[Openswan Users] pfkey write failed
saltzman at comcast.net
Tue Mar 7 14:52:01 CET 2006
I'm getting this error on startup and shutdown of my tunnel (which is not working yet):
/usr/local/libexec/ipsec/spi: pfkey write failed (errno=1): Unknown socket write error 1 (Operation not permitted). Please report as much detail as possible to development team.
I'm simply trying to encrypt data across a Linux and a Windows machine. Here is my barf output (it was run after the tunnel was 'un-assigned' from Windows):
-firstrep10.navsys.com
Tue Mar 7 09:11:34 MST 2006
+ _________________________ version
+ ipsec --version
Linux Openswan 2.4.5rc5 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.4.25-rtl (root at firstrep10.navsys.com) (gcc version 3.3.2) #4 Tue Feb 28 17:37:50 MST 2006
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
0 10.200.100.152/32 -> 10.200.100.14/32 => %trap
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
255.255.255.255 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
172.16.4.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 ipsec0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
224.0.0.0 0.0.0.0 240.0.0.0 U 0 0 0 eth1
0.0.0.0 172.16.4.1 0.0.0.0 UG 0 0 0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth1 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_ah:-1
debug_eroute:-1
debug_esp:-1
debug_ipcomp:-1
debug_netlink:2147483647
debug_pfkey:-1
debug_radij:-1
debug_rcv:-1
debug_spi:-1
debug_tunnel:-1
debug_verbose:0
debug_xform:-1
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth1 10.200.100.152
000 %myid = (none)
000 debug none
000
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "roadwarrior": 10.200.100.152...10.200.100.14; unrouted; eroute owner: #0
000 "roadwarrior": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "roadwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10
000 "roadwarrior": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 32,32; interface: eth1;
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:30:D6:00:BC:A7
inet addr:172.16.4.119 Bcast:172.16.7.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:1176 (1.1 Kb)
Interrupt:20 Base address:0xd000
eth1 Link encap:Ethernet HWaddr 00:D0:59:C8:8F:2B
inet addr:10.200.100.152 Bcast:10.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:330105 errors:441806 dropped:0 overruns:0 frame:441806
TX packets:479737 errors:21 dropped:0 overruns:0 carrier:0
collisions:11955 txqueuelen:1000
RX bytes:28786586 (27.4 Mb) TX bytes:55429016 (52.8 Mb)
Interrupt:17 Base address:0xd400
ipsec0 Link encap:Ethernet HWaddr 00:D0:59:C8:8F:2B
inet addr:10.200.100.152 Mask:255.0.0.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:118480 errors:0 dropped:0 overruns:0 frame:0
TX packets:118480 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18614148 (17.7 Mb) TX bytes:18614148 (17.7 Mb)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:30:d6:00:bc:a7 brd ff:ff:ff:ff:ff:ff
inet 172.16.4.119/22 brd 172.16.7.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:d0:59:c8:8f:2b brd ff:ff:ff:ff:ff:ff
inet 10.200.100.152/8 brd 10.255.255.255 scope global eth1
4: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:d0:59:c8:8f:2b brd ff:ff:ff:ff:ff:ff
inet 10.200.100.152/8 brd 10.255.255.255 scope global ipsec0
5: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/void
6: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/void
7: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/void
+ _________________________ ip-route-list
+ ip route list
255.255.255.255 dev eth1 scope link
172.16.4.0/22 dev eth0 scope link
169.254.0.0/16 dev eth1 scope link
10.0.0.0/8 dev eth1 scope link
10.0.0.0/8 dev ipsec0 proto kernel scope link src 10.200.100.152
127.0.0.0/8 dev lo scope link
224.0.0.0/4 dev eth1 scope link
default via 172.16.4.1 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
RTNETLINK answers: Invalid argument
Dump terminated
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.4.5rc5 (klips)
Checking for IPsec support in kernel [OK]
KLIPS detected, checking for NAT Traversal support [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
No MII transceiver present!.
SIOCGMIIPHY on 'eth1' failed: Operation not supported
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
pc104
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.200.100.152
+ _________________________ uptime
+ uptime
09:11:34 up 4 days, 17:06, 2 users, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 12469 29923 16 0 4164 1116 wait4 S /tmp/barf.txt 0:00 \_ /bin/sh /usr/local/libexec/ipsec/barf
1 0 1622 1 9 0 2096 1008 wait4 S pts/0 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal no --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers
1 0 1626 1622 9 0 2096 1016 wait4 S pts/0 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal no --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpe
4 0 1628 1626 9 0 2408 1292 do_sel S pts/0 0:00 | \_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --stderrlog
1 0 1633 1628 15 10 2300 828 unix_s SN pts/0 0:00 | \_ pluto helper # 0
0 0 1635 1628 9 0 1436 256 do_sel S pts/0 0:00 | \_ _pluto_adns
0 0 1627 1622 8 0 2064 980 pipe_w S pts/0 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0 0 1623 1 9 0 1380 488 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
version 2.0
config setup
    interfaces="ipsec0=eth1"
    nat_traversal=no
    klipsdebug=all
    plutostderrlog=/tmp/ipsec.log
conn %default
    keyingtries=10
    compress=no
    authby=secret
    #authby=rsasig
    #leftcert=frc.pem
    #rightcert=roc.pem
    #leftrsasigkey=%cert
    #rightrsasigkey=%cert
#conn roadwarrior-net
    #leftsubnet=10.0.0.0/8
    #auto=ignore
    #also=roadwarrior
conn roadwarrior
    left=10.200.100.152
    right=10.200.100.14
    pfs=no
    #pfs=yes
    # manual start (add)
    #auto=add
    # service (start)
    auto=start
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: PSK "[sums to 5d5d...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000
000 List of X.509 CA Certificates:
000
000 Mar 06 16:36:54 2006, count: 1
000 subject: 'C=US, ST=NJ, O=cerdec, OU=stcd, CN=netops'
000 issuer: 'C=US, ST=NJ, O=cerdec, OU=stcd, CN=netops'
000 serial: 00:9f:59:f9:51:e3:6c:a5:df
000 pubkey: 1024 RSA Key AwEAAcDYK
000 validity: not before Feb 23 12:45:44 2006 ok
000 not after Feb 21 12:45:44 2016 ok
000 subjkey: 9f:11:56:f5:5d:17:da:b3:da:48:4b:cd:7e:6e:c1:b2:cb:0a:0f:2d
000 authkey: 9f:11:56:f5:5d:17:da:b3:da:48:4b:cd:7e:6e:c1:b2:cb:0a:0f:2d
000
000 List of X.509 CRLs:
000
000 Mar 06 16:36:54 2006, revoked certs: 0
000 issuer: 'C=US, ST=NJ, O=cerdec, OU=stcd, CN=netops'
000 updates: this Feb 23 13:03:08 2006
000 next Mar 25 13:03:08 2006 ok
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 292
-rwxr-xr-x 1 root root 15849 Mar 1 09:08 _confread
-rwxr-xr-x 1 root root 15849 Dec 23 2004 _confread.old
-rwxr-xr-x 1 root root 48991 Mar 1 09:08 _copyright
-rwxr-xr-x 1 root root 48991 Dec 23 2004 _copyright.old
-rwxr-xr-x 1 root root 2379 Mar 1 09:08 _include
-rwxr-xr-x 1 root root 2379 Dec 23 2004 _include.old
-rwxr-xr-x 1 root root 1475 Mar 1 09:08 _keycensor
-rwxr-xr-x 1 root root 1475 Dec 23 2004 _keycensor.old
-rwxr-xr-x 1 root root 3586 Mar 1 09:08 _plutoload
-rwxr-xr-x 1 root root 3586 Dec 23 2004 _plutoload.old
-rwxr-xr-x 1 root root 7073 Mar 1 09:08 _plutorun
-rwxr-xr-x 1 root root 7073 Dec 23 2004 _plutorun.old
-rwxr-xr-x 1 root root 12275 Mar 1 09:08 _realsetup
-rwxr-xr-x 1 root root 12275 Dec 23 2004 _realsetup.old
-rwxr-xr-x 1 root root 1975 Mar 1 09:08 _secretcensor
-rwxr-xr-x 1 root root 1975 Dec 23 2004 _secretcensor.old
-rwxr-xr-x 1 root root 9958 Mar 1 09:08 _startklips
-rwxr-xr-x 1 root root 9958 Dec 23 2004 _startklips.old
-rwxr-xr-x 1 root root 13887 Mar 1 09:08 _updown
-rwxr-xr-x 1 root root 13887 Dec 23 2004 _updown.old
-rwxr-xr-x 1 root root 15746 Mar 1 09:08 _updown_x509
-rwxr-xr-x 1 root root 15746 Dec 23 2004 _updown_x509.old
-rwxr-xr-x 1 root root 1942 Mar 1 09:08 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 10016
-rwxr-xr-x 1 root root 73288 Mar 1 09:08 _pluto_adns
-rwxr-xr-x 1 root root 73288 Dec 23 2004 _pluto_adns.old
-rwxr-xr-x 1 root root 18891 Mar 1 09:08 auto
-rwxr-xr-x 1 root root 18891 Dec 23 2004 auto.old
-rwxr-xr-x 1 root root 11355 Mar 1 09:08 barf
-rwxr-xr-x 1 root root 11355 Dec 23 2004 barf.old
-rwxr-xr-x 1 root root 816 Mar 1 09:08 calcgoo
-rwxr-xr-x 1 root root 816 Dec 23 2004 calcgoo.old
-rwxr-xr-x 1 root root 321925 Mar 1 09:08 eroute
-rwxr-xr-x 1 root root 321925 Dec 23 2004 eroute.old
-rwxr-xr-x 1 root root 133163 Mar 1 09:08 ikeping
-rwxr-xr-x 1 root root 133163 Dec 23 2004 ikeping.old
-rwxr-xr-x 1 root root 192778 Mar 1 09:08 klipsdebug
-rwxr-xr-x 1 root root 192778 Dec 23 2004 klipsdebug.old
-rwxr-xr-x 1 root root 1836 Mar 1 09:08 livetest
-rwxr-xr-x 1 root root 1836 Dec 23 2004 livetest.old
-rwxr-xr-x 1 root root 2605 Mar 1 09:08 look
-rwxr-xr-x 1 root root 2605 Dec 23 2004 look.old
-rwxr-xr-x 1 root root 7159 Mar 1 09:08 mailkey
-rwxr-xr-x 1 root root 7159 Dec 23 2004 mailkey.old
-rwxr-xr-x 1 root root 15996 Mar 1 09:08 manual
-rwxr-xr-x 1 root root 15996 Dec 23 2004 manual.old
-rwxr-xr-x 1 root root 1926 Mar 1 09:08 newhostkey
-rwxr-xr-x 1 root root 1926 Dec 23 2004 newhostkey.old
-rwxr-xr-x 1 root root 172639 Mar 1 09:08 pf_key
-rwxr-xr-x 1 root root 172639 Dec 23 2004 pf_key.old
-rwxr-xr-x 1 root root 2782795 Mar 1 09:08 pluto
-rwxr-xr-x 1 root root 2782795 Dec 23 2004 pluto.old
-rwxr-xr-x 1 root root 52901 Mar 1 09:08 ranbits
-rwxr-xr-x 1 root root 52901 Dec 23 2004 ranbits.old
-rwxr-xr-x 1 root root 83239 Mar 1 09:08 rsasigkey
-rwxr-xr-x 1 root root 83239 Dec 23 2004 rsasigkey.old
-rwxr-xr-x 1 root root 766 Mar 1 09:08 secrets
-rwxr-xr-x 1 root root 766 Dec 23 2004 secrets.old
-rwxr-xr-x 1 root root 17660 Mar 1 09:08 send-pr
-rwxr-xr-x 1 root root 17660 Dec 23 2004 send-pr.old
lrwxrwxrwx 1 root root 22 Mar 1 09:08 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Mar 1 09:08 showdefaults
-rwxr-xr-x 1 root root 1054 Dec 23 2004 showdefaults.old
-rwxr-xr-x 1 root root 4748 Mar 1 09:08 showhostkey
-rwxr-xr-x 1 root root 4748 Dec 23 2004 showhostkey.old
-rwxr-xr-x 1 root root 521603 Mar 1 09:08 spi
-rwxr-xr-x 1 root root 521603 Dec 23 2004 spi.old
-rwxr-xr-x 1 root root 260722 Mar 1 09:08 spigrp
-rwxr-xr-x 1 root root 260722 Dec 23 2004 spigrp.old
-rwxr-xr-x 1 root root 57549 Mar 1 09:08 tncfg
-rwxr-xr-x 1 root root 57549 Dec 23 2004 tncfg.old
-rwxr-xr-x 1 root root 11635 Mar 1 09:08 verify
-rwxr-xr-x 1 root root 11635 Dec 23 2004 verify.old
-rwxr-xr-x 1 root root 276913 Mar 1 09:08 whack
-rwxr-xr-x 1 root root 276913 Dec 23 2004 whack.old
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo:18614384 118481 0 0 0 0 0 0 18614384 118481 0 0 0 0 0 0
eth0: 0 0 0 0 0 0 0 0 1176 28 0 0 0 0 0 0
eth1:28786628 330106 441806 0 0 441806 0 291 55429016 479737 21 0 0 11955 0 0
ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth1 FFFFFFFF 00000000 0005 0 0 0 FFFFFFFF 0 0 0
eth0 000410AC 00000000 0001 0 0 0 00FCFFFF 0 0 0
eth1 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0
eth1 0000000A 00000000 0001 0 0 0 000000FF 0 0 0
ipsec0 0000000A 00000000 0001 0 0 0 000000FF 0 0 0
lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0
eth1 000000E0 00000000 0001 0 0 0 000000F0 0 0 0
eth0 00000000 010410AC 0003 0 0 0 00000000 0 0 0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:0
ipsec0/rp_filter:1
lo/rp_filter:1
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:0
ipsec0/rp_filter:1
lo/rp_filter:1
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects ipsec0/accept_redirects ipsec0/secure_redirects ipsec0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:1
default/accept_redirects:1
default/secure_redirects:1
default/send_redirects:1
eth0/accept_redirects:1
eth0/secure_redirects:1
eth0/send_redirects:1
eth1/accept_redirects:1
eth1/secure_redirects:1
eth1/send_redirects:1
ipsec0/accept_redirects:1
ipsec0/secure_redirects:1
ipsec0/send_redirects:1
lo/accept_redirects:1
lo/secure_redirects:1
lo/send_redirects:1
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+ uname -a
Linux firstrep10.navsys.com 2.4.25-rtl #4 Tue Feb 28 17:37:50 MST 2006 i686 i686 i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ distro-release
+ test -f /etc/redhat-release
+ cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
+ test -f /etc/debian-release
+ test -f /etc/SuSE-release
+ test -f /etc/mandrake-release
+ test -f /etc/mandriva-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.4.5rc5
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ ipfwadm -F -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -I -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -O -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -M -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ ipchains -L -v -n
ipchains: Incompatible with this kernel
+ _________________________
+ ipchains -M -L -v -n
ipchains: cannot open file `/proc/net/ip_masquerade'
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
modprobe: Can't locate module ip_tables
iptables v1.2.7a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
modprobe: Can't locate module ip_tables
iptables v1.2.7a: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
modprobe: Can't locate module ip_tables
iptables v1.2.7a: can't initialize iptables table `mangle': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
soundcore 3396 0 (autoclean)
mcci_usb 5732 1
usbserial 17436 0 [mcci_usb]
ipsec 312384 36
apm 10124 2
tun 4288 0 (unused)
airo 48968 1
microcode 5120 0 (autoclean)
pwc 42736 1
videodev 6048 2 [pwc]
hid 20644 0 (unused)
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 1040633856 768249856 272384000 0 174657536 238673920
Swap: 2146787328 0 2146787328
MemTotal: 1016244 kB
MemFree: 266000 kB
MemShared: 0 kB
Buffers: 170564 kB
Cached: 233080 kB
SwapCached: 0 kB
Active: 340972 kB
Inactive: 133452 kB
HighTotal: 114624 kB
HighFree: 1788 kB
LowTotal: 901620 kB
LowFree: 264212 kB
SwapTotal: 2096472 kB
SwapFree: 2096472 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Mar 7 09:11 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Mar 7 09:11 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Mar 7 09:11 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Mar 7 09:11 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Mar 7 09:11 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Mar 7 09:11 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.4.25-rtl/build/.config
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV'
++ uname -r
+ cat /lib/modules/2.4.25-rtl/build/.config
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
# CONFIG_IP_PNP_RARP is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_INET_ECN is not set
# CONFIG_IP_NF_CONNTRACK is not set
# CONFIG_IP_NF_QUEUE is not set
# CONFIG_IP_NF_IPTABLES is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_IPV6_SCTP__=y
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
# CONFIG_IPMI_PANIC_EVENT is not set
# CONFIG_IPMI_DEVICE_INTERFACE is not set
# CONFIG_IPMI_KCS is not set
# CONFIG_IPMI_WATCHDOG is not set
# CONFIG_HW_RANDOM is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
+ _________________________ etc/syslog-ng/syslog-ng.conf
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search firstresponder.com
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 3 root root 4096 May 31 2005 2.4.20-8
drwxr-xr-x 4 root root 4096 Feb 28 17:37 2.4.25-rtl
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ egrep netif_rx /proc/ksyms
c02d5380 netif_rx
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.20-8: U netif_rx_R8d84bcda
2.4.25-rtl: U netif_rx
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '21571,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Mar 6 16:36:54 firstrep10 ipsec_setup: Starting Openswan IPsec 2.4.5rc5...
Mar 6 16:36:54 firstrep10 kernel: klips_debug:pfkey_upmsg: error=-1 calling sock_queue_rcv_skb with skb=0pf5686560.
Mar 6 16:36:55 firstrep10 ipsec_setup: /usr/local/libexec/ipsec/spi: pfkey write failed (errno=1): Unknown socket write error 1 (Operation not permitted). Please report as much detail as possible to development team.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error message to socket=0pd89cbce0 failed with error=-1.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error message to socket=0pd89cbce0 succeeded.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error=-1 message=0pd1229980 to socket=0pf6749700.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: allocating 16 bytes...
Mar 6 16:36:55 firstrep10 ipsec__plutorun: 003 ERROR: "roadwarrior": pfkey write() of SADB_X_ADDFLOW message 5 for flow %trap failed. Errno 1: Operation not permitted
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: ...allocated at 0pf5686560.
Mar 6 16:36:55 firstrep10 ipsec__plutorun: 025 "roadwarrior": could not route
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: error=-1 calling sock_queue_rcv_skb with skb=0pf568-1.
Mar 6 16:36:55 firstrep10 ipsec__plutorun: ...could not route conn "roadwarrior"
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error=-1 message=0pd1229760 to socket=0pf3900ae0.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: allocating 16 bytes...
Mar 6 16:36:55 firstrep10 ipsec__plutorun: 104 "roadwarrior" #1: STATE_MAIN_I1: initiate
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: ...allocated at 0pf57e6460.
Mar 6 16:36:55 firstrep10 ipsec__plutorun: ...could not start conn "roadwarrior"
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: error=-1 calling sock_queue_rcv_skb with skb=0pf57e6460.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error message to socket=0pf3900ae0 failed with error=-1.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error message to socket=0pf3900ae0 succeeded.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error=-1 message=0pd1229760 to socket=0pd12bc8e0.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: allocating 16 bytes...
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: ...allocated at 0pf57e6460.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: error=-1 calling sock_queue_rcv_skb with skb=0pf57e6460.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error message to socket=0pd12bc8e0 failed with error=-1.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error message to socket=0pd12bc8e0 succeeded.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error=-1 message=0pd1229760 to socket=0pf65d0ae0.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: allocating 16 bytes...
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: ...allocated at 0pf57e6460.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: error=-1 calling sock_queue_rcv_skb with skb=0pf57e6460.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error message to socket=0pf65d0ae0 failed with error=-1.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error message to socket=0pf65d0ae0 succeeded.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error=-1 message=0pd1229760 to socket=0pd89cbb00.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: allocating 16 bytes...
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: ...allocated at 0pf57e6460.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: error=-1 calling sock_queue_rcv_skb with skb=0pf57e6460.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error message to socket=0pd89cbb00 failed with error=-1.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error message to socket=0pd89cbb00 succeeded.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_sendmsg: sending up error=-1 message=0pd1229760 to socket=0pd12bce80.
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: allocating 16 bytes...
Mar 6 16:36:55 firstrep10 kernel: klips_debug:pfkey_upmsg: ...allocated at 0pf57e6460.