[Openswan Users] IKE problems: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Greg Hankins
ghankins at mindspring.com
Mon Apr 18 21:19:31 CEST 2005
Hello, I'm trying to establish a tunnel with a Fortinet server that is
maintained by our IT department (i.e., I don't have an administrative login).
I'm using openswan-2.3.0-1 on FC2. They told me to use 3des-sha1 and
3des-md5, DH group 5 for IKE.
So I configured this, which I think is MD5 DH group 5 (MODP 1536):
conn foo
left=192.168.0.10
leftid=@foo.bar.com
leftxauthclient=yes
right=xxx.xx.xx.xxx
rightsubnet=192.168.1.0/24 # corporate private network
rightxauthserver=yes
authby=secret
auto=add
ike=3des-md5-modp1536
However, I keep getting this error:
Apr 18 19:59:24 misfits pluto[6848]: packet from xxx.xx.xx.xxx:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
And sure enough, if I look on the wire there doesn't seem to be valid
information in what is being sent:
[...]
Security Association payload
Next payload: Vendor ID (13)
Length: 84
Domain of interpretation: IPSEC (1)
Situation: IDENTITY (1)
Proposal payload # 0
Next payload: NONE (0)
Length: 72
Proposal number: 0
Protocol ID: ISAKMP (1)
SPI size: 0
Number of transforms: 2
Transform payload # 0
Next payload: Transform (3)
Length: 32
Transform number: 0
Transform ID: KEY_IKE (1)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (3600)
==============> Encryption-Algorithm (1): UNKNOWN-ENCRYPTION-ALG (65535)
==============> Hash-Algorithm (2): UNKNOWN-HASH-ALG (65535)
==============> Authentication-Method (3): UNKNOWN-AUTH-METHOD (65535)
==============> Group-Description (4): UNKNOWN-GROUP-DESCRIPTION (65535)
Transform payload # 1
Next payload: NONE (0)
Length: 32
Transform number: 1
Transform ID: KEY_IKE (1)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (3600)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): MD5 (1)
Authentication-Method (3): XAUTHInitPreShared (65001)
Group-Description (4): 1536 bit MODP group (5)
[...]
I also see this in the output of "ipsec auto --status"; does this mean
anything, since they don't match?
000 "foo": IKE algorithms wanted: 5_000-1-5, flags=-strict
000 "foo": IKE algorithms found: 5_192-1_128-5,
Full output of barf is below.
Thanks for any ideas,
Greg
misfits.twoguys.org
Mon Apr 18 20:05:14 EDT 2005
+ _________________________ version
+ ipsec --version
Linux Openswan U2.3.0/K2.6.9 (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.9 (root at misfits.twoguys.org) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #2 Mon Apr 18 17:59:57 EDT 2005
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -100
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.6.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet8
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
(per-socket policy)
in none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1347 seq=15 pid=7785
refcnt=1
(per-socket policy)
in none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1331 seq=14 pid=7785
refcnt=1
(per-socket policy)
in none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1315 seq=13 pid=7785
refcnt=1
(per-socket policy)
in none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1299 seq=12 pid=7785
refcnt=1
(per-socket policy)
in none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1283 seq=11 pid=7785
refcnt=1
(per-socket policy)
in none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1267 seq=10 pid=7785
refcnt=1
(per-socket policy)
in none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1251 seq=9 pid=7785
refcnt=1
(per-socket policy)
in none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1235 seq=8 pid=7785
refcnt=1
(per-socket policy)
out none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1356 seq=7 pid=7785
refcnt=1
(per-socket policy)
out none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1340 seq=6 pid=7785
refcnt=1
(per-socket policy)
out none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1324 seq=5 pid=7785
refcnt=1
(per-socket policy)
out none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1308 seq=4 pid=7785
refcnt=1
(per-socket policy)
out none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1292 seq=3 pid=7785
refcnt=1
(per-socket policy)
out none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1276 seq=2 pid=7785
refcnt=1
(per-socket policy)
out none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1260 seq=1 pid=7785
refcnt=1
(per-socket policy)
out none
created: Apr 18 20:05:07 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1244 seq=0 pid=7785
refcnt=1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface eth0/eth0 192.168.0.10
000 interface eth0/eth0 192.168.0.10
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface vmnet1/vmnet1 192.168.6.1
000 interface vmnet1/vmnet1 192.168.6.1
000 interface vmnet8/vmnet8 192.0.2.1
000 interface vmnet8/vmnet8 192.0.2.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "foo": 192.168.0.10[@foo.bar.com,XC+S=C]...xxx.xx.xx.xxx[XS+S=C]===192.168.1.0/24; unrouted; eroute owner: #0
000 "foo": srcip=unset; dstip=unset
000 "foo": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "foo": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 32,24; interface: eth0;
000 "foo": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "foo": IKE algorithms wanted: 5_000-1-5, flags=-strict
000 "foo": IKE algorithms found: 5_192-1_128-5,
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
dummy0 Link encap:Ethernet HWaddr EA:CD:FD:51:B4:23
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth0 Link encap:Ethernet HWaddr 00:0C:6E:59:47:2B
inet addr:192.168.0.10 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1940 errors:0 dropped:0 overruns:0 frame:0
TX packets:1783 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1234221 (1.1 Mb) TX bytes:220986 (215.8 Kb)
Interrupt:5 Memory:feafc000-0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:409 errors:0 dropped:0 overruns:0 frame:0
TX packets:409 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:39908 (38.9 Kb) TX bytes:39908 (38.9 Kb)
vmnet1 Link encap:Ethernet HWaddr 00:50:56:C0:00:01
inet addr:192.168.6.1 Bcast:192.168.6.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:122 errors:0 dropped:0 overruns:0 frame:0
TX packets:151 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
vmnet8 Link encap:Ethernet HWaddr 00:50:56:C0:00:08
inet addr:192.0.2.1 Bcast:192.0.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ip-addr-list
+ ip addr list
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:6e:59:47:2b brd ff:ff:ff:ff:ff:ff
inet 192.168.0.10/24 brd 192.168.0.255 scope global eth0
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether ea:cd:fd:51:b4:23 brd ff:ff:ff:ff:ff:ff
6: vmnet1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.6.1/24 brd 192.168.6.255 scope global vmnet1
7: vmnet8: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
inet 192.0.2.1/24 brd 192.0.2.255 scope global vmnet8
+ _________________________ ip-route-list
+ ip route list
192.168.6.0/24 dev vmnet1 proto kernel scope link src 192.168.6.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
192.0.2.0/24 dev vmnet8 proto kernel scope link src 192.0.2.1
169.254.0.0/16 dev eth0 scope link
default via 192.168.0.1 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
RTNETLINK answers: Invalid argument
Dump terminated
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.3.0/K2.6.9 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: misfits.twoguys.org [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 1.2.0.192.in-addr.arpa. [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
SIOCGMIIPHY on 'eth0' failed: Bad address
no MII interfaces found
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
misfits.twoguys.org
+ _________________________ hostname/ipaddress
+ hostname --ip-address
192.168.0.10
+ _________________________ uptime
+ uptime
20:05:28 up 2:01, 6 users, load average: 0.06, 0.11, 0.14
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 7760 3106 17 0 4304 1044 - R pts/4 0:00 \_ /bin/sh /usr/libexec/ipsec/barf
5 0 7642 1 22 0 2012 836 wait S pts/4 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
5 0 7643 7642 22 0 2012 848 wait S pts/4 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 7644 7643 16 0 2308 1032 - S pts/4 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --uniqueids --nat_traversal
1 0 7645 7644 30 10 2308 760 - SN pts/4 0:00 | \_ pluto helper # 0
4 0 7731 7644 22 0 1328 256 - S pts/4 0:00 | \_ _pluto_adns
4 0 7646 7642 21 0 2012 828 pipe_w S pts/4 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
4 0 7647 1 22 0 1388 308 pipe_w S pts/4 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=192.168.0.10
routenexthop=192.168.0.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=all
#plutodebug=all
nat_traversal=yes
# interfaces="ipsec0=eth0"
# Add connections here
conn foo
left=192.168.0.10
leftid=@foo.bar.com
leftxauthclient=yes
right=xxx.xx.xx.xxx
rightsubnet=192.168.1.0/24 # corporate private network
rightxauthserver=yes
authby=secret
auto=add
ike=3des-md5-modp1536
# ike=3des-md5-modp1536,3des-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024
# IKE (RFC 2409)
# DH Group 1 (MODP 768)
# DH Group 2 (MODP 1024)
# DH Group 5 (MODP 1536)
# spi=0x200
# esp=3des-sha1
# espenckey=[sums to b849...]
# espauthkey=[sums to b37e...]
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits misfits.twoguys.org Mon Apr 18 14:33:55 2005
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQN2ok16B]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
@foo.bar.com xxx.xx.xx.xxx : PSK "[sums to bc0a...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
192.168.6.0/24
192.0.2.0/24
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
10.0.0.0/8
172.16.0.0/12
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
#0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 108
-rwxr-xr-x 1 root root 15468 Jan 6 07:55 _confread
-rwxr-xr-x 1 root root 12460 Jan 6 07:55 _copyright
-rwxr-xr-x 1 root root 2379 Jan 6 07:55 _include
-rwxr-xr-x 1 root root 1475 Jan 6 07:55 _keycensor
-rwxr-xr-x 1 root root 3586 Jan 6 07:55 _plutoload
-rwxr-xr-x 1 root root 7295 Jan 6 07:55 _plutorun
-rwxr-xr-x 1 root root 11409 Jan 6 07:55 _realsetup
-rwxr-xr-x 1 root root 1975 Jan 6 07:55 _secretcensor
-rwxr-xr-x 1 root root 9385 Jan 6 07:55 _startklips
-rwxr-xr-x 1 root root 12329 Jan 6 07:55 _updown
-rwxr-xr-x 1 root root 7572 Jan 6 07:55 _updown_x509
-rwxr-xr-x 1 root root 1942 Jan 6 07:55 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 2540
-rwxr-xr-x 1 root root 22542 Jan 6 07:55 _pluto_adns
-rwxr-xr-x 1 root root 18840 Jan 6 07:55 auto
-rwxr-xr-x 1 root root 10585 Jan 6 07:55 barf
-rwxr-xr-x 1 root root 816 Jan 6 07:55 calcgoo
-rwxr-xr-x 1 root root 153084 Jan 6 07:55 eroute
-rwxr-xr-x 1 root root 46092 Jan 6 07:55 ikeping
-rwxr-xr-x 1 root root 100793 Jan 6 07:55 klipsdebug
-rwxr-xr-x 1 root root 1664 Jan 6 07:55 livetest
-rwxr-xr-x 1 root root 2461 Jan 6 07:55 look
-rwxr-xr-x 1 root root 7124 Jan 6 07:55 mailkey
-rwxr-xr-x 1 root root 15931 Jan 6 07:55 manual
-rwxr-xr-x 1 root root 1874 Jan 6 07:55 newhostkey
-rwxr-xr-x 1 root root 88704 Jan 6 07:55 pf_key
-rwxr-xr-x 1 root root 1464734 Jan 6 07:55 pluto
-rwxr-xr-x 1 root root 17346 Jan 6 07:55 ranbits
-rwxr-xr-x 1 root root 37524 Jan 6 07:55 rsasigkey
-rwxr-xr-x 1 root root 766 Jan 6 07:55 secrets
-rwxr-xr-x 1 root root 17578 Jan 6 07:55 send-pr
lrwxrwxrwx 1 root root 22 Apr 18 16:58 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Jan 6 07:55 showdefaults
-rwxr-xr-x 1 root root 4748 Jan 6 07:55 showhostkey
-rwxr-xr-x 1 root root 244239 Jan 6 07:55 spi
-rwxr-xr-x 1 root root 124766 Jan 6 07:55 spigrp
-rwxr-xr-x 1 root root 20070 Jan 6 07:55 tncfg
-rwxr-xr-x 1 root root 10195 Jan 6 07:55 verify
-rwxr-xr-x 1 root root 105798 Jan 6 07:55 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
eth0: 1245978 1957 0 0 0 0 0 22 224518 1809 0 0 0 0 0 0
lo: 39908 409 0 0 0 0 0 0 39908 409 0 0 0 0 0 0
dummy0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
vmnet1: 0 122 0 0 0 0 0 0 0 151 0 0 0 0 0 0
vmnet8: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
vmnet1 0006A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 0000A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
vmnet8 000200C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0
eth0 00000000 0100A8C0 0003 0 0 0 00000000 0 0 0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter vmnet1/rp_filter vmnet8/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
lo/rp_filter:1
vmnet1/rp_filter:1
vmnet8/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux misfits.twoguys.org 2.6.9 #2 Mon Apr 18 17:59:57 EDT 2005 i686 i686 i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 2 (Tettnang)
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.9) support detected '
NETKEY (2.6.9) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
iptables v1.2.9: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
iptables v1.2.9: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
iptables v1.2.9: can't initialize iptables table `mangle': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
xfrm_user 16260 0 - Live 0xf8862000
xfrm4_tunnel 3972 0 - Live 0xf8860000
af_key 31760 0 - Live 0xf8891000
vmnet 27676 16 - Live 0xf889a000
vmmon 104972 3 - Live 0xf8987000
nvidia 3918908 12 - Live 0xf8ceb000
deflate 3840 0 - Live 0xf8878000
zlib_deflate 21656 1 deflate, Live 0xf8882000
zlib_inflate 17664 1 deflate, Live 0xf887c000
des 11648 0 - Live 0xf8854000
md5 4096 0 - Live 0xf8873000
sha1 8832 0 - Live 0xf886f000
ipcomp 8200 0 - Live 0xf886b000
esp4 8448 0 - Live 0xf8867000
ah4 6912 0 - Live 0xf8858000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 1035136 kB
MemFree: 32580 kB
Buffers: 43292 kB
Cached: 759404 kB
SwapCached: 0 kB
Active: 691336 kB
Inactive: 235880 kB
HighTotal: 130240 kB
HighFree: 252 kB
LowTotal: 904896 kB
LowFree: 32328 kB
SwapTotal: 265064 kB
SwapFree: 265064 kB
Dirty: 520 kB
Writeback: 0 kB
Mapped: 570544 kB
Slab: 46684 kB
Committed_AS: 279268 kB
PageTables: 2584 kB
VmallocTotal: 114680 kB
VmallocUsed: 21752 kB
VmallocChunk: 89076 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_IP_MROUTE is not set
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
# CONFIG_IPV6 is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
*.debug /var/log/messages
*.debug /dev/console
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search twoguys.org
nameserver 207.69.188.185
nameserver 207.69.188.186
nameserver 207.69.188.187
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 36
drwxr-xr-x 4 root root 4096 Sep 17 2004 2.4.27
drwxr-xr-x 4 root root 4096 Oct 10 2004 2.6.5-1.358
drwxr-xr-x 4 root root 4096 Jan 2 11:30 2.6.9-1.6_FC2
drwxr-xr-x 4 root root 4096 Feb 26 13:23 2.6.9-1.11_FC2
drwxr-xr-x 3 root root 4096 Apr 18 16:13 2.6.10-1.770_FC3smp
drwxr-xr-x 3 root root 4096 Apr 18 16:13 2.6.10-1.770_FC3
drwxr-xr-x 5 root root 4096 Apr 18 16:13 2.6.10-1.771_FC2
drwxr-xr-x 3 root root 4096 Apr 18 17:47 2.6.7
drwxr-xr-x 4 root root 4096 Apr 18 19:44 2.6.9
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c02cbcb9 T netif_rx
c02cbcb9 U netif_rx [vmnet]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.27:
2.6.10-1.770_FC3:
2.6.10-1.770_FC3smp:
2.6.10-1.771_FC2:
2.6.5-1.358:
2.6.7:
2.6.9:
2.6.9-1.11_FC2:
2.6.9-1.6_FC2:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '8264,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Apr 18 20:05:07 misfits ipsec_setup: Starting Openswan IPsec 2.3.0...
Apr 18 20:05:07 misfits ipsec_setup: insmod /lib/modules/2.6.9/kernel/net/key/af_key.ko
Apr 18 20:05:07 misfits ipsec_setup: insmod /lib/modules/2.6.9/kernel/net/ipv4/xfrm4_tunnel.ko
Apr 18 20:05:07 misfits ipsec_setup: insmod /lib/modules/2.6.9/kernel/net/xfrm/xfrm_user.ko
Apr 18 20:05:07 misfits pluto[7644]: started helper pid=7645 (fd:6)
Apr 18 20:05:07 misfits pluto[7644]: Using Linux 2.6 IPsec interface code
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/aacerts'
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/crls'
Apr 18 20:05:07 misfits pluto[7644]: Warning: empty directory
Apr 18 20:05:07 misfits pluto[7644]: added connection description "foo"
Apr 18 20:05:07 misfits pluto[7644]: listening for IKE messages
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet8/vmnet8 192.0.2.1
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet8/vmnet8 192.0.2.1:4500
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet1/vmnet1 192.168.6.1
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet1/vmnet1 192.168.6.1:4500
Apr 18 20:05:07 misfits pluto[7644]: adding interface lo/lo 127.0.0.1
Apr 18 20:05:07 misfits pluto[7644]: adding interface lo/lo 127.0.0.1:4500
Apr 18 20:05:07 misfits pluto[7644]: adding interface eth0/eth0 192.168.0.10
Apr 18 20:05:07 misfits pluto[7644]: adding interface eth0/eth0 192.168.0.10:4500
Apr 18 20:05:07 misfits pluto[7644]: loading secrets from "/etc/ipsec.secrets"
+ _________________________ plog
+ sed -n '8256,$p' /var/log/messages
+ egrep -i pluto
+ cat
Apr 18 20:05:07 misfits ipsec__plutorun: Starting Pluto subsystem...
Apr 18 20:05:07 misfits pluto[7644]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Apr 18 20:05:07 misfits pluto[7644]: Setting port floating to on
Apr 18 20:05:07 misfits pluto[7644]: port floating activate 1/1
Apr 18 20:05:07 misfits pluto[7644]: including NAT-Traversal patch (Version 0.6c)
Apr 18 20:05:07 misfits pluto[7644]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 18 20:05:07 misfits pluto[7644]: starting up 1 cryptographic helpers
Apr 18 20:05:07 misfits pluto[7644]: started helper pid=7645 (fd:6)
Apr 18 20:05:07 misfits pluto[7644]: Using Linux 2.6 IPsec interface code
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/aacerts'
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr 18 20:05:07 misfits pluto[7644]: Changing to directory '/etc/ipsec.d/crls'
Apr 18 20:05:07 misfits pluto[7644]: Warning: empty directory
Apr 18 20:05:07 misfits pluto[7644]: added connection description "foo"
Apr 18 20:05:07 misfits pluto[7644]: listening for IKE messages
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet8/vmnet8 192.0.2.1
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet8/vmnet8 192.0.2.1:4500
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet1/vmnet1 192.168.6.1
Apr 18 20:05:07 misfits pluto[7644]: adding interface vmnet1/vmnet1 192.168.6.1:4500
Apr 18 20:05:07 misfits pluto[7644]: adding interface lo/lo 127.0.0.1
Apr 18 20:05:07 misfits pluto[7644]: adding interface lo/lo 127.0.0.1:4500
Apr 18 20:05:07 misfits pluto[7644]: adding interface eth0/eth0 192.168.0.10
Apr 18 20:05:07 misfits pluto[7644]: adding interface eth0/eth0 192.168.0.10:4500
Apr 18 20:05:07 misfits pluto[7644]: loading secrets from "/etc/ipsec.secrets"
+ _________________________ date
+ date
Mon Apr 18 20:05:29 EDT 2005
--
Greg Hankins <ghankins at mindspring.com>
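Added example (my own, not from the post and not Openswan/pluto code): a small Python encoder, decoder and linter for the ISAKMP SA payload that the wire trace above shows, laid out per RFC 2408 (generic header, SA, Proposal and Transform payloads, basic data attributes) with the IKE attribute numbers from RFC 2409 Appendix A. It reconstructs the two-transform proposal from the trace as constructed bytes (the 84/72/32 byte payload lengths come out the same as in the capture), parses it back, and checks every transform against a table of assigned values, so a transform whose Encryption/Hash/Authentication/Group attributes are all 65535 is reported before it is ever sent. A helper also turns an ike= style string such as 3des-md5-modp1536 into transforms, to show what that config line should put on the wire. The ike= token spelling, the value table (a subset of the registry) and the constructed payload bytes are assumptions of the example; 65001 is the XAUTHInitPreShared value the trace itself labels.

```python
"""Encode, decode and lint an IKEv1 (ISAKMP) SA payload.
Layout per RFC 2408 s3.4-3.6, attribute numbers per RFC 2409 Appendix A.
Added example; not Openswan/pluto code."""
import struct

NP_NONE, NP_TRANSFORM, NP_VID = 0, 3, 13          # next-payload types
PROTO_ISAKMP, XFRM_KEY_IKE, DOI_IPSEC, SIT_IDENTITY = 1, 1, 1, 1
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR = 1, 2, 3, 4, 11, 12

# Subset of the assigned values. 65001 (XAUTHInitPreShared) comes from the XAUTH
# draft and is the value the trace in the post shows in its second transform.
KNOWN = {
    ATTR_ENC:   {5: "3DES-CBC", 7: "AES-CBC"},
    ATTR_HASH:  {1: "MD5", 2: "SHA1"},
    ATTR_AUTH:  {1: "PreShared", 3: "RSASig", 65001: "XAUTHInitPreShared"},
    ATTR_GROUP: {2: "MODP1024", 5: "MODP1536", 14: "MODP2048"},
}
# ike= tokens -> attribute (assumed spelling, modelled on the post's config line).
IKE_TOKENS = {"3des": (ATTR_ENC, 5), "aes": (ATTR_ENC, 7),
              "md5": (ATTR_HASH, 1), "sha": (ATTR_HASH, 2), "sha1": (ATTR_HASH, 2),
              "modp1024": (ATTR_GROUP, 2), "modp1536": (ATTR_GROUP, 5),
              "modp2048": (ATTR_GROUP, 14)}

def basic_attr(atype, value):
    """Data attribute with AF=1: 2-byte type (top bit set) then a 2-byte value."""
    return struct.pack("!HH", 0x8000 | atype, value)

def transform(num, attrs, last):
    body = struct.pack("!BBH", num, XFRM_KEY_IKE, 0) + b"".join(basic_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", NP_NONE if last else NP_TRANSFORM, 0, 4 + len(body)) + body

def proposal(transforms):
    body = struct.pack("!BBBB", 0, PROTO_ISAKMP, 0, len(transforms)) + b"".join(transforms)
    return struct.pack("!BBH", NP_NONE, 0, 4 + len(body)) + body

def sa_payload(proposals, next_payload=NP_VID):
    body = struct.pack("!II", DOI_IPSEC, SIT_IDENTITY) + b"".join(proposals)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def transforms_from_ike(spec, auth=65001, life=3600):
    """'3des-md5-modp1536,3des-sha1-modp1024' -> one transform per comma-separated entry."""
    entries = [e.strip().lower() for e in spec.split(",") if e.strip()]
    out = []
    for i, entry in enumerate(entries):
        attrs = [(ATTR_LIFE_TYPE, 1), (ATTR_LIFE_DUR, life)]
        for tok in entry.split("-"):
            if tok not in IKE_TOKENS:
                raise ValueError(f"unknown ike= token {tok!r}")
            attrs.append(IKE_TOKENS[tok])
        attrs.append((ATTR_AUTH, auth))
        out.append(transform(i, attrs, last=(i == len(entries) - 1)))
    return out

def parse_attrs(data):
    attrs, off = {}, 0
    while off < len(data):
        raw_type, val = struct.unpack_from("!HH", data, off)
        atype = raw_type & 0x7FFF
        if raw_type & 0x8000:                     # basic attribute: value inline
            attrs[atype], off = val, off + 4
        else:                                     # variable attribute: val is a byte length
            attrs[atype] = int.from_bytes(data[off + 4:off + 4 + val], "big")
            off += 4 + val
    return attrs

def parse_sa(data):
    """Decode an SA payload into nested dicts (lengths kept so they can be compared with a trace)."""
    _, _, length = struct.unpack_from("!BBH", data, 0)
    doi, sit = struct.unpack_from("!II", data, 4)
    proposals, off = [], 12
    while off < length:
        _, _, plen = struct.unpack_from("!BBH", data, off)
        pnum, proto, spisz, ntrans = struct.unpack_from("!BBBB", data, off + 4)
        transforms, toff = [], off + 8 + spisz
        for _ in range(ntrans):
            _, _, tlen = struct.unpack_from("!BBH", data, toff)
            tnum, tid = struct.unpack_from("!BB", data, toff + 4)
            transforms.append({"num": tnum, "id": tid, "len": tlen,
                               "attrs": parse_attrs(data[toff + 8:toff + tlen])})
            toff += tlen
        proposals.append({"num": pnum, "proto": proto, "len": plen, "transforms": transforms})
        off += plen
    return {"len": length, "doi": doi, "situation": sit, "proposals": proposals}

def lint(sa):
    """Report every algorithm attribute that is missing or outside the assigned-value table."""
    problems = []
    for p in sa["proposals"]:
        for t in p["transforms"]:
            for atype, table in KNOWN.items():
                v = t["attrs"].get(atype)
                if v is None:
                    problems.append(f"proposal {p['num']} transform {t['num']}: attribute {atype} missing")
                elif v not in table:
                    problems.append(f"proposal {p['num']} transform {t['num']}: attribute {atype} = {v} (UNKNOWN)")
    return problems

# Constructed reconstruction of the SA payload in the post's wire trace: a first
# transform with all four algorithm attributes set to 65535, then the intended one.
LIFE = [(ATTR_LIFE_TYPE, 1), (ATTR_LIFE_DUR, 3600)]
BOGUS = transform(0, LIFE + [(ATTR_ENC, 0xFFFF), (ATTR_HASH, 0xFFFF),
                             (ATTR_AUTH, 0xFFFF), (ATTR_GROUP, 0xFFFF)], last=False)
INTENDED = transform(1, LIFE + [(ATTR_ENC, 5), (ATTR_HASH, 1),
                                (ATTR_AUTH, 65001), (ATTR_GROUP, 5)], last=True)
CAPTURE = sa_payload([proposal([BOGUS, INTENDED])])
# What ike=3des-md5-modp1536 alone should produce: a single clean transform.
CLEAN = sa_payload([proposal(transforms_from_ike("3des-md5-modp1536"))])

if __name__ == "__main__":
    for name, blob in (("capture", CAPTURE), ("clean", CLEAN)):
        sa = parse_sa(blob)
        print(name, "SA len", sa["len"], "proposal len", sa["proposals"][0]["len"],
              "problems:", lint(sa) or "none")
```

To use it on a live initiator, feed parse_sa() the SA payload bytes cut from a packet capture of the first Main Mode message; any transform the linter flags carries values that no responder's allowed list will match, which is worth ruling out on your own side before asking the far end's administrators what their box is rejecting.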