[Openswan Users] Can't reach hosts behind my VPN-Gateway
Sebastian Albrecht
albrecht at irf.de
Thu Apr 15 13:26:46 CEST 2004
First of all, thanks for your help, Nate.
I changed the network settings on the wireless side. Now the whole
network setup looks like this:
Win2k-Machine (with Marcus Mueller's ipsec-Tool)
192.168.0.3
|
WLAN
|
Access Point
192.168.0.2
|
eth1/ipsec1
192.168.0.1
Suse8.2 with OpenSWAN 2.1.0
eth0/ipsec0
10.0.18.60
|
private LAN 10.0.0.0/8
|
10.0.0.1
Internet Gateway
ipsec.conf of the VPN Gateway now looks like this:
config setup
        interfaces="ipsec1=eth1"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=control

conn %default
        authby=rsasig
        keyingtries=1
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert=gatewayCert.pem
        left=192.168.0.1
        auto=add
        pfs=yes

conn test
        leftsubnet=0.0.0.0/0
        right=%any
        rightcert=clientCert.pem
        auto=add
ipsec.conf on win2k side:
conn vpn
        auth=ah
        left=%any
        right=192.168.0.1
        rightsubnet=*
        rightrsasigkey=%cert
        rightca="C=DE, S=NRW, L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de"
        network=auto
        auto=start
        pfs=yes
With this config the SA is established and I can ping 192.168.0.1. But
still I can't ping any host in the private LAN 10.0.0.0/8, not even
10.0.18.60 on eth0.
tcpdump on eth1 shows me the encrypted packets when pinging 192.168.0.1.
When pinging 10.0.18.60, no encrypted packets are shown.
Thanks for any hints, again.
Sebastian.
Here is the whole new barf:
vpnserver
Thu Apr 15 12:10:36 CEST 2004
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN U2.04/K2.1.0
See `ipsec --copyright' for copyright information.
X.509-1.4.8 distributed by Andreas Steffen <andreas.steffen at strongsec.com>
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.22 (root at vpnserver) (gcc version 3.3 20030226
(prerelease) (SuSE Linux)) #16 SMP Wed Feb 25 15:09:05 CET 2004
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN U2.04/K2.1.0
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Opportunistic Encryption DNS checks:
Looking for TXT in forward map: vpnserver [MISSING]
Does the machine have at least one non-private address? [FAILED]
+ _________________________ proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
12 0.0.0.0/0 -> 192.168.0.3/32 => tun0x1002 at 192.168.0.3
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.0.3     192.168.0.3     255.255.255.255 UGH     0 0      0    ipsec1
192.168.0.0     0.0.0.0         255.255.255.0   U       0 0      0    eth1
192.168.0.0     0.0.0.0         255.255.255.0   U       0 0      0    ipsec1
10.0.0.0        0.0.0.0         255.0.0.0       U       0 0      0    eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG      0 0      0    eth0
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
tun0x1002 at 192.168.0.3 IPIP: dir=out src=192.168.0.1
life(c,s,h)=bytes(480,0,0)addtime(75,0,0)usetime(72,0,0)packets(6,0,0)
idle=66 refcount=4 ref=12
tun0x1001 at 192.168.0.1 IPIP: dir=in src=192.168.0.3
policy=192.168.0.3/32->0.0.0.0/0 flags=0x8<>
life(c,s,h)=bytes(720,0,0)addtime(75,0,0)usetime(75,0,0)packets(9,0,0)
idle=66 refcount=4 ref=7
esp0x4c3bfdc8 at 192.168.0.3 ESP_3DES_HMAC_MD5: dir=out src=192.168.0.1
iv_bits=64bits iv=0x29b6fb93b0da5275 ooowin=64 seq=6 alen=128 aklen=128
eklen=192
life(c,s,h)=bytes(672,0,0)addtime(75,0,0)usetime(72,0,0)packets(6,0,0)
idle=66 refcount=4 ref=13
esp0x72433dec at 192.168.0.1 ESP_3DES_HMAC_MD5: dir=in src=192.168.0.3
iv_bits=64bits iv=0xd89abcdb2389ea1c ooowin=64 seq=9 bit=0x1ff alen=128
aklen=128 eklen=192
life(c,s,h)=bytes(720,0,0)addtime(75,0,0)usetime(75,0,0)packets(9,0,0)
idle=66 refcount=13 ref=8
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1002 at 192.168.0.3 esp0x4c3bfdc8 at 192.168.0.3
tun0x1001 at 192.168.0.1 esp0x72433dec at 192.168.0.1
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> NULL mtu=0(0) -> 0
ipsec1 -> eth1 mtu=16260(1443) -> 1500
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
d094f120 1424 cec969d4 0 0 0 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 cec969d4 1424 d094f120
pf_key_registered: 3 cec969d4 1424 d094f120
pf_key_registered: 9 cec969d4 1424 d094f120
pf_key_registered: 10 cec969d4 1424 d094f120
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink
debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose
debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec1/eth1 192.168.0.1
000 %myid = (none)
000 debug control
000
000 "test": 0.0.0.0/0===192.168.0.1[C=DE, ST=NRW, O=IRF, CN=b,
E=albrecht at irf.de]...%any[C=de, ST=nrw, L=dortmund, O=irf, OU=irf,
CN=a]; unrouted; eroute owner: #0
000 "test": CAs: 'C=DE, ST=NRW, L=Dortmund, O=IRF, CN=a,
E=albrecht at irf.de'...'C=DE, ST=NRW, L=Dortmund, O=IRF, CN=a,
E=albrecht at irf.de'
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 1
000 "test": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 0,32; interface:
eth1;
000 "test": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "test"[1]: 0.0.0.0/0===192.168.0.1[C=DE, ST=NRW, O=IRF, CN=b,
E=albrecht at irf.de]...192.168.0.3[C=de, ST=nrw, L=dortmund, O=irf,
OU=irf, CN=a]; erouted; eroute owner: #3
000 "test"[1]: CAs: 'C=DE, ST=NRW, L=Dortmund, O=IRF, CN=a,
E=albrecht at irf.de'...'C=DE, ST=NRW, L=Dortmund, O=IRF, CN=a,
E=albrecht at irf.de'
000 "test"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 1
000 "test"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 0,32;
interface: eth1;
000 "test"[1]: newest ISAKMP SA: #2; newest IPsec SA: #3;
000
000 #3: "test"[1] 192.168.0.3 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3255s; newest IPSEC; eroute owner
000 #3: "test"[1] 192.168.0.3 used 34s ago; esp.4c3bfdc8 at 192.168.0.3
esp.72433dec at 192.168.0.1 tun.1002 at 192.168.0.3 tun.1001 at 192.168.0.1
000 #2: "test"[1] 192.168.0.3 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3254s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:A0:C9:D5:B6:3F
inet addr:10.0.18.60 Bcast:10.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6160 errors:0 dropped:0 overruns:0 frame:0
TX packets:300 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:549641 (536.7 Kb) TX bytes:53309 (52.0 Kb)
Interrupt:10 Base address:0xb400 Memory:d7000000-d7000038
eth1 Link encap:Ethernet HWaddr 00:04:75:B0:76:75
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:86 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:13445 (13.1 Kb) TX bytes:3524 (3.4 Kb)
Interrupt:5 Base address:0xb800
ipsec0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec1 Link encap:Ethernet HWaddr 00:04:75:B0:76:75
inet addr:192.168.0.1 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:9 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:540 (540.0 b) TX bytes:1008 (1008.0 b)
ipsec2 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:40 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2608 (2.5 Kb) TX bytes:2608 (2.5 Kb)
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
SIOCGMIIPHY on 'eth0' failed: Operation not supported
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:10:5a, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
vpnserver.berns.irf.de
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.0.18.60
+ _________________________ uptime
+ uptime
12:10pm up 0:59, 5 users, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 1530 1223 13 0 4716 1252 taskle S pts/2 0:00 |
| \_ /bin/sh /usr/local/libexec/ipsec/barf
0 0 1608 1530 13 0 3780 496 link_p S pts/2 0:00 |
| \_ /bin/grep -E -i ppid|pluto|ipsec|klips
1 0 1418 1 9 0 4704 1220 taskle S pts/2 0:00
/bin/sh /usr/local/lib/ipsec/_plutorun --debug control --uniqueids yes
--nocrsend --strictcrlpolicy --crlcheckinterval 0 --dump --opts
--stderrlog --wait no --pre --post --log daemon.error --pid
/var/run/pluto.pid
1 0 1420 1418 9 0 4704 1224 taskle S pts/2 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutorun --debug control --uniqueids yes
--nocrsend --strictcrlpolicy --crlcheckinterval 0 --dump --opts
--stderrlog --wait no --pre --post --log daemon.error --pid
/var/run/pluto.pid
4 0 1424 1420 9 0 2500 1176 interr S pts/2 0:00 |
\_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile
/etc/ipsec.secrets --policygroupsdir /etc/ipsec.d/policies
--debug-control --uniqueids
0 0 1436 1424 9 0 1420 260 interr S pts/2 0:00
| \_ _pluto_adns
0 0 1421 1418 8 0 4696 1220 link_p S pts/2 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0 0 1419 1 9 0 3636 408 link_p S pts/2 0:00
logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/examples
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
interfaces="ipsec1=eth1"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=control
conn %default
authby=rsasig
keyingtries=1
leftrsasigkey=%cert
rightrsasigkey=%cert
leftcert=gatewayCert.pem
left=192.168.0.1
auto=add
pfs=yes
conn test
leftsubnet=0.0.0.0/0
right=%any
rightcert=clientCert.pem
auto=add
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits vpnserver.berns.irf.de Mon Nov 17 10:12:58 2003
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQPPGMfJj]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
: RSA gatewayKey.pem "[sums to e9c2...]"
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic
Responder".
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 392
-rwxr-xr-x 1 root root 15011 Jan 5 11:49 _confread
-rwxr-xr-x 1 root root 14890 Nov 17 09:34 _confread.old
-rwxr-xr-x 1 root root 48795 Jan 5 11:49 _copyright
-rwxr-xr-x 1 root root 48795 Nov 17 09:34 _copyright.old
-rwxr-xr-x 1 root root 2379 Jan 5 11:49 _include
-rwxr-xr-x 1 root root 2379 Nov 17 09:34 _include.old
-rwxr-xr-x 1 root root 1475 Jan 5 11:49 _keycensor
-rwxr-xr-x 1 root root 1475 Nov 17 09:34 _keycensor.old
-rwxr-xr-x 1 root root 69465 Jan 5 11:49 _pluto_adns
-rwxr-xr-x 1 root root 69465 Nov 17 09:34 _pluto_adns.old
-rwxr-xr-x 1 root root 3586 Jan 5 11:49 _plutoload
-rwxr-xr-x 1 root root 3586 Nov 17 09:34 _plutoload.old
-rwxr-xr-x 1 root root 5823 Jan 5 11:49 _plutorun
-rwxr-xr-x 1 root root 5165 Nov 17 09:34 _plutorun.old
-rwxr-xr-x 1 root root 9910 Jan 5 11:49 _realsetup
-rwxr-xr-x 1 root root 9719 Nov 17 09:34 _realsetup.old
-rwxr-xr-x 1 root root 1975 Jan 5 11:49 _secretcensor
-rwxr-xr-x 1 root root 1975 Nov 17 09:34 _secretcensor.old
-rwxr-xr-x 1 root root 8065 Jan 5 11:49 _startklips
-rwxr-xr-x 1 root root 8065 Nov 17 09:34 _startklips.old
-rwxr-xr-x 1 root root 11261 Mar 23 13:06 _updown
-rwxr-xr-x 1 root root 7959 Nov 17 09:34 _updown.old
-rwxr-xr-x 1 root root 11992 Jan 5 11:49 _updown_x509
-rwxr-xr-x 1 root root 75 Jan 5 11:49 distro.txt
-rwxr-xr-x 1 root root 1942 Jan 5 11:49 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 6345
-rwxr-xr-x 1 root root 14226 Jan 5 11:49 auto
-rwxr-xr-x 1 root root 12195 Nov 17 09:34 auto.old
-rwxr-xr-x 1 root root 8591 Jan 5 11:49 barf
-rwxr-xr-x 1 root root 8591 Nov 17 09:34 barf.old
-rwxr-xr-x 1 root root 816 Jan 5 11:49 calcgoo
-rwxr-xr-x 1 root root 816 Nov 17 09:34 calcgoo.old
-rwxr-xr-x 1 root root 324883 Jan 5 11:49 eroute
-rwxr-xr-x 1 root root 318713 Nov 17 09:34 eroute.old
-rwxr-xr-x 1 root root 186925 Jan 5 11:49 klipsdebug
-rwxr-xr-x 1 root root 182552 Nov 17 09:34 klipsdebug.old
-rwxr-xr-x 1 root root 2449 Jan 5 11:49 look
-rwxr-xr-x 1 root root 2449 Nov 17 09:34 look.old
-rwxr-xr-x 1 root root 7130 Jan 5 11:49 mailkey
-rwxr-xr-x 1 root root 7130 Nov 17 09:34 mailkey.old
-rwxr-xr-x 1 root root 16188 Jan 5 11:49 manual
-rwxr-xr-x 1 root root 16188 Nov 17 09:34 manual.old
-rwxr-xr-x 1 root root 1874 Jan 5 11:49 newhostkey
-rwxr-xr-x 1 root root 1874 Nov 17 09:34 newhostkey.old
-rwxr-xr-x 1 root root 154698 Jan 5 11:49 pf_key
-rwxr-xr-x 1 root root 152781 Nov 17 09:34 pf_key.old
-rwxr-xr-x 1 root root 1603831 Jan 5 11:49 pluto
-rwxr-xr-x 1 root root 1301335 Nov 17 09:34 pluto.old
-rwxr-xr-x 1 root root 54199 Jan 5 11:49 ranbits
-rwxr-xr-x 1 root root 54199 Nov 17 09:34 ranbits.old
-rwxr-xr-x 1 root root 88410 Jan 5 11:49 rsasigkey
-rwxr-xr-x 1 root root 88410 Nov 17 09:34 rsasigkey.old
-rwxr-xr-x 1 root root 765 Jan 5 11:49 secrets
-rwxr-xr-x 1 root root 17602 Jan 5 11:49 send-pr
-rwxr-xr-x 1 root root 17602 Nov 17 09:34 send-pr.old
lrwxrwxrwx 1 root root 15 Jan 5 11:49 setup -> /etc/rc.d/ipsec
-rwxr-xr-x 1 root root 1048 Jan 5 11:49 showdefaults
-rwxr-xr-x 1 root root 1048 Nov 17 09:34 showdefaults.old
-rwxr-xr-x 1 root root 4321 Jan 5 11:49 showhostkey
-rwxr-xr-x 1 root root 4321 Nov 17 09:34 showhostkey.old
-rwxr-xr-x 1 root root 331538 Jan 5 11:49 spi
-rwxr-xr-x 1 root root 329309 Nov 17 09:34 spi.old
-rwxr-xr-x 1 root root 264075 Jan 5 11:49 spigrp
-rwxr-xr-x 1 root root 259926 Nov 17 09:34 spigrp.old
-rwxr-xr-x 1 root root 52745 Jan 5 11:49 tncfg
-rwxr-xr-x 1 root root 52745 Nov 17 09:34 tncfg.old
-rwxr-xr-x 1 root root 9292 Jan 5 11:49 verify
-rwxr-xr-x 1 root root 9292 Nov 17 09:34 verify.old
-rwxr-xr-x 1 root root 226719 Jan 5 11:49 whack
-rwxr-xr-x 1 root root 212017 Nov 17 09:34 whack.old
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                 |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    2608      40    0    0    0     0          0         0     2608      40    0    0    0     0       0          0
  eth0:  549641    6168    0    0    0     0          0         0    53309     300    0    0    0     0       0          0
  eth1:   13445      86    0    0    0     0          0         0     3524      18    0    0    0     0       0          0
ipsec0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec1:     540       9    0    0    0     0          0         0     1008       8    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface   Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
ipsec1  0300A8C0    0300A8C0 0007  0      0   0      FFFFFFFF 0   0      0
eth1    0000A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0
ipsec1  0000A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0
eth0    0000000A    00000000 0001  0      0   0      000000FF 0   0      0
eth0    00000000    0100000A 0003  0      0   0      00000000 0   0      0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
eth1/rp_filter ipsec1/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
ipsec1/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux vpnserver 2.4.22 #16 SMP Wed Feb 25 15:09:05 CET 2004 i686 unknown
unknown GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 2.1.0
+ _________________________ iptables/list
+ iptables -L -v -n
modprobe: Can't locate module ip_tables
iptables v1.2.7a: can't initialize iptables table `filter': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/local/libexec/ipsec/barf: line 236: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/local/libexec/ipsec/barf: line 238: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/local/libexec/ipsec/barf: line 240: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/local/libexec/ipsec/barf: line 242: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
modprobe: Can't locate module ip_tables
iptables v1.2.7a: can't initialize iptables table `nat': iptables who?
(do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/local/libexec/ipsec/barf: line 246: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/local/libexec/ipsec/barf: line 248: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
modprobe: Can't locate module ip_tables
iptables v1.2.7a: can't initialize iptables table `mangle': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ proc/modules
+ cat /proc/modules
ipsec 304992 2
keybdev 2148 0 (unused)
hid 11260 0 (unused)
usbmouse 2300 0 (unused)
mousedev 4728 1
input 3744 0 [keybdev usbmouse mousedev]
uhci 27740 0 (unused)
3c59x 28560 1
e100 52456 1
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 394633216 159551488 235081728 0 22654976 67284992
Swap: 789585920 0 789585920
MemTotal: 385384 kB
MemFree: 229572 kB
MemShared: 0 kB
Buffers: 22124 kB
Cached: 65708 kB
SwapCached: 0 kB
Active: 40428 kB
Inactive: 95392 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 385384 kB
LowFree: 229572 kB
SwapTotal: 771080 kB
SwapFree: 771080 kB
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug
/proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg
/proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Apr 15 12:10 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Apr 15 12:10 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Apr 15 12:10 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Apr 15 12:10 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Apr 15 12:10 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Apr 15 12:10 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
# CONFIG_MD_MULTIPATH is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_IPX is not set
CONFIG_IPSEC=m
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_IDE_CHIPSETS is not set
# CONFIG_SCSI_IPS is not set
# CONFIG_TULIP is not set
# CONFIG_PLIP is not set
# CONFIG_SLIP is not set
# CONFIG_PCMCIA_XIRTULIP is not set
# CONFIG_INPUT_GRIP is not set
# CONFIG_IPMI_HANDLER is not set
# CONFIG_IPMI_PANIC_EVENT is not set
# CONFIG_IPMI_DEVICE_INTERFACE is not set
# CONFIG_IPMI_KCS is not set
# CONFIG_IPMI_WATCHDOG is not set
# CONFIG_USB_AIPTEK is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf - Configuration file for syslogd(8)
#
# For info about the format of this file, see "man syslog.conf".
#
#
#
# print most on tty10 and on the xconsole pipe
#
kern.warn;*.err;authpriv.none /dev/tty10
kern.warn;*.err;authpriv.none |/dev/xconsole
*.emerg *
# enable this, if you want that root is informed
# immediately, e.g. of logins
#*.alert root
#
# all email-messages in one file
#
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# all news-messages
#
# these files are rotated and examined by "news.daily"
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
# enable this, if you want to keep all news messages
# in one file
#news.* -/var/log/news.all
#
# Warnings in one file
#
*.=warn;*.=err -/var/log/warn
*.crit /var/log/warn
#
# save the rest in one file
#
*.*;mail.none;news.none -/var/log/messages
#
# enable this, if you want to keep all messages
# in one file
#*.* -/var/log/allmessages
#
# Some foreign boot scripts require local7
#
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 10.0.0.1
search local
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 2
drwxr-xr-x 10 root root 568 Oct 16 17:44 2.4.20-64GB-SMP
drwxr-xr-x 4 root root 416 Nov 3 12:55 2.4.20-4GB
drwxr-xr-x 4 root root 416 Apr 15 11:46 2.4.22
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c02a5690 netif_rx_Rsmp_a5311eb3
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.20-4GB: U netif_rx
2.4.20-64GB-SMP: U netif_rx
2.4.22:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '12446,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Apr 15 12:08:02 vpnserver ipsec_setup: Starting FreeS/WAN IPsec 2.04...
Apr 15 12:08:02 vpnserver ipsec_setup: Using
/lib/modules/2.4.22/kernel/net/ipsec/ipsec.o
Apr 15 12:08:02 vpnserver kernel: klips_info:ipsec_init: KLIPS startup,
FreeS/WAN IPSec version: 2.1.0
Apr 15 12:08:02 vpnserver ipsec_setup: KLIPS debug `none'
Apr 15 12:08:02 vpnserver ipsec_setup: KLIPS ipsec1 on eth1
192.168.0.1/255.255.255.0 broadcast 192.168.0.255
Apr 15 12:08:03 vpnserver ipsec__plutorun: Starting Pluto subsystem...
Apr 15 12:08:03 vpnserver ipsec_setup: ...FreeS/WAN IPsec started
Apr 15 12:08:03 vpnserver pluto[1424]: Starting Pluto (FreeS/WAN Version
2.04 X.509-1.4.8 PLUTO_USES_KEYRR)
Apr 15 12:08:03 vpnserver pluto[1424]: | inserting event
EVENT_REINIT_SECRET, timeout in 3600 seconds
Apr 15 12:08:03 vpnserver pluto[1424]: Using KLIPS IPsec interface code
Apr 15 12:08:03 vpnserver pluto[1424]: | inserting event
EVENT_SHUNT_SCAN, timeout in 120 seconds
Apr 15 12:08:03 vpnserver pluto[1424]: Changing to directory
'/etc/ipsec.d/cacerts'
Apr 15 12:08:03 vpnserver pluto[1424]: loaded cacert file 'cacert.pem'
(1472 bytes)
Apr 15 12:08:03 vpnserver pluto[1424]: | cacert list locked by
'load_cacerts'
Apr 15 12:08:03 vpnserver pluto[1424]: | cacert list unlocked by
'load_cacerts'
Apr 15 12:08:03 vpnserver pluto[1424]: Changing to directory
'/etc/ipsec.d/crls'
Apr 15 12:08:03 vpnserver pluto[1424]: loaded crl file 'crl.pem' (638
bytes)
Apr 15 12:08:03 vpnserver pluto[1424]: | cacert list locked by 'insert_crl'
Apr 15 12:08:03 vpnserver pluto[1424]: | crl issuer cacert found
Apr 15 12:08:03 vpnserver pluto[1424]: | cacert list unlocked by
'insert_crl'
Apr 15 12:08:03 vpnserver pluto[1424]: | crl signature is valid
Apr 15 12:08:03 vpnserver pluto[1424]: | crl list locked by 'insert_crl'
Apr 15 12:08:03 vpnserver pluto[1424]: | crl list unlocked by 'insert_crl'
Apr 15 12:08:03 vpnserver pluto[1424]: | inserting event 8??, timeout in
42717 seconds
Apr 15 12:08:03 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
120 seconds
Apr 15 12:08:03 vpnserver pluto[1424]: |
Apr 15 12:08:03 vpnserver pluto[1424]: | *received whack message
Apr 15 12:08:03 vpnserver pluto[1424]: loaded host cert file
'/etc/ipsec.d/certs/gatewayCert.pem' (1326 bytes)
Apr 15 12:08:03 vpnserver pluto[1424]: loaded host cert file
'/etc/ipsec.d/certs/clientCert.pem' (1505 bytes)
Apr 15 12:08:03 vpnserver pluto[1424]: added connection description "test"
Apr 15 12:08:03 vpnserver pluto[1424]: | 0.0.0.0/0===192.168.0.1[C=DE,
ST=NRW, O=IRF, CN=b, E=albrecht at irf.de]...%any[C=de, ST=nrw, L=dortmund,
O=irf, OU=irf, CN=a]
Apr 15 12:08:03 vpnserver pluto[1424]: | ike_life: 3600s; ipsec_life:
28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy:
RSASIG+ENCRYPT+TUNNEL+PFS
Apr 15 12:08:03 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
120 seconds
Apr 15 12:08:03 vpnserver pluto[1424]: |
Apr 15 12:08:03 vpnserver pluto[1424]: | *received whack message
Apr 15 12:08:03 vpnserver pluto[1424]: listening for IKE messages
Apr 15 12:08:03 vpnserver pluto[1424]: | found lo with address 127.0.0.1
Apr 15 12:08:03 vpnserver pluto[1424]: | found eth0 with address 10.0.18.60
Apr 15 12:08:03 vpnserver pluto[1424]: | found eth1 with address 192.168.0.1
Apr 15 12:08:03 vpnserver pluto[1424]: | found ipsec1 with address
192.168.0.1
Apr 15 12:08:03 vpnserver pluto[1424]: adding interface ipsec1/eth1
192.168.0.1
Apr 15 12:08:03 vpnserver pluto[1424]: | IP interface eth0 10.0.18.60
has no matching ipsec* interface -- ignored
Apr 15 12:08:03 vpnserver pluto[1424]: | IP interface lo 127.0.0.1 has
no matching ipsec* interface -- ignored
Apr 15 12:08:03 vpnserver pluto[1424]: | could not open /proc/net/if_inet6
Apr 15 12:08:03 vpnserver pluto[1424]: loading secrets from
"/etc/ipsec.secrets"
Apr 15 12:08:03 vpnserver pluto[1424]: loaded private key file
'/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
Apr 15 12:08:03 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
120 seconds
Apr 15 12:08:16 vpnserver pluto[1424]: |
Apr 15 12:08:16 vpnserver pluto[1424]: | *received whack message
Apr 15 12:08:16 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
107 seconds
Apr 15 12:09:20 vpnserver pluto[1424]: |
Apr 15 12:09:20 vpnserver pluto[1424]: | *received 256 bytes from
192.168.0.3:500 on eth1
Apr 15 12:09:20 vpnserver pluto[1424]: packet from 192.168.0.3:500:
received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Apr 15 12:09:20 vpnserver pluto[1424]: packet from 192.168.0.3:500:
received Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
Apr 15 12:09:20 vpnserver pluto[1424]: packet from 192.168.0.3:500:
received Vendor ID Payload; ASCII hash: \020K
Apr 15 12:09:20 vpnserver pluto[1424]: | instantiated "test" for 192.168.0.3
Apr 15 12:09:20 vpnserver pluto[1424]: | creating state object #1 at
0x80c45b8
Apr 15 12:09:20 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:20 vpnserver pluto[1424]: | RCOOKIE: af 94 ba 59 d1 49 a1 72
Apr 15 12:09:20 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:20 vpnserver pluto[1424]: | state hash entry 4
Apr 15 12:09:20 vpnserver pluto[1424]: | inserting event
EVENT_SO_DISCARD, timeout in 0 seconds for #1
Apr 15 12:09:20 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #1:
responding to Main Mode from unknown peer 192.168.0.3
Apr 15 12:09:20 vpnserver pluto[1424]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #1
Apr 15 12:09:20 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
10 seconds for #1
Apr 15 12:09:21 vpnserver pluto[1424]: |
Apr 15 12:09:21 vpnserver pluto[1424]: | *received 256 bytes from
192.168.0.3:500 on eth1
Apr 15 12:09:21 vpnserver pluto[1424]: packet from 192.168.0.3:500:
received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Apr 15 12:09:21 vpnserver pluto[1424]: packet from 192.168.0.3:500:
received Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
Apr 15 12:09:21 vpnserver pluto[1424]: packet from 192.168.0.3:500:
received Vendor ID Payload; ASCII hash: \020K
Apr 15 12:09:21 vpnserver pluto[1424]: | creating state object #2 at
0x80c4928
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | inserting event
EVENT_SO_DISCARD, timeout in 0 seconds for #2
Apr 15 12:09:21 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #2:
responding to Main Mode from unknown peer 192.168.0.3
Apr 15 12:09:21 vpnserver pluto[1424]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #2
Apr 15 12:09:21 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
9 seconds for #1
Apr 15 12:09:21 vpnserver pluto[1424]: |
Apr 15 12:09:21 vpnserver pluto[1424]: | *received 184 bytes from
192.168.0.3:500 on eth1
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | state object #2 found, in
STATE_MAIN_R1
Apr 15 12:09:21 vpnserver pluto[1424]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #2
Apr 15 12:09:21 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
9 seconds for #1
Apr 15 12:09:21 vpnserver pluto[1424]: |
Apr 15 12:09:21 vpnserver pluto[1424]: | *received 1572 bytes from
192.168.0.3:500 on eth1
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | state object #2 found, in
STATE_MAIN_R2
Apr 15 12:09:21 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #2: Peer ID
is ID_DER_ASN1_DN: 'C=de, ST=nrw, L=dortmund, O=irf, OU=irf, CN=a'
Apr 15 12:09:21 vpnserver pluto[1424]: | subject: 'C=de, ST=nrw,
L=dortmund, O=irf, OU=irf, CN=a'
Apr 15 12:09:21 vpnserver pluto[1424]: | issuer: 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | certificate is valid
Apr 15 12:09:21 vpnserver pluto[1424]: | cacert list locked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: | cacert list unlocked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: | issuer cacert found
Apr 15 12:09:21 vpnserver pluto[1424]: | certificate signature is valid
Apr 15 12:09:21 vpnserver pluto[1424]: | crl list locked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: | issuer crl found
Apr 15 12:09:21 vpnserver pluto[1424]: | crl signature is valid
Apr 15 12:09:21 vpnserver pluto[1424]: | serial number: 04
Apr 15 12:09:21 vpnserver pluto[1424]: | certificate not revoked
Apr 15 12:09:21 vpnserver pluto[1424]: | crl list unlocked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #2: crl
update is overdue since Feb 20 14:11:51 UTC 2004
Apr 15 12:09:21 vpnserver pluto[1424]: | subject: 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | issuer: 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | certificate is valid
Apr 15 12:09:21 vpnserver pluto[1424]: | cacert list locked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: | cacert list unlocked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: | issuer cacert found
Apr 15 12:09:21 vpnserver pluto[1424]: | certificate signature is valid
Apr 15 12:09:21 vpnserver pluto[1424]: | crl list locked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: | issuer crl found
Apr 15 12:09:21 vpnserver pluto[1424]: | crl signature is valid
Apr 15 12:09:21 vpnserver pluto[1424]: | serial number: 00
Apr 15 12:09:21 vpnserver pluto[1424]: | certificate not revoked
Apr 15 12:09:21 vpnserver pluto[1424]: | crl list unlocked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #2: crl
update is overdue since Feb 20 14:11:51 UTC 2004
Apr 15 12:09:21 vpnserver pluto[1424]: | requested CA: 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | offered CA: 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | required CA is 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | key issuer CA is 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | an RSA Sig check passed with
*AwEAAa1ni [preloaded key]
Apr 15 12:09:21 vpnserver pluto[1424]: | signing hash with RSA Key
*AwEAAdiQ+
Apr 15 12:09:21 vpnserver pluto[1424]: | inserting event
EVENT_SA_REPLACE, timeout in 3330 seconds for #2
Apr 15 12:09:21 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #2: sent
MR3, ISAKMP SA established
Apr 15 12:09:21 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
9 seconds for #1
Apr 15 12:09:21 vpnserver pluto[1424]: |
Apr 15 12:09:21 vpnserver pluto[1424]: | *received 308 bytes from
192.168.0.3:500 on eth1
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | state object not found
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | state object #2 found, in
STATE_MAIN_R3
Apr 15 12:09:21 vpnserver pluto[1424]: | peer client is 192.168.0.3
Apr 15 12:09:21 vpnserver pluto[1424]: | peer client protocol/port is 0/0
Apr 15 12:09:21 vpnserver pluto[1424]: | our client is subnet 0.0.0.0/0
Apr 15 12:09:21 vpnserver pluto[1424]: | our client protocol/port is 0/0
Apr 15 12:09:21 vpnserver pluto[1424]: | duplicating state object #2
Apr 15 12:09:21 vpnserver pluto[1424]: | creating state object #3 at
0x80c4f30
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | inserting event
EVENT_SO_DISCARD, timeout in 0 seconds for #3
Apr 15 12:09:21 vpnserver pluto[1424]: | generate SPI: 72 43 3d ec
Apr 15 12:09:21 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #3:
responding to Quick Mode
Apr 15 12:09:21 vpnserver pluto[1424]: | install_inbound_ipsec_sa()
checking if we can route
Apr 15 12:09:21 vpnserver pluto[1424]: | route owner of "test"[1]
192.168.0.3 unrouted: NULL; eroute owner: NULL
Apr 15 12:09:21 vpnserver pluto[1424]: | add inbound eroute
192.168.0.3/32:0 -> 0.0.0.0/0:0 => tun.1001@192.168.0.1:0
Apr 15 12:09:21 vpnserver pluto[1424]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #3
Apr 15 12:09:21 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
9 seconds for #1
Apr 15 12:09:21 vpnserver pluto[1424]: |
Apr 15 12:09:21 vpnserver pluto[1424]: | *received 52 bytes from
192.168.0.3:500 on eth1
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | state object #3 found, in
STATE_QUICK_R1
Apr 15 12:09:21 vpnserver pluto[1424]: | install_ipsec_sa() for #3:
outbound only
Apr 15 12:09:21 vpnserver pluto[1424]: | route owner of "test"[1]
192.168.0.3 unrouted: NULL; eroute owner: NULL
Apr 15 12:09:21 vpnserver pluto[1424]: | sr for #3: unrouted
Apr 15 12:09:21 vpnserver pluto[1424]: | route owner of "test"[1]
192.168.0.3 unrouted: NULL; eroute owner: NULL
Apr 15 12:09:21 vpnserver pluto[1424]: | eroute_connection add eroute
0.0.0.0/0:0 -> 192.168.0.3/32:0 => tun.1002@192.168.0.3:0
Apr 15 12:09:21 vpnserver pluto[1424]: | executing up-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='test'
PLUTO_NEXT_HOP='192.168.0.3' PLUTO_INTERFACE='ipsec1'
PLUTO_ME='192.168.0.1' PLUTO_MY_ID='C=DE, ST=NRW, O=IRF, CN=b,
E=albrecht at irf.de' PLUTO_MY_CLIENT='0.0.0.0/0'
PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0.0.0.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.0.3'
PLUTO_PEER_ID='C=de, ST=nrw, L=dortmund, O=irf, OU=irf, CN=a'
PLUTO_PEER_CLIENT='192.168.0.3/32' PLUTO_PEER_CLIENT_NET='192.168.0.3'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=DE, ST=NRW, L=Dortmund, O=IRF,
CN=a, E=albrecht at irf.de' ipsec _updown
Apr 15 12:09:21 vpnserver pluto[1424]: | route_and_eroute:
firewall_notified: true
Apr 15 12:09:21 vpnserver pluto[1424]: | executing prepare-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='test'
PLUTO_NEXT_HOP='192.168.0.3' PLUTO_INTERFACE='ipsec1'
PLUTO_ME='192.168.0.1' PLUTO_MY_ID='C=DE, ST=NRW, O=IRF, CN=b,
E=albrecht at irf.de' PLUTO_MY_CLIENT='0.0.0.0/0'
PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0.0.0.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.0.3'
PLUTO_PEER_ID='C=de, ST=nrw, L=dortmund, O=irf, OU=irf, CN=a'
PLUTO_PEER_CLIENT='192.168.0.3/32' PLUTO_PEER_CLIENT_NET='192.168.0.3'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=DE, ST=NRW, L=Dortmund, O=IRF,
CN=a, E=albrecht at irf.de' ipsec _updown
Apr 15 12:09:22 vpnserver pluto[1424]: | executing route-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='test'
PLUTO_NEXT_HOP='192.168.0.3' PLUTO_INTERFACE='ipsec1'
PLUTO_ME='192.168.0.1' PLUTO_MY_ID='C=DE, ST=NRW, O=IRF, CN=b,
E=albrecht at irf.de' PLUTO_MY_CLIENT='0.0.0.0/0'
PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0.0.0.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.0.3'
PLUTO_PEER_ID='C=de, ST=nrw, L=dortmund, O=irf, OU=irf, CN=a'
PLUTO_PEER_CLIENT='192.168.0.3/32' PLUTO_PEER_CLIENT_NET='192.168.0.3'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=DE, ST=NRW, L=Dortmund, O=IRF,
CN=a, E=albrecht at irf.de' ipsec _updown
Apr 15 12:09:22 vpnserver pluto[1424]: | route_and_eroute: instance
"test"[1] 192.168.0.3, setting eroute_owner {spd=0x80c3b78,sr=0x80c3b78}
to #3 (was #0) (newest_ipsec_sa=#0)
Apr 15 12:09:22 vpnserver pluto[1424]: | inserting event
EVENT_SA_REPLACE, timeout in 3330 seconds for #3
Apr 15 12:09:22 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #3: IPsec
SA established {ESP=>0x4c3bfdc8 <0x72433dec}
Apr 15 12:09:22 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
8 seconds for #1
Apr 15 12:09:30 vpnserver pluto[1424]: |
Apr 15 12:09:30 vpnserver pluto[1424]: | *time to handle event
Apr 15 12:09:30 vpnserver pluto[1424]: | event after this is
EVENT_SHUNT_SCAN in 33 seconds
Apr 15 12:09:30 vpnserver pluto[1424]: | handling event EVENT_RETRANSMIT
for 192.168.0.3 "test" #1
Apr 15 12:09:30 vpnserver pluto[1424]: | inserting event
EVENT_RETRANSMIT, timeout in 20 seconds for #1
Apr 15 12:09:30 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
20 seconds for #1
Apr 15 12:09:50 vpnserver pluto[1424]: |
Apr 15 12:09:50 vpnserver pluto[1424]: | *time to handle event
Apr 15 12:09:50 vpnserver pluto[1424]: | event after this is
EVENT_SHUNT_SCAN in 13 seconds
Apr 15 12:09:50 vpnserver pluto[1424]: | handling event EVENT_RETRANSMIT
for 192.168.0.3 "test" #1
Apr 15 12:09:50 vpnserver pluto[1424]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #1
Apr 15 12:09:50 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
13 seconds
Apr 15 12:10:03 vpnserver pluto[1424]: |
Apr 15 12:10:03 vpnserver pluto[1424]: | *time to handle event
Apr 15 12:10:03 vpnserver pluto[1424]: | event after this is
EVENT_RETRANSMIT in 27 seconds
Apr 15 12:10:03 vpnserver pluto[1424]: | inserting event
EVENT_SHUNT_SCAN, timeout in 120 seconds
Apr 15 12:10:03 vpnserver pluto[1424]: | scanning for shunt eroutes
Apr 15 12:10:03 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
27 seconds for #1
Apr 15 12:10:30 vpnserver pluto[1424]: |
Apr 15 12:10:30 vpnserver pluto[1424]: | *time to handle event
Apr 15 12:10:30 vpnserver pluto[1424]: | event after this is
EVENT_SHUNT_SCAN in 93 seconds
Apr 15 12:10:30 vpnserver pluto[1424]: | handling event EVENT_RETRANSMIT
for 192.168.0.3 "test" #1
Apr 15 12:10:30 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #1: max
number of retransmissions (2) reached STATE_MAIN_R1
Apr 15 12:10:30 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:10:30 vpnserver pluto[1424]: | RCOOKIE: af 94 ba 59 d1 49 a1 72
Apr 15 12:10:30 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:10:30 vpnserver pluto[1424]: | state hash entry 4
Apr 15 12:10:30 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
93 seconds
Apr 15 12:10:36 vpnserver pluto[1424]: |
Apr 15 12:10:36 vpnserver pluto[1424]: | *received whack message
Apr 15 12:10:36 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
87 seconds
Apr 15 12:10:37 vpnserver pluto[1424]: |
Apr 15 12:10:37 vpnserver pluto[1424]: | *received whack message
Apr 15 12:10:37 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
86 seconds
+ _________________________ plog
+ sed -n '12452,$p' /var/log/messages
+ egrep -i pluto
+ cat
Apr 15 12:08:03 vpnserver ipsec__plutorun: Starting Pluto subsystem...
Apr 15 12:08:03 vpnserver pluto[1424]: Starting Pluto (FreeS/WAN Version
2.04 X.509-1.4.8 PLUTO_USES_KEYRR)
Apr 15 12:08:03 vpnserver pluto[1424]: | inserting event
EVENT_REINIT_SECRET, timeout in 3600 seconds
Apr 15 12:08:03 vpnserver pluto[1424]: Using KLIPS IPsec interface code
Apr 15 12:08:03 vpnserver pluto[1424]: | inserting event
EVENT_SHUNT_SCAN, timeout in 120 seconds
Apr 15 12:08:03 vpnserver pluto[1424]: Changing to directory
'/etc/ipsec.d/cacerts'
Apr 15 12:08:03 vpnserver pluto[1424]: loaded cacert file 'cacert.pem'
(1472 bytes)
Apr 15 12:08:03 vpnserver pluto[1424]: | cacert list locked by
'load_cacerts'
Apr 15 12:08:03 vpnserver pluto[1424]: | cacert list unlocked by
'load_cacerts'
Apr 15 12:08:03 vpnserver pluto[1424]: Changing to directory
'/etc/ipsec.d/crls'
Apr 15 12:08:03 vpnserver pluto[1424]: loaded crl file 'crl.pem' (638
bytes)
Apr 15 12:08:03 vpnserver pluto[1424]: | cacert list locked by 'insert_crl'
Apr 15 12:08:03 vpnserver pluto[1424]: | crl issuer cacert found
Apr 15 12:08:03 vpnserver pluto[1424]: | cacert list unlocked by
'insert_crl'
Apr 15 12:08:03 vpnserver pluto[1424]: | crl signature is valid
Apr 15 12:08:03 vpnserver pluto[1424]: | crl list locked by 'insert_crl'
Apr 15 12:08:03 vpnserver pluto[1424]: | crl list unlocked by 'insert_crl'
Apr 15 12:08:03 vpnserver pluto[1424]: | inserting event 8??, timeout in
42717 seconds
Apr 15 12:08:03 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
120 seconds
Apr 15 12:08:03 vpnserver pluto[1424]: |
Apr 15 12:08:03 vpnserver pluto[1424]: | *received whack message
Apr 15 12:08:03 vpnserver pluto[1424]: loaded host cert file
'/etc/ipsec.d/certs/gatewayCert.pem' (1326 bytes)
Apr 15 12:08:03 vpnserver pluto[1424]: loaded host cert file
'/etc/ipsec.d/certs/clientCert.pem' (1505 bytes)
Apr 15 12:08:03 vpnserver pluto[1424]: added connection description "test"
Apr 15 12:08:03 vpnserver pluto[1424]: | 0.0.0.0/0===192.168.0.1[C=DE,
ST=NRW, O=IRF, CN=b, E=albrecht at irf.de]...%any[C=de, ST=nrw, L=dortmund,
O=irf, OU=irf, CN=a]
Apr 15 12:08:03 vpnserver pluto[1424]: | ike_life: 3600s; ipsec_life:
28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy:
RSASIG+ENCRYPT+TUNNEL+PFS
Apr 15 12:08:03 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
120 seconds
Apr 15 12:08:03 vpnserver pluto[1424]: |
Apr 15 12:08:03 vpnserver pluto[1424]: | *received whack message
Apr 15 12:08:03 vpnserver pluto[1424]: listening for IKE messages
Apr 15 12:08:03 vpnserver pluto[1424]: | found lo with address 127.0.0.1
Apr 15 12:08:03 vpnserver pluto[1424]: | found eth0 with address 10.0.18.60
Apr 15 12:08:03 vpnserver pluto[1424]: | found eth1 with address 192.168.0.1
Apr 15 12:08:03 vpnserver pluto[1424]: | found ipsec1 with address
192.168.0.1
Apr 15 12:08:03 vpnserver pluto[1424]: adding interface ipsec1/eth1
192.168.0.1
Apr 15 12:08:03 vpnserver pluto[1424]: | IP interface eth0 10.0.18.60
has no matching ipsec* interface -- ignored
Apr 15 12:08:03 vpnserver pluto[1424]: | IP interface lo 127.0.0.1 has
no matching ipsec* interface -- ignored
Apr 15 12:08:03 vpnserver pluto[1424]: | could not open /proc/net/if_inet6
Apr 15 12:08:03 vpnserver pluto[1424]: loading secrets from
"/etc/ipsec.secrets"
Apr 15 12:08:03 vpnserver pluto[1424]: loaded private key file
'/etc/ipsec.d/private/gatewayKey.pem' (963 bytes)
Apr 15 12:08:03 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
120 seconds
Apr 15 12:08:16 vpnserver pluto[1424]: |
Apr 15 12:08:16 vpnserver pluto[1424]: | *received whack message
Apr 15 12:08:16 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
107 seconds
Apr 15 12:09:20 vpnserver pluto[1424]: |
Apr 15 12:09:20 vpnserver pluto[1424]: | *received 256 bytes from
192.168.0.3:500 on eth1
Apr 15 12:09:20 vpnserver pluto[1424]: packet from 192.168.0.3:500:
received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Apr 15 12:09:20 vpnserver pluto[1424]: packet from 192.168.0.3:500:
received Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
Apr 15 12:09:20 vpnserver pluto[1424]: packet from 192.168.0.3:500:
received Vendor ID Payload; ASCII hash: \020K
Apr 15 12:09:20 vpnserver pluto[1424]: | instantiated "test" for 192.168.0.3
Apr 15 12:09:20 vpnserver pluto[1424]: | creating state object #1 at
0x80c45b8
Apr 15 12:09:20 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:20 vpnserver pluto[1424]: | RCOOKIE: af 94 ba 59 d1 49 a1 72
Apr 15 12:09:20 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:20 vpnserver pluto[1424]: | state hash entry 4
Apr 15 12:09:20 vpnserver pluto[1424]: | inserting event
EVENT_SO_DISCARD, timeout in 0 seconds for #1
Apr 15 12:09:20 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #1:
responding to Main Mode from unknown peer 192.168.0.3
Apr 15 12:09:20 vpnserver pluto[1424]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #1
Apr 15 12:09:20 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
10 seconds for #1
Apr 15 12:09:21 vpnserver pluto[1424]: |
Apr 15 12:09:21 vpnserver pluto[1424]: | *received 256 bytes from
192.168.0.3:500 on eth1
Apr 15 12:09:21 vpnserver pluto[1424]: packet from 192.168.0.3:500:
received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Apr 15 12:09:21 vpnserver pluto[1424]: packet from 192.168.0.3:500:
received Vendor ID Payload; ASCII hash: @H7Un<h\005%g^\177
Apr 15 12:09:21 vpnserver pluto[1424]: packet from 192.168.0.3:500:
received Vendor ID Payload; ASCII hash: \020K
Apr 15 12:09:21 vpnserver pluto[1424]: | creating state object #2 at
0x80c4928
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | inserting event
EVENT_SO_DISCARD, timeout in 0 seconds for #2
Apr 15 12:09:21 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #2:
responding to Main Mode from unknown peer 192.168.0.3
Apr 15 12:09:21 vpnserver pluto[1424]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #2
Apr 15 12:09:21 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
9 seconds for #1
Apr 15 12:09:21 vpnserver pluto[1424]: |
Apr 15 12:09:21 vpnserver pluto[1424]: | *received 184 bytes from
192.168.0.3:500 on eth1
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | state object #2 found, in
STATE_MAIN_R1
Apr 15 12:09:21 vpnserver pluto[1424]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #2
Apr 15 12:09:21 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
9 seconds for #1
Apr 15 12:09:21 vpnserver pluto[1424]: |
Apr 15 12:09:21 vpnserver pluto[1424]: | *received 1572 bytes from
192.168.0.3:500 on eth1
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | state object #2 found, in
STATE_MAIN_R2
Apr 15 12:09:21 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #2: Peer ID
is ID_DER_ASN1_DN: 'C=de, ST=nrw, L=dortmund, O=irf, OU=irf, CN=a'
Apr 15 12:09:21 vpnserver pluto[1424]: | subject: 'C=de, ST=nrw,
L=dortmund, O=irf, OU=irf, CN=a'
Apr 15 12:09:21 vpnserver pluto[1424]: | issuer: 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | certificate is valid
Apr 15 12:09:21 vpnserver pluto[1424]: | cacert list locked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: | cacert list unlocked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: | issuer cacert found
Apr 15 12:09:21 vpnserver pluto[1424]: | certificate signature is valid
Apr 15 12:09:21 vpnserver pluto[1424]: | crl list locked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: | issuer crl found
Apr 15 12:09:21 vpnserver pluto[1424]: | crl signature is valid
Apr 15 12:09:21 vpnserver pluto[1424]: | serial number: 04
Apr 15 12:09:21 vpnserver pluto[1424]: | certificate not revoked
Apr 15 12:09:21 vpnserver pluto[1424]: | crl list unlocked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #2: crl
update is overdue since Feb 20 14:11:51 UTC 2004
Apr 15 12:09:21 vpnserver pluto[1424]: | subject: 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | issuer: 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | certificate is valid
Apr 15 12:09:21 vpnserver pluto[1424]: | cacert list locked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: | cacert list unlocked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: | issuer cacert found
Apr 15 12:09:21 vpnserver pluto[1424]: | certificate signature is valid
Apr 15 12:09:21 vpnserver pluto[1424]: | crl list locked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: | issuer crl found
Apr 15 12:09:21 vpnserver pluto[1424]: | crl signature is valid
Apr 15 12:09:21 vpnserver pluto[1424]: | serial number: 00
Apr 15 12:09:21 vpnserver pluto[1424]: | certificate not revoked
Apr 15 12:09:21 vpnserver pluto[1424]: | crl list unlocked by
'verify_x509cert'
Apr 15 12:09:21 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #2: crl
update is overdue since Feb 20 14:11:51 UTC 2004
Apr 15 12:09:21 vpnserver pluto[1424]: | requested CA: 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | offered CA: 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | required CA is 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | key issuer CA is 'C=DE, ST=NRW,
L=Dortmund, O=IRF, CN=a, E=albrecht at irf.de'
Apr 15 12:09:21 vpnserver pluto[1424]: | an RSA Sig check passed with
*AwEAAa1ni [preloaded key]
Apr 15 12:09:21 vpnserver pluto[1424]: | signing hash with RSA Key
*AwEAAdiQ+
Apr 15 12:09:21 vpnserver pluto[1424]: | inserting event
EVENT_SA_REPLACE, timeout in 3330 seconds for #2
Apr 15 12:09:21 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #2: sent
MR3, ISAKMP SA established
Apr 15 12:09:21 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
9 seconds for #1
Apr 15 12:09:21 vpnserver pluto[1424]: |
Apr 15 12:09:21 vpnserver pluto[1424]: | *received 308 bytes from
192.168.0.3:500 on eth1
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | state object not found
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | state object #2 found, in
STATE_MAIN_R3
Apr 15 12:09:21 vpnserver pluto[1424]: | peer client is 192.168.0.3
Apr 15 12:09:21 vpnserver pluto[1424]: | peer client protocol/port is 0/0
Apr 15 12:09:21 vpnserver pluto[1424]: | our client is subnet 0.0.0.0/0
Apr 15 12:09:21 vpnserver pluto[1424]: | our client protocol/port is 0/0
Apr 15 12:09:21 vpnserver pluto[1424]: | duplicating state object #2
Apr 15 12:09:21 vpnserver pluto[1424]: | creating state object #3 at
0x80c4f30
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | inserting event
EVENT_SO_DISCARD, timeout in 0 seconds for #3
Apr 15 12:09:21 vpnserver pluto[1424]: | generate SPI: 72 43 3d ec
Apr 15 12:09:21 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #3:
responding to Quick Mode
Apr 15 12:09:21 vpnserver pluto[1424]: | install_inbound_ipsec_sa()
checking if we can route
Apr 15 12:09:21 vpnserver pluto[1424]: | route owner of "test"[1]
192.168.0.3 unrouted: NULL; eroute owner: NULL
Apr 15 12:09:21 vpnserver pluto[1424]: | add inbound eroute
192.168.0.3/32:0 -> 0.0.0.0/0:0 => tun.1001@192.168.0.1:0
Apr 15 12:09:21 vpnserver pluto[1424]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #3
Apr 15 12:09:21 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
9 seconds for #1
Apr 15 12:09:21 vpnserver pluto[1424]: |
Apr 15 12:09:21 vpnserver pluto[1424]: | *received 52 bytes from
192.168.0.3:500 on eth1
Apr 15 12:09:21 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:09:21 vpnserver pluto[1424]: | RCOOKIE: a4 eb ef 8e 47 56 01 32
Apr 15 12:09:21 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:09:21 vpnserver pluto[1424]: | state hash entry 29
Apr 15 12:09:21 vpnserver pluto[1424]: | state object #3 found, in
STATE_QUICK_R1
Apr 15 12:09:21 vpnserver pluto[1424]: | install_ipsec_sa() for #3:
outbound only
Apr 15 12:09:21 vpnserver pluto[1424]: | route owner of "test"[1]
192.168.0.3 unrouted: NULL; eroute owner: NULL
Apr 15 12:09:21 vpnserver pluto[1424]: | sr for #3: unrouted
Apr 15 12:09:21 vpnserver pluto[1424]: | route owner of "test"[1]
192.168.0.3 unrouted: NULL; eroute owner: NULL
Apr 15 12:09:21 vpnserver pluto[1424]: | eroute_connection add eroute
0.0.0.0/0:0 -> 192.168.0.3/32:0 => tun.1002@192.168.0.3:0
Apr 15 12:09:21 vpnserver pluto[1424]: | executing up-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='test'
PLUTO_NEXT_HOP='192.168.0.3' PLUTO_INTERFACE='ipsec1'
PLUTO_ME='192.168.0.1' PLUTO_MY_ID='C=DE, ST=NRW, O=IRF, CN=b,
E=albrecht at irf.de' PLUTO_MY_CLIENT='0.0.0.0/0'
PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0.0.0.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.0.3'
PLUTO_PEER_ID='C=de, ST=nrw, L=dortmund, O=irf, OU=irf, CN=a'
PLUTO_PEER_CLIENT='192.168.0.3/32' PLUTO_PEER_CLIENT_NET='192.168.0.3'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=DE, ST=NRW, L=Dortmund, O=IRF,
CN=a, E=albrecht at irf.de' ipsec _updown
Apr 15 12:09:21 vpnserver pluto[1424]: | route_and_eroute:
firewall_notified: true
Apr 15 12:09:21 vpnserver pluto[1424]: | executing prepare-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='test'
PLUTO_NEXT_HOP='192.168.0.3' PLUTO_INTERFACE='ipsec1'
PLUTO_ME='192.168.0.1' PLUTO_MY_ID='C=DE, ST=NRW, O=IRF, CN=b,
E=albrecht at irf.de' PLUTO_MY_CLIENT='0.0.0.0/0'
PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0.0.0.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.0.3'
PLUTO_PEER_ID='C=de, ST=nrw, L=dortmund, O=irf, OU=irf, CN=a'
PLUTO_PEER_CLIENT='192.168.0.3/32' PLUTO_PEER_CLIENT_NET='192.168.0.3'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=DE, ST=NRW, L=Dortmund, O=IRF,
CN=a, E=albrecht at irf.de' ipsec _updown
Apr 15 12:09:22 vpnserver pluto[1424]: | executing route-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='test'
PLUTO_NEXT_HOP='192.168.0.3' PLUTO_INTERFACE='ipsec1'
PLUTO_ME='192.168.0.1' PLUTO_MY_ID='C=DE, ST=NRW, O=IRF, CN=b,
E=albrecht at irf.de' PLUTO_MY_CLIENT='0.0.0.0/0'
PLUTO_MY_CLIENT_NET='0.0.0.0' PLUTO_MY_CLIENT_MASK='0.0.0.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.0.3'
PLUTO_PEER_ID='C=de, ST=nrw, L=dortmund, O=irf, OU=irf, CN=a'
PLUTO_PEER_CLIENT='192.168.0.3/32' PLUTO_PEER_CLIENT_NET='192.168.0.3'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=DE, ST=NRW, L=Dortmund, O=IRF,
CN=a, E=albrecht at irf.de' ipsec _updown
Apr 15 12:09:22 vpnserver pluto[1424]: | route_and_eroute: instance
"test"[1] 192.168.0.3, setting eroute_owner {spd=0x80c3b78,sr=0x80c3b78}
to #3 (was #0) (newest_ipsec_sa=#0)
Apr 15 12:09:22 vpnserver pluto[1424]: | inserting event
EVENT_SA_REPLACE, timeout in 3330 seconds for #3
Apr 15 12:09:22 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #3: IPsec
SA established {ESP=>0x4c3bfdc8 <0x72433dec}
Apr 15 12:09:22 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
8 seconds for #1
Apr 15 12:09:30 vpnserver pluto[1424]: |
Apr 15 12:09:30 vpnserver pluto[1424]: | *time to handle event
Apr 15 12:09:30 vpnserver pluto[1424]: | event after this is
EVENT_SHUNT_SCAN in 33 seconds
Apr 15 12:09:30 vpnserver pluto[1424]: | handling event EVENT_RETRANSMIT
for 192.168.0.3 "test" #1
Apr 15 12:09:30 vpnserver pluto[1424]: | inserting event
EVENT_RETRANSMIT, timeout in 20 seconds for #1
Apr 15 12:09:30 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
20 seconds for #1
Apr 15 12:09:50 vpnserver pluto[1424]: |
Apr 15 12:09:50 vpnserver pluto[1424]: | *time to handle event
Apr 15 12:09:50 vpnserver pluto[1424]: | event after this is
EVENT_SHUNT_SCAN in 13 seconds
Apr 15 12:09:50 vpnserver pluto[1424]: | handling event EVENT_RETRANSMIT
for 192.168.0.3 "test" #1
Apr 15 12:09:50 vpnserver pluto[1424]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #1
Apr 15 12:09:50 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
13 seconds
Apr 15 12:10:03 vpnserver pluto[1424]: |
Apr 15 12:10:03 vpnserver pluto[1424]: | *time to handle event
Apr 15 12:10:03 vpnserver pluto[1424]: | event after this is
EVENT_RETRANSMIT in 27 seconds
Apr 15 12:10:03 vpnserver pluto[1424]: | inserting event
EVENT_SHUNT_SCAN, timeout in 120 seconds
Apr 15 12:10:03 vpnserver pluto[1424]: | scanning for shunt eroutes
Apr 15 12:10:03 vpnserver pluto[1424]: | next event EVENT_RETRANSMIT in
27 seconds for #1
Apr 15 12:10:30 vpnserver pluto[1424]: |
Apr 15 12:10:30 vpnserver pluto[1424]: | *time to handle event
Apr 15 12:10:30 vpnserver pluto[1424]: | event after this is
EVENT_SHUNT_SCAN in 93 seconds
Apr 15 12:10:30 vpnserver pluto[1424]: | handling event EVENT_RETRANSMIT
for 192.168.0.3 "test" #1
Apr 15 12:10:30 vpnserver pluto[1424]: "test"[1] 192.168.0.3 #1: max
number of retransmissions (2) reached STATE_MAIN_R1
Apr 15 12:10:30 vpnserver pluto[1424]: | ICOOKIE: d3 45 72 d0 8c a1 2c c3
Apr 15 12:10:30 vpnserver pluto[1424]: | RCOOKIE: af 94 ba 59 d1 49 a1 72
Apr 15 12:10:30 vpnserver pluto[1424]: | peer: c0 a8 00 03
Apr 15 12:10:30 vpnserver pluto[1424]: | state hash entry 4
Apr 15 12:10:30 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
93 seconds
Apr 15 12:10:36 vpnserver pluto[1424]: |
Apr 15 12:10:36 vpnserver pluto[1424]: | *received whack message
Apr 15 12:10:36 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
87 seconds
Apr 15 12:10:37 vpnserver pluto[1424]: |
Apr 15 12:10:37 vpnserver pluto[1424]: | *received whack message
Apr 15 12:10:37 vpnserver pluto[1424]: | next event EVENT_SHUNT_SCAN in
86 seconds
+ _________________________ date
+ date
Thu Apr 15 12:10:38 CEST 2004