[Openswan Users] Ipsec error: no connection is known
Frédéric Gonzatti
fred99 at libertysurf.fr
Sat May 29 22:09:40 CEST 2004
Nate Carlson wrote:
>On Sat, 29 May 2004, Frédéric Gonzatti wrote:
>
>
>>I'm trying to connect to my IPsec gateway with Windows XP. I've followed
>>Nate Carlson's (www.natecarlson.com <http://www.natecarlson.com>) advice,
>>but the error message "no connection is known" appears on my gateway, so
>>it's impossible to ping a LAN computer...
>>
>>Could you please help me to enter the right parameters in my ipsec.conf
>>files (Windows and Linux)? I'm using FreeS/WAN 2.05.
>>
>>My configuration is:
>>
>>XP freeswan client---Internet---WAN side of the router (public IP
>>62.161.75.XXX)---LAN side of the router (192.168.3.254)---my IPsec gateway
>>(192.168.3.1)---my IPsec gateway (172.16.2.1)
>>
>>I would like to access my LAN (172.16.0.0/16). I think I have to use the
>>rightnexthop parameter, but I don't know how.
>>
>>Thanks a lot for your help.
>>
>>
>
>I've had problems putting the FreeS/WAN gateway behind a NAT router, but
>other people have said it's possible.
>
>Can you show us your configuration files, and the error logs?
>
>------------------------------------------------------------------------
>| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
>| depriving some poor village of its idiot since 1981 |
>------------------------------------------------------------------------
>
>
>
Here is the ipsec.conf file of my Linux gateway:
****************************************************
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.strongsec.com/freeswan/install.htm

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    interfaces=%defaultroute
    uniqueids=yes
    plutodebug=no

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=172.16.0.0/16
    also=roadwarrior

conn roadwarrior
    right=%any
    left=%defaultroute
    leftcert=gandalf.XXX.com.pem
    auto=add
    pfs=yes

# OE policy groups are disabled by default
conn block
    auto=ignore
conn clear
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn packetdefault
    auto=ignore
**********************************
And the output of ipsec barf on my gateway:
gandalf
Thu May 27 21:26:52 CEST 2004
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 2.05
See `ipsec --copyright' for copyright information.
X.509-1.5.3 distributed by Andreas Steffen <andreas.steffen at strongsec.com>
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.26 (root at gandalf) (gcc version 3.3.2 20031022 (Red Hat Linux 3.3.2-1)) #4 Sat May 15 02:37:25 CEST 2004
+ _________________________ proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
172.16.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.3.254   0.0.0.0         UG        0 0          0 eth2
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth2 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
c700abc0 27976 c5c30520 0 0 0 0 2 107520 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 3 c5c30520 27976 c700abc0
pf_key_registered: 9 c5c30520 27976 c700abc0
pf_key_registered: 10 c5c30520 27976 c700abc0
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 4 0 128 128
pf_key_supported: 9 15 3 0 32 128
pf_key_supported: 9 15 2 0 128 32
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth2 192.168.3.1
000 %myid = (none)
000 debug none
000
000 "roadwarrior": 192.168.3.1[C=FR, ST=Herault, L=Montpellier, O=XXX SA, OU=Informatique, CN=gandalf, E=postmaster at XXX.com]---192.168.3.254...%any; unrouted; eroute owner: #0
000 "roadwarrior": CAs: 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX SA, CN=gandalf, E=postmaster at XXX.com'...'%any'
000 "roadwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 32,32; interface: eth2;
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-net": 172.16.0.0/16===192.168.3.1[C=FR, ST=Herault, L=Montpellier, O=XXX SA, OU=Informatique, CN=gandalf, E=postmaster at XXX.com]---192.168.3.254...%any; unrouted; eroute owner: #0
000 "roadwarrior-net": CAs: 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX SA, CN=gandalf, E=postmaster at XXX.com'...'%any'
000 "roadwarrior-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-net": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 16,32; interface: eth2;
000 "roadwarrior-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:10:B5:AC:E8:B7
inet addr:172.16.2.1 Bcast:172.16.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25927028 errors:0 dropped:0 overruns:0 frame:0
TX packets:24681317 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:853954040 (814.3 Mb) TX bytes:746930408 (712.3 Mb)
Interrupt:11 Base address:0x2f00
eth1 Link encap:Ethernet HWaddr 00:30:F1:45:E2:C7
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2462300 errors:0 dropped:0 overruns:0 frame:0
TX packets:2337258 errors:4 dropped:0 overruns:0 carrier:8
collisions:0 txqueuelen:1000
RX bytes:823590655 (785.4 Mb) TX bytes:667022114 (636.1 Mb)
Interrupt:12 Base address:0x800
eth2 Link encap:Ethernet HWaddr 00:50:BA:11:56:66
inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23868950 errors:0 dropped:0 overruns:0 frame:0
TX packets:24240844 errors:0 dropped:0 overruns:0 carrier:0
collisions:81528 txqueuelen:1000
RX bytes:663039287 (632.3 Mb) TX bytes:805454643 (768.1 Mb)
Interrupt:11 Base address:0xa400
ipsec0 Link encap:Ethernet HWaddr 00:50:BA:11:56:66
inet addr:192.168.3.1 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:59 errors:0 dropped:87 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:12478 (12.1 Kb)
ipsec1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:840 (840.0 b) TX bytes:840 (840.0 b)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN 2.05
Checking for IPsec kernel support: found KLIPS [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward map: gandalf [MISSING]
Does the machine have at least one non-private address? [FAILED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD flow-control, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: negotiated 100baseTx-FD flow-control, link ok
product info: vendor 00:07:49, model 1 rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth2: no autonegotiation, 10baseT-HD, link ok
product info: vendor 00:05:be, model 8 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
gandalf
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
21:26:52 up 9 days, 1:37, 1 user, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY   TIME COMMAND
0     0 28256 28046  16   0  4212  984 wait4  S    pts/0 0:00  \_ /bin/sh /usr/local/libexec/ipsec/barf
1     0 28327 28256  15   0  4212  984 -      R    pts/0 0:00      \_ /bin/sh /usr/local/libexec/ipsec/barf
1     0 27968     1   9   0  2176 1036 wait4  S    ?     0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug no --uniqueids yes --nocrsend --strictcrlpolicy --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
1     0 27972 27968   9   0  2176 1048 wait4  S    ?     0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug no --uniqueids yes --nocrsend --strictcrlpolicy --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4     0 27976 27972   8   0  2636 1192 do_sel S    ?     0:00  |   \_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --policygroupsdir /etc/ipsec.d/policies --debug-no --uniqueids
0     0 27980 27976   9   0  1440  244 do_sel S    ?     0:00  |       \_ _pluto_adns
0     0 27973 27968   8   0  2176 1036 pipe_w S    ?     0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0     0 27969     1   9   0  1504  304 pipe_w S    ?     0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth2
routevirt=ipsec0
routeaddr=192.168.3.1
routenexthop=192.168.3.254
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.strongsec.com/freeswan/install.htm

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    interfaces=%defaultroute
    uniqueids=yes
    plutodebug=no

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=172.16.0.0/16
    also=roadwarrior

conn roadwarrior
    right=%any
    left=%defaultroute
    leftcert=gandalf.XXX.com.pem
    auto=add
    pfs=yes

# OE policy groups are disabled by default
conn block
    auto=ignore
conn clear
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn packetdefault
    auto=ignore

# Add connections here.

# sample VPN connection
#sample# conn sample
#sample#    # Left security gateway, subnet behind it, next hop toward right.
#sample#    left=%defaultroute
#sample#    leftcert=myCert.pem
#sample#    leftsubnet=172.16.0.0/24
#sample#    # Right security gateway, subnet behind it, next hop toward left.
#sample#    right=10.12.12.1
#sample#    rightid="<Distinguished name of right security gateway>"
#sample#    rightsubnet=192.168.0.0/24
#sample#    # To authorize this connection, but not actually start it, at startup,
#sample#    # uncomment this.
#sample#    #auto=start
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA gandalf.XXX.com.key "[sums to 0ac6...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 May 27 21:23:48 2004, 2048 RSA Key AwEAAbaRG, until May 13 18:18:16 2014 ok
000        ID_DER_ASN1_DN 'C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Info, CN=fred, E=postmaster at XXX.com'
000        Issuer 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX, CN=gandalf, E=postmaster at XXX.com'
000 May 27 21:18:18 2004, 2048 RSA Key AwEAAb4PY, until May 13 16:35:35 2014 ok
000        ID_DER_ASN1_DN 'C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Informatique, CN=gandalf, E=postmaster at XXX.com'
000        Issuer 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX, CN=gandalf, E=postmaster at XXX.com'
000
000 List of X.509 End Certificates:
000
000 May 27 21:18:18 2004, count: 2
000        subject: 'C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Informatique, CN=gandalf, E=postmaster at XXX.com'
000        issuer: 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX, CN=gandalf, E=postmaster at XXX.com'
000        serial: 01
000        pubkey: 2048 RSA Key AwEAAb4PY, has private key
000        validity: not before May 15 16:35:35 2004 ok
000                  not after May 13 16:35:35 2014 ok
000        subjkey: 39:02:3b:2e:21:23:9d:f6:87:ad:c3:c7:d3:18:ae:df:70:f9:83:bf
000        authkey: 8f:8e:e1:76:20:df:b7:79:d0:b5:73:2c:2e:b2:67:3b:96:8d:7d:99
000        aserial: 00
000
000 List of X.509 CA Certificates:
000
000 May 27 21:18:18 2004, count: 1
000        subject: 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX, CN=gandalf, E=postmaster at XXX.com'
000        issuer: 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX, CN=gandalf, E=postmaster at XXX.com'
000        serial: 00
000        pubkey: 2048 RSA Key AwEAAd0Rw
000        validity: not before May 15 16:25:28 2004 ok
000                  not after Jul 02 16:25:28 2014 ok
000        subjkey: 8f:8e:e1:76:20:df:b7:79:d0:b5:73:2c:2e:b2:67:3b:96:8d:7d:99
000        authkey: 8f:8e:e1:76:20:df:b7:79:d0:b5:73:2c:2e:b2:67:3b:96:8d:7d:99
000        aserial: 00
000
000 List of X.509 CRLs:
000
000 May 27 21:18:18 2004, revoked certs: 0
000        issuer: 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX, CN=gandalf, E=postmaster at XXX.com'
000        distPts: 'file:///etc/ipsec.d/crls/crl.pem'
000        updates: this May 15 18:20:54 2004
000                 next Jun 14 18:20:54 2004 ok
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 204
-rwxr-xr-x 1 root root 14962 May 15 02:36 _confread
-rwxr-xr-x 1 root root 43944 May 15 02:36 _copyright
-rwxr-xr-x 1 root root 2379 May 15 02:36 _include
-rwxr-xr-x 1 root root 1475 May 15 02:36 _keycensor
-rwxr-xr-x 1 root root 64514 May 15 02:36 _pluto_adns
-rwxr-xr-x 1 root root 3586 May 15 02:36 _plutoload
-rwxr-xr-x 1 root root 5940 May 15 02:36 _plutorun
-rwxr-xr-x 1 root root 9945 May 15 02:36 _realsetup
-rwxr-xr-x 1 root root 1975 May 15 02:36 _secretcensor
-rwxr-xr-x 1 root root 8272 May 15 02:36 _startklips
-rwxr-xr-x 1 root root 7957 May 15 02:36 _updown
-rwxr-xr-x 1 root root 11992 May 15 02:36 _updown_x509
-rwxr-xr-x 1 root root 75 May 15 02:36 distro.txt
-rwxr-xr-x 1 root root 1942 May 15 02:36 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 3352
-rwxr-xr-x 1 root root 15599 May 15 02:36 auto
-rwxr-xr-x 1 root root 8652 May 15 02:36 barf
-rwxr-xr-x 1 root root 816 May 15 02:36 calcgoo
-rwxr-xr-x 1 root root 310856 May 15 02:36 eroute
-rwxr-xr-x 1 root root 175600 May 15 02:36 klipsdebug
-rwxr-xr-x 1 root root 2449 May 15 02:36 look
-rwxr-xr-x 1 root root 7132 May 15 02:36 mailkey
-rwxr-xr-x 1 root root 16188 May 15 02:36 manual
-rwxr-xr-x 1 root root 1898 May 15 02:36 newhostkey
-rwxr-xr-x 1 root root 159473 May 15 02:36 pf_key
-rwxr-xr-x 1 root root 1638469 May 15 02:36 pluto
-rwxr-xr-x 1 root root 48918 May 15 02:36 ranbits
-rwxr-xr-x 1 root root 99602 May 15 02:36 rsasigkey
-rwxr-xr-x 1 root root 766 May 15 02:36 secrets
-rwxr-xr-x 1 root root 17602 May 15 02:36 send-pr
lrwxrwxrwx 1 root root 22 May 15 02:36 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 May 15 02:36 showdefaults
-rwxr-xr-x 1 root root 4489 May 15 02:36 showhostkey
-rwxr-xr-x 1 root root 316655 May 15 02:36 spi
-rwxr-xr-x 1 root root 250700 May 15 02:36 spigrp
-rwxr-xr-x 1 root root 47230 May 15 02:36 tncfg
-rwxr-xr-x 1 root root 10366 May 15 02:36 verify
-rwxr-xr-x 1 root root 218772 May 15 02:36 whack
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes     packets  errs drop fifo frame compressed multicast|bytes     packets  errs drop fifo colls carrier compressed
    lo:      840       14    0    0    0     0          0         0      840       14    0    0    0     0       0          0
ipsec0:        0        0    0    0    0     0          0         0    12478       59    0   87    0     0       0          0
ipsec1:        0        0    0    0    0     0          0         0        0        0    0    0    0     0       0          0
ipsec2:        0        0    0    0    0     0          0         0        0        0    0    0    0     0       0          0
ipsec3:        0        0    0    0    0     0          0         0        0        0    0    0    0     0       0          0
  eth0:853959735 25927056    0    0    0     0          0         0 746935332 24681344    0    0    0     0       0          0
  eth1:823590715  2462301    0    0    0     0          0         0 667022220  2337259    4    0    0     0       8          0
  eth2:663044183 23868976    0    0    0     0          0         0 805460084 24240871    0    0    0 81528       0          0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface   Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
ipsec0  3B34AA50    FE03A8C0 0006  0      0   0      FFFFFFFF 0   0      0
eth2    0003A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0
ipsec0  0003A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0
eth1    0002A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0
eth0    000010AC    00000000 0001  0      0   0      0000FFFF 0   0      0
eth2    0000FEA9    00000000 0001  0      0   0      0000FFFF 0   0      0
lo      0000007F    00000000 0001  0      0   0      000000FF 0   0      0
eth2    00000000    FE03A8C0 0003  0      0   0      00000000 0   0      0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter eth2/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
eth2/rp_filter:0
ipsec0/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux gandalf 2.4.26 #4 Sat May 15 02:37:25 CEST 2004 i686 i686 i386 GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 1 (Yarrow)
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 2.05
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 3040 packets, 289K bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 444K packets, 176M bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 1392 packets, 264K bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/local/libexec/ipsec/barf: line 238: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/local/libexec/ipsec/barf: line 240: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/local/libexec/ipsec/barf: line 242: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/local/libexec/ipsec/barf: line 244: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1751K packets, 104M bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 934K packets, 48M bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/local/libexec/ipsec/barf: line 248: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/local/libexec/ipsec/barf: line 250: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 52M packets, 23G bytes)
pkts bytes target prot opt in out source
destination
Chain INPUT (policy ACCEPT 232K packets, 27M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 52M packets, 23G bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 33552 packets, 7489K bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 51M packets, 23G bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ proc/modules
+ cat /proc/modules
nls_iso8859-1 3516 0 (autoclean)
nls_cp437 5116 0 (autoclean)
vfat 13164 0 (autoclean)
fat 38840 0 (autoclean) [vfat]
floppy 57692 0 (autoclean)
iptable_mangle 2776 0 (autoclean) (unused)
ip_nat_ftp 3760 0 (unused)
ip_conntrack_ftp 5328 1
ipt_state 1016 0 (autoclean)
iptable_nat 20686 1 (autoclean) [ip_nat_ftp]
ip_conntrack 28644 1 (autoclean) [ip_nat_ftp ip_conntrack_ftp ipt_state iptable_nat]
autofs 13236 0 (autoclean) (unused)
iptable_filter 2412 0 (autoclean)
ip_tables 15648 6 [iptable_mangle ipt_state iptable_nat iptable_filter]
via-rhine 15216 1
tulip 43360 1
8139too 17480 1
mii 3880 0 [via-rhine 8139too]
microcode 5924 0 (autoclean)
keybdev 3140 0 (unused)
mousedev 5524 0 (unused)
input 5728 0 [keybdev mousedev]
hid 12408 0 (unused)
usb-uhci 26480 0 (unused)
usbcore 78892 1 [hid usb-uhci]
thermal 8164 0 (unused)
processor 10872 0 [thermal]
fan 2464 0 (unused)
button 3628 0 (unused)
battery 6976 0 (unused)
asus_acpi 10188 0 (unused)
ac 2752 0 (unused)
ext3 70884 2
jbd 52344 2 [ext3]
+ _________________________ proc/meminfo
+ cat /proc/meminfo
          total:     used:     free:  shared:  buffers:   cached:
Mem:  128425984 123904000   4521984        0  38830080  12390400
Swap: 271425536         0 271425536
MemTotal: 125416 kB
MemFree: 4416 kB
MemShared: 0 kB
Buffers: 37920 kB
Cached: 12100 kB
SwapCached: 0 kB
Active: 19092 kB
Inactive: 33068 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 125416 kB
LowFree: 4416 kB
SwapTotal: 265064 kB
SwapFree: 265064 kB
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 May 27 21:26 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 May 27 21:26 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 May 27 21:26 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 May 27 21:26 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 May 27 21:26 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 May 27 21:26 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
# CONFIG_MTD_OBSOLETE_CHIPS is not set
# CONFIG_PARPORT_IP22 is not set
CONFIG_MD_MULTIPATH=m
CONFIG_NETLINK_DEV=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
# IP: Netfilter Configuration
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_LOCAL=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_COMPAT_IPFWADM=m
CONFIG_IP_NF_NAT_NEEDED=y
# IP: Virtual Server Configuration
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=16
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
# CONFIG_IP_VS_SED is not set
# CONFIG_IP_VS_NQ is not set
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
# IPv6: Netfilter Configuration
# CONFIG_IP6_NF_QUEUE is not set
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
# CONFIG_IP_SCTP is not set
CONFIG_ATM_CLIP=y
# CONFIG_ATM_CLIP_NO_ICMP is not set
CONFIG_ATM_BR2684_IPFILTER=y
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPSEC=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_IDE_CHIPSETS is not set
CONFIG_SCSI_IPS=m
# CONFIG_SCSI_IZIP_EPP16 is not set
# CONFIG_SCSI_IZIP_SLOW_CTR is not set
CONFIG_TULIP=m
# CONFIG_TULIP_MWI is not set
CONFIG_TULIP_MMIO=y
# CONFIG_HIPPI is not set
CONFIG_PLIP=m
CONFIG_SLIP=m
CONFIG_SLIP_COMPRESSED=y
CONFIG_SLIP_SMART=y
CONFIG_SLIP_MODE_SLIP6=y
CONFIG_STRIP=m
CONFIG_IPHASE5526=m
CONFIG_WANPIPE_CHDLC=y
CONFIG_WANPIPE_FR=y
CONFIG_WANPIPE_X25=y
CONFIG_WANPIPE_PPP=y
CONFIG_WANPIPE_MULTPPP=y
CONFIG_PCMCIA_XIRTULIP=m
CONFIG_IPPP_FILTER=y
CONFIG_HISAX_FRITZ_PCIPNP=m
CONFIG_SERIAL_MULTIPORT=y
CONFIG_TIPAR=m
CONFIG_I2C_PHILIPSPAR=m
CONFIG_INPUT_GRIP=m
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_KCS=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_USB_AIPTEK=m
CONFIG_USB_SERIAL_IPAQ=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 172.16.2.200
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 4 root root 4096 May 15 00:36 2.4.22-1.2115.nptl
drwxr-xr-x 4 root root 4096 May 15 02:36 2.4.26
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c0207330 netif_rx_R07ec922f
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.22-1.2115.nptl: U netif_rx_R36ab9c93
2.4.26: U netif_rx_R07ec922f
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '452,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
May 27 21:18:17 gandalf ipsec_setup: Starting FreeS/WAN IPsec 2.05...
May 27 21:18:17 gandalf ipsec_setup: KLIPS debug `none'
May 27 21:18:17 gandalf ipsec_setup: KLIPS ipsec0 on eth2
192.168.3.1/255.255.255.0 broadcast 192.168.3.255
May 27 21:18:17 gandalf ipsec_setup: ...FreeS/WAN IPsec started
+ _________________________ plog
+ sed -n '6845,$p' /var/log/secure
+ egrep -i pluto
+ cat
May 27 21:18:17 gandalf ipsec__plutorun: Starting Pluto subsystem...
May 27 21:18:18 gandalf pluto[27976]: Starting Pluto (FreeS/WAN Version
2.05 X.509-1.5.3 PLUTO_USES_KEYRR)
May 27 21:18:18 gandalf pluto[27976]: Using KLIPS IPsec interface code
May 27 21:18:18 gandalf pluto[27976]: Changing to directory
'/etc/ipsec.d/cacerts'
May 27 21:18:18 gandalf pluto[27976]: loaded CA cert file 'cacert.pem'
(1696 bytes)
May 27 21:18:18 gandalf pluto[27976]: Could not change to directory
'/etc/ipsec.d/aacerts'
May 27 21:18:18 gandalf pluto[27976]: Changing to directory
'/etc/ipsec.d/ocspcerts'
May 27 21:18:18 gandalf pluto[27976]: Changing to directory
'/etc/ipsec.d/crls'
May 27 21:18:18 gandalf pluto[27976]: loaded crl file 'crl.pem' (711
bytes)
May 27 21:18:18 gandalf pluto[27976]: loaded host cert file
'/etc/ipsec.d/certs/gandalf.XXX.com.pem' (5112 bytes)
May 27 21:18:18 gandalf pluto[27976]: added connection description
"roadwarrior"
May 27 21:18:18 gandalf pluto[27976]: loaded host cert file
'/etc/ipsec.d/certs/gandalf.XXX.com.pem' (5112 bytes)
May 27 21:18:18 gandalf pluto[27976]: added connection description
"roadwarrior-net"
May 27 21:18:18 gandalf pluto[27976]: listening for IKE messages
May 27 21:18:18 gandalf pluto[27976]: adding interface ipsec0/eth2
192.168.3.1
May 27 21:18:18 gandalf pluto[27976]: loading secrets from
"/etc/ipsec.secrets"
May 27 21:18:18 gandalf pluto[27976]: loaded private key file
'/etc/ipsec.d/private/gandalf.XXX.com.key' (1743 bytes)
May 27 21:22:58 gandalf pluto[27976]: packet from 80.170.52.59:500:
received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
May 27 21:22:58 gandalf pluto[27976]: "roadwarrior"[1] 80.170.52.59 #1:
responding to Main Mode from unknown peer 80.170.52.59
May 27 21:22:58 gandalf pluto[27976]: "roadwarrior"[1] 80.170.52.59 #1:
Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=Herault, L=Montpellier, O=XXX,
OU=Info, CN=fred, E=postmaster at XXX.com'
May 27 21:22:58 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59 #1:
deleting connection "roadwarrior" instance with peer 80.170.52.59
{isakmp=#0/ipsec=#0}
May 27 21:22:58 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59 #1:
sent MR3, ISAKMP SA established
May 27 21:22:59 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#2: responding to Quick Mode
May 27 21:22:59 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#2: IPsec SA established {ESP=>0x18b86252 <0x4a0d5e4d}
May 27 21:23:47 gandalf pluto[27976]: packet from 80.170.52.59:500:
received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
May 27 21:23:47 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: responding to Main Mode from unknown peer 80.170.52.59
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=Herault, L=Montpellier, O=XXX,
OU=Info, CN=fred, E=postmaster at XXX.com'
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: sent MR3, ISAKMP SA established
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: cannot respond to IPsec SA request because no connection is known
for 62.161.75.XXX/32===192.168.3.1[C=FR, ST=Herault, L=Montpellier,
O=XXX, OU=Informatique, CN=gandalf,
E=postmaster at XXX.com]...80.170.52.59[C=FR, ST=Herault, L=Montpellier,
O=XXX, OU=Info, CN=fred, E=postmaster at XXX.com]
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: sending encrypted notification INVALID_ID_INFORMATION to
80.170.52.59:500
May 27 21:23:49 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: Quick Mode I1 message is unacceptable because it uses a previously
used Message ID 0x43fdea6a (perhaps this is a duplicated packet)
May 27 21:23:49 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: sending encrypted notification INVALID_MESSAGE_ID to 80.170.52.59:500
May 27 21:23:51 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: Quick Mode I1 message is unacceptable because it uses a previously
used Message ID 0x43fdea6a (perhaps this is a duplicated packet)
May 27 21:23:51 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: sending encrypted notification INVALID_MESSAGE_ID to 80.170.52.59:500
May 27 21:23:55 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: Quick Mode I1 message is unacceptable because it uses a previously
used Message ID 0x43fdea6a (perhaps this is a duplicated packet)
May 27 21:23:55 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: sending encrypted notification INVALID_MESSAGE_ID to 80.170.52.59:500
May 27 21:24:03 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: Quick Mode I1 message is unacceptable because it uses a previously
used Message ID 0x43fdea6a (perhaps this is a duplicated packet)
May 27 21:24:03 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: sending encrypted notification INVALID_MESSAGE_ID to 80.170.52.59:500
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59 #1:
received Delete SA(0x18b86252) payload: deleting IPSEC State #2
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: received Delete SA payload: deleting ISAKMP State #3
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59:
deleting connection "roadwarrior-net" instance with peer 80.170.52.59
{isakmp=#0/ipsec=#0}
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59 #1:
received Delete SA payload: deleting ISAKMP State #1
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59:
deleting connection "roadwarrior" instance with peer 80.170.52.59
{isakmp=#0/ipsec=#0}
+ _________________________ date
+ date
Thu May 27 21:26:52 CEST 2004
*****************************************************************
NB: 80.170.52.59 was the address of the XP client (it changes every time).
62.161.75.XXX is my public IP
And finally, the ipsec.conf of my XP client:
*******************************************************************
conn roadwarrior
left=%any
right=62.161.75.XXX
rightnexthop=193.168.3.1/32
rightca="C=FR,S=Herault,L=Montpellier,O=Informatique,OU=XXX,CN=gandalf,Email=postmaster at XXX.com"
network=auto
auto=start
pfs=yes
conn roadwarrior-net
left=%any
right=62.161.75.XXX
rightnexthop=193.168.3.1/32
rightsubnet=172.16.0.0/16
rightca="C=FR,S=Herault,L=Montpellier,O=Informatique,OU=XXX,CN=gandalf,Email=postmaster at XXX.com"
network=auto
auto=start
pfs=yes
*******************************************************************
Thanks a lot for your help.
Frederic
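As an added example (not code from the original post, nor part of FreeS/WAN), the script below parses Pluto's "cannot respond to IPsec SA request because no connection is known for ..." line and compares the local traffic selector the peer asked for against a gateway-side conn table. Pluto prints the pair it searched for as `<client>===<host>[<id>]...<host>[<id>]`, omitting the client part when it is just the host itself. The sample log line and the conn table are constructed: 198.51.100.7 stands in for the masked public address of the router and 203.0.113.10 for the road-warrior client, and the two `Conn` entries assume the gateway defines `roadwarrior` (host only) and `roadwarrior-net` (leftsubnet 172.16.0.0/16) with left=192.168.3.1. In the posted log the client asks for the router's public address as a /32 on the gateway side while the gateway identifies itself as 192.168.3.1 behind the NAT router, so no conn's local selector can match; that is the mismatch the script makes explicit.

```python
"""Explain a Pluto 'no connection is known' line against gateway conn definitions.

Added example; the log line and conn table are constructed, not taken from the post.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Pluto writes the pair it searched for as
#   <client>===<host>[<id>]...<host>[<id>]===<client>
# with a client part omitted when it equals the host itself.
_NO_CONN = re.compile(
    r"no connection is known for\s+"
    r"(?:(?P<our_net>[\d./]+)===)?(?P<our_host>[\d.]+)\[(?P<our_id>[^\]]*)\]"
    r"\.\.\."
    r"(?P<peer_host>[\d.]+)\[(?P<peer_id>[^\]]*)\](?:===(?P<peer_net>[\d./]+))?"
)


@dataclass
class Request:
    our_net: IPv4Network   # traffic selector the peer wants on the gateway side
    our_host: str          # address the gateway used as its own endpoint
    our_id: str
    peer_net: IPv4Network
    peer_host: str
    peer_id: str


@dataclass
class Conn:
    name: str
    left: str                          # gateway's own address in this conn
    leftsubnet: Optional[str] = None   # None means host-only, i.e. left/32


# Constructed gateway-side conn table (assumed, not the poster's real file).
GATEWAY_CONNS: List[Conn] = [
    Conn("roadwarrior", "192.168.3.1"),
    Conn("roadwarrior-net", "192.168.3.1", "172.16.0.0/16"),
]

# Constructed log line modelled on the one in the post (public IP masked there).
SAMPLE_LINE = (
    'May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 203.0.113.10 #3: '
    "cannot respond to IPsec SA request because no connection is known for "
    "198.51.100.7/32===192.168.3.1[C=FR, O=XXX, CN=gandalf]"
    "...203.0.113.10[C=FR, O=XXX, CN=fred]"
)


def parse_no_connection(line: str) -> Optional[Request]:
    """Return the selector pair Pluto failed to match, or None for other lines."""
    m = _NO_CONN.search(line)
    if not m:
        return None
    our_net = m["our_net"] or f"{m['our_host']}/32"
    peer_net = m["peer_net"] or f"{m['peer_host']}/32"
    return Request(ip_network(our_net), m["our_host"], m["our_id"].strip(),
                   ip_network(peer_net), m["peer_host"], m["peer_id"].strip())


def local_selector(conn: Conn) -> IPv4Network:
    """The traffic selector a conn offers on the gateway side."""
    return ip_network(conn.leftsubnet or f"{conn.left}/32")


def explain(req: Request, conns: List[Conn]) -> Dict[str, object]:
    """Which conns offer exactly the requested local selector, and whether that
    selector even covers the address the gateway is using for itself."""
    matches = [c.name for c in conns if local_selector(c) == req.our_net]
    return {
        "requested_local": str(req.our_net),
        "gateway_host": req.our_host,
        "matching_conns": matches,
        "selector_covers_gateway": ip_address(req.our_host) in req.our_net,
        "peer": f"{req.peer_host} [{req.peer_id}]",
    }


if __name__ == "__main__":
    request = parse_no_connection(SAMPLE_LINE)
    assert request is not None
    for key, value in explain(request, GATEWAY_CONNS).items():
        print(f"{key:24} {value}")
```

Feed it the real `/var/log/secure` lines (joined back onto one line if the mail client wrapped them) and compare `requested_local` with the `leftsubnet` values in the gateway's conns; when `selector_covers_gateway` is False, the client is naming an address the gateway does not hold, which is what a NAT router in front of the gateway produces.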