From: bruceablk_at_ida.net
Date: Thu Dec 26 2002 - 18:44:20 CET
Dear List,
I tried to get FreeS/WAN working with both SSH Sentinel and Windows 2000
IPsec according to Nate Carlson's how-to. If I don't get this working I am
going to have to fall back on a commercial solution such as Cisco or
SonicWall. I would really like to use FreeS/WAN + X.509.

My log indicates that an SA is established for ISAKMP and IPsec. However, I
cannot get to any resources. FreeS/WAN is not my gateway for the
workstations on my LAN; would that matter?

I would appreciate any help that I could get to get this working. I have
been successful with many other Open Source tools, this one is kicking my
butt.
Bruce
Here is a tcpdump of my ipsec0 interface:
[root_at_warrior etc]# tcpdump -nl -i ipsec0
tcpdump: listening on ipsec0
18:06:20.460796 111.222.333.61.isakmp > 206.206.30.187.isakmp: isakmp: phase 1 ? ident: [|sa] (DF)
18:06:21.270172 111.222.333.61.isakmp > 206.206.30.187.isakmp: isakmp: phase 1 ? ident: [|ke] (DF)
18:06:23.409274 111.222.333.61.isakmp > 206.206.30.187.isakmp: isakmp: phase 1 ? ident[E]: [|id] (DF)
18:06:23.500251 111.222.333.61.isakmp > 206.206.30.187.isakmp: isakmp: phase 1 ? ident[E]: [|id] (DF)
18:06:24.942591 111.222.333.61.isakmp > 206.206.30.187.isakmp: isakmp: phase 2/others ? oakley-quick[E]: [|hash] (DF)
18:06:25.365236 206.206.30.187 > 172.17.5.20: icmp: echo request
18:06:29.395544 206.206.30.187 > 172.17.5.20: icmp: echo request
18:06:30.615994 206.206.30.187 > 172.17.5.20: icmp: echo request
18:06:31.616496 206.206.30.187 > 172.17.5.20: icmp: echo request
18:06:32.616738 206.206.30.187 > 172.17.5.20: icmp: echo request
10 packets received by filter
0 packets dropped by kernel
Here is a barf:
warrior.domain.com
Fri Dec 20 17:59:01 MST 2002
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 1.99
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.18-14 (bhcompile_at_stripples.devel.redhat.com) (gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)) #1 Wed Sep 4 11:57:57 EDT 2002
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
0          172.17.0.0/16      -> 206.206.30.187/32  => tun0x1002_at_206.206.30.187
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
206.206.30.187  111.222.333.57  255.255.255.255 UGH      40 0          0 ipsec0
111.222.333.56  0.0.0.0         255.255.255.248 U        40 0          0 eth1
111.222.333.56  0.0.0.0         255.255.255.248 U        40 0          0 ipsec0
172.17.5.0      0.0.0.0         255.255.255.0   U        40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         111.222.333.57  0.0.0.0         UG       40 0          0 eth1
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
esp0x8785548f_at_111.222.333.61 ESP_3DES_HMAC_MD5: dir=in  src=206.206.30.187 iv_bits=64bits iv=0x9a7f0f8f7567bd04 ooowin=64 seq=9 bit=0x1ff alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(720,0,0)addtime(152,0,0)usetime(151,0,0)packets(9,0,0) idle=127
tun0x1001_at_111.222.333.61 IPIP: dir=in  src=206.206.30.187 policy=206.206.30.187/32->172.17.0.0/16 flags=0x8<> life(c,s,h)=bytes(720,0,0)addtime(152,0,0)usetime(151,0,0)packets(9,0,0) idle=127
tun0x1002_at_206.206.30.187 IPIP: dir=out src=111.222.333.61 life(c,s,h)=addtime(151,0,0)
esp0x136d3e7a_at_206.206.30.187 ESP_3DES_HMAC_MD5: dir=out src=111.222.333.61 iv_bits=64bits iv=0xab57bb568dc24f5e ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(151,0,0)
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1001_at_111.222.333.61 esp0x8785548f_at_111.222.333.61
tun0x1002_at_206.206.30.187 esp0x136d3e7a_at_206.206.30.187
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth1 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
c1135560 1513 c2e8adb4 0 0 0 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c2e8adb4 1513 c1135560
pf_key_registered: 3 c2e8adb4 1513 c1135560
pf_key_registered: 9 c2e8adb4 1513 c1135560
pf_key_registered: 10 c2e8adb4 1513 c1135560
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 4 0 128 128
pf_key_supported: 9 15 3 0 32 128
pf_key_supported: 9 15 2 0 128 32
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth1 111.222.333.61
000
000 "warrior"[2]: 172.17.0.0/16===111.222.333.61[C=US, ST=State, L=City, O=Company Name, OU=FreeSWAN Gateway, CN=warrior.domain.com, E=is_at_domain.com]---111.222.333.57...111.222.333.57---206.206.30.187[C=US, ST=State, L=City, O=Company Name, OU=IS bblack, CN=bblack_at_domain.com, E=bblack_at_domain.com]
000 "warrior"[2]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "warrior"[2]:   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth1; erouted
000 "warrior"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
000 "warrior": 172.17.0.0/16===111.222.333.61[C=US, ST=State, L=City, O=Company Name, OU=FreeSWAN Gateway, CN=warrior.domain.com, E=is_at_domain.com]---111.222.333.57...111.222.333.57---%any
000 "warrior":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "warrior":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth1; unrouted
000 "warrior":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #2: "warrior"[2] 206.206.30.187 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3180s; newest IPSEC; eroute owner
000 #2: "warrior"[2] 206.206.30.187 esp.136d3e7a_at_206.206.30.187 esp.8785548f_at_111.222.333.61 tun.1002_at_206.206.30.187 tun.1001_at_111.222.333.61
000 #1: "warrior"[2] 206.206.30.187 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3177s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:00:C0:B1:04:EE
          inet addr:172.17.5.11  Bcast:172.17.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:874 errors:0 dropped:0 overruns:0 frame:0
          TX packets:243 errors:2 dropped:0 overruns:0 carrier:6
          collisions:0 txqueuelen:100
          RX bytes:90531 (88.4 Kb)  TX bytes:21928 (21.4 Kb)
          Interrupt:11 Base address:0x5c00

eth1      Link encap:Ethernet  HWaddr 00:10:4B:26:92:F6
          inet addr:111.222.333.61  Bcast:207.108.232.63  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:89 errors:15 dropped:0 overruns:0 frame:24
          TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:40724 (39.7 Kb)  TX bytes:21871 (21.3 Kb)
          Interrupt:10 Base address:0xfc40

ipsec0    Link encap:Ethernet  HWaddr 00:10:4B:26:92:F6
          inet addr:111.222.333.61  Mask:255.255.255.248
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:9 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:540 (540.0 b)  TX bytes:0 (0.0 b)

ipsec1    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec2    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec3    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:700 (700.0 b)  TX bytes:700 (700.0 b)
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
warrior.domain.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
111.222.333.61
+ _________________________ uptime
+ uptime
5:59pm up 11 min, 1 user, load average: 0.18, 0.84, 0.60
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
000   0  1584  1270  16   0  3752 1028 wait4  S    pts/0      0:00          \_ /bin/sh /usr/local/sbin/ipsec barf
000   0  1585  1584  16   0  3768 1072 wait4  S    pts/0      0:00              \_ /bin/sh /usr/local/lib/ipsec/barf
000   0  1625  1585  17   0  1380  444 pipe_w S    pts/0      0:00                  \_ grep -E -i ppid|pluto|ipsec|klips
040   0  1506     1  19   0  2116 1064 wait4  S    pts/0      0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids
040   0  1511  1506  19   0  2116 1072 wait4  S    pts/0      0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqu
100   0  1513  1511  15   0  1952 1004 schedu S    pts/0      0:01  |   \_ /usr/local/lib/ipsec/pluto --nofork --debug-none --uniq
000   0  1521  1513  20   0  1300  244 schedu S    pts/0      0:00  |       \_ _pluto_adns 7 10
000   0  1512  1506  15   0  2104 1064 pipe_w S    pts/0      0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutoload --load %search --st
000   0  1507     1  19   0  1244  348 pipe_w S    pts/0      0:00 logger -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth1
routephys=eth1
routevirt=ipsec0
routevirt=ipsec0
routeaddr=111.222.333.61
routeaddr=111.222.333.61
routenexthop=111.222.333.57
routenexthop=111.222.333.57
defaultroutephys=eth1
defaultroutevirt=ipsec0
defaultrouteaddr=111.222.333.61
defaultroutenexthop=111.222.333.57
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

# VPN connection
conn warrior
    left=%defaultroute
    leftsubnet=172.17.0.0/16
    leftcert=certs/freeswan_cert.pem
    rightnexthop=%defaultroute
    right=%any
    auto=add
    pfs=yes
    leftupdown=/usr/local/lib/ipsec/_updown.x509
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA /etc/ipsec.d/private/freeswan_key.pem "[sums to 1347...]"
+ _________________________ ipsec/ls-dir
+ ls -l /usr/local/lib/ipsec
total 2652
-rwxr-xr-x 1 root root 11183 Nov 4 16:01 _confread
-rwxr-xr-x 1 root root 46389 Nov 4 16:01 _copyright
-rwxr-xr-x 1 root root 2163 Nov 4 16:01 _include
-rwxr-xr-x 1 root root 1472 Nov 4 16:01 _keycensor
-rwxr-xr-x 1 root root 72267 Nov 4 16:01 _pluto_adns
-rwxr-xr-x 1 root root 3495 Nov 4 16:01 _plutoload
-rwxr-xr-x 1 root root 4730 Nov 4 16:01 _plutorun
-rwxr-xr-x 1 root root 7530 Nov 4 16:01 _realsetup
-rwxr-xr-x 1 root root 1971 Nov 4 16:01 _secretcensor
-rwxr-xr-x 1 root root 7062 Nov 4 16:01 _startklips
-rwxr-xr-x 1 root root 5014 Nov 4 16:01 _updown
-rwxr-xr-x 1 root root 9099 Nov 4 16:01 _updown.x509
-rwxr-xr-x 1 root root 13335 Nov 4 16:01 auto
-rwxr-xr-x 1 root root 7198 Nov 4 16:01 barf
-rwxr-xr-x 1 root root 816 Nov 4 16:01 calcgoo
-rwxr-xr-x 1 root root 225301 Nov 4 16:01 eroute
-rwxr-xr-x 1 root root 98086 Nov 4 16:01 ikeping
-rwxr-xr-x 1 root root 2915 Nov 4 16:01 ipsec
-rw-r--r-- 1 root root 1950 Nov 4 16:01 ipsec_pr.template
-rwxr-xr-x 1 root root 161926 Nov 4 16:01 klipsdebug
-rwxr-xr-x 1 root root 2437 Nov 4 16:01 look
-rwxr-xr-x 1 root root 16157 Nov 4 16:01 manual
-rwxr-xr-x 1 root root 1847 Nov 4 16:01 newhostkey
-rwxr-xr-x 1 root root 139777 Nov 4 16:01 pf_key
-rwxr-xr-x 1 root root 910378 Nov 4 16:01 pluto
-rwxr-xr-x 1 root root 52710 Nov 4 16:01 ranbits
-rwxr-xr-x 1 root root 77794 Nov 4 16:01 rsasigkey
-rwxr-xr-x 1 root root 16671 Nov 4 16:01 send-pr
lrwxrwxrwx 1 root root 22 Dec 3 18:35 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1041 Nov 4 16:01 showdefaults
-rwxr-xr-x 1 root root 4205 Nov 4 16:01 showhostkey
-rwxr-xr-x 1 root root 246310 Nov 4 16:01 spi
-rwxr-xr-x 1 root root 202042 Nov 4 16:01 spigrp
-rwxr-xr-x 1 root root 71167 Nov 4 16:01 tncfg
-rwxr-xr-x 1 root root 16876 Nov 4 16:01 uml_netjig
-rwxr-xr-x 1 root root 3353 Nov 4 16:01 verify
-rwxr-xr-x 1 root root 141961 Nov 4 16:01 whack
+ _________________________ ipsec/updowns
++ egrep updown
++ ls /usr/local/lib/ipsec
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $

# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0])  # Older Pluto?!? Play it safe, script may be using new features.
    echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
    echo "$0: called by obsolete Pluto?" >&2
    exit 2
    ;;
1.*)    ;;
*)  echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
    exit 2
    ;;
esac

# check parameter(s)
case "$1:$*" in
':')                # no parameters
    ;;
ipfwadm:ipfwadm)    # due to (left/right)firewall; for default script only
    ;;
custom:*)           # custom parameters (see above CAUTION comment)
    ;;
*)  echo "$0: unknown parameters \`$*'" >&2
    exit 2
    ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
    doroute add
}
downroute() {
    doroute del
}
doroute() {
    parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
    parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # horrible kludge for obscure routing bug with opportunistic
        it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
            route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
        ;;
    *)  it="route $1 $parms $parms2"
        ;;
    esac
    eval $it
    st=$?
    if test $st -ne 0
    then
        # route has already given its own cryptic message
        echo "$0: \`$it' failed" >&2
        if test " $1 $st" = " add 7"
        then
            # another totally undocumented interface -- 7 and
            # "SIOCADDRT: Network is unreachable" means that
            # the gateway isn't reachable.
            echo "$0: (incorrect or missing nexthop setting??)" >&2
        fi
    fi
    return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
    # delete possibly-existing route (preliminary to adding a route)
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # horrible kludge for obscure routing bug with opportunistic
        it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
            route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
        ;;
    *)
        it="route del -net $PLUTO_PEER_CLIENT_NET \
            netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
        ;;
    esac
    oops="`eval $it`"
    status="$?"
    if test " $oops" = " " -a " $status" != " 0"
    then
        oops="silent error, exit status $status"
    fi
    case "$oops" in
    'SIOCDELRT: No such process'*)
        # This is what route (currently -- not documented!) gives
        # for "could not find such a route".
        oops=
        status=0
        ;;
    esac
    if test " $oops" != " " -o " $status" != " 0"
    then
        echo "$0: \`$it' failed ($oops)" >&2
    fi
    exit $status
    ;;
route-host:*|route-client:*)
    # connection to me or my client subnet being routed
    uproute
    ;;
unroute-host:*|unroute-client:*)
    # connection to me or my client subnet being unrouted
    downroute
    ;;
up-host:*)
    # connection to me coming up
    # If you are doing a custom version, firewall commands go here.
    ;;
down-host:*)
    # connection to me going down
    # If you are doing a custom version, firewall commands go here.
    ;;
up-client:)
    # connection to my client subnet coming up
    # If you are doing a custom version, firewall commands go here.
    ;;
down-client:)
    # connection to my client subnet going down
    # If you are doing a custom version, firewall commands go here.
    ;;
up-client:ipfwadm)
    # connection to client subnet, with (left/right)firewall=yes, coming up
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
    ;;
down-client:ipfwadm)
    # connection to client subnet, with (left/right)firewall=yes, going down
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
    ;;
*)  echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
    exit 1
    ;;
esac
+ cat /usr/local/lib/ipsec/_updown.x509
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice    -/var/log/vpn
#

# check interface version
case "$PLUTO_VERSION" in
1.[0])  # Older Pluto?!? Play it safe, script may be using new features.
    echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
    echo "$0: called by obsolete Pluto?" >&2
    exit 2
    ;;
1.*)    ;;
*)  echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
    exit 2
    ;;
esac

# check parameter(s)
case "$1:$*" in
':')                # no parameters
    ;;
ipfwadm:ipfwadm)    # due to (left/right)firewall; for default script only
    ;;
custom:*)           # custom parameters (see above CAUTION comment)
    ;;
*)  echo "$0: unknown parameters \`$*'" >&2
    exit 2
    ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
    doroute add
}
downroute() {
    doroute del
}
doroute() {
    parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
    parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # horrible kludge for obscure routing bug with opportunistic
        # ($it is only kept for the error message; the commands run directly)
        it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
        it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
        route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
        route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
        ;;
    *)  it="route $1 $parms $parms2"
        route $1 $parms $parms2
        ;;
    esac
    st=$?
    if test $st -ne 0
    then
        # route has already given its own cryptic message
        echo "$0: \`$it' failed" >&2
        if test " $1 $st" = " add 7"
        then
            # another totally undocumented interface -- 7 and
            # "SIOCADDRT: Network is unreachable" means that
            # the gateway isn't reachable.
            echo "$0: (incorrect or missing nexthop setting??)" >&2
        fi
    fi
    return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
    # delete possibly-existing route (preliminary to adding a route)
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # horrible kludge for obscure routing bug with opportunistic
        parms1="-net 0.0.0.0 netmask 128.0.0.0"
        parms2="-net 128.0.0.0 netmask 128.0.0.0"
        it="route del $parms1 2>&1 ; route del $parms2 2>&1"
        oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
        ;;
    *)
        parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
        it="route del $parms 2>&1"
        oops="`route del $parms 2>&1`"
        ;;
    esac
    status="$?"
    if test " $oops" = " " -a " $status" != " 0"
    then
        oops="silent error, exit status $status"
    fi
    case "$oops" in
    'SIOCDELRT: No such process'*)
        # This is what route (currently -- not documented!) gives
        # for "could not find such a route".
        oops=
        status=0
        ;;
    esac
    if test " $oops" != " " -o " $status" != " 0"
    then
        echo "$0: \`$it' failed ($oops)" >&2
    fi
    exit $status
    ;;
route-host:*|route-client:*)
    # connection to me or my client subnet being routed
    uproute
    ;;
unroute-host:*|unroute-client:*)
    # connection to me or my client subnet being unrouted
    downroute
    ;;
up-host:*)
    # connection to me coming up
    # If you are doing a custom version, firewall commands go here.
    # TCP (6) and UDP (17) SAs may carry port selectors, so the rules
    # are narrowed to the negotiated ports for those two protocols.
    if [ "$PLUTO_MY_PROTOCOL" = "6" ] || [ "$PLUTO_MY_PROTOCOL" = "17" ]
    then
        iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
            -d 0.0.0.0/0.0.0.0 --dport $PLUTO_MY_PORT -j ACCEPT
        iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s 0.0.0.0/0.0.0.0 --sport $PLUTO_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
    else
        iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
            -j ACCEPT
        iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
    fi
    if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
    then
        logger -t $TAG -p $FAC_PRIO \
            "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
    else
        logger -t $TAG -p $FAC_PRIO \
            "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
    fi
    ;;
down-host:*)
    # connection to me going down
    # If you are doing a custom version, firewall commands go here.
    # The -D rule specifications must match the -I rules in up-host exactly
    # (same -s/-d and --sport/--dport); the version as posted omitted the
    # --dport/-d part for INPUT and the -s/--sport part for OUTPUT, so
    # iptables could not find the rule and the ACCEPT entries were left
    # behind after the SA went away.
    if [ "$PLUTO_MY_PROTOCOL" = "6" ] || [ "$PLUTO_MY_PROTOCOL" = "17" ]
    then
        iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
            -d 0.0.0.0/0.0.0.0 --dport $PLUTO_MY_PORT -j ACCEPT
        iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s 0.0.0.0/0.0.0.0 --sport $PLUTO_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
    else
        iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
            -j ACCEPT
        iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
    fi
    if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
    then
        logger -t $TAG -p $FAC_PRIO -- \
            "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
    else
        logger -t $TAG -p $FAC_PRIO -- \
            "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
    fi
    ;;
up-client:)
    # connection to my client subnet coming up
    # If you are doing a custom version, firewall commands go here.
    if [ "$PLUTO_MY_PROTOCOL" = "6" ] || [ "$PLUTO_MY_PROTOCOL" = "17" ]
    then
        iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
        iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
    else
        iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
        iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
    fi
    if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
    then
        logger -t $TAG -p $FAC_PRIO \
            "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
    else
        logger -t $TAG -p $FAC_PRIO \
            "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
    fi
    ;;
down-client:)
    # connection to my client subnet going down
    # If you are doing a custom version, firewall commands go here.
    if [ "$PLUTO_MY_PROTOCOL" = "6" ] || [ "$PLUTO_MY_PROTOCOL" = "17" ]
    then
        iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
        iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
    else
        iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
        iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
    fi
    if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
    then
        logger -t $TAG -p $FAC_PRIO -- \
            "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
    else
        logger -t $TAG -p $FAC_PRIO -- \
            "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
    fi
    ;;
up-client:ipfwadm)
    # connection to client subnet, with (left/right)firewall=yes, coming up
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
    ;;
down-client:ipfwadm)
    # connection to client subnet, with (left/right)firewall=yes, going down
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
    ;;
*)  echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
    exit 1
    ;;
esac
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     700      10    0    0    0     0          0         0      700      10    0    0    0     0       0          0
  eth0:   90531     874    0    0    0     0          0         0    21928     243    2    0    0     0       6          0
  eth1:   40724      89   15    0    0    24          0         0    21871      60    0    0    0     0       0          0
ipsec0:     540       9    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface   Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
ipsec0  BB1ECECE    39E86CCF 0007  0      0   0      FFFFFFFF 40  0      0
eth1    38E86CCF    00000000 0001  0      0   0      F8FFFFFF 40  0      0
ipsec0  38E86CCF    00000000 0001  0      0   0      F8FFFFFF 40  0      0
eth0    000511AC    00000000 0001  0      0   0      00FFFFFF 40  0      0
lo      0000007F    00000000 0001  0      0   0      000000FF 40  0      0
eth1    00000000    39E86CCF 0003  0      0   0      00000000 40  0      0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux warrior.domain.com 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586 i586 i386 GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Red Hat Linux release 8.0 (Psyche)
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.99
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in     out    source          destination
  656 96175 RH-Lokkit-0-50-INPUT all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain FORWARD (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target               prot opt in     out    source          destination
    8   480 ACCEPT               all  --  ipsec0 *      206.206.30.187  172.17.0.0/16
    0     0 ACCEPT               all  --  *      ipsec0 172.17.0.0/16   206.206.30.187

Chain OUTPUT (policy ACCEPT 290 packets, 39163 bytes)
 pkts bytes target               prot opt in     out    source          destination

Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target               prot opt in     out    source          destination
    1   103 ACCEPT               udp  --  *      *      172.17.5.20     0.0.0.0/0       udp spt:53 dpts:1025:65535
   53 37048 ACCEPT               udp  --  *      *      0.0.0.0/0       0.0.0.0/0       udp dpt:500
    9  1008 ACCEPT               esp  --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT               ah   --  *      *      0.0.0.0/0       0.0.0.0/0
    1    48 ACCEPT               tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:22 flags:0x16/0x02
   10   700 ACCEPT               all  --  lo     *      0.0.0.0/0       0.0.0.0/0
  577 56502 ACCEPT               all  --  eth0   *      0.0.0.0/0       0.0.0.0/0
    4   620 ACCEPT               udp  --  *      *      207.108.224.1   0.0.0.0/0       udp spt:53
    1   146 ACCEPT               udp  --  *      *      204.147.80.5    0.0.0.0/0       udp spt:53
    0     0 REJECT               tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT               udp  --  *      *      0.0.0.0/0       0.0.0.0/0       udp reject-with icmp-port-unreachable
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/local/lib/ipsec/barf: line 197: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/local/lib/ipsec/barf: line 199: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/local/lib/ipsec/barf: line 201: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/local/lib/ipsec/barf: line 203: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/local/lib/ipsec/barf: line 207: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/local/lib/ipsec/barf: line 209: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ proc/modules
+ cat /proc/modules
iptable_mangle 2680 0 (autoclean) (unused)
iptable_nat 18872 0 (autoclean) (unused)
ip_conntrack 20316 1 (autoclean) [iptable_nat]
ipsec 254528 2
autofs 12228 0 (autoclean) (unused)
3c59x 29392 1
tulip 42304 1
ipt_REJECT 3448 2 (autoclean)
iptable_filter 2316 1 (autoclean)
ip_tables 14456 6 [iptable_mangle iptable_nat ipt_REJECT iptable_filter]
ide-scsi 9616 0
scsi_mod 102184 1 [ide-scsi]
ide-cd 31432 0
cdrom 30976 0 [ide-cd]
ext3 64224 5
jbd 48180 5 [ext3]
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 63295488 47906816 15388672 0 11317248 25300992
Swap: 134144000 0 134144000
MemTotal: 61812 kB
MemFree: 15028 kB
MemShared: 0 kB
Buffers: 11052 kB
Cached: 24708 kB
SwapCached: 0 kB
Active: 27904 kB
Inact_dirty: 1336 kB
Inact_clean: 10408 kB
Inact_target: 7928 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 61812 kB
LowFree: 15028 kB
SwapTotal: 131000 kB
SwapFree: 131000 kB
Committed_AS: 10956 kB
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r--    1 root     root            0 Dec 20 17:59 /proc/net/ipsec_eroute
-r--r--r--    1 root     root            0 Dec 20 17:59 /proc/net/ipsec_klipsdebug
-r--r--r--    1 root     root            0 Dec 20 17:59 /proc/net/ipsec_spi
-r--r--r--    1 root     root            0 Dec 20 17:59 /proc/net/ipsec_spigrp
-r--r--r--    1 root     root            0 Dec 20 17:59 /proc/net/ipsec_tncfg
-r--r--r--    1 root     root            0 Dec 20 17:59 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  /var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search domain.com hq.domain.com
nameserver 207.108.224.1
nameserver 204.147.80.5
nameserver 172.17.5.20
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 1
drwxr-xr-x 4 root root 1024 Dec 3 07:56 2.4.18-14
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c01d64e0 netif_rx_R12648b39
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
/usr/local/lib/ipsec/barf: line 111: nm: command not found
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '1464,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Dec 20 17:55:26 warrior ipsec_setup: Starting FreeS/WAN IPsec 1.99...
Dec 20 17:55:30 warrior ipsec_setup: Using /lib/modules/2.4.18-14/kernel/net/ipsec/ipsec.o
Dec 20 17:55:30 warrior kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.99
Dec 20 17:55:30 warrior /etc/hotplug/net.agent: invoke ifup ipsec0
Dec 20 17:55:31 warrior /etc/hotplug/net.agent: invoke ifup ipsec1
Dec 20 17:55:31 warrior /etc/hotplug/net.agent: invoke ifup ipsec2
Dec 20 17:55:32 warrior ipsec_setup: KLIPS debug `none'
Dec 20 17:55:33 warrior ipsec_setup: KLIPS ipsec0 on eth1 111.222.333.61/255.255.255.248 broadcast 207.108.232.63
Dec 20 17:55:34 warrior ipsec_setup: ...FreeS/WAN IPsec started
Dec 20 17:55:34 warrior /etc/hotplug/net.agent: invoke ifup ipsec3
Dec 20 17:56:42 warrior kernel: device ipsec0 entered promiscuous mode
Dec 20 17:58:44 warrior kernel: device ipsec0 left promiscuous mode
+ _________________________ plog
+ sed -n '55754,$p' /var/log/secure
+ egrep -i pluto
+ cat
Dec 20 17:55:33 warrior ipsec__plutorun: Starting Pluto subsystem...
Dec 20 17:55:34 warrior pluto[1513]: Starting Pluto (FreeS/WAN Version 1.99)
Dec 20 17:55:34 warrior pluto[1513]: including X.509 patch (Version 0.9.15)
Dec 20 17:55:34 warrior pluto[1513]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 20 17:55:34 warrior pluto[1513]: loaded cacert file 'cacert.pem' (1724 bytes)
Dec 20 17:55:34 warrior pluto[1513]: Changing to directory '/etc/ipsec.d/crls'
Dec 20 17:55:34 warrior pluto[1513]: loaded crl file 'freeswan_crl.pem' (719 bytes)
Dec 20 17:55:34 warrior pluto[1513]: loaded my default X.509 cert file '/etc/x509cert.der' (1316 bytes)
Dec 20 17:55:38 warrior pluto[1513]: loaded host cert file '/etc/ipsec.d/certs/freeswan_cert.pem' (5309 bytes)
Dec 20 17:55:38 warrior pluto[1513]: added connection description "warrior"
Dec 20 17:55:39 warrior pluto[1513]: listening for IKE messages
Dec 20 17:55:39 warrior pluto[1513]: adding interface ipsec0/eth1 111.222.333.61
Dec 20 17:55:39 warrior pluto[1513]: loading secrets from "/etc/ipsec.secrets"
Dec 20 17:55:39 warrior pluto[1513]: loaded private key file '/etc/ipsec.d/private/freeswan_key.pem' (1743 bytes)
Dec 20 17:56:02 warrior pluto[1513]: packet from 206.206.30.187:500: Informational Exchange is for an unknown (expired?) SA
Dec 20 17:56:25 warrior pluto[1513]: packet from 206.206.30.187:500: ignoring Vendor ID payload
Dec 20 17:56:25 warrior pluto[1513]: "warrior"[1] 206.206.30.187 #1: responding to Main Mode from unknown peer 206.206.30.187
Dec 20 17:56:27 warrior pluto[1513]: "warrior"[1] 206.206.30.187 #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=State, L=City, O=Company Name, OU=IS bblack, CN=bblack_at_domain.com, E=bblack_at_domain.com'
Dec 20 17:56:27 warrior pluto[1513]: "warrior"[2] 206.206.30.187 #1: deleting connection "warrior" instance with peer 206.206.30.187
Dec 20 17:56:28 warrior pluto[1513]: "warrior"[2] 206.206.30.187 #1: sent MR3, ISAKMP SA established
Dec 20 17:56:28 warrior pluto[1513]: "warrior"[2] 206.206.30.187 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 20 17:56:29 warrior pluto[1513]: "warrior"[2] 206.206.30.187 #2: responding to Quick Mode
Dec 20 17:56:31 warrior pluto[1513]: "warrior"[2] 206.206.30.187 #2: IPsec SA established
+ _________________________ date
+ date
Fri Dec 20 17:59:08 MST 2002
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Mon Dec 30 2002 - 05:21:12 CET