[Openswan Users] Netopia R5100 / OpenSwan

Sumit Khanna sk1 at tigertranz.net
Wed Dec 14 13:42:28 CET 2005


Well I'm still stuck trying to get this Netopia R5100 to interpolate 
with openSwan. I've included my openswan barf output. Any help is 
appreciated.

Netopia R5100 (firmware 4.11.3) Settings:
Mode: Main (choices are main and aggressive)
Authentication Method: Shared Secret (this is the only option on this 
Netopia)
Shared Secret: **my password**
Encryption algorithm: 3des (choices are des and 3des)
Hash algorithm: md5 (choices are md5/sha1)
Diffie-Hellman: Group 2 (1024 bits)

Advanced IKE1 options:
Negotiation: Normal (options initiate only/respond only)
SA Use policy: Newest SA immediately (options Old SA until expired)
Allow Dangling Phase 2 SA: Yes
Phase 1 SA lifetime in seconds: 3600
Phase 1 SA lifetime in kb: 0

Send Initial Contact Message: yes
Include Vendor ID payload: yes
Independent Phase-2 Re-keys: yes
Strict Port Policy: no

The Phase-2 profile looks like this:
Encapsulation Type: IPSec (options are PPP/HDLC/Frame Relay, etc)
Key Management: IKE (options IKE/Manual)
Encapsulation: ESP (options are ESP, AH ESP+AH)
ESP Encryption Transform: 3DES
ESP Authentication Transform: HMAC-MD5-96
SA Lifetime seconds: 28800
SA Lifetime kb: 0
Perfect Forward Secrecy: Yes
Dead Peer Detection: No

ipsec barf is attached

-- 
Sumit


-------------- next part --------------
bebop
Tue Dec 13 09:07:46 EST 2005
+ _________________________ version
+ ipsec --version
Linux Openswan U2.4.4/K2.6.14-gentoo-r2 (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.14-gentoo-r2 (root at bebop) (gcc version 3.3.6 (Gentoo 3.3.6, ssp-3.3.6-1.0, pie-8.7.8)) #3 Fri Dec 9 15:39:16 EST 2005
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.1.1.9        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.99.0    10.1.1.9        255.255.255.0   UG        0 0          0 tun0
192.168.12.0    68.60.0.1       255.255.255.0   UG        0 0          0 eth1
192.168.42.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.1.1.0        10.1.1.9        255.255.255.0   UG        0 0          0 tun0
68.60.0.0       0.0.0.0         255.255.252.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         68.60.0.1       0.0.0.0         UG        0 0          0 eth1
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk       RefCnt Rmem   Wmem   User   Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
192.168.42.0/24[any] 192.168.12.0/24[any] any
	out prio high + 1073739480 ipsec
	esp/transport//require
	created: Dec 13 09:07:22 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=785 seq=8 pid=15634
	refcnt=1
(per-socket policy) 
	in none
	created: Dec 13 09:07:22 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=771 seq=7 pid=15634
	refcnt=1
(per-socket policy) 
	in none
	created: Dec 13 09:07:22 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=755 seq=6 pid=15634
	refcnt=1
(per-socket policy) 
	in none
	created: Dec 13 09:07:22 2005  lastused: Dec 13 09:07:44 2005
	lifetime: 0(s) validtime: 0(s)
	spid=739 seq=5 pid=15634
	refcnt=1
(per-socket policy) 
	in none
	created: Dec 13 09:07:22 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=723 seq=4 pid=15634
	refcnt=1
(per-socket policy) 
	out none
	created: Dec 13 09:07:22 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=780 seq=3 pid=15634
	refcnt=1
(per-socket policy) 
	out none
	created: Dec 13 09:07:22 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=764 seq=2 pid=15634
	refcnt=1
(per-socket policy) 
	out none
	created: Dec 13 09:07:22 2005  lastused: Dec 13 09:07:33 2005
	lifetime: 0(s) validtime: 0(s)
	spid=748 seq=1 pid=15634
	refcnt=1
(per-socket policy) 
	out none
	created: Dec 13 09:07:22 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=732 seq=0 pid=15634
	refcnt=1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface eth0/eth0 192.168.42.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 68.60.0.8
000 interface tun0/tun0 10.1.1.10
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000  
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} trans={0,1,108} attrs={0,1,72} 
000  
000 "tigertranz": 192.168.42.0/24===68.60.0.8---68.60.0.1...68.60.0.1---66.18.43.61===192.168.12.0/24; prospective erouted; eroute owner: #0
000 "tigertranz":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "tigertranz":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "tigertranz":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: eth1; 
000 "tigertranz":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "tigertranz":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "tigertranz":   ESP algorithms loaded: 3_000-1, flags=-strict
000  
000 #1: "tigertranz":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 7s; nodpd
000 #1: pending Phase 2 for "tigertranz" replacing #0
000  
+ _________________________ ifconfig-a
+ ifconfig -a
dummy0    Link encap:Ethernet  HWaddr 86:41:37:60:18:98  
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:60:08:D0:7A:E4  
          inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10558201 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8907621 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4008417507 (3822.7 Mb)  TX bytes:3861588539 (3682.6 Mb)
          Interrupt:9 Base address:0xfcc0 

eth1      Link encap:Ethernet  HWaddr 00:04:5A:76:9E:75  
          inet addr:68.60.0.8  Bcast:255.255.255.255  Mask:255.255.252.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10800382 errors:1 dropped:0 overruns:0 frame:1
          TX packets:9998778 errors:22 dropped:0 overruns:0 carrier:22
          collisions:0 txqueuelen:1000 
          RX bytes:3315216025 (3161.6 Mb)  TX bytes:3779291210 (3604.2 Mb)
          Interrupt:10 Base address:0xac00 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:51630 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51630 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:8917816 (8.5 Mb)  TX bytes:8917816 (8.5 Mb)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.1.1.10  P-t-P:10.1.1.9  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:36023 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35325 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:7784172 (7.4 Mb)  TX bytes:1888462 (1.8 Mb)

+ _________________________ ip-addr-list
+ ip addr list
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:08:d0:7a:e4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.42.1/24 brd 192.168.42.255 scope global eth0
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 86:41:37:60:18:98 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:5a:76:9e:75 brd ff:ff:ff:ff:ff:ff
    inet 68.60.0.8/22 brd 255.255.255.255 scope global eth1
68: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534] 
    inet 10.1.1.10 peer 10.1.1.9/32 scope global tun0
+ _________________________ ip-route-list
+ ip route list
10.1.1.9 dev tun0  proto kernel  scope link  src 10.1.1.10 
192.168.99.0/24 via 10.1.1.9 dev tun0 
192.168.12.0/24 via 68.60.0.1 dev eth1 
192.168.42.0/24 dev eth0  proto kernel  scope link  src 192.168.42.1 
10.1.1.0/24 via 10.1.1.9 dev tun0 
68.60.0.0/22 dev eth1  scope link 
127.0.0.0/8 dev lo  scope link 
default via 68.60.0.1 dev eth1 
+ _________________________ ip-rule-list
+ ip rule list
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.4.4/K2.6.14-gentoo-r2 (netkey)
Checking for IPsec support in kernel                        	[OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets)     	[FAILED]
hostname: Unknown host
ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running                              	[OK]
Two or more interfaces found, checking IP forwarding        	[OK]
Checking NAT and MASQUERADEing                              	[OK]
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]
Checking for 'setkey' command for NETKEY IPsec stack support	[OK]
grep: /etc/ipsec.conf: No such file or directory
cat: /etc/ipsec.conf: No such file or directory

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: bebop               	[MISSING]
   Does the machine have at least one non-private address?  	[OK]
   Looking for TXT in reverse dns zone: 8.0.60.68.in-addr.arpa.	[MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
  product info: National DP83840A rev 1
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: negotiated 100baseTx-FD, link ok
  product info: vendor 00:07:49, model 1 rev 1
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
hostname: Unknown host
+ _________________________ hostname/ipaddress
+ hostname --ip-address
hostname: Unknown host
+ _________________________ uptime
+ uptime
 09:07:47 up 3 days, 13:18,  6 users,  load average: 0.27, 0.14, 0.05
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
0     0 15607 14267  20   0   2236  1084 -      R+   pts/5      0:00          \_ /bin/sh /usr/libexec/ipsec/barf
0     0 15680 15607  20   0   1548   464 pipe_w S+   pts/5      0:00              \_ egrep -i ppid|pluto|ipsec|klips
1     0 15492     1  25   0   2232   380 wait   S    pts/5      0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug all --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_traversal  --keep_alive  --protostack auto --force_keepalive  --disable_port_floating  --virtual_private  --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
1     0 15493 15492  25   0   2232   548 wait   S    pts/5      0:00  \_ /bin/sh /usr/lib/ipsec/_plutorun --debug all --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_traversal  --keep_alive  --protostack auto --force_keepalive  --disable_port_floating  --virtual_private  --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
4     0 15496 15493  15   0   2268  1072 -      S    pts/5      0:00  |   \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --debug-all --use-auto --uniqueids
1     0 15497 15496  30  10   2268   488 -      SN   pts/5      0:00  |       \_ pluto helper  #  0                                                                                                                       
0     0 15498 15496  25   0   1392   280 -      S    pts/5      0:00  |       \_ _pluto_adns -d
0     0 15494 15492  15   0   2232  1064 pipe_w S    pts/5      0:00  \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post 
0     0 15495     1  25   0   1452   480 pipe_w S    pts/5      0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth1
routevirt=ipsec0
routeaddr=68.60.0.8
routenexthop=68.60.0.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/openswan-2.4.4/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
        klipsdebug=all
	plutodebug=all
	# plutodebug / klipsdebug = "all", "none" or a combation from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg:
	# plutodebug="control parsing"
	#
	# Only enable klipsdebug=all if you are a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	# nat_traversal=yes
	# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12

# Add connections here

# sample VPN connection
#conn sample
#		# Left security gateway, subnet behind it, nexthop toward right.
#		left=10.0.0.1
#		leftsubnet=172.16.0.0/24
#		leftnexthop=10.22.33.44
#		# Right security gateway, subnet behind it, nexthop toward left.
#		right=10.12.12.1
#		rightsubnet=192.168.0.0/24
#		rightnexthop=10.101.102.103
#		# To authorize this connection, but not actually start it, 
#		# at startup, uncomment this.
#		#auto=start

#Disable Opportunistic Encryption

#< /etc/ipsec/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan-2.4.4/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block 
    auto=ignore

conn private 
    auto=ignore

conn private-or-clear 
    auto=ignore

conn clear-or-private 
    auto=ignore

conn clear 
    auto=ignore

conn packetdefault 
    auto=ignore

#> /etc/ipsec/ipsec.conf 44

#< /etc/ipsec/tigertranz.conf 1
conn tigertranz 
   left=68.60.0.8
   leftsubnet=192.168.42.0/24
   leftnexthop=%defaultroute
   right=66.18.43.61
   rightsubnet=192.168.12.0/24
   rightnexthop=%defaultroute
   keyexchange=ike
   auto=start
   authby=secret
   pfs=yes
   keylife=28800s
   ikelifetime=28800s
   compress=yes
   esp=3des-md5-96

#> /etc/ipsec/ipsec.conf 45
+ _________________________ ipsec/secrets
+ ipsec _secretcensor
+ ipsec _include /etc/ipsec/ipsec.secrets

#< /etc/ipsec/ipsec.secrets 1
66.18.43.62: PSK "[sums to f51a...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000  
000 List of Public Keys:
000  
+ '[' /etc/ipsec/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan-2.4.4/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#

+ for policy in '$POLICIES/*'
++ basename /etc/ipsec/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan-2.4.4/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption.  This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan-2.4.4/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan-2.4.4/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications.  If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan-2.4.4/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#

0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 108
-rwxr-xr-x  1 root root 15541 Dec  9 16:14 _confread
-rwxr-xr-x  1 root root  5072 Dec  9 16:14 _copyright
-rwxr-xr-x  1 root root  2391 Dec  9 16:14 _include
-rwxr-xr-x  1 root root  1475 Dec  9 16:14 _keycensor
-rwxr-xr-x  1 root root  3586 Dec  9 16:14 _plutoload
-rwxr-xr-x  1 root root  7431 Dec  9 16:14 _plutorun
-rwxr-xr-x  1 root root 12275 Dec  9 16:14 _realsetup
-rwxr-xr-x  1 root root  1975 Dec  9 16:14 _secretcensor
-rwxr-xr-x  1 root root  9778 Dec  9 16:14 _startklips
-rwxr-xr-x  1 root root 13417 Dec  9 16:14 _updown
-rwxr-xr-x  1 root root 15746 Dec  9 16:14 _updown_x509
-rwxr-xr-x  1 root root  1942 Dec  9 16:14 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 1092
-rwxr-xr-x  1 root root   8304 Dec  9 16:14 _pluto_adns
-rwxr-xr-x  1 root root  19081 Dec  9 16:14 auto
-rwxr-xr-x  1 root root  10566 Dec  9 16:14 barf
-rwxr-xr-x  1 root root    816 Dec  9 16:14 calcgoo
-rwxr-xr-x  1 root root  70424 Dec  9 16:14 eroute
-rwxr-xr-x  1 root root  15516 Dec  9 16:14 ikeping
-rwxr-xr-x  1 root root  53596 Dec  9 16:14 klipsdebug
-rwxr-xr-x  1 root root   1836 Dec  9 16:14 livetest
-rwxr-xr-x  1 root root   2605 Dec  9 16:14 look
-rwxr-xr-x  1 root root   7159 Dec  9 16:14 mailkey
-rwxr-xr-x  1 root root  15996 Dec  9 16:14 manual
-rwxr-xr-x  1 root root   1948 Dec  9 16:31 newhostkey
-rwxr-xr-x  1 root root  48820 Dec  9 16:14 pf_key
-rwxr-xr-x  1 root root 534504 Dec  9 16:14 pluto
-rwxr-xr-x  1 root root   6608 Dec  9 16:14 ranbits
-rwxr-xr-x  1 root root  16140 Dec  9 16:14 rsasigkey
-rwxr-xr-x  1 root root    766 Dec  9 16:14 secrets
-rwxr-xr-x  1 root root  17636 Dec  9 16:14 send-pr
lrwxrwxrwx  1 root root     17 Dec  9 16:14 setup -> /etc/init.d/ipsec
-rwxr-xr-x  1 root root   1054 Dec  9 16:14 showdefaults
-rwxr-xr-x  1 root root   4754 Dec  9 16:14 showhostkey
-rwxr-xr-x  1 root root 104152 Dec  9 16:14 spi
-rwxr-xr-x  1 root root  61708 Dec  9 16:14 spigrp
-rwxr-xr-x  1 root root   9324 Dec  9 16:14 tncfg
-rwxr-xr-x  1 root root  10607 Dec  9 16:14 verify
-rwxr-xr-x  1 root root  40380 Dec  9 16:14 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0:4008451169 10558240    0    0    0     0          0         0 3861590733 8907653    0    0    0     0       0          0
    lo: 8919447   51646    0    0    0     0          0         0  8919447   51646    0    0    0     0       0          0
dummy0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth1:3315219373 10800426    1    0    0     1          0         0 3779325221 9998820   22    0    0     0      22          0
  tun0: 7784172   36023    0    0    0     0          0         0  1888462   35325    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface	Destination	Gateway 	Flags	RefCnt	Use	Metric	Mask		MTU	Window	IRTT                                                       
tun0	0901010A	00000000	0005	0	0	0	FFFFFFFF	0	0	0                                                                               
tun0	0063A8C0	0901010A	0003	0	0	0	00FFFFFF	0	0	0                                                                               
eth1	000CA8C0	01003C44	0003	0	0	0	00FFFFFF	0	0	0                                                                               
eth0	002AA8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0                                                                               
tun0	0001010A	0901010A	0003	0	0	0	00FFFFFF	0	0	0                                                                               
eth1	00003C44	00000000	0001	0	0	0	00FCFFFF	0	0	0                                                                               
lo	0000007F	00000000	0001	0	0	0	000000FF	0	0	0                                                                                 
eth1	00000000	01003C44	0003	0	0	0	00000000	0	0	0                                                                               
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter tun0/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
lo/rp_filter:0
tun0/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux bebop 2.6.14-gentoo-r2 #3 Fri Dec 9 15:39:16 EST 2005 i686 Pentium II (Klamath) GenuineIntel GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.14-gentoo-r2) support detected '
NETKEY (2.6.14-gentoo-r2) support detected 
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 264 packets, 21546 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 1704 packets, 997K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 206 packets, 33669 bytes)
 pkts bytes target     prot opt in     out     source               destination         
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 104 packets, 8281 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 15 packets, 1085 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source               destination         
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 1991 packets, 1021K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 266 packets, 21650 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 1707 packets, 998K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 206 packets, 33669 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1910 packets, 1031K bytes)
 pkts bytes target     prot opt in     out     source               destination         
+ _________________________ /proc/modules
+ test -f /proc/modules
+ echo 'kernel without module support'
kernel without module support
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal:       141976 kB
MemFree:         29220 kB
Buffers:             0 kB
Cached:          70440 kB
SwapCached:          0 kB
Active:          69264 kB
Inactive:        18216 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       141976 kB
LowFree:         29220 kB
SwapTotal:      503960 kB
SwapFree:       501452 kB
Dirty:             344 kB
Writeback:           0 kB
Mapped:          23900 kB
Slab:            22904 kB
CommitLimit:    574948 kB
Committed_AS:    71804 kB
PageTables:        608 kB
VmallocTotal:   892648 kB
VmallocUsed:      1060 kB
VmallocChunk:   891560 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_VERBOSE is not set
# CONFIG_IP_PNP is not set
# CONFIG_IP_MROUTE is not set
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_TUNNEL=y
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=y
CONFIG_IP_NF_CT_PROTO_SCTP=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_NETBIOS_NS=y
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_PPTP=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
# CONFIG_IP_NF_MATCH_PHYSDEV is not set
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_DCCP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
# CONFIG_IP_NF_MATCH_CONNMARK is not set
# CONFIG_IP_NF_MATCH_CONNBYTES is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
# CONFIG_IP_NF_MATCH_STRING is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
# CONFIG_IP_NF_TARGET_NFQUEUE is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_PPTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
# CONFIG_IP_NF_TARGET_TTL is not set
# CONFIG_IP_NF_TARGET_CONNMARK is not set
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_TARGET_NOTRACK=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
cat: /etc/syslog.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 127.0.0.1
domain damagedindustries.net
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
ls: /lib/modules: No such file or directory
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c0306d30 T netif_rx
c0306e60 T netif_rx_ni
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
ls: /lib/modules: No such file or directory
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '1421,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Dec 13 09:07:19 [ipsec_setup] Starting Openswan IPsec U2.4.4/K2.6.14-gentoo-r2...
Dec 13 09:07:20 [ipsec_setup] KLIPS ipsec0 on eth1 68.60.0.8/255.255.252.0 broadcast 255.255.255.255 
Dec 13 09:07:20 [ipsec__plutorun] Starting Pluto subsystem...
Dec 13 09:07:20 [pluto] Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Dec 13 09:07:20 [pluto] Setting NAT-Traversal port-4500 floating to off
Dec 13 09:07:20 [pluto] port floating activation criteria nat_t=0/port_fload=1
Dec 13 09:07:20 [pluto] including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 13 09:07:20 [pluto] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 13 09:07:20 [pluto] starting up 1 cryptographic helpers
Dec 13 09:07:20 [pluto] started helper pid=15497 (fd:6)
Dec 13 09:07:20 [pluto] Using Linux 2.6 IPsec interface code on 2.6.14-gentoo-r2
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/crls'
Dec 13 09:07:20 [pluto] Warning: empty directory
Dec 13 09:07:20 [ipsec_setup] ...Openswan IPsec started
Dec 13 09:07:22 [pluto] added connection description "tigertranz"
Dec 13 09:07:22 [pluto] listening for IKE messages
Dec 13 09:07:22 [pluto] adding interface tun0/tun0 10.1.1.10:500
Dec 13 09:07:22 [pluto] adding interface eth1/eth1 68.60.0.8:500
Dec 13 09:07:22 [pluto] adding interface lo/lo 127.0.0.1:500
Dec 13 09:07:22 [pluto] adding interface eth0/eth0 192.168.42.1:500
Dec 13 09:07:22 [pluto] loading secrets from "/etc/ipsec/ipsec.secrets"
Dec 13 09:07:23 [pluto] "tigertranz" #1: initiating Main Mode
Dec 13 09:07:23 [ipsec__plutorun] 104 "tigertranz" #1: STATE_MAIN_I1: initiate
Dec 13 09:07:23 [ipsec__plutorun] ...could not start conn "tigertranz"
Dec 13 09:07:28 [pluto] packet from 66.18.43.62:500: initial Main Mode message received on 68.60.0.8:500 but no connection has been authorized
+ _________________________ plog
+ sed -n '1423,$p' /var/log/messages
+ egrep -i pluto
+ case "$1" in
+ cat
Dec 13 09:07:20 [ipsec__plutorun] Starting Pluto subsystem...
Dec 13 09:07:20 [pluto] Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Dec 13 09:07:20 [pluto] Setting NAT-Traversal port-4500 floating to off
Dec 13 09:07:20 [pluto] port floating activation criteria nat_t=0/port_fload=1
Dec 13 09:07:20 [pluto] including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 13 09:07:20 [pluto] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 13 09:07:20 [pluto] starting up 1 cryptographic helpers
Dec 13 09:07:20 [pluto] started helper pid=15497 (fd:6)
Dec 13 09:07:20 [pluto] Using Linux 2.6 IPsec interface code on 2.6.14-gentoo-r2
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Dec 13 09:07:20 [pluto] Changing to directory '/etc/ipsec/ipsec.d/crls'
Dec 13 09:07:20 [pluto] Warning: empty directory
Dec 13 09:07:22 [pluto] added connection description "tigertranz"
Dec 13 09:07:22 [pluto] listening for IKE messages
Dec 13 09:07:22 [pluto] adding interface tun0/tun0 10.1.1.10:500
Dec 13 09:07:22 [pluto] adding interface eth1/eth1 68.60.0.8:500
Dec 13 09:07:22 [pluto] adding interface lo/lo 127.0.0.1:500
Dec 13 09:07:22 [pluto] adding interface eth0/eth0 192.168.42.1:500
Dec 13 09:07:22 [pluto] loading secrets from "/etc/ipsec/ipsec.secrets"
Dec 13 09:07:23 [pluto] "tigertranz" #1: initiating Main Mode
Dec 13 09:07:23 [ipsec__plutorun] 104 "tigertranz" #1: STATE_MAIN_I1: initiate
Dec 13 09:07:23 [ipsec__plutorun] ...could not start conn "tigertranz"
Dec 13 09:07:28 [pluto] packet from 66.18.43.62:500: initial Main Mode message received on 68.60.0.8:500 but no connection has been authorized
+ _________________________ date
+ date
Tue Dec 13 09:07:48 EST 2005