[Openswan Users]
IPsec SA established but traffic doesn't get back to origin
Mariano Aliaga
marianoaliaga at gmail.com
Sat May 13 11:55:55 CEST 2006
Hi,
I've been trying for a long time to debug this problem and now I don't
know what else I can try. I'd be glad if someone could help.
My setup is as follows:
HostA -------- GwA ===WWW=== GwB ------- HostB
I'm running Debian Sarge on both gateways, and my software versions are:
- GwA: linux-image-2.6.16-1-6 (sarge-backports), openswan
2.4.5-3 (unstable), openswan-modules-source 2.4.5-3 (unstable)
- GwB: kernel-image-2.4.27-2-386, openswan 2.2.0-8,
openswan-modules-source 2.2.0-8
My problem is the following: I can perfectly set up an IPsec tunnel
between both gateways (I get IPsec SA established, ipsec0 interfaces
are set up, eroutes are added, etc.).
If I ping from HostA to HostB the packet goes through the tunnel,
HostB replies, the reply goes through GwB and I can see the ESP
packets on the ppp0 interface on GwA, BUT it doesn't pass to ipsec0... it
just dies there.
I have several tunnels on GwB working perfectly, and all of them
are using the same versions as GwB.
The output of ipsec barf on GwA is the following:
gwa
Sat May 13 10:27:02 ART 2006
+ _________________________ version
+ ipsec --version
Linux Openswan 2.4.5 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.16-1-686 (Debian 2.6.16-11bpo1)
(nobse at backports.org) (gcc version 3.3.5 (Debian 1:3.3.5-13)) #2 Fri
May 5 04:56:53 UTC 2006
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
0 10.250.1.0/24 -> 192.168.1.0/24 => tun0x1004 at 200.XXX.XXX.XXX
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
200.123.151.254 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
200.123.151.254 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec0
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
10.250.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 200.123.151.254 0.0.0.0 UG 0 0 0 ppp0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
tun0x1004 at 200.XXX.XXX.XXX IPIP: dir=out src=200.68.111.227
life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1407
tun0x1003 at 200.68.111.227 IPIP: dir=in src=200.XXX.XXX.XXX
policy=192.168.1.0/24->10.250.1.0/24 flags=0x8<>
life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1402
esp0x1d4652fc at 200.68.111.227 ESP_AES_HMAC_MD5: dir=in
src=200.XXX.XXX.XXX iv_bits=128bits
iv=0x00a46605027e05e59f2263eeca7d8b22 ooowin=64 alen=128 aklen=128
eklen=256 life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1403
esp0xf7a99044 at 200.XXX.XXX.XXX ESP_AES_HMAC_MD5: dir=out
src=200.68.111.227 iv_bits=128bits
iv=0x0f99e1381cd545fe34b85023bbbbee4d ooowin=64 alen=128 aklen=128
eklen=256 life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1408
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1004 at 200.XXX.XXX.XXX esp0xf7a99044 at 200.XXX.XXX.XXX
tun0x1003 at 200.68.111.227 esp0x1d4652fc at 200.68.111.227
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260(1440) -> 1440
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink
debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose
debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/ppp0 200.68.111.227
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36}
trans={0,2,72} attrs={0,2,48}
000
000 "tunnelAB":
10.250.1.0/24===200.68.111.227...200.XXX.XXX.XXX===192.168.1.0/24;
erouted; eroute owner: #4
000 "tunnelAB": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "tunnelAB": ike_life: 14400s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "tunnelAB": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: ppp0;
000 "tunnelAB": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "tunnelAB": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "tunnelAB": ESP algorithms wanted: 12_000-1, 12_000-2, flags=strict
000 "tunnelAB": ESP algorithms loaded: 12_000-1, 12_000-2, flags=strict
000 "tunnelAB": ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=<N/A>
000
000 #4: "tunnelAB":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3272s; newest IPSEC; eroute owner
000 #4: "tunnelAB" esp.f7a99044 at 200.XXX.XXX.XXX
esp.1d4652fc at 200.68.111.227 tun.1004 at 200.XXX.XXX.XXX
tun.1003 at 200.68.111.227
000 #3: "tunnelAB":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 14071s; newest ISAKMP; nodpd
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:15:F2:E5:77:3E
inet addr:192.168.3.233 Bcast:192.168.3.255 Mask:255.255.255.0
inet6 addr: fe80::215:f2ff:fee5:773e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:113210 errors:0 dropped:0 overruns:0 frame:0
TX packets:15884 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15367386 (14.6 MiB) TX bytes:4206684 (4.0 MiB)
Interrupt:185 Base address:0xd400
eth1 Link encap:Ethernet HWaddr 00:60:08:CC:DD:36
inet addr:10.250.1.110 Bcast:10.250.1.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:153 Base address:0xcc00
ipsec0 Link encap:Point-to-Point Protocol
inet addr:200.68.111.227 Mask:255.255.255.255
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:3132 errors:0 dropped:16 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:473376 (462.2 KiB)
ipsec1 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:60 errors:0 dropped:0 overruns:0 frame:0
TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6729 (6.5 KiB) TX bytes:6729 (6.5 KiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:200.68.111.227 P-t-P:200.123.151.254 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1440 Metric:1
RX packets:208 errors:0 dropped:0 overruns:0 frame:0
TX packets:159 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:48265 (47.1 KiB) TX bytes:34036 (33.2 KiB)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:15:f2:e5:77:3e brd ff:ff:ff:ff:ff:ff
inet 192.168.3.233/24 brd 192.168.3.255 scope global eth0
inet6 fe80::215:f2ff:fee5:773e/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:60:08:cc:dd:36 brd ff:ff:ff:ff:ff:ff
inet 10.250.1.110/24 brd 10.250.1.255 scope global eth1
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
6: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ppp
inet 200.68.111.227 peer 200.123.151.254/32 scope global ipsec0
7: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/void
8: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/void
9: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/void
13: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1440 qdisc pfifo_fast qlen 3
link/ppp
inet 200.68.111.227 peer 200.123.151.254/32 scope global ppp0
+ _________________________ ip-route-list
+ ip route list
200.123.151.254 dev ppp0 proto kernel scope link src 200.68.111.227
200.123.151.254 dev ipsec0 proto kernel scope link src 200.68.111.227
192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.233
192.168.1.0/24 dev ipsec0 scope link
10.250.1.0/24 dev eth1 proto kernel scope link src 10.250.1.110
default via 200.123.151.254 dev ppp0
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.4.5 (klips)
Checking for IPsec support in kernel [OK]
KLIPS detected, checking for NAT Traversal support [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking tun0x1004 at 200.XXX.XXX.XXX from 10.250.1.0/24 to 192.168.1.0/24 [FAILED]
MASQUERADE from 10.250.1.0/24 to 0.0.0.0/0 kills tunnel
10.250.1.0/24 -> 192.168.1.0/24
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:20, model 32 rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: no link
product info: National DP83840A rev 1
basic mode: autonegotiation enabled
basic status: no link
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
gwa.xxxxxxx.xxx
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.250.1.110
+ _________________________ uptime
+ uptime
10:27:03 up 1 day, 19:38, 3 users, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 10660 9655 16 0 2828 1360 - R+ pts/2 0:00
\_ /bin/sh /usr/lib/ipsec/barf
1 0 10570 1 25 0 2412 448 wait S pts/2 0:00
/bin/bash /usr/lib/ipsec/_plutorun --debug none --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal --keep_alive
--protostack auto --force_keepalive --disable_port_floating
--virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump
--opts --stderrlog --wait no --pre --post --log daemon.error --pid
/var/run/pluto/pluto.pid
1 0 10571 10570 25 0 2412 608 wait S pts/2 0:00 \_
/bin/bash /usr/lib/ipsec/_plutorun --debug none --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal --keep_alive
--protostack auto --force_keepalive --disable_port_floating
--virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump
--opts --stderrlog --wait no --pre --post --log daemon.error --pid
/var/run/pluto/pluto.pid
4 0 10572 10571 15 0 7072 2492 - S pts/2 0:00 |
\_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets
--ipsecdir /etc/ipsec.d --debug-none --use-auto --uniqueids
1 0 10583 10572 25 10 6936 872 - SN pts/2 0:00 |
\_ pluto helper # 0 -nofork
0 0 10584 10572 25 0 1532 292 - S pts/2 0:00 |
\_ _pluto_adns
0 0 10573 10570 16 0 2380 1116 pipe_w S pts/2 0:00 \_
/bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0 0 10575 1 25 0 1584 504 pipe_w S pts/2 0:00
logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=ppp0
routevirt=ipsec0
routeaddr=200.68.111.227
routenexthop=200.123.151.254
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
conn %default
        keyingtries=0
conn tunnelAB
        authby=secret
        left=200.XXX.XXX.XXX
        leftsubnet=192.168.1.0/24
        right=%defaultroute
        rightsubnet=10.250.1.0/24
        ikelifetime=240m
        keylife=60m
        pfs=no
        esp=aes
        compress=no
        auto=start
#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
#> /etc/ipsec.conf 36
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
200.XXX.XXX.XXX gwa.xxxxx.xxx: PSK "[sums to ccda...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 1384
-rwxr-xr-x 1 root root 15859 Apr 23 19:54 _confread
-rwxr-xr-x 1 root root 4428 Apr 23 19:54 _copyright
-rwxr-xr-x 1 root root 2379 Apr 23 19:54 _include
-rwxr-xr-x 1 root root 1475 Apr 23 19:54 _keycensor
-rwxr-xr-x 1 root root 7980 Apr 23 19:54 _pluto_adns
-rwxr-xr-x 1 root root 3586 Apr 23 19:54 _plutoload
-rwxr-xr-x 1 root root 7059 Apr 23 19:54 _plutorun
-rwxr-xr-x 1 root root 12275 Apr 23 19:54 _realsetup
-rwxr-xr-x 1 root root 1975 Apr 23 19:54 _secretcensor
-rwxr-xr-x 1 root root 9952 Apr 23 19:54 _startklips
-rwxr-xr-x 1 root root 13912 Apr 23 19:54 _updown
-rwxr-xr-x 1 root root 15740 Apr 23 19:54 _updown_x509
-rwxr-xr-x 1 root root 18891 Apr 23 19:54 auto
-rwxr-xr-x 1 root root 11331 Apr 23 19:54 barf
-rwxr-xr-x 1 root root 816 Apr 23 19:54 calcgoo
-rwxr-xr-x 1 root root 77348 Apr 23 19:54 eroute
-rwxr-xr-x 1 root root 17108 Apr 23 19:54 ikeping
-rwxr-xr-x 1 root root 1942 Apr 23 19:54 ipsec_pr.template
-rwxr-xr-x 1 root root 60992 Apr 23 19:54 klipsdebug
-rwxr-xr-x 1 root root 1836 Apr 23 19:54 livetest
-rwxr-xr-x 1 root root 2605 Apr 23 19:54 look
-rwxr-xr-x 1 root root 7147 Apr 23 19:54 mailkey
-rwxr-xr-x 1 root root 16015 Apr 23 19:54 manual
-rwxr-xr-x 1 root root 1926 Apr 23 19:54 newhostkey
-rwxr-xr-x 1 root root 52160 Apr 23 19:54 pf_key
-rwxr-xr-x 1 root root 659000 Apr 23 19:54 pluto
-rwxr-xr-x 1 root root 6460 Apr 23 19:54 ranbits
-rwxr-xr-x 1 root root 18588 Apr 23 19:54 rsasigkey
-rwxr-xr-x 1 root root 766 Apr 23 19:54 secrets
-rwxr-xr-x 1 root root 17624 Apr 23 19:54 send-pr
lrwxrwxrwx 1 root root 17 May 9 15:50 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Apr 23 19:54 showdefaults
-rwxr-xr-x 1 root root 4748 Apr 23 19:54 showhostkey
-rwxr-xr-x 1 root root 118448 Apr 23 19:54 spi
-rwxr-xr-x 1 root root 66304 Apr 23 19:54 spigrp
-rwxr-xr-x 1 root root 9796 Apr 23 19:54 tncfg
-rwxr-xr-x 1 root root 11623 Apr 23 19:54 verify
-rwxr-xr-x 1 root root 47092 Apr 23 19:54 whack
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/lib/ipsec
total 1384
-rwxr-xr-x 1 root root 15859 Apr 23 19:54 _confread
-rwxr-xr-x 1 root root 4428 Apr 23 19:54 _copyright
-rwxr-xr-x 1 root root 2379 Apr 23 19:54 _include
-rwxr-xr-x 1 root root 1475 Apr 23 19:54 _keycensor
-rwxr-xr-x 1 root root 7980 Apr 23 19:54 _pluto_adns
-rwxr-xr-x 1 root root 3586 Apr 23 19:54 _plutoload
-rwxr-xr-x 1 root root 7059 Apr 23 19:54 _plutorun
-rwxr-xr-x 1 root root 12275 Apr 23 19:54 _realsetup
-rwxr-xr-x 1 root root 1975 Apr 23 19:54 _secretcensor
-rwxr-xr-x 1 root root 9952 Apr 23 19:54 _startklips
-rwxr-xr-x 1 root root 13912 Apr 23 19:54 _updown
-rwxr-xr-x 1 root root 15740 Apr 23 19:54 _updown_x509
-rwxr-xr-x 1 root root 18891 Apr 23 19:54 auto
-rwxr-xr-x 1 root root 11331 Apr 23 19:54 barf
-rwxr-xr-x 1 root root 816 Apr 23 19:54 calcgoo
-rwxr-xr-x 1 root root 77348 Apr 23 19:54 eroute
-rwxr-xr-x 1 root root 17108 Apr 23 19:54 ikeping
-rwxr-xr-x 1 root root 1942 Apr 23 19:54 ipsec_pr.template
-rwxr-xr-x 1 root root 60992 Apr 23 19:54 klipsdebug
-rwxr-xr-x 1 root root 1836 Apr 23 19:54 livetest
-rwxr-xr-x 1 root root 2605 Apr 23 19:54 look
-rwxr-xr-x 1 root root 7147 Apr 23 19:54 mailkey
-rwxr-xr-x 1 root root 16015 Apr 23 19:54 manual
-rwxr-xr-x 1 root root 1926 Apr 23 19:54 newhostkey
-rwxr-xr-x 1 root root 52160 Apr 23 19:54 pf_key
-rwxr-xr-x 1 root root 659000 Apr 23 19:54 pluto
-rwxr-xr-x 1 root root 6460 Apr 23 19:54 ranbits
-rwxr-xr-x 1 root root 18588 Apr 23 19:54 rsasigkey
-rwxr-xr-x 1 root root 766 Apr 23 19:54 secrets
-rwxr-xr-x 1 root root 17624 Apr 23 19:54 send-pr
lrwxrwxrwx 1 root root 17 May 9 15:50 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Apr 23 19:54 showdefaults
-rwxr-xr-x 1 root root 4748 Apr 23 19:54 showhostkey
-rwxr-xr-x 1 root root 118448 Apr 23 19:54 spi
-rwxr-xr-x 1 root root 66304 Apr 23 19:54 spigrp
-rwxr-xr-x 1 root root 9796 Apr 23 19:54 tncfg
-rwxr-xr-x 1 root root 11623 Apr 23 19:54 verify
-rwxr-xr-x 1 root root 47092 Apr 23 19:54 whack
+ _________________________ ipsec/updowns
++ ls /usr/lib/ipsec
++ egrep updown
+ cat /usr/lib/ipsec/_updown
#! /bin/sh
# iproute2 version, default updown script
#
# Copyright (C) 2003-2004 Nigel Metheringham
# Copyright (C) 2002-2004 Michael Richardson <mcr at xelerance.com>
# Copyright (C) 2003-2005 Tuomo Soini <tis at foobar.fi>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown.in,v 1.21.2.11 2006/02/20 22:57:28 paul Exp $
# CAUTION: Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.
LC_ALL=C export LC_ALL
# things that this script gets (from ipsec_pluto(8) man page)
#
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway
# communications is IPv6, then a suffix of -v6 is added
# to the verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_CONN_POLICY
# the policy of the connection, as in:
# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
# PLUTO_NEXT_HOP
# is the next hop to which packets bound for the peer
# must be sent.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
# is the IP address of our client net. If the client
# is just the host, this will be the host's own IP
# address.
#
# PLUTO_MY_CLIENT_MASK
# is the mask for our client net. If the client is
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
# if non-empty, then the source address for the route will be
# set to this IP address.
#
# PLUTO_MY_PROTOCOL
# is the protocol for this connection. Useful for
# firewalling.
#
# PLUTO_MY_PORT
# is the port. Useful for firewalling.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
# is the IP address of the peer's client net. If the
# client is just the peer, this will be the peer's
# own IP address.
#
# PLUTO_PEER_CLIENT_MASK
# is the mask for the peer's client net. If the
# client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
# is the protocol set for remote end with port
# selector.
#
# PLUTO_PEER_PORT
# is the peer's port. Useful for firewalling.
#
# PLUTO_CONNECTION_TYPE
#
# Import default _updown configs from the /etc/default/pluto_updown file
#
# Two variables can be set in this file:
#
# DEFAULTSOURCE
# is the default value for PLUTO_MY_SOURCEIP
#
# IPROUTETABLE
# is the default value for IPROUTETABLE
#
# IPROUTEARGS
# is the extra argument list for ip route command
#
# IPRULEARGS
# is the extra argument list for ip rule command
#
if [ -f /etc/default/pluto_updown ]
then
. /etc/default/pluto_updown
fi
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
ip route flush cache
}
downroute() {
doroute delete
ip route flush cache
}
uprule() {
# policy based advanced routing
if [ -n "$IPROUTETABLE" ]
then
dorule delete
dorule add
fi
# virtual sourceip support
if [ -n "$PLUTO_MY_SOURCEIP" ]
then
addsource
rc=$?
if [ $rc -ne 0 ];
then
changesource
fi
fi
ip route flush cache
}
downrule() {
if [ -n "$IPROUTETABLE" ]
then
dorule delete
ip route flush cache
fi
}
addsource() {
st=0
# check if given sourceip is local and add as alias if not
if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
then
it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: File exists'*)
# should not happen, but ... ignore if the
# address was already assigned on interface
oops=""
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: addsource \`$it' failed ($oops)" >&2
fi
fi
return $st
}
changesource() {
# Change used route source to destination if there is previous
# Route to same PLUTO_PEER_CLIENT. This is basically to fix
# configuration errors where all conns to same destination don't
# have (left/right)sourceip set.
st=0
parms="$PLUTO_PEER_CLIENT dev ${PLUTO_INTERFACE%:*}"
parms="$parms src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms="$parms table $IPROUTETABLE"
fi
it="ip route change $parms"
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# opportunistic encryption work around
it=
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such file or directory'*)
# Will happen every time first tunnel is activated because
# there is no previous route to PLUTO_PEER_CLIENT. So we
# need to ignore this error.
oops=""
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: changesource \`$it' failed ($oops)" >&2
fi
return $st
}
dorule() {
st=0
it2=
iprule="from $PLUTO_MY_CLIENT"
iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# opportunistic encryption work around
st=0
;;
*)
if [ -z "$PLUTO_MY_SOURCEIP" ]
then
if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
fi
else
if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
it2="ip rule $1 iif lo $iprule2"
fi
fi
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it' failed ($oops)" >&2
fi
if test "$st" = "0" -a -n "$it2"
then
oops="`eval $it2 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it2' failed ($oops)" >&2
fi
fi
;;
esac
return $st
}
doroute() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2=
if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
then
parms2="via $PLUTO_NEXT_HOP"
fi
parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
parms3="$IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms3="$parms3 table $IPROUTETABLE"
fi
if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
then
PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
fi
if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
then
addsource
parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
fi
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# opportunistic encryption work around
# need to provide route that eclipses default, without
# replacing it.
it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
ip route $1 128.0.0.0/1 $parms2 $parms3"
;;
*) it="ip route $1 $parms $parms2 $parms3"
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: doroute \`$it' failed ($oops)" >&2
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# need to provide route that eclipses default, without
# replacing it.
parms1="0.0.0.0/1"
parms2="128.0.0.0/1"
it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete
$parms2 $IPROUTEARGS 2>&1"
oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete
$parms2 $IPROUTEARGS 2>&1`"
;;
*)
parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms="$parms table $IPROUTETABLE"
fi
it="ip route delete $parms 2>&1"
oops="`ip route delete $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
*'RTNETLINK answers: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
uprule
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
downrule
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
uprule
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
downrule
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
uprule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
downrule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
;;
route-host-v6:*|route-client-v6:*)
# connection to me or my client subnet being routed
#uproute_v6
;;
unroute-host-v6:*|unroute-client-v6:*)
# connection to me or my client subnet being unrouted
#downroute_v6
;;
up-host-v6:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host-v6:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client-v6:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client-v6:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ cat /usr/lib/ipsec/_updown_x509
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
#
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
S_MY_PORT="--sport $PLUTO_MY_PORT"
D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
S_PEER_PORT="--sport $PLUTO_PEER_PORT"
D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
# CAUTION: Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.
LC_ALL=C export LC_ALL
# things that this script gets (from ipsec_pluto(8) man page)
#
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway
# communications is IPv6, then a suffix of -v6 is added
# to the verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_CONN_POLICY
# the policy of the connection, as in:
# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
# PLUTO_NEXT_HOP
# is the next hop to which packets bound for the peer
# must be sent.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
# is the IP address of our client net. If the client
# is just the host, this will be the host's own IP
# address.
#
# PLUTO_MY_CLIENT_MASK
# is the mask for our client net. If the client is
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
# if non-empty, then the source address for the route will be
# set to this IP address.
#
# PLUTO_MY_PROTOCOL
# is the protocol for this connection. Useful for
# firewalling.
#
# PLUTO_MY_PORT
# is the port. Useful for firewalling.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client
# subnet. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
# is the IP address of the peer's client net. If the
# client is just the peer, this will be the peer's
# own IP address.
#
# PLUTO_PEER_CLIENT_MASK
# is the mask for the peer's client net. If the
# client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
# is the protocol set for remote end with port
# selector.
#
# PLUTO_PEER_PORT
# is the peer's port. Useful for firewalling.
#
# PLUTO_CONNECTION_TYPE
#
# Import default _updown configs from the /etc/default/pluto_updown file
#
# Two variables can be set in this file:
#
# DEFAULTSOURCE
# is the default value for PLUTO_MY_SOURCEIP
#
# IPROUTETABLE
# is the default value for IPROUTETABLE
#
# IPROUTEARGS
# is the extra argument list for ip route command
#
# IPRULEARGS
# is the extra argument list for ip rule command
#
if [ -f /etc/default/pluto_updown ]
then
. /etc/default/pluto_updown
fi
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
ip route flush cache
}
downroute() {
doroute delete
ip route flush cache
}
uprule() {
# policy based advanced routing
if [ -n "$IPROUTETABLE" ]
then
dorule delete
dorule add
fi
# virtual sourceip support
if [ -n "$PLUTO_MY_SOURCEIP" ]
then
addsource
changesource
fi
ip route flush cache
}
downrule() {
if [ -n "$IPROUTETABLE" ]
then
dorule delete
ip route flush cache
fi
}
addsource() {
st=0
if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
then
it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: addsource \`$it' failed ($oops)" >&2
fi
fi
return $st
}
changesource() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2="dev ${PLUTO_INTERFACE%:*}"
parms3="src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms3="$parms3 table '$IPROUTETABLE'"
fi
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
it=
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: changesource \`$it' failed ($oops)" >&2
fi
return $st
}
dorule() {
st=0
it2=
iprule="from $PLUTO_MY_CLIENT"
iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
st=0
;;
*)
if [ -z "$PLUTO_MY_SOURCEIP" ]
then
if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
fi
else
if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
it2="ip rule $1 iif lo $iprule2"
fi
fi
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it' failed ($oops)" >&2
fi
if test "$st" = "0" -a -n "$it2"
then
oops="`eval $it2 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it2' failed ($oops)" >&2
fi
fi
;;
esac
return $st
}
doroute() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2=
if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
then
parms2="via $PLUTO_NEXT_HOP"
fi
parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
parms3="$IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms3="$parms3 table $IPROUTETABLE"
fi
if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
then
PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
fi
if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
then
addsource
parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
fi
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
# need to provide route that eclipses default, without
# replacing it.
it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
ip route $1 128.0.0.0/1 $parms2 $parms3"
;;
*) it="ip route $1 $parms $parms2 $parms3"
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: doroute \`$it' failed ($oops)" >&2
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# need to provide route that eclipses default, without
# replacing it.
parms1="0.0.0.0/1"
parms2="128.0.0.0/1"
it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete
$parms2 $IPROUTEARGS 2>&1"
oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete
$parms2 $IPROUTEARGS 2>&1`"
;;
*)
parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms="$parms table $IPROUTETABLE"
fi
it="ip route delete $parms 2>&1"
oops="`ip route delete $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
*'RTNETLINK answers: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
uprule
# If you are doing a custom version, firewall commands go here.
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
down-host:*)
# connection to me going down
downrule
# If you are doing a custom version, firewall commands go here.
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
up-client:)
# connection to my client subnet coming up
uprule
# If you are doing a custom version, firewall commands go here.
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
down-client:)
# connection to my client subnet going down
downrule
# If you are doing a custom version, firewall commands go here.
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
uprule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
downrule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
;;
route-host-v6:*|route-client-v6:*)
# connection to me or my client subnet being routed
#uproute_v6
;;
unroute-host-v6:*|unroute-client-v6:*)
# connection to me or my client subnet being unrouted
#downroute_v6
;;
up-host-v6:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host-v6:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client-v6:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client-v6:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |   bytes packets errs drop fifo frame compressed multicast|   bytes packets errs drop fifo colls carrier compressed
    lo:     6729      60    0    0    0     0          0         0     6729      60    0    0    0     0       0          0
  eth0: 15367386  113210    0    0    0     0          0         0  4206684   15884    0    0    0     0       0          0
  eth1:        0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  sit0:        0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec0:        0       0    0    0    0     0          0         0   473376    3132    0   16    0     0       0          0
ipsec1:        0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:        0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:        0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  ppp0:    48265     208    0    0    0     0          0         0    34036     159    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ppp0 FE977BC8 00000000 0005 0 0 0 FFFFFFFF 0 0 0
ipsec0 FE977BC8 00000000 0005 0 0 0 FFFFFFFF 0 0 0
eth0 0003A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0001A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth1 0001FA0A 00000000 0001 0 0 0 00FFFFFF 0 0 0
ppp0 00000000 FE977BC8 0003 0 0 0 00000000 0 0 0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter ppp0/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
ipsec0/rp_filter:1
lo/rp_filter:1
ppp0/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects ipsec0/accept_redirects ipsec0/secure_redirects ipsec0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects ppp0/accept_redirects ppp0/secure_redirects ppp0/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:1
default/accept_redirects:1
default/secure_redirects:1
default/send_redirects:1
eth0/accept_redirects:1
eth0/secure_redirects:1
eth0/send_redirects:1
eth1/accept_redirects:1
eth1/secure_redirects:1
eth1/send_redirects:1
ipsec0/accept_redirects:1
ipsec0/secure_redirects:1
ipsec0/send_redirects:1
lo/accept_redirects:1
lo/secure_redirects:1
lo/send_redirects:1
ppp0/accept_redirects:1
ppp0/secure_redirects:1
ppp0/send_redirects:1
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+ uname -a
Linux gwa 2.6.16-1-686 #2 Fri May 5 04:56:53 UTC 2006 i686 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ distro-release
+ test -f /etc/redhat-release
+ test -f /etc/debian-release
+ test -f /etc/SuSE-release
+ test -f /etc/mandrake-release
+ test -f /etc/mandriva-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.4.5
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ ipfwadm -F -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -I -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -O -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -M -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ ipchains -L -v -n
ipchains: Incompatible with this kernel
+ _________________________
+ ipchains -M -L -v -n
ipchains: cannot open file `/proc/net/ip_masquerade'
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 15975 packets, 3424K bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8179 packets, 1381K bytes)
 pkts bytes target prot opt in out source destination
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 23904 packets, 4626K bytes)
 pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 36 packets, 3712 bytes)
 pkts bytes target prot opt in out source destination
    0     0 MASQUERADE all -- * ppp0 10.250.1.0/24 !192.168.1.0/24
Chain OUTPUT (policy ACCEPT 36 packets, 3712 bytes)
 pkts bytes target prot opt in out source destination
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 37360 packets, 7260K bytes)
 pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 15975 packets, 3424K bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8179 packets, 1381K bytes)
 pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 8179 packets, 1381K bytes)
 pkts bytes target prot opt in out source destination
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
iptable_mangle 2816 0 - Live 0xbfae8000
iptable_filter 2944 0 - Live 0xbf996000
ipt_MASQUERADE 3392 1 - Live 0xbfacc000
iptable_nat 8132 1 - Live 0xbfb00000
ip_nat 17004 2 ipt_MASQUERADE,iptable_nat, Live 0xbfb07000
ip_conntrack 51532 3 ipt_MASQUERADE,iptable_nat,ip_nat, Live 0xbfb17000
nfnetlink 6328 2 ip_nat,ip_conntrack, Live 0xbfaf9000
ip_tables 11928 3 iptable_mangle,iptable_filter,iptable_nat, Live 0xbfae4000
x_tables 11908 3 ipt_MASQUERADE,iptable_nat,ip_tables, Live 0xbfaac000
ipsec 323020 1 - Live 0xbfbbf000
ppp_deflate 5920 0 - Live 0xbfb04000
bsd_comp 5696 0 - Live 0xbfaf6000
ppp_async 10336 1 - Live 0xbfaea000
crc_ccitt 2112 1 ppp_async, Live 0xbface000
ppp_generic 26644 7 ppp_deflate,bsd_comp,ppp_async, Live 0xbfaee000
slhc 6528 1 ppp_generic, Live 0xbfad0000
mousedev 11328 0 - Live 0xbf9bd000
tsdev 7520 0 - Live 0xbfab3000
ipv6 229824 20 - Live 0xbfb28000
ipcomp 7496 0 - Live 0xbfab0000
esp4 7520 0 - Live 0xbf9df000
ah4 6272 0 - Live 0xbf9c8000
deflate 3936 0 - Live 0xbf8e9000
zlib_deflate 19224 2 ppp_deflate,deflate, Live 0xbfac6000
twofish 37440 0 - Live 0xbfad4000
serpent 18048 0 - Live 0xbfac0000
aes 31296 0 - Live 0xbfab7000
blowfish 8160 0 - Live 0xbf9c5000
des 15520 0 - Live 0xbf9cb000
sha256 9152 0 - Live 0xbf9c1000
sha1 2432 0 - Live 0xbf8eb000
crypto_null 2528 0 - Live 0xbf8a4000
dm_mod 53144 0 - Live 0xbfa20000
evdev 9408 0 - Live 0xbf977000
psmouse 36200 0 - Live 0xbfa16000
serio_raw 6820 0 - Live 0xbf8f6000
3c59x 41640 0 - Live 0xbfa0a000
parport_pc 32996 0 - Live 0xbfa00000
parport 33672 1 parport_pc, Live 0xbf99d000
floppy 56804 0 - Live 0xbf9d0000
pcspkr 3140 0 - Live 0xbf8de000
rtc 11828 0 - Live 0xbf973000
snd_hda_intel 16944 0 - Live 0xbf990000
snd_hda_codec 116576 1 snd_hda_intel, Live 0xbf9e2000
snd_pcm 79112 2 snd_hda_intel,snd_hda_codec, Live 0xbf9a8000
snd_timer 22116 1 snd_pcm, Live 0xbf97b000
snd 49092 4 snd_hda_intel,snd_hda_codec,snd_pcm,snd_timer, Live 0xbf983000
soundcore 9216 1 snd, Live 0xbf8f2000
snd_page_alloc 10440 2 snd_hda_intel,snd_pcm, Live 0xbf8ee000
uhci_hcd 29744 0 - Live 0xbf96a000
ehci_hcd 28968 0 - Live 0xbf961000
via_rhine 21956 0 - Live 0xbf8bf000
shpchp 42816 0 - Live 0xbf955000
pci_hotplug 26356 1 shpchp, Live 0xbf94d000
ide_cd 39076 0 - Live 0xbf942000
cdrom 36352 1 ide_cd, Live 0xbf938000
mii 5344 2 3c59x,via_rhine, Live 0xbf8bc000
via_agp 9632 1 - Live 0xbf8b5000
agpgart 33072 1 via_agp, Live 0xbf8d4000
usbcore 119364 3 uhci_hcd,ehci_hcd, Live 0xbf919000
ext3 125800 5 - Live 0xbf8f9000
jbd 50676 1 ext3, Live 0xbf8c6000
mbcache 8164 1 ext3, Live 0xbf897000
ide_disk 15584 7 - Live 0xbf8b0000
ide_generic 1408 0 [permanent], Live 0xbf8a2000
via82cxxx 8900 0 [permanent], Live 0xbf8a6000
trm290 4260 0 [permanent], Live 0xbf89f000
triflex 3872 0 [permanent], Live 0xbf89d000
slc90e66 5568 0 [permanent], Live 0xbf89a000
sis5513 14792 0 [permanent], Live 0xbf882000
siimage 11264 0 [permanent], Live 0xbf893000
serverworks 8680 0 [permanent], Live 0xbf88f000
sc1200 7072 0 [permanent], Live 0xbf834000
rz1000 2784 0 [permanent], Live 0xbf83d000
piix 9956 0 [permanent], Live 0xbf88b000
pdc202xx_old 10336 0 [permanent], Live 0xbf887000
opti621 4324 0 [permanent], Live 0xbf874000
ns87415 4296 0 [permanent], Live 0xbf871000
it821x 8228 0 [permanent], Live 0xbf87e000
hpt366 17696 0 [permanent], Live 0xbf878000
hpt34x 5056 0 [permanent], Live 0xbf84f000
generic 4612 0 [permanent], Live 0xbf84c000
cy82c693 4612 0 [permanent], Live 0xbf849000
cs5535 6368 0 [permanent], Live 0xbf846000
cs5530 5184 0 [permanent], Live 0xbf843000
cs5520 4704 0 [permanent], Live 0xbf83a000
cmd64x 10908 0 [permanent], Live 0xbf83f000
atiixp 5744 0 [permanent], Live 0xbf837000
amd74xx 13660 0 [permanent], Live 0xbf81d000
alim15x3 11276 0 [permanent], Live 0xbf80d000
aec62xx 7136 0 [permanent], Live 0xbf81a000
pdc202xx_new 8160 0 [permanent], Live 0xbf811000
ide_core 116788 30 ide_cd,ide_disk,ide_generic,via82cxxx,trm290,triflex,slc90e66,sis5513,siimage,serverworks,sc1200,rz1000,piix,pdc202xx_old,opti621,ns87415,it821x,hpt366,hpt34x,generic,cy82c693,cs5535,cs5530,cs5520,cmd64x,atiixp,amd74xx,alim15x3,aec62xx,pdc202xx_new, Live 0xbf853000
raid1 20160 6 - Live 0xbf814000
md_mod 68788 7 raid1, Live 0xbf822000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 240616 kB
MemFree: 11592 kB
Buffers: 66708 kB
Cached: 99500 kB
SwapCached: 0 kB
Active: 91868 kB
Inactive: 85820 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 240616 kB
LowFree: 11592 kB
SwapTotal: 979832 kB
SwapFree: 979724 kB
Dirty: 76 kB
Writeback: 0 kB
Mapped: 18948 kB
Slab: 46684 kB
CommitLimit: 1100140 kB
Committed_AS: 53004 kB
PageTables: 504 kB
VmallocTotal: 1048568 kB
VmallocUsed: 3676 kB
VmallocChunk: 1044412 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 May 13 10:27 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 May 13 10:27 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 May 13 10:27 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 May 13 10:27 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 May 13 10:27 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 May 13 10:27 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.16-1-686/build/.config
++ uname -r
+ cat /lib/modules/2.6.16-1-686/build/.config
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV'
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
CONFIG_IP_ROUTE_MULTIPATH_RR=m
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_DRR=m
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_TUNNEL=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=m
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NETBIOS_NS=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_POLICY=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_POLICY=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_DCCP=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_DCCP_CCID3=m
CONFIG_IP_DCCP_TFRC_LIB=m
# CONFIG_IP_DCCP_DEBUG is not set
# CONFIG_IP_DCCP_UNLOAD_HACK is not set
CONFIG_IP_SCTP=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPW2100=m
CONFIG_IPW2100_MONITOR=y
# CONFIG_IPW2100_DEBUG is not set
CONFIG_IPW2200=m
# CONFIG_IPW2200_DEBUG is not set
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_HW_RANDOM=m
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=y
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.crit;news.err;news.notice;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
+ _________________________ etc/syslog-ng/syslog-ng.conf
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
# resolv.conf created by pppconfig for internet
nameserver 200.69.193.1
nameserver 200.69.193.2
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 5 root root 4096 May 5 09:48 2.6.8-2-686
drwxr-xr-x 3 root root 4096 May 6 09:56 2.6.16-1-686
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
b02175a7 T netif_rx
b0217705 T netif_rx_ni
b02175a7 U netif_rx [ipsec]
b02175a7 U netif_rx [ppp_generic]
b02175a7 U netif_rx [ipv6]
b02175a7 U netif_rx [3c59x]
b02175a7 U netif_rx [via_rhine]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.16-1-686:
2.6.8-2-686:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '113,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ cat
May 13 10:25:53 gwa ipsec_setup: Starting Openswan IPsec 2.4.5...
May 13 10:25:54 gwa ipsec__plutorun: 104 "tunnelAB" #1: STATE_MAIN_I1: initiate
May 13 10:25:54 gwa ipsec__plutorun: ...could not start conn "tunnelAB"
+ _________________________ plog
+ sed -n '1121,$p' /var/log/auth.log
+ egrep -i pluto
+ cat
May 13 10:25:53 gwa ipsec__plutorun: Starting Pluto subsystem...
May 13 10:25:53 gwa pluto[10572]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEGfuJ[Ye{Ah)
May 13 10:25:53 gwa pluto[10572]: Setting NAT-Traversal port-4500 floating to off
May 13 10:25:53 gwa pluto[10572]: port floating activation criteria nat_t=0/port_fload=1
May 13 10:25:53 gwa pluto[10572]: including NAT-Traversal patch (Version 0.6c) [disabled]
May 13 10:25:53 gwa pluto[10572]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 13 10:25:53 gwa pluto[10572]: starting up 1 cryptographic helpers
May 13 10:25:53 gwa pluto[10572]: started helper pid=10583 (fd:6)
May 13 10:25:53 gwa pluto[10572]: Using KLIPS IPsec interface code on 2.6.16-1-686
May 13 10:25:53 gwa pluto[10572]: Changing to directory '/etc/ipsec.d/cacerts'
May 13 10:25:53 gwa pluto[10572]: Changing to directory '/etc/ipsec.d/aacerts'
May 13 10:25:53 gwa pluto[10572]: Changing to directory '/etc/ipsec.d/ocspcerts'
May 13 10:25:53 gwa pluto[10572]: Changing to directory '/etc/ipsec.d/crls'
May 13 10:25:53 gwa pluto[10572]: Warning: empty directory
May 13 10:25:53 gwa pluto[10572]: added connection description "tunnelAB"
May 13 10:25:53 gwa pluto[10572]: listening for IKE messages
May 13 10:25:53 gwa pluto[10572]: adding interface ipsec0/ppp0 200.68.111.227:500
May 13 10:25:53 gwa pluto[10572]: loading secrets from "/etc/ipsec.secrets"
May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: initiating Main Mode
May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: I did not send a certificate because I do not have one.
May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #1: Main mode peer ID is ID_IPV4_ADDR: '200.XXX.XXX.XXX'
May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xf7a99043 <0x1d4652fb xfrm=AES_256-HMAC_MD5 NATD=none DPD=none}
May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: received and ignored informational message
May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xf7a99042) not found (maybe expired)
May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: received and ignored informational message
May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: received Delete SA payload: deleting ISAKMP State #1
May 13 10:25:59 gwa pluto[10572]: packet from 200.XXX.XXX.XXX:500: received and ignored informational message
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: responding to Main Mode
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: STATE_MAIN_R1: sent MR1, expecting MI2
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: STATE_MAIN_R2: sent MR2, expecting MI3
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: Main mode peer ID is ID_IPV4_ADDR: '200.XXX.XXX.XXX'
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: I did not send a certificate because I do not have one.
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: responding to Quick Mode {msgid:305a0c30}
May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xf7a99044 <0x1d4652fc xfrm=AES_256-HMAC_MD5 NATD=none DPD=none}
+ _________________________ date
+ date
Sat May 13 10:27:03 ART 2006
Regards,
Mariano
--
"Increased professional satisfaction and family unity are fatal for a
provider of brain-numbing substances."
Moe, 1991.