[Openswan Users]
Re: [SOLVED] IPsec SA established but traffic doesn't get back to origin
Mariano Aliaga
marianoaliaga at gmail.com
Mon May 15 11:19:31 CEST 2006
Hi,
I could finally make it work. Reading
http://www.openswan.org/docs/local/README.Kernel26 I found the
following:
"* compression seems to be incompatible between KLIPS and the 2.6 ipsec code.
Since we believe the 2.6 ipsec code is wrong, we cannot fix this. If you
get a successful IKE negotiation and can send ESP packets, but never get
replies, compile KLIPS without CONFIG_IPSEC_IPCOMP. There is currently no
runtime switch to disable compression. Note that setting compress=no is not
enough; it just means we do not announce compression, but we'll still do it
if the other end requests it."
Although it says the problem is between KLIPS and 2.6 ipsec (I use
KLIPS on both ends), I tried building openswan-module without
CONFIG_IPSEC_IPCOMP, and that made it work.
Regards,
Mariano
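
A small diagnostic check, added here as an example and not part of Mariano's posts or of Openswan itself, that applies the reasoning of this thread to the counters `ipsec barf` prints (the `ifconfig -a` section and `/proc/net/ipsec_spi`): an inbound ESP SA is installed and ppp0 is receiving, yet ipsec0 has transmitted thousands of packets and received none, which points at inbound ESP being discarded before decapsulation rather than never arriving. It assumes the ifconfig and ipsec_spi line formats as quoted in the thread, that KLIPS would list a negotiated IPCOMP SA with a `comp0x` prefix, and uses constructed sample input (the censored peer address is replaced by the documentation address 203.0.113.1, and the archive's " at " is written as the real "@").

```python
import re

# Constructed samples modelled on the `ipsec barf` output quoted in this thread.
IFCONFIG_SAMPLE = """\
ipsec0    Link encap:Point-to-Point Protocol
          inet addr:200.68.111.227  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3132 errors:0 dropped:16 overruns:0 carrier:0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:200.68.111.227  P-t-P:200.123.151.254  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1440  Metric:1
          RX packets:208 errors:0 dropped:0 overruns:0 frame:0
          TX packets:159 errors:0 dropped:0 overruns:0 carrier:0
"""

SPI_SAMPLE = """\
tun0x1004@203.0.113.1 IPIP: dir=out src=200.68.111.227 life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1407
tun0x1003@200.68.111.227 IPIP: dir=in src=203.0.113.1 policy=192.168.1.0/24->10.250.1.0/24 flags=0x8<> natencap=na refcount=4 ref=1402
esp0x1d4652fc@200.68.111.227 ESP_AES_HMAC_MD5: dir=in src=203.0.113.1 iv_bits=128bits ooowin=64 alen=128 aklen=128 eklen=256 ref=1403
esp0xf7a99044@203.0.113.1 ESP_AES_HMAC_MD5: dir=out src=200.68.111.227 iv_bits=128bits ooowin=64 alen=128 aklen=128 eklen=256 ref=1408
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")
COUNTER_RE = re.compile(r"\b(RX|TX) packets:(\d+) errors:(\d+) dropped:(\d+)")
# Assumption: KLIPS prefixes SAs with tun/esp/ah/comp followed by the hex SPI and "@addr".
SA_RE = re.compile(r"^(tun|esp|ah|comp)(0x[0-9a-f]+)@(\S+)\s+(\S+):\s+dir=(in|out)")


def parse_ifconfig(text):
    """Map each interface in `ifconfig -a` output to its RX/TX packet and drop counters."""
    stats, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        m = COUNTER_RE.search(line) if current else None
        if m:
            d = m.group(1).lower()
            stats[current][d + "_packets"] = int(m.group(2))
            stats[current][d + "_dropped"] = int(m.group(4))
    return stats


def parse_spi(text):
    """Parse /proc/net/ipsec_spi lines into SA records (kind, spi, addr, alg, dir)."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            kind, spi, addr, alg, direction = m.groups()
            sas.append({"kind": kind, "spi": spi, "addr": addr, "alg": alg, "dir": direction})
    return sas


def diagnose(ifconfig_text, spi_text, virt="ipsec0", phys="ppp0"):
    """Return (code, message) findings for the one-way tunnel symptom discussed in the thread."""
    stats, sas = parse_ifconfig(ifconfig_text), parse_spi(spi_text)
    findings = []
    if not any(s["kind"] == "esp" and s["dir"] == "in" for s in sas):
        findings.append(("NO_INBOUND_ESP",
                         "no inbound ESP SA in ipsec_spi; quick mode did not complete"))
        return findings
    v, p = stats.get(virt, {}), stats.get(phys, {})
    # The thread's tell-tale: SA up, physical link receiving, virtual interface never delivering.
    if v.get("tx_packets", 0) > 0 and v.get("rx_packets", 0) == 0 and p.get("rx_packets", 0) > 0:
        findings.append(("ONE_WAY_DECAP_FAILURE",
                         f"{virt} TX={v['tx_packets']} RX=0 while {phys} RX={p['rx_packets']}: "
                         "inbound ESP reaches the box but is dropped before decapsulation; "
                         "per README.Kernel26 check whether KLIPS was built with CONFIG_IPSEC_IPCOMP"))
    if v.get("tx_dropped", 0) > 0:
        findings.append(("VIRT_TX_DROPS",
                         f"{virt} dropped {v['tx_dropped']} outbound packets"))
    if any(s["kind"] == "comp" for s in sas):
        findings.append(("IPCOMP_NEGOTIATED",
                         "an IPCOMP SA is installed: compress=no only stops announcing "
                         "compression, the peer can still request it"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(IFCONFIG_SAMPLE, SPI_SAMPLE):
        print(f"{code}: {msg}")
```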
On 5/13/06, Mariano Aliaga <marianoaliaga at gmail.com> wrote:
> Hi,
> I've been trying for a long time to debug this problem and now I don't
> know what else I can try. I'd be glad if someone could help.
> My setup is as follows:
>
> HostA -------- GwA ===WWW=== GwB ------- HostB
>
> I'm running Debian Sarge on both gateways, and my software versions are:
>
> - GwA: linux-image-2.6.16-1-6 (sarge-backports), openswan
> 2.4.5-3 (unstable), openswan-modules-source 2.4.5-3 (unstable)
> - GwB: kernel-image-2.4.27-2-386, openswan 2.2.0-8,
> openswan-modules-source 2.2.0-8
>
> My problem is the following: I can perfectly set up an IPsec tunnel
> between both gateways (I get IPsec SA established, ipsec0 interfaces
> are set up, eroutes are added, etc.).
> If I ping from HostA to HostB the packet goes through the tunnel,
> HostB replies, the reply goes through GwB and I can see the ESP
> packets on the ppp0 interface on GwA, BUT it doesn't pass to ipsec0... it
> just dies there.
> I have several tunnels on GwB working perfectly, and all of them
> are using the same versions as GwB.
>
> The output of ipsec barf on GwA is the following:
>
> gwa
> Sat May 13 10:27:02 ART 2006
> + _________________________ version
> + ipsec --version
> Linux Openswan 2.4.5 (klips)
> See `ipsec --copyright' for copyright information.
> + _________________________ /proc/version
> + cat /proc/version
> Linux version 2.6.16-1-686 (Debian 2.6.16-11bpo1)
> (nobse at backports.org) (gcc version 3.3.5 (Debian 1:3.3.5-13)) #2 Fri
> May 5 04:56:53 UTC 2006
> + _________________________ /proc/net/ipsec_eroute
> + test -r /proc/net/ipsec_eroute
> + sort -sg +3 /proc/net/ipsec_eroute
> 0 10.250.1.0/24 -> 192.168.1.0/24 => tun0x1004 at 200.XXX.XXX.XXX
> + _________________________ netstat-rn
> + netstat -nr
> + head -n 100
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 200.123.151.254 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
> 200.123.151.254 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec0
> 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
> 10.250.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 0.0.0.0 200.123.151.254 0.0.0.0 UG 0 0 0 ppp0
> + _________________________ /proc/net/ipsec_spi
> + test -r /proc/net/ipsec_spi
> + cat /proc/net/ipsec_spi
> tun0x1004 at 200.XXX.XXX.XXX IPIP: dir=out src=200.68.111.227
> life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1407
> tun0x1003 at 200.68.111.227 IPIP: dir=in src=200.XXX.XXX.XXX
> policy=192.168.1.0/24->10.250.1.0/24 flags=0x8<>
> life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1402
> esp0x1d4652fc at 200.68.111.227 ESP_AES_HMAC_MD5: dir=in
> src=200.XXX.XXX.XXX iv_bits=128bits
> iv=0x00a46605027e05e59f2263eeca7d8b22 ooowin=64 alen=128 aklen=128
> eklen=256 life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1403
> esp0xf7a99044 at 200.XXX.XXX.XXX ESP_AES_HMAC_MD5: dir=out
> src=200.68.111.227 iv_bits=128bits
> iv=0x0f99e1381cd545fe34b85023bbbbee4d ooowin=64 alen=128 aklen=128
> eklen=256 life(c,s,h)=addtime(58,0,0) natencap=na refcount=4 ref=1408
> + _________________________ /proc/net/ipsec_spigrp
> + test -r /proc/net/ipsec_spigrp
> + cat /proc/net/ipsec_spigrp
> tun0x1004 at 200.XXX.XXX.XXX esp0xf7a99044 at 200.XXX.XXX.XXX
> tun0x1003 at 200.68.111.227 esp0x1d4652fc at 200.68.111.227
> + _________________________ /proc/net/ipsec_tncfg
> + test -r /proc/net/ipsec_tncfg
> + cat /proc/net/ipsec_tncfg
> ipsec0 -> ppp0 mtu=16260(1440) -> 1440
> ipsec1 -> NULL mtu=0(0) -> 0
> ipsec2 -> NULL mtu=0(0) -> 0
> ipsec3 -> NULL mtu=0(0) -> 0
> + _________________________ /proc/net/pfkey
> + test -r /proc/net/pfkey
> + _________________________ /proc/sys/net/ipsec-star
> + test -d /proc/sys/net/ipsec
> + cd /proc/sys/net/ipsec
> + egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink
> debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose
> debug_xform icmp inbound_policy_check pfkey_lossage tos
> debug_ah:0
> debug_eroute:0
> debug_esp:0
> debug_ipcomp:0
> debug_netlink:0
> debug_pfkey:0
> debug_radij:0
> debug_rcv:0
> debug_spi:0
> debug_tunnel:0
> debug_verbose:0
> debug_xform:0
> icmp:1
> inbound_policy_check:1
> pfkey_lossage:0
> tos:1
> + _________________________ ipsec/status
> + ipsec auto --status
> 000 interface ipsec0/ppp0 200.68.111.227
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36}
> trans={0,2,72} attrs={0,2,48}
> 000
> 000 "tunnelAB":
> 10.250.1.0/24===200.68.111.227...200.XXX.XXX.XXX===192.168.1.0/24;
> erouted; eroute owner: #4
> 000 "tunnelAB": srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "tunnelAB": ike_life: 14400s; ipsec_life: 3600s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "tunnelAB": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: ppp0;
> 000 "tunnelAB": newest ISAKMP SA: #3; newest IPsec SA: #4;
> 000 "tunnelAB": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000 "tunnelAB": ESP algorithms wanted: 12_000-1, 12_000-2, flags=strict
> 000 "tunnelAB": ESP algorithms loaded: 12_000-1, 12_000-2, flags=strict
> 000 "tunnelAB": ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=<N/A>
> 000
> 000 #4: "tunnelAB":500 STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 3272s; newest IPSEC; eroute owner
> 000 #4: "tunnelAB" esp.f7a99044 at 200.XXX.XXX.XXX
> esp.1d4652fc at 200.68.111.227 tun.1004 at 200.XXX.XXX.XXX
> tun.1003 at 200.68.111.227
> 000 #3: "tunnelAB":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_REPLACE in 14071s; newest ISAKMP; nodpd
> 000
> + _________________________ ifconfig-a
> + ifconfig -a
> eth0 Link encap:Ethernet HWaddr 00:15:F2:E5:77:3E
> inet addr:192.168.3.233 Bcast:192.168.3.255 Mask:255.255.255.0
> inet6 addr: fe80::215:f2ff:fee5:773e/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:113210 errors:0 dropped:0 overruns:0 frame:0
> TX packets:15884 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:15367386 (14.6 MiB) TX bytes:4206684 (4.0 MiB)
> Interrupt:185 Base address:0xd400
>
> eth1 Link encap:Ethernet HWaddr 00:60:08:CC:DD:36
> inet addr:10.250.1.110 Bcast:10.250.1.255 Mask:255.255.255.0
> UP BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
> Interrupt:153 Base address:0xcc00
>
> ipsec0 Link encap:Point-to-Point Protocol
> inet addr:200.68.111.227 Mask:255.255.255.255
> UP RUNNING NOARP MTU:16260 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:3132 errors:0 dropped:16 overruns:0 carrier:0
> collisions:0 txqueuelen:10
> RX bytes:0 (0.0 b) TX bytes:473376 (462.2 KiB)
>
> ipsec1 Link encap:UNSPEC HWaddr
> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> NOARP MTU:0 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:10
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> ipsec2 Link encap:UNSPEC HWaddr
> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> NOARP MTU:0 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:10
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> ipsec3 Link encap:UNSPEC HWaddr
> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> NOARP MTU:0 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:10
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:60 errors:0 dropped:0 overruns:0 frame:0
> TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:6729 (6.5 KiB) TX bytes:6729 (6.5 KiB)
>
> ppp0 Link encap:Point-to-Point Protocol
> inet addr:200.68.111.227 P-t-P:200.123.151.254 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1440 Metric:1
> RX packets:208 errors:0 dropped:0 overruns:0 frame:0
> TX packets:159 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:3
> RX bytes:48265 (47.1 KiB) TX bytes:34036 (33.2 KiB)
>
> sit0 Link encap:IPv6-in-IPv4
> NOARP MTU:1480 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> + _________________________ ip-addr-list
> + ip addr list
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> link/ether 00:15:f2:e5:77:3e brd ff:ff:ff:ff:ff:ff
> inet 192.168.3.233/24 brd 192.168.3.255 scope global eth0
> inet6 fe80::215:f2ff:fee5:773e/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> link/ether 00:60:08:cc:dd:36 brd ff:ff:ff:ff:ff:ff
> inet 10.250.1.110/24 brd 10.250.1.255 scope global eth1
> 4: sit0: <NOARP> mtu 1480 qdisc noop
> link/sit 0.0.0.0 brd 0.0.0.0
> 6: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
> link/ppp
> inet 200.68.111.227 peer 200.123.151.254/32 scope global ipsec0
> 7: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
> link/void
> 8: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
> link/void
> 9: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
> link/void
> 13: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1440 qdisc pfifo_fast qlen 3
> link/ppp
> inet 200.68.111.227 peer 200.123.151.254/32 scope global ppp0
> + _________________________ ip-route-list
> + ip route list
> 200.123.151.254 dev ppp0 proto kernel scope link src 200.68.111.227
> 200.123.151.254 dev ipsec0 proto kernel scope link src 200.68.111.227
> 192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.233
> 192.168.1.0/24 dev ipsec0 scope link
> 10.250.1.0/24 dev eth1 proto kernel scope link src 10.250.1.110
> default via 200.123.151.254 dev ppp0
> + _________________________ ip-rule-list
> + ip rule list
> 0: from all lookup local
> 32766: from all lookup main
> 32767: from all lookup default
> + _________________________ ipsec_verify
> + ipsec verify --nocolour
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan 2.4.5 (klips)
> Checking for IPsec support in kernel [OK]
> KLIPS detected, checking for NAT Traversal support [FAILED]
> Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing
> Checking tun0x1004 at 200.XXX.XXX.XXX from 10.250.1.0/24 to 192.168.1.0/24 [FAILED]
> MASQUERADE from 10.250.1.0/24 to 0.0.0.0/0 kills tunnel
> 10.250.1.0/24 -> 192.168.1.0/24
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
> + _________________________ mii-tool
> + '[' -x /sbin/mii-tool ']'
> + /sbin/mii-tool -v
> eth0: negotiated 100baseTx-FD, link ok
> product info: vendor 00:00:20, model 32 rev 1
> basic mode: autonegotiation enabled
> basic status: autonegotiation complete, link ok
> capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
> advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
> link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
> eth1: no link
> product info: National DP83840A rev 1
> basic mode: autonegotiation enabled
> basic status: no link
> capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
> advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
> + _________________________ ipsec/directory
> + ipsec --directory
> /usr/lib/ipsec
> + _________________________ hostname/fqdn
> + hostname --fqdn
> gwa.xxxxxxx.xxx
> + _________________________ hostname/ipaddress
> + hostname --ip-address
> 10.250.1.110
> + _________________________ uptime
> + uptime
> 10:27:03 up 1 day, 19:38, 3 users, load average: 0.00, 0.00, 0.00
> + _________________________ ps
> + ps alxwf
> + egrep -i 'ppid|pluto|ipsec|klips'
> F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
> 0 0 10660 9655 16 0 2828 1360 - R+ pts/2 0:00
> \_ /bin/sh /usr/lib/ipsec/barf
> 1 0 10570 1 25 0 2412 448 wait S pts/2 0:00
> /bin/bash /usr/lib/ipsec/_plutorun --debug none --uniqueids yes
> --nocrsend --strictcrlpolicy --nat_traversal --keep_alive
> --protostack auto --force_keepalive --disable_port_floating
> --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump
> --opts --stderrlog --wait no --pre --post --log daemon.error --pid
> /var/run/pluto/pluto.pid
> 1 0 10571 10570 25 0 2412 608 wait S pts/2 0:00 \_
> /bin/bash /usr/lib/ipsec/_plutorun --debug none --uniqueids yes
> --nocrsend --strictcrlpolicy --nat_traversal --keep_alive
> --protostack auto --force_keepalive --disable_port_floating
> --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump
> --opts --stderrlog --wait no --pre --post --log daemon.error --pid
> /var/run/pluto/pluto.pid
> 4 0 10572 10571 15 0 7072 2492 - S pts/2 0:00 |
> \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets
> --ipsecdir /etc/ipsec.d --debug-none --use-auto --uniqueids
> 1 0 10583 10572 25 10 6936 872 - SN pts/2 0:00 |
> \_ pluto helper # 0 -nofork
> 0 0 10584 10572 25 0 1532 292 - S pts/2 0:00 |
> \_ _pluto_adns
> 0 0 10573 10570 16 0 2380 1116 pipe_w S pts/2 0:00 \_
> /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
> 0 0 10575 1 25 0 1584 504 pipe_w S pts/2 0:00
> logger -s -p daemon.error -t ipsec__plutorun
> + _________________________ ipsec/showdefaults
> + ipsec showdefaults
> routephys=ppp0
> routevirt=ipsec0
> routeaddr=200.68.111.227
> routenexthop=200.123.151.254
> + _________________________ ipsec/conf
> + ipsec _include /etc/ipsec.conf
> + ipsec _keycensor
>
> #< /etc/ipsec.conf 1
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
>
> # This file: /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> config setup
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> uniqueids=yes
>
> conn %default
> keyingtries=0
>
> conn tunnelAB
> authby=secret
> left=200.XXX.XXX.XXX
> leftsubnet=192.168.1.0/24
> right=%defaultroute
> rightsubnet=10.250.1.0/24
> ikelifetime=240m
> keylife=60m
> pfs=no
> esp=aes
> compress=no
> auto=start
>
>
> #Disable Opportunistic Encryption
>
> #< /etc/ipsec.d/examples/no_oe.conf 1
> # 'include' this file to disable Opportunistic Encryption.
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
> conn block
> auto=ignore
>
> conn private
> auto=ignore
>
> conn private-or-clear
> auto=ignore
>
> conn clear-or-private
> auto=ignore
>
> conn clear
> auto=ignore
>
> conn packetdefault
> auto=ignore
>
> #> /etc/ipsec.conf 36
> + _________________________ ipsec/secrets
> + ipsec _include /etc/ipsec.secrets
> + ipsec _secretcensor
>
> #< /etc/ipsec.secrets 1
> # RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
> # This file holds shared secrets or RSA private keys for inter-Pluto
> # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
>
> # RSA private key for this host, authenticating it to any other host
> # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
> # or configuration of other implementations, can be extracted conveniently
> # with "[sums to ef67...]".
> 200.XXX.XXX.XXX gwa.xxxxx.xxx: PSK "[sums to ccda...]"
> + _________________________ ipsec/listall
> + ipsec auto --listall
> 000
> 000 List of Public Keys:
> 000
> + '[' /etc/ipsec.d/policies ']'
> ++ basename /etc/ipsec.d/policies/block
> + base=block
> + _________________________ ipsec/policies/block
> + cat /etc/ipsec.d/policies/block
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should never be allowed.
> #
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
>
> ++ basename /etc/ipsec.d/policies/clear
> + base=clear
> + _________________________ ipsec/policies/clear
> + cat /etc/ipsec.d/policies/clear
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should always be in the clear.
> #
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
> ++ basename /etc/ipsec.d/policies/clear-or-private
> + base=clear-or-private
> + _________________________ ipsec/policies/clear-or-private
> + cat /etc/ipsec.d/policies/clear-or-private
> # This file defines the set of CIDRs (network/mask-length) to which
> # we will communicate in the clear, or, if the other side initiates IPSEC,
> # using encryption. This behaviour is also called "Opportunistic Responder".
> #
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
> ++ basename /etc/ipsec.d/policies/private
> + base=private
> + _________________________ ipsec/policies/private
> + cat /etc/ipsec.d/policies/private
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should always be private (i.e. encrypted).
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
> ++ basename /etc/ipsec.d/policies/private-or-clear
> + base=private-or-clear
> + _________________________ ipsec/policies/private-or-clear
> + cat /etc/ipsec.d/policies/private-or-clear
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should be private, if possible, but in the clear otherwise.
> #
> # If the target has a TXT (later IPSECKEY) record that specifies
> # authentication material, we will require private (i.e. encrypted)
> # communications. If no such record is found, communications will be
> # in the clear.
> #
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
> #
>
> 0.0.0.0/0
> + _________________________ ipsec/ls-libdir
> + ls -l /usr/lib/ipsec
> total 1384
> -rwxr-xr-x 1 root root 15859 Apr 23 19:54 _confread
> -rwxr-xr-x 1 root root 4428 Apr 23 19:54 _copyright
> -rwxr-xr-x 1 root root 2379 Apr 23 19:54 _include
> -rwxr-xr-x 1 root root 1475 Apr 23 19:54 _keycensor
> -rwxr-xr-x 1 root root 7980 Apr 23 19:54 _pluto_adns
> -rwxr-xr-x 1 root root 3586 Apr 23 19:54 _plutoload
> -rwxr-xr-x 1 root root 7059 Apr 23 19:54 _plutorun
> -rwxr-xr-x 1 root root 12275 Apr 23 19:54 _realsetup
> -rwxr-xr-x 1 root root 1975 Apr 23 19:54 _secretcensor
> -rwxr-xr-x 1 root root 9952 Apr 23 19:54 _startklips
> -rwxr-xr-x 1 root root 13912 Apr 23 19:54 _updown
> -rwxr-xr-x 1 root root 15740 Apr 23 19:54 _updown_x509
> -rwxr-xr-x 1 root root 18891 Apr 23 19:54 auto
> -rwxr-xr-x 1 root root 11331 Apr 23 19:54 barf
> -rwxr-xr-x 1 root root 816 Apr 23 19:54 calcgoo
> -rwxr-xr-x 1 root root 77348 Apr 23 19:54 eroute
> -rwxr-xr-x 1 root root 17108 Apr 23 19:54 ikeping
> -rwxr-xr-x 1 root root 1942 Apr 23 19:54 ipsec_pr.template
> -rwxr-xr-x 1 root root 60992 Apr 23 19:54 klipsdebug
> -rwxr-xr-x 1 root root 1836 Apr 23 19:54 livetest
> -rwxr-xr-x 1 root root 2605 Apr 23 19:54 look
> -rwxr-xr-x 1 root root 7147 Apr 23 19:54 mailkey
> -rwxr-xr-x 1 root root 16015 Apr 23 19:54 manual
> -rwxr-xr-x 1 root root 1926 Apr 23 19:54 newhostkey
> -rwxr-xr-x 1 root root 52160 Apr 23 19:54 pf_key
> -rwxr-xr-x 1 root root 659000 Apr 23 19:54 pluto
> -rwxr-xr-x 1 root root 6460 Apr 23 19:54 ranbits
> -rwxr-xr-x 1 root root 18588 Apr 23 19:54 rsasigkey
> -rwxr-xr-x 1 root root 766 Apr 23 19:54 secrets
> -rwxr-xr-x 1 root root 17624 Apr 23 19:54 send-pr
> lrwxrwxrwx 1 root root 17 May 9 15:50 setup -> /etc/init.d/ipsec
> -rwxr-xr-x 1 root root 1054 Apr 23 19:54 showdefaults
> -rwxr-xr-x 1 root root 4748 Apr 23 19:54 showhostkey
> -rwxr-xr-x 1 root root 118448 Apr 23 19:54 spi
> -rwxr-xr-x 1 root root 66304 Apr 23 19:54 spigrp
> -rwxr-xr-x 1 root root 9796 Apr 23 19:54 tncfg
> -rwxr-xr-x 1 root root 11623 Apr 23 19:54 verify
> -rwxr-xr-x 1 root root 47092 Apr 23 19:54 whack
> + _________________________ ipsec/ls-execdir
> + ls -l /usr/lib/ipsec
> total 1384
> -rwxr-xr-x 1 root root 15859 Apr 23 19:54 _confread
> -rwxr-xr-x 1 root root 4428 Apr 23 19:54 _copyright
> -rwxr-xr-x 1 root root 2379 Apr 23 19:54 _include
> -rwxr-xr-x 1 root root 1475 Apr 23 19:54 _keycensor
> -rwxr-xr-x 1 root root 7980 Apr 23 19:54 _pluto_adns
> -rwxr-xr-x 1 root root 3586 Apr 23 19:54 _plutoload
> -rwxr-xr-x 1 root root 7059 Apr 23 19:54 _plutorun
> -rwxr-xr-x 1 root root 12275 Apr 23 19:54 _realsetup
> -rwxr-xr-x 1 root root 1975 Apr 23 19:54 _secretcensor
> -rwxr-xr-x 1 root root 9952 Apr 23 19:54 _startklips
> -rwxr-xr-x 1 root root 13912 Apr 23 19:54 _updown
> -rwxr-xr-x 1 root root 15740 Apr 23 19:54 _updown_x509
> -rwxr-xr-x 1 root root 18891 Apr 23 19:54 auto
> -rwxr-xr-x 1 root root 11331 Apr 23 19:54 barf
> -rwxr-xr-x 1 root root 816 Apr 23 19:54 calcgoo
> -rwxr-xr-x 1 root root 77348 Apr 23 19:54 eroute
> -rwxr-xr-x 1 root root 17108 Apr 23 19:54 ikeping
> -rwxr-xr-x 1 root root 1942 Apr 23 19:54 ipsec_pr.template
> -rwxr-xr-x 1 root root 60992 Apr 23 19:54 klipsdebug
> -rwxr-xr-x 1 root root 1836 Apr 23 19:54 livetest
> -rwxr-xr-x 1 root root 2605 Apr 23 19:54 look
> -rwxr-xr-x 1 root root 7147 Apr 23 19:54 mailkey
> -rwxr-xr-x 1 root root 16015 Apr 23 19:54 manual
> -rwxr-xr-x 1 root root 1926 Apr 23 19:54 newhostkey
> -rwxr-xr-x 1 root root 52160 Apr 23 19:54 pf_key
> -rwxr-xr-x 1 root root 659000 Apr 23 19:54 pluto
> -rwxr-xr-x 1 root root 6460 Apr 23 19:54 ranbits
> -rwxr-xr-x 1 root root 18588 Apr 23 19:54 rsasigkey
> -rwxr-xr-x 1 root root 766 Apr 23 19:54 secrets
> -rwxr-xr-x 1 root root 17624 Apr 23 19:54 send-pr
> lrwxrwxrwx 1 root root 17 May 9 15:50 setup -> /etc/init.d/ipsec
> -rwxr-xr-x 1 root root 1054 Apr 23 19:54 showdefaults
> -rwxr-xr-x 1 root root 4748 Apr 23 19:54 showhostkey
> -rwxr-xr-x 1 root root 118448 Apr 23 19:54 spi
> -rwxr-xr-x 1 root root 66304 Apr 23 19:54 spigrp
> -rwxr-xr-x 1 root root 9796 Apr 23 19:54 tncfg
> -rwxr-xr-x 1 root root 11623 Apr 23 19:54 verify
> -rwxr-xr-x 1 root root 47092 Apr 23 19:54 whack
> + _________________________ ipsec/updowns
> ++ ls /usr/lib/ipsec
> ++ egrep updown
> + cat /usr/lib/ipsec/_updown
> #! /bin/sh
> # iproute2 version, default updown script
> #
> # Copyright (C) 2003-2004 Nigel Metheringham
> # Copyright (C) 2002-2004 Michael Richardson <mcr at xelerance.com>
> # Copyright (C) 2003-2005 Tuomo Soini <tis at foobar.fi>
> #
> # This program is free software; you can redistribute it and/or modify it
> # under the terms of the GNU General Public License as published by the
> # Free Software Foundation; either version 2 of the License, or (at your
> # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
> #
> # This program is distributed in the hope that it will be useful, but
> # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
> # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
> # for more details.
> #
> # RCSID $Id: _updown.in,v 1.21.2.11 2006/02/20 22:57:28 paul Exp $
>
>
>
> # CAUTION: Installing a new version of Openswan will install a new
> # copy of this script, wiping out any custom changes you make. If
> # you need changes, make a copy of this under another name, and customize
> # that, and use the (left/right)updown parameters in ipsec.conf to make
> # Openswan use yours instead of this default one.
>
> LC_ALL=C export LC_ALL
>
> # things that this script gets (from ipsec_pluto(8) man page)
> #
> #
> # PLUTO_VERSION
> # indicates what version of this interface is being
> # used. This document describes version 1.1. This
> # is upwardly compatible with version 1.0.
> #
> # PLUTO_VERB
> # specifies the name of the operation to be performed
> # (prepare-host, prepare-client, up-host, up-client,
> # down-host, or down-client). If the address family
> # for security gateway to security gateway
> # communications is IPv6, then a suffix of -v6 is added
> # to the verb.
> #
> # PLUTO_CONNECTION
> # is the name of the connection for which we are
> # routing.
> #
> # PLUTO_CONN_POLICY
> # the policy of the connection, as in:
> # RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
> #
> # PLUTO_NEXT_HOP
> # is the next hop to which packets bound for the peer
> # must be sent.
> #
> # PLUTO_INTERFACE
> # is the name of the ipsec interface to be used.
> #
> # PLUTO_ME
> # is the IP address of our host.
> #
> # PLUTO_MY_CLIENT
> # is the IP address / count of our client subnet. If
> # the client is just the host, this will be the
> # host's own IP address / max (where max is 32 for
> # IPv4 and 128 for IPv6).
> #
> # PLUTO_MY_CLIENT_NET
> # is the IP address of our client net. If the client
> # is just the host, this will be the host's own IP
> # address.
> #
> # PLUTO_MY_CLIENT_MASK
> # is the mask for our client net. If the client is
> # just the host, this will be 255.255.255.255.
> #
> # PLUTO_MY_SOURCEIP
> # if non-empty, then the source address for the route will be
> # set to this IP address.
> #
> # PLUTO_MY_PROTOCOL
> # is the protocol for this connection. Useful for
> # firewalling.
> #
> # PLUTO_MY_PORT
> # is the port. Useful for firewalling.
> #
> # PLUTO_PEER
> # is the IP address of our peer.
> #
> # PLUTO_PEER_CLIENT
> # is the IP address / count of the peer's client sub
> # net. If the client is just the peer, this will be
> # the peer's own IP address / max (where max is 32
> # for IPv4 and 128 for IPv6).
> #
> # PLUTO_PEER_CLIENT_NET
> # is the IP address of the peer's client net. If the
> # client is just the peer, this will be the peer's
> # own IP address.
> #
> # PLUTO_PEER_CLIENT_MASK
> # is the mask for the peer's client net. If the
> # client is just the peer, this will be
> # 255.255.255.255.
> #
> # PLUTO_PEER_PROTOCOL
> # is the protocol set for remote end with port
> # selector.
> #
> # PLUTO_PEER_PORT
> # is the peer's port. Useful for firewalling.
> #
> # PLUTO_CONNECTION_TYPE
> #
>
> # Import default _updown configs from the /etc/default/pluto_updown file
> #
> # Two variables can be set in this file:
> #
> # DEFAULTSOURCE
> # is the default value for PLUTO_MY_SOURCEIP
> #
> # IPROUTETABLE
> # is the default value for IPROUTETABLE
> #
> # IPROUTEARGS
> # is the extra argument list for ip route command
> #
> # IPRULEARGS
> # is the extra argument list for ip rule command
> #
> if [ -f /etc/default/pluto_updown ]
> then
> . /etc/default/pluto_updown
> fi
>
> # check interface version
> case "$PLUTO_VERSION" in
> 1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
> echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
> echo "$0: called by obsolete Pluto?" >&2
> exit 2
> ;;
> 1.*) ;;
> *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
> exit 2
> ;;
> esac
>
> # check parameter(s)
> case "$1:$*" in
> ':') # no parameters
> ;;
> ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
> ;;
> custom:*) # custom parameters (see above CAUTION comment)
> ;;
> *) echo "$0: unknown parameters \`$*'" >&2
> exit 2
> ;;
> esac
>
> # utility functions for route manipulation
> # Meddling with this stuff should not be necessary and requires great care.
> uproute() {
> doroute add
> ip route flush cache
> }
>
> downroute() {
> doroute delete
> ip route flush cache
> }
>
> uprule() {
> # policy based advanced routing
> if [ -n "$IPROUTETABLE" ]
> then
> dorule delete
> dorule add
> fi
> # virtual sourceip support
> if [ -n "$PLUTO_MY_SOURCEIP" ]
> then
> addsource
> rc=$?
> if [ $rc -ne 0 ];
> then
> changesource
> fi
> fi
> ip route flush cache
> }
>
> downrule() {
> if [ -n "$IPROUTETABLE" ]
> then
> dorule delete
> ip route flush cache
> fi
> }
>
> addsource() {
> st=0
> # check if given sourceip is local and add as alias if not
> if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
> then
> it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev
> ${PLUTO_INTERFACE%:*}"
> oops="`eval $it 2>&1`"
> st=$?
> if test " $oops" = " " -a " $st" != " 0"
> then
> oops="silent error, exit status $st"
> fi
> case "$oops" in
> 'RTNETLINK answers: File exists'*)
> # should not happen, but ... ignore if the
> # address was already assigned on interface
> oops=""
> st=0
> ;;
> esac
> if test " $oops" != " " -o " $st" != " 0"
> then
> echo "$0: addsource \`$it' failed ($oops)" >&2
> fi
> fi
> return $st
> }
>
> changesource() {
> # Change used route source to destination if there is previous
> # Route to same PLUTO_PEER_CLIENT. This is basically to fix
> # configuration errors where all conns to same destination don't
> # have (left/right)sourceip set.
> st=0
> parms="$PLUTO_PEER_CLIENT dev ${PLUTO_INTERFACE%:*}"
> parms="$parms src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
> if [ -n "$IPROUTETABLE" ]
> then
> parms="$parms table $IPROUTETABLE"
> fi
> it="ip route change $parms"
> case "$PLUTO_PEER_CLIENT" in
> "0.0.0.0/0")
> # opportunistic encryption work around
> it=
> ;;
> esac
> oops="`eval $it 2>&1`"
> st=$?
> if test " $oops" = " " -a " $st" != " 0"
> then
> oops="silent error, exit status $st"
> fi
> case "$oops" in
> 'RTNETLINK answers: No such file or directory'*)
> # Will happen every time first tunnel is activated because
> # there is no previous route to PLUTO_PEER_CLIENT. So we
> # need to ignore this error.
> oops=""
> st=0
> ;;
> esac
> if test " $oops" != " " -o " $st" != " 0"
> then
> echo "$0: changesource \`$it' failed ($oops)" >&2
> fi
> return $st
> }
>
> dorule() {
> st=0
> it2=
> iprule="from $PLUTO_MY_CLIENT"
> iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
> case "$PLUTO_PEER_CLIENT" in
> "0.0.0.0/0")
> # opportunistic encryption work around
> st=0
> ;;
> *)
> if [ -z "$PLUTO_MY_SOURCEIP" ]
> then
> if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
> then
> it="ip rule $1 iif lo $iprule2"
> else
> it="ip rule $1 $iprule $iprule2"
> fi
> else
> if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
> then
> it="ip rule $1 iif lo $iprule2"
> else
> it="ip rule $1 $iprule $iprule2"
> it2="ip rule $1 iif lo $iprule2"
> fi
> fi
> oops="`eval $it 2>&1`"
> st=$?
> if test " $oops" = " " -a " $st" != " 0"
> then
> oops="silent error, exit status $st"
> fi
> case "$oops" in
> 'RTNETLINK answers: No such process'*)
> # This is what ip rule gives
> # for "could not find such a rule"
> oops=
> st=0
> ;;
> esac
> if test " $oops" != " " -o " $st" != " 0"
> then
> echo "$0: dorule \`$it' failed ($oops)" >&2
> fi
> if test "$st" = "0" -a -n "$it2"
> then
> oops="`eval $it2 2>&1`"
> st=$?
> if test " $oops" = " " -a " $st" != " 0"
> then
> oops="silent error, exit status $st"
> fi
> case "$oops" in
> 'RTNETLINK answers: No such process'*)
> # This is what ip rule gives
> # for "could not find such a rule"
> oops=
> st=0
> ;;
> esac
> if test " $oops" != " " -o " $st" != " 0"
> then
> echo "$0: dorule \`$it2' failed ($oops)" >&2
> fi
> fi
> ;;
> esac
> return $st
> }
>
>
> doroute() {
> st=0
> parms="$PLUTO_PEER_CLIENT"
> parms2=
> if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
> then
> parms2="via $PLUTO_NEXT_HOP"
> fi
> parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
> parms3="$IPROUTEARGS"
> if [ -n "$IPROUTETABLE" ]
> then
> parms3="$parms3 table $IPROUTETABLE"
> fi
>
> if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
> then
> PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
> fi
>
> if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
> then
> addsource
> parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
> fi
>
> case "$PLUTO_PEER_CLIENT" in
> "0.0.0.0/0")
> # opportunistic encryption work around
> # need to provide route that eclipses default, without
> # replacing it.
> it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
> ip route $1 128.0.0.0/1 $parms2 $parms3"
> ;;
> *) it="ip route $1 $parms $parms2 $parms3"
> ;;
> esac
> oops="`eval $it 2>&1`"
> st=$?
> if test " $oops" = " " -a " $st" != " 0"
> then
> oops="silent error, exit status $st"
> fi
> if test " $oops" != " " -o " $st" != " 0"
> then
> echo "$0: doroute \`$it' failed ($oops)" >&2
> fi
> return $st
> }
>
>
> # the big choice
> case "$PLUTO_VERB:$1" in
> prepare-host:*|prepare-client:*)
> # delete possibly-existing route (preliminary to adding a route)
> case "$PLUTO_PEER_CLIENT" in
> "0.0.0.0/0")
> # need to provide route that eclipses default, without
> # replacing it.
> parms1="0.0.0.0/1"
> parms2="128.0.0.0/1"
> it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
> oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
> ;;
> *)
> parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
> if [ -n "$IPROUTETABLE" ]
> then
> parms="$parms table $IPROUTETABLE"
> fi
> it="ip route delete $parms 2>&1"
> oops="`ip route delete $parms 2>&1`"
> ;;
> esac
> status="$?"
> if test " $oops" = " " -a " $status" != " 0"
> then
> oops="silent error, exit status $status"
> fi
> case "$oops" in
> *'RTNETLINK answers: No such process'*)
> # This is what route (currently -- not documented!) gives
> # for "could not find such a route".
> oops=
> status=0
> ;;
> esac
> if test " $oops" != " " -o " $status" != " 0"
> then
> echo "$0: \`$it' failed ($oops)" >&2
> fi
> exit $status
> ;;
> route-host:*|route-client:*)
> # connection to me or my client subnet being routed
> uproute
> ;;
> unroute-host:*|unroute-client:*)
> # connection to me or my client subnet being unrouted
> downroute
> ;;
> up-host:*)
> # connection to me coming up
> uprule
> # If you are doing a custom version, firewall commands go here.
> ;;
> down-host:*)
> # connection to me going down
> downrule
> # If you are doing a custom version, firewall commands go here.
> ;;
> up-client:)
> # connection to my client subnet coming up
> uprule
> # If you are doing a custom version, firewall commands go here.
> ;;
> down-client:)
> # connection to my client subnet going down
> downrule
> # If you are doing a custom version, firewall commands go here.
> ;;
> up-client:ipfwadm)
> # connection to client subnet, with (left/right)firewall=yes, coming up
> uprule
> # This is used only by the default updown script, not by your custom
> # ones, so do not mess with it; see CAUTION comment up at top.
> ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
> ;;
> down-client:ipfwadm)
> # connection to client subnet, with (left/right)firewall=yes, going down
> downrule
> # This is used only by the default updown script, not by your custom
> # ones, so do not mess with it; see CAUTION comment up at top.
> ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
> ;;
> #
> # IPv6
> #
> prepare-host-v6:*|prepare-client-v6:*)
> ;;
> route-host-v6:*|route-client-v6:*)
> # connection to me or my client subnet being routed
> #uproute_v6
> ;;
> unroute-host-v6:*|unroute-client-v6:*)
> # connection to me or my client subnet being unrouted
> #downroute_v6
> ;;
> up-host-v6:*)
> # connection to me coming up
> # If you are doing a custom version, firewall commands go here.
> ;;
> down-host-v6:*)
> # connection to me going down
> # If you are doing a custom version, firewall commands go here.
> ;;
> up-client-v6:)
> # connection to my client subnet coming up
> # If you are doing a custom version, firewall commands go here.
> ;;
> down-client-v6:)
> # connection to my client subnet going down
> # If you are doing a custom version, firewall commands go here.
> ;;
> *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
> exit 1
> ;;
> esac
> + cat /usr/lib/ipsec/_updown_x509
> #! /bin/sh
> #
> # customized updown script
> #
>
> # logging of VPN connections
> #
> # tag put in front of each log entry:
> TAG=vpn
> #
> # syslog facility and priority used:
> FAC_PRIO=local0.notice
> #
> # to create a special vpn logging file, put the following line into
> # the syslog configuration file /etc/syslog.conf:
> #
> # local0.notice -/var/log/vpn
> #
> # are there port numbers?
> if [ "$PLUTO_MY_PORT" != 0 ]
> then
> S_MY_PORT="--sport $PLUTO_MY_PORT"
> D_MY_PORT="--dport $PLUTO_MY_PORT"
> fi
> if [ "$PLUTO_PEER_PORT" != 0 ]
> then
> S_PEER_PORT="--sport $PLUTO_PEER_PORT"
> D_PEER_PORT="--dport $PLUTO_PEER_PORT"
> fi
>
> # CAUTION: Installing a new version of Openswan will install a new
> # copy of this script, wiping out any custom changes you make. If
> # you need changes, make a copy of this under another name, and customize
> # that, and use the (left/right)updown parameters in ipsec.conf to make
> # Openswan use yours instead of this default one.
>
> LC_ALL=C export LC_ALL
>
> # things that this script gets (from ipsec_pluto(8) man page)
> #
> #
> # PLUTO_VERSION
> # indicates what version of this interface is being
> # used. This document describes version 1.1. This
> # is upwardly compatible with version 1.0.
> #
> # PLUTO_VERB
> # specifies the name of the operation to be performed
> # (prepare-host, prepare-client, up-host, up-client,
> # down-host, or down-client). If the address family
> # for security gateway to security gateway communica
> # tions is IPv6, then a suffix of -v6 is added to the
> # verb.
> #
> # PLUTO_CONNECTION
> # is the name of the connection for which we are
> # routing.
> #
> # PLUTO_CONN_POLICY
> # the policy of the connection, as in:
> # RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
> #
> # PLUTO_NEXT_HOP
> # is the next hop to which packets bound for the peer
> # must be sent.
> #
> # PLUTO_INTERFACE
> # is the name of the ipsec interface to be used.
> #
> # PLUTO_ME
> # is the IP address of our host.
> #
> # PLUTO_MY_CLIENT
> # is the IP address / count of our client subnet. If
> # the client is just the host, this will be the
> # host's own IP address / max (where max is 32 for
> # IPv4 and 128 for IPv6).
> #
> # PLUTO_MY_CLIENT_NET
> # is the IP address of our client net. If the client
> # is just the host, this will be the host's own IP
> # address.
> #
> # PLUTO_MY_CLIENT_MASK
> # is the mask for our client net. If the client is
> # just the host, this will be 255.255.255.255.
> #
> # PLUTO_MY_SOURCEIP
> # if non-empty, then the source address for the route will be
> # set to this IP address.
> #
> # PLUTO_MY_PROTOCOL
> # is the protocol for this connection. Useful for
> # firewalling.
> #
> # PLUTO_MY_PORT
> # is the port. Useful for firewalling.
> #
> # PLUTO_PEER
> # is the IP address of our peer.
> #
> # PLUTO_PEER_CLIENT
> # is the IP address / count of the peer's client sub
> # net. If the client is just the peer, this will be
> # the peer's own IP address / max (where max is 32
> # for IPv4 and 128 for IPv6).
> #
> # PLUTO_PEER_CLIENT_NET
> # is the IP address of the peer's client net. If the
> # client is just the peer, this will be the peer's
> # own IP address.
> #
> # PLUTO_PEER_CLIENT_MASK
> # is the mask for the peer's client net. If the
> # client is just the peer, this will be
> # 255.255.255.255.
> #
> # PLUTO_PEER_PROTOCOL
> # is the protocol set for remote end with port
> # selector.
> #
> # PLUTO_PEER_PORT
> # is the peer's port. Useful for firewalling.
> #
> # PLUTO_CONNECTION_TYPE
> #
>
> # Import default _updown configs from the /etc/default/pluto_updown file
> #
> # Two variables can be set in this file:
> #
> # DEFAULTSOURCE
> # is the default value for PLUTO_MY_SOURCEIP
> #
> # IPROUTETABLE
> # is the default value for IPROUTETABLE
> #
> # IPROUTEARGS
> # is the extra argument list for ip route command
> #
> # IPRULEARGS
> # is the extra argument list for ip rule command
> #
> if [ -f /etc/default/pluto_updown ]
> then
> . /etc/default/pluto_updown
> fi
>
> # check interface version
> case "$PLUTO_VERSION" in
> 1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
> echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
> echo "$0: called by obsolete Pluto?" >&2
> exit 2
> ;;
> 1.*) ;;
> *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
> exit 2
> ;;
> esac
>
> # check parameter(s)
> case "$1:$*" in
> ':') # no parameters
> ;;
> ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
> ;;
> custom:*) # custom parameters (see above CAUTION comment)
> ;;
> *) echo "$0: unknown parameters \`$*'" >&2
> exit 2
> ;;
> esac
>
> # utility functions for route manipulation
> # Meddling with this stuff should not be necessary and requires great care.
> uproute() {
> doroute add
> ip route flush cache
> }
>
> downroute() {
> doroute delete
> ip route flush cache
> }
>
> uprule() {
> # policy based advanced routing
> if [ -n "$IPROUTETABLE" ]
> then
> dorule delete
> dorule add
> fi
> # virtual sourceip support
> if [ -n "$PLUTO_MY_SOURCEIP" ]
> then
> addsource
> changesource
> fi
> ip route flush cache
> }
>
> downrule() {
> if [ -n "$IPROUTETABLE" ]
> then
> dorule delete
> ip route flush cache
> fi
> }
>
> addsource() {
> st=0
> if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
> then
> it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
> oops="`eval $it 2>&1`"
> st=$?
> if test " $oops" = " " -a " $st" != " 0"
> then
> oops="silent error, exit status $st"
> fi
> if test " $oops" != " " -o " $st" != " 0"
> then
> echo "$0: addsource \`$it' failed ($oops)" >&2
> fi
> fi
> return $st
> }
>
> changesource() {
> st=0
> parms="$PLUTO_PEER_CLIENT"
> parms2="dev ${PLUTO_INTERFACE%:*}"
> parms3="src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
> if [ -n "$IPROUTETABLE" ]
> then
> parms3="$parms3 table '$IPROUTETABLE'"
> fi
> case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
> "0.0.0.0/0.0.0.0")
> # opportunistic encryption work around
> it=
> ;;
> esac
> oops="`eval $it 2>&1`"
> st=$?
> if test " $oops" = " " -a " $st" != " 0"
> then
> oops="silent error, exit status $st"
> fi
> if test " $oops" != " " -o " $st" != " 0"
> then
> echo "$0: changesource \`$it' failed ($oops)" >&2
> fi
> return $st
> }
>
> dorule() {
> st=0
> it2=
> iprule="from $PLUTO_MY_CLIENT"
> iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
> case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
> "0.0.0.0/0.0.0.0")
> # opportunistic encryption work around
> st=0
> ;;
> *)
> if [ -z "$PLUTO_MY_SOURCEIP" ]
> then
> if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
> then
> it="ip rule $1 iif lo $iprule2"
> else
> it="ip rule $1 $iprule $iprule2"
> fi
> else
> if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
> then
> it="ip rule $1 iif lo $iprule2"
> else
> it="ip rule $1 $iprule $iprule2"
> it2="ip rule $1 iif lo $iprule2"
> fi
> fi
> oops="`eval $it 2>&1`"
> st=$?
> if test " $oops" = " " -a " $st" != " 0"
> then
> oops="silent error, exit status $st"
> fi
> case "$oops" in
> 'RTNETLINK answers: No such process'*)
> # This is what ip rule gives
> # for "could not find such a rule"
> oops=
> st=0
> ;;
> esac
> if test " $oops" != " " -o " $st" != " 0"
> then
> echo "$0: dorule \`$it' failed ($oops)" >&2
> fi
> if test "$st" = "0" -a -n "$it2"
> then
> oops="`eval $it2 2>&1`"
> st=$?
> if test " $oops" = " " -a " $st" != " 0"
> then
> oops="silent error, exit status $st"
> fi
> case "$oops" in
> 'RTNETLINK answers: No such process'*)
> # This is what ip rule gives
> # for "could not find such a rule"
> oops=
> st=0
> ;;
> esac
> if test " $oops" != " " -o " $st" != " 0"
> then
> echo "$0: dorule \`$it2' failed ($oops)" >&2
> fi
> fi
> ;;
> esac
> return $st
> }
>
>
> doroute() {
> st=0
> parms="$PLUTO_PEER_CLIENT"
> parms2=
> if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
> then
> parms2="via $PLUTO_NEXT_HOP"
> fi
> parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
> parms3="$IPROUTEARGS"
> if [ -n "$IPROUTETABLE" ]
> then
> parms3="$parms3 table $IPROUTETABLE"
> fi
>
> if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
> then
> PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
> fi
>
> if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
> then
> addsource
> parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
> fi
>
> case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
> "0.0.0.0/0.0.0.0")
> # opportunistic encryption work around
> # need to provide route that eclipses default, without
> # replacing it.
> it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
> ip route $1 128.0.0.0/1 $parms2 $parms3"
> ;;
> *) it="ip route $1 $parms $parms2 $parms3"
> ;;
> esac
> oops="`eval $it 2>&1`"
> st=$?
> if test " $oops" = " " -a " $st" != " 0"
> then
> oops="silent error, exit status $st"
> fi
> if test " $oops" != " " -o " $st" != " 0"
> then
> echo "$0: doroute \`$it' failed ($oops)" >&2
> fi
> return $st
> }
>
>
> # the big choice
> case "$PLUTO_VERB:$1" in
> prepare-host:*|prepare-client:*)
> # delete possibly-existing route (preliminary to adding a route)
> case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
> "0.0.0.0/0.0.0.0")
> # need to provide route that eclipses default, without
> # replacing it.
> parms1="0.0.0.0/1"
> parms2="128.0.0.0/1"
> it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
> oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
> ;;
> *)
> parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
> if [ -n "$IPROUTETABLE" ]
> then
> parms="$parms table $IPROUTETABLE"
> fi
> it="ip route delete $parms 2>&1"
> oops="`ip route delete $parms 2>&1`"
> ;;
> esac
> status="$?"
> if test " $oops" = " " -a " $status" != " 0"
> then
> oops="silent error, exit status $status"
> fi
> case "$oops" in
> *'RTNETLINK answers: No such process'*)
> # This is what route (currently -- not documented!) gives
> # for "could not find such a route".
> oops=
> status=0
> ;;
> esac
> if test " $oops" != " " -o " $status" != " 0"
> then
> echo "$0: \`$it' failed ($oops)" >&2
> fi
> exit $status
> ;;
> route-host:*|route-client:*)
> # connection to me or my client subnet being routed
> uproute
> ;;
> unroute-host:*|unroute-client:*)
> # connection to me or my client subnet being unrouted
> downroute
> ;;
> up-host:*)
> # connection to me coming up
> uprule
> # If you are doing a custom version, firewall commands go here.
> iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
> -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
> -d $PLUTO_ME $D_MY_PORT -j ACCEPT
> iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
> -s $PLUTO_ME $S_MY_PORT \
> -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
> #
> if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
> then
> logger -t $TAG -p $FAC_PRIO \
> "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
> else
> logger -t $TAG -p $FAC_PRIO \
> "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
> fi
> ;;
> down-host:*)
> # connection to me going down
> downrule
> # If you are doing a custom version, firewall commands go here.
> iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
> -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
> -d $PLUTO_ME $D_MY_PORT -j ACCEPT
> iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
> -s $PLUTO_ME $S_MY_PORT \
> -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
> #
> if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
> then
> logger -t $TAG -p $FAC_PRIO -- \
> "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
> else
> logger -t $TAG -p $FAC_PRIO -- \
> "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
> fi
> ;;
> up-client:)
> # connection to my client subnet coming up
> uprule
> # If you are doing a custom version, firewall commands go here.
> iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
> -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
> -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
> iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
> -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
> -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
> #
> if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
> then
> logger -t $TAG -p $FAC_PRIO \
> "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
> else
> logger -t $TAG -p $FAC_PRIO \
> "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
> fi
> ;;
> down-client:)
> # connection to my client subnet going down
> downrule
> # If you are doing a custom version, firewall commands go here.
> iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
> -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
> -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
> iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
> -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
> -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
> #
> if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
> then
> logger -t $TAG -p $FAC_PRIO -- \
> "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
> else
> logger -t $TAG -p $FAC_PRIO -- \
> "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
> fi
> ;;
> up-client:ipfwadm)
> # connection to client subnet, with (left/right)firewall=yes, coming up
> uprule
> # This is used only by the default updown script, not by your custom
> # ones, so do not mess with it; see CAUTION comment up at top.
> ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
> ;;
> down-client:ipfwadm)
> # connection to client subnet, with (left/right)firewall=yes, going down
> downrule
> # This is used only by the default updown script, not by your custom
> # ones, so do not mess with it; see CAUTION comment up at top.
> ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
> ;;
> #
> # IPv6
> #
> prepare-host-v6:*|prepare-client-v6:*)
> ;;
> route-host-v6:*|route-client-v6:*)
> # connection to me or my client subnet being routed
> #uproute_v6
> ;;
> unroute-host-v6:*|unroute-client-v6:*)
> # connection to me or my client subnet being unrouted
> #downroute_v6
> ;;
> up-host-v6:*)
> # connection to me coming up
> # If you are doing a custom version, firewall commands go here.
> ;;
> down-host-v6:*)
> # connection to me going down
> # If you are doing a custom version, firewall commands go here.
> ;;
> up-client-v6:)
> # connection to my client subnet coming up
> # If you are doing a custom version, firewall commands go here.
> ;;
> down-client-v6:)
> # connection to my client subnet going down
> # If you are doing a custom version, firewall commands go here.
> ;;
> *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
> exit 1
> ;;
> esac
> + _________________________ /proc/net/dev
> + cat /proc/net/dev
> Inter-|   Receive                                                  |  Transmit
>  face |   bytes packets errs drop fifo frame compressed multicast|   bytes packets errs drop fifo colls carrier compressed
>     lo:    6729      60    0    0    0     0          0         0     6729      60    0    0    0     0       0          0
>   eth0:15367386  113210    0    0    0     0          0         0  4206684   15884    0    0    0     0       0          0
>   eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
>   sit0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
> ipsec0:       0       0    0    0    0     0          0         0   473376    3132    0   16    0     0       0          0
> ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
> ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
> ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
>   ppp0:   48265     208    0    0    0     0          0         0    34036     159    0    0    0     0       0          0
> + _________________________ /proc/net/route
> + cat /proc/net/route
> Iface   Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
> ppp0    FE977BC8    00000000 0005  0      0   0      FFFFFFFF 0   0      0
> ipsec0  FE977BC8    00000000 0005  0      0   0      FFFFFFFF 0   0      0
> eth0    0003A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0
> ipsec0  0001A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0
> eth1    0001FA0A    00000000 0001  0      0   0      00FFFFFF 0   0      0
> ppp0    00000000    FE977BC8 0003  0      0   0      00000000 0   0      0
> + _________________________ /proc/sys/net/ipv4/ip_forward
> + cat /proc/sys/net/ipv4/ip_forward
> 1
> + _________________________ /proc/sys/net/ipv4/tcp_ecn
> + cat /proc/sys/net/ipv4/tcp_ecn
> 0
> + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
> + cd /proc/sys/net/ipv4/conf
> + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter ppp0/rp_filter
> all/rp_filter:1
> default/rp_filter:1
> eth0/rp_filter:1
> eth1/rp_filter:1
> ipsec0/rp_filter:1
> lo/rp_filter:1
> ppp0/rp_filter:0
> + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
> + cd /proc/sys/net/ipv4/conf
> + egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects ipsec0/accept_redirects ipsec0/secure_redirects ipsec0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects ppp0/accept_redirects ppp0/secure_redirects ppp0/send_redirects
> all/accept_redirects:0
> all/secure_redirects:1
> all/send_redirects:1
> default/accept_redirects:1
> default/secure_redirects:1
> default/send_redirects:1
> eth0/accept_redirects:1
> eth0/secure_redirects:1
> eth0/send_redirects:1
> eth1/accept_redirects:1
> eth1/secure_redirects:1
> eth1/send_redirects:1
> ipsec0/accept_redirects:1
> ipsec0/secure_redirects:1
> ipsec0/send_redirects:1
> lo/accept_redirects:1
> lo/secure_redirects:1
> lo/send_redirects:1
> ppp0/accept_redirects:1
> ppp0/secure_redirects:1
> ppp0/send_redirects:1
> + _________________________ /proc/sys/net/ipv4/tcp_window_scaling
> + cat /proc/sys/net/ipv4/tcp_window_scaling
> 1
> + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
> + cat /proc/sys/net/ipv4/tcp_adv_win_scale
> 2
> + _________________________ uname-a
> + uname -a
> Linux gwa 2.6.16-1-686 #2 Fri May 5 04:56:53 UTC 2006 i686 GNU/Linux
> + _________________________ config-built-with
> + test -r /proc/config_built_with
> + _________________________ distro-release
> + test -f /etc/redhat-release
> + test -f /etc/debian-release
> + test -f /etc/SuSE-release
> + test -f /etc/mandrake-release
> + test -f /etc/mandriva-release
> + test -f /etc/gentoo-release
> + _________________________ /proc/net/ipsec_version
> + test -r /proc/net/ipsec_version
> + cat /proc/net/ipsec_version
> Openswan version: 2.4.5
> + _________________________ ipfwadm
> + test -r /sbin/ipfwadm
> + ipfwadm -F -l -n -e
> Generic IP Firewall Chains not in this kernel
> + _________________________
> + ipfwadm -I -l -n -e
> Generic IP Firewall Chains not in this kernel
> + _________________________
> + ipfwadm -O -l -n -e
> Generic IP Firewall Chains not in this kernel
> + _________________________
> + ipfwadm -M -l -n -e
> Generic IP Firewall Chains not in this kernel
> + _________________________ ipchains
> + test -r /sbin/ipchains
> + ipchains -L -v -n
> ipchains: Incompatible with this kernel
> + _________________________
> + ipchains -M -L -v -n
> ipchains: cannot open file `/proc/net/ip_masquerade'
> + _________________________ iptables
> + test -r /sbin/iptables
> + iptables -L -v -n
> Chain INPUT (policy ACCEPT 15975 packets, 3424K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 8179 packets, 1381K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> + _________________________ iptables-nat
> + iptables -t nat -L -v -n
> Chain PREROUTING (policy ACCEPT 23904 packets, 4626K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 36 packets, 3712 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MASQUERADE  all  --  *      ppp0    10.250.1.0/24        !192.168.1.0/24
>
> Chain OUTPUT (policy ACCEPT 36 packets, 3712 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> + _________________________ iptables-mangle
> + iptables -t mangle -L -v -n
> Chain PREROUTING (policy ACCEPT 37360 packets, 7260K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 15975 packets, 3424K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 8179 packets, 1381K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 8179 packets, 1381K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> + _________________________ /proc/modules
> + test -f /proc/modules
> + cat /proc/modules
> iptable_mangle 2816 0 - Live 0xbfae8000
> iptable_filter 2944 0 - Live 0xbf996000
> ipt_MASQUERADE 3392 1 - Live 0xbfacc000
> iptable_nat 8132 1 - Live 0xbfb00000
> ip_nat 17004 2 ipt_MASQUERADE,iptable_nat, Live 0xbfb07000
> ip_conntrack 51532 3 ipt_MASQUERADE,iptable_nat,ip_nat, Live 0xbfb17000
> nfnetlink 6328 2 ip_nat,ip_conntrack, Live 0xbfaf9000
> ip_tables 11928 3 iptable_mangle,iptable_filter,iptable_nat, Live 0xbfae4000
> x_tables 11908 3 ipt_MASQUERADE,iptable_nat,ip_tables, Live 0xbfaac000
> ipsec 323020 1 - Live 0xbfbbf000
> ppp_deflate 5920 0 - Live 0xbfb04000
> bsd_comp 5696 0 - Live 0xbfaf6000
> ppp_async 10336 1 - Live 0xbfaea000
> crc_ccitt 2112 1 ppp_async, Live 0xbface000
> ppp_generic 26644 7 ppp_deflate,bsd_comp,ppp_async, Live 0xbfaee000
> slhc 6528 1 ppp_generic, Live 0xbfad0000
> mousedev 11328 0 - Live 0xbf9bd000
> tsdev 7520 0 - Live 0xbfab3000
> ipv6 229824 20 - Live 0xbfb28000
> ipcomp 7496 0 - Live 0xbfab0000
> esp4 7520 0 - Live 0xbf9df000
> ah4 6272 0 - Live 0xbf9c8000
> deflate 3936 0 - Live 0xbf8e9000
> zlib_deflate 19224 2 ppp_deflate,deflate, Live 0xbfac6000
> twofish 37440 0 - Live 0xbfad4000
> serpent 18048 0 - Live 0xbfac0000
> aes 31296 0 - Live 0xbfab7000
> blowfish 8160 0 - Live 0xbf9c5000
> des 15520 0 - Live 0xbf9cb000
> sha256 9152 0 - Live 0xbf9c1000
> sha1 2432 0 - Live 0xbf8eb000
> crypto_null 2528 0 - Live 0xbf8a4000
> dm_mod 53144 0 - Live 0xbfa20000
> evdev 9408 0 - Live 0xbf977000
> psmouse 36200 0 - Live 0xbfa16000
> serio_raw 6820 0 - Live 0xbf8f6000
> 3c59x 41640 0 - Live 0xbfa0a000
> parport_pc 32996 0 - Live 0xbfa00000
> parport 33672 1 parport_pc, Live 0xbf99d000
> floppy 56804 0 - Live 0xbf9d0000
> pcspkr 3140 0 - Live 0xbf8de000
> rtc 11828 0 - Live 0xbf973000
> snd_hda_intel 16944 0 - Live 0xbf990000
> snd_hda_codec 116576 1 snd_hda_intel, Live 0xbf9e2000
> snd_pcm 79112 2 snd_hda_intel,snd_hda_codec, Live 0xbf9a8000
> snd_timer 22116 1 snd_pcm, Live 0xbf97b000
> snd 49092 4 snd_hda_intel,snd_hda_codec,snd_pcm,snd_timer, Live 0xbf983000
> soundcore 9216 1 snd, Live 0xbf8f2000
> snd_page_alloc 10440 2 snd_hda_intel,snd_pcm, Live 0xbf8ee000
> uhci_hcd 29744 0 - Live 0xbf96a000
> ehci_hcd 28968 0 - Live 0xbf961000
> via_rhine 21956 0 - Live 0xbf8bf000
> shpchp 42816 0 - Live 0xbf955000
> pci_hotplug 26356 1 shpchp, Live 0xbf94d000
> ide_cd 39076 0 - Live 0xbf942000
> cdrom 36352 1 ide_cd, Live 0xbf938000
> mii 5344 2 3c59x,via_rhine, Live 0xbf8bc000
> via_agp 9632 1 - Live 0xbf8b5000
> agpgart 33072 1 via_agp, Live 0xbf8d4000
> usbcore 119364 3 uhci_hcd,ehci_hcd, Live 0xbf919000
> ext3 125800 5 - Live 0xbf8f9000
> jbd 50676 1 ext3, Live 0xbf8c6000
> mbcache 8164 1 ext3, Live 0xbf897000
> ide_disk 15584 7 - Live 0xbf8b0000
> ide_generic 1408 0 [permanent], Live 0xbf8a2000
> via82cxxx 8900 0 [permanent], Live 0xbf8a6000
> trm290 4260 0 [permanent], Live 0xbf89f000
> triflex 3872 0 [permanent], Live 0xbf89d000
> slc90e66 5568 0 [permanent], Live 0xbf89a000
> sis5513 14792 0 [permanent], Live 0xbf882000
> siimage 11264 0 [permanent], Live 0xbf893000
> serverworks 8680 0 [permanent], Live 0xbf88f000
> sc1200 7072 0 [permanent], Live 0xbf834000
> rz1000 2784 0 [permanent], Live 0xbf83d000
> piix 9956 0 [permanent], Live 0xbf88b000
> pdc202xx_old 10336 0 [permanent], Live 0xbf887000
> opti621 4324 0 [permanent], Live 0xbf874000
> ns87415 4296 0 [permanent], Live 0xbf871000
> it821x 8228 0 [permanent], Live 0xbf87e000
> hpt366 17696 0 [permanent], Live 0xbf878000
> hpt34x 5056 0 [permanent], Live 0xbf84f000
> generic 4612 0 [permanent], Live 0xbf84c000
> cy82c693 4612 0 [permanent], Live 0xbf849000
> cs5535 6368 0 [permanent], Live 0xbf846000
> cs5530 5184 0 [permanent], Live 0xbf843000
> cs5520 4704 0 [permanent], Live 0xbf83a000
> cmd64x 10908 0 [permanent], Live 0xbf83f000
> atiixp 5744 0 [permanent], Live 0xbf837000
> amd74xx 13660 0 [permanent], Live 0xbf81d000
> alim15x3 11276 0 [permanent], Live 0xbf80d000
> aec62xx 7136 0 [permanent], Live 0xbf81a000
> pdc202xx_new 8160 0 [permanent], Live 0xbf811000
> ide_core 116788 30
> ide_cd,ide_disk,ide_generic,via82cxxx,trm290,triflex,slc90e66,sis5513,siimage,serverworks,sc1200,rz1000,piix,pdc202xx_old,opti621,ns87415,it821x,hpt366,hpt34x,generic,cy82c693,cs5535,cs5530,cs5520,cmd64x,atiixp,amd74xx,alim15x3,aec62xx,pdc202xx_new,
> Live 0xbf853000
> raid1 20160 6 - Live 0xbf814000
> md_mod 68788 7 raid1, Live 0xbf822000
> + _________________________ /proc/meminfo
> + cat /proc/meminfo
> MemTotal: 240616 kB
> MemFree: 11592 kB
> Buffers: 66708 kB
> Cached: 99500 kB
> SwapCached: 0 kB
> Active: 91868 kB
> Inactive: 85820 kB
> HighTotal: 0 kB
> HighFree: 0 kB
> LowTotal: 240616 kB
> LowFree: 11592 kB
> SwapTotal: 979832 kB
> SwapFree: 979724 kB
> Dirty: 76 kB
> Writeback: 0 kB
> Mapped: 18948 kB
> Slab: 46684 kB
> CommitLimit: 1100140 kB
> Committed_AS: 53004 kB
> PageTables: 504 kB
> VmallocTotal: 1048568 kB
> VmallocUsed: 3676 kB
> VmallocChunk: 1044412 kB
> + _________________________ /proc/net/ipsec-ls
> + test -f /proc/net/ipsec_version
> + ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug
> /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg
> /proc/net/ipsec_version
> lrwxrwxrwx 1 root root 16 May 13 10:27 /proc/net/ipsec_eroute ->
> ipsec/eroute/all
> lrwxrwxrwx 1 root root 16 May 13 10:27 /proc/net/ipsec_klipsdebug ->
> ipsec/klipsdebug
> lrwxrwxrwx 1 root root 13 May 13 10:27 /proc/net/ipsec_spi -> ipsec/spi/all
> lrwxrwxrwx 1 root root 16 May 13 10:27 /proc/net/ipsec_spigrp ->
> ipsec/spigrp/all
> lrwxrwxrwx 1 root root 11 May 13 10:27 /proc/net/ipsec_tncfg -> ipsec/tncfg
> lrwxrwxrwx 1 root root 13 May 13 10:27 /proc/net/ipsec_version -> ipsec/version
> + _________________________ usr/src/linux/.config
> + test -f /proc/config.gz
> ++ uname -r
> + test -f /lib/modules/2.6.16-1-686/build/.config
> ++ uname -r
> + cat /lib/modules/2.6.16-1-686/build/.config
> + egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV'
> CONFIG_NET_KEY=m
> CONFIG_INET=y
> CONFIG_IP_MULTICAST=y
> CONFIG_IP_ADVANCED_ROUTER=y
> # CONFIG_IP_FIB_TRIE is not set
> CONFIG_IP_FIB_HASH=y
> CONFIG_IP_MULTIPLE_TABLES=y
> CONFIG_IP_ROUTE_FWMARK=y
> CONFIG_IP_ROUTE_MULTIPATH=y
> CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
> CONFIG_IP_ROUTE_MULTIPATH_RR=m
> CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m
> CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m
> CONFIG_IP_ROUTE_MULTIPATH_DRR=m
> CONFIG_IP_ROUTE_VERBOSE=y
> # CONFIG_IP_PNP is not set
> CONFIG_IP_MROUTE=y
> CONFIG_IP_PIMSM_V1=y
> CONFIG_IP_PIMSM_V2=y
> CONFIG_INET_AH=m
> CONFIG_INET_ESP=m
> CONFIG_INET_IPCOMP=m
> CONFIG_INET_TUNNEL=m
> CONFIG_INET_DIAG=m
> CONFIG_INET_TCP_DIAG=m
> CONFIG_IP_VS=m
> # CONFIG_IP_VS_DEBUG is not set
> CONFIG_IP_VS_TAB_BITS=12
> CONFIG_IP_VS_PROTO_TCP=y
> CONFIG_IP_VS_PROTO_UDP=y
> CONFIG_IP_VS_PROTO_ESP=y
> CONFIG_IP_VS_PROTO_AH=y
> CONFIG_IP_VS_RR=m
> CONFIG_IP_VS_WRR=m
> CONFIG_IP_VS_LC=m
> CONFIG_IP_VS_WLC=m
> CONFIG_IP_VS_LBLC=m
> CONFIG_IP_VS_LBLCR=m
> CONFIG_IP_VS_DH=m
> CONFIG_IP_VS_SH=m
> CONFIG_IP_VS_SED=m
> CONFIG_IP_VS_NQ=m
> CONFIG_IP_VS_FTP=m
> CONFIG_IPV6=m
> CONFIG_IPV6_PRIVACY=y
> CONFIG_INET6_AH=m
> CONFIG_INET6_ESP=m
> CONFIG_INET6_IPCOMP=m
> CONFIG_INET6_TUNNEL=m
> CONFIG_IPV6_TUNNEL=m
> CONFIG_IP_NF_CONNTRACK=m
> CONFIG_IP_NF_CT_ACCT=y
> CONFIG_IP_NF_CONNTRACK_MARK=y
> CONFIG_IP_NF_CONNTRACK_EVENTS=y
> CONFIG_IP_NF_CONNTRACK_NETLINK=m
> CONFIG_IP_NF_CT_PROTO_SCTP=m
> CONFIG_IP_NF_FTP=m
> CONFIG_IP_NF_IRC=m
> CONFIG_IP_NF_NETBIOS_NS=m
> CONFIG_IP_NF_TFTP=m
> CONFIG_IP_NF_AMANDA=m
> CONFIG_IP_NF_PPTP=m
> CONFIG_IP_NF_QUEUE=m
> CONFIG_IP_NF_IPTABLES=m
> CONFIG_IP_NF_MATCH_IPRANGE=m
> CONFIG_IP_NF_MATCH_MULTIPORT=m
> CONFIG_IP_NF_MATCH_TOS=m
> CONFIG_IP_NF_MATCH_RECENT=m
> CONFIG_IP_NF_MATCH_ECN=m
> CONFIG_IP_NF_MATCH_DSCP=m
> CONFIG_IP_NF_MATCH_AH_ESP=m
> CONFIG_IP_NF_MATCH_TTL=m
> CONFIG_IP_NF_MATCH_OWNER=m
> CONFIG_IP_NF_MATCH_ADDRTYPE=m
> CONFIG_IP_NF_MATCH_HASHLIMIT=m
> CONFIG_IP_NF_MATCH_POLICY=m
> CONFIG_IP_NF_FILTER=m
> CONFIG_IP_NF_TARGET_REJECT=m
> CONFIG_IP_NF_TARGET_LOG=m
> CONFIG_IP_NF_TARGET_ULOG=m
> CONFIG_IP_NF_TARGET_TCPMSS=m
> CONFIG_IP_NF_NAT=m
> CONFIG_IP_NF_NAT_NEEDED=y
> CONFIG_IP_NF_TARGET_MASQUERADE=m
> CONFIG_IP_NF_TARGET_REDIRECT=m
> CONFIG_IP_NF_TARGET_NETMAP=m
> CONFIG_IP_NF_TARGET_SAME=m
> CONFIG_IP_NF_NAT_SNMP_BASIC=m
> CONFIG_IP_NF_NAT_IRC=m
> CONFIG_IP_NF_NAT_FTP=m
> CONFIG_IP_NF_NAT_TFTP=m
> CONFIG_IP_NF_NAT_AMANDA=m
> CONFIG_IP_NF_NAT_PPTP=m
> CONFIG_IP_NF_MANGLE=m
> CONFIG_IP_NF_TARGET_TOS=m
> CONFIG_IP_NF_TARGET_ECN=m
> CONFIG_IP_NF_TARGET_DSCP=m
> CONFIG_IP_NF_TARGET_TTL=m
> CONFIG_IP_NF_TARGET_CLUSTERIP=m
> CONFIG_IP_NF_RAW=m
> CONFIG_IP_NF_ARPTABLES=m
> CONFIG_IP_NF_ARPFILTER=m
> CONFIG_IP_NF_ARP_MANGLE=m
> CONFIG_IP6_NF_QUEUE=m
> CONFIG_IP6_NF_IPTABLES=m
> CONFIG_IP6_NF_MATCH_RT=m
> CONFIG_IP6_NF_MATCH_OPTS=m
> CONFIG_IP6_NF_MATCH_FRAG=m
> CONFIG_IP6_NF_MATCH_HL=m
> CONFIG_IP6_NF_MATCH_MULTIPORT=m
> CONFIG_IP6_NF_MATCH_OWNER=m
> CONFIG_IP6_NF_MATCH_IPV6HEADER=m
> CONFIG_IP6_NF_MATCH_AHESP=m
> CONFIG_IP6_NF_MATCH_EUI64=m
> CONFIG_IP6_NF_MATCH_POLICY=m
> CONFIG_IP6_NF_FILTER=m
> CONFIG_IP6_NF_TARGET_LOG=m
> CONFIG_IP6_NF_TARGET_REJECT=m
> CONFIG_IP6_NF_MANGLE=m
> CONFIG_IP6_NF_TARGET_HL=m
> CONFIG_IP6_NF_RAW=m
> CONFIG_IP_DCCP=m
> CONFIG_INET_DCCP_DIAG=m
> CONFIG_IP_DCCP_CCID3=m
> CONFIG_IP_DCCP_TFRC_LIB=m
> # CONFIG_IP_DCCP_DEBUG is not set
> # CONFIG_IP_DCCP_UNLOAD_HACK is not set
> CONFIG_IP_SCTP=m
> CONFIG_IPX=m
> # CONFIG_IPX_INTERN is not set
> CONFIG_IPDDP=m
> CONFIG_IPDDP_ENCAP=y
> CONFIG_IPDDP_DECAP=y
> CONFIG_IPW2100=m
> CONFIG_IPW2100_MONITOR=y
> # CONFIG_IPW2100_DEBUG is not set
> CONFIG_IPW2200=m
> # CONFIG_IPW2200_DEBUG is not set
> CONFIG_IPPP_FILTER=y
> CONFIG_IPMI_HANDLER=m
> # CONFIG_IPMI_PANIC_EVENT is not set
> CONFIG_IPMI_DEVICE_INTERFACE=m
> CONFIG_IPMI_SI=m
> CONFIG_IPMI_WATCHDOG=m
> CONFIG_IPMI_POWEROFF=m
> CONFIG_HW_RANDOM=m
> CONFIG_CRYPTO_DEV_PADLOCK=m
> CONFIG_CRYPTO_DEV_PADLOCK_AES=y
> + _________________________ etc/syslog.conf
> + cat /etc/syslog.conf
> # /etc/syslog.conf Configuration file for syslogd.
> #
> # For more information see syslog.conf(5)
> # manpage.
>
> #
> # First some standard logfiles. Log by facility.
> #
>
> auth,authpriv.* /var/log/auth.log
> *.*;auth,authpriv.none -/var/log/syslog
> #cron.* /var/log/cron.log
> daemon.* -/var/log/daemon.log
> kern.* -/var/log/kern.log
> lpr.* -/var/log/lpr.log
> mail.* -/var/log/mail.log
> user.* -/var/log/user.log
> uucp.* /var/log/uucp.log
>
> #
> # Logging for the mail system. Split it up so that
> # it is easy to write scripts to parse these files.
> #
> mail.info -/var/log/mail.info
> mail.warn -/var/log/mail.warn
> mail.err /var/log/mail.err
>
> # Logging for INN news system
> #
> news.crit /var/log/news/news.crit
> news.err /var/log/news/news.err
> news.notice -/var/log/news/news.notice
>
> #
> # Some `catch-all' logfiles.
> #
> *.=debug;\
> auth,authpriv.none;\
> news.none;mail.none -/var/log/debug
> *.=info;*.=notice;*.=warn;\
> auth,authpriv.none;\
> cron,daemon.none;\
> mail,news.none -/var/log/messages
>
> #
> # Emergencies are sent to everybody logged in.
> #
> *.emerg *
>
> #
> # I like to have messages displayed on the console, but only on a virtual
> # console I usually leave idle.
> #
> #daemon,mail.*;\
> # news.=crit;news.=err;news.=notice;\
> # *.=debug;*.=info;\
> # *.=notice;*.=warn /dev/tty8
>
> # The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
> # you must invoke `xconsole' with the `-file' option:
> #
> # $ xconsole -file /dev/xconsole [...]
> #
> # NOTE: adjust the list below, or you'll go crazy if you have a reasonably
> # busy site..
> #
> daemon.*;mail.*;\
> news.crit;news.err;news.notice;\
> *.=debug;*.=info;\
> *.=notice;*.=warn |/dev/xconsole
>
> + _________________________ etc/syslog-ng/syslog-ng.conf
> + cat /etc/syslog-ng/syslog-ng.conf
> cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
> + _________________________ etc/resolv.conf
> + cat /etc/resolv.conf
> # resolv.conf created by pppconfig for internet
>
> nameserver 200.69.193.1
>
> nameserver 200.69.193.2
> + _________________________ lib/modules-ls
> + ls -ltr /lib/modules
> total 8
> drwxr-xr-x 5 root root 4096 May 5 09:48 2.6.8-2-686
> drwxr-xr-x 3 root root 4096 May 6 09:56 2.6.16-1-686
> + _________________________ /proc/ksyms-netif_rx
> + test -r /proc/ksyms
> + test -r /proc/kallsyms
> + egrep netif_rx /proc/kallsyms
> b02175a7 T netif_rx
> b0217705 T netif_rx_ni
> b02175a7 U netif_rx [ipsec]
> b02175a7 U netif_rx [ppp_generic]
> b02175a7 U netif_rx [ipv6]
> b02175a7 U netif_rx [3c59x]
> b02175a7 U netif_rx [via_rhine]
> + _________________________ lib/modules-netif_rx
> + modulegoo kernel/net/ipv4/ipip.o netif_rx
> + set +x
> 2.6.16-1-686:
> 2.6.8-2-686:
> + _________________________ kern.debug
> + test -f /var/log/kern.debug
> + _________________________ klog
> + sed -n '113,$p' /var/log/syslog
> + egrep -i 'ipsec|klips|pluto'
> + cat
> May 13 10:25:53 gwa ipsec_setup: Starting Openswan IPsec 2.4.5...
> May 13 10:25:54 gwa ipsec__plutorun: 104 "tunnelAB" #1: STATE_MAIN_I1: initiate
> May 13 10:25:54 gwa ipsec__plutorun: ...could not start conn "tunnelAB"
> + _________________________ plog
> + sed -n '1121,$p' /var/log/auth.log
> + egrep -i pluto
> + cat
> May 13 10:25:53 gwa ipsec__plutorun: Starting Pluto subsystem...
> May 13 10:25:53 gwa pluto[10572]: Starting Pluto (Openswan Version
> 2.4.5 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR;
> Vendor ID OEGfuJ[Ye{Ah)
> May 13 10:25:53 gwa pluto[10572]: Setting NAT-Traversal port-4500
> floating to off
> May 13 10:25:53 gwa pluto[10572]: port floating activation criteria
> nat_t=0/port_fload=1
> May 13 10:25:53 gwa pluto[10572]: including NAT-Traversal patch
> (Version 0.6c) [disabled]
> May 13 10:25:53 gwa pluto[10572]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> May 13 10:25:53 gwa pluto[10572]: starting up 1 cryptographic helpers
> May 13 10:25:53 gwa pluto[10572]: started helper pid=10583 (fd:6)
> May 13 10:25:53 gwa pluto[10572]: Using KLIPS IPsec interface code on
> 2.6.16-1-686
> May 13 10:25:53 gwa pluto[10572]: Changing to directory '/etc/ipsec.d/cacerts'
> May 13 10:25:53 gwa pluto[10572]: Changing to directory '/etc/ipsec.d/aacerts'
> May 13 10:25:53 gwa pluto[10572]: Changing to directory '/etc/ipsec.d/ocspcerts'
> May 13 10:25:53 gwa pluto[10572]: Changing to directory '/etc/ipsec.d/crls'
> May 13 10:25:53 gwa pluto[10572]: Warning: empty directory
> May 13 10:25:53 gwa pluto[10572]: added connection description "tunnelAB"
> May 13 10:25:53 gwa pluto[10572]: listening for IKE messages
> May 13 10:25:53 gwa pluto[10572]: adding interface ipsec0/ppp0
> 200.68.111.227:500
> May 13 10:25:53 gwa pluto[10572]: loading secrets from "/etc/ipsec.secrets"
> May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: initiating Main Mode
> May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: STATE_MAIN_I2: sent
> MI2, expecting MR2
> May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: I did not send a
> certificate because I do not have one.
> May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> May 13 10:25:54 gwa pluto[10572]: "tunnelAB" #1: STATE_MAIN_I3: sent
> MI3, expecting MR3
> May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #1: Main mode peer ID is
> ID_IPV4_ADDR: '200.XXX.XXX.XXX'
> May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #1: transition from state
> STATE_MAIN_I3 to state STATE_MAIN_I4
> May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #1: STATE_MAIN_I4: ISAKMP
> SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
> prf=oakley_md5 group=modp1536}
> May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #2: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
> May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #2: transition from state
> STATE_QUICK_I1 to state STATE_QUICK_I2
> May 13 10:25:55 gwa pluto[10572]: "tunnelAB" #2: STATE_QUICK_I2: sent
> QI2, IPsec SA established {ESP=>0xf7a99043 <0x1d4652fb
> xfrm=AES_256-HMAC_MD5 NATD=none DPD=none}
> May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: received Delete SA
> payload: replace IPSEC State #2 in 10 seconds
> May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: received and ignored
> informational message
> May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: ignoring Delete SA
> payload: PROTO_IPSEC_ESP SA(0xf7a99042) not found (maybe expired)
> May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: received and ignored
> informational message
> May 13 10:25:59 gwa pluto[10572]: "tunnelAB" #1: received Delete SA
> payload: deleting ISAKMP State #1
> May 13 10:25:59 gwa pluto[10572]: packet from 200.XXX.XXX.XXX:500:
> received and ignored informational message
> May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: responding to Main Mode
> May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: transition from state
> STATE_MAIN_R0 to state STATE_MAIN_R1
> May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: STATE_MAIN_R1: sent
> MR1, expecting MI2
> May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: STATE_MAIN_R2: sent
> MR2, expecting MI3
> May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: Main mode peer ID is
> ID_IPV4_ADDR: '200.XXX.XXX.XXX'
> May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: I did not send a
> certificate because I do not have one.
> May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: transition from state
> STATE_MAIN_R2 to state STATE_MAIN_R3
> May 13 10:26:03 gwa pluto[10572]: "tunnelAB" #3: STATE_MAIN_R3: sent
> MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: responding to Quick
> Mode {msgid:305a0c30}
> May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: transition from state
> STATE_QUICK_R0 to state STATE_QUICK_R1
> May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: STATE_QUICK_R1: sent
> QR1, inbound IPsec SA installed, expecting QI2
> May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: transition from state
> STATE_QUICK_R1 to state STATE_QUICK_R2
> May 13 10:26:04 gwa pluto[10572]: "tunnelAB" #4: STATE_QUICK_R2: IPsec
> SA established {ESP=>0xf7a99044 <0x1d4652fc xfrm=AES_256-HMAC_MD5
> NATD=none DPD=none}
> + _________________________ date
> + date
> Sat May 13 10:27:03 ART 2006
>
> Regards,
> Mariano
>
> --
> "Increased job satisfaction and family unity are fatal for a provider
> of brain-numbing substances."
> Moe, 1991.
>
--
"Increased job satisfaction and family unity are fatal for a provider
of brain-numbing substances."
Moe, 1991.