[Openswan dev] Source Port is changing between Prerouting and input without nat (klips, openswan)
Aron Wieck
aw at entropia.biz
Fri Nov 19 16:02:35 CET 2004
Hello folks,
Maybe this is a bug:
I open a tunnel, using kernel 2.6.9, klips and openswan. (Same behaviour
with racoon)
Ping works through the tunnel, and if I open a telnet connection the SYN/ACK works fine
too, so the connection seems to be open.
However, the connection does not work, because after the SYN/ACK all packets
change their source port between PREROUTING and INPUT in iptables.
Nov 19 15:56:14 hawaii === SAP IN === IN=eth2 OUT= MAC=00:60:97:4b:44:e6:00:05:32:53:dd:00:08:00 SRC=213.68.161.188 DST=62.159.254.226 LEN=96 TOS=00 PREC=0x00 TTL=55 ID=14472 PROTO=0
Nov 19 15:56:14 hawaii === SAP NAT === IN=eth2 OUT= MAC=00:60:97:4b:44:e6:00:05:32:53:dd:00:08:00 SRC=10.1.126.50 DST=172.20.0.196 LEN=40 TOS=00 PREC=0x00 TTL=126 ID=22434 DF PROTO=TCP SPT=3299 DPT=44430 SEQ=15844235 ACK=272816233 WINDOW=32768 ACK URGP=0
Closing the connection then works correctly again.
If anyone could help, that would be great!
Greetings
Aron
-------------- next part --------------
hawaii
Fri Nov 19 15:52:53 CET 2004
+ _________________________ version
+ ipsec --version
Linux Openswan U2.2.0/K2.6.9-gentoo-r1 (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.9-gentoo-r1 (root at hawaii) (gcc-Version 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)) #8 Tue Nov 16 03:11:01 CET 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
213.191.69.70 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
194.127.102.181 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
194.127.102.180 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
194.127.102.17 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
193.108.212.250 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
194.127.102.179 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
194.127.102.22 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
10.100.50.1 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
193.28.175.30 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
194.127.102.118 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
172.31.10.30 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
172.20.5.3 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
172.16.1.5 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
10.1.201.36 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
193.28.164.206 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
10.1.126.50 172.20.0.196 255.255.255.255 UGH 0 0 0 dummy0
10.1.202.31 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
153.100.64.205 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
10.225.104.24 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
194.172.91.80 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
150.1.0.100 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
172.20.0.196 10.10.10.6 255.255.255.255 UGH 0 0 0 eth0
194.127.102.79 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
194.121.48.4 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
212.65.8.80 172.20.0.1 255.255.255.255 UGH 0 0 0 eth1
194.30.147.88 172.20.0.1 255.255.255.252 UG 0 0 0 eth1
62.159.254.224 0.0.0.0 255.255.255.240 U 0 0 0 eth2
128.1.0.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.150.0.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.150.1.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
172.20.251.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
172.20.254.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.11.199.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.253.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.190.104.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.116.0.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.20.30.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
150.80.1.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.20.1.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.20.2.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.20.4.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
194.64.33.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.106.144.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.106.131.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.10.160.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
128.1.100.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.136.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.148.101.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.100.210.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.95.0.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.100.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
172.16.80.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
193.16.200.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.2.1.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
193.28.160.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.116.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.13.106.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.1.3.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.71.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.130.3.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
150.1.1.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
150.1.2.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
172.16.111.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
172.16.110.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
172.31.17.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.35.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
139.16.152.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
172.18.0.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.140.31.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.41.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.10.20.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.50.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.51.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.140.3.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.10.30.0 172.20.0.10 255.255.255.0 UG 0 0 0 eth1
192.168.60.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.40.1.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.6.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.5.0 10.10.10.4 255.255.255.0 UG 0 0 0 eth0
172.22.5.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
172.20.30.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.12.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.23.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
10.0.100.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
172.20.2.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
172.20.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.16.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
172.21.4.0 172.20.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.0.0 172.20.0.1 255.255.252.0 UG 0 0 0 eth1
145.46.0.0 172.20.0.1 255.255.0.0 UG 0 0 0 eth1
10.66.0.0 172.20.0.1 255.255.0.0 UG 0 0 0 eth1
10.230.0.0 172.20.0.1 255.255.0.0 UG 0 0 0 eth1
10.71.0.0 172.20.0.1 255.255.0.0 UG 0 0 0 eth1
172.23.0.0 172.20.0.1 255.255.0.0 UG 0 0 0 eth1
172.20.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
0.0.0.0 62.159.254.225 0.0.0.0 UG 0 0 0 eth2
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
213.68.161.188 62.159.254.226
esp mode=tunnel spi=3373679906(0xc9164522) reqid=16385(0x00004001)
E: 3des-cbc 2f2af359 15e47465 d4c87fa3 a71961d4 694e5fc4 0c6a5e82
A: hmac-sha1 d1e5fe07 937f49c8 52fa6d14 c13165a5 2a7aea6b
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Nov 19 15:32:09 2004 current: Nov 19 15:52:53 2004
diff: 1244(s) hard: 0(s) soft: 0(s)
last: Nov 19 15:32:15 2004 hard: 0(s) soft: 0(s)
current: 2984(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 50 hard: 0 soft: 0
sadb_seq=1 pid=32661 refcnt=0
62.159.254.226 213.68.161.188
esp mode=tunnel spi=3261187767(0xc261c6b7) reqid=16385(0x00004001)
E: 3des-cbc eff68f55 b37da8c7 b5d44879 5692fa1c 36b001d0 f565326b
A: hmac-sha1 decb6028 13f5652d ff5ff5fa 816a78a0 958860ad
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Nov 19 15:32:09 2004 current: Nov 19 15:52:53 2004
diff: 1244(s) hard: 0(s) soft: 0(s)
last: Nov 19 15:32:14 2004 hard: 0(s) soft: 0(s)
current: 5824(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 52 hard: 0 soft: 0
sadb_seq=0 pid=32661 refcnt=0
+ _________________________ setkey-D-P
+ setkey -D -P
10.1.126.50[any] 172.20.0.196[any] any
in ipsec
esp/tunnel/213.68.161.188-62.159.254.226/unique#16385
created: Nov 19 15:32:09 2004 lastused: Nov 19 15:48:43 2004
lifetime: 0(s) validtime: 0(s)
spid=15328 seq=52 pid=32662
refcnt=1
172.20.0.196[any] 10.1.126.50[any] any
out ipsec
esp/tunnel/62.159.254.226-213.68.161.188/unique#16385
created: Nov 19 15:32:09 2004 lastused: Nov 19 15:48:43 2004
lifetime: 0(s) validtime: 0(s)
spid=15321 seq=51 pid=32662
refcnt=1
10.1.126.50[any] 172.20.0.196[any] any
fwd ipsec
esp/tunnel/213.68.161.188-62.159.254.226/unique#16385
created: Nov 19 15:32:09 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15338 seq=50 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15307 seq=49 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15291 seq=48 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15275 seq=47 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15259 seq=46 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15243 seq=45 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15227 seq=44 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15211 seq=43 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15195 seq=42 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15179 seq=41 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15163 seq=40 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15147 seq=39 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15131 seq=38 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15115 seq=37 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15099 seq=36 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15083 seq=35 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused: Nov 19 15:32:09 2004
lifetime: 0(s) validtime: 0(s)
spid=15067 seq=34 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15051 seq=33 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15035 seq=32 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15019 seq=31 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15003 seq=30 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=14987 seq=29 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=14971 seq=28 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=14955 seq=27 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=14939 seq=26 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=14923 seq=25 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15316 seq=24 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15300 seq=23 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15284 seq=22 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15268 seq=21 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15252 seq=20 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15236 seq=19 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15220 seq=18 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15204 seq=17 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15188 seq=16 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15172 seq=15 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15156 seq=14 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15140 seq=13 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15124 seq=12 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15108 seq=11 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15092 seq=10 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused: Nov 19 15:32:09 2004
lifetime: 0(s) validtime: 0(s)
spid=15076 seq=9 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15060 seq=8 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15044 seq=7 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15028 seq=6 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=15012 seq=5 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=14996 seq=4 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=14980 seq=3 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=14964 seq=2 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=14948 seq=1 pid=32662
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 19 15:32:08 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=14932 seq=0 pid=32662
refcnt=1
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.10.10.1
000 interface eth0:1/eth0:1 10.10.10.2
000 interface eth0:2/eth0:2 10.10.10.3
000 interface eth1/eth1 172.20.0.3
000 interface eth1:11/eth1:11 172.20.0.206
000 interface eth1:1/eth1:1 172.20.0.6
000 interface eth1:2/eth1:2 172.20.0.7
000 interface eth1:4/eth1:4 172.20.0.199
000 interface eth1:5/eth1:5 172.20.0.200
000 interface eth1:6/eth1:6 172.20.0.201
000 interface eth1:7/eth1:7 172.20.0.202
000 interface eth1:8/eth1:8 172.20.0.203
000 interface eth1:9/eth1:9 172.20.0.204
000 interface eth1:10/eth1:10 172.20.0.205
000 interface eth2/eth2 62.159.254.226
000 interface eth2:1/eth2:1 62.159.254.227
000 interface eth2:2/eth2:2 62.159.254.228
000 interface eth2:3/eth2:3 62.159.254.229
000 interface eth2:4/eth2:4 62.159.254.230
000 interface eth2:5/eth2:5 62.159.254.231
000 interface eth2:6/eth2:6 62.159.254.232
000 interface eth2:7/eth2:7 62.159.254.233
000 interface eth2:8/eth2:8 62.159.254.234
000 interface dummy0/dummy0 172.20.0.196
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36} trans={0,4,336} attrs={0,4,224}
000
000 "Netscreen-Gelsenwasser": 172.20.0.196/32===62.159.254.226---172.20.0.196...213.68.161.188===10.1.126.50/32; erouted; eroute owner: #2
000 "Netscreen-Gelsenwasser": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "Netscreen-Gelsenwasser": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth2;
000 "Netscreen-Gelsenwasser": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "Netscreen-Gelsenwasser": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "Netscreen-Gelsenwasser": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "Netscreen-Gelsenwasser": IKE algorithm newest: 3DES_CBC_192-SHA-MODP1024
000 "Netscreen-Gelsenwasser": ESP algorithms wanted: 3_000-2, flags=-strict
000 "Netscreen-Gelsenwasser": ESP algorithms loaded: 3_000-2, flags=-strict
000 "Netscreen-Gelsenwasser": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #2: "Netscreen-Gelsenwasser" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1779s; newest IPSEC; eroute owner
000 #2: "Netscreen-Gelsenwasser" esp.c261c6b7 at 213.68.161.188 esp.c9164522 at 62.159.254.226 tun.0 at 213.68.161.188 tun.0 at 62.159.254.226
000 #1: "Netscreen-Gelsenwasser" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26633s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
dummy0 Link encap:Ethernet HWaddr 56:ED:EE:C6:B8:A5
inet addr:172.20.0.196 Bcast:172.20.255.255 Mask:255.255.255.255
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth0 Link encap:Ethernet HWaddr 00:02:55:FA:93:84
inet addr:10.10.10.1 Bcast:10.10.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2754136 errors:0 dropped:0 overruns:0 frame:0
TX packets:3106275 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:479190573 (456.9 Mb) TX bytes:2306333928 (2199.4 Mb)
eth0:1 Link encap:Ethernet HWaddr 00:02:55:FA:93:84
inet addr:10.10.10.2 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth0:2 Link encap:Ethernet HWaddr 00:02:55:FA:93:84
inet addr:10.10.10.3 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth1 Link encap:Ethernet HWaddr 00:02:55:FA:93:85
inet addr:172.20.0.3 Bcast:172.20.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:725586 errors:0 dropped:0 overruns:0 frame:0
TX packets:859818 errors:0 dropped:0 overruns:0 carrier:0
collisions:18555 txqueuelen:1000
RX bytes:266922082 (254.5 Mb) TX bytes:87643697 (83.5 Mb)
eth1:1 Link encap:Ethernet HWaddr 00:02:55:FA:93:85
inet addr:172.20.0.6 Bcast:172.20.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth1:2 Link encap:Ethernet HWaddr 00:02:55:FA:93:85
inet addr:172.20.0.7 Bcast:172.20.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth1:4 Link encap:Ethernet HWaddr 00:02:55:FA:93:85
inet addr:172.20.0.199 Bcast:172.20.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth1:5 Link encap:Ethernet HWaddr 00:02:55:FA:93:85
inet addr:172.20.0.200 Bcast:172.20.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth1:6 Link encap:Ethernet HWaddr 00:02:55:FA:93:85
inet addr:172.20.0.201 Bcast:172.20.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth1:7 Link encap:Ethernet HWaddr 00:02:55:FA:93:85
inet addr:172.20.0.202 Bcast:172.20.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth1:8 Link encap:Ethernet HWaddr 00:02:55:FA:93:85
inet addr:172.20.0.203 Bcast:172.20.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth1:9 Link encap:Ethernet HWaddr 00:02:55:FA:93:85
inet addr:172.20.0.204 Bcast:172.20.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth1:10 Link encap:Ethernet HWaddr 00:02:55:FA:93:85
inet addr:172.20.0.205 Bcast:172.20.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth1:11 Link encap:Ethernet HWaddr 00:02:55:FA:93:85
inet addr:172.20.0.206 Bcast:172.20.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
eth2 Link encap:Ethernet HWaddr 00:60:97:4B:44:E6
inet addr:62.159.254.226 Bcast:62.159.254.239 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2143862 errors:0 dropped:0 overruns:0 frame:0
TX packets:1819555 errors:0 dropped:0 overruns:0 carrier:0
collisions:15661 txqueuelen:1000
RX bytes:1820867508 (1736.5 Mb) TX bytes:365823597 (348.8 Mb)
Interrupt:11 Base address:0xdc00
eth2:1 Link encap:Ethernet HWaddr 00:60:97:4B:44:E6
inet addr:62.159.254.227 Bcast:62.255.255.255 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
Interrupt:11 Base address:0xdc00
eth2:2 Link encap:Ethernet HWaddr 00:60:97:4B:44:E6
inet addr:62.159.254.228 Bcast:62.255.255.255 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
Interrupt:11 Base address:0xdc00
eth2:3 Link encap:Ethernet HWaddr 00:60:97:4B:44:E6
inet addr:62.159.254.229 Bcast:62.255.255.255 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
Interrupt:11 Base address:0xdc00
eth2:4 Link encap:Ethernet HWaddr 00:60:97:4B:44:E6
inet addr:62.159.254.230 Bcast:62.255.255.255 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
Interrupt:11 Base address:0xdc00
eth2:5 Link encap:Ethernet HWaddr 00:60:97:4B:44:E6
inet addr:62.159.254.231 Bcast:62.255.255.255 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
Interrupt:11 Base address:0xdc00
eth2:6 Link encap:Ethernet HWaddr 00:60:97:4B:44:E6
inet addr:62.159.254.232 Bcast:62.255.255.255 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
Interrupt:11 Base address:0xdc00
eth2:7 Link encap:Ethernet HWaddr 00:60:97:4B:44:E6
inet addr:62.159.254.233 Bcast:62.255.255.255 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
Interrupt:11 Base address:0xdc00
eth2:8 Link encap:Ethernet HWaddr 00:60:97:4B:44:E6
inet addr:62.159.254.234 Bcast:62.255.255.255 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:148 (148.0 b)
Interrupt:11 Base address:0xdc00
gre0 Link encap:UNSPEC HWaddr 00-00-00-00-FF-F0-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:72 errors:0 dropped:0 overruns:0 frame:0
TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7052 (6.8 Kb) TX bytes:7052 (6.8 Kb)
tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.6.9-gentoo-r1 (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: hawaii [MISSING]
Cannot execute command "host -t txt hawaii": No such file or directory
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 226.254.159.62.in-addr.arpa. [MISSING]
Cannot execute command "host -t txt 226.254.159.62.in-addr.arpa.": No such file or directory
Looking for TXT in reverse dns zone: 227.254.159.62.in-addr.arpa. [MISSING]
Cannot execute command "host -t txt 227.254.159.62.in-addr.arpa.": No such file or directory
Looking for TXT in reverse dns zone: 228.254.159.62.in-addr.arpa. [MISSING]
Cannot execute command "host -t txt 228.254.159.62.in-addr.arpa.": No such file or directory
Looking for TXT in reverse dns zone: 229.254.159.62.in-addr.arpa. [MISSING]
Cannot execute command "host -t txt 229.254.159.62.in-addr.arpa.": No such file or directory
Looking for TXT in reverse dns zone: 230.254.159.62.in-addr.arpa. [MISSING]
Cannot execute command "host -t txt 230.254.159.62.in-addr.arpa.": No such file or directory
Looking for TXT in reverse dns zone: 231.254.159.62.in-addr.arpa. [MISSING]
Cannot execute command "host -t txt 231.254.159.62.in-addr.arpa.": No such file or directory
Looking for TXT in reverse dns zone: 232.254.159.62.in-addr.arpa. [MISSING]
Cannot execute command "host -t txt 232.254.159.62.in-addr.arpa.": No such file or directory
Looking for TXT in reverse dns zone: 233.254.159.62.in-addr.arpa. [MISSING]
Cannot execute command "host -t txt 233.254.159.62.in-addr.arpa.": No such file or directory
Looking for TXT in reverse dns zone: 234.254.159.62.in-addr.arpa. [MISSING]
Cannot execute command "host -t txt 234.254.159.62.in-addr.arpa.": No such file or directory
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD flow-control, link ok
product info: Intel 82555 rev 4
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: negotiated 100baseTx-HD, link ok
product info: Intel 82555 rev 4
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-HD 10baseT-HD
eth2: no autonegotiation, 10baseT-HD, link ok
product info: National DP83840A rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
hawaii.dsc-gmbh.de
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
15:53:02 up 7:30, 4 users, load average: 0.46, 0.10, 0.05
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 32629 15402 18 0 4360 1108 wait S+ pts/0 0:00 | \_ /bin/sh /usr/libexec/ipsec/barf
4 0 2291 32629 20 0 1428 476 pipe_w S+ pts/0 0:00 | \_ egrep -i ppid|pluto|ipsec|klips
5 0 32472 1 23 0 2032 980 wait S pts/0 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug control parsing all --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal no --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
5 0 32473 32472 23 0 2032 984 wait S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug control parsing all --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal no --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 32474 32473 16 0 2288 1136 - S pts/0 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --debug-control --debug-parsing --debug-all --uniqueids
4 0 32499 32474 23 0 1292 272 - S pts/0 0:00 | \_ _pluto_adns -d
4 0 32500 32472 16 0 2036 980 pipe_w S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
4 0 32502 1 15 0 1356 472 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# in /usr/lib/ipsec/_updown, the "dev $PLUTOINTERFACE" has to be removed in the setroute case
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=all
plutodebug="control parsing all"
interfaces="ipsec0=dummy0"
nat_traversal=no
conn Netscreen-Gelsenwasser
type=tunnel
auto=start
# IP Setup
left=62.159.254.226
leftnexthop=172.20.0.196
leftsubnet=172.20.0.196/32
right=213.68.161.188
rightsubnet=10.1.126.50/32
# Encryption
keyexchange=ike
keyingtries=1
ikelifetime=8h
pfs=yes
auth=esp
authby=secret
keylife=1h
esp=3des-sha1-1024
# ike=3des-sha1
#Disable Opportunistic Encryption
#< /etc/ipsec/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec/ipsec.conf 44
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec/ipsec.secrets 1
62.159.254.226 213.68.161.188: "[sums to 0494...]"
: RSA {
# RSA 2192 bits hawaii Thu Nov 18 17:48:00 2004
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQN9Wi5kx]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec/ipsec.d/policies ']'
++ basename /etc/ipsec/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 100
-rwxr-xr-x 1 root root 15409 Nov 18 19:21 _confread
-rwxr-xr-x 1 root root 5076 Nov 18 19:21 _copyright
-rwxr-xr-x 1 root root 2391 Nov 18 19:21 _include
-rwxr-xr-x 1 root root 1475 Nov 18 19:21 _keycensor
-rwxr-xr-x 1 root root 3586 Nov 18 19:21 _plutoload
-rwxr-xr-x 1 root root 7167 Nov 18 19:21 _plutorun
-rwxr-xr-x 1 root root 10493 Nov 18 19:21 _realsetup
-rwxr-xr-x 1 root root 1975 Nov 18 19:21 _secretcensor
-rwxr-xr-x 1 root root 9016 Nov 18 19:21 _startklips
-rwxr-xr-x 1 root root 12322 Nov 19 14:35 _updown
-rwxr-xr-x 1 root root 7572 Nov 18 19:21 _updown_x509
-rwxr-xr-x 1 root root 1942 Nov 18 19:21 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 1224
-rwxr-xr-x 1 root root 9228 Nov 18 19:21 _pluto_adns
-rwxr-xr-x 1 root root 19220 Nov 18 19:21 auto
-rwxr-xr-x 1 root root 10230 Nov 18 19:21 barf
-rwxr-xr-x 1 root root 816 Nov 18 19:21 calcgoo
-rwxr-xr-x 1 root root 75772 Nov 18 19:21 eroute
-rwxr-xr-x 1 root root 57592 Nov 18 19:21 klipsdebug
-rwxr-xr-x 1 root root 2461 Nov 18 19:21 look
-rwxr-xr-x 1 root root 7130 Nov 18 19:21 mailkey
-rwxr-xr-x 1 root root 16188 Nov 18 19:21 manual
-rwxr-xr-x 1 root root 1874 Nov 18 19:21 newhostkey
-rwxr-xr-x 1 root root 51068 Nov 18 19:21 pf_key
-rwxr-xr-x 1 root root 560860 Nov 18 19:21 pluto
-rwxr-xr-x 1 root root 7308 Nov 18 19:21 ranbits
-rwxr-xr-x 1 root root 19380 Nov 18 19:21 rsasigkey
-rwxr-xr-x 1 root root 766 Nov 18 19:21 secrets
-rwxr-xr-x 1 root root 17578 Nov 18 19:21 send-pr
lrwxrwxrwx 1 root root 17 Nov 18 19:21 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Nov 18 19:21 showdefaults
-rwxr-xr-x 1 root root 4370 Nov 18 19:21 showhostkey
-rwxr-xr-x 1 root root 113244 Nov 18 19:21 spi
-rwxr-xr-x 1 root root 65860 Nov 18 19:21 spigrp
-rwxr-xr-x 1 root root 81116 Nov 18 19:21 starter
-rwxr-xr-x 1 root root 9876 Nov 18 19:21 tncfg
-rwxr-xr-x 1 root root 10195 Nov 18 19:21 verify
-rwxr-xr-x 1 root root 61016 Nov 18 19:21 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 7052 72 0 0 0 0 0 0 7052 72 0 0 0 0 0 0
tunl0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
gre0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth0:479340823 2755319 0 0 0 0 0 0 2307269158 3107687 0 0 0 0 0 0
eth1:266949547 725627 0 0 0 0 0 0 87648917 859861 0 0 0 18555 0 0
eth2:1821746244 2145093 0 0 0 0 0 0 365965382 1820747 0 0 0 15664 0 0
dummy0: 0 0 0 0 0 0 0 0 148 2 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth1 4645BFD5 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 B5667FC2 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 B4667FC2 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 11667FC2 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 FAD46CC1 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 B3667FC2 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 16667FC2 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 0132640A 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 1EAF1CC1 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 76667FC2 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 1E0A1FAC 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 030514AC 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 050110AC 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 24C9010A 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 CEA41CC1 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
dummy0 327E010A C40014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 1FCA010A 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 CD406499 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 1868E10A 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 505BACC2 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 64000196 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth0 C40014AC 060A0A0A 0007 0 0 0 FFFFFFFF 0 0 0
eth1 4F667FC2 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 043079C2 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 500841D4 010014AC 0007 0 0 0 FFFFFFFF 0 0 0
eth1 58931EC2 010014AC 0003 0 0 0 FCFFFFFF 0 0 0
eth2 E0FE9F3E 00000000 0001 0 0 0 F0FFFFFF 0 0 0
eth1 00000180 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0000960A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0001960A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00FE14AC 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00C70B0A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00FDA8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0068BE0A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0000740A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 001E140A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00015096 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0001140A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0002140A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0004140A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 002140C2 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00906A0A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00836A0A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00A00A0A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00640180 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0088A8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0065940A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00D2640A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00005F0A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0064A8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 005010AC 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00C810C1 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0001020A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00A01CC1 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0074A8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 006A0D0A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0003010A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0047A8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0003820A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00010196 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00020196 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 006E10AC 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00111FAC 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0023A8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0098108B 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 000012AC 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 001F8C0A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth0 000A0A0A 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth1 0029A8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00140A0A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0032A8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0033A8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 00038C0A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 001E0A0A 0A0014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 003CA8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0001280A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0006A8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth0 0005A8C0 040A0A0A 0003 0 0 0 00FFFFFF 0 0 0
eth1 000516AC 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 001E14AC 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 000CA8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0017A8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0064000A 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 000214AC 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 000014AC 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth1 0010A8C0 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 000415AC 010014AC 0003 0 0 0 00FFFFFF 0 0 0
eth1 0000A8C0 010014AC 0003 0 0 0 00FCFFFF 0 0 0
eth1 00002E91 010014AC 0003 0 0 0 0000FFFF 0 0 0
eth1 0000420A 010014AC 0003 0 0 0 0000FFFF 0 0 0
eth1 0000E60A 010014AC 0003 0 0 0 0000FFFF 0 0 0
eth1 0000470A 010014AC 0003 0 0 0 0000FFFF 0 0 0
eth1 000014AC 00000000 0001 0 0 0 0000FFFF 0 0 0
lo 0000007F 0100007F 0003 0 0 0 000000FF 0 0 0
eth2 00000000 E1FE9F3E 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter dummy0/rp_filter eth0/rp_filter eth1/rp_filter eth2/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
dummy0/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
eth2/rp_filter:1
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux hawaii 2.6.9-gentoo-r1 #8 Tue Nov 16 03:11:01 CET 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'native PFKEY (2.6.9-gentoo-r1) support detected '
native PFKEY (2.6.9-gentoo-r1) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 288: no old-style linux 1.x/2.0 ipfwadm firewall support: Datei oder Verzeichnis nicht gefunden
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
100 8584 ULOG all -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK match 0x1 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `=== SAP IN ===' queue_threshold 20
100 8584 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK match 0x1
0 0 ACCEPT icmp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK match 0x1
136K 74M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ULOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `==== Neue aber kein SYN ====' queue_threshold 20
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
57 6492 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `==== Invalid state ====' queue_threshold 20
57 6492 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
63 4948 ICMPACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3592 171K nurintern tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1 48 TCPACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1241
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 TCPACCEPT tcp -- * * 172.20.0.0/16 0.0.0.0/0 tcp dpts:3200:3299
0 0 TCPACCEPT tcp -- * * 172.21.0.0/16 0.0.0.0/0 tcp dpts:3200:3299
0 0 TCPACCEPT tcp -- * * 192.168.0.0/16 0.0.0.0/0 tcp dpts:3200:3299
0 0 TCPACCEPT tcp -- * * 147.204.2.5 0.0.0.0/0 tcp dpts:3200:3299
0 0 nurintern tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:3200:3299
0 0 nurintern tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 UDPACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 UDPACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 52 -- * * 0.0.0.0/0 0.0.0.0/0
1495 212K nurintern all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
16999 753K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 DROP tcp -- eth0 * !10.10.10.12/30 0.0.0.0/0 tcp dpt:25
220K 35M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
81 3884 nurintern tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:3200:3299
0 0 nurintern tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1723
0 0 nurintern 47 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 47 -- * * 10.10.31.0/24 172.20.0.10
0 0 ACCEPT tcp -- * * 10.10.31.0/24 172.20.0.10 tcp dpt:1723
0 0 DROP all -- * * 10.10.31.0/24 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 10.10.31.0/24
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
18 864 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.14 tcp dpt:80
136 6680 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.14 tcp dpt:25
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.12 tcp dpt:143
0 0 UDPACCEPT udp -- * * 0.0.0.0/0 172.20.0.10 udp dpt:500
0 0 UDPACCEPT udp -- * * 0.0.0.0/0 172.20.0.10 udp dpt:1701
0 0 UDPACCEPT udp -- * * 0.0.0.0/0 172.20.0.10 udp dpt:500
0 0 UDPACCEPT udp -- * * 0.0.0.0/0 172.20.0.10 udp dpt:1701
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 172.20.0.10 tcp dpt:1723
0 0 ACCEPT 47 -- * * 0.0.0.0/0 172.20.0.10
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.21 tcp dpts:3200:3299
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.21 tcp dpt:80
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.21 tcp dpt:8000
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.22 tcp dpts:3200:3299
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.22 tcp dpt:80
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.22 tcp dpt:8000
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.27 tcp dpts:3200:3299
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.27 tcp dpt:80
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.27 tcp dpt:8000
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.24 tcp dpts:3200:3299
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.24 tcp dpt:80
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.24 tcp dpt:8000
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.23 tcp dpt:8080
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.28 tcp dpts:3200:3299
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.28 tcp dpt:80
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 10.10.10.28 tcp dpt:8000
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 172.20.0.20 tcp dpt:80
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 172.20.0.20 tcp dpt:8443
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 172.20.0.20 tcp dpt:8000
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 172.20.0.30 tcp dpt:80
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 172.20.0.30 tcp dpt:8443
50 2160 TCPACCEPT tcp -- * * 0.0.0.0/0 172.20.0.30 tcp dpt:8080
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 172.20.0.30 tcp dpt:82
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 172.20.0.25 tcp dpt:50100
0 0 TCPACCEPT tcp -- * * 0.0.0.0/0 172.20.0.10 tcp dpt:53
67 7047 UDPACCEPT udp -- * * 0.0.0.0/0 172.20.0.10 udp dpt:53
8 384 TCPACCEPT tcp -- * * 0.0.0.0/0 172.20.0.10 tcp dpt:80
9277 470K ACCEPT all -- * * 10.10.10.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 10.10.20.0/24 0.0.0.0/0
2 156 ACCEPT all -- * * 10.10.30.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 10.10.31.0/24 0.0.0.0/0
17 1810 ACCEPT all -- * * 172.20.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 192.0.0.0/8 0.0.0.0/0
0 0 ACCEPT all -- * * 192.0.0.0/8 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ICMPACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `==== forward paket refused ====' queue_threshold 20
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain OUTPUT (policy ACCEPT 2816K packets, 1893M bytes)
pkts bytes target prot opt in out source destination
Chain ICMPACCEPT (2 references)
pkts bytes target prot opt in out source destination
63 4948 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `==== ICMP Paket abgewehrt ====' queue_threshold 20
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain TCPACCEPT (41 references)
pkts bytes target prot opt in out source destination
183 8936 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 10/sec burst 5
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 10/sec burst 5
30 1200 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `==== SCAN Entdeckt ====' queue_threshold 20
30 1200 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain UDPACCEPT (7 references)
pkts bytes target prot opt in out source destination
67 7047 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nurintern (7 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5046 375K ACCEPT all -- * * 10.10.10.0/24 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 10.10.20.0/24 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 10.10.30.0/24 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 10.10.31.0/24 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 192.168.0.0/24 0.0.0.0/0 state NEW
51 6569 ACCEPT all -- * * 172.20.0.0/24 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `==== State Invalid ====' queue_threshold 20
71 5506 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `==== Extern verworfen ====' queue_threshold 20
71 5506 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 336 packets, 26577 bytes)
pkts bytes target prot opt in out source destination
42 2480 ULOG all -- eth2 * 10.1.126.50 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `=== SAP NAT ===' queue_threshold 20
42 2480 ACCEPT all -- eth2 * 10.1.126.50 0.0.0.0/0
18 864 DNAT tcp -- * * 0.0.0.0/0 62.159.254.229 tcp dpt:80 to:10.10.10.14
136 6680 DNAT tcp -- * * 0.0.0.0/0 62.159.254.229 tcp dpt:25 to:10.10.10.14
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.229 tcp dpt:143 to:10.10.10.12
0 0 DNAT 47 -- * * 0.0.0.0/0 62.159.254.229 to:172.20.0.10
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.229 tcp dpt:1723 to:172.20.0.10
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.202 tcp dpts:3200:3299 to:10.10.10.21
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.202 tcp dpt:80 to:10.10.10.21
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.202 tcp dpt:8000 to:10.10.10.21
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.201 tcp dpts:3200:3299 to:10.10.10.22
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.201 tcp dpt:80 to:10.10.10.22
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.201 tcp dpt:8000 to:10.10.10.22
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.203 tcp dpts:3200:3299 to:10.10.10.27
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.203 tcp dpt:80 to:10.10.10.27
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.203 tcp dpt:8000 to:10.10.10.27
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.204 tcp dpts:3200:3299 to:10.10.10.24
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.204 tcp dpt:80 to:10.10.10.24
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.204 tcp dpt:8000 to:10.10.10.24
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.234 tcp dpt:8080 to:10.10.10.23
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.205 tcp dpts:3200:3299 to:10.10.10.28
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.205 tcp dpt:80 to:10.10.10.28
0 0 DNAT tcp -- * * 0.0.0.0/0 172.20.0.205 tcp dpt:8000 to:10.10.10.28
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.231 tcp dpt:80 to:172.20.0.20
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.231 tcp dpt:8443 to:172.20.0.20
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.231 tcp dpt:81 to:172.20.0.20:80
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.231 tcp dpt:8000 to:172.20.0.20
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.233 tcp dpt:80 to:172.20.0.30
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.233 tcp dpt:8443 to:172.20.0.30
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.233 tcp dpt:81 to:172.20.0.30:80
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.233 tcp dpt:8080 to:172.20.0.30
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.233 tcp dpt:82 to:172.20.0.30
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.232 tcp dpt:50100 to:172.20.0.25
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.229 tcp dpt:53 to:172.20.0.10
0 0 DNAT udp -- * * 0.0.0.0/0 62.159.254.229 udp dpt:53 to:172.20.0.10
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.227 tcp dpt:53 to:172.20.0.10
0 0 DNAT udp -- * * 0.0.0.0/0 62.159.254.227 udp dpt:53 to:172.20.0.10
0 0 DNAT tcp -- * * 0.0.0.0/0 62.159.254.227 tcp dpt:80 to:172.20.0.10
0 0 DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.20.0.3:3128
21 1008 ACCEPT tcp -- eth0 * 0.0.0.0/0 212.185.116.186 tcp dpt:80
3592 171K DNAT tcp -- eth0 * 0.0.0.0/0 !172.20.0.0/24 tcp dpt:80 to:10.10.10.3:3128
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
10148 606K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.0.0/24
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.1.0/24
180 9995 ACCEPT all -- * * 0.0.0.0/0 10.10.10.0/24
0 0 ACCEPT all -- * * 0.0.0.0/0 10.10.20.0/24
0 0 ACCEPT all -- * * 0.0.0.0/0 10.10.30.0/24
0 0 ACCEPT all -- * * 0.0.0.0/0 10.10.31.0/24
177 24742 ACCEPT all -- * * 0.0.0.0/0 172.20.0.0/24
0 0 SNAT all -- * * 0.0.0.0/0 147.204.2.5 to:62.159.254.230
8398 387K SNAT all -- * * 10.10.10.14 0.0.0.0/0 to:62.159.254.229
38 1898 SNAT all -- * eth1 10.10.10.0/24 0.0.0.0/0 to:172.20.0.3
5461 322K SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:62.159.254.226
0 0 SNAT 47 -- * eth2 0.0.0.0/0 0.0.0.0/0 to:62.149.254.226
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 5519K packets, 2473M bytes)
pkts bytes target prot opt in out source destination
3564 3536K MARK esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
1838 1889K MARK esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
663 561K MARK esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
663 561K MARK esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
583 491K MARK esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
583 491K MARK esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
563 467K MARK esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
538 441K MARK esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
513 414K MARK esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
501 400K MARK esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
433 319K MARK esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
283 160K ULOG esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `=== SAP CRYPTED ===' queue_threshold 20
307 191K MARK esp -- eth2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
172 19512 ULOG esp -- eth2 * 213.68.161.188 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `=== SAP CRYPTED ===' queue_threshold 20
172 19512 MARK esp -- eth2 * 213.68.161.188 0.0.0.0/0 MARK set 0x1
169 19224 ULOG esp -- eth2 * 213.68.161.188 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `=== SAP CRYPTED ===' queue_threshold 20
169 19224 MARK esp -- eth2 * 213.68.161.188 0.0.0.0/0 MARK set 0x1
169 19224 ULOG esp -- eth2 * 213.68.161.188 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `=== SAP CRYPTED ===' queue_threshold 20
169 19224 MARK esp -- eth2 * 213.68.161.188 0.0.0.0/0 MARK set 0x1
146 16856 ULOG esp -- eth2 * 213.68.161.188 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `=== SAP CRYPTED ===' queue_threshold 20
146 16856 MARK esp -- eth2 * 213.68.161.188 0.0.0.0/0 MARK set 0x1
133 15448 ULOG esp -- eth2 * 213.68.161.188 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `=== SAP CRYPTED ===' queue_threshold 20
133 15448 MARK esp -- eth2 * 213.68.161.188 0.0.0.0/0 MARK set 0x1
133 15448 ULOG esp -- eth2 * 213.68.161.188 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `=== SAP CRYPTED ===' queue_threshold 20
133 15448 MARK esp -- eth2 * 213.68.161.188 0.0.0.0/0 MARK set 0x1
50 5600 ULOG esp -- eth2 * 213.68.161.188 0.0.0.0/0 limit: avg 5/sec burst 20 ULOG copy_range 0 nlgroup 1 prefix `=== SAP CRYPTED ===' queue_threshold 20
50 5600 MARK esp -- eth2 * 213.68.161.188 0.0.0.0/0 MARK set 0x1
Chain INPUT (policy ACCEPT 2563K packets, 1690M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 2956K packets, 783M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2816K packets, 1893M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 5771K packets, 2677M bytes)
pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
dummy 2020 0 - Live 0xe083c000
3c59x 34760 0 - Live 0xe0854000
e100 29856 0 - Live 0xe083f000
+ _________________________ proc/meminfo
+ cat /proc/meminfo
MemTotal: 513068 kB
MemFree: 10572 kB
Buffers: 0 kB
Cached: 440648 kB
SwapCached: 0 kB
Active: 182148 kB
Inactive: 288172 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 513068 kB
LowFree: 10572 kB
SwapTotal: 1052216 kB
SwapFree: 1052212 kB
Dirty: 1644 kB
Writeback: 0 kB
Mapped: 34464 kB
Slab: 29448 kB
Committed_AS: 45852 kB
PageTables: 620 kB
VmallocTotal: 507896 kB
VmallocUsed: 3940 kB
VmallocChunk: 503788 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_NETLINK|CONFIG_IPSEC|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
# CONFIG_NETLINK_DEV is not set
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_IP_MROUTE is not set
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_TUNNEL=y
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
# CONFIG_IP_NF_FTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
# CONFIG_IP_NF_MATCH_PHYSDEV is not set
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
cat: /etc/syslog.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
domain dsc-gmbh.de
nameserver 10.10.10.14
nameserver 10.10.10.19
search dsc-gmbh.de
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 10 root root 4096 Nov 15 18:04 2.4.20-4GB
drwxr-xr-x 3 root root 4096 Nov 19 08:23 2.6.9-gentoo-r1
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c047dff0 T netif_rx
c047dff0 U netif_rx [3c59x]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.20-4GB: U netif_rx
2.6.9-gentoo-r1:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '956,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Nov 19 15:32:08 [ipsec_setup] Starting Openswan IPsec U2.2.0/K2.6.9-gentoo-r1...
Nov 19 15:32:08 [ipsec_setup] KLIPS ipsec0 on dummy0 172.20.0.196/255.255.255.255 broadcast 172.20.255.255
Nov 19 15:32:08 [ipsec__plutorun] Starting Pluto subsystem...
Nov 19 15:32:08 [pluto] Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Nov 19 15:32:08 [pluto] including NAT-Traversal patch (Version 0.6c) [disabled]
Nov 19 15:32:08 [pluto] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 19 15:32:08 [pluto] Using Linux 2.6 IPsec interface code
Nov 19 15:32:08 [pluto] Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Nov 19 15:32:08 [pluto] Could not change to directory '/etc/ipsec/ipsec.d/aacerts'
Nov 19 15:32:08 [pluto] Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Nov 19 15:32:08 [pluto] Changing to directory '/etc/ipsec/ipsec.d/crls'
Nov 19 15:32:08 [pluto] Warning: empty directory
Nov 19 15:32:08 [ipsec_setup] ...Openswan IPsec started
Nov 19 15:32:08 [pluto] added connection description "Netscreen-Gelsenwasser"
Nov 19 15:32:08 [pluto] listening for IKE messages
Nov 19 15:32:08 [pluto] adding interface dummy0/dummy0 172.20.0.196
Nov 19 15:32:08 [pluto] adding interface eth2:8/eth2:8 62.159.254.234
Nov 19 15:32:08 [pluto] adding interface eth2:7/eth2:7 62.159.254.233
Nov 19 15:32:08 [pluto] adding interface eth2:6/eth2:6 62.159.254.232
Nov 19 15:32:08 [pluto] adding interface eth2:5/eth2:5 62.159.254.231
Nov 19 15:32:08 [pluto] adding interface eth2:4/eth2:4 62.159.254.230
Nov 19 15:32:08 [pluto] adding interface eth2:3/eth2:3 62.159.254.229
Nov 19 15:32:08 [pluto] adding interface eth2:2/eth2:2 62.159.254.228
Nov 19 15:32:08 [pluto] adding interface eth2:1/eth2:1 62.159.254.227
Nov 19 15:32:08 [pluto] adding interface eth2/eth2 62.159.254.226
Nov 19 15:32:08 [pluto] adding interface eth1:10/eth1:10 172.20.0.205
Nov 19 15:32:08 [pluto] adding interface eth1:9/eth1:9 172.20.0.204
Nov 19 15:32:08 [pluto] adding interface eth1:8/eth1:8 172.20.0.203
Nov 19 15:32:08 [pluto] adding interface eth1:7/eth1:7 172.20.0.202
Nov 19 15:32:08 [pluto] adding interface eth1:6/eth1:6 172.20.0.201
Nov 19 15:32:08 [pluto] adding interface eth1:5/eth1:5 172.20.0.200
Nov 19 15:32:08 [pluto] adding interface eth1:4/eth1:4 172.20.0.199
Nov 19 15:32:08 [pluto] adding interface eth1:2/eth1:2 172.20.0.7
Nov 19 15:32:08 [pluto] adding interface eth1:1/eth1:1 172.20.0.6
Nov 19 15:32:08 [pluto] adding interface eth1:11/eth1:11 172.20.0.206
Nov 19 15:32:08 [pluto] adding interface eth1/eth1 172.20.0.3
Nov 19 15:32:08 [pluto] adding interface eth0:2/eth0:2 10.10.10.3
Nov 19 15:32:08 [pluto] adding interface eth0:1/eth0:1 10.10.10.2
Nov 19 15:32:08 [pluto] adding interface eth0/eth0 10.10.10.1
Nov 19 15:32:08 [pluto] adding interface lo/lo 127.0.0.1
Nov 19 15:32:08 [pluto] loading secrets from "/etc/ipsec/ipsec.secrets"
Nov 19 15:32:08 [pluto] "Netscreen-Gelsenwasser" #1: initiating Main Mode
Nov 19 15:32:08 [ipsec__plutorun] 104 "Netscreen-Gelsenwasser" #1: STATE_MAIN_I1: initiate
Nov 19 15:32:08 [ipsec__plutorun] ...could not start conn "Netscreen-Gelsenwasser"
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: ignoring Vendor ID payload [47d2b126bfcd83489760e2cf8c5d4d5a03497c150000000300000500]
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: I did not send a certificate because I do not have one.
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: Peer ID is ID_IPV4_ADDR: '213.68.161.188'
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: ISAKMP SA established
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #2: sent QI2, IPsec SA established {ESP=>0xc261c6b7 <0xc9164522}
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc261c688) not found (maybe expired)
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: received and ignored informational message
+ _________________________ plog
+ sed -n '958,$p' /var/log/messages
+ egrep -i pluto
+ cat
Nov 19 15:32:08 [ipsec__plutorun] Starting Pluto subsystem...
Nov 19 15:32:08 [pluto] Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Nov 19 15:32:08 [pluto] including NAT-Traversal patch (Version 0.6c) [disabled]
Nov 19 15:32:08 [pluto] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 19 15:32:08 [pluto] Using Linux 2.6 IPsec interface code
Nov 19 15:32:08 [pluto] Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Nov 19 15:32:08 [pluto] Could not change to directory '/etc/ipsec/ipsec.d/aacerts'
Nov 19 15:32:08 [pluto] Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Nov 19 15:32:08 [pluto] Changing to directory '/etc/ipsec/ipsec.d/crls'
Nov 19 15:32:08 [pluto] Warning: empty directory
Nov 19 15:32:08 [pluto] added connection description "Netscreen-Gelsenwasser"
Nov 19 15:32:08 [pluto] listening for IKE messages
Nov 19 15:32:08 [pluto] adding interface dummy0/dummy0 172.20.0.196
Nov 19 15:32:08 [pluto] adding interface eth2:8/eth2:8 62.159.254.234
Nov 19 15:32:08 [pluto] adding interface eth2:7/eth2:7 62.159.254.233
Nov 19 15:32:08 [pluto] adding interface eth2:6/eth2:6 62.159.254.232
Nov 19 15:32:08 [pluto] adding interface eth2:5/eth2:5 62.159.254.231
Nov 19 15:32:08 [pluto] adding interface eth2:4/eth2:4 62.159.254.230
Nov 19 15:32:08 [pluto] adding interface eth2:3/eth2:3 62.159.254.229
Nov 19 15:32:08 [pluto] adding interface eth2:2/eth2:2 62.159.254.228
Nov 19 15:32:08 [pluto] adding interface eth2:1/eth2:1 62.159.254.227
Nov 19 15:32:08 [pluto] adding interface eth2/eth2 62.159.254.226
Nov 19 15:32:08 [pluto] adding interface eth1:10/eth1:10 172.20.0.205
Nov 19 15:32:08 [pluto] adding interface eth1:9/eth1:9 172.20.0.204
Nov 19 15:32:08 [pluto] adding interface eth1:8/eth1:8 172.20.0.203
Nov 19 15:32:08 [pluto] adding interface eth1:7/eth1:7 172.20.0.202
Nov 19 15:32:08 [pluto] adding interface eth1:6/eth1:6 172.20.0.201
Nov 19 15:32:08 [pluto] adding interface eth1:5/eth1:5 172.20.0.200
Nov 19 15:32:08 [pluto] adding interface eth1:4/eth1:4 172.20.0.199
Nov 19 15:32:08 [pluto] adding interface eth1:2/eth1:2 172.20.0.7
Nov 19 15:32:08 [pluto] adding interface eth1:1/eth1:1 172.20.0.6
Nov 19 15:32:08 [pluto] adding interface eth1:11/eth1:11 172.20.0.206
Nov 19 15:32:08 [pluto] adding interface eth1/eth1 172.20.0.3
Nov 19 15:32:08 [pluto] adding interface eth0:2/eth0:2 10.10.10.3
Nov 19 15:32:08 [pluto] adding interface eth0:1/eth0:1 10.10.10.2
Nov 19 15:32:08 [pluto] adding interface eth0/eth0 10.10.10.1
Nov 19 15:32:08 [pluto] adding interface lo/lo 127.0.0.1
Nov 19 15:32:08 [pluto] loading secrets from "/etc/ipsec/ipsec.secrets"
Nov 19 15:32:08 [pluto] "Netscreen-Gelsenwasser" #1: initiating Main Mode
Nov 19 15:32:08 [ipsec__plutorun] 104 "Netscreen-Gelsenwasser" #1: STATE_MAIN_I1: initiate
Nov 19 15:32:08 [ipsec__plutorun] ...could not start conn "Netscreen-Gelsenwasser"
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: ignoring Vendor ID payload [47d2b126bfcd83489760e2cf8c5d4d5a03497c150000000300000500]
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: I did not send a certificate because I do not have one.
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: Peer ID is ID_IPV4_ADDR: '213.68.161.188'
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: ISAKMP SA established
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #2: sent QI2, IPsec SA established {ESP=>0xc261c6b7 <0xc9164522}
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc261c688) not found (maybe expired)
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: received and ignored informational message
+ _________________________ date
+ date
Fri Nov 19 15:53:05 CET 2004
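The pluto lines in the klog/plog sections above show a Main Mode and Quick Mode negotiation that ends with an established ESP SA, followed by a Delete SA payload for an SPI this side does not hold. As an added example (not part of the original post and not Openswan's own code), the Python below turns such a log into a per-connection status: which phase-1 and phase-2 states were reached, the ESP SPIs, the peer ID, whether the NAT-Traversal patch was enabled, and whether a Delete SA refers to one of our live SPIs (the peer tore down the tunnel) or to an unknown one (a stale SA on the peer, which is harmless). The sample input is constructed from the lines above; the set of terminal state names is assumed from Openswan 2.x naming.

```python
"""Summarize an Openswan 2.x pluto log into per-connection IKE/IPsec status."""
import re
from collections import defaultdict

# Constructed sample: the pluto negotiation lines from the barf output above.
SAMPLE_LOG = """\
Nov 19 15:32:08 [pluto] including NAT-Traversal patch (Version 0.6c) [disabled]
Nov 19 15:32:08 [pluto] "Netscreen-Gelsenwasser" #1: initiating Main Mode
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: Peer ID is ID_IPV4_ADDR: '213.68.161.188'
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: ISAKMP SA established
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #2: sent QI2, IPsec SA established {ESP=>0xc261c6b7 <0xc9164522}
Nov 19 15:32:09 [pluto] "Netscreen-Gelsenwasser" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc261c688) not found (maybe expired)
"""

STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<st>\d+): transition from state (?P<frm>STATE_\w+) to state (?P<to>STATE_\w+)')
ISAKMP_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<st>\d+): ISAKMP SA established')
ESP_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<st>\d+): .*IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<inb>0x[0-9a-f]+)\}')
PEER_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: Peer ID is (?P<kind>\w+): \'(?P<peer>[^\']+)\'')
DELETE_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: ignoring Delete SA payload: (?P<proto>\w+) SA\((?P<spi>0x[0-9a-f]+)\) not found')
NATT_RE = re.compile(r'NAT-Traversal patch \(Version [^)]*\) \[(?P<status>\w+)\]')

# Assumed terminal states (Openswan 2.x names): initiator/responder for Main,
# Aggressive and Quick Mode.
PHASE1_DONE = {"STATE_MAIN_I4", "STATE_MAIN_R3", "STATE_AGGR_I2", "STATE_AGGR_R2"}
PHASE2_DONE = {"STATE_QUICK_I2", "STATE_QUICK_R2"}


def _new_conn():
    return {"isakmp_sa": False, "ipsec_sa": False, "esp_out": None, "esp_in": None,
            "peer_id": None, "states": defaultdict(list), "warnings": []}


def summarize(log_text):
    """Parse pluto log lines; return NAT-T status plus a dict per connection name."""
    conns = defaultdict(_new_conn)
    natt = None
    for line in log_text.splitlines():
        if (m := NATT_RE.search(line)):
            natt = m["status"]
        elif (m := STATE_RE.search(line)):
            # Track each state object (#1 = ISAKMP SA, #2 = IPsec SA) separately.
            conns[m["conn"]]["states"][int(m["st"])].append(m["to"])
        elif (m := ISAKMP_RE.search(line)):
            conns[m["conn"]]["isakmp_sa"] = True
        elif (m := ESP_RE.search(line)):
            c = conns[m["conn"]]
            c["ipsec_sa"], c["esp_out"], c["esp_in"] = True, m["out"], m["inb"]
        elif (m := PEER_RE.search(line)):
            conns[m["conn"]]["peer_id"] = m["peer"]
        elif (m := DELETE_RE.search(line)):
            c = conns[m["conn"]]
            # A Delete for one of our SPIs means the peer tore the tunnel down;
            # a Delete for an SPI we never had is a stale SA on the peer's side.
            if m["spi"] in (c["esp_out"], c["esp_in"]):
                c["warnings"].append(f"peer deleted our live {m['proto']} SA {m['spi']}")
            else:
                c["warnings"].append(
                    f"peer sent Delete for unknown {m['proto']} SA {m['spi']} (stale SA on peer?)")
    return {"nat_traversal": natt, "connections": dict(conns)}


def tunnel_up(summary, conn):
    """True when both IKE phases reached a terminal state and both SAs were reported."""
    c = summary["connections"].get(conn)
    if c is None:
        return False
    finals = {sts[-1] for sts in c["states"].values() if sts}
    return (c["isakmp_sa"] and c["ipsec_sa"]
            and bool(finals & PHASE1_DONE) and bool(finals & PHASE2_DONE))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("NAT-Traversal:", s["nat_traversal"])
    for name, c in s["connections"].items():
        print(name, "up" if tunnel_up(s, name) else "DOWN",
              "peer", c["peer_id"], "ESP out", c["esp_out"], "in", c["esp_in"])
        for w in c["warnings"]:
            print("  warning:", w)
```

Run against the lines above it reports the tunnel as up with peer 213.68.161.188 and SPIs 0xc261c6b7/0xc9164522, NAT-Traversal disabled, and one warning for the unknown SPI 0xc261c688. The same script run on `grep pluto /var/log/messages` after a failed session shows which state transition never happened.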