[Openswan Users] Connection not coming up automatically
Greg Dickinson
gdickinson at logistasolutions.com
Fri Oct 22 15:40:32 CEST 2004
Hello,
I am a relative newbie to OpenSwan. I have a VPN connection between 2
boxes on the internet, which has 2 net-net tunnels defined. Because the
public address changes frequently, I have a cron job to do a "service
ipsec restart" every 30 minutes to reinitialize the tunnels. When
OpenSwan restarts, it will only bring up the first tunnel listed in the
config file, even though /var/log/messages says it can't. It never even
attempts the second tunnel, but if I manually do a "ipsec auto --up
famcourtnet-selnet" it works until the next time the cron job runs.
Below is part one of a sanitized ipsec.barf from the remote machine
(btw, this machine always initiates the VPN connection). I only post
this because I don't know what information will prove helpful in
troubleshooting, and I post it in two parts because GroupWise is choking
over such a large message :-)
famcourt.bps
Fri Oct 22 14:12:55 CDT 2004
+ _________________________ version
+ ipsec --version
Linux Openswan 2.1.4 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.20-31.9custom (root at famcourt.bps) (gcc version 3.2.2
20030222 (Red Hat Linux 3.2.2-5)) #4 SMP Wed Aug 11 09:13:20 CDT 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
1195 10.199.0.0/16 -> 10.10.0.0/16 =>
tun0x1002 at 207.157.9.181
75 10.199.0.0/16 -> 10.227.0.0/16 =>
tun0x1004 at 207.157.9.181
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window
irtt Iface
172.25.1.0 0.0.0.0 255.255.255.0 U 0 0
0 eth0
172.25.1.0 0.0.0.0 255.255.255.0 U 0 0
0 ipsec0
10.199.0.0 0.0.0.0 255.255.0.0 U 0 0
0 eth1
10.227.0.0 172.25.1.1 255.255.0.0 UG 0 0
0 ipsec0
10.10.0.0 172.25.1.1 255.255.0.0 UG 0 0
0 ipsec0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0
0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0
0 lo
0.0.0.0 172.25.1.1 0.0.0.0 UG 0 0
0 eth0
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1004 at 207.157.9.181 esp0xfb894d9d at 207.157.9.181
tun0x1002 at 207.157.9.181 esp0x355e94cb at 207.157.9.181
tun0x1003 at 172.25.1.2 esp0xf680019c at 172.25.1.2
tun0x1001 at 172.25.1.2 esp0xf680019b at 172.25.1.2
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1435) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink
debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose
debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 172.25.1.2
000 interface ipsec0/eth0 172.25.1.2
000 %myid = (none)
000 debug none
000
000 "famcourtnet-boenet":
10.199.0.0/16===172.25.1.2:4500[@famcourt.bps,S=C]---172.25.1.1...207.157.9.181:4500[@ns2.bps,S=C]===10.10.0.0/16;
erouted; eroute owner: #2
000 "famcourtnet-boenet": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "famcourtnet-boenet": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
16,16; interface: eth0;
000 "famcourtnet-boenet": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "famcourtnet-selnet":
10.199.0.0/16===172.25.1.2:4500[@famcourt.bps,S=C]---172.25.1.1...207.157.9.181:4500[@ns2.bps,S=C]===10.227.0.0/16;
erouted; eroute owner: #3
000 "famcourtnet-selnet": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "famcourtnet-selnet": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
16,16; interface: eth0;
000 "famcourtnet-selnet": newest ISAKMP SA: #0; newest IPsec SA: #3;
000
000 #2: "famcourtnet-boenet" STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 27900s; newest IPSEC; eroute owner
000 #2: "famcourtnet-boenet" esp.355e94cb at 207.157.9.181
esp.f680019b at 172.25.1.2 tun.1002 at 207.157.9.181 tun.1001 at 172.25.1.2
000 #1: "famcourtnet-boenet" STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2797s; newest ISAKMP
000 #3: "famcourtnet-selnet" STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 27668s; newest IPSEC; eroute owner
000 #3: "famcourtnet-selnet" esp.fb894d9d at 207.157.9.181
esp.f680019c at 172.25.1.2 tun.1004 at 207.157.9.181 tun.1003 at 172.25.1.2
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:90:27:33:CA:00
inet addr:172.25.1.2 Bcast:172.25.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:636847 errors:0 dropped:0 overruns:0 frame:0
TX packets:706145 errors:0 dropped:0 overruns:0 carrier:0
collisions:21085 txqueuelen:100
RX bytes:649643406 (619.5 Mb) TX bytes:109112223 (104.0 Mb)
Interrupt:20 Base address:0xdce0 Memory:f7001000-f7001038
eth1 Link encap:Ethernet HWaddr 00:90:27:33:C9:13
inet addr:10.199.1.1 Bcast:10.199.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:778367 errors:0 dropped:0 overruns:0 frame:0
TX packets:942939 errors:0 dropped:0 overruns:0 carrier:0
collisions:37601 txqueuelen:100
RX bytes:105090231 (100.2 Mb) TX bytes:888059691 (846.9 Mb)
Interrupt:21 Base address:0xdcc0 Memory:f7000000-f7000038
ipsec0 Link encap:Ethernet HWaddr 00:90:27:33:CA:00
inet addr:172.25.1.2 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:1294 errors:0 dropped:0 overruns:0 frame:0
TX packets:1271 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:862931 (842.7 Kb) TX bytes:334938 (327.0 Kb)
ipsec1 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:43753 errors:0 dropped:0 overruns:0 frame:0
TX packets:43753 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4090149 (3.9 Mb) TX bytes:4090149 (3.9 Mb)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path
[OK]
Linux Openswan 2.1.4 (klips)
Checking for IPsec support in kernel
[OK]
Checking for RSA private key (/etc/ipsec.secrets)
[OK]
Checking that pluto is running
[OK]
Two or more interfaces found, checking IP forwarding
[OK]
Checking NAT and MASQUERADEing
[OK]
Checking for 'ip' command
[OK]
Checking for 'iptables' command
[OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: famcourt.bps
[MISSING]
Does the machine have at least one non-private address?
[FAILED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
No MII transceiver present!.
No MII transceiver present!.
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
hostname: Unknown host
+ _________________________ hostname/ipaddress
+ hostname --ip-address
hostname: Unknown host
+ _________________________ uptime
+ uptime
14:12:57 up 36 days, 42 min, 2 users, load average: 0.16, 0.13,
0.04
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME
COMMAND
0 0 31850 31086 25 0 4160 1104 wait4 S pts/1 0:00
\_ /bin/sh /usr/local/libexec/ipsec/barf
0 0 31920 31850 25 0 1508 468 pipe_w S pts/1 0:00
\_ grep -E -i ppid|pluto|ipsec|klips
1 0 31693 1 25 0 2128 1048 wait4 S pts/1 0:00
/bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive
--force_keepalive --disable_port_floating --virtual_private
--crlcheckinterval 0 --dump --opts --stderrlog --wait no -
1 0 31694 31693 25 0 2128 1060 wait4 S pts/1 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive
--force_keepalive --disable_port_floating --virtual_private
--crlcheckinterval 0 --dump --opts --stderrlog --wait
4 0 31695 31694 15 0 2204 1080 schedu S pts/1 0:00 |
\_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile
/etc/ipsec.secrets --ipsecdir /etc/ipsec.d --uniqueids --nat_traversal
0 0 31699 31695 25 0 1424 252 schedu S pts/1 0:00 |
\_ _pluto_adns
0 0 31697 31693 25 0 2104 1032 pipe_w S pts/1 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0 0 31696 1 24 0 1368 464 pipe_w S pts/1 0:00
logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=172.25.1.2
routenexthop=172.25.1.1
+ _________________________ ipsec/conf
+ ipsec _keycensor
+ ipsec _include /etc/ipsec.conf
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp $
# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
#
http://www.freeswan.org/freeswan_trees/freeswan-2.1.4/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.4/doc/config.html
#
http://www.freeswan.org/freeswan_trees/freeswan-2.1.4/doc/adv_config.html
#
# Policy groups are enabled by default. See:
#
http://www.freeswan.org/freeswan_trees/freeswan-2.1.4/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.4/doc/examples
version 2.0 # conforms to second version of ipsec.conf
specification
# basic configuration
config setup
nat_traversal=yes
# Debug-logging controls: "none" for (almost) none, "all" for
lots.
# klipsdebug=none
# plutodebug=none
conn famcourtnet-boenet
left=%defaultroute # Picks up our dynamic IP
leftid=@famcourt.bps # Local information
leftsubnet=10.199.0.0/16 #
leftrsasigkey=[keyid AQOqHxVId]
right=207.157.9.181 # Remote information
rightsubnet=10.10.0.0/16 #
rightid=@ns2.bps #
rightrsasigkey=[keyid AQOKHtq49]
auto=start # authorizes but doesn't start this
# connection at startup
conn famcourtnet-selnet
left=%defaultroute # Picks up our dynamic IP
leftid=@famcourt.bps # Local information
leftsubnet=10.199.0.0/16 #
leftrsasigkey=[keyid AQOqHxVId]
right=207.157.9.181 # Remote information
rightsubnet=10.227.0.0/16 #
rightid=@ns2.bps #
rightrsasigkey=[keyid AQOKHtq49]
auto=start # authorizes but doesn't start this
# connection at startup
#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 54
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits famcourt.bps Tue Jul 27 11:29:52 2004
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQOqHxVId]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates
IPSEC,
# using encryption. This behaviour is also called "Opportunistic
Responder".
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear
otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 268
-rwxr-xr-x 1 root root 15291 Aug 11 09:26 _confread
-rwxr-xr-x 1 root root 15291 Aug 11 09:25 _confread.old
-rwxr-xr-x 1 root root 48431 Aug 11 09:26 _copyright
-rwxr-xr-x 1 root root 48431 Aug 11 09:25 _copyright.old
-rwxr-xr-x 1 root root 2379 Aug 11 09:26 _include
-rwxr-xr-x 1 root root 2379 Aug 11 09:25 _include.old
-rwxr-xr-x 1 root root 1475 Aug 11 09:26 _keycensor
-rwxr-xr-x 1 root root 1475 Aug 11 09:25 _keycensor.old
-rwxr-xr-x 1 root root 3586 Aug 11 09:26 _plutoload
-rwxr-xr-x 1 root root 3586 Aug 11 09:25 _plutoload.old
-rwxr-xr-x 1 root root 6780 Aug 11 09:26 _plutorun
-rwxr-xr-x 1 root root 6780 Aug 11 09:25 _plutorun.old
-rwxr-xr-x 1 root root 10404 Aug 11 09:26 _realsetup
-rwxr-xr-x 1 root root 10404 Aug 11 09:25 _realsetup.old
-rwxr-xr-x 1 root root 1975 Aug 11 09:26 _secretcensor
-rwxr-xr-x 1 root root 1975 Aug 11 09:25
_secretcensor.old
-rwxr-xr-x 1 root root 8427 Aug 11 09:26 _startklips
-rwxr-xr-x 1 root root 8427 Aug 11 09:25
_startklips.old
-rwxr-xr-x 1 root root 11261 Aug 11 09:26 _updown
-rwxr-xr-x 1 root root 11261 Aug 11 09:25 _updown.old
-rwxr-xr-x 1 root root 7572 Aug 11 09:26 _updown_x509
-rwxr-xr-x 1 root root 7572 Aug 11 09:25
_updown_x509.old
-rwxr-xr-x 1 root root 1942 Aug 11 09:26
ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 7312
-rwxr-xr-x 1 root root 69401 Aug 11 09:26 _pluto_adns
-rwxr-xr-x 1 root root 69401 Aug 11 09:25
_pluto_adns.old
-rwxr-xr-x 1 root root 15691 Aug 11 09:26 auto
-rwxr-xr-x 1 root root 15691 Aug 11 09:25 auto.old
-rwxr-xr-x 1 root root 10191 Aug 11 09:26 barf
-rwxr-xr-x 1 root root 10191 Aug 11 09:25 barf.old
-rwxr-xr-x 1 root root 816 Aug 11 09:26 calcgoo
-rwxr-xr-x 1 root root 816 Aug 11 09:25 calcgoo.old
-rwxr-xr-x 1 root root 320017 Aug 11 09:26 eroute
-rwxr-xr-x 1 root root 320017 Aug 11 09:25 eroute.old
-rwxr-xr-x 1 root root 128297 Aug 11 09:26 ikeping
-rwxr-xr-x 1 root root 128297 Aug 11 09:25 ikeping.old
-rwxr-xr-x 1 root root 187062 Aug 11 09:26 klipsdebug
-rwxr-xr-x 1 root root 187062 Aug 11 09:25 klipsdebug.old
-rwxr-xr-x 1 root root 2461 Aug 11 09:26 look
-rwxr-xr-x 1 root root 2461 Aug 11 09:25 look.old
-rwxr-xr-x 1 root root 7130 Aug 11 09:26 mailkey
-rwxr-xr-x 1 root root 7130 Aug 11 09:25 mailkey.old
-rwxr-xr-x 1 root root 16188 Aug 11 09:26 manual
-rwxr-xr-x 1 root root 16188 Aug 11 09:25 manual.old
-rwxr-xr-x 1 root root 1874 Aug 11 09:26 newhostkey
-rwxr-xr-x 1 root root 1874 Aug 11 09:25 newhostkey.old
-rwxr-xr-x 1 root root 169079 Aug 11 09:26 pf_key
-rwxr-xr-x 1 root root 169079 Aug 11 09:25 pf_key.old
-rwxr-xr-x 1 root root 1677066 Aug 11 09:26 pluto
-rwxr-xr-x 1 root root 1677066 Aug 11 09:25 pluto.old
-rwxr-xr-x 1 root root 53461 Aug 11 09:26 ranbits
-rwxr-xr-x 1 root root 53461 Aug 11 09:25 ranbits.old
-rwxr-xr-x 1 root root 83443 Aug 11 09:26 rsasigkey
-rwxr-xr-x 1 root root 83443 Aug 11 09:25 rsasigkey.old
-rwxr-xr-x 1 root root 766 Aug 11 09:26 secrets
-rwxr-xr-x 1 root root 766 Aug 11 09:25 secrets.old
-rwxr-xr-x 1 root root 17602 Aug 11 09:26 send-pr
-rwxr-xr-x 1 root root 17602 Aug 11 09:25 send-pr.old
lrwxrwxrwx 1 root root 22 Aug 11 09:26 setup ->
/etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Aug 11 09:26 showdefaults
-rwxr-xr-x 1 root root 1048 Aug 11 09:25
showdefaults.old
-rwxr-xr-x 1 root root 4321 Aug 11 09:26 showhostkey
-rwxr-xr-x 1 root root 4321 Aug 11 09:25
showhostkey.old
-rwxr-xr-x 1 root root 326953 Aug 11 09:26 spi
-rwxr-xr-x 1 root root 326953 Aug 11 09:25 spi.old
-rwxr-xr-x 1 root root 259318 Aug 11 09:26 spigrp
-rwxr-xr-x 1 root root 259318 Aug 11 09:25 spigrp.old
-rwxr-xr-x 1 root root 51949 Aug 11 09:26 tncfg
-rwxr-xr-x 1 root root 51949 Aug 11 09:25 tncfg.old
-rwxr-xr-x 1 root root 10201 Aug 11 09:26 verify
-rwxr-xr-x 1 root root 10201 Aug 11 09:25 verify.old
-rwxr-xr-x 1 root root 225534 Aug 11 09:26 whack
-rwxr-xr-x 1 root root 225534 Aug 11 09:25 whack.old
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive |
Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes
packets errs drop fifo colls carrier compressed
lo: 4090149 43753 0 0 0 0 0 0
4090149 43753 0 0 0 0 0 0
eth0:649645474 636847 0 0 0 0 0 0
109113907 706145 0 0 0 21085 0 0
eth1:105090909 778457 0 0 0 0 0 0
888060399 943021 0 0 0 37603 0 0
ipsec0: 863745 1297 0 0 0 0 0 0
336034 1275 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway
Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 000119AC 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 000119AC 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth1 0000C70A 00000000 0001 0 0 0 0000FFFF 0 0 0
ipsec0 0000E30A 010119AC 0003 0 0 0 0000FFFF 0 0 0
ipsec0 00000A0A 010119AC 0003 0 0 0 0000FFFF 0 0 0
eth1 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0
lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0
eth0 00000000 010119AC 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
eth1/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:0
eth1/rp_filter:1
ipsec0/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux famcourt.bps 2.4.20-31.9custom #4 SMP Wed Aug 11 09:13:20 CDT
2004 i686 i686 i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.1.4
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/local/libexec/ipsec/barf: line 286: no old-style linux 1.x/2.0
ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 39203 packets, 33M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 35628 packets, 29M bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 33390 packets, 6893K bytes)
pkts bytes target prot opt in out source
destination
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1113 packets, 63744 bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 562 packets, 32859 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 121 packets, 11553 bytes)
pkts bytes target prot opt in out source
destination
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 74811 packets, 61M bytes)
pkts bytes target prot opt in out source
destination
Chain INPUT (policy ACCEPT 39183 packets, 33M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 35628 packets, 29M bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 33366 packets, 6888K bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 69025 packets, 36M bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
ipsec 318432 2
iptable_mangle 2776 0 (autoclean) (unused)
iptable_nat 22424 0 (autoclean) (unused)
ip_conntrack 29928 1 (autoclean) [iptable_nat]
iptable_filter 2444 0 (autoclean) (unused)
ip_tables 15992 5 [iptable_mangle iptable_nat
iptable_filter]
parport_pc 19204 1 (autoclean)
lp 9156 0 (autoclean)
parport 38976 1 (autoclean) [parport_pc lp]
autofs 13684 0 (autoclean) (unused)
e100 56356 2
sr_mod 18200 0 (autoclean)
cdrom 34208 0 (autoclean) [sr_mod]
st 32332 0 (unused)
ext3 73408 4
jbd 56432 4 [ext3]
aic7xxx 142516 5
sd_mod 13452 10
scsi_mod 110872 4 [sr_mod st aic7xxx sd_mod]
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 260804608 255041536 5763072 0 101949440 101158912
Swap: 534634496 17006592 517627904
MemTotal: 254692 kB
MemFree: 5628 kB
MemShared: 0 kB
Buffers: 99560 kB
Cached: 91140 kB
SwapCached: 7648 kB
Active: 159628 kB
ActiveAnon: 11816 kB
ActiveCache: 147812 kB
Inact_dirty: 24 kB
Inact_laundry: 38848 kB
Inact_clean: 4224 kB
Inact_target: 40544 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 254692 kB
LowFree: 5628 kB
SwapTotal: 522104 kB
SwapFree: 505496 kB
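
One way to detect the condition described in the post (a loaded connection with no established IPsec SA) from the "ipsec auto --status" format shown in the barf above. This is an added example, not part of the original post and not Openswan's own code. The function names and the sample status text are constructed for illustration, and the sample assumes each status record is on a single line, unlike the mail-wrapped copy above.

```shell
#!/bin/sh
# Added example: list loaded connections that have no established IPsec SA,
# based on the "ipsec auto --status" line format shown in the barf above.

# Reads status text on stdin, prints one connection name per line.
conns_without_ipsec_sa() {
    awk '
        # Connection description lines look like: 000 "name": ...
        $1 == "000" && $2 ~ /^"[^"]+":$/ {
            name = $2
            gsub(/[":]/, "", name)
            if (!(name in seen)) { seen[name] = 1; order[++n] = name }
            next
        }
        # State lines look like: 000 #N: "name" STATE_... (... IPsec SA established)
        # An "ISAKMP SA established" line alone does not count as a tunnel.
        $1 == "000" && $2 ~ /^#[0-9]+:$/ && /IPsec SA established/ {
            name = $3
            gsub(/"/, "", name)
            up[name] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in up)) print order[i]
        }
    '
}

# Hypothetical helper for a cron job: initiate only the connections that
# are down, using the same command the post runs by hand.
bring_up_missing() {
    ipsec auto --status | conns_without_ipsec_sa | while read -r conn; do
        ipsec auto --up "$conn"
    done
}

# Constructed sample: the first tunnel is up, the second was loaded but
# never negotiated (the situation the post describes after a restart).
SAMPLE_STATUS='000 interface ipsec0/eth0 172.25.1.2
000 "famcourtnet-boenet": 10.199.0.0/16===172.25.1.2...207.157.9.181===10.10.0.0/16; erouted; eroute owner: #2
000 "famcourtnet-boenet":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "famcourtnet-selnet": 10.199.0.0/16===172.25.1.2...207.157.9.181===10.227.0.0/16; unrouted; eroute owner: #0
000 "famcourtnet-selnet":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #2: "famcourtnet-boenet" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27900s; newest IPSEC; eroute owner
000 #1: "famcourtnet-boenet" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2797s; newest ISAKMP'

printf '%s\n' "$SAMPLE_STATUS" | conns_without_ipsec_sa
```

bring_up_missing is defined but not called here, so the block runs without pluto; a cron entry would call it in place of the full restart.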