[Openswan Users] problem connecting: INVALID_CERTIFICATE

aram price me at aramprice.com
Thu Dec 15 21:51:25 CET 2005


Paul,

I made all the modifications you suggested aside from updating, which I'll take care of back at the office.
Based on the message:
	ignoring informational payload, type INVALID_CERTIFICATE
I'm assuming there's an issue with my certs?  I did try connecting with an invalid username:passwd and did not receive an error.  I can't remember if the PPP CHAP takes place before or after the RSA cert exchange.

I've tried both with and without iptables and /var/log/secure seemed to be the same.  The ipsec barf included is from the attempt with iptables off.

Thanks again for the help on this.

regards,


aram

On 15 Dec, 2005, at 18:44 , Paul Wouters wrote:

> l2tpd is now a Fedora Extras package. It has appeared in "development", but
> I'm waiting for the branches to appear so I can request builds for FC-3 and
> FC-4 as well. You can grab the .src.rpm from "development" and just build
> that. It should be easy and painless.

I'll update l2tpd and openswan (2.4.5dr3) as soon as I can.
Is there a .spec for openswan that I should crib from?

> Are you using certificates on OSX? How did you configure those for X.509?

> You do not need the "me" certificates there, and the "me" private key should not be on the server.

I wasn't certain if this were needed for auth.
Glad to hear it can stay safely on our CA machine.

> Add:
> *	me	mysecret	*
> Though for the last * I would use a real network/mask notation,
> eg 10.10.1.160/27

done:
aram                    *       mysecret                10.10.1.160/27
*                       aram    mysecret                10.10.1.160/27

> You must enable forwarding in /etc/sysctl.conf

done

> You must exclude your 10.10.1.0/24 range by adding %v4:!10.10.1.0/24

done.

> You need to remove the subnet. l2tp will get an IP address in the subnet,
> and the IPsec SA does not cover the subnet at all. It is a host-host connection.

done.

> Using a mix of PSK and RSA will not work right now. auto=ignore one of them
> until this issue is addressed.

Done.  All I really care about is RSA.

> Please temporarily disable the firewall rules for testing purposes.

done

> I do not understand this loop. But try commenting out the PSK connections
> when trying certificates.
>
> Perhaps the OAKLEY.LOG on the windows side has more information.

I'm testing w/ OS X at the moment; if I can get ahold of an XP machine I'll send that along.
The only info in the logs on my Mac is the following:
	L2TP connecting to server 'vpnserver.foo.com' (a.b.c.4)...
	L2TP sent SCCRQ
	L2TP cannot connect to the server

###### ipsec barf ######
vpnserver.foo.com
Thu Dec 15 21:19:28 PST 2005
+ _________________________ version
+ ipsec --version
Linux Openswan U2.4.4/K2.6.14-1.1644_FC4 (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.14-1.1644_FC4 (bhcompile at hs20-bc1-1.build.redhat.com) (gcc version 4.0.1 20050727 (Red Hat 4.0.1-5)) #1 Sun Nov 27 03:25:11 EST 2005
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
d.e.f.128       a.b.c.3         255.255.255.192 UG        0 0          0 eth0
10.20.1.0       a.b.c.3         255.255.255.0   UG        0 0          0 eth0
a.b.c.0         0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         a.b.c.1         0.0.0.0         UG        0 0          0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk       RefCnt Rmem   Wmem   User   Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
(per-socket policy)
         in none
         created: Dec 15 19:24:31 2005  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=211 seq=13 pid=4812
         refcnt=1
(per-socket policy)
         in none
         created: Dec 15 19:24:31 2005  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=195 seq=12 pid=4812
         refcnt=1
(per-socket policy)
         in none
         created: Dec 15 19:24:31 2005  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=179 seq=11 pid=4812
         refcnt=1
(per-socket policy)
         in none
         created: Dec 15 19:24:31 2005  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=163 seq=10 pid=4812
         refcnt=1
(per-socket policy)
         in none
         created: Dec 15 19:24:31 2005  lastused: Dec 15 21:17:58 2005
         lifetime: 0(s) validtime: 0(s)
         spid=147 seq=9 pid=4812
         refcnt=1
(per-socket policy)
         in none
         created: Dec 15 19:24:31 2005  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=131 seq=8 pid=4812
         refcnt=1
(per-socket policy)
         in none
         created: Dec 15 19:24:31 2005  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=115 seq=7 pid=4812
         refcnt=1
(per-socket policy)
         out none
         created: Dec 15 19:24:31 2005  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=220 seq=6 pid=4812
         refcnt=1
(per-socket policy)
         out none
         created: Dec 15 19:24:31 2005  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=204 seq=5 pid=4812
         refcnt=1
(per-socket policy)
         out none
         created: Dec 15 19:24:31 2005  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=188 seq=4 pid=4812
         refcnt=1
(per-socket policy)
         out none
         created: Dec 15 19:24:31 2005  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=172 seq=3 pid=4812
         refcnt=1
(per-socket policy)
         out none
         created: Dec 15 19:24:31 2005  lastused: Dec 15 21:19:26 2005
         lifetime: 0(s) validtime: 0(s)
         spid=156 seq=2 pid=4812
         refcnt=1
(per-socket policy)
         out none
         created: Dec 15 19:24:31 2005  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=140 seq=1 pid=4812
         refcnt=1
(per-socket policy)
         out none
         created: Dec 15 19:24:31 2005  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=124 seq=0 pid=4812
         refcnt=1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 a.b.c.4
000 interface eth0/eth0 a.b.c.4
000 interface eth1/eth1 10.10.1.140
000 interface eth1/eth1 10.10.1.140
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "l2tp-b-cert": a.b.c.4[C=US, ST=California, L=OurCity, O=Foo, Inc., CN=vpnserver.foo.com, E=noc at foo.com]:17/1701...%virtual:17/%any===?; unrouted; eroute owner: #0
000 "l2tp-b-cert":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "l2tp-b-cert":   CAs: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'...'%any'
000 "l2tp-b-cert":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "l2tp-b-cert":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth0;
000 "l2tp-b-cert":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-b-cert"[4]: a.b.c.4[C=US, ST=California, L=OurCity, O=Foo, Inc., CN=vpnserver.foo.com, E=noc at foo.com]:17/1701...w.x.y.z[C=US, ST=California, L=OurCity, O=Foo, Inc., CN=aram.foo.com, E=aram at foo.com]:17/%any===?; unrouted; eroute owner: #0
000 "l2tp-b-cert"[4]:     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "l2tp-b-cert"[4]:   CAs: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'...'%any'
000 "l2tp-b-cert"[4]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "l2tp-b-cert"[4]:   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth0;
000 "l2tp-b-cert"[4]:   newest ISAKMP SA: #5; newest IPsec SA: #0;
000 "l2tp-b-cert"[4]:   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000
000 #4: "l2tp-b-cert"[4] w.x.y.z:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2042s; nodpd
000 #3: "l2tp-b-cert"[4] w.x.y.z:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1779s; nodpd
000 #5: "l2tp-b-cert"[4] w.x.y.z:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3210s; newest ISAKMP; nodpd
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:C0:F0:56:8B:BF
           inet addr:a.b.c.4  Bcast:a.b.c.255  Mask:255.255.255.0
           inet6 addr: fe80::2c0:f0ff:fe56:8bbf/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:15386 errors:1 dropped:0 overruns:0 frame:0
           TX packets:5569 errors:3 dropped:0 overruns:0 carrier:3
           collisions:0 txqueuelen:1000
           RX bytes:3729140 (3.5 MiB)  TX bytes:1611557 (1.5 MiB)
           Interrupt:11 Base address:0x2f00
eth1      Link encap:Ethernet  HWaddr 00:0A:E6:5F:89:7B
           inet addr:10.10.1.140  Bcast:10.10.1.255  Mask:255.255.255.0
           inet6 addr: fe80::20a:e6ff:fe5f:897b/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:5474 errors:0 dropped:0 overruns:0 frame:0
           TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:383400 (374.4 KiB)  TX bytes:9908 (9.6 KiB)
           Interrupt:11 Base address:0xd400
lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
sit0      Link encap:IPv6-in-IPv4
           NOARP  MTU:1480  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:c0:f0:56:8b:bf brd ff:ff:ff:ff:ff:ff
     inet a.b.c.4/24 brd a.b.c.255 scope global eth0
     inet6 fe80::2c0:f0ff:fe56:8bbf/64 scope link
        valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:0a:e6:5f:89:7b brd ff:ff:ff:ff:ff:ff
     inet 10.10.1.140/24 brd 10.10.1.255 scope global eth1
     inet6 fe80::20a:e6ff:fe5f:897b/64 scope link
        valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
     link/sit 0.0.0.0 brd 0.0.0.0
+ _________________________ ip-route-list
+ ip route list
d.e.f.128/26 via a.b.c.3 dev eth0  proto zebra  metric 2 equalize
10.20.1.0/24 via a.b.c.3 dev eth0  proto zebra  metric 2 equalize
a.b.c.0/24 dev eth0  proto kernel  scope link  src a.b.c.4
10.10.1.0/24 dev eth1  proto kernel  scope link  src 10.10.1.140
169.254.0.0/16 dev eth1  scope link
default via a.b.c.1 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.14-1.1644_FC4 (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
   product info: vendor 00:c0:b4, model 0 rev 8
   basic mode:   autonegotiation enabled
   basic status: autonegotiation complete, link ok
   capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
   advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
   link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: negotiated 100baseTx-FD, link ok
   product info: vendor 00:00:20, model 32 rev 1
   basic mode:   autonegotiation enabled
   basic status: autonegotiation complete, link ok
   capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
   advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
   link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
vpnserver.foo.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
a.b.c.4
+ _________________________ uptime
+ uptime
21:19:28 up  2:08,  1 user,  load average: 0.08, 0.03, 0.01
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0  4790  3662  16   0   1408   276 wait   S+   pts/0      0:00              \_ /usr/sbin/sesh /usr/sbin/ipsec barf
0     0  4791  4790  19   0   4328  1068 -      R+   pts/0      0:00                  \_ /bin/sh /usr/libexec/ipsec/barf
1     0  2778     1  22   0   2300   400 wait   S    ?          0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug  --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_traversal yes --keep_alive  --protostack auto --force_keepalive  --disable_port_floating  --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16%v4:!10.10.1.0/24 --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
1     0  2779  2778  22   0   2300   592 wait   S    ?          0:00  \_ /bin/sh /usr/lib/ipsec/_plutorun --debug  --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_traversal yes --keep_alive  --protostack auto --force_keepalive  --disable_port_floating  --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16%v4:!10.10.1.0/24 --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
4     0  2780  2779  15   0   2560  1320 -      S    ?          0:00  |   \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16%v4:!10.10.1.0/24
1     0  2781  2780  26  10   2500   412 -      SN   ?          0:00  |       \_ pluto helper  #  0
0     0  2806  2780  25   0   1488   232 -      S    ?          0:00  |       \_ _pluto_adns
0     0  2807  2778  19   0   2300  1100 pipe_w S    ?          0:00  \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0     0  2809     1  22   0   1544   372 pipe_w S    ?          0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
         # plutodebug / klipsdebug = "all", "none" or a combination from below:
         # "raw crypt parsing emitting control klips pfkey natt x509 private"
         # eg:
         # plutodebug="control parsing"
         #
         # Only enable klipsdebug=all if you are a developer
         #
         # NAT-TRAVERSAL support, see README.NAT-Traversal
         nat_traversal=yes
         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16%v4:!10.10.1.0/24
         interfaces="ipsec0=eth0"
# Add connections here
conn %default
         keyingtries=1
         compress=yes
         pfs=no
         disablearrivalcheck=no
         left=a.b.c.4
         leftprotoport=17/1701
         right=%any
         rightsubnet=vhost:%no,%priv
         rightprotoport=17/%any
conn l2tp-a-psk
         authby=secret
         auto=ignore
conn l2tp-b-cert
         authby=rsasig
         leftcert=vpnserver.foo.com.pem
         leftrsasigkey=%cert
         rightcert=%any
         rightrsasigkey=%cert
         auto=add
# sample VPN connection
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=start
#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
     auto=ignore
conn private
     auto=ignore
conn private-or-clear
     auto=ignore
conn clear-or-private
     auto=ignore
conn clear
     auto=ignore
conn packetdefault
     auto=ignore
#> /etc/ipsec.conf 65
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA vpnserver.foo.com.key "[sums to 6445...]"
a.b.c.4 %any: PSK "[sums to 29f7...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Dec 15 21:17:28 2005, 1024 RSA Key AwEAAd0zS, until Dec 13 16:15:49 2006 ok
000        ID_DER_ASN1_DN 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=aram.foo.com, E=aram at foo.com'
000        Issuer 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000 Dec 15 19:24:31 2005, 1024 RSA Key AwEAAdTPx, until Dec 13 16:21:49 2006 ok
000        ID_DER_ASN1_DN 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=vpnserver.foo.com, E=noc at foo.com'
000        Issuer 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000
000 List of X.509 End Certificates:
000
000 Dec 15 19:24:31 2005, count: 2
000        subject: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=vpnserver.foo.com, E=noc at foo.com'
000        issuer:  'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000        serial:   01
000        pubkey:   1024 RSA Key AwEAAdTPx, has private key
000        validity: not before Dec 13 16:21:49 2005 ok
000                  not after  Dec 13 16:21:49 2006 ok
000        subjkey:  1f:47:56:86:bd:ec:db:52:be:ab:43:28:1e:99:1d:f0:9a:77:e0:dd
000        authkey:  9c:de:b0:cb:a4:a8:8b:a1:42:53:63:9b:b9:81:b5:4e:be:2a:36:02
000        aserial:  00:ea:d7:fe:7a:0d:9c:50:b0
000
000 List of X.509 CA Certificates:
000
000 Dec 15 19:24:31 2005, count: 1
000        subject: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000        issuer:  'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000        serial:   00:ea:d7:fe:7a:0d:9c:50:b0
000        pubkey:   1024 RSA Key AwEAAe8+d
000        validity: not before Dec 13 16:15:49 2005 ok
000                  not after  Dec 13 16:15:49 2006 ok
000        subjkey:  9c:de:b0:cb:a4:a8:8b:a1:42:53:63:9b:b9:81:b5:4e:be:2a:36:02
000        authkey:  9c:de:b0:cb:a4:a8:8b:a1:42:53:63:9b:b9:81:b5:4e:be:2a:36:02
000        aserial:  00:ea:d7:fe:7a:0d:9c:50:b0
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption.  This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications.  If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 164
-rwxr-xr-x  1 root root 15535 Nov 19 00:42 _confread
-rwxr-xr-x  1 root root 14986 Nov 19 00:42 _copyright
-rwxr-xr-x  1 root root  2379 Nov 19 00:42 _include
-rwxr-xr-x  1 root root  1475 Nov 19 00:42 _keycensor
-rwxr-xr-x  1 root root  3586 Nov 19 00:42 _plutoload
-rwxr-xr-x  1 root root  7431 Nov 19 00:42 _plutorun
-rwxr-xr-x  1 root root 12275 Nov 19 00:42 _realsetup
-rwxr-xr-x  1 root root  1975 Nov 19 00:42 _secretcensor
-rwxr-xr-x  1 root root  9778 Nov 19 00:42 _startklips
-rwxr-xr-x  1 root root 13417 Nov 19 00:42 _updown
-rwxr-xr-x  1 root root 15746 Nov 19 00:42 _updown_x509
-rwxr-xr-x  1 root root  1942 Nov 19 00:42 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 3120
-rwxr-xr-x  1 root root   28005 Nov 19 00:42 _pluto_adns
-rwxr-xr-x  1 root root   19081 Nov 19 00:42 auto
-rwxr-xr-x  1 root root   10584 Nov 19 00:42 barf
-rwxr-xr-x  1 root root     816 Nov 19 00:42 calcgoo
-rwxr-xr-x  1 root root  184043 Nov 19 00:42 eroute
-rwxr-xr-x  1 root root   58188 Nov 19 00:42 ikeping
-rwxr-xr-x  1 root root  121204 Nov 19 00:42 klipsdebug
-rwxr-xr-x  1 root root    1836 Nov 19 00:42 livetest
-rwxr-xr-x  1 root root    2605 Nov 19 00:42 look
-rwxr-xr-x  1 root root    7153 Nov 19 00:42 mailkey
-rwxr-xr-x  1 root root   15996 Nov 19 00:42 manual
-rwxr-xr-x  1 root root    1926 Nov 19 00:42 newhostkey
-rwxr-xr-x  1 root root  106773 Nov 19 00:42 pf_key
-rwxr-xr-x  1 root root 1746023 Nov 19 00:42 pluto
-rwxr-xr-x  1 root root   25958 Nov 19 00:42 ranbits
-rwxr-xr-x  1 root root   47954 Nov 19 00:42 rsasigkey
-rwxr-xr-x  1 root root     766 Nov 19 00:42 secrets
-rwxr-xr-x  1 root root   17636 Nov 19 00:42 send-pr
lrwxrwxrwx  1 root root      22 Dec 12 14:26 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x  1 root root    1054 Nov 19 00:42 showdefaults
-rwxr-xr-x  1 root root    4748 Nov 19 00:42 showhostkey
-rwxr-xr-x  1 root root  290498 Nov 19 00:42 spi
-rwxr-xr-x  1 root root  151233 Nov 19 00:42 spigrp
-rwxr-xr-x  1 root root   25331 Nov 19 00:42 tncfg
-rwxr-xr-x  1 root root   10607 Nov 19 00:42 verify
-rwxr-xr-x  1 root root  126409 Nov 19 00:42 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0: 3730178   15401    1    0    0     0          0         0  1657035    5604    3    0    0     0       3          0
  eth1:  383844    5478    0    0    0     0          0         0    10181     128    0    0    0     0       0          0
  sit0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface   Destination     Gateway         Flags   RefCnt  Use     Metric  Mask            MTU     Window  IRTT
eth0    806E513F        03F66D43        0003    0       0       2       C0FFFFFF        0       0       0
eth0    0001140A        03F66D43        0003    0       0       2       00FFFFFF        0       0       0
eth0    00F66D43        00000000        0001    0       0       0       00FFFFFF        0       0       0
eth1    00010A0A        00000000        0001    0       0       0       00FFFFFF        0       0       0
eth1    0000FEA9        00000000        0001    0       0       0       0000FFFF        0       0       0
eth0    00000000        01F66D43        0003    0       0       0       00000000        0       0       0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux vpnserver.foo.com 2.6.14-1.1644_FC4 #1 Sun Nov 27 03:25:11 EST 2005 i686 athlon i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 4 (Stentz)
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.14-1.1644_FC4) support detected '
NETKEY (2.6.14-1.1644_FC4) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
iptable_mangle 3009 0 - Live 0xe0a21000
iptable_nat 7749 0 - Live 0xe097c000
ip_nat 18773 1 iptable_nat, Live 0xe0968000
ip_conntrack 52081 2 iptable_nat,ip_nat, Live 0xe0a2d000
nfnetlink 6745 2 ip_nat,ip_conntrack, Live 0xe0976000
iptable_filter 3137 0 - Live 0xe0841000
ip_tables 20289 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xe096e000
xfrm4_tunnel 4165 0 - Live 0xe0a42000
af_key 34257 0 - Live 0xe0af4000
deflate 4033 0 - Live 0xe0974000
zlib_deflate 23001 1 deflate, Live 0xe0a5e000
twofish 44225 0 - Live 0xe0ae8000
serpent 25025 0 - Live 0xe0a66000
blowfish 9281 0 - Live 0xe0a3b000
sha256 10817 0 - Live 0xe0a29000
crypto_null 2369 0 - Live 0xe0964000
aes 27777 0 - Live 0xe0a56000
des 16449 0 - Live 0xe0a50000
ipcomp 8137 0 - Live 0xe0a1c000
esp4 8257 0 - Live 0xe097f000
ah4 6337 0 - Live 0xe0979000
autofs4 19781 2 - Live 0xe0a23000
sunrpc 141821 1 - Live 0xe0ac4000
ipv6 249889 14 - Live 0xe0a85000
video 16325 0 - Live 0xe08f7000
button 6737 0 - Live 0xe08e8000
battery 9541 0 - Live 0xe0948000
ac 4933 0 - Live 0xe08eb000
ohci_hcd 22497 0 - Live 0xe0941000
shpchp 93701 0 - Live 0xe0983000
i2c_sis630 7885 0 - Live 0xe08c1000
i2c_sis96x 5829 0 - Live 0xe08e2000
i2c_core 22209 2 i2c_sis630,i2c_sis96x, Live 0xe093a000
snd_intel8x0 32929 0 - Live 0xe0930000
snd_ac97_codec 88893 1 snd_intel8x0, Live 0xe094d000
snd_ac97_bus 2497 1 snd_ac97_codec, Live 0xe08c4000
snd_seq_dummy 3781 0 - Live 0xe08a9000
snd_seq_oss 31937 0 - Live 0xe08ee000
snd_seq_midi_event 7105 1 snd_seq_oss, Live 0xe0854000
snd_seq 49873 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event, Live 0xe0922000
snd_seq_device 9165 3 snd_seq_dummy,snd_seq_oss,snd_seq, Live 0xe08ce000
snd_pcm_oss 51057 0 - Live 0xe0914000
snd_mixer_oss 18113 1 snd_pcm_oss, Live 0xe08c8000
snd_pcm 87749 3 snd_intel8x0,snd_ac97_codec,snd_pcm_oss, Live 0xe08fd000
snd_timer 25285 2 snd_seq,snd_pcm, Live 0xe089a000
snd 54949 9 snd_intel8x0,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer, Live 0xe08d3000
soundcore 9889 1 snd, Live 0xe08bd000
snd_page_alloc 10825 2 snd_intel8x0,snd_pcm, Live 0xe08b9000
sis900 21697 0 - Live 0xe08a2000
mii 5441 1 sis900, Live 0xe0857000
tulip 51041 0 - Live 0xe08ab000
floppy 61957 0 - Live 0xe0867000
dm_snapshot 17901 0 - Live 0xe0861000
dm_zero 2113 0 - Live 0xe081c000
dm_mirror 22549 0 - Live 0xe085a000
ext3 130505 2 - Live 0xe0879000
jbd 57941 1 ext3, Live 0xe0831000
dm_mod 57053 6 dm_snapshot,dm_zero,dm_mirror, Live 0xe0843000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal:       515724 kB
MemFree:        300556 kB
Buffers:         17844 kB
Cached:         161552 kB
SwapCached:          0 kB
Active:         115872 kB
Inactive:        71760 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       515724 kB
LowFree:        300556 kB
SwapTotal:     1048568 kB
SwapFree:      1048568 kB
Dirty:             296 kB
Writeback:           0 kB
Mapped:          14928 kB
Slab:            20880 kB
CommitLimit:   1306428 kB
Committed_AS:    42800 kB
PageTables:       1140 kB
VmallocTotal:   507896 kB
VmallocUsed:      3196 kB
VmallocChunk:   500312 kB
HugePages_Total:     0
HugePages_Free:      0
Hugepagesize:     4096 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.14-1.1644_FC4/build/.config
++ uname -r
+ cat /lib/modules/2.6.14-1.1644_FC4/build/.config
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_TUNNEL=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=m
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NETBIOS_NS=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_DCCP=m
CONFIG_IP_NF_MATCH_COMMENT=m
CONFIG_IP_NF_MATCH_CONNMARK=m
CONFIG_IP_NF_MATCH_CONNBYTES=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_STRING=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_TARGET_NFQUEUE=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CONNMARK=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_PHYSDEV=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_TARGET_NFQUEUE=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_DCCP=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_DCCP_CCID3=m
CONFIG_IP_DCCP_TFRC_LIB=m
# CONFIG_IP_DCCP_DEBUG is not set
CONFIG_IP_DCCP_UNLOAD_HACK=y
CONFIG_IP_SCTP=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPW2100=m
CONFIG_IPW2100_MONITOR=y
# CONFIG_IPW_DEBUG is not set
CONFIG_IPW2200=m
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
# generated by NetworkManager, do not edit!
search foo.com
nameserver 10.10.1.1
nameserver a.b.c.5
nameserver a.b.c.6
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x  3 root root 4096 Dec 12 14:15 2.6.14-1.1644_FC4
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c02ae97a T netif_rx
c02aeb29 T netif_rx_ni
c02ae97a U netif_rx     [ipv6]
c02ae97a U netif_rx     [sis900]
c02ae97a U netif_rx     [tulip]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.14-1.1644_FC4:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '2251,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Dec 15 19:24:31 vpnserver ipsec_setup: Starting Openswan IPsec 2.4.4...
Dec 15 19:24:31 vpnserver ipsec_setup: insmod /lib/modules/2.6.14-1.1644_FC4/kernel/net/key/af_key.ko
Dec 15 19:24:31 vpnserver ipsec_setup: insmod /lib/modules/2.6.14-1.1644_FC4/kernel/net/ipv4/xfrm4_tunnel.ko
+ _________________________ plog
+ sed -n '4041,$p' /var/log/secure
+ egrep -i pluto
+ case "$1" in
+ cat
Dec 15 19:24:31 vpnserver ipsec__plutorun: Starting Pluto subsystem...
Dec 15 19:24:31 vpnserver pluto[2780]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Dec 15 19:24:31 vpnserver pluto[2780]: Setting NAT-Traversal port-4500 floating to on
Dec 15 19:24:31 vpnserver pluto[2780]:    port floating activation criteria nat_t=1/port_fload=1
Dec 15 19:24:31 vpnserver pluto[2780]:   including NAT-Traversal patch (Version 0.6c)
Dec 15 19:24:31 vpnserver pluto[2780]: 1 bad entries in virtual_private - none loaded
Dec 15 19:24:31 vpnserver pluto[2780]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 15 19:24:31 vpnserver pluto[2780]: starting up 1 cryptographic helpers
Dec 15 19:24:31 vpnserver pluto[2780]: started helper pid=2781 (fd:6)
Dec 15 19:24:31 vpnserver pluto[2780]: Using Linux 2.6 IPsec interface code on 2.6.14-1.1644_FC4
Dec 15 19:24:31 vpnserver pluto[2780]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 15 19:24:31 vpnserver pluto[2780]:   loaded CA cert file 'cacert.pem' (1363 bytes)
Dec 15 19:24:31 vpnserver pluto[2780]: Could not change to directory '/etc/ipsec.d/aacerts'
Dec 15 19:24:31 vpnserver pluto[2780]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Dec 15 19:24:31 vpnserver pluto[2780]: Could not change to directory '/etc/ipsec.d/crls'
Dec 15 19:24:31 vpnserver pluto[2780]:   loaded host cert file '/etc/ipsec.d/certs/vpnserver.foo.com.pem' (3815 bytes)
Dec 15 19:24:31 vpnserver pluto[2780]:   could not open host cert file '/etc/ipsec.d/certs/%any'
Dec 15 19:24:31 vpnserver pluto[2780]: added connection description "l2tp-b-cert"
Dec 15 19:24:31 vpnserver pluto[2780]: listening for IKE messages
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface eth1/eth1 10.10.1.140:500
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface eth1/eth1 10.10.1.140:4500
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface eth0/eth0 a.b.c.4:500
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface eth0/eth0 a.b.c.4:4500
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface lo/lo 127.0.0.1:500
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface lo/lo 127.0.0.1:4500
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface lo/lo ::1:500
Dec 15 19:24:31 vpnserver pluto[2780]: loading secrets from "/etc/ipsec.secrets"
Dec 15 19:24:31 vpnserver pluto[2780]:   loaded private key file '/etc/ipsec.d/private/vpnserver.foo.com.key' (1692 bytes)
Dec 15 19:24:44 vpnserver pluto[2780]: packet from w.x.y.z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1: responding to Main Mode from unknown peer w.x.y.z
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1: ignoring Vendor ID payload [KAME/racoon]
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=aram.foo.com, E=aram at foo.com'
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1: no crl from issuer "C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com" found (strict=no)
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1: deleting connection "l2tp-b-cert" instance with peer w.x.y.z {isakmp=#0/ipsec=#0}
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1: I am sending my cert
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1: ignoring informational payload, type INVALID_CERTIFICATE
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1: received and ignored informational message
Dec 15 19:24:47 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 19:24:50 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 19:24:53 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
Dec 15 20:20:14 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #2: initiating Main Mode to replace #1
Dec 15 20:21:24 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Dec 15 20:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1: ISAKMP SA expired (LATEST!)
Dec 15 20:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z: deleting connection "l2tp-b-cert" instance with peer w.x.y.z {isakmp=#0/ipsec=#0}
Dec 15 20:53:26 vpnserver pluto[2780]: packet from w.x.y.z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3: responding to Main Mode from unknown peer w.x.y.z
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3: ignoring Vendor ID payload [KAME/racoon]
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 15 20:53:29 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3: discarding duplicate packet; already STATE_MAIN_R2
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=aram.foo.com, E=aram at foo.com'
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3: no crl from issuer "C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com" found (strict=no)
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3: deleting connection "l2tp-b-cert" instance with peer w.x.y.z {isakmp=#0/ipsec=#0}
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3: I am sending my cert
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3: ignoring informational payload, type INVALID_CERTIFICATE
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3: received and ignored informational message
Dec 15 20:53:40 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 20:53:43 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 20:53:46 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
Dec 15 20:58:00 vpnserver pluto[2780]: packet from w.x.y.z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: responding to Main Mode from unknown peer w.x.y.z
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: ignoring Vendor ID payload [KAME/racoon]
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=aram.foo.com, E=aram at foo.com'
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: no crl from issuer "C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com" found (strict=no)
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: I am sending my cert
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: ignoring informational payload, type INVALID_CERTIFICATE
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: received and ignored informational message
Dec 15 20:58:02 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 20:58:05 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 20:58:08 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
Dec 15 21:17:28 vpnserver pluto[2780]: packet from w.x.y.z:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: responding to Main Mode from unknown peer w.x.y.z
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: ignoring Vendor ID payload [KAME/racoon]
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=aram.foo.com, E=aram at foo.com'
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: no crl from issuer "C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com" found (strict=no)
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: I am sending my cert
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: ignoring informational payload, type INVALID_CERTIFICATE
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: received and ignored informational message
Dec 15 21:17:31 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 21:17:33 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 21:17:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
+ _________________________ date
+ date
Thu Dec 15 21:19:29 PST 2005
###### ipsec barf ######