Hi to all,

I am trying to configure a VPN, site to site, with IKEv1 and a pre-shared key on IPv4.

I followed the configuration at https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/ (closest configuration I could find, though the examples seem to have been designed for local networks). However the computer does not manage to connect:

thyfate@DataLearning-001:~$ sudo ipsec start
Starting strongSwan 5.1.2 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping daemon start
starter is already running (/var/run/starter.charon.pid exists) -- no fork done
thyfate@DataLearning-001:~$ sudo ipsec up ciscoios
initiating Main Mode IKE_SA ciscoios[3554] to 83.XXX.XXX.XXX
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
sending retransmit 5 of request message ID 0, seq 1
sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 bytes)
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
establishing connection 'ciscoios' failed

Any help would be greatly appreciated!

Thanks in advance,

Below some details on the setup:

I am using Ubuntu 14.04. My computer is behind an ISP-provided router box where ports 500 and 4500 have been NAT-forwarded, both on TCP and UDP. My computer's external address is 93.XXX.XXX.XXX and the local network the computer is on has the range 192.168.1.XXX, the specific machine having IP 192.168.1.104. On the other side, a Cisco ASA 5520 is used to create the VPN on an external IP address of 83.XXX.XXX.XXX.
Strongswan was installed with the following command line:

sudo apt-get install strongswan strongswan-plugin-af-alg strongswan-plugin-agent strongswan-plugin-certexpire strongswan-plugin-coupling strongswan-plugin-curl strongswan-plugin-dhcp strongswan-plugin-duplicheck strongswan-plugin-eap-aka strongswan-plugin-eap-aka-3gpp2 strongswan-plugin-eap-dynamic strongswan-plugin-eap-gtc strongswan-plugin-eap-mschapv2 strongswan-plugin-eap-peap strongswan-plugin-eap-radius strongswan-plugin-eap-tls strongswan-plugin-eap-ttls strongswan-plugin-error-notify strongswan-plugin-farp strongswan-plugin-fips-prf strongswan-plugin-gcrypt strongswan-plugin-gmp strongswan-plugin-ipseckey strongswan-plugin-kernel-libipsec strongswan-plugin-ldap strongswan-plugin-led strongswan-plugin-load-tester strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pgp strongswan-plugin-pkcs11 strongswan-plugin-pubkey strongswan-plugin-radattr strongswan-plugin-sshkey strongswan-plugin-systime-fix strongswan-plugin-whitelist strongswan-plugin-xauth-eap strongswan-plugin-xauth-generic strongswan-plugin-xauth-noauth strongswan-plugin-xauth-pam

The following configuration files are used:

============================================================
/etc/strongswan.conf
============================================================
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

============================================================
/etc/ipsec.conf
============================================================
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn ciscoios
        left=93.XXX.XXX.XXX             #strongswan outside address
        leftsubnet=172.31.17.0/28       #network behind strongswan
        leftid=93.XXX.XXX.XXX           #IKEID sent by strongswan
        leftfirewall=no
        right=83.XXX.XXX.XXX            #IOS outside address
        rightsubnet=172.21.148.0/28     #network behind IOS
        rightid=83.XXX.XXX.XXX          #IKEID sent by IOS
        auto=add
        ike=aes256-sha-modp1024         #P1: modp1024 = DH group 2
        esp=aes256-sha1                 #P2

============================================================
/etc/ipsec.secrets
============================================================
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

83.XXX.XXX.XXX : PSK "XXXXXX"

============================================================
Various command line results
============================================================
thyfate@DataLearning-001:~$ sudo ipsec --version
Linux strongSwan U5.1.2/K3.16.0-77-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
thyfate@DataLearning-001:~$ sudo ipsec statusall
[sudo] password for thyfate:
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.16.0-77-generic, x86_64):
  uptime: 42 days, since Jul 24 07:41:43 2017
  malloc: sbrk 2904064, mmap 266240, used 581776, free 2322288
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors curl unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp sshkey ipseckey pem openssl gcrypt af-alg fips-prf gmp xcbc cmac hmac ctr ccm gcm ntru attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-aka-3gpp2 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp whitelist lookip error-notify certexpire led duplicheck radattr addrblock
Listening IP addresses:
  192.168.1.104
Connections:
    ciscoios:  93.XXX.XXX.XXX...83.XXX.XXX.XXX  IKEv1
    ciscoios:   local:  [93.XXX.XXX.XXX] uses pre-shared key authentication
    ciscoios:   remote: [83.XXX.XXX.XXX] uses pre-shared key authentication
    ciscoios:   child:  0.0.0.0/0 === 172.21.148.0/28 TUNNEL
Security Associations (1 up, 0 connecting):
    ciscoios[3554]: CONNECTING, 93.XXX.XXX.XXX[%any]...83.XXX.XXX.XXX[%any]
    ciscoios[3554]: IKEv1 SPIs: 1b151f2a679038df_i* 0000000000000000_r
    ciscoios[3554]: Tasks queued: QUICK_MODE
    ciscoios[3554]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD

thyfate@DataLearning-001:~$ sudo ipsec listall
[sudo] password for thyfate:

List of registered IKE algorithms:

  encryption: DES_CBC[openssl] 3DES_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl] NULL[openssl] AES_CBC[aes] AES_CTR[gcrypt] CAMELLIA_CBC[openssl] CAMELLIA_CTR[gcrypt] DES_ECB[openssl] SERPENT_CBC[gcrypt] TWOFISH_CBC[gcrypt] RC2_CBC[rc2]
  integrity:  HMAC_MD5_96[openssl] HMAC_SHA1_96[openssl] AES_XCBC_96[af-alg] HMAC_MD5_128[openssl] HMAC_SHA1_160[openssl] AES_CMAC_96[cmac]
              HMAC_SHA2_256_128[openssl] HMAC_SHA2_384_192[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA1_128[openssl] HMAC_SHA2_256_96[af-alg] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[af-alg]
  aead:       AES_CCM_8[ccm] AES_CCM_12[ccm] AES_CCM_16[ccm] AES_GCM_8[openssl] AES_GCM_12[openssl] AES_GCM_16[openssl] CAMELLIA_CCM_8[ccm] CAMELLIA_CCM_12[ccm] CAMELLIA_CCM_16[ccm]
  hasher:     HASH_MD4[md4] HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]
  prf:        PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_AES128_XCBC[af-alg] PRF_HMAC_SHA2_256[openssl] PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1] PRF_CAMELLIA128_XCBC[af-alg]
  dh-group:   MODP_768[openssl] MODP_1024[openssl] MODP_1536[openssl] MODP_2048[openssl] MODP_3072[openssl] MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] MODP_1024_160[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] ECP_192[openssl] ECP_224[openssl] ECP_224_BP[openssl] ECP_256_BP[openssl] ECP_384_BP[openssl] ECP_512_BP[openssl] NTRU_112[ntru] NTRU_128[ntru] NTRU_192[ntru] NTRU_256[ntru] MODP_CUSTOM[openssl]
  random-gen: RNG_WEAK[rdrand] RNG_STRONG[rdrand] RNG_TRUE[rdrand]
  nonce-gen:  [nonce]

List of loaded Plugins:

charon: CUSTOM:libcharon NONCE_GEN CUSTOM:libcharon-receiver CUSTOM:kernel-ipsec CUSTOM:kernel-net CUSTOM:libcharon-receiver HASHER:HASH_SHA1 RNG:RNG_STRONG CUSTOM:socket
test-vectors: CUSTOM:test-vectors
curl: FETCHER:file:// FETCHER:http:// FETCHER:https:// FETCHER:ftp://
unbound: RESOLVER
ldap: FETCHER:ldap:// FETCHER:ldaps://
pkcs11: CUSTOM:pkcs11-certs CERT_DECODE:X509 PRIVKEY:ANY
aes: CRYPTER:AES_CBC-16 CRYPTER:AES_CBC-24 CRYPTER:AES_CBC-32
rc2: CRYPTER:RC2_CBC-0
sha1: HASHER:HASH_SHA1 PRF:PRF_KEYED_SHA1
sha2: HASHER:HASH_SHA224 HASHER:HASH_SHA256 HASHER:HASH_SHA384 HASHER:HASH_SHA512
md4: HASHER:HASH_MD4
md5: HASHER:HASH_MD5
rdrand: RNG:RNG_WEAK RNG:RNG_STRONG RNG:RNG_TRUE CRYPTER:AES_CBC-16
random: RNG:RNG_STRONG RNG:RNG_TRUE
nonce: NONCE_GEN RNG:RNG_WEAK
x509: CERT_ENCODE:X509 HASHER:HASH_SHA1 CERT_DECODE:X509 HASHER:HASH_SHA1 PUBKEY:RSA (soft) PUBKEY:ECDSA (soft) PUBKEY:DSA (soft) CERT_ENCODE:X509_AC CERT_DECODE:X509_AC CERT_ENCODE:X509_CRL CERT_DECODE:X509_CRL CERT_ENCODE:X509_OCSP_REQUEST HASHER:HASH_SHA1 RNG:RNG_WEAK CERT_DECODE:X509_OCSP_RESPONSE CERT_ENCODE:PKCS10_REQUEST CERT_DECODE:PKCS10_REQUEST
revocation: CUSTOM:revocation CERT_ENCODE:X509_OCSP_REQUEST (soft) CERT_DECODE:X509_OCSP_RESPONSE (soft) CERT_DECODE:X509_CRL (soft) CERT_DECODE:X509 (soft) FETCHER:(null) (soft)
constraints: CUSTOM:constraints CERT_DECODE:X509 (soft)
pubkey: CERT_ENCODE:TRUSTED_PUBKEY CERT_DECODE:TRUSTED_PUBKEY PUBKEY:RSA (soft) PUBKEY:ECDSA (soft) PUBKEY:DSA (soft)
pkcs1: PRIVKEY:RSA PUBKEY:ANY PUBKEY:RSA
pkcs7: CONTAINER_DECODE:PKCS7 CONTAINER_ENCODE:PKCS7_DATA CONTAINER_ENCODE:PKCS7_SIGNED_DATA CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA
pkcs8: PRIVKEY:ANY PRIVKEY:RSA PRIVKEY:ECDSA
pkcs12: CONTAINER_DECODE:PKCS12 CONTAINER_DECODE:PKCS7 CERT_DECODE:X509 (soft) PRIVKEY:ANY (soft) HASHER:HASH_SHA1 (soft) CRYPTER:3DES_CBC-24 (soft) CRYPTER:RC2_CBC-0 (soft)
pgp: PRIVKEY:ANY PRIVKEY:RSA PUBKEY:ANY PUBKEY:RSA CERT_DECODE:PGP
sshkey: PUBKEY:ANY
ipseckey: CUSTOM:ipseckey RESOLVER PUBKEY:RSA CERT_ENCODE:TRUSTED_PUBKEY
pem: PRIVKEY:ANY PRIVKEY:ANY HASHER:HASH_MD5 (soft) PRIVKEY:RSA PRIVKEY:RSA HASHER:HASH_MD5 (soft) PRIVKEY:ECDSA PRIVKEY:ECDSA HASHER:HASH_MD5 (soft) PRIVKEY:DSA (not loaded) PRIVKEY:DSA HASHER:HASH_MD5 (soft) PUBKEY:ANY PUBKEY:ANY PUBKEY:RSA PUBKEY:RSA PUBKEY:ECDSA PUBKEY:ECDSA PUBKEY:DSA (not loaded) PUBKEY:DSA CERT_DECODE:ANY CERT_DECODE:X509 (soft) CERT_DECODE:PGP (soft) CERT_DECODE:X509 CERT_DECODE:X509 CERT_DECODE:X509_CRL CERT_DECODE:X509_CRL CERT_DECODE:X509_OCSP_REQUEST (not loaded) CERT_DECODE:X509_OCSP_REQUEST CERT_DECODE:X509_OCSP_RESPONSE CERT_DECODE:X509_OCSP_RESPONSE CERT_DECODE:X509_AC CERT_DECODE:X509_AC CERT_DECODE:PKCS10_REQUEST CERT_DECODE:PKCS10_REQUEST CERT_DECODE:TRUSTED_PUBKEY CERT_DECODE:TRUSTED_PUBKEY CERT_DECODE:PGP CERT_DECODE:PGP CONTAINER_DECODE:PKCS12 CONTAINER_DECODE:PKCS12
openssl: CRYPTER:AES_CBC-16 CRYPTER:AES_CBC-24 CRYPTER:AES_CBC-32 CRYPTER:CAMELLIA_CBC-16 CRYPTER:CAMELLIA_CBC-24 CRYPTER:CAMELLIA_CBC-32 CRYPTER:CAST_CBC-0 CRYPTER:BLOWFISH_CBC-0 CRYPTER:3DES_CBC-24 CRYPTER:DES_CBC-8 CRYPTER:DES_ECB-8 CRYPTER:NULL-0 HASHER:HASH_MD4 HASHER:HASH_MD5 HASHER:HASH_SHA1 HASHER:HASH_SHA224 HASHER:HASH_SHA256 HASHER:HASH_SHA384 HASHER:HASH_SHA512 PRF:PRF_KEYED_SHA1 PRF:PRF_HMAC_MD5 PRF:PRF_HMAC_SHA1 PRF:PRF_HMAC_SHA2_256 PRF:PRF_HMAC_SHA2_384 PRF:PRF_HMAC_SHA2_512 SIGNER:HMAC_MD5_96 SIGNER:HMAC_MD5_128 SIGNER:HMAC_SHA1_96 SIGNER:HMAC_SHA1_128 SIGNER:HMAC_SHA1_160 SIGNER:HMAC_SHA2_256_128 SIGNER:HMAC_SHA2_256_256 SIGNER:HMAC_SHA2_384_192 SIGNER:HMAC_SHA2_384_384 SIGNER:HMAC_SHA2_512_256 SIGNER:HMAC_SHA2_512_512 AEAD:AES_GCM_8-16 AEAD:AES_GCM_8-24 AEAD:AES_GCM_8-32 AEAD:AES_GCM_12-16 AEAD:AES_GCM_12-24 AEAD:AES_GCM_12-32 AEAD:AES_GCM_16-16 AEAD:AES_GCM_16-24 AEAD:AES_GCM_16-32 DH:MODP_2048 DH:MODP_2048_224 DH:MODP_2048_256 DH:MODP_1536 DH:MODP_3072 DH:MODP_4096 DH:MODP_6144 DH:MODP_8192 DH:MODP_1024 DH:MODP_1024_160 DH:MODP_768 DH:MODP_CUSTOM PRIVKEY:RSA PRIVKEY:ANY PRIVKEY_GEN:RSA PUBKEY:RSA PUBKEY:ANY PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512 PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5 PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5 PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1 PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1 CERT_DECODE:X509 PUBKEY:RSA (soft) PUBKEY:ECDSA (soft) PUBKEY:DSA (soft) CERT_DECODE:X509_CRL CONTAINER_DECODE:PKCS7 CONTAINER_DECODE:PKCS12 DH:ECP_256 DH:ECP_384 DH:ECP_521 DH:ECP_224 DH:ECP_192 DH:ECP_224_BP DH:ECP_256_BP DH:ECP_384_BP DH:ECP_512_BP PRIVKEY:ECDSA PRIVKEY_GEN:ECDSA PUBKEY:ECDSA PRIVKEY_SIGN:ECDSA_WITH_NULL PUBKEY_VERIFY:ECDSA_WITH_NULL PRIVKEY_SIGN:ECDSA_WITH_SHA1_DER PUBKEY_VERIFY:ECDSA_WITH_SHA1_DER PRIVKEY_SIGN:ECDSA_WITH_SHA256_DER PUBKEY_VERIFY:ECDSA_WITH_SHA256_DER PRIVKEY_SIGN:ECDSA-256 PUBKEY_VERIFY:ECDSA-256 PRIVKEY_SIGN:ECDSA_WITH_SHA384_DER PRIVKEY_SIGN:ECDSA_WITH_SHA512_DER PUBKEY_VERIFY:ECDSA_WITH_SHA384_DER PUBKEY_VERIFY:ECDSA_WITH_SHA512_DER PRIVKEY_SIGN:ECDSA-384 PRIVKEY_SIGN:ECDSA-521 PUBKEY_VERIFY:ECDSA-384 PUBKEY_VERIFY:ECDSA-521 RNG:RNG_STRONG RNG:RNG_WEAK
gcrypt: CRYPTER:AES_CTR-16 CRYPTER:AES_CTR-24 CRYPTER:AES_CTR-32 CRYPTER:AES_CBC-16 CRYPTER:AES_CBC-24 CRYPTER:AES_CBC-32 CRYPTER:BLOWFISH_CBC-16 CRYPTER:CAMELLIA_CTR-16 CRYPTER:CAMELLIA_CTR-24 CRYPTER:CAMELLIA_CTR-32 CRYPTER:CAMELLIA_CBC-16 CRYPTER:CAMELLIA_CBC-24 CRYPTER:CAMELLIA_CBC-32 CRYPTER:CAST_CBC-0 CRYPTER:3DES_CBC-24 CRYPTER:DES_CBC-8 CRYPTER:DES_ECB-8 CRYPTER:SERPENT_CBC-16 CRYPTER:SERPENT_CBC-24 CRYPTER:SERPENT_CBC-32 CRYPTER:TWOFISH_CBC-16 CRYPTER:TWOFISH_CBC-32 HASHER:HASH_MD4 HASHER:HASH_MD5 HASHER:HASH_SHA1 HASHER:HASH_SHA224 HASHER:HASH_SHA256 HASHER:HASH_SHA384 HASHER:HASH_SHA512 DH:MODP_2048 DH:MODP_2048_224 DH:MODP_2048_256 DH:MODP_1536 DH:MODP_3072 DH:MODP_4096 DH:MODP_6144 DH:MODP_8192 DH:MODP_1024 DH:MODP_1024_160 DH:MODP_768 DH:MODP_CUSTOM PUBKEY:RSA PRIVKEY:RSA PRIVKEY_GEN:RSA RNG:RNG_WEAK RNG:RNG_STRONG RNG:RNG_TRUE
af-alg: HASHER:HASH_MD4 HASHER:HASH_MD5 HASHER:HASH_SHA1 HASHER:HASH_SHA224 HASHER:HASH_SHA256 HASHER:HASH_SHA384 HASHER:HASH_SHA512 SIGNER:HMAC_SHA1_96 SIGNER:HMAC_SHA1_128 SIGNER:HMAC_SHA1_160 SIGNER:HMAC_SHA2_256_96 SIGNER:HMAC_SHA2_256_128 SIGNER:HMAC_MD5_96 SIGNER:HMAC_MD5_128 SIGNER:HMAC_SHA2_256_256 SIGNER:HMAC_SHA2_384_192 SIGNER:HMAC_SHA2_384_384 SIGNER:HMAC_SHA2_512_256 SIGNER:HMAC_SHA2_512_512 SIGNER:AES_XCBC_96 SIGNER:CAMELLIA_XCBC_96 PRF:PRF_HMAC_SHA1 PRF:PRF_HMAC_SHA2_256 PRF:PRF_HMAC_MD5 PRF:PRF_HMAC_SHA2_384 PRF:PRF_HMAC_SHA2_512 PRF:PRF_AES128_XCBC PRF:PRF_CAMELLIA128_XCBC CRYPTER:DES_CBC-8 CRYPTER:DES_ECB-8 CRYPTER:3DES_CBC-24 CRYPTER:AES_CBC-16 CRYPTER:AES_CBC-24 CRYPTER:AES_CBC-32 CRYPTER:AES_CTR-16 CRYPTER:AES_CTR-24 CRYPTER:AES_CTR-32 CRYPTER:CAMELLIA_CBC-16 CRYPTER:CAMELLIA_CBC-24 CRYPTER:CAMELLIA_CBC-32 CRYPTER:CAMELLIA_CTR-16 CRYPTER:CAMELLIA_CTR-24 CRYPTER:CAMELLIA_CTR-32 CRYPTER:CAST_CBC-16 CRYPTER:BLOWFISH_CBC-16 CRYPTER:BLOWFISH_CBC-24 CRYPTER:BLOWFISH_CBC-32 CRYPTER:SERPENT_CBC-16 CRYPTER:SERPENT_CBC-24 CRYPTER:SERPENT_CBC-32 CRYPTER:TWOFISH_CBC-16 CRYPTER:TWOFISH_CBC-24 CRYPTER:TWOFISH_CBC-32
fips-prf: PRF:PRF_FIPS_SHA1_160 PRF:PRF_KEYED_SHA1
gmp: DH:MODP_2048 RNG:RNG_STRONG DH:MODP_2048_224 RNG:RNG_STRONG DH:MODP_2048_256 RNG:RNG_STRONG DH:MODP_1536 RNG:RNG_STRONG DH:MODP_3072 RNG:RNG_STRONG DH:MODP_4096 RNG:RNG_STRONG DH:MODP_6144 RNG:RNG_STRONG DH:MODP_8192 RNG:RNG_STRONG DH:MODP_1024 RNG:RNG_STRONG DH:MODP_1024_160 RNG:RNG_STRONG DH:MODP_768 RNG:RNG_STRONG DH:MODP_CUSTOM RNG:RNG_STRONG PRIVKEY:RSA PRIVKEY_GEN:RSA RNG:RNG_TRUE PUBKEY:RSA PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1 HASHER:HASH_SHA1 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224 HASHER:HASH_SHA224 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256 HASHER:HASH_SHA256 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384 HASHER:HASH_SHA384 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512 HASHER:HASH_SHA512 PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5 HASHER:HASH_MD5 PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1 HASHER:HASH_SHA1 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224 HASHER:HASH_SHA224 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256 HASHER:HASH_SHA256 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384 HASHER:HASH_SHA384 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512 HASHER:HASH_SHA512 PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5 HASHER:HASH_MD5 PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1 PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1 RNG:RNG_WEAK
xcbc: PRF:PRF_AES128_XCBC CRYPTER:AES_CBC-16 PRF:PRF_CAMELLIA128_XCBC CRYPTER:CAMELLIA_CBC-16 SIGNER:CAMELLIA_XCBC_96 CRYPTER:CAMELLIA_CBC-16 SIGNER:AES_XCBC_96 CRYPTER:AES_CBC-16
cmac: PRF:PRF_AES128_CMAC CRYPTER:AES_CBC-16 SIGNER:AES_CMAC_96 CRYPTER:AES_CBC-16
hmac: PRF:PRF_HMAC_SHA1 HASHER:HASH_SHA1 PRF:PRF_HMAC_MD5 HASHER:HASH_MD5 PRF:PRF_HMAC_SHA2_256 HASHER:HASH_SHA256 PRF:PRF_HMAC_SHA2_384 HASHER:HASH_SHA384 PRF:PRF_HMAC_SHA2_512 HASHER:HASH_SHA512 SIGNER:HMAC_SHA1_96 HASHER:HASH_SHA1 SIGNER:HMAC_SHA1_128 HASHER:HASH_SHA1 SIGNER:HMAC_SHA1_160 HASHER:HASH_SHA1 SIGNER:HMAC_MD5_96 HASHER:HASH_MD5 SIGNER:HMAC_MD5_128 HASHER:HASH_MD5 SIGNER:HMAC_SHA2_256_128 HASHER:HASH_SHA256 SIGNER:HMAC_SHA2_256_256 HASHER:HASH_SHA256 SIGNER:HMAC_SHA2_384_192 HASHER:HASH_SHA384 SIGNER:HMAC_SHA2_384_384 HASHER:HASH_SHA384 SIGNER:HMAC_SHA2_512_256 HASHER:HASH_SHA512 SIGNER:HMAC_SHA2_512_512 HASHER:HASH_SHA512
ctr: CRYPTER:AES_CTR-16 CRYPTER:AES_CBC-16 CRYPTER:AES_CTR-24 CRYPTER:AES_CBC-24 CRYPTER:AES_CTR-32 CRYPTER:AES_CBC-32 CRYPTER:CAMELLIA_CTR-16 CRYPTER:CAMELLIA_CBC-16 CRYPTER:CAMELLIA_CTR-24 CRYPTER:CAMELLIA_CBC-24 CRYPTER:CAMELLIA_CTR-32 CRYPTER:CAMELLIA_CBC-32
ccm: AEAD:AES_CCM_8-16 CRYPTER:AES_CBC-16 AEAD:AES_CCM_8-24 CRYPTER:AES_CBC-24 AEAD:AES_CCM_8-32 CRYPTER:AES_CBC-32 AEAD:AES_CCM_12-16 CRYPTER:AES_CBC-16 AEAD:AES_CCM_12-24 CRYPTER:AES_CBC-24 AEAD:AES_CCM_12-32 CRYPTER:AES_CBC-32 AEAD:AES_CCM_16-16 CRYPTER:AES_CBC-16 AEAD:AES_CCM_16-24 CRYPTER:AES_CBC-24 AEAD:AES_CCM_16-32 CRYPTER:AES_CBC-32 AEAD:CAMELLIA_CCM_8-16 CRYPTER:CAMELLIA_CBC-16 AEAD:CAMELLIA_CCM_8-24 CRYPTER:CAMELLIA_CBC-24 AEAD:CAMELLIA_CCM_8-32 CRYPTER:CAMELLIA_CBC-32 AEAD:CAMELLIA_CCM_12-16 CRYPTER:CAMELLIA_CBC-16 AEAD:CAMELLIA_CCM_12-24 CRYPTER:CAMELLIA_CBC-24 AEAD:CAMELLIA_CCM_12-32 CRYPTER:CAMELLIA_CBC-32 AEAD:CAMELLIA_CCM_16-16 CRYPTER:CAMELLIA_CBC-16 AEAD:CAMELLIA_CCM_16-24 CRYPTER:CAMELLIA_CBC-24 AEAD:CAMELLIA_CCM_16-32 CRYPTER:CAMELLIA_CBC-32
gcm: AEAD:AES_GCM_8-16 CRYPTER:AES_CBC-16 AEAD:AES_GCM_8-24 CRYPTER:AES_CBC-24 AEAD:AES_GCM_8-32 CRYPTER:AES_CBC-32 AEAD:AES_GCM_12-16 CRYPTER:AES_CBC-16 AEAD:AES_GCM_12-24 CRYPTER:AES_CBC-24 AEAD:AES_GCM_12-32 CRYPTER:AES_CBC-32 AEAD:AES_GCM_16-16 CRYPTER:AES_CBC-16 AEAD:AES_GCM_16-24 CRYPTER:AES_CBC-24 AEAD:AES_GCM_16-32 CRYPTER:AES_CBC-32
ntru: DH:NTRU_112 DH:NTRU_128 DH:NTRU_192 DH:NTRU_256 RNG:RNG_TRUE SIGNER:HMAC_SHA2_256_256 HASHER:HASH_SHA256 HASHER:HASH_SHA1 (soft)
attr: CUSTOM:attr
kernel-netlink: CUSTOM:kernel-ipsec CUSTOM:kernel-net
resolve: CUSTOM:resolve
socket-default: CUSTOM:socket CUSTOM:kernel-ipsec (soft)
farp: CUSTOM:farp
stroke: CUSTOM:stroke PRIVKEY:RSA (soft) PRIVKEY:ECDSA (soft) PRIVKEY:DSA (soft) CERT_DECODE:ANY (soft) CERT_DECODE:X509 (soft) CERT_DECODE:X509_CRL (soft) CERT_DECODE:X509_AC (soft) CERT_DECODE:TRUSTED_PUBKEY (soft)
updown: CUSTOM:updown
eap-identity: EAP_SERVER:ID EAP_CLIENT:ID
eap-aka: CUSTOM:aka-manager EAP_SERVER:AKA RNG:RNG_WEAK HASHER:HASH_SHA1 PRF:PRF_FIPS_SHA1_160 SIGNER:HMAC_SHA1_128 CRYPTER:AES_CBC-16 EAP_CLIENT:AKA RNG:RNG_WEAK HASHER:HASH_SHA1 PRF:PRF_FIPS_SHA1_160 SIGNER:HMAC_SHA1_128 CRYPTER:AES_CBC-16
eap-aka-3gpp2: CUSTOM:eap-aka-3gpp2-functions PRF:PRF_KEYED_SHA1 CUSTOM:aka-card CUSTOM:aka-manager CUSTOM:eap-aka-3gpp2-functions CUSTOM:aka-provider CUSTOM:aka-manager CUSTOM:eap-aka-3gpp2-functions
eap-gtc: EAP_SERVER:GTC EAP_CLIENT:GTC
eap-mschapv2: EAP_SERVER:MSCHAPV2 CRYPTER:DES_ECB-8 HASHER:HASH_MD4 HASHER:HASH_SHA1 RNG:RNG_WEAK EAP_CLIENT:MSCHAPV2 CRYPTER:DES_ECB-8 HASHER:HASH_MD4 HASHER:HASH_SHA1 RNG:RNG_WEAK
eap-dynamic: EAP_SERVER:DYN
eap-radius: EAP_SERVER:RAD CUSTOM:eap-radius XAUTH_SERVER:radius CUSTOM:eap-radius CUSTOM:eap-radius HASHER:HASH_MD5 SIGNER:HMAC_MD5_128 RNG:RNG_WEAK
eap-tls: EAP_SERVER:TLS HASHER:HASH_MD5 HASHER:HASH_SHA1 RNG:RNG_WEAK EAP_CLIENT:TLS HASHER:HASH_MD5 HASHER:HASH_SHA1 RNG:RNG_WEAK RNG:RNG_STRONG
eap-ttls: EAP_SERVER:TTLS EAP_SERVER:ID HASHER:HASH_MD5 HASHER:HASH_SHA1 RNG:RNG_WEAK EAP_CLIENT:TTLS EAP_CLIENT:ID HASHER:HASH_MD5 HASHER:HASH_SHA1 RNG:RNG_WEAK RNG:RNG_STRONG
eap-peap: EAP_SERVER:PEAP EAP_SERVER:ID HASHER:HASH_MD5 HASHER:HASH_SHA1 RNG:RNG_WEAK EAP_CLIENT:PEAP EAP_CLIENT:ID HASHER:HASH_MD5 HASHER:HASH_SHA1 RNG:RNG_WEAK RNG:RNG_STRONG
xauth-generic: XAUTH_SERVER:generic XAUTH_CLIENT:generic
xauth-eap: XAUTH_SERVER:eap
xauth-noauth: XAUTH_SERVER:noauth
dhcp: CUSTOM:dhcp RNG:RNG_WEAK
whitelist: CUSTOM:whitelist
lookip: CUSTOM:lookip
error-notify: CUSTOM:error-notify
certexpire: CUSTOM:certexpire
led: CUSTOM:led
duplicheck: CUSTOM:duplicheck
radattr: CUSTOM:radattr
addrblock: CUSTOM:addrblock CERT_DECODE:X509 (soft)

thyfate@DataLearning-001:~$ sudo ip -s xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket in action allow index 507 priority 0 share any flag (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-07-24 07:42:21 use 2017-09-02 10:13:15
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket out action allow index 500 priority 0 share any flag (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-07-24 07:42:21 use 2017-09-02 10:13:15
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket in action allow index 491 priority 0 share any flag (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-07-24 07:42:21 use 2017-09-04 08:15:37
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket out action allow index 484 priority 0 share any flag (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-07-24 07:42:21 use 2017-09-04 02:54:33
src ::/0 dst ::/0 uid 0
        socket in action allow index 475 priority 0 share any flag (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-07-24 07:42:21 use -
src ::/0 dst ::/0 uid 0
        socket out action allow index 468 priority 0 share any flag (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-07-24 07:42:21 use -
src ::/0 dst ::/0 uid 0
        socket in action allow index 459 priority 0 share any flag (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-07-24 07:42:21 use -
src ::/0 dst ::/0 uid 0
        socket out action allow index 452 priority 0 share any flag (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-07-24 07:42:21 use -

thyfate@DataLearning-001:~$ sudo ip -s xfrm state
thyfate@DataLearning-001:~$ ip route list table 220
thyfate@DataLearning-001:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
thyfate@DataLearning-001:~$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Mon Sep 4 08:39:12 2017
*nat
:PREROUTING ACCEPT [14381:2557534]
:INPUT ACCEPT [14224:2540988]
:OUTPUT ACCEPT [18294:1425542]
:POSTROUTING ACCEPT [18294:1425542]
-A POSTROUTING -s 172.31.17.0/28 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Sep 4 08:39:12 2017
# Generated by iptables-save v1.4.21 on Mon Sep 4 08:39:12 2017
*filter
:INPUT ACCEPT [676542:524740723]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [434134:197554510]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Mon Sep 4 08:39:12 2017
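As an added example, not part of the original post and not strongSwan's own tooling: a Python script that cross-checks the three artefacts posted above (the conn in ipsec.conf, the "Listening IP addresses" and "child:" lines of `ipsec statusall`, and the charon output of `ipsec up`) and lists what to look at first when an IKEv1 initiator gets no answer. The inputs embedded in it are copied from the post (addresses masked as in the post); the function names, the messages and the heuristics are mine, for instance treating a `left` address that charon is not listening on as suspect on a NATed host, and treating loaded traffic selectors that differ from the file as a sign of a stale configuration. They are not strongSwan diagnostics.

```python
"""Triage for a strongSwan IKEv1 initiator that gets no answer. Added example,
not from the post or from strongSwan; inputs copied from the post, checks are
heuristics."""
import re

IPSEC_CONF = """\
conn %default
        keyexchange=ikev1
        authby=secret

conn ciscoios
        left=93.XXX.XXX.XXX             #strongswan outside address
        leftsubnet=172.31.17.0/28       #network behind strongswan
        leftid=93.XXX.XXX.XXX           #IKEID sent by strongswan
        right=83.XXX.XXX.XXX            #IOS outside address
        rightsubnet=172.21.148.0/28     #network behind IOS
        ike=aes256-sha-modp1024         #P1: modp1024 = DH group 2
        esp=aes256-sha1                 #P2
"""
STATUSALL = """\
Listening IP addresses:
  192.168.1.104
Connections:
    ciscoios:   child:  0.0.0.0/0 === 172.21.148.0/28 TUNNEL
Security Associations (1 up, 0 connecting):
"""
UP_LOG = """\
sending retransmit 1 of request message ID 0, seq 1
sending retransmit 2 of request message ID 0, seq 1
sending retransmit 3 of request message ID 0, seq 1
sending retransmit 4 of request message ID 0, seq 1
sending retransmit 5 of request message ID 0, seq 1
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
"""

def parse_ipsec_conf(text):
    """{conn: {key: value}}, %default merged in, trailing '#' comments dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                      # section header
            current = line.split(None, 1)[1] if line.startswith("conn ") else None
            if current is not None:
                conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}

def parse_statusall(text):
    """(listening addresses, [(left_ts, right_ts)]) from `ipsec statusall`."""
    listening, children, in_listen = [], [], False
    for line in text.splitlines():
        if not line[:1].isspace():                    # a new top-level section
            in_listen = line.startswith("Listening IP addresses:")
        elif in_listen and line.strip():
            listening.append(line.strip())
        m = re.search(r"child:\s+(\S+) === (\S+)", line)
        if m:
            children.append((m.group(1), m.group(2)))
    return listening, children

def classify_up_log(text):
    """'no-response': the responder never replied; 'rejected:<NOTIFY>': it replied
    with an error notify. Second value is the number of retransmits seen."""
    retransmits = len(re.findall(r"^sending retransmit \d+ of request", text, re.M))
    m = re.search(r"received (\w+) error notify", text)
    if m:
        return f"rejected:{m.group(1)}", retransmits
    if re.search(r"giving up after \d+ retransmits|peer not responding", text):
        return "no-response", retransmits
    return "unknown", retransmits

def triage(conf, statusall, up_log, conn):
    """Cross-check the file, the loaded config and the log; returns (outcome, findings)."""
    opts = parse_ipsec_conf(conf)[conn]
    listening, children = parse_statusall(statusall)
    outcome, retransmits = classify_up_log(up_log)
    findings = []
    if outcome == "no-response":
        findings.append(f"no reply after {retransmits} retransmits of the first Main Mode "
                        f"packet: this fails before any proposal, ID or PSK is checked, so "
                        f"confirm UDP/500 and UDP/4500 reach {opts['right']} and that the "
                        f"peer has a tunnel configured for this initiator")
    elif outcome.startswith("rejected:"):
        findings.append(f"peer answered with {outcome.split(':', 1)[1]}: reachability is "
                        f"fine, compare ike/esp proposals, IDs and the PSK with the peer")
    left = opts.get("left", "")
    if left and not left.startswith("%") and left not in listening:
        findings.append(f"left={left} is not an address charon listens on ({', '.join(listening)}): "
                        f"behind NAT use the local address or %defaultroute for left, public IP in leftid")
    wanted = (opts.get("leftsubnet", left), opts.get("rightsubnet", opts.get("right")))
    if children and wanted not in children:
        findings.append(f"loaded selectors {children} differ from the file "
                        f"({wanted[0]} === {wanted[1]}): run 'ipsec update' after editing")
    proposals = opts.get("ike", "") + " " + opts.get("esp", "")
    if re.search(r"modp(768|1024)\b", proposals):
        findings.append("proposal uses a MODP group of 1024 bits or less: prefer modp2048 or larger")
    if re.search(r"-(sha1?|md5)(?=-|\s|$)", proposals):
        findings.append("proposal uses SHA-1/MD5 integrity: prefer sha256 if the peer allows")
    return outcome, findings

if __name__ == "__main__":
    for finding in triage(IPSEC_CONF, STATUSALL, UP_LOG, "ciscoios")[1]:
        print("-", finding)
```

Run as a script it prints the findings for the posted setup. The decisive point for "peer not responding" is that the responder never sent anything back, so proposal or PSK mismatches cannot yet be the cause; a capture on the router or on the ASA side for UDP port 500 (and 4500 for NAT-T) shows whether the first packet arrives at all. The other findings (the public address in `left` while charon listens only on 192.168.1.104, and the loaded selectors not matching the file) are worth fixing in the same pass, and the MODP-1024 / SHA-1 notes are hardening, not causes.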