On Thu, 2002-07-04 at 14:50, Jimmy Nordstrom wrote:
> I'm out of ideas.
>
> Before I wrote this email I read about 4-5 different HOWTOs on FreeS/WAN.
> After I read them, I tried all the examples (X.509, PSK, Roadwarrior,
> and so on...)
>
> Problem:
> Everything seems fine when I initiate the connections with:
> /etc/init.d/ipsec start
> and tail /var/log/messages. But still I am unable to send traffic through
> my tunnel.
Another idea:
Do you use netfilter or any firewall rules that could block your IPsec
traffic?
If you have any NAT system after your VPN gateway, you do not NAT the IPsec
traffic.
>
> Now I'm running SuSE 8.0 with a precompiled IPsec kernel on both gateways,
> but I've also tried Slackware 8.0 with a self-compiled kernel.
> As if that's not enough, I also tried two "SnapGear Firewall/Routers"
> with built-in FreeS/WAN.
>
> The confusing thing is that I get the same error with all three systems...
>
> I've attached a barf file from my last configuration in case someone
> could help me figure this thing out...
>
> /Jimmy Nordstrom
Romain Casagrande
>
>
> ----
>
> burk1
> Thu Jul 4 12:48:03 CEST 2002
> + _________________________ version
> + ipsec --version
> Linux FreeS/WAN 1.95
> See `ipsec --copyright' for copyright information.
> + _________________________ proc/version
> + cat /proc/version
> Linux version 2.4.18-4GB (root_at_Pentium.suse.de) (gcc version 2.95.3 20010315 (SuSE)) #1 Wed Mar 27 13:57:05 UTC 2002
> + _________________________ proc/net/ipsec_eroute
> + sort +1 /proc/net/ipsec_eroute
> 0 10.0.55.0/24 -> 10.0.56.0/24 => tun0x1002_at_193.41.215.56
> + _________________________ proc/net/ipsec_spi
> + cat /proc/net/ipsec_spi
> esp0xc5bed43b_at_193.41.215.56 ESP_3DES_HMAC_MD5: dir=out src=193.41.215.55 iv_bits=64bits iv=0xf17f36ebb2939bf4 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(163972,0,0)
> tun0x1002_at_193.41.215.56 IPIP: dir=out src=193.41.215.55 life(c,s,h)=addtime(163972,0,0)
> tun0x1001_at_193.41.215.55 IPIP: dir=in src=193.41.215.56 life(c,s,h)=addtime(163972,0,0)
> esp0x824e85ab_at_193.41.215.55 ESP_3DES_HMAC_MD5: dir=in src=193.41.215.56 iv_bits=64bits iv=0x5150d7cb2a4501b0 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(163972,0,0)
> + _________________________ proc/net/ipsec_spigrp
> + cat /proc/net/ipsec_spigrp
> tun0x1002_at_193.41.215.56 esp0xc5bed43b_at_193.41.215.56
> tun0x1001_at_193.41.215.55 esp0x824e85ab_at_193.41.215.55
> + _________________________ netstart-rn
> + netstat -nr
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 10.0.56.0 193.41.215.56 255.255.255.0 UG 40 0 0 ipsec0
> 193.41.215.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
> 193.41.215.0 0.0.0.0 255.255.255.0 U 40 0 0 ipsec0
> 10.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 eth1
> 0.0.0.0 193.41.215.62 0.0.0.0 UG 40 0 0 eth0
> + _________________________ proc/net/ipsec_tncfg
> + cat /proc/net/ipsec_tncfg
> ipsec0 -> eth0 mtu=16260(1500) -> 1500
> ipsec1 -> NULL mtu=0(0) -> 0
> ipsec2 -> NULL mtu=0(0) -> 0
> ipsec3 -> NULL mtu=0(0) -> 0
> + _________________________ proc/net/pf_key
> + cat /proc/net/pf_key
> sock pid socket next prev e n p sndbf Flags Type St
> c901aa60 29724 c232d984 0 0 0 0 2 65535 00000000 3 1
> + _________________________ proc/net/pf_key-star
> + cd /proc/net
> + egrep '^' pf_key_registered pf_key_supported
> pf_key_registered:satype socket pid sk
> pf_key_registered: 2 c232d984 29724 c901aa60
> pf_key_registered: 3 c232d984 29724 c901aa60
> pf_key_registered: 9 c232d984 29724 c901aa60
> pf_key_registered: 10 c232d984 29724 c901aa60
> pf_key_supported:satype exttype alg_id ivlen minbits maxbits
> pf_key_supported: 2 14 3 0 160 160
> pf_key_supported: 2 14 2 0 128 128
> pf_key_supported: 3 15 3 128 168 168
> pf_key_supported: 3 14 3 0 160 160
> pf_key_supported: 3 14 2 0 128 128
> pf_key_supported: 9 15 4 0 128 128
> pf_key_supported: 9 15 3 0 32 128
> pf_key_supported: 9 15 2 0 128 32
> pf_key_supported: 9 15 1 0 32 32
> pf_key_supported: 10 15 2 0 1 1
> + _________________________ proc/sys/net/ipsec-star
> + cd /proc/sys/net/ipsec
> + egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
> debug_ah:0
> debug_eroute:0
> debug_esp:0
> debug_ipcomp:0
> debug_netlink:0
> debug_pfkey:0
> debug_radij:0
> debug_rcv:0
> debug_spi:0
> debug_tunnel:0
> debug_verbose:0
> debug_xform:0
> icmp:1
> inbound_policy_check:1
> tos:1
> + _________________________ ipsec/status
> + ipsec auto --status
> 000 interface ipsec0/eth0 193.41.215.55
> 000
> 000 "site1-site2": 10.0.55.0/24===193.41.215.55...193.41.215.56===10.0.56.0/24
> 000 "site1-site2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "site1-site2": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; erouted
> 000 "site1-site2": newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
> 000
> 000 #2: "site1-site2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27740s; newest IPSEC; eroute owner
> 000 #2: "site1-site2" esp.c5bed43b_at_193.41.215.56 esp.824e85ab_at_193.41.215.55 tun.1002_at_193.41.215.56 tun.1001_at_193.41.215.55
> 000 #1: "site1-site2" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2903s; newest ISAKMP
> + _________________________ ifconfig-a
> + ifconfig -a
> eth0 Link encap:Ethernet HWaddr 00:02:1C:F3:46:00
> inet addr:193.41.215.55 Bcast:193.41.215.255 Mask:255.255.255.0
> inet6 addr: fe80::202:1cff:fef3:4600/10 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:102086 errors:0 dropped:0 overruns:0 frame:0
> TX packets:22321 errors:0 dropped:0 overruns:0 carrier:154
> collisions:61 txqueuelen:100
> RX bytes:14058654 (13.4 Mb) TX bytes:5951159 (5.6 Mb)
> Interrupt:9 Base address:0xac00
>
> eth1 Link encap:Ethernet HWaddr 00:50:04:81:89:BA
> inet addr:10.0.55.1 Bcast:10.255.255.255 Mask:255.0.0.0
> inet6 addr: fe80::250:4ff:fe81:89ba/10 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:101098 errors:0 dropped:0 overruns:0 frame:0
> TX packets:12096 errors:0 dropped:0 overruns:0 carrier:0
> collisions:112 txqueuelen:100
> RX bytes:11115416 (10.6 Mb) TX bytes:7544455 (7.1 Mb)
> Interrupt:11 Base address:0xa800
>
> ipsec0 Link encap:IPIP Tunnel HWaddr
> inet addr:193.41.215.55 Mask:255.255.255.0
> UP RUNNING NOARP MTU:16260 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:10
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> ipsec1 Link encap:IPIP Tunnel HWaddr
> NOARP MTU:0 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:10
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> ipsec2 Link encap:IPIP Tunnel HWaddr
> NOARP MTU:0 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:10
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> ipsec3 Link encap:IPIP Tunnel HWaddr
> NOARP MTU:0 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:10
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:322 errors:0 dropped:0 overruns:0 frame:0
> TX packets:322 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:37326 (36.4 Kb) TX bytes:37326 (36.4 Kb)
>
> sit0 Link encap:IPv6-in-IPv4
> NOARP MTU:1480 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> + _________________________ ipsec/directory
> + ipsec --directory
> /usr/lib/ipsec
> + _________________________ hostname/fqdn
> + hostname --fqdn
> hostname: Unknown host
> + _________________________ hostname/ipaddress
> + hostname --ip-address
> hostname: Unknown host
> + _________________________ uptime
> + uptime
> 12:48pm up 1 day, 21:33, 4 users, load average: 0.06, 0.03, 0.00
> + _________________________ ps
> + ps alxw
> + egrep -i 'ppid|pluto|ipsec|klips'
> F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
> 002 0 29722 1 20 0 2300 1116 wait4 S tty1 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids --dump --load %search --start %search --wait --pre --post --log daemon.error --pid /var/run/pluto.pid
> 002 0 29723 29722 20 0 2300 1116 wait4 S tty1 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids --dump --load %search --start %search --wait --pre --post --log daemon.error --pid /var/run/pluto.pid
> 004 0 29724 29723 20 0 1932 948 do_sel S tty1 0:00 /usr/lib/ipsec/pluto --nofork --debug-none
> 000 0 29725 29722 20 0 2296 1124 pipe_w S tty1 0:00 /bin/sh /usr/lib/ipsec/_plutoload --load %search --start %search --wait --post
> 000 0 29727 1 19 0 1328 524 pipe_w S tty1 0:00 logger -p daemon.error -t ipsec__plutorun
> 000 0 29888 29845 20 0 1416 500 - R tty1 0:00 egrep -i ppid|pluto|ipsec|klips
> + _________________________ ipsec/showdefaults
> + ipsec showdefaults
> #dr: no default route
> # no default route
> # no default route
> + _________________________ ipsec/conf
> + ipsec _include /etc/ipsec.conf
> + ipsec _keycensor
>
> #< /etc/ipsec.conf 1
> # basic configuration
> config setup
> interfaces="ipsec0=eth0"
> klipsdebug=none
> plutodebug=none
> plutoload=%search
> plutostart=%search
>
> conn %default
> keyingtries=0
>
> conn site1-site2
> left=193.41.215.55
> leftsubnet=10.0.55.0/24
> right=193.41.215.56
> rightsubnet=10.0.56.0/24
> auto=start
> authby=rsasig
> leftid=193.41.215.55
> rightid=193.41.215.56
> leftrsasigkey=[sums to f587...]
> rightrsasigkey=[sums to ac84...]
>
>
> #rightnexthop=193.41.215.62
> #leftnexthop=193.41.215.62
>
>
> + _________________________ ipsec/secrets
> + ipsec _include /etc/ipsec.secrets
> + ipsec _secretcensor
>
> #< /etc/ipsec.secrets 1
> # This file holds shared secrets or RSA private keys for inter-Pluto
> # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
> #
> # RSA private key for this host, authenticating it to any other host
> # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
> # or configuration of other implementations, can be extracted conveniently
> # with "[sums to ef67...]".
> : RSA {
> # RSA 2048 bits linux Tue Jul 2 15:29:33 2002
> # for signatures only, UNSAFE FOR ENCRYPTION
> #pubkey=[sums to f587...]
> #IN KEY 0x4200 4 1 [sums to 2f7c...]
> # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
> Modulus: [...]
> PublicExponent: [...]
> # everything after this point is secret
> PrivateExponent: [...]
> Prime1: [...]
> Prime2: [...]
> Exponent1: [...]
> Exponent2: [...]
> Coefficient: [...]
> }
> # do not change the indenting of that "[sums to 7d9d...]"
> + _________________________ ipsec/ls-dir
> + ls -l /usr/lib/ipsec
> total 860
> -rwxr-xr-x 1 root root 11089 Mar 27 14:11 _confread
> -rwxr-xr-x 1 root root 7065 Mar 27 14:11 _copyright
> -rwxr-xr-x 1 root root 2163 Mar 27 14:11 _include
> -rwxr-xr-x 1 root root 1383 Mar 27 14:11 _keycensor
> -rwxr-xr-x 1 root root 3495 Mar 27 14:11 _plutoload
> -rwxr-xr-x 1 root root 3616 Mar 27 14:11 _plutorun
> -rwxr-xr-x 1 root root 7477 Mar 27 14:11 _realsetup
> -rwxr-xr-x 1 root root 1904 Mar 27 14:11 _secretcensor
> -rwxr-xr-x 1 root root 6076 Mar 27 14:11 _startklips
> -rwxr-xr-x 1 root root 5262 Mar 27 14:11 _updown
> -rwxr-xr-x 1 root root 12247 Mar 27 14:11 auto
> -rwxr-xr-x 1 root root 6418 Mar 27 14:11 barf
> -rwxr-xr-x 1 root root 72075 Mar 27 14:11 eroute
> -rwxr-xr-x 1 root root 11892 Mar 27 14:11 fswcert
> -rwxr-xr-x 1 root root 2823 Mar 27 14:11 ipsec
> -rw-r--r-- 1 root root 1950 Mar 27 14:11 ipsec_pr.template
> -rwxr-xr-x 1 root root 50543 Mar 27 14:11 klipsdebug
> -rwxr-xr-x 1 root root 2437 Mar 27 14:11 look
> -rwxr-xr-x 1 root root 16172 Mar 27 14:11 manual
> -rwxr-xr-x 1 root root 1274 Mar 27 14:11 newhostkey
> -rwxr-xr-x 1 root root 41895 Mar 27 14:11 pf_key
> -rwxr-xr-x 1 root root 301055 Mar 27 14:11 pluto
> -rwxr-xr-x 1 root root 9819 Mar 27 14:11 ranbits
> -rwxr-xr-x 1 root root 21728 Mar 27 14:11 rsasigkey
> -rwxr-xr-x 1 root root 16653 Mar 27 14:11 send-pr
> lrwxrwxrwx 1 root root 17 Jul 2 15:29 setup -> /etc/init.d/ipsec
> -rwxr-xr-x 1 root root 1041 Mar 27 14:11 showdefaults
> -rwxr-xr-x 1 root root 3484 Mar 27 14:11 showhostkey
> -rwxr-xr-x 1 root root 81962 Mar 27 14:11 spi
> -rwxr-xr-x 1 root root 62105 Mar 27 14:11 spigrp
> -rwxr-xr-x 1 root root 12878 Mar 27 14:11 tncfg
> -rwxr-xr-x 1 root root 37115 Mar 27 14:11 whack
> + _________________________ ipsec/updowns
> ++ ls /usr/lib/ipsec
> ++ egrep updown
> + cat /usr/lib/ipsec/_updown
> #! /bin/sh
> # default updown script
> # Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
> #
> # This program is free software; you can redistribute it and/or modify it
> # under the terms of the GNU General Public License as published by the
> # Free Software Foundation; either version 2 of the License, or (at your
> # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
> #
> # This program is distributed in the hope that it will be useful, but
> # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
> # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
> # for more details.
> #
> # RCSID $Id: _updown,v 1.18 2001/11/09 04:12:19 henry Exp $
>
>
>
> # CAUTION: Installing a new version of FreeS/WAN will install a new
> # copy of this script, wiping out any custom changes you make. If
> # you need changes, make a copy of this under another name, and customize
> # that, and use the (left/right)updown parameters in ipsec.conf to make
> # FreeS/WAN use yours instead of this default one.
>
>
>
> # check interface version
> case "$PLUTO_VERSION" in
> 1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
> echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
> echo "$0: called by obsolete Pluto?" >&2
> exit 2
> ;;
> 1.*) ;;
> *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
> exit 2
> ;;
> esac
>
> # check parameter(s)
> case "$1:$*" in
> ':') # no parameters
> ;;
> ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
> ;;
> custom:*) # custom parameters (see above CAUTION comment)
> ;;
> *) echo "$0: unknown parameters \`$*'" >&2
> exit 2
> ;;
> esac
>
> # utility functions for route manipulation
> # Meddling with this stuff should not be necessary and requires great care.
> uproute() {
> doroute add
> }
> downroute() {
> doroute del
> }
> doroute() {
> parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
> parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
> case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
> "0.0.0.0/0.0.0.0")
> # horrible kludge for obscure routing bug with opportunistic
> it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
> it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
> route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
> route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
> ;;
> *) it="route $1 $parms $parms2"
> route $1 $parms $parms2
> ;;
> esac
> st=$?
> if test $st -ne 0
> then
> # route has already given its own cryptic message
> echo "$0: \`$it' failed" >&2
> if test " $1 $st" = " add 7"
> then
> # another totally undocumented interface -- 7 and
> # "SIOCADDRT: Network is unreachable" means that
> # the gateway isn't reachable.
> echo "$0: (incorrect or missing nexthop setting??)" >&2
> fi
> fi
> return $st
> }
>
>
>
> # the big choice
> case "$PLUTO_VERB:$1" in
> prepare-host:*|prepare-client:*)
> # delete possibly-existing route (preliminary to adding a route)
> case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
> "0.0.0.0/0.0.0.0")
> # horrible kludge for obscure routing bug with opportunistic
> parms1="-net 0.0.0.0 netmask 128.0.0.0"
> parms2="-net 128.0.0.0 netmask 128.0.0.0"
> it="route del $parms1 2>&1 ; route del $parms2 2>&1"
> oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
> ;;
> *)
> parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
> it="route del $parms 2>&1"
> oops="`route del $parms 2>&1`"
> ;;
> esac
> status="$?"
> if test " $oops" = " " -a " $status" != " 0"
> then
> oops="silent error, exit status $status"
> fi
> case "$oops" in
> 'SIOCDELRT: No such process'*)
> # This is what route (currently -- not documented!) gives
> # for "could not find such a route".
> oops=
> status=0
> ;;
> esac
> if test " $oops" != " " -o " $status" != " 0"
> then
> echo "$0: \`$it' failed ($oops)" >&2
> fi
> exit $status
> ;;
> route-host:*|route-client:*)
> # connection to me or my client subnet being routed
> uproute
> ;;
> unroute-host:*|unroute-client:*)
> # connection to me or my client subnet being unrouted
> downroute
> ;;
> up-host:*)
> # connection to me coming up
> # If you are doing a custom version, firewall commands go here.
> ;;
> down-host:*)
> # connection to me going down
> # If you are doing a custom version, firewall commands go here.
> ;;
> up-client:)
> # connection to my client subnet coming up
> # If you are doing a custom version, firewall commands go here.
> ;;
> down-client:)
> # connection to my client subnet going down
> # If you are doing a custom version, firewall commands go here.
> ;;
> up-client:ipfwadm)
> # connection to client subnet, with (left/right)firewall=yes, coming up
> # This is used only by the default updown script, not by your custom
> # ones, so do not mess with it; see CAUTION comment up at top.
> ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
> ;;
> down-client:ipfwadm)
> # connection to client subnet, with (left/right)firewall=yes, going down
> # This is used only by the default updown script, not by your custom
> # ones, so do not mess with it; see CAUTION comment up at top.
> ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
> ;;
> *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
> exit 1
> ;;
> esac
> + _________________________ proc/net/dev
> + cat /proc/net/dev
> Inter-| Receive | Transmit
> face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
> lo: 37326 322 0 0 0 0 0 0 37326 322 0 0 0 0 0 0
> sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
> eth0:14059894 102102 0 0 0 0 0 0 5953109 22348 0 0 0 61 154 0
> eth1:11118216 101139 0 0 0 0 0 0 7544455 12096 0 0 0 112 0 0
> ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
> ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
> ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
> ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
> + _________________________ proc/net/route
> + cat /proc/net/route
> Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
> ipsec0 0038000A 38D729C1 0003 0 0 0 00FFFFFF 40 0 0
> eth0 00D729C1 00000000 0001 0 0 0 00FFFFFF 40 0 0
> ipsec0 00D729C1 00000000 0001 0 0 0 00FFFFFF 40 0 0
> eth1 0000000A 00000000 0001 0 0 0 000000FF 40 0 0
> eth0 00000000 3ED729C1 0003 0 0 0 00000000 40 0 0
> + _________________________ proc/sys/net/ipv4/ip_forward
> + cat /proc/sys/net/ipv4/ip_forward
> 1
> + _________________________ uname-a
> + uname -a
> Linux burk1 2.4.18-4GB #1 Wed Mar 27 13:57:05 UTC 2002 i686 unknown
> + _________________________ redhat-release
> + test -r /etc/redhat-release
> + _________________________ proc/net/ipsec_version
> + cat /proc/net/ipsec_version
> FreeS/WAN version: 1.95
> + _________________________ iptables/list
> + iptables -L -v -n
> Chain INPUT (policy ACCEPT 6112 packets, 2019K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 26548 packets, 11M bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 8868 packets, 2579K bytes)
> pkts bytes target prot opt in out source destination
> + _________________________ ipchains/list
> + ipchains -L -v -n
> ./barf: ipchains: command not found
> + _________________________ ipfwadm/forward
> + ipfwadm -F -l -n -e
> ./barf: ipfwadm: command not found
> + _________________________ ipfwadm/input
> + ipfwadm -I -l -n -e
> ./barf: ipfwadm: command not found
> + _________________________ ipfwadm/output
> + ipfwadm -O -l -n -e
> ./barf: ipfwadm: command not found
> + _________________________ iptables/nat
> + iptables -t nat -L -v -n
> Chain PREROUTING (policy ACCEPT 10369 packets, 1260K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 2991 packets, 406K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 1669 packets, 327K bytes)
> pkts bytes target prot opt in out source destination
> + _________________________ ipchains/masq
> + ipchains -M -L -v -n
> ./barf: ipchains: command not found
> + _________________________ ipfwadm/masq
> + ipfwadm -M -l -n -e
> ./barf: ipfwadm: command not found
> + _________________________ iptables/mangle
> + iptables -t mangle -L -v -n
> Chain PREROUTING (policy ACCEPT 2301 packets, 253K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain INPUT (policy ACCEPT 468 packets, 92626 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 1229 packets, 79103 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 525 packets, 131K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 1754 packets, 211K bytes)
> pkts bytes target prot opt in out source destination
> + _________________________ proc/modules
> + cat /proc/modules
> ipsec 235424 2
> iptable_mangle 2144 0 (autoclean) (unused)
> ipt_MASQUERADE 1216 0 (autoclean)
> iptable_nat 12756 0 (autoclean) [ipt_MASQUERADE]
> ip_conntrack 12652 1 (autoclean) [ipt_MASQUERADE iptable_nat]
> iptable_filter 1728 0 (autoclean) (unused)
> ip_tables 10400 6 [iptable_mangle ipt_MASQUERADE iptable_nat iptable_filter]
> 3c59x 25032 2
> ipv6 123424 -1 (autoclean)
> joydev 5728 0 (unused)
> evdev 3904 0 (unused)
> isa-pnp 27816 0 (unused)
> nls_iso8859-1 2880 0 (autoclean)
> usb-uhci 20996 0 (unused)
> usbcore 55136 1 [usb-uhci]
> reiserfs 158784 1
> lvm-mod 58016 0
> parport_pc 25416 0
> parport 21792 0 [parport_pc]
> keybdev 1632 0 (unused)
> input 3040 0 [joydev evdev keybdev]
> sg 23616 0 (unused)
> cramfs 36896 0
> vfat 9200 0
> fat 28960 0 [vfat]
> af_packet 11488 0
> nvram 3712 0
> + _________________________ proc/meminfo
> + cat /proc/meminfo
> total: used: free: shared: buffers: cached:
> Mem: 194379776 181026816 13352960 0 58417152 79392768
> Swap: 263200768 0 263200768
> MemTotal: 189824 kB
> MemFree: 13040 kB
> MemShared: 0 kB
> Buffers: 57048 kB
> Cached: 77532 kB
> SwapCached: 0 kB
> Active: 99532 kB
> Inactive: 42100 kB
> HighTotal: 0 kB
> HighFree: 0 kB
> LowTotal: 189824 kB
> LowFree: 13040 kB
> SwapTotal: 257032 kB
> SwapFree: 257032 kB
> + _________________________ dev/ipsec-ls
> + ls -l '/dev/ipsec*'
> ls: /dev/ipsec*: No such file or directory
> + _________________________ proc/net/ipsec-ls
> + ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
> -r--r--r-- 1 root root 0 Jul 4 12:48 /proc/net/ipsec_eroute
> -r--r--r-- 1 root root 0 Jul 4 12:48 /proc/net/ipsec_klipsdebug
> -r--r--r-- 1 root root 0 Jul 4 12:48 /proc/net/ipsec_spi
> -r--r--r-- 1 root root 0 Jul 4 12:48 /proc/net/ipsec_spigrp
> -r--r--r-- 1 root root 0 Jul 4 12:48 /proc/net/ipsec_tncfg
> -r--r--r-- 1 root root 0 Jul 4 12:48 /proc/net/ipsec_version
> + _________________________ usr/src/linux/.config
> + test -f /usr/src/linux/.config
> + egrep 'IP|NETLINK' /usr/src/linux/.config
> # CONFIG_MWINCHIPC6 is not set
> # CONFIG_MWINCHIP2 is not set
> # CONFIG_MWINCHIP3D is not set
> CONFIG_SYSVIPC=y
> CONFIG_MTD_OBSOLETE_CHIPS=y
> CONFIG_CIPHER_TWOFISH=m
> CONFIG_MD_MULTIPATH=m
> CONFIG_NETLINK_DEV=m
> CONFIG_IP_MULTICAST=y
> CONFIG_IP_ADVANCED_ROUTER=y
> CONFIG_IP_MULTIPLE_TABLES=y
> CONFIG_IP_ROUTE_FWMARK=y
> CONFIG_IP_ROUTE_NAT=y
> CONFIG_IP_ROUTE_MULTIPATH=y
> CONFIG_IP_ROUTE_TOS=y
> CONFIG_IP_ROUTE_VERBOSE=y
> CONFIG_IP_ROUTE_LARGE_TABLES=y
> CONFIG_IP_PNP=y
> CONFIG_IP_PNP_DHCP=y
> CONFIG_IP_PNP_BOOTP=y
> CONFIG_IP_PNP_RARP=y
> CONFIG_NET_IPIP=m
> CONFIG_NET_IPGRE=m
> CONFIG_NET_IPGRE_BROADCAST=y
> CONFIG_IP_MROUTE=y
> CONFIG_IP_PIMSM_V1=y
> CONFIG_IP_PIMSM_V2=y
> # IP: Netfilter Configuration
> CONFIG_IP_NF_CONNTRACK=m
> CONFIG_IP_NF_FTP=m
> CONFIG_IP_NF_IRC=m
> CONFIG_IP_NF_QUEUE=m
> CONFIG_IP_NF_IPTABLES=m
> CONFIG_IP_NF_MATCH_LIMIT=m
> CONFIG_IP_NF_MATCH_MAC=m
> CONFIG_IP_NF_MATCH_MARK=m
> CONFIG_IP_NF_MATCH_MULTIPORT=m
> CONFIG_IP_NF_MATCH_TOS=m
> CONFIG_IP_NF_MATCH_PSD=m
> CONFIG_IP_NF_MATCH_AH_ESP=m
> CONFIG_IP_NF_MATCH_LENGTH=m
> CONFIG_IP_NF_MATCH_TTL=m
> CONFIG_IP_NF_MATCH_TCPMSS=m
> CONFIG_IP_NF_MATCH_STATE=m
> CONFIG_IP_NF_MATCH_IPLIMIT=m
> CONFIG_IP_NF_MATCH_UNCLEAN=m
> CONFIG_IP_NF_MATCH_STRING=m
> CONFIG_IP_NF_MATCH_OWNER=m
> CONFIG_IP_NF_FILTER=m
> CONFIG_IP_NF_TARGET_REJECT=m
> CONFIG_IP_NF_TARGET_MIRROR=m
> CONFIG_IP_NF_NAT=m
> CONFIG_IP_NF_NAT_NEEDED=y
> CONFIG_IP_NF_TARGET_MASQUERADE=m
> CONFIG_IP_NF_TARGET_REDIRECT=m
> CONFIG_IP_NF_NAT_SNMP_BASIC=m
> CONFIG_IP_NF_NAT_IRC=m
> CONFIG_IP_NF_NAT_FTP=m
> CONFIG_IP_NF_MANGLE=m
> CONFIG_IP_NF_TARGET_TOS=m
> CONFIG_IP_NF_TARGET_MARK=m
> CONFIG_IP_NF_TARGET_LOG=m
> CONFIG_IP_NF_TARGET_ULOG=m
> CONFIG_IP_NF_TARGET_TCPMSS=m
> CONFIG_IP_NF_COMPAT_IPCHAINS=m
> CONFIG_IP_NF_NAT_NEEDED=y
> CONFIG_IP_NF_COMPAT_IPFWADM=m
> CONFIG_IP_NF_NAT_NEEDED=y
> # IP: Virtual Server Configuration
> CONFIG_IP_VS=m
> # CONFIG_IP_VS_DEBUG is not set
> CONFIG_IP_VS_TAB_BITS=12
> # IPVS scheduler
> CONFIG_IP_VS_RR=m
> CONFIG_IP_VS_WRR=m
> CONFIG_IP_VS_LC=m
> CONFIG_IP_VS_WLC=m
> CONFIG_IP_VS_LBLC=m
> CONFIG_IP_VS_LBLCR=m
> CONFIG_IP_VS_DH=m
> CONFIG_IP_VS_SH=m
> # IPVS application helper
> CONFIG_IP_VS_FTP=m
> CONFIG_IPV6=m
> # IPv6: Netfilter Configuration
> CONFIG_IP6_NF_QUEUE=m
> CONFIG_IP6_NF_IPTABLES=m
> CONFIG_IP6_NF_MATCH_LIMIT=m
> CONFIG_IP6_NF_MATCH_MAC=m
> CONFIG_IP6_NF_MATCH_MULTIPORT=m
> CONFIG_IP6_NF_MATCH_OWNER=m
> CONFIG_IP6_NF_MATCH_MARK=m
> CONFIG_IP6_NF_FILTER=m
> CONFIG_IP6_NF_TARGET_REJECT=m
> CONFIG_IP6_NF_TARGET_LOG=m
> CONFIG_IP6_NF_MANGLE=m
> CONFIG_IP6_NF_TARGET_MARK=m
> CONFIG_ATM_CLIP=y
> CONFIG_ATM_CLIP_NO_ICMP=y
> CONFIG_IPX=m
> # CONFIG_IPX_INTERN is not set
> # CONFIG_IDEDMA_PCI_WIP is not set
> CONFIG_IDE_CHIPSETS=y
> CONFIG_SCSI_IPS=m
> # CONFIG_SCSI_IZIP_EPP16 is not set
> # CONFIG_SCSI_IZIP_SLOW_CTR is not set
> CONFIG_IPDDP=m
> CONFIG_IPDDP_ENCAP=y
> CONFIG_IPDDP_DECAP=y
> CONFIG_TULIP=m
> # CONFIG_TULIP_MWI is not set
> # CONFIG_TULIP_MMIO is not set
> CONFIG_HIPPI=y
> CONFIG_PLIP=m
> CONFIG_SLIP=m
> CONFIG_SLIP_COMPRESSED=y
> CONFIG_SLIP_SMART=y
> CONFIG_SLIP_MODE_SLIP6=y
> CONFIG_STRIP=m
> CONFIG_IPHASE5526=m
> CONFIG_WANPIPE_CHDLC=y
> CONFIG_WANPIPE_FR=y
> CONFIG_WANPIPE_X25=y
> CONFIG_WANPIPE_PPP=y
> CONFIG_WANPIPE_MULTPPP=y
> CONFIG_PCMCIA_XIRTULIP=m
> CONFIG_HISAX_FRITZ_PCIPNP=m
> CONFIG_SERIAL_MULTIPORT=y
> CONFIG_INPUT_GRIP=m
> CONFIG_FBCON_IPLAN2P2=m
> CONFIG_FBCON_IPLAN2P4=m
> CONFIG_FBCON_IPLAN2P8=m
> CONFIG_USB_AIPTEK=m
> CONFIG_USB_SERIAL_IPAQ=m
> + _________________________ etc/syslog.conf
> + cat /etc/syslog.conf
> # /etc/syslog.conf - Configuration file for syslogd(8)
> #
> # For info about the format of this file, see "man syslog.conf".
> #
>
> #
> #
> # print most on tty10 and on the xconsole pipe
> #
> kern.warn;*.err;authpriv.none /dev/tty10
> kern.warn;*.err;authpriv.none |/dev/xconsole
> *.emerg *
>
> # enable this, if you want that root is informed
> # immediately, e.g. of logins
> #*.alert root
>
>
> #
> # all email-messages in one file
> #
> mail.* -/var/log/mail
>
> #
> # all news-messages
> #
> # these files are rotated and examined by "news.daily"
> news.crit -/var/log/news/news.crit
> news.err -/var/log/news/news.err
> news.notice -/var/log/news/news.notice
> # enable this, if you want to keep all news messages
> # in one file
> #news.* -/var/log/news.all
>
> #
> # Warnings in one file
> #
> *.=warn;*.=err -/var/log/warn
> *.crit /var/log/warn
>
> #
> # save the rest in one file
> #
> *.*;mail.none;news.none -/var/log/messages
>
> #
> # enable this, if you want to keep all messages
> # in one file
> #*.* -/var/log/allmessages
>
> #
> # Some foreign boot scripts require local7
> #
> local0,local1.* -/var/log/localmessages
> local2,local3.* -/var/log/localmessages
> local4,local5.* -/var/log/localmessages
> local6,local7.* -/var/log/localmessages
>
> kern.* -/var/log/firewall
> + _________________________ kern.debug
> + test -f /var/log/kern.debug
> + _________________________ klog
> + sed -n '32725,$p' /var/log/messages
> + egrep -i 'ipsec|klips|pluto'
> + cat
> Jul 4 12:47:44 linux ipsec_setup: Starting FreeS/WAN IPsec 1.95...
> Jul 4 12:47:46 linux kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.95
> Jul 4 12:47:46 linux ipsec_setup: KLIPS debug `none'
> Jul 4 12:47:46 linux ipsec_setup: KLIPS ipsec0 on eth0 193.41.215.55/255.255.255.0 broadcast 193.41.215.255
> Jul 4 12:47:46 linux ipsec__plutorun: Starting Pluto subsystem...
> Jul 4 12:47:46 linux ipsec_setup: ...FreeS/WAN IPsec started
> Jul 4 12:47:46 linux ipsec_setup: ^M^[[80C^[[10D^[[1;32mdone^[[m^O
> Jul 4 12:47:46 linux Pluto[29724]: Starting Pluto (FreeS/WAN Version 1.95)
> Jul 4 12:47:47 linux Pluto[29724]: including X.509 patch (Version 0.9.8)
> Jul 4 12:47:47 linux Pluto[29724]: Changing to directory '/etc/ipsec.d/cacerts'
> Jul 4 12:47:47 linux Pluto[29724]: Warning: empty directory
> Jul 4 12:47:47 linux Pluto[29724]: Changing to directory '/etc/ipsec.d/crls'
> Jul 4 12:47:47 linux Pluto[29724]: Warning: empty directory
> Jul 4 12:47:47 linux Pluto[29724]: could not open my X.509 cert file '/etc/x509cert.der'
> Jul 4 12:47:47 linux Pluto[29724]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
> Jul 4 12:47:47 linux Pluto[29724]: added connection description "site1-site2"
> Jul 4 12:47:47 linux Pluto[29724]: listening for IKE messages
> Jul 4 12:47:47 linux Pluto[29724]: adding interface ipsec0/eth0 193.41.215.55
> Jul 4 12:47:47 linux Pluto[29724]: loading secrets from "/etc/ipsec.secrets"
> Jul 4 12:47:47 linux Pluto[29724]: "site1-site2" #1: initiating Main Mode
> Jul 4 12:47:47 linux Pluto[29724]: "site1-site2" #1: Peer ID is ID_IPV4_ADDR: '193.41.215.56'
> Jul 4 12:47:47 linux Pluto[29724]: "site1-site2" #1: ISAKMP SA established
> Jul 4 12:47:47 linux Pluto[29724]: "site1-site2" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
> Jul 4 12:47:47 linux Pluto[29724]: "site1-site2" #2: sent QI2, IPsec SA established
> Jul 4 12:47:47 linux ipsec__plutorun: 104 "site1-site2" #1: STATE_MAIN_I1: initiate
> Jul 4 12:47:47 linux ipsec__plutorun: 106 "site1-site2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Jul 4 12:47:47 linux ipsec__plutorun: 108 "site1-site2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Jul 4 12:47:47 linux ipsec__plutorun: 004 "site1-site2" #1: STATE_MAIN_I4: ISAKMP SA established
> Jul 4 12:47:47 linux ipsec__plutorun: 112 "site1-site2" #2: STATE_QUICK_I1: initiate
> Jul 4 12:47:47 linux ipsec__plutorun: 004 "site1-site2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
> + _________________________ plog
> + sed -n '32729,$p' /var/log/messages
> + egrep -i pluto
> + cat
> Jul 4 12:47:46 linux ipsec__plutorun: Starting Pluto subsystem...
> Jul 4 12:47:46 linux Pluto[29724]: Starting Pluto (FreeS/WAN Version 1.95)
> Jul 4 12:47:47 linux Pluto[29724]: including X.509 patch (Version 0.9.8)
> Jul 4 12:47:47 linux Pluto[29724]: Changing to directory '/etc/ipsec.d/cacerts'
> Jul 4 12:47:47 linux Pluto[29724]: Warning: empty directory
> Jul 4 12:47:47 linux Pluto[29724]: Changing to directory '/etc/ipsec.d/crls'
> Jul 4 12:47:47 linux Pluto[29724]: Warning: empty directory
> Jul 4 12:47:47 linux Pluto[29724]: could not open my X.509 cert file '/etc/x509cert.der'
> Jul 4 12:47:47 linux Pluto[29724]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
> Jul 4 12:47:47 linux Pluto[29724]: added connection description "site1-site2"
> Jul 4 12:47:47 linux Pluto[29724]: listening for IKE messages
> Jul 4 12:47:47 linux Pluto[29724]: adding interface ipsec0/eth0 193.41.215.55
> Jul 4 12:47:47 linux Pluto[29724]: loading secrets from "/etc/ipsec.secrets"
> Jul 4 12:47:47 linux Pluto[29724]: "site1-site2" #1: initiating Main Mode
> Jul 4 12:47:47 linux Pluto[29724]: "site1-site2" #1: Peer ID is ID_IPV4_ADDR: '193.41.215.56'
> Jul 4 12:47:47 linux Pluto[29724]: "site1-site2" #1: ISAKMP SA established
> Jul 4 12:47:47 linux Pluto[29724]: "site1-site2" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
> Jul 4 12:47:47 linux Pluto[29724]: "site1-site2" #2: sent QI2, IPsec SA established
> Jul 4 12:47:47 linux ipsec__plutorun: 104 "site1-site2" #1: STATE_MAIN_I1: initiate
> Jul 4 12:47:47 linux ipsec__plutorun: 106 "site1-site2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Jul 4 12:47:47 linux ipsec__plutorun: 108 "site1-site2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Jul 4 12:47:47 linux ipsec__plutorun: 004 "site1-site2" #1: STATE_MAIN_I4: ISAKMP SA established
> Jul 4 12:47:47 linux ipsec__plutorun: 112 "site1-site2" #2: STATE_QUICK_I1: initiate
> Jul 4 12:47:47 linux ipsec__plutorun: 004 "site1-site2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
> + _________________________ date
> + date
> Thu Jul 4 12:48:24 CEST 2002
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:18 CEST
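Added example, not part of the thread and not FreeS/WAN code: the two checks Romain suggests (netfilter rules that drop the IPsec traffic, and NAT being applied to the tunnel traffic) can be run against an `iptables-save` dump instead of being eyeballed. The script below is this editor's own; the `parse_rules`, `check_nat`, `check_filter` and `audit` functions, the interface and subnet values, and the two rulesets are constructed to mirror the barf above (10.0.55.0/24 behind 193.41.215.55 on eth0, peer 193.41.215.56 fronting 10.0.56.0/24) and are not taken from any real system. It assumes the KLIPS model of FreeS/WAN 1.95 as shown in the barf: the cleartext packet for the far subnet is routed out ipsec0, so a MASQUERADE rule restricted to `-o eth0` never touches it, whereas a MASQUERADE rule with no `-o` restriction rewrites the source to the gateway address before KLIPS sees the packet and it then no longer matches the eroute selector (the usual fix is an ACCEPT for the tunnel subnet pair placed before the MASQUERADE rule). For the filter check it looks at the peer-initiated case, so a rule that only admits ESTABLISHED,RELATED does not count as letting IKE, ESP or AH in.

```python
"""Lint an iptables ruleset for two things that silently break a FreeS/WAN (KLIPS)
site-to-site tunnel: NAT rewriting tunnel traffic before ipsec0 sees it, and INPUT
rules that drop the peer's IKE/ESP/AH. Added example, not FreeS/WAN or list code."""
import ipaddress
import shlex

def parse_rules(text):
    """iptables-save text -> {table: {"policy": {chain: policy}, "rules": [dict]}}.
    Each flag takes one argument; "! -s net" negation is recorded in rule["negated"]."""
    tables, table = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("*"):
            table = tables[line[1:]] = {"policy": {}, "rules": []}
        elif line.startswith(":") and table:                # ":INPUT DROP [0:0]"
            table["policy"].update([line[1:].split()[:2]])
        elif line.startswith("-A ") and table:
            toks = shlex.split(line)
            rule, i = {"chain": toks[1], "negated": set()}, 2
            while i + 1 < len(toks):
                if toks[i] == "!":
                    rule["negated"].add(toks[i + 1])
                    i += 1
                else:
                    rule[toks[i]] = toks[i + 1]
                    i += 2
            table["rules"].append(rule)
    return tables

def _covers(net, addr):              # -s/-d: does the rule's network contain addr?
    return ipaddress.ip_network(addr, strict=False).subnet_of(ipaddress.ip_network(net, strict=False))

def _match(rule, flag, value, test=str.__eq__):
    if flag not in rule:                                    # absent flag matches anything
        return True
    return test(rule[flag], value) != (flag in rule["negated"])

def check_nat(tables, local_net, remote_net, tunnel_dev="ipsec0"):
    """First POSTROUTING rule matching local->remote decides. With KLIPS the cleartext
    packet leaves via ipsec0, so "-o eth0" never sees it (pass tunnel_dev="eth0" otherwise)."""
    for rule in tables.get("nat", {"rules": []})["rules"]:
        if rule["chain"] != "POSTROUTING" or not (_match(rule, "-s", local_net, _covers)
                and _match(rule, "-d", remote_net, _covers) and _match(rule, "-o", tunnel_dev)):
            continue
        target = rule.get("-j")
        if target in ("ACCEPT", "RETURN"):
            return None                                     # explicit exemption wins
        if target in ("MASQUERADE", "SNAT", "NETMAP"):
            return "%s in POSTROUTING rewrites %s -> %s before %s sees it" % (target, local_net, remote_net, tunnel_dev)
    return None

def check_filter(tables, outside_dev, peer_ip):
    """Verdict INPUT gives the peer's first (conntrack NEW) IKE/ESP/AH packet; user chains are not followed."""
    filt, findings = tables.get("filter", {"policy": {}, "rules": []}), []
    for name, proto, dport in (("IKE", "udp", "500"), ("ESP", "esp", None), ("AH", "ah", None)):
        verdict = filt["policy"].get("INPUT", "ACCEPT")
        for rule in filt["rules"]:
            if rule["chain"] != "INPUT" or rule.get("-j") not in ("ACCEPT", "DROP", "REJECT"):
                continue
            if not (_match(rule, "-i", outside_dev) and _match(rule, "-s", peer_ip, _covers)):
                continue
            if rule.get("-p", proto) != proto or rule.get("--dport", dport) != dport:
                continue
            if "NEW" not in rule.get("--state", "NEW").upper().split(","):
                continue                                    # ESTABLISHED,RELATED-only rule
            verdict = rule["-j"]
            break
        if verdict != "ACCEPT":
            findings.append("INPUT gives %s from %s on %s verdict %s" % (name, peer_ip, outside_dev, verdict))
    return findings

def audit(ruleset, local_net, remote_net, outside_dev, peer_ip):
    tables = parse_rules(ruleset)
    nat = check_nat(tables, local_net, remote_net)
    return check_filter(tables, outside_dev, peer_ip) + ([nat] if nat else [])

# Constructed rulesets: BROKEN masquerades everything leaving the LAN and admits nothing
# new on eth0; FIXED exempts the tunnel pair before MASQUERADE and opens IKE/ESP/AH from the peer.
BROKEN = """*nat
-A POSTROUTING -s 10.0.55.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT"""
FIXED = """*nat
-A POSTROUTING -s 10.0.55.0/24 -d 10.0.56.0/24 -j ACCEPT
-A POSTROUTING -s 10.0.55.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -s 193.41.215.56 -p udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -s 193.41.215.56 -p esp -j ACCEPT
-A INPUT -i eth0 -s 193.41.215.56 -p ah -j ACCEPT
COMMIT"""
SITE = ("10.0.55.0/24", "10.0.56.0/24", "eth0", "193.41.215.56")   # local, remote, outside dev, peer

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(rules, *SITE) or ["ok"])
```

Run it with `iptables-save | python3 thisfile.py` adapted to read stdin, or paste the dump into the string. On the barf above the three filter chains and the nat table are empty with ACCEPT policies, so both checks come up clean for that gateway; the ipt_MASQUERADE and iptable_nat modules are loaded there, which is why the NAT ordering is still worth verifying on any box that does masquerade. The checker does not follow jumps into user-defined chains and treats every flag as taking one argument, so hand-check rulesets that use those.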