Leevi.leevi
Sat Dec 14 16:09:53 CST 2002
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 1.98b
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.16 (root@Leevi.leevi) (gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-81)) #23 SMP Tue Dec 10 14:26:43 CST 2002
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 ipsec1
10.170.0.0      0.0.0.0         255.255.0.0     U        40 0          0 eth0
10.170.0.0      0.0.0.0         255.255.0.0     U        40 0          0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         10.170.0.253    0.0.0.0         UG       40 0          0 eth0
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> eth1 mtu=16260(1500) -> 1500
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
    sock   pid   socket     next     prev e n p sndbf    Flags Type St
c7cdca20 30758 c74e0900        0        0 0 0 2 65535 00000000    3  1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid       sk
pf_key_registered:     2 c74e0900 30758 c7cdca20
pf_key_registered:     3 c74e0900 30758 c7cdca20
pf_key_registered:     9 c74e0900 30758 c7cdca20
pf_key_registered:    10 c74e0900 30758 c7cdca20
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported:     2      14      3     0     160     160
pf_key_supported:     2      14      2     0     128     128
pf_key_supported:     3      15     12   128     128     256
pf_key_supported:     3      15      3    64     168     168
pf_key_supported:     3      14      3     0     160     160
pf_key_supported:     3      14      2     0     128     128
pf_key_supported:     9      15      1     0      32      32
pf_key_supported:    10      15      2     0       1       1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 10.170.1.90
000 interface ipsec1/eth1 192.168.1.1
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536 (extension), bits=1536
000 algorithm IKE dh group: id=42048, name=OAKLEY_GROUP_MODP2048 (extension), bits=2048
000 algorithm IKE dh group: id=43072, name=OAKLEY_GROUP_MODP3072 (extension), bits=3072
000 algorithm IKE dh group: id=44096, name=OAKLEY_GROUP_MODP4096 (extension), bits=4096
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:50:FC:27:4D:78
          inet addr:10.170.1.90  Bcast:10.170.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:265028 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9468 errors:0 dropped:0 overruns:0 carrier:0
          collisions:1242 txqueuelen:100
          Interrupt:10

eth1      Link encap:Ethernet  HWaddr 00:50:FC:2B:78:4F
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:206070 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0x2000

ipsec0    Link encap:Ethernet  HWaddr 00:50:FC:27:4D:78
          inet addr:10.170.1.90  Mask:255.255.0.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:59325 errors:0 dropped:59325 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

ipsec1    Link encap:Ethernet  HWaddr 00:50:FC:2B:78:4F
          inet addr:192.168.1.1  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

ipsec2    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

ipsec3    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:136 errors:0 dropped:0 overruns:0 frame:0
          TX packets:136 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
leein
+ _________________________ hostname/ipaddress
+ hostname --ip-address
192.168.1.1
+ _________________________ uptime
+ uptime
  4:09pm  up 2 days,  2:53,  3 users,  load average: 0.93, 0.33, 0.11
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
  F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
000     0 30623   937   9   0  2120  992 wait4  S    tty1       0:00      \_ /bin/sh /usr/local/sbin/ipsec barf
000     0 30624 30623  16   0  2144 1032 wait4  S    tty1       0:00          \_ /bin/sh /usr/local/lib/ipsec/barf
000     0 30813 30624  15   0  1432  476 pipe_w S    tty1       0:00              \_ egrep -i ppid|pluto|ipsec|klips
040     0 30751     1   9   0  1948  928 wait4  S    tty1       0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --re --debug all --uniqu
040     0 30753 30751   9   0  1948  928 wait4  S    tty1       0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutorun --re --debug all --u
100     0 30758 30753   9   0  2080  820 do_sel S    tty1       0:00  |   \_ /usr/local/lib/ipsec/pluto --nofork --debug-all --uniqu
000     0 30771 30758   9   0  1412  348 do_sel S    tty1       0:00  |       \_ _pluto_adns -d 7 10
000     0 30754 30751   8   0  1928  904 pipe_w S    tty1       0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutoload --load --start --
000     0 30752     1   9   0  1336  436 pipe_w S    tty1       0:00 logger -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
#dr: no default route
#dr: no default route
# no default route
# no default route
# no default route
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces="ipsec0=eth0 ipsec1=eth1"
	#%defaultroute
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=all
	# Use auto= parameters in conn descriptions to control startup actions.
	#plutoload=%search
	#plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes

conn %default
	keyingtries=0
	disablearrivalcheck=no
	#authby=rsasig
	authby=secret
	#leftrsasigkey=%dnsondemand
	#rightrsasigkey=%dnsondemand

# connection description for opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
	left=%defaultroute
	right=%opportunistic
	keylife=1h
	rekey=no
	# for initiator only OE, uncomment and uncomment this
	# after putting your key in your forward map
	#leftid=@myhostname.example.com
	# uncomment this next line to enable it
	#auto=route

conn gw120
	left=10.170.1.120
	right=10.170.1.90
	auth=ah
	ike=3des-md5
	ah=hmac-md5-96
	esp=3des

# sample VPN connection
conn sample
	# Left security gateway, subnet behind it, next hop toward right.
	left=10.0.0.1
	leftsubnet=172.16.0.0/24
	leftnexthop=10.22.33.44
	# Right security gateway, subnet behind it, next hop toward left.
	right=10.12.12.1
	rightsubnet=192.168.0.0/24
	rightnexthop=10.101.102.103
	# To authorize this connection, but not actually start it, at startup,
	# uncomment this.
	#auto=add
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
#
# -- not filled in because ipsec.secrets existed at build time --
# }
# do not change the indenting of that "[sums to 7d9d...]"
10.170.1.90 10.170.1.120: PSK "[sums to 7c12...]"
10.170.1.90 10.170.1.121: PSK "[sums to 7c12...]"
#> /etc/ipsec.secrets 15
+ _________________________ ipsec/ls-dir
+ ls -l /usr/local/lib/ipsec
total 2892
-rwxr-xr-x    1 root     root        11115 Dec 10 14:06 _confread
-rwxr-xr-x    1 root     root        46357 Dec 10 14:06 _copyright
-rwxr-xr-x    1 root     root         2163 Dec 10 14:06 _include
-rwxr-xr-x    1 root     root         1472 Dec 10 14:06 _keycensor
-rwxr-xr-x    1 root     root        71329 Dec 10 14:06 _pluto_adns
-rwxr-xr-x    1 root     root         3495 Dec 10 14:06 _plutoload
-rwxr-xr-x    1 root     root         4376 Dec 10 14:06 _plutorun
-rwxr-xr-x    1 root     root         7450 Dec 10 14:06 _realsetup
-rwxr-xr-x    1 root     root         1971 Dec 10 14:06 _secretcensor
-rwxr-xr-x    1 root     root         6933 Dec 10 14:06 _startklips
-rwxr-xr-x    1 root     root         5014 Dec 10 14:06 _updown
-rwxr-xr-x    1 root     root        11672 Dec 10 14:06 auto
-rwxr-xr-x    1 root     root         7195 Dec 10 14:06 barf
-rwxr-xr-x    1 root     root          816 Dec 10 14:06 calcgoo
-rwxr-xr-x    1 root     root       225069 Dec 10 14:06 eroute
-rwxr-xr-x    1 root     root        97920 Dec 10 14:06 ikeping
-rwxr-xr-x    1 root     root         2916 Dec 10 14:06 ipsec
-rw-r--r--    1 root     root         1950 Dec 10 14:06 ipsec_pr.template
-rwxr-xr-x    1 root     root       160870 Dec 10 14:06 klipsdebug
-rwxr-xr-x    1 root     root         2437 Dec 10 14:06 look
-rwxr-xr-x    1 root     root        16157 Dec 10 14:06 manual
-rwxr-xr-x    1 root     root         1847 Dec 10 14:06 newhostkey
-rwxr-xr-x    1 root     root       139309 Dec 10 14:06 pf_key
-rwxr-xr-x    1 root     root      1069960 Dec 10 14:06 pluto
-rwxr-xr-x    1 root     root        52702 Dec 10 14:06 ranbits
-rwxr-xr-x    1 root     root        76414 Dec 10 14:06 rsasigkey
-rwxr-xr-x    1 root     root        16671 Dec 10 14:06 send-pr
lrwxrwxrwx    1 root     root           22 Dec 10 14:06 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x    1 root     root         1041 Dec 10 14:06 showdefaults
-rwxr-xr-x    1 root     root         4205 Dec 10 14:06 showhostkey
-rwxr-xr-x    1 root     root       357049 Dec 10 14:06 spi
-rwxr-xr-x    1 root     root       201914 Dec 10 14:06 spigrp
-rwxr-xr-x    1 root     root        70647 Dec 10 14:06 tncfg
-rwxr-xr-x    1 root     root        17048 Dec 10 14:06 uml_netjig
-rwxr-xr-x    1 root     root         3353 Dec 10 14:06 verify
-rwxr-xr-x    1 root     root       136243 Dec 10 14:06 whack
+ _________________________ ipsec/updowns
++ ls /usr/local/lib/ipsec
++ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001  D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See .
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $

# CAUTION:  Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0])	# Older Pluto?!?  Play it safe, script may be using new features.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: called by obsolete Pluto?" >&2
	exit 2
	;;
1.*)	;;
*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac

# check parameter(s)
case "$1:$*" in
':')			# no parameters
	;;
ipfwadm:ipfwadm)	# due to (left/right)firewall; for default script only
	;;
custom:*)		# custom parameters (see above CAUTION comment)
	;;
*)	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
	doroute add
}
downroute() {
	doroute del
}
doroute() {
	parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
	parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# horrible kludge for obscure routing bug with opportunistic
		it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 && route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
		;;
	*)	it="route $1 $parms $parms2"
		;;
	esac
	eval $it
	st=$?
	if test $st -ne 0
	then
		# route has already given its own cryptic message
		echo "$0: \`$it' failed" >&2
		if test " $1 $st" = " add 7"
		then
			# another totally undocumented interface -- 7 and
			# "SIOCADDRT: Network is unreachable" means that
			# the gateway isn't reachable.
			echo "$0: (incorrect or missing nexthop setting??)" >&2
		fi
	fi
	return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
	# delete possibly-existing route (preliminary to adding a route)
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# horrible kludge for obscure routing bug with opportunistic
		it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ; route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
		;;
	*)	it="route del -net $PLUTO_PEER_CLIENT_NET \
			netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
		;;
	esac
	oops="`eval $it`"
	status="$?"
	if test " $oops" = " " -a " $status" != " 0"
	then
		oops="silent error, exit status $status"
	fi
	case "$oops" in
	'SIOCDELRT: No such process'*)
		# This is what route (currently -- not documented!) gives
		# for "could not find such a route".
		oops=
		status=0
		;;
	esac
	if test " $oops" != " " -o " $status" != " 0"
	then
		echo "$0: \`$it' failed ($oops)" >&2
	fi
	exit $status
	;;
route-host:*|route-client:*)
	# connection to me or my client subnet being routed
	uproute
	;;
unroute-host:*|unroute-client:*)
	# connection to me or my client subnet being unrouted
	downroute
	;;
up-host:*)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host:*)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	;;
down-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	;;
*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   11180     136    0    0    0     0          0         0    11180     136    0    0    0     0       0          0
  eth0:36033610  265028    0    0    0     0          0         0  8064694    9468    0    0    0  1242       0          0
  eth1:25908943  206070    0    0    0     0          0         0      660      11    0    0    0     0       0          0
ipsec0:       0   59325    0 59325    0     0          0         0     2406      17    0    0    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface	Destination	Gateway 	Flags	RefCnt	Use	Metric	Mask		MTU	Window	IRTT
eth1	0001A8C0	00000000	0001	0	0	0	00FFFFFF	40	0	0
ipsec1	0001A8C0	00000000	0001	0	0	0	00FFFFFF	40	0	0
eth0	0000AA0A	00000000	0001	0	0	0	0000FFFF	40	0	0
ipsec0	0000AA0A	00000000	0001	0	0	0	0000FFFF	40	0	0
lo	0000007F	00000000	0001	0	0	0	000000FF	40	0	0
eth0	00000000	FD00AA0A	0003	0	0	0	00000000	40	0	0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter ipsec1/rp_filter lo/rp_filter
all/rp_filter:1
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
ipsec0/rp_filter:0
ipsec1/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux Leevi.leevi 2.4.16 #23 SMP Tue Dec 10 14:26:43 CST 2002 i686 unknown
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
LINUX 7.2
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.98b
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 231K packets, 33M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8166 packets, 7878K bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ ipchains/list
+ ipchains -L -v -n
ipchains: Incompatible with this kernel
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 114K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2455 packets, 343K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2455 packets, 343K bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
ipchains: cannot open file `/proc/net/ip_masquerade'
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 306K packets, 46M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8166 packets, 7878K bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ proc/modules
+ cat /proc/modules
ipsec_aes              31984   0 (unused)
ipsec                 247904   3 [ipsec_aes]
+ _________________________ proc/meminfo
+ cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  129400832 124035072  5365760        0  1622016 109948928
Swap: 287842304  8802304 279040000
MemTotal:       126368 kB
MemFree:          5240 kB
MemShared:           0 kB
Buffers:          1584 kB
Cached:         106684 kB
SwapCached:        688 kB
Active:          24704 kB
Inactive:        88616 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       126368 kB
LowFree:          5240 kB
SwapTotal:      281096 kB
SwapFree:       272500 kB
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r--    1 root     root            0 Dec 14 16:09 /proc/net/ipsec_eroute
-r--r--r--    1 root     root            0 Dec 14 16:09 /proc/net/ipsec_klipsdebug
-r--r--r--    1 root     root            0 Dec 14 16:09 /proc/net/ipsec_spi
-r--r--r--    1 root     root            0 Dec 14 16:09 /proc/net/ipsec_spigrp
-r--r--r--    1 root     root            0 Dec 14 16:09 /proc/net/ipsec_tncfg
-r--r--r--    1 root     root            0 Dec 14 16:09 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
# CONFIG_MD_MULTIPATH is not set
CONFIG_NETLINK=y
# CONFIG_RTNETLINK is not set
# CONFIG_NETLINK_DEV is not set
# CONFIG_IP_MULTICAST is not set
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
#   IP: Netfilter Configuration
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
# CONFIG_IPX is not set
CONFIG_IPSEC=m
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_ALG=y
CONFIG_IPSEC_ALG_AES=m
# CONFIG_IPSEC_ALG_TWOFISH is not set
# CONFIG_IPSEC_ALG_3DES is not set
# CONFIG_IPSEC_ALG_BLOWFISH is not set
# CONFIG_IPSEC_ALG_NULL is not set
# CONFIG_IPSEC_ALG_SERPENT is not set
# CONFIG_IPSEC_ALG_MD5 is not set
# CONFIG_IPSEC_ALG_SHA1 is not set
# CONFIG_IPSEC_ALG_SHA2 is not set
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_IDE_CHIPSETS is not set
# CONFIG_TULIP is not set
# CONFIG_PLIP is not set
# CONFIG_SLIP is not set
# CONFIG_PCMCIA_XIRTULIP is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*							/dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none		/var/log/messages

# The authpriv file has restricted access.
authpriv.*						/var/log/secure

# Log all the mail messages in one place.
mail.*							/var/log/maillog

# Log cron stuff
cron.*							/var/log/cron

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg							*

# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit						/var/log/spooler

# Save boot messages also to boot.log
local7.*						/var/log/boot.log

#
# INN
#
news.=crit					/var/log/news/news.crit
news.=err					/var/log/news/news.err
news.notice					/var/log/news/news.notice
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
#nameserver 202.99.8.1
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 28
drwxr-xr-x    4 root     root         4096 Sep 20  2001 2.4.2-2
drwxrwxr-x    4 root     root         4096 Mar  4  2002 2.4.6
drwxr-xr-x    4 root     root         4096 May 16  2002 2.2.14-5.0
drwxr-xr-x    4 root     root         4096 May 17  2002 2.2.14
drwxr-xr-x    4 root     root         4096 Aug 23 14:25 2.4.18
drwxr-xr-x    4 root     root         4096 Aug 24 16:31 2.4.19
drwxr-xr-x    4 root     root         4096 Dec 10 14:27 2.4.16
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c0200980 netif_rx_Rsmp_b0459ed7
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.2.14:
2.2.14-5.0:
2.4.16:
2.4.18:
2.4.19:
2.4.2-2:
         U netif_rx_Rsmp_2599e7b9
2.4.6:
         U netif_rx_Rsmp_f922bd3f
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '858807,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Dec 14 14:37:18 Leevi ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
Dec 14 14:37:18 Leevi ipsec_setup: KLIPS debug `none'
Dec 14 14:37:18 Leevi ipsec_setup: KLIPS ipsec0 on eth0 10.170.1.90/255.255.0.0 broadcast 10.170.255.255
Dec 14 14:37:18 Leevi ipsec_setup: KLIPS ipsec1 on eth1 192.168.1.1/255.255.255.0 broadcast 192.168.1.255
Dec 14 14:37:18 Leevi ipsec_setup: ...FreeS/WAN IPsec started
Dec 14 14:42:10 Leevi ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
Dec 14 14:42:10 Leevi ipsec__plutorun: restarting IPsec after pause...
Dec 14 14:42:20 Leevi ipsec_setup: Stopping FreeS/WAN IPsec...
Dec 14 14:42:20 Leevi ipsec_setup: Removing orphaned /var/run/pluto.pid:
Dec 14 14:42:20 Leevi kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 14 14:42:20 Leevi kernel: IPSEC EVENT: KLIPS device ipsec1 shut down.
Dec 14 14:42:21 Leevi ipsec_setup: ipsec: Device or resource busy
Dec 14 14:42:21 Leevi ipsec_setup: ...FreeS/WAN IPsec stopped
Dec 14 14:42:21 Leevi ipsec_setup: Restarting FreeS/WAN IPsec 1.98b...
Dec 14 14:42:21 Leevi ipsec_setup: KLIPS debug `none'
Dec 14 14:42:21 Leevi ipsec_setup: KLIPS ipsec0 on eth0 10.170.1.90/255.255.0.0 broadcast 10.170.255.255
Dec 14 14:42:21 Leevi ipsec_setup: KLIPS ipsec1 on eth1 192.168.1.1/255.255.255.0 broadcast 192.168.1.255
Dec 14 14:42:21 Leevi ipsec_setup: ...FreeS/WAN IPsec started
Dec 14 14:42:59 Leevi ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
Dec 14 14:42:59 Leevi ipsec__plutorun: restarting IPsec after pause...
Dec 14 14:43:09 Leevi ipsec_setup: Stopping FreeS/WAN IPsec...
Dec 14 14:43:09 Leevi ipsec_setup: Removing orphaned /var/run/pluto.pid:
Dec 14 14:43:09 Leevi kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 14 14:43:09 Leevi kernel: IPSEC EVENT: KLIPS device ipsec1 shut down.
Dec 14 14:43:09 Leevi ipsec_setup: ipsec: Device or resource busy
Dec 14 14:43:09 Leevi ipsec_setup: ...FreeS/WAN IPsec stopped
Dec 14 14:43:09 Leevi ipsec_setup: Restarting FreeS/WAN IPsec 1.98b...
Dec 14 14:43:09 Leevi ipsec_setup: KLIPS debug `none'
Dec 14 14:43:09 Leevi ipsec_setup: KLIPS ipsec0 on eth0 10.170.1.90/255.255.0.0 broadcast 10.170.255.255
Dec 14 14:43:09 Leevi ipsec_setup: KLIPS ipsec1 on eth1 192.168.1.1/255.255.255.0 broadcast 192.168.1.255
Dec 14 14:43:09 Leevi ipsec_setup: ...FreeS/WAN IPsec started
Dec 14 14:52:32 Leevi ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
Dec 14 14:52:32 Leevi ipsec__plutorun: restarting IPsec after pause...
Dec 14 14:52:42 Leevi ipsec_setup: Stopping FreeS/WAN IPsec...
Dec 14 14:52:42 Leevi ipsec_setup: Removing orphaned /var/run/pluto.pid:
Dec 14 14:52:42 Leevi kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 14 14:52:42 Leevi kernel: IPSEC EVENT: KLIPS device ipsec1 shut down.
Dec 14 14:52:42 Leevi ipsec_setup: ipsec: Device or resource busy
Dec 14 14:52:42 Leevi ipsec_setup: ...FreeS/WAN IPsec stopped
Dec 14 14:52:42 Leevi ipsec_setup: Restarting FreeS/WAN IPsec 1.98b...
Dec 14 14:52:42 Leevi ipsec_setup: KLIPS debug `none'
Dec 14 14:52:42 Leevi ipsec_setup: KLIPS ipsec0 on eth0 10.170.1.90/255.255.0.0 broadcast 10.170.255.255
Dec 14 14:52:42 Leevi ipsec_setup: KLIPS ipsec1 on eth1 192.168.1.1/255.255.255.0 broadcast 192.168.1.255
Dec 14 14:52:42 Leevi ipsec_setup: ...FreeS/WAN IPsec started
Dec 14 16:07:52 Leevi ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
Dec 14 16:07:52 Leevi ipsec__plutorun: restarting IPsec after pause...
Dec 14 16:08:02 Leevi ipsec_setup: Stopping FreeS/WAN IPsec...
Dec 14 16:08:02 Leevi ipsec_setup: Removing orphaned /var/run/pluto.pid:
Dec 14 16:08:02 Leevi kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 14 16:08:02 Leevi kernel: IPSEC EVENT: KLIPS device ipsec1 shut down.
Dec 14 16:08:02 Leevi ipsec_setup: ipsec: Device or resource busy
Dec 14 16:08:02 Leevi ipsec_setup: ...FreeS/WAN IPsec stopped
Dec 14 16:08:03 Leevi ipsec_setup: Restarting FreeS/WAN IPsec 1.98b...
Dec 14 16:08:03 Leevi ipsec_setup: KLIPS debug `none'
Dec 14 16:08:03 Leevi ipsec_setup: KLIPS ipsec0 on eth0 10.170.1.90/255.255.0.0 broadcast 10.170.255.255
Dec 14 16:08:03 Leevi ipsec_setup: KLIPS ipsec1 on eth1 192.168.1.1/255.255.255.0 broadcast 192.168.1.255
Dec 14 16:08:03 Leevi ipsec_setup: ...FreeS/WAN IPsec started
Dec 14 16:08:19 Leevi ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
Dec 14 16:08:19 Leevi ipsec__plutorun: restarting IPsec after pause...
Dec 14 16:08:33 Leevi ipsec_setup: Stopping FreeS/WAN IPsec...
Dec 14 16:08:33 Leevi ipsec_setup: Removing orphaned /var/run/pluto.pid:
Dec 14 16:08:33 Leevi kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 14 16:08:34 Leevi kernel: IPSEC EVENT: KLIPS device ipsec1 shut down.
Dec 14 16:08:34 Leevi ipsec_setup: ipsec: Device or resource busy
Dec 14 16:08:34 Leevi ipsec_setup: ...FreeS/WAN IPsec stopped
Dec 14 16:08:34 Leevi ipsec_setup: Restarting FreeS/WAN IPsec 1.98b...
Dec 14 16:08:34 Leevi ipsec_setup: KLIPS debug `none'
Dec 14 16:08:35 Leevi ipsec_setup: KLIPS ipsec0 on eth0 10.170.1.90/255.255.0.0 broadcast 10.170.255.255
Dec 14 16:08:35 Leevi ipsec_setup: KLIPS ipsec1 on eth1 192.168.1.1/255.255.255.0 broadcast 192.168.1.255
Dec 14 16:08:35 Leevi ipsec_setup: ...FreeS/WAN IPsec started
+ _________________________ plog
+ sed -n '540,$p' /var/log/secure
+ egrep -i pluto
+ cat
Dec 14 16:08:35 Leevi ipsec__plutorun: Restarting Pluto subsystem...
Dec 14 16:08:35 Leevi pluto[30758]: Starting Pluto (FreeS/WAN Version 1.98b)
Dec 14 16:08:35 Leevi pluto[30758]: | opening /dev/urandom
Dec 14 16:08:35 Leevi pluto[30758]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Dec 14 16:08:35 Leevi pluto[30758]: ike_alg_register_enc: Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 14 16:08:35 Leevi pluto[30758]: ike_alg_register_enc: Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Dec 14 16:08:35 Leevi pluto[30758]: ike_alg_register_enc: Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Dec 14 16:08:35 Leevi pluto[30758]: ike_alg_register_hash: Activating OAKLEY_SHA2_256: Ok (ret=0)
Dec 14 16:08:35 Leevi pluto[30758]: ike_alg_register_hash: Activating OAKLEY_SHA2_512: Ok (ret=0)
Dec 14 16:08:35 Leevi pluto[30758]: ike_alg_register_enc: Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Dec 14 16:08:35 Leevi pluto[30758]: ike_alg_register_enc: Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Dec 14 16:08:35 Leevi pluto[30758]: | process 30758 listening for PF_KEY_V2 on file descriptor 6
Dec 14 16:08:35 Leevi pluto[30758]: | finish_pfkey_msg: SADB_REGISTER message 1 for AH
Dec 14 16:08:35 Leevi pluto[30758]: |   02 07 00 02  02 00 00 00  01 00 00 00  26 78 00 00
Dec 14 16:08:36 Leevi pluto[30758]: | pfkey_get: SADB_REGISTER message 1
Dec 14 16:08:36 Leevi pluto[30758]: | AH registered with kernel.
Dec 14 16:08:36 Leevi pluto[30758]: | finish_pfkey_msg: SADB_REGISTER message 2 for ESP
Dec 14 16:08:36 Leevi pluto[30758]: |   02 07 00 03  02 00 00 00  02 00 00 00  26 78 00 00
Dec 14 16:08:37 Leevi pluto[30758]: | pfkey_get: SADB_REGISTER message 2
Dec 14 16:08:37 Leevi pluto[30758]: | alg_init():memset(0x80b4c20, 0, 128) memset(0x80b4ca0, 0, 2048)
Dec 14 16:08:37 Leevi pluto[30758]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=8 sadb_supported_len=24
Dec 14 16:08:37 Leevi pluto[30758]: | kernel_alg_add():satype=3, exttype=14, alg_id=3
Dec 14 16:08:37 Leevi pluto[30758]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
Dec 14 16:08:37 Leevi pluto[30758]: | kernel_alg_add():satype=3, exttype=14, alg_id=2
Dec 14 16:08:38 Leevi pluto[30758]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
Dec 14 16:08:38 Leevi pluto[30758]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=8 sadb_supported_len=24
Dec 14 16:08:38 Leevi pluto[30758]: | kernel_alg_add():satype=3, exttype=15, alg_id=12
Dec 14 16:08:38 Leevi pluto[30758]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=15, satype=3, alg_id=12, alg_ivlen=128, alg_minbits=128, alg_maxbits=256, res=0, ret=1
Dec 14 16:08:39 Leevi pluto[30758]: | kernel_alg_add():satype=3, exttype=15, alg_id=3
Dec 14 16:08:39 Leevi pluto[30758]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=15, satype=3, alg_id=3, alg_ivlen=64, alg_minbits=168, alg_maxbits=168, res=0, ret=1
Dec 14 16:08:39 Leevi pluto[30758]: | ESP registered with kernel.
Dec 14 16:08:39 Leevi pluto[30758]: | finish_pfkey_msg: SADB_REGISTER message 3 for IPCOMP
Dec 14 16:08:40 Leevi pluto[30758]: |   02 07 00 0a  02 00 00 00  03 00 00 00  26 78 00 00
Dec 14 16:08:40 Leevi pluto[30758]: | pfkey_get: SADB_REGISTER message 3
Dec 14 16:08:40 Leevi pluto[30758]: | IPCOMP registered with kernel.
Dec 14 16:08:40 Leevi pluto[30758]: | finish_pfkey_msg: SADB_REGISTER message 4 for IPIP
Dec 14 16:08:40 Leevi pluto[30758]: |   02 07 00 09  02 00 00 00  04 00 00 00  26 78 00 00
Dec 14 16:08:40 Leevi pluto[30758]: | pfkey_get: SADB_REGISTER message 4
Dec 14 16:08:40 Leevi pluto[30758]: | IPIP registered with kernel.
Dec 14 16:08:40 Leevi pluto[30758]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Dec 14 16:08:40 Leevi pluto[30758]: | next event EVENT_SHUNT_SCAN in 120 seconds
Dec 14 16:08:40 Leevi pluto[30758]: |
Dec 14 16:08:41 Leevi pluto[30758]: | *received whack message
Dec 14 16:08:41 Leevi pluto[30758]: listening for IKE messages
Dec 14 16:08:41 Leevi pluto[30758]: | found lo with address 127.0.0.1
Dec 14 16:08:41 Leevi pluto[30758]: | found eth0 with address 10.170.1.90
Dec 14 16:08:41 Leevi pluto[30758]: | found eth1 with address 192.168.1.1
Dec 14 16:08:41 Leevi pluto[30758]: | found ipsec0 with address 10.170.1.90
Dec 14 16:08:41 Leevi pluto[30758]: | found ipsec1 with address 192.168.1.1
Dec 14 16:08:42 Leevi pluto[30758]: adding interface ipsec1/eth1 192.168.1.1
Dec 14 16:08:42 Leevi pluto[30758]: adding interface ipsec0/eth0 10.170.1.90
Dec 14 16:08:42 Leevi pluto[30758]: | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
Dec 14 16:08:42 Leevi pluto[30758]: | could not open /proc/net/if_inet6
Dec 14 16:08:42 Leevi pluto[30758]: loading secrets from "/etc/ipsec.secrets"
Dec 14 16:08:42 Leevi pluto[30758]: loading secrets from "/etc/fw.config/vpn/ipsec1.secrets"
Dec 14 16:08:42 Leevi pluto[30758]: | next event EVENT_SHUNT_SCAN in 118 seconds
Dec 14 16:09:53 Leevi pluto[30758]: |
Dec 14 16:09:53 Leevi
pluto[30758]: | *received whack message Dec 14 16:09:53 Leevi pluto[30758]: | next event EVENT_SHUNT_SCAN in 47 seconds + _________________________ date + date Sat Dec 14 16:10:40 CST 2002