[Openswan Users] SA Established but traffic not flowing

Big Wave Dave bigwavedave at gmail.com
Wed Sep 5 16:22:13 EDT 2007


I am unable to get my openswan setup completely working.  I am able to
get the "SA" established, but no traffic flows between the two sites.
I am attempting to connect an OpenSwan Ubuntu box to a Juniper
(Netscreen) SSG-140.  I spent several hours on the phone with Juniper
this morning, who assured me that side is set up correctly.  I haven't
used openswan since the 2.4 kernel days, and it appears things have
changed with regard to the tunnel interfaces.

Since the SA is established, I have high hopes that I am close to
success.  The intent is that this will be a net-to-net config.  The
OpenSwan side is a linux firewall/router for a network
(10.102.0.0/16). The Juniper side is 192.168.0.0/16.  Unfortunately I
am unable to ping between the two networks.  The Linux side adds a
route when ipsec is started, pointing 192.168.0.0/16 to the default
external gateway of the box.

I have attached my ipsec.conf as well as output from "ipsec barf".
Hopefully the list will allow the attachments through.

Please let me know if more information is necessary.
Thanks for any help!
Dave
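As an added example (not part of Dave's post, and not Openswan's own tooling), here is a small Python checker for exactly this "SA up, no traffic" situation on a NETKEY host. It parses the `ip xfrm state` and `ip xfrm policy` sections of a barf like the one attached below, verifies that every tunnel policy template has a matching SA, and tells you whether a given test flow actually falls inside the outbound selector. The embedded sample input is copied from the attached barf (keys omitted); the function names are this example's own.

```python
"""Cross-check NETKEY (ip xfrm) policy against state for an IPsec tunnel.

Two things that an established IKE SA does not prove:
  1. the kernel SPD entry (ip xfrm policy) points at an SA that exists
     in the SAD (ip xfrm state), and
  2. the traffic you are testing with is inside the policy selector.
A ping issued on the gateway itself without -I <inside address> is
sourced from the external interface and matches no tunnel policy, so it
goes out in the clear even though the tunnel is fine.
"""
import ipaddress
import re

# Sample `ip xfrm state` output, copied from the barf below (keys omitted).
XFRM_STATE = """\
src 172.16.21.57 dst 172.16.61.87
        proto esp spi 0x0c6df033 reqid 16385 mode tunnel
        replay-window 32
src 172.16.61.87 dst 172.16.21.57
        proto esp spi 0x1b9a4a3d reqid 16385 mode tunnel
        replay-window 32
"""

# Sample `ip xfrm policy` output, copied from the barf below (trimmed).
XFRM_POLICY = """\
src 192.168.0.0/16 dst 10.102.0.0/16
        dir in priority 2608
        tmpl src 172.16.61.87 dst 172.16.21.57
                proto esp reqid 16385 mode tunnel
src 10.102.0.0/16 dst 192.168.0.0/16
        dir out priority 2608
        tmpl src 172.16.21.57 dst 172.16.61.87
                proto esp reqid 16385 mode tunnel
src 192.168.0.0/16 dst 10.102.0.0/16
        dir fwd priority 2608
        tmpl src 172.16.61.87 dst 172.16.21.57
                proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 0
"""

STATE_RE = re.compile(r"src (\S+) dst (\S+)\n\s+proto esp spi (0x[0-9a-f]+) reqid (\d+)")
POLICY_RE = re.compile(r"src (\S+) dst (\S+)\n\s+dir (\w+) priority (\d+)")
TMPL_RE = re.compile(r"tmpl src (\S+) dst (\S+)\n\s+proto esp reqid (\d+)")


def parse_states(text):
    """Return one dict per ESP SA: outer src/dst, SPI and reqid."""
    return [{"src": m[1], "dst": m[2], "spi": m[3], "reqid": int(m[4])}
            for m in STATE_RE.finditer(text)]


def parse_policies(text):
    """Return one dict per SPD entry; 'tmpl' is None for the catch-all rules."""
    policies = []
    for block in re.split(r"\n(?=src )", text.strip()):
        head = POLICY_RE.match(block)
        if not head:
            continue
        pol = {"src": head[1], "dst": head[2], "dir": head[3],
               "priority": int(head[4]), "tmpl": None}
        tmpl = TMPL_RE.search(block)
        if tmpl:
            pol["tmpl"] = {"src": tmpl[1], "dst": tmpl[2], "reqid": int(tmpl[3])}
        policies.append(pol)
    return policies


def check_tunnel(policies, states, test_src=None, test_dst=None):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    tunnel = [p for p in policies if p["tmpl"]]
    if not tunnel:
        findings.append("no tunnel-mode policy installed (pluto did not add the SPD entry)")
    # 1. every policy template must be backed by an SA with the same
    #    outer addresses and reqid, otherwise packets are dropped or queued.
    for p in tunnel:
        t = p["tmpl"]
        if not any(s["src"] == t["src"] and s["dst"] == t["dst"]
                   and s["reqid"] == t["reqid"] for s in states):
            findings.append(f"policy {p['dir']} {p['src']}->{p['dst']}: no SA for "
                            f"template {t['src']}->{t['dst']} reqid {t['reqid']}")
    # 2. the test flow must sit inside the outbound selector, or it is
    #    routed in the clear via the plain kernel route.
    if test_src and test_dst:
        s, d = ipaddress.ip_address(test_src), ipaddress.ip_address(test_dst)
        covered = any(p["dir"] == "out" and s in ipaddress.ip_network(p["src"])
                      and d in ipaddress.ip_network(p["dst"]) for p in tunnel)
        if not covered:
            findings.append(f"{test_src}->{test_dst} matches no outbound tunnel "
                            f"policy; it leaves in the clear")
    return findings


if __name__ == "__main__":
    pols, sas = parse_policies(XFRM_POLICY), parse_states(XFRM_STATE)
    # A host behind eth0 pinging the far subnet: selector matches.
    print(check_tunnel(pols, sas, "10.102.0.1", "192.168.1.1"))
    # The gateway pinging with its external address as source: not covered.
    print(check_tunnel(pols, sas, "172.16.21.57", "192.168.1.1"))
```

On a live host, feed `ip xfrm policy` and `ip xfrm state` output into the two parsers, and test with `ping -I <inside address>` so the source falls inside leftsubnet.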
-------------- next part --------------
config setup
        plutodebug="control parsing"

conn datadomain
        type=tunnel
        authby=secret
        left=172.16.21.57
        leftsubnet=10.102.0.0/16
        leftnexthop=%defaultroute
        right=172.16.61.87
        rightsubnet=192.168.0.0/16
        rightnexthop=172.16.61.81
        #rightnexthop=%defaultroute
        auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
-------------- next part --------------
root at host01:~# ipsec barf
host01
Wed Sep  5 16:07:24 EDT 2007
+ _________________________ version
+
+ ipsec --version
Linux Openswan U2.4.5/K2.6.17-11-server (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+
+ cat /proc/version
Linux version 2.6.17-11-server (root at terranova) (gcc version 4.1.2 20060928 (prerelease) (Ubuntu 4.1.1-13ubuntu5)) #2 SMP Thu Feb 1 19:53:33 UTC 2007 (Ubuntu 2.6.17-11.35-server)
+ _________________________ /proc/net/ipsec_eroute
+
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.21.0    0.0.0.0         255.255.255.128 U         0 0          0 eth1
10.102.0.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.0.0     172.16.21.1    255.255.0.0     UG        0 0          0 eth1
0.0.0.0         172.16.21.1    0.0.0.0         UG        0 0          0 eth1
+ _________________________ /proc/net/ipsec_spi
+
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk       RefCnt Rmem   Wmem   User   Inode
+ _________________________ ip-xfrm-state
+
+ ip xfrm state
src 172.16.21.57 dst 172.16.61.87
        proto esp spi 0x0c6df033 reqid 16385 mode tunnel
        replay-window 32
        auth sha1 0x946e14385d3cc8b1324bd94cd03313da94a3a385
        enc des3_ede 0xa05cd575abcb2e05bc923be80fe968658eeb089aa8ef4f0e
src 172.16.61.87 dst 172.16.21.57
        proto esp spi 0x1b9a4a3d reqid 16385 mode tunnel
        replay-window 32
        auth sha1 0xbd0cfa6ca8e2d2798bedb254d4500ed09a53359a
        enc des3_ede 0x973b1608ae13d74bf5df60c946828e4055ed98a0bde2fac0
+ _________________________ ip-xfrm-policy
+
+ ip xfrm policy
src 192.168.0.0/16 dst 10.102.0.0/16
        dir in priority 2608
        tmpl src 172.16.61.87 dst 172.16.21.57
                proto esp reqid 16385 mode tunnel
src 10.102.0.0/16 dst 192.168.0.0/16
        dir out priority 2608
        tmpl src 172.16.21.57 dst 172.16.61.87
                proto esp reqid 16385 mode tunnel
src 192.168.0.0/16 dst 10.102.0.0/16
        dir fwd priority 2608
        tmpl src 172.16.61.87 dst 172.16.21.57
                proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
        dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 0
src ::/0 dst ::/0
        dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 0
+ _________________________ /proc/sys/net/ipsec-star
+
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.102.0.1
000 interface eth1/eth1 172.16.21.57
000 %myid = (none)
000 debug parsing+control
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "somedomain": 10.102.0.0/16===172.16.21.57---172.16.21.1...172.16.61.81---172.16.61.87===192.168.0.0/16; erouted; eroute owner: #2
000 "somedomain":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "somedomain":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "somedomain":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 16,16; interface: eth1;
000 "somedomain":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "somedomain":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000
000 #2: "somedomain":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27672s; newest IPSEC; eroute owner
000 #2: "somedomain" esp.c6df033 at 172.16.61.87 esp.1b9a4a3d at 172.16.21.57 tun.0 at 172.16.61.87 tun.0 at 172.16.21.57
000 #1: "somedomain":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2580s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
+ _________________________ ifconfig-a
+
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:40:05:37:2C:7C
          inet addr:10.102.0.1  Bcast:10.102.0.255  Mask:255.255.255.0
          inet6 addr: fe80::240:5ff:fe37:2c7c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12971779 errors:1 dropped:0 overruns:0 frame:0
          TX packets:19599253 errors:3 dropped:0 overruns:3 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1752551328 (1.6 GiB)  TX bytes:2596161026 (2.4 GiB)
          Interrupt:153 Base address:0xa400

eth1      Link encap:Ethernet  HWaddr 00:04:5A:41:F3:A3
          inet addr:172.16.21.57  Bcast:172.16.21.127  Mask:255.255.255.128
          inet6 addr: fe80::204:5aff:fe41:f3a3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:37256875 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12229753 errors:2 dropped:0 overruns:0 carrier:4
          collisions:85618 txqueuelen:1000
          RX bytes:3735950653 (3.4 GiB)  TX bytes:1243354906 (1.1 GiB)
          Interrupt:145 Base address:0xa800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:169042 errors:0 dropped:0 overruns:0 frame:0
          TX packets:169042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:26070572 (24.8 MiB)  TX bytes:26070572 (24.8 MiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

+ _________________________ ip-addr-list
+
+ ip addr list
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
88: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:05:37:2c:7c brd ff:ff:ff:ff:ff:ff
    inet 10.102.0.1/24 brd 10.102.0.255 scope global eth0
    inet6 fe80::240:5ff:fe37:2c7c/64 scope link
       valid_lft forever preferred_lft forever
89: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:5a:41:f3:a3 brd ff:ff:ff:ff:ff:ff
    inet 172.16.21.57/25 brd 172.16.21.127 scope global eth1
    inet6 fe80::204:5aff:fe41:f3a3/64 scope link
       valid_lft forever preferred_lft forever
+ _________________________ ip-route-list
+
+ ip route list
172.16.21.0/25 dev eth1  proto kernel  scope link  src 172.16.21.57
10.102.0.0/24 dev eth0  proto kernel  scope link  src 10.102.0.1
192.168.0.0/16 via 172.16.21.1 dev eth1
default via 172.16.21.1 dev eth1
+ _________________________ ip-rule-list
+
+ ip rule list
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
+ _________________________ ipsec_verify
+
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.5/K2.6.17-11-server (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
+ _________________________ mii-tool
+
+ [ -x /sbin/mii-tool ]
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
  product info: National DP83840A rev 1
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
eth1: negotiated 100baseTx-HD, link ok
  product info: vendor 00:08:95, model 1 rev 0
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  link partner: 100baseTx-HD 10baseT-HD
+ _________________________ ipsec/directory
+
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+
+ hostname --fqdn
host01.princeton.somedomain.com
+ _________________________ hostname/ipaddress
+
+ hostname --ip-address
10.102.0.1
+ _________________________ uptime
+
+ uptime
 16:07:26 up 20 days, 55 min,  4 users,  load average: 0.55, 0.34, 0.22
+ _________________________ ps
+
+ ps alxwf
+ egrep -i ppid|pluto|ipsec|klips
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
0     0  4060  2897  18   0   1656   492 wait   S+   pts/0      0:00                      \_ /bin/sh /usr/lib/ipsec/barf
1     0  4137  4060  22   0   1656   300 -      R+   pts/0      0:00                          \_ /bin/sh /usr/lib/ipsec/barf
1     0  3785     1  25   0   2464   448 wait   S    pts/0      0:00 /bin/bash /usr/lib/ipsec/_plutorun --debug control parsing --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_traversal  --keep_alive  --protostack auto --force_keepalive  --disable_port_floating  --virtual_private  --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
1     0  3786  3785  25   0   2464   628 wait   S    pts/0      0:00  \_ /bin/bash /usr/lib/ipsec/_plutorun --debug control parsing --uniqueids yes --nocrsend  --strictcrlpolicy  --nat_traversal  --keep_alive  --protostack auto --force_keepalive  --disable_port_floating  --virtual_private  --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --pid /var/run/pluto/pluto.pid
4     0  3789  3786  15   0   7096  2328 -      S    pts/0      0:00  |   \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-control --debug-parsing --use-auto --uniqueids
1     0  3795  3789  26  10   7036  1004 -      SN   pts/0      0:00  |       \_ pluto helper  #  0    -nofork
0     0  3859  3789  19   0   1528   304 -      S    pts/0      0:00  |       \_ _pluto_adns
0     0  3787  3785  19   0   1660   488 pipe_w S    pts/0      0:00  \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0     0  3788     1  16   0   1584   520 pipe_w S    pts/0      0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+
+ ipsec showdefaults
routephys=eth1
routevirt=ipsec0
routeaddr=172.16.21.57
routenexthop=172.16.21.1
+ _________________________ ipsec/conf
+
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        plutodebug="control parsing"
        #plutodebug="all"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12

# Add connections here

# sample VPN connection
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=start

conn somedomain
        type=tunnel
        authby=secret
        left=172.16.21.57
        leftsubnet=10.102.0.0/16
        leftnexthop=%defaultroute
        right=172.16.61.87
        rightsubnet=192.168.0.0/16
        rightnexthop=172.16.61.81
        #rightnexthop=%defaultroute
        auto=start

#Disable Opportunistic Encryption

#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

#> /etc/ipsec.conf 55
+ _________________________ ipsec/secrets
+
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
172.16.21.57 172.16.61.87 : PSK "[sums to c9f7...]"
+ _________________________ ipsec/listall
+
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ [ /etc/ipsec.d/policies ]
+ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#

+ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption.  This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications.  If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#

0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+
+ ls -l /usr/lib/ipsec
total 1388
-rwxr-xr-x 1 root root  15859 Jul 10  2006 _confread
-rwxr-xr-x 1 root root   4236 Jul 10  2006 _copyright
-rwxr-xr-x 1 root root   2379 Jul 10  2006 _include
-rwxr-xr-x 1 root root   1475 Jul 10  2006 _keycensor
-rwxr-xr-x 1 root root   7980 Jul 10  2006 _pluto_adns
-rwxr-xr-x 1 root root   3586 Jul 10  2006 _plutoload
-rwxr-xr-x 1 root root   7059 Jul 10  2006 _plutorun
-rwxr-xr-x 1 root root  12275 Jul 10  2006 _realsetup
-rwxr-xr-x 1 root root   1975 Jul 10  2006 _secretcensor
-rwxr-xr-x 1 root root   9952 Jul 10  2006 _startklips
-rwxr-xr-x 1 root root  13912 Jul 10  2006 _updown
-rwxr-xr-x 1 root root  15740 Jul 10  2006 _updown_x509
-rwxr-xr-x 1 root root  18891 Jul 10  2006 auto
-rwxr-xr-x 1 root root  11331 Jul 10  2006 barf
-rwxr-xr-x 1 root root    816 Jul 10  2006 calcgoo
-rwxr-xr-x 1 root root  77544 Jul 10  2006 eroute
-rwxr-xr-x 1 root root  17428 Jul 10  2006 ikeping
-rwxr-xr-x 1 root root   1942 Jul 10  2006 ipsec_pr.template
-rwxr-xr-x 1 root root  60732 Jul 10  2006 klipsdebug
-rwxr-xr-x 1 root root   1836 Jul 10  2006 livetest
-rwxr-xr-x 1 root root   2605 Jul 10  2006 look
-rwxr-xr-x 1 root root   7147 Jul 10  2006 mailkey
-rwxr-xr-x 1 root root  16015 Jul 10  2006 manual
-rwxr-xr-x 1 root root   1926 Jul 10  2006 newhostkey
-rwxr-xr-x 1 root root  51872 Jul 10  2006 pf_key
-rwxr-xr-x 1 root root 652872 Jul 10  2006 pluto
-rwxr-xr-x 1 root root   6264 Jul 10  2006 ranbits
-rwxr-xr-x 1 root root  18588 Jul 10  2006 rsasigkey
-rwxr-xr-x 1 root root    766 Jul 10  2006 secrets
-rwxr-xr-x 1 root root  17624 Jul 10  2006 send-pr
lrwxrwxrwx 1 root root     17 Aug 29 21:53 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root   1054 Jul 10  2006 showdefaults
-rwxr-xr-x 1 root root   4748 Jul 10  2006 showhostkey
-rwxr-xr-x 1 root root 118228 Jul 10  2006 spi
-rwxr-xr-x 1 root root  65540 Jul 10  2006 spigrp
-rwxr-xr-x 1 root root  10372 Jul 10  2006 tncfg
-rwxr-xr-x 1 root root  11623 Jul 10  2006 verify
-rwxr-xr-x 1 root root  51188 Jul 10  2006 whack
+ _________________________ ipsec/ls-execdir
+
+ ls -l /usr/lib/ipsec
total 1388
-rwxr-xr-x 1 root root  15859 Jul 10  2006 _confread
-rwxr-xr-x 1 root root   4236 Jul 10  2006 _copyright
-rwxr-xr-x 1 root root   2379 Jul 10  2006 _include
-rwxr-xr-x 1 root root   1475 Jul 10  2006 _keycensor
-rwxr-xr-x 1 root root   7980 Jul 10  2006 _pluto_adns
-rwxr-xr-x 1 root root   3586 Jul 10  2006 _plutoload
-rwxr-xr-x 1 root root   7059 Jul 10  2006 _plutorun
-rwxr-xr-x 1 root root  12275 Jul 10  2006 _realsetup
-rwxr-xr-x 1 root root   1975 Jul 10  2006 _secretcensor
-rwxr-xr-x 1 root root   9952 Jul 10  2006 _startklips
-rwxr-xr-x 1 root root  13912 Jul 10  2006 _updown
-rwxr-xr-x 1 root root  15740 Jul 10  2006 _updown_x509
-rwxr-xr-x 1 root root  18891 Jul 10  2006 auto
-rwxr-xr-x 1 root root  11331 Jul 10  2006 barf
-rwxr-xr-x 1 root root    816 Jul 10  2006 calcgoo
-rwxr-xr-x 1 root root  77544 Jul 10  2006 eroute
-rwxr-xr-x 1 root root  17428 Jul 10  2006 ikeping
-rwxr-xr-x 1 root root   1942 Jul 10  2006 ipsec_pr.template
-rwxr-xr-x 1 root root  60732 Jul 10  2006 klipsdebug
-rwxr-xr-x 1 root root   1836 Jul 10  2006 livetest
-rwxr-xr-x 1 root root   2605 Jul 10  2006 look
-rwxr-xr-x 1 root root   7147 Jul 10  2006 mailkey
-rwxr-xr-x 1 root root  16015 Jul 10  2006 manual
-rwxr-xr-x 1 root root   1926 Jul 10  2006 newhostkey
-rwxr-xr-x 1 root root  51872 Jul 10  2006 pf_key
-rwxr-xr-x 1 root root 652872 Jul 10  2006 pluto
-rwxr-xr-x 1 root root   6264 Jul 10  2006 ranbits
-rwxr-xr-x 1 root root  18588 Jul 10  2006 rsasigkey
-rwxr-xr-x 1 root root    766 Jul 10  2006 secrets
-rwxr-xr-x 1 root root  17624 Jul 10  2006 send-pr
lrwxrwxrwx 1 root root     17 Aug 29 21:53 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root   1054 Jul 10  2006 showdefaults
-rwxr-xr-x 1 root root   4748 Jul 10  2006 showhostkey
-rwxr-xr-x 1 root root 118228 Jul 10  2006 spi
-rwxr-xr-x 1 root root  65540 Jul 10  2006 spigrp
-rwxr-xr-x 1 root root  10372 Jul 10  2006 tncfg
-rwxr-xr-x 1 root root  11623 Jul 10  2006 verify
-rwxr-xr-x 1 root root  51188 Jul 10  2006 whack
+ _________________________ ipsec/updowns
+
+ ls /usr/lib/ipsec
+ egrep updown
+ cat /usr/lib/ipsec/_updown
#! /bin/sh
# iproute2 version, default updown script
#
# Copyright (C) 2003-2004 Nigel Metheringham
# Copyright (C) 2002-2004 Michael Richardson <mcr at xelerance.com>
# Copyright (C) 2003-2005 Tuomo Soini <tis at foobar.fi>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown.in,v 1.21.2.11 2006/02/20 22:57:28 paul Exp $



# CAUTION:  Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.

LC_ALL=C export LC_ALL

# things that this script gets (from ipsec_pluto(8) man page)
#
#
#      PLUTO_VERSION
#              indicates  what  version of this interface is being
#              used.  This document describes version  1.1.   This
#              is upwardly compatible with version 1.0.
#
#       PLUTO_VERB
#              specifies the name of the operation to be performed
#              (prepare-host, prepare-client, up-host, up-client,
#              down-host, or down-client).  If the address family
#              for security gateway to security gateway
#              communications is IPv6, then a suffix of -v6 is added
#              to the verb.
#
#       PLUTO_CONNECTION
#              is the name of the  connection  for  which  we  are
#              routing.
#
#       PLUTO_CONN_POLICY
#              the policy of the connection, as in:
#     RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
#       PLUTO_NEXT_HOP
#              is the next hop to which packets bound for the peer
#              must be sent.
#
#       PLUTO_INTERFACE
#              is the name of the ipsec interface to be used.
#
#       PLUTO_ME
#              is the IP address of our host.
#
#       PLUTO_MY_CLIENT
#              is the IP address / count of our client subnet.  If
#              the  client  is  just  the  host,  this will be the
#              host's own IP address / max (where max  is  32  for
#              IPv4 and 128 for IPv6).
#
#       PLUTO_MY_CLIENT_NET
#              is the IP address of our client net.  If the client
#              is just the host, this will be the  host's  own  IP
#              address.
#
#       PLUTO_MY_CLIENT_MASK
#              is  the  mask for our client net.  If the client is
#              just the host, this will be 255.255.255.255.
#
#       PLUTO_MY_SOURCEIP
#              if non-empty, then the source address for the route will be
#              set to this IP address.
#
#       PLUTO_MY_PROTOCOL
#              is the protocol  for this  connection.  Useful  for
#              firewalling.
#
#       PLUTO_MY_PORT
#              is the port. Useful for firewalling.
#
#       PLUTO_PEER
#              is the IP address of our peer.
#
#       PLUTO_PEER_CLIENT
#              is the IP address / count of the peer's client sub?
#              net.   If the client is just the peer, this will be
#              the peer's own IP address / max (where  max  is  32
#              for IPv4 and 128 for IPv6).
#
#       PLUTO_PEER_CLIENT_NET
#              is the IP address of the peer's client net.  If the
#              client is just the peer, this will  be  the  peer's
#              own IP address.
#
#       PLUTO_PEER_CLIENT_MASK
#              is  the  mask  for  the  peer's client net.  If the
#              client   is   just   the   peer,   this   will   be
#              255.255.255.255.
#
#       PLUTO_PEER_PROTOCOL
#              is  the  protocol  set  for  remote  end  with port
#              selector.
#
#       PLUTO_PEER_PORT
#              is the peer's port. Useful for firewalling.
#
#       PLUTO_CONNECTION_TYPE
#

# Import default _updown configs from the /etc/default/pluto_updown file
#
# Two variables can be set in this file:
#
#       DEFAULTSOURCE
#              is the default value for PLUTO_MY_SOURCEIP
#
#       IPROUTETABLE
#              is the default value for IPROUTETABLE
#
#       IPROUTEARGS
#              is the extra argument list for ip route command
#
#       IPRULEARGS
#              is the extra argument list for ip rule command
#
if [ -f /etc/default/pluto_updown ]
then
    . /etc/default/pluto_updown
fi

# check interface version
case "$PLUTO_VERSION" in
1.[0])  # Older Pluto?!?  Play it safe, script may be using new features.
        echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
        echo "$0:       called by obsolete Pluto?" >&2
        exit 2
        ;;
1.*)    ;;
*)      echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$1:$*" in
':')                    # no parameters
        ;;
ipfwadm:ipfwadm)        # due to (left/right)firewall; for default script only
        ;;
custom:*)               # custom parameters (see above CAUTION comment)
        ;;
*)      echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
        doroute add
        ip route flush cache
}

downroute() {
        doroute delete
        ip route flush cache
}

uprule() {
        # policy based advanced routing
        if [ -n "$IPROUTETABLE" ]
        then
            dorule delete
            dorule add
        fi
        # virtual sourceip support
        if [ -n "$PLUTO_MY_SOURCEIP" ]
        then
            addsource
            rc=$?
            if [ $rc -ne 0 ];
            then
                changesource
            fi
        fi
        ip route flush cache
}

downrule() {
        if [ -n "$IPROUTETABLE" ]
        then
            dorule delete
            ip route flush cache
        fi
}

addsource() {
        st=0
        # check if given sourceip is local and add as alias if not
        if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
        then
            it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
            oops="`eval $it 2>&1`"
            st=$?
            if test " $oops" = " " -a " $st" != " 0"
            then
                oops="silent error, exit status $st"
            fi
            case "$oops" in
                    'RTNETLINK answers: File exists'*)
                    # should not happen, but ... ignore if the
                    # address was already assigned on interface
                    oops=""
                    st=0
                    ;;
            esac
            if test " $oops" != " " -o " $st" != " 0"
            then
                echo "$0: addsource \`$it' failed ($oops)" >&2
            fi
        fi
        return $st
}

changesource() {
        # Change used route source to destination if there is previous
        # Route to same PLUTO_PEER_CLIENT. This is basically to fix
        # configuration errors where all conns to same destination don't
        #  have (left/right)sourceip set.
        st=0
        parms="$PLUTO_PEER_CLIENT dev ${PLUTO_INTERFACE%:*}"
        parms="$parms src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
        if [ -n "$IPROUTETABLE" ]
        then
            parms="$parms table $IPROUTETABLE"
        fi
        it="ip route change $parms"
        case "$PLUTO_PEER_CLIENT" in
        "0.0.0.0/0")
                # opportunistic encryption work around
                it=
                ;;
        esac
        oops="`eval $it 2>&1`"
        st=$?
        if test " $oops" = " " -a " $st" != " 0"
        then
            oops="silent error, exit status $st"
        fi
        case "$oops" in
                'RTNETLINK answers: No such file or directory'*)
                # Will happen every time first tunnel is activated because
                # there is no previous route to PLUTO_PEER_CLIENT. So we
                # need to ignore this error.
                oops=""
                st=0
                ;;
        esac
        if test " $oops" != " " -o " $st" != " 0"
        then
            echo "$0: changesource \`$it' failed ($oops)" >&2
        fi
        return $st
}

dorule() {
        st=0
        it2=
        iprule="from $PLUTO_MY_CLIENT"
        iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
        case "$PLUTO_PEER_CLIENT" in
        "0.0.0.0/0")
                # opportunistic encryption work around
                st=0
                ;;
        *)
                if [ -z "$PLUTO_MY_SOURCEIP" ]
                then
                    if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
                    then
                        it="ip rule $1 iif lo $iprule2"
                    else
                        it="ip rule $1 $iprule $iprule2"
                    fi
                else
                    if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
                    then
                        it="ip rule $1 iif lo $iprule2"
                    else
                        it="ip rule $1 $iprule $iprule2"
                        it2="ip rule $1 iif lo $iprule2"
                    fi
                fi
                oops="`eval $it 2>&1`"
                st=$?
                if test " $oops" = " " -a " $st" != " 0"
                then
                    oops="silent error, exit status $st"
                fi
                case "$oops" in
                'RTNETLINK answers: No such process'*)
                        # This is what ip rule gives
                        # for "could not find such a rule"
                        oops=
                        st=0
                        ;;
                esac
                if test " $oops" != " " -o " $st" != " 0"
                then
                    echo "$0: dorule \`$it' failed ($oops)" >&2
                fi
                if test "$st" = "0" -a -n "$it2"
                then
                    oops="`eval $it2 2>&1`"
                    st=$?
                    if test " $oops" = " " -a " $st" != " 0"
                    then
                        oops="silent error, exit status $st"
                    fi
                    case "$oops" in
                    'RTNETLINK answers: No such process'*)
                            # This is what ip rule gives
                            # for "could not find such a rule"
                            oops=
                            st=0
                            ;;
                    esac
                    if test " $oops" != " " -o " $st" != " 0"
                    then
                        echo "$0: dorule \`$it2' failed ($oops)" >&2
                    fi
                fi
                ;;
            esac
        return $st
}


doroute() {
        st=0
        parms="$PLUTO_PEER_CLIENT"
        parms2=
        if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
        then
           parms2="via $PLUTO_NEXT_HOP"
        fi
        parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
        parms3="$IPROUTEARGS"
        if [ -n "$IPROUTETABLE" ]
        then
            parms3="$parms3 table $IPROUTETABLE"
        fi

        if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
        then
            PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
        fi

        if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
        then
            addsource
            parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
        fi

        case "$PLUTO_PEER_CLIENT" in
        "0.0.0.0/0")
                # opportunistic encryption work around
                # need to provide route that eclipses default, without
                # replacing it.
                it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
                        ip route $1 128.0.0.0/1 $parms2 $parms3"
                ;;
        *)      it="ip route $1 $parms $parms2 $parms3"
                ;;
        esac
        oops="`eval $it 2>&1`"
        st=$?
        if test " $oops" = " " -a " $st" != " 0"
        then
            oops="silent error, exit status $st"
        fi
        if test " $oops" != " " -o " $st" != " 0"
        then
            echo "$0: doroute \`$it' failed ($oops)" >&2
        fi
        return $st
}


# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to adding a route)
        case "$PLUTO_PEER_CLIENT" in
        "0.0.0.0/0")
                # need to provide route that eclipses default, without
                # replacing it.
                parms1="0.0.0.0/1"
                parms2="128.0.0.0/1"
                it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
                oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
                ;;
        *)
                parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
                if [ -n "$IPROUTETABLE" ]
                then
                    parms="$parms table $IPROUTETABLE"
                fi
                it="ip route delete $parms 2>&1"
                oops="`ip route delete $parms 2>&1`"
                ;;
        esac
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error, exit status $status"
        fi
        case "$oops" in
        *'RTNETLINK answers: No such process'*)
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
        exit $status
        ;;
route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
up-host:*)
        # connection to me coming up
        uprule
        # If you are doing a custom version, firewall commands go here.
        ;;
down-host:*)
        # connection to me going down
        downrule
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:)
        # connection to my client subnet coming up
        uprule
        # If you are doing a custom version, firewall commands go here.
        ;;
down-client:)
        # connection to my client subnet going down
        downrule
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        uprule
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        downrule
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
        ;;
route-host-v6:*|route-client-v6:*)
        # connection to me or my client subnet being routed
        #uproute_v6
        ;;
unroute-host-v6:*|unroute-client-v6:*)
        # connection to me or my client subnet being unrouted
        #downroute_v6
        ;;
up-host-v6:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-host-v6:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client-v6:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-client-v6:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        ;;
*)      echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;
esac
+ cat /usr/lib/ipsec/_updown_x509
#! /bin/sh
#
# customized updown script
#

# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice                   -/var/log/vpn
#
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
        S_MY_PORT="--sport $PLUTO_MY_PORT"
        D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
        S_PEER_PORT="--sport $PLUTO_PEER_PORT"
        D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi

# CAUTION:  Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.

LC_ALL=C export LC_ALL

# things that this script gets (from ipsec_pluto(8) man page)
#
#
#      PLUTO_VERSION
#              indicates  what  version of this interface is being
#              used.  This document describes version  1.1.   This
#              is upwardly compatible with version 1.0.
#
#       PLUTO_VERB
#              specifies the name of the operation to be performed
#              (prepare-host, prepare-client, up-host, up-client,
#              down-host, or down-client).  If the address family
#              for security gateway to security gateway communications
#              is IPv6, then a suffix of -v6 is added to the verb.
#
#       PLUTO_CONNECTION
#              is the name of the  connection  for  which  we  are
#              routing.
#
#       PLUTO_CONN_POLICY
#              the policy of the connection, as in:
#     RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
#       PLUTO_NEXT_HOP
#              is the next hop to which packets bound for the peer
#              must be sent.
#
#       PLUTO_INTERFACE
#              is the name of the ipsec interface to be used.
#
#       PLUTO_ME
#              is the IP address of our host.
#
#       PLUTO_MY_CLIENT
#              is the IP address / count of our client subnet.  If
#              the  client  is  just  the  host,  this will be the
#              host's own IP address / max (where max  is  32  for
#              IPv4 and 128 for IPv6).
#
#       PLUTO_MY_CLIENT_NET
#              is the IP address of our client net.  If the client
#              is just the host, this will be the  host's  own  IP
#              address.
#
#       PLUTO_MY_CLIENT_MASK
#              is  the  mask for our client net.  If the client is
#              just the host, this will be 255.255.255.255.
#
#       PLUTO_MY_SOURCEIP
#              if non-empty, then the source address for the route will be
#              set to this IP address.
#
#       PLUTO_MY_PROTOCOL
#              is the protocol  for this  connection.  Useful  for
#              firewalling.
#
#       PLUTO_MY_PORT
#              is the port. Useful for firewalling.
#
#       PLUTO_PEER
#              is the IP address of our peer.
#
#       PLUTO_PEER_CLIENT
#              is the IP address / count of the peer's client subnet.
#              If the client is just the peer, this will be
#              the peer's own IP address / max (where  max  is  32
#              for IPv4 and 128 for IPv6).
#
#       PLUTO_PEER_CLIENT_NET
#              is the IP address of the peer's client net.  If the
#              client is just the peer, this will  be  the  peer's
#              own IP address.
#
#       PLUTO_PEER_CLIENT_MASK
#              is  the  mask  for  the  peer's client net.  If the
#              client   is   just   the   peer,   this   will   be
#              255.255.255.255.
#
#       PLUTO_PEER_PROTOCOL
#              is  the  protocol  set  for  remote  end  with port
#              selector.
#
#       PLUTO_PEER_PORT
#              is the peer's port. Useful for firewalling.
#
#       PLUTO_CONNECTION_TYPE
#

# Import default _updown configs from the /etc/default/pluto_updown file
#
# Two variables can be set in this file:
#
#       DEFAULTSOURCE
#              is the default value for PLUTO_MY_SOURCEIP
#
#       IPROUTETABLE
#              is the default value for IPROUTETABLE
#
#       IPROUTEARGS
#              is the extra argument list for ip route command
#
#       IPRULEARGS
#              is the extra argument list for ip rule command
#
if [ -f /etc/default/pluto_updown ]
then
    . /etc/default/pluto_updown
fi

# check interface version
case "$PLUTO_VERSION" in
1.[0])  # Older Pluto?!?  Play it safe, script may be using new features.
        echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
        echo "$0:       called by obsolete Pluto?" >&2
        exit 2
        ;;
1.*)    ;;
*)      echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$1:$*" in
':')                    # no parameters
        ;;
ipfwadm:ipfwadm)        # due to (left/right)firewall; for default script only
        ;;
custom:*)               # custom parameters (see above CAUTION comment)
        ;;
*)      echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
        doroute add
        ip route flush cache
}

downroute() {
        doroute delete
        ip route flush cache
}

uprule() {
        # policy based advanced routing
        if [ -n "$IPROUTETABLE" ]
        then
            dorule delete
            dorule add
        fi
        # virtual sourceip support
        if [ -n "$PLUTO_MY_SOURCEIP" ]
        then
            addsource
            changesource
        fi
        ip route flush cache
}

downrule() {
        if [ -n "$IPROUTETABLE" ]
        then
            dorule delete
            ip route flush cache
        fi
}

addsource() {
        st=0
        if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
        then
            it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
            oops="`eval $it 2>&1`"
            st=$?
            if test " $oops" = " " -a " $st" != " 0"
            then
                oops="silent error, exit status $st"
            fi
            if test " $oops" != " " -o " $st" != " 0"
            then
                echo "$0: addsource \`$it' failed ($oops)" >&2
            fi
        fi
        return $st
}

changesource() {
        st=0
        parms="$PLUTO_PEER_CLIENT"
        parms2="dev ${PLUTO_INTERFACE%:*}"
        parms3="src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
        if [ -n "$IPROUTETABLE" ]
        then
            parms3="$parms3 table '$IPROUTETABLE'"
        fi
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # opportunistic encryption work around
                it=
                ;;
        esac
        oops="`eval $it 2>&1`"
        st=$?
        if test " $oops" = " " -a " $st" != " 0"
        then
            oops="silent error, exit status $st"
        fi
        if test " $oops" != " " -o " $st" != " 0"
        then
            echo "$0: changesource \`$it' failed ($oops)" >&2
        fi
        return $st
}

dorule() {
        st=0
        it2=
        iprule="from $PLUTO_MY_CLIENT"
        iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # opportunistic encryption work around
                st=0
                ;;
        *)
                if [ -z "$PLUTO_MY_SOURCEIP" ]
                then
                    if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
                    then
                        it="ip rule $1 iif lo $iprule2"
                    else
                        it="ip rule $1 $iprule $iprule2"
                    fi
                else
                    if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
                    then
                        it="ip rule $1 iif lo $iprule2"
                    else
                        it="ip rule $1 $iprule $iprule2"
                        it2="ip rule $1 iif lo $iprule2"
                    fi
                fi
                oops="`eval $it 2>&1`"
                st=$?
                if test " $oops" = " " -a " $st" != " 0"
                then
                    oops="silent error, exit status $st"
                fi
                case "$oops" in
                'RTNETLINK answers: No such process'*)
                        # This is what ip rule gives
                        # for "could not find such a rule"
                        oops=
                        st=0
                        ;;
                esac
                if test " $oops" != " " -o " $st" != " 0"
                then
                    echo "$0: dorule \`$it' failed ($oops)" >&2
                fi
                if test "$st" = "0" -a -n "$it2"
                then
                    oops="`eval $it2 2>&1`"
                    st=$?
                    if test " $oops" = " " -a " $st" != " 0"
                    then
                        oops="silent error, exit status $st"
                    fi
                    case "$oops" in
                    'RTNETLINK answers: No such process'*)
                            # This is what ip rule gives
                            # for "could not find such a rule"
                            oops=
                            st=0
                            ;;
                    esac
                    if test " $oops" != " " -o " $st" != " 0"
                    then
                        echo "$0: dorule \`$it2' failed ($oops)" >&2
                    fi
                fi
                ;;
            esac
        return $st
}


doroute() {
        st=0
        parms="$PLUTO_PEER_CLIENT"
        parms2=
        if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
        then
           parms2="via $PLUTO_NEXT_HOP"
        fi
        parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
        parms3="$IPROUTEARGS"
        if [ -n "$IPROUTETABLE" ]
        then
            parms3="$parms3 table $IPROUTETABLE"
        fi

        if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
        then
            PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
        fi

        if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
        then
            addsource
            parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
        fi

        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # opportunistic encryption work around
                # need to provide route that eclipses default, without
                # replacing it.
                it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
                        ip route $1 128.0.0.0/1 $parms2 $parms3"
                ;;
        *)      it="ip route $1 $parms $parms2 $parms3"
                ;;
        esac
        oops="`eval $it 2>&1`"
        st=$?
        if test " $oops" = " " -a " $st" != " 0"
        then
            oops="silent error, exit status $st"
        fi
        if test " $oops" != " " -o " $st" != " 0"
        then
            echo "$0: doroute \`$it' failed ($oops)" >&2
        fi
        return $st
}


# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to adding a route)
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # need to provide route that eclipses default, without
                # replacing it.
                parms1="0.0.0.0/1"
                parms2="128.0.0.0/1"
                it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
                oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
                ;;
        *)
                parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
                if [ -n "$IPROUTETABLE" ]
                then
                    parms="$parms table $IPROUTETABLE"
                fi
                it="ip route delete $parms 2>&1"
                oops="`ip route delete $parms 2>&1`"
                ;;
        esac
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error, exit status $status"
        fi
        case "$oops" in
        *'RTNETLINK answers: No such process'*)
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
        exit $status
        ;;
route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
up-host:*)
        # connection to me coming up
        uprule
        # If you are doing a custom version, firewall commands go here.
        iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
            -d $PLUTO_ME $D_MY_PORT -j ACCEPT
        iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_ME $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
        #
        if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
        then
          logger -t $TAG -p $FAC_PRIO \
            "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
        else
          logger -t $TAG -p $FAC_PRIO \
            "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
        fi
        ;;
down-host:*)
        # connection to me going down
        downrule
        # If you are doing a custom version, firewall commands go here.
        iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
            -d $PLUTO_ME $D_MY_PORT -j ACCEPT
        iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_ME $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
        #
        if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
        then
          logger -t $TAG -p $FAC_PRIO -- \
            "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
        else
          logger -t $TAG -p $FAC_PRIO -- \
          "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
        fi
        ;;
up-client:)
        # connection to my client subnet coming up
        uprule
        # If you are doing a custom version, firewall commands go here.
        iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
        iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
        #
        if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
        then
          logger -t $TAG -p $FAC_PRIO \
            "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        else
          logger -t $TAG -p $FAC_PRIO \
            "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        fi
        ;;
down-client:)
        # connection to my client subnet going down
        downrule
        # If you are doing a custom version, firewall commands go here.
        iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
        iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
        #
        if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
        then
          logger -t $TAG -p $FAC_PRIO -- \
            "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        else
          logger -t $TAG -p $FAC_PRIO -- \
            "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        fi
        ;;
up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        uprule
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        downrule
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
        ;;
route-host-v6:*|route-client-v6:*)
        # connection to me or my client subnet being routed
        #uproute_v6
        ;;
unroute-host-v6:*|unroute-client-v6:*)
        # connection to me or my client subnet being unrouted
        #downroute_v6
        ;;
up-host-v6:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-host-v6:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client-v6:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-client-v6:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        ;;
*)      echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;
esac
+ _________________________ /proc/net/dev
+
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:26071082  169048    0    0    0     0          0         0 26071082  169048    0    0    0     0       0          0
  sit0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0:1752552240 12971794    1    0    0     0          0         0 2596161068 19599254    3    0    3     0       0          0
  eth1:3735954227 37256922    0    0    0     0          0         0 1243416552 12229820    2    0    0 85618       4          0
+ _________________________ /proc/net/route
+
+ cat /proc/net/route
Iface   Destination     Gateway         Flags   RefCnt  Use     Metric  Mask            MTU     Window  IRTT
eth1    00E7E118        00000000        0001    0       0       0       80FFFFFF        0       0       0
eth0    0000660A        00000000        0001    0       0       0       00FFFFFF        0       0       0
eth1    0000A8C0        01E7E118        0003    0       0       0       0000FFFF        0       0       0
eth1    00000000        01E7E118        0003    0       0       0       00000000        0       0       0
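The /proc/net/route table above is printed by the kernel as host-order hex, which is awkward to read by eye. The following added example (not part of the original post and not Openswan code) decodes such a table and performs the kernel's longest-prefix lookup, so the interface and gateway chosen for a packet toward the peer subnet can be checked; the embedded table is a constructed copy of the lines captured above and the host is assumed little-endian, as an i686 box is.

```python
import ipaddress
import struct

# Flag bits from <linux/route.h>.
RTF_UP = 0x0001
RTF_GATEWAY = 0x0002

# Constructed copy of the /proc/net/route table captured by `ipsec barf` above.
SAMPLE_PROC_NET_ROUTE = """\
Iface   Destination     Gateway         Flags   RefCnt  Use     Metric  Mask            MTU     Window  IRTT
eth1    00E7E118        00000000        0001    0       0       0       80FFFFFF        0       0       0
eth0    0000660A        00000000        0001    0       0       0       00FFFFFF        0       0       0
eth1    0000A8C0        01E7E118        0003    0       0       0       0000FFFF        0       0       0
eth1    00000000        01E7E118        0003    0       0       0       00000000        0       0       0
"""


def hex_le_to_ip(field):
    """Convert one /proc/net/route address field to a dotted quad.

    The kernel prints each address as a 32-bit hex number in host byte
    order; on a little-endian host (assumed here, as on i686) the bytes
    must be reversed to obtain the network-order address.
    """
    return str(ipaddress.IPv4Address(struct.pack("<L", int(field, 16))))


def parse_proc_net_route(text):
    """Return one dict per route with the hex fields decoded."""
    routes = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 8:
            continue
        iface, dest, gateway, flags, _refcnt, _use, metric, mask = fields[:8]
        flagbits = int(flags, 16)
        network = ipaddress.IPv4Network(
            (hex_le_to_ip(dest), hex_le_to_ip(mask)), strict=False)
        routes.append({
            "iface": iface,
            "network": network,
            # The gateway column only means something when RTF_GATEWAY is
            # set; otherwise the destination is directly attached.
            "gateway": hex_le_to_ip(gateway) if flagbits & RTF_GATEWAY else None,
            "up": bool(flagbits & RTF_UP),
            "metric": int(metric),
        })
    return routes


def lookup(routes, address):
    """Longest-prefix match among UP routes, as the kernel selects a
    next hop; returns the winning route dict or None."""
    addr = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if r["up"] and addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["network"].prefixlen)


def format_route(route):
    """Render a decoded route roughly the way `ip route` prints it."""
    net = route["network"]
    dest = "default" if net.prefixlen == 0 else str(net)
    via = f" via {route['gateway']}" if route["gateway"] else ""
    return f"{dest}{via} dev {route['iface']}"


if __name__ == "__main__":
    table = parse_proc_net_route(SAMPLE_PROC_NET_ROUTE)
    for route in table:
        print(format_route(route))
    # Which route carries a packet bound for the peer's 192.168.0.0/16?
    print("192.168.1.5 ->", format_route(lookup(table, "192.168.1.5")))
```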
+ _________________________ /proc/sys/net/ipv4/ip_forward
+
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+
+ cd /proc/sys/net/ipv4/conf
+ egrep ^ all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:0
eth1/rp_filter:1
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+
+ cd /proc/sys/net/ipv4/conf
+ egrep ^ all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:1
default/accept_redirects:0
default/secure_redirects:1
default/send_redirects:0
eth0/accept_redirects:1
eth0/secure_redirects:1
eth0/send_redirects:1
eth1/accept_redirects:1
eth1/secure_redirects:1
eth1/send_redirects:1
lo/accept_redirects:1
lo/secure_redirects:1
lo/send_redirects:1
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+
+ uname -a
Linux host01 2.6.17-11-server #2 SMP Thu Feb 1 19:53:33 UTC 2007 i686 GNU/Linux
+ _________________________ config-built-with
+
+ test -r /proc/config_built_with
+ _________________________ distro-release
+
+ test -f /etc/redhat-release
+ test -f /etc/debian-release
+ test -f /etc/SuSE-release
+ test -f /etc/mandrake-release
+ test -f /etc/mandriva-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
+ uname -r
+ echo NETKEY (2.6.17-11-server) support detected
NETKEY (2.6.17-11-server) support detected
+ _________________________ ipfwadm
+
+ test -r /sbin/ipfwadm
+ no old-style linux 1.x/2.0 ipfwadm firewall support
/usr/lib/ipsec/barf: 1: no old-style linux 1.x/2.0 ipfwadm firewall support: not found
+ _________________________ ipchains
+
+ test -r /sbin/ipchains
+ echo no old-style linux 2.0 ipchains firewall support
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy DROP 5 packets, 1772 bytes)
 pkts bytes target     prot opt in     out     source               destination
22526 3046K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
98657   17M eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ppp0_in    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 338K   39M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 1 packets, 328 bytes)
 pkts bytes target     prot opt in     out     source               destination
12986  748K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
2971K 4055M eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ppp0_fwd   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
1764K  122M eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 3250  262K Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3184  256K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
 3184  256K reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
22526 3046K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
    1   328 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
49246 7751K fw2net     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
    0     0 fw2net     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
 114K   19M fw2loc     all  --  *      eth0    0.0.0.0/0            10.102.0.0/24       policy match dir out pol none
    0     0 fw2loc     all  --  *      eth0    0.0.0.0/0            255.255.255.255
22221  808K fw2loc     all  --  *      eth0    0.0.0.0/0            224.0.0.0/4
12570 1056K Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
12570 1056K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
12570 1056K reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain Drop (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
 1520  162K dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
 1520  162K dropInvalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900
  255 15132 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53

Chain Reject (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
15820 1318K dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
15820 1318K dropInvalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900
   70  6017 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   165 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53

Chain all2all (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source               destination
   50  3845 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source               destination
   75  9901 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
12738 1028K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
12738 1028K smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW policy match dir in pol none
1749K  121M tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none
1760K  122M loc2net    all  --  *      eth1    10.102.0.0/24        0.0.0.0/0           policy match dir out pol none
    0     0 loc2net    all  --  *      ppp0    10.102.0.0/24        0.0.0.0/0           policy match dir out pol none

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 248K   11M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
 248K   11M smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW policy match dir in pol none
  248 87083 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
81226   28M tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none
 338K   39M loc2fw     all  --  *      *       10.102.0.0/24        0.0.0.0/0           policy match dir in pol none

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW policy match dir in pol none
2962K 4054M tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none
    0     0 ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
2971K 4055M net2loc    all  --  *      eth0    0.0.0.0/0            10.102.0.0/24       policy match dir out pol none

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
35508   12M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
35508   12M smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW policy match dir in pol none
33838   12M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
63073 4871K tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none
64819 5088K net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none

Chain fw2all (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:fw2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (3 references)
 pkts bytes target     prot opt in     out     source               destination
 106K   18M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   13  1092 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
30592 2286K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (2 references)
 pkts bytes target     prot opt in     out     source               destination
48876 7716K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   36  2391 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
  182 15288 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  152 17150 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2all (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:loc2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
90206   29M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   21  1260 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    8   264 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
 248K   10M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (2 references)
 pkts bytes target     prot opt in     out     source               destination
1751K  121M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 9552  772K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logflags (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (2 references)
 pkts bytes target     prot opt in     out     source               destination
63149 4915K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   12   636 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
   25  2984 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4500
  113  7882 reject     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
 1520  162K Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1459  154K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2fw:DROP:'
 1459  154K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2loc (2 references)
 pkts bytes target     prot opt in     out     source               destination
2971K 4055M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2loc:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW policy match dir in pol none
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
    0     0 net2loc    all  --  *      eth0    0.0.0.0/0            10.102.0.0/24       policy match dir out pol none

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW policy match dir in pol none
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none
    0     0 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none

Chain reject (13 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
    0     0 DROP       all  --  *      *       172.16.21.127       0.0.0.0/0
    0     0 DROP       all  --  *      *       10.102.0.255         0.0.0.0/0
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    6   288 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
 3216  260K REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
12645 1061K REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain smurfs (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       172.16.21.127       0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       172.16.21.127       0.0.0.0/0
    0     0 LOG        all  --  *      *       10.102.0.255         0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       10.102.0.255         0.0.0.0/0
    0     0 LOG        all  --  *      *       255.255.255.255      0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 LOG        all  --  *      *       224.0.0.0/4          0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0

Chain tcpflags (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:0 flags:0x17/0x02
+ _________________________ iptables-nat
+
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 14445 packets, 1270K bytes)
 pkts bytes target     prot opt in     out     source               destination
12520 1018K loc_dnat   all  --  eth0   *       10.102.0.0/24        0.0.0.0/0           policy match dir in pol none

Chain POSTROUTING (policy ACCEPT 2712 packets, 312K bytes)
 pkts bytes target     prot opt in     out     source               destination
 7642  485K eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ppp0_masq  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 15273 packets, 1367K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth1_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
 7475  468K MASQUERADE  all  --  *      *       10.102.0.0/24        0.0.0.0/0           policy match dir out pol none

Chain loc_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            192.168.244.202     tcp dpt:873 redir ports 873

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.102.0.0/24        0.0.0.0/0           policy match dir out pol none
+ _________________________ iptables-mangle
+
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 5194K packets, 4237M bytes)
 pkts bytes target     prot opt in     out     source               destination
5194K 4237M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 460K packets, 59M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 4734K packets, 4178M bytes)
 pkts bytes target     prot opt in     out     source               destination
4734K 4178M tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 13M packets, 1581M bytes)
 pkts bytes target     prot opt in     out     source               destination
 221K   32M tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 4968K packets, 4210M bytes)
 pkts bytes target     prot opt in     out     source               destination
4968K 4210M tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ /proc/modules
+
+ test -f /proc/modules
+ cat /proc/modules
xfrm_user 24320 2 - Live 0xd0d02000
xfrm4_tunnel 3712 0 - Live 0xd0c6a000
af_key 38288 0 - Live 0xd0c86000
deflate 5120 0 - Live 0xd0caf000
zlib_deflate 22040 1 deflate, Live 0xd0d25000
twofish 46848 0 - Live 0xd0d36000
serpent 21120 0 - Live 0xd0d1e000
blowfish 10496 0 - Live 0xd0d1a000
sha256 12288 0 - Live 0xd0d16000
crypto_null 3840 0 - Live 0xd0cad000
aes 28864 0 - Live 0xd0d0d000
des 18944 2 - Live 0xd0cd2000
tunnel4 4612 1 xfrm4_tunnel, Live 0xd0caa000
ipcomp 9224 0 - Live 0xd0c96000
esp4 9600 2 - Live 0xd0c92000
ah4 8064 0 - Live 0xd0c3c000
tulip 55072 0 - Live 0xd0871000
nfs 249804 0 - Live 0xd0d4c000
lockd 67848 1 nfs, Live 0xd0cc0000
sunrpc 165820 2 nfs,lockd, Live 0xd0cd8000
af_packet 24584 0 - Live 0xd0ca2000
autofs4 23300 1 - Live 0xd0c9b000
ip6table_filter 3968 1 - Live 0xd0c65000
ip6_tables 16484 1 ip6table_filter, Live 0xd0c74000
xt_state 3328 23 - Live 0xd0c63000
xt_tcpudp 4480 31 - Live 0xd0c60000
xt_pkttype 2944 4 - Live 0xd0c72000
iptable_raw 3200 0 - Live 0xd0c70000
xt_CLASSIFY 2944 0 - Live 0xd0c6e000
xt_connmark 3200 0 - Live 0xd0c6c000
xt_physdev 3600 0 - Live 0xd0c5e000
xt_policy 4992 27 - Live 0xd0c5b000
xt_multiport 4608 4 - Live 0xd0c58000
xt_conntrack 3712 0 - Live 0xd0c52000
iptable_mangle 3968 1 - Live 0xd0c50000
ipt_ULOG 9348 0 - Live 0xd0c54000
ipt_TTL 3456 0 - Live 0xd0c4e000
ipt_ttl 3072 0 - Live 0xd0c4c000
ipt_TOS 3456 0 - Live 0xd0c4a000
ipt_tos 2688 0 - Live 0xd0c48000
ipt_TCPMSS 5376 1 - Live 0xd0c45000
ipt_SAME 3456 0 - Live 0xd0c43000
ipt_REJECT 6784 4 - Live 0xd0c15000
ipt_REDIRECT 3200 1 - Live 0xd0c3a000
ipt_recent 12044 0 - Live 0xd0c3f000
ipt_owner 3200 0 - Live 0xd0c34000
ipt_NETMAP 3072 0 - Live 0xd0c32000
ipt_MASQUERADE 4864 2 - Live 0xd0c2b000
ipt_LOG 8320 14 - Live 0xd0c36000
ipt_iprange 2944 0 - Live 0xd0c29000
ipt_hashlimit 10632 0 - Live 0xd0c2e000
ipt_ECN 4352 0 - Live 0xd0c26000
ipt_ecn 3456 0 - Live 0xd0c24000
ipt_DSCP 3456 0 - Live 0xd0c1d000
ipt_dscp 2816 0 - Live 0xd0c1b000
ipt_CLUSTERIP 10116 0 - Live 0xd0c20000
ipt_ah 3072 0 - Live 0xd0be7000
ipt_addrtype 3072 0 - Live 0xd0bdc000
ip_nat_irc 3840 0 - Live 0xd0998000
ip_nat_tftp 2944 0 - Live 0xd097e000
ip_nat_ftp 4736 0 - Live 0xd0c18000
ip_conntrack_irc 7920 1 ip_nat_irc, Live 0xd0afa000
ip_conntrack_tftp 5368 1 ip_nat_tftp, Live 0xd0be4000
ip_conntrack_ftp 8816 1 ip_nat_ftp, Live 0xd0c11000
iptable_nat 8964 1 - Live 0xd0be9000
ip_nat 19884 8 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,iptable_nat, Live 0xd0bde000
sha1 3840 2 - Live 0xd0afd000
arc4 3200 0 - Live 0xd0a92000
ppp_mppe 8324 0 - Live 0xd0bd3000
ip_conntrack 53088 12 xt_state,xt_connmark,xt_conntrack,ipt_MASQUERADE,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,ip_conntrack_irc,ip_conntrack_tftp,ip_conntrack_ftp,iptable_nat,ip_nat, Live 0xd0c03000
nfnetlink 8088 2 ip_nat,ip_conntrack, Live 0xd0a87000
iptable_filter 4224 1 - Live 0xd0a8a000
ip_tables 15204 4 iptable_raw,iptable_mangle,iptable_nat,iptable_filter, Live 0xd0a8d000
x_tables 16132 35 ip6_tables,xt_state,xt_tcpudp,xt_pkttype,xt_CLASSIFY,xt_connmark,xt_physdev,xt_policy,xt_multiport,xt_conntrack,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_TCPMSS,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_hashlimit,ipt_ECN,ipt_ecn,ipt_DSCP,ipt_dscp,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,iptable_nat,ip_tables, Live 0xd0a25000
ppp_async 13440 0 - Live 0xd09c0000
crc_ccitt 3200 1 ppp_async, Live 0xd08fa000
ppp_generic 30484 2 ppp_mppe,ppp_async, Live 0xd09dd000
slhc 8448 1 ppp_generic, Live 0xd09d9000
md_mod 82836 0 - Live 0xd0bed000
lp 12964 0 - Live 0xd09a2000
joydev 11200 0 - Live 0xd09bc000
tsdev 9152 0 - Live 0xd09ab000
snd_au8820 36768 0 - Live 0xd0a0a000
gameport 17032 2 snd_au8820, Live 0xd09d3000
ipv6 271136 28 - Live 0xd0a94000
snd_ac97_codec 97440 1 snd_au8820, Live 0xd0a2a000
snd_pcm_oss 47232 0 - Live 0xd09fd000
snd_mixer_oss 19328 1 snd_pcm_oss, Live 0xd09cd000
snd_pcm 84356 3 snd_au8820,snd_ac97_codec,snd_pcm_oss, Live 0xd09e7000
snd_timer 25348 1 snd_pcm, Live 0xd09c5000
snd_page_alloc 11528 1 snd_pcm, Live 0xd09a7000
snd_ac97_bus 3456 1 snd_ac97_codec, Live 0xd085a000
i2c_voodoo3 6276 0 - Live 0xd0995000
i2c_algo_bit 10376 1 i2c_voodoo3, Live 0xd097a000
snd_mpu401_uart 10240 1 snd_au8820, Live 0xd0991000
psmouse 41352 0 - Live 0xd09b0000
snd_rawmidi 27136 1 snd_mpu401_uart, Live 0xd099a000
snd_seq_device 9868 1 snd_rawmidi, Live 0xd0976000
evdev 11392 0 - Live 0xd0972000
i2c_piix4 10000 0 - Live 0xd096e000
serio_raw 8452 0 - Live 0xd0907000
i2c_core 23424 2 i2c_algo_bit,i2c_piix4, Live 0xd0955000
pcspkr 4352 0 - Live 0xd08cd000
intel_agp 26012 1 - Live 0xd0966000
agpgart 35016 1 intel_agp, Live 0xd095c000
parport_pc 37796 1 - Live 0xd08ef000
parport 39368 2 lp,parport_pc, Live 0xd08fc000
snd 58116 9 snd_au8820,snd_ac97_codec,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer,snd_mpu401_uart,snd_rawmidi,snd_seq_device, Live 0xd0940000
floppy 62916 0 - Live 0xd092f000
soundcore 11232 1 snd, Live 0xd08eb000
shpchp 42144 0 - Live 0xd088d000
pci_hotplug 32828 1 shpchp, Live 0xd08e1000
ext3 142600 3 - Live 0xd090b000
jbd 62100 1 ext3, Live 0xd08bc000
dm_mod 62616 3 - Live 0xd08d0000
usbhid 45280 2 - Live 0xd0880000
ide_generic 2432 0 - Live 0xd0855000
uhci_hcd 25096 0 - Live 0xd082a000
usbcore 134656 5 usbhid,uhci_hcd, Live 0xd089a000
hpt366 20480 2 - Live 0xd084d000
ide_cd 33696 0 - Live 0xd0867000
cdrom 38944 1 ide_cd, Live 0xd085c000
ide_disk 18560 6 - Live 0xd0847000
piix 11780 1 - Live 0xd081d000
generic 6276 0 - Live 0xd0827000
processor 31560 0 - Live 0xd083e000
fbcon 41376 0 - Live 0xd0832000
tileblit 3840 1 fbcon, Live 0xd0825000
font 9344 1 fbcon, Live 0xd0821000
bitblit 7296 1 fbcon, Live 0xd0818000
softcursor 3328 1 bitblit, Live 0xd081b000
vesafb 9244 0 - Live 0xd080d000
capability 5896 0 - Live 0xd0815000
commoncap 8704 1 capability, Live 0xd0811000
+ _________________________ /proc/meminfo
+
+ cat /proc/meminfo
MemTotal:       256008 kB
MemFree:          5424 kB
Buffers:        104984 kB
Cached:          91384 kB
SwapCached:         16 kB
Active:         117736 kB
Inactive:        90112 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       256008 kB
LowFree:          5424 kB
SwapTotal:      746980 kB
SwapFree:       746776 kB
Dirty:             208 kB
Writeback:           0 kB
Mapped:          17552 kB
Slab:            36232 kB
CommitLimit:    874984 kB
Committed_AS:   111104 kB
PageTables:        816 kB
VmallocTotal:   774136 kB
VmallocUsed:      5528 kB
VmallocChunk:   768368 kB
+ _________________________ /proc/net/ipsec-ls
+
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+
+ test -f /proc/config.gz
+ uname -r
+ test -f /lib/modules/2.6.17-11-server/build/.config
+ echo no .config file found, cannot list kernel properties
no .config file found, cannot list kernel properties
+ _________________________ etc/syslog.conf
+
+ cat /etc/syslog.conf
#  /etc/syslog.conf     Configuration file for syslogd.
#
#                       For more information see syslog.conf(5)
#                       manpage.

#
# First some standard logfiles.  Log by facility.
#

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
uucp.*                          /var/log/uucp.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

# Logging for INN news system
#
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice

#
# Some `catch-all' logfiles.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
        news.crit;news.err;news.notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole

+ _________________________ etc/syslog-ng/syslog-ng.conf
+
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ _________________________ etc/resolv.conf
+
+ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search princeton.somedomain.com somedomain.com chaos.local
+ _________________________ lib/modules-ls
+
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 4 root root 4096 Mar  7 00:54 2.6.17-10-server
drwxr-xr-x 4 root root 4096 Mar 27 18:40 2.6.17-11-server
+ _________________________ /proc/ksyms-netif_rx
+
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c026ec90 T __netif_rx_schedule
c026ff20 T netif_rx
c0271350 T netif_rx_ni
c03551a8 r __ksymtab___netif_rx_schedule
c03551d0 r __ksymtab_netif_rx_ni
c03552b0 r __ksymtab_netif_rx
c0358ac4 r __kcrctab___netif_rx_schedule
c0358ad8 r __kcrctab_netif_rx_ni
c0358b48 r __kcrctab_netif_rx
c0362f08 r __kstrtab___netif_rx_schedule
c0362f6b r __kstrtab_netif_rx_ni
c036312e r __kstrtab_netif_rx
c026ff20 U netif_rx     [tulip]
c026ff20 U netif_rx     [ppp_generic]
c026ff20 U netif_rx     [ipv6]
+ _________________________ lib/modules-netif_rx
+
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.17-10-server:
2.6.17-11-server:
+ _________________________ kern.debug
+
+ test -f /var/log/kern.debug
+ _________________________ klog
+
+ sed -n 1908,$p /var/log/syslog
+ egrep -i ipsec|klips|pluto
+ cat
Sep  5 16:03:22 host01 ipsec_setup: Starting Openswan IPsec 2.4.5...
Sep  5 16:03:22 host01 ipsec_setup: insmod /lib/modules/2.6.17-11-server/kernel/net/key/af_key.ko
Sep  5 16:03:22 host01 ipsec_setup: insmod /lib/modules/2.6.17-11-server/kernel/net/ipv4/xfrm4_tunnel.ko
Sep  5 16:03:22 host01 ipsec_setup: insmod /lib/modules/2.6.17-11-server/kernel/net/xfrm/xfrm_user.ko
Sep  5 16:03:22 host01 ipsec_setup: insmod /lib/modules/2.6.17-11-server/kernel/drivers/char/hw_random.ko
Sep  5 16:03:22 host01 ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.17-11-server/kernel/drivers/char/hw_random.ko): No such device
Sep  5 16:03:22 host01 ipsec_setup: insmod /lib/modules/2.6.17-11-server/kernel/drivers/crypto/padlock.ko
Sep  5 16:03:22 host01 ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.17-11-server/kernel/drivers/crypto/padlock.ko): No such device
Sep  5 16:03:24 host01 ipsec__plutorun: 104 "somedomain" #1: STATE_MAIN_I1: initiate
Sep  5 16:03:24 host01 ipsec__plutorun: ...could not start conn "somedomain"
+ _________________________ plog
+
+ sed -n 17870,$p /var/log/auth.log
+ egrep -i pluto
+ cat
Sep  5 16:03:22 host01 ipsec__plutorun: Starting Pluto subsystem...
Sep  5 16:03:22 host01 pluto[3789]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEGfuJ[Ye{Ah)
Sep  5 16:03:22 host01 pluto[3789]: Setting NAT-Traversal port-4500 floating to off
Sep  5 16:03:22 host01 pluto[3789]:    port floating activation criteria nat_t=0/port_fload=1
Sep  5 16:03:22 host01 pluto[3789]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Sep  5 16:03:22 host01 pluto[3789]: | opening /dev/urandom
Sep  5 16:03:22 host01 pluto[3789]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Sep  5 16:03:22 host01 pluto[3789]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
Sep  5 16:03:22 host01 pluto[3789]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep  5 16:03:22 host01 pluto[3789]: starting up 1 cryptographic helpers
Sep  5 16:03:22 host01 pluto[3795]: | opening /dev/urandom
Sep  5 16:03:22 host01 pluto[3789]: started helper pid=3795 (fd:6)
Sep  5 16:03:22 host01 pluto[3789]: Using Linux 2.6 IPsec interface code on 2.6.17-11-server
Sep  5 16:03:22 host01 pluto[3795]: ! helper 0 waiting on fd: 7
Sep  5 16:03:23 host01 pluto[3789]: Changing to directory '/etc/ipsec.d/cacerts'
Sep  5 16:03:23 host01 pluto[3789]: Changing to directory '/etc/ipsec.d/aacerts'
Sep  5 16:03:23 host01 pluto[3789]: Changing to directory '/etc/ipsec.d/ocspcerts'
Sep  5 16:03:23 host01 pluto[3789]: Changing to directory '/etc/ipsec.d/crls'
Sep  5 16:03:23 host01 pluto[3789]:   Warning: empty directory
Sep  5 16:03:23 host01 pluto[3789]: | inserting event EVENT_LOG_DAILY, timeout in 28597 seconds
Sep  5 16:03:23 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 119 seconds
Sep  5 16:03:23 host01 pluto[3789]: |
Sep  5 16:03:23 host01 pluto[3789]: | *received whack message
Sep  5 16:03:23 host01 pluto[3789]: | Added new connection somedomain with policy PSK+ENCRYPT+TUNNEL+PFS
Sep  5 16:03:23 host01 pluto[3789]: | counting wild cards for (none) is 15
Sep  5 16:03:23 host01 pluto[3789]: | counting wild cards for (none) is 15
Sep  5 16:03:23 host01 pluto[3789]: added connection description "somedomain"
Sep  5 16:03:23 host01 pluto[3789]: | 10.102.0.0/16===172.16.21.57---172.16.21.1...172.16.61.81---172.16.61.87===192.168.0.0/16
Sep  5 16:03:23 host01 pluto[3789]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS
Sep  5 16:03:23 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 119 seconds
Sep  5 16:03:23 host01 pluto[3789]: |
Sep  5 16:03:23 host01 pluto[3789]: | *received whack message
Sep  5 16:03:23 host01 pluto[3789]: listening for IKE messages
Sep  5 16:03:23 host01 pluto[3789]: | found lo with address 127.0.0.1
Sep  5 16:03:23 host01 pluto[3789]: | found eth0 with address 10.102.0.1
Sep  5 16:03:23 host01 pluto[3789]: | found eth1 with address 172.16.21.57
Sep  5 16:03:23 host01 pluto[3789]: adding interface eth1/eth1 172.16.21.57:500
Sep  5 16:03:23 host01 pluto[3789]: adding interface eth0/eth0 10.102.0.1:500
Sep  5 16:03:23 host01 pluto[3789]: adding interface lo/lo 127.0.0.1:500
Sep  5 16:03:23 host01 pluto[3789]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Sep  5 16:03:23 host01 pluto[3789]: adding interface lo/lo ::1:500
Sep  5 16:03:23 host01 pluto[3789]: loading secrets from "/etc/ipsec.secrets"
Sep  5 16:03:23 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 119 seconds
Sep  5 16:03:24 host01 pluto[3789]: |
Sep  5 16:03:24 host01 pluto[3789]: | *received whack message
Sep  5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep  5 16:03:24 host01 pluto[3789]: | route owner of "somedomain" unrouted: NULL; eroute owner: NULL
Sep  5 16:03:24 host01 pluto[3789]: | could_route called for somedomain (kind=CK_PERMANENT)
Sep  5 16:03:24 host01 pluto[3789]: | route owner of "somedomain" unrouted: NULL; eroute owner: NULL
Sep  5 16:03:24 host01 pluto[3789]: | add eroute 192.168.0.0/16:0 --0-> 10.102.0.0/16:0 => %trap (raw_eroute)
Sep  5 16:03:24 host01 pluto[3789]: | eroute_connection add eroute 10.102.0.0/16:0 --0-> 192.168.0.0/16:0 => %trap (raw_eroute)
Sep  5 16:03:24 host01 pluto[3789]: | route_and_eroute: firewall_notified: true
Sep  5 16:03:24 host01 pluto[3789]: | command executing prepare-client
Sep  5 16:03:24 host01 pluto[3789]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='datadomain' PLUTO_NEXT_HOP='172.16.21.1' PLUTO_INTERFACE='eth1' PLUTO_ME='172.16.21.57' PLUTO_MY_ID='172.16.21.57' PLUTO_MY_CLIENT='10.102.0.0/16' PLUTO_MY_CLIENT_NET='10.102.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='207.47.14.87' PLUTO_PEER_ID='172.16.61.87' PLUTO_PEER_CLIENT='192.168.0.0/16' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.255.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS'   ipsec _updown
Sep  5 16:03:24 host01 pluto[3789]: | command executing route-client
Sep  5 16:03:24 host01 pluto[3789]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='datadomain' PLUTO_NEXT_HOP='172.16.21.1' PLUTO_INTERFACE='eth1' PLUTO_ME='172.16.21.57' PLUTO_MY_ID='172.16.21.57' PLUTO_MY_CLIENT='10.102.0.0/16' PLUTO_MY_CLIENT_NET='10.102.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='172.16.61.87' PLUTO_PEER_ID='172.16.61.87' PLUTO_PEER_CLIENT='192.168.0.0/16' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.255.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS'   ipsec _updown
Sep  5 16:03:24 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 118 seconds
Sep  5 16:03:24 host01 pluto[3789]: |
Sep  5 16:03:24 host01 pluto[3789]: | *received whack message
Sep  5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep  5 16:03:24 host01 pluto[3789]: | empty esp_info, returning empty
Sep  5 16:03:24 host01 pluto[3789]: | creating state object #1 at 0x80fe5f8
Sep  5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep  5 16:03:24 host01 pluto[3789]: | ICOOKIE:  33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: | RCOOKIE:  00 00 00 00  00 00 00 00
Sep  5 16:03:24 host01 pluto[3789]: | peer:  cf 2f 0e 57
Sep  5 16:03:24 host01 pluto[3789]: | state hash entry 5
Sep  5 16:03:24 host01 pluto[3789]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Sep  5 16:03:24 host01 pluto[3789]: | Queuing pending Quick Mode with 172.16.61.87 "somedomain"
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #1: initiating Main Mode
Sep  5 16:03:24 host01 pluto[3789]: | sending 212 bytes for main_outI1 through eth1:500 to 172.16.61.87:500:
Sep  5 16:03:24 host01 pluto[3789]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Sep  5 16:03:24 host01 pluto[3789]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Sep  5 16:03:24 host01 pluto[3789]: |
Sep  5 16:03:24 host01 pluto[3789]: | *received 156 bytes from 172.16.61.87:500 on eth1 (port=500)
Sep  5 16:03:24 host01 pluto[3789]: | **parse ISAKMP Message:
Sep  5 16:03:24 host01 pluto[3789]: |    initiator cookie:
Sep  5 16:03:24 host01 pluto[3789]: |   33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: |    responder cookie:
Sep  5 16:03:24 host01 pluto[3789]: |   2a cf ac d9  ea 92 05 f6
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_SA
Sep  5 16:03:24 host01 pluto[3789]: |    ISAKMP version: ISAKMP Version 1.0
Sep  5 16:03:24 host01 pluto[3789]: |    exchange type: ISAKMP_XCHG_IDPROT
Sep  5 16:03:24 host01 pluto[3789]: |    flags: none
Sep  5 16:03:24 host01 pluto[3789]: |    message ID:  00 00 00 00
Sep  5 16:03:24 host01 pluto[3789]: |    length: 156
Sep  5 16:03:24 host01 pluto[3789]: |  processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Sep  5 16:03:24 host01 pluto[3789]: | ICOOKIE:  33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: | RCOOKIE:  2a cf ac d9  ea 92 05 f6
Sep  5 16:03:24 host01 pluto[3789]: | peer:  cf 2f 0e 57
Sep  5 16:03:24 host01 pluto[3789]: | state hash entry 8
Sep  5 16:03:24 host01 pluto[3789]: | state object not found
Sep  5 16:03:24 host01 pluto[3789]: | ICOOKIE:  33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: | RCOOKIE:  00 00 00 00  00 00 00 00
Sep  5 16:03:24 host01 pluto[3789]: | peer:  cf 2f 0e 57
Sep  5 16:03:24 host01 pluto[3789]: | state hash entry 5
Sep  5 16:03:24 host01 pluto[3789]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
Sep  5 16:03:24 host01 pluto[3789]: | state object #1 found, in STATE_MAIN_I1
Sep  5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Security Association Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_VID
Sep  5 16:03:24 host01 pluto[3789]: |    length: 52
Sep  5 16:03:24 host01 pluto[3789]: |    DOI: ISAKMP_DOI_IPSEC
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Vendor ID Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_VID
Sep  5 16:03:24 host01 pluto[3789]: |    length: 32
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Vendor ID Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_VID
Sep  5 16:03:24 host01 pluto[3789]: |    length: 20
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Vendor ID Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_NONE
Sep  5 16:03:24 host01 pluto[3789]: |    length: 24
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #1: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #1: received Vendor ID payload [Dead Peer Detection]
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Sep  5 16:03:24 host01 pluto[3789]: | ****parse IPsec DOI SIT:
Sep  5 16:03:24 host01 pluto[3789]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
Sep  5 16:03:24 host01 pluto[3789]: | ****parse ISAKMP Proposal Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_NONE
Sep  5 16:03:24 host01 pluto[3789]: |    length: 40
Sep  5 16:03:24 host01 pluto[3789]: |    proposal number: 1
Sep  5 16:03:24 host01 pluto[3789]: |    protocol ID: PROTO_ISAKMP
Sep  5 16:03:24 host01 pluto[3789]: |    SPI size: 0
Sep  5 16:03:24 host01 pluto[3789]: |    number of transforms: 1
Sep  5 16:03:24 host01 pluto[3789]: | *****parse ISAKMP Transform Payload (ISAKMP):
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_NONE
Sep  5 16:03:24 host01 pluto[3789]: |    length: 32
Sep  5 16:03:24 host01 pluto[3789]: |    transform number: 1
Sep  5 16:03:24 host01 pluto[3789]: |    transform ID: KEY_IKE
Sep  5 16:03:24 host01 pluto[3789]: | ******parse ISAKMP Oakley attribute:
Sep  5 16:03:24 host01 pluto[3789]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
Sep  5 16:03:24 host01 pluto[3789]: |    length/value: 5
Sep  5 16:03:24 host01 pluto[3789]: |    [5 is OAKLEY_3DES_CBC]
Sep  5 16:03:24 host01 pluto[3789]: | ******parse ISAKMP Oakley attribute:
Sep  5 16:03:24 host01 pluto[3789]: |    af+type: OAKLEY_HASH_ALGORITHM
Sep  5 16:03:24 host01 pluto[3789]: |    length/value: 2
Sep  5 16:03:24 host01 pluto[3789]: |    [2 is OAKLEY_SHA1]
Sep  5 16:03:24 host01 pluto[3789]: | ******parse ISAKMP Oakley attribute:
Sep  5 16:03:24 host01 pluto[3789]: |    af+type: OAKLEY_GROUP_DESCRIPTION
Sep  5 16:03:24 host01 pluto[3789]: |    length/value: 2
Sep  5 16:03:24 host01 pluto[3789]: |    [2 is OAKLEY_GROUP_MODP1024]
Sep  5 16:03:24 host01 pluto[3789]: | ******parse ISAKMP Oakley attribute:
Sep  5 16:03:24 host01 pluto[3789]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
Sep  5 16:03:24 host01 pluto[3789]: |    length/value: 1
Sep  5 16:03:24 host01 pluto[3789]: |    [1 is OAKLEY_PRESHARED_KEY]
Sep  5 16:03:24 host01 pluto[3789]: | started looking for secret for 172.16.21.57->172.16.61.87 of kind PPK_PSK
Sep  5 16:03:24 host01 pluto[3789]: | actually looking for secret for 172.16.21.57->172.16.61.87 of kind PPK_PSK
Sep  5 16:03:24 host01 pluto[3789]: | 1: compared PSK 172.16.61.87 to 172.16.21.57 / 172.16.61.87 -> 2
Sep  5 16:03:24 host01 pluto[3789]: | 2: compared PSK 172.16.21.57 to 172.16.21.57 / 172.16.61.87 -> 6
Sep  5 16:03:24 host01 pluto[3789]: | best_match 0>6 best=0x80fe4f0 (line=1)
Sep  5 16:03:24 host01 pluto[3789]: | concluding with best_match=6 best=0x80fe4f0 (lineno=1)
Sep  5 16:03:24 host01 pluto[3789]: | ******parse ISAKMP Oakley attribute:
Sep  5 16:03:24 host01 pluto[3789]: |    af+type: OAKLEY_LIFE_TYPE
Sep  5 16:03:24 host01 pluto[3789]: |    length/value: 1
Sep  5 16:03:24 host01 pluto[3789]: |    [1 is OAKLEY_LIFE_SECONDS]
Sep  5 16:03:24 host01 pluto[3789]: | ******parse ISAKMP Oakley attribute:
Sep  5 16:03:24 host01 pluto[3789]: |    af+type: OAKLEY_LIFE_DURATION
Sep  5 16:03:24 host01 pluto[3789]: |    length/value: 3600
Sep  5 16:03:24 host01 pluto[3789]: | Oakley Transform 1 accepted
Sep  5 16:03:24 host01 pluto[3789]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
Sep  5 16:03:24 host01 pluto[3789]: | asking helper 0 to do build_kenonce op on seq: 1
Sep  5 16:03:24 host01 pluto[3789]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
Sep  5 16:03:24 host01 pluto[3795]: ! helper -1 doing build_kenonce op id: 1
Sep  5 16:03:24 host01 pluto[3789]: | complete state transition with STF_SUSPEND
Sep  5 16:03:24 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 118 seconds
Sep  5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep  5 16:03:24 host01 pluto[3789]: | ICOOKIE:  33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: | RCOOKIE:  00 00 00 00  00 00 00 00
Sep  5 16:03:24 host01 pluto[3789]: | peer:  cf 2f 0e 57
Sep  5 16:03:24 host01 pluto[3789]: | state hash entry 5
Sep  5 16:03:24 host01 pluto[3789]: | ICOOKIE:  33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: | RCOOKIE:  2a cf ac d9  ea 92 05 f6
Sep  5 16:03:24 host01 pluto[3789]: | peer:  cf 2f 0e 57
Sep  5 16:03:24 host01 pluto[3789]: | state hash entry 8
Sep  5 16:03:24 host01 pluto[3789]: | complete state transition with STF_OK
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep  5 16:03:24 host01 pluto[3789]: | sending reply packet to 172.16.61.87:500 (from port=500)
Sep  5 16:03:24 host01 pluto[3789]: | sending 180 bytes for STATE_MAIN_I1 through eth1:500 to 172.16.61.87:500:
Sep  5 16:03:24 host01 pluto[3789]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep  5 16:03:24 host01 pluto[3789]: | modecfg pull: noquirk policy:push not-client
Sep  5 16:03:24 host01 pluto[3789]: | phase 1 is done, looking for phase 1 to unpend
Sep  5 16:03:24 host01 pluto[3789]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Sep  5 16:03:24 host01 pluto[3789]: |
Sep  5 16:03:24 host01 pluto[3789]: | *received 184 bytes from 172.16.61.87:500 on eth1 (port=500)
Sep  5 16:03:24 host01 pluto[3789]: | **parse ISAKMP Message:
Sep  5 16:03:24 host01 pluto[3789]: |    initiator cookie:
Sep  5 16:03:24 host01 pluto[3789]: |   33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: |    responder cookie:
Sep  5 16:03:24 host01 pluto[3789]: |   2a cf ac d9  ea 92 05 f6
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_KE
Sep  5 16:03:24 host01 pluto[3789]: |    ISAKMP version: ISAKMP Version 1.0
Sep  5 16:03:24 host01 pluto[3789]: |    exchange type: ISAKMP_XCHG_IDPROT
Sep  5 16:03:24 host01 pluto[3789]: |    flags: none
Sep  5 16:03:24 host01 pluto[3789]: |    message ID:  00 00 00 00
Sep  5 16:03:24 host01 pluto[3789]: |    length: 184
Sep  5 16:03:24 host01 pluto[3789]: |  processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Sep  5 16:03:24 host01 pluto[3789]: | ICOOKIE:  33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: | RCOOKIE:  2a cf ac d9  ea 92 05 f6
Sep  5 16:03:24 host01 pluto[3789]: | peer:  cf 2f 0e 57
Sep  5 16:03:24 host01 pluto[3789]: | state hash entry 8
Sep  5 16:03:24 host01 pluto[3789]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
Sep  5 16:03:24 host01 pluto[3789]: | state object #1 found, in STATE_MAIN_I2
Sep  5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Key Exchange Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_NONCE
Sep  5 16:03:24 host01 pluto[3789]: |    length: 132
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Nonce Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_NONE
Sep  5 16:03:24 host01 pluto[3789]: |    length: 24
Sep  5 16:03:24 host01 pluto[3789]: | thinking about whether to send my certificate:
Sep  5 16:03:24 host01 pluto[3789]: |   I have RSA key: OAKLEY_PRESHARED_KEY cert.type: CERT_NONE
Sep  5 16:03:24 host01 pluto[3789]: |   sendcert: CERT_ALWAYSSEND and I did not get a certificate request
Sep  5 16:03:24 host01 pluto[3789]: |   so do not send cert.
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #1: I did not send a certificate because I do not have one.
Sep  5 16:03:24 host01 pluto[3789]: |  I am not sending a certificate request
Sep  5 16:03:24 host01 pluto[3789]: | started looking for secret for 172.16.21.57->172.16.61.87 of kind PPK_PSK
Sep  5 16:03:24 host01 pluto[3789]: | actually looking for secret for 172.16.21.57->172.16.61.87 of kind PPK_PSK
Sep  5 16:03:24 host01 pluto[3789]: | 1: compared PSK 172.16.61.87 to 172.16.21.57 / 172.16.61.87 -> 2
Sep  5 16:03:24 host01 pluto[3789]: | 2: compared PSK 172.16.21.57 to 172.16.21.57 / 172.16.61.87 -> 6
Sep  5 16:03:24 host01 pluto[3789]: | best_match 0>6 best=0x80fe4f0 (line=1)
Sep  5 16:03:24 host01 pluto[3789]: | concluding with best_match=6 best=0x80fe4f0 (lineno=1)
Sep  5 16:03:24 host01 pluto[3789]: | complete state transition with STF_OK
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep  5 16:03:24 host01 pluto[3789]: | sending reply packet to 172.16.61.87:500 (from port=500)
Sep  5 16:03:24 host01 pluto[3789]: | sending 68 bytes for STATE_MAIN_I2 through eth1:500 to 172.16.61.87:500:
Sep  5 16:03:24 host01 pluto[3789]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep  5 16:03:24 host01 pluto[3789]: | modecfg pull: noquirk policy:push not-client
Sep  5 16:03:24 host01 pluto[3789]: | phase 1 is done, looking for phase 1 to unpend
Sep  5 16:03:24 host01 pluto[3789]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Sep  5 16:03:24 host01 pluto[3789]: |
Sep  5 16:03:24 host01 pluto[3789]: | *received 68 bytes from 172.16.61.87:500 on eth1 (port=500)
Sep  5 16:03:24 host01 pluto[3789]: | **parse ISAKMP Message:
Sep  5 16:03:24 host01 pluto[3789]: |    initiator cookie:
Sep  5 16:03:24 host01 pluto[3789]: |   33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: |    responder cookie:
Sep  5 16:03:24 host01 pluto[3789]: |   2a cf ac d9  ea 92 05 f6
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_ID
Sep  5 16:03:24 host01 pluto[3789]: |    ISAKMP version: ISAKMP Version 1.0
Sep  5 16:03:24 host01 pluto[3789]: |    exchange type: ISAKMP_XCHG_IDPROT
Sep  5 16:03:24 host01 pluto[3789]: |    flags: ISAKMP_FLAG_ENCRYPTION
Sep  5 16:03:24 host01 pluto[3789]: |    message ID:  00 00 00 00
Sep  5 16:03:24 host01 pluto[3789]: |    length: 68
Sep  5 16:03:24 host01 pluto[3789]: |  processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Sep  5 16:03:24 host01 pluto[3789]: | ICOOKIE:  33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: | RCOOKIE:  2a cf ac d9  ea 92 05 f6
Sep  5 16:03:24 host01 pluto[3789]: | peer:  cf 2f 0e 57
Sep  5 16:03:24 host01 pluto[3789]: | state hash entry 8
Sep  5 16:03:24 host01 pluto[3789]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
Sep  5 16:03:24 host01 pluto[3789]: | state object #1 found, in STATE_MAIN_I3
Sep  5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Identification Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_HASH
Sep  5 16:03:24 host01 pluto[3789]: |    length: 12
Sep  5 16:03:24 host01 pluto[3789]: |    ID type: ID_IPV4_ADDR
Sep  5 16:03:24 host01 pluto[3789]: |    DOI specific A: 17
Sep  5 16:03:24 host01 pluto[3789]: |    DOI specific B: 500
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Hash Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_NONE
Sep  5 16:03:24 host01 pluto[3789]: |    length: 24
Sep  5 16:03:24 host01 pluto[3789]: | removing 4 bytes of padding
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #1: Main mode peer ID is ID_IPV4_ADDR: '172.16.61.87'
Sep  5 16:03:24 host01 pluto[3789]: | complete state transition with STF_OK
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep  5 16:03:24 host01 pluto[3789]: | inserting event EVENT_SA_REPLACE, timeout in 2820 seconds for #1
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Sep  5 16:03:24 host01 pluto[3789]: | modecfg pull: noquirk policy:push not-client
Sep  5 16:03:24 host01 pluto[3789]: | phase 1 is done, looking for phase 1 to unpend
Sep  5 16:03:24 host01 pluto[3789]: | unqueuing pending Quick Mode with 172.16.61.87 "somedomain"
Sep  5 16:03:24 host01 pluto[3789]: | duplicating state object #1
Sep  5 16:03:24 host01 pluto[3789]: | creating state object #2 at 0x8100a60
Sep  5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep  5 16:03:24 host01 pluto[3789]: | ICOOKIE:  33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: | RCOOKIE:  2a cf ac d9  ea 92 05 f6
Sep  5 16:03:24 host01 pluto[3789]: | peer:  cf 2f 0e 57
Sep  5 16:03:24 host01 pluto[3789]: | state hash entry 8
Sep  5 16:03:24 host01 pluto[3789]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
Sep  5 16:03:24 host01 pluto[3789]: "somedomain" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Sep  5 16:03:24 host01 pluto[3789]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
Sep  5 16:03:24 host01 pluto[3789]: | asking helper 0 to do build_kenonce op on seq: 2
Sep  5 16:03:24 host01 pluto[3789]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2
Sep  5 16:03:24 host01 pluto[3795]: ! helper -1 doing build_kenonce op id: 2
Sep  5 16:03:24 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 118 seconds
Sep  5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep  5 16:03:24 host01 pluto[3789]: | empty esp_info, returning empty
Sep  5 16:03:24 host01 pluto[3789]: | sending 372 bytes for quick_outI1 through eth1:500 to 172.16.61.87:500:
Sep  5 16:03:24 host01 pluto[3789]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
Sep  5 16:03:24 host01 pluto[3789]: | next event EVENT_RETRANSMIT in 10 seconds for #2
Sep  5 16:03:24 host01 pluto[3789]: |
Sep  5 16:03:24 host01 pluto[3789]: | *received 332 bytes from 172.16.61.87:500 on eth1 (port=500)
Sep  5 16:03:24 host01 pluto[3789]: | **parse ISAKMP Message:
Sep  5 16:03:24 host01 pluto[3789]: |    initiator cookie:
Sep  5 16:03:24 host01 pluto[3789]: |   33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: |    responder cookie:
Sep  5 16:03:24 host01 pluto[3789]: |   2a cf ac d9  ea 92 05 f6
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_HASH
Sep  5 16:03:24 host01 pluto[3789]: |    ISAKMP version: ISAKMP Version 1.0
Sep  5 16:03:24 host01 pluto[3789]: |    exchange type: ISAKMP_XCHG_QUICK
Sep  5 16:03:24 host01 pluto[3789]: |    flags: ISAKMP_FLAG_ENCRYPTION
Sep  5 16:03:24 host01 pluto[3789]: |    message ID:  7b 13 8d f1
Sep  5 16:03:24 host01 pluto[3789]: |    length: 332
Sep  5 16:03:24 host01 pluto[3789]: |  processing packet with exchange type=ISAKMP_XCHG_QUICK (32)
Sep  5 16:03:24 host01 pluto[3789]: | ICOOKIE:  33 9b 73 e1  e8 94 eb af
Sep  5 16:03:24 host01 pluto[3789]: | RCOOKIE:  2a cf ac d9  ea 92 05 f6
Sep  5 16:03:24 host01 pluto[3789]: | peer:  cf 2f 0e 57
Sep  5 16:03:24 host01 pluto[3789]: | state hash entry 8
Sep  5 16:03:24 host01 pluto[3789]: | peer and cookies match on #2, provided msgid 7b138df1 vs 7b138df1
Sep  5 16:03:24 host01 pluto[3789]: | state object #2 found, in STATE_QUICK_I1
Sep  5 16:03:24 host01 pluto[3789]: | processing connection somedomain
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Hash Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_SA
Sep  5 16:03:24 host01 pluto[3789]: |    length: 24
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Security Association Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_NONCE
Sep  5 16:03:24 host01 pluto[3789]: |    length: 56
Sep  5 16:03:24 host01 pluto[3789]: |    DOI: ISAKMP_DOI_IPSEC
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Nonce Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_KE
Sep  5 16:03:24 host01 pluto[3789]: |    length: 24
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Key Exchange Payload:
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_ID
Sep  5 16:03:24 host01 pluto[3789]: |    length: 132
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Identification Payload (IPsec DOI):
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_ID
Sep  5 16:03:24 host01 pluto[3789]: |    length: 16
Sep  5 16:03:24 host01 pluto[3789]: |    ID type: ID_IPV4_ADDR_SUBNET
Sep  5 16:03:24 host01 pluto[3789]: |    Protocol ID: 0
Sep  5 16:03:24 host01 pluto[3789]: |    port: 0
Sep  5 16:03:24 host01 pluto[3789]: | ***parse ISAKMP Identification Payload (IPsec DOI):
Sep  5 16:03:24 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_N
Sep  5 16:03:25 host01 pluto[3789]: |    length: 16
Sep  5 16:03:25 host01 pluto[3789]: |    ID type: ID_IPV4_ADDR_SUBNET
Sep  5 16:03:25 host01 pluto[3789]: |    Protocol ID: 0
Sep  5 16:03:25 host01 pluto[3789]: |    port: 0
Sep  5 16:03:25 host01 pluto[3789]: | ***parse ISAKMP Notification Payload:
Sep  5 16:03:25 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_NONE
Sep  5 16:03:25 host01 pluto[3789]: |    length: 28
Sep  5 16:03:25 host01 pluto[3789]: |    DOI: ISAKMP_DOI_IPSEC
Sep  5 16:03:25 host01 pluto[3789]: |    protocol ID: 3
Sep  5 16:03:25 host01 pluto[3789]: |    SPI size: 4
Sep  5 16:03:25 host01 pluto[3789]: |    Notify Message Type: IPSEC_RESPONDER_LIFETIME
Sep  5 16:03:25 host01 pluto[3789]: | removing 8 bytes of padding
Sep  5 16:03:25 host01 pluto[3789]: "somedomain" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Sep  5 16:03:25 host01 pluto[3789]: | info:  0c 6d f0 33  80 01 00 01  00 02 00 04  00 00 0e 10
Sep  5 16:03:25 host01 pluto[3789]: | ****parse IPsec DOI SIT:
Sep  5 16:03:25 host01 pluto[3789]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
Sep  5 16:03:25 host01 pluto[3789]: | ****parse ISAKMP Proposal Payload:
Sep  5 16:03:25 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_NONE
Sep  5 16:03:25 host01 pluto[3789]: |    length: 44
Sep  5 16:03:25 host01 pluto[3789]: |    proposal number: 1
Sep  5 16:03:25 host01 pluto[3789]: |    protocol ID: PROTO_IPSEC_ESP
Sep  5 16:03:25 host01 pluto[3789]: |    SPI size: 4
Sep  5 16:03:25 host01 pluto[3789]: |    number of transforms: 1
Sep  5 16:03:25 host01 pluto[3789]: | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
Sep  5 16:03:25 host01 pluto[3789]: | SPI  0c 6d f0 33
Sep  5 16:03:25 host01 pluto[3789]: | *****parse ISAKMP Transform Payload (ESP):
Sep  5 16:03:25 host01 pluto[3789]: |    next payload type: ISAKMP_NEXT_NONE
Sep  5 16:03:25 host01 pluto[3789]: |    length: 32
Sep  5 16:03:25 host01 pluto[3789]: |    transform number: 1
Sep  5 16:03:25 host01 pluto[3789]: |    transform ID: ESP_3DES
Sep  5 16:03:25 host01 pluto[3789]: | ******parse ISAKMP IPsec DOI attribute:
Sep  5 16:03:25 host01 pluto[3789]: |    af+type: SA_LIFE_TYPE
Sep  5 16:03:25 host01 pluto[3789]: |    length/value: 1
Sep  5 16:03:25 host01 pluto[3789]: |    [1 is SA_LIFE_TYPE_SECONDS]
Sep  5 16:03:25 host01 pluto[3789]: | ******parse ISAKMP IPsec DOI attribute:
Sep  5 16:03:25 host01 pluto[3789]: |    af+type: SA_LIFE_DURATION (variable length)
Sep  5 16:03:25 host01 pluto[3789]: |    length/value: 4
Sep  5 16:03:25 host01 pluto[3789]: |    long duration: 28800
Sep  5 16:03:25 host01 pluto[3789]: | ******parse ISAKMP IPsec DOI attribute:
Sep  5 16:03:25 host01 pluto[3789]: |    af+type: ENCAPSULATION_MODE
Sep  5 16:03:25 host01 pluto[3789]: |    length/value: 1
Sep  5 16:03:25 host01 pluto[3789]: |    [1 is ENCAPSULATION_MODE_TUNNEL]
Sep  5 16:03:25 host01 pluto[3789]: | ******parse ISAKMP IPsec DOI attribute:
Sep  5 16:03:25 host01 pluto[3789]: |    af+type: AUTH_ALGORITHM
Sep  5 16:03:25 host01 pluto[3789]: |    length/value: 2
Sep  5 16:03:25 host01 pluto[3789]: |    [2 is AUTH_ALGORITHM_HMAC_SHA1]
Sep  5 16:03:25 host01 pluto[3789]: | ******parse ISAKMP IPsec DOI attribute:
Sep  5 16:03:25 host01 pluto[3789]: |    af+type: GROUP_DESCRIPTION
Sep  5 16:03:25 host01 pluto[3789]: |    length/value: 2
Sep  5 16:03:25 host01 pluto[3789]: |    [2 is OAKLEY_GROUP_MODP1024]
Sep  5 16:03:25 host01 pluto[3789]: | started looking for secret for 172.16.21.57->172.16.61.87 of kind PPK_PSK
Sep  5 16:03:25 host01 pluto[3789]: | actually looking for secret for 172.16.21.57->172.16.61.87 of kind PPK_PSK
Sep  5 16:03:25 host01 pluto[3789]: | 1: compared PSK 172.16.61.87 to 172.16.21.57 / 172.16.61.87 -> 2
Sep  5 16:03:25 host01 pluto[3789]: | 2: compared PSK 172.16.21.57 to 172.16.21.57 / 172.16.61.87 -> 6
Sep  5 16:03:25 host01 pluto[3789]: | best_match 0>6 best=0x80fe4f0 (line=1)
Sep  5 16:03:25 host01 pluto[3789]: | concluding with best_match=6 best=0x80fe4f0 (lineno=1)
Sep  5 16:03:25 host01 pluto[3789]: | our client is subnet 10.102.0.0/16
Sep  5 16:03:25 host01 pluto[3789]: | our client protocol/port is 0/0
Sep  5 16:03:25 host01 pluto[3789]: | peer client is subnet 192.168.0.0/16
Sep  5 16:03:25 host01 pluto[3789]: | peer client protocol/port is 0/0
Sep  5 16:03:25 host01 pluto[3789]: | compute_proto_keymat:needed_len (after ESP enc)=24
Sep  5 16:03:25 host01 pluto[3789]: | compute_proto_keymat:needed_len (after ESP auth)=44
Sep  5 16:03:25 host01 pluto[3789]: | install_ipsec_sa() for #2: inbound and outbound
Sep  5 16:03:25 host01 pluto[3789]: | route owner of "somedomain" prospective erouted: self; eroute owner: self
Sep  5 16:03:25 host01 pluto[3789]: | could_route called for somedomain (kind=CK_PERMANENT)
Sep  5 16:03:25 host01 pluto[3789]: | add inbound eroute 192.168.0.0/16:0 --0-> 10.102.0.0/16:0 => tun.10000@172.16.21.57 (raw_eroute)
Sep  5 16:03:25 host01 pluto[3789]: | sr for #2: prospective erouted
Sep  5 16:03:25 host01 pluto[3789]: | route owner of "somedomain" prospective erouted: self; eroute owner: self
Sep  5 16:03:25 host01 pluto[3789]: | eroute_connection replace eroute 10.102.0.0/16:0 --0-> 192.168.0.0/16:0 => tun.0@172.16.61.87 (raw_eroute)
Sep  5 16:03:25 host01 pluto[3789]: | command executing up-client
Sep  5 16:03:25 host01 pluto[3789]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='somedomain' PLUTO_NEXT_HOP='172.16.21.1' PLUTO_INTERFACE='eth1' PLUTO_ME='172.16.21.57' PLUTO_MY_ID='172.16.21.57' PLUTO_MY_CLIENT='10.102.0.0/16' PLUTO_MY_CLIENT_NET='10.102.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='172.16.61.87' PLUTO_PEER_ID='172.16.61.87' PLUTO_PEER_CLIENT='192.168.0.0/16' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.255.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP'   ipsec _updown
Sep  5 16:03:25 host01 pluto[3789]: | route_and_eroute: firewall_notified: true
Sep  5 16:03:25 host01 pluto[3789]: | route_and_eroute: instance "somedomain", setting eroute_owner {spd=0x80fde44,sr=0x80fde44} to #2 (was #0) (newest_ipsec_sa=#0)
Sep  5 16:03:25 host01 pluto[3789]: | complete state transition with STF_OK
Sep  5 16:03:25 host01 pluto[3789]: "somedomain" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep  5 16:03:25 host01 pluto[3789]: | sending reply packet to 172.16.61.87:500 (from port=500)
Sep  5 16:03:25 host01 pluto[3789]: | sending 52 bytes for STATE_QUICK_I1 through eth1:500 to 172.16.61.87:500:
Sep  5 16:03:25 host01 pluto[3789]: | inserting event EVENT_SA_REPLACE, timeout in 27911 seconds for #2
Sep  5 16:03:25 host01 pluto[3789]: "somedomain" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0c6df033 <0x1b9a4a3d xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Sep  5 16:03:25 host01 pluto[3789]: | modecfg pull: noquirk policy:push not-client
Sep  5 16:03:25 host01 pluto[3789]: | phase 1 is done, looking for phase 1 to unpend
Sep  5 16:03:25 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 117 seconds
Sep  5 16:05:22 host01 pluto[3789]: |
Sep  5 16:05:22 host01 pluto[3789]: | *time to handle event
Sep  5 16:05:22 host01 pluto[3789]: | handling event EVENT_PENDING_PHASE2
Sep  5 16:05:22 host01 pluto[3789]: | event after this is EVENT_SA_REPLACE in 2702 seconds
Sep  5 16:05:22 host01 pluto[3789]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
Sep  5 16:05:22 host01 pluto[3789]: | pending review: connection "somedomain" checked
Sep  5 16:05:22 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 120 seconds
Sep  5 16:05:24 host01 pluto[3789]: |
Sep  5 16:05:24 host01 pluto[3789]: | *received whack message
Sep  5 16:05:24 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 118 seconds
Sep  5 16:05:25 host01 pluto[3789]: |
Sep  5 16:05:25 host01 pluto[3789]: | *received whack message
Sep  5 16:05:25 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 117 seconds
Sep  5 16:05:26 host01 pluto[3789]: |
Sep  5 16:05:26 host01 pluto[3789]: | *received whack message
Sep  5 16:05:26 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 116 seconds
Sep  5 16:07:22 host01 pluto[3789]: |
Sep  5 16:07:22 host01 pluto[3789]: | *time to handle event
Sep  5 16:07:22 host01 pluto[3789]: | handling event EVENT_PENDING_PHASE2
Sep  5 16:07:22 host01 pluto[3789]: | event after this is EVENT_SA_REPLACE in 2582 seconds
Sep  5 16:07:22 host01 pluto[3789]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
Sep  5 16:07:22 host01 pluto[3789]: | pending review: connection "somedomain" checked
Sep  5 16:07:22 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 120 seconds
Sep  5 16:07:24 host01 pluto[3789]: |
Sep  5 16:07:24 host01 pluto[3789]: | *received whack message
Sep  5 16:07:24 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 118 seconds
Sep  5 16:07:25 host01 pluto[3789]: |
Sep  5 16:07:25 host01 pluto[3789]: | *received whack message
Sep  5 16:07:25 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 117 seconds
Sep  5 16:07:26 host01 pluto[3789]: |
Sep  5 16:07:26 host01 pluto[3789]: | *received whack message
Sep  5 16:07:26 host01 pluto[3789]: | next event EVENT_PENDING_PHASE2 in 116 seconds
+ _________________________ date
+
+ date
Wed Sep  5 16:07:28 EDT 2007
root@host01:~#
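The pluto debug output above records three things worth pulling out of any `ipsec barf` before debugging the data path: the ESP SA that was established (SPIs and algorithms), the eroutes (kernel policies) pluto installed, and the PLUTO_* environment it handed to `_updown`. The following parser is an added example, not code from the original post or from Openswan; it reads those lines, cross-checks the eroute selectors against PLUTO_MY_CLIENT / PLUTO_PEER_CLIENT and the connection policy flags, and reports a finding when anything disagrees or when a legacy algorithm (3DES, MODP1024) was negotiated. The sample input is a constructed subset of the posted log, with the wrapped lines re-joined and the archive's " at " restored to "@"; the function names and the finding strings are this example's own.

```python
"""Parse pluto (Openswan) debug log lines and cross-check what was installed.

Added example, not part of the original post or of Openswan.  The sample
input below is a constructed subset of the posted ``ipsec barf`` output.
"""
import re

# Constructed sample: lines copied from the posted pluto log (subset).
SAMPLE_LOG = """\
Sep  5 16:03:25 host01 pluto[3789]: |    transform ID: ESP_3DES
Sep  5 16:03:25 host01 pluto[3789]: |    [1 is ENCAPSULATION_MODE_TUNNEL]
Sep  5 16:03:25 host01 pluto[3789]: |    [2 is AUTH_ALGORITHM_HMAC_SHA1]
Sep  5 16:03:25 host01 pluto[3789]: |    [2 is OAKLEY_GROUP_MODP1024]
Sep  5 16:03:25 host01 pluto[3789]: | add inbound eroute 192.168.0.0/16:0 --0-> 10.102.0.0/16:0 => tun.10000@172.16.21.57 (raw_eroute)
Sep  5 16:03:25 host01 pluto[3789]: | eroute_connection replace eroute 10.102.0.0/16:0 --0-> 192.168.0.0/16:0 => tun.0@172.16.61.87 (raw_eroute)
Sep  5 16:03:25 host01 pluto[3789]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='somedomain' PLUTO_NEXT_HOP='172.16.21.1' PLUTO_INTERFACE='eth1' PLUTO_ME='172.16.21.57' PLUTO_MY_CLIENT='10.102.0.0/16' PLUTO_PEER='172.16.61.87' PLUTO_PEER_CLIENT='192.168.0.0/16' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP'   ipsec _updown
Sep  5 16:03:25 host01 pluto[3789]: "somedomain" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0c6df033 <0x1b9a4a3d xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
"""

# "IPsec SA established {ESP=>outbound_spi <inbound_spi xfrm=... NATD=... DPD=...}"
SA_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<state_no>\d+): .*IPsec SA established '
                   r'\{ESP=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+) '
                   r'xfrm=(?P<xfrm>\S+) NATD=(?P<natd>\S+) DPD=(?P<dpd>\S+)\}')
# "eroute SRC:port --proto-> DST:port => tun.N@peer"
EROUTE_RE = re.compile(r'eroute (?P<src>\S+) --(?P<proto>\d+)-> (?P<dst>\S+) => (?P<target>\S+)')
ENV_RE = re.compile(r"(PLUTO_\w+)='([^']*)'")
ATTR_RE = re.compile(r'\[\d+ is (\w+)\]')      # "[2 is OAKLEY_GROUP_MODP1024]"
LEGACY = ("3DES", "MODP1024")                  # flagged as legacy by current standards


def parse_sa(lines):
    """Return the established phase-2 SA as a dict, or None if none completed."""
    for line in lines:
        m = SA_RE.search(line)
        if m:
            sa = m.groupdict()
            sa["state_no"] = int(sa["state_no"])
            return sa
    return None


def parse_eroutes(lines):
    """Return the eroutes pluto installed, tagged 'in' or 'out'."""
    eroutes = []
    for line in lines:
        m = EROUTE_RE.search(line)
        if not m:
            continue
        er = m.groupdict()
        er["proto"] = int(er["proto"])
        # pluto logs the inbound policy as "add inbound eroute"; the outbound
        # one arrives via eroute_connection as "replace eroute".
        er["direction"] = "in" if "inbound eroute" in line else "out"
        eroutes.append(er)
    return eroutes


def parse_updown_env(lines):
    """Return the PLUTO_* variables passed to the up-client _updown run."""
    for line in lines:
        if "executing up-client" in line:
            return dict(ENV_RE.findall(line))
    return {}


def parse_attrs(lines):
    """Return the decoded IPsec DOI attribute names ("[n is NAME]" lines)."""
    return [m.group(1) for m in map(ATTR_RE.search, lines) if m]


def net(selector):
    """'10.102.0.0/16:0' -> '10.102.0.0/16' (drop the port field)."""
    return selector.rsplit(":", 1)[0]


def check(lines):
    """Cross-check SA, eroutes and _updown environment; return a list of findings."""
    sa, eroutes, env = parse_sa(lines), parse_eroutes(lines), parse_updown_env(lines)
    findings = []
    if sa is None:
        findings.append("no 'IPsec SA established' line: phase 2 never completed")
        return findings
    # Kernel selectors must match the clients _updown was told about, otherwise
    # routing/firewall hooks act on a different network than the IPsec policy.
    for er in eroutes:
        mine, peer = (er["dst"], er["src"]) if er["direction"] == "in" else (er["src"], er["dst"])
        if net(mine) != env.get("PLUTO_MY_CLIENT") or net(peer) != env.get("PLUTO_PEER_CLIENT"):
            findings.append(f"eroute {er['src']} -> {er['dst']} does not match _updown clients")
    if {"in", "out"} - {er["direction"] for er in eroutes}:
        findings.append("missing an inbound or outbound eroute")
    policy = set(env.get("PLUTO_CONN_POLICY", "").split("+"))
    for needed in ("ENCRYPT", "TUNNEL"):
        if needed not in policy:
            findings.append(f"connection policy lacks {needed}")
    negotiated = parse_attrs(lines) + sa["xfrm"].split("-")
    legacy = sorted({a for a in negotiated if any(l in a for l in LEGACY)})
    if legacy:
        findings.append("legacy algorithms negotiated: " + ", ".join(legacy))
    return findings


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    print(parse_sa(sample))
    for finding in check(sample):
        print("finding:", finding)
```

On the posted log this reports only the legacy-algorithm finding: the SA, both eroutes and the `_updown` clients all agree, which is consistent with the symptom described (negotiation and policy installation succeeded). What pluto's log cannot show is whether packets actually hit those policies; with the netkey stack that is checked on the kernel side with `ip xfrm state` and `ip xfrm policy`, not in pluto.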