[Openswan Users] Shaky VPN connections
Xunhua Wang
wangxx at jmu.edu
Wed Apr 12 12:19:29 CEST 2006
Hi all,
I have a VPN server running Linux Openswan U2.3.0/K2.6.9-
5.ELsmp (netkey). This server has a direct Internet
connection and is _not_ behind a NAT.
From a MS Windows 2000/XP client, we can connect to the VPN
server using the IPsec/L2TP combination. It works whether or not
the client box is behind a NAT.
Our problem is that the VPN connections are pretty shaky and
are dropped from time to time. When there is a
large amount of traffic from the VPN client to an internal
host (behind the VPN server), the VPN connection is dropped
faster.
I checked /var/log/messages and got the following:
---------- /var/log/messages BEGINS ---------
Apr 11 19:47:27 localhost pppd[4144]: LCP terminated by peer
(g5 ^]^@<M-Mt^@^@^@^@)
Apr 11 19:47:27 localhost kernel: device ppp0 left
promiscuous mode
Apr 11 19:47:30 localhost pppd[4144]: Connection terminated.
Apr 11 19:47:30 localhost pppd[4144]: Connect time 24.1
minutes.
Apr 11 19:47:30 localhost pppd[4144]: Sent 2729378 bytes,
received 3226369 bytes.
Apr 11 19:47:31 localhost pppd[4144]: Connect time 24.1
minutes.
---------- /var/log/messages ENDS ---------
Also, in /var/log/secure, we found the following items:
---------- /var/log/secure BEGINS ---------
Apr 11 19:47:27 localhost pluto[2900]: "roadwarrior-l2tp"[3]
134.126.34.71 #4: received Delete SA(0x32cd04f2) payload:
deleting IPSEC State #5
Apr 11 19:47:27 localhost pluto[2900]: "roadwarrior-l2tp"[3]
134.126.34.71 #4: received and ignored informational message
Apr 11 19:47:27 localhost pluto[2900]: "roadwarrior-l2tp"[3]
134.126.34.71 #4: received Delete SA payload: deleting
ISAKMP State #4
Apr 11 19:47:27 localhost pluto[2900]: "roadwarrior-l2tp"[3]
134.126.34.71: deleting connection "roadwarrior-l2tp"
instance with peer 134.126.34.71 {isakmp=#0/ipsec=#0}
Apr 11 19:47:27 localhost pluto[2900]: packet from
134.126.34.71:500: received and ignored informational message
---------- /var/log/secure ENDS ---------
Attached is what "ipsec barf" produces on the server.
Does anyone have the same experience? Any clue how to improve
it?
Thanks,
Steve
-------------- next part --------------
crypto
Fri Apr 7 09:14:07 EDT 2006
+ _________________________ version
+ ipsec --version
Linux Openswan U2.3.0/K2.6.9-5.ELsmp (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.9-5.ELsmp (bhcompile at decompose.build.redhat.com) (gcc version 3.4.3 20041212 (Red Hat 3.4.3-9.EL4)) #1 SMP Wed Jan 5 19:30:39 EST 2005
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -100
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
69.251.186.224 134.126.20.1 255.255.255.255 UGH 0 0 0 eth0
192.168.100.128 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
134.126.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 134.126.20.1 0.0.0.0 UG 0 0 0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
69.251.186.224[33700] 134.126.20.79[4500]
esp-udp mode=transport spi=1206237635(0x47e5b9c3) reqid=16401(0x00004011)
E: 3des-cbc 071cb754 292a29ed 616b52f0 81496725 bb117ef1 571b1a82
A: hmac-md5 4b5b380f 310cb36f 89649e4c 537c01ee
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Apr 7 09:04:03 2006 current: Apr 7 09:14:07 2006
diff: 604(s) hard: 0(s) soft: 0(s)
last: Apr 7 09:04:03 2006 hard: 0(s) soft: 0(s)
current: 156990(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1090 hard: 0 soft: 0
sadb_seq=1 pid=4011 refcnt=0
134.126.20.79[4500] 69.251.186.224[33700]
esp-udp mode=transport spi=767876595(0x2dc4ddf3) reqid=16401(0x00004011)
E: 3des-cbc 43ea60e1 fe4d1348 8d72ce3d 8188e7ff 939e1d9a 06681ead
A: hmac-md5 44c64760 10bd6d29 5d09a3eb cb7eba0a
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Apr 7 09:04:03 2006 current: Apr 7 09:14:07 2006
diff: 604(s) hard: 0(s) soft: 0(s)
last: Apr 7 09:04:03 2006 hard: 0(s) soft: 0(s)
current: 1017512(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1230 hard: 0 soft: 0
sadb_seq=0 pid=4011 refcnt=0
+ _________________________ setkey-D-P
+ setkey -D -P
69.251.186.224[1701] 134.126.20.79[any] udp
in ipsec
esp/transport//unique#16401
created: Apr 7 09:04:03 2006 lastused: Apr 7 09:14:04 2006
lifetime: 0(s) validtime: 0(s)
spid=80 seq=11 pid=4012
refcnt=2
134.126.20.79[any] 69.251.186.224[1701] udp
out ipsec
esp/transport//unique#16401
created: Apr 7 09:04:03 2006 lastused: Apr 7 09:14:03 2006
lifetime: 0(s) validtime: 0(s)
spid=89 seq=10 pid=4012
refcnt=2
::/0[any] ::/0[any] any
in none
created: Apr 7 09:01:22 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=67 seq=9 pid=4012
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Apr 7 09:01:22 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=51 seq=8 pid=4012
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Apr 7 09:01:22 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=35 seq=7 pid=4012
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Apr 7 09:01:22 2006 lastused: Apr 7 09:14:04 2006
lifetime: 0(s) validtime: 0(s)
spid=19 seq=6 pid=4012
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Apr 7 09:01:22 2006 lastused: Apr 7 09:04:02 2006
lifetime: 0(s) validtime: 0(s)
spid=3 seq=5 pid=4012
refcnt=1
::/0[any] ::/0[any] any
out none
created: Apr 7 09:01:22 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=76 seq=4 pid=4012
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Apr 7 09:01:22 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=60 seq=3 pid=4012
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Apr 7 09:01:22 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=44 seq=2 pid=4012
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Apr 7 09:01:22 2006 lastused: Apr 7 09:04:03 2006
lifetime: 0(s) validtime: 0(s)
spid=28 seq=1 pid=4012
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Apr 7 09:01:22 2006 lastused: Apr 7 09:04:02 2006
lifetime: 0(s) validtime: 0(s)
spid=12 seq=0 pid=4012
refcnt=1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 134.126.20.79
000 interface eth0/eth0 134.126.20.79
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "roadwarrior": 134.126.20.79[C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=192.168.2.1]---134.126.20.1...%virtual===?; unrouted; eroute owner: #0
000 "roadwarrior": srcip=unset; dstip=unset
000 "roadwarrior": CAs: 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA'...'%any'
000 "roadwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth0;
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-l2tp": 134.126.20.79[C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=192.168.2.1]:17/0---134.126.20.1...%virtual:17/1701===?; unrouted; eroute owner: #0
000 "roadwarrior-l2tp": srcip=unset; dstip=unset
000 "roadwarrior-l2tp": CAs: 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA'...'%any'
000 "roadwarrior-l2tp": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-l2tp": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth0;
000 "roadwarrior-l2tp": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-l2tp"[2]: 134.126.20.79:4500[C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=192.168.2.1]:17/0---134.126.20.1...69.251.186.224:33700[C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=192.168.2.200]:17/1701; erouted; eroute owner: #2
000 "roadwarrior-l2tp"[2]: srcip=unset; dstip=unset
000 "roadwarrior-l2tp"[2]: CAs: 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA'...'%any'
000 "roadwarrior-l2tp"[2]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-l2tp"[2]: policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth0;
000 "roadwarrior-l2tp"[2]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "roadwarrior-l2tp"[2]: IKE algorithm newest: 3DES_CBC_192-SHA1-MODP2048
000 "roadwarrior-l2tp-updatedwin": 134.126.20.79[C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=192.168.2.1]:17/1701---134.126.20.1...%virtual:17/1701===?; unrouted; eroute owner: #0
000 "roadwarrior-l2tp-updatedwin": srcip=unset; dstip=unset
000 "roadwarrior-l2tp-updatedwin": CAs: 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA'...'%any'
000 "roadwarrior-l2tp-updatedwin": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-l2tp-updatedwin": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32; interface: eth0;
000 "roadwarrior-l2tp-updatedwin": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "roadwarrior-l2tp"[2] 69.251.186.224:33700 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2726s; newest IPSEC; eroute owner
000 #2: "roadwarrior-l2tp"[2] 69.251.186.224:33700 esp.2dc4ddf3 at 69.251.186.224 esp.47e5b9c3 at 134.126.20.79
000 #1: "roadwarrior-l2tp"[2] 69.251.186.224:33700 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2726s; newest ISAKMP; nodpd
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:12:3F:83:19:70
inet addr:134.126.20.79 Bcast:134.126.20.255 Mask:255.255.255.0
inet6 addr: fe80::212:3fff:fe83:1970/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15394 errors:0 dropped:0 overruns:0 frame:0
TX packets:2465 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3026612 (2.8 MiB) TX bytes:1233726 (1.1 MiB)
Interrupt:169
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1890 errors:0 dropped:0 overruns:0 frame:0
TX packets:1890 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2396720 (2.2 MiB) TX bytes:2396720 (2.2 MiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.100.99 P-t-P:192.168.100.128 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1410 Metric:1
RX packets:1056 errors:0 dropped:0 overruns:0 frame:0
TX packets:1196 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:137882 (134.6 KiB) TX bytes:921386 (899.7 KiB)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
wlan0 Link encap:Ethernet HWaddr 00:90:4B:FF:B8:2D
inet addr:192.168.100.103 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::290:4bff:feff:b82d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:396 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:98612 (96.3 KiB) TX bytes:1100 (1.0 KiB)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:12:3f:83:19:70 brd ff:ff:ff:ff:ff:ff
inet 134.126.20.79/24 brd 134.126.20.255 scope global eth0
inet6 fe80::212:3fff:fe83:1970/64 scope link
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
4: wlan0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:90:4b:ff:b8:2d brd ff:ff:ff:ff:ff:ff
inet 192.168.100.103/24 brd 192.168.100.255 scope global wlan0
inet6 fe80::290:4bff:feff:b82d/64 scope link
valid_lft forever preferred_lft forever
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1410 qdisc pfifo_fast qlen 3
link/ppp
inet 192.168.100.99 peer 192.168.100.128/32 scope global ppp0
+ _________________________ ip-route-list
+ ip route list
69.251.186.224 via 134.126.20.1 dev eth0
192.168.100.128 dev ppp0 proto kernel scope link src 192.168.100.99
192.168.100.0/24 dev wlan0 proto kernel scope link src 192.168.100.103
134.126.20.0/24 dev eth0 proto kernel scope link src 134.126.20.79
169.254.0.0/16 dev eth0 scope link
default via 134.126.20.1 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.3.0/K2.6.9-5.ELsmp (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: crypto [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 79.20.126.134.in-addr.arpa. [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:08:18, model 24 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
localhost.localdomain
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
09:14:08 up 13 min, 0 users, load average: 0.00, 0.02, 0.02
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 3991 3895 19 0 5724 1056 wait S+ pts/1 0:00 \_ /bin/sh /usr/libexec/ipsec/barf
0 0 4076 3991 19 0 2280 460 pipe_w S+ pts/1 0:00 \_ egrep -i ppid|pluto|ipsec|klips
1 0 2901 1 19 0 2628 1088 wait S ? 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
5 0 2902 2901 19 0 2628 1096 wait S ? 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 2903 2902 15 0 3276 1288 - S ? 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
1 0 3002 2903 25 10 3220 836 - SN ? 0:00 | \_ pluto helper # 0
0 0 3044 2903 16 0 1716 200 - S ? 0:00 | \_ _pluto_adns
0 0 2904 2901 17 0 2908 1068 pipe_w S ? 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0 0 2905 1 19 0 2804 348 pipe_w S ? 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=134.126.20.79
routenexthop=134.126.20.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
version 2.0
## plutodebug="control controlmore"
config setup
interfaces=%defaultroute
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
conn roadwarrior-l2tp
leftprotoport=17/0
rightprotoport=17/1701
also=roadwarrior
conn roadwarrior-l2tp-updatedwin
leftprotoport=17/1701
rightprotoport=17/1701
also=roadwarrior
##left=192.168.1.100 % defaultroute
##leftsubnet=134.126.14.22/32
conn roadwarrior
left=%defaultroute
leftcert=ipsec-server.crt
right=%any
rightsubnet=vhost:%no,%priv
pfs=no
auto=add
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 38
+ _________________________ ipsec/secrets
+ ipsec _secretcensor
+ ipsec _include /etc/ipsec.secrets
#< /etc/ipsec.secrets 1
: RSA /etc/ipsec.d/private/ipsec-server-encrypted.key "[sums to 77a3...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Apr 07 09:04:03 2006, 1024 RSA Key AwEAAbYYg, until Jul 12 15:03:24 2006 ok
000 ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=192.168.2.200'
000 Issuer 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA'
000 Apr 07 09:01:22 2006, 1024 RSA Key AwEAAbbRJ, until Jul 12 15:49:51 2006 ok
000 ID_DER_ASN1_DN 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=192.168.2.1'
000 Issuer 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA'
000
000 List of X.509 End Certificates:
000
000 Apr 07 09:01:22 2006, count: 4
000 subject: 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=192.168.2.1'
000 issuer: 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA'
000 serial: 02
000 pubkey: 1024 RSA Key AwEAAbbRJ, has private key
000 validity: not before Jul 12 15:49:51 2005 ok
000 not after Jul 12 15:49:51 2006 ok
000 subjkey: 84:9b:0f:1b:be:22:93:48:38:ab:68:63:15:05:86:33:d3:f3:c2:4d
000 authkey: 86:b4:60:78:9c:1f:ca:68:92:5e:93:85:6a:20:37:f3:1e:4a:03:9f
000 aserial: 00
000
000 List of X.509 CA Certificates:
000
000 Apr 07 09:01:22 2006, count: 1
000 subject: 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA'
000 issuer: 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA'
000 serial: 00
000 pubkey: 1024 RSA Key AwEAAcQaQ
000 validity: not before Jul 12 15:03:24 2005 ok
000 not after Jul 12 15:03:24 2006 ok
000 subjkey: 86:b4:60:78:9c:1f:ca:68:92:5e:93:85:6a:20:37:f3:1e:4a:03:9f
000 authkey: 86:b4:60:78:9c:1f:ca:68:92:5e:93:85:6a:20:37:f3:1e:4a:03:9f
000 aserial: 00
000
000 List of X.509 CRLs:
000
000 Apr 07 09:01:22 2006, revoked certs: 0
000 issuer: 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA'
000 updates: this Dec 09 15:33:06 2005
000 next Jan 08 15:33:06 2006 warning (expired)
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter ppp0/rp_filter wlan0/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
lo/rp_filter:0
ppp0/rp_filter:1
wlan0/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux crypto 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 3)
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.9-5.ELsmp) support detected '
NETKEY (2.6.9-5.ELsmp) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3605 2146K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2240 1059K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2694 packets, 2765K bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
1290 1768K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT esp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
1050 138K ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp2 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp3 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp4 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp5 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp6 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp7 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp8 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp9 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp10 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp11 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp12 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp13 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp14 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp15 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp16 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp17 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp18 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp19 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp20 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp21 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
11 984 ACCEPT all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
2 708 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4500
1781 320K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
1366 942K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:135
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1188
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1188
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1025
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1025
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1042
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1042
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1033
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1033
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1164
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1164
344 36154 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1697 packets, 333K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 7 packets, 1152 bytes)
pkts bytes target prot opt in out source destination
102 5885 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 12 packets, 1514 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
iptable_mangle 6721 0 - Live 0xf88c1000
ppp_async 15809 1 - Live 0xf8dc3000
crc_ccitt 6081 1 ppp_async, Live 0xf8a33000
ppp_generic 32085 5 ppp_async, Live 0xf8de9000
slhc 11073 1 ppp_generic, Live 0xf8dbf000
n_hdlc 13253 1 - Live 0xf8a97000
i915 81669 2 - Live 0xf8dc9000
deflate 7489 0 - Live 0xf8ccb000
zlib_deflate 24665 1 deflate, Live 0xf8d53000
twofish 40897 0 - Live 0xf8d48000
serpent 17217 0 - Live 0xf8d33000
blowfish 14145 0 - Live 0xf8d2e000
sha256 13249 0 - Live 0xf8d29000
crypto_null 6209 0 - Live 0xf8cce000
ndiswrapper 147452 0 - Live 0xf8ea4000
aes_i586 42421 0 - Live 0xf8d1d000
des 15681 2 - Live 0xf8d11000
xfrm4_tunnel 7877 0 - Live 0xf8d0e000
ipcomp 12489 0 - Live 0xf8d09000
esp4 11713 2 - Live 0xf8cc3000
ah4 10177 0 - Live 0xf8cc7000
af_key 34257 0 - Live 0xf8cff000
parport_pc 27905 1 - Live 0xf8cab000
lp 15405 0 - Live 0xf8aa4000
parport 37641 2 parport_pc,lp, Live 0xf8cf4000
autofs4 22085 0 - Live 0xf8cbc000
i2c_dev 14273 0 - Live 0xf8abd000
i2c_core 25921 1 i2c_dev, Live 0xf8cb4000
sunrpc 137637 1 - Live 0xf8cd1000
ipt_MASQUERADE 7873 1 - Live 0xf8ad5000
iptable_nat 27237 2 ipt_MASQUERADE, Live 0xf8c82000
ipt_REJECT 10561 1 - Live 0xf8c75000
ipt_state 5825 3 - Live 0xf8ab1000
ip_conntrack 45957 3 ipt_MASQUERADE,iptable_nat,ipt_state, Live 0xf8c68000
iptable_filter 6721 1 - Live 0xf8aae000
ip_tables 21441 6 iptable_mangle,ipt_MASQUERADE,iptable_nat,ipt_REJECT,ipt_state,iptable_filter, Live 0xf8ab6000
button 10449 0 - Live 0xf8a9c000
battery 12869 0 - Live 0xf8aa9000
ac 8773 0 - Live 0xf8aa0000
md5 8001 3 - Live 0xf8a1f000
ipv6 238817 14 - Live 0xf8ad8000
joydev 14209 0 - Live 0xf8a8c000
uhci_hcd 32729 0 - Live 0xf8a79000
ehci_hcd 31813 0 - Live 0xf8a83000
hw_random 9557 0 - Live 0xf8a17000
snd_intel8x0 34793 0 - Live 0xf8a6f000
snd_ac97_codec 65297 1 snd_intel8x0, Live 0xf8a22000
snd_pcm_oss 52345 0 - Live 0xf89cc000
snd_mixer_oss 21825 1 snd_pcm_oss, Live 0xf8a06000
snd_pcm 92101 2 snd_intel8x0,snd_pcm_oss, Live 0xf8a57000
snd_timer 27973 1 snd_pcm, Live 0xf89fe000
snd_page_alloc 13641 2 snd_intel8x0,snd_pcm, Live 0xf89c3000
snd_mpu401_uart 11329 1 snd_intel8x0, Live 0xf89c8000
snd_rawmidi 27749 1 snd_mpu401_uart, Live 0xf88c7000
snd_seq_device 11849 1 snd_rawmidi, Live 0xf88fc000
snd 56485 9 snd_intel8x0,snd_ac97_codec,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer,snd_mpu401_uart,snd_rawmidi,snd_seq_device, Live 0xf89ef000
soundcore 12961 1 snd, Live 0xf88f7000
tg3 79173 0 - Live 0xf89da000
floppy 58065 0 - Live 0xf89b3000
dm_snapshot 20837 0 - Live 0xf88cf000
dm_zero 6337 0 - Live 0xf88c4000
dm_mirror 24989 2 - Live 0xf881f000
ext3 118473 2 - Live 0xf8981000
jbd 59481 1 ext3, Live 0xf886e000
dm_mod 57157 6 dm_snapshot,dm_zero,dm_mirror, Live 0xf8833000
ata_piix 12357 2 - Live 0xf882e000
libata 44229 1 ata_piix, Live 0xf8862000
sd_mod 20545 3 - Live 0xf8827000
scsi_mod 116557 2 libata,sd_mod, Live 0xf8844000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 1025112 kB
MemFree: 772280 kB
Buffers: 13932 kB
Cached: 127508 kB
SwapCached: 0 kB
Active: 67236 kB
Inactive: 98368 kB
HighTotal: 121368 kB
HighFree: 252 kB
LowTotal: 903744 kB
LowFree: 772028 kB
SwapTotal: 2031608 kB
SwapFree: 2031608 kB
Dirty: 152 kB
Writeback: 0 kB
Mapped: 37792 kB
Slab: 18476 kB
Committed_AS: 96872 kB
PageTables: 1928 kB
VmallocTotal: 106488 kB
VmallocUsed: 6816 kB
VmallocChunk: 99188 kB
HugePages_Total: 0
HugePages_Free: 0
Hugepagesize: 2048 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.9-5.ELsmp/build/.config
++ uname -r
+ cat /lib/modules/2.6.9-5.ELsmp/build/.config
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_TUNNEL=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_COMMENT=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
# CONFIG_IP6_NF_QUEUE is not set
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_PHYSDEV=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_SCTP=m
# CONFIG_IPX is not set
CONFIG_IPW2100=m
# CONFIG_IPW_DEBUG is not set
CONFIG_IPW2100_PROMISC=y
# CONFIG_IPW2100_LEGACY_FW_LOAD is not set
CONFIG_IPW2200=m
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
nameserver 134.126.64.11
nameserver 134.126.13.11
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 40
drwxr-xr-x 2 root root 4096 Jan 5 2005 kabi-4.0-0
drwxr-xr-x 2 root root 4096 Jan 5 2005 kabi-4.0-0smp
drwxr-xr-x 3 root root 4096 Jul 7 2005 2.6.9-5.EL
drwxr-xr-x 2 root root 4096 Jul 7 2005 2.6.9-5.ELhugemem
drwxr-xr-x 4 root root 4096 Jul 7 2005 2.6.9-5.ELsmp
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c027319e T netif_rx
c027319e U netif_rx [ppp_generic]
c027319e U netif_rx [ndiswrapper]
c027319e U netif_rx [ipv6]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.9-5.EL:
2.6.9-5.ELhugemem:
2.6.9-5.ELsmp:
kabi-4.0-0:
kabi-4.0-0smp:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '3131,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Apr 7 09:01:19 localhost ipsec_setup: Starting Openswan IPsec 2.3.0...
Apr 7 09:01:19 localhost ipsec_setup: insmod /lib/modules/2.6.9-5.ELsmp/kernel/net/key/af_key.ko
Apr 7 09:01:19 localhost ipsec_setup: insmod /lib/modules/2.6.9-5.ELsmp/kernel/net/ipv4/ah4.ko
Apr 7 09:01:19 localhost ipsec_setup: insmod /lib/modules/2.6.9-5.ELsmp/kernel/net/ipv4/esp4.ko
Apr 7 09:01:19 localhost ipsec_setup: insmod /lib/modules/2.6.9-5.ELsmp/kernel/net/ipv4/ipcomp.ko
Apr 7 09:01:19 localhost ipsec_setup: insmod /lib/modules/2.6.9-5.ELsmp/kernel/net/ipv4/xfrm4_tunnel.ko
Apr 7 09:01:19 localhost ipsec_setup: insmod /lib/modules/2.6.9-5.ELsmp/kernel/crypto/des.ko
Apr 7 09:01:19 localhost ipsec_setup: insmod /lib/modules/2.6.9-5.ELsmp/kernel/arch/i386/crypto/aes-i586.ko
+ _________________________ plog
+ sed -n '32407,$p' /var/log/secure
+ egrep -i pluto
+ case "$1" in
+ cat
Apr 7 09:01:19 localhost ipsec__plutorun: Starting Pluto subsystem...
Apr 7 09:01:20 localhost pluto[2903]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Apr 7 09:01:21 localhost pluto[2903]: Setting port floating to on
Apr 7 09:01:21 localhost pluto[2903]: port floating activate 1/1
Apr 7 09:01:21 localhost pluto[2903]: including NAT-Traversal patch (Version 0.6c)
Apr 7 09:01:21 localhost pluto[2903]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 7 09:01:21 localhost pluto[2903]: starting up 1 cryptographic helpers
Apr 7 09:01:21 localhost pluto[2903]: started helper pid=3002 (fd:6)
Apr 7 09:01:21 localhost pluto[2903]: Using Linux 2.6 IPsec interface code
Apr 7 09:01:21 localhost pluto[2903]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 7 09:01:22 localhost pluto[2903]: loaded CA cert file 'cacert.pem' (1111 bytes)
Apr 7 09:01:22 localhost pluto[2903]: Could not change to directory '/etc/ipsec.d/aacerts'
Apr 7 09:01:22 localhost pluto[2903]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Apr 7 09:01:22 localhost pluto[2903]: Changing to directory '/etc/ipsec.d/crls'
Apr 7 09:01:22 localhost pluto[2903]: loaded crl file 'old-crl.pem' (459 bytes)
Apr 7 09:01:22 localhost pluto[2903]: loaded crl file 'crl.pem' (459 bytes)
Apr 7 09:01:22 localhost pluto[2903]: loaded host cert file '/etc/ipsec.d/certs/ipsec-server.crt' (3350 bytes)
Apr 7 09:01:22 localhost pluto[2903]: added connection description "roadwarrior-l2tp"
Apr 7 09:01:22 localhost pluto[2903]: loaded host cert file '/etc/ipsec.d/certs/ipsec-server.crt' (3350 bytes)
Apr 7 09:01:22 localhost pluto[2903]: added connection description "roadwarrior"
Apr 7 09:01:22 localhost pluto[2903]: loaded host cert file '/etc/ipsec.d/certs/ipsec-server.crt' (3350 bytes)
Apr 7 09:01:22 localhost pluto[2903]: added connection description "roadwarrior-l2tp-updatedwin"
Apr 7 09:01:22 localhost pluto[2903]: listening for IKE messages
Apr 7 09:01:22 localhost pluto[2903]: adding interface eth0/eth0 134.126.20.79
Apr 7 09:01:22 localhost pluto[2903]: adding interface eth0/eth0 134.126.20.79:4500
Apr 7 09:01:22 localhost pluto[2903]: adding interface lo/lo 127.0.0.1
Apr 7 09:01:22 localhost pluto[2903]: adding interface lo/lo 127.0.0.1:4500
Apr 7 09:01:22 localhost pluto[2903]: adding interface lo/lo ::1
Apr 7 09:01:22 localhost pluto[2903]: loading secrets from "/etc/ipsec.secrets"
Apr 7 09:01:22 localhost pluto[2903]: loaded private key file '/etc/ipsec.d/private/ipsec-server-encrypted.key' (963 bytes)
Apr 7 09:02:03 localhost pluto[2903]: packet from 69.168.0.106:4500: Informational Exchange is for an unknown (expired?) SA
Apr 7 09:02:03 localhost pluto[2903]: packet from 69.168.0.106:4500: Informational Exchange is for an unknown (expired?) SA
Apr 7 09:04:02 localhost pluto[2903]: packet from 69.251.186.224:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Apr 7 09:04:02 localhost pluto[2903]: packet from 69.251.186.224:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 7 09:04:02 localhost pluto[2903]: packet from 69.251.186.224:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr 7 09:04:02 localhost pluto[2903]: "roadwarrior-l2tp"[1] 69.251.186.224 #1: responding to Main Mode from unknown peer 69.251.186.224
Apr 7 09:04:02 localhost pluto[2903]: "roadwarrior-l2tp"[1] 69.251.186.224 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 7 09:04:02 localhost pluto[2903]: "roadwarrior-l2tp"[1] 69.251.186.224 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Apr 7 09:04:02 localhost pluto[2903]: "roadwarrior-l2tp"[1] 69.251.186.224 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[1] 69.251.186.224 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=192.168.2.200'
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[1] 69.251.186.224 #1: crl update for "C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA" is overdue since Jan 08 20:33:06 UTC 2006
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224 #1: deleting connection "roadwarrior-l2tp" instance with peer 69.251.186.224 {isakmp=#0/ipsec=#0}
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224 #1: I am sending my cert
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 7 09:04:03 localhost pluto[2903]: | NAT-T: new mapping 69.251.186.224:500/33700)
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224:33700 #1: sent MR3, ISAKMP SA established
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224:33700 #2: responding to Quick Mode
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224:33700 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224:33700 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224:33700 #2: IPsec SA established {ESP/NAT=>0x2dc4ddf3 <0x47e5b9c3 NATOA=192.168.0.7}
+ _________________________ date
+ date
Fri Apr 7 09:14:09 EDT 2006
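The pluto lines in the barf output above show one full lifecycle for a NAT-ed road warrior: Main Mode, NAT-T detection, an overdue CRL warning, ISAKMP and IPsec SA establishment with the ESP SPIs and NATOA, and (earlier in the thread) a teardown that the peer itself requested with a Delete SA payload. When chasing drops it helps to reduce a long /var/log/secure to a per-peer summary: did the SA ever come up, who tore it down, how long it lived. The script below is an added example written for this page, not code from the original post or from Openswan. The sample log is constructed to follow the pluto message formats seen above; the Delete SA lines, their timestamps and the state numbers are illustrative, and the year 2006 is assumed because syslog timestamps carry none.

```python
"""Per-peer SA lifecycle summary for Openswan pluto (IKEv1) syslog lines.

Added example for this page; not code from the original post or from
Openswan. SAMPLE_LOG is constructed to match pluto's message formats.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input modelled on the lines in the thread (the two
# "received Delete SA" lines and their times are illustrative).
SAMPLE_LOG = """\
Apr 7 09:02:03 localhost pluto[2903]: packet from 69.168.0.106:4500: Informational Exchange is for an unknown (expired?) SA
Apr 7 09:04:02 localhost pluto[2903]: "roadwarrior-l2tp"[1] 69.251.186.224 #1: responding to Main Mode from unknown peer 69.251.186.224
Apr 7 09:04:02 localhost pluto[2903]: "roadwarrior-l2tp"[1] 69.251.186.224 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[1] 69.251.186.224 #1: crl update for "C=US, ST=Virginia, L=Harrisonburg, O=JMU, OU=CS, CN=Crypto CA" is overdue since Jan 08 20:33:06 UTC 2006
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224:33700 #1: sent MR3, ISAKMP SA established
Apr 7 09:04:03 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224:33700 #2: IPsec SA established {ESP/NAT=>0x2dc4ddf3 <0x47e5b9c3 NATOA=192.168.0.7}
Apr 7 09:28:10 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224:33700 #1: received Delete SA(0x2dc4ddf3) payload: deleting IPSEC State #2
Apr 7 09:28:10 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224:33700 #1: received Delete SA payload: deleting ISAKMP State #1
Apr 7 09:28:10 localhost pluto[2903]: "roadwarrior-l2tp"[2] 69.251.186.224:33700: deleting connection "roadwarrior-l2tp" instance with peer 69.251.186.224 {isakmp=#0/ipsec=#0}
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto ?\[\d+\]: (?P<msg>.*)$")
# '"conn"[instance] peer[:port] [#state]: text'
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\d+\.\d+\.\d+\.\d+)(?::\d+)?(?: #(?P<state>\d+))?: (?P<rest>.*)$')
# 'packet from peer:port: text' (no connection matched yet)
PKT_RE = re.compile(r"^packet from (?P<peer>\d+\.\d+\.\d+\.\d+):\d+: (?P<rest>.*)$")
# SPIs and NAT-OA from an "IPsec SA established" line
SPI_RE = re.compile(r"ESP(?P<nat>/NAT)?=>(?P<outbound>0x[0-9a-f]+) <(?P<inbound>0x[0-9a-f]+)(?: NATOA=(?P<natoa>[\d.]+))?")


def parse_ts(ts, year=2006):
    # syslog omits the year; the value is an assumption for this example
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def new_peer():
    return {"conn": None, "nated": False, "isakmp_established": 0,
            "ipsec_established": 0, "spis": [], "natoa": None,
            "peer_deletes": 0, "stale_informational": 0, "crl_overdue": False,
            "first_ipsec_up": None, "last_delete": None}


def summarise(log_text):
    """Fold pluto lines into one record per peer IP."""
    peers = defaultdict(new_peer)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        c, p = CONN_RE.match(msg), PKT_RE.match(msg)
        if c:
            peer, rest = c["peer"], c["rest"]
            peers[peer]["conn"] = c["conn"]
        elif p:
            peer, rest = p["peer"], p["rest"]
        else:
            continue
        s = peers[peer]
        if "ISAKMP SA established" in rest:
            s["isakmp_established"] += 1
        elif "IPsec SA established" in rest:
            s["ipsec_established"] += 1
            s["first_ipsec_up"] = s["first_ipsec_up"] or ts
            spi = SPI_RE.search(rest)
            if spi:
                s["spis"].append((spi["outbound"], spi["inbound"]))
                s["natoa"] = spi["natoa"]
                s["nated"] = s["nated"] or bool(spi["nat"])
        elif "peer is NATed" in rest:
            s["nated"] = True
        elif rest.startswith("received Delete SA"):
            # the remote side asked for the teardown; pluto did not expire it
            s["peer_deletes"] += 1
            s["last_delete"] = ts
        elif "unknown (expired?) SA" in rest:
            s["stale_informational"] += 1
        elif "crl update for" in rest and "overdue" in rest:
            s["crl_overdue"] = True
    return dict(peers)


def session_seconds(s):
    """Seconds from first IPsec SA up to the last peer-sent Delete, if both seen."""
    if s["first_ipsec_up"] and s["last_delete"]:
        return int((s["last_delete"] - s["first_ipsec_up"]).total_seconds())
    return None


def classify(s):
    if s["ipsec_established"] == 0:
        if s["isakmp_established"]:
            return "phase 1 only"
        return "stale informational only" if s["stale_informational"] else "no SA"
    return "peer-initiated teardown" if s["peer_deletes"] else "up"


if __name__ == "__main__":
    for peer, s in summarise(SAMPLE_LOG).items():
        print(f"{peer:16} {classify(s):26} nated={s['nated']} natoa={s['natoa']} "
              f"spis={s['spis']} crl_overdue={s['crl_overdue']} "
              f"lifetime_s={session_seconds(s)}")
```

Run it against a real /var/log/secure with `summarise(open(path).read())`; a peer classified "peer-initiated teardown" after a short lifetime points at the client (or its L2TP/PPP layer) ending the session, whereas "phase 1 only" or "stale informational only" points at negotiation or NAT-mapping trouble on the way in.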