[Openswan Users]
Error : ignoring informational payload, type INVALID_COOKIE
Frédéric Gonzatti
fred99 at libertysurf.fr
Thu Sep 2 23:39:40 CEST 2004
Hi all,
I'm trying to build a VPN on my Fedora Core 2 kernel 2.6.7. I'm using
Openswan 2.1.5.
The main error message is "ignoring informational payload, type
INVALID_COOKIE".
On my VPN server there are three Ethernet cards:
eth2 which has a public IP: 62.160.X.X
eth1 which has private IP 192.168.2.1/255.255.255.0
eth0 which has private IP 172.16.2.1/255.255.0.0
I tried to access my VPN server: ping 172.16.2.1, but it didn't work!
Here is the result of the ipsec barf command:
gandalf.XXXXXXXX.com
Thu Sep 2 23:51:33 CEST 2004
+ _________________________ version
+ ipsec --version
Linux Openswan U2.1.5/K2.6.7 (native) (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.7 (root at gandalf.XXXXXXXX.com) (version gcc 3.3.3
20040412 (Red Hat Linux 3.3.3-7)) #1 Thu Jul 29 22:28:24 CEST 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
62.160.115.24 0.0.0.0 255.255.255.248 U 0 0 0
eth2
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0
eth1
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0
eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 62.160.115.30 0.0.0.0 UG 0 0 0
eth2
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
::/0[any] ::/0[any] any
in none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=435 seq=17 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=419 seq=16 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=403 seq=15 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=387 seq=14 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=371 seq=13 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=355 seq=12 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=339 seq=11 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=323 seq=10 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Sep 2 15:41:34 2004 lastused: Sep 2 20:54:42 2004
lifetime: 0(s) validtime: 0(s)
spid=307 seq=9 pid=14391
refcnt=1
::/0[any] ::/0[any] any
out none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=444 seq=8 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=428 seq=7 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=412 seq=6 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=396 seq=5 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=380 seq=4 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=364 seq=3 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=348 seq=2 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Sep 2 15:41:34 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=332 seq=1 pid=14391
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Sep 2 15:41:34 2004 lastused: Sep 2 20:54:42 2004
lifetime: 0(s) validtime: 0(s)
spid=316 seq=0 pid=14391
refcnt=1
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 172.16.2.1
000 interface eth0/eth0 172.16.2.1
000 interface eth1/eth1 192.168.2.1
000 interface eth1/eth1 192.168.2.1
000 interface eth2/eth2 62.160.X.X
000 interface eth2/eth2 62.160.X.X
000 %myid = (none)
000 debug none
000
000 "roadwarrior": 62.160.X.X[C=FR, ST=Herault, L=Montpellier,
O=XXXXXXXX, OU=Info, CN=XXXXXXXXca,
E=postmaster at XXXXXXXX.com,S=C]---62.160.115.30...%virtual[S=C]===?;
unrouted; eroute owner: #0
000 "roadwarrior": CAs: 'C=FR, ST=Herault, L=Montpellier, O=XXXXXXXX,
OU=Info, CN=XXXXXXXXca, E=postmaster at XXXXXXXX.com'...'%any'
000 "roadwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio:
32,32; interface: eth2;
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-net": 172.16.0.0/16===62.160.X.X[C=FR, ST=Herault,
L=Montpellier, O=XXXXXXXX, OU=Info, CN=XXXXXXXXca,
E=postmaster at XXXXXXXX.com,S=C]---62.160.115.30...%virtual[S=C]===?;
unrouted; eroute owner: #0
000 "roadwarrior-net": CAs: 'C=FR, ST=Herault, L=Montpellier,
O=XXXXXXXX, OU=Info, CN=XXXXXXXXca, E=postmaster at XXXXXXXX.com'...'%any'
000 "roadwarrior-net": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-net": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS;
prio: 16,32; interface: eth2;
000 "roadwarrior-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:50:BA:11:56:66
inet addr:172.16.2.1 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::250:baff:fe11:5666/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:144 errors:0 dropped:0 overruns:0 frame:0
TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11239 (10.9 Kb) TX bytes:2310 (2.2 Kb)
Interrupt:11 Base address:0x4e00
eth1 Link encap:Ethernet HWaddr 00:30:F1:45:E2:C7
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::230:f1ff:fe45:e2c7/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:9 dropped:0 overruns:0 carrier:18
collisions:0 txqueuelen:1000
RX bytes:180 (180.0 b) TX bytes:0 (0.0 b)
Interrupt:12 Base address:0x3800
eth2 Link encap:Ethernet HWaddr 00:10:B5:AC:E8:B7
inet addr:62.160.X.X Bcast:62.255.255.255 Mask:255.255.255.248
inet6 addr: fe80::210:b5ff:feac:e8b7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1942 errors:0 dropped:0 overruns:0 frame:0
TX packets:1605 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:253962 (248.0 Kb) TX bytes:231528 (226.1 Kb)
Interrupt:11 Base address:0xac00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:98 errors:0 dropped:0 overruns:0 frame:0
TX packets:98 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8904 (8.6 Kb) TX bytes:8904 (8.6 Kb)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.1.5/K2.6.7 (native) (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: gandalf.XXXXXXXX.com
[MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 26.115.160.62.in-addr.arpa.
[MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: no link
product info: vendor 00:05:be, model 8 rev 0
basic mode: autonegotiation enabled
basic status: no link
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
eth1: no link
product info: vendor 00:07:49, model 1 rev 1
basic mode: autonegotiation enabled
basic status: no link
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth2: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
gandalf.XXXXXXXX.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
23:51:37 up 10:16, 1 user, load average: 0.24, 0.05, 0.02
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 14371 14339 15 0 4084 964 wait4 S pts/3
0:00 \_ /bin/sh /usr/local/libexec/ipsec/barf
4 0 14446 14371 15 0 1508 396 pipe_w S pts/3
0:00 \_ egrep -i ppid|pluto|ipsec|klips
5 0 13783 1 20 0 2056 1032 wait4 S ? 0:00
/bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive
--force_keepalive --disable_port_floating --virtual_private
%v4:172.16.0.0/12 --crlcheckinterval 0 --dump --opts --stderrlog
--wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
5 0 13784 13783 20 0 2056 1044 wait4 S ? 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive
--force_keepalive --disable_port_floating --virtual_private
%v4:172.16.0.0/12 --crlcheckinterval 0 --dump --opts --stderrlog
--wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 13785 13784 15 0 2184 1064 - S ? 0:00 |
\_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile
/etc/ipsec.secrets --ipsecdir /etc/ipsec.d --uniqueids --nat_traversal
--virtual_private %v4:172.16.0.0/12
4 0 13818 13785 19 0 1316 252 - S ? 0:00
| \_ _pluto_adns
4 0 13786 13783 16 0 2056 1016 pipe_w S ? 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
4 0 13787 1 20 0 1380 288 pipe_w S ? 0:00
logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth2
routevirt=ipsec0
routeaddr=62.160.X.X
routenexthop=62.160.115.30
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp $
# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.4/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.4/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.4/doc/adv_config.html
#
# Policy groups are enabled by default. See:
#
http://www.freeswan.org/freeswan_trees/freeswan-2.1.4/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.4/doc/examples
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=all
# plutodebug=dns
interfaces=%defaultroute
nat_traversal=yes
virtual_private=%v4:172.16.0.0/12
conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
conn roadwarrior-net
leftsubnet=172.16.0.0/255.255.0.0
also=roadwarrior
conn roadwarrior
left=%defaultroute
leftcert=gandalf.XXXXXXXX.com.pem
right=%any
rightsubnet=vhost:%no,%priv
auto=add
pfs=yes
conn block
auto=ignore
conn clear
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn packetdefault
auto=ignore
# Add connections here.
# sample VPN connection
#sample# conn sample
#sample# # Left security gateway, subnet behind it, next hop
toward right.
#sample# left=10.0.0.1
#sample# leftsubnet=172.16.0.0/24
#sample# leftnexthop=10.22.33.44
#sample# # Right security gateway, subnet behind it, next hop
toward left.
#sample# right=10.12.12.1
#sample# rightsubnet=192.168.0.0/24
#sample# rightnexthop=10.101.102.103
#sample# # To authorize this connection, but not actually start
it, at startup,
#sample# # uncomment this.
#sample# #auto=start
#Disable Opportunistic Encryption
#include /etc/ipsec.d/examples/no_oe.conf
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits gandalf.XXXXXXXX.com Thu Jul 29 23:39:06 2004
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQNY8EdZv]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic
Responder".
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 260
-rwxr-xr-x 1 root root 15291 Aug 25 18:08 _confread
-rwxr-xr-x 1 root root 15291 Jul 29 23:38 _confread.old
-rwxr-xr-x 1 root root 44528 Aug 25 18:08 _copyright
-rwxr-xr-x 1 root root 44544 Jul 29 23:38 _copyright.old
-rwxr-xr-x 1 root root 2379 Aug 25 18:08 _include
-rwxr-xr-x 1 root root 2379 Jul 29 23:38 _include.old
-rwxr-xr-x 1 root root 1475 Aug 25 18:08 _keycensor
-rwxr-xr-x 1 root root 1475 Jul 29 23:38 _keycensor.old
-rwxr-xr-x 1 root root 3586 Aug 25 18:08 _plutoload
-rwxr-xr-x 1 root root 3586 Jul 29 23:38 _plutoload.old
-rwxr-xr-x 1 root root 6780 Aug 25 18:08 _plutorun
-rwxr-xr-x 1 root root 6780 Jul 29 23:38 _plutorun.old
-rwxr-xr-x 1 root root 10404 Aug 25 18:08 _realsetup
-rwxr-xr-x 1 root root 10404 Jul 29 23:38 _realsetup.old
-rwxr-xr-x 1 root root 1975 Aug 25 18:08 _secretcensor
-rwxr-xr-x 1 root root 1975 Jul 29 23:38 _secretcensor.old
-rwxr-xr-x 1 root root 8427 Aug 25 18:08 _startklips
-rwxr-xr-x 1 root root 8427 Jul 29 23:38 _startklips.old
-rwxr-xr-x 1 root root 11261 Aug 25 18:08 _updown
-rwxr-xr-x 1 root root 11261 Jul 29 23:38 _updown.old
-rwxr-xr-x 1 root root 7572 Aug 25 18:08 _updown_x509
-rwxr-xr-x 1 root root 7572 Jul 29 23:38 _updown_x509.old
-rwxr-xr-x 1 root root 1942 Aug 25 18:08 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 7968
-rwxr-xr-x 1 root root 66082 Aug 25 18:08 _pluto_adns
-rwxr-xr-x 1 root root 66098 Jul 29 23:38 _pluto_adns.old
-rwxr-xr-x 1 root root 15691 Aug 25 18:08 auto
-rwxr-xr-x 1 root root 15691 Jul 29 23:38 auto.old
-rwxr-xr-x 1 root root 10191 Aug 25 18:08 barf
-rwxr-xr-x 1 root root 10191 Jul 29 23:38 barf.old
-rwxr-xr-x 1 root root 816 Aug 25 18:08 calcgoo
-rwxr-xr-x 1 root root 816 Jul 29 23:38 calcgoo.old
-rwxr-xr-x 1 root root 313906 Aug 25 18:08 eroute
-rwxr-xr-x 1 root root 313922 Jul 29 23:38 eroute.old
-rwxr-xr-x 1 root root 124422 Aug 25 18:08 ikeping
-rwxr-xr-x 1 root root 124438 Jul 29 23:38 ikeping.old
-rwxr-xr-x 1 root root 179623 Aug 25 18:08 klipsdebug
-rwxr-xr-x 1 root root 179639 Jul 29 23:38 klipsdebug.old
-rwxr-xr-x 1 root root 2461 Aug 25 18:08 look
-rwxr-xr-x 1 root root 2461 Jul 29 23:38 look.old
-rwxr-xr-x 1 root root 7130 Aug 25 18:08 mailkey
-rwxr-xr-x 1 root root 7130 Jul 29 23:38 mailkey.old
-rwxr-xr-x 1 root root 16188 Aug 25 18:08 manual
-rwxr-xr-x 1 root root 16188 Jul 29 23:38 manual.old
-rwxr-xr-x 1 root root 1874 Aug 25 18:08 newhostkey
-rwxr-xr-x 1 root root 1874 Jul 29 23:38 newhostkey.old
-rwxr-xr-x 1 root root 163604 Aug 25 18:08 pf_key
-rwxr-xr-x 1 root root 163616 Jul 29 23:38 pf_key.old
-rwxr-xr-x 1 root root 2078195 Aug 25 18:08 pluto
-rwxr-xr-x 1 root root 2078447 Jul 29 23:38 pluto.old
-rwxr-xr-x 1 root root 49550 Aug 25 18:08 ranbits
-rwxr-xr-x 1 root root 49566 Jul 29 23:38 ranbits.old
-rwxr-xr-x 1 root root 79044 Aug 25 18:08 rsasigkey
-rwxr-xr-x 1 root root 79060 Jul 29 23:38 rsasigkey.old
-rwxr-xr-x 1 root root 766 Aug 25 18:08 secrets
-rwxr-xr-x 1 root root 766 Jul 29 23:38 secrets.old
-rwxr-xr-x 1 root root 17602 Aug 25 18:08 send-pr
-rwxr-xr-x 1 root root 17602 Jul 29 23:38 send-pr.old
lrwxrwxrwx 1 root root 22 Aug 25 18:08 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Aug 25 18:08 showdefaults
-rwxr-xr-x 1 root root 1048 Jul 29 23:38 showdefaults.old
-rwxr-xr-x 1 root root 4321 Aug 25 18:08 showhostkey
-rwxr-xr-x 1 root root 4321 Jul 29 23:38 showhostkey.old
-rwxr-xr-x 1 root root 320882 Aug 25 18:08 spi
-rwxr-xr-x 1 root root 320898 Jul 29 23:38 spi.old
-rwxr-xr-x 1 root root 252663 Aug 25 18:08 spigrp
-rwxr-xr-x 1 root root 252679 Jul 29 23:38 spigrp.old
-rwxr-xr-x 1 root root 47646 Aug 25 18:08 tncfg
-rwxr-xr-x 1 root root 47662 Jul 29 23:38 tncfg.old
-rwxr-xr-x 1 root root 10201 Aug 25 18:08 verify
-rwxr-xr-x 1 root root 10201 Jul 29 23:38 verify.old
-rwxr-xr-x 1 root root 221139 Aug 25 18:08 whack
-rwxr-xr-x 1 root root 221155 Jul 29 23:38 whack.old
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed
multicast|bytes packets errs drop fifo colls carrier compressed
lo: 9194 101 0 0 0 0 0 0
9194 101 0 0 0 0 0 0
eth0: 11239 144 0 0 0 0 0 0
2436 54 0 0 0 0 0 0
eth1: 180 3 0 0 0 0 0 0
0 0 9 0 0 0 18 0
eth2: 254535 1946 0 0 0 0 0 0
231836 1609 0 0 0 0 0 0
sit0: 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric
Mask MTU Window
IRTT
eth2 1873A03E 00000000 0001 0 0 0 F8FFFFFF 0
0
0
eth1 0002A8C0 00000000 0001 0 0 0 00FFFFFF 0
0
0
eth0 000010AC 00000000 0001 0 0 0 0000FFFF 0
0
0
lo 0000007F 00000000 0001 0 0 0 000000FF 0
0
0
eth2 00000000 1E73A03E 0003 0 0 0 00000000 0
0
0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
eth1/rp_filter eth2/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
eth2/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux gandalf.XXXXXXXX.com 2.6.7 #1 Thu Jul 29 22:28:24 CEST 2004 i686
i686 i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 2 (Tettnang)
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'native PFKEY (2.6.7) support detected '
native PFKEY (2.6.7) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/local/libexec/ipsec/barf: line 286: no old-style linux 1.x/2.0
ipfwadm firewall support: Aucun fichier ou répertoire de ce type
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 1358 packets, 159K bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 1369 packets, 194K bytes)
pkts bytes target prot opt in out source
destination
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 231 packets, 20036 bytes)
pkts bytes target prot opt in out source
destination
0 0 DNAT tcp -- * * 0.0.0.0/0
172.16.2.1 tcp dpt:110 to:192.168.2.150:110
0 0 DNAT tcp -- * * 0.0.0.0/0
62.160.115.25 tcp dpt:25 to:192.168.2.100:25
0 0 DNAT tcp -- * * 0.0.0.0/0
62.160.115.25 tcp dpt:110 to:192.168.2.150:110
0 0 DNAT tcp -- * * 0.0.0.0/0
62.160.115.25 tcp dpt:8000 to:192.168.2.100:8000
0 0 DNAT tcp -- * * 0.0.0.0/0
62.160.115.25 tcp dpt:8001 to:192.168.2.150:8001
0 0 DNAT tcp -- * * 0.0.0.0/0
62.160.115.25 tcp dpt:25 to:192.168.2.100:25
0 0 DNAT tcp -- * * 0.0.0.0/0
62.160.115.25 tcp dpt:110 to:192.168.2.150:110
Chain POSTROUTING (policy ACCEPT 25 packets, 1822 bytes)
pkts bytes target prot opt in out source
destination
12 842 MASQUERADE all -- * eth2 0.0.0.0/0
0.0.0.0/0
0 0 MASQUERADE all -- * eth2 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 53 packets, 3887 bytes)
pkts bytes target prot opt in out source
destination
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 465 packets, 68813 bytes)
pkts bytes target prot opt in out source
destination
Chain INPUT (policy ACCEPT 465 packets, 68813 bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 465 packets, 77661 bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 465 packets, 77661 bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
iptable_mangle 2560 0 - Live 0xc8a01000
ip_nat_ftp 4464 0 - Live 0xc8a33000
ip_conntrack_ftp 71344 1 ip_nat_ftp, Live 0xc8a3b000
ipt_state 1920 0 - Live 0xc8a6e000
ipt_MASQUERADE 3200 2 - Live 0xc8a76000
iptable_nat 20524 3 ip_nat_ftp,ipt_MASQUERADE, Live 0xc8a27000
ip_conntrack 27656 5
ip_nat_ftp,ip_conntrack_ftp,ipt_state,ipt_MASQUERADE,iptable_nat, Live
0xc8a1f000
iptable_filter 2560 0 - Live 0xc89fd000
ip_tables 15488 5
iptable_mangle,ipt_state,ipt_MASQUERADE,iptable_nat,iptable_filter, Live
0xc89f8000
deflate 3072 0 - Live 0xc89e1000
zlib_deflate 21784 1 deflate, Live 0xc89f1000
twofish 39040 0 - Live 0xc89e6000
serpent 15232 0 - Live 0xc8a05000
aes 32192 0 - Live 0xc8a16000
blowfish 10368 0 - Live 0xc8a12000
des 11904 0 - Live 0xc8a0e000
sha256 9728 0 - Live 0xc89dd000
sha1 8704 0 - Live 0xc89d9000
crypto_null 2432 0 - Live 0xc8951000
ipv6 209760 12 - Live 0xc89a4000
ipcomp 6272 0 - Live 0xc89a1000
esp4 8192 0 - Live 0xc899e000
ah4 6016 0 - Live 0xc89e3000
af_key 26512 0 - Live 0xc8986000
autofs4 15236 0 - Live 0xc8981000
sunrpc 123492 1 - Live 0xc895b000
8139too 20224 0 - Live 0xc8955000
tulip 40864 0 - Live 0xc8946000
via_rhine 17800 0 - Live 0xc897b000
mii 4224 2 8139too,via_rhine, Live 0xc88e6000
floppy 53328 0 - Live 0xc898f000
sg 31648 0 - Live 0xc88dd000
scsi_mod 100556 1 sg, Live 0xc8ae8000
microcode 5664 0 - Live 0xc88b9000
dm_mod 37408 0 - Live 0xc88d2000
uhci_hcd 27792 0 - Live 0xc88ca000
button 5016 0 - Live 0xc88b6000
battery 7564 0 - Live 0xc88b3000
asus_acpi 9368 0 - Live 0xc88af000
ac 3724 0 - Live 0xc88ad000
ext3 103528 1 - Live 0xc88e9000
jbd 46872 1 ext3, Live 0xc88bd000
+ _________________________ proc/meminfo
+ cat /proc/meminfo
MemTotal: 125716 kB
MemFree: 3752 kB
Buffers: 9056 kB
Cached: 51464 kB
SwapCached: 0 kB
Active: 44576 kB
Inactive: 20588 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 125716 kB
LowFree: 3752 kB
SwapTotal: 514072 kB
SwapFree: 514072 kB
Dirty: 124 kB
Writeback: 0 kB
Mapped: 8756 kB
Slab: 53932 kB
Committed_AS: 11592 kB
PageTables: 496 kB
VmallocTotal: 901112 kB
VmallocUsed: 2456 kB
VmallocChunk: 898032 kB
HugePages_Total: 0
HugePages_Free: 0
Hugepagesize: 4096 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.7/build/.config
++ uname -r
+ cat /lib/modules/2.6.7/build/.config
+ egrep 'CONFIG_NETLINK|CONFIG_IPSEC|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NETLINK_DEV=y
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_RAW=m
# CONFIG_IP6_NF_QUEUE is not set
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_SCTP=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search XXXXXXXX.com
nameserver 172.16.2.200
nameserver 194.2.0.20
nameserver 194.2.0.50
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 12
drwxr-xr-x 4 root root 4096 Jul 29 21:52 2.6.5-1.358
drwxr-xr-x 3 root root 4096 Jul 29 23:32 2.6.7
drwxr-xr-x 3 root root 4096 Aug 25 17:59 2.6.8.1
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c0273760 T netif_rx
c0273760 U netif_rx [ipv6]
c0273760 U netif_rx [tulip]
c0273760 U netif_rx [via_rhine]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.5-1.358:
2.6.7:
2.6.8.1:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '914,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Sep 2 15:41:33 gandalf ipsec_setup: Starting Openswan IPsec
U2.1.5/K2.6.7...
Sep 2 15:41:33 gandalf ipsec_setup: KLIPS ipsec0 on eth2
62.160.X.X/255.255.255.248 broadcast 62.255.255.255
Sep 2 15:41:33 gandalf ipsec_setup: ...Openswan IPsec started
+ _________________________ plog
+ sed -n '251,$p' /var/log/secure
+ egrep -i pluto
+ cat
Sep 2 15:41:33 gandalf ipsec__plutorun: Starting Pluto subsystem...
Sep 2 15:41:33 gandalf pluto[13785]: Starting Pluto (Openswan Version
2.1.5 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Sep 2 15:41:33 gandalf pluto[13785]: including NAT-Traversal patch
(Version 0.6c)
Sep 2 15:41:33 gandalf pluto[13785]: Using Linux 2.6 IPsec interface code
Sep 2 15:41:33 gandalf pluto[13785]: Changing to directory
'/etc/ipsec.d/cacerts'
Sep 2 15:41:33 gandalf pluto[13785]: loaded cacert file 'cacert.pem'
(1667 bytes)
Sep 2 15:41:33 gandalf pluto[13785]: Changing to directory
'/etc/ipsec.d/crls'
Sep 2 15:41:33 gandalf pluto[13785]: loaded crl file 'crl.pem' (703
bytes)
Sep 2 15:41:34 gandalf pluto[13785]: loaded host cert file
'/etc/ipsec.d/certs/gandalf.XXXXXXXX.com.pem' (5062 bytes)
Sep 2 15:41:34 gandalf pluto[13785]: added connection description
"roadwarrior"
Sep 2 15:41:34 gandalf pluto[13785]: loaded host cert file
'/etc/ipsec.d/certs/gandalf.XXXXXXXX.com.pem' (5062 bytes)
Sep 2 15:41:34 gandalf pluto[13785]: added connection description
"roadwarrior-net"
Sep 2 15:41:34 gandalf pluto[13785]: listening for IKE messages
Sep 2 15:41:34 gandalf pluto[13785]: adding interface eth2/eth2 62.160.X.X
Sep 2 15:41:34 gandalf pluto[13785]: adding interface eth2/eth2
62.160.X.X:4500
Sep 2 15:41:34 gandalf pluto[13785]: adding interface eth1/eth1 192.168.2.1
Sep 2 15:41:34 gandalf pluto[13785]: adding interface eth1/eth1
192.168.2.1:4500
Sep 2 15:41:34 gandalf pluto[13785]: adding interface eth0/eth0 172.16.2.1
Sep 2 15:41:34 gandalf pluto[13785]: adding interface eth0/eth0
172.16.2.1:4500
Sep 2 15:41:34 gandalf pluto[13785]: adding interface lo/lo 127.0.0.1
Sep 2 15:41:34 gandalf pluto[13785]: adding interface lo/lo 127.0.0.1:4500
Sep 2 15:41:34 gandalf pluto[13785]: adding interface lo/lo ::1
Sep 2 15:41:34 gandalf pluto[13785]: loading secrets from
"/etc/ipsec.secrets"
Sep 2 20:51:34 gandalf pluto[13785]: packet from 213.102.202.157:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Sep 2 20:51:34 gandalf pluto[13785]: "roadwarrior"[1] 213.102.202.157
#1: responding to Main Mode from unknown peer 213.102.202.157
Sep 2 20:51:34 gandalf pluto[13785]: "roadwarrior"[1] 213.102.202.157
#1: transition from state (null) to state STATE_MAIN_R1
Sep 2 20:51:35 gandalf pluto[13785]: "roadwarrior"[1] 213.102.202.157
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 2 20:51:35 gandalf pluto[13785]: "roadwarrior"[1] 213.102.202.157
#1: encrypted Informational Exchange message is invalid because it is
for incomplete ISAKMP SA
Sep 2 20:52:17 gandalf pluto[13785]: "roadwarrior"[1] 213.102.202.157
#1: encrypted Informational Exchange message is invalid because it is
for incomplete ISAKMP SA
Sep 2 20:52:45 gandalf pluto[13785]: "roadwarrior"[1] 213.102.202.157
#1: max number of retransmissions (2) reached STATE_MAIN_R2
Sep 2 20:52:45 gandalf pluto[13785]: "roadwarrior"[1] 213.102.202.157:
deleting connection "roadwarrior" instance with peer 213.102.202.157
{isakmp=#0/ipsec=#0}
Sep 2 20:54:12 gandalf pluto[13785]: packet from 213.102.202.157:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Sep 2 20:54:12 gandalf pluto[13785]: "roadwarrior"[2] 213.102.202.157
#2: responding to Main Mode from unknown peer 213.102.202.157
Sep 2 20:54:12 gandalf pluto[13785]: "roadwarrior"[2] 213.102.202.157
#2: transition from state (null) to state STATE_MAIN_R1
Sep 2 20:54:12 gandalf pluto[13785]: "roadwarrior"[2] 213.102.202.157
#2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 2 20:54:12 gandalf pluto[13785]: "roadwarrior"[2] 213.102.202.157
#2: encrypted Informational Exchange message is invalid because it is
for incomplete ISAKMP SA
Sep 2 20:54:31 gandalf pluto[13785]: "roadwarrior"[2] 213.102.202.157
#2: encrypted Informational Exchange message is invalid because it is
for incomplete ISAKMP SA
Sep 2 20:54:42 gandalf pluto[13785]: "roadwarrior"[2] 213.102.202.157
#2: ignoring informational payload, type INVALID_COOKIE
Sep 2 20:55:22 gandalf pluto[13785]: "roadwarrior"[2] 213.102.202.157
#2: max number of retransmissions (2) reached STATE_MAIN_R2
Sep 2 20:55:22 gandalf pluto[13785]: "roadwarrior"[2] 213.102.202.157:
deleting connection "roadwarrior" instance with peer 213.102.202.157
{isakmp=#0/ipsec=#0}
+ _________________________ date
+ date
Thu Sep 2 23:51:38 CEST 2004
Here is the ipsec.conf file of the roadwarrior (Windows XP):
conn roadwarrior
    left=%any
    right=62.160.X.X
    rightca="C=FR,S=Herault,L=Montpellier,O=XXXXXXX,CN=XXXXXXXca,Email=postmaster at XXXXXXX.com"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-net
    left=%any
    right=62.160.X.X
    rightsubnet=172.16.0.0/255.255.0.0
    rightca="C=FR,S=Herault,L=Montpellier,O=XXXXXXX,CN=XXXXXXXca,Email=postmaster at XXXXXXX.com"
    network=auto
    auto=start
    pfs=yes
Any idea?
Thanks a lot
Frederic