[Openswan Users] Routing problem (with barfs)
Da Shen
dshen19 at yahoo.com
Sat Feb 26 23:03:14 CET 2005
Hi, all:
I am a newbie to openswan. I am trying to set up a VPN
connecting two segments as
192.168.10.0===24.91.72.14<--->221.219.4.251===192.168.8.0
Here is the conn section included in ipsec.conf (it is
the same on both ends):
conn w-b
        left=24.91.72.14
        leftsubnet=192.168.10.0/24
        leftid=@w.netgenco.com
        leftrsasigkey=0sAQOTnxk5o8wdADEXERry8B4xUVSPSt6ln7D9xIItwW7Sup1GC83WzS6nLU2asDQqwb7zBkpc3IlkD+BCOtQaSjo+S6Tf2SAnwk5qXDBLg/pAqIji9kguA6l7gKfjdiXaFg4O0bv51aSvA6cqqFTaSf32YgVEaxiGnsviyVi9KxkD8oW+PE9xe7I7T0f1u/IOStkM0AprQEN1l5qWMIowWTIU1BMzHbSOhwzXsmfLcNWXTYhko7g94anUn3NkCuxCCYidjjb56NLLjyl18yNF3Kaq1YkMYdG/vdIgVWTVRnkJYNy+5w4uEECCgEUOXEbCVI2izq02TF4yvtYGacjP4WzH
        leftnexthop=24.91.72.1
        right=221.219.4.251
        rightsubnet=192.168.8.0/24
        rightid=@b.netgenco.com
        rightrsasigkey=0sAQO26/NgpIcS6pkqg6INiShzxP9a2xtptpkGqldZy0Wtc+LGVIrv5IY6HrX5sNeg8unBvQ83Zk8/3H6QjExddnoVF+aqLu8zymj8Z9ae+8e06CqcS97JOsjW8zcR5pK5dZKvPUN4RoINw6/N4A+l3UxEPW2OdKVBueQcLCi+uQ12mPSznvPo6nkLvKlAcROhh/XOY9yYieKK/fSdKa/DUu0mrK8EwauoRqlJUJ8oQ2Kp55AC1Y5WvhKaLOQKo1Qd4H7tGk5JGsXGuC2Q48Si8vdkZmkcp9vZ4j6itxgr2wS83lZPTLU2kgir7L9g7QO4YuMVoLwW6+5rwvIXDYzof/UF
        rightnexthop=61.51.120.1
        authby=rsasig
        auto=start
From ipsec auto --status:
000 "w-b": 192.168.8.0/24===221.219.4.251[@b.netgenco.com]---61.51.120.1...24.91.72.1---24.91.72.14[@w.netgenco.com]===192.168.10.0/24; erouted; eroute owner: #5
000 #5: "w-b" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 20568s; newest IPSEC; eroute owner
000 #5: "w-b" esp.620dde4a at 24.91.72.14 esp.a4c32704 at 221.219.4.251 tun.0 at 24.91.72.14 tun.0 at 221.219.4.251
000 #4: "w-b" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 21160s
000 #4: "w-b" esp.c42a79c5 at 24.91.72.14 esp.b7035b97 at 221.219.4.251 tun.0 at 24.91.72.14 tun.0 at 221.219.4.251
000 #8: "w-b" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1330s; newest ISAKMP
It seems that the tunnel has been set up, but I can't
ping through or connect by any means from either side.
And the routing tables are:
for w:
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.8.0     24.91.72.1      255.255.255.0   UG        0 0          0 eth0
24.91.72.0      0.0.0.0         255.255.254.0   U         0 0          0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
0.0.0.0         24.91.72.1      0.0.0.0         UG        0 0          0 eth0
for b:
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
61.51.120.1     0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.10.0    61.51.120.1     255.255.255.0   UG        0 0          0 ppp0
192.168.8.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       127.0.0.1      255.0.0.0        UG        0 0          0 lo
0.0.0.0         61.51.120.1     0.0.0.0         UG        0 0          0 ppp0
My question is: does my problem come from routing? If
so, how can I correct it? I have browsed many posts
related to routing on this list and can't figure out a
solution.
I have also attached the barf files to this post; if you
can't read them, I can repost them as text.
BTW, how does the kernel (2.6) ipsec engine know where
packets should be sent (I mean whether a packet should
go into an ipsec tunnel or just follow a general route
to the outside)? I need to try some more advanced
configs (for a real working situation) once I get
through this step, so I feel the additional knowledge
will help me a lot. In fact, I really love the original
freeswan/openswan design with ipsec devices, which is
much clearer in concept for newbies like me to
understand.
Thanks in advance!
Da
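The question at the end of the post (how the 2.6 native stack decides whether a packet enters the tunnel or follows a plain route) is answered by the `setkey -D -P` section of the barf below: with NETKEY there is no ipsec0 device. The kernel matches each packet's inner source and destination against the Security Policy Database first, and only the ESP-wrapped result, addressed between the gateways 221.219.4.251 and 24.91.72.14, is then routed, so the 192.168.10.0/24 via 61.51.120.1 route only has to get the encapsulated packet onto ppp0. The following added example is not part of the original post or of Openswan. It parses trimmed, re-indented copies of the SPD and SAD dumps from the barf (host "b") and runs that lookup for constructed end-host addresses (192.168.8.10, 192.168.10.20, 198.51.100.7); it also lists SAs whose byte counter is still zero, which in the barf is true of all four SAs. Most-specific-match is used here as an approximation of the kernel's policy priority ordering.

```python
"""Offline model of how the Linux 2.6 native IPsec stack (NETKEY/XFRM) decides
whether a packet is tunnelled or routed in the clear. Added example, not code
from the original post or from Openswan. Dumps are trimmed, re-indented copies
of the `setkey -D -P` / `setkey -D` barf sections; end-host IPs are constructed.
"""
import ipaddress
import re

# Security Policy Database: selector line, then "<dir> <action>", then template.
SPD_DUMP = """\
192.168.10.0/24[any] 192.168.8.0/24[any] any
    in ipsec
    esp/tunnel/24.91.72.14-221.219.4.251/unique#16385
192.168.8.0/24[any] 192.168.10.0/24[any] any
    out ipsec
    esp/tunnel/221.219.4.251-24.91.72.14/unique#16385
192.168.10.0/24[any] 192.168.8.0/24[any] any
    fwd ipsec
    esp/tunnel/24.91.72.14-221.219.4.251/unique#16385
0.0.0.0/0[any] 0.0.0.0/0[any] any
    in none
0.0.0.0/0[any] 0.0.0.0/0[any] any
    out none
"""

# Security Association Database: one SA per direction, byte counters as in the barf.
SAD_DUMP = """\
221.219.4.251 24.91.72.14
    esp mode=tunnel spi=1645076042(0x620dde4a) reqid=16385(0x00004001)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
24.91.72.14 221.219.4.251
    esp mode=tunnel spi=2764252932(0xa4c32704) reqid=16385(0x00004001)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
"""

POLICY_RE = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")
ACTION_RE = re.compile(r"^\s*(in|out|fwd) (ipsec|none|discard)$")
TMPL_RE = re.compile(r"^\s*(esp|ah|ipcomp)/(tunnel|transport)/([^-]+)-([^/]+)/\w+#(\d+)$")
SA_HDR_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
SA_SPI_RE = re.compile(r"^\s*(esp|ah|ipcomp) mode=(\w+) spi=\d+\((0x[0-9a-f]+)\) reqid=(\d+)")
SA_BYTES_RE = re.compile(r"^\s*current: (\d+)\(bytes\)")


def parse_spd(text):
    """Parse a `setkey -D -P` dump into a list of policy dicts."""
    policies, cur = [], None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(3)), "tmpl": None}
            policies.append(cur)
        elif (m := ACTION_RE.match(line)) and cur is not None:
            cur["dir"], cur["action"] = m.group(1), m.group(2)
        elif (m := TMPL_RE.match(line)) and cur is not None:
            cur["tmpl"] = (m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5)))
    return policies


def lookup_policy(policies, src, dst, direction):
    """Most specific SPD entry covering (src, dst) in `direction`.

    XFRM does this lookup on the inner addresses before, and independently of,
    the routing table; most-specific-first approximates its priority ordering.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best, best_len = None, -1
    for p in policies:
        if p.get("dir") != direction or p["src"].version != src.version:
            continue
        if src in p["src"] and dst in p["dst"]:
            specificity = p["src"].prefixlen + p["dst"].prefixlen
            if specificity > best_len:
                best, best_len = p, specificity
    return best


def classify(policies, src, dst, direction):
    """'clear', 'discard', or the ESP tunnel the packet would be wrapped in."""
    p = lookup_policy(policies, src, dst, direction)
    if p is None or p["action"] == "none":
        return "clear"  # no IPsec policy: follows the ordinary routing table
    if p["action"] == "discard":
        return "discard"
    proto, mode, outer_src, outer_dst, reqid = p["tmpl"]
    # After encapsulation only the outer (gateway) addresses are routed.
    return f"{proto}/{mode} {outer_src}->{outer_dst} reqid={reqid}"


def parse_sad(text):
    """Parse a `setkey -D` dump into a list of SA dicts with byte counters."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := SA_HDR_RE.match(line):
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
        elif (m := SA_SPI_RE.match(line)) and cur is not None:
            cur["spi"], cur["reqid"] = m.group(3), int(m.group(4))
        elif (m := SA_BYTES_RE.match(line)) and cur is not None:
            cur["bytes"] = int(m.group(1))
    return sas


def idle_sas(sas):
    """SPIs of SAs that are established but have never carried a byte."""
    return [sa["spi"] for sa in sas if sa.get("bytes", 0) == 0]


if __name__ == "__main__":
    spd, sad = parse_spd(SPD_DUMP), parse_sad(SAD_DUMP)
    # Constructed hosts: 192.168.8.10 behind b, 192.168.10.20 behind w.
    print("b LAN -> w LAN (out):", classify(spd, "192.168.8.10", "192.168.10.20", "out"))
    print("b LAN -> Internet (out):", classify(spd, "192.168.8.10", "198.51.100.7", "out"))
    print("w LAN -> b LAN (fwd):", classify(spd, "192.168.10.20", "192.168.8.10", "fwd"))
    print("SAs that never carried traffic:", idle_sas(sad))
```

To use it against a live gateway, replace the two strings with the real output of `setkey -D -P` and `setkey -D`. The byte counters are the check worth doing first: a `current: 0(bytes)` on the outbound SA means no packet has yet matched the `out` policy and been handed to ESP, so the fault lies before encryption (policy match, forwarding, or the path the LAN hosts take to the gateway), not in the keying.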
-------------- next part --------------
Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run Openswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration.
Unable to find Pluto messages, typically found in /var/log/secure or equivalent. You may need to run Openswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration.
b
Sun Feb 27 13:57:14 CST 2005
+ _________________________ version
+ ipsec --version
Linux Openswan U2.2.0/K2.6.10-gentoo-r6 (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.10-gentoo-r6 (root at b) (gcc version 3.3.5 (Gentoo Linux 3.3.5-r1, ssp-3.3.2-3, pie-8.7.7.1)) #7 SMP Sat Feb 26 11:28:01 CST 2005
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
61.51.120.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.10.0 61.51.120.1 255.255.255.0 UG 0 0 0 ppp0
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
0.0.0.0 61.51.120.1 0.0.0.0 UG 0 0 0 ppp0
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
221.219.4.251 24.91.72.14
esp mode=tunnel spi=1645076042(0x620dde4a) reqid=16385(0x00004001)
E: 3des-cbc 17da869f 93110b3e ce99f07b 55a55a2b 6f903f80 3afc765e
A: hmac-md5 2517f1e4 b8b042ce a8d9be37 1030cb07
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Feb 27 12:30:17 2005 current: Feb 27 13:57:14 2005
diff: 5217(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=8837 refcnt=0
221.219.4.251 24.91.72.14
esp mode=tunnel spi=3291118021(0xc42a79c5) reqid=16385(0x00004001)
E: 3des-cbc 24355d63 f02bb404 c8e27f1b a84ccc44 5c34d599 ec7c9ed4
A: hmac-md5 acf20a4b 6328254e 4de49f76 24941c2e
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Feb 27 12:28:56 2005 current: Feb 27 13:57:14 2005
diff: 5298(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=8837 refcnt=0
24.91.72.14 221.219.4.251
esp mode=tunnel spi=2764252932(0xa4c32704) reqid=16385(0x00004001)
E: 3des-cbc ec75d484 79f2ed08 25ac37fb 7b4a92c8 47a4207f 7175cc7b
A: hmac-md5 0b99cf2d 21be6b9b 2f6aa87e 4a675f2c
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Feb 27 12:30:17 2005 current: Feb 27 13:57:14 2005
diff: 5217(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=8837 refcnt=0
24.91.72.14 221.219.4.251
esp mode=tunnel spi=3070450583(0xb7035b97) reqid=16385(0x00004001)
E: 3des-cbc 171a7655 1dfea400 3d485dae 861e49ea 7a040610 757c6c7d
A: hmac-md5 685479d0 fcf29d8a ba3256a6 66e00e56
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Feb 27 12:28:56 2005 current: Feb 27 13:57:14 2005
diff: 5298(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=8837 refcnt=0
+ _________________________ setkey-D-P
+ setkey -D -P
192.168.10.0/24[any] 192.168.8.0/24[any] any
in ipsec
esp/tunnel/24.91.72.14-221.219.4.251/unique#16385
created: Feb 27 12:28:28 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=776 seq=12 pid=8838
refcnt=1
192.168.8.0/24[any] 192.168.10.0/24[any] any
out ipsec
esp/tunnel/221.219.4.251-24.91.72.14/unique#16385
created: Feb 27 12:30:17 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=769 seq=11 pid=8838
refcnt=1
192.168.10.0/24[any] 192.168.8.0/24[any] any
fwd ipsec
esp/tunnel/24.91.72.14-221.219.4.251/unique#16385
created: Feb 27 12:28:28 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=786 seq=10 pid=8838
refcnt=1
::/0[any] ::/0[any] any
in none
created: Feb 27 12:28:26 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=755 seq=9 pid=8838
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Feb 27 12:28:26 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=739 seq=8 pid=8838
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Feb 27 12:28:26 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=723 seq=7 pid=8838
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Feb 27 12:28:26 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=707 seq=6 pid=8838
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Feb 27 12:28:26 2005 lastused: Feb 27 13:28:55 2005
lifetime: 0(s) validtime: 0(s)
spid=691 seq=5 pid=8838
refcnt=1
::/0[any] ::/0[any] any
out none
created: Feb 27 12:28:26 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=764 seq=4 pid=8838
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Feb 27 12:28:26 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=748 seq=3 pid=8838
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Feb 27 12:28:26 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=732 seq=2 pid=8838
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Feb 27 12:28:26 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=716 seq=1 pid=8838
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Feb 27 12:28:26 2005 lastused: Feb 27 13:28:55 2005
lifetime: 0(s) validtime: 0(s)
spid=700 seq=0 pid=8838
refcnt=1
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface eth0:1/eth0:1 192.168.8.3
000 interface eth0:2/eth0:2 192.168.8.4
000 interface lo/lo 127.0.0.1
000 interface ppp0/ppp0 221.219.4.251
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,6,36} trans={0,6,336} attrs={0,6,224}
000
000 "w-b": 192.168.8.0/24===221.219.4.251[@b.netgenco.com]---61.51.120.1...24.91.72.1---24.91.72.14[@w.netgenco.com]===192.168.10.0/24; erouted; eroute owner: #5
000 "w-b": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "w-b": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: ppp0;
000 "w-b": newest ISAKMP SA: #6; newest IPsec SA: #5;
000 "w-b": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "w-b": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "w-b": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "w-b": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "w-b": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "w-b": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #6: "w-b" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 727s; newest ISAKMP
000 #5: "w-b" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 22640s; newest IPSEC; eroute owner
000 #5: "w-b" esp.620dde4a at 24.91.72.14 esp.a4c32704 at 221.219.4.251 tun.0 at 24.91.72.14 tun.0 at 221.219.4.251
000 #4: "w-b" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 23232s
000 #4: "w-b" esp.c42a79c5 at 24.91.72.14 esp.b7035b97 at 221.219.4.251 tun.0 at 24.91.72.14 tun.0 at 221.219.4.251
000
+ _________________________ ifconfig-a
+ ifconfig -a
bond0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MASTER MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
dummy0 Link encap:Ethernet HWaddr 5E:CD:45:88:A3:93
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth0 Link encap:Ethernet HWaddr 00:0C:76:60:BA:8F
inet6 addr: fe80::20c:76ff:fe60:ba8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:122468 errors:0 dropped:0 overruns:0 frame:0
TX packets:116542 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:132338801 (126.2 Mb) TX bytes:10530366 (10.0 Mb)
Interrupt:177 Base address:0xa000
eth0:1 Link encap:Ethernet HWaddr 00:0C:76:60:BA:8F
inet addr:192.168.8.3 Bcast:192.168.8.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:115400 errors:0 dropped:0 overruns:0 frame:0
TX packets:109453 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:129347509 (123.3 Mb) TX bytes:7907846 (7.5 Mb)
Interrupt:177 Base address:0xa000
eth0:2 Link encap:Ethernet HWaddr 00:0C:76:60:BA:8F
inet addr:192.168.8.4 Bcast:192.168.8.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:115400 errors:0 dropped:0 overruns:0 frame:0
TX packets:109453 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:129347509 (123.3 Mb) TX bytes:7907846 (7.5 Mb)
Interrupt:177 Base address:0xa000
gre0 Link encap:UNSPEC HWaddr 00-00-00-00-FF-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ip6tnl0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1460 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:45471 errors:0 dropped:0 overruns:0 frame:0
TX packets:45471 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2275300 (2.1 Mb) TX bytes:2275300 (2.1 Mb)
plip0 Link encap:Ethernet HWaddr FC:FC:FC:FC:FC:FC
POINTOPOINT NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:7 Base address:0x378
ppp0 Link encap:Point-to-Point Protocol
inet addr:221.219.4.251 P-t-P:61.51.120.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:115400 errors:0 dropped:0 overruns:0 frame:0
TX packets:109453 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:129347509 (123.3 Mb) TX bytes:7907846 (7.5 Mb)
shaper0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
[NO FLAGS] MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tap0 Link encap:Ethernet HWaddr FE:FD:00:00:00:00
BROADCAST NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
teql0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.6.10-gentoo-r6 (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: b [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 251.4.219.221.in-addr.arpa. [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:40:63, model 50 rev 8
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
localhost
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
13:57:15 up 1 day, 2:09, 5 users, load average: 0.01, 0.03, 0.08
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 8766 11231 16 0 1864 964 wait S+ pts/1 0:00 \_ /bin/sh /usr/libexec/ipsec/barf
4 0 8888 8766 16 0 1376 440 - S+ pts/1 0:00 \_ egrep -i ppid|pluto|ipsec|klips
5 0 7235 1 17 0 1856 940 wait S pts/1 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug all --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
5 0 7236 7235 17 0 1856 948 wait S pts/1 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug all --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 7237 7236 15 0 2264 1200 select S pts/1 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --debug-all --uniqueids
4 0 7273 7237 24 0 1264 272 select S pts/1 0:00 | \_ _pluto_adns -d
4 0 7246 7235 15 0 1860 944 pipe_w S pts/1 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
4 0 7248 1 16 0 1328 456 pipe_w S pts/1 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=ppp0
routevirt=ipsec0
routeaddr=221.219.4.251
routenexthop=61.51.120.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
interfaces=%defaultroute
klipsdebug=all
plutodebug=all
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# Add connections here
# sample VPN connection
#sample# conn sample
#sample# # Left security gateway, subnet behind it, next hop toward right.
#sample# left=10.0.0.1
#sample# leftsubnet=172.16.0.0/24
#sample# leftnexthop=10.22.33.44
#sample# # Right security gateway, subnet behind it, next hop toward left.
#sample# right=10.12.12.1
#sample# rightsubnet=192.168.0.0/24
#sample# rightnexthop=10.101.102.103
#sample# # To authorize this connection, but not actually start it, at startup,
#sample# # uncomment this.
#sample# #auto=start
#Disable Opportunistic Encryption
#< /etc/ipsec/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec/ipsec.conf 38
#< /etc/ipsec/w-b.conf 1
conn w-b
left=24.91.72.14
leftsubnet=192.168.10.0/24
leftid=@w.netgenco.com
leftrsasigkey=[keyid AQOTnxk5o]
leftnexthop=24.91.72.1
right=221.219.4.251
rightsubnet=192.168.8.0/24
rightid=@b.netgenco.com
rightrsasigkey=[keyid AQO26/Ngp]
rightnexthop=61.51.120.1
authby=rsasig
auto=start
#> /etc/ipsec/ipsec.conf 39
+ _________________________ ipsec/secrets
+ ipsec _secretcensor
+ ipsec _include /etc/ipsec/ipsec.secrets
#< /etc/ipsec/ipsec.secrets 1
: RSA {
# RSA 2048 bits b Sat Feb 26 14:04:34 2005
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQO26/Ngp]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Feb 27 12:28:25 2005, 2048 RSA Key AQO26/Ngp, until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@b.netgenco.com'
000 Feb 27 12:28:25 2005, 2048 RSA Key AQOTnxk5o, until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@w.netgenco.com'
+ '[' /etc/ipsec/ipsec.d/policies ']'
++ basename /etc/ipsec/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 100
-rwxr-xr-x 1 root root 15409 Feb 26 14:02 _confread
-rwxr-xr-x 1 root root 5224 Feb 26 14:02 _copyright
-rwxr-xr-x 1 root root 2391 Feb 26 14:02 _include
-rwxr-xr-x 1 root root 1475 Feb 26 14:02 _keycensor
-rwxr-xr-x 1 root root 3586 Feb 26 14:02 _plutoload
-rwxr-xr-x 1 root root 7167 Feb 26 14:02 _plutorun
-rwxr-xr-x 1 root root 10493 Feb 26 14:02 _realsetup
-rwxr-xr-x 1 root root 1975 Feb 26 14:02 _secretcensor
-rwxr-xr-x 1 root root 9016 Feb 26 14:02 _startklips
-rwxr-xr-x 1 root root 12313 Feb 26 14:02 _updown
-rwxr-xr-x 1 root root 7572 Feb 26 14:02 _updown_x509
-rwxr-xr-x 1 root root 1942 Feb 26 14:02 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 1268
-rwxr-xr-x 1 root root 10472 Feb 26 14:02 _pluto_adns
-rwxr-xr-x 1 root root 19220 Feb 26 14:02 auto
-rwxr-xr-x 1 root root 10230 Feb 26 14:02 barf
-rwxr-xr-x 1 root root 816 Feb 26 14:02 calcgoo
-rwxr-xr-x 1 root root 79504 Feb 26 14:02 eroute
-rwxr-xr-x 1 root root 58524 Feb 26 14:02 klipsdebug
-rwxr-xr-x 1 root root 2461 Feb 26 14:02 look
-rwxr-xr-x 1 root root 7130 Feb 26 14:02 mailkey
-rwxr-xr-x 1 root root 16188 Feb 26 14:02 manual
-rwxr-xr-x 1 root root 1874 Feb 26 14:02 newhostkey
-rwxr-xr-x 1 root root 53100 Feb 26 14:02 pf_key
-rwxr-xr-x 1 root root 564468 Feb 26 14:02 pluto
-rwxr-xr-x 1 root root 7208 Feb 26 14:02 ranbits
-rwxr-xr-x 1 root root 19376 Feb 26 14:02 rsasigkey
-rwxr-xr-x 1 root root 766 Feb 26 14:02 secrets
-rwxr-xr-x 1 root root 17578 Feb 26 14:02 send-pr
lrwxrwxrwx 1 root root 17 Feb 26 14:02 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Feb 26 14:02 showdefaults
-rwxr-xr-x 1 root root 4370 Feb 26 14:02 showhostkey
-rwxr-xr-x 1 root root 116748 Feb 26 14:02 spi
-rwxr-xr-x 1 root root 67572 Feb 26 14:02 spigrp
-rwxr-xr-x 1 root root 80256 Feb 26 14:02 starter
-rwxr-xr-x 1 root root 10392 Feb 26 14:02 tncfg
-rwxr-xr-x 1 root root 10195 Feb 26 14:02 verify
-rwxr-xr-x 1 root root 60932 Feb 26 14:02 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
bond0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
plip0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth0:132339282 122471 0 0 0 0 0 0 10530608 116545 0 0 0 0 0 0
lo: 2275300 45471 0 0 0 0 0 0 2275300 45471 0 0 0 0 0 0
tap0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
shaper0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
dummy0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
teql0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
tunl0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
gre0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ip6tnl0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ppp0:129347924 115403 0 0 0 0 0 0 7908022 109456 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ppp0 0178333D 00000000 0005 0 0 0 FFFFFFFF 0 0 0
ppp0 000AA8C0 0178333D 0003 0 0 0 00FFFFFF 0 0 0
eth0 0008A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
lo 0000007F 0100007F 0003 0 0 0 000000FF 0 0 0
ppp0 00000000 0178333D 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter ppp0/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:1
lo/rp_filter:0
ppp0/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux b 2.6.10-gentoo-r6 #7 SMP Sat Feb 26 11:28:01 CST 2005 i686 Intel(R) Celeron(R) CPU 2.40GHz GenuineIntel GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'native PFKEY (2.6.10-gentoo-r6) support detected '
native PFKEY (2.6.10-gentoo-r6) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 288: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 161K packets, 132M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 155K packets, 10M bytes)
pkts bytes target prot opt in out source destination
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 6098 packets, 313K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 25067 packets, 1516K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 161K packets, 132M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 161K packets, 132M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 155K packets, 10M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 155K packets, 10M bytes)
pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
shfs 50448 0 - Live 0xe0be2000
snd_via82xx 24960 2 - Live 0xe09dc000
snd_ac97_codec 76640 1 snd_via82xx, Live 0xe0981000
+ _________________________ proc/meminfo
+ cat /proc/meminfo
MemTotal: 478356 kB
MemFree: 6896 kB
Buffers: 13772 kB
Cached: 107792 kB
SwapCached: 42588 kB
Active: 234372 kB
Inactive: 57684 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 478356 kB
LowFree: 6896 kB
SwapTotal: 939792 kB
SwapFree: 861256 kB
Dirty: 36 kB
Writeback: 0 kB
Mapped: 209468 kB
Slab: 174104 kB
CommitLimit: 1178968 kB
Committed_AS: 367084 kB
PageTables: 1716 kB
VmallocTotal: 548788 kB
VmallocUsed: 35776 kB
VmallocChunk: 511988 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_NETLINK|CONFIG_IPSEC|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NETLINK_DEV=y
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_TUNNEL=y
CONFIG_IP_TCPDIAG=y
CONFIG_IP_TCPDIAG_IPV6=y
# CONFIG_IP_VS is not set
CONFIG_IPV6=y
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=y
CONFIG_INET6_ESP=y
CONFIG_INET6_IPCOMP=y
CONFIG_INET6_TUNNEL=y
CONFIG_IPV6_TUNNEL=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CT_PROTO_SCTP=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_PHYSDEV=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_REALM=y
CONFIG_IP_NF_MATCH_SCTP=y
CONFIG_IP_NF_MATCH_COMMENT=y
CONFIG_IP_NF_MATCH_CONNMARK=y
CONFIG_IP_NF_MATCH_HASHLIMIT=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_TARGET_CONNMARK=y
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_TARGET_NOTRACK=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_IP6_NF_QUEUE=y
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_LIMIT=y
CONFIG_IP6_NF_MATCH_MAC=y
CONFIG_IP6_NF_MATCH_RT=y
CONFIG_IP6_NF_MATCH_OPTS=y
CONFIG_IP6_NF_MATCH_FRAG=y
CONFIG_IP6_NF_MATCH_HL=y
CONFIG_IP6_NF_MATCH_MULTIPORT=y
CONFIG_IP6_NF_MATCH_OWNER=y
CONFIG_IP6_NF_MATCH_MARK=y
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
CONFIG_IP6_NF_MATCH_AHESP=y
CONFIG_IP6_NF_MATCH_LENGTH=y
CONFIG_IP6_NF_MATCH_EUI64=y
CONFIG_IP6_NF_MATCH_PHYSDEV=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_LOG=y
CONFIG_IP6_NF_MANGLE=y
CONFIG_IP6_NF_TARGET_MARK=y
CONFIG_IP6_NF_RAW=y
CONFIG_IP_SCTP=y
# CONFIG_IPX is not set
CONFIG_IPMI_HANDLER=y
CONFIG_IPMI_PANIC_EVENT=y
CONFIG_IPMI_PANIC_STRING=y
CONFIG_IPMI_DEVICE_INTERFACE=y
CONFIG_IPMI_SI=y
CONFIG_IPMI_WATCHDOG=y
CONFIG_IPMI_POWEROFF=y
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
cat: /etc/syslog.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 202.106.46.151
nameserver 202.106.0.20
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 4
drwxr-xr-x 4 root root 4096 Feb 26 11:54 2.6.10-gentoo-r6
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c049bb40 T netif_rx
c049bd40 T netif_rx_ni
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.10-gentoo-r6:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '1,$p' /dev/null
+ egrep -i 'ipsec|klips|pluto'
+ cat
+ _________________________ plog
+ sed -n '1,$p' /dev/null
+ egrep -i pluto
+ cat
+ _________________________ date
+ date
Sun Feb 27 13:57:16 CST 2005
-------------- next part --------------
Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run Openswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration.
Unable to find Pluto messages, typically found in /var/log/secure or equivalent. You may need to run Openswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration.
sushi
Sun Feb 27 00:54:06 EST 2005
+ _________________________ version
+ ipsec --version
Linux Openswan U2.2.0/K2.6.10-gentoo-r6 (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.10-gentoo-r6 (root at sushi) (gcc version 3.3.5 (Gentoo Linux 3.3.5-r1, ssp-3.3.2-3, pie-8.7.7.1)) #1 SMP Sat Feb 26 01:32:16 EST 2005
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.8.0 24.91.72.1 255.255.255.0 UG 0 0 0 eth0
24.91.72.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
0.0.0.0 24.91.72.1 0.0.0.0 UG 0 0 0 eth0
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
221.219.4.251 24.91.72.14
esp mode=tunnel spi=1645076042(0x620dde4a) reqid=16385(0x00004001)
E: 3des-cbc 17da869f 93110b3e ce99f07b 55a55a2b 6f903f80 3afc765e
A: hmac-md5 2517f1e4 b8b042ce a8d9be37 1030cb07
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Feb 26 23:30:20 2005 current: Feb 27 00:54:06 2005
diff: 5026(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=14893 refcnt=0
221.219.4.251 24.91.72.14
esp mode=tunnel spi=3291118021(0xc42a79c5) reqid=16385(0x00004001)
E: 3des-cbc 24355d63 f02bb404 c8e27f1b a84ccc44 5c34d599 ec7c9ed4
A: hmac-md5 acf20a4b 6328254e 4de49f76 24941c2e
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Feb 26 23:28:59 2005 current: Feb 27 00:54:06 2005
diff: 5107(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=14893 refcnt=0
24.91.72.14 221.219.4.251
esp mode=tunnel spi=2764252932(0xa4c32704) reqid=16385(0x00004001)
E: 3des-cbc ec75d484 79f2ed08 25ac37fb 7b4a92c8 47a4207f 7175cc7b
A: hmac-md5 0b99cf2d 21be6b9b 2f6aa87e 4a675f2c
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Feb 26 23:30:20 2005 current: Feb 27 00:54:06 2005
diff: 5026(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=14893 refcnt=0
24.91.72.14 221.219.4.251
esp mode=tunnel spi=3070450583(0xb7035b97) reqid=16385(0x00004001)
E: 3des-cbc 171a7655 1dfea400 3d485dae 861e49ea 7a040610 757c6c7d
A: hmac-md5 685479d0 fcf29d8a ba3256a6 66e00e56
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Feb 26 23:28:59 2005 current: Feb 27 00:54:06 2005
diff: 5107(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=14893 refcnt=0
+ _________________________ setkey-D-P
+ setkey -D -P
192.168.8.0/24[any] 192.168.10.0/24[any] any
in ipsec
esp/tunnel/221.219.4.251-24.91.72.14/unique#16385
created: Feb 26 23:28:59 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=312 seq=10 pid=14894
refcnt=1
192.168.10.0/24[any] 192.168.8.0/24[any] any
out ipsec
esp/tunnel/24.91.72.14-221.219.4.251/unique#16385
created: Feb 26 23:30:20 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=305 seq=9 pid=14894
refcnt=1
192.168.8.0/24[any] 192.168.10.0/24[any] any
fwd ipsec
esp/tunnel/221.219.4.251-24.91.72.14/unique#16385
created: Feb 26 23:28:59 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=322 seq=8 pid=14894
refcnt=1
::/0[any] ::/0[any] any
in none
created: Feb 26 23:28:56 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=291 seq=7 pid=14894
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Feb 26 23:28:56 2005 lastused: Feb 27 00:28:58 2005
lifetime: 0(s) validtime: 0(s)
spid=275 seq=6 pid=14894
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Feb 26 23:28:56 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=259 seq=5 pid=14894
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Feb 26 23:28:56 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=243 seq=4 pid=14894
refcnt=1
::/0[any] ::/0[any] any
out none
created: Feb 26 23:28:56 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=300 seq=3 pid=14894
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Feb 26 23:28:56 2005 lastused: Feb 27 00:28:58 2005
lifetime: 0(s) validtime: 0(s)
spid=284 seq=2 pid=14894
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Feb 26 23:28:56 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=268 seq=1 pid=14894
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Feb 26 23:28:56 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=252 seq=0 pid=14894
refcnt=1
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface eth0/eth0 24.91.72.14
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 192.168.10.1
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,6,36} trans={0,6,336} attrs={0,6,224}
000
000 "w-b": 192.168.10.0/24===24.91.72.14[@w.netgenco.com]---24.91.72.1...61.51.120.1---221.219.4.251[@b.netgenco.com]===192.168.8.0/24; erouted; eroute owner: #3
000 "w-b": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "w-b": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "w-b": newest ISAKMP SA: #4; newest IPsec SA: #3;
000 "w-b": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "w-b": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "w-b": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "w-b": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "w-b": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "w-b": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #4: "w-b" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 252s; newest ISAKMP
000 #3: "w-b" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 23504s; newest IPSEC; eroute owner
000 #3: "w-b" esp.a4c32704 at 221.219.4.251 esp.620dde4a at 24.91.72.14 tun.0 at 221.219.4.251 tun.0 at 24.91.72.14
000 #2: "w-b" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 23118s
000 #2: "w-b" esp.b7035b97 at 221.219.4.251 esp.c42a79c5 at 24.91.72.14 tun.0 at 221.219.4.251 tun.0 at 24.91.72.14
000
+ _________________________ ifconfig-a
+ ifconfig -a
bond0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MASTER MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
dummy0 Link encap:Ethernet HWaddr AE:DD:6C:8C:CE:86
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth0 Link encap:Ethernet HWaddr 00:02:E3:06:4D:6A
inet addr:24.91.72.14 Bcast:255.255.255.255 Mask:255.255.254.0
inet6 addr: fe80::202:e3ff:fe06:4d6a/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:447467 errors:0 dropped:0 overruns:0 frame:0
TX packets:49601 errors:1 dropped:0 overruns:1 carrier:1
collisions:0 txqueuelen:1000
RX bytes:38822741 (37.0 Mb) TX bytes:39165020 (37.3 Mb)
Interrupt:18 Base address:0x2000
eth1 Link encap:Ethernet HWaddr 00:30:BD:28:64:23
inet addr:192.168.10.1 Bcast:255.255.255.255 Mask:255.255.255.0
inet6 addr: fe80::230:bdff:fe28:6423/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14410 errors:0 dropped:0 overruns:0 frame:0
TX packets:15227 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2571681 (2.4 Mb) TX bytes:11791217 (11.2 Mb)
Interrupt:19 Base address:0xb400
gre0 Link encap:UNSPEC HWaddr 00-00-00-00-33-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ip6tnl0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1460 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1041 errors:0 dropped:0 overruns:0 frame:0
TX packets:1041 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:120466 (117.6 Kb) TX bytes:120466 (117.6 Kb)
plip0 Link encap:Ethernet HWaddr FC:FC:FC:FC:FC:FC
POINTOPOINT NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:255 Base address:0x378
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tap0 Link encap:Ethernet HWaddr FE:FD:00:00:00:00
BROADCAST NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
teql0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.6.10-gentoo-r6 (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: sushi [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 14.72.91.24.in-addr.arpa. [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: vendor 08:00:17, model 2 rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
sushi.netgenco.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
192.168.10.1
+ _________________________ uptime
+ uptime
00:54:07 up 22:59, 1 user, load average: 0.08, 0.02, 0.01
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 14816 10465 19 0 1996 976 wait S+ pts/0 0:00 \_ /bin/sh /usr/libexec/ipsec/barf
0 0 14942 14816 22 0 1420 460 pipe_w S+ pts/0 0:00 \_ egrep -i ppid|pluto|ipsec|klips
1 0 14531 1 19 0 1988 948 wait S pts/0 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug all --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
1 0 14532 14531 19 0 1988 956 wait S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug all --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 14534 14532 16 0 2320 1212 - S pts/0 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --debug-all --uniqueids
0 0 14575 14534 22 0 1296 276 - S pts/0 0:00 | \_ _pluto_adns -d
0 0 14535 14531 15 0 1992 948 pipe_w S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0 0 14533 1 16 0 1360 468 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=24.91.72.14
routenexthop=24.91.72.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
interfaces=%defaultroute
klipsdebug=all
plutodebug=all
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# Add connections here
# sample VPN connection
#sample# conn sample
#sample# # Left security gateway, subnet behind it, next hop toward right.
#sample# left=10.0.0.1
#sample# leftsubnet=172.16.0.0/24
#sample# leftnexthop=10.22.33.44
#sample# # Right security gateway, subnet behind it, next hop toward left.
#sample# right=10.12.12.1
#sample# rightsubnet=192.168.0.0/24
#sample# rightnexthop=10.101.102.103
#sample# # To authorize this connection, but not actually start it, at startup,
#sample# # uncomment this.
#sample# #auto=start
#Disable Opportunistic Encryption
#< /etc/ipsec/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec/ipsec.conf 38
#< /etc/ipsec/w-b.conf 1
conn w-b
left=24.91.72.14
leftsubnet=192.168.10.0/24
leftid=@w.netgenco.com
leftrsasigkey=[keyid AQOTnxk5o]
leftnexthop=24.91.72.1
right=221.219.4.251
rightsubnet=192.168.8.0/24
rightid=@b.netgenco.com
rightrsasigkey=[keyid AQO26/Ngp]
rightnexthop=61.51.120.1
authby=rsasig
auto=start
#> /etc/ipsec/ipsec.conf 39
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec/ipsec.secrets 1
: RSA {
# RSA 2048 bits sushi Sat Feb 26 11:51:31 2005
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQOTnxk5o]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Feb 26 23:28:56 2005, 2048 RSA Key AQO26/Ngp, until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@b.netgenco.com'
000 Feb 26 23:28:56 2005, 2048 RSA Key AQOTnxk5o, until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@w.netgenco.com'
+ '[' /etc/ipsec/ipsec.d/policies ']'
++ basename /etc/ipsec/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 100
-rwxr-xr-x 1 root root 15409 Feb 26 00:07 _confread
-rwxr-xr-x 1 root root 5344 Feb 26 00:07 _copyright
-rwxr-xr-x 1 root root 2391 Feb 26 00:07 _include
-rwxr-xr-x 1 root root 1475 Feb 26 00:07 _keycensor
-rwxr-xr-x 1 root root 3586 Feb 26 00:07 _plutoload
-rwxr-xr-x 1 root root 7167 Feb 26 00:07 _plutorun
-rwxr-xr-x 1 root root 10493 Feb 26 00:07 _realsetup
-rwxr-xr-x 1 root root 1975 Feb 26 00:07 _secretcensor
-rwxr-xr-x 1 root root 9016 Feb 26 00:07 _startklips
-rwxr-xr-x 1 root root 12313 Feb 26 00:07 _updown
-rwxr-xr-x 1 root root 7572 Feb 26 00:07 _updown_x509
-rwxr-xr-x 1 root root 1942 Feb 26 00:07 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 1308
-rwxr-xr-x 1 root root 10496 Feb 26 00:07 _pluto_adns
-rwxr-xr-x 1 root root 19220 Feb 26 00:07 auto
-rwxr-xr-x 1 root root 10230 Feb 26 00:07 barf
-rwxr-xr-x 1 root root 816 Feb 26 00:07 calcgoo
-rwxr-xr-x 1 root root 82632 Feb 26 00:07 eroute
-rwxr-xr-x 1 root root 61684 Feb 26 00:07 klipsdebug
-rwxr-xr-x 1 root root 2461 Feb 26 00:07 look
-rwxr-xr-x 1 root root 7130 Feb 26 00:07 mailkey
-rwxr-xr-x 1 root root 16188 Feb 26 00:07 manual
-rwxr-xr-x 1 root root 1874 Feb 26 00:07 newhostkey
-rwxr-xr-x 1 root root 54788 Feb 26 00:07 pf_key
-rwxr-xr-x 1 root root 580876 Feb 26 00:07 pluto
-rwxr-xr-x 1 root root 7424 Feb 26 00:07 ranbits
-rwxr-xr-x 1 root root 19400 Feb 26 00:07 rsasigkey
-rwxr-xr-x 1 root root 766 Feb 26 00:07 secrets
-rwxr-xr-x 1 root root 17578 Feb 26 00:07 send-pr
lrwxrwxrwx 1 root root 17 Feb 26 00:07 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Feb 26 00:07 showdefaults
-rwxr-xr-x 1 root root 4370 Feb 26 00:07 showhostkey
-rwxr-xr-x 1 root root 120644 Feb 26 00:07 spi
-rwxr-xr-x 1 root root 69932 Feb 26 00:07 spigrp
-rwxr-xr-x 1 root root 84216 Feb 26 00:07 starter
-rwxr-xr-x 1 root root 10416 Feb 26 00:07 tncfg
-rwxr-xr-x 1 root root 10195 Feb 26 00:07 verify
-rwxr-xr-x 1 root root 61404 Feb 26 00:07 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
bond0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
plip0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth0:38823694 447475 0 0 0 0 0 0 39165404 49606 1 0 1 0 1 0
lo: 120466 1041 0 0 0 0 0 0 120466 1041 0 0 0 0 0 0
tap0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
dummy0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth1: 2571681 14410 0 0 0 0 0 0 11791217 15227 0 0 0 0 0 0
teql0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
tunl0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
gre0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ip6tnl0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth1 000AA8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 0008A8C0 01485B18 0003 0 0 0 00FFFFFF 0 0 0
eth0 00485B18 00000000 0001 0 0 0 00FEFFFF 0 0 0
lo 0000007F 0100007F 0003 0 0 0 000000FF 0 0 0
eth0 00000000 01485B18 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux sushi 2.6.10-gentoo-r6 #1 SMP Sat Feb 26 01:32:16 EST 2005 i686 Celeron (Mendocino) GenuineIntel GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'native PFKEY (2.6.10-gentoo-r6) support detected '
native PFKEY (2.6.10-gentoo-r6) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 288: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy DROP 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
73 14181 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7 288 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
5325 788K eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
867 146K eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2623 2999K eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2785 422K eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
73 14181 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
5531 1293K fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
732 130K fw2masq all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
172 64948 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
172 64948 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
172 64948 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
172 64948 DropSMB all -- * * 0.0.0.0/0 0.0.0.0/0
172 64948 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
172 64948 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
172 64948 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DropDNSrep (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain DropSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
Chain DropUPnP (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
Chain Reject (4 references)
pkts bytes target prot opt in out source destination
1 48 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
1 48 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
1 48 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
1 48 RejectSMB all -- * * 0.0.0.0/0 0.0.0.0/0
1 48 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
1 48 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
1 48 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0
Chain RejectAuth (2 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
Chain RejectSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
Chain all2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 48 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
1 48 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
1 48 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
2623 2999K net2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
699 160K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
215 77678 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
5110 711K net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
682 33296 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
2785 422K masq2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
670 132K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
867 146K masq2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2masq (1 references)
pkts bytes target prot opt in out source destination
621 104K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,631,515,137,138,139,80,443
110 26510 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,631,515,137,138,139,80,443
1 48 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
4316 1213K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1215 80862 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (0 references)
pkts bytes target prot opt in out source destination
Chain masq2fw (1 references)
pkts bytes target prot opt in out source destination
197 14324 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:220
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123
288 20194 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
151 69421 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:23
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443
80 6816 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
151 35716 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:139
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:143
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:220
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:993
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:110
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:25
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain masq2net (1 references)
pkts bytes target prot opt in out source destination
2103 388K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
682 33296 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
pkts bytes target prot opt in out source destination
2623 2999K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
172 64948 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
172 64948 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
172 64948 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
4626 628K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
287 13996 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
6 288 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:220
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6901
18 3236 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,137,138,139,631,6901,23,500
172 64948 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (11 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
1 48 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1507K packets, 204M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 654K packets, 44M bytes)
pkts bytes target prot opt in out source destination
1356 80902 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
681 33248 MASQUERADE all -- * * 192.168.10.0/24 0.0.0.0/0
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 96M packets, 71G bytes)
pkts bytes target prot opt in out source destination
11680 4370K pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 75M packets, 60G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 21M packets, 11G bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 46M packets, 23G bytes)
pkts bytes target prot opt in out source destination
6336 1438K outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 67M packets, 34G bytes)
pkts bytes target prot opt in out source destination
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
1558 552K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
1747 141K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
snd_ens1371 20388 0 - Live 0xf28d5000
snd_ac97_codec 73440 1 snd_ens1371, Live 0xf28ec000
snd_rawmidi 20896 1 snd_ens1371, Live 0xf28ce000
reiserfs 240848 0 - Live 0xf29d9000
+ _________________________ proc/meminfo
+ cat /proc/meminfo
MemTotal: 772084 kB
MemFree: 11812 kB
Buffers: 290956 kB
Cached: 123980 kB
SwapCached: 0 kB
Active: 268764 kB
Inactive: 271652 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 772084 kB
LowFree: 11812 kB
SwapTotal: 538136 kB
SwapFree: 538136 kB
Dirty: 52 kB
Writeback: 0 kB
Mapped: 156508 kB
Slab: 204192 kB
CommitLimit: 924176 kB
Committed_AS: 377720 kB
PageTables: 1932 kB
VmallocTotal: 253876 kB
VmallocUsed: 37992 kB
VmallocChunk: 214960 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_NETLINK|CONFIG_IPSEC|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NETLINK_DEV=y
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_TUNNEL=y
CONFIG_IP_TCPDIAG=y
CONFIG_IP_TCPDIAG_IPV6=y
# CONFIG_IP_VS is not set
CONFIG_IPV6=y
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=y
CONFIG_INET6_ESP=y
CONFIG_INET6_IPCOMP=y
CONFIG_INET6_TUNNEL=y
CONFIG_IPV6_TUNNEL=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_TFTP=y
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_PHYSDEV=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_REALM=y
CONFIG_IP_NF_MATCH_SCTP=y
CONFIG_IP_NF_MATCH_COMMENT=y
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_TARGET_NOTRACK=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_IP6_NF_QUEUE=y
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_LIMIT=y
CONFIG_IP6_NF_MATCH_MAC=y
CONFIG_IP6_NF_MATCH_RT=y
CONFIG_IP6_NF_MATCH_OPTS=y
CONFIG_IP6_NF_MATCH_FRAG=y
CONFIG_IP6_NF_MATCH_HL=y
CONFIG_IP6_NF_MATCH_MULTIPORT=y
CONFIG_IP6_NF_MATCH_OWNER=y
CONFIG_IP6_NF_MATCH_MARK=y
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
CONFIG_IP6_NF_MATCH_AHESP=y
CONFIG_IP6_NF_MATCH_LENGTH=y
CONFIG_IP6_NF_MATCH_EUI64=y
CONFIG_IP6_NF_MATCH_PHYSDEV=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_LOG=y
CONFIG_IP6_NF_MANGLE=y
# CONFIG_IP6_NF_TARGET_MARK is not set
CONFIG_IP6_NF_RAW=y
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
cat: /etc/syslog.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
domain netgenco.com
nameserver 204.127.202.19
nameserver 216.148.227.204
search hsd1.ma.comcast.net.
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 12
drwxr-xr-x 3 root root 4096 Dec 8 22:56 2.6.9-gentoo-r1
drwxr-xr-x 3 root root 4096 Feb 25 10:24 2.6.9-gentoo-r9
drwxr-xr-x 3 root root 4096 Feb 26 01:56 2.6.10-gentoo-r6
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c0428c50 T netif_rx
c0428e30 T netif_rx_ni
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.10-gentoo-r6:
2.6.9-gentoo-r1:
2.6.9-gentoo-r9:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '1,$p' /dev/null
+ egrep -i 'ipsec|klips|pluto'
+ cat
+ _________________________ plog
+ sed -n '1,$p' /dev/null
+ egrep -i pluto
+ cat
+ _________________________ date
+ date
Sun Feb 27 00:54:08 EST 2005
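Two things in the barf above are worth checking mechanically before chasing the tunnel itself. The routing table is printed in /proc/net/route's little-endian hex, and the nat table masquerades everything from 192.168.10.0/24 leaving eth0 with no exemption for 192.168.8.0/24. On the native (NETKEY) stack that this 2.6.10 kernel is using, plaintext packets for the remote subnet traverse nat POSTROUTING before they are ESP-encapsulated, so a MASQUERADE that matches them rewrites the inner source address and the packet no longer fits the IPsec policy. The script below is an added example, not code from the original post or from Openswan: it decodes the route dump, then walks POSTROUTING in rule order (descending into the Shorewall eth0_masq chain) for a 192.168.10.0/24 -> 192.168.8.0/24 packet and reports the first MASQUERADE/SNAT it would hit. The sample inputs are copied from the barf sections above (only the POSTROUTING and eth0_masq chains), the subnets are the conn's, and the walker deliberately ignores protocol and port matches, which is enough for this listing but not for every ruleset.

```python
"""Added example, not part of the original post or of Openswan: decode the
/proc/net/route dump and walk the nat POSTROUTING chain from the barf above
to see whether tunnel traffic would be masqueraded before ESP encapsulation.
Sample inputs are copied from the barf; the subnets are the conn's."""
import ipaddress
import socket
import struct

# Copied from the "cat /proc/net/route" section of the barf above.
PROC_NET_ROUTE = """\
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth1 000AA8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 0008A8C0 01485B18 0003 0 0 0 00FFFFFF 0 0 0
eth0 00485B18 00000000 0001 0 0 0 00FEFFFF 0 0 0
lo 0000007F 0100007F 0003 0 0 0 000000FF 0 0 0
eth0 00000000 01485B18 0003 0 0 0 00000000 0 0 0
"""

# POSTROUTING and eth0_masq, copied from "iptables -t nat -L -v -n" above.
NAT_LISTING = """\
Chain POSTROUTING (policy ACCEPT 654K packets, 44M bytes)
pkts bytes target prot opt in out source destination
1356 80902 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
681 33248 MASQUERADE all -- * * 192.168.10.0/24 0.0.0.0/0
"""

LEFT_SUBNET = ipaddress.ip_network("192.168.10.0/24")   # leftsubnet in the post
RIGHT_SUBNET = ipaddress.ip_network("192.168.8.0/24")   # rightsubnet in the post


def _hex_ip(field):
    """/proc/net/route stores IPv4 addresses as little-endian hex words."""
    return socket.inet_ntoa(struct.pack("<L", int(field, 16)))


def decode_proc_route(text):
    """Return (iface, 'network/prefix', gateway, flags) for each route line."""
    routes = []
    for line in text.splitlines()[1:]:              # skip the column header
        cols = line.split()
        if len(cols) >= 8:
            net = ipaddress.ip_network(f"{_hex_ip(cols[1])}/{_hex_ip(cols[7])}")
            routes.append((cols[0], str(net), _hex_ip(cols[2]), int(cols[3], 16)))
    return routes


def egress_iface(routes, address):
    """Longest-prefix match: the interface 'address' is routed out of."""
    best = None
    for iface, net, _gw, _flags in routes:
        net = ipaddress.ip_network(net)
        if address in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None


def parse_iptables_listing(text):
    """Map chain name -> rules from 'iptables -L -v -n' output."""
    chains, current = {}, None
    for line in text.splitlines():
        cols = line.split()
        if cols and cols[0] == "Chain":
            current = cols[1]
            chains[current] = []
        elif cols and cols[0] != "pkts" and len(cols) >= 9:
            # columns: pkts bytes target prot opt in out source destination
            chains[current].append({"target": cols[2], "out": cols[6],
                                    "src": ipaddress.ip_network(cols[7]),
                                    "dst": ipaddress.ip_network(cols[8])})
    return chains


def _walk(chains, chain, src, dst, out_iface):
    """Follow one chain in rule order (descending into user chains) for a
    src->dst packet leaving via out_iface; verdict: exempt, nat or continue."""
    for rule in chains.get(chain, []):
        if rule["out"] not in ("*", out_iface):
            continue
        if not (src.subnet_of(rule["src"]) and dst.subnet_of(rule["dst"])):
            continue
        target = rule["target"]
        if target == "ACCEPT":
            return "exempt", rule
        if target == "RETURN":                      # back to the calling chain
            return "continue", None
        if target in ("MASQUERADE", "SNAT"):
            return "nat", rule
        if target in chains:                        # jump into a user chain
            verdict, hit = _walk(chains, target, src, dst, out_iface)
            if verdict != "continue":
                return verdict, hit
    return "continue", None


def masquerade_before_ipsec(chains, routes, left, right):
    """With NETKEY the plaintext packet traverses nat POSTROUTING before ESP
    encapsulation, so a MASQUERADE matching left->right rewrites the inner
    source.  Returns that rule, or None when an ACCEPT exempts the traffic."""
    out_iface = egress_iface(routes, right.network_address)
    verdict, rule = _walk(chains, "POSTROUTING", left, right, out_iface)
    return rule if verdict == "nat" else None
```

Run against the listing above it reports the MASQUERADE in eth0_masq; inserting an ACCEPT for 192.168.10.0/24 -> 192.168.8.0/24 ahead of the jump (the plain-iptables form is `iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -d 192.168.8.0/24 -j ACCEPT`) clears the finding. The exemption by destination subnet is the form available on a 2.6.10 kernel, which predates the `policy` match; on a Shorewall-managed box it has to be expressed in the Shorewall configuration, or the next restart will drop it. Two caveats on the other items a reader would flag: the per-interface rp_filter:1 values are not in effect here, because 2.6 kernels before 2.6.31 apply rp_filter only when both all/rp_filter and the interface value are set, and all/rp_filter is 0; and in the filter table, decrypted packets from 192.168.8.0/24 re-enter on eth0 under NETKEY, so they take eth0_fwd -> net2all, which drops anything that is not RELATED,ESTABLISHED (the 172 packets counted on net2all's Drop are consistent with that, though the dump does not show their addresses), so the FORWARD chain needs an accept for that pair of subnets as well.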