[Openswan Users]
Failed VPN connection attempt with "malformed payload in packet"
Darin Ingimarson
dingimarson at quantapoint.com
Wed Oct 27 10:13:06 CEST 2004
Hi,
I have an IPSec installation installed on our NAT-ing firewall/gateway
machine that is intended to provide remote access to our LAN from remote
sites. I am trying to get this to work with the sample setup shown below.
Basically my home DSL connection (a regular ADSL modem plus this little
D-Link DI-624 with IPSec & PPTP passthrough enabled). For reasons I won't
get into here, the firewall machine is also acting as the VPN server.
Internal LAN
192.168.0.0/16
|
|
Firewall (iptables w/NAT)
Inside: 192.168.0.1
Outside: 33.33.33.242
|
|
Router
33.33.33.241
|
|
Internet
|
|
DSL Modem
44.44.44.1
|
|
D-LINK DI-624 Router
10.0.0.1/16
|
|
Win 2K Workstation
10.0.0.100
I've read through all the docs I could find (including Nat Carlson's
docs on setting up an X.509 system -- followed to the letter) and I still
can't bring the tunnel up. I will be upfront and admit this is my first
attempt at a VPN, although I have been doing (simple) network admin for
a few years.
Enclosed is an ipsec barf that shows the setup, plus me trying to
connect to the system. During the connection attempt, pluto seems to
complain about malformed packet payloads, and I cannot ping from the
Win2K system to the internal network. I am at a loss. Can anyone offer
any suggestions?
Thanks in advance!
-darin
------------8<-----------------8<-----------------
fw.mycompany.com
Wed Oct 27 08:50:05 EDT 2004
+ _________________________ version
+ ipsec --version
Linux Openswan U2.2.0/K2.6.5-1.358 (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.5-1.358 (bhcompile at bugs.build.redhat.com) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #1 Sat May 8 09:04:50 EDT 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
33.33.33.240    0.0.0.0         255.255.255.252 U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         33.33.33.242    0.0.0.0         UG        0 0          0 eth0
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
::/0[any] ::/0[any] any
in none
created: Oct 27 01:03:52 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1731 seq=13 pid=19548
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Oct 27 01:03:52 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1715 seq=12 pid=19548
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Oct 27 01:03:52 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1699 seq=11 pid=19548
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Oct 27 01:03:52 2004 lastused: Oct 27 01:04:18 2004
lifetime: 0(s) validtime: 0(s)
spid=1683 seq=10 pid=19548
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Oct 27 01:03:52 2004 lastused: Oct 27 01:04:45 2004
lifetime: 0(s) validtime: 0(s)
spid=1667 seq=9 pid=19548
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Oct 27 01:03:52 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1651 seq=8 pid=19548
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Oct 27 01:03:52 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1635 seq=7 pid=19548
refcnt=1
::/0[any] ::/0[any] any
out none
created: Oct 27 01:03:52 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1740 seq=6 pid=19548
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Oct 27 01:03:52 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1724 seq=5 pid=19548
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Oct 27 01:03:52 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1708 seq=4 pid=19548
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Oct 27 01:03:52 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1692 seq=3 pid=19548
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Oct 27 01:03:52 2004 lastused: Oct 27 01:04:44 2004
lifetime: 0(s) validtime: 0(s)
spid=1676 seq=2 pid=19548
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Oct 27 01:03:52 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1660 seq=1 pid=19548
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Oct 27 01:03:52 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1644 seq=0 pid=19548
refcnt=1
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 33.33.33.242
000 interface eth0/eth0 33.33.33.242
000 interface eth1/eth1 192.168.0.1
000 interface eth1/eth1 192.168.0.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "darin-from-home": 33.33.33.242[C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=fw.mycompany.com, E=support at mycompany.com]...%any[C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=cadd26.mycompany.com, E=dingimarson at mycompany.com]; unrouted; eroute owner: #0
000 "darin-from-home": CAs: 'C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=fw.mycompany.com, E=support at mycompany.com'...'C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=fw.mycompany.com, E=support at mycompany.com'
000 "darin-from-home": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "darin-from-home": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 32,32; interface: eth0;
000 "darin-from-home": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "darin-from-home": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "darin-from-home": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "darin-from-home": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "darin-from-home": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "darin-from-home-net": 192.168.0.0/16===33.33.33.242[C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=fw.mycompany.com, E=support at mycompany.com]...%any[C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=cadd26.mycompany.com, E=dingimarson at mycompany.com]; unrouted; eroute owner: #0
000 "darin-from-home-net": CAs: 'C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=fw.mycompany.com, E=support at mycompany.com'...'C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=fw.mycompany.com, E=support at mycompany.com'
000 "darin-from-home-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "darin-from-home-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 16,32; interface: eth0;
000 "darin-from-home-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "darin-from-home-net": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "darin-from-home-net": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "darin-from-home-net": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "darin-from-home-net": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:50:04:D8:80:28
inet addr:33.33.33.242 Bcast:33.33.33.243 Mask:255.255.255.252
inet6 addr: fe80::250:4ff:fed8:8028/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6534995 errors:41704 dropped:0 overruns:0 frame:83408
TX packets:5867280 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1650102807 (1573.6 Mb) TX bytes:1429379704 (1363.1 Mb)
Interrupt:10 Base address:0xfc00
eth1 Link encap:Ethernet HWaddr 00:50:DA:08:72:53
inet addr:192.168.0.1 Bcast:192.168.255.255 Mask:255.255.0.0
inet6 addr: fe80::250:daff:fe08:7253/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:40716766 errors:0 dropped:0 overruns:0 frame:0
TX packets:41174866 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3455265697 (3295.1 Mb) TX bytes:3651489715 (3482.3 Mb)
Interrupt:9 Base address:0xf880
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1014 errors:0 dropped:0 overruns:0 frame:0
TX packets:1014 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:136862 (133.6 Kb) TX bytes:136862 (133.6 Kb)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.6.5-1.358 (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: fw.mycompany.com [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 242.65.100.66.in-addr.arpa. [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: no autonegotiation,, link ok
product info: vendor 00:10:18, model 23 rev 4
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 10baseT-FD flow-control
link partner: 10baseT-HD
eth1: negotiated 100baseTx-FD flow-control, link ok
product info: vendor 00:10:18, model 23 rev 4
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 10baseT-FD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
fw.mycompany.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
33.33.33.242
+ _________________________ uptime
+ uptime
08:50:09 up 11 days, 19:05, 3 users, load average: 0.08, 0.02, 0.01
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID   PID  PPID PRI NI  VSZ  RSS WCHAN  STAT TTY    TIME COMMAND
4   0 19528 19496  17  0 4404  964 wait4  S    pts/18 0:00 \_ /bin/sh /usr/libexec/ipsec/barf
4   0 19607 19528  17  0 2828  404 pipe_w S    pts/18 0:00     \_ egrep -i ppid|pluto|ipsec|klips
5   0 18881     1  18  0 2872  852 wait4  S    ?      0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
5   0 18882 18881  18  0 2872  864 wait4  S    ?      0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4   0 18883 18882  16  0 3440 1096 -      S    ?      0:00 |   \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --uniqueids --nat_traversal
4   0 18915 18883  18  0 2668  204 -      S    ?      0:00 |       \_ _pluto_adns
4   0 18884 18881  16  0 3100  840 pipe_w S    ?      0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
4   0 18885     1  18  0 1608  296 pipe_w S    ?      0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=33.33.33.242
routenexthop=33.33.33.242
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
interfaces=%defaultroute
nat_traversal=yes
# virtual_private=%v192.168.0.0/16
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
conn %default
keyingtries=1
# compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
# Darin's Home to the Office
conn darin-from-home-net
leftsubnet=192.168.0.0/16
also=darin-from-home
conn darin-from-home
left=33.33.33.242
leftcert=fw.mycompany.com.cert.pem
right=%any
rightnexthop=33.33.33.242
rightcert=cadd26.mycompany.com.cert.pem
auto=add
pfs=yes
# sample VPN connection
#sample# conn sample
#sample#	# Left security gateway, subnet behind it, next hop toward right.
#sample#	left=10.0.0.1
#sample#	leftsubnet=172.16.0.0/24
#sample#	leftnexthop=10.22.33.44
#sample#	# Right security gateway, subnet behind it, next hop toward left.
#sample#	right=10.12.12.1
#sample#	rightsubnet=192.168.0.0/24
#sample#	rightnexthop=10.101.102.103
#sample#	# To authorize this connection, but not actually start it, at startup,
#sample#	# uncomment this.
#sample#	#auto=start
#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 58
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA fw.mycompany.com.key.pem "[sums to 8416...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Oct 27 01:03:52 2004, 1024 RSA Key AwEAAb8lt, until Oct 21 23:43:29 2014 ok
000        ID_DER_ASN1_DN 'C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=cadd26.mycompany.com, E=dingimarson at mycompany.com'
000        Issuer 'C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=fw.mycompany.com, E=support at mycompany.com'
000 Oct 27 01:03:52 2004, 1024 RSA Key AwEAAcuZu, until Oct 21 23:33:23 2014 ok
000        ID_DER_ASN1_DN 'C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=fw.mycompany.com, E=support at mycompany.com'
000        Issuer 'C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=fw.mycompany.com, E=support at mycompany.com'
000
000 List of X.509 End Certificates:
000
000 Oct 27 01:03:52 2004, count: 2
000        subject: 'C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=cadd26.mycompany.com, E=dingimarson at mycompany.com'
000        issuer:  'C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=fw.mycompany.com, E=support at mycompany.com'
000        serial:   02
000        pubkey:   1024 RSA Key AwEAAb8lt
000        validity: not before Oct 23 23:43:29 2004 ok
000                  not after  Oct 21 23:43:29 2014 ok
000        subjkey:  8c:e0:09:63:d2:6d:ad:3f:11:8e:63:c4:cc:97:f6:58:ed:5f:cf:3b
000        authkey:  74:c8:aa:75:18:75:40:14:7a:64:35:10:31:8c:e7:95:57:85:ef:64
000        aserial:  00
000 Oct 27 01:03:52 2004, count: 2
000        subject: 'C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=fw.mycompany.com, E=support at mycompany.com'
000        issuer:  'C=US, ST=Pennsylvania, L=Pittsburgh, O=mycompany, Inc., CN=fw.mycompany.com, E=support at mycompany.com'
000        serial:   01
000        pubkey:   1024 RSA Key AwEAAcuZu, has private key
000        validity: not before Oct 23 23:33:23 2004 ok
000                  not after  Oct 21 23:33:23 2014 ok
000        subjkey:  cc:a5:ce:dd:d3:0e:2b:da:cd:a5:f6:38:38:e3:a0:91:d3:a6:84:b4
000        authkey:  74:c8:aa:75:18:75:40:14:7a:64:35:10:31:8c:e7:95:57:85:ef:64
000        aserial:  00
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic
Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 140
-rwxr-xr-x 1 root root 15403 Sep 16 11:40 _confread
-rwxr-xr-x 1 root root 47492 Sep 16 11:40 _copyright
-rwxr-xr-x 1 root root 2379 Sep 16 11:40 _include
-rwxr-xr-x 1 root root 1475 Sep 16 11:40 _keycensor
-rwxr-xr-x 1 root root 3586 Sep 16 11:40 _plutoload
-rwxr-xr-x 1 root root 7167 Sep 16 11:40 _plutorun
-rwxr-xr-x 1 root root 10493 Sep 16 11:40 _realsetup
-rwxr-xr-x 1 root root 1975 Sep 16 11:40 _secretcensor
-rwxr-xr-x 1 root root 9016 Sep 16 11:40 _startklips
-rwxr-xr-x 1 root root 12313 Sep 16 11:40 _updown
-rwxr-xr-x 1 root root 7572 Sep 16 11:40 _updown_x509
-rwxr-xr-x 1 root root 1942 Sep 16 11:40 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 5096
-rwxr-xr-x 1 root root 70814 Sep 16 11:40 _pluto_adns
-rwxr-xr-x 1 root root 19220 Sep 16 11:40 auto
-rwxr-xr-x 1 root root 10248 Sep 16 11:40 barf
-rwxr-xr-x 1 root root 816 Sep 16 11:40 calcgoo
-rwxr-xr-x 1 root root 311083 Sep 16 11:40 eroute
-rwxr-xr-x 1 root root 182519 Sep 16 11:40 klipsdebug
-rwxr-xr-x 1 root root 2461 Sep 16 11:40 look
-rwxr-xr-x 1 root root 7124 Sep 16 11:40 mailkey
-rwxr-xr-x 1 root root 16188 Sep 16 11:40 manual
-rwxr-xr-x 1 root root 1874 Sep 16 11:40 newhostkey
-rwxr-xr-x 1 root root 164746 Sep 16 11:40 pf_key
-rwxr-xr-x 1 root root 2656271 Sep 16 11:40 pluto
-rwxr-xr-x 1 root root 55200 Sep 16 11:40 ranbits
-rwxr-xr-x 1 root root 81674 Sep 16 11:40 rsasigkey
-rwxr-xr-x 1 root root 766 Sep 16 11:40 secrets
-rwxr-xr-x 1 root root 17578 Sep 16 11:40 send-pr
lrwxrwxrwx 1 root root 22 Oct 15 05:03 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Sep 16 11:40 showdefaults
-rwxr-xr-x 1 root root 4364 Sep 16 11:40 showhostkey
-rwxr-xr-x 1 root root 498713 Sep 16 11:40 spi
-rwxr-xr-x 1 root root 250823 Sep 16 11:40 spigrp
-rwxr-xr-x 1 root root 475538 Sep 16 11:40 starter
-rwxr-xr-x 1 root root 50198 Sep 16 11:40 tncfg
-rwxr-xr-x 1 root root 10195 Sep 16 11:40 verify
-rwxr-xr-x 1 root root 228071 Sep 16 11:40 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    136862    1014    0    0    0     0          0         0    136862    1014    0    0    0     0       0          0
  eth0:1650111929 6535028 41704    0    0 83408          0         0 1429385508 5867318    0    0    0     0       0          0
  eth1:3455271668 40716804    0    0    0     0          0         0 3651498838 41174898    0    0    0     0       0          0
  sit0:         0       0    0    0    0     0          0         0         0       0    0    0    0     0       0          0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface   Destination     Gateway         Flags   RefCnt  Use     Metric  Mask            MTU     Window  IRTT
eth0    F0416442        00000000        0001    0       0       0       FCFFFFFF        0       0       0
eth1    0000FEA9        00000000        0001    0       0       0       0000FFFF        0       0       0
eth1    0000A8C0        00000000        0001    0       0       0       0000FFFF        0       0       0
lo      0000007F        00000000        0001    0       0       0       000000FF        0       0       0
eth0    00000000        F2416442        0003    0       0       0       00000000        0       0       0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux fw.mycompany.com 2.6.5-1.358 #1 Sat May 8 09:04:50 EDT 2004 i686 i686 i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 2 (Tettnang)
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'native PFKEY (2.6.5-1.358) support detected '
native PFKEY (2.6.5-1.358) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 288: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 2775 packets, 424K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:4500 dpt:500
   30  5912 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            33.33.33.242        state RELATED,ESTABLISHED tcp spts:1024:65535 dpt:20
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            33.33.33.242        state RELATED tcp spts:1024:65535 dpts:1024:65535
Chain FORWARD (policy ACCEPT 19160 packets, 886K bytes)
 pkts bytes target     prot opt in     out     source               destination
 118K   19M ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 126K   63M ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 775 packets, 250K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:4500 dpt:500
   53 13996 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 429K packets, 29M bytes)
 pkts bytes target     prot opt in     out     source               destination
16211  780K DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.20:80
 5152  281K DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:192.168.0.20:25
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.20:80
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:192.168.0.20:25
Chain POSTROUTING (policy ACCEPT 26359 packets, 1542K bytes)
 pkts bytes target     prot opt in     out     source               destination
 346K   17M MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 118 packets, 73396 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
iptable_mangle 2048 0 - Live 0x0a898000
loop 10760 0 - Live 0x0a89e000
ipt_MASQUERADE 2560 2 - Live 0x0a8d9000
iptable_nat 17452 2 ipt_MASQUERADE, Live 0x0a92b000
ipt_state 1536 3 - Live 0x0a8a2000
ip_conntrack 24968 3 ipt_MASQUERADE,iptable_nat,ipt_state, Live 0x0a8cd000
iptable_filter 2048 1 - Live 0x0a89c000
ip_tables 13440 5 iptable_mangle,ipt_MASQUERADE,iptable_nat,ipt_state,iptable_filter, Live 0x0a8a6000
ipv6 184288 16 - Live 0x0a979000
deflate 2560 0 - Live 0x0a89a000
zlib_deflate 19480 1 deflate, Live 0x0a931000
twofish 36608 0 - Live 0x0a939000
serpent 12928 0 - Live 0x0a91c000
aes 31296 0 - Live 0x0a922000
blowfish 9600 0 - Live 0x0a8fb000
des 11264 0 - Live 0x0a8f7000
sha256 8704 0 - Live 0x0a8f3000
sha1 7936 0 - Live 0x0a8e7000
crypto_null 1920 0 - Live 0x0a8a4000
ipcomp 5248 0 - Live 0x0a8e4000
esp4 7168 0 - Live 0x0a823000
ah4 5120 0 - Live 0x0a8b2000
af_key 23312 0 - Live 0x0a8ec000
autofs4 10624 0 - Live 0x0a8d5000
sunrpc 101064 1 - Live 0x0a902000
3c59x 30376 0 - Live 0x0a8db000
floppy 47440 0 - Live 0x0a84d000
sg 27552 0 - Live 0x0a829000
scsi_mod 91344 1 sg, Live 0x0a8b5000
microcode 4768 0 - Live 0x0a826000
dm_mod 33184 0 - Live 0x0a843000
uhci_hcd 23708 0 - Live 0x0a83c000
ext3 102376 3 - Live 0x0a85b000
jbd 40216 1 ext3, Live 0x0a831000
+ _________________________ proc/meminfo
+ cat /proc/meminfo
MemTotal: 127132 kB
MemFree: 8012 kB
Buffers: 53308 kB
Cached: 12532 kB
SwapCached: 1304 kB
Active: 28404 kB
Inactive: 41872 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 127132 kB
LowFree: 8012 kB
SwapTotal: 262040 kB
SwapFree: 259832 kB
Dirty: 376 kB
Writeback: 0 kB
Mapped: 7536 kB
Slab: 46028 kB
Committed_AS: 52916 kB
PageTables: 900 kB
VmallocTotal: 4005880 kB
VmallocUsed: 1460 kB
VmallocChunk: 4004188 kB
HugePages_Total: 0
HugePages_Free: 0
Hugepagesize: 4096 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.5-1.358/build/.config
++ uname -r
+ egrep 'CONFIG_NETLINK|CONFIG_IPSEC|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
+ cat /lib/modules/2.6.5-1.358/build/.config
CONFIG_NETLINK_DEV=y
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_RAW=m
# CONFIG_IP6_NF_QUEUE is not set
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_SCTP=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search mycompany.com
nameserver 64.241.125.10
nameserver 63.144.176.10
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 4 root root 4096 Oct 14 19:36 2.6.5-1.358
drwxr-xr-x 4 root root 4096 Oct 15 18:33 2.6.8-1.521
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ echo 'broken (redhat/fedora) 2.6 kernel without kallsyms'
broken (redhat/fedora) 2.6 kernel without kallsyms
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.5-1.358:
2.6.8-1.521:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '173,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Oct 27 01:03:51 fw ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.5-1.358...
+ _________________________ plog
+ sed -n '692,$p' /var/log/secure
+ egrep -i pluto
+ cat
Oct 27 01:03:50 fw ipsec__plutorun: Starting Pluto subsystem...
Oct 27 01:03:50 fw pluto[18883]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Oct 27 01:03:50 fw pluto[18883]: including NAT-Traversal patch (Version 0.6c)
Oct 27 01:03:50 fw pluto[18883]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Oct 27 01:03:50 fw pluto[18883]: Using Linux 2.6 IPsec interface code
Oct 27 01:03:51 fw pluto[18883]: Changing to directory '/etc/ipsec.d/cacerts'
Oct 27 01:03:51 fw pluto[18883]: Could not change to directory '/etc/ipsec.d/aacerts'
Oct 27 01:03:51 fw pluto[18883]: Changing to directory '/etc/ipsec.d/ocspcerts'
Oct 27 01:03:51 fw pluto[18883]: Changing to directory '/etc/ipsec.d/crls'
Oct 27 01:03:51 fw pluto[18883]: Warning: empty directory
Oct 27 01:03:52 fw pluto[18883]: loaded host cert file '/etc/ipsec.d/certs/fw.mycompany.com.cert.pem' (3729 bytes)
Oct 27 01:03:52 fw pluto[18883]: loaded host cert file '/etc/ipsec.d/certs/cadd26.mycompany.com.cert.pem' (3749 bytes)
Oct 27 01:03:52 fw pluto[18883]: added connection description "darin-from-home"
Oct 27 01:03:52 fw pluto[18883]: loaded host cert file '/etc/ipsec.d/certs/fw.mycompany.com.cert.pem' (3729 bytes)
Oct 27 01:03:52 fw pluto[18883]: loaded host cert file '/etc/ipsec.d/certs/cadd26.mycompany.com.cert.pem' (3749 bytes)
Oct 27 01:03:52 fw pluto[18883]: added connection description "darin-from-home-net"
Oct 27 01:03:52 fw pluto[18883]: listening for IKE messages
Oct 27 01:03:52 fw pluto[18883]: adding interface eth1/eth1 192.168.0.1
Oct 27 01:03:52 fw pluto[18883]: adding interface eth1/eth1 192.168.0.1:4500
Oct 27 01:03:52 fw pluto[18883]: adding interface eth0/eth0 33.33.33.242
Oct 27 01:03:52 fw pluto[18883]: adding interface eth0/eth0 33.33.33.242:4500
Oct 27 01:03:52 fw pluto[18883]: adding interface lo/lo 127.0.0.1
Oct 27 01:03:52 fw pluto[18883]: adding interface lo/lo 127.0.0.1:4500
Oct 27 01:03:52 fw pluto[18883]: adding interface lo/lo ::1
Oct 27 01:03:52 fw pluto[18883]: loading secrets from "/etc/ipsec.secrets"
Oct 27 01:03:52 fw pluto[18883]: loaded private key file '/etc/ipsec.d/private/fw.mycompany.com.key.pem' (1683 bytes)
Oct 27 01:04:14 fw pluto[18883]: packet from 68.162.148.89:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Oct 27 01:04:14 fw pluto[18883]: packet from 68.162.148.89:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 27 01:04:14 fw pluto[18883]: packet from 68.162.148.89:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct 27 01:04:14 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: responding to Main Mode from unknown peer 68.162.148.89
Oct 27 01:04:14 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: transition from state (null) to state STATE_MAIN_R1
Oct 27 01:04:14 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct 27 01:04:14 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 27 01:04:14 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: next payload type of ISAKMP Hash Payload has an unknown value: 202
Oct 27 01:04:14 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: malformed payload in packet
Oct 27 01:04:14 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: sending encrypted notification PAYLOAD_MALFORMED to 68.162.148.89:500
Oct 27 01:04:18 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: next payload type of ISAKMP Hash Payload has an unknown value: 40
Oct 27 01:04:18 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: malformed payload in packet
Oct 27 01:04:18 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: sending encrypted notification PAYLOAD_MALFORMED to 68.162.148.89:500
Oct 27 01:04:25 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: Informational Exchange message must be encrypted
Oct 27 01:04:45 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: Informational Exchange message must be encrypted
Oct 27 01:05:24 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 27 01:05:24 fw pluto[18883]: "darin-from-home"[1] 68.162.148.89: deleting connection "darin-from-home" instance with peer 68.162.148.89 {isakmp=#0/ipsec=#0}
+ _________________________ date
+ date
Wed Oct 27 08:50:10 EDT 2004
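The pluto log in the barf above fails at STATE_MAIN_R2 with "next payload type of ISAKMP Hash Payload has an unknown value: 202" (then 40 on the retransmit), followed by "malformed payload in packet" and a PAYLOAD_MALFORMED notification. The script below is an added example, not Openswan code and not part of the original post: it walks an ISAKMP (IKEv1) payload chain the way a responder does, so that diagnostic can be seen at the byte level. After the fixed 28-byte header, every payload starts with a 4-byte generic header (next payload, reserved, length) and the chain is followed through the next-payload byte; the diagnostic fires when that byte is not a defined payload type. The third Main Mode message, which is where the log fails, has its body encrypted, so the chain only exists after the responder has decrypted it with the keys derived from the exchange, and a value such as 202 there means the decrypted bytes are not the payload sequence the peer built. The SA payload bytes, the Microsoft Vendor ID bytes and the "bad" plaintext are constructed for the example; the 0x82/0x83 NAT-D/NAT-OA codes are an assumption about the private payload numbers used by draft-02 NAT-T peers.

```python
"""Walk an ISAKMP (IKEv1) payload chain as an IKE responder does and reproduce
the "next payload type ... has an unknown value" diagnostic from the log.
Added example, not Openswan code; wire layout per RFC 2408."""
import hashlib
import struct

# Payload type codes from RFC 2408 section 3.1.  0x82/0x83 are the private-use
# NAT-D/NAT-OA codes of draft-ietf-ipsec-nat-t-ike-02 peers like the one in the
# log (assumption; RFC 3947 later assigned 20 and 21 for the same payloads).
PAYLOAD_NAMES = {
    0: "None", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
    6: "CERT", 7: "CR", 8: "Hash", 9: "SIG", 10: "Nonce", 11: "N",
    12: "D", 13: "VID", 0x82: "NAT-D", 0x83: "NAT-OA",
}
# icookie, rcookie, next payload, version, exchange type, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
GENERIC_HDR = struct.Struct("!BBH")   # next payload, reserved, payload length
FLAG_ENCRYPTION = 0x01                # header flag set from Main Mode message 3 on

class MalformedPayload(Exception):
    """The condition behind pluto's PAYLOAD_MALFORMED notification."""

def walk_chain(first_np, body):
    """Walk a cleartext payload chain whose first payload has type first_np.
    Returns [(type_name, data), ...] or raises MalformedPayload worded like
    the log lines above."""
    np, off, out = first_np, 0, []
    prev = "ISAKMP Message"           # the fixed header, in pluto's naming
    while np != 0:
        if np not in PAYLOAD_NAMES:
            raise MalformedPayload(
                f"next payload type of {prev} has an unknown value: {np}")
        name = f"ISAKMP {PAYLOAD_NAMES[np]} Payload"
        if off + GENERIC_HDR.size > len(body):
            raise MalformedPayload(f"{name} header runs past end of message")
        nxt, _reserved, plen = GENERIC_HDR.unpack_from(body, off)
        if plen < GENERIC_HDR.size or off + plen > len(body):
            raise MalformedPayload(f"{name} has impossible length {plen}")
        out.append((PAYLOAD_NAMES[np], body[off + GENERIC_HDR.size:off + plen]))
        prev, off, np = name, off + plen, nxt
    if off != len(body):
        raise MalformedPayload(f"{len(body) - off} trailing bytes after last payload")
    return out

def walk_message(msg):
    """Parse the fixed header and walk the body.  An encrypted body has no chain
    until the responder has decrypted it; garbage next-payload bytes come from there."""
    if len(msg) < ISAKMP_HDR.size:
        raise MalformedPayload("message shorter than ISAKMP header")
    _ic, _rc, np, _ver, _xchg, flags, _msgid, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise MalformedPayload(f"header length {length} != message length {len(msg)}")
    if flags & FLAG_ENCRYPTION:
        raise MalformedPayload("body is encrypted; decrypt before walking the chain")
    return walk_chain(np, msg[ISAKMP_HDR.size:])

def diagnostic(walker, *args):
    """What a responder would log for walker(*args): the error text, or None."""
    try:
        walker(*args)
    except MalformedPayload as e:
        return str(e)
    return None

def build_message(payloads, flags=0, xchg=2):
    """Encode [(type_code, data), ...] as an ISAKMP message (exchange type 2 is
    Main Mode / Identity Protection) with placeholder cookies."""
    body = b""
    for i, (code, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, xchg, flags, 0,
                          ISAKMP_HDR.size + len(body))
    return hdr + body

# Constructed first Main Mode message: an SA payload and the two Vendor IDs the
# log shows the Windows peer offering.  NAT-T draft VIDs are the MD5 of the
# draft name; the "_n" variant pluto reports is the one with a trailing newline.
NAT_T_02_N_VID = hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest()
MI1 = build_message([
    (1, b"\x00\x00\x00\x01" + b"\x00" * 8),       # SA: IPsec DOI, situation, stub
    (13, b"placeholder bytes for MS NT5 VID"),    # constructed, not the real value
    (13, NAT_T_02_N_VID),
])

# Constructed plaintext of the kind a responder gets when decryption of the
# third Main Mode message goes wrong: the ID payload's header still says a Hash
# payload follows, but that Hash payload's own next-payload byte is 202.
BAD_MI3_BODY = (
    GENERIC_HDR.pack(8, 0, GENERIC_HDR.size + 4) + b"\x01\x00\x00\x00"     # ID -> Hash
    + GENERIC_HDR.pack(202, 0, GENERIC_HDR.size + 16) + b"\x5a" * 16       # Hash -> 202
)
```

`walk_message(MI1)` yields the SA and the two Vendor ID payloads in order, and `diagnostic(walk_chain, 5, BAD_MI3_BODY)` returns the exact text of the failing log line. The walker deliberately refuses a message whose encryption flag is set: in the real exchange the responder derives its keys from the first two round trips and decrypts first, which is why pluto reports this error only once it has reached STATE_MAIN_R2 and never on the cleartext messages before it.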