IPSEC configuration

This post contains short notes about IPSEC configuration and validation on a Cisco router.

Summary table

The following table summarizes which options must be configured for IKEv1 phase 1 [ISAKMP] and phase 2 [IPSEC] tunnel.

[Image: ipsec-conf-table1]

IKEv1 phase 1 (ISAKMP) – configuration

The following commands should be executed in configuration mode. They configure an ISAKMP policy with priority 100 (the lower the better), which is sent as the proposal to the peer. All parameters must match except lifetime.

You can define many policies with different priorities. However, these policies are not bound to any tunnel yet; you bind them in the next step (where the tunnel crypto-map is defined). Basically, all the policies are sent to the peer, which tries to match one of them with its own policy; the decision about which policy is used is made by the responding (not the initiating) peer.

Note that if you don't specify all the parameters, the default values are used (default values are not shown in the running config).

Router(config)#crypto isakmp policy 100
Router(config-isakmp)# encr aes
Router(config-isakmp)# hash sha256
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 5
Router(config-isakmp)# lifetime 86400

Configure the shared secret key for each peer which uses PSK as its authentication method.

Router(config)#crypto isakmp key SecretP@ssw0rd address 192.168.1.2  // secret key used for building tunnel with 192.168.1.2

// You can use either the peer IP address or the hostname, but you must be consistent between peers.
// In order to use the hostname you must also issue the following command
Router(config)#crypto isakmp identity hostname

IKEv1 phase 1 – verification

Use the following commands to verify ISAKMP policy configuration.

Router1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 100
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard 2 (256 bit)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit


// verify the same but looking up into run-config (default values are not visible)
Router1#show run | section crypto isakmp policy 
(...)

Verify shared keys (if PSK authentication option is used for ISAKMP)

Router1#sh run | section crypto isakmp key
crypto isakmp key SecretP@ssw0rd address 192.168.1.2  // secret key used for building tunnel with 192.168.1.2
crypto isakmp key MySecretP@ssw0rd address 192.168.1.3 // secret key used for building tunnel with 192.168.1.3
(...)

Verify ISAKMP SA operational status

// show all ISAKMP SAs on router (SA will be initiated as soon as any traffic is generated)
// QM_IDLE means that the SA is operational. "ACTIVE" (status column) doesn't say anything about tunnel status
// (it indicates role for VPN high-availability cluster)
Router1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.4.2     192.168.3.2     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

// All the possible states for isakmp SA:
//
// MM_NO_STATE - The Phase 1 SA has been created, but nothing else has happened.
// MM_SA_SETUP - The peers have agreed on parameters for the Phase 1 SA.
// MM_KEY_EXCH - DH negotiation is successful, but the Phase 1 SA remains unauthenticated.
// MM_KEY_AUTH - The Phase 1 SA has been authenticated.
// QM_IDLE - The Phase 1 SA is idle, in a quiescent state.
// 
 
// show detail of the ISAKMP SAs
Router1#show crypto isakmp sa detail 
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1001  192.168.3.2     192.168.4.2            ACTIVE aes  sha256 psk  5  11:54:20     
       Engine-id:Conn-id =  SW:1


IKEv1 phase 2 – configuration

The following commands should be executed in configuration mode. Follow these steps:

  1. define which traffic to protect – ACL
  2. define how to protect the traffic – create a transform set, which defines how a clear message is transformed for the tunnel; it defines the encryption and integrity algorithms for data SAs and also points out that the ISAKMP policies (defined earlier) should be used in IKEv1 phase 1
  3. create crypto-map to bind all the previous configuration together; set the peer IP address
  4. apply crypto-map to the interface

// Which traffic to put into the tunnel
Router(config)# ip access-list extended 2ABC-ACL
Router(config-ext-nacl)# 10 permit ip 10.10.10.0 0.255.255.255 172.16.110.0 0.0.0.255
 
// How to protect traffic (IPSEC SAs)
Router(config)# crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac // Use ESP with AES and SHA-hmac for data SAs
 mode tunnel // use tunnel mode (not transport)
 
// bind all together
Router(config)# crypto map ABC-CM 10 ipsec-isakmp // define crypto map [entry number 10]; use isakmp policies defined earlier (for IKEv1 phase 1 process)
Router(config-crypto-map)# description Tunnel to ABC
Router(config-crypto-map)# set transform-set ESP-AES-SHA // how to protect traffic (data SAs); you can apply a few transform sets (a match must be found between peers)
Router(config-crypto-map)# match address 2ABC-ACL // which traffic to protect
Router(config-crypto-map)# set peer 52.13.21.5 // set peer IP (where to send traffic); you can define multiple peers for redundancy
Router(config-crypto-map)# set security-association lifetime seconds 3600 // lifetime for IPSEC SA


// apply the configuration to the interface
interface gigabitethernet 0/0
  crypto map ABC-CM

The VPN peer should apply the mirrored ACL, have at least one transform-set in common and identify the other peer [IP].
You can apply only one crypto-map to an interface; however, one crypto-map can have multiple entries (for different tunnels).
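The mirrored-ACL requirement can be checked offline before the tunnel is brought up. The following Python sketch is an added example, not part of the original post: it converts the wildcard masks of two crypto ACLs to networks and reports entries that have no swapped counterpart on the other side. The local entry is the one configured above; the peer ACLs and all function names are constructed for illustration.

```python
import ipaddress
import re

# "permit ip <src> <src-wildcard> <dst> <dst-wildcard>" with optional sequence
# number; the "any" and "host" forms are not handled in this sketch.
ACE_RE = re.compile(r"^\s*(?:\d+\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Local crypto ACL entry exactly as configured on this page.
LOCAL_ACL = "10 permit ip 10.10.10.0 0.255.255.255 172.16.110.0 0.0.0.255"
# Constructed peer ACLs (assumptions, not from the page).
PEER_ACL_GOOD = "10 permit ip 172.16.110.0 0.0.0.255 10.0.0.0 0.255.255.255"
PEER_ACL_BAD = "10 permit ip 172.16.110.0 0.0.0.255 10.10.10.0 0.0.0.255"


def wildcard_to_network(addr, wildcard):
    """Turn an address and a contiguous Cisco wildcard mask into an ip_network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard is 0..01..1, so wc+1 shares no bits
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    netmask = ipaddress.IPv4Address(wc ^ 0xFFFFFFFF)
    # strict=False drops host bits, e.g. 10.10.10.0 0.255.255.255 -> 10.0.0.0/8
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_crypto_acl(text):
    """Return one (source, destination) pair of network strings per permit entry."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            entries.append((str(wildcard_to_network(src, src_wc)),
                            str(wildcard_to_network(dst, dst_wc))))
    return entries


def mirror_mismatches(local_acl, peer_acl):
    """Compare the peer ACL with the swapped (dst, src) form of the local ACL."""
    wanted = {(dst, src) for src, dst in parse_crypto_acl(local_acl)}
    peer = set(parse_crypto_acl(peer_acl))
    return {"missing_on_peer": sorted(wanted - peer),
            "extra_on_peer": sorted(peer - wanted)}


def expected_esp_sa_count(acl):
    """One inbound plus one outbound ESP SA per crypto ACL entry."""
    return 2 * len(parse_crypto_acl(acl))


if __name__ == "__main__":
    print(mirror_mismatches(LOCAL_ACL, PEER_ACL_BAD))
    print(mirror_mismatches(LOCAL_ACL, PEER_ACL_GOOD))
    print(expected_esp_sa_count(LOCAL_ACL))
```

With the local entry above, the wildcard 0.255.255.255 makes the source 10.0.0.0/8, so a peer ACL written for 10.10.10.0/24 is reported as a mismatch.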

IKEv1 phase 2 – verification

Use the following commands to verify IPSEC configuration.

Router1#show crypto map 
Crypto Map IPv4 "VPNCRYPTOMAP " 10 ipsec-isakmp
Description: Tunnel 1
Peer = 192.168.1.2
Extended IP access list TUNNEL_1_ACL
    access-list TUNNEL_1_ACL permit ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
Current peer: 192.168.1.2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={ 
ESP-AES-SHA:  { esp-aes esp-sha-hmac  } , 
}
(...)

// Verify the same but looking up into run-config (default values are not shown)

sh run | section crypto map // note that there is one crypto map which contains three entries (for three different tunnels) - only one crypto-map can be applied to the interface
crypto map VPNCRYPTOMAP 10 ipsec-isakmp 
 description Tunnel 1
 set peer 192.168.1.2
 set transform-set ESP-AES-SHA 
 match address TUNNEL_1_ACL
crypto map VPNCRYPTOMAP 20 ipsec-isakmp 
 description Tunnel 2
 set peer 192.168.2.2
 set transform-set ESP-AES-SHA 
 match address TUNNEL_2_ACL
crypto map VPNCRYPTOMAP 30 ipsec-isakmp 
 description Tunnel 3
 set peer 192.168.3.2
 set transform-set ESP-AES-SHA 
 match address TUNNEL_3_ACL

show run | section crypto ipsec // see defined transform-sets (they are applied to the crypto-map)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac 
 mode tunnel

show crypto ipsec transform-set // shows all defined transform sets
(...)

Verify IPSEC SAs operational status

Router1#show crypto ipsec sa peer 192.168.4.2

interface: GigabitEthernet0/2
    Crypto map tag: VPNMAP, local addr 192.168.3.2
	
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.4.0/255.255.255.0/0/0)
   current_peer 192.168.4.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 // packets sent via tunnel
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2 // packets received via tunnel
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.3.2, remote crypto endpt.: 192.168.4.2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
     current outbound spi: 0x73661469(1936069737)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x6000843E(1610646590)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: VPNMAP
        sa timing: remaining key lifetime (k/sec): (4258270/3516)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x73661469(1936069737)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: VPNMAP
        sa timing: remaining key lifetime (k/sec): (4258269/3516)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
(...)

//
// NOTE that there are two esp SAs - one for inbound and one for outbound traffic.
// There is one esp SA pair (in/out) created per line of the Crypto ACL - if your ACL
// (which matches "interesting traffic") has three entries then you will see six esp SAs.
//
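The counters and SA pairs in this output lend themselves to an automated health check. The following Python sketch is an added example, not part of the original post: it parses output in the format shown above into one record per protected flow and flags flows where traffic moves in only one direction or where the inbound/outbound ESP SA pair is incomplete. The first flow in the sample reuses the values from this page; the second flow and all function names are constructed.

```python
import re

# Constructed sample in the "show crypto ipsec sa" format shown above. The first
# flow reuses the values from this page; the second flow is invented.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.4.0/255.255.255.0/0/0)
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
     current outbound spi: 0x73661469(1936069737)
     inbound esp sas:
      spi: 0x6000843E(1610646590)
     outbound esp sas:
      spi: 0x73661469(1936069737)
   local  ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.5.0/255.255.255.0/0/0)
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest: 37
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0x5E6F7081(1584361601)
"""

IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident .*?:\s*\(([\d.]+)/([\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
SECTION_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Return one dict per local/remote ident pair found in the output."""
    flows, flow, section = [], None, None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":  # a "local ident" line starts a new flow
                flow = {"local": None, "remote": None, "encaps": 0, "decaps": 0,
                        "inbound_esp": [], "outbound_esp": []}
                flows.append(flow)
                section = None
            if flow is not None:
                flow[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        if flow is None:
            continue
        for name, value in COUNTER_RE.findall(line):
            flow[name] = int(value)
        m = SECTION_RE.match(line)
        if m:
            section = f"{m.group(1)}_{m.group(2)}"
            continue
        m = SPI_RE.match(line)  # "current outbound spi:" does not match here
        if m and section in ("inbound_esp", "outbound_esp"):
            flow[section].append(m.group(1))
    return flows


def findings(flow):
    """Return human-readable problems for one flow; an empty list means healthy."""
    out = []
    if (flow["encaps"] == 0) != (flow["decaps"] == 0):
        out.append(f"one-way traffic: encaps={flow['encaps']} decaps={flow['decaps']}")
    if len(flow["inbound_esp"]) != 1 or len(flow["outbound_esp"]) != 1:
        out.append("incomplete ESP SA pair")
    return out
```

A one-way flow means packets are protected in one direction but nothing valid comes back, so the routing, NAT and firewall settings for the return direction are the first things to check.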

Resetting tunnel

The following snippet shows how to get the connection [tunnel] ID and reset it.

//
// Reset ISAKMP SA
//

// Get connection ID 
Site3-Rtr#show crypto isakmp sa   
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.4.2     192.168.3.2     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

// Reset tunnel
Site3-Rtr#clear crypto isakmp 1001

// Verify tunnel is deleted (any traffic is needed to associate again)
Site3-Rtr#show crypto isakmp sa   
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.4.2     192.168.3.2     MM_NO_STATE       1001 ACTIVE (deleted)

//
// Reset IPSEC SAs
//

// Verify IPSEC SAs for specific peer
Router1#show crypto ipsec sa peer 192.168.4.2

interface: GigabitEthernet0/2
    Crypto map tag: VPNMAP, local addr 192.168.3.2

    (...)

     inbound esp sas:
      spi: 0x6000843E(1610646590)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: VPNMAP
        sa timing: remaining key lifetime (k/sec): (4258270/1173)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

	(...)

     outbound esp sas:
      spi: 0x73661469(1936069737)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: VPNMAP
        sa timing: remaining key lifetime (k/sec): (4258269/1173)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
// Clear IPSEC SAs
Router1#clear crypto sa peer 192.168.4.2

// Verify IPSEC SAs
Router1#show crypto ipsec sa peer 192.168.4.2

interface: GigabitEthernet0/2
    Crypto map tag: VPNMAP, local addr 192.168.3.2

    (...)

     inbound esp sas:
          
     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

Routing configuration

Routing must also be properly configured to route the “interesting traffic” into the tunnel. To accomplish that, you must route the interesting traffic to the interface where the crypto-map is applied. For example:

// ACL (applied later to the crypto-map)
ip access-list extended 2ABC-ACL
 10 permit ip 10.10.10.0 0.255.255.255 172.16.110.0 0.0.0.255

// crypto map applied to the interface
interface gigabitethernet 0/0
  crypto map ABC-CM

// route the interesting traffic via the interface with crypto-map applied
ip route 172.16.110.0 255.255.255.0 gigabitethernet 0/0 172.16.110.2

NAT configuration

You also have to configure NAT properly if an IPSEC tunnel is enabled.

  1. if you use a Cisco router configured with PAT, then configure your “PAT ACL” to exclude IPSEC traffic
  2. if you use a Cisco ASA, then you can create Identity NAT before PAT (it translates the real IP address to the same IP address) – this ACL effectively means that PAT is not used (because PAT is applied later)

Firewall configuration

You must also configure the firewall (or router) to allow IPSEC protocol traffic. The following snippet shows an ACL applied to the router which allows IPSEC traffic.

Router# show running-config
!
interface Serial0/2
 ip address 150.1.1.2 255.255.255.0
 ip access-group 102 in
!
access-list 102 permit ahp host 140.1.1.2 host 150.1.1.2
access-list 102 permit esp host 140.1.1.2 host 150.1.1.2
access-list 102 permit udp host 140.1.1.2 host 150.1.1.2 eq isakmp // UDP 500 [for isakmp]
access-list 102 permit udp host 140.1.1.2 host 150.1.1.2 eq non500-isakmp // UDP 4500 [for NAT-t]

Both the ESP and AH protocols are enabled. UDP ports 500 and 4500 are also opened to allow IPSEC to work with PAT devices. The NAT-T feature is a commonly implemented extension to IKE and has been incorporated into IKEv2. ESP does not use the concept of ports (like UDP or TCP), so PAT devices cannot work with IPSEC. NAT-T simply encapsulates IPSEC within a UDP packet.

Debugging

The following example shows the debug messages generated during ISAKMP and IPSEC tunnel creation.

Router1#debug crypto isakmp
Router1#debug crypto ipsec

//
// NOTE
// IKE_I_MM1 - means - IKEv1 MainMode phase 1
//

// Request to the peer - let's start the tunnel
*Sep  4 17:46:46.657: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.3.2:500, remote= 192.168.4.2:500,
    local_proxy= 10.10.3.0/255.255.255.0/256/0,
    remote_proxy= 10.10.4.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
(...)

// Start ISAKMP policy negotiations
*Sep  4 17:46:46.658: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 
*Sep  4 17:46:46.658: ISAKMP:(0): beginning Main Mode exchange
*Sep  4 17:46:46.658: ISAKMP:(0): sending packet to 192.168.4.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep  4 17:46:46.658: ISAKMP:(0):Sending an IKE IPv4 Packet.

// The router got reply from the peer (the peer accepted policy)
*Sep  4 17:46:46.694: ISAKMP (0): received packet from 192.168.4.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep  4 17:46:46.694: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep  4 17:46:46.694: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 
*Sep  4 17:46:46.694: ISAKMP:(0): processing SA payload. message ID = 0
*Sep  4 17:46:46.694: ISAKMP:(0): processing vendor id payload
*Sep  4 17:46:46.694: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep  4 17:46:46.694: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep  4 17:46:46.694: ISAKMP:(0):found peer pre-shared key matching 192.168.4.2
*Sep  4 17:46:46.694: ISAKMP:(0): local preshared key found
*Sep  4 17:46:46.694: ISAKMP : Scanning profiles for xauth ...
*Sep  4 17:46:46.694: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Sep  4 17:46:46.694: ISAKMP:      encryption AES-CBC
*Sep  4 17:46:46.694: ISAKMP:      keylength of 256
*Sep  4 17:46:46.694: ISAKMP:      hash SHA256
*Sep  4 17:46:46.694: ISAKMP:      default group 5
*Sep  4 17:46:46.694: ISAKMP:      auth pre-share
*Sep  4 17:46:46.694: ISAKMP:      life type in seconds
*Sep  4 17:46:46.694: ISAKMP:      life duration (basic) of 43200
*Sep  4 17:46:46.694: ISAKMP:(0):Hash algorithm offered does not match policy!
*Sep  4 17:46:46.694: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Sep  4 17:46:46.694: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*Sep  4 17:46:46.694: ISAKMP:      encryption AES-CBC
*Sep  4 17:46:46.694: ISAKMP:      keylength of 256
*Sep  4 17:46:46.694: ISAKMP:      hash SHA256
*Sep  4 17:46:46.694: ISAKMP:      default group 5
*Sep  4 17:46:46.694: ISAKMP:      auth pre-share
*Sep  4 17:46:46.694: ISAKMP:      life type in seconds
*Sep  4 17:46:46.694: ISAKMP:      life duration (basic) of 43200
*Sep  4 17:46:46.694: ISAKMP:(0):atts are acceptable. Next payload is 0
*Sep  4 17:46:46.694: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep  4 17:46:46.694: ISAKMP:(0):Acceptable atts:life: 0
*Sep  4 17:46:46.694: ISAKMP:(0):Basic life_in_seconds:43200
*Sep  4 17:46:46.694: ISAKMP:(0):Returning Actual lifetime: 43200
*Sep  4 17:46:46.694: ISAKMP:(0)::Started lifetime timer: 43200.
*Sep  4 17:46:46.694: ISAKMP:(0): processing vendor id payload
*Sep  4 17:46:46.694: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep  4 17:46:46.694: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep  4 17:46:46.694: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep  4 17:46:46.694: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 

// Step 3 and 4 - DH algorithm
*Sep  4 17:46:46.695: ISAKMP:(0): sending packet to 192.168.4.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep  4 17:46:46.695: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep  4 17:46:46.695: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep  4 17:46:46.695: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 
(...)
*Sep  4 17:46:46.729: ISAKMP (1001): His hash no match - this node outside NAT
*Sep  4 17:46:46.729: ISAKMP:received payload type 20
*Sep  4 17:46:46.729: ISAKMP (1001): No NAT Found for self or peer
*Sep  4 17:46:46.729: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep  4 17:46:46.729: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4 

// Step 5 and 6 - authentication
*Sep  4 17:46:46.729: ISAKMP:(1001):Send initial contact
*Sep  4 17:46:46.729: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Sep  4 17:46:46.729: ISAKMP (1001): ID payload 
next-payload : 8
type         : 1 
address      : 192.168.3.2 
protocol     : 17 
port         : 500 
length       : 12
(...)
*Sep  4 17:46:46.762: ISAKMP: Trying to insert a peer 192.168.3.2/192.168.4.2/500/,  and inserted successfully DA67490.
*Sep  4 17:46:46.762: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep  4 17:46:46.762: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6 
*Sep  4 17:46:46.762: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep  4 17:46:46.762: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6 
*Sep  4 17:46:46.762: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

// IKE phase 1 completes
*Sep  4 17:46:46.762: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 
(...)

// Perform a phase 2 negotiation of an IPsec SA.
*Sep  4 17:46:46.786: ISAKMP (1001): received packet from 192.168.4.2 dport 500 sport 500 Global (I) QM_IDLE      
*Sep  4 17:46:46.786: ISAKMP:(1001): processing HASH payload. message ID = 3949697178
*Sep  4 17:46:46.786: ISAKMP:(1001): processing SA payload. message ID = 3949697178
*Sep  4 17:46:46.786: ISAKMP:(1001):Checking IPSec proposal 1
*Sep  4 17:46:46.786: ISAKMP: transform 1, ESP_AES 
*Sep  4 17:46:46.786: ISAKMP:   attributes in transform:
*Sep  4 17:46:46.786: ISAKMP:      encaps is 1 (Tunnel)
*Sep  4 17:46:46.786: ISAKMP:      SA life type in seconds
*Sep  4 17:46:46.786: ISAKMP:      SA life duration (basic) of 3600
*Sep  4 17:46:46.786: ISAKMP:      SA life type in kilobytes
*Sep  4 17:46:46.786: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
*Sep  4 17:46:46.786: ISAKMP:      authenticator is HMAC-SHA
*Sep  4 17:46:46.786: ISAKMP:      key length is 128

// ISAKMP finished its job
*Sep  4 17:46:46.786: ISAKMP:(1001):atts are acceptable.


(...)
*Sep  4 17:46:46.786: IPSEC(crypto_ipsec_create_ipsec_sas): Map found VPNMAP, 10
*Sep  4 17:46:46.786: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 192.168.4.2

// first IPSEC SA created (inbound)
*Sep  4 17:46:46.786: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.3.2, sa_proto= 50, 
    sa_spi= 0x44CD9DF4(1154326004), 
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 1
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 192.168.3.2:0, remote= 192.168.4.2:0,
    local_proxy= 10.10.3.0/255.255.255.0/256/0,
    remote_proxy= 10.10.4.0/255.255.255.0/256/0
	
// second IPSEC SA created (outbound)
*Sep  4 17:46:46.786: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.4.2, sa_proto= 50, 
    sa_spi= 0x7A96C18C(2056700300), 
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 192.168.3.2:0, remote= 192.168.4.2:0,
    local_proxy= 10.10.3.0/255.255.255.0/256/0,
    remote_proxy= 10.10.4.0/255.255.255.0/256/0
	
(...)
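The phase 1 policy matching described in the configuration section ("All parameters must match except lifetime") is visible in this debug output as a series of transform-versus-policy checks. The following Python sketch is an added example, not part of the original post: it reads "debug crypto isakmp" lines in the format shown above and reconstructs the Main Mode state sequence and the result of each policy check, including the reason for a rejection. The function names are constructed for illustration.

```python
import re

# Lines copied from the debug output on this page, reduced to the ones this
# parser reads (the page itself elides some transitions with "(...)").
DEBUG_LOG = """\
*Sep  4 17:46:46.658: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Sep  4 17:46:46.694: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Sep  4 17:46:46.694: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Sep  4 17:46:46.694: ISAKMP:      hash SHA256
*Sep  4 17:46:46.694: ISAKMP:(0):Hash algorithm offered does not match policy!
*Sep  4 17:46:46.694: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Sep  4 17:46:46.694: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*Sep  4 17:46:46.694: ISAKMP:      hash SHA256
*Sep  4 17:46:46.694: ISAKMP:(0):atts are acceptable. Next payload is 0
*Sep  4 17:46:46.694: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Sep  4 17:46:46.695: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Sep  4 17:46:46.729: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Sep  4 17:46:46.762: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Sep  4 17:46:46.762: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
REASON_RE = re.compile(r"\):\s*(.+ does not match policy!)")


def parse_phase1_debug(text):
    """Return (ordered list of states, list of transform-vs-policy checks)."""
    states, checks, current = [], [], None
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            for state in m.groups():      # old state first, then new state
                if not states or states[-1] != state:
                    states.append(state)  # skip repeats such as MM2 -> MM2
            continue
        m = CHECK_RE.search(line)
        if m:
            current = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                       "accepted": None, "reason": None}
            checks.append(current)
            continue
        if current is None:
            continue
        m = REASON_RE.search(line)
        if m:
            current["reason"] = m.group(1)
        elif "atts are not acceptable" in line:
            current["accepted"] = False
            current = None                # verdict closes this check
        elif "atts are acceptable" in line:
            current["accepted"] = True
            current = None
    return states, checks


def accepted_priority(checks):
    """Priority of the local policy that matched, or None if every check failed."""
    return next((c["priority"] for c in checks if c["accepted"]), None)


def phase1_result(states):
    """'complete', or the last state reached, which is where negotiation stopped."""
    if not states:
        return "no ISAKMP state transitions seen"
    return "complete" if states[-1] == "IKE_P1_COMPLETE" else f"stalled at {states[-1]}"
```

On a failing tunnel, the last state returned by phase1_result and the reason recorded for each rejected check show whether the problem is a policy mismatch or a later step such as authentication.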
