root@gatekeeper:/home/administrator# ipsec barf gatekeeper.mycompanyname.com Mon Mar 17 12:22:10 EDT 2008 + _________________________ version + + ipsec --version Linux Openswan U2.4.11/K2.6.22-14-server (netkey) See `ipsec --copyright' for copyright information. + _________________________ /proc/version + + cat /proc/version Linux version 2.6.22-14-server (buildd@terranova) (gcc version 4.1.3 20070929 (prerelease) (Ubuntu 4.1.2-16ubuntu2)) #1 SMP Tue Feb 12 08:27:05 UTC 2008 + _________________________ /proc/net/ipsec_eroute + + test -r /proc/net/ipsec_eroute + _________________________ netstat-rn + + netstat -nr + head -n 100 Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 66.225.x.a 0.0.0.0 255.255.255.224 U 0 0 0 eth1 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 0.0.0.0 192.168.0.10 0.0.0.0 UG 0 0 0 eth0 + _________________________ /proc/net/ipsec_spi + + test -r /proc/net/ipsec_spi + _________________________ /proc/net/ipsec_spigrp + + test -r /proc/net/ipsec_spigrp + _________________________ /proc/net/ipsec_tncfg + + test -r /proc/net/ipsec_tncfg + _________________________ /proc/net/pfkey + + test -r /proc/net/pfkey + cat /proc/net/pfkey sk RefCnt Rmem Wmem User Inode + _________________________ ip-xfrm-state + + ip xfrm state + _________________________ ip-xfrm-policy + + ip xfrm policy src ::/0 dst ::/0 dir in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 ptype main src ::/0 dst ::/0 dir out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 ptype main + _________________________ /proc/sys/net/ipsec-star + + test -d /proc/sys/net/ipsec + _________________________ ipsec/status + + ipsec auto --status 000 interface lo/lo ::1 000 interface lo/lo 127.0.0.1 000 interface eth1/eth1 66.225.x.b 000 interface eth0/eth0 192.168.0.20 000 %myid = (none) 000 debug none 000 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0 000 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 000 000 "pax_square": 192.168.0.0/24===66.225.x.b...66.225.x.c[@pax_square]===192.168.36.0/24; unrouted; eroute owner: #0 000 "pax_square": srcip=192.168.0.20; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown; 000 "pax_square": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "pax_square": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth1; encap: esp; 000 "pax_square": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "pax_square": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict 000 "pax_square": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2) 000 "pax_square": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict 000 "pax_square": ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict 000 000 + _________________________ ifconfig-a + + ifconfig -a eth0 Link encap:Ethernet HWaddr 00:02:B3:E6:AA:7D inet addr:192.168.0.20 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::202:b3ff:fee6:aa7d/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:11407 errors:0 dropped:0 overruns:0 frame:0 TX packets:1457 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1130558 (1.0 MB) TX bytes:150017 (146.5 KB) eth1 Link encap:Ethernet HWaddr 00:30:1B:44:B4:AE inet addr:66.225.x.b Bcast:66.225.x.d Mask:255.255.255.224 inet6 addr: fe80::230:1bff:fe44:b4ae/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:26 errors:0 dropped:0 overruns:0 frame:0 TX packets:7 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:2309 (2.2 KB) TX bytes:556 (556.0 b) Interrupt:17 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) + _________________________ ip-addr-list + + ip addr list 1: lo: mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth1: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:30:1b:44:b4:ae brd ff:ff:ff:ff:ff:ff inet 66.225.x.b/27 brd 66.225.x.d scope global eth1 inet6 fe80::230:1bff:fe44:b4ae/64 scope link valid_lft forever preferred_lft forever 3: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:02:b3:e6:aa:7d brd ff:ff:ff:ff:ff:ff inet 192.168.0.20/24 brd 192.168.0.255 scope global eth0 inet6 fe80::202:b3ff:fee6:aa7d/64 scope link valid_lft forever preferred_lft forever + _________________________ ip-route-list + + ip route list 66.225.x.a/27 dev eth1 proto kernel scope link src 66.225.x.b 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20 default via 192.168.0.10 dev eth0 metric 100 + _________________________ ip-rule-list + + ip rule list 0: from all lookup local 32766: from all lookup main 32767: from all lookup default + _________________________ ipsec_verify + + ipsec verify --nocolour Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.4.11/K2.6.22-14-server (netkey) Checking for IPsec support in kernel [OK] NETKEY detected, testing for disabled ICMP send_redirects [OK] NETKEY detected, testing for disabled ICMP accept_redirects [OK] Checking for RSA private key (/etc/ipsec.secrets) [OK] Checking that pluto is running [OK] Two or more interfaces found, checking IP forwarding [OK] Checking NAT and MASQUERADEing [N/A] Checking for 'ip' command [OK] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED] + _________________________ mii-tool + + [ -x /sbin/mii-tool ] + /sbin/mii-tool -v eth0: negotiated 100baseTx-FD, link ok product info: Intel 82555 rev 4 basic mode: autonegotiation enabled basic status: autonegotiation complete, link ok capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD eth1: negotiated 100baseTx-FD, link ok product info: vendor 00:50:43, model 2 rev 5 basic mode: autonegotiation enabled basic status: autonegotiation complete, link ok capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD + _________________________ ipsec/directory + + ipsec --directory /usr/local/lib/ipsec + _________________________ hostname/fqdn + + hostname --fqdn gatekeeper.mycompanyname.com + _________________________ hostname/ipaddress + + hostname --ip-address 192.168.0.20 + _________________________ uptime + + uptime 12:22:10 up 36 min, 1 user, load average: 0.06, 0.02, 0.00 + _________________________ ps + + ps alxwf + egrep -i ppid|pluto|ipsec|klips F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND 1 0 4160 1 23 0 1752 256 wait S ? 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid 1 0 4161 4160 23 0 1752 244 wait S ? 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid 4 0 4162 4161 16 0 2804 1296 - S ? 0:00 | \_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids 1 0 4219 4162 29 10 2748 404 - SN ? 0:00 | \_ pluto helper # 0 0 0 4387 4162 18 0 1620 304 - S ? 0:00 | \_ _pluto_adns 0 0 4163 4160 16 0 1756 512 pipe_w S ? 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post 0 0 4164 1 18 0 1680 428 pipe_w S ? 0:00 logger -s -p daemon.error -t ipsec__plutorun 0 0 4730 4709 25 0 1752 520 wait S+ pts/0 0:00 \_ /bin/sh /usr/local/libexec/ipsec/barf 0 0 4804 4730 18 0 1760 540 - S+ pts/0 0:00 \_ grep -E -i ppid|pluto|ipsec|klips + _________________________ ipsec/showdefaults + + ipsec showdefaults routephys=eth0 routevirt=ipsec0 routeaddr=192.168.0.20 routenexthop=192.168.0.10 + _________________________ ipsec/conf + + ipsec _include /etc/ipsec.conf + ipsec _keycensor #< /etc/ipsec.conf 1 # /etc/ipsec.conf - Openswan IPsec configuration file # RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $ # This file: /usr/share/doc/openswan/ipsec.conf-sample # # Manual: ipsec.conf.5 version 2.0 # conforms to second version of ipsec.conf specification config setup forwardcontrol=yes interfaces=%defaultroute uniqueids=yes #< /etc/ipsec.d/examples/no_oe.conf 1 # 'include' this file to disable Opportunistic Encryption. # See /usr/share/doc/openswan/policygroups.html for details. # # RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $ conn block auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear-or-private auto=ignore conn clear auto=ignore conn packetdefault auto=ignore #> /etc/ipsec.conf 17 conn pax_square also=central-site right=66.225.x.c rightid=@pax_square rightsubnet=192.168.36.0/24 also=linksys-policy auto=add conn central-site left=66.225.x.b leftsubnet=192.168.0.0/24 leftsourceip=192.168.0.20 conn linksys-policy ike=3des-md5-modp1024 esp=3des-md5 compress=no authby=secret # basic configuration #config setup # plutodebug / klipsdebug = "all", "none" or a combation from below: # "raw crypt parsing emitting control klips pfkey natt x509 private" # eg: # plutodebug="control parsing" # # Only enable klipsdebug=all if you are a developer # # NAT-TRAVERSAL support, see README.NAT-Traversal #nat_traversal=yes # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 # # enable this if you see "failed to find any available worker" #nhelpers=0 # Add connections here # sample VPN connections, see /etc/ipsec.d/examples/ #Disable Opportunistic Encryption + _________________________ ipsec/secrets + + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 : RSA { # RSA 2192 bits gatekeeper.mycompanyname.com Thu Mar 13 20:52:42 2008 # for signatures only, UNSAFE FOR ENCRYPTION #pubkey=[keyid AQOVIRNnv] Modulus: [...] PublicExponent: [...] # everything after this point is secret PrivateExponent: [...] Prime1: [...] Prime2: [...] Exponent1: [...] Exponent2: [...] Coefficient: [...] } # do not change the indenting of that "[sums to 7d9d...]" : PSK "[sums to 2787...]" + _________________________ ipsec/listall + + ipsec auto --listall 000 000 List of Public Keys: 000 + [ /etc/ipsec.d/policies ] + basename /etc/ipsec.d/policies/block + base=block + _________________________ ipsec/policies/block + + cat /etc/ipsec.d/policies/block # This file defines the set of CIDRs (network/mask-length) to which # communication should never be allowed. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/clear + base=clear + _________________________ ipsec/policies/clear + + cat /etc/ipsec.d/policies/clear # This file defines the set of CIDRs (network/mask-length) to which # communication should always be in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/clear-or-private + base=clear-or-private + _________________________ ipsec/policies/clear-or-private + + cat /etc/ipsec.d/policies/clear-or-private # This file defines the set of CIDRs (network/mask-length) to which # we will communicate in the clear, or, if the other side initiates IPSEC, # using encryption. This behaviour is also called "Opportunistic Responder". # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/private + base=private + _________________________ ipsec/policies/private + + cat /etc/ipsec.d/policies/private # This file defines the set of CIDRs (network/mask-length) to which # communication should always be private (i.e. encrypted). # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/private-or-clear + base=private-or-clear + _________________________ ipsec/policies/private-or-clear + + cat /etc/ipsec.d/policies/private-or-clear # This file defines the set of CIDRs (network/mask-length) to which # communication should be private, if possible, but in the clear otherwise. # # If the target has a TXT (later IPSECKEY) record that specifies # authentication material, we will require private (i.e. encrypted) # communications. If no such record is found, communications will be # in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $ # 0.0.0.0/0 + _________________________ ipsec/ls-libdir + + ls -l /usr/local/lib/ipsec total 112 -rwxr-xr-x 1 root root 15848 Mar 17 11:05 _confread -rwxr-xr-x 1 root root 14733 Mar 17 11:05 _copyright -rwxr-xr-x 1 root root 2379 Mar 17 11:05 _include -rwxr-xr-x 1 root root 1475 Mar 17 11:05 _keycensor -rwxr-xr-x 1 root root 3586 Mar 17 11:05 _plutoload -rwxr-xr-x 1 root root 8069 Mar 17 11:05 _plutorun -rwxr-xr-x 1 root root 12277 Mar 17 11:05 _realsetup -rwxr-xr-x 1 root root 1975 Mar 17 11:05 _secretcensor -rwxr-xr-x 1 root root 11071 Mar 17 11:05 _startklips -rwxr-xr-x 1 root root 13918 Mar 17 11:05 _updown -rwxr-xr-x 1 root root 15746 Mar 17 11:05 _updown_x509 + _________________________ ipsec/ls-execdir + + ls -l /usr/local/libexec/ipsec total 3312 -rwxr-xr-x 1 root root 28089 Mar 17 11:05 _pluto_adns -rwxr-xr-x 1 root root 18891 Mar 17 11:05 auto -rwxr-xr-x 1 root root 11367 Mar 17 11:05 barf -rwxr-xr-x 1 root root 816 Mar 17 11:05 calcgoo -rwxr-xr-x 1 root root 200749 Mar 17 11:05 eroute -rwxr-xr-x 1 root root 65776 Mar 17 11:05 ikeping -rwxr-xr-x 1 root root 128648 Mar 17 11:05 klipsdebug -rwxr-xr-x 1 root root 1836 Mar 17 11:05 livetest -rwxr-xr-x 1 root root 2604 Mar 17 11:05 look -rwxr-xr-x 1 root root 7094 Mar 17 11:05 mailkey -rwxr-xr-x 1 root root 16015 Mar 17 11:05 manual -rwxr-xr-x 1 root root 1951 Mar 17 11:05 newhostkey -rwxr-xr-x 1 root root 111600 Mar 17 11:05 pf_key -rwxr-xr-x 1 root root 1935678 Mar 17 11:05 pluto -rwxr-xr-x 1 root root 21761 Mar 17 11:05 ranbits -rwxr-xr-x 1 root root 52624 Mar 17 11:05 rsasigkey -rwxr-xr-x 1 root root 766 Mar 17 11:05 secrets lrwxrwxrwx 1 root root 17 Mar 17 11:05 setup -> /etc/init.d/ipsec -rwxr-xr-x 1 root root 1054 Mar 17 11:05 showdefaults -rwxr-xr-x 1 root root 4845 Mar 17 11:05 showhostkey -rwxr-xr-x 1 root root 329005 Mar 17 11:05 spi -rwxr-xr-x 1 root root 162999 Mar 17 11:05 spigrp -rwxr-xr-x 1 root root 27989 Mar 17 11:05 tncfg -rwxr-xr-x 1 root root 13530 Mar 17 11:05 verify -rwxr-xr-x 1 root root 156539 Mar 17 11:05 whack + _________________________ ipsec/updowns + + ls /usr/local/libexec/ipsec + egrep updown + _________________________ /proc/net/dev + + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eth1: 2309 26 0 0 0 0 0 21 556 7 0 0 0 0 0 0 eth0: 1134346 11467 0 0 0 0 0 0 195555 1754 0 0 0 0 0 0 + _________________________ /proc/net/route + + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT eth1 6068E142 00000000 0001 0 0 0 E0FFFFFF0 0 0 eth0 0000A8C0 00000000 0001 0 0 0 00FFFFFF0 0 0 eth0 00000000 0A00A8C0 0003 0 0 100 000000000 0 0 + _________________________ /proc/sys/net/ipv4/ip_forward + + cat /proc/sys/net/ipv4/ip_forward 1 + _________________________ /proc/sys/net/ipv4/tcp_ecn + + cat /proc/sys/net/ipv4/tcp_ecn 0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + + cd /proc/sys/net/ipv4/conf + egrep ^ all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:0 eth0/rp_filter:0 eth1/rp_filter:0 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + + cd /proc/sys/net/ipv4/conf + egrep ^ all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:0 eth0/rp_filter:0 eth1/rp_filter:0 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects + + cd /proc/sys/net/ipv4/conf + egrep ^ all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects all/accept_redirects:0 all/secure_redirects:1 all/send_redirects:0 default/accept_redirects:0 default/secure_redirects:1 default/send_redirects:0 eth0/accept_redirects:0 eth0/secure_redirects:1 eth0/send_redirects:0 eth1/accept_redirects:0 eth1/secure_redirects:1 eth1/send_redirects:0 lo/accept_redirects:0 lo/secure_redirects:1 lo/send_redirects:0 + _________________________ /proc/sys/net/ipv4/tcp_window_scaling + + cat /proc/sys/net/ipv4/tcp_window_scaling 1 + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale + + cat /proc/sys/net/ipv4/tcp_adv_win_scale 2 + _________________________ uname-a + + uname -a Linux gatekeeper.mycompanyname.com 2.6.22-14-server #1 SMP Tue Feb 12 08:27:05 UTC 2008 i686 GNU/Linux + _________________________ config-built-with + + test -r /proc/config_built_with + _________________________ distro-release + + test -f /etc/redhat-release + test -f /etc/debian-release + test -f /etc/SuSE-release + test -f /etc/mandrake-release + test -f /etc/mandriva-release + test -f /etc/gentoo-release + _________________________ /proc/net/ipsec_version + + test -r /proc/net/ipsec_version + test -r /proc/net/pfkey + uname -r + echo NETKEY (2.6.22-14-server) support detected NETKEY (2.6.22-14-server) support detected + _________________________ ipfwadm + + test -r /sbin/ipfwadm + no old-style linux 1.x/2.0 ipfwadm firewall support /usr/local/libexec/ipsec/barf: 1: no old-style linux 1.x/2.0 ipfwadm firewall support: not found + _________________________ ipchains + + test -r /sbin/ipchains + echo no old-style linux 2.0 ipchains firewall support no old-style linux 2.0 ipchains firewall support + _________________________ iptables + + test -r /sbin/iptables + iptables -L -v -n Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination + _________________________ iptables-nat + + iptables -t nat -L -v -n Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination + _________________________ iptables-mangle + + iptables -t mangle -L -v -n Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination + _________________________ /proc/modules + + test -f /proc/modules + cat /proc/modules iptable_mangle 3840 0 - Live 0xf8b42000 iptable_nat 8708 0 - Live 0xf8b4f000 nf_nat 20012 1 iptable_nat, Live 0xf8dbf000 nf_conntrack_ipv4 19724 2 iptable_nat, Live 0xf8db9000 nf_conntrack 65160 3 iptable_nat,nf_nat,nf_conntrack_ipv4, Live 0xf8dc6000 nfnetlink 6936 3 nf_nat,nf_conntrack_ipv4,nf_conntrack, Live 0xf8da0000 iptable_filter 3968 0 - Live 0xf89fe000 ip_tables 13924 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xf8dac000 x_tables 16260 2 iptable_nat,ip_tables, Live 0xf8da7000 xfrm_user 26368 2 - Live 0xf8be6000 xfrm4_tunnel 3712 0 - Live 0xf899c000 tunnel4 4616 1 xfrm4_tunnel, Live 0xf8be3000 ipcomp 8968 0 - Live 0xf8bdf000 esp4 8960 0 - Live 0xf8bdb000 ah4 7424 0 - Live 0xf8b07000 deflate 4864 0 - Live 0xf8b4c000 zlib_deflate 20632 1 deflate, Live 0xf8bd4000 twofish 9600 0 - Live 0xf8bd0000 twofish_common 39552 1 twofish, Live 0xf8bbc000 camellia 32000 0 - Live 0xf8bc7000 serpent 19072 0 - Live 0xf8bb6000 blowfish 9472 0 - Live 0xf8ba1000 des 17664 0 - Live 0xf8bb0000 cbc 5504 0 - Live 0xf8b3f000 ecb 4608 0 - Live 0xf8b0a000 blkcipher 7556 2 cbc,ecb, Live 0xf8a65000 aes 28608 0 - Live 0xf8b99000 xcbc 7176 0 - Live 0xf89ec000 sha256 12032 0 - Live 0xf8b3b000 sha1 3584 0 - Live 0xf88c7000 crypto_null 3584 0 - Live 0xf8863000 af_key 37904 0 - Live 0xf8ba5000 sbp2 24584 0 - Live 0xf8b44000 lp 12452 0 - Live 0xf8b14000 loop 19076 0 - Live 0xf8b0e000 snd_hda_intel 263712 0 - Live 0xf8bee000 snd_pcm_oss 44544 0 - Live 0xf8b2f000 snd_mixer_oss 17664 1 snd_pcm_oss, Live 0xf8b01000 snd_pcm 80388 2 snd_hda_intel,snd_pcm_oss, Live 0xf8b1a000 snd_seq_dummy 4740 0 - Live 0xf89ef000 snd_seq_oss 33152 0 - Live 0xf8a76000 snd_seq_midi 9600 0 - Live 0xf89fa000 snd_rawmidi 25728 1 snd_seq_midi, Live 0xf8a6e000 snd_seq_midi_event 8448 2 snd_seq_oss,snd_seq_midi, Live 0xf89f6000 iTCO_wdt 11940 0 - Live 0xf89f2000 iTCO_vendor_support 4868 1 iTCO_wdt, Live 0xf89e9000 snd_seq 53104 6 snd_seq_dummy,snd_seq_oss,snd_seq_midi,snd_seq_midi_event, Live 0xf8a57000 snd_timer 24324 2 snd_pcm,snd_seq, Live 0xf899e000 snd_seq_device 9228 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi,snd_rawmidi,snd_seq, Live 0xf89ba000 parport_pc 37668 1 - Live 0xf8a4c000 parport 37448 2 lp,parport_pc, Live 0xf8a41000 serio_raw 8068 0 - Live 0xf8965000 ipv6 278916 24 - Live 0xf8b53000 intel_agp 25620 1 - Live 0xf89e1000 agpgart 35144 1 intel_agp, Live 0xf89b0000 psmouse 39952 0 - Live 0xf89a5000 pcspkr 4224 0 - Live 0xf88c4000 snd 54532 9 snd_hda_intel,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_seq_oss,snd_rawmidi,snd_seq,snd_timer,snd_seq_device, Live 0xf8977000 soundcore 8800 1 snd, Live 0xf8973000 evdev 11136 0 - Live 0xf8961000 snd_page_alloc 11528 2 snd_hda_intel,snd_pcm, Live 0xf88d5000 ext3 133640 1 - Live 0xf89bf000 jbd 60456 1 ext3, Live 0xf8987000 mbcache 9732 1 ext3, Live 0xf8854000 sg 36380 0 - Live 0xf8948000 sr_mod 17700 0 - Live 0xf895b000 cdrom 37408 1 sr_mod, Live 0xf8968000 sd_mod 30336 3 - Live 0xf8952000 ata_piix 17540 2 - Live 0xf88c9000 floppy 59876 0 - Live 0xf8938000 e100 37772 0 - Live 0xf88ac000 mii 6656 1 e100, Live 0xf8865000 ohci1394 36784 0 - Live 0xf88b8000 skge 43280 0 - Live 0xf8870000 ieee1394 96312 2 sbp2,ohci1394, Live 0xf891f000 ehci_hcd 36748 0 - Live 0xf887c000 ata_generic 8580 0 - Live 0xf885f000 libata 125296 2 ata_piix,ata_generic, Live 0xf88ff000 scsi_mod 146828 5 sbp2,sg,sr_mod,sd_mod,libata, Live 0xf88da000 uhci_hcd 26640 0 - Live 0xf8868000 usbcore 138760 3 ehci_hcd,uhci_hcd, Live 0xf8889000 thermal 14344 0 - Live 0xf885a000 processor 32072 1 thermal, Live 0xf884b000 fan 5764 0 - Live 0xf883d000 fuse 47124 1 - Live 0xf8824000 apparmor 40600 0 - Live 0xf8832000 commoncap 8320 1 apparmor, Live 0xf8820000 + _________________________ /proc/meminfo + + cat /proc/meminfo MemTotal: 1027420 kB MemFree: 963932 kB Buffers: 5784 kB Cached: 22484 kB SwapCached: 0 kB Active: 26796 kB Inactive: 15192 kB HighTotal: 122816 kB HighFree: 81060 kB LowTotal: 904604 kB LowFree: 882872 kB SwapTotal: 3004112 kB SwapFree: 3004112 kB Dirty: 80 kB Writeback: 0 kB AnonPages: 13716 kB Mapped: 5672 kB Slab: 10264 kB SReclaimable: 3300 kB SUnreclaim: 6964 kB PageTables: 508 kB NFS_Unstable: 0 kB Bounce: 0 kB CommitLimit: 3517820 kB Committed_AS: 28296 kB VmallocTotal: 118776 kB VmallocUsed: 5952 kB VmallocChunk: 112728 kB + _________________________ /proc/net/ipsec-ls + + test -f /proc/net/ipsec_version + _________________________ usr/src/linux/.config + + test -f /proc/config.gz + uname -r + test -f /lib/modules/2.6.22-14-server/build/.config + echo no .config file found, cannot list kernel properties no .config file found, cannot list kernel properties + _________________________ etc/syslog.conf + + cat /etc/syslog.conf # /etc/syslog.conf Configuration file for syslogd. # # For more information see syslog.conf(5) # manpage. # # First some standard logfiles. Log by facility. # auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog #cron.* /var/log/cron.log daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log user.* -/var/log/user.log # # Logging for the mail system. Split it up so that # it is easy to write scripts to parse these files. # mail.info -/var/log/mail.info mail.warn -/var/log/mail.warn mail.err /var/log/mail.err # Logging for INN news system # news.crit /var/log/news/news.crit news.err /var/log/news/news.err news.notice -/var/log/news/news.notice # # Some `catch-all' logfiles. # *.=debug;\ auth,authpriv.none;\ news.none;mail.none -/var/log/debug *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -/var/log/messages # # Emergencies are sent to everybody logged in. # *.emerg * # # I like to have messages displayed on the console, but only on a virtual # console I usually leave idle. # #daemon,mail.*;\ # news.=crit;news.=err;news.=notice;\ # *.=debug;*.=info;\ # *.=notice;*.=warn /dev/tty8 # The named pipe /dev/xconsole is for the `xconsole' utility. To use it, # you must invoke `xconsole' with the `-file' option: # # $ xconsole -file /dev/xconsole [...] # # NOTE: adjust the list below, or you'll go crazy if you have a reasonably # busy site.. # daemon.*;mail.*;\ news.err;\ *.=debug;*.=info;\ *.=notice;*.=warn |/dev/xconsole + _________________________ etc/syslog-ng/syslog-ng.conf + + cat /etc/syslog-ng/syslog-ng.conf cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory + _________________________ etc/resolv.conf + + cat /etc/resolv.conf nameserver 192.168.0.45 nameserver 192.168.0.47 + _________________________ lib/modules-ls + + ls -ltr /lib/modules total 4 drwxr-xr-x 5 root root 4096 Mar 13 20:01 2.6.22-14-server + _________________________ /proc/ksyms-netif_rx + + test -r /proc/ksyms + test -r /proc/kallsyms + egrep netif_rx /proc/kallsyms c0286b00 T __netif_rx_schedule c0288220 T netif_rx c0288470 T netif_rx_ni c03a4364 r __ksymtab_netif_rx c03a4444 r __ksymtab_netif_rx_ni c03a4474 r __ksymtab___netif_rx_schedule c03a8408 r __kcrctab_netif_rx c03a8478 r __kcrctab_netif_rx_ni c03a8490 r __kcrctab___netif_rx_schedule c03b3d0f r __kstrtab_netif_rx c03b3ed7 r __kstrtab_netif_rx_ni c03b3f42 r __kstrtab___netif_rx_schedule c0288220 u netif_rx [ipv6] c0286b00 u __netif_rx_schedule [e100] c0286b00 u __netif_rx_schedule [skge] + _________________________ lib/modules-netif_rx + + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.6.22-14-server: + _________________________ kern.debug + + test -f /var/log/kern.debug + _________________________ klog + + sed -n 510,$p /var/log/syslog + egrep -i ipsec|klips|pluto + cat Mar 17 11:35:09 gatekeeper ipsec_setup: Starting Openswan IPsec 2.4.11... Mar 17 11:44:00 gatekeeper ipsec_setup: Openswan IPsec apparently already active, start aborted Mar 17 11:45:13 gatekeeper ipsec_setup: ...Openswan IPsec stopped Mar 17 11:45:13 gatekeeper ipsec_setup: Stopping Openswan IPsec... Mar 17 11:45:14 gatekeeper ipsec_setup: ...Openswan IPsec stopped Mar 17 11:45:14 gatekeeper ipsec_setup: Stopping Openswan IPsec... Mar 17 11:45:14 gatekeeper ipsec_setup: stop ordered, but IPsec appear to be stopped already! Mar 17 11:45:14 gatekeeper ipsec_setup: doing cleanup anyway... Mar 17 11:46:09 gatekeeper ipsec_setup: Openswan IPsec apparently already active, start aborted + _________________________ plog + + sed -n 535,$p /var/log/auth.log + egrep -i pluto + cat Mar 17 11:35:09 gatekeeper ipsec__plutorun: Starting Pluto subsystem... Mar 17 11:35:09 gatekeeper pluto[5085]: Starting Pluto (Openswan Version 2.4.11 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE{dD^fJcUvk) Mar 17 11:35:09 gatekeeper pluto[5085]: Setting NAT-Traversal port-4500 floating to off Mar 17 11:35:09 gatekeeper pluto[5085]: port floating activation criteria nat_t=0/port_fload=1 Mar 17 11:35:09 gatekeeper pluto[5085]: including NAT-Traversal patch (Version 0.6c) [disabled] Mar 17 11:35:09 gatekeeper pluto[5085]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) Mar 17 11:35:09 gatekeeper pluto[5085]: starting up 1 cryptographic helpers Mar 17 11:35:09 gatekeeper pluto[5085]: started helper pid=5090 (fd:6) Mar 17 11:35:09 gatekeeper pluto[5085]: Using NETKEY IPsec interface code on 2.6.22-14-server Mar 17 11:35:09 gatekeeper pluto[5085]: Changing to directory '/etc/ipsec.d/cacerts' Mar 17 11:35:09 gatekeeper pluto[5085]: Changing to directory '/etc/ipsec.d/aacerts' Mar 17 11:35:09 gatekeeper pluto[5085]: Changing to directory '/etc/ipsec.d/ocspcerts' Mar 17 11:35:09 gatekeeper pluto[5085]: Changing to directory '/etc/ipsec.d/crls' Mar 17 11:35:09 gatekeeper pluto[5085]: Warning: empty directory Mar 17 11:35:09 gatekeeper pluto[5085]: added connection description "pax_square" Mar 17 11:35:09 gatekeeper pluto[5085]: listening for IKE messages Mar 17 11:35:09 gatekeeper pluto[5085]: adding interface eth1/eth1 66.225.x.b:500 Mar 17 11:35:09 gatekeeper pluto[5085]: adding interface eth0/eth0 192.168.0.20:500 Mar 17 11:35:09 gatekeeper pluto[5085]: adding interface lo/lo 127.0.0.1:500 Mar 17 11:35:09 gatekeeper pluto[5085]: adding interface lo/lo ::1:500 Mar 17 11:35:09 gatekeeper pluto[5085]: loading secrets from "/etc/ipsec.secrets" Mar 17 11:45:12 gatekeeper pluto[5085]: shutting down Mar 17 11:45:12 gatekeeper pluto[5085]: forgetting secrets Mar 17 11:45:12 gatekeeper pluto[5085]: "pax_square": deleting connection Mar 17 11:45:12 gatekeeper pluto[5085]: shutting down interface lo/lo ::1:500 Mar 17 11:45:12 gatekeeper pluto[5085]: shutting down interface lo/lo 127.0.0.1:500 Mar 17 11:45:12 gatekeeper pluto[5085]: shutting down interface eth0/eth0 192.168.0.20:500 Mar 17 11:45:12 gatekeeper pluto[5085]: shutting down interface eth1/eth1 66.225.x.b:500 Mar 17 11:54:06 gatekeeper pluto[4162]: packet from 66.225.x.c:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 17 11:54:06 gatekeeper pluto[4162]: packet from 66.225.x.c:500: received Vendor ID payload [Dead Peer Detection] Mar 17 11:54:06 gatekeeper pluto[4162]: packet from 66.225.x.c:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off Mar 17 11:54:06 gatekeeper pluto[4162]: packet from 66.225.x.c:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 17 11:54:06 gatekeeper pluto[4162]: packet from 66.225.x.c:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 17 11:54:06 gatekeeper pluto[4162]: packet from 66.225.x.c:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 17 11:54:06 gatekeeper pluto[4162]: "pax_square" #1: responding to Main Mode Mar 17 11:54:06 gatekeeper pluto[4162]: "pax_square" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 17 11:54:06 gatekeeper pluto[4162]: "pax_square" #1: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 17 11:54:16 gatekeeper pluto[4162]: packet from 66.225.x.c:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 17 11:54:16 gatekeeper pluto[4162]: packet from 66.225.x.c:500: received Vendor ID payload [Dead Peer Detection] Mar 17 11:54:16 gatekeeper pluto[4162]: packet from 66.225.x.c:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off Mar 17 11:54:16 gatekeeper pluto[4162]: packet from 66.225.x.c:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 17 11:54:16 gatekeeper pluto[4162]: packet from 66.225.x.c:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 17 11:54:16 gatekeeper pluto[4162]: packet from 66.225.x.c:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 17 11:54:16 gatekeeper pluto[4162]: "pax_square" #2: responding to Main Mode Mar 17 11:54:16 gatekeeper pluto[4162]: "pax_square" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 17 11:54:16 gatekeeper pluto[4162]: "pax_square" #2: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 17 11:54:36 gatekeeper pluto[4162]: packet from 66.225.x.c:500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644] Mar 17 11:54:36 gatekeeper pluto[4162]: packet from 66.225.x.c:500: received Vendor ID payload [Dead Peer Detection] Mar 17 11:54:36 gatekeeper pluto[4162]: packet from 66.225.x.c:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off Mar 17 11:54:36 gatekeeper pluto[4162]: packet from 66.225.x.c:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Mar 17 11:54:36 gatekeeper pluto[4162]: packet from 66.225.x.c:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Mar 17 11:54:36 gatekeeper pluto[4162]: packet from 66.225.x.c:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Mar 17 11:54:36 gatekeeper pluto[4162]: "pax_square" #3: responding to Main Mode Mar 17 11:54:36 gatekeeper pluto[4162]: "pax_square" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Mar 17 11:54:36 gatekeeper pluto[4162]: "pax_square" #3: STATE_MAIN_R1: sent MR1, expecting MI2 Mar 17 11:55:16 gatekeeper pluto[4162]: "pax_square" #1: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 17 11:55:26 gatekeeper pluto[4162]: "pax_square" #2: max number of retransmissions (2) reached STATE_MAIN_R1 Mar 17 11:55:46 gatekeeper pluto[4162]: "pax_square" #3: max number of retransmissions (2) reached STATE_MAIN_R1 + _________________________ date + + date Mon Mar 17 12:22:10 EDT 2008 root@gatekeeper:/home/administrator#