[Openswan Users] Xen, Amazon EC2, and the art of OpenSWAN

Michael Nguyen michaeln at twentyten.org
Wed Sep 13 12:23:01 EDT 2006


From: "Paul Wouters" <paul at xelerance.com>
> On Wed, 13 Sep 2006, Michael Nguyen wrote:

[snip]

> That is not the output of "ipsec barf"

Michael misunderstood...  This is a lot of text...

domU-12-31-33-00-01-A3.usma1.compute.amazonaws.com
Wed Sep 13 12:18:39 EDT 2006
+ _________________________ version
+ ipsec --version
Linux Openswan U2.4.4/K2.6.16-xenU (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.16-xenU (builder at patchbat.amazonsa) (gcc version 4.0.1 20050727 (Red Hat 4.0.1-5)) #1 SMP Mon Aug 14 19:11:10 SAST 2006
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
216.182.228.0   0.0.0.0         255.255.255.128 U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         216.182.228.1   0.0.0.0         UG        0 0          0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk       RefCnt Rmem   Wmem   User   Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
No SPD entries.
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 12:31:33:00:01:A3
          inet addr:216.182.228.41  Bcast:216.182.228.127  Mask:255.255.255.128
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25453 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24162 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:21805924 (20.7 MiB)  TX bytes:5450257 (5.1 MiB)

eth0:1    Link encap:Ethernet  HWaddr 12:31:33:00:01:A3
          inet addr:10.1.4.1  Bcast:10.1.4.1  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:38 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4691 (4.5 KiB)  TX bytes:4691 (4.5 KiB)

+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 12:31:33:00:01:a3 brd ff:ff:ff:ff:ff:ff
    inet 216.182.228.41/25 brd 216.182.228.127 scope global eth0
    inet 10.1.4.1/32 brd 10.1.4.1 scope global eth0:1
+ _________________________ ip-route-list
+ ip route list
216.182.228.0/25 dev eth0  proto kernel  scope link  src 216.182.228.41
169.254.0.0/16 dev eth0  scope link
default via 216.182.228.1 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                              [OK]
Linux Openswan U2.4.4/K2.6.16-xenU (netkey)
Checking for IPsec support in kernel                         [OK]
Checking for RSA private key (/etc/ipsec.secrets)            [OK]
Checking that pluto is running                               [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command                                    [OK]
Checking for 'iptables' command                              [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support                             [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
SIOCGMIIPHY on 'eth0' failed: Operation not supported
no MII interfaces found
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
domU-12-31-33-00-01-A3.usma1.compute.amazonaws.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
216.182.228.41
+ _________________________ uptime
+ uptime
 12:18:39 up 23:30,  1 user,  load average: 0.55, 0.46, 0.42
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0  4671  1580  20   0   2260   984 -      R+   pts/0      0:00 
\_ /bin/sh /usr/libexec/ipsec/barf
1     0  4669     1  17   0   2256   428 wait   S    ?          0:00 /bin/sh 
/usr/lib/ipsec/_plutorun --re --debug all --uniqueids 
es --nocrsend  --strictcrlpolicy  --nat_traversal 
es --keep_alive  --protostack 
uto --force_keepalive  --disable_port_floating  --virtual_private 
%v4:10.1.4.0/24 --crlcheckinterval 
 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait 
o --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=216.182.228.41
routenexthop=216.182.228.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
 plutodebug="all"
 nat_traversal=yes
 virtual_private=%v4:10.1.4.0/24

 # plutodebug / klipsdebug = "all", "none" or a combation from below:
 # "raw crypt parsing emitting control klips pfkey natt x509 private"
 # eg:
 # plutodebug="control parsing"
 #
 # Only enable klipsdebug=all if you are a developer
 #
 # NAT-TRAVERSAL support, see README.NAT-Traversal
 # nat_traversal=yes
 # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12

# Add connections here

# sample VPN connection
#conn sample
#  # Left security gateway, subnet behind it, nexthop toward right.
#  left=10.0.0.1
#  leftsubnet=172.16.0.0/24
#  leftnexthop=10.22.33.44
#  # Right security gateway, subnet behind it, nexthop toward left.
#  right=10.12.12.1
#  rightsubnet=192.168.0.0/24
#  rightnexthop=10.101.102.103
#  # To authorize this connection, but not actually start it,
#  # at startup, uncomment this.
#  #auto=start

conn officevpn
     left=216.182.228.41
     leftsubnet=216.182.228.0/25
     leftid=@AmazonEC2
     leftxauthclient=yes
     right=207.115.74.31
     rightsubnet=10.1.1.0/24
     rightxauthserver=yes
     rightid=@ABCDEABCDE01
     keyingtries=0
     pfs=yes
     aggrmode=yes
     auto=add
     auth=esp
     esp=3des-md5-96
     ike=3des-md5-96
     authby=secret
     xauth=yes

#Disable Opportunistic Encryption

#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

#> /etc/ipsec.conf 65
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
: RSA {
 # RSA 2192 bits   domu-12-31-33-00-01-a3.usma1.compute.amazonaws.com   Tue Sep 12 14:05:00 2006
 # for signatures only, UNSAFE FOR ENCRYPTION
 #pubkey=[keyid AQNd6efde]
 Modulus: [...]
 PublicExponent: [...]
 # everything after this point is secret
 PrivateExponent: [...]
 Prime1: [...]
 Prime2: [...]
 Exponent1: [...]
 Exponent2: [...]
 Coefficient: [...]
 }
# do not change the indenting of that "[sums to 7d9d...]"

@AmazonEC2 @0006B10CC118 : PSK "[sums to 2263...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#

+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption.  This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications.  If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#

0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 116
-rwxr-xr-x  1 root root 15535 Sep 12 14:42 _confread
-rwxr-xr-x  1 root root 15554 Sep 12 14:42 _copyright
-rwxr-xr-x  1 root root  2379 Sep 12 14:42 _include
-rwxr-xr-x  1 root root  1475 Sep 12 14:42 _keycensor
-rwxr-xr-x  1 root root  3586 Sep 12 14:42 _plutoload
-rwxr-xr-x  1 root root  7431 Sep 12 14:42 _plutorun
-rwxr-xr-x  1 root root 12275 Sep 12 14:42 _realsetup
-rwxr-xr-x  1 root root  1975 Sep 12 14:42 _secretcensor
-rwxr-xr-x  1 root root  9778 Sep 12 14:42 _startklips
-rwxr-xr-x  1 root root 13417 Sep 12 14:42 _updown
-rwxr-xr-x  1 root root 15746 Sep 12 14:42 _updown_x509
-rwxr-xr-x  1 root root  1942 Sep 12 14:42 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 3156
-rwxr-xr-x  1 root root   29013 Sep 12 14:42 _pluto_adns
-rwxr-xr-x  1 root root   19081 Sep 12 14:42 auto
-rwxr-xr-x  1 root root   10584 Sep 12 14:42 barf
-rwxr-xr-x  1 root root     816 Sep 12 14:42 calcgoo
-rwxr-xr-x  1 root root  192735 Sep 12 14:42 eroute
-rwxr-xr-x  1 root root   60724 Sep 12 14:42 ikeping
-rwxr-xr-x  1 root root  126608 Sep 12 14:42 klipsdebug
-rwxr-xr-x  1 root root    1836 Sep 12 14:42 livetest
-rwxr-xr-x  1 root root    2605 Sep 12 14:42 look
-rwxr-xr-x  1 root root    7153 Sep 12 14:42 mailkey
-rwxr-xr-x  1 root root   15996 Sep 12 14:42 manual
-rwxr-xr-x  1 root root    1926 Sep 12 14:42 newhostkey
-rwxr-xr-x  1 root root  111589 Sep 12 14:42 pf_key
-rwxr-xr-x  1 root root 1824493 Sep 12 14:42 pluto
-rwxr-xr-x  1 root root   26814 Sep 12 14:42 ranbits
-rwxr-xr-x  1 root root   50286 Sep 12 14:42 rsasigkey
-rwxr-xr-x  1 root root     766 Sep 12 14:42 secrets
-rwxr-xr-x  1 root root   17636 Sep 12 14:42 send-pr
lrwxrwxrwx  1 root root      22 Sep 12 14:58 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x  1 root root    1054 Sep 12 14:42 showdefaults
-rwxr-xr-x  1 root root    4748 Sep 12 14:42 showhostkey
-rwxr-xr-x  1 root root  306106 Sep 12 14:42 spi
-rwxr-xr-x  1 root root  157953 Sep 12 14:42 spigrp
-rwxr-xr-x  1 root root   26191 Sep 12 14:42 tncfg
-rwxr-xr-x  1 root root   10607 Sep 12 14:42 verify
-rwxr-xr-x  1 root root  132257 Sep 12 14:42 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
    lo:    4691      38    0    0    0     0          0         0     4691 38    0    0    0     0       0          0
  eth0:21806356   25457    0    0    0     0          0         0  5450587 24165    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway  Flags RefCnt Use Metric Mask  MTU Window IRTT
eth0 00E4B6D8 00000000 0001 0 0 0 80FFFFFF 0 0 0
eth0 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0
eth0 00000000 01E4B6D8 0003 0 0 0 00000000 0 0 0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux domU-12-31-33-00-01-A3.usma1.compute.amazonaws.com 2.6.16-xenU #1 SMP Mon Aug 14 19:11:10 SAST 2006 i686 athlon i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 4 (Stentz)
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.16-xenU) support detected '
NETKEY (2.6.16-xenU) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 5861 packets, 579K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 9266 packets, 3275K bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain OUTPUT (policy ACCEPT 1 packets, 63 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 63 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1222 packets, 92504 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1774 packets, 1350K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1774 packets, 1350K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 1222 packets, 92504 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
xfrm4_tunnel 4100 0 - Live 0xee059000
iptable_mangle 3456 0 - Live 0xee043000
iptable_nat 9476 0 - Live 0xee025000
ip_nat 18196 1 iptable_nat, Live 0xee060000
ip_conntrack 55256 2 iptable_nat,ip_nat, Live 0xee06b000
nfnetlink 6552 2 ip_nat,ip_conntrack, Live 0xee040000
iptable_filter 3584 0 - Live 0xee03e000
ip_tables 13940 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xee054000
x_tables 13188 2 iptable_nat,ip_tables, Live 0xee04f000
aes_i586 34164 0 - Live 0xee045000
sha1 3456 0 - Live 0xee03c000
ipcomp 7176 0 - Live 0xee029000
esp4 7296 0 - Live 0xee01f000
ah4 5888 0 - Live 0xee022000
dm_mod 49044 0 - Live 0xee02f000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal:      1740944 kB
MemFree:       1238568 kB
Buffers:        157704 kB
Cached:         263556 kB
SwapCached:          0 kB
Active:         313384 kB
Inactive:       133844 kB
HighTotal:     1003528 kB
HighFree:       704716 kB
LowTotal:       737416 kB
LowFree:        533852 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:             300 kB
Writeback:           0 kB
Mapped:          29748 kB
Slab:            28544 kB
CommitLimit:    870472 kB
Committed_AS:   116280 kB
PageTables:        668 kB
VmallocTotal:   118776 kB
VmallocUsed:       508 kB
VmallocChunk:   118220 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
# CONFIG_IP_MULTIPLE_TABLES is not set
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_VERBOSE is not set
CONFIG_IP_PNP=y
# CONFIG_IP_PNP_DHCP is not set
# CONFIG_IP_PNP_BOOTP is not set
# CONFIG_IP_PNP_RARP is not set
# CONFIG_IP_MROUTE is not set
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=m
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NETBIOS_NS=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_POLICY=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
# CONFIG_IP_NF_ARPFILTER is not set
# CONFIG_IP_NF_ARP_MANGLE is not set
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*       /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none  /var/log/messages

# The authpriv file has restricted access.
authpriv.*      /var/log/secure

# Log all the mail messages in one place.
mail.*       -/var/log/maillog


# Log cron stuff
cron.*       /var/log/cron

# Everybody gets emergency messages
*.emerg       *

# Save news errors of level crit and higher in a special file.
uucp,news.crit      /var/log/spooler

# Save boot messages also to boot.log
local7.*      /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search usma1.compute.amazonaws.com
nameserver 216.182.224.21
nameserver 216.182.224.22
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x  5 root root 4096 Aug 23 17:57 2.6.16-1.2069_FC4
drwxr-xr-x  3 root root 4096 Aug 23 17:59 2.6.16-xenU
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c02727f0 T netif_rx
c0272b40 T netif_rx_ni
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.16-1.2069_FC4:
2.6.16-xenU:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '118,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: Starting Openswan IPsec U2.4.4/K2.6.16-xenU...
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: insmod /lib/modules/2.6.16-xenU/kernel/net/ipv4/ah4.ko
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: insmod /lib/modules/2.6.16-xenU/kernel/net/ipv4/esp4.ko
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: insmod /lib/modules/2.6.16-xenU/kernel/net/ipv4/ipcomp.ko
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: insmod /lib/modules/2.6.16-xenU/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: insmod /lib/modules/2.6.16-xenU/kernel/crypto/sha1.ko
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: insmod /lib/modules/2.6.16-xenU/kernel/arch/i386/crypto/aes-i586.ko
Sep 12 14:05:01 domu-12-31-33-00-01-a3 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Sep 12 14:05:01 domu-12-31-33-00-01-a3 ipsec__plutorun: !pluto failure!: exited with error status 1
Sep 12 14:05:01 domu-12-31-33-00-01-a3 ipsec__plutorun: restarting IPsec after pause...
Sep 12 14:05:04 domu-12-31-33-00-01-a3 ipsec_setup: Openswan IPsec apparently already running, start aborted
Sep 12 14:05:12 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec stopped
Sep 12 14:05:12 domu-12-31-33-00-01-a3 ipsec_setup: Stopping Openswan IPsec...
Sep 12 14:05:12 domu-12-31-33-00-01-a3 ipsec_setup: KLIPS ipsec0 on eth0 216.182.228.41/255.255.255.128 broadcast 216.182.228.127
Sep 12 14:05:12 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec started
Sep 12 14:05:12 domu-12-31-33-00-01-a3 ipsec_setup: Restarting Openswan IPsec U2.4.4/K2.6.16-xenU...
Sep 12 14:05:12 domu-12-31-33-00-01-a3 ipsec_setup: insmod /lib/modules/2.6.16-xenU/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 12 14:05:13 domu-12-31-33-00-01-a3 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Sep 12 14:05:13 domu-12-31-33-00-01-a3 ipsec__plutorun: !pluto failure!: exited with error status 1
Sep 12 14:05:13 domu-12-31-33-00-01-a3 ipsec__plutorun: restarting IPsec after pause...
Sep 12 14:05:23 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec stopped
Sep 12 14:05:23 domu-12-31-33-00-01-a3 ipsec_setup: Stopping Openswan IPsec...
Sep 12 14:05:23 domu-12-31-33-00-01-a3 ipsec_setup: KLIPS ipsec0 on eth0 216.182.228.41/255.255.255.128 broadcast 216.182.228.127
Sep 12 14:05:24 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec started
Sep 12 14:05:24 domu-12-31-33-00-01-a3 ipsec_setup: Restarting Openswan IPsec U2.4.4/K2.6.16-xenU...
Sep 12 14:05:24 domu-12-31-33-00-01-a3 ipsec_setup: insmod /lib/modules/2.6.16-xenU/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 12 14:05:24 domu-12-31-33-00-01-a3 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Sep 12 14:05:24 domu-12-31-33-00-01-a3 ipsec__plutorun: !pluto failure!: exited with error status 1
Sep 12 14:05:24 domu-12-31-33-00-01-a3 ipsec__plutorun: restarting IPsec after pause...
Sep 12 14:05:34 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec stopped
Sep 12 14:05:34 domu-12-31-33-00-01-a3 ipsec_setup: Stopping Openswan IPsec...
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec_setup: KLIPS ipsec0 on eth0 216.182.228.41/255.255.255.128 broadcast 216.182.228.127
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec started
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec_setup: Restarting Openswan IPsec U2.4.4/K2.6.16-xenU...
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec_setup: insmod /lib/modules/2.6.16-xenU/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec__plutorun: !pluto failure!: exited with error status 1
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec__plutorun: restarting IPsec after pause...
Sep 12 14:05:46 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec stopped
Sep 12 14:05:46 domu-12-31-33-00-01-a3 ipsec_setup: Stopping Openswan IPsec...
Sep 12 14:05:46 domu-12-31-33-00-01-a3 ipsec_setup: KLIPS ipsec0 on eth0 216.182.228.41/255.255.255.128 broadcast 216.182.228.127
Sep 12 14:05:46 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec started
Sep 12 14:05:46 domu-12-31-33-00-01-a3 ipsec_setup: Restarting Openswan IPsec U2.4.4/K2.6.16-xenU...
Sep 12 14:05:46 domu-12-31-33-00-01-a3 ipsec_setup: insmod /lib/modules/2.6.16-xenU/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 12 14:05:47 domu-12-31-33-00-01-a3 ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Sep 12 14:05:47 domu-12-31-33-00-01-a3 ipsec__plutorun: !pluto failure!: exited with error status 1
Sep 12 14:05:47 domu-12-31-33-00-01-a3 ipsec__plutorun: restarting IPsec after pause...
Sep 12 14:05:57 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec stopped
Sep 12 14:05:57 domu-12-31-33-00-01-a3 ipsec_setup: Stopping Openswan IPsec...
Sep 12 14:05:57 domu-12-31-33-00-01-a3 ipsec_setup: KLIPS ipsec0 on eth0 216.182.228.41/255.255.255.128 broadcast 216.182.228.127

Thanks, Paul.


Michael 


