sheridan
Fri Dec 1 12:08:26 EST 2006
+ _________________________ version
+ ipsec --version
Linux Openswan 2.4.6 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.4.31 (root@sheridan) (gcc version 3.3.4) #1 Tue Nov 28 14:52:18 EST 2006
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
8          66.11.74.93/32     -> 69.159.228.59/32   => %hold
0          172.21.0.0/16      -> 69.159.228.59/32   => %trap
0          66.11.74.93/32     -> 74.14.224.160/32   => %trap
0          172.21.0.0/16      -> 74.14.224.160/32   => %trap
0          172.21.0.0/16      -> 172.16.0.0/14      => %trap
56         66.11.74.93/32     -> 172.21.1.0/24      => %hold
0          66.11.74.93/32     -> 172.21.5.0/24      => %trap
41         66.11.74.93/32     -> 172.21.7.0/24      => %hold
40         66.11.74.93/32     -> 172.21.13.0/24     => %hold
90         172.21.0.0/16      -> 172.21.1.0/24      => %hold
0          172.21.0.0/16      -> 172.21.5.0/24      => %trap
0          172.21.0.0/16      -> 172.21.7.0/24      => %trap
0          172.21.0.0/16      -> 172.21.13.0/24     => %trap
0          172.21.0.0/16      -> 172.26.0.0/16      => %trap
0          172.21.0.0/16      -> 192.168.0.0/16     => %trap
0          66.11.74.93/32     -> 208.97.79.186/32   => %trap
0          172.21.0.0/16      -> 208.97.79.186/32   => %trap
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
74.14.224.160   66.11.74.94     255.255.255.255 UGH       0 0          0 ipsec0
69.159.228.59   66.11.74.94     255.255.255.255 UGH       0 0          0 ipsec0
208.97.79.186   66.11.74.94     255.255.255.255 UGH       0 0          0 ipsec0
66.11.74.88     0.0.0.0         255.255.255.248 U         0 0          0 eth1
66.11.74.88     0.0.0.0         255.255.255.248 U         0 0          0 ipsec0
172.21.13.0     66.11.74.94     255.255.255.0   UG        0 0          0 ipsec0
172.21.7.0      66.11.74.94     255.255.255.0   UG        0 0          0 ipsec0
172.21.5.0      66.11.74.94     255.255.255.0   UG        0 0          0 ipsec0
172.21.3.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
172.21.1.0      66.11.74.94     255.255.255.0   UG        0 0          0 ipsec0
172.26.0.0      66.11.74.94     255.255.0.0     UG        0 0          0 ipsec0
192.168.0.0     66.11.74.94     255.255.0.0     UG        0 0          0 ipsec0
172.16.0.0      66.11.74.94     255.252.0.0     UG        0 0          0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         66.11.74.94     0.0.0.0         UG        0 0          0 eth1
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth1 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth1 66.11.74.93
000 interface ipsec0/eth1 66.11.74.93
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} trans={0,3,72} attrs={0,3,48}
000
000 "highway7-office-net-to-london-office-net": 172.21.0.0/16===66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---69.159.228.59[@delenn.stmarys.goco.net]===172.21.5.0/24; prospective erouted; eroute owner: #0
000 "highway7-office-net-to-london-office-net":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "highway7-office-net-to-london-office-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "highway7-office-net-to-london-office-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 16,24; interface: eth1;
000 "highway7-office-net-to-london-office-net":   dpd: action:restart; delay:30; timeout:120;
000 "highway7-office-net-to-london-office-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "highway7-office-net-to-london-office-server": 66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---69.159.228.59[@delenn.stmarys.goco.net]===172.21.5.0/24; prospective erouted; eroute owner: #0
000 "highway7-office-net-to-london-office-server":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "highway7-office-net-to-london-office-server":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "highway7-office-net-to-london-office-server":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1;
000 "highway7-office-net-to-london-office-server":   dpd: action:restart; delay:30; timeout:120;
000 "highway7-office-net-to-london-office-server":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "mcgill-home-net-to-london-office-net": 172.21.0.0/16===66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...%any[@newton.mcgill.stmarys.on.ca]===10.0.0.0/24; unrouted; eroute owner: #0
000 "mcgill-home-net-to-london-office-net":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "mcgill-home-net-to-london-office-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mcgill-home-net-to-london-office-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 16,24; interface: eth1;
000 "mcgill-home-net-to-london-office-net":   dpd: action:clear; delay:30; timeout:120;
000 "mcgill-home-net-to-london-office-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "mcgill-home-net-to-london-office-server": 66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...%any[@newton.mcgill.stmarys.on.ca]===10.0.0.0/24; unrouted; eroute owner: #0
000 "mcgill-home-net-to-london-office-server":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "mcgill-home-net-to-london-office-server":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mcgill-home-net-to-london-office-server":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 32,24; interface: eth1;
000 "mcgill-home-net-to-london-office-server":   dpd: action:clear; delay:30; timeout:120;
000 "mcgill-home-net-to-london-office-server":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "paris-office-net-to-london-office-net": 172.21.0.0/16===66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---74.14.224.160[@sinclair.paris.goco.net]===172.21.13.0/24; prospective erouted; eroute owner: #0
000 "paris-office-net-to-london-office-net":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "paris-office-net-to-london-office-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "paris-office-net-to-london-office-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 16,24; interface: eth1;
000 "paris-office-net-to-london-office-net":   dpd: action:restart; delay:30; timeout:120;
000 "paris-office-net-to-london-office-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "paris-office-net-to-london-office-server": 66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---74.14.224.160[@sinclair.paris.goco.net]===172.21.13.0/24; erouted HOLD; eroute owner: #0
000 "paris-office-net-to-london-office-server":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "paris-office-net-to-london-office-server":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "paris-office-net-to-london-office-server":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1;
000 "paris-office-net-to-london-office-server":   dpd: action:restart; delay:30; timeout:120;
000 "paris-office-net-to-london-office-server":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "paris-office-server-to-london-office-net": 172.21.0.0/16===66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---74.14.224.160[@sinclair.paris.goco.net]; prospective erouted; eroute owner: #0
000 "paris-office-server-to-london-office-net":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "paris-office-server-to-london-office-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "paris-office-server-to-london-office-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 16,32; interface: eth1;
000 "paris-office-server-to-london-office-net":   dpd: action:restart; delay:30; timeout:120;
000 "paris-office-server-to-london-office-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "paris-office-server-to-london-office-server": 66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---74.14.224.160[@sinclair.paris.goco.net]; prospective erouted; eroute owner: #0
000 "paris-office-server-to-london-office-server":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "paris-office-server-to-london-office-server":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "paris-office-server-to-london-office-server":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth1;
000 "paris-office-server-to-london-office-server":   dpd: action:restart; delay:30; timeout:120;
000 "paris-office-server-to-london-office-server":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "remote-client-to-london-office-server": 66.11.74.93[C=CA, ST=Ontario, O=Gra Ham Energy Limited, CN=sheridan.goco.net, E=hostmaster@goco.net]:17/1701---66.11.74.94...%virtual[C=CA, ST=Ontario, L=*, O=Gra Ham Energy Limited, OU=*, CN=*, E=*]:17/%any===?; unrouted; eroute owner: #0
000 "remote-client-to-london-office-server":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "remote-client-to-london-office-server":   CAs: 'C=CA, ST=Ontario, O=Gra Ham Energy Limited, CN=Gra Ham Energy Root Certification Authority, E=sslca@goco.net'...'C=CA, ST=Ontario, O=Gra Ham Energy Limited, CN=Gra Ham Energy Root Certification Authority, E=sslca@goco.net'
000 "remote-client-to-london-office-server":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "remote-client-to-london-office-server":   policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY+rKOD; prio: 32,32; interface: eth1;
000 "remote-client-to-london-office-server":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "stmarys-office-net-to-london-office-net": 172.21.0.0/16===66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---69.159.228.59[@delenn.stmarys.goco.net]===172.21.1.0/24; erouted HOLD; eroute owner: #0
000 "stmarys-office-net-to-london-office-net":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "stmarys-office-net-to-london-office-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "stmarys-office-net-to-london-office-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 16,24; interface: eth1;
000 "stmarys-office-net-to-london-office-net":   dpd: action:restart; delay:30; timeout:120;
000 "stmarys-office-net-to-london-office-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "stmarys-office-net-to-london-office-server": 66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---69.159.228.59[@delenn.stmarys.goco.net]===172.21.1.0/24; erouted HOLD; eroute owner: #0
000 "stmarys-office-net-to-london-office-server":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "stmarys-office-net-to-london-office-server":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "stmarys-office-net-to-london-office-server":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1;
000 "stmarys-office-net-to-london-office-server":   dpd: action:restart; delay:30; timeout:120;
000 "stmarys-office-net-to-london-office-server":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "stmarys-office-server-to-london-office-net": 172.21.0.0/16===66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---69.159.228.59[@delenn.stmarys.goco.net]; prospective erouted; eroute owner: #0
000 "stmarys-office-server-to-london-office-net":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "stmarys-office-server-to-london-office-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "stmarys-office-server-to-london-office-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 16,32; interface: eth1;
000 "stmarys-office-server-to-london-office-net":   dpd: action:restart; delay:30; timeout:120;
000 "stmarys-office-server-to-london-office-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "stmarys-office-server-to-london-office-server": 66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---69.159.228.59[@delenn.stmarys.goco.net]; erouted HOLD; eroute owner: #0
000 "stmarys-office-server-to-london-office-server":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "stmarys-office-server-to-london-office-server":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "stmarys-office-server-to-london-office-server":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth1;
000 "stmarys-office-server-to-london-office-server":   dpd: action:restart; delay:30; timeout:120;
000 "stmarys-office-server-to-london-office-server":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "sunoco-172-16-19-net-to-london-office-net": 172.21.0.0/16===66.11.74.93---66.11.74.94...66.11.74.94---199.212.129.226===172.16.0.0/14; prospective erouted; eroute owner: #0
000 "sunoco-172-16-19-net-to-london-office-net":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "sunoco-172-16-19-net-to-london-office-net":   ike_life: 43200s; ipsec_life: 43200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sunoco-172-16-19-net-to-london-office-net":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 16,14; interface: eth1;
000 "sunoco-172-16-19-net-to-london-office-net":   dpd: action:restart; delay:30; timeout:120;
000 "sunoco-172-16-19-net-to-london-office-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "sunoco-172-16-19-net-to-london-office-net":   IKE algorithms wanted: 5_000-1-2, flags=strict
000 "sunoco-172-16-19-net-to-london-office-net":   IKE algorithms found:  5_192-1_128-2,
000 "sunoco-172-16-19-net-to-london-office-net":   ESP algorithms wanted: 3_000-1, flags=strict
000 "sunoco-172-16-19-net-to-london-office-net":   ESP algorithms loaded: 3_000-1, flags=strict
000 "sunoco-172-26-net-to-london-office-net": 172.21.0.0/16===66.11.74.93---66.11.74.94...66.11.74.94---199.212.129.226===172.26.0.0/16; prospective erouted; eroute owner: #0
000 "sunoco-172-26-net-to-london-office-net":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "sunoco-172-26-net-to-london-office-net":   ike_life: 43200s; ipsec_life: 43200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sunoco-172-26-net-to-london-office-net":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 16,16; interface: eth1;
000 "sunoco-172-26-net-to-london-office-net":   dpd: action:restart; delay:30; timeout:120;
000 "sunoco-172-26-net-to-london-office-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "sunoco-172-26-net-to-london-office-net":   IKE algorithms wanted: 5_000-1-2, flags=strict
000 "sunoco-172-26-net-to-london-office-net":   IKE algorithms found:  5_192-1_128-2,
000 "sunoco-172-26-net-to-london-office-net":   ESP algorithms wanted: 3_000-1, flags=strict
000 "sunoco-172-26-net-to-london-office-net":   ESP algorithms loaded: 3_000-1, flags=strict
000 "sunoco-192-168-net-to-london-office-net": 172.21.0.0/16===66.11.74.93---66.11.74.94...66.11.74.94---199.212.129.226===192.168.0.0/16; prospective erouted; eroute owner: #0
000 "sunoco-192-168-net-to-london-office-net":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "sunoco-192-168-net-to-london-office-net":   ike_life: 43200s; ipsec_life: 43200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sunoco-192-168-net-to-london-office-net":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 16,16; interface: eth1;
000 "sunoco-192-168-net-to-london-office-net":   dpd: action:restart; delay:30; timeout:120;
000 "sunoco-192-168-net-to-london-office-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "sunoco-192-168-net-to-london-office-net":   IKE algorithms wanted: 5_000-1-2, flags=strict
000 "sunoco-192-168-net-to-london-office-net":   IKE algorithms found:  5_192-1_128-2,
000 "sunoco-192-168-net-to-london-office-net":   ESP algorithms wanted: 3_000-1, flags=strict
000 "sunoco-192-168-net-to-london-office-net":   ESP algorithms loaded: 3_000-1, flags=strict
000 "thorndale-office-net-to-london-office-net": 172.21.0.0/16===66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---208.97.79.186[@franklin.thorndale.goco.net]===172.21.7.0/24; prospective erouted; eroute owner: #0
000 "thorndale-office-net-to-london-office-net":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "thorndale-office-net-to-london-office-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "thorndale-office-net-to-london-office-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 16,24; interface: eth1;
000 "thorndale-office-net-to-london-office-net":   dpd: action:restart; delay:30; timeout:120;
000 "thorndale-office-net-to-london-office-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "thorndale-office-net-to-london-office-server": 66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---208.97.79.186[@franklin.thorndale.goco.net]===172.21.7.0/24; erouted HOLD; eroute owner: #0
000 "thorndale-office-net-to-london-office-server":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "thorndale-office-net-to-london-office-server":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "thorndale-office-net-to-london-office-server":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1;
000 "thorndale-office-net-to-london-office-server":   dpd: action:restart; delay:30; timeout:120;
000 "thorndale-office-net-to-london-office-server":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "thorndale-office-server-to-london-office-net": 172.21.0.0/16===66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---208.97.79.186[@franklin.thorndale.goco.net]; prospective erouted; eroute owner: #0
000 "thorndale-office-server-to-london-office-net":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "thorndale-office-server-to-london-office-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "thorndale-office-server-to-london-office-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 16,32; interface: eth1;
000 "thorndale-office-server-to-london-office-net":   dpd: action:restart; delay:30; timeout:120;
000 "thorndale-office-server-to-london-office-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "thorndale-office-server-to-london-office-server": 66.11.74.93[@sheridan.london.goco.net]---66.11.74.94...66.11.74.94---208.97.79.186[@franklin.thorndale.goco.net]; prospective erouted; eroute owner: #0
000 "thorndale-office-server-to-london-office-server":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "thorndale-office-server-to-london-office-server":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "thorndale-office-server-to-london-office-server":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth1;
000 "thorndale-office-server-to-london-office-server":   dpd: action:restart; delay:30; timeout:120;
000 "thorndale-office-server-to-london-office-server":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "paris-office-server-to-london-office-server":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 22s; nodpd
000 #2: pending Phase 2 for "paris-office-net-to-london-office-server" replacing #0
000 #2: pending Phase 2 for "paris-office-server-to-london-office-net" replacing #0
000 #2: pending Phase 2 for "paris-office-net-to-london-office-net" replacing #0
000 #2: pending Phase 2 for "paris-office-net-to-london-office-server" replacing #0
000 #2: pending Phase 2 for "paris-office-server-to-london-office-server" replacing #0
000 #1: "stmarys-office-net-to-london-office-server":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 22s; nodpd
000 #1: pending Phase 2 for "stmarys-office-server-to-london-office-server" replacing #0
000 #1: pending Phase 2 for "stmarys-office-net-to-london-office-net" replacing #0
000 #1: pending Phase 2 for "highway7-office-net-to-london-office-net" replacing #0
000 #1: pending Phase 2 for "highway7-office-net-to-london-office-server" replacing #0
000 #1: pending Phase 2 for "stmarys-office-server-to-london-office-net" replacing #0
000 #1: pending Phase 2 for "stmarys-office-net-to-london-office-net" replacing #0
000 #1: pending Phase 2 for "stmarys-office-net-to-london-office-server" replacing #0
000 #1: pending Phase 2 for "stmarys-office-server-to-london-office-server" replacing #0
000 #1: pending Phase 2 for "stmarys-office-net-to-london-office-server" replacing #0
000 #3: "sunoco-192-168-net-to-london-office-net":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 22s; nodpd
000 #3: pending Phase 2 for "sunoco-172-26-net-to-london-office-net" replacing #0
000 #3: pending Phase 2 for "sunoco-172-16-19-net-to-london-office-net" replacing #0
000 #3: pending Phase 2 for "sunoco-192-168-net-to-london-office-net" replacing #0
000 #4: "thorndale-office-server-to-london-office-net":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 23s; nodpd
000 #4: pending Phase 2 for "thorndale-office-net-to-london-office-server" replacing #0
000 #4: pending Phase 2 for "thorndale-office-net-to-london-office-net" replacing #0
000 #4: pending Phase 2 for "thorndale-office-net-to-london-office-server" replacing #0
000 #4: pending Phase 2 for "thorndale-office-server-to-london-office-server" replacing #0
000 #4: pending Phase 2 for "thorndale-office-server-to-london-office-net" replacing #0
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0B:CD:E7:49:6D
          inet addr:172.21.3.101  Bcast:172.21.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:326 errors:0 dropped:0 overruns:0 frame:0
          TX packets:176 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:43520 (42.5 Kb)  TX bytes:78193 (76.3 Kb)
          Interrupt:10 Memory:e8100000-e8110000

eth1      Link encap:Ethernet  HWaddr 00:50:FC:A5:FD:E5
          inet addr:66.11.74.93  Bcast:66.11.74.95  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:189 errors:0 dropped:0 overruns:0 frame:0
          TX packets:223 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:84782 (82.7 Kb)  TX bytes:40937 (39.9 Kb)
          Interrupt:11 Base address:0x2400

ipsec0    Link encap:Ethernet  HWaddr 00:50:FC:A5:FD:E5
          inet addr:66.11.74.93  Mask:255.255.255.248
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:3 errors:0 dropped:3 overruns:0 frame:0
          TX packets:12 errors:0 dropped:289 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:4248 (4.1 Kb)

ipsec1    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec2    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec3    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:36 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3521 (3.4 Kb)  TX bytes:3521 (3.4 Kb)

ppp1      Link encap:Point-to-Point Protocol
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

+ _________________________ ip-addr-list
+ ip addr list
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0b:cd:e7:49:6d brd ff:ff:ff:ff:ff:ff
    inet 172.21.3.101/24 brd 172.21.3.255 scope global eth0
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:fc:a5:fd:e5 brd ff:ff:ff:ff:ff:ff
    inet 66.11.74.93/29 brd 66.11.74.95 scope global eth1
4: ipsec0: mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:50:fc:a5:fd:e5 brd ff:ff:ff:ff:ff:ff
    inet 66.11.74.93/29 brd 66.11.74.95 scope global ipsec0
5: ipsec1: mtu 0 qdisc noop qlen 10
    link/void
6: ipsec2: mtu 0 qdisc noop qlen 10
    link/void
7: ipsec3: mtu 0 qdisc noop qlen 10
    link/void
8: ppp1: mtu 1500 qdisc noop qlen 3
    link/ppp
+ _________________________ ip-route-list
+ ip route list
74.14.224.160 via 66.11.74.94 dev ipsec0
69.159.228.59 via 66.11.74.94 dev ipsec0
208.97.79.186 via 66.11.74.94 dev ipsec0
66.11.74.88/29 dev eth1  proto kernel  scope link  src 66.11.74.93
66.11.74.88/29 dev ipsec0  proto kernel  scope link  src 66.11.74.93
172.21.13.0/24 via 66.11.74.94 dev ipsec0
172.21.7.0/24 via 66.11.74.94 dev ipsec0
172.21.5.0/24 via 66.11.74.94 dev ipsec0
172.21.3.0/24 dev eth0  proto kernel  scope link  src 172.21.3.101
172.21.1.0/24 via 66.11.74.94 dev ipsec0
172.26.0.0/16 via 66.11.74.94 dev ipsec0
192.168.0.0/16 via 66.11.74.94 dev ipsec0
172.16.0.0/14 via 66.11.74.94 dev ipsec0
127.0.0.0/8 dev lo  scope link
default via 66.11.74.94 dev eth1  metric 1
+ _________________________ ip-rule-list
+ ip rule list
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.6 (klips)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'curl' command for CRL fetching                    [OK]
Opportunistic Encryption Support                                [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD flow-control, link ok
  product info: vendor 00:08:18, model 26 rev 2
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: negotiated 100baseTx-FD, link ok
  product info: vendor 00:00:00, model 0 rev 0
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
sheridan.london.goco.net
+ _________________________ hostname/ipaddress
+ hostname --ip-address
172.21.3.101
+ _________________________ uptime
+ uptime
 12:08:26 up 1 min,  1 user,  load average: 0.15, 0.11, 0.04
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
1     0  1762     1   9   0  2184 1156 wait4  S    ?          0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug  --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_traversal yes --keep_alive  --protostack auto --force_keepalive  --disable_port_floating  --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.21.0.0/16,%v4:!10.0.0.0/24,%v4:!192.168.2.0/24,%v4:!172.26.36.204/32,%v4:!172.17.1.152/32,%v4:!192.168.51.31/32 --crlcheckinterval 600 --ocspuri  --nhelpers  --dump /tmp --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
1     0  1766  1762   9   0  2184 1164 wait4  S    ?          0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug  --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_traversal yes --keep_alive  --protostack auto --force_keepalive  --disable_port_floating  --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.21.0.0/16,%v4:!10.0.0.0/24,%v4:!192.168.2.0/24,%v4:!172.26.36.204/32,%v4:!172.17.1.152/32,%v4:!192.168.51.31/32 --crlcheckinterval 600 --ocspuri  --nhelpers  --dump /tmp --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
4     0  1775  1766   8   0  2396 1264 select S    ?          0:00  |   \_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.21.0.0/16,%v4:!10.0.0.0/24,%v4:!192.168.2.0/24,%v4:!172.26.36.204/32,%v4:!172.17.1.152/32,%v4:!192.168.51.31/32 --crlcheckinterval 600
1     0  1803  1775  15  10  2332  824 unix_s SN   ?          0:00  |       \_ pluto helper  #  0
0     0  1804  1775   9   0  1312  260 select S    ?          0:00  |       \_ _pluto_adns
0     0  1767  1762   8   0  2172 1144 pipe_w S    ?          0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0     0  1763     1   9   0  1376  480 pipe_w S    ?          0:00 logger -s -p daemon.error -t ipsec__plutorun
0     0  2729  2659  17   0  1972 1024 wait4  S+   tty1       0:00  \_ /bin/sh /usr/local/libexec/ipsec/barf
0     0  2805  2729  16   0  1460  484 pipe_w S+   tty1       0:00      \_ egrep -i ppid|pluto|ipsec|klips
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth1
routevirt=ipsec0
routeaddr=66.11.74.93
routenexthop=66.11.74.94
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp $
# This file:  /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
#
# Help:
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.2/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.2/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.2/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.2/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.2/doc/examples

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        uniqueids=yes
        crlcheckinterval=600
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.21.0.0/16,%v4:!10.0.0.0/24,%v4:!192.168.2.0/24,%v4:!172.26.36.204/32,%v4:!172.17.1.152/32,%v4:!192.168.51.31/32
        # fragicmp=no
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        # plutodebug=all
        dumpdir=/tmp

# Disable Opportunistic Encryptionn
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore
#> /etc/ipsec.conf 38

# Add connections here.

# sample VPN connection
#sample#  conn sample
#sample#        # Left security gateway, subnet behind it, next hop toward right.
#sample#        left=10.0.0.1
#sample#        leftsubnet=172.16.0.0/24
#sample#        leftnexthop=10.22.33.44
#sample#        # Right security gateway, subnet behind it, next hop toward left.
#sample#        right=10.12.12.1
#sample#        rightsubnet=192.168.0.0/24
#sample#        rightnexthop=10.101.102.103
#sample#        # To authorize this connection, but not actually start it, at startup,
#sample#        # uncomment this.
#sample#        #auto=start

conn stmarys-office-net-to-london-office-net
        also=london-office
        leftsubnet=172.21.0.0/16
        alsoflip=stmarys-office
        rightsubnet=172.21.1.0/24
        auto=start

conn stmarys-office-net-to-london-office-server
        also=london-office
        alsoflip=stmarys-office
        rightsubnet=172.21.1.0/24
        auto=start

conn stmarys-office-server-to-london-office-net
        also=london-office
        leftsubnet=172.21.0.0/16
        alsoflip=stmarys-office
        auto=start

conn stmarys-office-server-to-london-office-server
        also=london-office
        alsoflip=stmarys-office
        auto=start

conn paris-office-net-to-london-office-net
        also=london-office
        leftsubnet=172.21.0.0/16
        alsoflip=paris-office
        rightsubnet=172.21.13.0/24
        auto=start

conn paris-office-net-to-london-office-server
        also=london-office
        alsoflip=paris-office
        rightsubnet=172.21.13.0/24
        auto=start

conn paris-office-server-to-london-office-net
        also=london-office
        leftsubnet=172.21.0.0/16
        alsoflip=paris-office
        auto=start

conn paris-office-server-to-london-office-server
        also=london-office
        alsoflip=paris-office
        auto=start

conn highway7-office-net-to-london-office-net
        also=london-office
        leftsubnet=172.21.0.0/16
        alsoflip=stmarys-office
        rightsubnet=172.21.5.0/24
        auto=start

conn highway7-office-net-to-london-office-server
also=london-office alsoflip=stmarys-office rightsubnet=172.21.5.0/24 auto=start conn thorndale-office-net-to-london-office-net also=london-office leftsubnet=172.21.0.0/16 alsoflip=thorndale-office rightsubnet=172.21.7.0/24 auto=start conn thorndale-office-net-to-london-office-server also=london-office alsoflip=thorndale-office rightsubnet=172.21.7.0/24 auto=start conn thorndale-office-server-to-london-office-net also=london-office leftsubnet=172.21.0.0/16 alsoflip=thorndale-office auto=start conn thorndale-office-server-to-london-office-server also=london-office alsoflip=thorndale-office auto=start conn neptune-office-net-to-london-office-net also=london-office leftsubnet=172.21.0.0/16 alsoflip=neptune-office rightsubnet=192.168.2.0/24 auto=ignore conn neptune-office-net-to-london-office-server also=london-office alsoflip=neptune-office rightsubnet=192.168.2.0/24 auto=ignore conn neptune-office-server-to-london-office-net also=london-office leftsubnet=172.21.0.0/16 alsoflip=neptune-office auto=ignore conn neptune-office-server-to-london-office-server also=london-office alsoflip=neptune-office auto=ignore conn mcgill-home-net-to-london-office-net also=london-office leftsubnet=172.21.0.0/16 alsoflip=mcgill-home rightsubnet=10.0.0.0/24 auto=add conn mcgill-home-net-to-london-office-server also=london-office alsoflip=mcgill-home rightsubnet=10.0.0.0/24 auto=add conn sunoco-172-16-19-net-to-london-office-net left=66.11.74.93 leftnexthop=%defaultroute leftsubnet=172.21.0.0/16 alsoflip=sunoco-toronto rightsubnet=172.16.0.0/14 auto=start conn sunoco-172-26-net-to-london-office-net left=66.11.74.93 leftnexthop=%defaultroute leftsubnet=172.21.0.0/16 alsoflip=sunoco-toronto rightsubnet=172.26.0.0/16 auto=start conn sunoco-192-168-net-to-london-office-net left=66.11.74.93 leftnexthop=%defaultroute leftsubnet=172.21.0.0/16 alsoflip=sunoco-toronto rightsubnet=192.168.0.0/16 auto=start # conn sunoco-172-24-net-to-london-office-net # left=66.11.74.93 # leftnexthop=%defaultroute # 
leftsubnet=172.21.0.0/16 # alsoflip=sunoco-toronto # rightsubnet=172.24.0.0/16 # auto=start # conn sunoco-test # left=66.11.74.93 # leftnexthop=%defaultroute # leftsubnet=172.21.3.101/32 # right=66.11.74.92 # rightnexthop=%defaultroute # rightsubnet=172.21.3.102/32 # also=sunoco # auto=add conn remote-client-to-london-office-server left=66.11.74.93 leftnexthop=%defaultroute leftid="/C=CA/ST=Ontario/O=Gra Ham Energy Limited/CN=sheridan.goco.net/emailAddress=hostmaster@goco.net" leftrsasigkey=%cert leftcert=/etc/ipsec.d/certs/sheridan.crt leftprotoport=udp/l2tp right=%any rightid="/C=CA/ST=Ontario/L=*/O=Gra Ham Energy Limited/OU=*/CN=*/emailAddress=*" rightca=%same rightsubnet=vhost:%no,%priv rightprotoport=udp/%any type=transport pfs=no rekey=no keyingtries=3 authby=rsasig auto=add conn london-office left=66.11.74.93 leftnexthop=%defaultroute leftid=@sheridan.london.goco.net # RSA 2192 bits sheridan.london.goco.net Thu Sep 30 08:42:32 2004 leftrsasigkey=[keyid AQNd8gO06] conn stmarys-office left=69.159.228.59 leftnexthop=%defaultroute leftid=@delenn.stmarys.goco.net # RSA 2192 bits delenn.stmarys.goco.net Fri Dec 3 16:27:53 2004 leftrsasigkey=[keyid AQNsYLhzx] also=goco conn paris-office left=74.14.224.160 leftnexthop=%defaultroute leftid=@sinclair.paris.goco.net # RSA 2192 bits sinclair.paris.goco.net Tue Oct 4 09:33:59 2005 leftrsasigkey=[keyid AQOKclCLX] also=goco conn thorndale-office left=208.97.79.186 leftnexthop=%defaultroute leftid=@franklin.thorndale.goco.net # RSA 2192 bits franklin.thorndale.goco.net Mon Oct 4 15:30:36 2004 leftrsasigkey=[keyid AQOLSs0aQ] also=goco conn neptune-office left=209.239.12.97 leftnexthop=%defaultroute leftid=@garibaldi.neptune.goco.net # RSA 2192 bits garibaldi.neptune.goco.net Wed Nov 1 14:35:01 2006 leftrsasigkey=[keyid AQNrd1ave] also=goco conn goco dpddelay=30 dpdtimeout=120 dpdaction=restart # hold conn mcgill-home left=%any leftid=@newton.mcgill.stmarys.on.ca # RSA 2192 bits newton.mcgill.stmarys.on.ca Thu Sep 30 08:25:15 
2004 leftrsasigkey=[keyid AQOEHNKWo] dpddelay=30 dpdtimeout=120 dpdaction=clear # hold conn sunoco-toronto left=199.212.129.226 leftnexthop=%defaultroute also=sunoco conn sunoco-calgary left=199.85.9.226 leftnexthop=%defaultroute also=sunoco conn sunoco keyexchange=ike aggrmode=no auth=esp ike=3des-md5-modp1024 esp=3des-md5 pfs=yes compress=yes ikelifetime=12.0h # 1.0h keylife=12.0h # 8.0h rekey=yes keyingtries=%forever rekeymargin=9m rekeyfuzz=100% dpddelay=30 dpdtimeout=120 dpdaction=restart # hold authby=secret conn compatible keyexchange=ike aggrmode=no auth=esp # ike=(aes256|aes192|aes128|3des)-(sha2_512|sha2_384|sha2_256|sha1|md5)-(modp8192|modp6144|modp4096|modp3072|modp2048|modp1536|modp1024) # ike=aes256-sha2_512-modp4096,aes192-sha2_384-modp3072,aes128-sha2_256-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-md5-modp1536,3des-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024 ike=3des,aes esp=3des,aes pfs=no compress=yes + _________________________ ipsec/secrets + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 # sunoco's PSK 66.11.74.93 @sheridan.london.goco.net 199.212.129.226 @toronto.sunoco.ca 199.85.9.226 @calgary.sunoco.ca : PSK "[sums to 77c5...]" # 66.11.74.93 66.11.74.92 : PSK "[sums to 5f52...]" # sheridan's RSA 66.11.74.93 @sheridan.london.goco.net 69.159.228.59 @delenn.stmarys.goco.net 209.162.226.246 @sinclair.paris.goco.net 69.63.33.181 @franklin.thorndale.goco.net @newton.mcgill.stmarys.on.ca : RSA { # RSA 2192 bits sheridan.london.goco.net Thu Sep 30 08:42:32 2004 # for signatures only, UNSAFE FOR ENCRYPTION #pubkey=[keyid AQNd8gO06] Modulus: [...] PublicExponent: [...] # everything after this point is secret PrivateExponent: [...] Prime1: [...] Prime2: [...] Exponent1: [...] Exponent2: [...] Coefficient: [...] 
} # do not change the indenting of that "[sums to 7d9d...]" # sheridan's Certificate 66.11.74.93 "[sums to dfea...]" %any : RSA /etc/ipsec.d/private/sheridan-private.key + _________________________ ipsec/listall + ipsec auto --listall 000 000 List of Public Keys: 000 000 Dec 01 12:06:58 2006, 2192 RSA Key AQOLSs0aQ, until --- -- --:--:-- ---- ok (expires never) 000 ID_FQDN '@franklin.thorndale.goco.net' 000 Dec 01 12:06:58 2006, 2192 RSA Key AQNd8gO06, until --- -- --:--:-- ---- ok (expires never) 000 ID_FQDN '@sheridan.london.goco.net' 000 Dec 01 12:06:58 2006, 2192 RSA Key AQNsYLhzx, until --- -- --:--:-- ---- ok (expires never) 000 ID_FQDN '@delenn.stmarys.goco.net' 000 Dec 01 12:06:57 2006, 2192 RSA Key AQOKclCLX, until --- -- --:--:-- ---- ok (expires never) 000 ID_FQDN '@sinclair.paris.goco.net' 000 Dec 01 12:06:57 2006, 2192 RSA Key AQOEHNKWo, until --- -- --:--:-- ---- ok (expires never) 000 ID_FQDN '@newton.mcgill.stmarys.on.ca' 000 Dec 01 12:06:57 2006, 1024 RSA Key AwEAAa//C, until Feb 14 12:44:13 2010 ok 000 ID_DER_ASN1_DN 'C=CA, ST=Ontario, O=Gra Ham Energy Limited, CN=sheridan.goco.net, E=hostmaster@goco.net' 000 Issuer 'C=CA, ST=Ontario, O=Gra Ham Energy Limited, CN=Gra Ham Energy Root Certification Authority, E=sslca@goco.net' 000 000 List of X.509 End Certificates: 000 000 Dec 01 12:06:57 2006, count: 1 000 subject: 'C=CA, ST=Ontario, O=Gra Ham Energy Limited, CN=sheridan.goco.net, E=hostmaster@goco.net' 000 issuer: 'C=CA, ST=Ontario, O=Gra Ham Energy Limited, CN=Gra Ham Energy Root Certification Authority, E=sslca@goco.net' 000 serial: 01 000 pubkey: 1024 RSA Key AwEAAa//C, has private key 000 validity: not before Feb 15 12:44:13 2005 ok 000 not after Feb 14 12:44:13 2010 ok 000 subjkey: ca:d7:35:69:08:06:31:b2:77:8f:30:8d:2c:35:f3:3f:31:35:4e:9b 000 authkey: 1d:58:96:07:f7:39:d0:06:9b:cc:a9:7f:82:6e:0b:2f:47:47:13:79 000 aserial: 00 000 000 List of X.509 CA Certificates: 000 000 Dec 01 12:06:56 2006, count: 1 000 subject: 'C=CA, ST=Ontario, O=Gra 
Ham Energy Limited, CN=Gra Ham Energy Root Certification Authority, E=sslca@goco.net' 000 issuer: 'C=CA, ST=Ontario, O=Gra Ham Energy Limited, CN=Gra Ham Energy Root Certification Authority, E=sslca@goco.net' 000 serial: 00 000 pubkey: 1024 RSA Key AwEAAbulr 000 validity: not before Feb 15 12:42:29 2005 ok 000 not after Feb 14 12:42:29 2010 ok 000 subjkey: 1d:58:96:07:f7:39:d0:06:9b:cc:a9:7f:82:6e:0b:2f:47:47:13:79 000 authkey: 1d:58:96:07:f7:39:d0:06:9b:cc:a9:7f:82:6e:0b:2f:47:47:13:79 000 aserial: 00 000 000 List of X.509 CRLs: 000 000 Dec 01 12:06:56 2006, revoked certs: 6 000 issuer: 'C=CA, ST=Ontario, O=Gra Ham Energy Limited, CN=Gra Ham Energy Root Certification Authority, E=sslca@goco.net' 000 updates: this Dec 01 04:00:04 2006 000 next Jan 01 04:00:04 2007 ok + '[' /etc/ipsec.d/policies ']' ++ basename /etc/ipsec.d/policies/block + base=block + _________________________ ipsec/policies/block + cat /etc/ipsec.d/policies/block # This file defines the set of CIDRs (network/mask-length) to which # communication should never be allowed. # # See /usr/local/share/doc/freeswan/policygroups.html for details. # # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # ++ basename /etc/ipsec.d/policies/clear + base=clear + _________________________ ipsec/policies/clear + cat /etc/ipsec.d/policies/clear # This file defines the set of CIDRs (network/mask-length) to which # communication should always be in the clear. # # See /usr/local/share/doc/freeswan/policygroups.html for details. # # $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # ++ basename /etc/ipsec.d/policies/clear-or-private + base=clear-or-private + _________________________ ipsec/policies/clear-or-private + cat /etc/ipsec.d/policies/clear-or-private # This file defines the set of CIDRs (network/mask-length) to which # we will communicate in the clear, or, if the other side initiates IPSEC, # using encryption. This behaviour is also called "Opportunistic Responder". 
# # See /usr/local/share/doc/freeswan/policygroups.html for details. # # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # ++ basename /etc/ipsec.d/policies/private + base=private + _________________________ ipsec/policies/private + cat /etc/ipsec.d/policies/private # This file defines the set of CIDRs (network/mask-length) to which # communication should always be private (i.e. encrypted). # See /usr/local/share/doc/freeswan/policygroups.html for details. # # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # ++ basename /etc/ipsec.d/policies/private-or-clear + base=private-or-clear + _________________________ ipsec/policies/private-or-clear + cat /etc/ipsec.d/policies/private-or-clear # This file defines the set of CIDRs (network/mask-length) to which # communication should be private, if possible, but in the clear otherwise. # # If the target has a TXT (later IPSECKEY) record that specifies # authentication material, we will require private (i.e. encrypted) # communications. If no such record is found, communications will be # in the clear. # # See /usr/local/share/doc/freeswan/policygroups.html for details. 
# # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $ # 0.0.0.0/0 + _________________________ ipsec/ls-libdir + ls -l /usr/local/lib/ipsec total 300 -rwxr-xr-x 1 root root 15848 Aug 4 13:45 _confread -rwxr-xr-x 1 root root 15848 Aug 3 16:19 _confread.old -rwxr-xr-x 1 root root 48269 Aug 4 13:45 _copyright -rwxr-xr-x 1 root root 48281 Aug 3 16:19 _copyright.old -rwxr-xr-x 1 root root 2379 Aug 4 13:45 _include -rwxr-xr-x 1 root root 2379 Aug 3 16:19 _include.old -rwxr-xr-x 1 root root 1475 Aug 4 13:45 _keycensor -rwxr-xr-x 1 root root 1475 Aug 3 16:19 _keycensor.old -rwxr-xr-x 1 root root 3586 Aug 4 13:45 _plutoload -rwxr-xr-x 1 root root 3586 Aug 3 16:19 _plutoload.old -rwxr-xr-x 1 root root 7223 Aug 4 13:45 _plutorun -rwxr-xr-x 1 root root 7223 Aug 3 16:20 _plutorun.old -rwxr-xr-x 1 root root 12335 Aug 4 13:45 _realsetup -rwxr-xr-x 1 root root 12335 Aug 3 16:20 _realsetup.old -rwxr-xr-x 1 root root 1975 Aug 4 13:45 _secretcensor -rwxr-xr-x 1 root root 1975 Aug 3 16:20 _secretcensor.old -rwxr-xr-x 1 root root 10076 Aug 4 13:45 _startklips -rwxr-xr-x 1 root root 10076 Aug 3 16:20 _startklips.old -rwxr-xr-x 1 root root 13918 Aug 4 13:45 _updown -rwxr-xr-x 1 root root 13918 Aug 3 16:20 _updown.old -rwxr-xr-x 1 root root 15746 Aug 4 13:45 _updown_x509 -rwxr-xr-x 1 root root 15746 Aug 3 16:20 _updown_x509.old -rwxr-xr-x 1 root root 1942 Aug 4 13:45 ipsec_pr.template + _________________________ ipsec/ls-execdir + ls -l /usr/local/libexec/ipsec total 10120 -rwxr-xr-x 1 root root 72550 Aug 4 13:45 _pluto_adns -rwxr-xr-x 1 root root 72574 Aug 3 16:19 _pluto_adns.old -rwxr-xr-x 1 root root 18891 Aug 4 13:45 auto -rwxr-xr-x 1 root root 18891 Aug 3 16:20 auto.old -rwxr-xr-x 1 root root 11355 Aug 4 13:45 barf -rwxr-xr-x 1 root root 11355 Aug 3 16:20 barf.old -rwxr-xr-x 1 root root 816 Aug 4 13:45 calcgoo -rwxr-xr-x 1 root root 816 Aug 3 16:20 calcgoo.old -rwxr-xr-x 1 root root 325541 Aug 4 13:45 eroute -rwxr-xr-x 1 root root 325677 Aug 3 16:19 eroute.old -rwxr-xr-x 1 
root root 133207 Aug 4 13:45 ikeping -rwxr-xr-x 1 root root 133303 Aug 3 16:20 ikeping.old -rwxr-xr-x 1 root root 193178 Aug 4 13:45 klipsdebug -rwxr-xr-x 1 root root 193246 Aug 3 16:19 klipsdebug.old -rwxr-xr-x 1 root root 1836 Aug 4 13:45 livetest -rwxr-xr-x 1 root root 1836 Aug 3 16:20 livetest.old -rwxr-xr-x 1 root root 2605 Aug 4 13:45 look -rwxr-xr-x 1 root root 2605 Aug 3 16:20 look.old -rwxr-xr-x 1 root root 7159 Aug 4 13:45 mailkey -rwxr-xr-x 1 root root 7159 Aug 3 16:20 mailkey.old -rwxr-xr-x 1 root root 16015 Aug 4 13:45 manual -rwxr-xr-x 1 root root 16015 Aug 3 16:20 manual.old -rwxr-xr-x 1 root root 1951 Aug 4 13:45 newhostkey -rwxr-xr-x 1 root root 1951 Aug 3 16:20 newhostkey.old -rwxr-xr-x 1 root root 175321 Aug 4 13:45 pf_key -rwxr-xr-x 1 root root 175385 Aug 3 16:19 pf_key.old -rwxr-xr-x 1 root root 2816203 Aug 4 13:45 pluto -rwxr-xr-x 1 root root 2817059 Aug 3 16:19 pluto.old -rwxr-xr-x 1 root root 52173 Aug 4 13:45 ranbits -rwxr-xr-x 1 root root 52193 Aug 3 16:20 ranbits.old -rwxr-xr-x 1 root root 82747 Aug 4 13:45 rsasigkey -rwxr-xr-x 1 root root 82775 Aug 3 16:20 rsasigkey.old -rwxr-xr-x 1 root root 766 Aug 4 13:45 secrets -rwxr-xr-x 1 root root 766 Aug 3 16:20 secrets.old -rwxr-xr-x 1 root root 17660 Aug 4 13:45 send-pr -rwxr-xr-x 1 root root 17660 Aug 3 16:20 send-pr.old lrwxrwxrwx 1 root root 15 Aug 4 13:45 setup -> /etc/rc.d/ipsec -rwxr-xr-x 1 root root 1054 Aug 4 13:45 showdefaults -rwxr-xr-x 1 root root 1054 Aug 3 16:20 showdefaults.old -rwxr-xr-x 1 root root 4748 Aug 4 13:45 showhostkey -rwxr-xr-x 1 root root 4748 Aug 3 16:20 showhostkey.old -rwxr-xr-x 1 root root 526451 Aug 4 13:45 spi -rwxr-xr-x 1 root root 526671 Aug 3 16:19 spi.old -rwxr-xr-x 1 root root 264238 Aug 4 13:45 spigrp -rwxr-xr-x 1 root root 264354 Aug 3 16:19 spigrp.old -rwxr-xr-x 1 root root 56965 Aug 4 13:45 tncfg -rwxr-xr-x 1 root root 56981 Aug 3 16:19 tncfg.old -rwxr-xr-x 1 root root 11640 Aug 4 13:45 verify -rwxr-xr-x 1 root root 11640 Aug 3 16:20 verify.old 
-rwxr-xr-x 1 root root 287575 Aug 4 13:45 whack -rwxr-xr-x 1 root root 287667 Aug 3 16:19 whack.old + _________________________ ipsec/updowns ++ ls /usr/local/libexec/ipsec ++ egrep updown + _________________________ /proc/net/dev + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 3521 36 0 0 0 0 0 0 3521 36 0 0 0 0 0 0 eth0: 43520 326 0 0 0 0 0 0 78193 176 0 0 0 0 0 0 eth1: 84782 189 0 0 0 0 0 0 40937 223 0 0 0 0 0 0 ipsec0: 0 3 0 3 0 0 0 0 4248 12 0 290 0 0 0 0 ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ppp1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _________________________ /proc/net/route + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT ipsec0 A0E00E4A 5E4A0B42 0007 0 0 0 FFFFFFFF 0 0 0 ipsec0 3BE49F45 5E4A0B42 0007 0 0 0 FFFFFFFF 0 0 0 ipsec0 BA4F61D0 5E4A0B42 0007 0 0 0 FFFFFFFF 0 0 0 eth1 584A0B42 00000000 0001 0 0 0 F8FFFFFF 0 0 0 ipsec0 584A0B42 00000000 0001 0 0 0 F8FFFFFF 0 0 0 ipsec0 000D15AC 5E4A0B42 0003 0 0 0 00FFFFFF 0 0 0 ipsec0 000715AC 5E4A0B42 0003 0 0 0 00FFFFFF 0 0 0 ipsec0 000515AC 5E4A0B42 0003 0 0 0 00FFFFFF 0 0 0 eth0 000315AC 00000000 0001 0 0 0 00FFFFFF 0 0 0 ipsec0 000115AC 5E4A0B42 0003 0 0 0 00FFFFFF 0 0 0 ipsec0 00001AAC 5E4A0B42 0003 0 0 0 0000FFFF 0 0 0 ipsec0 0000A8C0 5E4A0B42 0003 0 0 0 0000FFFF 0 0 0 ipsec0 000010AC 5E4A0B42 0003 0 0 0 0000FCFF 0 0 0 lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0 eth1 00000000 5E4A0B42 0003 0 0 1 00000000 0 0 0 + _________________________ /proc/sys/net/ipv4/ip_forward + cat /proc/sys/net/ipv4/ip_forward 1 + _________________________ /proc/sys/net/ipv4/tcp_ecn + cat /proc/sys/net/ipv4/tcp_ecn 0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + cd /proc/sys/net/ipv4/conf + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter 
ipsec0/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:0 eth0/rp_filter:0 eth1/rp_filter:0 ipsec0/rp_filter:0 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + cd /proc/sys/net/ipv4/conf + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:0 eth0/rp_filter:0 eth1/rp_filter:0 ipsec0/rp_filter:0 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects + cd /proc/sys/net/ipv4/conf + egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects ipsec0/accept_redirects ipsec0/secure_redirects ipsec0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects all/accept_redirects:0 all/secure_redirects:1 all/send_redirects:1 default/accept_redirects:1 default/secure_redirects:1 default/send_redirects:1 eth0/accept_redirects:1 eth0/secure_redirects:1 eth0/send_redirects:1 eth1/accept_redirects:1 eth1/secure_redirects:1 eth1/send_redirects:1 ipsec0/accept_redirects:1 ipsec0/secure_redirects:1 ipsec0/send_redirects:1 lo/accept_redirects:1 lo/secure_redirects:1 lo/send_redirects:1 + _________________________ /proc/sys/net/ipv4/tcp_window_scaling + cat /proc/sys/net/ipv4/tcp_window_scaling 1 + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale + cat /proc/sys/net/ipv4/tcp_adv_win_scale 2 + _________________________ uname-a + uname -a Linux sheridan 2.4.31 #1 Tue Nov 28 14:52:18 EST 2006 i686 unknown unknown GNU/Linux + _________________________ config-built-with + test -r /proc/config_built_with + _________________________ distro-release + test -f /etc/redhat-release + test -f /etc/debian-release + test -f /etc/SuSE-release + test -f /etc/mandrake-release + test -f /etc/mandriva-release + 
test -f /etc/gentoo-release + _________________________ /proc/net/ipsec_version + test -r /proc/net/ipsec_version + cat /proc/net/ipsec_version Openswan version: 2.4.6 + _________________________ ipfwadm + test -r /sbin/ipfwadm + 'no old-style linux 1.x/2.0 ipfwadm firewall support' /usr/local/libexec/ipsec/barf: line 305: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory + _________________________ ipchains + test -r /sbin/ipchains + echo 'no old-style linux 2.0 ipchains firewall support' no old-style linux 2.0 ipchains firewall support + _________________________ iptables + test -r /sbin/iptables + test -r /sbin/ipchains + _________________________ /proc/modules + test -f /proc/modules + cat /proc/modules ppp_async 6528 1 (autoclean) ppp_generic 19556 3 (autoclean) [ppp_async] slhc 4592 0 (autoclean) [ppp_generic] ipsec 307264 2 ipt_DSCP 1016 2 (autoclean) ipt_multiport 664 1 (autoclean) ipt_state 504 3 (autoclean) ipt_LOG 3448 1 (autoclean) iptable_mangle 2072 1 (autoclean) iptable_filter 1644 1 (autoclean) ip_nat_ftp 2544 0 (unused) iptable_nat 16814 2 [ip_nat_ftp] ip_conntrack_irc 2768 0 (unused) ip_conntrack_ftp 3632 1 ip_conntrack 18564 2 [ipt_state ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp] ip_tables 12000 9 [ipt_DSCP ipt_multiport ipt_state ipt_LOG iptable_mangle iptable_filter iptable_nat] usbcore 59148 1 rtl8139 13868 1 pci-scan 3956 1 [rtl8139] bcm5700 104388 1 ide-scsi 9392 0 + _________________________ /proc/meminfo + cat /proc/meminfo total: used: free: shared: buffers: cached: Mem: 526901248 133328896 393572352 0 4771840 65069056 Swap: 2048053248 0 2048053248 MemTotal: 514552 kB MemFree: 384348 kB MemShared: 0 kB Buffers: 4660 kB Cached: 63544 kB SwapCached: 0 kB Active: 31300 kB Inactive: 37016 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 514552 kB LowFree: 384348 kB SwapTotal: 2000052 kB SwapFree: 2000052 kB + _________________________ /proc/net/ipsec-ls + test -f /proc/net/ipsec_version + ls -l 
/proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version lrwxrwxrwx 1 root root 16 Dec 1 12:08 /proc/net/ipsec_eroute -> ipsec/eroute/all lrwxrwxrwx 1 root root 16 Dec 1 12:08 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug lrwxrwxrwx 1 root root 13 Dec 1 12:08 /proc/net/ipsec_spi -> ipsec/spi/all lrwxrwxrwx 1 root root 16 Dec 1 12:08 /proc/net/ipsec_spigrp -> ipsec/spigrp/all lrwxrwxrwx 1 root root 11 Dec 1 12:08 /proc/net/ipsec_tncfg -> ipsec/tncfg lrwxrwxrwx 1 root root 13 Dec 1 12:08 /proc/net/ipsec_version -> ipsec/version + _________________________ usr/src/linux/.config + test -f /proc/config.gz ++ uname -r + test -f /lib/modules/2.4.31/build/.config ++ uname -r + egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV' + cat /lib/modules/2.4.31/build/.config CONFIG_INET=y CONFIG_IP_MULTICAST=y CONFIG_IP_ADVANCED_ROUTER=y CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IP_ROUTE_FWMARK=y CONFIG_IP_ROUTE_NAT=y CONFIG_IP_ROUTE_MULTIPATH=y CONFIG_IP_ROUTE_TOS=y CONFIG_IP_ROUTE_VERBOSE=y # CONFIG_IP_PNP is not set CONFIG_IP_MROUTE=y CONFIG_IP_PIMSM_V1=y # CONFIG_IP_PIMSM_V2 is not set # CONFIG_INET_ECN is not set CONFIG_IP_NF_CONNTRACK=m CONFIG_IP_NF_FTP=m CONFIG_IP_NF_AMANDA=m CONFIG_IP_NF_TFTP=m CONFIG_IP_NF_IRC=m CONFIG_IP_NF_QUEUE=m CONFIG_IP_NF_IPTABLES=m CONFIG_IP_NF_MATCH_LIMIT=m CONFIG_IP_NF_MATCH_MAC=m CONFIG_IP_NF_MATCH_PKTTYPE=m CONFIG_IP_NF_MATCH_MARK=m CONFIG_IP_NF_MATCH_MULTIPORT=m CONFIG_IP_NF_MATCH_TOS=m CONFIG_IP_NF_MATCH_RECENT=m CONFIG_IP_NF_MATCH_ECN=m CONFIG_IP_NF_MATCH_DSCP=m CONFIG_IP_NF_MATCH_AH_ESP=m CONFIG_IP_NF_MATCH_LENGTH=m CONFIG_IP_NF_MATCH_TTL=m CONFIG_IP_NF_MATCH_TCPMSS=m CONFIG_IP_NF_MATCH_HELPER=m CONFIG_IP_NF_MATCH_STATE=m CONFIG_IP_NF_MATCH_CONNTRACK=m CONFIG_IP_NF_MATCH_UNCLEAN=m CONFIG_IP_NF_MATCH_OWNER=m CONFIG_IP_NF_FILTER=m CONFIG_IP_NF_TARGET_REJECT=m CONFIG_IP_NF_TARGET_MIRROR=m CONFIG_IP_NF_NAT=m 
CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IP_NF_TARGET_MASQUERADE=m CONFIG_IP_NF_TARGET_REDIRECT=m CONFIG_IP_NF_NAT_AMANDA=m CONFIG_IP_NF_NAT_SNMP_BASIC=m CONFIG_IP_NF_NAT_IRC=m CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=m CONFIG_IP_NF_MANGLE=m CONFIG_IP_NF_TARGET_TOS=m CONFIG_IP_NF_TARGET_ECN=m CONFIG_IP_NF_TARGET_DSCP=m CONFIG_IP_NF_TARGET_MARK=m CONFIG_IP_NF_TARGET_LOG=m CONFIG_IP_NF_TARGET_ULOG=m CONFIG_IP_NF_TARGET_TCPMSS=m CONFIG_IP_NF_ARPTABLES=m CONFIG_IP_NF_ARPFILTER=m CONFIG_IP_NF_ARP_MANGLE=m CONFIG_IP_NF_COMPAT_IPCHAINS=m CONFIG_IP_NF_NAT_NEEDED=y # CONFIG_IP_NF_COMPAT_IPFWADM is not set CONFIG_IP_VS=m # CONFIG_IP_VS_DEBUG is not set CONFIG_IP_VS_TAB_BITS=12 CONFIG_IP_VS_RR=m CONFIG_IP_VS_WRR=m CONFIG_IP_VS_LC=m CONFIG_IP_VS_WLC=m CONFIG_IP_VS_LBLC=m CONFIG_IP_VS_LBLCR=m CONFIG_IP_VS_DH=m CONFIG_IP_VS_SH=m CONFIG_IP_VS_SED=m CONFIG_IP_VS_NQ=m CONFIG_IP_VS_FTP=m CONFIG_IPV6=m # CONFIG_IP6_NF_QUEUE is not set CONFIG_IP6_NF_IPTABLES=m CONFIG_IP6_NF_MATCH_LIMIT=m CONFIG_IP6_NF_MATCH_MAC=m CONFIG_IP6_NF_MATCH_RT=m CONFIG_IP6_NF_MATCH_OPTS=m CONFIG_IP6_NF_MATCH_FRAG=m CONFIG_IP6_NF_MATCH_HL=m CONFIG_IP6_NF_MATCH_MULTIPORT=m CONFIG_IP6_NF_MATCH_OWNER=m CONFIG_IP6_NF_MATCH_MARK=m CONFIG_IP6_NF_MATCH_IPV6HEADER=m CONFIG_IP6_NF_MATCH_AHESP=m CONFIG_IP6_NF_MATCH_LENGTH=m CONFIG_IP6_NF_MATCH_EUI64=m CONFIG_IP6_NF_FILTER=m CONFIG_IP6_NF_TARGET_LOG=m CONFIG_IP6_NF_MANGLE=m CONFIG_IP6_NF_TARGET_MARK=m CONFIG_IP_SCTP=m CONFIG_IPX=m # CONFIG_IPX_INTERN is not set CONFIG_IPSEC_NAT_TRAVERSAL=y CONFIG_IPHASE5526=m CONFIG_IPPP_FILTER=y CONFIG_IPMI_HANDLER=m # CONFIG_IPMI_PANIC_EVENT is not set CONFIG_IPMI_DEVICE_INTERFACE=m CONFIG_IPMI_KCS=m CONFIG_IPMI_WATCHDOG=m CONFIG_HW_RANDOM=m + _________________________ etc/syslog.conf + cat /etc/syslog.conf # /etc/syslog.conf # For info about the format of this file, see "man syslog.conf" # and /usr/doc/sysklogd/README.linux. Note the '-' prefixing some # of these entries; this omits syncing the file after every logging. 
# In the event of a crash, some log information might be lost, so # if this is a concern to you then you might want to remove the '-'. # Be advised this will cause a performation loss if you're using # programs that do heavy logging. # Uncomment this to see kernel messages on the console. #kern.* /dev/console # Log anything 'info' or higher, but lower than 'warn'. # Exclude authpriv, cron, mail, and news. These are logged elsewhere. *.info;*.!warn;\ authpriv.none;cron.none;mail.none;news.none -/var/log/messages # Log anything 'warn' or higher. # Exclude authpriv, cron, mail, and news. These are logged elsewhere. *.warn;\ authpriv.none;cron.none;mail.none;news.none -/var/log/syslog # Debugging information is logged here. *.=debug -/var/log/debug # Private authentication message logging: authpriv.* -/var/log/secure # Cron related logs: cron.* -/var/log/cron # Mail related logs: mail.* -/var/log/maillog # Emergency level messages go to all users: *.emerg * # This log is for news and uucp errors: uucp,news.crit -/var/log/spooler # Uncomment these if you'd like INN to keep logs on everything. # You won't need this if you don't run INN (the InterNetNews daemon). 
#news.=crit -/var/log/news/news.crit #news.=err -/var/log/news/news.err #news.notice -/var/log/news/news.notice + _________________________ etc/syslog-ng/syslog-ng.conf + cat /etc/syslog-ng/syslog-ng.conf cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory + _________________________ etc/resolv.conf + cat /etc/resolv.conf nameserver 127.0.0.1 + _________________________ lib/modules-ls + ls -ltr /lib/modules total 8 drwxr-xr-x 4 root root 4096 Nov 10 2005 2.4.31 drwxr-xr-x 3 root root 4096 Nov 28 12:02 2.4.26 + _________________________ /proc/ksyms-netif_rx + test -r /proc/ksyms + egrep netif_rx /proc/ksyms c02b62d0 netif_rx + _________________________ lib/modules-netif_rx + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.4.26: 2.4.31: + _________________________ kern.debug + test -f /var/log/kern.debug + _________________________ klog + sed -n '8678,$p' /var/log/syslog + egrep -i 'ipsec|klips|pluto' + cat Dec 1 12:06:56 sheridan ipsec_setup: Starting Openswan IPsec 2.4.6... 
Dec 1 12:06:58 sheridan ipsec__plutorun: 003 ERROR "/etc/ipsec.secrets" line 32: index ""/C=CA/ST=Ontario/O=Gra Ham Energy Limited/CN=sheridan.goco.net/emailAddress=hostmaster@goco.net"" unknown OID in ID_DER_ASN1_DN
Dec 1 12:06:58 sheridan ipsec__plutorun: 104 "paris-office-server-to-london-office-server" #2: STATE_MAIN_I1: initiate
Dec 1 12:06:58 sheridan ipsec__plutorun: ...could not start conn "paris-office-server-to-london-office-server"
Dec 1 12:06:58 sheridan ipsec__plutorun: 104 "sunoco-192-168-net-to-london-office-net" #3: STATE_MAIN_I1: initiate
Dec 1 12:06:58 sheridan ipsec__plutorun: ...could not start conn "sunoco-192-168-net-to-london-office-net"
Dec 1 12:06:59 sheridan ipsec__plutorun: 104 "thorndale-office-server-to-london-office-net" #4: STATE_MAIN_I1: initiate
Dec 1 12:06:59 sheridan ipsec__plutorun: ...could not start conn "thorndale-office-server-to-london-office-net"
+ _________________________ plog
+ sed -n '29898,$p' /var/log/secure
+ egrep -i pluto
+ cat
Dec 1 12:06:56 sheridan ipsec__plutorun: Starting Pluto subsystem...
Dec 1 12:06:56 sheridan pluto[1775]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEN|EMqk_Mlg)
Dec 1 12:06:56 sheridan pluto[1775]: Setting NAT-Traversal port-4500 floating to on
Dec 1 12:06:56 sheridan pluto[1775]: port floating activation criteria nat_t=1/port_fload=1
Dec 1 12:06:56 sheridan pluto[1775]: including NAT-Traversal patch (Version 0.6c)
Dec 1 12:06:56 sheridan pluto[1775]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Dec 1 12:06:56 sheridan pluto[1775]: WARNING: Using /dev/urandom as the source of random
Dec 1 12:06:56 sheridan pluto[1775]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 1 12:06:56 sheridan pluto[1775]: starting up 1 cryptographic helpers
Dec 1 12:06:56 sheridan pluto[1775]: started helper pid=1803 (fd:6)
Dec 1 12:06:56 sheridan pluto[1803]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Dec 1 12:06:56 sheridan pluto[1803]: WARNING: Using /dev/urandom as the source of random
Dec 1 12:06:56 sheridan pluto[1775]: Using KLIPS IPsec interface code on 2.4.31
Dec 1 12:06:56 sheridan pluto[1775]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 1 12:06:56 sheridan pluto[1775]: loaded CA cert file 'goco-ca.crt' (1306 bytes)
Dec 1 12:06:56 sheridan pluto[1775]: Changing to directory '/etc/ipsec.d/aacerts'
Dec 1 12:06:56 sheridan pluto[1775]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 1 12:06:56 sheridan pluto[1775]: Changing to directory '/etc/ipsec.d/crls'
Dec 1 12:06:56 sheridan pluto[1775]: loaded crl file 'goco.crl' (690 bytes)
Dec 1 12:06:56 sheridan pluto[1775]: added connection description "paris-office-server-to-london-office-server"
Dec 1 12:06:56 sheridan pluto[1775]: added connection description "stmarys-office-server-to-london-office-server"
Dec 1 12:06:56 sheridan pluto[1775]: added connection description "sunoco-192-168-net-to-london-office-net"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "mcgill-home-net-to-london-office-net"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "stmarys-office-net-to-london-office-server"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "paris-office-net-to-london-office-server"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "stmarys-office-net-to-london-office-net"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "sunoco-172-16-19-net-to-london-office-net"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "thorndale-office-server-to-london-office-net"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "stmarys-office-server-to-london-office-net"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "highway7-office-net-to-london-office-server"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "paris-office-net-to-london-office-net"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "thorndale-office-server-to-london-office-server"
Dec 1 12:06:57 sheridan pluto[1775]: loaded host cert file '/etc/ipsec.d/certs/sheridan.crt' (3690 bytes)
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "remote-client-to-london-office-server"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "sunoco-172-26-net-to-london-office-net"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "mcgill-home-net-to-london-office-server"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "paris-office-server-to-london-office-net"
Dec 1 12:06:58 sheridan pluto[1775]: added connection description "thorndale-office-net-to-london-office-server"
Dec 1 12:06:58 sheridan pluto[1775]: added connection description "highway7-office-net-to-london-office-net"
Dec 1 12:06:58 sheridan pluto[1775]: added connection description "thorndale-office-net-to-london-office-net"
Dec 1 12:06:58 sheridan pluto[1775]: 
listening for IKE messages Dec 1 12:06:58 sheridan pluto[1775]: adding interface ipsec0/eth1 66.11.74.93:500 Dec 1 12:06:58 sheridan pluto[1775]: adding interface ipsec0/eth1 66.11.74.93:4500 Dec 1 12:06:58 sheridan pluto[1775]: loading secrets from "/etc/ipsec.secrets" Dec 1 12:06:58 sheridan pluto[1775]: ERROR "/etc/ipsec.secrets" line 32: index ""/C=CA/ST=Ontario/O=Gra Ham Energy Limited/CN=sheridan.goco.net/emailAddress=hostmaster@goco.net"" unknown OID in ID_DER_ASN1_DN Dec 1 12:06:58 sheridan pluto[1775]: loaded private key file '/etc/ipsec.d/private/sheridan-private.key' (887 bytes) Dec 1 12:06:58 sheridan pluto[1775]: initiate on demand from 66.11.74.93:0 to 172.21.1.49:0 proto=0 state: fos_start because: acquire Dec 1 12:06:58 sheridan pluto[1775]: "stmarys-office-net-to-london-office-server" #1: initiating Main Mode Dec 1 12:06:58 sheridan pluto[1775]: "paris-office-server-to-london-office-server" #2: initiating Main Mode Dec 1 12:06:58 sheridan pluto[1775]: "sunoco-192-168-net-to-london-office-net" #3: initiating Main Mode Dec 1 12:06:59 sheridan pluto[1775]: "thorndale-office-server-to-london-office-net" #4: initiating Main Mode Dec 1 12:06:59 sheridan pluto[1775]: initiate on demand from 172.21.3.15:0 to 172.21.1.1:0 proto=0 state: fos_start because: acquire Dec 1 12:07:11 sheridan pluto[1775]: initiate on demand from 66.11.74.93:0 to 172.21.7.1:0 proto=0 state: fos_start because: acquire Dec 1 12:07:11 sheridan pluto[1775]: initiate on demand from 66.11.74.93:0 to 69.159.228.59:0 proto=0 state: fos_start because: acquire Dec 1 12:07:11 sheridan pluto[1775]: initiate on demand from 66.11.74.93:0 to 172.21.13.49:0 proto=0 state: fos_start because: acquire + _________________________ date + date Fri Dec 1 12:08:26 EST 2006
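Triage of the ipsec__plutorun and pluto log lines above, as an added example that is not part of the barf output and not Openswan's own code. It parses syslog lines of the two shapes seen in the dump (`pluto[PID]: message` and `ipsec__plutorun: NNN message`) and reduces them to what a practitioner reads first in a barf: the ipsec.secrets error and the index string pluto printed for it, the hw_random/urandom warnings, which files were loaded from /etc/ipsec.d, which conns were loaded, which were initiated, and which plutorun gave up on. SAMPLE_LOG is a subset of lines copied verbatim from the dump; the regexes and the rules in findings() are this example's own assumptions about the message formats, derived only from the lines on this page.

```python
"""Triage an Openswan 2.4 `ipsec barf` pluto log (added example, not Openswan code)."""
import re

# Syslog line shapes seen in the dump: "Dec 1 12:06:58 sheridan pluto[1775]: ..." and
# "Dec 1 12:06:58 sheridan ipsec__plutorun: 003 ...". The regexes below are assumptions
# about these formats, taken from the lines on the page, not from Openswan's source.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>pluto\[\d+\]|ipsec__plutorun): (?P<msg>.*)$"
)
CODE_RE = re.compile(r"^\d{3} ")  # plutorun prefixes pluto's status lines with "003 ", "104 "
ERROR_RE = re.compile(r'^ERROR "(?P<file>[^"]+)" line (?P<line>\d+): (?P<detail>.*)$')
INDEX_RE = re.compile(r'^index "(?P<index>.*)" (?P<reason>.*)$')
LOADED_RE = re.compile(r"^loaded (?P<kind>.+?) file '(?P<path>[^']+)' \((?P<size>\d+) bytes\)$")
ADDED_RE = re.compile(r'^added connection description "(?P<conn>[^"]+)"$')
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<what>STATE_\w+: \w+|initiating \w+ Mode)$')
NOSTART_RE = re.compile(r'^\.\.\.could not start conn "(?P<conn>[^"]+)"$')

# Constructed sample input: a subset of the lines in the dump above, copied verbatim.
SAMPLE_LOG = """\
Dec 1 12:06:56 sheridan pluto[1775]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Dec 1 12:06:56 sheridan pluto[1775]: WARNING: Using /dev/urandom as the source of random
Dec 1 12:06:56 sheridan pluto[1775]: loaded CA cert file 'goco-ca.crt' (1306 bytes)
Dec 1 12:06:56 sheridan pluto[1775]: loaded crl file 'goco.crl' (690 bytes)
Dec 1 12:06:56 sheridan pluto[1775]: added connection description "paris-office-server-to-london-office-server"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "stmarys-office-net-to-london-office-server"
Dec 1 12:06:57 sheridan pluto[1775]: added connection description "remote-client-to-london-office-server"
Dec 1 12:06:57 sheridan pluto[1775]: loaded host cert file '/etc/ipsec.d/certs/sheridan.crt' (3690 bytes)
Dec 1 12:06:58 sheridan pluto[1775]: loading secrets from "/etc/ipsec.secrets"
Dec 1 12:06:58 sheridan pluto[1775]: ERROR "/etc/ipsec.secrets" line 32: index ""/C=CA/ST=Ontario/O=Gra Ham Energy Limited/CN=sheridan.goco.net/emailAddress=hostmaster@goco.net"" unknown OID in ID_DER_ASN1_DN
Dec 1 12:06:58 sheridan pluto[1775]: loaded private key file '/etc/ipsec.d/private/sheridan-private.key' (887 bytes)
Dec 1 12:06:58 sheridan pluto[1775]: "stmarys-office-net-to-london-office-server" #1: initiating Main Mode
Dec 1 12:06:58 sheridan pluto[1775]: "paris-office-server-to-london-office-server" #2: initiating Main Mode
Dec 1 12:06:58 sheridan ipsec__plutorun: 003 ERROR "/etc/ipsec.secrets" line 32: index ""/C=CA/ST=Ontario/O=Gra Ham Energy Limited/CN=sheridan.goco.net/emailAddress=hostmaster@goco.net"" unknown OID in ID_DER_ASN1_DN
Dec 1 12:06:58 sheridan ipsec__plutorun: 104 "paris-office-server-to-london-office-server" #2: STATE_MAIN_I1: initiate
Dec 1 12:06:58 sheridan ipsec__plutorun: ...could not start conn "paris-office-server-to-london-office-server"
"""


def parse_line(line):
    """Split one syslog line into its fields, or return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["prog"] == "ipsec__plutorun":  # drop plutorun's status code so both copies compare equal
        rec["msg"] = CODE_RE.sub("", rec["msg"], count=1)
    return rec


def secrets_index(detail):
    """The index string exactly as pluto printed it between index "..."; None if not that form."""
    m = INDEX_RE.match(detail)
    return m["index"] if m else None


def triage(log_text):
    """Reduce a pluto log to errors, warnings, loaded files, conns and their last state."""
    s = {"errors": [], "warnings": [], "loaded": [], "added": [], "state": {}, "could_not_start": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := ERROR_RE.match(msg)):
            err = (m["file"], int(m["line"]), m["detail"])
            if err not in s["errors"]:  # the same error is logged by pluto and echoed by plutorun
                s["errors"].append(err)
        elif msg.startswith("WARNING: "):
            s["warnings"].append(msg[len("WARNING: "):])
        elif (m := LOADED_RE.match(msg)):
            s["loaded"].append((m["kind"], m["path"], int(m["size"])))
        elif (m := ADDED_RE.match(msg)):
            s["added"].append(m["conn"])
        elif (m := STATE_RE.match(msg)):
            s["state"][m["conn"]] = (int(m["sa"]), m["what"])  # last logged state wins
        elif (m := NOSTART_RE.match(msg)):
            s["could_not_start"].append(m["conn"])
    return s


def findings(s):
    """The short action list a practitioner wants from a triage() summary."""
    out = []
    for path, lineno, detail in s["errors"]:
        out.append(f"{path} line {lineno}: {detail}")
        idx = secrets_index(detail)
        if idx is not None and idx.startswith('"'):
            out.append(f"{path} line {lineno}: the index pluto parsed starts with a literal "
                       f"double quote; check the quoting of that line")
    if any(w.startswith("Using /dev/urandom") for w in s["warnings"]):
        out.append("no hardware RNG: pluto is drawing randomness from /dev/urandom")
    have = {kind for kind, _, _ in s["loaded"]}
    for kind in ("CA cert", "crl", "host cert", "private key"):
        if kind not in have:
            out.append(f"no {kind} file was loaded")
    for conn in s["could_not_start"]:
        _, last = s["state"].get(conn, (None, "never initiated"))
        out.append(f'conn "{conn}" could not be started by ipsec__plutorun (last state: {last})')
    idle = sorted(set(s["added"]) - set(s["state"]))
    if idle:
        out.append("loaded but not initiated in this log window: " + ", ".join(idle))
    return out


if __name__ == "__main__":
    for item in findings(triage(SAMPLE_LOG)):
        print("-", item)
```

To run it over a real barf, replace SAMPLE_LOG with the text of the `plog` section (or pipe `egrep -i pluto /var/log/secure` into it). The "loaded but not initiated" line is informational only: a conn with auto=add is expected never to appear in an initiating line, so read it against the conn's `auto=` setting rather than as a fault.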