dinamico38.dti.digitro.com.br Mon Dec 1 14:21:48 BRST 2008 + _________________________ version + ipsec --version Linux Openswan 2.6.18 (klips) See `ipsec --copyright' for copyright information. + _________________________ /proc/version + cat /proc/version Linux version 2.6.18-53.1.13.el5 (mockbuild@builder6.centos.org) (gcc version 4.1.2 20070626 (Red Hat 4.1.2-14)) #1 SMP Tue Feb 12 13:01:45 EST 2008 + _________________________ /proc/net/ipsec_eroute + test -r /proc/net/ipsec_eroute + sort -sg -k 3 /proc/net/ipsec_eroute 0 15.15.15.0/24 -> 14.14.14.0/24 => tun0x1001@192.168.170.88 + _________________________ netstat-rn + netstat -nr + head -n 100 Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 14.14.14.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0 10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 15.15.15.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 192.168.160.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0 192.168.160.0 0.0.0.0 255.255.240.0 U 0 0 0 ipsec0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1 0.0.0.0 192.168.160.1 0.0.0.0 UG 0 0 0 eth0 + _________________________ /proc/net/ipsec_spi + test -r /proc/net/ipsec_spi + cat /proc/net/ipsec_spi esp0xd236acd5@192.168.170.88 ESP_3DES_HMAC_SHA1: dir=out src=192.168.170.38 iv_bits=64bits iv=0x5a328acd07d4d194 ooowin=64 alen=160 aklen=160 eklen=192 life(c,s,h)=addtime(77,0,0) natencap=na refcount=3 ref=2 refhim=0 tun0x1001@192.168.170.88 IPIP: dir=out src=192.168.170.38 life(c,s,h)=addtime(77,0,0) natencap=na refcount=2 ref=1 refhim=0 esp0xff53421c@192.168.170.38 ESP_3DES_HMAC_SHA1: dir=in src=192.168.170.88 iv_bits=64bits iv=0x4ef042a2ef440bb0 ooowin=64 alen=160 aklen=160 eklen=192 life(c,s,h)=addtime(77,0,0) natencap=na refcount=2 ref=4 refhim=1 tun0x1002@192.168.170.38 IPIP: dir=in src=192.168.170.88 policy=14.14.14.0/24->15.15.15.0/24 flags=0x8<> life(c,s,h)=addtime(77,0,0) natencap=na refcount=3 ref=3 refhim=1 + _________________________ /proc/net/ipsec_spigrp + test -r /proc/net/ipsec_spigrp + cat /proc/net/ipsec_spigrp esp0xd236acd5@192.168.170.88 tun0x1001@192.168.170.88 esp0xd236acd5@192.168.170.88 esp0xff53421c@192.168.170.38 tun0x1002@192.168.170.38 tun0x1002@192.168.170.38 + _________________________ /proc/net/ipsec_tncfg + test -r /proc/net/ipsec_tncfg + cat /proc/net/ipsec_tncfg ipsec0 -> eth0 mtu=16260(1500) -> 1500 ipsec1 -> NULL mtu=0(0) -> 0 + _________________________ /proc/net/pfkey + test -r /proc/net/pfkey + _________________________ /proc/crypto + test -r /proc/crypto + cat /proc/crypto name : crc32c driver : crc32c-generic module : kernel priority : 0 type : digest blocksize : 32 digestsize : 4 name : sha1 driver : sha1-generic module : kernel priority : 0 type : digest blocksize : 64 digestsize : 20 + __________________________/proc/sys/net/core/xfrm-star /usr/libexec/ipsec/barf: line 191: __________________________/proc/sys/net/core/xfrm-star: Arquivo ou diretório não encontrado + for i in '/proc/sys/net/core/xfrm_*' + echo -n '/proc/sys/net/core/xfrm_acq_expires: ' /proc/sys/net/core/xfrm_acq_expires: + cat /proc/sys/net/core/xfrm_acq_expires 30 + for i in '/proc/sys/net/core/xfrm_*' + echo -n '/proc/sys/net/core/xfrm_aevent_etime: ' /proc/sys/net/core/xfrm_aevent_etime: + cat /proc/sys/net/core/xfrm_aevent_etime 10 + for i in '/proc/sys/net/core/xfrm_*' + echo -n '/proc/sys/net/core/xfrm_aevent_rseqth: ' /proc/sys/net/core/xfrm_aevent_rseqth: + cat /proc/sys/net/core/xfrm_aevent_rseqth 2 + for i in '/proc/sys/net/core/xfrm_*' + echo -n '/proc/sys/net/core/xfrm_larval_drop: ' /proc/sys/net/core/xfrm_larval_drop: + cat /proc/sys/net/core/xfrm_larval_drop 0 + _________________________ /proc/sys/net/ipsec-star + test -d /proc/sys/net/ipsec + cd /proc/sys/net/ipsec + egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_mast debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform debug_xmit icmp inbound_policy_check pfkey_lossage tos debug_ah:0 debug_eroute:0 debug_esp:0 debug_ipcomp:0 debug_mast:0 debug_netlink:0 debug_pfkey:0 debug_radij:0 debug_rcv:0 debug_spi:0 debug_tunnel:0 debug_verbose:0 debug_xform:0 debug_xmit:0 icmp:1 inbound_policy_check:1 pfkey_lossage:0 tos:1 + _________________________ ipsec/status + ipsec auto --status 000 using kernel interface: klips 000 interface ipsec0/eth0 192.168.170.38 000 %myid = (none) 000 debug none 000 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 000 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,72} attrs={0,2,96} 000 000 "net-to-net": 15.15.15.0/24===192.168.170.38<192.168.170.38>[@right.digitro.com.br,+S=C]...192.168.170.88<192.168.170.88>[@left.digitro.com.br,+S=C]===14.14.14.0/24; erouted; eroute owner: #2 000 "net-to-net": myip=unset; hisip=unset; 000 "net-to-net": ike_life: 300s; ipsec_life: 300s; rekey_margin: 120s; rekey_fuzz: 100%; keyingtries: 3 000 "net-to-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 24,24; interface: eth0; 000 "net-to-net": newest ISAKMP SA: #1; newest IPsec SA: #2; 000 "net-to-net": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048 000 "net-to-net": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=-strict 000 "net-to-net": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160 000 "net-to-net": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup= 000 000 #2: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 46s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate 000 #2: "net-to-net" esp.d236acd5@192.168.170.88 esp.ff53421c@192.168.170.38 tun.1001@192.168.170.88 tun.1002@192.168.170.38 ref=3 refhim=1 000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 45s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate 000 + _________________________ ifconfig-a + ifconfig -a eth0 Link encap:Ethernet HWaddr 00:1C:F0:A7:98:E0 inet addr:192.168.170.38 Bcast:192.168.175.255 Mask:255.255.240.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:42464 errors:0 dropped:0 overruns:0 frame:0 TX packets:4394 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:2941912 (2.8 MiB) TX bytes:375374 (366.5 KiB) Interrupt:209 Base address:0x2000 eth0:10 Link encap:Ethernet HWaddr 00:1C:F0:A7:98:E0 inet addr:15.15.15.15 Bcast:15.15.15.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:209 Base address:0x2000 eth1 Link encap:Ethernet HWaddr 00:1C:F0:9C:69:EA inet addr:10.0.0.3 Bcast:10.0.0.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1120 errors:0 dropped:0 overruns:0 frame:0 TX packets:1105 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:80583 (78.6 KiB) TX bytes:78530 (76.6 KiB) Interrupt:217 Base address:0xc000 eth2 Link encap:Ethernet HWaddr 00:1E:90:C8:8C:12 BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) Interrupt:50 Base address:0xc000 ipsec0 Link encap:Ethernet HWaddr 00:1C:F0:A7:98:E0 inet addr:192.168.170.38 Mask:255.255.240.0 UP RUNNING NOARP MTU:16260 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) ipsec1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 NOARP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:13761 errors:0 dropped:0 overruns:0 frame:0 TX packets:13761 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1691496 (1.6 MiB) TX bytes:1691496 (1.6 MiB) mast0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 NOARP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:10 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) + _________________________ ip-addr-list + ip addr list 1: lo: mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:1c:f0:a7:98:e0 brd ff:ff:ff:ff:ff:ff inet 192.168.170.38/20 brd 192.168.175.255 scope global eth0 inet 15.15.15.15/24 brd 15.15.15.255 scope global eth0:10 3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:1c:f0:9c:69:ea brd ff:ff:ff:ff:ff:ff inet 10.0.0.3/24 brd 10.0.0.255 scope global eth1 4: eth2: mtu 1500 qdisc noop qlen 1000 link/ether 00:1e:90:c8:8c:12 brd ff:ff:ff:ff:ff:ff 5: ipsec0: mtu 16260 qdisc pfifo_fast qlen 10 link/ether 00:1c:f0:a7:98:e0 brd ff:ff:ff:ff:ff:ff inet 192.168.170.38/20 brd 192.168.175.255 scope global ipsec0 6: ipsec1: mtu 0 qdisc noop qlen 10 link/void 7: mast0: mtu 0 qdisc noop qlen 10 link/[65534] + _________________________ ip-route-list + ip route list 14.14.14.0/24 dev ipsec0 scope link 10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.3 15.15.15.0/24 dev eth0 proto kernel scope link src 15.15.15.15 192.168.160.0/20 dev eth0 proto kernel scope link src 192.168.170.38 192.168.160.0/20 dev ipsec0 proto kernel scope link src 192.168.170.38 169.254.0.0/16 dev eth1 scope link default via 192.168.160.1 dev eth0 + _________________________ ip-rule-list + ip rule list 0: from all lookup 255 32766: from all lookup main 32767: from all lookup default + _________________________ ipsec_verify + ipsec verify --nocolour Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan 2.6.18 (klips) Checking for IPsec support in kernel [OK] KLIPS detected, checking for NAT Traversal support [FAILED] Checking for RSA private key (/etc/ipsec.secrets) [OK] Checking that pluto is running [OK] Two or more interfaces found, checking IP forwarding [OK] Checking NAT and MASQUERADEing [N/A] Checking for 'ip' command [OK] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED] + _________________________ mii-tool + '[' -x /sbin/mii-tool ']' + /sbin/mii-tool -v eth0: negotiated 100baseTx-FD flow-control, link ok product info: vendor 00:40:63, model 52 rev 9 basic mode: autonegotiation enabled basic status: autonegotiation complete, link ok capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control eth1: no autonegotiation, 10baseT-HD, link ok product info: vendor 00:40:63, model 52 rev 9 basic mode: autonegotiation enabled basic status: autonegotiation complete, link ok capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control link partner: 10baseT-HD SIOCGMIIPHY on 'eth2' failed: Operation not supported + _________________________ ipsec/directory + ipsec --directory /usr/libexec/ipsec + _________________________ hostname/fqdn + hostname --fqdn dinamico38.dti.digitro.com.br + _________________________ hostname/ipaddress + hostname --ip-address 192.168.170.38 + _________________________ uptime + uptime 14:21:48 up 17 min, 1 user, load average: 0.12, 0.14, 0.11 + _________________________ ps + ps alxwf + egrep -i 'ppid|pluto|ipsec|klips' F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND 0 0 10214 4484 25 0 3544 1144 - R+ pts/0 0:00 \_ /bin/sh /usr/libexec/ipsec/barf 1 0 5952 1 25 0 2380 404 wait S pts/0 0:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal no --keep_alive --protostack klips --force_keepalive --disable_port_floating no --virtual_private %v4:14.14.14.0/24,%v4:15.15.15.0/24,%v4:10.0.0.0/8,%v4:172.16.0.0/16 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog /axs/traces/ipsec.txt --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid 1 0 5961 5952 25 0 2380 564 wait S pts/0 0:00 \_ /bin/sh /usr/libexec/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal no --keep_alive --protostack klips --force_keepalive --disable_port_floating no --virtual_private %v4:14.14.14.0/24,%v4:15.15.15.0/24,%v4:10.0.0.0/8,%v4:172.16.0.0/16 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog /axs/traces/ipsec.txt --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid 4 0 5962 5961 16 0 3084 1500 - S pts/0 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-klips --uniqueids --virtual_private %v4:14.14.14.0/24,%v4:15.15.15.0/24,%v4:10.0.0.0/8,%v4:172.16.0.0/16 --stderrlog 1 0 5963 5962 25 10 3084 676 - SN pts/0 0:00 | \_ pluto helper # 0 0 0 5965 5952 25 0 2372 940 pipe_w S pts/0 0:00 \_ /bin/sh /usr/libexec/ipsec/_plutoload --wait no --post 0 0 5953 1 25 0 1632 500 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun + _________________________ ipsec/showdefaults + ipsec showdefaults routephys=eth0 routevirt=ipsec0 routeaddr=192.168.170.38 routenexthop=192.168.160.1 + _________________________ ipsec/conf + ipsec _include /etc/ipsec.conf + ipsec _keycensor #< /etc/ipsec.conf 1 # /etc/ipsec.conf - Openswan IPsec configuration file # # Manual: ipsec.conf.5 # # Please place your own config files in /etc/ipsec.d/ ending in .conf version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup # Debug-logging controls: "none" for (almost) none, "all" for lots. #klipsdebug=all # plutodebug="control parsing" #plutodebug=all plutostderrlog=/axs/traces/ipsec.txt # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey virtual_private=%v4:14.14.14.0/24,%v4:15.15.15.0/24,%v4:10.0.0.0/8,%v4:172.16.0.0/16 protostack=klips nat_traversal=no #interfaces="ipsec0=eth1" #include /etc/ipsec.d/*.conf conn %default rekeymargin=2m keylife=5m ikelifetime=5m # OE policy groups are disabled by default conn block auto=ignore conn clear auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear-or-private auto=ignore conn packetdefault auto=ignore #conn teste # left=172.16.16.1 # leftnexthop=10.0.0.1 # leftid=@left.digitro.com.br # # rsakey AQPQOA8iZ # leftrsasigkey=[keyid AQPQOA8iZ] # right=10.0.0.3 # rightnexthop=172.16.16.2 # rightid=@right.digitro.com.br # # rsakey AQOGAKfBG # rightrsasigkey=[keyid AQOGAKfBG] # auto=add conn net-to-net left=192.168.170.88 leftsubnet=14.14.14.0/24 leftid=@left.digitro.com.br # rsakey AQPQOA8iZ leftrsasigkey=[keyid AQPQOA8iZ] right=192.168.170.38 rightsubnet=15.15.15.0/24 rightid=@right.digitro.com.br # rsakey AQOGAKfBG rightrsasigkey=[keyid AQOGAKfBG] auto=add auth=esp esp=3des-sha1 #conn road # type=tunnel # left=10.0.0.3 # leftsubnet=15.15.15.0/24 # leftid=@right.digitro.com.br # leftrsasigkey=[keyid AQOGAKfBG] # right=%any # rightnexthop=%defaultroute # rightsubnet=vhost:%priv # #rightprotoport=17/0 # rightid=@left.digitro.com.br # rightrsasigkey=[keyid AQPQOA8iZ] # auto=add # auth=esp # esp=3des-sha1 # + _________________________ ipsec/secrets + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 : RSA { # RSA 1024 bits dinamico248.dti.digitro.com.br Tue Nov 18 09:14:32 2008 # for signatures only, UNSAFE FOR ENCRYPTION #pubkey=[keyid AQOGAKfBG] Modulus: [...] PublicExponent: [...] # everything after this point is secret PrivateExponent: [...] Prime1: [...] Prime2: [...] Exponent1: [...] Exponent2: [...] Coefficient: [...] } # do not change the indenting of that "[sums to 7d9d...]" + _________________________ ipsec/listall + ipsec auto --listall 000 000 List of Public Keys: 000 000 Dec 01 14:10:27 2008, 1024 RSA Key AQOGAKfBG (has private key), until --- -- --:--:-- ---- ok (expires never) 000 ID_FQDN '@right.digitro.com.br' 000 Dec 01 14:10:27 2008, 1024 RSA Key AQPQOA8iZ (no private key), until --- -- --:--:-- ---- ok (expires never) 000 ID_FQDN '@left.digitro.com.br' 000 List of Pre-shared secrets (from /etc/ipsec.secrets) 000 1: RSA (none) (none) + '[' /etc/ipsec.d/policies ']' + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/block + base=block + _________________________ ipsec/policies/block + cat /etc/ipsec.d/policies/block # This file defines the set of CIDRs (network/mask-length) to which # communication should never be allowed. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/clear + base=clear + _________________________ ipsec/policies/clear + cat /etc/ipsec.d/policies/clear # This file defines the set of CIDRs (network/mask-length) to which # communication should always be in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # root name servers should be in the clear 192.58.128.30/32 198.41.0.4/32 192.228.79.201/32 192.33.4.12/32 128.8.10.90/32 192.203.230.10/32 192.5.5.241/32 192.112.36.4/32 128.63.2.53/32 192.36.148.17/32 193.0.14.129/32 199.7.83.42/32 202.12.27.33/32 + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/clear-or-private + base=clear-or-private + _________________________ ipsec/policies/clear-or-private + cat /etc/ipsec.d/policies/clear-or-private # This file defines the set of CIDRs (network/mask-length) to which # we will communicate in the clear, or, if the other side initiates IPSEC, # using encryption. This behaviour is also called "Opportunistic Responder". # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/private + base=private + _________________________ ipsec/policies/private + cat /etc/ipsec.d/policies/private # This file defines the set of CIDRs (network/mask-length) to which # communication should always be private (i.e. encrypted). # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/private-or-clear + base=private-or-clear + _________________________ ipsec/policies/private-or-clear + cat /etc/ipsec.d/policies/private-or-clear # This file defines the set of CIDRs (network/mask-length) to which # communication should be private, if possible, but in the clear otherwise. # # If the target has a TXT (later IPSECKEY) record that specifies # authentication material, we will require private (i.e. encrypted) # communications. If no such record is found, communications will be # in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $ # 0.0.0.0/0 + _________________________ ipsec/ls-libdir + ls -l /usr/libexec/ipsec total 2700 -rwxr-xr-x 1 root root 5996 Dec 1 11:50 _copyright -rwxr-xr-x 1 root root 2379 Dec 1 11:50 _include -rwxr-xr-x 1 root root 1475 Dec 1 11:50 _keycensor -rwxr-xr-x 1 root root 2632 Dec 1 11:50 _plutoload -rwxr-xr-x 1 root root 7627 Dec 1 11:50 _plutorun -rwxr-xr-x 1 root root 12863 Dec 1 11:50 _realsetup -rwxr-xr-x 1 root root 1975 Dec 1 11:50 _secretcensor -rwxr-xr-x 1 root root 8119 Dec 1 11:50 _startklips -rwxr-xr-x 1 root root 8119 Dec 1 11:50 _startklips.old -rwxr-xr-x 1 root root 5773 Dec 1 11:50 _startnetkey -rwxr-xr-x 1 root root 4880 Dec 1 11:50 _updown -rwxr-xr-x 1 root root 14030 Dec 1 11:50 _updown.klips -rwxr-xr-x 1 root root 14030 Dec 1 11:50 _updown.klips.old -rwxr-xr-x 1 root root 11798 Dec 1 11:50 _updown.mast -rwxr-xr-x 1 root root 11798 Dec 1 11:50 _updown.mast.old -rwxr-xr-x 1 root root 8534 Dec 1 11:50 _updown.netkey -rwxr-xr-x 1 root root 184192 Dec 1 11:50 addconn -rwxr-xr-x 1 root root 6129 Dec 1 11:50 auto -rwxr-xr-x 1 root root 10758 Dec 1 11:50 barf -rwxr-xr-x 1 root root 90028 Dec 1 11:50 eroute -rwxr-xr-x 1 root root 20072 Dec 1 11:50 ikeping -rwxr-xr-x 1 root root 69744 Dec 1 11:50 klipsdebug -rwxr-xr-x 1 root root 1836 Dec 1 11:50 livetest -rwxr-xr-x 1 root root 2591 Dec 1 11:50 look -rwxr-xr-x 1 root root 414480 Dec 1 11:50 lwdnsq -rwxr-xr-x 1 root root 1921 Dec 1 11:50 newhostkey -rwxr-xr-x 1 root root 60780 Dec 1 11:50 pf_key -rwxr-xr-x 1 root root 991428 Dec 1 11:50 pluto -rwxr-xr-x 1 root root 10176 Dec 1 11:50 ranbits -rwxr-xr-x 1 root root 20532 Dec 1 11:50 rsasigkey -rwxr-xr-x 1 root root 766 Dec 1 11:50 secrets lrwxrwxrwx 1 root root 30 Dec 1 14:04 setup -> ../../../etc/rc.d/init.d/ipsec -rwxr-xr-x 1 root root 1054 Dec 1 11:50 showdefaults -rwxr-xr-x 1 root root 223472 Dec 1 11:50 showhostkey -rwxr-xr-x 1 root root 22684 Dec 1 11:50 showpolicy -rwxr-xr-x 1 root root 148008 Dec 1 11:50 spi -rwxr-xr-x 1 root root 77276 Dec 1 11:50 spigrp -rwxr-xr-x 1 root root 69160 Dec 1 11:50 tncfg -rwxr-xr-x 1 root root 12526 Dec 1 11:50 verify -rwxr-xr-x 1 root root 50600 Dec 1 11:50 whack + _________________________ ipsec/ls-execdir + ls -l /usr/libexec/ipsec total 2700 -rwxr-xr-x 1 root root 5996 Dec 1 11:50 _copyright -rwxr-xr-x 1 root root 2379 Dec 1 11:50 _include -rwxr-xr-x 1 root root 1475 Dec 1 11:50 _keycensor -rwxr-xr-x 1 root root 2632 Dec 1 11:50 _plutoload -rwxr-xr-x 1 root root 7627 Dec 1 11:50 _plutorun -rwxr-xr-x 1 root root 12863 Dec 1 11:50 _realsetup -rwxr-xr-x 1 root root 1975 Dec 1 11:50 _secretcensor -rwxr-xr-x 1 root root 8119 Dec 1 11:50 _startklips -rwxr-xr-x 1 root root 8119 Dec 1 11:50 _startklips.old -rwxr-xr-x 1 root root 5773 Dec 1 11:50 _startnetkey -rwxr-xr-x 1 root root 4880 Dec 1 11:50 _updown -rwxr-xr-x 1 root root 14030 Dec 1 11:50 _updown.klips -rwxr-xr-x 1 root root 14030 Dec 1 11:50 _updown.klips.old -rwxr-xr-x 1 root root 11798 Dec 1 11:50 _updown.mast -rwxr-xr-x 1 root root 11798 Dec 1 11:50 _updown.mast.old -rwxr-xr-x 1 root root 8534 Dec 1 11:50 _updown.netkey -rwxr-xr-x 1 root root 184192 Dec 1 11:50 addconn -rwxr-xr-x 1 root root 6129 Dec 1 11:50 auto -rwxr-xr-x 1 root root 10758 Dec 1 11:50 barf -rwxr-xr-x 1 root root 90028 Dec 1 11:50 eroute -rwxr-xr-x 1 root root 20072 Dec 1 11:50 ikeping -rwxr-xr-x 1 root root 69744 Dec 1 11:50 klipsdebug -rwxr-xr-x 1 root root 1836 Dec 1 11:50 livetest -rwxr-xr-x 1 root root 2591 Dec 1 11:50 look -rwxr-xr-x 1 root root 414480 Dec 1 11:50 lwdnsq -rwxr-xr-x 1 root root 1921 Dec 1 11:50 newhostkey -rwxr-xr-x 1 root root 60780 Dec 1 11:50 pf_key -rwxr-xr-x 1 root root 991428 Dec 1 11:50 pluto -rwxr-xr-x 1 root root 10176 Dec 1 11:50 ranbits -rwxr-xr-x 1 root root 20532 Dec 1 11:50 rsasigkey -rwxr-xr-x 1 root root 766 Dec 1 11:50 secrets lrwxrwxrwx 1 root root 30 Dec 1 14:04 setup -> ../../../etc/rc.d/init.d/ipsec -rwxr-xr-x 1 root root 1054 Dec 1 11:50 showdefaults -rwxr-xr-x 1 root root 223472 Dec 1 11:50 showhostkey -rwxr-xr-x 1 root root 22684 Dec 1 11:50 showpolicy -rwxr-xr-x 1 root root 148008 Dec 1 11:50 spi -rwxr-xr-x 1 root root 77276 Dec 1 11:50 spigrp -rwxr-xr-x 1 root root 69160 Dec 1 11:50 tncfg -rwxr-xr-x 1 root root 12526 Dec 1 11:50 verify -rwxr-xr-x 1 root root 50600 Dec 1 11:50 whack + _________________________ /proc/net/dev + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 1691559 13762 0 0 0 0 0 0 1691559 13762 0 0 0 0 0 0 eth0: 2943098 42480 0 0 0 0 0 0 375636 4398 0 0 0 0 0 0 eth1: 80660 1121 0 0 0 0 0 0 78594 1106 0 0 0 0 0 0 eth2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 mast0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _________________________ /proc/net/route + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT ipsec0 000E0E0E 00000000 0001 0 0 0 00FFFFFF 0 0 0 eth1 0000000A 00000000 0001 0 0 0 00FFFFFF 0 0 0 eth0 000F0F0F 00000000 0001 0 0 0 00FFFFFF 0 0 0 eth0 00A0A8C0 00000000 0001 0 0 0 00F0FFFF 0 0 0 ipsec0 00A0A8C0 00000000 0001 0 0 0 00F0FFFF 0 0 0 eth1 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0 eth0 00000000 01A0A8C0 0003 0 0 0 00000000 0 0 0 + _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc + cat /proc/sys/net/ipv4/ip_no_pmtu_disc 0 + _________________________ /proc/sys/net/ipv4/ip_forward + cat /proc/sys/net/ipv4/ip_forward 1 + _________________________ /proc/sys/net/ipv4/tcp_ecn + cat /proc/sys/net/ipv4/tcp_ecn 0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + cd /proc/sys/net/ipv4/conf + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:1 eth0/rp_filter:0 eth1/rp_filter:0 ipsec0/rp_filter:1 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects + cd /proc/sys/net/ipv4/conf + egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects ipsec0/accept_redirects ipsec0/secure_redirects ipsec0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects all/accept_redirects:0 all/secure_redirects:1 all/send_redirects:1 default/accept_redirects:0 default/secure_redirects:1 default/send_redirects:0 eth0/accept_redirects:1 eth0/secure_redirects:1 eth0/send_redirects:1 eth1/accept_redirects:1 eth1/secure_redirects:1 eth1/send_redirects:1 ipsec0/accept_redirects:0 ipsec0/secure_redirects:1 ipsec0/send_redirects:0 lo/accept_redirects:1 lo/secure_redirects:1 lo/send_redirects:1 + _________________________ /proc/sys/net/ipv4/tcp_window_scaling + cat /proc/sys/net/ipv4/tcp_window_scaling 1 + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale + cat /proc/sys/net/ipv4/tcp_adv_win_scale 2 + _________________________ uname-a + uname -a Linux dinamico38.dti.digitro.com.br 2.6.18-53.1.13.el5 #1 SMP Tue Feb 12 13:01:45 EST 2008 i686 athlon i386 GNU/Linux + _________________________ config-built-with + test -r /proc/config_built_with + _________________________ distro-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/redhat-release + cat /etc/redhat-release CentOS release 5 (Final) + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/debian-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/SuSE-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/mandrake-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/mandriva-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/gentoo-release + _________________________ /proc/net/ipsec_version + test -r /proc/net/ipsec_version + cat /proc/net/ipsec_version Openswan version: 2.6.18 + _________________________ iptables + test -r /sbin/iptables + iptables -L -v -n Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination + _________________________ iptables-nat + iptables -t nat -L -v -n Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 8 packets, 922 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 8 packets, 922 bytes) pkts bytes target prot opt in out source destination + _________________________ iptables-mangle + iptables -t mangle -L -v -n Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination + _________________________ /proc/modules + test -f /proc/modules + cat /proc/modules iptable_mangle 6849 0 - Live 0xd8aa6000 iptable_nat 11205 0 - Live 0xd8b28000 ip_nat 20973 1 iptable_nat, Live 0xd8b21000 ip_conntrack 53025 2 iptable_nat,ip_nat, Live 0xd8b32000 nfnetlink 10713 2 ip_nat,ip_conntrack, Live 0xd8b05000 iptable_filter 7105 0 - Live 0xd8aa3000 ip_tables 17029 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xd8aa9000 x_tables 17349 2 iptable_nat,ip_tables, Live 0xd8aff000 ipsec 328228 2 [permanent], Live 0xd8f3a000 ext3 123849 1 - Live 0xd8b46000 jbd 56681 1 ext3, Live 0xd8b12000 dm_mirror 28869 0 - Live 0xd8af6000 dm_multipath 21577 0 - Live 0xd8a9c000 dm_mod 58457 2 dm_mirror,dm_multipath, Live 0xd8ae6000 sg 36061 0 - Live 0xd8adc000 floppy 57125 0 - Live 0xd8aaf000 sata_nv 22469 1 - Live 0xd8a80000 libata 115961 1 sata_nv, Live 0xd8abe000 forcedeth 47561 0 - Live 0xd8a8f000 ohci_hcd 23389 0 - Live 0xd8a5f000 k8temp 9537 0 - Live 0xd887c000 hwmon 7365 1 k8temp, Live 0xd8879000 via_rhine 27597 0 - Live 0xd8a57000 mii 9409 1 via_rhine, Live 0xd884f000 parport_pc 29157 0 - Live 0xd8a44000 parport 37513 1 parport_pc, Live 0xd8a01000 aufs 100656 1 - Live 0xd8a66000 sd_mod 25025 2 - Live 0xd8a16000 usb_storage 76577 0 - Live 0xd8a30000 ehci_hcd 33101 0 - Live 0xd8a0c000 scsi_mod 133069 4 sg,libata,sd_mod,usb_storage, Live 0xd8857000 vfat 15809 1 - Live 0xd8846000 fat 51165 1 vfat, Live 0xd882b000 squashfs 45253 1 - Live 0xd8839000 loop 19017 2 - Live 0xd8825000 + _________________________ /proc/meminfo + cat /proc/meminfo MemTotal: 384460 kB MemFree: 70232 kB Buffers: 120552 kB Cached: 149768 kB SwapCached: 0 kB Active: 73856 kB Inactive: 222528 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 384460 kB LowFree: 70232 kB SwapTotal: 0 kB SwapFree: 0 kB Dirty: 788 kB Writeback: 0 kB AnonPages: 26064 kB Mapped: 10860 kB Slab: 13596 kB PageTables: 1176 kB NFS_Unstable: 0 kB Bounce: 0 kB CommitLimit: 192228 kB Committed_AS: 77360 kB VmallocTotal: 638968 kB VmallocUsed: 3680 kB VmallocChunk: 631240 kB HugePages_Total: 0 HugePages_Free: 0 HugePages_Rsvd: 0 Hugepagesize: 4096 kB + _________________________ /proc/net/ipsec-ls + test -f /proc/net/ipsec_version + ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version lrwxrwxrwx 1 root root 16 Dec 1 14:21 /proc/net/ipsec_eroute -> ipsec/eroute/all lrwxrwxrwx 1 root root 16 Dec 1 14:21 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug lrwxrwxrwx 1 root root 13 Dec 1 14:21 /proc/net/ipsec_spi -> ipsec/spi/all lrwxrwxrwx 1 root root 16 Dec 1 14:21 /proc/net/ipsec_spigrp -> ipsec/spigrp/all lrwxrwxrwx 1 root root 11 Dec 1 14:21 /proc/net/ipsec_tncfg -> ipsec/tncfg lrwxrwxrwx 1 root root 13 Dec 1 14:21 /proc/net/ipsec_version -> ipsec/version + _________________________ usr/src/linux/.config + test -f /proc/config.gz ++ uname -r + test -f /lib/modules/2.6.18-53.1.13.el5/build/.config + echo 'no .config file found, cannot list kernel properties' no .config file found, cannot list kernel properties + _________________________ etc/syslog.conf + _________________________ etc/syslog-ng/syslog-ng.conf + cat /etc/syslog-ng/syslog-ng.conf cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory + cat /etc/syslog.conf # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log + _________________________ etc/resolv.conf + cat /etc/resolv.conf ; generated by /sbin/dhclient-script search dti.digitro.com.br nameserver 192.168.50.41 nameserver 192.168.50.42 + _________________________ lib/modules-ls + ls -ltr /lib/modules total 0 drwxr-xr-x 6 root root 280 Dec 1 14:04 2.6.18-53.1.13.el5 + _________________________ /proc/ksyms-netif_rx + test -r /proc/ksyms + test -r /proc/kallsyms + egrep netif_rx /proc/kallsyms c05abbfb T __netif_rx_schedule c05ac941 T netif_rx c05adce4 T netif_rx_ni c05ac941 U netif_rx [ipsec] c05ac941 U netif_rx [forcedeth] c05abbfb U __netif_rx_schedule [via_rhine] + _________________________ lib/modules-netif_rx + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.6.18-53.1.13.el5: + _________________________ kern.debug + test -f /var/log/kern.debug + _________________________ klog + sed -n '432,$p' /var/log/messages + egrep -i 'ipsec|klips|pluto' + case "$1" in + cat Dec 1 14:10:23 dinamico38 ipsec_setup: Starting Openswan IPsec 2.6.18... Dec 1 14:10:23 dinamico38 pluto: adjusting ipsec.d to /etc/ipsec.d Dec 1 14:10:23 dinamico38 ipsec__plutorun: 002 added connection description "net-to-net" + _________________________ plog + sed -n '9,$p' /var/log/secure + egrep -i pluto + case "$1" in + cat Dec 1 14:10:23 dinamico38 ipsec__plutorun: Starting Pluto subsystem... + _________________________ date + date Mon Dec 1 14:21:48 BRST 2008