StrongSwan VPN tunnel

Hello everyone!
I have remote machines acting as strongswan VPN servers.
They can handle roadwarrior clients with EAP-TLS auth.
I installed OpenWRT on my Archer C6. I want all router's clients traffic to go thru VPN tunnel.
I've followed a guide to make a tunnel.
It works. I can ping machines from server's subnet from my pc.

I can't set up forwarding properly.
I need to wrap all traffic thru VPN.
If I set a firewall rule LAN->VPN in LuCI, I just have no internet.
I understand that this is most likely a very simple question, but I am a programmer and not a network engineer. I desperately need your help. Much appreciated!

/etc/ipsec.conf on OpenWRT

# Global charon settings on the router side.
config setup
    # Don't require a fresh CRL for peer certificates; irrelevant with PSK auth
    # but harmless to leave in place.
    strictcrlpolicy=no
    # Allow several IKE_SAs with the same peer identity to coexist instead of
    # replacing the older one.
    uniqueids=never
    cachecrls=no

# Tunnel from the router (left) to the AWS server (right), IKEv2 with a
# pre-shared key. The router is the initiator (auto=start).
conn swanvpn
  type=tunnel
  auto=start
  keyexchange=ikev2
  authby=secret
  left=92.255.**.** # Public ip
  #leftsubnet=10.10.10.10/32
  #leftsubnet=192.168.1.1/24
  # NOTE(review): a /32 covers only the single address 192.168.1.0, i.e. the LAN
  # network address, not the LAN. Packets from 192.168.1.x clients never match
  # this traffic selector, which is why they do not enter the tunnel.
  leftsubnet=192.168.1.0/32
  # Ask the server for a virtual IP from its rightsourceip pool.
  leftsourceip=%config
  right=3.8.**.** # AWS server public ip
  # Only the AWS VPC range is sent through the tunnel with this selector; a
  # "consumer VPN" (all traffic) would need 0.0.0.0/0 here and on the server.
  rightsubnet=172.31.0.0/20
  # NOTE(review): SHA1 with 1024-bit MODP (DH group 2) is a weak proposal. The
  # router's 'ipsec statusall' plugin list has only aes/sha1/gmp, so moving to
  # sha256/modp2048 needs extra strongSwan plugins installed on the router first.
  ike=aes256-sha1-modp1024!
  esp=aes256-sha1!
  aggressive=no
  keyingtries=%forever
  ikelifetime=28800s
  lifetime=3600s
  # Dead-peer detection: probe every 30s, give up after 120s, then re-initiate.
  dpddelay=30s
  dpdtimeout=120s
  dpdaction=restart
  # XFRM marks for route-based IPsec; the vti interface must be created with the
  # same values (ikey 32 / okey 42).
  mark_in=32
  mark_out=42

# Presumably the per-boot config generated by OpenWrt's ipsec init script;
# 'ipsec statusall' already reports the sibling /var/ipsec/strongswan.conf as
# missing, so verify this file actually exists.
include /var/ipsec/ipsec.conf

/etc/ipsec.conf on server


# Global charon settings on the server side.
config setup
    # Log levels: IKE and kernel interface at 1, config at 0.
    charondebug="ike 1, knl 1, cfg 0"
    # Do not tear down an existing IKE_SA when the same identity connects again.
    uniqueids=no

# Road-warrior profile for the Windows clients. The server authenticates with
# its certificate; clients authenticate with EAP-MSCHAPv2 (username/password),
# not EAP-TLS as the opening post says - worth double-checking which is meant.
conn ikev2-vpn # Default roadwarrior connection
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    # Always encapsulate ESP in UDP (4500/udp), even when no NAT is detected.
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    #leftid=%any
    leftid=@vpn.***.com # Domain
    leftcert=server-cert.pem
    leftsendcert=always
    # Script not shown in this thread; presumably installs the NAT/forwarding
    # rules for connected clients - confirm it also covers conn wrt below.
    leftupdown=/etc/ipsec.d/firewall.updown
    # Full tunnel: clients send all their traffic through the server.
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    # Virtual-IP pool handed to clients (shared with conn wrt) and the DNS
    # servers pushed to them.
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    # Proposal lists; the ike= line was cut off in the paste. The trailing
    # aes256-sha1-modp1024 and 3des-sha1 entries are weak fallbacks kept for old
    # clients; remove them once no client depends on them.
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes12>
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

# PSK-authenticated profile for the OpenWrt router. Both identities are
# wildcards, so the pre-shared key alone authenticates the peer: the secret in
# ipsec.secrets should be bound to the router's identity rather than to %any.
conn wrt # PSK For OpenWRT
  type=tunnel
  auto=add
  keyexchange=ikev2
  authby=secret
  left=%any
  leftid=%any
  #leftsubnet=172.31.0.0/20
  # Offer everything (full tunnel) rather than only the VPC range.
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightdns=8.8.8.8,8.8.4.4
  # Same virtual-IP pool as conn ikev2-vpn above.
  rightsourceip=10.10.10.0/24
  #rightsubnet=192.168.1.0/32
  # NOTE(review): 0.0.0.0/0 as the remote selector accepts packets with *any*
  # source address arriving out of this tunnel; narrow it to the router's
  # address or LAN once the design is settled.
  rightsubnet=0.0.0.0/0
  # SHA1 + 1024-bit MODP (DH group 2) is weak; it is pinned here because the
  # router's plugin set only loads aes/sha1/gmp.
  ike=aes256-sha1-modp1024!
  esp=aes256-sha1!
  aggressive=no
  keyingtries=%forever
  ikelifetime=28800s
  lifetime=3600s
  dpddelay=30s
  dpdtimeout=120s
  dpdaction=restart
  # Script not shown in this thread; see the note on conn ikev2-vpn.
  leftupdown=/etc/ipsec.d/firewall.updown


/etc/config/firewall

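# /etc/config/firewall on the router. Zones: lan (trusted clients), wan
# (untrusted upstream: pppoe-wan / wan6) and VPN (the vti1 tunnel interface).
# Anything not explicitly accepted below falls back to the REJECT defaults.
config defaults
        option synflood_protect '1'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Untrusted side. 'input' and 'forward' are back at the OpenWrt defaults (REJECT):
# the original had input 'ACCEPT', which exposes every service the router runs
# (LuCI, SSH, DNS, ...) to the Internet. The tunnel does not need it, because the
# router is the IKE initiator (auto=start) and replies to its own UDP 500/4500
# traffic are accepted as established connections. A zone's 'forward' policy only
# governs forwarding between networks inside that zone (wan <-> wan6).
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option input 'REJECT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# The original paste lacked the 'config rule' header here, so these options were
# appended to the Allow-IGMP section above (a later 'option' of the same name
# replaces the earlier one), silently turning that rule into an ESP rule.
# ESP terminates on the router itself, so this is an input rule (no 'dest');
# with 'dest lan' it would only match ESP being forwarded into the LAN, which
# never happens. The SA in this thread is ESP-in-UDP, so IKE/NAT-T on UDP
# 500/4500 would be the relevant ports if the server ever had to initiate.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

# Tunnel zone (vti1). masq '1' rewrites LAN sources to the tunnel interface's
# address, so only that address has to be covered by the IPsec traffic selector
# (leftsubnet). input 'ACCEPT' trusts the far end of the tunnel with every
# service on the router; tighten it if the server side is not fully trusted.
config zone
        option name 'VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'VPN'
        option forward 'ACCEPT'
        option masq '1'

# Lets hosts on the server side initiate connections into the LAN (site-to-site
# behaviour). Replies to LAN-initiated traffic do not need it; drop this
# forwarding if the tunnel is only meant as an outbound "consumer" VPN.
config forwarding
        option src 'VPN'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'VPN'

config forwarding
        option src 'VPN'
        option dest 'wan'

# The original also forwarded wan->VPN and wan->lan, i.e. unsolicited traffic from
# the Internet into the LAN and into the tunnel; both are removed. Inbound
# services, if ever needed, belong in explicit 'redirect'/'rule' entries.
#
# With both lan->VPN and lan->wan allowed, the firewall does not decide which path
# LAN traffic takes - the routing table does. If the tunnel is down, LAN traffic
# silently falls back to plain wan (there is no kill switch in this config).
config forwarding
        option src 'lan'
        option dest 'wan'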


ip a

root@OpenWrt:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether e4:c3:2a:34:30:ad brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e6c3:2aff:fe34:30ad/64 scope link
       valid_lft forever preferred_lft forever
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
6: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether e4:c3:2a:34:30:ad brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:c3:2a:34:30:ad brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd16:8463:f762::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::e6c3:2aff:fe34:30ad/64 scope link
       valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether e4:c3:2a:34:30:ad brd ff:ff:ff:ff:ff:ff
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:c3:2a:34:30:ad brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e6c3:2aff:fe34:30ad/64 scope link
       valid_lft forever preferred_lft forever
10: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 92.255.**.** peer 172.20.63.254/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether e4:c3:2a:34:30:ac brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e6c3:2aff:fe34:30ac/64 scope link
       valid_lft forever preferred_lft forever
13: vti1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 92.255.**.** peer 3.8.**.**
    inet 192.168.1.0/32 brd 255.255.255.255 scope global vti1
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5efe:5cff:c2ea/64 scope link
       valid_lft forever preferred_lft forever

I strongly recommend using an xfrm interface on the OpenWrt side, and also using /etc/swanctl/conf.d/*.conf to configure strongSwan. Then you can handle IPsec traffic through the xfrm interface, just like any other interface.

  1. See route table on client.
  2. Check, if default route works on Windows machine, running Strongswan.

Thank you for your response!
I will read about xfrm.

and also use /etc/swanctl/conf.d/*.conf

I don't even have that folder. Besides, I'm rather new to IPsec and strongSwan, and have only begun to understand the old config files. I will read about swanctl.

Can you please tell me what exactly i was doing wrong? Tunnel is working, it seems.
I just don't know how to force traffic through the virtual tunnel interface, even with the help of LuCI.

On OpenWrt

leftsubnet=10.10.10.10/32
#leftsourceip=%config
rightsubnet=0.0.0.0/0

On the server, which conn are you using? Anyway, make sure negotiation and auth are right, and then:

leftsubnet=0.0.0.0/0
rightsubnet=10.10.10.10/32

Then on Openwrt:

# Move the tunnel address from the LAN network address to the virtual IP, so it
# matches the proposed leftsubnet=10.10.10.10/32.
ip addr del 192.168.1.0/32 dev vti1
ip addr add 10.10.10.10/32 dev vti1
# Pin the path to the VPN server on the WAN link (placeholder: substitute the
# server's public IP) so the IKE/ESP packets are not themselves sent into the
# tunnel once the routes below exist.
ip r add YOUR SERVER IP dev pppoe-wan
# Two /1 routes are more specific than the existing default route, so all other
# traffic goes through vti1 without deleting the original default.
ip r add 0.0.0.0/1 dev vti1
ip r add 128.0.0.0/1 dev vti1

I think this should work.
Also you can check strongswan wiki, there are a lot of examples.
https://docs.strongswan.org/docs/5.9/config/IKEv2Stroke.html
And mikrotik wiki is very helpful too.
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec


Thank you for your response. Will try immediately.

On Server, which conn are you using?

conn wrt # PSK For OpenWRT

When I comment out "#leftsourceip=%config" I get this error on the server.

swanvpn    | 13[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
swanvpn    | 13[IKE] configuration payload negotiation failed, no CHILD_SA built
swanvpn    | 13[IKE] failed to establish CHILD_SA, keeping IKE_SA

Connection is up, though.


root@OpenWrt:/etc/ipsec.d# ip addr del 192.168.1.0/32 dev vti1
RTNETLINK answers: Address not available
root@OpenWrt:/etc/ipsec.d# ip addr add 10.10.10.10/32 dev vti1
root@OpenWrt:/etc/ipsec.d# ip r add 3.8.*.* dev pppoe-wan
root@OpenWrt:/etc/ipsec.d# ip r add 0.0.0.0/1 dev vti1
root@OpenWrt:/etc/ipsec.d# ip r add 128.0.0.0/1 dev vti1
root@OpenWrt:/etc/ipsec.d# ipsec restart

It bricked internet connection.
VPN Interface ip is set to 10.10.10.10 in luci.

P.S.
Thanks for the links! I've used first one when i was making our fleet(~40) of VPN servers.
I think i generally understand how they work. But setting it up on OpenWRT is far from my current skills and knowledge.
But routing and firewalls...

I've made full reset just in case.

ip r add YOUR SERVER IP dev pppoe-wan

This line just breaks internet

failed to establish CHILD_SA, keeping IKE_SA

so only the control channel (IKE_SA) was established; the data channel (CHILD_SA) negotiation failed.

You're setting up route-based IPsec, so the firewall side is not complicated; it's more about routing. Maybe you need this:

https://docs.strongswan.org/docs/5.9/features/routeBasedVpn.html


Okay, thank you.
I will look into XFRM as you said previously.

Both vti and xfrm are route-based VPN solutions for IPsec; they are similar. Besides the differences described in the wiki, xfrm has been integrated into OpenWrt via luci-proto-xfrm.


Can you please explain what is wrong with my current config?
Tunnel is up, IP is assigned and i can even reach other machines in AWS subnet.

I am not insisting that my config is good, but it seems to work and i try to figure out what is wrong.

OpenWRT

# Global charon settings on the router side.
config setup
    # Don't require a fresh CRL for peer certificates; irrelevant with PSK auth.
    strictcrlpolicy=no
    # Allow several IKE_SAs with the same peer identity to coexist.
    uniqueids=never
    cachecrls=no

# Router-side tunnel to the AWS server, IKEv2 with a pre-shared key; the
# router initiates (auto=start).
conn swanvpn
  type=tunnel
  auto=start
  keyexchange=ikev2
  authby=secret
  left=92.255.**.** # Public ip
  # NOTE(review): a /32 selects the single address 192.168.1.0, not the LAN.
  # The matching 'ipsec statusall' shows this CHILD_SA INSTALLED but with
  # 0 bytes in both directions - nothing is being routed into it.
  leftsubnet=192.168.1.0/32
  # Request a virtual IP from the server's pool.
  leftsourceip=%config
  right=3.8.**.**
  # Only the AWS VPC range goes through the tunnel; not a full-tunnel setup.
  rightsubnet=172.31.0.0/20
  # SHA1 + 1024-bit MODP (DH group 2) is weak; the router's plugin list only
  # has aes/sha1/gmp, so stronger algorithms need extra packages there first.
  ike=aes256-sha1-modp1024!
  esp=aes256-sha1!
  aggressive=no
  keyingtries=%forever
  ikelifetime=28800s
  lifetime=3600s
  dpddelay=30s
  dpdtimeout=120s
  dpdaction=restart
  # XFRM marks; the vti interface must be created with ikey 32 / okey 42.
  mark_in=32
  mark_out=42

Server


# Server-side PSK profile for the OpenWrt router. With %any on both identities
# the pre-shared key alone authenticates the peer.
conn wrt-psk
  type=tunnel
  auto=add
  keyexchange=ikev2
  authby=secret
  left=%any
  leftid=%any
  # Only the VPC range is offered to the router (site-to-site, not full tunnel).
  leftsubnet=172.31.0.0/20
  right=%any
  rightid=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.0/24
  # NOTE(review): the router proposes 192.168.1.0/32, so the negotiated selector
  # is narrowed to that single address (see '172.31.0.0/20 === 192.168.1.0/32'
  # in the server's 'ipsec statusall'); the /24 here never becomes effective.
  rightsubnet=192.168.1.0/24
  # Weak proposal (SHA1, DH group 2), pinned to what the router can load.
  ike=aes256-sha1-modp1024!
  esp=aes256-sha1!
  aggressive=no
  keyingtries=%forever
  ikelifetime=28800s
  lifetime=3600s
  dpddelay=30s
  dpdtimeout=120s
  dpdaction=restart
  # Script not shown in this thread; presumably installs NAT/forwarding for the peer.
  leftupdown=/etc/ipsec.d/firewall.updown

Thank you in advance.

What's the output of ipsec statusall ?

OpenWRT

root@OpenWrt:~# ipsec statusall
no files found matching '/var/ipsec/strongswan.conf'
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.188, mips):
  uptime: 16 hours, since Jun 14 16:24:45 2022
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes sha1 random nonce x509 pubkey gmp xcbc hmac kernel-netlink socket-default stroke updown
Listening IP addresses:
  192.168.1.1
  fde4:942c:2041::1
  92.255.**.**
  192.168.1.0
Connections:
     swanvpn:  92.255.**.**...3.8.**.**  IKEv2, dpddelay=30s
     swanvpn:   local:  [92.255.**.**] uses pre-shared key authentication
     swanvpn:   remote: [3.8.**.**] uses pre-shared key authentication
     swanvpn:   child:  192.168.1.0/32 === 172.31.0.0/20 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
     swanvpn[8]: ESTABLISHED 62 minutes ago, 92.255.**.**[92.255.**.**]...3.8.**.**[3.8.**.**]
     swanvpn[8]: IKEv2 SPIs: 866cf12e585815ce_i* bab5e7fdee0e8e3a_r, pre-shared key reauthentication in 6 hours
     swanvpn[8]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     swanvpn{24}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cb4ceebe_i c453da02_o
     swanvpn{24}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 24 minutes
     swanvpn{24}:   192.168.1.0/32 === 172.31.0.0/20
root@OpenWrt:~#


Server

ubuntu@ip-172-31-5-226:~/VPN2$ docker compose exec -it swanvpn ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.6, Linux 5.13.0-1022-aws, x86_64):
  uptime: 17 hours, since Jun 14 14:59:13 2022
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aesni sha3 md4 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 chapoly xcbc cmac kdf gcm ntru drbg newhope curl files attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls dhcp counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/1/1
Listening IP addresses:
  192.168.32.3
Connections:
   ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
   ikev2-vpn:   local:  [vpn.**.com] uses public key authentication
   ikev2-vpn:    cert:  "CN=vpn.***.com"
   ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
   ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=none
     wrt-psk:  %any...%any  IKEv2, dpddelay=30s
     wrt-psk:   local:  uses pre-shared key authentication
     wrt-psk:   remote: uses pre-shared key authentication
     wrt-psk:   child:  172.31.0.0/20 === 192.168.1.0/24 TUNNEL, dpdaction=start
Security Associations (1 up, 0 connecting):
     wrt-psk[6]: ESTABLISHED 62 minutes ago, 192.168.32.3[3.8.**.**...192.168.32.1[92.255.**.**]
     wrt-psk[6]: IKEv2 SPIs: 866cf12e585815ce_i bab5e7fdee0e8e3a_r*, pre-shared key reauthentication in 6 hours
     wrt-psk[6]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     wrt-psk{27}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c453da02_i cb4ceebe_o
     wrt-psk{27}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 26 minutes
     wrt-psk{27}:   172.31.0.0/20 === 192.168.1.0/32

I can even access a webserver running in another container via server_local_ip:80

What you want is clients behind openwrt can reach to 172.31.0.0/20, right?
There are two ways to achieve this, net-net or net-host; I suggest the latter, as it's more flexible.
To set up a net-host connection, remove rightdns and rightsourceip on the server, and remove leftsourceip on OpenWrt; we only need:

on server:

leftsubnet=172.31.0.0/20
rightsubnet=10.10.10.10/32

on openwrt:

leftsubnet=10.10.10.10/32
rightsubnet=172.31.0.0/20

replace the address of the vti interface with 10.10.10.10/32, and add a static route to 172.31.0.0/20 through the vti interface.


Thank you for your reply.
Sorry if i am not being clear.

I've tried exactly the same configuration as you just said. It allowed me, as I said, to reach servers on the remote subnet, but that was not intentional. I accidentally made a site-to-site connection.

All i need is to use VPN as a consumer VPN, in other words, to access internet with server's ip.
I've made docker container with strongSwan and webserver, they are automatically deployed on auto-scaling fleet of servers, behind load-balancer attached to domain name. Everything i just said works fine.

Trouble is, Russian ISPs are starting to block IPsec traffic. During one of the blockages I conducted an experiment: I changed the ports from 4500 and 500 to different ones, and it worked. While all major VPN providers (and ours) failed, changing ports somehow helped.

I've written a Windows Forms app that manages certificates, creates the VPN connection and split-tunnels selected traffic. Problem is: THERE IS NO WAY to change the ports on Windows. Such an option is nonexistent. The creator of strongSwan confirmed that to me.

So the only option I saw is an intermediate machine, running a *nix system, where I can change those ports. And I stumbled upon OpenWrt. I need to route all LAN (cable and wifi) clients connected to the router through the VPN tunnel... and do that on ~160 routers...

Iron curtain is closing fast. I am using our VPN to access this forum, because its also restricted.

BTW, I am using strongswan-default, not strongswan-full, and ip-tiny due to 1900kB of total available space and no USB port for extroot. Could that be an issue somehow?

Is wireguard blocked? If not, it's a very good replacement, it's fast, it can be set up easily on openwrt, also supported on many major platforms.

Also, there is a luci app luci-app-vpn-policy-routing to configure traffic rules.

As to IPsec, just replace 172.31.0.0/20 with 0.0.0.0/0, and then you can add a static route through the vti interface, or do some policy-based routing. Traffic from the LAN would be NATed, encrypted, and then sent to the server.


Thank you for your time.
I've actually stumbled upon this extension before... Will try.

I am actually looking towards other solutions like Wireguard or OpenVPN.
But I've already spent a lot of time on our swan infrastructure...
I just cant abandon it like that...

I've also found a possible error. strongswan-minimal really does lack some plugins i actually needed.

I've tried multiple solutions and configs i found on the internet but still got nothing.
I can't install luci app due to size limitations.

I am completely clueless.
Is there a way to check tunnel integrity besides ipsec statusall?

/etc/ipsec.conf of OpenWRT

# Global charon settings on the router side.
config setup
    # Don't require a fresh CRL for peer certificates; irrelevant with PSK auth.
    strictcrlpolicy=no
    # Allow several IKE_SAs with the same peer identity to coexist.
    uniqueids=never
    cachecrls=no

# Router-side full-tunnel attempt: the router now sits behind another NAT
# (left is a private 192.168.0.x address) and offers a single static tunnel
# address instead of requesting a virtual IP.
conn swanvpn
  type=tunnel
  auto=start
  keyexchange=ikev2
  authby=secret
  left=192.168.0.137
  # Static tunnel address; must be the address configured on vti1 and must equal
  # the server's rightsubnet.
  leftsubnet=10.10.10.10/32
  right=3.8.**.**
  # Everything is sent through the tunnel (consumer-VPN style).
  rightsubnet=0.0.0.0/0
  # NOTE(review): the matching 'ipsec statusall' lists only the IKE_SA - there is
  # no INSTALLED CHILD_SA line - so this policy never became active, which also
  # explains the TX errors on vti1.
  # SHA1 + 1024-bit MODP (DH group 2) is weak; pinned to the router's plugin set.
  ike=aes256-sha1-modp1024!
  esp=aes256-sha1!
  aggressive=no
  keyingtries=%forever
  ikelifetime=28800s
  lifetime=3600s
  dpddelay=30s
  dpdtimeout=120s
  dpdaction=restart
  # XFRM marks; the vti is created with ikey 32 / okey 42 to match.
  mark_in=32
  mark_out=42

/etc/ipsec.conf on Server

# Server-side PSK profile for the OpenWrt router, full-tunnel variant. With
# %any on both identities the pre-shared key alone authenticates the peer, so
# the secret in ipsec.secrets should be bound to the router's identity.
conn wrt-psk
  type=tunnel
  auto=add
  keyexchange=ikev2
  authby=secret
  left=%any
  leftid=%any
  # Offer everything: the server becomes the router's default gateway.
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightdns=8.8.8.8,8.8.4.4
  # No virtual-IP pool: the router uses a static tunnel address instead.
  #rightsourceip=10.10.11.0/24 
  # Must equal the router's leftsubnet.
  rightsubnet=10.10.10.10/32
  # Weak proposal (SHA1, DH group 2), pinned to what the router can load.
  ike=aes256-sha1-modp1024!
  esp=aes256-sha1!
  aggressive=no
  keyingtries=%forever
  ikelifetime=28800s
  lifetime=3600s
  dpddelay=30s
  dpdtimeout=120s
  dpdaction=restart
  # Script not shown in this thread; presumably it adds the NAT rule that lets a
  # /32 behind 0.0.0.0/0 reach the Internet - TODO confirm it handles this peer.
  leftupdown=/etc/ipsec.d/firewall.updown

setting vti:

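# Route-based IPsec: create the VTI whose ikey/okey match mark_in=32 / mark_out=42
# in ipsec.conf, so packets matched by the XFRM policy are steered through vti1.
ip tunnel add vti1 mode vti local 192.168.0.137 remote 3.8.**.** ikey 32 okey 42
ip link set vti1 up
# disable_policy=1: skip the IPsec policy (SPD) check on packets arriving on the
# VTI itself; encapsulation/decapsulation already happened on the underlay.
sysctl -w net.ipv4.conf.vti1.disable_policy=1
# rp_filter=0: reverse-path filtering would otherwise drop tunnel traffic whose
# source does not route back through vti1. This also removes source-spoofing
# protection on this one interface, so keep it scoped to vti1 and do not relax
# net.ipv4.conf.all.rp_filter for it.
sysctl -w net.ipv4.conf.vti1.rp_filter=0
# (the original issued 'ip link set vti1 up' a second time here; once is enough)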

ip a

10: vti1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 192.168.0.137 peer 3.8.**.**
    inet 10.10.10.10/32 brd 255.255.255.255 scope global vti1
       valid_lft forever preferred_lft forever
    inet6 fe80::5efe:c0a8:89/64 scope link
       valid_lft forever preferred_lft forever

ipsec

ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.188, mips):
  uptime: 64 seconds, since Jun 17 14:27:16 2022
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes sha1 random nonce x509 pubkey gmp xcbc hmac kernel-netlink socket-default stroke updown
Listening IP addresses:
  192.168.1.1
  fd07:441d:f0d8::1
  192.168.0.137
  10.10.10.10
Connections:
     swanvpn:  192.168.0.137...3.8.**.**  IKEv2, dpddelay=30s
     swanvpn:   local:  [192.168.0.137] uses pre-shared key authentication
     swanvpn:   remote: [3.8.**.**] uses pre-shared key authentication
     swanvpn:   child:  10.10.10.10/32 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
     swanvpn[1]: ESTABLISHED 58 seconds ago, 192.168.0.137[192.168.0.137]...3.8.**.**[3.8.**.**]
     swanvpn[1]: IKEv2 SPIs: e43a8305069ca735_i* fb366d1a4c29f7ec_r, pre-shared key reauthentication in 7 hours
     swanvpn[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024


Interface

Firewall

Route(disabled for now)

ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            0      0        0        0
vti1: ip/ip remote 3.8.**.** local 192.168.0.137 ttl inherit ikey 32 okey 42
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            41     32       9        0