[Openswan Users] Xen, Amazon EC2, and the art of OpenSWAN
Michael Nguyen
michaeln at twentyten.org
Wed Sep 13 12:23:01 EDT 2006
From: "Paul Wouters" <paul at xelerance.com>
> On Wed, 13 Sep 2006, Michael Nguyen wrote:
[snip]
> That is not the output of "ipsec barf"
Michael misunderstood... This is a lot of text...
domU-12-31-33-00-01-A3.usma1.compute.amazonaws.com
Wed Sep 13 12:18:39 EDT 2006
+ _________________________ version
+ ipsec --version
Linux Openswan U2.4.4/K2.6.16-xenU (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.16-xenU (builder at patchbat.amazonsa) (gcc version 4.0.1
20050727 (Red Hat 4.0.1-5)) #1 SMP Mon Aug 14 19:11:10 SAST 2006
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
216.182.228.0 0.0.0.0 255.255.255.128 U 0 0 0
eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0
eth0
0.0.0.0 216.182.228.1 0.0.0.0 UG 0 0 0
eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
No SPD entries.
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 12:31:33:00:01:A3
inet addr:216.182.228.41 Bcast:216.182.228.127
Mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25453 errors:0 dropped:0 overruns:0 frame:0
TX packets:24162 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21805924 (20.7 MiB) TX bytes:5450257 (5.1 MiB)
eth0:1 Link encap:Ethernet HWaddr 12:31:33:00:01:A3
inet addr:10.1.4.1 Bcast:10.1.4.1 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:38 errors:0 dropped:0 overruns:0 frame:0
TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4691 (4.5 KiB) TX bytes:4691 (4.5 KiB)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 12:31:33:00:01:a3 brd ff:ff:ff:ff:ff:ff
inet 216.182.228.41/25 brd 216.182.228.127 scope global eth0
inet 10.1.4.1/32 brd 10.1.4.1 scope global eth0:1
+ _________________________ ip-route-list
+ ip route list
216.182.228.0/25 dev eth0 proto kernel scope link src 216.182.228.41
169.254.0.0/16 dev eth0 scope link
default via 216.182.228.1 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.16-xenU (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [FAILED]
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
SIOCGMIIPHY on 'eth0' failed: Operation not supported
no MII interfaces found
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
domU-12-31-33-00-01-A3.usma1.compute.amazonaws.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
216.182.228.41
+ _________________________ uptime
+ uptime
12:18:39 up 23:30, 1 user, load average: 0.55, 0.46, 0.42
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 4671 1580 20 0 2260 984 - R+ pts/0 0:00
\_ /bin/sh /usr/libexec/ipsec/barf
1 0 4669 1 17 0 2256 428 wait S ? 0:00 /bin/sh
/usr/lib/ipsec/_plutorun --re --debug all --uniqueids
es --nocrsend --strictcrlpolicy --nat_traversal
es --keep_alive --protostack
uto --force_keepalive --disable_port_floating --virtual_private
%v4:10.1.4.0/24 --crlcheckinterval
--ocspuri --nhelpers --dump --opts --stderrlog --wait
o --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=216.182.228.41
routenexthop=216.182.228.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
plutodebug="all"
nat_traversal=yes
virtual_private=%v4:10.1.4.0/24
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg:
# plutodebug="control parsing"
#
# Only enable klipsdebug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
# nat_traversal=yes
# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
# Add connections here
# sample VPN connection
#conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=start
conn officevpn
left=216.182.228.41
leftsubnet=216.182.228.0/25
leftid=@AmazonEC2
leftxauthclient=yes
right=207.115.74.31
rightsubnet=10.1.1.0/24
rightxauthserver=yes
rightid=@ABCDEABCDE01
keyingtries=0
pfs=yes
aggrmode=yes
auto=add
auth=esp
esp=3des-md5-96
ike=3des-md5-96
authby=secret
xauth=yes
#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 65
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits domu-12-31-33-00-01-a3.usma1.compute.amazonaws.com Tue
Sep 12 14:05:00 2006
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQNd6efde]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
@AmazonEC2 @0006B10CC118 : PSK "[sums to 2263...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic
Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 116
-rwxr-xr-x 1 root root 15535 Sep 12 14:42 _confread
-rwxr-xr-x 1 root root 15554 Sep 12 14:42 _copyright
-rwxr-xr-x 1 root root 2379 Sep 12 14:42 _include
-rwxr-xr-x 1 root root 1475 Sep 12 14:42 _keycensor
-rwxr-xr-x 1 root root 3586 Sep 12 14:42 _plutoload
-rwxr-xr-x 1 root root 7431 Sep 12 14:42 _plutorun
-rwxr-xr-x 1 root root 12275 Sep 12 14:42 _realsetup
-rwxr-xr-x 1 root root 1975 Sep 12 14:42 _secretcensor
-rwxr-xr-x 1 root root 9778 Sep 12 14:42 _startklips
-rwxr-xr-x 1 root root 13417 Sep 12 14:42 _updown
-rwxr-xr-x 1 root root 15746 Sep 12 14:42 _updown_x509
-rwxr-xr-x 1 root root 1942 Sep 12 14:42 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 3156
-rwxr-xr-x 1 root root 29013 Sep 12 14:42 _pluto_adns
-rwxr-xr-x 1 root root 19081 Sep 12 14:42 auto
-rwxr-xr-x 1 root root 10584 Sep 12 14:42 barf
-rwxr-xr-x 1 root root 816 Sep 12 14:42 calcgoo
-rwxr-xr-x 1 root root 192735 Sep 12 14:42 eroute
-rwxr-xr-x 1 root root 60724 Sep 12 14:42 ikeping
-rwxr-xr-x 1 root root 126608 Sep 12 14:42 klipsdebug
-rwxr-xr-x 1 root root 1836 Sep 12 14:42 livetest
-rwxr-xr-x 1 root root 2605 Sep 12 14:42 look
-rwxr-xr-x 1 root root 7153 Sep 12 14:42 mailkey
-rwxr-xr-x 1 root root 15996 Sep 12 14:42 manual
-rwxr-xr-x 1 root root 1926 Sep 12 14:42 newhostkey
-rwxr-xr-x 1 root root 111589 Sep 12 14:42 pf_key
-rwxr-xr-x 1 root root 1824493 Sep 12 14:42 pluto
-rwxr-xr-x 1 root root 26814 Sep 12 14:42 ranbits
-rwxr-xr-x 1 root root 50286 Sep 12 14:42 rsasigkey
-rwxr-xr-x 1 root root 766 Sep 12 14:42 secrets
-rwxr-xr-x 1 root root 17636 Sep 12 14:42 send-pr
lrwxrwxrwx 1 root root 22 Sep 12 14:58 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Sep 12 14:42 showdefaults
-rwxr-xr-x 1 root root 4748 Sep 12 14:42 showhostkey
-rwxr-xr-x 1 root root 306106 Sep 12 14:42 spi
-rwxr-xr-x 1 root root 157953 Sep 12 14:42 spigrp
-rwxr-xr-x 1 root root 26191 Sep 12 14:42 tncfg
-rwxr-xr-x 1 root root 10607 Sep 12 14:42 verify
-rwxr-xr-x 1 root root 132257 Sep 12 14:42 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes
packets errs drop fifo colls carrier compressed
lo: 4691 38 0 0 0 0 0 0 4691
38 0 0 0 0 0 0
eth0:21806356 25457 0 0 0 0 0 0 5450587
24165 0 0 0 0 0 0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 00E4B6D8 00000000 0001 0 0 0 80FFFFFF 0 0 0
eth0 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0
eth0 00000000 01E4B6D8 0003 0 0 0 00000000 0 0 0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux domU-12-31-33-00-01-A3.usma1.compute.amazonaws.com 2.6.16-xenU #1 SMP
Mon Aug 14 19:11:10 SAST 2006 i686 athlon i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 4 (Stentz)
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.16-xenU) support detected '
NETKEY (2.6.16-xenU) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm
firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain INPUT (policy ACCEPT 5861 packets, 579K bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 9266 packets, 3275K bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain OUTPUT (policy ACCEPT 1 packets, 63 bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 1 packets, 63 bytes)
pkts bytes target prot opt in out source
destination
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain INPUT (policy ACCEPT 1222 packets, 92504 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 1774 packets, 1350K bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 1774 packets, 1350K bytes)
pkts bytes target prot opt in out source
destination
Chain PREROUTING (policy ACCEPT 1222 packets, 92504 bytes)
pkts bytes target prot opt in out source
destination
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
xfrm4_tunnel 4100 0 - Live 0xee059000
iptable_mangle 3456 0 - Live 0xee043000
iptable_nat 9476 0 - Live 0xee025000
ip_nat 18196 1 iptable_nat, Live 0xee060000
ip_conntrack 55256 2 iptable_nat,ip_nat, Live 0xee06b000
nfnetlink 6552 2 ip_nat,ip_conntrack, Live 0xee040000
iptable_filter 3584 0 - Live 0xee03e000
ip_tables 13940 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xee054000
x_tables 13188 2 iptable_nat,ip_tables, Live 0xee04f000
aes_i586 34164 0 - Live 0xee045000
sha1 3456 0 - Live 0xee03c000
ipcomp 7176 0 - Live 0xee029000
esp4 7296 0 - Live 0xee01f000
ah4 5888 0 - Live 0xee022000
dm_mod 49044 0 - Live 0xee02f000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 1740944 kB
MemFree: 1238568 kB
Buffers: 157704 kB
Cached: 263556 kB
SwapCached: 0 kB
Active: 313384 kB
Inactive: 133844 kB
HighTotal: 1003528 kB
HighFree: 704716 kB
LowTotal: 737416 kB
LowFree: 533852 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 300 kB
Writeback: 0 kB
Mapped: 29748 kB
Slab: 28544 kB
CommitLimit: 870472 kB
Committed_AS: 116280 kB
PageTables: 668 kB
VmallocTotal: 118776 kB
VmallocUsed: 508 kB
VmallocChunk: 118220 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
# CONFIG_IP_MULTIPLE_TABLES is not set
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_VERBOSE is not set
CONFIG_IP_PNP=y
# CONFIG_IP_PNP_DHCP is not set
# CONFIG_IP_PNP_BOOTP is not set
# CONFIG_IP_PNP_RARP is not set
# CONFIG_IP_MROUTE is not set
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=m
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NETBIOS_NS=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_POLICY=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
# CONFIG_IP_NF_ARPFILTER is not set
# CONFIG_IP_NF_ARP_MANGLE is not set
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search usma1.compute.amazonaws.com
nameserver 216.182.224.21
nameserver 216.182.224.22
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 5 root root 4096 Aug 23 17:57 2.6.16-1.2069_FC4
drwxr-xr-x 3 root root 4096 Aug 23 17:59 2.6.16-xenU
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c02727f0 T netif_rx
c0272b40 T netif_rx_ni
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.16-1.2069_FC4:
2.6.16-xenU:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '118,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: Starting Openswan IPsec
U2.4.4/K2.6.16-xenU...
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: insmod
/lib/modules/2.6.16-xenU/kernel/net/ipv4/ah4.ko
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: insmod
/lib/modules/2.6.16-xenU/kernel/net/ipv4/esp4.ko
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: insmod
/lib/modules/2.6.16-xenU/kernel/net/ipv4/ipcomp.ko
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: insmod
/lib/modules/2.6.16-xenU/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: insmod
/lib/modules/2.6.16-xenU/kernel/crypto/sha1.ko
Sep 12 14:05:00 domu-12-31-33-00-01-a3 ipsec_setup: insmod
/lib/modules/2.6.16-xenU/kernel/arch/i386/crypto/aes-i586.ko
Sep 12 14:05:01 domu-12-31-33-00-01-a3 ipsec__plutorun: whack: Pluto is not
running (no "/var/run/pluto/pluto.ctl")
Sep 12 14:05:01 domu-12-31-33-00-01-a3 ipsec__plutorun: !pluto failure!:
exited with error status 1
Sep 12 14:05:01 domu-12-31-33-00-01-a3 ipsec__plutorun: restarting IPsec
after pause...
Sep 12 14:05:04 domu-12-31-33-00-01-a3 ipsec_setup: Openswan IPsec
apparently already running, start aborted
Sep 12 14:05:12 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec
stopped
Sep 12 14:05:12 domu-12-31-33-00-01-a3 ipsec_setup: Stopping Openswan
IPsec...
Sep 12 14:05:12 domu-12-31-33-00-01-a3 ipsec_setup: KLIPS ipsec0 on eth0
216.182.228.41/255.255.255.128 broadcast 216.182.228.127
Sep 12 14:05:12 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec
started
Sep 12 14:05:12 domu-12-31-33-00-01-a3 ipsec_setup: Restarting Openswan
IPsec U2.4.4/K2.6.16-xenU...
Sep 12 14:05:12 domu-12-31-33-00-01-a3 ipsec_setup: insmod
/lib/modules/2.6.16-xenU/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 12 14:05:13 domu-12-31-33-00-01-a3 ipsec__plutorun: whack: Pluto is not
running (no "/var/run/pluto/pluto.ctl")
Sep 12 14:05:13 domu-12-31-33-00-01-a3 ipsec__plutorun: !pluto failure!:
exited with error status 1
Sep 12 14:05:13 domu-12-31-33-00-01-a3 ipsec__plutorun: restarting IPsec
after pause...
Sep 12 14:05:23 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec
stopped
Sep 12 14:05:23 domu-12-31-33-00-01-a3 ipsec_setup: Stopping Openswan
IPsec...
Sep 12 14:05:23 domu-12-31-33-00-01-a3 ipsec_setup: KLIPS ipsec0 on eth0
216.182.228.41/255.255.255.128 broadcast 216.182.228.127
Sep 12 14:05:24 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec
started
Sep 12 14:05:24 domu-12-31-33-00-01-a3 ipsec_setup: Restarting Openswan
IPsec U2.4.4/K2.6.16-xenU...
Sep 12 14:05:24 domu-12-31-33-00-01-a3 ipsec_setup: insmod
/lib/modules/2.6.16-xenU/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 12 14:05:24 domu-12-31-33-00-01-a3 ipsec__plutorun: whack: Pluto is not
running (no "/var/run/pluto/pluto.ctl")
Sep 12 14:05:24 domu-12-31-33-00-01-a3 ipsec__plutorun: !pluto failure!:
exited with error status 1
Sep 12 14:05:24 domu-12-31-33-00-01-a3 ipsec__plutorun: restarting IPsec
after pause...
Sep 12 14:05:34 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec
stopped
Sep 12 14:05:34 domu-12-31-33-00-01-a3 ipsec_setup: Stopping Openswan
IPsec...
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec_setup: KLIPS ipsec0 on eth0
216.182.228.41/255.255.255.128 broadcast 216.182.228.127
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec
started
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec_setup: Restarting Openswan
IPsec U2.4.4/K2.6.16-xenU...
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec_setup: insmod
/lib/modules/2.6.16-xenU/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec__plutorun: whack: Pluto is not
running (no "/var/run/pluto/pluto.ctl")
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec__plutorun: !pluto failure!:
exited with error status 1
Sep 12 14:05:35 domu-12-31-33-00-01-a3 ipsec__plutorun: restarting IPsec
after pause...
Sep 12 14:05:46 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec
stopped
Sep 12 14:05:46 domu-12-31-33-00-01-a3 ipsec_setup: Stopping Openswan
IPsec...
Sep 12 14:05:46 domu-12-31-33-00-01-a3 ipsec_setup: KLIPS ipsec0 on eth0
216.182.228.41/255.255.255.128 broadcast 216.182.228.127
Sep 12 14:05:46 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec
started
Sep 12 14:05:46 domu-12-31-33-00-01-a3 ipsec_setup: Restarting Openswan
IPsec U2.4.4/K2.6.16-xenU...
Sep 12 14:05:46 domu-12-31-33-00-01-a3 ipsec_setup: insmod
/lib/modules/2.6.16-xenU/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 12 14:05:47 domu-12-31-33-00-01-a3 ipsec__plutorun: whack: Pluto is not
running (no "/var/run/pluto/pluto.ctl")
Sep 12 14:05:47 domu-12-31-33-00-01-a3 ipsec__plutorun: !pluto failure!:
exited with error status 1
Sep 12 14:05:47 domu-12-31-33-00-01-a3 ipsec__plutorun: restarting IPsec
after pause...
Sep 12 14:05:57 domu-12-31-33-00-01-a3 ipsec_setup: ...Openswan IPsec
stopped
Sep 12 14:05:57 domu-12-31-33-00-01-a3 ipsec_setup: Stopping Openswan
IPsec...
Sep 12 14:05:57 domu-12-31-33-00-01-a3 ipsec_setup: KLIPS ipsec0 on eth0
216.182.228.41/255.255.255.128 broadcast 216.182.228.127
Thanks, Paul.
Michael
More information about the Users
mailing list