[Openswan Users]
Please, please help! WinXP Roadwarrior won't connect! (logs included)
Karim 'Kasi Mir' Senoucci
kasi.mir at melzone.de
Fri Aug 13 03:44:41 CEST 2004
Hello all,
I'm begging anyone on this list - can someone help me get those
stupid WinXP machines to connect to my Linux-based VPN?
The VPN in question was running fine with two Linux roadwarriors when
the need arose to connect a few WindowsXP machines. I've now
completely rewritten ALL configs twice, re-issued ALL certs (even for
the linux RW, which *were* working already) twice, once even re-building
a new CA. I've tried numerous test keys for the WinXP machines.
Everything has had exactly ZERO effect.
I always get
"IKE failed to find valid machine certificate"
on the Windows side, and
"encrypted Informational Exchange message is invalid because it is for
incomplete ISAKMP SA"
on the Linux side.
I KNOW that this error suggests two possible causes:
1. The machine cert for the WinXP machine isn't included correctly in
XP's list of certs.
But there it is: when I run ipsec.msc, I find
a) under "Certificates (Local Computer)/Personal/Certificates"
* All application policies
Issued to: "KasiTest"
Issued by: kassandra.21st-hq.de
Valid from 13.08.2004 to 05.03.2008
You have a private key that corresponds to this certificate.
b) under "Certificates (Local Computer)/Trusted Root Certification
Authorities/Certificates"
* All issuance policies
* All application policies
Issued to: kassandra.21st-hq.de
Issued by: kassandra.21st-hq.de
Valid from 18.07.2004 to 17.07.2008
So, both the machine cert and the issuing CA are listed in the
(AFAIK) right places.
2. The machine cert is valid for longer than the CA cert. But as you can
see above, that's not the case, either.
Therefore, I'm completely LOST - but I ABSOLUTELY NEED this to WORK.
I've spent nearly 30 hours now ONLY on getting the WinXP part to work -
the Linux part was working from day one and is still working fine.
I'm willing to try out anything to get this running, as otherwise the
only thing I can do is throw the whole VPN infrastructure out of the
Window and let someone else install a Windows VPN gateway replacing the
Linux machine which has worked fine for three years now. :-((
I'm sure I've done something incredibly stupid in any of the
configuration parts, as I seem to be the only one in the whole wide
world who fails to get this simple setup working, but again, *please*
bear with me and show me the error of my ways, as I'm losing all my
sleep over these d*mn WinXP machines. :-(
Any, ANY help will be greatly appreciated.
Below, I include my ipsec barf from the linux machine, plus an example
of the failing connections on my WinXP oakley log, plus the XP
ipsec.conf.
Thanks in advance
Karim Senoucci
------------------------------------------------------------------------------
WinXP ipsec.conf
------------------------------------------------------------------------------
conn XP-p2n
network=lan
auto=start
left=%any
right=kassandra.21st-hq.de
rightsubnet=192.168.168.0/24
rightca="C=DE,L=Hamburg,O=Synaptec Software & Consulting GmbH,OU=VPN Authority,CN=VPN Gateway"
pfs=yes
conn XP-p2p
network=lan
auto=start
left=%any
right=kassandra.21st-hq.de
rightca="C=DE,L=Hamburg,O=Synaptec Software & Consulting GmbH,OU=VPN Authority,CN=VPN Gateway"
pfs=yes
------------------------------------------------------------------------------
WinXP oakley.log (excerpt)
------------------------------------------------------------------------------
8-13: 02:28:18:750:6ec isadb_schedule_kill_oldPolicy_sas: e7ca166a-22ab-43e2-96821c0237141928 4
8-13: 02:28:18:750:6ec isadb_schedule_kill_oldPolicy_sas: ac244e6b-a909-4a27-98e3a3c4ee144ebc 4
8-13: 02:28:18:750:6ec isadb_schedule_kill_oldPolicy_sas: 1ce22153-0a87-4c6c-9c470b0ec230719f 3
8-13: 02:28:18:750:6ec isadb_schedule_kill_oldPolicy_sas: 41d8e6a7-3ea1-4b38-9f705bfd8fed568a 3
8-13: 02:28:18:750:6ec isadb_schedule_kill_oldPolicy_sas: 9e320f65-47c0-4053-8421373960e10d09 3
8-13: 02:28:18:750:6ec isadb_schedule_kill_oldPolicy_sas: 115966f7-c186-4775-9cf9d0853dff7678 1
8-13: 02:28:18:750:6ec isadb_schedule_kill_oldPolicy_sas: b341eb5c-4369-4396-a818c69f0a2f250d 2
8-13: 02:28:18:750:6ec isadb_schedule_kill_oldPolicy_sas: 37d4fa5e-9800-44ec-ae264ea744411355 2
8-13: 02:28:18:750:6ec isadb_schedule_kill_oldPolicy_sas: 8c08972e-a880-47fb-a125bbc9ef69356c 2
8-13: 02:28:18:781:b88 entered kill_old_policy_sas
8-13: 02:28:18:781:b88 entered kill_old_policy_sas
8-13: 02:28:18:781:b88 entered kill_old_policy_sas
8-13: 02:28:18:781:b88 entered kill_old_policy_sas
8-13: 02:28:18:781:b88 entered kill_old_policy_sas
8-13: 02:28:18:781:b88 entered kill_old_policy_sas
8-13: 02:28:18:781:b88 entered kill_old_policy_sas
8-13: 02:28:18:781:b88 entered kill_old_policy_sas
8-13: 02:28:18:781:b88 entered kill_old_policy_sas
8-13: 02:28:18:859:6ec isadb_schedule_kill_oldPolicy_sas: b1070463-a569-48d0-b3bd63f456cbe77a 4
8-13: 02:28:18:859:6ec isadb_schedule_kill_oldPolicy_sas: 929a2875-f9c3-4b0e-b1b456a60e67cf31 4
8-13: 02:28:18:859:6ec isadb_schedule_kill_oldPolicy_sas: cff9031c-6f03-4a3f-b4a2cbb9af50f604 3
8-13: 02:28:18:859:6ec isadb_schedule_kill_oldPolicy_sas: 31fd45ba-806e-4451-9b2dad5e436f3644 3
8-13: 02:28:18:859:6ec isadb_schedule_kill_oldPolicy_sas: 345d7f2c-bdfe-4763-a7104cbdaea8244c 1
8-13: 02:28:18:859:6ec isadb_schedule_kill_oldPolicy_sas: 5a7a2873-08dd-4c09-8b4b0f0c702d4b08 2
8-13: 02:28:18:859:6ec isadb_schedule_kill_oldPolicy_sas: db07a51f-460b-44a9-ad74586620664821 2
8-13: 02:28:18:875:d20 entered kill_old_policy_sas
8-13: 02:28:18:875:d20 entered kill_old_policy_sas
8-13: 02:28:18:875:d20 entered kill_old_policy_sas
8-13: 02:28:18:875:d20 entered kill_old_policy_sas
8-13: 02:28:18:875:d20 entered kill_old_policy_sas
8-13: 02:28:18:875:d20 entered kill_old_policy_sas
8-13: 02:28:18:875:d20 entered kill_old_policy_sas
8-13: 02:28:36:46:740 Acquire from driver: op=859FA490 src=192.168.13.13.0 dst=192.168.168.200.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=62.206.23.18 Inbound TunnelEndpt=192.168.13.13
8-13: 02:28:36:46:d20 Filter to match: Src 62.206.23.18 Dst 192.168.13.13
8-13: 02:28:36:46:d20 MM PolicyName: 29
8-13: 02:28:36:46:d20 MMPolicy dwFlags 2 SoftSAExpireTime 28800
8-13: 02:28:36:46:d20 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
8-13: 02:28:36:46:d20 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
8-13: 02:28:36:46:d20 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
8-13: 02:28:36:46:d20 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
8-13: 02:28:36:46:d20 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
8-13: 02:28:36:46:d20 MMOffer[2] Encrypt: DES CBC Hash: SHA
8-13: 02:28:36:46:d20 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
8-13: 02:28:36:46:d20 MMOffer[3] Encrypt: DES CBC Hash: MD5
8-13: 02:28:36:46:d20 Auth[0]:RSA Sig C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=VPN Gateway
8-13: 02:28:36:46:d20 QM PolicyName: Host-XP-p2n filter action dwFlags 1
8-13: 02:28:36:46:d20 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
8-13: 02:28:36:46:d20 QMOffer[0] dwFlags 0 dwPFSGroup 268435456
8-13: 02:28:36:140:d20 constructing ISAKMP Header
8-13: 02:28:36:156:d20 constructing KE
8-13: 02:28:36:156:d20 constructing NONCE (ISAKMP)
8-13: 02:28:36:156:d20
8-13: 02:28:36:156:d20 Sending: SA = 0x000D9EC0 to 62.206.23.18:Type 2
8-13: 02:28:36:156:d20 ISAKMP Header: (V1.0), len = 184
8-13: 02:28:36:156:d20 I-COOKIE 0c8ee25bfd2d11e6
8-13: 02:28:36:156:d20 R-COOKIE 14f3e57d58c1e3a4
8-13: 02:28:36:156:d20 exchange: Oakley Main Mode
8-13: 02:28:36:156:d20 flags: 0
8-13: 02:28:36:156:d20 next payload: KE
8-13: 02:28:36:156:d20 message ID: 00000000
8-13: 02:28:36:234:d20
8-13: 02:28:36:234:d20 Receive: (get) SA = 0x000d9ec0 from 62.206.23.18
8-13: 02:28:36:234:d20 ISAKMP Header: (V1.0), len = 188
8-13: 02:28:36:234:d20 I-COOKIE 0c8ee25bfd2d11e6
8-13: 02:28:36:234:d20 R-COOKIE 14f3e57d58c1e3a4
8-13: 02:28:36:234:d20 exchange: Oakley Main Mode
8-13: 02:28:36:234:d20 flags: 0
8-13: 02:28:36:234:d20 next payload: KE
8-13: 02:28:36:234:d20 message ID: 00000000
8-13: 02:28:36:234:d20 processing payload KE
8-13: 02:28:36:234:d20 processing payload NONCE
8-13: 02:28:36:234:d20 processing payload CRP
8-13: 02:28:36:234:d20 constructing ISAKMP Header
8-13: 02:28:36:234:d20 constructing ID
8-13: 02:28:36:250:d20 Received no valid CRPs. Using all configured
8-13: 02:28:36:250:d20 Looking for IPSec only cert
8-13: 02:28:36:250:d20 failed to get chain 80092004
8-13: 02:28:36:250:d20 Received no valid CRPs. Using all configured
8-13: 02:28:36:250:d20 Looking for any cert
8-13: 02:28:36:250:d20 failed to get chain 80092004
8-13: 02:28:36:250:d20 ProcessFailure: sa:000D9EC0 centry:00000000 status:35ee
8-13: 02:28:36:250:d20 isadb_set_status sa:000D9EC0 centry:00000000 status 35ee
8-13: 02:28:36:250:d20 Key Exchange Mode (Main Mode)
8-13: 02:28:36:250:d20 Source IP Address 192.168.13.13
Source IP Address Mask 255.255.255.255
Destination IP Address 62.206.23.18
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr
IKE Peer Addr
8-13: 02:28:36:250:d20 Certificate based Identity.
Peer IP Address: 62.206.23.18
8-13: 02:28:36:250:d20 Me
8-13: 02:28:36:250:d20 IKE failed to find valid machine certificate
8-13: 02:28:36:250:d20 0x80092004 0x0
8-13: 02:28:36:250:d20 ProcessFailure: sa:000D9EC0 centry:00000000 status:35ee
8-13: 02:28:36:250:d20 constructing ISAKMP Header
8-13: 02:28:36:250:d20 constructing HASH (null)
8-13: 02:28:36:250:d20 constructing NOTIFY 28
8-13: 02:28:36:250:d20 constructing HASH (Notify/Delete)
8-13: 02:28:36:250:d20
8-13: 02:28:36:250:d20 Sending: SA = 0x000D9EC0 to 62.206.23.18:Type 1
8-13: 02:28:36:250:d20 ISAKMP Header: (V1.0), len = 84
8-13: 02:28:36:250:d20 I-COOKIE 0c8ee25bfd2d11e6
8-13: 02:28:36:250:d20 R-COOKIE 14f3e57d58c1e3a4
8-13: 02:28:36:250:d20 exchange: ISAKMP Informational Exchange
8-13: 02:28:36:250:d20 flags: 1 ( encrypted )
8-13: 02:28:36:250:d20 next payload: HASH
8-13: 02:28:36:250:d20 message ID: 61854619
8-13: 02:28:46:390:d20
8-13: 02:28:46:390:d20 Receive: (get) SA = 0x000d9ec0 from 62.206.23.18
8-13: 02:28:46:390:d20 ISAKMP Header: (V1.0), len = 188
8-13: 02:28:46:390:d20 I-COOKIE 0c8ee25bfd2d11e6
8-13: 02:28:46:390:d20 R-COOKIE 14f3e57d58c1e3a4
8-13: 02:28:46:390:d20 exchange: Oakley Main Mode
8-13: 02:28:46:390:d20 flags: 0
8-13: 02:28:46:390:d20 next payload: KE
8-13: 02:28:46:390:d20 message ID: 00000000
8-13: 02:28:46:390:d20 received an unencrypted packet when crypto active
8-13: 02:28:46:390:d20 GetPacket failed 35ec
------------------------------------------------------------------------------
ipsec barf (linux VPN Gateway)
------------------------------------------------------------------------------
kassandra.21st-hq.de
Fri Aug 13 02:49:14 CEST 2004
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN super-freeswan-1.99.8
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.26 (root at kassandra.21st-hq.de) (gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)) #2 Wed Jun 16 13:26:16 CEST 2004
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
0 62.206.23.18/32:0 -> 192.168.251.0/24:0 => tun0x1005 at 62.109.111.168:0
0 192.168.168.0/24:0 -> 192.168.251.0/24:0 => tun0x1007 at 62.109.111.168:0
0 192.168.168.0/24:0 -> 62.109.111.168/32:0 => tun0x1006 at 62.109.111.168:0
404 62.206.23.18/32:0 -> 62.109.111.168/32:0 => tun0x1008 at 62.109.111.168:0
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
62.109.111.168 62.206.23.30 255.255.255.255 UGH 0 0 0 ipsec0
195.143.197.224 0.0.0.0 255.255.255.248 U 0 0 0 eth1
62.206.23.16 0.0.0.0 255.255.255.240 U 0 0 0 eth1
62.206.23.16 0.0.0.0 255.255.255.240 U 0 0 0 ipsec0
192.168.214.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.168.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.251.0 62.206.23.30 255.255.255.0 UG 0 0 0 ipsec0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.214.11 0.0.0.0 UG 0 0 0 eth1
0.0.0.0 192.168.214.12 0.0.0.0 UG 0 0 0 eth1
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
esp0x2d2b67d4 at 62.206.23.18 ESP_3DES_HMAC_MD5: dir=in src=62.109.111.168 iv_bits=64bits iv=0x20d31a14591eb916 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(40,0,0)
esp0x2d2b67d3 at 62.206.23.18 ESP_3DES_HMAC_MD5: dir=in src=62.109.111.168 iv_bits=64bits iv=0x0dceda272f45820e ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(40,0,0)
esp0x2d2b67d2 at 62.206.23.18 ESP_3DES_HMAC_MD5: dir=in src=62.109.111.168 iv_bits=64bits iv=0x3412966f1ec650d6 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(41,0,0)
esp0x2d2b67d1 at 62.206.23.18 ESP_3DES_HMAC_MD5: dir=in src=62.109.111.168 iv_bits=64bits iv=0x6e62635d23248e47 ooowin=64 seq=161 bit=0xffffffffffffffff max_seq_diff=1 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(14196,0,0)addtime(41,0,0)usetime(30,0,0)packets(161,0,0) idle=0
esp0x331005ab at 62.109.111.168 ESP_3DES_HMAC_MD5: dir=out src=62.206.23.18 iv_bits=64bits iv=0xd93fd40a6a003946 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(40,0,0)
esp0x331005aa at 62.109.111.168 ESP_3DES_HMAC_MD5: dir=out src=62.206.23.18 iv_bits=64bits iv=0xead1b031affbf6dc ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(40,0,0)
esp0x331005a9 at 62.109.111.168 ESP_3DES_HMAC_MD5: dir=out src=62.206.23.18 iv_bits=64bits iv=0x993e3be1e09d5e81 ooowin=64 seq=202 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(171720,0,0)addtime(40,0,0)usetime(31,0,0)packets(202,0,0) idle=0
esp0x331005a8 at 62.109.111.168 ESP_3DES_HMAC_MD5: dir=out src=62.206.23.18 iv_bits=64bits iv=0x34e62d2b488bb751 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(40,0,0)
tun0x1004 at 62.206.23.18 IPIP: dir=in src=62.109.111.168 policy=192.168.251.0/24->192.168.168.0/24 flags=0x8<> life(c,s,h)=addtime(40,0,0)
tun0x1003 at 62.206.23.18 IPIP: dir=in src=62.109.111.168 policy=62.109.111.168/32->192.168.168.0/24 flags=0x8<> life(c,s,h)=addtime(40,0,0)
tun0x1002 at 62.206.23.18 IPIP: dir=in src=62.109.111.168 policy=192.168.251.0/24->62.206.23.18/32 flags=0x8<> life(c,s,h)=addtime(41,0,0)
tun0x1001 at 62.206.23.18 IPIP: dir=in src=62.109.111.168 policy=62.109.111.168/32->62.206.23.18/32 flags=0x8<> life(c,s,h)=bytes(14196,0,0)addtime(41,0,0)usetime(30,0,0)packets(161,0,0) idle=0
tun0x1008 at 62.109.111.168 IPIP: dir=out src=62.206.23.18 life(c,s,h)=bytes(165127,0,0)addtime(40,0,0)usetime(31,0,0)packets(202,0,0) idle=0
tun0x1007 at 62.109.111.168 IPIP: dir=out src=62.206.23.18 life(c,s,h)=addtime(40,0,0)
tun0x1006 at 62.109.111.168 IPIP: dir=out src=62.206.23.18 life(c,s,h)=addtime(40,0,0)
tun0x1005 at 62.109.111.168 IPIP: dir=out src=62.206.23.18 life(c,s,h)=addtime(40,0,0)
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1004 at 62.206.23.18 esp0x2d2b67d4 at 62.206.23.18
tun0x1003 at 62.206.23.18 esp0x2d2b67d3 at 62.206.23.18
tun0x1002 at 62.206.23.18 esp0x2d2b67d2 at 62.206.23.18
tun0x1001 at 62.206.23.18 esp0x2d2b67d1 at 62.206.23.18
tun0x1008 at 62.109.111.168 esp0x331005a9 at 62.109.111.168
tun0x1007 at 62.109.111.168 esp0x331005a8 at 62.109.111.168
tun0x1006 at 62.109.111.168 esp0x331005ab at 62.109.111.168
tun0x1005 at 62.109.111.168 esp0x331005aa at 62.109.111.168
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth1 mtu=16260(1443) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
dfc1e3c0 15237 dbe0e2a0 0 0 0 0 2 106496 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 dbe0e2a0 15237 dfc1e3c0
pf_key_registered: 3 dbe0e2a0 15237 dfc1e3c0
pf_key_registered: 9 dbe0e2a0 15237 dfc1e3c0
pf_key_registered: 10 dbe0e2a0 15237 dfc1e3c0
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 253 128 128 256
pf_key_supported: 3 14 7 0 512 512
pf_key_supported: 3 14 5 0 256 256
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 15 252 128 128 256
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 3 15 6 64 40 128
pf_key_supported: 3 15 7 64 96 448
pf_key_supported: 3 14 9 0 128 128
pf_key_supported: 3 15 12 128 128 256
pf_key_supported: 3 15 3 64 168 168
pf_key_supported: 3 15 3 64 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth1 62.206.23.18
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_ID9, keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=6, name=OAKLEY_CAST_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "n2n"[1]: 192.168.168.0/24===62.206.23.18[C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=VPN Gateway]---62.206.23.30...62.109.111.168[C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=Tanja Mattfeldt]===192.168.251.0/24
000 "n2n"[1]: CAs: 'C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=kassandra.21st-hq.de'...'%any'
000 "n2n"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "n2n"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; erouted
000 "n2n"[1]: newest ISAKMP SA: #0; newest IPsec SA: #5; eroute owner: #5
000 "n2n"[1]: IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "n2n"[1]: IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "n2n"[1]: ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "n2n"[1]: ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "n2n"[1]: ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000 "g2n"[1]: 62.206.23.18[C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=VPN Gateway]---62.206.23.30...62.109.111.168[C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=Tanja Mattfeldt]===192.168.251.0/24
000 "g2n"[1]: CAs: 'C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=kassandra.21st-hq.de'...'%any'
000 "g2n"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "g2n"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; erouted
000 "g2n"[1]: newest ISAKMP SA: #0; newest IPsec SA: #3; eroute owner: #3
000 "g2n"[1]: IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "g2n"[1]: IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "g2n"[1]: ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "g2n"[1]: ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "g2n"[1]: ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000 "g2g"[1]: 62.206.23.18[C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=VPN Gateway]---62.206.23.30...62.109.111.168[C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=Tanja Mattfeldt]
000 "g2g"[1]: CAs: 'C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=kassandra.21st-hq.de'...'%any'
000 "g2g"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "g2g"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; erouted
000 "g2g"[1]: newest ISAKMP SA: #0; newest IPsec SA: #2; eroute owner: #2
000 "g2g"[1]: IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "g2g"[1]: IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "g2g"[1]: ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "g2g"[1]: ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "g2g"[1]: ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000 "n2g"[2]: 192.168.168.0/24===62.206.23.18[C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=VPN Gateway]---62.206.23.30...62.109.111.168[C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=Tanja Mattfeldt]
000 "n2g"[2]: CAs: 'C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=kassandra.21st-hq.de'...'%any'
000 "n2g"[2]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "n2g"[2]: policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; erouted
000 "n2g"[2]: newest ISAKMP SA: #1; newest IPsec SA: #4; eroute owner: #4
000 "n2g"[2]: IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "n2g"[2]: IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "n2g"[2]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "n2g"[2]: ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "n2g"[2]: ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "n2g"[2]: ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000 "g2n": 62.206.23.18[C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=VPN Gateway]---62.206.23.30...%any==={192.168.0.0/16}
000 "g2n": CAs: 'C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=kassandra.21st-hq.de'...'%any'
000 "g2n": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "g2n": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "g2n": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "g2n": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "g2n": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "g2n": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "g2n": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "n2n": 192.168.168.0/24===62.206.23.18[C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=VPN Gateway]---62.206.23.30...%any==={192.168.0.0/16}
000 "n2n": CAs: 'C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=kassandra.21st-hq.de'...'%any'
000 "n2n": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "n2n": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "n2n": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "n2n": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "n2n": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "n2n": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "n2n": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "g2g": 62.206.23.18[C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=VPN Gateway]---62.206.23.30...%any
000 "g2g": CAs: 'C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=kassandra.21st-hq.de'...'%any'
000 "g2g": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "g2g": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "g2g": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "g2g": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "g2g": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "g2g": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "g2g": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "n2g": 192.168.168.0/24===62.206.23.18[C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=VPN Gateway]---62.206.23.30...%any
000 "n2g": CAs: 'C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=kassandra.21st-hq.de'...'%any'
000 "n2g": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "n2g": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "n2g": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "n2g": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "n2g": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "n2g": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "n2g": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000
000 #5: "n2n"[1] 62.109.111.168 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28490s; newest IPSEC; eroute owner
000 #5: "n2n"[1] 62.109.111.168 esp.331005a8 at 62.109.111.168 esp.2d2b67d4 at 62.206.23.18 tun.1007 at 62.109.111.168 tun.1004 at 62.206.23.18
000 #4: "n2g"[2] 62.109.111.168 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28490s; newest IPSEC; eroute owner
000 #4: "n2g"[2] 62.109.111.168 esp.331005ab at 62.109.111.168 esp.2d2b67d3 at 62.206.23.18 tun.1006 at 62.109.111.168 tun.1003 at 62.206.23.18
000 #3: "g2n"[1] 62.109.111.168 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28490s; newest IPSEC; eroute owner
000 #3: "g2n"[1] 62.109.111.168 esp.331005aa at 62.109.111.168 esp.2d2b67d2 at 62.206.23.18 tun.1005 at 62.109.111.168 tun.1002 at 62.206.23.18
000 #2: "g2g"[1] 62.109.111.168 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28490s; newest IPSEC; eroute owner
000 #2: "g2g"[1] 62.109.111.168 esp.331005a9 at 62.109.111.168 esp.2d2b67d1 at 62.206.23.18 tun.1008 at 62.109.111.168 tun.1001 at 62.206.23.18
000 #1: "n2g"[2] 62.109.111.168 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3289s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
dummy0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eql Link encap:Serial Line IP
MASTER MTU:576 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:5
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth0 Link encap:Ethernet HWaddr 00:01:02:98:38:46
inet addr:192.168.168.200 Bcast:192.168.168.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:54010207 errors:121 dropped:0 overruns:17 frame:129
TX packets:56894127 errors:0 dropped:0 overruns:0 carrier:1641
collisions:980843 txqueuelen:1000
RX bytes:901896790 (860.1 Mb) TX bytes:3353763495 (3198.3 Mb)
Interrupt:19 Base address:0xec00
eth1 Link encap:Ethernet HWaddr 00:E0:7D:E6:B9:CB
inet addr:62.206.23.18 Bcast:62.206.23.31 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46743548 errors:0 dropped:0 overruns:0 frame:0
TX packets:38620207 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:58428413 (55.7 Mb) TX bytes:2806075833 (2676.0 Mb)
Interrupt:17 Base address:0xae00
eth1:0 Link encap:Ethernet HWaddr 00:E0:7D:E6:B9:CB
inet addr:195.143.197.227 Bcast:62.206.23.31 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:17 Base address:0xae00
eth1:1 Link encap:Ethernet HWaddr 00:E0:7D:E6:B9:CB
inet addr:192.168.214.1 Bcast:192.168.214.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:17 Base address:0xae00
ipsec0 Link encap:Ethernet HWaddr 00:E0:7D:E6:B9:CB
inet addr:62.206.23.18 Mask:255.255.255.240
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:165 errors:0 dropped:4 overruns:0 frame:0
TX packets:202 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:10976 (10.7 Kb) TX bytes:174548 (170.4 Kb)
ipsec1 Link encap:IPIP Tunnel HWaddr
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:IPIP Tunnel HWaddr
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:IPIP Tunnel HWaddr
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3458040 errors:0 dropped:0 overruns:0 frame:0
TX packets:3458040 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:346617515 (330.5 Mb) TX bytes:346617515 (330.5 Mb)
tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
kassandra.21st-hq.de
+ _________________________ hostname/ipaddress
+ hostname --ip-address
62.206.23.18
+ _________________________ uptime
+ uptime
2:49am up 56 days, 9:29, 1 user, load average: 0.08, 0.03, 0.01
+ _________________________ ps
+ ps alxwf
Warning: /boot/System.map has an incorrect kernel version.
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
000 0 15502 14585 9 0 4296 1044 wait4 S pts/1 0:00 \_ /bin/sh /usr/local/sbin/ipsec barf
000 0 15503 15502 16 0 4312 1088 wait4 S pts/1 0:00 \_ /bin/sh /usr/local/lib/ipsec/barf
040 0 15228 1 9 0 2032 956 wait4 S pts/1 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids
040 0 15233 15228 9 0 2032 964 wait4 S pts/1 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqu
100 0 15237 15233 9 0 2284 1116 do_sel S pts/1 0:00 | \_ /usr/local/lib/ipsec/pluto --nofork --debug-none --uniq
000 0 15240 15237 9 0 1384 252 do_sel S pts/1 0:00 | \_ _pluto_adns 7 10
000 0 15234 15228 8 0 2008 944 pipe_w S pts/1 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --load %search --st
000 0 15229 1 9 0 1320 352 pipe_w S pts/1 0:00 logger -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
#dr: no default route
# no default route
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
config setup
interfaces="ipsec0=eth1"
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
conn %default
keyingtries=0
disablearrivalcheck=no
authby=rsasig
rightrsasigkey=%cert
leftnexthop=ns1.21st-hq.de
conn n2n
auto=add
# local side
left=kassandra.21st-hq.de
leftsubnet=192.168.168.0/24
leftcert=GatewayCert.pem
# remote side
right=%any
rightsubnetwithin=192.168.0.0/16
conn g2n
auto=add
# local side
left=kassandra.21st-hq.de
leftcert=GatewayCert.pem
# remote side
right=%any
rightsubnetwithin=192.168.0.0/16
conn n2g
auto=add
# local side
left=kassandra.21st-hq.de
leftsubnet=192.168.168.0/24
leftcert=GatewayCert.pem
# remote side
right=%any
conn g2g
auto=add
# local side
left=kassandra.21st-hq.de
leftcert=GatewayCert.pem
# remote side
right=%any
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
: RSA /etc/ipsec.d/private/GatewayKey.pem "[sums to 19ae...]"
: RSA {
# RSA 2192 bits kassandra.21st-hq.de Tue Jul 15 22:22:12 2003
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQPzx4E6U]
#IN KEY 0x4200 4 1 [keyid AQPzx4E6U]
# (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
: PSK "[sums to 482f...]"
+ _________________________ ipsec/ls-dir
+ ls -l /usr/local/lib/ipsec
total 6536
-rwxr-xr-x 1 root root 11381 Jul 16 2003 _confread
-rwxr-xr-x 1 root root 11381 Jul 15 2003 _confread.old
-rwxr-xr-x 1 root root 48023 Jul 16 2003 _copyright
-rwxr-xr-x 1 root root 48023 Jul 15 2003 _copyright.old
-rwxr-xr-x 1 root root 2164 Jul 16 2003 _include
-rwxr-xr-x 1 root root 2164 Jul 15 2003 _include.old
-rwxr-xr-x 1 root root 1476 Jul 16 2003 _keycensor
-rwxr-xr-x 1 root root 1476 Jul 15 2003 _keycensor.old
-rwxr-xr-x 1 root root 71015 Jul 16 2003 _pluto_adns
-rwxr-xr-x 1 root root 71015 Jul 15 2003 _pluto_adns.old
-rwxr-xr-x 1 root root 3497 Jul 16 2003 _plutoload
-rwxr-xr-x 1 root root 3497 Jul 15 2003 _plutoload.old
-rwxr-xr-x 1 root root 5696 Jul 16 2003 _plutorun
-rwxr-xr-x 1 root root 5696 Jul 15 2003 _plutorun.old
-rwxr-xr-x 1 root root 7759 Jul 16 2003 _realsetup
-rwxr-xr-x 1 root root 7759 Jul 15 2003 _realsetup.old
-rwxr-xr-x 1 root root 1975 Jul 16 2003 _secretcensor
-rwxr-xr-x 1 root root 1975 Jul 15 2003 _secretcensor.old
-rwxr-xr-x 1 root root 7058 Jul 16 2003 _startklips
-rwxr-xr-x 1 root root 7058 Jul 15 2003 _startklips.old
-rwxr-xr-x 1 root root 5015 Jul 16 2003 _updown
-rwxr-xr-x 1 root root 5015 Jul 15 2003 _updown.old
-rwxr-xr-x 1 root root 7572 Jul 16 2003 _updown.x509
-rwxr-xr-x 1 root root 7572 Jul 15 2003 _updown.x509.old
-rwxr-xr-x 1 root root 14235 Jul 16 2003 auto
-rwxr-xr-x 1 root root 14235 Jul 15 2003 auto.old
-rwxr-xr-x 1 root root 7193 Jul 16 2003 barf
-rwxr-xr-x 1 root root 7193 Jul 15 2003 barf.old
-rwxr-xr-x 1 root root 816 Jul 16 2003 calcgoo
-rwxr-xr-x 1 root root 816 Jul 15 2003 calcgoo.old
-rwxr-xr-x 1 root root 328169 Jul 16 2003 eroute
-rwxr-xr-x 1 root root 142262 Jul 16 2003 ikeping
-rwxr-xr-x 1 root root 142262 Jul 15 2003 ikeping.old
-rwxr-xr-x 1 root root 2933 Jul 16 2003 ipsec
-rwxr-xr-x 1 root root 2933 Jul 15 2003 ipsec.old
-rw-r--r-- 1 root root 1950 Jul 16 2003 ipsec_pr.template
-rwxr-xr-x 1 root root 175145 Jul 16 2003 klipsdebug
-rwxr-xr-x 1 root root 2438 Jul 16 2003 look
-rwxr-xr-x 1 root root 2438 Jul 15 2003 look.old
-rwxr-xr-x 1 root root 16158 Jul 16 2003 manual
-rwxr-xr-x 1 root root 16158 Jul 15 2003 manual.old
-rwxr-xr-x 1 root root 1847 Jul 16 2003 newhostkey
-rwxr-xr-x 1 root root 1847 Jul 15 2003 newhostkey.old
-rwxr-xr-x 1 root root 150756 Jul 16 2003 pf_key
-rwxr-xr-x 1 root root 1757592 Jul 16 2003 pluto
-rwxr-xr-x 1 root root 1757592 Jul 15 2003 pluto.old
-rwxr-xr-x 1 root root 52496 Jul 16 2003 ranbits
-rwxr-xr-x 1 root root 52496 Jul 15 2003 ranbits.old
-rwxr-xr-x 1 root root 78670 Jul 16 2003 rsasigkey
-rwxr-xr-x 1 root root 78670 Jul 15 2003 rsasigkey.old
-rwxr-xr-x 1 root root 16730 Jul 16 2003 send-pr
-rwxr-xr-x 1 root root 16730 Jul 15 2003 send-pr.old
lrwxrwxrwx 1 root root 22 Jul 16 2003 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1043 Jul 16 2003 showdefaults
-rwxr-xr-x 1 root root 1043 Jul 15 2003 showdefaults.old
-rwxr-xr-x 1 root root 4203 Jul 16 2003 showhostkey
-rwxr-xr-x 1 root root 4203 Jul 15 2003 showhostkey.old
-rwxr-xr-x 1 root root 449394 Jul 16 2003 spi
-rwxr-xr-x 1 root root 274138 Jul 16 2003 spigrp
-rwxr-xr-x 1 root root 60255 Jul 16 2003 tncfg
-rwxr-xr-x 1 root root 16056 Jul 16 2003 uml_netjig
-rwxr-xr-x 1 root root 7405 Jul 16 2003 verify
-rwxr-xr-x 1 root root 7405 Jul 15 2003 verify.old
-rwxr-xr-x 1 root root 242948 Jul 16 2003 whack
-rwxr-xr-x 1 root root 242948 Jul 15 2003 whack.old
+ _________________________ ipsec/updowns
++ ls /usr/local/lib/ipsec
++ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.1.1.1 2002/09/05 03:13:22 ken Exp $
# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
}
downroute() {
doroute del
}
doroute() {
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
;;
*) it="route $1 $parms $parms2"
;;
esac
eval $it
st=$?
if test $st -ne 0
then
# route has already given its own cryptic message
echo "$0: \`$it' failed" >&2
if test " $1 $st" = " add 7"
then
# another totally undocumented interface -- 7 and
# "SIOCADDRT: Network is unreachable" means that
# the gateway isn't reachable.
echo "$0: (incorrect or missing nexthop setting??)" >&2
fi
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
;;
*)
it="route del -net $PLUTO_PEER_CLIENT_NET \
netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
;;
esac
oops="`eval $it`"
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
'SIOCDELRT: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ cat /usr/local/lib/ipsec/_updown.x509
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
#
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
}
downroute() {
doroute del
}
doroute() {
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
;;
*) it="route $1 $parms $parms2"
route $1 $parms $parms2
;;
esac
st=$?
if test $st -ne 0
then
# route has already given its own cryptic message
echo "$0: \`$it' failed" >&2
if test " $1 $st" = " add 7"
then
# another totally undocumented interface -- 7 and
# "SIOCADDRT: Network is unreachable" means that
# the gateway isn't reachable.
echo "$0: (incorrect or missing nexthop setting??)" >&2
fi
fi
return $st
}
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
S_MY_PORT="--sport $PLUTO_MY_PORT"
D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
S_PEER_PORT="--sport $PLUTO_PEER_PORT"
D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
parms1="-net 0.0.0.0 netmask 128.0.0.0"
parms2="-net 128.0.0.0 netmask 128.0.0.0"
it="route del $parms1 2>&1 ; route del $parms2 2>&1"
oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
;;
*)
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
it="route del $parms 2>&1"
oops="`route del $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
'SIOCDELRT: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo:346618003 3458044 0 0 0 0 0 0 346618003 3458044 0 0 0 0 0 0
eth0:901896888 54010208 121 0 17 129 0 0 3353763593 56894128 0 0 0 980843 1641 0
dummy0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth1:58428413 46743548 0 0 0 0 0 0 2806075999 38620208 0 0 0 0 0 0
eql: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
tunl0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec0: 10976 165 0 4 0 0 0 0 174714 203 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ipsec0 A86F6D3E 1E17CE3E 0007 0 0 0 FFFFFFFF 0 0 0
eth1 E0C58FC3 00000000 0001 0 0 0 F8FFFFFF 0 0 0
eth1 1017CE3E 00000000 0001 0 0 0 F0FFFFFF 0 0 0
ipsec0 1017CE3E 00000000 0001 0 0 0 F0FFFFFF 0 0 0
eth1 00D6A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 00A8A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 00FBA8C0 1E17CE3E 0003 0 0 0 00FFFFFF 0 0 0
lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0
eth1 00000000 0BD6A8C0 0003 0 0 0 00000000 0 0 0
eth1 00000000 0CD6A8C0 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux kassandra.21st-hq.de 2.4.26 #2 Wed Jun 16 13:26:16 CEST 2004 i686 athlon i386 GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Red Hat Linux release 8.0 (Psyche)
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: super-freeswan-1.99.8
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy DROP 35 packets, 6807 bytes)
pkts bytes target prot opt in out source destination
3010 663K all -- eth1 * 0.0.0.0/0 0.0.0.0/0
876 215K tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
102 29344 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
670 89624 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
16 5248 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67
1358 131K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2432 204K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
20 1928 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
68 5094 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/24
3158 604K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 56 ACCEPT udp -- * * 192.168.214.0/24 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 192.168.214.0/24 0.0.0.0/0 tcp dpt:53
6 365 ACCEPT udp -- * * 192.168.214.0/24 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- * * 192.168.214.0/24 0.0.0.0/0 tcp spt:53
0 0 ACCEPT all -- * * 192.168.168.155 0.0.0.0/0
80 14043 ACCEPT udp -- * * 0.0.0.0/0 192.168.168.255 udp dpts:137:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.168.255 tcp dpts:135:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.168.255 tcp dpt:445
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
80 3840 lo-to-fw all -- eth0 * 0.0.0.0/0 192.168.168.200
95 5616 gl-to-fw all -- eth1 * 0.0.0.0/0 62.206.23.18
2 96 gl-to-fw all -- eth1 * 0.0.0.0/0 195.143.197.227
0 0 gl-to-fw all -- eth1 * 0.0.0.0/0 192.168.214.1
5 300 ipsec-in all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
35 6807 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `INPUT-catchall:'
Chain FORWARD (policy DROP 5 packets, 324 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.168.3 tcp dpt:443
0 0 ACCEPT tcp -- * * 192.168.214.3 192.168.168.4 tcp dpt:1433
0 0 ACCEPT tcp -- * * 62.206.23.19 192.168.168.4 tcp dpt:1433
0 0 ACCEPT icmp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 ACCEPT icmp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ipsec+ eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 ipsec+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.168.0/24 212.105.193.142 tcp dpt:3306
0 0 ACCEPT all -- ipsec+ * 0.0.0.0/0 192.168.168.155
0 0 ACCEPT all -- * ipsec+ 192.168.168.155 0.0.0.0/0
0 0 tcp -- * * 192.168.14.0/24 0.0.0.0/0 tcp dpt:11138
3 228 outgoing all -- eth0 eth1 192.168.168.0/24 0.0.0.0/0
5 324 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `FORWARD-catchall:'
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3282 508K all -- * eth1 0.0.0.0/0 0.0.0.0/0
39 2383 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
128 32900 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
651 256K ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.168.4 tcp dpt:1433
1358 131K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2538 213K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
2776 451K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.214.0/24 udp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.214.0/24 tcp spt:53
179 10586 ACCEPT udp -- * * 0.0.0.0/0 192.168.214.0/24 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.214.0/24 tcp dpt:53
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.168.155
0 0 ACCEPT udp -- * * 192.168.168.255 0.0.0.0/0 udp spts:137:139
0 0 ACCEPT tcp -- * * 192.168.168.255 0.0.0.0/0 tcp spts:135:139 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 192.168.168.255 0.0.0.0/0 tcp spt:445 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:113 flags:!0x16/0x02
88 5280 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 flags:!0x16/0x02
8 1956 lofromfw all -- * eth0 192.168.168.200 0.0.0.0/0
0 0 glfromfw all -- * eth1 62.206.23.18 0.0.0.0/0
0 0 glfromfw all -- * eth1 195.143.197.227 0.0.0.0/0
408 27177 glfromfw all -- * eth1 192.168.214.1 0.0.0.0/0
0 0 ipsec-out all -- * ipsec+ 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `OUTPUT-catchall:'
Chain gl-to-fw (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2401
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2402
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 192.168.0.0/16 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
88 5280 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 62.206.23.19 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 192.168.214.3 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:540
9 432 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `gl-to-fw-catchall:'
Chain glfromfw (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2401
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2402
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53 flags:!0x16/0x02
361 24357 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:43
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:701
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:37
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:11138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2401
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:554
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.0/16 tcp spt:110 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:995 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:54732
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6789
35 2100 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8181
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
12 720 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 62.206.23.19 tcp spt:143 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.214.3 tcp spt:143 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:993 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:540 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6666
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6667
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `glfromfw-catchall:'
Chain ipsec-in (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3690
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3690
5 300 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ipsec-out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:3690
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:3690
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain lo-to-fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3690
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3690
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2401
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2402
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:515
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4558
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4559
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.168.200 udp dpts:137:139
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:137:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:701
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:37
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:11138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2401
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:554
44 2112 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- * * 192.168.0.0/16 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:54732
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6789
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
36 1728 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2512
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2512
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2512
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8181
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6666
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6667
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `lo-to-fw-catchall:'
Chain lofromfw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:3690
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:3690
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2401
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2402
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:515
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:4558
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:4559
8 1956 ACCEPT udp -- * * 192.168.168.200 0.0.0.0/0 udp spts:137:139
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:135:139 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:445 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.0/16 tcp spt:110 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:23 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2512
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2512
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:2512
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:143 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:993 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `lofromfw-catchall:'
Chain outgoing (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:43
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:701
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:37
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:11138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2401
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:554
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:54732
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6789
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8181
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6666
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6667
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
3 228 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `outgoing-catchall:'
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/local/lib/ipsec/barf: line 197: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/local/lib/ipsec/barf: line 199: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/local/lib/ipsec/barf: line 201: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/local/lib/ipsec/barf: line 203: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 2124K packets, 149M bytes)
pkts bytes target prot opt in out source destination
2 96 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433 to:192.168.168.4:1433
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10204 to:192.168.168.3:443
88 5280 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 redir ports 25
Chain POSTROUTING (policy ACCEPT 5473K packets, 442M bytes)
pkts bytes target prot opt in out source destination
3 312 MASQUERADE udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 masq ports: 500
302 20358 SNAT all -- * eth1 0.0.0.0/0 !192.168.214.0/24 to:62.206.23.18
0 0 SNAT all -- * ipsec+ 0.0.0.0/0 0.0.0.0/0 to:62.206.23.18
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/local/lib/ipsec/barf: line 207: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/local/lib/ipsec/barf: line 209: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 102M packets, 56G bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 35M packets, 17G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 67M packets, 39G bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 32M packets, 9277M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 99M packets, 48G bytes)
pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ cat /proc/modules
ipsec 425280 2
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 526827520 520519680 6307840 0 63799296 303812608
Swap: 1077501952 115343360 962158592
MemTotal: 514480 kB
MemFree: 6160 kB
MemShared: 0 kB
Buffers: 62304 kB
Cached: 265292 kB
SwapCached: 31400 kB
Active: 288856 kB
Inactive: 115572 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 514480 kB
LowFree: 6160 kB
SwapTotal: 1052248 kB
SwapFree: 939608 kB
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r-- 1 root root 0 Aug 13 02:49 /proc/net/ipsec_eroute
-r--r--r-- 1 root root 0 Aug 13 02:49 /proc/net/ipsec_klipsdebug
-r--r--r-- 1 root root 0 Aug 13 02:49 /proc/net/ipsec_spi
-r--r--r-- 1 root root 0 Aug 13 02:49 /proc/net/ipsec_spigrp
-r--r--r-- 1 root root 0 Aug 13 02:49 /proc/net/ipsec_tncfg
-r--r--r-- 1 root root 0 Aug 13 02:49 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
# CONFIG_PARPORT_IP22 is not set
# CONFIG_MD_MULTIPATH is not set
# CONFIG_NETLINK_DEV is not set
# CONFIG_IP_MULTICAST is not set
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=y
# CONFIG_NET_IPGRE is not set
# IP: Netfilter Configuration
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_TFTP is not set
CONFIG_IP_NF_IRC=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
# CONFIG_IP_NF_MATCH_MAC is not set
CONFIG_IP_NF_MATCH_PKTTYPE=y
# CONFIG_IP_NF_MATCH_MARK is not set
CONFIG_IP_NF_MATCH_MULTIPORT=y
# CONFIG_IP_NF_MATCH_TOS is not set
CONFIG_IP_NF_MATCH_TIME=y
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
# CONFIG_IP_NF_MATCH_LENGTH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_TCPMSS is not set
# CONFIG_IP_NF_MATCH_HELPER is not set
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_MIRROR=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
# CONFIG_IP_NF_TARGET_TOS is not set
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_DSCP is not set
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
# CONFIG_IP_NF_TARGET_TCPMSS is not set
# CONFIG_IP_NF_ARPTABLES is not set
# IP: Virtual Server Configuration
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
CONFIG_IPSEC=m
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_ALG=y
CONFIG_IPSEC_ALG_MD5=y
CONFIG_IPSEC_ALG_SHA1=y
CONFIG_IPSEC_ALG_SHA2=y
CONFIG_IPSEC_ALG_3DES=y
CONFIG_IPSEC_ALG_AES=y
CONFIG_IPSEC_ALG_BLOWFISH=y
CONFIG_IPSEC_ALG_TWOFISH=y
CONFIG_IPSEC_ALG_SERPENT=y
CONFIG_IPSEC_ALG_CAST=y
# CONFIG_IPSEC_ALG_NULL is not set
# CONFIG_IPSEC_ALG_CRYPTOAPI is not set
# CONFIG_IPSEC_ALG_1DES is not set
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
CONFIG_IPSEC_NAT_TRAVERSAL=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_IDE_CHIPSETS is not set
CONFIG_TULIP=y
# CONFIG_TULIP_MWI is not set
# CONFIG_TULIP_MMIO is not set
# CONFIG_HIPPI is not set
# CONFIG_PLIP is not set
# CONFIG_SLIP is not set
# CONFIG_TIPAR is not set
# CONFIG_IPMI_HANDLER is not set
# CONFIG_IPMI_PANIC_EVENT is not set
# CONFIG_IPMI_DEVICE_INTERFACE is not set
# CONFIG_IPMI_KCS is not set
# CONFIG_IPMI_WATCHDOG is not set
# CONFIG_USB_AIPTEK is not set
CONFIG_USB_SERIAL_IPAQ=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
*.* /var/log/allmessages
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
hosts
nameserver 127.0.0.1
nameserver 192.168.214.11
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 16
drwxr-xr-x 4 root root 4096 Feb 21 2003 2.4.18-14
drwxr-xr-x 4 root root 4096 Feb 25 2003 2.4.19
drwxr-xr-x 4 root root 4096 Jul 15 2003 2.4.20
drwxr-xr-x 4 root root 4096 Jun 16 13:24 2.4.26
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c02b9550 netif_rx_Rfcb47f67
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.18-14: U netif_rx_R61b6a4ab
2.4.19:
2.4.20:
2.4.26:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '89088,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Aug 13 02:48:25 kassandra ipsec_setup: Starting FreeS/WAN IPsec super-freeswan-1.99.8...
Aug 13 02:48:25 kassandra ipsec_setup: Using /lib/modules/2.4.26/kernel/net/ipsec/ipsec.o
Aug 13 02:48:25 kassandra kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: super-freeswan-1.99.8
Aug 13 02:48:25 kassandra kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=15)
Aug 13 02:48:25 kassandra kernel: klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
Aug 13 02:48:25 kassandra kernel: ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
Aug 13 02:48:25 kassandra kernel: ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
Aug 13 02:48:25 kassandra kernel: ipsec_aes_init(alg_type=14 alg_id=9 name=aes_mac): ret=0
Aug 13 02:48:25 kassandra kernel: ipsec_blowfish_init(alg_type=15 alg_id=7 name=blowfish): ret=0
Aug 13 02:48:25 kassandra kernel: ipsec_cast_init(alg_type=15 alg_id=6 name=cast): ret=0
Aug 13 02:48:25 kassandra kernel: ipsec_md5_init(alg_type=14 alg_id=2 name=md5): ret=0
Aug 13 02:48:25 kassandra kernel: ipsec_serpent_init(alg_type=15 alg_id=252 name=serpent): ret=0
Aug 13 02:48:25 kassandra kernel: ipsec_sha1_init(alg_type=14 alg_id=3 name=sha1): ret=0
Aug 13 02:48:25 kassandra kernel: ipsec_sha2_init(alg_type=14 alg_id=5 name=sha2_256): ret=0
Aug 13 02:48:25 kassandra kernel: ipsec_sha2_init(alg_type=14 alg_id=7 name=sha2_512): ret=0
Aug 13 02:48:25 kassandra kernel: ipsec_twofish_init(alg_type=15 alg_id=253 name=twofish): ret=0
Aug 13 02:48:25 kassandra ipsec_setup: KLIPS debug `none'
Aug 13 02:48:25 kassandra ipsec_setup: KLIPS ipsec0 on eth1 62.206.23.18/255.255.255.240 broadcast 62.206.23.31
Aug 13 02:48:25 kassandra ipsec_setup: ...FreeS/WAN IPsec started
+ _________________________ plog
+ sed -n '11167,$p' /var/log/secure
+ egrep -i pluto
+ cat
Aug 13 02:48:25 kassandra ipsec__plutorun: Starting Pluto subsystem...
Aug 13 02:48:25 kassandra pluto[15237]: Starting Pluto (FreeS/WAN Version super-freeswan-1.99.8)
Aug 13 02:48:25 kassandra pluto[15237]: including X.509 patch with traffic selectors (Version 0.9.32)
Aug 13 02:48:25 kassandra pluto[15237]: including NAT-Traversal patch (Version 0.6) [disabled]
Aug 13 02:48:25 kassandra pluto[15237]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 13 02:48:25 kassandra pluto[15237]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 13 02:48:25 kassandra pluto[15237]: ike_alg_register_enc(): Activating OAKLEY_CAST_CBC: Ok (ret=0)
Aug 13 02:48:25 kassandra pluto[15237]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Aug 13 02:48:25 kassandra pluto[15237]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 13 02:48:25 kassandra pluto[15237]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 13 02:48:25 kassandra pluto[15237]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 13 02:48:25 kassandra pluto[15237]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Aug 13 02:48:25 kassandra pluto[15237]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 13 02:48:25 kassandra pluto[15237]: loaded cacert file 'cacert.pem-old' (1326 bytes)
Aug 13 02:48:25 kassandra pluto[15237]: loaded cacert file 'cacert.pem' (1326 bytes)
Aug 13 02:48:25 kassandra pluto[15237]: Changing to directory '/etc/ipsec.d/crls'
Aug 13 02:48:25 kassandra pluto[15237]: loaded crl file 'crl.pem' (1117 bytes)
Aug 13 02:48:25 kassandra pluto[15237]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Aug 13 02:48:25 kassandra pluto[15237]: | from whack: got --esp=3des
Aug 13 02:48:25 kassandra pluto[15237]: | from whack: got --ike=3des
Aug 13 02:48:25 kassandra pluto[15237]: loaded host cert file '/etc/ipsec.d/GatewayCert.pem' (1127 bytes)
Aug 13 02:48:25 kassandra pluto[15237]: added connection description "n2g"
Aug 13 02:48:25 kassandra pluto[15237]: | from whack: got --esp=3des
Aug 13 02:48:25 kassandra pluto[15237]: | from whack: got --ike=3des
Aug 13 02:48:25 kassandra pluto[15237]: loaded host cert file '/etc/ipsec.d/GatewayCert.pem' (1127 bytes)
Aug 13 02:48:25 kassandra pluto[15237]: added connection description "g2g"
Aug 13 02:48:25 kassandra pluto[15237]: | from whack: got --esp=3des
Aug 13 02:48:25 kassandra pluto[15237]: | from whack: got --ike=3des
Aug 13 02:48:25 kassandra pluto[15237]: loaded host cert file '/etc/ipsec.d/GatewayCert.pem' (1127 bytes)
Aug 13 02:48:25 kassandra pluto[15237]: added connection description "n2n"
Aug 13 02:48:25 kassandra pluto[15237]: | from whack: got --esp=3des
Aug 13 02:48:25 kassandra pluto[15237]: | from whack: got --ike=3des
Aug 13 02:48:25 kassandra pluto[15237]: loaded host cert file '/etc/ipsec.d/GatewayCert.pem' (1127 bytes)
Aug 13 02:48:25 kassandra pluto[15237]: added connection description "g2n"
Aug 13 02:48:25 kassandra pluto[15237]: listening for IKE messages
Aug 13 02:48:25 kassandra pluto[15237]: adding interface ipsec0/eth1 62.206.23.18
Aug 13 02:48:25 kassandra pluto[15237]: loading secrets from "/etc/ipsec.secrets"
Aug 13 02:48:25 kassandra pluto[15237]: loaded private key file '/etc/ipsec.d/private/GatewayKey.pem' (951 bytes)
Aug 13 02:48:33 kassandra pluto[15237]: "n2g"[1] 62.109.111.168 #1: responding to Main Mode from unknown peer 62.109.111.168
Aug 13 02:48:33 kassandra pluto[15237]: "n2g"[1] 62.109.111.168 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, L=Hamburg, O=Synaptec Software & Consulting GmbH, OU=VPN Authority, CN=Tanja Mattfeldt'
Aug 13 02:48:33 kassandra pluto[15237]: "n2g"[2] 62.109.111.168 #1: deleting connection "n2g" instance with peer 62.109.111.168
Aug 13 02:48:33 kassandra pluto[15237]: "n2g"[2] 62.109.111.168 #1: sent MR3, ISAKMP SA established
Aug 13 02:48:34 kassandra pluto[15237]: "g2g"[1] 62.109.111.168 #2: responding to Quick Mode
Aug 13 02:48:34 kassandra pluto[15237]: "g2n"[1] 62.109.111.168 #3: responding to Quick Mode
Aug 13 02:48:34 kassandra pluto[15237]: "n2g"[2] 62.109.111.168 #4: responding to Quick Mode
Aug 13 02:48:34 kassandra pluto[15237]: "n2n"[1] 62.109.111.168 #5: responding to Quick Mode
Aug 13 02:48:34 kassandra pluto[15237]: "g2n"[1] 62.109.111.168 #3: IPsec SA established
Aug 13 02:48:34 kassandra pluto[15237]: "n2g"[2] 62.109.111.168 #4: IPsec SA established
Aug 13 02:48:34 kassandra pluto[15237]: "n2n"[1] 62.109.111.168 #5: IPsec SA established
Aug 13 02:48:34 kassandra pluto[15237]: "g2g"[1] 62.109.111.168 #2: IPsec SA established
Aug 13 02:48:44 kassandra pluto[15237]: "n2g"[2] 62.109.111.168 #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Aug 13 02:48:44 kassandra pluto[15237]: "n2g"[2] 62.109.111.168 #1: received and ignored informational message
Aug 13 02:48:44 kassandra pluto[15237]: "n2g"[2] 62.109.111.168 #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Aug 13 02:48:44 kassandra pluto[15237]: "n2g"[2] 62.109.111.168 #1: received and ignored informational message
Aug 13 02:48:44 kassandra pluto[15237]: "n2g"[2] 62.109.111.168 #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Aug 13 02:48:44 kassandra pluto[15237]: "n2g"[2] 62.109.111.168 #1: received and ignored informational message
Aug 13 02:48:49 kassandra pluto[15237]: "n2g"[2] 62.109.111.168 #1: ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Aug 13 02:48:49 kassandra pluto[15237]: "n2g"[2] 62.109.111.168 #1: received and ignored informational message
+ _________________________ date
+ date
Fri Aug 13 02:49:15 CEST 2004