[Openswan dev] [PATCH] Source changes required to build KLIPS on 2.6
Ferdinand O. Tempel
pw at linuxops.net
Mon Jun 28 21:47:57 CEST 2004
On Fri, 2004-06-25 at 15:08, Nate Carlson wrote:
> On Fri, 25 Jun 2004, Paul Wouters wrote:
> > I fixed some silly things I did wrong in the various builds and got it
> > to compile. I got the module loaded. Then I ran ifconfig and it failed
> > gracefully with a kernel crash :)
>
> That's not very nice of it, is it? :)
Well, Nate, if it makes you happy, I replayed all your steps too, and I got a nice ipsec connection going with KLIPS.
As proof, I attached a barf :P
When I first tried I couldn't get things to compile as it missed source files. Then I figured out you're supposed to run move-files *and* move-files-2 (D'oh!). So after I did that, the module built just fine.
It also loaded just fine, and my test connection comes up fine. So, you can take pride in your hard work, you now have at least one success report.
Also attached you'll find a patch to your Makefile which removes the hardcoded paths. Of course it assumes you want to build the module for the running 2.6 kernel :P If that is not the case, a method should be devised to use KERNELSRC from the toplevel Makefile.inc. But that's integration work, later.
Good work.
--
Regards,
Ferdinand O. Tempel
Your friendly neighborhood linuxops.net administrator.
-------------- next part --------------
dualbox
Mon Jun 28 22:20:57 CEST 2004
+ _________________________ version
+ ipsec --version
Linux Openswan Ucvs2004Mar28_22:20:06/K2cvs (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.7 (polarwolf at dualbox) (gcc version 3.3.4 (Debian 1:3.3.4-2)) #1 SMP Sun Jun 27 16:23:37 CEST 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
0 10.164.10.200/32 -> 10.164.10.1/32 => tun0x1002 at 10.164.10.1
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.164.10.1 10.164.10.1 255.255.255.255 UGH 0 0 0 ipsec0
10.164.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.164.10.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
0.0.0.0 10.164.10.1 0.0.0.0 UG 0 0 0 eth0
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1002 at 10.164.10.1 esp0x18026092 at 10.164.10.1
tun0x1001 at 10.164.10.200 esp0x64a170a7 at 10.164.10.200
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 10.164.10.200
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "test": 10.164.10.200...10.164.10.1; erouted; eroute owner: #2
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 32,32; interface: eth0;
000 "test": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "test": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "test": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "test": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "test": ESP algorithms wanted: 12_000-1, 12_000-2, flags=-strict
000 "test": ESP algorithms loaded: 12_000-1, 12_000-2, flags=-strict
000 "test": ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=<Phase1>
000
000 #2: "test" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28451s; newest IPSEC; eroute owner
000 #2: "test" esp.18026092 at 10.164.10.1 esp.64a170a7 at 10.164.10.200 tun.1002 at 10.164.10.1 tun.1001 at 10.164.10.200
000 #1: "test" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3249s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:60:08:77:D7:CB
inet addr:10.164.10.200 Bcast:10.164.10.255 Mask:255.255.255.0
inet6 addr: fe80::260:8ff:fe77:d7cb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4298 errors:0 dropped:0 overruns:0 frame:0
TX packets:2827 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:381769 (372.8 KiB) TX bytes:577108 (563.5 KiB)
Interrupt:18 Base address:0xcc00
eth1 Link encap:Ethernet HWaddr 00:10:5A:B1:DF:14
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:17 Base address:0xd000
ipsec0 Link encap:Ethernet HWaddr 00:60:08:77:D7:CB
inet addr:10.164.10.200 Mask:255.255.255.0
inet6 addr: fe80::260:8ff:fe77:d7cb/64 Scope:Link
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:3 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec1 Link encap:UNSPEC HWaddr 38-30-3A-30-30-30-30-3A-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan Ucvs2004Mar28_22:20:06/K2cvs (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: dualbox [MISSING]
Cannot execute command "host -t txt dualbox": No such file or directory
Does the machine have at least one non-private address? [FAILED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: National DP83840A rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: no link
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: no link
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
dualbox.dualbox
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.164.10.200
+ _________________________ uptime
+ uptime
22:20:58 up 1:21, 1 user, load average: 0.07, 0.06, 0.06
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 1734 559 19 0 2332 1084 wait4 S+ pts/0 0:00 \_ /bin/sh /usr/libexec/ipsec/barf
4 0 1808 1734 22 0 1572 476 pipe_w S+ pts/0 0:00 \_ grep -E -i ppid|pluto|ipsec|klips
5 0 1382 1 21 0 2336 1088 wait4 S pts/0 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
5 0 1383 1382 22 0 2336 1096 wait4 S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 1386 1383 15 0 2448 1200 - S pts/0 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --uniqueids
4 0 1397 1386 17 0 1448 272 - S pts/0 0:00 | \_ _pluto_adns
4 0 1385 1382 16 0 2312 1064 pipe_w S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
4 0 1384 1 22 0 1512 392 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=10.164.10.200
routenexthop=10.164.10.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# Add connections here
# sample VPN connection
#sample# conn sample
#sample# # Left security gateway, subnet behind it, next hop toward right.
#sample# left=10.0.0.1
#sample# leftsubnet=172.16.0.0/24
#sample# leftnexthop=10.22.33.44
#sample# # Right security gateway, subnet behind it, next hop toward left.
#sample# right=10.12.12.1
#sample# rightsubnet=192.168.0.0/24
#sample# rightnexthop=10.101.102.103
#sample# # To authorize this connection, but not actually start it, at startup,
#sample# # uncomment this.
#sample# #auto=start
#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 35
#< /etc/ipsec.d/conns/ipsec.test.conf 1
conn test
left=%defaultroute
right=10.164.10.1
esp=aes
authby=secret
auto=ignore
#> /etc/ipsec.conf 37
+ _________________________ ipsec/secrets
+ ipsec _secretcensor
+ ipsec _include /etc/ipsec.secrets
#< /etc/ipsec.secrets 1
10.164.10.200 10.164.10.1: PSK "[sums to d8e8...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 144
-rwxr-xr-x 1 root root 15390 Jun 27 17:30 _confread
-rwxr-xr-x 1 root root 50188 Jun 27 17:30 _copyright
-rwxr-xr-x 1 root root 2379 Jun 27 17:30 _include
-rwxr-xr-x 1 root root 1475 Jun 27 17:30 _keycensor
-rwxr-xr-x 1 root root 3586 Jun 27 17:30 _plutoload
-rwxr-xr-x 1 root root 7167 Jun 27 17:30 _plutorun
-rwxr-xr-x 1 root root 10493 Jun 27 17:30 _realsetup
-rwxr-xr-x 1 root root 1975 Jun 27 17:30 _secretcensor
-rwxr-xr-x 1 root root 8625 Jun 27 17:30 _startklips
-rwxr-xr-x 1 root root 12313 Jun 27 17:30 _updown
-rwxr-xr-x 1 root root 7572 Jun 27 17:30 _updown_x509
-rwxr-xr-x 1 root root 1942 Jun 27 17:30 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 5180
-rwxr-xr-x 1 root root 73906 Jun 27 17:30 _pluto_adns
-rwxr-xr-x 1 root root 18935 Jun 27 17:30 auto
-rwxr-xr-x 1 root root 10248 Jun 27 17:30 barf
-rwxr-xr-x 1 root root 816 Jun 27 17:30 calcgoo
-rwxr-xr-x 1 root root 326040 Jun 27 17:30 eroute
-rwxr-xr-x 1 root root 128828 Jun 27 17:30 ikeping
-rwxr-xr-x 1 root root 191341 Jun 27 17:30 klipsdebug
-rwxr-xr-x 1 root root 2461 Jun 27 17:30 look
-rwxr-xr-x 1 root root 7124 Jun 27 17:30 mailkey
-rwxr-xr-x 1 root root 16188 Jun 27 17:30 manual
-rwxr-xr-x 1 root root 1874 Jun 27 17:30 newhostkey
-rwxr-xr-x 1 root root 174684 Jun 27 17:30 pf_key
-rwxr-xr-x 1 root root 2560063 Jun 27 17:30 pluto
-rwxr-xr-x 1 root root 54252 Jun 27 17:30 ranbits
-rwxr-xr-x 1 root root 86362 Jun 27 17:30 rsasigkey
-rwxr-xr-x 1 root root 766 Jun 27 17:30 secrets
-rwxr-xr-x 1 root root 17578 Jun 27 17:30 send-pr
lrwxrwxrwx 1 root root 17 Jun 27 17:30 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Jun 27 17:30 showdefaults
-rwxr-xr-x 1 root root 4364 Jun 27 17:30 showhostkey
-rwxr-xr-x 1 root root 516545 Jun 27 17:30 spi
-rwxr-xr-x 1 root root 264993 Jun 27 17:30 spigrp
-rwxr-xr-x 1 root root 487974 Jun 27 17:30 starter
-rwxr-xr-x 1 root root 53836 Jun 27 17:30 tncfg
-rwxr-xr-x 1 root root 10195 Jun 27 17:30 verify
-rwxr-xr-x 1 root root 233419 Jun 27 17:30 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
eth0: 381769 4298 0 0 0 0 0 0 577108 2827 0 0 0 0 0 0
eth1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 0 0 0 3 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ipsec0 010AA40A 010AA40A 0007 0 0 0 FFFFFFFF 0 0 0
eth0 000AA40A 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 000AA40A 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 00000000 010AA40A 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
0
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:0
ipsec0/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux dualbox 2.6.7 #1 SMP Sun Jun 27 16:23:37 CEST 2004 i686 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2cvs
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ ipfwadm -F -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -I -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -O -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -M -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ ipchains -L -v -n
ipchains: Incompatible with this kernel
+ _________________________
+ ipchains -M -L -v -n
ipchains: cannot open file `/proc/net/ip_masquerade'
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 97 packets, 5908 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 106 packets, 22488 bytes)
pkts bytes target prot opt in out source destination
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 244 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 88 packets, 5440 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 88 packets, 5440 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 93 packets, 20260 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 93 packets, 20260 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
iptable_mangle 3104 0 - Live 0xf08e5000
iptable_nat 25092 0 - Live 0xf0911000
ip_conntrack 37060 1 iptable_nat, Live 0xf0906000
iptable_filter 3104 0 - Live 0xf08a9000
ip_tables 19168 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xf08f3000
blowfish 10208 0 - Live 0xf08a5000
cast5 16544 0 - Live 0xf08d9000
serpent 13856 0 - Live 0xf08b6000
twofish 38880 0 - Live 0xf08e8000
aes 32832 2 - Live 0xf08ac000
ipsec 337408 5 [unsafe], Live 0xf09c9000
ipv6 266464 12 - Live 0xf0926000
usbkbd 7648 0 - Live 0xf089d000
usbcore 115136 2 usbkbd, Live 0xf08bb000
+ _________________________ proc/meminfo
+ cat /proc/meminfo
MemTotal: 775580 kB
MemFree: 723436 kB
Buffers: 4896 kB
Cached: 27064 kB
SwapCached: 0 kB
Active: 28720 kB
Inactive: 7148 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 775580 kB
LowFree: 723436 kB
SwapTotal: 996020 kB
SwapFree: 996020 kB
Dirty: 40 kB
Writeback: 0 kB
Mapped: 6980 kB
Slab: 9968 kB
Committed_AS: 10132 kB
PageTables: 296 kB
VmallocTotal: 253876 kB
VmallocUsed: 1816 kB
VmallocChunk: 251712 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Jun 28 22:20 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Jun 28 22:20 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Jun 28 22:20 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Jun 28 22:20 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Jun 28 22:20 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Jun 28 22:20 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_NETLINK|CONFIG_IPSEC|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NETLINK_DEV=m
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_IP_MROUTE is not set
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
# CONFIG_IP_VS is not set
CONFIG_IPV6=m
# CONFIG_IPV6_PRIVACY is not set
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_IP_NF_NAT_LOCAL is not set
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_RAW=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_IP6_NF_RAW=m
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.crit;news.err;news.notice;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search dualbox
nameserver 10.164.10.100
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 3 root root 4096 Jun 27 14:38 2.4.18-bf2.4-xfs
drwxr-xr-x 3 root root 4096 Jun 27 17:42 2.6.7
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c0327070 T netif_rx
c0327070 U netif_rx [ipsec]
c0327070 U netif_rx [ipv6]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.18-bf2.4-xfs: U netif_rx
2.6.7:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '1708,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ cat
Jun 28 22:15:24 dualbox ipsec_setup: Starting Openswan IPsec Ucvs2004Mar28_22:20:06/K2cvs...
Jun 28 22:15:24 dualbox ipsec_setup: WARNING: changing route filtering on eth0 (changing /proc/sys/net/ipv4/conf/eth0/rp_filter from 1 to 0)
Jun 28 22:15:33 dualbox kernel: ipsec0: no IPv6 routers present
+ _________________________ plog
+ sed -n '599,$p' /var/log/auth.log
+ egrep -i pluto
+ cat
Jun 28 22:15:24 dualbox ipsec__plutorun: Starting Pluto subsystem...
Jun 28 22:15:24 dualbox pluto[1386]: Starting Pluto (Openswan Version cvs2004Mar28_22:20:06 X.509-1.4.8 PLUTO_USES_KEYRR)
Jun 28 22:15:24 dualbox pluto[1386]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 28 22:15:24 dualbox pluto[1386]: Using KLIPS IPsec interface code
Jun 28 22:15:24 dualbox pluto[1386]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 28 22:15:24 dualbox pluto[1386]: Could not change to directory '/etc/ipsec.d/aacerts'
Jun 28 22:15:24 dualbox pluto[1386]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jun 28 22:15:24 dualbox pluto[1386]: Changing to directory '/etc/ipsec.d/crls'
Jun 28 22:15:24 dualbox pluto[1386]: Warning: empty directory
Jun 28 22:15:24 dualbox pluto[1386]: listening for IKE messages
Jun 28 22:15:24 dualbox pluto[1386]: adding interface ipsec0/eth0 10.164.10.200
Jun 28 22:15:24 dualbox pluto[1386]: loading secrets from "/etc/ipsec.secrets"
Jun 28 22:15:37 dualbox pluto[1386]: added connection description "test"
Jun 28 22:16:02 dualbox pluto[1386]: "test": deleting connection
Jun 28 22:17:05 dualbox pluto[1386]: added connection description "test"
Jun 28 22:17:14 dualbox pluto[1386]: forgetting secrets
Jun 28 22:17:14 dualbox pluto[1386]: loading secrets from "/etc/ipsec.secrets"
Jun 28 22:19:04 dualbox pluto[1386]: "test": deleting connection
Jun 28 22:19:19 dualbox pluto[1386]: added connection description "test"
Jun 28 22:19:36 dualbox pluto[1386]: "test" #1: responding to Main Mode
Jun 28 22:19:36 dualbox pluto[1386]: "test" #1: transition from state (null) to state STATE_MAIN_R1
Jun 28 22:19:36 dualbox pluto[1386]: "test" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 28 22:19:36 dualbox pluto[1386]: "test" #1: Peer ID is ID_IPV4_ADDR: '10.164.10.1'
Jun 28 22:19:36 dualbox pluto[1386]: "test" #1: I did not send a certificate because I do not have one.
Jun 28 22:19:36 dualbox pluto[1386]: "test" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 28 22:19:36 dualbox pluto[1386]: "test" #1: sent MR3, ISAKMP SA established
Jun 28 22:19:36 dualbox pluto[1386]: "test" #2: responding to Quick Mode
Jun 28 22:19:36 dualbox pluto[1386]: "test" #2: transition from state (null) to state STATE_QUICK_R1
Jun 28 22:19:38 dualbox pluto[1386]: "test" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 28 22:19:38 dualbox pluto[1386]: "test" #2: IPsec SA established {ESP=>0x18026092 <0x64a170a7}
+ _________________________ date
+ date
Mon Jun 28 22:21:01 CEST 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Makefile.patch
Type: text/x-patch
Size: 824 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20040628/b1b401c4/Makefile-0001.bin