[Openswan Users] Ipsec newbie - trying to connect to sonicwall
Yannick Warnier
ywarnier at beeznest.org
Tue May 17 17:43:28 CEST 2005
Hi there,
I am trying to set up an OpenSwan config to connect to a SonicWall server
but I am having a lot of problems. I'll try to state things as clearly
as I can, in addition to putting the "barf" output below.
Basically, the SonicWall is configured so that I can connect to it
through the Windows SonicWall client.
Let's have a look at my ipsec.conf so you can have a quick idea:
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug="control"
        uniqueids=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn MyGroup
        left=%defaultroute
        right=192.152.172.132
        rightsubnet=192.168.254.0/24
        keyingtries=0
        auto=route
        authby=secret
        auth=esp
        esp=des-hmac_md5
        keyexchange=ike
        ike=des-sha1
I've slightly changed the IP address of the right side for security
reasons ;-)
So as you can imagine, I am trying to connect from a linux client
version 2.3.0 to a server at 192.152.172.132 in the example.
The SonicWall configuration uses
Phase 1: Group 2 - des - sha1
Phase 2: Group 2 - des - hmac_md5
I have a pre-shared key which is configured in /etc/ipsec.secrets
When I start ipsec, I get no errors and 'barf' doesn't output much info
(see output below), but when I try to load the "MyGroup" connection, I
get things like this in /var/log/auth.log
May 17 16:44:43 localhost ipsec__plutorun: Starting Pluto subsystem...
May 17 16:44:43 localhost pluto[14311]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
May 17 16:44:43 localhost pluto[14311]: Setting port floating to off
May 17 16:44:43 localhost pluto[14311]: port floating activate 0/1
May 17 16:44:43 localhost pluto[14311]: including NAT-Traversal patch (Version 0.6c) [disabled]
May 17 16:44:43 localhost pluto[14311]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
May 17 16:44:43 localhost pluto[14311]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 17 16:44:43 localhost pluto[14311]: starting up 1 cryptographic helpers
May 17 16:44:43 localhost pluto[14311]: started helper pid=14319 (fd:6)
May 17 16:44:43 localhost pluto[14311]: Using Linux 2.6 IPsec interface code
May 17 16:44:44 localhost pluto[14319]: ! helper 0 waiting on fd: 7
May 17 16:44:44 localhost pluto[14311]: Changing to directory '/etc/ipsec.d/cacerts'
May 17 16:44:44 localhost pluto[14311]: Changing to directory '/etc/ipsec.d/aacerts'
May 17 16:44:44 localhost pluto[14311]: Changing to directory '/etc/ipsec.d/ocspcerts'
May 17 16:44:44 localhost pluto[14311]: Changing to directory '/etc/ipsec.d/crls'
May 17 16:44:44 localhost pluto[14311]: Warning: empty directory
May 17 16:44:44 localhost pluto[14311]: | inserting event EVENT_LOG_DAILY, timeout in 26116 seconds
May 17 16:44:44 localhost pluto[14311]: | next event EVENT_REINIT_SECRET in 3599 seconds
May 17 16:44:44 localhost pluto[14311]: |
May 17 16:44:44 localhost pluto[14311]: | *received whack message
May 17 16:44:44 localhost pluto[14311]: | Added new connection MyGroup with policy PSK+ENCRYPT+TUNNEL+PFS
May 17 16:44:44 localhost pluto[14311]: | from whack: got --esp=des-hmac_md5
May 17 16:44:44 localhost pluto[14311]: | esp string values: 2_000-1, flags=-strict
May 17 16:44:44 localhost pluto[14311]: | from whack: got --ike=des-sha1
May 17 16:44:44 localhost pluto[14311]: | ike string values: 1_000-2-5, 1_000-2-2, flags=-strict
May 17 16:44:44 localhost pluto[14311]: | counting wild cards for (none) is 15
May 17 16:44:44 localhost pluto[14311]: | sendcert is 3
May 17 16:44:44 localhost pluto[14311]: | counting wild cards for (none) is 15
May 17 16:44:44 localhost pluto[14311]: | sendcert is 3
May 17 16:44:44 localhost pluto[14311]: | alg_info_addref() alg_info->ref_cnt=1
May 17 16:44:44 localhost pluto[14311]: | alg_info_addref() alg_info->ref_cnt=1
May 17 16:44:44 localhost pluto[14311]: | alg_info_addref() alg_info->ref_cnt=2
May 17 16:44:44 localhost pluto[14311]: | alg_info_addref() alg_info->ref_cnt=2
May 17 16:44:44 localhost pluto[14311]: added connection description "GroupVPN"
May 17 16:44:44 localhost pluto[14311]: | 192.168.2.63---192.168.2.1...192.152.172.132===192.168.254.0/24
May 17 16:44:44 localhost pluto[14311]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS
May 17 16:44:44 localhost pluto[14311]: | next event EVENT_REINIT_SECRET in 3599 seconds
May 17 16:44:44 localhost pluto[14311]: |
May 17 16:44:44 localhost pluto[14311]: | *received whack message
May 17 16:44:44 localhost pluto[14311]: listening for IKE messages
May 17 16:44:44 localhost pluto[14311]: | found lo with address 127.0.0.1
May 17 16:44:44 localhost pluto[14311]: | found eth0 with address 192.168.2.63
May 17 16:44:44 localhost pluto[14311]: adding interface eth0/eth0 192.168.2.63
May 17 16:44:44 localhost pluto[14311]: adding interface lo/lo 127.0.0.1
May 17 16:44:44 localhost pluto[14311]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
May 17 16:44:44 localhost pluto[14311]: adding interface lo/lo ::1
May 17 16:44:44 localhost pluto[14311]: loading secrets from "/etc/ipsec.secrets"
May 17 16:44:44 localhost pluto[14311]: | next event EVENT_REINIT_SECRET in 3599 seconds
May 17 16:44:44 localhost pluto[14311]: |
May 17 16:44:44 localhost pluto[14311]: | *received whack message
May 17 16:44:44 localhost pluto[14311]: | route owner of "MyGroup" unrouted: NULL; eroute owner: NULL
May 17 16:44:44 localhost pluto[14311]: | could_route called for MyGroup (kind=CK_PERMANENT)
May 17 16:44:44 localhost pluto[14311]: | route owner of "MyGroup" unrouted: NULL; eroute owner: NULL
May 17 16:44:44 localhost pluto[14311]: | add eroute 192.168.254.0/24:0 --0-> 192.168.2.63/32:0 => %trap (raw_eroute)
May 17 16:44:44 localhost pluto[14311]: | eroute_connection add eroute 192.168.2.63/32:0 --0-> 192.168.254.0/24:0 => %trap (raw_eroute)
May 17 16:44:44 localhost pluto[14311]: | route_and_eroute: firewall_notified: true
May 17 16:44:44 localhost pluto[14311]: | executing prepare-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-host' PLUTO_CONNECTION='MyGroup' PLUTO_NEXT_HOP='192.168.2.1' PLUTO_INTERFACE='eth0' PLUTO_ME='192.168.2.63' PLUTO_MY_ID='192.168.2.63' PLUTO_MY_CLIENT='192.168.2.63/32' PLUTO_MY_CLIENT_NET='192.168.2.63' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.152.172.132' PLUTO_PEER_ID='192.152.172.132' PLUTO_PEER_CLIENT='192.168.254.0/24' PLUTO_PEER_CLIENT_NET='192.168.254.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS' ipsec _updown
May 17 16:44:44 localhost pluto[14311]: | executing route-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-host' PLUTO_CONNECTION='GroupVPN' PLUTO_NEXT_HOP='192.168.2.1' PLUTO_INTERFACE='eth0' PLUTO_ME='192.168.2.63' PLUTO_MY_ID='192.168.2.63' PLUTO_MY_CLIENT='192.168.2.63/32' PLUTO_MY_CLIENT_NET='192.168.2.63' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.152.172.132' PLUTO_PEER_ID='192.152.172.132' PLUTO_PEER_CLIENT='192.168.254.0/24' PLUTO_PEER_CLIENT_NET='192.168.254.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS' ipsec _updown
May 17 16:44:44 localhost pluto[14311]: | next event EVENT_REINIT_SECRET in 3599 seconds
May 17 17:30:22 localhost pluto[14311]: | *received whack message
May 17 17:30:22 localhost pluto[14311]: | creating state object #1 at 0x8101928
May 17 17:30:22 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d 93 43
May 17 17:30:22 localhost pluto[14311]: | RCOOKIE: 00 00 00 00 00 00 00 00
May 17 17:30:22 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:30:22 localhost pluto[14311]: | state hash entry 7
May 17 17:30:22 localhost pluto[14311]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
May 17 17:30:22 localhost pluto[14311]: | Queuing pending Quick Mode with 194.154.176.134 "GroupVPN"
May 17 17:30:22 localhost pluto[14311]: "MyGroup" #1: initiating Main Mode
May 17 17:30:22 localhost pluto[14311]: | ike_alg_db_new() ike enc ealg=1 not present
May 17 17:30:22 localhost pluto[14311]: | ike_alg_db_new() ike enc ealg=1 not present
May 17 17:30:22 localhost pluto[14311]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
May 17 17:30:22 localhost pluto[14311]: | next event EVENT_RETRANSMIT in 10 seconds for #1
May 17 17:30:22 localhost pluto[14311]: |
May 17 17:30:22 localhost pluto[14311]: | *received 92 bytes from 194.154.176.134:500 on eth0
May 17 17:30:22 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d 93 43
May 17 17:30:23 localhost pluto[14311]: | RCOOKIE: ae 01 b1 c7 ba 4a ea 88
May 17 17:30:23 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:30:23 localhost pluto[14311]: | state hash entry 6
May 17 17:30:23 localhost pluto[14311]: | state object not found
May 17 17:30:23 localhost pluto[14311]: packet from 192.152.172.132:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 17 17:30:23 localhost pluto[14311]: packet from 192.152.172.132:500: received and ignored informational message
May 17 17:30:23 localhost pluto[14311]: | complete state transition with STF_IGNORE
May 17 17:30:23 localhost pluto[14311]: | next event EVENT_RETRANSMIT in 10 seconds for #1
May 17 17:30:27 localhost pluto[14311]: |
May 17 17:30:27 localhost pluto[14311]: | *received whack message
May 17 17:30:27 localhost pluto[14311]: | next event EVENT_RETRANSMIT in 5 seconds for #1
May 17 17:30:27 localhost pluto[14311]: |
May 17 17:30:27 localhost pluto[14311]: | *received whack message
May 17 17:30:27 localhost pluto[14311]: | next event EVENT_RETRANSMIT in 5 seconds for #1
May 17 17:30:27 localhost pluto[14311]: |
May 17 17:30:27 localhost pluto[14311]: | *received whack message
May 17 17:30:27 localhost pluto[14311]: | next event EVENT_RETRANSMIT in 5 seconds for #1
+ _________________________ date
+ date
Tue May 17 16:44:46 BST 2005
So what appears to me is it's got something wrong, but I don't know
what. I would say it got some problem with the IKE encryption algorithm,
but I'm feeling overwhelmed by the complexity of all this now.
Could somebody give me a hand on how I am supposed to configure this
client?
After the IKE is exchanged, I should also authenticate with a username
and a password, but it seems I never got this far yet. But if OpenSwan
doesn't support this, maybe I should give up straight away (and try
finding another client or give up completely).
I've looked for information on configuration on openswan.org but I feel
like there is not enough doc at all (I couldn't find a list of the
available encryption and authentication algorithms for example).
Yannick
Output of ipsec barf:
kakashi
Tue May 17 17:36:19 BST 2005
+ _________________________ version
+ ipsec --version
Linux Openswan U2.3.0/K2.6.11-1-686-smp (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.11-1-686-smp (dilinger at mouth) (gcc version 3.3.5
(Debian 1:3.3.5-12)) #1 SMP Mon Apr 25 00:40:53 UTC 2005
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -100
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
192.168.254.0   192.168.2.1     255.255.255.0   UG    0   0      0    eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0   0      0    eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
192.168.2.63[any] 192.168.254.0/24[any] any
out ipsec
esp/transport//require
created: May 17 16:44:44 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=817 seq=6 pid=15461
refcnt=1
(per-socket policy)
in none
created: May 17 16:44:44 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=803 seq=5 pid=15461
refcnt=1
(per-socket policy)
in none
created: May 17 16:44:44 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=787 seq=4 pid=15461
refcnt=1
(per-socket policy)
in none
created: May 17 16:44:44 2005 lastused: May 17 17:36:12 2005
lifetime: 0(s) validtime: 0(s)
spid=771 seq=3 pid=15461
refcnt=1
(per-socket policy)
out none
created: May 17 16:44:44 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=812 seq=2 pid=15461
refcnt=1
(per-socket policy)
out none
created: May 17 16:44:44 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=796 seq=1 pid=15461
refcnt=1
(per-socket policy)
out none
created: May 17 16:44:44 2005 lastused: May 17 17:36:12 2005
lifetime: 0(s) validtime: 0(s)
spid=780 seq=0 pid=15461
refcnt=1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.2.63
000 %myid = (none)
000 debug control
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "MyGroup": 192.168.2.63---192.168.2.1...192.152.172.132===192.168.254.0/24; prospective erouted; eroute owner: #0
000 "MyGroup": srcip=unset; dstip=unset
000 "MyGroup": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "MyGroup": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth0;
000 "MyGroup": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "MyGroup": IKE algorithms wanted: 1_000-2-5, 1_000-2-2, flags=-strict
000 "MyGroup": IKE algorithms found: 1_000-2-5, 1_000-2-2, flags=-strict
000 "MyGroup": ESP algorithms wanted: 2_000-1, flags=-strict
000 "MyGroup": ESP algorithms loaded: 2_000-1, flags=-strict
000
000 #1: "MyGroup" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 33s; nodpd
000 #1: pending Phase 2 for "MyGroup" replacing #0
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0F:B0:3B:95:32
          inet addr:192.168.2.63  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20f:b0ff:fe3b:9532/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15256 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1824 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3130896 (2.9 MiB)  TX bytes:194649 (190.0 KiB)
          Interrupt:193 Base address:0xa000

eth1      Link encap:UNSPEC  HWaddr 00-02-3F-4C-5B-40-00-89-00-00-00-00-00-00-00-00
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:128851 errors:0 dropped:0 overruns:0 frame:0
          TX packets:128851 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9399750 (8.9 MiB)  TX bytes:9399750 (8.9 MiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0f:b0:3b:95:32 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.63/24 brd 192.168.2.255 scope global eth0
inet6 fe80::20f:b0ff:fe3b:9532/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ieee1394 00:02:3f:4c:5b:40:00:89 brd ff:ff:ff:ff:ff:ff:ff:ff
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
+ _________________________ ip-route-list
+ ip route list
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.63
192.168.254.0/24 via 192.168.2.1 dev eth0
default via 192.168.2.1 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.3.0/K2.6.11-1-686-smp (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets)
[FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: kakashi
[MISSING]
kakashi.kommunicate.co.uk has no TXT record (Authoritative answer)
Does the machine have at least one non-private address?
[FAILED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
flow-control
SIOCGMIIPHY on 'eth1' failed: Operation not supported
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
localhost.localdomain
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
17:36:19 up 1:34, 6 users, load average: 0.07, 0.06, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI  VSZ  RSS WCHAN  STAT TTY   TIME COMMAND
0     0 15199  7114  17   0 2852 1232 wait   S+   pts/0 0:00 |   \_ /bin/sh /usr/lib/ipsec/auto --up MyGroup
1     0 15201 15199  19   0 2852 1232 wait   S+   pts/0 0:00 |       \_ /bin/sh /usr/lib/ipsec/auto --up MyGroup
0     0 15207 15206  16   0 1468  332 -      S+   pts/0 0:00 |       |   \_ /usr/lib/ipsec/whack --name MyGroup --initiate
0     0 15439  7468  20   0 2848 1236 wait   S+   pts/1 0:00 |   \_ /bin/sh /usr/lib/ipsec/barf
0     0 15513 15439  21   0 1628  420 pipe_w S+   pts/1 0:00 |       \_ grep -E -i ppid|pluto|ipsec|klips
0     0  9180  9175  16   0 4336 2576 -      S+   pts/3 0:00     \_ vi /etc/ipsec.secrets
1     0 14307     1  25   0 2396  916 wait   S    pts/0 0:00 /bin/bash /usr/lib/ipsec/_plutorun --debug control --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
1     0 14309 14307  25   0 2396  924 wait   S    pts/0 0:00  \_ /bin/bash /usr/lib/ipsec/_plutorun --debug control --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4     0 14311 14309  16   0 2540 1104 -      S    pts/0 0:00 |   \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-control --uniqueids
1     0 14319 14311  28  10 2540  780 -      SN   pts/0 0:00 |       \_ pluto helper # 0 -nofork
0     0 14381 14311  18   0 1504  276 -      S    pts/0 0:00 |       \_ _pluto_adns
0     0 14310 14307  15   0 2372  900 pipe_w S    pts/0 0:00  \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0     0 14308     1  25   0 1568  336 pipe_w S    pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=192.168.2.63
routenexthop=192.168.2.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug="control"
        #plutodebug=none
        #plutoload=%search
        #plutostart=%search
        uniqueids=yes
        forwardcontrol=yes

#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore
#> /etc/ipsec.conf 26

conn MyGroup
        #left="ipsec0=eth0"
        left=%defaultroute
        #left=192.168.2.63
        #leftsubnet=192.168.2.63/31
        #leftnexthop=%defaultroute
        right=192.152.172.132
        rightsubnet=192.168.254.0/24
        #rightnexthop=%defaultroute
        keyingtries=0
        auto=route
        authby=secret
        auth=esp
        esp=des-hmac_md5
        #pfs=yes
        keyexchange=ike
        ike=des-sha1
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# RCSID $Id: ipsec.secrets.proto,v 1.2 2004/03/13 17:13:47 rene Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
192.168.2.63 192.152.172.132 @00401016C58B : PSK "[sums to d231...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 1388
-rwxr-xr-x 1 root root 15469 Jan 27 17:45 _confread
-rwxr-xr-x 1 root root 4544 Jan 27 17:45 _copyright
-rwxr-xr-x 1 root root 2380 Jan 27 17:45 _include
-rwxr-xr-x 1 root root 1476 Jan 27 17:45 _keycensor
-rwxr-xr-x 1 root root 9784 Jan 27 17:45 _pluto_adns
-rwxr-xr-x 1 root root 3586 Jan 27 17:45 _plutoload
-rwxr-xr-x 1 root root 7293 Jan 27 17:45 _plutorun
-rwxr-xr-x 1 root root 11410 Jan 27 17:45 _realsetup
-rwxr-xr-x 1 root root 1976 Jan 27 17:45 _secretcensor
-rwxr-xr-x 1 root root 9262 Jan 27 17:45 _startklips
-rwxr-xr-x 1 root root 12329 Jan 27 17:45 _updown
-rwxr-xr-x 1 root root 7572 Jan 27 17:45 _updown_x509
-rwxr-xr-x 1 root root 18842 Jan 27 17:45 auto
-rwxr-xr-x 1 root root 10561 Jan 27 17:45 barf
-rwxr-xr-x 1 root root 816 Jan 27 17:45 calcgoo
-rwxr-xr-x 1 root root 80792 Jan 27 17:45 eroute
-rwxr-xr-x 1 root root 16044 Jan 27 17:45 ikeping
-rwxr-xr-x 1 root root 1942 Jan 27 17:45 ipsec_pr.template
-rwxr-xr-x 1 root root 60664 Jan 27 17:45 klipsdebug
-rwxr-xr-x 1 root root 1664 Jan 27 17:45 livetest
-rwxr-xr-x 1 root root 2462 Jan 27 17:45 look
-rwxr-xr-x 1 root root 7118 Jan 27 17:45 mailkey
-rwxr-xr-x 1 root root 15933 Jan 27 17:45 manual
-rwxr-xr-x 1 root root 1874 Jan 27 17:45 newhostkey
-rwxr-xr-x 1 root root 53132 Jan 27 17:45 pf_key
-rwxr-xr-x 1 root root 665112 Jan 27 17:45 pluto
-rwxr-xr-x 1 root root 6584 Jan 27 17:45 ranbits
-rwxr-xr-x 1 root root 18584 Jan 27 17:45 rsasigkey
-rwxr-xr-x 1 root root 766 Jan 27 17:45 secrets
-rwxr-xr-x 1 root root 17570 Jan 27 17:45 send-pr
lrwxrwxrwx 1 root root 17 May 11 12:59 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Jan 27 17:45 showdefaults
-rwxr-xr-x 1 root root 4749 Jan 27 17:45 showhostkey
-rwxr-xr-x 1 root root 118232 Jan 27 17:45 spi
-rwxr-xr-x 1 root root 68408 Jan 27 17:45 spigrp
-rwxr-xr-x 1 root root 9744 Jan 27 17:45 tncfg
-rwxr-xr-x 1 root root 10189 Jan 27 17:45 verify
-rwxr-xr-x 1 root root 47032 Jan 27 17:45 whack
+ _________________________ ipsec/updowns
++ ls /usr/lib/ipsec
++ egrep updown
+ cat /usr/lib/ipsec/_updown
#! /bin/sh
# iproute2 version, default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
# Copyright (C) 2002-2004 Michael Richardson <mcr at xelerance.com>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown.ip2.in,v 1.12 2004/07/09 03:54:26 ken Exp $
# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.
LC_ALL=C export LC_ALL
# things that this script gets (from ipsec_pluto(8) man page)
#
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway communica
# tions is IPv6, then a suffix of -v6 is added to the
# verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_CONN_POLICY
# the policy of the connection, as in:
# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
# PLUTO_NEXT_HOP
# is the next hop to which packets bound for the peer
# must be sent.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
# is the IP address of our client net. If the client
# is just the host, this will be the host's own IP
# address.
#
# PLUTO_MY_CLIENT_MASK
# is the mask for our client net. If the client is
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
# if non-empty, then the source address for the route will be
# set to this IP address.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
# is the IP address of the peer's client net. If the
# client is just the peer, this will be the peer's
# own IP address.
#
# PLUTO_PEER_CLIENT_MASK
# is the mask for the peer's client net. If the
# client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_CONNECTION_TYPE
#
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
ip route flush cache
}
downroute() {
doroute delete
ip route flush cache
}
uprule() {
# policy based advanced routing
if [ -n "$PLUTO_IPROUTETABLE" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]
then
dorule delete
dorule add
fi
# virtual sourceip support
# note: "[" is a command and needs a space after it, otherwise the shell
# looks for a command literally named `["no"` and the test never runs
if [ -n "$PLUTO_MY_SOURCEIP" ] && [ "$PLUTO_MY_SOURCEIP" != "no" ]
then
addsource
changesource
fi
ip route flush cache
}
downrule() {
if [ -n "$PLUTO_MY_SOURCEIP" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]
then
dorule delete
ip route flush cache
fi
}
addsource() {
st=0
if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
then
it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: addsource \`$it' failed ($oops)" >&2
fi
fi
return $st
}
changesource() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2="dev $PLUTO_INTERFACE"
parms3="src ${PLUTO_MY_SOURCEIP%/*}"
if [ -n "$PLUTO_IPROUTETABLE" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]
then
parms3="$parms3 table '$PLUTO_IPROUTETABLE'"
fi
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
it=
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: changesource \`$it' failed ($oops)" >&2
fi
return $st
}
dorule() {
st=0
it2=
iprule="from $PLUTO_MY_CLIENT"
iprule2="to $PLUTO_PEER_CLIENT table $PLUTO_IPROUTETABLE"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
st=0
;;
*)
if test "$PLUTO_MY_SOURCEIP" = "no"
then
if test "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}"
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
fi
else
if test "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}"
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
it2="ip rule $1 iif lo $iprule2"
fi
fi
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it' failed ($oops)" >&2
fi
if test "$st" = "0" -a -n "$it2"
then
oops="`eval $it2 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it2' failed ($oops)" >&2
fi
fi
;;
esac
return $st
}
doroute() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2=
if [ -n "$PLUTO_NEXT_HOP" ]
then
parms2="via $PLUTO_NEXT_HOP"
fi
parms2="$parms2 dev $PLUTO_INTERFACE"
parms3=
if [ -n "$PLUTO_IPROUTETABLE" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]
then
parms3="table $PLUTO_IPROUTETABLE"
fi
if [ -z "$PLUTO_MY_SOURCEIP" ]
then
if [ -f /etc/sysconfig/defaultsource ]
then
. /etc/sysconfig/defaultsource
if [ -n "$DEFAULTSOURCE" ]
then
PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
fi
fi
fi
if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
then
addsource
parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
fi
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
# need to provide route that eclipses default, without
# replacing it.
it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
ip route $1 128.0.0.0/1 $parms2 $parms3"
;;
*) it="ip route $1 $parms $parms2 $parms3"
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: doroute \`$it' failed ($oops)" >&2
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# need to provide route that eclipses default, without
# replacing it.
parms1="0.0.0.0/1"
parms2="128.0.0.0/1"
it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
;;
*)
parms="$PLUTO_PEER_CLIENT"
it="ip route delete $parms 2>&1"
oops="`ip route delete $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
*'RTNETLINK answers: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
;;
route-host-v6:*|route-client-v6:*)
# connection to me or my client subnet being routed
#uproute_v6
;;
unroute-host-v6:*|unroute-client-v6:*)
# connection to me or my client subnet being unrouted
#downroute_v6
;;
up-host-v6:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host-v6:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client-v6:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client-v6:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ cat /usr/lib/ipsec/_updown_x509
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
#
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
}
downroute() {
doroute del
}
doroute() {
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
;;
*) it="route $1 $parms $parms2"
route $1 $parms $parms2
;;
esac
st=$?
if test $st -ne 0
then
# route has already given its own cryptic message
echo "$0: \`$it' failed" >&2
if test " $1 $st" = " add 7"
then
# another totally undocumented interface -- 7 and
# "SIOCADDRT: Network is unreachable" means that
# the gateway isn't reachable.
echo "$0: (incorrect or missing nexthop setting??)" >&2
fi
fi
return $st
}
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
S_MY_PORT="--sport $PLUTO_MY_PORT"
D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
S_PEER_PORT="--sport $PLUTO_PEER_PORT"
D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
parms1="-net 0.0.0.0 netmask 128.0.0.0"
parms2="-net 128.0.0.0 netmask 128.0.0.0"
it="route del $parms1 2>&1 ; route del $parms2 2>&1"
oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
;;
*)
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
it="route del $parms 2>&1"
oops="`route del $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
'SIOCDELRT: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 9399750  128851    0    0    0     0          0         0  9399750  128851    0    0    0     0       0          0
  eth0: 3131260   15259    0    0    0     0          0         0   194879    1827    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  sit0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
eth0  0002A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0
eth0  00FEA8C0    0102A8C0 0003  0      0   0      00FFFFFF 0   0      0
eth0  00000000    0102A8C0 0003  0      0   0      00000000 0   0      0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux kakashi 2.6.11-1-686-smp #1 SMP Mon Apr 25 00:40:53 UTC 2005 i686 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.11-1-686-smp) support detected '
NETKEY (2.6.11-1-686-smp) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/lib/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 131K packets, 11M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 125K packets, 9173K bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1550 packets, 283K bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 1177 packets, 71593 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 1177 packets, 71593 bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 131K packets, 11M bytes)
pkts bytes target prot opt in out source
destination
Chain INPUT (policy ACCEPT 131K packets, 11M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 125K packets, 9173K bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 125K packets, 9173K bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
xfrm_user 16964 0 - Live 0xe0c43000
xfrm4_tunnel 4164 0 - Live 0xe0c0f000
af_key 34736 0 - Live 0xe0b93000
iptable_mangle 3008 0 - Live 0xe0b61000
iptable_nat 23964 0 - Live 0xe0c27000
ip_conntrack 45864 1 iptable_nat, Live 0xe0c36000
iptable_filter 3168 0 - Live 0xe0b58000
ip_tables 22080 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xe0c15000
ipv6 267136 12 - Live 0xe0c75000
parport_pc 37060 0 - Live 0xe0c1c000
lp 12068 0 - Live 0xe0bf7000
parport 38280 2 parport_pc,lp, Live 0xe0c04000
thermal 13672 0 - Live 0xe0bf2000
fan 4612 0 - Live 0xe0be9000
button 6736 0 - Live 0xe0bb5000
processor 23432 1 thermal, Live 0xe0bd3000
ac 4932 0 - Live 0xe0bb8000
battery 10244 0 - Live 0xe0bad000
deflate 3936 0 - Live 0xe0b52000
zlib_deflate 22872 1 deflate, Live 0xe0bcc000
twofish 38880 0 - Live 0xe0bdb000
serpent 14464 0 - Live 0xe0bc7000
aes_i586 39360 0 - Live 0xe0bbc000
blowfish 8384 0 - Live 0xe0bb1000
des 11872 0 - Live 0xe0b8f000
sha256 9792 0 - Live 0xe0ba9000
sha1 8736 0 - Live 0xe0b9d000
crypto_null 2464 0 - Live 0xe0b56000
ipcomp 9288 0 - Live 0xe0b88000
esp4 8672 0 - Live 0xe0b7c000
ah4 7040 0 - Live 0xe0b79000
af_packet 23208 2 - Live 0xe0b81000
pcspkr 3816 0 - Live 0xe0b54000
rtc 13064 0 - Live 0xe0b74000
eth1394 22216 0 - Live 0xe0b5a000
yenta_socket 23464 0 - Live 0xe0b1f000
rsrc_nonstatic 11200 1 yenta_socket, Live 0xe0b1b000
pcmcia_core 51216 2 yenta_socket,rsrc_nonstatic, Live 0xe0b44000
8139too 27648 0 - Live 0xe0b0e000
mii 5216 1 8139too, Live 0xe0af5000
ohci1394 35780 0 - Live 0xe0afa000
snd_atiixp_modem 18020 1 - Live 0xe0ae8000
snd_atiixp 21792 1 - Live 0xe0ae1000
snd_ac97_codec 78904 2 snd_atiixp_modem,snd_atiixp, Live 0xe0aa2000
snd_pcm_oss 54496 0 - Live 0xe0ad2000
snd_mixer_oss 20416 1 snd_pcm_oss, Live 0xe0a9c000
snd_pcm 96612 4 snd_atiixp_modem,snd_atiixp,snd_ac97_codec,snd_pcm_oss, Live 0xe0ab9000
snd_timer 26468 1 snd_pcm, Live 0xe0a82000
snd 58084 11 snd_atiixp_modem,snd_atiixp,snd_ac97_codec,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer, Live 0xe0a8c000
soundcore 10336 1 snd, Live 0xe0a75000
snd_page_alloc 10244 3 snd_atiixp_modem,snd_atiixp,snd_pcm, Live 0xe0a5a000
ehci_hcd 35496 0 - Live 0xe0a6b000
tsdev 8000 0 - Live 0xe0a04000
usbhid 35040 0 - Live 0xe0a61000
ohci_hcd 22312 0 - Live 0xe0a4e000
usbcore 123000 4 ehci_hcd,usbhid,ohci_hcd, Live 0xe0a12000
shpchp 102852 0 - Live 0xe0a33000
pci_hotplug 34300 1 shpchp, Live 0xe0a08000
ati_agp 8972 1 - Live 0xe099a000
agpgart 35436 1 ati_agp, Live 0xe09db000
nls_iso8859_1 4192 1 - Live 0xe096b000
nls_cp437 5856 1 - Live 0xe0968000
vfat 14304 1 - Live 0xe0991000
fat 41980 1 vfat, Live 0xe099f000
evdev 9792 0 - Live 0xe098d000
capability 4936 0 - Live 0xe0965000
commoncap 7104 1 capability, Live 0xe094f000
p4_clockmod 5988 1 - Live 0xe095f000
speedstep_lib 4484 1 p4_clockmod, Live 0xe095c000
freq_table 4736 1 p4_clockmod, Live 0xe0952000
sr_mod 17988 0 - Live 0xe0956000
sbp2 24776 0 - Live 0xe0922000
scsi_mod 139208 2 sr_mod,sbp2, Live 0xe09b8000
ieee1394 112280 3 eth1394,ohci1394,sbp2, Live 0xe0970000
mousedev 12220 2 - Live 0xe08da000
psmouse 29832 0 - Live 0xe08e4000
ide_cd 42500 0 - Live 0xe090c000
cdrom 41664 2 sr_mod,ide_cd, Live 0xe0900000
ext3 146120 1 - Live 0xe092a000
jbd 63512 1 ext3, Live 0xe08ef000
mbcache 10276 1 ext3, Live 0xe08c4000
ide_disk 18464 3 - Live 0xe08d4000
ide_generic 1440 0 [permanent], Live 0xe08c2000
via82cxxx 14076 0 [permanent], Live 0xe08c8000
trm290 4516 0 [permanent], Live 0xe08b8000
triflex 3968 0 [permanent], Live 0xe087b000
slc90e66 6336 0 [permanent], Live 0xe08b5000
sis5513 16680 0 [permanent], Live 0xe08bc000
siimage 12832 0 [permanent], Live 0xe08b0000
serverworks 9448 0 [permanent], Live 0xe08ac000
sc1200 7552 0 [permanent], Live 0xe08a9000
rz1000 2752 0 [permanent], Live 0xe082c000
piix 10852 0 [permanent], Live 0xe08a5000
pdc202xx_old 11552 0 [permanent], Live 0xe0841000
opti621 4996 0 [permanent], Live 0xe0875000
ns87415 4520 0 [permanent], Live 0xe0872000
hpt366 20320 0 [permanent], Live 0xe089f000
hpt34x 5472 0 [permanent], Live 0xe086f000
generic 4160 0 [permanent], Live 0xe086c000
cy82c693 4964 0 [permanent], Live 0xe0869000
cs5530 5792 0 [permanent], Live 0xe0866000
cs5520 4896 0 [permanent], Live 0xe0863000
cmd64x 12284 0 [permanent], Live 0xe0832000
atiixp 6448 0 [permanent], Live 0xe083e000
amd74xx 14588 0 [permanent], Live 0xe085e000
alim15x3 12396 0 [permanent], Live 0xe0859000
aec62xx 7744 0 [permanent], Live 0xe081f000
pdc202xx_new 9280 0 [permanent], Live 0xe083a000
ide_core 132476 28 ide_cd,ide_disk,ide_generic,via82cxxx,trm290,triflex,slc90e66,sis5513,siimage,serverworks,sc1200,rz1000,piix,pdc202xx_old,opti621,ns87415,hpt366,hpt34x,generic,cy82c693,cs5530,cs5520,cmd64x,atiixp,amd74xx,alim15x3,aec62xx,pdc202xx_new, Live 0xe087d000
unix 29652 766 - Live 0xe0850000
fbcon 39008 0 - Live 0xe0845000
font 8416 1 fbcon, Live 0xe0836000
bitblit 5888 1 fbcon, Live 0xe0829000
vesafb 8312 0 - Live 0xe082e000
cfbcopyarea 4224 1 vesafb, Live 0xe0826000
cfbimgblt 3168 1 vesafb, Live 0xe0824000
cfbfillrect 3872 1 vesafb, Live 0xe0822000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 515468 kB
MemFree: 132696 kB
Buffers: 34024 kB
Cached: 191532 kB
SwapCached: 0 kB
Active: 220092 kB
Inactive: 128532 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 515468 kB
LowFree: 132696 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 364 kB
Writeback: 0 kB
Mapped: 176224 kB
Slab: 25092 kB
CommitLimit: 257732 kB
Committed_AS: 543824 kB
PageTables: 2928 kB
VmallocTotal: 507896 kB
VmallocUsed: 4512 kB
VmallocChunk: 503064 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.11-1-686-smp/build/.config
++ uname -r
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
+ cat /lib/modules/2.6.11-1-686-smp/build/.config
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
CONFIG_IP_TCPDIAG=m
CONFIG_IP_TCPDIAG_IPV6=y
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_TUNNEL=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_COMMENT=m
CONFIG_IP_NF_MATCH_CONNMARK=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_CONNMARK=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_PHYSDEV=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_SCTP=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
# CONFIG_IPHASE5526 is not set
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.crit;news.err;news.notice;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search kommunicate.co.uk
nameserver 192.168.2.11
nameserver 192.168.2.18
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 16
drwxr-xr-x 5 root root 4096 May 12 23:17 2.6.8-2-686
drwxr-xr-x 3 root root 4096 May 14 23:28 fglrx
drwxr-xr-x 3 root root 4096 May 14 23:35 2.6.10-1-686
drwxr-xr-x 5 root root 4096 May 14 23:36 2.6.11-1-686-smp
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c0248470 T netif_rx
c0248680 T netif_rx_ni
c0248470 U netif_rx [ipv6]
c0248470 U netif_rx [eth1394]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.10-1-686:
2.6.11-1-686-smp:
2.6.8-2-686:
fglrx:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '17678,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ cat
May 17 16:44:43 localhost ipsec_setup: Starting Openswan IPsec 2.3.0...
May 17 16:44:43 localhost ipsec_setup:
insmod /lib/modules/2.6.11-1-686-smp/kernel/net/key/af_key.ko
May 17 16:44:43 localhost ipsec_setup:
insmod /lib/modules/2.6.11-1-686-smp/kernel/net/ipv4/xfrm4_tunnel.ko
May 17 16:44:43 localhost ipsec_setup:
insmod /lib/modules/2.6.11-1-686-smp/kernel/net/xfrm/xfrm_user.ko
+ _________________________ plog
+ sed -n '10745,$p' /var/log/auth.log
+ egrep -i pluto
+ cat
May 17 16:44:43 localhost ipsec__plutorun: Starting Pluto subsystem...
May 17 16:44:43 localhost pluto[14311]: Starting Pluto (Openswan Version
2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
May 17 16:44:43 localhost pluto[14311]: Setting port floating to off
May 17 16:44:43 localhost pluto[14311]: port floating activate 0/1
May 17 16:44:43 localhost pluto[14311]: including NAT-Traversal patch
(Version 0.6c) [disabled]
May 17 16:44:43 localhost pluto[14311]: | inserting event
EVENT_REINIT_SECRET, timeout in 3600 seconds
May 17 16:44:43 localhost pluto[14311]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
May 17 16:44:43 localhost pluto[14311]: starting up 1 cryptographic
helpers
May 17 16:44:43 localhost pluto[14311]: started helper pid=14319 (fd:6)
May 17 16:44:43 localhost pluto[14311]: Using Linux 2.6 IPsec interface
code
May 17 16:44:44 localhost pluto[14319]: ! helper 0 waiting on fd: 7
May 17 16:44:44 localhost pluto[14311]: Changing to directory
'/etc/ipsec.d/cacerts'
May 17 16:44:44 localhost pluto[14311]: Changing to directory
'/etc/ipsec.d/aacerts'
May 17 16:44:44 localhost pluto[14311]: Changing to directory
'/etc/ipsec.d/ocspcerts'
May 17 16:44:44 localhost pluto[14311]: Changing to directory
'/etc/ipsec.d/crls'
May 17 16:44:44 localhost pluto[14311]: Warning: empty directory
May 17 16:44:44 localhost pluto[14311]: | inserting event
EVENT_LOG_DAILY, timeout in 26116 seconds
May 17 16:44:44 localhost pluto[14311]: | next event EVENT_REINIT_SECRET
in 3599 seconds
May 17 16:44:44 localhost pluto[14311]: |
May 17 16:44:44 localhost pluto[14311]: | *received whack message
May 17 16:44:44 localhost pluto[14311]: | Added new connection MyGroup
with policy PSK+ENCRYPT+TUNNEL+PFS
May 17 16:44:44 localhost pluto[14311]: | from whack: got
--esp=des-hmac_md5
May 17 16:44:44 localhost pluto[14311]: | esp string values: 2_000-1,
flags=-strict
May 17 16:44:44 localhost pluto[14311]: | from whack: got --ike=des-sha1
May 17 16:44:44 localhost pluto[14311]: | ike string values: 1_000-2-5,
1_000-2-2, flags=-strict
May 17 16:44:44 localhost pluto[14311]: | counting wild cards for (none)
is 15
May 17 16:44:44 localhost pluto[14311]: | sendcert is 3
May 17 16:44:44 localhost pluto[14311]: | counting wild cards for (none)
is 15
May 17 16:44:44 localhost pluto[14311]: | sendcert is 3
May 17 16:44:44 localhost pluto[14311]: | alg_info_addref()
alg_info->ref_cnt=1
May 17 16:44:44 localhost pluto[14311]: | alg_info_addref()
alg_info->ref_cnt=1
May 17 16:44:44 localhost pluto[14311]: | alg_info_addref()
alg_info->ref_cnt=2
May 17 16:44:44 localhost pluto[14311]: | alg_info_addref()
alg_info->ref_cnt=2
May 17 16:44:44 localhost pluto[14311]: added connection description
"MyGroup"
May 17 16:44:44 localhost pluto[14311]: |
192.168.2.63---192.168.2.1...192.152.172.132===192.168.254.0/24
May 17 16:44:44 localhost pluto[14311]: | ike_life: 3600s; ipsec_life:
28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy:
PSK+ENCRYPT+TUNNEL+PFS
May 17 16:44:44 localhost pluto[14311]: | next event EVENT_REINIT_SECRET
in 3599 seconds
May 17 16:44:44 localhost pluto[14311]: |
May 17 16:44:44 localhost pluto[14311]: | *received whack message
May 17 16:44:44 localhost pluto[14311]: listening for IKE messages
May 17 16:44:44 localhost pluto[14311]: | found lo with address
127.0.0.1
May 17 16:44:44 localhost pluto[14311]: | found eth0 with address
192.168.2.63
May 17 16:44:44 localhost pluto[14311]: adding interface eth0/eth0
192.168.2.63
May 17 16:44:44 localhost pluto[14311]: adding interface lo/lo 127.0.0.1
May 17 16:44:44 localhost pluto[14311]: | found lo with address
0000:0000:0000:0000:0000:0000:0000:0001
May 17 16:44:44 localhost pluto[14311]: adding interface lo/lo ::1
May 17 16:44:44 localhost pluto[14311]: loading secrets from
"/etc/ipsec.secrets"
May 17 16:44:44 localhost pluto[14311]: | next event EVENT_REINIT_SECRET
in 3599 seconds
May 17 16:44:44 localhost pluto[14311]: |
May 17 16:44:44 localhost pluto[14311]: | *received whack message
May 17 16:44:44 localhost pluto[14311]: | route owner of "MyGroup"
unrouted: NULL; eroute owner: NULL
May 17 16:44:44 localhost pluto[14311]: | could_route called for MyGroup
(kind=CK_PERMANENT)
May 17 16:44:44 localhost pluto[14311]: | route owner of "MyGroup"
unrouted: NULL; eroute owner: NULL
May 17 16:44:44 localhost pluto[14311]: | add eroute 192.168.254.0/24:0
--0-> 192.168.2.63/32:0 => %trap (raw_eroute)
May 17 16:44:44 localhost pluto[14311]: | eroute_connection add eroute
192.168.2.63/32:0 --0-> 192.168.254.0/24:0 => %trap (raw_eroute)
May 17 16:44:44 localhost pluto[14311]: | route_and_eroute:
firewall_notified: true
May 17 16:44:44 localhost pluto[14311]: | executing prepare-host: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='prepare-host' PLUTO_CONNECTION='MyGroup'
PLUTO_NEXT_HOP='192.168.2.1' PLUTO_INTERFACE='eth0'
PLUTO_ME='192.168.2.63' PLUTO_MY_ID='192.168.2.63'
PLUTO_MY_CLIENT='192.168.2.63/32' PLUTO_MY_CLIENT_NET='192.168.2.63'
PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0'
PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.152.172.132'
PLUTO_PEER_ID='192.152.172.132' PLUTO_PEER_CLIENT='192.168.254.0/24'
PLUTO_PEER_CLIENT_NET='192.168.254.0'
PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT
+TUNNEL+PFS' ipsec _updown
May 17 16:44:44 localhost pluto[14311]: | executing route-host: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='route-host' PLUTO_CONNECTION='MyGroup'
PLUTO_NEXT_HOP='192.168.2.1' PLUTO_INTERFACE='eth0'
PLUTO_ME='192.168.2.63' PLUTO_MY_ID='192.168.2.63'
PLUTO_MY_CLIENT='192.168.2.63/32' PLUTO_MY_CLIENT_NET='192.168.2.63'
PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0'
PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.152.172.132'
PLUTO_PEER_ID='192.152.172.132' PLUTO_PEER_CLIENT='192.168.254.0/24'
PLUTO_PEER_CLIENT_NET='192.168.254.0'
PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT
+TUNNEL+PFS' ipsec _updown
May 17 16:44:44 localhost pluto[14311]: | next event EVENT_REINIT_SECRET
in 3599 seconds
May 17 16:44:45 localhost pluto[14311]: |
May 17 16:44:45 localhost pluto[14311]: | *received whack message
May 17 16:44:45 localhost pluto[14311]: | next event EVENT_REINIT_SECRET
in 3598 seconds
May 17 16:44:45 localhost pluto[14311]: |
May 17 16:44:45 localhost pluto[14311]: | *received whack message
May 17 16:44:45 localhost pluto[14311]: | next event EVENT_REINIT_SECRET
in 3598 seconds
May 17 16:44:45 localhost pluto[14311]: |
May 17 16:44:45 localhost pluto[14311]: | *received whack message
May 17 16:44:45 localhost pluto[14311]: | next event EVENT_REINIT_SECRET
in 3598 seconds
May 17 17:30:22 localhost pluto[14311]: |
May 17 17:30:22 localhost pluto[14311]: | *received whack message
May 17 17:30:22 localhost pluto[14311]: | creating state object #1 at
0x8101928
May 17 17:30:22 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d
93 43
May 17 17:30:22 localhost pluto[14311]: | RCOOKIE: 00 00 00 00 00 00
00 00
May 17 17:30:22 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:30:22 localhost pluto[14311]: | state hash entry 7
May 17 17:30:22 localhost pluto[14311]: | inserting event
EVENT_SO_DISCARD, timeout in 0 seconds for #1
May 17 17:30:22 localhost pluto[14311]: | Queuing pending Quick Mode
with 192.152.172.132 "MyGroup"
May 17 17:30:22 localhost pluto[14311]: "MyGroup" #1: initiating Main
Mode
May 17 17:30:22 localhost pluto[14311]: | ike_alg_db_new() ike enc
ealg=1 not present
May 17 17:30:22 localhost pluto[14311]: | ike_alg_db_new() ike enc
ealg=1 not present
May 17 17:30:22 localhost pluto[14311]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #1
May 17 17:30:22 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
10 seconds for #1
May 17 17:30:22 localhost pluto[14311]: |
May 17 17:30:22 localhost pluto[14311]: | *received 92 bytes from
192.152.172.132:500 on eth0
May 17 17:30:22 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d
93 43
May 17 17:30:23 localhost pluto[14311]: | RCOOKIE: ae 01 b1 c7 ba 4a
ea 88
May 17 17:30:23 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:30:23 localhost pluto[14311]: | state hash entry 6
May 17 17:30:23 localhost pluto[14311]: | state object not found
May 17 17:30:23 localhost pluto[14311]: packet from 192.152.172.132:500:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 17 17:30:23 localhost pluto[14311]: packet from 192.152.172.132:500:
received and ignored informational message
May 17 17:30:23 localhost pluto[14311]: | complete state transition with
STF_IGNORE
May 17 17:30:23 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
10 seconds for #1
May 17 17:30:27 localhost pluto[14311]: |
May 17 17:30:27 localhost pluto[14311]: | *received whack message
May 17 17:30:27 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
5 seconds for #1
May 17 17:30:27 localhost pluto[14311]: |
May 17 17:30:27 localhost pluto[14311]: | *received whack message
May 17 17:30:27 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
5 seconds for #1
May 17 17:30:27 localhost pluto[14311]: |
May 17 17:30:27 localhost pluto[14311]: | *received whack message
May 17 17:30:27 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
5 seconds for #1
May 17 17:30:32 localhost pluto[14311]: |
May 17 17:30:32 localhost pluto[14311]: | *time to handle event
May 17 17:30:32 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT
May 17 17:30:32 localhost pluto[14311]: | event after this is
EVENT_REINIT_SECRET in 851 seconds
May 17 17:30:32 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT for 192.152.172.132 "MyGroup" #1
May 17 17:30:32 localhost pluto[14311]: | inserting event
EVENT_RETRANSMIT, timeout in 20 seconds for #1
May 17 17:30:32 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
20 seconds for #1
May 17 17:30:32 localhost pluto[14311]: |
May 17 17:30:32 localhost pluto[14311]: | *received 92 bytes from
192.152.172.132:500 on eth0
May 17 17:30:32 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d
93 43
May 17 17:30:32 localhost pluto[14311]: | RCOOKIE: 6a 95 b9 e0 0e da
96 bf
May 17 17:30:32 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:30:32 localhost pluto[14311]: | state hash entry 22
May 17 17:30:32 localhost pluto[14311]: | state object not found
May 17 17:30:32 localhost pluto[14311]: packet from 192.152.172.132:500:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 17 17:30:33 localhost pluto[14311]: packet from 192.152.172.132:500:
received and ignored informational message
May 17 17:30:33 localhost pluto[14311]: | complete state transition with
STF_IGNORE
May 17 17:30:33 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
20 seconds for #1
May 17 17:30:52 localhost pluto[14311]: |
May 17 17:30:52 localhost pluto[14311]: | *time to handle event
May 17 17:30:52 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT
May 17 17:30:52 localhost pluto[14311]: | event after this is
EVENT_REINIT_SECRET in 831 seconds
May 17 17:30:52 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT for 192.152.172.132 "MyGroup" #1
May 17 17:30:52 localhost pluto[14311]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #1
May 17 17:30:52 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:30:52 localhost pluto[14311]: |
May 17 17:30:52 localhost pluto[14311]: | *received 92 bytes from
192.152.172.132:500 on eth0
May 17 17:30:52 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d
93 43
May 17 17:30:52 localhost pluto[14311]: | RCOOKIE: 79 31 c0 81 7c ee
30 7c
May 17 17:30:53 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:30:53 localhost pluto[14311]: | state hash entry 6
May 17 17:30:53 localhost pluto[14311]: | state object not found
May 17 17:30:53 localhost pluto[14311]: packet from 192.152.172.132:500:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 17 17:30:53 localhost pluto[14311]: packet from 192.152.172.132:500:
received and ignored informational message
May 17 17:30:53 localhost pluto[14311]: | complete state transition with
STF_IGNORE
May 17 17:30:53 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:31:32 localhost pluto[14311]: |
May 17 17:31:32 localhost pluto[14311]: | *time to handle event
May 17 17:31:32 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT
May 17 17:31:32 localhost pluto[14311]: | event after this is
EVENT_REINIT_SECRET in 791 seconds
May 17 17:31:32 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT for 192.152.172.132 "MyGroup" #1
May 17 17:31:32 localhost pluto[14311]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #1
May 17 17:31:32 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:31:32 localhost pluto[14311]: |
May 17 17:31:33 localhost pluto[14311]: | *received 92 bytes from
192.152.172.132:500 on eth0
May 17 17:31:33 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d
93 43
May 17 17:31:33 localhost pluto[14311]: | RCOOKIE: 92 10 7b e1 8a 0c
ca f5
May 17 17:31:33 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:31:33 localhost pluto[14311]: | state hash entry 0
May 17 17:31:33 localhost pluto[14311]: | state object not found
May 17 17:31:33 localhost pluto[14311]: packet from 192.152.172.132:500:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 17 17:31:33 localhost pluto[14311]: packet from 192.152.172.132:500:
received and ignored informational message
May 17 17:31:33 localhost pluto[14311]: | complete state transition with
STF_IGNORE
May 17 17:31:33 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:32:12 localhost pluto[14311]: |
May 17 17:32:12 localhost pluto[14311]: | *time to handle event
May 17 17:32:12 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT
May 17 17:32:12 localhost pluto[14311]: | event after this is
EVENT_REINIT_SECRET in 751 seconds
May 17 17:32:13 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT for 192.152.172.132 "MyGroup" #1
May 17 17:32:13 localhost pluto[14311]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #1
May 17 17:32:13 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:32:13 localhost pluto[14311]: |
May 17 17:32:13 localhost pluto[14311]: | *received 92 bytes from
192.152.172.132:500 on eth0
May 17 17:32:13 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d
93 43
May 17 17:32:13 localhost pluto[14311]: | RCOOKIE: c8 08 a7 00 20 00
db 3a
May 17 17:32:13 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:32:13 localhost pluto[14311]: | state hash entry 15
May 17 17:32:13 localhost pluto[14311]: | state object not found
May 17 17:32:13 localhost pluto[14311]: packet from 192.152.172.132:500:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 17 17:32:13 localhost pluto[14311]: packet from 192.152.172.132:500:
received and ignored informational message
May 17 17:32:13 localhost pluto[14311]: | complete state transition with
STF_IGNORE
May 17 17:32:13 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
39 seconds for #1
May 17 17:32:52 localhost pluto[14311]: |
May 17 17:32:52 localhost pluto[14311]: | *time to handle event
May 17 17:32:52 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT
May 17 17:32:52 localhost pluto[14311]: | event after this is
EVENT_REINIT_SECRET in 711 seconds
May 17 17:32:52 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT for 192.152.172.132 "MyGroup" #1
May 17 17:32:52 localhost pluto[14311]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #1
May 17 17:32:52 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:32:52 localhost pluto[14311]: |
May 17 17:32:52 localhost pluto[14311]: | *received 92 bytes from
192.152.172.132:500 on eth0
May 17 17:32:52 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d
93 43
May 17 17:32:52 localhost pluto[14311]: | RCOOKIE: 9a e5 e8 db 24 ad
8b 73
May 17 17:32:52 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:32:52 localhost pluto[14311]: | state hash entry 30
May 17 17:32:52 localhost pluto[14311]: | state object not found
May 17 17:32:52 localhost pluto[14311]: packet from 192.152.172.132:500:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 17 17:32:52 localhost pluto[14311]: packet from 192.152.172.132:500:
received and ignored informational message
May 17 17:32:52 localhost pluto[14311]: | complete state transition with
STF_IGNORE
May 17 17:32:52 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:33:32 localhost pluto[14311]: |
May 17 17:33:32 localhost pluto[14311]: | *time to handle event
May 17 17:33:32 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT
May 17 17:33:32 localhost pluto[14311]: | event after this is
EVENT_REINIT_SECRET in 671 seconds
May 17 17:33:32 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT for 192.152.172.132 "MyGroup" #1
May 17 17:33:32 localhost pluto[14311]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #1
May 17 17:33:32 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:33:32 localhost pluto[14311]: |
May 17 17:33:32 localhost pluto[14311]: | *received 92 bytes from
192.152.172.132:500 on eth0
May 17 17:33:32 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d
93 43
May 17 17:33:32 localhost pluto[14311]: | RCOOKIE: 2e ce 48 90 7b d2
78 08
May 17 17:33:32 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:33:32 localhost pluto[14311]: | state hash entry 14
May 17 17:33:32 localhost pluto[14311]: | state object not found
May 17 17:33:32 localhost pluto[14311]: packet from 192.152.172.132:500:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 17 17:33:32 localhost pluto[14311]: packet from 192.152.172.132:500:
received and ignored informational message
May 17 17:33:32 localhost pluto[14311]: | complete state transition with
STF_IGNORE
May 17 17:33:32 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:34:12 localhost pluto[14311]: |
May 17 17:34:12 localhost pluto[14311]: | *time to handle event
May 17 17:34:12 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT
May 17 17:34:12 localhost pluto[14311]: | event after this is
EVENT_REINIT_SECRET in 631 seconds
May 17 17:34:12 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT for 192.152.172.132 "MyGroup" #1
May 17 17:34:12 localhost pluto[14311]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #1
May 17 17:34:12 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:34:12 localhost pluto[14311]: |
May 17 17:34:12 localhost pluto[14311]: | *received 92 bytes from
192.152.172.132:500 on eth0
May 17 17:34:12 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d
93 43
May 17 17:34:12 localhost pluto[14311]: | RCOOKIE: ef f7 21 d9 a2 45
80 67
May 17 17:34:12 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:34:12 localhost pluto[14311]: | state hash entry 17
May 17 17:34:12 localhost pluto[14311]: | state object not found
May 17 17:34:12 localhost pluto[14311]: packet from 192.152.172.132:500:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 17 17:34:12 localhost pluto[14311]: packet from 192.152.172.132:500:
received and ignored informational message
May 17 17:34:12 localhost pluto[14311]: | complete state transition with
STF_IGNORE
May 17 17:34:12 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:34:52 localhost pluto[14311]: |
May 17 17:34:52 localhost pluto[14311]: | *time to handle event
May 17 17:34:52 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT
May 17 17:34:52 localhost pluto[14311]: | event after this is
EVENT_REINIT_SECRET in 591 seconds
May 17 17:34:52 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT for 192.152.172.132 "MyGroup" #1
May 17 17:34:52 localhost pluto[14311]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #1
May 17 17:34:52 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:34:52 localhost pluto[14311]: |
May 17 17:34:52 localhost pluto[14311]: | *received 92 bytes from
192.152.172.132:500 on eth0
May 17 17:34:52 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d
93 43
May 17 17:34:52 localhost pluto[14311]: | RCOOKIE: 5e 67 d9 98 cd 60
08 dc
May 17 17:34:52 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:34:52 localhost pluto[14311]: | state hash entry 6
May 17 17:34:52 localhost pluto[14311]: | state object not found
May 17 17:34:52 localhost pluto[14311]: packet from 192.152.172.132:500:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 17 17:34:52 localhost pluto[14311]: packet from 192.152.172.132:500:
received and ignored informational message
May 17 17:34:52 localhost pluto[14311]: | complete state transition with
STF_IGNORE
May 17 17:34:52 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:35:32 localhost pluto[14311]: |
May 17 17:35:32 localhost pluto[14311]: | *time to handle event
May 17 17:35:32 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT
May 17 17:35:32 localhost pluto[14311]: | event after this is
EVENT_REINIT_SECRET in 551 seconds
May 17 17:35:32 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT for 192.152.172.132 "MyGroup" #1
May 17 17:35:32 localhost pluto[14311]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #1
May 17 17:35:32 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:35:32 localhost pluto[14311]: |
May 17 17:35:32 localhost pluto[14311]: | *received 92 bytes from
192.152.172.132:500 on eth0
May 17 17:35:32 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d
93 43
May 17 17:35:32 localhost pluto[14311]: | RCOOKIE: d3 53 33 9d 59 e1
a8 5b
May 17 17:35:32 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:35:32 localhost pluto[14311]: | state hash entry 4
May 17 17:35:32 localhost pluto[14311]: | state object not found
May 17 17:35:32 localhost pluto[14311]: packet from 192.152.172.132:500:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 17 17:35:32 localhost pluto[14311]: packet from 192.152.172.132:500:
received and ignored informational message
May 17 17:35:32 localhost pluto[14311]: | complete state transition with
STF_IGNORE
May 17 17:35:32 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:36:12 localhost pluto[14311]: |
May 17 17:36:12 localhost pluto[14311]: | *time to handle event
May 17 17:36:12 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT
May 17 17:36:12 localhost pluto[14311]: | event after this is
EVENT_REINIT_SECRET in 511 seconds
May 17 17:36:12 localhost pluto[14311]: | handling event
EVENT_RETRANSMIT for 192.152.172.132 "MyGroup" #1
May 17 17:36:12 localhost pluto[14311]: | inserting event
EVENT_RETRANSMIT, timeout in 40 seconds for #1
May 17 17:36:12 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:36:12 localhost pluto[14311]: |
May 17 17:36:12 localhost pluto[14311]: | *received 92 bytes from
192.152.172.132:500 on eth0
May 17 17:36:12 localhost pluto[14311]: | ICOOKIE: c2 66 97 56 db 1d
93 43
May 17 17:36:12 localhost pluto[14311]: | RCOOKIE: 87 2b 53 c0 eb 07
af ce
May 17 17:36:12 localhost pluto[14311]: | peer: c2 9a b0 86
May 17 17:36:12 localhost pluto[14311]: | state hash entry 19
May 17 17:36:12 localhost pluto[14311]: | state object not found
May 17 17:36:12 localhost pluto[14311]: packet from 192.152.172.132:500:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 17 17:36:12 localhost pluto[14311]: packet from 192.152.172.132:500:
received and ignored informational message
May 17 17:36:12 localhost pluto[14311]: | complete state transition with
STF_IGNORE
May 17 17:36:12 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
40 seconds for #1
May 17 17:36:19 localhost pluto[14311]: |
May 17 17:36:19 localhost pluto[14311]: | *received whack message
May 17 17:36:19 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
33 seconds for #1
May 17 17:36:19 localhost pluto[14311]: |
May 17 17:36:19 localhost pluto[14311]: | *received whack message
May 17 17:36:19 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
33 seconds for #1
May 17 17:36:19 localhost pluto[14311]: |
May 17 17:36:19 localhost pluto[14311]: | *received whack message
May 17 17:36:19 localhost pluto[14311]: | next event EVENT_RETRANSMIT in
33 seconds for #1
+ _________________________ date
+ date
Tue May 17 17:36:19 BST 2005