[Openswan Users] IKE problems: ignoring informational payload, type NO_PROPOSAL_CHOSEN

Greg Hankins ghankins at mindspring.com
Mon Apr 18 21:19:31 CEST 2005


Hello, I'm trying to establish a tunnel with a Fortinet server that is
maintained by our IT department (i.e., I don't have an administrative login).
I'm using openswan-2.3.0-1 on FC2.  They told me to use: 3des-sha1 and
3des-md5, DH group 5 for IKE.

So I configured this, which I think is MD5 DH group 5 (MODP 1536):
conn foo
     left=192.168.0.10
     leftid=@foo.bar.com
     leftxauthclient=yes
     right=xxx.xx.xx.xxx
     rightsubnet=192.168.1.0/24  # corporate private network
     rightxauthserver=yes
     authby=secret
     auto=add
     ike=3des-md5-modp1536

However, I keep getting this error:
Apr 18 19:59:24 misfits pluto[6848]: packet from xxx.xx.xx.xxx:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

And sure enough, if I look on the wire there doesn't seem to be valid
information in what is being sent:
    [...]
    Security Association payload
        Next payload: Vendor ID (13)
        Length: 84
        Domain of interpretation: IPSEC (1)
        Situation: IDENTITY (1)
        Proposal payload # 0
            Next payload: NONE (0)
            Length: 72
            Proposal number: 0
            Protocol ID: ISAKMP (1)
            SPI size: 0
            Number of transforms: 2
            Transform payload # 0
                Next payload: Transform (3)
                Length: 32
                Transform number: 0
                Transform ID: KEY_IKE (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (3600)
==============> Encryption-Algorithm (1): UNKNOWN-ENCRYPTION-ALG (65535)
==============> Hash-Algorithm (2): UNKNOWN-HASH-ALG (65535)
==============> Authentication-Method (3): UNKNOWN-AUTH-METHOD (65535)
==============> Group-Description (4): UNKNOWN-GROUP-DESCRIPTION (65535)
            Transform payload # 1
                Next payload: NONE (0)
                Length: 32
                Transform number: 1
                Transform ID: KEY_IKE (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (3600)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): MD5 (1)
                Authentication-Method (3): XAUTHInitPreShared (65001)
                Group-Description (4): 1536 bit MODP group (5)
            [...]

I also see this in the output of "ipsec auto --status"; does this mean
anything, since they don't match?
000 "foo":   IKE algorithms wanted: 5_000-1-5, flags=-strict
000 "foo":   IKE algorithms found:  5_192-1_128-5, 

Full output of barf is below.

Thanks for any ideas,
Greg

misfits.twoguys.org
Mon Apr 18 20:05:14 EDT 2005
+ _________________________ version
+ ipsec --version
Linux Openswan U2.3.0/K2.6.9 (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.9 (root at misfits.twoguys.org) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #2 Mon Apr 18 17:59:57 EDT 2005
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.6.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk       RefCnt Rmem   Wmem   User   Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
(per-socket policy) 
	in none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1347 seq=15 pid=7785
	refcnt=1
(per-socket policy) 
	in none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1331 seq=14 pid=7785
	refcnt=1
(per-socket policy) 
	in none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1315 seq=13 pid=7785
	refcnt=1
(per-socket policy) 
	in none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1299 seq=12 pid=7785
	refcnt=1
(per-socket policy) 
	in none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1283 seq=11 pid=7785
	refcnt=1
(per-socket policy) 
	in none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1267 seq=10 pid=7785
	refcnt=1
(per-socket policy) 
	in none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1251 seq=9 pid=7785
	refcnt=1
(per-socket policy) 
	in none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1235 seq=8 pid=7785
	refcnt=1
(per-socket policy) 
	out none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1356 seq=7 pid=7785
	refcnt=1
(per-socket policy) 
	out none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1340 seq=6 pid=7785
	refcnt=1
(per-socket policy) 
	out none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1324 seq=5 pid=7785
	refcnt=1
(per-socket policy) 
	out none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1308 seq=4 pid=7785
	refcnt=1
(per-socket policy) 
	out none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1292 seq=3 pid=7785
	refcnt=1
(per-socket policy) 
	out none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1276 seq=2 pid=7785
	refcnt=1
(per-socket policy) 
	out none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1260 seq=1 pid=7785
	refcnt=1
(per-socket policy) 
	out none
	created: Apr 18 20:05:07 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1244 seq=0 pid=7785
	refcnt=1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface eth0/eth0 192.168.0.10
000 interface eth0/eth0 192.168.0.10
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface vmnet1/vmnet1 192.168.6.1
000 interface vmnet1/vmnet1 192.168.6.1
000 interface vmnet8/vmnet8 192.0.2.1
000 interface vmnet8/vmnet8 192.0.2.1
000 %myid = (none)
000 debug none
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000  
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 "foo": 192.168.0.10[@foo.bar.com,XC+S=C]...xxx.xx.xx.xxx[XS+S=C]===192.168.1.0/24; unrouted; eroute owner: #0
000 "foo":     srcip=unset; dstip=unset
000 "foo":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "foo":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 32,24; interface: eth0; 
000 "foo":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "foo":   IKE algorithms wanted: 5_000-1-5, flags=-strict
000 "foo":   IKE algorithms found:  5_192-1_128-5, 
000  
000  
+ _________________________ ifconfig-a
+ ifconfig -a
dummy0    Link encap:Ethernet  HWaddr EA:CD:FD:51:B4:23  
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:0C:6E:59:47:2B  
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1940 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1783 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1234221 (1.1 Mb)  TX bytes:220986 (215.8 Kb)
          Interrupt:5 Memory:feafc000-0 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:409 errors:0 dropped:0 overruns:0 frame:0
          TX packets:409 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:39908 (38.9 Kb)  TX bytes:39908 (38.9 Kb)

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:C0:00:01  
          inet addr:192.168.6.1  Bcast:192.168.6.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:122 errors:0 dropped:0 overruns:0 frame:0
          TX packets:151 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vmnet8    Link encap:Ethernet  HWaddr 00:50:56:C0:00:08  
          inet addr:192.0.2.1  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

+ _________________________ ip-addr-list
+ ip addr list
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:6e:59:47:2b brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.10/24 brd 192.168.0.255 scope global eth0
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether ea:cd:fd:51:b4:23 brd ff:ff:ff:ff:ff:ff
6: vmnet1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.6.1/24 brd 192.168.6.255 scope global vmnet1
7: vmnet8: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.1/24 brd 192.0.2.255 scope global vmnet8
+ _________________________ ip-route-list
+ ip route list
192.168.6.0/24 dev vmnet1  proto kernel  scope link  src 192.168.6.1 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.10 
192.0.2.0/24 dev vmnet8  proto kernel  scope link  src 192.0.2.1 
169.254.0.0/16 dev eth0  scope link 
default via 192.168.0.1 dev eth0 
+ _________________________ ip-rule-list
+ ip rule list
RTNETLINK answers: Invalid argument
Dump terminated
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                  	[OK]
Linux Openswan U2.3.0/K2.6.9 (netkey)
Checking for IPsec support in kernel                             	[OK]
Checking for RSA private key (/etc/ipsec.secrets)                	[OK]
Checking that pluto is running                                   	[OK]
Two or more interfaces found, checking IP forwarding             	[FAILED]
Checking for 'ip' command                                        	[OK]
Checking for 'iptables' command                                  	[OK]
Checking for 'setkey' command for NETKEY IPsec stack support     	[OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: misfits.twoguys.org      	[MISSING]
   Does the machine have at least one non-private address?       	[OK]
   Looking for TXT in reverse dns zone: 1.2.0.192.in-addr.arpa.  	[MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
SIOCGMIIPHY on 'eth0' failed: Bad address
no MII interfaces found
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
misfits.twoguys.org
+ _________________________ hostname/ipaddress
+ hostname --ip-address
192.168.0.10
+ _________________________ uptime
+ uptime
 20:05:28 up  2:01,  6 users,  load average: 0.06, 0.11, 0.14
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
4     0  7760  3106  17   0  4304 1044 -      R    pts/4      0:00              \_ /bin/sh /usr/libexec/ipsec/barf
5     0  7642     1  22   0  2012  836 wait   S    pts/4      0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug  --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_traversal yes --keep_alive  --force_keepalive  --disable_port_floating  --virtual_private  --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto.pid
5     0  7643  7642  22   0  2012  848 wait   S    pts/4      0:00  \_ /bin/sh /usr/lib/ipsec/_plutorun --debug  --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_traversal yes --keep_alive  --force_keepalive  --disable_port_floating  --virtual_private  --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto.pid
4     0  7644  7643  16   0  2308 1032 -      S    pts/4      0:00  |   \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --uniqueids --nat_traversal
1     0  7645  7644  30  10  2308  760 -      SN   pts/4      0:00  |       \_ pluto helper  #  0                                                                                                    
4     0  7731  7644  22   0  1328  256 -      S    pts/4      0:00  |       \_ _pluto_adns
4     0  7646  7642  21   0  2012  828 pipe_w S    pts/4      0:00  \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post 
4     0  7647     1  22   0  1388  308 pipe_w S    pts/4      0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=192.168.0.10
routenexthop=192.168.0.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=all
	#plutodebug=all
        nat_traversal=yes
#        interfaces="ipsec0=eth0"

# Add connections here

conn foo
     left=192.168.0.10
     leftid=@foo.bar.com
     leftxauthclient=yes
     right=xxx.xx.xx.xxx
     rightsubnet=192.168.1.0/24	 # corporate private network
     rightxauthserver=yes
     authby=secret
     auto=add
     ike=3des-md5-modp1536
#     ike=3des-md5-modp1536,3des-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024
# IKE (RFC 2409)
# DH Group 1 (MODP 768)
# DH Group 2 (MODP 1024)
# DH Group 5 (MODP 1536)
#     spi=0x200
#     esp=3des-sha1
#     espenckey=[sums to b849...]
#     espauthkey=[sums to b37e...]

conn block 
    auto=ignore

conn private 
    auto=ignore

conn private-or-clear 
    auto=ignore

conn clear-or-private 
    auto=ignore

conn clear 
    auto=ignore

conn packetdefault 
    auto=ignore

+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
: RSA	{
	# RSA 2192 bits   misfits.twoguys.org   Mon Apr 18 14:33:55 2005
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey=[keyid AQN2ok16B]
	Modulus: [...]
	PublicExponent: [...]
	# everything after this point is secret
	PrivateExponent: [...]
	Prime1: [...]
	Prime2: [...]
	Exponent1: [...]
	Exponent2: [...]
	Coefficient: [...]
	}
# do not change the indenting of that "[sums to 7d9d...]"

@foo.bar.com xxx.xx.xx.xxx : PSK "[sums to bc0a...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000  
000 List of Public Keys:
000  
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#

++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
192.168.6.0/24
192.0.2.0/24
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption.  This behaviour is also called "Opportunistic Responder".
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
10.0.0.0/8
172.16.0.0/12
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications.  If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#

#0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 108
-rwxr-xr-x  1 root root 15468 Jan  6 07:55 _confread
-rwxr-xr-x  1 root root 12460 Jan  6 07:55 _copyright
-rwxr-xr-x  1 root root  2379 Jan  6 07:55 _include
-rwxr-xr-x  1 root root  1475 Jan  6 07:55 _keycensor
-rwxr-xr-x  1 root root  3586 Jan  6 07:55 _plutoload
-rwxr-xr-x  1 root root  7295 Jan  6 07:55 _plutorun
-rwxr-xr-x  1 root root 11409 Jan  6 07:55 _realsetup
-rwxr-xr-x  1 root root  1975 Jan  6 07:55 _secretcensor
-rwxr-xr-x  1 root root  9385 Jan  6 07:55 _startklips
-rwxr-xr-x  1 root root 12329 Jan  6 07:55 _updown
-rwxr-xr-x  1 root root  7572 Jan  6 07:55 _updown_x509
-rwxr-xr-x  1 root root  1942 Jan  6 07:55 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 2540
-rwxr-xr-x  1 root root   22542 Jan  6 07:55 _pluto_adns
-rwxr-xr-x  1 root root   18840 Jan  6 07:55 auto
-rwxr-xr-x  1 root root   10585 Jan  6 07:55 barf
-rwxr-xr-x  1 root root     816 Jan  6 07:55 calcgoo
-rwxr-xr-x  1 root root  153084 Jan  6 07:55 eroute
-rwxr-xr-x  1 root root   46092 Jan  6 07:55 ikeping
-rwxr-xr-x  1 root root  100793 Jan  6 07:55 klipsdebug
-rwxr-xr-x  1 root root    1664 Jan  6 07:55 livetest
-rwxr-xr-x  1 root root    2461 Jan  6 07:55 look
-rwxr-xr-x  1 root root    7124 Jan  6 07:55 mailkey
-rwxr-xr-x  1 root root   15931 Jan  6 07:55 manual
-rwxr-xr-x  1 root root    1874 Jan  6 07:55 newhostkey
-rwxr-xr-x  1 root root   88704 Jan  6 07:55 pf_key
-rwxr-xr-x  1 root root 1464734 Jan  6 07:55 pluto
-rwxr-xr-x  1 root root   17346 Jan  6 07:55 ranbits
-rwxr-xr-x  1 root root   37524 Jan  6 07:55 rsasigkey
-rwxr-xr-x  1 root root     766 Jan  6 07:55 secrets
-rwxr-xr-x  1 root root   17578 Jan  6 07:55 send-pr
lrwxrwxrwx  1 root root      22 Apr 18 16:58 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x  1 root root    1048 Jan  6 07:55 showdefaults
-rwxr-xr-x  1 root root    4748 Jan  6 07:55 showhostkey
-rwxr-xr-x  1 root root  244239 Jan  6 07:55 spi
-rwxr-xr-x  1 root root  124766 Jan  6 07:55 spigrp
-rwxr-xr-x  1 root root   20070 Jan  6 07:55 tncfg
-rwxr-xr-x  1 root root   10195 Jan  6 07:55 verify
-rwxr-xr-x  1 root root  105798 Jan  6 07:55 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1245978    1957    0    0    0     0          0        22   224518    1809    0    0    0     0       0          0
    lo:   39908     409    0    0    0     0          0         0    39908     409    0    0    0     0       0          0
dummy0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
vmnet1:       0     122    0    0    0     0          0         0        0     151    0    0    0     0       0          0
vmnet8:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface	Destination	Gateway 	Flags	RefCnt	Use	Metric	Mask		MTU	Window	IRTT                                                       
vmnet1	0006A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0                                                                             
eth0	0000A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0                                                                               
vmnet8	000200C0	00000000	0001	0	0	0	00FFFFFF	0	0	0                                                                             
eth0	0000FEA9	00000000	0001	0	0	0	0000FFFF	0	0	0                                                                               
eth0	00000000	0100A8C0	0003	0	0	0	00000000	0	0	0                                                                               
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter vmnet1/rp_filter vmnet8/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
lo/rp_filter:1
vmnet1/rp_filter:1
vmnet8/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux misfits.twoguys.org 2.6.9 #2 Mon Apr 18 17:59:57 EDT 2005 i686 i686 i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 2 (Tettnang)
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.9) support detected '
NETKEY (2.6.9) support detected 
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
iptables v1.2.9: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
iptables v1.2.9: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
iptables v1.2.9: can't initialize iptables table `mangle': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
xfrm_user 16260 0 - Live 0xf8862000
xfrm4_tunnel 3972 0 - Live 0xf8860000
af_key 31760 0 - Live 0xf8891000
vmnet 27676 16 - Live 0xf889a000
vmmon 104972 3 - Live 0xf8987000
nvidia 3918908 12 - Live 0xf8ceb000
deflate 3840 0 - Live 0xf8878000
zlib_deflate 21656 1 deflate, Live 0xf8882000
zlib_inflate 17664 1 deflate, Live 0xf887c000
des 11648 0 - Live 0xf8854000
md5 4096 0 - Live 0xf8873000
sha1 8832 0 - Live 0xf886f000
ipcomp 8200 0 - Live 0xf886b000
esp4 8448 0 - Live 0xf8867000
ah4 6912 0 - Live 0xf8858000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal:      1035136 kB
MemFree:         32580 kB
Buffers:         43292 kB
Cached:         759404 kB
SwapCached:          0 kB
Active:         691336 kB
Inactive:       235880 kB
HighTotal:      130240 kB
HighFree:          252 kB
LowTotal:       904896 kB
LowFree:         32328 kB
SwapTotal:      265064 kB
SwapFree:       265064 kB
Dirty:             520 kB
Writeback:           0 kB
Mapped:         570544 kB
Slab:            46684 kB
Committed_AS:   279268 kB
PageTables:       2584 kB
VmallocTotal:   114680 kB
VmallocUsed:     21752 kB
VmallocChunk:    89076 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_IP_MROUTE is not set
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
# CONFIG_IPV6 is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
*.debug                         /var/log/messages
*.debug                         /dev/console
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search twoguys.org
nameserver 207.69.188.185
nameserver 207.69.188.186
nameserver 207.69.188.187
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 36
drwxr-xr-x  4 root root 4096 Sep 17  2004 2.4.27
drwxr-xr-x  4 root root 4096 Oct 10  2004 2.6.5-1.358
drwxr-xr-x  4 root root 4096 Jan  2 11:30 2.6.9-1.6_FC2
drwxr-xr-x  4 root root 4096 Feb 26 13:23 2.6.9-1.11_FC2
drwxr-xr-x  3 root root 4096 Apr 18 16:13 2.6.10-1.770_FC3smp
drwxr-xr-x  3 root root 4096 Apr 18 16:13 2.6.10-1.770_FC3
drwxr-xr-x  5 root root 4096 Apr 18 16:13 2.6.10-1.771_FC2
drwxr-xr-x  3 root root 4096 Apr 18 17:47 2.6.7
drwxr-xr-x  4 root root 4096 Apr 18 19:44 2.6.9
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c02cbcb9 T netif_rx
c02cbcb9 U netif_rx	[vmnet]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.27: 
2.6.10-1.770_FC3: 
2.6.10-1.770_FC3smp: 
2.6.10-1.771_FC2: 
2.6.5-1.358: 
2.6.7: 
2.6.9: 
2.6.9-1.11_FC2: 
2.6.9-1.6_FC2: 
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '8264,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Apr 18 20:05:07 misfits ipsec_setup: Starting Openswan IPsec 2.3.0...
Apr 18 20:05:07 misfits ipsec_setup: insmod /lib/modules/2.6.9/kernel/net/key/af_key.ko 
Apr 18 20:05:07 misfits ipsec_setup: insmod /lib/modules/2.6.9/kernel/net/ipv4/xfrm4_tunnel.ko 
Apr 18 20:05:07 misfits ipsec_setup: insmod /lib/modules/2.6.9/kernel/net/xfrm/xfrm_user.ko 
Apr 18 20:05:07 misfits pluto[7644]: started helper pid=7645 (fd:6)
Apr 18 20:05:07 misfits pluto[7644]: Using Linux 2.6 IPsec interface code
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/aacerts'
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/crls'
Apr 18 20:05:07 misfits pluto[7644]:   Warning: empty directory
Apr 18 20:05:07 misfits pluto[7644]: added connection description "foo"
Apr 18 20:05:07 misfits pluto[7644]: listening for IKE messages
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet8/vmnet8 192.0.2.1
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet8/vmnet8 192.0.2.1:4500
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet1/vmnet1 192.168.6.1
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet1/vmnet1 192.168.6.1:4500
Apr 18 20:05:07 misfits pluto[7644]: adding interface lo/lo 127.0.0.1
Apr 18 20:05:07 misfits pluto[7644]: adding interface lo/lo 127.0.0.1:4500
Apr 18 20:05:07 misfits pluto[7644]: adding interface eth0/eth0 192.168.0.10
Apr 18 20:05:07 misfits pluto[7644]: adding interface eth0/eth0 192.168.0.10:4500
Apr 18 20:05:07 misfits pluto[7644]: loading secrets from "/etc/ipsec.secrets"
+ _________________________ plog
+ sed -n '8256,$p' /var/log/messages
+ egrep -i pluto
+ cat
Apr 18 20:05:07 misfits ipsec__plutorun: Starting Pluto subsystem...
Apr 18 20:05:07 misfits pluto[7644]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Apr 18 20:05:07 misfits pluto[7644]: Setting port floating to on
Apr 18 20:05:07 misfits pluto[7644]: port floating activate 1/1
Apr 18 20:05:07 misfits pluto[7644]:   including NAT-Traversal patch (Version 0.6c)
Apr 18 20:05:07 misfits pluto[7644]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 18 20:05:07 misfits pluto[7644]: starting up 1 cryptographic helpers
Apr 18 20:05:07 misfits pluto[7644]: started helper pid=7645 (fd:6)
Apr 18 20:05:07 misfits pluto[7644]: Using Linux 2.6 IPsec interface code
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/aacerts'
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/crls'
Apr 18 20:05:07 misfits pluto[7644]:   Warning: empty directory
Apr 18 20:05:07 misfits pluto[7644]: added connection description "foo"
Apr 18 20:05:07 misfits pluto[7644]: listening for IKE messages
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet8/vmnet8 192.0.2.1
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet8/vmnet8 192.0.2.1:4500
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet1/vmnet1 192.168.6.1
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet1/vmnet1 192.168.6.1:4500
Apr 18 20:05:07 misfits pluto[7644]: adding interface lo/lo 127.0.0.1
Apr 18 20:05:07 misfits pluto[7644]: adding interface lo/lo 127.0.0.1:4500
Apr 18 20:05:07 misfits pluto[7644]: adding interface eth0/eth0 192.168.0.10
Apr 18 20:05:07 misfits pluto[7644]: adding interface eth0/eth0 192.168.0.10:4500
Apr 18 20:05:07 misfits pluto[7644]: loading secrets from "/etc/ipsec.secrets"
+ _________________________ date
+ date
Mon Apr 18 20:05:29 EDT 2005

-- 
Greg Hankins <ghankins at mindspring.com>
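As an added example (not part of Greg's post or of Openswan), here is a decoder for the ISAKMP SA payload shown in the dump above: it rebuilds the 84-byte payload from the field values Wireshark printed (RFC 2408 layout, all attributes in TV form), parses it back, and flags transform #0, whose four algorithm attributes are all 65535. The tables of known attribute values are assumptions drawn from RFC 2409 and the capture, not from the Openswan source.

```python
"""Decode an ISAKMP (IKEv1 phase 1) Security Association payload (RFC 2408,
sections 3.4-3.6) and flag transforms whose attributes carry values no peer
can be expected to match.  Sample bytes are constructed from the field values
shown in the Wireshark dump, not captured from the wire."""
import struct

# Attribute classes inside a KEY_IKE transform (RFC 2409, Appendix A).
ATTR_NAMES = {1: "Encryption-Algorithm", 2: "Hash-Algorithm",
              3: "Authentication-Method", 4: "Group-Description",
              11: "Life-Type", 12: "Life-Duration"}

# Values this decoder recognises (assumed table): RFC 2409 assignments that
# also appear in the "ipsec auto --status" algorithm list, plus the XAUTH
# pre-shared method (65001) seen in the dump.  Life-Duration is free-form.
KNOWN_VALUES = {
    1: {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
    2: {1: "MD5", 2: "SHA1"},
    3: {1: "PreShared", 3: "RSASig", 65001: "XAUTHInitPreShared"},
    4: {1: "MODP768", 2: "MODP1024", 5: "MODP1536", 14: "MODP2048"},
    11: {1: "Seconds", 2: "Kilobytes"},
}

# The two transforms exactly as the dump showed them (constructed input).
CAPTURED_TRANSFORMS = [
    # Transform #0: every algorithm attribute is 65535 ("UNKNOWN-...").
    [(11, 1), (12, 3600), (1, 65535), (2, 65535), (3, 65535), (4, 65535)],
    # Transform #1: 3DES-CBC, MD5, XAUTHInitPreShared, 1536-bit MODP group.
    [(11, 1), (12, 3600), (1, 5), (2, 1), (3, 65001), (4, 5)],
]

def encode_tv_attr(atype, value):
    """TV-form attribute: type with the AF bit set, then a 16-bit value."""
    return struct.pack("!HH", 0x8000 | atype, value)

def build_transform(number, attrs, last):
    """Transform payload: generic header, transform #, ID 1 (KEY_IKE), RESERVED2."""
    body = b"".join(encode_tv_attr(t, v) for t, v in attrs)
    next_payload = 0 if last else 3            # NONE or another Transform
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(body), number, 1, 0) + body

def build_sa_payload(transforms):
    """SA payload (next = Vendor ID 13, DOI IPSEC 1, SIT_IDENTITY_ONLY 1) holding
    one proposal (number 0, protocol ISAKMP 1, SPI size 0) with the transforms."""
    tbytes = b"".join(build_transform(i, a, i == len(transforms) - 1)
                      for i, a in enumerate(transforms))
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(tbytes), 0, 1, 0,
                           len(transforms)) + tbytes
    return struct.pack("!BBHII", 13, 0, 12 + len(proposal), 1, 1) + proposal

def parse_attributes(buf):
    """Walk TV (AF bit set) and TLV attributes; return {type: value}."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        raw_type, second = struct.unpack_from("!HH", buf, off)
        atype = raw_type & 0x7FFF
        if raw_type & 0x8000:                  # TV: 'second' is the value
            attrs[atype] = second
            off += 4
        else:                                  # TLV: 'second' is a byte length
            attrs[atype] = int.from_bytes(buf[off + 4:off + 4 + second], "big")
            off += 4 + second
    return attrs

def parse_sa_payload(data):
    """Decode one SA payload carrying a single proposal into a plain dict."""
    next_payload, _, length, doi, situation = struct.unpack_from("!BBHII", data, 0)
    if length != len(data):
        raise ValueError("SA payload length %d != %d bytes given" % (length, len(data)))
    _, _, plen, pnum, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, 12)
    off, end, transforms = 20 + spi_size, 12 + plen, []
    while off < end:
        _, _, tlen, tnum, tid, _ = struct.unpack_from("!BBHBBH", data, off)
        if tlen < 8 or off + tlen > end:       # refuse to loop on a bad length
            raise ValueError("bad transform length %d at offset %d" % (tlen, off))
        transforms.append({"number": tnum, "id": tid, "length": tlen,
                           "attrs": parse_attributes(data[off + 8:off + tlen])})
        off += tlen
    if len(transforms) != ntrans:
        raise ValueError("proposal announces %d transforms, found %d"
                         % (ntrans, len(transforms)))
    return {"next_payload": next_payload, "length": length, "doi": doi,
            "situation": situation, "proposal_length": plen,
            "proposal": pnum, "protocol": proto, "transforms": transforms}

def unknown_attributes(transform):
    """(attribute name, value) pairs whose value matches no recognised ID."""
    return [(ATTR_NAMES[t], v) for t, v in transform["attrs"].items()
            if t in KNOWN_VALUES and v not in KNOWN_VALUES[t]]

def audit(data):
    """Per transform: (transform number, list of unrecognised attributes)."""
    return [(t["number"], unknown_attributes(t))
            for t in parse_sa_payload(data)["transforms"]]

if __name__ == "__main__":
    sa = build_sa_payload(CAPTURED_TRANSFORMS)
    print("SA payload: %d bytes (dump said 84)" % len(sa))
    for number, bad in audit(sa):
        verdict = "ok" if not bad else ", ".join("%s=%d" % b for b in bad)
        print("transform #%d: %s" % (number, verdict))
```

A responder that walks the proposal in order sees transform #0 first and has nothing to match, so flagging it in a decoder like this is a quicker check than waiting for the peer's NO_PROPOSAL_CHOSEN.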

