root@gatekeeper:/home/administrator# ipsec barf gatekeeper.mycompany.com Fri Mar 14 15:28:33 EDT 2008 + _________________________ version + + ipsec --version Linux Openswan U2.4.6/K2.6.22-14-server (netkey) See `ipsec --copyright' for copyright information. + _________________________ /proc/version + + cat /proc/version Linux version 2.6.22-14-server (buildd@terranova) (gcc version 4.1.3 20070929 (prerelease) (Ubuntu 4.1.2-16ubuntu2)) #1 SMP Tue Feb 12 08:27:05 UTC 2008 + _________________________ /proc/net/ipsec_eroute + + test -r /proc/net/ipsec_eroute + _________________________ netstat-rn + + netstat -nr + head -n 100 Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 66.225.x.x 0.0.0.0 255.255.255.224 U 0 0 0 eth1 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 0.0.0.0 192.168.0.10 0.0.0.0 UG 0 0 0 eth0 + _________________________ /proc/net/ipsec_spi + + test -r /proc/net/ipsec_spi + _________________________ /proc/net/ipsec_spigrp + + test -r /proc/net/ipsec_spigrp + _________________________ /proc/net/ipsec_tncfg + + test -r /proc/net/ipsec_tncfg + _________________________ /proc/net/pfkey + + test -r /proc/net/pfkey + cat /proc/net/pfkey sk RefCnt Rmem Wmem User Inode + _________________________ ip-xfrm-state + + ip xfrm state + _________________________ ip-xfrm-policy + + ip xfrm policy src ::/0 dst ::/0 dir in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 ptype main src ::/0 dst ::/0 dir out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 ptype main + _________________________ /proc/sys/net/ipsec-star + + test -d /proc/sys/net/ipsec + _________________________ ipsec/status + + ipsec auto --status 000 interface lo/lo ::1 000 interface lo/lo 127.0.0.1 000 
interface eth1/eth1 66.225.y.y 000 interface eth0/eth0 192.168.0.20 000 %myid = (none) 000 debug none 000 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0 000 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, 
bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 000 000 "pax_square": 192.168.0.0/24===66.225.y.y...%any[@pax_square]===192.168.36.0/24; unrouted; eroute owner: #0 000 "pax_square": srcip=192.168.0.20; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown; 000 "pax_square": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "pax_square": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth1; 000 "pax_square": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "pax_square": IKE algorithms wanted: 5_000-1-2, flags=strict 000 "pax_square": IKE algorithms found: 5_192-1_128-2, 000 "pax_square": ESP algorithms wanted: 3_000-1, flags=strict 000 "pax_square": ESP algorithms loaded: 3_000-1, flags=strict 000 000 + _________________________ ifconfig-a + + ifconfig -a eth0 Link encap:Ethernet HWaddr 00:02:B3:E6:AA:7D inet addr:192.168.0.20 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::202:b3ff:fee6:aa7d/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:36874 errors:0 dropped:0 overruns:0 frame:0 TX packets:3394 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:3823722 (3.6 MB) TX bytes:837891 (818.2 KB) eth1 Link encap:Ethernet HWaddr 00:30:1B:44:B4:AE inet addr:66.225.y.y Bcast:66.225.z.z Mask:255.255.255.224 inet6 addr: fe80::230:1bff:fe44:b4ae/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:127 errors:0 dropped:0 overruns:0 frame:0 TX packets:6 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:9007 (8.7 KB) TX bytes:492 (492.0 b) Interrupt:17 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) + _________________________ ip-addr-list + + ip addr list 1: lo: mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth1: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:30:1b:44:b4:ae brd ff:ff:ff:ff:ff:ff inet 66.225.y.y/27 brd 66.225.z.z scope global eth1 inet6 fe80::230:1bff:fe44:b4ae/64 scope link valid_lft forever preferred_lft forever 3: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:02:b3:e6:aa:7d brd ff:ff:ff:ff:ff:ff inet 192.168.0.20/24 brd 192.168.0.255 scope global eth0 inet6 fe80::202:b3ff:fee6:aa7d/64 scope link valid_lft forever preferred_lft forever + _________________________ ip-route-list + + ip route list 66.225.x.x/27 dev eth1 proto kernel scope link src 66.225.y.y 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20 default via 192.168.0.10 dev eth0 metric 100 + _________________________ ip-rule-list + + ip rule list 0: from all lookup local 32766: from all lookup main 32767: from all lookup default + _________________________ ipsec_verify + + ipsec verify --nocolour Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.4.6/K2.6.22-14-server (netkey) Checking for IPsec support in kernel [OK] NETKEY detected, testing for disabled ICMP send_redirects [OK] NETKEY detected, testing for disabled ICMP accept_redirects [OK] Checking for RSA private key (/etc/ipsec.secrets) [OK] Checking that pluto is running [OK] Two or more interfaces found, checking IP forwarding [OK] Checking NAT and MASQUERADEing [OK] Checking for 'ip' command [OK] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED] + _________________________ mii-tool + + [ -x /sbin/mii-tool ] + /sbin/mii-tool -v eth0: negotiated 100baseTx-FD, link ok product info: Intel 82555 rev 4 
basic mode: autonegotiation enabled basic status: autonegotiation complete, link ok capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD eth1: negotiated 100baseTx-FD, link ok product info: vendor 00:50:43, model 2 rev 5 basic mode: autonegotiation enabled basic status: autonegotiation complete, link ok capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD + _________________________ ipsec/directory + + ipsec --directory /usr/lib/ipsec + _________________________ hostname/fqdn + + hostname --fqdn gatekeeper.mycompany.com + _________________________ hostname/ipaddress + + hostname --ip-address 192.168.0.20 + _________________________ uptime + + uptime 15:28:34 up 2:50, 1 user, load average: 0.00, 0.00, 0.00 + _________________________ ps + + ps alxwf + egrep -i ppid|pluto|ipsec|klips F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND 1 0 4159 1 19 0 2836 500 wait S ? 0:00 /bin/bash /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid 1 0 4160 4159 19 0 2836 696 wait S ? 0:00 \_ /bin/bash /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid 4 0 4161 4160 15 0 7288 2156 - S ? 
0:00 | \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids 5 0 4328 4161 29 10 7288 852 - SN ? 0:00 | \_ pluto helper # 0 -nofork 0 0 4396 4161 18 0 1616 300 - S ? 0:00 | \_ _pluto_adns 0 0 4162 4159 16 0 1752 508 pipe_w S ? 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post 0 0 4163 1 19 0 1676 428 pipe_w S ? 0:00 logger -s -p daemon.error -t ipsec__plutorun 0 0 5388 5069 24 0 1752 520 wait S+ pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/barf 0 0 5463 5388 24 0 1760 540 pipe_w S+ pts/0 0:00 \_ grep -E -i ppid|pluto|ipsec|klips + _________________________ ipsec/showdefaults + + ipsec showdefaults routephys=eth0 routevirt=ipsec0 routeaddr=192.168.0.20 routenexthop=192.168.0.10 + _________________________ ipsec/conf + + ipsec _include /etc/ipsec.conf + ipsec _keycensor #< /etc/ipsec.conf 1 # /etc/ipsec.conf - Openswan IPsec configuration file # RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $ # This file: /usr/share/doc/openswan/ipsec.conf-sample # # Manual: ipsec.conf.5 version 2.0 # conforms to second version of ipsec.conf specification config setup interfaces=%defaultroute uniqueids=yes #< /etc/ipsec.d/examples/no_oe.conf 1 # 'include' this file to disable Opportunistic Encryption. # See /usr/share/doc/openswan/policygroups.html for details. 
# # RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $ conn block auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear-or-private auto=ignore conn clear auto=ignore conn packetdefault auto=ignore #> /etc/ipsec.conf 16 conn pax_square also=central-site right=%any rightid=@pax_square rightsubnet=192.168.36.0/24 also=linksys-policy auto=add conn central-site left=66.225.y.y leftsubnet=192.168.0.0/24 leftsourceip=192.168.0.20 conn linksys-policy ike=3des-md5-modp1024 esp=3des-md5 compress=no authby=secret # basic configuration #config setup # plutodebug / klipsdebug = "all", "none" or a combation from below: # "raw crypt parsing emitting control klips pfkey natt x509 private" # eg: # plutodebug="control parsing" # # Only enable klipsdebug=all if you are a developer # # NAT-TRAVERSAL support, see README.NAT-Traversal #nat_traversal=yes # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 # # enable this if you see "failed to find any available worker" #nhelpers=0 # Add connections here # sample VPN connections, see /etc/ipsec.d/examples/ #Disable Opportunistic Encryption + _________________________ ipsec/secrets + + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 : RSA { # RSA 2192 bits gatekeeper.mycompany.com Thu Mar 13 20:52:42 2008 # for signatures only, UNSAFE FOR ENCRYPTION #pubkey=[keyid AQOVIRNnv] Modulus: [...] PublicExponent: [...] # everything after this point is secret PrivateExponent: [...] Prime1: [...] Prime2: [...] Exponent1: [...] Exponent2: [...] Coefficient: [...] 
} # do not change the indenting of that "[sums to 7d9d...]" 66.225.y.y : PSK "[sums to 2787...]" + _________________________ ipsec/listall + + ipsec auto --listall 000 000 List of Public Keys: 000 + [ /etc/ipsec.d/policies ] + basename /etc/ipsec.d/policies/block + base=block + _________________________ ipsec/policies/block + + cat /etc/ipsec.d/policies/block # This file defines the set of CIDRs (network/mask-length) to which # communication should never be allowed. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/clear + base=clear + _________________________ ipsec/policies/clear + + cat /etc/ipsec.d/policies/clear # This file defines the set of CIDRs (network/mask-length) to which # communication should always be in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/clear-or-private + base=clear-or-private + _________________________ ipsec/policies/clear-or-private + + cat /etc/ipsec.d/policies/clear-or-private # This file defines the set of CIDRs (network/mask-length) to which # we will communicate in the clear, or, if the other side initiates IPSEC, # using encryption. This behaviour is also called "Opportunistic Responder". # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/private + base=private + _________________________ ipsec/policies/private + + cat /etc/ipsec.d/policies/private # This file defines the set of CIDRs (network/mask-length) to which # communication should always be private (i.e. encrypted). # See /usr/share/doc/openswan/policygroups.html for details. 
# # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/private-or-clear + base=private-or-clear + _________________________ ipsec/policies/private-or-clear + + cat /etc/ipsec.d/policies/private-or-clear # This file defines the set of CIDRs (network/mask-length) to which # communication should be private, if possible, but in the clear otherwise. # # If the target has a TXT (later IPSECKEY) record that specifies # authentication material, we will require private (i.e. encrypted) # communications. If no such record is found, communications will be # in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $ # 0.0.0.0/0 + _________________________ ipsec/ls-libdir + + ls -l /usr/lib/ipsec total 1420 -rwxr-xr-x 1 root root 15848 Jul 4 2007 _confread -rwxr-xr-x 1 root root 4448 Jul 4 2007 _copyright -rwxr-xr-x 1 root root 2379 Jul 4 2007 _include -rwxr-xr-x 1 root root 1475 Jul 4 2007 _keycensor -rwxr-xr-x 1 root root 8256 Jul 4 2007 _pluto_adns -rwxr-xr-x 1 root root 3586 Jul 4 2007 _plutoload -rwxr-xr-x 1 root root 7209 Jul 4 2007 _plutorun -rwxr-xr-x 1 root root 12335 Jul 4 2007 _realsetup -rwxr-xr-x 1 root root 1975 Jul 4 2007 _secretcensor -rwxr-xr-x 1 root root 10070 Jul 4 2007 _startklips -rwxr-xr-x 1 root root 13912 Jul 4 2007 _updown -rwxr-xr-x 1 root root 15740 Jul 4 2007 _updown_x509 -rwxr-xr-x 1 root root 18891 Jul 4 2007 auto -rwxr-xr-x 1 root root 11331 Jul 4 2007 barf -rwxr-xr-x 1 root root 816 Jul 4 2007 calcgoo -rwxr-xr-x 1 root root 78488 Jul 4 2007 eroute -rwxr-xr-x 1 root root 18116 Jul 4 2007 ikeping -rwxr-xr-x 1 root root 1942 Jul 4 2007 ipsec_pr.template -rwxr-xr-x 1 root root 60848 Jul 4 2007 klipsdebug -rwxr-xr-x 1 root root 1836 Jul 4 2007 livetest -rwxr-xr-x 1 root root 2605 Jul 4 2007 look -rwxr-xr-x 1 root root 7147 Jul 4 2007 mailkey -rwxr-xr-x 1 root root 16015 Jul 4 2007 manual -rwxr-xr-x 1 root root 1951 Jul 4 2007 
newhostkey -rwxr-xr-x 1 root root 52016 Jul 4 2007 pf_key -rwxr-xr-x 1 root root 668408 Jul 4 2007 pluto -rwxr-xr-x 1 root root 6664 Jul 4 2007 ranbits -rwxr-xr-x 1 root root 19056 Jul 4 2007 rsasigkey -rwxr-xr-x 1 root root 766 Jul 4 2007 secrets -rwxr-xr-x 1 root root 17624 Jul 4 2007 send-pr lrwxrwxrwx 1 root root 17 Mar 13 20:41 setup -> /etc/init.d/ipsec -rwxr-xr-x 1 root root 1054 Jul 4 2007 showdefaults -rwxr-xr-x 1 root root 4748 Jul 4 2007 showhostkey -rwxr-xr-x 1 root root 120096 Jul 4 2007 spi -rwxr-xr-x 1 root root 66292 Jul 4 2007 spigrp -rwxr-xr-x 1 root root 10644 Jul 4 2007 tncfg -rwxr-xr-x 1 root root 11628 Jul 4 2007 verify -rwxr-xr-x 1 root root 51300 Jul 4 2007 whack + _________________________ ipsec/ls-execdir + + ls -l /usr/lib/ipsec total 1420 -rwxr-xr-x 1 root root 15848 Jul 4 2007 _confread -rwxr-xr-x 1 root root 4448 Jul 4 2007 _copyright -rwxr-xr-x 1 root root 2379 Jul 4 2007 _include -rwxr-xr-x 1 root root 1475 Jul 4 2007 _keycensor -rwxr-xr-x 1 root root 8256 Jul 4 2007 _pluto_adns -rwxr-xr-x 1 root root 3586 Jul 4 2007 _plutoload -rwxr-xr-x 1 root root 7209 Jul 4 2007 _plutorun -rwxr-xr-x 1 root root 12335 Jul 4 2007 _realsetup -rwxr-xr-x 1 root root 1975 Jul 4 2007 _secretcensor -rwxr-xr-x 1 root root 10070 Jul 4 2007 _startklips -rwxr-xr-x 1 root root 13912 Jul 4 2007 _updown -rwxr-xr-x 1 root root 15740 Jul 4 2007 _updown_x509 -rwxr-xr-x 1 root root 18891 Jul 4 2007 auto -rwxr-xr-x 1 root root 11331 Jul 4 2007 barf -rwxr-xr-x 1 root root 816 Jul 4 2007 calcgoo -rwxr-xr-x 1 root root 78488 Jul 4 2007 eroute -rwxr-xr-x 1 root root 18116 Jul 4 2007 ikeping -rwxr-xr-x 1 root root 1942 Jul 4 2007 ipsec_pr.template -rwxr-xr-x 1 root root 60848 Jul 4 2007 klipsdebug -rwxr-xr-x 1 root root 1836 Jul 4 2007 livetest -rwxr-xr-x 1 root root 2605 Jul 4 2007 look -rwxr-xr-x 1 root root 7147 Jul 4 2007 mailkey -rwxr-xr-x 1 root root 16015 Jul 4 2007 manual -rwxr-xr-x 1 root root 1951 Jul 4 2007 newhostkey -rwxr-xr-x 1 root root 52016 Jul 4 2007 
pf_key -rwxr-xr-x 1 root root 668408 Jul 4 2007 pluto -rwxr-xr-x 1 root root 6664 Jul 4 2007 ranbits -rwxr-xr-x 1 root root 19056 Jul 4 2007 rsasigkey -rwxr-xr-x 1 root root 766 Jul 4 2007 secrets -rwxr-xr-x 1 root root 17624 Jul 4 2007 send-pr lrwxrwxrwx 1 root root 17 Mar 13 20:41 setup -> /etc/init.d/ipsec -rwxr-xr-x 1 root root 1054 Jul 4 2007 showdefaults -rwxr-xr-x 1 root root 4748 Jul 4 2007 showhostkey -rwxr-xr-x 1 root root 120096 Jul 4 2007 spi -rwxr-xr-x 1 root root 66292 Jul 4 2007 spigrp -rwxr-xr-x 1 root root 10644 Jul 4 2007 tncfg -rwxr-xr-x 1 root root 11628 Jul 4 2007 verify -rwxr-xr-x 1 root root 51300 Jul 4 2007 whack + _________________________ ipsec/updowns + + ls /usr/lib/ipsec + egrep updown + cat /usr/lib/ipsec/_updown #! /bin/sh # iproute2 version, default updown script # # Copyright (C) 2003-2004 Nigel Metheringham # Copyright (C) 2002-2004 Michael Richardson # Copyright (C) 2003-2005 Tuomo Soini # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at your # option) any later version. See . # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # # RCSID $Id: _updown.in,v 1.21.2.11 2006/02/20 22:57:28 paul Exp $ # CAUTION: Installing a new version of Openswan will install a new # copy of this script, wiping out any custom changes you make. If # you need changes, make a copy of this under another name, and customize # that, and use the (left/right)updown parameters in ipsec.conf to make # Openswan use yours instead of this default one. LC_ALL=C export LC_ALL # things that this script gets (from ipsec_pluto(8) man page) # # # PLUTO_VERSION # indicates what version of this interface is being # used. 
This document describes version 1.1. This # is upwardly compatible with version 1.0. # # PLUTO_VERB # specifies the name of the operation to be performed # (prepare-host, prepare-client, up-host, up-client, # down-host, or down-client). If the address family # for security gateway to security gateway # communications is IPv6, then a suffix of -v6 is added # to the verb. # # PLUTO_CONNECTION # is the name of the connection for which we are # routing. # # PLUTO_CONN_POLICY # the policy of the connection, as in: # RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD # # PLUTO_NEXT_HOP # is the next hop to which packets bound for the peer # must be sent. # # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_ME # is the IP address of our host. # # PLUTO_MY_CLIENT # is the IP address / count of our client subnet. If # the client is just the host, this will be the # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # # PLUTO_MY_CLIENT_NET # is the IP address of our client net. If the client # is just the host, this will be the host's own IP # address. # # PLUTO_MY_CLIENT_MASK # is the mask for our client net. If the client is # just the host, this will be 255.255.255.255. # # PLUTO_MY_SOURCEIP # if non-empty, then the source address for the route will be # set to this IP address. # # PLUTO_MY_PROTOCOL # is the protocol for this connection. Useful for # firewalling. # # PLUTO_MY_PORT # is the port. Useful for firewalling. # # PLUTO_PEER # is the IP address of our peer. # # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub­ # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # # PLUTO_PEER_CLIENT_NET # is the IP address of the peer's client net. If the # client is just the peer, this will be the peer's # own IP address. # # PLUTO_PEER_CLIENT_MASK # is the mask for the peer's client net. 
# If the client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
#   is the protocol set for remote end with port
#   selector.
#
# PLUTO_PEER_PORT
#   is the peer's port. Useful for firewalling.
#
# PLUTO_CONNECTION_TYPE
#
# Import default _updown configs from the /etc/default/pluto_updown file
#
# The following variables can be set in this file:
#
# DEFAULTSOURCE
#   is the default value for PLUTO_MY_SOURCEIP
#
# IPROUTETABLE
#   is the default value for IPROUTETABLE
#
# IPROUTEARGS
#   is the extra argument list for ip route command
#
# IPRULEARGS
#   is the extra argument list for ip rule command
#
# The file is sourced, i.e. executed as shell code in this script's own
# context, and the values it sets are spliced into eval'd ip(8) command
# strings below. Pluto runs as root in this barf (see the ps section), so
# the file must be writable by root only and must contain plain ip(8)
# arguments, nothing that the shell would interpret.
if [ -f /etc/default/pluto_updown ]
then
  . /etc/default/pluto_updown
fi

# check interface version: refuse to run under a Pluto whose updown
# interface is older (1.0) or unknown, since the variables documented
# above may be missing or mean something else there.
case "$PLUTO_VERSION" in
1.[0])
  # Older Pluto?!? Play it safe, script may be using new features.
  echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
  echo "$0: called by obsolete Pluto?" >&2
  exit 2
  ;;
1.*)
  ;;
*)
  echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
  exit 2
  ;;
esac

# check parameter(s): only an empty argument list, "ipfwadm", or
# "custom ..." is accepted; anything else is a misconfigured
# (left/right)updown line in ipsec.conf.
case "$1:$*" in
':')
  # no parameters
  ;;
ipfwadm:ipfwadm)
  # due to (left/right)firewall; for default script only
  ;;
custom:*)
  # custom parameters (see above CAUTION comment)
  ;;
*)
  echo "$0: unknown parameters \`$*'" >&2
  exit 2
  ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
#
# Every helper below assembles an ip(8) command line in $it and runs it
# with `eval`, so the string is re-parsed by the shell. Its pieces come
# from the PLUTO_* environment (set by pluto), from IPROUTEARGS /
# IPRULEARGS / IPROUTETABLE (from /etc/default/pluto_updown) and from $1
# (the verb). None of them may contain shell metacharacters or whitespace
# beyond ordinary argument separation. PLUTO_PEER_CLIENT reflects the
# negotiated peer subnet; the assumption is that pluto only ever emits
# address/prefix text there -- confirm against pluto before customizing.

# Install the route to the peer's client net, then drop the routing cache.
uproute() {
  doroute add
  ip route flush cache
}

# Remove the route to the peer's client net, then drop the routing cache.
downroute() {
  doroute delete
  ip route flush cache
}

# Bring up the policy-routing rule (only when IPROUTETABLE is set) and the
# virtual source IP (only when PLUTO_MY_SOURCEIP is set).
uprule() {
  # policy based advanced routing
  if [ -n "$IPROUTETABLE" ]
  then
    # delete before add; presumably to avoid stacking duplicate rules
    dorule delete
    dorule add
  fi
  # virtual sourceip support
  if [ -n "$PLUTO_MY_SOURCEIP" ]
  then
    addsource
    rc=$?
    if [ $rc -ne 0 ]; then
      # the address could not be added; fall back to fixing the
      # existing route's source address instead
      changesource
    fi
  fi
  ip route flush cache
}

# Tear down the policy-routing rule; a no-op unless IPROUTETABLE is set.
downrule() {
  if [ -n "$IPROUTETABLE" ]
  then
    dorule delete
    ip route flush cache
  fi
}

# Make PLUTO_MY_SOURCEIP a local address: if the kernel does not already
# report it as local, add it as a /32 alias on the IPsec interface
# (the %:* strips any ":alias" suffix from the interface name).
# Returns the exit status of `ip addr add`, 0 if the address was already
# local or already present on the interface.
addsource() {
  st=0
  # check if given sourceip is local and add as alias if not
  if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
  then
    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
    oops="`eval $it 2>&1`"
    st=$?
    # a non-zero status with no diagnostic still has to be reported
    if test " $oops" = " " -a " $st" != " 0"
    then
      oops="silent error, exit status $st"
    fi
    case "$oops" in
    'RTNETLINK answers: File exists'*)
      # should not happen, but ... ignore if the
      # address was already assigned on interface
      oops=""
      st=0
      ;;
    esac
    if test " $oops" != " " -o " $st" != " 0"
    then
      echo "$0: addsource \`$it' failed ($oops)" >&2
    fi
  fi
  return $st
}

# Change used route source to destination if there is previous
# Route to same PLUTO_PEER_CLIENT. This is basically to fix
# configuration errors where all conns to same destination don't
# have (left/right)sourceip set.
# Returns the exit status of `ip route change`, 0 if no such route
# existed yet.
changesource() {
  st=0
  parms="$PLUTO_PEER_CLIENT dev ${PLUTO_INTERFACE%:*}"
  parms="$parms src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
  if [ -n "$IPROUTETABLE" ]
  then
    parms="$parms table $IPROUTETABLE"
  fi
  it="ip route change $parms"
  case "$PLUTO_PEER_CLIENT" in
  "0.0.0.0/0")
    # opportunistic encryption work around
    # (an empty $it turns the eval below into a no-op)
    it=
    ;;
  esac
  oops="`eval $it 2>&1`"
  st=$?
  if test " $oops" = " " -a " $st" != " 0"
  then
    oops="silent error, exit status $st"
  fi
  case "$oops" in
  'RTNETLINK answers: No such file or directory'*)
    # Will happen every time first tunnel is activated because
    # there is no previous route to PLUTO_PEER_CLIENT. So we
    # need to ignore this error.
    oops=""
    st=0
    ;;
  esac
  if test " $oops" != " " -o " $st" != " 0"
  then
    echo "$0: changesource \`$it' failed ($oops)" >&2
  fi
  return $st
}

# Add or delete ($1) the policy-routing rule(s) that send traffic for the
# peer's client net through table IPROUTETABLE. A second rule ($it2) for
# locally generated traffic (iif lo) is used when PLUTO_MY_SOURCEIP is set
# and differs from the host's own client address. Returns the status of
# the last rule command, treating "No such process" (rule not found) as 0.
dorule() {
  st=0
  it2=
  iprule="from $PLUTO_MY_CLIENT"
  iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
  case "$PLUTO_PEER_CLIENT" in
  "0.0.0.0/0")
    # opportunistic encryption work around
    st=0
    ;;
  *)
    if [ -z "$PLUTO_MY_SOURCEIP" ]
    then
      if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
      then
        it="ip rule $1 iif lo $iprule2"
      else
        it="ip rule $1 $iprule $iprule2"
      fi
    else
      if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
      then
        it="ip rule $1 iif lo $iprule2"
      else
        it="ip rule $1 $iprule $iprule2"
        it2="ip rule $1 iif lo $iprule2"
      fi
    fi
    oops="`eval $it 2>&1`"
    st=$?
    if test " $oops" = " " -a " $st" != " 0"
    then
      oops="silent error, exit status $st"
    fi
    case "$oops" in
    'RTNETLINK answers: No such process'*)
      # This is what ip rule gives
      # for "could not find such a rule"
      oops=
      st=0
      ;;
    esac
    if test " $oops" != " " -o " $st" != " 0"
    then
      echo "$0: dorule \`$it' failed ($oops)" >&2
    fi
    # the loopback rule is only attempted when the first one succeeded
    if test "$st" = "0" -a -n "$it2"
    then
      oops="`eval $it2 2>&1`"
      st=$?
      if test " $oops" = " " -a " $st" != " 0"
      then
        oops="silent error, exit status $st"
      fi
      case "$oops" in
      'RTNETLINK answers: No such process'*)
        # This is what ip rule gives
        # for "could not find such a rule"
        oops=
        st=0
        ;;
      esac
      if test " $oops" != " " -o " $st" != " 0"
      then
        echo "$0: dorule \`$it2' failed ($oops)" >&2
      fi
    fi
    ;;
  esac
  return $st
}

# Add or delete ($1) the route to the peer's client net. For the OE
# catch-all (0.0.0.0/0) two half-default routes are used so the real
# default route is eclipsed rather than replaced. Returns the status of
# the ip route command.
doroute() {
  st=0
  parms="$PLUTO_PEER_CLIENT"
  parms2=
  # only name a gateway when the next hop is not the peer itself
  if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
  then
    parms2="via $PLUTO_NEXT_HOP"
  fi
  parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
  parms3="$IPROUTEARGS"
  if [ -n "$IPROUTETABLE" ]
  then
    parms3="$parms3 table $IPROUTETABLE"
  fi
  # fall back to DEFAULTSOURCE (from /etc/default/pluto_updown) when the
  # connection itself sets no source IP
  if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
  then
    PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
  fi
  # addsource's status is not checked here; a failure has already been
  # reported on stderr by addsource itself
  if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
  then
    addsource
    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
  fi
  case "$PLUTO_PEER_CLIENT" in
  "0.0.0.0/0")
    # opportunistic encryption work around
    # need to provide route that eclipses default, without
    # replacing it.
    # (the && between the two commands is why $it must go through eval)
    it="ip route $1 0.0.0.0/1 $parms2 $parms3 && ip route $1 128.0.0.0/1 $parms2 $parms3"
    ;;
  *)
    it="ip route $1 $parms $parms2 $parms3"
    ;;
  esac
  oops="`eval $it 2>&1`"
  st=$?
  if test " $oops" = " " -a " $st" != " 0"
  then
    oops="silent error, exit status $st"
  fi
  if test " $oops" != " " -o " $st" != " 0"
  then
    echo "$0: doroute \`$it' failed ($oops)" >&2
  fi
  return $st
}

# the big choice: dispatch on the verb pluto passed and on this script's
# own argument
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
  # delete possibly-existing route (preliminary to adding a route)
  case "$PLUTO_PEER_CLIENT" in
  "0.0.0.0/0")
    # need to provide route that eclipses default, without
    # replacing it.
    # NOTE(review): unlike the generic arm below (and doroute), this
    # branch never appends "table $IPROUTETABLE", so with IPROUTETABLE
    # set the half-routes are deleted from the main table -- confirm
    # whether that is intended.
    parms1="0.0.0.0/1"
    parms2="128.0.0.0/1"
    it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
    oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
    ;;
  *)
    parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
    if [ -n "$IPROUTETABLE" ]
    then
      parms="$parms table $IPROUTETABLE"
    fi
    it="ip route delete $parms 2>&1"
    oops="`ip route delete $parms 2>&1`"
    ;;
  esac
  # $? is whatever the chosen arm left behind: an assignment from a
  # command substitution carries the substitution's status, i.e. that
  # of the (last) ip route delete
  status="$?"
  if test " $oops" = " " -a " $status" != " 0"
  then
    oops="silent error, exit status $status"
  fi
  case "$oops" in
  *'RTNETLINK answers: No such process'*)
    # This is what route (currently -- not documented!) gives
    # for "could not find such a route".
    oops=
    status=0
    ;;
  esac
  if test " $oops" != " " -o " $status" != " 0"
  then
    echo "$0: \`$it' failed ($oops)" >&2
  fi
  exit $status
  ;;
route-host:*|route-client:*)
  # connection to me or my client subnet being routed
  uproute
  ;;
unroute-host:*|unroute-client:*)
  # connection to me or my client subnet being unrouted
  downroute
  ;;
up-host:*)
  # connection to me coming up
  uprule
  # If you are doing a custom version, firewall commands go here.
  ;;
down-host:*)
  # connection to me going down
  downrule
  # If you are doing a custom version, firewall commands go here.
  ;;
up-client:)
  # connection to my client subnet coming up
  uprule
  # If you are doing a custom version, firewall commands go here.
  ;;
down-client:)
  # connection to my client subnet going down
  downrule
  # If you are doing a custom version, firewall commands go here.
  ;;
up-client:ipfwadm)
  # connection to client subnet, with (left/right)firewall=yes, coming up
  uprule
  # This is used only by the default updown script, not by your custom
  # ones, so do not mess with it; see CAUTION comment up at top.
  # The expansions are unquoted; the PLUTO_* net/mask values are assumed
  # to be plain dotted quads with no whitespace.
  ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
  ;;
down-client:ipfwadm)
  # connection to client subnet, with (left/right)firewall=yes, going down
  downrule
  # This is used only by the default updown script, not by your custom
  # ones, so do not mess with it; see CAUTION comment up at top.
  ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
  ;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
  ;;
route-host-v6:*|route-client-v6:*)
  # connection to me or my client subnet being routed
  #uproute_v6
  ;;
unroute-host-v6:*|unroute-client-v6:*)
  # connection to me or my client subnet being unrouted
  #downroute_v6
  ;;
up-host-v6:*)
  # connection to me coming up
  # If you are doing a custom version, firewall commands go here.
  ;;
down-host-v6:*)
  # connection to me going down
  # If you are doing a custom version, firewall commands go here.
  ;;
up-client-v6:)
  # connection to my client subnet coming up
  # If you are doing a custom version, firewall commands go here.
  ;;
down-client-v6:)
  # connection to my client subnet going down
  # If you are doing a custom version, firewall commands go here.
  ;;
*)
  echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
  exit 1
  ;;
esac
+ cat /usr/lib/ipsec/_updown_x509
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
#
# are there port numbers?
# Port selectors for the iptables rules further down.  A port of 0 leaves
# the selector empty (no --sport/--dport, so any port matches); any other
# value becomes a --sport/--dport pair, picked by which end of the rule the
# address sits on.
case "$PLUTO_MY_PORT" in
0)
	;;
*)
	S_MY_PORT="--sport $PLUTO_MY_PORT"
	D_MY_PORT="--dport $PLUTO_MY_PORT"
	;;
esac
case "$PLUTO_PEER_PORT" in
0)
	;;
*)
	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
	;;
esac

# CAUTION: Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.

# Byte-wise, locale-independent behaviour for every tool this script runs.
export LC_ALL=C

# things that this script gets (from ipsec_pluto(8) man page)
#
#
# PLUTO_VERSION
#	indicates what version of this interface is being
#	used.  This document describes version 1.1.  This
#	is upwardly compatible with version 1.0.
#
# PLUTO_VERB
#	specifies the name of the operation to be performed
#	(prepare-host, prepare-client, up-host, up-client,
#	down-host, or down-client).  If the address family
#	for security gateway to security gateway communications
#	is IPv6, then a suffix of -v6 is added to the verb.
#
# PLUTO_CONNECTION
#	is the name of the connection for which we are
#	routing.
#
# PLUTO_CONN_POLICY
#	the policy of the connection, as in:
#	RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
# PLUTO_NEXT_HOP
#	is the next hop to which packets bound for the peer
#	must be sent.
#
# PLUTO_INTERFACE
#	is the name of the ipsec interface to be used.
#
# PLUTO_ME
#	is the IP address of our host.
#
# PLUTO_MY_CLIENT
#	is the IP address / count of our client subnet.  If
#	the client is just the host, this will be the
#	host's own IP address / max (where max is 32 for
#	IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
#	is the IP address of our client net.  If the client
#	is just the host, this will be the host's own IP
#	address.
#
# PLUTO_MY_CLIENT_MASK
#	is the mask for our client net.  If the client is
#	just the host, this will be 255.255.255.255.
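#
# PLUTO_MY_SOURCEIP
#	if non-empty, then the source address for the route will be
#	set to this IP address.
#
# PLUTO_MY_PROTOCOL
#	is the protocol for this connection.  Useful for
#	firewalling.
#
# PLUTO_MY_PORT
#	is the port.  Useful for firewalling.
#
# PLUTO_PEER
#	is the IP address of our peer.
#
# PLUTO_PEER_CLIENT
#	is the IP address / count of the peer's client subnet.
#	If the client is just the peer, this will be the peer's
#	own IP address / max (where max is 32 for IPv4 and 128
#	for IPv6).
#
# PLUTO_PEER_CLIENT_NET
#	is the IP address of the peer's client net.  If the
#	client is just the peer, this will be the peer's
#	own IP address.
#
# PLUTO_PEER_CLIENT_MASK
#	is the mask for the peer's client net.  If the
#	client is just the peer, this will be
#	255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
#	is the protocol set for remote end with port
#	selector.
#
# PLUTO_PEER_PORT
#	is the peer's port.  Useful for firewalling.
#
# PLUTO_CONNECTION_TYPE
#
# PLUTO_PEER_ID
#	is not in the list above but is used by the logging below;
#	presumably the identity the remote peer presented during IKE.
#	It is chosen by the other side, so it is logged verbatim and
#	never interpreted.
#
# Import default _updown configs from the /etc/default/pluto_updown file
#
# The following variables can be set in this file:
#
# DEFAULTSOURCE
#	is the default value for PLUTO_MY_SOURCEIP
#
# IPROUTETABLE
#	is the default value for IPROUTETABLE
#
# IPROUTEARGS
#	is the extra argument list for ip route command
#
# IPRULEARGS
#	is the extra argument list for ip rule command
#
# Everything defined there ends up on ip route / ip rule command lines
# that are run through eval, so the file must be writable by root only.
if [ -f /etc/default/pluto_updown ]
then
	. /etc/default/pluto_updown
fi

# check interface version
case "$PLUTO_VERSION" in
1.[0])
	# Older Pluto?!?  Play it safe, script may be using new features.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: called by obsolete Pluto?" >&2
	exit 2
	;;
1.*)
	;;
*)
	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac

# check parameter(s)
case "$1:$*" in
':')
	# no parameters
	;;
ipfwadm:ipfwadm)
	# due to (left/right)firewall; for default script only
	;;
custom:*)
	# custom parameters (see above CAUTION comment)
	;;
*)
	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.

# Report a failed ip(8) invocation on stderr.  $1 is the label to print
# (caller name plus the command line); the globals "oops" (captured output)
# and "st" (exit status) say what happened.  A non-zero status with no
# output gets a synthetic message so a failure is never silent.
report_failure() {
	if [ -z "$oops" ] && [ "$st" != 0 ]
	then
		oops="silent error, exit status $st"
	fi
	if [ -n "$oops" ] || [ "$st" != 0 ]
	then
		echo "$0: $1 failed ($oops)" >&2
	fi
}

# Install the route to the peer's client subnet (see doroute).
uproute() {
	doroute add
	ip route flush cache
}

# Remove the route to the peer's client subnet (see doroute).
downroute() {
	doroute delete
	ip route flush cache
}

# Called on up-*: re-install the policy routing rule when IPROUTETABLE is
# configured, and add/apply the virtual source IP when PLUTO_MY_SOURCEIP
# is set.  The helpers report their own failures; none aborts the verb.
uprule() {
	# policy based advanced routing
	if [ -n "$IPROUTETABLE" ]
	then
		dorule delete
		dorule add
	fi
	# virtual sourceip support
	if [ -n "$PLUTO_MY_SOURCEIP" ]
	then
		addsource
		changesource
	fi
	ip route flush cache
}

# Called on down-*: drop the policy routing rule added by uprule.
downrule() {
	if [ -n "$IPROUTETABLE" ]
	then
		dorule delete
		ip route flush cache
	fi
}

# Add PLUTO_MY_SOURCEIP as a /32 on the IPsec interface unless the kernel
# already treats it as a local address.  Leaves the status in st and
# returns it.
addsource() {
	st=0
	if ! ip -o route get "${PLUTO_MY_SOURCEIP%/*}" | grep -q '^local'
	then
		it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
		oops="`eval $it 2>&1`"
		st=$?
		report_failure "addsource \`$it'"
	fi
	return $st
}

# Point the route to the peer's client subnet at the virtual source IP.
# Leaves the status in st and returns it.
changesource() {
	st=0
	parms="$PLUTO_PEER_CLIENT"
	parms2="dev ${PLUTO_INTERFACE%:*}"
	parms3="src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
	if [ -n "$IPROUTETABLE" ]
	then
		parms3="$parms3 table '$IPROUTETABLE'"
	fi
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# opportunistic encryption work around
		it=
		;;
	*)
		# NOTE(review): the copy found on this host had no default arm
		# here, so "it" still held whatever the previous helper left in
		# it (addsource's "ip addr add") and that was run again instead
		# of a route change.  The parameters above are built for
		# "ip route change"; confirm against the upstream _updown.
		it="ip route change $parms $parms2 $parms3"
		;;
	esac
	oops="`eval $it 2>&1`"
	st=$?
	report_failure "changesource \`$it'"
	return $st
}

# Run one "ip rule" command line ($1) and report failure on stderr.
# Deleting a rule that does not exist ("No such process") is not an error.
# Leaves the status in st.
run_rule() {
	oops="`eval $1 2>&1`"
	st=$?
	case "$oops" in
	'RTNETLINK answers: No such process'*)
		# This is what ip rule gives
		# for "could not find such a rule"
		oops=
		st=0
		;;
	esac
	report_failure "dorule \`$1'"
}

# Add or delete ($1) the policy routing rule(s) that send traffic from our
# client subnet to the peer's client subnet through IPROUTETABLE.  Locally
# generated traffic (iif lo) gets its own rule when the source address is
# our own.  Leaves the status in st and returns it.
dorule() {
	st=0
	it2=
	iprule="from $PLUTO_MY_CLIENT"
	iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# opportunistic encryption work around
		st=0
		;;
	*)
		if [ -z "$PLUTO_MY_SOURCEIP" ]
		then
			if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
			then
				it="ip rule $1 iif lo $iprule2"
			else
				it="ip rule $1 $iprule $iprule2"
			fi
		else
			if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
			then
				it="ip rule $1 iif lo $iprule2"
			else
				it="ip rule $1 $iprule $iprule2"
				it2="ip rule $1 iif lo $iprule2"
			fi
		fi
		run_rule "$it"
		if [ "$st" = 0 ] && [ -n "$it2" ]
		then
			run_rule "$it2"
		fi
		;;
	esac
	return $st
}

# Add or delete ($1) the route to the peer's client subnet via the IPsec
# interface (through PLUTO_NEXT_HOP when that differs from the peer).  On
# add, a virtual source IP (PLUTO_MY_SOURCEIP, defaulting to DEFAULTSOURCE)
# is installed with addsource and used as the route's src.  For an
# opportunistic 0.0.0.0/0 client, two /1 routes eclipse the existing
# default route instead of replacing it.  Leaves the status in st and
# returns it.
doroute() {
	st=0
	parms="$PLUTO_PEER_CLIENT"
	parms2=
	if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
	then
		parms2="via $PLUTO_NEXT_HOP"
	fi
	parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
	parms3="$IPROUTEARGS"
	if [ -n "$IPROUTETABLE" ]
	then
		parms3="$parms3 table $IPROUTETABLE"
	fi
	if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
	then
		PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
	fi
	if [ "$1" = "add" ] && [ -n "$PLUTO_MY_SOURCEIP" ]
	then
		addsource
		parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
	fi
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# opportunistic encryption work around
		# need to provide route that eclipses default, without
		# replacing it.
		it="ip route $1 0.0.0.0/1 $parms2 $parms3 && ip route $1 128.0.0.0/1 $parms2 $parms3"
		;;
	*)
		it="ip route $1 $parms $parms2 $parms3"
		;;
	esac
	oops="`eval $it 2>&1`"
	st=$?
	report_failure "doroute \`$it'"
	return $st
}

# Write one line about a connection to syslog (TAG and FAC_PRIO are set at
# the top of this script).  $1 is "+" for a connection coming up, "-" for
# one going down; $2, when given, is our client subnet and is appended.
# PLUTO_PEER_ID is whatever the remote side claimed, so it is placed in the
# message as-is: the old "`echo -e $PLUTO_PEER_ID`" let backslash escapes,
# word splitting and globbing reshape the log line, and "--" keeps logger
# from reading a message starting with "-" as an option.  The comparison
# uses "=" rather than "==": this runs under #!/bin/sh, and where /bin/sh
# is dash the "[" builtin rejects "==", which silently forced the else
# branch.
vpnlog() {
	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	then
		entry="$1 $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	else
		entry="$1 $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	fi
	if [ $# -gt 1 ]
	then
		entry="$entry == $2"
	fi
	logger -t "$TAG" -p "$FAC_PRIO" -- "$entry"
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
	# delete possibly-existing route (preliminary to adding a route)
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# need to provide route that eclipses default, without
		# replacing it.
		parms1="0.0.0.0/1"
		parms2="128.0.0.0/1"
		it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
		oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
		status="$?"
		;;
	*)
		parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
		if [ -n "$IPROUTETABLE" ]
		then
			parms="$parms table $IPROUTETABLE"
		fi
		it="ip route delete $parms 2>&1"
		oops="`ip route delete $parms 2>&1`"
		status="$?"
		;;
	esac
	if [ -z "$oops" ] && [ "$status" != 0 ]
	then
		oops="silent error, exit status $status"
	fi
	case "$oops" in
	*'RTNETLINK answers: No such process'*)
		# This is what route (currently -- not documented!) gives
		# for "could not find such a route".
		oops=
		status=0
		;;
	esac
	if [ -n "$oops" ] || [ "$status" != 0 ]
	then
		echo "$0: \`$it' failed ($oops)" >&2
	fi
	exit "$status"
	;;
route-host:*|route-client:*)
	# connection to me or my client subnet being routed
	uproute
	;;
unroute-host:*|unroute-client:*)
	# connection to me or my client subnet being unrouted
	downroute
	;;
up-host:*)
	# connection to me coming up
	uprule
	# Open the host-to-host path in both directions for this connection.
	# $S_PEER_PORT, $S_MY_PORT, $D_MY_PORT and $D_PEER_PORT stay unquoted
	# on purpose: each is either empty or a two-word "--sport N"/"--dport N".
	iptables -I INPUT 1 -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		-s "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $S_PEER_PORT \
		-d "$PLUTO_ME" $D_MY_PORT -j ACCEPT
	iptables -I OUTPUT 1 -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		-s "$PLUTO_ME" $S_MY_PORT \
		-d "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $D_PEER_PORT -j ACCEPT
	vpnlog +
	;;
down-host:*)
	# connection to me going down
	downrule
	# Remove exactly the rules up-host inserted (same match, -D for -I).
	iptables -D INPUT -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		-s "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $S_PEER_PORT \
		-d "$PLUTO_ME" $D_MY_PORT -j ACCEPT
	iptables -D OUTPUT -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		-s "$PLUTO_ME" $S_MY_PORT \
		-d "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $D_PEER_PORT -j ACCEPT
	vpnlog -
	;;
up-client:)
	# connection to my client subnet coming up
	uprule
	# Open the subnet-to-subnet path through FORWARD in both directions.
	iptables -I FORWARD 1 -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		-s "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" $S_MY_PORT \
		-d "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $D_PEER_PORT -j ACCEPT
	iptables -I FORWARD 1 -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		-s "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $S_PEER_PORT \
		-d "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" $D_MY_PORT -j ACCEPT
	vpnlog + "$PLUTO_MY_CLIENT"
	;;
down-client:)
	# connection to my client subnet going down
	downrule
	# Remove exactly the rules up-client inserted.
	iptables -D FORWARD -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		-s "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" $S_MY_PORT \
		-d "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $D_PEER_PORT -j ACCEPT
	iptables -D FORWARD -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		-s "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" $S_PEER_PORT \
		-d "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" $D_MY_PORT -j ACCEPT
	vpnlog - "$PLUTO_MY_CLIENT"
	;;
up-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	uprule
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -i accept -b -S "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
		-D "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
	;;
down-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, going down
	downrule
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -d accept -b -S "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
		-D "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
	;;
#
# IPv6
#
# Note that the -v6 verbs below install no routes, no iptables rules and
# write no log entry; an IPv6 connection is invisible to this script.
#
prepare-host-v6:*|prepare-client-v6:*)
	;;
route-host-v6:*|route-client-v6:*)
	# connection to me or my client subnet being routed
	#uproute_v6
	;;
unroute-host-v6:*|unroute-client-v6:*)
	# connection to me or my client subnet being unrouted
	#downroute_v6
	;;
up-host-v6:*)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host-v6:*)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client-v6:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client-v6:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
*)
	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac
+ _________________________ /proc/net/dev + + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eth1: 9007 127 0 0 0 0 0 112 492 6 0 0 0 0 0 0 eth0: 3827912 36940 0 0 0 0 0 0 918841 3703 0 0 0 0 0 0 + _________________________ /proc/net/route + + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT eth1 6068E142 00000000 0001 0 0 0 E0FFFFFF0 0 0 eth0 0000A8C0 00000000 0001 0 0 0 00FFFFFF0 0 0 eth0 00000000 0A00A8C0 0003 0 0 100 000000000 0 0 + _________________________ /proc/sys/net/ipv4/ip_forward + + cat /proc/sys/net/ipv4/ip_forward 1 + _________________________ /proc/sys/net/ipv4/tcp_ecn + + cat /proc/sys/net/ipv4/tcp_ecn 0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + + cd /proc/sys/net/ipv4/conf + egrep ^ all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:0 eth0/rp_filter:0 eth1/rp_filter:0 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + + cd /proc/sys/net/ipv4/conf + egrep ^ all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:0 eth0/rp_filter:0 eth1/rp_filter:0 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects + + cd /proc/sys/net/ipv4/conf + egrep ^ all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects 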
eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects all/accept_redirects:0 all/secure_redirects:1 all/send_redirects:0 default/accept_redirects:0 default/secure_redirects:1 default/send_redirects:0 eth0/accept_redirects:0 eth0/secure_redirects:1 eth0/send_redirects:0 eth1/accept_redirects:0 eth1/secure_redirects:1 eth1/send_redirects:0 lo/accept_redirects:0 lo/secure_redirects:1 lo/send_redirects:0 + _________________________ /proc/sys/net/ipv4/tcp_window_scaling + + cat /proc/sys/net/ipv4/tcp_window_scaling 1 + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale + + cat /proc/sys/net/ipv4/tcp_adv_win_scale 2 + _________________________ uname-a + + uname -a Linux gatekeeper.mycompany.com 2.6.22-14-server #1 SMP Tue Feb 12 08:27:05 UTC 2008 i686 GNU/Linux + _________________________ config-built-with + + test -r /proc/config_built_with + _________________________ distro-release + + test -f /etc/redhat-release + test -f /etc/debian-release + test -f /etc/SuSE-release + test -f /etc/mandrake-release + test -f /etc/mandriva-release + test -f /etc/gentoo-release + _________________________ /proc/net/ipsec_version + + test -r /proc/net/ipsec_version + test -r /proc/net/pfkey + uname -r + echo NETKEY (2.6.22-14-server) support detected NETKEY (2.6.22-14-server) support detected + _________________________ ipfwadm + + test -r /sbin/ipfwadm + no old-style linux 1.x/2.0 ipfwadm firewall support /usr/lib/ipsec/barf: 1: no old-style linux 1.x/2.0 ipfwadm firewall support: not found + _________________________ ipchains + + test -r /sbin/ipchains + echo no old-style linux 2.0 ipchains firewall support no old-style linux 2.0 ipchains firewall support + _________________________ iptables + + test -r /sbin/iptables + iptables -L -v -n Chain INPUT (policy ACCEPT 12305 packets, 1940K bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 
bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 3575 packets, 867K bytes) pkts bytes target prot opt in out source destination + _________________________ iptables-nat + + iptables -t nat -L -v -n Chain PREROUTING (policy ACCEPT 3360 packets, 570K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 140 packets, 11067 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 140 packets, 11067 bytes) pkts bytes target prot opt in out source destination + _________________________ iptables-mangle + + iptables -t mangle -L -v -n Chain PREROUTING (policy ACCEPT 12331 packets, 1942K bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 12240 packets, 1930K bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 3566 packets, 865K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 3566 packets, 865K bytes) pkts bytes target prot opt in out source destination + _________________________ /proc/modules + + test -f /proc/modules + cat /proc/modules iptable_mangle 3840 0 - Live 0xf8c02000 iptable_nat 8708 0 - Live 0xf8a3f000 nf_nat 20012 1 iptable_nat, Live 0xf8c06000 nf_conntrack_ipv4 19724 2 iptable_nat, Live 0xf8be7000 nf_conntrack 65160 3 iptable_nat,nf_nat,nf_conntrack_ipv4, Live 0xf8dce000 nfnetlink 6936 3 nf_nat,nf_conntrack_ipv4,nf_conntrack, Live 0xf8be4000 iptable_filter 3968 0 - Live 0xf8afe000 ip_tables 13924 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xf8bfa000 x_tables 16260 2 iptable_nat,ip_tables, Live 0xf8bf5000 xfrm_user 26368 2 - Live 0xf8bed000 xfrm4_tunnel 3712 0 - Live 0xf8a2e000 tunnel4 4616 1 xfrm4_tunnel, Live 0xf8be1000 ipcomp 8968 0 - Live 0xf8bdd000 esp4 8960 0 - Live 0xf8bd9000 ah4 7424 0 - Live 0xf8bce000 deflate 4864 0 - 
Live 0xf8bcb000 zlib_deflate 20632 1 deflate, Live 0xf8bd2000 twofish 9600 0 - Live 0xf8bc7000 twofish_common 39552 1 twofish, Live 0xf8ad2000 camellia 32000 0 - Live 0xf8af5000 serpent 19072 0 - Live 0xf8aef000 blowfish 9472 0 - Live 0xf8a7c000 des 17664 0 - Live 0xf8ae9000 cbc 5504 0 - Live 0xf8a79000 ecb 4608 0 - Live 0xf8a55000 blkcipher 7556 2 cbc,ecb, Live 0xf8a43000 aes 28608 0 - Live 0xf8ac1000 xcbc 7176 0 - Live 0xf89bd000 sha256 12032 0 - Live 0xf8a51000 sha1 3584 0 - Live 0xf8a03000 crypto_null 3584 0 - Live 0xf8854000 af_key 37904 0 - Live 0xf8ade000 sbp2 24584 0 - Live 0xf8aca000 lp 12452 0 - Live 0xf8a4c000 loop 19076 0 - Live 0xf8a46000 snd_hda_intel 263712 0 - Live 0xf8c1c000 snd_pcm_oss 44544 0 - Live 0xf8a6d000 snd_mixer_oss 17664 1 snd_pcm_oss, Live 0xf8a1b000 snd_pcm 80388 2 snd_hda_intel,snd_pcm_oss, Live 0xf8a58000 snd_seq_dummy 4740 0 - Live 0xf8a29000 snd_seq_oss 33152 0 - Live 0xf8a35000 iTCO_wdt 11940 0 - Live 0xf8884000 iTCO_vendor_support 4868 1 iTCO_wdt, Live 0xf8a18000 snd_seq_midi 9600 0 - Live 0xf8a10000 snd_rawmidi 25728 1 snd_seq_midi, Live 0xf8a21000 serio_raw 8068 0 - Live 0xf8920000 snd_seq_midi_event 8448 2 snd_seq_oss,snd_seq_midi, Live 0xf8a14000 parport_pc 37668 1 - Live 0xf89f8000 parport 37448 2 lp,parport_pc, Live 0xf8a05000 ipv6 278916 24 - Live 0xf8b81000 psmouse 39952 0 - Live 0xf89a7000 intel_agp 25620 1 - Live 0xf89f0000 agpgart 35144 1 intel_agp, Live 0xf89b3000 snd_seq 53104 6 snd_seq_dummy,snd_seq_oss,snd_seq_midi,snd_seq_midi_event, Live 0xf89e2000 pcspkr 4224 0 - Live 0xf8978000 snd_timer 24324 2 snd_pcm,snd_seq, Live 0xf8981000 snd_seq_device 9228 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi,snd_rawmidi,snd_seq, Live 0xf8974000 evdev 11136 0 - Live 0xf8951000 snd 54532 9 snd_hda_intel,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_seq_oss,snd_rawmidi,snd_seq,snd_timer,snd_seq_device, Live 0xf8998000 soundcore 8800 1 snd, Live 0xf894d000 snd_page_alloc 11528 2 snd_hda_intel,snd_pcm, Live 0xf8949000 ext3 133640 1 - Live 
0xf89c0000 jbd 60456 1 ext3, Live 0xf8988000 mbcache 9732 1 ext3, Live 0xf891c000 sg 36380 0 - Live 0xf896a000 sd_mod 30336 3 - Live 0xf8961000 sr_mod 17700 0 - Live 0xf8929000 cdrom 37408 1 sr_mod, Live 0xf8956000 ata_piix 17540 2 - Live 0xf8923000 floppy 59876 0 - Live 0xf88c1000 ata_generic 8580 0 - Live 0xf88bd000 ohci1394 36784 0 - Live 0xf8912000 ieee1394 96312 2 sbp2,ohci1394, Live 0xf8930000 e100 37772 0 - Live 0xf8907000 mii 6656 1 e100, Live 0xf88ac000 skge 43280 0 - Live 0xf88fb000 ehci_hcd 36748 0 - Live 0xf88f1000 uhci_hcd 26640 0 - Live 0xf88b5000 libata 125296 2 ata_piix,ata_generic, Live 0xf88d1000 scsi_mod 146828 5 sbp2,sg,sd_mod,sr_mod,libata, Live 0xf885f000 usbcore 138760 3 ehci_hcd,uhci_hcd, Live 0xf8889000 thermal 14344 0 - Live 0xf885a000 processor 32072 1 thermal, Live 0xf884b000 fan 5764 0 - Live 0xf883d000 fuse 47124 1 - Live 0xf8824000 apparmor 40600 0 - Live 0xf8832000 commoncap 8320 1 apparmor, Live 0xf8820000 + _________________________ /proc/meminfo + + cat /proc/meminfo MemTotal: 1027420 kB MemFree: 957016 kB Buffers: 10668 kB Cached: 24932 kB SwapCached: 0 kB Active: 27572 kB Inactive: 21112 kB HighTotal: 122816 kB HighFree: 79392 kB LowTotal: 904604 kB LowFree: 877624 kB SwapTotal: 3004112 kB SwapFree: 3004112 kB Dirty: 196 kB Writeback: 0 kB AnonPages: 13092 kB Mapped: 5652 kB Slab: 10636 kB SReclaimable: 3580 kB SUnreclaim: 7056 kB PageTables: 504 kB NFS_Unstable: 0 kB Bounce: 0 kB CommitLimit: 3517820 kB Committed_AS: 23968 kB VmallocTotal: 118776 kB VmallocUsed: 5952 kB VmallocChunk: 112696 kB + _________________________ /proc/net/ipsec-ls + + test -f /proc/net/ipsec_version + _________________________ usr/src/linux/.config + + test -f /proc/config.gz + uname -r + test -f /lib/modules/2.6.22-14-server/build/.config + echo no .config file found, cannot list kernel properties no .config file found, cannot list kernel properties + _________________________ etc/syslog.conf + + cat /etc/syslog.conf # /etc/syslog.conf Configuration 
file for syslogd. # # For more information see syslog.conf(5) # manpage. # # First some standard logfiles. Log by facility. # auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog #cron.* /var/log/cron.log daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log user.* -/var/log/user.log # # Logging for the mail system. Split it up so that # it is easy to write scripts to parse these files. # mail.info -/var/log/mail.info mail.warn -/var/log/mail.warn mail.err /var/log/mail.err # Logging for INN news system # news.crit /var/log/news/news.crit news.err /var/log/news/news.err news.notice -/var/log/news/news.notice # # Some `catch-all' logfiles. # *.=debug;\ auth,authpriv.none;\ news.none;mail.none -/var/log/debug *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -/var/log/messages # # Emergencies are sent to everybody logged in. # *.emerg * # # I like to have messages displayed on the console, but only on a virtual # console I usually leave idle. # #daemon,mail.*;\ # news.=crit;news.=err;news.=notice;\ # *.=debug;*.=info;\ # *.=notice;*.=warn /dev/tty8 # The named pipe /dev/xconsole is for the `xconsole' utility. To use it, # you must invoke `xconsole' with the `-file' option: # # $ xconsole -file /dev/xconsole [...] # # NOTE: adjust the list below, or you'll go crazy if you have a reasonably # busy site.. 
# daemon.*;mail.*;\ news.err;\ *.=debug;*.=info;\ *.=notice;*.=warn |/dev/xconsole + _________________________ etc/syslog-ng/syslog-ng.conf + + cat /etc/syslog-ng/syslog-ng.conf cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory + _________________________ etc/resolv.conf + + cat /etc/resolv.conf nameserver 192.168.0.45 nameserver 192.168.0.47 + _________________________ lib/modules-ls + + ls -ltr /lib/modules total 4 drwxr-xr-x 5 root root 4096 Mar 13 20:01 2.6.22-14-server + _________________________ /proc/ksyms-netif_rx + + test -r /proc/ksyms + test -r /proc/kallsyms + egrep netif_rx /proc/kallsyms c0286b00 T __netif_rx_schedule c0288220 T netif_rx c0288470 T netif_rx_ni c03a4364 r __ksymtab_netif_rx c03a4444 r __ksymtab_netif_rx_ni c03a4474 r __ksymtab___netif_rx_schedule c03a8408 r __kcrctab_netif_rx c03a8478 r __kcrctab_netif_rx_ni c03a8490 r __kcrctab___netif_rx_schedule c03b3d0f r __kstrtab_netif_rx c03b3ed7 r __kstrtab_netif_rx_ni c03b3f42 r __kstrtab___netif_rx_schedule c0288220 u netif_rx [ipv6] c0286b00 u __netif_rx_schedule [e100] c0286b00 u __netif_rx_schedule [skge] + _________________________ lib/modules-netif_rx + + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.6.22-14-server: + _________________________ kern.debug + + test -f /var/log/kern.debug + _________________________ klog + + sed -n 825,$p /var/log/syslog + egrep -i ipsec|klips|pluto + cat Mar 14 08:46:34 gatekeeper ipsec_setup: Starting Openswan IPsec 2.4.6... Mar 14 08:46:34 gatekeeper ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/key/af_key.ko Mar 14 08:46:34 gatekeeper ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/ipv4/xfrm4_tunnel.ko Mar 14 08:46:34 gatekeeper ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/xfrm/xfrm_user.ko Mar 14 09:28:13 gatekeeper ipsec_setup: ...Openswan IPsec stopped Mar 14 09:28:13 gatekeeper ipsec_setup: Stopping Openswan IPsec... 
Mar 14 09:34:07 gatekeeper ipsec_setup: ...Openswan IPsec stopped Mar 14 09:34:07 gatekeeper ipsec_setup: Stopping Openswan IPsec... Mar 14 12:08:44 gatekeeper ipsec_setup: ...Openswan IPsec stopped Mar 14 12:08:44 gatekeeper ipsec_setup: Stopping Openswan IPsec... Mar 14 12:37:49 gatekeeper ipsec_setup: ...Openswan IPsec stopped Mar 14 12:37:49 gatekeeper ipsec_setup: Stopping Openswan IPsec... + _________________________ plog + + sed -n 237,$p /var/log/auth.log + egrep -i pluto + cat Mar 14 08:46:34 gatekeeper ipsec__plutorun: Starting Pluto subsystem... Mar 14 08:46:34 gatekeeper pluto[5190]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD) Mar 14 08:46:34 gatekeeper pluto[5190]: Setting NAT-Traversal port-4500 floating to off Mar 14 08:46:34 gatekeeper pluto[5190]: port floating activation criteria nat_t=0/port_fload=1 Mar 14 08:46:34 gatekeeper pluto[5190]: including NAT-Traversal patch (Version 0.6c) [disabled] Mar 14 08:46:34 gatekeeper pluto[5190]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random Mar 14 08:46:34 gatekeeper pluto[5190]: WARNING: Using /dev/urandom as the source of random Mar 14 08:46:34 gatekeeper pluto[5190]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) Mar 14 08:46:34 gatekeeper pluto[5190]: starting up 1 cryptographic helpers Mar 14 08:46:34 gatekeeper pluto[5197]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random Mar 14 08:46:34 gatekeeper pluto[5197]: WARNING: Using /dev/urandom as the source of random Mar 14 08:46:34 gatekeeper pluto[5190]: started helper pid=5197 (fd:6) Mar 14 08:46:34 gatekeeper pluto[5190]: Using Linux 2.6 IPsec interface code on 2.6.22-14-server Mar 14 08:46:34 gatekeeper pluto[5190]: Changing to directory '/etc/ipsec.d/cacerts' Mar 14 08:46:34 gatekeeper pluto[5190]: Changing to directory '/etc/ipsec.d/aacerts' Mar 14 08:46:34 gatekeeper 
pluto[5190]: Changing to directory '/etc/ipsec.d/ocspcerts' Mar 14 08:46:34 gatekeeper pluto[5190]: Changing to directory '/etc/ipsec.d/crls' Mar 14 08:46:34 gatekeeper pluto[5190]: Warning: empty directory Mar 14 08:46:34 gatekeeper pluto[5190]: added connection description "pax_square" Mar 14 08:46:34 gatekeeper pluto[5190]: listening for IKE messages Mar 14 08:46:34 gatekeeper pluto[5190]: adding interface eth1/eth1 66.225.y.y:500 Mar 14 08:46:34 gatekeeper pluto[5190]: adding interface eth0/eth0 192.168.0.20:500 Mar 14 08:46:34 gatekeeper pluto[5190]: adding interface lo/lo 127.0.0.1:500 Mar 14 08:46:34 gatekeeper pluto[5190]: adding interface lo/lo ::1:500 Mar 14 08:46:34 gatekeeper pluto[5190]: loading secrets from "/etc/ipsec.secrets" Mar 14 08:46:52 gatekeeper pluto[5190]: "pax_square": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE) Mar 14 08:47:17 gatekeeper pluto[5190]: "pax_square": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE) Mar 14 08:48:19 gatekeeper pluto[5190]: attempt to redefine connection "pax_square" Mar 14 08:48:45 gatekeeper pluto[5190]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 08:48:45 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 08:48:45 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 08:48:45 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 08:48:45 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 08:48:45 gatekeeper pluto[5190]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 08:48:45 gatekeeper pluto[5190]: "pax_square"[1] 
66.225.w.w #1: responding to Main Mode from unknown peer 66.225.w.w Mar 14 08:48:45 gatekeeper pluto[5190]: "pax_square"[1] 66.225.w.w #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 08:48:45 gatekeeper pluto[5190]: "pax_square"[1] 66.225.w.w #1: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 08:48:55 gatekeeper pluto[5190]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 08:48:55 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 08:48:55 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 08:48:55 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 08:48:55 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 08:48:55 gatekeeper pluto[5190]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 08:48:55 gatekeeper pluto[5190]: "pax_square"[1] 66.225.w.w #2: responding to Main Mode from unknown peer 66.225.w.w Mar 14 08:48:55 gatekeeper pluto[5190]: "pax_square"[1] 66.225.w.w #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 08:48:55 gatekeeper pluto[5190]: "pax_square"[1] 66.225.w.w #2: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 08:49:15 gatekeeper pluto[5190]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 08:49:15 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 08:49:15 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 08:49:15 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 08:49:15 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 08:49:15 gatekeeper pluto[5190]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 08:49:15 gatekeeper pluto[5190]: "pax_square"[1] 66.225.w.w #3: responding to Main Mode from unknown peer 66.225.w.w Mar 14 08:49:15 gatekeeper pluto[5190]: "pax_square"[1] 66.225.w.w #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 08:49:15 gatekeeper pluto[5190]: "pax_square"[1] 66.225.w.w #3: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 08:49:55 gatekeeper pluto[5190]: "pax_square"[1] 66.225.w.w #1: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 08:50:05 gatekeeper pluto[5190]: "pax_square"[1] 66.225.w.w #2: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 08:50:25 gatekeeper pluto[5190]: "pax_square"[1] 66.225.w.w #3: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 08:50:25 gatekeeper pluto[5190]: "pax_square"[1] 66.225.w.w: deleting connection "pax_square" instance with peer 66.225.w.w {isakmp=#0/ipsec=#0} Mar 14 09:16:29 gatekeeper pluto[5190]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 09:16:29 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 09:16:29 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 09:16:29 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 09:16:29 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 09:16:29 gatekeeper 
pluto[5190]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 09:16:29 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w #4: responding to Main Mode from unknown peer 66.225.w.w Mar 14 09:16:29 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 09:16:29 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w #4: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 09:16:38 gatekeeper pluto[5190]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 09:16:38 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 09:16:38 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 09:16:38 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 09:16:38 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 09:16:38 gatekeeper pluto[5190]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 09:16:38 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w #5: responding to Main Mode from unknown peer 66.225.w.w Mar 14 09:16:38 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 09:16:38 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w #5: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 09:16:59 gatekeeper pluto[5190]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 09:16:59 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 09:16:59 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor 
ID payload [RFC 3947] meth=110, but port floating is off Mar 14 09:16:59 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 09:16:59 gatekeeper pluto[5190]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 09:16:59 gatekeeper pluto[5190]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 09:16:59 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w #6: responding to Main Mode from unknown peer 66.225.w.w Mar 14 09:16:59 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 09:16:59 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w #6: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 09:17:39 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w #4: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 09:17:48 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w #5: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 09:18:09 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w #6: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 09:18:09 gatekeeper pluto[5190]: "pax_square"[2] 66.225.w.w: deleting connection "pax_square" instance with peer 66.225.w.w {isakmp=#0/ipsec=#0} Mar 14 09:28:12 gatekeeper pluto[5190]: shutting down Mar 14 09:28:12 gatekeeper pluto[5190]: forgetting secrets Mar 14 09:28:12 gatekeeper pluto[5190]: "pax_square": deleting connection Mar 14 09:28:12 gatekeeper pluto[5190]: shutting down interface lo/lo ::1:500 Mar 14 09:28:12 gatekeeper pluto[5190]: shutting down interface lo/lo 127.0.0.1:500 Mar 14 09:28:12 gatekeeper pluto[5190]: shutting down interface eth0/eth0 192.168.0.20:500 Mar 14 09:28:12 gatekeeper pluto[5190]: shutting down interface eth1/eth1 66.225.y.y:500 Mar 14 09:32:39 gatekeeper pluto[4210]: packet from 
66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 09:32:39 gatekeeper pluto[4210]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 09:32:39 gatekeeper pluto[4210]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 09:32:39 gatekeeper pluto[4210]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 09:32:39 gatekeeper pluto[4210]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 09:32:39 gatekeeper pluto[4210]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 09:32:39 gatekeeper pluto[4210]: "pax_square"[1] 66.225.w.w #1: responding to Main Mode from unknown peer 66.225.w.w Mar 14 09:32:39 gatekeeper pluto[4210]: "pax_square"[1] 66.225.w.w #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 09:32:39 gatekeeper pluto[4210]: "pax_square"[1] 66.225.w.w #1: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 09:32:49 gatekeeper pluto[4210]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 09:32:49 gatekeeper pluto[4210]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 09:32:49 gatekeeper pluto[4210]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 09:32:49 gatekeeper pluto[4210]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 09:32:49 gatekeeper pluto[4210]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 09:32:49 gatekeeper pluto[4210]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 
09:32:49 gatekeeper pluto[4210]: "pax_square"[1] 66.225.w.w #2: responding to Main Mode from unknown peer 66.225.w.w Mar 14 09:32:49 gatekeeper pluto[4210]: "pax_square"[1] 66.225.w.w #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 09:32:49 gatekeeper pluto[4210]: "pax_square"[1] 66.225.w.w #2: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 09:33:09 gatekeeper pluto[4210]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 09:33:09 gatekeeper pluto[4210]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 09:33:09 gatekeeper pluto[4210]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 09:33:09 gatekeeper pluto[4210]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 09:33:09 gatekeeper pluto[4210]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 09:33:09 gatekeeper pluto[4210]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 09:33:09 gatekeeper pluto[4210]: "pax_square"[1] 66.225.w.w #3: responding to Main Mode from unknown peer 66.225.w.w Mar 14 09:33:09 gatekeeper pluto[4210]: "pax_square"[1] 66.225.w.w #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 09:33:09 gatekeeper pluto[4210]: "pax_square"[1] 66.225.w.w #3: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 09:33:49 gatekeeper pluto[4210]: "pax_square"[1] 66.225.w.w #1: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 09:33:59 gatekeeper pluto[4210]: "pax_square"[1] 66.225.w.w #2: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 09:34:06 gatekeeper pluto[4210]: shutting down Mar 14 09:34:06 gatekeeper pluto[4210]: forgetting secrets Mar 14 09:34:06 gatekeeper pluto[4210]: "pax_square"[1] 66.225.w.w: 
deleting connection "pax_square" instance with peer 66.225.w.w {isakmp=#0/ipsec=#0} Mar 14 09:34:06 gatekeeper pluto[4210]: "pax_square" #3: deleting state (STATE_MAIN_R1) Mar 14 09:34:06 gatekeeper pluto[4210]: "pax_square": deleting connection Mar 14 09:34:06 gatekeeper pluto[4210]: shutting down interface lo/lo ::1:500 Mar 14 09:34:06 gatekeeper pluto[4210]: shutting down interface lo/lo 127.0.0.1:500 Mar 14 09:34:06 gatekeeper pluto[4210]: shutting down interface eth1/eth1 66.225.y.y:500 Mar 14 09:34:06 gatekeeper pluto[4210]: shutting down interface eth0/eth0 192.168.0.20:500 Mar 14 10:07:58 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 10:07:58 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 10:07:58 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 10:07:58 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 10:07:58 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 10:07:58 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 10:07:58 gatekeeper pluto[4160]: "pax_square"[1] 66.225.w.w #1: responding to Main Mode from unknown peer 66.225.w.w Mar 14 10:07:58 gatekeeper pluto[4160]: "pax_square"[1] 66.225.w.w #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 10:07:58 gatekeeper pluto[4160]: "pax_square"[1] 66.225.w.w #1: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 10:08:09 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 10:08:09 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received 
Vendor ID payload [Dead Peer Detection] Mar 14 10:08:09 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 10:08:09 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 10:08:09 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 10:08:09 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 10:08:09 gatekeeper pluto[4160]: "pax_square"[1] 66.225.w.w #2: responding to Main Mode from unknown peer 66.225.w.w Mar 14 10:08:09 gatekeeper pluto[4160]: "pax_square"[1] 66.225.w.w #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 10:08:09 gatekeeper pluto[4160]: "pax_square"[1] 66.225.w.w #2: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 10:08:29 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 10:08:29 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 10:08:29 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 10:08:29 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 10:08:29 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 10:08:29 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 10:08:29 gatekeeper pluto[4160]: "pax_square"[1] 66.225.w.w #3: responding to Main Mode from unknown peer 66.225.w.w Mar 14 10:08:29 gatekeeper pluto[4160]: 
"pax_square"[1] 66.225.w.w #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 10:08:29 gatekeeper pluto[4160]: "pax_square"[1] 66.225.w.w #3: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 10:09:08 gatekeeper pluto[4160]: "pax_square"[1] 66.225.w.w #1: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 10:09:19 gatekeeper pluto[4160]: "pax_square"[1] 66.225.w.w #2: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 10:09:39 gatekeeper pluto[4160]: "pax_square"[1] 66.225.w.w #3: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 10:09:39 gatekeeper pluto[4160]: "pax_square"[1] 66.225.w.w: deleting connection "pax_square" instance with peer 66.225.w.w {isakmp=#0/ipsec=#0} Mar 14 10:53:03 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 10:53:03 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 10:53:03 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 10:53:03 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 10:53:03 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 10:53:03 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 10:53:03 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w #4: responding to Main Mode from unknown peer 66.225.w.w Mar 14 10:53:03 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 10:53:03 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w #4: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 10:53:12 gatekeeper pluto[4160]: packet from 
66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 10:53:12 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 10:53:12 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 10:53:12 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 10:53:12 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 10:53:12 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 10:53:12 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w #5: responding to Main Mode from unknown peer 66.225.w.w Mar 14 10:53:12 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 10:53:12 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w #5: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 10:53:32 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 10:53:32 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 10:53:32 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 10:53:32 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 10:53:32 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 10:53:32 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 
10:53:32 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w #6: responding to Main Mode from unknown peer 66.225.w.w Mar 14 10:53:32 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 10:53:32 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w #6: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 10:54:13 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w #4: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 10:54:22 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w #5: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 10:54:42 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w #6: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 10:54:42 gatekeeper pluto[4160]: "pax_square"[2] 66.225.w.w: deleting connection "pax_square" instance with peer 66.225.w.w {isakmp=#0/ipsec=#0} Mar 14 11:51:17 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 11:51:17 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 11:51:17 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 11:51:17 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 11:51:17 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 11:51:17 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 11:51:17 gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w #7: responding to Main Mode from unknown peer 66.225.w.w Mar 14 11:51:17 gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 11:51:17 
gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w #7: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 11:51:26 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 11:51:26 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 11:51:26 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 11:51:26 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 11:51:26 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 14 11:51:26 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 11:51:26 gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w #8: responding to Main Mode from unknown peer 66.225.w.w Mar 14 11:51:26 gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 11:51:26 gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w #8: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 11:51:46 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 14 11:51:46 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [Dead Peer Detection] Mar 14 11:51:46 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off Mar 14 11:51:46 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 14 11:51:46 gatekeeper pluto[4160]: packet from 66.225.w.w:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port 
floating is off Mar 14 11:51:46 gatekeeper pluto[4160]: packet from 66.225.w.w:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 14 11:51:46 gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w #9: responding to Main Mode from unknown peer 66.225.w.w Mar 14 11:51:46 gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 14 11:51:46 gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w #9: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 14 11:52:27 gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w #7: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 11:52:36 gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w #8: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 11:52:56 gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w #9: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 14 11:52:56 gatekeeper pluto[4160]: "pax_square"[3] 66.225.w.w: deleting connection "pax_square" instance with peer 66.225.w.w {isakmp=#0/ipsec=#0} Mar 14 12:08:43 gatekeeper pluto[4160]: shutting down Mar 14 12:08:43 gatekeeper pluto[4160]: forgetting secrets Mar 14 12:08:43 gatekeeper pluto[4160]: "pax_square": deleting connection Mar 14 12:08:43 gatekeeper pluto[4160]: shutting down interface lo/lo ::1:500 Mar 14 12:08:43 gatekeeper pluto[4160]: shutting down interface lo/lo 127.0.0.1:500 Mar 14 12:08:43 gatekeeper pluto[4160]: shutting down interface eth1/eth1 66.225.y.y:500 Mar 14 12:08:43 gatekeeper pluto[4160]: shutting down interface eth0/eth0 192.168.0.20:500 Mar 14 12:37:48 gatekeeper pluto[4167]: shutting down Mar 14 12:37:48 gatekeeper pluto[4167]: forgetting secrets Mar 14 12:37:48 gatekeeper pluto[4167]: "pax_square": deleting connection Mar 14 12:37:48 gatekeeper pluto[4167]: shutting down interface lo/lo ::1:500 Mar 14 12:37:48 gatekeeper pluto[4167]: shutting down interface lo/lo 127.0.0.1:500 Mar 14 12:37:48 gatekeeper pluto[4167]: shutting down interface eth1/eth1 
66.225.y.y:500 Mar 14 12:37:48 gatekeeper pluto[4167]: shutting down interface eth0/eth0 192.168.0.20:500 + _________________________ date + + date Fri Mar 14 15:28:34 EDT 2008 root@gatekeeper:/home/administrator#