richard-desktop Tue Oct 27 15:55:18 GMT 2009 + _________________________ version + + ipsec --version Linux Openswan U2.4.9/K2.6.24-19-generic (netkey) See `ipsec --copyright' for copyright information. + _________________________ /proc/version + + cat /proc/version Linux version 2.6.24-19-generic (buildd@king) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) #1 SMP Wed Aug 20 17:53:40 UTC 2008 + _________________________ /proc/net/ipsec_eroute + + test -r /proc/net/ipsec_eroute + _________________________ netstat-rn + + netstat -nr + head -n 100 Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 wlan0 + _________________________ /proc/net/ipsec_spi + + test -r /proc/net/ipsec_spi + _________________________ /proc/net/ipsec_spigrp + + test -r /proc/net/ipsec_spigrp + _________________________ /proc/net/ipsec_tncfg + + test -r /proc/net/ipsec_tncfg + _________________________ /proc/net/pfkey + + test -r /proc/net/pfkey + cat /proc/net/pfkey sk RefCnt Rmem Wmem User Inode + _________________________ ip-xfrm-state + + ip xfrm state + _________________________ ip-xfrm-policy + + ip xfrm policy src ::/0 dst ::/0 dir in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 0 src ::/0 dst ::/0 dir out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 0 + _________________________ /proc/sys/net/ipsec-star + + test -d /proc/sys/net/ipsec + _________________________ ipsec/status + + ipsec auto --status 000 interface lo/lo ::1 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface wlan0/wlan0 192.168.0.2 000 interface wlan0/wlan0 192.168.0.2 000 %myid = (none) 000 debug none 000 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0 000 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,32,64} trans={0,32,960} attrs={0,32,320} 000 000 "cernis": 192.168.0.2[@home,XC+S=C]...00.000.00.0---00.000.000.00[@000,XS+S=C]===192.168.168.0/24; unrouted; eroute owner: #0 000 "cernis": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown; 000 "cernis": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "cernis": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: wlan0; encap: esp; 000 "cernis": newest ISAKMP SA: #10; newest IPsec SA: #0; 000 "cernis": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1536(5), AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=strict 000 "cernis": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2) 000 "cernis": IKE algorithm newest: AES_CBC_128-SHA1-MODP1024 000 "cernis": ESP algorithms wanted: AES(12)_128-SHA1(2); flags=strict 000 "cernis": ESP algorithms loaded: AES(12)_128-SHA1(2); flags=strict 000 000 #31: "cernis":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 30s; lastdpd=-1s(seq in:0 out:0) 000 #10: "cernis":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 914s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0) 000 #10: pending Phase 2 for "cernis" replacing #0 000 + _________________________ ifconfig-a + + ifconfig -a eth0 Link encap:Ethernet HWaddr 00:13:77:78:41:4a UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:51 errors:0 dropped:0 overruns:0 frame:0 TX packets:262 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:16549 (16.1 KB) TX bytes:24248 (23.6 KB) Interrupt:17 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:8492 errors:0 dropped:0 overruns:0 frame:0 TX packets:8492 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:651035 (635.7 KB) TX bytes:651035 (635.7 KB) vboxnet0 Link encap:Ethernet HWaddr 00:76:62:6e:65:74 BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) wlan0 Link encap:Ethernet HWaddr 00:1f:3c:1c:73:f1 inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::21f:3cff:fe1c:73f1/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:24929 errors:0 dropped:0 overruns:0 frame:0 TX packets:28574 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:13758950 (13.1 MB) TX bytes:5685707 (5.4 MB) wmaster0 Link encap:UNSPEC HWaddr 00-1F-3C-1C-73-F1-00-00-00-00-00-00-00-00-00-00 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) + _________________________ ip-addr-list + + ip addr list 1: lo: mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:13:77:78:41:4a brd ff:ff:ff:ff:ff:ff 3: wmaster0: mtu 1500 qdisc ieee80211 qlen 1000 link/ieee802.11 00:1f:3c:1c:73:f1 brd ff:ff:ff:ff:ff:ff 4: wlan0: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:1f:3c:1c:73:f1 brd ff:ff:ff:ff:ff:ff inet 192.168.0.2/24 brd 192.168.0.255 scope global wlan0 inet6 fe80::21f:3cff:fe1c:73f1/64 scope link valid_lft forever preferred_lft forever 5: vboxnet0: mtu 1500 qdisc noop qlen 1000 link/ether 00:76:62:6e:65:74 brd ff:ff:ff:ff:ff:ff + _________________________ ip-route-list + + ip route list 192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.2 169.254.0.0/16 dev wlan0 scope link metric 1000 default via 192.168.0.1 dev wlan0 + _________________________ ip-rule-list + + ip rule list 0: from all lookup local 32766: from all lookup main 32767: from all lookup default + _________________________ ipsec_verify + + ipsec verify --nocolour Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.4.9/K2.6.24-19-generic (netkey) Checking for IPsec support in kernel [OK] NETKEY detected, testing for disabled ICMP send_redirects [FAILED] Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects! NETKEY detected, testing for disabled ICMP accept_redirects [FAILED] Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects! Checking for RSA private key (/etc/ipsec.secrets) [DISABLED] ipsec showhostkey: no default key in "/etc/ipsec.secrets" Checking that pluto is running [OK] Two or more interfaces found, checking IP forwarding [FAILED] Checking for 'ip' command [OK] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED] + _________________________ mii-tool + + [ -x /sbin/mii-tool ] + /sbin/mii-tool -v eth0: no link product info: vendor 00:50:43, model 8 rev 3 basic mode: autonegotiation enabled basic status: no link capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control + _________________________ ipsec/directory + + ipsec --directory /usr/lib/ipsec + _________________________ hostname/fqdn + + hostname --fqdn richard-desktop + _________________________ hostname/ipaddress + + hostname --ip-address 127.0.1.1 + _________________________ uptime + + uptime 15:55:18 up 7:01, 2 users, load average: 0.10, 0.11, 0.10 + _________________________ ps + + ps alxwf + egrep -i ppid|pluto|ipsec|klips F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND 4 0 29784 24489 20 0 3764 440 finish T pts/0 0:00 \_ /usr/lib/ipsec/whack --name cernis --initiate 4 0 4866 24489 20 0 3944 600 wait S+ pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/barf 1 0 4944 4866 20 0 3944 324 - R+ pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/barf 1 0 24721 1 20 0 8968 488 wait S pts/0 0:00 /bin/bash /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers 0 --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid 1 0 24722 24721 20 0 8968 692 wait S pts/0 0:00 \_ /bin/bash /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers 0 --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid 4 0 24723 24722 20 0 57020 2912 - S pts/0 0:00 | \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --nhelpers 0 0 0 24812 24723 20 0 5848 396 - S pts/0 0:00 | \_ _pluto_adns 0 0 24725 24721 20 0 3944 592 pipe_w S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post 0 0 24724 1 20 0 3848 616 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun + _________________________ ipsec/showdefaults + + ipsec showdefaults routephys=wlan0 routevirt=ipsec0 routeaddr=192.168.0.2 routenexthop=192.168.0.1 + _________________________ ipsec/conf + + ipsec _include /etc/ipsec.conf + ipsec _keycensor #< /etc/ipsec.conf 1 # /etc/ipsec.conf - Openswan IPsec configuration file # RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $ # This file: /usr/share/doc/openswan/ipsec.conf-sample # # Manual: ipsec.conf.5 version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup # plutodebug / klipsdebug = "all", "none" or a combation from below: # "raw crypt parsing emitting control klips pfkey natt x509 private" # eg: plutodebug="control parsing" # # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !! # # NAT-TRAVERSAL support, see README.NAT-Traversal nat_traversal=yes # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 # # enable this if you see "failed to find any available worker" nhelpers=0 # Add connections here conn cernis type=tunnel left=%defaultroute leftid=@home leftxauthclient=yes right=00.000.000.00 rightnexthop=00.000.00.0 rightsubnet=000.000.000.000/24 #gateway IP for your LAN. This will work for most rightxauthserver=yes rightid=@xxxxxxxxxx keyingtries=0 pfs=no aggrmode=no auto=add auth=esp esp=AES-128-SHA1 keyexchange=ike ike=AES-128-SHA1 authby=secret # xauth=yes # sample VPN connections, see /etc/ipsec.d/examples/ #Disable Opportunistic Encryption #< /etc/ipsec.d/examples/no_oe.conf 1 # 'include' this file to disable Opportunistic Encryption. # See /usr/share/doc/openswan/policygroups.html for details. # # RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $ conn block auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear-or-private auto=ignore conn clear auto=ignore conn packetdefault auto=ignore #> /etc/ipsec.conf 53 + _________________________ ipsec/secrets + + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 # RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $ # This file holds shared secrets or RSA private keys for inter-Pluto # authentication. See ipsec_pluto(8) manpage, and HTML documentation. # RSA private key for this host, authenticating it to any other host # which knows the public part. Suitable public keys, for ipsec.conf, DNS, # or configuration of other implementations, can be extracted conveniently # with "[sums to ef67...]". @home @0017C52619D4 : PSK "[sums to 447e...]" + _________________________ ipsec/listall + + ipsec auto --listall 000 000 List of Public Keys: 000 + [ /etc/ipsec.d/policies ] + basename /etc/ipsec.d/policies/block + base=block + _________________________ ipsec/policies/block + + cat /etc/ipsec.d/policies/block # This file defines the set of CIDRs (network/mask-length) to which # communication should never be allowed. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/clear + base=clear + _________________________ ipsec/policies/clear + + cat /etc/ipsec.d/policies/clear # This file defines the set of CIDRs (network/mask-length) to which # communication should always be in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: clear.in,v 1.4.30.3 2006/11/21 19:49:51 paul Exp $ # # # Michael's idea: Always have ROOT NAMESERVERS in the clear. # It will make OE work much better on machines running caching # resolvers. # # Based on: http://www.internic.net/zones/named.root # This file holds the information on root name servers needed to # last update: Jan 29, 2004 # related version of root zone: 2004012900 198.41.0.4/32 192.228.79.201/32 192.33.4.12/32 128.8.10.90/32 192.203.230.10/32 192.5.5.241/32 192.112.36.4/32 128.63.2.53/32 192.36.148.17/32 192.58.128.30/32 193.0.14.129/32 198.32.64.12/32 202.12.27.33/32 + basename /etc/ipsec.d/policies/clear-or-private + base=clear-or-private + _________________________ ipsec/policies/clear-or-private + + cat /etc/ipsec.d/policies/clear-or-private # This file defines the set of CIDRs (network/mask-length) to which # we will communicate in the clear, or, if the other side initiates IPSEC, # using encryption. This behaviour is also called "Opportunistic Responder". # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/private + base=private + _________________________ ipsec/policies/private + + cat /etc/ipsec.d/policies/private # This file defines the set of CIDRs (network/mask-length) to which # communication should always be private (i.e. encrypted). # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/private-or-clear + base=private-or-clear + _________________________ ipsec/policies/private-or-clear + + cat /etc/ipsec.d/policies/private-or-clear # This file defines the set of CIDRs (network/mask-length) to which # communication should be private, if possible, but in the clear otherwise. # # If the target has a TXT (later IPSECKEY) record that specifies # authentication material, we will require private (i.e. encrypted) # communications. If no such record is found, communications will be # in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $ # 0.0.0.0/0 + _________________________ ipsec/ls-libdir + + ls -l /usr/lib/ipsec total 1504 -rwxr-xr-x 1 root root 15848 Jan 24 2008 _confread -rwxr-xr-x 1 root root 7008 Jan 24 2008 _copyright -rwxr-xr-x 1 root root 2379 Jan 24 2008 _include -rwxr-xr-x 1 root root 1475 Jan 24 2008 _keycensor -rwxr-xr-x 1 root root 11072 Jan 24 2008 _pluto_adns -rwxr-xr-x 1 root root 3586 Jan 24 2008 _plutoload -rwxr-xr-x 1 root root 8055 Jan 24 2008 _plutorun -rwxr-xr-x 1 root root 12480 Jan 24 2008 _realsetup -rwxr-xr-x 1 root root 1975 Jan 24 2008 _secretcensor -rwxr-xr-x 1 root root 11021 Jan 24 2008 _startklips -rwxr-xr-x 1 root root 13912 Jan 24 2008 _updown -rwxr-xr-x 1 root root 15740 Jan 24 2008 _updown_x509 -rwxr-xr-x 1 root root 18891 Jan 24 2008 auto -rwxr-xr-x 1 root root 11343 Jan 24 2008 barf -rwxr-xr-x 1 root root 816 Jan 24 2008 calcgoo -rwxr-xr-x 1 root root 86488 Jan 24 2008 eroute -rwxr-xr-x 1 root root 21376 Jan 24 2008 ikeping -rwxr-xr-x 1 root root 66280 Jan 24 2008 klipsdebug -rwxr-xr-x 1 root root 1836 Jan 24 2008 livetest -rwxr-xr-x 1 root root 2604 Jan 24 2008 look -rwxr-xr-x 1 root root 7082 Jan 24 2008 mailkey -rwxr-xr-x 1 root root 16015 Jan 24 2008 manual -rwxr-xr-x 1 root root 1951 Jan 24 2008 newhostkey -rwxr-xr-x 1 root root 57576 Jan 24 2008 pf_key -rwxr-xr-x 1 root root 706488 Jan 24 2008 pluto -rwxr-xr-x 1 root root 11168 Jan 24 2008 ranbits -rwxr-xr-x 1 root root 24056 Jan 24 2008 rsasigkey -rwxr-xr-x 1 root root 766 Jan 24 2008 secrets lrwxrwxrwx 1 root root 17 Sep 5 11:48 setup -> /etc/init.d/ipsec -rwxr-xr-x 1 root root 1054 Jan 24 2008 showdefaults -rwxr-xr-x 1 root root 4845 Jan 24 2008 showhostkey -rwxr-xr-x 1 root root 136368 Jan 24 2008 spi -rwxr-xr-x 1 root root 74096 Jan 24 2008 spigrp -rwxr-xr-x 1 root root 12272 Jan 24 2008 tncfg -rwxr-xr-x 1 root root 13518 Jan 24 2008 verify -rwxr-xr-x 1 root root 57608 Jan 24 2008 whack + _________________________ ipsec/ls-execdir + + ls -l /usr/lib/ipsec total 1504 -rwxr-xr-x 1 root root 15848 Jan 24 2008 _confread -rwxr-xr-x 1 root root 7008 Jan 24 2008 _copyright -rwxr-xr-x 1 root root 2379 Jan 24 2008 _include -rwxr-xr-x 1 root root 1475 Jan 24 2008 _keycensor -rwxr-xr-x 1 root root 11072 Jan 24 2008 _pluto_adns -rwxr-xr-x 1 root root 3586 Jan 24 2008 _plutoload -rwxr-xr-x 1 root root 8055 Jan 24 2008 _plutorun -rwxr-xr-x 1 root root 12480 Jan 24 2008 _realsetup -rwxr-xr-x 1 root root 1975 Jan 24 2008 _secretcensor -rwxr-xr-x 1 root root 11021 Jan 24 2008 _startklips -rwxr-xr-x 1 root root 13912 Jan 24 2008 _updown -rwxr-xr-x 1 root root 15740 Jan 24 2008 _updown_x509 -rwxr-xr-x 1 root root 18891 Jan 24 2008 auto -rwxr-xr-x 1 root root 11343 Jan 24 2008 barf -rwxr-xr-x 1 root root 816 Jan 24 2008 calcgoo -rwxr-xr-x 1 root root 86488 Jan 24 2008 eroute -rwxr-xr-x 1 root root 21376 Jan 24 2008 ikeping -rwxr-xr-x 1 root root 66280 Jan 24 2008 klipsdebug -rwxr-xr-x 1 root root 1836 Jan 24 2008 livetest -rwxr-xr-x 1 root root 2604 Jan 24 2008 look -rwxr-xr-x 1 root root 7082 Jan 24 2008 mailkey -rwxr-xr-x 1 root root 16015 Jan 24 2008 manual -rwxr-xr-x 1 root root 1951 Jan 24 2008 newhostkey -rwxr-xr-x 1 root root 57576 Jan 24 2008 pf_key -rwxr-xr-x 1 root root 706488 Jan 24 2008 pluto -rwxr-xr-x 1 root root 11168 Jan 24 2008 ranbits -rwxr-xr-x 1 root root 24056 Jan 24 2008 rsasigkey -rwxr-xr-x 1 root root 766 Jan 24 2008 secrets lrwxrwxrwx 1 root root 17 Sep 5 11:48 setup -> /etc/init.d/ipsec -rwxr-xr-x 1 root root 1054 Jan 24 2008 showdefaults -rwxr-xr-x 1 root root 4845 Jan 24 2008 showhostkey -rwxr-xr-x 1 root root 136368 Jan 24 2008 spi -rwxr-xr-x 1 root root 74096 Jan 24 2008 spigrp -rwxr-xr-x 1 root root 12272 Jan 24 2008 tncfg -rwxr-xr-x 1 root root 13518 Jan 24 2008 verify -rwxr-xr-x 1 root root 57608 Jan 24 2008 whack + _________________________ ipsec/updowns + + ls /usr/lib/ipsec + egrep updown + cat /usr/lib/ipsec/_updown #! /bin/sh # iproute2 version, default updown script # # Copyright (C) 2003-2004 Nigel Metheringham # Copyright (C) 2002-2004 Michael Richardson # Copyright (C) 2003-2005 Tuomo Soini # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at your # option) any later version. See . # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # # RCSID $Id: _updown.in,v 1.21.2.11 2006/02/20 22:57:28 paul Exp $ # CAUTION: Installing a new version of Openswan will install a new # copy of this script, wiping out any custom changes you make. If # you need changes, make a copy of this under another name, and customize # that, and use the (left/right)updown parameters in ipsec.conf to make # Openswan use yours instead of this default one. LC_ALL=C export LC_ALL # things that this script gets (from ipsec_pluto(8) man page) # # # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This # is upwardly compatible with version 1.0. # # PLUTO_VERB # specifies the name of the operation to be performed # (prepare-host, prepare-client, up-host, up-client, # down-host, or down-client). If the address family # for security gateway to security gateway # communications is IPv6, then a suffix of -v6 is added # to the verb. # # PLUTO_CONNECTION # is the name of the connection for which we are # routing. # # PLUTO_CONN_POLICY # the policy of the connection, as in: # RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD # # PLUTO_NEXT_HOP # is the next hop to which packets bound for the peer # must be sent. # # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_ME # is the IP address of our host. # # PLUTO_MY_CLIENT # is the IP address / count of our client subnet. If # the client is just the host, this will be the # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # # PLUTO_MY_CLIENT_NET # is the IP address of our client net. If the client # is just the host, this will be the host's own IP # address. # # PLUTO_MY_CLIENT_MASK # is the mask for our client net. If the client is # just the host, this will be 255.255.255.255. # # PLUTO_MY_SOURCEIP # if non-empty, then the source address for the route will be # set to this IP address. # # PLUTO_MY_PROTOCOL # is the protocol for this connection. Useful for # firewalling. # # PLUTO_MY_PORT # is the port. Useful for firewalling. # # PLUTO_PEER # is the IP address of our peer. # # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub­ # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # # PLUTO_PEER_CLIENT_NET # is the IP address of the peer's client net. If the # client is just the peer, this will be the peer's # own IP address. # # PLUTO_PEER_CLIENT_MASK # is the mask for the peer's client net. If the # client is just the peer, this will be # 255.255.255.255. # # PLUTO_PEER_PROTOCOL # is the protocol set for remote end with port # selector. # # PLUTO_PEER_PORT # is the peer's port. Useful for firewalling. # # PLUTO_CONNECTION_TYPE # # Import default _updown configs from the /etc/default/pluto_updown file # # Two variables can be set in this file: # # DEFAULTSOURCE # is the default value for PLUTO_MY_SOURCEIP # # IPROUTETABLE # is the default value for IPROUTETABLE # # IPROUTEARGS # is the extra argument list for ip route command # # IPRULEARGS # is the extra argument list for ip rule command # if [ -f /etc/default/pluto_updown ] then . /etc/default/pluto_updown fi # check interface version case "$PLUTO_VERSION" in 1.[0]) # Older Pluto?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 echo "$0: called by obsolete Pluto?" >&2 exit 2 ;; 1.*) ;; *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 exit 2 ;; esac # check parameter(s) case "$1:$*" in ':') # no parameters ;; ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only ;; custom:*) # custom parameters (see above CAUTION comment) ;; *) echo "$0: unknown parameters \`$*'" >&2 exit 2 ;; esac # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { doroute add ip route flush cache } downroute() { doroute delete ip route flush cache } uprule() { # policy based advanced routing if [ -n "$IPROUTETABLE" ] then dorule delete dorule add fi # virtual sourceip support if [ -n "$PLUTO_MY_SOURCEIP" ] then addsource rc=$? if [ $rc -ne 0 ]; then changesource fi fi ip route flush cache } downrule() { if [ -n "$IPROUTETABLE" ] then dorule delete ip route flush cache fi } addsource() { st=0 # check if given sourceip is local and add as alias if not if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local then it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}" oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi case "$oops" in 'RTNETLINK answers: File exists'*) # should not happen, but ... ignore if the # address was already assigned on interface oops="" st=0 ;; esac if test " $oops" != " " -o " $st" != " 0" then echo "$0: addsource \`$it' failed ($oops)" >&2 fi fi return $st } changesource() { # Change used route source to destination if there is previous # Route to same PLUTO_PEER_CLIENT. This is basically to fix # configuration errors where all conns to same destination don't # have (left/right)sourceip set. st=0 parms="$PLUTO_PEER_CLIENT dev ${PLUTO_INTERFACE%:*}" parms="$parms src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS" if [ -n "$IPROUTETABLE" ] then parms="$parms table $IPROUTETABLE" fi it="ip route change $parms" case "$PLUTO_PEER_CLIENT" in "0.0.0.0/0") # opportunistic encryption work around it= ;; esac oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi case "$oops" in 'RTNETLINK answers: No such file or directory'*) # Will happen every time first tunnel is activated because # there is no previous route to PLUTO_PEER_CLIENT. So we # need to ignore this error. oops="" st=0 ;; esac if test " $oops" != " " -o " $st" != " 0" then echo "$0: changesource \`$it' failed ($oops)" >&2 fi return $st } dorule() { st=0 it2= iprule="from $PLUTO_MY_CLIENT" iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS" case "$PLUTO_PEER_CLIENT" in "0.0.0.0/0") # opportunistic encryption work around st=0 ;; *) if [ -z "$PLUTO_MY_SOURCEIP" ] then if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ] then it="ip rule $1 iif lo $iprule2" else it="ip rule $1 $iprule $iprule2" fi else if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ] then it="ip rule $1 iif lo $iprule2" else it="ip rule $1 $iprule $iprule2" it2="ip rule $1 iif lo $iprule2" fi fi oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi case "$oops" in 'RTNETLINK answers: No such process'*) # This is what ip rule gives # for "could not find such a rule" oops= st=0 ;; esac if test " $oops" != " " -o " $st" != " 0" then echo "$0: dorule \`$it' failed ($oops)" >&2 fi if test "$st" = "0" -a -n "$it2" then oops="`eval $it2 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi case "$oops" in 'RTNETLINK answers: No such process'*) # This is what ip rule gives # for "could not find such a rule" oops= st=0 ;; esac if test " $oops" != " " -o " $st" != " 0" then echo "$0: dorule \`$it2' failed ($oops)" >&2 fi fi ;; esac return $st } doroute() { st=0 parms="$PLUTO_PEER_CLIENT" parms2= if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ] then parms2="via $PLUTO_NEXT_HOP" fi parms2="$parms2 dev ${PLUTO_INTERFACE%:*}" parms3="$IPROUTEARGS" if [ -n "$IPROUTETABLE" ] then parms3="$parms3 table $IPROUTETABLE" fi if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ] then PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}" fi if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" then addsource parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}" fi case "$PLUTO_PEER_CLIENT" in "0.0.0.0/0") # opportunistic encryption work around # need to provide route that eclipses default, without # replacing it. it="ip route $1 0.0.0.0/1 $parms2 $parms3 && ip route $1 128.0.0.0/1 $parms2 $parms3" ;; *) it="ip route $1 $parms $parms2 $parms3" ;; esac oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi if test " $oops" != " " -o " $st" != " 0" then echo "$0: doroute \`$it' failed ($oops)" >&2 fi return $st } # the big choice case "$PLUTO_VERB:$1" in prepare-host:*|prepare-client:*) # delete possibly-existing route (preliminary to adding a route) case "$PLUTO_PEER_CLIENT" in "0.0.0.0/0") # need to provide route that eclipses default, without # replacing it. parms1="0.0.0.0/1" parms2="128.0.0.0/1" it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1" oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`" ;; *) parms="$PLUTO_PEER_CLIENT $IPROUTEARGS" if [ -n "$IPROUTETABLE" ] then parms="$parms table $IPROUTETABLE" fi it="ip route delete $parms 2>&1" oops="`ip route delete $parms 2>&1`" ;; esac status="$?" if test " $oops" = " " -a " $status" != " 0" then oops="silent error, exit status $status" fi case "$oops" in *'RTNETLINK answers: No such process'*) # This is what route (currently -- not documented!) gives # for "could not find such a route". oops= status=0 ;; esac if test " $oops" != " " -o " $status" != " 0" then echo "$0: \`$it' failed ($oops)" >&2 fi exit $status ;; route-host:*|route-client:*) # connection to me or my client subnet being routed uproute ;; unroute-host:*|unroute-client:*) # connection to me or my client subnet being unrouted downroute ;; up-host:*) # connection to me coming up uprule # If you are doing a custom version, firewall commands go here. ;; down-host:*) # connection to me going down downrule # If you are doing a custom version, firewall commands go here. ;; up-client:) # connection to my client subnet coming up uprule # If you are doing a custom version, firewall commands go here. ;; down-client:) # connection to my client subnet going down downrule # If you are doing a custom version, firewall commands go here. ;; up-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, coming up uprule # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; down-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, going down downrule # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; # # IPv6 # prepare-host-v6:*|prepare-client-v6:*) ;; route-host-v6:*|route-client-v6:*) # connection to me or my client subnet being routed #uproute_v6 ;; unroute-host-v6:*|unroute-client-v6:*) # connection to me or my client subnet being unrouted #downroute_v6 ;; up-host-v6:*) # connection to me coming up # If you are doing a custom version, firewall commands go here. ;; down-host-v6:*) # connection to me going down # If you are doing a custom version, firewall commands go here. ;; up-client-v6:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. ;; down-client-v6:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 ;; esac + cat /usr/lib/ipsec/_updown_x509 #! /bin/sh # # customized updown script # # logging of VPN connections # # tag put in front of each log entry: TAG=vpn # # syslog facility and priority used: FAC_PRIO=local0.notice # # to create a special vpn logging file, put the following line into # the syslog configuration file /etc/syslog.conf: # # local0.notice -/var/log/vpn # # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then S_MY_PORT="--sport $PLUTO_MY_PORT" D_MY_PORT="--dport $PLUTO_MY_PORT" fi if [ "$PLUTO_PEER_PORT" != 0 ] then S_PEER_PORT="--sport $PLUTO_PEER_PORT" D_PEER_PORT="--dport $PLUTO_PEER_PORT" fi # CAUTION: Installing a new version of Openswan will install a new # copy of this script, wiping out any custom changes you make. If # you need changes, make a copy of this under another name, and customize # that, and use the (left/right)updown parameters in ipsec.conf to make # Openswan use yours instead of this default one. LC_ALL=C export LC_ALL # things that this script gets (from ipsec_pluto(8) man page) # # # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This # is upwardly compatible with version 1.0. # # PLUTO_VERB # specifies the name of the operation to be performed # (prepare-host, prepare-client, up-host, up-client, # down-host, or down-client). If the address family # for security gateway to security gateway communica­ # tions is IPv6, then a suffix of -v6 is added to the # verb. # # PLUTO_CONNECTION # is the name of the connection for which we are # routing. # # PLUTO_CONN_POLICY # the policy of the connection, as in: # RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD # # PLUTO_NEXT_HOP # is the next hop to which packets bound for the peer # must be sent. # # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_ME # is the IP address of our host. # # PLUTO_MY_CLIENT # is the IP address / count of our client subnet. If # the client is just the host, this will be the # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # # PLUTO_MY_CLIENT_NET # is the IP address of our client net. If the client # is just the host, this will be the host's own IP # address. # # PLUTO_MY_CLIENT_MASK # is the mask for our client net. If the client is # just the host, this will be 255.255.255.255. # # PLUTO_MY_SOURCEIP # if non-empty, then the source address for the route will be # set to this IP address. # # PLUTO_MY_PROTOCOL # is the protocol for this connection. Useful for # firewalling. # # PLUTO_MY_PORT # is the port. Useful for firewalling. # # PLUTO_PEER # is the IP address of our peer. # # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub­ # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # # PLUTO_PEER_CLIENT_NET # is the IP address of the peer's client net. If the # client is just the peer, this will be the peer's # own IP address. # # PLUTO_PEER_CLIENT_MASK # is the mask for the peer's client net. If the # client is just the peer, this will be # 255.255.255.255. # # PLUTO_PEER_PROTOCOL # is the protocol set for remote end with port # selector. # # PLUTO_PEER_PORT # is the peer's port. Useful for firewalling. # # PLUTO_CONNECTION_TYPE # # Import default _updown configs from the /etc/default/pluto_updown file # # Two variables can be set in this file: # # DEFAULTSOURCE # is the default value for PLUTO_MY_SOURCEIP # # IPROUTETABLE # is the default value for IPROUTETABLE # # IPROUTEARGS # is the extra argument list for ip route command # # IPRULEARGS # is the extra argument list for ip rule command # if [ -f /etc/default/pluto_updown ] then . /etc/default/pluto_updown fi # check interface version case "$PLUTO_VERSION" in 1.[0]) # Older Pluto?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 echo "$0: called by obsolete Pluto?" >&2 exit 2 ;; 1.*) ;; *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 exit 2 ;; esac # check parameter(s) case "$1:$*" in ':') # no parameters ;; ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only ;; custom:*) # custom parameters (see above CAUTION comment) ;; *) echo "$0: unknown parameters \`$*'" >&2 exit 2 ;; esac # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { doroute add ip route flush cache } downroute() { doroute delete ip route flush cache } uprule() { # policy based advanced routing if [ -n "$IPROUTETABLE" ] then dorule delete dorule add fi # virtual sourceip support if [ -n "$PLUTO_MY_SOURCEIP" ] then addsource changesource fi ip route flush cache } downrule() { if [ -n "$IPROUTETABLE" ] then dorule delete ip route flush cache fi } addsource() { st=0 if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local then it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}" oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi if test " $oops" != " " -o " $st" != " 0" then echo "$0: addsource \`$it' failed ($oops)" >&2 fi fi return $st } changesource() { st=0 parms="$PLUTO_PEER_CLIENT" parms2="dev ${PLUTO_INTERFACE%:*}" parms3="src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS" if [ -n "$IPROUTETABLE" ] then parms3="$parms3 table '$IPROUTETABLE'" fi case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # opportunistic encryption work around it= ;; esac oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi if test " $oops" != " " -o " $st" != " 0" then echo "$0: changesource \`$it' failed ($oops)" >&2 fi return $st } dorule() { st=0 it2= iprule="from $PLUTO_MY_CLIENT" iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS" case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # opportunistic encryption work around st=0 ;; *) if [ -z "$PLUTO_MY_SOURCEIP" ] then if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ] then it="ip rule $1 iif lo $iprule2" else it="ip rule $1 $iprule $iprule2" fi else if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ] then it="ip rule $1 iif lo $iprule2" else it="ip rule $1 $iprule $iprule2" it2="ip rule $1 iif lo $iprule2" fi fi oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi case "$oops" in 'RTNETLINK answers: No such process'*) # This is what ip rule gives # for "could not find such a rule" oops= st=0 ;; esac if test " $oops" != " " -o " $st" != " 0" then echo "$0: dorule \`$it' failed ($oops)" >&2 fi if test "$st" = "0" -a -n "$it2" then oops="`eval $it2 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi case "$oops" in 'RTNETLINK answers: No such process'*) # This is what ip rule gives # for "could not find such a rule" oops= st=0 ;; esac if test " $oops" != " " -o " $st" != " 0" then echo "$0: dorule \`$it2' failed ($oops)" >&2 fi fi ;; esac return $st } doroute() { st=0 parms="$PLUTO_PEER_CLIENT" parms2= if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ] then parms2="via $PLUTO_NEXT_HOP" fi parms2="$parms2 dev ${PLUTO_INTERFACE%:*}" parms3="$IPROUTEARGS" if [ -n "$IPROUTETABLE" ] then parms3="$parms3 table $IPROUTETABLE" fi if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ] then PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}" fi if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" then addsource parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}" fi case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # opportunistic encryption work around # need to provide route that eclipses default, without # replacing it. it="ip route $1 0.0.0.0/1 $parms2 $parms3 && ip route $1 128.0.0.0/1 $parms2 $parms3" ;; *) it="ip route $1 $parms $parms2 $parms3" ;; esac oops="`eval $it 2>&1`" st=$? if test " $oops" = " " -a " $st" != " 0" then oops="silent error, exit status $st" fi if test " $oops" != " " -o " $st" != " 0" then echo "$0: doroute \`$it' failed ($oops)" >&2 fi return $st } # the big choice case "$PLUTO_VERB:$1" in prepare-host:*|prepare-client:*) # delete possibly-existing route (preliminary to adding a route) case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # need to provide route that eclipses default, without # replacing it. parms1="0.0.0.0/1" parms2="128.0.0.0/1" it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1" oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`" ;; *) parms="$PLUTO_PEER_CLIENT $IPROUTEARGS" if [ -n "$IPROUTETABLE" ] then parms="$parms table $IPROUTETABLE" fi it="ip route delete $parms 2>&1" oops="`ip route delete $parms 2>&1`" ;; esac status="$?" if test " $oops" = " " -a " $status" != " 0" then oops="silent error, exit status $status" fi case "$oops" in *'RTNETLINK answers: No such process'*) # This is what route (currently -- not documented!) gives # for "could not find such a route". oops= status=0 ;; esac if test " $oops" != " " -o " $status" != " 0" then echo "$0: \`$it' failed ($oops)" >&2 fi exit $status ;; route-host:*|route-client:*) # connection to me or my client subnet being routed uproute ;; unroute-host:*|unroute-client:*) # connection to me or my client subnet being unrouted downroute ;; up-host:*) # connection to me coming up uprule # If you are doing a custom version, firewall commands go here. iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_ME $S_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT # if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" else logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" fi ;; down-host:*) # connection to me going down downrule # If you are doing a custom version, firewall commands go here. iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_ME $S_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT # if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" else logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" fi ;; up-client:) # connection to my client subnet coming up uprule # If you are doing a custom version, firewall commands go here. iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT # if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" else logger -t $TAG -p $FAC_PRIO \ "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi ;; down-client:) # connection to my client subnet going down downrule # If you are doing a custom version, firewall commands go here. iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT # if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" else logger -t $TAG -p $FAC_PRIO -- \ "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi ;; up-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, coming up uprule # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; down-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, going down downrule # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK ;; # # IPv6 # prepare-host-v6:*|prepare-client-v6:*) ;; route-host-v6:*|route-client-v6:*) # connection to me or my client subnet being routed #uproute_v6 ;; unroute-host-v6:*|unroute-client-v6:*) # connection to me or my client subnet being unrouted #downroute_v6 ;; up-host-v6:*) # connection to me coming up # If you are doing a custom version, firewall commands go here. ;; down-host-v6:*) # connection to me going down # If you are doing a custom version, firewall commands go here. ;; up-client-v6:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. ;; down-client-v6:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 ;; esac + _________________________ /proc/net/dev + + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 651035 8492 0 0 0 0 0 0 651035 8492 0 0 0 0 0 0 eth0: 16549 51 0 0 0 0 0 0 24248 262 0 0 0 0 0 0 wmaster0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 wlan0:13758950 24929 0 0 0 0 0 0 5685707 28574 0 0 0 0 0 0 vboxnet0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _________________________ /proc/net/route + + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT wlan0 0000A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0 wlan0 0000FEA9 00000000 0001 0 0 1000 0000FFFF 0 0 0 wlan0 00000000 0100A8C0 0003 0 0 0 00000000 0 0 0 + _________________________ /proc/sys/net/ipv4/ip_forward + + cat /proc/sys/net/ipv4/ip_forward 0 + _________________________ /proc/sys/net/ipv4/tcp_ecn + + cat /proc/sys/net/ipv4/tcp_ecn 0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + + cd /proc/sys/net/ipv4/conf + egrep ^ all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter vboxnet0/rp_filter wlan0/rp_filter wmaster0/rp_filter all/rp_filter:1 default/rp_filter:1 eth0/rp_filter:1 lo/rp_filter:1 vboxnet0/rp_filter:1 wlan0/rp_filter:1 wmaster0/rp_filter:1 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + + cd /proc/sys/net/ipv4/conf + egrep ^ all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter vboxnet0/rp_filter wlan0/rp_filter wmaster0/rp_filter all/rp_filter:1 default/rp_filter:1 eth0/rp_filter:1 lo/rp_filter:1 vboxnet0/rp_filter:1 wlan0/rp_filter:1 wmaster0/rp_filter:1 + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects + + cd /proc/sys/net/ipv4/conf + egrep ^ all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects vboxnet0/accept_redirects vboxnet0/secure_redirects vboxnet0/send_redirects wlan0/accept_redirects wlan0/secure_redirects wlan0/send_redirects wmaster0/accept_redirects wmaster0/secure_redirects wmaster0/send_redirects all/accept_redirects:1 all/secure_redirects:1 all/send_redirects:1 default/accept_redirects:1 default/secure_redirects:1 default/send_redirects:1 eth0/accept_redirects:1 eth0/secure_redirects:1 eth0/send_redirects:1 lo/accept_redirects:1 lo/secure_redirects:1 lo/send_redirects:1 vboxnet0/accept_redirects:1 vboxnet0/secure_redirects:1 vboxnet0/send_redirects:1 wlan0/accept_redirects:1 wlan0/secure_redirects:1 wlan0/send_redirects:1 wmaster0/accept_redirects:1 wmaster0/secure_redirects:1 wmaster0/send_redirects:1 + _________________________ /proc/sys/net/ipv4/tcp_window_scaling + + cat /proc/sys/net/ipv4/tcp_window_scaling 1 + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale + + cat /proc/sys/net/ipv4/tcp_adv_win_scale 2 + _________________________ uname-a + + uname -a Linux richard-desktop 2.6.24-19-generic #1 SMP Wed Aug 20 17:53:40 UTC 2008 x86_64 GNU/Linux + _________________________ config-built-with + + test -r /proc/config_built_with + _________________________ distro-release + + test -f /etc/redhat-release + test -f /etc/debian-release + test -f /etc/SuSE-release + test -f /etc/mandrake-release + test -f /etc/mandriva-release + test -f /etc/gentoo-release + _________________________ /proc/net/ipsec_version + + test -r /proc/net/ipsec_version + test -r /proc/net/pfkey + uname -r + echo NETKEY (2.6.24-19-generic) support detected NETKEY (2.6.24-19-generic) support detected + _________________________ ipfwadm + + test -r /sbin/ipfwadm + no old-style linux 1.x/2.0 ipfwadm firewall support /usr/lib/ipsec/barf: 1: no old-style linux 1.x/2.0 ipfwadm firewall support: not found + _________________________ ipchains + + test -r /sbin/ipchains + echo no old-style linux 2.0 ipchains firewall support no old-style linux 2.0 ipchains firewall support + _________________________ iptables + + test -r /sbin/iptables + iptables -L -v -n Chain INPUT (policy ACCEPT 35009 packets, 14M bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 36648 packets, 5419K bytes) pkts bytes target prot opt in out source destination + _________________________ iptables-nat + + iptables -t nat -L -v -n Chain PREROUTING (policy ACCEPT 7 packets, 1544 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 211 packets, 16858 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 211 packets, 16858 bytes) pkts bytes target prot opt in out source destination + _________________________ iptables-mangle + + iptables -t mangle -L -v -n Chain PREROUTING (policy ACCEPT 1232 packets, 620K bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 1232 packets, 620K bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 1297 packets, 201K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 1405 packets, 210K bytes) pkts bytes target prot opt in out source destination + _________________________ /proc/modules + + test -f /proc/modules + cat /proc/modules iptable_mangle 4480 0 - Live 0xffffffff88791000 iptable_nat 9604 0 - Live 0xffffffff8878d000 nf_nat 23980 1 iptable_nat, Live 0xffffffff88786000 nf_conntrack_ipv4 21904 2 iptable_nat, Live 0xffffffff8877f000 nf_conntrack 79216 3 iptable_nat,nf_nat,nf_conntrack_ipv4, Live 0xffffffff8876a000 af_packet 27272 6 - Live 0xffffffff88762000 ipv6 311848 27 - Live 0xffffffff88714000 i915 38144 2 - Live 0xffffffff88709000 drm 105896 3 i915, Live 0xffffffff886ee000 rfcomm 47392 4 - Live 0xffffffff886e1000 l2cap 28800 13 rfcomm, Live 0xffffffff886d8000 vboxnetflt 108812 0 - Live 0xffffffff886bc000 vboxdrv 1704076 1 vboxnetflt, Live 0xffffffff8851a000 ppdev 11400 0 - Live 0xffffffff88516000 acpi_cpufreq 10832 2 - Live 0xffffffff88512000 cpufreq_conservative 10632 0 - Live 0xffffffff8850e000 cpufreq_ondemand 11152 1 - Live 0xffffffff8850a000 cpufreq_stats 8416 0 - Live 0xffffffff88506000 cpufreq_userspace 6180 0 - Live 0xffffffff88503000 cpufreq_powersave 3200 0 - Live 0xffffffff88104000 freq_table 6464 3 acpi_cpufreq,cpufreq_ondemand,cpufreq_stats, Live 0xffffffff88500000 sbs 17808 0 - Live 0xffffffff884fa000 sbshc 8960 1 sbs, Live 0xffffffff884f6000 container 6656 0 - Live 0xffffffff884f3000 dock 12960 0 - Live 0xffffffff884ee000 nls_utf8 3456 0 - Live 0xffffffff880a8000 cifs 251280 0 - Live 0xffffffff884af000 xfrm_user 29440 2 - Live 0xffffffff884a6000 xfrm4_tunnel 4480 0 - Live 0xffffffff884a3000 tunnel4 5648 1 xfrm4_tunnel, Live 0xffffffff884a0000 ipcomp 10124 0 - Live 0xffffffff8849c000 esp4 10240 0 - Live 0xffffffff88498000 ah4 8320 0 - Live 0xffffffff88494000 aes_generic 27712 0 - Live 0xffffffff8848c000 iptable_filter 4608 0 - Live 0xffffffff88489000 ip_tables 24104 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xffffffff88482000 x_tables 23560 2 iptable_nat,ip_tables, Live 0xffffffff8847b000 deflate 5632 0 - Live 0xffffffff88478000 zlib_deflate 23192 1 deflate, Live 0xffffffff88471000 twofish 7680 0 - Live 0xffffffff8846e000 twofish_common 40832 1 twofish, Live 0xffffffff88463000 camellia 26624 0 - Live 0xffffffff8845b000 serpent 20352 0 - Live 0xffffffff88455000 blowfish 9856 0 - Live 0xffffffff88451000 des_generic 18304 0 - Live 0xffffffff8844b000 xcbc 7944 0 - Live 0xffffffff88448000 sha1_generic 4352 0 - Live 0xffffffff88445000 crypto_null 4352 0 - Live 0xffffffff88442000 af_key 41620 0 - Live 0xffffffff88436000 sbp2 27272 0 - Live 0xffffffff8842e000 parport_pc 41128 0 - Live 0xffffffff88422000 lp 14916 0 - Live 0xffffffff8841d000 parport 44300 3 ppdev,parport_pc,lp, Live 0xffffffff88411000 loop 21508 0 - Live 0xffffffff8840a000 arc4 3456 2 - Live 0xffffffff88094000 ecb 5248 2 - Live 0xffffffff88407000 pcmcia 45976 0 - Live 0xffffffff883fa000 joydev 15488 0 - Live 0xffffffff883f5000 hci_usb 19228 2 - Live 0xffffffff883ef000 bluetooth 67748 7 rfcomm,l2cap,hci_usb, Live 0xffffffff883dd000 uvcvideo 62084 0 - Live 0xffffffff883cc000 compat_ioctl32 11136 1 uvcvideo, Live 0xffffffff883c8000 videodev 30720 1 uvcvideo, Live 0xffffffff883bf000 v4l1_compat 15492 2 uvcvideo,videodev, Live 0xffffffff883ba000 v4l2_common 21888 3 uvcvideo,compat_ioctl32,videodev, Live 0xffffffff883b3000 snd_hda_intel 440408 3 - Live 0xffffffff88346000 wmi_acer 11076 0 - Live 0xffffffff88342000 snd_pcm_oss 47648 0 - Live 0xffffffff88335000 snd_mixer_oss 20224 2 snd_pcm_oss, Live 0xffffffff8832f000 iwl3945 100468 0 - Live 0xffffffff88315000 iwlwifi_mac80211 251876 1 iwl3945, Live 0xffffffff882d6000 snd_pcm 92168 2 snd_hda_intel,snd_pcm_oss, Live 0xffffffff882be000 snd_page_alloc 13200 2 snd_hda_intel,snd_pcm, Live 0xffffffff882b9000 snd_hwdep 12552 1 snd_hda_intel, Live 0xffffffff882b4000 sky2 53892 0 - Live 0xffffffff882a5000 cfg80211 17680 1 iwlwifi_mac80211, Live 0xffffffff8829f000 snd_seq_dummy 5764 0 - Live 0xffffffff8829c000 snd_seq_oss 38912 0 - Live 0xffffffff88291000 snd_seq_midi 10688 0 - Live 0xffffffff8828d000 snd_rawmidi 29856 1 snd_seq_midi, Live 0xffffffff88284000 snd_seq_midi_event 10112 2 snd_seq_oss,snd_seq_midi, Live 0xffffffff88280000 snd_seq 63232 6 snd_seq_dummy,snd_seq_oss,snd_seq_midi,snd_seq_midi_event, Live 0xffffffff8826f000 sdhci 21508 0 - Live 0xffffffff88268000 snd_timer 27912 2 snd_pcm,snd_seq, Live 0xffffffff88260000 snd_seq_device 10644 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi,snd_rawmidi,snd_seq, Live 0xffffffff8825c000 mmc_core 59272 1 sdhci, Live 0xffffffff8824c000 serio_raw 9092 0 - Live 0xffffffff88246000 yenta_socket 30092 1 - Live 0xffffffff8823b000 rsrc_nonstatic 14080 1 yenta_socket, Live 0xffffffff88236000 pcmcia_core 46116 3 pcmcia,yenta_socket,rsrc_nonstatic, Live 0xffffffff88229000 snd 70856 15 snd_hda_intel,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_hwdep,snd_seq_dummy,snd_seq_oss,snd_rawmidi,snd_seq,snd_timer,snd_seq_device, Live 0xffffffff88216000 battery 16776 0 - Live 0xffffffff88210000 ac 8328 0 - Live 0xffffffff8820a000 button 10912 0 - Live 0xffffffff88206000 intel_agp 30624 1 - Live 0xffffffff881fd000 shpchp 38172 0 - Live 0xffffffff881f2000 pci_hotplug 34608 1 shpchp, Live 0xffffffff881e8000 iTCO_wdt 15312 0 - Live 0xffffffff881e3000 iTCO_vendor_support 5764 1 iTCO_wdt, Live 0xffffffff881e0000 soundcore 10400 2 snd, Live 0xffffffff881dc000 pcspkr 4992 0 - Live 0xffffffff881d9000 evdev 14976 8 - Live 0xffffffff881d4000 psmouse 46236 0 - Live 0xffffffff881c7000 ext3 149264 2 - Live 0xffffffff881a1000 jbd 57000 1 ext3, Live 0xffffffff88192000 mbcache 11392 1 ext3, Live 0xffffffff8818e000 sha256_generic 10368 0 - Live 0xffffffff8818a000 aes_x86_64 26920 2 - Live 0xffffffff88182000 cbc 6400 1 - Live 0xffffffff8817f000 blkcipher 9476 2 ecb,cbc, Live 0xffffffff8817b000 usbhid 35296 0 - Live 0xffffffff88171000 hid 44992 1 usbhid, Live 0xffffffff88165000 sg 41880 0 - Live 0xffffffff88159000 sr_mod 20132 0 - Live 0xffffffff88153000 cdrom 41512 1 sr_mod, Live 0xffffffff88147000 sd_mod 33280 3 - Live 0xffffffff8813d000 ata_piix 24196 2 - Live 0xffffffff88136000 ata_generic 9988 0 - Live 0xffffffff88132000 pata_acpi 9856 0 - Live 0xffffffff8812e000 ohci1394 36532 0 - Live 0xffffffff88122000 ieee1394 106968 2 sbp2,ohci1394, Live 0xffffffff88106000 libata 176432 3 ata_piix,ata_generic,pata_acpi, Live 0xffffffff880d7000 scsi_mod 178488 5 sbp2,sg,sr_mod,sd_mod,libata, Live 0xffffffff880aa000 ehci_hcd 41996 0 - Live 0xffffffff8809c000 dm_crypt 16776 1 - Live 0xffffffff88096000 uhci_hcd 29856 0 - Live 0xffffffff8808b000 usbcore 169904 6 hci_usb,uvcvideo,usbhid,ehci_hcd,uhci_hcd, Live 0xffffffff88060000 dm_mirror 26368 0 - Live 0xffffffff88058000 dm_snapshot 20680 0 - Live 0xffffffff88051000 dm_mod 71160 10 dm_crypt,dm_mirror,dm_snapshot, Live 0xffffffff8803e000 thermal 19744 0 - Live 0xffffffff88038000 processor 41448 4 acpi_cpufreq,thermal, Live 0xffffffff8802c000 fan 6792 0 - Live 0xffffffff88029000 fbcon 46336 0 - Live 0xffffffff8801c000 tileblit 4096 1 fbcon, Live 0xffffffff8801a000 font 10112 1 fbcon, Live 0xffffffff88016000 bitblit 7424 1 fbcon, Live 0xffffffff88013000 softcursor 3712 1 bitblit, Live 0xffffffff88011000 fuse 56112 3 - Live 0xffffffff88002000 + _________________________ /proc/meminfo + + cat /proc/meminfo MemTotal: 3088240 kB MemFree: 1218072 kB Buffers: 94084 kB Cached: 769872 kB SwapCached: 0 kB Active: 1100652 kB Inactive: 537760 kB SwapTotal: 9261048 kB SwapFree: 9261048 kB Dirty: 64 kB Writeback: 0 kB AnonPages: 774140 kB Mapped: 174712 kB Slab: 104440 kB SReclaimable: 81444 kB SUnreclaim: 22996 kB PageTables: 22048 kB NFS_Unstable: 0 kB Bounce: 0 kB CommitLimit: 10805168 kB Committed_AS: 1991304 kB VmallocTotal: 34359738367 kB VmallocUsed: 23792 kB VmallocChunk: 34359714299 kB + _________________________ /proc/net/ipsec-ls + + test -f /proc/net/ipsec_version + _________________________ usr/src/linux/.config + + test -f /proc/config.gz + uname -r + test -f /lib/modules/2.6.24-19-generic/build/.config + uname -r + egrep CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM + cat /lib/modules/2.6.24-19-generic/build/.config CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_AMD=m CONFIG_HW_RANDOM_INTEL=m CONFIG_INET=y CONFIG_INET6_AH=m CONFIG_INET6_ESP=m CONFIG_INET6_IPCOMP=m CONFIG_INET6_TUNNEL=m CONFIG_INET6_XFRM_MODE_BEET=m CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m CONFIG_INET6_XFRM_MODE_TRANSPORT=m CONFIG_INET6_XFRM_MODE_TUNNEL=m CONFIG_INET6_XFRM_TUNNEL=m CONFIG_INET_AH=m CONFIG_INET_DCCP_DIAG=m CONFIG_INET_DIAG=y CONFIG_INET_ESP=m CONFIG_INET_IPCOMP=m CONFIG_INET_LRO=m CONFIG_INET_TCP_DIAG=y CONFIG_INET_TUNNEL=m CONFIG_INET_XFRM_MODE_BEET=m CONFIG_INET_XFRM_MODE_TRANSPORT=m CONFIG_INET_XFRM_MODE_TUNNEL=m CONFIG_INET_XFRM_TUNNEL=m CONFIG_IP1000=m CONFIG_IP6_NF_FILTER=m CONFIG_IP6_NF_IPTABLES=m CONFIG_IP6_NF_MANGLE=m CONFIG_IP6_NF_MATCH_AH=m CONFIG_IP6_NF_MATCH_EUI64=m CONFIG_IP6_NF_MATCH_FRAG=m CONFIG_IP6_NF_MATCH_HL=m CONFIG_IP6_NF_MATCH_IPV6HEADER=m CONFIG_IP6_NF_MATCH_MH=m CONFIG_IP6_NF_MATCH_OPTS=m CONFIG_IP6_NF_MATCH_OWNER=m CONFIG_IP6_NF_MATCH_RT=m CONFIG_IP6_NF_QUEUE=m CONFIG_IP6_NF_RAW=m CONFIG_IP6_NF_TARGET_HL=m CONFIG_IP6_NF_TARGET_LOG=m CONFIG_IP6_NF_TARGET_REJECT=m CONFIG_IPDDP=m CONFIG_IPDDP_DECAP=y CONFIG_IPDDP_ENCAP=y CONFIG_IPMI_DEVICE_INTERFACE=m CONFIG_IPMI_HANDLER=m # CONFIG_IPMI_PANIC_EVENT is not set CONFIG_IPMI_POWEROFF=m CONFIG_IPMI_SI=m CONFIG_IPMI_WATCHDOG=m CONFIG_IPPP_FILTER=y CONFIG_IPV6=m # CONFIG_IPV6_MIP6 is not set # CONFIG_IPV6_OPTIMISTIC_DAD is not set CONFIG_IPV6_PRIVACY=y # CONFIG_IPV6_ROUTER_PREF is not set CONFIG_IPV6_SIT=m CONFIG_IPV6_TUNNEL=m CONFIG_IPW2100=m # CONFIG_IPW2100_DEBUG is not set CONFIG_IPW2100_MONITOR=y CONFIG_IPW2200=m # CONFIG_IPW2200_DEBUG is not set CONFIG_IPW2200_MONITOR=y CONFIG_IPW2200_PROMISCUOUS=y CONFIG_IPW2200_QOS=y CONFIG_IPW2200_RADIOTAP=y CONFIG_IPX=m # CONFIG_IPX_INTERN is not set CONFIG_IP_ADVANCED_ROUTER=y CONFIG_IP_DCCP=m CONFIG_IP_DCCP_ACKVEC=y CONFIG_IP_DCCP_CCID2=m # CONFIG_IP_DCCP_CCID2_DEBUG is not set CONFIG_IP_DCCP_CCID3=m # CONFIG_IP_DCCP_CCID3_DEBUG is not set CONFIG_IP_DCCP_CCID3_RTO=100 # CONFIG_IP_DCCP_DEBUG is not set CONFIG_IP_DCCP_TFRC_LIB=m CONFIG_IP_FIB_HASH=y # CONFIG_IP_FIB_TRIE is not set CONFIG_IP_MROUTE=y CONFIG_IP_MULTICAST=y CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IP_NF_ARPFILTER=m CONFIG_IP_NF_ARPTABLES=m CONFIG_IP_NF_ARP_MANGLE=m CONFIG_IP_NF_FILTER=m CONFIG_IP_NF_IPTABLES=m CONFIG_IP_NF_MANGLE=m CONFIG_IP_NF_MATCH_ADDRTYPE=m CONFIG_IP_NF_MATCH_AH=m CONFIG_IP_NF_MATCH_ECN=m CONFIG_IP_NF_MATCH_IPRANGE=m CONFIG_IP_NF_MATCH_OWNER=m CONFIG_IP_NF_MATCH_RECENT=m CONFIG_IP_NF_MATCH_TOS=m CONFIG_IP_NF_MATCH_TTL=m CONFIG_IP_NF_QUEUE=m CONFIG_IP_NF_RAW=m CONFIG_IP_NF_TARGET_CLUSTERIP=m CONFIG_IP_NF_TARGET_ECN=m CONFIG_IP_NF_TARGET_LOG=m CONFIG_IP_NF_TARGET_MASQUERADE=m CONFIG_IP_NF_TARGET_NETMAP=m CONFIG_IP_NF_TARGET_REDIRECT=m CONFIG_IP_NF_TARGET_REJECT=m CONFIG_IP_NF_TARGET_SAME=m CONFIG_IP_NF_TARGET_TOS=m CONFIG_IP_NF_TARGET_TTL=m CONFIG_IP_NF_TARGET_ULOG=m CONFIG_IP_PIMSM_V1=y CONFIG_IP_PIMSM_V2=y # CONFIG_IP_PNP is not set CONFIG_IP_ROUTE_MULTIPATH=y CONFIG_IP_ROUTE_VERBOSE=y CONFIG_IP_SCTP=m CONFIG_IP_VS=m # CONFIG_IP_VS_DEBUG is not set CONFIG_IP_VS_DH=m CONFIG_IP_VS_FTP=m CONFIG_IP_VS_LBLC=m CONFIG_IP_VS_LBLCR=m CONFIG_IP_VS_LC=m CONFIG_IP_VS_NQ=m CONFIG_IP_VS_PROTO_AH=y CONFIG_IP_VS_PROTO_ESP=y CONFIG_IP_VS_PROTO_TCP=y CONFIG_IP_VS_PROTO_UDP=y CONFIG_IP_VS_RR=m CONFIG_IP_VS_SED=m CONFIG_IP_VS_SH=m CONFIG_IP_VS_TAB_BITS=12 CONFIG_IP_VS_WLC=m CONFIG_IP_VS_WRR=m CONFIG_NET_KEY=m # CONFIG_NET_KEY_MIGRATE is not set # CONFIG_SECURITY_NETWORK_XFRM is not set CONFIG_XFRM=y # CONFIG_XFRM_MIGRATE is not set # CONFIG_XFRM_SUB_POLICY is not set CONFIG_XFRM_USER=m # CONFIG_IPV6_MULTIPLE_TABLES is not set + _________________________ etc/syslog.conf + + cat /etc/syslog.conf # /etc/syslog.conf Configuration file for syslogd. # # For more information see syslog.conf(5) # manpage. # # First some standard logfiles. Log by facility. # auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog #cron.* /var/log/cron.log daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log user.* -/var/log/user.log # # Logging for the mail system. Split it up so that # it is easy to write scripts to parse these files. # mail.info -/var/log/mail.info mail.warn -/var/log/mail.warn mail.err /var/log/mail.err # Logging for INN news system # news.crit /var/log/news/news.crit news.err /var/log/news/news.err news.notice -/var/log/news/news.notice # # Some `catch-all' logfiles. # *.=debug;\ auth,authpriv.none;\ news.none;mail.none -/var/log/debug *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -/var/log/messages # # Emergencies are sent to everybody logged in. # *.emerg * # # I like to have messages displayed on the console, but only on a virtual # console I usually leave idle. # #daemon,mail.*;\ # news.=crit;news.=err;news.=notice;\ # *.=debug;*.=info;\ # *.=notice;*.=warn /dev/tty8 # The named pipe /dev/xconsole is for the `xconsole' utility. To use it, # you must invoke `xconsole' with the `-file' option: # # $ xconsole -file /dev/xconsole [...] # # NOTE: adjust the list below, or you'll go crazy if you have a reasonably # busy site.. # daemon.*;mail.*;\ news.err;\ *.=debug;*.=info;\ *.=notice;*.=warn |/dev/xconsole + _________________________ etc/syslog-ng/syslog-ng.conf + + cat /etc/syslog-ng/syslog-ng.conf cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory + _________________________ etc/resolv.conf + + cat /etc/resolv.conf ### BEGIN INFO # # Modified_by: NetworkManager # Process: /usr/bin/NetworkManager # Process_id: 5570 # ### END INFO nameserver 192.168.0.1 + _________________________ lib/modules-ls + + ls -ltr /lib/modules total 32 drwxr-xr-x 7 root root 4096 Jan 22 2009 2.6.24-22-generic drwxr-xr-x 7 root root 4096 Jan 22 2009 2.6.24-21-generic drwxr-xr-x 7 root root 4096 May 30 15:33 2.6.24-23-generic drwxr-xr-x 3 root root 4096 Oct 16 10:05 2.6.24-24-rt drwxr-xr-x 3 root root 4096 Oct 16 10:05 2.6.24-24-server drwxr-xr-x 8 root root 4096 Oct 16 10:05 2.6.24-19-generic drwxr-xr-x 8 root root 4096 Oct 16 10:06 2.6.24-24-generic drwxr-xr-x 7 root root 4096 Oct 22 09:34 2.6.24-25-generic + _________________________ /proc/ksyms-netif_rx + + test -r /proc/ksyms + test -r /proc/kallsyms + egrep netif_rx /proc/kallsyms ffffffff803eae50 T netif_rx ffffffff803eb110 T netif_rx_ni ffffffff8055f460 r __ksymtab_netif_rx ffffffff8055f650 r __ksymtab_netif_rx_ni ffffffff80568160 r __kcrctab_netif_rx ffffffff80568258 r __kcrctab_netif_rx_ni ffffffff80579401 r __kstrtab_netif_rx ffffffff805796ea r __kstrtab_netif_rx_ni ffffffff803eae50 u netif_rx [ipv6] ffffffff803eb110 u netif_rx_ni [vboxnetflt] ffffffff803eae50 u netif_rx [iwlwifi_mac80211] + _________________________ lib/modules-netif_rx + + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.6.24-19-generic: 2.6.24-21-generic: 2.6.24-22-generic: 2.6.24-23-generic: 2.6.24-24-generic: 2.6.24-24-rt: 2.6.24-24-server: 2.6.24-25-generic: + _________________________ kern.debug + + test -f /var/log/kern.debug + _________________________ klog + + sed -n 311,$p /var/log/syslog + egrep -i ipsec|klips|pluto + cat Oct 27 12:58:22 richard-desktop ipsec_setup: Starting Openswan IPsec U2.4.9/K2.6.24-19-generic... Oct 27 12:58:22 richard-desktop ipsec__plutorun: 034 esp string error: Non initial digit found for auth keylen, just after "AES-128-SHA1-" (old_state=ST_AA_END) Oct 27 12:58:22 richard-desktop ipsec__plutorun: ...could not add conn "cernis" + _________________________ plog + + sed -n 188,$p /var/log/auth.log + egrep -i pluto + cat Oct 27 12:58:22 richard-desktop ipsec__plutorun: Starting Pluto subsystem... Oct 27 12:58:22 richard-desktop pluto[24723]: Starting Pluto (Openswan Version 2.4.9 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OESJIo`rkcdb) Oct 27 12:58:22 richard-desktop pluto[24723]: Setting NAT-Traversal port-4500 floating to on Oct 27 12:58:22 richard-desktop pluto[24723]: port floating activation criteria nat_t=1/port_fload=1 Oct 27 12:58:22 richard-desktop pluto[24723]: including NAT-Traversal patch (Version 0.6c) Oct 27 12:58:22 richard-desktop pluto[24723]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) Oct 27 12:58:22 richard-desktop pluto[24723]: no helpers will be started, all cryptographic operations will be done inline Oct 27 12:58:22 richard-desktop pluto[24723]: Using NETKEY IPsec interface code on 2.6.24-19-generic Oct 27 12:58:22 richard-desktop pluto[24723]: Changing to directory '/etc/ipsec.d/cacerts' Oct 27 12:58:22 richard-desktop pluto[24723]: Changing to directory '/etc/ipsec.d/aacerts' Oct 27 12:58:22 richard-desktop pluto[24723]: Changing to directory '/etc/ipsec.d/ocspcerts' Oct 27 12:58:22 richard-desktop pluto[24723]: Changing to directory '/etc/ipsec.d/crls' Oct 27 12:58:22 richard-desktop pluto[24723]: Warning: empty directory Oct 27 12:58:22 richard-desktop pluto[24723]: esp string error: Non initial digit found for auth keylen, just after "AES-128-SHA1-" (old_state=ST_AA_END) Oct 27 12:58:22 richard-desktop pluto[24723]: listening for IKE messages Oct 27 12:58:22 richard-desktop pluto[24723]: adding interface wlan0/wlan0 192.168.0.2:500 Oct 27 12:58:22 richard-desktop pluto[24723]: adding interface wlan0/wlan0 192.168.0.2:4500 Oct 27 12:58:22 richard-desktop pluto[24723]: adding interface lo/lo 127.0.0.1:500 Oct 27 12:58:22 richard-desktop pluto[24723]: adding interface lo/lo 127.0.0.1:4500 Oct 27 12:58:22 richard-desktop pluto[24723]: adding interface lo/lo ::1:500 Oct 27 12:58:22 richard-desktop pluto[24723]: loading secrets from "/etc/ipsec.secrets" Oct 27 12:58:22 richard-desktop pluto[24723]: loaded private key file '/etc/ipsec.d/private/richard-desktopKey.pem' (1675 bytes) Oct 27 13:00:40 richard-desktop pluto[24723]: esp string error: Non initial digit found for auth keylen, just after "AES-128-SHA1-" (old_state=ST_AA_END) Oct 27 13:36:20 richard-desktop pluto[24723]: added connection description "cernis" Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: initiating Main Mode Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: ignoring unknown Vendor ID payload [5b362bc820f60006] Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: received Vendor ID payload [RFC 3947] method set to=110 Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: STATE_MAIN_I2: sent MI2, expecting MR2 Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6] Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: received Vendor ID payload [XAUTH] Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: received Vendor ID payload [Dead Peer Detection] Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: I did not send a certificate because I do not have one. Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: STATE_MAIN_I3: sent MI3, expecting MR3 Oct 27 13:36:24 richard-desktop pluto[24723]: "cernis" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3) Oct 27 13:36:34 richard-desktop pluto[24723]: "cernis" #1: Main mode peer ID is ID_FQDN: '@0017C52619D4' Oct 27 13:36:34 richard-desktop pluto[24723]: "cernis" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 Oct 27 13:36:34 richard-desktop pluto[24723]: "cernis" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024} Oct 27 13:37:24 richard-desktop pluto[24723]: "cernis" #1: next payload type of ISAKMP Hash Payload has an unknown value: 185 Oct 27 13:37:24 richard-desktop pluto[24723]: "cernis" #1: malformed payload in packet Oct 27 13:37:24 richard-desktop pluto[24723]: | payload malformed after IV Oct 27 13:37:24 richard-desktop pluto[24723]: | 52 a2 f2 64 a8 07 99 3b 78 78 5d d7 a4 1d d1 54 Oct 27 13:37:24 richard-desktop pluto[24723]: "cernis" #1: sending notification PAYLOAD_MALFORMED to 81.136.230.43:4500 Oct 27 13:38:25 richard-desktop pluto[24723]: "cernis" #1: next payload type of ISAKMP Hash Payload has an unknown value: 185 Oct 27 13:38:25 richard-desktop pluto[24723]: "cernis" #1: malformed payload in packet Oct 27 13:38:25 richard-desktop pluto[24723]: | payload malformed after IV Oct 27 13:38:25 richard-desktop pluto[24723]: | 52 a2 f2 64 a8 07 99 3b 78 78 5d d7 a4 1d d1 54 Oct 27 13:38:25 richard-desktop pluto[24723]: "cernis" #1: sending notification PAYLOAD_MALFORMED to 81.136.230.43:4500 Oct 27 14:07:33 richard-desktop pluto[24723]: "cernis": deleting connection Oct 27 14:07:33 richard-desktop pluto[24723]: "cernis" #1: deleting state (STATE_MAIN_I4) Oct 27 14:07:33 richard-desktop pluto[24723]: added connection description "cernis" Oct 27 14:07:33 richard-desktop pluto[24723]: packet from 81.136.230.43:4500: ignoring informational payload, type INVALID_COOKIE Oct 27 14:07:33 richard-desktop pluto[24723]: packet from 81.136.230.43:4500: received and ignored informational message Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: initiating Main Mode Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: ignoring unknown Vendor ID payload [5b362bc820f60006] Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: received Vendor ID payload [RFC 3947] method set to=110 Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: STATE_MAIN_I2: sent MI2, expecting MR2 Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: ignoring unknown Vendor ID payload [404bf439522ca3f6] Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: received Vendor ID payload [XAUTH] Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: received Vendor ID payload [Dead Peer Detection] Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: I did not send a certificate because I do not have one. Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: STATE_MAIN_I3: sent MI3, expecting MR3 Oct 27 14:07:37 richard-desktop pluto[24723]: "cernis" #2: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3) Oct 27 14:07:47 richard-desktop pluto[24723]: "cernis" #2: Main mode peer ID is ID_FQDN: '@0017C52619D4' Oct 27 14:07:47 richard-desktop pluto[24723]: "cernis" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 Oct 27 14:07:47 richard-desktop pluto[24723]: "cernis" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024} Oct 27 14:08:34 richard-desktop pluto[24723]: "cernis" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#2} Oct 27 14:08:38 richard-desktop pluto[24723]: "cernis" #2: next payload type of ISAKMP Hash Payload has an unknown value: 41 Oct 27 14:08:38 richard-desktop pluto[24723]: "cernis" #2: malformed payload in packet Oct 27 14:08:38 richard-desktop pluto[24723]: | payload malformed after IV Oct 27 14:08:38 richard-desktop pluto[24723]: | e0 4a e9 ea 61 cb 9d a0 2d 04 c1 21 ed 62 50 b9 Oct 27 14:08:38 richard-desktop pluto[24723]: "cernis" #2: sending notification PAYLOAD_MALFORMED to 81.136.230.43:4500 Oct 27 14:08:41 richard-desktop pluto[24723]: "cernis": deleting connection Oct 27 14:08:41 richard-desktop pluto[24723]: "cernis" #3: deleting state (STATE_QUICK_I1) Oct 27 14:08:42 richard-desktop pluto[24723]: "cernis" #2: deleting state (STATE_MAIN_I4) Oct 27 14:08:42 richard-desktop pluto[24723]: added connection description "cernis" Oct 27 14:08:43 richard-desktop pluto[24723]: "cernis" #4: multiple transforms were set in aggressive mode. Only first one used. Oct 27 14:08:43 richard-desktop pluto[24723]: "cernis" #4: transform (7,2,2,128) ignored. Oct 27 14:08:43 richard-desktop pluto[24723]: "cernis" #4: initiating Aggressive Mode #4, connection "cernis" Oct 27 14:08:43 richard-desktop pluto[24723]: "cernis" #4: multiple transforms were set in aggressive mode. Only first one used. Oct 27 14:08:43 richard-desktop pluto[24723]: "cernis" #4: transform (7,2,2,128) ignored. Oct 27 14:08:43 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:08:43 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:08:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:08:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:09:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:09:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:09:54 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:09:54 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:10:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:10:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:11:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:11:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:11:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:11:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:12:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:12:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:13:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:13:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:13:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:13:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:14:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:14:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:15:14 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:15:14 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:15:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:15:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:16:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:16:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:17:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:17:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:17:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:17:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:18:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:18:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:19:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:19:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:19:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:19:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:20:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:20:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:21:14 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:21:14 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:21:53 richard-desktop pluto[24723]: "cernis" #4: max number of retransmissions (20) reached STATE_AGGR_I1 Oct 27 14:21:53 richard-desktop pluto[24723]: "cernis" #4: starting keying attempt 2 of an unlimited number, but releasing whack Oct 27 14:21:53 richard-desktop pluto[24723]: "cernis" #5: multiple transforms were set in aggressive mode. Only first one used. Oct 27 14:21:53 richard-desktop pluto[24723]: "cernis" #5: transform (7,2,2,128) ignored. Oct 27 14:21:53 richard-desktop pluto[24723]: "cernis" #5: initiating Aggressive Mode #5 to replace #4, connection "cernis" Oct 27 14:21:53 richard-desktop pluto[24723]: "cernis" #5: multiple transforms were set in aggressive mode. Only first one used. Oct 27 14:21:53 richard-desktop pluto[24723]: "cernis" #5: transform (7,2,2,128) ignored. Oct 27 14:21:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:21:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:22:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:22:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:22:23 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:22:23 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:23:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:23:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:23:43 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:23:43 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:24:23 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:24:23 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:25:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:25:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:25:43 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:25:44 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:26:24 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:26:24 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:27:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:27:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:27:43 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:27:43 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:28:23 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:28:23 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:29:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:29:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:29:43 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:29:43 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:30:23 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:30:23 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:31:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:31:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:31:44 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:31:44 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:32:23 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:32:23 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:33:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:33:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:33:43 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:33:43 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:34:23 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:34:23 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:35:03 richard-desktop pluto[24723]: "cernis" #5: max number of retransmissions (20) reached STATE_AGGR_I1 Oct 27 14:35:03 richard-desktop pluto[24723]: "cernis" #5: starting keying attempt 3 of an unlimited number Oct 27 14:35:03 richard-desktop pluto[24723]: "cernis" #6: multiple transforms were set in aggressive mode. Only first one used. Oct 27 14:35:03 richard-desktop pluto[24723]: "cernis" #6: transform (7,2,2,128) ignored. Oct 27 14:35:03 richard-desktop pluto[24723]: "cernis" #6: initiating Aggressive Mode #6 to replace #5, connection "cernis" Oct 27 14:35:03 richard-desktop pluto[24723]: "cernis" #6: multiple transforms were set in aggressive mode. Only first one used. Oct 27 14:35:03 richard-desktop pluto[24723]: "cernis" #6: transform (7,2,2,128) ignored. Oct 27 14:35:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:35:03 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:35:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:35:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:35:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:35:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:36:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:36:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:36:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:36:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:37:34 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:37:34 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:38:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:38:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:38:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:38:53 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:39:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:39:33 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:40:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:40:13 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:40:37 richard-desktop pluto[24723]: "cernis": deleting connection Oct 27 14:40:37 richard-desktop pluto[24723]: "cernis" #6: deleting state (STATE_AGGR_I1) Oct 27 14:40:37 richard-desktop pluto[24723]: added connection description "cernis" Oct 27 14:40:40 richard-desktop pluto[24723]: "cernis" #7: multiple transforms were set in aggressive mode. Only first one used. Oct 27 14:40:40 richard-desktop pluto[24723]: "cernis" #7: transform (7,2,2,128) ignored. Oct 27 14:40:40 richard-desktop pluto[24723]: "cernis" #7: initiating Aggressive Mode #7, connection "cernis" Oct 27 14:40:40 richard-desktop pluto[24723]: "cernis" #7: multiple transforms were set in aggressive mode. Only first one used. Oct 27 14:40:40 richard-desktop pluto[24723]: "cernis" #7: transform (7,2,2,128) ignored. Oct 27 14:40:40 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:40:40 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:40:50 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:40:50 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:41:10 richard-desktop pluto[24723]: packet from 81.136.230.43:500: ignoring informational payload, type INVALID_ID_INFORMATION Oct 27 14:41:10 richard-desktop pluto[24723]: packet from 81.136.230.43:500: received and ignored informational message Oct 27 14:41:14 richard-desktop pluto[24723]: "cernis": deleting connection Oct 27 14:41:14 richard-desktop pluto[24723]: "cernis" #7: deleting state (STATE_AGGR_I1) Oct 27 14:41:14 richard-desktop pluto[24723]: added connection description "cernis" Oct 27 14:41:15 richard-desktop pluto[24723]: "cernis" #8: initiating Main Mode Oct 27 14:41:16 richard-desktop pluto[24723]: "cernis" #8: ignoring unknown Vendor ID payload [5b362bc820f60006] Oct 27 14:41:16 richard-desktop pluto[24723]: "cernis" #8: received Vendor ID payload [RFC 3947] method set to=110 Oct 27 14:41:16 richard-desktop pluto[24723]: "cernis" #8: Can't authenticate: no preshared key found for `@GROUPVPN' and `@0017C52619D4'. Attribute OAKLEY_AUTHENTICATION_METHOD Oct 27 14:41:16 richard-desktop pluto[24723]: "cernis" #8: no acceptable Oakley Transform Oct 27 14:41:16 richard-desktop pluto[24723]: "cernis" #8: sending notification NO_PROPOSAL_CHOSEN to 81.136.230.43:500 Oct 27 14:41:20 richard-desktop pluto[24723]: "cernis" #8: ignoring unknown Vendor ID payload [5b362bc820f60006] Oct 27 14:41:20 richard-desktop pluto[24723]: "cernis" #8: received Vendor ID payload [RFC 3947] method set to=110 Oct 27 14:41:20 richard-desktop pluto[24723]: "cernis" #8: Can't authenticate: no preshared key found for `@GROUPVPN' and `@0017C52619D4'. Attribute OAKLEY_AUTHENTICATION_METHOD Oct 27 14:41:20 richard-desktop pluto[24723]: "cernis" #8: no acceptable Oakley Transform Oct 27 14:41:20 richard-desktop pluto[24723]: "cernis" #8: sending notification NO_PROPOSAL_CHOSEN to 81.136.230.43:500 Oct 27 14:41:32 richard-desktop pluto[24723]: "cernis" #8: ignoring unknown Vendor ID payload [5b362bc820f60006] Oct 27 14:41:32 richard-desktop pluto[24723]: "cernis" #8: received Vendor ID payload [RFC 3947] method set to=110 Oct 27 14:41:32 richard-desktop pluto[24723]: "cernis" #8: Can't authenticate: no preshared key found for `@GROUPVPN' and `@0017C52619D4'. Attribute OAKLEY_AUTHENTICATION_METHOD Oct 27 14:41:32 richard-desktop pluto[24723]: "cernis" #8: no acceptable Oakley Transform Oct 27 14:41:32 richard-desktop pluto[24723]: "cernis" #8: sending notification NO_PROPOSAL_CHOSEN to 81.136.230.43:500 Oct 27 14:41:51 richard-desktop pluto[24723]: "cernis" #8: ignoring unknown Vendor ID payload [5b362bc820f60006] Oct 27 14:41:51 richard-desktop pluto[24723]: "cernis" #8: received Vendor ID payload [RFC 3947] method set to=110 Oct 27 14:41:51 richard-desktop pluto[24723]: "cernis" #8: Can't authenticate: no preshared key found for `@GROUPVPN' and `@0017C52619D4'. Attribute OAKLEY_AUTHENTICATION_METHOD Oct 27 14:41:51 richard-desktop pluto[24723]: "cernis" #8: no acceptable Oakley Transform Oct 27 14:41:51 richard-desktop pluto[24723]: "cernis" #8: sending notification NO_PROPOSAL_CHOSEN to 81.136.230.43:500 Oct 27 14:42:06 richard-desktop pluto[24723]: "cernis": deleting connection Oct 27 14:42:06 richard-desktop pluto[24723]: "cernis" #8: deleting state (STATE_MAIN_I1) Oct 27 14:42:06 richard-desktop pluto[24723]: added connection description "cernis" Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: initiating Main Mode Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: ignoring unknown Vendor ID payload [5b362bc820f60006] Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: received Vendor ID payload [RFC 3947] method set to=110 Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: STATE_MAIN_I2: sent MI2, expecting MR2 Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: ignoring unknown Vendor ID payload [404bf439522ca3f6] Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: received Vendor ID payload [XAUTH] Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: received Vendor ID payload [Dead Peer Detection] Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: I did not send a certificate because I do not have one. Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: STATE_MAIN_I3: sent MI3, expecting MR3 Oct 27 14:42:08 richard-desktop pluto[24723]: "cernis" #9: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3) Oct 27 14:42:18 richard-desktop pluto[24723]: "cernis" #9: Main mode peer ID is ID_FQDN: '@0017C52619D4' Oct 27 14:42:18 richard-desktop pluto[24723]: "cernis" #9: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 Oct 27 14:42:18 richard-desktop pluto[24723]: "cernis" #9: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024} Oct 27 14:43:09 richard-desktop pluto[24723]: "cernis" #9: next payload type of ISAKMP Hash Payload has an unknown value: 63 Oct 27 14:43:09 richard-desktop pluto[24723]: "cernis" #9: malformed payload in packet Oct 27 14:43:09 richard-desktop pluto[24723]: | payload malformed after IV Oct 27 14:43:09 richard-desktop pluto[24723]: | 87 76 c7 65 c5 19 c8 6b 30 7b 0e e6 ab df 56 d1 Oct 27 14:43:09 richard-desktop pluto[24723]: "cernis" #9: sending notification PAYLOAD_MALFORMED to 81.136.230.43:4500 Oct 27 14:44:10 richard-desktop pluto[24723]: "cernis" #9: next payload type of ISAKMP Hash Payload has an unknown value: 63 Oct 27 14:44:10 richard-desktop pluto[24723]: "cernis" #9: malformed payload in packet Oct 27 14:44:10 richard-desktop pluto[24723]: | payload malformed after IV Oct 27 14:44:10 richard-desktop pluto[24723]: | 87 76 c7 65 c5 19 c8 6b 30 7b 0e e6 ab df 56 d1 Oct 27 14:44:10 richard-desktop pluto[24723]: "cernis" #9: sending notification PAYLOAD_MALFORMED to 81.136.230.43:4500 Oct 27 15:21:08 richard-desktop pluto[24723]: "cernis": deleting connection Oct 27 15:21:08 richard-desktop pluto[24723]: "cernis" #9: deleting state (STATE_MAIN_I4) Oct 27 15:21:08 richard-desktop pluto[24723]: added connection description "cernis" Oct 27 15:21:08 richard-desktop pluto[24723]: packet from 81.136.230.43:4500: ignoring informational payload, type INVALID_COOKIE Oct 27 15:21:08 richard-desktop pluto[24723]: packet from 81.136.230.43:4500: received and ignored informational message Oct 27 15:21:11 richard-desktop pluto[24723]: "cernis" #10: initiating Main Mode Oct 27 15:21:11 richard-desktop pluto[24723]: "cernis" #10: ignoring unknown Vendor ID payload [5b362bc820f60006] Oct 27 15:21:11 richard-desktop pluto[24723]: "cernis" #10: received Vendor ID payload [RFC 3947] method set to=110 Oct 27 15:21:11 richard-desktop pluto[24723]: "cernis" #10: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) Oct 27 15:21:11 richard-desktop pluto[24723]: "cernis" #10: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 Oct 27 15:21:11 richard-desktop pluto[24723]: "cernis" #10: STATE_MAIN_I2: sent MI2, expecting MR2 Oct 27 15:21:12 richard-desktop pluto[24723]: "cernis" #10: ignoring unknown Vendor ID payload [404bf439522ca3f6] Oct 27 15:21:12 richard-desktop pluto[24723]: "cernis" #10: received Vendor ID payload [XAUTH] Oct 27 15:21:12 richard-desktop pluto[24723]: "cernis" #10: received Vendor ID payload [Dead Peer Detection] Oct 27 15:21:12 richard-desktop pluto[24723]: "cernis" #10: I did not send a certificate because I do not have one. Oct 27 15:21:12 richard-desktop pluto[24723]: "cernis" #10: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed Oct 27 15:21:12 richard-desktop pluto[24723]: "cernis" #10: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Oct 27 15:21:12 richard-desktop pluto[24723]: "cernis" #10: STATE_MAIN_I3: sent MI3, expecting MR3 Oct 27 15:21:12 richard-desktop pluto[24723]: "cernis" #10: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3) Oct 27 15:21:22 richard-desktop pluto[24723]: "cernis" #10: Main mode peer ID is ID_FQDN: '@0017C52619D4' Oct 27 15:21:22 richard-desktop pluto[24723]: "cernis" #10: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 Oct 27 15:21:22 richard-desktop pluto[24723]: "cernis" #10: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024} Oct 27 15:22:13 richard-desktop pluto[24723]: "cernis" #10: next payload type of ISAKMP Hash Payload has an unknown value: 237 Oct 27 15:22:13 richard-desktop pluto[24723]: "cernis" #10: malformed payload in packet Oct 27 15:22:13 richard-desktop pluto[24723]: | payload malformed after IV Oct 27 15:22:13 richard-desktop pluto[24723]: | 8c 84 a9 2b 85 fe 54 ec e8 46 bc 9e 25 ff 6b 34 Oct 27 15:22:13 richard-desktop pluto[24723]: "cernis" #10: sending notification PAYLOAD_MALFORMED to 81.136.230.43:4500 Oct 27 15:23:14 richard-desktop pluto[24723]: "cernis" #10: next payload type of ISAKMP Hash Payload has an unknown value: 237 Oct 27 15:23:14 richard-desktop pluto[24723]: "cernis" #10: malformed payload in packet Oct 27 15:23:14 richard-desktop pluto[24723]: | payload malformed after IV Oct 27 15:23:14 richard-desktop pluto[24723]: | 8c 84 a9 2b 85 fe 54 ec e8 46 bc 9e 25 ff 6b 34 Oct 27 15:23:14 richard-desktop pluto[24723]: "cernis" #10: sending notification PAYLOAD_MALFORMED to 81.136.230.43:4500 Oct 27 15:31:18 richard-desktop pluto[24723]: "cernis" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#10} Oct 27 15:31:18 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:32:28 richard-desktop pluto[24723]: "cernis" #11: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:32:28 richard-desktop pluto[24723]: "cernis" #11: starting keying attempt 2 of an unlimited number, but releasing whack Oct 27 15:32:28 richard-desktop pluto[24723]: "cernis" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #11 {using isakmp#10} Oct 27 15:32:28 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:32:39 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:33:38 richard-desktop pluto[24723]: "cernis" #12: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:33:38 richard-desktop pluto[24723]: "cernis" #12: starting keying attempt 3 of an unlimited number Oct 27 15:33:38 richard-desktop pluto[24723]: "cernis" #13: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #12 {using isakmp#10} Oct 27 15:33:38 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:34:48 richard-desktop pluto[24723]: "cernis" #13: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:34:48 richard-desktop pluto[24723]: "cernis" #13: starting keying attempt 4 of an unlimited number Oct 27 15:34:48 richard-desktop pluto[24723]: "cernis" #14: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #13 {using isakmp#10} Oct 27 15:34:49 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:35:58 richard-desktop pluto[24723]: "cernis" #14: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:35:58 richard-desktop pluto[24723]: "cernis" #14: starting keying attempt 5 of an unlimited number Oct 27 15:35:58 richard-desktop pluto[24723]: "cernis" #15: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #14 {using isakmp#10} Oct 27 15:35:58 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:37:08 richard-desktop pluto[24723]: "cernis" #15: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:37:08 richard-desktop pluto[24723]: "cernis" #15: starting keying attempt 6 of an unlimited number Oct 27 15:37:08 richard-desktop pluto[24723]: "cernis" #16: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #15 {using isakmp#10} Oct 27 15:37:08 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:38:18 richard-desktop pluto[24723]: "cernis" #16: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:38:18 richard-desktop pluto[24723]: "cernis" #16: starting keying attempt 7 of an unlimited number Oct 27 15:38:18 richard-desktop pluto[24723]: "cernis" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #16 {using isakmp#10} Oct 27 15:38:19 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:39:28 richard-desktop pluto[24723]: "cernis" #17: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:39:28 richard-desktop pluto[24723]: "cernis" #17: starting keying attempt 8 of an unlimited number Oct 27 15:39:28 richard-desktop pluto[24723]: "cernis" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #17 {using isakmp#10} Oct 27 15:39:28 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:40:38 richard-desktop pluto[24723]: "cernis" #18: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:40:38 richard-desktop pluto[24723]: "cernis" #18: starting keying attempt 9 of an unlimited number Oct 27 15:40:38 richard-desktop pluto[24723]: "cernis" #19: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #18 {using isakmp#10} Oct 27 15:40:39 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:41:48 richard-desktop pluto[24723]: "cernis" #19: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:41:48 richard-desktop pluto[24723]: "cernis" #19: starting keying attempt 10 of an unlimited number Oct 27 15:41:48 richard-desktop pluto[24723]: "cernis" #20: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #19 {using isakmp#10} Oct 27 15:41:48 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:42:58 richard-desktop pluto[24723]: "cernis" #20: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:42:58 richard-desktop pluto[24723]: "cernis" #20: starting keying attempt 11 of an unlimited number Oct 27 15:42:58 richard-desktop pluto[24723]: "cernis" #21: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #20 {using isakmp#10} Oct 27 15:42:58 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:44:08 richard-desktop pluto[24723]: "cernis" #21: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:44:08 richard-desktop pluto[24723]: "cernis" #21: starting keying attempt 12 of an unlimited number Oct 27 15:44:08 richard-desktop pluto[24723]: "cernis" #22: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #21 {using isakmp#10} Oct 27 15:44:08 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:45:18 richard-desktop pluto[24723]: "cernis" #22: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:45:18 richard-desktop pluto[24723]: "cernis" #22: starting keying attempt 13 of an unlimited number Oct 27 15:45:18 richard-desktop pluto[24723]: "cernis" #23: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #22 {using isakmp#10} Oct 27 15:45:18 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:46:28 richard-desktop pluto[24723]: "cernis" #23: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:46:28 richard-desktop pluto[24723]: "cernis" #23: starting keying attempt 14 of an unlimited number Oct 27 15:46:28 richard-desktop pluto[24723]: "cernis" #24: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #23 {using isakmp#10} Oct 27 15:46:28 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:47:38 richard-desktop pluto[24723]: "cernis" #24: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:47:38 richard-desktop pluto[24723]: "cernis" #24: starting keying attempt 15 of an unlimited number Oct 27 15:47:38 richard-desktop pluto[24723]: "cernis" #25: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #24 {using isakmp#10} Oct 27 15:47:38 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:48:48 richard-desktop pluto[24723]: "cernis" #25: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:48:48 richard-desktop pluto[24723]: "cernis" #25: starting keying attempt 16 of an unlimited number Oct 27 15:48:48 richard-desktop pluto[24723]: "cernis" #26: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #25 {using isakmp#10} Oct 27 15:48:48 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:49:58 richard-desktop pluto[24723]: "cernis" #26: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:49:58 richard-desktop pluto[24723]: "cernis" #26: starting keying attempt 17 of an unlimited number Oct 27 15:49:58 richard-desktop pluto[24723]: "cernis" #27: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #26 {using isakmp#10} Oct 27 15:49:58 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:51:08 richard-desktop pluto[24723]: "cernis" #27: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:51:08 richard-desktop pluto[24723]: "cernis" #27: starting keying attempt 18 of an unlimited number Oct 27 15:51:08 richard-desktop pluto[24723]: "cernis" #28: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #27 {using isakmp#10} Oct 27 15:51:08 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:52:18 richard-desktop pluto[24723]: "cernis" #28: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:52:18 richard-desktop pluto[24723]: "cernis" #28: starting keying attempt 19 of an unlimited number Oct 27 15:52:18 richard-desktop pluto[24723]: "cernis" #29: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #28 {using isakmp#10} Oct 27 15:52:18 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:53:28 richard-desktop pluto[24723]: "cernis" #29: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:53:28 richard-desktop pluto[24723]: "cernis" #29: starting keying attempt 20 of an unlimited number Oct 27 15:53:28 richard-desktop pluto[24723]: "cernis" #30: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #29 {using isakmp#10} Oct 27 15:53:28 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted Oct 27 15:54:38 richard-desktop pluto[24723]: "cernis" #30: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal Oct 27 15:54:38 richard-desktop pluto[24723]: "cernis" #30: starting keying attempt 21 of an unlimited number Oct 27 15:54:38 richard-desktop pluto[24723]: "cernis" #31: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #30 {using isakmp#10} Oct 27 15:54:38 richard-desktop pluto[24723]: "cernis" #10: Informational Exchange message must be encrypted + _________________________ date + + date Tue Oct 27 15:55:18 GMT 2009