[Openswan Users] problem connecting: INVALID_CERTIFICATE
aram price
me at aramprice.com
Thu Dec 15 21:51:25 CET 2005
Paul,

I made all the modifications you suggested aside from updating, which
I'll take care of back at the office.

Based on the message:

ignoring informational payload, type INVALID_CERTIFICATE

I'm assuming there's an issue with my certs? I did try connecting
with an invalid username:passwd and did not receive an error. I
can't remember if the PPP CHAP takes place before or after the RSA
cert exchange.

I've tried both with and without iptables and /var/log/secure seemed
to be the same. The ipsec barf included is from the attempt with
iptables off.

Thanks again for the help on this.

regards,
aram
On 15 Dec, 2005, at 18:44 , Paul Wouters wrote:

> l2tpd is now a Fedora Extras package. It has appeared in "development", but
> I'm waiting for the branches to appear so I can request builds for FC-3 and
> FC-4 as well. You can grab the .src.rpm from "development" and just build
> that. It should be easy and painless.

I'll update l2tpd and openswan (2.4.5dr3) as soon as I can.
Is there a .spec for openswan that I should crib from?

> Are you using certificates on OSX? How did you configure those for X.509?
> You do not need the "me" certificates there.
> and the "me" private key should not be on the server.

I wasn't certain if this were needed for auth.
Glad to hear it can stay safely on our CA machine.

> Add:
> * me mysecret *
> Though for the last * I would use a real network/mask notation,
> e.g. 10.10.1.160/27

Done:
aram * mysecret 10.10.1.160/27
* aram mysecret 10.10.1.160/27

> You must enable forwarding in /etc/sysctl.conf

Done.

> You must exclude your 10.10.1.0/24 range by adding %v4:!10.10.1.0/24

Done.

> You need to remove the subnet. l2tp will get an IP address in the subnet,
> and the IPsec SA does not cover the subnet at all. It is a host-host
> connection.

Done.

> Using a mix of PSK and RSA will not work right now. auto=ignore one of them
> until this issue is addressed.

Done. All I really care about is RSA.

> Please temporarily disable the firewall rules for testing purposes.

Done.

> I do not understand this loop. But try commenting out the PSK connections
> when trying certificates.
>
> Perhaps the OAKLEY.LOG on the windows side has more information.

I'm testing with OS X at the moment; if I can get hold of an XP machine
I'll send that along.

The only info in the logs on my mac is the following:

L2TP connecting to server 'vpnserver.foo.com' (a.b.c.4)...
L2TP sent SCCRQ
L2TP cannot connect to the server
###### ipsec barf ######
vpnserver.foo.com
Thu Dec 15 21:19:28 PST 2005
+ _________________________ version
+ ipsec --version
Linux Openswan U2.4.4/K2.6.14-1.1644_FC4 (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.14-1.1644_FC4 (bhcompile at hs20-bc1-1.build.redhat.com) (gcc version 4.0.1 20050727 (Red Hat 4.0.1-5)) #1 Sun Nov 27 03:25:11 EST 2005
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
d.e.f.128       a.b.c.3         255.255.255.192 UG        0 0          0 eth0
10.20.1.0       a.b.c.3         255.255.255.0   UG        0 0          0 eth0
a.b.c.0         0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         a.b.c.1         0.0.0.0         UG        0 0          0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
(per-socket policy)
in none
created: Dec 15 19:24:31 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=211 seq=13 pid=4812
refcnt=1
(per-socket policy)
in none
created: Dec 15 19:24:31 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=195 seq=12 pid=4812
refcnt=1
(per-socket policy)
in none
created: Dec 15 19:24:31 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=179 seq=11 pid=4812
refcnt=1
(per-socket policy)
in none
created: Dec 15 19:24:31 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=163 seq=10 pid=4812
refcnt=1
(per-socket policy)
in none
created: Dec 15 19:24:31 2005 lastused: Dec 15 21:17:58 2005
lifetime: 0(s) validtime: 0(s)
spid=147 seq=9 pid=4812
refcnt=1
(per-socket policy)
in none
created: Dec 15 19:24:31 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=131 seq=8 pid=4812
refcnt=1
(per-socket policy)
in none
created: Dec 15 19:24:31 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=115 seq=7 pid=4812
refcnt=1
(per-socket policy)
out none
created: Dec 15 19:24:31 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=220 seq=6 pid=4812
refcnt=1
(per-socket policy)
out none
created: Dec 15 19:24:31 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=204 seq=5 pid=4812
refcnt=1
(per-socket policy)
out none
created: Dec 15 19:24:31 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=188 seq=4 pid=4812
refcnt=1
(per-socket policy)
out none
created: Dec 15 19:24:31 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=172 seq=3 pid=4812
refcnt=1
(per-socket policy)
out none
created: Dec 15 19:24:31 2005 lastused: Dec 15 21:19:26 2005
lifetime: 0(s) validtime: 0(s)
spid=156 seq=2 pid=4812
refcnt=1
(per-socket policy)
out none
created: Dec 15 19:24:31 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=140 seq=1 pid=4812
refcnt=1
(per-socket policy)
out none
created: Dec 15 19:24:31 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=124 seq=0 pid=4812
refcnt=1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 a.b.c.4
000 interface eth0/eth0 a.b.c.4
000 interface eth1/eth1 10.10.1.140
000 interface eth1/eth1 10.10.1.140
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "l2tp-b-cert": a.b.c.4[C=US, ST=California, L=OurCity, O=Foo, Inc., CN=vpnserver.foo.com, E=noc at foo.com]:17/1701...%virtual:17/%any===?; unrouted; eroute owner: #0
000 "l2tp-b-cert": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "l2tp-b-cert": CAs: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'...'%any'
000 "l2tp-b-cert": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "l2tp-b-cert": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth0;
000 "l2tp-b-cert": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-b-cert"[4]: a.b.c.4[C=US, ST=California, L=OurCity, O=Foo, Inc., CN=vpnserver.foo.com, E=noc at foo.com]:17/1701...w.x.y.z[C=US, ST=California, L=OurCity, O=Foo, Inc., CN=aram.foo.com, E=aram at foo.com]:17/%any===?; unrouted; eroute owner: #0
000 "l2tp-b-cert"[4]: srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "l2tp-b-cert"[4]: CAs: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'...'%any'
000 "l2tp-b-cert"[4]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "l2tp-b-cert"[4]: policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth0;
000 "l2tp-b-cert"[4]: newest ISAKMP SA: #5; newest IPsec SA: #0;
000 "l2tp-b-cert"[4]: IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000
000 #4: "l2tp-b-cert"[4] w.x.y.z:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2042s; nodpd
000 #3: "l2tp-b-cert"[4] w.x.y.z:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1779s; nodpd
000 #5: "l2tp-b-cert"[4] w.x.y.z:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3210s; newest ISAKMP; nodpd
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:C0:F0:56:8B:BF
inet addr:a.b.c.4 Bcast:a.b.c.255 Mask:255.255.255.0
inet6 addr: fe80::2c0:f0ff:fe56:8bbf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15386 errors:1 dropped:0 overruns:0 frame:0
TX packets:5569 errors:3 dropped:0 overruns:0 carrier:3
collisions:0 txqueuelen:1000
RX bytes:3729140 (3.5 MiB) TX bytes:1611557 (1.5 MiB)
Interrupt:11 Base address:0x2f00
eth1 Link encap:Ethernet HWaddr 00:0A:E6:5F:89:7B
inet addr:10.10.1.140 Bcast:10.10.1.255 Mask:255.255.255.0
inet6 addr: fe80::20a:e6ff:fe5f:897b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5474 errors:0 dropped:0 overruns:0 frame:0
TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:383400 (374.4 KiB) TX bytes:9908 (9.6 KiB)
Interrupt:11 Base address:0xd400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:c0:f0:56:8b:bf brd ff:ff:ff:ff:ff:ff
inet a.b.c.4/24 brd a.b.c.255 scope global eth0
inet6 fe80::2c0:f0ff:fe56:8bbf/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0a:e6:5f:89:7b brd ff:ff:ff:ff:ff:ff
inet 10.10.1.140/24 brd 10.10.1.255 scope global eth1
inet6 fe80::20a:e6ff:fe5f:897b/64 scope link
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
+ _________________________ ip-route-list
+ ip route list
d.e.f.128/26 via a.b.c.3 dev eth0 proto zebra metric 2 equalize
10.20.1.0/24 via a.b.c.3 dev eth0 proto zebra metric 2 equalize
a.b.c.0/24 dev eth0 proto kernel scope link src a.b.c.4
10.10.1.0/24 dev eth1 proto kernel scope link src 10.10.1.140
169.254.0.0/16 dev eth1 scope link
default via a.b.c.1 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.14-1.1644_FC4 (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:c0:b4, model 0 rev 8
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:20, model 32 rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
vpnserver.foo.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
a.b.c.4
+ _________________________ uptime
+ uptime
21:19:28 up 2:08, 1 user, load average: 0.08, 0.03, 0.01
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI  VSZ  RSS WCHAN  STAT TTY   TIME COMMAND
4     0  4790  3662  16   0 1408  276 wait   S+   pts/0 0:00  \_ /usr/sbin/sesh /usr/sbin/ipsec barf
0     0  4791  4790  19   0 4328 1068 -      R+   pts/0 0:00      \_ /bin/sh /usr/libexec/ipsec/barf
1     0  2778     1  22   0 2300  400 wait   S    ?     0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16%v4:!10.10.1.0/24 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
1     0  2779  2778  22   0 2300  592 wait   S    ?     0:00  \_ /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16%v4:!10.10.1.0/24 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
4     0  2780  2779  15   0 2560 1320 -      S    ?     0:00  |   \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16%v4:!10.10.1.0/24
1     0  2781  2780  26  10 2500  412 -      SN   ?     0:00  |       \_ pluto helper # 0
0     0  2806  2780  25   0 1488  232 -      S    ?     0:00  |       \_ _pluto_adns
0     0  2807  2778  19   0 2300 1100 pipe_w S    ?     0:00  \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0     0  2809     1  22   0 1544  372 pipe_w S    ?     0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16%v4:!10.10.1.0/24
        interfaces="ipsec0=eth0"

# Add connections here
conn %default
        keyingtries=1
        compress=yes
        pfs=no
        disablearrivalcheck=no
        left=a.b.c.4
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/%any

conn l2tp-a-psk
        authby=secret
        auto=ignore

conn l2tp-b-cert
        authby=rsasig
        leftcert=vpnserver.foo.com.pem
        leftrsasigkey=%cert
        rightcert=%any
        rightrsasigkey=%cert
        auto=add

# sample VPN connection
#conn sample
#       # Left security gateway, subnet behind it, nexthop toward right.
#       left=10.0.0.1
#       leftsubnet=172.16.0.0/24
#       leftnexthop=10.22.33.44
#       # Right security gateway, subnet behind it, nexthop toward left.
#       right=10.12.12.1
#       rightsubnet=192.168.0.0/24
#       rightnexthop=10.101.102.103
#       # To authorize this connection, but not actually start it,
#       # at startup, uncomment this.
#       #auto=start

#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore
#> /etc/ipsec.conf 65
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA vpnserver.foo.com.key "[sums to 6445...]"
a.b.c.4 %any: PSK "[sums to 29f7...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Dec 15 21:17:28 2005, 1024 RSA Key AwEAAd0zS, until Dec 13 16:15:49 2006 ok
000        ID_DER_ASN1_DN 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=aram.foo.com, E=aram at foo.com'
000        Issuer 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000 Dec 15 19:24:31 2005, 1024 RSA Key AwEAAdTPx, until Dec 13 16:21:49 2006 ok
000        ID_DER_ASN1_DN 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=vpnserver.foo.com, E=noc at foo.com'
000        Issuer 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000
000 List of X.509 End Certificates:
000
000 Dec 15 19:24:31 2005, count: 2
000        subject: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=vpnserver.foo.com, E=noc at foo.com'
000        issuer:  'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000        serial:   01
000        pubkey:   1024 RSA Key AwEAAdTPx, has private key
000        validity: not before Dec 13 16:21:49 2005 ok
000                  not after  Dec 13 16:21:49 2006 ok
000        subjkey:  1f:47:56:86:bd:ec:db:52:be:ab:43:28:1e:99:1d:f0:9a:77:e0:dd
000        authkey:  9c:de:b0:cb:a4:a8:8b:a1:42:53:63:9b:b9:81:b5:4e:be:2a:36:02
000        aserial:  00:ea:d7:fe:7a:0d:9c:50:b0
000
000 List of X.509 CA Certificates:
000
000 Dec 15 19:24:31 2005, count: 1
000        subject: 'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000        issuer:  'C=US, ST=California, L=OurCity, O=Foo, Inc., CN=ca.foo.com, E=noc at foo.com'
000        serial:   00:ea:d7:fe:7a:0d:9c:50:b0
000        pubkey:   1024 RSA Key AwEAAe8+d
000        validity: not before Dec 13 16:15:49 2005 ok
000                  not after  Dec 13 16:15:49 2006 ok
000        subjkey:  9c:de:b0:cb:a4:a8:8b:a1:42:53:63:9b:b9:81:b5:4e:be:2a:36:02
000        authkey:  9c:de:b0:cb:a4:a8:8b:a1:42:53:63:9b:b9:81:b5:4e:be:2a:36:02
000        aserial:  00:ea:d7:fe:7a:0d:9c:50:b0
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 164
-rwxr-xr-x 1 root root 15535 Nov 19 00:42 _confread
-rwxr-xr-x 1 root root 14986 Nov 19 00:42 _copyright
-rwxr-xr-x 1 root root 2379 Nov 19 00:42 _include
-rwxr-xr-x 1 root root 1475 Nov 19 00:42 _keycensor
-rwxr-xr-x 1 root root 3586 Nov 19 00:42 _plutoload
-rwxr-xr-x 1 root root 7431 Nov 19 00:42 _plutorun
-rwxr-xr-x 1 root root 12275 Nov 19 00:42 _realsetup
-rwxr-xr-x 1 root root 1975 Nov 19 00:42 _secretcensor
-rwxr-xr-x 1 root root 9778 Nov 19 00:42 _startklips
-rwxr-xr-x 1 root root 13417 Nov 19 00:42 _updown
-rwxr-xr-x 1 root root 15746 Nov 19 00:42 _updown_x509
-rwxr-xr-x 1 root root 1942 Nov 19 00:42 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 3120
-rwxr-xr-x 1 root root 28005 Nov 19 00:42 _pluto_adns
-rwxr-xr-x 1 root root 19081 Nov 19 00:42 auto
-rwxr-xr-x 1 root root 10584 Nov 19 00:42 barf
-rwxr-xr-x 1 root root 816 Nov 19 00:42 calcgoo
-rwxr-xr-x 1 root root 184043 Nov 19 00:42 eroute
-rwxr-xr-x 1 root root 58188 Nov 19 00:42 ikeping
-rwxr-xr-x 1 root root 121204 Nov 19 00:42 klipsdebug
-rwxr-xr-x 1 root root 1836 Nov 19 00:42 livetest
-rwxr-xr-x 1 root root 2605 Nov 19 00:42 look
-rwxr-xr-x 1 root root 7153 Nov 19 00:42 mailkey
-rwxr-xr-x 1 root root 15996 Nov 19 00:42 manual
-rwxr-xr-x 1 root root 1926 Nov 19 00:42 newhostkey
-rwxr-xr-x 1 root root 106773 Nov 19 00:42 pf_key
-rwxr-xr-x 1 root root 1746023 Nov 19 00:42 pluto
-rwxr-xr-x 1 root root 25958 Nov 19 00:42 ranbits
-rwxr-xr-x 1 root root 47954 Nov 19 00:42 rsasigkey
-rwxr-xr-x 1 root root 766 Nov 19 00:42 secrets
-rwxr-xr-x 1 root root 17636 Nov 19 00:42 send-pr
lrwxrwxrwx 1 root root 22 Dec 12 14:26 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Nov 19 00:42 showdefaults
-rwxr-xr-x 1 root root 4748 Nov 19 00:42 showhostkey
-rwxr-xr-x 1 root root 290498 Nov 19 00:42 spi
-rwxr-xr-x 1 root root 151233 Nov 19 00:42 spigrp
-rwxr-xr-x 1 root root 25331 Nov 19 00:42 tncfg
-rwxr-xr-x 1 root root 10607 Nov 19 00:42 verify
-rwxr-xr-x 1 root root 126409 Nov 19 00:42 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0: 3730178   15401    1    0    0     0          0         0  1657035    5604    3    0    0     0       3          0
  eth1:  383844    5478    0    0    0     0          0         0    10181     128    0    0    0     0       0          0
  sit0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface   Destination Gateway     Flags   RefCnt  Use     Metric  Mask        MTU     Window  IRTT
eth0    806E513F    03F66D43    0003    0       0       2       C0FFFFFF    0       0       0
eth0    0001140A    03F66D43    0003    0       0       2       00FFFFFF    0       0       0
eth0    00F66D43    00000000    0001    0       0       0       00FFFFFF    0       0       0
eth1    00010A0A    00000000    0001    0       0       0       00FFFFFF    0       0       0
eth1    0000FEA9    00000000    0001    0       0       0       0000FFFF    0       0       0
eth0    00000000    01F66D43    0003    0       0       0       00000000    0       0       0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux vpnserver.foo.com 2.6.14-1.1644_FC4 #1 Sun Nov 27 03:25:11 EST 2005 i686 athlon i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 4 (Stentz)
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.14-1.1644_FC4) support detected '
NETKEY (2.6.14-1.1644_FC4) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
iptable_mangle 3009 0 - Live 0xe0a21000
iptable_nat 7749 0 - Live 0xe097c000
ip_nat 18773 1 iptable_nat, Live 0xe0968000
ip_conntrack 52081 2 iptable_nat,ip_nat, Live 0xe0a2d000
nfnetlink 6745 2 ip_nat,ip_conntrack, Live 0xe0976000
iptable_filter 3137 0 - Live 0xe0841000
ip_tables 20289 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xe096e000
xfrm4_tunnel 4165 0 - Live 0xe0a42000
af_key 34257 0 - Live 0xe0af4000
deflate 4033 0 - Live 0xe0974000
zlib_deflate 23001 1 deflate, Live 0xe0a5e000
twofish 44225 0 - Live 0xe0ae8000
serpent 25025 0 - Live 0xe0a66000
blowfish 9281 0 - Live 0xe0a3b000
sha256 10817 0 - Live 0xe0a29000
crypto_null 2369 0 - Live 0xe0964000
aes 27777 0 - Live 0xe0a56000
des 16449 0 - Live 0xe0a50000
ipcomp 8137 0 - Live 0xe0a1c000
esp4 8257 0 - Live 0xe097f000
ah4 6337 0 - Live 0xe0979000
autofs4 19781 2 - Live 0xe0a23000
sunrpc 141821 1 - Live 0xe0ac4000
ipv6 249889 14 - Live 0xe0a85000
video 16325 0 - Live 0xe08f7000
button 6737 0 - Live 0xe08e8000
battery 9541 0 - Live 0xe0948000
ac 4933 0 - Live 0xe08eb000
ohci_hcd 22497 0 - Live 0xe0941000
shpchp 93701 0 - Live 0xe0983000
i2c_sis630 7885 0 - Live 0xe08c1000
i2c_sis96x 5829 0 - Live 0xe08e2000
i2c_core 22209 2 i2c_sis630,i2c_sis96x, Live 0xe093a000
snd_intel8x0 32929 0 - Live 0xe0930000
snd_ac97_codec 88893 1 snd_intel8x0, Live 0xe094d000
snd_ac97_bus 2497 1 snd_ac97_codec, Live 0xe08c4000
snd_seq_dummy 3781 0 - Live 0xe08a9000
snd_seq_oss 31937 0 - Live 0xe08ee000
snd_seq_midi_event 7105 1 snd_seq_oss, Live 0xe0854000
snd_seq 49873 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event, Live 0xe0922000
snd_seq_device 9165 3 snd_seq_dummy,snd_seq_oss,snd_seq, Live 0xe08ce000
snd_pcm_oss 51057 0 - Live 0xe0914000
snd_mixer_oss 18113 1 snd_pcm_oss, Live 0xe08c8000
snd_pcm 87749 3 snd_intel8x0,snd_ac97_codec,snd_pcm_oss, Live 0xe08fd000
snd_timer 25285 2 snd_seq,snd_pcm, Live 0xe089a000
snd 54949 9 snd_intel8x0,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer, Live 0xe08d3000
soundcore 9889 1 snd, Live 0xe08bd000
snd_page_alloc 10825 2 snd_intel8x0,snd_pcm, Live 0xe08b9000
sis900 21697 0 - Live 0xe08a2000
mii 5441 1 sis900, Live 0xe0857000
tulip 51041 0 - Live 0xe08ab000
floppy 61957 0 - Live 0xe0867000
dm_snapshot 17901 0 - Live 0xe0861000
dm_zero 2113 0 - Live 0xe081c000
dm_mirror 22549 0 - Live 0xe085a000
ext3 130505 2 - Live 0xe0879000
jbd 57941 1 ext3, Live 0xe0831000
dm_mod 57053 6 dm_snapshot,dm_zero,dm_mirror, Live 0xe0843000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 515724 kB
MemFree: 300556 kB
Buffers: 17844 kB
Cached: 161552 kB
SwapCached: 0 kB
Active: 115872 kB
Inactive: 71760 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 515724 kB
LowFree: 300556 kB
SwapTotal: 1048568 kB
SwapFree: 1048568 kB
Dirty: 296 kB
Writeback: 0 kB
Mapped: 14928 kB
Slab: 20880 kB
CommitLimit: 1306428 kB
Committed_AS: 42800 kB
PageTables: 1140 kB
VmallocTotal: 507896 kB
VmallocUsed: 3196 kB
VmallocChunk: 500312 kB
HugePages_Total: 0
HugePages_Free: 0
Hugepagesize: 4096 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.14-1.1644_FC4/build/.config
++ uname -r
+ cat /lib/modules/2.6.14-1.1644_FC4/build/.config
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_TUNNEL=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=m
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NETBIOS_NS=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_DCCP=m
CONFIG_IP_NF_MATCH_COMMENT=m
CONFIG_IP_NF_MATCH_CONNMARK=m
CONFIG_IP_NF_MATCH_CONNBYTES=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_STRING=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_TARGET_NFQUEUE=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CONNMARK=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_PHYSDEV=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_TARGET_NFQUEUE=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_DCCP=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_DCCP_CCID3=m
CONFIG_IP_DCCP_TFRC_LIB=m
# CONFIG_IP_DCCP_DEBUG is not set
CONFIG_IP_DCCP_UNLOAD_HACK=y
CONFIG_IP_SCTP=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPW2100=m
CONFIG_IPW2100_MONITOR=y
# CONFIG_IPW_DEBUG is not set
CONFIG_IPW2200=m
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
# generated by NetworkManager, do not edit!
search foo.com
nameserver 10.10.1.1
nameserver a.b.c.5
nameserver a.b.c.6
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 3 root root 4096 Dec 12 14:15 2.6.14-1.1644_FC4
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c02ae97a T netif_rx
c02aeb29 T netif_rx_ni
c02ae97a U netif_rx [ipv6]
c02ae97a U netif_rx [sis900]
c02ae97a U netif_rx [tulip]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.14-1.1644_FC4:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '2251,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Dec 15 19:24:31 vpnserver ipsec_setup: Starting Openswan IPsec 2.4.4...
Dec 15 19:24:31 vpnserver ipsec_setup: insmod /lib/modules/2.6.14-1.1644_FC4/kernel/net/key/af_key.ko
Dec 15 19:24:31 vpnserver ipsec_setup: insmod /lib/modules/2.6.14-1.1644_FC4/kernel/net/ipv4/xfrm4_tunnel.ko
+ _________________________ plog
+ sed -n '4041,$p' /var/log/secure
+ egrep -i pluto
+ case "$1" in
+ cat
Dec 15 19:24:31 vpnserver ipsec__plutorun: Starting Pluto subsystem...
Dec 15 19:24:31 vpnserver pluto[2780]: Starting Pluto (Openswan
Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR;
Vendor ID OEz}FFFfgr_e)
Dec 15 19:24:31 vpnserver pluto[2780]: Setting NAT-Traversal
port-4500 floating to on
Dec 15 19:24:31 vpnserver pluto[2780]: port floating activation
criteria nat_t=1/port_fload=1
Dec 15 19:24:31 vpnserver pluto[2780]: including NAT-Traversal
patch (Version 0.6c)
Dec 15 19:24:31 vpnserver pluto[2780]: 1 bad entries in
virtual_private - none loaded
Dec 15 19:24:31 vpnserver pluto[2780]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 15 19:24:31 vpnserver pluto[2780]: starting up 1 cryptographic
helpers
Dec 15 19:24:31 vpnserver pluto[2780]: started helper pid=2781 (fd:6)
Dec 15 19:24:31 vpnserver pluto[2780]: Using Linux 2.6 IPsec
interface code on 2.6.14-1.1644_FC4
Dec 15 19:24:31 vpnserver pluto[2780]: Changing to directory '/etc/
ipsec.d/cacerts'
Dec 15 19:24:31 vpnserver pluto[2780]: loaded CA cert file
'cacert.pem' (1363 bytes)
Dec 15 19:24:31 vpnserver pluto[2780]: Could not change to directory
'/etc/ipsec.d/aacerts'
Dec 15 19:24:31 vpnserver pluto[2780]: Could not change to directory
'/etc/ipsec.d/ocspcerts'
Dec 15 19:24:31 vpnserver pluto[2780]: Could not change to directory
'/etc/ipsec.d/crls'
Dec 15 19:24:31 vpnserver pluto[2780]: loaded host cert file '/etc/
ipsec.d/certs/vpnserver.foo.com.pem' (3815 bytes)
Dec 15 19:24:31 vpnserver pluto[2780]: could not open host cert
file '/etc/ipsec.d/certs/%any'
Dec 15 19:24:31 vpnserver pluto[2780]: added connection description
"l2tp-b-cert"
Dec 15 19:24:31 vpnserver pluto[2780]: listening for IKE messages
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface eth1/eth1
10.10.1.140:500
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface eth1/eth1
10.10.1.140:4500
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface eth0/eth0
a.b.c.4:500
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface eth0/eth0
a.b.c.4:4500
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface lo/lo
127.0.0.1:500
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface lo/lo
127.0.0.1:4500
Dec 15 19:24:31 vpnserver pluto[2780]: adding interface lo/lo ::1:500
Dec 15 19:24:31 vpnserver pluto[2780]: loading secrets from "/etc/
ipsec.secrets"
Dec 15 19:24:31 vpnserver pluto[2780]: loaded private key file '/
etc/ipsec.d/private/vpnserver.foo.com.key' (1692 bytes)
Dec 15 19:24:44 vpnserver pluto[2780]: packet from w.x.y.z:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set
to=110
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1:
responding to Main Mode from unknown peer w.x.y.z
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1:
ignoring Vendor ID payload [KAME/racoon]
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1:
Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=OurCity,
O=Foo, Inc., CN=aram.foo.com, E=aram at foo.com'
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[1] w.x.y.z #1:
no crl from issuer "C=US, ST=California, L=OurCity, O=Foo, Inc.,
CN=ca.foo.com, E=noc at foo.com" found (strict=no)
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1:
deleting connection "l2tp-b-cert" instance with peer w.x.y.z
{isakmp=#0/ipsec=#0}
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1: I
am sending my cert
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1:
ignoring informational payload, type INVALID_CERTIFICATE
Dec 15 19:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1:
received and ignored informational message
Dec 15 19:24:47 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 19:24:50 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 19:24:53 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1:
discarding duplicate packet -- exhausted retransmission; already
STATE_MAIN_R3
Dec 15 20:20:14 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #2:
initiating Main Mode to replace #1
Dec 15 20:21:24 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #2:
max number of retransmissions (2) reached STATE_MAIN_I1. No response
(or no acceptable response) to our first IKE message
Dec 15 20:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z #1:
ISAKMP SA expired (LATEST!)
Dec 15 20:24:44 vpnserver pluto[2780]: "l2tp-b-cert"[2] w.x.y.z:
deleting connection "l2tp-b-cert" instance with peer w.x.y.z
{isakmp=#0/ipsec=#0}
Dec 15 20:53:26 vpnserver pluto[2780]: packet from w.x.y.z:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set
to=110
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3:
responding to Main Mode from unknown peer w.x.y.z
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3:
STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3:
ignoring Vendor ID payload [KAME/racoon]
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 15 20:53:26 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3:
STATE_MAIN_R2: sent MR2, expecting MI3
Dec 15 20:53:29 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3:
discarding duplicate packet; already STATE_MAIN_R2
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3:
Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=OurCity,
O=Foo, Inc., CN=aram.foo.com, E=aram at foo.com'
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[3] w.x.y.z #3:
no crl from issuer "C=US, ST=California, L=OurCity, O=Foo, Inc.,
CN=ca.foo.com, E=noc at foo.com" found (strict=no)
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3:
deleting connection "l2tp-b-cert" instance with peer w.x.y.z
{isakmp=#0/ipsec=#0}
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3: I
am sending my cert
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3:
ignoring informational payload, type INVALID_CERTIFICATE
Dec 15 20:53:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3:
received and ignored informational message
Dec 15 20:53:40 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 20:53:43 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 20:53:46 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #3:
discarding duplicate packet -- exhausted retransmission; already
STATE_MAIN_R3
Dec 15 20:58:00 vpnserver pluto[2780]: packet from w.x.y.z:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set
to=110
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
responding to Main Mode from unknown peer w.x.y.z
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
ignoring Vendor ID payload [KAME/racoon]
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
STATE_MAIN_R2: sent MR2, expecting MI3
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=OurCity,
O=Foo, Inc., CN=aram.foo.com, E=aram at foo.com'
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
no crl from issuer "C=US, ST=California, L=OurCity, O=Foo, Inc.,
CN=ca.foo.com, E=noc at foo.com" found (strict=no)
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4: I
am sending my cert
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
ignoring informational payload, type INVALID_CERTIFICATE
Dec 15 20:58:00 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
received and ignored informational message
Dec 15 20:58:02 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 20:58:05 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 20:58:08 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #4:
discarding duplicate packet -- exhausted retransmission; already
STATE_MAIN_R3
Dec 15 21:17:28 vpnserver pluto[2780]: packet from w.x.y.z:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set
to=110
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
responding to Main Mode from unknown peer w.x.y.z
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
STATE_MAIN_R1: sent MR1, expecting MI2
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
ignoring Vendor ID payload [KAME/racoon]
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
STATE_MAIN_R2: sent MR2, expecting MI3
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=California, L=OurCity,
O=Foo, Inc., CN=aram.foo.com, E=aram at foo.com'
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
no crl from issuer "C=US, ST=California, L=OurCity, O=Foo, Inc.,
CN=ca.foo.com, E=noc at foo.com" found (strict=no)
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5: I
am sending my cert
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
ignoring informational payload, type INVALID_CERTIFICATE
Dec 15 21:17:28 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
received and ignored informational message
Dec 15 21:17:31 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 21:17:33 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Dec 15 21:17:37 vpnserver pluto[2780]: "l2tp-b-cert"[4] w.x.y.z #5:
discarding duplicate packet -- exhausted retransmission; already
STATE_MAIN_R3
+ _________________________ date
+ date
Thu Dec 15 21:19:29 PST 2005
###### ipsec barf ######