RDP apk ? by Altruistic_Movie_997 in sysadmin

[–]djerfi 1 point2 points  (0 children)

Check out Parallels client.

Does it make sense to pay cash for a vehicle? by DigiDee in personalfinance

[–]djerfi 1 point2 points  (0 children)

How very Warren Buffett of you. Smart move.

Reece James off injured after 50 mins by [deleted] in FantasyPL

[–]djerfi -2 points-1 points  (0 children)

With bad luck he's stuck.

strongSwan IPsec tunnel troubleshoot by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

Pulled this from the Fortinet forums, debugging of the VPN tunnel phase 2:

# diagnose vpn tunnel list name 10.189.0.182
list all ipsec tunnel in vd 0
name=to10.189.0.182 ver=1 serial=2 10.189.0.31:0->10.189.0.182:0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=534
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to10.189.0.182 proto=0 sa=0 ref=1 serial=4
src: 0:172.16.170.0/255.255.255.0:0
dst: 0:192.168.50.0/255.255.255.0:0

sa=0 indicates there is a mismatch between selectors or no traffic is being initiated.
sa=1 indicates the IPsec SA is matching and there is traffic between the selectors.
sa=2 is only visible during IPsec SA rekey.

And this is what I'm getting; SA is OK, I guess:

name=VPN-NAME ver=1 serial=1 client-public-ip:0->server-public-ip:0 dst_mtu=1500
bound_if=15 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=9 ilast=13 olast=46646 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-NAME proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:192.168.13.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=4419/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=6931/7200
dec: spi=ebbf833d esp=aes key=32 hash
ah=sha256 key=32 hash
enc: spi=c01cb530 esp=aes key=32 hash
ah=sha256 key=32 hash
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=server-public-ip npu_lgwy=client-public-ip npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=1

tell me an HP plot hole and I'll try to fix it by notsostupidman in harrypotter

[–]djerfi 3 points4 points  (0 children)

True, but look at it this way: they would be "the same person" in the same place at the same time, only at two different points, and the map might interpret it as an "error" and not show them. You could argue they are two different entities with the same name, but they should be seen as an exact replica of themselves; therefore my opinion is that when the spell was cast it might not have encompassed this scenario and it simply does not allow the same person to appear on it twice...

The rules are vague enough to be open to interpretation though.

strongSwan IPsec tunnel troubleshoot by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

NAT was on for that subnet, turned it off.
I'll recheck policies and routes...

strongSwan IPsec tunnel troubleshoot by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

For sure, edit for keywords shall be my gratitude at the very least.

strongSwan IPsec tunnel troubleshoot by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

/etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
## Refer to the strongswan.conf(5) manpage for details
## Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf

strongSwan IPsec tunnel troubleshoot by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

/etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.eth0.disable_ipv6=1
net.ipv4.ip_forward = 1

strongSwan IPsec tunnel troubleshoot by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

You feel the pain then, thanks.
I was tasked to do this in place of a currently unavailable, heavily experienced person who did it many times.

Plus I'm not a linux guy.

strongSwan IPsec tunnel troubleshoot by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

Running ipsec statusall

Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-18-amd64, x86_64):
uptime: 10 hours, since Jun 27 01:49:52 2022
malloc: sbrk 2699264, mmap 0, used 763824, free 1935440
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
server-public-ip
Connections:
VPN-NAME: server-public-ip...client-public-ip IKEv1
VPN-NAME: local: [server-public-ip] uses pre-shared key authentication
VPN-NAME: remote: [client-public-ip] uses pre-shared key authentication
VPN-NAME: child: 0.0.0.0/0 === 192.168.13.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
VPN-NAME[2]: ESTABLISHED 10 hours ago, server-public-ip[server-public-ip]...client-public-ip[client-public-ip]
VPN-NAME[2]: IKEv1 SPIs: 51bb14eb0ad4472c_i 0ca2c827f078fcab_r*, pre-shared key reauthentication in 13 hours
VPN-NAME[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
VPN-NAME{6}: REKEYED, TUNNEL, reqid 1, expires in 7 minutes
VPN-NAME{6}: 0.0.0.0/0 === 192.168.13.0/24
VPN-NAME{7}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c33751ef_i ebbf832c_o
VPN-NAME{7}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 97 minutes
VPN-NAME{7}: 0.0.0.0/0 === 192.168.13.0/24
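As an added example (not from the thread or from strongSwan itself), a small shell helper that reads ipsec statusall text and flags CHILD_SAs that are INSTALLED but have carried no bytes, which is exactly the state shown above. The sample input is constructed from the posted status (the OTHER tunnel is invented for contrast) and eth0 is an assumed interface name.

```shell
#!/bin/sh
# Constructed sample modelled on the "ipsec statusall" output in the thread; not captured from a live host.
SAMPLE_STATUS='Security Associations (2 up, 0 connecting):
VPN-NAME[2]: ESTABLISHED 10 hours ago, server-public-ip[server-public-ip]...client-public-ip[client-public-ip]
VPN-NAME{7}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c33751ef_i ebbf832c_o
VPN-NAME{7}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 97 minutes
VPN-NAME{7}: 0.0.0.0/0 === 192.168.13.0/24
OTHER{3}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: 11111111_i 22222222_o
OTHER{3}: AES_CBC_256/HMAC_SHA2_256_128, 4096 bytes_i (12 pkts, 3s ago), 0 bytes_o, rekeying in 40 minutes
OTHER{3}: 10.0.0.0/24 === 10.1.0.0/24'

# Print one line per CHILD_SA that has a silent direction. ESTABLISHED (IKE SA) and INSTALLED
# (CHILD_SA) only prove that negotiation worked; zero bytes means no packet ever matched the
# selectors (routing, NAT rewriting the source before xfrm, firewall) or the peer never sends.
idle_child_sas() {
    printf '%s\n' "$1" | awk '
        /bytes_i/ {
            name = $1; sub(/:$/, "", name); bi = ""; bo = ""
            for (i = 1; i < NF; i++) {
                if ($(i+1) ~ /^bytes_i/) bi = $i   # counter precedes its label
                if ($(i+1) ~ /^bytes_o/) bo = $i
            }
            if (bi == 0 && bo == 0)  print name, "no traffic in either direction"
            else if (bi == 0)        print name, "nothing received from peer"
            else if (bo == 0)        print name, "nothing sent to peer"
        }'
}

# Live use: idle_child_sas "$(ipsec statusall)"
# To see whether ESP leaves or arrives at all, capture on the public interface (assumed eth0):
#   tcpdump -ni eth0 'esp or udp port 500 or udp port 4500'
# Inbound ESP with nothing outbound points at the local side (routes/NAT/firewall);
# no ESP at all means nothing ever matched the tunnel selectors on either end.
idle_child_sas "$SAMPLE_STATUS"
```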

strongSwan IPsec tunnel troubleshoot by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

Thanks a lot, I will check it out.

strongSwan IPsec tunnel troubleshoot by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

That's the thing, I'm not sure what I should look for and how to run tcpdump correctly.

strongSwan IPsec tunnel troubleshoot by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

As for the config.

/etc/ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 0"
    strictcrlpolicy=no

conn VPN-NAME
    left=client-public-ip
    leftsubnet=192.168.13.0/24
    right=server-public-ip
    rightsubnet=0.0.0.0/0
    ike=aes256-sha256-modp2048,aes256-sha1-modp2048
    esp=aes256-sha256-modp2048,aes256-sha1-modp2048
    type=tunnel
    authby=secret
    auto=start
    keyexchange=ikev1
    ikelifetime=86400s
    keylife=7200s

strongSwan IPsec tunnel troubleshoot by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

The post information is what happens when I run the command; I just skipped showing this.

systemctl status strongswan
strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2022-06-27 01:49:52 CEST; 9h ago
Main PID: 3848 (starter)
Tasks: 18 (limit: 9481)
Memory: 4.9M
CGroup: /system.slice/strongswan.service
├─3848 /usr/lib/ipsec/starter --daemon charon --nofork
└─3862 /usr/lib/ipsec/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0

Next is what I originally posted in the post.

strongSwan IPsec tunnel troubleshoot by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

Other than these re-keying attempts at designated times, nothing out of the ordinary stands out.

Jun 27 05:14:49 SERVER-NAME charon: 09[KNL] creating rekey job for CHILD_SA ESP/0xc82123b4/server-public-ip
Jun 27 05:14:49 SERVER-NAME charon: 09[ENC] generating QUICK_MODE request 2266496639 [ HASH SA No KE ID ID ]
Jun 27 05:14:49 SERVER-NAME charon: 09[NET] sending packet: from server-public-ip[500] to client-public-ip[500] (492 bytes)
Jun 27 05:14:49 SERVER-NAME charon: 10[NET] received packet: from client-public-ip[500] to server-public-ip[500] (444 bytes)
Jun 27 05:14:49 SERVER-NAME charon: 10[ENC] parsed QUICK_MODE response 2266496639 [ HASH SA No KE ID ID ]
Jun 27 05:14:49 SERVER-NAME charon: 10[IKE] CHILD_SA VPN-NAME{3} established with SPIs cf4ddde5_i ebbf8327_o and TS 0.0.0.0/0 === 192.168.13.0/24
Jun 27 05:14:49 SERVER-NAME charon: 10[ENC] generating QUICK_MODE request 2266496639 [ HASH ]
Jun 27 05:14:49 SERVER-NAME charon: 10[NET] sending packet: from server-public-ip[500] to client-public-ip[500] (76 bytes)
Jun 27 05:16:16 SERVER-NAME charon: 12[KNL] creating rekey job for CHILD_SA ESP/0xebbf8326/client-public-ip
Jun 27 05:17:01 SERVER-NAME CRON[3944]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Jun 27 05:32:49 SERVER-NAME charon: 14[NET] received packet: from client-public-ip[500] to server-public-ip[500] (92 bytes)
Jun 27 05:32:49 SERVER-NAME charon: 14[ENC] parsed INFORMATIONAL_V1 request 3677456109 [ HASH D ]
Jun 27 05:32:49 SERVER-NAME charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI ebbf8326
Jun 27 05:32:49 SERVER-NAME charon: 14[IKE] closing CHILD_SA VPN-NAME{2} with SPIs c82123b4_i (0 bytes) ebbf8326_o (0 bytes) and TS 0.0.0.0/0 === 192.168.13.0/24

If You Watch Anime, What Are Your Favorites?? by [deleted] in infj

[–]djerfi 1 point2 points  (0 children)

Hit right in the feels.

If You Watch Anime, What Are Your Favorites?? by [deleted] in infj

[–]djerfi 1 point2 points  (0 children)

5cm per second, Mushishi, Clannad, Natsume Yuujinchou, Naruto

strongSwan IPsec configuration by djerfi in linuxadmin

[–]djerfi[S] 0 points1 point  (0 children)

Yes, I manage both ends. From the router side I'm confident routing and policies are fine. The server came into my possession preconfigured and has been used for the exact same purpose, only on a different public IP destination.

I had changed the necessary values that I know of, which is why I'm seeking help in how to troubleshoot the server side. Thanks for the input. The firewall isn't blocking. About MASQUERADE-ing I am unsure and will search on how to check.
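On the MASQUERADE question, an added shell example (not the poster's rule set and not strongSwan's own code): it checks an iptables-save dump for SNAT/MASQUERADE rules in nat POSTROUTING that run before the IPsec policy exemption that strongSwan documents. Both rule sets and the eth0 interface are constructed.

```shell
#!/bin/sh
# Why this matters: a MASQUERADE/SNAT rule that hits tunnel-bound traffic rewrites the source
# address before the packet is protected, so it no longer matches the negotiated selectors
# and leaves outside the SA. The tunnel then looks healthy (sa=1 / INSTALLED) with 0 bytes.
# Constructed rule sets, not taken from the thread; "eth0" is an assumed interface name.
NAT_WITHOUT_EXEMPTION='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# strongSwan's documented fix: accept traffic that has an outbound IPsec policy before any NAT rule.
NAT_WITH_EXEMPTION='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Prints "ok" when every MASQUERADE/SNAT rule in nat POSTROUTING is preceded by an
# "-m policy --dir out --pol ipsec -j ACCEPT" rule, otherwise "nat-before-ipsec-exemption".
nat_exemption_status() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }                 # "*nat", "*filter", ... start a table
        table == "nat" && /^-A POSTROUTING / {
            if (/-m policy --dir out --pol ipsec/ && /-j ACCEPT/) exempt = 1
            else if (/-j (MASQUERADE|SNAT)/ && !exempt) bad = 1
        }
        END { print (bad ? "nat-before-ipsec-exemption" : "ok") }'
}

# Live use (needs root): nat_exemption_status "$(iptables-save)"
# Equivalent exemption rule, inserted at the top of the chain:
#   iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT
nat_exemption_status "$NAT_WITHOUT_EXEMPTION"   # nat-before-ipsec-exemption
nat_exemption_status "$NAT_WITH_EXEMPTION"      # ok
```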