compac810e Thu Nov 7 16:10:02 CLST 2002 + _________________________ version + ipsec --version Linux FreeS/WAN super-freeswan-1.99_kb1 See `ipsec --copyright' for copyright information. + _________________________ proc/version + cat /proc/version Linux version 2.4.18-17.8.0 (bhcompile@daffy.perf.redhat.com) (gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)) #1 Tue Oct 8 13:51:08 EDT 2002 + _________________________ proc/net/ipsec_eroute + sort +3 /proc/net/ipsec_eroute sort: open failed: /proc/net/ipsec_eroute: No such file or directory + cat /proc/net/ipsec_eroute cat: /proc/net/ipsec_eroute: No such file or directory + _________________________ netstart-rn + netstat -nr Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo + _________________________ proc/net/ipsec_spi + cat /proc/net/ipsec_spi cat: /proc/net/ipsec_spi: No such file or directory + _________________________ proc/net/ipsec_spigrp + cat /proc/net/ipsec_spigrp cat: /proc/net/ipsec_spigrp: No such file or directory + _________________________ proc/net/ipsec_tncfg + cat /proc/net/ipsec_tncfg cat: /proc/net/ipsec_tncfg: No such file or directory + _________________________ proc/net/pf_key + cat /proc/net/pf_key cat: /proc/net/pf_key: No such file or directory + _________________________ proc/net/pf_key-star + cd /proc/net + egrep '^' 'pf_key_*' grep: pf_key_*: No such file or directory + _________________________ proc/sys/net/ipsec-star + cd /proc/sys/net/ipsec /usr/local/lib/ipsec/barf: line 148: cd: /proc/sys/net/ipsec: No such file or directory + _________________________ ipsec/status + ipsec auto --status whack: Pluto is not running (no "/var/run/pluto.ctl") + _________________________ ifconfig-a + ifconfig -a eth0 Link encap:Ethernet HWaddr 00:10:5A:02:C1:A1 inet addr:192.168.2.10 Bcast:192.168.2.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:4 errors:0 dropped:0 overruns:0 carrier:3 collisions:0 txqueuelen:100 RX bytes:0 (0.0 b) TX bytes:240 (240.0 b) Interrupt:11 Base address:0x1000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:10 errors:0 dropped:0 overruns:0 frame:0 TX packets:10 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:700 (700.0 b) TX bytes:700 (700.0 b) + _________________________ ipsec/directory + ipsec --directory /usr/local/lib/ipsec + _________________________ hostname/fqdn + hostname --fqdn compac810e + _________________________ hostname/ipaddress + hostname --ip-address 127.0.0.1 + _________________________ uptime + uptime 4:10pm up 1:24, 2 users, load average: 0.22, 0.33, 0.22 + _________________________ ps + ps alxwf + egrep -i 'ppid|pluto|ipsec|klips' F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND 000 0 12685 836 16 0 3824 1048 wait4 S tty1 0:00 \_ /bin/sh /usr/local/sbin/ipsec barf 000 0 12686 12685 22 0 3848 1104 wait4 S tty1 0:00 \_ /bin/sh /usr/local/lib/ipsec/barf + _________________________ ipsec/showdefaults + ipsec showdefaults ipsec showdefaults: cannot find defaults file `/var/run/ipsec.info' + _________________________ ipsec/conf + ipsec _include /etc/ipsec.conf + ipsec _keycensor #< /etc/ipsec.conf 1 # /etc/ipsec.conf - FreeS/WAN IPsec configuration file # More elaborate and more varied sample configurations can be found # in FreeS/WAN's doc/examples file, and in the HTML documentation. # basic configuration config setup # THIS SETTING MUST BE CORRECT or almost nothing will work; # %defaultroute is okay for most simple cases. interfaces=%defaultroute # Debug-logging controls: "none" for (almost) none, "all" for lots. klipsdebug=none plutodebug=none # Use auto= parameters in conn descriptions to control startup actions. plutoload=%search plutostart=%search # Close down old connection when new one using same ID shows up. uniqueids=yes # defaults for subsequent connection descriptions # (these defaults will soon go away) conn %default keyingtries=0 disablearrivalcheck=no authby=rsasig leftrsasigkey=%dnsondemand rightrsasigkey=%dnsondemand # connection description for opportunistic encryption # (requires KEY record in your DNS reverse map; see doc/opportunism.howto) conn me-to-anyone left=%defaultroute right=%opportunistic keylife=1h rekey=no # for initiator only OE, uncomment and uncomment this # after putting your key in your forward map #leftid=@myhostname.example.com # uncomment this next line to enable it #auto=route # sample VPN connection conn sample # Left security gateway, subnet behind it, next hop toward right. left=10.0.0.1 leftsubnet=172.16.0.0/24 leftnexthop=10.22.33.44 # Right security gateway, subnet behind it, next hop toward left. right=10.12.12.1 rightsubnet=192.168.0.0/24 rightnexthop=10.101.102.103 # To authorize this connection, but not actually start it, at startup, # uncomment this. #auto=add + _________________________ ipsec/secrets + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 # This file holds shared secrets or RSA private keys for inter-Pluto # authentication. See ipsec_pluto(8) manpage, and HTML documentation. # RSA private key for this host, authenticating it to any other host # which knows the public part. Suitable public keys, for ipsec.conf, DNS, # or configuration of other implementations, can be extracted conveniently # with "[sums to ef67...]". : RSA { # RSA 2192 bits compac810e Tue Nov 5 16:29:38 2002 # for signatures only, UNSAFE FOR ENCRYPTION #pubkey=[keyid AQNz6C6zi] #IN KEY 0x4200 4 1 [keyid AQNz6C6zi] # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA) Modulus: [...] PublicExponent: [...] # everything after this point is secret PrivateExponent: [...] Prime1: [...] Prime2: [...] Exponent1: [...] Exponent2: [...] Coefficient: [...] } # do not change the indenting of that "[sums to 7d9d...]" + _________________________ ipsec/ls-dir + ls -l /usr/local/lib/ipsec total 6233 -rwxr-xr-x 1 root root 11264 Nov 7 16:07 _confread -rwxr-xr-x 1 root root 11264 Nov 7 16:03 _confread.old -rwxr-xr-x 1 root root 47979 Nov 7 16:07 _copyright -rwxr-xr-x 1 root root 47979 Nov 7 16:03 _copyright.old -rwxr-xr-x 1 root root 2164 Nov 7 16:07 _include -rwxr-xr-x 1 root root 2164 Nov 7 16:03 _include.old -rwxr-xr-x 1 root root 1476 Nov 7 16:07 _keycensor -rwxr-xr-x 1 root root 1476 Nov 7 16:03 _keycensor.old -rwxr-xr-x 1 root root 70791 Nov 7 16:07 _pluto_adns -rwxr-xr-x 1 root root 70791 Nov 7 16:03 _pluto_adns.old -rwxr-xr-x 1 root root 3497 Nov 7 16:07 _plutoload -rwxr-xr-x 1 root root 3497 Nov 7 16:03 _plutoload.old -rwxr-xr-x 1 root root 5431 Nov 7 16:07 _plutorun -rwxr-xr-x 1 root root 5431 Nov 7 16:03 _plutorun.old -rwxr-xr-x 1 root root 7700 Nov 7 16:07 _realsetup -rwxr-xr-x 1 root root 7700 Nov 7 16:03 _realsetup.old -rwxr-xr-x 1 root root 1975 Nov 7 16:07 _secretcensor -rwxr-xr-x 1 root root 1975 Nov 7 16:03 _secretcensor.old -rwxr-xr-x 1 root root 7058 Nov 7 16:07 _startklips -rwxr-xr-x 1 root root 7058 Nov 7 16:03 _startklips.old -rwxr-xr-x 1 root root 5015 Nov 7 16:07 _updown -rwxr-xr-x 1 root root 5015 Nov 7 16:03 _updown.old -rwxr-xr-x 1 root root 9099 Nov 7 16:07 _updown.x509 -rwxr-xr-x 1 root root 9099 Nov 7 16:03 _updown.x509.old -rwxr-xr-x 1 root root 13598 Nov 7 16:07 auto -rwxr-xr-x 1 root root 13598 Nov 7 16:03 auto.old -rwxr-xr-x 1 root root 7193 Nov 7 16:07 barf -rwxr-xr-x 1 root root 7193 Nov 7 16:03 barf.old -rwxr-xr-x 1 root root 816 Nov 7 16:07 calcgoo -rwxr-xr-x 1 root root 816 Nov 7 16:03 calcgoo.old -rwxr-xr-x 1 root root 321947 Nov 7 16:07 eroute -rwxr-xr-x 1 root root 142114 Nov 7 16:07 ikeping -rwxr-xr-x 1 root root 142114 Nov 7 16:03 ikeping.old -rwxr-xr-x 1 root root 2935 Nov 7 16:07 ipsec -rwxr-xr-x 1 root root 2935 Nov 7 16:03 ipsec.old -rw-r--r-- 1 root root 1950 Nov 7 16:07 ipsec_pr.template -rwxr-xr-x 1 root root 173212 Nov 7 16:07 klipsdebug -rwxr-xr-x 1 root root 2438 Nov 7 16:07 look -rwxr-xr-x 1 root root 2438 Nov 7 16:03 look.old -rwxr-xr-x 1 root root 16158 Nov 7 16:07 manual -rwxr-xr-x 1 root root 16158 Nov 7 16:03 manual.old -rwxr-xr-x 1 root root 1847 Nov 7 16:07 newhostkey -rwxr-xr-x 1 root root 1847 Nov 7 16:03 newhostkey.old -rwxr-xr-x 1 root root 147399 Nov 7 16:07 pf_key -rwxr-xr-x 1 root root 1690303 Nov 7 16:07 pluto -rwxr-xr-x 1 root root 1690303 Nov 7 16:03 pluto.old -rwxr-xr-x 1 root root 52452 Nov 7 16:07 ranbits -rwxr-xr-x 1 root root 52452 Nov 7 16:03 ranbits.old -rwxr-xr-x 1 root root 78622 Nov 7 16:07 rsasigkey -rwxr-xr-x 1 root root 78622 Nov 7 16:03 rsasigkey.old -rwxr-xr-x 1 root root 16730 Nov 7 16:07 send-pr -rwxr-xr-x 1 root root 16730 Nov 7 16:03 send-pr.old lrwxrwxrwx 1 root root 22 Nov 7 16:07 setup -> /etc/rc.d/init.d/ipsec -rwxr-xr-x 1 root root 1043 Nov 7 16:07 showdefaults -rwxr-xr-x 1 root root 1043 Nov 7 16:03 showdefaults.old -rwxr-xr-x 1 root root 4203 Nov 7 16:07 showhostkey -rwxr-xr-x 1 root root 4203 Nov 7 16:03 showhostkey.old -rwxr-xr-x 1 root root 446177 Nov 7 16:07 spi -rwxr-xr-x 1 root root 271849 Nov 7 16:07 spigrp -rwxr-xr-x 1 root root 60207 Nov 7 16:07 tncfg -rwxr-xr-x 1 root root 16056 Nov 7 16:07 uml_netjig -rwxr-xr-x 1 root root 3353 Nov 7 16:07 verify -rwxr-xr-x 1 root root 3353 Nov 7 16:03 verify.old -rwxr-xr-x 1 root root 226667 Nov 7 16:07 whack -rwxr-xr-x 1 root root 226667 Nov 7 16:03 whack.old + _________________________ ipsec/updowns ++ ls /usr/local/lib/ipsec ++ egrep updown + cat /usr/local/lib/ipsec/_updown #! /bin/sh # default updown script # Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at your # option) any later version. See . # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # # RCSID $Id: _updown,v 1.1.1.1 2002/09/05 03:13:22 ken Exp $ # CAUTION: Installing a new version of FreeS/WAN will install a new # copy of this script, wiping out any custom changes you make. If # you need changes, make a copy of this under another name, and customize # that, and use the (left/right)updown parameters in ipsec.conf to make # FreeS/WAN use yours instead of this default one. # check interface version case "$PLUTO_VERSION" in 1.[0]) # Older Pluto?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 echo "$0: called by obsolete Pluto?" >&2 exit 2 ;; 1.*) ;; *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 exit 2 ;; esac # check parameter(s) case "$1:$*" in ':') # no parameters ;; ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only ;; custom:*) # custom parameters (see above CAUTION comment) ;; *) echo "$0: unknown parameters \`$*'" >&2 exit 2 ;; esac # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { doroute add } downroute() { doroute del } doroute() { parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK" parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP" case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # horrible kludge for obscure routing bug with opportunistic it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 && route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2" ;; *) it="route $1 $parms $parms2" ;; esac eval $it st=$? if test $st -ne 0 then # route has already given its own cryptic message echo "$0: \`$it' failed" >&2 if test " $1 $st" = " add 7" then # another totally undocumented interface -- 7 and # "SIOCADDRT: Network is unreachable" means that # the gateway isn't reachable. echo "$0: (incorrect or missing nexthop setting??)" >&2 fi fi return $st } # the big choice case "$PLUTO_VERB:$1" in prepare-host:*|prepare-client:*) # delete possibly-existing route (preliminary to adding a route) case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # horrible kludge for obscure routing bug with opportunistic it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ; route del -net 128.0.0.0 netmask 128.0.0.0 2>&1" ;; *) it="route del -net $PLUTO_PEER_CLIENT_NET \ netmask $PLUTO_PEER_CLIENT_MASK 2>&1" ;; esac oops="`eval $it`" status="$?" if test " $oops" = " " -a " $status" != " 0" then oops="silent error, exit status $status" fi case "$oops" in 'SIOCDELRT: No such process'*) # This is what route (currently -- not documented!) gives # for "could not find such a route". oops= status=0 ;; esac if test " $oops" != " " -o " $status" != " 0" then echo "$0: \`$it' failed ($oops)" >&2 fi exit $status ;; route-host:*|route-client:*) # connection to me or my client subnet being routed uproute ;; unroute-host:*|unroute-client:*) # connection to me or my client subnet being unrouted downroute ;; up-host:*) # connection to me coming up # If you are doing a custom version, firewall commands go here. ;; down-host:*) # connection to me going down # If you are doing a custom version, firewall commands go here. ;; up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. ;; down-client:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. ;; up-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; down-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 ;; esac + cat /usr/local/lib/ipsec/_updown.old #! /bin/sh # default updown script # Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at your # option) any later version. See . # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # # RCSID $Id: _updown,v 1.1.1.1 2002/09/05 03:13:22 ken Exp $ # CAUTION: Installing a new version of FreeS/WAN will install a new # copy of this script, wiping out any custom changes you make. If # you need changes, make a copy of this under another name, and customize # that, and use the (left/right)updown parameters in ipsec.conf to make # FreeS/WAN use yours instead of this default one. # check interface version case "$PLUTO_VERSION" in 1.[0]) # Older Pluto?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 echo "$0: called by obsolete Pluto?" >&2 exit 2 ;; 1.*) ;; *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 exit 2 ;; esac # check parameter(s) case "$1:$*" in ':') # no parameters ;; ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only ;; custom:*) # custom parameters (see above CAUTION comment) ;; *) echo "$0: unknown parameters \`$*'" >&2 exit 2 ;; esac # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { doroute add } downroute() { doroute del } doroute() { parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK" parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP" case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # horrible kludge for obscure routing bug with opportunistic it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 && route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2" ;; *) it="route $1 $parms $parms2" ;; esac eval $it st=$? if test $st -ne 0 then # route has already given its own cryptic message echo "$0: \`$it' failed" >&2 if test " $1 $st" = " add 7" then # another totally undocumented interface -- 7 and # "SIOCADDRT: Network is unreachable" means that # the gateway isn't reachable. echo "$0: (incorrect or missing nexthop setting??)" >&2 fi fi return $st } # the big choice case "$PLUTO_VERB:$1" in prepare-host:*|prepare-client:*) # delete possibly-existing route (preliminary to adding a route) case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # horrible kludge for obscure routing bug with opportunistic it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ; route del -net 128.0.0.0 netmask 128.0.0.0 2>&1" ;; *) it="route del -net $PLUTO_PEER_CLIENT_NET \ netmask $PLUTO_PEER_CLIENT_MASK 2>&1" ;; esac oops="`eval $it`" status="$?" if test " $oops" = " " -a " $status" != " 0" then oops="silent error, exit status $status" fi case "$oops" in 'SIOCDELRT: No such process'*) # This is what route (currently -- not documented!) gives # for "could not find such a route". oops= status=0 ;; esac if test " $oops" != " " -o " $status" != " 0" then echo "$0: \`$it' failed ($oops)" >&2 fi exit $status ;; route-host:*|route-client:*) # connection to me or my client subnet being routed uproute ;; unroute-host:*|unroute-client:*) # connection to me or my client subnet being unrouted downroute ;; up-host:*) # connection to me coming up # If you are doing a custom version, firewall commands go here. ;; down-host:*) # connection to me going down # If you are doing a custom version, firewall commands go here. ;; up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. ;; down-client:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. ;; up-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; down-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 ;; esac + cat /usr/local/lib/ipsec/_updown.x509 #! /bin/sh # # customized updown script # # logging of VPN connections # # tag put in front of each log entry: TAG=vpn # # syslog facility and priority used: FAC_PRIO=local0.notice # # to create a special vpn logging file, put the following line into # the syslog configuration file /etc/syslog.conf: # # local0.notice -/var/log/vpn # # check interface version case "$PLUTO_VERSION" in 1.[0]) # Older Pluto?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 echo "$0: called by obsolete Pluto?" >&2 exit 2 ;; 1.*) ;; *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 exit 2 ;; esac # check parameter(s) case "$1:$*" in ':') # no parameters ;; ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only ;; custom:*) # custom parameters (see above CAUTION comment) ;; *) echo "$0: unknown parameters \`$*'" >&2 exit 2 ;; esac # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { doroute add } downroute() { doroute del } doroute() { parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK" parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP" case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # horrible kludge for obscure routing bug with opportunistic it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&" it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2" route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 && route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2 ;; *) it="route $1 $parms $parms2" route $1 $parms $parms2 ;; esac st=$? if test $st -ne 0 then # route has already given its own cryptic message echo "$0: \`$it' failed" >&2 if test " $1 $st" = " add 7" then # another totally undocumented interface -- 7 and # "SIOCADDRT: Network is unreachable" means that # the gateway isn't reachable. echo "$0: (incorrect or missing nexthop setting??)" >&2 fi fi return $st } # the big choice case "$PLUTO_VERB:$1" in prepare-host:*|prepare-client:*) # delete possibly-existing route (preliminary to adding a route) case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # horrible kludge for obscure routing bug with opportunistic parms1="-net 0.0.0.0 netmask 128.0.0.0" parms2="-net 128.0.0.0 netmask 128.0.0.0" it="route del $parms1 2>&1 ; route del $parms2 2>&1" oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`" ;; *) parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK" it="route del $parms 2>&1" oops="`route del $parms 2>&1`" ;; esac status="$?" if test " $oops" = " " -a " $status" != " 0" then oops="silent error, exit status $status" fi case "$oops" in 'SIOCDELRT: No such process'*) # This is what route (currently -- not documented!) gives # for "could not find such a route". oops= status=0 ;; esac if test " $oops" != " " -o " $status" != " 0" then echo "$0: \`$it' failed ($oops)" >&2 fi exit $status ;; route-host:*|route-client:*) # connection to me or my client subnet being routed uproute ;; unroute-host:*|unroute-client:*) # connection to me or my client subnet being unrouted downroute ;; up-host:*) # connection to me coming up # If you are doing a custom version, firewall commands go here. if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ] then iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \ -d 0.0.0.0/0.0.0.0 --dport $PLUTO_MY_PORT -j ACCEPT iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s 0.0.0.0/0.0.0.0 --sport $PLUTO_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT else iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \ -j ACCEPT iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT fi if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" else logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" fi ;; down-host:*) # connection to me going down # If you are doing a custom version, firewall commands go here. if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ] then iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \ -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT else iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \ -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT fi if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" else logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" fi ;; up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ] then iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT else iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT fi if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" else logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi ;; down-client:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ] then iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT else iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT fi if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" else logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi ;; up-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; down-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 ;; esac + cat /usr/local/lib/ipsec/_updown.x509.old #! /bin/sh # # customized updown script # # logging of VPN connections # # tag put in front of each log entry: TAG=vpn # # syslog facility and priority used: FAC_PRIO=local0.notice # # to create a special vpn logging file, put the following line into # the syslog configuration file /etc/syslog.conf: # # local0.notice -/var/log/vpn # # check interface version case "$PLUTO_VERSION" in 1.[0]) # Older Pluto?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 echo "$0: called by obsolete Pluto?" >&2 exit 2 ;; 1.*) ;; *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 exit 2 ;; esac # check parameter(s) case "$1:$*" in ':') # no parameters ;; ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only ;; custom:*) # custom parameters (see above CAUTION comment) ;; *) echo "$0: unknown parameters \`$*'" >&2 exit 2 ;; esac # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { doroute add } downroute() { doroute del } doroute() { parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK" parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP" case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # horrible kludge for obscure routing bug with opportunistic it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&" it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2" route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 && route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2 ;; *) it="route $1 $parms $parms2" route $1 $parms $parms2 ;; esac st=$? if test $st -ne 0 then # route has already given its own cryptic message echo "$0: \`$it' failed" >&2 if test " $1 $st" = " add 7" then # another totally undocumented interface -- 7 and # "SIOCADDRT: Network is unreachable" means that # the gateway isn't reachable. echo "$0: (incorrect or missing nexthop setting??)" >&2 fi fi return $st } # the big choice case "$PLUTO_VERB:$1" in prepare-host:*|prepare-client:*) # delete possibly-existing route (preliminary to adding a route) case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # horrible kludge for obscure routing bug with opportunistic parms1="-net 0.0.0.0 netmask 128.0.0.0" parms2="-net 128.0.0.0 netmask 128.0.0.0" it="route del $parms1 2>&1 ; route del $parms2 2>&1" oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`" ;; *) parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK" it="route del $parms 2>&1" oops="`route del $parms 2>&1`" ;; esac status="$?" if test " $oops" = " " -a " $status" != " 0" then oops="silent error, exit status $status" fi case "$oops" in 'SIOCDELRT: No such process'*) # This is what route (currently -- not documented!) gives # for "could not find such a route". oops= status=0 ;; esac if test " $oops" != " " -o " $status" != " 0" then echo "$0: \`$it' failed ($oops)" >&2 fi exit $status ;; route-host:*|route-client:*) # connection to me or my client subnet being routed uproute ;; unroute-host:*|unroute-client:*) # connection to me or my client subnet being unrouted downroute ;; up-host:*) # connection to me coming up # If you are doing a custom version, firewall commands go here. if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ] then iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \ -d 0.0.0.0/0.0.0.0 --dport $PLUTO_MY_PORT -j ACCEPT iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s 0.0.0.0/0.0.0.0 --sport $PLUTO_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT else iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \ -j ACCEPT iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT fi if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" else logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" fi ;; down-host:*) # connection to me going down # If you are doing a custom version, firewall commands go here. if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ] then iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \ -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT else iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \ -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT fi if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" else logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" fi ;; up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ] then iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT else iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT fi if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" else logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi ;; down-client:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ] then iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT else iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT fi if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" else logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi ;; up-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; down-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 ;; esac + _________________________ proc/net/dev + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 700 10 0 0 0 0 0 0 700 10 0 0 0 0 0 0 eth0: 0 0 0 0 0 0 0 0 240 4 0 0 0 0 3 0 + _________________________ proc/net/route + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT eth0 0002A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0 lo 0000007F 00000000 0001 0 0 0 000000FF 40 0 0 + _________________________ proc/sys/net/ipv4/ip_forward + cat /proc/sys/net/ipv4/ip_forward 0 + _________________________ proc/sys/net/ipv4/conf/star-rp_filter + cd /proc/sys/net/ipv4/conf + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:1 eth0/rp_filter:1 lo/rp_filter:1 + _________________________ uname-a + uname -a Linux compac810e 2.4.18-17.8.0 #1 Tue Oct 8 13:51:08 EDT 2002 i686 i686 i386 GNU/Linux + _________________________ redhat-release + test -r /etc/redhat-release + cat /etc/redhat-release Red Hat Linux release 8.0 (Psyche) + _________________________ proc/net/ipsec_version + cat /proc/net/ipsec_version cat: /proc/net/ipsec_version: No such file or directory + _________________________ iptables/list + iptables -L -v -n Chain INPUT (policy ACCEPT 10 packets, 700 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 10 packets, 700 bytes) pkts bytes target prot opt in out source destination + _________________________ ipchains/list + ipchains -L -v -n /usr/local/lib/ipsec/barf: line 197: ipchains: command not found + _________________________ ipfwadm/forward + ipfwadm -F -l -n -e /usr/local/lib/ipsec/barf: line 199: ipfwadm: command not found + _________________________ ipfwadm/input + ipfwadm -I -l -n -e /usr/local/lib/ipsec/barf: line 201: ipfwadm: command not found + _________________________ ipfwadm/output + ipfwadm -O -l -n -e /usr/local/lib/ipsec/barf: line 203: ipfwadm: command not found + _________________________ iptables/nat + iptables -t nat -L -v -n Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination + _________________________ ipchains/masq + ipchains -M -L -v -n /usr/local/lib/ipsec/barf: line 207: ipchains: command not found + _________________________ ipfwadm/masq + ipfwadm -M -l -n -e /usr/local/lib/ipsec/barf: line 209: ipfwadm: command not found + _________________________ iptables/mangle + iptables -t mangle -L -v -n Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination + _________________________ proc/modules + cat /proc/modules iptable_mangle 2776 0 (autoclean) (unused) iptable_nat 19960 0 (autoclean) (unused) ip_conntrack 21244 1 (autoclean) [iptable_nat] autofs 13348 0 (autoclean) (unused) 3c59x 30640 1 iptable_filter 2412 0 (autoclean) (unused) ip_tables 14936 5 [iptable_mangle iptable_nat iptable_filter] microcode 4668 0 (autoclean) nls_iso8859-1 3516 1 (autoclean) nls_cp437 5148 1 (autoclean) vfat 13084 1 (autoclean) fat 38712 0 (autoclean) [vfat] ext3 70400 9 (autoclean) jbd 52244 9 (autoclean) [ext3] sd_mod 13584 0 (autoclean) (unused) scsi_mod 107240 1 (autoclean) [sd_mod] ov511 83576 0 videodev 8288 1 [ov511] mousedev 5524 0 (unused) keybdev 2976 0 (unused) hid 22244 0 (unused) input 5920 0 [mousedev keybdev hid] usb-uhci 26188 0 (unused) usbcore 77024 1 [ov511 hid usb-uhci] + _________________________ proc/meminfo + cat /proc/meminfo total: used: free: shared: buffers: cached: Mem: 128196608 114102272 14094336 0 11833344 54218752 Swap: 402513920 0 402513920 MemTotal: 125192 kB MemFree: 13764 kB MemShared: 0 kB Buffers: 11556 kB Cached: 52948 kB SwapCached: 0 kB Active: 49720 kB Inact_dirty: 16292 kB Inact_clean: 4216 kB Inact_target: 14044 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 125192 kB LowFree: 13764 kB SwapTotal: 393080 kB SwapFree: 393080 kB Committed_AS: 7512 kB + _________________________ dev/ipsec-ls + ls -l '/dev/ipsec*' ls: /dev/ipsec*: No such file or directory + _________________________ proc/net/ipsec-ls + ls -l '/proc/net/ipsec_*' ls: /proc/net/ipsec_*: No such file or directory + _________________________ usr/src/linux/.config + test -f /usr/src/linux/.config + egrep 'IP|NETLINK' /usr/src/linux/.config # CONFIG_MWINCHIPC6 is not set # CONFIG_MWINCHIP2 is not set # CONFIG_MWINCHIP3D is not set CONFIG_SYSVIPC=y # CONFIG_CIPE is not set # CONFIG_MD_MULTIPATH is not set # CONFIG_CIPHERS is not set CONFIG_NETLINK_DEV=y CONFIG_IP_MULTICAST=y CONFIG_IP_ADVANCED_ROUTER=y CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IP_ROUTE_FWMARK=y CONFIG_IP_ROUTE_NAT=y CONFIG_IP_ROUTE_MULTIPATH=y CONFIG_IP_ROUTE_TOS=y CONFIG_IP_ROUTE_VERBOSE=y CONFIG_IP_ROUTE_LARGE_TABLES=y # CONFIG_IP_PNP is not set CONFIG_NET_IPIP=m CONFIG_NET_IPGRE=m CONFIG_NET_IPGRE_BROADCAST=y CONFIG_IP_MROUTE=y CONFIG_IP_PIMSM_V1=y CONFIG_IP_PIMSM_V2=y # IP: Netfilter Configuration CONFIG_IP_NF_CONNTRACK=m CONFIG_IP_NF_FTP=m CONFIG_IP_NF_IRC=m CONFIG_IP_NF_QUEUE=m CONFIG_IP_NF_IPTABLES=m CONFIG_IP_NF_MATCH_LIMIT=m CONFIG_IP_NF_MATCH_MAC=m CONFIG_IP_NF_MATCH_MARK=m CONFIG_IP_NF_MATCH_MULTIPORT=m CONFIG_IP_NF_MATCH_TOS=m CONFIG_IP_NF_MATCH_AH_ESP=m CONFIG_IP_NF_MATCH_LENGTH=m CONFIG_IP_NF_MATCH_TTL=m CONFIG_IP_NF_MATCH_TCPMSS=m CONFIG_IP_NF_MATCH_STATE=m CONFIG_IP_NF_MATCH_UNCLEAN=m CONFIG_IP_NF_MATCH_OWNER=m CONFIG_IP_NF_FILTER=m CONFIG_IP_NF_TARGET_REJECT=m CONFIG_IP_NF_TARGET_MIRROR=m CONFIG_IP_NF_NAT=m CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IP_NF_TARGET_MASQUERADE=m CONFIG_IP_NF_TARGET_REDIRECT=m CONFIG_IP_NF_NAT_LOCAL=y CONFIG_IP_NF_NAT_SNMP_BASIC=m CONFIG_IP_NF_NAT_IRC=m CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_MANGLE=m CONFIG_IP_NF_TARGET_TOS=m CONFIG_IP_NF_TARGET_MARK=m CONFIG_IP_NF_TARGET_LOG=m CONFIG_IP_NF_TARGET_ULOG=m CONFIG_IP_NF_TARGET_TCPMSS=m CONFIG_IP_NF_ARPTABLES=m CONFIG_IP_NF_ARPFILTER=m CONFIG_IP_NF_COMPAT_IPCHAINS=m CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IP_NF_COMPAT_IPFWADM=m CONFIG_IP_NF_NAT_NEEDED=y # IP: Virtual Server Configuration CONFIG_IP_VS=m # CONFIG_IP_VS_DEBUG is not set CONFIG_IP_VS_TAB_BITS=16 CONFIG_IP_VS_RR=m CONFIG_IP_VS_WRR=m CONFIG_IP_VS_LC=m CONFIG_IP_VS_WLC=m CONFIG_IP_VS_LBLC=m CONFIG_IP_VS_LBLCR=m CONFIG_IP_VS_DH=m CONFIG_IP_VS_SH=m CONFIG_IP_VS_FTP=m CONFIG_IPV6=m # IPv6: Netfilter Configuration # CONFIG_IP6_NF_QUEUE is not set CONFIG_IP6_NF_IPTABLES=m CONFIG_IP6_NF_MATCH_LIMIT=m CONFIG_IP6_NF_MATCH_MAC=m CONFIG_IP6_NF_MATCH_MULTIPORT=m CONFIG_IP6_NF_MATCH_OWNER=m CONFIG_IP6_NF_MATCH_MARK=m CONFIG_IP6_NF_FILTER=m CONFIG_IP6_NF_TARGET_LOG=m CONFIG_IP6_NF_MANGLE=m CONFIG_IP6_NF_TARGET_MARK=m # CONFIG_IPX is not set CONFIG_IPSEC=m CONFIG_IPSEC_IPIP=y CONFIG_IPSEC_AH=y CONFIG_IPSEC_AUTH_HMAC_MD5=y CONFIG_IPSEC_AUTH_HMAC_SHA1=y CONFIG_IPSEC_ESP=y CONFIG_IPSEC_ENC_3DES=y CONFIG_IPSEC_ALG=y CONFIG_IPSEC_ALG_MD5=y CONFIG_IPSEC_ALG_SHA1=y CONFIG_IPSEC_ALG_SHA2=y CONFIG_IPSEC_ALG_3DES=y CONFIG_IPSEC_ALG_AES=y CONFIG_IPSEC_ALG_BLOWFISH=y CONFIG_IPSEC_ALG_TWOFISH=y CONFIG_IPSEC_ALG_SERPENT=y CONFIG_IPSEC_ALG_CAST=y CONFIG_IPSEC_ALG_NULL=y CONFIG_IPSEC_IPCOMP=y CONFIG_IPSEC_DEBUG=y CONFIG_IPSEC_NAT_TRAVERSAL=y # CONFIG_IDEDMA_PCI_WIP is not set # CONFIG_IDE_CHIPSETS is not set CONFIG_TULIP=m # CONFIG_TULIP_MWI is not set CONFIG_TULIP_MMIO=y # CONFIG_HIPPI is not set CONFIG_PLIP=m CONFIG_SLIP=m CONFIG_SLIP_COMPRESSED=y CONFIG_SLIP_SMART=y CONFIG_SLIP_MODE_SLIP6=y CONFIG_STRIP=m CONFIG_WANPIPE_CHDLC=y CONFIG_WANPIPE_FR=y CONFIG_WANPIPE_X25=y CONFIG_WANPIPE_PPP=y CONFIG_WANPIPE_MULTPPP=y CONFIG_PCMCIA_XIRTULIP=m CONFIG_HISAX_FRITZ_PCIPNP=m CONFIG_SERIAL_MULTIPORT=y CONFIG_I2C_PHILIPSPAR=m # CONFIG_INPUT_GRIP is not set CONFIG_USB_SERIAL_IPAQ=m + _________________________ etc/syslog.conf + cat /etc/syslog.conf # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log + _________________________ etc/resolv.conf + cat /etc/resolv.conf nameserver 200.72.1.254 + _________________________ lib/modules-ls + ls -ltr /lib/modules total 1 drwxr-xr-x 4 root root 1024 Nov 6 23:48 2.4.18-17.8.0 + _________________________ proc/ksyms-netif_rx + egrep netif_rx /proc/ksyms c01edbe0 netif_rx_Rac7ce141 + _________________________ lib/modules-netif_rx + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.4.18-17.8.0: U netif_rx_Rac7ce141 + _________________________ kern.debug + test -f /var/log/kern.debug + _________________________ klog + sed -n '4032,$p' /var/log/messages + egrep -i 'ipsec|klips|pluto' + cat Nov 7 14:46:06 compac810e ipsec_setup: Starting FreeS/WAN IPsec super-freeswan-1.99_kb1... Nov 7 14:46:06 compac810e ipsec_setup: insmod: ipsec: no module by that name found Nov 7 14:46:06 compac810e ipsec: ipsec_setup: insmod: ipsec: no module by that name found Nov 7 14:46:11 compac810e ipsec_setup: modprobe: Can't locate module ipsec Nov 7 14:46:11 compac810e ipsec: ipsec_setup: modprobe: Can't locate module ipsec Nov 7 14:46:11 compac810e ipsec_setup: kernel appears to lack KLIPS Nov 7 14:46:11 compac810e ipsec: ipsec_setup: kernel appears to lack KLIPS Nov 7 14:46:11 compac810e ipsec_setup: OOPS, should have aborted! Broken shell! Nov 7 14:46:11 compac810e ipsec: ipsec_setup: OOPS, should have aborted! Broken shell! Nov 7 14:46:11 compac810e rc: Starting ipsec: failed + _________________________ plog + sed -n '1,$p' /dev/null + egrep -i pluto + cat + _________________________ date + date Thu Nov 7 16:10:02 CLST 2002