<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2769" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Where is my traffic going?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>At the moment I have... </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Linux Openswan U2.4.5dr2/K2.6.11.12
(netkey)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I have tried K2.6.14.2 & .3 with U2.4.2 and
.5dr</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I can establish the IPsec connection, but when I try to ping a known address on the other side of the VPN I get no traffic over the VPN.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>On eth0 I see:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>tcpdump -i eth0</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>19:48:37.115393 arp who-has 172.16.0.1 tell
??????.pureserver.info<BR>19:48:38.115174 arp who-has 172.16.0.1 tell
??????.pureserver.info<BR></FONT></DIV>
<DIV><FONT face=Arial size=2>tcpdump host [right vpn ip]<BR></FONT></DIV>
<DIV><FONT face=Arial size=2>tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode<BR>listening on eth0, link-type EN10MB (Ethernet),
capture size 96 bytes<BR>19:50:00.461380 IP [right vpn ip] >
p15179238.pureserver.info: ESP(spi=0x50a0c52c,seq=0x54)<BR>19:50:00.461380 IP
[right vpn ip] > p15179238.pureserver.info: icmp 24: echo request seq
24328</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>But no extra ESP packets when I ping 172.16.0.1.</FONT></DIV>
<DIV><BR>There is more to the story... I have tried using KLIPS instead of the kernel stack so I could see a bit more by looking at ipsec0. But each time I run ipsec --version I get a kernel oops; this was more of a workaround and an attempt to see what was going on.</DIV>
<DIV> </DIV>
<DIV>I have made sure the firewall is off.</DIV>
<DIV> </DIV>
<DIV>I have an eth0:0 192.168.0.10 that is part of the left subnet; I'm not sure if this is a problem or not.</DIV>
<DIV> </DIV>
<DIV>I'm not sure how to check the routing, as it seems to be hidden by the kernel with NETKEY, or whether I should try to get KLIPS working without NETKEY.</DIV>
<DIV> </DIV>
<DIV>Any ideas would be very welcome.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>[root@?????? root]# ipsec barf<BR>??????.pureserver.info<BR>Fri Nov 25
19:56:14 GMT 2005<BR>+ _________________________ version<BR>+ ipsec
--version<BR>Linux Openswan U2.4.5dr2/K2.6.11.12 (netkey)<BR>See `ipsec
--copyright' for copyright information.<BR>+ _________________________
/proc/version<BR>+ cat /proc/version<BR>Linux version 2.6.11.12 (root@??????.pureserver.info) (gcc
version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #2 SMP Fri Nov 25 18:53:47 GMT
2005<BR>+ _________________________ /proc/net/ipsec_eroute<BR>+ test -r
/proc/net/ipsec_eroute<BR>+ _________________________ netstat-rn<BR>+ netstat
-nr<BR>+ head -n 100<BR>Kernel IP routing table<BR>Destination Gateway Genmask Flags MSS Window irtt Iface<BR>10.255.255.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0<BR>172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<BR>192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<BR>169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0<BR>0.0.0.0 10.255.255.1 0.0.0.0 UG 0 0 0 eth0<BR>+
_________________________ /proc/net/ipsec_spi<BR>+ test -r
/proc/net/ipsec_spi<BR>+ _________________________ /proc/net/ipsec_spigrp<BR>+
test -r /proc/net/ipsec_spigrp<BR>+ _________________________
/proc/net/ipsec_tncfg<BR>+ test -r /proc/net/ipsec_tncfg<BR>+
_________________________ /proc/net/pfkey<BR>+ test -r /proc/net/pfkey<BR>+ cat
/proc/net/pfkey<BR>sk RefCnt Rmem Wmem User Inode<BR>+ _________________________ setkey-D<BR>+ setkey -D<BR>[Right IP] [Left IP]<BR>esp mode=tunnel spi=1352713516(0x50a0c52c) reqid=16385(0x00004001)<BR>E: 3des-cbc 1df8d910 a135c5c0 63bb1929 943ac223 65c1ebca 0c02ac79<BR>A: hmac-sha1 9bb0326b 880b732f baa59633 b0fdff5b 4eb7fbcc<BR>seq=0x00000000 replay=32 flags=0x00000000 state=mature<BR>created: Nov 25 19:36:16 2005 current: Nov 25 19:56:14 2005<BR>diff: 1198(s) hard: 0(s) soft: 0(s)<BR>last: Nov 25 19:36:16 2005 hard: 0(s) soft: 0(s)<BR>current: 5324(bytes) hard: 0(bytes) soft: 0(bytes)<BR>allocated: 121 hard: 0 soft: 0<BR>sadb_seq=3 pid=1326 refcnt=0<BR>[Right IP] [Left IP]<BR>esp mode=tunnel spi=3707438638(0xdcfb062e) reqid=16385(0x00004001)<BR>E: 3des-cbc 6d7e4666 c410b0c2 fe4f4d64 f5e1f57f 69e361d4 a01ebe0d<BR>A: hmac-sha1 1eaf04eb 8a6cd247 5432635c 814f0b77 bbccece7<BR>seq=0x00000000 replay=32 flags=0x00000000 state=mature<BR>created: Nov 25 19:18:10 2005 current: Nov 25 19:56:14 2005<BR>diff: 2284(s) hard: 0(s) soft: 0(s)<BR>last: Nov 25 19:18:10 2005 hard: 0(s) soft: 0(s)<BR>current: 4840(bytes) hard: 0(bytes) soft: 0(bytes)<BR>allocated: 110 hard: 0 soft: 0<BR>sadb_seq=2 pid=1326 refcnt=0<BR>+ _________________________ setkey-D-P<BR>+ setkey -D -P<BR>172.16.0.0/24[any] 192.168.0.0/24[any] any<BR>in prio high + 1073739480 ipsec<BR>esp/tunnel/[Right IP]-[Left IP]/unique#16385<BR>created: Nov 25 19:18:10 2005 lastused:<BR>lifetime: 0(s) validtime: 0(s)<BR>spid=40 seq=6 pid=1327<BR>refcnt=1<BR>192.168.0.0/24[any] 172.16.0.0/24[any] any<BR>out prio high + 1073739480 ipsec<BR>esp/tunnel/[Left IP]-[Right IP]/unique#16385<BR>created: Nov 25 19:36:16 2005 lastused:<BR>lifetime: 0(s) validtime: 0(s)<BR>spid=33 seq=5 pid=1327<BR>refcnt=1<BR>172.16.0.0/24[any] 192.168.0.0/24[any] any<BR>fwd prio high + 1073739480 ipsec<BR>esp/tunnel/[Right IP]-[Left IP]/unique#16385<BR>created: Nov 25 19:18:10 2005 lastused:<BR>lifetime: 0(s) validtime: 0(s)<BR>spid=50 seq=4 pid=1327<BR>refcnt=1<BR>(per-socket policy)<BR>in none<BR>created: Nov 25 19:12:11 2005 lastused: Nov 25 19:36:16 2005<BR>lifetime: 0(s) validtime: 0(s)<BR>spid=19 seq=3 pid=1327<BR>refcnt=1<BR>(per-socket policy)<BR>in none<BR>created: Nov 25 19:12:11 2005 lastused:<BR>lifetime: 0(s) validtime: 0(s)<BR>spid=3 seq=2 pid=1327<BR>refcnt=1<BR>(per-socket policy)<BR>out none<BR>created: Nov 25 19:12:11 2005 lastused: Nov 25 19:36:16 2005<BR>lifetime: 0(s) validtime: 0(s)<BR>spid=28 seq=1 pid=1327<BR>refcnt=1<BR>(per-socket policy)<BR>out none<BR>created: Nov 25 19:12:11 2005 lastused:<BR>lifetime: 0(s) validtime: 0(s)<BR>spid=12 seq=0 pid=1327<BR>refcnt=1<BR>+
_________________________ /proc/sys/net/ipsec-star<BR>+ test -d
/proc/sys/net/ipsec<BR>+ _________________________ ipsec/status<BR>+ ipsec auto
--status<BR>000 interface eth0/eth0 [Left IP]<BR>000 interface lo/lo
127.0.0.1<BR>000 %myid = (none)<BR>000 debug none<BR>000<BR>000 algorithm ESP
encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64<BR>000
algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192<BR>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448<BR>000 algorithm ESP encrypt: id=11,
name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0<BR>000 algorithm ESP encrypt:
id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256<BR>000 algorithm
ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128,
keysizemax=256<BR>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256<BR>000 algorithm ESP auth attr: id=1,
name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<BR>000 algorithm
ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160,
keysizemax=160<BR>000 algorithm ESP auth attr: id=5,
name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256<BR>000
algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
keysizemax=0<BR>000<BR>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
blocksize=8, keydeflen=192<BR>000 algorithm IKE encrypt: id=7,
name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128<BR>000 algorithm IKE hash:
id=1, name=OAKLEY_MD5, hashsize=16<BR>000 algorithm IKE hash: id=2,
name=OAKLEY_SHA1, hashsize=20<BR>000 algorithm IKE dh group: id=2,
name=OAKLEY_GROUP_MODP1024, bits=1024<BR>000 algorithm IKE dh group: id=5,
name=OAKLEY_GROUP_MODP1536, bits=1536<BR>000 algorithm IKE dh group: id=14,
name=OAKLEY_GROUP_MODP2048, bits=2048<BR>000 algorithm IKE dh group: id=15,
name=OAKLEY_GROUP_MODP3072, bits=3072<BR>000 algorithm IKE dh group: id=16,
name=OAKLEY_GROUP_MODP4096, bits=4096<BR>000 algorithm IKE dh group: id=17,
name=OAKLEY_GROUP_MODP6144, bits=6144<BR>000 algorithm IKE dh group: id=18,
name=OAKLEY_GROUP_MODP8192, bits=8192<BR>000<BR>000 stats db_ops.c: {curr_cnt,
total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}<BR>000<BR>000
"mobius": 192.168.0.0/24===[Left IP]...[Right IP]===172.16.0.0/24; erouted;
eroute owner: #3<BR>000 "mobius": srcip=unset;
dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<BR>000
"mobius": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0<BR>000 "mobius": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;<BR>000
"mobius": newest ISAKMP SA: #1; newest IPsec SA: #3;<BR>000
"mobius": IKE algorithm newest:
3DES_CBC_192-SHA1-MODP1024<BR>000<BR>000 #3: "mobius":500 STATE_QUICK_I2 (sent
QI2, IPsec SA established); EVENT_SA_REPLACE in 26777s; newest IPSEC; eroute
owner<BR>000 #3: "mobius" esp.9f797971@[Right IP] esp.50a0c52c@[Left IP] tun.0@[Right IP] tun.0@[Left IP]<BR>000 #2: "mobius":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25642s<BR>000 #2: "mobius" esp.9f79796f@[Right IP] esp.dcfb062e@[Left IP] tun.0@[Right IP] tun.0@[Left IP]<BR>000 #1: "mobius":500
STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 662s; newest ISAKMP;
nodpd<BR>000<BR>+ _________________________ ifconfig-a<BR>+ ifconfig
-a<BR>eth0 Link encap:Ethernet HWaddr 00:11:11:B1:FE:62<BR>inet addr:[Left IP] Bcast:[Left IP] Mask:255.255.255.255<BR>inet6 addr: fe80::211:11ff:feb1:fe62/64 Scope:Link<BR>UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<BR>RX packets:1992 errors:0 dropped:0 overruns:0 frame:0<BR>TX packets:1397 errors:0 dropped:0 overruns:0 carrier:0<BR>collisions:0 txqueuelen:1000<BR>RX bytes:351386 (343.1 Kb) TX bytes:891589 (870.6 Kb)</DIV>
<DIV> </DIV>
<DIV>eth0:0 Link encap:Ethernet HWaddr 00:11:11:B1:FE:62<BR>inet addr:192.168.0.10 Bcast:192.168.0.255 Mask:255.255.255.0<BR>UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<BR>RX packets:0 errors:0 dropped:0 overruns:0 frame:0<BR>TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<BR>collisions:0 txqueuelen:1000<BR>RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)</DIV>
<DIV> </DIV>
<DIV>lo Link encap:Local Loopback<BR>inet addr:127.0.0.1 Mask:255.0.0.0<BR>inet6 addr: ::1/128 Scope:Host<BR>UP LOOPBACK RUNNING MTU:16436 Metric:1<BR>RX packets:22 errors:0 dropped:0 overruns:0 frame:0<BR>TX packets:22 errors:0 dropped:0 overruns:0 carrier:0<BR>collisions:0 txqueuelen:0<BR>RX bytes:2464 (2.4 Kb) TX bytes:2464 (2.4 Kb)</DIV>
<DIV> </DIV>
<DIV>sit0 Link encap:IPv6-in-IPv4<BR>NOARP MTU:1480 Metric:1<BR>RX packets:0 errors:0 dropped:0 overruns:0 frame:0<BR>TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<BR>collisions:0 txqueuelen:0<BR>RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)</DIV>
<DIV> </DIV>
<DIV>+ _________________________ ip-addr-list<BR>+ ip addr list<BR>1: eth0:
<BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen
1000<BR> link/ether 00:11:11:b1:fe:62 brd
ff:ff:ff:ff:ff:ff<BR> inet [Left IP]/32 brd [Left IP] scope
global eth0<BR> inet 192.168.0.10/24 brd 192.168.0.255 scope
global eth0:0<BR> inet6 fe80::211:11ff:feb1:fe62/64 scope
link<BR> valid_lft forever preferred_lft
forever<BR>2: lo: <LOOPBACK,UP> mtu 16436 qdisc
noqueue<BR> link/loopback 00:00:00:00:00:00 brd
00:00:00:00:00:00<BR> inet 127.0.0.1/8 brd 127.255.255.255
scope host lo<BR> inet6 ::1/128 scope
host<BR> valid_lft forever preferred_lft
forever<BR>3: sit0: <NOARP> mtu 1480 qdisc noop<BR>
link/sit 0.0.0.0 brd 0.0.0.0<BR>+ _________________________ ip-route-list<BR>+
ip route list<BR>10.255.255.1 dev eth0 scope link<BR>172.16.0.0/24 dev
eth0 scope link<BR>192.168.0.0/24 dev eth0 proto kernel scope
link src 192.168.0.10<BR>169.254.0.0/16 dev eth0 scope
link<BR>default via 10.255.255.1 dev eth0<BR>+ _________________________
ip-rule-list<BR>+ ip rule list<BR>RTNETLINK answers: Invalid argument<BR>Dump
terminated<BR>+ _________________________ ipsec_verify<BR>+ ipsec verify
--nocolour<BR>Checking your system to see if IPsec got installed and started correctly:<BR>Version check and ipsec on-path [OK]<BR>Linux Openswan U2.4.5dr2/K2.6.11.12 (netkey)<BR>Checking for IPsec support in kernel [OK]<BR>Checking for RSA private key (/etc/ipsec.secrets) [FAILED]<BR>ipsec showhostkey: no default key in "/etc/ipsec.secrets"<BR>Checking that pluto is running [OK]<BR>Two or more interfaces found, checking IP forwarding [FAILED]<BR>Checking for 'ip' command [OK]<BR>Checking for 'iptables' command [OK]<BR>Checking for 'setkey' command for NETKEY IPsec stack support [OK]<BR>Opportunistic Encryption Support [DISABLED]<BR>+ _________________________ mii-tool<BR>+ '[' -x /sbin/mii-tool
']'<BR>+ /sbin/mii-tool -v<BR>eth0: negotiated 100baseTx-FD, link ok<BR>
product info: vendor 00:aa:00, model 51 rev 0<BR> basic mode:
autonegotiation enabled<BR> basic status: autonegotiation complete, link
ok<BR> capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD
10baseT-HD<BR> advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD
10baseT-HD flow-control<BR> link partner: 100baseTx-FD 100baseTx-HD
10baseT-FD 10baseT-HD<BR>+ _________________________ ipsec/directory<BR>+ ipsec
--directory<BR>/usr/local/lib/ipsec<BR>+ _________________________
hostname/fqdn<BR>+ hostname --fqdn<BR>??????.pureserver.info<BR>+
_________________________ hostname/ipaddress<BR>+ hostname --ip-address<BR>[Left
IP]<BR>+ _________________________ uptime<BR>+ uptime<BR> 19:56:16 up 44
min, 2 users, load average: 0.00, 0.02, 0.00<BR>+
_________________________ ps<BR>+ ps alxwf<BR>+ egrep -i
'ppid|pluto|ipsec|klips'<BR>F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND<BR>1 0 593 1 20 0 2132 1024 wait S ? 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid<BR>1 0 594 593 20 0 2132 1036 wait S ? 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid<BR>4 0 596 594 15 0 2356 1220 - S ? 0:00 | \_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids<BR>1 0 621 596 27 10 2356 852 - SN ? 0:00 | \_ pluto helper # 0<BR>0 0 672 596 18 0 1404 256 - S ? 0:00 | \_ _pluto_adns<BR>0 0 597 593 16 0 2128 1004 pipe_w S ? 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post<BR>0 0 595 1 20 0 1464 308 pipe_w S ? 0:00 logger -s -p daemon.error -t ipsec__plutorun<BR>0 0 1306 1041 18 0 4156 972 wait S ttyS0 0:00 \_ /bin/sh /usr/local/libexec/ipsec/barf<BR>0 0 1385 1306 22 0 1588 412 - S ttyS0 0:00 \_ egrep -i ppid|pluto|ipsec|klips<BR>+ _________________________ ipsec/showdefaults<BR>+
ipsec showdefaults<BR>routephys=eth0<BR>routevirt=ipsec0<BR>routeaddr=[Left
IP]<BR>routenexthop=10.255.255.1<BR>+ _________________________ ipsec/conf<BR>+
ipsec _include /etc/ipsec.conf<BR>+ ipsec _keycensor</DIV>
<DIV> </DIV>
<DIV>#< /etc/ipsec.conf 1<BR># /etc/ipsec.conf - Openswan IPsec configuration
file<BR># RCSID $Id: ipsec.conf.in,v 1.15.2.1 2005/07/26 12:28:39 ken Exp
$</DIV>
<DIV> </DIV>
<DIV># This file:
/usr/local/share/doc/openswan/ipsec.conf-sample<BR>#<BR>#
Manual: ipsec.conf.5</DIV>
<DIV> </DIV>
<DIV><BR>version 2.0 # conforms to second version of
ipsec.conf specification</DIV>
<DIV> </DIV>
<DIV># basic configuration<BR>config setup<BR>klipsdebug = all<BR># plutodebug / klipsdebug = "all", "none" or a combination from below:<BR># "raw crypt parsing emitting control klips pfkey natt x509 private"<BR># eg:<BR># plutodebug="control parsing"<BR>#<BR># Only enable klipsdebug=all if you are a developer<BR>#<BR># NAT-TRAVERSAL support, see README.NAT-Traversal<BR># nat_traversal=yes<BR># virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12</DIV>
<DIV> </DIV>
<DIV># Add connections here</DIV>
<DIV> </DIV>
<DIV># sample VPN connection<BR># conn sample<BR># # Left security gateway, subnet behind it, nexthop toward right.<BR># left=10.0.0.1<BR># leftsubnet=172.16.0.0/24<BR># leftnexthop=10.22.33.44<BR># # Right security gateway, subnet behind it, nexthop toward left.<BR># right=10.12.12.1<BR># rightsubnet=192.168.0.0/24<BR># rightnexthop=10.101.102.103<BR># # To authorize this connection, but not actually start it,<BR># # at startup, uncomment this.<BR># #auto=start</DIV>
<DIV> </DIV>
<DIV>conn mobius<BR>left=[Left IP]<BR>leftsubnet=192.168.0.0/24<BR>right=[Right IP]<BR>rightsubnet=172.16.0.0/24<BR>authby=secret<BR>auto=route</DIV>
<DIV> </DIV>
<DIV>#Disable Opportunistic Encryption</DIV>
<DIV> </DIV>
<DIV>#< /etc/ipsec.d/examples/no_oe.conf 1<BR># 'include' this file to
disable Opportunistic Encryption.<BR># See
/usr/local/share/doc/openswan/policygroups.html for details.<BR>#<BR># RCSID
$Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $<BR>conn
block<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>conn private<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>conn private-or-clear<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>conn clear-or-private<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>conn clear<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>conn packetdefault<BR> auto=ignore</DIV>
<DIV> </DIV>
<DIV>#> /etc/ipsec.conf 58<BR>+ _________________________ ipsec/secrets<BR>+
ipsec _include /etc/ipsec.secrets<BR>+ ipsec _secretcensor</DIV>
<DIV> </DIV>
<DIV>#< /etc/ipsec.secrets 1<BR>: PSK "[sums to fef9...]"<BR>[Left IP] [Right
IP]: PSK "[sums to fef9...]"<BR>+ _________________________ ipsec/listall<BR>+
ipsec auto --listall<BR>000<BR>000 List of Public Keys:<BR>000<BR>+ '['
/etc/ipsec.d/policies ']'<BR>++ basename /etc/ipsec.d/policies/block<BR>+
base=block<BR>+ _________________________ ipsec/policies/block<BR>+ cat
/etc/ipsec.d/policies/block<BR># This file defines the set of CIDRs
(network/mask-length) to which<BR># communication should never be
allowed.<BR>#<BR># See /usr/local/share/doc/openswan/policygroups.html for
details.<BR>#<BR># $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $<BR>#</DIV>
<DIV> </DIV>
<DIV>++ basename /etc/ipsec.d/policies/clear<BR>+ base=clear<BR>+
_________________________ ipsec/policies/clear<BR>+ cat
/etc/ipsec.d/policies/clear<BR># This file defines the set of CIDRs
(network/mask-length) to which<BR># communication should always be in the
clear.<BR>#<BR># See /usr/local/share/doc/openswan/policygroups.html for
details.<BR>#<BR># $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $<BR>#<BR>++
basename /etc/ipsec.d/policies/clear-or-private<BR>+ base=clear-or-private<BR>+
_________________________ ipsec/policies/clear-or-private<BR>+ cat
/etc/ipsec.d/policies/clear-or-private<BR># This file defines the set of CIDRs
(network/mask-length) to which<BR># we will communicate in the clear, or, if the
other side initiates IPSEC,<BR># using encryption. This behaviour is also
called "Opportunistic Responder".<BR>#<BR># See
/usr/local/share/doc/openswan/policygroups.html for details.<BR>#<BR># $Id:
clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $<BR>#<BR>++ basename
/etc/ipsec.d/policies/private<BR>+ base=private<BR>+ _________________________
ipsec/policies/private<BR>+ cat /etc/ipsec.d/policies/private<BR># This file
defines the set of CIDRs (network/mask-length) to which<BR># communication
should always be private (i.e. encrypted).<BR># See
/usr/local/share/doc/openswan/policygroups.html for details.<BR>#<BR># $Id:
private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $<BR>#<BR>++ basename
/etc/ipsec.d/policies/private-or-clear<BR>+ base=private-or-clear<BR>+
_________________________ ipsec/policies/private-or-clear<BR>+ cat
/etc/ipsec.d/policies/private-or-clear<BR># This file defines the set of CIDRs
(network/mask-length) to which<BR># communication should be private, if
possible, but in the clear otherwise.<BR>#<BR># If the target has a TXT (later
IPSECKEY) record that specifies<BR># authentication material, we will require
private (i.e. encrypted)<BR># communications. If no such record is found,
communications will be<BR># in the clear.<BR>#<BR># See
/usr/local/share/doc/openswan/policygroups.html for details.<BR>#<BR># $Id:
private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $<BR>#</DIV>
<DIV> </DIV>
<DIV>0.0.0.0/0<BR>+ _________________________ ipsec/ls-libdir<BR>+ ls -l
/usr/local/lib/ipsec<BR>total 292<BR>-rwxr-xr-x 1 root root 15535 Nov 25
19:09 _confread<BR>-rwxr-xr-x 1 root root 15535 Nov 25 10:51
_confread.old<BR>-rwxr-xr-x 1 root root 45252 Nov 25 19:09
_copyright<BR>-rwxr-xr-x 1 root root 45252 Nov 25 10:51
_copyright.old<BR>-rwxr-xr-x 1 root root 2379 Nov 25 19:09
_include<BR>-rwxr-xr-x 1 root root 2379 Nov 25 10:51
_include.old<BR>-rwxr-xr-x 1 root root 1475 Nov 25 19:09
_keycensor<BR>-rwxr-xr-x 1 root root 1475 Nov 25 10:51
_keycensor.old<BR>-rwxr-xr-x 1 root root 3586 Nov 25 19:09
_plutoload<BR>-rwxr-xr-x 1 root root 3586 Nov 25 10:51
_plutoload.old<BR>-rwxr-xr-x 1 root root 7443 Nov 25 19:09
_plutorun<BR>-rwxr-xr-x 1 root root 7443 Nov 25 10:51
_plutorun.old<BR>-rwxr-xr-x 1 root root 12275 Nov 25 19:09
_realsetup<BR>-rwxr-xr-x 1 root root 12275 Nov 25 10:51
_realsetup.old<BR>-rwxr-xr-x 1 root root 1975 Nov 25 19:09
_secretcensor<BR>-rwxr-xr-x 1 root root 1975 Nov 25 10:51
_secretcensor.old<BR>-rwxr-xr-x 1 root root 9778 Nov 25 19:09
_startklips<BR>-rwxr-xr-x 1 root root 9778 Nov 25 10:51
_startklips.old<BR>-rwxr-xr-x 1 root root 13417 Nov 25 19:09
_updown<BR>-rwxr-xr-x 1 root root 13417 Nov 25 10:51
_updown.old<BR>-rwxr-xr-x 1 root root 15746 Nov 25 19:09
_updown_x509<BR>-rwxr-xr-x 1 root root 15746 Nov 25 10:51
_updown_x509.old<BR>-rwxr-xr-x 1 root root 1942 Nov 25 19:09
ipsec_pr.template<BR>+ _________________________ ipsec/ls-execdir<BR>+ ls -l
/usr/local/libexec/ipsec<BR>total 9808<BR>-rwxr-xr-x 1 root
root 69197 Nov 25 19:09 _pluto_adns<BR>-rwxr-xr-x 1 root
root 69197 Nov 25 10:51 _pluto_adns.old<BR>-rwxr-xr-x 1 root
root 19157 Nov 25 19:09 auto<BR>-rwxr-xr-x 1 root
root 19157 Nov 25 10:51 auto.old<BR>-rwxr-xr-x 1 root
root 10584 Nov 25 19:09 barf<BR>-rwxr-xr-x 1 root
root 10584 Nov 25 10:51 barf.old<BR>-rwxr-xr-x 1 root
root 816 Nov 25 19:09 calcgoo<BR>-rwxr-xr-x 1 root
root 816 Nov 25 10:51 calcgoo.old<BR>-rwxr-xr-x 1
root root 316534 Nov 25 19:09 eroute<BR>-rwxr-xr-x 1 root root
316534 Nov 25 10:51 eroute.old<BR>-rwxr-xr-x 1 root root 129396 Nov
25 19:09 ikeping<BR>-rwxr-xr-x 1 root root 129396 Nov 25 10:51
ikeping.old<BR>-rwxr-xr-x 1 root root 185639 Nov 25 19:09
klipsdebug<BR>-rwxr-xr-x 1 root root 185639 Nov 25 10:51
klipsdebug.old<BR>-rwxr-xr-x 1 root root 1836 Nov 25
19:09 livetest<BR>-rwxr-xr-x 1 root root 1836 Nov 25
10:51 livetest.old<BR>-rwxr-xr-x 1 root root 2605 Nov 25
19:09 look<BR>-rwxr-xr-x 1 root root 2605 Nov 25 10:51
look.old<BR>-rwxr-xr-x 1 root root 7159 Nov 25 19:09
mailkey<BR>-rwxr-xr-x 1 root root 7159 Nov 25 10:51
mailkey.old<BR>-rwxr-xr-x 1 root root 15996 Nov 25 19:09
manual<BR>-rwxr-xr-x 1 root root 15996 Nov 25 10:51
manual.old<BR>-rwxr-xr-x 1 root root 1926 Nov 25 19:09
newhostkey<BR>-rwxr-xr-x 1 root root 1926 Nov 25 10:51
newhostkey.old<BR>-rwxr-xr-x 1 root root 166104 Nov 25 19:09
pf_key<BR>-rwxr-xr-x 1 root root 166104 Nov 25 10:51
pf_key.old<BR>-rwxr-xr-x 1 root root 2769359 Nov 25 19:09
pluto<BR>-rwxr-xr-x 1 root root 2769359 Nov 25 10:51
pluto.old<BR>-rwxr-xr-x 1 root root 49150 Nov 25 19:09
ranbits<BR>-rwxr-xr-x 1 root root 49150 Nov 25 10:51
ranbits.old<BR>-rwxr-xr-x 1 root root 78968 Nov 25 19:09
rsasigkey<BR>-rwxr-xr-x 1 root root 78968 Nov 25 10:51
rsasigkey.old<BR>-rwxr-xr-x 1 root root 766 Nov 25
19:09 secrets<BR>-rwxr-xr-x 1 root root 766 Nov 25
10:51 secrets.old<BR>-rwxr-xr-x 1 root root 17660 Nov 25 19:09
send-pr<BR>-rwxr-xr-x 1 root root 17660 Nov 25 10:51
send-pr.old<BR>lrwxrwxrwx 1 root root 22 Nov
25 19:09 setup -> /etc/rc.d/init.d/ipsec<BR>-rwxr-xr-x 1 root
root 1054 Nov 25 19:09 showdefaults<BR>-rwxr-xr-x 1 root
root 1054 Nov 25 10:51 showdefaults.old<BR>-rwxr-xr-x 1
root root 4748 Nov 25 19:09 showhostkey<BR>-rwxr-xr-x 1
root root 4748 Nov 25 10:51
showhostkey.old<BR>-rwxr-xr-x 1 root root 515916 Nov 25 19:09
spi<BR>-rwxr-xr-x 1 root root 515916 Nov 25 10:51
spi.old<BR>-rwxr-xr-x 1 root root 254307 Nov 25 19:09
spigrp<BR>-rwxr-xr-x 1 root root 254307 Nov 25 10:51
spigrp.old<BR>-rwxr-xr-x 1 root root 53394 Nov 25 19:09
tncfg<BR>-rwxr-xr-x 1 root root 53394 Nov 25 10:51
tncfg.old<BR>-rwxr-xr-x 1 root root 10613 Nov 25 19:09
verify<BR>-rwxr-xr-x 1 root root 10613 Nov 25 10:51
verify.old<BR>-rwxr-xr-x 1 root root 282864 Nov 25 19:09
whack<BR>-rwxr-xr-x 1 root root 282864 Nov 25 10:51 whack.old<BR>+
_________________________ ipsec/updowns<BR>++ ls /usr/local/libexec/ipsec<BR>++
egrep updown<BR>+ _________________________ /proc/net/dev<BR>+ cat
/proc/net/dev<BR>Inter-| Receive | Transmit<BR>face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed<BR>ip_tables: (C) 2000-2002 Netfilter core team<BR>eth0: 351386 1992 0 0 0 0 0 0 891589 1397 0 0 0 0 0 0<BR>ip_conntrack version 2.1 (8177 buckets, 65416 max) - 216 bytes per conntrack<BR>lo: 2464 22 0 0 0 0 0 0 2464 22 0 0 0 0 0 0<BR>sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0<BR>+
_________________________ /proc/net/route<BR>+ cat
/proc/net/route<BR>Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT<BR>eth0 01FFFF0A 00000000 0005 0 0 0 FFFFFFFF 0 0 0<BR>eth0 000010AC 00000000 0001 0 0 0 00FFFFFF 0 0 0<BR>eth0 0000A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0<BR>eth0 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0<BR>eth0 00000000 01FFFF0A 0003 0 0 0 00000000 0 0 0
<BR>+ _________________________ /proc/sys/net/ipv4/ip_forward<BR>+ cat
/proc/sys/net/ipv4/ip_forward<BR>0<BR>+ _________________________
/proc/sys/net/ipv4/conf/star-rp_filter<BR>+ cd /proc/sys/net/ipv4/conf<BR>+
egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
lo/rp_filter<BR>all/rp_filter:0<BR>default/rp_filter:1<BR>eth0/rp_filter:1<BR>lo/rp_filter:1<BR>+
_________________________ uname-a<BR>+ uname -a<BR>Linux ??????.pureserver.info
2.6.11.12 #2 SMP Fri Nov 25 18:53:47 GMT 2005 i686 i686 i386 GNU/Linux<BR>+
_________________________ config-built-with<BR>+ test -r
/proc/config_built_with<BR>+ _________________________ redhat-release<BR>+ test
-r /etc/redhat-release<BR>+ cat /etc/redhat-release<BR>Fedora Core release 2
(Tettnang)<BR>+ _________________________ /proc/net/ipsec_version<BR>+ test -r
/proc/net/ipsec_version<BR>+ test -r /proc/net/pfkey<BR>++ uname -r<BR>+ echo
'NETKEY (2.6.11.12) support detected '<BR>NETKEY (2.6.11.12) support
detected<BR>+ _________________________ ipfwadm<BR>+ test -r /sbin/ipfwadm<BR>+
'no old-style linux 1.x/2.0 ipfwadm firewall
support'<BR>/usr/local/libexec/ipsec/barf: line 297: no old-style linux 1.x/2.0
ipfwadm firewall support: No such file or directory<BR>+
_________________________ ipchains<BR>+ test -r /sbin/ipchains<BR>+ echo 'no
old-style linux 2.0 ipchains firewall support'<BR>no old-style linux 2.0
ipchains firewall support<BR>+ _________________________ iptables<BR>+ test -r
/sbin/iptables<BR>+ iptables -L -v -n<BR>Chain INPUT (policy ACCEPT 0 packets, 0
bytes)<BR> pkts bytes target prot opt
in out
source
destination </DIV>
<DIV> </DIV>
<DIV>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<BR> pkts bytes
target prot opt in
out
source
destination </DIV>
<DIV> </DIV>
<DIV>Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<BR> pkts bytes
target prot opt in
out
source
destination <BR>+ _________________________ iptables-nat<BR>+ iptables -t nat -L
-v -n<BR>Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)<BR> pkts bytes
target prot opt in
out
source
destination </DIV>
<DIV> </DIV>
<DIV>Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<BR> pkts bytes
target prot opt in
out
source
destination </DIV>
<DIV> </DIV>
<DIV>Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<BR> pkts bytes
target prot opt in
out
source
destination <BR>+ _________________________ iptables-mangle<BR>+ iptables -t
mangle -L -v -n<BR>Chain PREROUTING (policy ACCEPT 0 packets, 0
bytes)<BR> pkts bytes target prot opt
in out
source
destination </DIV>
<DIV> </DIV>
<DIV>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<BR> pkts bytes
target prot opt in
out
source
destination </DIV>
<DIV> </DIV>
<DIV>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<BR> pkts bytes
target prot opt in
out
source
destination </DIV>
<DIV> </DIV>
<DIV>Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<BR> pkts bytes
target prot opt in
out
source
destination </DIV>
<DIV> </DIV>
<DIV>Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<BR> pkts bytes
target prot opt in
out
source
destination <BR>+ _________________________ /proc/modules<BR>+ test -f
/proc/modules<BR>+ cat /proc/modules<BR>iptable_mangle 3328 0 - Live
0xf892f000<BR>iptable_nat 24124 0 - Live 0xf898c000<BR>ip_conntrack 45000 1
iptable_nat, Live 0xf89f6000<BR>iptable_filter 3584 0 - Live
0xf891d000<BR>ip_tables 22528 3 iptable_mangle,iptable_nat,iptable_filter, Live
0xf8994000<BR>ipv6 266624 18 - Live 0xf89b3000<BR>deflate 4352 0 - Live
0xf892c000<BR>zlib_deflate 23320 1 deflate, Live 0xf8951000<BR>zlib_inflate
18688 1 deflate, Live 0xf894b000<BR>twofish 39296 0 - Live 0xf895a000<BR>serpent
14848 0 - Live 0xf8946000<BR>blowfish 8832 0 - Live 0xf8942000<BR>sha256 10240 0
- Live 0xf893e000<BR>crypto_null 2816 0 - Live 0xf8901000<BR>aes_i586 39680 0 -
Live 0xf8933000<BR>des 12288 4 - Live 0xf8928000<BR>md5 4608 1 - Live
0xf8925000<BR>sha1 9088 4 - Live 0xf8919000<BR>xfrm_user 17284 0 - Live
0xf891f000<BR>xfrm4_tunnel 4484 0 - Live 0xf8916000<BR>ipcomp 9608 0 - Live
0xf8912000<BR>esp4 8960 4 - Live 0xf890e000<BR>ah4 7296 0 - Live
0xf890b000<BR>microcode 7680 0 - Live 0xf8908000<BR>binfmt_misc 12936 1 - Live
0xf8903000<BR>+ _________________________ /proc/meminfo<BR>+ cat
/proc/meminfo<BR>MemTotal: 1034000 kB<BR>MemFree: 821796 kB<BR>Buffers: 7060 kB<BR>Cached: 60464 kB<BR>SwapCached: 0 kB<BR>Active: 159904 kB<BR>Inactive: 34404 kB<BR>HighTotal: 129212 kB<BR>HighFree: 140 kB<BR>LowTotal: 904788 kB<BR>LowFree: 821656 kB<BR>SwapTotal: 2048276 kB<BR>SwapFree: 2048276 kB<BR>Dirty: 60 kB<BR>Writeback: 0 kB<BR>Mapped: 143348 kB<BR>Slab: 11048 kB<BR>CommitLimit: 2565276 kB<BR>Committed_AS: 321892 kB<BR>PageTables: 1948 kB<BR>VmallocTotal: 114680 kB<BR>VmallocUsed: 2024 kB<BR>VmallocChunk: 112624 kB<BR>+ _________________________
/proc/net/ipsec-ls<BR>+ test -f /proc/net/ipsec_version<BR>+
_________________________ usr/src/linux/.config<BR>+ test -f
/proc/config.gz<BR>+ zcat /proc/config.gz<BR>+ egrep
'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'<BR>CONFIG_NET_KEY=y<BR>CONFIG_INET=y<BR>#
CONFIG_IP_MULTICAST is not set<BR># CONFIG_IP_ADVANCED_ROUTER is not set<BR>#
CONFIG_IP_PNP is not
set<BR>CONFIG_INET_AH=m<BR>CONFIG_INET_ESP=m<BR>CONFIG_INET_IPCOMP=m<BR>CONFIG_INET_TUNNEL=m<BR>CONFIG_IP_TCPDIAG=y<BR>#
CONFIG_IP_TCPDIAG_IPV6 is not set<BR># CONFIG_IP_VS is not
set<BR>CONFIG_IPV6=m<BR>CONFIG_IPV6_PRIVACY=y<BR>CONFIG_INET6_AH=m<BR>CONFIG_INET6_ESP=m<BR>CONFIG_INET6_IPCOMP=m<BR>CONFIG_INET6_TUNNEL=m<BR>#
CONFIG_IPV6_TUNNEL is not set<BR>CONFIG_IP_NF_CONNTRACK=m<BR>#
CONFIG_IP_NF_CT_ACCT is not set<BR># CONFIG_IP_NF_CONNTRACK_MARK is not set<BR>#
CONFIG_IP_NF_CT_PROTO_SCTP is not
set<BR>CONFIG_IP_NF_FTP=m<BR>CONFIG_IP_NF_IRC=m<BR>CONFIG_IP_NF_TFTP=m<BR>CONFIG_IP_NF_AMANDA=m<BR>CONFIG_IP_NF_QUEUE=m<BR>CONFIG_IP_NF_IPTABLES=m<BR>CONFIG_IP_NF_MATCH_LIMIT=m<BR>#
CONFIG_IP_NF_MATCH_IPRANGE is not
set<BR>CONFIG_IP_NF_MATCH_MAC=m<BR>CONFIG_IP_NF_MATCH_PKTTYPE=m<BR>CONFIG_IP_NF_MATCH_MARK=m<BR>CONFIG_IP_NF_MATCH_MULTIPORT=m<BR>CONFIG_IP_NF_MATCH_TOS=m<BR>CONFIG_IP_NF_MATCH_RECENT=m<BR>CONFIG_IP_NF_MATCH_ECN=m<BR>CONFIG_IP_NF_MATCH_DSCP=m<BR>CONFIG_IP_NF_MATCH_AH_ESP=m<BR>CONFIG_IP_NF_MATCH_LENGTH=m<BR>CONFIG_IP_NF_MATCH_TTL=m<BR>CONFIG_IP_NF_MATCH_TCPMSS=m<BR>CONFIG_IP_NF_MATCH_HELPER=m<BR>CONFIG_IP_NF_MATCH_STATE=m<BR>CONFIG_IP_NF_MATCH_CONNTRACK=m<BR>CONFIG_IP_NF_MATCH_OWNER=m<BR>#
CONFIG_IP_NF_MATCH_ADDRTYPE is not set<BR># CONFIG_IP_NF_MATCH_REALM is not
set<BR># CONFIG_IP_NF_MATCH_SCTP is not set<BR># CONFIG_IP_NF_MATCH_COMMENT is
not set<BR># CONFIG_IP_NF_MATCH_HASHLIMIT is not
set<BR>CONFIG_IP_NF_FILTER=m<BR>CONFIG_IP_NF_TARGET_REJECT=m<BR>CONFIG_IP_NF_TARGET_LOG=m<BR>CONFIG_IP_NF_TARGET_ULOG=m<BR>CONFIG_IP_NF_TARGET_TCPMSS=m<BR>CONFIG_IP_NF_NAT=m<BR>CONFIG_IP_NF_NAT_NEEDED=y<BR>CONFIG_IP_NF_TARGET_MASQUERADE=m<BR>CONFIG_IP_NF_TARGET_REDIRECT=m<BR>#
CONFIG_IP_NF_TARGET_NETMAP is not set<BR># CONFIG_IP_NF_TARGET_SAME is not
set<BR>CONFIG_IP_NF_NAT_SNMP_BASIC=m<BR>CONFIG_IP_NF_NAT_IRC=m<BR>CONFIG_IP_NF_NAT_FTP=m<BR>CONFIG_IP_NF_NAT_TFTP=m<BR>CONFIG_IP_NF_NAT_AMANDA=m<BR>CONFIG_IP_NF_MANGLE=m<BR>CONFIG_IP_NF_TARGET_TOS=m<BR>CONFIG_IP_NF_TARGET_ECN=m<BR>CONFIG_IP_NF_TARGET_DSCP=m<BR>CONFIG_IP_NF_TARGET_MARK=m<BR>#
CONFIG_IP_NF_TARGET_CLASSIFY is not set<BR># CONFIG_IP_NF_RAW is not
set<BR>CONFIG_IP_NF_ARPTABLES=m<BR>CONFIG_IP_NF_ARPFILTER=m<BR>CONFIG_IP_NF_ARP_MANGLE=m<BR>CONFIG_IP6_NF_QUEUE=m<BR>CONFIG_IP6_NF_IPTABLES=m<BR>CONFIG_IP6_NF_MATCH_LIMIT=m<BR>CONFIG_IP6_NF_MATCH_MAC=m<BR>CONFIG_IP6_NF_MATCH_RT=m<BR>CONFIG_IP6_NF_MATCH_OPTS=m<BR>CONFIG_IP6_NF_MATCH_FRAG=m<BR>CONFIG_IP6_NF_MATCH_HL=m<BR>CONFIG_IP6_NF_MATCH_MULTIPORT=m<BR>CONFIG_IP6_NF_MATCH_OWNER=m<BR>CONFIG_IP6_NF_MATCH_MARK=m<BR>CONFIG_IP6_NF_MATCH_IPV6HEADER=m<BR>CONFIG_IP6_NF_MATCH_AHESP=m<BR>CONFIG_IP6_NF_MATCH_LENGTH=m<BR>CONFIG_IP6_NF_MATCH_EUI64=m<BR>CONFIG_IP6_NF_FILTER=m<BR>CONFIG_IP6_NF_TARGET_LOG=m<BR>CONFIG_IP6_NF_MANGLE=m<BR>CONFIG_IP6_NF_TARGET_MARK=m<BR>#
CONFIG_IP6_NF_RAW is not set<BR># CONFIG_IP_SCTP is not set<BR># CONFIG_IPX is
not set<BR># CONFIG_IPMI_HANDLER is not set<BR>+ _________________________
etc/syslog.conf<BR>+ cat /etc/syslog.conf<BR># Log all kernel messages to the
console.<BR># Logging much else clutters up the
screen.<BR>#kern.*
/dev/console</DIV>
<DIV> </DIV>
<DIV># Log anything (except mail) of level info or higher.<BR># Don't log
private authentication
messages!<BR>*.info;mail.none;authpriv.none;cron.none
/var/log/messages</DIV>
<DIV> </DIV>
<DIV># The authpriv file has restricted
access.<BR>authpriv.*
/var/log/secure</DIV>
<DIV> </DIV>
<DIV># Log all the mail messages in one
place.<BR>mail.*
/usr/local/psa/var/log/maillog</DIV>
<DIV> </DIV>
<DIV><BR># Log cron
stuff<BR>cron.*
/var/log/cron</DIV>
<DIV> </DIV>
<DIV># Everybody gets emergency
messages<BR>*.emerg
*</DIV>
<DIV> </DIV>
<DIV># Save news errors of level crit and higher in a special
file.<BR>uucp,news.crit
/var/log/spooler</DIV>
<DIV> </DIV>
<DIV># Save boot messages also to
boot.log<BR>local7.*
/var/log/boot.log<BR>+ _________________________ etc/resolv.conf<BR>+ cat
/etc/resolv.conf<BR>; generated by /sbin/dhclient-script<BR>search
pureserver.info<BR>nameserver 212.227.64.251<BR>nameserver
195.20.224.99<BR>nameserver 195.20.224.234<BR>+ _________________________
lib/modules-ls<BR>+ ls -ltr /lib/modules<BR>total 44<BR>drwxr-xr-x 4 root
root 4096 Feb 17 2005 2.6.9-1.6_FC2smp<BR>drwxr-xr-x 4 root root
4096 Feb 17 2005 2.6.9-1.6_FC2<BR>drwxr-xr-x 4 root root 4096 Feb
17 2005 2.6.10-1.9_FC2smp<BR>drwxr-xr-x 4 root root 4096 Nov 14
19:17 2.6.10-1.771_FC2smp<BR>drwxr-xr-x 3 root root 4096 Nov 15 08:54
2.6.5-1.358custom<BR>drwxr-xr-x 3 root root 4096 Nov 15 18:12
2.6.9-041221<BR>drwxr-xr-x 3 root root 4096 Nov 25 10:20
2.6.14.2m1<BR>drwxr-xr-x 3 root root 4096 Nov 25 10:45
2.6.14.2<BR>drwxr-xr-x 3 root root 4096 Nov 25 16:04
2.6.9-041214<BR>drwxr-xr-x 3 root root 4096 Nov 25 16:33
2.6.14.3<BR>drwxr-xr-x 3 root root 4096 Nov 25 19:02 2.6.11.12<BR>+
_________________________ /proc/ksyms-netif_rx<BR>+ test -r /proc/ksyms<BR>+
test -r /proc/kallsyms<BR>+ egrep netif_rx /proc/kallsyms<BR>c02e8d50 T
netif_rx<BR>c02e8f40 T netif_rx_ni<BR>c02e8d50 U
netif_rx [ipv6]<BR>+ _________________________
lib/modules-netif_rx<BR>+ modulegoo kernel/net/ipv4/ipip.o netif_rx<BR>+ set
+x<BR>2.6.10-1.771_FC2smp:<BR>2.6.10-1.9_FC2smp:<BR>2.6.11.12:<BR>2.6.14.2:<BR>2.6.14.2m1:<BR>2.6.14.3:<BR>2.6.5-1.358custom:<BR>2.6.9-041214:<BR>2.6.9-041221:<BR>2.6.9-1.6_FC2:<BR>2.6.9-1.6_FC2smp:<BR>+
_________________________ kern.debug<BR>+ test -f /var/log/kern.debug<BR>+
_________________________ klog<BR>+ sed -n '13805,$p' /var/log/messages<BR>+
egrep -i 'ipsec|klips|pluto'<BR>+ cat<BR>Nov 25 19:12:11 ?????? ipsec:
ipsec_setup: Starting Openswan IPsec U2.4.5dr2/K2.6.11.12...<BR>Nov 25 19:12:11
?????? ipsec: ipsec_setup: insmod
/lib/modules/2.6.11.12/kernel/net/ipv4/ah4.ko<BR>Nov 25 19:12:11 ?????? ipsec:
ipsec_setup: insmod /lib/modules/2.6.11.12/kernel/net/ipv4/esp4.ko<BR>Nov 25
19:12:11 ?????? ipsec: ipsec_setup: insmod
/lib/modules/2.6.11.12/kernel/net/ipv4/ipcomp.ko<BR>Nov 25 19:12:11 ??????
ipsec: ipsec_setup: insmod
/lib/modules/2.6.11.12/kernel/net/ipv4/xfrm4_tunnel.ko<BR>Nov 25 19:12:11 ??????
ipsec: ipsec_setup: insmod
/lib/modules/2.6.11.12/kernel/net/xfrm/xfrm_user.ko<BR>Nov 25 19:12:11 ??????
ipsec: ipsec_setup: insmod /lib/modules/2.6.11.12/kernel/crypto/sha1.ko<BR>Nov
25 19:12:11 ?????? ipsec: ipsec_setup: insmod
/lib/modules/2.6.11.12/kernel/crypto/md5.ko<BR>Nov 25 19:12:11 ?????? ipsec:
ipsec_setup: insmod /lib/modules/2.6.11.12/kernel/crypto/des.ko<BR>Nov 25
19:12:11 ?????? ipsec: ipsec_setup: insmod
/lib/modules/2.6.11.12/kernel/arch/i386/crypto/aes-i586.ko<BR>Nov 25 19:12:11
?????? rc: Starting ipsec: succeeded<BR>+ _________________________
plog<BR>+ sed -n '18398,$p' /var/log/secure<BR>+ egrep -i pluto<BR>+ cat<BR>Nov
25 19:12:11 ?????? ipsec__plutorun: Starting Pluto subsystem...<BR>Nov 25
19:12:11 ?????? pluto[596]: Starting Pluto (Openswan Version 2.4.5dr2
X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID
OErg}^Yx{Yhd)<BR>Nov 25 19:12:11 ?????? pluto[596]: Setting NAT-Traversal
port-4500 floating to off<BR>Nov 25 19:12:11 ??????
pluto[596]: port floating activation criteria
nat_t=0/port_fload=1<BR>Nov 25 19:12:11 ?????? pluto[596]: including
NAT-Traversal patch (Version 0.6c) [disabled]<BR>Nov 25 19:12:11 ??????
pluto[596]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<BR>Nov
25 19:12:11 ?????? pluto[596]: starting up 1 cryptographic helpers<BR>Nov 25
19:12:11 ?????? pluto[596]: started helper pid=621 (fd:6)<BR>Nov 25 19:12:11
?????? pluto[596]: Using Linux 2.6 IPsec interface code on 2.6.11.12<BR>Nov 25
19:12:11 ?????? pluto[596]: Changing to directory '/etc/ipsec.d/cacerts'<BR>Nov
25 19:12:11 ?????? pluto[596]: Changing to directory
'/etc/ipsec.d/aacerts'<BR>Nov 25 19:12:11 ?????? pluto[596]: Changing to
directory '/etc/ipsec.d/ocspcerts'<BR>Nov 25 19:12:11 ?????? pluto[596]:
Changing to directory '/etc/ipsec.d/crls'<BR>Nov 25 19:12:11 ??????
pluto[596]: Warning: empty directory<BR>Nov 25 19:12:11 ??????
pluto[596]: added connection description "mobius"<BR>Nov 25 19:12:11 ??????
pluto[596]: listening for IKE messages<BR>Nov 25 19:12:11 ?????? pluto[596]:
adding interface lo/lo 127.0.0.1:500<BR>Nov 25 19:12:11 ?????? pluto[596]:
adding interface eth0/eth0 [Left IP]:500<BR>Nov 25 19:12:11 ?????? pluto[596]:
loading secrets from "/etc/ipsec.secrets"<BR>Nov 25 19:18:10 ?????? pluto[596]:
"mobius" #1: initiating Main Mode<BR>Nov 25 19:18:10 ?????? pluto[596]: "mobius"
#1: ignoring unknown Vendor ID payload
[1fc46a9704dd84ebad7e205854a55ad58f9a038d000000030000050a]<BR>Nov 25 19:18:10
?????? pluto[596]: "mobius" #1: ignoring Vendor ID payload [HeartBeat Notify
386b0100]<BR>Nov 25 19:18:10 ?????? pluto[596]: "mobius" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2<BR>Nov 25 19:18:10 ?????? pluto[596]:
"mobius" #1: STATE_MAIN_I2: sent MI2, expecting MR2<BR>Nov 25 19:18:10 ??????
pluto[596]: "mobius" #1: I did not send a certificate because I do not have
one.<BR>Nov 25 19:18:10 ?????? pluto[596]: "mobius" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3<BR>Nov 25 19:18:10 ?????? pluto[596]:
"mobius" #1: STATE_MAIN_I3: sent MI3, expecting MR3<BR>Nov 25 19:18:10 ??????
pluto[596]: "mobius" #1: Main mode peer ID is ID_IPV4_ADDR: '[Right IP]'<BR>Nov
25 19:18:10 ?????? pluto[596]: "mobius" #1: transition from state STATE_MAIN_I3
to state STATE_MAIN_I4<BR>Nov 25 19:18:10 ?????? pluto[596]: "mobius" #1:
STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}<BR>Nov 25 19:18:10
?????? pluto[596]: "mobius" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
{using isakmp#1}<BR>Nov 25 19:18:10 ?????? pluto[596]: "mobius" #2: ignoring
informational payload, type IPSEC_RESPONDER_LIFETIME<BR>Nov 25 19:18:10 ??????
pluto[596]: "mobius" #2: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2<BR>Nov 25 19:18:10 ?????? pluto[596]: "mobius" #2:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9f79796f
<0xdcfb062e xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}<BR>Nov 25 19:36:16
?????? pluto[596]: "mobius" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
{using isakmp#1}<BR>Nov 25 19:36:16 ?????? pluto[596]: "mobius" #3: ignoring
informational payload, type IPSEC_RESPONDER_LIFETIME<BR>Nov 25 19:36:16 ??????
pluto[596]: "mobius" #3: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2<BR>Nov 25 19:36:16 ?????? pluto[596]: "mobius" #3:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9f797971
<0x50a0c52c xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}<BR>+
_________________________ date<BR>+ date<BR>Fri Nov 25 19:56:21 GMT 2005</DIV>
<DIV> </DIV></FONT></BODY></HTML>