Re: [Users] freeswan + multiple if with same ip

From: Julien Touche (julien.touche_at_lycos.com)
Date: Mon Dec 09 2002 - 22:22:25 CET


Sam Sgro wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>

>>tun0, tun1, eth1 and ipsec1 have the same IP (the internal one),
>>and when the tun? interfaces are up I can't connect to either my internal
>>network or the external one.
>>It stops on "phase 1 R ident: [|sa]" (no response from gateway)
>>and "ipsec --auto up conn" returns:
>>"we have no ipsecN interface for either end of this connection"
>
>
> Pluto is attempting to add the connection to its internal database, and has
> compared the IP addresses of the ipsecN interfaces to the entries in "left"
> or "right", and failed to find a match. Do you get any errors on FreeS/WAN
> start that indicate some issue with the interfaces?
>

The problem, I think, is that Pluto must be concerned only with its own
interfaces (which I defined as ipsec[01], corresponding to ppp0 and eth1).
The others may be ignored.

Does the Pluto database list all interfaces, or only the ipsec? interfaces
and the ones they correspond to?

Regards

                Julien Touche

crimson
Mon Dec 9 22:04:00 CET 2002
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 1.98b
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.19-grsec (root_at_crimson) (gcc version 2.95.4 20011006 (Debian prerelease)) #2 SMP Wed Aug 14 17:43:19 CEST 2002
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.4.1 0.0.0.0 255.255.255.255 UH 40 0 0 tun4
193.253.160.3 0.0.0.0 255.255.255.255 UH 40 0 0 ppp0
193.253.160.3 0.0.0.0 255.255.255.255 UH 40 0 0 ipsec0
192.168.32.233 0.0.0.0 255.255.255.255 UH 40 0 0 tun32
192.168.4.0 0.0.0.0 255.255.255.0 U 40 0 0 tun4
192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 ipsec1
192.168.32.0 0.0.0.0 255.255.255.0 U 40 0 0 tun32
0.0.0.0 193.253.160.3 0.0.0.0 UG 40 0 0 ppp0
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260(1492) -> 1492
ipsec1 -> eth1 mtu=16260(1500) -> 1500
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
    sock pid socket next prev e n p sndbf Flags Type St
c1b07460 29310 c126b760 0 0 0 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c126b760 29310 c1b07460
pf_key_registered: 3 c126b760 29310 c1b07460
pf_key_registered: 9 c126b760 29310 c1b07460
pf_key_registered: 10 c126b760 29310 c1b07460
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 4 0 128 128
pf_key_supported: 9 15 3 0 32 128
pf_key_supported: 9 15 2 0 128 32
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/ppp0 193.252.8.125
000
000 "touche-pgp": 192.168.2.0/24===193.252.8.125---193.253.160.3...217.128.181.83
000 "touche-pgp": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 3
000 "touche-pgp": policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+DONTREKEY; interface: ppp0; unrouted
000 "touche-pgp": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "touche-netclust": 192.168.2.1...192.168.2.2
000 "touche-netclust": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 240s; rekey_fuzz: 25%; keyingtries: 5
000 "touche-netclust": policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ; unrouted
000 "touche-netclust": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "touche-win2": 192.168.2.1...192.168.2.11
000 "touche-win2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "touche-win2": policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ; unrouted
000 "touche-win2": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "touche-win": 192.168.2.1...192.168.2.11
000 "touche-win": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 3
000 "touche-win": policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+DONTREKEY; interface: ; unrouted
000 "touche-win": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:A0:24:6B:75:8F
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:12471861 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9819202 errors:0 dropped:0 overruns:0 carrier:1
          collisions:728 txqueuelen:100
          RX bytes:246727565 (235.2 MiB) TX bytes:997239685 (951.0 MiB)
          Interrupt:10 Base address:0x300

eth1 Link encap:Ethernet HWaddr 00:50:FC:1F:C5:04
          inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:12206080 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15079821 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1123245324 (1.0 GiB) TX bytes:297246805 (283.4 MiB)
          Interrupt:11 Base address:0x6400

ipsec0 Link encap:Point-to-Point Protocol
          inet addr:193.252.8.125 Mask:255.255.255.255
          UP RUNNING NOARP MTU:16260 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ipsec1 Link encap:Ethernet HWaddr 00:50:FC:1F:C5:04
          inet addr:192.168.2.1 Mask:255.255.255.0
          UP RUNNING NOARP MTU:16260 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ipsec2 Link encap:IPIP Tunnel HWaddr
          NOARP MTU:0 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ipsec3 Link encap:IPIP Tunnel HWaddr
          NOARP MTU:0 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:116855 errors:0 dropped:0 overruns:0 frame:0
          TX packets:116855 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:38283818 (36.5 MiB) TX bytes:38283818 (36.5 MiB)

ppp0 Link encap:Point-to-Point Protocol
          inet addr:193.252.8.125 P-t-P:193.253.160.3 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
          RX packets:174358 errors:0 dropped:0 overruns:0 frame:0
          TX packets:141088 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:201151478 (191.8 MiB) TX bytes:14231206 (13.5 MiB)

sit0 Link encap:IPv6-in-IPv4
          NOARP MTU:1480 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

sit1 Link encap:IPv6-in-IPv4
          UP POINTOPOINT RUNNING NOARP MTU:1472 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:4295 (4.1 KiB)

tun4 Link encap:Point-to-Point Protocol
          inet addr:192.168.2.1 P-t-P:192.168.4.1 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1255 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:21168 (20.6 KiB)

tun32 Link encap:Point-to-Point Protocol
          inet addr:192.168.2.1 P-t-P:192.168.32.233 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1255 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:127 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:10668 (10.4 KiB)

+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
crimson.touche.www
+ _________________________ hostname/ipaddress
+ hostname --ip-address
192.168.2.1
+ _________________________ uptime
+ uptime
 22:04:01 up 29 days, 12:15, 1 user, load average: 0.07, 0.19, 0.23
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
  F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
000 0 10584 16017 9 0 2124 984 wait4 S pts/2 0:00 \_ /bin/sh /usr/local/sbin/ipsec barf
000 0 28925 10584 9 0 2132 1028 wait4 S pts/2 0:00 \_ /bin/sh /usr/local/lib/ipsec/barf
000 0 30106 28925 9 0 1328 436 pipe_w S pts/2 0:00 \_ egrep -i ppid|pluto|ipsec|klips
040 0 5676 1 9 0 2124 916 wait4 S ? 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug all --uniqueids yes --dump --load %search --start %search --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
040 0 31042 5676 9 0 2124 908 wait4 S ? 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug all --uniqueids yes --dump --load %search --start %search --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
100 0 29310 31042 9 0 1764 780 select S ? 0:00 | \_ /usr/local/lib/ipsec/pluto --nofork --debug-all --uniqueids
000 0 14199 29310 9 0 1300 284 select S ? 0:00 | \_ _pluto_adns -d 7 10
000 0 3042 5676 8 0 2116 1012 pipe_w S ? 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --load %search --start %search --wait no --post
000 0 31682 1 9 0 1252 472 pipe_w S ? 0:00 logger -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
#dr: no default route
#dr: no default route
# no default route
# no default route
# no default route
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# GNU Linux - FreeSWAN
# /etc/ipsec.conf
# $Id: ipsec.conf,v 1.3 2001/08/06 17:17:30 hshoexer Exp $

#-----------------------------------------------------------------------------#

config setup
        #interfaces=%defaultroute
        ## if more than one interface
        interfaces="ipsec0=ppp0 ipsec1=eth1"
        #interfaces="ipsec0=ppp0"
        #interfaces="ipsec1=eth1"
        forwardcontrol=no
        syslog=daemon.error
        ## Debug-logging controls: "none" for (almost) none, "all" for lots.
        ## For negotiation problems plutodebug is most relevant. klipsdebug
        ## applies mainly to attempts to use an already-established connection
        klipsdebug=none
        #klipsdebug=all
        #plutodebug=none
        plutodebug=all
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        pluto=yes
        ## list of tunnels to load in db at startup
        ## ok if auto=add|start
                plutoload=%search
        ## list of tunnels to load at startup
        ## ok if auto=start
                plutostart=%search
        ## wait for establishing tunnel before next
                plutowait=no

conn %default
        # How to authenticate gateways
        #authby=rsasig
        ## How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # Default is to load all connection descriptions
        # but not try to start the connection
        # Some conns may over-ride this with auto=start
        #auto=start
        auto=add
        ## authentification: esp (default) or ah
        auth=esp
# keyexchange=ike
# keylife=8h
# pfs=yes
# rekeymargin=9m
# rekeyfuzz=25%

## conf freeswan-pgpnet by common secret
#conn touche-WIN
# type=tunnel
# auto=add
#
# left=192.168.2.1
# right=192.168.2.10
# keyexchange=ike
# keylife=8h
# keyingtries=3
# pfs=yes
# rekeymargin=9m
# rekeyfuzz=25%

conn touche-pgp
        type=tunnel
        auto=add
        left=193.252.8.125
        leftnexthop=193.253.160.3
        leftsubnet=192.168.2.0/24
        right=217.128.181.83
        #rightsubnet=192.168.5.0/255.255.255.224
        ## don't retry all time
        keyingtries=3
        ## prevent freeswan to reinitiate conn
        rekey=no
        keyexchange=ike
        keylife=8h
        pfs=yes
        rekeymargin=9m
        rekeyfuzz=25%

## connexion test avec pgpnet host2host -> ok
## PGP: proposal 3DES / SHA1-MD5 / DH 1024 / none
conn touche-win
        type=tunnel
        auto=add
        left=192.168.2.1
        right=192.168.2.11
        ## don't retry all time
        keyingtries=3
        ## prevent freeswan to reinitiate conn
        rekey=no
        keyexchange=ike
        keylife=8h
        pfs=yes
        rekeymargin=9m
        rekeyfuzz=25%
   

## connexion test avec win2k ipsec host2host
conn touche-win2
        type=tunnel
        auto=add
        left=192.168.2.1
        right=192.168.2.11
        ## don't retry all time
        keyingtries=3

## freeswan/openbsd
conn touche-netclust
        auto=add
        left=192.168.2.1
        right=192.168.2.2
        ikelifetime=1h
        keyingtries=5
        keylife=1h
        keyexchange=ike
        rekeymargin=4m
        rekeyfuzz=25%
        pfs=yes

+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
# GNU Linux - FreeSWAN
# /etc/ipsec.secrets

# $Id: ipsec.secrets,v 1.3 2001/08/06 17:17:30 hshoexer Exp $

##
## IPsec VPN conf for www/2002
##
## by Julien Touche
##
## last update: 02-04-2002
##

## RSA Auth
: RSA {
        # RSA 4096 bits crimson Fri Feb 15 11:41:31 2002
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=[keyid AQNaK8Yu6]
        #IN KEY 0x4200 4 1 [keyid AQNaK8Yu6]
        # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
        Modulus: [...]
        PublicExponent: [...]
        # everything after this point is secret
        PrivateExponent: [...]
        Prime1: [...]
        Prime2: [...]
        Exponent1: [...]
        Exponent2: [...]
        Coefficient: [...]
        }
# do not change the indenting of that "[sums to 7d9d...]"

## Shared secret auth

############################ Paris/2002 #######################################

## ? @touche - @ext1
193.252.8.125 212.198.37.93: PSK "[sums to e750...]"

## ? @touche - @pgp
193.252.8.125 217.128.181.83: PSK "[sums to dd02...]"

## ? @touche - @ext2
#192.168.2.1 192.168.5.32: PSK "[sums to e750...]"

## touche tests
192.168.2.1 192.168.2.11: PSK "[sums to dd02...]"
192.168.2.1 192.168.2.2: PSK "[sums to dd02...]"

+ _________________________ ipsec/ls-dir
+ ls -l /usr/local/lib/ipsec
total 3572
-rwxr-xr-x 1 root root 11102 Aug 14 10:53 _confread
-rwxr-xr-x 1 root staff 11085 Apr 20 2002 _confread.old
-rwxr-xr-x 1 root root 37647 Aug 14 10:53 _copyright
-rwxr-xr-x 1 root staff 37627 Apr 20 2002 _copyright.old
-rwxr-xr-x 1 root root 2163 Aug 14 10:53 _include
-rwxr-xr-x 1 root staff 2163 Apr 20 2002 _include.old
-rwxr-xr-x 1 root root 1472 Aug 14 10:53 _keycensor
-rwxr-xr-x 1 root staff 1472 Apr 20 2002 _keycensor.old
-rwxr-xr-x 1 root root 63403 Aug 14 10:53 _pluto_adns
-rwxr-xr-x 1 root staff 60931 Apr 20 2002 _pluto_adns.old
-rwxr-xr-x 1 root root 3495 Aug 14 10:53 _plutoload
-rwxr-xr-x 1 root staff 3495 Apr 20 2002 _plutoload.old
-rwxr-xr-x 1 root root 4376 Aug 14 10:53 _plutorun
-rwxr-xr-x 1 root staff 4265 Apr 20 2002 _plutorun.old
-rwxr-xr-x 1 root root 7450 Aug 14 10:53 _realsetup
-rwxr-xr-x 1 root staff 7294 Apr 20 2002 _realsetup.old
-rwxr-xr-x 1 root root 1971 Aug 14 10:53 _secretcensor
-rwxr-xr-x 1 root staff 1971 Apr 20 2002 _secretcensor.old
-rwxr-xr-x 1 root root 6933 Aug 14 10:53 _startklips
-rwxr-xr-x 1 root staff 6839 Apr 20 2002 _startklips.old
-rwxr-xr-x 1 root root 5014 Aug 14 10:53 _updown
-rwxr-xr-x 1 root staff 5014 Apr 20 2002 _updown.old
-rwxr-xr-x 1 root root 11404 Aug 14 10:53 auto
-rwxr-xr-x 1 root staff 10912 Apr 20 2002 auto.old
-rwxr-xr-x 1 root root 7195 Aug 14 10:53 barf
-rwxr-xr-x 1 root staff 7132 Apr 20 2002 barf.old
-rwxr-xr-x 1 root root 816 Aug 14 10:53 calcgoo
-rwxr-xr-x 1 root root 194519 Aug 14 10:53 eroute
-rwxr-xr-x 1 root root 86680 Aug 14 10:53 ikeping
-rwxr-xr-x 1 root root 86656 Apr 20 2002 ikeping.old
-rwxr-xr-x 1 root root 2916 Aug 14 10:53 ipsec
-rwxr-xr-x 1 root staff 2915 Apr 20 2002 ipsec.old
-rw-r--r-- 1 root root 1950 Aug 14 10:53 ipsec_pr.template
-rwxr-xr-x 1 root root 137566 Aug 14 10:53 klipsdebug
-rwxr-xr-x 1 root root 2437 Aug 14 10:53 look
-rwxr-xr-x 1 root staff 2437 Apr 20 2002 look.old
-rwxr-xr-x 1 root root 16157 Aug 14 10:53 manual
-rwxr-xr-x 1 root staff 16157 Apr 20 2002 manual.old
-rwxr-xr-x 1 root root 1847 Aug 14 10:53 newhostkey
-rwxr-xr-x 1 root staff 1847 Apr 20 2002 newhostkey.old
-rwxr-xr-x 1 root root 114353 Aug 14 10:53 pf_key
-rwxr-xr-x 1 root root 754815 Aug 14 10:53 pluto
-rwxr-xr-x 1 root staff 752348 Apr 20 2002 pluto.old
-rwxr-xr-x 1 root root 43828 Aug 14 10:53 ranbits
-rwxr-xr-x 1 root staff 43808 Apr 20 2002 ranbits.old
-rwxr-xr-x 1 root root 67745 Aug 14 10:53 rsasigkey
-rwxr-xr-x 1 root staff 67725 Apr 20 2002 rsasigkey.old
-rwxr-xr-x 1 root root 16671 Aug 14 10:53 send-pr
-rwxr-xr-x 1 root staff 16671 Apr 20 2002 send-pr.old
lrwxrwxrwx 1 root root 22 Aug 14 10:53 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1041 Aug 14 10:53 showdefaults
-rwxr-xr-x 1 root staff 1041 Apr 20 2002 showdefaults.old
-rwxr-xr-x 1 root root 4205 Aug 14 10:53 showhostkey
-rwxr-xr-x 1 root staff 3484 Apr 20 2002 showhostkey.old
-rwxr-xr-x 1 root root 220471 Aug 14 10:53 spi
-rwxr-xr-x 1 root root 171938 Aug 14 10:53 spigrp
-rwxr-xr-x 1 root root 55989 Aug 14 10:53 tncfg
-rwxr-xr-x 1 root root 16568 Aug 14 10:53 uml_netjig
-rwxr-xr-x 1 root root 3353 Aug 14 10:53 verify
-rwxr-xr-x 1 root root 122536 Aug 14 10:53 whack
-rwxr-xr-x 1 root staff 122182 Apr 20 2002 whack.old
+ _________________________ ipsec/updowns
++ ls /usr/local/lib/ipsec
++ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $

# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
        echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
        echo "$0: called by obsolete Pluto?" >&2
        exit 2
        ;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$1:$*" in
':') # no parameters
        ;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
        ;;
custom:*) # custom parameters (see above CAUTION comment)
        ;;
*) echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
        doroute add
}
downroute() {
        doroute del
}
doroute() {
        parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
        parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
                        route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
                ;;
        *) it="route $1 $parms $parms2"
                ;;
        esac
        eval $it
        st=$?
        if test $st -ne 0
        then
                # route has already given its own cryptic message
                echo "$0: \`$it' failed" >&2
                if test " $1 $st" = " add 7"
                then
                        # another totally undocumented interface -- 7 and
                        # "SIOCADDRT: Network is unreachable" means that
                        # the gateway isn't reachable.
                        echo "$0: (incorrect or missing nexthop setting??)" >&2
                fi
        fi
        return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to adding a route)
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
                        route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
                ;;
        *)
                it="route del -net $PLUTO_PEER_CLIENT_NET \
                                        netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
                ;;
        esac
        oops="`eval $it`"
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error, exit status $status"
        fi
        case "$oops" in
        'SIOCDELRT: No such process'*)
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
        exit $status
        ;;
route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
up-host:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-host:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;
esac
+ cat /usr/local/lib/ipsec/_updown.old
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $

# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
        echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
        echo "$0: called by obsolete Pluto?" >&2
        exit 2
        ;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$1:$*" in
':') # no parameters
        ;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
        ;;
custom:*) # custom parameters (see above CAUTION comment)
        ;;
*) echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
        doroute add
}
downroute() {
        doroute del
}
doroute() {
        parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
        parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
                        route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
                ;;
        *) it="route $1 $parms $parms2"
                ;;
        esac
        eval $it
        st=$?
        if test $st -ne 0
        then
                # route has already given its own cryptic message
                echo "$0: \`$it' failed" >&2
                if test " $1 $st" = " add 7"
                then
                        # another totally undocumented interface -- 7 and
                        # "SIOCADDRT: Network is unreachable" means that
                        # the gateway isn't reachable.
                        echo "$0: (incorrect or missing nexthop setting??)" >&2
                fi
        fi
        return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to adding a route)
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
                        route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
                ;;
        *)
                it="route del -net $PLUTO_PEER_CLIENT_NET \
                                        netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
                ;;
        esac
        oops="`eval $it`"
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error, exit status $status"
        fi
        case "$oops" in
        'SIOCDELRT: No such process'*)
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
        exit $status
        ;;
route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
up-host:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-host:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;
esac
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
    lo:38283818 116855 0 0 0 0 0 0 38283818 116855 0 0 0 0 0 0
  eth0:246727565 12471861 0 0 0 0 0 0 997239685 9819202 0 0 0 728 1 0
  eth1:1123245508 12206082 0 0 0 0 0 0 297246915 15079822 0 0 0 0 0 0
  sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
  ppp0:201151478 174358 0 0 0 0 0 0 14231206 141088 0 0 0 0 0 0
  sit1: 0 0 0 0 0 0 0 0 4295 28 0 0 0 0 0 0
 tun32: 0 0 0 0 0 0 0 0 10668 127 0 0 0 0 0 0
  tun4: 0 0 0 0 0 0 0 0 21168 252 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
tun4 0104A8C0 00000000 0005 0 0 0 FFFFFFFF 40 0 0
ppp0 03A0FDC1 00000000 0005 0 0 0 FFFFFFFF 40 0 0
ipsec0 03A0FDC1 00000000 0005 0 0 0 FFFFFFFF 40 0 0
tun32 E920A8C0 00000000 0005 0 0 0 FFFFFFFF 40 0 0
tun4 0004A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0
eth1 0002A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0
ipsec1 0002A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0
tun32 0020A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0
ppp0 00000000 03A0FDC1 0003 0 0 0 00000000 40 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth1/rp_filter ipsec0/rp_filter ipsec1/rp_filter lo/rp_filter ppp0/rp_filter tun32/rp_filter tun4/rp_filter
all/rp_filter:1
default/rp_filter:1
eth1/rp_filter:0
ipsec0/rp_filter:1
ipsec1/rp_filter:1
lo/rp_filter:1
ppp0/rp_filter:0
tun32/rp_filter:1
tun4/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux crimson 2.4.19-grsec #2 SMP Wed Aug 14 17:43:19 CEST 2002 i586 unknown unknown GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.98b
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy DROP 4 packets, 196 bytes)
 pkts bytes target prot opt in out source destination
   10 1704 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
    0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:8000
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun1 * 192.168.4.0/24 192.168.2.0/24
    0 0 ACCEPT icmp -- * * 80.11.4.79 0.0.0.0/0
    0 0 ACCEPT icmp -- * * 193.49.200.148 0.0.0.0/0
    0 0 DROP tcp -- * * !192.168.2.0/24 127.0.0.1 tcp dpt:80
    0 0 DROP tcp -- * * !192.168.2.0/24 127.0.0.1 tcp dpt:143
    0 0 DROP tcp -- * * !192.168.2.0/24 127.0.0.1 tcp dpt:192
    0 0 DROP tcp -- * * !192.168.2.0/24 127.0.0.1 tcp dpt:10000
  387 45875 ACCEPT udp -- * * 192.168.2.2 0.0.0.0/0 udp dpt:161
    0 0 REJECT udp -- * * !192.168.2.2 0.0.0.0/0 udp dpt:161 reject-with icmp-port-unreachable
  110 6380 loopback all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 BLACKLIST all -- * * 239.2.9.57 0.0.0.0/0
    0 0 BLACKLIST all -- * * 207.46.226.40 0.0.0.0/0
    0 0 BLACKLIST all -- * * 204.253.104.45 0.0.0.0/0
    0 0 BLACKLIST all -- * * 212.43.218.207 0.0.0.0/0
    0 0 BLACKLIST all -- * * 62.210.148.2 0.0.0.0/0
 5752 625K ACCEPT all -- !ppp0 * 192.168.2.0/24 192.168.2.0/24
    0 0 RESERVED all -- ppp0 * 10.0.0.0/8 0.0.0.0/0
    1 78 RESERVED all -- ppp0 * 172.16.0.0/12 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 192.168.0.0/16 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.1 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.2 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.4 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.5 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.6 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.9 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.13 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.15 0.0.0.0/0
   31 2708 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:32769:65535 dpts:33434:33523
    0 0 DNS udp -- * * 192.168.2.2 0.0.0.0/0 udp spt:53
  195 15937 PUBLIC tcp -- * * 0.0.0.0/0 193.252.8.125 tcp dpt:80
    0 0 PUBLIC udp -- * * 0.0.0.0/0 193.252.8.125 udp dpt:80
    0 0 PUBLIC tcp -- * * 0.0.0.0/0 193.252.8.125 tcp dpt:25
    0 0 PUBLIC udp -- * * 0.0.0.0/0 193.252.8.125 udp dpt:25
   38 1640 PUBLIC tcp -- * * 0.0.0.0/0 193.252.8.125 tcp dpt:22
    0 0 PUBLIC udp -- * * 0.0.0.0/0 193.252.8.125 udp dpt:22
    3 180 PUBLIC tcp -- * * 0.0.0.0/0 193.252.8.125 tcp dpt:113
    0 0 PUBLIC udp -- * * 0.0.0.0/0 193.252.8.125 udp dpt:113
    0 0 SCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F state INVALID,NEW,RELATED
    0 0 SCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 state INVALID,NEW,RELATED
    2 80 SCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01 state INVALID,NEW,RELATED
 2082 2194K STATEFUL all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 2 packets, 157 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
  385 32340 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0
    0 0 SCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
    0 0 SCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
    0 0 BLOCK_OUT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
    0 0 BLOCK_OUT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:137
    0 0 BLOCK_OUT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:138
    0 0 BLOCK_OUT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:138
    0 0 BLOCK_OUT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
    0 0 BLOCK_OUT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:139
 150K 119M STATEFUL all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 11758 packets, 1198K bytes)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 239.2.11.71
    8 1172 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
    0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * tun1 192.168.2.0/24 192.168.4.0/24
  110 6380 loopback all -- * lo 0.0.0.0/0 0.0.0.0/0
    0 0 BLOCK_OUT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
    0 0 BLOCK_OUT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:137
    0 0 BLOCK_OUT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:138
    0 0 BLOCK_OUT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:138
    0 0 BLOCK_OUT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
    0 0 BLOCK_OUT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:139

Chain ACCEPTnLOG (0 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (accept) '
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain BLACKLIST (5 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (blacklisted drop) '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain BLOCK_OUT (12 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain CLIENT (0 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain CLOSED (0 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (closed port drop) '
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DHCP (0 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (DHCP accept) '
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DMZ (0 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (DMZ drop) '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DNS (1 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DROPICMP (0 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DROPnLOG (1 references)
 pkts bytes target prot opt in out source destination
  109 8502 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 dpts:1024:65535 flags:!0x16/0x02
    0 0 DROP udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
    0 0 DROP udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:68 dpt:67
  118 5828 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
  261 20871 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
   16 1284 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain HIGHPORT (0 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MON_OUT (0 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OPENPORT (0 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PUBLIC (8 references)
 pkts bytes target prot opt in out source destination
  236 17757 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain RESERVED (11 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
    1 78 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SCAN (5 references)
 pkts bytes target prot opt in out source destination
    2 80 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (possible port scan) '
    2 80 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SERVICEDROP (0 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (service drop) '
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain STATEFUL (2 references)
 pkts bytes target prot opt in out source destination
 148K 121M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 3697 231K ACCEPT all -- !ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW
  504 36485 DROPnLOG all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loopback (2 references)
 pkts bytes target prot opt in out source destination
  110 6380 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/local/lib/ipsec/barf: line 197: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/local/lib/ipsec/barf: line 199: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/local/lib/ipsec/barf: line 201: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/local/lib/ipsec/barf: line 203: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1394K packets, 89M bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 75590 packets, 5276K bytes)
 pkts bytes target prot opt in out source destination
 3340 203K MASQUERADE all -- * ppp0 192.168.2.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 50213 packets, 3161K bytes)
 pkts bytes target prot opt in out source destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/local/lib/ipsec/barf: line 207: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/local/lib/ipsec/barf: line 209: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 25M packets, 14G bytes)
 pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 3664K packets, 326M bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 21M packets, 13G bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3530K packets, 266M bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 24M packets, 14G bytes)
 pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ cat /proc/modules
ipsec 237952 3
ip6table_filter 1856 0 (autoclean) (unused)
ip6_tables 11616 1 [ip6table_filter]
pppoe 8288 0 (unused)
pppox 1304 1 [pppoe]
ipt_MASQUERADE 1312 1 (autoclean)
ipt_state 576 5 (autoclean)
ipt_LOG 3264 7 (autoclean)
ipt_REJECT 2688 5 (autoclean)
iptable_mangle 2144 0 (autoclean) (unused)
ppp_deflate 39424 0 (autoclean)
bsd_comp 3872 0 (autoclean)
ppp_async 6816 1 (autoclean)
ppp_generic 22316 3 (autoclean) [pppoe pppox ppp_deflate bsd_comp ppp_async]
slhc 4544 0 (autoclean) [ppp_generic]
tun 3648 6 (autoclean)
+ _________________________ proc/meminfo
+ cat /proc/meminfo
        total: used: free: shared: buffers: cached:
Mem: 37572608 32686080 4886528 0 1167360 21864448
Swap: 210558976 13139968 197419008
MemTotal: 36692 kB
MemFree: 4772 kB
MemShared: 0 kB
Buffers: 1140 kB
Cached: 18548 kB
SwapCached: 2804 kB
Active: 18728 kB
Inactive: 6848 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 36692 kB
LowFree: 4772 kB
SwapTotal: 205624 kB
SwapFree: 192792 kB
+ _________________________ dev/ipsec-ls
+ ls -l /dev/ipsec
c-w------- 1 root root 36, 10 Dec 2 21:20 /dev/ipsec
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r-- 1 root root 0 Dec 9 22:04 /proc/net/ipsec_eroute
-r--r--r-- 1 root root 0 Dec 9 22:04 /proc/net/ipsec_klipsdebug
-r--r--r-- 1 root root 0 Dec 9 22:04 /proc/net/ipsec_spi
-r--r--r-- 1 root root 0 Dec 9 22:04 /proc/net/ipsec_spigrp
-r--r--r-- 1 root root 0 Dec 9 22:04 /proc/net/ipsec_tncfg
-r--r--r-- 1 root root 0 Dec 9 22:04 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
# CONFIG_MD_MULTIPATH is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
# CONFIG_IP_PIMSM_V1 is not set
# CONFIG_IP_PIMSM_V2 is not set
# IP: Netfilter Configuration
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_MIRROR=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IPV6=y
# IPv6: Netfilter Configuration
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_LIMIT=y
CONFIG_IP6_NF_MATCH_MAC=y
CONFIG_IP6_NF_MATCH_MULTIPORT=y
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_LOG=y
CONFIG_IP6_NF_MANGLE=y
CONFIG_IP6_NF_TARGET_MARK=y
# CONFIG_IPX is not set
CONFIG_IPSEC=y
# IPSec options (FreeS/WAN)
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_IDE_CHIPSETS is not set
# CONFIG_TULIP is not set
# CONFIG_HIPPI is not set
# CONFIG_PLIP is not set
CONFIG_SLIP=y
CONFIG_SLIP_COMPRESSED=y
CONFIG_SLIP_SMART=y
CONFIG_SLIP_MODE_SLIP6=y
# CONFIG_FBCON_IPLAN2P2 is not set
# CONFIG_FBCON_IPLAN2P4 is not set
# CONFIG_FBCON_IPLAN2P8 is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.

#
# First some standard logfiles. Log by facility.
#

auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* /var/log/mail.log
user.* -/var/log/user.log
uucp.* -/var/log/uucp.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

#
# Some `catch-all' logfiles.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none -/var/log/debug
*.err;*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none -/var/log/messages

*.err;*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none @log.touche.www

#
# Emergencies are sent to everybody logged in.
#
*.emerg *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
daemon,mail.*;\
        news.=crit;news.=err;news.=notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn /dev/tty6

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
        news.crit;news.err;news.notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn |/dev/xconsole

+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search touche.www
nameserver 192.168.2.2

+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 20
drwxr-xr-x 5 root root 4096 Jul 23 15:35 2.4.17
drwxr-xr-x 3 root root 4096 Aug 14 12:45 2.4.18-586tsc
drwxr-xr-x 4 root root 4096 Aug 20 12:16 2.4.19-grsec
drwxr-xr-x 4 root root 4096 Aug 20 12:17 2.4.17-tj.old
drwxr-xr-x 4 root root 4096 Aug 20 12:17 2.4.17-tj
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c026afc0 netif_rx_Rsmp_a21f0f2d
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.17:
2.4.17-tj:
2.4.17-tj.old:
2.4.18-586tsc: U netif_rx_R5165df39
2.4.19-grsec: U netif_rx_Rsmp_a21f0f2d
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '4688,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ cat
Dec 9 21:50:19 crimson ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
Dec 9 21:50:20 crimson ipsec_setup: Using /lib/modules/2.4.19-grsec/kernel/net/ipsec/ipsec.o
Dec 9 21:50:20 crimson kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.98b
Dec 9 21:50:20 crimson ipsec_setup: KLIPS debug `none'
Dec 9 21:50:21 crimson ipsec_setup: KLIPS ipsec0 on ppp0 193.252.8.125/255.255.255.255 pointopoint 193.253.160.3
Dec 9 21:50:21 crimson ipsec_setup: KLIPS ipsec1 on eth1 192.168.2.1/255.255.255.0 broadcast 192.168.2.255
Dec 9 21:50:22 crimson ipsec_setup: ...FreeS/WAN IPsec started
Dec 9 21:50:27 crimson ipsec__plutorun: 003 IP interfaces tun4 and tun32 share address 192.168.2.1!
Dec 9 21:50:27 crimson ipsec__plutorun: 003 IP interfaces tun4 and eth1 share address 192.168.2.1!
Dec 9 21:50:27 crimson ipsec__plutorun: 003 IP interfaces tun32 and eth1 share address 192.168.2.1!
Dec 9 22:03:46 crimson ipsec_setup: FreeS/WAN IPsec apparently already running, start aborted
+ _________________________ plog
+ sed -n '30585,$p' /var/log/auth.log
+ egrep -i pluto
+ cat
Dec 9 21:50:22 crimson ipsec__plutorun: Starting Pluto subsystem...
Dec 9 21:50:22 crimson pluto[29310]: Starting Pluto (FreeS/WAN Version 1.98b)
Dec 9 21:50:22 crimson pluto[29310]: | opening /dev/urandom
Dec 9 21:50:22 crimson pluto[29310]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Dec 9 21:50:22 crimson pluto[29310]: | process 29310 listening for PF_KEY_V2 on file descriptor 6
Dec 9 21:50:22 crimson pluto[29310]: | finish_pfkey_msg: SADB_REGISTER message 1 for AH
Dec 9 21:50:22 crimson pluto[29310]: | 02 07 00 02 02 00 00 00 01 00 00 00 7e 72 00 00
Dec 9 21:50:22 crimson pluto[29310]: | pfkey_get: SADB_REGISTER message 1
Dec 9 21:50:22 crimson pluto[29310]: | AH registered with kernel.
Dec 9 21:50:22 crimson pluto[29310]: | finish_pfkey_msg: SADB_REGISTER message 2 for ESP
Dec 9 21:50:22 crimson pluto[29310]: | 02 07 00 03 02 00 00 00 02 00 00 00 7e 72 00 00
Dec 9 21:50:22 crimson pluto[29310]: | pfkey_get: SADB_REGISTER message 2
Dec 9 21:50:22 crimson pluto[29310]: | ESP registered with kernel.
Dec 9 21:50:22 crimson pluto[29310]: | finish_pfkey_msg: SADB_REGISTER message 3 for IPCOMP
Dec 9 21:50:22 crimson pluto[29310]: | 02 07 00 0a 02 00 00 00 03 00 00 00 7e 72 00 00
Dec 9 21:50:22 crimson pluto[29310]: | pfkey_get: SADB_REGISTER message 3
Dec 9 21:50:22 crimson pluto[29310]: | IPCOMP registered with kernel.
Dec 9 21:50:22 crimson pluto[29310]: | finish_pfkey_msg: SADB_REGISTER message 4 for IPIP
Dec 9 21:50:22 crimson pluto[29310]: | 02 07 00 09 02 00 00 00 04 00 00 00 7e 72 00 00
Dec 9 21:50:22 crimson pluto[29310]: | pfkey_get: SADB_REGISTER message 4
Dec 9 21:50:22 crimson pluto[29310]: | IPIP registered with kernel.
Dec 9 21:50:22 crimson pluto[29310]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 9 21:50:22 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 9 21:50:24 crimson pluto[29310]: |
Dec 9 21:50:24 crimson pluto[29310]: | *received whack message
Dec 9 21:50:24 crimson pluto[29310]: added connection description "touche-win"
Dec 9 21:50:24 crimson pluto[29310]: | 192.168.2.1...192.168.2.11
Dec 9 21:50:24 crimson pluto[29310]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 3; policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+DONTREKEY
Dec 9 21:50:24 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 118 seconds
Dec 9 21:50:25 crimson pluto[29310]: |
Dec 9 21:50:25 crimson pluto[29310]: | *received whack message
Dec 9 21:50:25 crimson pluto[29310]: added connection description "touche-win2"
Dec 9 21:50:25 crimson pluto[29310]: | 192.168.2.1...192.168.2.11
Dec 9 21:50:25 crimson pluto[29310]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Dec 9 21:50:25 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 117 seconds
Dec 9 21:50:26 crimson pluto[29310]: |
Dec 9 21:50:26 crimson pluto[29310]: | *received whack message
Dec 9 21:50:26 crimson pluto[29310]: added connection description "touche-netclust"
Dec 9 21:50:26 crimson pluto[29310]: | 192.168.2.1...192.168.2.2
Dec 9 21:50:26 crimson pluto[29310]: | ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 240s; rekey_fuzz: 25%; keyingtries: 5; policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Dec 9 21:50:26 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 116 seconds
Dec 9 21:50:27 crimson pluto[29310]: |
Dec 9 21:50:27 crimson pluto[29310]: | *received whack message
Dec 9 21:50:27 crimson pluto[29310]: added connection description "touche-pgp"
Dec 9 21:50:27 crimson pluto[29310]: | 192.168.2.0/24===193.252.8.125---193.253.160.3...217.128.181.83
Dec 9 21:50:27 crimson pluto[29310]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 3; policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+DONTREKEY
Dec 9 21:50:27 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 115 seconds
Dec 9 21:50:27 crimson pluto[29310]: |
Dec 9 21:50:27 crimson pluto[29310]: | *received whack message
Dec 9 21:50:27 crimson pluto[29310]: listening for IKE messages
Dec 9 21:50:27 crimson pluto[29310]: | found lo with address 127.0.0.1
Dec 9 21:50:27 crimson pluto[29310]: | found eth1 with address 192.168.2.1
Dec 9 21:50:27 crimson pluto[29310]: | found ppp0 with address 193.252.8.125
Dec 9 21:50:27 crimson pluto[29310]: | found tun32 with address 192.168.2.1
Dec 9 21:50:27 crimson pluto[29310]: | found tun4 with address 192.168.2.1
Dec 9 21:50:27 crimson pluto[29310]: | found ipsec0 with address 193.252.8.125
Dec 9 21:50:27 crimson pluto[29310]: | found ipsec1 with address 192.168.2.1
Dec 9 21:50:27 crimson pluto[29310]: IP interfaces tun4 and tun32 share address 192.168.2.1!
Dec 9 21:50:27 crimson pluto[29310]: IP interfaces tun4 and eth1 share address 192.168.2.1!
Dec 9 21:50:27 crimson pluto[29310]: IP interfaces tun32 and eth1 share address 192.168.2.1!
Dec 9 21:50:27 crimson pluto[29310]: adding interface ipsec0/ppp0 193.252.8.125
Dec 9 21:50:27 crimson pluto[29310]: | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
Dec 9 21:50:27 crimson pluto[29310]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Dec 9 21:50:27 crimson pluto[29310]: | found 80 with address fe80:0000:0000:0000:0250:fcff:fe1f:c504
Dec 9 21:50:27 crimson pluto[29310]: | IP interface 80 fe80::250:fcff:fe1f:c504 has no matching ipsec* interface -- ignored
Dec 9 21:50:27 crimson pluto[29310]: | IP interface lo ::1 has no matching ipsec* interface -- ignored
Dec 9 21:50:27 crimson pluto[29310]: loading secrets from "/etc/ipsec.secrets"
Dec 9 21:50:27 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 115 seconds
Dec 9 21:52:22 crimson pluto[29310]: |
Dec 9 21:52:22 crimson pluto[29310]: | *time to handle event
Dec 9 21:52:22 crimson pluto[29310]: | event after this is EVENT_REINIT_SECRET in 3480 seconds
Dec 9 21:52:22 crimson pluto[29310]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 9 21:52:22 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 9 21:54:22 crimson pluto[29310]: |
Dec 9 21:54:22 crimson pluto[29310]: | *time to handle event
Dec 9 21:54:22 crimson pluto[29310]: | event after this is EVENT_REINIT_SECRET in 3360 seconds
Dec 9 21:54:22 crimson pluto[29310]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 9 21:54:22 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 9 21:56:22 crimson pluto[29310]: |
Dec 9 21:56:22 crimson pluto[29310]: | *time to handle event
Dec 9 21:56:22 crimson pluto[29310]: | event after this is EVENT_REINIT_SECRET in 3240 seconds
Dec 9 21:56:22 crimson pluto[29310]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 9 21:56:22 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 9 21:58:22 crimson pluto[29310]: |
Dec 9 21:58:22 crimson pluto[29310]: | *time to handle event
Dec 9 21:58:22 crimson pluto[29310]: | event after this is EVENT_REINIT_SECRET in 3120 seconds
Dec 9 21:58:22 crimson pluto[29310]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 9 21:58:22 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 9 22:00:22 crimson pluto[29310]: |
Dec 9 22:00:22 crimson pluto[29310]: | *time to handle event
Dec 9 22:00:22 crimson pluto[29310]: | event after this is EVENT_REINIT_SECRET in 3000 seconds
Dec 9 22:00:22 crimson pluto[29310]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 9 22:00:22 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 9 22:02:22 crimson pluto[29310]: |
Dec 9 22:02:22 crimson pluto[29310]: | *time to handle event
Dec 9 22:02:22 crimson pluto[29310]: | event after this is EVENT_REINIT_SECRET in 2880 seconds
Dec 9 22:02:22 crimson pluto[29310]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 9 22:02:22 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 9 22:04:01 crimson pluto[29310]: |
Dec 9 22:04:01 crimson pluto[29310]: | *received whack message
Dec 9 22:04:01 crimson pluto[29310]: | next event EVENT_SHUNT_SCAN in 21 seconds
+ _________________________ date
+ date
Mon Dec 9 22:04:07 CET 2002

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
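The pluto log in the barf output above shows why "ipsec --auto up" reports no ipsecN interface for the internal end: pluto enumerates every interface, finds eth1, tun4 and tun32 all carrying 192.168.2.1, prints the three "share address" warnings, and then logs "adding interface ipsec0/ppp0" only. ipsec1/eth1 is never added, so any connection whose left or right is 192.168.2.1 (touche-win, touche-win2, touche-netclust) has no usable ipsecN device. The script below is an added example, not part of the original post or of FreeS/WAN; it replays that pairing over the "found X with address Y" lines copied from the log and reports which physical interfaces end up bound, shared or ignored. The rule it applies (a physical interface that shares its address with another physical interface gets no ipsecN binding; one with no ipsecN at the same address is ignored) is inferred from the warnings and the single "adding interface" line visible above, not taken from pluto's source, so treat it as an assumption.

```python
"""Replay pluto's interface pairing from its startup log (added example, not FreeS/WAN code)."""
import re
from collections import defaultdict

# pluto debug line emitted while probing interfaces: "| found eth1 with address 192.168.2.1"
FOUND_RE = re.compile(r"\|\s*found\s+(\S+)\s+with\s+address\s+(\S+)")
IPSEC_PREFIX = "ipsec"

# Lines copied from the pluto log on this page (only the interface probe is needed).
SAMPLE_LOG = """\
Dec 9 21:50:27 crimson pluto[29310]: | found lo with address 127.0.0.1
Dec 9 21:50:27 crimson pluto[29310]: | found eth1 with address 192.168.2.1
Dec 9 21:50:27 crimson pluto[29310]: | found ppp0 with address 193.252.8.125
Dec 9 21:50:27 crimson pluto[29310]: | found tun32 with address 192.168.2.1
Dec 9 21:50:27 crimson pluto[29310]: | found tun4 with address 192.168.2.1
Dec 9 21:50:27 crimson pluto[29310]: | found ipsec0 with address 193.252.8.125
Dec 9 21:50:27 crimson pluto[29310]: | found ipsec1 with address 192.168.2.1
"""


def parse_found_interfaces(log_text):
    """Return [(ifname, address), ...] in the order pluto found them."""
    found = []
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def pair_interfaces(found):
    """Classify each non-ipsec interface.

    Result: ifname -> ("bound", "ipsecN") when exactly one ipsecN carries the
    same address and no other physical interface does; ("shared", [names]) when
    another physical interface (or a second ipsecN) has the same address;
    ("ignored", None) when no ipsecN matches at all.
    Assumed rule, inferred from the log on this page rather than pluto's source.
    """
    by_addr = defaultdict(list)
    for name, addr in found:
        by_addr[addr].append(name)

    pairing = {}
    for name, addr in found:
        if name.startswith(IPSEC_PREFIX):
            continue  # ipsecN devices are the targets of pairing, not candidates
        others = [n for n in by_addr[addr] if n != name]
        physical = [n for n in others if not n.startswith(IPSEC_PREFIX)]
        virtual = [n for n in others if n.startswith(IPSEC_PREFIX)]
        if physical or len(virtual) > 1:
            pairing[name] = ("shared", physical + (virtual if len(virtual) > 1 else []))
        elif len(virtual) == 1:
            pairing[name] = ("bound", virtual[0])
        else:
            pairing[name] = ("ignored", None)
    return pairing


def ipsec_for_address(found, pairing, endpoint_addr):
    """ipsecN usable for a connection end with this address, or None (the
    'we have no ipsecN interface for either end' situation)."""
    for name, addr in found:
        if addr == endpoint_addr and pairing.get(name, (None,))[0] == "bound":
            return pairing[name][1]
    return None


def report(log_text):
    """Human-readable verdict per physical interface, mirroring pluto's wording."""
    found = parse_found_interfaces(log_text)
    pairing = pair_interfaces(found)
    lines = []
    for name, addr in found:
        if name not in pairing:
            continue
        kind, detail = pairing[name]
        if kind == "shared":
            lines.append(f"{name} {addr} shares its address with {', '.join(detail)}: no ipsecN binding")
        elif kind == "bound":
            lines.append(f"adding interface {detail}/{name} {addr}")
        else:
            lines.append(f"IP interface {name} {addr} has no matching ipsec* interface -- ignored")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    found = parse_found_interfaces(SAMPLE_LOG)
    pairing = pair_interfaces(found)
    for end in ("193.252.8.125", "192.168.2.1"):
        print(end, "->", ipsec_for_address(found, pairing, end))
```

Run against the copied log this prints "adding interface ipsec0/ppp0" for the external side and reports eth1, tun4 and tun32 as shared with no ipsecN binding, so 192.168.2.1 resolves to no ipsec interface at all. The practical check is therefore on the address plan rather than on ipsec.conf: as long as the tun devices carry the same 192.168.2.1 as eth1, ipsec1 cannot be paired with eth1, and the internal-side connections cannot come up.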

This archive was generated by hypermail 2.1.5 : Wed Dec 11 2002 - 05:21:06 CET