ATUL Sat Nov 23 23:46:41 IST 2002 + _________________________ version + ipsec --version Linux FreeS/WAN 1.99 See `ipsec --copyright' for copyright information. + _________________________ proc/version + cat /proc/version Linux version 2.4.18-3 (bhcompile@stripples.devel.redhat.com) (gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-110)) #1 Thu Apr 18 07:31:07 EDT 2002 + _________________________ proc/net/ipsec_eroute + sort +3 /proc/net/ipsec_eroute + _________________________ netstart-rn + netstat -nr Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1 192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 ipsec0 151.2.0.0 0.0.0.0 255.255.0.0 U 40 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo 0.0.0.0 192.168.1.2 0.0.0.0 UG 40 0 0 eth1 + _________________________ proc/net/ipsec_spi + cat /proc/net/ipsec_spi + _________________________ proc/net/ipsec_spigrp + cat /proc/net/ipsec_spigrp + _________________________ proc/net/ipsec_tncfg + cat /proc/net/ipsec_tncfg ipsec0 -> eth1 mtu=16260(1500) -> 1500 ipsec1 -> NULL mtu=0(0) -> 0 ipsec2 -> NULL mtu=0(0) -> 0 ipsec3 -> NULL mtu=0(0) -> 0 + _________________________ proc/net/pf_key + cat /proc/net/pf_key sock pid socket next prev e n p sndbf Flags Type St c13810a0 2097 c34aad14 0 0 0 0 2 65535 00000000 3 1 + _________________________ proc/net/pf_key-star + cd /proc/net + egrep '^' pf_key_registered pf_key_supported pf_key_registered:satype socket pid sk pf_key_registered: 2 c34aad14 2097 c13810a0 pf_key_registered: 3 c34aad14 2097 c13810a0 pf_key_registered: 9 c34aad14 2097 c13810a0 pf_key_registered: 10 c34aad14 2097 c13810a0 pf_key_supported:satype exttype alg_id ivlen minbits maxbits pf_key_supported: 2 14 3 0 160 160 pf_key_supported: 2 14 2 0 128 128 pf_key_supported: 3 15 3 128 168 168 pf_key_supported: 3 14 3 0 160 160 pf_key_supported: 3 14 2 0 128 128 pf_key_supported: 9 15 4 0 128 128 pf_key_supported: 9 15 3 0 32 128 pf_key_supported: 9 15 2 
0 128 32 pf_key_supported: 9 15 1 0 32 32 pf_key_supported: 10 15 2 0 1 1 + _________________________ proc/sys/net/ipsec-star + cd /proc/sys/net/ipsec + egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos debug_ah:0 debug_eroute:0 debug_esp:0 debug_ipcomp:0 debug_netlink:0 debug_pfkey:0 debug_radij:0 debug_rcv:0 debug_spi:0 debug_tunnel:0 debug_verbose:0 debug_xform:0 icmp:1 inbound_policy_check:1 tos:1 + _________________________ ipsec/status + ipsec auto --status 000 interface ipsec0/eth1 192.168.1.1 000 000 "net-to-net": 151.2.0.0/16===192.168.1.1[@gw1.com]...192.168.1.2[@gw2.com]===10.2.1.0/24 000 "net-to-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "net-to-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted 000 "net-to-net": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0 000 000 #1: "net-to-net" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 18s 000 + _________________________ ifconfig-a + ifconfig -a eth0 Link encap:Ethernet HWaddr 00:A0:CC:66:4F:CB inet addr:151.2.123.95 Bcast:151.2.255.255 Mask:255.255.0.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:12210 errors:1 dropped:0 overruns:0 frame:0 TX packets:512 errors:4 dropped:0 overruns:0 carrier:9 collisions:2 txqueuelen:100 RX bytes:1540579 (1.4 Mb) TX bytes:78734 (76.8 Kb) Interrupt:9 Base address:0xc000 eth1 Link encap:Ethernet HWaddr 00:80:48:ED:2E:5B inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:82 errors:0 dropped:0 overruns:0 frame:0 TX packets:1015 errors:6 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:9108 (8.8 Kb) TX bytes:101242 (98.8 Kb) Interrupt:5 Base address:0x220 ipsec0 Link encap:Ethernet HWaddr 00:80:48:ED:2E:5B inet addr:192.168.1.1 Mask:255.255.255.0 UP 
RUNNING NOARP MTU:16260 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) ipsec1 Link encap:IPIP Tunnel HWaddr NOARP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) ipsec2 Link encap:IPIP Tunnel HWaddr NOARP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) ipsec3 Link encap:IPIP Tunnel HWaddr NOARP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:60 errors:0 dropped:0 overruns:0 frame:0 TX packets:60 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:4366 (4.2 Kb) TX bytes:4366 (4.2 Kb) + _________________________ ipsec/directory + ipsec --directory /usr/local/lib/ipsec + _________________________ hostname/fqdn + hostname --fqdn ATUL + _________________________ hostname/ipaddress + hostname --ip-address 192.168.1.1 + _________________________ uptime + uptime 11:46pm up 33 min, 2 users, load average: 0.03, 0.24, 0.21 + _________________________ ps + ps alxwf + egrep -i 'ppid|pluto|ipsec|klips' F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND 000 0 2157 1411 15 0 2180 1020 wait4 S tty1 0:00 \_ /bin/sh /usr/local/sbin/ipsec auto --up net-to-net 000 0 2158 2157 16 0 2184 1020 wait4 S tty1 0:00 \_ /bin/sh /usr/local/lib/ipsec/auto --up net-to-net 040 0 2160 2158 17 0 2184 1020 wait4 S tty1 0:00 \_ /bin/sh /usr/local/lib/ipsec/auto --up net-to-n 000 0 2165 2162 18 0 2180 1020 wait4 S tty1 0:00 | \_ 
/bin/sh /usr/local/sbin/ipsec whack --n 000 0 2166 2165 15 0 1308 336 schedu S tty1 0:00 | \_ /usr/local/lib/ipsec/whack --name n 000 0 2311 1785 16 0 2180 1020 wait4 S tty2 0:00 \_ /bin/sh /usr/local/sbin/ipsec barf 000 0 2312 2311 16 0 2200 1060 wait4 S tty2 0:00 \_ /bin/sh /usr/local/lib/ipsec/barf 000 0 2352 2312 17 0 1420 444 pipe_w S tty2 0:00 \_ grep -E -i ppid|pluto|ipsec|klips 040 0 2093 1 17 0 2076 1012 wait4 S tty2 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids 040 0 2095 2093 18 0 2076 1012 wait4 S tty2 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqu 100 0 2097 2095 15 0 1872 832 schedu S tty2 0:00 | \_ /usr/local/lib/ipsec/pluto --nofork --debug-none --uniq 000 0 2115 2097 17 0 1348 300 schedu S tty2 0:00 | \_ _pluto_adns 7 10 000 0 2096 2093 15 0 2064 1000 pipe_w S tty2 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --load %search --st 000 0 2094 1 17 0 1280 384 pipe_w S tty2 0:00 logger -p daemon.error -t ipsec__plutorun + _________________________ ipsec/showdefaults + ipsec showdefaults routephys=eth1 routephys=eth1 routevirt=ipsec0 routevirt=ipsec0 routeaddr=192.168.1.1 routeaddr=192.168.1.1 routenexthop=192.168.1.2 routenexthop=192.168.1.2 defaultroutephys=eth1 defaultroutevirt=ipsec0 defaultrouteaddr=192.168.1.1 defaultroutenexthop=192.168.1.2 + _________________________ ipsec/conf + ipsec _include /etc/ipsec.conf + ipsec _keycensor #< /etc/ipsec.conf 1 # /etc/ipsec.conf - FreeS/WAN IPsec configuration file # More elaborate and more varied sample configurations can be found # in FreeS/WAN's doc/examples file, and in the HTML documentation. # basic configuration config setup # THIS SETTING MUST BE CORRECT or almost nothing will work; # %defaultroute is okay for most simple cases. interfaces=%defaultroute # Debug-logging controls: "none" for (almost) none, "all" for lots. klipsdebug=none plutodebug=none # Use auto= parameters in conn descriptions to control startup actions. 
plutoload=%search plutostart=%search # Close down old connection when new one using same ID shows up. uniqueids=yes # defaults for subsequent connection descriptions # (these defaults will soon go away) conn %default keyingtries=0 disablearrivalcheck=no authby=rsasig leftrsasigkey=%dnsondemand rightrsasigkey=%dnsondemand # connection description for opportunistic encryption # (requires KEY record in your DNS reverse map; see doc/opportunism.howto) conn me-to-anyone left=%defaultroute right=%opportunistic keylife=1h rekey=no # for initiator only OE, uncomment and uncomment this # after putting your key in your forward map #leftid=@myhostname.example.com # uncomment this next line to enable it #auto=route # sample VPN connection conn sample # Left security gateway, subnet behind it, next hop toward right. left=10.0.0.1 leftsubnet=172.16.0.0/24 leftnexthop=10.22.33.44 # Right security gateway, subnet behind it, next hop toward left. right=10.12.12.1 rightsubnet=192.168.0.0/24 rightnexthop=10.101.102.103 # To authorize this connection, but not actually start it, at startup, # uncomment this. #auto=add # Custom Connection conn net-to-net left=192.168.1.1 leftsubnet=151.2.0.0/16 leftid=@gw1.com leftrsasigkey=[keyid AQNikvctk] leftnexthop=192.168.1.2 right=192.168.1.2 rightsubnet=10.2.1.0/24 rightid=@gw2.com rightrsasigkey=[keyid AQNikvctk] rightnexthop=192.168.1.1 auto=add + _________________________ ipsec/secrets + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 : RSA { # RSA 2192 bits ATUL Wed Nov 20 21:13:09 2002 # for signatures only, UNSAFE FOR ENCRYPTION #pubkey=[keyid AQNikvctk] #IN KEY 0x4200 4 1 [keyid AQNikvctk] # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA) Modulus: [...] PublicExponent: [...] # everything after this point is secret PrivateExponent: [...] Prime1: [...] Prime2: [...] Exponent1: [...] Exponent2: [...] Coefficient: [...] 
} # do not change the indenting of that "[sums to 7d9d...]" + _________________________ ipsec/ls-dir + ls -l /usr/local/lib/ipsec total 2520 -rwxr-xr-x 1 root root 11102 Nov 4 04:14 _confread -rwxr-xr-x 1 root root 46745 Nov 4 04:14 _copyright -rwxr-xr-x 1 root root 2163 Nov 4 04:14 _include -rwxr-xr-x 1 root root 1472 Nov 4 04:14 _keycensor -rwxr-xr-x 1 root root 71725 Nov 4 04:14 _pluto_adns -rwxr-xr-x 1 root root 3495 Nov 4 04:14 _plutoload -rwxr-xr-x 1 root root 4335 Nov 4 04:14 _plutorun -rwxr-xr-x 1 root root 7450 Nov 4 04:14 _realsetup -rwxr-xr-x 1 root root 1971 Nov 4 04:14 _secretcensor -rwxr-xr-x 1 root root 7062 Nov 4 04:14 _startklips -rwxr-xr-x 1 root root 5014 Nov 4 04:14 _updown -rwxr-xr-x 1 root root 11404 Nov 4 04:14 auto -rwxr-xr-x 1 root root 7198 Nov 4 04:14 barf -rwxr-xr-x 1 root root 816 Nov 4 04:14 calcgoo -rwxr-xr-x 1 root root 225917 Nov 4 04:14 eroute -rwxr-xr-x 1 root root 98508 Nov 4 04:14 ikeping -rwxr-xr-x 1 root root 2915 Nov 4 04:14 ipsec -rw-r--r-- 1 root root 1950 Nov 4 04:14 ipsec_pr.template -rwxr-xr-x 1 root root 161602 Nov 4 04:14 klipsdebug -rwxr-xr-x 1 root root 2437 Nov 4 04:14 look -rwxr-xr-x 1 root root 16157 Nov 4 04:14 manual -rwxr-xr-x 1 root root 1847 Nov 4 04:14 newhostkey -rwxr-xr-x 1 root root 140165 Nov 4 04:14 pf_key -rwxr-xr-x 1 root root 792407 Nov 4 04:14 pluto -rwxr-xr-x 1 root root 53058 Nov 4 04:14 ranbits -rwxr-xr-x 1 root root 76522 Nov 4 04:14 rsasigkey -rwxr-xr-x 1 root root 16671 Nov 4 04:14 send-pr lrwxrwxrwx 1 root root 22 Nov 20 21:09 setup -> /etc/rc.d/init.d/ipsec -rwxr-xr-x 1 root root 1041 Nov 4 04:14 showdefaults -rwxr-xr-x 1 root root 4205 Nov 4 04:14 showhostkey -rwxr-xr-x 1 root root 246930 Nov 4 04:14 spi -rwxr-xr-x 1 root root 202750 Nov 4 04:14 spigrp -rwxr-xr-x 1 root root 71207 Nov 4 04:14 tncfg -rwxr-xr-x 1 root root 17032 Nov 4 04:14 uml_netjig -rwxr-xr-x 1 root root 3353 Nov 4 04:14 verify -rwxr-xr-x 1 root root 136079 Nov 4 04:14 whack + _________________________ ipsec/updowns ++ ls 
/usr/local/lib/ipsec ++ egrep updown + cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $

# Contract: Pluto runs this script once per connection event. The event
# name arrives in $PLUTO_VERB, the Pluto/script interface version in
# $PLUTO_VERSION, and the connection's addressing in $PLUTO_INTERFACE,
# $PLUTO_NEXT_HOP, $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK and
# $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK. $1 (checked together
# with $*) is the optional (left/right)updown parameter: empty, "ipfwadm",
# or "custom ...".
# Exit status: 2 for an unsupported interface version or unknown parameters,
# 1 for an unknown verb; the prepare-* verbs exit with route's status, and
# every other verb ends with the status of the last command it ran.

# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
# Only the 1.x interface is accepted; 1.0 is refused outright because the
# variables used below may not be set by a Pluto that old.
case "$PLUTO_VERSION" in
1.[0])
    # Older Pluto?!? Play it safe, script may be using new features.
    echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
    echo "$0: called by obsolete Pluto?" >&2
    exit 2
    ;;
1.*)
    ;;
*)
    echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
    exit 2
    ;;
esac

# check parameter(s)
# "$1:$*" lets one pattern check both the first word and the whole list,
# so "ipfwadm" is accepted only when it is the sole parameter.
case "$1:$*" in
':')
    # no parameters
    ;;
ipfwadm:ipfwadm)
    # due to (left/right)firewall; for default script only
    ;;
custom:*)
    # custom parameters (see above CAUTION comment)
    ;;
*)
    echo "$0: unknown parameters \`$*'" >&2
    exit 2
    ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.

# uproute: install the route to the peer's client network.
uproute() {
    doroute add
}

# downroute: remove the route to the peer's client network.
downroute() {
    doroute del
}

# doroute: run "route $1 ..." for the peer client network via
# $PLUTO_INTERFACE / $PLUTO_NEXT_HOP. $1 is the route verb, "add" or
# "del" (see uproute/downroute). Returns route's exit status; on failure
# the command text is echoed to stderr so the log shows what was tried.
doroute() {
    parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
    parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # horrible kludge for obscure routing bug with opportunistic
        # (a catch-all peer net is installed as two /1 routes rather
        # than as a default route)
        it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 && route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
        ;;
    *)
        it="route $1 $parms $parms2"
        ;;
    esac
    # The command is built as a string and eval'd so the exact text can be
    # reported below; eval re-parses the $PLUTO_* values, which come from
    # Pluto's environment, not from the caller's command line.
    eval $it
    st=$?
    if test $st -ne 0
    then
        # route has already given its own cryptic message
        echo "$0: \`$it' failed" >&2
        if test " $1 $st" = " add 7"
        then
            # another totally undocumented interface -- 7 and
            # "SIOCADDRT: Network is unreachable" means that
            # the gateway isn't reachable.
            echo "$0: (incorrect or missing nexthop setting??)" >&2
        fi
    fi
    return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
    # delete possibly-existing route (preliminary to adding a route)
    # The "2>&1" inside the string makes route's stderr part of the
    # captured output ($oops) so it can be inspected below.
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # horrible kludge for obscure routing bug with opportunistic
        it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ; route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
        ;;
    *)
        it="route del -net $PLUTO_PEER_CLIENT_NET \
            netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
        ;;
    esac
    oops="`eval $it`"
    status="$?"
    # Leading spaces keep test from ever seeing an empty operand.
    if test " $oops" = " " -a " $status" != " 0"
    then
        oops="silent error, exit status $status"
    fi
    case "$oops" in
    'SIOCDELRT: No such process'*)
        # This is what route (currently -- not documented!) gives
        # for "could not find such a route".
        # A missing route is the normal case here, so it is not an error.
        oops=
        status=0
        ;;
    esac
    if test " $oops" != " " -o " $status" != " 0"
    then
        echo "$0: \`$it' failed ($oops)" >&2
    fi
    exit $status
    ;;
route-host:*|route-client:*)
    # connection to me or my client subnet being routed
    uproute
    ;;
unroute-host:*|unroute-client:*)
    # connection to me or my client subnet being unrouted
    downroute
    ;;
up-host:*)
    # connection to me coming up
    # If you are doing a custom version, firewall commands go here.
    ;;
down-host:*)
    # connection to me going down
    # If you are doing a custom version, firewall commands go here.
    ;;
up-client:)
    # connection to my client subnet coming up
    # If you are doing a custom version, firewall commands go here.
    ;;
down-client:)
    # connection to my client subnet going down
    # If you are doing a custom version, firewall commands go here.
    ;;
up-client:ipfwadm)
    # connection to client subnet, with (left/right)firewall=yes, coming up
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    # NOTE(review): the accept rule is keyed on source/destination networks
    # only and is not bound to $PLUTO_INTERFACE, so forwarding between the
    # two client networks is permitted regardless of the interface the
    # packet arrived on -- confirm that is acceptable for the deployment
    # before relying on (left/right)firewall=yes as a policy control.
    ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
    ;;
down-client:ipfwadm)
    # connection to client subnet, with (left/right)firewall=yes, going down
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    # Must mirror the up-client:ipfwadm rule exactly or the accept rule
    # added above is left behind after the tunnel goes down.
    ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
    ;;
*)
    echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
    exit 1
    ;;
esac
+ _________________________ proc/net/dev + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 4366 60 0 0 0 0 0 0 4366 60 0 0 0 0 0 0 eth0: 1540763 12212 1 0 0 0 0 0 78734 512 4 0 0 2 9 0 eth1: 9108 82 0 0 0 0 0 6 101242 1015 6 0 0 0 0 0 ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _________________________ proc/net/route + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT eth1 0001A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0 ipsec0 0001A8C0 00000000 0001 0 0 0 00FFFFFF 40 0 0 eth0 00000297 00000000 0001 0 0 0 0000FFFF 40 0 0 lo 0000007F 00000000 0001 0 0 0 000000FF 40 0 0 eth1
00000000 0201A8C0 0003 0 0 0 00000000 40 0 0 + _________________________ proc/sys/net/ipv4/ip_forward + cat /proc/sys/net/ipv4/ip_forward 0 + _________________________ proc/sys/net/ipv4/conf/star-rp_filter + cd /proc/sys/net/ipv4/conf + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:1 eth0/rp_filter:1 eth1/rp_filter:1 ipsec0/rp_filter:1 lo/rp_filter:1 + _________________________ uname-a + uname -a Linux ATUL 2.4.18-3 #1 Thu Apr 18 07:31:07 EDT 2002 i586 unknown + _________________________ redhat-release + test -r /etc/redhat-release + cat /etc/redhat-release Red Hat Linux release 7.3 (Valhalla) + _________________________ proc/net/ipsec_version + cat /proc/net/ipsec_version FreeS/WAN version: 1.99 + _________________________ iptables/list + iptables -L -v -n Chain INPUT (policy ACCEPT 583 packets, 63194 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 5 packets, 1020 bytes) pkts bytes target prot opt in out source destination + _________________________ ipchains/list + ipchains -L -v -n ipchains: Incompatible with this kernel + _________________________ ipfwadm/forward + ipfwadm -F -l -n -e Generic IP Firewall Chains not in this kernel + _________________________ ipfwadm/input + ipfwadm -I -l -n -e Generic IP Firewall Chains not in this kernel + _________________________ ipfwadm/output + ipfwadm -O -l -n -e Generic IP Firewall Chains not in this kernel + _________________________ iptables/nat + iptables -t nat -L -v -n Chain PREROUTING (policy ACCEPT 102 packets, 17957 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 5 packets, 1020 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 5 packets, 1020 bytes) pkts bytes target prot opt in out source destination + 
_________________________ ipchains/masq + ipchains -M -L -v -n ipchains: cannot open file `/proc/net/ip_masquerade' + _________________________ ipfwadm/masq + ipfwadm -M -l -n -e Generic IP Firewall Chains not in this kernel + _________________________ iptables/mangle + iptables -t mangle -L -v -n Chain PREROUTING (policy ACCEPT 578 packets, 62804 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 578 packets, 62804 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 5 packets, 1020 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 5 packets, 1020 bytes) pkts bytes target prot opt in out source destination + _________________________ proc/modules + cat /proc/modules iptable_mangle 3008 0 (autoclean) (unused) iptable_nat 19348 0 (autoclean) (unused) ip_conntrack 20044 1 (autoclean) [iptable_nat] iptable_filter 2624 0 (autoclean) (unused) ip_tables 13536 5 [iptable_mangle iptable_nat iptable_filter] ipsec 253248 2 soundcore 6436 0 (autoclean) binfmt_misc 7204 1 autofs 11940 0 (autoclean) (unused) ne 7936 1 8390 7636 0 [ne] tulip 41568 1 usb-uhci 23492 0 (unused) usbcore 71168 1 [usb-uhci] ext3 64448 2 jbd 47608 2 [ext3] + _________________________ proc/meminfo + cat /proc/meminfo total: used: free: shared: buffers: cached: Mem: 63594496 60489728 3104768 0 909312 28532736 Swap: 197398528 19820544 177577984 MemTotal: 62104 kB MemFree: 3032 kB MemShared: 0 kB Buffers: 888 kB Cached: 25732 kB SwapCached: 2132 kB Active: 40816 kB Inact_dirty: 10012 kB Inact_clean: 884 kB Inact_target: 10340 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 62104 kB LowFree: 3032 kB SwapTotal: 192772 kB SwapFree: 173416 kB Committed_AS: 143468 kB + _________________________ dev/ipsec-ls + ls -l '/dev/ipsec*' ls: /dev/ipsec*: No such file or directory + _________________________ 
proc/net/ipsec-ls + ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version -r--r--r-- 1 root root 0 Nov 23 23:46 /proc/net/ipsec_eroute -r--r--r-- 1 root root 0 Nov 23 23:46 /proc/net/ipsec_klipsdebug -r--r--r-- 1 root root 0 Nov 23 23:46 /proc/net/ipsec_spi -r--r--r-- 1 root root 0 Nov 23 23:46 /proc/net/ipsec_spigrp -r--r--r-- 1 root root 0 Nov 23 23:46 /proc/net/ipsec_tncfg -r--r--r-- 1 root root 0 Nov 23 23:46 /proc/net/ipsec_version + _________________________ usr/src/linux/.config + test -f /usr/src/linux/.config + _________________________ etc/syslog.conf + cat /etc/syslog.conf # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log + _________________________ etc/resolv.conf + cat /etc/resolv.conf + _________________________ lib/modules-ls + ls -ltr /lib/modules total 4 drwxr-xr-x 4 root root 4096 Nov 15 14:09 2.4.18-3 + _________________________ proc/ksyms-netif_rx + egrep netif_rx /proc/ksyms c01cdfa4 netif_rx_Rebe0c8b6 + _________________________ lib/modules-netif_rx + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.4.18-3: U netif_rx_Rebe0c8b6 + _________________________ kern.debug + test -f /var/log/kern.debug + _________________________ klog + sed -n '5559,$p' /var/log/messages + egrep -i 'ipsec|klips|pluto' + cat Nov 23 23:39:08 ATUL ipsec_setup: Starting FreeS/WAN IPsec 1.99... 
Nov 23 23:39:12 ATUL ipsec_setup: Using /lib/modules/2.4.18-3/kernel/net/ipsec/ipsec.o Nov 23 23:39:12 ATUL kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.99 Nov 23 23:39:12 ATUL ipsec_setup: KLIPS debug `none' Nov 23 23:39:13 ATUL /etc/hotplug/net.agent: invoke ifup ipsec1 Nov 23 23:39:13 ATUL /etc/hotplug/net.agent: invoke ifup ipsec0 Nov 23 23:39:13 ATUL /etc/hotplug/net.agent: invoke ifup ipsec2 Nov 23 23:39:13 ATUL /etc/hotplug/net.agent: invoke ifup ipsec3 Nov 23 23:39:14 ATUL ipsec_setup: KLIPS ipsec0 on eth1 192.168.1.1/255.255.255.0 broadcast 192.168.1.255 Nov 23 23:39:14 ATUL ipsec_setup: WARNING: eth1 has route filtering turned on, KLIPS may not work Nov 23 23:39:14 ATUL ipsec_setup: (/proc/sys/net/ipv4/conf/eth1/rp_filter = `1', should be 0) Nov 23 23:39:15 ATUL ipsec_setup: ...FreeS/WAN IPsec started + _________________________ plog + sed -n '249,$p' /var/log/secure + egrep -i pluto + cat Nov 23 23:39:15 ATUL ipsec__plutorun: Starting Pluto subsystem... Nov 23 23:39:15 ATUL pluto[2097]: Starting Pluto (FreeS/WAN Version 1.99) Nov 23 23:39:16 ATUL pluto[2097]: added connection description "net-to-net" Nov 23 23:39:17 ATUL pluto[2097]: listening for IKE messages Nov 23 23:39:17 ATUL pluto[2097]: adding interface ipsec0/eth1 192.168.1.1 Nov 23 23:39:17 ATUL pluto[2097]: loading secrets from "/etc/ipsec.secrets" Nov 23 23:39:49 ATUL pluto[2097]: "net-to-net" #1: initiating Main Mode Nov 23 23:39:49 ATUL pluto[2097]: "net-to-net" #1: ERROR: asynchronous network error report on eth1 for message to 192.168.1.2 port 500, complainant 192.168.1.2: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)] + _________________________ date + date Sat Nov 23 23:46:43 IST 2002