[Openswan Users] SA Established but traffic not flowing
Big Wave Dave
bigwavedave at gmail.com
Wed Sep 5 16:22:13 EDT 2007
I am unable to get my openswan setup completely working. I am able to
get the "SA" established, but no traffic flows between the two sites.
I am attempting to connect an OpenSwan Ubuntu box to a Juniper
(Netscreen) SSG-140. I spent several hours on the phone with Juniper
this morning, who assured me that side is setup correctly. I haven't
used openswan since the 2.4 kernel days, and it appears things have
changed in regards to the tunnel interfaces
Since the SA is established, I have high-hopes that I am close to
success. The intent is that this will be a net-to-net config. The
OpenSwan side is a linux firewall/router for an network
(10.102.0.0/16). The Juniper side is 192.168.0.0/16. Unfortunately I
am unable to ping between the two networks. The Linux side adds a
route when ipsec is started, pointing 192.168.0.0/16 to the default
external gateway of the box.
I have attached my ipsec.conf as well as output from "ipsec barf".
Hopefully the list will allow the attachments through.
Please let me know if more information is necessary.
Thanks for any help!
Dave
-------------- next part --------------
config setup
plutodebug="control parsing"
conn datadomain
type=tunnel
authby=secret
left=172.16.21.57
leftsubnet=10.102.0.0/16
leftnexthop=%defaultroute
right=172.16.61.87
rightsubnet=192.168.0.0/16
rightnexthop=172.16.61.81
#rightnexthop=%defaultroute
auto=start
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
-------------- next part --------------
root at host01:~# ipsec barf
host01
Wed Sep 5 16:07:24 EDT 2007
+ _________________________ version
+
+ ipsec --version
Linux Openswan U2.4.5/K2.6.17-11-server (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+
+ cat /proc/version
Linux version 2.6.17-11-server (root at terranova) (gcc version 4.1.2 20060928 (prerelease) (Ubuntu 4.1.1-13ubuntu5)) #2 SMP Thu Feb 1 19:53 :33 UTC 2007 (Ubuntu 2.6.17-11.35-server)
+ _________________________ /proc/net/ipsec_eroute
+
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
172.16.21.0 0.0.0.0 255.255.255.128 U 0 0 0 eth1
10.102.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 172.16.21.1 255.255.0.0 UG 0 0 0 eth1
0.0.0.0 172.16.21.1 0.0.0.0 UG 0 0 0 eth1
+ _________________________ /proc/net/ipsec_spi
+
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ ip-xfrm-state
+
+ ip xfrm state
src 172.16.21.57 dst 172.16.61.87
proto esp spi 0x0c6df033 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x946e14385d3cc8b1324bd94cd03313da94a3a385
enc des3_ede 0xa05cd575abcb2e05bc923be80fe968658eeb089aa8ef4f0e
src 172.16.61.87 dst 172.16.21.57
proto esp spi 0x1b9a4a3d reqid 16385 mode tunnel
replay-window 32
auth sha1 0xbd0cfa6ca8e2d2798bedb254d4500ed09a53359a
enc des3_ede 0x973b1608ae13d74bf5df60c946828e4055ed98a0bde2fac0
+ _________________________ ip-xfrm-policy
+
+ ip xfrm policy
src 192.168.0.0/16 dst 10.102.0.0/16
dir in priority 2608
tmpl src 172.16.61.87 dst 172.16.21.57
proto esp reqid 16385 mode tunnel
src 10.102.0.0/16 dst 192.168.0.0/16
dir out priority 2608
tmpl src 172.16.21.57 dst 172.16.61.87
proto esp reqid 16385 mode tunnel
src 192.168.0.0/16 dst 10.102.0.0/16
dir fwd priority 2608
tmpl src 172.16.61.87 dst 172.16.21.57
proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
+ _________________________ /proc/sys/net/ipsec-star
+
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.102.0.1
000 interface eth1/eth1 172.16.21.57
000 %myid = (none)
000 debug parsing+control
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "somedomain": 10.102.0.0/16===172.16.21.57---172.16.21.1...172.16.61.81---172.16.61.87===192.168.0.0/16; erouted; eroute owner: #2
000 "somedomain": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "somedomain": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "somedomain": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 16,16; interface: eth1;
000 "somedomain": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "somedomain": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000
000 #2: "somedomain":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27672s; newest IPSEC; eroute owner
000 #2: "somedomain" esp.c6df033 at 172.16.61.87 esp.1b9a4a3d at 172.16.21.57 tun.0 at 172.16.61.87 tun.0 at 172.16.21.57
000 #1: "somedomain":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2580s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
+ _________________________ ifconfig-a
+
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:40:05:37:2C:7C
inet addr:10.102.0.1 Bcast:10.102.0.255 Mask:255.255.255.0
inet6 addr: fe80::240:5ff:fe37:2c7c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12971779 errors:1 dropped:0 overruns:0 frame:0
TX packets:19599253 errors:3 dropped:0 overruns:3 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1752551328 (1.6 GiB) TX bytes:2596161026 (2.4 GiB)
Interrupt:153 Base address:0xa400
eth1 Link encap:Ethernet HWaddr 00:04:5A:41:F3:A3
inet addr:172.16.21.57 Bcast:172.16.21.127 Mask:255.255.255.128
inet6 addr: fe80::204:5aff:fe41:f3a3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37256875 errors:0 dropped:0 overruns:0 frame:0
TX packets:12229753 errors:2 dropped:0 overruns:0 carrier:4
collisions:85618 txqueuelen:1000
RX bytes:3735950653 (3.4 GiB) TX bytes:1243354906 (1.1 GiB)
Interrupt:145 Base address:0xa800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:169042 errors:0 dropped:0 overruns:0 frame:0
TX packets:169042 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:26070572 (24.8 MiB) TX bytes:26070572 (24.8 MiB)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ip-addr-list
+
+ ip addr list
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
88: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:05:37:2c:7c brd ff:ff:ff:ff:ff:ff
inet 10.102.0.1/24 brd 10.102.0.255 scope global eth0
inet6 fe80::240:5ff:fe37:2c7c/64 scope link
valid_lft forever preferred_lft forever
89: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:04:5a:41:f3:a3 brd ff:ff:ff:ff:ff:ff
inet 172.16.21.57/25 brd 172.16.21.127 scope global eth1
inet6 fe80::204:5aff:fe41:f3a3/64 scope link
valid_lft forever preferred_lft forever
+ _________________________ ip-route-list
+
+ ip route list
172.16.21.0/25 dev eth1 proto kernel scope link src 172.16.21.57
10.102.0.0/24 dev eth0 proto kernel scope link src 10.102.0.1
192.168.0.0/16 via 172.16.21.1 dev eth1
default via 172.16.21.1 dev eth1
+ _________________________ ip-rule-list
+
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.5/K2.6.17-11-server (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
+ _________________________ mii-tool
+
+ [ -x /sbin/mii-tool ]
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: National DP83840A rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
eth1: negotiated 100baseTx-HD, link ok
product info: vendor 00:08:95, model 1 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-HD 10baseT-HD
+ _________________________ ipsec/directory
+
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+
+ hostname --fqdn
host01.princeton.somedomain.com
+ _________________________ hostname/ipaddress
+
+ hostname --ip-address
10.102.0.1
+ _________________________ uptime
+
+ uptime
16:07:26 up 20 days, 55 min, 4 users, load average: 0.55, 0.34, 0.22
+ _________________________ ps
+
+ ps alxwf
+ egrep -i ppid|pluto|ipsec|klips
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 4060 2897 18 0 1656 492 wait S+ pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/barf
1 0 4137 4060 22 0 1656 300 - R+ pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/barf
1 0 3785 1 25 0 2464 448 wait S pts/0 0:00 /bin/bash /usr/lib/ipsec/_plutorun --debug control parsing --uniquei ds yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --protostack auto --force_keepalive --disable_port_floating --virt ual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid / var/run/pluto/pluto.pid
1 0 3786 3785 25 0 2464 628 wait S pts/0 0:00 \_ /bin/bash /usr/lib/ipsec/_plutorun --debug control parsing --uni queids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --protostack auto --force_keepalive --disable_port_floating -- virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --p id /var/run/pluto/pluto.pid
4 0 3789 3786 15 0 7096 2328 - S pts/0 0:00 | \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secre ts --ipsecdir /etc/ipsec.d --debug-control --debug-parsing --use-auto --uniqueids
1 0 3795 3789 26 10 7036 1004 - SN pts/0 0:00 | \_ pluto helper # 0 -nofork
0 0 3859 3789 19 0 1528 304 - S pts/0 0:00 | \_ _pluto_adns
0 0 3787 3785 19 0 1660 488 pipe_w S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0 0 3788 1 16 0 1584 520 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+
+ ipsec showdefaults
routephys=eth1
routevirt=ipsec0
routeaddr=172.16.21.57
routenexthop=172.16.21.1
+ _________________________ ipsec/conf
+
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg:
plutodebug="control parsing"
#plutodebug="all"
#
# Only enable klipsdebug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
# nat_traversal=yes
# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
# Add connections here
# sample VPN connection
#conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=start
conn somedomain
type=tunnel
authby=secret
left=172.16.21.57
leftsubnet=10.102.0.0/16
leftnexthop=%defaultroute
right=172.16.61.87
rightsubnet=192.168.0.0/16
rightnexthop=172.16.61.81
#rightnexthop=%defaultroute
auto=start
#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 55
+ _________________________ ipsec/secrets
+
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
172.16.21.57 172.16.61.87 : PSK "[sums to c9f7...]"
+ _________________________ ipsec/listall
+
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ [ /etc/ipsec.d/policies ]
+ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+
+ ls -l /usr/lib/ipsec
total 1388
-rwxr-xr-x 1 root root 15859 Jul 10 2006 _confread
-rwxr-xr-x 1 root root 4236 Jul 10 2006 _copyright
-rwxr-xr-x 1 root root 2379 Jul 10 2006 _include
-rwxr-xr-x 1 root root 1475 Jul 10 2006 _keycensor
-rwxr-xr-x 1 root root 7980 Jul 10 2006 _pluto_adns
-rwxr-xr-x 1 root root 3586 Jul 10 2006 _plutoload
-rwxr-xr-x 1 root root 7059 Jul 10 2006 _plutorun
-rwxr-xr-x 1 root root 12275 Jul 10 2006 _realsetup
-rwxr-xr-x 1 root root 1975 Jul 10 2006 _secretcensor
-rwxr-xr-x 1 root root 9952 Jul 10 2006 _startklips
-rwxr-xr-x 1 root root 13912 Jul 10 2006 _updown
-rwxr-xr-x 1 root root 15740 Jul 10 2006 _updown_x509
-rwxr-xr-x 1 root root 18891 Jul 10 2006 auto
-rwxr-xr-x 1 root root 11331 Jul 10 2006 barf
-rwxr-xr-x 1 root root 816 Jul 10 2006 calcgoo
-rwxr-xr-x 1 root root 77544 Jul 10 2006 eroute
-rwxr-xr-x 1 root root 17428 Jul 10 2006 ikeping
-rwxr-xr-x 1 root root 1942 Jul 10 2006 ipsec_pr.template
-rwxr-xr-x 1 root root 60732 Jul 10 2006 klipsdebug
-rwxr-xr-x 1 root root 1836 Jul 10 2006 livetest
-rwxr-xr-x 1 root root 2605 Jul 10 2006 look
-rwxr-xr-x 1 root root 7147 Jul 10 2006 mailkey
-rwxr-xr-x 1 root root 16015 Jul 10 2006 manual
-rwxr-xr-x 1 root root 1926 Jul 10 2006 newhostkey
-rwxr-xr-x 1 root root 51872 Jul 10 2006 pf_key
-rwxr-xr-x 1 root root 652872 Jul 10 2006 pluto
-rwxr-xr-x 1 root root 6264 Jul 10 2006 ranbits
-rwxr-xr-x 1 root root 18588 Jul 10 2006 rsasigkey
-rwxr-xr-x 1 root root 766 Jul 10 2006 secrets
-rwxr-xr-x 1 root root 17624 Jul 10 2006 send-pr
lrwxrwxrwx 1 root root 17 Aug 29 21:53 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Jul 10 2006 showdefaults
-rwxr-xr-x 1 root root 4748 Jul 10 2006 showhostkey
-rwxr-xr-x 1 root root 118228 Jul 10 2006 spi
-rwxr-xr-x 1 root root 65540 Jul 10 2006 spigrp
-rwxr-xr-x 1 root root 10372 Jul 10 2006 tncfg
-rwxr-xr-x 1 root root 11623 Jul 10 2006 verify
-rwxr-xr-x 1 root root 51188 Jul 10 2006 whack
+ _________________________ ipsec/ls-execdir
+
+ ls -l /usr/lib/ipsec
total 1388
-rwxr-xr-x 1 root root 15859 Jul 10 2006 _confread
-rwxr-xr-x 1 root root 4236 Jul 10 2006 _copyright
-rwxr-xr-x 1 root root 2379 Jul 10 2006 _include
-rwxr-xr-x 1 root root 1475 Jul 10 2006 _keycensor
-rwxr-xr-x 1 root root 7980 Jul 10 2006 _pluto_adns
-rwxr-xr-x 1 root root 3586 Jul 10 2006 _plutoload
-rwxr-xr-x 1 root root 7059 Jul 10 2006 _plutorun
-rwxr-xr-x 1 root root 12275 Jul 10 2006 _realsetup
-rwxr-xr-x 1 root root 1975 Jul 10 2006 _secretcensor
-rwxr-xr-x 1 root root 9952 Jul 10 2006 _startklips
-rwxr-xr-x 1 root root 13912 Jul 10 2006 _updown
-rwxr-xr-x 1 root root 15740 Jul 10 2006 _updown_x509
-rwxr-xr-x 1 root root 18891 Jul 10 2006 auto
-rwxr-xr-x 1 root root 11331 Jul 10 2006 barf
-rwxr-xr-x 1 root root 816 Jul 10 2006 calcgoo
-rwxr-xr-x 1 root root 77544 Jul 10 2006 eroute
-rwxr-xr-x 1 root root 17428 Jul 10 2006 ikeping
-rwxr-xr-x 1 root root 1942 Jul 10 2006 ipsec_pr.template
-rwxr-xr-x 1 root root 60732 Jul 10 2006 klipsdebug
-rwxr-xr-x 1 root root 1836 Jul 10 2006 livetest
-rwxr-xr-x 1 root root 2605 Jul 10 2006 look
-rwxr-xr-x 1 root root 7147 Jul 10 2006 mailkey
-rwxr-xr-x 1 root root 16015 Jul 10 2006 manual
-rwxr-xr-x 1 root root 1926 Jul 10 2006 newhostkey
-rwxr-xr-x 1 root root 51872 Jul 10 2006 pf_key
-rwxr-xr-x 1 root root 652872 Jul 10 2006 pluto
-rwxr-xr-x 1 root root 6264 Jul 10 2006 ranbits
-rwxr-xr-x 1 root root 18588 Jul 10 2006 rsasigkey
-rwxr-xr-x 1 root root 766 Jul 10 2006 secrets
-rwxr-xr-x 1 root root 17624 Jul 10 2006 send-pr
lrwxrwxrwx 1 root root 17 Aug 29 21:53 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Jul 10 2006 showdefaults
-rwxr-xr-x 1 root root 4748 Jul 10 2006 showhostkey
-rwxr-xr-x 1 root root 118228 Jul 10 2006 spi
-rwxr-xr-x 1 root root 65540 Jul 10 2006 spigrp
-rwxr-xr-x 1 root root 10372 Jul 10 2006 tncfg
-rwxr-xr-x 1 root root 11623 Jul 10 2006 verify
-rwxr-xr-x 1 root root 51188 Jul 10 2006 whack
+ _________________________ ipsec/updowns
+
+ ls /usr/lib/ipsec
+ egrep updown
+ cat /usr/lib/ipsec/_updown
#! /bin/sh
# iproute2 version, default updown script
#
# Copyright (C) 2003-2004 Nigel Metheringham
# Copyright (C) 2002-2004 Michael Richardson <mcr at xelerance.com>
# Copyright (C) 2003-2005 Tuomo Soini <tis at foobar.fi>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown.in,v 1.21.2.11 2006/02/20 22:57:28 paul Exp $
# CAUTION: Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.
LC_ALL=C export LC_ALL
# things that this script gets (from ipsec_pluto(8) man page)
#
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway
# communications is IPv6, then a suffix of -v6 is added
# to the verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_CONN_POLICY
# the policy of the connection, as in:
# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
# PLUTO_NEXT_HOP
# is the next hop to which packets bound for the peer
# must be sent.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
# is the IP address of our client net. If the client
# is just the host, this will be the host's own IP
# address.
#
# PLUTO_MY_CLIENT_MASK
# is the mask for our client net. If the client is
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
# if non-empty, then the source address for the route will be
# set to this IP address.
#
# PLUTO_MY_PROTOCOL
# is the protocol for this connection. Useful for
# firewalling.
#
# PLUTO_MY_PORT
# is the port. Useful for firewalling.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub?
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
# is the IP address of the peer's client net. If the
# client is just the peer, this will be the peer's
# own IP address.
#
# PLUTO_PEER_CLIENT_MASK
# is the mask for the peer's client net. If the
# client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
# is the protocol set for remote end with port
# selector.
#
# PLUTO_PEER_PORT
# is the peer's port. Useful for firewalling.
#
# PLUTO_CONNECTION_TYPE
#
# Import default _updown configs from the /etc/default/pluto_updown file
#
# Two variables can be set in this file:
#
# DEFAULTSOURCE
# is the default value for PLUTO_MY_SOURCEIP
#
# IPROUTETABLE
# is the default value for IPROUTETABLE
#
# IPROUTEARGS
# is the extra argument list for ip route command
#
# IPRULEARGS
# is the extra argument list for ip rule command
#
if [ -f /etc/default/pluto_updown ]
then
. /etc/default/pluto_updown
fi
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
ip route flush cache
}
downroute() {
doroute delete
ip route flush cache
}
uprule() {
# policy based advanced routing
if [ -n "$IPROUTETABLE" ]
then
dorule delete
dorule add
fi
# virtual sourceip support
if [ -n "$PLUTO_MY_SOURCEIP" ]
then
addsource
rc=$?
if [ $rc -ne 0 ];
then
changesource
fi
fi
ip route flush cache
}
downrule() {
if [ -n "$IPROUTETABLE" ]
then
dorule delete
ip route flush cache
fi
}
addsource() {
st=0
# check if given sourceip is local and add as alias if not
if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
then
it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: File exists'*)
# should not happen, but ... ignore if the
# address was already assigned on interface
oops=""
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: addsource \`$it' failed ($oops)" >&2
fi
fi
return $st
}
changesource() {
# Change used route source to destination if there is previous
# Route to same PLUTO_PEER_CLIENT. This is basically to fix
# configuration errors where all conns to same destination don't
# have (left/right)sourceip set.
st=0
parms="$PLUTO_PEER_CLIENT dev ${PLUTO_INTERFACE%:*}"
parms="$parms src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms="$parms table $IPROUTETABLE"
fi
it="ip route change $parms"
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# opportunistic encryption work around
it=
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such file or directory'*)
# Will happen every time first tunnel is activated because
# there is no previous route to PLUTO_PEER_CLIENT. So we
# need to ignore this error.
oops=""
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: changesource \`$it' failed ($oops)" >&2
fi
return $st
}
dorule() {
st=0
it2=
iprule="from $PLUTO_MY_CLIENT"
iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# opportunistic encryption work around
st=0
;;
*)
if [ -z "$PLUTO_MY_SOURCEIP" ]
then
if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
fi
else
if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
it2="ip rule $1 iif lo $iprule2"
fi
fi
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it' failed ($oops)" >&2
fi
if test "$st" = "0" -a -n "$it2"
then
oops="`eval $it2 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it2' failed ($oops)" >&2
fi
fi
;;
esac
return $st
}
doroute() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2=
if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
then
parms2="via $PLUTO_NEXT_HOP"
fi
parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
parms3="$IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms3="$parms3 table $IPROUTETABLE"
fi
if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
then
PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
fi
if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
then
addsource
parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
fi
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# opportunistic encryption work around
# need to provide route that eclipses default, without
# replacing it.
it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
ip route $1 128.0.0.0/1 $parms2 $parms3"
;;
*) it="ip route $1 $parms $parms2 $parms3"
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: doroute \`$it' failed ($oops)" >&2
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# need to provide route that eclipses default, without
# replacing it.
parms1="0.0.0.0/1"
parms2="128.0.0.0/1"
it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
;;
*)
parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms="$parms table $IPROUTETABLE"
fi
it="ip route delete $parms 2>&1"
oops="`ip route delete $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
*'RTNETLINK answers: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
uprule
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
downrule
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
uprule
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
downrule
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
uprule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
downrule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
;;
route-host-v6:*|route-client-v6:*)
# connection to me or my client subnet being routed
#uproute_v6
;;
unroute-host-v6:*|unroute-client-v6:*)
# connection to me or my client subnet being unrouted
#downroute_v6
;;
up-host-v6:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host-v6:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client-v6:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client-v6:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ cat /usr/lib/ipsec/_updown_x509
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
#
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
S_MY_PORT="--sport $PLUTO_MY_PORT"
D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
S_PEER_PORT="--sport $PLUTO_PEER_PORT"
D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
# CAUTION: Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.
LC_ALL=C export LC_ALL
# things that this script gets (from ipsec_pluto(8) man page)
#
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway communica?
# tions is IPv6, then a suffix of -v6 is added to the
# verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_CONN_POLICY
# the policy of the connection, as in:
# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
# PLUTO_NEXT_HOP
# is the next hop to which packets bound for the peer
# must be sent.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
# is the IP address of our client net. If the client
# is just the host, this will be the host's own IP
# address.
#
# PLUTO_MY_CLIENT_MASK
# is the mask for our client net. If the client is
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
# if non-empty, then the source address for the route will be
# set to this IP address.
#
# PLUTO_MY_PROTOCOL
# is the protocol for this connection. Useful for
# firewalling.
#
# PLUTO_MY_PORT
# is the port. Useful for firewalling.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub?
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
# is the IP address of the peer's client net. If the
# client is just the peer, this will be the peer's
# own IP address.
#
# PLUTO_PEER_CLIENT_MASK
# is the mask for the peer's client net. If the
# client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
# is the protocol set for remote end with port
# selector.
#
# PLUTO_PEER_PORT
# is the peer's port. Useful for firewalling.
#
# PLUTO_CONNECTION_TYPE
#
# Import default _updown configs from the /etc/default/pluto_updown file
#
# Two variables can be set in this file:
#
# DEFAULTSOURCE
# is the default value for PLUTO_MY_SOURCEIP
#
# IPROUTETABLE
# is the default value for IPROUTETABLE
#
# IPROUTEARGS
# is the extra argument list for ip route command
#
# IPRULEARGS
# is the extra argument list for ip rule command
#
if [ -f /etc/default/pluto_updown ]
then
. /etc/default/pluto_updown
fi
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
ip route flush cache
}
downroute() {
doroute delete
ip route flush cache
}
uprule() {
# policy based advanced routing
if [ -n "$IPROUTETABLE" ]
then
dorule delete
dorule add
fi
# virtual sourceip support
if [ -n "$PLUTO_MY_SOURCEIP" ]
then
addsource
changesource
fi
ip route flush cache
}
downrule() {
if [ -n "$IPROUTETABLE" ]
then
dorule delete
ip route flush cache
fi
}
addsource() {
st=0
if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
then
it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: addsource \`$it' failed ($oops)" >&2
fi
fi
return $st
}
changesource() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2="dev ${PLUTO_INTERFACE%:*}"
parms3="src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms3="$parms3 table '$IPROUTETABLE'"
fi
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
it=
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: changesource \`$it' failed ($oops)" >&2
fi
return $st
}
dorule() {
st=0
it2=
iprule="from $PLUTO_MY_CLIENT"
iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
st=0
;;
*)
if [ -z "$PLUTO_MY_SOURCEIP" ]
then
if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
fi
else
if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
it2="ip rule $1 iif lo $iprule2"
fi
fi
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it' failed ($oops)" >&2
fi
if test "$st" = "0" -a -n "$it2"
then
oops="`eval $it2 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it2' failed ($oops)" >&2
fi
fi
;;
esac
return $st
}
doroute() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2=
if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
then
parms2="via $PLUTO_NEXT_HOP"
fi
parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
parms3="$IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms3="$parms3 table $IPROUTETABLE"
fi
if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
then
PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
fi
if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
then
addsource
parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
fi
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
# need to provide route that eclipses default, without
# replacing it.
it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
ip route $1 128.0.0.0/1 $parms2 $parms3"
;;
*) it="ip route $1 $parms $parms2 $parms3"
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: doroute \`$it' failed ($oops)" >&2
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# need to provide route that eclipses default, without
# replacing it.
parms1="0.0.0.0/1"
parms2="128.0.0.0/1"
it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
;;
*)
parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms="$parms table $IPROUTETABLE"
fi
it="ip route delete $parms 2>&1"
oops="`ip route delete $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
*'RTNETLINK answers: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
uprule
# If you are doing a custom version, firewall commands go here.
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
down-host:*)
# connection to me going down
downrule
# If you are doing a custom version, firewall commands go here.
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
up-client:)
# connection to my client subnet coming up
uprule
# If you are doing a custom version, firewall commands go here.
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
down-client:)
# connection to my client subnet going down
downrule
# If you are doing a custom version, firewall commands go here.
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
uprule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
downrule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
;;
route-host-v6:*|route-client-v6:*)
# connection to me or my client subnet being routed
#uproute_v6
;;
unroute-host-v6:*|unroute-client-v6:*)
# connection to me or my client subnet being unrouted
#downroute_v6
;;
up-host-v6:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host-v6:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client-v6:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client-v6:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ _________________________ /proc/net/dev
+
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo:26071082 169048 0 0 0 0 0 0 26071082 169048 0 0 0 0 0 0
sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth0:1752552240 12971794 1 0 0 0 0 0 2596161068 19599254 3 0 3 0 0 0
eth1:3735954227 37256922 0 0 0 0 0 0 1243416552 12229820 2 0 0 85618 4 0
+ _________________________ /proc/net/route
+
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth1 00E7E118 00000000 0001 0 0 0 80FFFFFF 0 0 0
eth0 0000660A 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth1 0000A8C0 01E7E118 0003 0 0 0 0000FFFF 0 0 0
eth1 00000000 01E7E118 0003 0 0 0 00000000 0 0 0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+
+ cd /proc/sys/net/ipv4/conf
+ egrep ^ all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:0
eth1/rp_filter:1
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+
+ cd /proc/sys/net/ipv4/conf
+ egrep ^ all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:0
eth1/rp_filter:1
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+
+ cd /proc/sys/net/ipv4/conf
+ egrep ^ all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_red irects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects lo /accept_redirects lo/secure_redirects lo/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:1
default/accept_redirects:0
default/secure_redirects:1
default/send_redirects:0
eth0/accept_redirects:1
eth0/secure_redirects:1
eth0/send_redirects:1
eth1/accept_redirects:1
eth1/secure_redirects:1
eth1/send_redirects:1
lo/accept_redirects:1
lo/secure_redirects:1
lo/send_redirects:1
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+
+ uname -a
Linux host01 2.6.17-11-server #2 SMP Thu Feb 1 19:53:33 UTC 2007 i686 GNU/Linux
+ _________________________ config-built-with
+
+ test -r /proc/config_built_with
+ _________________________ distro-release
+
+ test -f /etc/redhat-release
+ test -f /etc/debian-release
+ test -f /etc/SuSE-release
+ test -f /etc/mandrake-release
+ test -f /etc/mandriva-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
+ uname -r
+ echo NETKEY (2.6.17-11-server) support detected
NETKEY (2.6.17-11-server) support detected
+ _________________________ ipfwadm
+
+ test -r /sbin/ipfwadm
+ no old-style linux 1.x/2.0 ipfwadm firewall support
/usr/lib/ipsec/barf: 1: no old-style linux 1.x/2.0 ipfwadm firewall support: not found
+ _________________________ ipchains
+
+ test -r /sbin/ipchains
+ echo no old-style linux 2.0 ipchains firewall support
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy DROP 5 packets, 1772 bytes)
pkts bytes target prot opt in out source destination
22526 3046K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
98657 17M eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ppp0_in all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
338K 39M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJEC T:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 1 packets, 328 bytes)
pkts bytes target prot opt in out source destination
12986 748K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
2971K 4055M eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ppp0_fwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
1764K 122M eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
3250 262K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
3184 256K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJ ECT:'
3184 256K reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
22526 3046K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 ACCEPT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
1 328 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
49246 7751K fw2net all -- * eth1 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 fw2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
114K 19M fw2loc all -- * eth0 0.0.0.0/0 10.102.0.0/24 policy match dir out pol none
0 0 fw2loc all -- * eth0 0.0.0.0/0 255.255.255.255
22221 808K fw2loc all -- * eth0 0.0.0.0/0 224.0.0.0/4
12570 1056K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
12570 1056K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJE CT:'
12570 1056K reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (3 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
1520 162K dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
1520 162K dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
255 15132 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain Reject (6 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
15820 1318K dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
15820 1318K dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
70 6017 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
2 165 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain all2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJ ECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
50 3845 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
75 9901 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
12738 1028K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
12738 1028K smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW policy match dir in pol none
1749K 121M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
1760K 122M loc2net all -- * eth1 10.102.0.0/24 0.0.0.0/0 policy match dir out pol none
0 0 loc2net all -- * ppp0 10.102.0.0/24 0.0.0.0/0 policy match dir out pol none
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
248K 11M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
248K 11M smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW policy match dir in pol none
248 87083 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
81226 28M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
338K 39M loc2fw all -- * * 10.102.0.0/24 0.0.0.0/0 policy match dir in pol none
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW policy match dir in pol none
2962K 4054M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
0 0 ACCEPT all -- * ppp0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
2971K 4055M net2loc all -- * eth0 0.0.0.0/0 10.102.0.0/24 policy match dir out pol none
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
35508 12M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
35508 12M smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW policy match dir in pol none
33838 12M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
63073 4871K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
64819 5088K net2fw all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
Chain fw2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:fw2all:REJE CT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (3 references)
pkts bytes target prot opt in out source destination
106K 18M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
13 1092 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
30592 2286K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (2 references)
pkts bytes target prot opt in out source destination
48876 7716K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
36 2391 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
182 15288 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
152 17150 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:loc2all:REJ ECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
90206 29M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
21 1260 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
8 264 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
248K 10M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (2 references)
pkts bytes target prot opt in out source destination
1751K 121M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9552 772K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix `Shorewall:logflags:DR OP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DRO P:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (2 references)
pkts bytes target prot opt in out source destination
63149 4915K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
12 636 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
25 2984 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4500
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
113 7882 reject icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
1520 162K Drop all -- * * 0.0.0.0/0 0.0.0.0/0
1459 154K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2fw:DROP :'
1459 154K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (2 references)
pkts bytes target prot opt in out source destination
2971K 4055M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2loc:DRO P:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW policy match dir in pol none
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 net2loc all -- * eth0 0.0.0.0/0 10.102.0.0/24 policy match dir out pol none
Chain ppp0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW policy match dir in pol none
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
0 0 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
Chain reject (13 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 172.16.21.127 0.0.0.0/0
0 0 DROP all -- * * 10.102.0.255 0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
6 288 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
3216 260K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
12645 1061K REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (6 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 172.16.21.127 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP :'
0 0 DROP all -- * * 172.16.21.127 0.0.0.0/0
0 0 LOG all -- * * 10.102.0.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP :'
0 0 DROP all -- * * 10.102.0.255 0.0.0.0/0
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP :'
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP :'
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
Chain tcpflags (6 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x17/0x02
+ _________________________ iptables-nat
+
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 14445 packets, 1270K bytes)
pkts bytes target prot opt in out source destination
12520 1018K loc_dnat all -- eth0 * 10.102.0.0/24 0.0.0.0/0 policy match dir in pol none
Chain POSTROUTING (policy ACCEPT 2712 packets, 312K bytes)
pkts bytes target prot opt in out source destination
7642 485K eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ppp0_masq all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 15273 packets, 1367K bytes)
pkts bytes target prot opt in out source destination
Chain eth1_masq (1 references)
pkts bytes target prot opt in out source destination
7475 468K MASQUERADE all -- * * 10.102.0.0/24 0.0.0.0/0 policy match dir out pol none
Chain loc_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 192.168.244.202 tcp dpt:873 redir ports 873
Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.102.0.0/24 0.0.0.0/0 policy match dir out pol none
+ _________________________ iptables-mangle
+
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 5194K packets, 4237M bytes)
pkts bytes target prot opt in out source destination
5194K 4237M tcpre all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 460K packets, 59M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 4734K packets, 4178M bytes)
pkts bytes target prot opt in out source destination
4734K 4178M tcfor all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 13M packets, 1581M bytes)
pkts bytes target prot opt in out source destination
221K 32M tcout all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 4968K packets, 4210M bytes)
pkts bytes target prot opt in out source destination
4968K 4210M tcpost all -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
+ _________________________ /proc/modules
+
+ test -f /proc/modules
+ cat /proc/modules
xfrm_user 24320 2 - Live 0xd0d02000
xfrm4_tunnel 3712 0 - Live 0xd0c6a000
af_key 38288 0 - Live 0xd0c86000
deflate 5120 0 - Live 0xd0caf000
zlib_deflate 22040 1 deflate, Live 0xd0d25000
twofish 46848 0 - Live 0xd0d36000
serpent 21120 0 - Live 0xd0d1e000
blowfish 10496 0 - Live 0xd0d1a000
sha256 12288 0 - Live 0xd0d16000
crypto_null 3840 0 - Live 0xd0cad000
aes 28864 0 - Live 0xd0d0d000
des 18944 2 - Live 0xd0cd2000
tunnel4 4612 1 xfrm4_tunnel, Live 0xd0caa000
ipcomp 9224 0 - Live 0xd0c96000
esp4 9600 2 - Live 0xd0c92000
ah4 8064 0 - Live 0xd0c3c000
tulip 55072 0 - Live 0xd0871000
nfs 249804 0 - Live 0xd0d4c000
lockd 67848 1 nfs, Live 0xd0cc0000
sunrpc 165820 2 nfs,lockd, Live 0xd0cd8000
af_packet 24584 0 - Live 0xd0ca2000
autofs4 23300 1 - Live 0xd0c9b000
ip6table_filter 3968 1 - Live 0xd0c65000
ip6_tables 16484 1 ip6table_filter, Live 0xd0c74000
xt_state 3328 23 - Live 0xd0c63000
xt_tcpudp 4480 31 - Live 0xd0c60000
xt_pkttype 2944 4 - Live 0xd0c72000
iptable_raw 3200 0 - Live 0xd0c70000
xt_CLASSIFY 2944 0 - Live 0xd0c6e000
xt_connmark 3200 0 - Live 0xd0c6c000
xt_physdev 3600 0 - Live 0xd0c5e000
xt_policy 4992 27 - Live 0xd0c5b000
xt_multiport 4608 4 - Live 0xd0c58000
xt_conntrack 3712 0 - Live 0xd0c52000
iptable_mangle 3968 1 - Live 0xd0c50000
ipt_ULOG 9348 0 - Live 0xd0c54000
ipt_TTL 3456 0 - Live 0xd0c4e000
ipt_ttl 3072 0 - Live 0xd0c4c000
ipt_TOS 3456 0 - Live 0xd0c4a000
ipt_tos 2688 0 - Live 0xd0c48000
ipt_TCPMSS 5376 1 - Live 0xd0c45000
ipt_SAME 3456 0 - Live 0xd0c43000
ipt_REJECT 6784 4 - Live 0xd0c15000
ipt_REDIRECT 3200 1 - Live 0xd0c3a000
ipt_recent 12044 0 - Live 0xd0c3f000
ipt_owner 3200 0 - Live 0xd0c34000
ipt_NETMAP 3072 0 - Live 0xd0c32000
ipt_MASQUERADE 4864 2 - Live 0xd0c2b000
ipt_LOG 8320 14 - Live 0xd0c36000
ipt_iprange 2944 0 - Live 0xd0c29000
ipt_hashlimit 10632 0 - Live 0xd0c2e000
ipt_ECN 4352 0 - Live 0xd0c26000
ipt_ecn 3456 0 - Live 0xd0c24000
ipt_DSCP 3456 0 - Live 0xd0c1d000
ipt_dscp 2816 0 - Live 0xd0c1b000
ipt_CLUSTERIP 10116 0 - Live 0xd0c20000
ipt_ah 3072 0 - Live 0xd0be7000
ipt_addrtype 3072 0 - Live 0xd0bdc000
ip_nat_irc 3840 0 - Live 0xd0998000
ip_nat_tftp 2944 0 - Live 0xd097e000
ip_nat_ftp 4736 0 - Live 0xd0c18000
ip_conntrack_irc 7920 1 ip_nat_irc, Live 0xd0afa000
ip_conntrack_tftp 5368 1 ip_nat_tftp, Live 0xd0be4000
ip_conntrack_ftp 8816 1 ip_nat_ftp, Live 0xd0c11000
iptable_nat 8964 1 - Live 0xd0be9000
ip_nat 19884 8 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,iptable_nat, Live 0xd0bde000
sha1 3840 2 - Live 0xd0afd000
arc4 3200 0 - Live 0xd0a92000
ppp_mppe 8324 0 - Live 0xd0bd3000
ip_conntrack 53088 12 xt_state,xt_connmark,xt_conntrack,ipt_MASQUERADE,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,ip_conntrack_irc,ip_conntrack_tf tp,ip_conntrack_ftp,iptable_nat,ip_nat, Live 0xd0c03000
nfnetlink 8088 2 ip_nat,ip_conntrack, Live 0xd0a87000
iptable_filter 4224 1 - Live 0xd0a8a000
ip_tables 15204 4 iptable_raw,iptable_mangle,iptable_nat,iptable_filter, Live 0xd0a8d000
x_tables 16132 35 ip6_tables,xt_state,xt_tcpudp,xt_pkttype,xt_CLASSIFY,xt_connmark,xt_physdev,xt_policy,xt_multiport,xt_conntrack,ipt_ULO G,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_TCPMSS,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_ iprange,ipt_hashlimit,ipt_ECN,ipt_ecn,ipt_DSCP,ipt_dscp,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,iptable_nat,ip_tables, Live 0xd0a25000
ppp_async 13440 0 - Live 0xd09c0000
crc_ccitt 3200 1 ppp_async, Live 0xd08fa000
ppp_generic 30484 2 ppp_mppe,ppp_async, Live 0xd09dd000
slhc 8448 1 ppp_generic, Live 0xd09d9000
md_mod 82836 0 - Live 0xd0bed000
lp 12964 0 - Live 0xd09a2000
joydev 11200 0 - Live 0xd09bc000
tsdev 9152 0 - Live 0xd09ab000
snd_au8820 36768 0 - Live 0xd0a0a000
gameport 17032 2 snd_au8820, Live 0xd09d3000
ipv6 271136 28 - Live 0xd0a94000
snd_ac97_codec 97440 1 snd_au8820, Live 0xd0a2a000
snd_pcm_oss 47232 0 - Live 0xd09fd000
snd_mixer_oss 19328 1 snd_pcm_oss, Live 0xd09cd000
snd_pcm 84356 3 snd_au8820,snd_ac97_codec,snd_pcm_oss, Live 0xd09e7000
snd_timer 25348 1 snd_pcm, Live 0xd09c5000
snd_page_alloc 11528 1 snd_pcm, Live 0xd09a7000
snd_ac97_bus 3456 1 snd_ac97_codec, Live 0xd085a000
i2c_voodoo3 6276 0 - Live 0xd0995000
i2c_algo_bit 10376 1 i2c_voodoo3, Live 0xd097a000
snd_mpu401_uart 10240 1 snd_au8820, Live 0xd0991000
psmouse 41352 0 - Live 0xd09b0000
snd_rawmidi 27136 1 snd_mpu401_uart, Live 0xd099a000
snd_seq_device 9868 1 snd_rawmidi, Live 0xd0976000
evdev 11392 0 - Live 0xd0972000
i2c_piix4 10000 0 - Live 0xd096e000
serio_raw 8452 0 - Live 0xd0907000
i2c_core 23424 2 i2c_algo_bit,i2c_piix4, Live 0xd0955000
pcspkr 4352 0 - Live 0xd08cd000
intel_agp 26012 1 - Live 0xd0966000
agpgart 35016 1 intel_agp, Live 0xd095c000
parport_pc 37796 1 - Live 0xd08ef000
parport 39368 2 lp,parport_pc, Live 0xd08fc000
snd 58116 9 snd_au8820,snd_ac97_codec,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer,snd_mpu401_uart,snd_rawmidi,snd_seq_device, Live 0xd094 0000
floppy 62916 0 - Live 0xd092f000
soundcore 11232 1 snd, Live 0xd08eb000
shpchp 42144 0 - Live 0xd088d000
pci_hotplug 32828 1 shpchp, Live 0xd08e1000
ext3 142600 3 - Live 0xd090b000
jbd 62100 1 ext3, Live 0xd08bc000
dm_mod 62616 3 - Live 0xd08d0000
usbhid 45280 2 - Live 0xd0880000
ide_generic 2432 0 - Live 0xd0855000
uhci_hcd 25096 0 - Live 0xd082a000
usbcore 134656 5 usbhid,uhci_hcd, Live 0xd089a000
hpt366 20480 2 - Live 0xd084d000
ide_cd 33696 0 - Live 0xd0867000
cdrom 38944 1 ide_cd, Live 0xd085c000
ide_disk 18560 6 - Live 0xd0847000
piix 11780 1 - Live 0xd081d000
generic 6276 0 - Live 0xd0827000
processor 31560 0 - Live 0xd083e000
fbcon 41376 0 - Live 0xd0832000
tileblit 3840 1 fbcon, Live 0xd0825000
font 9344 1 fbcon, Live 0xd0821000
bitblit 7296 1 fbcon, Live 0xd0818000
softcursor 3328 1 bitblit, Live 0xd081b000
vesafb 9244 0 - Live 0xd080d000
capability 5896 0 - Live 0xd0815000
commoncap 8704 1 capability, Live 0xd0811000
+ _________________________ /proc/meminfo
+
+ cat /proc/meminfo
MemTotal: 256008 kB
MemFree: 5424 kB
Buffers: 104984 kB
Cached: 91384 kB
SwapCached: 16 kB
Active: 117736 kB
Inactive: 90112 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 256008 kB
LowFree: 5424 kB
SwapTotal: 746980 kB
SwapFree: 746776 kB
Dirty: 208 kB
Writeback: 0 kB
Mapped: 17552 kB
Slab: 36232 kB
CommitLimit: 874984 kB
Committed_AS: 111104 kB
PageTables: 816 kB
VmallocTotal: 774136 kB
VmallocUsed: 5528 kB
VmallocChunk: 768368 kB
+ _________________________ /proc/net/ipsec-ls
+
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+
+ test -f /proc/config.gz
+ uname -r
+ test -f /lib/modules/2.6.17-11-server/build/.config
+ echo no .config file found, cannot list kernel properties
no .config file found, cannot list kernel properties
+ _________________________ etc/syslog.conf
+
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.crit;news.err;news.notice;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
+ _________________________ etc/syslog-ng/syslog-ng.conf
+
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ _________________________ etc/resolv.conf
+
+ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search princeton.somedomain.com somedomain.com chaos.local
+ _________________________ lib/modules-ls
+
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 4 root root 4096 Mar 7 00:54 2.6.17-10-server
drwxr-xr-x 4 root root 4096 Mar 27 18:40 2.6.17-11-server
+ _________________________ /proc/ksyms-netif_rx
+
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c026ec90 T __netif_rx_schedule
c026ff20 T netif_rx
c0271350 T netif_rx_ni
c03551a8 r __ksymtab___netif_rx_schedule
c03551d0 r __ksymtab_netif_rx_ni
c03552b0 r __ksymtab_netif_rx
c0358ac4 r __kcrctab___netif_rx_schedule
c0358ad8 r __kcrctab_netif_rx_ni
c0358b48 r __kcrctab_netif_rx
c0362f08 r __kstrtab___netif_rx_schedule
c0362f6b r __kstrtab_netif_rx_ni
c036312e r __kstrtab_netif_rx
c026ff20 U netif_rx [tulip]
c026ff20 U netif_rx [ppp_generic]
c026ff20 U netif_rx [ipv6]
+ _________________________ lib/modules-netif_rx
+
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.17-10-server:
2.6.17-11-server:
+ _________________________ kern.debug
+
+ test -f /var/log/kern.debug
+ _________________________ klog
+
+ sed -n 1908,$p /var/log/syslog
+ egrep -i ipsec|klips|pluto
+ cat
Sep 5 16:03:22 host01 ipsec_setup: Starting Openswan IPsec 2.4.5...
Sep 5 16:03:22 host01 ipsec_setup: insmod /lib/modules/2.6.17-11-server/kernel/net/key/af_key.ko
Sep 5 16:03:22 host01 ipsec_setup: insmod /lib/modules/2.6.17-11-server/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 5 16:03:22 host01 ipsec_setup: insmod /lib/modules/2.6.17-11-server/kernel/net/xfrm/xfrm_user.ko
Sep 5 16:03:22 host01 ipsec_setup: insmod /lib/modules/2.6.17-11-server/kernel/drivers/char/hw_random.ko
Sep 5 16:03:22 host01 ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-11-server/kernel/drivers/char/hw_random.ko): No such device
Sep 5 16:03:22 host01 ipsec_setup: insmod /lib/modules/2.6.17-11-server/kernel/drivers/crypto/padlock.ko
Sep 5 16:03:22 host01 ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.17-11-server/kernel/drivers/crypto/padlock.ko): No s uch device
Sep 5 16:03:24 host01 ipsec__plutorun: 104 "somedomain" #1: STATE_MAIN_I1: initiate
Sep 5 16:03:24 host01 ipsec__plutorun: ...could not start conn "somedomain"
+ _________________________ plog
+
+ sed -n 17870,$p /var/log/auth.log
+ egrep -i pluto
+ cat
Sep 5 16:03:22 host01 ipsec__plutorun: Starting Pluto subsystem...
Sep 5 16:03:22 host01 pluto[3789]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Ven dor ID OEGfuJ[Ye{Ah)
Sep 5 16:03:22 host01 pluto[3789]: Setting NAT-Traversal port-4500 floating to off
Sep 5 16:03:22 host01 pluto[3789]: port floating activation criteria nat_t=0/port_fload=1
Sep 5 16:03:22 host01 pluto[3789]: including NAT-Traversal patch (Version 0.6c) [disabled]
Sep 5 16:03:22 host01 pluto[3789]: | opening /dev/urandom
Sep 5 16:03:22 host01 pluto[3789]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Sep 5 16:03:22 host01 pluto[3789]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
Sep 5 16:03:22 host01 pluto[3789]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 5 16:03:22 host01 pluto[3789]: starting up 1 cryptographic helpers
Sep 5 16:03:22 host01 pluto[3795]: | opening /dev/urandom
Sep 5 16:03:22 host01 pluto[3789]: started helper pid=3795 (fd:6)
Sep 5 16:03:22 host01 pluto[3789]: Using Linux 2.6 IPsec interface code on 2.6.17-11-server
Sep 5 16:03:22 host01 pluto[3795]: ! helper 0 waiting on fd: 7
Sep 5 16:03:23 host01 pluto[3789]: Changing to directory '/etc/ipsec.d/cacerts'
Sep 5 16:03:23 host01 pluto[3789]: Changing to directory '/etc/ipsec.d/aacerts'
Sep 5 16:03:23 host01 pluto[3789]: Changing to directory '/etc/ipsec.d/ocspcerts'
Sep 5 16:03:23 host01 pluto[3789]: Changing to directory '/etc/ipsec.d/crls'
Sep 5 16:03:23 host01 pluto[3789]: Warning: empty directory
Sep 5 16:03:23 host01 pluto[3789]: | inserting event EVENT_LOG_DAILY, timeout in 28597 seconds
Sep 5 16:03:23 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 119 seconds
Sep 5 16:03:23 host01 pluto[3789]: |
Sep 5 16:03:23 host01 pluto[3789]: | *received whack message
Sep 5 16:03:23 host01 pluto[3789]: | Added new connection somedomain with policy PSK+ENCRYPT+TUNNEL+PFS
Sep 5 16:03:23 host01 pluto[3789]: | counting wild cards for (none) is 15
Sep 5 16:03:23 host01 pluto[3789]: | counting wild cards for (none) is 15
Sep 5 16:03:23 host01 pluto[3789]: added connection description "somedomain"
Sep 5 16:03:23 host01 pluto[3789]: | 10.102.0.0/16===172.16.21.57---172.16.21.1...172.16.61.81---172.16.61.87===192.168.0.0/16
Sep 5 16:03:23 host01 pluto[3789]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS
Sep 5 16:03:23 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 119 seconds
Sep 5 16:03:23 host01 pluto[3789]: |
Sep 5 16:03:23 host01 pluto[3789]: | *received whack message
Sep 5 16:03:23 host01 pluto[3789]: listening for IKE messages
Sep 5 16:03:23 host01 pluto[3789]: | found lo with address 127.0.0.1
Sep 5 16:03:23 host01 pluto[3789]: | found eth0 with address 10.102.0.1
Sep 5 16:03:23 host01 pluto[3789]: | found eth1 with address 172.16.21.57
Sep 5 16:03:23 host01 pluto[3789]: adding interface eth1/eth1 172.16.21.57:500
Sep 5 16:03:23 host01 pluto[3789]: adding interface eth0/eth0 10.102.0.1:500
Sep 5 16:03:23 host01 pluto[3789]: adding interface lo/lo 127.0.0.1:500
Sep 5 16:03:23 host01 pluto[3789]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Sep 5 16:03:23 host01 pluto[3789]: adding interface lo/lo ::1:500
Sep 5 16:03:23 host01 pluto[3789]: loading secrets from "/etc/ipsec.secrets"
Sep 5 16:03:23 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 119 seconds
Sep 5 16:03:24 host01 pluto[3789]: |
Sep 5 16:03:24 host01 pluto[3789]: | *received whack message
Sep 5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep 5 16:03:24 host01 pluto[3789]: | route owner of "somedomain" unrouted: NULL; eroute owner: NULL
Sep 5 16:03:24 host01 pluto[3789]: | could_route called for somedomain (kind=CK_PERMANENT)
Sep 5 16:03:24 host01 pluto[3789]: | route owner of "somedomain" unrouted: NULL; eroute owner: NULL
Sep 5 16:03:24 host01 pluto[3789]: | add eroute 192.168.0.0/16:0 --0-> 10.102.0.0/16:0 => %trap (raw_eroute)
Sep 5 16:03:24 host01 pluto[3789]: | eroute_connection add eroute 10.102.0.0/16:0 --0-> 192.168.0.0/16:0 => %trap (raw_eroute)
Sep 5 16:03:24 host01 pluto[3789]: | route_and_eroute: firewall_notified: true
Sep 5 16:03:24 host01 pluto[3789]: | command executing prepare-client
Sep 5 16:03:24 host01 pluto[3789]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='da tadomain' PLUTO_NEXT_HOP='172.16.21.1' PLUTO_INTERFACE='eth1' PLUTO_ME='172.16.21.57' PLUTO_MY_ID='172.16.21.57' PLUTO_MY_CLIENT='10.1 02.0.0/16' PLUTO_MY_CLIENT_NET='10.102.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='207.47 .14.87' PLUTO_PEER_ID='172.16.61.87' PLUTO_PEER_CLIENT='192.168.0.0/16' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.2 55.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS' ipsec _updown
Sep 5 16:03:24 host01 pluto[3789]: | command executing route-client
Sep 5 16:03:24 host01 pluto[3789]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='datado main' PLUTO_NEXT_HOP='172.16.21.1' PLUTO_INTERFACE='eth1' PLUTO_ME='172.16.21.57' PLUTO_MY_ID='172.16.21.57' PLUTO_MY_CLIENT='10.102.0 .0/16' PLUTO_MY_CLIENT_NET='10.102.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='172.16.61. 87' PLUTO_PEER_ID='172.16.61.87' PLUTO_PEER_CLIENT='192.168.0.0/16' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.255.0 .0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS' ipsec _updown
Sep 5 16:03:24 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 118 seconds
Sep 5 16:03:24 host01 pluto[3789]: |
Sep 5 16:03:24 host01 pluto[3789]: | *received whack message
Sep 5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep 5 16:03:24 host01 pluto[3789]: | empty esp_info, returning empty
Sep 5 16:03:24 host01 pluto[3789]: | creating state object #1 at 0x80fe5f8
Sep 5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep 5 16:03:24 host01 pluto[3789]: | ICOOKIE: 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | RCOOKIE: 00 00 00 00 00 00 00 00
Sep 5 16:03:24 host01 pluto[3789]: | peer: cf 2f 0e 57
Sep 5 16:03:24 host01 pluto[3789]: | state hash entry 5
Sep 5 16:03:24 host01 pluto[3789]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Sep 5 16:03:24 host01 pluto[3789]: | Queuing pending Quick Mode with 172.16.61.87 "somedomain"
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #1: initiating Main Mode
Sep 5 16:03:24 host01 pluto[3789]: | sending 212 bytes for main_outI1 through eth1:500 to 172.16.61.87:500:
Sep 5 16:03:24 host01 pluto[3789]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Sep 5 16:03:24 host01 pluto[3789]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Sep 5 16:03:24 host01 pluto[3789]: |
Sep 5 16:03:24 host01 pluto[3789]: | *received 156 bytes from 172.16.61.87:500 on eth1 (port=500)
Sep 5 16:03:24 host01 pluto[3789]: | **parse ISAKMP Message:
Sep 5 16:03:24 host01 pluto[3789]: | initiator cookie:
Sep 5 16:03:24 host01 pluto[3789]: | 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | responder cookie:
Sep 5 16:03:24 host01 pluto[3789]: | 2a cf ac d9 ea 92 05 f6
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_SA
Sep 5 16:03:24 host01 pluto[3789]: | ISAKMP version: ISAKMP Version 1.0
Sep 5 16:03:24 host01 pluto[3789]: | exchange type: ISAKMP_XCHG_IDPROT
Sep 5 16:03:24 host01 pluto[3789]: | flags: none
Sep 5 16:03:24 host01 pluto[3789]: | message ID: 00 00 00 00
Sep 5 16:03:24 host01 pluto[3789]: | length: 156
Sep 5 16:03:24 host01 pluto[3789]: | processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Sep 5 16:03:24 host01 pluto[3789]: | ICOOKIE: 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | RCOOKIE: 2a cf ac d9 ea 92 05 f6
Sep 5 16:03:24 host01 pluto[3789]: | peer: cf 2f 0e 57
Sep 5 16:03:24 host01 pluto[3789]: | state hash entry 8
Sep 5 16:03:24 host01 pluto[3789]: | state object not found
Sep 5 16:03:24 host01 pluto[3789]: | ICOOKIE: 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | RCOOKIE: 00 00 00 00 00 00 00 00
Sep 5 16:03:24 host01 pluto[3789]: | peer: cf 2f 0e 57
Sep 5 16:03:24 host01 pluto[3789]: | state hash entry 5
Sep 5 16:03:24 host01 pluto[3789]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
Sep 5 16:03:24 host01 pluto[3789]: | state object #1 found, in STATE_MAIN_I1
Sep 5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Security Association Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_VID
Sep 5 16:03:24 host01 pluto[3789]: | length: 52
Sep 5 16:03:24 host01 pluto[3789]: | DOI: ISAKMP_DOI_IPSEC
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Vendor ID Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_VID
Sep 5 16:03:24 host01 pluto[3789]: | length: 32
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Vendor ID Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_VID
Sep 5 16:03:24 host01 pluto[3789]: | length: 20
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Vendor ID Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_NONE
Sep 5 16:03:24 host01 pluto[3789]: | length: 24
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #1: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd845100000000 00000000]
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #1: received Vendor ID payload [Dead Peer Detection]
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Sep 5 16:03:24 host01 pluto[3789]: | ****parse IPsec DOI SIT:
Sep 5 16:03:24 host01 pluto[3789]: | IPsec DOI SIT: SIT_IDENTITY_ONLY
Sep 5 16:03:24 host01 pluto[3789]: | ****parse ISAKMP Proposal Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_NONE
Sep 5 16:03:24 host01 pluto[3789]: | length: 40
Sep 5 16:03:24 host01 pluto[3789]: | proposal number: 1
Sep 5 16:03:24 host01 pluto[3789]: | protocol ID: PROTO_ISAKMP
Sep 5 16:03:24 host01 pluto[3789]: | SPI size: 0
Sep 5 16:03:24 host01 pluto[3789]: | number of transforms: 1
Sep 5 16:03:24 host01 pluto[3789]: | *****parse ISAKMP Transform Payload (ISAKMP):
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_NONE
Sep 5 16:03:24 host01 pluto[3789]: | length: 32
Sep 5 16:03:24 host01 pluto[3789]: | transform number: 1
Sep 5 16:03:24 host01 pluto[3789]: | transform ID: KEY_IKE
Sep 5 16:03:24 host01 pluto[3789]: | ******parse ISAKMP Oakley attribute:
Sep 5 16:03:24 host01 pluto[3789]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM
Sep 5 16:03:24 host01 pluto[3789]: | length/value: 5
Sep 5 16:03:24 host01 pluto[3789]: | [5 is OAKLEY_3DES_CBC]
Sep 5 16:03:24 host01 pluto[3789]: | ******parse ISAKMP Oakley attribute:
Sep 5 16:03:24 host01 pluto[3789]: | af+type: OAKLEY_HASH_ALGORITHM
Sep 5 16:03:24 host01 pluto[3789]: | length/value: 2
Sep 5 16:03:24 host01 pluto[3789]: | [2 is OAKLEY_SHA1]
Sep 5 16:03:24 host01 pluto[3789]: | ******parse ISAKMP Oakley attribute:
Sep 5 16:03:24 host01 pluto[3789]: | af+type: OAKLEY_GROUP_DESCRIPTION
Sep 5 16:03:24 host01 pluto[3789]: | length/value: 2
Sep 5 16:03:24 host01 pluto[3789]: | [2 is OAKLEY_GROUP_MODP1024]
Sep 5 16:03:24 host01 pluto[3789]: | ******parse ISAKMP Oakley attribute:
Sep 5 16:03:24 host01 pluto[3789]: | af+type: OAKLEY_AUTHENTICATION_METHOD
Sep 5 16:03:24 host01 pluto[3789]: | length/value: 1
Sep 5 16:03:24 host01 pluto[3789]: | [1 is OAKLEY_PRESHARED_KEY]
Sep 5 16:03:24 host01 pluto[3789]: | started looking for secret for 172.16.21.57->172.16.61.87 of kind PPK_PSK
Sep 5 16:03:24 host01 pluto[3789]: | actually looking for secret for 172.16.21.57->172.16.61.87 of kind PPK_PSK
Sep 5 16:03:24 host01 pluto[3789]: | 1: compared PSK 172.16.61.87 to 172.16.21.57 / 172.16.61.87 -> 2
Sep 5 16:03:24 host01 pluto[3789]: | 2: compared PSK 172.16.21.57 to 172.16.21.57 / 172.16.61.87 -> 6
Sep 5 16:03:24 host01 pluto[3789]: | best_match 0>6 best=0x80fe4f0 (line=1)
Sep 5 16:03:24 host01 pluto[3789]: | concluding with best_match=6 best=0x80fe4f0 (lineno=1)
Sep 5 16:03:24 host01 pluto[3789]: | ******parse ISAKMP Oakley attribute:
Sep 5 16:03:24 host01 pluto[3789]: | af+type: OAKLEY_LIFE_TYPE
Sep 5 16:03:24 host01 pluto[3789]: | length/value: 1
Sep 5 16:03:24 host01 pluto[3789]: | [1 is OAKLEY_LIFE_SECONDS]
Sep 5 16:03:24 host01 pluto[3789]: | ******parse ISAKMP Oakley attribute:
Sep 5 16:03:24 host01 pluto[3789]: | af+type: OAKLEY_LIFE_DURATION
Sep 5 16:03:24 host01 pluto[3789]: | length/value: 3600
Sep 5 16:03:24 host01 pluto[3789]: | Oakley Transform 1 accepted
Sep 5 16:03:24 host01 pluto[3789]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
Sep 5 16:03:24 host01 pluto[3789]: | asking helper 0 to do build_kenonce op on seq: 1
Sep 5 16:03:24 host01 pluto[3789]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
Sep 5 16:03:24 host01 pluto[3795]: ! helper -1 doing build_kenonce op id: 1
Sep 5 16:03:24 host01 pluto[3789]: | complete state transition with STF_SUSPEND
Sep 5 16:03:24 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 118 seconds
Sep 5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep 5 16:03:24 host01 pluto[3789]: | ICOOKIE: 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | RCOOKIE: 00 00 00 00 00 00 00 00
Sep 5 16:03:24 host01 pluto[3789]: | peer: cf 2f 0e 57
Sep 5 16:03:24 host01 pluto[3789]: | state hash entry 5
Sep 5 16:03:24 host01 pluto[3789]: | ICOOKIE: 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | RCOOKIE: 2a cf ac d9 ea 92 05 f6
Sep 5 16:03:24 host01 pluto[3789]: | peer: cf 2f 0e 57
Sep 5 16:03:24 host01 pluto[3789]: | state hash entry 8
Sep 5 16:03:24 host01 pluto[3789]: | complete state transition with STF_OK
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 5 16:03:24 host01 pluto[3789]: | sending reply packet to 172.16.61.87:500 (from port=500)
Sep 5 16:03:24 host01 pluto[3789]: | sending 180 bytes for STATE_MAIN_I1 through eth1:500 to 172.16.61.87:500:
Sep 5 16:03:24 host01 pluto[3789]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 5 16:03:24 host01 pluto[3789]: | modecfg pull: noquirk policy:push not-client
Sep 5 16:03:24 host01 pluto[3789]: | phase 1 is done, looking for phase 1 to unpend
Sep 5 16:03:24 host01 pluto[3789]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Sep 5 16:03:24 host01 pluto[3789]: |
Sep 5 16:03:24 host01 pluto[3789]: | *received 184 bytes from 172.16.61.87:500 on eth1 (port=500)
Sep 5 16:03:24 host01 pluto[3789]: | **parse ISAKMP Message:
Sep 5 16:03:24 host01 pluto[3789]: | initiator cookie:
Sep 5 16:03:24 host01 pluto[3789]: | 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | responder cookie:
Sep 5 16:03:24 host01 pluto[3789]: | 2a cf ac d9 ea 92 05 f6
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_KE
Sep 5 16:03:24 host01 pluto[3789]: | ISAKMP version: ISAKMP Version 1.0
Sep 5 16:03:24 host01 pluto[3789]: | exchange type: ISAKMP_XCHG_IDPROT
Sep 5 16:03:24 host01 pluto[3789]: | flags: none
Sep 5 16:03:24 host01 pluto[3789]: | message ID: 00 00 00 00
Sep 5 16:03:24 host01 pluto[3789]: | length: 184
Sep 5 16:03:24 host01 pluto[3789]: | processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Sep 5 16:03:24 host01 pluto[3789]: | ICOOKIE: 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | RCOOKIE: 2a cf ac d9 ea 92 05 f6
Sep 5 16:03:24 host01 pluto[3789]: | peer: cf 2f 0e 57
Sep 5 16:03:24 host01 pluto[3789]: | state hash entry 8
Sep 5 16:03:24 host01 pluto[3789]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
Sep 5 16:03:24 host01 pluto[3789]: | state object #1 found, in STATE_MAIN_I2
Sep 5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Key Exchange Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_NONCE
Sep 5 16:03:24 host01 pluto[3789]: | length: 132
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Nonce Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_NONE
Sep 5 16:03:24 host01 pluto[3789]: | length: 24
Sep 5 16:03:24 host01 pluto[3789]: | thinking about whether to send my certificate:
Sep 5 16:03:24 host01 pluto[3789]: | I have RSA key: OAKLEY_PRESHARED_KEY cert.type: CERT_NONE
Sep 5 16:03:24 host01 pluto[3789]: | sendcert: CERT_ALWAYSSEND and I did not get a certificate request
Sep 5 16:03:24 host01 pluto[3789]: | so do not send cert.
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #1: I did not send a certificate because I do not have one.
Sep 5 16:03:24 host01 pluto[3789]: | I am not sending a certificate request
Sep 5 16:03:24 host01 pluto[3789]: | started looking for secret for 172.16.21.57->172.16.61.87 of kind PPK_PSK
Sep 5 16:03:24 host01 pluto[3789]: | actually looking for secret for 172.16.21.57->172.16.61.87 of kind PPK_PSK
Sep 5 16:03:24 host01 pluto[3789]: | 1: compared PSK 172.16.61.87 to 172.16.21.57 / 172.16.61.87 -> 2
Sep 5 16:03:24 host01 pluto[3789]: | 2: compared PSK 172.16.21.57 to 172.16.21.57 / 172.16.61.87 -> 6
Sep 5 16:03:24 host01 pluto[3789]: | best_match 0>6 best=0x80fe4f0 (line=1)
Sep 5 16:03:24 host01 pluto[3789]: | concluding with best_match=6 best=0x80fe4f0 (lineno=1)
Sep 5 16:03:24 host01 pluto[3789]: | complete state transition with STF_OK
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 5 16:03:24 host01 pluto[3789]: | sending reply packet to 172.16.61.87:500 (from port=500)
Sep 5 16:03:24 host01 pluto[3789]: | sending 68 bytes for STATE_MAIN_I2 through eth1:500 to 172.16.61.87:500:
Sep 5 16:03:24 host01 pluto[3789]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 5 16:03:24 host01 pluto[3789]: | modecfg pull: noquirk policy:push not-client
Sep 5 16:03:24 host01 pluto[3789]: | phase 1 is done, looking for phase 1 to unpend
Sep 5 16:03:24 host01 pluto[3789]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Sep 5 16:03:24 host01 pluto[3789]: |
Sep 5 16:03:24 host01 pluto[3789]: | *received 68 bytes from 172.16.61.87:500 on eth1 (port=500)
Sep 5 16:03:24 host01 pluto[3789]: | **parse ISAKMP Message:
Sep 5 16:03:24 host01 pluto[3789]: | initiator cookie:
Sep 5 16:03:24 host01 pluto[3789]: | 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | responder cookie:
Sep 5 16:03:24 host01 pluto[3789]: | 2a cf ac d9 ea 92 05 f6
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_ID
Sep 5 16:03:24 host01 pluto[3789]: | ISAKMP version: ISAKMP Version 1.0
Sep 5 16:03:24 host01 pluto[3789]: | exchange type: ISAKMP_XCHG_IDPROT
Sep 5 16:03:24 host01 pluto[3789]: | flags: ISAKMP_FLAG_ENCRYPTION
Sep 5 16:03:24 host01 pluto[3789]: | message ID: 00 00 00 00
Sep 5 16:03:24 host01 pluto[3789]: | length: 68
Sep 5 16:03:24 host01 pluto[3789]: | processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Sep 5 16:03:24 host01 pluto[3789]: | ICOOKIE: 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | RCOOKIE: 2a cf ac d9 ea 92 05 f6
Sep 5 16:03:24 host01 pluto[3789]: | peer: cf 2f 0e 57
Sep 5 16:03:24 host01 pluto[3789]: | state hash entry 8
Sep 5 16:03:24 host01 pluto[3789]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
Sep 5 16:03:24 host01 pluto[3789]: | state object #1 found, in STATE_MAIN_I3
Sep 5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Identification Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_HASH
Sep 5 16:03:24 host01 pluto[3789]: | length: 12
Sep 5 16:03:24 host01 pluto[3789]: | ID type: ID_IPV4_ADDR
Sep 5 16:03:24 host01 pluto[3789]: | DOI specific A: 17
Sep 5 16:03:24 host01 pluto[3789]: | DOI specific B: 500
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Hash Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_NONE
Sep 5 16:03:24 host01 pluto[3789]: | length: 24
Sep 5 16:03:24 host01 pluto[3789]: | removing 4 bytes of padding
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #1: Main mode peer ID is ID_IPV4_ADDR: '172.16.61.87'
Sep 5 16:03:24 host01 pluto[3789]: | complete state transition with STF_OK
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 5 16:03:24 host01 pluto[3789]: | inserting event EVENT_SA_REPLACE, timeout in 2820 seconds for #1
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_c bc_192 prf=oakley_sha group=modp1024}
Sep 5 16:03:24 host01 pluto[3789]: | modecfg pull: noquirk policy:push not-client
Sep 5 16:03:24 host01 pluto[3789]: | phase 1 is done, looking for phase 1 to unpend
Sep 5 16:03:24 host01 pluto[3789]: | unqueuing pending Quick Mode with 172.16.61.87 "somedomain"
Sep 5 16:03:24 host01 pluto[3789]: | duplicating state object #1
Sep 5 16:03:24 host01 pluto[3789]: | creating state object #2 at 0x8100a60
Sep 5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep 5 16:03:24 host01 pluto[3789]: | ICOOKIE: 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | RCOOKIE: 2a cf ac d9 ea 92 05 f6
Sep 5 16:03:24 host01 pluto[3789]: | peer: cf 2f 0e 57
Sep 5 16:03:24 host01 pluto[3789]: | state hash entry 8
Sep 5 16:03:24 host01 pluto[3789]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
Sep 5 16:03:24 host01 pluto[3789]: "somedomain" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Sep 5 16:03:24 host01 pluto[3789]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
Sep 5 16:03:24 host01 pluto[3789]: | asking helper 0 to do build_kenonce op on seq: 2
Sep 5 16:03:24 host01 pluto[3789]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2
Sep 5 16:03:24 host01 pluto[3795]: ! helper -1 doing build_kenonce op id: 2
Sep 5 16:03:24 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 118 seconds
Sep 5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep 5 16:03:24 host01 pluto[3789]: | empty esp_info, returning empty
Sep 5 16:03:24 host01 pluto[3789]: | sending 372 bytes for quick_outI1 through eth1:500 to 172.16.61.87:500:
Sep 5 16:03:24 host01 pluto[3789]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
Sep 5 16:03:24 host01 pluto[3789]: | next event EVENT_RETRANSMIT in 10 seconds for #2
Sep 5 16:03:24 host01 pluto[3789]: |
Sep 5 16:03:24 host01 pluto[3789]: | *received 332 bytes from 172.16.61.87:500 on eth1 (port=500)
Sep 5 16:03:24 host01 pluto[3789]: | **parse ISAKMP Message:
Sep 5 16:03:24 host01 pluto[3789]: | initiator cookie:
Sep 5 16:03:24 host01 pluto[3789]: | 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | responder cookie:
Sep 5 16:03:24 host01 pluto[3789]: | 2a cf ac d9 ea 92 05 f6
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_HASH
Sep 5 16:03:24 host01 pluto[3789]: | ISAKMP version: ISAKMP Version 1.0
Sep 5 16:03:24 host01 pluto[3789]: | exchange type: ISAKMP_XCHG_QUICK
Sep 5 16:03:24 host01 pluto[3789]: | flags: ISAKMP_FLAG_ENCRYPTION
Sep 5 16:03:24 host01 pluto[3789]: | message ID: 7b 13 8d f1
Sep 5 16:03:24 host01 pluto[3789]: | length: 332
Sep 5 16:03:24 host01 pluto[3789]: | processing packet with exchange type=ISAKMP_XCHG_QUICK (32)
Sep 5 16:03:24 host01 pluto[3789]: | ICOOKIE: 33 9b 73 e1 e8 94 eb af
Sep 5 16:03:24 host01 pluto[3789]: | RCOOKIE: 2a cf ac d9 ea 92 05 f6
Sep 5 16:03:24 host01 pluto[3789]: | peer: cf 2f 0e 57
Sep 5 16:03:24 host01 pluto[3789]: | state hash entry 8
Sep 5 16:03:24 host01 pluto[3789]: | peer and cookies match on #2, provided msgid 7b138df1 vs 7b138df1
Sep 5 16:03:24 host01 pluto[3789]: | state object #2 found, in STATE_QUICK_I1
Sep 5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Hash Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_SA
Sep 5 16:03:24 host01 pluto[3789]: | length: 24
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Security Association Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_NONCE
Sep 5 16:03:24 host01 pluto[3789]: | length: 56
Sep 5 16:03:24 host01 pluto[3789]: | DOI: ISAKMP_DOI_IPSEC
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Nonce Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_KE
Sep 5 16:03:24 host01 pluto[3789]: | length: 24
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Key Exchange Payload:
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_ID
Sep 5 16:03:24 host01 pluto[3789]: | length: 132
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Identification Payload (IPsec DOI):
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_ID
Sep 5 16:03:24 host01 pluto[3789]: | length: 16
Sep 5 16:03:24 host01 pluto[3789]: | ID type: ID_IPV4_ADDR_SUBNET
Sep 5 16:03:24 host01 pluto[3789]: | Protocol ID: 0
Sep 5 16:03:24 host01 pluto[3789]: | port: 0
Sep 5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Identification Payload (IPsec DOI):
Sep 5 16:03:24 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_N
Sep 5 16:03:25 host01 pluto[3789]: | length: 16
Sep 5 16:03:25 host01 pluto[3789]: | ID type: ID_IPV4_ADDR_SUBNET
Sep 5 16:03:25 host01 pluto[3789]: | Protocol ID: 0
Sep 5 16:03:25 host01 pluto[3789]: | port: 0
Sep 5 16:03:25 host01 pluto[3789]: | ***parse ISAKMP Notification Payload:
Sep 5 16:03:25 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_NONE
Sep 5 16:03:25 host01 pluto[3789]: | length: 28
Sep 5 16:03:25 host01 pluto[3789]: | DOI: ISAKMP_DOI_IPSEC
Sep 5 16:03:25 host01 pluto[3789]: | protocol ID: 3
Sep 5 16:03:25 host01 pluto[3789]: | SPI size: 4
Sep 5 16:03:25 host01 pluto[3789]: | Notify Message Type: IPSEC_RESPONDER_LIFETIME
Sep 5 16:03:25 host01 pluto[3789]: | removing 8 bytes of padding
Sep 5 16:03:25 host01 pluto[3789]: "somedomain" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Sep 5 16:03:25 host01 pluto[3789]: | info: 0c 6d f0 33 80 01 00 01 00 02 00 04 00 00 0e 10
Sep 5 16:03:25 host01 pluto[3789]: | ****parse IPsec DOI SIT:
Sep 5 16:03:25 host01 pluto[3789]: | IPsec DOI SIT: SIT_IDENTITY_ONLY
Sep 5 16:03:25 host01 pluto[3789]: | ****parse ISAKMP Proposal Payload:
Sep 5 16:03:25 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_NONE
Sep 5 16:03:25 host01 pluto[3789]: | length: 44
Sep 5 16:03:25 host01 pluto[3789]: | proposal number: 1
Sep 5 16:03:25 host01 pluto[3789]: | protocol ID: PROTO_IPSEC_ESP
Sep 5 16:03:25 host01 pluto[3789]: | SPI size: 4
Sep 5 16:03:25 host01 pluto[3789]: | number of transforms: 1
Sep 5 16:03:25 host01 pluto[3789]: | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
Sep 5 16:03:25 host01 pluto[3789]: | SPI 0c 6d f0 33
Sep 5 16:03:25 host01 pluto[3789]: | *****parse ISAKMP Transform Payload (ESP):
Sep 5 16:03:25 host01 pluto[3789]: | next payload type: ISAKMP_NEXT_NONE
Sep 5 16:03:25 host01 pluto[3789]: | length: 32
Sep 5 16:03:25 host01 pluto[3789]: | transform number: 1
Sep 5 16:03:25 host01 pluto[3789]: | transform ID: ESP_3DES
Sep 5 16:03:25 host01 pluto[3789]: | ******parse ISAKMP IPsec DOI attribute:
Sep 5 16:03:25 host01 pluto[3789]: | af+type: SA_LIFE_TYPE
Sep 5 16:03:25 host01 pluto[3789]: | length/value: 1
Sep 5 16:03:25 host01 pluto[3789]: | [1 is SA_LIFE_TYPE_SECONDS]
Sep 5 16:03:25 host01 pluto[3789]: | ******parse ISAKMP IPsec DOI attribute:
Sep 5 16:03:25 host01 pluto[3789]: | af+type: SA_LIFE_DURATION (variable length)
Sep 5 16:03:25 host01 pluto[3789]: | length/value: 4
Sep 5 16:03:25 host01 pluto[3789]: | long duration: 28800
Sep 5 16:03:25 host01 pluto[3789]: | ******parse ISAKMP IPsec DOI attribute:
Sep 5 16:03:25 host01 pluto[3789]: | af+type: ENCAPSULATION_MODE
Sep 5 16:03:25 host01 pluto[3789]: | length/value: 1
Sep 5 16:03:25 host01 pluto[3789]: | [1 is ENCAPSULATION_MODE_TUNNEL]
Sep 5 16:03:25 host01 pluto[3789]: | ******parse ISAKMP IPsec DOI attribute:
Sep 5 16:03:25 host01 pluto[3789]: | af+type: AUTH_ALGORITHM
Sep 5 16:03:25 host01 pluto[3789]: | length/value: 2
Sep 5 16:03:25 host01 pluto[3789]: | [2 is AUTH_ALGORITHM_HMAC_SHA1]
Sep 5 16:03:25 host01 pluto[3789]: | ******parse ISAKMP IPsec DOI attribute:
Sep 5 16:03:25 host01 pluto[3789]: | af+type: GROUP_DESCRIPTION
Sep 5 16:03:25 host01 pluto[3789]: | length/value: 2
Sep 5 16:03:25 host01 pluto[3789]: | [2 is OAKLEY_GROUP_MODP1024]
Sep 5 16:03:25 host01 pluto[3789]: | started looking for secret for 172.16.21.57->172.16.61.87 of kind PPK_PSK
Sep 5 16:03:25 host01 pluto[3789]: | actually looking for secret for 172.16.21.57->172.16.61.87 of kind PPK_PSK
Sep 5 16:03:25 host01 pluto[3789]: | 1: compared PSK 172.16.61.87 to 172.16.21.57 / 172.16.61.87 -> 2
Sep 5 16:03:25 host01 pluto[3789]: | 2: compared PSK 172.16.21.57 to 172.16.21.57 / 172.16.61.87 -> 6
Sep 5 16:03:25 host01 pluto[3789]: | best_match 0>6 best=0x80fe4f0 (line=1)
Sep 5 16:03:25 host01 pluto[3789]: | concluding with best_match=6 best=0x80fe4f0 (lineno=1)
Sep 5 16:03:25 host01 pluto[3789]: | our client is subnet 10.102.0.0/16
Sep 5 16:03:25 host01 pluto[3789]: | our client protocol/port is 0/0
Sep 5 16:03:25 host01 pluto[3789]: | peer client is subnet 192.168.0.0/16
Sep 5 16:03:25 host01 pluto[3789]: | peer client protocol/port is 0/0
Sep 5 16:03:25 host01 pluto[3789]: | compute_proto_keymat:needed_len (after ESP enc)=24
Sep 5 16:03:25 host01 pluto[3789]: | compute_proto_keymat:needed_len (after ESP auth)=44
Sep 5 16:03:25 host01 pluto[3789]: | install_ipsec_sa() for #2: inbound and outbound
Sep 5 16:03:25 host01 pluto[3789]: | route owner of "somedomain" prospective erouted: self; eroute owner: self
Sep 5 16:03:25 host01 pluto[3789]: | could_route called for somedomain (kind=CK_PERMANENT)
Sep 5 16:03:25 host01 pluto[3789]: | add inbound eroute 192.168.0.0/16:0 --0-> 10.102.0.0/16:0 => tun.10000 at 172.16.21.57 (raw_eroute)
Sep 5 16:03:25 host01 pluto[3789]: | sr for #2: prospective erouted
Sep 5 16:03:25 host01 pluto[3789]: | route owner of "somedomain" prospective erouted: self; eroute owner: self
Sep 5 16:03:25 host01 pluto[3789]: | eroute_connection replace eroute 10.102.0.0/16:0 --0-> 192.168.0.0/16:0 => tun.0 at 172.16.61.87 (raw_ eroute)
Sep 5 16:03:25 host01 pluto[3789]: | command executing up-client
Sep 5 16:03:25 host01 pluto[3789]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='somedomain' PLUTO_NEXT_HOP='172.16.21.1' PLUTO_INTERFACE='eth1' PLUTO_ME='172.16.21.57' PLUTO_MY_ID='172.16.21.57' PLUTO_MY_CLIENT='10.102.0.0/16' PLUTO_MY_CLIENT_NET='10.102.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='172.16.61.87' PL UTO_PEER_ID='172.16.61.87' PLUTO_PEER_CLIENT='192.168.0.0/16' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.255.0.0' PL UTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP' ipsec _updown
Sep 5 16:03:25 host01 pluto[3789]: | route_and_eroute: firewall_notified: true
Sep 5 16:03:25 host01 pluto[3789]: | route_and_eroute: instance "somedomain", setting eroute_owner {spd=0x80fde44,sr=0x80fde44} to #2 (w as #0) (newest_ipsec_sa=#0)
Sep 5 16:03:25 host01 pluto[3789]: | complete state transition with STF_OK
Sep 5 16:03:25 host01 pluto[3789]: "somedomain" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 5 16:03:25 host01 pluto[3789]: | sending reply packet to 172.16.61.87:500 (from port=500)
Sep 5 16:03:25 host01 pluto[3789]: | sending 52 bytes for STATE_QUICK_I1 through eth1:500 to 172.16.61.87:500:
Sep 5 16:03:25 host01 pluto[3789]: | inserting event EVENT_SA_REPLACE, timeout in 27911 seconds for #2
Sep 5 16:03:25 host01 pluto[3789]: "somedomain" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0c6df033 <0x1b9a4a3d xfrm=3DE S_0-HMAC_SHA1 NATD=none DPD=none}
Sep 5 16:03:25 host01 pluto[3789]: | modecfg pull: noquirk policy:push not-client
Sep 5 16:03:25 host01 pluto[3789]: | phase 1 is done, looking for phase 1 to unpend
Sep 5 16:03:25 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 117 seconds
Sep 5 16:05:22 host01 pluto[3789]: |
Sep 5 16:05:22 host01 pluto[3789]: | *time to handle event
Sep 5 16:05:22 host01 pluto[3789]: | handling event EVENT_PENDING_PHASE2
Sep 5 16:05:22 host01 pluto[3789]: | event after this is EVENT_SA_REPLACE in 2702 seconds
Sep 5 16:05:22 host01 pluto[3789]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
Sep 5 16:05:22 host01 pluto[3789]: | pending review: connection "somedomain" checked
Sep 5 16:05:22 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 120 seconds
Sep 5 16:05:24 host01 pluto[3789]: |
Sep 5 16:05:24 host01 pluto[3789]: | *received whack message
Sep 5 16:05:24 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 118 seconds
Sep 5 16:05:25 host01 pluto[3789]: |
Sep 5 16:05:25 host01 pluto[3789]: | *received whack message
Sep 5 16:05:25 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 117 seconds
Sep 5 16:05:26 host01 pluto[3789]: |
Sep 5 16:05:26 host01 pluto[3789]: | *received whack message
Sep 5 16:05:26 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 116 seconds
Sep 5 16:07:22 host01 pluto[3789]: |
Sep 5 16:07:22 host01 pluto[3789]: | *time to handle event
Sep 5 16:07:22 host01 pluto[3789]: | handling event EVENT_PENDING_PHASE2
Sep 5 16:07:22 host01 pluto[3789]: | event after this is EVENT_SA_REPLACE in 2582 seconds
Sep 5 16:07:22 host01 pluto[3789]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
Sep 5 16:07:22 host01 pluto[3789]: | pending review: connection "somedomain" checked
Sep 5 16:07:22 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 120 seconds
Sep 5 16:07:24 host01 pluto[3789]: |
Sep 5 16:07:24 host01 pluto[3789]: | *received whack message
Sep 5 16:07:24 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 118 seconds
Sep 5 16:07:25 host01 pluto[3789]: |
Sep 5 16:07:25 host01 pluto[3789]: | *received whack message
Sep 5 16:07:25 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 117 seconds
Sep 5 16:07:26 host01 pluto[3789]: |
Sep 5 16:07:26 host01 pluto[3789]: | *received whack message
Sep 5 16:07:26 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 116 seconds
+ _________________________ date
+
+ date
Wed Sep 5 16:07:28 EDT 2007
root at host01:~#
More information about the Users
mailing list