@miguemely
Created December 9, 2016 04:38
<chrismoos> does your ipsec support public keys?
<chrismoos> or just PSK
<miguelr> seems I can do public keys.
<chrismoos> [znc] User not connected. Notification message sent.
<chrismoos> cool
<miguelr> Oh, seems ZNC doesn't like you haha.
<chrismoos> [znc] User not connected. Notification message sent.
<chrismoos> ?
<miguelr> "<chrismoos> [znc] User not connected. Notification message sent."
<chrismoos> [znc] User not connected. Notification message sent.
<chrismoos> oh, weird
<miguelr> Yeah.
<chrismoos> [znc] User not connected. Notification message sent.
<chrismoos> is that from my side or yours?
<miguelr> your side.
<chrismoos> [znc] User not connected. Notification message sent.
<miguelr> Since I'm not on ZNC.
<chrismoos> [znc] User not connected. Notification message sent.
<chrismoos> hmm, weird
<miguelr> agreed
<chrismoos> [znc] User not connected. Notification message sent.
<chrismoos> I use a notify plugin
<chrismoos> sends me email
<miguelr> Figured
<chrismoos> [znc] User not connected. Notification message sent.
<miguelr> You must be getting spammed right about now.
<chrismoos> [znc] User not connected. Notification message sent.
<miguelr> Let me generate a public key for you...
<chrismoos> [znc] User not connected. Notification message sent.
* chrismoos has quit (Remote host closed the connection)
<chrismoos> there?
<chrismoos> recompiled znc module and it crashed
<chrismoos> yeah, if you can send me your public key
<miguelr> yeah
<miguelr> give me a sec
<miguelr> EdgeOS decides to be special and output it a certain way
<miguelr> I mean I got this
<miguelr> 0sAwEAAdsIlEm6dH2JZPJbyXZ+EwEH7ItAtLKc06ljRzLFOVyfvz9LtGxrxjfLDZIv14pkzZs/oD7wGB
<miguelr> 1Fl7Yu3+jwH6G6oSY3b+/QMawH6Lex5gaC3pSMaCnEJkOA5LO9Sbgc/JQFk77PW0AzUf2eZAJn7CXiK2
<miguelr> +y3P13WJRav0bMBZuFbkld9PBjbEdEveQLiEVQ+P50vvVnytGhpooWbnsd9IUZrKVW/6ux9yIlk0TawG
<miguelr> Np7ohQYWn5ZsZq8uUhZBuPDvh5kem9Bowj8nYwtcwl6lpIINYbADb/0QQeoeTEs9s8qNz53GJs3XZuiy
<miguelr> dWdGIO86iG6Gs/CgW7WEJ08YSHZDVjD6xYuPKlGCvCTW4wRmL2+yJOUGxNzqxvpDUxmKPGOaBoFvWHNJ
<miguelr> tj1tEKgE7kd0L6+3Znocki1ixm6btUIqnPytJ7jjK7BALSquYFmpjfN5OojoY2u2DHZwkJDUbCbxIVb3
<miguelr> kbevMGEB+slLB7LLpPl1rA2qwzSNbvGce0FD//YpRRpHzW30h/f+/pXwoYbf6uoUbIM4nR25jJmUXr8P
<miguelr> K2vIZ+vcWtCX1ipXGXcMaShD5hNEjsLf1b+fPGCsfQCuOTIh4PxUjg+DPbubUxOF8ost8x/AbHBZZ+ck
<miguelr> Le8pJYIa4RwRwFScV1zTnjrUV/pRdv/E5LN23+ZrVnXHW6uyc1
<miguelr> but that doesn't seem right.
<miguelr> http://pastebin.com/BRUwnJEH here's the pastebin version
<miguelr> Bingo. Got it in a block.
<miguelr> https://gist.github.com/miguemely/e83ee1c0ee9aced310500fb57a429dc1
<miguelr> Hopefully that works for you.
<chrismoos> yeah
<chrismoos> great
<chrismoos> here are my details
<chrismoos> https://www.chrismoos.com/dn42-peering
<chrismoos> can you set yours to: ike=aes256-sha256-modp1536!
<chrismoos> esp=aes256-sha256-modp1536!
<miguelr> Let me see how I can translate that to EdgeOS... haha
<miguelr> tunnel mode for esp, i would imagine
<miguelr> Curious, ikev1 or ikev2
<chrismoos> ikev2
<miguelr> Hmm... Don't know why it isn't connecting.
<chrismoos> received AUTHENTICATION_FAILED notify error
<chrismoos> can you check your log?
<miguelr> Let me see where it is.
<miguelr> Well I think i found the issue
<miguelr> Connections:
<miguelr> peer-107.170.29.134-tunnel-0: 73.1.142.180...107.170.29.134 IKEv2
<miguelr> peer-107.170.29.134-tunnel-0: local: [73.1.142.180] uses public key authentication
<miguelr> peer-107.170.29.134-tunnel-0: cert: "73.1.142.180"
<miguelr> peer-107.170.29.134-tunnel-0: remote: [107.170.29.134] uses public key authentication
<miguelr> peer-107.170.29.134-tunnel-0: cert: "107.170.29.134"
<miguelr> peer-107.170.29.134-tunnel-0: child: dynamic[gre] === dynamic[gre] TUNNEL
<chrismoos> there we go
<miguelr> ?
<chrismoos> had to fix my id to use ip instead of DNS
<miguelr> ah
<miguelr> now to setup BGP.
<chrismoos> let me send you my tunnel ip
<miguelr> Alright.
<chrismoos> 172.20.186.181
<chrismoos> yours?
<chrismoos> now, typically we setup a /31
<chrismoos> for the tunnel
<chrismoos> does that work for you?
<chrismoos> 172.20.186.181/31
<chrismoos> I'd be .181, you are .182
<miguelr> That's fine.
<miguelr> Hold on
<miguelr> Trying to learn this little by little.
<chrismoos> cool
<miguelr> By tunnel IP, you're referring to the IP I assigned this router on the DN42 net?
<chrismoos> no, it's a separate thing
<miguelr> and that's where I get lost, haha.
<chrismoos> think of two servers next to each other with a GRE tunnel and a cable to each other
<chrismoos> there is an interface on each side
<chrismoos> if you setup a p2p link typically a /31 is used...meaning one ip address for each node
<chrismoos> it represents the *direct* connection between the two
<miguelr> I see.
<miguelr> So basically, the local and remote IP, give or take?
<chrismoos> yeah, essentially, and specific to the interface (the GRE tunnel)
<miguelr> and I assign it from my block?
<chrismoos> so, if you can't handle the /31 CIDR syntax then just use the IP addresses directly
<miguelr> no I can do CIDR.
<chrismoos> so, typically one person on the peering assigns a /31
<chrismoos> which is me in this case
<miguelr> Ok.
<miguelr> And I would put that in local, correct?
<chrismoos> so, you'd add 172.20.186.182/31
<chrismoos> which says .182 is your side, and .181 is mine
<miguelr> Ok.
<miguelr> and remote would be the DN42 full prefix, or would that be something else?
<miguelr> Sorry for making you give me a lesson here.
<chrismoos> oh actually, sorry, switch your CIDR to 172.20.186.183/31
<miguelr> Done.
<chrismoos> so on your GRE you have local/remote addresses?
<miguelr> I have local set to that CIDR
<miguelr> remote should be DN42, correct?
<chrismoos> okay, set remote to 172.20.186.182/31
<chrismoos> so this is really just the p2p link and not even related to BGP/dn42 really
<chrismoos> except that we use dn42 routable addresses for our p2p link
<miguelr> Ahh that makes sense.
<miguelr> vpn restarting
* Disconnected (Connection reset by peer)
* miguelr sets mode +i on miguelr
-NickServ- This nickname is registered. Please choose a different nickname, or identify via /msg NickServ identify <password>.
<miguelr> well something happened
-NickServ- You are now identified for miguelr.
-NickServ- 1 failed login since last login.
-NickServ- Last failed attempt from: miguelr!~miguelr@c-73-1-142-180.hsd1.fl.comcast.net on Dec 06 04:46:40 2016 +0000.
<chrismoos> try dropping the CIDR, just use the addresses
<miguelr> makes me use a CIDR.
<miguelr> I do know on my old IPSec with another friend's net, we used local for the subnet I had and remote for the complete subnet that everyone was on.
<miguelr> Actually, let me ask this, do I have to change the interface IP (vlaned) from '172.20.235.33/27', which would be my subnet?
<chrismoos> it crashes when you set it?
<miguelr> No, just blipped my internet for a second.
<miguelr> and errors out saying (Invalid prefix)
<miguelr> I do know the example config they have on DN42 doesn't make me set local or remote though.
<miguelr> And it connected fine without it.
<chrismoos> https://wiki.dn42.us/howto/EdgeOS-GRE-IPsec-Example
<chrismoos> tunnel tun0 {
<chrismoos> address 172.23.248.10/31
<chrismoos> description "CREST-DN42 AS64828"
<chrismoos> encapsulation gre
<chrismoos> local-ip 192.0.2.2
<chrismoos> mtu 1400
<chrismoos> multicast disable
<chrismoos> remote-ip 192.0.2.243
<chrismoos> ttl 255
<chrismoos> }
<chrismoos> can you just set local-ip to 172.20.186.183
<chrismoos> and remote-ip to 172.20.186.12
<chrismoos> err, .182
<miguelr> ohhh
<miguelr> Ok I see now
<miguelr> Let's try this...
<miguelr> Did you get an error on your side?
<miguelr> Connections:
<miguelr> peer-107.170.29.134-tunnel-0: 73.1.142.180...107.170.29.134 IKEv2
<miguelr> peer-107.170.29.134-tunnel-0: local: [73.1.142.180] uses public key authentication
<miguelr> peer-107.170.29.134-tunnel-0: cert: "73.1.142.180"
<miguelr> peer-107.170.29.134-tunnel-0: remote: [107.170.29.134] uses public key authentication
<miguelr> peer-107.170.29.134-tunnel-0: cert: "107.170.29.134"
<miguelr> peer-107.170.29.134-tunnel-0: child: dynamic[gre] === dynamic[gre] TUNNEL
<miguelr> oh it finally connected
<chrismoos> yeah seems up
<miguelr> Now from here...now what?
<miguelr> I presume make a BGP using my AS?
<chrismoos> still can't ping you
<chrismoos> do you see the pings?
<miguelr> Let me check the fw
<miguelr> let me try pinging you. What should I ping?
<chrismoos> 172.20.186.182
<miguelr> Hmm
<miguelr> Yeah I can't ping you. What the hell
<miguelr> hmm
<miguelr> I configured remote and local and strongswan still does this
<miguelr> local '73.1.142.180' @ 73.1.142.180
<miguelr> remote '107.170.29.134' @ 107.170.29.134
<miguelr> AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
<miguelr> established 675s ago, rekeying in 27336s
<miguelr> peer-107.170.29.134-tunnel-0: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
<miguelr> installed 675 ago, rekeying in 1892s, expires in 2925s
<miguelr> in cf0d2001, 38124 bytes, 353 packets, 0s ago
<miguelr> out cd409182, 0 bytes, 0 packets
<miguelr> local 73.1.142.180/32[gre]
<miguelr> remote 107.170.29.134/32[gre]
<chrismoos> seems like you are receiving packets from me
<miguelr> Yeah I saw
<miguelr> but nothing out
<miguelr> let me check rules one last time
<miguelr> Hopefully this update should fix it.
* Disconnected (Connection reset by peer)
* Disconnected (Connection reset by peer)
* Disconnected (Connection reset by peer)
* Disconnected (Connection reset by peer)
* Disconnected (Connection reset by peer)
* Disconnected (Connection reset by peer)
<miguelr> Hey you awake? I think I can make this easier now.
<miguelr> https://gist.github.com/miguemely/eb0b8832cbe16c62ffa01a1f1ab88f1e is the new key. Hopefully, I can set this up correctly.
<miguelr> Using Mikrotik now.
<chrismoos> hey
<chrismoos> so you want to try again?
<chrismoos> let me add your key
<chrismoos> same IP address?
<miguelr> Yup
<miguelr> I'm also trying with Elephant
<chrismoos> hm, i get no response
<chrismoos> make sure your firewall allows ipsec
<miguelr> I turned it off
<miguelr> one sec
<miguelr> actually
<miguelr> it should be on
<chrismoos> sending packet: from 107.170.29.134[500] to 73.1.142.180[500] (368 bytes)
<chrismoos> no response
<miguelr> admin@edge.int.netrouter.us] > ip addr print
<miguelr> Flags: X - disabled, I - invalid, D - dynamic
<miguelr> # ADDRESS NETWORK INTERFACE
<miguelr> 0 10.250.0.1/24 10.250.0.0 vlan5
<miguelr> 1 192.168.1.1/24 192.168.1.0 ether3
<miguelr> 2 10.254.1.1/24 10.254.1.0 vlan1
<miguelr> 3 10.203.0.1/16 10.203.0.0 vlan2
<miguelr> 4 D 73.1.142.180/22 73.1.140.0 ether1
<miguelr> 5 44.98.17.33/8 44.0.0.0 ucsd
<miguelr> 6 172.22.150.73/31 172.22.150.72 gre-tunnel1
<miguelr> woops
<miguelr> http://i.netrouter.us/winbox_2016-12-08_15-56-56.jpg
<miguelr> I got that
<miguelr> So I received it
<miguelr> It looks like I'm sending responses.
<miguelr> http://i.netrouter.us/Wireshark_2016-12-08_16-22-37.jpg
<chrismoos> okay, made progress
<chrismoos> you were using ikev1
<chrismoos> I've switched mine to ikev1
<chrismoos> what are your p2 settings?
<chrismoos> algorithm
<miguelr> should be the same set
<miguelr> sorry not home atm
<miguelr> on teamviewer
<miguelr> You on?
* [chrismoos] (~chrismoos@hackint/user/chrismoos): Chris Moos
* [chrismoos] #tombii #dn42 #chaosvpn
* [chrismoos] ing.hackint.org :irc.hamburg.ccc.de
* [chrismoos] is using a secure connection
* [chrismoos] is logged in as chrismoos
* [chrismoos] End of WHOIS list.
<miguelr> Test?