From: Alessandro (magobin_at_libero.it)
Date: Sun Jan 12 2003 - 13:36:52 CET
Hi again, this morning I've done some tests with my FreeS/WAN server and
Win2000 client, putting leftnexthop=%direct; now the error reported is
different, it says:
- encrypted Informational Exchange message is invalid because it is for
incomplete ISAKMP SA
Reading the old posts I turned on Oakley in the Windows registry and I saw that
the problem now is the Windows client certificate! What can I do? Any
suggestions? Below are my barf (updated) and Oakley output.
Thanks in advance for any tips!
Alessandro
*****BARF OUTPUT******
proxy.example.com
Sun Jan 12 11:40:38 CET 2003
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 1.99
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.20 (root_at_proxy.example.com) (gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)) #1 SMP lun dic 16 10:45:24 CET 2002
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.31.16.182    10.23.5.200     255.255.255.255 UGH    40 0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0   U      40 0      0    eth1
10.31.231.0     10.23.5.200     255.255.255.0   UG     40 0      0    eth0
10.23.5.0       0.0.0.0         255.255.255.0   U      40 0      0    eth0
10.23.5.0       0.0.0.0         255.255.255.0   U      40 0      0    ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
0.0.0.0         192.168.1.1     0.0.0.0         UG     40 0      0    eth1
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
d7830de0 13813 d00bfb20 0 0 0 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 d00bfb20 13813 d7830de0
pf_key_registered: 3 d00bfb20 13813 d7830de0
pf_key_registered: 9 d00bfb20 13813 d7830de0
pf_key_registered: 10 d00bfb20 13813 d7830de0
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 10.23.5.243
000
000 "roadwarrior": 10.23.5.243[C=it, ST=italia, L=bolzano, O=internet, CN=proxy.example.com, E=magobin_at_example.com]...%any
000 "roadwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth0; unrouted
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:50:04:C0:E9:33
inet addr:10.23.5.243 Bcast:10.23.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:90056 errors:0 dropped:0 overruns:0 frame:0
TX packets:7688 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:9753150 (9.3 Mb) TX bytes:4616950 (4.4 Mb)
Interrupt:5 Base address:0xd000
eth1 Link encap:Ethernet HWaddr 00:E0:4C:66:6C:86
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:19382 errors:0 dropped:0 overruns:0 frame:0
TX packets:7607 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:5284298 (5.0 Mb) TX bytes:1416031 (1.3 Mb)
Interrupt:10 Base address:0x1000
ipsec0 Link encap:Ethernet HWaddr 00:50:04:C0:E9:33
inet addr:10.23.5.243 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:46 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:816 (816.0 b)
ipsec1 Link encap:IPIP Tunnel HWaddr
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:IPIP Tunnel HWaddr
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:IPIP Tunnel HWaddr
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:13941 errors:0 dropped:0 overruns:0 frame:0
TX packets:13941 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:877190 (856.6 Kb) TX bytes:877190 (856.6 Kb)
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
proxy.example.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
192.168.1.100 10.23.5.243
+ _________________________ uptime
+ uptime
11:40am up 2 days, 3:21, 2 users, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
000 0 13943 902 9 0 3600 1048 wait4 S tty2 0:00 \_ /bin/sh /usr/local/sbin/ipsec barf
000 0 13944 13943 16 0 3624 1100 wait4 S tty2 0:00 \_ /bin/sh /usr/local/lib/ipsec/barf
000 0 13984 13944 15 0 1452 448 pipe_w S tty2 0:00 \_ grep -E -i ppid|pluto|ipsec|klips
040 0 13806 1 9 0 2020 944 wait4 S tty2 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids
040 0 13810 13806 9 0 2020 952 wait4 S tty2 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqu
100 0 13813 13810 9 0 2016 952 do_sel S tty2 0:00 | \_ /usr/local/lib/ipsec/pluto --nofork --debug-none --uniq
000 0 13815 13813 9 0 1384 252 do_sel S tty2 0:00 | \_ _pluto_adns 7 10
000 0 13811 13806 8 0 2008 948 pipe_w S tty2 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --load %search --st
000 0 13807 1 9 0 1328 460 pipe_w S tty2 0:00 logger -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
#dr: no default route
# no default route
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces="ipsec0=eth0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
# connection description for opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
#conn me-to-anyone
# left=%defaultroute
# right=%opportunistic
# keylife=1h
# rekey=no
# for initiator only OE, uncomment and uncomment this
# after putting your key in your forward map
#leftid=@myhostname.example.com
# uncomment this next line to enable it
#auto=route
# sample VPN connection
#conn sample
# Left security gateway, subnet behind it, next hop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# Right security gateway, subnet behind it, next hop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# To authorize this connection, but not actually start it, at startup,
# uncomment this.
#auto=add
conn roadwarrior-net
leftsubnet=10.23.5.0/24
leftnexthop=%direct
also=roadwarrior
conn roadwarrior
right=%any
left=10.23.5.243
leftnexthop=%direct
leftcert=proxy.example.com.pem
auto=add
pfs=yes
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
: RSA {
# RSA 2192 bits proxy.example.com Wed Jan 8 13:58:20 2003
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQOHvmkja]
#IN KEY 0x4200 4 1 [keyid AQOHvmkja]
# (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/ls-dir
+ ls -l /usr/local/lib/ipsec
total 5288
-rwxr-xr-x 1 root root 11183 Jan 8 15:03 _confread
-rwxr-xr-x 1 root root 11183 Jan 8 14:20 _confread.old
-rwxr-xr-x 1 root root 47903 Jan 8 15:03 _copyright
-rwxr-xr-x 1 root root 47903 Jan 8 14:20 _copyright.old
-rwxr-xr-x 1 root root 2163 Jan 8 15:03 _include
-rwxr-xr-x 1 root root 2163 Jan 8 14:20 _include.old
-rwxr-xr-x 1 root root 1472 Jan 8 15:03 _keycensor
-rwxr-xr-x 1 root root 1472 Jan 8 14:20 _keycensor.old
-rwxr-xr-x 1 root root 70787 Jan 8 15:03 _pluto_adns
-rwxr-xr-x 1 root root 70787 Jan 8 14:20 _pluto_adns.old
-rwxr-xr-x 1 root root 3495 Jan 8 15:03 _plutoload
-rwxr-xr-x 1 root root 3495 Jan 8 14:20 _plutoload.old
-rwxr-xr-x 1 root root 4730 Jan 8 15:03 _plutorun
-rwxr-xr-x 1 root root 4730 Jan 8 14:20 _plutorun.old
-rwxr-xr-x 1 root root 7530 Jan 8 15:03 _realsetup
-rwxr-xr-x 1 root root 7530 Jan 8 14:20 _realsetup.old
-rwxr-xr-x 1 root root 1971 Jan 8 15:03 _secretcensor
-rwxr-xr-x 1 root root 1971 Jan 8 14:20 _secretcensor.old
-rwxr-xr-x 1 root root 7062 Jan 8 15:03 _startklips
-rwxr-xr-x 1 root root 7062 Jan 8 14:20 _startklips.old
-rwxr-xr-x 1 root root 5014 Jan 8 15:03 _updown
-rwxr-xr-x 1 root root 5014 Jan 8 14:20 _updown.old
-rwxr-xr-x 1 root root 9099 Jan 8 15:03 _updown.x509
-rwxr-xr-x 1 root root 9099 Jan 8 14:20 _updown.x509.old
-rwxr-xr-x 1 root root 13335 Jan 8 15:03 auto
-rwxr-xr-x 1 root root 13335 Jan 8 14:20 auto.old
-rwxr-xr-x 1 root root 7198 Jan 8 15:03 barf
-rwxr-xr-x 1 root root 7198 Jan 8 14:20 barf.old
-rwxr-xr-x 1 root root 816 Jan 8 15:03 calcgoo
-rwxr-xr-x 1 root root 816 Jan 8 14:20 calcgoo.old
-rwxr-xr-x 1 root root 318737 Jan 8 15:03 eroute
-rwxr-xr-x 1 root root 142074 Jan 8 15:03 ikeping
-rwxr-xr-x 1 root root 142074 Jan 8 14:20 ikeping.old
-rwxr-xr-x 1 root root 2915 Jan 8 15:03 ipsec
-rwxr-xr-x 1 root root 2915 Jan 8 14:20 ipsec.old
-rw-r--r-- 1 root root 1950 Jan 8 15:03 ipsec_pr.template
-rwxr-xr-x 1 root root 169458 Jan 8 15:03 klipsdebug
-rwxr-xr-x 1 root root 2437 Jan 8 15:03 look
-rwxr-xr-x 1 root root 2437 Jan 8 14:20 look.old
-rwxr-xr-x 1 root root 16157 Jan 8 15:03 manual
-rwxr-xr-x 1 root root 16157 Jan 8 14:20 manual.old
-rwxr-xr-x 1 root root 1847 Jan 8 15:03 newhostkey
-rwxr-xr-x 1 root root 1847 Jan 8 14:20 newhostkey.old
-rwxr-xr-x 1 root root 144001 Jan 8 15:03 pf_key
-rwxr-xr-x 1 root root 1206329 Jan 8 15:03 pluto
-rwxr-xr-x 1 root root 1206329 Jan 8 14:20 pluto.old
-rwxr-xr-x 1 root root 52408 Jan 8 15:03 ranbits
-rwxr-xr-x 1 root root 52408 Jan 8 14:20 ranbits.old
-rwxr-xr-x 1 root root 78550 Jan 8 15:03 rsasigkey
-rwxr-xr-x 1 root root 78550 Jan 8 14:20 rsasigkey.old
-rwxr-xr-x 1 root root 16671 Jan 8 15:03 send-pr
-rwxr-xr-x 1 root root 16671 Jan 8 14:20 send-pr.old
lrwxrwxrwx 1 root root 22 Jan 8 15:03 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1041 Jan 8 15:03 showdefaults
-rwxr-xr-x 1 root root 1041 Jan 8 14:20 showdefaults.old
-rwxr-xr-x 1 root root 4205 Jan 8 15:03 showhostkey
-rwxr-xr-x 1 root root 4205 Jan 8 14:20 showhostkey.old
-rwxr-xr-x 1 root root 333138 Jan 8 15:03 spi
-rwxr-xr-x 1 root root 268579 Jan 8 15:03 spigrp
-rwxr-xr-x 1 root root 60159 Jan 8 15:03 tncfg
-rwxr-xr-x 1 root root 16056 Jan 8 15:03 uml_netjig
-rwxr-xr-x 1 root root 3353 Jan 8 15:03 verify
-rwxr-xr-x 1 root root 3353 Jan 8 14:20 verify.old
-rwxr-xr-x 1 root root 225695 Jan 8 15:03 whack
-rwxr-xr-x 1 root root 225695 Jan 8 14:20 whack.old
+ _________________________ ipsec/updowns
++ ls /usr/local/lib/ipsec
++ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $
# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
}
downroute() {
doroute del
}
doroute() {
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
;;
*) it="route $1 $parms $parms2"
;;
esac
eval $it
st=$?
if test $st -ne 0
then
# route has already given its own cryptic message
echo "$0: \`$it' failed" >&2
if test " $1 $st" = " add 7"
then
# another totally undocumented interface -- 7 and
# "SIOCADDRT: Network is unreachable" means that
# the gateway isn't reachable.
echo "$0: (incorrect or missing nexthop setting??)" >&2
fi
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
;;
*)
it="route del -net $PLUTO_PEER_CLIENT_NET \
netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
;;
esac
oops="`eval $it`"
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
'SIOCDELRT: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ cat /usr/local/lib/ipsec/_updown.x509
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
#
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
}
downroute() {
doroute del
}
doroute() {
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
;;
*) it="route $1 $parms $parms2"
route $1 $parms $parms2
;;
esac
st=$?
if test $st -ne 0
then
# route has already given its own cryptic message
echo "$0: \`$it' failed" >&2
if test " $1 $st" = " add 7"
then
# another totally undocumented interface -- 7 and
# "SIOCADDRT: Network is unreachable" means that
# the gateway isn't reachable.
echo "$0: (incorrect or missing nexthop setting??)" >&2
fi
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
parms1="-net 0.0.0.0 netmask 128.0.0.0"
parms2="-net 128.0.0.0 netmask 128.0.0.0"
it="route del $parms1 2>&1 ; route del $parms2 2>&1"
oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
;;
*)
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
it="route del $parms 2>&1"
oops="`route del $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
'SIOCDELRT: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-d 0.0.0.0/0.0.0.0 --dport $PLUTO_MY_PORT -j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s 0.0.0.0/0.0.0.0 --sport $PLUTO_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
else
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
else
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
else
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
else
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ cat /usr/local/lib/ipsec/_updown.x509.old
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
#
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
}
downroute() {
doroute del
}
doroute() {
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
;;
*) it="route $1 $parms $parms2"
route $1 $parms $parms2
;;
esac
st=$?
if test $st -ne 0
then
# route has already given its own cryptic message
echo "$0: \`$it' failed" >&2
if test " $1 $st" = " add 7"
then
# another totally undocumented interface -- 7 and
# "SIOCADDRT: Network is unreachable" means that
# the gateway isn't reachable.
echo "$0: (incorrect or missing nexthop setting??)" >&2
fi
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
parms1="-net 0.0.0.0 netmask 128.0.0.0"
parms2="-net 128.0.0.0 netmask 128.0.0.0"
it="route del $parms1 2>&1 ; route del $parms2 2>&1"
oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
;;
*)
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
it="route del $parms 2>&1"
oops="`route del $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
'SIOCDELRT: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-d 0.0.0.0/0.0.0.0 --dport $PLUTO_MY_PORT -j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s 0.0.0.0/0.0.0.0 --sport $PLUTO_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
else
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
else
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
else
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
then
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
else
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
fi
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 877190 13941 0 0 0 0 0 0 877190 13941 0 0 0 0 0 0
eth0: 9753150 90056 0 0 0 0 0 0 4616950 7688 0 0 0 0 0 0
eth1: 5284298 19382 0 0 0 0 0 0 1416031 7607 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 816 4 0 46 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 B6101F0A C805170A 0007 0 0 0 FFFFFFFF 40 0 0
eth1 0001A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0
eth0 00E71F0A C805170A 0003 0 0 0 00FFFFFF 40 0 0
eth0 0005170A 00000000 0001 0 0 0 00FFFFFF 40 0 0
ipsec0 0005170A 00000000 0001 0 0 0 00FFFFFF 40 0 0
lo 0000007F 00000000 0001 0 0 0 000000FF 40 0 0
eth1 00000000 0101A8C0 0003 0 0 0 00000000 40 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
0
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
ipsec0/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux proxy.example.com 2.4.20 #1 SMP lun dic 16 10:45:24 CET 2002 i686 i686 i386 GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Red Hat Linux release 8.0 (Psyche)
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.99
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 46894 packets, 8040K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 24238 packets, 5266K bytes)
pkts bytes target prot opt in out source destination
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/local/lib/ipsec/barf: line 197: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/local/lib/ipsec/barf: line 199: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/local/lib/ipsec/barf: line 201: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/local/lib/ipsec/barf: line 203: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 12974 packets, 1985K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1925 packets, 119K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1925 packets, 119K bytes)
pkts bytes target prot opt in out source destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/local/lib/ipsec/barf: line 207: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/local/lib/ipsec/barf: line 209: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 47082 packets, 8053K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 46893 packets, 8040K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 24236 packets, 5266K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 24236 packets, 5266K bytes)
pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ cat /proc/modules
ipsec 272256 2
iptable_mangle 2744 0 (autoclean) (unused)
iptable_nat 21624 0 (autoclean) (unused)
ip_conntrack 29664 1 (autoclean) [iptable_nat]
iptable_filter 2380 0 (autoclean) (unused)
vfat 13292 1 (autoclean)
fat 40152 0 (autoclean) [vfat]
cls_route 5592 0 (unused)
cls_u32 6332 1
cls_fw 3704 0 (unused)
sch_prio 4288 0 (unused)
sch_sfq 4224 0 (unused)
sch_tbf 3680 1
sch_cbq 14624 2
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 395366400 390172672 5193728 0 150679552 81645568
Swap: 838934528 413696 838520832
MemTotal: 386100 kB
MemFree: 5072 kB
MemShared: 0 kB
Buffers: 147148 kB
Cached: 79400 kB
SwapCached: 332 kB
Active: 115976 kB
Inactive: 133004 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 386100 kB
LowFree: 5072 kB
SwapTotal: 819272 kB
SwapFree: 818868 kB
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r-- 1 root root 0 Jan 12 11:40 /proc/net/ipsec_eroute
-r--r--r-- 1 root root 0 Jan 12 11:40 /proc/net/ipsec_klipsdebug
-r--r--r-- 1 root root 0 Jan 12 11:40 /proc/net/ipsec_spi
-r--r--r-- 1 root root 0 Jan 12 11:40 /proc/net/ipsec_spigrp
-r--r--r-- 1 root root 0 Jan 12 11:40 /proc/net/ipsec_tncfg
-r--r--r-- 1 root root 0 Jan 12 11:40 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
# CONFIG_MD_MULTIPATH is not set
CONFIG_NETLINK_DEV=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_FWMARK is not set
# CONFIG_IP_ROUTE_NAT is not set
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_TOS is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
CONFIG_IP_MROUTE=y
# CONFIG_IP_PIMSM_V1 is not set
# CONFIG_IP_PIMSM_V2 is not set
# IP: Netfilter Configuration
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_TALK is not set
CONFIG_IP_NF_H323=m
# CONFIG_IP_NF_EGG is not set
# CONFIG_IP_NF_IRC is not set
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=m
# CONFIG_IP_NF_MATCH_QUOTA is not set
CONFIG_IP_NF_POOL=m
# CONFIG_IP_POOL_STATISTICS is not set
CONFIG_IP_NF_MATCH_MAC=m
# CONFIG_IP_NF_MATCH_PKTTYPE is not set
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_MPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
# CONFIG_IP_NF_MATCH_TIME is not set
# CONFIG_IP_NF_MATCH_RANDOM is not set
# CONFIG_IP_NF_MATCH_PSD is not set
# CONFIG_IP_NF_MATCH_NTH is not set
# CONFIG_IP_NF_MATCH_IPV4OPTIONS is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
# CONFIG_IP_NF_MATCH_LENGTH is not set
CONFIG_IP_NF_MATCH_TTL=m
# CONFIG_IP_NF_MATCH_TCPMSS is not set
# CONFIG_IP_NF_MATCH_REALM is not set
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
# CONFIG_IP_NF_MATCH_IPLIMIT is not set
CONFIG_IP_NF_MATCH_CONNTRACK=m
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_STRING is not set
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_NETLINK is not set
# CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP is not set
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_H323=m
# CONFIG_IP_NF_TARGET_SAME is not set
# CONFIG_IP_NF_TARGET_NETMAP is not set
CONFIG_IP_NF_NAT_LOCAL=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_TARGET_TOS is not set
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_DSCP is not set
# CONFIG_IP_NF_TARGET_MARK is not set
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ROUTE=m
CONFIG_IP_NF_TARGET_TTL=m
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IPV6 is not set
# CONFIG_IPX is not set
CONFIG_IPSEC=m
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_IDE_CHIPSETS is not set
# CONFIG_SCSI_IPS is not set
# CONFIG_TULIP is not set
# CONFIG_HIPPI is not set
# CONFIG_PLIP is not set
# CONFIG_SLIP is not set
# CONFIG_FBCON_IPLAN2P2 is not set
# CONFIG_FBCON_IPLAN2P4 is not set
# CONFIG_FBCON_IPLAN2P8 is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 10.23.5.240
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 16
drwxr-xr-x 4 root root 4096 Nov 11 10:02 2.4.18-14
drwxr-xr-x 2 root root 4096 Nov 13 11:22 2.4.191
drwxr-xr-x 4 root root 4096 Dec 9 15:42 2.4.19
drwxr-xr-x 4 root root 4096 Jan 8 15:29 2.4.20
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c021e8f0 netif_rx_Rsmp_a824d93c
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.18-14: U netif_rx_Rac7ce141
2.4.19:
2.4.191:
2.4.20:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '90,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
gen 12 10:33:09 proxy ipsec_setup: Starting FreeS/WAN IPsec 1.99...
gen 12 10:33:09 proxy ipsec_setup: Using /lib/modules/2.4.20/kernel/net/ipsec/ipsec.o
Jan 12 10:33:09 proxy kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.99
Jan 12 10:33:09 proxy /etc/hotplug/net.agent: invoke ifup ipsec0
Jan 12 10:33:09 proxy /etc/hotplug/net.agent: invoke ifup ipsec1
Jan 12 10:33:09 proxy /etc/hotplug/net.agent: invoke ifup ipsec2
Jan 12 10:33:09 proxy ipsec_setup: KLIPS debug `none'
Jan 12 10:33:09 proxy ipsec_setup: KLIPS ipsec0 on eth0 10.23.5.243/255.255.255.0 broadcast 10.23.5.255
gen 12 10:33:09 proxy ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
gen 12 10:33:09 proxy ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
Jan 12 10:33:09 proxy /etc/hotplug/net.agent: invoke ifup ipsec3
Jan 12 10:33:09 proxy ipsec_setup: ...FreeS/WAN IPsec started
Jan 12 10:33:10 proxy ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior-net": (/etc/ipsec.conf, line 70) duplicated parameter "leftnexthop"
Jan 12 10:33:10 proxy ipsec__plutorun: ...could not add conn "roadwarrior-net"
+ _________________________ plog
+ sed -n '2362,$p' /var/log/secure
+ egrep -i pluto
+ cat
Jan 12 10:33:09 proxy ipsec__plutorun: Starting Pluto subsystem...
Jan 12 10:33:09 proxy pluto[13813]: Starting Pluto (FreeS/WAN Version 1.99)
Jan 12 10:33:09 proxy pluto[13813]: including X.509 patch (Version 0.9.15)
Jan 12 10:33:09 proxy pluto[13813]: Changing to directory '/etc/ipsec.d/cacerts'
Jan 12 10:33:09 proxy pluto[13813]: Warning: empty directory
Jan 12 10:33:09 proxy pluto[13813]: Changing to directory '/etc/ipsec.d/crls'
Jan 12 10:33:10 proxy pluto[13813]: loaded crl file 'crl.pem' (674 bytes)
Jan 12 10:33:10 proxy pluto[13813]: could not open my default X.509 cert file '/etc/x509cert.der'
Jan 12 10:33:10 proxy pluto[13813]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Jan 12 10:33:10 proxy pluto[13813]: loaded host cert file '/etc/ipsec.d/proxy.example.com.pem' (5006 bytes)
Jan 12 10:33:10 proxy pluto[13813]: added connection description "roadwarrior"
Jan 12 10:33:10 proxy pluto[13813]: listening for IKE messages
Jan 12 10:33:10 proxy pluto[13813]: adding interface ipsec0/eth0 10.23.5.243
Jan 12 10:33:10 proxy pluto[13813]: loading secrets from "/etc/ipsec.secrets"
Jan 12 10:33:53 proxy pluto[13813]: packet from 10.23.5.20:500: ignoring Vendor ID payload
Jan 12 10:33:53 proxy pluto[13813]: "roadwarrior"[1] 10.23.5.20 #1: responding to Main Mode from unknown peer 10.23.5.20
Jan 12 10:33:53 proxy pluto[13813]: "roadwarrior"[1] 10.23.5.20 #1: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Jan 12 10:35:03 proxy pluto[13813]: "roadwarrior"[1] 10.23.5.20 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Jan 12 10:35:03 proxy pluto[13813]: "roadwarrior"[1] 10.23.5.20: deleting connection "roadwarrior" instance with peer 10.23.5.20
Jan 12 10:36:02 proxy pluto[13813]: packet from 10.23.5.20:500: Informational Exchange is for an unknown (expired?) SA
Jan 12 11:17:40 proxy pluto[13813]: packet from 10.23.5.20:500: ignoring Vendor ID payload
Jan 12 11:17:40 proxy pluto[13813]: "roadwarrior"[2] 10.23.5.20 #2: responding to Main Mode from unknown peer 10.23.5.20
Jan 12 11:17:40 proxy pluto[13813]: "roadwarrior"[2] 10.23.5.20 #2: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Jan 12 11:18:50 proxy pluto[13813]: "roadwarrior"[2] 10.23.5.20 #2: max number of retransmissions (2) reached STATE_MAIN_R2
Jan 12 11:18:50 proxy pluto[13813]: "roadwarrior"[2] 10.23.5.20: deleting connection "roadwarrior" instance with peer 10.23.5.20
Jan 12 11:19:23 proxy pluto[13813]: packet from 10.23.5.20:500: Informational Exchange is for an unknown (expired?) SA
Jan 12 11:23:18 proxy pluto[13813]: packet from 10.23.5.20:500: ignoring Vendor ID payload
Jan 12 11:23:18 proxy pluto[13813]: "roadwarrior"[3] 10.23.5.20 #3: responding to Main Mode from unknown peer 10.23.5.20
Jan 12 11:23:18 proxy pluto[13813]: "roadwarrior"[3] 10.23.5.20 #3: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Jan 12 11:24:28 proxy pluto[13813]: "roadwarrior"[3] 10.23.5.20 #3: max number of retransmissions (2) reached STATE_MAIN_R2
Jan 12 11:24:28 proxy pluto[13813]: "roadwarrior"[3] 10.23.5.20: deleting connection "roadwarrior" instance with peer 10.23.5.20
Jan 12 11:25:23 proxy pluto[13813]: packet from 10.23.5.20:500: Informational Exchange is for an unknown (expired?) SA
Jan 12 11:28:10 proxy pluto[13813]: packet from 10.23.5.20:500: ignoring Vendor ID payload
Jan 12 11:28:10 proxy pluto[13813]: "roadwarrior"[4] 10.23.5.20 #4: responding to Main Mode from unknown peer 10.23.5.20
Jan 12 11:28:10 proxy pluto[13813]: "roadwarrior"[4] 10.23.5.20 #4: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Jan 12 11:29:20 proxy pluto[13813]: "roadwarrior"[4] 10.23.5.20 #4: max number of retransmissions (2) reached STATE_MAIN_R2
Jan 12 11:29:20 proxy pluto[13813]: "roadwarrior"[4] 10.23.5.20: deleting connection "roadwarrior" instance with peer 10.23.5.20
Jan 12 11:29:20 proxy pluto[13813]: packet from 10.23.5.20:500: Informational Exchange is for an unknown (expired?) SA
Jan 12 11:30:00 proxy pluto[13813]: packet from 10.23.5.20:500: ignoring Vendor ID payload
Jan 12 11:30:00 proxy pluto[13813]: "roadwarrior"[5] 10.23.5.20 #5: responding to Main Mode from unknown peer 10.23.5.20
Jan 12 11:30:01 proxy pluto[13813]: "roadwarrior"[5] 10.23.5.20 #5: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Jan 12 11:31:02 proxy pluto[13813]: "roadwarrior"[5] 10.23.5.20 #5: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Jan 12 11:31:10 proxy pluto[13813]: "roadwarrior"[5] 10.23.5.20 #5: max number of retransmissions (2) reached STATE_MAIN_R2
Jan 12 11:31:10 proxy pluto[13813]: "roadwarrior"[5] 10.23.5.20: deleting connection "roadwarrior" instance with peer 10.23.5.20
+ _________________________ date
+ date
Sun Jan 12 11:40:39 CET 2003
*****OAKLEY OUTPUT******
1-12: 11:16:26:4c4 Posting acquire: op=810CA168 src=10.23.5.20.0 dst=10.23.5.243.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.255, Tunnel 1, TunnelEndpt=10.23.5.243 Inbound TunnelEndpt=10.23.5.20
1-12: 11:16:26:4c4 Acquire thread waiting
1-12: 11:16:26:6b8 find(ipsec): 80105249-6b45-4b78-9d9591834d6f81cd
1-12: 11:16:26:6b8 outstanding_kernel_req returned 0
1-12: 11:16:26:6b8 Created new SA 23b058
1-12: 11:16:26:6b8 Acquire: src = 10.23.5.20.0000, dst = 10.23.5.243.62465, proto = 00, context = 810CA168, ProxySrc = 10.23.5.20.0000, ProxyDst = 10.23.5.243.0000 SrcMask = 0.0.0.0 DstMask = 0.0.0.0
1-12: 11:16:26:6b8 constructing ISAKMP Header
1-12: 11:16:26:6b8 constructing SA (ISAKMP)
1-12: 11:16:26:6b8 find(isakmp): 80105249-6b45-4b78-9d9591834d6f81cd
1-12: 11:16:26:6b8 Setting group desc
1-12: 11:16:26:6b8 Setting group desc
1-12: 11:16:26:6b8 Setting group desc
1-12: 11:16:26:6b8 Setting group desc
1-12: 11:16:26:6b8 Constructing Vendor
1-12: 11:16:26:6b8 Throw: State mask=1
1-12: 11:16:26:6b8 Added Timeout 10c830
1-12: 11:16:26:6b8 Setting Retransmit: sa 23b058 handle 10c830 context 23b918
1-12: 11:16:26:6b8
1-12: 11:16:26:6b8 Sending: SA = 0x0023B058 to 10.23.5.243
1-12: 11:16:26:6b8 ISAKMP Header: (V1.0), len = 216
1-12: 11:16:26:6b8 I-COOKIE bbd29339ad5f4774
1-12: 11:16:26:6b8 R-COOKIE 0000000000000000
1-12: 11:16:26:6b8 exchange: Oakley Main Mode
1-12: 11:16:26:6b8 flags: 0
1-12: 11:16:26:6b8 next payload: SA
1-12: 11:16:26:6b8 message ID: 00000000
1-12: 11:16:26:6b8
1-12: 11:16:26:6b8 Resume: (get) SA = 0x0023b058 from 10.23.5.243
1-12: 11:16:26:6b8 ISAKMP Header: (V1.0), len = 84
1-12: 11:16:26:6b8 I-COOKIE bbd29339ad5f4774
1-12: 11:16:26:6b8 R-COOKIE 354b1bc133ad024a
1-12: 11:16:26:6b8 exchange: Oakley Main Mode
1-12: 11:16:26:6b8 flags: 0
1-12: 11:16:26:6b8 next payload: SA
1-12: 11:16:26:6b8 message ID: 00000000
1-12: 11:16:26:6b8 Stopping RetransTimer sa:0023B058 centry:00000000 handle:0010C830
1-12: 11:16:26:6b8 processing payload SA
1-12: 11:16:26:6b8 Received Phase 1 Transform 1
1-12: 11:16:26:6b8 Encryption Alg Triple DES CBC(5)
1-12: 11:16:26:6b8 Hash Alg SHA(2)
1-12: 11:16:26:6b8 Oakley Group 2
1-12: 11:16:26:6b8 Auth Method Firma RSA con certificati(3)
1-12: 11:16:26:6b8 Life type in Seconds
1-12: 11:16:26:6b8 Life duration of 28800
1-12: 11:16:26:6b8 Phase 1 SA accepted: transform=1
1-12: 11:16:26:6b8 SA - Oakley proposal accepted
1-12: 11:16:26:6b8 In state OAK_MM_SA_SETUP
1-12: 11:16:26:6b8 constructing ISAKMP Header
1-12: 11:16:26:6b8 constructing KE
1-12: 11:16:26:6b8 constructing NONCE (ISAKMP)
1-12: 11:16:26:6b8 Throw: State mask=7
1-12: 11:16:26:6b8
1-12: 11:16:26:6b8 Sending: SA = 0x0023B058 to 10.23.5.243
1-12: 11:16:26:6b8 ISAKMP Header: (V1.0), len = 184
1-12: 11:16:26:6b8 I-COOKIE bbd29339ad5f4774
1-12: 11:16:26:6b8 R-COOKIE 354b1bc133ad024a
1-12: 11:16:26:6b8 exchange: Oakley Main Mode
1-12: 11:16:26:6b8 flags: 0
1-12: 11:16:26:6b8 next payload: KE
1-12: 11:16:26:6b8 message ID: 00000000
1-12: 11:16:26:6b8
1-12: 11:16:26:6b8 Resume: (get) SA = 0x0023b058 from 10.23.5.243
1-12: 11:16:26:6b8 ISAKMP Header: (V1.0), len = 188
1-12: 11:16:26:6b8 I-COOKIE bbd29339ad5f4774
1-12: 11:16:26:6b8 R-COOKIE 354b1bc133ad024a
1-12: 11:16:26:6b8 exchange: Oakley Main Mode
1-12: 11:16:26:6b8 flags: 0
1-12: 11:16:26:6b8 next payload: KE
1-12: 11:16:26:6b8 message ID: 00000000
1-12: 11:16:26:6b8 Stopping RetransTimer sa:0023B058 centry:00000000 handle:0010C830
1-12: 11:16:26:6b8 processing payload KE
1-12: 11:16:26:6b8 Generated 128 byte Shared Secret
1-12: 11:16:26:6b8 KE processed; DH shared secret computed
1-12: 11:16:26:6b8 processing payload NONCE
1-12: 11:16:26:6b8 processing payload CR
1-12: 11:16:26:6b8 Processing Cert request
1-12: 11:16:26:6b8 In state OAK_MM_Key_EXCH
1-12: 11:16:26:6b8 skeyid generated; crypto enabled (initiator)
1-12: 11:16:26:6b8 constructing ISAKMP Header
1-12: 11:16:26:6b8 constructing ID
1-12: 11:16:26:6b8 Received no valid CRPs. Using all configured
1-12: 11:16:26:6b8 failed to get chain -2146885628
1-12: 11:16:26:6b8 ProcessFailure: sa:0023B058 centry:00000000 status:cbad0326
1-12: 11:16:26:6b8 isadb_set_status sa:0023B058 centry:00000000 status cbad0326
1-12: 11:16:26:6b8 Modalità Scambio chiave (modalità principale)
1-12: 11:16:26:6b8 Indirizzo IP di origine 10.23.5.20
Mask indirizzo IP di origine 255.255.255.255
Indirizzo IP di destinazione 10.23.5.243
Mask indirizzo IP di destinazione 255.255.255.255
Protocollo 0
Porta di origine 0
Porta di destinazione 0
1-12: 11:16:26:6b8 Utente
1-12: 11:16:26:6b8 IKE non è riuscito a trovare un certificato di computer valido
1-12: 11:16:26:6b8 ProcessFailure: sa:0023B058 centry:00000000 status:cbad0326
1-12: 11:16:26:6b8 constructing ISAKMP Header
1-12: 11:16:26:6b8 constructing HASH (null)
1-12: 11:16:26:6b8 constructing NOTIFY 28
1-12: 11:16:26:6b8 constructing HASH (ND)
1-12: 11:16:26:6b8 Construct ND has
er: (V1.0), len = 84
1-12: 11:16:26:6b8 I-COOKIE bbd29339ad5f4774
1-12: 11:16:26:6b8 R-COOKIE 354b1bc133ad024a
1-12: 11:16:26:6b8 exchange: ISAKMP Informational Exchange
1-12: 11:16:26:6b8 flags: 1 ( encrypted )
1-12: 11:16:26:6b8 next payload: HASH
1-12: 11:16:26:6b8 message ID: dec27606
1-12: 11:16:36:6b8
1-12: 11:16:36:6b8 Resume: (get) SA = 0x0023b058 from 10.23.5.243
1-12: 11:16:36:6b8 ISAKMP Header: (V1.0), len = 188
1-12: 11:16:36:6b8 I-COOKIE bbd29339ad5f4774
1-12: 11:16:36:6b8 R-COOKIE 354b1bc133ad024a
1-12: 11:16:36:6b8 exchange: Oakley Main Mode
1-12: 11:16:36:6b8 flags: 0
1-12: 11:16:36:6b8 next payload: KE
1-12: 11:16:36:6b8 message ID: 00000000
1-12: 11:16:36:6b8 received an unencrypted packet when crypto active
1-12: 11:16:36:6b8 GetPacket failed cbad0324
1-12: 11:16:56:6b8
1-12: 11:16:56:6b8 Resume: (get) SA = 0x0023b058 from 10.23.5.243
1-12: 11:16:56:6b8 ISAKMP Header: (V1.0), len = 188
1-12: 11:16:56:6b8 I-COOKIE bbd29339ad5f4774
1-12: 11:16:56:6b8 R-COOKIE 354b1bc133ad024a
1-12: 11:16:56:6b8 exchange: Oakley Main Mode
1-12: 11:16:56:6b8 flags: 0
1-12: 11:16:56:6b8 next payload: KE
1-12: 11:16:56:6b8 message ID: 00000000
1-12: 11:16:56:6b8 received an unencrypted packet when crypto active
1-12: 11:16:56:6b8 GetPacket failed cbad0324
1-12: 11:18:09:6b8 SA Dead. sa:0023B058 status:cbad0328
1-12: 11:18:09:6b8 constructing ISAKMP Header
1-12: 11:18:09:6b8 constructing HASH (null)
1-12: 11:18:09:6b8 constructing DELETE
1-12: 11:18:09:6b8 constructing HASH (ND)
1-12: 11:18:09:6b8 Construct ND hash message len = 28 pcklen=80 hashlen=20
1-12: 11:18:09:6b8 Construct ND Hash mess ID dcc6c01b
1-12: 11:18:09:6b8 ND Hash skeyid_a b3418a8cccc4ef30878900ad128f3064
1-12: 11:18:09:6b8 73bacf91
1-12: 11:18:09:6b8 ND Hash message 0000001c0000000101100001bbd29339
1-12: 11:18:09:6b8 ad5f4774354b1bc133ad024a
1-12: 11:18:09:6b8 Throw: State mask=110f
1-12: 11:18:09:6b8 Doing tripleDES
1-12: 11:18:09:6b8
1-12: 11:18:09:6b8 Sending: SA = 0x0023B058 to 10.23.5.243
1-12: 11:18:09:6b8 ISAKMP Header: (V1.0), len = 84
1-12: 11:18:09:6b8 I-COOKIE bbd29339ad5f4774
1-12: 11:18:09:6b8 R-COOKIE 354b1bc133ad024a
1-12: 11:18:09:6b8 exchange: ISAKMP Informational Exchange
1-12: 11:18:09:6b8 flags: 1 ( encrypted )
1-12: 11:18:09:6b8 next payload: HASH
1-12: 11:18:09:6b8 message ID: dcc6c01b
1-12: 11:18:09:6b8 Deleting SA 0023B058
1-12: 11:18:09:6b8 Cancelling Timeout 10c830
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Wed Jan 15 2003 - 20:11:39 CET