I do not understand why the VPN will not work. I see that it fails IKE phase 1 because of the hash, but everything looks good.

    access-list outside_cryptomap extended permit ip object ASA object Router
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer .73
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    nat (inside,outside) source static ASA ASA destination static Router Router no-proxy-arp route-lookup
    tunnel-group .73 general-attributes
     default-group-policy GroupPolicy_.73
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****

    crypto isakmp key ****** address .11
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set IKE2 esp-aes 256 esp-sha-hmac

    *Oct 3 17:52:53.617: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Oct 3 17:52:53.617: ISAKMP: Locking peer struct 0x8480B114, refcount 1 for isakmp_initiator
    *Oct 3 17:52:53.617: ISAKMP: Created a peer struct for .2, peer port 500


To explain a little further: PCC just takes, say, the source address of the packet, hashes it, divides the hash by some number, and if the remainder is equal to some other number, it makes a rule match. I'm actually using this to mostly randomly divide my network into several almost-equally-big groups. More specifically, six such groups would look like this:

    Group 1: pcc_hash(source IP) % 6 = 0

The groups are then given some kind of common resource to share (say, bandwidth, or public IP address) that they don't like to change very often (esp.

My question is whether there is some good method to divide the network into any number of stochastically-equal subnets using some similar, preferably easy iptables rules. I've succeeded in splitting the network into powers of two using u32 (2^n networks just by matching the last n bits of the source IP address). But some randomness would be great too, and having a network split into anything like exact thirds is impossible to do with this. Moreover, MikroTiks are essentially Linux-based, so there has to be a way to do that :D Is someone here aware of a good method, or at least of some good u32 documentation that would make this possible?

As an alternative to using netfilter's u32 module, which, as you've found, is pretty much undocumented, you could use the nfnetlink_queue subsystem of netfilter. The idea is that you send packets through a userspace process (most likely a daemon) that examines the packets, MARKs them as it sees fit, and then returns them to netfilter for further processing.

The mechanics of this are relatively straightforward. The iptables QUEUE and NFQUEUE targets put selected packets on a queue, and a userspace process takes the packets from there via the nfnetlink_queue API (documentation here). As each packet returns to netfilter from userspace, the MARK set by the process can be used to direct packets through further processing (by, say, iptables or tc).

Caveat: I have never actually implemented a solution using netlink's queue module, so I have no first-hand experience regarding its potential robustness, security, or performance. Obviously, a userspace daemon through which network packets flow would need to be developed with a fair amount of care.
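The following is an added example, not code posted by either participant in the iptables thread above. It puts the two approaches side by side: the power-of-two split the asker already has (a u32 expression on the last n bits of the source address, with a small evaluator showing what "12&MASK=VALUE" tests), and the hash-mod-N classification the answer proposes to do in userspace behind NFQUEUE, where the daemon reads the source address at offset 12 of the raw IPv4 packet and sets a MARK of 1..N. The hash is an assumption (SHA-256 truncated to 32 bits; the thread does not say what MikroTik's PCC hash is), the sample packet is constructed, and the `run_queue_daemon` hookup assumes the python NetfilterQueue package and needs root and an NFQUEUE rule, so it is never called when the module is run offline.

```python
import hashlib
import ipaddress
import re
import struct

# Byte offset of the source address in an IPv4 header. The iptables u32 match
# evaluates "START&MASK=VALUE" by reading 4 bytes big-endian at START, so
# "12&MASK=VALUE" tests bits of the source address.
SRC_ADDR_OFFSET = 12


def u32_src_rule(n_bits, group):
    """u32 expression matching packets whose last n_bits of source IP == group.

    This is the power-of-two split from the question: 2**n_bits groups.
    """
    if not 0 <= group < (1 << n_bits):
        raise ValueError("group out of range for n_bits")
    mask = (1 << n_bits) - 1
    return "%d&0x%08X=0x%08X" % (SRC_ADDR_OFFSET, mask, group)


_U32_RE = re.compile(r"^(\d+)&0x([0-9A-Fa-f]{1,8})=0x([0-9A-Fa-f]{1,8})$")


def u32_matches(raw_ipv4, expr):
    """Evaluate one START&MASK=VALUE u32 expression against raw packet bytes
    (only this form; the real u32 language also has shifts and @ jumps)."""
    m = _U32_RE.match(expr)
    if not m:
        raise ValueError("unsupported u32 expression: %r" % expr)
    start, mask, value = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    if len(raw_ipv4) < start + 4:
        return False  # u32 does not match packets too short to read the word
    word = struct.unpack_from("!I", raw_ipv4, start)[0]
    return (word & mask) == value


def pcc_group(src_ip, n_groups):
    """Hash the source address and reduce it modulo n_groups (0..n_groups-1).

    Assumption: SHA-256 truncated to 32 bits stands in for MikroTik's PCC hash,
    which the thread does not specify; any stable, well-mixed hash will do.
    """
    packed = ipaddress.IPv4Address(src_ip).packed
    h = int.from_bytes(hashlib.sha256(packed).digest()[:4], "big")
    return h % n_groups


def group_counts(network, n_groups):
    """How evenly pcc_group() spreads every host of `network` over the groups."""
    counts = [0] * n_groups
    for host in ipaddress.IPv4Network(network):
        counts[pcc_group(str(host), n_groups)] += 1
    return counts


def mark_for_packet(raw_ipv4, n_groups):
    """Per-packet work of the NFQUEUE daemon: pull the source address out of the
    raw IPv4 header and turn it into a MARK in 1..n_groups (0 = unmarked, used
    for anything that is not a complete IPv4 header)."""
    if len(raw_ipv4) < 20 or raw_ipv4[0] >> 4 != 4:
        return 0
    src = raw_ipv4[SRC_ADDR_OFFSET:SRC_ADDR_OFFSET + 4]
    return pcc_group(src, n_groups) + 1


def run_queue_daemon(queue_num, n_groups):
    """Bind to an NFQUEUE, mark each packet and hand it back to netfilter.

    Needs root, the nfnetlink_queue module and the python NetfilterQueue package
    (assumed API: NetfilterQueue().bind/run, Packet.get_payload/set_mark/accept),
    plus a rule that diverts traffic, e.g.
        iptables -t mangle -A PREROUTING -i eth1 -j NFQUEUE --queue-num 1
    Later rules or tc filters then select on the mark (-m mark --mark N).
    """
    from netfilterqueue import NetfilterQueue  # imported lazily: not needed offline

    def handle(pkt):
        pkt.set_mark(mark_for_packet(pkt.get_payload(), n_groups))
        pkt.accept()

    nfq = NetfilterQueue()
    nfq.bind(queue_num, handle)
    try:
        nfq.run()
    finally:
        nfq.unbind()


# Constructed sample: a 20-byte IPv4 header (checksum left zero) from 192.0.2.10.
SAMPLE_IPV4 = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
    ipaddress.IPv4Address("192.0.2.10").packed,
    ipaddress.IPv4Address("198.51.100.1").packed,
)

if __name__ == "__main__":
    # Power-of-two split: four groups on the last two bits of the source address.
    for g in range(4):
        print('iptables -t mangle -A PREROUTING -m u32 --u32 "%s" -j MARK --set-mark %d'
              % (u32_src_rule(2, g), g + 1))
    print("hash-mod-6 split of 10.0.0.0/16:", group_counts("10.0.0.0/16", 6))
    print("mark for sample packet:", mark_for_packet(SAMPLE_IPV4, 6))
```

The u32 rule can only ever carve the address space along bit boundaries, which is why thirds are out of reach; the hash-mod-N path gives any N, with `group_counts()` showing the split is close to even rather than exact. Because the daemon sees every diverted packet, it should validate what it reads (hence the version and length checks before touching offset 12) and leave the mark at 0 for anything unexpected, in line with the caveat in the answer.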