left.vpn.test Tue Oct 8 16:40:51 EST 2002 + _________________________ version + ipsec --version Linux FreeS/WAN 1.98b See `ipsec --copyright' for copyright information. + _________________________ proc/version + cat /proc/version Linux version 2.4.18-6mdk (quintela@bi.mandrakesoft.com) (gcc version 2.96 20000731 (Mandrake Linux 8.2 2.96-0.76mdk)) #1 Fri Mar 15 02:59:08 CET 2002 + _________________________ proc/net/ipsec_eroute + sort +3 /proc/net/ipsec_eroute 0 10.10.10.0/24 -> 10.0.0.0/24 => tun0x1002@192.168.0.200 + _________________________ netstart-rn + netstat -nr Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 10.0.0.0 192.168.0.200 255.255.255.0 UG 40 0 0 ipsec0 192.168.0.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0 192.168.0.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0 192.168.0.0 0.0.0.0 255.255.255.0 U 40 0 0 ipsec0 10.10.10.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1 10.10.10.0 0.0.0.0 255.255.255.0 U 40 0 0 ipsec1 127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo 0.0.0.0 192.168.0.200 0.0.0.0 UG 40 0 0 eth0 + _________________________ proc/net/ipsec_spi + cat /proc/net/ipsec_spi esp0x1185859c@192.168.0.100 ESP_3DES_HMAC_MD5: dir=in src=192.168.0.200 iv_bits=64bits iv=0x23a628668c4c7ebe ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(94,0,0) tun0x1002@192.168.0.200 IPIP: dir=out src=192.168.0.100 life(c,s,h)=addtime(94,0,0) tun0x1001@192.168.0.100 IPIP: dir=in src=192.168.0.200 life(c,s,h)=addtime(94,0,0) esp0xd084e08@192.168.0.200 ESP_3DES_HMAC_MD5: dir=out src=192.168.0.100 iv_bits=64bits iv=0x026f138170c19712 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(94,0,0) + _________________________ proc/net/ipsec_spigrp + cat /proc/net/ipsec_spigrp tun0x1002@192.168.0.200 esp0xd084e08@192.168.0.200 tun0x1001@192.168.0.100 esp0x1185859c@192.168.0.100 + _________________________ proc/net/ipsec_tncfg + cat /proc/net/ipsec_tncfg ipsec0 -> eth0 mtu=16260(1500) -> 1500 ipsec1 -> eth1 mtu=16260(1500) -> 1500 ipsec2 -> NULL mtu=0(0) -> 0 
ipsec3 -> NULL mtu=0(0) -> 0 + _________________________ proc/net/pf_key + cat /proc/net/pf_key sock pid socket next prev e n p sndbf Flags Type St cc91e040 31792 c66611c4 0 0 0 0 2 65535 00000000 3 1 + _________________________ proc/net/pf_key-star + cd /proc/net + egrep '^' pf_key_registered pf_key_supported pf_key_registered:satype socket pid sk pf_key_registered: 2 c66611c4 31792 cc91e040 pf_key_registered: 3 c66611c4 31792 cc91e040 pf_key_registered: 9 c66611c4 31792 cc91e040 pf_key_registered: 10 c66611c4 31792 cc91e040 pf_key_supported:satype exttype alg_id ivlen minbits maxbits pf_key_supported: 2 14 3 0 160 160 pf_key_supported: 2 14 2 0 128 128 pf_key_supported: 3 15 3 128 168 168 pf_key_supported: 3 14 3 0 160 160 pf_key_supported: 3 14 2 0 128 128 pf_key_supported: 9 15 4 0 128 128 pf_key_supported: 9 15 3 0 32 128 pf_key_supported: 9 15 2 0 128 32 pf_key_supported: 9 15 1 0 32 32 pf_key_supported: 10 15 2 0 1 1 + _________________________ proc/sys/net/ipsec-star + cd /proc/sys/net/ipsec + egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos debug_ah:0 debug_eroute:0 debug_esp:0 debug_ipcomp:0 debug_netlink:0 debug_pfkey:0 debug_radij:0 debug_rcv:0 debug_spi:0 debug_tunnel:0 debug_verbose:0 debug_xform:0 icmp:1 inbound_policy_check:1 tos:1 + _________________________ ipsec/status + ipsec auto --status 000 interface ipsec0/eth0 192.168.0.100 000 interface ipsec1/eth1 10.10.10.100 000 000 "left-right": 10.10.10.0/24===192.168.0.100[@left.vpn.test]...192.168.0.200[@right.vpn.test]===10.0.0.0/24 000 "left-right": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "left-right": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; erouted 000 "left-right": newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2 000 000 #2: "left-right" STATE_QUICK_I2 (sent QI2, IPsec 
SA established); EVENT_SA_REPLACE in 27665s; newest IPSEC; eroute owner 000 #2: "left-right" esp.d084e08@192.168.0.200 esp.1185859c@192.168.0.100 tun.1002@192.168.0.200 tun.1001@192.168.0.100 000 #1: "left-right" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2753s; newest ISAKMP 000 + _________________________ ifconfig-a + ifconfig -a eth0 Link encap:Ethernet HWaddr 00:02:E3:17:6F:91 inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:58561 errors:0 dropped:0 overruns:0 frame:0 TX packets:64463 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:49702840 (47.4 Mb) TX bytes:50692221 (48.3 Mb) Interrupt:10 Base address:0xb000 eth1 Link encap:Ethernet HWaddr 00:10:DC:34:F7:17 inet addr:10.10.10.100 Bcast:10.10.10.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:12 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 b) TX bytes:720 (720.0 b) Interrupt:11 Base address:0x4000 ipsec0 Link encap:Ethernet HWaddr 00:02:E3:17:6F:91 inet addr:192.168.0.100 Mask:255.255.255.0 UP RUNNING NOARP MTU:16260 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) ipsec1 Link encap:Ethernet HWaddr 00:10:DC:34:F7:17 inet addr:10.10.10.100 Mask:255.255.255.0 UP RUNNING NOARP MTU:16260 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) ipsec2 Link encap:IPIP Tunnel HWaddr NOARP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) ipsec3 Link encap:IPIP Tunnel HWaddr NOARP MTU:0 Metric:1 RX 
packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:323 errors:0 dropped:0 overruns:0 frame:0 TX packets:323 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:23336 (22.7 Kb) TX bytes:23336 (22.7 Kb) + _________________________ ipsec/directory + ipsec --directory /usr/local/lib/ipsec + _________________________ hostname/fqdn + hostname --fqdn left.vpn.test + _________________________ hostname/ipaddress + hostname --ip-address 10.10.10.100 192.168.0.100 + _________________________ uptime + uptime 4:40pm up 1:39, 6 users, load average: 0.00, 0.00, 0.00 + _________________________ ps + ps alxwf + egrep -i 'ppid|pluto|ipsec|klips' F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND 000 0 31898 16704 9 0 2424 1188 wait4 S vc/1 0:00 \_ /bin/sh /usr/local/sbin/ipsec barf 000 0 31899 31898 17 0 2452 1244 wait4 S tty1 0:00 \_ /bin/sh /usr/local/lib/ipsec/barf 000 0 31939 31899 16 0 1764 572 pipe_w S tty1 0:00 \_ egrep -i ppid|pluto|ipsec|klips 040 0 31785 1 9 0 2412 1196 wait4 S tty1 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids 040 0 31789 31785 9 0 2412 1196 wait4 S tty1 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqu 100 0 31792 31789 8 0 2016 904 do_sel S tty1 0:00 | \_ /usr/local/lib/ipsec/pluto --nofork --debug-none --uniq 000 0 31818 31792 9 0 1448 292 do_sel S tty1 0:00 | \_ _pluto_adns 7 10 000 0 31790 31785 8 0 2396 1176 pipe_w S tty1 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --load %search --st 000 0 31786 1 9 0 1612 460 pipe_w S tty1 0:00 logger -p daemon.error -t ipsec__plutorun + _________________________ ipsec/showdefaults + ipsec showdefaults #dr: no default route #dr: no default route # no default route # no default route # no default route # no default 
route + _________________________ ipsec/conf + ipsec _include /etc/ipsec.conf + ipsec _keycensor #< /etc/ipsec.conf 1 # /etc/ipsec.conf - FreeS/WAN IPsec configuration file # More elaborate and more varied sample configurations can be found # in FreeS/WAN's doc/examples file, and in the HTML documentation. # basic configuration config setup # THIS SETTING MUST BE CORRECT or almost nothing will work; # %defaultroute is okay for most simple cases. interfaces="ipsec0=eth0 ipsec1=eth1" #interfaces=%defaultroute # Debug-logging controls: "none" for (almost) none, "all" for lots. klipsdebug=none plutodebug=none # Use auto= parameters in conn descriptions to control startup actions. plutoload=%search plutostart=%search # Close down old connection when new one using same ID shows up. uniqueids=yes # defaults for subsequent connection descriptions # (these defaults will soon go away) conn %default keyingtries=0 #disablearrivalcheck=no authby=rsasig #leftrsasigkey=%dnsondemand #rightrsasigkey=%dnsondemand # connection description for opportunistic encryption # (requires KEY record in your DNS reverse map; see doc/opportunism.howto) #conn me-to-anyone #left=%defaultroute #right=%opportunistic #keylife=1h #rekey=no # for initiator only OE, uncomment and uncomment this # after putting your key in your forward map #leftid=@myhostname.example.com # uncomment this next line to enable it #auto=route # sample VPN connection #conn sample # Left security gateway, subnet behind it, next hop toward right. #left=10.0.0.1 #leftsubnet=172.16.0.0/24 #leftnexthop=10.22.33.44 # Right security gateway, subnet behind it, next hop toward left. #right=10.12.12.1 #rightsubnet=192.168.0.0/24 #rightnexthop=10.101.102.103 # To authorize this connection, but not actually start it, at startup, # uncomment this. 
#auto=add conn left-right left=192.168.0.100 leftsubnet=10.10.10.0/24 leftnexthop=192.168.0.200 leftid=@left.vpn.test right=192.168.0.200 rightsubnet=10.0.0.0/24 rightnexthop=192.168.0.100 rightid=@right.vpn.test authby=rsasig auto=add leftrsasigkey=[keyid AQOT+6P9H] rightrsasigkey=[keyid AQPiGQ8qP] + _________________________ ipsec/secrets + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 @left.vpn.test : RSA { # RSA 2048 bits left.vpn.test Tue Oct 8 16:00:16 2002 # for signatures only, UNSAFE FOR ENCRYPTION #pubkey=[keyid AQOT+6P9H] #IN KEY 0x4200 4 1 [keyid AQOT+6P9H] # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA) Modulus: [...] PublicExponent: [...] # everything after this point is secret PrivateExponent: [...] Prime1: [...] Prime2: [...] Exponent1: [...] Exponent2: [...] Coefficient: [...] } + _________________________ ipsec/ls-dir + ls -l /usr/local/lib/ipsec total 2604 -rwxr-xr-x 1 root root 11404 Oct 8 15:34 auto -rwxr-xr-x 1 root root 7195 Oct 8 15:34 barf -rwxr-xr-x 1 root root 816 Oct 8 15:34 calcgoo -rwxr-xr-x 1 root root 11102 Oct 8 15:34 _confread -rwxr-xr-x 1 root root 46497 Oct 8 15:34 _copyright -rwxr-xr-x 1 root root 227875 Oct 8 15:34 eroute -rwxr-xr-x 1 root root 98240 Oct 8 15:34 ikeping -rwxr-xr-x 1 root root 2163 Oct 8 15:34 _include -rwxr-xr-x 1 root root 2916 Oct 8 15:34 ipsec -rw-r--r-- 1 root root 1950 Oct 8 15:34 ipsec_pr.template -rwxr-xr-x 1 root root 1472 Oct 8 15:34 _keycensor -rwxr-xr-x 1 root root 162908 Oct 8 15:34 klipsdebug -rwxr-xr-x 1 root root 2437 Oct 8 15:34 look -rwxr-xr-x 1 root root 16157 Oct 8 15:34 manual -rwxr-xr-x 1 root root 1847 Oct 8 15:34 newhostkey -rwxr-xr-x 1 root root 141249 Oct 8 15:34 pf_key -rwxr-xr-x 1 root root 800539 Oct 8 15:34 pluto -rwxr-xr-x 1 root root 71605 Oct 8 15:34 _pluto_adns -rwxr-xr-x 1 root root 3495 Oct 8 15:34 _plutoload -rwxr-xr-x 1 root root 4376 Oct 8 15:34 _plutorun -rwxr-xr-x 1 root root 53008 Oct 8 15:34 ranbits -rwxr-xr-x 1 root root 7450 Oct 
8 15:34 _realsetup -rwxr-xr-x 1 root root 76380 Oct 8 15:34 rsasigkey -rwxr-xr-x 1 root root 1971 Oct 8 15:34 _secretcensor -rwxr-xr-x 1 root root 16671 Oct 8 15:34 send-pr lrwxrwxrwx 1 root root 22 Oct 8 15:34 setup -> /etc/rc.d/init.d/ipsec -rwxr-xr-x 1 root root 1041 Oct 8 15:34 showdefaults -rwxr-xr-x 1 root root 4205 Oct 8 15:34 showhostkey -rwxr-xr-x 1 root root 248632 Oct 8 15:34 spi -rwxr-xr-x 1 root root 204600 Oct 8 15:34 spigrp -rwxr-xr-x 1 root root 6933 Oct 8 15:34 _startklips -rwxr-xr-x 1 root root 71289 Oct 8 15:34 tncfg -rwxr-xr-x 1 root root 94968 Oct 8 15:34 uml_netjig -rwxr-xr-x 1 root root 5014 Oct 8 15:34 _updown -rwxr-xr-x 1 root root 3353 Oct 8 15:34 verify -rwxr-xr-x 1 root root 136239 Oct 8 15:34 whack + _________________________ ipsec/updowns ++ ls /usr/local/lib/ipsec ++ egrep updown + cat /usr/local/lib/ipsec/_updown #! /bin/sh # default updown script # Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at your # option) any later version. See . # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # # RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $ # CAUTION: Installing a new version of FreeS/WAN will install a new # copy of this script, wiping out any custom changes you make. If # you need changes, make a copy of this under another name, and customize # that, and use the (left/right)updown parameters in ipsec.conf to make # FreeS/WAN use yours instead of this default one. # check interface version case "$PLUTO_VERSION" in 1.[0]) # Older Pluto?!? Play it safe, script may be using new features. 
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*)  ;;
*)
  echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
  exit 2
  ;;
esac

# check parameter(s)
# $1 is the optional (left/right)updown argument: empty, "ipfwadm" (only
# meaningful for this default script) or "custom ..." for site-specific copies.
case "$1:$*" in
':')  # no parameters
  ;;
ipfwadm:ipfwadm)  # due to (left/right)firewall; for default script only
  ;;
custom:*)  # custom parameters (see above CAUTION comment)
  ;;
*)
  echo "$0: unknown parameters \`$*'" >&2
  exit 2
  ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.

# uproute: add the kernel route to the peer's client subnet (see doroute).
uproute() {
  doroute add
}

# downroute: delete the kernel route to the peer's client subnet (see doroute).
downroute() {
  doroute del
}

# doroute: run "route $1 ..." for the peer client subnet.
# Arguments: $1 - "add" or "del"
# Globals (read from the environment): PLUTO_PEER_CLIENT_NET,
#   PLUTO_PEER_CLIENT_MASK, PLUTO_INTERFACE, PLUTO_NEXT_HOP
# Returns: the exit status of route(8); a diagnostic goes to stderr on failure.
doroute() {
  parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
  parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
  case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
  "0.0.0.0/0.0.0.0")
    # horrible kludge for obscure routing bug with opportunistic
    it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 && route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
    ;;
  *)
    it="route $1 $parms $parms2"
    ;;
  esac
  # NOTE(review): $it is a command string assembled from unquoted PLUTO_*
  # environment values and handed to eval; the script relies on the caller
  # supplying well-formed address/mask/interface values here.
  eval $it
  st=$?
  if test $st -ne 0
  then
    # route has already given its own cryptic message
    echo "$0: \`$it' failed" >&2
    if test " $1 $st" = " add 7"
    then
      # another totally undocumented interface -- 7 and
      # "SIOCADDRT: Network is unreachable" means that
      # the gateway isn't reachable.
      echo "$0: (incorrect or missing nexthop setting??)" >&2
    fi
  fi
  return $st
}

# the big choice
# Dispatch on the Pluto verb (PLUTO_VERB) combined with the script argument.
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
  # delete possibly-existing route (preliminary to adding a route)
  case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
  "0.0.0.0/0.0.0.0")
    # horrible kludge for obscure routing bug with opportunistic
    it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ; route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
    ;;
  *)
    it="route del -net $PLUTO_PEER_CLIENT_NET \
      netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
    ;;
  esac
  # capture route's output (stderr is merged by the 2>&1 inside $it) so the
  # benign "no such route" case can be recognised below
  oops="`eval $it`"
  status="$?"
  # a non-zero status with no message would otherwise be reported as
  # nothing at all, so synthesise one
  if test " $oops" = " " -a " $status" != " 0"
  then
    oops="silent error, exit status $status"
  fi
  case "$oops" in
  'SIOCDELRT: No such process'*)
    # This is what route (currently -- not documented!) gives
    # for "could not find such a route".
    oops=
    status=0
    ;;
  esac
  if test " $oops" != " " -o " $status" != " 0"
  then
    echo "$0: \`$it' failed ($oops)" >&2
  fi
  # prepare-* never falls through to the route/firewall verbs below
  exit $status
  ;;
route-host:*|route-client:*)
  # connection to me or my client subnet being routed
  uproute
  ;;
unroute-host:*|unroute-client:*)
  # connection to me or my client subnet being unrouted
  downroute
  ;;
up-host:*)
  # connection to me coming up
  # If you are doing a custom version, firewall commands go here.
  ;;
down-host:*)
  # connection to me going down
  # If you are doing a custom version, firewall commands go here.
  ;;
up-client:)
  # connection to my client subnet coming up
  # If you are doing a custom version, firewall commands go here.
  ;;
down-client:)
  # connection to my client subnet going down
  # If you are doing a custom version, firewall commands go here.
  ;;
up-client:ipfwadm)
  # connection to client subnet, with (left/right)firewall=yes, coming up
  # This is used only by the default updown script, not by your custom
  # ones, so do not mess with it; see CAUTION comment up at top.
  # Inserts (-i) a bidirectional (-b) accept rule into the forwarding
  # chain (-F) between the local and peer client subnets.
  ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
  ;;
down-client:ipfwadm)
  # connection to client subnet, with (left/right)firewall=yes, going down
  # This is used only by the default updown script, not by your custom
  # ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 ;; esac + _________________________ proc/net/dev + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 23336 323 0 0 0 0 0 0 23336 323 0 0 0 0 0 0 eth0:49702840 58561 0 0 0 0 0 0 50692221 64463 0 0 0 0 0 0 eth1: 0 0 0 0 0 0 0 0 720 12 0 0 0 0 0 0 ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _________________________ proc/net/route + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT ipsec0 0000000A C800A8C0 0003 0 0 0 00FFFFFF 40 0 0 eth0 0000A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0 eth0 0000A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0 ipsec0 0000A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0 eth1 000A0A0A 00000000 0001 0 0 0 00FFFFFF 40 0 0 ipsec1 000A0A0A 00000000 0001 0 0 0 00FFFFFF 40 0 0 lo 0000007F 00000000 0001 0 0 0 000000FF 40 0 0 eth0 00000000 C800A8C0 0003 0 0 0 00000000 40 0 0 + _________________________ proc/sys/net/ipv4/ip_forward + cat /proc/sys/net/ipv4/ip_forward 1 + _________________________ proc/sys/net/ipv4/conf/star-rp_filter + cd /proc/sys/net/ipv4/conf + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter ipsec1/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:1 eth0/rp_filter:0 eth1/rp_filter:0 ipsec0/rp_filter:1 ipsec1/rp_filter:1 lo/rp_filter:1 + _________________________ uname-a + uname -a Linux left.vpn.test 2.4.18-6mdk #1 Fri Mar 15 02:59:08 CET 2002 i686 unknown + _________________________ redhat-release + test -r /etc/redhat-release + cat /etc/redhat-release Mandrake Linux release 8.2 (Bluebird) for i586 + _________________________ 
proc/net/ipsec_version + cat /proc/net/ipsec_version FreeS/WAN version: 1.98b + _________________________ iptables/list + iptables -L -v -n insmod: /lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz: No such file or directory modprobe: insmod /lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz failed modprobe: insmod ip_tables failed iptables v1.2.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded. + _________________________ ipchains/list + ipchains -L -v -n /usr/local/lib/ipsec/barf: ipchains: command not found + _________________________ ipfwadm/forward + ipfwadm -F -l -n -e /usr/local/lib/ipsec/barf: ipfwadm: command not found + _________________________ ipfwadm/input + ipfwadm -I -l -n -e /usr/local/lib/ipsec/barf: ipfwadm: command not found + _________________________ ipfwadm/output + ipfwadm -O -l -n -e /usr/local/lib/ipsec/barf: ipfwadm: command not found + _________________________ iptables/nat + iptables -t nat -L -v -n insmod: /lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz: No such file or directory modprobe: insmod /lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz failed modprobe: insmod ip_tables failed iptables v1.2.5: can't initialize iptables table `nat': iptables who? (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded. 
+ _________________________ ipchains/masq + ipchains -M -L -v -n /usr/local/lib/ipsec/barf: ipchains: command not found + _________________________ ipfwadm/masq + ipfwadm -M -l -n -e /usr/local/lib/ipsec/barf: ipfwadm: command not found + _________________________ iptables/mangle + iptables -t mangle -L -v -n insmod: /lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz: No such file or directory modprobe: insmod /lib/modules/2.4.18-6mdk/kernel/net/ipv4/netfilter/ip_tables.o.gz failed modprobe: insmod ip_tables failed iptables v1.2.5: can't initialize iptables table `mangle': iptables who? (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded. + _________________________ proc/modules + cat /proc/modules ipsec 245312 3 nls_iso8859-1 2816 1 (autoclean) isofs 25792 1 (autoclean) inflate_fs 19328 0 (autoclean) [isofs] af_packet 12488 1 (autoclean) ip_vs 65400 0 (autoclean) usb-uhci 21668 0 (unused) usbcore 59072 1 [usb-uhci] 8139too 14336 1 (autoclean) mii 1360 0 (autoclean) [8139too] natsemi 15720 1 (autoclean) supermount 62180 2 (autoclean) rtc 5912 0 (autoclean) ext3 62092 4 jbd 39356 4 [ext3] + _________________________ proc/meminfo + cat /proc/meminfo total: used: free: shared: buffers: cached: Mem: 253661184 227364864 26296320 0 16728064 91652096 Swap: 411222016 0 411222016 MemTotal: 247716 kB MemFree: 25680 kB MemShared: 0 kB Buffers: 16336 kB Cached: 89504 kB SwapCached: 0 kB Active: 60012 kB Inactive: 62676 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 247716 kB LowFree: 25680 kB SwapTotal: 401584 kB SwapFree: 401584 kB NrSwapPages: 100396 pages + _________________________ dev/ipsec-ls + ls -l '/dev/ipsec*' ls: /dev/ipsec*: No such file or directory + _________________________ proc/net/ipsec-ls + ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version -r--r--r-- 1 root root 0 Oct 8 16:40 /proc/net/ipsec_eroute -r--r--r-- 1 root root 0 Oct 
8 16:40 /proc/net/ipsec_klipsdebug -r--r--r-- 1 root root 0 Oct 8 16:40 /proc/net/ipsec_spi -r--r--r-- 1 root root 0 Oct 8 16:40 /proc/net/ipsec_spigrp -r--r--r-- 1 root root 0 Oct 8 16:40 /proc/net/ipsec_tncfg -r--r--r-- 1 root root 0 Oct 8 16:40 /proc/net/ipsec_version + _________________________ usr/src/linux/.config + test -f /usr/src/linux/.config + egrep 'IP|NETLINK' /usr/src/linux/.config # CONFIG_MWINCHIPC6 is not set # CONFIG_MWINCHIP2 is not set # CONFIG_MWINCHIP3D is not set CONFIG_SYSVIPC=y # CONFIG_MTD_OBSOLETE_CHIPS is not set CONFIG_MD_MULTIPATH=m CONFIG_NETLINK_DEV=m CONFIG_IP_MULTICAST=y CONFIG_IP_ADVANCED_ROUTER=y CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IP_ROUTE_FWMARK=y CONFIG_IP_ROUTE_NAT=y CONFIG_IP_ROUTE_MULTIPATH=y CONFIG_IP_ROUTE_TOS=y CONFIG_IP_ROUTE_VERBOSE=y CONFIG_IP_ROUTE_LARGE_TABLES=y # CONFIG_IP_PNP is not set CONFIG_NET_IPIP=m CONFIG_NET_IPGRE=m CONFIG_NET_IPGRE_BROADCAST=y CONFIG_IP_MROUTE=y CONFIG_IP_PIMSM_V1=y CONFIG_IP_PIMSM_V2=y # IP: Netfilter Configuration CONFIG_IP_NF_CONNTRACK=m CONFIG_IP_NF_FTP=m CONFIG_IP_NF_IRC=m CONFIG_IP_NF_QUEUE=m CONFIG_IP_NF_IPTABLES=m CONFIG_IP_NF_MATCH_LIMIT=m CONFIG_IP_NF_MATCH_MAC=m CONFIG_IP_NF_MATCH_MARK=m CONFIG_IP_NF_MATCH_MULTIPORT=m CONFIG_IP_NF_MATCH_TOS=m CONFIG_IP_NF_MATCH_AH_ESP=m CONFIG_IP_NF_MATCH_LENGTH=m CONFIG_IP_NF_MATCH_TTL=m CONFIG_IP_NF_MATCH_TCPMSS=m CONFIG_IP_NF_MATCH_STATE=m CONFIG_IP_NF_MATCH_UNCLEAN=m CONFIG_IP_NF_MATCH_OWNER=m CONFIG_IP_NF_FILTER=m CONFIG_IP_NF_TARGET_REJECT=m CONFIG_IP_NF_TARGET_MIRROR=m CONFIG_IP_NF_NAT=m CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IP_NF_TARGET_MASQUERADE=m CONFIG_IP_NF_TARGET_REDIRECT=m CONFIG_IP_NF_NAT_SNMP_BASIC=m CONFIG_IP_NF_NAT_IRC=m CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_MANGLE=m CONFIG_IP_NF_TARGET_TOS=m CONFIG_IP_NF_TARGET_MARK=m CONFIG_IP_NF_TARGET_LOG=m CONFIG_IP_NF_TARGET_ULOG=m CONFIG_IP_NF_TARGET_TCPMSS=m CONFIG_IP_NF_COMPAT_IPCHAINS=m CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IP_NF_COMPAT_IPFWADM=m CONFIG_IP_NF_NAT_NEEDED=y # IP: Virtual Server 
Configuration CONFIG_IP_VS=m # CONFIG_IP_VS_DEBUG is not set CONFIG_IP_VS_TAB_BITS=12 # IPVS scheduler CONFIG_IP_VS_RR=m CONFIG_IP_VS_WRR=m CONFIG_IP_VS_LC=m CONFIG_IP_VS_WLC=m CONFIG_IP_VS_LBLC=m CONFIG_IP_VS_LBLCR=m CONFIG_IP_VS_DH=m CONFIG_IP_VS_SH=m # IPVS application helper CONFIG_IP_VS_FTP=m CONFIG_IPV6=m # IPv6: Netfilter Configuration # CONFIG_IP6_NF_QUEUE is not set CONFIG_IP6_NF_IPTABLES=m CONFIG_IP6_NF_MATCH_LIMIT=m CONFIG_IP6_NF_MATCH_MAC=m CONFIG_IP6_NF_MATCH_MULTIPORT=m CONFIG_IP6_NF_MATCH_OWNER=m CONFIG_IP6_NF_MATCH_MARK=m CONFIG_IP6_NF_FILTER=m CONFIG_IP6_NF_TARGET_LOG=m CONFIG_IP6_NF_MANGLE=m CONFIG_IP6_NF_TARGET_MARK=m CONFIG_ATM_CLIP=y # CONFIG_ATM_CLIP_NO_ICMP is not set # CONFIG_ATM_BR2684_IPFILTER is not set CONFIG_IPX=m # CONFIG_IPX_INTERN is not set CONFIG_IPSEC=m # IPSec options (FreeS/WAN) CONFIG_IPSEC_IPIP=y CONFIG_IPSEC_AH=y CONFIG_IPSEC_AUTH_HMAC_MD5=y CONFIG_IPSEC_AUTH_HMAC_SHA1=y CONFIG_IPSEC_ESP=y CONFIG_IPSEC_ENC_3DES=y CONFIG_IPSEC_IPCOMP=y CONFIG_IPSEC_DEBUG=y CONFIG_IDEDMA_PCI_WIP=y CONFIG_IDE_CHIPSETS=y CONFIG_SCSI_IPS=m # CONFIG_SCSI_IZIP_EPP16 is not set # CONFIG_SCSI_IZIP_SLOW_CTR is not set CONFIG_IPDDP=m CONFIG_IPDDP_ENCAP=y CONFIG_IPDDP_DECAP=y CONFIG_TULIP=m # CONFIG_TULIP_MWI is not set # CONFIG_TULIP_MMIO is not set # CONFIG_HIPPI is not set CONFIG_PLIP=m CONFIG_SLIP=m CONFIG_SLIP_COMPRESSED=y CONFIG_SLIP_SMART=y CONFIG_SLIP_MODE_SLIP6=y CONFIG_CIPE=m CONFIG_STRIP=m CONFIG_IPHASE5526=m CONFIG_WANPIPE_CHDLC=y CONFIG_WANPIPE_FR=y CONFIG_WANPIPE_X25=y CONFIG_WANPIPE_PPP=y CONFIG_WANPIPE_MULTPPP=y CONFIG_PCMCIA_XIRTULIP=m CONFIG_HISAX_FRITZ_PCIPNP=m CONFIG_SERIAL_MULTIPORT=y CONFIG_INPUT_GRIP=m CONFIG_USB_SERIAL_IPAQ=m + _________________________ etc/syslog.conf + cat /etc/syslog.conf # Various entry auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog user.* -/var/log/user.log # Log anything (except mail) of level info or higher. # Don't log private authentication messages! 
*.info;mail.none;;news.none;authpriv.none -/var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Mail logging mail.=debug;mail.=info;mail.=notice -/var/log/mail/info mail.=warn -/var/log/mail/warnings mail.err -/var/log/mail/errors # Cron logging cron.=debug;cron.=info;cron.=notice -/var/log/cron/info cron.=warn -/var/log/cron/warnings cron.err -/var/log/cron/errors # Kernel logging kern.=debug;kern.=info;kern.=notice -/var/log/kernel/info kern.=warn -/var/log/kernel/warnings kern.err /var/log/kernel/errors # Lpr logging lpr.=debug;lpr.=info;lpr.=notice -/var/log/lpr/info lpr.=warn -/var/log/lpr/warnings lpr.err -/var/log/lpr/errors # News logging news.=debug;news.=info;news.=notice -/var/log/news/news.notice news.=crit -/var/log/news/news.crit news.=err -/var/log/news/news.err # Daemons logging daemon.=debug;daemon.=info;daemon.=notice -/var/log/daemons/info daemon.=warn -/var/log/daemons/warnings daemon.err -/var/log/daemons/errors # Everybody gets emergency messages *.emerg * # Save mail and news errors of level err and higher in a # special file. 
uucp,news.crit -/var/log/spooler # Save boot messages also to boot.log local7.* -/var/log/boot.log # Explanations from Mandrake Linux configuration tools local1.* -/var/log/explanations + _________________________ etc/resolv.conf + cat /etc/resolv.conf # search vpn.test search vpn.test nameserver 192.168.0.100 # ppp temp entry + _________________________ lib/modules-ls + ls -ltr /lib/modules total 1 drwxr-xr-x 5 root root 1024 Oct 8 15:35 2.4.18-6mdk + _________________________ proc/ksyms-netif_rx + egrep netif_rx /proc/ksyms c01dad00 netif_rx_R8fa84786 + _________________________ lib/modules-netif_rx + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.4.18-6mdk: + _________________________ kern.debug + test -f /var/log/kern.debug + _________________________ klog + sed -n '673,$p' /var/log/messages + egrep -i 'ipsec|klips|pluto' + cat Oct 8 16:38:26 left ipsec_setup: Starting FreeS/WAN IPsec 1.98b... Oct 8 16:38:26 left kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.98b Oct 8 16:38:26 left ipsec_setup: Using /lib/modules/2.4.18-6mdk/kernel/net/ipsec/ipsec.o Oct 8 16:38:26 left ipsec_setup: KLIPS debug `none' Oct 8 16:38:27 left /etc/hotplug/net.agent: invoke ifup ipsec0 Oct 8 16:38:27 left ipsec_setup: KLIPS ipsec0 on eth0 192.168.0.100/255.255.255.0 broadcast 192.168.0.255 Oct 8 16:38:27 left ipsec_setup: KLIPS ipsec1 on eth1 10.10.10.100/255.255.255.0 broadcast 10.10.10.255 Oct 8 16:38:27 left /etc/hotplug/net.agent: invoke ifup ipsec1 Oct 8 16:38:27 left /etc/hotplug/net.agent: invoke ifup ipsec2 Oct 8 16:38:27 left ipsec_setup: ...FreeS/WAN IPsec started Oct 8 16:38:27 left /etc/hotplug/net.agent: invoke ifup ipsec3 + _________________________ plog + sed -n '41,$p' /var/log/secure + egrep -i pluto + cat Oct 8 16:38:27 left ipsec__plutorun: Starting Pluto subsystem... 
Oct 8 16:38:27 left pluto[31792]: Starting Pluto (FreeS/WAN Version 1.98b) Oct 8 16:38:27 left pluto[31792]: added connection description "left-right" Oct 8 16:38:27 left pluto[31792]: listening for IKE messages Oct 8 16:38:27 left pluto[31792]: adding interface ipsec1/eth1 10.10.10.100 Oct 8 16:38:27 left pluto[31792]: adding interface ipsec0/eth0 192.168.0.100 Oct 8 16:38:27 left pluto[31792]: loading secrets from "/etc/ipsec.secrets" Oct 8 16:39:17 left pluto[31792]: "left-right" #1: initiating Main Mode Oct 8 16:39:17 left pluto[31792]: "left-right" #1: ISAKMP SA established Oct 8 16:39:17 left pluto[31792]: "left-right" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK Oct 8 16:39:17 left pluto[31792]: "left-right" #2: sent QI2, IPsec SA established + _________________________ date + date Tue Oct 8 16:40:52 EST 2002