Hi Experts,
Tried to create a DMVPN between a Hub on SoftLayer and a Spoke behind NAT on VMware Fusion.
vyatta@gw-seattle1-02-06-2016:~$ show configuration commands | grep tunnel
set interfaces tunnel tun0 address '172.16.200.1/24'
set interfaces tunnel tun0 encapsulation 'gre-multipoint'
set interfaces tunnel tun0 local-ip '50.23.185.53'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 nhrp 'redirect'
set vpn ipsec profile DMVPN bind tunnel 'tun0'
vyatta@gw-seattle1-02-06-2016:~$
vyatta@gw-seattle1-02-06-2016:~$
vyatta@gw-seattle1-02-06-2016:~$ show configuration commands | grep vpn
set vpn ipsec esp-group ESP-1H compression 'disable'
set vpn ipsec esp-group ESP-1H lifetime '30'
set vpn ipsec esp-group ESP-1H mode 'transport'
set vpn ipsec esp-group ESP-1H pfs 'dh-group5'
set vpn ipsec esp-group ESP-1H proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1H proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-1H proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-1H proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-1H lifetime '30'
set vpn ipsec ike-group IKE-1H proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1H proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1H proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE-1H proposal 2 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN authentication pre-shared-secret 'NET123'
set vpn ipsec profile DMVPN bind tunnel 'tun0'
set vpn ipsec profile DMVPN esp-group 'ESP-1H'
set vpn ipsec profile DMVPN ike-group 'IKE-1H'
vyatta@gw-seattle1-02-06-2016:~$ show ip nhrp
Status: ok
Interface: lo
Type: local
Protocol-Address: 192.168.175.0/24
Flags: up
Interface: lo
Type: local
Protocol-Address: 192.168.170.0/24
Flags: up
Interface: tun0
Type: local
Protocol-Address: 172.16.200.255/32
Alias-Address: 172.16.200.1
Flags: up
Interface: tun0
Type: local
Protocol-Address: 172.16.200.1/32
Flags: up
vyatta@gw-seattle1-02-06-2016:~$
vyatta@gw-seattle1-02-06-2016:~$
vyatta@gw-seattle1-02-06-2016:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
0.0.0.0 50.23.185.53
Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----  -----  ------  ------  -----
tun0    down   n/a            n/a      n/a   no     0       30      gre
vyatta@gw-seattle1-02-06-2016:~$ show log tail
Aug 4 18:28:36 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:28:36 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:28:36 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:28:36 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:28:36 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:28:56 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:28:56 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:28:56 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:28:56 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:28:56 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
vyatta@gw-seattle1-02-06-2016:~$ show vpn debug detail
Unable to find IKEv2 messages. Strongswan might be running with IKEv2 turned off or alternatively, your log files have been emptied (ie, logwatch)
gw-seattle1-02-06-2016
Thu Aug 4 18:10:34 CDT 2016
+ _________________________ version
+ ipsec --version
Linux strongSwan U4.5.2/K3.10.94-1-amd64-vyatta
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ ip-xfrm-state
+ ip -s xfrm state
+ _________________________ ip-xfrm-policy
+ ip -s xfrm policy
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface eth1/eth1 2607:f0d0:2002:182::2:500
000 interface lo/lo 127.0.0.1:500
000 interface lo/lo 192.168.170.1:500
000 interface lo/lo 192.168.175.1:500
000 interface eth0/eth0 10.28.103.98:500
000 interface eth1/eth1 50.23.185.54:500
000 interface eth1v1/eth1v1 50.23.185.53:500
000 interface eth0v1/eth0v1 10.28.103.84:500
000 interface tun0/tun0 172.16.200.1:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "vpnprof-tunnel-tun0": 50.23.185.53[50.23.185.53]:47/0...%any[%any]:47/0; unrouted; eroute owner: #0
000 "vpnprof-tunnel-tun0": ike_life: 30s; ipsec_life: 30s; rekey_margin: 14s; rekey_fuzz: 100%; keyingtries: 0
000 "vpnprof-tunnel-tun0": policy: PSK+ENCRYPT+PFS+DONTREKEY; prio: 32,32; interface: eth1v1;
000 "vpnprof-tunnel-tun0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 10 minutes, since Aug 04 17:59:57 2016
malloc: sbrk 270336, mmap 0, used 225488, free 44848
worker threads: 8 idle of 16, job queue load: 1, scheduled events: 0
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
10.28.103.98 50.23.185.54 2607:f0d0:2002:182::2 50.23.185.53 10.28.103.84 172.16.200.1
Connections:
Security Associations:
none
+ _________________________ routing/tables
+ ip rule list
0: from all lookup local
32766: from all lookup main
32766: from all lookup main
32766: from all lookup main
32767: from all lookup default
+ _________________________ ip/route
+ /opt/vyatta/bin/vtyshow.pl show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Gateway of last resort is 50.23.185.49 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 50.23.185.49, eth1
S 10.0.0.0/8 [1/0] via 10.28.103.65, eth0
C 10.28.103.64/26 is directly connected, eth0
C 50.23.185.48/29 is directly connected, eth1
C 127.0.0.0/8 is directly connected, lo
C 172.16.200.0/24 is directly connected, tun0
C 192.168.170.0/24 is directly connected, lo
C 192.168.175.0/24 is directly connected, lo
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 23835 23834 20 0 23088 1236 - S+ pts/0 0:00 | \_ sudo /usr/lib/ipsec/barf
4 0 23836 23835 20 0 9216 1392 - S+ pts/0 0:00 | \_ /bin/sh /usr/lib/ipsec/barf
0 0 23904 23836 20 0 6116 576 - S+ pts/0 0:00 | \_ egrep -i ppid|pluto|ipsec|klips
1 0 22869 1 20 0 14744 880 - Ss ? 0:00 /usr/lib/ipsec/starter
4 0 22870 22869 20 0 147112 3984 - Ssl ? 0:00 \_ /usr/lib/ipsec/pluto --nofork --uniqueids
0 0 22942 22870 20 0 8020 340 - S ? 0:00 | \_ _pluto_adns
4 0 22918 22869 20 0 367428 4416 - Ssl ? 0:00 \_ /usr/lib/ipsec/charon --use-syslog
+ _________________________ ipsec/conf
+ /usr/lib/ipsec/_include /etc/ipsec.conf
+ /usr/lib/ipsec/_keycensor
#< /etc/ipsec.conf 1
generated by /opt/vyatta/sbin/vpn-config.pl
version 2.0
config setup
charonstart=no
interfaces="%none"
conn clear
auto=ignore
conn clear-or-private
auto=ignore
conn private-or-clear
auto=ignore
conn private
auto=ignore
conn block
auto=ignore
conn packetdefault
auto=ignore
conn %default
keyexchange=ikev1
#< /etc/dmvpn.conf 1
generated by /opt/vyatta/sbin/dmvpn-config.pl
conn vpnprof-tunnel-tun0
left=50.23.185.53
right=%any
rekey=no
leftprotoport=gre
rightprotoport=gre
ike=aes256-sha1,aes256-md5!
ikelifetime=30s
esp=aes256-sha1,3des-md5!
keylife=30s
rekeymargin=14s
type=transport
pfs=yes
pfsgroup=modp1536
compress=no
authby=secret
auto=add
keyingtries=%forever
#conn vpnprof-tunnel-tun0
#> /etc/ipsec.conf 32
+ _________________________ ipsec/secrets
+ /usr/lib/ipsec/_include /etc/ipsec.secrets
+ /usr/lib/ipsec/_secretcensor
#< /etc/ipsec.secrets 1
generated by /opt/vyatta/sbin/vpn-config.pl
#< /etc/dmvpn.secrets 1
generated by /opt/vyatta/sbin/dmvpn-config.pl
50.23.185.53 %any : PSK "[sums to df5b...]"
#> /etc/ipsec.secrets 5
+ _________________________ ipsec/listall
+ ipsec listall
000
000 List of registered IKEv1 Algorithms:
000
000 encryption: BLOWFISH_CBC[openssl] 3DES_CBC[des] AES_CBC[aes] CAMELLIA_CBC[openssl]
000 integrity: HMAC_MD5[md5] HMAC_SHA1[sha1] HMAC_SHA2_256[sha2] HMAC_SHA2_384[sha2] HMAC_SHA2_512[sha2]
000 dh-group: MODP_1024[openssl] MODP_1536[openssl] MODP_2048[openssl] MODP_3072[openssl] MODP_4096[openssl]
000 MODP_6144[openssl] MODP_8192[openssl] ECP_256[openssl] ECP_384[openssl] ECP_521[openssl]
000 MODP_1024_160[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] ECP_192[openssl] ECP_224[openssl]
000 random-gen: RNG_STRONG[random] RNG_TRUE[random]
000
000 List of registered ESP Algorithms:
000
000 encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC AES_CTR AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8
000 AES_GCM_12 AES_GCM_16 CAMELLIA_CBC AES_GMAC SERPENT_CBC TWOFISH_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512 HMAC_RIPEMD AES_XCBC_96 NULL HMAC_SHA2_256_96
List of registered IKEv2 Algorithms:
encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des] CAMELLIA_CBC[openssl] RC5_CBC[openssl] IDEA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl] NULL[openssl] AES_CTR[ctr]
integrity: AES_XCBC_96[xcbc] HMAC_SHA1_96[hmac] HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac] HMAC_SHA2_256_128[hmac] HMAC_SHA2_256_256[hmac] HMAC_MD5_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_256[hmac]
aead: AES_CCM_8[ccm] AES_CCM_12[ccm] AES_CCM_16[ccm] AES_GCM_8[gcm] AES_GCM_12[gcm] AES_GCM_16[gcm]
hasher: HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD5[md5] HASH_MD2[openssl] HASH_MD4[openssl]
prf: PRF_KEYED_SHA1[sha1] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc] PRF_HMAC_SHA1[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_MD5[hmac] PRF_HMAC_SHA2_384[hmac] PRF_HMAC_SHA2_512[hmac]
dh-group: MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl] ECP_192[openssl] MODP_3072[openssl] MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl]
random-gen: RNG_STRONG[random] RNG_TRUE[random]
+ '[' ']'
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (3.10.94-1-amd64-vyatta) support detected '
NETKEY (3.10.94-1-amd64-vyatta) support detected
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ plutolog
+ sed -n '1286,$p' /var/log/messages
+ egrep -i pluto
+ case "$1" in
+ cat
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: including NAT-Traversal patch (Version 0.6c) [disabled]
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
Aug 4 17:59:57 gw-seattle1-02-06-2016 ipsec_starter[22869]: pluto (22870) started after 20 ms
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: Changing to directory '/etc/ipsec.d/crls'
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: listening for IKE messages
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface tun0/tun0 172.16.200.1:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface eth0v1/eth0v1 10.28.103.84:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface eth1v1/eth1v1 50.23.185.53:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface eth1/eth1 50.23.185.54:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface eth0/eth0 10.28.103.98:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface lo/lo 192.168.175.1:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface lo/lo 192.168.170.1:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface lo/lo 127.0.0.1:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface eth1/eth1 2607:f0d0:2002:182::2:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface lo/lo ::1:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loading secrets from "/etc/ipsec.secrets"
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loading secrets from "/etc/dmvpn.secrets"
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loaded PSK secret for 50.23.185.53 %any
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: forgetting secrets
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loading secrets from "/etc/ipsec.secrets"
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loading secrets from "/etc/dmvpn.secrets"
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loaded PSK secret for 50.23.185.53 %any
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: Changing to directory '/etc/ipsec.d/crls'
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: forgetting secrets
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loading secrets from "/etc/ipsec.secrets"
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loading secrets from "/etc/dmvpn.secrets"
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loaded PSK secret for 50.23.185.53 %any
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: Changing to directory '/etc/ipsec.d/crls'
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: added connection description "vpnprof-tunnel-tun0"
Aug 4 18:01:08 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:01:08 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:01:08 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:01:08 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:01:08 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:01:18 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:01:18 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:01:18 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:01:18 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:01:18 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:01:38 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:01:38 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:01:38 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:01:38 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:01:38 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:02:18 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:02:18 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:02:18 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:02:18 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:02:18 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:02:51 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:02:51 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:02:51 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:02:51 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:02:51 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:03:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:03:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:03:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:03:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:03:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:03:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:03:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:03:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:03:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:03:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:04:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:04:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:04:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:04:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:04:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:04:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:04:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:04:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:04:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:04:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:05:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:05:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:05:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:05:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:05:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:06:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:06:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:06:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:06:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:06:01 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:06:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:06:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:06:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:06:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:06:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:07:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:07:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:07:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:07:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:07:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:07:47 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:07:47 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:07:47 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:07:47 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:07:47 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:07:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:07:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:07:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:07:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:07:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:08:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:08:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:08:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:08:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:08:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:08:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:08:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:08:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:08:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:08:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:09:37 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:09:37 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:09:37 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:09:37 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:09:37 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:10:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:10:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:10:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:10:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:10:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
+ _________________________ charonlog
+ sed -n '1,$p' /dev/null
+ egrep -i charon
+ case "$1" in
+ cat
+ _________________________ date
+ date
Thu Aug 4 18:10:34 CDT 2016
vyatta@gw-seattle1-02-06-2016:~$
VYATTA ON VMWARE FUSION:
vyatta@vyatta:~$ show version
Version: 4.1R2
Description: Brocade Vyatta Network OS 4.1 R2
Built on: Wed Dec 16 22:05:39 UTC 2015
System type: Intel 64bit
Boot via: image
Hypervisor: VMware
HW model: VMware Virtual Platform
HW S/N: VMware-56 4d a2 87 5f c4 ea 85-19 e1 4b 9f 37 1f d4 5c
HW UUID: 564DA287-5FC4-EA85-19E1-4B9F371FD45C
Uptime: 23:02:41 up 15 min, 2 users, load average: 0.29, 0.16, 0.10
vyatta@vyatta:~$
vyatta@vyatta:~$
vyatta@vyatta:~$ show configuration commands | grep tunnel
set interfaces tunnel tun0 address '172.16.200.4/24'
set interfaces tunnel tun0 encapsulation 'gre-multipoint'
set interfaces tunnel tun0 local-ip '192.168.166.139'
set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 nhrp map 172.16.200.1/24 nbma-address '50.23.185.53'
set interfaces tunnel tun0 nhrp map 172.16.200.1/24 'register'
set interfaces tunnel tun0 nhrp 'redirect'
set interfaces tunnel tun0 nhrp 'shortcut'
set security vpn ipsec profile DMVPN bind tunnel 'tun0'
vyatta@vyatta:~$ show configuration commands | grep vpn
set security vpn ipsec esp-group ESP-1H compression 'disable'
set security vpn ipsec esp-group ESP-1H lifetime '30'
set security vpn ipsec esp-group ESP-1H mode 'transport'
set security vpn ipsec esp-group ESP-1H pfs 'dh-group5'
set security vpn ipsec esp-group ESP-1H proposal 1 encryption 'aes256'
set security vpn ipsec esp-group ESP-1H proposal 1 hash 'sha1'
set security vpn ipsec esp-group ESP-1H proposal 2 encryption '3des'
set security vpn ipsec esp-group ESP-1H proposal 2 hash 'md5'
set security vpn ipsec ike-group IKE-1H lifetime '30'
set security vpn ipsec ike-group IKE-1H proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE-1H proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE-1H proposal 2 encryption 'aes256'
set security vpn ipsec ike-group IKE-1H proposal 2 hash 'md5'
set security vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
set security vpn ipsec profile DMVPN authentication pre-shared-secret 'NET123'
set security vpn ipsec profile DMVPN bind tunnel 'tun0'
set security vpn ipsec profile DMVPN esp-group 'ESP-1H'
set security vpn ipsec profile DMVPN ike-group 'IKE-1H'
vyatta@vyatta:~$
vyatta@vyatta:~$
vyatta@vyatta:~$
vyatta@vyatta:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
dp0p160p1 192.168.166.139/24 u/u
tun0 172.16.200.4/24 u/u
vyatta@vyatta:~$
vyatta@vyatta:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
0.0.0.0 192.168.166.139
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
tun0 down n/a n/a n/a no 0 30 gre
Peer ID / IP Local ID / IP
50.23.185.53 192.168.166.139
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
tun0 down n/a n/a n/a no 0 30 gre
vyatta@vyatta:~$ show vpn debug detail
IPsec version
Linux strongSwan U4.5.2/K4.1.14-1-amd64-vyatta
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
IPsec working directory
/usr/lib/ipsec
IPsec status
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface dp0p160p1/dp0p160p1 192.168.166.139:500
000 interface tun0/tun0 172.16.200.4:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "tun0-192.168.166.139-to-50.23.185.53": 192.168.166.139[192.168.166.139]:47/0...50.23.185.53[50.23.185.53]:47/0; unrouted; eroute owner: #0
000 "tun0-192.168.166.139-to-50.23.185.53": ike_life: 30s; ipsec_life: 30s; rekey_margin: 14s; rekey_fuzz: 100%; keyingtries: 0
000 "tun0-192.168.166.139-to-50.23.185.53": policy: PSK+ENCRYPT+PFS+UP; prio: 32,32; interface: dp0p160p1;
000 "tun0-192.168.166.139-to-50.23.185.53": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpnprof-tunnel-tun0": 192.168.166.139[192.168.166.139]:47/0...%any[%any]:47/0; unrouted; eroute owner: #0
000 "vpnprof-tunnel-tun0": ike_life: 30s; ipsec_life: 30s; rekey_margin: 14s; rekey_fuzz: 100%; keyingtries: 0
000 "vpnprof-tunnel-tun0": policy: PSK+ENCRYPT+PFS+DONTREKEY; prio: 32,32; interface: dp0p160p1;
000 "vpnprof-tunnel-tun0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "tun0-192.168.166.139-to-50.23.185.53" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 20s
000 #2: pending Phase 2 for "tun0-192.168.166.139-to-50.23.185.53" replacing #0
000
Info about all certificates/groups/plugins
000
000 List of registered IKEv1 Algorithms:
000
000 encryption: BLOWFISH_CBC[openssl] 3DES_CBC[des] AES_CBC[aes] CAMELLIA_CBC[openssl]
000 integrity: HMAC_MD5[md5] HMAC_SHA1[sha1] HMAC_SHA2_256[sha2] HMAC_SHA2_384[sha2] HMAC_SHA2_512[sha2]
000 dh-group: MODP_1024[openssl] MODP_1536[openssl] MODP_2048[openssl] MODP_3072[openssl] MODP_4096[openssl]
000 MODP_6144[openssl] MODP_8192[openssl] ECP_256[openssl] ECP_384[openssl] ECP_521[openssl]
000 MODP_1024_160[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] ECP_192[openssl] ECP_224[openssl]
000 random-gen: RNG_STRONG[random] RNG_TRUE[random]
000
000 List of registered ESP Algorithms:
000
000 encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC AES_CTR AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8
000 AES_GCM_12 AES_GCM_16 CAMELLIA_CBC AES_GMAC SERPENT_CBC TWOFISH_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512 HMAC_RIPEMD AES_XCBC_96 NULL HMAC_SHA2_256_96
sk RefCnt Rmem Wmem User Inode
src ::/0 dst ::/0 uid 0
socket out action allow index 60 priority 0 ptype main share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2016-08-04 23:01:04 use -
src ::/0 dst ::/0 uid 0
socket in action allow index 51 priority 0 ptype main share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2016-08-04 23:01:04 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 44 priority 0 ptype main share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2016-08-04 23:01:04 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 35 priority 0 ptype main share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2016-08-04 23:01:04 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 28 priority 0 ptype main share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2016-08-04 23:01:04 use 2016-08-04 23:03:21
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 19 priority 0 ptype main share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2016-08-04 23:01:04 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 12 priority 0 ptype main share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2016-08-04 23:01:04 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 3 priority 0 ptype main share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2016-08-04 23:01:04 use -
routing rule set
0: from all lookup local
32765: from all iif tun0 lookup 230
32766: from all lookup main
32766: from all lookup main
32767: from all lookup default
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
IP Route Table for VRF "default"
Gateway of last resort is 192.168.166.2 to network 0.0.0.0
K* 0.0.0.0/0 via 192.168.166.2, dp0p160p1
C 127.0.0.0/8 is directly connected, lo
C 172.16.200.0/24 is directly connected, tun0
C 192.168.166.0/24 is directly connected, dp0p160p1
#:cannot open configuration file '/ipsec.conf'
#:cannot open configuration file '/ipsec.secrets'
NETKEY (4.1.14-1-amd64-vyatta) support detected
vyatta
Thu Aug 4 23:03:41 UTC 2016
vyatta@vyatta:~$ show ip nhrp
Status: ok
Interface: tun0
Type: local
Protocol-Address: 172.16.200.255/32
Alias-Address: 172.16.200.4
Flags: up
Interface: tun0
Type: local
Protocol-Address: 172.16.200.4/32
Flags: up
Interface: tun0
Type: static
Protocol-Address: 172.16.200.1/24
NBMA-Address: 50.23.185.53
vyatta@vyatta:~$ ping 50.23.185.53
PING 50.23.185.53 (50.23.185.53) 56(84) bytes of data.
64 bytes from 50.23.185.53: icmp_seq=1 ttl=128 time=39.5 ms
64 bytes from 50.23.185.53: icmp_seq=2 ttl=128 time=38.8 ms
64 bytes from 50.23.185.53: icmp_seq=3 ttl=128 time=39.8 ms
64 bytes from 50.23.185.53: icmp_seq=4 ttl=128 time=39.3 ms
^C
--- 50.23.185.53 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 38.876/39.392/39.839/0.423 ms
vyatta@vyatta:~$ ping 172.16.200.1
PING 172.16.200.1 (172.16.200.1) 56(84) bytes of data.
From 172.16.200.4 icmp_seq=7 Destination Host Unreachable
From 172.16.200.4 icmp_seq=8 Destination Host Unreachable
From 172.16.200.4 icmp_seq=9 Destination Host Unreachable
From 172.16.200.4 icmp_seq=10 Destination Host Unreachable
^C
--- 172.16.200.1 ping statistics ---
11 packets transmitted, 0 received, +4 errors, 100% packet loss, time 10060ms
pipe 2
vyatta@vyatta:~$
vyatta@vyatta:~$ show log tail
2016-08-04T23:24:50.266689+00:00 localhost pluto[3902]: "tun0-192.168.166.139-to-50.23.185.53": deleting connection
2016-08-04T23:24:50.267037+00:00 localhost pluto[3902]: "tun0-192.168.166.139-to-50.23.185.53" #7: deleting state (STATE_MAIN_I1)
2016-08-04T23:24:50.271767+00:00 localhost pluto[3902]: added connection description "tun0-192.168.166.139-to-50.23.185.53"
2016-08-04T23:24:50.281342+00:00 localhost pluto[3902]: "tun0-192.168.166.139-to-50.23.185.53" #8: initiating Main Mode
2016-08-04T23:26:50.243061+00:00 localhost opennhrp[3625]: [172.16.200.1] Peer up script failed: timeout
2016-08-04T23:28:26.272709+00:00 localhost pluto[3902]: "tun0-192.168.166.139-to-50.23.185.53": deleting connection
2016-08-04T23:28:26.272960+00:00 localhost pluto[3902]: "tun0-192.168.166.139-to-50.23.185.53" #8: deleting state (STATE_MAIN_I1)
2016-08-04T23:28:26.278012+00:00 localhost pluto[3902]: added connection description "tun0-192.168.166.139-to-50.23.185.53"
2016-08-04T23:28:26.287641+00:00 localhost pluto[3902]: "tun0-192.168.166.139-to-50.23.185.53" #9: initiating Main Mode
2016-08-04T23:30:26.250374+00:00 localhost opennhrp[3625]: [172.16.200.1] Peer up script failed: timeout