ipsec output
I'm pinging between node 10.0.120.167 and node 10.0.24.207. On 207 I see:
000 Total IPsec connections: loaded 9, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(7), half-open(0), open(0), authenticated(7), anonymous(0)
000 IPsec SAs: total(2), authenticated(2), anonymous(0)
000
000 #1: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[1] ...10.0.29.156:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27869s; REPLACE in 28544s; newest; idle;
000 #2: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[2] ...10.0.67.171:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27772s; REPLACE in 28544s; newest; idle;
000 #5: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[3] ...10.0.111.97:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27886s; REPLACE in 28544s; idle;
000 #6: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[3] ...10.0.111.97:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27540s; REPLACE in 28544s; IKE SA #5; idle;
000 #6: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[3] ...10.0.111.97 [email protected] [email protected] Traffic: ESPin=0B ESPout=1KB ESPmax=2^63B
000 #11: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[3] ...10.0.111.97:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28279s; REPLACE in 28549s; idle;
000 #12: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[3] ...10.0.111.97:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 28279s; REPLACE in 28549s; newest; eroute owner; IKE SA #11; idle;
000 #12: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[3] ...10.0.111.97 [email protected] [email protected] Traffic: ESPin=0B ESPout=55KB ESPmax=2^63B
000 #13: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[3] ...10.0.111.97:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 28287s; REPLACE in 28557s; newest; idle;
000 #7: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[4] ...10.0.96.131:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27659s; REPLACE in 28544s; newest; idle;
000 #9: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[5] ...10.0.120.167:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27524s; REPLACE in 28544s; newest; idle;
000
000 Bare Shunt list:
000
It has a couple of Child SAs, but the one to 167 is missing.
[root@ip-10-0-24-207 ~]# ip xfrm state
src 10.0.24.207 dst 10.0.120.167
proto esp spi 0x00000000 reqid 0 mode transport
replay-window 0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 10.0.24.207/32 dst 10.0.120.167/32 proto udp sport 53928 dport 6081 dev br-ex
src 10.0.24.207 dst 10.0.29.156
proto esp spi 0x00000000 reqid 0 mode transport
replay-window 0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 10.0.24.207/32 dst 10.0.29.156/32 proto udp sport 2835 dport 6081 dev br-ex
src 10.0.24.207 dst 10.0.96.131
proto esp spi 0x00000000 reqid 0 mode transport
replay-window 0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 10.0.24.207/32 dst 10.0.96.131/32 proto udp sport 45284 dport 6081 dev br-ex
src 10.0.24.207 dst 10.0.67.171
proto esp spi 0x00000000 reqid 0 mode transport
replay-window 0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 10.0.24.207/32 dst 10.0.67.171/32 proto udp sport 29328 dport 6081 dev br-ex
src 10.0.111.97 dst 10.0.24.207
proto esp spi 0xf60a7c44 reqid 16413 mode transport
replay-window 0 flag esn
aead rfc4106(gcm(aes)) 0xe37de9422884a712435045a51839220d3712a888e27d4263afac8e0fb07082c54c3ddfd4 128
anti-replay esn context:
seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
replay_window 128, bitmap-length 4
00000000 00000000 00000000 00000000
sel src 10.0.111.97/32 dst 10.0.24.207/32 proto udp sport 6081
src 10.0.24.207 dst 10.0.111.97
proto esp spi 0x46c46718 reqid 16413 mode transport
replay-window 0 flag esn
aead rfc4106(gcm(aes)) 0x8c5bc330222d70bf4b2a2cbe78951b8beb470684b6bafbff1e12dbb4b106903ff737d647 128
anti-replay esn context:
seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x782
replay_window 128, bitmap-length 4
00000000 00000000 00000000 00000000
sel src 10.0.24.207/32 dst 10.0.111.97/32 proto udp dport 6081
src 10.0.111.97 dst 10.0.24.207
proto esp spi 0xc707d13c reqid 16413 mode transport
replay-window 0 flag esn
aead rfc4106(gcm(aes)) 0x820f619c2845c03217936c8e7cfaf7e7ff4d6d2ea19cbc9049e870e1036c1802dd28bb12 128
anti-replay esn context:
seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
replay_window 128, bitmap-length 4
00000000 00000000 00000000 00000000
sel src 10.0.111.97/32 dst 10.0.24.207/32 proto udp sport 6081
src 10.0.24.207 dst 10.0.111.97
proto esp spi 0x22c4c807 reqid 16413 mode transport
replay-window 0 flag esn
aead rfc4106(gcm(aes)) 0x52f5c25158eb816634d7708e7262d1c17a7658f9bfda29eb021c40be6a1bcb6df478eb51 128
anti-replay esn context:
seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x14
replay_window 128, bitmap-length 4
00000000 00000000 00000000 00000000
sel src 10.0.24.207/32 dst 10.0.111.97/32 proto udp dport 6081
[root@ip-10-0-24-207 ~]# ip xfrm policy
src 10.0.24.207/32 dst 10.0.111.97/32 proto udp dport 6081
dir out priority 2408640 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16413 mode transport
src 10.0.111.97/32 dst 10.0.24.207/32 proto udp sport 6081
dir in priority 2408640 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16413 mode transport
src 10.0.24.207/32 dst 10.0.0.0/16 proto udp dport 6081
dir out priority 2408673 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 0 mode transport
src 10.0.24.207/32 dst 10.0.0.0/16 proto udp sport 6081
dir out priority 2408673 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 0 mode transport
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
dir in priority 1 ptype main
Then on 167:
000
000 Total IPsec connections: loaded 10, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(8), half-open(0), open(0), authenticated(8), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #9: "ovn-opportunistic-in#10.0.0.0/16-(6081--17--0)"[1] ...10.0.96.131:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27578s; REPLACE in 27848s; newest; idle;
000 #10: "ovn-opportunistic-in#10.0.0.0/16-(6081--17--0)"[1] ...10.0.96.131:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 27578s; REPLACE in 27848s; newest; eroute owner; IKE SA #9; idle;
000 #10: "ovn-opportunistic-in#10.0.0.0/16-(6081--17--0)"[1] ...10.0.96.131 [email protected] [email protected] Traffic: ESPin=147KB ESPout=0B ESPmax=2^63B
000 #1: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[1] ...10.0.111.97:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27005s; REPLACE in 27836s; idle;
000 #15: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[1] ...10.0.111.97:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27603s; REPLACE in 27873s; newest; idle;
000 #3: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[2] ...10.0.24.207:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 26886s; REPLACE in 27836s; idle;
000 #13: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[2] ...10.0.24.207:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27590s; REPLACE in 27860s; newest; idle;
000 #4: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[3] ...10.0.67.171:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 26794s; REPLACE in 27836s; newest; idle;
000 #7: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[4] ...10.0.29.156:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 26774s; REPLACE in 27843s; newest; idle;
000 #11: "ovn-opportunistic-out#10.0.0.0/16-(0--17--6081)"[5] ...10.0.96.131:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27197s; REPLACE in 27850s; newest; idle;
000
000 Bare Shunt list:
000
[root@ip-10-0-120-167 ~]# ip xfrm state
src 10.0.120.167 dst 10.0.96.131
proto esp spi 0x00000000 reqid 0 mode transport
replay-window 0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 10.0.120.167/32 dst 10.0.96.131/32 proto udp sport 18710 dport 6081 dev br-ex
src 10.0.120.167 dst 10.0.24.207
proto esp spi 0x00000000 reqid 0 mode transport
replay-window 0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 10.0.120.167/32 dst 10.0.24.207/32 proto udp sport 49153 dport 6081 dev br-ex
src 10.0.120.167 dst 10.0.67.171
proto esp spi 0x00000000 reqid 0 mode transport
replay-window 0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 10.0.120.167/32 dst 10.0.67.171/32 proto udp sport 43000 dport 6081 dev br-ex
src 10.0.96.131 dst 10.0.120.167
proto esp spi 0x657e4fcf reqid 16421 mode transport
replay-window 0 flag esn
aead rfc4106(gcm(aes)) 0xbcd9ff7fe2b9f4c1d08dce848f7b7f7483eb7cf2fd2a2b328eb9f445084ac76af783091f 128
anti-replay esn context:
seq-hi 0x0, seq 0x626, oseq-hi 0x0, oseq 0x0
replay_window 128, bitmap-length 4
ffffffff ffffffff ffffffff ffffffff
sel src 10.0.96.131/32 dst 10.0.120.167/32 proto udp dport 6081
src 10.0.120.167 dst 10.0.96.131
proto esp spi 0x14881c4f reqid 16421 mode transport
replay-window 0 flag esn
aead rfc4106(gcm(aes)) 0xead754a44e419f1e65cead89dd3dd984217238c3ebb366222e5a4f183a8869eae051aefd 128
anti-replay esn context:
seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
replay_window 128, bitmap-length 4
00000000 00000000 00000000 00000000
sel src 10.0.120.167/32 dst 10.0.96.131/32 proto udp sport 6081
[root@ip-10-0-120-167 ~]# ip xfrm policy
src 10.0.120.167/32 dst 10.0.96.131/32 proto udp sport 6081
dir out priority 2408640 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16421 mode transport
src 10.0.96.131/32 dst 10.0.120.167/32 proto udp dport 6081
dir in priority 2408640 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16421 mode transport
src 10.0.120.167/32 dst 10.0.0.0/16 proto udp dport 6081
dir out priority 2408673 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 0 mode transport
src 10.0.120.167/32 dst 10.0.0.0/16 proto udp sport 6081
dir out priority 2408673 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 0 mode transport
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
...