[Openswan Users] Kernel/Openswan upgrade breaks VPN routing
Mark Wilson
mark at pkasystems.co.uk
Thu Aug 21 10:04:19 EDT 2008
Hi,
I have a working VPN using Openswan 2.4.4 with KLIPS on kernel 2.4.22. I
need to migrate it to a new machine running a 2.6.24 kernel, preferably
using NETKEY (the natpatch doesn't work). I built Openswan 2.6.16, ran
`ipsec setup start`, and the log looked as though a tunnel had been
established. I tried to ping an address at the other end but got no reply
(this works on the old setup). The admin at the other end says his logs
show the tunnel coming up, but that my pings arrive unencrypted, across the
public Internet rather than through the tunnel.
The ping is aimed at 195.171.138.10
There's a netgear adsl modem router at my end, with a DMZ entry pointing
at this Linux box.
Below is the `ipsec barf` output; any ideas?
nordfw
Thu Aug 21 13:33:27 BST 2008
+ _________________________ version
+ ipsec --version
Linux Openswan U2.6.16/K2.6.24.5-smp (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.24.5-smp (root at newfw) (gcc version 4.2.3) #1 SMP Tue Aug 12 16:10:09 BST 2008
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.254.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.254.254 0.0.0.0 UG 0 0 0 eth1
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ ip-xfrm-state
+ ip xfrm state
src 81.144.223.206 dst 192.168.254.1
proto esp spi 0x76a63c54 reqid 16389 mode tunnel
replay-window 32
auth hmac(md5) 0xea924fb80351af5c0086d67c905f7d92
enc cbc(des3_ede) 0x09f1be9125e0f811a1203a7baad571d421cc5d3ea0275157
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.254.1 dst 81.144.223.206
proto esp spi 0x36d02290 reqid 16389 mode tunnel
replay-window 32
auth hmac(md5) 0xa62bb775b03d82b73da4491467fe1e24
enc cbc(des3_ede) 0x1c7f76bcd391a87caad2e07d4ee14798411542030ab7af4c
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 81.144.223.206 dst 192.168.254.1
proto esp spi 0x7e65f3f6 reqid 16385 mode tunnel
replay-window 32
auth hmac(md5) 0xfa4b23aa880a45b87995a17b10fda161
enc cbc(des3_ede) 0xfc01e992821be621b48bc9a4bad56e4351bfcada95c164c2
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.254.1 dst 81.144.223.206
proto esp spi 0x7e72b4c1 reqid 16385 mode tunnel
replay-window 32
auth hmac(md5) 0xa18197c13d9fd2a3b0710054bf63506c
enc cbc(des3_ede) 0x98ad6029ba3cf1f7947b48feb050a809a1ae86a5f665d5f9
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 81.144.223.206 dst 192.168.254.1
proto esp spi 0x2eee5ad3 reqid 16401 mode tunnel
replay-window 32
auth hmac(md5) 0x62a6cc65c73871206b755c4198c089e5
enc cbc(des3_ede) 0x29d38d6db3c268a2a3b462ba1fda7a51d4aebff97ab60a89
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.254.1 dst 81.144.223.206
proto esp spi 0x163c3670 reqid 16401 mode tunnel
replay-window 32
auth hmac(md5) 0x617b6e56f9e83ce233768f08fa1f6fac
enc cbc(des3_ede) 0x87dbba19edcfcb529f75bd5cabb6f8419be35fdc278620ca
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 81.144.223.206 dst 192.168.254.1
proto esp spi 0x16fc2e82 reqid 16397 mode tunnel
replay-window 32
auth hmac(md5) 0xceb00c50fcd40fe9851768b60c2bda42
enc cbc(des3_ede) 0xc053537f5e5999ea1d0d71cd4997af4b36362d34f17e92a0
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.254.1 dst 81.144.223.206
proto esp spi 0x10eea774 reqid 16397 mode tunnel
replay-window 32
auth hmac(md5) 0x35ee7187d7e844e0bb1e5dc20e194265
enc cbc(des3_ede) 0x6f3faec3019a81914e69e25d838a5985457afa20b9cfe67a
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 81.144.223.206 dst 192.168.254.1
proto esp spi 0x949bbc0a reqid 16393 mode tunnel
replay-window 32
auth hmac(md5) 0x3263fa464fac01986cd54e6a4790d5ab
enc cbc(des3_ede) 0x205614ffba21e098bad325ff8cf3704e34613d326a97d9e0
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.254.1 dst 81.144.223.206
proto esp spi 0xf0cbe1ba reqid 16393 mode tunnel
replay-window 32
auth hmac(md5) 0x61e2df425438f3ec48e3c4c068c94572
enc cbc(des3_ede) 0x074c7960997ea1dead9e00bc878e19d21ffd26e645eb7d31
sel src 0.0.0.0/0 dst 0.0.0.0/0
+ _________________________ ip-xfrm-policy
+ ip xfrm policy
src 194.201.255.0/24 dst 192.168.254.1/32
dir in priority 2088
tmpl src 81.144.223.206 dst 192.168.254.1
proto esp reqid 16389 mode tunnel
src 195.171.138.0/24 dst 192.168.254.1/32
dir in priority 2088
tmpl src 81.144.223.206 dst 192.168.254.1
proto esp reqid 16385 mode tunnel
src 81.144.223.206/32 dst 192.168.254.1/32
dir in priority 2080
tmpl src 81.144.223.206 dst 192.168.254.1
proto esp reqid 16401 mode tunnel
src 193.129.243.92/32 dst 192.168.254.1/32
dir in priority 2080
tmpl src 81.144.223.206 dst 192.168.254.1
proto esp reqid 16397 mode tunnel
src 193.129.243.91/32 dst 192.168.254.1/32
dir in priority 2080
tmpl src 81.144.223.206 dst 192.168.254.1
proto esp reqid 16393 mode tunnel
src 192.168.254.1/32 dst 195.171.138.0/24
dir out priority 2088
tmpl src 192.168.254.1 dst 81.144.223.206
proto esp reqid 16385 mode tunnel
src 192.168.254.1/32 dst 194.201.255.0/24
dir out priority 2088
tmpl src 192.168.254.1 dst 81.144.223.206
proto esp reqid 16389 mode tunnel
src 192.168.254.1/32 dst 81.144.223.206/32
dir out priority 2080
tmpl src 192.168.254.1 dst 81.144.223.206
proto esp reqid 16401 mode tunnel
src 192.168.254.1/32 dst 193.129.243.92/32
dir out priority 2080
tmpl src 192.168.254.1 dst 81.144.223.206
proto esp reqid 16397 mode tunnel
src 192.168.254.1/32 dst 193.129.243.91/32
dir out priority 2080
tmpl src 192.168.254.1 dst 81.144.223.206
proto esp reqid 16393 mode tunnel
src 194.201.255.0/24 dst 192.168.254.1/32
dir fwd priority 2088
tmpl src 81.144.223.206 dst 192.168.254.1
proto esp reqid 16389 mode tunnel
src 195.171.138.0/24 dst 192.168.254.1/32
dir fwd priority 2088
tmpl src 81.144.223.206 dst 192.168.254.1
proto esp reqid 16385 mode tunnel
src 81.144.223.206/32 dst 192.168.254.1/32
dir fwd priority 2080
tmpl src 81.144.223.206 dst 192.168.254.1
proto esp reqid 16401 mode tunnel
src 193.129.243.92/32 dst 192.168.254.1/32
dir fwd priority 2080
tmpl src 81.144.223.206 dst 192.168.254.1
proto esp reqid 16397 mode tunnel
src 193.129.243.91/32 dst 192.168.254.1/32
dir fwd priority 2080
tmpl src 81.144.223.206 dst 192.168.254.1
proto esp reqid 16393 mode tunnel
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
+ _________________________ /proc/crypto
+ test -r /proc/crypto
+ cat /proc/crypto
name : cbc(twofish)
driver : cbc(twofish-i586)
module : kernel
priority : 200
refcnt : 1
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
name : cbc(camellia)
driver : cbc(camellia-generic)
module : kernel
priority : 100
refcnt : 1
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
name : cbc(serpent)
driver : cbc(serpent-generic)
module : kernel
priority : 0
refcnt : 1
type : blkcipher
blocksize : 16
min keysize : 0
max keysize : 32
ivsize : 16
name : cbc(aes)
driver : cbc(aes-i586)
module : kernel
priority : 200
refcnt : 1
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
name : cbc(blowfish)
driver : cbc(blowfish-generic)
module : kernel
priority : 0
refcnt : 1
type : blkcipher
blocksize : 8
min keysize : 4
max keysize : 56
ivsize : 8
name : cbc(des3_ede)
driver : cbc(des3_ede-generic)
module : kernel
priority : 0
refcnt : 11
type : blkcipher
blocksize : 8
min keysize : 24
max keysize : 24
ivsize : 8
name : cbc(des)
driver : cbc(des-generic)
module : kernel
priority : 0
refcnt : 1
type : blkcipher
blocksize : 8
min keysize : 8
max keysize : 8
ivsize : 8
name : ecb(cipher_null)
driver : ecb(cipher_null-generic)
module : kernel
priority : 0
refcnt : 1
type : blkcipher
blocksize : 1
min keysize : 0
max keysize : 0
ivsize : 0
name : xcbc(aes)
driver : xcbc(aes-i586)
module : kernel
priority : 200
refcnt : 1
type : hash
blocksize : 16
digestsize : 16
name : hmac(sha256)
driver : hmac(sha256-generic)
module : kernel
priority : 0
refcnt : 1
type : hash
blocksize : 64
digestsize : 32
name : hmac(sha1)
driver : hmac(sha1-generic)
module : kernel
priority : 0
refcnt : 1
type : hash
blocksize : 64
digestsize : 20
name : hmac(md5)
driver : hmac(md5-generic)
module : kernel
priority : 0
refcnt : 11
type : hash
blocksize : 64
digestsize : 16
name : hmac(digest_null)
driver : hmac(digest_null-generic)
module : kernel
priority : 0
refcnt : 1
type : hash
blocksize : 1
digestsize : 0
name : crc32c
driver : crc32c-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 32
digestsize : 4
name : michael_mic
driver : michael_mic-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 8
digestsize : 8
name : deflate
driver : deflate-generic
module : kernel
priority : 0
refcnt : 1
type : compression
name : seed
driver : seed-generic
module : kernel
priority : 100
refcnt : 1
type : cipher
blocksize : 16
min keysize : 16
max keysize : 16
name : anubis
driver : anubis-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 16
min keysize : 16
max keysize : 40
name : khazad
driver : khazad-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 8
min keysize : 16
max keysize : 16
name : xeta
driver : xeta-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 8
min keysize : 16
max keysize : 16
name : xtea
driver : xtea-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 8
min keysize : 16
max keysize : 16
name : tea
driver : tea-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 8
min keysize : 16
max keysize : 16
name : arc4
driver : arc4-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 1
min keysize : 1
max keysize : 256
name : cast6
driver : cast6-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : cast5
driver : cast5-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 8
min keysize : 5
max keysize : 16
name : camellia
driver : camellia-generic
module : kernel
priority : 100
refcnt : 1
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : aes
driver : aes-generic
module : kernel
priority : 100
refcnt : 1
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : tnepres
driver : tnepres-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 16
min keysize : 0
max keysize : 32
name : serpent
driver : serpent-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 16
min keysize : 0
max keysize : 32
name : twofish
driver : twofish-generic
module : kernel
priority : 100
refcnt : 1
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : blowfish
driver : blowfish-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 8
min keysize : 4
max keysize : 56
name : fcrypt
driver : fcrypt-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 8
min keysize : 8
max keysize : 8
name : des3_ede
driver : des3_ede-generic
module : kernel
priority : 0
refcnt : 11
type : cipher
blocksize : 8
min keysize : 24
max keysize : 24
name : des
driver : des-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 8
min keysize : 8
max keysize : 8
name : tgr128
driver : tgr128-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 64
digestsize : 16
name : tgr160
driver : tgr160-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 64
digestsize : 20
name : tgr192
driver : tgr192-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 64
digestsize : 24
name : wp256
driver : wp256-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 64
digestsize : 32
name : wp384
driver : wp384-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 64
digestsize : 48
name : wp512
driver : wp512-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 64
digestsize : 64
name : sha512
driver : sha512-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 128
digestsize : 64
name : sha384
driver : sha384-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 128
digestsize : 48
name : sha256
driver : sha256-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 64
digestsize : 32
name : sha1
driver : sha1-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 64
digestsize : 20
name : md5
driver : md5-generic
module : kernel
priority : 0
refcnt : 11
type : digest
blocksize : 64
digestsize : 16
name : md4
driver : md4-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 64
digestsize : 16
name : compress_null
driver : compress_null-generic
module : kernel
priority : 0
refcnt : 1
type : compression
name : digest_null
driver : digest_null-generic
module : kernel
priority : 0
refcnt : 1
type : digest
blocksize : 1
digestsize : 0
name : cipher_null
driver : cipher_null-generic
module : kernel
priority : 0
refcnt : 1
type : cipher
blocksize : 1
min keysize : 0
max keysize : 0
name : twofish
driver : twofish-i586
module : kernel
priority : 200
refcnt : 1
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : aes
driver : aes-i586
module : kernel
priority : 200
refcnt : 1
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
+ __________________________/proc/sys/net/core/xfrm-star
/usr/local/libexec/ipsec/barf: line 191: __________________________/proc/sys/net/core/xfrm-star: No such file or directory
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_acq_expires: '
/proc/sys/net/core/xfrm_acq_expires: + cat /proc/sys/net/core/xfrm_acq_expires
30
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_aevent_etime: '
/proc/sys/net/core/xfrm_aevent_etime: + cat /proc/sys/net/core/xfrm_aevent_etime
10
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_aevent_rseqth: '
/proc/sys/net/core/xfrm_aevent_rseqth: + cat /proc/sys/net/core/xfrm_aevent_rseqth
2
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_larval_drop: '
/proc/sys/net/core/xfrm_larval_drop: + cat /proc/sys/net/core/xfrm_larval_drop
0
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.254
000 interface eth0/eth0 192.168.1.254
000 interface eth1/eth1 192.168.254.1
000 interface eth1/eth1 192.168.254.1
000 interface eth1/eth1 82.133.95.225
000 interface eth1/eth1 82.133.95.225
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,10,36} trans={0,10,840} attrs={0,10,1120}
000
000 "cns": 192.168.254.1[82.133.95.225,+S=C]...81.144.223.206<81.144.223.206>[+S=C]; erouted; eroute owner: #2
000 "cns": myip=unset; hisip=unset;
000 "cns": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 300s; rekey_fuzz: 0%; keyingtries: 3
000 "cns": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth1;
000 "cns": newest ISAKMP SA: #0; newest IPsec SA: #2;
000 "cns": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict
000 "cns": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_096-5, 3DES_CBC(5)_192-MD5(1)_096-2,
000 "cns": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "cns": ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
000 "cns": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000 "lpd-mcp-lpd": 192.168.254.1[82.133.95.225,+S=C]...81.144.223.206<81.144.223.206>[+S=C]===193.129.243.91/32; erouted; eroute owner: #4
000 "lpd-mcp-lpd": myip=unset; hisip=unset;
000 "lpd-mcp-lpd": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 300s; rekey_fuzz: 0%; keyingtries: 3
000 "lpd-mcp-lpd": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth1;
000 "lpd-mcp-lpd": newest ISAKMP SA: #0; newest IPsec SA: #4;
000 "lpd-mcp-lpd": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict
000 "lpd-mcp-lpd": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_096-5, 3DES_CBC(5)_192-MD5(1)_096-2,
000 "lpd-mcp-lpd": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "lpd-mcp-lpd": ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
000 "lpd-mcp-lpd": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000 "lpd2-mcp-lpd2": 192.168.254.1[82.133.95.225,+S=C]...81.144.223.206<81.144.223.206>[+S=C]===193.129.243.92/32; erouted; eroute owner: #3
000 "lpd2-mcp-lpd2": myip=unset; hisip=unset;
000 "lpd2-mcp-lpd2": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 300s; rekey_fuzz: 0%; keyingtries: 3
000 "lpd2-mcp-lpd2": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth1;
000 "lpd2-mcp-lpd2": newest ISAKMP SA: #0; newest IPsec SA: #3;
000 "lpd2-mcp-lpd2": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict
000 "lpd2-mcp-lpd2": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_096-5, 3DES_CBC(5)_192-MD5(1)_096-2,
000 "lpd2-mcp-lpd2": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "lpd2-mcp-lpd2": ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
000 "lpd2-mcp-lpd2": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000 "net-cns-net": 192.168.254.1[82.133.95.225,+S=C]...81.144.223.206<81.144.223.206>[+S=C]===195.171.138.0/24; erouted; eroute owner: #6
000 "net-cns-net": myip=unset; hisip=unset;
000 "net-cns-net": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 300s; rekey_fuzz: 0%; keyingtries: 3
000 "net-cns-net": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,24; interface: eth1;
000 "net-cns-net": newest ISAKMP SA: #1; newest IPsec SA: #6;
000 "net-cns-net": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict
000 "net-cns-net": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_096-5, 3DES_CBC(5)_192-MD5(1)_096-2,
000 "net-cns-net": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "net-cns-net": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "net-cns-net": ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
000 "net-cns-net": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000 "net-mcp-net": 192.168.254.1[82.133.95.225,+S=C]...81.144.223.206<81.144.223.206>[+S=C]===194.201.255.0/24; erouted; eroute owner: #5
000 "net-mcp-net": myip=unset; hisip=unset;
000 "net-mcp-net": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 300s; rekey_fuzz: 0%; keyingtries: 3
000 "net-mcp-net": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,24; interface: eth1;
000 "net-mcp-net": newest ISAKMP SA: #0; newest IPsec SA: #5;
000 "net-mcp-net": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict
000 "net-mcp-net": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_096-5, 3DES_CBC(5)_192-MD5(1)_096-2,
000 "net-mcp-net": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "net-mcp-net": ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
000 "net-mcp-net": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000
000 #2: "cns":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3152s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "cns" esp.163c3670 at 81.144.223.206 esp.2eee5ad3 at 192.168.254.1 tun.0 at 81.144.223.206 tun.0 at 192.168.254.1 ref=0 refhim=4294901761
000 #4: "lpd-mcp-lpd":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3152s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #4: "lpd-mcp-lpd" esp.f0cbe1ba at 81.144.223.206 esp.949bbc0a at 192.168.254.1 tun.0 at 81.144.223.206 tun.0 at 192.168.254.1 ref=0 refhim=4294901761
000 #3: "lpd2-mcp-lpd2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3152s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "lpd2-mcp-lpd2" esp.10eea774 at 81.144.223.206 esp.16fc2e82 at 192.168.254.1 tun.0 at 81.144.223.206 tun.0 at 192.168.254.1 ref=0 refhim=4294901761
000 #6: "net-cns-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3152s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #6: "net-cns-net" esp.7e72b4c1 at 81.144.223.206 esp.7e65f3f6 at 192.168.254.1 tun.0 at 81.144.223.206 tun.0 at 192.168.254.1 ref=0 refhim=4294901761
000 #1: "net-cns-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 28352s; newest ISAKMP; nodpd; idle; import:admin initiate
000 #5: "net-mcp-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3152s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #5: "net-mcp-net" esp.36d02290 at 81.144.223.206 esp.76a63c54 at 192.168.254.1 tun.0 at 81.144.223.206 tun.0 at 192.168.254.1 ref=0 refhim=4294901761
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:1c:25:6c:4a:c2
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21c:25ff:fe6c:4ac2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:152699 errors:0 dropped:0 overruns:0 frame:0
TX packets:33142 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26610609 (25.3 MiB) TX bytes:5701480 (5.4 MiB)
Interrupt:22 Base address:0x6800
eth1 Link encap:Ethernet HWaddr 00:50:fc:72:52:c4
inet addr:192.168.254.1 Bcast:192.168.254.255 Mask:255.255.255.0
inet6 addr: fe80::250:fcff:fe72:52c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15391 errors:0 dropped:0 overruns:0 frame:0
TX packets:8305 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2005128 (1.9 MiB) TX bytes:1650293 (1.5 MiB)
Interrupt:17 Base address:0xe800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:71 errors:0 dropped:0 overruns:0 frame:0
TX packets:71 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11408 (11.1 KiB) TX bytes:11408 (11.1 KiB)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:1c:25:6c:4a:c2 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
inet6 fe80::21c:25ff:fe6c:4ac2/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:fc:72:52:c4 brd ff:ff:ff:ff:ff:ff
inet 192.168.254.1/24 brd 192.168.254.255 scope global eth1
inet 82.133.95.225/32 brd 192.168.254.255 scope global eth1
inet6 fe80::250:fcff:fe72:52c4/64 scope link
valid_lft forever preferred_lft forever
+ _________________________ ip-route-list
+ ip route list
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
192.168.254.0/24 dev eth1 proto kernel scope link src 192.168.254.1
127.0.0.0/8 dev lo scope link
default via 192.168.254.254 dev eth1 metric 1
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.16/K2.6.24.5-smp (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD flow-control, link ok
product info: vendor 00:07:32, model 17 rev 2
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
nordfw.nordsea.net
+ _________________________ hostname/ipaddress
+ hostname --ip-address
192.168.1.254
+ _________________________ uptime
+ uptime
13:33:27 up 2 days, 19:02, 2 users, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 29747 27971 20 0 2988 1536 - S+ pts/0 0:00 \_ /bin/sh /usr/local/libexec/ipsec/barf
1 0 29827 29747 20 0 2988 792 - R+ pts/0 0:00 \_ /bin/sh /usr/local/libexec/ipsec/barf
1 0 29377 1 20 0 2568 480 - S pts/0 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive --disable_port_floating no --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
1 0 29378 29377 20 0 2568 624 - S pts/0 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive --disable_port_floating no --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
4 0 29379 29378 20 0 3088 1440 - S pts/0 0:00 | \_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal
1 0 29383 29379 30 10 3080 656 - SN pts/0 0:00 | \_ pluto helper # 0
0 0 29382 29377 20 0 2532 1212 - S pts/0 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0 0 29380 1 20 0 1688 532 - S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth1
routevirt=none
routeaddr=192.168.254.1
routenexthop=192.168.254.254
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# The IPsec interface is taken from the default route; "ipsec showdefaults"
# further down reports routephys=eth1, routeaddr=192.168.254.1.
interfaces=%defaultroute
# Native 2.6 xfrm stack; "ipsec auto --status" confirms
# "using kernel interface: netkey".
protostack=netkey
# NAT traversal on; pluto is started with --nat_traversal (see the ps listing).
nat_traversal=yes
# uniqueids=no
# interfaces="ipsec0=eth1"
# Add connections here
conn %default
# Inherited by every conn below; each loaded conn reports "keyingtries: 3"
# in the status output.
keyingtries=3
conn net-cns-net
# Everything except the remote subnet (including auto=start) comes from
# conn cns. This is the conn covering the 195.171.138.10 ping target;
# status shows it erouted, eroute owner #6.
also=cns
rightsubnet=195.171.138.0/24
conn net-mcp-net
# Inherits conn cns; only the remote subnet differs. Status shows it
# erouted, eroute owner #5.
also=cns
rightsubnet=194.201.255.0/24
conn lpd-mcp-lpd
# Inherits conn cns; single remote host. Status shows it erouted,
# eroute owner #4.
also=cns
rightsubnet=193.129.243.91/32
conn lpd2-mcp-lpd2
# Inherits conn cns; single remote host. Status shows it erouted,
# eroute owner #3.
also=cns
rightsubnet=193.129.243.92/32
#conn net-ewt-net
# also=ewt
# rightsubnet=192.168.0.0/24
## rightid=192.168.0.199
conn cns
type=tunnel
rekeyfuzz=0%
rekeymargin=5m
authby=secret
auth=esp
ikelifetime=8h
keylife=1h
keyexchange=ike
esp=3des-md5-96
ike=3des-md5-96
pfs=no
forceencaps=yes
left=%defaultroute
leftid=82.133.95.225
right=81.144.223.206
auto=start
## leftsubnet=192.168.254.0/24
## leftsourceip=82.133.95.225
## leftsubnet=82.133.95.225/32
##mw 250106## leftid=@nolltd.gotadsl.co.uk
conn fsmdov
type=tunnel
rekeyfuzz=0%
rekeymargin=5m
authby=secret
auth=esp
ikelifetime=8h
keylife=1h
keyexchange=ike
esp=3des-md5-96
ike=3des-md5-96
pfs=no
left=%defaultroute
leftsubnet=82.133.95.225/32
right=62.3.234.215
rightsubnet=192.168.253.0/24
## auto=start
#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 88
###############################################################################
###############################################################################
#vvvvvvvv Below are test configs ONLY vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
###############################################################################
###############################################################################
conn pkasys-mw
type=tunnel
rekeyfuzz=0%
rekeymargin=5m
authby=secret
auth=esp
ikelifetime=8h
keylife=1h
keyexchange=ike
esp=3des-md5-96
ike=3des-md5-96
pfs=no
left=%defaultroute
leftsubnet=82.133.95.225/32
right=62.3.238.183
rightid="@p4xp"
## auto=start
conn pkasys
#
authby=secret
pfs=no
rekey=no
keyingtries=3
#
# ----------------------------------------------------------
# The VPN server.
#
# Allow incoming connections on the external network interface.
# If you want to use a different interface or if there is no
# defaultroute, you can use: left=your.ip.addr.ess
#
left=%defaultroute
#
leftprotoport=17/1701
# If you insist on supporting non-updated Windows clients,
# you can use: leftprotoport=17/%any
#
# ----------------------------------------------------------
# The remote user(s).
#
# Allow incoming connections only from this IP address.
right=62.3.238.183
# If you want to allow multiple connections from any IP address,
# you can use: right=%any
#
rightprotoport=17/%any
#
# ----------------------------------------------------------
# Change 'ignore' to 'add' to enable this configuration.
#
auto=ignore
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
82.133.95.225 81.144.223.206: PSK "[sums to 86cc...]"
@nolltd.gotadsl.co.uk 81.144.223.206: PSK "[sums to 86cc...]"
192.168.254.1 81.144.223.206: PSK "[sums to 86cc...]"
192.168.254.2 81.144.223.206: PSK "[sums to 86cc...]"
## ^^ mw - 25-Jan-06 - will this work??? ^^^
## ^^ something did.
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000 4: PSK 81.144.223.206 192.168.254.2
000 3: PSK 81.144.223.206 192.168.254.1
000 2: PSK 81.144.223.206 @nolltd.gotadsl.co.uk
000 1: PSK 81.144.223.206 82.133.95.225
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 260
-rwxr-xr-x 1 root root 15848 Aug 12 16:52 _confread
-rwxr-xr-x 1 root root 12785 Aug 20 15:49 _copyright
-rwxr-xr-x 1 root root 14297 Aug 12 16:52 _copyright.old
-rwxr-xr-x 1 root root 2379 Aug 20 15:49 _include
-rwxr-xr-x 1 root root 2379 Aug 12 16:52 _include.old
-rwxr-xr-x 1 root root 1475 Aug 20 15:49 _keycensor
-rwxr-xr-x 1 root root 1475 Aug 12 16:52 _keycensor.old
-rwxr-xr-x 1 root root 2632 Aug 20 15:49 _plutoload
-rwxr-xr-x 1 root root 3648 Aug 12 16:52 _plutoload.old
-rwxr-xr-x 1 root root 7635 Aug 20 15:49 _plutorun
-rwxr-xr-x 1 root root 8069 Aug 12 16:52 _plutorun.old
-rwxr-xr-x 1 root root 12863 Aug 20 15:49 _realsetup
-rwxr-xr-x 1 root root 12324 Aug 12 16:52 _realsetup.old
-rwxr-xr-x 1 root root 1975 Aug 20 15:49 _secretcensor
-rwxr-xr-x 1 root root 1975 Aug 12 16:52 _secretcensor.old
-rwxr-xr-x 1 root root 8119 Aug 20 15:49 _startklips
-rwxr-xr-x 1 root root 8119 Aug 20 15:49 _startklips.old
-rwxr-xr-x 1 root root 5773 Aug 20 15:49 _startnetkey
-rwxr-xr-x 1 root root 4886 Aug 20 15:49 _updown
-rwxr-xr-x 1 root root 14030 Aug 20 15:49 _updown.klips
-rwxr-xr-x 1 root root 14030 Aug 20 15:49 _updown.klips.old
-rwxr-xr-x 1 root root 11798 Aug 20 15:49 _updown.mast
-rwxr-xr-x 1 root root 11798 Aug 20 15:49 _updown.mast.old
-rwxr-xr-x 1 root root 8534 Aug 20 15:49 _updown.netkey
-rwxr-xr-x 1 root root 13918 Aug 12 16:52 _updown.old
-rwxr-xr-x 1 root root 15746 Aug 12 16:52 _updown_x509
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 9052
-rwxr-xr-x 1 root root 28513 Aug 12 16:52 _pluto_adns
-rwxr-xr-x 1 root root 394624 Aug 20 15:49 addconn
-rwxr-xr-x 1 root root 6129 Aug 20 15:49 auto
-rwxr-xr-x 1 root root 18891 Aug 12 16:52 auto.old
-rwxr-xr-x 1 root root 10758 Aug 20 15:49 barf
-rwxr-xr-x 1 root root 11367 Aug 12 16:52 barf.old
-rwxr-xr-x 1 root root 816 Aug 12 16:52 calcgoo
-rwxr-xr-x 1 root root 175196 Aug 20 15:49 eroute
-rwxr-xr-x 1 root root 200133 Aug 12 16:52 eroute.old
-rwxr-xr-x 1 root root 50978 Aug 20 15:49 ikeping
-rwxr-xr-x 1 root root 65213 Aug 12 16:52 ikeping.old
-rwxr-xr-x 1 root root 115366 Aug 20 15:49 klipsdebug
-rwxr-xr-x 1 root root 129923 Aug 12 16:52 klipsdebug.old
-rwxr-xr-x 1 root root 1836 Aug 20 15:49 livetest
-rwxr-xr-x 1 root root 1836 Aug 12 16:52 livetest.old
-rwxr-xr-x 1 root root 2591 Aug 20 15:49 look
-rwxr-xr-x 1 root root 2604 Aug 12 16:52 look.old
-rwxr-xr-x 1 root root 845118 Aug 20 15:49 lwdnsq
-rwxr-xr-x 1 root root 7094 Aug 12 16:52 mailkey
-rwxr-xr-x 1 root root 16015 Aug 12 16:52 manual
-rwxr-xr-x 1 root root 1921 Aug 20 15:49 newhostkey
-rwxr-xr-x 1 root root 1951 Aug 12 16:52 newhostkey.old
-rwxr-xr-x 1 root root 110624 Aug 20 15:49 pf_key
-rwxr-xr-x 1 root root 115320 Aug 12 16:52 pf_key.old
-rwxr-xr-x 1 root root 2831623 Aug 20 15:49 pluto
-rwxr-xr-x 1 root root 1915910 Aug 12 16:52 pluto.old
-rwxr-xr-x 1 root root 17518 Aug 20 15:49 ranbits
-rwxr-xr-x 1 root root 21198 Aug 12 16:52 ranbits.old
-rwxr-xr-x 1 root root 38193 Aug 20 15:49 rsasigkey
-rwxr-xr-x 1 root root 50657 Aug 12 16:52 rsasigkey.old
-rwxr-xr-x 1 root root 766 Aug 20 15:49 secrets
-rwxr-xr-x 1 root root 766 Aug 12 16:52 secrets.old
lrwxrwxrwx 1 root root 22 Aug 20 15:49 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Aug 20 15:49 showdefaults
-rwxr-xr-x 1 root root 1054 Aug 12 16:52 showdefaults.old
-rwxr-xr-x 1 root root 439597 Aug 20 15:49 showhostkey
-rwxr-xr-x 1 root root 4845 Aug 12 16:52 showhostkey.old
-rwxr-xr-x 1 root root 63990 Aug 20 15:49 showpolicy
-rwxr-xr-x 1 root root 286306 Aug 20 15:49 spi
-rwxr-xr-x 1 root root 325527 Aug 12 16:52 spi.old
-rwxr-xr-x 1 root root 149896 Aug 20 15:49 spigrp
-rwxr-xr-x 1 root root 165100 Aug 12 16:52 spigrp.old
-rwxr-xr-x 1 root root 129305 Aug 20 15:49 tncfg
-rwxr-xr-x 1 root root 24264 Aug 12 16:52 tncfg.old
-rwxr-xr-x 1 root root 13026 Aug 20 15:49 verify
-rwxr-xr-x 1 root root 13530 Aug 12 16:52 verify.old
-rwxr-xr-x 1 root root 112187 Aug 20 15:49 whack
-rwxr-xr-x 1 root root 159252 Aug 12 16:52 whack.old
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 11408 71 0 0 0 0 0 0 11408 71 0 0 0 0 0 0
eth0:26610609 152699 0 0 0 0 0 0 5701540 33143 0 0 0 0 0 0
eth1: 2005188 15392 0 0 0 0 0 0 1650293 8305 0 0 0 0 0 0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 0001A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth1 00FEA8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0
eth1 00000000 FEFEA8C0 0003 0 0 1 00000000 0 0 0
+ _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
+ cat /proc/sys/net/ipv4/ip_no_pmtu_disc
0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:0
default/accept_redirects:0
default/secure_redirects:1
default/send_redirects:0
eth0/accept_redirects:0
eth0/secure_redirects:1
eth0/send_redirects:0
eth1/accept_redirects:0
eth1/secure_redirects:1
eth1/send_redirects:0
lo/accept_redirects:0
lo/secure_redirects:1
lo/send_redirects:0
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+ uname -a
Linux nordfw 2.6.24.5-smp #1 SMP Tue Aug 12 16:10:09 BST 2008 i686 Intel(R) Pentium(R) Dual CPU E2200 @ 2.20GHz GenuineIntel GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ distro-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/redhat-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/debian-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/SuSE-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/mandrake-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/mandriva-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.24.5-smp) support detected '
NETKEY (2.6.24.5-smp) support detected
+ _________________________ iptables
+ test -r /sbin/iptables
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
ipcomp6 9992 0 - Live 0xf8cf6000
ipcomp 9608 0 - Live 0xf8afb000
ah6 9600 0 - Live 0xf8ced000
ah4 8704 0 - Live 0xf8ce9000
esp6 9856 0 - Live 0xf8ce5000
esp4 9728 10 - Live 0xf8ce1000
xfrm4_mode_beet 6272 0 - Live 0xf8cd2000
xfrm4_tunnel 6272 0 - Live 0xf8ccf000
xfrm4_mode_tunnel 6272 20 - Live 0xf8ccc000
xfrm4_mode_transport 5632 0 - Live 0xf8cb2000
xfrm6_mode_transport 5760 0 - Live 0xf8caf000
xfrm6_mode_ro 5504 0 - Live 0xf8b72000
xfrm6_mode_beet 5888 0 - Live 0xf8b4d000
xfrm6_mode_tunnel 6272 0 - Live 0xf8b4a000
af_key 33808 0 - Live 0xf8cd7000
xfrm6_tunnel 10016 1 ipcomp6, Live 0xf8cb8000
tunnel6 6792 1 xfrm6_tunnel, Live 0xf8aff000
tun 12160 0 - Live 0xf8ca2000
ipt_REJECT 7552 1 - Live 0xf8ca9000
xt_state 5888 45 - Live 0xf8cb5000
xt_tcpudp 6912 92 - Live 0xf8ca6000
iptable_nat 9860 1 - Live 0xf8b56000
nf_nat 19500 1 iptable_nat, Live 0xf8c87000
iptable_filter 6272 1 - Live 0xf8b7c000
ip_tables 14788 2 iptable_nat,iptable_filter, Live 0xf8c8d000
x_tables 14980 5 ipt_REJECT,xt_state,xt_tcpudp,iptable_nat,ip_tables, Live 0xf8a7b000
nf_conntrack_ftp 10912 0 - Live 0xf8b52000
nf_conntrack_ipv4 17032 47 iptable_nat, Live 0xf8c81000
nf_conntrack 53440 5 xt_state,iptable_nat,nf_nat,nf_conntrack_ftp,nf_conntrack_ipv4, Live 0xf8c93000
tunnel4 6792 1 xfrm4_tunnel, Live 0xf8a71000
geode_aes 8968 0 - Live 0xf8aae000
snd_seq_dummy 6660 0 - Live 0xf8a35000
snd_seq_oss 32896 0 - Live 0xf8b68000
snd_seq_midi_event 10112 1 snd_seq_oss, Live 0xf8aaa000
snd_seq 50256 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event, Live 0xf8b5a000
snd_seq_device 10380 3 snd_seq_dummy,snd_seq_oss,snd_seq, Live 0xf884a000
snd_pcm_oss 40352 0 - Live 0xf8a85000
snd_mixer_oss 17920 1 snd_pcm_oss, Live 0xf8aa4000
ipv6 234724 32 ipcomp6,ah6,esp6,xfrm6_mode_beet,xfrm6_tunnel,tunnel6, Live 0xf8ac0000
lp 13348 0 - Live 0xf8874000
fuse 45588 1 - Live 0xf8ab3000
snd_hda_intel 289052 0 - Live 0xf8b02000
snd_pcm 72068 2 snd_pcm_oss,snd_hda_intel, Live 0xf8a91000
snd_timer 22532 2 snd_seq,snd_pcm, Live 0xf8a74000
thermal 16540 0 - Live 0xf8a5b000
serio_raw 9092 0 - Live 0xf8a57000
i2c_i801 11792 0 - Live 0xf8a53000
button 10000 0 - Live 0xf8a45000
snd_page_alloc 11528 2 snd_hda_intel,snd_pcm, Live 0xf8a41000
psmouse 40336 0 - Live 0xf8a61000
rtc_cmos 11040 0 - Live 0xf8a31000
intel_agp 25236 1 - Live 0xf8a4b000
snd_hwdep 10756 1 snd_hda_intel, Live 0xf8a2d000
processor 32680 1 thermal, Live 0xf8a38000
evdev 12672 3 - Live 0xf8879000
rtc_core 18696 1 rtc_cmos, Live 0xf8a27000
i2c_core 22528 1 i2c_i801, Live 0xf8a09000
rtc_lib 6528 1 rtc_core, Live 0xf8852000
agpgart 30664 1 intel_agp, Live 0xf8a1e000
8139too 25600 0 - Live 0xf8a01000
snd 47716 9 snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_hda_intel,snd_pcm,snd_timer,snd_hwdep, Live 0xf8a11000
soundcore 9824 1 snd, Live 0xf8870000
mii 8448 1 8139too, Live 0xf884e000
sg 30224 0 - Live 0xf8867000
parport_pc 27556 1 - Live 0xf885f000
r8169 30468 0 - Live 0xf8823000
ehci_hcd 35468 0 - Live 0xf8855000
iTCO_wdt 13988 0 - Live 0xf8834000
parport 34632 2 lp,parport_pc, Live 0xf8840000
uhci_hcd 25996 0 - Live 0xf882c000
iTCO_vendor_support 7044 1 iTCO_wdt, Live 0xf8820000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 1025296 kB
MemFree: 626280 kB
Buffers: 116500 kB
Cached: 223936 kB
SwapCached: 0 kB
Active: 161492 kB
Inactive: 188160 kB
HighTotal: 121536 kB
HighFree: 444 kB
LowTotal: 903760 kB
LowFree: 625836 kB
SwapTotal: 3943948 kB
SwapFree: 3943948 kB
Dirty: 380 kB
Writeback: 0 kB
AnonPages: 9244 kB
Mapped: 7048 kB
Slab: 37296 kB
SReclaimable: 27972 kB
SUnreclaim: 9324 kB
PageTables: 444 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 4456596 kB
Committed_AS: 67860 kB
VmallocTotal: 114680 kB
VmallocUsed: 7436 kB
VmallocChunk: 107112 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM'
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
CONFIG_NET_KEY=m
# CONFIG_NET_KEY_MIGRATE is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
# CONFIG_IPV6_ROUTER_PREF is not set
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
# CONFIG_IPV6_MIP6 is not set
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_TUNNEL=m
# CONFIG_IPV6_MULTIPLE_TABLES is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_DCCP=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_DCCP_ACKVEC=y
CONFIG_IP_DCCP_CCID2=m
# CONFIG_IP_DCCP_CCID2_DEBUG is not set
CONFIG_IP_DCCP_CCID3=m
CONFIG_IP_DCCP_TFRC_LIB=m
# CONFIG_IP_DCCP_CCID3_DEBUG is not set
CONFIG_IP_DCCP_CCID3_RTO=100
CONFIG_IP_SCTP=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IP1000=m
CONFIG_IPW2100=m
CONFIG_IPW2100_MONITOR=y
# CONFIG_IPW2100_DEBUG is not set
CONFIG_IPW2200=m
CONFIG_IPW2200_MONITOR=y
CONFIG_IPW2200_RADIOTAP=y
CONFIG_IPW2200_PROMISCUOUS=y
CONFIG_IPW2200_QOS=y
# CONFIG_IPW2200_DEBUG is not set
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
CONFIG_HW_RANDOM_GEODE=m
CONFIG_HW_RANDOM_VIA=m
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m
CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
CONFIG_CRYPTO_DEV_GEODE=m
+ _________________________ etc/syslog.conf
+ _________________________ etc/syslog-ng/syslog-ng.conf
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ cat /etc/syslog.conf
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux. Note the '-' prefixing some
# of these entries; this omits syncing the file after every logging.
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performance loss if you're using
# programs that do heavy logging.
# Uncomment this to see kernel messages on the console.
#kern.* /dev/console
# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.info;*.!warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/messages
# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/syslog
# Debugging information is logged here.
*.=debug -/var/log/debug
# Private authentication message logging:
authpriv.* -/var/log/secure
# Cron related logs:
cron.* -/var/log/cron
# Mail related logs:
mail.* -/var/log/maillog
# Emergency level messages go to all users:
*.emerg *
# This log is for news and uucp errors:
uucp,news.crit -/var/log/spooler
# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit -/var/log/news/news.crit
#news.=err -/var/log/news/news.err
#news.notice -/var/log/news/news.notice
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search nordsea.net
nameserver 212.139.132.5
nameserver 212.139.132.21
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 3 root root 4096 Apr 30 23:23 2.6.24.5
drwxr-xr-x 3 root root 4096 Aug 12 16:20 2.6.24.5-smp
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c03625d0 T netif_rx
c0362820 T netif_rx_ni
c0362820 u netif_rx_ni [tun]
c03625d0 u netif_rx [ipv6]
c03625d0 u netif_rx [r8169]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.24.5:
2.6.24.5-smp:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '1750,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Aug 21 13:30:58 nordfw ipsec_setup: Starting Openswan IPsec U2.6.16/K2.6.24.5-smp...
Aug 21 13:30:58 nordfw ipsec_setup: multiple ip addresses, using 192.168.254.1 on eth1
Aug 21 13:30:59 nordfw ipsec__plutorun: 002 added connection description "net-cns-net"
Aug 21 13:30:59 nordfw ipsec__plutorun: 002 added connection description "net-mcp-net"
Aug 21 13:30:59 nordfw ipsec__plutorun: 002 added connection description "lpd-mcp-lpd"
Aug 21 13:30:59 nordfw ipsec__plutorun: 002 added connection description "lpd2-mcp-lpd2"
Aug 21 13:30:59 nordfw ipsec__plutorun: 002 added connection description "cns"
Aug 21 13:30:59 nordfw ipsec__plutorun: 000 "net-cns-net": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw ipsec__plutorun: 000 "net-mcp-net": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw ipsec__plutorun: 000 "lpd-mcp-lpd": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw ipsec__plutorun: 000 "lpd2-mcp-lpd2": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw ipsec__plutorun: 000 "cns": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw ipsec__plutorun: 104 "net-cns-net" #1: STATE_MAIN_I1: initiate
+ _________________________ plog
+ sed -n '5224,$p' /var/log/secure
+ egrep -i pluto
+ case "$1" in
+ cat
Aug 21 13:30:58 nordfw ipsec__plutorun: Starting Pluto subsystem...
Aug 21 13:30:58 nordfw pluto[29379]: Starting Pluto (Openswan Version 2.6.16; Vendor ID OEj}csWvZ\134{c) pid:29379
Aug 21 13:30:58 nordfw pluto[29379]: Setting NAT-Traversal port-4500 floating to on
Aug 21 13:30:58 nordfw pluto[29379]: port floating activation criteria nat_t=1/port_float=1
Aug 21 13:30:58 nordfw pluto[29379]: including NAT-Traversal patch (Version 0.6c)
Aug 21 13:30:58 nordfw pluto[29379]: using /dev/urandom as source of random entropy
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: starting up 1 cryptographic helpers
Aug 21 13:30:58 nordfw pluto[29383]: using /dev/urandom as source of random entropy
Aug 21 13:30:58 nordfw pluto[29379]: started helper pid=29383 (fd:7)
Aug 21 13:30:58 nordfw pluto[29379]: Using Linux 2.6 IPsec interface code on 2.6.24.5-smp (experimental code)
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_add(): ERROR: Algorithm already exists
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_add(): ERROR: Algorithm already exists
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_add(): ERROR: Algorithm already exists
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_add(): ERROR: Algorithm already exists
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_add(): ERROR: Algorithm already exists
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 21 13:30:59 nordfw pluto[29379]: Changed path to directory '/etc/ipsec.d/cacerts'
Aug 21 13:30:59 nordfw pluto[29379]: Changed path to directory '/etc/ipsec.d/aacerts'
Aug 21 13:30:59 nordfw pluto[29379]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Aug 21 13:30:59 nordfw pluto[29379]: Changing to directory '/etc/ipsec.d/crls'
Aug 21 13:30:59 nordfw pluto[29379]: Warning: empty directory
Aug 21 13:30:59 nordfw pluto[29379]: Changing back to directory '/etc' failed - (2 No such file or directory)
Aug 21 13:30:59 nordfw pluto[29379]: Changing back to directory '/etc' failed - (2 No such file or directory)
Aug 21 13:30:59 nordfw pluto[29379]: added connection description "net-cns-net"
Aug 21 13:30:59 nordfw pluto[29379]: added connection description "net-mcp-net"
Aug 21 13:30:59 nordfw pluto[29379]: added connection description "lpd-mcp-lpd"
Aug 21 13:30:59 nordfw pluto[29379]: added connection description "lpd2-mcp-lpd2"
Aug 21 13:30:59 nordfw pluto[29379]: added connection description "cns"
Aug 21 13:30:59 nordfw pluto[29379]: listening for IKE messages
Aug 21 13:30:59 nordfw pluto[29379]: adding interface eth1/eth1 82.133.95.225:500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface eth1/eth1 82.133.95.225:4500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface eth1/eth1 192.168.254.1:500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface eth1/eth1 192.168.254.1:4500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface eth0/eth0 192.168.1.254:500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface eth0/eth0 192.168.1.254:4500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface lo/lo 127.0.0.1:500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface lo/lo 127.0.0.1:4500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface lo/lo ::1:500
Aug 21 13:30:59 nordfw pluto[29379]: loading secrets from "/etc/ipsec.secrets"
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw pluto[29379]: "net-mcp-net": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw pluto[29379]: "lpd-mcp-lpd": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw pluto[29379]: "lpd2-mcp-lpd2": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw pluto[29379]: "cns": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: initiating Main Mode
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: Main mode peer ID is ID_IPV4_ADDR: '81.144.223.206'
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Aug 21 13:30:59 nordfw pluto[29379]: "cns" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:15e7b3c3 proposal=3DES(3)_192-MD5(1)_096 pfsgroup=no-pfs}
Aug 21 13:30:59 nordfw pluto[29379]: "lpd2-mcp-lpd2" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:e9854b72 proposal=3DES(3)_192-MD5(1)_096 pfsgroup=no-pfs}
Aug 21 13:30:59 nordfw pluto[29379]: "lpd-mcp-lpd" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:14fb285e proposal=3DES(3)_192-MD5(1)_096 pfsgroup=no-pfs}
Aug 21 13:30:59 nordfw pluto[29379]: "net-mcp-net" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:fe063ce9 proposal=3DES(3)_192-MD5(1)_096 pfsgroup=no-pfs}
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:2bf2d4c3 proposal=3DES(3)_192-MD5(1)_096 pfsgroup=no-pfs}
Aug 21 13:30:59 nordfw pluto[29379]: "cns" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 21 13:30:59 nordfw pluto[29379]: "cns" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x163c3670 <0x2eee5ad3 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Aug 21 13:30:59 nordfw pluto[29379]: "lpd2-mcp-lpd2" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 21 13:30:59 nordfw pluto[29379]: "lpd2-mcp-lpd2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x10eea774 <0x16fc2e82 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Aug 21 13:30:59 nordfw pluto[29379]: "lpd-mcp-lpd" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 21 13:30:59 nordfw pluto[29379]: "lpd-mcp-lpd" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf0cbe1ba <0x949bbc0a xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Aug 21 13:30:59 nordfw pluto[29379]: "net-mcp-net" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 21 13:30:59 nordfw pluto[29379]: "net-mcp-net" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x36d02290 <0x76a63c54 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #6: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x7e72b4c1 <0x7e65f3f6 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
+ _________________________ date
+ date
Thu Aug 21 13:33:27 BST 2008
Best regards,
Mark Wilson
PKA Systems Ltd.