[Openswan Users] IPsec SA established but traffic doesn't get back to origin

Mariano Aliaga marianoaliaga at gmail.com
Sat May 13 11:55:55 CEST 2006


Hi,
   I've been trying for long to debug this problem and now I don't
know what else can I try. I'd be glad if someone could help.
   My setup is as follows:

             HostA -------- GwA ===WWW=== GwB ------- HostB

   I'm running Debian Sarge on both gateways, and my software versions are:

      - GwA: linux-image-2.6.16-1-6 (sarge-backports), openswan
2.4.5-3 (unstable), openswan-modules-source 2.4.5-3 (unstable)
      - GwB: kernel-image-2.4.27-2-386, openswan 2.2.0-8,
openswan-modules-source 2.2.0-8

   My problem is the following: I can perfectly set up an IPSec tunnel
between both gateways (I get IPsec SA established, ipsec0 interfaces
are setted up, eroutes are added, etc.).
   If I ping from HostA to HostB the packet goes through the tunnel,
HostB  replies it, the reply goes trhough GwB and I can see the esp
packets on ppp0 interface on GwA, BUT it doesn't pass to ipsec0... it
just dies there.
   I have several tunnels on GwB working perfectly, and all of them
are using the same versions as GwB.

    The output of ipsec barf on GwA is the following:

gwa
Sat May 13 10:27:02 ART 2006
+ _________________________ version
+ ipsec --version
Linux Openswan 2.4.5 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.16-1-686 (Debian 2.6.16-11bpo1)
(nobse at backports.org) (gcc version 3.3.5 (Debian 1:3.3.5-13)) #2 Fri
May 5 04:56:53 UTC 2006
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
0          10.250.1.0/24      -> 192.168.1.0/24     => tun0x1004 at 200.XXX.XXX.XXX
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
200.123.151.254 0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
200.123.151.254 0.0.0.0         255.255.255.255 UH        0 0          0 ipsec0
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
10.250.1.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         200.123.151.254 0.0.0.0         UG        0 0          0 ppp0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
tun0x1004 at 200.XXX.XXX.XXX IPIP: dir=out src=200.68.111.227
life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1407
tun0x1003 at 200.68.111.227 IPIP: dir=in  src=200.XXX.XXX.XXX
policy=192.168.1.0/24->10.250.1.0/24 flags=0x8<>
life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1402
esp0x1d4652fc at 200.68.111.227 ESP_AES_HMAC_MD5: dir=in
src=200.XXX.XXX.XXX iv_bits=128bits
iv=0x00a46605027e05e59f2263eeca7d8b22 ooowin=64 alen=128 aklen=128
eklen=256 life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1403
esp0xf7a99044 at 200.XXX.XXX.XXX ESP_AES_HMAC_MD5: dir=out
src=200.68.111.227 iv_bits=128bits
iv=0x0f99e1381cd545fe34b85023bbbbee4d ooowin=64 alen=128 aklen=128
eklen=256 life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1408
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1004 at 200.XXX.XXX.XXX esp0xf7a99044 at 200.XXX.XXX.XXX
tun0x1003 at 200.68.111.227 esp0x1d4652fc at 200.68.111.227
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260(1440) -> 1440
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink
debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose
debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/ppp0 200.68.111.227
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36}
trans={0,2,72} attrs={0,2,48}
000
000 "tunnelAB":
10.250.1.0/24===200.68.111.227...200.XXX.XXX.XXX===192.168.1.0/24;
erouted; eroute owner: #4
000 "tunnelAB":     srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "tunnelAB":   ike_life: 14400s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "tunnelAB":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: ppp0;
000 "tunnelAB":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "tunnelAB":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "tunnelAB":   ESP algorithms wanted: 12_000-1, 12_000-2, flags=strict
000 "tunnelAB":   ESP algorithms loaded: 12_000-1, 12_000-2, flags=strict
000 "tunnelAB":   ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=<N/A>
000
000 #4: "tunnelAB":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3272s; newest IPSEC; eroute owner
000 #4: "tunnelAB" esp.f7a99044 at 200.XXX.XXX.XXX
esp.1d4652fc at 200.68.111.227 tun.1004 at 200.XXX.XXX.XXX
tun.1003 at 200.68.111.227
000 #3: "tunnelAB":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 14071s; newest ISAKMP; nodpd
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:15:F2:E5:77:3E
          inet addr:192.168.3.233  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::215:f2ff:fee5:773e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:113210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15884 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15367386 (14.6 MiB)  TX bytes:4206684 (4.0 MiB)
          Interrupt:185 Base address:0xd400

eth1      Link encap:Ethernet  HWaddr 00:60:08:CC:DD:36
          inet addr:10.250.1.110  Bcast:10.250.1.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:153 Base address:0xcc00

ipsec0    Link encap:Point-to-Point Protocol
          inet addr:200.68.111.227  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3132 errors:0 dropped:16 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:473376 (462.2 KiB)

ipsec1    Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec2    Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec3    Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:60 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6729 (6.5 KiB)  TX bytes:6729 (6.5 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:200.68.111.227  P-t-P:200.123.151.254  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1440  Metric:1
          RX packets:208 errors:0 dropped:0 overruns:0 frame:0
          TX packets:159 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:48265 (47.1 KiB)  TX bytes:34036 (33.2 KiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:15:f2:e5:77:3e brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.233/24 brd 192.168.3.255 scope global eth0
    inet6 fe80::215:f2ff:fee5:773e/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:08:cc:dd:36 brd ff:ff:ff:ff:ff:ff
    inet 10.250.1.110/24 brd 10.250.1.255 scope global eth1
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
6: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ppp
    inet 200.68.111.227 peer 200.123.151.254/32 scope global ipsec0
7: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
8: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
9: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
13: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1440 qdisc pfifo_fast qlen 3
    link/ppp
    inet 200.68.111.227 peer 200.123.151.254/32 scope global ppp0
+ _________________________ ip-route-list
+ ip route list
200.123.151.254 dev ppp0  proto kernel  scope link  src 200.68.111.227
200.123.151.254 dev ipsec0  proto kernel  scope link  src 200.68.111.227
192.168.3.0/24 dev eth0  proto kernel  scope link  src 192.168.3.233
192.168.1.0/24 dev ipsec0  scope link
10.250.1.0/24 dev eth1  proto kernel  scope link  src 10.250.1.110
default via 200.123.151.254 dev ppp0
+ _________________________ ip-rule-list
+ ip rule list
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan 2.4.5 (klips)
Checking for IPsec support in kernel                        	[OK]
KLIPS detected, checking for NAT Traversal support          	[FAILED]
Checking for RSA private key (/etc/ipsec.secrets)           	[DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                              	[OK]
Two or more interfaces found, checking IP forwarding        	[OK]
Checking NAT and MASQUERADEing
Checking tun0x1004 at 200.XXX.XXX.XXX from 10.250.1.0/24 to 192.168.1.0/24	[FAILED]
  MASQUERADE from 10.250.1.0/24 to 0.0.0.0/0 kills tunnel
10.250.1.0/24 -> 192.168.1.0/24
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
  product info: vendor 00:00:20, model 32 rev 1
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: no link
  product info: National DP83840A rev 1
  basic mode:   autonegotiation enabled
  basic status: no link
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
gwa.xxxxxxx.xxx
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.250.1.110
+ _________________________ uptime
+ uptime
 10:27:03 up 1 day, 19:38,  3 users,  load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
0     0 10660  9655  16   0  2828 1360 -      R+   pts/2      0:00
     \_ /bin/sh /usr/lib/ipsec/barf
1     0 10570     1  25   0  2412  448 wait   S    pts/2      0:00
/bin/bash /usr/lib/ipsec/_plutorun --debug none --uniqueids yes
--nocrsend  --strictcrlpolicy  --nat_traversal  --keep_alive
--protostack auto --force_keepalive  --disable_port_floating
--virtual_private  --crlcheckinterval 0 --ocspuri  --nhelpers  --dump
--opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid
/var/run/pluto/pluto.pid
1     0 10571 10570  25   0  2412  608 wait   S    pts/2      0:00  \_
/bin/bash /usr/lib/ipsec/_plutorun --debug none --uniqueids yes
--nocrsend  --strictcrlpolicy  --nat_traversal  --keep_alive
--protostack auto --force_keepalive  --disable_port_floating
--virtual_private  --crlcheckinterval 0 --ocspuri  --nhelpers  --dump
--opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid
/var/run/pluto/pluto.pid
4     0 10572 10571  15   0  7072 2492 -      S    pts/2      0:00  |
 \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets
--ipsecdir /etc/ipsec.d --debug-none --use-auto --uniqueids
1     0 10583 10572  25  10  6936  872 -      SN   pts/2      0:00  |
     \_ pluto helper  #  0    -nofork
0     0 10584 10572  25   0  1532  292 -      S    pts/2      0:00  |
     \_ _pluto_adns
0     0 10573 10570  16   0  2380 1116 pipe_w S    pts/2      0:00  \_
/bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0     0 10575     1  25   0  1584  504 pipe_w S    pts/2      0:00
logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=ppp0
routevirt=ipsec0
routeaddr=200.68.111.227
routenexthop=200.123.151.254
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes

conn %default
        keyingtries=0

conn tunnelAB
        authby=secret
        left=200.XXX.XXX.XXX
        leftsubnet=192.168.1.0/24
        right=%defaultroute
        rightsubnet=10.250.1.0/24
        ikelifetime=240m
        keylife=60m
        pfs=no
	esp=aes
        compress=no
        auto=start


#Disable Opportunistic Encryption

#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

#> /etc/ipsec.conf 36
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
200.XXX.XXX.XXX gwa.xxxxx.xxx: PSK "[sums to ccda...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#

++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption.  This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications.  If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#

0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 1384
-rwxr-xr-x  1 root root  15859 Apr 23 19:54 _confread
-rwxr-xr-x  1 root root   4428 Apr 23 19:54 _copyright
-rwxr-xr-x  1 root root   2379 Apr 23 19:54 _include
-rwxr-xr-x  1 root root   1475 Apr 23 19:54 _keycensor
-rwxr-xr-x  1 root root   7980 Apr 23 19:54 _pluto_adns
-rwxr-xr-x  1 root root   3586 Apr 23 19:54 _plutoload
-rwxr-xr-x  1 root root   7059 Apr 23 19:54 _plutorun
-rwxr-xr-x  1 root root  12275 Apr 23 19:54 _realsetup
-rwxr-xr-x  1 root root   1975 Apr 23 19:54 _secretcensor
-rwxr-xr-x  1 root root   9952 Apr 23 19:54 _startklips
-rwxr-xr-x  1 root root  13912 Apr 23 19:54 _updown
-rwxr-xr-x  1 root root  15740 Apr 23 19:54 _updown_x509
-rwxr-xr-x  1 root root  18891 Apr 23 19:54 auto
-rwxr-xr-x  1 root root  11331 Apr 23 19:54 barf
-rwxr-xr-x  1 root root    816 Apr 23 19:54 calcgoo
-rwxr-xr-x  1 root root  77348 Apr 23 19:54 eroute
-rwxr-xr-x  1 root root  17108 Apr 23 19:54 ikeping
-rwxr-xr-x  1 root root   1942 Apr 23 19:54 ipsec_pr.template
-rwxr-xr-x  1 root root  60992 Apr 23 19:54 klipsdebug
-rwxr-xr-x  1 root root   1836 Apr 23 19:54 livetest
-rwxr-xr-x  1 root root   2605 Apr 23 19:54 look
-rwxr-xr-x  1 root root   7147 Apr 23 19:54 mailkey
-rwxr-xr-x  1 root root  16015 Apr 23 19:54 manual
-rwxr-xr-x  1 root root   1926 Apr 23 19:54 newhostkey
-rwxr-xr-x  1 root root  52160 Apr 23 19:54 pf_key
-rwxr-xr-x  1 root root 659000 Apr 23 19:54 pluto
-rwxr-xr-x  1 root root   6460 Apr 23 19:54 ranbits
-rwxr-xr-x  1 root root  18588 Apr 23 19:54 rsasigkey
-rwxr-xr-x  1 root root    766 Apr 23 19:54 secrets
-rwxr-xr-x  1 root root  17624 Apr 23 19:54 send-pr
lrwxrwxrwx  1 root root     17 May  9 15:50 setup -> /etc/init.d/ipsec
-rwxr-xr-x  1 root root   1054 Apr 23 19:54 showdefaults
-rwxr-xr-x  1 root root   4748 Apr 23 19:54 showhostkey
-rwxr-xr-x  1 root root 118448 Apr 23 19:54 spi
-rwxr-xr-x  1 root root  66304 Apr 23 19:54 spigrp
-rwxr-xr-x  1 root root   9796 Apr 23 19:54 tncfg
-rwxr-xr-x  1 root root  11623 Apr 23 19:54 verify
-rwxr-xr-x  1 root root  47092 Apr 23 19:54 whack
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/lib/ipsec
total 1384
-rwxr-xr-x  1 root root  15859 Apr 23 19:54 _confread
-rwxr-xr-x  1 root root   4428 Apr 23 19:54 _copyright
-rwxr-xr-x  1 root root   2379 Apr 23 19:54 _include
-rwxr-xr-x  1 root root   1475 Apr 23 19:54 _keycensor
-rwxr-xr-x  1 root root   7980 Apr 23 19:54 _pluto_adns
-rwxr-xr-x  1 root root   3586 Apr 23 19:54 _plutoload
-rwxr-xr-x  1 root root   7059 Apr 23 19:54 _plutorun
-rwxr-xr-x  1 root root  12275 Apr 23 19:54 _realsetup
-rwxr-xr-x  1 root root   1975 Apr 23 19:54 _secretcensor
-rwxr-xr-x  1 root root   9952 Apr 23 19:54 _startklips
-rwxr-xr-x  1 root root  13912 Apr 23 19:54 _updown
-rwxr-xr-x  1 root root  15740 Apr 23 19:54 _updown_x509
-rwxr-xr-x  1 root root  18891 Apr 23 19:54 auto
-rwxr-xr-x  1 root root  11331 Apr 23 19:54 barf
-rwxr-xr-x  1 root root    816 Apr 23 19:54 calcgoo
-rwxr-xr-x  1 root root  77348 Apr 23 19:54 eroute
-rwxr-xr-x  1 root root  17108 Apr 23 19:54 ikeping
-rwxr-xr-x  1 root root   1942 Apr 23 19:54 ipsec_pr.template
-rwxr-xr-x  1 root root  60992 Apr 23 19:54 klipsdebug
-rwxr-xr-x  1 root root   1836 Apr 23 19:54 livetest
-rwxr-xr-x  1 root root   2605 Apr 23 19:54 look
-rwxr-xr-x  1 root root   7147 Apr 23 19:54 mailkey
-rwxr-xr-x  1 root root  16015 Apr 23 19:54 manual
-rwxr-xr-x  1 root root   1926 Apr 23 19:54 newhostkey
-rwxr-xr-x  1 root root  52160 Apr 23 19:54 pf_key
-rwxr-xr-x  1 root root 659000 Apr 23 19:54 pluto
-rwxr-xr-x  1 root root   6460 Apr 23 19:54 ranbits
-rwxr-xr-x  1 root root  18588 Apr 23 19:54 rsasigkey
-rwxr-xr-x  1 root root    766 Apr 23 19:54 secrets
-rwxr-xr-x  1 root root  17624 Apr 23 19:54 send-pr
lrwxrwxrwx  1 root root     17 May  9 15:50 setup -> /etc/init.d/ipsec
-rwxr-xr-x  1 root root   1054 Apr 23 19:54 showdefaults
-rwxr-xr-x  1 root root   4748 Apr 23 19:54 showhostkey
-rwxr-xr-x  1 root root 118448 Apr 23 19:54 spi
-rwxr-xr-x  1 root root  66304 Apr 23 19:54 spigrp
-rwxr-xr-x  1 root root   9796 Apr 23 19:54 tncfg
-rwxr-xr-x  1 root root  11623 Apr 23 19:54 verify
-rwxr-xr-x  1 root root  47092 Apr 23 19:54 whack
+ _________________________ ipsec/updowns
++ ls /usr/lib/ipsec
++ egrep updown
+ cat /usr/lib/ipsec/_updown
#! /bin/sh
# iproute2 version, default updown script
#
# Copyright (C) 2003-2004 Nigel Metheringham
# Copyright (C) 2002-2004 Michael Richardson <mcr at xelerance.com>
# Copyright (C) 2003-2005 Tuomo Soini <tis at foobar.fi>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown.in,v 1.21.2.11 2006/02/20 22:57:28 paul Exp $



# CAUTION:  Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.

LC_ALL=C export LC_ALL

# things that this script gets (from ipsec_pluto(8) man page)
#
#
#      PLUTO_VERSION
#              indicates  what  version of this interface is being
#              used.  This document describes version  1.1.   This
#              is upwardly compatible with version 1.0.
#
#       PLUTO_VERB
#              specifies the name of the operation to be performed
#              (prepare-host, prepare-client, up-host, up-client,
#              down-host, or down-client).  If the address family
#              for security gateway to security gateway
#              communications is IPv6, then a suffix of -v6 is added
#              to the verb.
#
#       PLUTO_CONNECTION
#              is the name of the  connection  for  which  we  are
#              routing.
#
#       PLUTO_CONN_POLICY
#              the policy of the connection, as in:
#     RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
#       PLUTO_NEXT_HOP
#              is the next hop to which packets bound for the peer
#              must be sent.
#
#       PLUTO_INTERFACE
#              is the name of the ipsec interface to be used.
#
#       PLUTO_ME
#              is the IP address of our host.
#
#       PLUTO_MY_CLIENT
#              is the IP address / count of our client subnet.  If
#              the  client  is  just  the  host,  this will be the
#              host's own IP address / max (where max  is  32  for
#              IPv4 and 128 for IPv6).
#
#       PLUTO_MY_CLIENT_NET
#              is the IP address of our client net.  If the client
#              is just the host, this will be the  host's  own  IP
#              address.
#
#       PLUTO_MY_CLIENT_MASK
#              is  the  mask for our client net.  If the client is
#              just the host, this will be 255.255.255.255.
#
#       PLUTO_MY_SOURCEIP
#              if non-empty, then the source address for the route will be
#              set to this IP address.
#
#       PLUTO_MY_PROTOCOL
#              is the protocol  for this  connection.  Useful  for
#              firewalling.
#
#       PLUTO_MY_PORT
#              is the port. Useful for firewalling.
#
#       PLUTO_PEER
#              is the IP address of our peer.
#
#       PLUTO_PEER_CLIENT
#              is the IP address / count of the peer's client sub­
#              net.   If the client is just the peer, this will be
#              the peer's own IP address / max (where  max  is  32
#              for IPv4 and 128 for IPv6).
#
#       PLUTO_PEER_CLIENT_NET
#              is the IP address of the peer's client net.  If the
#              client is just the peer, this will  be  the  peer's
#              own IP address.
#
#       PLUTO_PEER_CLIENT_MASK
#              is  the  mask  for  the  peer's client net.  If the
#              client   is   just   the   peer,   this   will   be
#              255.255.255.255.
#
#       PLUTO_PEER_PROTOCOL
#              is  the  protocol  set  for  remote  end  with port
#              selector.
#
#       PLUTO_PEER_PORT
#              is the peer's port. Useful for firewalling.
#
#       PLUTO_CONNECTION_TYPE
#

# Import default _updown configs from the /etc/default/pluto_updown file
#
# Two variables can be set in this file:
#
#       DEFAULTSOURCE
#              is the default value for PLUTO_MY_SOURCEIP
#
#       IPROUTETABLE
#              is the default value for IPROUTETABLE
#
#       IPROUTEARGS
#              is the extra argument list for ip route command
#
#       IPRULEARGS
#              is the extra argument list for ip rule command
#
if [ -f /etc/default/pluto_updown ]
then
    . /etc/default/pluto_updown
fi

# check interface version
case "$PLUTO_VERSION" in
1.[0])	# Older Pluto?!?  Play it safe, script may be using new features.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: 	called by obsolete Pluto?" >&2
	exit 2
	;;
1.*)	;;
*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac

# check parameter(s)
case "$1:$*" in
':')			# no parameters
	;;
ipfwadm:ipfwadm)	# due to (left/right)firewall; for default script only
	;;
custom:*)		# custom parameters (see above CAUTION comment)
	;;
*)	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
	doroute add
	ip route flush cache
}

downroute() {
	doroute delete
	ip route flush cache
}

uprule() {
	# policy based advanced routing
	if [ -n "$IPROUTETABLE" ]
	then
	    dorule delete
	    dorule add
	fi
	# virtual sourceip support
	if [ -n "$PLUTO_MY_SOURCEIP" ]
	then
	    addsource
	    rc=$?
	    if [ $rc -ne 0 ];
	    then
		changesource
	    fi
	fi
	ip route flush cache
}

downrule() {
	if [ -n "$IPROUTETABLE" ]
	then
	    dorule delete
	    ip route flush cache
	fi
}

addsource() {
	st=0
	# check if given sourceip is local and add as alias if not
	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
	then
	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
	    oops="`eval $it 2>&1`"
	    st=$?
	    if test " $oops" = " " -a " $st" != " 0"
	    then
		oops="silent error, exit status $st"
	    fi
	    case "$oops" in
		    'RTNETLINK answers: File exists'*)
		    # should not happen, but ... ignore if the
		    # address was already assigned on interface
		    oops=""
		    st=0
		    ;;
	    esac
	    if test " $oops" != " " -o " $st" != " 0"
	    then
		echo "$0: addsource \`$it' failed ($oops)" >&2
	    fi
	fi
	return $st
}

changesource() {
	# Change used route source to destination if there is previous
	# Route to same PLUTO_PEER_CLIENT. This is basically to fix
	# configuration errors where all conns to same destination don't
	#  have (left/right)sourceip set.
	st=0
	parms="$PLUTO_PEER_CLIENT dev ${PLUTO_INTERFACE%:*}"
	parms="$parms src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
	if [ -n "$IPROUTETABLE" ]
	then
	    parms="$parms table $IPROUTETABLE"
	fi
	it="ip route change $parms"
 	case "$PLUTO_PEER_CLIENT" in
 	"0.0.0.0/0")
		# opportunistic encryption work around
		it=
 		;;
 	esac
	oops="`eval $it 2>&1`"
 	st=$?
	if test " $oops" = " " -a " $st" != " 0"
 	then
	    oops="silent error, exit status $st"
	fi
	case "$oops" in
		'RTNETLINK answers: No such file or directory'*)
		# Will happen every time first tunnel is activated because
		# there is no previous route to PLUTO_PEER_CLIENT. So we
		# need to ignore this error.
		oops=""
		st=0
		;;
	esac
	if test " $oops" != " " -o " $st" != " 0"
	then
	    echo "$0: changesource \`$it' failed ($oops)" >&2
 	fi
 	return $st
}

dorule() {
	st=0
	it2=
	iprule="from $PLUTO_MY_CLIENT"
	iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
	case "$PLUTO_PEER_CLIENT" in
	"0.0.0.0/0")
		# opportunistic encryption work around
		st=0
		;;
	*)
		if [ -z "$PLUTO_MY_SOURCEIP" ]
		then
		    if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
		    then
			it="ip rule $1 iif lo $iprule2"
		    else
			it="ip rule $1 $iprule $iprule2"
		    fi
		else
		    if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
		    then
			it="ip rule $1 iif lo $iprule2"
		    else
			it="ip rule $1 $iprule $iprule2"
			it2="ip rule $1 iif lo $iprule2"
		    fi
		fi
		oops="`eval $it 2>&1`"
		st=$?
		if test " $oops" = " " -a " $st" != " 0"
		then
		    oops="silent error, exit status $st"
		fi
		case "$oops" in
		'RTNETLINK answers: No such process'*)
			# This is what ip rule gives
			# for "could not find such a rule"
			oops=
			st=0
			;;
		esac
		if test " $oops" != " " -o " $st" != " 0"
		then
		    echo "$0: dorule \`$it' failed ($oops)" >&2
		fi
		if test "$st" = "0" -a -n "$it2"
		then
		    oops="`eval $it2 2>&1`"
		    st=$?
		    if test " $oops" = " " -a " $st" != " 0"
		    then
			oops="silent error, exit status $st"
		    fi
		    case "$oops" in
		    'RTNETLINK answers: No such process'*)
			    # This is what ip rule gives
			    # for "could not find such a rule"
			    oops=
			    st=0
			    ;;
		    esac
		    if test " $oops" != " " -o " $st" != " 0"
		    then
			echo "$0: dorule \`$it2' failed ($oops)" >&2
		    fi
		fi
		;;
	    esac
	return $st
}


doroute() {
	st=0
	parms="$PLUTO_PEER_CLIENT"
	parms2=
	if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
	then
	   parms2="via $PLUTO_NEXT_HOP"
	fi
	parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
	parms3="$IPROUTEARGS"
	if [ -n "$IPROUTETABLE" ]
	then
	    parms3="$parms3 table $IPROUTETABLE"
	fi

	if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
	then
	    PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
        fi

	if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
	then
	    addsource
	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
	fi

	case "$PLUTO_PEER_CLIENT" in
	"0.0.0.0/0")
		# opportunistic encryption work around
		# need to provide route that eclipses default, without
		# replacing it.
		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
			ip route $1 128.0.0.0/1 $parms2 $parms3"
		;;
	*)	it="ip route $1 $parms $parms2 $parms3"
		;;
	esac
	oops="`eval $it 2>&1`"
	st=$?
	if test " $oops" = " " -a " $st" != " 0"
	then
	    oops="silent error, exit status $st"
	fi
	if test " $oops" != " " -o " $st" != " 0"
	then
	    echo "$0: doroute \`$it' failed ($oops)" >&2
	fi
	return $st
}


# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
	# delete possibly-existing route (preliminary to adding a route)
	case "$PLUTO_PEER_CLIENT" in
	"0.0.0.0/0")
		# need to provide route that eclipses default, without
		# replacing it.
		parms1="0.0.0.0/1"
		parms2="128.0.0.0/1"
		it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete
$parms2 $IPROUTEARGS 2>&1"
		oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete
$parms2 $IPROUTEARGS 2>&1`"
		;;
	*)
		parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
		if [ -n "$IPROUTETABLE" ]
		then
		    parms="$parms table $IPROUTETABLE"
		fi
		it="ip route delete $parms 2>&1"
		oops="`ip route delete $parms 2>&1`"
		;;
	esac
	status="$?"
	if test " $oops" = " " -a " $status" != " 0"
	then
		oops="silent error, exit status $status"
	fi
	case "$oops" in
	*'RTNETLINK answers: No such process'*)	
		# This is what route (currently -- not documented!) gives
		# for "could not find such a route".
		oops=
		status=0
		;;
	esac
	if test " $oops" != " " -o " $status" != " 0"
	then
		echo "$0: \`$it' failed ($oops)" >&2
	fi
	exit $status
	;;
route-host:*|route-client:*)
	# connection to me or my client subnet being routed
	uproute
	;;
unroute-host:*|unroute-client:*)
	# connection to me or my client subnet being unrouted
	downroute
	;;
up-host:*)
	# connection to me coming up
	uprule
	# If you are doing a custom version, firewall commands go here.
	;;
down-host:*)
	# connection to me going down
	downrule
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:)
	# connection to my client subnet coming up
	uprule
	# If you are doing a custom version, firewall commands go here.
	;;
down-client:)
	# connection to my client subnet going down
	downrule
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	uprule
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	;;
down-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, going down
	downrule
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
	;;
route-host-v6:*|route-client-v6:*)
	# connection to me or my client subnet being routed
	#uproute_v6
	;;
unroute-host-v6:*|unroute-client-v6:*)
	# connection to me or my client subnet being unrouted
	#downroute_v6
	;;
up-host-v6:*)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host-v6:*)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client-v6:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client-v6:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac
+ cat /usr/lib/ipsec/_updown_x509
#! /bin/sh
#
# customized updown script
#

# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice                   -/var/log/vpn
#
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
	S_MY_PORT="--sport $PLUTO_MY_PORT"
	D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi

# CAUTION:  Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.

LC_ALL=C export LC_ALL

# things that this script gets (from ipsec_pluto(8) man page)
#
#
#      PLUTO_VERSION
#              indicates  what  version of this interface is being
#              used.  This document describes version  1.1.   This
#              is upwardly compatible with version 1.0.
#
#       PLUTO_VERB
#              specifies the name of the operation to be performed
#              (prepare-host, prepare-client, up-host, up-client,
#              down-host, or down-client).  If the address family
#              for security gateway to security gateway communica­
#              tions is IPv6, then a suffix of -v6 is added to the
#              verb.
#
#       PLUTO_CONNECTION
#              is the name of the  connection  for  which  we  are
#              routing.
#
#       PLUTO_CONN_POLICY
#              the policy of the connection, as in:
#     RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
#       PLUTO_NEXT_HOP
#              is the next hop to which packets bound for the peer
#              must be sent.
#
#       PLUTO_INTERFACE
#              is the name of the ipsec interface to be used.
#
#       PLUTO_ME
#              is the IP address of our host.
#
#       PLUTO_MY_CLIENT
#              is the IP address / count of our client subnet.  If
#              the  client  is  just  the  host,  this will be the
#              host's own IP address / max (where max  is  32  for
#              IPv4 and 128 for IPv6).
#
#       PLUTO_MY_CLIENT_NET
#              is the IP address of our client net.  If the client
#              is just the host, this will be the  host's  own  IP
#              address.
#
#       PLUTO_MY_CLIENT_MASK
#              is  the  mask for our client net.  If the client is
#              just the host, this will be 255.255.255.255.
#
#       PLUTO_MY_SOURCEIP
#              if non-empty, then the source address for the route will be
#              set to this IP address.
#
#       PLUTO_MY_PROTOCOL
#              is the protocol  for this  connection.  Useful  for
#              firewalling.
#
#       PLUTO_MY_PORT
#              is the port. Useful for firewalling.
#
#       PLUTO_PEER
#              is the IP address of our peer.
#
#       PLUTO_PEER_CLIENT
#              is the IP address / count of the peer's client sub­
#              net.   If the client is just the peer, this will be
#              the peer's own IP address / max (where  max  is  32
#              for IPv4 and 128 for IPv6).
#
#       PLUTO_PEER_CLIENT_NET
#              is the IP address of the peer's client net.  If the
#              client is just the peer, this will  be  the  peer's
#              own IP address.
#
#       PLUTO_PEER_CLIENT_MASK
#              is  the  mask  for  the  peer's client net.  If the
#              client   is   just   the   peer,   this   will   be
#              255.255.255.255.
#
#       PLUTO_PEER_PROTOCOL
#              is  the  protocol  set  for  remote  end  with port
#              selector.
#
#       PLUTO_PEER_PORT
#              is the peer's port. Useful for firewalling.
#
#       PLUTO_CONNECTION_TYPE
#

# Import default _updown configs from the /etc/default/pluto_updown file
#
# Two variables can be set in this file:
#
#       DEFAULTSOURCE
#              is the default value for PLUTO_MY_SOURCEIP
#
#       IPROUTETABLE
#              is the default value for IPROUTETABLE
#
#       IPROUTEARGS
#              is the extra argument list for ip route command
#
#       IPRULEARGS
#              is the extra argument list for ip rule command
#
if [ -f /etc/default/pluto_updown ]
then
    . /etc/default/pluto_updown
fi

# check interface version
case "$PLUTO_VERSION" in
1.[0])	# Older Pluto?!?  Play it safe, script may be using new features.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: 	called by obsolete Pluto?" >&2
	exit 2
	;;
1.*)	;;
*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac

# check parameter(s)
case "$1:$*" in
':')			# no parameters
	;;
ipfwadm:ipfwadm)	# due to (left/right)firewall; for default script only
	;;
custom:*)		# custom parameters (see above CAUTION comment)
	;;
*)	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
	doroute add
	ip route flush cache
}

downroute() {
	doroute delete
	ip route flush cache
}

uprule() {
	# policy based advanced routing
	if [ -n "$IPROUTETABLE" ]
	then
	    dorule delete
	    dorule add
	fi
	# virtual sourceip support
	if [ -n "$PLUTO_MY_SOURCEIP" ]
	then
	    addsource
	    changesource
	fi
	ip route flush cache
}

downrule() {
	if [ -n "$IPROUTETABLE" ]
	then
	    dorule delete
	    ip route flush cache
	fi
}

addsource() {
	st=0
	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
	then
	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
	    oops="`eval $it 2>&1`"
	    st=$?
	    if test " $oops" = " " -a " $st" != " 0"
	    then
		oops="silent error, exit status $st"
	    fi
	    if test " $oops" != " " -o " $st" != " 0"
	    then
		echo "$0: addsource \`$it' failed ($oops)" >&2
	    fi
	fi
	return $st
}

changesource() {
	st=0
	parms="$PLUTO_PEER_CLIENT"
	parms2="dev ${PLUTO_INTERFACE%:*}"
	parms3="src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
	if [ -n "$IPROUTETABLE" ]
	then
	    parms3="$parms3 table '$IPROUTETABLE'"
	fi
 	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
 	"0.0.0.0/0.0.0.0")
		# opportunistic encryption work around
		it=
 		;;
 	esac
	oops="`eval $it 2>&1`"
 	st=$?
	if test " $oops" = " " -a " $st" != " 0"
 	then
	    oops="silent error, exit status $st"
	fi
	if test " $oops" != " " -o " $st" != " 0"
	then
	    echo "$0: changesource \`$it' failed ($oops)" >&2
 	fi
 	return $st
}

dorule() {
	st=0
	it2=
	iprule="from $PLUTO_MY_CLIENT"
	iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# opportunistic encryption work around
		st=0
		;;
	*)
		if [ -z "$PLUTO_MY_SOURCEIP" ]
		then
		    if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
		    then
			it="ip rule $1 iif lo $iprule2"
		    else
			it="ip rule $1 $iprule $iprule2"
		    fi
		else
		    if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
		    then
			it="ip rule $1 iif lo $iprule2"
		    else
			it="ip rule $1 $iprule $iprule2"
			it2="ip rule $1 iif lo $iprule2"
		    fi
		fi
		oops="`eval $it 2>&1`"
		st=$?
		if test " $oops" = " " -a " $st" != " 0"
		then
		    oops="silent error, exit status $st"
		fi
		case "$oops" in
		'RTNETLINK answers: No such process'*)
			# This is what ip rule gives
			# for "could not find such a rule"
			oops=
			st=0
			;;
		esac
		if test " $oops" != " " -o " $st" != " 0"
		then
		    echo "$0: dorule \`$it' failed ($oops)" >&2
		fi
		if test "$st" = "0" -a -n "$it2"
		then
		    oops="`eval $it2 2>&1`"
		    st=$?
		    if test " $oops" = " " -a " $st" != " 0"
		    then
			oops="silent error, exit status $st"
		    fi
		    case "$oops" in
		    'RTNETLINK answers: No such process'*)
			    # This is what ip rule gives
			    # for "could not find such a rule"
			    oops=
			    st=0
			    ;;
		    esac
		    if test " $oops" != " " -o " $st" != " 0"
		    then
			echo "$0: dorule \`$it2' failed ($oops)" >&2
		    fi
		fi
		;;
	    esac
	return $st
}


doroute() {
	st=0
	parms="$PLUTO_PEER_CLIENT"
	parms2=
	if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
	then
	   parms2="via $PLUTO_NEXT_HOP"
	fi
	parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
	parms3="$IPROUTEARGS"
	if [ -n "$IPROUTETABLE" ]
	then
	    parms3="$parms3 table $IPROUTETABLE"
	fi

	if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
	then
	    PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
        fi

	if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
	then
	    addsource
	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
	fi

	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# opportunistic encryption work around
		# need to provide route that eclipses default, without
		# replacing it.
		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
			ip route $1 128.0.0.0/1 $parms2 $parms3"
		;;
	*)	it="ip route $1 $parms $parms2 $parms3"
		;;
	esac
	oops="`eval $it 2>&1`"
	st=$?
	if test " $oops" = " " -a " $st" != " 0"
	then
	    oops="silent error, exit status $st"
	fi
	if test " $oops" != " " -o " $st" != " 0"
	then
	    echo "$0: doroute \`$it' failed ($oops)" >&2
	fi
	return $st
}


# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
	# delete possibly-existing route (preliminary to adding a route)
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# need to provide route that eclipses default, without
		# replacing it.
		parms1="0.0.0.0/1"
		parms2="128.0.0.0/1"
		it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete
$parms2 $IPROUTEARGS 2>&1"
		oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete
$parms2 $IPROUTEARGS 2>&1`"
		;;
	*)
		parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
		if [ -n "$IPROUTETABLE" ]
		then
		    parms="$parms table $IPROUTETABLE"
		fi
		it="ip route delete $parms 2>&1"
		oops="`ip route delete $parms 2>&1`"
		;;
	esac
	status="$?"
	if test " $oops" = " " -a " $status" != " 0"
	then
		oops="silent error, exit status $status"
	fi
	case "$oops" in
	*'RTNETLINK answers: No such process'*)	
		# This is what route (currently -- not documented!) gives
		# for "could not find such a route".
		oops=
		status=0
		;;
	esac
	if test " $oops" != " " -o " $status" != " 0"
	then
		echo "$0: \`$it' failed ($oops)" >&2
	fi
	exit $status
	;;
route-host:*|route-client:*)
	# connection to me or my client subnet being routed
	uproute
	;;
unroute-host:*|unroute-client:*)
	# connection to me or my client subnet being unrouted
	downroute
	;;
up-host:*)
	# connection to me coming up
	uprule
	# If you are doing a custom version, firewall commands go here.
	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_ME $S_MY_PORT \
	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
	#
	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
	then
	  logger -t $TAG -p $FAC_PRIO \
	    "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
	else
	  logger -t $TAG -p $FAC_PRIO \
	    "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	fi
	;;
down-host:*)
	# connection to me going down
	downrule
	# If you are doing a custom version, firewall commands go here.
	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_ME $S_MY_PORT \
	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
	#
	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
	then
	  logger -t $TAG -p $FAC_PRIO -- \
	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
	else
	  logger -t $TAG -p $FAC_PRIO -- \
	  "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	fi
	;;
up-client:)
	# connection to my client subnet coming up
	uprule
	# If you are doing a custom version, firewall commands go here.
	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
	    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
	#
	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
	then
	  logger -t $TAG -p $FAC_PRIO \
	    "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	else
	  logger -t $TAG -p $FAC_PRIO \
	    "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER --
$PLUTO_ME == $PLUTO_MY_CLIENT"
	fi
	;;
down-client:)
	# connection to my client subnet going down
	downrule
	# If you are doing a custom version, firewall commands go here.
	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
	    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
	#
	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
	then
	  logger -t $TAG -p $FAC_PRIO -- \
	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	else
	  logger -t $TAG -p $FAC_PRIO -- \
	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER --
$PLUTO_ME == $PLUTO_MY_CLIENT"
	fi
	;;
up-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	uprule
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	;;
down-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, going down
	downrule
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
	;;
route-host-v6:*|route-client-v6:*)
	# connection to me or my client subnet being routed
	#uproute_v6
	;;
unroute-host-v6:*|unroute-client-v6:*)
	# connection to me or my client subnet being unrouted
	#downroute_v6
	;;
up-host-v6:*)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host-v6:*)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client-v6:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client-v6:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed
multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    6729      60    0    0    0     0          0         0
6729      60    0    0    0     0       0          0
  eth0:15367386  113210    0    0    0     0          0         0
4206684   15884    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0
  0       0    0    0    0     0       0          0
  sit0:       0       0    0    0    0     0          0         0
  0       0    0    0    0     0       0          0
ipsec0:       0       0    0    0    0     0          0         0
473376    3132    0   16    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0
  0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0
  0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0
  0       0    0    0    0     0       0          0
  ppp0:   48265     208    0    0    0     0          0         0
34036     159    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface	Destination	Gateway
	Flags	RefCnt	Use	Metric	Mask		MTU	Window	IRTT
ppp0	FE977BC8	00000000	0005	0	0	0	FFFFFFFF	0	0	0
ipsec0	FE977BC8	00000000	0005	0	0	0	FFFFFFFF	0	0	0
eth0	0003A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0
ipsec0	0001A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0
eth1	0001FA0A	00000000	0001	0	0	0	00FFFFFF	0	0	0
ppp0	00000000	FE977BC8	0003	0	0	0	00000000	0	0	0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
eth1/rp_filter ipsec0/rp_filter lo/rp_filter ppp0/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
ipsec0/rp_filter:1
lo/rp_filter:1
ppp0/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
eth1/rp_filter ipsec0/rp_filter lo/rp_filter ppp0/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
ipsec0/rp_filter:1
lo/rp_filter:1
ppp0/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/accept_redirects all/secure_redirects
all/send_redirects default/accept_redirects default/secure_redirects
default/send_redirects eth0/accept_redirects eth0/secure_redirects
eth0/send_redirects eth1/accept_redirects eth1/secure_redirects
eth1/send_redirects ipsec0/accept_redirects ipsec0/secure_redirects
ipsec0/send_redirects lo/accept_redirects lo/secure_redirects
lo/send_redirects ppp0/accept_redirects ppp0/secure_redirects
ppp0/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:1
default/accept_redirects:1
default/secure_redirects:1
default/send_redirects:1
eth0/accept_redirects:1
eth0/secure_redirects:1
eth0/send_redirects:1
eth1/accept_redirects:1
eth1/secure_redirects:1
eth1/send_redirects:1
ipsec0/accept_redirects:1
ipsec0/secure_redirects:1
ipsec0/send_redirects:1
lo/accept_redirects:1
lo/secure_redirects:1
lo/send_redirects:1
ppp0/accept_redirects:1
ppp0/secure_redirects:1
ppp0/send_redirects:1
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+ uname -a
Linux gwa 2.6.16-1-686 #2 Fri May 5 04:56:53 UTC 2006 i686 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ distro-release
+ test -f /etc/redhat-release
+ test -f /etc/debian-release
+ test -f /etc/SuSE-release
+ test -f /etc/mandrake-release
+ test -f /etc/mandriva-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.4.5
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ ipfwadm -F -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -I -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -O -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -M -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ ipchains -L -v -n
ipchains: Incompatible with this kernel
+ _________________________
+ ipchains -M -L -v -n
ipchains: cannot open file `/proc/net/ip_masquerade'
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 15975 packets, 3424K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 8179 packets, 1381K bytes)
 pkts bytes target     prot opt in     out     source
destination
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 23904 packets, 4626K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain POSTROUTING (policy ACCEPT 36 packets, 3712 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 MASQUERADE  all  --  *      ppp0    10.250.1.0/24
!192.168.1.0/24

Chain OUTPUT (policy ACCEPT 36 packets, 3712 bytes)
 pkts bytes target     prot opt in     out     source
destination
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 37360 packets, 7260K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain INPUT (policy ACCEPT 15975 packets, 3424K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 8179 packets, 1381K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain POSTROUTING (policy ACCEPT 8179 packets, 1381K bytes)
 pkts bytes target     prot opt in     out     source
destination
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
iptable_mangle 2816 0 - Live 0xbfae8000
iptable_filter 2944 0 - Live 0xbf996000
ipt_MASQUERADE 3392 1 - Live 0xbfacc000
iptable_nat 8132 1 - Live 0xbfb00000
ip_nat 17004 2 ipt_MASQUERADE,iptable_nat, Live 0xbfb07000
ip_conntrack 51532 3 ipt_MASQUERADE,iptable_nat,ip_nat, Live 0xbfb17000
nfnetlink 6328 2 ip_nat,ip_conntrack, Live 0xbfaf9000
ip_tables 11928 3 iptable_mangle,iptable_filter,iptable_nat, Live 0xbfae4000
x_tables 11908 3 ipt_MASQUERADE,iptable_nat,ip_tables, Live 0xbfaac000
ipsec 323020 1 - Live 0xbfbbf000
ppp_deflate 5920 0 - Live 0xbfb04000
bsd_comp 5696 0 - Live 0xbfaf6000
ppp_async 10336 1 - Live 0xbfaea000
crc_ccitt 2112 1 ppp_async, Live 0xbface000
ppp_generic 26644 7 ppp_deflate,bsd_comp,ppp_async, Live 0xbfaee000
slhc 6528 1 ppp_generic, Live 0xbfad0000
mousedev 11328 0 - Live 0xbf9bd000
tsdev 7520 0 - Live 0xbfab3000
ipv6 229824 20 - Live 0xbfb28000
ipcomp 7496 0 - Live 0xbfab0000
esp4 7520 0 - Live 0xbf9df000
ah4 6272 0 - Live 0xbf9c8000
deflate 3936 0 - Live 0xbf8e9000
zlib_deflate 19224 2 ppp_deflate,deflate, Live 0xbfac6000
twofish 37440 0 - Live 0xbfad4000
serpent 18048 0 - Live 0xbfac0000
aes 31296 0 - Live 0xbfab7000
blowfish 8160 0 - Live 0xbf9c5000
des 15520 0 - Live 0xbf9cb000
sha256 9152 0 - Live 0xbf9c1000
sha1 2432 0 - Live 0xbf8eb000
crypto_null 2528 0 - Live 0xbf8a4000
dm_mod 53144 0 - Live 0xbfa20000
evdev 9408 0 - Live 0xbf977000
psmouse 36200 0 - Live 0xbfa16000
serio_raw 6820 0 - Live 0xbf8f6000
3c59x 41640 0 - Live 0xbfa0a000
parport_pc 32996 0 - Live 0xbfa00000
parport 33672 1 parport_pc, Live 0xbf99d000
floppy 56804 0 - Live 0xbf9d0000
pcspkr 3140 0 - Live 0xbf8de000
rtc 11828 0 - Live 0xbf973000
snd_hda_intel 16944 0 - Live 0xbf990000
snd_hda_codec 116576 1 snd_hda_intel, Live 0xbf9e2000
snd_pcm 79112 2 snd_hda_intel,snd_hda_codec, Live 0xbf9a8000
snd_timer 22116 1 snd_pcm, Live 0xbf97b000
snd 49092 4 snd_hda_intel,snd_hda_codec,snd_pcm,snd_timer, Live 0xbf983000
soundcore 9216 1 snd, Live 0xbf8f2000
snd_page_alloc 10440 2 snd_hda_intel,snd_pcm, Live 0xbf8ee000
uhci_hcd 29744 0 - Live 0xbf96a000
ehci_hcd 28968 0 - Live 0xbf961000
via_rhine 21956 0 - Live 0xbf8bf000
shpchp 42816 0 - Live 0xbf955000
pci_hotplug 26356 1 shpchp, Live 0xbf94d000
ide_cd 39076 0 - Live 0xbf942000
cdrom 36352 1 ide_cd, Live 0xbf938000
mii 5344 2 3c59x,via_rhine, Live 0xbf8bc000
via_agp 9632 1 - Live 0xbf8b5000
agpgart 33072 1 via_agp, Live 0xbf8d4000
usbcore 119364 3 uhci_hcd,ehci_hcd, Live 0xbf919000
ext3 125800 5 - Live 0xbf8f9000
jbd 50676 1 ext3, Live 0xbf8c6000
mbcache 8164 1 ext3, Live 0xbf897000
ide_disk 15584 7 - Live 0xbf8b0000
ide_generic 1408 0 [permanent], Live 0xbf8a2000
via82cxxx 8900 0 [permanent], Live 0xbf8a6000
trm290 4260 0 [permanent], Live 0xbf89f000
triflex 3872 0 [permanent], Live 0xbf89d000
slc90e66 5568 0 [permanent], Live 0xbf89a000
sis5513 14792 0 [permanent], Live 0xbf882000
siimage 11264 0 [permanent], Live 0xbf893000
serverworks 8680 0 [permanent], Live 0xbf88f000
sc1200 7072 0 [permanent], Live 0xbf834000
rz1000 2784 0 [permanent], Live 0xbf83d000
piix 9956 0 [permanent], Live 0xbf88b000
pdc202xx_old 10336 0 [permanent], Live 0xbf887000
opti621 4324 0 [permanent], Live 0xbf874000
ns87415 4296 0 [permanent], Live 0xbf871000
it821x 8228 0 [permanent], Live 0xbf87e000
hpt366 17696 0 [permanent], Live 0xbf878000
hpt34x 5056 0 [permanent], Live 0xbf84f000
generic 4612 0 [permanent], Live 0xbf84c000
cy82c693 4612 0 [permanent], Live 0xbf849000
cs5535 6368 0 [permanent], Live 0xbf846000
cs5530 5184 0 [permanent], Live 0xbf843000
cs5520 4704 0 [permanent], Live 0xbf83a000
cmd64x 10908 0 [permanent], Live 0xbf83f000
atiixp 5744 0 [permanent], Live 0xbf837000
amd74xx 13660 0 [permanent], Live 0xbf81d000
alim15x3 11276 0 [permanent], Live 0xbf80d000
aec62xx 7136 0 [permanent], Live 0xbf81a000
pdc202xx_new 8160 0 [permanent], Live 0xbf811000
ide_core 116788 30
ide_cd,ide_disk,ide_generic,via82cxxx,trm290,triflex,slc90e66,sis5513,siimage,serverworks,sc1200,rz1000,piix,pdc202xx_old,opti621,ns87415,it821x,hpt366,hpt34x,generic,cy82c693,cs5535,cs5530,cs5520,cmd64x,atiixp,amd74xx,alim15x3,aec62xx,pdc202xx_new,
Live 0xbf853000
raid1 20160 6 - Live 0xbf814000
md_mod 68788 7 raid1, Live 0xbf822000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal:       240616 kB
MemFree:         11592 kB
Buffers:         66708 kB
Cached:          99500 kB
SwapCached:          0 kB
Active:          91868 kB
Inactive:        85820 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       240616 kB
LowFree:         11592 kB
SwapTotal:      979832 kB
SwapFree:       979724 kB
Dirty:              76 kB
Writeback:           0 kB
Mapped:          18948 kB
Slab:            46684 kB
CommitLimit:   1100140 kB
Committed_AS:    53004 kB
PageTables:        504 kB
VmallocTotal:  1048568 kB
VmallocUsed:      3676 kB
VmallocChunk:  1044412 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug
/proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg
/proc/net/ipsec_version
lrwxrwxrwx  1 root root 16 May 13 10:27 /proc/net/ipsec_eroute ->
ipsec/eroute/all
lrwxrwxrwx  1 root root 16 May 13 10:27 /proc/net/ipsec_klipsdebug ->
ipsec/klipsdebug
lrwxrwxrwx  1 root root 13 May 13 10:27 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx  1 root root 16 May 13 10:27 /proc/net/ipsec_spigrp ->
ipsec/spigrp/all
lrwxrwxrwx  1 root root 11 May 13 10:27 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx  1 root root 13 May 13 10:27 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.16-1-686/build/.config
++ uname -r
+ cat /lib/modules/2.6.16-1-686/build/.config
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV'
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
CONFIG_IP_ROUTE_MULTIPATH_RR=m
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_DRR=m
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_TUNNEL=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=m
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NETBIOS_NS=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_POLICY=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_POLICY=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_DCCP=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_DCCP_CCID3=m
CONFIG_IP_DCCP_TFRC_LIB=m
# CONFIG_IP_DCCP_DEBUG is not set
# CONFIG_IP_DCCP_UNLOAD_HACK is not set
CONFIG_IP_SCTP=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPW2100=m
CONFIG_IPW2100_MONITOR=y
# CONFIG_IPW2100_DEBUG is not set
CONFIG_IPW2200=m
# CONFIG_IPW2200_DEBUG is not set
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_HW_RANDOM=m
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=y
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
#  /etc/syslog.conf	Configuration file for syslogd.
#
#			For more information see syslog.conf(5)
#			manpage.

#
# First some standard logfiles.  Log by facility.
#

auth,authpriv.*			/var/log/auth.log
*.*;auth,authpriv.none		-/var/log/syslog
#cron.*				/var/log/cron.log
daemon.*			-/var/log/daemon.log
kern.*				-/var/log/kern.log
lpr.*				-/var/log/lpr.log
mail.*				-/var/log/mail.log
user.*				-/var/log/user.log
uucp.*				/var/log/uucp.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info			-/var/log/mail.info
mail.warn			-/var/log/mail.warn
mail.err			/var/log/mail.err

# Logging for INN news system
#
news.crit			/var/log/news/news.crit
news.err			/var/log/news/news.err
news.notice			-/var/log/news/news.notice

#
# Some `catch-all' logfiles.
#
*.=debug;\
	auth,authpriv.none;\
	news.none;mail.none	-/var/log/debug
*.=info;*.=notice;*.=warn;\
	auth,authpriv.none;\
	cron,daemon.none;\
	mail,news.none		-/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg				*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#	news.=crit;news.=err;news.=notice;\
#	*.=debug;*.=info;\
#	*.=notice;*.=warn	/dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
	news.crit;news.err;news.notice;\
	*.=debug;*.=info;\
	*.=notice;*.=warn	|/dev/xconsole

+ _________________________ etc/syslog-ng/syslog-ng.conf
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
# resolv.conf created by pppconfig for internet

nameserver 200.69.193.1

nameserver 200.69.193.2
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x  5 root root 4096 May  5 09:48 2.6.8-2-686
drwxr-xr-x  3 root root 4096 May  6 09:56 2.6.16-1-686
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
b02175a7 T netif_rx
b0217705 T netif_rx_ni
b02175a7 U netif_rx	[ipsec]
b02175a7 U netif_rx	[ppp_generic]
b02175a7 U netif_rx	[ipv6]
b02175a7 U netif_rx	[3c59x]
b02175a7 U netif_rx	[via_rhine]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.16-1-686:
2.6.8-2-686:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '113,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ cat
May 13 10:25:53 gwa ipsec_setup: Starting Openswan IPsec 2.4.5...
May 13 10:25:54 gwa ipsec__plutorun: 104 "tunnelAB" #1: STATE_MAIN_I1: initiate
May 13 10:25:54 gwa ipsec__plutorun: ...could not start conn "tunnelAB"
+ _________________________ plog
+ sed -n '1121,$p' /var/log/auth.log
+ egrep -i pluto
+ cat
May 13 10:25:53 gwa ipsec__plutorun: Starting Pluto subsystem...
May 13 10:25:53 gwa pluto[10572]: Starting Pluto (Openswan Version
2.4.5 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR;
Vendor ID OEGfuJ[Ye{Ah)
May 13 10:25:53 gwa pluto[10572]: Setting NAT-Traversal port-4500
floating to off
May 13 10:25:53 gwa pluto[10572]:    port floating activation criteria
nat_t=0/port_fload=1
May 13 10:25:53 gwa pluto[10572]:   including NAT-Traversal patch
(Version 0.6c) [disabled]
May 13 10:25:53 gwa pluto[10572]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
May 13 10:25:53 gwa pluto[10572]: starting up 1 cryptographic helpers
May 13 10:25:53 gwa pluto[10572]: started helper pid=10583 (fd:6)
May 13 10:25:53 gwa pluto[10572]: Using KLIPS IPsec interface code on
2.6.16-1-686
May 13 10:25:53 gwa pluto[10572]: Changing to directory '/etc/ipsec.d/cacerts'
May 13 10:25:53 gwa pluto[10572]: Changing to directory '/etc/ipsec.d/aacerts'
May 13 10:25:53 gwa pluto[10572]: Changing to directory '/etc/ipsec.d/ocspcerts'
May 13 10:25:53 gwa pluto[10572]: Changing to directory '/etc/ipsec.d/crls'
May 13 10:25:53 gwa pluto[10572]:   Warning: empty directory
May 13 10:25:53 gwa pluto[10572]: added connection description "tunnelAB"
May 13 10:25:53 gwa pluto[10572]: listening for IKE messages
May 13 10:25:53 gwa pluto[10572]: adding interface ipsec0/ppp0
200.68.111.227:500
May 13 10:25:53 gwa pluto[10572]: loading secrets from "/etc/ipsec.secrets"
May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: initiating Main Mode
May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: STATE_MAIN_I2: sent
MI2, expecting MR2
May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: I did not send a
certificate because I do not have one.
May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #1: Main mode peer ID is
ID_IPV4_ADDR: '200.XXX.XXX.XXX'
May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #1: STATE_MAIN_I4: ISAKMP
SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1536}
May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #2: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #2: STATE_QUICK_I2: sent
QI2, IPsec SA established {ESP=>0xf7a99043 <0x1d4652fb
xfrm=AES_256-HMAC_MD5 NATD=none DPD=none}
May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: received Delete SA
payload: replace IPSEC State #2 in 10 seconds
May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: received and ignored
informational message
May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xf7a99042) not found (maybe expired)
May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: received and ignored
informational message
May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: received Delete SA
payload: deleting ISAKMP State #1
May 13 10:25:59 gwa pluto[10572]: packet from 200.XXX.XXX.XXX:500:
received and ignored informational message
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: responding to Main Mode
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: STATE_MAIN_R1: sent
MR1, expecting MI2
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: STATE_MAIN_R2: sent
MR2, expecting MI3
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: Main mode peer ID is
ID_IPV4_ADDR: '200.XXX.XXX.XXX'
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: I did not send a
certificate because I do not have one.
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: responding to Quick
Mode {msgid:305a0c30}
May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2
May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: STATE_QUICK_R2: IPsec
SA established {ESP=>0xf7a99044 <0x1d4652fc xfrm=AES_256-HMAC_MD5
NATD=none DPD=none}
+ _________________________ date
+ date
Sat May 13 10:27:03 ART 2006

Regards,
Mariano

-- 
"El incremento de la satisfacción profesional y de la unidad familiar
son fatales para un proveedor de sustancias entumecedoras del cerebro."
Moe, 1991.


More information about the Users mailing list