Tom Eastep wrote:
> Mike Lander wrote:
>> Which address is specified as the local end of the IPSEC tunnel-mode SP?
>>
>> -Tom
>>
>> conn arkonaIPsec
>> type = tunnel
>> left =66.224.62.118
>> leftnexthop= 66.224.62.97
>> right = 65.203.186.182
>> leftsubnet = 10.194.79.0/255.255.255.0
>> rightsubnet = 172.30.0.0/255.255.255.0
>> auto = start
>> keyexchange = ike
>> authby = secret
>> auth = esp
>> keyingtries = 0
>> pfs = yes
>> esp = 3DES-MD5
>> ike = 3DES-MD5-MODP1024
>> ikelifetime = 60m
>> rekeyfuzz = 100%
>> rekeymargin = 10m
>>
>> [EMAIL PROTECTED] ~]# ipsec auto status
>> ipsec auto: warning: obsolete command syntax used
>> 000 interface lo/lo ::1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface eth0/eth0 66.224.62.118
>> 000 interface eth1/eth1 67.183.187.44
>> 000 interface eth3/eth3 10.194.79.1
>> 000 %myid = (none)
>> 000 debug none
>> 000
>> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
>> keysizemax=64
>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
>> keysizemax=192
>> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
>> keysizemax=448
>> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
>> keysizemax=0
>> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
>> keysizemax=256
>> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
>> keysizemin=128, keysizemax=128
>> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
>> keysizemin=160, keysizemax=160
>> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
>> keysizemin=256, keysizemax=256
>> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
>> 000
>> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
>> keydeflen=192
>> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
>> keydeflen=128
>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>> 000
>> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36}
>> trans={0,3,336} attrs={0,3,224}
>> 000
>> 000 "arkonaIPsec":
>> 10.194.79.0/24===66.224.62.118---66.224.62.97...65.203.186.182===172.30.0.0/24;
>>
>> erouted; eroute owner: #5
>> 000 "arkonaIPsec": srcip=unset; dstip=unset; srcup=ipsec _updown;
>> dstup=ipsec _updown;
>> 000 "arkonaIPsec": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
>> 600s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "arkonaIPsec": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
>> interface: eth0;
>> 000 "arkonaIPsec": newest ISAKMP SA: #4; newest IPsec SA: #5;
>> 000 "arkonaIPsec": IKE algorithms wanted: 5_000-1-2, flags=strict
>> 000 "arkonaIPsec": IKE algorithms found: 5_192-1_128-2,
>> 000 "arkonaIPsec": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
>> 000 "arkonaIPsec": ESP algorithms wanted: 3_000-1, flags=strict
>> 000 "arkonaIPsec": ESP algorithms loaded: 3_000-1, flags=strict
>> 000 "arkonaIPsec": ESP algorithm newest: 3DES_0-HMAC_MD5;
>> pfsgroup=<Phase1>
>> 000
>> 000 #5: "arkonaIPsec":500 STATE_QUICK_R2 (IPsec SA established);
>> EVENT_SA_REPLACE in 1861s; newest IPSEC; eroute owner
>> 000 #5: "arkonaIPsec" [EMAIL PROTECTED] [EMAIL PROTECTED]
>> [EMAIL PROTECTED] [EMAIL PROTECTED]
>> 000 #4: "arkonaIPsec":500 STATE_MAIN_I4 (ISAKMP SA established);
>> EVENT_SA_REPLACE in 1110s; newest ISAKMP; lastdpd=58s(seq in:0 out:0)
>> 000
>> [EMAIL PROTECTED] ~]#
>>
>>
>> This is tunnedl status as we speak
>
> Ok.
>
> You have some cruft in your current configuration.
>
> a) The old routing rules when you has HIGH_ROUTE_MARKS=Yes are still there.
>Never mind -- I see that you have HIGH_ROUTE_MARKS=Yes but are using other mark values to select the provider. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
