On Thu, 8 Jul 2021, Dan Stromberg wrote:
> $ ike-scan vpn.nohats.ca
> Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
> Ending ike-scan 1.9.4: 1 hosts scanned in 2.529 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify
>
> Could someone not firewalled please run "ike-scan vpn.nohats.ca" and send output to the list, for the sake of comparison?
paul@bofh:~$ sudo ike-scan vpn.nohats.ca
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9.4: 1 hosts scanned in 2.616 seconds (0.38 hosts/sec). 0 returned handshake; 0 returned notify
I guess we increased our security :)
Jul 8 13:58:50.834070: packet from 193.110.157.194:500: initial Main Mode message received but no connection has been authorized with policy PSK
I added a bogus IKEv1 connection to it. So now scanning it shows:
paul@bofh:~$ sudo ike-scan vpn.nohats.ca
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
193.110.157.148	Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=d87781dc8be5eff1)
Ending ike-scan 1.9.4: 1 hosts scanned in 0.274 seconds (3.65 hosts/sec). 0 returned handshake; 1 returned notify
Note the "1 returned notify"
> PS: I'm not sure if I'm happy or daunted by the possibility of this being because of a firewall, as I haven't set one up and fear it may be out of my control.
If you have firewalld running, you might just want to either remove it, or run:
sudo firewall-cmd --zone=trusted --add-port=500/udp --permanent
sudo firewall-cmd --zone=trusted --add-port=4500/udp --permanent
sudo firewall-cmd --zone=trusted --add-protocol=50 --permanent
sudo systemctl restart firewalld
Paul
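The thread turns on the difference between "0 returned notify" (no reply at all) and "1 returned notify" (the peer answered). The following added parser, written for this page and not code from ike-scan or libreswan, reads the ike-scan 1.9.4 output format quoted above and classifies the responder's behaviour; the Notify line format is taken from the thread, while the "Main Mode Handshake returned" form is assumed from ike-scan's documentation, and the two sample outputs are copied from the scans above.

```python
import re
from dataclasses import dataclass, field

# Summary line ike-scan prints at the end of a run (may be wrapped by a mailer).
_SUMMARY = re.compile(r"hosts scanned in [\d.]+ seconds.*?(?P<hs>\d+) returned handshake; "
                      r"(?P<nt>\d+) returned notify", re.S)
# Per-host reply lines; the Notify form is quoted in the thread, the handshake
# form ("Main Mode Handshake returned") is assumed from ike-scan's documentation.
_NOTIFY = re.compile(r"^(?P<ip>\d+(?:\.\d+){3})\s+Notify message (?P<code>\d+) \((?P<name>[^)]+)\)", re.M)
_HANDSHAKE = re.compile(r"^(?P<ip>\d+(?:\.\d+){3})\s+Main Mode Handshake returned", re.M)

# Constructed samples, copied from the two scans quoted in the thread.
NO_REPLY = """Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9.4: 1 hosts scanned in 2.616 seconds (0.38 hosts/sec). 0 returned handshake; 0 returned notify
"""
NOTIFY_REPLY = """Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
193.110.157.148\tNotify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=d87781dc8be5eff1)
Ending ike-scan 1.9.4: 1 hosts scanned in 0.274 seconds (3.65 hosts/sec). 0 returned handshake; 1 returned notify
"""


@dataclass
class ScanResult:
    handshakes: int
    notifies: int
    replies: list = field(default_factory=list)  # (ip, kind, detail) tuples

    @property
    def verdict(self) -> str:
        if self.handshakes:
            return "peer accepted a proposal"
        if self.notifies:
            return "peer reachable on UDP/500, no proposal chosen"
        # Indistinguishable from a firewall from outside: a responder with no
        # authorised IKEv1 connection drops the packet silently (see pluto log).
        return "no reply: filtered or no IKEv1 policy"


def parse_ike_scan(output: str) -> ScanResult:
    """Parse one ike-scan run's text and classify what the responder did."""
    m = _SUMMARY.search(output)
    if m is None:
        raise ValueError("no 'Ending ike-scan' summary line found")
    result = ScanResult(int(m["hs"]), int(m["nt"]))
    for n in _NOTIFY.finditer(output):
        result.replies.append((n["ip"], "notify", f"{n['code']} {n['name']}"))
    for h in _HANDSHAKE.finditer(output):
        result.replies.append((h["ip"], "handshake", "Main Mode"))
    return result
```

Only the responder's own log can separate "filtered" from "no IKEv1 policy loaded", which is why the pluto line quoted above is the decisive evidence.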
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan