3(NXDOMAIN) Thu Mar 6 20:37:26 EST 2008 + _________________________ version + ipsec --version Linux Openswan U2.4.7/K2.6.22.5-31-default (netkey) See `ipsec --copyright' for copyright information. + _________________________ /proc/version + cat /proc/version Linux version 2.6.22.5-31-default (geeko@buildhost) (gcc version 4.2.1 (SUSE Linux)) #1 SMP 2007/09/21 22:29:00 UTC + _________________________ /proc/net/ipsec_eroute + test -r /proc/net/ipsec_eroute + _________________________ netstat-rn + netstat -nr + head -n 100 Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo + _________________________ /proc/net/ipsec_spi + test -r /proc/net/ipsec_spi + _________________________ /proc/net/ipsec_spigrp + test -r /proc/net/ipsec_spigrp + _________________________ /proc/net/ipsec_tncfg + test -r /proc/net/ipsec_tncfg + _________________________ /proc/net/pfkey + test -r /proc/net/pfkey + cat /proc/net/pfkey sk RefCnt Rmem Wmem User Inode + _________________________ ip-xfrm-state + ip xfrm state + _________________________ ip-xfrm-policy + ip xfrm policy src ::/0 dst ::/0 dir in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 ptype main src ::/0 dst ::/0 dir out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 ptype main + _________________________ /proc/sys/net/ipsec-star + test -d /proc/sys/net/ipsec + _________________________ ipsec/status + ipsec auto --status 000 interface lo/lo ::1 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 10.0.0.1 000 interface eth0/eth0 10.0.0.1 000 %myid = (none) 000 debug none 000 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0 000 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 000 000 000 + _________________________ ifconfig-a + ifconfig -a eth0 Link encap:Ethernet HWaddr 00:0C:29:B9:E7:4C inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0 inet6 addr: fe80::20c:29ff:feb9:e74c/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:5389 errors:0 dropped:0 overruns:0 frame:0 TX packets:2551 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:3118248 (2.9 Mb) TX bytes:368845 (360.2 Kb) Interrupt:17 Base address:0x1400 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:3366 errors:0 dropped:0 overruns:0 frame:0 TX packets:3366 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:202024 (197.2 Kb) TX bytes:202024 (197.2 Kb) + _________________________ ip-addr-list + ip addr list 1: lo: mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0c:29:b9:e7:4c brd ff:ff:ff:ff:ff:ff inet 10.0.0.1/8 brd 10.255.255.255 scope global eth0 inet6 fe80::20c:29ff:feb9:e74c/64 scope link valid_lft forever preferred_lft forever + _________________________ ip-route-list + ip route list 10.0.0.0/8 dev eth0 proto kernel scope link src 10.0.0.1 127.0.0.0/8 dev lo scope link + _________________________ ip-rule-list + ip rule list 0: from all lookup local 32766: from all lookup main 32767: from all lookup default + _________________________ ipsec_verify + ipsec verify --nocolour Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.4.7/K2.6.22.5-31-default (netkey) Checking for IPsec support in kernel [OK] NETKEY detected, testing for disabled ICMP send_redirects [FAILED] Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects! NETKEY detected, testing for disabled ICMP accept_redirects [FAILED] Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects! Checking for RSA private key (/etc/ipsec.secrets) [DISABLED] hostname: Unknown host ipsec showhostkey: no default key in "/etc/ipsec.secrets" Checking that pluto is running [OK] Checking for 'ip' command [OK] Checking for 'iptables' command [OK] Checking for 'curl' command for CRL fetching [OK] Opportunistic Encryption Support [DISABLED] + _________________________ mii-tool + '[' -x /sbin/mii-tool ']' + '[' -x /usr/sbin/mii-tool ']' + mii-tool -v /usr/lib/ipsec/barf: line 212: mii-tool: command not found + _________________________ ipsec/directory + ipsec --directory /usr/lib/ipsec + _________________________ hostname/fqdn + hostname --fqdn hostname: Unknown host + _________________________ hostname/ipaddress + hostname --ip-address hostname: Unknown host + _________________________ uptime + uptime 8:37pm up 1:14, 2 users, load average: 0.85, 0.31, 0.10 + _________________________ ps + ps alxwf + egrep -i 'ppid|pluto|ipsec|klips' F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND 0 0 7865 3224 25 0 3852 1400 - R+ pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/barf 1 0 7209 1 25 0 2848 456 wait S pts/0 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 --crlcheckinterval 0 --ocspuri --nhelpers 0 --dump --opts --stderrlog --wait yes --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid 1 0 7210 7209 25 0 2848 636 wait S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 --crlcheckinterval 0 --ocspuri --nhelpers 0 --dump --opts --stderrlog --wait yes --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid 4 0 7211 7210 15 0 2536 1148 348317 S pts/0 0:00 | \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 --nhelpers 0 0 0 7284 7211 22 0 1524 288 345297 S pts/0 0:00 | \_ _pluto_adns 0 0 7233 7209 23 0 2852 1268 pipe_w S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait yes --post 0 0 7235 1 18 0 1584 532 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun + _________________________ ipsec/showdefaults + ipsec showdefaults # no default route + _________________________ ipsec/conf + ipsec _include /etc/ipsec.conf + ipsec _keycensor #< /etc/ipsec.conf 1 # /etc/ipsec.conf - Openswan IPsec configuration file # RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $ # This file: /usr/share/doc/packages/openswan/ipsec.conf-sample # # Manual: ipsec.conf.5 version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup # plutodebug / klipsdebug = "all", "none" or a combation from below: # "raw crypt parsing emitting control klips pfkey natt x509 private" # eg: plutodebug="control parsing" # # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !! # # NAT-TRAVERSAL support, see README.NAT-Traversal nat_traversal=yes interfaces="ipsec0=eth0" #interfaces=%defaultroute virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 # # Certificate Revocation List handling: #crlcheckinterval=600 #strictcrlpolicy=yes # # Change rp_filter setting? (default is 0, disabled) # See also setting in the /etc/sysctl.conf file! #rp_filter=%unchanged # # Workaround to setup all tunnels immediately, since the new default # of "plutowait=no" causes "Resource temporarily unavailable" errors # for the first connect attempt over each tunnel, that is delayed to # be established later / on demand. # With "plutowait=yes" plutio waits for each negotiation attempt # that is part of startup to finish, before proceeding with the next. plutowait=yes # # enable this if you see "failed to find any available worker" nhelpers=0 # default settings for connections conn %default # keyingtries default to %forever keyingtries=1 compress=yes disablearrivalcheck=no authby=rsasig # Sig keys (default: %dnsondemand) leftrsasigkey=%cert rightrsasigkey=%cert # Lifetimes, defaults are 1h/8hrs #ikelifetime=20m #keylife=1h #rekeymargin=8m conn roadwarrior-all leftsubnet=0.0.0.0/0 lso=roadwarrior conn roadwarrior-l2tp pfs=no leftprotoport=17/0 rightprotoport=17/1701 also=roadwarrior conn roadwarrior-l2tp-updatedwin pfs=no leftprotoport=17/1701 rightprotoport=17/1701 also=roadwarrior conn roadwarrior-net leftsubnet=10.0.0.0/255.0.0.0 also=roadwarrior conn roadwarrior left=%defaultroute leftcert=newcert.pem right=%any rightsubnet=vhost:%no,%priv auto=add pfs=yes conn block auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear-or-private auto=ignore conn clear auto=ignore conn packetdefault auto=ignore #Disable Opportunistic Encryption #< /etc/ipsec.d/examples/no_oe.conf 1 # 'include' this file to disable Opportunistic Encryption. # See /usr/share/doc/packages/openswan/policygroups.html for details. # # RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $ conn block auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear-or-private auto=ignore conn clear auto=ignore conn packetdefault auto=ignore #> /etc/ipsec.conf 108 # For sample VPN connections, see /etc/ipsec.d/examples/ # Add connections here + _________________________ ipsec/secrets + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 # This file holds shared secrets or RSA private keys for inter-Pluto # authentication. See ipsec_pluto(8) manpage, and HTML documentation. # # RSA private key for this host, authenticating it to any other host # which knows the public part. Suitable public keys, for ipsec.conf, DNS, # or configuration of other implementations, can be extracted conveniently # with "[sums to ef67...]". : RSA newkey.pem "[sums to 1eba...]" { # RSA 2048 bits 3(NXDOMAIN) Wed Mar 5 14:53:00 2008 # for signatures only, UNSAFE FOR ENCRYPTION #pubkey=[keyid AQOpujwxF] Modulus: [...] PublicExponent: [...] # everything after this point is secret PrivateExponent: [...] Prime1: [...] Prime2: [...] Exponent1: [...] Exponent2: [...] Coefficient: [...] } # do not change the indenting of that "[sums to 7d9d...]" + _________________________ ipsec/listall + ipsec auto --listall 000 000 List of Public Keys: 000 000 000 List of X.509 CA Certificates: 000 000 Mar 06 20:24:43 2008, count: 1 000 subject: 'C=CA, ST=Ontario, O=BigGuyCorp, OU=BrownG, CN=BGLIN, E=bmmacedo@learn.senecac.on.ca' 000 issuer: 'C=CA, ST=Ontario, O=BigGuyCorp, OU=BrownG, CN=BGLIN, E=bmmacedo@learn.senecac.on.ca' 000 serial: 00 000 pubkey: 1024 RSA Key AwEAAbYDZ 000 validity: not before Mar 04 13:11:14 2008 ok 000 not after Mar 04 13:11:14 2011 ok 000 subjkey: c1:2f:fb:30:bd:ca:a7:e6:90:84:6c:1b:19:0b:47:b3:e8:25:8b:69 000 authkey: c1:2f:fb:30:bd:ca:a7:e6:90:84:6c:1b:19:0b:47:b3:e8:25:8b:69 + '[' /etc/ipsec.d/policies ']' + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/block + base=block + _________________________ ipsec/policies/block + cat /etc/ipsec.d/policies/block # This file defines the set of CIDRs (network/mask-length) to which # communication should never be allowed. # # See /usr/share/doc/packages/openswan/policygroups.html for details. # # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/clear + base=clear + _________________________ ipsec/policies/clear + cat /etc/ipsec.d/policies/clear # This file defines the set of CIDRs (network/mask-length) to which # communication should always be in the clear. # # See /usr/share/doc/packages/openswan/policygroups.html for details. # # $Id: clear.in,v 1.4.30.2 2006/10/19 17:43:56 paul Exp $ # # # Michael's idea: Always have ROOT NAMESERVERS in the clear. # It will make OE work much better on machines running caching # resolvers. # # Based on: http://www.internic.net/zones/named.root # This file holds the information on root name servers needed to # last update: Jan 29, 2004 # related version of root zone: 2004012900 198.41.0.4/32 192.228.79.201/32 192.33.4.12/32 128.8.10.90/32 192.203.230.10/32 192.5.5.241/32 192.112.36.4/32 128.63.2.53/32 192.36.148.17/32 192.58.128.30/32 193.0.14.129 /32 198.32.64.12/32 202.12.27.33/32 + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/clear-or-private + base=clear-or-private + _________________________ ipsec/policies/clear-or-private + cat /etc/ipsec.d/policies/clear-or-private # This file defines the set of CIDRs (network/mask-length) to which # we will communicate in the clear, or, if the other side initiates IPSEC, # using encryption. This behaviour is also called "Opportunistic Responder". # # See /usr/share/doc/packages/openswan/policygroups.html for details. # # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/private + base=private + _________________________ ipsec/policies/private + cat /etc/ipsec.d/policies/private # This file defines the set of CIDRs (network/mask-length) to which # communication should always be private (i.e. encrypted). # See /usr/share/doc/packages/openswan/policygroups.html for details. # # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/private-or-clear + base=private-or-clear + _________________________ ipsec/policies/private-or-clear + cat /etc/ipsec.d/policies/private-or-clear # This file defines the set of CIDRs (network/mask-length) to which # communication should be private, if possible, but in the clear otherwise. # # If the target has a TXT (later IPSECKEY) record that specifies # authentication material, we will require private (i.e. encrypted) # communications. If no such record is found, communications will be # in the clear. # # See /usr/share/doc/packages/openswan/policygroups.html for details. # # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $ # 0.0.0.0/0 + _________________________ ipsec/ls-libdir + ls -l /usr/lib/ipsec total 1328 -rwxr-xr-x 1 root root 15848 Sep 23 09:33 _confread -rwxr-xr-x 1 root root 6048 Sep 23 09:33 _copyright -rwxr-xr-x 1 root root 2379 Sep 23 09:33 _include -rwxr-xr-x 1 root root 1475 Sep 23 09:33 _keycensor -rwxr-xr-x 1 root root 10080 Sep 23 09:33 _pluto_adns -rwxr-xr-x 1 root root 3586 Sep 23 09:33 _plutoload -rwxr-xr-x 1 root root 8053 Sep 23 09:33 _plutorun -rwxr-xr-x 1 root root 12519 Sep 23 09:33 _realsetup -rwxr-xr-x 1 root root 1975 Sep 23 09:33 _secretcensor -rwxr-xr-x 1 root root 10709 Sep 23 09:33 _startklips -rwxr-xr-x 1 root root 15356 Sep 23 09:33 _updown -rwxr-xr-x 1 root root 15746 Sep 23 09:33 _updown_x509 -rwxr-xr-x 1 root root 19144 Sep 23 09:33 auto -rwxr-xr-x 1 root root 11331 Sep 23 09:33 barf -rwxr-xr-x 1 root root 816 Sep 23 09:33 calcgoo -rwxr-xr-x 1 root root 81480 Sep 23 09:33 eroute -rwxr-xr-x 1 root root 18444 Sep 23 09:33 ikeping -rwxr-xr-x 1 root root 960 Sep 23 09:33 ipsec_1_to_2.pl -rwxr-xr-x 1 root root 61100 Sep 23 09:33 klipsdebug -rwxr-xr-x 1 root root 1836 Sep 23 09:33 livetest -rwxr-xr-x 1 root root 2605 Sep 23 09:33 look -rwxr-xr-x 1 root root 7088 Sep 23 09:33 mailkey -rwxr-xr-x 1 root root 16015 Sep 23 09:33 manual -rwxr-xr-x 1 root root 1951 Sep 23 09:33 newhostkey -rwxr-xr-x 1 root root 56336 Sep 23 09:33 pf_key -rwxr-xr-x 1 root root 592276 Sep 23 09:33 pluto -rwxr-xr-x 1 root root 10184 Sep 23 09:33 ranbits -rwxr-xr-x 1 root root 18796 Sep 23 09:33 rsasigkey -rwxr-xr-x 1 root root 766 Sep 23 09:33 secrets lrwxrwxrwx 1 root root 17 Mar 5 14:52 setup -> /etc/init.d/ipsec -rwxr-xr-x 1 root root 1054 Sep 23 09:33 showdefaults -rwxr-xr-x 1 root root 4748 Sep 23 09:33 showhostkey -rwxr-xr-x 1 root root 119080 Sep 23 09:33 spi -rwxr-xr-x 1 root root 68972 Sep 23 09:33 spigrp -rwxr-xr-x 1 root root 14132 Sep 23 09:33 tncfg -rwxr-xr-x 1 root root 12777 Sep 23 09:33 verify -rwxr-xr-x 1 root root 43732 Sep 23 09:33 whack + _________________________ ipsec/ls-execdir + ls -l /usr/lib/ipsec total 1328 -rwxr-xr-x 1 root root 15848 Sep 23 09:33 _confread -rwxr-xr-x 1 root root 6048 Sep 23 09:33 _copyright -rwxr-xr-x 1 root root 2379 Sep 23 09:33 _include -rwxr-xr-x 1 root root 1475 Sep 23 09:33 _keycensor -rwxr-xr-x 1 root root 10080 Sep 23 09:33 _pluto_adns -rwxr-xr-x 1 root root 3586 Sep 23 09:33 _plutoload -rwxr-xr-x 1 root root 8053 Sep 23 09:33 _plutorun -rwxr-xr-x 1 root root 12519 Sep 23 09:33 _realsetup -rwxr-xr-x 1 root root 1975 Sep 23 09:33 _secretcensor -rwxr-xr-x 1 root root 10709 Sep 23 09:33 _startklips -rwxr-xr-x 1 root root 15356 Sep 23 09:33 _updown -rwxr-xr-x 1 root root 15746 Sep 23 09:33 _updown_x509 -rwxr-xr-x 1 root root 19144 Sep 23 09:33 auto -rwxr-xr-x 1 root root 11331 Sep 23 09:33 barf -rwxr-xr-x 1 root root 816 Sep 23 09:33 calcgoo -rwxr-xr-x 1 root root 81480 Sep 23 09:33 eroute -rwxr-xr-x 1 root root 18444 Sep 23 09:33 ikeping -rwxr-xr-x 1 root root 960 Sep 23 09:33 ipsec_1_to_2.pl -rwxr-xr-x 1 root root 61100 Sep 23 09:33 klipsdebug -rwxr-xr-x 1 root root 1836 Sep 23 09:33 livetest -rwxr-xr-x 1 root root 2605 Sep 23 09:33 look -rwxr-xr-x 1 root root 7088 Sep 23 09:33 mailkey -rwxr-xr-x 1 root root 16015 Sep 23 09:33 manual -rwxr-xr-x 1 root root 1951 Sep 23 09:33 newhostkey -rwxr-xr-x 1 root root 56336 Sep 23 09:33 pf_key -rwxr-xr-x 1 root root 592276 Sep 23 09:33 pluto -rwxr-xr-x 1 root root 10184 Sep 23 09:33 ranbits -rwxr-xr-x 1 root root 18796 Sep 23 09:33 rsasigkey -rwxr-xr-x 1 root root 766 Sep 23 09:33 secrets lrwxrwxrwx 1 root root 17 Mar 5 14:52 setup -> /etc/init.d/ipsec -rwxr-xr-x 1 root root 1054 Sep 23 09:33 showdefaults -rwxr-xr-x 1 root root 4748 Sep 23 09:33 showhostkey -rwxr-xr-x 1 root root 119080 Sep 23 09:33 spi -rwxr-xr-x 1 root root 68972 Sep 23 09:33 spigrp -rwxr-xr-x 1 root root 14132 Sep 23 09:33 tncfg -rwxr-xr-x 1 root root 12777 Sep 23 09:33 verify -rwxr-xr-x 1 root root 43732 Sep 23 09:33 whack + _________________________ ipsec/updowns ++ egrep updown ++ ls /usr/lib/ipsec + for f in '`ls ${IPSEC_EXECDIR-/usr/lib/ipsec} | egrep updown`' + cat /usr/lib/ipsec/_updown #! /bin/sh # iproute2 version, default updown script # # Copyright (C) 2003-2004 Nigel Metheringham # Copyright (C) 2002-2004 Michael Richardson # Copyright (C) 2003-2005 Tuomo Soini # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at your # option) any later version. See . # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # # RCSID $Id: _updown.in,v 1.21.2.11 2006/02/20 22:57:28 paul Exp $ # CAUTION: Installing a new version of Openswan will install a new # copy of this script, wiping out any custom changes you make. If # you need changes, make a copy of this under another name, and customize # that, and use the (left/right)updown parameters in ipsec.conf to make # Openswan use yours instead of this default one. LC_ALL=C export LC_ALL # things that this script gets (from ipsec_pluto(8) man page) # # # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This # is upwardly compatible with version 1.0. # # PLUTO_VERB # specifies the name of the operation to be performed # (prepare-host, prepare-client, up-host, up-client, # down-host, or down-client). If the address family # for security gateway to security gateway # communications is IPv6, then a suffix of -v6 is added # to the verb. # # PLUTO_CONNECTION # is the name of the connection for which we are # routing. # # PLUTO_CONN_POLICY # the policy of the connection, as in: # RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD # # PLUTO_NEXT_HOP # is the next hop to which packets bound for the peer # must be sent. # # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_ME # is the IP address of our host. # # PLUTO_MY_CLIENT # is the IP address / count of our client subnet. If # the client is just the host, this will be the # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # # PLUTO_MY_CLIENT_NET # is the IP address of our client net. If the client # is just the host, this will be the host's own IP # address. # # PLUTO_MY_CLIENT_MASK # is the mask for our client net. If the client is # just the host, this will be 255.255.255.255. # # PLUTO_MY_SOURCEIP # if non-empty, then the source address for the route will be # set to this IP address. # # PLUTO_MY_PROTOCOL # is the protocol for this connection. Useful for # firewalling. # # PLUTO_MY_PORT # is the port. Useful for firewalling. # # PLUTO_PEER # is the IP address of our peer. # # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub­ # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # # PLUTO_PEER_CLIENT_NET # is the IP address of the peer's client net. If the # client is just the peer, this will be the peer's # own IP address. # # PLUTO_PEER_CLIENT_MASK # is the mask for the peer's client net. If the # client is just the peer, this will be # 255.255.255.255. # # PLUTO_PEER_PROTOCOL # is the protocol set for remote end with port # selector. # # PLUTO_PEER_PORT # is the peer's port. Useful for firewalling. # # PLUTO_CONNECTION_TYPE # # Import default _updown configs from the /etc/sysconfig/pluto_updown file # # Two variables can be set in this file: # # DEFAULTSOURCE # is the default value for PLUTO_MY_SOURCEIP # # IPROUTETABLE # is the default value for IPROUTETABLE # # IPROUTEARGS # is the extra argument list for ip route command # # IPRULEARGS # is the extra argument list for ip rule command # if [ -f /etc/sysconfig/pluto_updown ] then . /etc/sysconfig/pluto_updown fi # check interface version case "$PLUTO_VERSION" in 1.[0]) # Older Pluto?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 echo "$0: called by obsolete Pluto?" >&2 exit 2 ;; 1.*) ;; *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 exit 2 ;; esac # check parameter(s) case "$1:$*" in ':') # no parameters ;; ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only ;; custom:*) # custom parameters (see above CAUTION comment) ;; *) echo "$0: unknown parameters \`$*'" >&2 exit 2 ;; esac # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { doroute add ip route flush cache } downroute() { doroute delete ip route flush cache } uprule() { # policy based advanced routing if [ -n "$IPROUTETABLE" ] then dorule delete dorule add fi # virtual sourceip support if [ -n "$PLUTO_MY_SOURCEIP" ] then addsource rc=$? if [ $rc -ne 0 ]; then changesource fi fi ip route flush cache } downrule() { if [ -n "$IPROUTETABLE" ] then dorule delete ip route flush cache fi } addsource() { st=0 # check if given sourceip is local and add as alias if not #if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local #then # it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}" # # Fix for Bug #66215 to solve SNAT/MASQUERADE problems with recent # 2.6.x kernels. # Instead of a /32 it seems better to use the netmask of the remote # (peer) network for the sourceip as suggested by Patrick McHardy. # cidr=${PLUTO_PEER_CLIENT##*/} snet=${PLUTO_MY_SOURCEIP%/*}/32 if test "${PLUTO_PEER_CLIENT}" != "${cidr}" then snet=${PLUTO_MY_SOURCEIP%/*}/${cidr} fi # check if given "sourceip/mask" already added to interface if ! ip addr show dev ${PLUTO_INTERFACE%:*} | grep -qs "inet ${snet}" then it="ip addr add ${snet} dev ${PLUTO_INTERFACE%:*}" oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi case "$oops" in 'RTNETLINK answers: File exists'*) # should not happen, but ... ignore if the # address was already assigned on interface oops="" st=0 ;; esac if test " $oops" != " " -o " $st" != " 0" then echo "$0: addsource \`$it' failed ($oops)" >&2 fi fi return $st } changesource() { # Change used route source to destination if there is previous # Route to same PLUTO_PEER_CLIENT. This is basically to fix # configuration errors where all conns to same destination don't # have (left/right)sourceip set. st=0 parms="$PLUTO_PEER_CLIENT dev ${PLUTO_INTERFACE%:*}" parms="$parms src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS" if [ -n "$IPROUTETABLE" ] then parms="$parms table $IPROUTETABLE" fi it="ip route change $parms" case "$PLUTO_PEER_CLIENT" in "0.0.0.0/0") # opportunistic encryption work around it= ;; esac oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi case "$oops" in 'RTNETLINK answers: No such file or directory'*) # Will happen every time first tunnel is activated because # there is no previous route to PLUTO_PEER_CLIENT. So we # need to ignore this error. oops="" st=0 ;; esac if test " $oops" != " " -o " $st" != " 0" then echo "$0: changesource \`$it' failed ($oops)" >&2 fi return $st } dorule() { st=0 it2= iprule="from $PLUTO_MY_CLIENT" iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS" case "$PLUTO_PEER_CLIENT" in "0.0.0.0/0") # opportunistic encryption work around st=0 ;; *) if [ -z "$PLUTO_MY_SOURCEIP" ] then if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ] then it="ip rule $1 iif lo $iprule2" else it="ip rule $1 $iprule $iprule2" fi else if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ] then it="ip rule $1 iif lo $iprule2" else it="ip rule $1 $iprule $iprule2" it2="ip rule $1 iif lo $iprule2" fi fi oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi case "$oops" in 'RTNETLINK answers: No such process'*) # This is what ip rule gives # for "could not find such a rule" oops= st=0 ;; esac if test " $oops" != " " -o " $st" != " 0" then echo "$0: dorule \`$it' failed ($oops)" >&2 fi if test "$st" = "0" -a -n "$it2" then oops="`eval $it2 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi case "$oops" in 'RTNETLINK answers: No such process'*) # This is what ip rule gives # for "could not find such a rule" oops= st=0 ;; esac if test " $oops" != " " -o " $st" != " 0" then echo "$0: dorule \`$it2' failed ($oops)" >&2 fi fi ;; esac return $st } doroute() { st=0 parms="$PLUTO_PEER_CLIENT" parms2= if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ] then PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}" fi # skip creating any routing in case it is a host to host # tunnel and the peer network(=host) is equal to peer ip, # except there is some different source ip to use. if test "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ; then test "$PLUTO_ME" != "$PLUTO_MY_SOURCEIP" && \ test -n "$PLUTO_MY_SOURCEIP" || return 0 fi if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ] then # nexthop is not needed on ppp interfaces. unset it to make cases # work, where left is set but no leftnexthop (e.g. left=%dynamic) ip link show "$PLUTO_INTERFACE" | grep -qs POINTOPOINT && \ unset PLUTO_NEXT_HOP # skip routing via nexthop if it is not reachable through any # directly connected network (but via default route only): ip route list match "$PLUTO_NEXT_HOP" dev "$PLUTO_INTERFACE" | \ grep -qs -v default || unset PLUTO_NEXT_HOP if [ -n "$PLUTO_NEXT_HOP" ] then parms2="via $PLUTO_NEXT_HOP" fi fi parms2="$parms2 dev ${PLUTO_INTERFACE%:*}" parms3="$IPROUTEARGS" if [ -n "$IPROUTETABLE" ] then parms3="$parms3 table $IPROUTETABLE" fi if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" then addsource parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}" fi case "$PLUTO_PEER_CLIENT" in "0.0.0.0/0") # opportunistic encryption work around # need to provide route that eclipses default, without # replacing it. it="ip route $1 0.0.0.0/1 $parms2 $parms3 && ip route $1 128.0.0.0/1 $parms2 $parms3" ;; *) it="ip route $1 $parms $parms2 $parms3" ;; esac oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi if test " $oops" != " " -o " $st" != " 0" then echo "$0: doroute \`$it' failed ($oops)" >&2 fi return $st } # the big choice case "$PLUTO_VERB:$1" in prepare-host:*|prepare-client:*) # delete possibly-existing route (preliminary to adding a route) case "$PLUTO_PEER_CLIENT" in "0.0.0.0/0") # need to provide route that eclipses default, without # replacing it. parms1="0.0.0.0/1" parms2="128.0.0.0/1" it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1" oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`" ;; *) parms="$PLUTO_PEER_CLIENT $IPROUTEARGS" if [ -n "$IPROUTETABLE" ] then parms="$parms table $IPROUTETABLE" fi it="ip route delete $parms 2>&1" oops="`ip route delete $parms 2>&1`" ;; esac status="$?" if test " $oops" = " " -a " $status" != " 0" then oops="silent error, exit status $status" fi case "$oops" in *'RTNETLINK answers: No such process'*) # This is what route (currently -- not documented!) gives # for "could not find such a route". oops= status=0 ;; esac if test " $oops" != " " -o " $status" != " 0" then echo "$0: \`$it' failed ($oops)" >&2 fi exit $status ;; route-host:*|route-client:*) # connection to me or my client subnet being routed uproute ;; unroute-host:*|unroute-client:*) # connection to me or my client subnet being unrouted downroute ;; up-host:*) # connection to me coming up uprule # If you are doing a custom version, firewall commands go here. ;; down-host:*) # connection to me going down downrule # If you are doing a custom version, firewall commands go here. ;; up-client:) # connection to my client subnet coming up uprule # If you are doing a custom version, firewall commands go here. ;; down-client:) # connection to my client subnet going down downrule # If you are doing a custom version, firewall commands go here. ;; up-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, coming up uprule # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; down-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, going down downrule # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; # # IPv6 # prepare-host-v6:*|prepare-client-v6:*) ;; route-host-v6:*|route-client-v6:*) # connection to me or my client subnet being routed #uproute_v6 ;; unroute-host-v6:*|unroute-client-v6:*) # connection to me or my client subnet being unrouted #downroute_v6 ;; up-host-v6:*) # connection to me coming up # If you are doing a custom version, firewall commands go here. ;; down-host-v6:*) # connection to me going down # If you are doing a custom version, firewall commands go here. ;; up-client-v6:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. ;; down-client-v6:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 ;; esac + for f in '`ls ${IPSEC_EXECDIR-/usr/lib/ipsec} | egrep updown`' + cat /usr/lib/ipsec/_updown_x509 #! /bin/sh # # customized updown script # # logging of VPN connections # # tag put in front of each log entry: TAG=vpn # # syslog facility and priority used: FAC_PRIO=local0.notice # # to create a special vpn logging file, put the following line into # the syslog configuration file /etc/syslog.conf: # # local0.notice -/var/log/vpn # # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then S_MY_PORT="--sport $PLUTO_MY_PORT" D_MY_PORT="--dport $PLUTO_MY_PORT" fi if [ "$PLUTO_PEER_PORT" != 0 ] then S_PEER_PORT="--sport $PLUTO_PEER_PORT" D_PEER_PORT="--dport $PLUTO_PEER_PORT" fi # CAUTION: Installing a new version of Openswan will install a new # copy of this script, wiping out any custom changes you make. If # you need changes, make a copy of this under another name, and customize # that, and use the (left/right)updown parameters in ipsec.conf to make # Openswan use yours instead of this default one. LC_ALL=C export LC_ALL # things that this script gets (from ipsec_pluto(8) man page) # # # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This # is upwardly compatible with version 1.0. # # PLUTO_VERB # specifies the name of the operation to be performed # (prepare-host, prepare-client, up-host, up-client, # down-host, or down-client). If the address family # for security gateway to security gateway communica­ # tions is IPv6, then a suffix of -v6 is added to the # verb. # # PLUTO_CONNECTION # is the name of the connection for which we are # routing. # # PLUTO_CONN_POLICY # the policy of the connection, as in: # RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD # # PLUTO_NEXT_HOP # is the next hop to which packets bound for the peer # must be sent. # # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_ME # is the IP address of our host. # # PLUTO_MY_CLIENT # is the IP address / count of our client subnet. If # the client is just the host, this will be the # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # # PLUTO_MY_CLIENT_NET # is the IP address of our client net. If the client # is just the host, this will be the host's own IP # address. # # PLUTO_MY_CLIENT_MASK # is the mask for our client net. If the client is # just the host, this will be 255.255.255.255. # # PLUTO_MY_SOURCEIP # if non-empty, then the source address for the route will be # set to this IP address. # # PLUTO_MY_PROTOCOL # is the protocol for this connection. Useful for # firewalling. # # PLUTO_MY_PORT # is the port. Useful for firewalling. # # PLUTO_PEER # is the IP address of our peer. # # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub­ # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # # PLUTO_PEER_CLIENT_NET # is the IP address of the peer's client net. If the # client is just the peer, this will be the peer's # own IP address. # # PLUTO_PEER_CLIENT_MASK # is the mask for the peer's client net. If the # client is just the peer, this will be # 255.255.255.255. # # PLUTO_PEER_PROTOCOL # is the protocol set for remote end with port # selector. # # PLUTO_PEER_PORT # is the peer's port. Useful for firewalling. # # PLUTO_CONNECTION_TYPE # # Import default _updown configs from the /etc/sysconfig/pluto_updown file # # Two variables can be set in this file: # # DEFAULTSOURCE # is the default value for PLUTO_MY_SOURCEIP # # IPROUTETABLE # is the default value for IPROUTETABLE # # IPROUTEARGS # is the extra argument list for ip route command # # IPRULEARGS # is the extra argument list for ip rule command # if [ -f /etc/sysconfig/pluto_updown ] then . /etc/sysconfig/pluto_updown fi # check interface version case "$PLUTO_VERSION" in 1.[0]) # Older Pluto?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 echo "$0: called by obsolete Pluto?" >&2 exit 2 ;; 1.*) ;; *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 exit 2 ;; esac # check parameter(s) case "$1:$*" in ':') # no parameters ;; ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only ;; custom:*) # custom parameters (see above CAUTION comment) ;; *) echo "$0: unknown parameters \`$*'" >&2 exit 2 ;; esac # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { doroute add ip route flush cache } downroute() { doroute delete ip route flush cache } uprule() { # policy based advanced routing if [ -n "$IPROUTETABLE" ] then dorule delete dorule add fi # virtual sourceip support if [ -n "$PLUTO_MY_SOURCEIP" ] then addsource changesource fi ip route flush cache } downrule() { if [ -n "$IPROUTETABLE" ] then dorule delete ip route flush cache fi } addsource() { st=0 if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local then it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}" oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi if test " $oops" != " " -o " $st" != " 0" then echo "$0: addsource \`$it' failed ($oops)" >&2 fi fi return $st } changesource() { st=0 parms="$PLUTO_PEER_CLIENT" parms2="dev ${PLUTO_INTERFACE%:*}" parms3="src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS" if [ -n "$IPROUTETABLE" ] then parms3="$parms3 table '$IPROUTETABLE'" fi case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # opportunistic encryption work around it= ;; esac oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi if test " $oops" != " " -o " $st" != " 0" then echo "$0: changesource \`$it' failed ($oops)" >&2 fi return $st } dorule() { st=0 it2= iprule="from $PLUTO_MY_CLIENT" iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS" case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # opportunistic encryption work around st=0 ;; *) if [ -z "$PLUTO_MY_SOURCEIP" ] then if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ] then it="ip rule $1 iif lo $iprule2" else it="ip rule $1 $iprule $iprule2" fi else if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ] then it="ip rule $1 iif lo $iprule2" else it="ip rule $1 $iprule $iprule2" it2="ip rule $1 iif lo $iprule2" fi fi oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi case "$oops" in 'RTNETLINK answers: No such process'*) # This is what ip rule gives # for "could not find such a rule" oops= st=0 ;; esac if test " $oops" != " " -o " $st" != " 0" then echo "$0: dorule \`$it' failed ($oops)" >&2 fi if test "$st" = "0" -a -n "$it2" then oops="`eval $it2 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi case "$oops" in 'RTNETLINK answers: No such process'*) # This is what ip rule gives # for "could not find such a rule" oops= st=0 ;; esac if test " $oops" != " " -o " $st" != " 0" then echo "$0: dorule \`$it2' failed ($oops)" >&2 fi fi ;; esac return $st } doroute() { st=0 parms="$PLUTO_PEER_CLIENT" parms2= if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ] then parms2="via $PLUTO_NEXT_HOP" fi parms2="$parms2 dev ${PLUTO_INTERFACE%:*}" parms3="$IPROUTEARGS" if [ -n "$IPROUTETABLE" ] then parms3="$parms3 table $IPROUTETABLE" fi if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ] then PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}" fi if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" then addsource parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}" fi case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # opportunistic encryption work around # need to provide route that eclipses default, without # replacing it. it="ip route $1 0.0.0.0/1 $parms2 $parms3 && ip route $1 128.0.0.0/1 $parms2 $parms3" ;; *) it="ip route $1 $parms $parms2 $parms3" ;; esac oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi if test " $oops" != " " -o " $st" != " 0" then echo "$0: doroute \`$it' failed ($oops)" >&2 fi return $st } # the big choice case "$PLUTO_VERB:$1" in prepare-host:*|prepare-client:*) # delete possibly-existing route (preliminary to adding a route) case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # need to provide route that eclipses default, without # replacing it. parms1="0.0.0.0/1" parms2="128.0.0.0/1" it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1" oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`" ;; *) parms="$PLUTO_PEER_CLIENT $IPROUTEARGS" if [ -n "$IPROUTETABLE" ] then parms="$parms table $IPROUTETABLE" fi it="ip route delete $parms 2>&1" oops="`ip route delete $parms 2>&1`" ;; esac status="$?" if test " $oops" = " " -a " $status" != " 0" then oops="silent error, exit status $status" fi case "$oops" in *'RTNETLINK answers: No such process'*) # This is what route (currently -- not documented!) gives # for "could not find such a route". oops= status=0 ;; esac if test " $oops" != " " -o " $status" != " 0" then echo "$0: \`$it' failed ($oops)" >&2 fi exit $status ;; route-host:*|route-client:*) # connection to me or my client subnet being routed uproute ;; unroute-host:*|unroute-client:*) # connection to me or my client subnet being unrouted downroute ;; up-host:*) # connection to me coming up uprule # If you are doing a custom version, firewall commands go here. iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_ME $S_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT # if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" else logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" fi ;; down-host:*) # connection to me going down downrule # If you are doing a custom version, firewall commands go here. iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_ME $S_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT # if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" else logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" fi ;; up-client:) # connection to my client subnet coming up uprule # If you are doing a custom version, firewall commands go here. iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT # if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" else logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi ;; down-client:) # connection to my client subnet going down downrule # If you are doing a custom version, firewall commands go here. iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT # if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" else logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi ;; up-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, coming up uprule # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; down-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, going down downrule # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; # # IPv6 # prepare-host-v6:*|prepare-client-v6:*) ;; route-host-v6:*|route-client-v6:*) # connection to me or my client subnet being routed #uproute_v6 ;; unroute-host-v6:*|unroute-client-v6:*) # connection to me or my client subnet being unrouted #downroute_v6 ;; up-host-v6:*) # connection to me coming up # If you are doing a custom version, firewall commands go here. ;; down-host-v6:*) # connection to me going down # If you are doing a custom version, firewall commands go here. ;; up-client-v6:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. ;; down-client-v6:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 ;; esac + _________________________ /proc/net/dev + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 202024 3366 0 0 0 0 0 0 202024 3366 0 0 0 0 0 0 eth0: 3118248 5389 0 0 0 0 0 0 368845 2551 0 0 0 0 0 0 + _________________________ /proc/net/route + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT eth0 0000000A 00000000 0001 0 0 0 000000FF 0 0 0 lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0 + _________________________ /proc/sys/net/ipv4/ip_forward + cat /proc/sys/net/ipv4/ip_forward 0 + _________________________ /proc/sys/net/ipv4/tcp_ecn + cat /proc/sys/net/ipv4/tcp_ecn 0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + cd /proc/sys/net/ipv4/conf + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter all/rp_filter:1 default/rp_filter:0 eth0/rp_filter:0 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + cd /proc/sys/net/ipv4/conf + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter all/rp_filter:1 default/rp_filter:0 eth0/rp_filter:0 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects + cd /proc/sys/net/ipv4/conf + egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects all/accept_redirects:0 all/secure_redirects:1 all/send_redirects:0 default/accept_redirects:1 default/secure_redirects:1 default/send_redirects:1 eth0/accept_redirects:1 eth0/secure_redirects:1 eth0/send_redirects:1 lo/accept_redirects:1 lo/secure_redirects:1 lo/send_redirects:1 + _________________________ /proc/sys/net/ipv4/tcp_window_scaling + cat /proc/sys/net/ipv4/tcp_window_scaling 1 + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale + cat /proc/sys/net/ipv4/tcp_adv_win_scale 2 + _________________________ uname-a + uname -a Linux 3(NXDOMAIN) 2.6.22.5-31-default #1 SMP 2007/09/21 22:29:00 UTC i686 athlon i386 GNU/Linux + _________________________ config-built-with + test -r /proc/config_built_with + _________________________ distro-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/redhat-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/debian-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/SuSE-release + cat /etc/SuSE-release openSUSE 10.3 (i586) VERSION = 10.3 + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/mandrake-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/mandriva-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/gentoo-release + _________________________ /proc/net/ipsec_version + test -r /proc/net/ipsec_version + test -r /proc/net/pfkey ++ uname -r + echo 'NETKEY (2.6.22.5-31-default) support detected ' NETKEY (2.6.22.5-31-default) support detected + _________________________ ipfwadm + test -r /sbin/ipfwadm + 'no old-style linux 1.x/2.0 ipfwadm firewall support' /usr/lib/ipsec/barf: line 305: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory + _________________________ ipchains + test -r /sbin/ipchains + echo 'no old-style linux 2.0 ipchains firewall support' no old-style linux 2.0 ipchains firewall support + _________________________ iptables + test -r /sbin/iptables + test -r /sbin/ipchains + _________________________ /proc/modules + test -f /proc/modules + cat /proc/modules xfrm_user 28800 2 - Live 0xd0cc3000 xfrm4_tunnel 6784 0 - Live 0xd0c43000 af_key 43920 0 - Live 0xd0d04000 af_packet 29064 2 - Live 0xd0d10000 deflate 7808 0 - Live 0xd0cda000 zlib_deflate 21736 1 deflate, Live 0xd0cfd000 twofish_i586 9728 0 - Live 0xd0cd0000 twofish_common 38912 1 twofish_i586, Live 0xd0ce8000 camellia 32896 0 - Live 0xd0cf3000 serpent 22528 0 - Live 0xd0ce1000 blowfish 12416 0 - Live 0xd0cd5000 cbc 8448 0 - Live 0xd0ccc000 ecb 7552 0 - Live 0xd0c7b000 blkcipher 10116 2 cbc,ecb, Live 0xd0c77000 xcbc 9736 0 - Live 0xd0c73000 crypto_null 6528 0 - Live 0xd0c70000 tunnel4 7688 1 xfrm4_tunnel, Live 0xd0c3c000 ipcomp 11656 0 - Live 0xd0c6c000 esp4 11648 0 - Live 0xd0c68000 ah4 10240 0 - Live 0xd0c64000 aes_i586 37236 0 - Live 0xd0c59000 des 20352 0 - Live 0xd0c53000 md5 8064 0 - Live 0xd0c31000 sha1 6656 0 - Live 0xd0c34000 sha256 15232 0 - Live 0xd0c37000 ipv6 268152 16 - Live 0xd0c80000 apparmor 40736 0 - Live 0xd0ecc000 loop 21636 0 - Live 0xd0ea5000 dm_mod 56880 0 - Live 0xd0eaf000 container 9088 0 - Live 0xd0e59000 ac 9604 0 - Live 0xd0e1b000 button 12432 0 - Live 0xd0e54000 parport_pc 40764 0 - Live 0xd0e3e000 pcnet32 35572 0 - Live 0xd0e4a000 sr_mod 19492 0 - Live 0xd0e22000 mii 9344 1 pcnet32, Live 0xd0df2000 cdrom 37020 1 sr_mod, Live 0xd0e33000 parport 37832 1 parport_pc, Live 0xd0e28000 rtc_cmos 12064 0 - Live 0xd081e000 rtc_core 23048 1 rtc_cmos, Live 0xd0df6000 rtc_lib 7040 1 rtc_core, Live 0xd0832000 shpchp 35092 0 - Live 0xd0e11000 pci_hotplug 33216 1 shpchp, Live 0xd0dba000 intel_agp 27156 1 - Live 0xd0de6000 i2c_piix4 12556 0 - Live 0xd0db5000 agpgart 35764 1 intel_agp, Live 0xd0d9d000 i2c_core 27520 1 i2c_piix4, Live 0xd0da7000 sg 37036 0 - Live 0xd0d74000 sd_mod 31104 3 - Live 0xd0d7f000 edd 12996 0 - Live 0xd0d38000 ext3 131848 1 - Live 0xd0dc4000 mbcache 12292 1 ext3, Live 0xd0d3d000 jbd 68148 1 ext3, Live 0xd0d8b000 fan 9220 0 - Live 0xd0822000 mptspi 21512 2 - Live 0xd0d31000 mptscsih 24704 1 mptspi, Live 0xd0d29000 mptbase 55888 2 mptspi,mptscsih, Live 0xd0d65000 scsi_transport_spi 26880 1 mptspi, Live 0xd0d21000 ata_piix 21380 0 - Live 0xd0d1a000 libata 136776 1 ata_piix, Live 0xd0d42000 scsi_mod 140376 7 sr_mod,sg,sd_mod,mptspi,mptscsih,scsi_transport_spi,libata, Live 0xd085a000 thermal 19848 0 - Live 0xd0854000 processor 40744 1 thermal, Live 0xd0827000 + _________________________ /proc/meminfo + cat /proc/meminfo MemTotal: 256288 kB MemFree: 6340 kB Buffers: 6696 kB Cached: 106196 kB SwapCached: 36 kB Active: 179560 kB Inactive: 53184 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 256288 kB LowFree: 6340 kB SwapTotal: 514040 kB SwapFree: 513984 kB Dirty: 88 kB Writeback: 0 kB AnonPages: 119812 kB Mapped: 56008 kB Slab: 9692 kB SReclaimable: 4068 kB SUnreclaim: 5624 kB PageTables: 1800 kB NFS_Unstable: 0 kB Bounce: 0 kB CommitLimit: 642184 kB Committed_AS: 367960 kB VmallocTotal: 770040 kB VmallocUsed: 6720 kB VmallocChunk: 763036 kB HugePages_Total: 0 HugePages_Free: 0 HugePages_Rsvd: 0 Hugepagesize: 4096 kB + _________________________ /proc/net/ipsec-ls + test -f /proc/net/ipsec_version + _________________________ usr/src/linux/.config + test -f /proc/config.gz + zcat /proc/config.gz + egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM' # CONFIG_IPC_NS is not set CONFIG_XFRM=y CONFIG_XFRM_USER=m # CONFIG_XFRM_SUB_POLICY is not set CONFIG_XFRM_MIGRATE=y CONFIG_NET_KEY=m CONFIG_NET_KEY_MIGRATE=y CONFIG_INET=y CONFIG_IP_MULTICAST=y CONFIG_IP_ADVANCED_ROUTER=y # CONFIG_IP_FIB_TRIE is not set CONFIG_IP_FIB_HASH=y CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IP_ROUTE_MULTIPATH=y # CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set CONFIG_IP_ROUTE_VERBOSE=y # CONFIG_IP_PNP is not set CONFIG_IP_MROUTE=y CONFIG_IP_PIMSM_V1=y CONFIG_IP_PIMSM_V2=y CONFIG_INET_AH=m CONFIG_INET_ESP=m CONFIG_INET_IPCOMP=m CONFIG_INET_XFRM_TUNNEL=m CONFIG_INET_TUNNEL=m CONFIG_INET_XFRM_MODE_TRANSPORT=m CONFIG_INET_XFRM_MODE_TUNNEL=m CONFIG_INET_XFRM_MODE_BEET=m CONFIG_INET_DIAG=m CONFIG_INET_TCP_DIAG=m CONFIG_IP_VS=m # CONFIG_IP_VS_DEBUG is not set CONFIG_IP_VS_TAB_BITS=12 CONFIG_IP_VS_PROTO_TCP=y CONFIG_IP_VS_PROTO_UDP=y CONFIG_IP_VS_PROTO_ESP=y CONFIG_IP_VS_PROTO_AH=y CONFIG_IP_VS_RR=m CONFIG_IP_VS_WRR=m CONFIG_IP_VS_LC=m CONFIG_IP_VS_WLC=m CONFIG_IP_VS_LBLC=m CONFIG_IP_VS_LBLCR=m CONFIG_IP_VS_DH=m CONFIG_IP_VS_SH=m CONFIG_IP_VS_SED=m CONFIG_IP_VS_NQ=m CONFIG_IP_VS_FTP=m CONFIG_IPV6=m CONFIG_IPV6_PRIVACY=y CONFIG_IPV6_ROUTER_PREF=y CONFIG_IPV6_ROUTE_INFO=y # CONFIG_IPV6_OPTIMISTIC_DAD is not set CONFIG_INET6_AH=m CONFIG_INET6_ESP=m CONFIG_INET6_IPCOMP=m CONFIG_IPV6_MIP6=y CONFIG_INET6_XFRM_TUNNEL=m CONFIG_INET6_TUNNEL=m CONFIG_INET6_XFRM_MODE_TRANSPORT=m CONFIG_INET6_XFRM_MODE_TUNNEL=m CONFIG_INET6_XFRM_MODE_BEET=m CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m CONFIG_IPV6_SIT=m CONFIG_IPV6_TUNNEL=m CONFIG_IPV6_MULTIPLE_TABLES=y CONFIG_IPV6_SUBTREES=y CONFIG_IP_NF_QUEUE=m CONFIG_IP_NF_IPTABLES=m CONFIG_IP_NF_MATCH_IPRANGE=m CONFIG_IP_NF_MATCH_TOS=m CONFIG_IP_NF_MATCH_RECENT=m CONFIG_IP_NF_MATCH_ECN=m CONFIG_IP_NF_MATCH_AH=m CONFIG_IP_NF_MATCH_TTL=m CONFIG_IP_NF_MATCH_OWNER=m CONFIG_IP_NF_MATCH_ADDRTYPE=m CONFIG_IP_NF_FILTER=m CONFIG_IP_NF_TARGET_REJECT=m CONFIG_IP_NF_TARGET_LOG=m CONFIG_IP_NF_TARGET_ULOG=m CONFIG_IP_NF_TARGET_MASQUERADE=m CONFIG_IP_NF_TARGET_REDIRECT=m CONFIG_IP_NF_TARGET_NETMAP=m CONFIG_IP_NF_TARGET_SAME=m CONFIG_IP_NF_MANGLE=m CONFIG_IP_NF_TARGET_TOS=m CONFIG_IP_NF_TARGET_ECN=m CONFIG_IP_NF_TARGET_TTL=m CONFIG_IP_NF_TARGET_CLUSTERIP=m CONFIG_IP_NF_RAW=m CONFIG_IP_NF_ARPTABLES=m CONFIG_IP_NF_ARPFILTER=m CONFIG_IP_NF_ARP_MANGLE=m CONFIG_IP6_NF_QUEUE=m CONFIG_IP6_NF_IPTABLES=m CONFIG_IP6_NF_MATCH_RT=m CONFIG_IP6_NF_MATCH_OPTS=m CONFIG_IP6_NF_MATCH_FRAG=m CONFIG_IP6_NF_MATCH_HL=m CONFIG_IP6_NF_MATCH_OWNER=m CONFIG_IP6_NF_MATCH_IPV6HEADER=m CONFIG_IP6_NF_MATCH_AH=m CONFIG_IP6_NF_MATCH_MH=m CONFIG_IP6_NF_MATCH_EUI64=m CONFIG_IP6_NF_FILTER=m CONFIG_IP6_NF_TARGET_LOG=m CONFIG_IP6_NF_TARGET_REJECT=m CONFIG_IP6_NF_MANGLE=m CONFIG_IP6_NF_TARGET_HL=m CONFIG_IP6_NF_RAW=m CONFIG_IP_DCCP=m CONFIG_INET_DCCP_DIAG=m CONFIG_IP_DCCP_ACKVEC=y CONFIG_IP_DCCP_CCID2=m # CONFIG_IP_DCCP_CCID2_DEBUG is not set CONFIG_IP_DCCP_CCID3=m CONFIG_IP_DCCP_TFRC_LIB=m # CONFIG_IP_DCCP_CCID3_DEBUG is not set CONFIG_IP_DCCP_CCID3_RTO=100 # CONFIG_IP_DCCP_DEBUG is not set CONFIG_IP_SCTP=m CONFIG_IPX=m # CONFIG_IPX_INTERN is not set CONFIG_IPDDP=m CONFIG_IPDDP_ENCAP=y CONFIG_IPDDP_DECAP=y CONFIG_IPW2100=m CONFIG_IPW2100_MONITOR=y # CONFIG_IPW2100_DEBUG is not set CONFIG_IPW2200=m CONFIG_IPW2200_MONITOR=y CONFIG_IPW2200_RADIOTAP=y CONFIG_IPW2200_PROMISCUOUS=y CONFIG_IPW2200_QOS=y # CONFIG_IPW2200_DEBUG is not set CONFIG_IPPP_FILTER=y CONFIG_IPMI_HANDLER=m CONFIG_IPMI_PANIC_EVENT=y CONFIG_IPMI_PANIC_STRING=y CONFIG_IPMI_DEVICE_INTERFACE=m CONFIG_IPMI_SI=m CONFIG_IPMI_WATCHDOG=m CONFIG_IPMI_POWEROFF=m CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_INTEL=m CONFIG_HW_RANDOM_AMD=m CONFIG_HW_RANDOM_GEODE=m CONFIG_HW_RANDOM_VIA=m # CONFIG_SECURITY_NETWORK_XFRM is not set CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=m CONFIG_CRYPTO_DEV_PADLOCK_SHA=m CONFIG_CRYPTO_DEV_GEODE=m + _________________________ etc/syslog.conf + cat /etc/syslog.conf cat: /etc/syslog.conf: No such file or directory + _________________________ etc/syslog-ng/syslog-ng.conf + cat /etc/syslog-ng/syslog-ng.conf # # /etc/syslog-ng/syslog-ng.conf # # File format description can be found in syslog-ng.conf(5) # and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt. # # NOTE: The SuSEconfig script and its syslog-ng.conf.in # configuration template aren't used any more. # # Feel free to edit this file directly. # # Additional log sockets for chroot environments can # be declared in the /etc/sysconfig/syslog file using # SYSLOGD_ADDITIONAL_SOCKET # variables. This way allows to define a socket from # RPM scripts and is used by several services, e.g. # bind and dhcpd. # # The sockets defined in /etc/sysconfig/syslog file # are added by the /etc/ini.d/syslog init-script using # "-a path" command line options while syslog-ng is # started. # # This syslog-ng contains an extension and appends the # sockets added by "-a" option to the same source group # and using the same socket type (unix-dgram) as the # "/dev/log" socket. # If one of the sockets added by "-a" option already # exists in any (other) source group in the config file, # then the socket added by "-a" option is ignored. # # # Global options. # options { long_hostnames(off); sync(0); perm(0640); stats(3600); }; # # 'src' is our main source definition. you can add # more sources driver definitions to it, or define # your own sources, i.e.: # #source my_src { .... }; # source src { # # include internal syslog-ng messages # note: the internal() soure is required! # internal(); # # the default log socket for local logging: # unix-dgram("/dev/log"); # # uncomment to process log messages from network: # #udp(ip("0.0.0.0") port(514)); }; # # Filter definitions # filter f_iptables { facility(kern) and match("IN=") and match("OUT="); }; filter f_console { level(warn) and facility(kern) and not filter(f_iptables) or level(err) and not facility(authpriv); }; filter f_newsnotice { level(notice) and facility(news); }; filter f_newscrit { level(crit) and facility(news); }; filter f_newserr { level(err) and facility(news); }; filter f_news { facility(news); }; filter f_mailinfo { level(info) and facility(mail); }; filter f_mailwarn { level(warn) and facility(mail); }; filter f_mailerr { level(err, crit) and facility(mail); }; filter f_mail { facility(mail); }; filter f_cron { facility(cron); }; filter f_local { facility(local0, local1, local2, local3, local4, local5, local6, local7); }; # # acpid messages # filter f_acpid_full { match('^\acpid:'); }; filter f_acpid { level(emerg...notice) and match('^\acpid:'); }; # this is for the old acpid < 1.0.6 filter f_acpid_old { match('^\[acpid\]:'); }; filter f_netmgm { match('^NetworkManager:'); }; filter f_messages { not facility(news, mail) and not filter(f_iptables); }; filter f_warn { level(warn, err, crit) and not filter(f_iptables); }; filter f_alert { level(alert); }; # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); }; # # Enable this, if you want to keep all messages in one file: # (don't forget to provide logrotation config) # #destination allmessages { file("/var/log/allmessages"); }; #log { source(src); destination(allmessages); }; # # Most warning and errors on tty10 and on the xconsole pipe: # destination console { pipe("/dev/tty10" owner(-1) group(-1) perm(-1)); }; log { source(src); filter(f_console); destination(console); }; destination xconsole { pipe("/dev/xconsole" owner(-1) group(-1) perm(-1)); }; log { source(src); filter(f_console); destination(xconsole); }; # Enable this, if you want that root is informed immediately, # e.g. of logins: # #destination root { usertty("root"); }; #log { source(src); filter(f_alert); destination(root); }; # # News-messages in separate files: # destination newscrit { file("/var/log/news/news.crit" owner(news) group(news)); }; log { source(src); filter(f_newscrit); destination(newscrit); }; destination newserr { file("/var/log/news/news.err" owner(news) group(news)); }; log { source(src); filter(f_newserr); destination(newserr); }; destination newsnotice { file("/var/log/news/news.notice" owner(news) group(news)); }; log { source(src); filter(f_newsnotice); destination(newsnotice); }; # # and optionally also all in one file: # (don't forget to provide logrotation config) # #destination news { file("/var/log/news.all"); }; #log { source(src); filter(f_news); destination(news); }; # # Mail-messages in separate files: # destination mailinfo { file("/var/log/mail.info"); }; log { source(src); filter(f_mailinfo); destination(mailinfo); }; destination mailwarn { file("/var/log/mail.warn"); }; log { source(src); filter(f_mailwarn); destination(mailwarn); }; destination mailerr { file("/var/log/mail.err" fsync(yes)); }; log { source(src); filter(f_mailerr); destination(mailerr); }; # # and also all in one file: # destination mail { file("/var/log/mail"); }; log { source(src); filter(f_mail); destination(mail); }; # # acpid messages in one file: # destination acpid { file("/var/log/acpid"); }; destination null { }; log { source(src); filter(f_acpid); destination(acpid); flags(final); }; # # if you want more verbose acpid logging, comment the destination(null) # line and uncomment the destination(acpid) line # log { source(src); filter(f_acpid_full); destination(null); flags(final); }; # log { source(src); filter(f_acpid_full); destination(acpid); flags(final); }; # # old acpid < 1.0.6 log { source(src); filter(f_acpid_old); destination(acpid); flags(final); }; # # NetworkManager messages in one file: # destination netmgm { file("/var/log/NetworkManager"); }; log { source(src); filter(f_netmgm); destination(netmgm); flags(final); }; # # Cron-messages in one file: # (don't forget to provide logrotation config) # #destination cron { file("/var/log/cron"); }; #log { source(src); filter(f_cron); destination(cron); }; # # Some boot scripts use/require local[1-7]: # destination localmessages { file("/var/log/localmessages"); }; log { source(src); filter(f_local); destination(localmessages); }; # # All messages except iptables and the facilities news and mail: # destination messages { file("/var/log/messages"); }; log { source(src); filter(f_messages); destination(messages); }; # # Firewall (iptables) messages in one file: # destination firewall { file("/var/log/firewall"); }; log { source(src); filter(f_iptables); destination(firewall); }; # # Warnings (except iptables) in one file: # destination warn { file("/var/log/warn" fsync(yes)); }; log { source(src); filter(f_warn); destination(warn); }; + _________________________ etc/resolv.conf + cat /etc/resolv.conf ### BEGIN INFO # # Modified_by: dhclient # Backup: /etc/resolv.conf.saved.by.dhclient # Process: /sbin/dhclient # Process_id: 6077 # Script: /sbin/dhclient-script # # Info: This is a temporary resolv.conf created by dhclient. # A previous resolv.conf has been saved as # /etc/resolv.conf.saved.by.dhclient and will be # restored when dhclient is stopped. # # If you don't like dhclient to change your nameserver # settings, set DHCLIENT_MODIFY_RESOLV_CONF in # /etc/sysconfig/network/dhcp to "no", or set # MODIFY_RESOLV_CONF_DYNAMICALLY in /etc/sysconfig/network/config # to "no". # You can also customize /etc/dhclient.conf (man 5 dhclient.conf) # using the supersede and/or prepend option. ### END INFO search localdomain nameserver 192.168.233.2 + _________________________ lib/modules-ls + ls -ltr /lib/modules total 4 drwxr-xr-x 3 root root 4096 Feb 20 20:58 2.6.22.5-31-default + _________________________ /proc/ksyms-netif_rx + test -r /proc/ksyms + test -r /proc/kallsyms + egrep netif_rx /proc/kallsyms c026e288 T __netif_rx_schedule c026f4a1 T netif_rx c026f692 T netif_rx_ni c026f4a1 u netif_rx [ipv6] c026e288 u __netif_rx_schedule [pcnet32] + _________________________ lib/modules-netif_rx + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.6.22.5-31-default: + _________________________ kern.debug + test -f /var/log/kern.debug + _________________________ klog + sed -n '1829,$p' /var/log/messages + egrep -i 'ipsec|klips|pluto' + case "$1" in + cat Mar 6 20:24:43 linux-fm6v ipsec_setup: Starting Openswan IPsec 2.4.7... Mar 6 20:24:43 linux-fm6v pluto[7211]: Changing to directory '/etc/ipsec.d/cacerts' Mar 6 20:24:43 linux-fm6v pluto[7211]: loaded CA cert file 'cacert.pem' (3248 bytes) Mar 6 20:24:43 linux-fm6v pluto[7211]: Could not change to directory '/etc/ipsec.d/aacerts' Mar 6 20:24:43 linux-fm6v pluto[7211]: Could not change to directory '/etc/ipsec.d/ocspcerts' Mar 6 20:24:43 linux-fm6v pluto[7211]: Changing to directory '/etc/ipsec.d/crls' Mar 6 20:24:43 linux-fm6v pluto[7211]: Warning: empty directory Mar 6 20:24:43 linux-fm6v ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior-l2tp": (/etc/ipsec.conf, line 85) duplicated parameter "pfs" Mar 6 20:24:43 linux-fm6v ipsec__plutorun: ...could not add conn "roadwarrior-l2tp" Mar 6 20:24:44 linux-fm6v ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior": %defaultroute requested but not known Mar 6 20:24:44 linux-fm6v ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior-net": %defaultroute requested but not known Mar 6 20:24:44 linux-fm6v ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior-l2tp-updatedwin": (/etc/ipsec.conf, line 85) duplicated parameter "pfs" Mar 6 20:24:44 linux-fm6v ipsec__plutorun: ...could not add conn "roadwarrior-l2tp-updatedwin" Mar 6 20:24:44 linux-fm6v pluto[7211]: listening for IKE messages Mar 6 20:24:44 linux-fm6v pluto[7211]: adding interface eth0/eth0 10.0.0.1:500 Mar 6 20:24:44 linux-fm6v pluto[7211]: adding interface eth0/eth0 10.0.0.1:4500 Mar 6 20:24:44 linux-fm6v pluto[7211]: adding interface lo/lo 127.0.0.1:500 Mar 6 20:24:44 linux-fm6v pluto[7211]: adding interface lo/lo 127.0.0.1:4500 Mar 6 20:24:44 linux-fm6v pluto[7211]: adding interface lo/lo ::1:500 Mar 6 20:24:44 linux-fm6v pluto[7211]: loading secrets from "/etc/ipsec.secrets" Mar 6 20:24:44 linux-fm6v pluto[7211]: loaded private key file '/etc/ipsec.d/private/newkey.pem' (963 bytes) Mar 6 20:24:44 linux-fm6v pluto[7211]: invalid passphrase Mar 6 20:24:44 linux-fm6v pluto[7211]: "/etc/ipsec.secrets" line 8: error loading RSA private key file Mar 6 20:24:44 linux-fm6v ipsec__plutorun: 003 "/etc/ipsec.secrets" line 8: error loading RSA private key file + _________________________ plog + sed -n '1820,$p' /var/log/messages + egrep -i pluto + case "$1" in + cat Mar 6 20:24:43 linux-fm6v ipsec__plutorun: Starting Pluto subsystem... Mar 6 20:24:43 linux-fm6v pluto[7211]: Starting Pluto (Openswan Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEZ~BaB]r\134p_) Mar 6 20:24:43 linux-fm6v pluto[7211]: Setting NAT-Traversal port-4500 floating to on Mar 6 20:24:43 linux-fm6v pluto[7211]: port floating activation criteria nat_t=1/port_fload=1 Mar 6 20:24:43 linux-fm6v pluto[7211]: including NAT-Traversal patch (Version 0.6c) Mar 6 20:24:43 linux-fm6v pluto[7211]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) Mar 6 20:24:43 linux-fm6v pluto[7211]: no helpers will be started, all cryptographic operations will be done inline Mar 6 20:24:43 linux-fm6v pluto[7211]: Using NETKEY IPsec interface code on 2.6.22.5-31-default Mar 6 20:24:43 linux-fm6v pluto[7211]: Changing to directory '/etc/ipsec.d/cacerts' Mar 6 20:24:43 linux-fm6v pluto[7211]: loaded CA cert file 'cacert.pem' (3248 bytes) Mar 6 20:24:43 linux-fm6v pluto[7211]: Could not change to directory '/etc/ipsec.d/aacerts' Mar 6 20:24:43 linux-fm6v pluto[7211]: Could not change to directory '/etc/ipsec.d/ocspcerts' Mar 6 20:24:43 linux-fm6v pluto[7211]: Changing to directory '/etc/ipsec.d/crls' Mar 6 20:24:43 linux-fm6v pluto[7211]: Warning: empty directory Mar 6 20:24:43 linux-fm6v ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior-l2tp": (/etc/ipsec.conf, line 85) duplicated parameter "pfs" Mar 6 20:24:43 linux-fm6v ipsec__plutorun: ...could not add conn "roadwarrior-l2tp" Mar 6 20:24:44 linux-fm6v ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior": %defaultroute requested but not known Mar 6 20:24:44 linux-fm6v ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior-net": %defaultroute requested but not known Mar 6 20:24:44 linux-fm6v ipsec__plutorun: ipsec_auto: fatal error in "roadwarrior-l2tp-updatedwin": (/etc/ipsec.conf, line 85) duplicated parameter "pfs" Mar 6 20:24:44 linux-fm6v ipsec__plutorun: ...could not add conn "roadwarrior-l2tp-updatedwin" Mar 6 20:24:44 linux-fm6v pluto[7211]: listening for IKE messages Mar 6 20:24:44 linux-fm6v pluto[7211]: adding interface eth0/eth0 10.0.0.1:500 Mar 6 20:24:44 linux-fm6v pluto[7211]: adding interface eth0/eth0 10.0.0.1:4500 Mar 6 20:24:44 linux-fm6v pluto[7211]: adding interface lo/lo 127.0.0.1:500 Mar 6 20:24:44 linux-fm6v pluto[7211]: adding interface lo/lo 127.0.0.1:4500 Mar 6 20:24:44 linux-fm6v pluto[7211]: adding interface lo/lo ::1:500 Mar 6 20:24:44 linux-fm6v pluto[7211]: loading secrets from "/etc/ipsec.secrets" Mar 6 20:24:44 linux-fm6v pluto[7211]: loaded private key file '/etc/ipsec.d/private/newkey.pem' (963 bytes) Mar 6 20:24:44 linux-fm6v pluto[7211]: invalid passphrase Mar 6 20:24:44 linux-fm6v pluto[7211]: "/etc/ipsec.secrets" line 8: error loading RSA private key file Mar 6 20:24:44 linux-fm6v ipsec__plutorun: 003 "/etc/ipsec.secrets" line 8: error loading RSA private key file + _________________________ date + date Thu Mar 6 20:37:28 EST 2008