[Openswan Users] Can't reach hosts behind my VPN-Gateway
Sebastian Albrecht
albrecht at irf.de
Tue Apr 6 16:52:22 CEST 2004
Hello users-list,
I want to access my private LAN and the Internet via WLAN and a VPN gateway
in the following constellation:
Win2k-Machine (with Marcus Mueller's ipsec-Tool)
10.0.18.202
|
WLAN
|
Access Point
10.0.18.201
|
eth1/ipsec1
10.0.18.200
Suse8.2 with OpenSWAN 2.1.0
eth0/ipsec0
10.0.18.60
|
private LAN 10.0.0.0/8
|
10.0.0.1
Internet Gateway
ipsec.conf of the VPN Gateway:
config setup
interfaces="%defaultroute ipsec1=eth1"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=control
conn %default
authby=rsasig
keyingtries=1
compress=yes
disablearrivalcheck=no
leftrsasigkey=%cert
rightrsasigkey=%cert
leftcert=gatewayCert.pem
left=10.0.18.200
auto=add
pfs=yes
conn test
leftsubnet=10.0.0.0/8
leftupdown="/usr/local/lib/ipsec/_updown_x509"
right=10.0.18.202
rightcert=clientCert.pem
auto=add
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
ipsec.conf of the Win2k Machine:
conn vpn
auth=ah
left=%any
right=10.0.18.200
rightsubnet=10.0.0.0/8
rightrsasigkey=%cert
rightca="C=DE, S=NRW, L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de"
network=auto
auto=start
pfs=yes
Might also be helpful:
vpnserver:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.18.202     10.0.18.202     255.255.255.255 UGH   0      0        0 ipsec1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ipsec0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ipsec1
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
Now, the problem is: when I have established a connection to the VPN server,
I can ping both interfaces of the server, but no host in the private LAN
10.0.0.0/8. I suggest it is a routing problem, but I have no clue what
exactly.
I'd be very glad if someone could help me.
Thanks & Greetings, Sebastian.
P.S.: an ipsec barf
vpnserver
Tue Apr 6 14:27:57 CEST 2004
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN U2.04/K2.1.0
See `ipsec --copyright' for copyright information.
X.509-1.4.8 distributed by Andreas Steffen <andreas.steffen at strongsec.com>
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.22 (root at vpnserver) (gcc version 3.3 20030226
(prerelease) (SuSE Linux)) #16 SMP Wed Feb 25 15:09:05 CET 2004
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN U2.04/K2.1.0
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Opportunistic Encryption DNS checks:
Looking for TXT in forward map: vpnserver
[MISSING]
Does the machine have at least one non-private address?
[FAILED]
+ _________________________ proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
0 10.0.0.0/8 -> 10.0.18.202/32 => %trap
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.18.202     10.0.18.202     255.255.255.255 UGH       0 0          0 ipsec1
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 ipsec0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 ipsec1
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> eth1 mtu=16260(1500) -> 1500
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
d2405c40 3178 cc8946b4 0 0 0 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 cc8946b4 3178 d2405c40
pf_key_registered: 3 cc8946b4 3178 d2405c40
pf_key_registered: 9 cc8946b4 3178 d2405c40
pf_key_registered: 10 cc8946b4 3178 d2405c40
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink
debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose
debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 10.0.18.60
000 interface ipsec1/eth1 10.0.18.200
000 %myid = (none)
000 debug control
000
000 "test": 10.0.0.0/8===10.0.18.200[C=DE, ST=NRW, O=IRF, CN=b, E=albrecht at irf.de]...10.0.18.202[C=de, ST=nrw, L=dortmund, O=irf, OU=irf, CN=a]; prospective erouted; eroute owner: #0
000 "test": CAs: 'C=DE, ST=NRW, L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'...'C=DE, ST=NRW, L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "test": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 8,32; interface: eth1;
000 "test": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:A0:C9:D5:B6:3F
inet addr:10.0.18.60 Bcast:10.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22351 errors:0 dropped:0 overruns:0 frame:0
TX packets:1112 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1982619 (1.8 Mb) TX bytes:181234 (176.9 Kb)
Interrupt:10 Base address:0xb400 Memory:d7000000-d7000038
eth1 Link encap:Ethernet HWaddr 00:04:75:B0:76:75
inet addr:10.0.18.200 Bcast:10.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:377 errors:0 dropped:0 overruns:0 frame:0
TX packets:196 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:51321 (50.1 Kb) TX bytes:29194 (28.5 Kb)
Interrupt:5 Base address:0xb800
ipsec0 Link encap:Ethernet HWaddr 00:A0:C9:D5:B6:3F
inet addr:10.0.18.60 Mask:255.0.0.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec1 Link encap:Ethernet HWaddr 00:04:75:B0:76:75
inet addr:10.0.18.200 Mask:255.0.0.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:67 errors:0 dropped:0 overruns:0 frame:0
TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6412 (6.2 Kb) TX bytes:6412 (6.2 Kb)
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
SIOCGMIIPHY on 'eth0' failed: Operation not supported
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:10:5a, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
vpnserver.berns.irf.de
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.0.18.60
+ _________________________ uptime
+ uptime
2:27pm up 3:29, 6 users, load average: 0.05, 0.02, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 3291 2056 13 0 4716 1252 taskle S pts/3 0:00 |
| \_ /bin/sh /usr/local/libexec/ipsec/barf
0 0 3369 3291 14 0 3780 496 link_p S pts/3 0:00 |
| \_ /bin/grep -E -i ppid|pluto|ipsec|klips
1 0 3172 1 9 0 4704 1220 taskle S pts/3 0:00
/bin/sh /usr/local/lib/ipsec/_plutorun --debug control --uniqueids yes
--nocrsend --strictcrlpolicy --crlcheckinterval 0 --dump --opts
--stderrlog --wait no --pre --post --log daemon.error --pid
/var/run/pluto.pid
1 0 3174 3172 9 0 4704 1224 taskle S pts/3 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutorun --debug control --uniqueids yes
--nocrsend --strictcrlpolicy --crlcheckinterval 0 --dump --opts
--stderrlog --wait no --pre --post --log daemon.error --pid
/var/run/pluto.pid
4 0 3178 3174 8 0 2440 1076 interr S pts/3 0:00 |
\_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile
/etc/ipsec.secrets --policygroupsdir /etc/ipsec.d/policies
--debug-control --uniqueids
0 0 3180 3178 9 0 1420 260 interr S pts/3 0:00
| \_ _pluto_adns
0 0 3175 3172 8 0 4696 1220 link_p S pts/3 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0 0 3173 1 9 0 3636 408 link_p S pts/3 0:00
logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=10.0.18.60
routenexthop=10.0.0.1
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/examples
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
interfaces="%defaultroute ipsec1=eth1"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=control
conn %default
authby=rsasig
keyingtries=1
compress=yes
disablearrivalcheck=no
leftrsasigkey=%cert
rightrsasigkey=%cert
leftcert=gatewayCert.pem
left=10.0.18.200
auto=add
pfs=yes
conn test
leftsubnet=10.0.0.0/8
leftupdown="/usr/local/lib/ipsec/_updown_x509"
right=10.0.18.202
rightcert=clientCert.pem
auto=add
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits vpnserver.berns.irf.de Mon Nov 17 10:12:58 2003
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQPPGMfJj]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
: RSA gatewayKey.pem "[sums to e9c2...]"
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic
Responder".
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed
multicast|bytes packets errs drop fifo colls carrier compressed
lo: 6412 67 0 0 0 0 0 0
6412 67 0 0 0 0 0 0
eth0: 1982697 22351 0 0 0 0 0 0
181234 1112 0 0 0 0 0 0
eth1: 51321 377 0 0 0 0 0 0
29194 196 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface   Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
ipsec1  CA12000A    CA12000A 0007  0      0   0      FFFFFFFF 0   0      0
eth0    0000000A    00000000 0001  0      0   0      000000FF 0   0      0
eth1    0000000A    00000000 0001  0      0   0      000000FF 0   0      0
ipsec0  0000000A    00000000 0001  0      0   0      000000FF 0   0      0
ipsec1  0000000A    00000000 0001  0      0   0      000000FF 0   0      0
eth0    00000000    0100000A 0003  0      0   0      00000000 0   0      0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
eth1/rp_filter ipsec0/rp_filter ipsec1/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
ipsec0/rp_filter:0
ipsec1/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux vpnserver 2.4.22 #16 SMP Wed Feb 25 15:09:05 CET 2004 i686 unknown
unknown GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 2.1.0
+ _________________________ iptables/list
+ iptables -L -v -n
modprobe: Can't locate module ip_tables
iptables v1.2.7a: can't initialize iptables table `filter': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/local/libexec/ipsec/barf: line 236: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/local/libexec/ipsec/barf: line 238: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/local/libexec/ipsec/barf: line 240: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/local/libexec/ipsec/barf: line 242: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
modprobe: Can't locate module ip_tables
iptables v1.2.7a: can't initialize iptables table `nat': iptables who?
(do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/local/libexec/ipsec/barf: line 246: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/local/libexec/ipsec/barf: line 248: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
modprobe: Can't locate module ip_tables
iptables v1.2.7a: can't initialize iptables table `mangle': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ proc/modules
+ cat /proc/modules
ipsec 304992 3
keybdev 2148 0 (unused)
hid 11260 0 (unused)
usbmouse 2300 0 (unused)
mousedev 4728 1
input 3744 0 [keybdev usbmouse mousedev]
uhci 27740 0 (unused)
3c59x 28560 1
e100 52456 1
+ _________________________ proc/meminfo
+ cat /proc/meminfo
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug
/proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg
/proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Apr 6 14:27
/proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Apr 6 14:27
/proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Apr 6 14:27
/proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Apr 6 14:27
/proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Apr 6 14:27
/proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Apr 6 14:27
/proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
# CONFIG_MD_MULTIPATH is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_IPX is not set
CONFIG_IPSEC=m
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_IDE_CHIPSETS is not set
# CONFIG_SCSI_IPS is not set
# CONFIG_TULIP is not set
# CONFIG_PLIP is not set
# CONFIG_SLIP is not set
# CONFIG_PCMCIA_XIRTULIP is not set
# CONFIG_INPUT_GRIP is not set
# CONFIG_IPMI_HANDLER is not set
# CONFIG_IPMI_PANIC_EVENT is not set
# CONFIG_IPMI_DEVICE_INTERFACE is not set
# CONFIG_IPMI_KCS is not set
# CONFIG_IPMI_WATCHDOG is not set
# CONFIG_USB_AIPTEK is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 10.0.0.1
search local
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 2
drwxr-xr-x 10 root root 568 Oct 16 17:44 2.4.20-64GB-SMP
drwxr-xr-x 4 root root 416 Nov 3 12:55 2.4.20-4GB
drwxr-xr-x 4 root root 416 Mar 25 14:53 2.4.22
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c02a5690 netif_rx_Rsmp_a5311eb3
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.20-4GB: U netif_rx
2.4.20-64GB-SMP: U netif_rx
2.4.22:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '9821,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Apr 6 14:26:46 vpnserver ipsec_setup: Starting FreeS/WAN IPsec 2.04...
Apr 6 14:26:47 vpnserver ipsec_setup: Using
/lib/modules/2.4.22/kernel/net/ipsec/ipsec.o
Apr 6 14:26:47 vpnserver kernel: klips_info:ipsec_init: KLIPS startup,
FreeS/WAN IPSec version: 2.1.0
Apr 6 14:26:47 vpnserver ipsec_setup: KLIPS debug `none'
Apr 6 14:26:47 vpnserver ipsec_setup: KLIPS ipsec0 on eth0
10.0.18.60/255.0.0.0 broadcast 10.255.255.255
Apr 6 14:26:47 vpnserver ipsec_setup: KLIPS ipsec1 on eth1
10.0.18.200/255.0.0.0 broadcast 10.255.255.255
Apr 6 14:26:47 vpnserver ipsec__plutorun: Starting Pluto subsystem...
Apr 6 14:26:47 vpnserver ipsec_setup: ...FreeS/WAN IPsec started
Apr 6 14:26:47 vpnserver pluto[3178]: Starting Pluto (FreeS/WAN Version
2.04 X.509-1.4.8 PLUTO_USES_KEYRR)
Apr 6 14:26:47 vpnserver pluto[3178]: | inserting event
EVENT_REINIT_SECRET, timeout in 3600 seconds
Apr 6 14:26:47 vpnserver pluto[3178]: Using KLIPS IPsec interface code
Apr 6 14:26:47 vpnserver pluto[3178]: | inserting event
EVENT_SHUNT_SCAN, timeout in 120 seconds
Apr 6 14:26:47 vpnserver pluto[3178]: Changing to directory
'/etc/ipsec.d/cacerts'
Apr 6 14:26:47 vpnserver pluto[3178]: loaded cacert file 'cacert.pem'
(1472 bytes)
Apr 6 14:26:47 vpnserver pluto[3178]: | cacert list locked by
'load_cacerts'
Apr 6 14:26:47 vpnserver pluto[3178]: | cacert list unlocked by
'load_cacerts'
Apr 6 14:26:47 vpnserver pluto[3178]: Changing to directory
'/etc/ipsec.d/crls'
Apr 6 14:26:47 vpnserver pluto[3178]: loaded crl file 'crl.pem' (638
bytes)
Apr 6 14:26:47 vpnserver pluto[3178]: | cacert list locked by 'insert_crl'
Apr 6 14:26:47 vpnserver pluto[3178]: | crl issuer cacert found
Apr 6 14:26:47 vpnserver pluto[3178]: | cacert list unlocked by
'insert_crl'
Apr 6 14:26:47 vpnserver pluto[3178]: | crl signature is valid
Apr 6 14:26:47 vpnserver pluto[3178]: | crl list locked by 'insert_crl'
Apr 6 14:26:47 vpnserver pluto[3178]: | crl list unlocked by 'insert_crl'
Apr 6 14:26:47 vpnserver pluto[3178]: | inserting event 8??, timeout in
34393 seconds
Apr 6 14:26:47 vpnserver pluto[3178]: | next event EVENT_SHUNT_SCAN in
120 seconds
Apr 6 14:26:47 vpnserver pluto[3178]: |
Apr 6 14:26:47 vpnserver pluto[3178]: | *received whack message
Apr 6 14:26:47 vpnserver pluto[3178]: loaded host cert file
'/etc/ipsec.d/certs/gatewayCert.pem' (1326 bytes)
Apr 6 14:26:47 vpnserver pluto[3178]: loaded host cert file
'/etc/ipsec.d/certs/clientCert.pem' (1505 bytes)
Apr 6 14:26:47 vpnserver pluto[3178]: added connection description "test"
Apr 6 14:26:47 vpnserver pluto[3178]: | 10.0.0.0/8===10.0.18.200[C=DE,
ST=NRW, O=IRF, CN=b, E=albrecht at irf.de]...10.0.18.202[C=de, ST=nrw,
L=dortmund, O=irf, OU=irf, CN=a]
Apr 6 14:26:47 vpnserver pluto[3178]: | ike_life: 3600s; ipsec_life:
28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy:
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
Apr 6 14:26:47 vpnserver pluto[3178]: | next event EVENT_SHUNT_SCAN in
120 seconds
Apr 6 14:26:47 vpnserver pluto[3178]: |
Apr 6 14:26:47 vpnserver pluto[3178]: | *received whack message
Apr 6 14:26:47 vpnserver pluto[3178]: listening for IKE messages
Apr 6 14:26:47 vpnserver pluto[3178]: | found lo with address 127.0.0.1
Apr 6 14:26:47 vpnserver pluto[3178]: | found eth0 with address 10.0.18.60
Apr 6 14:26:47 vpnserver pluto[3178]: | found eth1 with address 10.0.18.200
Apr 6 14:26:47 vpnserver pluto[3178]: | found ipsec0 with address 10.0.18.60
Apr 6 14:26:47 vpnserver pluto[3178]: | found ipsec1 with address 10.0.18.200
Apr 6 14:26:47 vpnserver pluto[3178]: adding interface ipsec1/eth1 10.0.18.200
Apr 6 14:26:47 vpnserver pluto[3178]: adding interface ipsec0/eth0 10.0.18.60
Apr 6 14:26:47 vpnserver pluto[3178]: | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
Apr 6 14:26:47 vpnserver pluto[3178]: | could not open /proc/net/if_inet6
Apr 6 14:26:47 vpnserver pluto[3178]: loading secrets from "/etc/ipsec.secrets"
Apr 6 14:26:47 vpnserver pluto[3178]: loaded private key file '/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
Apr 6 14:26:47 vpnserver pluto[3178]: | next event EVENT_SHUNT_SCAN in 120 seconds
Apr 6 14:27:05 vpnserver pluto[3178]: |
Apr 6 14:27:05 vpnserver pluto[3178]: | *received whack message
Apr 6 14:27:05 vpnserver pluto[3178]: | route owner of "test" unrouted: NULL; eroute owner: NULL
Apr 6 14:27:05 vpnserver pluto[3178]: | route owner of "test" unrouted: NULL; eroute owner: NULL
Apr 6 14:27:05 vpnserver pluto[3178]: | eroute_connection add eroute 10.0.0.0/8:0 -> 10.0.18.202/32:0 => %trap:0
Apr 6 14:27:05 vpnserver pluto[3178]: | route_and_eroute: firewall_notified: true
Apr 6 14:27:05 vpnserver pluto[3178]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='test' PLUTO_NEXT_HOP='10.0.18.202' PLUTO_INTERFACE='ipsec1' PLUTO_ME='10.0.18.200' PLUTO_MY_ID='C=DE, ST=NRW, O=IRF, CN=b, E=albrecht at irf.de' PLUTO_MY_CLIENT='10.0.0.0/8' PLUTO_MY_CLIENT_NET='10.0.0.0' PLUTO_MY_CLIENT_MASK='255.0.0.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.0.18.202' PLUTO_PEER_ID='C=de, ST=nrw, L=dortmund, O=irf, OU=irf, CN=a' PLUTO_PEER_CLIENT='10.0.18.202/32' PLUTO_PEER_CLIENT_NET='10.0.18.202' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=DE, ST=NRW, L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de' /usr/local/lib/ipsec/_updown_x509
Apr 6 14:27:05 vpnserver pluto[3178]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='test' PLUTO_NEXT_HOP='10.0.18.202' PLUTO_INTERFACE='ipsec1' PLUTO_ME='10.0.18.200' PLUTO_MY_ID='C=DE, ST=NRW, O=IRF, CN=b, E=albrecht at irf.de' PLUTO_MY_CLIENT='10.0.0.0/8' PLUTO_MY_CLIENT_NET='10.0.0.0' PLUTO_MY_CLIENT_MASK='255.0.0.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.0.18.202' PLUTO_PEER_ID='C=de, ST=nrw, L=dortmund, O=irf, OU=irf, CN=a' PLUTO_PEER_CLIENT='10.0.18.202/32' PLUTO_PEER_CLIENT_NET='10.0.18.202' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=DE, ST=NRW, L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de' /usr/local/lib/ipsec/_updown_x509
Apr 6 14:27:05 vpnserver pluto[3178]: | next event EVENT_SHUNT_SCAN in 102 seconds
Apr 6 14:27:57 vpnserver pluto[3178]: |
Apr 6 14:27:57 vpnserver pluto[3178]: | *received whack message
Apr 6 14:27:57 vpnserver pluto[3178]: | next event EVENT_SHUNT_SCAN in 50 seconds
Apr 6 14:27:57 vpnserver pluto[3178]: |
Apr 6 14:27:57 vpnserver pluto[3178]: | *received whack message
Apr 6 14:27:57 vpnserver pluto[3178]: | next event EVENT_SHUNT_SCAN in 50 seconds
+ _________________________ plog
+ sed -n '9828,$p' /var/log/messages
+ egrep -i pluto
+ cat
Apr 6 14:26:47 vpnserver ipsec__plutorun: Starting Pluto subsystem...
Apr 6 14:26:47 vpnserver pluto[3178]: Starting Pluto (FreeS/WAN Version 2.04 X.509-1.4.8 PLUTO_USES_KEYRR)
Apr 6 14:26:47 vpnserver pluto[3178]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Apr 6 14:26:47 vpnserver pluto[3178]: Using KLIPS IPsec interface code
Apr 6 14:26:47 vpnserver pluto[3178]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Apr 6 14:26:47 vpnserver pluto[3178]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 6 14:26:47 vpnserver pluto[3178]: loaded cacert file 'cacert.pem' (1472 bytes)
Apr 6 14:26:47 vpnserver pluto[3178]: | cacert list locked by 'load_cacerts'
Apr 6 14:26:47 vpnserver pluto[3178]: | cacert list unlocked by 'load_cacerts'
Apr 6 14:26:47 vpnserver pluto[3178]: Changing to directory '/etc/ipsec.d/crls'
Apr 6 14:26:47 vpnserver pluto[3178]: loaded crl file 'crl.pem' (638 bytes)
Apr 6 14:26:47 vpnserver pluto[3178]: | cacert list locked by 'insert_crl'
Apr 6 14:26:47 vpnserver pluto[3178]: | crl issuer cacert found
Apr 6 14:26:47 vpnserver pluto[3178]: | cacert list unlocked by 'insert_crl'
Apr 6 14:26:47 vpnserver pluto[3178]: | crl signature is valid
Apr 6 14:26:47 vpnserver pluto[3178]: | crl list locked by 'insert_crl'
Apr 6 14:26:47 vpnserver pluto[3178]: | crl list unlocked by 'insert_crl'
Apr 6 14:26:47 vpnserver pluto[3178]: | inserting event 8??, timeout in 34393 seconds
Apr 6 14:26:47 vpnserver pluto[3178]: | next event EVENT_SHUNT_SCAN in 120 seconds
Apr 6 14:26:47 vpnserver pluto[3178]: |
Apr 6 14:26:47 vpnserver pluto[3178]: | *received whack message
Apr 6 14:26:47 vpnserver pluto[3178]: loaded host cert file '/etc/ipsec.d/certs/gatewayCert.pem' (1326 bytes)
Apr 6 14:26:47 vpnserver pluto[3178]: loaded host cert file '/etc/ipsec.d/certs/clientCert.pem' (1505 bytes)
Apr 6 14:26:47 vpnserver pluto[3178]: added connection description "test"
Apr 6 14:26:47 vpnserver pluto[3178]: | 10.0.0.0/8===10.0.18.200[C=DE, ST=NRW, O=IRF, CN=b, E=albrecht at irf.de]...10.0.18.202[C=de, ST=nrw, L=dortmund, O=irf, OU=irf, CN=a]
Apr 6 14:26:47 vpnserver pluto[3178]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
Apr 6 14:26:47 vpnserver pluto[3178]: | next event EVENT_SHUNT_SCAN in 120 seconds
Apr 6 14:26:47 vpnserver pluto[3178]: |
Apr 6 14:26:47 vpnserver pluto[3178]: | *received whack message
Apr 6 14:26:47 vpnserver pluto[3178]: listening for IKE messages
+ _________________________ date
+ date
Tue Apr 6 14:27:58 CEST 2004
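As an added diagnostic that is not part of the original post or of Openswan: the "executing route-client" line above hands the updown script its PLUTO_* variables, and the script below parses that line and flags when the peer (PLUTO_PEER / PLUTO_NEXT_HOP) sits inside the subnet the connection protects (PLUTO_MY_CLIENT); in this log 10.0.18.202 lies inside 10.0.0.0/8, an overlap between the tunnel's subnet route and the route to the peer that is worth checking first when the tunnel comes up but hosts behind the gateway stay unreachable. The log line is re-joined onto one line here (the mail wrapped it); the function names are my own.

```python
"""Added diagnostic (not from the post): parse pluto's 'executing <verb>'
line for PLUTO_* variables and check for peer/subnet overlap."""
import ipaddress
import re

# Constructed sample: the route-client line from the barf output above,
# trimmed to the variables used here and re-joined onto one line.
SAMPLE_LOG = (
    "Apr 6 14:27:05 vpnserver pluto[3178]: | executing route-client: 2>&1 "
    "PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='test' "
    "PLUTO_NEXT_HOP='10.0.18.202' PLUTO_INTERFACE='ipsec1' "
    "PLUTO_ME='10.0.18.200' PLUTO_MY_ID='C=DE, ST=NRW, O=IRF, CN=b, "
    "E=albrecht at irf.de' PLUTO_MY_CLIENT='10.0.0.0/8' "
    "PLUTO_PEER='10.0.18.202' PLUTO_PEER_CLIENT='10.0.18.202/32' "
    "/usr/local/lib/ipsec/_updown_x509"
)

# Values are single-quoted by pluto and may contain spaces and commas
# (the X.509 DNs), so match everything up to the closing quote.
VAR_RE = re.compile(r"(PLUTO_[A-Z_]+)='([^']*)'")


def parse_updown_vars(line):
    """Return the PLUTO_* variables of an 'executing <verb>' line as a dict;
    an empty dict for any other log line."""
    if "executing" not in line:
        return {}
    return dict(VAR_RE.findall(line))


def overlap_findings(env):
    """List the peer-side addresses that fall inside PLUTO_MY_CLIENT.

    The gateway's own address (PLUTO_ME) normally lives in that subnet,
    so only the peer and the next hop are checked.
    """
    mine = ipaddress.ip_network(env["PLUTO_MY_CLIENT"], strict=False)
    findings = []
    for key in ("PLUTO_PEER", "PLUTO_NEXT_HOP"):
        addr = ipaddress.ip_address(env[key])
        if addr in mine:
            findings.append(f"{key}={addr} lies inside PLUTO_MY_CLIENT={mine}")
    return findings


if __name__ == "__main__":
    for finding in overlap_findings(parse_updown_vars(SAMPLE_LOG)):
        print("WARNING:", finding)
```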