[Openswan Users] AH only?
Xiuduan Fang
xf4c at cs.virginia.edu
Thu Mar 10 22:19:38 CET 2005
Has anyone succeeded in setting up a tunnel protected only by AH from
openswan to openswan?
----- Original Message -----
From: "Xiuduan Fang" <xf4c at cs.virginia.edu>
To: "Paul Wouters" <paul at xelerance.com>
Sent: Thursday, March 03, 2005 6:20 PM
Subject: Re: [Openswan Users] AH only
> It is openswan-openswan. The connection configuration is as follows
>
> conn mvstu2-mvstu3
> right=128.143.137.167 #mvstu3
> rightrsasigkey=0sAQNq.....
> left=128.143.137.155 #mvstu2
> leftrsasigkey=0sAQNv0
> authby=rsasig|secret
> auth=ah
> auto=add
> Then I set up the tunnel on mvstu3,
> [root@MVSTU3 root]# ipsec auto --verbose --up mvstu2-mvstu3
> 002 "mvstu2-mvstu3" #1: initiating Main Mode
> 104 "mvstu2-mvstu3" #1: STATE_MAIN_I1: initiate
> 003 "mvstu2-mvstu3" #1: received Vendor ID payload [Dead Peer Detection]
> 002 "mvstu2-mvstu3" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> 106 "mvstu2-mvstu3" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 002 "mvstu2-mvstu3" #1: I did not send a certificate because I do not have one.
> 002 "mvstu2-mvstu3" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> 108 "mvstu2-mvstu3" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "mvstu2-mvstu3" #1: Main mode peer ID is ID_IPV4_ADDR: '128.143.137.155'
> 002 "mvstu2-mvstu3" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> 002 "mvstu2-mvstu3" #1: ISAKMP SA established
> 004 "mvstu2-mvstu3" #1: STATE_MAIN_I4: ISAKMP SA established
> 002 "mvstu2-mvstu3" #2: initiating Quick Mode PSK+RSASIG+ENCRYPT+AUTHENTICATE+TUNNEL+PFS+UP {using isakmp#1}
> 117 "mvstu2-mvstu3" #2: STATE_QUICK_I1: initiate
> 002 "mvstu2-mvstu3" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> 002 "mvstu2-mvstu3" #2: sent QI2, IPsec SA established {ESP=>0xcfc61bbd <0x3211efca AH=>0xcfc61bbc <0x3211efc9}
> 004 "mvstu2-mvstu3" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xcfc61bbd <0x3211efca AH=>0xcfc61bbc <0x3211efc9}
>
> After I set up the tunnel, on mvstu3 I use ping mvstu2 and on mvstu2
> [root@MVSTU2 root]# tcpdump host mvstu3
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
> 18:09:24.386735 IP mvstu3 > mvstu2.cs.virginia.edu: AH(spi=0xcfc61bbc,seq=0x15): ESP(spi=0xcfc61bbd,seq=0x15)
> 18:09:24.386963 IP mvstu2.cs.virginia.edu > mvstu3: AH(spi=0x3211efc9,seq=0x15): ESP(spi=0x3211efca,seq=0x15)
> 18:09:25.386792 IP mvstu3 > mvstu2.cs.virginia.edu: AH(spi=0xcfc61bbc,seq=0x16): ESP(spi=0xcfc61bbd,seq=0x16)
> 18:09:25.386976 IP mvstu2.cs.virginia.edu > mvstu3: AH(spi=0x3211efc9,seq=0x16): ESP(spi=0x3211efca,seq=0x16)
> 18:09:26.386827 IP mvstu3 > mvstu2.cs.virginia.edu: AH(spi=0xcfc61bbc,seq=0x17): ESP(spi=0xcfc61bbd,seq=0x17)
> 18:09:26.387014 IP mvstu2.cs.virginia.edu > mvstu3: AH(spi=0x3211efc9,seq=0x17): ESP(spi=0x3211efca,seq=0x17)
> 18:09:27.386876 IP mvstu3 > mvstu2.cs.virginia.edu: AH(spi=0xcfc61bbc,seq=0x18): ESP(spi=0xcfc61bbd,seq=0x18)
> 18:09:27.387092 IP mvstu2.cs.virginia.edu > mvstu3: AH(spi=0x3211efc9,seq=0x18): ESP(spi=0x3211efca,seq=0x18)
> 18:09:28.386918 IP mvstu3 > mvstu2.cs.virginia.edu: AH(spi=0xcfc61bbc,seq=0x19): ESP(spi=0xcfc61bbd,seq=0x19)
> 18:09:28.387104 IP mvstu2.cs.virginia.edu > mvstu3: AH(spi=0x3211efc9,seq=0x19): ESP(spi=0x3211efca,seq=0x19)
>
> From the above messages, we can see that the ESP protocol is also used. You
> can also see the detail in the attached ipsec barf file. Thank you for your
> help.
>
> ----- Original Message -----
> From: "Paul Wouters" <paul at xelerance.com>
> To: "Xiuduan Fang" <xf4c at cs.virginia.edu>
> Cc: <USERS at openswan.org>
> Sent: Thursday, March 03, 2005 4:20 PM
> Subject: Re: [Openswan Users] AH only
>
>
>> On Wed, 2 Mar 2005, Xiuduan Fang wrote:
>>
>>> I tried to set up a tunnel with AH only. I set "auth=ah" and found the
>>> tunnel was protected by both AH and ESP. I am wondering if I can set up a
>>> tunnel without ESP. Also, is AH being discarded? Why? Thank you for any
>>> input.
>>
>> Was this openswan-openswan, or an interop with racoon?
>> can you provide the config file, some tcpdumps and an ipsec barf?
>> (without plutodebug, klipsdebug please)
>>
>> Paul
>> --
>>
>> "At best it is a theory, at worst a fantasy" -- Michael Crichton
>>
>
-------------- next part --------------
MVSTU3
Thu Mar 3 18:17:41 EST 2005
+ _________________________ version
+ ipsec --version
Linux Openswan 2.3.0 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.4.20-8smp (bhcompile at porky.devel.redhat.com) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 SMP Thu Mar 13 17:45:54 EST 2003
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
50 128.143.137.167/32 -> 128.143.137.155/32 => tun0x1002@128.143.137.155
+ _________________________ netstat-rn
+ netstat -nr
+ head -100
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
128.143.137.155 128.143.137.155 255.255.255.255 UGH 0 0 0 ipsec0
192.168.0.31 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
192.168.0.21 192.168.0.2 255.255.255.255 UGH 0 0 0 veth0_100
192.168.0.22 0.0.0.0 255.255.255.255 UH 0 0 0 veth0_100
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 veth0_100
128.143.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
128.143.0.0 0.0.0.0 255.255.0.0 U 0 0 0 ipsec0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
esp0x3211efca@128.143.137.167 ESP_3DES: dir=in src=128.143.137.155 iv_bits=64bits iv=0xa78c7d974a151dd3 ooowin=64 eklen=192 life(c,s,h)=bytes(2600,0,0)addtime(522,0,0)usetime(517,0,0)packets(25,0,0) idle=493 refcount=30 ref=8
ah0x3211efc9@128.143.137.167 AH_HMAC_SHA1: dir=in src=128.143.137.155 ooowin=64 seq=25 bit=0x1ffffff alen=160 aklen=160 life(c,s,h)=bytes(3100,0,0)addtime(522,0,0)usetime(517,0,0)packets(25,0,0) idle=493 refcount=4 ref=9
esp0xcfc61bbd@128.143.137.155 ESP_3DES: dir=out src=128.143.137.167 iv_bits=64bits iv=0x6ec871e7e00c5b71 ooowin=64 seq=25 eklen=192 life(c,s,h)=bytes(3100,0,0)addtime(522,0,0)usetime(517,0,0)packets(25,0,0) idle=493 refcount=5 ref=16
ah0xcfc61bbc@128.143.137.155 AH_HMAC_SHA1: dir=out src=128.143.137.167 ooowin=64 seq=25 alen=160 aklen=160 life(c,s,h)=bytes(3700,0,0)addtime(522,0,0)usetime(517,0,0)packets(25,0,0) idle=493 refcount=4 ref=17
tun0x1001@128.143.137.167 IPIP: dir=in src=128.143.137.155 policy=128.143.137.155/32->128.143.137.167/32 flags=0x8<> life(c,s,h)=bytes(2600,0,0)addtime(522,0,0)usetime(517,0,0)packets(25,0,0) idle=493 refcount=4 ref=7
tun0x1002@128.143.137.155 IPIP: dir=out src=128.143.137.167 life(c,s,h)=bytes(2600,0,0)addtime(522,0,0)usetime(517,0,0)packets(25,0,0) idle=493 refcount=4 ref=15
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1001@128.143.137.167 esp0x3211efca@128.143.137.167 ah0x3211efc9@128.143.137.167
tun0x1002@128.143.137.155 esp0xcfc61bbd@128.143.137.155 ah0xcfc61bbc@128.143.137.155
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1435) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 128.143.137.167
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "mvstu2-mvstu3": 128.143.137.167...128.143.137.155; erouted; eroute owner: #2
000 "mvstu2-mvstu3": srcip=unset; dstip=unset
000 "mvstu2-mvstu3": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mvstu2-mvstu3": policy: PSK+RSASIG+ENCRYPT+AUTHENTICATE+TUNNEL+PFS+UP; prio: 32,32; interface: eth0;
000 "mvstu2-mvstu3": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "mvstu2-mvstu3": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #2: "mvstu2-mvstu3" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27603s; newest IPSEC; eroute owner
000 #2: "mvstu2-mvstu3" used 390s ago; ah.cfc61bbc@128.143.137.155 ah.3211efc9@128.143.137.167 esp.cfc61bbd@128.143.137.155 esp.3211efca@128.143.137.167 tun.1002@128.143.137.155 tun.1001@128.143.137.167
000 #1: "mvstu2-mvstu3" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2291s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:02:B3:EE:51:3D
inet addr:128.143.137.167 Bcast:128.143.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:333837 errors:0 dropped:0 overruns:0 frame:0
TX packets:14356 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:50293483 (47.9 Mb) TX bytes:11988407 (11.4 Mb)
Base address:0xdce0 Memory:ff6e0000-ff700000
eth1 Link encap:Ethernet HWaddr 00:0B:DB:5C:50:88
inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1621 errors:0 dropped:0 overruns:0 frame:0
TX packets:1452 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:633931 (619.0 Kb) TX bytes:173179 (169.1 Kb)
Base address:0xdc80 Memory:ff680000-ff6a0000
eth2 Link encap:Ethernet HWaddr 00:09:5B:1C:2D:88
inet addr:10.0.0.3 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2066 (2.0 Kb) TX bytes:1929 (1.8 Kb)
ians Link encap:Ethernet HWaddr 00:00:00:00:00:00
[NO FLAGS] MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec0 Link encap:Ethernet HWaddr 00:02:B3:EE:51:3D
inet addr:128.143.137.167 Mask:255.255.0.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:25 errors:0 dropped:0 overruns:0 frame:0
TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:2100 (2.0 Kb) TX bytes:4050 (3.9 Kb)
ipsec1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1203 errors:0 dropped:0 overruns:0 frame:0
TX packets:1203 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:90851 (88.7 Kb) TX bytes:90851 (88.7 Kb)
veth0_100 Link encap:Ethernet HWaddr 00:02:B3:EE:51:3D
inet addr:192.168.0.32 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:333837 errors:0 dropped:0 overruns:0 frame:0
TX packets:14356 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:50293483 (47.9 Mb) TX bytes:11988407 (11.4 Mb)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:b3:ee:51:3d brd ff:ff:ff:ff:ff:ff
inet 128.143.137.167/16 brd 128.143.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:0b:db:5c:50:88 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.3/24 brd 192.168.0.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:09:5b:1c:2d:88 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.3/24 brd 10.0.0.255 scope global eth2
9: ians: <> mtu 0 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
10: veth0_100: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:02:b3:ee:51:3d brd ff:ff:ff:ff:ff:ff
inet 192.168.0.32/24 brd 192.168.0.255 scope global veth0_100
15: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:02:b3:ee:51:3d brd ff:ff:ff:ff:ff:ff
inet 128.143.137.167/16 brd 128.143.255.255 scope global ipsec0
16: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/void
17: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/void
18: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/void
+ _________________________ ip-route-list
+ ip route list
128.143.137.155 via 128.143.137.155 dev ipsec0
192.168.0.31 dev eth1 scope link
192.168.0.21 via 192.168.0.2 dev veth0_100
192.168.0.22 dev veth0_100 scope link
10.0.0.0/24 dev eth2 scope link
192.168.0.0/24 dev veth0_100 scope link
128.143.0.0/16 dev eth0 proto kernel scope link src 128.143.137.167
128.143.0.0/16 dev ipsec0 proto kernel scope link src 128.143.137.167
169.254.0.0/16 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default dev eth0 scope link
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup 253
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.3.0 (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: MVSTU3 [OK]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 167.137.143.128.in-addr.arpa. [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
SIOCGMIIPHY on 'eth2' failed: Operation not supported
eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:50:43, model 3 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:50:43, model 2 rev 3
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
mvstu3.cs.virginia.edu
+ _________________________ hostname/ipaddress
+ hostname --ip-address
128.143.137.167
+ _________________________ uptime
+ uptime
18:17:42 up 4:26, 1 user, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 6666 5970 25 0 4140 1088 wait4 S pts/0 0:00 \_ /bin/sh /usr/local/libexec/ipsec/barf
0 0 6744 6666 25 0 1496 456 pipe_w S pts/0 0:00 \_ grep -E -i ppid|pluto|ipsec|klips
1 0 6556 1 25 0 2120 1044 wait4 S pts/0 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --st
1 0 6557 6556 25 0 2120 1056 wait4 S pts/0 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts
4 0 6558 6557 15 0 2380 1216 schedu S pts/0 0:00 | \_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --uniqueids
1 0 6559 6558 25 10 2312 820 schedu SN pts/0 0:00 | \_ pluto helper # 0
0 0 6560 6558 25 0 1420 256 schedu S pts/0 0:00 | \_ _pluto_adns
0 0 6561 6556 25 0 2092 1024 pipe_w S pts/0 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0 0 6563 1 25 0 1352 364 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
#interfaces=
interfaces="ipsec0=eth0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=all
# plutodebug="control parsing"
# Add connections here
conn mvstu2-mvstu3
right=128.143.137.167
# right=192.168.0.3
rightrsasigkey=[keyid AQNqXi2P/]
# left=192.168.0.2
left=128.143.137.155
leftrsasigkey=[keyid AQNv0nHz8]
authby=rsasig|secret
auth=ah
auto=add
# sample VPN connection
#sample# conn sample
#sample# # Left security gateway, subnet behind it, next hop toward right.
#sample# left=10.0.0.1
#sample# leftsubnet=172.16.0.0/24
#sample# leftnexthop=10.22.33.44
#sample# # Right security gateway, subnet behind it, next hop toward left.
#sample# right=10.12.12.1
#sample# rightsubnet=192.168.0.0/24
#sample# rightnexthop=10.101.102.103
#sample# # To authorize this connection, but not actually start it, at startup,
#sample# # uncomment this.
#sample# #auto=start
#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 48
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits MVSTU3 Sat Feb 19 17:06:10 2005
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQNqXi2P/]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Mar 03 18:07:48 2005, 2192 RSA Key AQNqXi2P/, until --- -- --:--:-- ---- ok (expires never)
000 ID_IPV4_ADDR '128.143.137.167'
000 Mar 03 18:07:48 2005, 2192 RSA Key AQNv0nHz8, until --- -- --:--:-- ---- ok (expires never)
000 ID_IPV4_ADDR '128.143.137.155'
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 140
-rwxr-xr-x 1 root root 15468 Feb 19 17:04 _confread
-rwxr-xr-x 1 root root 48923 Feb 19 17:05 _copyright
-rwxr-xr-x 1 root root 2379 Feb 19 17:05 _include
-rwxr-xr-x 1 root root 1475 Feb 19 17:05 _keycensor
-rwxr-xr-x 1 root root 3586 Feb 19 17:05 _plutoload
-rwxr-xr-x 1 root root 7307 Feb 19 17:05 _plutorun
-rwxr-xr-x 1 root root 11409 Feb 19 17:05 _realsetup
-rwxr-xr-x 1 root root 1975 Feb 19 17:05 _secretcensor
-rwxr-xr-x 1 root root 9265 Feb 19 17:05 _startklips
-rwxr-xr-x 1 root root 12329 Feb 19 17:05 _updown
-rwxr-xr-x 1 root root 7572 Feb 19 17:05 _updown_x509
-rwxr-xr-x 1 root root 1942 Feb 19 17:05 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 4544
-rwxr-xr-x 1 root root 71493 Feb 19 17:04 _pluto_adns
-rwxr-xr-x 1 root root 18840 Feb 19 17:05 auto
-rwxr-xr-x 1 root root 10585 Feb 19 17:05 barf
-rwxr-xr-x 1 root root 816 Feb 19 17:05 calcgoo
-rwxr-xr-x 1 root root 318673 Feb 19 17:04 eroute
-rwxr-xr-x 1 root root 126189 Feb 19 17:05 ikeping
-rwxr-xr-x 1 root root 190006 Feb 19 17:04 klipsdebug
-rwxr-xr-x 1 root root 1664 Feb 19 17:05 livetest
-rwxr-xr-x 1 root root 2461 Feb 19 17:05 look
-rwxr-xr-x 1 root root 7130 Feb 19 17:05 mailkey
-rwxr-xr-x 1 root root 15931 Feb 19 17:05 manual
-rwxr-xr-x 1 root root 1874 Feb 19 17:05 newhostkey
-rwxr-xr-x 1 root root 171435 Feb 19 17:04 pf_key
-rwxr-xr-x 1 root root 2363735 Feb 19 17:04 pluto
-rwxr-xr-x 1 root root 52761 Feb 19 17:05 ranbits
-rwxr-xr-x 1 root root 83079 Feb 19 17:05 rsasigkey
-rwxr-xr-x 1 root root 766 Feb 19 17:05 secrets
-rwxr-xr-x 1 root root 17602 Feb 19 17:05 send-pr
lrwxrwxrwx 1 root root 22 Feb 19 17:05 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Feb 19 17:05 showdefaults
-rwxr-xr-x 1 root root 4748 Feb 19 17:05 showhostkey
-rwxr-xr-x 1 root root 514245 Feb 19 17:04 spi
-rwxr-xr-x 1 root root 257602 Feb 19 17:04 spigrp
-rwxr-xr-x 1 root root 52253 Feb 19 17:04 tncfg
-rwxr-xr-x 1 root root 10201 Feb 19 17:05 verify
-rwxr-xr-x 1 root root 259712 Feb 19 17:04 whack
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 90851 1203 0 0 0 0 0 0 90851 1203 0 0 0 0 0 0
eth0:50294937 333855 0 0 0 0 0 1671 11988747 14360 0 0 0 0 0 0
eth1: 633931 1621 0 0 0 0 0 0 173179 1452 0 0 0 0 0 0
eth2: 2066 20 0 0 0 0 0 10 1929 13 0 0 0 0 0 0
ians: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
veth0_100:50294937 333855 0 0 0 0 0 1671 11988747 14360 0 0 0 0 0 0
ipsec0: 2100 25 0 0 0 0 0 0 4050 25 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ipsec0 9B898F80 9B898F80 0007 0 0 0 FFFFFFFF 0 0 0
eth1 1F00A8C0 00000000 0005 0 0 0 FFFFFFFF 0 0 0
veth0_100 1500A8C0 0200A8C0 0007 0 0 0 FFFFFFFF 0 0 0
veth0_100 1600A8C0 00000000 0005 0 0 0 FFFFFFFF 0 0 0
eth2 0000000A 00000000 0001 0 0 0 00FFFFFF 0 0 0
veth0_100 0000A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 00008F80 00000000 0001 0 0 0 0000FFFF 0 0 0
ipsec0 00008F80 00000000 0001 0 0 0 0000FFFF 0 0 0
eth2 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0
lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0
eth0 00000000 00000000 0001 0 0 0 00000000 0 0 0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter eth2/rp_filter ipsec0/rp_filter lo/rp_filter veth0_100/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
eth2/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
veth0_100/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux MVSTU3 2.4.20-8smp #1 SMP Thu Mar 13 17:45:54 EST 2003 i686 i686 i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.3.0
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ ipfwadm -F -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -I -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -O -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -M -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ ipchains -L -v -n
ipchains: Incompatible with this kernel
+ _________________________
+ ipchains -M -L -v -n
ipchains: cannot open file `/proc/net/ip_masquerade'
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 41556 packets, 9656K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 1142 packets, 95832 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15602 packets, 12M bytes)
pkts bytes target prot opt in out source destination
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
iptable_mangle 2776 0 (autoclean) (unused)
iptable_nat 22904 0 (autoclean) (unused)
ip_conntrack 29696 1 (autoclean) [iptable_nat]
ipsec 329888 2
i810_audio 28968 0 (autoclean)
ac97_codec 13768 0 (autoclean) [i810_audio]
soundcore 7044 2 (autoclean) [i810_audio]
ians 134116 1 (autoclean)
sr_mod 18168 0 (autoclean)
radeon 117892 0
iptable_filter 2412 0 (autoclean) (unused)
ip_tables 15864 5 [iptable_mangle iptable_nat iptable_filter]
ns83820 16400 1
e1000 84232 2
ide-scsi 12432 0
scsi_mod 110520 2 [sr_mod ide-scsi]
ide-cd 35772 0
cdrom 34176 0 [sr_mod ide-cd]
ohci1394 20904 0 (unused)
ieee1394 52044 0 [ohci1394]
keybdev 2976 0 (unused)
mousedev 5656 0
hid 22308 0 (unused)
input 6208 0 [keybdev mousedev hid]
usb-uhci 27404 0 (unused)
ehci-hcd 20456 0 (unused)
usbcore 82592 1 [hid usb-uhci ehci-hcd]
ext3 73376 2
jbd 56336 2 [ext3]
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 525029376 269074432 255954944 0 29204480 182161408
Swap: 1044570112 0 1044570112
MemTotal: 512724 kB
MemFree: 249956 kB
MemShared: 0 kB
Buffers: 28520 kB
Cached: 177892 kB
SwapCached: 0 kB
Active: 188408 kB
ActiveAnon: 27384 kB
ActiveCache: 161024 kB
Inact_dirty: 1888 kB
Inact_laundry: 0 kB
Inact_clean: 43500 kB
Inact_target: 46756 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 512724 kB
LowFree: 249956 kB
SwapTotal: 1020088 kB
SwapFree: 1020088 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Mar 3 18:17 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Mar 3 18:17 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Mar 3 18:17 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Mar 3 18:17 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Mar 3 18:17 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Mar 3 18:17 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.4.20-8smp/build/.config
++ uname -r
+ cat /lib/modules/2.4.20-8smp/build/.config
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
# CONFIG_INET_ECN is not set
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_LOCAL=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_COMPAT_IPFWADM=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IPV6=m
# CONFIG_IP6_NF_QUEUE is not set
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPHASE5526=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.debug;*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search cs.virginia.edu
nameserver 128.143.136.15
nameserver 128.143.2.7
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 16
drwxr-xr-x 3 root root 4096 Oct 19 08:51 2.4.20-8
drwxr-xr-x 3 root root 4096 Oct 19 08:51 2.4.20-8smp
drwxr-xr-x 4 root root 4096 Oct 20 19:43 2.4.20
drwxr-xr-x 3 root root 4096 Feb 19 17:05 2.4.20-8custom
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ egrep netif_rx /proc/ksyms
c020dac0 netif_rx_Rsmp_72a4855f
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.20: U netif_rx_R187dee02
2.4.20-8: U netif_rx_R8d84bcda
2.4.20-8custom:
2.4.20-8smp: U netif_rx_Rsmp_72a4855f
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '142673,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Mar 3 18:01:11 mvstu3 ipsec_setup: Starting Openswan IPsec 2.3.0...
Mar 3 18:01:11 mvstu3 ipsec_setup: Using /lib/modules/2.4.20-8smp/kernel/ipsec.o
+ _________________________ plog
+ sed -n '572,$p' /var/log/secure
+ egrep -i pluto
+ cat
Mar 3 18:01:11 mvstu3 ipsec__plutorun: Starting Pluto subsystem...
Mar 3 18:01:11 mvstu3 pluto[6558]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Mar 3 18:01:11 mvstu3 pluto[6558]: Setting port floating to off
Mar 3 18:01:11 mvstu3 pluto[6558]: port floating activate 0/1
Mar 3 18:01:11 mvstu3 pluto[6558]: including NAT-Traversal patch (Version 0.6c) [disabled]
Mar 3 18:01:11 mvstu3 pluto[6558]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 3 18:01:11 mvstu3 pluto[6558]: starting up 1 cryptographic helpers
Mar 3 18:01:11 mvstu3 pluto[6558]: started helper pid=6559 (fd:6)
Mar 3 18:01:11 mvstu3 pluto[6558]: Using KLIPS IPsec interface code
Mar 3 18:01:11 mvstu3 pluto[6558]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 3 18:01:11 mvstu3 pluto[6558]: Could not change to directory '/etc/ipsec.d/aacerts'
Mar 3 18:01:11 mvstu3 pluto[6558]: Changing to directory '/etc/ipsec.d/ocspcerts'
Mar 3 18:01:11 mvstu3 pluto[6558]: Changing to directory '/etc/ipsec.d/crls'
Mar 3 18:01:11 mvstu3 pluto[6558]: Warning: empty directory
Mar 3 18:01:11 mvstu3 pluto[6558]: added connection description "mvstu2-mvstu3"
Mar 3 18:01:12 mvstu3 pluto[6558]: listening for IKE messages
Mar 3 18:01:12 mvstu3 pluto[6558]: adding interface ipsec0/eth0 128.143.137.167
Mar 3 18:01:12 mvstu3 pluto[6558]: loading secrets from "/etc/ipsec.secrets"
Mar 3 18:07:48 mvstu3 pluto[6558]: "mvstu2-mvstu3": deleting connection
Mar 3 18:07:48 mvstu3 pluto[6558]: added connection description "mvstu2-mvstu3"
Mar 3 18:08:59 mvstu3 pluto[6558]: "mvstu2-mvstu3" #1: initiating Main Mode
Mar 3 18:08:59 mvstu3 pluto[6558]: | no IKE algorithms for this connection
Mar 3 18:08:59 mvstu3 pluto[6558]: "mvstu2-mvstu3" #1: received Vendor ID payload [Dead Peer Detection]
Mar 3 18:08:59 mvstu3 pluto[6558]: "mvstu2-mvstu3" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 3 18:08:59 mvstu3 pluto[6558]: "mvstu2-mvstu3" #1: I did not send a certificate because I do not have one.
Mar 3 18:08:59 mvstu3 pluto[6558]: "mvstu2-mvstu3" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 3 18:08:59 mvstu3 pluto[6558]: "mvstu2-mvstu3" #1: Main mode peer ID is ID_IPV4_ADDR: '128.143.137.155'
Mar 3 18:08:59 mvstu3 pluto[6558]: "mvstu2-mvstu3" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 3 18:08:59 mvstu3 pluto[6558]: "mvstu2-mvstu3" #1: ISAKMP SA established
Mar 3 18:08:59 mvstu3 pluto[6558]: "mvstu2-mvstu3" #2: initiating Quick Mode PSK+RSASIG+ENCRYPT+AUTHENTICATE+TUNNEL+PFS+UP {using isakmp#1}
Mar 3 18:09:00 mvstu3 pluto[6558]: "mvstu2-mvstu3" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 3 18:09:00 mvstu3 pluto[6558]: "mvstu2-mvstu3" #2: sent QI2, IPsec SA established {ESP=>0xcfc61bbd <0x3211efca AH=>0xcfc61bbc <0x3211efc9}
+ _________________________ date
+ date
Thu Mar 3 18:17:42 EST 2005