Note: This archive passes through spamassassin. Every mail marked with the subject "*****SPAM*****" has exceed a certain threshold of spam-like behaviour.

[Users] DUPLICATED PACKET ERROR

From: Hanumanth Rao (ahraous_at_yahoo.com)
Date: Fri Jun 28 2002 - 14:05:40 CEST

Next message: Christopher Barry: "Re: [Users] Network-to-Network VPN with dynamic IP on one side"
Previous message: Domany: "[Users] dynamic ip"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi all,

The below is the output of ipsec barf, kindly let me
know why my tunnel is not going thro', the tunnel is
between linux ipsec and cisco pix, this was working
for 2 weeks without any probs, suddenly this went
down.
TIME AND AGAIN IM GETTING THE "DUPLICATED PACKET
ERROR"

Regds
Rao

Fri Jun 28 17:32:13 IST 2002
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 1.97
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.7-10custom (root_at_gateway) (gcc
version 2.96 20000731
(Red Hat Linux 7.1 2.96-98)) #4 Thu Jun 13 16:49:04
IST 2002
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
1352 192.168.11.0/24 -> 192.168.1.0/24 =>

tun0x1004_at_67.104.20.130
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
tun0x1003_at_203.200.43.235 IPIP: dir=in
src=67.104.20.130
life(c,s,h)=bytes(21067,0,0)addtime(53,0,0)usetime(54,0,0)packets(112,0,0)
idle=102
tun0x1001_at_203.200.43.235 IPIP: dir=in
src=67.104.20.130
life(c,s,h)=bytes(110,0,0)addtime(53,0,0)usetime(53,0,0)
idle=997
esp0x6d8fc8af_at_203.200.43.235 ESP_3DES_HMAC_MD5: dir=in

src=67.104.20.130 iv_bits=64bits iv=0x597ec79cf40855cb
ooowin=64 seq=112
bit=0xffffffffffffffff alen=128 aklen=128 eklen=192
life(c,s,h)=bytes(21067,0,0)addtime(53,0,0)usetime(54,0,0)packets(112,0,0)
idle=102
esp0x6d8fc8ae_at_203.200.43.235 ESP_3DES_HMAC_MD5: dir=in

src=67.104.20.130 iv_bits=64bits iv=0x22fed857cd2242c3
ooowin=64 seq=1 bit=0x1
alen=128 aklen=128 eklen=192
life(c,s,h)=bytes(110,0,0)addtime(53,0,0)usetime(53,0,0)
idle=997
tun0x1004_at_67.104.20.130 IPIP: dir=out
src=203.200.43.235
life(c,s,h)=bytes(121746,0,0)addtime(53,0,0)usetime(53,0,0)packets(1352,0,0)
idle=1
tun0x1002_at_67.104.20.130 IPIP: dir=out
src=203.200.43.235
life(c,s,h)=bytes(116,0,0)addtime(53,0,0)usetime(53,0,0)
idle=997
esp0x90fe2c72_at_67.104.20.130 ESP_3DES_HMAC_MD5: dir=out

src=203.200.43.235 iv_bits=64bits
iv=0x2fc1bb6e84330bd1 ooowin=64 seq=1352 alen=128
aklen=128 eklen=192
life(c,s,h)=bytes(166528,0,0)addtime(53,0,0)usetime(53,0,0)packets(1352,0,0)
idle=1
esp0x7e89dc73_at_67.104.20.130 ESP_3DES_HMAC_MD5: dir=out

src=203.200.43.235 iv_bits=64bits
iv=0xb29d42fd40382afe ooowin=64 seq=1 alen=128
aklen=128 eklen=192
life(c,s,h)=bytes(152,0,0)addtime(53,0,0)usetime(53,0,0)

idle=997
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1003_at_203.200.43.235 esp0x6d8fc8af_at_203.200.43.235
tun0x1001_at_203.200.43.235 esp0x6d8fc8ae_at_203.200.43.235
tun0x1004_at_67.104.20.130 esp0x90fe2c72_at_67.104.20.130
tun0x1002_at_67.104.20.130 esp0x7e89dc73_at_67.104.20.130
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags
MSS Window
irtt Iface
203.200.43.224 0.0.0.0 255.255.255.240 U
  40 0
0 eth0
203.200.43.224 0.0.0.0 255.255.255.240 U
  40 0
0 ipsec0
192.168.1.0 203.200.43.225 255.255.255.0 UG
  40 0
0 ipsec0
192.168.11.0 0.0.0.0 255.255.255.0 U
  40 0
0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U
  40 0
0 lo
0.0.0.0 203.200.43.225 0.0.0.0 UG
  40 0
0 eth0
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1443) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
    sock pid socket next prev e n p sndbf
  Flags Type
St
cec045a0 1000 ce2c8e84 0 0 0 0 2 65535
00000000 3
1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 ce2c8e84 1000 cec045a0
pf_key_registered: 3 ce2c8e84 1000 cec045a0
pf_key_registered: 9 ce2c8e84 1000 cec045a0
pf_key_registered: 10 ce2c8e84 1000 cec045a0
pf_key_supported:satype exttype alg_id ivlen minbits
maxbits
pf_key_supported: 2 14 3 0 160
  160
pf_key_supported: 2 14 2 0 128
  128
pf_key_supported: 3 15 3 128 168
  168
pf_key_supported: 3 14 3 0 160
  160
pf_key_supported: 3 14 2 0 128
  128
pf_key_supported: 9 15 4 0 128
  128
pf_key_supported: 9 15 3 0 32
  128
pf_key_supported: 9 15 2 0 128
   32
pf_key_supported: 9 15 1 0 32
   32
pf_key_supported: 10 15 2 0 1
    1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp
debug_ipcomp debug_netlink
debug_pfkey debug_radij debug_rcv debug_spi
debug_tunnel debug_verbose
debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 203.200.43.235
000
000 "vpnprod":
192.168.11.0/24===203.200.43.235---203.200.43.225...67.104.20.129---67.104.20.130===192.168.1.0/24
000 "vpnprod": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "vpnprod": policy:
PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK;
interface: eth0; erouted
000 "vpnprod": newest ISAKMP SA: #10; newest IPsec
SA: #3; eroute
owner: #3
000
000 #9: "vpnprod" STATE_MAIN_R3 (sent MR3, ISAKMP SA
established);
EVENT_SA_REPLACE in 3169s
000 #3: "vpnprod" STATE_QUICK_I2 (sent QI2, IPsec SA
established);
EVENT_SA_REPLACE in 27023s; newest IPSEC; eroute owner
000 #3: "vpnprod" esp.90fe2c72_at_67.104.20.130
esp.6d8fc8af_at_203.200.43.235 tun.1004_at_67.104.20.130
tun.1003_at_203.200.43.235
000 #2: "vpnprod" STATE_QUICK_I2 (sent QI2, IPsec SA
established);
EVENT_SA_REPLACE in 27041s
000 #2: "vpnprod" esp.7e89dc73_at_67.104.20.130
esp.6d8fc8ae_at_203.200.43.235 tun.1002_at_67.104.20.130
tun.1001_at_203.200.43.235
000 #1: "vpnprod" STATE_MAIN_I4 (ISAKMP SA
established);
EVENT_SA_REPLACE in 2056s
000 #5: "vpnprod" STATE_MAIN_R3 (sent MR3, ISAKMP SA
established);
EVENT_SA_REPLACE in 2689s
000 #4: "vpnprod" STATE_MAIN_R3 (sent MR3, ISAKMP SA
established);
EVENT_SA_REPLACE in 2569s
000 #10: "vpnprod" STATE_MAIN_R3 (sent MR3, ISAKMP SA
established);
EVENT_SA_REPLACE in 3289s; newest ISAKMP
000 #8: "vpnprod" STATE_MAIN_R3 (sent MR3, ISAKMP SA
established);
EVENT_SA_REPLACE in 3049s
000 #6: "vpnprod" STATE_MAIN_R3 (sent MR3, ISAKMP SA
established);
EVENT_SA_REPLACE in 2809s
000 #7: "vpnprod" STATE_MAIN_R3 (sent MR3, ISAKMP SA
established);
EVENT_SA_REPLACE in 2929s
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr
00:48:54:63:77:A9
          inet addr:203.200.43.235
Bcast:203.200.43.239
Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST MTU:1500
Metric:1
          RX packets:7751 errors:0 dropped:0
overruns:0 frame:0
          TX packets:8237 errors:0 dropped:0
overruns:0 carrier:0
          collisions:0
          RX bytes:5864486 (5.5 Mb) TX bytes:1113374
(1.0 Mb)

eth1 Link encap:Ethernet HWaddr
00:50:BA:A8:81:EF
          inet addr:192.168.11.1 Bcast:192.168.11.255

Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500
Metric:1
          RX packets:8643 errors:0 dropped:0
overruns:0 frame:0
          TX packets:7629 errors:0 dropped:0
overruns:0 carrier:0
          collisions:0
          RX bytes:1079502 (1.0 Mb) TX bytes:5811713
(5.5 Mb)

gre0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP MTU:1476 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0
frame:0
          TX packets:0 errors:0 dropped:0 overruns:0
carrier:0
          collisions:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ipsec0 Link encap:Ethernet HWaddr
00:48:54:63:77:A9
          inet addr:203.200.43.235
Mask:255.255.255.240
          UP RUNNING NOARP MTU:16260 Metric:1
          RX packets:113 errors:0 dropped:0 overruns:0
frame:0
          TX packets:1353 errors:0 dropped:1
overruns:0 carrier:0
          collisions:0
          RX bytes:18917 (18.4 Kb) TX bytes:185622
(181.2 Kb)

ipsec1 Link encap:IPIP Tunnel HWaddr
          NOARP MTU:0 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0
frame:0
          TX packets:0 errors:0 dropped:0 overruns:0
carrier:0
          collisions:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ipsec2 Link encap:IPIP Tunnel HWaddr
          NOARP MTU:0 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0
frame:0
          TX packets:0 errors:0 dropped:0 overruns:0
carrier:0
          collisions:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ipsec3 Link encap:IPIP Tunnel HWaddr
          NOARP MTU:0 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0
frame:0
          TX packets:0 errors:0 dropped:0 overruns:0
carrier:0
          collisions:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0
frame:0
          TX packets:0 errors:0 dropped:0 overruns:0
carrier:0
          collisions:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

tunl0 Link encap:IPIP Tunnel HWaddr
          NOARP MTU:1480 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0
frame:0
          TX packets:0 errors:0 dropped:0 overruns:0
carrier:0
          collisions:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
gateway
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
  5:32pm up 17 min, 1 user, load average: 0.07,
0.03, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
  F UID PID PPID PRI NI VSZ RSS WCHAN STAT
TTY TIME
COMMAND
040 0 994 1 9 0 1996 940 wait4 S ?
         0:00
/bin/sh /usr/local/lib/ipsec/_plutorun --debug none
--uniqueids
040 0 996 994 9 0 1996 940 wait4 S ?
         0:00
\_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug none
--uniqu
100 0 1000 996 9 0 2052 960 do_sel S ?
         0:00 |
\_ /usr/local/lib/ipsec/pluto --nofork --debug-none
000 0 1002 1000 9 0 1452 312 do_sel S ?
         0:00 |
\_ _pluto_adns 7 10
000 0 997 994 8 0 1976 916 pipe_w S ?
         0:00
\_ /bin/sh /usr/local/lib/ipsec/_plutoload --load
%search --st
000 0 995 1 9 0 1392 500 pipe_w S ?
         0:00
logger -p daemon.error -t ipsec__plutorun
000 0 1458 1129 9 0 2228 992 wait4 S
tty1 0:00
\_ /bin/sh /usr/local/sbin/ipsec barf
000 0 1459 1458 17 0 2256 1040 wait4 S
tty1 0:00
\_ /bin/sh /usr/local/lib/ipsec/barf
040 0 1499 1459 16 0 2256 1040 - R
tty1 0:00
\_ /bin/sh /usr/local/lib/ipsec/barf
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
#dr: no default route
# no default route
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file

# More elaborate and more varied sample configurations
can be found
# in FreeS/WAN's doc/examples file.

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will
work;
        # %defaultroute is okay for most simple cases.
        # interfaces=%defaultroute
        interfaces="ipsec0=eth0"
        # manualstart=
        # Debug-logging controls: "none" for (almost) none,
"all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to
control startup
actions.
        plutoload=%search
        plutostart=%search
        # plutowait=no
        # Close down old connection when new one using same
ID shows up.
        # uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0
means very).
        keyingtries=0
        #auto=start
        # Parameters for manual-keying testing (DON'T USE
OPERATIONALLY).
        # Note: only one test connection at a time can use
these parameters!
        #spi=0x0
        #esp=3des-md5-96
        #espenckey=[sums to ee78...]
        #espauthkey=[sums to e715...]
        #RSA authentication with keys from DNS.
        #authby=rsasig
        #leftrsasigkey=%dns
        #rightrsasigkey=%dns

# sample connection
#conn sample
conn vpnprod
        type=tunnel
        # Left security gateway, subnet behind it, next hop
toward right.
        left=203.200.43.235
        leftsubnet=192.168.11.0/24
        leftnexthop=203.200.43.225
        # Right security gateway, subnet behind it, next hop
toward left.
        right=67.104.20.130
        rightsubnet=192.168.1.0/24
        rightnexthop=67.104.20.129
        keyexchange=ike
        authby=secret
        auth=esp
        esp=3des-md5-96
        spi=0x0
        pfs=yes
        auto=start
        # cisco defaults
        # ikelifetime=200s
        # rekeymargin=9s
        # rekeyfuzz=0%
        # keylife=2h
        # To authorize this connection, but not actually
start it, at startup,
        # uncomment this.
        #auto=add
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys
for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and
HTML documentation.

203.200.43.235 67.104.20.130 : PSK "[sums to 067e...]"

# RSA private key for this host, authenticating it to
any other host
# which knows the public part. Suitable public keys,
for ipsec.conf,
DNS,
# or configuration of other implementations, can be
extracted
conveniently
# with "[sums to ef67...]".
: RSA {
        # RSA 2192 bits gateway Thu Jun 13 16:20:54 2002
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=[keyid AQNGU9goY]
        #IN KEY 0x4200 4 1 [keyid AQNGU9goY]
        # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
        Modulus: [...]
        PublicExponent: [...]
        # everything after this point is secret
        PrivateExponent: [...]
        Prime1: [...]
        Prime2: [...]
        Exponent1: [...]
        Exponent2: [...]
        Coefficient: [...]
        }
# do not change the indenting of that "[sums to
7d9d...]"
+ _________________________ ipsec/ls-dir
+ ls -l /usr/local/lib/ipsec
total 2620
-rwxr-xr-x 1 root root 11150 Jun 13
16:21 _confread
-rwxr-xr-x 1 root root 46737 Jun 13
16:21 _copyright
-rwxr-xr-x 1 root root 2163 Jun 13
16:21 _include
-rwxr-xr-x 1 root root 1472 Jun 13
16:21 _keycensor
-rwxr-xr-x 1 root root 69269 Jun 13
16:21 _pluto_adns
-rwxr-xr-x 1 root root 3495 Jun 13
16:21 _plutoload
-rwxr-xr-x 1 root root 4442 Jun 13
16:21 _plutorun
-rwxr-xr-x 1 root root 7327 Jun 13
16:21 _realsetup
-rwxr-xr-x 1 root root 1971 Jun 13
16:21 _secretcensor
-rwxr-xr-x 1 root root 6839 Jun 13
16:21 _startklips
-rwxr-xr-x 1 root root 5014 Jun 13
16:21 _updown
-rwxr-xr-x 1 root root 7838 Jun 13
16:21 _updown.dhcp
-rwxr-xr-x 1 root root 12845 Jun 13
16:21 auto
-rwxr-xr-x 1 root root 7132 Jun 13
16:21 barf
-rwxr-xr-x 1 root root 225909 Jun 13
16:21 eroute
-rwxr-xr-x 1 root root 98748 Jun 13
16:21 ikeping
-rwxr-xr-x 1 root root 2915 Jun 13
16:21 ipsec
-rw-r--r-- 1 root root 1950 Jun 13
16:21
ipsec_pr.template
-rwxr-xr-x 1 root root 161594 Jun 13
16:21 klipsdebug
-rwxr-xr-x 1 root root 2437 Jun 13
16:21 look
-rwxr-xr-x 1 root root 16157 Jun 13
16:21 manual
-rwxr-xr-x 1 root root 1847 Jun 13
16:21 newhostkey
-rwxr-xr-x 1 root root 140157 Jun 13
16:21 pf_key
-rwxr-xr-x 1 root root 893329 Jun 13
16:21 pluto
-rwxr-xr-x 1 root root 53050 Jun 13
16:21 ranbits
-rwxr-xr-x 1 root root 76514 Jun 13
16:21 rsasigkey
-rwxr-xr-x 1 root root 16671 Jun 13
16:21 send-pr
lrwxrwxrwx 1 root root 22 Jun 13
16:21 setup ->
/etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1041 Jun 13
16:21 showdefaults
-rwxr-xr-x 1 root root 3484 Jun 13
16:21 showhostkey
-rwxr-xr-x 1 root root 246922 Jun 13
16:21 spi
-rwxr-xr-x 1 root root 202742 Jun 13
16:21 spigrp
-rwxr-xr-x 1 root root 71199 Jun 13
16:21 tncfg
-rwxr-xr-x 1 root root 17032 Jun 13
16:21 uml_netjig
-rwxr-xr-x 1 root root 141817 Jun 13
16:21 whack
+ _________________________ ipsec/updowns
++ ls /usr/local/lib/ipsec
++ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry
Spencer
#
# This program is free software; you can redistribute
it and/or modify
it
# under the terms of the GNU General Public License as
published by the
# Free Software Foundation; either version 2 of the
License, or (at
your
# option) any later version. See
<http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will
be useful, but
# WITHOUT ANY WARRANTY; without even the implied
warranty of
MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public
License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry
Exp $

# CAUTION: Installing a new version of FreeS/WAN will
install a new
# copy of this script, wiping out any custom changes
you make. If
# you need changes, make a copy of this under another
name, and
customize
# that, and use the (left/right)updown parameters in
ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be
using new
features.
        echo "$0: obsolete interface version
\`$PLUTO_VERSION'," >&2
        echo "$0: called by obsolete Pluto?" >&2
        exit 2
        ;;
1.*) ;;
*) echo "$0: unknown interface version
\`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$1:$*" in
':') # no parameters
        ;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for
default script only
        ;;
custom:*) # custom parameters (see above CAUTION
comment)
        ;;
*) echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and
requires great
care.
uproute() {
        doroute add
}
downroute() {
        doroute del
}
doroute() {
        parms="-net $PLUTO_PEER_CLIENT_NET netmask
$PLUTO_PEER_CLIENT_MASK"
        parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with
opportunistic
                it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2
&&
                        route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
                ;;
        *) it="route $1 $parms $parms2"
                ;;
        esac
        eval $it
        st=$?
        if test $st -ne 0
        then
                # route has already given its own cryptic message
                echo "$0: \`$it' failed" >&2
                if test " $1 $st" = " add 7"
                then
                        # another totally undocumented interface -- 7 and
                        # "SIOCADDRT: Network is unreachable" means that
                        # the gateway isn't reachable.
                        echo "$0: (incorrect or missing nexthop setting??)"
>&2
                fi
        fi
        return $st
}

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and
requires great
care.
uproute() {
        doroute add
}
downroute() {
        doroute del
}
doroute() {
        parms="-net $PLUTO_PEER_CLIENT_NET netmask
$PLUTO_PEER_CLIENT_MASK"
        parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with
opportunistic
                it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2
&&"
                it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0
$parms2"
                route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
                        route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
                ;;
        *) it="route $1 $parms $parms2"
                route $1 $parms $parms2
                ;;
        esac
        st=$?
        if test $st -ne 0
        then
                # route has already given its own cryptic message
                echo "$0: \`$it' failed" >&2
                if test " $1 $st" = " add 7"
                then
                        # another totally undocumented interface -- 7 and
                        # "SIOCADDRT: Network is unreachable" means that
                        # the gateway isn't reachable.
                        echo "$0: (incorrect or missing nexthop setting??)"
>&2
                fi
        fi
        return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to
adding a route)
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with
opportunistic
                parms1="-net 0.0.0.0 netmask 128.0.0.0"
                parms2="-net 128.0.0.0 netmask 128.0.0.0"
                it="route del $parms1 2>&1 ; route del $parms2 2>&1"
                oops="`route del $parms1 2>&1 ; route del $parms2
2>&1`"
                ;;
        *)
                parms="-net $PLUTO_PEER_CLIENT_NET netmask
$PLUTO_PEER_CLIENT_MASK"
                it="route del $parms 2>&1"
                oops="`route del $parms 2>&1`"
                ;;
        esac
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error, exit status $status"
        fi
        case "$oops" in
        'SIOCDELRT: No such process'*)
                # This is what route (currently -- not documented!)
gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
        exit $status
        ;;
route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
up-host:*)
        # connection to me coming up
        # If you are doing a custom version, firewall
commands go here.
        ;;
down-host:*)
        # connection to me going down
        # If you are doing a custom version, firewall
commands go here.
        ;;
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall
commands go here.
        if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [
"$PLUTO_MY_PROTOCOL" == "17" ]
        then
          iptables -I INPUT 1 -i $PLUTO_INTERFACE -p
$PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
--sport
$PLUTO_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK
--dport
$PLUTO_MY_PORT -j ACCEPT
          iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p
$PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK
--sport
$PLUTO_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
--dport
$PLUTO_PEER_PORT -j ACCEPT
          iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p
$PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK
--sport
$PLUTO_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
--dport
$PLUTO_PEER_PORT -j ACCEPT
          iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p
$PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
--sport
$PLUTO_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK
--dport
$PLUTO_MY_PORT -j ACCEPT
        else
          iptables -I INPUT 1 -i $PLUTO_INTERFACE -p
$PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
\
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j
ACCEPT
          iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p
$PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
-j ACCEPT
          iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p
$PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
-j ACCEPT
          iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p
$PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
\
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j
ACCEPT
        fi
        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall
commands go here.
        if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [
"$PLUTO_MY_PROTOCOL" == "17" ]
        then
          iptables -D INPUT -i $PLUTO_INTERFACE -p
$PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
--sport
$PLUTO_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK
--dport
$PLUTO_MY_PORT -j ACCEPT
          iptables -D OUTPUT -o $PLUTO_INTERFACE -p
$PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK
--sport
$PLUTO_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
--dport
$PLUTO_PEER_PORT -j ACCEPT
          iptables -D FORWARD -o $PLUTO_INTERFACE -p
$PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK
--sport
$PLUTO_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
--dport
$PLUTO_PEER_PORT -j ACCEPT
          iptables -D FORWARD -i $PLUTO_INTERFACE -p
$PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
--sport
$PLUTO_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK
--dport
$PLUTO_MY_PORT -j ACCEPT
        else
          iptables -D INPUT -i $PLUTO_INTERFACE -p
$PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
\
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j
ACCEPT
          iptables -D OUTPUT -o $PLUTO_INTERFACE -p
$PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
-j ACCEPT
          iptables -D FORWARD -o $PLUTO_INTERFACE -p
$PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
-j ACCEPT
          iptables -D FORWARD -i $PLUTO_INTERFACE -p
$PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
\
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j
ACCEPT
        fi
        ;;
up-client:ipfwadm)
        # connection to client subnet, with
(left/right)firewall=yes, coming
up
        # This is used only by the default updown script, not
by your custom
        # ones, so do not mess with it; see CAUTION comment
up at top.
        ipfwadm -F -i accept -b -S
$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK
\
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with
(left/right)firewall=yes, going
down
        # This is used only by the default updown script, not
by your custom
        # ones, so do not mess with it; see CAUTION comment
up at top.
        ipfwadm -F -d accept -b -S
$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK
\
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter
\`$1'" >&2
        exit 1
        ;;
esac
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive
          |
Transmit
face |bytes packets errs drop fifo frame
compressed multicast|bytes
packets errs drop fifo colls carrier compressed
    lo: 0 0 0 0 0 0
0 0
0 0 0 0 0 0 0 0
tunl0: 0 0 0 0 0 0
0 0
0 0 0 0 0 0 0 0
  gre0: 0 0 0 0 0 0
0 0
0 0 0 0 0 0 0 0
ipsec0: 18917 113 0 0 0 0
0 0
185984 1356 0 1 0 0 0 0
ipsec1: 0 0 0 0 0 0
0 0
0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0
0 0
0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0
0 0
0 0 0 0 0 0 0 0
  eth0: 5864486 7751 0 0 0 0
0 0
1113810 8241 0 0 0 0 0
0
  eth1: 1079774 8647 0 0 0 0
0 0
5811713 7629 0 0 0 0 0
0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric
Mask MTU Window
IRTT

eth0 E02BC8CB 00000000 0001 0 0 0 F0FFFFFF 40 0 0


ipsec0 E02BC8CB 00000000 0001 0 0 0 F0FFFFFF 40 0 0


ipsec0 0001A8C0 E12BC8CB 0003 0 0 0 00FFFFFF 40 0 0


eth1 000BA8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0


lo 0000007F 00000000 0001 0 0 0 000000FF 40 0 0


eth0 00000000 E12BC8CB 0003 0 0 0 00000000 40 0 0


+ _________________________
proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________
proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter
eth0/rp_filter
eth1/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:0
eth1/rp_filter:1
ipsec0/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux gateway 2.4.7-10custom #4 Thu Jun 13 16:49:04
IST 2002 i686
unknown
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Red Hat Linux release 7.2 (Enigma)
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.97
+ _________________________ iptables/list
+ iptables -L -v -n
/lib/modules/2.4.7-10custom/kernel/net/ipv4/netfilter/ip_tables.o:

init_module: Device or resource busy
/lib/modules/2.4.7-10custom/kernel/net/ipv4/netfilter/ip_tables.o:

insmod
/lib/modules/2.4.7-10custom/kernel/net/ipv4/netfilter/ip_tables.o

failed
/lib/modules/2.4.7-10custom/kernel/net/ipv4/netfilter/ip_tables.o:

init_module: Device or resource busy
/lib/modules/2.4.7-10custom/kernel/net/ipv4/netfilter/ip_tables.o:

insmod
/lib/modules/2.4.7-10custom/kernel/net/ipv4/netfilter/ip_tables.o

failed
/lib/modules/2.4.7-10custom/kernel/net/ipv4/netfilter/ip_tables.o:

insmod ip_tables failed
Hint: insmod errors can be caused by incorrect module
parameters,
including invalid IO or IRQ parameters
iptables v1.2.3: can't initialize iptables table
`nat': iptables who?
(do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
IP masquerading entries
prot expire initseq delta prevd source
   destination
ports
TCP 00:46.70 0 0 0 192.168.11.38

203.199.70.247 2516 (61248) -> 8080
TCP 00:48.00 0 0 0 192.168.11.38
   203.199.93.75
2517 (61248) -> 80
UDP 02:46.42 0 0 0 192.168.11.8
   67.104.20.139
500 (61013) -> 500
TCP 00:54.62 0 0 0 192.168.11.34
   207.188.7.55
4512 (61252) -> 80
TCP 00:54.14 0 0 0 192.168.11.38

203.199.70.229 2524 (61251) -> 80
TCP 7189:05.74 0 0 0 192.168.11.36

209.126.180.49 3092 (61120) -> 80
TCP 7196:04.90 0 0 0 192.168.11.29
     64.4.12.49
1071 (61227) -> 1863
TCP 7197:43.68 0 0 0 192.168.11.40

216.136.173.179 1500 (61006) -> 5050
TCP 00:51.23 0 0 0 192.168.11.38

203.197.64.239 2525 (61251) -> 80
TCP 00:55.72 0 0 0 192.168.11.34
   207.188.7.55
4513 (61253) -> 80
TCP 00:58.62 0 0 0 192.168.11.34
   207.188.7.74
4520 (61256) -> 80
TCP 00:48.52 0 0 0 192.168.11.38

203.199.70.237 2518 (61248) -> 80
TCP 00:52.29 0 0 0 192.168.11.34

208.147.89.220 4508 (61252) -> 80
TCP 00:51.52 0 0 0 192.168.11.38

203.197.64.239 2526 (61252) -> 80
TCP 00:55.77 0 0 0 192.168.11.34
   207.188.7.55
4514 (61254) -> 80
TCP 00:48.42 0 0 0 192.168.11.38

203.199.70.237 2519 (61249) -> 80
TCP 00:59.82 0 0 0 192.168.11.34
   207.188.7.175
4521 (61257) -> 80
UDP 02:56.44 0 0 0 192.168.11.8
   67.104.20.139
10000 (61013) -> 10000
TCP 7199:50.92 0 0 0 192.168.11.34

216.136.233.133 4483 (61121) -> 5050
TCP 7197:24.37 0 0 0 192.168.11.8

216.136.224.142 2699 (61061) -> 5050
TCP 01:10.01 0 0 0 192.168.11.38

216.247.126.111 2527 (61257) -> 80
TCP 7199:11.83 0 0 0 192.168.11.32

216.136.175.142 3081 (61000) -> 5050
TCP 00:56.52 0 0 0 192.168.11.34
   207.188.7.55
4515 (61255) -> 80
TCP 00:48.66 0 0 0 192.168.11.38

203.199.70.237 2520 (61250) -> 80
TCP 00:46.32 0 0 0 192.168.11.38

203.199.70.237 2513 (61247) -> 80
TCP 7199:17.61 0 0 0 192.168.11.34

67.104.20.139 4497 (61247) -> 80
TCP 01:10.56 0 0 0 192.168.11.38

216.247.126.111 2528 (61258) -> 80
TCP 00:48.62 0 0 0 192.168.11.38

203.199.70.237 2521 (61250) -> 8080
TCP 00:57.17 0 0 0 192.168.11.34
   207.188.7.55
4516 (61256) -> 80
TCP 01:11.50 0 0 0 192.168.11.38
   209.225.0.6
2529 (61258) -> 80
TCP 00:46.52 0 0 0 192.168.11.38

203.199.70.247 2514 (61247) -> 80
TCP 7199:32.08 0 0 0 192.168.11.39

67.104.20.139 3715 (61122) -> 80
TCP 7195:03.83 0 0 0 192.168.11.29

216.136.233.133 1038 (61122) -> 119
TCP 7197:59.19 0 0 0 192.168.11.38

216.136.233.130 2326 (61007) -> 5050
TCP 7187:54.77 0 0 0 192.168.11.36

216.247.126.114 3023 (61071) -> 80
TCP 7195:48.73 0 0 0 192.168.11.38

209.126.180.49 2476 (61223) -> 80
TCP 7198:33.22 0 0 0 192.168.11.25

216.136.233.131 2912 (61007) -> 5050
TCP 00:46.58 0 0 0 192.168.11.38

203.199.70.237 2515 (61248) -> 8080
TCP 01:12.87 0 0 0 192.168.11.38
   209.225.0.6
2530 (61259) -> 80
TCP 00:48.87 0 0 0 192.168.11.38

203.199.70.229 2522 (61250) -> 80
TCP 00:53.46 0 0 0 192.168.11.34
   207.188.7.118
4510 (61252) -> 80
TCP 00:48.94 0 0 0 192.168.11.38

203.199.70.237 2523 (61251) -> 8080
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
IP masquerading entries
prot expire source destination
ports
TCP 00:46.65 192.168.11.38 203.199.70.247
2516 (61248) ->
webcache
TCP 00:47.95 192.168.11.38 203.199.93.75
2517 (61248) ->
http
UDP 02:46.37 192.168.11.8 67.104.20.139
isakmp (61013)
-> isakmp
TCP 00:54.57 192.168.11.34 benedictrn.real.com
4512 (61252) ->
http
TCP 00:54.09 192.168.11.38 203.199.70.229
2524 (61251) ->
http
TCP 7189:05.69 192.168.11.36 209.126.180.49
   3092 (61120)
-> http
TCP 7196:04.85 192.168.11.29
msgr-cs20.msgr.hotmail.com 1071
(61227) -> 1863
TCP 7197:43.63 192.168.11.40
cs36.msg.sc5.yahoo.com 1500
(61006) -> 5050
TCP 00:51.18 192.168.11.38 203.197.64.239
2525 (61251) ->
http
TCP 00:55.67 192.168.11.34 benedictrn.real.com
4513 (61253) ->
http
TCP 00:58.57 192.168.11.34 207.188.7.74
4520 (61256) ->
http
TCP 00:48.47 192.168.11.38 203.199.70.237
2518 (61248) ->
http
TCP 00:52.24 192.168.11.34 cdinfo.real.com
4508 (61252) ->
http
TCP 00:51.47 192.168.11.38 203.197.64.239
2526 (61252) ->
http
TCP 00:55.72 192.168.11.34 benedictrn.real.com
4514 (61254) ->
http
TCP 00:48.37 192.168.11.38 203.199.70.237
2519 (61249) ->
http
TCP 00:59.77 192.168.11.34 imagesrr1.real.com
4521 (61257) ->
http
UDP 02:56.39 192.168.11.8 67.104.20.139
10000 (61013)
-> 10000
TCP 7199:50.87 192.168.11.34
cs46.msg.sc5.yahoo.com 4483
(61121) -> 5050
TCP 7197:24.32 192.168.11.8
acs1.msg.sc5.yahoo.com 2699
(61061) -> 5050
TCP 01:09.96 192.168.11.38
dhcppool-126.247.216.interland.net
2527 (61257) -> http
TCP 7199:11.78 192.168.11.32
cs10.msg.sc5.yahoo.com 3081
(61000) -> 5050
TCP 00:56.47 192.168.11.34 benedictrn.real.com
4515 (61255) ->
http
TCP 00:48.61 192.168.11.38 203.199.70.237
2520 (61250) ->
http
TCP 00:46.27 192.168.11.38 203.199.70.237
2513 (61247) ->
http
TCP 7199:17.56 192.168.11.34 67.104.20.139
   4497 (61247)
-> http
TCP 01:10.51 192.168.11.38
dhcppool-126.247.216.interland.net
2528 (61258) -> http
TCP 00:48.57 192.168.11.38 203.199.70.237
2521 (61250) ->
webcache
TCP 00:57.12 192.168.11.34 benedictrn.real.com
4516 (61256) ->
http
TCP 01:11.45 192.168.11.38
servedby.advertising.com 2529
(61258) -> http
TCP 00:46.47 192.168.11.38 203.199.70.247
2514 (61247) ->
http
TCP 7199:32.03 192.168.11.39 67.104.20.139
   3715 (61122)
-> http
TCP 7195:03.78 192.168.11.29
cs46.msg.sc5.yahoo.com 1038
(61122) -> nntp
TCP 7197:59.14 192.168.11.38
cs43.msg.sc5.yahoo.com 2326
(61007) -> 5050
TCP 7187:54.72 192.168.11.36
dhcppool-126.247.216.interland.net
3023 (61071) -> http
TCP 7195:48.68 192.168.11.38 209.126.180.49
   2476 (61223)
-> http
TCP 7198:33.17 192.168.11.25
cs44.msg.sc5.yahoo.com 2912
(61007) -> 5050
TCP 00:46.53 192.168.11.38 203.199.70.237
2515 (61248) ->
webcache
TCP 01:12.82 192.168.11.38
servedby.advertising.com 2530
(61259) -> http
TCP 00:48.82 192.168.11.38 203.199.70.229
2522 (61250) ->
http
TCP 00:53.41 192.168.11.34
switchboardrr1.real.com 4510 (61252)
-> http
TCP 00:48.89 192.168.11.38 203.199.70.237
2523 (61251) ->
webcache
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
/lib/modules/2.4.7-10custom/kernel/net/ipv4/netfilter/ip_tables.o:

init_module: Device or resource busy
/lib/modules/2.4.7-10custom/kernel/net/ipv4/netfilter/ip_tables.o:

insmod
/lib/modules/2.4.7-10custom/kernel/net/ipv4/netfilter/ip_tables.o

failed
/lib/modules/2.4.7-10custom/kernel/net/ipv4/netfilter/ip_tables.o:

insmod ip_tables failed
Hint: insmod errors can be caused by incorrect module
parameters,
including invalid IO or IRQ parameters
iptables v1.2.3: can't initialize iptables table
`mangle': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ proc/modules
+ cat /proc/modules
ipchains 36448 0
8139too 12608 2
appletalk 20432 0 (autoclean)
ipx 16160 0 (autoclean)
usb-uhci 21424 0 (unused)
usbcore 50912 1 [usb-uhci]
ext3 64624 5
jbd 40992 5 [ext3]
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers:
cached:
Mem: 260403200 64892928 195510272 0 13377536
31469568
Swap: 625078272 0 625078272
MemTotal: 254300 kB
MemFree: 190928 kB
MemShared: 0 kB
Buffers: 13064 kB
Cached: 30732 kB
SwapCached: 0 kB
Active: 19328 kB
Inact_dirty: 24468 kB
Inact_clean: 0 kB
Inact_target: 1160 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 254300 kB
LowFree: 190928 kB
SwapTotal: 610428 kB
SwapFree: 610428 kB
NrSwapPages: 152607 pages
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute
/proc/net/ipsec_klipsdebug
/proc/net/ipsec_spi /proc/net/ipsec_spigrp
/proc/net/ipsec_tncfg
/proc/net/ipsec_version
-r--r--r-- 1 root root 0 Jun 28
17:32
/proc/net/ipsec_eroute
-r--r--r-- 1 root root 0 Jun 28
17:32
/proc/net/ipsec_klipsdebug
-r--r--r-- 1 root root 0 Jun 28
17:32
/proc/net/ipsec_spi
-r--r--r-- 1 root root 0 Jun 28
17:32
/proc/net/ipsec_spigrp
-r--r--r-- 1 root root 0 Jun 28
17:32
/proc/net/ipsec_tncfg
-r--r--r-- 1 root root 0 Jun 28
17:32
/proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
CONFIG_MD_MULTIPATH=m
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
# IP: Netfilter Configuration
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_COMPAT_IPFWADM=m
CONFIG_IP_NF_NAT_NEEDED=y
# IP: Virtual Server Configuration
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=16
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
# IPv6: Netfilter Configuration
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_ATM_CLIP=y
# CONFIG_ATM_CLIP_NO_ICMP is not set
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_IPSEC=y
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_IDE_CHIPSETS is not set
CONFIG_SCSI_IPS=m
# CONFIG_SCSI_IZIP_EPP16 is not set
# CONFIG_SCSI_IZIP_SLOW_CTR is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_TULIP=m
# CONFIG_TULIP_MWI is not set
CONFIG_TULIP_MMIO=m
# CONFIG_HIPPI is not set
CONFIG_PLIP=m
CONFIG_SLIP=m
CONFIG_SLIP_COMPRESSED=y
CONFIG_SLIP_SMART=y
CONFIG_SLIP_MODE_SLIP6=y
CONFIG_CIPE=m
CONFIG_STRIP=m
CONFIG_IPHASE5526=m
CONFIG_WANPIPE_CHDLC=y
CONFIG_WANPIPE_FR=y
CONFIG_WANPIPE_X25=y
CONFIG_WANPIPE_PPP=y
CONFIG_WANPIPE_MULTPPP=y
CONFIG_PCMCIA_XIRTULIP=m
CONFIG_SERIAL_MULTIPORT=y
CONFIG_I2C_PHILIPSPAR=m
CONFIG_INPUT_GRIP=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none
/var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* /var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a
special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

#
# INN
#
news.=crit
/var/log/news/news.crit
news.=err
/var/log/news/news.err
news.notice
/var/log/news/news.notice
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 12
drwxr-xr-x 4 root root 4096 Jun 13
17:45 2.4.7-10
drwxr-xr-x 4 root root 4096 Jun 13
17:49 2.4.7-10custom
drwxr-xr-x 4 root root 4096 Jun 13
18:04 2.4.7-10debug
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c01bfee0 netif_rx_R7cb763cb
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.7-10: U netif_rx_R7cb763cb
2.4.7-10custom:
2.4.7-10debug: U netif_rx_Rff5ef9bd
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '74079,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Jun 28 17:15:32 gateway ipsec_setup: Starting
FreeS/WAN IPsec 1.97...
Jun 28 17:15:32 gateway ipsec_setup: KLIPS debug
`none'
Jun 28 17:15:32 gateway ipsec_setup: KLIPS ipsec0 on
eth0
203.200.43.235/255.255.255.240 broadcast
203.200.43.239
Jun 28 17:15:33 gateway ipsec_setup: ...FreeS/WAN
IPsec started
Jun 28 17:15:36 gateway ipsec__plutorun: 104 "vpnprod"
#1:
STATE_MAIN_I1: initiate
Jun 28 17:15:36 gateway ipsec__plutorun: 106 "vpnprod"
#1:
STATE_MAIN_I2: sent MI2, expecting MR2
Jun 28 17:15:36 gateway ipsec__plutorun: 003 "vpnprod"
#1: ignoring
Vendor ID payload
Jun 28 17:15:36 gateway ipsec__plutorun: 108 "vpnprod"
#1:
STATE_MAIN_I3: sent MI3, expecting MR3
Jun 28 17:15:36 gateway ipsec__plutorun: 004 "vpnprod"
#1:
STATE_MAIN_I4: ISAKMP SA established
Jun 28 17:15:36 gateway ipsec__plutorun: 112 "vpnprod"
#2:
STATE_QUICK_I1: initiate
Jun 28 17:15:36 gateway ipsec__plutorun: 003 "vpnprod"
#2: ignoring
informational payload, type IPSEC_RESPONDER_LIFETIME
Jun 28 17:15:36 gateway ipsec__plutorun: 004 "vpnprod"
#2:
STATE_QUICK_I2: sent QI2, IPsec SA established
+ _________________________ plog
+ sed -n '43169,$p' /var/log/secure
+ egrep -i pluto
+ cat
Jun 28 17:15:33 gateway ipsec__plutorun: Starting
Pluto subsystem...
Jun 28 17:15:33 gateway Pluto[1000]: Starting Pluto
(FreeS/WAN Version
1.97)
Jun 28 17:15:33 gateway Pluto[1000]: including X.509
patch (Version
0.9.12)
Jun 28 17:15:33 gateway Pluto[1000]: Changing to
directory
'/etc/ipsec.d/cacerts'
Jun 28 17:15:33 gateway Pluto[1000]: Warning: empty
directory
Jun 28 17:15:33 gateway Pluto[1000]: Changing to
directory
'/etc/ipsec.d/crls'
Jun 28 17:15:33 gateway Pluto[1000]: Warning: empty
directory
Jun 28 17:15:33 gateway Pluto[1000]: could not open
my default X.509
cert file '/etc/x509cert.der'
Jun 28 17:15:33 gateway Pluto[1000]: OpenPGP
certificate file
'/etc/pgpcert.pgp' not found
Jun 28 17:15:33 gateway Pluto[1000]: added connection
description
"vpnprod"
Jun 28 17:15:33 gateway Pluto[1000]: listening for IKE
messages
Jun 28 17:15:33 gateway Pluto[1000]: adding interface
ipsec0/eth0
203.200.43.235
Jun 28 17:15:33 gateway Pluto[1000]: loading secrets
from
"/etc/ipsec.secrets"
Jun 28 17:15:33 gateway Pluto[1000]: "vpnprod" #1:
initiating Main Mode
Jun 28 17:15:35 gateway Pluto[1000]: "vpnprod" #1:
ignoring Vendor ID
payload
Jun 28 17:15:35 gateway Pluto[1000]: "vpnprod" #1:
Peer ID is
ID_IPV4_ADDR: '67.104.20.130'
Jun 28 17:15:35 gateway Pluto[1000]: "vpnprod" #1:
ISAKMP SA
established
Jun 28 17:15:35 gateway Pluto[1000]: "vpnprod" #2:
initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Jun 28 17:15:35 gateway Pluto[1000]: "vpnprod" #3:
initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Jun 28 17:15:36 gateway Pluto[1000]: "vpnprod" #2:
ignoring
informational payload, type IPSEC_RESPONDER_LIFETIME
Jun 28 17:15:36 gateway Pluto[1000]: "vpnprod" #2:
sent QI2, IPsec SA
established
Jun 28 17:15:36 gateway Pluto[1000]: "vpnprod" #3:
ignoring
informational payload, type IPSEC_RESPONDER_LIFETIME
Jun 28 17:15:36 gateway Pluto[1000]: "vpnprod" #3:
sent QI2, IPsec SA
established
Jun 28 17:15:46 gateway Pluto[1000]: packet from
67.104.20.130:500:
Quick Mode message is for a non-existent (expired?)
ISAKMP SA
Jun 28 17:15:58 gateway Pluto[1000]: "vpnprod" #1:
ignoring Delete SA
payload
Jun 28 17:15:58 gateway Pluto[1000]: "vpnprod" #1:
received and ignored
informational message
Jun 28 17:16:01 gateway Pluto[1000]: packet from
67.104.20.130:500:
Quick Mode message is for a non-existent (expired?)
ISAKMP SA
Jun 28 17:16:01 gateway Pluto[1000]: "vpnprod" #1:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:16:16 gateway Pluto[1000]: packet from
67.104.20.130:500:
Quick Mode message is for a non-existent (expired?)
ISAKMP SA
Jun 28 17:16:16 gateway Pluto[1000]: "vpnprod" #1:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x3b027cb5 (perhaps this is a duplicated packet)
Jun 28 17:16:31 gateway Pluto[1000]: packet from
67.104.20.130:500:
Quick Mode message is for a non-existent (expired?)
ISAKMP SA
Jun 28 17:16:31 gateway Pluto[1000]: "vpnprod" #1:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x3b027cb5 (perhaps this is a duplicated packet)
Jun 28 17:16:46 gateway Pluto[1000]: packet from
67.104.20.130:500:
Quick Mode message is for a non-existent (expired?)
ISAKMP SA
Jun 28 17:16:46 gateway Pluto[1000]: "vpnprod" #1:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x3b027cb5 (perhaps this is a duplicated packet)
Jun 28 17:17:31 gateway Pluto[1000]: "vpnprod" #1:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:17:32 gateway Pluto[1000]: "vpnprod" #1:
ignoring Delete SA
payload
Jun 28 17:17:32 gateway Pluto[1000]: "vpnprod" #1:
received and ignored
informational message
Jun 28 17:18:31 gateway Pluto[1000]: packet from
67.104.20.130:500:
Quick Mode message is for a non-existent (expired?)
ISAKMP SA
Jun 28 17:18:32 gateway Pluto[1000]: packet from
67.104.20.130:500:
Informational Exchange is for an unknown (expired?) SA
Jun 28 17:19:31 gateway Pluto[1000]: "vpnprod" #4:
responding to Main
Mode
Jun 28 17:19:31 gateway Pluto[1000]: "vpnprod" #4:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:19:31 gateway Pluto[1000]: "vpnprod" #4:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:19:31 gateway Pluto[1000]: "vpnprod" #4:
ignoring Vendor ID
payload
Jun 28 17:19:32 gateway Pluto[1000]: "vpnprod" #4:
Peer ID is
ID_IPV4_ADDR: '67.104.20.130'
Jun 28 17:19:32 gateway Pluto[1000]: "vpnprod" #4:
sent MR3, ISAKMP SA
established
Jun 28 17:19:32 gateway Pluto[1000]: "vpnprod" #4:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:19:47 gateway Pluto[1000]: "vpnprod" #4:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0xb8fa3e52 (perhaps this is a duplicated packet)
Jun 28 17:20:31 gateway Pluto[1000]: "vpnprod" #4:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:20:32 gateway Pluto[1000]: "vpnprod" #4:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0xb8fa3e52 (perhaps this is a duplicated packet)
Jun 28 17:20:46 gateway Pluto[1000]: "vpnprod" #4:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x86b2438a (perhaps this is a duplicated packet)
Jun 28 17:20:48 gateway Pluto[1000]: "vpnprod" #4:
ignoring Delete SA
payload
Jun 28 17:20:48 gateway Pluto[1000]: "vpnprod" #4:
received and ignored
informational message
Jun 28 17:21:31 gateway Pluto[1000]: "vpnprod" #5:
responding to Main
Mode
Jun 28 17:21:31 gateway Pluto[1000]: "vpnprod" #5:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:21:31 gateway Pluto[1000]: "vpnprod" #5:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:21:31 gateway Pluto[1000]: "vpnprod" #5:
ignoring Vendor ID
payload
Jun 28 17:21:32 gateway Pluto[1000]: "vpnprod" #5:
Peer ID is
ID_IPV4_ADDR: '67.104.20.130'
Jun 28 17:21:32 gateway Pluto[1000]: "vpnprod" #5:
sent MR3, ISAKMP SA
established
Jun 28 17:21:32 gateway Pluto[1000]: "vpnprod" #5:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:21:47 gateway Pluto[1000]: "vpnprod" #5:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x1f93d7a4 (perhaps this is a duplicated packet)
Jun 28 17:22:31 gateway Pluto[1000]: "vpnprod" #5:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:22:32 gateway Pluto[1000]: "vpnprod" #5:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x1f93d7a4 (perhaps this is a duplicated packet)
Jun 28 17:22:46 gateway Pluto[1000]: "vpnprod" #5:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x65c9752b (perhaps this is a duplicated packet)
Jun 28 17:22:48 gateway Pluto[1000]: "vpnprod" #5:
ignoring Delete SA
payload
Jun 28 17:22:48 gateway Pluto[1000]: "vpnprod" #5:
received and ignored
informational message
Jun 28 17:23:31 gateway Pluto[1000]: "vpnprod" #6:
responding to Main
Mode
Jun 28 17:23:31 gateway Pluto[1000]: "vpnprod" #6:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:23:31 gateway Pluto[1000]: "vpnprod" #6:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:23:31 gateway Pluto[1000]: "vpnprod" #6:
ignoring Vendor ID
payload
Jun 28 17:23:32 gateway Pluto[1000]: "vpnprod" #6:
Peer ID is
ID_IPV4_ADDR: '67.104.20.130'
Jun 28 17:23:32 gateway Pluto[1000]: "vpnprod" #6:
sent MR3, ISAKMP SA
established
Jun 28 17:23:32 gateway Pluto[1000]: "vpnprod" #6:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:23:47 gateway Pluto[1000]: "vpnprod" #6:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x44744c57 (perhaps this is a duplicated packet)
Jun 28 17:24:31 gateway Pluto[1000]: "vpnprod" #6:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:24:32 gateway Pluto[1000]: "vpnprod" #6:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x44744c57 (perhaps this is a duplicated packet)
Jun 28 17:24:46 gateway Pluto[1000]: "vpnprod" #6:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x30bc5de7 (perhaps this is a duplicated packet)
Jun 28 17:24:48 gateway Pluto[1000]: "vpnprod" #6:
ignoring Delete SA
payload
Jun 28 17:24:48 gateway Pluto[1000]: "vpnprod" #6:
received and ignored
informational message
Jun 28 17:25:31 gateway Pluto[1000]: "vpnprod" #7:
responding to Main
Mode
Jun 28 17:25:31 gateway Pluto[1000]: "vpnprod" #7:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:25:31 gateway Pluto[1000]: "vpnprod" #7:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:25:31 gateway Pluto[1000]: "vpnprod" #7:
ignoring Vendor ID
payload
Jun 28 17:25:32 gateway Pluto[1000]: "vpnprod" #7:
Peer ID is
ID_IPV4_ADDR: '67.104.20.130'
Jun 28 17:25:32 gateway Pluto[1000]: "vpnprod" #7:
sent MR3, ISAKMP SA
established
Jun 28 17:25:32 gateway Pluto[1000]: "vpnprod" #7:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:25:47 gateway Pluto[1000]: "vpnprod" #7:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0xb3a11026 (perhaps this is a duplicated packet)
Jun 28 17:26:31 gateway Pluto[1000]: "vpnprod" #7:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:26:32 gateway Pluto[1000]: "vpnprod" #7:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0xb3a11026 (perhaps this is a duplicated packet)
Jun 28 17:26:46 gateway Pluto[1000]: "vpnprod" #7:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x328da6fe (perhaps this is a duplicated packet)
Jun 28 17:26:48 gateway Pluto[1000]: "vpnprod" #7:
ignoring Delete SA
payload
Jun 28 17:26:48 gateway Pluto[1000]: "vpnprod" #7:
received and ignored
informational message
Jun 28 17:27:31 gateway Pluto[1000]: "vpnprod" #8:
responding to Main
Mode
Jun 28 17:27:31 gateway Pluto[1000]: "vpnprod" #8:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:27:31 gateway Pluto[1000]: "vpnprod" #8:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:27:31 gateway Pluto[1000]: "vpnprod" #8:
ignoring Vendor ID
payload
Jun 28 17:27:32 gateway Pluto[1000]: "vpnprod" #8:
Peer ID is
ID_IPV4_ADDR: '67.104.20.130'
Jun 28 17:27:32 gateway Pluto[1000]: "vpnprod" #8:
sent MR3, ISAKMP SA
established
Jun 28 17:27:32 gateway Pluto[1000]: "vpnprod" #8:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:27:47 gateway Pluto[1000]: "vpnprod" #8:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0xc03a7e2e (perhaps this is a duplicated packet)
Jun 28 17:28:31 gateway Pluto[1000]: "vpnprod" #8:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:28:32 gateway Pluto[1000]: "vpnprod" #8:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0xc03a7e2e (perhaps this is a duplicated packet)
Jun 28 17:28:46 gateway Pluto[1000]: "vpnprod" #8:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x11c5183e (perhaps this is a duplicated packet)
Jun 28 17:28:48 gateway Pluto[1000]: "vpnprod" #8:
ignoring Delete SA
payload
Jun 28 17:28:48 gateway Pluto[1000]: "vpnprod" #8:
received and ignored
informational message
Jun 28 17:29:31 gateway Pluto[1000]: "vpnprod" #9:
responding to Main
Mode
Jun 28 17:29:31 gateway Pluto[1000]: "vpnprod" #9:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:29:31 gateway Pluto[1000]: "vpnprod" #9:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:29:31 gateway Pluto[1000]: "vpnprod" #9:
ignoring Vendor ID
payload
Jun 28 17:29:32 gateway Pluto[1000]: "vpnprod" #9:
Peer ID is
ID_IPV4_ADDR: '67.104.20.130'
Jun 28 17:29:32 gateway Pluto[1000]: "vpnprod" #9:
sent MR3, ISAKMP SA
established
Jun 28 17:29:32 gateway Pluto[1000]: "vpnprod" #9:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:29:47 gateway Pluto[1000]: "vpnprod" #9:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x15759aff (perhaps this is a duplicated packet)
Jun 28 17:30:31 gateway Pluto[1000]: "vpnprod" #9:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:30:32 gateway Pluto[1000]: "vpnprod" #9:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x15759aff (perhaps this is a duplicated packet)
Jun 28 17:30:46 gateway Pluto[1000]: "vpnprod" #9:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x74c6df86 (perhaps this is a duplicated packet)
Jun 28 17:30:48 gateway Pluto[1000]: "vpnprod" #9:
ignoring Delete SA
payload
Jun 28 17:30:48 gateway Pluto[1000]: "vpnprod" #9:
received and ignored
informational message
Jun 28 17:31:31 gateway Pluto[1000]: "vpnprod" #10:
responding to Main
Mode
Jun 28 17:31:31 gateway Pluto[1000]: "vpnprod" #10:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:31:31 gateway Pluto[1000]: "vpnprod" #10:
OAKLEY_DES_CBC is
not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jun 28 17:31:31 gateway Pluto[1000]: "vpnprod" #10:
ignoring Vendor ID
payload
Jun 28 17:31:32 gateway Pluto[1000]: "vpnprod" #10:
Peer ID is
ID_IPV4_ADDR: '67.104.20.130'
Jun 28 17:31:32 gateway Pluto[1000]: "vpnprod" #10:
sent MR3, ISAKMP SA
established
Jun 28 17:31:32 gateway Pluto[1000]: "vpnprod" #10:
cannot respond to
IPsec SA request because no connection is known for
192.168.3.0/24===203.200.43.235...67.104.20.130===192.168.1.0/24
Jun 28 17:31:47 gateway Pluto[1000]: "vpnprod" #10:
Quick Mode I1
message is unacceptable because it uses a previously
used Message ID
0x50e448e8 (perhaps this is a duplicated packet)

__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

Next message: Christopher Barry: "Re: [Users] Network-to-Network VPN with dynamic IP on one side"
Previous message: Domany: "[Users] dynamic ip"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST