omnia.nicolan.com Wed Oct 25 11:50:32 CEST 2006 + _________________________ version + ipsec --version Linux Openswan 2.4.7rc2 (klips) See `ipsec --copyright' for copyright information. + _________________________ /proc/version + cat /proc/version Linux version 2.6.17.13 (root@omnia.nicolan.com) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-3)) #2 Fri Oct 20 16:04:10 CEST 2006 + _________________________ /proc/net/ipsec_eroute + test -r /proc/net/ipsec_eroute + sort -sg +3 /proc/net/ipsec_eroute + _________________________ netstat-rn + netstat -nr + head -n 100 Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 62.123.146.12 0.0.0.0 255.255.255.252 U 0 0 0 eth1 62.123.146.12 0.0.0.0 255.255.255.252 U 0 0 0 ipsec0 10.0.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1 0.0.0.0 62.123.146.13 0.0.0.0 UG 0 0 0 eth1 + _________________________ /proc/net/ipsec_spi + test -r /proc/net/ipsec_spi + cat /proc/net/ipsec_spi + _________________________ /proc/net/ipsec_spigrp + test -r /proc/net/ipsec_spigrp + cat /proc/net/ipsec_spigrp + _________________________ /proc/net/ipsec_tncfg + test -r /proc/net/ipsec_tncfg + cat /proc/net/ipsec_tncfg ipsec0 -> eth1 mtu=16260(1500) -> 1500 ipsec1 -> NULL mtu=0(0) -> 0 ipsec2 -> NULL mtu=0(0) -> 0 ipsec3 -> NULL mtu=0(0) -> 0 + _________________________ /proc/net/pfkey + test -r /proc/net/pfkey + _________________________ /proc/sys/net/ipsec-star + test -d /proc/sys/net/ipsec + cd /proc/sys/net/ipsec + egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check pfkey_lossage tos debug_ah:0 debug_eroute:0 debug_esp:0 debug_ipcomp:0 debug_netlink:0 debug_pfkey:0 debug_radij:0 debug_rcv:0 debug_spi:0 debug_tunnel:0 debug_verbose:0 debug_xform:0 icmp:1 inbound_policy_check:1 pfkey_lossage:0 tos:1 + _________________________ ipsec/status + ipsec auto --status 000 interface ipsec0/eth1 62.123.146.14 000 interface ipsec0/eth1 62.123.146.14 000 %myid = (none) 000 debug none 000 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 000 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 000 000 "nico": 62.123.146.14[C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=omnia.nicolan.com]:17/1701---62.123.146.13...%virtual[C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it]:17/1701===?; unrouted; eroute owner: #0 000 "nico": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown; 000 "nico": CAs: '\364\237@'...'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=nicolan' 000 "nico": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 000 "nico": policy: RSASIG+ENCRYPT+TUNNEL; prio: 32,32; interface: eth1; encap: esp; 000 "nico": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "nico"[1]: 62.123.146.14[C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=omnia.nicolan.com]:17/1701---62.123.146.13...85.18.80.194[C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it]:17/1701===?; unrouted; eroute owner: #0 000 "nico"[1]: srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown; 000 "nico"[1]: CAs: '\364\237@'...'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=nicolan' 000 "nico"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 000 "nico"[1]: policy: RSASIG+ENCRYPT+TUNNEL; prio: 32,32; interface: eth1; encap: esp; 000 "nico"[1]: newest ISAKMP SA: #0; newest IPsec SA: #0; 000 000 #1: "nico"[1] 85.18.80.194:500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 14s; nodpd 000 + _________________________ ifconfig-a + ifconfig -a eth0 Link encap:Ethernet HWaddr 00:05:1C:1A:B0:42 inet addr:10.0.0.1 Bcast:10.0.255.255 Mask:255.255.0.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:60968 errors:0 dropped:0 overruns:0 frame:0 TX packets:77303 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:7015802 (6.6 MiB) TX bytes:32859309 (31.3 MiB) Interrupt:11 Base address:0xec00 eth1 Link encap:Ethernet HWaddr 00:40:63:DE:D4:57 inet addr:62.123.146.14 Bcast:62.123.146.15 Mask:255.255.255.252 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:436661 errors:0 dropped:0 overruns:0 frame:108 TX packets:287968 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:61804178 (58.9 MiB) TX bytes:262509716 (250.3 MiB) Interrupt:10 Base address:0x2000 ipsec0 Link encap:Ethernet HWaddr 00:40:63:DE:D4:57 inet addr:62.123.146.14 Mask:255.255.255.252 UP RUNNING NOARP MTU:16260 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:3 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) ipsec1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 NOARP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) ipsec2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 NOARP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) ipsec3 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 NOARP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:14349 errors:0 dropped:0 overruns:0 frame:0 TX packets:14349 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1862624 (1.7 MiB) TX bytes:1862624 (1.7 MiB) sit0 Link encap:IPv6-in-IPv4 NOARP MTU:1480 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) + _________________________ ip-addr-list + ip addr list 1: lo: mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth1: mtu 1500 qdisc htb qlen 1000 link/ether 00:40:63:de:d4:57 brd ff:ff:ff:ff:ff:ff inet 62.123.146.14/30 brd 62.123.146.15 scope global eth1 inet6 fe80::240:63ff:fede:d457/64 scope link valid_lft forever preferred_lft forever 3: eth0: mtu 1500 qdisc htb qlen 1000 link/ether 00:05:1c:1a:b0:42 brd ff:ff:ff:ff:ff:ff inet 10.0.0.1/16 brd 10.0.255.255 scope global eth0 inet6 fe80::205:1cff:fe1a:b042/64 scope link valid_lft forever preferred_lft forever 4: sit0: mtu 1480 qdisc noop link/sit 0.0.0.0 brd 0.0.0.0 441: ipsec0: mtu 16260 qdisc pfifo_fast qlen 10 link/ether 00:40:63:de:d4:57 brd ff:ff:ff:ff:ff:ff inet 62.123.146.14/30 brd 62.123.146.15 scope global ipsec0 inet6 fe80::240:63ff:fede:d457/64 scope link valid_lft forever preferred_lft forever 442: ipsec1: mtu 0 qdisc noop qlen 10 link/void 443: ipsec2: mtu 0 qdisc noop qlen 10 link/void 444: ipsec3: mtu 0 qdisc noop qlen 10 link/void + _________________________ ip-route-list + ip route list 62.123.146.12/30 dev eth1 proto kernel scope link src 62.123.146.14 62.123.146.12/30 dev ipsec0 proto kernel scope link src 62.123.146.14 10.0.0.0/16 dev eth0 proto kernel scope link src 10.0.0.1 169.254.0.0/16 dev eth1 scope link default via 62.123.146.13 dev eth1 + _________________________ ip-rule-list + ip rule list 0: from all lookup local 32766: from all lookup main 32767: from all lookup default + _________________________ ipsec_verify + ipsec verify --nocolour Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan 2.4.7rc2 (klips) Checking for IPsec support in kernel [OK] Hardware RNG detected, testing if used properly [FAILED] Hardware RNG is present but 'rngd' is not running. No harware random used! Checking for RSA private key (/etc/ipsec.secrets) [DISABLED] ipsec showhostkey: no default key in "/etc/ipsec.secrets" Checking that pluto is running [OK] Two or more interfaces found, checking IP forwarding [OK] Checking NAT and MASQUERADEing Checking for 'ip' command [OK] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED] + _________________________ mii-tool + '[' -x /sbin/mii-tool ']' + /sbin/mii-tool -v eth0: negotiated 100baseTx-FD, link ok product info: vendor 00:00:00, model 0 rev 0 basic mode: autonegotiation enabled basic status: autonegotiation complete, link ok capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control eth1: negotiated 10baseT-FD, link ok product info: vendor 00:40:63, model 50 rev 10 basic mode: autonegotiation enabled basic status: autonegotiation complete, link ok capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD advertising: 10baseT-FD flow-control link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD + _________________________ ipsec/directory + ipsec --directory /usr/local/lib/ipsec + _________________________ hostname/fqdn + hostname --fqdn omnia.nicolan.com + _________________________ hostname/ipaddress + hostname --ip-address 127.0.0.1 + _________________________ uptime + uptime 11:50:32 up 3 days, 21 min, 1 user, load average: 0.13, 0.04, 0.01 + _________________________ ps + ps alxwf + egrep -i 'ppid|pluto|ipsec|klips' F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND 0 0 18432 17939 24 0 4248 1072 wait S+ pts/0 0:00 \_ /bin/sh /usr/local/libexec/ipsec/barf 0 0 18517 18432 24 0 1652 456 pipe_w S+ pts/0 0:00 \_ egrep -i ppid|pluto|ipsec|klips 1 0 18351 1 25 0 2212 396 wait S pts/0 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private %v4:192.168.0.0/24,%v4:!10.0.0.0/8 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid 1 0 18352 18351 25 0 2212 568 wait S pts/0 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private %v4:192.168.0.0/24,%v4:!10.0.0.0/8 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid 4 0 18361 18352 15 0 2500 1284 - S pts/0 0:00 | \_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --virtual_private %v4:192.168.0.0/24,%v4:!10.0.0.0/8 1 0 18378 18361 26 10 2440 528 - SN pts/0 0:00 | \_ pluto helper # 0 0 0 18379 18361 25 0 1472 268 - S pts/0 0:00 | \_ _pluto_adns 0 0 18353 18351 18 0 2212 1092 pipe_w S pts/0 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post 0 0 18354 1 25 0 1524 356 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun + _________________________ ipsec/showdefaults + ipsec showdefaults # no default route + _________________________ ipsec/conf + ipsec _include /etc/ipsec.conf + ipsec _keycensor #< /etc/ipsec.conf 1 # /etc/ipsec.conf - Openswan IPsec configuration file # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $ # This file: /usr/share/doc/openswan/ipsec.conf-sample # # Manual: ipsec.conf.5 version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup nat_traversal=yes #virtual_private=%v4:10.0.0.0/16,%v4:192.168.0.0/24,%v4:62.123.146.12/24 virtual_private=%v4:192.168.0.0/24,%v4:!10.0.0.0/8 interfaces="ipsec0=eth1" #plutodebug="control parsing" #< /etc/ipsec.d/examples/no_oe.conf 1 # 'include' this file to disable Opportunistic Encryption. # See /usr/local/share/doc/openswan/policygroups.html for details. # # RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $ conn block auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear-or-private auto=ignore conn clear auto=ignore conn packetdefault auto=ignore #> /etc/ipsec.conf 19 #include /etc/ipsec.d/conf/nico-host.conf #< /etc/ipsec.d/conf/nico-road-ext.conf 1 conn nico authby=rsasig pfs=no #type=transport # left=62.123.146.14 leftnexthop=62.123.146.13 leftrsasigkey=%cert leftcert=/etc/ipsec.d/certs/omnia.nicolan.com.pem leftsendcert=yes leftprotoport=17/1701 leftca=/etc/ipsec.d/cacerts/cacert.pem # # The remote user. # right=%any rightrsasigkey=%cert rightsubnet=vhost:%no,%priv rightcert=/etc/ipsec.d/certs/mrcyano.graphimedia.it.pem rightprotoport=17/1701 rightsendcert=yes # # Change 'ignore' to 'add' to enable the configuration for this user. # auto=add keyingtries=3 #> /etc/ipsec.conf 21 #include /etc/ipsec.d/conf/nico-road-int.conf + _________________________ ipsec/secrets + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 : RSA omnia.nicolan.com.key + _________________________ ipsec/listall + ipsec auto --listall 000 000 List of Public Keys: 000 000 Oct 25 11:50:31 2006, 1024 RSA Key AwEAAaxnO, until Oct 19 20:15:21 2007 ok 000 ID_DER_ASN1_DN 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it' 000 Issuer 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=nicolan' 000 Oct 25 11:50:02 2006, 1024 RSA Key AwEAAe+b9, until Oct 19 20:17:51 2007 ok 000 ID_DER_ASN1_DN 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=omnia.nicolan.com' 000 Issuer 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=nicolan' 000 000 List of X.509 End Certificates: 000 000 Oct 25 11:50:02 2006, count: 2 000 subject: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it' 000 issuer: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=nicolan' 000 serial: 03 000 pubkey: 1024 RSA Key AwEAAaxnO 000 validity: not before Oct 20 09:57:35 2006 ok 000 not after Oct 20 09:57:35 2007 ok 000 subjkey: 21:6d:fe:62:cd:a7:fe:24:1d:d3:96:e2:57:42:03:71:70:75:21:46 000 authkey: 19:51:3f:6a:7f:d8:f2:32:5e:a4:e8:2f:92:2a:c5:7f:46:25:fc:ad 000 aserial: 00:e5:35:3c:61:88:96:f8:ad 000 Oct 25 11:50:02 2006, count: 2 000 subject: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=omnia.nicolan.com' 000 issuer: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=nicolan' 000 serial: 02 000 pubkey: 1024 RSA Key AwEAAe+b9, has private key 000 validity: not before Oct 19 20:17:51 2006 ok 000 not after Oct 19 20:17:51 2007 ok 000 subjkey: ad:cc:1d:41:1b:91:35:8c:1d:9f:0a:cb:ae:7f:24:69:32:25:8d:07 000 authkey: 19:51:3f:6a:7f:d8:f2:32:5e:a4:e8:2f:92:2a:c5:7f:46:25:fc:ad 000 aserial: 00:e5:35:3c:61:88:96:f8:ad 000 000 List of X.509 CA Certificates: 000 000 Oct 25 11:50:01 2006, count: 1 000 subject: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=nicolan' 000 issuer: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=nicolan' 000 serial: 00:e5:35:3c:61:88:96:f8:ad 000 pubkey: 1024 RSA Key AwEAAcHsM 000 validity: not before Oct 19 20:15:21 2006 ok 000 not after Oct 19 20:15:21 2007 ok 000 subjkey: 19:51:3f:6a:7f:d8:f2:32:5e:a4:e8:2f:92:2a:c5:7f:46:25:fc:ad 000 authkey: 19:51:3f:6a:7f:d8:f2:32:5e:a4:e8:2f:92:2a:c5:7f:46:25:fc:ad 000 aserial: 00:e5:35:3c:61:88:96:f8:ad 000 000 List of X.509 CRLs: 000 000 Oct 25 11:50:01 2006, revoked certs: 0 000 issuer: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=nicolan' 000 updates: this Oct 23 16:57:41 2006 000 next Nov 07 15:57:41 2006 ok + '[' /etc/ipsec.d/policies ']' + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/block + base=block + _________________________ ipsec/policies/block + cat /etc/ipsec.d/policies/block # This file defines the set of CIDRs (network/mask-length) to which # communication should never be allowed. # # See /usr/local/share/doc/openswan/policygroups.html for details. # # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/clear + base=clear + _________________________ ipsec/policies/clear + cat /etc/ipsec.d/policies/clear # This file defines the set of CIDRs (network/mask-length) to which # communication should always be in the clear. # # See /usr/local/share/doc/openswan/policygroups.html for details. # # $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/clear-or-private + base=clear-or-private + _________________________ ipsec/policies/clear-or-private + cat /etc/ipsec.d/policies/clear-or-private # This file defines the set of CIDRs (network/mask-length) to which # we will communicate in the clear, or, if the other side initiates IPSEC, # using encryption. This behaviour is also called "Opportunistic Responder". # # See /usr/local/share/doc/openswan/policygroups.html for details. # # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/private + base=private + _________________________ ipsec/policies/private + cat /etc/ipsec.d/policies/private # This file defines the set of CIDRs (network/mask-length) to which # communication should always be private (i.e. encrypted). # See /usr/local/share/doc/openswan/policygroups.html for details. # # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/private-or-clear + base=private-or-clear + _________________________ ipsec/policies/private-or-clear + cat /etc/ipsec.d/policies/private-or-clear # This file defines the set of CIDRs (network/mask-length) to which # communication should be private, if possible, but in the clear otherwise. # # If the target has a TXT (later IPSECKEY) record that specifies # authentication material, we will require private (i.e. encrypted) # communications. If no such record is found, communications will be # in the clear. # # See /usr/local/share/doc/openswan/policygroups.html for details. # # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $ # 0.0.0.0/0 + _________________________ ipsec/ls-libdir + ls -l /usr/local/lib/ipsec total 120 -rwxr-xr-x 1 root root 15848 Oct 23 15:14 _confread -rwxr-xr-x 1 root root 13252 Oct 23 15:14 _copyright -rwxr-xr-x 1 root root 2379 Oct 23 15:14 _include -rwxr-xr-x 1 root root 1475 Oct 23 15:14 _keycensor -rwxr-xr-x 1 root root 3586 Oct 23 15:14 _plutoload -rwxr-xr-x 1 root root 8069 Oct 23 15:14 _plutorun -rwxr-xr-x 1 root root 12346 Oct 23 15:14 _realsetup -rwxr-xr-x 1 root root 1975 Oct 23 15:14 _secretcensor -rwxr-xr-x 1 root root 10575 Oct 23 15:14 _startklips -rwxr-xr-x 1 root root 13918 Oct 23 15:14 _updown -rwxr-xr-x 1 root root 15746 Oct 23 15:14 _updown_x509 -rwxr-xr-x 1 root root 1942 Oct 23 15:14 ipsec_pr.template + _________________________ ipsec/ls-execdir + ls -l /usr/local/libexec/ipsec total 3216 -rwxr-xr-x 1 root root 29219 Oct 23 15:14 _pluto_adns -rwxr-xr-x 1 root root 18891 Oct 23 15:14 auto -rwxr-xr-x 1 root root 11355 Oct 23 15:14 barf -rwxr-xr-x 1 root root 816 Oct 23 15:14 calcgoo -rwxr-xr-x 1 root root 187114 Oct 23 15:14 eroute -rwxr-xr-x 1 root root 62443 Oct 23 15:14 ikeping -rwxr-xr-x 1 root root 116187 Oct 23 15:14 klipsdebug -rwxr-xr-x 1 root root 1836 Oct 23 15:14 livetest -rwxr-xr-x 1 root root 2605 Oct 23 15:14 look -rwxr-xr-x 1 root root 7159 Oct 23 15:14 mailkey -rwxr-xr-x 1 root root 16015 Oct 23 15:14 manual -rwxr-xr-x 1 root root 1951 Oct 23 15:14 newhostkey -rwxr-xr-x 1 root root 105952 Oct 23 15:14 pf_key -rwxr-xr-x 1 root root 1911079 Oct 23 15:14 pluto -rwxr-xr-x 1 root root 19902 Oct 23 15:14 ranbits -rwxr-xr-x 1 root root 47332 Oct 23 15:14 rsasigkey -rwxr-xr-x 1 root root 766 Oct 23 15:14 secrets -rwxr-xr-x 1 root root 17660 Oct 23 15:14 send-pr lrwxrwxrwx 1 root root 22 Oct 23 15:14 setup -> /etc/rc.d/init.d/ipsec -rwxr-xr-x 1 root root 1054 Oct 23 15:14 showdefaults -rwxr-xr-x 1 root root 4748 Oct 23 15:14 showhostkey -rwxr-xr-x 1 root root 305801 Oct 23 15:14 spi -rwxr-xr-x 1 root root 155631 Oct 23 15:14 spigrp -rwxr-xr-x 1 root root 21988 Oct 23 15:14 tncfg -rwxr-xr-x 1 root root 12783 Oct 23 15:14 verify -rwxr-xr-x 1 root root 150496 Oct 23 15:14 whack + _________________________ ipsec/updowns ++ ls /usr/local/libexec/ipsec ++ egrep updown + _________________________ /proc/net/dev + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 1862624 14349 0 0 0 0 0 0 1862624 14349 0 0 0 0 0 0 eth1:61804238 436662 0 0 0 108 0 0 262509716 287968 0 0 0 0 0 0 eth0: 7015802 60968 0 0 0 0 0 0 32859309 77303 0 0 0 0 0 0 sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec0: 0 0 0 0 0 0 0 0 0 0 0 3 0 0 0 0 ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _________________________ /proc/net/route + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT eth1 0C927B3E 00000000 0001 0 0 0 FCFFFFFF 0 0 0 ipsec0 0C927B3E 00000000 0001 0 0 0 FCFFFFFF 0 0 0 eth0 0000000A 00000000 0001 0 0 0 0000FFFF 0 0 0 eth1 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0 eth1 00000000 0D927B3E 0003 0 0 0 00000000 0 0 0 + _________________________ /proc/sys/net/ipv4/ip_forward + cat /proc/sys/net/ipv4/ip_forward 1 + _________________________ /proc/sys/net/ipv4/tcp_ecn + cat /proc/sys/net/ipv4/tcp_ecn 0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + cd /proc/sys/net/ipv4/conf + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:0 eth0/rp_filter:0 eth1/rp_filter:0 ipsec0/rp_filter:0 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + cd /proc/sys/net/ipv4/conf + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:0 eth0/rp_filter:0 eth1/rp_filter:0 ipsec0/rp_filter:0 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects + cd /proc/sys/net/ipv4/conf + egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects ipsec0/accept_redirects ipsec0/secure_redirects ipsec0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects all/accept_redirects:0 all/secure_redirects:1 all/send_redirects:1 default/accept_redirects:1 default/secure_redirects:1 default/send_redirects:1 eth0/accept_redirects:1 eth0/secure_redirects:1 eth0/send_redirects:1 eth1/accept_redirects:1 eth1/secure_redirects:1 eth1/send_redirects:1 ipsec0/accept_redirects:1 ipsec0/secure_redirects:1 ipsec0/send_redirects:1 lo/accept_redirects:1 lo/secure_redirects:1 lo/send_redirects:1 + _________________________ /proc/sys/net/ipv4/tcp_window_scaling + cat /proc/sys/net/ipv4/tcp_window_scaling 1 + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale + cat /proc/sys/net/ipv4/tcp_adv_win_scale 2 + _________________________ uname-a + uname -a Linux omnia.nicolan.com 2.6.17.13 #2 Fri Oct 20 16:04:10 CEST 2006 i686 i686 i386 GNU/Linux + _________________________ config-built-with + test -r /proc/config_built_with + _________________________ distro-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/redhat-release + cat /etc/redhat-release CentOS release 4.4 (Final) + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/debian-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/SuSE-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/mandrake-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/mandriva-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/gentoo-release + _________________________ /proc/net/ipsec_version + test -r /proc/net/ipsec_version + cat /proc/net/ipsec_version Openswan version: 2.4.7rc2 + _________________________ ipfwadm + test -r /sbin/ipfwadm + 'no old-style linux 1.x/2.0 ipfwadm firewall support' /usr/local/libexec/ipsec/barf: line 305: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory + _________________________ ipchains + test -r /sbin/ipchains + echo 'no old-style linux 2.0 ipchains firewall support' no old-style linux 2.0 ipchains firewall support + _________________________ iptables + test -r /sbin/iptables + iptables -L -v -n Chain INPUT (policy DROP 25 packets, 2100 bytes) pkts bytes target prot opt in out source destination 13470 1743K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 143 10331 Cid443510B6.0 all -- eth0 * 10.0.0.0/24 0.0.0.0/0 state NEW 0 0 Cid443510B6.0 all -- eth0 * 172.16.0.0/24 0.0.0.0/0 state NEW 0 0 Cid4473610D.0 all -- eth1 * 0.0.0.0/0 10.0.0.1 0 0 Cid4473610D.0 all -- eth1 * 0.0.0.0/0 172.16.0.1 511 51928 Cid4473610D.0 all -- eth1 * 0.0.0.0/0 62.123.146.14 147 32428 Cid4435118C.0 all -- eth1 * 0.0.0.0/0 62.123.146.14 state NEW 0 0 eth1_In_RULE_2 all -- eth1 * 0.0.0.0/0 10.0.0.1 0 0 eth1_In_RULE_2 all -- eth1 * 0.0.0.0/0 172.16.0.1 57 9589 eth1_In_RULE_2 all -- eth1 * 0.0.0.0/0 62.123.146.14 1 84 Cid4435390C.0 all -- lo * 10.0.0.1 0.0.0.0/0 state NEW 0 0 Cid4435390C.0 all -- lo * 172.16.0.1 0.0.0.0/0 state NEW 0 0 Cid4435390C.0 all -- lo * 62.123.146.14 0.0.0.0/0 state NEW 98 6945 Cid4435390C.0 all -- lo * 127.0.0.1 0.0.0.0/0 state NEW 70 5880 ACCEPT all -- ipsec0 * 0.0.0.0/0 10.0.0.1 state NEW 0 0 ACCEPT all -- ipsec0 * 0.0.0.0/0 172.16.0.1 state NEW 0 0 ACCEPT all -- ipsec0 * 0.0.0.0/0 62.123.146.14 state NEW Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 406 52509 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- * eth0 10.0.0.0/24 0.0.0.0/0 state NEW 0 0 ACCEPT all -- eth0 * 172.16.0.0/24 !10.0.0.0/24 state NEW 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 172.16.0.3 tcp dpt:22 state NEW 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 10.0.0.2 tcp dpt:22 state NEW 4 240 Cid45127581.0 all -- eth1 * 0.0.0.0/0 172.16.0.3 state NEW 21 1562 ACCEPT all -- * * 10.0.0.0/24 0.0.0.0/0 state NEW 0 0 RULE_1 all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy DROP 2 packets, 280 bytes) pkts bytes target prot opt in out source destination 11250 2188K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 261 13572 ACCEPT all -- * eth0 10.0.0.1 0.0.0.0/0 state NEW 0 0 ACCEPT all -- * eth0 172.16.0.1 0.0.0.0/0 state NEW 5274 290K ACCEPT all -- * eth1 62.123.146.14 0.0.0.0/0 state NEW 1 84 ACCEPT all -- * lo 10.0.0.1 0.0.0.0/0 state NEW 0 0 ACCEPT all -- * lo 172.16.0.1 0.0.0.0/0 state NEW 0 0 ACCEPT all -- * lo 62.123.146.14 0.0.0.0/0 state NEW 98 6945 ACCEPT all -- * lo 127.0.0.1 0.0.0.0/0 state NEW 0 0 ACCEPT all -- * ipsec0 10.0.0.1 0.0.0.0/0 state NEW 0 0 ACCEPT all -- * ipsec0 172.16.0.1 0.0.0.0/0 state NEW 69 5964 ACCEPT all -- * ipsec0 62.123.146.14 0.0.0.0/0 state NEW Chain Cid443510B6.0 (2 references) pkts bytes target prot opt in out source destination 143 10331 ACCEPT all -- * * 0.0.0.0/0 10.0.0.1 0 0 ACCEPT all -- * * 0.0.0.0/0 172.16.0.1 Chain Cid4435118C.0 (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 code 0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 code 1 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 code 0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 32 2520 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 code 0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1701:1750 28 1580 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 25,563,53,995,465,80,443,22,82 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:2500:2515 20 15335 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp multiport dports 53,500,4500 28 4256 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain Cid4435390C.0 (4 references) pkts bytes target prot opt in out source destination 1 84 ACCEPT all -- * * 0.0.0.0/0 10.0.0.1 0 0 ACCEPT all -- * * 0.0.0.0/0 172.16.0.1 0 0 ACCEPT all -- * * 0.0.0.0/0 62.123.146.14 98 6945 ACCEPT all -- * * 0.0.0.0/0 127.0.0.1 Chain Cid4473610D.0 (3 references) pkts bytes target prot opt in out source destination 346 18648 eth1_In_RULE_0 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 1433,445,139,135 Chain Cid45127581.0 (1 references) pkts bytes target prot opt in out source destination 4 240 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 80,443 Chain RULE_1 (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `fwd01-' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain eth1_In_RULE_0 (1 references) pkts bytes target prot opt in out source destination 346 18648 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `int-000' 346 18648 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain eth1_In_RULE_2 (3 references) pkts bytes target prot opt in out source destination 57 9589 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `int-01-' 57 9589 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 + _________________________ iptables-nat + iptables -t nat -L -v -n Chain PREROUTING (policy ACCEPT 860 packets, 66964 bytes) pkts bytes target prot opt in out source destination 0 0 DNAT tcp -- * * 0.0.0.0/0 62.123.146.14 tcp dpt:26 to:172.16.0.3:22 1 60 DNAT tcp -- * * 0.0.0.0/0 62.123.146.14 tcp multiport dports 80,443 to:172.16.0.3 0 0 DNAT tcp -- * * 0.0.0.0/0 62.123.146.14 tcp dpt:24 to:10.0.0.2:22 Chain POSTROUTING (policy ACCEPT 4937 packets, 260K bytes) pkts bytes target prot opt in out source destination 0 0 SNAT tcp -- * eth0 0.0.0.0/0 172.16.0.3 tcp dpt:22 to:172.16.0.1 0 0 SNAT tcp -- * eth0 0.0.0.0/0 172.16.0.3 tcp multiport dports 80,443 to:172.16.0.1 21 1562 SNAT all -- * eth1 10.0.0.0/24 0.0.0.0/0 to:62.123.146.14 0 0 SNAT all -- * eth1 172.16.0.0/24 0.0.0.0/0 to:62.123.146.14 Chain OUTPUT (policy ACCEPT 4936 packets, 260K bytes) pkts bytes target prot opt in out source destination + _________________________ iptables-mangle + iptables -t mangle -L -v -n Chain PREROUTING (policy ACCEPT 1504 packets, 251K bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 1504 packets, 251K bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4872 packets, 468K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 4872 packets, 468K bytes) pkts bytes target prot opt in out source destination + _________________________ /proc/modules + test -f /proc/modules + cat /proc/modules ipsec 307212 2 - Live 0xdcc52000 iptable_mangle 2816 0 - Live 0xdcb1d000 ip_nat_tftp 1920 0 - Live 0xdcb23000 ip_nat_pptp 5764 0 - Live 0xdcb26000 ip_nat_irc 2688 0 - Live 0xdcb13000 ip_nat_h323 6528 0 - Live 0xdcb0b000 ip_nat_amanda 2304 0 - Live 0xdcb11000 ip_conntrack_tftp 4216 1 ip_nat_tftp, Live 0xdcb0e000 ip_conntrack_pptp 10768 1 ip_nat_pptp, Live 0xdcaff000 ip_conntrack_irc 6640 1 ip_nat_irc, Live 0xdcb08000 ip_conntrack_h323 47228 1 ip_nat_h323, Live 0xdcbeb000 ip_conntrack_amanda 4616 1 ip_nat_amanda, Live 0xdcb05000 deflate 3968 0 - Live 0xdcb5f000 zlib_deflate 18968 1 deflate, Live 0xdcbd2000 twofish 37376 0 - Live 0xdcbe0000 serpent 18048 0 - Live 0xdcbcc000 blowfish 8576 0 - Live 0xdcb81000 crypto_null 2560 0 - Live 0xdcb31000 aes 28736 0 - Live 0xdcb78000 des 15616 0 - Live 0xdcb73000 sha1 2560 0 - Live 0xdcb33000 sha256 9344 0 - Live 0xdcb68000 padlock 22720 0 - Live 0xdcb61000 hw_random 5528 0 - Live 0xdcb53000 apm 19296 1 - Live 0xdcb56000 ipv6 217952 39 - Live 0xdcb8c000 act_police 5600 2 - Live 0xdcb4a000 sch_ingress 3456 2 - Live 0xdcb48000 cls_u32 7940 6 - Live 0xdcb45000 sch_sfq 5632 6 - Live 0xdcb42000 sch_htb 16128 2 - Live 0xdcb38000 xt_multiport 3328 6 - Live 0xdcb2b000 iptable_nat 7812 1 - Live 0xdcb35000 xt_state 2176 29 - Live 0xdcb2f000 ip_nat_snmp_basic 9732 0 - Live 0xdcb1f000 ip_nat_ftp 3200 0 - Live 0xdcb03000 ip_nat 15916 7 ip_nat_tftp,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_amanda,iptable_nat,ip_nat_ftp, Live 0xdcafa000 ip_conntrack_proto_sctp 7556 0 - Live 0xdca62000 ip_conntrack_netbios_ns 2944 0 - Live 0xdcaf8000 binfmt_misc 10760 1 - Live 0xdca4e000 video 15492 0 - Live 0xdca71000 thermal 13064 0 - Live 0xdca6c000 processor 23360 1 thermal, Live 0xdca65000 fan 4740 0 - Live 0xdca59000 container 4608 0 - Live 0xdca56000 button 6672 0 - Live 0xdca48000 battery 9476 0 - Live 0xdca52000 ac 4996 0 - Live 0xdca4b000 ohci1394 35632 0 - Live 0xdc9bf000 ieee1394 291640 1 ohci1394, Live 0xdc9f9000 snd_via82xx 24724 0 - Live 0xdc8ee000 snd_ac97_codec 82720 1 snd_via82xx, Live 0xdc8fd000 snd_ac97_bus 2304 1 snd_ac97_codec, Live 0xdc8d9000 snd_pcm 74120 2 snd_via82xx,snd_ac97_codec, Live 0xdc914000 snd_timer 20996 1 snd_pcm, Live 0xdc8f6000 snd_page_alloc 9608 2 snd_via82xx,snd_pcm, Live 0xdc89a000 snd_mpu401_uart 7040 1 snd_via82xx, Live 0xdc8d4000 snd_rawmidi 20352 1 snd_mpu401_uart, Live 0xdc8db000 snd_seq_device 7692 1 snd_rawmidi, Live 0xdc8aa000 snd 41592 7 snd_via82xx,snd_ac97_codec,snd_pcm,snd_timer,snd_mpu401_uart,snd_rawmidi,snd_seq_device, Live 0xdc8e2000 soundcore 9056 1 snd, Live 0xdc89e000 8139too 24192 0 - Live 0xdc8a3000 ide_cd 36484 0 - Live 0xdc8ca000 cdrom 34976 1 ide_cd, Live 0xdc835000 via_rhine 21124 0 - Live 0xdc893000 dm_snapshot 16412 0 - Live 0xdc88d000 dm_zero 2048 0 - Live 0xdc820000 dm_mirror 19024 0 - Live 0xdc82f000 ext3 109576 2 - Live 0xdc8ae000 jbd 47508 1 ext3, Live 0xdc880000 dm_mod 51896 6 dm_snapshot,dm_zero,dm_mirror, Live 0xdc872000 sata_via 8324 0 - Live 0xdc82b000 libata 63116 1 sata_via, Live 0xdc861000 sd_mod 18576 0 - Live 0xdc825000 + _________________________ /proc/meminfo + cat /proc/meminfo MemTotal: 451224 kB MemFree: 18916 kB Buffers: 44052 kB Cached: 287836 kB SwapCached: 0 kB Active: 254740 kB Inactive: 131724 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 451224 kB LowFree: 18916 kB SwapTotal: 1048816 kB SwapFree: 1048316 kB Dirty: 68 kB Writeback: 0 kB Mapped: 71916 kB Slab: 39504 kB CommitLimit: 1274428 kB Committed_AS: 209076 kB PageTables: 1536 kB VmallocTotal: 573432 kB VmallocUsed: 4172 kB VmallocChunk: 568700 kB + _________________________ /proc/net/ipsec-ls + test -f /proc/net/ipsec_version + ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version lrwxrwxrwx 1 root root 16 Oct 25 11:50 /proc/net/ipsec_eroute -> ipsec/eroute/all lrwxrwxrwx 1 root root 16 Oct 25 11:50 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug lrwxrwxrwx 1 root root 13 Oct 25 11:50 /proc/net/ipsec_spi -> ipsec/spi/all lrwxrwxrwx 1 root root 16 Oct 25 11:50 /proc/net/ipsec_spigrp -> ipsec/spigrp/all lrwxrwxrwx 1 root root 11 Oct 25 11:50 /proc/net/ipsec_tncfg -> ipsec/tncfg lrwxrwxrwx 1 root root 13 Oct 25 11:50 /proc/net/ipsec_version -> ipsec/version + _________________________ usr/src/linux/.config + test -f /proc/config.gz + zcat /proc/config.gz + egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV' CONFIG_NET_KEY=m CONFIG_INET=y CONFIG_IP_MULTICAST=y CONFIG_IP_ADVANCED_ROUTER=y # CONFIG_IP_FIB_TRIE is not set CONFIG_IP_FIB_HASH=y CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IP_ROUTE_FWMARK=y CONFIG_IP_ROUTE_MULTIPATH=y CONFIG_IP_ROUTE_MULTIPATH_CACHED=y CONFIG_IP_ROUTE_MULTIPATH_RR=m CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m CONFIG_IP_ROUTE_MULTIPATH_DRR=m CONFIG_IP_ROUTE_VERBOSE=y CONFIG_IP_PNP=y CONFIG_IP_PNP_DHCP=y CONFIG_IP_PNP_BOOTP=y CONFIG_IP_PNP_RARP=y CONFIG_IP_MROUTE=y CONFIG_IP_PIMSM_V1=y CONFIG_IP_PIMSM_V2=y CONFIG_IPSEC_NAT_TRAVERSAL=y CONFIG_INET_AH=m CONFIG_INET_ESP=m CONFIG_INET_IPCOMP=m CONFIG_INET_XFRM_TUNNEL=m CONFIG_INET_TUNNEL=m CONFIG_INET_DIAG=m CONFIG_INET_TCP_DIAG=m CONFIG_IP_VS=m CONFIG_IP_VS_DEBUG=y CONFIG_IP_VS_TAB_BITS=12 CONFIG_IP_VS_PROTO_TCP=y CONFIG_IP_VS_PROTO_UDP=y CONFIG_IP_VS_PROTO_ESP=y CONFIG_IP_VS_PROTO_AH=y CONFIG_IP_VS_RR=m CONFIG_IP_VS_WRR=m CONFIG_IP_VS_LC=m CONFIG_IP_VS_WLC=m CONFIG_IP_VS_LBLC=m CONFIG_IP_VS_LBLCR=m CONFIG_IP_VS_DH=m CONFIG_IP_VS_SH=m CONFIG_IP_VS_SED=m CONFIG_IP_VS_NQ=m CONFIG_IP_VS_FTP=m CONFIG_IPV6=m CONFIG_IPV6_PRIVACY=y CONFIG_IPV6_ROUTER_PREF=y CONFIG_IPV6_ROUTE_INFO=y CONFIG_INET6_AH=m CONFIG_INET6_ESP=m CONFIG_INET6_IPCOMP=m CONFIG_INET6_XFRM_TUNNEL=m CONFIG_INET6_TUNNEL=m CONFIG_IPV6_TUNNEL=m CONFIG_IP_NF_CONNTRACK=y CONFIG_IP_NF_CT_ACCT=y CONFIG_IP_NF_CONNTRACK_MARK=y CONFIG_IP_NF_CONNTRACK_EVENTS=y CONFIG_IP_NF_CT_PROTO_SCTP=m CONFIG_IP_NF_FTP=y CONFIG_IP_NF_IRC=m CONFIG_IP_NF_NETBIOS_NS=m CONFIG_IP_NF_TFTP=m CONFIG_IP_NF_AMANDA=m CONFIG_IP_NF_PPTP=m CONFIG_IP_NF_H323=m CONFIG_IP_NF_QUEUE=m CONFIG_IP_NF_IPTABLES=y CONFIG_IP_NF_MATCH_IPRANGE=m CONFIG_IP_NF_MATCH_TOS=m CONFIG_IP_NF_MATCH_RECENT=m CONFIG_IP_NF_MATCH_ECN=m CONFIG_IP_NF_MATCH_DSCP=m CONFIG_IP_NF_MATCH_AH=m CONFIG_IP_NF_MATCH_TTL=m CONFIG_IP_NF_MATCH_OWNER=m CONFIG_IP_NF_MATCH_ADDRTYPE=m CONFIG_IP_NF_MATCH_HASHLIMIT=m CONFIG_IP_NF_FILTER=y CONFIG_IP_NF_TARGET_REJECT=m CONFIG_IP_NF_TARGET_LOG=y CONFIG_IP_NF_TARGET_ULOG=m CONFIG_IP_NF_TARGET_TCPMSS=m CONFIG_IP_NF_NAT=m CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IP_NF_TARGET_MASQUERADE=m CONFIG_IP_NF_TARGET_REDIRECT=m CONFIG_IP_NF_TARGET_NETMAP=m CONFIG_IP_NF_TARGET_SAME=m CONFIG_IP_NF_NAT_SNMP_BASIC=m CONFIG_IP_NF_NAT_IRC=m CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=m CONFIG_IP_NF_NAT_AMANDA=m CONFIG_IP_NF_NAT_PPTP=m CONFIG_IP_NF_NAT_H323=m CONFIG_IP_NF_MANGLE=m CONFIG_IP_NF_TARGET_TOS=m CONFIG_IP_NF_TARGET_ECN=m CONFIG_IP_NF_TARGET_DSCP=m CONFIG_IP_NF_TARGET_TTL=m CONFIG_IP_NF_TARGET_CLUSTERIP=m CONFIG_IP_NF_RAW=m CONFIG_IP_NF_ARPTABLES=m CONFIG_IP_NF_ARPFILTER=m CONFIG_IP_NF_ARP_MANGLE=m CONFIG_IP6_NF_QUEUE=m CONFIG_IP6_NF_IPTABLES=m # CONFIG_IP6_NF_MATCH_RT is not set # CONFIG_IP6_NF_MATCH_OPTS is not set # CONFIG_IP6_NF_MATCH_FRAG is not set # CONFIG_IP6_NF_MATCH_HL is not set # CONFIG_IP6_NF_MATCH_OWNER is not set # CONFIG_IP6_NF_MATCH_IPV6HEADER is not set # CONFIG_IP6_NF_MATCH_AH is not set # CONFIG_IP6_NF_MATCH_EUI64 is not set # CONFIG_IP6_NF_FILTER is not set # CONFIG_IP6_NF_MANGLE is not set # CONFIG_IP6_NF_RAW is not set # CONFIG_IP_DCCP is not set # CONFIG_IP_SCTP is not set CONFIG_IPX=m CONFIG_IPX_INTERN=y # CONFIG_IPMI_HANDLER is not set CONFIG_HW_RANDOM=m CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=y + _________________________ etc/syslog.conf + cat /etc/syslog.conf # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log *.* /var/log/junk + _________________________ etc/syslog-ng/syslog-ng.conf + cat /etc/syslog-ng/syslog-ng.conf cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory + _________________________ etc/resolv.conf + cat /etc/resolv.conf search nicolan.com nameserver 127.0.0.1 + _________________________ lib/modules-ls + ls -ltr /lib/modules total 12 drwxr-xr-x 3 root root 4096 Oct 5 20:05 2.6.9-42.0.2.EL drwxr-xr-x 3 root root 4096 Oct 19 18:07 2.6.17.13.orig drwxr-xr-x 3 root root 4096 Oct 23 15:11 2.6.17.13 + _________________________ /proc/ksyms-netif_rx + test -r /proc/ksyms + test -r /proc/kallsyms + egrep netif_rx /proc/kallsyms c11907eb T __netif_rx_schedule c1190c96 T netif_rx c1190d3f T netif_rx_ni c1190c96 U netif_rx [ipsec] c1190c96 U netif_rx [ipv6] c11907eb U __netif_rx_schedule [8139too] c1190c96 U netif_rx [via_rhine] + _________________________ lib/modules-netif_rx + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.6.17.13: 2.6.17.13.orig: 2.6.9-42.0.2.EL: + _________________________ kern.debug + test -f /var/log/kern.debug + _________________________ klog + sed -n '4010,$p' /var/log/messages + egrep -i 'ipsec|klips|pluto' + case "$1" in + cat Oct 25 11:50:01 omnia ipsec_setup: Starting Openswan IPsec 2.4.7rc2... + _________________________ plog + sed -n '11018,$p' /var/log/secure + egrep -i pluto + case "$1" in + cat Oct 25 11:50:01 omnia ipsec__plutorun: Starting Pluto subsystem... Oct 25 11:50:01 omnia pluto[18361]: Starting Pluto (Openswan Version 2.4.7rc2 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEZV\134wHFxzNV) Oct 25 11:50:01 omnia pluto[18361]: Setting NAT-Traversal port-4500 floating to on Oct 25 11:50:01 omnia pluto[18361]: port floating activation criteria nat_t=1/port_fload=1 Oct 25 11:50:01 omnia pluto[18361]: including NAT-Traversal patch (Version 0.6c) Oct 25 11:50:01 omnia pluto[18361]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) Oct 25 11:50:01 omnia pluto[18361]: starting up 1 cryptographic helpers Oct 25 11:50:01 omnia pluto[18361]: started helper pid=18378 (fd:6) Oct 25 11:50:01 omnia pluto[18361]: Using KLIPS IPsec interface code on 2.6.17.13 Oct 25 11:50:01 omnia pluto[18361]: Changing to directory '/etc/ipsec.d/cacerts' Oct 25 11:50:01 omnia pluto[18361]: loaded CA cert file 'cacert.pem' (1062 bytes) Oct 25 11:50:01 omnia pluto[18361]: Changing to directory '/etc/ipsec.d/aacerts' Oct 25 11:50:01 omnia pluto[18361]: Changing to directory '/etc/ipsec.d/ocspcerts' Oct 25 11:50:01 omnia pluto[18361]: Changing to directory '/etc/ipsec.d/crls' Oct 25 11:50:01 omnia pluto[18361]: loaded crl file 'crl.pem' (438 bytes) Oct 25 11:50:02 omnia pluto[18361]: loaded host cert file '/etc/ipsec.d/certs/omnia.nicolan.com.pem' (3700 bytes) Oct 25 11:50:02 omnia pluto[18361]: loaded host cert file '/etc/ipsec.d/certs/mrcyano.graphimedia.it.pem' (3709 bytes) Oct 25 11:50:02 omnia pluto[18361]: added connection description "nico" Oct 25 11:50:02 omnia pluto[18361]: listening for IKE messages Oct 25 11:50:02 omnia pluto[18361]: adding interface ipsec0/eth1 62.123.146.14:500 Oct 25 11:50:02 omnia pluto[18361]: adding interface ipsec0/eth1 62.123.146.14:4500 Oct 25 11:50:02 omnia pluto[18361]: loading secrets from "/etc/ipsec.secrets" Oct 25 11:50:02 omnia pluto[18361]: loaded private key file '/etc/ipsec.d/private/omnia.nicolan.com.key' (1526 bytes) Oct 25 11:50:16 omnia pluto[18361]: packet from 85.18.80.194:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004] Oct 25 11:50:16 omnia pluto[18361]: packet from 85.18.80.194:500: ignoring Vendor ID payload [FRAGMENTATION] Oct 25 11:50:16 omnia pluto[18361]: packet from 85.18.80.194:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 Oct 25 11:50:16 omnia pluto[18361]: packet from 85.18.80.194:500: ignoring Vendor ID payload [Vid-Initial-Contact] Oct 25 11:50:16 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: responding to Main Mode from unknown peer 85.18.80.194 Oct 25 11:50:16 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Oct 25 11:50:16 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: STATE_MAIN_R1: sent MR1, expecting MI2 Oct 25 11:50:16 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed Oct 25 11:50:16 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 Oct 25 11:50:16 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: STATE_MAIN_R2: sent MR2, expecting MI3 Oct 25 11:50:16 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it' Oct 25 11:50:16 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: no suitable connection for peer 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it' Oct 25 11:50:16 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: sending encrypted notification INVALID_ID_INFORMATION to 85.18.80.194:500 Oct 25 11:50:17 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it' Oct 25 11:50:17 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: no suitable connection for peer 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it' Oct 25 11:50:17 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: sending encrypted notification INVALID_ID_INFORMATION to 85.18.80.194:500 Oct 25 11:50:19 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it' Oct 25 11:50:19 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: no suitable connection for peer 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it' Oct 25 11:50:19 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: sending encrypted notification INVALID_ID_INFORMATION to 85.18.80.194:500 Oct 25 11:50:23 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it' Oct 25 11:50:23 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: no suitable connection for peer 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it' Oct 25 11:50:23 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: sending encrypted notification INVALID_ID_INFORMATION to 85.18.80.194:500 Oct 25 11:50:31 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it' Oct 25 11:50:31 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: no suitable connection for peer 'C=IT, ST=Torino, L=Montanaro, O=nicolan, CN=mrcyano.graphimedia.it' Oct 25 11:50:31 omnia pluto[18361]: "nico"[1] 85.18.80.194 #1: sending encrypted notification INVALID_ID_INFORMATION to 85.18.80.194:500 + _________________________ date + date Wed Oct 25 11:50:32 CEST 2006