[Users] Routing Error? No ping! Freeswan 1.99 w/ x.509 and SSH Sentinel 1.4 Roadwarrior Client

From: Jonathan K. Poon (PoonJ_at_hotmail.com)
Date: Thu Nov 28 2002 - 23:43:07 CET


Hey all,

I think I am experiencing a routing error, but I don't know where to start to see what I could do to alleviate the problem.

I am using freeswan 1.99 w/ x.509 certificate support, while the roadwarrior client is using SSH Sentinel 1.4. The setup I currently have is for Virtual IP support. The private network behind the freeswan gateway is using the 192.168.1.0/24 subnet, and the Virtual IP is set to 192.168.1.200/32.

I currently have this setup on the freeswan gateway server. It acts not only as the ipsec gateway, but as the network gateway as well, using ipchains for firewalling. The network card configuration is as follows:

eth0 --> 192.168.1.254 (Internal network)
eth1 --> <external ip>
ipsec0 --> <external ip>

I am able to pass the diagnostics and have a successful connection. However, when I try to ping the computers behind the freeswan gateway, I experience problems with the pings timing out on the roadwarrior side of the connection. However, on the server, I am doing a tcpdump on all three of the interfaces. Here, 192.168.1.3 is a computer behind the gateway on the LAN, while 192.168.1.200 is the SSH Sentinel roadwarrior client. Here is the output for eth0 (the internal network card on the server):

tcpdump: listening on eth0
14:21:29.765131 192.168.1.200 > 192.168.1.3: icmp: echo request
14:21:29.765620 arp who-has 192.168.1.200 tell 192.168.1.3
14:21:29.771159 arp reply 192.168.1.200 is-at 0:90:27:dc:ed:41
14:21:29.771488 192.168.1.3 > 192.168.1.200: icmp: echo reply
14:21:30.844450 192.168.1.200 > 192.168.1.3: icmp: echo request
14:21:30.844861 192.168.1.3 > 192.168.1.200: icmp: echo reply
14:21:31.847884 192.168.1.200 > 192.168.1.3: icmp: echo request
14:21:31.848375 192.168.1.3 > 192.168.1.200: icmp: echo reply
14:21:32.848666 192.168.1.200 > 192.168.1.3: icmp: echo request
14:21:32.849079 192.168.1.3 > 192.168.1.200: icmp: echo reply
14:21:35.841152 arp who-has 192.168.1.3 tell 192.168.1.254
14:21:35.841571 arp reply 192.168.1.3 is-at 0:40:33:57:14:bb

Here is the output on ipsec0

tcpdump: listening on ipsec0
14:23:27.210202 192.168.1.200 > 192.168.1.3: icmp: echo request
14:23:27.210879 192.168.1.3 > 192.168.1.200: icmp: echo reply
14:23:28.505126 192.168.1.200 > 192.168.1.3: icmp: echo request
14:23:28.505668 192.168.1.3 > 192.168.1.200: icmp: echo reply
14:23:29.505638 192.168.1.200 > 192.168.1.3: icmp: echo request
14:23:29.506206 192.168.1.3 > 192.168.1.200: icmp: echo reply
14:23:30.505906 192.168.1.200 > 192.168.1.3: icmp: echo request
14:23:30.506492 192.168.1.3 > 192.168.1.200: icmp: echo reply

Obviously, the packets are getting through and there is also an echo reply from the internal computer on the network. However, I don't get packets back on the roadwarrior client. For some reason, the packets are not going back through the tunnel. I was thinking that it could have been a routing error, but here is the routing table for both the linux system and the ipsec daemon.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
mail2.gwfund.co 67.112.12.97    255.255.255.255 UGH   0      0        0 ipsec0
192.168.1.200   67.112.12.97    255.255.255.255 UGH   0      0        0 ipsec0
67.112.12.96    *               255.255.255.252 U     0      0        0 eth1
67.112.12.96    *               255.255.255.252 U     0      0        0 ipsec0
192.168.2.0     67.112.12.97    255.255.255.0   UG    0      0        0 ipsec0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
default         67.112.12.97    0.0.0.0         UG    0      0        0 eth1

burrito:/etc# ipsec eroute
448 67.112.12.98/32 -> 67.119.198.130/32 => tun0x1008@67.119.198.130
151 67.112.12.98/32 -> 192.168.2.0/24 => tun0x1004@67.119.198.130
80 192.168.1.0/24 -> 67.119.198.130/32 => tun0x1006@67.119.198.130
14 192.168.1.0/24 -> 192.168.1.200/32 => tun0x100c@63.193.113.176
73 192.168.1.0/24 -> 192.168.2.0/24 => tun0x1002@67.119.198.130

Seeing this information, the tunnel does seem to be set up correctly, but no packets are going through, which is confusing me heavily on this problem. Anyone here have any ideas as to why no pings are going back to the roadwarrior client?

Below is the output with additional information on the client, and the ipsec barf for the rest of the information:

Please email me at poonj_at_hotmail.com if you have any suggestions. I appreciate your help.

Thanks again.

-Jonathan Poon
PoonJ_at_hotmail.com

Here is the output from the Windows SSH Sentinel Roadwarrior Client for IP information:

Ethernet adapter {630905C7-1DF4-4DDE-941B-5752FAF7152C}:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : SSH Virtual NIC
        Physical Address. . . . . . . . . : 0A-B2-87-74-33-7E
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.200
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 1.1.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.254
        Primary WINS Server . . . . . . . : 192.168.2.254
        Lease Obtained. . . . . . . . . . : Thursday, November 28, 2002 2:04:44 PM
        Lease Expires . . . . . . . . . . : Monday, January 18, 2038 7:14:07 PM

Here is an IPSEC BARF

burrito
Thu Nov 28 14:09:48 PST 2002
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 1.99
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.2.20 (root_at_burrito) (gcc version 2.95.4 20011002 (Debian prerelease)) #14 Fri Nov 15 22:50:52 PST 2002
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
14 192.168.1.0/24 -> 192.168.1.200/32 => tun0x100c@63.193.113.176
82 192.168.1.0/24 -> 192.168.2.0/24 => tun0x1002@67.119.198.130
155 67.112.12.98/32 -> 192.168.2.0/24 => tun0x1004@67.119.198.130
81 192.168.1.0/24 -> 67.119.198.130/32 => tun0x1006@67.119.198.130
462 67.112.12.98/32 -> 67.119.198.130/32 => tun0x1008@67.119.198.130
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH        0 0          0 eth0
67.119.198.130  67.112.12.97    255.255.255.255 UGH       0 0          0 ipsec0
192.168.1.200   67.112.12.97    255.255.255.255 UGH       0 0          0 ipsec0
67.112.12.96    0.0.0.0         255.255.255.252 U         0 0          0 eth1
67.112.12.96    0.0.0.0         255.255.255.252 U         0 0          0 ipsec0
192.168.2.0     67.112.12.97    255.255.255.0   UG        0 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         67.112.12.97    0.0.0.0         UG        0 0          0 eth1
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
tun0x1008@67.119.198.130 IPIP: dir=out src=67.112.12.98 life(c,s,h)=bytes(9012,0,0)addtime(2901,0,0)usetime(2084,0,0)packets(72,0,0) idle=274
tun0x1006@67.119.198.130 IPIP: dir=out src=67.112.12.98 life(c,s,h)=bytes(9537,0,0)addtime(2901,0,0)usetime(2899,0,0)packets(81,0,0) idle=117
tun0x1004@67.119.198.130 IPIP: dir=out src=67.112.12.98 life(c,s,h)=bytes(18663,0,0)addtime(2901,0,0)usetime(2815,0,0)packets(155,0,0) idle=51
tun0x1002@67.119.198.130 IPIP: dir=out src=67.112.12.98 life(c,s,h)=bytes(14585,0,0)addtime(2901,0,0)usetime(2805,0,0)packets(82,0,0) idle=47
tun0x100c@63.193.113.176 IPIP: dir=out src=67.112.12.98 life(c,s,h)=bytes(1569,0,0)addtime(782,0,0)usetime(771,0,0)packets(14,0,0) idle=656
tun0x100a@63.193.113.176 IPIP: dir=out src=67.112.12.98 life(c,s,h)=addtime(2896,0,0)
esp0xbbd9eaa0@67.119.198.130 ESP_3DES_HMAC_MD5: dir=out src=67.112.12.98 iv_bits=64bits iv=0x6003ea339b2abe6c ooowin=64 seq=72 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(11328,0,0)addtime(2901,0,0)usetime(2084,0,0)packets(72,0,0) idle=274
esp0xbbd9ea9f@67.119.198.130 ESP_3DES_HMAC_MD5: dir=out src=67.112.12.98 iv_bits=64bits iv=0x74fd465cc6e95639 ooowin=64 seq=81 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(12296,0,0)addtime(2901,0,0)usetime(2899,0,0)packets(81,0,0) idle=117
esp0xbbd9ea9e@67.119.198.130 ESP_3DES_HMAC_MD5: dir=out src=67.112.12.98 iv_bits=64bits iv=0x6f810419ea14423d ooowin=64 seq=155 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(23920,0,0)addtime(2901,0,0)usetime(2815,0,0)packets(155,0,0) idle=51
esp0xbbd9ea9d@67.119.198.130 ESP_3DES_HMAC_MD5: dir=out src=67.112.12.98 iv_bits=64bits iv=0x84d506c6cc30c91b ooowin=64 seq=82 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(17360,0,0)addtime(2901,0,0)usetime(2805,0,0)packets(82,0,0) idle=47
tun0x100b@67.112.12.98 IPIP: dir=in src=63.193.113.176 policy=192.168.1.200/32->192.168.1.0/24 flags=0x8<> life(c,s,h)=bytes(1134,0,0)addtime(782,0,0)usetime(772,0,0)packets(14,0,0) idle=656
tun0x1009@67.112.12.98 IPIP: dir=in src=63.193.113.176 policy=192.168.1.200/32->192.168.1.0/24 flags=0x8<> life(c,s,h)=addtime(2896,0,0)
tun0x1007@67.112.12.98 IPIP: dir=in src=67.119.198.130 policy=67.119.198.130/32->67.112.12.98/32 flags=0x8<> life(c,s,h)=bytes(9690,0,0)addtime(2901,0,0)usetime(2084,0,0)packets(66,0,0) idle=274
tun0x1005@67.112.12.98 IPIP: dir=in src=67.119.198.130 policy=67.119.198.130/32->192.168.1.0/24 flags=0x8<> life(c,s,h)=bytes(9420,0,0)addtime(2901,0,0)usetime(2899,0,0)packets(81,0,0) idle=117
tun0x1003@67.112.12.98 IPIP: dir=in src=67.119.198.130 policy=192.168.2.0/24->67.112.12.98/32 flags=0x8<> life(c,s,h)=bytes(16130,0,0)addtime(2901,0,0)usetime(2815,0,0)packets(191,0,0) idle=51
tun0x1001@67.112.12.98 IPIP: dir=in src=67.119.198.130 policy=192.168.2.0/24->192.168.1.0/24 flags=0x8<> life(c,s,h)=bytes(14540,0,0)addtime(2901,0,0)usetime(2805,0,0)packets(83,0,0) idle=23
esp0x80c4b81b@63.193.113.176 ESP_3DES_HMAC_MD5: dir=out src=67.112.12.98 iv_bits=64bits iv=0xdf508fa112d2a64a ooowin=64 seq=14 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(2024,0,0)addtime(782,0,0)usetime(771,0,0)packets(14,0,0) idle=656
esp0x630caaa6@63.193.113.176 ESP_3DES_HMAC_MD5: dir=out src=67.112.12.98 iv_bits=64bits iv=0xe5b63b27637cbdbe ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(2896,0,0)
esp0x4bd33262@67.112.12.98 ESP_3DES_HMAC_MD5: dir=in src=63.193.113.176 iv_bits=64bits iv=0x7578ea32eeccf7e6 ooowin=64 seq=14 bit=0x000003fff alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(1134,0,0)addtime(782,0,0)usetime(772,0,0)packets(14,0,0) idle=656
esp0x4bd33261@67.112.12.98 ESP_3DES_HMAC_MD5: dir=in src=63.193.113.176 iv_bits=64bits iv=0x9cc1101915438723 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(2896,0,0)
esp0x4bd33260@67.112.12.98 ESP_3DES_HMAC_MD5: dir=in src=67.119.198.130 iv_bits=64bits iv=0x9210d5a6d5c86d5f ooowin=64 seq=66 bit=0xffffffffffffffff alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(9690,0,0)addtime(2901,0,0)usetime(2084,0,0)packets(66,0,0) idle=274
esp0x4bd3325f@67.112.12.98 ESP_3DES_HMAC_MD5: dir=in src=67.119.198.130 iv_bits=64bits iv=0xb3585587301efcd9 ooowin=64 seq=81 bit=0xffffffffffffffff alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(9420,0,0)addtime(2901,0,0)usetime(2899,0,0)packets(81,0,0) idle=117
esp0x4bd3325e@67.112.12.98 ESP_3DES_HMAC_MD5: dir=in src=67.119.198.130 iv_bits=64bits iv=0xd9ed188ce8a206cb ooowin=64 seq=191 bit=0xffffffffffffffff alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(16130,0,0)addtime(2901,0,0)usetime(2815,0,0)packets(191,0,0) idle=51
esp0x4bd3325d@67.112.12.98 ESP_3DES_HMAC_MD5: dir=in src=67.119.198.130 iv_bits=64bits iv=0x1b396d1f79cd7f62 ooowin=64 seq=83 bit=0xffffffffffffffff alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(14540,0,0)addtime(2901,0,0)usetime(2805,0,0)packets(83,0,0) idle=23
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1008@67.119.198.130 esp0xbbd9eaa0@67.119.198.130
tun0x1006@67.119.198.130 esp0xbbd9ea9f@67.119.198.130
tun0x1004@67.119.198.130 esp0xbbd9ea9e@67.119.198.130
tun0x1002@67.119.198.130 esp0xbbd9ea9d@67.119.198.130
tun0x100c@63.193.113.176 esp0x80c4b81b@63.193.113.176
tun0x100a@63.193.113.176 esp0x630caaa6@63.193.113.176
tun0x100b@67.112.12.98 esp0x4bd33262@67.112.12.98
tun0x1009@67.112.12.98 esp0x4bd33261@67.112.12.98
tun0x1007@67.112.12.98 esp0x4bd33260@67.112.12.98
tun0x1005@67.112.12.98 esp0x4bd3325f@67.112.12.98
tun0x1003@67.112.12.98 esp0x4bd3325e@67.112.12.98
tun0x1001@67.112.12.98 esp0x4bd3325d@67.112.12.98
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth1 mtu=16260(1443) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
9e762eb0 2334 9daf20a0 0 0 0 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 9daf20a0 2334 9e762eb0
pf_key_registered: 3 9daf20a0 2334 9e762eb0
pf_key_registered: 9 9daf20a0 2334 9e762eb0
pf_key_registered: 10 9daf20a0 2334 9e762eb0
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth1 67.112.12.98
000
000 "RW_Cert_VPN"[2]: 192.168.1.0/24===67.112.12.98[C=US, ST=CA, L=Berkeley, O=Great Western Funding, CN=V.K Chopra, E=vk_at_gwfund.com]---67.112.12.97...63.193.113.176[CN=vk_at_gwfund.com]===192.168.1.200/32
000 "RW_Cert_VPN"[2]: ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "RW_Cert_VPN"[2]: policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; erouted
000 "RW_Cert_VPN"[2]: newest ISAKMP SA: #8; newest IPsec SA: #9; eroute owner: #9
000 "RW_Cert_SecuredConnection"[1]: 67.112.12.98[C=US, ST=CA, L=Berkeley, O=Great Western Funding, CN=V.K Chopra, E=vk_at_gwfund.com]---67.112.12.97...63.193.113.176[CN=vk_at_gwfund.com]
000 "RW_Cert_SecuredConnection"[1]: ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "RW_Cert_SecuredConnection"[1]: policy: RSASIG+ENCRYPT+PFS; interface: eth1; unrouted
000 "RW_Cert_SecuredConnection"[1]: newest ISAKMP SA: #6; newest IPsec SA: #0; eroute owner: #0
000 "berkeleygw-concordgw": 67.112.12.98[@burrito.gwfund.com]---67.112.12.97...67.119.198.129---67.119.198.130[@taco.gwfund.com]
000 "berkeleygw-concordgw": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "berkeleygw-concordgw": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; erouted
000 "berkeleygw-concordgw": newest ISAKMP SA: #0; newest IPsec SA: #5; eroute owner: #5
000 "berkeleynet-concordgw": 192.168.1.0/24===67.112.12.98[@burrito.gwfund.com]---67.112.12.97...67.119.198.129---67.119.198.130[@taco.gwfund.com]
000 "berkeleynet-concordgw": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "berkeleynet-concordgw": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; erouted
000 "berkeleynet-concordgw": newest ISAKMP SA: #0; newest IPsec SA: #4; eroute owner: #4
000 "berkeleygw-concordnet": 67.112.12.98[@burrito.gwfund.com]---67.112.12.97...67.119.198.129---67.119.198.130[@taco.gwfund.com]===192.168.2.0/24
000 "berkeleygw-concordnet": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "berkeleygw-concordnet": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; erouted
000 "berkeleygw-concordnet": newest ISAKMP SA: #0; newest IPsec SA: #3; eroute owner: #3
000 "berkeleynet-concordnet": 192.168.1.0/24===67.112.12.98[@burrito.gwfund.com]---67.112.12.97...67.119.198.129---67.119.198.130[@taco.gwfund.com]===192.168.2.0/24
000 "berkeleynet-concordnet": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "berkeleynet-concordnet": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; erouted
000 "berkeleynet-concordnet": newest ISAKMP SA: #10; newest IPsec SA: #2; eroute owner: #2
000 "RW_Cert_SecuredConnection": 67.112.12.98[C=US, ST=CA, L=Berkeley, O=Great Western Funding, CN=V.K Chopra, E=vk_at_gwfund.com]---67.112.12.97...%any
000 "RW_Cert_SecuredConnection": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "RW_Cert_SecuredConnection": policy: RSASIG+ENCRYPT+PFS; interface: eth1; unrouted
000 "RW_Cert_SecuredConnection": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "RW_Cert_VPN": 192.168.1.0/24===67.112.12.98[C=US, ST=CA, L=Berkeley, O=Great Western Funding, CN=V.K Chopra, E=vk_at_gwfund.com]---67.112.12.97...%any===192.168.1.200/32
000 "RW_Cert_VPN": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "RW_Cert_VPN": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "RW_Cert_VPN": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #5: "berkeleygw-concordgw" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25332s; newest IPSEC; eroute owner
000 #5: "berkeleygw-concordgw" esp.bbd9eaa0@67.119.198.130 esp.4bd33260@67.112.12.98 tun.1008@67.119.198.130 tun.1007@67.112.12.98
000 #4: "berkeleynet-concordgw" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 24875s; newest IPSEC; eroute owner
000 #4: "berkeleynet-concordgw" esp.bbd9ea9f@67.119.198.130 esp.4bd3325f@67.112.12.98 tun.1006@67.119.198.130 tun.1005@67.112.12.98
000 #3: "berkeleygw-concordnet" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25074s; newest IPSEC; eroute owner
000 #3: "berkeleygw-concordnet" esp.bbd9ea9e@67.119.198.130 esp.4bd3325e@67.112.12.98 tun.1004@67.119.198.130 tun.1003@67.112.12.98
000 #2: "berkeleynet-concordnet" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25206s; newest IPSEC; eroute owner
000 #2: "berkeleynet-concordnet" esp.bbd9ea9d@67.119.198.130 esp.4bd3325d@67.112.12.98 tun.1002@67.119.198.130 tun.1001@67.112.12.98
000 #1: "berkeleynet-concordnet" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 698s
000 #10: "berkeleynet-concordnet" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2694s; newest ISAKMP
000 #7: "RW_Cert_VPN"[2] 63.193.113.176 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 434s
000 #7: "RW_Cert_VPN"[2] 63.193.113.176 esp.630caaa6@63.193.113.176 esp.4bd33261@67.112.12.98 tun.100a@63.193.113.176 tun.1009@67.112.12.98
000 #6: "RW_Cert_SecuredConnection"[1] 63.193.113.176 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 11233s; newest ISAKMP
000 #9: "RW_Cert_VPN"[2] 63.193.113.176 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2547s; newest IPSEC; eroute owner
000 #9: "RW_Cert_VPN"[2] 63.193.113.176 esp.80c4b81b@63.193.113.176 esp.4bd33262@67.112.12.98 tun.100c@63.193.113.176 tun.100b@67.112.12.98
000 #8: "RW_Cert_VPN"[2] 63.193.113.176 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 13347s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
dummy Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth0 Link encap:Ethernet HWaddr 00:90:27:DC:ED:41
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1194 errors:0 dropped:0 overruns:0 frame:0
TX packets:1797 errors:0 dropped:0 overruns:0 carrier:0
collisions:2 txqueuelen:100
RX bytes:120365 (117.5 KiB) TX bytes:223712 (218.4 KiB)
Interrupt:11 Base address:0xd000
eth1 Link encap:Ethernet HWaddr 02:00:08:E3:AE:FB
inet addr:67.112.12.98 Bcast:67.112.12.99 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6962 errors:0 dropped:0 overruns:0 frame:0
TX packets:6444 errors:3 dropped:0 overruns:0 carrier:3
collisions:0 txqueuelen:100
RX bytes:946037 (923.8 KiB) TX bytes:893209 (872.2 KiB)
Interrupt:10 Base address:0xc800
ipsec0 Link encap:Ethernet HWaddr 02:00:08:E3:AE:FB
inet addr:67.112.12.98 Mask:255.255.255.252
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:1075 errors:0 dropped:3 overruns:0 frame:0
TX packets:1100 errors:0 dropped:16 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:104870 (102.4 KiB) TX bytes:213636 (208.6 KiB)
ipsec1 Link encap:IPIP Tunnel HWaddr
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:IPIP Tunnel HWaddr
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:IPIP Tunnel HWaddr
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:821 errors:0 dropped:0 overruns:0 frame:0
TX packets:821 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:65861 (64.3 KiB) TX bytes:65861 (64.3 KiB)
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
burrito
+ _________________________ hostname/ipaddress
+ hostname --ip-address
67.112.12.98
+ _________________________ uptime
+ uptime
14:09:48 up 1:51, 1 user, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ egrep -i 'ppid|pluto|ipsec|klips'
+ ps alxwf
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
000 0 2769 816 0 0 2024 940 wait4 S pts/0 0:00 \_ sh /usr/local/sbin/ipsec barf
000 0 2770 2769 10 0 2044 988 wait4 S pts/0 0:00 \_ sh /usr/local/lib/ipsec/barf
000 0 2811 2770 10 0 1328 440 pipe_r S pts/0 0:00 \_ egrep -i ppid|pluto|ipsec|klips
100 0 753 1 0 0 1280 464 select S ? 0:00 /usr/local/sbin/dhcprelay ipsec0,ipsec1 eth0 192.168.1.254
040 0 2327 1 0 0 2032 956 wait4 S pts/0 0:00 sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --dump --load %search --start %search --wait --pre --post --log daemon.error --pid /var/run/pluto.pid
040 0 2332 2327 0 0 2032 956 wait4 S pts/0 0:00 \_ sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --dump --load %search --start %search --wait --pre --post --log daemon.error --pid /var/run/pluto.pid
100 0 2334 2332 0 0 1960 1012 select S pts/0 0:00 | \_ /usr/local/lib/ipsec/pluto --nofork --debug-none --uniqueids
000 0 2337 2334 0 0 1296 284 select S pts/0 0:00 | \_ _pluto_adns 7 10
000 0 2333 2327 0 0 2028 956 pipe_r S pts/0 0:00 \_ sh /usr/local/lib/ipsec/_plutoload --load %search --start %search --wait --post
000 0 2328 1 0 0 1248 472 pipe_r S pts/0 0:00 logger -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth1
routephys=eth1
routevirt=ipsec0
routevirt=ipsec0
routeaddr=67.112.12.98
routeaddr=67.112.12.98
routenexthop=67.112.12.97
routenexthop=67.112.12.97
defaultroutephys=eth1
defaultroutevirt=ipsec0
defaultrouteaddr=67.112.12.98
defaultroutenexthop=67.112.12.97
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
conn %default
keyingtries=1
authby=rsasig
disablearrivalcheck=no
conn RW_Cert_VPN
keyexchange=ike
ikelifetime=240m
keylife=60m
pfs=yes
compress=no
left=67.112.12.98
leftnexthop=67.112.12.97
leftsubnet=192.168.1.0/24
leftcert=vk.pem
right=%any
rightsubnet=192.168.1.200/32
rightrsasigkey=%cert
type=tunnel
auto=add
conn RW_Cert_SecuredConnection
keyexchange=ike
ikelifetime=240m
keylife=60m
pfs=yes
compress=no
left=67.112.12.98
leftnexthop=67.112.12.97
leftcert=vk.pem
right=%any
rightrsasigkey=%cert
type=transport
auto=add
conn berkeleynet-concordnet
left=67.112.12.98
leftnexthop=67.112.12.97
leftsubnet=192.168.1.0/24
leftid=@burrito.gwfund.com
leftrsasigkey=[keyid AQODZIkRL]
right=67.119.198.130
rightnexthop=67.119.198.129
rightsubnet=192.168.2.0/24
rightid=@taco.gwfund.com
rightrsasigkey=[keyid AQN7Y3jCG]
auto=start
conn berkeleygw-concordnet
left=67.112.12.98
leftnexthop=67.112.12.97
leftid=@burrito.gwfund.com
leftrsasigkey=[keyid AQODZIkRL]
right=67.119.198.130
rightnexthop=67.119.198.129
rightsubnet=192.168.2.0/24
rightid=@taco.gwfund.com
rightrsasigkey=[keyid AQN7Y3jCG]
auto=start
conn berkeleynet-concordgw
left=67.112.12.98
leftnexthop=67.112.12.97
leftsubnet=192.168.1.0/24
leftid=@burrito.gwfund.com
leftrsasigkey=[keyid AQODZIkRL]
right=67.119.198.130
rightnexthop=67.119.198.129
rightid=@taco.gwfund.com
rightrsasigkey=[keyid AQN7Y3jCG]
auto=start
conn berkeleygw-concordgw
left=67.112.12.98
leftnexthop=67.112.12.97
leftid=@burrito.gwfund.com
leftrsasigkey=[keyid AQODZIkRL]
right=67.119.198.130
rightnexthop=67.119.198.129
rightid=@taco.gwfund.com
rightrsasigkey=[keyid AQN7Y3jCG]
auto=start
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
@burrito.gwfund.com: RSA {
# RSA 2048 bits burrito Sun Sep 1 13:53:33 2002
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQODZIkRL]
#IN KEY 0x4200 4 1 [keyid AQODZIkRL]
# (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
@vk.gwfund.com: RSA vk.key fluffy
@poonj.gwfund.com: RSA poonj.key pooney
+ _________________________ ipsec/ls-dir
+ ls -l /usr/local/lib/ipsec
total 3848
-rwxr-xr-x 1 root root 11183 Nov 15 22:52 _confread
-rwxr-xr-x 1 root staff 11183 Nov 15 22:46 _confread.old
-rwxr-xr-x 1 root root 37484 Nov 15 22:52 _copyright
-rwxr-xr-x 1 root staff 37484 Nov 15 22:46 _copyright.old
-rwxr-xr-x 1 root root 2163 Nov 15 22:52 _include
-rwxr-xr-x 1 root staff 2163 Nov 15 22:46 _include.old
-rwxr-xr-x 1 root root 1472 Nov 15 22:52 _keycensor
-rwxr-xr-x 1 root staff 1472 Nov 15 22:46 _keycensor.old
-rwxr-xr-x 1 root root 63912 Nov 15 22:52 _pluto_adns
-rwxr-xr-x 1 root staff 63912 Nov 15 22:46 _pluto_adns.old
-rwxr-xr-x 1 root root 3495 Nov 15 22:52 _plutoload
-rwxr-xr-x 1 root staff 3495 Nov 15 22:46 _plutoload.old
-rwxr-xr-x 1 root root 4730 Nov 15 22:52 _plutorun
-rwxr-xr-x 1 root staff 4730 Nov 15 22:46 _plutorun.old
-rwxr-xr-x 1 root root 7530 Nov 15 22:52 _realsetup
-rwxr-xr-x 1 root staff 7530 Nov 15 22:46 _realsetup.old
-rwxr-xr-x 1 root root 1971 Nov 15 22:52 _secretcensor
-rwxr-xr-x 1 root staff 1971 Nov 15 22:46 _secretcensor.old
-rwxr-xr-x 1 root root 7062 Nov 15 22:52 _startklips
-rwxr-xr-x 1 root staff 7062 Nov 15 22:46 _startklips.old
-rwxr-xr-x 1 root root 5014 Nov 15 22:52 _updown
-rwxr-xr-x 1 root staff 5014 Nov 15 22:46 _updown.old
-rwxr-xr-x 1 root root 9099 Nov 15 22:52 _updown.x509
-rwxr-xr-x 1 root staff 9099 Nov 15 22:46 _updown.x509.old
-rwxr-xr-x 1 root root 13335 Nov 15 22:52 auto
-rwxr-xr-x 1 root staff 13335 Nov 15 22:46 auto.old
-rwxr-xr-x 1 root root 7198 Nov 15 22:52 barf
-rwxr-xr-x 1 root staff 7198 Nov 15 22:46 barf.old
-rwxr-xr-x 1 root root 816 Nov 15 22:52 calcgoo
-rwxr-xr-x 1 root staff 816 Nov 15 22:46 calcgoo.old
-rwxr-xr-x 1 root root 195032 Nov 15 22:52 eroute
-rwxr-xr-x 1 root root 87409 Nov 15 22:52 ikeping
-rwxr-xr-x 1 root root 87409 Nov 15 22:46 ikeping.old
-rwxr-xr-x 1 root root 2915 Nov 15 22:52 ipsec
-rwxr-xr-x 1 root staff 2915 Nov 15 22:46 ipsec.old
-rw-r--r-- 1 root root 1950 Nov 15 22:52 ipsec_pr.template
-rwxr-xr-x 1 root root 138627 Nov 15 22:52 klipsdebug
-rwxr-xr-x 1 root root 2437 Nov 15 22:52 look
-rwxr-xr-x 1 root staff 2437 Nov 15 22:46 look.old
-rwxr-xr-x 1 root root 16157 Nov 15 22:52 manual
-rwxr-xr-x 1 root staff 16157 Nov 15 22:46 manual.old
-rwxr-xr-x 1 root root 1847 Nov 15 22:52 newhostkey
-rwxr-xr-x 1 root staff 1847 Nov 15 22:46 newhostkey.old
-rwxr-xr-x 1 root root 114866 Nov 15 22:52 pf_key
-rwxr-xr-x 1 root root 861183 Nov 15 22:52 pluto
-rwxr-xr-x 1 root staff 861183 Nov 15 22:46 pluto.old
-rwxr-xr-x 1 root root 43665 Nov 15 22:52 ranbits
-rwxr-xr-x 1 root staff 43665 Nov 15 22:46 ranbits.old
-rwxr-xr-x 1 root root 70046 Nov 15 22:52 rsasigkey
-rwxr-xr-x 1 root staff 70046 Nov 15 22:46 rsasigkey.old
-rwxr-xr-x 1 root root 16671 Nov 15 22:52 send-pr
-rwxr-xr-x 1 root staff 16671 Nov 15 22:46 send-pr.old
lrwxrwxrwx 1 root root 17 Nov 15 22:52 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1041 Nov 15 22:52 showdefaults
-rwxr-xr-x 1 root staff 1041 Nov 15 22:46 showdefaults.old
-rwxr-xr-x 1 root root 4205 Nov 15 22:52 showhostkey
-rwxr-xr-x 1 root staff 4205 Nov 15 22:46 showhostkey.old
-rwxr-xr-x 1 root root 222744 Nov 15 22:52 spi
-rwxr-xr-x 1 root root 172355 Nov 15 22:52 spigrp
-rwxr-xr-x 1 root root 55922 Nov 15 22:52 tncfg
-rwxr-xr-x 1 root root 3353 Nov 15 22:52 verify
-rwxr-xr-x 1 root staff 3353 Nov 15 22:46 verify.old
-rwxr-xr-x 1 root root 128625 Nov 15 22:52 whack
-rwxr-xr-x 1 root staff 128625 Nov 15 22:46 whack.old
+ _________________________ ipsec/updowns
++ ls /usr/local/lib/ipsec
++ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $

# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0])  # Older Pluto?!? Play it safe, script may be using new features.
    echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
    echo "$0: called by obsolete Pluto?" >&2
    exit 2
    ;;
1.*)    ;;
*)  echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
    exit 2
    ;;
esac

# check parameter(s)
case "$1:$*" in
':')                    # no parameters
    ;;
ipfwadm:ipfwadm)        # due to (left/right)firewall; for default script only
    ;;
custom:*)               # custom parameters (see above CAUTION comment)
    ;;
*)  echo "$0: unknown parameters \`$*'" >&2
    exit 2
    ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
    doroute add
}
downroute() {
    doroute del
}
doroute() {
    parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
    parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # horrible kludge for obscure routing bug with opportunistic
        it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
            route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
        ;;
    *)  it="route $1 $parms $parms2"
        ;;
    esac
    eval $it
    st=$?
    if test $st -ne 0
    then
        # route has already given its own cryptic message
        echo "$0: \`$it' failed" >&2
        if test " $1 $st" = " add 7"
        then
            # another totally undocumented interface -- 7 and
            # "SIOCADDRT: Network is unreachable" means that
            # the gateway isn't reachable.
            echo "$0: (incorrect or missing nexthop setting??)" >&2
        fi
    fi
    return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
    # delete possibly-existing route (preliminary to adding a route)
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # horrible kludge for obscure routing bug with opportunistic
        it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
            route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
        ;;
    *)
        it="route del -net $PLUTO_PEER_CLIENT_NET \
            netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
        ;;
    esac
    oops="`eval $it`"
    status="$?"
    if test " $oops" = " " -a " $status" != " 0"
    then
        oops="silent error, exit status $status"
    fi
    case "$oops" in
    'SIOCDELRT: No such process'*)
        # This is what route (currently -- not documented!) gives
        # for "could not find such a route".
        oops=
        status=0
        ;;
    esac
    if test " $oops" != " " -o " $status" != " 0"
    then
        echo "$0: \`$it' failed ($oops)" >&2
    fi
    exit $status
    ;;
route-host:*|route-client:*)
    # connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ cat /usr/local/lib/ipsec/_updown.old
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $

# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
}
downroute() {
doroute del
}
doroute() {
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
;;
*) it="route $1 $parms $parms2"
;;
esac
eval $it
st=$?
if test $st -ne 0
then
# route has already given its own cryptic message
echo "$0: \`$it' failed" >&2
if test " $1 $st" = " add 7"
then
# another totally undocumented interface -- 7 and
# "SIOCADDRT: Network is unreachable" means that
# the gateway isn't reachable.
echo "$0: (incorrect or missing nexthop setting??)" >&2
fi
fi
return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
;;
*)
it="route del -net $PLUTO_PEER_CLIENT_NET \
netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
;;
esac
oops="`eval $it`"
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
'SIOCDELRT: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ cat /usr/local/lib/ipsec/_updown.x509
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
#
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
}
downroute() {
doroute del
}
doroute() {
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
;;
*) it="route $1 $parms $parms2"
route $1 $parms $parms2
;;
esac
st=$?
if test $st -ne 0
then
# route has already given its own cryptic message
echo "$0: \`$it' failed" >&2
if test " $1 $st" = " add 7"
then
# another totally undocumented interface -- 7 and
# "SIOCADDRT: Network is unreachable" means that
# the gateway isn't reachable.
echo "$0: (incorrect or missing nexthop setting??)" >&2
fi
fi
return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
parms1="-net 0.0.0.0 netmask 128.0.0.0"
parms2="-net 128.0.0.0 netmask 128.0.0.0"
it="route del $parms1 2>&1 ; route del $parms2 2>&1"
oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
;;
*)
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
it="route del $parms 2>&1"
oops="`route del $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
'SIOCDELRT: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-d 0.0.0.0/0.0.0.0 --dport $PLUTO_MY_PORT -j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s 0.0.0.0/0.0.0.0 --sport $PLUTO_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
else
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
else
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
else
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
else
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ cat /usr/local/lib/ipsec/_updown.x509.old
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
#
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
}
downroute() {
doroute del
}
doroute() {
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
;;
*) it="route $1 $parms $parms2"
route $1 $parms $parms2
;;
esac
st=$?
if test $st -ne 0
then
# route has already given its own cryptic message
echo "$0: \`$it' failed" >&2
if test " $1 $st" = " add 7"
then
# another totally undocumented interface -- 7 and
# "SIOCADDRT: Network is unreachable" means that
# the gateway isn't reachable.
echo "$0: (incorrect or missing nexthop setting??)" >&2
fi
fi
return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
parms1="-net 0.0.0.0 netmask 128.0.0.0"
parms2="-net 128.0.0.0 netmask 128.0.0.0"
it="route del $parms1 2>&1 ; route del $parms2 2>&1"
oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
;;
*)
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
it="route del $parms 2>&1"
oops="`route del $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
'SIOCDELRT: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-d 0.0.0.0/0.0.0.0 --dport $PLUTO_MY_PORT -j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s 0.0.0.0/0.0.0.0 --sport $PLUTO_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
else
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
else
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
else
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
else
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 65861 821 0 0 0 0 0 0 65861 821 0 0 0 0 0 0
dummy: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec0: 104870 1075 0 3 0 0 0 0 213636 1100 0 16 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth0: 120365 1194 0 0 0 0 0 0 223712 1797 0 0 0 2 0 0
eth1: 946037 6962 0 0 0 0 0 0 893209 6444 3 0 0 0 3 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 FFFFFFFF 00000000 0005 0 0 0 FFFFFFFF 0 0 0
ipsec0 82C67743 610C7043 0007 0 0 0 FFFFFFFF 0 0 0
ipsec0 C801A8C0 610C7043 0007 0 0 0 FFFFFFFF 0 0 0
eth1 600C7043 00000000 0001 0 0 0 FCFFFFFF 0 0 0
ipsec0 600C7043 00000000 0001 0 0 0 FCFFFFFF 0 0 0
ipsec0 0002A8C0 610C7043 0003 0 0 0 00FFFFFF 0 0 0
eth0 0001A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth1 00000000 610C7043 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux burrito 2.2.20 #14 Fri Nov 15 22:50:52 PST 2002 i686 unknown
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.99
+ _________________________ iptables/list
+ iptables -L -v -n
/usr/local/lib/ipsec/barf: iptables: command not found
+ _________________________ ipchains/list
+ ipchains -L -v -n
Chain input (policy DENY: 9 packets, 802 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
120 39634 ACCEPT udp ------ 0xFF 0x00 * 0.0.0.0/0 67.112.12.98 * -> 500
1085 163K ACCEPT esp ------ 0xFF 0x00 * 0.0.0.0/0 67.112.12.98 n/a
0 0 ACCEPT ah ------ 0xFF 0x00 * 0.0.0.0/0 67.112.12.98 n/a
1072 105K ACCEPT all ------ 0xFF 0x00 ipsec0 0.0.0.0/0 0.0.0.0/0 n/a
0 0 ACCEPT all ------ 0xFF 0x00 ipsec1 0.0.0.0/0 0.0.0.0/0 n/a
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 67.112.12.98 192.168.1.0/24 137:139 -> 137:139
67 11852 DENY all ------ 0xFF 0x00 eth1 67.112.12.98 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 172.16.0.0/12 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 224.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 240.0.0.0/5 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 169.254.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 192.0.2.0/24 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 0.0.0.0/0 0.0.0.0 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 0.0.0.0/0 192.168.1.255 n/a
0 0 DENY all ------ 0xFF 0x00 eth1 0.0.0.0/0 192.168.1.0 n/a
0 0 DENY !udp ------ 0xFF 0x00 eth1 0.0.0.0/0 224.0.0.0/4 * -> *
0 0 ACCEPT udp ------ 0xFF 0x00 eth1 0.0.0.0/0 224.0.0.0/4 * -> *
423 51570 LANlinux all ------ 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 n/a
656 49379 ACCEPT all ------ 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 n/a
1 28 DHCP all ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
5631 637K INETlinu all ------ 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 n/a
0 0 ACCEPT all ------ 0xFF 0x00 eth1 67.112.12.98 0.0.0.0/0 n/a
818 65628 ACCEPT all ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 n/a
42 2890 DENY all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
180 16004 LANinet all ------ 0xFF 0x00 eth1 192.168.1.0/24 0.0.0.0/0 n/a
82 7512 ACCEPT all ------ 0xFF 0x00 eth0 192.168.2.0/24 192.168.1.0/24 n/a
79 6940 ACCEPT all ------ 0xFF 0x00 eth0 67.119.198.130 192.168.1.0/24 n/a
48 2880 ACCEPT all ------ 0xFF 0x00 eth0 192.168.1.200 192.168.1.0/24 n/a
0 0 ACCEPT all ------ 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.200 n/a
0 0 ACCEPT all ------ 0xFF 0x00 ipsec0 192.168.1.200 192.168.1.0/24 n/a
48 2880 ACCEPT all ------ 0xFF 0x00 ipsec0 192.168.1.0/24 192.168.1.200 n/a
161 14368 ACCEPT all ------ 0xFF 0x00 ipsec0 0.0.0.0/0 0.0.0.0/0 n/a
0 0 ACCEPT all ------ 0xFF 0x00 ipsec1 0.0.0.0/0 0.0.0.0/0 n/a
0 0 REJECT all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy REJECT: 9 packets, 655 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
81 25389 ACCEPT udp ------ 0xFF 0x00 * 67.112.12.98 67.119.198.130 * -> *
0 0 ACCEPT esp ------ 0xFF 0x00 * 67.112.12.98 67.119.198.130 n/a
0 0 ACCEPT ah ------ 0xFF 0x00 * 67.112.12.98 67.119.198.130 n/a
1035 119K ACCEPT all ------ 0xFF 0x00 ipsec0 0.0.0.0/0 0.0.0.0/0 n/a
0 0 ACCEPT all ------ 0xFF 0x00 ipsec1 0.0.0.0/0 0.0.0.0/0 n/a
0 0 ACCEPT icmp ------ 0xFF 0x00 * 67.112.12.98 67.119.198.130 * -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 * 67.112.12.98 192.168.2.0/24 * -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 * 192.168.1.254 67.119.198.130 * -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 * 192.168.1.254 192.168.2.0/24 * -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 * 192.168.1.0/24 67.119.198.130 * -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 * 192.168.1.0/24 192.168.2.0/24 * -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 * 192.168.1.0/24 192.168.2.0/24 * -> *
0 0 ACCEPT udp ------ 0xFF 0x00 * 67.112.12.98 67.119.198.130 137:139 -> *
6 576 ACCEPT udp ------ 0xFF 0x00 * 67.112.12.98 192.168.2.0/24 137:139 -> *
0 0 ACCEPT udp ------ 0xFF 0x00 * 192.168.1.254 67.119.198.130 137:139 -> *
7 844 ACCEPT udp ------ 0xFF 0x00 * 192.168.1.254 192.168.2.0/24 137:139 -> *
0 0 ACCEPT udp ------ 0xFF 0x00 * 192.168.1.0/24 67.119.198.130 * -> *
0 0 ACCEPT udp ------ 0xFF 0x00 * 192.168.1.0/24 192.168.2.0/24 * -> *
0 0 ACCEPT udp ------ 0xFF 0x00 * 192.168.1.0/24 192.168.1.200 * -> *
5240 601K ACCEPT all ------ 0xFF 0x00 eth1 67.112.12.98 0.0.0.0/0 n/a
1455 192K ACCEPT all ------ 0xFF 0x00 eth0 0.0.0.0/0 192.168.1.0/24 n/a
0 0 ACCEPT all ------ 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 n/a
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 67 -> 68
818 65628 ACCEPT all ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
0 0 - tcp ------ 0x01 0x10 * 0.0.0.0/0 0.0.0.0/0 * -> 22
0 0 - tcp ------ 0x01 0x10 * 0.0.0.0/0 0.0.0.0/0 * -> 80
0 0 - tcp ------ 0x01 0x10 * 0.0.0.0/0 0.0.0.0/0 * -> 53
0 0 - tcp ------ 0x01 0x10 * 0.0.0.0/0 0.0.0.0/0 * -> 42
0 0 - tcp ------ 0x01 0x04 * 0.0.0.0/0 0.0.0.0/0 * -> 25
0 0 - tcp ------ 0x01 0x04 * 0.0.0.0/0 0.0.0.0/0 * -> 143
Chain LANlinux (1 references):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> 80
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> 53
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> 42
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> 110
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> 143
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> 22
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> 67
3 144 ACCEPT tcp -y---- 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> 137:139
0 0 DENY tcp -y--l- 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> *
196 16217 ACCEPT tcp !y---- 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> *
163 31841 UDPpoli udp ------ 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> *
61 3368 ICMPpoli icmp ------ 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> *
0 0 DENY all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain INETlinu (1 references):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 DENY all ----l- 0xFF 0x00 eth1 0.0.0.0/0 192.168.1.0/24 n/a
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 80
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 53
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 42
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 110
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 143
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 25
2 96 ACCEPT tcp -y---- 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 22
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 1227
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 5100
0 0 DENY tcp -y--l- 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> *
5399 595K ACCEPT tcp !y---- 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> *
0 0 ACCEPT udp ------ 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 80
1 61 ACCEPT udp ------ 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 53
0 0 ACCEPT udp ------ 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 110
0 0 ACCEPT udp ------ 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> 22
228 42381 UDPpoli udp ------ 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> *
1 102 ICMPpoli icmp ------ 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> *
0 0 DENY all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain DHCP (1 references):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 68 -> 67
0 0 ACCEPT tcp -y---- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 68 -> 67
0 0 ACCEPT tcp !y---- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 68 -> 67
1 28 DENY all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain LANinet (1 references):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
20 960 MASQ tcp -y---- 0xFF 0x00 eth1 192.168.1.0/24 0.0.0.0/0 * -> *
155 14690 MASQ tcp !y---- 0xFF 0x00 eth1 192.168.1.0/24 0.0.0.0/0 * -> *
5 354 MASQ udp ------ 0xFF 0x00 eth1 192.168.1.0/24 0.0.0.0/0 * -> *
0 0 MASQ icmp ------ 0xFF 0x00 eth1 192.168.1.0/24 0.0.0.0/0 * -> *
0 0 DENY all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain ICMPpoli (2 references):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 ACCEPT icmp ------ 0xFF 0x00 eth1 67.112.12.98 0.0.0.0/0 0 -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 eth1 67.112.12.98 0.0.0.0/0 5 -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 eth1 67.112.12.98 0.0.0.0/0 8 -> *
1 102 ACCEPT icmp ------ 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 * -> *
61 3368 ACCEPT icmp ------ 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> *
0 0 DENY all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain UDPpoli (2 references):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
7 484 ACCEPT udp ------ 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 * -> 53
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 * -> 123
148 28712 ACCEPT udp ------ 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 137:139 -> *
8 2645 ACCEPT udp ------ 0xFF 0x00 eth0 192.168.1.0/24 192.168.1.0/24 68 -> 67
223 41991 ACCEPT udp ------ 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 53 -> *
0 0 ACCEPT udp ------ 0xFF 0x00 eth1 0.0.0.0/0 67.112.12.98 123 -> *
5 390 DENY all ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
Chains are empty. (ie. ipfwadm has not been used on them).
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
Chains are empty. (ie. ipfwadm has not been used on them).
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
Chains are empty. (ie. ipfwadm has not been used on them).
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
/usr/local/lib/ipsec/barf: iptables: command not found
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
IP masquerading entries
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
IP masquerading entries
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
/usr/local/lib/ipsec/barf: iptables: command not found
+ _________________________ proc/modules
+ cat /proc/modules
ip_masq_vdolive 1552 0 (unused)
ip_masq_cuseeme 1296 0 (unused)
ip_masq_quake 1588 0 (unused)
ip_masq_irc 2288 0 (unused)
ip_masq_raudio 3184 0 (unused)
ip_masq_ftp 3808 0 (unused)
tulip 30560 1 (autoclean)
eepro100 16552 1 (autoclean)
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 529264640 83963904 445300736 41291776 26087424 38211584
Swap: 764940288 0 764940288
MemTotal: 516860 kB
MemFree: 434864 kB
MemShared: 40324 kB
Buffers: 25476 kB
Cached: 37316 kB
SwapTotal: 747012 kB
SwapFree: 747012 kB
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r-- 1 root root 0 Nov 28 14:09 /proc/net/ipsec_eroute
-r--r--r-- 1 root root 0 Nov 28 14:09 /proc/net/ipsec_klipsdebug
-r--r--r-- 1 root root 0 Nov 28 14:09 /proc/net/ipsec_spi
-r--r--r-- 1 root root 0 Nov 28 14:09 /proc/net/ipsec_spigrp
-r--r--r-- 1 root root 0 Nov 28 14:09 /proc/net/ipsec_tncfg
-r--r--r-- 1 root root 0 Nov 28 14:09 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
CONFIG_SYSVIPC=y
# CONFIG_IDE_CHIPSETS is not set
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK=y
# CONFIG_IP_MULTIPLE_TABLES is not set
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_TOS is not set
# CONFIG_IP_ROUTE_VERBOSE is not set
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
# CONFIG_IP_PNP is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_NETLINK_DEV=y
# CONFIG_IP_TRANSPARENT_PROXY is not set
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_MASQUERADE_MOD=y
# CONFIG_IP_MASQUERADE_IPAUTOFW is not set
CONFIG_IP_MASQUERADE_IPPORTFW=y
CONFIG_IP_MASQUERADE_MFW=y
CONFIG_IP_ROUTER=y
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
CONFIG_IP_MROUTE=y
# CONFIG_IP_PIMSM_V1 is not set
# CONFIG_IP_PIMSM_V2 is not set
# CONFIG_IP_ALIAS is not set
# CONFIG_IPV6 is not set
# CONFIG_IPX is not set
CONFIG_IPSEC=y
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
# CONFIG_SCSI_IPS is not set
# CONFIG_HIPPI is not set
# CONFIG_PLIP is not set
# CONFIG_SLIP is not set
# CONFIG_FBCON_IPLAN2P2 is not set
# CONFIG_FBCON_IPLAN2P4 is not set
# CONFIG_FBCON_IPLAN2P8 is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.crit;news.err;news.notice;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search gwfund.com
search localhost
nameserver 192.168.1.254
nameserver 206.13.31.12
nameserver 206.13.28.12
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 2
drwxr-xr-x 8 root root 1024 Apr 26 2002 2.2.20-compact
drwxr-xr-x 4 root root 1024 Nov 15 22:51 2.2.20
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
80160284 netif_rx_R2gig_b0783f6b
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.2.20:
2.2.20-compact:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '9635,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ cat
Nov 28 13:21:23 burrito ipsec_setup: Starting FreeS/WAN IPsec 1.99...
Nov 28 13:21:24 burrito ipsec_setup: KLIPS debug `none'
Nov 28 13:21:24 burrito ipsec_setup: KLIPS ipsec0 on eth1 67.112.12.98/255.255.255.252 broadcast 67.112.12.99
Nov 28 13:21:24 burrito ipsec_setup: ...FreeS/WAN IPsec started
Nov 28 13:21:26 burrito ipsec__plutorun: 104 "berkeleynet-concordnet" #1: STATE_MAIN_I1: initiate
Nov 28 13:21:26 burrito ipsec__plutorun: 106 "berkeleynet-concordnet" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 28 13:21:26 burrito ipsec__plutorun: 108 "berkeleynet-concordnet" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 28 13:21:26 burrito ipsec__plutorun: 004 "berkeleynet-concordnet" #1: STATE_MAIN_I4: ISAKMP SA established
Nov 28 13:21:26 burrito ipsec__plutorun: 112 "berkeleynet-concordnet" #2: STATE_QUICK_I1: initiate
Nov 28 13:21:26 burrito ipsec__plutorun: 004 "berkeleynet-concordnet" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Nov 28 13:21:27 burrito ipsec__plutorun: 112 "berkeleygw-concordnet" #3: STATE_QUICK_I1: initiate
Nov 28 13:21:27 burrito ipsec__plutorun: 004 "berkeleygw-concordnet" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
Nov 28 13:21:27 burrito ipsec__plutorun: 112 "berkeleynet-concordgw" #4: STATE_QUICK_I1: initiate
Nov 28 13:21:27 burrito ipsec__plutorun: 004 "berkeleynet-concordgw" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
Nov 28 13:21:27 burrito ipsec__plutorun: 112 "berkeleygw-concordgw" #5: STATE_QUICK_I1: initiate
Nov 28 13:21:27 burrito ipsec__plutorun: 004 "berkeleygw-concordgw" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
Nov 28 13:58:47 burrito kernel: device ipsec0 entered promiscuous mode
Nov 28 13:59:04 burrito kernel: device ipsec0 left promiscuous mode
+ _________________________ plog
+ sed -n '10303,$p' /var/log/auth.log
+ egrep -i pluto
+ cat
Nov 28 13:21:24 burrito ipsec__plutorun: Starting Pluto subsystem...
Nov 28 13:21:24 burrito pluto[2334]: Starting Pluto (FreeS/WAN Version 1.99)
Nov 28 13:21:24 burrito pluto[2334]: including X.509 patch (Version 0.9.15)
Nov 28 13:21:24 burrito pluto[2334]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 28 13:21:24 burrito pluto[2334]: loaded cacert file 'cacert.pem' (1574 bytes)
Nov 28 13:21:24 burrito pluto[2334]: Changing to directory '/etc/ipsec.d/crls'
Nov 28 13:21:24 burrito pluto[2334]: loaded crl file 'crl.pem' (670 bytes)
Nov 28 13:21:24 burrito pluto[2334]: loaded my default X.509 cert file '/etc/x509cert.der' (1167 bytes)
Nov 28 13:21:24 burrito pluto[2334]: added connection description "berkeleynet-concordnet"
Nov 28 13:21:24 burrito pluto[2334]: added connection description "berkeleygw-concordnet"
Nov 28 13:21:24 burrito pluto[2334]: loaded host cert file '/etc/ipsec.d/vk.pem' (4922 bytes)
Nov 28 13:21:24 burrito pluto[2334]: added connection description "RW_Cert_VPN"
Nov 28 13:21:25 burrito pluto[2334]: loaded host cert file '/etc/ipsec.d/vk.pem' (4922 bytes)
Nov 28 13:21:25 burrito pluto[2334]: added connection description "RW_Cert_SecuredConnection"
Nov 28 13:21:25 burrito pluto[2334]: added connection description "berkeleynet-concordgw"
Nov 28 13:21:25 burrito pluto[2334]: added connection description "berkeleygw-concordgw"
Nov 28 13:21:25 burrito pluto[2334]: listening for IKE messages
Nov 28 13:21:25 burrito pluto[2334]: adding interface ipsec0/eth1 67.112.12.98
Nov 28 13:21:25 burrito pluto[2334]: loading secrets from "/etc/ipsec.secrets"
Nov 28 13:21:25 burrito pluto[2334]: loaded private key file '/etc/ipsec.d/private/vk.key' (3317 bytes)
Nov 28 13:21:25 burrito pluto[2334]: loaded private key file '/etc/ipsec.d/private/poonj.key' (3349 bytes)
Nov 28 13:21:26 burrito pluto[2334]: "berkeleynet-concordnet" #1: initiating Main Mode
Nov 28 13:21:26 burrito pluto[2334]: "berkeleynet-concordnet" #1: Peer ID is ID_FQDN: '@taco.gwfund.com'
Nov 28 13:21:26 burrito pluto[2334]: "berkeleynet-concordnet" #1: ISAKMP SA established
Nov 28 13:21:26 burrito pluto[2334]: "berkeleynet-concordnet" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Nov 28 13:21:26 burrito pluto[2334]: "berkeleynet-concordnet" #2: sent QI2, IPsec SA established
Nov 28 13:21:26 burrito pluto[2334]: "berkeleygw-concordnet" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Nov 28 13:21:27 burrito pluto[2334]: "berkeleygw-concordnet" #3: sent QI2, IPsec SA established
Nov 28 13:21:27 burrito pluto[2334]: "berkeleynet-concordgw" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Nov 28 13:21:27 burrito pluto[2334]: "berkeleynet-concordgw" #4: sent QI2, IPsec SA established
Nov 28 13:21:27 burrito pluto[2334]: "berkeleygw-concordgw" #5: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Nov 28 13:21:27 burrito pluto[2334]: "berkeleygw-concordgw" #5: sent QI2, IPsec SA established
Nov 28 13:21:31 burrito pluto[2334]: packet from 63.193.113.176:500: ignoring Vendor ID payload
Nov 28 13:21:31 burrito pluto[2334]: "RW_Cert_VPN"[1] 63.193.113.176 #6: responding to Main Mode from unknown peer 63.193.113.176
Nov 28 13:21:31 burrito pluto[2334]: "RW_Cert_VPN"[1] 63.193.113.176 #6: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 28 13:21:31 burrito pluto[2334]: "RW_Cert_VPN"[1] 63.193.113.176 #6: Peer ID is ID_DER_ASN1_DN: 'CN=vk_at_gwfund.com'
Nov 28 13:21:31 burrito pluto[2334]: "RW_Cert_SecuredConnection"[1] 63.193.113.176 #6: deleting connection "RW_Cert_VPN" instance with peer 63.193.113.176
Nov 28 13:21:31 burrito pluto[2334]: "RW_Cert_SecuredConnection"[1] 63.193.113.176 #6: sent MR3, ISAKMP SA established
Nov 28 13:21:32 burrito pluto[2334]: "RW_Cert_VPN"[2] 63.193.113.176 #7: responding to Quick Mode
Nov 28 13:21:32 burrito pluto[2334]: "RW_Cert_VPN"[2] 63.193.113.176 #7: IPsec SA established
Nov 28 13:21:32 burrito pluto[2334]: "RW_Cert_SecuredConnection"[1] 63.193.113.176 #6: ignoring Delete SA payload
Nov 28 13:21:32 burrito pluto[2334]: "RW_Cert_SecuredConnection"[1] 63.193.113.176 #6: received and ignored informational message
Nov 28 13:21:32 burrito pluto[2334]: "RW_Cert_SecuredConnection"[1] 63.193.113.176 #6: ignoring Delete SA payload
Nov 28 13:21:32 burrito pluto[2334]: "RW_Cert_SecuredConnection"[1] 63.193.113.176 #6: received and ignored informational message
Nov 28 13:56:45 burrito pluto[2334]: packet from 63.193.113.176:500: ignoring Vendor ID payload
Nov 28 13:56:45 burrito pluto[2334]: "RW_Cert_VPN"[2] 63.193.113.176 #8: responding to Main Mode from unknown peer 63.193.113.176
Nov 28 13:56:45 burrito pluto[2334]: "RW_Cert_VPN"[2] 63.193.113.176 #8: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 28 13:56:45 burrito pluto[2334]: "RW_Cert_VPN"[2] 63.193.113.176 #8: Peer ID is ID_DER_ASN1_DN: 'CN=vk_at_gwfund.com'
Nov 28 13:56:45 burrito pluto[2334]: "RW_Cert_VPN"[2] 63.193.113.176 #8: sent MR3, ISAKMP SA established
Nov 28 13:56:45 burrito pluto[2334]: "RW_Cert_VPN"[2] 63.193.113.176 #9: responding to Quick Mode
Nov 28 13:56:45 burrito pluto[2334]: "RW_Cert_VPN"[2] 63.193.113.176 #9: IPsec SA established
Nov 28 14:08:14 burrito pluto[2334]: "berkeleynet-concordnet" #10: initiating Main Mode to replace #1
Nov 28 14:08:15 burrito pluto[2334]: "berkeleynet-concordnet" #10: Peer ID is ID_FQDN: '@taco.gwfund.com'
Nov 28 14:08:15 burrito pluto[2334]: "berkeleynet-concordnet" #10: ISAKMP SA established
+ _________________________ date
+ date
Thu Nov 28 14:09:49 PST 2002

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

This archive was generated by hypermail 2.1.5 : Sat Nov 30 2002 - 05:21:00 CET