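#!/bin/bash
#
# strongSwan updown script that creates/destroys a VTI interface for a
# route-based IPsec tunnel.
#
# Configured per connection in ipsec.conf, e.g.
#   leftupdown="/path/to/this-script <local/prefix> <remote/prefix> [mtu]"
#
# Arguments:
#   $1 - inner (tunnel) address, with prefix length, assigned to the VTI
#   $2 - inner address of the peer end of the point-to-point link
#   $3 - optional VTI MTU (default 1436, the value previously hard-coded)
# Environment, set by charon before calling the script:
#   PLUTO_VERB       up-client / down-client; any other verb is a no-op
#   PLUTO_UNIQUEID   per-connection id, used to name the interface vti<id>
#   PLUTO_ME         local outer (IKE endpoint) address
#   PLUTO_PEER       remote outer address
#   PLUTO_MARK_IN    inbound "mark/mask"; the mark part becomes the VTI ikey
#   PLUTO_MARK_OUT   outbound "mark/mask"; the mark part becomes the VTI okey
#
# Exits non-zero on the first failing command (errexit) or on a missing
# argument / environment variable (nounset).
set -o nounset
set -o errexit

VTI_IF="vti${PLUTO_UNIQUEID}"
VTI_LOCAL="$1"
VTI_REMOTE="$2"
VTI_MTU="${3:-1436}"

case "${PLUTO_VERB}" in
  up-client)
    # "${VAR%%/*}" strips the "/mask" suffix: only the mark value is a key.
    ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" \
      mode vti okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
    ip addr add "${VTI_LOCAL}" remote "${VTI_REMOTE}" dev "${VTI_IF}"
    ip link set "${VTI_IF}" up mtu "${VTI_MTU}"
    #iptables -t mangle -A FORWARD -o "${VTI_IF}" -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    #iptables -t mangle -I INPUT -p esp -s ${PLUTO_PEER} -d ${PLUTO_ME} -j MARK --set-xmark ${PLUTO_MARK_IN}
    # Disable the per-packet IPsec policy (SPD) check on the VTI itself:
    # traffic is steered into the tunnel by routing and matched to its SA
    # through ikey/okey. The old form "set sysctl -w ..." only replaced the
    # shell's positional parameters and never ran sysctl.
    sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
    ;;
  down-client)
    # Deleting the tunnel also removes its address and routes.
    ip tunnel del "${VTI_IF}"
    #iptables -t mangle -D FORWARD -o ${VTI_IF} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    #iptables -t mangle -D INPUT -p esp -s ${PLUTO_PEER} -d ${PLUTO_ME} -j MARK --set-xmark ${PLUTO_MARK_IN}
    ;;
esac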
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 | |
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 | |
inet 127.0.0.1/8 scope host lo | |
valid_lft forever preferred_lft forever | |
inet6 ::1/128 scope host | |
valid_lft forever preferred_lft forever | |
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000 | |
link/ether 02:18:38:80:79:25 brd ff:ff:ff:ff:ff:ff | |
inet 10.200.4.212/24 brd 10.200.4.255 scope global dynamic eth0 | |
valid_lft 3399sec preferred_lft 3399sec | |
inet6 fe80::18:38ff:fe80:7925/64 scope link | |
valid_lft forever preferred_lft forever | |
3: ip_vti0@NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1 | |
link/ipip 0.0.0.0 brd 0.0.0.0 | |
21: vti1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN group default qlen 1 | |
link/ipip 10.200.4.212 peer 52.67.165.21 | |
inet 169.254.37.42 peer 169.254.37.41/30 scope global vti1 | |
valid_lft forever preferred_lft forever | |
22: vti2@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN group default qlen 1 | |
link/ipip 10.200.4.212 peer 54.94.166.153 | |
inet 169.254.36.14 peer 169.254.36.13/30 scope global vti2 | |
valid_lft forever preferred_lft forever |
default via 10.200.4.1 dev eth0 proto dhcp src 10.200.4.212 metric 1024 | |
10.200.4.0/24 dev eth0 proto kernel scope link src 10.200.4.212 | |
10.200.4.1 dev eth0 proto dhcp scope link src 10.200.4.212 metric 1024 | |
169.254.36.12/30 dev vti2 proto kernel scope link src 169.254.36.14 | |
169.254.37.40/30 dev vti1 proto kernel scope link src 169.254.37.42 | |
broadcast 10.200.4.0 dev eth0 table local proto kernel scope link src 10.200.4.212 | |
local 10.200.4.212 dev eth0 table local proto kernel scope host src 10.200.4.212 | |
broadcast 10.200.4.255 dev eth0 table local proto kernel scope link src 10.200.4.212 | |
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 | |
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 | |
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 | |
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 | |
broadcast 169.254.36.12 dev vti2 table local proto kernel scope link src 169.254.36.14 | |
local 169.254.36.14 dev vti2 table local proto kernel scope host src 169.254.36.14 | |
broadcast 169.254.36.15 dev vti2 table local proto kernel scope link src 169.254.36.14 | |
broadcast 169.254.37.40 dev vti1 table local proto kernel scope link src 169.254.37.42 | |
local 169.254.37.42 dev vti1 table local proto kernel scope host src 169.254.37.42 | |
broadcast 169.254.37.43 dev vti1 table local proto kernel scope link src 169.254.37.42 | |
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium | |
fe80::/64 dev eth0 proto kernel metric 256 pref medium | |
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium | |
local ::1 dev lo table local proto unspec metric 0 pref medium | |
local fe80::18:38ff:fe80:7925 dev lo table local proto unspec metric 0 pref medium | |
ff00::/8 dev eth0 table local metric 256 pref medium | |
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium |
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.13-1-ec2, x86_64): | |
uptime: 16 minutes, since Mar 15 22:57:23 2017 | |
malloc: sbrk 2830336, mmap 0, used 766752, free 2063584 | |
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8 | |
loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp chapoly xcbc cmac hmac ntru newhope bliss curl sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity | |
Listening IP addresses: | |
10.200.4.212 | |
169.254.37.42 | |
169.254.36.14 | |
Connections: | |
sa1-bunker1: 10.200.4.212...52.67.165.21 IKEv1, dpddelay=10s | |
sa1-bunker1: local: [10.200.4.212] uses pre-shared key authentication | |
sa1-bunker1: remote: [52.67.165.21] uses pre-shared key authentication | |
sa1-bunker1: child: 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0 TUNNEL, dpdaction=restart | |
sa1-bunker2: 10.200.4.212...54.94.166.153 IKEv1, dpddelay=10s | |
sa1-bunker2: local: [10.200.4.212] uses pre-shared key authentication | |
sa1-bunker2: remote: [54.94.166.153] uses pre-shared key authentication | |
sa1-bunker2: child: 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0 TUNNEL, dpdaction=restart | |
Security Associations (2 up, 0 connecting): | |
sa1-bunker2[2]: ESTABLISHED 16 minutes ago, 10.200.4.212[10.200.4.212]...54.94.166.153[54.94.166.153] | |
sa1-bunker2[2]: IKEv1 SPIs: df955e435eac0dd7_i* c579a107e9e6fb32_r, rekeying in 2 hours | |
sa1-bunker2[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256 | |
sa1-bunker2{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c386085e_i b5ed77af_o | |
sa1-bunker2{2}: AES_CBC_128/HMAC_SHA2_256_128/MODP_2048_256, 0 bytes_i (0 pkts, 3s ago), 36480 bytes_o (608 pkts, 1s ago), rekeying in 30 minutes | |
sa1-bunker2{2}: 0.0.0.0/0 === 0.0.0.0/0 | |
sa1-bunker1[1]: ESTABLISHED 16 minutes ago, 10.200.4.212[10.200.4.212]...52.67.165.21[52.67.165.21] | |
sa1-bunker1[1]: IKEv1 SPIs: 8dd62e37b0d8ef5b_i* 60af9f7e6ed965f7_r, rekeying in 2 hours | |
sa1-bunker1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256 | |
sa1-bunker1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c6c05c28_i b8b57b05_o | |
sa1-bunker1{1}: AES_CBC_128/HMAC_SHA2_256_128/MODP_2048_256, 0 bytes_i (0 pkts, 4s ago), 118152 bytes_o (1580 pkts, 1s ago), rekeying in 25 minutes | |
sa1-bunker1{1}: 0.0.0.0/0 === 0.0.0.0/0 |
config setup

# Settings inherited by every conn below.
conn %default
    # Both ends authenticate with a pre-shared key; the key itself lives in
    # ipsec.secrets, not in this file.
    leftauth=psk
    rightauth=psk
    type=tunnel
    # Dead-peer detection: probe every 10s, give up after 30s, then
    # re-initiate (dpdaction/closeaction=restart below).
    dpddelay=10s
    dpdtimeout=30s
    keyexchange=ikev1
    #keyingtries=%forever
    rekey=yes
    reauth=no
    dpdaction=restart
    closeaction=restart
    left=%defaultroute
    # Any-to-any traffic selectors: with a VTI the routing table decides what
    # enters the tunnel, so the SA itself is not narrowed to a subnet.
    leftsubnet=0.0.0.0/0,::/0
    rightsubnet=0.0.0.0/0,::/0
    lifetime=3600s
    # The first proposal is the preferred one; the second (aes128-sha1-modp1024)
    # is a weaker fallback the peer may still pick. NOTE(review): remove it once
    # both peers are confirmed to accept the first proposal.
    ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024!
    esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024!
    installpolicy=yes
    compress=no
    mobike=no

# One conn per peer. The updown script receives the inner /30 addresses as
# arguments and names the VTI after the connection's unique id.
conn sa1-bunker1
    auto=start
    leftupdown="/usr/sbin/aws-vpc-ipsec-control 169.254.37.42/30 169.254.37.41/30"
    left=10.200.4.212
    right=52.67.165.21
    # Exported to the updown script as PLUTO_MARK_IN/OUT and used as the VTI
    # ikey/okey; distinct per conn so each tunnel matches only its own SA.
    mark=1000

conn sa1-bunker2
    auto=start
    leftupdown="/usr/sbin/aws-vpc-ipsec-control 169.254.36.14/30 169.254.36.13/30"
    left=10.200.4.212
    right=54.94.166.153
    mark=1001
# Generated by iptables-save v1.6.0 on Wed Mar 15 23:13:40 2017 | |
*filter | |
:INPUT ACCEPT [15445:1468519] | |
:FORWARD ACCEPT [0:0] | |
:OUTPUT ACCEPT [20077:3882623] | |
COMMIT | |
# Completed on Wed Mar 15 23:13:40 2017 | |
# Generated by iptables-save v1.6.0 on Wed Mar 15 23:13:40 2017 | |
*mangle | |
:PREROUTING ACCEPT [3629:454087] | |
:INPUT ACCEPT [3629:454087] | |
:FORWARD ACCEPT [0:0] | |
:OUTPUT ACCEPT [5968:655330] | |
:POSTROUTING ACCEPT [8080:804582] | |
-A PREROUTING -d 0.0.0.0/32 -j MARK --set-xmark 0x3e9/0xffffffff | |
-A PREROUTING -s 54.94.166.153/32 -d 10.200.4.212/32 -p udp -m udp --sport 4500 --dport 4500 -j MARK --set-xmark 0x3e9/0xffffffff | |
-A PREROUTING -d 0.0.0.0/32 -j MARK --set-xmark 0x3e8/0xffffffff | |
-A PREROUTING -s 52.67.165.21/32 -d 10.200.4.212/32 -p udp -m udp --sport 4500 --dport 4500 -j MARK --set-xmark 0x3e8/0xffffffff | |
-A INPUT -s 54.94.166.153/32 -d 10.200.4.212/32 -p esp -j MARK --set-xmark 0x3e9/0xffffffff | |
-A INPUT -s 52.67.165.21/32 -d 10.200.4.212/32 -p esp -j MARK --set-xmark 0x3e8/0xffffffff | |
-A FORWARD -o sa1-bunker1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
-A FORWARD -o vti1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
-A FORWARD -o vti2 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
-A OUTPUT -d 0.0.0.0/32 -j MARK --set-xmark 0x3e9/0xffffffff | |
-A OUTPUT -d 0.0.0.0/32 -j MARK --set-xmark 0x3e8/0xffffffff | |
COMMIT | |
# Completed on Wed Mar 15 23:13:40 2017 |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[NET] using forecast interface eth0 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] loading crls from '/etc/ipsec.d/crls' | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] loading secrets from '/etc/ipsec.secrets' | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] loaded IKE secret for 54.233.184.43 52.67.165.21 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] loaded IKE secret for 54.233.184.43 54.94.166.153 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] sql plugin: database URI not set | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] loaded 0 RADIUS server configurations | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] HA config misses local/remote address | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[CFG] no script for ext-auth script defined, disabled | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[LIB] loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp chapoly xcbc cmac hmac ntru newhope bliss curl sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[LIB] dropped capabilities, running as uid 0, gid 0 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 00[JOB] spawning 16 worker threads | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 05[CFG] received stroke: add connection 'sa1-bunker1' | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 05[CFG] added configuration 'sa1-bunker1' | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 13[CFG] received stroke: initiate 'sa1-bunker1' | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 13[IKE] initiating Main Mode IKE_SA sa1-bunker1[1] to 52.67.165.21 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 13[ENC] generating ID_PROT request 0 [ SA V V V V V ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 13[NET] sending packet: from 10.200.4.212[500] to 52.67.165.21[500] (216 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 10[IKE] IKE_SA sa1-bunker1[1] established between 10.200.4.212[10.200.4.212]...52.67.165.21[52.67.165.21] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 13[CFG] received stroke: add connection 'sa1-bunker2' | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 13[CFG] added configuration 'sa1-bunker2' | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 07[CFG] received stroke: initiate 'sa1-bunker2' | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 07[IKE] initiating Main Mode IKE_SA sa1-bunker2[2] to 54.94.166.153 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 07[NET] sending packet: from 10.200.4.212[500] to 54.94.166.153[500] (216 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 06[NET] received packet: from 52.67.165.21[500] to 10.200.4.212[500] (124 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 06[ENC] parsed ID_PROT response 0 [ SA V V ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 06[IKE] received DPD vendor ID | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 06[IKE] received NAT-T (RFC 3947) vendor ID | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 15[NET] received packet: from 54.94.166.153[500] to 10.200.4.212[500] (124 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 15[ENC] parsed ID_PROT response 0 [ SA V V ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 15[IKE] received DPD vendor ID | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 15[IKE] received NAT-T (RFC 3947) vendor ID | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 06[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 06[NET] sending packet: from 10.200.4.212[500] to 52.67.165.21[500] (396 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 15[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 15[NET] sending packet: from 10.200.4.212[500] to 54.94.166.153[500] (396 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 14[NET] received packet: from 52.67.165.21[500] to 10.200.4.212[500] (380 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 14[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 09[NET] received packet: from 54.94.166.153[500] to 10.200.4.212[500] (380 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 09[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 14[IKE] local host is behind NAT, sending keep alives | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 14[IKE] remote host is behind NAT | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 14[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 14[NET] sending packet: from 10.200.4.212[4500] to 52.67.165.21[4500] (108 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 09[IKE] local host is behind NAT, sending keep alives | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 09[IKE] remote host is behind NAT | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 09[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 09[NET] sending packet: from 10.200.4.212[4500] to 54.94.166.153[4500] (108 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 10[NET] received packet: from 52.67.165.21[4500] to 10.200.4.212[4500] (76 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 10[ENC] parsed ID_PROT response 0 [ ID HASH ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 10[IKE] IKE_SA sa1-bunker1[1] established between 10.200.4.212[10.200.4.212]...52.67.165.21[52.67.165.21] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 10[IKE] IKE_SA sa1-bunker1[1] established between 10.200.4.212[10.200.4.212]...52.67.165.21[52.67.165.21] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net ipsec[1828]: 10[IKE] scheduling rekeying in 10021s | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 10[IKE] scheduling rekeying in 10021s | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 10[IKE] maximum IKE_SA lifetime 10561s | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 10[ENC] generating QUICK_MODE request 1219971402 [ HASH SA No KE ID ID ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 10[NET] sending packet: from 10.200.4.212[4500] to 52.67.165.21[4500] (460 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 12[NET] received packet: from 54.94.166.153[4500] to 10.200.4.212[4500] (76 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 12[ENC] parsed ID_PROT response 0 [ ID HASH ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 12[IKE] IKE_SA sa1-bunker2[2] established between 10.200.4.212[10.200.4.212]...54.94.166.153[54.94.166.153] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 12[IKE] IKE_SA sa1-bunker2[2] established between 10.200.4.212[10.200.4.212]...54.94.166.153[54.94.166.153] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 12[IKE] scheduling rekeying in 10237s | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 12[IKE] maximum IKE_SA lifetime 10777s | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 12[ENC] generating QUICK_MODE request 3259434988 [ HASH SA No KE ID ID ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 12[NET] sending packet: from 10.200.4.212[4500] to 54.94.166.153[4500] (460 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 16[NET] received packet: from 52.67.165.21[4500] to 10.200.4.212[4500] (444 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 16[ENC] parsed QUICK_MODE response 1219971402 [ HASH SA No KE ID ID ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 16[IKE] CHILD_SA sa1-bunker1{1} established with SPIs cd86ac1a_i 708b87ac_o and TS 0.0.0.0/0 === 0.0.0.0/0 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 16[IKE] CHILD_SA sa1-bunker1{1} established with SPIs cd86ac1a_i 708b87ac_o and TS 0.0.0.0/0 === 0.0.0.0/0 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 11[NET] received packet: from 54.94.166.153[4500] to 10.200.4.212[4500] (444 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 09[KNL] 169.254.37.42 appeared on vti1 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 07[KNL] interface vti1 activated | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 16[ENC] generating QUICK_MODE request 1219971402 [ HASH ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 11[ENC] parsed QUICK_MODE response 3259434988 [ HASH SA No KE ID ID ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 16[NET] sending packet: from 10.200.4.212[4500] to 52.67.165.21[4500] (76 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 11[IKE] CHILD_SA sa1-bunker2{2} established with SPIs c6cdff51_i 25605e90_o and TS 0.0.0.0/0 === 0.0.0.0/0 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 11[IKE] CHILD_SA sa1-bunker2{2} established with SPIs c6cdff51_i 25605e90_o and TS 0.0.0.0/0 === 0.0.0.0/0 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 06[KNL] 169.254.36.14 appeared on vti2 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 15[KNL] interface vti2 activated | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 11[ENC] generating QUICK_MODE request 3259434988 [ HASH ] | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 11[NET] sending packet: from 10.200.4.212[4500] to 54.94.166.153[4500] (76 bytes) | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 13[NET] using forecast interface eth0 | |
Mar 15 23:15:03 sa1-transit1.ad.pagarme.net charon[1837]: 13[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250 | |
Mar 15 23:15:13 sa1-transit1.ad.pagarme.net charon[1837]: 16[NET] received packet: from 52.67.165.21[4500] to 10.200.4.212[4500] (108 bytes) | |
Mar 15 23:15:13 sa1-transit1.ad.pagarme.net charon[1837]: 16[ENC] parsed INFORMATIONAL_V1 request 1783897951 [ HASH N(DPD) ] | |
Mar 15 23:15:13 sa1-transit1.ad.pagarme.net charon[1837]: 16[ENC] generating INFORMATIONAL_V1 request 3414446537 [ HASH N(DPD_ACK) ] | |
Mar 15 23:15:13 sa1-transit1.ad.pagarme.net charon[1837]: 16[NET] sending packet: from 10.200.4.212[4500] to 52.67.165.21[4500] (108 bytes) | |
Mar 15 23:15:13 sa1-transit1.ad.pagarme.net charon[1837]: 06[NET] received packet: from 54.94.166.153[4500] to 10.200.4.212[4500] (108 bytes) | |
Mar 15 23:15:13 sa1-transit1.ad.pagarme.net charon[1837]: 06[ENC] parsed INFORMATIONAL_V1 request 1807674129 [ HASH N(DPD) ] | |
Mar 15 23:15:13 sa1-transit1.ad.pagarme.net charon[1837]: 06[ENC] generating INFORMATIONAL_V1 request 622799371 [ HASH N(DPD_ACK) ] | |
Mar 15 23:15:13 sa1-transit1.ad.pagarme.net charon[1837]: 06[NET] sending packet: from 10.200.4.212[4500] to 54.94.166.153[4500] (108 bytes) |
sysctl: reading key "net.ipv6.conf.all.stable_secret" | |
sysctl: reading key "net.ipv6.conf.default.stable_secret" | |
sysctl: reading key "net.ipv6.conf.eth0.stable_secret" | |
sysctl: reading key "net.ipv6.conf.ip_vti0.stable_secret" | |
sysctl: reading key "net.ipv6.conf.lo.stable_secret" | |
sysctl: reading key "net.ipv6.conf.vti1.stable_secret" | |
sysctl: reading key "net.ipv6.conf.vti2.stable_secret" | |
net.ipv4.conf.vti1.accept_local = 0 | |
net.ipv4.conf.vti1.accept_redirects = 1 | |
net.ipv4.conf.vti1.accept_source_route = 0 | |
net.ipv4.conf.vti1.arp_accept = 0 | |
net.ipv4.conf.vti1.arp_announce = 0 | |
net.ipv4.conf.vti1.arp_filter = 0 | |
net.ipv4.conf.vti1.arp_ignore = 0 | |
net.ipv4.conf.vti1.arp_notify = 0 | |
net.ipv4.conf.vti1.bootp_relay = 0 | |
net.ipv4.conf.vti1.disable_policy = 1 | |
net.ipv4.conf.vti1.disable_xfrm = 0 | |
net.ipv4.conf.vti1.drop_gratuitous_arp = 0 | |
net.ipv4.conf.vti1.drop_unicast_in_l2_multicast = 0 | |
net.ipv4.conf.vti1.force_igmp_version = 0 | |
net.ipv4.conf.vti1.forwarding = 1 | |
net.ipv4.conf.vti1.igmpv2_unsolicited_report_interval = 10000 | |
net.ipv4.conf.vti1.igmpv3_unsolicited_report_interval = 1000 | |
net.ipv4.conf.vti1.ignore_routes_with_linkdown = 0 | |
net.ipv4.conf.vti1.log_martians = 0 | |
net.ipv4.conf.vti1.mc_forwarding = 0 | |
net.ipv4.conf.vti1.medium_id = 0 | |
net.ipv4.conf.vti1.promote_secondaries = 1 | |
net.ipv4.conf.vti1.proxy_arp = 0 | |
net.ipv4.conf.vti1.proxy_arp_pvlan = 0 | |
net.ipv4.conf.vti1.route_localnet = 0 | |
net.ipv4.conf.vti1.rp_filter = 1 | |
net.ipv4.conf.vti1.secure_redirects = 1 | |
net.ipv4.conf.vti1.send_redirects = 1 | |
net.ipv4.conf.vti1.shared_media = 1 | |
net.ipv4.conf.vti1.src_valid_mark = 0 | |
net.ipv4.conf.vti1.tag = 0 | |
net.ipv4.neigh.vti1.anycast_delay = 100 | |
net.ipv4.neigh.vti1.app_solicit = 0 | |
net.ipv4.neigh.vti1.base_reachable_time_ms = 30000 | |
net.ipv4.neigh.vti1.delay_first_probe_time = 5 | |
net.ipv4.neigh.vti1.gc_stale_time = 60 | |
net.ipv4.neigh.vti1.locktime = 100 | |
net.ipv4.neigh.vti1.mcast_resolicit = 0 | |
net.ipv4.neigh.vti1.mcast_solicit = 3 | |
net.ipv4.neigh.vti1.proxy_delay = 80 | |
net.ipv4.neigh.vti1.proxy_qlen = 64 | |
net.ipv4.neigh.vti1.retrans_time_ms = 1000 | |
net.ipv4.neigh.vti1.ucast_solicit = 3 | |
net.ipv4.neigh.vti1.unres_qlen = 31 | |
net.ipv4.neigh.vti1.unres_qlen_bytes = 65536 |
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | |
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes | |
23:16:31.029766 IP 10.200.4.212.4500 > 54.94.166.153.4500: UDP-encap: ESP(spi=0x25605e90,seq=0x35), length 104 | |
23:16:31.029782 IP 10.200.4.212.49230 > 169.254.0.50.179: Flags [S], seq 278146407, win 26883, options [mss 8961,sackOK,TS val 717600 ecr 0,nop,wscale 7], length 0 | |
23:16:31.030886 IP 54.94.166.153.4500 > 10.200.4.212.4500: UDP-encap: ESP(spi=0xc6cdff51,seq=0x4d), length 104 | |
23:16:31.229843 IP 52.67.165.21.4500 > 10.200.4.212.4500: UDP-encap: ESP(spi=0xcd86ac1a,seq=0x9e), length 104 | |
23:16:31.349846 IP 10.200.4.212.4500 > 52.67.165.21.4500: UDP-encap: ESP(spi=0x708b87ac,seq=0x8a), length 136 | |
23:16:31.350304 IP 52.67.165.21.4500 > 10.200.4.212.4500: UDP-encap: ESP(spi=0xcd86ac1a,seq=0x9f), length 136 | |
23:16:32.261823 IP 52.67.165.21.4500 > 10.200.4.212.4500: UDP-encap: ESP(spi=0xcd86ac1a,seq=0xa0), length 104 | |
23:16:32.309787 IP 10.200.4.212.4500 > 52.67.165.21.4500: UDP-encap: ESP(spi=0x708b87ac,seq=0x8b), length 104 | |
23:16:32.310215 IP 52.67.165.21.4500 > 10.200.4.212.4500: UDP-encap: ESP(spi=0xcd86ac1a,seq=0xa1), length 104 | |
23:16:32.389811 IP 10.200.4.212.4500 > 52.67.165.21.4500: UDP-encap: ESP(spi=0x708b87ac,seq=0x8c), length 136 | |
23:16:32.390170 IP 52.67.165.21.4500 > 10.200.4.212.4500: UDP-encap: ESP(spi=0xcd86ac1a,seq=0xa2), length 136 |