dinamico88.dti.digitro.com.br Mon Dec 1 12:17:42 BRST 2008 + _________________________ version + ipsec --version Linux Openswan 2.6.18 (klips) See `ipsec --copyright' for copyright information. + _________________________ /proc/version + cat /proc/version Linux version 2.6.18-53.1.13.el5 (mockbuild@builder6.centos.org) (gcc version 4.1.2 20070626 (Red Hat 4.1.2-14)) #1 SMP Tue Feb 12 13:01:45 EST 2008 + _________________________ /proc/net/ipsec_eroute + test -r /proc/net/ipsec_eroute + sort -sg -k 3 /proc/net/ipsec_eroute 2 14.14.14.0/24 -> 15.15.15.0/24 => tun0x1001@192.168.170.38 + _________________________ netstat-rn + netstat -nr + head -n 100 Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 14.14.14.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 15.15.15.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0 192.168.160.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0 192.168.160.0 0.0.0.0 255.255.240.0 U 0 0 0 ipsec0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 0.0.0.0 192.168.160.1 0.0.0.0 UG 0 0 0 eth0 + _________________________ /proc/net/ipsec_spi + test -r /proc/net/ipsec_spi + cat /proc/net/ipsec_spi esp0xd236acd5@192.168.170.88 ESP_3DES_HMAC_SHA1: dir=in src=192.168.170.38 iv_bits=64bits iv=0xec0d57e5546c4fe7 ooowin=64 alen=160 aklen=160 eklen=192 life(c,s,h)=addtime(63,0,0) natencap=na refcount=2 ref=4 refhim=1 tun0x1002@192.168.170.88 IPIP: dir=in src=192.168.170.38 policy=15.15.15.0/24->14.14.14.0/24 flags=0x8<> life(c,s,h)=addtime(63,0,0) natencap=na refcount=3 ref=3 refhim=1 esp0xff53421c@192.168.170.38 ESP_3DES_HMAC_SHA1: dir=out src=192.168.170.88 iv_bits=64bits iv=0x36fe2b729ec8e87f ooowin=64 seq=2 alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(272,0,0)addtime(63,0,0)usetime(27,0,0)packets(2,0,0) idle=26 natencap=na refcount=3 ref=2 refhim=0 tun0x1001@192.168.170.38 IPIP: dir=out src=192.168.170.88 life(c,s,h)=bytes(208,0,0)addtime(63,0,0)usetime(27,0,0)packets(2,0,0) idle=26 natencap=na refcount=2 ref=1 refhim=0 + _________________________ /proc/net/ipsec_spigrp + test -r /proc/net/ipsec_spigrp + cat /proc/net/ipsec_spigrp esp0xd236acd5@192.168.170.88 tun0x1002@192.168.170.88 tun0x1002@192.168.170.88 esp0xff53421c@192.168.170.38 tun0x1001@192.168.170.38 esp0xff53421c@192.168.170.38 + _________________________ /proc/net/ipsec_tncfg + test -r /proc/net/ipsec_tncfg + cat /proc/net/ipsec_tncfg ipsec0 -> eth0 mtu=16260(1500) -> 1500 ipsec1 -> NULL mtu=0(0) -> 0 + _________________________ /proc/net/pfkey + test -r /proc/net/pfkey + _________________________ /proc/crypto + test -r /proc/crypto + cat /proc/crypto name : crc32c driver : crc32c-generic module : kernel priority : 0 type : digest blocksize : 32 digestsize : 4 name : sha1 driver : sha1-generic module : kernel priority : 0 type : digest blocksize : 64 digestsize : 20 + __________________________/proc/sys/net/core/xfrm-star /usr/libexec/ipsec/barf: line 191: __________________________/proc/sys/net/core/xfrm-star: Arquivo ou diretório não encontrado + for i in '/proc/sys/net/core/xfrm_*' + echo -n '/proc/sys/net/core/xfrm_acq_expires: ' /proc/sys/net/core/xfrm_acq_expires: + cat /proc/sys/net/core/xfrm_acq_expires 30 + for i in '/proc/sys/net/core/xfrm_*' + echo -n '/proc/sys/net/core/xfrm_aevent_etime: ' /proc/sys/net/core/xfrm_aevent_etime: + cat /proc/sys/net/core/xfrm_aevent_etime 10 + for i in '/proc/sys/net/core/xfrm_*' + echo -n '/proc/sys/net/core/xfrm_aevent_rseqth: ' /proc/sys/net/core/xfrm_aevent_rseqth: + cat /proc/sys/net/core/xfrm_aevent_rseqth 2 + for i in '/proc/sys/net/core/xfrm_*' + echo -n '/proc/sys/net/core/xfrm_larval_drop: ' /proc/sys/net/core/xfrm_larval_drop: + cat /proc/sys/net/core/xfrm_larval_drop 0 + _________________________ /proc/sys/net/ipsec-star + test -d /proc/sys/net/ipsec + cd /proc/sys/net/ipsec + egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_mast debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform debug_xmit icmp inbound_policy_check pfkey_lossage tos debug_ah:0 debug_eroute:0 debug_esp:0 debug_ipcomp:0 debug_mast:0 debug_netlink:0 debug_pfkey:0 debug_radij:0 debug_rcv:0 debug_spi:0 debug_tunnel:0 debug_verbose:0 debug_xform:0 debug_xmit:0 icmp:1 inbound_policy_check:1 pfkey_lossage:0 tos:1 + _________________________ ipsec/status + ipsec auto --status 000 using kernel interface: klips 000 interface ipsec0/eth0 192.168.170.88 000 %myid = (none) 000 debug none 000 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 000 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 000 000 "net-to-net": 14.14.14.0/24===192.168.170.88<192.168.170.88>[@left.digitro.com.br,+S=C]...192.168.170.38<192.168.170.38>[@right.digitro.com.br,+S=C]===15.15.15.0/24; erouted; eroute owner: #2 000 "net-to-net": myip=unset; hisip=unset; 000 "net-to-net": ike_life: 300s; ipsec_life: 300s; rekey_margin: 120s; rekey_fuzz: 100%; keyingtries: 3 000 "net-to-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW; prio: 24,24; interface: eth0; 000 "net-to-net": newest ISAKMP SA: #1; newest IPsec SA: #2; 000 "net-to-net": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048 000 "net-to-net": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=-strict 000 "net-to-net": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160 000 "net-to-net": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup= 000 000 #2: "net-to-net":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 178s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set 000 #2: "net-to-net" esp.ff53421c@192.168.170.38 esp.d236acd5@192.168.170.88 tun.1001@192.168.170.38 tun.1002@192.168.170.88 ref=3 refhim=1 000 #1: "net-to-net":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 177s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set 000 + _________________________ ifconfig-a + ifconfig -a eth0 Link encap:Ethernet HWaddr 08:00:27:89:F4:48 inet addr:192.168.170.88 Bcast:192.168.175.255 Mask:255.255.240.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:437528 errors:18 dropped:0 overruns:0 frame:0 TX packets:2652 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:31549188 (30.0 MiB) TX bytes:394922 (385.6 KiB) Interrupt:11 Base address:0xc020 eth0:10 Link encap:Ethernet HWaddr 08:00:27:89:F4:48 inet addr:14.14.14.14 Bcast:14.14.14.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:11 Base address:0xc020 ipsec0 Link encap:Ethernet HWaddr 08:00:27:89:F4:48 inet addr:192.168.170.88 Mask:255.255.240.0 UP RUNNING NOARP MTU:16260 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:2 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) ipsec1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 NOARP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:14098 errors:0 dropped:0 overruns:0 frame:0 TX packets:14098 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:838115 (818.4 KiB) TX bytes:838115 (818.4 KiB) mast0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 NOARP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) + _________________________ ip-addr-list + ip addr list 1: lo: mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 08:00:27:89:f4:48 brd ff:ff:ff:ff:ff:ff inet 192.168.170.88/20 brd 192.168.175.255 scope global eth0 inet 14.14.14.14/24 brd 14.14.14.255 scope global eth0:10 3: ipsec0: mtu 16260 qdisc pfifo_fast qlen 10 link/ether 08:00:27:89:f4:48 brd ff:ff:ff:ff:ff:ff inet 192.168.170.88/20 brd 192.168.175.255 scope global ipsec0 4: ipsec1: mtu 0 qdisc noop qlen 10 link/void 5: mast0: mtu 0 qdisc noop qlen 10 link/[65534] + _________________________ ip-route-list + ip route list 14.14.14.0/24 dev eth0 proto kernel scope link src 14.14.14.14 15.15.15.0/24 dev ipsec0 scope link 192.168.160.0/20 dev eth0 proto kernel scope link src 192.168.170.88 192.168.160.0/20 dev ipsec0 proto kernel scope link src 192.168.170.88 169.254.0.0/16 dev eth0 scope link default via 192.168.160.1 dev eth0 + _________________________ ip-rule-list + ip rule list 0: from all lookup 255 32766: from all lookup main 32767: from all lookup default + _________________________ ipsec_verify + ipsec verify --nocolour Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan 2.6.18 (klips) Checking for IPsec support in kernel [OK] KLIPS detected, checking for NAT Traversal support [FAILED] Checking for RSA private key (/etc/ipsec.secrets) [OK] Checking that pluto is running [OK] Two or more interfaces found, checking IP forwarding [OK] Checking NAT and MASQUERADEing [N/A] Checking for 'ip' command [OK] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED] + _________________________ mii-tool + '[' -x /sbin/mii-tool ']' + /sbin/mii-tool -v SIOCGMIIPHY on 'eth0' failed: Operation not supported no MII interfaces found + _________________________ ipsec/directory + ipsec --directory /usr/libexec/ipsec + _________________________ hostname/fqdn + hostname --fqdn dinamico88.dti.digitro.com.br + _________________________ hostname/ipaddress + hostname --ip-address 192.168.170.88 + _________________________ uptime + uptime 12:17:45 up 3:02, 2 users, load average: 0.48, 0.29, 0.24 + _________________________ ps + ps alxwf + egrep -i 'ppid|pluto|ipsec|klips' F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND 0 0 5199 4608 24 0 3544 1144 - R+ pts/0 0:00 \_ /bin/sh /usr/libexec/ipsec/barf 1 0 3516 1 25 0 2380 400 wait S pts/0 0:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal no --keep_alive --protostack klips --force_keepalive --disable_port_floating no --virtual_private %v4:14.14.14.0/24,%v4:15.15.15.0/24,%v4:10.0.0.0/8,%v4:172.16.0.0/16,%v4:192.168.0.0/16 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog /axs/traces/ipsec.txt --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid 1 0 3517 3516 25 0 2380 564 wait S pts/0 0:00 \_ /bin/sh /usr/libexec/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal no --keep_alive --protostack klips --force_keepalive --disable_port_floating no --virtual_private %v4:14.14.14.0/24,%v4:15.15.15.0/24,%v4:10.0.0.0/8,%v4:172.16.0.0/16,%v4:192.168.0.0/16 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog /axs/traces/ipsec.txt --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid 4 0 3519 3517 15 0 3132 1508 - S pts/0 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-klips --uniqueids --virtual_private %v4:14.14.14.0/24,%v4:15.15.15.0/24,%v4:10.0.0.0/8,%v4:172.16.0.0/16,%v4:192.168.0.0/16 --stderrlog 1 0 3524 3519 26 10 3084 676 - SN pts/0 0:00 | \_ pluto helper # 0 0 0 3520 3516 22 0 2372 940 pipe_w S pts/0 0:00 \_ /bin/sh /usr/libexec/ipsec/_plutoload --wait no --post 0 0 3518 1 23 0 1636 500 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun + _________________________ ipsec/showdefaults + ipsec showdefaults routephys=eth0 routevirt=ipsec0 routeaddr=192.168.170.88 routenexthop=192.168.160.1 + _________________________ ipsec/conf + ipsec _include /etc/ipsec.conf + ipsec _keycensor #< /etc/ipsec.conf 1 # /etc/ipsec.conf - Openswan IPsec configuration file # # Manual: ipsec.conf.5 # # Please place your own config files in /etc/ipsec.d/ ending in .conf version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup # Debug-logging controls: "none" for (almost) none, "all" for lots. #klipsdebug=all # plutodebug="control parsing" #plutodebug=all #plutodebug="raw crypt parsing emitting control lifecycle klips private pfkey" plutostderrlog=/axs/traces/ipsec.txt # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey virtual_private=%v4:14.14.14.0/24,%v4:15.15.15.0/24,%v4:10.0.0.0/8,%v4:172.16.0.0/16,%v4:192.168.0.0/16 protostack=klips nat_traversal=no #interfaces="ipsec0=eth0" conn %default rekeymargin=2m keylife=5m ikelifetime=5m # OE policy groups are disabled by default conn block auto=ignore conn clear auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear-or-private auto=ignore conn packetdefault auto=ignore #include /etc/ipsec.d/*.conf #conn teste # left=172.16.16.1 # leftnexthop=10.0.0.1 # leftid=@left.digitro.com.br # # rsakey AQPQOA8iZ # leftrsasigkey=[keyid AQPQOA8iZ] # right=10.0.0.3 # rightnexthop=172.16.16.2 # rightid=@right.digitro.com.br # # rsakey AQOGAKfBG # rightrsasigkey=[keyid AQOGAKfBG] # auto=add conn net-to-net left=192.168.170.88 leftsubnet=14.14.14.0/24 leftid=@left.digitro.com.br # rsakey AQPQOA8iZ leftrsasigkey=[keyid AQPQOA8iZ] right=192.168.170.38 rightsubnet=15.15.15.0/24 rightid=@right.digitro.com.br # rsakey AQOGAKfBG rightrsasigkey=[keyid AQOGAKfBG] auto=add auth=esp esp=3des-sha1 #conn road # type=tunnel # left=%defaultroute # leftid=@left.digitro.com.br # leftrsasigkey=[keyid AQPQOA8iZ] # right=10.0.0.3 # rightsubnet=15.15.15.0/24 # rightid=@right.digitro.com.br # rightrsasigkey=[keyid AQOGAKfBG] # auto=add # auth=esp # esp=3des-sha1 + _________________________ ipsec/secrets + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 : RSA { # RSA 1024 bits localhost.localdomain Tue Nov 18 12:32:12 2008 # for signatures only, UNSAFE FOR ENCRYPTION #pubkey=[keyid AQPQOA8iZ] Modulus: [...] PublicExponent: [...] # everything after this point is secret PrivateExponent: [...] Prime1: [...] Prime2: [...] Exponent1: [...] Exponent2: [...] Coefficient: [...] } # do not change the indenting of that "[sums to 7d9d...]" + _________________________ ipsec/listall + ipsec auto --listall 000 000 List of Public Keys: 000 000 Dec 01 12:09:41 2008, 1024 RSA Key AQOGAKfBG (no private key), until --- -- --:--:-- ---- ok (expires never) 000 ID_FQDN '@right.digitro.com.br' 000 Dec 01 12:09:41 2008, 1024 RSA Key AQPQOA8iZ (has private key), until --- -- --:--:-- ---- ok (expires never) 000 ID_FQDN '@left.digitro.com.br' 000 List of Pre-shared secrets (from /etc/ipsec.secrets) 000 1: RSA (none) (none) + '[' /etc/ipsec.d/policies ']' + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/block + base=block + _________________________ ipsec/policies/block + cat /etc/ipsec.d/policies/block # This file defines the set of CIDRs (network/mask-length) to which # communication should never be allowed. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/clear + base=clear + _________________________ ipsec/policies/clear + cat /etc/ipsec.d/policies/clear # This file defines the set of CIDRs (network/mask-length) to which # communication should always be in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # root name servers should be in the clear 192.58.128.30/32 198.41.0.4/32 192.228.79.201/32 192.33.4.12/32 128.8.10.90/32 192.203.230.10/32 192.5.5.241/32 192.112.36.4/32 128.63.2.53/32 192.36.148.17/32 193.0.14.129/32 199.7.83.42/32 202.12.27.33/32 + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/clear-or-private + base=clear-or-private + _________________________ ipsec/policies/clear-or-private + cat /etc/ipsec.d/policies/clear-or-private # This file defines the set of CIDRs (network/mask-length) to which # we will communicate in the clear, or, if the other side initiates IPSEC, # using encryption. This behaviour is also called "Opportunistic Responder". # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/private + base=private + _________________________ ipsec/policies/private + cat /etc/ipsec.d/policies/private # This file defines the set of CIDRs (network/mask-length) to which # communication should always be private (i.e. encrypted). # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/private-or-clear + base=private-or-clear + _________________________ ipsec/policies/private-or-clear + cat /etc/ipsec.d/policies/private-or-clear # This file defines the set of CIDRs (network/mask-length) to which # communication should be private, if possible, but in the clear otherwise. # # If the target has a TXT (later IPSECKEY) record that specifies # authentication material, we will require private (i.e. encrypted) # communications. If no such record is found, communications will be # in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $ # 0.0.0.0/0 + _________________________ ipsec/ls-libdir + ls -l /usr/libexec/ipsec total 2700 -rwxr-xr-x 1 root root 5996 Dec 1 10:17 _copyright -rwxr-xr-x 1 root root 2379 Dec 1 10:17 _include -rwxr-xr-x 1 root root 1475 Dec 1 10:17 _keycensor -rwxr-xr-x 1 root root 2632 Dec 1 10:17 _plutoload -rwxr-xr-x 1 root root 7627 Dec 1 10:17 _plutorun -rwxr-xr-x 1 root root 12863 Dec 1 10:17 _realsetup -rwxr-xr-x 1 root root 1975 Dec 1 10:17 _secretcensor -rwxr-xr-x 1 root root 8119 Dec 1 10:17 _startklips -rwxr-xr-x 1 root root 8119 Dec 1 10:17 _startklips.old -rwxr-xr-x 1 root root 5773 Dec 1 10:17 _startnetkey -rwxr-xr-x 1 root root 4880 Dec 1 10:17 _updown -rwxr-xr-x 1 root root 14030 Dec 1 10:17 _updown.klips -rwxr-xr-x 1 root root 14030 Dec 1 10:17 _updown.klips.old -rwxr-xr-x 1 root root 11798 Dec 1 10:17 _updown.mast -rwxr-xr-x 1 root root 11798 Dec 1 10:17 _updown.mast.old -rwxr-xr-x 1 root root 8534 Dec 1 10:17 _updown.netkey -rwxr-xr-x 1 root root 184192 Dec 1 10:17 addconn -rwxr-xr-x 1 root root 6129 Dec 1 10:17 auto -rwxr-xr-x 1 root root 10758 Dec 1 10:17 barf -rwxr-xr-x 1 root root 90028 Dec 1 10:17 eroute -rwxr-xr-x 1 root root 20072 Dec 1 10:17 ikeping -rwxr-xr-x 1 root root 69744 Dec 1 10:17 klipsdebug -rwxr-xr-x 1 root root 1836 Dec 1 10:17 livetest -rwxr-xr-x 1 root root 2591 Dec 1 10:17 look -rwxr-xr-x 1 root root 414480 Dec 1 10:17 lwdnsq -rwxr-xr-x 1 root root 1921 Dec 1 10:17 newhostkey -rwxr-xr-x 1 root root 60780 Dec 1 10:17 pf_key -rwxr-xr-x 1 root root 991428 Dec 1 10:17 pluto -rwxr-xr-x 1 root root 10176 Dec 1 10:17 ranbits -rwxr-xr-x 1 root root 20532 Dec 1 10:17 rsasigkey -rwxr-xr-x 1 root root 766 Dec 1 10:17 secrets lrwxrwxrwx 1 root root 30 Dec 1 09:16 setup -> ../../../etc/rc.d/init.d/ipsec -rwxr-xr-x 1 root root 1054 Dec 1 10:17 showdefaults -rwxr-xr-x 1 root root 223472 Dec 1 10:17 showhostkey -rwxr-xr-x 1 root root 22684 Dec 1 10:17 showpolicy -rwxr-xr-x 1 root root 148008 Dec 1 10:17 spi -rwxr-xr-x 1 root root 77276 Dec 1 10:17 spigrp -rwxr-xr-x 1 root root 69160 Dec 1 10:17 tncfg -rwxr-xr-x 1 root root 12526 Dec 1 10:17 verify -rwxr-xr-x 1 root root 50600 Dec 1 10:17 whack + _________________________ ipsec/ls-execdir + ls -l /usr/libexec/ipsec total 2700 -rwxr-xr-x 1 root root 5996 Dec 1 10:17 _copyright -rwxr-xr-x 1 root root 2379 Dec 1 10:17 _include -rwxr-xr-x 1 root root 1475 Dec 1 10:17 _keycensor -rwxr-xr-x 1 root root 2632 Dec 1 10:17 _plutoload -rwxr-xr-x 1 root root 7627 Dec 1 10:17 _plutorun -rwxr-xr-x 1 root root 12863 Dec 1 10:17 _realsetup -rwxr-xr-x 1 root root 1975 Dec 1 10:17 _secretcensor -rwxr-xr-x 1 root root 8119 Dec 1 10:17 _startklips -rwxr-xr-x 1 root root 8119 Dec 1 10:17 _startklips.old -rwxr-xr-x 1 root root 5773 Dec 1 10:17 _startnetkey -rwxr-xr-x 1 root root 4880 Dec 1 10:17 _updown -rwxr-xr-x 1 root root 14030 Dec 1 10:17 _updown.klips -rwxr-xr-x 1 root root 14030 Dec 1 10:17 _updown.klips.old -rwxr-xr-x 1 root root 11798 Dec 1 10:17 _updown.mast -rwxr-xr-x 1 root root 11798 Dec 1 10:17 _updown.mast.old -rwxr-xr-x 1 root root 8534 Dec 1 10:17 _updown.netkey -rwxr-xr-x 1 root root 184192 Dec 1 10:17 addconn -rwxr-xr-x 1 root root 6129 Dec 1 10:17 auto -rwxr-xr-x 1 root root 10758 Dec 1 10:17 barf -rwxr-xr-x 1 root root 90028 Dec 1 10:17 eroute -rwxr-xr-x 1 root root 20072 Dec 1 10:17 ikeping -rwxr-xr-x 1 root root 69744 Dec 1 10:17 klipsdebug -rwxr-xr-x 1 root root 1836 Dec 1 10:17 livetest -rwxr-xr-x 1 root root 2591 Dec 1 10:17 look -rwxr-xr-x 1 root root 414480 Dec 1 10:17 lwdnsq -rwxr-xr-x 1 root root 1921 Dec 1 10:17 newhostkey -rwxr-xr-x 1 root root 60780 Dec 1 10:17 pf_key -rwxr-xr-x 1 root root 991428 Dec 1 10:17 pluto -rwxr-xr-x 1 root root 10176 Dec 1 10:17 ranbits -rwxr-xr-x 1 root root 20532 Dec 1 10:17 rsasigkey -rwxr-xr-x 1 root root 766 Dec 1 10:17 secrets lrwxrwxrwx 1 root root 30 Dec 1 09:16 setup -> ../../../etc/rc.d/init.d/ipsec -rwxr-xr-x 1 root root 1054 Dec 1 10:17 showdefaults -rwxr-xr-x 1 root root 223472 Dec 1 10:17 showhostkey -rwxr-xr-x 1 root root 22684 Dec 1 10:17 showpolicy -rwxr-xr-x 1 root root 148008 Dec 1 10:17 spi -rwxr-xr-x 1 root root 77276 Dec 1 10:17 spigrp -rwxr-xr-x 1 root root 69160 Dec 1 10:17 tncfg -rwxr-xr-x 1 root root 12526 Dec 1 10:17 verify -rwxr-xr-x 1 root root 50600 Dec 1 10:17 whack + _________________________ /proc/net/dev + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 838396 14102 0 0 0 0 0 0 838396 14102 0 0 0 0 0 0 eth0:31560640 437710 18 0 0 0 0 0 395184 2656 0 0 0 0 0 0 ipsec0: 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 mast0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _________________________ /proc/net/route + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT eth0 000E0E0E 00000000 0001 0 0 0 00FFFFFF 0 0 0 ipsec0 000F0F0F 00000000 0001 0 0 0 00FFFFFF 0 0 0 eth0 00A0A8C0 00000000 0001 0 0 0 00F0FFFF 0 0 0 ipsec0 00A0A8C0 00000000 0001 0 0 0 00F0FFFF 0 0 0 eth0 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0 eth0 00000000 01A0A8C0 0003 0 0 0 00000000 0 0 0 + _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc + cat /proc/sys/net/ipv4/ip_no_pmtu_disc 0 + _________________________ /proc/sys/net/ipv4/ip_forward + cat /proc/sys/net/ipv4/ip_forward 1 + _________________________ /proc/sys/net/ipv4/tcp_ecn + cat /proc/sys/net/ipv4/tcp_ecn 0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + cd /proc/sys/net/ipv4/conf + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter ipsec0/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:1 eth0/rp_filter:0 ipsec0/rp_filter:1 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects + cd /proc/sys/net/ipv4/conf + egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects ipsec0/accept_redirects ipsec0/secure_redirects ipsec0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects all/accept_redirects:0 all/secure_redirects:1 all/send_redirects:1 default/accept_redirects:0 default/secure_redirects:1 default/send_redirects:0 eth0/accept_redirects:1 eth0/secure_redirects:1 eth0/send_redirects:1 ipsec0/accept_redirects:0 ipsec0/secure_redirects:1 ipsec0/send_redirects:0 lo/accept_redirects:1 lo/secure_redirects:1 lo/send_redirects:1 + _________________________ /proc/sys/net/ipv4/tcp_window_scaling + cat /proc/sys/net/ipv4/tcp_window_scaling 1 + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale + cat /proc/sys/net/ipv4/tcp_adv_win_scale 2 + _________________________ uname-a + uname -a Linux dinamico88.dti.digitro.com.br 2.6.18-53.1.13.el5 #1 SMP Tue Feb 12 13:01:45 EST 2008 i686 athlon i386 GNU/Linux + _________________________ config-built-with + test -r /proc/config_built_with + _________________________ distro-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/redhat-release + cat /etc/redhat-release CentOS release 5 (Final) + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/debian-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/SuSE-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/mandrake-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/mandriva-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/gentoo-release + _________________________ /proc/net/ipsec_version + test -r /proc/net/ipsec_version + cat /proc/net/ipsec_version Openswan version: 2.6.18 + _________________________ iptables + test -r /sbin/iptables + iptables -L -v -n Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination + _________________________ iptables-nat + iptables -t nat -L -v -n Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination + _________________________ iptables-mangle + iptables -t mangle -L -v -n Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination + _________________________ /proc/modules + test -f /proc/modules + cat /proc/modules iptable_mangle 6849 0 - Live 0xd0adc000 iptable_nat 11205 0 - Live 0xd0b29000 ip_nat 20973 1 iptable_nat, Live 0xd0b11000 ip_conntrack 53025 2 iptable_nat,ip_nat, Live 0xd0b1b000 nfnetlink 10713 2 ip_nat,ip_conntrack, Live 0xd0ad8000 iptable_filter 7105 0 - Live 0xd0a96000 ip_tables 17029 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xd0ae5000 x_tables 17349 2 iptable_nat,ip_tables, Live 0xd0adf000 ipsec 328228 2 [permanent], Live 0xd0f23000 ext3 123849 1 - Live 0xd0b2f000 jbd 56681 1 ext3, Live 0xd0afb000 dm_mirror 28869 0 - Live 0xd0a50000 dm_multipath 21577 0 - Live 0xd0a8f000 dm_mod 58457 2 dm_mirror,dm_multipath, Live 0xd0aeb000 sg 36061 0 - Live 0xd0a9b000 floppy 57125 0 - Live 0xd0ac9000 ata_piix 18629 0 - Live 0xd0a89000 ahci 23621 1 - Live 0xd0a73000 libata 115961 2 ata_piix,ahci, Live 0xd0aab000 pcnet32 35269 0 - Live 0xd0a7f000 mii 9409 1 pcnet32, Live 0xd0a4c000 i2c_piix4 12237 0 - Live 0xd0845000 i2c_core 23745 1 i2c_piix4, Live 0xd0813000 ide_cd 40033 0 - Live 0xd0a41000 cdrom 36705 1 ide_cd, Live 0xd0a37000 parport_pc 29157 0 - Live 0xd0875000 parport 37513 1 parport_pc, Live 0xd084c000 aufs 100656 1 - Live 0xd0a59000 sd_mod 25025 2 - Live 0xd0861000 usb_storage 76577 0 - Live 0xd0a23000 ehci_hcd 33101 0 - Live 0xd0857000 scsi_mod 133069 4 sg,libata,sd_mod,usb_storage, Live 0xd0a01000 vfat 15809 1 - Live 0xd083b000 fat 51165 1 vfat, Live 0xd0820000 squashfs 45253 1 - Live 0xd082e000 loop 19017 2 - Live 0xd081a000 + _________________________ /proc/meminfo + cat /proc/meminfo MemTotal: 255696 kB MemFree: 3932 kB Buffers: 120732 kB Cached: 88116 kB SwapCached: 0 kB Active: 56612 kB Inactive: 179312 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 255696 kB LowFree: 3932 kB SwapTotal: 0 kB SwapFree: 0 kB Dirty: 24 kB Writeback: 0 kB AnonPages: 27100 kB Mapped: 10920 kB Slab: 11728 kB PageTables: 1232 kB NFS_Unstable: 0 kB Bounce: 0 kB CommitLimit: 127848 kB Committed_AS: 78768 kB VmallocTotal: 770040 kB VmallocUsed: 3636 kB VmallocChunk: 762404 kB HugePages_Total: 0 HugePages_Free: 0 HugePages_Rsvd: 0 Hugepagesize: 4096 kB + _________________________ /proc/net/ipsec-ls + test -f /proc/net/ipsec_version + ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version lrwxrwxrwx 1 root root 16 Dec 1 12:17 /proc/net/ipsec_eroute -> ipsec/eroute/all lrwxrwxrwx 1 root root 16 Dec 1 12:17 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug lrwxrwxrwx 1 root root 13 Dec 1 12:17 /proc/net/ipsec_spi -> ipsec/spi/all lrwxrwxrwx 1 root root 16 Dec 1 12:17 /proc/net/ipsec_spigrp -> ipsec/spigrp/all lrwxrwxrwx 1 root root 11 Dec 1 12:17 /proc/net/ipsec_tncfg -> ipsec/tncfg lrwxrwxrwx 1 root root 13 Dec 1 12:17 /proc/net/ipsec_version -> ipsec/version + _________________________ usr/src/linux/.config + test -f /proc/config.gz ++ uname -r + test -f /lib/modules/2.6.18-53.1.13.el5/build/.config + echo 'no .config file found, cannot list kernel properties' no .config file found, cannot list kernel properties + _________________________ etc/syslog.conf + _________________________ etc/syslog-ng/syslog-ng.conf + cat /etc/syslog-ng/syslog-ng.conf cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory + cat /etc/syslog.conf # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log + _________________________ etc/resolv.conf + cat /etc/resolv.conf ; generated by /sbin/dhclient-script search dti.digitro.com.br nameserver 192.168.50.41 nameserver 192.168.50.42 + _________________________ lib/modules-ls + ls -ltr /lib/modules total 0 drwxr-xr-x 6 root root 280 Dec 1 09:16 2.6.18-53.1.13.el5 + _________________________ /proc/ksyms-netif_rx + test -r /proc/ksyms + test -r /proc/kallsyms + egrep netif_rx /proc/kallsyms c05abbfb T __netif_rx_schedule c05ac941 T netif_rx c05adce4 T netif_rx_ni c05ac941 U netif_rx [ipsec] c05ac941 U netif_rx [pcnet32] + _________________________ lib/modules-netif_rx + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.6.18-53.1.13.el5: + _________________________ kern.debug + test -f /var/log/kern.debug + _________________________ klog + sed -n '14,$p' /var/log/messages + egrep -i 'ipsec|klips|pluto' + case "$1" in + cat Dec 1 12:08:53 dinamico88 ipsec_setup: Starting Openswan IPsec 2.6.18... + _________________________ plog + sed -n '18,$p' /var/log/secure + egrep -i pluto + case "$1" in + cat Dec 1 12:08:53 dinamico88 ipsec__plutorun: Starting Pluto subsystem... + _________________________ date + date Mon Dec 1 12:17:50 BRST 2008