[Openswan Users] Kernel/Openswan upgrade breaks VPN routing

Mark Wilson mark at pkasystems.co.uk
Thu Aug 21 10:04:19 EDT 2008


Hi,

I have a working VPN using Openswan 2.4.4 with KLIPS and kernel 2.4.22. I
need to migrate it to a new machine running a 2.6.24 kernel, preferably
using NETKEY (the natpatch doesn't work). I built the programs for
Openswan 2.6.16, ran "ipsec setup start", and the log looked as though a
tunnel had been established. I tried to ping an address at the other end
but got no reply (this works on the old setup). The admin at the other end
says that his logs show the tunnel coming up, but my pings arrive
unencrypted, across the public net instead of through the tunnel.

The ping is aimed at 195.171.138.10

There's a Netgear ADSL modem/router at my end, with a DMZ entry pointing
at this Linux box.

Below is the "ipsec barf" output - any ideas?

nordfw
Thu Aug 21 13:33:27 BST 2008
+ _________________________ version
+ ipsec --version
Linux Openswan U2.6.16/K2.6.24.5-smp (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.24.5-smp (root at newfw) (gcc version 4.2.3) #1 SMP Tue Aug 12 16:10:09 BST 2008
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.254.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.254.254 0.0.0.0         UG        0 0          0 eth1
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk       RefCnt Rmem   Wmem   User   Inode
+ _________________________ ip-xfrm-state
+ ip xfrm state
src 81.144.223.206 dst 192.168.254.1
 	proto esp spi 0x76a63c54 reqid 16389 mode tunnel
 	replay-window 32
 	auth hmac(md5) 0xea924fb80351af5c0086d67c905f7d92
 	enc cbc(des3_ede) 0x09f1be9125e0f811a1203a7baad571d421cc5d3ea0275157
 	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 192.168.254.1 dst 81.144.223.206
 	proto esp spi 0x36d02290 reqid 16389 mode tunnel
 	replay-window 32
 	auth hmac(md5) 0xa62bb775b03d82b73da4491467fe1e24
 	enc cbc(des3_ede) 0x1c7f76bcd391a87caad2e07d4ee14798411542030ab7af4c
 	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 81.144.223.206 dst 192.168.254.1
 	proto esp spi 0x7e65f3f6 reqid 16385 mode tunnel
 	replay-window 32
 	auth hmac(md5) 0xfa4b23aa880a45b87995a17b10fda161
 	enc cbc(des3_ede) 0xfc01e992821be621b48bc9a4bad56e4351bfcada95c164c2
 	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 192.168.254.1 dst 81.144.223.206
 	proto esp spi 0x7e72b4c1 reqid 16385 mode tunnel
 	replay-window 32
 	auth hmac(md5) 0xa18197c13d9fd2a3b0710054bf63506c
 	enc cbc(des3_ede) 0x98ad6029ba3cf1f7947b48feb050a809a1ae86a5f665d5f9
 	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 81.144.223.206 dst 192.168.254.1
 	proto esp spi 0x2eee5ad3 reqid 16401 mode tunnel
 	replay-window 32
 	auth hmac(md5) 0x62a6cc65c73871206b755c4198c089e5
 	enc cbc(des3_ede) 0x29d38d6db3c268a2a3b462ba1fda7a51d4aebff97ab60a89
 	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 192.168.254.1 dst 81.144.223.206
 	proto esp spi 0x163c3670 reqid 16401 mode tunnel
 	replay-window 32
 	auth hmac(md5) 0x617b6e56f9e83ce233768f08fa1f6fac
 	enc cbc(des3_ede) 0x87dbba19edcfcb529f75bd5cabb6f8419be35fdc278620ca
 	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 81.144.223.206 dst 192.168.254.1
 	proto esp spi 0x16fc2e82 reqid 16397 mode tunnel
 	replay-window 32
 	auth hmac(md5) 0xceb00c50fcd40fe9851768b60c2bda42
 	enc cbc(des3_ede) 0xc053537f5e5999ea1d0d71cd4997af4b36362d34f17e92a0
 	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 192.168.254.1 dst 81.144.223.206
 	proto esp spi 0x10eea774 reqid 16397 mode tunnel
 	replay-window 32
 	auth hmac(md5) 0x35ee7187d7e844e0bb1e5dc20e194265
 	enc cbc(des3_ede) 0x6f3faec3019a81914e69e25d838a5985457afa20b9cfe67a
 	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 81.144.223.206 dst 192.168.254.1
 	proto esp spi 0x949bbc0a reqid 16393 mode tunnel
 	replay-window 32
 	auth hmac(md5) 0x3263fa464fac01986cd54e6a4790d5ab
 	enc cbc(des3_ede) 0x205614ffba21e098bad325ff8cf3704e34613d326a97d9e0
 	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 192.168.254.1 dst 81.144.223.206
 	proto esp spi 0xf0cbe1ba reqid 16393 mode tunnel
 	replay-window 32
 	auth hmac(md5) 0x61e2df425438f3ec48e3c4c068c94572
 	enc cbc(des3_ede) 0x074c7960997ea1dead9e00bc878e19d21ffd26e645eb7d31
 	sel src 0.0.0.0/0 dst 0.0.0.0/0 
+ _________________________ ip-xfrm-policy
+ ip xfrm policy
src 194.201.255.0/24 dst 192.168.254.1/32
 	dir in priority 2088
 	tmpl src 81.144.223.206 dst 192.168.254.1
 		proto esp reqid 16389 mode tunnel
src 195.171.138.0/24 dst 192.168.254.1/32
 	dir in priority 2088
 	tmpl src 81.144.223.206 dst 192.168.254.1
 		proto esp reqid 16385 mode tunnel
src 81.144.223.206/32 dst 192.168.254.1/32
 	dir in priority 2080
 	tmpl src 81.144.223.206 dst 192.168.254.1
 		proto esp reqid 16401 mode tunnel
src 193.129.243.92/32 dst 192.168.254.1/32
 	dir in priority 2080
 	tmpl src 81.144.223.206 dst 192.168.254.1
 		proto esp reqid 16397 mode tunnel
src 193.129.243.91/32 dst 192.168.254.1/32
 	dir in priority 2080
 	tmpl src 81.144.223.206 dst 192.168.254.1
 		proto esp reqid 16393 mode tunnel
src 192.168.254.1/32 dst 195.171.138.0/24
 	dir out priority 2088
 	tmpl src 192.168.254.1 dst 81.144.223.206
 		proto esp reqid 16385 mode tunnel
src 192.168.254.1/32 dst 194.201.255.0/24
 	dir out priority 2088
 	tmpl src 192.168.254.1 dst 81.144.223.206
 		proto esp reqid 16389 mode tunnel
src 192.168.254.1/32 dst 81.144.223.206/32
 	dir out priority 2080
 	tmpl src 192.168.254.1 dst 81.144.223.206
 		proto esp reqid 16401 mode tunnel
src 192.168.254.1/32 dst 193.129.243.92/32
 	dir out priority 2080
 	tmpl src 192.168.254.1 dst 81.144.223.206
 		proto esp reqid 16397 mode tunnel
src 192.168.254.1/32 dst 193.129.243.91/32
 	dir out priority 2080
 	tmpl src 192.168.254.1 dst 81.144.223.206
 		proto esp reqid 16393 mode tunnel
src 194.201.255.0/24 dst 192.168.254.1/32
 	dir fwd priority 2088
 	tmpl src 81.144.223.206 dst 192.168.254.1
 		proto esp reqid 16389 mode tunnel
src 195.171.138.0/24 dst 192.168.254.1/32
 	dir fwd priority 2088
 	tmpl src 81.144.223.206 dst 192.168.254.1
 		proto esp reqid 16385 mode tunnel
src 81.144.223.206/32 dst 192.168.254.1/32
 	dir fwd priority 2080
 	tmpl src 81.144.223.206 dst 192.168.254.1
 		proto esp reqid 16401 mode tunnel
src 193.129.243.92/32 dst 192.168.254.1/32
 	dir fwd priority 2080
 	tmpl src 81.144.223.206 dst 192.168.254.1
 		proto esp reqid 16397 mode tunnel
src 193.129.243.91/32 dst 192.168.254.1/32
 	dir fwd priority 2080
 	tmpl src 81.144.223.206 dst 192.168.254.1
 		proto esp reqid 16393 mode tunnel
src ::/0 dst ::/0
 	dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir in priority 0 
src ::/0 dst ::/0
 	dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0
 	dir out priority 0 
+ _________________________ /proc/crypto
+ test -r /proc/crypto
+ cat /proc/crypto
name         : cbc(twofish)
driver       : cbc(twofish-i586)
module       : kernel
priority     : 200
refcnt       : 1
type         : blkcipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16

name         : cbc(camellia)
driver       : cbc(camellia-generic)
module       : kernel
priority     : 100
refcnt       : 1
type         : blkcipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16

name         : cbc(serpent)
driver       : cbc(serpent-generic)
module       : kernel
priority     : 0
refcnt       : 1
type         : blkcipher
blocksize    : 16
min keysize  : 0
max keysize  : 32
ivsize       : 16

name         : cbc(aes)
driver       : cbc(aes-i586)
module       : kernel
priority     : 200
refcnt       : 1
type         : blkcipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16

name         : cbc(blowfish)
driver       : cbc(blowfish-generic)
module       : kernel
priority     : 0
refcnt       : 1
type         : blkcipher
blocksize    : 8
min keysize  : 4
max keysize  : 56
ivsize       : 8

name         : cbc(des3_ede)
driver       : cbc(des3_ede-generic)
module       : kernel
priority     : 0
refcnt       : 11
type         : blkcipher
blocksize    : 8
min keysize  : 24
max keysize  : 24
ivsize       : 8

name         : cbc(des)
driver       : cbc(des-generic)
module       : kernel
priority     : 0
refcnt       : 1
type         : blkcipher
blocksize    : 8
min keysize  : 8
max keysize  : 8
ivsize       : 8

name         : ecb(cipher_null)
driver       : ecb(cipher_null-generic)
module       : kernel
priority     : 0
refcnt       : 1
type         : blkcipher
blocksize    : 1
min keysize  : 0
max keysize  : 0
ivsize       : 0

name         : xcbc(aes)
driver       : xcbc(aes-i586)
module       : kernel
priority     : 200
refcnt       : 1
type         : hash
blocksize    : 16
digestsize   : 16

name         : hmac(sha256)
driver       : hmac(sha256-generic)
module       : kernel
priority     : 0
refcnt       : 1
type         : hash
blocksize    : 64
digestsize   : 32

name         : hmac(sha1)
driver       : hmac(sha1-generic)
module       : kernel
priority     : 0
refcnt       : 1
type         : hash
blocksize    : 64
digestsize   : 20

name         : hmac(md5)
driver       : hmac(md5-generic)
module       : kernel
priority     : 0
refcnt       : 11
type         : hash
blocksize    : 64
digestsize   : 16

name         : hmac(digest_null)
driver       : hmac(digest_null-generic)
module       : kernel
priority     : 0
refcnt       : 1
type         : hash
blocksize    : 1
digestsize   : 0

name         : crc32c
driver       : crc32c-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 32
digestsize   : 4

name         : michael_mic
driver       : michael_mic-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 8
digestsize   : 8

name         : deflate
driver       : deflate-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : compression

name         : seed
driver       : seed-generic
module       : kernel
priority     : 100
refcnt       : 1
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 16

name         : anubis
driver       : anubis-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 40

name         : khazad
driver       : khazad-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 8
min keysize  : 16
max keysize  : 16

name         : xeta
driver       : xeta-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 8
min keysize  : 16
max keysize  : 16

name         : xtea
driver       : xtea-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 8
min keysize  : 16
max keysize  : 16

name         : tea
driver       : tea-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 8
min keysize  : 16
max keysize  : 16

name         : arc4
driver       : arc4-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 1
min keysize  : 1
max keysize  : 256

name         : cast6
driver       : cast6-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : cast5
driver       : cast5-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 8
min keysize  : 5
max keysize  : 16

name         : camellia
driver       : camellia-generic
module       : kernel
priority     : 100
refcnt       : 1
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
refcnt       : 1
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : tnepres
driver       : tnepres-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 16
min keysize  : 0
max keysize  : 32

name         : serpent
driver       : serpent-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 16
min keysize  : 0
max keysize  : 32

name         : twofish
driver       : twofish-generic
module       : kernel
priority     : 100
refcnt       : 1
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : blowfish
driver       : blowfish-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 8
min keysize  : 4
max keysize  : 56

name         : fcrypt
driver       : fcrypt-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 8
min keysize  : 8
max keysize  : 8

name         : des3_ede
driver       : des3_ede-generic
module       : kernel
priority     : 0
refcnt       : 11
type         : cipher
blocksize    : 8
min keysize  : 24
max keysize  : 24

name         : des
driver       : des-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 8
min keysize  : 8
max keysize  : 8

name         : tgr128
driver       : tgr128-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 64
digestsize   : 16

name         : tgr160
driver       : tgr160-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 64
digestsize   : 20

name         : tgr192
driver       : tgr192-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 64
digestsize   : 24

name         : wp256
driver       : wp256-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 64
digestsize   : 32

name         : wp384
driver       : wp384-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 64
digestsize   : 48

name         : wp512
driver       : wp512-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 64
digestsize   : 64

name         : sha512
driver       : sha512-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 128
digestsize   : 64

name         : sha384
driver       : sha384-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 128
digestsize   : 48

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 64
digestsize   : 32

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 64
digestsize   : 20

name         : md5
driver       : md5-generic
module       : kernel
priority     : 0
refcnt       : 11
type         : digest
blocksize    : 64
digestsize   : 16

name         : md4
driver       : md4-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 64
digestsize   : 16

name         : compress_null
driver       : compress_null-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : compression

name         : digest_null
driver       : digest_null-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : digest
blocksize    : 1
digestsize   : 0

name         : cipher_null
driver       : cipher_null-generic
module       : kernel
priority     : 0
refcnt       : 1
type         : cipher
blocksize    : 1
min keysize  : 0
max keysize  : 0

name         : twofish
driver       : twofish-i586
module       : kernel
priority     : 200
refcnt       : 1
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : aes
driver       : aes-i586
module       : kernel
priority     : 200
refcnt       : 1
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

+ __________________________/proc/sys/net/core/xfrm-star
/usr/local/libexec/ipsec/barf: line 191: __________________________/proc/sys/net/core/xfrm-star: No such file or directory
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_acq_expires: '
/proc/sys/net/core/xfrm_acq_expires: + cat /proc/sys/net/core/xfrm_acq_expires
30
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_aevent_etime: '
/proc/sys/net/core/xfrm_aevent_etime: + cat /proc/sys/net/core/xfrm_aevent_etime
10
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_aevent_rseqth: '
/proc/sys/net/core/xfrm_aevent_rseqth: + cat /proc/sys/net/core/xfrm_aevent_rseqth
2
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_larval_drop: '
/proc/sys/net/core/xfrm_larval_drop: + cat /proc/sys/net/core/xfrm_larval_drop
0
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.254
000 interface eth0/eth0 192.168.1.254
000 interface eth1/eth1 192.168.254.1
000 interface eth1/eth1 192.168.254.1
000 interface eth1/eth1 82.133.95.225
000 interface eth1/eth1 82.133.95.225
000 %myid = (none)
000 debug none
000 
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000 
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,10,36} trans={0,10,840} attrs={0,10,1120} 
000 
000 "cns": 192.168.254.1[82.133.95.225,+S=C]...81.144.223.206<81.144.223.206>[+S=C]; erouted; eroute owner: #2
000 "cns":     myip=unset; hisip=unset;
000 "cns":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 300s; rekey_fuzz: 0%; keyingtries: 3
000 "cns":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth1; 
000 "cns":   newest ISAKMP SA: #0; newest IPsec SA: #2; 
000 "cns":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict
000 "cns":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_096-5, 3DES_CBC(5)_192-MD5(1)_096-2, 
000 "cns":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "cns":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
000 "cns":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000 "lpd-mcp-lpd": 192.168.254.1[82.133.95.225,+S=C]...81.144.223.206<81.144.223.206>[+S=C]===193.129.243.91/32; erouted; eroute owner: #4
000 "lpd-mcp-lpd":     myip=unset; hisip=unset;
000 "lpd-mcp-lpd":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 300s; rekey_fuzz: 0%; keyingtries: 3
000 "lpd-mcp-lpd":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth1; 
000 "lpd-mcp-lpd":   newest ISAKMP SA: #0; newest IPsec SA: #4; 
000 "lpd-mcp-lpd":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict
000 "lpd-mcp-lpd":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_096-5, 3DES_CBC(5)_192-MD5(1)_096-2, 
000 "lpd-mcp-lpd":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "lpd-mcp-lpd":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
000 "lpd-mcp-lpd":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000 "lpd2-mcp-lpd2": 192.168.254.1[82.133.95.225,+S=C]...81.144.223.206<81.144.223.206>[+S=C]===193.129.243.92/32; erouted; eroute owner: #3
000 "lpd2-mcp-lpd2":     myip=unset; hisip=unset;
000 "lpd2-mcp-lpd2":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 300s; rekey_fuzz: 0%; keyingtries: 3
000 "lpd2-mcp-lpd2":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth1; 
000 "lpd2-mcp-lpd2":   newest ISAKMP SA: #0; newest IPsec SA: #3; 
000 "lpd2-mcp-lpd2":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict
000 "lpd2-mcp-lpd2":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_096-5, 3DES_CBC(5)_192-MD5(1)_096-2, 
000 "lpd2-mcp-lpd2":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "lpd2-mcp-lpd2":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
000 "lpd2-mcp-lpd2":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000 "net-cns-net": 192.168.254.1[82.133.95.225,+S=C]...81.144.223.206<81.144.223.206>[+S=C]===195.171.138.0/24; erouted; eroute owner: #6
000 "net-cns-net":     myip=unset; hisip=unset;
000 "net-cns-net":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 300s; rekey_fuzz: 0%; keyingtries: 3
000 "net-cns-net":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,24; interface: eth1; 
000 "net-cns-net":   newest ISAKMP SA: #1; newest IPsec SA: #6; 
000 "net-cns-net":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict
000 "net-cns-net":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_096-5, 3DES_CBC(5)_192-MD5(1)_096-2, 
000 "net-cns-net":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "net-cns-net":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "net-cns-net":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
000 "net-cns-net":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000 "net-mcp-net": 192.168.254.1[82.133.95.225,+S=C]...81.144.223.206<81.144.223.206>[+S=C]===194.201.255.0/24; erouted; eroute owner: #5
000 "net-mcp-net":     myip=unset; hisip=unset;
000 "net-mcp-net":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 300s; rekey_fuzz: 0%; keyingtries: 3
000 "net-mcp-net":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,24; interface: eth1; 
000 "net-mcp-net":   newest ISAKMP SA: #0; newest IPsec SA: #5; 
000 "net-mcp-net":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict
000 "net-mcp-net":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_096-5, 3DES_CBC(5)_192-MD5(1)_096-2, 
000 "net-mcp-net":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "net-mcp-net":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
000 "net-mcp-net":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000 
000 #2: "cns":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3152s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "cns" esp.163c3670 at 81.144.223.206 esp.2eee5ad3 at 192.168.254.1 tun.0 at 81.144.223.206 tun.0 at 192.168.254.1 ref=0 refhim=4294901761
000 #4: "lpd-mcp-lpd":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3152s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #4: "lpd-mcp-lpd" esp.f0cbe1ba at 81.144.223.206 esp.949bbc0a at 192.168.254.1 tun.0 at 81.144.223.206 tun.0 at 192.168.254.1 ref=0 refhim=4294901761
000 #3: "lpd2-mcp-lpd2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3152s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "lpd2-mcp-lpd2" esp.10eea774 at 81.144.223.206 esp.16fc2e82 at 192.168.254.1 tun.0 at 81.144.223.206 tun.0 at 192.168.254.1 ref=0 refhim=4294901761
000 #6: "net-cns-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3152s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #6: "net-cns-net" esp.7e72b4c1 at 81.144.223.206 esp.7e65f3f6 at 192.168.254.1 tun.0 at 81.144.223.206 tun.0 at 192.168.254.1 ref=0 refhim=4294901761
000 #1: "net-cns-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 28352s; newest ISAKMP; nodpd; idle; import:admin initiate
000 #5: "net-mcp-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3152s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #5: "net-mcp-net" esp.36d02290 at 81.144.223.206 esp.76a63c54 at 192.168.254.1 tun.0 at 81.144.223.206 tun.0 at 192.168.254.1 ref=0 refhim=4294901761
000 
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:1c:25:6c:4a:c2
           inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
           inet6 addr: fe80::21c:25ff:fe6c:4ac2/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:152699 errors:0 dropped:0 overruns:0 frame:0
           TX packets:33142 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:26610609 (25.3 MiB)  TX bytes:5701480 (5.4 MiB)
           Interrupt:22 Base address:0x6800

eth1      Link encap:Ethernet  HWaddr 00:50:fc:72:52:c4
           inet addr:192.168.254.1  Bcast:192.168.254.255  Mask:255.255.255.0
           inet6 addr: fe80::250:fcff:fe72:52c4/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:15391 errors:0 dropped:0 overruns:0 frame:0
           TX packets:8305 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:2005128 (1.9 MiB)  TX bytes:1650293 (1.5 MiB)
           Interrupt:17 Base address:0xe800

lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:71 errors:0 dropped:0 overruns:0 frame:0
           TX packets:71 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:11408 (11.1 KiB)  TX bytes:11408 (11.1 KiB)

+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:1c:25:6c:4a:c2 brd ff:ff:ff:ff:ff:ff
     inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
     inet6 fe80::21c:25ff:fe6c:4ac2/64 scope link
        valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:50:fc:72:52:c4 brd ff:ff:ff:ff:ff:ff
     inet 192.168.254.1/24 brd 192.168.254.255 scope global eth1
     inet 82.133.95.225/32 brd 192.168.254.255 scope global eth1
     inet6 fe80::250:fcff:fe72:52c4/64 scope link
        valid_lft forever preferred_lft forever
+ _________________________ ip-route-list
+ ip route list
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.254 
192.168.254.0/24 dev eth1  proto kernel  scope link  src 192.168.254.1 
127.0.0.0/8 dev lo  scope link 
default via 192.168.254.254 dev eth1  metric 1 
+ _________________________ ip-rule-list
+ ip rule list
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.6.16/K2.6.24.5-smp (netkey)
Checking for IPsec support in kernel                        	[OK]
NETKEY detected, testing for disabled ICMP send_redirects   	[OK]
NETKEY detected, testing for disabled ICMP accept_redirects 	[OK]
Checking for RSA private key (/etc/ipsec.secrets)           	[OK]
Checking that pluto is running                              	[OK]
Two or more interfaces found, checking IP forwarding        	[OK]
Checking NAT and MASQUERADEing 
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD flow-control, link ok
   product info: vendor 00:07:32, model 17 rev 2
   basic mode:   autonegotiation enabled
   basic status: autonegotiation complete, link ok
   capabilities: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
   advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
   link partner: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: negotiated 100baseTx-FD, link ok
   product info: vendor 00:00:00, model 0 rev 0
   basic mode:   autonegotiation enabled
   basic status: autonegotiation complete, link ok
   capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
   advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
   link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
nordfw.nordsea.net
+ _________________________ hostname/ipaddress
+ hostname --ip-address
192.168.1.254 
+ _________________________ uptime
+ uptime
  13:33:27 up 2 days, 19:02,  2 users,  load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
0     0 29747 27971  20   0   2988  1536 -      S+   pts/0      0:00              \_ /bin/sh /usr/local/libexec/ipsec/barf
1     0 29827 29747  20   0   2988   792 -      R+   pts/0      0:00                  \_ /bin/sh /usr/local/libexec/ipsec/barf
1     0 29377     1  20   0   2568   480 -      S    pts/0      0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug  --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive  --protostack netkey --force_keepalive  --disable_port_floating no --virtual_private  --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
1     0 29378 29377  20   0   2568   624 -      S    pts/0      0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug  --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive  --protostack netkey --force_keepalive  --disable_port_floating no --virtual_private  --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
4     0 29379 29378  20   0   3088  1440 -      S    pts/0      0:00  |   \_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal
1     0 29383 29379  30  10   3080   656 -      SN   pts/0      0:00  |       \_ pluto helper  #  0 
0     0 29382 29377  20   0   2532  1212 -      S    pts/0      0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post 
0     0 29380     1  20   0   1688   532 -      S    pts/0      0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth1
routevirt=none
routeaddr=192.168.254.1
routenexthop=192.168.254.254
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
 	interfaces=%defaultroute
 	protostack=netkey
 	nat_traversal=yes
#	uniqueids=no
#        interfaces="ipsec0=eth1"

# Add connections here

conn %default
 	keyingtries=3

# Four tunnels to the same remote gateway. Each inherits every setting from
# "conn cns" through also=cns and adds only the remote network (rightsubnet).
# The ping target named in the report, 195.171.138.10, falls inside
# net-cns-net's rightsubnet.
# NOTE(review): none of these sets leftsubnet, and "conn cns" has its
# leftsubnet lines commented out, so the local end of each tunnel is
# presumably the left host address alone. Confirm the installed selectors
# with `ip xfrm policy`.
conn net-cns-net
 	also=cns
 	rightsubnet=195.171.138.0/24

conn net-mcp-net
 	also=cns
 	rightsubnet=194.201.255.0/24

# Single-host (/32) remote selectors.
conn lpd-mcp-lpd
 	also=cns
 	rightsubnet=193.129.243.91/32

conn lpd2-mcp-lpd2
 	also=cns
 	rightsubnet=193.129.243.92/32

#conn net-ewt-net
#	also=ewt
#        rightsubnet=192.168.0.0/24
##        rightid=192.168.0.199

# Shared base section for the remote gateway 81.144.223.206. The conns that
# say also=cns take all of their settings from here.
# NOTE(review): auto=start is set in this section, so "cns" is also loaded as
# a connection in its own right (the pluto log in this barf output lists
# "cns" among the added connection descriptions).
conn cns
 	type=tunnel
 	rekeyfuzz=0%
 	rekeymargin=5m
 	# Pre-shared-key authentication; the key is read from /etc/ipsec.secrets.
 	authby=secret
 	auth=esp
 	ikelifetime=8h
 	keylife=1h
 	keyexchange=ike
 	# NOTE(review): 3DES and HMAC-MD5 are legacy algorithms. If the peer
 	# supports them, AES with a SHA-2 based integrity algorithm is the
 	# stronger choice; both ends have to agree on the proposal.
 	esp=3des-md5-96
 	ike=3des-md5-96
 	# NOTE(review): with pfs=no the IPsec SA keys are derived from the IKE SA
 	# keying material without a fresh Diffie-Hellman exchange, so a compromise
 	# of the IKE SA also exposes the traffic keys. Enable PFS if the peer allows.
 	pfs=no
 	# Force UDP encapsulation of ESP (NAT-T) even when no NAT is detected.
 	forceencaps=yes
 	# left is taken from the default-route interface. The ipsec_setup log line
 	# in this barf output reports "using 192.168.254.1 on eth1", a private
 	# address, while leftid below asserts the public address as the IKE identity.
 	left=%defaultroute
 	leftid=82.133.95.225
 	right=81.144.223.206
 	auto=start
# NOTE(review): every leftsubnet/leftsourceip line below is commented out, so
# the local traffic selector is presumably just the left host address. Packets
# with any other source address would not match the tunnel policy and would
# leave unencrypted. Compare `ip xfrm policy` with the selectors the peer expects.
##	leftsubnet=192.168.254.0/24
##	leftsourceip=82.133.95.225
##	leftsubnet=82.133.95.225/32
##mw 250106##	leftid=@nolltd.gotadsl.co.uk


conn fsmdov
         type=tunnel
         rekeyfuzz=0%
         rekeymargin=5m
         authby=secret
         auth=esp
 	ikelifetime=8h
 	keylife=1h
         keyexchange=ike
         esp=3des-md5-96
         ike=3des-md5-96
         pfs=no
         left=%defaultroute
 	leftsubnet=82.133.95.225/32
         right=62.3.234.215
         rightsubnet=192.168.253.0/24
##	auto=start

#Disable Opportunistic Encryption

#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
     auto=ignore

conn private
     auto=ignore

conn private-or-clear
     auto=ignore

conn clear-or-private
     auto=ignore

conn clear
     auto=ignore

conn packetdefault
     auto=ignore

#> /etc/ipsec.conf 88

###############################################################################
###############################################################################
#vvvvvvvv Below are test configs ONLY vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
###############################################################################
###############################################################################


conn pkasys-mw
         type=tunnel
         rekeyfuzz=0%
         rekeymargin=5m
         authby=secret
         auth=esp
 	ikelifetime=8h
 	keylife=1h
         keyexchange=ike
         esp=3des-md5-96
         ike=3des-md5-96
         pfs=no
         left=%defaultroute
 	leftsubnet=82.133.95.225/32
         right=62.3.238.183
 	rightid="@p4xp"
##	auto=start

conn pkasys
         #
         authby=secret
         pfs=no
         rekey=no
         keyingtries=3
         #
         # ----------------------------------------------------------
         # The VPN server.
         #
         # Allow incoming connections on the external network interface.
         # If you want to use a different interface or if there is no
         # defaultroute, you can use:   left=your.ip.addr.ess
         #
         left=%defaultroute
         #
         leftprotoport=17/1701
         # If you insist on supporting non-updated Windows clients,
         # you can use:    leftprotoport=17/%any
         #
         # ----------------------------------------------------------
         # The remote user(s).
         #
         # Allow incoming connections only from this IP address.
         right=62.3.238.183
         # If you want to allow multiple connections from any IP address,
         # you can use:    right=%any
         #
         rightprotoport=17/%any
         #
         # ----------------------------------------------------------
         # Change 'ignore' to 'add' to enable this configuration.
         #
         auto=ignore
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
82.133.95.225 81.144.223.206: PSK "[sums to 86cc...]"
@nolltd.gotadsl.co.uk 81.144.223.206: PSK "[sums to 86cc...]"
192.168.254.1 81.144.223.206: PSK "[sums to 86cc...]"
192.168.254.2 81.144.223.206: PSK "[sums to 86cc...]"
## ^^ mw - 25-Jan-06 - will this work??? ^^^
## ^^ something did.
+ _________________________ ipsec/listall
+ ipsec auto --listall
000 
000 List of Public Keys:
000 
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000     4: PSK 81.144.223.206 192.168.254.2
000     3: PSK 81.144.223.206 192.168.254.1
000     2: PSK 81.144.223.206 @nolltd.gotadsl.co.uk
000     1: PSK 81.144.223.206 82.133.95.225
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#

+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption.  This behaviour is also called "Opportunistic Responder".
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications.  If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#

0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 260
-rwxr-xr-x 1 root root 15848 Aug 12 16:52 _confread
-rwxr-xr-x 1 root root 12785 Aug 20 15:49 _copyright
-rwxr-xr-x 1 root root 14297 Aug 12 16:52 _copyright.old
-rwxr-xr-x 1 root root  2379 Aug 20 15:49 _include
-rwxr-xr-x 1 root root  2379 Aug 12 16:52 _include.old
-rwxr-xr-x 1 root root  1475 Aug 20 15:49 _keycensor
-rwxr-xr-x 1 root root  1475 Aug 12 16:52 _keycensor.old
-rwxr-xr-x 1 root root  2632 Aug 20 15:49 _plutoload
-rwxr-xr-x 1 root root  3648 Aug 12 16:52 _plutoload.old
-rwxr-xr-x 1 root root  7635 Aug 20 15:49 _plutorun
-rwxr-xr-x 1 root root  8069 Aug 12 16:52 _plutorun.old
-rwxr-xr-x 1 root root 12863 Aug 20 15:49 _realsetup
-rwxr-xr-x 1 root root 12324 Aug 12 16:52 _realsetup.old
-rwxr-xr-x 1 root root  1975 Aug 20 15:49 _secretcensor
-rwxr-xr-x 1 root root  1975 Aug 12 16:52 _secretcensor.old
-rwxr-xr-x 1 root root  8119 Aug 20 15:49 _startklips
-rwxr-xr-x 1 root root  8119 Aug 20 15:49 _startklips.old
-rwxr-xr-x 1 root root  5773 Aug 20 15:49 _startnetkey
-rwxr-xr-x 1 root root  4886 Aug 20 15:49 _updown
-rwxr-xr-x 1 root root 14030 Aug 20 15:49 _updown.klips
-rwxr-xr-x 1 root root 14030 Aug 20 15:49 _updown.klips.old
-rwxr-xr-x 1 root root 11798 Aug 20 15:49 _updown.mast
-rwxr-xr-x 1 root root 11798 Aug 20 15:49 _updown.mast.old
-rwxr-xr-x 1 root root  8534 Aug 20 15:49 _updown.netkey
-rwxr-xr-x 1 root root 13918 Aug 12 16:52 _updown.old
-rwxr-xr-x 1 root root 15746 Aug 12 16:52 _updown_x509
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 9052
-rwxr-xr-x 1 root root   28513 Aug 12 16:52 _pluto_adns
-rwxr-xr-x 1 root root  394624 Aug 20 15:49 addconn
-rwxr-xr-x 1 root root    6129 Aug 20 15:49 auto
-rwxr-xr-x 1 root root   18891 Aug 12 16:52 auto.old
-rwxr-xr-x 1 root root   10758 Aug 20 15:49 barf
-rwxr-xr-x 1 root root   11367 Aug 12 16:52 barf.old
-rwxr-xr-x 1 root root     816 Aug 12 16:52 calcgoo
-rwxr-xr-x 1 root root  175196 Aug 20 15:49 eroute
-rwxr-xr-x 1 root root  200133 Aug 12 16:52 eroute.old
-rwxr-xr-x 1 root root   50978 Aug 20 15:49 ikeping
-rwxr-xr-x 1 root root   65213 Aug 12 16:52 ikeping.old
-rwxr-xr-x 1 root root  115366 Aug 20 15:49 klipsdebug
-rwxr-xr-x 1 root root  129923 Aug 12 16:52 klipsdebug.old
-rwxr-xr-x 1 root root    1836 Aug 20 15:49 livetest
-rwxr-xr-x 1 root root    1836 Aug 12 16:52 livetest.old
-rwxr-xr-x 1 root root    2591 Aug 20 15:49 look
-rwxr-xr-x 1 root root    2604 Aug 12 16:52 look.old
-rwxr-xr-x 1 root root  845118 Aug 20 15:49 lwdnsq
-rwxr-xr-x 1 root root    7094 Aug 12 16:52 mailkey
-rwxr-xr-x 1 root root   16015 Aug 12 16:52 manual
-rwxr-xr-x 1 root root    1921 Aug 20 15:49 newhostkey
-rwxr-xr-x 1 root root    1951 Aug 12 16:52 newhostkey.old
-rwxr-xr-x 1 root root  110624 Aug 20 15:49 pf_key
-rwxr-xr-x 1 root root  115320 Aug 12 16:52 pf_key.old
-rwxr-xr-x 1 root root 2831623 Aug 20 15:49 pluto
-rwxr-xr-x 1 root root 1915910 Aug 12 16:52 pluto.old
-rwxr-xr-x 1 root root   17518 Aug 20 15:49 ranbits
-rwxr-xr-x 1 root root   21198 Aug 12 16:52 ranbits.old
-rwxr-xr-x 1 root root   38193 Aug 20 15:49 rsasigkey
-rwxr-xr-x 1 root root   50657 Aug 12 16:52 rsasigkey.old
-rwxr-xr-x 1 root root     766 Aug 20 15:49 secrets
-rwxr-xr-x 1 root root     766 Aug 12 16:52 secrets.old
lrwxrwxrwx 1 root root      22 Aug 20 15:49 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root    1054 Aug 20 15:49 showdefaults
-rwxr-xr-x 1 root root    1054 Aug 12 16:52 showdefaults.old
-rwxr-xr-x 1 root root  439597 Aug 20 15:49 showhostkey
-rwxr-xr-x 1 root root    4845 Aug 12 16:52 showhostkey.old
-rwxr-xr-x 1 root root   63990 Aug 20 15:49 showpolicy
-rwxr-xr-x 1 root root  286306 Aug 20 15:49 spi
-rwxr-xr-x 1 root root  325527 Aug 12 16:52 spi.old
-rwxr-xr-x 1 root root  149896 Aug 20 15:49 spigrp
-rwxr-xr-x 1 root root  165100 Aug 12 16:52 spigrp.old
-rwxr-xr-x 1 root root  129305 Aug 20 15:49 tncfg
-rwxr-xr-x 1 root root   24264 Aug 12 16:52 tncfg.old
-rwxr-xr-x 1 root root   13026 Aug 20 15:49 verify
-rwxr-xr-x 1 root root   13530 Aug 12 16:52 verify.old
-rwxr-xr-x 1 root root  112187 Aug 20 15:49 whack
-rwxr-xr-x 1 root root  159252 Aug 12 16:52 whack.old
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
  face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
     lo:   11408      71    0    0    0     0          0         0    11408      71    0    0    0     0       0          0
   eth0:26610609  152699    0    0    0     0          0         0  5701540   33143    0    0    0     0       0          0
   eth1: 2005188   15392    0    0    0     0          0         0  1650293    8305    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface	Destination	Gateway 	Flags	RefCnt	Use	Metric	Mask		MTU	Window	IRTT 
eth0	0001A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0 
eth1	00FEA8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0 
lo	0000007F	00000000	0001	0	0	0	000000FF	0	0	0 
eth1	00000000	FEFEA8C0	0003	0	0	1	00000000	0	0	0 
+ _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
+ cat /proc/sys/net/ipv4/ip_no_pmtu_disc
0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:0
default/accept_redirects:0
default/secure_redirects:1
default/send_redirects:0
eth0/accept_redirects:0
eth0/secure_redirects:1
eth0/send_redirects:0
eth1/accept_redirects:0
eth1/secure_redirects:1
eth1/send_redirects:0
lo/accept_redirects:0
lo/secure_redirects:1
lo/send_redirects:0
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+ uname -a
Linux nordfw 2.6.24.5-smp #1 SMP Tue Aug 12 16:10:09 BST 2008 i686 Intel(R) Pentium(R) Dual  CPU  E2200  @ 2.20GHz GenuineIntel GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ distro-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/redhat-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/debian-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/SuSE-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/mandrake-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/mandriva-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.24.5-smp) support detected '
NETKEY (2.6.24.5-smp) support detected 
+ _________________________ iptables
+ test -r /sbin/iptables
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
ipcomp6 9992 0 - Live 0xf8cf6000
ipcomp 9608 0 - Live 0xf8afb000
ah6 9600 0 - Live 0xf8ced000
ah4 8704 0 - Live 0xf8ce9000
esp6 9856 0 - Live 0xf8ce5000
esp4 9728 10 - Live 0xf8ce1000
xfrm4_mode_beet 6272 0 - Live 0xf8cd2000
xfrm4_tunnel 6272 0 - Live 0xf8ccf000
xfrm4_mode_tunnel 6272 20 - Live 0xf8ccc000
xfrm4_mode_transport 5632 0 - Live 0xf8cb2000
xfrm6_mode_transport 5760 0 - Live 0xf8caf000
xfrm6_mode_ro 5504 0 - Live 0xf8b72000
xfrm6_mode_beet 5888 0 - Live 0xf8b4d000
xfrm6_mode_tunnel 6272 0 - Live 0xf8b4a000
af_key 33808 0 - Live 0xf8cd7000
xfrm6_tunnel 10016 1 ipcomp6, Live 0xf8cb8000
tunnel6 6792 1 xfrm6_tunnel, Live 0xf8aff000
tun 12160 0 - Live 0xf8ca2000
ipt_REJECT 7552 1 - Live 0xf8ca9000
xt_state 5888 45 - Live 0xf8cb5000
xt_tcpudp 6912 92 - Live 0xf8ca6000
iptable_nat 9860 1 - Live 0xf8b56000
nf_nat 19500 1 iptable_nat, Live 0xf8c87000
iptable_filter 6272 1 - Live 0xf8b7c000
ip_tables 14788 2 iptable_nat,iptable_filter, Live 0xf8c8d000
x_tables 14980 5 ipt_REJECT,xt_state,xt_tcpudp,iptable_nat,ip_tables, Live 0xf8a7b000
nf_conntrack_ftp 10912 0 - Live 0xf8b52000
nf_conntrack_ipv4 17032 47 iptable_nat, Live 0xf8c81000
nf_conntrack 53440 5 xt_state,iptable_nat,nf_nat,nf_conntrack_ftp,nf_conntrack_ipv4, Live 0xf8c93000
tunnel4 6792 1 xfrm4_tunnel, Live 0xf8a71000
geode_aes 8968 0 - Live 0xf8aae000
snd_seq_dummy 6660 0 - Live 0xf8a35000
snd_seq_oss 32896 0 - Live 0xf8b68000
snd_seq_midi_event 10112 1 snd_seq_oss, Live 0xf8aaa000
snd_seq 50256 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event, Live 0xf8b5a000
snd_seq_device 10380 3 snd_seq_dummy,snd_seq_oss,snd_seq, Live 0xf884a000
snd_pcm_oss 40352 0 - Live 0xf8a85000
snd_mixer_oss 17920 1 snd_pcm_oss, Live 0xf8aa4000
ipv6 234724 32 ipcomp6,ah6,esp6,xfrm6_mode_beet,xfrm6_tunnel,tunnel6, Live 0xf8ac0000
lp 13348 0 - Live 0xf8874000
fuse 45588 1 - Live 0xf8ab3000
snd_hda_intel 289052 0 - Live 0xf8b02000
snd_pcm 72068 2 snd_pcm_oss,snd_hda_intel, Live 0xf8a91000
snd_timer 22532 2 snd_seq,snd_pcm, Live 0xf8a74000
thermal 16540 0 - Live 0xf8a5b000
serio_raw 9092 0 - Live 0xf8a57000
i2c_i801 11792 0 - Live 0xf8a53000
button 10000 0 - Live 0xf8a45000
snd_page_alloc 11528 2 snd_hda_intel,snd_pcm, Live 0xf8a41000
psmouse 40336 0 - Live 0xf8a61000
rtc_cmos 11040 0 - Live 0xf8a31000
intel_agp 25236 1 - Live 0xf8a4b000
snd_hwdep 10756 1 snd_hda_intel, Live 0xf8a2d000
processor 32680 1 thermal, Live 0xf8a38000
evdev 12672 3 - Live 0xf8879000
rtc_core 18696 1 rtc_cmos, Live 0xf8a27000
i2c_core 22528 1 i2c_i801, Live 0xf8a09000
rtc_lib 6528 1 rtc_core, Live 0xf8852000
agpgart 30664 1 intel_agp, Live 0xf8a1e000
8139too 25600 0 - Live 0xf8a01000
snd 47716 9 snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_hda_intel,snd_pcm,snd_timer,snd_hwdep, Live 0xf8a11000
soundcore 9824 1 snd, Live 0xf8870000
mii 8448 1 8139too, Live 0xf884e000
sg 30224 0 - Live 0xf8867000
parport_pc 27556 1 - Live 0xf885f000
r8169 30468 0 - Live 0xf8823000
ehci_hcd 35468 0 - Live 0xf8855000
iTCO_wdt 13988 0 - Live 0xf8834000
parport 34632 2 lp,parport_pc, Live 0xf8840000
uhci_hcd 25996 0 - Live 0xf882c000
iTCO_vendor_support 7044 1 iTCO_wdt, Live 0xf8820000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal:      1025296 kB
MemFree:        626280 kB
Buffers:        116500 kB
Cached:         223936 kB
SwapCached:          0 kB
Active:         161492 kB
Inactive:       188160 kB
HighTotal:      121536 kB
HighFree:          444 kB
LowTotal:       903760 kB
LowFree:        625836 kB
SwapTotal:     3943948 kB
SwapFree:      3943948 kB
Dirty:             380 kB
Writeback:           0 kB
AnonPages:        9244 kB
Mapped:           7048 kB
Slab:            37296 kB
SReclaimable:    27972 kB
SUnreclaim:       9324 kB
PageTables:        444 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:   4456596 kB
Committed_AS:    67860 kB
VmallocTotal:   114680 kB
VmallocUsed:      7436 kB
VmallocChunk:   107112 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM'
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
CONFIG_NET_KEY=m
# CONFIG_NET_KEY_MIGRATE is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
# CONFIG_IPV6_ROUTER_PREF is not set
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
# CONFIG_IPV6_MIP6 is not set
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_TUNNEL=m
# CONFIG_IPV6_MULTIPLE_TABLES is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_DCCP=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_DCCP_ACKVEC=y
CONFIG_IP_DCCP_CCID2=m
# CONFIG_IP_DCCP_CCID2_DEBUG is not set
CONFIG_IP_DCCP_CCID3=m
CONFIG_IP_DCCP_TFRC_LIB=m
# CONFIG_IP_DCCP_CCID3_DEBUG is not set
CONFIG_IP_DCCP_CCID3_RTO=100
CONFIG_IP_SCTP=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IP1000=m
CONFIG_IPW2100=m
CONFIG_IPW2100_MONITOR=y
# CONFIG_IPW2100_DEBUG is not set
CONFIG_IPW2200=m
CONFIG_IPW2200_MONITOR=y
CONFIG_IPW2200_RADIOTAP=y
CONFIG_IPW2200_PROMISCUOUS=y
CONFIG_IPW2200_QOS=y
# CONFIG_IPW2200_DEBUG is not set
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
CONFIG_HW_RANDOM_GEODE=m
CONFIG_HW_RANDOM_VIA=m
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m
CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
CONFIG_CRYPTO_DEV_GEODE=m
+ _________________________ etc/syslog.conf
+ _________________________ etc/syslog-ng/syslog-ng.conf
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ cat /etc/syslog.conf
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux.  Note the '-' prefixing some
# of these entries;  this omits syncing the file after every logging.
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performance loss if you're using
# programs that do heavy logging.

# Uncomment this to see kernel messages on the console.
#kern.*							/dev/console

# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.info;*.!warn;\
 	authpriv.none;cron.none;mail.none;news.none	-/var/log/messages

# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.warn;\
 	authpriv.none;cron.none;mail.none;news.none	-/var/log/syslog

# Debugging information is logged here.
*.=debug						-/var/log/debug

# Private authentication message logging:
authpriv.*						-/var/log/secure

# Cron related logs:
cron.*							-/var/log/cron

# Mail related logs:
mail.*							-/var/log/maillog

# Emergency level messages go to all users:
*.emerg							*

# This log is for news and uucp errors:
uucp,news.crit						-/var/log/spooler

# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit					-/var/log/news/news.crit
#news.=err					-/var/log/news/news.err
#news.notice					-/var/log/news/news.notice

+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search nordsea.net
nameserver 212.139.132.5
nameserver 212.139.132.21
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 3 root root 4096 Apr 30 23:23 2.6.24.5
drwxr-xr-x 3 root root 4096 Aug 12 16:20 2.6.24.5-smp
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c03625d0 T netif_rx
c0362820 T netif_rx_ni
c0362820 u netif_rx_ni	[tun]
c03625d0 u netif_rx	[ipv6]
c03625d0 u netif_rx	[r8169]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.24.5: 
2.6.24.5-smp: 
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '1750,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Aug 21 13:30:58 nordfw ipsec_setup: Starting Openswan IPsec U2.6.16/K2.6.24.5-smp...
Aug 21 13:30:58 nordfw ipsec_setup: multiple ip addresses, using  192.168.254.1 on eth1
Aug 21 13:30:59 nordfw ipsec__plutorun: 002 added connection description "net-cns-net"
Aug 21 13:30:59 nordfw ipsec__plutorun: 002 added connection description "net-mcp-net"
Aug 21 13:30:59 nordfw ipsec__plutorun: 002 added connection description "lpd-mcp-lpd"
Aug 21 13:30:59 nordfw ipsec__plutorun: 002 added connection description "lpd2-mcp-lpd2"
Aug 21 13:30:59 nordfw ipsec__plutorun: 002 added connection description "cns"
Aug 21 13:30:59 nordfw ipsec__plutorun: 000 "net-cns-net": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw ipsec__plutorun: 000 "net-mcp-net": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw ipsec__plutorun: 000 "lpd-mcp-lpd": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw ipsec__plutorun: 000 "lpd2-mcp-lpd2": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw ipsec__plutorun: 000 "cns": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw ipsec__plutorun: 104 "net-cns-net" #1: STATE_MAIN_I1: initiate
+ _________________________ plog
+ sed -n '5224,$p' /var/log/secure
+ egrep -i pluto
+ case "$1" in
+ cat
Aug 21 13:30:58 nordfw ipsec__plutorun: Starting Pluto subsystem...
Aug 21 13:30:58 nordfw pluto[29379]: Starting Pluto (Openswan Version 2.6.16; Vendor ID OEj}csWvZ\134{c) pid:29379
Aug 21 13:30:58 nordfw pluto[29379]: Setting NAT-Traversal port-4500 floating to on
Aug 21 13:30:58 nordfw pluto[29379]:    port floating activation criteria nat_t=1/port_float=1
Aug 21 13:30:58 nordfw pluto[29379]:    including NAT-Traversal patch (Version 0.6c)
Aug 21 13:30:58 nordfw pluto[29379]: using /dev/urandom as source of random entropy
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 21 13:30:58 nordfw pluto[29379]: starting up 1 cryptographic helpers
Aug 21 13:30:58 nordfw pluto[29383]: using /dev/urandom as source of random entropy
Aug 21 13:30:58 nordfw pluto[29379]: started helper pid=29383 (fd:7)
Aug 21 13:30:58 nordfw pluto[29379]: Using Linux 2.6 IPsec interface code on 2.6.24.5-smp (experimental code)
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names 
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names 
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_add(): ERROR: Algorithm already exists
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names 
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_add(): ERROR: Algorithm already exists
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names 
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_add(): ERROR: Algorithm already exists
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names 
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_add(): ERROR: Algorithm already exists
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names 
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_add(): ERROR: Algorithm already exists
Aug 21 13:30:59 nordfw pluto[29379]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Aug 21 13:30:59 nordfw pluto[29379]: Changed path to directory '/etc/ipsec.d/cacerts'
Aug 21 13:30:59 nordfw pluto[29379]: Changed path to directory '/etc/ipsec.d/aacerts'
Aug 21 13:30:59 nordfw pluto[29379]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Aug 21 13:30:59 nordfw pluto[29379]: Changing to directory '/etc/ipsec.d/crls'
Aug 21 13:30:59 nordfw pluto[29379]:   Warning: empty directory
Aug 21 13:30:59 nordfw pluto[29379]: Changing back to directory '/etc' failed - (2 No such file or directory)
Aug 21 13:30:59 nordfw pluto[29379]: Changing back to directory '/etc' failed - (2 No such file or directory)
Aug 21 13:30:59 nordfw pluto[29379]: added connection description "net-cns-net"
Aug 21 13:30:59 nordfw pluto[29379]: added connection description "net-mcp-net"
Aug 21 13:30:59 nordfw pluto[29379]: added connection description "lpd-mcp-lpd"
Aug 21 13:30:59 nordfw pluto[29379]: added connection description "lpd2-mcp-lpd2"
Aug 21 13:30:59 nordfw pluto[29379]: added connection description "cns"
Aug 21 13:30:59 nordfw pluto[29379]: listening for IKE messages
Aug 21 13:30:59 nordfw pluto[29379]: adding interface eth1/eth1 82.133.95.225:500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface eth1/eth1 82.133.95.225:4500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface eth1/eth1 192.168.254.1:500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface eth1/eth1 192.168.254.1:4500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface eth0/eth0 192.168.1.254:500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface eth0/eth0 192.168.1.254:4500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface lo/lo 127.0.0.1:500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface lo/lo 127.0.0.1:4500
Aug 21 13:30:59 nordfw pluto[29379]: adding interface lo/lo ::1:500
Aug 21 13:30:59 nordfw pluto[29379]: loading secrets from "/etc/ipsec.secrets"
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw pluto[29379]: "net-mcp-net": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw pluto[29379]: "lpd-mcp-lpd": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw pluto[29379]: "lpd2-mcp-lpd2": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw pluto[29379]: "cns": request to add a prospective erouted policy with netkey kernel --- experimental
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: initiating Main Mode
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: Main mode peer ID is ID_IPV4_ADDR: '81.144.223.206'
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Aug 21 13:30:59 nordfw pluto[29379]: "cns" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:15e7b3c3 proposal=3DES(3)_192-MD5(1)_096 pfsgroup=no-pfs}
Aug 21 13:30:59 nordfw pluto[29379]: "lpd2-mcp-lpd2" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:e9854b72 proposal=3DES(3)_192-MD5(1)_096 pfsgroup=no-pfs}
Aug 21 13:30:59 nordfw pluto[29379]: "lpd-mcp-lpd" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:14fb285e proposal=3DES(3)_192-MD5(1)_096 pfsgroup=no-pfs}
Aug 21 13:30:59 nordfw pluto[29379]: "net-mcp-net" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:fe063ce9 proposal=3DES(3)_192-MD5(1)_096 pfsgroup=no-pfs}
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:2bf2d4c3 proposal=3DES(3)_192-MD5(1)_096 pfsgroup=no-pfs}
Aug 21 13:30:59 nordfw pluto[29379]: "cns" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 21 13:30:59 nordfw pluto[29379]: "cns" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x163c3670 <0x2eee5ad3 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Aug 21 13:30:59 nordfw pluto[29379]: "lpd2-mcp-lpd2" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 21 13:30:59 nordfw pluto[29379]: "lpd2-mcp-lpd2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x10eea774 <0x16fc2e82 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Aug 21 13:30:59 nordfw pluto[29379]: "lpd-mcp-lpd" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 21 13:30:59 nordfw pluto[29379]: "lpd-mcp-lpd" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf0cbe1ba <0x949bbc0a xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Aug 21 13:30:59 nordfw pluto[29379]: "net-mcp-net" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 21 13:30:59 nordfw pluto[29379]: "net-mcp-net" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x36d02290 <0x76a63c54 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #6: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 21 13:30:59 nordfw pluto[29379]: "net-cns-net" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x7e72b4c1 <0x7e65f3f6 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
+ _________________________ date
+ date
Thu Aug 21 13:33:27 BST 2008

Best regards,

Mark Wilson


PKA Systems Ltd.

