Openswan ipsec tool: Difference between revisions
Thomas (talk | contribs) | Thomas (talk | contribs)
Line 45: | Line 45:
=reread secrets= | =reread secrets= | ||
*ipsec auto --rereadsecrets | *ipsec auto --rereadsecrets | ||
− | |||
− | |||
− | |||
− | |||
− | |||
=status of all connections= | =status of all connections= | ||
− | ipsec auto --status | + | *ipsec auto --status |
+ | =status of one connection= | ||
+ | *ipsec auto --status | grep toc-ras | ||
+ | <pre> | ||
+ | 000 "toc-ras": 192.168.122.0/24===192.168.252.5<192.168.252.5>...192.168.241.13<192.168.241.13>===192.168.56.0/24; erouted; eroute owner: #16 | ||
+ | 000 "toc-ras": myip=unset; hisip=unset; | ||
+ | 000 "toc-ras": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 | ||
+ | 000 "toc-ras": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0; | ||
+ | 000 "toc-ras": newest ISAKMP SA: #15; newest IPsec SA: #16; | ||
+ | 000 "toc-ras": IKE algorithms wanted: AES_CBC(7)_256-MD5(1)_000-MODP1536(5); flags=-strict | ||
+ | 000 "toc-ras": IKE algorithms found: AES_CBC(7)_256-MD5(1)_128-MODP1536(5) | ||
+ | 000 "toc-ras": IKE algorithm newest: AES_CBC_256-MD5-MODP1536 | ||
+ | 000 "toc-ras": ESP algorithms wanted: AES(12)_256-MD5(1)_000; pfsgroup=MODP1536(5); flags=-strict | ||
+ | 000 "toc-ras": ESP algorithms loaded: AES(12)_256-MD5(1)_128 | ||
+ | 000 "toc-ras": ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=MODP1536 | ||
+ | 000 #16: "toc-ras":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28404s; newest IPSEC; eroute owner; isakmp#15; idle; import:not set | ||
+ | 000 #16: "toc-ras" esp.26aaf00e@192.168.241.13 esp.71b98466@192.168.252.5 tun.0@192.168.241.13 tun.0@192.168.252.5 ref=0 refhim=4294901761 | ||
+ | 000 #15: "toc-ras":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3204s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set | ||
+ | </pre> | ||
=have a look to the established connections= | =have a look to the established connections= | ||
− | ipsec look | + | *ipsec look |
+ | <pre> | ||
+ | toc Thu Feb 11 14:40:39 CET 2016 | ||
+ | XFRM state: | ||
+ | src 192.168.241.13 dst 192.168.252.5 | ||
+ | proto esp spi 0x71b98466 reqid 16401 mode tunnel | ||
+ | replay-window 32 flag af-unspec | ||
+ | auth-trunc hmac(md5) 0x9def4a65b3bee66c4de357f5cca24cb0 96 | ||
+ | enc cbc(aes) 0xd819c9243025df09b41333a01f7341e906615f638673af60851f3a2f297f9ba7 | ||
+ | src 192.168.252.5 dst 192.168.241.13 | ||
+ | proto esp spi 0x26aaf00e reqid 16401 mode tunnel | ||
+ | replay-window 32 flag af-unspec | ||
+ | auth-trunc hmac(md5) 0x6f013010f2b134369a09a783ca6e37b7 96 | ||
+ | enc cbc(aes) 0x58e68b8534684d83b905603ce174bfb4c387023b6f6e46e319eb8465729ab7f8 | ||
+ | XFRM policy: | ||
+ | src 192.168.122.0/24 dst 192.168.56.0/24 | ||
+ | dir out priority 2344 | ||
+ | tmpl src 192.168.252.5 dst 192.168.241.13 | ||
+ | proto esp reqid 16401 mode tunnel | ||
+ | src 192.168.56.0/24 dst 192.168.122.0/24 | ||
+ | dir fwd priority 2344 | ||
+ | tmpl src 192.168.241.13 dst 192.168.252.5 | ||
+ | proto esp reqid 16401 mode tunnel | ||
+ | src 192.168.56.0/24 dst 192.168.122.0/24 | ||
+ | dir in priority 2344 | ||
+ | tmpl src 192.168.241.13 dst 192.168.252.5 | ||
+ | proto esp reqid 16401 mode tunnel | ||
+ | src ::/0 dst ::/0 | ||
+ | socket out priority 0 | ||
+ | src ::/0 dst ::/0 | ||
+ | socket in priority 0 | ||
+ | src ::/0 dst ::/0 | ||
+ | socket out priority 0 | ||
+ | src ::/0 dst ::/0 | ||
+ | socket in priority 0 | ||
+ | src 0.0.0.0/0 dst 0.0.0.0/0 | ||
+ | socket out priority 0 | ||
+ | src 0.0.0.0/0 dst 0.0.0.0/0 | ||
+ | socket in priority 0 | ||
+ | src 0.0.0.0/0 dst 0.0.0.0/0 | ||
+ | socket out priority 0 | ||
+ | src 0.0.0.0/0 dst 0.0.0.0/0 | ||
+ | socket in priority 0 | ||
+ | src 0.0.0.0/0 dst 0.0.0.0/0 | ||
+ | socket out priority 0 | ||
+ | src 0.0.0.0/0 dst 0.0.0.0/0 | ||
+ | socket in priority 0 | ||
+ | XFRM done | ||
+ | IPSEC mangle TABLES | ||
+ | iptables: No chain/target/match by that name. | ||
+ | ip6tables: No chain/target/match by that name. | ||
+ | NEW_IPSEC_CONN mangle TABLES | ||
+ | iptables: No chain/target/match by that name. | ||
+ | ip6tables: No chain/target/match by that name. | ||
+ | ROUTING TABLES | ||
+ | default via 192.168.252.1 dev eth0 | ||
+ | 192.168.252.0/24 dev eth0 proto kernel scope link src 192.168.252.5 | ||
+ | 2003:a:32a:1720::/64 dev eth0 proto kernel metric 256 expires 86072sec mtu 1280 | ||
+ | fe80::/64 dev eth0 proto kernel metric 256 mtu 1280 | ||
+ | default via fe80::20c:29ff:fe07:d4c5 dev eth0 proto ra metric 1024 expires 1472sec hoplimit 64 | ||
+ | </pre> | ||
+ | |||
=showdefaults ip, nexthop, interface= | =showdefaults ip, nexthop, interface= | ||
ipsec showdefaults | ipsec showdefaults | ||
=collect debugging infos= | =collect debugging infos= | ||
ipsec barf --short | ipsec barf --short | ||
+ | |||
+ | =list ca certs= | ||
+ | ipsec auto --listcacerts | ||
+ | =list certs= | ||
+ | ipsec auto --listcerts |
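Review bot: the "ipsec look" dump added in this revision publishes the live ESP keys of the toc-ras tunnel, in the four lines under "XFRM state:" that begin with "auth-trunc hmac(md5) 0x..." and "enc cbc(aes) 0x..."; anyone who can read the wiki now holds the key material protecting that tunnel's traffic. Redact the hex values before saving (the algorithm names are the useful part for the reader and can stay), and because the values are already in the page history, replace the exposed SAs by bringing the connection down and up again ("ipsec auto --down toc-ras" followed by "ipsec auto --up toc-ras", both documented on this page), which negotiates fresh keys. A second point for the same block: the negotiated suites in the status output ("IKE algorithm newest: AES_CBC_256-MD5-MODP1536", "ESP algorithm newest: AES_256-HMAC_MD5") use MD5 for integrity and a 1536-bit DH group; a sentence telling readers to configure SHA-2 and a larger group before copying this setup would make the cheat sheet safer to reuse.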
Revision as of 11 February 2016, 13:42
start
- ipsec setup --start
  ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic...
stop
- ipsec setup --stop
  ipsec_setup: Stopping Openswan IPsec...
restart
- ipsec setup --restart
  ipsec_setup: Stopping Openswan IPsec...
  ipsec_setup: stop ordered, but IPsec appears to be already stopped!
  ipsec_setup: doing cleanup anyway...
  ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic...
status
- ipsec setup --status
  IPsec running - pluto pid: 9515
  pluto pid 9515
  No tunnels up
show the available connections
- grep conn /etc/ipsec.conf
  conn toc-ras
conn add
- ipsec auto --add toc-ras
conn up
- ipsec auto --up toc-ras
  104 "toc-ras" #5: STATE_MAIN_I1: initiate
  003 "toc-ras" #5: received Vendor ID payload [Openswan (this version) 2.6.38 ]
  003 "toc-ras" #5: received Vendor ID payload [Dead Peer Detection]
  106 "toc-ras" #5: STATE_MAIN_I2: sent MI2, expecting MR2
  108 "toc-ras" #5: STATE_MAIN_I3: sent MI3, expecting MR3
  003 "toc-ras" #5: received Vendor ID payload [CAN-IKEv2]
  004 "toc-ras" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1536}
  117 "toc-ras" #6: STATE_QUICK_I1: initiate
  004 "toc-ras" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5b54fafa <0xd99615e0 xfrm=AES_256-HMAC_MD5 NATOA=none NATD=none DPD=none}
conn delete
- ipsec auto --delete toc-ras
conn down
- ipsec auto --down toc-ras
reread secrets
- ipsec auto --rereadsecrets
status of all connections
- ipsec auto --status
status of one connection
- ipsec auto --status | grep toc-ras
  000 "toc-ras": 192.168.122.0/24===192.168.252.5<192.168.252.5>...192.168.241.13<192.168.241.13>===192.168.56.0/24; erouted; eroute owner: #16
  000 "toc-ras": myip=unset; hisip=unset;
  000 "toc-ras": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
  000 "toc-ras": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
  000 "toc-ras": newest ISAKMP SA: #15; newest IPsec SA: #16;
  000 "toc-ras": IKE algorithms wanted: AES_CBC(7)_256-MD5(1)_000-MODP1536(5); flags=-strict
  000 "toc-ras": IKE algorithms found: AES_CBC(7)_256-MD5(1)_128-MODP1536(5)
  000 "toc-ras": IKE algorithm newest: AES_CBC_256-MD5-MODP1536
  000 "toc-ras": ESP algorithms wanted: AES(12)_256-MD5(1)_000; pfsgroup=MODP1536(5); flags=-strict
  000 "toc-ras": ESP algorithms loaded: AES(12)_256-MD5(1)_128
  000 "toc-ras": ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=MODP1536
  000 #16: "toc-ras":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28404s; newest IPSEC; eroute owner; isakmp#15; idle; import:not set
  000 #16: "toc-ras" esp.26aaf00e@192.168.241.13 esp.71b98466@192.168.252.5 tun.0@192.168.241.13 tun.0@192.168.252.5 ref=0 refhim=4294901761
  000 #15: "toc-ras":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3204s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
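As an added example (not from the wiki page or from Openswan), a small POSIX shell helper that reads "ipsec auto --status" output for one connection and reports whether phase 1 and phase 2 are established, which suites were negotiated, and which of their primitives a hardening policy (assumed here: MD5, DES, DH groups below 2048 bits) would flag. The sample status lines are constructed after the output above; on a live host pipe "ipsec auto --status" into conn_report instead.

```shell
# Constructed sample in the shape of "ipsec auto --status | grep toc-ras".
SAMPLE_STATUS='000 "toc-ras": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
000 "toc-ras": newest ISAKMP SA: #15; newest IPsec SA: #16;
000 "toc-ras": IKE algorithm newest: AES_CBC_256-MD5-MODP1536
000 "toc-ras": ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=MODP1536
000 #16: "toc-ras":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28404s; newest IPSEC; eroute owner; isakmp#15; idle; import:not set
000 #15: "toc-ras":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3204s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set'
# Constructed: the same connection loaded with --add but never brought up.
SAMPLE_DOWN='000 "toc-ras": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
000 "toc-ras": newest ISAKMP SA: #0; newest IPsec SA: #0;'

# conn_lines STATUS CONN: only the status lines that belong to connection CONN.
conn_lines() { printf '%s\n' "$1" | grep -F "\"$2\""; }

# conn_state STATUS CONN: "up" when both the ISAKMP (phase 1) and the IPsec
# (phase 2) SA are established, "ike-only" when only phase 1 is, else "down".
conn_state() {
    conn_lines "$1" "$2" | awk '
        /ISAKMP SA established/ { ike = 1 }
        /IPsec SA established/  { ipsec = 1 }
        END {
            if (ike && ipsec) print "up"
            else if (ike) print "ike-only"
            else print "down"
        }'
}

# conn_algs STATUS CONN: the negotiated IKE and ESP suites on one line.
conn_algs() {
    conn_lines "$1" "$2" \
        | sed -nE 's/.*(IKE|ESP) algorithm newest: ([^;]*).*/\1=\2/p' | xargs
}

# conn_weak STATUS CONN: primitives in the negotiated suites that should be
# replaced. What counts as weak is a policy choice assumed for this example:
# MD5 integrity/PRF, (3)DES and DH groups smaller than 2048 bits.
conn_weak() {
    conn_lines "$1" "$2" | grep 'algorithm newest' \
        | grep -oE 'MD5|DES|MODP1024|MODP1536' | sort -u | xargs
}

# conn_report CONN: read "ipsec auto --status" from stdin, print one verdict line.
conn_report() {
    st=$(cat)
    weak=$(conn_weak "$st" "$1")
    printf '%s: state=%s algs=%s weak=%s\n' "$1" \
        "$(conn_state "$st" "$1")" "$(conn_algs "$st" "$1")" "${weak:-none}"
}

printf '%s\n' "$SAMPLE_STATUS" | conn_report toc-ras
```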
have a look at the established connections
- ipsec look
  toc Thu Feb 11 14:40:39 CET 2016
  XFRM state:
  src 192.168.241.13 dst 192.168.252.5
  proto esp spi 0x71b98466 reqid 16401 mode tunnel
  replay-window 32 flag af-unspec
  auth-trunc hmac(md5) 0x9def4a65b3bee66c4de357f5cca24cb0 96
  enc cbc(aes) 0xd819c9243025df09b41333a01f7341e906615f638673af60851f3a2f297f9ba7
  src 192.168.252.5 dst 192.168.241.13
  proto esp spi 0x26aaf00e reqid 16401 mode tunnel
  replay-window 32 flag af-unspec
  auth-trunc hmac(md5) 0x6f013010f2b134369a09a783ca6e37b7 96
  enc cbc(aes) 0x58e68b8534684d83b905603ce174bfb4c387023b6f6e46e319eb8465729ab7f8
  XFRM policy:
  src 192.168.122.0/24 dst 192.168.56.0/24
  dir out priority 2344
  tmpl src 192.168.252.5 dst 192.168.241.13
  proto esp reqid 16401 mode tunnel
  src 192.168.56.0/24 dst 192.168.122.0/24
  dir fwd priority 2344
  tmpl src 192.168.241.13 dst 192.168.252.5
  proto esp reqid 16401 mode tunnel
  src 192.168.56.0/24 dst 192.168.122.0/24
  dir in priority 2344
  tmpl src 192.168.241.13 dst 192.168.252.5
  proto esp reqid 16401 mode tunnel
  src ::/0 dst ::/0
  socket out priority 0
  src ::/0 dst ::/0
  socket in priority 0
  src ::/0 dst ::/0
  socket out priority 0
  src ::/0 dst ::/0
  socket in priority 0
  src 0.0.0.0/0 dst 0.0.0.0/0
  socket out priority 0
  src 0.0.0.0/0 dst 0.0.0.0/0
  socket in priority 0
  src 0.0.0.0/0 dst 0.0.0.0/0
  socket out priority 0
  src 0.0.0.0/0 dst 0.0.0.0/0
  socket in priority 0
  src 0.0.0.0/0 dst 0.0.0.0/0
  socket out priority 0
  src 0.0.0.0/0 dst 0.0.0.0/0
  socket in priority 0
  XFRM done
  IPSEC mangle TABLES
  iptables: No chain/target/match by that name.
  ip6tables: No chain/target/match by that name.
  NEW_IPSEC_CONN mangle TABLES
  iptables: No chain/target/match by that name.
  ip6tables: No chain/target/match by that name.
  ROUTING TABLES
  default via 192.168.252.1 dev eth0
  192.168.252.0/24 dev eth0 proto kernel scope link src 192.168.252.5
  2003:a:32a:1720::/64 dev eth0 proto kernel metric 256 expires 86072sec mtu 1280
  fe80::/64 dev eth0 proto kernel metric 256 mtu 1280
  default via fe80::20c:29ff:fe07:d4c5 dev eth0 proto ra metric 1024 expires 1472sec hoplimit 64
showdefaults ip, nexthop, interface
- ipsec showdefaults
collect debugging info
- ipsec barf --short
list ca certs
- ipsec auto --listcacerts
list certs
- ipsec auto --listcerts