[Openswan Users] Netopia R5100 / OpenSwan
Sumit Khanna
sk1 at tigertranz.net
Wed Dec 14 13:42:28 CET 2005
Well I'm still stuck trying to get this Netopia R5100 to interpolate
with openSwan. I've included my openswan barf output. Any help is
appericated.
Netopia R5100 (firmware 4.11.3) Settings:
Mode: Main (choices are main and aggressive)
Authentication Method: Shared Secret (this is the only option on this
Netopia)
Shared Secrete: **my password**
encryption algrothim: 3des (choices are des and 3des)
Hash algrothim: md5 (choices are md5/sha1)
Diffie-Helman: Group 2 (1024 bits)
Advanced IKE1 options:
Neogation: Normal (options initiate only/respond only)
SA Use policy: Newest SA immediately (options Old SA until expired)
Allow Dangling Phase 2 SA: Yes
Phase 1 SA lifetime in seconds: 3600
Phase 1 SA lifetime in kb: 0
Send Initial Contact Message: yes
Include Vendor ID payload: yes
Independent Phase-2 Re-keys: yes
Strict Port Policy: no
The Phase-2 profile looks like this:
Encapsulation Type: IPSec (options are PPP/HDLC/Frame Relay, etc)
Key Management: IKE (options IKE/Manual)
Encapsulation: ESP (options are ESP, AH ESP+AH)
ESP Encryption Transform: 3DES
ESP Authentication Transform: HMAC-MD5-96
SA Lifetime seconds: 28800
SA Lifetime kb: 0
Perfect Forward Secrecy: Yes
Dead Peer Detection: No
ipsec barf is attached
--
Sumit
-------------- next part --------------
bebop
Tue Dec 13 09:07:46 EST 2005
+ _________________________ version
+ ipsec --version
Linux Openswan U2.4.4/K2.6.14-gentoo-r2 (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.14-gentoo-r2 (root at bebop) (gcc version 3.3.6 (Gentoo 3.3.6, ssp-3.3.6-1.0, pie-8.7.8)) #3 Fri Dec 9 15:39:16 EST 2005
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.1.1.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.99.0 10.1.1.9 255.255.255.0 UG 0 0 0 tun0
192.168.12.0 68.60.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.42.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.1.0 10.1.1.9 255.255.255.0 UG 0 0 0 tun0
68.60.0.0 0.0.0.0 255.255.252.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 68.60.0.1 0.0.0.0 UG 0 0 0 eth1
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
192.168.42.0/24[any] 192.168.12.0/24[any] any
out prio high + 1073739480 ipsec
esp/transport//require
created: Dec 13 09:07:22 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=785 seq=8 pid=15634
refcnt=1
(per-socket policy)
in none
created: Dec 13 09:07:22 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=771 seq=7 pid=15634
refcnt=1
(per-socket policy)
in none
created: Dec 13 09:07:22 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=755 seq=6 pid=15634
refcnt=1
(per-socket policy)
in none
created: Dec 13 09:07:22 2005 lastused: Dec 13 09:07:44 2005
lifetime: 0(s) validtime: 0(s)
spid=739 seq=5 pid=15634
refcnt=1
(per-socket policy)
in none
created: Dec 13 09:07:22 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=723 seq=4 pid=15634
refcnt=1
(per-socket policy)
out none
created: Dec 13 09:07:22 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=780 seq=3 pid=15634
refcnt=1
(per-socket policy)
out none
created: Dec 13 09:07:22 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=764 seq=2 pid=15634
refcnt=1
(per-socket policy)
out none
created: Dec 13 09:07:22 2005 lastused: Dec 13 09:07:33 2005
lifetime: 0(s) validtime: 0(s)
spid=748 seq=1 pid=15634
refcnt=1
(per-socket policy)
out none
created: Dec 13 09:07:22 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=732 seq=0 pid=15634
refcnt=1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface eth0/eth0 192.168.42.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 68.60.0.8
000 interface tun0/tun0 10.1.1.10
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} trans={0,1,108} attrs={0,1,72}
000
000 "tigertranz": 192.168.42.0/24===68.60.0.8---68.60.0.1...68.60.0.1---66.18.43.61===192.168.12.0/24; prospective erouted; eroute owner: #0
000 "tigertranz": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "tigertranz": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "tigertranz": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "tigertranz": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "tigertranz": ESP algorithms wanted: 3_000-1, flags=-strict
000 "tigertranz": ESP algorithms loaded: 3_000-1, flags=-strict
000
000 #1: "tigertranz":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 7s; nodpd
000 #1: pending Phase 2 for "tigertranz" replacing #0
000
+ _________________________ ifconfig-a
+ ifconfig -a
dummy0 Link encap:Ethernet HWaddr 86:41:37:60:18:98
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth0 Link encap:Ethernet HWaddr 00:60:08:D0:7A:E4
inet addr:192.168.42.1 Bcast:192.168.42.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10558201 errors:0 dropped:0 overruns:0 frame:0
TX packets:8907621 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4008417507 (3822.7 Mb) TX bytes:3861588539 (3682.6 Mb)
Interrupt:9 Base address:0xfcc0
eth1 Link encap:Ethernet HWaddr 00:04:5A:76:9E:75
inet addr:68.60.0.8 Bcast:255.255.255.255 Mask:255.255.252.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10800382 errors:1 dropped:0 overruns:0 frame:1
TX packets:9998778 errors:22 dropped:0 overruns:0 carrier:22
collisions:0 txqueuelen:1000
RX bytes:3315216025 (3161.6 Mb) TX bytes:3779291210 (3604.2 Mb)
Interrupt:10 Base address:0xac00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:51630 errors:0 dropped:0 overruns:0 frame:0
TX packets:51630 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8917816 (8.5 Mb) TX bytes:8917816 (8.5 Mb)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.1.1.10 P-t-P:10.1.1.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:36023 errors:0 dropped:0 overruns:0 frame:0
TX packets:35325 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:7784172 (7.4 Mb) TX bytes:1888462 (1.8 Mb)
+ _________________________ ip-addr-list
+ ip addr list
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:60:08:d0:7a:e4 brd ff:ff:ff:ff:ff:ff
inet 192.168.42.1/24 brd 192.168.42.255 scope global eth0
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether 86:41:37:60:18:98 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:04:5a:76:9e:75 brd ff:ff:ff:ff:ff:ff
inet 68.60.0.8/22 brd 255.255.255.255 scope global eth1
68: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 10.1.1.10 peer 10.1.1.9/32 scope global tun0
+ _________________________ ip-route-list
+ ip route list
10.1.1.9 dev tun0 proto kernel scope link src 10.1.1.10
192.168.99.0/24 via 10.1.1.9 dev tun0
192.168.12.0/24 via 68.60.0.1 dev eth1
192.168.42.0/24 dev eth0 proto kernel scope link src 192.168.42.1
10.1.1.0/24 via 10.1.1.9 dev tun0
68.60.0.0/22 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 68.60.0.1 dev eth1
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.14-gentoo-r2 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [FAILED]
hostname: Unknown host
ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
grep: /etc/ipsec.conf: No such file or directory
cat: /etc/ipsec.conf: No such file or directory
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: bebop [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 8.0.60.68.in-addr.arpa. [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: National DP83840A rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:07:49, model 1 rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
hostname: Unknown host
+ _________________________ hostname/ipaddress
+ hostname --ip-address
hostname: Unknown host
+ _________________________ uptime
+ uptime
09:07:47 up 3 days, 13:18, 6 users, load average: 0.27, 0.14, 0.05
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 15607 14267 20 0 2236 1084 - R+ pts/5 0:00 \_ /bin/sh /usr/libexec/ipsec/barf
0 0 15680 15607 20 0 1548 464 pipe_w S+ pts/5 0:00 \_ egrep -i ppid|pluto|ipsec|klips
1 0 15492 1 25 0 2232 380 wait S pts/5 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug all --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
1 0 15493 15492 25 0 2232 548 wait S pts/5 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug all --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
4 0 15496 15493 15 0 2268 1072 - S pts/5 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --debug-all --use-auto --uniqueids
1 0 15497 15496 30 10 2268 488 - SN pts/5 0:00 | \_ pluto helper # 0
0 0 15498 15496 25 0 1392 280 - S pts/5 0:00 | \_ _pluto_adns -d
0 0 15494 15492 15 0 2232 1064 pipe_w S pts/5 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0 0 15495 1 25 0 1452 480 pipe_w S pts/5 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth1
routevirt=ipsec0
routeaddr=68.60.0.8
routenexthop=68.60.0.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan-2.4.4/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
klipsdebug=all
plutodebug=all
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg:
# plutodebug="control parsing"
#
# Only enable klipsdebug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
# nat_traversal=yes
# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
# Add connections here
# sample VPN connection
#conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=start
#Disable Opportunistic Encryption
#< /etc/ipsec/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan-2.4.4/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec/ipsec.conf 44
#< /etc/ipsec/tigertranz.conf 1
conn tigertranz
left=68.60.0.8
leftsubnet=192.168.42.0/24
leftnexthop=%defaultroute
right=66.18.43.61
rightsubnet=192.168.12.0/24
rightnexthop=%defaultroute
keyexchange=ike
auto=start
authby=secret
pfs=yes
keylife=28800s
ikelifetime=28800s
compress=yes
esp=3des-md5-96
#> /etc/ipsec/ipsec.conf 45
+ _________________________ ipsec/secrets
+ ipsec _secretcensor
+ ipsec _include /etc/ipsec/ipsec.secrets
#< /etc/ipsec/ipsec.secrets 1
66.18.43.62: PSK "[sums to f51a...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan-2.4.4/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan-2.4.4/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan-2.4.4/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan-2.4.4/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan-2.4.4/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 108
-rwxr-xr-x 1 root root 15541 Dec 9 16:14 _confread
-rwxr-xr-x 1 root root 5072 Dec 9 16:14 _copyright
-rwxr-xr-x 1 root root 2391 Dec 9 16:14 _include
-rwxr-xr-x 1 root root 1475 Dec 9 16:14 _keycensor
-rwxr-xr-x 1 root root 3586 Dec 9 16:14 _plutoload
-rwxr-xr-x 1 root root 7431 Dec 9 16:14 _plutorun
-rwxr-xr-x 1 root root 12275 Dec 9 16:14 _realsetup
-rwxr-xr-x 1 root root 1975 Dec 9 16:14 _secretcensor
-rwxr-xr-x 1 root root 9778 Dec 9 16:14 _startklips
-rwxr-xr-x 1 root root 13417 Dec 9 16:14 _updown
-rwxr-xr-x 1 root root 15746 Dec 9 16:14 _updown_x509
-rwxr-xr-x 1 root root 1942 Dec 9 16:14 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 1092
-rwxr-xr-x 1 root root 8304 Dec 9 16:14 _pluto_adns
-rwxr-xr-x 1 root root 19081 Dec 9 16:14 auto
-rwxr-xr-x 1 root root 10566 Dec 9 16:14 barf
-rwxr-xr-x 1 root root 816 Dec 9 16:14 calcgoo
-rwxr-xr-x 1 root root 70424 Dec 9 16:14 eroute
-rwxr-xr-x 1 root root 15516 Dec 9 16:14 ikeping
-rwxr-xr-x 1 root root 53596 Dec 9 16:14 klipsdebug
-rwxr-xr-x 1 root root 1836 Dec 9 16:14 livetest
-rwxr-xr-x 1 root root 2605 Dec 9 16:14 look
-rwxr-xr-x 1 root root 7159 Dec 9 16:14 mailkey
-rwxr-xr-x 1 root root 15996 Dec 9 16:14 manual
-rwxr-xr-x 1 root root 1948 Dec 9 16:31 newhostkey
-rwxr-xr-x 1 root root 48820 Dec 9 16:14 pf_key
-rwxr-xr-x 1 root root 534504 Dec 9 16:14 pluto
-rwxr-xr-x 1 root root 6608 Dec 9 16:14 ranbits
-rwxr-xr-x 1 root root 16140 Dec 9 16:14 rsasigkey
-rwxr-xr-x 1 root root 766 Dec 9 16:14 secrets
-rwxr-xr-x 1 root root 17636 Dec 9 16:14 send-pr
lrwxrwxrwx 1 root root 17 Dec 9 16:14 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Dec 9 16:14 showdefaults
-rwxr-xr-x 1 root root 4754 Dec 9 16:14 showhostkey
-rwxr-xr-x 1 root root 104152 Dec 9 16:14 spi
-rwxr-xr-x 1 root root 61708 Dec 9 16:14 spigrp
-rwxr-xr-x 1 root root 9324 Dec 9 16:14 tncfg
-rwxr-xr-x 1 root root 10607 Dec 9 16:14 verify
-rwxr-xr-x 1 root root 40380 Dec 9 16:14 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
eth0:4008451169 10558240 0 0 0 0 0 0 3861590733 8907653 0 0 0 0 0 0
lo: 8919447 51646 0 0 0 0 0 0 8919447 51646 0 0 0 0 0 0
dummy0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth1:3315219373 10800426 1 0 0 1 0 0 3779325221 9998820 22 0 0 0 22 0
tun0: 7784172 36023 0 0 0 0 0 0 1888462 35325 0 0 0 0 0 0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
tun0 0901010A 00000000 0005 0 0 0 FFFFFFFF 0 0 0
tun0 0063A8C0 0901010A 0003 0 0 0 00FFFFFF 0 0 0
eth1 000CA8C0 01003C44 0003 0 0 0 00FFFFFF 0 0 0
eth0 002AA8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
tun0 0001010A 0901010A 0003 0 0 0 00FFFFFF 0 0 0
eth1 00003C44 00000000 0001 0 0 0 00FCFFFF 0 0 0
lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0
eth1 00000000 01003C44 0003 0 0 0 00000000 0 0 0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter tun0/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
lo/rp_filter:0
tun0/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux bebop 2.6.14-gentoo-r2 #3 Fri Dec 9 15:39:16 EST 2005 i686 Pentium II (Klamath) GenuineIntel GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.14-gentoo-r2) support detected '
NETKEY (2.6.14-gentoo-r2) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 264 packets, 21546 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 1704 packets, 997K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 206 packets, 33669 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 104 packets, 8281 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 15 packets, 1085 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 300 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 1991 packets, 1021K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 266 packets, 21650 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 1707 packets, 998K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 206 packets, 33669 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1910 packets, 1031K bytes)
pkts bytes target prot opt in out source destination
+ _________________________ /proc/modules
+ test -f /proc/modules
+ echo 'kernel without module support'
kernel without module support
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 141976 kB
MemFree: 29220 kB
Buffers: 0 kB
Cached: 70440 kB
SwapCached: 0 kB
Active: 69264 kB
Inactive: 18216 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 141976 kB
LowFree: 29220 kB
SwapTotal: 503960 kB
SwapFree: 501452 kB
Dirty: 344 kB
Writeback: 0 kB
Mapped: 23900 kB
Slab: 22904 kB
CommitLimit: 574948 kB
Committed_AS: 71804 kB
PageTables: 608 kB
VmallocTotal: 892648 kB
VmallocUsed: 1060 kB
VmallocChunk: 891560 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_VERBOSE is not set
# CONFIG_IP_PNP is not set
# CONFIG_IP_MROUTE is not set
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_TUNNEL=y
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=y
CONFIG_IP_NF_CT_PROTO_SCTP=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_NETBIOS_NS=y
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_PPTP=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
# CONFIG_IP_NF_MATCH_PHYSDEV is not set
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_DCCP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
# CONFIG_IP_NF_MATCH_CONNMARK is not set
# CONFIG_IP_NF_MATCH_CONNBYTES is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
# CONFIG_IP_NF_MATCH_STRING is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
# CONFIG_IP_NF_TARGET_NFQUEUE is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_PPTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
# CONFIG_IP_NF_TARGET_TTL is not set
# CONFIG_IP_NF_TARGET_CONNMARK is not set
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_TARGET_NOTRACK=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
cat: /etc/syslog.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 127.0.0.1
domain damagedindustries.net
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
ls: /lib/modules: No such file or directory
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c0306d30 T netif_rx
c0306e60 T netif_rx_ni
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
ls: /lib/modules: No such file or directory
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '1421,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Dec 13 09:07:19 [ipsec_setup] Starting Openswan IPsec U2.4.4/K2.6.14-gentoo-r2...
Dec 13 09:07:20 [ipsec_setup] KLIPS ipsec0 on eth1 68.60.0.8/255.255.252.0 broadcast 255.255.255.255
Dec 13 09:07:20 [ipsec__plutorun] Starting Pluto subsystem...
Dec 13 09:07:20 [pluto] Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Dec 13 09:07:20 [pluto] Setting NAT-Traversal port-4500 floating to off
Dec 13 09:07:20 [pluto] port floating activation criteria nat_t=0/port_fload=1
Dec 13 09:07:20 [pluto] including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 13 09:07:20 [pluto] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 13 09:07:20 [pluto] starting up 1 cryptographic helpers
Dec 13 09:07:20 [pluto] started helper pid=15497 (fd:6)
Dec 13 09:07:20 [pluto] Using Linux 2.6 IPsec interface code on 2.6.14-gentoo-r2
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/crls'
Dec 13 09:07:20 [pluto] Warning: empty directory
Dec 13 09:07:20 [ipsec_setup] ...Openswan IPsec started
Dec 13 09:07:22 [pluto] added connection description "tigertranz"
Dec 13 09:07:22 [pluto] listening for IKE messages
Dec 13 09:07:22 [pluto] adding interface tun0/tun0 10.1.1.10:500
Dec 13 09:07:22 [pluto] adding interface eth1/eth1 68.60.0.8:500
Dec 13 09:07:22 [pluto] adding interface lo/lo 127.0.0.1:500
Dec 13 09:07:22 [pluto] adding interface eth0/eth0 192.168.42.1:500
Dec 13 09:07:22 [pluto] loading secrets from "/etc/ipsec/ipsec.secrets"
Dec 13 09:07:23 [pluto] "tigertranz" #1: initiating Main Mode
Dec 13 09:07:23 [ipsec__plutorun] 104 "tigertranz" #1: STATE_MAIN_I1: initiate
Dec 13 09:07:23 [ipsec__plutorun] ...could not start conn "tigertranz"
Dec 13 09:07:28 [pluto] packet from 66.18.43.62:500: initial Main Mode message received on 68.60.0.8:500 but no connection has been authorized
+ _________________________ plog
+ sed -n '1423,$p' /var/log/messages
+ egrep -i pluto
+ case "$1" in
+ cat
Dec 13 09:07:20 [ipsec__plutorun] Starting Pluto subsystem...
Dec 13 09:07:20 [pluto] Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Dec 13 09:07:20 [pluto] Setting NAT-Traversal port-4500 floating to off
Dec 13 09:07:20 [pluto] port floating activation criteria nat_t=0/port_fload=1
Dec 13 09:07:20 [pluto] including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 13 09:07:20 [pluto] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 13 09:07:20 [pluto] starting up 1 cryptographic helpers
Dec 13 09:07:20 [pluto] started helper pid=15497 (fd:6)
Dec 13 09:07:20 [pluto] Using Linux 2.6 IPsec interface code on 2.6.14-gentoo-r2
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/crls'
Dec 13 09:07:20 [pluto] Warning: empty directory
Dec 13 09:07:22 [pluto] added connection description "tigertranz"
Dec 13 09:07:22 [pluto] listening for IKE messages
Dec 13 09:07:22 [pluto] adding interface tun0/tun0 10.1.1.10:500
Dec 13 09:07:22 [pluto] adding interface eth1/eth1 68.60.0.8:500
Dec 13 09:07:22 [pluto] adding interface lo/lo 127.0.0.1:500
Dec 13 09:07:22 [pluto] adding interface eth0/eth0 192.168.42.1:500
Dec 13 09:07:22 [pluto] loading secrets from "/etc/ipsec/ipsec.secrets"
Dec 13 09:07:23 [pluto] "tigertranz" #1: initiating Main Mode
Dec 13 09:07:23 [ipsec__plutorun] 104 "tigertranz" #1: STATE_MAIN_I1: initiate
Dec 13 09:07:23 [ipsec__plutorun] ...could not start conn "tigertranz"
Dec 13 09:07:28 [pluto] packet from 66.18.43.62:500: initial Main Mode message received on 68.60.0.8:500 but no connection has been authorized
+ _________________________ date
+ date
Tue Dec 13 09:07:48 EST 2005
More information about the Users
mailing list