ph-router Tue Nov 9 09:49:47 CET 2010 + _________________________ version + + ipsec --version Linux Openswan U2.6.23/K2.6.32-25-server (netkey) See `ipsec --copyright' for copyright information. + _________________________ /proc/version + + cat /proc/version Linux version 2.6.32-25-server (buildd@allspice) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5) ) #45-Ubuntu SMP Sat Oct 16 20:06:58 UTC 2010 + _________________________ /proc/net/ipsec_eroute + + test -r /proc/net/ipsec_eroute + _________________________ netstat-rn + + netstat -nr + head -n 100 Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 217.5.234.16 0.0.0.0 255.255.255.248 U 0 0 0 eth0 192.168.70.0 192.168.1.200 255.255.255.0 UG 0 0 0 eth1 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 192.168.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 192.168.15.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0 192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 + _________________________ /proc/net/ipsec_spi + + test -r /proc/net/ipsec_spi + _________________________ /proc/net/ipsec_spigrp + + test -r /proc/net/ipsec_spigrp + _________________________ /proc/net/ipsec_tncfg + + test -r /proc/net/ipsec_tncfg + _________________________ /proc/net/pfkey + + test -r /proc/net/pfkey + cat /proc/net/pfkey sk RefCnt Rmem Wmem User Inode + _________________________ ip-xfrm-state + + ip xfrm state src 87.189.2.182 dst 217.5.234.18 proto esp spi 0x3ddc5a8d reqid 16397 mode tunnel replay-window 32 auth hmac(sha1) 0x1a840ff94259cbdb52b857702985a941bae0d594 enc cbc(des3_ede) 0xa7a6a55c2b6292e4bc43a6753b0e4607266b20473a323781 sel src 0.0.0.0/0 dst 0.0.0.0/0 src 217.5.234.18 dst 87.189.2.182 proto esp spi 0x1ae1d2d1 reqid 16397 mode tunnel replay-window 32 auth hmac(sha1) 0xe80539e2519ec9f7377f6bb0626807ea2ec00883 enc cbc(des3_ede) 0x4007cec04ad5c21613161660592278b6a7ca2f411af878aa sel src 0.0.0.0/0 dst 0.0.0.0/0 src 87.186.5.28 dst 217.5.234.18 proto esp spi 0x81d39f90 reqid 16393 mode tunnel replay-window 32 auth hmac(sha1) 0x5b3a431884e5799dfc9bdea9eec5774abda4a6b9 enc cbc(des3_ede) 0x9cf8efd3c1a11d419f54d42cb70c238d2c817f820c7a3bcb sel src 0.0.0.0/0 dst 0.0.0.0/0 src 217.5.234.18 dst 87.186.5.28 proto esp spi 0xf5061a09 reqid 16393 mode tunnel replay-window 32 auth hmac(sha1) 0x070b04fd9d13f2e9fab44fe5edbf0150251cbd06 enc cbc(des3_ede) 0x0c81acb5bb2fcbb91a11b4242cd8ec3faab23db8a2a0f25a sel src 0.0.0.0/0 dst 0.0.0.0/0 src 217.225.16.150 dst 217.5.234.18 proto esp spi 0xa4e81784 reqid 16389 mode tunnel replay-window 32 auth hmac(sha1) 0xff351feee94737fd8543d9f3fa26e51468ec5aad enc cbc(des3_ede) 0xc3a4b7d405d5101aa2e322027a64881a435205b49632b13f sel src 0.0.0.0/0 dst 0.0.0.0/0 src 217.5.234.18 dst 217.225.16.150 proto esp spi 0x7482fe39 reqid 16389 mode tunnel replay-window 32 auth hmac(sha1) 0x2a690e6667bfd2e1b15121e6d5f2659ffc89dd20 enc cbc(des3_ede) 0x122b3881d82c4d44069d24381833c67b534eef0f1a847f8e sel src 0.0.0.0/0 dst 0.0.0.0/0 + _________________________ ip-xfrm-policy + + ip xfrm policy src 192.168.1.0/24 dst 192.168.16.0/24 dir out priority 2344 tmpl src 217.5.234.18 dst 87.189.2.182 proto esp reqid 16397 mode tunnel src 192.168.16.0/24 dst 192.168.1.0/24 dir fwd priority 2344 tmpl src 87.189.2.182 dst 217.5.234.18 proto esp reqid 16397 mode tunnel src 192.168.16.0/24 dst 192.168.1.0/24 dir in priority 2344 tmpl src 87.189.2.182 dst 217.5.234.18 proto esp reqid 16397 mode tunnel src 192.168.1.0/24 dst 192.168.11.0/24 dir out priority 2344 tmpl src 217.5.234.18 dst 87.186.5.28 proto esp reqid 16393 mode tunnel src 192.168.1.0/24 dst 192.168.10.0/24 dir out priority 2344 tmpl src 217.5.234.18 dst 217.225.16.150 proto esp reqid 16389 mode tunnel src 192.168.11.0/24 dst 192.168.1.0/24 dir fwd priority 2344 tmpl src 87.186.5.28 dst 217.5.234.18 proto esp reqid 16393 mode tunnel src 192.168.11.0/24 dst 192.168.1.0/24 dir in priority 2344 tmpl src 87.186.5.28 dst 217.5.234.18 proto esp reqid 16393 mode tunnel src 192.168.10.0/24 dst 192.168.1.0/24 dir fwd priority 2344 tmpl src 217.225.16.150 dst 217.5.234.18 proto esp reqid 16389 mode tunnel src 192.168.10.0/24 dst 192.168.1.0/24 dir in priority 2344 tmpl src 217.225.16.150 dst 217.5.234.18 proto esp reqid 16389 mode tunnel src ::/0 dst ::/0 dir 4 priority 0 src ::/0 dst ::/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 + _________________________ /proc/crypto + + test -r /proc/crypto + cat /proc/crypto name : authenc(hmac(sha1),cbc(des3_ede)) driver : authenc(hmac(sha1-generic),cbc(des3_ede-generic)) module : authenc priority : 0 refcnt : 7 selftest : passed type : aead async : no blocksize : 8 ivsize : 8 maxauthsize : 20 geniv : name : cbc(des3_ede) driver : cbc(des3_ede-generic) module : kernel priority : 0 refcnt : 7 selftest : passed type : givcipher async : no blocksize : 8 min keysize : 24 max keysize : 24 ivsize : 8 geniv : eseqiv name : deflate driver : deflate-generic module : deflate priority : 0 refcnt : 1 selftest : passed type : compression name : rfc3686(ctr(aes)) driver : rfc3686(ctr(aes-asm)) module : ctr priority : 200 refcnt : 1 selftest : passed type : blkcipher blocksize : 1 min keysize : 20 max keysize : 36 ivsize : 8 geniv : seqiv name : ctr(aes) driver : ctr(aes-asm) module : ctr priority : 200 refcnt : 1 selftest : passed type : blkcipher blocksize : 1 min keysize : 16 max keysize : 32 ivsize : 16 geniv : chainiv name : cbc(camellia) driver : cbc(camellia-generic) module : kernel priority : 100 refcnt : 1 selftest : passed type : blkcipher blocksize : 16 min keysize : 16 max keysize : 32 ivsize : 16 geniv : name : camellia driver : camellia-generic module : camellia priority : 100 refcnt : 1 selftest : passed type : cipher blocksize : 16 min keysize : 16 max keysize : 32 name : cbc(cast5) driver : cbc(cast5-generic) module : kernel priority : 0 refcnt : 1 selftest : passed type : blkcipher blocksize : 8 min keysize : 5 max keysize : 16 ivsize : 8 geniv : name : cast5 driver : cast5-generic module : cast5 priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 8 min keysize : 5 max keysize : 16 name : cbc(twofish) driver : cbc(twofish-generic) module : kernel priority : 100 refcnt : 1 selftest : passed type : blkcipher blocksize : 16 min keysize : 16 max keysize : 32 ivsize : 16 geniv : name : cbc(serpent) driver : cbc(serpent-generic) module : kernel priority : 0 refcnt : 1 selftest : passed type : blkcipher blocksize : 16 min keysize : 0 max keysize : 32 ivsize : 16 geniv : name : cbc(aes) driver : cbc(aes-asm) module : kernel priority : 200 refcnt : 1 selftest : passed type : blkcipher blocksize : 16 min keysize : 16 max keysize : 32 ivsize : 16 geniv : name : cbc(blowfish) driver : cbc(blowfish-generic) module : kernel priority : 0 refcnt : 1 selftest : passed type : blkcipher blocksize : 8 min keysize : 4 max keysize : 56 ivsize : 8 geniv : name : hmac(sha1) driver : hmac(sha1-generic) module : kernel priority : 0 refcnt : 13 selftest : passed type : shash blocksize : 64 digestsize : 20 name : cbc(des3_ede) driver : cbc(des3_ede-generic) module : kernel priority : 0 refcnt : 7 selftest : passed type : blkcipher blocksize : 8 min keysize : 24 max keysize : 24 ivsize : 8 geniv : name : cbc(des) driver : cbc(des-generic) module : kernel priority : 0 refcnt : 1 selftest : passed type : blkcipher blocksize : 8 min keysize : 8 max keysize : 8 ivsize : 8 geniv : name : hmac(rmd160) driver : hmac(rmd160-generic) module : kernel priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 64 digestsize : 20 name : xcbc(aes) driver : xcbc(aes-asm) module : xcbc priority : 200 refcnt : 1 selftest : passed type : shash blocksize : 16 digestsize : 16 name : rmd160 driver : rmd160-generic module : rmd160 priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 64 digestsize : 20 name : hmac(sha256) driver : hmac(sha256-generic) module : kernel priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 64 digestsize : 32 name : sha1 driver : sha1-generic module : sha1_generic priority : 0 refcnt : 7 selftest : passed type : shash blocksize : 64 digestsize : 20 name : hmac(md5) driver : hmac(md5-generic) module : kernel priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 64 digestsize : 16 name : compress_null driver : compress_null-generic module : crypto_null priority : 0 refcnt : 1 selftest : passed type : compression name : digest_null driver : digest_null-generic module : crypto_null priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 1 digestsize : 0 name : ecb(cipher_null) driver : ecb-cipher_null module : crypto_null priority : 100 refcnt : 1 selftest : passed type : blkcipher blocksize : 1 min keysize : 0 max keysize : 0 ivsize : 0 geniv : name : cipher_null driver : cipher_null-generic module : crypto_null priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 1 min keysize : 0 max keysize : 0 name : tnepres driver : tnepres-generic module : serpent priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 16 min keysize : 0 max keysize : 32 name : serpent driver : serpent-generic module : serpent priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 16 min keysize : 0 max keysize : 32 name : blowfish driver : blowfish-generic module : blowfish priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 8 min keysize : 4 max keysize : 56 name : twofish driver : twofish-generic module : twofish priority : 100 refcnt : 1 selftest : passed type : cipher blocksize : 16 min keysize : 16 max keysize : 32 name : sha256 driver : sha256-generic module : sha256_generic priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 64 digestsize : 32 name : sha224 driver : sha224-generic module : sha256_generic priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 64 digestsize : 28 name : sha512 driver : sha512-generic module : sha512_generic priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 128 digestsize : 64 name : sha384 driver : sha384-generic module : sha512_generic priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 128 digestsize : 48 name : des3_ede driver : des3_ede-generic module : des_generic priority : 0 refcnt : 7 selftest : passed type : cipher blocksize : 8 min keysize : 24 max keysize : 24 name : des driver : des-generic module : des_generic priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 8 min keysize : 8 max keysize : 8 name : aes driver : aes-asm module : aes_x86_64 priority : 200 refcnt : 1 selftest : passed type : cipher blocksize : 16 min keysize : 16 max keysize : 32 name : aes driver : aes-generic module : aes_generic priority : 100 refcnt : 1 selftest : passed type : cipher blocksize : 16 min keysize : 16 max keysize : 32 name : stdrng driver : krng module : kernel priority : 200 refcnt : 2 selftest : passed type : rng seedsize : 0 name : md5 driver : md5-generic module : kernel priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 64 digestsize : 16 + __________________________/proc/sys/net/core/xfrm-star /usr/lib/ipsec/barf: 1: __________________________/proc/sys/net/core/xfrm-star: not found + echo -n /proc/sys/net/core/xfrm_acq_expires: /proc/sys/net/core/xfrm_acq_expires: + cat /proc/sys/net/core/xfrm_acq_expires 30 + echo -n /proc/sys/net/core/xfrm_aevent_etime: /proc/sys/net/core/xfrm_aevent_etime: + cat /proc/sys/net/core/xfrm_aevent_etime 10 + echo -n /proc/sys/net/core/xfrm_aevent_rseqth: /proc/sys/net/core/xfrm_aevent_rseqth: + cat /proc/sys/net/core/xfrm_aevent_rseqth 2 + echo -n /proc/sys/net/core/xfrm_larval_drop: /proc/sys/net/core/xfrm_larval_drop: + cat /proc/sys/net/core/xfrm_larval_drop 1 + _________________________ /proc/sys/net/ipsec-star + + test -d /proc/sys/net/ipsec + _________________________ ipsec/status + + ipsec auto --status 000 using kernel interface: netkey 000 interface lo/lo ::1 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 217.5.234.18 000 interface eth0/eth0 217.5.234.18 000 interface eth0:gfi/eth0:gfi 217.5.234.19 000 interface eth0:gfi/eth0:gfi 217.5.234.19 000 interface eth0:pers/eth0:pers 217.5.234.21 000 interface eth0:pers/eth0:pers 217.5.234.21 000 interface eth1/eth1 192.168.1.254 000 interface eth1/eth1 192.168.1.254 000 interface tap0/tap0 192.168.15.1 000 interface tap0/tap0 192.168.15.1 000 %myid = (none) 000 debug raw+parsing+emitting+control 000 000 virtual_private (%priv): 000 - allowed 6 subnets: 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, 192.168.14.0/24, 192.168.16.0/24 000 - disallowed 1 subnet: 192.168.1.0/24 000 WARNING: Either virtual_private= was not specified, or there was a syntax 000 error in that line. 'left/rightsubnet=%priv' will not work! 000 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0 000 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 000 000 "l2l": 192.168.1.0/24===217.5.234.18<217.5.234.18>[+S=C]...%virtual[+S=C]===?; unrouted; eroute owner: #0 000 "l2l": myip=192.168.1.254; hisip=unset; 000 "l2l": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "l2l": policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+lKOD+rKOD; prio: 24,32; interface: eth0; 000 "l2l": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "l2l": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict 000 "l2l": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-2, 000 "l2l": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=-strict 000 "l2l": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160 000 "l2l"[1]: 192.168.1.0/24===217.5.234.18<217.5.234.18>[+S=C]...217.225.16.150[+S=C]===192.168.10.0/24; erouted; eroute owner: #3 000 "l2l"[1]: myip=192.168.1.254; hisip=unset; 000 "l2l"[1]: ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "l2l"[1]: policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+lKOD+rKOD; prio: 24,32; interface: eth0; 000 "l2l"[1]: newest ISAKMP SA: #1; newest IPsec SA: #3; 000 "l2l"[1]: IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict 000 "l2l"[1]: IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-2, 000 "l2l"[1]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024 000 "l2l"[1]: ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=-strict 000 "l2l"[1]: ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160 000 "l2l"[1]: ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup= 000 "l2l"[2]: 192.168.1.0/24===217.5.234.18<217.5.234.18>[+S=C]...87.186.5.28[+S=C]===192.168.11.0/24; erouted; eroute owner: #4 000 "l2l"[2]: myip=192.168.1.254; hisip=unset; 000 "l2l"[2]: ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "l2l"[2]: policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+lKOD+rKOD; prio: 24,32; interface: eth0; 000 "l2l"[2]: newest ISAKMP SA: #2; newest IPsec SA: #4; 000 "l2l"[2]: IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict 000 "l2l"[2]: IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-2, 000 "l2l"[2]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024 000 "l2l"[2]: ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=-strict 000 "l2l"[2]: ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160 000 "l2l"[2]: ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup= 000 "l2l"[3]: 192.168.1.0/24===217.5.234.18<217.5.234.18>[+S=C]...87.189.2.182[+S=C]===192.168.16.0/24; erouted; eroute owner: #6 000 "l2l"[3]: myip=192.168.1.254; hisip=unset; 000 "l2l"[3]: ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "l2l"[3]: policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+lKOD+rKOD; prio: 24,32; interface: eth0; 000 "l2l"[3]: newest ISAKMP SA: #5; newest IPsec SA: #6; 000 "l2l"[3]: IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict 000 "l2l"[3]: IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-2, 000 "l2l"[3]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024 000 "l2l"[3]: ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=-strict 000 "l2l"[3]: ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160 000 "l2l"[3]: ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup= 000 000 #3: "l2l"[1] 217.225.16.150:500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2538s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set 000 #3: "l2l"[1] 217.225.16.150 esp.7482fe39@217.225.16.150 esp.a4e81784@217.5.234.18 tun.0@217.225.16.150 tun.0@217.5.234.18 ref=0 refhim=4294901761 000 #1: "l2l"[1] 217.225.16.150:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27737s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set 000 #4: "l2l"[2] 87.186.5.28:500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2538s; newest IPSEC; eroute owner; isakmp#2; idle; import:not set 000 #4: "l2l"[2] 87.186.5.28 esp.f5061a09@87.186.5.28 esp.81d39f90@217.5.234.18 tun.0@87.186.5.28 tun.0@217.5.234.18 ref=0 refhim=4294901761 000 #2: "l2l"[2] 87.186.5.28:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27737s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set 000 #6: "l2l"[3] 87.189.2.182:500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2608s; newest IPSEC; eroute owner; isakmp#5; idle; import:not set 000 #6: "l2l"[3] 87.189.2.182 esp.1ae1d2d1@87.189.2.182 esp.3ddc5a8d@217.5.234.18 tun.0@87.189.2.182 tun.0@217.5.234.18 ref=0 refhim=4294901761 000 #5: "l2l"[3] 87.189.2.182:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27808s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set 000 + _________________________ ifconfig-a + + ifconfig -a eth0 Link encap:Ethernet HWaddr 00:15:17:f5:62:31 inet addr:217.5.234.18 Bcast:217.5.234.23 Mask:255.255.255.248 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:5157117 errors:0 dropped:0 overruns:0 frame:0 TX packets:6030083 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:2719747874 (2.7 GB) TX bytes:1841788164 (1.8 GB) Memory:b1a00000-b1a20000 eth1 Link encap:Ethernet HWaddr 00:15:17:f5:62:30 inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::215:17ff:fef5:6230/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:5949641 errors:0 dropped:0 overruns:0 frame:0 TX packets:5039452 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:1518745228 (1.5 GB) TX bytes:2509722742 (2.5 GB) Memory:b1900000-b1920000 eth0:gfi Link encap:Ethernet HWaddr 00:15:17:f5:62:31 inet addr:217.5.234.19 Bcast:217.5.234.23 Mask:255.255.255.248 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Memory:b1a00000-b1a20000 eth0:pers Link encap:Ethernet HWaddr 00:15:17:f5:62:31 inet addr:217.5.234.21 Bcast:217.5.234.23 Mask:255.255.255.248 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Memory:b1a00000-b1a20000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:3394894 errors:0 dropped:0 overruns:0 frame:0 TX packets:3394894 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:634783448 (634.7 MB) TX bytes:634783448 (634.7 MB) tap0 Link encap:Ethernet HWaddr 06:b9:d4:ea:78:d3 inet addr:192.168.15.1 Bcast:192.168.15.255 Mask:255.255.255.0 inet6 addr: fe80::4b9:d4ff:feea:78d3/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:624141 errors:0 dropped:0 overruns:0 frame:0 TX packets:936336 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:54086677 (54.0 MB) TX bytes:158943282 (158.9 MB) + _________________________ ip-addr-list + + ip addr list 1: lo: mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 100 link/ether 00:15:17:f5:62:31 brd ff:ff:ff:ff:ff:ff inet 217.5.234.18/29 brd 217.5.234.23 scope global eth0 inet 217.5.234.19/29 brd 217.5.234.23 scope global secondary eth0:gfi inet 217.5.234.21/29 brd 217.5.234.23 scope global secondary eth0:pers 3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 100 link/ether 00:15:17:f5:62:30 brd ff:ff:ff:ff:ff:ff inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1 inet6 fe80::215:17ff:fef5:6230/64 scope link valid_lft forever preferred_lft forever 25: tap0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100 link/ether 06:b9:d4:ea:78:d3 brd ff:ff:ff:ff:ff:ff inet 192.168.15.1/24 brd 192.168.15.255 scope global tap0 inet6 fe80::4b9:d4ff:feea:78d3/64 scope link valid_lft forever preferred_lft forever + _________________________ ip-route-list + + ip route list 217.5.234.16/29 dev eth0 proto kernel scope link src 217.5.234.18 192.168.70.0/24 via 192.168.1.200 dev eth1 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254 192.168.16.0/24 dev eth0 scope link src 192.168.1.254 192.168.15.0/24 dev tap0 proto kernel scope link src 192.168.15.1 192.168.11.0/24 dev eth0 scope link src 192.168.1.254 192.168.10.0/24 dev eth0 scope link src 192.168.1.254 + _________________________ ip-rule-list + + ip rule list 0: from all lookup local 32763: from all lookup main 32764: from 217.5.234.17 lookup 101 32765: from all fwmark 0x1 lookup 101 32766: from all lookup main 32767: from all lookup default + _________________________ ipsec_verify + + ipsec verify --nocolour Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.23/K2.6.32-25-server (netkey) Checking for IPsec support in kernel [OK] NETKEY detected, testing for disabled ICMP send_redirects [OK] NETKEY detected, testing for disabled ICMP accept_redirects [OK] Checking for RSA private key (/etc/ipsec.secrets) [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for NAT-T on udp 4500 [OK] Two or more interfaces found, checking IP forwarding [OK] Checking NAT and MASQUERADEing Checking for 'ip' command [OK] Checking for 'iptables' command [OK] Opportunistic Encryption DNS checks: Looking for TXT in forward dns zone: ph-router [MISSING] Does the machine have at least one non-private address? [OK] Looking for TXT in reverse dns zone: 18.234.5.217.in-addr.arpa. [MISSING] Looking for TXT in reverse dns zone: 19.234.5.217.in-addr.arpa. [MISSING] Looking for TXT in reverse dns zone: 21.234.5.217.in-addr.arpa. [MISSING] + _________________________ mii-tool + + [ -x /sbin/mii-tool ] + /sbin/mii-tool -v SIOCGMIIREG on eth0 failed: Input/output error SIOCGMIIREG on eth0 failed: Input/output error eth0: negotiated 100baseTx-FD flow-control, link ok product info: vendor 00:13:74, model 4 rev 0 basic mode: autonegotiation enabled basic status: autonegotiation complete, link ok capabilities: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control link partner: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control SIOCGMIIREG on eth1 failed: Input/output error SIOCGMIIREG on eth1 failed: Input/output error eth1: negotiated 100baseTx-FD, link ok product info: vendor 00:50:43, model 11 rev 1 basic mode: autonegotiation enabled basic status: autonegotiation complete, link ok capabilities: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control link partner: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD + _________________________ ipsec/directory + + ipsec --directory /usr/lib/ipsec + _________________________ hostname/fqdn + + hostname --fqdn ph-router.peterhoff.de + _________________________ hostname/ipaddress + + hostname --ip-address 192.168.1.250 + _________________________ uptime + + uptime 09:49:48 up 4 days, 21:33, 1 user, load average: 0.21, 0.10, 0.02 + _________________________ ps + + ps alxwf + egrep -i ppid|pluto|ipsec|klips F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND 0 0 32642 32624 20 0 312140 26468 poll_s S pts/0 0:03 \_ gedit /etc/ipsec.conf 0 0 2979 32624 20 0 4096 680 wait S+ pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/barf 0 0 3079 2979 20 0 6152 684 pipe_w S+ pts/0 0:00 \_ egrep -i ppid|pluto|ipsec|klips 1 0 2456 1 20 0 17712 584 wait S pts/0 0:00 /bin/bash /usr/lib/ipsec/_plutorun --debug raw parsing emitting control --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:192.168.10.0/24,%v4:192.168.11.0/24,%v4:192.168.12.0/24,%v4:192.168.13.0/24,%v4:192.168.14.0/24,%v4:192.168.16.0/24,%v4:!192.168.1.0/24 --crlcheckinterval 0 --ocspuri --nhelpers 0 --dump --opts --stderrlog /var/log/pluto.log --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid 1 0 2458 2456 20 0 17712 780 wait S pts/0 0:00 \_ /bin/bash /usr/lib/ipsec/_plutorun --debug raw parsing emitting control --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:192.168.10.0/24,%v4:192.168.11.0/24,%v4:192.168.12.0/24,%v4:192.168.13.0/24,%v4:192.168.14.0/24,%v4:192.168.16.0/24,%v4:!192.168.1.0/24 --crlcheckinterval 0 --ocspuri --nhelpers 0 --dump --opts --stderrlog /var/log/pluto.log --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid 4 0 2462 2458 20 0 62772 3312 poll_s S pts/0 0:00 | \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-raw --debug-parsing --debug-emitting --debug-control --use-netkey --uniqueids --nat_traversal --virtual_private %v4:192.168.10.0/24,%v4:192.168.11.0/24,%v4:192.168.12.0/24,%v4:192.168.13.0/24,%v4:192.168.14.0/24,%v4:192.168.16.0/24,%v4:!192.168.1.0/24 --nhelpers 0 --stderrlog 0 0 2490 2462 20 0 6016 396 poll_s S pts/0 0:00 | \_ _pluto_adns 0 0 2459 2456 20 0 4096 636 pipe_w S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post 0 0 2457 1 20 0 4000 652 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun + _________________________ ipsec/showdefaults + + ipsec showdefaults routephys= routevirt=none routeaddr= routenexthop= + _________________________ ipsec/conf + + ipsec _include /etc/ipsec.conf + ipsec _keycensor #< /etc/ipsec.conf 1 # /etc/ipsec.conf - Openswan IPsec configuration file # RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006-10-19 03:49:46 paul Exp $ # This file: /usr/share/doc/openswan/ipsec.conf-sample # # Manual: ipsec.conf.5 version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup # plutodebug / klipsdebug = "all", "none" or a combation from below: # "raw crypt parsing emitting control klips pfkey natt x509 private" # eg: plutodebug="control parsing" # # ONLY enable plutodebug=all or klipsdebug=all if you are a developer!! # # NAT-TRAVERSAL support, see README.NAT-Traversal nat_traversal=yes virtual_private=%v4:192.168.10.0/24,%v4:192.168.11.0/24,%v4:192.168.12.0/24,%v4:192.168.13.0/24,%v4:192.168.14.0/24,%v4:192.168.16.0/24,%v4:!192.168.1.0/24 # # enable this if you see "failed to find any available worker" protostack=netkey nhelpers=0 #klipsdebug=none plutodebug="control parsing raw emitting" plutostderrlog=/var/log/pluto.log interfaces=%defaultroute uniqueids=yes #forwardcontrol=yes # Add connections here conn %default left=217.5.234.18 #leftnexthop=217.5.234.18 leftsubnet=192.168.1.0/24 auth=esp esp=3des-sha1 pfs=no ike=3des-md5-modp1024 keyingtries=%forever ikelifetime=8h keylife=8h keyexchange=ike authby=secret disablearrivalcheck=no conn l2l type=tunnel leftsourceip=192.168.1.254 auto=add right=%any rightsubnet=vhost:%priv #rightnexthop=%defaultroute #rightsourceip=%config #conn bugtest11 # leftsubnet=192.168.1.0/24 # right=0.0.0.0 # rightsubnet=192.168.11.0/24 # authby=never # type=passthrough # auto=route #conn bugtest14 # leftsubnet=192.168.1.0/24 # right=0.0.0.0 # rightsubnet=192.168.14.0/24 # authby=never # type=passthrough # auto=route + _________________________ ipsec/secrets + + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 # RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $ # This file holds shared secrets or RSA private keys for inter-Pluto # authentication. See ipsec_pluto(8) manpage, and HTML documentation. # RSA private key for this host, authenticating it to any other host # which knows the public part. Suitable public keys, for ipsec.conf, DNS, # or configuration of other implementations, can be extracted conveniently # with "[sums to ef67...]". 217.5.234.18 %any : PSK "[sums to cb92...]" + _________________________ ipsec/listall + + ipsec auto --listall 000 000 List of Public Keys: 000 000 List of Pre-shared secrets (from /etc/ipsec.secrets) 000 11: PSK %any 217.5.234.18 + [ /etc/ipsec.d/policies ] + basename /etc/ipsec.d/policies/block + base=block + _________________________ ipsec/policies/block + + cat /etc/ipsec.d/policies/block # This file defines the set of CIDRs (network/mask-length) to which # communication should never be allowed. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/clear + base=clear + _________________________ ipsec/policies/clear + + cat /etc/ipsec.d/policies/clear # This file defines the set of CIDRs (network/mask-length) to which # communication should always be in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # root name servers should be in the clear 192.58.128.30/32 198.41.0.4/32 192.228.79.201/32 192.33.4.12/32 128.8.10.90/32 192.203.230.10/32 192.5.5.241/32 192.112.36.4/32 128.63.2.53/32 192.36.148.17/32 193.0.14.129/32 199.7.83.42/32 202.12.27.33/32 + basename /etc/ipsec.d/policies/clear-or-private + base=clear-or-private + _________________________ ipsec/policies/clear-or-private + + cat /etc/ipsec.d/policies/clear-or-private # This file defines the set of CIDRs (network/mask-length) to which # we will communicate in the clear, or, if the other side initiates IPSEC, # using encryption. This behaviour is also called "Opportunistic Responder". # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/private + base=private + _________________________ ipsec/policies/private + + cat /etc/ipsec.d/policies/private # This file defines the set of CIDRs (network/mask-length) to which # communication should always be private (i.e. encrypted). # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + basename /etc/ipsec.d/policies/private-or-clear + base=private-or-clear + _________________________ ipsec/policies/private-or-clear + + cat /etc/ipsec.d/policies/private-or-clear # This file defines the set of CIDRs (network/mask-length) to which # communication should be private, if possible, but in the clear otherwise. # # If the target has a TXT (later IPSECKEY) record that specifies # authentication material, we will require private (i.e. encrypted) # communications. If no such record is found, communications will be # in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $ # 0.0.0.0/0 + _________________________ ipsec/ls-libdir + + ls -l /usr/lib/ipsec total 2576 -rwxr-xr-x 1 root root 10712 Nov 14 2009 _copyright -rwxr-xr-x 1 root root 2379 Nov 14 2009 _include -rwxr-xr-x 1 root root 1475 Nov 14 2009 _keycensor -rwxr-xr-x 1 root root 14776 Nov 14 2009 _pluto_adns -rwxr-xr-x 1 root root 2632 Nov 14 2009 _plutoload -rwxr-xr-x 1 root root 7621 Nov 14 2009 _plutorun -rwxr-xr-x 1 root root 12943 Nov 14 2009 _realsetup -rwxr-xr-x 1 root root 1975 Nov 14 2009 _secretcensor -rwxr-xr-x 1 root root 8567 Nov 14 2009 _startklips -rwxr-xr-x 1 root root 8567 Nov 14 2009 _startklips.old -rwxr-xr-x 1 root root 5917 Nov 14 2009 _startnetkey -rwxr-xr-x 1 root root 4868 Nov 14 2009 _updown -rwxr-xr-x 1 root root 14022 Nov 14 2009 _updown.klips -rwxr-xr-x 1 root root 14022 Nov 14 2009 _updown.klips.old -rwxr-xr-x 1 root root 11792 Nov 14 2009 _updown.mast -rwxr-xr-x 1 root root 11792 Nov 14 2009 _updown.mast.old -rwxr-xr-x 1 root root 8530 Nov 14 2009 _updown.netkey -rwxr-xr-x 1 root root 218400 Nov 14 2009 addconn -rwxr-xr-x 1 root root 6015 Nov 14 2009 auto -rwxr-xr-x 1 root root 10816 Nov 14 2009 barf -rwxr-xr-x 1 root root 103368 Nov 14 2009 eroute -rwxr-xr-x 1 root root 27120 Nov 14 2009 ikeping -rwxr-xr-x 1 root root 74824 Nov 14 2009 klipsdebug -rwxr-xr-x 1 root root 2591 Nov 14 2009 look -rwxr-xr-x 1 root root 2182 Nov 14 2009 newhostkey -rwxr-xr-x 1 root root 66152 Nov 14 2009 pf_key -rwxr-xr-x 1 root root 1137712 Nov 14 2009 pluto -rwxr-xr-x 1 root root 10888 Nov 14 2009 ranbits -rwxr-xr-x 1 root root 23784 Nov 14 2009 rsasigkey -rwxr-xr-x 1 root root 766 Nov 14 2009 secrets lrwxrwxrwx 1 root root 17 Oct 25 11:37 setup -> /etc/init.d/ipsec -rwxr-xr-x 1 root root 1054 Nov 14 2009 showdefaults -rwxr-xr-x 1 root root 290392 Nov 14 2009 showhostkey -rwxr-xr-x 1 root root 27272 Nov 14 2009 showpolicy -rwxr-xr-x 1 root root 165856 Nov 14 2009 spi -rwxr-xr-x 1 root root 86840 Nov 14 2009 spigrp -rwxr-xr-x 1 root root 78312 Nov 14 2009 tncfg -rwxr-xr-x 1 root root 13372 Nov 14 2009 verify -rwxr-xr-x 1 root root 64536 Nov 14 2009 whack + _________________________ ipsec/ls-execdir + + ls -l /usr/lib/ipsec total 2576 -rwxr-xr-x 1 root root 10712 Nov 14 2009 _copyright -rwxr-xr-x 1 root root 2379 Nov 14 2009 _include -rwxr-xr-x 1 root root 1475 Nov 14 2009 _keycensor -rwxr-xr-x 1 root root 14776 Nov 14 2009 _pluto_adns -rwxr-xr-x 1 root root 2632 Nov 14 2009 _plutoload -rwxr-xr-x 1 root root 7621 Nov 14 2009 _plutorun -rwxr-xr-x 1 root root 12943 Nov 14 2009 _realsetup -rwxr-xr-x 1 root root 1975 Nov 14 2009 _secretcensor -rwxr-xr-x 1 root root 8567 Nov 14 2009 _startklips -rwxr-xr-x 1 root root 8567 Nov 14 2009 _startklips.old -rwxr-xr-x 1 root root 5917 Nov 14 2009 _startnetkey -rwxr-xr-x 1 root root 4868 Nov 14 2009 _updown -rwxr-xr-x 1 root root 14022 Nov 14 2009 _updown.klips -rwxr-xr-x 1 root root 14022 Nov 14 2009 _updown.klips.old -rwxr-xr-x 1 root root 11792 Nov 14 2009 _updown.mast -rwxr-xr-x 1 root root 11792 Nov 14 2009 _updown.mast.old -rwxr-xr-x 1 root root 8530 Nov 14 2009 _updown.netkey -rwxr-xr-x 1 root root 218400 Nov 14 2009 addconn -rwxr-xr-x 1 root root 6015 Nov 14 2009 auto -rwxr-xr-x 1 root root 10816 Nov 14 2009 barf -rwxr-xr-x 1 root root 103368 Nov 14 2009 eroute -rwxr-xr-x 1 root root 27120 Nov 14 2009 ikeping -rwxr-xr-x 1 root root 74824 Nov 14 2009 klipsdebug -rwxr-xr-x 1 root root 2591 Nov 14 2009 look -rwxr-xr-x 1 root root 2182 Nov 14 2009 newhostkey -rwxr-xr-x 1 root root 66152 Nov 14 2009 pf_key -rwxr-xr-x 1 root root 1137712 Nov 14 2009 pluto -rwxr-xr-x 1 root root 10888 Nov 14 2009 ranbits -rwxr-xr-x 1 root root 23784 Nov 14 2009 rsasigkey -rwxr-xr-x 1 root root 766 Nov 14 2009 secrets lrwxrwxrwx 1 root root 17 Oct 25 11:37 setup -> /etc/init.d/ipsec -rwxr-xr-x 1 root root 1054 Nov 14 2009 showdefaults -rwxr-xr-x 1 root root 290392 Nov 14 2009 showhostkey -rwxr-xr-x 1 root root 27272 Nov 14 2009 showpolicy -rwxr-xr-x 1 root root 165856 Nov 14 2009 spi -rwxr-xr-x 1 root root 86840 Nov 14 2009 spigrp -rwxr-xr-x 1 root root 78312 Nov 14 2009 tncfg -rwxr-xr-x 1 root root 13372 Nov 14 2009 verify -rwxr-xr-x 1 root root 64536 Nov 14 2009 whack + _________________________ /proc/net/dev + + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo:634783448 3394894 0 0 0 0 0 0 634783448 3394894 0 0 0 0 0 0 eth0:2719754448 5157165 0 0 0 0 0 0 1841793059 6030132 0 0 0 0 0 0 eth1:1518746265 5949658 0 0 0 0 0 0 2509724469 5039469 0 0 0 0 0 0 tap0:54088408 624158 0 0 0 0 0 0 158944152 936351 0 0 0 0 0 0 + _________________________ /proc/net/route + + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT eth0 10EA05D9 00000000 0001 0 0 0 F8FFFFFF 0 0 0 eth1 0046A8C0 C801A8C0 0003 0 0 0 00FFFFFF 0 0 0 eth1 0001A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0 eth0 0010A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0 tap0 000FA8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0 eth0 000BA8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0 eth0 000AA8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0 + _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc + + cat /proc/sys/net/ipv4/ip_no_pmtu_disc 0 + _________________________ /proc/sys/net/ipv4/ip_forward + + cat /proc/sys/net/ipv4/ip_forward 1 + _________________________ /proc/sys/net/ipv4/tcp_ecn + + cat /proc/sys/net/ipv4/tcp_ecn 2 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + + cd /proc/sys/net/ipv4/conf + egrep ^ all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter tap0/rp_filter all/rp_filter:1 default/rp_filter:1 eth0/rp_filter:1 eth1/rp_filter:1 lo/rp_filter:1 tap0/rp_filter:1 + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects + + cd /proc/sys/net/ipv4/conf + egrep ^ all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects tap0/accept_redirects tap0/secure_redirects tap0/send_redirects all/accept_redirects:0 all/secure_redirects:1 all/send_redirects:0 default/accept_redirects:0 default/secure_redirects:1 default/send_redirects:0 eth0/accept_redirects:0 eth0/secure_redirects:1 eth0/send_redirects:0 eth1/accept_redirects:0 eth1/secure_redirects:1 eth1/send_redirects:0 lo/accept_redirects:0 lo/secure_redirects:1 lo/send_redirects:0 tap0/accept_redirects:0 tap0/secure_redirects:1 tap0/send_redirects:0 + _________________________ /proc/sys/net/ipv4/tcp_window_scaling + + cat /proc/sys/net/ipv4/tcp_window_scaling 1 + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale + + cat /proc/sys/net/ipv4/tcp_adv_win_scale 2 + _________________________ uname-a + + uname -a Linux ph-router 2.6.32-25-server #45-Ubuntu SMP Sat Oct 16 20:06:58 UTC 2010 x86_64 GNU/Linux + _________________________ config-built-with + + test -r /proc/config_built_with + _________________________ distro-release + + test -f /etc/redhat-release + test -f /etc/debian-release + test -f /etc/SuSE-release + test -f /etc/mandrake-release + test -f /etc/mandriva-release + test -f /etc/gentoo-release + _________________________ /proc/net/ipsec_version + + test -r /proc/net/ipsec_version + test -r /proc/net/pfkey + uname -r + echo NETKEY (2.6.32-25-server) support detected NETKEY (2.6.32-25-server) support detected + _________________________ iptables + + test -r /sbin/iptables + iptables -L -v -n Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 851K 172M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 583 26722 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 1249K 179M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 26151 2744K inospoof all -- * * 0.0.0.0/0 0.0.0.0/0 26151 2744K iexternalmodules all -- * * 0.0.0.0/0 0.0.0.0/0 26027 2737K iexternal all -- * * 0.0.0.0/0 0.0.0.0/0 21736 2423K inoexternal all -- * * 0.0.0.0/0 0.0.0.0/0 21736 2423K imodules all -- * * 0.0.0.0/0 0.0.0.0/0 21736 2423K iintservs all -- * * 0.0.0.0/0 0.0.0.0/0 21736 2423K iglobal all -- * * 0.0.0.0/0 0.0.0.0/0 1407 118K ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 state NEW 12651 1840K idrop all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 4 packets, 337 bytes) pkts bytes target prot opt in out source destination 280 34803 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 3491K 1317M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 113K 6967K fnospoof all -- * * 0.0.0.0/0 0.0.0.0/0 113K 6967K fredirects all -- * * 0.0.0.0/0 0.0.0.0/0 111K 6896K fmodules all -- * * 0.0.0.0/0 0.0.0.0/0 111K 6895K ffwdrules all -- * * 0.0.0.0/0 0.0.0.0/0 110K 6794K fnoexternal all -- * * 0.0.0.0/0 0.0.0.0/0 110K 6794K fdns all -- * * 0.0.0.0/0 0.0.0.0/0 110K 6794K fobjects all -- * * 0.0.0.0/0 0.0.0.0/0 110K 6794K fglobal all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 state NEW 0 0 fdrop all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 874K 175M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 2 120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 1730K 711M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 13043 1032K ointernal all -- * * 0.0.0.0/0 0.0.0.0/0 582 118K omodules all -- * * 0.0.0.0/0 0.0.0.0/0 567 117K oglobal all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 state NEW 0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 state NEW 0 0 odrop all -- * * 0.0.0.0/0 0.0.0.0/0 Chain drop (10 references) pkts bytes target prot opt in out source destination 11365 1686K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 50/min burst 10 LOG flags 0 level 7 prefix `ebox-firewall drop ' 12695 1843K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fdns (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT udp -- * * 0.0.0.0/0 194.25.0.60 state NEW udp dpt:53 0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.25.0.60 state NEW tcp dpt:53 0 0 ACCEPT udp -- * * 0.0.0.0/0 194.25.0.52 state NEW udp dpt:53 0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.25.0.52 state NEW tcp dpt:53 Chain fdrop (7 references) pkts bytes target prot opt in out source destination 0 0 drop all -- * * 0.0.0.0/0 0.0.0.0/0 Chain ffwdrules (1 references) pkts bytes target prot opt in out source destination 109K 6780K RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0 17 899 ACCEPT all -- * * 192.168.10.0/24 192.168.1.0/24 0 0 ACCEPT all -- * * 192.168.10.0/24 212.117.65.148 679 40619 ACCEPT all -- * * 192.168.11.0/24 192.168.1.0/24 0 0 ACCEPT all -- * * 192.168.11.0/24 212.117.65.148 62 5645 ACCEPT all -- * * 192.168.12.0/24 192.168.1.0/24 0 0 ACCEPT all -- * * 192.168.12.0/24 212.117.65.148 0 0 ACCEPT all -- * * 192.168.13.0/24 192.168.1.0/24 0 0 ACCEPT all -- * * 192.168.13.0/24 212.117.65.148 523 33044 ACCEPT all -- * * 192.168.14.0/24 192.168.1.0/24 0 0 ACCEPT all -- * * 192.168.14.0/24 212.117.65.148 151 7869 ACCEPT all -- * * 192.168.15.0/24 192.168.1.0/24 0 0 ACCEPT all -- * * 192.168.15.0/24 212.117.65.148 192 12876 ACCEPT all -- * * 192.168.16.0/24 192.168.1.0/24 0 0 ACCEPT all -- * * 192.168.16.0/24 212.117.65.148 Chain fglobal (1 references) pkts bytes target prot opt in out source destination 8442 405K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 101K 6389K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fmodules (1 references) pkts bytes target prot opt in out source destination Chain fnoexternal (1 references) pkts bytes target prot opt in out source destination 0 0 fdrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW Chain fnospoof (1 references) pkts bytes target prot opt in out source destination 0 0 fdrop all -- !eth0 * 217.5.234.16/29 0.0.0.0/0 0 0 fdrop all -- !eth0 * 217.5.234.16/29 0.0.0.0/0 0 0 fdrop all -- !eth0 * 217.5.234.16/29 0.0.0.0/0 0 0 fdrop all -- !eth1 * 192.168.1.0/24 0.0.0.0/0 Chain fobjects (1 references) pkts bytes target prot opt in out source destination Chain fredirects (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.1.249 state NEW udp dpt:443 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.249 state NEW tcp dpt:443 0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.1.246 state NEW udp dpt:443 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.246 state NEW tcp dpt:443 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 192.168.1.246 state NEW udp dpt:25 1430 71576 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.1.246 state NEW tcp dpt:25 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 192.168.1.249 state NEW udp dpt:25 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.1.249 state NEW tcp dpt:25 0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.1.246 state NEW udp dpt:25 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.246 state NEW tcp dpt:25 0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.1.249 state NEW udp dpt:25 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.249 state NEW tcp dpt:25 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 192.168.1.246 state NEW udp dpt:443 3 180 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.1.246 state NEW tcp dpt:443 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 192.168.1.249 state NEW udp dpt:443 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.1.249 state NEW tcp dpt:443 Chain ftoexternalonly (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 0 0 fdrop all -- * * 0.0.0.0/0 0.0.0.0/0 Chain idrop (6 references) pkts bytes target prot opt in out source destination 12651 1840K drop all -- * * 0.0.0.0/0 0.0.0.0/0 Chain iexternal (1 references) pkts bytes target prot opt in out source destination 11983 1562K RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0 9753 861K RETURN all -- tap0 * 0.0.0.0/0 0.0.0.0/0 0 0 drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888 state NEW 0 0 drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:389 state NEW 42 2236 drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW 0 0 drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW 0 0 drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW 2 594 drop udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW 4247 310K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW Chain iexternalmodules (1 references) pkts bytes target prot opt in out source destination 11983 1562K RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0 9753 861K RETURN all -- tap0 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT udp -- tap0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520 124 6981 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 Chain iglobal (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888 state NEW 0 0 drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:389 state NEW 1462 70176 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 state NEW 2529 174K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW 5 300 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW 3682 221K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW Chain iintservs (1 references) pkts bytes target prot opt in out source destination Chain imodules (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT udp -- tap0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520 Chain inoexternal (1 references) pkts bytes target prot opt in out source destination 0 0 idrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW Chain inointernal (0 references) pkts bytes target prot opt in out source destination Chain inospoof (1 references) pkts bytes target prot opt in out source destination 0 0 idrop all -- !eth0 * 217.5.234.16/29 0.0.0.0/0 0 0 idrop all -- !eth0 * 217.5.234.16/29 0.0.0.0/0 0 0 idrop all -- !eth0 * 217.5.234.16/29 0.0.0.0/0 0 0 idrop all -- !eth1 * 192.168.1.0/24 0.0.0.0/0 Chain log (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 50/min burst 10 LOG flags 0 level 7 prefix `ebox-firewall log ' 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain odrop (1 references) pkts bytes target prot opt in out source destination 0 0 drop all -- * * 0.0.0.0/0 0.0.0.0/0 Chain oglobal (1 references) pkts bytes target prot opt in out source destination 567 117K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW Chain ointernal (1 references) pkts bytes target prot opt in out source destination 330 23224 ACCEPT udp -- * * 0.0.0.0/0 194.25.0.60 state NEW udp dpt:53 0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.25.0.60 state NEW tcp dpt:53 24 1687 ACCEPT udp -- * * 0.0.0.0/0 194.25.0.52 state NEW udp dpt:53 0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.25.0.52 state NEW tcp dpt:53 9 540 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53 12098 889K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53 Chain omodules (1 references) pkts bytes target prot opt in out source destination 15 900 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 0 0 ACCEPT udp -- * tap0 0.0.0.0/0 0.0.0.0/0 udp dpt:520 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 + _________________________ iptables-nat + + iptables -t nat -L -v -n Chain PREROUTING (policy ACCEPT 381K packets, 28M bytes) pkts bytes target prot opt in out source destination 98253 7106K premodules all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DNAT udp -- eth1 * 0.0.0.0/0 217.5.234.21 udp dpt:443 to:192.168.1.249 0 0 DNAT tcp -- eth1 * 0.0.0.0/0 217.5.234.21 tcp dpt:443 to:192.168.1.249 0 0 DNAT udp -- eth1 * 0.0.0.0/0 217.5.234.19 udp dpt:443 to:192.168.1.246 0 0 DNAT tcp -- eth1 * 0.0.0.0/0 217.5.234.19 tcp dpt:443 to:192.168.1.246 0 0 DNAT udp -- eth0 * 0.0.0.0/0 217.5.234.19 udp dpt:25 to:192.168.1.246 1426 71360 DNAT tcp -- eth0 * 0.0.0.0/0 217.5.234.19 tcp dpt:25 to:192.168.1.246 0 0 DNAT udp -- eth0 * 0.0.0.0/0 217.5.234.21 udp dpt:25 to:192.168.1.249 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 217.5.234.21 tcp dpt:25 to:192.168.1.249 0 0 DNAT udp -- eth1 * 0.0.0.0/0 217.5.234.19 udp dpt:25 to:192.168.1.246 0 0 DNAT tcp -- eth1 * 0.0.0.0/0 217.5.234.19 tcp dpt:25 to:192.168.1.246 0 0 DNAT udp -- eth1 * 0.0.0.0/0 217.5.234.21 udp dpt:25 to:192.168.1.249 0 0 DNAT tcp -- eth1 * 0.0.0.0/0 217.5.234.21 tcp dpt:25 to:192.168.1.249 0 0 DNAT udp -- eth0 * 0.0.0.0/0 217.5.234.19 udp dpt:443 to:192.168.1.246 3 180 DNAT tcp -- eth0 * 0.0.0.0/0 217.5.234.19 tcp dpt:443 to:192.168.1.246 0 0 DNAT udp -- eth0 * 0.0.0.0/0 217.5.234.21 udp dpt:443 to:192.168.1.249 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 217.5.234.21 tcp dpt:443 to:192.168.1.249 Chain POSTROUTING (policy ACCEPT 96906 packets, 8790K bytes) pkts bytes target prot opt in out source destination 78063 4701K postmodules all -- * * 0.0.0.0/0 0.0.0.0/0 59392 3450K SNAT all -- * eth0 !217.5.234.18 0.0.0.0/0 to:217.5.234.18 0 0 MASQUERADE all -- * eth0 10.0.0.0/24 !172.16.0.0/24 0 0 MASQUERADE all -- * eth0 192.168.14.0/24 !192.168.1.0/24 Chain OUTPUT (policy ACCEPT 66093 packets, 7262K bytes) pkts bytes target prot opt in out source destination Chain postmodules (1 references) pkts bytes target prot opt in out source destination 133 6829 MASQUERADE all -- * eth1 192.168.15.0/24 0.0.0.0/0 Chain premodules (1 references) pkts bytes target prot opt in out source destination + _________________________ iptables-mangle + + iptables -t mangle -L -v -n Chain PREROUTING (policy ACCEPT 17M packets, 4852M bytes) pkts bytes target prot opt in out source destination 5757K 1682M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore 7162 400K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xff MAC 00:0F:F7:1E:51:00 MARK xset 0x1/0xffffffff 91963 6769K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xff MARK xset 0x1/0xffffffff 5757K 1682M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save Chain INPUT (policy ACCEPT 6434K packets, 1051M bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 10M packets, 3798M bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 7620K packets, 2069M bytes) pkts bytes target prot opt in out source destination 2637K 890M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore 13159 1031K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xff MARK xset 0x1/0xffffffff 2636K 890M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save Chain POSTROUTING (policy ACCEPT 18M packets, 5866M bytes) pkts bytes target prot opt in out source destination 6240K 2214M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save nfmask 0xff ctmask ~0xffffffff + _________________________ /proc/modules + + test -f /proc/modules + cat /proc/modules xfrm_user 21932 2 - Live 0xffffffffa1cd9000 ah6 5035 0 - Live 0xffffffffa1cd2000 ah4 4548 0 - Live 0xffffffffa1ccb000 esp6 5376 0 - Live 0xffffffffa1cc4000 esp4 5589 6 - Live 0xffffffffa1cbd000 xfrm4_mode_beet 2131 0 - Live 0xffffffffa1cb7000 xfrm4_tunnel 1979 0 - Live 0xffffffffa1cb1000 xfrm4_mode_tunnel 2000 12 - Live 0xffffffffa1cab000 xfrm4_mode_transport 1511 0 - Live 0xffffffffa1ca5000 xfrm6_mode_transport 1575 0 - Live 0xffffffffa1c9f000 xfrm6_mode_ro 1380 0 - Live 0xffffffffa1c99000 xfrm6_mode_beet 2082 0 - Live 0xffffffffa1c93000 xfrm6_mode_tunnel 1904 0 - Live 0xffffffffa1c8d000 ipcomp 2212 0 - Live 0xffffffffa1c87000 ipcomp6 2214 0 - Live 0xffffffffa1c81000 xfrm6_tunnel 7935 1 ipcomp6, Live 0xffffffffa1c7a000 af_key 27834 0 - Live 0xffffffffa1c5f000 authenc 6792 6 - Live 0xffffffffa037f000 ipt_LOG 5370 2 - Live 0xffffffffa023b000 xt_limit 2180 2 - Live 0xffffffffa0235000 ipt_MASQUERADE 1863 3 - Live 0xffffffffa022f000 xt_tcpudp 2667 62 - Live 0xffffffffa0229000 xt_state 1490 67 - Live 0xffffffffa0223000 iptable_nat 5219 1 - Live 0xffffffffa021c000 iptable_filter 2791 1 - Live 0xffffffffa0216000 nf_conntrack_tftp 4001 0 - Live 0xffffffffa0210000 nf_nat_ftp 2513 0 - Live 0xffffffffa020a000 nf_nat 19501 3 ipt_MASQUERADE,iptable_nat,nf_nat_ftp, Live 0xffffffffa01fe000 nf_conntrack_ftp 7126 1 nf_nat_ftp, Live 0xffffffffa01f7000 xt_mac 1116 1 - Live 0xffffffffa01f1000 xt_MARK 1055 3 - Live 0xffffffffa01eb000 xt_mark 1055 3 - Live 0xffffffffa01e5000 nf_conntrack_ipv4 12980 75 iptable_nat,nf_nat, Live 0xffffffffa01db000 nf_defrag_ipv4 1481 1 nf_conntrack_ipv4, Live 0xffffffffa01d5000 xt_CONNMARK 1473 5 - Live 0xffffffffa01cf000 nf_conntrack 73966 9 ipt_MASQUERADE,xt_state,iptable_nat,nf_conntrack_tftp,nf_nat_ftp,nf_nat,nf_conntrack_ftp,nf_conntrack_ipv4,xt_CONNMARK, Live 0xffffffffa01b0000 iptable_mangle 3315 1 - Live 0xffffffffa01aa000 ip_tables 18358 3 iptable_nat,iptable_filter,iptable_mangle, Live 0xffffffffa019f000 x_tables 22461 11 ipt_LOG,xt_limit,ipt_MASQUERADE,xt_tcpudp,xt_state,iptable_nat,xt_mac,xt_MARK,xt_mark,xt_CONNMARK,ip_tables, Live 0xffffffffa0191000 8021q 22232 0 - Live 0xffffffffa0184000 garp 7689 1 8021q, Live 0xffffffffa017c000 stp 2171 1 garp, Live 0xffffffffa0176000 deflate 2181 0 - Live 0xffffffffa0170000 zlib_deflate 21834 1 deflate, Live 0xffffffffa0165000 ctr 4029 0 - Live 0xffffffffa015f000 camellia 19220 0 - Live 0xffffffffa0155000 cast5 15208 0 - Live 0xffffffffa014c000 rmd160 8120 0 - Live 0xffffffffa0145000 sha1_generic 2231 6 - Live 0xffffffffa0139000 crypto_null 2950 0 - Live 0xffffffffa0133000 ccm 8670 0 - Live 0xffffffffa012b000 serpent 18453 0 - Live 0xffffffffa0121000 blowfish 7882 0 - Live 0xffffffffa011a000 twofish 5899 0 - Live 0xffffffffa00eb000 twofish_common 14631 1 twofish, Live 0xffffffffa0111000 xcbc 2847 0 - Live 0xffffffffa00cf000 sha256_generic 10327 0 - Live 0xffffffffa010c000 sha512_generic 4972 0 - Live 0xffffffffa00b1000 des_generic 16599 6 - Live 0xffffffffa0105000 cryptd 8116 0 - Live 0xffffffffa00c9000 aes_x86_64 7912 0 - Live 0xffffffffa00bd000 aes_generic 27607 1 aes_x86_64, Live 0xffffffffa00f6000 tunnel4 2909 1 xfrm4_tunnel, Live 0xffffffffa00c0000 xfrm_ipcomp 5148 2 ipcomp,ipcomp6, Live 0xffffffffa0045000 tunnel6 2712 1 xfrm6_tunnel, Live 0xffffffffa0029000 fbcon 39270 71 - Live 0xffffffffa0096000 tileblit 2487 1 fbcon, Live 0xffffffffa0090000 font 8053 1 fbcon, Live 0xffffffffa0089000 bitblit 5811 1 fbcon, Live 0xffffffffa0082000 softcursor 1565 1 bitblit, Live 0xffffffffa007c000 vga16fb 12757 1 - Live 0xffffffffa0072000 vgastate 9857 1 vga16fb, Live 0xffffffffa006d000 lp 9336 0 - Live 0xffffffffa0064000 parport 37160 1 lp, Live 0xffffffffa0058000 joydev 10976 0 - Live 0xffffffffa0024000 usbhid 41084 0 - Live 0xffffffffa004b000 hid 83440 1 usbhid, Live 0xffffffffa002e000 e1000e 136237 0 - Live 0xffffffffa0000000 + _________________________ /proc/meminfo + + cat /proc/meminfo MemTotal: 4016196 kB MemFree: 2692628 kB Buffers: 202328 kB Cached: 425224 kB SwapCached: 0 kB Active: 956096 kB Inactive: 172368 kB Active(anon): 506940 kB Inactive(anon): 3924 kB Active(file): 449156 kB Inactive(file): 168444 kB Unevictable: 0 kB Mlocked: 0 kB SwapTotal: 7812088 kB SwapFree: 7812088 kB Dirty: 1372 kB Writeback: 0 kB AnonPages: 500604 kB Mapped: 51672 kB Shmem: 9952 kB Slab: 75896 kB SReclaimable: 55604 kB SUnreclaim: 20292 kB KernelStack: 3432 kB PageTables: 14068 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB CommitLimit: 9820184 kB Committed_AS: 1813872 kB VmallocTotal: 34359738367 kB VmallocUsed: 285624 kB VmallocChunk: 34359373864 kB HardwareCorrupted: 0 kB HugePages_Total: 0 HugePages_Free: 0 HugePages_Rsvd: 0 HugePages_Surp: 0 Hugepagesize: 2048 kB DirectMap4k: 7952 kB DirectMap2M: 4145152 kB + _________________________ /proc/net/ipsec-ls + + test -f /proc/net/ipsec_version + _________________________ usr/src/linux/.config + + test -f /proc/config.gz + uname -r + test -f /lib/modules/2.6.32-25-server/build/.config + egrep CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM + uname -r + cat /lib/modules/2.6.32-25-server/build/.config CONFIG_IPC_NS=y CONFIG_XFRM=y CONFIG_XFRM_USER=m # CONFIG_XFRM_SUB_POLICY is not set # CONFIG_XFRM_MIGRATE is not set # CONFIG_XFRM_STATISTICS is not set CONFIG_XFRM_IPCOMP=m CONFIG_NET_KEY=m # CONFIG_NET_KEY_MIGRATE is not set CONFIG_INET=y CONFIG_IP_MULTICAST=y CONFIG_IP_ADVANCED_ROUTER=y # CONFIG_IP_FIB_TRIE is not set CONFIG_IP_FIB_HASH=y CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IP_ROUTE_MULTIPATH=y CONFIG_IP_ROUTE_VERBOSE=y # CONFIG_IP_PNP is not set CONFIG_IP_MROUTE=y CONFIG_IP_PIMSM_V1=y CONFIG_IP_PIMSM_V2=y CONFIG_INET_AH=m CONFIG_INET_ESP=m CONFIG_INET_IPCOMP=m CONFIG_INET_XFRM_TUNNEL=m CONFIG_INET_TUNNEL=m CONFIG_INET_XFRM_MODE_TRANSPORT=m CONFIG_INET_XFRM_MODE_TUNNEL=m CONFIG_INET_XFRM_MODE_BEET=m CONFIG_INET_LRO=y CONFIG_INET_DIAG=y CONFIG_INET_TCP_DIAG=y CONFIG_IPV6=y CONFIG_IPV6_PRIVACY=y # CONFIG_IPV6_ROUTER_PREF is not set # CONFIG_IPV6_OPTIMISTIC_DAD is not set CONFIG_INET6_AH=m CONFIG_INET6_ESP=m CONFIG_INET6_IPCOMP=m # CONFIG_IPV6_MIP6 is not set CONFIG_INET6_XFRM_TUNNEL=m CONFIG_INET6_TUNNEL=m CONFIG_INET6_XFRM_MODE_TRANSPORT=m CONFIG_INET6_XFRM_MODE_TUNNEL=m CONFIG_INET6_XFRM_MODE_BEET=m CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m CONFIG_IPV6_SIT=m CONFIG_IPV6_NDISC_NODETYPE=y CONFIG_IPV6_TUNNEL=m CONFIG_IPV6_MULTIPLE_TABLES=y # CONFIG_IPV6_SUBTREES is not set # CONFIG_IPV6_MROUTE is not set CONFIG_IP_VS=m CONFIG_IP_VS_IPV6=y # CONFIG_IP_VS_DEBUG is not set CONFIG_IP_VS_TAB_BITS=12 CONFIG_IP_VS_PROTO_TCP=y CONFIG_IP_VS_PROTO_UDP=y CONFIG_IP_VS_PROTO_AH_ESP=y CONFIG_IP_VS_PROTO_ESP=y CONFIG_IP_VS_PROTO_AH=y CONFIG_IP_VS_RR=m CONFIG_IP_VS_WRR=m CONFIG_IP_VS_LC=m CONFIG_IP_VS_WLC=m CONFIG_IP_VS_LBLC=m CONFIG_IP_VS_LBLCR=m CONFIG_IP_VS_DH=m CONFIG_IP_VS_SH=m CONFIG_IP_VS_SED=m CONFIG_IP_VS_NQ=m CONFIG_IP_VS_FTP=m CONFIG_IP_NF_QUEUE=m CONFIG_IP_NF_IPTABLES=m CONFIG_IP_NF_MATCH_ADDRTYPE=m CONFIG_IP_NF_MATCH_AH=m CONFIG_IP_NF_MATCH_ECN=m CONFIG_IP_NF_MATCH_TTL=m CONFIG_IP_NF_FILTER=m CONFIG_IP_NF_TARGET_REJECT=m CONFIG_IP_NF_TARGET_LOG=m CONFIG_IP_NF_TARGET_ULOG=m CONFIG_IP_NF_TARGET_MASQUERADE=m CONFIG_IP_NF_TARGET_NETMAP=m CONFIG_IP_NF_TARGET_REDIRECT=m CONFIG_IP_NF_MANGLE=m CONFIG_IP_NF_TARGET_CLUSTERIP=m CONFIG_IP_NF_TARGET_ECN=m CONFIG_IP_NF_TARGET_TTL=m CONFIG_IP_NF_RAW=m CONFIG_IP_NF_SECURITY=m CONFIG_IP_NF_ARPTABLES=m CONFIG_IP_NF_ARPFILTER=m CONFIG_IP_NF_ARP_MANGLE=m CONFIG_IP6_NF_QUEUE=m CONFIG_IP6_NF_IPTABLES=m CONFIG_IP6_NF_MATCH_AH=m CONFIG_IP6_NF_MATCH_EUI64=m CONFIG_IP6_NF_MATCH_FRAG=m CONFIG_IP6_NF_MATCH_OPTS=m CONFIG_IP6_NF_MATCH_HL=m CONFIG_IP6_NF_MATCH_IPV6HEADER=m CONFIG_IP6_NF_MATCH_MH=m CONFIG_IP6_NF_MATCH_RT=m CONFIG_IP6_NF_TARGET_HL=m CONFIG_IP6_NF_TARGET_LOG=m CONFIG_IP6_NF_FILTER=m CONFIG_IP6_NF_TARGET_REJECT=m CONFIG_IP6_NF_MANGLE=m CONFIG_IP6_NF_RAW=m CONFIG_IP6_NF_SECURITY=m CONFIG_IP_DCCP=m CONFIG_INET_DCCP_DIAG=m # CONFIG_IP_DCCP_CCID2_DEBUG is not set CONFIG_IP_DCCP_CCID3=y # CONFIG_IP_DCCP_CCID3_DEBUG is not set CONFIG_IP_DCCP_CCID3_RTO=100 CONFIG_IP_DCCP_TFRC_LIB=y # CONFIG_IP_DCCP_DEBUG is not set CONFIG_IP_SCTP=m CONFIG_IPX=m # CONFIG_IPX_INTERN is not set CONFIG_IPDDP=m CONFIG_IPDDP_ENCAP=y CONFIG_IPDDP_DECAP=y CONFIG_IP1000=m CONFIG_IPW2100=m CONFIG_IPW2100_MONITOR=y # CONFIG_IPW2100_DEBUG is not set CONFIG_IPW2200=m CONFIG_IPW2200_MONITOR=y CONFIG_IPW2200_RADIOTAP=y CONFIG_IPW2200_PROMISCUOUS=y CONFIG_IPW2200_QOS=y # CONFIG_IPW2200_DEBUG is not set CONFIG_IPPP_FILTER=y CONFIG_IPMI_HANDLER=m # CONFIG_IPMI_PANIC_EVENT is not set CONFIG_IPMI_DEVICE_INTERFACE=m CONFIG_IPMI_SI=m CONFIG_IPMI_WATCHDOG=m CONFIG_IPMI_POWEROFF=m CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_TIMERIOMEM=m CONFIG_HW_RANDOM_INTEL=m CONFIG_HW_RANDOM_AMD=m CONFIG_HW_RANDOM_VIA=m CONFIG_HW_RANDOM_VIRTIO=m CONFIG_IPWIRELESS=m # CONFIG_SECURITY_NETWORK_XFRM is not set CONFIG_CRYPTO_DEV_PADLOCK=y CONFIG_CRYPTO_DEV_PADLOCK_AES=m CONFIG_CRYPTO_DEV_PADLOCK_SHA=m CONFIG_CRYPTO_DEV_HIFN_795X=m CONFIG_CRYPTO_DEV_HIFN_795X_RNG=y + _________________________ etc/syslog.conf + + _________________________ etc/syslog-ng/syslog-ng.conf + + cat /etc/syslog-ng/syslog-ng.conf cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory + cat /etc/syslog.conf cat: /etc/syslog.conf: No such file or directory + _________________________ etc/resolv.conf + + cat /etc/resolv.conf search peterhoff.de nameserver 194.25.0.60 nameserver 194.25.0.52 + _________________________ lib/modules-ls + + ls -ltr /lib/modules total 8 drwxr-xr-x 4 root root 4096 Oct 25 14:37 2.6.32-25-server drwxr-xr-x 4 root root 4096 Oct 25 17:43 2.6.32-24-server + _________________________ fipscheck + + cat /proc/sys/crypto/fips_enabled 0 + _________________________ /proc/ksyms-netif_rx + + test -r /proc/ksyms + test -r /proc/kallsyms + egrep netif_rx /proc/kallsyms ffffffff81476960 T netif_rx ffffffff81476c10 T netif_rx_ni ffffffff817767d0 r __ksymtab_netif_rx_ni ffffffff817767e0 r __ksymtab_netif_rx ffffffff817854e8 r __kcrctab_netif_rx_ni ffffffff817854f0 r __kcrctab_netif_rx ffffffff8179dd92 r __kstrtab_netif_rx_ni ffffffff8179dd9e r __kstrtab_netif_rx + _________________________ lib/modules-netif_rx + + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.6.32-24-server: 2.6.32-25-server: + _________________________ kern.debug + + test -f /var/log/kern.debug + _________________________ klog + + + egrep -i ipsec|klips|pluto sed -n 1661,$p /var/log/syslog + cat Nov 9 09:36:25 ph-router ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-25-server... Nov 9 09:36:25 ph-router ipsec_setup: Using NETKEY(XFRM) stack Nov 9 09:36:25 ph-router ipsec_setup: Command line is not complete. Try option "help" Nov 9 09:36:25 ph-router ipsec_setup: ...Openswan IPsec started Nov 9 09:36:25 ph-router pluto: adjusting ipsec.d to /etc/ipsec.d Nov 9 09:36:25 ph-router ipsec__plutorun: 002 added connection description "l2l" Nov 9 09:36:25 ph-router ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T Nov 9 09:36:25 ph-router ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19) Nov 9 09:36:25 ph-router ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T + _________________________ plog + + sed -n 5686,$p+ /var/log/auth.log+ cat egrep -i pluto Nov 9 09:36:25 ph-router ipsec__plutorun: Starting Pluto subsystem... + _________________________ date + + date Tue Nov 9 09:49:48 CET 2010