Re: [Users] freeswan + multiple if with same ip

From: julien Touche (julien.touche_at_lycos.com)
Date: Tue Dec 10 2002 - 22:46:09 CET


>
> Your barf has no issues with its interfaces in that excerpt - I don't see the
> ipsecN interface error. As I said earlier, can you take the barf when you get
> the error message, so we get a "snapshot" of what's causing the problem?
>

crimson:~# ipsec auto --up touche-win
022 "touche-win": we have no ipsecN interface for either end of this
connection
crimson:~# ipsec barf > barf

Regards

                Julien Touche

crimson
Tue Dec 10 22:39:50 CET 2002
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 1.98b
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.19-grsec (root_at_crimson) (gcc version 2.95.4 20011006 (Debian prerelease)) #2 SMP Wed Aug 14 17:43:19 CEST 2002
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.4.1 0.0.0.0 255.255.255.255 UH 40 0 0 tun4
193.253.160.3 0.0.0.0 255.255.255.255 UH 40 0 0 ppp0
193.253.160.3 0.0.0.0 255.255.255.255 UH 40 0 0 ipsec0
192.168.32.233 0.0.0.0 255.255.255.255 UH 40 0 0 tun32
192.168.4.0 0.0.0.0 255.255.255.0 U 40 0 0 tun4
192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 ipsec1
192.168.32.0 0.0.0.0 255.255.255.0 U 40 0 0 tun32
0.0.0.0 193.253.160.3 0.0.0.0 UG 40 0 0 ppp0
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260(1492) -> 1492
ipsec1 -> eth1 mtu=16260(1500) -> 1500
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
    sock pid socket next prev e n p sndbf Flags Type St
c0a78440 17065 c0d30ec0 0 0 0 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c0d30ec0 17065 c0a78440
pf_key_registered: 3 c0d30ec0 17065 c0a78440
pf_key_registered: 9 c0d30ec0 17065 c0a78440
pf_key_registered: 10 c0d30ec0 17065 c0a78440
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 4 0 128 128
pf_key_supported: 9 15 3 0 32 128
pf_key_supported: 9 15 2 0 128 32
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/ppp0 81.48.222.54
000
000 "touche-win": 192.168.2.1...192.168.2.11
000 "touche-win": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 3
000 "touche-win": policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+DONTREKEY; interface: ; unrouted
000 "touche-win": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "touche-pgp": 192.168.2.0/24===81.48.222.54---193.253.160.3...1.0.0.1
000 "touche-pgp": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 3
000 "touche-pgp": policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+DONTREKEY; interface: ppp0; unrouted
000 "touche-pgp": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "touche-netclust": 192.168.2.1...192.168.2.2
000 "touche-netclust": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 240s; rekey_fuzz: 25%; keyingtries: 5
000 "touche-netclust": policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ; unrouted
000 "touche-netclust": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "touche-win2": 192.168.2.1...192.168.2.11
000 "touche-win2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "touche-win2": policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ; unrouted
000 "touche-win2": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:A0:24:6B:75:8F
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:12635193 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9944553 errors:0 dropped:0 overruns:0 carrier:1
          collisions:757 txqueuelen:100
          RX bytes:391542283 (373.4 MiB) TX bytes:1014506622 (967.5 MiB)
          Interrupt:10 Base address:0x300

eth1 Link encap:Ethernet HWaddr 00:50:FC:1F:C5:04
          inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:12338692 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15265537 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1140992147 (1.0 GiB) TX bytes:444284723 (423.7 MiB)
          Interrupt:11 Base address:0x6400

ipsec0 Link encap:Point-to-Point Protocol
          inet addr:81.48.222.54 Mask:255.255.255.255
          UP RUNNING NOARP MTU:16260 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ipsec1 Link encap:Ethernet HWaddr 00:50:FC:1F:C5:04
          inet addr:192.168.2.1 Mask:255.255.255.0
          UP RUNNING NOARP MTU:16260 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ipsec2 Link encap:IPIP Tunnel HWaddr
          NOARP MTU:0 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ipsec3 Link encap:IPIP Tunnel HWaddr
          NOARP MTU:0 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:118252 errors:0 dropped:0 overruns:0 frame:0
          TX packets:118252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:38487848 (36.7 MiB) TX bytes:38487848 (36.7 MiB)

ppp0 Link encap:Point-to-Point Protocol
          inet addr:81.48.222.54 P-t-P:193.253.160.3 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
          RX packets:7851 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4844 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:3307858 (3.1 MiB) TX bytes:799727 (780.9 KiB)

sit0 Link encap:IPv6-in-IPv4
          NOARP MTU:1480 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

sit1 Link encap:IPv6-in-IPv4
          UP POINTOPOINT RUNNING NOARP MTU:1472 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

tun4 Link encap:Point-to-Point Protocol
          inet addr:192.168.2.1 P-t-P:192.168.4.1 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1255 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:842 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:70728 (69.0 KiB)

tun32 Link encap:Point-to-Point Protocol
          inet addr:192.168.2.1 P-t-P:192.168.32.233 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1255 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:422 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:35448 (34.6 KiB)

+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
crimson.touche.www
+ _________________________ hostname/ipaddress
+ hostname --ip-address
192.168.2.1
+ _________________________ uptime
+ uptime
 22:39:51 up 30 days, 12:51, 1 user, load average: 0.34, 0.24, 0.22
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
  F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
000 0 25152 16017 9 0 2124 984 wait4 S pts/2 0:00 \_ /bin/sh /usr/local/sbin/ipsec barf
000 0 8787 25152 9 0 2132 1028 wait4 S pts/2 0:00 \_ /bin/sh /usr/local/lib/ipsec/barf
000 0 6326 8787 9 0 1328 436 pipe_w S pts/2 0:00 \_ egrep -i ppid|pluto|ipsec|klips
040 0 10301 1 9 0 2124 1004 wait4 S ? 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug all --uniqueids yes --dump --load %search --start %search --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
040 0 10002 10301 9 0 2124 1004 wait4 S ? 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug all --uniqueids yes --dump --load %search --start %search --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
100 0 17065 10002 9 0 1764 784 select S ? 0:00 | \_ /usr/local/lib/ipsec/pluto --nofork --debug-all --uniqueids
000 0 1606 17065 9 0 1300 284 select S ? 0:00 | \_ _pluto_adns -d 7 10
000 0 15164 10301 8 0 2120 1016 pipe_w S ? 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --load %search --start %search --wait no --post
000 0 19413 1 9 0 1248 468 pipe_w S ? 0:00 logger -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
#dr: no default route
#dr: no default route
# no default route
# no default route
# no default route
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# GNU Linux - FreeSWAN
# /etc/ipsec.conf
# $Id: ipsec.conf,v 1.3 2001/08/06 17:17:30 hshoexer Exp $

#-----------------------------------------------------------------------------#

config setup
        #interfaces=%defaultroute
        ## if more than one interface
        interfaces="ipsec0=ppp0 ipsec1=eth1"
        #interfaces="ipsec0=ppp0"
        #interfaces="ipsec1=eth1"
        forwardcontrol=no
        syslog=daemon.error
        ## Debug-logging controls: "none" for (almost) none, "all" for lots.
        ## For negotiation problems plutodebug is most relevant. klipsdebug
        ## applies mainly to attempts to use an already-established connection
        klipsdebug=none
        #klipsdebug=all
        #plutodebug=none
        plutodebug=all
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        pluto=yes
        ## list of tunnels to load in db at startup
        ## ok if auto=add|start
                plutoload=%search
        ## list of tunnels to load at startup
        ## ok if auto=start
                plutostart=%search
        ## wait for establishing tunnel before next
                plutowait=no

conn %default
        # How to authenticate gateways
        #authby=rsasig
        ## How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # Default is to load all connection descriptions
        # but not try to start the connection
        # Some conns may over-ride this with auto=start
        #auto=start
        auto=add
        ## authentification: esp (default) or ah
        auth=esp
# keyexchange=ike
# keylife=8h
# pfs=yes
# rekeymargin=9m
# rekeyfuzz=25%

## conf freeswan-pgpnet by common secret
#conn touche-WIN
# type=tunnel
# auto=add
#
# left=192.168.2.1
# right=192.168.2.10
# keyexchange=ike
# keylife=8h
# keyingtries=3
# pfs=yes
# rekeymargin=9m
# rekeyfuzz=25%

conn touche-pgp
        type=tunnel
        auto=add
        left=81.48.222.54
        leftnexthop=193.253.160.3
        leftsubnet=192.168.2.0/24
        right=1.0.0.1
        #rightsubnet=192.168.5.0/255.255.255.224
        ## don't retry all time
        keyingtries=3
        ## prevent freeswan to reinitiate conn
        rekey=no
        keyexchange=ike
        keylife=8h
        pfs=yes
        rekeymargin=9m
        rekeyfuzz=25%

## connexion test avec pgpnet host2host -> ok
## PGP: proposal 3DES / SHA1-MD5 / DH 1024 / none
conn touche-win
        type=tunnel
        auto=add
        left=192.168.2.1
        right=192.168.2.11
        ## don't retry all time
        keyingtries=3
        ## prevent freeswan to reinitiate conn
        rekey=no
        keyexchange=ike
        keylife=8h
        pfs=yes
        rekeymargin=9m
        rekeyfuzz=25%
   

## connexion test avec win2k ipsec host2host
conn touche-win2
        type=tunnel
        auto=add
        left=192.168.2.1
        right=192.168.2.11
        ## don't retry all time
        keyingtries=3

## freeswan/openbsd
conn touche-netclust
        auto=add
        left=192.168.2.1
        right=192.168.2.2
        ikelifetime=1h
        keyingtries=5
        keylife=1h
        keyexchange=ike
        rekeymargin=4m
        rekeyfuzz=25%
        pfs=yes

+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
# GNU Linux - FreeSWAN
# /etc/ipsec.secrets

# $Id: ipsec.secrets,v 1.3 2001/08/06 17:17:30 hshoexer Exp $

##
## IPsec VPN conf for www/2002
##
## by Julien Touche
##
## last update: 02-04-2002
##

## RSA Auth
: RSA {
        # RSA 4096 bits crimson Fri Feb 15 11:41:31 2002
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=[keyid AQNaK8Yu6]
        #IN KEY 0x4200 4 1 [keyid AQNaK8Yu6]
        # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
        Modulus: [...]
        PublicExponent: [...]
        # everything after this point is secret
        PrivateExponent: [...]
        Prime1: [...]
        Prime2: [...]
        Exponent1: [...]
        Exponent2: [...]
        Coefficient: [...]
        }
# do not change the indenting of that "[sums to 7d9d...]"

## Shared secret auth

############################ Paris/2002 #######################################

## ? @touche - @ext1
81.48.222.54 212.198.37.93: PSK "[sums to e750...]"

## ? @touche - @pgp
81.48.222.54 1.0.0.1: PSK "[sums to dd02...]"

## ? @touche - @ext2
#192.168.2.1 192.168.5.32: PSK "[sums to e750...]"

## touche tests
192.168.2.1 192.168.2.11: PSK "[sums to dd02...]"
192.168.2.1 192.168.2.2: PSK "[sums to dd02...]"

+ _________________________ ipsec/ls-dir
+ ls -l /usr/local/lib/ipsec
total 3572
-rwxr-xr-x 1 root root 11102 Aug 14 10:53 _confread
-rwxr-xr-x 1 root staff 11085 Apr 20 2002 _confread.old
-rwxr-xr-x 1 root root 37647 Aug 14 10:53 _copyright
-rwxr-xr-x 1 root staff 37627 Apr 20 2002 _copyright.old
-rwxr-xr-x 1 root root 2163 Aug 14 10:53 _include
-rwxr-xr-x 1 root staff 2163 Apr 20 2002 _include.old
-rwxr-xr-x 1 root root 1472 Aug 14 10:53 _keycensor
-rwxr-xr-x 1 root staff 1472 Apr 20 2002 _keycensor.old
-rwxr-xr-x 1 root root 63403 Aug 14 10:53 _pluto_adns
-rwxr-xr-x 1 root staff 60931 Apr 20 2002 _pluto_adns.old
-rwxr-xr-x 1 root root 3495 Aug 14 10:53 _plutoload
-rwxr-xr-x 1 root staff 3495 Apr 20 2002 _plutoload.old
-rwxr-xr-x 1 root root 4376 Aug 14 10:53 _plutorun
-rwxr-xr-x 1 root staff 4265 Apr 20 2002 _plutorun.old
-rwxr-xr-x 1 root root 7450 Aug 14 10:53 _realsetup
-rwxr-xr-x 1 root staff 7294 Apr 20 2002 _realsetup.old
-rwxr-xr-x 1 root root 1971 Aug 14 10:53 _secretcensor
-rwxr-xr-x 1 root staff 1971 Apr 20 2002 _secretcensor.old
-rwxr-xr-x 1 root root 6933 Aug 14 10:53 _startklips
-rwxr-xr-x 1 root staff 6839 Apr 20 2002 _startklips.old
-rwxr-xr-x 1 root root 5014 Aug 14 10:53 _updown
-rwxr-xr-x 1 root staff 5014 Apr 20 2002 _updown.old
-rwxr-xr-x 1 root root 11404 Aug 14 10:53 auto
-rwxr-xr-x 1 root staff 10912 Apr 20 2002 auto.old
-rwxr-xr-x 1 root root 7195 Aug 14 10:53 barf
-rwxr-xr-x 1 root staff 7132 Apr 20 2002 barf.old
-rwxr-xr-x 1 root root 816 Aug 14 10:53 calcgoo
-rwxr-xr-x 1 root root 194519 Aug 14 10:53 eroute
-rwxr-xr-x 1 root root 86680 Aug 14 10:53 ikeping
-rwxr-xr-x 1 root root 86656 Apr 20 2002 ikeping.old
-rwxr-xr-x 1 root root 2916 Aug 14 10:53 ipsec
-rwxr-xr-x 1 root staff 2915 Apr 20 2002 ipsec.old
-rw-r--r-- 1 root root 1950 Aug 14 10:53 ipsec_pr.template
-rwxr-xr-x 1 root root 137566 Aug 14 10:53 klipsdebug
-rwxr-xr-x 1 root root 2437 Aug 14 10:53 look
-rwxr-xr-x 1 root staff 2437 Apr 20 2002 look.old
-rwxr-xr-x 1 root root 16157 Aug 14 10:53 manual
-rwxr-xr-x 1 root staff 16157 Apr 20 2002 manual.old
-rwxr-xr-x 1 root root 1847 Aug 14 10:53 newhostkey
-rwxr-xr-x 1 root staff 1847 Apr 20 2002 newhostkey.old
-rwxr-xr-x 1 root root 114353 Aug 14 10:53 pf_key
-rwxr-xr-x 1 root root 754815 Aug 14 10:53 pluto
-rwxr-xr-x 1 root staff 752348 Apr 20 2002 pluto.old
-rwxr-xr-x 1 root root 43828 Aug 14 10:53 ranbits
-rwxr-xr-x 1 root staff 43808 Apr 20 2002 ranbits.old
-rwxr-xr-x 1 root root 67745 Aug 14 10:53 rsasigkey
-rwxr-xr-x 1 root staff 67725 Apr 20 2002 rsasigkey.old
-rwxr-xr-x 1 root root 16671 Aug 14 10:53 send-pr
-rwxr-xr-x 1 root staff 16671 Apr 20 2002 send-pr.old
lrwxrwxrwx 1 root root 22 Aug 14 10:53 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1041 Aug 14 10:53 showdefaults
-rwxr-xr-x 1 root staff 1041 Apr 20 2002 showdefaults.old
-rwxr-xr-x 1 root root 4205 Aug 14 10:53 showhostkey
-rwxr-xr-x 1 root staff 3484 Apr 20 2002 showhostkey.old
-rwxr-xr-x 1 root root 220471 Aug 14 10:53 spi
-rwxr-xr-x 1 root root 171938 Aug 14 10:53 spigrp
-rwxr-xr-x 1 root root 55989 Aug 14 10:53 tncfg
-rwxr-xr-x 1 root root 16568 Aug 14 10:53 uml_netjig
-rwxr-xr-x 1 root root 3353 Aug 14 10:53 verify
-rwxr-xr-x 1 root root 122536 Aug 14 10:53 whack
-rwxr-xr-x 1 root staff 122182 Apr 20 2002 whack.old
+ _________________________ ipsec/updowns
++ ls /usr/local/lib/ipsec
++ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $

# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
        echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
        echo "$0: called by obsolete Pluto?" >&2
        exit 2
        ;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$1:$*" in
':') # no parameters
        ;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
        ;;
custom:*) # custom parameters (see above CAUTION comment)
        ;;
*) echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
        doroute add
}
downroute() {
        doroute del
}
doroute() {
        parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
        parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
                        route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
                ;;
        *) it="route $1 $parms $parms2"
                ;;
        esac
        eval $it
        st=$?
        if test $st -ne 0
        then
                # route has already given its own cryptic message
                echo "$0: \`$it' failed" >&2
                if test " $1 $st" = " add 7"
                then
                        # another totally undocumented interface -- 7 and
                        # "SIOCADDRT: Network is unreachable" means that
                        # the gateway isn't reachable.
                        echo "$0: (incorrect or missing nexthop setting??)" >&2
                fi
        fi
        return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to adding a route)
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
                        route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
                ;;
        *)
                it="route del -net $PLUTO_PEER_CLIENT_NET \
                                        netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
                ;;
        esac
        oops="`eval $it`"
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error, exit status $status"
        fi
        case "$oops" in
        'SIOCDELRT: No such process'*)
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
        exit $status
        ;;
route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
up-host:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-host:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;
esac
+ cat /usr/local/lib/ipsec/_updown.old
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $

# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
        echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
        echo "$0: called by obsolete Pluto?" >&2
        exit 2
        ;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$1:$*" in
':') # no parameters
        ;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
        ;;
custom:*) # custom parameters (see above CAUTION comment)
        ;;
*) echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
        doroute add
}
downroute() {
        doroute del
}
doroute() {
        parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
        parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
                        route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
                ;;
        *) it="route $1 $parms $parms2"
                ;;
        esac
        eval $it
        st=$?
        if test $st -ne 0
        then
                # route has already given its own cryptic message
                echo "$0: \`$it' failed" >&2
                if test " $1 $st" = " add 7"
                then
                        # another totally undocumented interface -- 7 and
                        # "SIOCADDRT: Network is unreachable" means that
                        # the gateway isn't reachable.
                        echo "$0: (incorrect or missing nexthop setting??)" >&2
                fi
        fi
        return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to adding a route)
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
                        route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
                ;;
        *)
                it="route del -net $PLUTO_PEER_CLIENT_NET \
                                        netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
                ;;
        esac
        oops="`eval $it`"
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error, exit status $status"
        fi
        case "$oops" in
        'SIOCDELRT: No such process'*)
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
        exit $status
        ;;
route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
up-host:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-host:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;
esac
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
    lo:38487848 118252 0 0 0 0 0 0 38487848 118252 0 0 0 0 0 0
  eth0:391542685 12635198 0 0 0 0 0 0 1014506870 9944555 0 0 0 757 1 0
  eth1:1140992319 12338693 0 0 0 0 0 0 444284809 15265538 0 0 0 0 0 0
  sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 tun32: 0 0 0 0 0 0 0 0 35448 422 0 0 0 0 0 0
  tun4: 0 0 0 0 0 0 0 0 70728 842 0 0 0 0 0 0
  ppp0: 3308150 7856 0 0 0 0 0 0 799931 4846 0 0 0 0 0 0
  sit1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
tun4 0104A8C0 00000000 0005 0 0 0 FFFFFFFF 40 0 0
ppp0 03A0FDC1 00000000 0005 0 0 0 FFFFFFFF 40 0 0
ipsec0 03A0FDC1 00000000 0005 0 0 0 FFFFFFFF 40 0 0
tun32 E920A8C0 00000000 0005 0 0 0 FFFFFFFF 40 0 0
tun4 0004A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0
eth1 0002A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0
ipsec1 0002A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0
tun32 0020A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0
ppp0 00000000 03A0FDC1 0003 0 0 0 00000000 40 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth1/rp_filter ipsec0/rp_filter ipsec1/rp_filter lo/rp_filter ppp0/rp_filter tun32/rp_filter tun4/rp_filter
all/rp_filter:1
default/rp_filter:1
eth1/rp_filter:1
ipsec0/rp_filter:1
ipsec1/rp_filter:1
lo/rp_filter:1
ppp0/rp_filter:0
tun32/rp_filter:1
tun4/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux crimson 2.4.19-grsec #2 SMP Wed Aug 14 17:43:19 CEST 2002 i586 unknown unknown GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.98b
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy DROP 9 packets, 452 bytes)
 pkts bytes target prot opt in out source destination
    4 496 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
    0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:8000
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun1 * 192.168.4.0/24 192.168.2.0/24
    0 0 ACCEPT icmp -- * * 80.11.4.79 0.0.0.0/0
    0 0 ACCEPT icmp -- * * 193.49.200.148 0.0.0.0/0
    0 0 DROP tcp -- * * !192.168.2.0/24 127.0.0.1 tcp dpt:80
    0 0 DROP tcp -- * * !192.168.2.0/24 127.0.0.1 tcp dpt:143
    0 0 DROP tcp -- * * !192.168.2.0/24 127.0.0.1 tcp dpt:192
    0 0 DROP tcp -- * * !192.168.2.0/24 127.0.0.1 tcp dpt:10000
   18 2134 ACCEPT udp -- * * 192.168.2.2 0.0.0.0/0 udp dpt:161
    0 0 REJECT udp -- * * !192.168.2.2 0.0.0.0/0 udp dpt:161 reject-with icmp-port-unreachable
    0 0 loopback all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 BLACKLIST all -- * * 239.2.9.57 0.0.0.0/0
    0 0 BLACKLIST all -- * * 207.46.226.40 0.0.0.0/0
    0 0 BLACKLIST all -- * * 204.253.104.45 0.0.0.0/0
    0 0 BLACKLIST all -- * * 212.43.218.207 0.0.0.0/0
    0 0 BLACKLIST all -- * * 62.210.148.2 0.0.0.0/0
 1682 144K ACCEPT all -- !ppp0 * 192.168.2.0/24 192.168.2.0/24
    0 0 RESERVED all -- ppp0 * 10.0.0.0/8 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 172.16.0.0/12 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 192.168.0.0/16 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.1 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.2 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.4 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.5 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.6 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.9 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.13 0.0.0.0/0
    0 0 RESERVED all -- ppp0 * 224.0.0.15 0.0.0.0/0
  131 7336 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:32769:65535 dpts:33434:33523
    0 0 DNS udp -- * * 192.168.2.2 0.0.0.0/0 udp spt:53
    0 0 PUBLIC tcp -- * * 0.0.0.0/0 81.48.222.54 tcp dpt:80
    0 0 PUBLIC udp -- * * 0.0.0.0/0 81.48.222.54 udp dpt:80
    0 0 PUBLIC tcp -- * * 0.0.0.0/0 81.48.222.54 tcp dpt:25
    0 0 PUBLIC udp -- * * 0.0.0.0/0 81.48.222.54 udp dpt:25
    0 0 PUBLIC tcp -- * * 0.0.0.0/0 81.48.222.54 tcp dpt:22
    0 0 PUBLIC udp -- * * 0.0.0.0/0 81.48.222.54 udp dpt:22
    0 0 PUBLIC tcp -- * * 0.0.0.0/0 81.48.222.54 tcp dpt:113
    0 0 PUBLIC udp -- * * 0.0.0.0/0 81.48.222.54 udp dpt:113
    0 0 SCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F state INVALID,NEW,RELATED
    0 0 SCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 state INVALID,NEW,RELATED
    0 0 SCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01 state INVALID,NEW,RELATED
 2528 135K STATEFUL all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 1 packets, 1171 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
   18 1512 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0
    0 0 SCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
    0 0 SCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
    0 0 BLOCK_OUT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
    0 0 BLOCK_OUT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:137
    0 0 BLOCK_OUT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:138
    0 0 BLOCK_OUT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:138
    0 0 BLOCK_OUT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
    0 0 BLOCK_OUT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:139
 6780 2963K STATEFUL all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1992 packets, 223K bytes)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 239.2.11.71
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
    0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * tun1 192.168.2.0/24 192.168.4.0/24
    0 0 loopback all -- * lo 0.0.0.0/0 0.0.0.0/0
    0 0 BLOCK_OUT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
    0 0 BLOCK_OUT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:137
    0 0 BLOCK_OUT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:138
    0 0 BLOCK_OUT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:138
    0 0 BLOCK_OUT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
    0 0 BLOCK_OUT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:139

Chain ACCEPTnLOG (0 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (accept) '
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain BLACKLIST (5 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (blacklisted drop) '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain BLOCK_OUT (12 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain CLIENT (0 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain CLOSED (0 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (closed port drop) '
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DHCP (0 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (DHCP accept) '
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DMZ (0 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (DMZ drop) '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DNS (1 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DROPICMP (0 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DROPnLOG (1 references)
 pkts bytes target prot opt in out source destination
   38 2964 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
    1 40 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 dpts:1024:65535 flags:!0x16/0x02
    0 0 DROP udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
    0 0 DROP udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:68 dpt:67
 2227 109K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
  262 22810 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain HIGHPORT (0 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MON_OUT (0 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OPENPORT (0 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PUBLIC (8 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain RESERVED (11 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SCAN (5 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (possible port scan) '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SERVICEDROP (0 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `gShield (service drop) '
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain STATEFUL (2 references)
 pkts bytes target prot opt in out source destination
 6451 2946K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  329 17488 ACCEPT all -- !ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW
 2528 135K DROPnLOG all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loopback (2 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/local/lib/ipsec/barf: line 197: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/local/lib/ipsec/barf: line 199: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/local/lib/ipsec/barf: line 201: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/local/lib/ipsec/barf: line 203: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1408K packets, 90M bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 79477 packets, 5507K bytes)
 pkts bytes target prot opt in out source destination
  294 15437 MASQUERADE all -- * ppp0 192.168.2.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 53176 packets, 3314K bytes)
 pkts bytes target prot opt in out source destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/local/lib/ipsec/barf: line 207: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/local/lib/ipsec/barf: line 209: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 25M packets, 14G bytes)
 pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 3699K packets, 329M bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 21M packets, 14G bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3568K packets, 271M bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 25M packets, 14G bytes)
 pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ cat /proc/modules
ipsec 237952 3
ip6table_filter 1856 0 (autoclean) (unused)
ip6_tables 11616 1 [ip6table_filter]
pppoe 8288 0 (unused)
pppox 1304 1 [pppoe]
ipt_MASQUERADE 1312 1 (autoclean)
ipt_state 576 5 (autoclean)
ipt_LOG 3264 7 (autoclean)
ipt_REJECT 2688 5 (autoclean)
iptable_mangle 2144 0 (autoclean) (unused)
ppp_deflate 39424 0 (autoclean)
bsd_comp 3872 0 (autoclean)
ppp_async 6816 1 (autoclean)
ppp_generic 22316 5 (autoclean) [pppoe pppox ppp_deflate bsd_comp ppp_async]
slhc 4544 0 (autoclean) [ppp_generic]
tun 3648 6 (autoclean)
+ _________________________ proc/meminfo
+ cat /proc/meminfo
        total: used: free: shared: buffers: cached:
Mem: 37572608 35389440 2183168 0 1413120 25788416
Swap: 210558976 13271040 197287936
MemTotal: 36692 kB
MemFree: 2132 kB
MemShared: 0 kB
Buffers: 1380 kB
Cached: 22696 kB
SwapCached: 2488 kB
Active: 22624 kB
Inactive: 5628 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 36692 kB
LowFree: 2132 kB
SwapTotal: 205624 kB
SwapFree: 192664 kB
+ _________________________ dev/ipsec-ls
+ ls -l /dev/ipsec
c-w------- 1 root root 36, 10 Dec 2 21:20 /dev/ipsec
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r-- 1 root root 0 Dec 10 22:39 /proc/net/ipsec_eroute
-r--r--r-- 1 root root 0 Dec 10 22:39 /proc/net/ipsec_klipsdebug
-r--r--r-- 1 root root 0 Dec 10 22:39 /proc/net/ipsec_spi
-r--r--r-- 1 root root 0 Dec 10 22:39 /proc/net/ipsec_spigrp
-r--r--r-- 1 root root 0 Dec 10 22:39 /proc/net/ipsec_tncfg
-r--r--r-- 1 root root 0 Dec 10 22:39 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
# CONFIG_MD_MULTIPATH is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
# CONFIG_IP_PIMSM_V1 is not set
# CONFIG_IP_PIMSM_V2 is not set
# IP: Netfilter Configuration
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_MIRROR=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IPV6=y
# IPv6: Netfilter Configuration
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_LIMIT=y
CONFIG_IP6_NF_MATCH_MAC=y
CONFIG_IP6_NF_MATCH_MULTIPORT=y
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_LOG=y
CONFIG_IP6_NF_MANGLE=y
CONFIG_IP6_NF_TARGET_MARK=y
# CONFIG_IPX is not set
CONFIG_IPSEC=y
# IPSec options (FreeS/WAN)
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_IDE_CHIPSETS is not set
# CONFIG_TULIP is not set
# CONFIG_HIPPI is not set
# CONFIG_PLIP is not set
CONFIG_SLIP=y
CONFIG_SLIP_COMPRESSED=y
CONFIG_SLIP_SMART=y
CONFIG_SLIP_MODE_SLIP6=y
# CONFIG_FBCON_IPLAN2P2 is not set
# CONFIG_FBCON_IPLAN2P4 is not set
# CONFIG_FBCON_IPLAN2P8 is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.

#
# First some standard logfiles. Log by facility.
#

auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* /var/log/mail.log
user.* -/var/log/user.log
uucp.* -/var/log/uucp.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

#
# Some `catch-all' logfiles.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none -/var/log/debug
*.err;*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none -/var/log/messages

*.err;*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none @log.touche.www

#
# Emergencies are sent to everybody logged in.
#
*.emerg *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
daemon,mail.*;\
        news.=crit;news.=err;news.=notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn /dev/tty6

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
        news.crit;news.err;news.notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn |/dev/xconsole

+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search touche.www
nameserver 192.168.2.2
#nameserver 192.168.2.1
#nameserver 193.49.200.16
#nameserver 193.252.19.10 #ns.wanadoo.fr
#nameserver 193.252.19.11 #ns2.wanadoo.fr
#nameserver 193.49.160.1 #sem.renater.fr
#nameserver 193.49.200.16 #ns.ensicaen.ismra.fr

#nameserver NSERVER.APPLE.COM 17.254.0.50
#nameserver NSERVER2.APPLE.COM 17.254.0.59
#nameserver NSERVER.EURO.APPLE.COM 194.151.19.41
#nameserver NSERVER.ASIA.APPLE.COM 203.120.14.5

#nameserver NS.WATSON.IBM.COM 198.81.209.2
#nameserver NS.ALMADEN.IBM.COM 198.4.83.35
#nameserver NS.AUSTIN.IBM.COM 192.35.232.34
#nameserver NS.ERS.IBM.COM 204.146.173.35

+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 20
drwxr-xr-x 5 root root 4096 Jul 23 15:35 2.4.17
drwxr-xr-x 3 root root 4096 Aug 14 12:45 2.4.18-586tsc
drwxr-xr-x 4 root root 4096 Aug 20 12:16 2.4.19-grsec
drwxr-xr-x 4 root root 4096 Aug 20 12:17 2.4.17-tj.old
drwxr-xr-x 4 root root 4096 Aug 20 12:17 2.4.17-tj
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c026afc0 netif_rx_Rsmp_a21f0f2d
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.17:
2.4.17-tj:
2.4.17-tj.old:
2.4.18-586tsc: U netif_rx_R5165df39
2.4.19-grsec: U netif_rx_Rsmp_a21f0f2d
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '7511,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ cat
Dec 10 22:20:21 crimson ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
Dec 10 22:20:22 crimson ipsec_setup: Using /lib/modules/2.4.19-grsec/kernel/net/ipsec/ipsec.o
Dec 10 22:20:22 crimson kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.98b
Dec 10 22:20:22 crimson ipsec_setup: KLIPS debug `none'
Dec 10 22:20:22 crimson ipsec_setup: KLIPS ipsec0 on ppp0 81.48.222.54/255.255.255.255 pointopoint 193.253.160.3
Dec 10 22:20:23 crimson ipsec_setup: KLIPS ipsec1 on eth1 192.168.2.1/255.255.255.0 broadcast 192.168.2.255
Dec 10 22:20:23 crimson ipsec_setup: WARNING: eth1 has route filtering turned on, KLIPS may not work
Dec 10 22:20:23 crimson ipsec_setup: (/proc/sys/net/ipv4/conf/eth1/rp_filter = `1', should be 0)
Dec 10 22:20:23 crimson ipsec_setup: ...FreeS/WAN IPsec started
Dec 10 22:20:28 crimson ipsec__plutorun: 003 IP interfaces tun4 and tun32 share address 192.168.2.1!
Dec 10 22:20:28 crimson ipsec__plutorun: 003 IP interfaces tun4 and eth1 share address 192.168.2.1!
Dec 10 22:20:28 crimson ipsec__plutorun: 003 IP interfaces tun32 and eth1 share address 192.168.2.1!
+ _________________________ plog
+ sed -n '49007,$p' /var/log/auth.log
+ egrep -i pluto
+ cat
Dec 10 22:20:23 crimson ipsec__plutorun: Starting Pluto subsystem...
Dec 10 22:20:23 crimson pluto[17065]: Starting Pluto (FreeS/WAN Version 1.98b)
Dec 10 22:20:23 crimson pluto[17065]: | opening /dev/urandom
Dec 10 22:20:23 crimson pluto[17065]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Dec 10 22:20:23 crimson pluto[17065]: | process 17065 listening for PF_KEY_V2 on file descriptor 6
Dec 10 22:20:23 crimson pluto[17065]: | finish_pfkey_msg: SADB_REGISTER message 1 for AH
Dec 10 22:20:23 crimson pluto[17065]: | 02 07 00 02 02 00 00 00 01 00 00 00 a9 42 00 00
Dec 10 22:20:23 crimson pluto[17065]: | pfkey_get: SADB_REGISTER message 1
Dec 10 22:20:23 crimson pluto[17065]: | AH registered with kernel.
Dec 10 22:20:23 crimson pluto[17065]: | finish_pfkey_msg: SADB_REGISTER message 2 for ESP
Dec 10 22:20:23 crimson pluto[17065]: | 02 07 00 03 02 00 00 00 02 00 00 00 a9 42 00 00
Dec 10 22:20:23 crimson pluto[17065]: | pfkey_get: SADB_REGISTER message 2
Dec 10 22:20:23 crimson pluto[17065]: | ESP registered with kernel.
Dec 10 22:20:23 crimson pluto[17065]: | finish_pfkey_msg: SADB_REGISTER message 3 for IPCOMP
Dec 10 22:20:23 crimson pluto[17065]: | 02 07 00 0a 02 00 00 00 03 00 00 00 a9 42 00 00
Dec 10 22:20:23 crimson pluto[17065]: | pfkey_get: SADB_REGISTER message 3
Dec 10 22:20:23 crimson pluto[17065]: | IPCOMP registered with kernel.
Dec 10 22:20:23 crimson pluto[17065]: | finish_pfkey_msg: SADB_REGISTER message 4 for IPIP
Dec 10 22:20:23 crimson pluto[17065]: | 02 07 00 09 02 00 00 00 04 00 00 00 a9 42 00 00
Dec 10 22:20:23 crimson pluto[17065]: | pfkey_get: SADB_REGISTER message 4
Dec 10 22:20:23 crimson pluto[17065]: | IPIP registered with kernel.
Dec 10 22:20:23 crimson pluto[17065]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 10 22:20:23 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 10 22:20:26 crimson pluto[17065]: |
Dec 10 22:20:26 crimson pluto[17065]: | *received whack message
Dec 10 22:20:26 crimson pluto[17065]: added connection description "touche-win"
Dec 10 22:20:26 crimson pluto[17065]: | 192.168.2.1...192.168.2.11
Dec 10 22:20:26 crimson pluto[17065]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 3; policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+DONTREKEY
Dec 10 22:20:26 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 117 seconds
Dec 10 22:20:26 crimson pluto[17065]: |
Dec 10 22:20:26 crimson pluto[17065]: | *received whack message
Dec 10 22:20:26 crimson pluto[17065]: added connection description "touche-win2"
Dec 10 22:20:26 crimson pluto[17065]: | 192.168.2.1...192.168.2.11
Dec 10 22:20:26 crimson pluto[17065]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Dec 10 22:20:26 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 117 seconds
Dec 10 22:20:27 crimson pluto[17065]: |
Dec 10 22:20:27 crimson pluto[17065]: | *received whack message
Dec 10 22:20:27 crimson pluto[17065]: added connection description "touche-netclust"
Dec 10 22:20:27 crimson pluto[17065]: | 192.168.2.1...192.168.2.2
Dec 10 22:20:27 crimson pluto[17065]: | ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 240s; rekey_fuzz: 25%; keyingtries: 5; policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Dec 10 22:20:27 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 116 seconds
Dec 10 22:20:28 crimson pluto[17065]: |
Dec 10 22:20:28 crimson pluto[17065]: | *received whack message
Dec 10 22:20:28 crimson pluto[17065]: added connection description "touche-pgp"
Dec 10 22:20:28 crimson pluto[17065]: | 192.168.2.0/24===81.48.222.54---193.253.160.3...1.0.0.1
Dec 10 22:20:28 crimson pluto[17065]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 3; policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+DONTREKEY
Dec 10 22:20:28 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 115 seconds
Dec 10 22:20:28 crimson pluto[17065]: |
Dec 10 22:20:28 crimson pluto[17065]: | *received whack message
Dec 10 22:20:28 crimson pluto[17065]: listening for IKE messages
Dec 10 22:20:28 crimson pluto[17065]: | found lo with address 127.0.0.1
Dec 10 22:20:28 crimson pluto[17065]: | found eth1 with address 192.168.2.1
Dec 10 22:20:28 crimson pluto[17065]: | found tun32 with address 192.168.2.1
Dec 10 22:20:28 crimson pluto[17065]: | found tun4 with address 192.168.2.1
Dec 10 22:20:28 crimson pluto[17065]: | found ppp0 with address 81.48.222.54
Dec 10 22:20:28 crimson pluto[17065]: | found ipsec0 with address 81.48.222.54
Dec 10 22:20:28 crimson pluto[17065]: | found ipsec1 with address 192.168.2.1
Dec 10 22:20:28 crimson pluto[17065]: adding interface ipsec0/ppp0 81.48.222.54
Dec 10 22:20:28 crimson pluto[17065]: IP interfaces tun4 and tun32 share address 192.168.2.1!
Dec 10 22:20:28 crimson pluto[17065]: IP interfaces tun4 and eth1 share address 192.168.2.1!
Dec 10 22:20:28 crimson pluto[17065]: IP interfaces tun32 and eth1 share address 192.168.2.1!
Dec 10 22:20:28 crimson pluto[17065]: | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
Dec 10 22:20:28 crimson pluto[17065]: | found 80 with address fe80:0000:0000:0000:0000:0000:5130:de36
Dec 10 22:20:28 crimson pluto[17065]: | IP interface 80 fe80::5130:de36 has no matching ipsec* interface -- ignored
Dec 10 22:20:28 crimson pluto[17065]: loading secrets from "/etc/ipsec.secrets"
Dec 10 22:20:28 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 115 seconds
Dec 10 22:22:23 crimson pluto[17065]: |
Dec 10 22:22:23 crimson pluto[17065]: | *time to handle event
Dec 10 22:22:23 crimson pluto[17065]: | event after this is EVENT_REINIT_SECRET in 3480 seconds
Dec 10 22:22:23 crimson pluto[17065]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 10 22:22:23 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 10 22:24:23 crimson pluto[17065]: |
Dec 10 22:24:23 crimson pluto[17065]: | *time to handle event
Dec 10 22:24:23 crimson pluto[17065]: | event after this is EVENT_REINIT_SECRET in 3360 seconds
Dec 10 22:24:23 crimson pluto[17065]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 10 22:24:23 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 10 22:26:23 crimson pluto[17065]: |
Dec 10 22:26:23 crimson pluto[17065]: | *time to handle event
Dec 10 22:26:23 crimson pluto[17065]: | event after this is EVENT_REINIT_SECRET in 3240 seconds
Dec 10 22:26:23 crimson pluto[17065]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 10 22:26:23 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 10 22:28:23 crimson pluto[17065]: |
Dec 10 22:28:23 crimson pluto[17065]: | *time to handle event
Dec 10 22:28:23 crimson pluto[17065]: | event after this is EVENT_REINIT_SECRET in 3120 seconds
Dec 10 22:28:23 crimson pluto[17065]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 10 22:28:23 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 10 22:30:23 crimson pluto[17065]: |
Dec 10 22:30:23 crimson pluto[17065]: | *time to handle event
Dec 10 22:30:23 crimson pluto[17065]: | event after this is EVENT_REINIT_SECRET in 3000 seconds
Dec 10 22:30:23 crimson pluto[17065]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 10 22:30:23 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 10 22:32:23 crimson pluto[17065]: |
Dec 10 22:32:23 crimson pluto[17065]: | *time to handle event
Dec 10 22:32:23 crimson pluto[17065]: | event after this is EVENT_REINIT_SECRET in 2880 seconds
Dec 10 22:32:23 crimson pluto[17065]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 10 22:32:23 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 10 22:34:23 crimson pluto[17065]: |
Dec 10 22:34:23 crimson pluto[17065]: | *time to handle event
Dec 10 22:34:23 crimson pluto[17065]: | event after this is EVENT_REINIT_SECRET in 2760 seconds
Dec 10 22:34:23 crimson pluto[17065]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 10 22:34:23 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 10 22:34:29 crimson pluto[17065]: |
Dec 10 22:34:29 crimson pluto[17065]: | *received whack message
Dec 10 22:34:29 crimson pluto[17065]: attempt to redefine connection "touche-win"
Dec 10 22:34:29 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 114 seconds
Dec 10 22:34:42 crimson pluto[17065]: |
Dec 10 22:34:42 crimson pluto[17065]: | *received whack message
Dec 10 22:34:42 crimson pluto[17065]: "touche-win": deleting connection
Dec 10 22:34:42 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 101 seconds
Dec 10 22:34:44 crimson pluto[17065]: |
Dec 10 22:34:44 crimson pluto[17065]: | *received whack message
Dec 10 22:34:44 crimson pluto[17065]: added connection description "touche-win"
Dec 10 22:34:44 crimson pluto[17065]: | 192.168.2.1...192.168.2.11
Dec 10 22:34:44 crimson pluto[17065]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 3; policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+DONTREKEY
Dec 10 22:34:44 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 99 seconds
Dec 10 22:36:23 crimson pluto[17065]: |
Dec 10 22:36:23 crimson pluto[17065]: | *time to handle event
Dec 10 22:36:23 crimson pluto[17065]: | event after this is EVENT_REINIT_SECRET in 2640 seconds
Dec 10 22:36:23 crimson pluto[17065]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 10 22:36:23 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 10 22:36:46 crimson pluto[17065]: |
Dec 10 22:36:46 crimson pluto[17065]: | *received whack message
Dec 10 22:36:46 crimson pluto[17065]: "touche-win": terminating SAs using this connection
Dec 10 22:36:46 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 97 seconds
Dec 10 22:36:50 crimson pluto[17065]: |
Dec 10 22:36:50 crimson pluto[17065]: | *received whack message
Dec 10 22:36:50 crimson pluto[17065]: attempt to redefine connection "touche-win"
Dec 10 22:36:50 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 93 seconds
Dec 10 22:37:00 crimson pluto[17065]: |
Dec 10 22:37:00 crimson pluto[17065]: | *received whack message
Dec 10 22:37:00 crimson pluto[17065]: "touche-win": we have no ipsecN interface for either end of this connection
Dec 10 22:37:00 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 83 seconds
Dec 10 22:38:23 crimson pluto[17065]: |
Dec 10 22:38:23 crimson pluto[17065]: | *time to handle event
Dec 10 22:38:23 crimson pluto[17065]: | event after this is EVENT_REINIT_SECRET in 2520 seconds
Dec 10 22:38:23 crimson pluto[17065]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 10 22:38:23 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 10 22:39:43 crimson pluto[17065]: |
Dec 10 22:39:43 crimson pluto[17065]: | *received whack message
Dec 10 22:39:43 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 40 seconds
Dec 10 22:39:51 crimson pluto[17065]: |
Dec 10 22:39:51 crimson pluto[17065]: | *received whack message
Dec 10 22:39:51 crimson pluto[17065]: | next event EVENT_SHUNT_SCAN in 32 seconds
+ _________________________ date
+ date
Tue Dec 10 22:39:55 CET 2002

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
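The barf above shows the whole failure in three places: ipsec_setup binds ipsec0 to ppp0 and ipsec1 to eth1, Pluto then finds 192.168.2.1 on eth1, tun32 and tun4 at once and logs only "adding interface ipsec0/ppp0 81.48.222.54" (never an "adding interface" for ipsec1), and "touche-win" (192.168.2.1...192.168.2.11) consequently gets "we have no ipsecN interface for either end of this connection". The ipsec_setup warning that eth1 has rp_filter=1 is a second, independent problem for KLIPS. The script below is an added example, not part of the original post or of FreeS/WAN: it runs this check over the relevant log lines and the rp_filter listing, which are constructed samples copied from the barf, and over a hypothetical connection table built from the "added connection description" lines. Point it at a real /var/log/auth.log and /proc/sys/net/ipv4/conf listing and it tells you which address is shared, which ipsecN Pluto actually bound, which connections have no ipsecN on either end, and which physical interfaces under an ipsecN still have reverse-path filtering on.

```python
import re
from collections import defaultdict

# Constructed sample: the KLIPS/Pluto startup lines from the barf on this
# page, trimmed to the ones the check needs.
SAMPLE_LOG = """\
Dec 10 22:20:22 crimson ipsec_setup: KLIPS ipsec0 on ppp0 81.48.222.54/255.255.255.255 pointopoint 193.253.160.3
Dec 10 22:20:23 crimson ipsec_setup: KLIPS ipsec1 on eth1 192.168.2.1/255.255.255.0 broadcast 192.168.2.255
Dec 10 22:20:28 crimson pluto[17065]: | found lo with address 127.0.0.1
Dec 10 22:20:28 crimson pluto[17065]: | found eth1 with address 192.168.2.1
Dec 10 22:20:28 crimson pluto[17065]: | found tun32 with address 192.168.2.1
Dec 10 22:20:28 crimson pluto[17065]: | found tun4 with address 192.168.2.1
Dec 10 22:20:28 crimson pluto[17065]: | found ppp0 with address 81.48.222.54
Dec 10 22:20:28 crimson pluto[17065]: | found ipsec0 with address 81.48.222.54
Dec 10 22:20:28 crimson pluto[17065]: | found ipsec1 with address 192.168.2.1
Dec 10 22:20:28 crimson pluto[17065]: adding interface ipsec0/ppp0 81.48.222.54
"""

# Constructed sample: the rp_filter listing from the same barf.
SAMPLE_RPFILTER = """\
all/rp_filter:1
default/rp_filter:1
eth1/rp_filter:1
ipsec0/rp_filter:1
ipsec1/rp_filter:1
lo/rp_filter:1
ppp0/rp_filter:0
tun32/rp_filter:1
tun4/rp_filter:1
"""

# Hypothetical connection table: name -> (left host, right host), taken from
# the "added connection description" lines in the Pluto log.
SAMPLE_CONNS = {
    "touche-win": ("192.168.2.1", "192.168.2.11"),
    "touche-pgp": ("81.48.222.54", "1.0.0.1"),
}

FOUND_RE = re.compile(r"\| found (\S+) with address (\S+)")
KLIPS_RE = re.compile(r"KLIPS (ipsec\d+) on (\S+) ([\d.]+)/")
ADDED_RE = re.compile(r"adding interface (ipsec\d+)/(\S+) (\S+)")


def parse_log(text):
    """Return which non-ipsec interfaces carry each address, which ipsecN
    sits on which physical interface, and which addresses Pluto bound."""
    addr_ifaces = defaultdict(list)
    klips = {}
    added = {}
    for line in text.splitlines():
        m = FOUND_RE.search(line)
        if m and not m.group(1).startswith("ipsec"):
            addr_ifaces[m.group(2)].append(m.group(1))
            continue
        m = KLIPS_RE.search(line)
        if m:
            klips[m.group(1)] = m.group(2)
            continue
        m = ADDED_RE.search(line)
        if m:
            added[m.group(3)] = m.group(1)
    return {"addr_ifaces": dict(addr_ifaces), "klips": klips, "added": added}


def shared_addresses(addr_ifaces):
    """Addresses carried by more than one non-ipsec interface."""
    return {a: sorted(i) for a, i in addr_ifaces.items() if len(i) > 1}


def connections_without_ipsec(conns, added):
    """Connections where neither end address has an ipsecN Pluto bound."""
    return sorted(n for n, (l, r) in conns.items()
                  if l not in added and r not in added)


def rp_filter_risks(rp_text, klips):
    """Physical interfaces under an ipsecN that still have rp_filter=1."""
    rp = dict(l.split("/rp_filter:") for l in rp_text.splitlines() if l)
    return sorted(p for p in klips.values() if rp.get(p) == "1")


if __name__ == "__main__":
    r = parse_log(SAMPLE_LOG)
    for addr, ifs in shared_addresses(r["addr_ifaces"]).items():
        print("address %s is on %s" % (addr, ", ".join(ifs)))
    print("bound by Pluto:", r["added"])
    print("no ipsecN for either end:",
          connections_without_ipsec(SAMPLE_CONNS, r["added"]))
    print("rp_filter=1 under KLIPS:",
          rp_filter_risks(SAMPLE_RPFILTER, r["klips"]))
```

On the sample it reports 192.168.2.1 on eth1, tun32 and tun4, only 81.48.222.54 bound (ipsec0), "touche-win" without an ipsecN on either end, and eth1 still filtering reverse paths. The ipsecN interfaces are deliberately left out of the sharing check, since ipsec1 carrying the same address as eth1 is exactly what KLIPS sets up; the conflict is the tun devices.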



This archive was generated by hypermail 2.1.5 : Thu Dec 12 2002 - 05:21:05 CET