General Discussion / ipv6 fw rule with dynamic prefix
« on: September 25, 2018, 08:46:48 am »
Hi
How can I set an IPv6 firewall rule with a dynamic prefix?
Greetz
How can I set an IPv6 firewall rule with a dynamic prefix?
Greetz
<opt2>
<!-- cable WAN (igb0_vlan4); the dhcp6c "interface igb0_vlan4" block further down is generated from this -->
<if>igb0_vlan4</if>
<descr>cable</descr>
<enable>1</enable>
<lock>1</lock>
<spoofmac/>
<blockbogons>1</blockbogons>
<ipaddr>192.168.40.3</ipaddr>
<subnet>24</subnet>
<gateway>cable_gateway</gateway>
<ipaddrv6>dhcp6</ipaddrv6>
<!-- ia-pd-len 1 maps to "sla-len 1" in the dhcp6c id-assoc for igb1 below -->
<dhcp6-ia-pd-len>1</dhcp6-ia-pd-len>
<!-- prefix only: dhcp6c requests IA_PD but no IA_NA for this interface (only "send ia-pd 0" below) -->
<dhcp6prefixonly>1</dhcp6prefixonly>
<dhcp6sendsolicit>1</dhcp6sendsolicit>
<!-- debug output enabled; presumably where the dhcp6c log excerpt further down comes from -->
<adv_dhcp6_debug>1</adv_dhcp6_debug>
<adv_dhcp6_interface_statement_send_options/>
<adv_dhcp6_interface_statement_request_options/>
<adv_dhcp6_interface_statement_information_only_enable/>
<adv_dhcp6_interface_statement_script/>
<adv_dhcp6_id_assoc_statement_address_enable/>
<adv_dhcp6_id_assoc_statement_address/>
<adv_dhcp6_id_assoc_statement_address_id/>
<adv_dhcp6_id_assoc_statement_address_pltime/>
<adv_dhcp6_id_assoc_statement_address_vltime/>
<adv_dhcp6_id_assoc_statement_prefix_enable/>
<adv_dhcp6_id_assoc_statement_prefix/>
<adv_dhcp6_id_assoc_statement_prefix_id/>
<adv_dhcp6_id_assoc_statement_prefix_pltime/>
<adv_dhcp6_id_assoc_statement_prefix_vltime/>
<adv_dhcp6_prefix_interface_statement_sla_id/>
<adv_dhcp6_prefix_interface_statement_sla_len/>
<adv_dhcp6_authentication_statement_authname/>
<adv_dhcp6_authentication_statement_protocol/>
<adv_dhcp6_authentication_statement_algorithm/>
<adv_dhcp6_authentication_statement_rdm/>
<adv_dhcp6_key_info_statement_keyname/>
<adv_dhcp6_key_info_statement_realm/>
<adv_dhcp6_key_info_statement_keyid/>
<adv_dhcp6_key_info_statement_secret/>
<adv_dhcp6_key_info_statement_expire/>
<adv_dhcp6_config_advanced/>
<adv_dhcp6_config_file_override/>
<adv_dhcp6_config_file_override_path/>
</opt2>
<opt3>
<!-- vdsl WAN (igb0_vlan14); the dhcp6c "interface igb0_vlan14" block further down is generated from this -->
<if>igb0_vlan14</if>
<descr>vdsl</descr>
<enable>1</enable>
<lock>1</lock>
<spoofmac/>
<blockbogons>1</blockbogons>
<ipaddr>192.168.140.3</ipaddr>
<subnet>24</subnet>
<gateway>vdsl_gateway</gateway>
<ipaddrv6>dhcp6</ipaddrv6>
<!-- ia-pd-len 4 maps to "sla-len 4" in the dhcp6c id-assoc for igb2 below -->
<dhcp6-ia-pd-len>4</dhcp6-ia-pd-len>
<!-- no <dhcp6prefixonly> here (unlike opt2), hence dhcp6c sends both ia-na and ia-pd for this interface -->
<dhcp6sendsolicit>1</dhcp6sendsolicit>
<adv_dhcp6_debug>1</adv_dhcp6_debug>
<adv_dhcp6_interface_statement_send_options/>
<adv_dhcp6_interface_statement_request_options/>
<adv_dhcp6_interface_statement_information_only_enable/>
<adv_dhcp6_interface_statement_script/>
<adv_dhcp6_id_assoc_statement_address_enable/>
<adv_dhcp6_id_assoc_statement_address/>
<adv_dhcp6_id_assoc_statement_address_id/>
<adv_dhcp6_id_assoc_statement_address_pltime/>
<adv_dhcp6_id_assoc_statement_address_vltime/>
<adv_dhcp6_id_assoc_statement_prefix_enable/>
<adv_dhcp6_id_assoc_statement_prefix/>
<adv_dhcp6_id_assoc_statement_prefix_id/>
<adv_dhcp6_id_assoc_statement_prefix_pltime/>
<adv_dhcp6_id_assoc_statement_prefix_vltime/>
<adv_dhcp6_prefix_interface_statement_sla_id/>
<adv_dhcp6_prefix_interface_statement_sla_len/>
<adv_dhcp6_authentication_statement_authname/>
<adv_dhcp6_authentication_statement_protocol/>
<adv_dhcp6_authentication_statement_algorithm/>
<adv_dhcp6_authentication_statement_rdm/>
<adv_dhcp6_key_info_statement_keyname/>
<adv_dhcp6_key_info_statement_realm/>
<adv_dhcp6_key_info_statement_keyid/>
<adv_dhcp6_key_info_statement_secret/>
<adv_dhcp6_key_info_statement_expire/>
<adv_dhcp6_config_advanced/>
<adv_dhcp6_config_file_override/>
<adv_dhcp6_config_file_override_path/>
</opt3>
<opt5>
<!-- LAN (igb1): IPv6 is tracked from the cable WAN (opt2) -->
<if>igb1</if>
<descr>lan</descr>
<enable>1</enable>
<lock>1</lock>
<spoofmac/>
<ipaddr>192.168.50.3</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<track6-interface>opt2</track6-interface>
<!-- prefix id 0 matches "sla-id 0" for igb1 in the dhcp6c config further down -->
<track6-prefix-id>0</track6-prefix-id>
</opt5>
<opt1>
<!-- lan_media (igb2): IPv6 is tracked from the vdsl WAN (opt3) -->
<if>igb2</if>
<descr>lan_media</descr>
<enable>1</enable>
<lock>1</lock>
<spoofmac/>
<ipaddr>192.168.150.3</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<track6-interface>opt3</track6-interface>
<!-- NOTE(review): prefix id 0 here, but the dhcp6c config further down uses "sla-id 1" for igb2;
verify how the generator derives the sla-id before relying on a specific /64 in firewall rules -->
<track6-prefix-id>0</track6-prefix-id>
</opt1>
# Automatically generated, do not edit
# Generated config for dhcp6 delegation from opt2 on opt5
# igb1 is opt5, which tracks opt2 in the config.xml excerpt above; the prefix below is the
# delegated /64 currently applied to it.
interface igb1 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
prefix 2a02:8109:9d40:476::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
# resolver advertised to hosts: an address inside the same /64 as the prefix above,
# presumably the firewall's own address on igb1 - confirm.
RDNSS 2a02:8109:9d40:476:20d:b9ff:fe4a:7499 { };
DNSSL chao5.int { };
};
# Generated config for dhcp6 delegation from opt3 on opt1
interface igb2 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
# NOTE(review): ::/64 means no delegated prefix has been applied for igb2, unlike the
# 2a02:... prefix on igb1 above. The dhcp6c log further down shows igb0_vlan14 still in
# state SOLICIT, which would explain it - confirm. Hosts on igb2 may also autoconfigure
# addresses inside ::/64 from this RA while it is advertised with AdvAutonomous on.
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
# no RDNSS here, consistent with no global address being available on igb2 yet
DNSSL chao5.int { };
};
# cable WAN (opt2). config.xml above sets dhcp6prefixonly=1 for it, hence only ia-pd
# (no ia-na) is requested here.
interface igb0_vlan4 {
send ia-pd 0; # request prefix delegation
request domain-name-servers;
request domain-name;
script "/var/etc/dhcp6c_opt2_script.sh"; # we'd like some nameservers please
};
# delegation for the cable WAN: ia-pd-len 1 in config.xml above becomes sla-len 1 here
# (one SLA bit), and igb1 (opt5, track6-prefix-id 0) takes sla-id 0.
id-assoc pd 0 {
prefix-interface igb1 {
sla-id 0;
sla-len 1;
};
};
# vdsl WAN (opt3). No dhcp6prefixonly in config.xml above, hence both ia-na and ia-pd.
# NOTE(review): the dhcp6c log further down shows the Solicit on igb0_vlan14 coming from
# dhcp6c[19870] and "unexpected interface (9)" from a different PID (15879); that looks
# like two dhcp6c instances running at the same time - confirm only one is active.
interface igb0_vlan14 {
send ia-na 0; # request stateful address
send ia-pd 0; # request prefix delegation
request domain-name-servers;
request domain-name;
script "/var/etc/dhcp6c_opt3_script.sh"; # we'd like some nameservers please
};
# address association for the vdsl WAN; empty block, nothing is constrained here
id-assoc na 0 { };
# delegation for the vdsl WAN: ia-pd-len 4 in config.xml above becomes sla-len 4 here.
# NOTE(review): this is the second "id-assoc pd 0" in the same file (IAID 0 is also used
# for igb1 above); if both WANs are driven by one dhcp6c process, confirm the duplicate
# IAID is intended. sla-id is 1 here although config.xml sets track6-prefix-id 0 for
# opt1 - verify the generator's mapping.
id-assoc pd 0 {
prefix-interface igb2 {
sla-id 1;
sla-len 4;
};
};
Sep 11 07:14:13 cerber dhcp6c[19870]: Sending Solicit
Sep 11 07:14:13 cerber dhcp6c[19870]: set client ID (len 14)
Sep 11 07:14:13 cerber dhcp6c[19870]: set identity association
Sep 11 07:14:13 cerber dhcp6c[19870]: set elapsed time (len 2)
Sep 11 07:14:13 cerber dhcp6c[19870]: set option request (len 4)
Sep 11 07:14:13 cerber dhcp6c[19870]: set IA_PD
Sep 11 07:14:13 cerber dhcp6c[19870]: send solicit to ff02::1:2%igb0_vlan14
Sep 11 07:14:13 cerber dhcp6c[19870]: reset a timer on igb0_vlan14, state=SOLICIT, timeo=13, retrans=110376
Sep 11 07:14:13 cerber dhcp6c[15879]: unexpected interface (9)
local-data-ptr: "192.168.60.3 cerber.chao5.int"
local-data: "cerber.chao5.int A 192.168.60.3"
local-data: "cerber A 192.168.60.3"
local-data: "cerber.chao5.int AAAA fe80::6f0:21ff:fe30:3765"
local-data: "cerber AAAA fe80::6f0:21ff:fe30:3765"
local-data-ptr: "192.168.250.3 cerber.chao5.int"
local-data: "cerber.chao5.int A 192.168.250.3"
local-data: "cerber A 192.168.250.3"
local-data: "cerber.chao5.int AAAA fe80::4f0:21ff:fe30:3765"
local-data: "cerber AAAA fe80::4f0:21ff:fe30:3765"
host cerber.chao5.int
cerber.chao5.int has address 192.168.60.3
cerber.chao5.int has address 192.168.250.3
cerber.chao5.int has IPv6 address fe80::6f0:21ff:fe30:3765
cerber.chao5.int has IPv6 address fe80::4f0:21ff:fe30:3765
50587 - D 26:09.05 (squid-1) -f /usr/local/etc/squid/squid.conf (squid)
#
# Automatic generated configuration for Squid.
# Do not edit this file manually.
#
# Setup transparent mode listeners on loopback interfaces
http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
# Setup regular listeners configuration
# 192.168.50.2 is the carp_lan_wlan VIP from the virtualip excerpt further down, so the
# proxy keeps answering on the shared address across a CARP failover.
http_port 192.168.50.3:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port 192.168.50.2:3128 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
# setup ssl re-cert
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M 12MB
sslcrtd_children 10
# NOTE(review): MEDIUM admits weaker suites than HIGH alone; prefer HIGH only unless a
# needed upstream requires more - check what the installed OpenSSL maps MEDIUM to.
sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
# NOTE(review): NO_TLSv1 switches off TLS 1.0 only; TLS 1.1 towards upstream servers stays
# negotiable - add NO_TLSv1_1 as well if the bumped sites support TLS 1.2.
sslproxy_options NO_TLSv1
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
# configure bump
# the generator emits the step-1 peek twice; the duplicate is harmless
ssl_bump peek bump_step1 all
ssl_bump peek bump_step1 all
# server names listed in nobumpsites.acl are spliced (passed through), everything else is bumped
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
# upstream certificate errors are fatal for bumped connections; keep this, relaxing it
# would hide invalid server certificates from the clients behind the proxy
sslproxy_cert_error deny all
# NOTE(review): http_access is evaluated first-match, and this unconditional allow for
# proto FTP precedes every source-network, Safe_ports and CONNECT check further down, so
# any client that can reach a listener can relay FTP through the proxy. Qualify it with a
# source acl (e.g. `http_access allow localnet ftp`) or move it below the localnet/subnets
# allows.
acl ftp proto FTP
http_access allow ftp
# Setup ftp proxy
# Rules allowing access from your local networks.
# Generated list of (internal) IP networks from where browsing
# should be allowed. (Allow interface subnets).
acl localnet src 192.168.50.0/24 # Possible internal network (interfaces v4)
# Default allow for local-link and private networks
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# ACL lists
# ACL - Allow Subnets - User defined (subnets)
# 192.168.55.0/24 and 10.0.8.0/24 are not interface subnets in the config.xml excerpt
# above - presumably VPN or remote ranges; they only reach the proxy via the regular
# listeners, not the loopback intercept ports
acl subnets src 192.168.50.0/24
acl subnets src 192.168.150.0/24
acl subnets src 192.168.55.0/24
acl subnets src 10.0.8.0/24
acl subnets src 127.0.0.1
# ACL - Remote fetched Blacklist (remoteblacklist)
# ACL - Block browser/user-agent - User defined (browser)
# ACL - SSL ports, default are configured in config.xml
# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
acl SSL_ports port 443 # https
acl SSL_ports port 444 # https
# Default Safe ports are now defined in config.xml
# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
# ACL - Safe_ports
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
# the whole unprivileged range counts as safe (squid's stock default); narrow it if the
# clients only need well-known ports
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# ICAP SETTINGS
# enable icap
icap_enable on
icap_default_options_ttl 60
# send user information to the icap server
# the client IP (but not a username) is forwarded to the scanner for every request
adaptation_send_client_ip on
adaptation_send_username off
icap_client_username_encode off
icap_client_username_header X-Username
# preview
icap_preview_enable on
icap_preview_size 1024
# add the servers
# both services point at a scanner on loopback ([::1]:1344), so ICAP traffic never leaves the host
icap_service response_mod respmod_precache icap://[::1]:1344/avscan
icap_service request_mod reqmod_precache icap://[::1]:1344/avscan
# Pre-auth plugins
include /usr/local/etc/squid/pre-auth/*.conf
# Authentication Settings
# Deny requests to certain unsafe ports
# evaluation order from here: port/CONNECT denies, cachemgr, to_localhost, then the
# source-network allows, then deny all. Note the "http_access allow ftp" further up is
# matched before any of these.
adaptation_access response_mod deny !Safe_ports
adaptation_access request_mod deny !Safe_ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
adaptation_access response_mod deny CONNECT !SSL_ports
adaptation_access request_mod deny CONNECT !SSL_ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
adaptation_access response_mod allow localhost manager
adaptation_access request_mod allow localhost manager
adaptation_access response_mod deny manager
adaptation_access request_mod deny manager
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
adaptation_access response_mod deny to_localhost
adaptation_access request_mod deny to_localhost
http_access deny to_localhost
# Auth plugins
include /usr/local/etc/squid/auth/*.conf
#
# Access Permission configuration:
#
# Deny request from unauthorized clients
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
adaptation_access response_mod allow localnet
adaptation_access request_mod allow localnet
http_access allow localnet
# ACL - localhost
adaptation_access response_mod allow localhost
adaptation_access request_mod allow localhost
http_access allow localhost
# ACL list (Allow) subnets
adaptation_access response_mod allow subnets
adaptation_access request_mod allow subnets
http_access allow subnets
# Deny all other access to this proxy
adaptation_access response_mod deny all
adaptation_access request_mod deny all
http_access deny all
# Post-auth plugins
include /usr/local/etc/squid/post-auth/*.conf
# Caching settings
cache_mem 256 MB
cache_dir ufs /var/squid/cache 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Squid Options
# dns_v4_first reverses the order of preference to make Squid contact dual-stack websites over IPv4 first
dns_v4_first on
# request logging goes to syslog only (no local access.log)
access_log syslog:local4.info
# Disable cache store log
cache_store_log none
# URI hanlding with Whitespaces (default=strip)
uri_whitespace strip
# X-Forwarded header handling (default=on)
# NOTE(review): with this on, the internal client IP is sent upstream in X-Forwarded-For
# for every proxied request; set it to off (or delete) if that exposure is not wanted.
forwarded_for on
# Disable squid logfile rotate to use system defaults
logfile_rotate 0
# Define visible hostname
visible_hostname cerber.chao5.int
# Define visible email
cache_mgr root@chao5.int
if (is_ipaddrv4($vip['subnet'])) {
/* Ensure a IP on this interface exists prior to configuring CARP. */
$ww_subnet_ip = find_interface_ip($realif);
if (!is_ipaddrv4($ww_subnet_ip)) {
file_notice("CARP", sprintf(gettext("Sorry but we could not find a required assigned ip address on the interface for the virtual IP address %s."), $vip['subnet']), "Firewall: Virtual IP", "");
return;
}
<virtualip>
<!-- NOTE(review): the CARP password below is shown in cleartext in a public paste and the
same value is used for all four VHIDs; rotate it on both nodes (it has to match per VHID
on the peer, see the second virtualip excerpt further down). -->
<vip>
<type>single</type>
<subnet_bits>24</subnet_bits>
<mode>carp</mode>
<interface>opt2</interface>
<descr>carp_cable</descr>
<subnet>192.168.40.2</subnet>
<vhid>40</vhid>
<advskew>100</advskew>
<!-- advbase is in seconds; 30 here (40 on the other node) stretches master-failure
detection well beyond what the usual value of 1 gives - presumably deliberate, confirm. -->
<advbase>30</advbase>
<password>!c4rp!</password>
</vip>
<vip>
<type>single</type>
<subnet_bits>24</subnet_bits>
<mode>carp</mode>
<interface>opt5</interface>
<descr>carp_lan_wlan</descr>
<!-- this is the address squid also listens on (see http_port 192.168.50.2:3128 above) -->
<subnet>192.168.50.2</subnet>
<vhid>50</vhid>
<advskew>100</advskew>
<advbase>30</advbase>
<password>!c4rp!</password>
</vip>
<vip>
<type>single</type>
<subnet_bits>24</subnet_bits>
<mode>carp</mode>
<interface>opt3</interface>
<descr>carp_vdsl</descr>
<subnet>192.168.140.2</subnet>
<vhid>140</vhid>
<advskew>100</advskew>
<advbase>30</advbase>
<password>!c4rp!</password>
</vip>
<vip>
<type>single</type>
<subnet_bits>24</subnet_bits>
<mode>carp</mode>
<interface>opt1</interface>
<descr>carp_lan_media</descr>
<subnet>192.168.150.2</subnet>
<vhid>150</vhid>
<advskew>100</advskew>
<advbase>30</advbase>
<password>!c4rp!</password>
</vip>
</virtualip>
<virtualip>
<!-- presumably the second CARP node: same VHIDs, VIPs and password as the first excerpt,
higher advskew (200) so it stays backup. The interface assignment differs from the other
node (wan/lan here, opt1 = vdsl, opt2 = lan_media), so optN names do not map 1:1 between
the two boxes - keep that in mind when comparing rules or the password rotation. -->
<vip>
<type>single</type>
<subnet_bits>24</subnet_bits>
<mode>carp</mode>
<interface>wan</interface>
<descr>carp_cable</descr>
<subnet>192.168.40.2</subnet>
<vhid>40</vhid>
<advskew>200</advskew>
<!-- advbase 40 here versus 30 on the other node; both are in seconds - confirm the
difference is intended -->
<advbase>40</advbase>
<password>!c4rp!</password>
</vip>
<vip>
<type>single</type>
<subnet_bits>24</subnet_bits>
<mode>carp</mode>
<interface>lan</interface>
<descr>carp_lan_wlan</descr>
<subnet>192.168.50.2</subnet>
<vhid>50</vhid>
<advskew>200</advskew>
<advbase>40</advbase>
<password>!c4rp!</password>
</vip>
<vip>
<type>single</type>
<subnet_bits>24</subnet_bits>
<mode>carp</mode>
<interface>opt1</interface>
<descr>carp_vdsl</descr>
<subnet>192.168.140.2</subnet>
<vhid>140</vhid>
<advskew>200</advskew>
<advbase>40</advbase>
<password>!c4rp!</password>
</vip>
<vip>
<type>single</type>
<subnet_bits>24</subnet_bits>
<mode>carp</mode>
<interface>opt2</interface>
<descr>carp_lan_media</descr>
<subnet>192.168.150.2</subnet>
<vhid>150</vhid>
<advskew>200</advskew>
<advbase>40</advbase>
<password>!c4rp!</password>
</vip>
</virtualip>
# road-warrior IKEv2 connection with certificate auth on both sides.
# NOTE(review): the charon log further down shows the OCSP and CRL fetches for the client
# certificate failing with "no capable fetcher found", after which authentication still
# succeeds with "certificate status is not available" - revocation is effectively not
# enforced for this conn. Give charon a working HTTP fetcher (or a locally provided CRL)
# and confirm a revoked client certificate is then rejected.
conn con4
aggressive = no
fragmentation = yes
keyexchange = ikev2
mobike = yes
reauth = yes
rekey = yes
forceencaps = no
installpolicy = yes
type = tunnel
dpdaction = clear
dpddelay = 10s
dpdtimeout = 60s
# local endpoint is the cable WAN address (opt2 above); the log shows it behind NAT
left = 192.168.40.3
right = %any
# the same log ends with the peer answering AUTH_FAILED right after both SAs are
# established, i.e. the client appears to reject our side; presumably its trust in
# cert-4.crt or the match of this leftid against the certificate's SAN - check on the client.
leftid = dync.chao5.net
ikelifetime = 28800s
lifetime = 3600s
# virtual address pool handed to clients (the log shows 192.168.250.1 being assigned)
rightsourceip = 192.168.250.0/24
ike = aes256-sha256-modp2048s256!
leftauth = pubkey
rightauth = pubkey
leftcert = /usr/local/etc/ipsec.d/certs/cert-4.crt
leftsendcert = always
# client certificates must chain to this CA (the log shows it selected as trusted ca)
rightca = "/O=CHAO5.INT/CN=Certificate Authority/"
rightsubnet = 192.168.250.0/24
leftsubnet = 192.168.50.0/24
# the esp proposal list below is a single line in ipsec.conf; the forum rendering wrapped
# it after "aes192-sha384-m". Every aesNNN-sha1-* entry still allows HMAC-SHA1 integrity;
# drop them if all clients can do sha256 or better.
esp = aes256-sha1-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048,aes256-sha512-modp2048,aes192-sha1-modp2048,aes192-sha256-modp2048,aes192-sha384-m
odp2048,aes192-sha512-modp2048,aes128-sha1-modp2048,aes128-sha256-modp2048,aes128-sha384-modp2048,aes128-sha512-modp2048!
auto = add
Feb 4 23:09:33 cerber charon: 09[NET] received packet: from 31.17.57.154[61045] to 192.168.40.3[500] (660 bytes)
Feb 4 23:09:33 cerber charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 4 23:09:33 cerber charon: 09[IKE] 31.17.57.154 is initiating an IKE_SA
Feb 4 23:09:33 cerber charon: 09[IKE] 31.17.57.154 is initiating an IKE_SA
Feb 4 23:09:33 cerber charon: 09[IKE] local host is behind NAT, sending keep alives
Feb 4 23:09:33 cerber charon: 09[IKE] remote host is behind NAT
Feb 4 23:09:33 cerber charon: 09[IKE] sending cert request for "O=CHAO5.INT, CN=Certificate Authority"
Feb 4 23:09:33 cerber charon: 09[IKE] sending cert request for "CN=Fake LE Intermediate X1"
Feb 4 23:09:33 cerber charon: 09[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Feb 4 23:09:33 cerber charon: 09[IKE] sending cert request for "C=DE, ST=Berlin, L=Berlin, O=chao5, E=perun@chao5.net, CN=internal-ca"
Feb 4 23:09:33 cerber charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 4 23:09:33 cerber charon: 09[NET] sending packet: from 192.168.40.3[500] to 31.17.57.154[61045] (551 bytes)
Feb 4 23:09:34 cerber charon: 09[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (532 bytes)
Feb 4 23:09:34 cerber charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Feb 4 23:09:34 cerber charon: 09[ENC] received fragment #1 of 4, waiting for complete IKE message
Feb 4 23:09:34 cerber charon: 09[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (532 bytes)
Feb 4 23:09:34 cerber charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Feb 4 23:09:34 cerber charon: 09[ENC] received fragment #2 of 4, waiting for complete IKE message
Feb 4 23:09:34 cerber charon: 08[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (484 bytes)
Feb 4 23:09:34 cerber charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Feb 4 23:09:34 cerber charon: 08[ENC] received fragment #4 of 4, waiting for complete IKE message
Feb 4 23:09:34 cerber charon: 06[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (532 bytes)
Feb 4 23:09:34 cerber charon: 06[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Feb 4 23:09:34 cerber charon: 06[ENC] received fragment #3 of 4, reassembling fragmented IKE message
Feb 4 23:09:34 cerber charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 4 23:09:34 cerber charon: 06[IKE] received end entity cert "O=CHAO5.INT, CN=handy-marlena.vpn"
Feb 4 23:09:34 cerber charon: 06[CFG] looking for peer configs matching 192.168.40.3[%any]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb 4 23:09:34 cerber charon: 06[CFG] selected peer config 'con4'
Feb 4 23:09:34 cerber charon: 06[CFG] using certificate "O=CHAO5.INT, CN=handy-marlena.vpn"
Feb 4 23:09:34 cerber charon: 06[CFG] using trusted ca certificate "O=CHAO5.INT, CN=Certificate Authority"
Feb 4 23:09:34 cerber charon: 06[CFG] checking certificate status of "O=CHAO5.INT, CN=handy-marlena.vpn"
Feb 4 23:09:34 cerber charon: 06[CFG] requesting ocsp status from 'http://ipa-ca.chao5.int/ca/ocsp' ...
Feb 4 23:09:34 cerber charon: 06[LIB] unable to fetch from http://ipa-ca.chao5.int/ca/ocsp, no capable fetcher found
Feb 4 23:09:34 cerber charon: 06[CFG] ocsp request to http://ipa-ca.chao5.int/ca/ocsp failed
Feb 4 23:09:34 cerber charon: 06[CFG] ocsp check failed, fallback to crl
Feb 4 23:09:34 cerber charon: 06[CFG] fetching crl from 'http://ipa-ca.chao5.int/ipa/crl/MasterCRL.bin' ...
Feb 4 23:09:34 cerber charon: 06[LIB] unable to fetch from http://ipa-ca.chao5.int/ipa/crl/MasterCRL.bin, no capable fetcher found
Feb 4 23:09:34 cerber charon: 06[CFG] crl fetching failed
Feb 4 23:09:34 cerber charon: 06[CFG] certificate status is not available
Feb 4 23:09:34 cerber charon: 06[CFG] reached self-signed root ca with a path length of 0
Feb 4 23:09:34 cerber charon: 06[IKE] authentication of 'O=CHAO5.INT, CN=handy-marlena.vpn' with RSA_EMSA_PKCS1_SHA2_256 successful
Feb 4 23:09:34 cerber charon: 06[IKE] peer supports MOBIKE
Feb 4 23:09:34 cerber charon: 06[IKE] authentication of 'dync.chao5.net' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Feb 4 23:09:34 cerber charon: 06[IKE] IKE_SA con4[48] established between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb 4 23:09:34 cerber charon: 06[IKE] IKE_SA con4[48] established between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb 4 23:09:34 cerber charon: 06[IKE] scheduling reauthentication in 28135s
Feb 4 23:09:34 cerber charon: 06[IKE] maximum IKE_SA lifetime 28675s
Feb 4 23:09:34 cerber charon: 06[IKE] sending end entity cert "O=CHAO5.INT, CN=dync.chao5.net"
Feb 4 23:09:34 cerber charon: 06[IKE] peer requested virtual IP %any
Feb 4 23:09:34 cerber charon: 06[CFG] reassigning offline lease to 'O=CHAO5.INT, CN=handy-marlena.vpn'
Feb 4 23:09:34 cerber charon: 06[IKE] assigning virtual IP 192.168.250.1 to peer 'O=CHAO5.INT, CN=handy-marlena.vpn'
Feb 4 23:09:34 cerber charon: 06[IKE] CHILD_SA con4{52} established with SPIs c802b32d_i c9ec3747_o and TS 192.168.50.0/24 === 192.168.250.0/24
Feb 4 23:09:34 cerber charon: 06[IKE] CHILD_SA con4{52} established with SPIs c802b32d_i c9ec3747_o and TS 192.168.50.0/24 === 192.168.250.0/24
Feb 4 23:09:34 cerber charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR SUBNET DNS DNS U_DEFDOM U_SPLITDNS U_PFS) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 4 23:09:34 cerber charon: 06[ENC] splitting IKE message with length of 1824 bytes into 2 fragments
Feb 4 23:09:34 cerber charon: 06[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Feb 4 23:09:34 cerber charon: 06[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Feb 4 23:09:34 cerber charon: 06[NET] sending packet: from 192.168.40.3[4500] to 31.17.57.154[61046] (1236 bytes)
Feb 4 23:09:34 cerber charon: 06[NET] sending packet: from 192.168.40.3[4500] to 31.17.57.154[61046] (660 bytes)
Feb 4 23:09:34 cerber charon: 06[NET] received packet: from 31.17.57.154[61046] to 192.168.40.3[4500] (80 bytes)
Feb 4 23:09:34 cerber charon: 06[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb 4 23:09:34 cerber charon: 06[IKE] received DELETE for IKE_SA con4[48]
Feb 4 23:09:34 cerber charon: 06[IKE] deleting IKE_SA con4[48] between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb 4 23:09:34 cerber charon: 06[IKE] deleting IKE_SA con4[48] between 192.168.40.3[dync.chao5.net]...31.17.57.154[O=CHAO5.INT, CN=handy-marlena.vpn]
Feb 4 23:09:34 cerber charon: 06[IKE] IKE_SA deleted
Feb 4 23:09:34 cerber charon: 06[IKE] IKE_SA deleted
Feb 4 23:09:34 cerber charon: 06[ENC] generating INFORMATIONAL response 2 [ ]
Feb 4 23:09:34 cerber charon: 06[NET] sending packet: from 192.168.40.3[4500] to 31.17.57.154[61046] (80 bytes)
Feb 4 23:09:34 cerber charon: 06[CFG] lease 192.168.250.1 by 'O=CHAO5.INT, CN=handy-marlena.vpn' went offline