
[Users] bintec x1200 -> freeswan

From: Elmar Grote (elmargrote_at_web.de)
Date: Tue Jul 23 2002 - 09:45:10 CEST


Sorry,
I think I was wrong. When I look at ipsec barf
and table 110 on the bintec, I think nothing has been done
between the two peers. Maybe you can look at the two files.

Elmar!


inx Index(ro) NextChoice(rw) Description(rw) EncAlg(*rw)
    HashAlg(-rw) LifeTime(rw) Group(rw) AuthMethod(rw)

 00 1 0 "Blowfish/MD5" blowfish_cbc
    md5 0 2 default

 01 2 0 "DES3/MD5" des3_cbc
    md5 0 2 default

 02 3 0 "CAST/MD5" cast128_cbc
    md5 0 2 default

 03 4 0 "DES/MD5" des_cbc
    md5 0 2 default

 04 5 0 "Blowfish/SHA1" blowfish_cbc
    sha1 0 2 default

 05 6 0 "DES3/SHA1" des3_cbc
    sha1 0 2 default

 06 7 0 "CAST/SHA1" cast128_cbc
    sha1 0 2 default

 07 8 0 "DES/SHA1" des_cbc
    sha1 0 2 default

 08 9 0 "DES/Tiger192" des_cbc
    tiger192 0 2 default

 09 10 0 "DES/Ripemd160" des_cbc
    ripemd160 0 2 default

 10 11 0 "DES3/Tiger192" des3_cbc
    tiger192 0 2 default

 11 12 0 "DES3/Ripemd160" des3_cbc
    ripemd160 0 2 default

 12 13 0 "Blowfish/Tiger19 blowfish_cbc
    tiger192 0 2 default

 13 14 0 "Blowfish/Ripemd1 blowfish_cbc
    ripemd160 0 2 default

 14 15 0 "CAST/Tiger192" cast128_cbc
    tiger192 0 2 default

 15 16 0 "CAST/Ripemd160" cast128_cbc
    ripemd160 0 2 default

 16 17 0 "Rijndael/Tiger19 rijndael_cbc
    tiger192 0 2 default

 17 18 0 "Rijndael/Ripemd1 rijndael_cbc
    ripemd160 0 2 default

 18 19 0 "Rijndael/MD5" rijndael_cbc
    md5 0 2 default

 19 20 0 "Rijndael/SHA1" rijndael_cbc
    sha1 0 2 default

 20 21 0 "Twofish/MD5" twofish_cbc
    md5 0 2 default

 21 22 0 "Twofish/SHA1" twofish_cbc
    sha1 0 2 default

 22 23 0 "Twofish/Tiger192 twofish_cbc
    tiger192 0 2 default

 23 24 0 "Twofish/Ripemd16 twofish_cbc
    ripemd160 0 2 default

cse52
Tue Jul 23 09:25:06 CEST 2002
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 1.95
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.18-4GB (root_at_Pentium.suse.de) (gcc version 2.95.3 20010315 (SuSE)) #1 Wed Mar 27 13:57:05 UTC 2002
+ _________________________ proc/net/ipsec_eroute
+ sort +1 /proc/net/ipsec_eroute
0 10.3.6.0/24 -> 128.1.1.0/24 => tun0x1002_at_217.153.4.214
0 10.3.7.0/24 -> 128.1.1.0/24 => tun0x1004_at_217.153.4.214
0 130.1.85.0/24 -> 128.1.1.0/24 => tun0x1006_at_217.153.4.214
0 192.168.42.0/24 -> 128.1.1.0/24 => tun0x100a_at_217.153.4.214
5350 191.1.1.0/24 -> 128.1.1.0/24 => tun0x100c_at_217.153.4.214
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
tun0x1007_at_212.21.84.30 IPIP: dir=in src=217.153.4.214 policy=128.1.1.0/24->191.1.1.0/24 flags=0x8<> life(c,s,h)=addtime(137761,0,0)
tun0x1005_at_212.21.84.30 IPIP: dir=in src=217.153.4.214 policy=128.1.1.0/24->130.1.85.0/24 flags=0x8<> life(c,s,h)=addtime(137760,0,0)
tun0x1003_at_212.21.84.30 IPIP: dir=in src=217.153.4.214 policy=128.1.1.0/24->10.3.7.0/24 flags=0x8<> life(c,s,h)=addtime(137760,0,0)
tun0x1001_at_212.21.84.30 IPIP: dir=in src=217.153.4.214 policy=128.1.1.0/24->10.3.6.0/24 flags=0x8<> life(c,s,h)=addtime(137759,0,0)
esp0x55e059a_at_212.21.84.30 ESP_3DES_HMAC_MD5: dir=in src=217.153.4.214 iv_bits=64bits iv=0xce08362e9b6ea87a ooowin=64 seq=2893 bit=0xffffffffffffffff max_seq_diff=1 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(271164,0,0)addtime(137761,0,0)usetime(137762,0,0)packets(2891,0,0) idle=0
esp0x55e0599_at_212.21.84.30 ESP_3DES_HMAC_MD5: dir=in src=217.153.4.214 iv_bits=64bits iv=0xfcd04e6baf4657b4 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(137761,0,0)
esp0x55e0598_at_212.21.84.30 ESP_3DES_HMAC_MD5: dir=in src=217.153.4.214 iv_bits=64bits iv=0x9d94b25cdbf26d1b ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(137761,0,0)
esp0x55e0597_at_212.21.84.30 ESP_3DES_HMAC_MD5: dir=in src=217.153.4.214 iv_bits=64bits iv=0x707c98c51b46c8c5 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(137760,0,0)
esp0x55e0596_at_212.21.84.30 ESP_3DES_HMAC_MD5: dir=in src=217.153.4.214 iv_bits=64bits iv=0xcb240e86e45389d4 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(137760,0,0)
esp0x55e0595_at_212.21.84.30 ESP_3DES_HMAC_MD5: dir=in src=217.153.4.214 iv_bits=64bits iv=0xb9a0c4355e79a9de ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(137759,0,0)
tun0x100c_at_217.153.4.214 IPIP: dir=out src=212.21.84.30 life(c,s,h)=bytes(7481515,0,0)addtime(137761,0,0)usetime(137762,0,0)packets(5350,0,0) idle=0
tun0x100a_at_217.153.4.214 IPIP: dir=out src=212.21.84.30 life(c,s,h)=addtime(137761,0,0)
tun0x1008_at_217.153.4.214 IPIP: dir=out src=212.21.84.30 life(c,s,h)=addtime(137761,0,0)
tun0x1006_at_217.153.4.214 IPIP: dir=out src=212.21.84.30 life(c,s,h)=addtime(137760,0,0)
tun0x1004_at_217.153.4.214 IPIP: dir=out src=212.21.84.30 life(c,s,h)=addtime(137760,0,0)
tun0x1002_at_217.153.4.214 IPIP: dir=out src=212.21.84.30 life(c,s,h)=addtime(137759,0,0)
esp0xcd5c027c_at_217.153.4.214 ESP_3DES_HMAC_MD5: dir=out src=212.21.84.30 iv_bits=64bits iv=0x4b22715f9d9ed0f7 ooowin=64 seq=5350 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(7659936,0,0)addtime(137761,0,0)usetime(137762,0,0)packets(5350,0,0) idle=0
esp0xcd5c027b_at_217.153.4.214 ESP_3DES_HMAC_MD5: dir=out src=212.21.84.30 iv_bits=64bits iv=0xc5e563feb107ecde ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(137761,0,0)
esp0xcd5c027a_at_217.153.4.214 ESP_3DES_HMAC_MD5: dir=out src=212.21.84.30 iv_bits=64bits iv=0x2fd4cd7f49e8bea4 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(137761,0,0)
esp0xcd5c0279_at_217.153.4.214 ESP_3DES_HMAC_MD5: dir=out src=212.21.84.30 iv_bits=64bits iv=0x67bb4b7a32812b44 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(137760,0,0)
esp0xcd5c0278_at_217.153.4.214 ESP_3DES_HMAC_MD5: dir=out src=212.21.84.30 iv_bits=64bits iv=0x90ddcc7a36772dfe ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(137760,0,0)
esp0xcd5c0277_at_217.153.4.214 ESP_3DES_HMAC_MD5: dir=out src=212.21.84.30 iv_bits=64bits iv=0x6c3501c775e292f7 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(137759,0,0)
tun0x100b_at_212.21.84.30 IPIP: dir=in src=217.153.4.214 policy=128.1.1.0/24->191.1.1.0/24 flags=0x8<> life(c,s,h)=bytes(271164,0,0)addtime(137761,0,0)usetime(137762,0,0)packets(2891,0,0) idle=0
tun0x1009_at_212.21.84.30 IPIP: dir=in src=217.153.4.214 policy=128.1.1.0/24->192.168.42.0/24 flags=0x8<> life(c,s,h)=addtime(137761,0,0)
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1007_at_212.21.84.30 esp0x55e0598_at_212.21.84.30
tun0x1005_at_212.21.84.30 esp0x55e0597_at_212.21.84.30
tun0x1003_at_212.21.84.30 esp0x55e0596_at_212.21.84.30
tun0x1001_at_212.21.84.30 esp0x55e0595_at_212.21.84.30
tun0x100c_at_217.153.4.214 esp0xcd5c027c_at_217.153.4.214
tun0x100a_at_217.153.4.214 esp0xcd5c027b_at_217.153.4.214
tun0x1008_at_217.153.4.214 esp0xcd5c027a_at_217.153.4.214
tun0x1006_at_217.153.4.214 esp0xcd5c0279_at_217.153.4.214
tun0x1004_at_217.153.4.214 esp0xcd5c0278_at_217.153.4.214
tun0x1002_at_217.153.4.214 esp0xcd5c0277_at_217.153.4.214
tun0x100b_at_212.21.84.30 esp0x55e059a_at_212.21.84.30
tun0x1009_at_212.21.84.30 esp0x55e0599_at_212.21.84.30
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
212.21.84.0 0.0.0.0 255.255.255.224 U 40 0 0 eth1
212.21.84.0 0.0.0.0 255.255.255.224 U 40 0 0 ipsec0
128.1.1.0 212.21.84.29 255.255.255.0 UG 40 0 0 ipsec0
192.168.130.0 191.1.1.58 255.255.255.0 UG 40 0 0 eth0
130.1.85.0 10.130.2.4 255.255.255.0 UG 40 0 0 eth2
192.168.180.0 191.1.1.58 255.255.255.0 UG 40 0 0 eth0
10.130.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2
10.3.6.0 191.1.1.6 255.255.255.0 UG 40 0 0 eth0
10.3.7.0 191.1.1.6 255.255.255.0 UG 40 0 0 eth0
191.1.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
192.168.42.0 191.1.1.6 255.255.255.0 UG 40 0 0 eth0
192.168.190.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
192.168.175.0 191.1.1.28 255.255.255.0 UG 40 0 0 eth0
192.168.173.0 191.1.1.58 255.255.255.0 UG 40 0 0 eth0
0.0.0.0 192.168.190.100 0.0.0.0 UG 40 0 0 eth1
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth1 mtu=16260(1443) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
    sock pid socket next prev e n p sndbf Flags Type St
ce3d6560 15376 c6fc21a4 0 0 0 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c6fc21a4 15376 ce3d6560
pf_key_registered: 3 c6fc21a4 15376 ce3d6560
pf_key_registered: 9 c6fc21a4 15376 ce3d6560
pf_key_registered: 10 c6fc21a4 15376 ce3d6560
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 4 0 128 128
pf_key_supported: 9 15 3 0 32 128
pf_key_supported: 9 15 2 0 128 32
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth1:1 212.21.84.30
000
000 "softvig_carano": 191.1.1.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...217.153.4.193---217.153.4.214[C=PL, ST=POLEN, L=STETIN, O=SOFTVIG, OU=SOFTVIG, CN=Elmar Grote, E=admin_at_carano.de]===128.1.1.0/24
000 "softvig_carano": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "softvig_carano": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; erouted
000 "softvig_carano": newest ISAKMP SA: #0; newest IPsec SA: #7; eroute owner: #7
000 "softvig_fps": 192.168.42.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...217.153.4.193---217.153.4.214[C=PL, ST=POLEN, L=STETIN, O=SOFTVIG, OU=SOFTVIG, CN=Elmar Grote, E=admin_at_carano.de]===128.1.1.0/24
000 "softvig_fps": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "softvig_fps": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; erouted
000 "softvig_fps": newest ISAKMP SA: #0; newest IPsec SA: #6; eroute owner: #6
000 "softvig_bsr": 130.1.85.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...217.153.4.193---217.153.4.214[C=PL, ST=POLEN, L=STETIN, O=SOFTVIG, OU=SOFTVIG, CN=Elmar Grote, E=admin_at_carano.de]===128.1.1.0/24
000 "softvig_bsr": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "softvig_bsr": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; erouted
000 "softvig_bsr": newest ISAKMP SA: #0; newest IPsec SA: #4; eroute owner: #4
000 "softvig_dekra2": 10.3.7.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...217.153.4.193---217.153.4.214[C=PL, ST=POLEN, L=STETIN, O=SOFTVIG, OU=SOFTVIG, CN=Elmar Grote, E=admin_at_carano.de]===128.1.1.0/24
000 "softvig_dekra2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "softvig_dekra2": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; erouted
000 "softvig_dekra2": newest ISAKMP SA: #0; newest IPsec SA: #3; eroute owner: #3
000 "softvig_dekra1": 10.3.6.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...217.153.4.193---217.153.4.214[C=PL, ST=POLEN, L=STETIN, O=SOFTVIG, OU=SOFTVIG, CN=Elmar Grote, E=admin_at_carano.de]===128.1.1.0/24
000 "softvig_dekra1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "softvig_dekra1": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; erouted
000 "softvig_dekra1": newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
000 "mobile1_carano": 191.1.1.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=BERLIN, L=BERLIN, O=CARANO GMBH, OU=MOBILE1, CN=Elmar Grote, E=admin_at_carano.de]
000 "mobile1_carano": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mobile1_carano": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "mobile1_carano": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mobile2_carano": 191.1.1.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=Berlin, L=Berlin, O=CARANO GMBH, OU=CARANO GMBH, CN=ADMINISTRATION CARANO GMBH, E=admin_at_carano.de]
000 "mobile2_carano": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mobile2_carano": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "mobile2_carano": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mobile2_fps": 192.168.42.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=Berlin, L=Berlin, O=CARANO GMBH, OU=CARANO GMBH, CN=ADMINISTRATION CARANO GMBH, E=admin_at_carano.de]
000 "mobile2_fps": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mobile2_fps": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "mobile2_fps": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mobile1_bsr": 130.1.85.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=BERLIN, L=BERLIN, O=CARANO GMBH, OU=MOBILE1, CN=Elmar Grote, E=admin_at_carano.de]
000 "mobile1_bsr": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mobile1_bsr": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "mobile1_bsr": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mobile1_dmz": 192.168.190.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=BERLIN, L=BERLIN, O=CARANO GMBH, OU=MOBILE1, CN=Elmar Grote, E=admin_at_carano.de]
000 "mobile1_dmz": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mobile1_dmz": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "mobile1_dmz": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "NB_carano": 191.1.1.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=MECKLENBURG-VORPOMMERN, O=CARANO GmbH, OU=NIEDERLASSUNG NEUBRANDENBURG, CN=Elmar Grote/Email=admin_at_carano.de]===192.168.1.0/24
000 "NB_carano": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "NB_carano": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "NB_carano": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mobile2_bsr": 130.1.85.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=Berlin, L=Berlin, O=CARANO GMBH, OU=CARANO GMBH, CN=ADMINISTRATION CARANO GMBH, E=admin_at_carano.de]
000 "mobile2_bsr": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mobile2_bsr": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "mobile2_bsr": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mobile1_dekra2": 10.3.7.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=BERLIN, L=BERLIN, O=CARANO GMBH, OU=MOBILE1, CN=Elmar Grote, E=admin_at_carano.de]
000 "mobile1_dekra2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mobile1_dekra2": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "mobile1_dekra2": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mobile2_dekra2": 10.3.7.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=Berlin, L=Berlin, O=CARANO GMBH, OU=CARANO GMBH, CN=ADMINISTRATION CARANO GMBH, E=admin_at_carano.de]
000 "mobile2_dekra2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mobile2_dekra2": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "mobile2_dekra2": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mobile2_dmz": 192.168.190.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=Berlin, L=Berlin, O=CARANO GMBH, OU=CARANO GMBH, CN=ADMINISTRATION CARANO GMBH, E=admin_at_carano.de]
000 "mobile2_dmz": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mobile2_dmz": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "mobile2_dmz": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mobile1_dekra1": 10.3.6.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=BERLIN, L=BERLIN, O=CARANO GMBH, OU=MOBILE1, CN=Elmar Grote, E=admin_at_carano.de]
000 "mobile1_dekra1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mobile1_dekra1": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "mobile1_dekra1": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mobile2_dekra1": 10.3.6.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=Berlin, L=Berlin, O=CARANO GMBH, OU=CARANO GMBH, CN=ADMINISTRATION CARANO GMBH, E=admin_at_carano.de]
000 "mobile2_dekra1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mobile2_dekra1": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "mobile2_dekra1": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "mobile1_fps": 192.168.42.0/24===212.21.84.30[C=DE, ST=Berlin, L=Berlin, O=CARANO Softwareentwicklungs GmbH, OU=Administration, CN=Elmar Grote, E=admin_at_carano.de]---212.21.84.29...%any[C=DE, ST=BERLIN, L=BERLIN, O=CARANO GMBH, OU=MOBILE1, CN=Elmar Grote, E=admin_at_carano.de]
000 "mobile1_fps": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "mobile1_fps": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1:1; unrouted
000 "mobile1_fps": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #7: "softvig_carano" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27983s; newest IPSEC; eroute owner
000 #7: "softvig_carano" esp.cd5c027c_at_217.153.4.214 esp.55e059a_at_212.21.84.30 tun.100c_at_217.153.4.214 tun.100b_at_212.21.84.30
000 #6: "softvig_fps" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27737s; newest IPSEC; eroute owner
000 #6: "softvig_fps" esp.cd5c027b_at_217.153.4.214 esp.55e0599_at_212.21.84.30 tun.100a_at_217.153.4.214 tun.1009_at_212.21.84.30
000 #5: "softvig_carano" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27699s
000 #5: "softvig_carano" esp.cd5c027a_at_217.153.4.214 esp.55e0598_at_212.21.84.30 tun.1008_at_217.153.4.214 tun.1007_at_212.21.84.30
000 #4: "softvig_bsr" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27628s; newest IPSEC; eroute owner
000 #4: "softvig_bsr" esp.cd5c0279_at_217.153.4.214 esp.55e0597_at_212.21.84.30 tun.1006_at_217.153.4.214 tun.1005_at_212.21.84.30
000 #3: "softvig_dekra2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27933s; newest IPSEC; eroute owner
000 #3: "softvig_dekra2" esp.cd5c0278_at_217.153.4.214 esp.55e0596_at_212.21.84.30 tun.1004_at_217.153.4.214 tun.1003_at_212.21.84.30
000 #2: "softvig_dekra1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27776s; newest IPSEC; eroute owner
000 #2: "softvig_dekra1" esp.cd5c0277_at_217.153.4.214 esp.55e0595_at_212.21.84.30 tun.1002_at_217.153.4.214 tun.1001_at_212.21.84.30
000 #1: "softvig_dekra1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2514s; newest ISAKMP
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:02:B3:4C:13:08
          inet addr:191.1.1.5 Bcast:191.1.1.255 Mask:255.255.255.0
          inet6 addr: fe80::202:b3ff:fe4c:1308/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:6779102 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5464290 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1375577915 (1311.8 Mb) TX bytes:2439734569 (2326.7 Mb)
          Interrupt:10 Base address:0xc800 Memory:dffff000-dffff038

eth1 Link encap:Ethernet HWaddr 00:02:B3:25:13:00
          inet addr:192.168.190.101 Bcast:192.168.190.255 Mask:255.255.255.0
          inet6 addr: fe80::202:b3ff:fe25:1300/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:4802159 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6014788 errors:0 dropped:0 overruns:0 carrier:0
          collisions:134696 txqueuelen:100
          RX bytes:2343175950 (2234.6 Mb) TX bytes:1410827395 (1345.4 Mb)
          Interrupt:10 Base address:0xc400 Memory:dfffe000-dfffe038

eth1:1 Link encap:Ethernet HWaddr 00:02:B3:25:13:00
          inet addr:212.21.84.30 Bcast:212.21.84.31 Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          Interrupt:10 Base address:0xc400 Memory:dfffe000-dfffe038

eth2 Link encap:Ethernet HWaddr 00:80:AD:38:DC:3B
          inet addr:10.130.2.1 Bcast:10.130.2.255 Mask:255.255.255.0
          inet6 addr: fe80::280:adff:fe38:dc3b/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:600 (600.0 b) TX bytes:888 (888.0 b)
          Interrupt:10 Base address:0xc000

ipsec0 Link encap:IPIP Tunnel HWaddr
          inet addr:212.21.84.30 Mask:255.255.255.224
          UP RUNNING NOARP MTU:16260 Metric:1
          RX packets:2896 errors:0 dropped:3 overruns:0 frame:0
          TX packets:5350 errors:0 dropped:1 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:213424 (208.4 Kb) TX bytes:7734836 (7.3 Mb)

ipsec1 Link encap:IPIP Tunnel HWaddr
          NOARP MTU:0 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ipsec2 Link encap:IPIP Tunnel HWaddr
          NOARP MTU:0 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ipsec3 Link encap:IPIP Tunnel HWaddr
          NOARP MTU:0 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:26 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1300 (1.2 Kb) TX bytes:1300 (1.2 Kb)

sit0 Link encap:IPv6-in-IPv4
          NOARP MTU:1480 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
cse52.carano.de
+ _________________________ hostname/ipaddress
+ hostname --ip-address
191.1.1.5
+ _________________________ uptime
+ uptime
  9:25am up 1 day, 14:17, 1 user, load average: 0.07, 0.10, 0.04
+ _________________________ ps
+ ps alxw
+ egrep -i 'ppid|pluto|ipsec|klips'
  F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
002 0 15374 1 20 0 2512 1156 wait4 S pts/0 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --dump --load %search --start %search --wait --pre --post --log daemon.error --pid /var/run/pluto.pid
002 0 15375 15374 20 0 2512 1156 wait4 S pts/0 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --dump --load %search --start %search --wait --pre --post --log daemon.error --pid /var/run/pluto.pid
004 0 15376 15375 20 0 1956 992 do_sel S pts/0 0:00 /usr/lib/ipsec/pluto --nofork --debug-none --uniqueids
000 0 15377 15374 20 0 2508 1156 pipe_w S pts/0 0:00 /bin/sh /usr/lib/ipsec/_plutoload --load %search --start %search --wait --post
000 0 15378 1 20 0 1532 548 pipe_w S pts/0 0:00 logger -p daemon.error -t ipsec__plutorun
000 0 16158 14247 20 0 2500 1132 wait4 S pts/0 0:00 /bin/sh /usr/sbin/ipsec barf
000 0 16159 16158 20 0 2520 1168 - R pts/0 0:00 /bin/sh /usr/lib/ipsec/barf
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
#dr: no default route
# no default route
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth1:1"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
        keyingtries=1
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        right=212.21.84.30
        rightnexthop=212.21.84.29
        rightcert=cse52cert.pem

###############################################

# Administration
conn mobile1_carano
        left=%any
        leftcert=mobile1-cert.pem
        rightsubnet=191.1.1.0/24
        auto=add

conn mobile1_dekra1
        left=%any
        leftcert=mobile1-cert.pem
        rightsubnet=10.3.6.0/24
        auto=add

conn mobile1_dekra2
        left=%any
        leftcert=mobile1-cert.pem
        rightsubnet=10.3.7.0/24
        auto=add

conn mobile1_fps
        left=%any
        leftcert=mobile1-cert.pem
        rightsubnet=192.168.42.0/24
        auto=add

conn mobile1_bsr
        left=%any
        leftcert=mobile1-cert.pem
        rightsubnet=130.1.85.0/24
        auto=add

conn mobile1_dmz
        left=%any
        leftcert=mobile1-cert.pem
        rightsubnet=192.168.190.0/24
        auto=add

################################################

#Samy
conn mobile2_carano
        left=%any
        leftcert=mobile2-cert.pem
        rightsubnet=191.1.1.0/24
        auto=add

conn mobile2_dekra1
        left=%any
        leftcert=mobile2-cert.pem
        rightsubnet=10.3.6.0/24
        auto=add

conn mobile2_dekra2
        left=%any
        leftcert=mobile2-cert.pem
        rightsubnet=10.3.7.0/24
        auto=add

conn mobile2_fps
        left=%any
        leftcert=mobile2-cert.pem
        rightsubnet=192.168.42.0/24
        auto=add

conn mobile2_bsr
        left=%any
        leftcert=mobile2-cert.pem
        rightsubnet=130.1.85.0/24
        auto=add

conn mobile2_dmz
        left=%any
        leftcert=mobile2-cert.pem
        rightsubnet=192.168.190.0/24
        auto=add

################################################

#softvig Polen
conn softvig_carano
        left=217.153.4.214
        leftcert=softvig-polen-cert.pem
        leftsubnet=128.1.1.0/24
        leftnexthop=217.153.4.193
        rightsubnet=191.1.1.0/24
        auto=start

conn softvig_dekra1
        left=217.153.4.214
        leftcert=softvig-polen-cert.pem
        leftsubnet=128.1.1.0/24
        leftnexthop=217.153.4.193
        rightsubnet=10.3.6.0/24
        auto=start

conn softvig_dekra2
        left=217.153.4.214
        leftcert=softvig-polen-cert.pem
        leftsubnet=128.1.1.0/24
        leftnexthop=217.153.4.193
        rightsubnet=10.3.7.0/24
        auto=start

conn softvig_fps
        left=217.153.4.214
        leftcert=softvig-polen-cert.pem
        leftsubnet=128.1.1.0/24
        leftnexthop=217.153.4.193
        rightsubnet=192.168.42.0/24
        auto=start

conn softvig_bsr
        left=217.153.4.214
        leftcert=softvig-polen-cert.pem
        leftsubnet=128.1.1.0/24
        leftnexthop=217.153.4.193
        rightsubnet=130.1.85.0/24
        auto=start

################################################

# bintec test
conn NB_carano
        left=%any
        leftcert=caranonbreq.pem
        leftsubnet=192.168.1.0/24
        rightsubnet=191.1.1.0/24
        auto=add

+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
: RSA {
        Modulus: [...]
        PublicExponent: [...]
        PrivateExponent: [...]
        Prime1: [...]
        Prime2: [...]
        Exponent1: [...]
        Exponent2: [...]
        Coefficient: [...]
  }
+ _________________________ ipsec/ls-dir
+ ls -l /usr/lib/ipsec
total 860
-rwxr-xr-x 1 root root 11089 Mar 27 14:11 _confread
-rwxr-xr-x 1 root root 7065 Mar 27 14:11 _copyright
-rwxr-xr-x 1 root root 2163 Mar 27 14:11 _include
-rwxr-xr-x 1 root root 1383 Mar 27 14:11 _keycensor
-rwxr-xr-x 1 root root 3495 Mar 27 14:11 _plutoload
-rwxr-xr-x 1 root root 3616 Mar 27 14:11 _plutorun
-rwxr-xr-x 1 root root 7477 Mar 27 14:11 _realsetup
-rwxr-xr-x 1 root root 1904 Mar 27 14:11 _secretcensor
-rwxr-xr-x 1 root root 6076 Mar 27 14:11 _startklips
-rwxr-xr-x 1 root root 5262 Mar 27 14:11 _updown
-rwxr-xr-x 1 root root 12247 Mar 27 14:11 auto
-rwxr-xr-x 1 root root 6418 Mar 27 14:11 barf
-rwxr-xr-x 1 root root 72075 Mar 27 14:11 eroute
-rwxr-xr-x 1 root root 11892 Mar 27 14:11 fswcert
-rwxr-xr-x 1 root root 2823 Mar 27 14:11 ipsec
-rw-r--r-- 1 root root 1950 Mar 27 14:11 ipsec_pr.template
-rwxr-xr-x 1 root root 50543 Mar 27 14:11 klipsdebug
-rwxr-xr-x 1 root root 2437 Mar 27 14:11 look
-rwxr-xr-x 1 root root 16172 Mar 27 14:11 manual
-rwxr-xr-x 1 root root 1274 Mar 27 14:11 newhostkey
-rwxr-xr-x 1 root root 41895 Mar 27 14:11 pf_key
-rwxr-xr-x 1 root root 301055 Mar 27 14:11 pluto
-rwxr-xr-x 1 root root 9819 Mar 27 14:11 ranbits
-rwxr-xr-x 1 root root 21728 Mar 27 14:11 rsasigkey
-rwxr-xr-x 1 root root 16653 Mar 27 14:11 send-pr
lrwxrwxrwx 1 root root 17 Jul 19 19:40 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1041 Mar 27 14:11 showdefaults
-rwxr-xr-x 1 root root 3484 Mar 27 14:11 showhostkey
-rwxr-xr-x 1 root root 81962 Mar 27 14:11 spi
-rwxr-xr-x 1 root root 62105 Mar 27 14:11 spigrp
-rwxr-xr-x 1 root root 12878 Mar 27 14:11 tncfg
-rwxr-xr-x 1 root root 37115 Mar 27 14:11 whack
+ _________________________ ipsec/updowns
++ ls /usr/lib/ipsec
++ egrep updown
+ cat /usr/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.18 2001/11/09 04:12:19 henry Exp $

# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
        echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
        echo "$0: called by obsolete Pluto?" >&2
        exit 2
        ;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$1:$*" in
':') # no parameters
        ;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
        ;;
custom:*) # custom parameters (see above CAUTION comment)
        ;;
*) echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
        doroute add
}
downroute() {
        doroute del
}
doroute() {
        parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
        parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
                it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
                route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
                        route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
                ;;
        *) it="route $1 $parms $parms2"
                route $1 $parms $parms2
                ;;
        esac
        st=$?
        if test $st -ne 0
        then
                # route has already given its own cryptic message
                echo "$0: \`$it' failed" >&2
                if test " $1 $st" = " add 7"
                then
                        # another totally undocumented interface -- 7 and
                        # "SIOCADDRT: Network is unreachable" means that
                        # the gateway isn't reachable.
                        echo "$0: (incorrect or missing nexthop setting??)" >&2
                fi
        fi
        return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to adding a route)
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                parms1="-net 0.0.0.0 netmask 128.0.0.0"
                parms2="-net 128.0.0.0 netmask 128.0.0.0"
                it="route del $parms1 2>&1 ; route del $parms2 2>&1"
                oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
                ;;
        *)
                parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
                it="route del $parms 2>&1"
                oops="`route del $parms 2>&1`"
                ;;
        esac
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error, exit status $status"
        fi
        case "$oops" in
        'SIOCDELRT: No such process'*)
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
        exit $status
        ;;
route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
up-host:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-host:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;
esac
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
    lo: 1300 26 0 0 0 0 0 0 1300 26 0 0 0 0 0 0
  eth0:1375589255 6779102 0 0 0 0 0 0 2439735229 5464290 0 0 0 0 0 0
  eth1:2343176658 4802159 0 0 0 0 0 0 1410839121 6014788 0 0 0 134696 0 0
  eth2: 600 10 0 0 0 0 0 0 888 14 0 0 0 0 0 0
  sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec0: 213544 2899 0 3 0 0 0 0 7743672 5356 0 1 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth1 005415D4 00000000 0001 0 0 0 E0FFFFFF 40 0 0
ipsec0 005415D4 00000000 0001 0 0 0 E0FFFFFF 40 0 0
ipsec0 00010180 1D5415D4 0003 0 0 0 00FFFFFF 40 0 0
eth0 0082A8C0 3A0101BF 0003 0 0 0 00FFFFFF 40 0 0
eth2 00550182 0402820A 0003 0 0 0 00FFFFFF 40 0 0
eth0 00B4A8C0 3A0101BF 0003 0 0 0 00FFFFFF 40 0 0
eth2 0002820A 00000000 0001 0 0 0 00FFFFFF 40 0 0
eth0 0006030A 060101BF 0003 0 0 0 00FFFFFF 40 0 0
eth0 0007030A 060101BF 0003 0 0 0 00FFFFFF 40 0 0
eth0 000101BF 00000000 0001 0 0 0 00FFFFFF 40 0 0
eth0 002AA8C0 060101BF 0003 0 0 0 00FFFFFF 40 0 0
eth1 00BEA8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0
eth0 00AFA8C0 1C0101BF 0003 0 0 0 00FFFFFF 40 0 0
eth0 00ADA8C0 3A0101BF 0003 0 0 0 00FFFFFF 40 0 0
eth1 00000000 64BEA8C0 0003 0 0 0 00000000 40 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ uname-a
+ uname -a
Linux cse52 2.4.18-4GB #1 Wed Mar 27 13:57:05 UTC 2002 i686 unknown
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.95
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy DROP 2 packets, 200 bytes)
 pkts bytes target prot opt in out source destination
  651 392K IPSEC udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
90416 12M IPSEC esp -- eth1 * 0.0.0.0/0 0.0.0.0/0
    0 0 IPSEC ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
84696 9599K REIN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
55056 70M MAIL tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
    0 0 MAIL tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:109
   19 884 MAIL tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
5525K 5414M INTERN-EXTERN all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
    0 0 INTERN-EXTERN all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
    0 0 INTERN-EXTERN all -- eth0 ippp0 0.0.0.0/0 0.0.0.0/0
    0 0 INTERN-EXTERN all -- eth0 ippp1 0.0.0.0/0 0.0.0.0/0
 332K 22M INTERN-EXTERN all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0
15865 2304K INTERN-EXTERN all -- eth0 ppp0 0.0.0.0/0 0.0.0.0/0
    0 0 INTERN-EXTERN all -- eth0 ppp1 0.0.0.0/0 0.0.0.0/0
    0 0 INTERN-EXTERN all -- eth0 ppp2 0.0.0.0/0 0.0.0.0/0
    0 0 INTERN-EXTERN all -- eth0 ppp3 0.0.0.0/0 0.0.0.0/0
4374K 2049M EXTERN-INTERN all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
    0 0 EXTERN-INTERN all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0
    0 0 EXTERN-INTERN all -- ippp0 eth0 0.0.0.0/0 0.0.0.0/0
    0 0 EXTERN-INTERN all -- ippp1 eth0 0.0.0.0/0 0.0.0.0/0
19296 1326K EXTERN-INTERN all -- ppp0 eth0 0.0.0.0/0 0.0.0.0/0
    0 0 EXTERN-INTERN all -- ppp1 eth0 0.0.0.0/0 0.0.0.0/0
    0 0 EXTERN-INTERN all -- ppp2 eth0 0.0.0.0/0 0.0.0.0/0
    0 0 EXTERN-INTERN all -- ppp3 eth0 0.0.0.0/0 0.0.0.0/0
90352 7170K IPSEC all -- ipsec0 * 0.0.0.0/0 0.0.0.0/0
 114K 97M IPSEC all -- * ipsec0 0.0.0.0/0 0.0.0.0/0
  438 18921 KEIN-ZIEL all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 149 packets, 10385 bytes)
 pkts bytes target prot opt in out source destination
 186K 113M RAUS all -- * * 0.0.0.0/0 0.0.0.0/0

Chain EXTERN-INTERN (8 references)
 pkts bytes target prot opt in out source destination
4371K 2049M ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- ippp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- ippp1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
19264 1324K ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- ppp1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- ppp2 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- ppp3 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
   18 1080 ACCEPT tcp -- * * 192.168.190.110 191.1.1.3 tcp dpt:80
  251 15060 ACCEPT tcp -- * * 192.168.190.110 191.1.1.16 tcp dpt:80
 2043 123K ACCEPT tcp -- * * 192.168.190.110 191.1.1.4 tcp dpt:80
    0 0 ACCEPT tcp -- * * 192.168.190.0/24 191.1.1.8 tcp dpt:53
    0 0 ACCEPT udp -- * * 192.168.190.0/24 191.1.1.8 udp dpt:53
    0 0 ACCEPT tcp -- * * 192.168.190.0/24 191.1.1.57 tcp dpt:53
    0 0 ACCEPT udp -- * * 192.168.190.0/24 191.1.1.57 udp dpt:53
   32 2240 ACCEPT all -- ppp0 * 192.168.192.0/24 191.1.1.0/24
    0 0 ACCEPT all -- ppp1 * 192.168.192.0/24 191.1.1.0/24
    0 0 ACCEPT all -- ppp2 * 192.168.192.0/24 191.1.1.0/24
    0 0 ACCEPT all -- ppp3 * 192.168.192.0/24 191.1.1.0/24
    0 0 TEST all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INTERN-EXTERN (9 references)
 pkts bytes target prot opt in out source destination
   82 3936 DROP tcp -- * * 191.1.1.0/24 0.0.0.0/0 tcp dpt:8080
    0 0 DROP tcp -- * * 191.1.1.0/24 0.0.0.0/0 tcp dpts:6346:6347
    0 0 DROP tcp -- * * 191.1.1.0/24 0.0.0.0/0 tcp dpts:5190:5193
 3676 167K ACCEPT tcp -- * * 191.1.1.0/24 0.0.0.0/0 tcp dpt:6667
    0 0 DROP tcp -- * * 191.1.1.0/24 0.0.0.0/0 tcp dpts:6660:7029
   15 876 DROP tcp -- * * 191.1.1.0/24 0.0.0.0/0 tcp dpt:1863
    0 0 DROP tcp -- * * 191.1.1.0/24 0.0.0.0/0 tcp dpt:2562
    0 0 DROP tcp -- * * 191.1.1.0/24 0.0.0.0/0 tcp dpt:5050
   13 780 DROP tcp -- * * 191.1.1.0/24 0.0.0.0/0 tcp dpt:1961
    0 0 DROP tcp -- * * 191.1.1.0/24 0.0.0.0/0 tcp dpt:8074
 424K 35M ACCEPT all -- * * 192.168.173.0/24 0.0.0.0/0
 1952 266K ACCEPT all -- * * 0.0.0.0/0 192.168.173.0/24
5443K 5402M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain IPSEC (5 references)
 pkts bytes target prot opt in out source destination
91066 13M ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
90352 7170K ACCEPT all -- ipsec0 eth0 0.0.0.0/0 0.0.0.0/0
 114K 97M ACCEPT all -- eth0 ipsec0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- ipsec0 ippp0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- ippp0 ipsec0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- ipsec0 ippp1 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- ippp1 ipsec0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- ipsec0 eth2 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- eth2 ipsec0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- ipsec0 eth1 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain KEIN-ZIEL (1 references)
 pkts bytes target prot opt in out source destination
  438 18921 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LOGDROP (2 references)
 pkts bytes target prot opt in out source destination
 1971 150K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MAIL (3 references)
 pkts bytes target prot opt in out source destination
 3761 4302K ACCEPT tcp -- * * 191.1.1.3 192.168.190.100 tcp dpt:25
21572 29M ACCEPT tcp -- * * 191.1.1.4 192.168.190.100 tcp dpt:25
 1228 1271K ACCEPT tcp -- * * 191.1.1.16 192.168.190.100 tcp dpt:25
    0 0 ACCEPT tcp -- * * 191.1.1.63 192.168.190.100 tcp dpt:25
  400 35154 ACCEPT tcp -- * * 191.1.1.44 0.0.0.0/0 tcp dpt:25
    0 0 ACCEPT tcp -- * * 191.1.1.102 192.168.190.100 tcp dpt:25
11901 14M ACCEPT tcp -- * * 192.168.190.100 191.1.1.3 tcp dpt:25
16004 21M ACCEPT tcp -- * * 192.168.190.100 191.1.1.4 tcp dpt:25
    0 0 ACCEPT tcp -- * * 192.168.190.100 191.1.1.16 tcp dpt:25
    0 0 ACCEPT tcp -- * * 192.168.190.100 191.1.1.63 tcp dpt:25
  190 31268 ACCEPT tcp -- * * 192.168.190.100 191.1.1.102 tcp dpt:25
    0 0 ACCEPT tcp -- * * 192.168.190.100 191.1.1.14 tcp dpt:25
    0 0 ACCEPT tcp -- * * 192.168.190.110 191.1.1.3 tcp dpt:25
    0 0 ACCEPT tcp -- * * 192.168.190.110 191.1.1.4 tcp dpt:25
    0 0 ACCEPT tcp -- * * 192.168.190.110 191.1.1.16 tcp dpt:25
    0 0 ACCEPT tcp -- * * 192.168.190.110 191.1.1.63 tcp dpt:25
    0 0 ACCEPT tcp -- * * 192.168.190.110 191.1.1.102 tcp dpt:25
    0 0 ACCEPT tcp -- * * 192.168.190.100 191.1.1.14 tcp dpt:25
   19 884 LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain RAUS (1 references)
 pkts bytes target prot opt in out source destination
28356 5705K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
 158K 108M ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * eth2 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * ippp0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * ippp1 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * ppp0 0.0.0.0/0 0.0.0.0/0

Chain REIN (1 references)
 pkts bytes target prot opt in out source destination
49935 6396K ACCEPT all -- eth0 * 191.1.1.0/24 0.0.0.0/0
 4131 437K ACCEPT all -- eth0 * 192.168.173.0/24 0.0.0.0/0
    0 0 ACCEPT all -- eth0 * 192.168.180.0/24 0.0.0.0/0
  314 16312 ACCEPT tcp -- eth1 * 0.0.0.0/0 212.21.84.30 tcp dpt:1723
    0 0 ACCEPT tcp -- eth1 * 209.205.174.238 212.21.84.30 tcp dpt:1723
    0 0 ACCEPT tcp -- eth1 * 209.205.191.44 212.21.84.30 tcp dpt:1723
    0 0 ACCEPT tcp -- ipsec0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
28362 2601K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- ippp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- ippp1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 1952 149K LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SPOOFING (0 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain TEST (1 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `fp=test:0 a=DROP '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/lib/ipsec/barf: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/lib/ipsec/barf: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/lib/ipsec/barf: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/lib/ipsec/barf: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 122K packets, 8685K bytes)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- ippp1 * 191.1.1.0/24 0.0.0.0/0
    0 0 DROP all -- ippp0 * 191.1.1.0/24 0.0.0.0/0
    0 0 DROP all -- eth2 * 191.1.1.0/24 0.0.0.0/0
    0 0 DROP all -- eth1 * 191.1.1.0/24 0.0.0.0/0
    0 0 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.3 tcp dpt:80 to:192.168.190.3:80
    0 0 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.4 tcp dpt:80 to:192.168.190.4:80
    0 0 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.6 tcp dpt:80 to:192.168.190.6:80
    0 0 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.7 tcp dpt:80 to:192.168.190.7:80
    0 0 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.8 tcp dpt:80 to:192.168.190.8:80
    0 0 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.9 tcp dpt:80 to:192.168.190.10:80
   10 480 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.10 tcp dpt:80 to:192.168.190.10:80
    0 0 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.11 tcp dpt:80 to:192.168.190.11:80
    0 0 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.13 tcp dpt:80 to:192.168.190.13:80
    0 0 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.16 tcp dpt:80 to:192.168.190.16:80
   29 1324 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.250 tcp dpt:80 to:192.168.190.250:80
    8 380 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.250 tcp dpt:21 to:192.168.190.250:21
  100 4800 DNAT tcp -- eth0 * 0.0.0.0/0 212.21.84.250 tcp dpt:443 to:192.168.190.250:443

Chain POSTROUTING (policy ACCEPT 7501 packets, 712K bytes)
 pkts bytes target prot opt in out source destination
   23 1250 MASQUERADE all -- * eth0 0.0.0.0/0 192.168.42.0/24
    0 0 MASQUERADE all -- * eth0 0.0.0.0/0 10.3.6.0/24
  281 11576 MASQUERADE all -- * eth0 0.0.0.0/0 10.3.7.0/24
    0 0 MASQUERADE all -- * eth2 0.0.0.0/0 0.0.0.0/0
94433 4813K MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
    0 0 MASQUERADE all -- * ippp0 0.0.0.0/0 0.0.0.0/0
    0 0 MASQUERADE all -- * ippp1 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1250 packets, 80147 bytes)
 pkts bytes target prot opt in out source destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/lib/ipsec/barf: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/lib/ipsec/barf: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 11M packets, 7684M bytes)
 pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 250K packets, 34M bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 11M packets, 7963M bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 190K packets, 114M bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 12M packets, 8110M bytes)
 pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ cat /proc/modules
ipsec 235424 2
ppp_deflate 39456 0 (autoclean)
bsd_comp 4032 0 (autoclean)
ppp_async 6080 0 (autoclean)
af_packet 11528 0 (autoclean)
ipv6 123424 -1 (autoclean)
isa-pnp 27816 0 (unused)
ppp_mppe 20128 0
ppp_generic 14984 0 [ppp_deflate bsd_comp ppp_async ppp_mppe]
slhc 4432 0 [ppp_generic]
ne2k-pci 4800 1
8390 5856 0 [ne2k-pci]
e100 69272 2
ipt_state 608 15 (autoclean)
ipt_MASQUERADE 1216 7 (autoclean)
iptable_mangle 2144 0 (autoclean) (unused)
iptable_filter 1728 1 (autoclean)
ip_conntrack_ftp 3200 0 (unused)
ip_nat_ftp 2944 0 (unused)
iptable_nat 12756 2 [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack 12652 3 [ipt_state ipt_MASQUERADE ip_conntrack_ftp ip_nat_ftp iptable_nat]
ipt_LOG 3168 1
ip_tables 10400 8 [ipt_state ipt_MASQUERADE iptable_mangle iptable_filter iptable_nat ipt_LOG]
reiserfs 158816 2
+ _________________________ proc/meminfo
+ cat /proc/meminfo
        total: used: free: shared: buffers: cached:
Mem: 261537792 255651840 5885952 0 81801216 75206656
Swap: 526376960 0 526376960
MemTotal: 255408 kB
MemFree: 5748 kB
MemShared: 0 kB
Buffers: 79884 kB
Cached: 73444 kB
SwapCached: 0 kB
Active: 72224 kB
Inactive: 87288 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 255408 kB
LowFree: 5748 kB
SwapTotal: 514040 kB
SwapFree: 514040 kB
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r-- 1 root root 0 Jul 23 09:25 /proc/net/ipsec_eroute
-r--r--r-- 1 root root 0 Jul 23 09:25 /proc/net/ipsec_klipsdebug
-r--r--r-- 1 root root 0 Jul 23 09:25 /proc/net/ipsec_spi
-r--r--r-- 1 root root 0 Jul 23 09:25 /proc/net/ipsec_spigrp
-r--r--r-- 1 root root 0 Jul 23 09:25 /proc/net/ipsec_tncfg
-r--r--r-- 1 root root 0 Jul 23 09:25 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
CONFIG_MTD_OBSOLETE_CHIPS=y
CONFIG_CIPHER_TWOFISH=m
CONFIG_MD_MULTIPATH=m
CONFIG_NETLINK_DEV=m
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
# IP: Netfilter Configuration
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_PSD=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_IPLIMIT=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_STRING=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_COMPAT_IPFWADM=m
CONFIG_IP_NF_NAT_NEEDED=y
# IP: Virtual Server Configuration
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
# IPVS scheduler
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
# IPVS application helper
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
# IPv6: Netfilter Configuration
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_ATM_CLIP=y
CONFIG_ATM_CLIP_NO_ICMP=y
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
# CONFIG_IDEDMA_PCI_WIP is not set
CONFIG_IDE_CHIPSETS=y
CONFIG_SCSI_IPS=m
# CONFIG_SCSI_IZIP_EPP16 is not set
# CONFIG_SCSI_IZIP_SLOW_CTR is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_TULIP=m
# CONFIG_TULIP_MWI is not set
# CONFIG_TULIP_MMIO is not set
CONFIG_HIPPI=y
CONFIG_PLIP=m
CONFIG_SLIP=m
CONFIG_SLIP_COMPRESSED=y
CONFIG_SLIP_SMART=y
CONFIG_SLIP_MODE_SLIP6=y
CONFIG_STRIP=m
CONFIG_IPHASE5526=m
CONFIG_WANPIPE_CHDLC=y
CONFIG_WANPIPE_FR=y
CONFIG_WANPIPE_X25=y
CONFIG_WANPIPE_PPP=y
CONFIG_WANPIPE_MULTPPP=y
CONFIG_PCMCIA_XIRTULIP=m
CONFIG_HISAX_FRITZ_PCIPNP=m
CONFIG_SERIAL_MULTIPORT=y
CONFIG_INPUT_GRIP=m
CONFIG_FBCON_IPLAN2P2=m
CONFIG_FBCON_IPLAN2P4=m
CONFIG_FBCON_IPLAN2P8=m
CONFIG_USB_AIPTEK=m
CONFIG_USB_SERIAL_IPAQ=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf - Configuration file for syslogd(8)
#
# For info about the format of this file, see "man syslog.conf".
#

#
#
# print most on tty10 and on the xconsole pipe
#
kern.warn;*.err;authpriv.none /dev/tty10
kern.warn;*.err;authpriv.none |/dev/xconsole
*.emerg *

# enable this, if you want that root is informed
# immediately, e.g. of logins
#*.alert root

#
# all email-messages in one file
#
mail.* -/var/log/mail

#
# all news-messages
#
# these files are rotated and examined by "news.daily"
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
# enable this, if you want to keep all news messages
# in one file
#news.* -/var/log/news.all

#
# Warnings in one file
#
*.=warn;*.=err -/var/log/warn
*.crit /var/log/warn

#
# save the rest in one file
#
*.*;mail.none;news.none -/var/log/messages

#
# enable this, if you want to keep all messages
# in one file
#*.* -/var/log/allmessages

#
# Some foreign boot scripts require local7
#
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages

kern.* -/var/log/firewall
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '46435,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Jul 23 09:23:23 cse52 ipsec_setup: Starting FreeS/WAN IPsec 1.95...
Jul 23 09:23:24 cse52 kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.95
Jul 23 09:23:24 cse52 ipsec_setup: KLIPS debug `none'
Jul 23 09:23:24 cse52 ipsec_setup: KLIPS ipsec0 on eth1:1 212.21.84.30/255.255.255.224 broadcast 212.21.84.31
Jul 23 09:23:24 cse52 ipsec__plutorun: Starting Pluto subsystem...
Jul 23 09:23:24 cse52 Pluto[15376]: Starting Pluto (FreeS/WAN Version 1.95)
Jul 23 09:23:24 cse52 Pluto[15376]: including X.509 patch (Version 0.9.8)
Jul 23 09:23:24 cse52 Pluto[15376]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 23 09:23:24 cse52 Pluto[15376]: loaded cacert file 'RootCA.der' (1247 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: Changing to directory '/etc/ipsec.d/crls'
Jul 23 09:23:24 cse52 Pluto[15376]: loaded crl file 'crl.pem' (727 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: loaded my X.509 cert file '/etc/x509cert.der' (1290 bytes)
Jul 23 09:23:24 cse52 ipsec_setup: ...FreeS/WAN IPsec started
Jul 23 09:23:24 cse52 ipsec_setup: ^M^[[115C^[[10D^[[1;32mdone^[[m^O
Jul 23 09:23:24 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/softvig-polen-cert.pem' (5115 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: added connection description "softvig_dekra1"
Jul 23 09:23:24 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile1-cert.pem' (5128 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: added connection description "mobile1_fps"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/softvig-polen-cert.pem' (5115 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "softvig_dekra2"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/softvig-polen-cert.pem' (5115 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "softvig_bsr"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile2-cert.pem' (5171 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "mobile2_dekra1"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile1-cert.pem' (5128 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "mobile1_dekra1"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile2-cert.pem' (5171 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "mobile2_dmz"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile2-cert.pem' (5171 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "mobile2_dekra2"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile1-cert.pem' (5128 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "mobile1_dekra2"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile2-cert.pem' (5171 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "mobile2_bsr"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/caranonbreq.pem' (1598 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "NB_carano"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/softvig-polen-cert.pem' (5115 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "softvig_fps"
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile1-cert.pem' (5128 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: added connection description "mobile1_dmz"
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/softvig-polen-cert.pem' (5115 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: added connection description "softvig_carano"
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile1-cert.pem' (5128 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: added connection description "mobile1_bsr"
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile2-cert.pem' (5171 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: added connection description "mobile2_fps"
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile2-cert.pem' (5171 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: added connection description "mobile2_carano"
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile1-cert.pem' (5128 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: added connection description "mobile1_carano"
Jul 23 09:23:26 cse52 Pluto[15376]: listening for IKE messages
Jul 23 09:23:26 cse52 Pluto[15376]: adding interface ipsec0/eth1:1 212.21.84.30
Jul 23 09:23:26 cse52 Pluto[15376]: loading secrets from "/etc/ipsec.secrets"
Jul 23 09:23:26 cse52 Pluto[15376]: "softvig_dekra1" #1: initiating Main Mode
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra1" #1: Peer ID is ID_DER_ASN1_DN: 'C=PL, ST=POLEN, L=STETIN, O=SOFTVIG, OU=SOFTVIG, CN=Elmar Grote, E=admin_at_carano.de'
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra1" #1: Next CRL update was expected on Dec 29 16:11:44 UTC 2001
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra1" #1: Next CRL update was expected on Dec 29 16:11:44 UTC 2001
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra1" #1: ISAKMP SA established
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra1" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra1" #2: sent QI2, IPsec SA established
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra2" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Jul 23 09:23:28 cse52 ipsec__plutorun: 104 "softvig_dekra1" #1: STATE_MAIN_I1: initiate
Jul 23 09:23:28 cse52 ipsec__plutorun: 106 "softvig_dekra1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 23 09:23:28 cse52 ipsec__plutorun: 108 "softvig_dekra1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 23 09:23:28 cse52 ipsec__plutorun: 004 "softvig_dekra1" #1: STATE_MAIN_I4: ISAKMP SA established
Jul 23 09:23:28 cse52 ipsec__plutorun: 112 "softvig_dekra1" #2: STATE_QUICK_I1: initiate
Jul 23 09:23:28 cse52 ipsec__plutorun: 004 "softvig_dekra1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra2" #3: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 ipsec__plutorun: 112 "softvig_dekra2" #3: STATE_QUICK_I1: initiate
Jul 23 09:23:29 cse52 ipsec__plutorun: 004 "softvig_dekra2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_bsr" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_carano" #5: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_bsr" #4: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 Pluto[15376]: packet from 217.9.45.175:500: Main Mode message is part of an unknown exchange
Jul 23 09:23:29 cse52 ipsec__plutorun: 112 "softvig_bsr" #4: STATE_QUICK_I1: initiate
Jul 23 09:23:29 cse52 ipsec__plutorun: 004 "softvig_bsr" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_fps" #6: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_carano" #5: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_fps" #6: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 ipsec__plutorun: 112 "softvig_fps" #6: STATE_QUICK_I1: initiate
Jul 23 09:23:29 cse52 ipsec__plutorun: 004 "softvig_fps" #6: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_carano" #7: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Jul 23 09:23:30 cse52 Pluto[15376]: "softvig_carano" #7: sent QI2, IPsec SA established
Jul 23 09:23:30 cse52 ipsec__plutorun: 112 "softvig_carano" #7: STATE_QUICK_I1: initiate
Jul 23 09:23:30 cse52 ipsec__plutorun: 004 "softvig_carano" #7: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 23 09:23:37 cse52 Pluto[15376]: packet from 217.9.45.175:500: Main Mode message is part of an unknown exchange
Jul 23 09:23:53 cse52 Pluto[15376]: packet from 217.9.45.175:500: Main Mode message is part of an unknown exchange
Jul 23 09:24:27 cse52 Pluto[15376]: packet from 217.9.44.34:500: Main Mode message is part of an unknown exchange
Jul 23 09:24:58 cse52 Pluto[15376]: packet from 217.9.44.96:500: Main Mode message is part of an unknown exchange
+ _________________________ plog
+ sed -n '46439,$p' /var/log/messages
+ egrep -i pluto
+ cat
Jul 23 09:23:24 cse52 ipsec__plutorun: Starting Pluto subsystem...
Jul 23 09:23:24 cse52 Pluto[15376]: Starting Pluto (FreeS/WAN Version 1.95)
Jul 23 09:23:24 cse52 Pluto[15376]: including X.509 patch (Version 0.9.8)
Jul 23 09:23:24 cse52 Pluto[15376]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 23 09:23:24 cse52 Pluto[15376]: loaded cacert file 'RootCA.der' (1247 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: Changing to directory '/etc/ipsec.d/crls'
Jul 23 09:23:24 cse52 Pluto[15376]: loaded crl file 'crl.pem' (727 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: loaded my X.509 cert file '/etc/x509cert.der' (1290 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/softvig-polen-cert.pem' (5115 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: added connection description "softvig_dekra1"
Jul 23 09:23:24 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile1-cert.pem' (5128 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:24 cse52 Pluto[15376]: added connection description "mobile1_fps"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/softvig-polen-cert.pem' (5115 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "softvig_dekra2"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/softvig-polen-cert.pem' (5115 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "softvig_bsr"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile2-cert.pem' (5171 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "mobile2_dekra1"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile1-cert.pem' (5128 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "mobile1_dekra1"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile2-cert.pem' (5171 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "mobile2_dmz"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile2-cert.pem' (5171 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "mobile2_dekra2"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile1-cert.pem' (5128 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "mobile1_dekra2"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile2-cert.pem' (5171 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "mobile2_bsr"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/caranonbreq.pem' (1598 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "NB_carano"
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/softvig-polen-cert.pem' (5115 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:25 cse52 Pluto[15376]: added connection description "softvig_fps"
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile1-cert.pem' (5128 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: added connection description "mobile1_dmz"
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/softvig-polen-cert.pem' (5115 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: added connection description "softvig_carano"
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile1-cert.pem' (5128 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: added connection description "mobile1_bsr"
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile2-cert.pem' (5171 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: added connection description "mobile2_fps"
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile2-cert.pem' (5171 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: added connection description "mobile2_carano"
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/mobile1-cert.pem' (5128 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: loaded host cert file '/etc/ipsec.d/cse52cert.pem' (5192 bytes)
Jul 23 09:23:26 cse52 Pluto[15376]: added connection description "mobile1_carano"
Jul 23 09:23:26 cse52 Pluto[15376]: listening for IKE messages
Jul 23 09:23:26 cse52 Pluto[15376]: adding interface ipsec0/eth1:1 212.21.84.30
Jul 23 09:23:26 cse52 Pluto[15376]: loading secrets from "/etc/ipsec.secrets"
Jul 23 09:23:26 cse52 Pluto[15376]: "softvig_dekra1" #1: initiating Main Mode
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra1" #1: Peer ID is ID_DER_ASN1_DN: 'C=PL, ST=POLEN, L=STETIN, O=SOFTVIG, OU=SOFTVIG, CN=Elmar Grote, E=admin_at_carano.de'
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra1" #1: Next CRL update was expected on Dec 29 16:11:44 UTC 2001
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra1" #1: Next CRL update was expected on Dec 29 16:11:44 UTC 2001
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra1" #1: ISAKMP SA established
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra1" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra1" #2: sent QI2, IPsec SA established
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra2" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Jul 23 09:23:28 cse52 ipsec__plutorun: 104 "softvig_dekra1" #1: STATE_MAIN_I1: initiate
Jul 23 09:23:28 cse52 ipsec__plutorun: 106 "softvig_dekra1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 23 09:23:28 cse52 ipsec__plutorun: 108 "softvig_dekra1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 23 09:23:28 cse52 ipsec__plutorun: 004 "softvig_dekra1" #1: STATE_MAIN_I4: ISAKMP SA established
Jul 23 09:23:28 cse52 ipsec__plutorun: 112 "softvig_dekra1" #2: STATE_QUICK_I1: initiate
Jul 23 09:23:28 cse52 ipsec__plutorun: 004 "softvig_dekra1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 23 09:23:28 cse52 Pluto[15376]: "softvig_dekra2" #3: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 ipsec__plutorun: 112 "softvig_dekra2" #3: STATE_QUICK_I1: initiate
Jul 23 09:23:29 cse52 ipsec__plutorun: 004 "softvig_dekra2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_bsr" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_carano" #5: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_bsr" #4: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 Pluto[15376]: packet from 217.9.45.175:500: Main Mode message is part of an unknown exchange
Jul 23 09:23:29 cse52 ipsec__plutorun: 112 "softvig_bsr" #4: STATE_QUICK_I1: initiate
Jul 23 09:23:29 cse52 ipsec__plutorun: 004 "softvig_bsr" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_fps" #6: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_carano" #5: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_fps" #6: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 ipsec__plutorun: 112 "softvig_fps" #6: STATE_QUICK_I1: initiate
Jul 23 09:23:29 cse52 ipsec__plutorun: 004 "softvig_fps" #6: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 23 09:23:29 cse52 Pluto[15376]: "softvig_carano" #7: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Jul 23 09:23:30 cse52 Pluto[15376]: "softvig_carano" #7: sent QI2, IPsec SA established
Jul 23 09:23:30 cse52 ipsec__plutorun: 112 "softvig_carano" #7: STATE_QUICK_I1: initiate
Jul 23 09:23:30 cse52 ipsec__plutorun: 004 "softvig_carano" #7: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 23 09:23:37 cse52 Pluto[15376]: packet from 217.9.45.175:500: Main Mode message is part of an unknown exchange
Jul 23 09:23:53 cse52 Pluto[15376]: packet from 217.9.45.175:500: Main Mode message is part of an unknown exchange
Jul 23 09:24:27 cse52 Pluto[15376]: packet from 217.9.44.34:500: Main Mode message is part of an unknown exchange
Jul 23 09:24:58 cse52 Pluto[15376]: packet from 217.9.44.96:500: Main Mode message is part of an unknown exchange
+ _________________________ date
+ date
Tue Jul 23 09:25:07 CEST 2002

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:26 CEST