--- west.console.txt 2019-09-21 07:12:56.263539255 +0000
+++ OUTPUT/west.console.txt 2019-09-21 07:21:24.858281208 +0000
@@ -32,14 +32,12 @@
 iptables -L -n
 Chain INPUT (policy ACCEPT)
 target prot opt source destination
-NFLOG all -- 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec nflog-prefix all-ipsec nflog-group 50
 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec
 LOGDROP all -- 192.0.2.0/24 0.0.0.0/0
 Chain FORWARD (policy ACCEPT)
 target prot opt source destination
 Chain OUTPUT (policy ACCEPT)
 target prot opt source destination
-NFLOG all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec nflog-prefix all-ipsec nflog-group 50
 Chain LOGDROP (1 references)
 target prot opt source destination
 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
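Review bot: Both `NFLOG ... policy match ... pol ipsec ... nflog-group 50` rules are gone from the INPUT and OUTPUT chains in the new `iptables -L -n` listing while the ACCEPT and LOGDROP rules survive, so nothing feeds nflog-group 50 and the later capture on nflog:50 cannot see traffic even if the tunnel had come up. This listing sits at file line 32, before the `initiating v2 parent SA` at line 49, so it points at the nflog=50 rule install (presumably done by the harness or pluto at start) rather than at the IKE failure further down. Worth checking the pluto log or `iptables-save` on the failed run to see whether the rule install was attempted and rejected, or never run at all.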
@@ -49,11 +47,15 @@
 002 "westnet-eastnet-ikev2" #1: initiating v2 parent SA
 1v2 "westnet-eastnet-ikev2" #1: initiate
 1v2 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
-1v2 "westnet-eastnet-ikev2" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "westnet-eastnet-ikev2" #2: IKEv2 mode peer ID is ID_FQDN: '@east'
-003 "westnet-eastnet-ikev2" #2: Authenticated using RSA
-002 "westnet-eastnet-ikev2" #2: negotiated connection [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0]
-004 "westnet-eastnet-ikev2" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+010 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response
+010 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response
+010 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: retransmission; will wait 2 seconds for response
+010 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: retransmission; will wait 4 seconds for response
+010 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: retransmission; will wait 8 seconds for response
+010 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: retransmission; will wait 16 seconds for response
+010 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: retransmission; will wait 32 seconds for response
+031 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv2 message
+000 "westnet-eastnet-ikev2" #1: starting keying attempt 2 of an unlimited number, but releasing whack
 west #
 rm -fr /tmp/nflog-50.pcap
 west #
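Review bot: The new side never leaves STATE_PARENT_I1: seven retransmissions up to the 60 second timeout and then `starting keying attempt 2 of an unlimited number`, so east either never answered the IKE_SA_INIT request or every answer was rejected, and the `No response (or no acceptable response)` wording cannot tell the two apart. Since this is the first exchange, before any authentication, the vanished `Authenticated using RSA` and `IPsec SA established` lines are a consequence rather than separate failures; east's console and the link between the two hosts in this run are where to look. Because whack is released while keying continues with unlimited retries, the remaining script steps run without a tunnel instead of stopping on an error, which is consistent with the silent ping loss later in the diff.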
@@ -63,31 +65,13 @@
 ping -n -c 5 -I 192.0.1.254 192.0.2.254
 tcpdump: listening on nflog:50, link-type NFLOG (Linux netfilter log messages), capture size 262144 bytes
 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
-64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
-64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
-64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
-64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
-8 packets captured
-8 packets received by filter
-0 packets dropped by kernel
-64 bytes from 192.0.2.254: icmp_seq=5 ttl=64 time=0.XXX ms
 --- 192.0.2.254 ping statistics ---
-5 packets transmitted, 5 received, 0% packet loss, time XXXX
-rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
-[1]+ Done tcpdump -c 8 -s 0 -w /tmp/nflog-50.pcap -i nflog:50
+5 packets transmitted, 0 received, 100% packet loss, time XXXX
 west #
 cp /tmp/nflog-50.pcap OUTPUT/nflog-50.pcap
 west #
 tcpdump -n -r OUTPUT/nflog-50.pcap
-reading from file OUTPUT/nflog-50.pcap, link-type NFLOG (Linux netfilter log messages)
-IP 192.0.1.254 > 192.0.2.254: ICMP echo request, id XXXX, seq 1, length 64
-IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id XXXX, seq 1, length 64
-IP 192.0.1.254 > 192.0.2.254: ICMP echo request, id XXXX, seq 2, length 64
-IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id XXXX, seq 2, length 64
-IP 192.0.1.254 > 192.0.2.254: ICMP echo request, id XXXX, seq 3, length 64
-IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id XXXX, seq 3, length 64
-IP 192.0.1.254 > 192.0.2.254: ICMP echo request, id XXXX, seq 4, length 64
-IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id XXXX, seq 4, length 64
+tcpdump: truncated dump file; tried to read 4 file header bytes, only got 0
 west #
 echo done
 done
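Review bot: `tcpdump -n -r OUTPUT/nflog-50.pcap` now fails with `truncated dump file; tried to read 4 file header bytes, only got 0`, i.e. the copied pcap is empty, and the `[1]+ Done tcpdump -c 8 ...` job line is gone, which suggests the background `tcpdump -c 8` was still waiting for its eight packets when `cp` ran rather than having finished and written a valid file. The script would fail more legibly if it stopped the capture before copying, e.g. `kill %1; wait` ahead of the `cp`, or ran the capture under `timeout`, so a run with no traffic still yields a readable pcap with zero records. The 100% packet loss on the ping is consistent with the IKE timeout earlier in the diff and the missing NFLOG rules at the top, so the empty capture is not itself evidence about nflog handling.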
@@ -96,10 +80,6 @@
 west NOW
 XFRM state:
 XFRM policy:
-src 192.0.1.0/24 dst 192.0.2.0/24
-dir out priority 1042407 ptype main
-tmpl src 0.0.0.0 dst 0.0.0.0
-proto esp reqid REQID mode transport
 XFRM done
 IPSEC mangle TABLES
 NEW_IPSEC_CONN mangle TABLES
@@ -114,7 +94,8 @@
 west #
 west #
 ipsec stop
-Redirecting to: [initsystem]
+PATH/bin/nsenter --mount=/run/mountns/west-nflog-01-global --net=/run/netns/west-nflog-01-global --uts=/run/utsns/west-nflog-01-global /bin/bash
+002 shutting down
 west #
 # show no nflog left behind
 west #
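Review bot: In the second hunk the `ipsec stop` output on the new side is the harness's `PATH/bin/nsenter --mount=/run/mountns/west-nflog-01-global --net=/run/netns/west-nflog-01-global ...` invocation plus `002 shutting down` instead of `Redirecting to: [initsystem]`, so this run was executed under the namespace runner rather than the environment the expected output was recorded in. That line embeds runner-specific mount/net/uts namespace paths and will differ on every namespace run of this test whatever the nflog result, so it should be sanitized out (or the expected output regenerated per runner) before the diff is meaningful. The `002 shutting down` line also indicates pluto was still running after the failed negotiation, which matches the unlimited keying retries reported earlier in the diff.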