[Openswan Users]
Itai Tavor
itai at iinet.net.au
Wed Dec 1 09:53:22 CET 2004
On 30/11/2004, at 9:34 PM, Paul Wouters wrote:
> On Tue, 30 Nov 2004, Itai Tavor wrote:
>
>> Both sides act as LAN gateways, left with a fixed IP, right connected
>> to ADSL with a dynamic IP. The connection (triggered from right)
>> starts fine but pings don't work in either direction. I tried both
>> with the firewall on and off on both sides, with identical results.
Hi Paul,
Thanks for looking at my problem.
> I don't see any established tunnels or attempts in the logs. You either
> ran a barf without starting the conns or you cut it from the barf.
Hmm... strange. I was sure I started the tunnel. Sorry about that.
> One thing I notice:
>
> conn Tir-Na-Nogth-IM
> right=%defaultroute
> rightsubnet=10.0.1.0/24
> #
> left=210.229.239.65
> leftsubnet=10.0.2.0/24
>
> Since that side also uses interfaces=%defaultroute, I would swap right
> and left in that connection.
I guess I don't understand left and right... I thought the selection
was arbitrary. Anyway, I swapped left and right.
> Other than that, why not run 2.4 or 2.6 on both ends? And why openswan
> 2.1.2? It's a bit old.
Wish I could... my local machine needs a recent 2.6 for other services
it runs, and I can't mess with the remote box too much so I'd rather
leave it on 2.4. As for openswan 2.1.2... I installed the latest
openswan and kernel-openswan-modules from atrpms. Package
openswan-2.2.0-17.rhfc1.at, ipsec version 2.1.2. Go figure. Think that
might cause a problem?
> I cannot tell you more without seeing more. All the kernel modules seem
> to have been loaded, including xfrm4_tunnel. I do see you are doing lots
> of blocking of icmp packets, which might break PMTU, while you are also
> doing tcp clamping. The drop rules have a match for icmp 'invalid state',
> which I am not entirely sure what that means, since icmp consists of
> packets, not of a stateful connection. You can try allowing all icmp to
> see if that helps. Also show us exactly how you are testing your 'ping'
> so we know it does not involve wrong testing. In general, I don't look
> through firewall rules. You have MANY of them, you might want to try to
> temporarily insert an 'allow all' rule to see if that might be the cause.
Ok, I completely opened the firewall on both sides. New barfs attached.
I was able to connect to both gateways using their external IPs so I
don't think the firewall is getting in the way anymore. All those
firewall rules are generated by shorewall, I don't understand most of
them myself.
As for the ping tests, on 10.0.1.1 I simply try ping 10.0.2.1 and ping
10.0.2.60 (a running host on right), and I get nothing. Same the other
way.
Itai
edo
Wed Dec 1 07:45:06 JST 2004
+ _________________________ version
+ ipsec --version
Linux Openswan Ucvs2002Mar11_19:19:03/K2.1.2rc3 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.22-1.2199.nptl_52.rhfc1.at (bachbuilder@n27) (gcc version 3.2.3 20030422 (Red Hat Linux 3.2.3-6)) #1 Wed Aug 11 19:48:01 EDT 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
0 10.0.2.0/24 -> 10.0.1.0/24 => tun0x1002@203.206.236.211
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
154.33.4.102    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
154.33.4.102    0.0.0.0         255.255.255.255 UH        0 0          0 ipsec0
10.0.1.0        154.33.4.102    255.255.255.0   UG        0 0          0 ipsec0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         154.33.4.102    0.0.0.0         UG        0 0          0 ppp0
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1002@203.206.236.211 esp0x67b4c13c@203.206.236.211
tun0x1001@210.229.239.65 esp0xed2385f1@210.229.239.65
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260(1454) -> 1454
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/ppp0 210.229.239.65
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "Tir-Na-Nogth-IM": 10.0.2.0/24===210.229.239.65[@edo.insentiv.co.jp]---154.33.4.102...%any[@amber.tir-na-nogth.net]===10.0.1.0/24; unrouted; eroute owner: #0
000 "Tir-Na-Nogth-IM": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "Tir-Na-Nogth-IM": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: ppp0;
000 "Tir-Na-Nogth-IM": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "Tir-Na-Nogth-IM": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "Tir-Na-Nogth-IM": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "Tir-Na-Nogth-IM": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "Tir-Na-Nogth-IM": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "Tir-Na-Nogth-IM"[1]: 10.0.2.0/24===210.229.239.65[@edo.insentiv.co.jp]---154.33.4.102...203.206.236.211[@amber.tir-na-nogth.net]===10.0.1.0/24; erouted; eroute owner: #2
000 "Tir-Na-Nogth-IM"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "Tir-Na-Nogth-IM"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: ppp0;
000 "Tir-Na-Nogth-IM"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "Tir-Na-Nogth-IM"[1]: IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "Tir-Na-Nogth-IM"[1]: IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "Tir-Na-Nogth-IM"[1]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "Tir-Na-Nogth-IM"[1]: ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "Tir-Na-Nogth-IM"[1]: ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "Tir-Na-Nogth-IM"[1]: ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #2: "Tir-Na-Nogth-IM"[1] 203.206.236.211 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28485s; newest IPSEC; eroute owner
000 #2: "Tir-Na-Nogth-IM"[1] 203.206.236.211 esp.67b4c13c@203.206.236.211 esp.ed2385f1@210.229.239.65 tun.1002@203.206.236.211 tun.1001@210.229.239.65
000 #1: "Tir-Na-Nogth-IM"[1] 203.206.236.211 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3284s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:00:F4:60:9B:31
inet addr:10.0.2.1 Bcast:10.0.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:164398 errors:0 dropped:0 overruns:0 frame:0
TX packets:337949 errors:3 dropped:0 overruns:3 carrier:0
collisions:0 txqueuelen:1000
RX bytes:18843646 (17.9 Mb) TX bytes:430949138 (410.9 Mb)
Interrupt:11 Base address:0xd000
eth1 Link encap:Ethernet HWaddr 00:90:CC:51:B9:77
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:351706 errors:0 dropped:0 overruns:0 frame:0
TX packets:235413 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:430898068 (410.9 Mb) TX bytes:23371201 (22.2 Mb)
Interrupt:10 Base address:0x9000
ipsec0 Link encap:Point-to-Point Protocol
inet addr:210.229.239.65 Mask:255.255.255.255
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:13 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec1 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:49726 errors:0 dropped:0 overruns:0 frame:0
TX packets:49726 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3459169 (3.2 Mb) TX bytes:3459169 (3.2 Mb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:210.229.239.65 P-t-P:154.33.4.102
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1454 Metric:1
RX packets:348820 errors:0 dropped:0 overruns:0 frame:0
TX packets:232663 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:422860300 (403.2 Mb) TX bytes:18169637 (17.3 Mb)
ppp0:0 Link encap:Point-to-Point Protocol
inet addr:210.229.239.99 P-t-P:210.229.239.99
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1454 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ppp0:1 Link encap:Point-to-Point Protocol
inet addr:210.229.239.98 P-t-P:210.229.239.98
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1454 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ppp0:2 Link encap:Point-to-Point Protocol
inet addr:210.229.239.102 P-t-P:210.229.239.102
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1454 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                   [OK]
Linux Openswan Ucvs2002Mar11_19:19:03/K2.1.2rc3 (klips)
Checking for IPsec support in kernel                              [OK]
Checking for RSA private key (/etc/ipsec.secrets)                 [OK]
Checking that pluto is running                                    [OK]
Two or more interfaces found, checking IP forwarding              [OK]
Checking NAT and MASQUERADEing
Checking tun0x1002@203.206.236.211 from 10.0.2.0/24 to 10.0.1.0/24 [FAILED]
ppp0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 0.0.0.0/0 -> 10.0.1.0/24
Checking for 'ip' command                                         [OK]
Checking for 'iptables' command                                   [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: edo                          [MISSING]
Does the machine have at least one non-private address?           [OK]
Looking for TXT in reverse dns zone: 65.239.229.210.in-addr.arpa.  [MISSING]
Looking for TXT in reverse dns zone: 99.239.229.210.in-addr.arpa.  [MISSING]
Looking for TXT in reverse dns zone: 98.239.229.210.in-addr.arpa.  [MISSING]
Looking for TXT in reverse dns zone: 102.239.229.210.in-addr.arpa. [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD flow-control, link ok
product info: Davicom DM9101 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
flow-control
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:07:49, model 1 rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
edo
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
07:45:11 up 14:44, 2 users, load average: 0.29, 0.23, 0.13
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME
COMMAND
0 0 17188 11722 22 0 4852 936 - R pts/1 0:00 |
\_ /bin/sh /usr/libexec/ipsec/barf
0 0 17285 17188 17 0 3092 392 pipe_w S pts/1 0:00 |
\_ egrep -i ppid|pluto|ipsec|klips
1 0 17101 1 20 0 3188 988 wait4 S pts/1 0:00
/bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal --keep_alive
--force_keepalive --disable_port_floating --virtual_private
--crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wai
1 0 17102 17101 20 0 3188 996 wait4 S pts/1 0:00 \_
/bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal --keep_alive
--force_keepalive --disable_port_floating --virtual_private
--crlcheckinterval 0 --ocspuri --dump --opts --stderrlog -
4 0 17103 17102 17 0 3288 1044 schedu S pts/1 0:00 |
\_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets
--ipsecdir /etc/ipsec.d --debug-none --uniqueids
0 0 17114 17103 24 0 2108 176 schedu S pts/1 0:00 |
\_ _pluto_adns
0 0 17104 17101 15 0 2792 984 pipe_w S pts/1 0:00 \_
/bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0 0 17106 1 20 0 2388 288 pipe_w S pts/1 0:00
logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# edo.isentiv.co.jp
#
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        interfaces="ipsec0=ppp0"
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
# Standard server security definition (right)
conn %default
        # Allow only 1 try since we are the passive end
        keyingtries=1
        #
        # Security gateway - right
        right=210.229.239.65
        rightsubnet=10.0.2.0/24
        rightnexthop=154.33.4.102
        rightupdown=/usr/lib/ipsec/_updown
        #
        # Add but don't start connection on startup
        auto=add
        #
        #
        # RSA authentication
        authby=rsasig
        rightid=@edo.insentiv.co.jp
        rightrsasigkey=[keyid AQOrd0max]
# Load client (right) definitions from subdirectory
#< /etc/ipsec.d/remote.tir-na-nogth.conn 1
# /etc/ipsec.d/remote.tir-na-nogth.conn - FreeS/WAN IPsec remote connection file
# Connection from Tir-Na-Nog'th gateway
conn Tir-Na-Nogth-IM
        # Left - Tir-Na-Nog'th security gateway
        left=%any
        leftsubnet=10.0.1.0/24
        #
        leftid=@amber.tir-na-nogth.net
        leftrsasigkey=[keyid AQN/IxlHw]
#> /etc/ipsec.conf 37
#
# Disable opportunistic encryption
#
#< /etc/ipsec.d/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/freeswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
#> /etc/ipsec.conf 42
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits edo.insentiv.co.jp Fri Jan 30 20:14:18 2004
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQOrd0max]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Dec 01 07:44:06 2004, 2192 RSA Key AQOrd0max, until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@edo.insentiv.co.jp'
000 Dec 01 07:44:06 2004, 2192 RSA Key AQN/IxlHw, until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@amber.tir-na-nogth.net'
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 100
-rwxr-xr-x 1 root root 15403 Sep 19 09:25 _confread
-rwxr-xr-x 1 root root 6312 Sep 19 09:25 _copyright
-rwxr-xr-x 1 root root 2379 Sep 19 09:25 _include
-rwxr-xr-x 1 root root 1475 Sep 19 09:25 _keycensor
-rwxr-xr-x 1 root root 3586 Sep 19 09:25 _plutoload
-rwxr-xr-x 1 root root 7167 Sep 19 09:25 _plutorun
-rwxr-xr-x 1 root root 10493 Sep 19 09:25 _realsetup
-rwxr-xr-x 1 root root 1975 Sep 19 09:25 _secretcensor
-rwxr-xr-x 1 root root 9010 Sep 19 09:25 _startklips
-rwxr-xr-x 1 root root 12313 Sep 19 09:25 _updown
-rwxr-xr-x 1 root root 7572 Sep 19 09:25 _updown_x509
-rwxr-xr-x 1 root root 1942 Sep 19 09:25 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 1280
-rwxr-xr-x 1 root root 11316 Sep 19 09:25 _pluto_adns
-rwxr-xr-x 1 root root 19220 Sep 19 09:25 auto
-rwxr-xr-x 1 root root 10224 Sep 19 09:25 barf
-rwxr-xr-x 1 root root 816 Sep 19 09:25 calcgoo
-rwxr-xr-x 1 root root 80140 Sep 19 09:25 eroute
-rwxr-xr-x 1 root root 63744 Sep 19 09:25 klipsdebug
-rwxr-xr-x 1 root root 2461 Sep 19 09:25 look
-rwxr-xr-x 1 root root 7118 Sep 19 09:25 mailkey
-rwxr-xr-x 1 root root 16188 Sep 19 09:25 manual
-rwxr-xr-x 1 root root 1874 Sep 19 09:25 newhostkey
-rwxr-xr-x 1 root root 54584 Sep 19 09:25 pf_key
-rwxr-xr-x 1 root root 567772 Sep 19 09:25 pluto
-rwxr-xr-x 1 root root 12148 Sep 19 09:25 ranbits
-rwxr-xr-x 1 root root 20124 Sep 19 09:25 rsasigkey
-rwxr-xr-x 1 root root 766 Sep 19 09:25 secrets
-rwxr-xr-x 1 root root 17578 Sep 19 09:25 send-pr
lrwxrwxrwx 1 root root 22 Nov 30 16:39 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Sep 19 09:25 showdefaults
-rwxr-xr-x 1 root root 4364 Sep 19 09:25 showhostkey
-rwxr-xr-x 1 root root 119928 Sep 19 09:25 spi
-rwxr-xr-x 1 root root 69940 Sep 19 09:25 spigrp
-rwxr-xr-x 1 root root 83384 Sep 19 09:25 starter
-rwxr-xr-x 1 root root 11276 Sep 19 09:25 tncfg
-rwxr-xr-x 1 root root 10189 Sep 19 09:25 verify
-rwxr-xr-x 1 root root 46148 Sep 19 09:25 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   3459169   49726    0    0    0     0          0         0   3459169   49726    0    0    0     0       0          0
  eth0:  18843988  164399    0    0    0     0          0         0 430949138  337949    3    0    3     0       0          0
  eth1: 430900591  351733    0    0    0     0          0         0  23405262  235448    0    0    0     0       0          0
  ppp0: 422862229  348847    0    0    0     0          0         0  18202928  232698    0    0    0     0       0          0
ipsec0:         0       0    0    0    0     0          0         0         0       0    0   13    0     0       0          0
ipsec1:         0       0    0    0    0     0          0         0         0       0    0    0    0     0       0          0
ipsec2:         0       0    0    0    0     0          0         0         0       0    0    0    0     0       0          0
ipsec3:         0       0    0    0    0     0          0         0         0       0    0    0    0     0       0          0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface   Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
ppp0    6604219A    00000000 0005  0      0   0      FFFFFFFF 0   0      0
ipsec0  6604219A    00000000 0005  0      0   0      FFFFFFFF 0   0      0
ipsec0  0001000A    6604219A 0003  0      0   0      00FFFFFF 0   0      0
eth0    0002000A    00000000 0001  0      0   0      00FFFFFF 0   0      0
eth0    0000FEA9    00000000 0001  0      0   0      0000FFFF 0   0      0
lo      0000007F    00000000 0001  0      0   0      000000FF 0   0      0
ppp0    00000000    6604219A 0003  0      0   0      00000000 0   0      0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
ipsec0/rp_filter lo/rp_filter ppp0/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
ipsec0/rp_filter:1
lo/rp_filter:1
ppp0/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux edo 2.4.22-1.2199.nptl_52.rhfc1.at #1 Wed Aug 11 19:48:01 EDT 2004 i586 i586 i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 1 (Yarrow)
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.1.2rc3
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 288: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy DROP 4 packets, 776 bytes)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
130 14765 ppp0_in all -- ppp0 * 0.0.0.0/0
0.0.0.0/0
15 4432 eth0_in all -- eth0 * 0.0.0.0/0
0.0.0.0/0
0 0 ipsec0_in all -- ipsec0 * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy DROP 3 packets, 140 bytes)
pkts bytes target prot opt in out source
destination
0 0 DROP !icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
663 31820 TCPMSS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
766 74504 ppp0_fwd all -- ppp0 * 0.0.0.0/0
0.0.0.0/0
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0
0.0.0.0/0
0 0 ipsec0_fwd all -- ipsec0 * 0.0.0.0/0
0.0.0.0/0
766 74504 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * lo 0.0.0.0/0
0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
137 50682 fw2net all -- * ppp0 0.0.0.0/0
0.0.0.0/0
2 168 fw2loc all -- * eth0 0.0.0.0/0
0.0.0.0/0
13 1092 fw2vpn all -- * ipsec0 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain all2all (3 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
13 1092 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain blacklst (2 references)
pkts bytes target prot opt in out source
destination
Chain common (0 references)
pkts bytes target prot opt in out source
destination
0 0 icmpdef icmp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:135
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0
224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0
10.0.2.255
Chain dynamic (6 references)
pkts bytes target prot opt in out source
destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source
destination
0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 loc2net all -- * ppp0 0.0.0.0/0
0.0.0.0/0
0 0 loc2vpn all -- * ipsec0 0.0.0.0/0
0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source
destination
13 4264 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
15 4432 loc2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2loc (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
2 168 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
0 0 all2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source
destination
134 50408 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT esp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
2 200 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:53
1 74 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2vpn (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
13 1092 all2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source
destination
Chain ipsec0_fwd (1 references)
pkts bytes target prot opt in out source
destination
0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 all2all all -- * ppp0 0.0.0.0/0
0.0.0.0/0
0 0 vpn2loc all -- * eth0 0.0.0.0/0
0.0.0.0/0
Chain ipsec0_in (1 references)
pkts bytes target prot opt in out source
destination
0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 vpn2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source
destination
2 168 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
13 4264 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (58 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
1 60 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
129 14705 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.2.1 state NEW tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp spt:500 dpt:500
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
1 60 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.2.61 multiport dports 80,21 state NEW ctorigdst 210.229.239.99
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.2.62 state NEW tcp dpt:80 ctorigdst 210.229.239.102
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.2.60 multiport dports 80,81,443 state NEW ctorigdst 210.229.239.98
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.2.60 multiport dports 80,443 state NEW ctorigdst 210.229.239.100
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.2.60 multiport dports 80,443 state NEW ctorigdst 210.229.239.101
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.2.60 state NEW tcp dpt:21 ctorigdst 210.229.239.101
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.2.60 state NEW tcp dpt:22 ctorigdst 210.229.239.98
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.2.20 state NEW udp dpt:5060
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.2.20 state NEW udp dpts:16384:16403
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (12 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:newnotsyn:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source destination
766 74504 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
766 74504 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
766 74504 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 net2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 net2all all -- * ipsec0 0.0.0.0/0 0.0.0.0/0
Chain ppp0_in (1 references)
pkts bytes target prot opt in out source destination
1 60 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
1 60 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
1 60 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
130 14765 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (7 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain rfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 255.255.255.255 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 255.255.255.255
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 169.254.0.0/16
0 0 logdrop all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 172.16.0.0/12
0 0 logdrop all -- * * 192.0.2.0/24 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.0.2.0/24
0 0 logdrop all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.168.0.0/16
0 0 logdrop all -- * * 0.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 0.0.0.0/7
0 0 logdrop all -- * * 2.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 2.0.0.0/8
0 0 logdrop all -- * * 5.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 5.0.0.0/8
0 0 logdrop all -- * * 7.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 7.0.0.0/8
0 0 logdrop all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 10.0.0.0/8
0 0 logdrop all -- * * 23.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 23.0.0.0/8
0 0 logdrop all -- * * 27.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 27.0.0.0/8
0 0 logdrop all -- * * 31.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 31.0.0.0/8
0 0 logdrop all -- * * 36.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 36.0.0.0/7
0 0 logdrop all -- * * 39.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 39.0.0.0/8
0 0 logdrop all -- * * 41.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 41.0.0.0/8
0 0 logdrop all -- * * 42.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 42.0.0.0/8
0 0 logdrop all -- * * 49.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 49.0.0.0/8
0 0 logdrop all -- * * 50.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 50.0.0.0/8
0 0 logdrop all -- * * 58.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 58.0.0.0/7
0 0 logdrop all -- * * 70.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 70.0.0.0/7
0 0 logdrop all -- * * 72.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 72.0.0.0/5
0 0 logdrop all -- * * 83.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 83.0.0.0/8
0 0 logdrop all -- * * 84.0.0.0/6 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 84.0.0.0/6
0 0 logdrop all -- * * 88.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 88.0.0.0/5
0 0 logdrop all -- * * 96.0.0.0/3 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 96.0.0.0/3
0 0 logdrop all -- * * 127.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 127.0.0.0/8
0 0 logdrop all -- * * 197.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 197.0.0.0/8
0 0 logdrop all -- * * 198.18.0.0/15 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 198.18.0.0/15
0 0 logdrop all -- * * 223.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 223.0.0.0/8
0 0 logdrop all -- * * 240.0.0.0/4 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 240.0.0.0/4
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain vpn2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 23389 packets, 1462K bytes)
pkts bytes target prot opt in out source destination
5 608 net_dnat all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain POSTROUTING (policy ACCEPT 21422 packets, 940K bytes)
pkts bytes target prot opt in out source destination
6 718 ppp0_masq all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 4081 packets, 248K bytes)
pkts bytes target prot opt in out source destination
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 LOG flags 0 level 5 prefix `Shorewall:net_dnat:DNAT:'
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 to:10.0.2.1:22
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.99 multiport dports 80,21 to:10.0.2.61
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.102 tcp dpt:80 to:10.0.2.62
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.98 multiport dports 80,81,443 to:10.0.2.60
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.100 multiport dports 80,443 to:10.0.2.60
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.101 multiport dports 80,443 to:10.0.2.60
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.101 tcp dpt:21 to:10.0.2.60
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.98 tcp dpt:223 to:10.0.2.60:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 to:10.0.2.20
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:16384:16403 to:10.0.2.20
Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.0.2.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16 0.0.0.0/0
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 562K packets, 443M bytes)
pkts bytes target prot opt in out source destination
916 93961 pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 470K packets, 397M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 91787 packets, 46M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 546K packets, 403M bytes)
pkts bytes target prot opt in out source destination
158 58398 outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 620K packets, 448M bytes)
pkts bytes target prot opt in out source destination
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
125 54917 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:4662 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:4672 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4672 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:4862 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4862 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:4872 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4872 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
40 5254 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:4662 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:4672 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4672 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:4862 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4862 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:4872 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4872 TOS set 0x08
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
ipsec 244512 2
autofs 11156 0 (autoclean) (unused)
ipt_REDIRECT 1336 1 (autoclean)
ipt_TOS 1592 28 (autoclean)
ipt_MASQUERADE 2104 2 (autoclean)
ipt_REJECT 3960 4 (autoclean)
ipt_LOG 4152 3 (autoclean)
ipt_TCPMSS 2968 1 (autoclean)
ipt_state 1112 58 (autoclean)
ip_nat_irc 2896 0 (unused)
ip_nat_tftp 2288 0 (unused)
ip_nat_ftp 3568 0 (unused)
ip_conntrack_irc 3728 1
ip_conntrack_tftp 2192 1
ip_conntrack_ftp 4720 1
ipt_multiport 1176 8 (autoclean)
ipt_conntrack 1656 38 (autoclean)
iptable_filter 2348 1 (autoclean)
iptable_mangle 2712 1 (autoclean)
iptable_nat 20760 4 (autoclean) [ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_tftp ip_nat_ftp]
ip_conntrack 27464 6 (autoclean) [ipt_REDIRECT ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_ftp ipt_conntrack iptable_nat]
ip_tables 14688 14 [ipt_REDIRECT ipt_TOS ipt_MASQUERADE ipt_REJECT ipt_LOG ipt_TCPMSS ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]
ppp_synctty 6272 0 (unused)
ppp_async 7936 1
ppp_generic 23516 3 [ppp_synctty ppp_async]
slhc 6612 0 [ppp_generic]
tulip 40832 1 (autoclean)
via-rhine 14224 1
mii 3736 0 [via-rhine]
loop 10808 0 (autoclean)
keybdev 2464 0 (unused)
mousedev 5044 0 (unused)
hid 22724 0 (unused)
input 5664 0 [keybdev mousedev hid]
usb-ohci 20520 0 (unused)
usbcore 73120 1 [hid usb-ohci]
ext3 81576 4
jbd 47752 4 [ext3]
lvm-mod 63488 3
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 191524864 185085952 6438912 0 37384192 26890240
Swap: 394805248 16384 394788864
MemTotal: 187036 kB
MemFree: 6288 kB
MemShared: 0 kB
Buffers: 36508 kB
Cached: 26244 kB
SwapCached: 16 kB
Active: 47904 kB
Inactive: 34388 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 187036 kB
LowFree: 6288 kB
SwapTotal: 385552 kB
SwapFree: 385536 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Dec 1 07:45 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Dec 1 07:45 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Dec 1 07:45 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Dec 1 07:45 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Dec 1 07:45 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Dec 1 07:45 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.4.22-1.2199.nptl_52.rhfc1.at/build/.config
+ echo 'no .config file found, cannot list kernel properties'
no .config file found, cannot list kernel properties
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
# MADE-BY-RP-PPPOE
nameserver 154.33.63.214
nameserver 154.33.63.210
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 4 root root 4096 Nov 30 16:37 2.4.22-1.2199.nptl_52.rhfc1.at
drwxr-xr-x 4 root root 4096 Nov 30 16:42 2.4.22-1.2115.nptl
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ egrep netif_rx /proc/ksyms
c0201b10 netif_rx_Rc41991c0
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.22-1.2115.nptl: U netif_rx_R07a1a075
2.4.22-1.2199.nptl_52.rhfc1.at: U netif_rx_Rc41991c0
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '41872,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Dec 1 07:44:05 edo ipsec_setup: Starting Openswan IPsec cvs2002Mar11_19:19:03...
Dec 1 07:44:05 edo ipsec_setup: Using /lib/modules/2.4.22-1.2199.nptl_52.rhfc1.at/kernel/net/ipsec/ipsec.o
+ _________________________ plog
+ sed -n '392,$p' /var/log/secure
+ egrep -i pluto
+ cat
Dec 1 07:44:05 edo ipsec__plutorun: Starting Pluto subsystem...
Dec 1 07:44:05 edo pluto[17103]: Starting Pluto (Openswan Version cvs2002Mar11_19:19:03 X.509-1.5.4 PLUTO_USES_KEYRR)
Dec 1 07:44:05 edo pluto[17103]: including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 1 07:44:05 edo pluto[17103]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 1 07:44:05 edo pluto[17103]: Using KLIPS IPsec interface code
Dec 1 07:44:05 edo pluto[17103]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 1 07:44:05 edo pluto[17103]: Could not change to directory '/etc/ipsec.d/aacerts'
Dec 1 07:44:05 edo pluto[17103]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 1 07:44:05 edo pluto[17103]: Changing to directory '/etc/ipsec.d/crls'
Dec 1 07:44:05 edo pluto[17103]: Warning: empty directory
Dec 1 07:44:06 edo pluto[17103]: added connection description "Tir-Na-Nogth-IM"
Dec 1 07:44:06 edo pluto[17103]: listening for IKE messages
Dec 1 07:44:06 edo pluto[17103]: adding interface ipsec0/ppp0 210.229.239.65
Dec 1 07:44:06 edo pluto[17103]: loading secrets from "/etc/ipsec.secrets"
Dec 1 07:44:19 edo pluto[17103]: "Tir-Na-Nogth-IM"[1] 203.206.236.211 #1: responding to Main Mode from unknown peer 203.206.236.211
Dec 1 07:44:19 edo pluto[17103]: "Tir-Na-Nogth-IM"[1] 203.206.236.211 #1: transition from state (null) to state STATE_MAIN_R1
Dec 1 07:44:20 edo pluto[17103]: "Tir-Na-Nogth-IM"[1] 203.206.236.211 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 1 07:44:20 edo pluto[17103]: "Tir-Na-Nogth-IM"[1] 203.206.236.211 #1: Peer
Dec 1 07:44:20 edo pluto[17103]: "Tir-Na-Nogth-IM"[1] 203.206.236.211 #1: I did not send a certificate because I do not have one.
Dec 1 07:44:20 edo pluto[17103]: "Tir-Na-Nogth-IM"[1] 203.206.236.211 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 1 07:44:20 edo pluto[17103]: "Tir-Na-Nogth-IM"[1] 203.206.236.211 #1: sent MR3, ISAKMP SA established
Dec 1 07:44:20 edo pluto[17103]: "Tir-Na-Nogth-IM"[1] 203.206.236.211 #2: responding to Quick Mode
Dec 1 07:44:21 edo pluto[17103]: "Tir-Na-Nogth-IM"[1] 203.206.236.211 #2: transition from state (null) to state STATE_QUICK_R1
Dec 1 07:44:21 edo pluto[17103]: "Tir-Na-Nogth-IM"[1] 203.206.236.211 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 1 07:44:21 edo pluto[17103]: "Tir-Na-Nogth-IM"[1] 203.206.236.211 #2: IPsec SA established {ESP=>0x67b4c13c <0xed2385f1}
+ _________________________ date
+ date
Wed Dec 1 07:45:12 JST 2004
amber
Wed Dec 1 09:45:25 EST 2004
+ _________________________ version
+ ipsec --version
Linux Openswan U2.2.0/K2.6.10-rc1 (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.10-rc1 (root@amber) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #10 Sun Nov 28 17:34:20 EST 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
203.55.229.88 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
10.0.2.0 203.55.229.88 255.255.255.0 UG 0 0 0 ppp0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 203.55.229.88 0.0.0.0 UG 0 0 0 ppp0
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
203.206.236.211 210.229.239.65
esp mode=tunnel spi=3978528241(0xed2385f1)
reqid=16385(0x00004001)
E: 3des-cbc c3316419 6c82dddb e09666d7 a07e8127 9f68e122 94dce1f2
A: hmac-md5 6efff558 b36bc568 494850b0 f1f1aad4
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Dec 1 09:44:25 2004 current: Dec 1 09:45:25 2004
diff: 60(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=13850 refcnt=0
210.229.239.65 203.206.236.211
esp mode=tunnel spi=1739899196(0x67b4c13c)
reqid=16385(0x00004001)
E: 3des-cbc 9838af7b 945fa3d2 272a9be8 d7e8809b a1f00bbf 03bd35fb
A: hmac-md5 a8e6261b ce7b2090 f29a2dc6 c00610b9
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Dec 1 09:44:25 2004 current: Dec 1 09:45:25 2004
diff: 60(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=13850 refcnt=0
+ _________________________ setkey-D-P
+ setkey -D -P
10.0.2.0/24[any] 10.0.1.0/24[any] any
in ipsec
esp/tunnel/210.229.239.65-203.206.236.211/unique#16385
created: Dec 1 09:44:25 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=968 seq=8 pid=13851
refcnt=1
10.0.1.0/24[any] 10.0.2.0/24[any] any
out ipsec
esp/tunnel/203.206.236.211-210.229.239.65/unique#16385
created: Dec 1 09:44:25 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=985 seq=7 pid=13851
refcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
fwd ipsec
esp/tunnel/210.229.239.65-203.206.236.211/unique#16385
created: Dec 1 09:44:25 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=978 seq=6 pid=13851
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Dec 1 09:44:06 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=955 seq=5 pid=13851
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Dec 1 09:44:06 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=939 seq=4 pid=13851
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Dec 1 09:44:06 2004 lastused: Dec 1 09:44:25 2004
lifetime: 0(s) validtime: 0(s)
spid=923 seq=3 pid=13851
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Dec 1 09:44:06 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=964 seq=2 pid=13851
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Dec 1 09:44:06 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=948 seq=1 pid=13851
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Dec 1 09:44:06 2004 lastused: Dec 1 09:44:25 2004
lifetime: 0(s) validtime: 0(s)
spid=932 seq=0 pid=13851
refcnt=1
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface br0/br0 10.0.1.1
000 interface ppp0/ppp0 203.206.236.211
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36} trans={0,4,336} attrs={0,4,224}
000
000 "Tir-Na-Nogth-IM": 10.0.1.0/24===203.206.236.211[@amber.tir-na-nogth.net]---203.55.229.88...154.33.4.102---210.229.239.65[@edo.insentiv.co.jp]===10.0.2.0/24; erouted; eroute owner: #2
000 "Tir-Na-Nogth-IM": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "Tir-Na-Nogth-IM": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: ppp0;
000 "Tir-Na-Nogth-IM": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "Tir-Na-Nogth-IM": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "Tir-Na-Nogth-IM": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "Tir-Na-Nogth-IM": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "Tir-Na-Nogth-IM": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "Tir-Na-Nogth-IM": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "Tir-Na-Nogth-IM": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #2: "Tir-Na-Nogth-IM" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28147s; newest IPSEC; eroute owner
000 #2: "Tir-Na-Nogth-IM" esp.ed2385f1@210.229.239.65 esp.67b4c13c@203.206.236.211 tun.0@210.229.239.65 tun.0@203.206.236.211
000 #1: "Tir-Na-Nogth-IM" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2949s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
ath0 Link encap:Ethernet HWaddr 00:09:5B:E7:2A:2D
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:199
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11 Memory:e0960000-e0970000
br0 Link encap:Ethernet HWaddr 00:09:5B:E7:2A:2D
inet addr:10.0.1.1 Bcast:10.0.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8423892 errors:0 dropped:0 overruns:0 frame:0
TX packets:10555558 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2401951544 (2290.6 Mb) TX bytes:3150618510 (3004.6 Mb)
eth0 Link encap:Ethernet HWaddr 00:0E:A6:A1:3B:A3
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8499906 errors:0 dropped:0 overruns:0 frame:0
TX packets:10539119 errors:15 dropped:0 overruns:0 carrier:15
collisions:1435843 txqueuelen:1000
RX bytes:2548921990 (2430.8 Mb) TX bytes:3147609335 (3001.7 Mb)
Interrupt:9 Base address:0xe000
eth1 Link encap:Ethernet HWaddr 00:02:44:47:8C:09
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8002278 errors:0 dropped:0 overruns:0 frame:0
TX packets:7010867 errors:0 dropped:0 overruns:0 carrier:0
collisions:42022 txqueuelen:1000
RX bytes:3562771465 (3397.7 Mb) TX bytes:2379507345 (2269.2 Mb)
Interrupt:5 Base address:0xd000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:32896 errors:0 dropped:0 overruns:0 frame:0
TX packets:32896 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8151281 (7.7 Mb) TX bytes:8151281 (7.7 Mb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:203.206.236.211 P-t-P:203.55.229.88
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:1247747 errors:0 dropped:0 overruns:0 frame:0
TX packets:1133885 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:539151992 (514.1 Mb) TX bytes:287351576 (274.0 Mb)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.6.10-rc1 (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: amber [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 211.236.206.203.in-addr.arpa. [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-HD, link ok
product info: vendor 00:00:20, model 32 rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-HD 10baseT-HD
eth1: autonegotiation failed, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
amber.tir-na-nogth.net
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.0.1.1
+ _________________________ uptime
+ uptime
09:45:26 up 2 days, 10:44, 1 user, load average: 0.23, 0.10, 0.02
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 13831 7482 16 0 4084 960 wait S pts/1 0:00 \_ /bin/sh /usr/libexec/ipsec/barf
4 0 13914 13831 16 0 1508 396 pipe_w S pts/1 0:00 \_ egrep -i ppid|pluto|ipsec|klips
5 0 13379 1 21 0 2056 1032 wait S pts/1 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
5 0 13380 13379 21 0 2056 1044 wait S pts/1 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 13381 13380 16 0 2308 1040 - S pts/1 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-none --uniqueids
4 0 13421 13381 21 0 1320 192 - S pts/1 0:00 | \_ _pluto_adns
4 0 13382 13379 16 0 2056 1020 pipe_w S pts/1 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
4 0 13383 1 21 0 1380 288 pipe_w S pts/1 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=ppp0
routevirt=ipsec0
routeaddr=203.206.236.211
routenexthop=203.55.229.88
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - OpenS/WAN IPsec configuration file
#
# amber.tir-na-nogth.net
#
version 2.0 # conforms to second version of ipsec.conf specification
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
conn %default
        keyingtries=3
#
# Tir-Na-Nog'th to Insentiv Media tunnel
#
# Right: IM Left: Tir-Na-Nog'th
#
conn Tir-Na-Nogth-IM
        left=%defaultroute
        leftsubnet=10.0.1.0/24
        #
        right=210.229.239.65
        rightsubnet=10.0.2.0/24
        rightnexthop=154.33.4.102
        #
        auto=add
        leftupdown=/usr/lib/ipsec/_updown
        #
        authby=rsasig
        leftid=@amber.tir-na-nogth.net
        rightid=@edo.insentiv.co.jp
        leftrsasigkey=[keyid AQN/IxlHw]
        rightrsasigkey=[keyid AQOrd0max]
#
#Disable Opportunistic Encryption
#
#< /etc/ipsec.d/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/freeswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
#> /etc/ipsec.conf 43
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits amber.tir-na-nogth.net Fri Sep 24 10:51:07 2004
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQN/IxlHw]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Dec 01 09:44:06 2004, 2192 RSA Key AQOrd0max, until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@edo.insentiv.co.jp'
000 Dec 01 09:44:06 2004, 2192 RSA Key AQN/IxlHw, until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@amber.tir-na-nogth.net'
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 140
-rwxr-xr-x 1 root root 15403 Sep 17 01:40 _confread
-rwxr-xr-x 1 root root 47492 Sep 17 01:40 _copyright
-rwxr-xr-x 1 root root 2379 Sep 17 01:40 _include
-rwxr-xr-x 1 root root 1475 Sep 17 01:40 _keycensor
-rwxr-xr-x 1 root root 3586 Sep 17 01:40 _plutoload
-rwxr-xr-x 1 root root 7167 Sep 17 01:40 _plutorun
-rwxr-xr-x 1 root root 10493 Sep 17 01:40 _realsetup
-rwxr-xr-x 1 root root 1975 Sep 17 01:40 _secretcensor
-rwxr-xr-x 1 root root 9016 Sep 17 01:40 _startklips
-rwxr-xr-x 1 root root 12313 Sep 17 01:40 _updown
-rwxr-xr-x 1 root root 7572 Sep 17 01:40 _updown_x509
-rwxr-xr-x 1 root root 1942 Sep 17 01:40 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 5096
-rwxr-xr-x 1 root root 70814 Sep 17 01:40 _pluto_adns
-rwxr-xr-x 1 root root 19220 Sep 17 01:40 auto
-rwxr-xr-x 1 root root 10248 Sep 17 01:40 barf
-rwxr-xr-x 1 root root 816 Sep 17 01:40 calcgoo
-rwxr-xr-x 1 root root 311083 Sep 17 01:40 eroute
-rwxr-xr-x 1 root root 182519 Sep 17 01:40 klipsdebug
-rwxr-xr-x 1 root root 2461 Sep 17 01:40 look
-rwxr-xr-x 1 root root 7124 Sep 17 01:40 mailkey
-rwxr-xr-x 1 root root 16188 Sep 17 01:40 manual
-rwxr-xr-x 1 root root 1874 Sep 17 01:40 newhostkey
-rwxr-xr-x 1 root root 164746 Sep 17 01:40 pf_key
-rwxr-xr-x 1 root root 2656271 Sep 17 01:40 pluto
-rwxr-xr-x 1 root root 55200 Sep 17 01:40 ranbits
-rwxr-xr-x 1 root root 81674 Sep 17 01:40 rsasigkey
-rwxr-xr-x 1 root root 766 Sep 17 01:40 secrets
-rwxr-xr-x 1 root root 17578 Sep 17 01:40 send-pr
lrwxr-xr-x 1 root root 22 Nov 30 17:54 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Sep 17 01:40 showdefaults
-rwxr-xr-x 1 root root 4364 Sep 17 01:40 showhostkey
-rwxr-xr-x 1 root root 498713 Sep 17 01:40 spi
-rwxr-xr-x 1 root root 250823 Sep 17 01:40 spigrp
-rwxr-xr-x 1 root root 475538 Sep 17 01:40 starter
-rwxr-xr-x 1 root root 50198 Sep 17 01:40 tncfg
-rwxr-xr-x 1 root root 10195 Sep 17 01:40 verify
-rwxr-xr-x 1 root root 228071 Sep 17 01:40 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 8151281 32896 0 0 0 0 0 0 8151281 32896 0 0 0 0 0 0
eth0:2548933292 8499959 0 0 0 0 0 0 3147675200 10539200 15 0 0 1435843 15 0
br0:2401961952 8423945 0 0 0 0 0 0 3150684375 10555639 0 0 0 0 0 0
ath0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth1:3562796859 8002331 0 0 0 0 0 0 2379518427 7010913 0 0 0 42022 0 0
ppp0:539176220 1247800 0 0 0 0 0 0 287361640 1133931 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ppp0 58E537CB 00000000 0005 0 0 0 FFFFFFFF 0 0 0
br0 0001000A 00000000 0001 0 0 0 00FFFFFF 0 0 0
ppp0 0002000A 58E537CB 0003 0 0 0 00FFFFFF 0 0 0
br0 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0
lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0
ppp0 00000000 58E537CB 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter br0/rp_filter default/rp_filter lo/rp_filter ppp0/rp_filter
all/rp_filter:0
br0/rp_filter:1
default/rp_filter:1
lo/rp_filter:1
ppp0/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux amber 2.6.10-rc1 #10 Sun Nov 28 17:34:20 EST 2004 i686 athlon i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 2 (Tettnang)
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'native PFKEY (2.6.10-rc1) support detected '
native PFKEY (2.6.10-rc1) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 288: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy DROP 11 packets, 526 bytes)
pkts bytes target prot opt in out source destination
94 23043 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 80 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
103 36218 ppp0_in all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
207 18909 br0_in all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 12 packets, 570 bytes)
pkts bytes target prot opt in out source destination
17 716 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
730 35772 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
6465 2764K ppp0_fwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
5692 1308K br0_fwd all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
94 23043 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
156 17525 fw2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
193 68014 fw2loc all -- * br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (0 references)
pkts bytes target prot opt in out source destination
0 0 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DropSMB all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DropDNSrep (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain DropSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
Chain DropUPnP (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
Chain Reject (0 references)
pkts bytes target prot opt in out source destination
0 0 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 RejectSMB all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0
Chain RejectAuth (2 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
Chain RejectSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
Chain all2all (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
10 1380 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain blacklst (2 references)
pkts bytes target prot opt in out source destination
Chain br0_fwd (1 references)
pkts bytes target prot opt in out source destination
349 17394 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
5690 1308K loc2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
2 360 ACCEPT all -- * br0 0.0.0.0/0 0.0.0.0/0
Chain br0_in (1 references)
pkts bytes target prot opt in out source destination
17 1734 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
207 18909 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
183 66634 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.11
10 1380 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
106 13443 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
1 62 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
45 3780 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
4 240 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (0 references)
pkts bytes target prot opt in out source destination
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
190 17175 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
1 60 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
15 1626 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
5343 1291K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
347 17034 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
97 32976 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.1 tcp dpt:22
2 200 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:50
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:51
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8100,8041
4 3042 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
6055 2734K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.20 tcp dpt:4662
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.1.20 udp dpt:4672
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.20 tcp dpt:4762
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.1.20 udp dpt:4772
250 22486 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.20 tcp dpt:4862
160 7884 ACCEPT udp -- * * 0.0.0.0/0 10.0.1.20 udp dpt:4872
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.20 tcp dpts:6881:6889
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.101 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.1.20 udp dpt:5060
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.1.20 udp dpts:16384:16403
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain norfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 rfc1918 all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 172.16.0.0/12
0 0 rfc1918 all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.168.0.0/16
0 0 rfc1918 all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 10.0.0.0/8
Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source destination
410 30370 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
410 30370 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
410 30370 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
6465 2764K net2loc all -- * br0 0.0.0.0/0 0.0.0.0/0
Chain ppp0_in (1 references)
pkts bytes target prot opt in out source destination
6 3242 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
6 3242 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
6 3242 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
103 36218 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 10.0.1.255 0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain rfc1918 (6 references)
pkts bytes target prot opt in out source destination
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:rfc1918:DROP:' queue_threshold 1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 ULOG all -- * * 10.0.1.255 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:' queue_threshold 1
0 0 DROP all -- * * 10.0.1.255 0.0.0.0/0
0 0 ULOG all -- * * 255.255.255.255 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:' queue_threshold 1
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 ULOG all -- * * 224.0.0.0/4 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:' queue_threshold 1
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 238K packets, 18M bytes)
pkts bytes target prot opt in out source destination
417 33604 net_dnat all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
212 11210 loc_dnat all -- br0 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 575K packets, 29M bytes)
pkts bytes target prot opt in out source destination
209 10804 ppp0_masq all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain loc_dnat (1 references)
pkts bytes target prot opt in out source destination
1 48 REDIRECT tcp -- * * 0.0.0.0/0 !10.0.2.0/24 tcp dpt:80 redir ports 3128
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 to:10.0.1.20
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4672 to:10.0.1.20
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4762 to:10.0.1.20
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4772 to:10.0.1.20
251 22534 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4862 to:10.0.1.20
161 7932 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4872 to:10.0.1.20
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:888 to:10.0.1.1:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 to:10.0.1.1:22
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889 to:10.0.1.20
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888 to:10.0.1.101:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 to:10.0.1.20
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:16384:16403 to:10.0.1.20
Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source destination
200 10166 MASQUERADE all -- * * 10.0.1.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16 0.0.0.0/0
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 16M packets, 5800M bytes)
pkts bytes target prot opt in out source destination
12599 4160K pretos all -- * * 0.0.0.0/0 0.0.0.0/0
12595 4157K tcpre all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 1891K packets, 301M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 15M packets, 5498M bytes)
pkts bytes target prot opt in out source destination
12193 4080K tcfor all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3046K packets, 4034M bytes)
pkts bytes target prot opt in out source destination
444 114K outtos all -- * * 0.0.0.0/0 0.0.0.0/0
444 114K tcout all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 18M packets, 9528M bytes)
pkts bytes target prot opt in out source destination
12624 4194K tcpost all -- * * 0.0.0.0/0 0.0.0.0/0
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
143 61212 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
208 17558 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
41 5485 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
6 240 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
6 240 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
xfrm4_tunnel 2884 0 - Live 0xe0a85000
lt_serial 25712 1 - Live 0xe0d6d000
lt_modem 567728 3 lt_serial, Live 0xe0df1000
dvb_bt8xx 7236 0 - Live 0xe0ad6000
dvb_core 74736 1 dvb_bt8xx, Live 0xe0b17000
mt352 4996 1 dvb_bt8xx, Live 0xe0ad3000
sp887x 7428 1 dvb_bt8xx, Live 0xe0ab1000
dst 12040 1 dvb_bt8xx, Live 0xe0acf000
bt878 8696 2 dvb_bt8xx,dst, Live 0xe0aa9000
bttv 145488 2 dvb_bt8xx,bt878, Live 0xe0af2000
video_buf 16964 1 bttv, Live 0xe0a9f000
firmware_class 7616 3 dvb_bt8xx,sp887x,bttv, Live 0xe0a7c000
i2c_algo_bit 8328 1 bttv, Live 0xe0a78000
v4l2_common 4864 1 bttv, Live 0xe0a64000
btcx_risc 3720 1 bttv, Live 0xe0a48000
i2c_core 19216 6 dvb_bt8xx,mt352,sp887x,dst,bttv,i2c_algo_bit, Live 0xe0a7f000
videodev 7232 1 bttv, Live 0xe0a61000
v4l1_compat 12932 0 - Live 0xe0a73000
nfsd 100616 9 - Live 0xe0ab5000
exportfs 4928 1 nfsd, Live 0xe0a45000
lockd 64168 2 nfsd, Live 0xe0a87000
deflate 2688 0 - Live 0xe0a43000
zlib_deflate 21080 1 deflate, Live 0xe0a5a000
twofish 37120 0 - Live 0xe0a68000
serpent 13248 0 - Live 0xe0a55000
aes_i586 38452 0 - Live 0xe0a4a000
blowfish 8000 0 - Live 0xe0a40000
des 11264 2 - Live 0xe09f8000
sha256 8960 0 - Live 0xe0a38000
sha1 8512 0 - Live 0xe0a34000
md5 3648 2 - Live 0xe0974000
crypto_null 1984 0 - Live 0xe0981000
ipcomp 6472 0 - Live 0xe0a26000
esp4 6720 2 - Live 0xe0a23000
ah4 5312 0 - Live 0xe0a20000
af_key 27024 0 - Live 0xe0a2c000
ipt_LOG 6272 0 - Live 0xe0a29000
ipt_TOS 1984 12 - Live 0xe0a1e000
ipt_MASQUERADE 2880 2 - Live 0xe0a1c000
ipt_REDIRECT 1728 1 - Live 0xe0a08000
ipt_REJECT 5632 4 - Live 0xe0a10000
ipt_ULOG 6244 4 - Live 0xe0a0d000
ipt_TCPMSS 3520 1 - Live 0xe09fc000
ipt_state 1472 20 - Live 0xe0a06000
ipt_pkttype 1344 4 - Live 0xe0a04000
ipt_physdev 1808 0 - Live 0xe0a02000
ipt_multiport 1664 1 - Live 0xe0a00000
ipt_conntrack 1984 3 - Live 0xe09fe000
iptable_mangle 2176 1 - Live 0xe0996000
ip_nat_irc 3504 0 - Live 0xe0994000
ip_nat_tftp 2992 0 - Live 0xe097f000
ip_nat_ftp 4144 0 - Live 0xe0991000
iptable_nat 21960 6 ipt_MASQUERADE,ipt_REDIRECT,ip_nat_irc,ip_nat_tftp,ip_nat_ftp, Live 0xe09e0000
ip_conntrack_irc 70512 1 ip_nat_irc, Live 0xe09cd000
ip_conntrack_tftp 3056 0 - Live 0xe0908000
ip_conntrack_ftp 71408 1 ip_nat_ftp, Live 0xe09ba000
ip_conntrack 39732 10 ipt_MASQUERADE,ipt_state,ipt_conntrack,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,iptable_nat,ip_conntrack_irc,ip_conntrack_tftp,ip_conntrack_ftp, Live 0xe0983000
iptable_filter 2176 1 - Live 0xe08f0000
ip_tables 16000 15 ipt_LOG,ipt_TOS,ipt_MASQUERADE,ipt_REDIRECT,ipt_REJECT,ipt_ULOG,ipt_TCPMSS,ipt_state,ipt_pkttype,ipt_physdev,ipt_multiport,ipt_conntrack,iptable_mangle,iptable_nat,iptable_filter, Live 0xe08fd000
sunrpc 132388 13 nfsd,lockd, Live 0xe0998000
ppp_synctty 7936 0 - Live 0xe0971000
ppp_async 9024 1 - Live 0xe095c000
crc_ccitt 1664 1 ppp_async, Live 0xe08f2000
ppp_generic 21524 6 ppp_synctty,ppp_async, Live 0xe0918000
slhc 7232 1 ppp_generic, Live 0xe08fa000
8139too 20032 0 - Live 0xe0902000
ath_pci 50912 0 - Live 0xe090a000
ath_rate_onoe 6728 1 ath_pci, Live 0xe0820000
wlan 103964 3 ath_pci,ath_rate_onoe, Live 0xe0941000
ath_hal 131344 2 ath_pci, Live 0xe091f000
via_rhine 18308 0 - Live 0xe08f4000
mii 3904 2 8139too,via_rhine, Live 0xe084f000
crc32 3840 3 dvb_core,8139too,via_rhine, Live 0xe0823000
usblp 10816 0 - Live 0xe083a000
uhci_hcd 29712 0 - Live 0xe0844000
ehci_hcd 26052 0 - Live 0xe0832000
usbcore 102296 4 usblp,uhci_hcd,ehci_hcd, Live 0xe0851000
thermal 10568 0 - Live 0xe0804000
sata_via 4484 6 - Live 0xe081a000
libata 38916 1 sata_via, Live 0xe0827000
+ _________________________ proc/meminfo
+ cat /proc/meminfo
MemTotal: 515788 kB
MemFree: 2820 kB
Buffers: 20068 kB
Cached: 314700 kB
SwapCached: 880 kB
Active: 400236 kB
Inactive: 87060 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 515788 kB
LowFree: 2820 kB
SwapTotal: 1052216 kB
SwapFree: 1050096 kB
Dirty: 224 kB
Writeback: 0 kB
Mapped: 179900 kB
Slab: 16188 kB
CommitLimit: 1310108 kB
Committed_AS: 487044 kB
CommitAvail: 823064 kB
PageTables: 1896 kB
VmallocTotal: 516056 kB
VmallocUsed: 6064 kB
VmallocChunk: 509412 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.10-rc1/build/.config
++ uname -r
+ cat /lib/modules/2.6.10-rc1/build/.config
+ egrep 'CONFIG_NETLINK|CONFIG_IPSEC|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
# CONFIG_NETLINK_DEV is not set
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
# CONFIG_IP_NF_MATCH_IPRANGE is not set
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
# CONFIG_IP_NF_TARGET_NETMAP is not set
# CONFIG_IP_NF_TARGET_SAME is not set
# CONFIG_IP_NF_NAT_LOCAL is not set
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
# CONFIG_IP_NF_TARGET_CLASSIFY is not set
# CONFIG_IP_NF_RAW is not set
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_COMPAT_IPFWADM=m
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 203.0.178.191
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 528
drwxr-xr-x 4 root root 4096 Oct 28 17:58 2.6.5-1.358
-rw-r--r-- 1 root root 262144 Oct 29 22:36 ivtv-fw-enc.bin
-rw-r--r-- 1 root root 262144 Oct 29 22:36 ivtv-fw-dec.bin
drwxr-xr-x 7 root root 4096 Nov 28 17:34 2.6.10-rc1
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c02cbbd0 T netif_rx
c02cbd70 T netif_rx_ni
c02cbbd0 U netif_rx [dvb_core]
c02cbbd0 U netif_rx [ppp_generic]
c02cbbd0 U netif_rx [ath_pci]
c02cbbd0 U netif_rx [wlan]
c02cbbd0 U netif_rx [via_rhine]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.10-rc1:
2.6.5-1.358:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '4425808,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Dec 1 09:44:06 amber ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.10-rc1...
+ _________________________ plog
+ sed -n '635,$p' /var/log/secure
+ cat
+ egrep -i pluto
Dec 1 09:44:06 amber ipsec__plutorun: Starting Pluto subsystem...
Dec 1 09:44:06 amber pluto[13381]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Dec 1 09:44:06 amber pluto[13381]: including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 1 09:44:06 amber pluto[13381]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 1 09:44:06 amber pluto[13381]: Using Linux 2.6 IPsec interface code
Dec 1 09:44:06 amber pluto[13381]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 1 09:44:06 amber pluto[13381]: Could not change to directory '/etc/ipsec.d/aacerts'
Dec 1 09:44:06 amber pluto[13381]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 1 09:44:06 amber pluto[13381]: Changing to directory '/etc/ipsec.d/crls'
Dec 1 09:44:06 amber pluto[13381]: Warning: empty directory
Dec 1 09:44:06 amber pluto[13381]: added connection description "Tir-Na-Nogth-IM"
Dec 1 09:44:06 amber pluto[13381]: listening for IKE messages
Dec 1 09:44:06 amber pluto[13381]: adding interface ppp0/ppp0 203.206.236.211
Dec 1 09:44:06 amber pluto[13381]: adding interface br0/br0 10.0.1.1
Dec 1 09:44:06 amber pluto[13381]: adding interface lo/lo 127.0.0.1
Dec 1 09:44:06 amber pluto[13381]: loading secrets from "/etc/ipsec.secrets"
Dec 1 09:44:23 amber pluto[13381]: "Tir-Na-Nogth-IM" #1: initiating Main Mode
Dec 1 09:44:24 amber pluto[13381]: "Tir-Na-Nogth-IM" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 1 09:44:24 amber pluto[13381]: "Tir-Na-Nogth-IM" #1: I did not send a certificate because I do not have one.
Dec 1 09:44:24 amber pluto[13381]: "Tir-Na-Nogth-IM" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 1 09:44:25 amber pluto[13381]: "Tir-Na-Nogth-IM" #1: Peer ID is ID_FQDN: '@
Dec 1 09:44:25 amber pluto[13381]: "Tir-Na-Nogth-IM" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 1 09:44:25 amber pluto[13381]: "Tir-Na-Nogth-IM" #1: ISAKMP SA established
Dec 1 09:44:25 amber pluto[13381]: "Tir-Na-Nogth-IM" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Dec 1 09:44:25 amber pluto[13381]: "Tir-Na-Nogth-IM" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 1 09:44:25 amber pluto[13381]: "Tir-Na-Nogth-IM" #2: sent QI2, IPsec SA established {ESP=>0xed2385f1 <0x67b4c13c}
+ _________________________ date
+ date
Wed Dec 1 09:45:32 EST 2004