[Openswan Users]
stuck at: "STATE_MAIN_R1: sent MR1, expecting MI2" - suggestions?
aram price
me at aramprice.com
Thu Dec 15 17:00:41 CET 2005
Hi all,
I've been banging on this for a few days now with no luck.
The machine is a freshly built FC4 machine with the following RPMs installed from openswan.org:
openswan-2.4.4-1
l2tpd-0.69-13
The certs and self-signed CA were generated on a different machine in our network and installed under /etc/ipsec.d/.
I haven't been able to connect using either PSK or CERT authentication.
In both cases pluto stops at the state:
STATE_MAIN_R1: sent MR1, expecting MI2
Ideally I wouldn't use PSK at all; I included it here to test whether there was a problem with the certificates.
I'm hoping that I'm missing some simple tweak to my config(s) which
someone on this list will notice.
I've included what I think are all the relevant bits of information
and configuration, please let me know if there is something missing
or unclear.
regards,
aram
PS: thanks for the helpful notes at:
http://www.natecarlson.com/linux/ipsec-l2tp.php
http://www.jacco2.dds.nl/networking/
############ network ############
client (osx 10.4.3)
[d.e.f.135]
|
|
|
[a.b.c.4] -ext
vpnserver (linux fc4)
[10.10.1.140] -int
|
|
|
10.10.1.0/24
############/network ############
############ file layout ############
etc/
    ipsec.conf
    ipsec.info
    ipsec.secrets
    ipsec.d/
        cacerts/
            cacert.pem
        certs/
            me.foo.com.p12
            me.foo.com.pem
            vpnserver.foo.com.p12
            vpnserver.foo.com.pem
        private/
            me.foo.com.key
            vpnserver.foo.com.key
    l2tpd/
        l2tpd.conf
    ppp/
        chap-secrets
        options.l2tpd
    sysconfig/
        iptables
############/file layout ############
############ l2tpd.conf ############
[global]
; listen-addr = 192.168.1.98
[lns default]
ip range = 10.10.1.161-10.10.1.169
local ip = 10.10.1.140
require chap = yes
refuse pap = yes
require authentication = yes
name = FooVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
############/l2tpd.conf ############
############ chap-secrets ############
# client server secret IP addresses
me * mysecret *
############/chap-secrets ############
############ options.l2tpd ############
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.10.1.1
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
nologfd
############/options.l2tpd ############
############ ipsec barf ############
vpnserver.foo.com
Thu Dec 15 15:43:46 PST 2005
+ _________________________ version
+ ipsec --version
Linux Openswan U2.4.4/K2.6.14-1.1644_FC4 (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.14-1.1644_FC4 (bhcompile at hs20-bc1-1.build.redhat.com) (gcc version 4.0.1 20050727 (Red Hat 4.0.1-5)) #1 Sun Nov 27 03:25:11 EST 2005
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
a.b.c.0         0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         a.b.c.1         0.0.0.0         UG        0 0          0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
(per-socket policy)
in none
created: Dec 15 15:34:50 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1891 seq=13 pid=21073
refcnt=1
(per-socket policy)
in none
created: Dec 15 15:34:50 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1875 seq=12 pid=21073
refcnt=1
(per-socket policy)
in none
created: Dec 15 15:34:50 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1859 seq=11 pid=21073
refcnt=1
(per-socket policy)
in none
created: Dec 15 15:34:50 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1843 seq=10 pid=21073
refcnt=1
(per-socket policy)
in none
created: Dec 15 15:34:50 2005 lastused: Dec 15 15:35:19 2005
lifetime: 0(s) validtime: 0(s)
spid=1827 seq=9 pid=21073
refcnt=1
(per-socket policy)
in none
created: Dec 15 15:34:50 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1811 seq=8 pid=21073
refcnt=1
(per-socket policy)
in none
created: Dec 15 15:34:50 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1795 seq=7 pid=21073
refcnt=1
(per-socket policy)
out none
created: Dec 15 15:34:50 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1900 seq=6 pid=21073
refcnt=1
(per-socket policy)
out none
created: Dec 15 15:34:50 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1884 seq=5 pid=21073
refcnt=1
(per-socket policy)
out none
created: Dec 15 15:34:50 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1868 seq=4 pid=21073
refcnt=1
(per-socket policy)
out none
created: Dec 15 15:34:50 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1852 seq=3 pid=21073
refcnt=1
(per-socket policy)
out none
created: Dec 15 15:34:50 2005 lastused: Dec 15 15:35:49 2005
lifetime: 0(s) validtime: 0(s)
spid=1836 seq=2 pid=21073
refcnt=1
(per-socket policy)
out none
created: Dec 15 15:34:50 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1820 seq=1 pid=21073
refcnt=1
(per-socket policy)
out none
created: Dec 15 15:34:50 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1804 seq=0 pid=21073
refcnt=1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 a.b.c.4
000 interface eth0/eth0 a.b.c.4
000 interface eth1/eth1 10.10.1.140
000 interface eth1/eth1 10.10.1.140
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "l2tp-a-psk": 10.10.1.0/24===a.b.c.4:17/1701...%virtual:17/%any===?; unrouted; eroute owner: #0
000 "l2tp-a-psk": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "l2tp-a-psk": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "l2tp-a-psk": policy: PSK+ENCRYPT+COMPRESS+TUNNEL; prio: 24,32; interface: eth0;
000 "l2tp-a-psk": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-b-cert": 10.10.1.0/24===a.b.c.4[C=US, ST=California, L=OurCity, O=Foo, Inc., CN=vpnserver.foo.com, E=noc at foo.com]:17/1701...%virtual:17/%any===?; unrouted; eroute owner: #0
000 "l2tp-b-cert": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "l2tp-b-cert": CAs: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'...'%any'
000 "l2tp-b-cert": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "l2tp-b-cert": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 24,32; interface: eth0;
000 "l2tp-b-cert": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:C0:F0:56:8B:BF
inet addr:a.b.c.4 Bcast:a.b.c.255 Mask:255.255.255.0
inet6 addr: fe80::2c0:f0ff:fe56:8bbf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:126310 errors:2 dropped:0 overruns:0 frame:0
TX packets:12229 errors:3 dropped:0 overruns:0 carrier:3
collisions:0 txqueuelen:1000
RX bytes:10087434 (9.6 MiB) TX bytes:2336698 (2.2 MiB)
Interrupt:11 Base address:0x2f00
eth1 Link encap:Ethernet HWaddr 00:0A:E6:5F:89:7B
inet addr:10.10.1.140 Bcast:10.10.1.255 Mask:255.255.255.0
inet6 addr: fe80::20a:e6ff:fe5f:897b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:82139 errors:0 dropped:0 overruns:0 frame:0
TX packets:18768 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6690618 (6.3 MiB) TX bytes:2610425 (2.4 MiB)
Interrupt:11 Base address:0xd400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:730 (730.0 b) TX bytes:730 (730.0 b)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:c0:f0:56:8b:bf brd ff:ff:ff:ff:ff:ff
inet a.b.c.4/24 brd a.b.c.255 scope global eth0
inet6 fe80::2c0:f0ff:fe56:8bbf/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0a:e6:5f:89:7b brd ff:ff:ff:ff:ff:ff
inet 10.10.1.140/24 brd 10.10.1.255 scope global eth1
inet6 fe80::20a:e6ff:fe5f:897b/64 scope link
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
+ _________________________ ip-route-list
+ ip route list
a.b.c.0/24 dev eth0 proto kernel scope link src a.b.c.4
10.10.1.0/24 dev eth1 proto kernel scope link src 10.10.1.140
169.254.0.0/16 dev eth1 scope link
default via a.b.c.1 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.14-1.1644_FC4 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:c0:b4, model 0 rev 8
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:20, model 32 rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
vpnserver.foo.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
a.b.c.4
+ _________________________ uptime
+ uptime
15:43:47 up 22:22, 3 users, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY   TIME COMMAND
4     0 19881 15519  16   0  1408  276 finish T    pts/1 0:00  \_ /usr/sbin/sesh /bin/vi /etc/ipsec.secrets
0     0 19882 19881  15   0  4420 1244 finish T    pts/1 0:00  |   \_ /bin/vi /etc/ipsec.secrets
4     0 19901 15519  16   0  1404  284 finish T    pts/1 0:00  \_ /usr/sbin/sesh /bin/vi /etc/ipsec.conf
0     0 19902 19901  15   0  4420 1260 finish T    pts/1 0:00  |   \_ /bin/vi /etc/ipsec.conf
0     0 21052 21003  19   0  4328 1068 -      R+   pts/1 0:00  \_ /bin/sh /usr/libexec/ipsec/barf
1     0 20793     1  22   0  2300  400 wait   S    pts/1 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
1     0 20794 20793  22   0  2300  596 wait   S    pts/1 0:00  \_ /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
4     0 20795 20794  15   0  2556 1232 -      S    pts/1 0:00  |   \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
1     0 20796 20795  30  10  2500  304 -      SN   pts/1 0:00  |       \_ pluto helper # 0
0     0 20831 20795  25   0  1484  296 -      S    pts/1 0:00  |       \_ _pluto_adns
0     0 20797 20793  17   0  2296 1108 pipe_w S    pts/1 0:00  \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0     0 20798     1  22   0  1544  408 pipe_w S    pts/1 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        interfaces="ipsec0=eth0"

# Add connections here
conn %default
        keyingtries=1
        compress=yes
        pfs=no
        disablearrivalcheck=no
        left=a.b.c.4
        leftsubnet=10.10.1.0/24
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/%any

conn l2tp-a-psk
        authby=secret
        auto=add

conn l2tp-b-cert
        authby=rsasig
        leftcert=vpnserver.foo.com.pem
        leftrsasigkey=%cert
        rightcert=%any
        rightrsasigkey=%cert
        auto=add

#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore
#> /etc/ipsec.conf 66
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA vpnserver.foo.com.key "[sums to 6445...]"
a.b.c.4 %any: PSK "[sums to 29f7...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Dec 15 15:34:50 2005, 1024 RSA Key AwEAAdTPx, until Dec 13 16:21:49 2006 ok
000        ID_DER_ASN1_DN 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=vpnserver.foo.com, E=noc at foo.com'
000        Issuer 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000
000 List of X.509 End Certificates:
000
000 Dec 15 15:34:50 2005, count: 1
000        subject:  'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=vpnserver.foo.com, E=noc at foo.com'
000        issuer:   'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000        serial:   01
000        pubkey:   1024 RSA Key AwEAAdTPx, has private key
000        validity: not before Dec 13 16:21:49 2005 ok
000                  not after  Dec 13 16:21:49 2006 ok
000        subjkey:  1f:47:56:86:bd:ec:db:52:be:ab:43:28:1e:99:1d:f0:9a:77:e0:dd
000        authkey:  9c:de:b0:cb:a4:a8:8b:a1:42:53:63:9b:b9:81:b5:4e:be:2a:36:02
000        aserial:  00:ea:d7:fe:7a:0d:9c:50:b0
000
000 List of X.509 CA Certificates:
000
000 Dec 15 15:34:50 2005, count: 1
000        subject:  'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000        issuer:   'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000        serial:   00:ea:d7:fe:7a:0d:9c:50:b0
000        pubkey:   1024 RSA Key AwEAAe8+d
000        validity: not before Dec 13 16:15:49 2005 ok
000                  not after  Dec 13 16:15:49 2006 ok
000        subjkey:  9c:de:b0:cb:a4:a8:8b:a1:42:53:63:9b:b9:81:b5:4e:be:2a:36:02
000        authkey:  9c:de:b0:cb:a4:a8:8b:a1:42:53:63:9b:b9:81:b5:4e:be:2a:36:02
000        aserial:  00:ea:d7:fe:7a:0d:9c:50:b0
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 164
-rwxr-xr-x 1 root root 15535 Nov 19 00:42 _confread
-rwxr-xr-x 1 root root 14986 Nov 19 00:42 _copyright
-rwxr-xr-x 1 root root 2379 Nov 19 00:42 _include
-rwxr-xr-x 1 root root 1475 Nov 19 00:42 _keycensor
-rwxr-xr-x 1 root root 3586 Nov 19 00:42 _plutoload
-rwxr-xr-x 1 root root 7431 Nov 19 00:42 _plutorun
-rwxr-xr-x 1 root root 12275 Nov 19 00:42 _realsetup
-rwxr-xr-x 1 root root 1975 Nov 19 00:42 _secretcensor
-rwxr-xr-x 1 root root 9778 Nov 19 00:42 _startklips
-rwxr-xr-x 1 root root 13417 Nov 19 00:42 _updown
-rwxr-xr-x 1 root root 15746 Nov 19 00:42 _updown_x509
-rwxr-xr-x 1 root root 1942 Nov 19 00:42 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 3120
-rwxr-xr-x 1 root root 28005 Nov 19 00:42 _pluto_adns
-rwxr-xr-x 1 root root 19081 Nov 19 00:42 auto
-rwxr-xr-x 1 root root 10584 Nov 19 00:42 barf
-rwxr-xr-x 1 root root 816 Nov 19 00:42 calcgoo
-rwxr-xr-x 1 root root 184043 Nov 19 00:42 eroute
-rwxr-xr-x 1 root root 58188 Nov 19 00:42 ikeping
-rwxr-xr-x 1 root root 121204 Nov 19 00:42 klipsdebug
-rwxr-xr-x 1 root root 1836 Nov 19 00:42 livetest
-rwxr-xr-x 1 root root 2605 Nov 19 00:42 look
-rwxr-xr-x 1 root root 7153 Nov 19 00:42 mailkey
-rwxr-xr-x 1 root root 15996 Nov 19 00:42 manual
-rwxr-xr-x 1 root root 1926 Nov 19 00:42 newhostkey
-rwxr-xr-x 1 root root 106773 Nov 19 00:42 pf_key
-rwxr-xr-x 1 root root 1746023 Nov 19 00:42 pluto
-rwxr-xr-x 1 root root 25958 Nov 19 00:42 ranbits
-rwxr-xr-x 1 root root 47954 Nov 19 00:42 rsasigkey
-rwxr-xr-x 1 root root 766 Nov 19 00:42 secrets
-rwxr-xr-x 1 root root 17636 Nov 19 00:42 send-pr
lrwxrwxrwx 1 root root 22 Dec 12 14:26 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Nov 19 00:42 showdefaults
-rwxr-xr-x 1 root root 4748 Nov 19 00:42 showhostkey
-rwxr-xr-x 1 root root 290498 Nov 19 00:42 spi
-rwxr-xr-x 1 root root 151233 Nov 19 00:42 spigrp
-rwxr-xr-x 1 root root 25331 Nov 19 00:42 tncfg
-rwxr-xr-x 1 root root 10607 Nov 19 00:42 verify
-rwxr-xr-x 1 root root 126409 Nov 19 00:42 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                 |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     730      14    0    0    0     0          0         0      730      14    0    0    0     0       0          0
  eth0:10087434  126310    2    0    0     0          0         0  2336698   12229    3    0    0     0       3          0
  eth1: 6699828   82275    0    0    0     0          0         1  2659240   19039    0    0    0     0       0          0
  sit0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface   Destination     Gateway         Flags   RefCnt  Use     Metric  Mask            MTU     Window  IRTT
eth0    00F66D43        00000000        0001    0       0       0       00FFFFFF        0       0       0
eth1    00010A0A        00000000        0001    0       0       0       00FFFFFF        0       0       0
eth1    0000FEA9        00000000        0001    0       0       0       0000FFFF        0       0       0
eth0    00000000        01F66D43        0003    0       0       0       00000000        0       0       0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux vpnserver.foo.com 2.6.14-1.1644_FC4 #1 Sun Nov 27 03:25:11 EST 2005 i686 athlon i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 4 (Stentz)
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.14-1.1644_FC4) support detected '
NETKEY (2.6.14-1.1644_FC4) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
 3143  321K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2412 packets, 347K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
   33  4224 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
 2993  300K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   160 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
  115 16597 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  *      *       10.0.0.0/8           0.0.0.0/0
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
iptable_mangle 3009 0 - Live 0xe0969000
iptable_nat 7749 0 - Live 0xe0a1f000
ip_nat 18773 1 iptable_nat, Live 0xe0af4000
xfrm4_tunnel 4165 0 - Live 0xe097c000
af_key 34257 0 - Live 0xe0a79000
ipt_REJECT 5953 1 - Live 0xe0a33000
ipt_state 1985 2 - Live 0xe0971000
ip_conntrack 52081 3 iptable_nat,ip_nat,ipt_state, Live 0xe0b31000
nfnetlink 6745 2 ip_nat,ip_conntrack, Live 0xe0976000
iptable_filter 3137 1 - Live 0xe0841000
ip_tables 20289 5 iptable_mangle,iptable_nat,ipt_REJECT,ipt_state,iptable_filter, Live 0xe0a2d000
sis 10625 1 - Live 0xe0a4b000
drm 72149 2 sis, Live 0xe0b0b000
deflate 4033 0 - Live 0xe0974000
zlib_deflate 23001 1 deflate, Live 0xe0a5e000
twofish 44225 0 - Live 0xe0ae8000
serpent 25025 0 - Live 0xe0a66000
blowfish 9281 0 - Live 0xe0a3b000
sha256 10817 0 - Live 0xe0a29000
crypto_null 2369 0 - Live 0xe0964000
aes 27777 0 - Live 0xe0a56000
des 16449 0 - Live 0xe0a50000
ipcomp 8137 0 - Live 0xe0a1c000
esp4 8257 0 - Live 0xe097f000
ah4 6337 0 - Live 0xe0979000
autofs4 19781 2 - Live 0xe0a23000
sunrpc 141821 1 - Live 0xe0ac4000
ipv6 249889 16 - Live 0xe0a85000
video 16325 0 - Live 0xe08f7000
button 6737 0 - Live 0xe08e8000
battery 9541 0 - Live 0xe0948000
ac 4933 0 - Live 0xe08eb000
ohci_hcd 22497 0 - Live 0xe0941000
shpchp 93701 0 - Live 0xe0983000
i2c_sis630 7885 0 - Live 0xe08c1000
i2c_sis96x 5829 0 - Live 0xe08e2000
i2c_core 22209 2 i2c_sis630,i2c_sis96x, Live 0xe093a000
snd_intel8x0 32929 1 - Live 0xe0930000
snd_ac97_codec 88893 1 snd_intel8x0, Live 0xe094d000
snd_ac97_bus 2497 1 snd_ac97_codec, Live 0xe08c4000
snd_seq_dummy 3781 0 - Live 0xe08a9000
snd_seq_oss 31937 0 - Live 0xe08ee000
snd_seq_midi_event 7105 1 snd_seq_oss, Live 0xe0854000
snd_seq 49873 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event, Live 0xe0922000
snd_seq_device 9165 3 snd_seq_dummy,snd_seq_oss,snd_seq, Live 0xe08ce000
snd_pcm_oss 51057 0 - Live 0xe0914000
snd_mixer_oss 18113 1 snd_pcm_oss, Live 0xe08c8000
snd_pcm 87749 3 snd_intel8x0,snd_ac97_codec,snd_pcm_oss, Live 0xe08fd000
snd_timer 25285 2 snd_seq,snd_pcm, Live 0xe089a000
snd 54949 11 snd_intel8x0,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer, Live 0xe08d3000
soundcore 9889 1 snd, Live 0xe08bd000
snd_page_alloc 10825 2 snd_intel8x0,snd_pcm, Live 0xe08b9000
sis900 21697 0 - Live 0xe08a2000
mii 5441 1 sis900, Live 0xe0857000
tulip 51041 0 - Live 0xe08ab000
floppy 61957 0 - Live 0xe0867000
dm_snapshot 17901 0 - Live 0xe0861000
dm_zero 2113 0 - Live 0xe081c000
dm_mirror 22549 0 - Live 0xe085a000
ext3 130505 2 - Live 0xe0879000
jbd 57941 1 ext3, Live 0xe0831000
dm_mod 57053 6 dm_snapshot,dm_zero,dm_mirror, Live 0xe0843000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 515724 kB
MemFree: 52660 kB
Buffers: 134348 kB
Cached: 154292 kB
SwapCached: 0 kB
Active: 186232 kB
Inactive: 164800 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 515724 kB
LowFree: 52660 kB
SwapTotal: 1048568 kB
SwapFree: 1048568 kB
Dirty: 208 kB
Writeback: 0 kB
Mapped: 91968 kB
Slab: 95432 kB
CommitLimit: 1306428 kB
Committed_AS: 173024 kB
PageTables: 2492 kB
VmallocTotal: 507896 kB
VmallocUsed: 3424 kB
VmallocChunk: 500312 kB
HugePages_Total: 0
HugePages_Free: 0
Hugepagesize: 4096 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.14-1.1644_FC4/build/.config
++ uname -r
+ cat /lib/modules/2.6.14-1.1644_FC4/build/.config
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_TUNNEL=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=m
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NETBIOS_NS=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_DCCP=m
CONFIG_IP_NF_MATCH_COMMENT=m
CONFIG_IP_NF_MATCH_CONNMARK=m
CONFIG_IP_NF_MATCH_CONNBYTES=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_STRING=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_TARGET_NFQUEUE=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CONNMARK=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_PHYSDEV=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_TARGET_NFQUEUE=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_DCCP=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_DCCP_CCID3=m
CONFIG_IP_DCCP_TFRC_LIB=m
# CONFIG_IP_DCCP_DEBUG is not set
CONFIG_IP_DCCP_UNLOAD_HACK=y
CONFIG_IP_SCTP=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPW2100=m
CONFIG_IPW2100_MONITOR=y
# CONFIG_IPW_DEBUG is not set
CONFIG_IPW2200=m
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
# generated by NetworkManager, do not edit!
search foo.com
nameserver 10.10.1.1
nameserver a.b.c.5
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 3 root root 4096 Dec 12 14:15 2.6.14-1.1644_FC4
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c02ae97a T netif_rx
c02aeb29 T netif_rx_ni
c02ae97a U netif_rx [ipv6]
c02ae97a U netif_rx [sis900]
c02ae97a U netif_rx [tulip]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.14-1.1644_FC4:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '1898,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Dec 15 15:34:50 vpnserver ipsec_setup: Starting Openswan IPsec 2.4.4...
Dec 15 15:34:50 vpnserver ipsec_setup: insmod /lib/modules/2.6.14-1.1644_FC4/kernel/net/key/af_key.ko
Dec 15 15:34:50 vpnserver ipsec_setup: insmod /lib/modules/2.6.14-1.1644_FC4/kernel/net/ipv4/xfrm4_tunnel.ko
+ _________________________ plog
+ sed -n '3851,$p' /var/log/secure
+ egrep -i pluto
+ case "$1" in
+ cat
Dec 15 15:34:50 vpnserver ipsec__plutorun: Starting Pluto subsystem...
Dec 15 15:34:50 vpnserver pluto[20795]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Dec 15 15:34:50 vpnserver pluto[20795]: Setting NAT-Traversal port-4500 floating to on
Dec 15 15:34:50 vpnserver pluto[20795]: port floating activation criteria nat_t=1/port_fload=1
Dec 15 15:34:50 vpnserver pluto[20795]: including NAT-Traversal patch (Version 0.6c)
Dec 15 15:34:50 vpnserver pluto[20795]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 15 15:34:50 vpnserver pluto[20795]: starting up 1 cryptographic helpers
Dec 15 15:34:50 vpnserver pluto[20795]: started helper pid=20796 (fd:6)
Dec 15 15:34:50 vpnserver pluto[20795]: Using Linux 2.6 IPsec interface code on 2.6.14-1.1644_FC4
Dec 15 15:34:50 vpnserver pluto[20795]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 15 15:34:50 vpnserver pluto[20795]: loaded CA cert file 'cacert.pem' (1363 bytes)
Dec 15 15:34:50 vpnserver pluto[20795]: Could not change to directory '/etc/ipsec.d/aacerts'
Dec 15 15:34:50 vpnserver pluto[20795]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Dec 15 15:34:50 vpnserver pluto[20795]: Could not change to directory '/etc/ipsec.d/crls'
Dec 15 15:34:50 vpnserver pluto[20795]: added connection description "l2tp-a-psk"
Dec 15 15:34:50 vpnserver pluto[20795]: loaded host cert file '/etc/ipsec.d/certs/vpnserver.foo.com.pem' (3815 bytes)
Dec 15 15:34:50 vpnserver pluto[20795]: could not open host cert file '/etc/ipsec.d/certs/%any'
Dec 15 15:34:50 vpnserver pluto[20795]: added connection description "l2tp-b-cert"
Dec 15 15:34:50 vpnserver pluto[20795]: listening for IKE messages
Dec 15 15:34:50 vpnserver pluto[20795]: adding interface eth1/eth1 10.10.1.140:500
Dec 15 15:34:50 vpnserver pluto[20795]: adding interface eth1/eth1 10.10.1.140:4500
Dec 15 15:34:50 vpnserver pluto[20795]: adding interface eth0/eth0 a.b.c.4:500
Dec 15 15:34:50 vpnserver pluto[20795]: adding interface eth0/eth0 a.b.c.4:4500
Dec 15 15:34:50 vpnserver pluto[20795]: adding interface lo/lo 127.0.0.1:500
Dec 15 15:34:50 vpnserver pluto[20795]: adding interface lo/lo 127.0.0.1:4500
Dec 15 15:34:50 vpnserver pluto[20795]: adding interface lo/lo ::1:500
Dec 15 15:34:50 vpnserver pluto[20795]: loading secrets from "/etc/ipsec.secrets"
Dec 15 15:34:50 vpnserver pluto[20795]: loaded private key file '/etc/ipsec.d/private/vpnserver.foo.com.key' (1692 bytes)
Dec 15 15:34:55 vpnserver pluto[20795]: packet from d.e.f.135:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 15:34:55 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #1: responding to Main Mode from unknown peer d.e.f.135
Dec 15 15:34:55 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 15:34:55 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 15:34:58 vpnserver pluto[20795]: packet from d.e.f.135:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 15:34:58 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #2: responding to Main Mode from unknown peer d.e.f.135
Dec 15 15:34:58 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 15:34:58 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 15:35:01 vpnserver pluto[20795]: packet from d.e.f.135:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 15:35:01 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #3: responding to Main Mode from unknown peer d.e.f.135
Dec 15 15:35:01 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 15:35:01 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 15:35:04 vpnserver pluto[20795]: packet from d.e.f.135:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 15:35:04 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #4: responding to Main Mode from unknown peer d.e.f.135
Dec 15 15:35:04 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 15:35:04 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #4: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 15:35:07 vpnserver pluto[20795]: packet from d.e.f.135:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 15:35:07 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #5: responding to Main Mode from unknown peer d.e.f.135
Dec 15 15:35:07 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 15:35:07 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #5: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 15:35:10 vpnserver pluto[20795]: packet from d.e.f.135:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 15:35:10 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #6: responding to Main Mode from unknown peer d.e.f.135
Dec 15 15:35:10 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 15:35:10 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #6: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 15:35:13 vpnserver pluto[20795]: packet from d.e.f.135:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 15:35:13 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #7: responding to Main Mode from unknown peer d.e.f.135
Dec 15 15:35:13 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 15:35:13 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #7: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 15:35:16 vpnserver pluto[20795]: packet from d.e.f.135:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 15:35:16 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #8: responding to Main Mode from unknown peer d.e.f.135
Dec 15 15:35:16 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 15:35:16 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #8: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 15:35:19 vpnserver pluto[20795]: packet from d.e.f.135:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 15:35:19 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #9: responding to Main Mode from unknown peer d.e.f.135
Dec 15 15:35:19 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 15:35:19 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #9: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 15:36:05 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #1: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 15 15:36:08 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #2: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 15 15:36:11 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #3: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 15 15:36:14 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #4: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 15 15:36:17 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #5: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 15 15:36:20 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #6: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 15 15:36:23 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #7: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 15 15:36:26 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #8: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 15 15:36:29 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #9: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 15 15:36:29 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135: deleting connection "l2tp-a-psk" instance with peer d.e.f.135 {isakmp=#0/ipsec=#0}
+ _________________________ date
+ date
############/ipsec barf ############
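The pluto log in the barf output above shows every Main Mode attempt from the peer ending at STATE_MAIN_R1 with the retransmission limit reached, i.e. the responder sent MR1 and never processed an MI2. As an added example (this is not code from the post or from Openswan), the Python below parses lines in the format pluto writes to /var/log/secure and summarises, per peer, how many ISAKMP SAs stalled at STATE_MAIN_R1 versus got past it, so the "sent MR1, expecting MI2" symptom can be told apart from a handshake that fails later. The sample log lines, the second peer 192.0.2.7 and the function names are constructed for the example.

```python
"""Per-peer IKEv1 Main Mode summary from Openswan pluto log lines.

Added example, not code from the post or from Openswan. It parses the
SA-scoped message format pluto writes to /var/log/secure.
"""
import re
from collections import defaultdict

# Constructed sample lines. Peer d.e.f.135 mirrors the post's exchange (two of
# its attempts); peer 192.0.2.7 (a documentation address) is made up to show a
# handshake that does receive MI2 and moves on to STATE_MAIN_R2.
SAMPLE_LOG = """\
Dec 15 15:34:55 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #1: responding to Main Mode from unknown peer d.e.f.135
Dec 15 15:34:55 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 15:34:55 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 15:34:58 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #2: responding to Main Mode from unknown peer d.e.f.135
Dec 15 15:34:58 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 15:34:58 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 15:36:05 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #1: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 15 15:36:08 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135 #2: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 15 15:36:29 vpnserver pluto[20795]: "l2tp-a-psk"[1] d.e.f.135: deleting connection "l2tp-a-psk" instance with peer d.e.f.135 {isakmp=#0/ipsec=#0}
Dec 15 15:40:00 vpnserver pluto[20795]: "l2tp-a-psk"[2] 192.0.2.7 #3: responding to Main Mode from unknown peer 192.0.2.7
Dec 15 15:40:00 vpnserver pluto[20795]: "l2tp-a-psk"[2] 192.0.2.7 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 15:40:00 vpnserver pluto[20795]: "l2tp-a-psk"[2] 192.0.2.7 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 15:40:01 vpnserver pluto[20795]: "l2tp-a-psk"[2] 192.0.2.7 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"""

# SA-scoped pluto line: timestamp host pluto[pid]: "conn"[instance] peer #sa: msg
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (\S+)')


def parse_pluto_lines(text):
    """Yield a dict per SA-scoped line; lines without a '#sa' tag are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_main_mode(text):
    """Return {peer: {"attempts", "stalled_at_r1", "past_r1"}}.

    An attempt is one ISAKMP SA (#n) seen for the peer. It is 'stalled' when
    its last state is STATE_MAIN_R1 and pluto ran out of retransmissions there,
    i.e. MR1 went out but no MI2 was ever processed.
    """
    last_state = {}   # (peer, sa) -> last responder state seen
    gave_up_in = {}   # (peer, sa) -> state in which retransmissions ran out
    for ev in parse_pluto_lines(text):
        key = (ev["peer"], int(ev["sa"]))
        t = TRANSITION_RE.search(ev["msg"])
        if t:
            last_state[key] = t.group(2)
        r = RETRANS_RE.search(ev["msg"])
        if r:
            gave_up_in[key] = r.group(2)
            last_state.setdefault(key, r.group(2))
    summary = defaultdict(lambda: {"attempts": 0, "stalled_at_r1": 0, "past_r1": 0})
    for key, state in last_state.items():
        s = summary[key[0]]
        s["attempts"] += 1
        if state == "STATE_MAIN_R1" and gave_up_in.get(key) == "STATE_MAIN_R1":
            s["stalled_at_r1"] += 1
        elif state != "STATE_MAIN_R1":
            s["past_r1"] += 1          # MI2 was processed; failure, if any, is later
    return dict(summary)


def diagnose(summary):
    """One triage line per peer, from the responder's point of view."""
    verdicts = {}
    for peer, s in summary.items():
        if s["attempts"] and s["stalled_at_r1"] == s["attempts"]:
            verdicts[peer] = (
                f"{peer}: all {s['attempts']} Main Mode attempts stalled at STATE_MAIN_R1 "
                "(MR1 sent, MI2 never processed): confirm MR1 leaves this host and the "
                "peer's MI2 arrives on UDP/500 (the NAT-T float to 4500 happens later)")
        elif s["stalled_at_r1"]:
            verdicts[peer] = (f"{peer}: {s['stalled_at_r1']} of {s['attempts']} "
                              "attempts stalled at STATE_MAIN_R1")
        else:
            verdicts[peer] = (f"{peer}: no STATE_MAIN_R1 stall "
                              f"({s['past_r1']} of {s['attempts']} attempts received MI2)")
    return verdicts


if __name__ == "__main__":
    for line in diagnose(summarize_main_mode(SAMPLE_LOG)).values():
        print(line)
```

Run it against a real pluto log by reading /var/log/secure into `summarize_main_mode`; the "deleting connection" line in the sample shows that lines without a `#sa` tag are ignored rather than miscounted.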