Question edit history

6

ipsec status

2020/08/17 02:53

Posted

hrsi

Score 20

test CHANGED
File without changes
test CHANGED
@@ -92,17 +92,11 @@
92
92
 
93
93
  # rightid=SSS.TTT.UUU.VVV```
94
94
 
95
-
96
-
97
- ご存知の方、教えてください。
98
-
99
-
100
-
101
- 追記
95
+ ```
102
-
103
-
104
-
96
+
97
+
98
+
105
- ipsec status結果
99
+ ipsec status
106
100
 
107
101
  ```
108
102
 
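Review bot: the new ``` at line 95 is the right fix, but the closing fence glued to the end of context line 93 ("# rightid=SSS.TTT.UUU.VVV```") now stays inside the block as three literal backticks, because a fence only closes a block when it stands on its own line; strip it from line 93. This revision also deletes the only sentence that actually asks the question ("ご存知の方、教えてください。", "If anyone knows, please tell me") together with the "追記" (Addendum) label, leaving the new "ipsec status" line as a bare heading with no request attached to it.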

5

ipsec status result

2020/08/17 02:53

Posted

hrsi

Score 20

test CHANGED
File without changes
test CHANGED
@@ -102,11 +102,9 @@
102
102
 
103
103
 
104
104
 
105
- ```ここに言語を入力
105
+ ipsec status結果
106
+
106
-
107
+ ```
107
-
108
-
109
-
110
108
 
111
109
  000 using kernel interface: netkey
112
110
 
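Review bot: replacing the editor placeholder "```ここに言語を入力" ("enter language here") with a bare ``` is correct, since that placeholder text would otherwise be parsed as the info string of the fence; a plain fence, or ```text, is what this pluto output wants. Style: the new heading "ipsec status結果" ("ipsec status result") at line 105 says what the block is, but the command that produced it is not in the block itself; a first line such as `# ipsec status` inside the fence keeps command and output together when the block is copied elsewhere.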

4

Correction

2020/08/17 02:51

Posted

hrsi

Score 20

test CHANGED
File without changes
test CHANGED
@@ -100,252 +100,258 @@
100
100
 
101
101
  追記
102
102
 
103
+
104
+
105
+ ```ここに言語を入力
106
+
107
+
108
+
109
+
110
+
111
+ 000 using kernel interface: netkey
112
+
113
+ 000 interface lo/lo ::1@500
114
+
115
+ 000 interface lo/lo 127.0.0.1@4500
116
+
117
+ 000 interface lo/lo 127.0.0.1@500
118
+
119
+ 000 interface eth0/eth0 172.31.32.76@4500
120
+
121
+ 000 interface eth0/eth0 172.31.32.76@500
122
+
123
+ 000
124
+
125
+ 000
126
+
127
+ 000 fips mode=disabled;
128
+
129
+ 000 SElinux=disabled
130
+
131
+ 000 seccomp=disabled
132
+
133
+ 000
134
+
135
+ 000 config setup options:
136
+
137
+ 000
138
+
139
+ 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
140
+
141
+ 000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
142
+
143
+ 000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
144
+
145
+ 000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
146
+
147
+ 000 pluto_version=3.25, pluto_vendorid=OE-Libreswan-3.25
148
+
149
+ 000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
150
+
151
+ 000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
152
+
153
+ 000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
154
+
155
+ 000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
156
+
157
+ 000 ocsp-trust-name=<unset>
158
+
159
+ 000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
160
+
161
+ 000 secctx-attr-type=32001
162
+
163
+ 000 debug:
164
+
165
+ 000
166
+
167
+ 000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
168
+
169
+ 000 virtual-private (%priv):
170
+
171
+ 000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
172
+
173
+ 000
174
+
175
+ 000 ESP algorithms supported:
176
+
177
+ 000
178
+
179
+ 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
180
+
181
+ 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
182
+
183
+ 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
184
+
185
+ 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
186
+
187
+ 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
188
+
189
+ 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
190
+
191
+ 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
192
+
193
+ 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
194
+
195
+ 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
196
+
197
+ 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
198
+
199
+ 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
200
+
201
+ 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
202
+
203
+ 000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC, ivlen=8, keysizemin=128, keysizemax=256
204
+
205
+ 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
206
+
207
+ 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
208
+
209
+ 000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
210
+
211
+ 000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
212
+
213
+ 000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
214
+
215
+ 000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
216
+
217
+ 000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
218
+
219
+ 000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
220
+
221
+ 000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
222
+
223
+ 000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96, keysizemin=128, keysizemax=128
224
+
225
+ 000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
226
+
227
+ 000
228
+
229
+ 000 IKE algorithms supported:
230
+
231
+ 000
232
+
233
+ 000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
234
+
235
+ 000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
236
+
237
+ 000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
238
+
239
+ 000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
240
+
241
+ 000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
242
+
243
+ 000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
244
+
245
+ 000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
246
+
247
+ 000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
248
+
249
+ 000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
250
+
251
+ 000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
252
+
253
+ 000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
254
+
255
+ 000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
256
+
257
+ 000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
258
+
259
+ 000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
260
+
261
+ 000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
262
+
263
+ 000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
264
+
265
+ 000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
266
+
267
+ 000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
268
+
269
+ 000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
270
+
271
+ 000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
272
+
273
+ 000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
274
+
275
+ 000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
276
+
277
+ 000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
278
+
279
+ 000 algorithm IKE DH Key Exchange: name=DH19, bits=512
280
+
281
+ 000 algorithm IKE DH Key Exchange: name=DH20, bits=768
282
+
283
+ 000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
284
+
285
+ 000 algorithm IKE DH Key Exchange: name=DH22, bits=1024
286
+
287
+ 000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
288
+
289
+ 000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
290
+
291
+ 000
292
+
293
+ 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
294
+
295
+ 000
296
+
297
+ 000 Connection list:
298
+
299
+ 000
300
+
301
+ 000 "L2TP": 172.31.32.76[zz.178.yy.xx]---172.31.32.1...222.228.xxx.yyy<222.228.220.xxx>; unrouted; eroute owner: #0
302
+
303
+ 000 "L2TP": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
304
+
305
+ 000 "L2TP": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
306
+
307
+ 000 "L2TP": our auth:secret, their auth:secret
308
+
309
+ 000 "L2TP": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
310
+
311
+ 000 "L2TP": labeled_ipsec:no;
312
+
313
+ 000 "L2TP": policy_label:unset;
314
+
315
+ 000 "L2TP": ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
316
+
317
+ 000 "L2TP": retransmit-interval: 500ms; retransmit-timeout: 60s;
318
+
319
+ 000 "L2TP": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
320
+
321
+ 000 "L2TP": policy: PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
322
+
323
+ 000 "L2TP": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
324
+
325
+ 000 "L2TP": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
326
+
327
+ 000 "L2TP": our idtype: ID_IPV4_ADDR; our id=54.178.40.74; their idtype: ID_IPV4_ADDR; their id=222.228.220.222
328
+
329
+ 000 "L2TP": dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
330
+
331
+ 000 "L2TP": newest ISAKMP SA: #0; newest IPsec SA: #0;
332
+
333
+ 000
334
+
335
+ 000 Total IPsec connections: loaded 1, active 0
336
+
337
+ 000
338
+
339
+ 000 State Information: DDoS cookies not required, Accepting new IKE connections
340
+
341
+ 000 IKE SAs: total(1), half-open(1), open(0), authenticated(0), anonymous(0)
342
+
343
+ 000 IPsec SAs: total(0), authenticated(0), anonymous(0)
344
+
345
+ 000
346
+
347
+ 000 #2: "L2TP":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_v1_RETRANSMIT in 16s; nodpd; idle; import:admin initiate
348
+
349
+ 000 #2: pending Phase 2 for "L2TP"
350
+
351
+ 000
352
+
353
+ 000 Bare Shunt list:
354
+
355
+ 000
356
+
103
357
  ```
104
-
105
- 000 using kernel interface: netkey
106
-
107
- 000 interface lo/lo ::1@500
108
-
109
- 000 interface lo/lo 127.0.0.1@4500
110
-
111
- 000 interface lo/lo 127.0.0.1@500
112
-
113
- 000 interface eth0/eth0 172.31.32.76@4500
114
-
115
- 000 interface eth0/eth0 172.31.32.76@500
116
-
117
- 000
118
-
119
- 000
120
-
121
- 000 fips mode=disabled;
122
-
123
- 000 SElinux=disabled
124
-
125
- 000 seccomp=disabled
126
-
127
- 000
128
-
129
- 000 config setup options:
130
-
131
- 000
132
-
133
- 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
134
-
135
- 000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
136
-
137
- 000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
138
-
139
- 000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
140
-
141
- 000 pluto_version=3.25, pluto_vendorid=OE-Libreswan-3.25
142
-
143
- 000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
144
-
145
- 000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
146
-
147
- 000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
148
-
149
- 000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
150
-
151
- 000 ocsp-trust-name=<unset>
152
-
153
- 000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
154
-
155
- 000 secctx-attr-type=32001
156
-
157
- 000 debug:
158
-
159
- 000
160
-
161
- 000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
162
-
163
- 000 virtual-private (%priv):
164
-
165
- 000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
166
-
167
- 000
168
-
169
- 000 ESP algorithms supported:
170
-
171
- 000
172
-
173
- 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
174
-
175
- 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
176
-
177
- 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
178
-
179
- 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
180
-
181
- 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
182
-
183
- 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
184
-
185
- 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
186
-
187
- 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
188
-
189
- 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
190
-
191
- 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
192
-
193
- 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
194
-
195
- 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
196
-
197
- 000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC, ivlen=8, keysizemin=128, keysizemax=256
198
-
199
- 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
200
-
201
- 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
202
-
203
- 000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
204
-
205
- 000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
206
-
207
- 000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
208
-
209
- 000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
210
-
211
- 000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
212
-
213
- 000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
214
-
215
- 000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
216
-
217
- 000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96, keysizemin=128, keysizemax=128
218
-
219
- 000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
220
-
221
- 000
222
-
223
- 000 IKE algorithms supported:
224
-
225
- 000
226
-
227
- 000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
228
-
229
- 000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
230
-
231
- 000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
232
-
233
- 000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
234
-
235
- 000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
236
-
237
- 000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
238
-
239
- 000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
240
-
241
- 000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
242
-
243
- 000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
244
-
245
- 000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
246
-
247
- 000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
248
-
249
- 000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
250
-
251
- 000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
252
-
253
- 000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
254
-
255
- 000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
256
-
257
- 000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
258
-
259
- 000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
260
-
261
- 000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
262
-
263
- 000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
264
-
265
- 000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
266
-
267
- 000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
268
-
269
- 000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
270
-
271
- 000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
272
-
273
- 000 algorithm IKE DH Key Exchange: name=DH19, bits=512
274
-
275
- 000 algorithm IKE DH Key Exchange: name=DH20, bits=768
276
-
277
- 000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
278
-
279
- 000 algorithm IKE DH Key Exchange: name=DH22, bits=1024
280
-
281
- 000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
282
-
283
- 000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
284
-
285
- 000
286
-
287
- 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
288
-
289
- 000
290
-
291
- 000 Connection list:
292
-
293
- 000
294
-
295
- 000 "L2TP": 172.31.32.76[zz.178.yy.xx]---172.31.32.1...222.228.xxx.yyy<222.228.220.xxx>; unrouted; eroute owner: #0
296
-
297
- 000 "L2TP": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
298
-
299
- 000 "L2TP": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
300
-
301
- 000 "L2TP": our auth:secret, their auth:secret
302
-
303
- 000 "L2TP": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
304
-
305
- 000 "L2TP": labeled_ipsec:no;
306
-
307
- 000 "L2TP": policy_label:unset;
308
-
309
- 000 "L2TP": ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
310
-
311
- 000 "L2TP": retransmit-interval: 500ms; retransmit-timeout: 60s;
312
-
313
- 000 "L2TP": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
314
-
315
- 000 "L2TP": policy: PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
316
-
317
- 000 "L2TP": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
318
-
319
- 000 "L2TP": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
320
-
321
- 000 "L2TP": our idtype: ID_IPV4_ADDR; our id=54.178.40.74; their idtype: ID_IPV4_ADDR; their id=222.228.220.222
322
-
323
- 000 "L2TP": dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
324
-
325
- 000 "L2TP": newest ISAKMP SA: #0; newest IPsec SA: #0;
326
-
327
- 000
328
-
329
- 000 Total IPsec connections: loaded 1, active 0
330
-
331
- 000
332
-
333
- 000 State Information: DDoS cookies not required, Accepting new IKE connections
334
-
335
- 000 IKE SAs: total(1), half-open(1), open(0), authenticated(0), anonymous(0)
336
-
337
- 000 IPsec SAs: total(0), authenticated(0), anonymous(0)
338
-
339
- 000
340
-
341
- 000 #2: "L2TP":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_v1_RETRANSMIT in 16s; nodpd; idle; import:admin initiate
342
-
343
- 000 #2: pending Phase 2 for "L2TP"
344
-
345
- 000
346
-
347
- 000 Bare Shunt list:
348
-
349
- 000
350
-
351
- ```
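Review bot: this hunk re-adds all ~250 lines of output above the existing closing fence (context line 357) and deletes the same lines below it, only to change the opening fence to "```ここに言語を入力", which is the editor's "enter language here" placeholder and not a language name; a one-line change to the original fence would have done, and the placeholder should not survive as an info string. Also, every output line is followed by an added empty "+" line, which doubles the block and breaks the one-record-per-line shape of `ipsec status` output that readers grep through (for example "000 IKE SAs: total(1), half-open(1), open(0), authenticated(0), anonymous(0)" and "000 #2: "L2TP":500 STATE_MAIN_I1 (sent MI1, expecting MR1)" are the two lines a reader needs side by side).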

3

ipsec status

2020/08/17 02:49

Posted

hrsi

Score 20

test CHANGED
File without changes
test CHANGED
@@ -100,7 +100,7 @@
100
100
 
101
101
  追記
102
102
 
103
- ```ipsec status
103
+ ```
104
104
 
105
105
  000 using kernel interface: netkey
106
106
 
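Review bot: dropping "ipsec status" from the fence line is the right call: text after the opening ``` is the code-block info string, so "```ipsec status" tells the renderer that the language is "ipsec" and the command itself never appears as text. If the command should be visible, put it above the fence as a label or as the first line inside the block.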

2

ipsec status added

2020/08/17 02:48

Posted

hrsi

Score 20

test CHANGED
File without changes
test CHANGED
@@ -95,3 +95,257 @@
95
95
 
96
96
 
97
97
  ご存知の方、教えてください。
98
+
99
+
100
+
101
+ 追記
102
+
103
+ ```ipsec status
104
+
105
+ 000 using kernel interface: netkey
106
+
107
+ 000 interface lo/lo ::1@500
108
+
109
+ 000 interface lo/lo 127.0.0.1@4500
110
+
111
+ 000 interface lo/lo 127.0.0.1@500
112
+
113
+ 000 interface eth0/eth0 172.31.32.76@4500
114
+
115
+ 000 interface eth0/eth0 172.31.32.76@500
116
+
117
+ 000
118
+
119
+ 000
120
+
121
+ 000 fips mode=disabled;
122
+
123
+ 000 SElinux=disabled
124
+
125
+ 000 seccomp=disabled
126
+
127
+ 000
128
+
129
+ 000 config setup options:
130
+
131
+ 000
132
+
133
+ 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
134
+
135
+ 000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
136
+
137
+ 000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
138
+
139
+ 000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
140
+
141
+ 000 pluto_version=3.25, pluto_vendorid=OE-Libreswan-3.25
142
+
143
+ 000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
144
+
145
+ 000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
146
+
147
+ 000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
148
+
149
+ 000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
150
+
151
+ 000 ocsp-trust-name=<unset>
152
+
153
+ 000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
154
+
155
+ 000 secctx-attr-type=32001
156
+
157
+ 000 debug:
158
+
159
+ 000
160
+
161
+ 000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
162
+
163
+ 000 virtual-private (%priv):
164
+
165
+ 000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
166
+
167
+ 000
168
+
169
+ 000 ESP algorithms supported:
170
+
171
+ 000
172
+
173
+ 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
174
+
175
+ 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
176
+
177
+ 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
178
+
179
+ 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
180
+
181
+ 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
182
+
183
+ 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
184
+
185
+ 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
186
+
187
+ 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
188
+
189
+ 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
190
+
191
+ 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
192
+
193
+ 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
194
+
195
+ 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
196
+
197
+ 000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC, ivlen=8, keysizemin=128, keysizemax=256
198
+
199
+ 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
200
+
201
+ 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
202
+
203
+ 000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
204
+
205
+ 000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
206
+
207
+ 000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
208
+
209
+ 000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
210
+
211
+ 000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
212
+
213
+ 000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
214
+
215
+ 000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
216
+
217
+ 000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96, keysizemin=128, keysizemax=128
218
+
219
+ 000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
220
+
221
+ 000
222
+
223
+ 000 IKE algorithms supported:
224
+
225
+ 000
226
+
227
+ 000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
228
+
229
+ 000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
230
+
231
+ 000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
232
+
233
+ 000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
234
+
235
+ 000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
236
+
237
+ 000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
238
+
239
+ 000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
240
+
241
+ 000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
242
+
243
+ 000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
244
+
245
+ 000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
246
+
247
+ 000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
248
+
249
+ 000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
250
+
251
+ 000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
252
+
253
+ 000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
254
+
255
+ 000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
256
+
257
+ 000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
258
+
259
+ 000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
260
+
261
+ 000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
262
+
263
+ 000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
264
+
265
+ 000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
266
+
267
+ 000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
268
+
269
+ 000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
270
+
271
+ 000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
272
+
273
+ 000 algorithm IKE DH Key Exchange: name=DH19, bits=512
274
+
275
+ 000 algorithm IKE DH Key Exchange: name=DH20, bits=768
276
+
277
+ 000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
278
+
279
+ 000 algorithm IKE DH Key Exchange: name=DH22, bits=1024
280
+
281
+ 000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
282
+
283
+ 000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
284
+
285
+ 000
286
+
287
+ 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
288
+
289
+ 000
290
+
291
+ 000 Connection list:
292
+
293
+ 000
294
+
295
+ 000 "L2TP": 172.31.32.76[zz.178.yy.xx]---172.31.32.1...222.228.xxx.yyy<222.228.220.xxx>; unrouted; eroute owner: #0
296
+
297
+ 000 "L2TP": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
298
+
299
+ 000 "L2TP": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
300
+
301
+ 000 "L2TP": our auth:secret, their auth:secret
302
+
303
+ 000 "L2TP": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
304
+
305
+ 000 "L2TP": labeled_ipsec:no;
306
+
307
+ 000 "L2TP": policy_label:unset;
308
+
309
+ 000 "L2TP": ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
310
+
311
+ 000 "L2TP": retransmit-interval: 500ms; retransmit-timeout: 60s;
312
+
313
+ 000 "L2TP": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
314
+
315
+ 000 "L2TP": policy: PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
316
+
317
+ 000 "L2TP": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
318
+
319
+ 000 "L2TP": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
320
+
321
+ 000 "L2TP": our idtype: ID_IPV4_ADDR; our id=54.178.40.74; their idtype: ID_IPV4_ADDR; their id=222.228.220.222
322
+
323
+ 000 "L2TP": dpd: action:clear; delay:30; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
324
+
325
+ 000 "L2TP": newest ISAKMP SA: #0; newest IPsec SA: #0;
326
+
327
+ 000
328
+
329
+ 000 Total IPsec connections: loaded 1, active 0
330
+
331
+ 000
332
+
333
+ 000 State Information: DDoS cookies not required, Accepting new IKE connections
334
+
335
+ 000 IKE SAs: total(1), half-open(1), open(0), authenticated(0), anonymous(0)
336
+
337
+ 000 IPsec SAs: total(0), authenticated(0), anonymous(0)
338
+
339
+ 000
340
+
341
+ 000 #2: "L2TP":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_v1_RETRANSMIT in 16s; nodpd; idle; import:admin initiate
342
+
343
+ 000 #2: pending Phase 2 for "L2TP"
344
+
345
+ 000
346
+
347
+ 000 Bare Shunt list:
348
+
349
+ 000
350
+
351
+ ```
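Review bot: redaction in the added output is inconsistent: the connection line at 295 masks the addresses as "172.31.32.76[zz.178.yy.xx]---172.31.32.1...222.228.xxx.yyy<222.228.220.xxx>", but line 321 prints both ends unmasked ("our id=54.178.40.74; ... their id=222.228.220.222"), so the public IP of the host and of the peer are disclosed anyway; mask the id line the same way or not at all. On the substance of what was posted: the only state is "#2: "L2TP":500 STATE_MAIN_I1 (sent MI1, expecting MR1)" with "IKE SAs: total(1), half-open(1), open(0), authenticated(0)", i.e. the first IKEv1 main-mode message sent from 172.31.32.76 (whose id is the public 54.178.40.74, so the host sits behind NAT) has received no reply at all. The PSK ("our auth:secret, their auth:secret") is not being evaluated yet; the peer at 222.228.220.222 is either not reachable on UDP/500 (and 4500, given "nat-t: encaps:yes") or not answering, so a packet capture on both sides and the firewall or security-group rules for those two ports are the next things the question should include.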

1

Content correction

2020/08/17 02:47

Posted

hrsi

Score 20

test CHANGED
File without changes
test CHANGED
@@ -26,7 +26,17 @@
26
26
 
27
27
  010 "L2TP" #1: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
28
28
 
29
- 010 "L2TP" #1: STATE_MAIN_I1: retransmission; will wait 4 seconds for respons
29
+ 010 "L2TP" #1: STATE_MAIN_I1: retransmission; will wait 4 seconds for response
30
+
31
+ 010 "L2TP" #1: STATE_MAIN_I1: retransmission; will wait 8 seconds for response
32
+
33
+ 010 "L2TP" #1: STATE_MAIN_I1: retransmission; will wait 16 seconds for response
34
+
35
+ 010 "L2TP" #1: STATE_MAIN_I1: retransmission; will wait 32 seconds for response
36
+
37
+ 031 "L2TP" #1: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv1 message
38
+
39
+ 000 "L2TP" #1: starting keying attempt 2 of at most 3, but releasing whack
30
40
 
31
41
  ```
32
42
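Review bot: the added lines complete the retransmit ladder (2, 4, 8, 16, 32 seconds) and end with "031 "L2TP" #1: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv1 message", which is the key fact in the whole question: the first main-mode message was never answered, so the failure is upstream of authentication and the PSK has not been tested. The final line "starting keying attempt 2 of at most 3, but releasing whack" means the command that produced this whack output returns at this point while pluto keeps retrying in the background, so the outcome of attempts 2 and 3 is only in pluto's log (journalctl -u ipsec on systemd hosts), not on the console; add those log lines so readers can see whether every attempt timed out the same way. The "respons" to "response" fix at line 29 is fine.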