Dell2450LC Sun Sep 21 17:17:08 BST 2008
+ _________________________ version
+ ipsec --version
Linux Openswan U2.4.4/K2.6.16.54-0.2.8-smp (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.16.54-0.2.8-smp (geeko@buildhost) (gcc version 4.1.2 20070115 (prerelease) (SUSE Linux)) #1 SMP Mon Jun 23 13:41:12 UTC 2008
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.100.0   192.168.101.1   255.255.255.0   UG        0 0          0 eth1
192.168.101.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.101.1   0.0.0.0         UG        0 0          0 eth1
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk       RefCnt Rmem   Wmem   User   Inode
+ _________________________ setkey-D
+ setkey -D
192.168.101.253[4500] 213.246.173.52[4500]
    esp-udp mode=tunnel spi=2872810065(0xab3b9a51) reqid=16385(0x00004001)
    E: 3des-cbc  8bb0a72e 4f0f34aa c01a7230 93b56b62 1c442d97 5dec9dd0
    A: hmac-md5  9f74a4a0 9bbfad35 7dd3f703 d3055fe7
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Sep 21 17:12:03 2008   current: Sep 21 17:17:08 2008
    diff: 305(s)    hard: 0(s)      soft: 0(s)
    last: Sep 21 17:14:02 2008      hard: 0(s)      soft: 0(s)
    current: 480(bytes)     hard: 0(bytes)  soft: 0(bytes)
    allocated: 4    hard: 0 soft: 0
    sadb_seq=1 pid=6365 refcnt=0
213.246.173.52[4500] 192.168.101.253[4500]
    esp-udp mode=tunnel spi=3230091467(0xc08748cb) reqid=16385(0x00004001)
    E: 3des-cbc  4c948187 dd7fb9c4 7dd8fd6e 9c41d2b1 5dd54e92 31365258
    A: hmac-md5  b5e2cc84 dd27473a 8384c4f6 ea220e0c
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Sep 21 17:12:03 2008   current: Sep 21 17:17:08 2008
    diff: 305(s)    hard: 0(s)      soft: 0(s)
    last: Sep 21 17:12:03 2008      hard: 0(s)      soft: 0(s)
    current: 10999(bytes)   hard: 0(bytes)  soft: 0(bytes)
    allocated: 153  hard: 0 soft: 0
    sadb_seq=0 pid=6365 refcnt=0
+ _________________________ setkey-D-P
+ setkey -D -P
192.168.100.0/24[any] 192.168.101.0/24[any] any
    in prio high + 1073739480 ipsec
    esp/tunnel/213.246.173.52-192.168.101.253/unique#16385
    created: Sep 21 17:12:03 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=10184 seq=16 pid=6366 refcnt=1
192.168.101.0/24[any] 192.168.100.0/24[any] any
    out prio high + 1073739480 ipsec
    esp/tunnel/192.168.101.253-213.246.173.52/unique#16385
    created: Sep 21 17:12:03 2008  lastused: Sep 21 17:14:23 2008
    lifetime: 0(s) validtime: 0(s)
    spid=10177 seq=15 pid=6366 refcnt=3
192.168.100.0/24[any] 192.168.101.0/24[any] any
    fwd prio high + 1073739480 ipsec
    esp/tunnel/213.246.173.52-192.168.101.253/unique#16385
    created: Sep 21 17:12:03 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=10194 seq=14 pid=6366 refcnt=1
(per-socket policy)
    in none
    created: Sep 21 17:12:02 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=10163 seq=13 pid=6366 refcnt=1
(per-socket policy)
    in none
    created: Sep 21 17:12:02 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=10147 seq=12 pid=6366 refcnt=1
(per-socket policy)
    in none
    created: Sep 21 17:12:02 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=10131 seq=11 pid=6366 refcnt=1
(per-socket policy)
    in none
    created: Sep 21 17:12:02 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=10115 seq=10 pid=6366 refcnt=1
(per-socket policy)
    in none
    created: Sep 21 17:12:02 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=10099 seq=9 pid=6366 refcnt=1
(per-socket policy)
    in none
    created: Sep 21 17:12:02 2008  lastused: Sep 21 17:14:01 2008
    lifetime: 0(s) validtime: 0(s)
    spid=10083 seq=8 pid=6366 refcnt=1
(per-socket policy)
    in none
    created: Sep 21 17:12:02 2008  lastused: Sep 21 17:12:02 2008
    lifetime: 0(s) validtime: 0(s)
    spid=10067 seq=7 pid=6366 refcnt=1
(per-socket policy)
    out none
    created: Sep 21 17:12:02 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=10172 seq=6 pid=6366 refcnt=1
(per-socket policy)
    out none
    created: Sep 21 17:12:02 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=10156 seq=5 pid=6366 refcnt=1
(per-socket policy)
    out none
    created: Sep 21 17:12:02 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=10140 seq=4 pid=6366 refcnt=1
(per-socket policy)
    out none
    created: Sep 21 17:12:02 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=10124 seq=3 pid=6366 refcnt=1
(per-socket policy)
    out none
    created: Sep 21 17:12:02 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=10108 seq=2 pid=6366 refcnt=1
(per-socket policy)
    out none
    created: Sep 21 17:12:02 2008  lastused: Sep 21 17:17:02 2008
    lifetime: 0(s) validtime: 0(s)
    spid=10092 seq=1 pid=6366 refcnt=1
(per-socket policy)
    out none
    created: Sep 21 17:12:02 2008  lastused: Sep 21 17:12:02 2008
    lifetime: 0(s) validtime: 0(s)
    spid=10076 seq=0 pid=6366 refcnt=1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.3.253
000 interface eth0/eth0 192.168.3.253
000 interface eth1/eth1 192.168.101.253
000 interface eth1/eth1 192.168.101.253
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,336} attrs={0,2,224}
000
000 "westerham": 192.168.101.0/24===192.168.101.253[213.246.191.115]---192.168.101.1...213.246.191.115---213.246.173.52===192.168.100.0/24; erouted; eroute owner: #2
000 "westerham":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "westerham":   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "westerham":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "westerham":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "westerham":   IKE algorithms wanted: 5_000-1-5, 5_000-1-2, flags=-strict
000 "westerham":   IKE algorithms found:  5_192-1_128-5, 5_192-1_128-2,
000 "westerham":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "westerham":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "westerham":   ESP algorithms loaded: 3_000-1, flags=-strict
000 "westerham":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=
000
000 #2: "westerham":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2320s; newest IPSEC; eroute owner
000 #2: "westerham" esp.ab3b9a51@213.246.173.52 esp.c08748cb@192.168.101.253 tun.0@213.246.173.52 tun.0@192.168.101.253
000 #1: "westerham":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 13417s; newest ISAKMP; nodpd
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:B0:D0:49:06:66
          inet addr:192.168.3.253  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::2b0:d0ff:fe49:666/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:390157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:253175 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:65270590 (62.2 Mb)  TX bytes:170256496 (162.3 Mb)

eth1      Link encap:Ethernet  HWaddr 00:A0:24:A9:41:EE
          inet addr:192.168.101.253  Bcast:192.168.101.255  Mask:255.255.255.0
          inet6 addr: fe80::2a0:24ff:fea9:41ee/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:847858 errors:0 dropped:0 overruns:0 frame:0
          TX packets:804924 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:221423999 (211.1 Mb)  TX bytes:299987165 (286.0 Mb)
          Interrupt:201 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3096934 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3096934 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2112209802 (2014.3 Mb)  TX bytes:2112209802 (2014.3 Mb)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

+ _________________________ ip-addr-list
+ ip addr list
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:b0:d0:49:06:66 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.253/24 brd 192.168.3.255 scope global eth0
    inet6 fe80::2b0:d0ff:fe49:666/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:24:a9:41:ee brd ff:ff:ff:ff:ff:ff
    inet 192.168.101.253/24 brd 192.168.101.255 scope global eth1
    inet6 fe80::2a0:24ff:fea9:41ee/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
+ _________________________ ip-route-list
+ ip route list
192.168.100.0/24 via 192.168.101.1 dev eth1
192.168.101.0/24 dev eth1  proto kernel  scope link  src 192.168.101.253
192.168.3.0/24 dev eth0  proto kernel  scope link  src 192.168.3.253
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 192.168.101.1 dev eth1
+ _________________________ ip-rule-list
+ ip rule list
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.16.54-0.2.8-smp (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'curl' command for CRL fetching                    [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ '[' -x /usr/sbin/mii-tool ']'
+ mii-tool -v
/usr/lib/ipsec/barf: line 212: mii-tool: command not found
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
Dell2450LC.talos.co.uk
+ _________________________ hostname/ipaddress
+ hostname --ip-address
192.168.101.253
+ _________________________ uptime
+ uptime
  5:17pm  up 3 days  2:15,  0 users,  load average: 0.65, 0.82, 0.83
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
0     0  6341  2403  25   0  2764 1332 wait   S+   pts/1      0:00  \_ /bin/sh /usr/lib/ipsec/barf
0     0  6411  6341  25   0  1860  668 stext  S+   pts/1      0:00      \_ /bin/grep -E -i ppid|pluto|ipsec|klips
1     0  3133     1  24   0  2728  492 wait   S    pts/1      0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog /var/log/pluto/ipsec.log --wait yes --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
1     0  3134  3133  24   0  2728  636 wait   S    pts/1      0:00  \_ /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog /var/log/pluto/ipsec.log --wait yes --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
4     0  3135  3134  15   0  2472 1308 -      S    pts/1      0:00  |   \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --stderrlog
1     0  3140  3135  25  10  2412  532 -      SN   pts/1      0:00  |       \_ pluto helper  #  0                -nofork
0     0  3196  3135  18   0  1452  296 -      S    pts/1      0:00  |       \_ _pluto_adns
0     0  3137  3133  15   0  2720 1320 pipe_w S    pts/1      0:00  \_ /bin/sh /usr/lib/ipsec/_plutoload --wait yes --post
0     0  3138     1  24   0  1508  496 pipe_w S    pts/1      0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/packages/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    interfaces="ipsec0=eth1"
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg:
    #plutodebug=all
    #
    # Only enable klipsdebug=all if you are a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    plutostderrlog=/var/log/pluto/ipsec.log
    nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
    #
    # Certificate Revocation List handling:
    #crlcheckinterval=600
    #strictcrlpolicy=yes
    #
    # Change rp_filter setting? (default is 0, disabled)
    # See also setting in the /etc/sysctl.conf file!
    #rp_filter=%unchanged
    #
    # Workaround to setup all tunnels immediately, since the new default
    # of "plutowait=no" causes "Resource temporarily unavailable" errors
    # for the first connect attempt over each tunnel, that is delayed to
    # be established later / on demand.
    # plutowait=yes

# default settings for connections
conn %default
    # keyingtries default to %forever
    #keyingtries=3
    # Sig keys (default: %dnsondemand)
    #leftrsasigkey=%cert
    #rightrsasigkey=%cert
    # Lifetimes, defaults are 1h/8hrs
    #ikelifetime=20m
    #keylife=1h
    #rekeymargin=8m

#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
#> /etc/ipsec.conf 56

# Add connections here
conn westerham
    #General
    keyingtries=0
    ##disablearrivalcheck=no
    auto=start
    #IKE Params
    authby=secret
    keyexchange=ike
    ikelifetime=240m
    esp=3des-md5-96
    ike=3des-md5
    #IPSec Params
    type=tunnel
    auth=esp
    pfs=yes
    ##compress=no
    keylife=1h
    # Left security gateway, subnet behind it, nexthop toward right.
    left=192.168.101.253
    leftid=213.246.191.115
    leftsubnet=192.168.101.0/24
    leftnexthop=192.168.101.1
    # Right security gateway, subnet behind it, nexthop toward left.
    right=213.246.173.52
    rightsubnet=192.168.100.0/24
    rightnexthop=213.246.191.115
    # To authorize this connection, but not actually start it,
    # at startup, uncomment this.
    #auto=add
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
: RSA   {
    # RSA 2048 bits   Dell2450LC   Wed Sep 10 18:19:23 2008
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=[keyid AQOAjN3TJ]
    Modulus: [...]
    PublicExponent: [...]
    # everything after this point is secret
    PrivateExponent: [...]
    Prime1: [...]
    Prime2: [...]
    Exponent1: [...]
    Exponent2: [...]
    Coefficient: [...]
    }
# do not change the indenting of that "[sums to 7d9d...]"
: PSK "[sums to 65b1...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption.  This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications.  If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 1316
-rwxr-xr-x 1 root root  15535 Jun 16  2006 _confread
-rwxr-xr-x 1 root root   4884 Jun 16  2006 _copyright
-rwxr-xr-x 1 root root   2379 Jun 16  2006 _include
-rwxr-xr-x 1 root root   1475 Jun 16  2006 _keycensor
-rwxr-xr-x 1 root root   8564 Jun 16  2006 _pluto_adns
-rwxr-xr-x 1 root root   3586 Jun 16  2006 _plutoload
-rwxr-xr-x 1 root root   7427 Jun 16  2006 _plutorun
-rwxr-xr-x 1 root root  12448 Jun 16  2006 _realsetup
-rwxr-xr-x 1 root root   1975 Jun 16  2006 _secretcensor
-rwxr-xr-x 1 root root   9905 Jun 16  2006 _startklips
-rwxr-xr-x 1 root root  14855 Jun 16  2006 _updown
-rwxr-xr-x 1 root root  15746 Jun 16  2006 _updown_x509
-rwxr-xr-x 1 root root  19334 Jun 16  2006 auto
-rwxr-xr-x 1 root root  10548 Jun 16  2006 barf
-rwxr-xr-x 1 root root    816 Jun 16  2006 calcgoo
-rwxr-xr-x 1 root root  78364 Jun 16  2006 eroute
-rwxr-xr-x 1 root root  16788 Jun 16  2006 ikeping
-rwxr-xr-x 1 root root    960 Jun 16  2006 ipsec_1_to_2.pl
-rw-r--r-- 1 root root   1942 Jun 16  2006 ipsec_pr.template
-rwxr-xr-x 1 root root  61312 Jun 16  2006 klipsdebug
-rwxr-xr-x 1 root root   1836 Jun 16  2006 livetest
-rwxr-xr-x 1 root root   2605 Jun 16  2006 look
-rwxr-xr-x 1 root root   7153 Jun 16  2006 mailkey
-rwxr-xr-x 1 root root  15996 Jun 16  2006 manual
-rwxr-xr-x 1 root root   1926 Jun 16  2006 newhostkey
-rwxr-xr-x 1 root root  52580 Jun 16  2006 pf_key
-rwxr-xr-x 1 root root 574408 Jun 16  2006 pluto
-rwxr-xr-x 1 root root   6972 Jun 16  2006 ranbits
-rwxr-xr-x 1 root root  19008 Jun 16  2006 rsasigkey
-rwxr-xr-x 1 root root    766 Jun 16  2006 secrets
-rwxr-xr-x 1 root root  17624 Jun 16  2006 send-pr
lrwxrwxrwx 1 root root     17 Sep 10 18:19 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root   1054 Jun 16  2006 showdefaults
-rwxr-xr-x 1 root root   4748 Jun 16  2006 showhostkey
-rwxr-xr-x 1 root root 116316 Jun 16  2006 spi
-rwxr-xr-x 1 root root  66304 Jun 16  2006 spigrp
-rwxr-xr-x 1 root root  10952 Jun 16  2006 tncfg
-rwxr-xr-x 1 root root  10607 Jun 16  2006 verify
-rwxr-xr-x 1 root root  43912 Jun 16  2006 whack
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/lib/ipsec
total 1316
-rwxr-xr-x 1 root root  15535 Jun 16  2006 _confread
-rwxr-xr-x 1 root root   4884 Jun 16  2006 _copyright
-rwxr-xr-x 1 root root   2379 Jun 16  2006 _include
-rwxr-xr-x 1 root root   1475 Jun 16  2006 _keycensor
-rwxr-xr-x 1 root root   8564 Jun 16  2006 _pluto_adns
-rwxr-xr-x 1 root root   3586 Jun 16  2006 _plutoload
-rwxr-xr-x 1 root root   7427 Jun 16  2006 _plutorun
-rwxr-xr-x 1 root root  12448 Jun 16  2006 _realsetup
-rwxr-xr-x 1 root root   1975 Jun 16  2006 _secretcensor
-rwxr-xr-x 1 root root   9905 Jun 16  2006 _startklips
-rwxr-xr-x 1 root root  14855 Jun 16  2006 _updown
-rwxr-xr-x 1 root root  15746 Jun 16  2006 _updown_x509
-rwxr-xr-x 1 root root  19334 Jun 16  2006 auto
-rwxr-xr-x 1 root root  10548 Jun 16  2006 barf
-rwxr-xr-x 1 root root    816 Jun 16  2006 calcgoo
-rwxr-xr-x 1 root root  78364 Jun 16  2006 eroute
-rwxr-xr-x 1 root root  16788 Jun 16  2006 ikeping
-rwxr-xr-x 1 root root    960 Jun 16  2006 ipsec_1_to_2.pl
-rw-r--r-- 1 root root   1942 Jun 16  2006 ipsec_pr.template
-rwxr-xr-x 1 root root  61312 Jun 16  2006 klipsdebug
-rwxr-xr-x 1 root root   1836 Jun 16  2006 livetest
-rwxr-xr-x 1 root root   2605 Jun 16  2006 look
-rwxr-xr-x 1 root root   7153 Jun 16  2006 mailkey
-rwxr-xr-x 1 root root  15996 Jun 16  2006 manual
-rwxr-xr-x 1 root root   1926 Jun 16  2006 newhostkey
-rwxr-xr-x 1 root root  52580 Jun 16  2006 pf_key
-rwxr-xr-x 1 root root 574408 Jun 16  2006 pluto
-rwxr-xr-x 1 root root   6972 Jun 16  2006 ranbits
-rwxr-xr-x 1 root root  19008 Jun 16  2006 rsasigkey
-rwxr-xr-x 1 root root    766 Jun 16  2006 secrets
-rwxr-xr-x 1 root root  17624 Jun 16  2006 send-pr
lrwxrwxrwx 1 root root     17 Sep 10 18:19 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root   1054 Jun 16  2006 showdefaults
-rwxr-xr-x 1 root root   4748 Jun 16  2006 showhostkey
-rwxr-xr-x 1 root root 116316 Jun 16  2006 spi
-rwxr-xr-x 1 root root  66304 Jun 16  2006 spigrp
-rwxr-xr-x 1 root root  10952 Jun 16  2006 tncfg
-rwxr-xr-x 1 root root  10607 Jun 16  2006 verify
-rwxr-xr-x 1 root root  43912 Jun 16  2006 whack
+ _________________________ ipsec/updowns
++ ls /usr/lib/ipsec
++ egrep updown
+ for f in '`ls ${IPSEC_EXECDIR-/usr/lib/ipsec} | egrep updown`'
+ cat /usr/lib/ipsec/_updown
#! /bin/sh
# iproute2 version, default updown script
#
# Copyright (C) 2003-2004 Nigel Metheringham
# Copyright (C) 2002-2004 Michael Richardson
# Copyright (C) 2003-2005 Tuomo Soini
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See .
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown.in,v 1.21.2.8 2005/08/28 02:45:26 paul Exp $

# CAUTION:  Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

LC_ALL=C export LC_ALL

# things that this script gets (from ipsec_pluto(8) man page)
#
#
#       PLUTO_VERSION
#              indicates what version of this interface is being
#              used.  This document describes version 1.1.  This
#              is upwardly compatible with version 1.0.
#
#       PLUTO_VERB
#              specifies the name of the operation to be performed
#              (prepare-host, prepare-client, up-host, up-client,
#              down-host, or down-client).  If the address family
#              for security gateway to security gateway
#              communications is IPv6, then a suffix of -v6 is
#              added to the verb.
#
#       PLUTO_CONNECTION
#              is the name of the connection for which we are
#              routing.
#
#       PLUTO_CONN_POLICY
#              the policy of the connection, as in:
#              RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
#       PLUTO_NEXT_HOP
#              is the next hop to which packets bound for the peer
#              must be sent.
#
#       PLUTO_INTERFACE
#              is the name of the ipsec interface to be used.
#
#       PLUTO_ME
#              is the IP address of our host.
#
#       PLUTO_MY_CLIENT
#              is the IP address / count of our client subnet.  If
#              the client is just the host, this will be the
#              host's own IP address / max (where max is 32 for
#              IPv4 and 128 for IPv6).
#
#       PLUTO_MY_CLIENT_NET
#              is the IP address of our client net.  If the client
#              is just the host, this will be the host's own IP
#              address.
#
#       PLUTO_MY_CLIENT_MASK
#              is the mask for our client net.  If the client is
#              just the host, this will be 255.255.255.255.
#
#       PLUTO_MY_SOURCEIP
#              if non-empty, then the source address for the route will be
#              set to this IP address.
#
#       PLUTO_MY_PROTOCOL
#              is the protocol for this connection.  Useful for
#              firewalling.
#
#       PLUTO_MY_PORT
#              is the port.  Useful for firewalling.
#
#       PLUTO_PEER
#              is the IP address of our peer.
#
#       PLUTO_PEER_CLIENT
#              is the IP address / count of the peer's client
#              subnet.  If the client is just the peer, this will be
#              the peer's own IP address / max (where max is 32
#              for IPv4 and 128 for IPv6).
#
#       PLUTO_PEER_CLIENT_NET
#              is the IP address of the peer's client net.  If the
#              client is just the peer, this will be the peer's
#              own IP address.
#
#       PLUTO_PEER_CLIENT_MASK
#              is the mask for the peer's client net.  If the
#              client is just the peer, this will be
#              255.255.255.255.
#
#       PLUTO_PEER_PROTOCOL
#              is the protocol set for remote end with port
#              selector.
#
#       PLUTO_PEER_PORT
#              is the peer's port.  Useful for firewalling.
#
#       PLUTO_CONNECTION_TYPE
#

# Import default _updown configs from the /etc/sysconfig/pluto_updown file
#
# Two variables can be set in this file:
#
# DEFAULTSOURCE
#       is the default value for PLUTO_MY_SOURCEIP
#
# IPROUTETABLE
#       is the default value for IPROUTETABLE
#
# IPROUTEARGS
#       is the extra argument list for ip route command
#
# IPRULEARGS
#       is the extra argument list for ip rule command
#
if [ -f /etc/sysconfig/pluto_updown ]
then
    . /etc/sysconfig/pluto_updown
fi

# check interface version
case "$PLUTO_VERSION" in
1.[0])  # Older Pluto?!?  Play it safe, script may be using new features.
    echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
    echo "$0: called by obsolete Pluto?" >&2
    exit 2
    ;;
1.*)    ;;
*)      echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
    exit 2
    ;;
esac

# check parameter(s)
case "$1:$*" in
':')                    # no parameters
    ;;
ipfwadm:ipfwadm)        # due to (left/right)firewall; for default script only
    ;;
custom:*)               # custom parameters (see above CAUTION comment)
    ;;
*)      echo "$0: unknown parameters \`$*'" >&2
    exit 2
    ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
    doroute add
    ip route flush cache
}
downroute() {
    doroute delete
    ip route flush cache
}
uprule() {
    # policy based advanced routing
    if [ -n "$IPROUTETABLE" ]
    then
        dorule delete
        dorule add
    fi
    # virtual sourceip support
    if [ -n "$PLUTO_MY_SOURCEIP" ]
    then
        if addsource
        then
            changesource
        fi
    fi
    ip route flush cache
}
downrule() {
    if [ -n "$IPROUTETABLE" ]
    then
        dorule delete
        ip route flush cache
    fi
}

addsource() {
    st=0
    # check if given sourceip is local and add as alias if not
    #if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
    #then
    #    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
    #
    # Fix for Bug #66215 to solve SNAT/MASQUERADE problems with recent
    # 2.6.x kernels.
    # Instead of a /32 it seems better to use the netmask of the remote
    # (peer) network for the sourceip as suggested by Patrick McHardy.
    #
    cidr=${PLUTO_PEER_CLIENT##*/}
    snet=${PLUTO_MY_SOURCEIP%/*}/32
    if test "${PLUTO_PEER_CLIENT}" != "${cidr}"
    then
        snet=${PLUTO_MY_SOURCEIP%/*}/${cidr}
    fi
    # check if given "sourceip/mask" already added to interface
    if ! ip addr show dev ${PLUTO_INTERFACE%:*} | grep -qs "inet ${snet}"
    then
        it="ip addr add ${snet} dev ${PLUTO_INTERFACE%:*}"
        oops="`eval $it 2>&1`"
        st=$?
        if test " $oops" = " " -a " $st" != " 0"
        then
            oops="silent error, exit status $st"
        fi
        case "$oops" in
        'RTNETLINK answers: File exists'*)
            # should not happen, but ... ignore if the
            # address was already assigned on interface
            oops=""
            st=0
            ;;
        esac
        if test " $oops" != " " -o " $st" != " 0"
        then
            echo "$0: addsource \`$it' failed ($oops)" >&2
        fi
    fi
    return $st
}

changesource() {
    st=0
    parms="$PLUTO_PEER_CLIENT dev ${PLUTO_INTERFACE%:*}"
    parms="$parms src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
    if [ -n "$IPROUTETABLE" ]
    then
        parms="$parms table $IPROUTETABLE"
    fi
    it="ip route change $parms"
    case "$PLUTO_PEER_CLIENT" in
    "0.0.0.0/0")
        # opportunistic encryption work around
        it=
        ;;
    esac
    oops="`eval $it 2>&1`"
    st=$?
    if test " $oops" = " " -a " $st" != " 0"
    then
        oops="silent error, exit status $st"
    fi
    if test " $oops" != " " -o " $st" != " 0"
    then
        echo "$0: changesource \`$it' failed ($oops)" >&2
    fi
    return $st
}

dorule() {
    st=0
    it2=
    iprule="from $PLUTO_MY_CLIENT"
    iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
    case "$PLUTO_PEER_CLIENT" in
    "0.0.0.0/0")
        # opportunistic encryption work around
        st=0
        ;;
    *)
        if [ -z "$PLUTO_MY_SOURCEIP" ]
        then
            if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
            then
                it="ip rule $1 iif lo $iprule2"
            else
                it="ip rule $1 $iprule $iprule2"
            fi
        else
            if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
            then
                it="ip rule $1 iif lo $iprule2"
            else
                it="ip rule $1 $iprule $iprule2"
                it2="ip rule $1 iif lo $iprule2"
            fi
        fi
        oops="`eval $it 2>&1`"
        st=$?
		if test " $oops" = " " -a " $st" != " 0"
		then
			oops="silent error, exit status $st"
		fi
		case "$oops" in
		'RTNETLINK answers: No such process'*)
			# This is what ip rule gives
			# for "could not find such a rule"
			oops=
			st=0
			;;
		esac
		if test " $oops" != " " -o " $st" != " 0"
		then
			echo "$0: dorule \`$it' failed ($oops)" >&2
		fi
		if test "$st" = "0" -a -n "$it2"
		then
			oops="`eval $it2 2>&1`"
			st=$?
			if test " $oops" = " " -a " $st" != " 0"
			then
				oops="silent error, exit status $st"
			fi
			case "$oops" in
			'RTNETLINK answers: No such process'*)
				# This is what ip rule gives
				# for "could not find such a rule"
				oops=
				st=0
				;;
			esac
			if test " $oops" != " " -o " $st" != " 0"
			then
				echo "$0: dorule \`$it2' failed ($oops)" >&2
			fi
		fi
		;;
	esac
	return $st
}

doroute() {
	st=0
	parms="$PLUTO_PEER_CLIENT"
	parms2=
	if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
	then
		PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
	fi
	# skip creating any routing in case it is a host to host
	# tunnel and the peer network(=host) is equal to peer ip,
	# except there is some different source ip to use.
	if test "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ; then
		test "$PLUTO_ME" != "$PLUTO_MY_SOURCEIP" && \
		test -n "$PLUTO_MY_SOURCEIP" || return 0
	fi
	if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
	then
		# nexthop is not needed on ppp interfaces. unset it to make cases
		# work, where left is set but no leftnexthop (e.g. left=%dynamic)
		ip link show "$PLUTO_INTERFACE" | grep -qs POINTOPOINT && \
			unset PLUTO_NEXT_HOP
		# skip routing via nexthop if it is not reachable through any
		# directly connected network (but via default route only):
		ip route list match "$PLUTO_NEXT_HOP" dev "$PLUTO_INTERFACE" | \
			grep -qs -v default || unset PLUTO_NEXT_HOP
		if [ -n "$PLUTO_NEXT_HOP" ]
		then
			parms2="via $PLUTO_NEXT_HOP"
		fi
	fi
	parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
	parms3="$IPROUTEARGS"
	if [ -n "$IPROUTETABLE" ]
	then
		parms3="$parms3 table $IPROUTETABLE"
	fi
	if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
	then
		addsource
		parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
	fi
	case "$PLUTO_PEER_CLIENT" in
	"0.0.0.0/0")
		# opportunistic encryption work around
		# need to provide route that eclipses default, without
		# replacing it.
		it="ip route $1 0.0.0.0/1 $parms2 $parms3 && ip route $1 128.0.0.0/1 $parms2 $parms3"
		;;
	*)	it="ip route $1 $parms $parms2 $parms3"
		;;
	esac
	oops="`eval $it 2>&1`"
	st=$?
	if test " $oops" = " " -a " $st" != " 0"
	then
		oops="silent error, exit status $st"
	fi
	if test " $oops" != " " -o " $st" != " 0"
	then
		echo "$0: doroute \`$it' failed ($oops)" >&2
	fi
	return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
	# delete possibly-existing route (preliminary to adding a route)
	case "$PLUTO_PEER_CLIENT" in
	"0.0.0.0/0")
		# need to provide route that eclipses default, without
		# replacing it.
		parms1="0.0.0.0/1"
		parms2="128.0.0.0/1"
		it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
		oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
		;;
	*)
		parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
		if [ -n "$IPROUTETABLE" ]
		then
			parms="$parms table $IPROUTETABLE"
		fi
		it="ip route delete $parms 2>&1"
		oops="`ip route delete $parms 2>&1`"
		;;
	esac
	status="$?"
	if test " $oops" = " " -a " $status" != " 0"
	then
		oops="silent error, exit status $status"
	fi
	case "$oops" in
	*'RTNETLINK answers: No such process'*)
		# This is what route (currently -- not documented!) gives
		# for "could not find such a route".
		oops=
		status=0
		;;
	esac
	if test " $oops" != " " -o " $status" != " 0"
	then
		echo "$0: \`$it' failed ($oops)" >&2
	fi
	exit $status
	;;
route-host:*|route-client:*)
	# connection to me or my client subnet being routed
	uproute
	;;
unroute-host:*|unroute-client:*)
	# connection to me or my client subnet being unrouted
	downroute
	;;
up-host:*)
	# connection to me coming up
	uprule
	# If you are doing a custom version, firewall commands go here.
	;;
down-host:*)
	# connection to me going down
	downrule
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:)
	# connection to my client subnet coming up
	uprule
	# If you are doing a custom version, firewall commands go here.
	;;
down-client:)
	# connection to my client subnet going down
	downrule
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	uprule
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	;;
down-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, going down
	downrule
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
	;;
route-host-v6:*|route-client-v6:*)
	# connection to me or my client subnet being routed
	#uproute_v6
	;;
unroute-host-v6:*|unroute-client-v6:*)
	# connection to me or my client subnet being unrouted
	#downroute_v6
	;;
up-host-v6:*)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host-v6:*)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client-v6:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client-v6:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac
+ for f in '`ls ${IPSEC_EXECDIR-/usr/lib/ipsec} | egrep updown`'
+ cat /usr/lib/ipsec/_updown_x509
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
#   local0.notice	-/var/log/vpn
#
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
	S_MY_PORT="--sport $PLUTO_MY_PORT"
	D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
# CAUTION: Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.
LC_ALL=C
export LC_ALL
# things that this script gets (from ipsec_pluto(8) man page)
#
#
#	PLUTO_VERSION
#		indicates what version of this interface is being
#		used. This document describes version 1.1. This
#		is upwardly compatible with version 1.0.
#
#	PLUTO_VERB
#		specifies the name of the operation to be performed
#		(prepare-host, prepare-client, up-host, up-client,
#		down-host, or down-client). If the address family
#		for security gateway to security gateway
#		communications is IPv6, then a suffix of -v6 is
#		added to the verb.
#
#	PLUTO_CONNECTION
#		is the name of the connection for which we are
#		routing.
#
#	PLUTO_CONN_POLICY
#		the policy of the connection, as in:
#		RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
#	PLUTO_NEXT_HOP
#		is the next hop to which packets bound for the peer
#		must be sent.
#
#	PLUTO_INTERFACE
#		is the name of the ipsec interface to be used.
#
#	PLUTO_ME
#		is the IP address of our host.
#
#	PLUTO_MY_CLIENT
#		is the IP address / count of our client subnet. If
#		the client is just the host, this will be the
#		host's own IP address / max (where max is 32 for
#		IPv4 and 128 for IPv6).
#
#	PLUTO_MY_CLIENT_NET
#		is the IP address of our client net. If the client
#		is just the host, this will be the host's own IP
#		address.
#
#	PLUTO_MY_CLIENT_MASK
#		is the mask for our client net. If the client is
#		just the host, this will be 255.255.255.255.
#
#	PLUTO_MY_SOURCEIP
#		if non-empty, then the source address for the route will be
#		set to this IP address.
#
#	PLUTO_MY_PROTOCOL
#		is the protocol for this connection. Useful for
#		firewalling.
#
#	PLUTO_MY_PORT
#		is the port. Useful for firewalling.
#
#	PLUTO_PEER
#		is the IP address of our peer.
#
#	PLUTO_PEER_CLIENT
#		is the IP address / count of the peer's client
#		subnet. If the client is just the peer, this will be
#		the peer's own IP address / max (where max is 32
#		for IPv4 and 128 for IPv6).
#
#	PLUTO_PEER_CLIENT_NET
#		is the IP address of the peer's client net. If the
#		client is just the peer, this will be the peer's
#		own IP address.
#
#	PLUTO_PEER_CLIENT_MASK
#		is the mask for the peer's client net. If the
#		client is just the peer, this will be
#		255.255.255.255.
#
#	PLUTO_PEER_PROTOCOL
#		is the protocol set for remote end with port
#		selector.
#
#	PLUTO_PEER_PORT
#		is the peer's port. Useful for firewalling.
#
#	PLUTO_CONNECTION_TYPE
#
# Import default _updown configs from the /etc/sysconfig/pluto_updown file
#
# Two variables can be set in this file:
#
# DEFAULTSOURCE
#	is the default value for PLUTO_MY_SOURCEIP
#
# IPROUTETABLE
#	is the default value for IPROUTETABLE
#
# IPROUTEARGS
#	is the extra argument list for ip route command
#
# IPRULEARGS
#	is the extra argument list for ip rule command
#
if [ -f /etc/sysconfig/pluto_updown ]
then
	. /etc/sysconfig/pluto_updown
fi

# check interface version
case "$PLUTO_VERSION" in
1.[0])	# Older Pluto?!?  Play it safe, script may be using new features.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: called by obsolete Pluto?" >&2
	exit 2
	;;
1.*)	;;
*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac

# check parameter(s)
case "$1:$*" in
':')	# no parameters
	;;
ipfwadm:ipfwadm)	# due to (left/right)firewall; for default script only
	;;
custom:*)		# custom parameters (see above CAUTION comment)
	;;
*)	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
	doroute add
	ip route flush cache
}
downroute() {
	doroute delete
	ip route flush cache
}
uprule() {
	# policy based advanced routing
	if [ -n "$IPROUTETABLE" ]
	then
		dorule delete
		dorule add
	fi
	# virtual sourceip support
	if [ -n "$PLUTO_MY_SOURCEIP" ]
	then
		addsource
		changesource
	fi
	ip route flush cache
}
downrule() {
	if [ -n "$IPROUTETABLE" ]
	then
		dorule delete
		ip route flush cache
	fi
}

addsource() {
	st=0
	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
	then
		it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
		oops="`eval $it 2>&1`"
		st=$?
		if test " $oops" = " " -a " $st" != " 0"
		then
			oops="silent error, exit status $st"
		fi
		if test " $oops" != " " -o " $st" != " 0"
		then
			echo "$0: addsource \`$it' failed ($oops)" >&2
		fi
	fi
	return $st
}

changesource() {
	st=0
	parms="$PLUTO_PEER_CLIENT"
	parms2="dev ${PLUTO_INTERFACE%:*}"
	parms3="src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
	if [ -n "$IPROUTETABLE" ]
	then
		parms3="$parms3 table '$IPROUTETABLE'"
	fi
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# opportunistic encryption work around
		it=
		;;
	esac
	oops="`eval $it 2>&1`"
	st=$?
	if test " $oops" = " " -a " $st" != " 0"
	then
		oops="silent error, exit status $st"
	fi
	if test " $oops" != " " -o " $st" != " 0"
	then
		echo "$0: changesource \`$it' failed ($oops)" >&2
	fi
	return $st
}

dorule() {
	st=0
	it2=
	iprule="from $PLUTO_MY_CLIENT"
	iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# opportunistic encryption work around
		st=0
		;;
	*)
		if [ -z "$PLUTO_MY_SOURCEIP" ]
		then
			if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
			then
				it="ip rule $1 iif lo $iprule2"
			else
				it="ip rule $1 $iprule $iprule2"
			fi
		else
			if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
			then
				it="ip rule $1 iif lo $iprule2"
			else
				it="ip rule $1 $iprule $iprule2"
				it2="ip rule $1 iif lo $iprule2"
			fi
		fi
		oops="`eval $it 2>&1`"
		st=$?
		if test " $oops" = " " -a " $st" != " 0"
		then
			oops="silent error, exit status $st"
		fi
		case "$oops" in
		'RTNETLINK answers: No such process'*)
			# This is what ip rule gives
			# for "could not find such a rule"
			oops=
			st=0
			;;
		esac
		if test " $oops" != " " -o " $st" != " 0"
		then
			echo "$0: dorule \`$it' failed ($oops)" >&2
		fi
		if test "$st" = "0" -a -n "$it2"
		then
			oops="`eval $it2 2>&1`"
			st=$?
			if test " $oops" = " " -a " $st" != " 0"
			then
				oops="silent error, exit status $st"
			fi
			case "$oops" in
			'RTNETLINK answers: No such process'*)
				# This is what ip rule gives
				# for "could not find such a rule"
				oops=
				st=0
				;;
			esac
			if test " $oops" != " " -o " $st" != " 0"
			then
				echo "$0: dorule \`$it2' failed ($oops)" >&2
			fi
		fi
		;;
	esac
	return $st
}

doroute() {
	st=0
	parms="$PLUTO_PEER_CLIENT"
	parms2=
	if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
	then
		parms2="via $PLUTO_NEXT_HOP"
	fi
	parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
	parms3="$IPROUTEARGS"
	if [ -n "$IPROUTETABLE" ]
	then
		parms3="$parms3 table $IPROUTETABLE"
	fi
	if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
	then
		PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
	fi
	if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
	then
		addsource
		parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
	fi
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# opportunistic encryption work around
		# need to provide route that eclipses default, without
		# replacing it.
		it="ip route $1 0.0.0.0/1 $parms2 $parms3 && ip route $1 128.0.0.0/1 $parms2 $parms3"
		;;
	*)	it="ip route $1 $parms $parms2 $parms3"
		;;
	esac
	oops="`eval $it 2>&1`"
	st=$?
	if test " $oops" = " " -a " $st" != " 0"
	then
		oops="silent error, exit status $st"
	fi
	if test " $oops" != " " -o " $st" != " 0"
	then
		echo "$0: doroute \`$it' failed ($oops)" >&2
	fi
	return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
	# delete possibly-existing route (preliminary to adding a route)
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# need to provide route that eclipses default, without
		# replacing it.
		parms1="0.0.0.0/1"
		parms2="128.0.0.0/1"
		it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
		oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
		;;
	*)
		parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
		if [ -n "$IPROUTETABLE" ]
		then
			parms="$parms table $IPROUTETABLE"
		fi
		it="ip route delete $parms 2>&1"
		oops="`ip route delete $parms 2>&1`"
		;;
	esac
	status="$?"
	if test " $oops" = " " -a " $status" != " 0"
	then
		oops="silent error, exit status $status"
	fi
	case "$oops" in
	*'RTNETLINK answers: No such process'*)
		# This is what route (currently -- not documented!) gives
		# for "could not find such a route".
		oops=
		status=0
		;;
	esac
	if test " $oops" != " " -o " $status" != " 0"
	then
		echo "$0: \`$it' failed ($oops)" >&2
	fi
	exit $status
	;;
route-host:*|route-client:*)
	# connection to me or my client subnet being routed
	uproute
	;;
unroute-host:*|unroute-client:*)
	# connection to me or my client subnet being unrouted
	downroute
	;;
up-host:*)
	# connection to me coming up
	uprule
	# If you are doing a custom version, firewall commands go here.
	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_ME $S_MY_PORT \
	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
	#
	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
	then
	  logger -t $TAG -p $FAC_PRIO \
	    "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
	else
	  logger -t $TAG -p $FAC_PRIO \
	    "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	fi
	;;
down-host:*)
	# connection to me going down
	downrule
	# If you are doing a custom version, firewall commands go here.
	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_ME $S_MY_PORT \
	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
	#
	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
	then
	  logger -t $TAG -p $FAC_PRIO -- \
	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
	else
	  logger -t $TAG -p $FAC_PRIO -- \
	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	fi
	;;
up-client:)
	# connection to my client subnet coming up
	uprule
	# If you are doing a custom version, firewall commands go here.
	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
	    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
	#
	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
	then
	  logger -t $TAG -p $FAC_PRIO \
	    "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	else
	  logger -t $TAG -p $FAC_PRIO \
	    "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	fi
	;;
down-client:)
	# connection to my client subnet going down
	downrule
	# If you are doing a custom version, firewall commands go here.
	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
	    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
	#
	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
	then
	  logger -t $TAG -p $FAC_PRIO -- \
	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	else
	  logger -t $TAG -p $FAC_PRIO -- \
	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	fi
	;;
up-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	uprule
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	;;
down-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, going down
	downrule
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
	;;
route-host-v6:*|route-client-v6:*)
	# connection to me or my client subnet being routed
	#uproute_v6
	;;
unroute-host-v6:*|unroute-client-v6:*)
	# connection to me or my client subnet being unrouted
	#downroute_v6
	;;
up-host-v6:*)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host-v6:*)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client-v6:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client-v6:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:2113385791 3097189    0    0    0     0          0         0 2113385791 3097189    0    0    0     0       0          0
  eth0:65270590  390157    0    0    0     0          0         0 170256496  253175    0    0    0     0       0          0
  eth1:221425789  847884    0    0    0     0          0         0 300052873  804976    0    0    0     0       0          0
  sit0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface	Destination	Gateway 	Flags	RefCnt	Use	Metric	Mask		MTU	Window	IRTT
eth1	0064A8C0	0165A8C0	0003	0	0	0	00FFFFFF	0	0	0
eth1	0065A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0
eth0	0003A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0
eth0	0000FEA9	00000000	0001	0	0	0	0000FFFF	0	0	0
lo	0000007F	00000000	0001	0	0	0	000000FF	0	0	0
eth1	00000000	0165A8C0	0003	0	0	0	00000000	0	0	0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux Dell2450LC 2.6.16.54-0.2.8-smp #1 SMP Mon Jun 23 13:41:12 UTC 2008 i686 i686 i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.16.54-0.2.8-smp) support detected '
NETKEY (2.6.16.54-0.2.8-smp) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/lib/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ test -r /sbin/ipchains
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
xfrm_user 20996 2 - Live 0xf1e11000
xfrm4_tunnel 7684 0 - Live 0xf1061000
af_key 39440 0 - Live 0xf1dbd000
ipt_policy 6784 3 - Live 0xf1439000
joydev 12864 0 - Live 0xf1d7a000
st 38172 0 - Live 0xf1e2a000
sr_mod 18596 0 - Live 0xf1e18000
deflate 7680 0 - Live 0xf1df1000
zlib_deflate 21912 1 deflate, Live 0xf1df4000
twofish 46848 0 - Live 0xf1dfd000
serpent 23168 0 - Live 0xf1dd3000
blowfish 13184 0 - Live 0xf1de8000
sha256 14848 0 - Live 0xf1de3000
crypto_null 6528 0 - Live 0xf137f000
aes 31936 0 - Live 0xf1dda000
sha1 6400 0 - Live 0xf1382000
ipcomp 11528 0 - Live 0xf1dc8000
esp4 11264 2 - Live 0xf1032000
ah4 9984 0 - Live 0xf137b000
ipt_MASQUERADE 7552 1 - Live 0xf1d89000
xt_pkttype 5760 7 - Live 0xf1d86000
ipt_TCPMSS 7936 1 - Live 0xf1d83000
ipt_LOG 9856 25 - Live 0xf1d7f000
xt_limit 6528 25 - Live 0xf13ce000
zapi 11144 1 - Live 0xf1431000
nebdrv 14096 20 - Live 0xf13b7000
nsslsa 143012 5 zapi, Live 0xf13eb000
nssmanage 101672 1 nsslsa, Live 0xf13d1000
nsszlss 1373776 2 nsslsa,nssmanage, Live 0xf1e44000
nsscomn 1342800 12 zapi,nsslsa,nssmanage,nsszlss, Live 0xf1443000
ndpmod 54440 4 nsslsa,nsscomn, Live 0xf12ad000
nss 301236 5 zapi,nsslsa,nssmanage,nsszlss,nsscomn, Live 0xf11c8000
nsslibrary 1077856 7 zapi,nsslsa,nssmanage,nsszlss,nsscomn,ndpmod,nss, Live 0xf10bf000
nsslnxlib 36424 3 nsszlss,nsscomn,nsslibrary, Live 0xf0c9e000
linuxmpk 129268 10 zapi,nebdrv,nsslsa,nssmanage,nsszlss,nsscomn,ndpmod,nss,nsslibrary,nsslnxlib, Live 0xf0d08000
libnss 82356 8 nsslsa,nssmanage,nsszlss,nsscomn,ndpmod,nss,nsslibrary,nsslnxlib, Live 0xf0cc9000
admindrv 8880 1 nsscomn, Live 0xf0c85000
nwraid 99348 0 - Live 0xf0caf000
af_packet 28552 2 - Live 0xf0c8a000
button 10640 0 - Live 0xf1064000
battery 13444 0 - Live 0xf10ba000
ac 8964 0 - Live 0xf106f000
ip6t_REJECT 8960 3 - Live 0xf106b000
xt_tcpudp 7040 25 - Live 0xf1068000
ipt_REJECT 9216 3 - Live 0xf105d000
xt_state 6016 34 - Live 0xf105a000
iptable_mangle 6656 0 - Live 0xf1036000
iptable_nat 11524 1 - Live 0xf0fc2000
ip_nat 20396 2 ipt_MASQUERADE,iptable_nat, Live 0xf1039000
iptable_filter 6912 1 - Live 0xf102f000
ip6table_mangle 6272 0 - Live 0xf0fc6000
ip_conntrack 49880 4 ipt_MASQUERADE,xt_state,iptable_nat,ip_nat, Live 0xf103f000
nfnetlink 10136 2 ip_nat,ip_conntrack, Live 0xf0fec000
ip_tables 16196 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xf1019000
ip6table_filter 6656 1 - Live 0xf0e48000
ip6_tables 17604 2 ip6table_mangle,ip6table_filter, Live 0xf1013000
x_tables 16132 13 ipt_policy,ipt_MASQUERADE,xt_pkttype,ipt_TCPMSS,ipt_LOG,xt_limit,ip6t_REJECT,xt_tcpudp,ipt_REJECT,xt_state,iptable_nat,ip_tables,ip6_tables, Live 0xf100e000
ipv6 245216 63 ip6t_REJECT, Live 0xf1077000
apparmor 54552 0 - Live 0xf1020000
aamatch_pcre 17408 1 apparmor, Live 0xf0fe6000
nls_iso8859_1 8064 1 - Live 0xf0825000
nls_cp437 9728 1 - Live 0xf0fe2000
vfat 16000 1 - Live 0xf0fdd000
fat 51100 1 vfat, Live 0xf1000000
loop 19592 0 - Live 0xf0fc9000
dm_mod 59728 8 nwraid, Live 0xf0ff0000
shpchp 43360 0 - Live 0xf0fd1000
pci_hotplug 28604 1 shpchp, Live 0xf0e83000
3c59x 45224 0 - Live 0xf0f97000
i2c_piix4 12432 0 - Live 0xf0f92000
i2c_core 23680 1 i2c_piix4, Live 0xf0f8b000
sworks_agp 12704 0 - Live 0xf0ec4000
ohci_hcd 22020 0 - Live 0xf0e8b000
agpgart 33352 1 sworks_agp, Live 0xf0f81000
usbcore 115460 2 ohci_hcd, Live 0xf0fa4000
e100 37128 0 - Live 0xf0f76000
mii 9088 2 3c59x,e100, Live 0xf0e51000
ide_cd 40224 0 - Live 0xf0f6b000
cdrom 36512 2 sr_mod,ide_cd, Live 0xf0eba000
parport_pc 39524 1 - Live 0xf0eaf000
lp 14756 0 - Live 0xf0e7e000
parport 36936 2 parport_pc,lp, Live 0xf0ea4000
ext3 123656 2 - Live 0xf0ec9000
jbd 62496 1 ext3, Live 0xf0e93000
edd 12484 0 - Live 0xf0e79000
fan 8580 0 - Live 0xf0e44000
thermal 17544 0 - Live 0xf0e4b000
processor 31468 1 thermal, Live 0xf0e70000
sg 35500 0 - Live 0xf0e66000
aacraid 55168 5 - Live 0xf0e57000
serverworks 12168 0 [permanent], Live 0xf0849000
aic7xxx 152628 0 - Live 0xf0855000
scsi_transport_spi 25984 1 aic7xxx, Live 0xf084d000
sd_mod 23296 6 - Live 0xf0818000
scsi_mod 131724 7 st,sr_mod,sg,aacraid,aic7xxx,scsi_transport_spi,sd_mod, Live 0xf0e22000
ide_disk 19072 0 - Live 0xf081f000
ide_core 123468 3 ide_cd,serverworks,ide_disk, Live 0xf0e02000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal:       775188 kB
MemFree:         10464 kB
Buffers:         22012 kB
Cached:         220760 kB
SwapCached:       6048 kB
Active:         444488 kB
Inactive:       118168 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       775188 kB
LowFree:         10464 kB
SwapTotal:     1052248 kB
SwapFree:       980032 kB
Dirty:            1020 kB
Writeback:           0 kB
AnonPages:      319332 kB
Mapped:          64544 kB
Slab:            62788 kB
CommitLimit:   1439840 kB
Committed_AS:  5818356 kB
PageTables:       5232 kB
VmallocTotal:   245752 kB
VmallocUsed:     23948 kB
VmallocChunk:   221604 kB
HugePages_Total:     0
HugePages_Free:      0
HugePages_Rsvd:      0
Hugepagesize:     4096 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_TUNNEL=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
CONFIG_IP_NF_CONNTRACK_NETLINK=m
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NETBIOS_NS=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_POLICY=m
CONFIG_IP_NF_MATCH_IPV4OPTIONS=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_POLICY=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_DCCP=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_DCCP_CCID3=m
CONFIG_IP_DCCP_TFRC_LIB=m
# CONFIG_IP_DCCP_DEBUG is not set
# CONFIG_IP_DCCP_UNLOAD_HACK is not set
CONFIG_IP_SCTP=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPW2100=m
CONFIG_IPW2100_MONITOR=y
# CONFIG_IPW2100_DEBUG is not set
CONFIG_IPW2200=m
# CONFIG_IPW2200_DEBUG is not set
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
CONFIG_IPMI_PANIC_EVENT=y
CONFIG_IPMI_PANIC_STRING=y
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
cat: /etc/syslog.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
domain talos.co.uk
nameserver 192.168.3.253
nameserver 195.74.130.12
nameserver 195.74.128.6
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 3 root root 4096 Sep  3 17:32 2.6.16.46-0.12-smp
drwxr-xr-x 5 root root 4096 Sep  3 17:39 2.6.16.54-0.2.8-smp
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c02484ea T netif_rx
c024946e T netif_rx_ni
c02484ea U netif_rx	[ipv6]
c02484ea U netif_rx	[3c59x]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.16.46-0.12-smp:
2.6.16.54-0.2.8-smp:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '985,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Sep 21 17:12:01 Dell2450LC ipsec_setup: Starting Openswan IPsec 2.4.4...
Sep 21 17:12:01 Dell2450LC ipsec_setup: insmod /lib/modules/2.6.16.54-0.2.8-smp/kernel/net/key/af_key.ko
Sep 21 17:12:01 Dell2450LC ipsec_setup: insmod /lib/modules/2.6.16.54-0.2.8-smp/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 21 17:12:01 Dell2450LC ipsec_setup: insmod /lib/modules/2.6.16.54-0.2.8-smp/kernel/net/xfrm/xfrm_user.ko
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 104 "westerham" #1: STATE_MAIN_I1: initiate
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 003 "westerham" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 003 "westerham" #1: ignoring unknown Vendor ID payload [825733f5f2c1fe269671942e2e69cc85]
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 106 "westerham" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 003 "westerham" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 108 "westerham" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 004 "westerham" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 117 "westerham" #2: STATE_QUICK_I1: initiate
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 004 "westerham" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xab3b9a51 <0xc08748cb xfrm=3DES_0-HMAC_MD5 NATD=213.246.173.52:4500 DPD=none}
+ _________________________ plog
+ sed -n '983,$p' /var/log/messages
+ egrep -i pluto
+ case "$1" in
+ cat
Sep 21 17:12:00 Dell2450LC ipsec__plutorun: Starting Pluto subsystem...
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 104 "westerham" #1: STATE_MAIN_I1: initiate
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 003 "westerham" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 003 "westerham" #1: ignoring unknown Vendor ID payload [825733f5f2c1fe269671942e2e69cc85]
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 106 "westerham" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 003 "westerham" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 108 "westerham" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 004 "westerham" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 117 "westerham" #2: STATE_QUICK_I1: initiate
Sep 21 17:12:03 Dell2450LC ipsec__plutorun: 004 "westerham" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xab3b9a51 <0xc08748cb xfrm=3DES_0-HMAC_MD5 NATD=213.246.173.52:4500 DPD=none}
+ _________________________ date
+ date
Sun Sep 21 17:17:10 BST 2008