[Openswan Users] Ipsec error : no connection is known

Frédéric Gonzatti fred99 at libertysurf.fr
Sat May 29 22:09:40 CEST 2004


Nate Carlson wrote:

>On Sat, 29 May 2004, Frédéric Gonzatti wrote:
>
>>I'm trying to connect to my ipsec gateway with windows XP. I've followed
>>nate carlson's (www.natecarlson.com) advice, but the error message "no
>>connection is known" appears in my gateway. So it's impossible to ping a
>>LAN computer...
>>
>>Could you please help me to enter the good parameters in my ipsec.conf
>>files (windows and Linux). I'm using Freeswan 2.05.
>>
>>My configuration is:
>>
>>XP freeswan client--Internet---WAN side of the router (public IP
>>62.161.75.XXX)-LAN side of the router (192.168.3.254)---My Ipsec Gateway
>>(192.168.3.1)----My Ipsec Gateway (172.16.2.1)
>>
>>I would like to access my LAN (172.16.0.0/16). I think I have to use the
>>rightnexthop parameter but I don't know how?
>>
>>Thanks a lot for your help.
>
>I've had problems putting the FreeS/WAN gateway behind a NAT router, but
>other people have said it's possible.
>
>Can you show us your configuration files, and the error logs?
>
>------------------------------------------------------------------------
>| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
>|       depriving some poor village of its idiot since 1981            |
>------------------------------------------------------------------------
>
Here is the ipsec.conf file of my Linux gateway:
****************************************************
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $

# This file:  /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
#
# Help:
# http://www.strongsec.com/freeswan/install.htm

version    2.0    # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    interfaces=%defaultroute
    uniqueids=yes
    plutodebug=no

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=172.16.0.0/16
    also=roadwarrior

conn roadwarrior
    right=%any
    left=%defaultroute
    leftcert=gandalf.XXX.com.pem
    auto=add
    pfs=yes
# OE policy groups are disabled by default
conn block
    auto=ignore

conn clear
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn packetdefault
    auto=ignore

**********************************
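To see what pluto actually loads from the file above (the same file appears again inside the barf output further down), the following added example resolves the also= and conn %default inheritance the way the ipsec.conf(5) manual describes it. It is written for this thread and is not FreeS/WAN's own _confread; the embedded configuration is a constructed copy of the one posted, with the auto=ignore policy-group conns trimmed, and treating a parameter that is set both in a conn and in the section it pulls in via also= as an error is an assumption of this parser.

```python
"""Resolve FreeS/WAN ipsec.conf sections: 'also=' appends another section's
parameters to this one, and 'conn %default' fills in anything still unset.
Added example for this thread; it is not FreeS/WAN's _confread."""

# Constructed copy of the gateway's ipsec.conf from the post, minus the
# Opportunistic Encryption policy-group conns (all auto=ignore).
IPSEC_CONF = """\
version    2.0    # conforms to second version of ipsec.conf specification

config setup
    interfaces=%defaultroute
    uniqueids=yes
    plutodebug=no

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=172.16.0.0/16
    also=roadwarrior

conn roadwarrior
    right=%any
    left=%defaultroute
    leftcert=gandalf.XXX.com.pem
    auto=add
    pfs=yes

conn block
    auto=ignore
"""


def parse_sections(text):
    """Return {(kind, name): {param: value}}; 'also' collects a list.

    A line starting in column 1 opens a section ('conn roadwarrior');
    indented lines are 'key=value' parameters of the current section.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
            continue
        if current is None:
            raise ValueError("parameter outside any section: %r" % raw)
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also":
            current.setdefault("also", []).append(value)
        elif key in current:
            raise ValueError("duplicate parameter %r" % key)
        else:
            current[key] = value
    return sections


def _expand(sections, name, seen):
    """Own parameters plus those pulled in through also= (recursively)."""
    if name in seen:
        raise ValueError("also= loop through conn %r" % name)
    sec = sections.get(("conn", name))
    if sec is None:
        raise KeyError("also= names unknown conn %r" % name)
    params = {k: v for k, v in sec.items() if k != "also"}
    for other in sec.get("also", []):
        for k, v in _expand(sections, other, seen | {name}).items():
            if k in params:            # assumption: treat a clash as an error
                raise ValueError("conn %r: %r set twice via also=" % (name, k))
            params[k] = v
    return params


def resolve(sections, name):
    """Effective parameters of conn `name` after also= and %default."""
    params = _expand(sections, name, set())
    for k, v in sections.get(("conn", "%default"), {}).items():
        if k != "also":
            params.setdefault(k, v)
    return params


def loadable_conns(sections):
    """Conns pluto would actually load: auto= is not 'ignore' (the default)."""
    names = [n for kind, n in sections if kind == "conn" and n != "%default"]
    resolved = {n: resolve(sections, n) for n in names}
    return {n: p for n, p in resolved.items() if p.get("auto", "ignore") != "ignore"}


if __name__ == "__main__":
    for name, params in loadable_conns(parse_sections(IPSEC_CONF)).items():
        print("conn %s" % name)
        for key in sorted(params):
            print("    %s=%s" % (key, params[key]))
```

Running it shows that both roadwarrior and roadwarrior-net are loaded with identical authentication and peer settings and differ only in leftsubnet, which matches the two entries in the ipsec auto --status output below.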

And the output of an ipsec barf on my gateway:
gandalf
Thu May 27 21:26:52 CEST 2004
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 2.05
See `ipsec --copyright' for copyright information.
X.509-1.5.3 distributed by Andreas Steffen <andreas.steffen at strongsec.com>
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.26 (root at gandalf) (gcc version 3.3.2 20031022 (Red Hat Linux 3.3.2-1)) #4 Sat May 15 02:37:25 CEST 2004
+ _________________________ proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
172.16.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.3.254   0.0.0.0         UG        0 0          0 eth2
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth2 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
    sock   pid   socket     next     prev e n p sndbf    Flags     Type St
c700abc0 27976 c5c30520        0        0 0 0 2 107520 00000000        3  1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid       sk
pf_key_registered:     3 c5c30520 27976 c700abc0
pf_key_registered:     9 c5c30520 27976 c700abc0
pf_key_registered:    10 c5c30520 27976 c700abc0
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported:     3      15      3   128     168     168
pf_key_supported:     3      14      3     0     160     160
pf_key_supported:     3      14      2     0     128     128
pf_key_supported:     9      15      4     0     128     128
pf_key_supported:     9      15      3     0      32     128
pf_key_supported:     9      15      2     0     128      32
pf_key_supported:     9      15      1     0      32      32
pf_key_supported:    10      15      2     0       1       1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth2 192.168.3.1
000 %myid = (none)
000 debug none
000 
000 "roadwarrior": 192.168.3.1[C=FR, ST=Herault, L=Montpellier, O=XXX SA, OU=Informatique, CN=gandalf, E=postmaster at XXX.com]---192.168.3.254...%any; unrouted; eroute owner: #0
000 "roadwarrior":   CAs: 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX SA, CN=gandalf, E=postmaster at XXX.com'...'%any'
000 "roadwarrior":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 32,32; interface: eth2;
000 "roadwarrior":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-net": 172.16.0.0/16===192.168.3.1[C=FR, ST=Herault, L=Montpellier, O=XXX SA, OU=Informatique, CN=gandalf, E=postmaster at XXX.com]---192.168.3.254...%any; unrouted; eroute owner: #0
000 "roadwarrior-net":   CAs: 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX SA, CN=gandalf, E=postmaster at XXX.com'...'%any'
000 "roadwarrior-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-net":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 16,32; interface: eth2;
000 "roadwarrior-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 
000 
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:10:B5:AC:E8:B7 
          inet addr:172.16.2.1  Bcast:172.16.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25927028 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24681317 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:853954040 (814.3 Mb)  TX bytes:746930408 (712.3 Mb)
          Interrupt:11 Base address:0x2f00

eth1      Link encap:Ethernet  HWaddr 00:30:F1:45:E2:C7 
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2462300 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2337258 errors:4 dropped:0 overruns:0 carrier:8
          collisions:0 txqueuelen:1000
          RX bytes:823590655 (785.4 Mb)  TX bytes:667022114 (636.1 Mb)
          Interrupt:12 Base address:0x800

eth2      Link encap:Ethernet  HWaddr 00:50:BA:11:56:66 
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23868950 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24240844 errors:0 dropped:0 overruns:0 carrier:0
          collisions:81528 txqueuelen:1000
          RX bytes:663039287 (632.3 Mb)  TX bytes:805454643 (768.1 Mb)
          Interrupt:11 Base address:0xa400

ipsec0    Link encap:Ethernet  HWaddr 00:50:BA:11:56:66 
          inet addr:192.168.3.1  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59 errors:0 dropped:87 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:12478 (12.1 Kb)

ipsec1    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec2    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec3    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:840 (840.0 b)  TX bytes:840 (840.0 b)

+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                      [OK]
Linux FreeS/WAN 2.05
Checking for IPsec kernel support: found KLIPS                       [OK]
Checking that pluto is running                                       [OK]
Two or more interfaces found, checking IP forwarding                 [OK]
Checking NAT and MASQUERADEing                                       [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward map: gandalf                              [MISSING]
Does the machine have at least one non-private address?              [FAILED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD flow-control, link ok
  product info: vendor 00:00:00, model 0 rev 0
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: negotiated 100baseTx-FD flow-control, link ok
  product info: vendor 00:07:49, model 1 rev 1
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth2: no autonegotiation, 10baseT-HD, link ok
  product info: vendor 00:05:be, model 8 rev 0
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  link partner: 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
gandalf
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
 21:26:52  up 9 days,  1:37,  1 user,  load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
0     0 28256 28046  16   0  4212  984 wait4  S    pts/0      0:00          \_ /bin/sh /usr/local/libexec/ipsec/barf
1     0 28327 28256  15   0  4212  984 -      R    pts/0      0:00              \_ /bin/sh /usr/local/libexec/ipsec/barf
1     0 27968     1   9   0  2176 1036 wait4  S    ?          0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug no --uniqueids yes --nocrsend  --strictcrlpolicy  --crlcheckinterval 0 --ocspuri  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto.pid
1     0 27972 27968   9   0  2176 1048 wait4  S    ?          0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug no --uniqueids yes --nocrsend  --strictcrlpolicy  --crlcheckinterval 0 --ocspuri  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto.pid
4     0 27976 27972   8   0  2636 1192 do_sel S    ?          0:00  |   \_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --policygroupsdir /etc/ipsec.d/policies --debug-no --uniqueids
0     0 27980 27976   9   0  1440  244 do_sel S    ?          0:00  |       \_ _pluto_adns
0     0 27973 27968   8   0  2176 1036 pipe_w S    ?          0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0     0 27969     1   9   0  1504  304 pipe_w S    ?          0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth2
routevirt=ipsec0
routeaddr=192.168.3.1
routenexthop=192.168.3.254
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $

# This file:  /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
#
# Help:
# http://www.strongsec.com/freeswan/install.htm

version    2.0    # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    interfaces=%defaultroute
    uniqueids=yes
    plutodebug=no

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=172.16.0.0/16
    also=roadwarrior

conn roadwarrior
    right=%any
    left=%defaultroute
    leftcert=gandalf.XXX.com.pem
    auto=add
    pfs=yes
# OE policy groups are disabled by default
conn block
    auto=ignore

conn clear
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn packetdefault
    auto=ignore

# Add connections here.

# sample VPN connection
#sample#    conn sample
#sample#        # Left security gateway, subnet behind it, next hop toward right.
#sample#        left=%defaultroute
#sample#        leftcert=myCert.pem
#sample#        leftsubnet=172.16.0.0/24
#sample#        # Right security gateway, subnet behind it, next hop toward left.
#sample#        right=10.12.12.1
#sample#        rightid="<Distinguished name of right security gateway>"
#sample#        rightsubnet=192.168.0.0/24
#sample#        # To authorize this connection, but not actually start it, at startup,
#sample#        # uncomment this.
#sample#        #auto=start
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
: RSA gandalf.XXX.com.key "[sums to 0ac6...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000 
000 List of Public Keys:
000 
000 May 27 21:23:48 2004, 2048 RSA Key AwEAAbaRG, until May 13 18:18:16 2014 ok
000        ID_DER_ASN1_DN 'C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Info, CN=fred, E=postmaster at XXX.com'
000        Issuer 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX, CN=gandalf, E=postmaster at XXX.com'
000 May 27 21:18:18 2004, 2048 RSA Key AwEAAb4PY, until May 13 16:35:35 2014 ok
000        ID_DER_ASN1_DN 'C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Informatique, CN=gandalf, E=postmaster at XXX.com'
000        Issuer 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX, CN=gandalf, E=postmaster at XXX.com'
000 
000 List of X.509 End Certificates:
000 
000 May 27 21:18:18 2004, count: 2
000        subject: 'C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Informatique, CN=gandalf, E=postmaster at XXX.com'
000        issuer:  'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX, CN=gandalf, E=postmaster at XXX.com'
000        serial:   01
000        pubkey:   2048 RSA Key AwEAAb4PY, has private key
000        validity: not before May 15 16:35:35 2004 ok
000                  not after  May 13 16:35:35 2014 ok
000        subjkey:  39:02:3b:2e:21:23:9d:f6:87:ad:c3:c7:d3:18:ae:df:70:f9:83:bf
000        authkey:  8f:8e:e1:76:20:df:b7:79:d0:b5:73:2c:2e:b2:67:3b:96:8d:7d:99
000        aserial:  00
000 
000 List of X.509 CA Certificates:
000 
000 May 27 21:18:18 2004, count: 1
000        subject: 'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX, CN=gandalf, E=postmaster at XXX.com'
000        issuer:  'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX, CN=gandalf, E=postmaster at XXX.com'
000        serial:   00
000        pubkey:   2048 RSA Key AwEAAd0Rw
000        validity: not before May 15 16:25:28 2004 ok
000                  not after  Jul 02 16:25:28 2014 ok
000        subjkey:  8f:8e:e1:76:20:df:b7:79:d0:b5:73:2c:2e:b2:67:3b:96:8d:7d:99
000        authkey:  8f:8e:e1:76:20:df:b7:79:d0:b5:73:2c:2e:b2:67:3b:96:8d:7d:99
000        aserial:  00
000 
000 List of X.509 CRLs:
000 
000 May 27 21:18:18 2004, revoked certs: 0
000        issuer:  'C=FR, ST=Herault, L=Montpellier, O=Informatique, OU=XXX, CN=gandalf, E=postmaster at XXX.com'
000        distPts: 'file:///etc/ipsec.d/crls/crl.pem'
000        updates:  this May 15 18:20:54 2004
000                  next Jun 14 18:20:54 2004 ok
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#

++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption.  This behaviour is also called "Opportunistic Responder".
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications.  If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#

0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 204
-rwxr-xr-x    1 root     root        14962 May 15 02:36 _confread
-rwxr-xr-x    1 root     root        43944 May 15 02:36 _copyright
-rwxr-xr-x    1 root     root         2379 May 15 02:36 _include
-rwxr-xr-x    1 root     root         1475 May 15 02:36 _keycensor
-rwxr-xr-x    1 root     root        64514 May 15 02:36 _pluto_adns
-rwxr-xr-x    1 root     root         3586 May 15 02:36 _plutoload
-rwxr-xr-x    1 root     root         5940 May 15 02:36 _plutorun
-rwxr-xr-x    1 root     root         9945 May 15 02:36 _realsetup
-rwxr-xr-x    1 root     root         1975 May 15 02:36 _secretcensor
-rwxr-xr-x    1 root     root         8272 May 15 02:36 _startklips
-rwxr-xr-x    1 root     root         7957 May 15 02:36 _updown
-rwxr-xr-x    1 root     root        11992 May 15 02:36 _updown_x509
-rwxr-xr-x    1 root     root           75 May 15 02:36 distro.txt
-rwxr-xr-x    1 root     root         1942 May 15 02:36 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 3352
-rwxr-xr-x    1 root     root        15599 May 15 02:36 auto
-rwxr-xr-x    1 root     root         8652 May 15 02:36 barf
-rwxr-xr-x    1 root     root          816 May 15 02:36 calcgoo
-rwxr-xr-x    1 root     root       310856 May 15 02:36 eroute
-rwxr-xr-x    1 root     root       175600 May 15 02:36 klipsdebug
-rwxr-xr-x    1 root     root         2449 May 15 02:36 look
-rwxr-xr-x    1 root     root         7132 May 15 02:36 mailkey
-rwxr-xr-x    1 root     root        16188 May 15 02:36 manual
-rwxr-xr-x    1 root     root         1898 May 15 02:36 newhostkey
-rwxr-xr-x    1 root     root       159473 May 15 02:36 pf_key
-rwxr-xr-x    1 root     root      1638469 May 15 02:36 pluto
-rwxr-xr-x    1 root     root        48918 May 15 02:36 ranbits
-rwxr-xr-x    1 root     root        99602 May 15 02:36 rsasigkey
-rwxr-xr-x    1 root     root          766 May 15 02:36 secrets
-rwxr-xr-x    1 root     root        17602 May 15 02:36 send-pr
lrwxrwxrwx    1 root     root           22 May 15 02:36 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x    1 root     root         1048 May 15 02:36 showdefaults
-rwxr-xr-x    1 root     root         4489 May 15 02:36 showhostkey
-rwxr-xr-x    1 root     root       316655 May 15 02:36 spi
-rwxr-xr-x    1 root     root       250700 May 15 02:36 spigrp
-rwxr-xr-x    1 root     root        47230 May 15 02:36 tncfg
-rwxr-xr-x    1 root     root        10366 May 15 02:36 verify
-rwxr-xr-x    1 root     root       218772 May 15 02:36 whack
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     840      14    0    0    0     0          0         0      840      14    0    0    0     0       0          0
ipsec0:       0       0    0    0    0     0          0         0    12478      59    0   87    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0:853959735 25927056    0    0    0     0          0         0 746935332 24681344    0    0    0     0       0          0
  eth1:823590715 2462301    0    0    0     0          0         0 667022220 2337259    4    0    0     0       8          0
  eth2:663044183 23868976    0    0    0     0          0         0 805460084 24240871    0    0    0 81528       0          0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface   Destination  Gateway   Flags  RefCnt  Use  Metric  Mask      MTU  Window  IRTT
ipsec0  3B34AA50     FE03A8C0  0006   0       0    0       FFFFFFFF  0    0       0
eth2    0003A8C0     00000000  0001   0       0    0       00FFFFFF  0    0       0
ipsec0  0003A8C0     00000000  0001   0       0    0       00FFFFFF  0    0       0
eth1    0002A8C0     00000000  0001   0       0    0       00FFFFFF  0    0       0
eth0    000010AC     00000000  0001   0       0    0       0000FFFF  0    0       0
eth2    0000FEA9     00000000  0001   0       0    0       0000FFFF  0    0       0
lo      0000007F     00000000  0001   0       0    0       000000FF  0    0       0
eth2    00000000     FE03A8C0  0003   0       0    0       00000000  0    0       0

+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter eth2/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
eth2/rp_filter:0
ipsec0/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux gandalf 2.4.26 #4 Sat May 15 02:37:25 CEST 2004 i686 i686 i386 GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 1 (Yarrow)
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 2.05
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 3040 packets, 289K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 444K packets, 176M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1392 packets, 264K bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/local/libexec/ipsec/barf: line 238: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/local/libexec/ipsec/barf: line 240: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/local/libexec/ipsec/barf: line 242: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/local/libexec/ipsec/barf: line 244: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1751K packets, 104M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 934K packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/local/libexec/ipsec/barf: line 248: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/local/libexec/ipsec/barf: line 250: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 52M packets, 23G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 232K packets, 27M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 52M packets, 23G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 33552 packets, 7489K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 51M packets, 23G bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ proc/modules
+ cat /proc/modules
nls_iso8859-1           3516   0 (autoclean)
nls_cp437               5116   0 (autoclean)
vfat                   13164   0 (autoclean)
fat                    38840   0 (autoclean) [vfat]
floppy                 57692   0 (autoclean)
iptable_mangle          2776   0 (autoclean) (unused)
ip_nat_ftp              3760   0 (unused)
ip_conntrack_ftp        5328   1
ipt_state               1016   0 (autoclean)
iptable_nat            20686   1 (autoclean) [ip_nat_ftp]
ip_conntrack           28644   1 (autoclean) [ip_nat_ftp ip_conntrack_ftp ipt_state iptable_nat]
autofs                 13236   0 (autoclean) (unused)
iptable_filter          2412   0 (autoclean)
ip_tables              15648   6 [iptable_mangle ipt_state iptable_nat iptable_filter]
via-rhine              15216   1
tulip                  43360   1
8139too                17480   1
mii                     3880   0 [via-rhine 8139too]
microcode               5924   0 (autoclean)
keybdev                 3140   0 (unused)
mousedev                5524   0 (unused)
input                   5728   0 [keybdev mousedev]
hid                    12408   0 (unused)
usb-uhci               26480   0 (unused)
usbcore                78892   1 [hid usb-uhci]
thermal                 8164   0 (unused)
processor              10872   0 [thermal]
fan                     2464   0 (unused)
button                  3628   0 (unused)
battery                 6976   0 (unused)
asus_acpi              10188   0 (unused)
ac                      2752   0 (unused)
ext3                   70884   2
jbd                    52344   2 [ext3]
+ _________________________ proc/meminfo
+ cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  128425984 123904000  4521984        0 38830080 12390400
Swap: 271425536        0 271425536
MemTotal:       125416 kB
MemFree:          4416 kB
MemShared:           0 kB
Buffers:         37920 kB
Cached:          12100 kB
SwapCached:          0 kB
Active:          19092 kB
Inactive:        33068 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       125416 kB
LowFree:          4416 kB
SwapTotal:      265064 kB
SwapFree:       265064 kB
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx    1 root     root           16 May 27 21:26 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx    1 root     root           16 May 27 21:26 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx    1 root     root           13 May 27 21:26 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx    1 root     root           16 May 27 21:26 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx    1 root     root           11 May 27 21:26 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx    1 root     root           13 May 27 21:26 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
# CONFIG_MTD_OBSOLETE_CHIPS is not set
# CONFIG_PARPORT_IP22 is not set
CONFIG_MD_MULTIPATH=m
CONFIG_NETLINK_DEV=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
#   IP: Netfilter Configuration
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_LOCAL=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_COMPAT_IPFWADM=m
CONFIG_IP_NF_NAT_NEEDED=y
#   IP: Virtual Server Configuration
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=16
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
# CONFIG_IP_VS_SED is not set
# CONFIG_IP_VS_NQ is not set
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
#   IPv6: Netfilter Configuration
# CONFIG_IP6_NF_QUEUE is not set
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
# CONFIG_IP_SCTP is not set
CONFIG_ATM_CLIP=y
# CONFIG_ATM_CLIP_NO_ICMP is not set
CONFIG_ATM_BR2684_IPFILTER=y
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPSEC=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_IDE_CHIPSETS is not set
CONFIG_SCSI_IPS=m
# CONFIG_SCSI_IZIP_EPP16 is not set
# CONFIG_SCSI_IZIP_SLOW_CTR is not set
CONFIG_TULIP=m
# CONFIG_TULIP_MWI is not set
CONFIG_TULIP_MMIO=y
# CONFIG_HIPPI is not set
CONFIG_PLIP=m
CONFIG_SLIP=m
CONFIG_SLIP_COMPRESSED=y
CONFIG_SLIP_SMART=y
CONFIG_SLIP_MODE_SLIP6=y
CONFIG_STRIP=m
CONFIG_IPHASE5526=m
CONFIG_WANPIPE_CHDLC=y
CONFIG_WANPIPE_FR=y
CONFIG_WANPIPE_X25=y
CONFIG_WANPIPE_PPP=y
CONFIG_WANPIPE_MULTPPP=y
CONFIG_PCMCIA_XIRTULIP=m
CONFIG_IPPP_FILTER=y
CONFIG_HISAX_FRITZ_PCIPNP=m
CONFIG_SERIAL_MULTIPORT=y
CONFIG_TIPAR=m
CONFIG_I2C_PHILIPSPAR=m
CONFIG_INPUT_GRIP=m
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_KCS=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_USB_AIPTEK=m
CONFIG_USB_SERIAL_IPAQ=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                            /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none        /var/log/messages

# The authpriv file has restricted access.
authpriv.*                        /var/log/secure

# Log all the mail messages in one place.
mail.*                            /var/log/maillog


# Log cron stuff
cron.*                            /var/log/cron

# Everybody gets emergency messages
*.emerg                            *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                        /var/log/spooler

# Save boot messages also to boot.log
local7.*                        /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 172.16.2.200
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x    4 root     root         4096 May 15 00:36 2.4.22-1.2115.nptl
drwxr-xr-x    4 root     root         4096 May 15 02:36 2.4.26
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c0207330 netif_rx_R07ec922f
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.22-1.2115.nptl:          U netif_rx_R36ab9c93
2.4.26:          U netif_rx_R07ec922f
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '452,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
May 27 21:18:17 gandalf ipsec_setup: Starting FreeS/WAN IPsec 2.05...
May 27 21:18:17 gandalf ipsec_setup: KLIPS debug `none'
May 27 21:18:17 gandalf ipsec_setup: KLIPS ipsec0 on eth2 192.168.3.1/255.255.255.0 broadcast 192.168.3.255
May 27 21:18:17 gandalf ipsec_setup: ...FreeS/WAN IPsec started
+ _________________________ plog
+ sed -n '6845,$p' /var/log/secure
+ egrep -i pluto
+ cat
May 27 21:18:17 gandalf ipsec__plutorun: Starting Pluto subsystem...
May 27 21:18:18 gandalf pluto[27976]: Starting Pluto (FreeS/WAN Version 2.05 X.509-1.5.3 PLUTO_USES_KEYRR)
May 27 21:18:18 gandalf pluto[27976]: Using KLIPS IPsec interface code
May 27 21:18:18 gandalf pluto[27976]: Changing to directory '/etc/ipsec.d/cacerts'
May 27 21:18:18 gandalf pluto[27976]:   loaded CA cert file 'cacert.pem' (1696 bytes)
May 27 21:18:18 gandalf pluto[27976]: Could not change to directory '/etc/ipsec.d/aacerts'
May 27 21:18:18 gandalf pluto[27976]: Changing to directory '/etc/ipsec.d/ocspcerts'
May 27 21:18:18 gandalf pluto[27976]: Changing to directory '/etc/ipsec.d/crls'
May 27 21:18:18 gandalf pluto[27976]:   loaded crl file 'crl.pem' (711 bytes)
May 27 21:18:18 gandalf pluto[27976]:   loaded host cert file '/etc/ipsec.d/certs/gandalf.XXX.com.pem' (5112 bytes)
May 27 21:18:18 gandalf pluto[27976]: added connection description "roadwarrior"
May 27 21:18:18 gandalf pluto[27976]:   loaded host cert file '/etc/ipsec.d/certs/gandalf.XXX.com.pem' (5112 bytes)
May 27 21:18:18 gandalf pluto[27976]: added connection description "roadwarrior-net"
May 27 21:18:18 gandalf pluto[27976]: listening for IKE messages
May 27 21:18:18 gandalf pluto[27976]: adding interface ipsec0/eth2 192.168.3.1
May 27 21:18:18 gandalf pluto[27976]: loading secrets from "/etc/ipsec.secrets"
May 27 21:18:18 gandalf pluto[27976]:   loaded private key file '/etc/ipsec.d/private/gandalf.XXX.com.key' (1743 bytes)
May 27 21:22:58 gandalf pluto[27976]: packet from 80.170.52.59:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
May 27 21:22:58 gandalf pluto[27976]: "roadwarrior"[1] 80.170.52.59 #1: responding to Main Mode from unknown peer 80.170.52.59
May 27 21:22:58 gandalf pluto[27976]: "roadwarrior"[1] 80.170.52.59 #1: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Info, CN=fred, E=postmaster at XXX.com'
May 27 21:22:58 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59 #1: deleting connection "roadwarrior" instance with peer 80.170.52.59 {isakmp=#0/ipsec=#0}
May 27 21:22:58 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59 #1: sent MR3, ISAKMP SA established
May 27 21:22:59 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #2: responding to Quick Mode
May 27 21:22:59 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #2: IPsec SA established {ESP=>0x18b86252 <0x4a0d5e4d}
May 27 21:23:47 gandalf pluto[27976]: packet from 80.170.52.59:500: received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
May 27 21:23:47 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: responding to Main Mode from unknown peer 80.170.52.59
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: Peer ID is ID_DER_ASN1_DN: 'C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Info, CN=fred, E=postmaster at XXX.com'
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: sent MR3, ISAKMP SA established
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: cannot respond to IPsec SA request because no connection is known for 62.161.75.XXX/32===192.168.3.1[C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Informatique, CN=gandalf, E=postmaster at XXX.com]...80.170.52.59[C=FR, ST=Herault, L=Montpellier, O=XXX, OU=Info, CN=fred, E=postmaster at XXX.com]
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: sending encrypted notification INVALID_ID_INFORMATION to 80.170.52.59:500
May 27 21:23:49 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x43fdea6a (perhaps this is a duplicated packet)
May 27 21:23:49 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: sending encrypted notification INVALID_MESSAGE_ID to 80.170.52.59:500
May 27 21:23:51 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x43fdea6a (perhaps this is a duplicated packet)
May 27 21:23:51 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: sending encrypted notification INVALID_MESSAGE_ID to 80.170.52.59:500
May 27 21:23:55 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x43fdea6a (perhaps this is a duplicated packet)
May 27 21:23:55 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: sending encrypted notification INVALID_MESSAGE_ID to 80.170.52.59:500
May 27 21:24:03 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x43fdea6a (perhaps this is a duplicated packet)
May 27 21:24:03 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: sending encrypted notification INVALID_MESSAGE_ID to 80.170.52.59:500
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59 #1: received Delete SA(0x18b86252) payload: deleting IPSEC State #2
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59 #3: received Delete SA payload: deleting ISAKMP State #3
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59: deleting connection "roadwarrior-net" instance with peer 80.170.52.59 {isakmp=#0/ipsec=#0}
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59 #1: received Delete SA payload: deleting ISAKMP State #1
May 27 21:24:07 gandalf pluto[27976]: "roadwarrior"[2] 80.170.52.59: deleting connection "roadwarrior" instance with peer 80.170.52.59 {isakmp=#0/ipsec=#0}
+ _________________________ date
+ date
Thu May 27 21:26:52 CEST 2004
*****************************************************************
NB: 80.170.52.59 was the address of the XP client (it's changing every time)
62.161.75.XXX is my public IP

And finally my ipsec.conf of my XP client :

*******************************************************************
conn roadwarrior
    left=%any
    right=62.161.75.XXX
    rightnexthop=193.168.3.1/32
    rightca="C=FR,S=Herault,L=Montpellier,O=Informatique,OU=XXX,CN=gandalf,Email=postmaster at XXX.com"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-net
    left=%any
    right=62.161.75.XXX
    rightnexthop=193.168.3.1/32
    rightsubnet=172.16.0.0/16
    rightca="C=FR,S=Herault,L=Montpellier,O=Informatique,OU=XXX,CN=gandalf,Email=postmaster at XXX.com"
    network=auto
    auto=start
    pfs=yes
*******************************************************************

Thanks a lot for your help.

    Frederic
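An added example for reading the Pluto log posted above; it is editor-written illustration code, not part of this thread and not FreeS/WAN's own tooling. The "cannot respond to IPsec SA request because no connection is known for A===B[ID]...C[ID]" line is where Pluto tells you exactly which selector pair and which pair of X.509 IDs it was asked to match, so the first diagnostic step is to pull those fields out and compare them, attribute by attribute, with what the peer's ipsec.conf says. The sample input is copied from the report (with the mail client's line wrapping left in, which the parser has to undo), and the DN comparison is run between the gateway's ID as logged and the rightca string from the XP client's config; the attribute-name folding (S/ST, Email/E) is an assumption about how the two sides spell the same RDNs.

```python
"""Parse FreeS/WAN 2.x Pluto "no connection is known" lines pasted from a
mailing list and compare the X.509 IDs they carry with a DN from ipsec.conf.
Editor-written example, not FreeS/WAN code.
"""
import re

# Constructed sample: lines copied from the report above, e-mail wrapping
# left in place on purpose. The archive renders "@" as " at ".
SAMPLE_PLOG = """May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: sent MR3, ISAKMP SA established
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: cannot respond to IPsec SA request because no connection is known
for 62.161.75.XXX/32===192.168.3.1[C=FR, ST=Herault, L=Montpellier,
O=XXX, OU=Informatique, CN=gandalf,
E=postmaster at XXX.com]...80.170.52.59[C=FR, ST=Herault, L=Montpellier,
O=XXX, OU=Info, CN=fred, E=postmaster at XXX.com]
May 27 21:23:48 gandalf pluto[27976]: "roadwarrior-net"[1] 80.170.52.59
#3: sending encrypted notification INVALID_ID_INFORMATION to
80.170.52.59:500
"""

# rightca= value from the XP client's ipsec.conf in the report above
CLIENT_RIGHTCA = ("C=FR,S=Herault,L=Montpellier,O=Informatique,OU=XXX,"
                  "CN=gandalf,Email=postmaster at XXX.com")

SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

# selector===host[ID]...host[ID], as Pluto prints it
NO_CONN = re.compile(
    r"cannot respond to IPsec SA request because no connection is known for "
    r"(?P<left_sel>[^\s=]+)===(?P<left_host>[^\s\[]+)\[(?P<left_id>[^\]]*)\]"
    r"\.\.\.(?P<right_host>[^\s\[]+)\[(?P<right_id>[^\]]*)\]"
)


def unwrap(text):
    """Re-join syslog lines that a mail client wrapped: a line that does not
    start with a syslog timestamp is a continuation of the previous one."""
    out = []
    for raw in text.splitlines():
        if SYSLOG_TS.match(raw) or not out:
            out.append(raw.rstrip())
        else:
            out[-1] = out[-1].rstrip() + " " + raw.strip()
    return out


def parse_no_connection(line):
    """Return the selector/host/ID fields of one 'no connection is known'
    line as a dict, or None if the line is something else."""
    m = NO_CONN.search(line)
    return m.groupdict() if m else None


def find_no_connection(text):
    """All 'no connection is known' events in a (possibly wrapped) log."""
    return [ev for ev in (parse_no_connection(l) for l in unwrap(text)) if ev]


# Assumed spellings of the same RDN on the two sides (OpenSSL/Pluto vs ipsec.conf)
DN_ALIASES = {"S": "ST", "EMAIL": "E", "EMAILADDRESS": "E"}


def parse_dn(dn):
    """Split a comma-separated DN into {attr: value}, folding attribute
    aliases. Assumes no escaped commas inside values (true for this page)."""
    rdns = {}
    for part in dn.split(","):
        if not part.strip():
            continue
        attr, _, value = part.partition("=")
        attr = attr.strip().upper()
        rdns[DN_ALIASES.get(attr, attr)] = value.strip()
    return rdns


def dn_diff(a, b):
    """{attr: (value_in_a, value_in_b)} for every attribute whose value
    differs between the two DNs; a missing attribute shows up as None."""
    da, db = parse_dn(a), parse_dn(b)
    return {k: (da.get(k), db.get(k))
            for k in sorted(set(da) | set(db)) if da.get(k) != db.get(k)}


if __name__ == "__main__":
    for ev in find_no_connection(SAMPLE_PLOG):
        print("requested: %(left_sel)s === %(left_host)s ... %(right_host)s" % ev)
        print("gateway ID (log) vs client rightca:",
              dn_diff(ev["left_id"], CLIENT_RIGHTCA))
```

Running it on the sample prints the selector pair Pluto was asked for (62.161.75.XXX/32 on the gateway side, which is the NAT router's public address, not the 192.168.3.1 the gateway is actually listening on) and reports that O and OU carry swapped values between the gateway's logged ID and the client's rightca string, while the S/ST and Email/E spellings compare equal once folded. Whether either difference is the cause here is for the thread to settle; the point of the check is to make such mismatches visible instead of eyeballing two long DN strings.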



