[Openswan Users] L2TP problem... I think
Andrew Tolboe
tolboe at reaction-eng.com
Sun Mar 2 23:25:27 EST 2008
Jacco de Leeuw wrote:
> Andrew Tolboe wrote:
>
>
>> I'm at home (behind a little router box). So the server is listening
>> right on the public ip, so there is no NAT-T on the server side, but it
>> is possible that the clients are behind NAT-T. Is this incorrect usage
>> of that setting?
>>
>
> No, that should work. Perhaps you could post the output of 'ipsec barf >
> output.txt' after you try to connect? And which l2tpd version are you
> using?
>
> I cannot imagine that Windows does not log some kind of error code.
> IIRC it says something even at an interactivity timeout. You could
> even look in the Eventviewer if there is no popup window.
>
> Jacco
>
Here is the output from the Windows log:
The user ****** successfully established a connection to Reaction Engineering using the device VPN3-1.
Three miles later:
The connection to Reaction Engineering made by user ****** using device VPN3-1 was disconnected.
Here is the output:
gateway
Sun Mar 2 21:11:08 MST 2008
+ _________________________ version
+ ipsec --version
Linux Openswan U2.4.6/K2.6.18-5-686 (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.18-5-686 (Debian 2.6.18.dfsg.1-17) (dannf at debian.org)
(gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Mon
Dec 24 16:41:07 UTC 2007
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination      Gateway          Genmask          Flags MSS Window irtt Iface
0.0.0.0          ***.***.103.161  255.255.255.240  UG      0 0         0 br0
***.***.103.160  0.0.0.0          255.255.255.240  U       0 0         0 br0
192.168.2.0      0.0.0.0          255.255.255.0    U       0 0         0 bond0.101
192.168.1.0      0.0.0.0          255.255.255.0    U       0 0         0 bond0.103
192.168.0.0      0.0.0.0          255.255.255.0    U       0 0         0 bond0.100
0.0.0.0          ***.***.103.161  0.0.0.0          UG      0 0         0 br0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ ip-xfrm-state
+ ip xfrm state
+ _________________________ ip-xfrm-policy
+ ip xfrm policy
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface bond0.100/bond0.100 192.168.0.1
000 interface bond0.100/bond0.100 192.168.0.1
000 interface bond0.101/bond0.101 192.168.2.1
000 interface bond0.101/bond0.101 192.168.2.1
000 interface bond0.103/bond0.103 192.168.1.1
000 interface bond0.103/bond0.103 192.168.1.1
000 interface br0/br0 ***.***.103.174
000 interface br0/br0 ***.***.103.174
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "l2tp-X.509": ***.***.103.174[C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=VPN Server, E=admin at reaction-eng.com]:17/1701...%virtual:17/1701===?; unrouted; eroute owner: #0
000 "l2tp-X.509": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "l2tp-X.509": CAs: 'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Reaction Engineering Certification Authority, E=admin at reaction-eng.com'...'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Reaction Engineering Certification Authority, E=admin at reaction-eng.com'
000 "l2tp-X.509": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "l2tp-X.509": policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: br0;
000 "l2tp-X.509": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
bond0 Link encap:Ethernet HWaddr 00:15:17:2A:3A:4C
inet6 addr: fe80::215:17ff:fe2a:3a4c/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:1218969534 errors:38460 dropped:1 overruns:0 frame:19816
TX packets:1054830975 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:751786055 (716.9 MiB) TX bytes:3048731246 (2.8 GiB)
bond0.99 Link encap:Ethernet HWaddr 00:15:17:2A:3A:4C
inet6 addr: fe80::215:17ff:fe2a:3a4c/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:81454711 errors:0 dropped:0 overruns:0 frame:0
TX packets:61294523 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3109996543 (2.8 GiB) TX bytes:2324113939 (2.1 GiB)
bond0.100 Link encap:Ethernet HWaddr 00:15:17:2A:3A:4C
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:fe2a:3a4c/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:408036446 errors:0 dropped:0 overruns:0 frame:0
TX packets:641657646 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3132163237 (2.9 GiB) TX bytes:2137477135 (1.9 GiB)
bond0.101 Link encap:Ethernet HWaddr 00:15:17:2A:3A:4C
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:fe2a:3a4c/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:710902476 errors:0 dropped:0 overruns:0 frame:0
TX packets:334422866 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1358629214 (1.2 GiB) TX bytes:944057063 (900.3 MiB)
bond0.102 Link encap:Ethernet HWaddr 00:15:17:2A:3A:4C
inet6 addr: fe80::215:17ff:fe2a:3a4c/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:13383155 errors:0 dropped:0 overruns:0 frame:0
TX packets:12798857 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2250088613 (2.0 GiB) TX bytes:2533784606 (2.3 GiB)
bond0.103 Link encap:Ethernet HWaddr 00:15:17:2A:3A:4C
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:fe2a:3a4c/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:3760772 errors:0 dropped:0 overruns:0 frame:0
TX packets:3939536 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2553305529 (2.3 GiB) TX bytes:3619695152 (3.3 GiB)
br0 Link encap:Ethernet HWaddr 00:15:17:2A:3A:4C
inet addr:***.***.103.174 Bcast:***.***.103.175 Mask:255.255.255.240
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:81800477 errors:0 dropped:0 overruns:0 frame:0
TX packets:61856592 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4034240422 (3.7 GiB) TX bytes:3698952864 (3.4 GiB)
eth0 Link encap:Ethernet HWaddr 00:15:17:2A:3A:4C
inet6 addr: fe80::215:17ff:fe2a:3a4c/64 Scope:Link
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:114322531 errors:2 dropped:0 overruns:0 frame:1
TX packets:356442050 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2236152130 (2.0 GiB) TX bytes:329050425 (313.8 MiB)
Base address:0xece0 Memory:fe9e0000-fea00000
eth1 Link encap:Ethernet HWaddr 00:15:17:2A:3A:4C
inet6 addr: fe80::215:17ff:fe2a:3a4c/64 Scope:Link
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:96044402 errors:38458 dropped:0 overruns:0 frame:19815
TX packets:77654426 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3230868857 (3.0 GiB) TX bytes:70612908 (67.3 MiB)
Base address:0xecc0 Memory:fe9a0000-fe9c0000
eth2 Link encap:Ethernet HWaddr 00:15:17:2A:3A:4C
inet6 addr: fe80::215:17ff:fe2a:3a4c/64 Scope:Link
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:561268871 errors:0 dropped:1 overruns:0 frame:0
TX packets:473002464 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4121833568 (3.8 GiB) TX bytes:3144474233 (2.9 GiB)
Interrupt:169
eth3 Link encap:Ethernet HWaddr 00:15:17:2A:3A:4C
inet6 addr: fe80::215:17ff:fe2a:3a4c/64 Scope:Link
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:447333730 errors:0 dropped:0 overruns:0 frame:0
TX packets:147732035 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4047833388 (3.7 GiB) TX bytes:3799560976 (3.5 GiB)
Interrupt:58
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3788 errors:0 dropped:0 overruns:0 frame:0
TX packets:3788 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:601750 (587.6 KiB) TX bytes:601750 (587.6 KiB)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth2: <BROADCAST,MULTICAST,SLAVE,UP,10000> mtu 1500 qdisc pfifo_fast
master bond0 qlen 1000
link/ether 00:15:17:2a:3a:4c brd ff:ff:ff:ff:ff:ff
inet6 fe80::215:17ff:fe2a:3a4c/64 scope link
valid_lft forever preferred_lft forever
3: eth3: <BROADCAST,MULTICAST,SLAVE,UP,10000> mtu 1500 qdisc pfifo_fast
master bond0 qlen 1000
link/ether 00:15:17:2a:3a:4c brd ff:ff:ff:ff:ff:ff
inet6 fe80::215:17ff:fe2a:3a4c/64 scope link
valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,SLAVE,UP,10000> mtu 1500 qdisc pfifo_fast
master bond0 qlen 1000
link/ether 00:15:17:2a:3a:4c brd ff:ff:ff:ff:ff:ff
inet6 fe80::215:17ff:fe2a:3a4c/64 scope link
valid_lft forever preferred_lft forever
5: eth1: <BROADCAST,MULTICAST,SLAVE,UP,10000> mtu 1500 qdisc pfifo_fast
master bond0 qlen 1000
link/ether 00:15:17:2a:3a:4c brd ff:ff:ff:ff:ff:ff
inet6 fe80::215:17ff:fe2a:3a4c/64 scope link
valid_lft forever preferred_lft forever
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,10000> mtu 1500 qdisc noqueue
link/ether 00:15:17:2a:3a:4c brd ff:ff:ff:ff:ff:ff
inet6 fe80::215:17ff:fe2a:3a4c/64 scope link
valid_lft forever preferred_lft forever
10: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
16: bond0.99 at bond0: <BROADCAST,MULTICAST,MASTER,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:15:17:2a:3a:4c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::215:17ff:fe2a:3a4c/64 scope link
       valid_lft forever preferred_lft forever
17: bond0.102 at bond0: <BROADCAST,MULTICAST,MASTER,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:15:17:2a:3a:4c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::215:17ff:fe2a:3a4c/64 scope link
       valid_lft forever preferred_lft forever
18: bond0.100 at bond0: <BROADCAST,MULTICAST,MASTER,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:15:17:2a:3a:4c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global bond0.100
    inet6 fe80::215:17ff:fe2a:3a4c/64 scope link
       valid_lft forever preferred_lft forever
19: bond0.101 at bond0: <BROADCAST,MULTICAST,MASTER,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:15:17:2a:3a:4c brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global bond0.101
    inet6 fe80::215:17ff:fe2a:3a4c/64 scope link
       valid_lft forever preferred_lft forever
20: bond0.103 at bond0: <BROADCAST,MULTICAST,MASTER,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:15:17:2a:3a:4c brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global bond0.103
    inet6 fe80::215:17ff:fe2a:3a4c/64 scope link
       valid_lft forever preferred_lft forever
61: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
link/ether 00:15:17:2a:3a:4c brd ff:ff:ff:ff:ff:ff
inet ***.***.103.174/28 brd ***.***.103.175 scope global br0
inet6 fe80::200:ff:fe00:0/64 scope link
valid_lft forever preferred_lft forever
+ _________________________ ip-route-list
+ ip route list
0.0.0.0/28 via ***.***.103.161 dev br0
***.***.103.160/28 dev br0 proto kernel scope link src ***.***.103.174
192.168.2.0/24 dev bond0.101 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev bond0.103 proto kernel scope link src 192.168.1.1
192.168.0.0/24 dev bond0.100 proto kernel scope link src 192.168.0.1
default via ***.***.103.161 dev br0
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup 255
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.6/K2.6.18-5-686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:aa:00, model 56 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:aa:00, model 56 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
eth2: negotiated 100baseTx-FD, link ok
product info: vendor 00:08:18, model 24 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
eth3: negotiated 100baseTx-FD, link ok
product info: vendor 00:08:18, model 24 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
gateway.reaction-eng.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
***.***.103.174
+ _________________________ uptime
+ uptime
21:11:08 up 62 days, 3:23, 3 users, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY   TIME COMMAND
0     0   972   968  21   0  3656 1260 wait   S+   pts/2 0:00  \_ /bin/sh /usr/lib/ipsec/barf
0     0  1050   972  24   0  1644  532 pipe_w S+   pts/2 0:00      \_ grep -E -i ppid|pluto|ipsec|klips
1     0   744     1  19   0  2452  452 wait   S    ?     0:00 /bin/bash /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 --crlcheckinterval 0 --ocspuri --nhelpers 0 --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
1     0   745   744  19   0  2452  644 wait   S    ?     0:00  \_ /bin/bash /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 --crlcheckinterval 0 --ocspuri --nhelpers 0 --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
4     0   746   745  17   0  7084 2408 -      S    ?     0:00  |   \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 --nhelpers 0
0     0   825   746  18   0  1504  288 429496 S    ?     0:00  |       \_ _pluto_adns
0     0   747   744  21   0  2424 1128 pipe_w S    ?     0:00  \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0     0   748     1  19   0  1560  400 pipe_w S    ?     0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=br0
routevirt=ipsec0
routeaddr=***.***.103.174
routenexthop=***.***.103.161
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg:
# plutodebug="control parsing"
#
# Only enable klipsdebug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
#
# enable this if you see "failed to find any available worker"
nhelpers=0
# Add connections here
# sample VPN connections, see /etc/ipsec.d/examples/
#< /etc/ipsec.d/examples/l2tp-cert.conf 1
conn l2tp-X.509
#
# Configuration for one user with any type of IPsec/L2TP client
# including the updated Windows 2000/XP (MS KB Q818043), but
# excluding the non-updated Windows 2000/XP.
#
#
# Use a certificate. Disable Perfect Forward Secrecy.
#
authby=rsasig
pfs=no
auto=add
# we cannot rekey for %any, let client rekey
rekey=no
# Do not enable the line below. It is implicitely used, and
# specifying it will currently break when using nat-t.
# type=transport. See http://bugs.xelerance.com/view.php?id=466
#
left=%defaultroute
# or you can use: left=YourIPAddress
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/certs/gateway.reaction-eng.com.pem
# For updated Windows 2000/XP clients,
# to support old clients as well, use leftprotoport=17/%any
leftprotoport=17/1701
#
# The remote user.
#
right=%any
rightca=%same
rightrsasigkey=%cert
rightprotoport=17/1701
rightsubnet=vhost:%priv,%no
#> /etc/ipsec.conf 31
#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 33
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
[sums to 68b3...]: RSA /etc/ipsec.d/private/gateway.reaction-eng.com.key ""
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Mar 02 21:04:21 2008, 1024 RSA Key AwEAAZ5VN, until Jan 07 20:37:27 2018 ok
000 ID_DER_ASN1_DN 'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Tolboe, E=tolboe at reaction-eng.com'
000 Issuer 'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Reaction Engineering Certification Authority, E=admin at reaction-eng.com'
000 Mar 02 14:18:26 2008, 1024 RSA Key AwEAAc9T/, until Jan 29 20:07:28 2018 ok
000 ID_DER_ASN1_DN 'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=VPN Server, E=admin at reaction-eng.com'
000 Issuer 'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Reaction Engineering Certification Authority, E=admin at reaction-eng.com'
000
000 List of X.509 End Certificates:
000
000 Mar 02 14:18:26 2008, count: 1
000 subject: 'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=VPN Server, E=admin at reaction-eng.com'
000 issuer: 'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Reaction Engineering Certification Authority, E=admin at reaction-eng.com'
000 serial: 00:e4:dc:65:66:18:c1:61:10
000 pubkey: 1024 RSA Key AwEAAc9T/, has private key
000 validity: not before Feb 01 20:07:28 2008 ok
000 not after Jan 29 20:07:28 2018 ok
000
000 List of X.509 CA Certificates:
000
000 Mar 02 14:18:26 2008, count: 1
000 subject: 'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Reaction Engineering Certification Authority, E=admin at reaction-eng.com'
000 issuer: 'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Reaction Engineering Certification Authority, E=admin at reaction-eng.com'
000 serial: 00:d1:65:a8:28:5f:72:1e:68
000 pubkey: 1024 RSA Key AwEAAbduc
000 validity: not before Jan 10 20:37:27 2008 ok
000 not after Jan 07 20:37:27 2018 ok
000 subjkey: 7c:04:5c:64:b7:18:37:1c:ea:3c:5f:f7:84:bb:9c:6f:45:b0:49:7e
000 authkey: 7c:04:5c:64:b7:18:37:1c:ea:3c:5f:f7:84:bb:9c:6f:45:b0:49:7e
000 aserial: 00:d1:65:a8:28:5f:72:1e:68
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 1365
-rwxr-xr-x 1 root root 15848 Mar 4 2007 _confread
-rwxr-xr-x 1 root root 4364 Mar 4 2007 _copyright
-rwxr-xr-x 1 root root 2379 Mar 4 2007 _include
-rwxr-xr-x 1 root root 1475 Mar 4 2007 _keycensor
-rwxr-xr-x 1 root root 8012 Mar 4 2007 _pluto_adns
-rwxr-xr-x 1 root root 3586 Mar 4 2007 _plutoload
-rwxr-xr-x 1 root root 7209 Mar 4 2007 _plutorun
-rwxr-xr-x 1 root root 12335 Mar 4 2007 _realsetup
-rwxr-xr-x 1 root root 1975 Mar 4 2007 _secretcensor
-rwxr-xr-x 1 root root 10070 Mar 4 2007 _startklips
-rwxr-xr-x 1 root root 13912 Mar 4 2007 _updown
-rwxr-xr-x 1 root root 15740 Mar 4 2007 _updown_x509
-rwxr-xr-x 1 root root 18891 Mar 4 2007 auto
-rwxr-xr-x 1 root root 11331 Mar 4 2007 barf
-rwxr-xr-x 1 root root 816 Mar 4 2007 calcgoo
-rwxr-xr-x 1 root root 77832 Mar 4 2007 eroute
-rwxr-xr-x 1 root root 17992 Mar 4 2007 ikeping
-rwxr-xr-x 1 root root 1942 Mar 4 2007 ipsec_pr.template
-rwxr-xr-x 1 root root 60732 Mar 4 2007 klipsdebug
-rwxr-xr-x 1 root root 1836 Mar 4 2007 livetest
-rwxr-xr-x 1 root root 2605 Mar 4 2007 look
-rwxr-xr-x 1 root root 7147 Mar 4 2007 mailkey
-rwxr-xr-x 1 root root 16015 Mar 4 2007 manual
-rwxr-xr-x 1 root root 1951 Mar 4 2007 newhostkey
-rwxr-xr-x 1 root root 51872 Mar 4 2007 pf_key
-rwxr-xr-x 1 root root 648712 Mar 4 2007 pluto
-rwxr-xr-x 1 root root 6360 Mar 4 2007 ranbits
-rwxr-xr-x 1 root root 18844 Mar 4 2007 rsasigkey
-rwxr-xr-x 1 root root 766 Mar 4 2007 secrets
-rwxr-xr-x 1 root root 17624 Mar 4 2007 send-pr
lrwxrwxrwx 1 root root 17 Feb 1 23:57 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Mar 4 2007 showdefaults
-rwxr-xr-x 1 root root 4748 Mar 4 2007 showhostkey
-rwxr-xr-x 1 root root 118516 Mar 4 2007 spi
-rwxr-xr-x 1 root root 65796 Mar 4 2007 spigrp
-rwxr-xr-x 1 root root 10340 Mar 4 2007 tncfg
-rwxr-xr-x 1 root root 11628 Mar 4 2007 verify
-rwxr-xr-x 1 root root 51188 Mar 4 2007 whack
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/lib/ipsec
total 1365
-rwxr-xr-x 1 root root 15848 Mar 4 2007 _confread
-rwxr-xr-x 1 root root 4364 Mar 4 2007 _copyright
-rwxr-xr-x 1 root root 2379 Mar 4 2007 _include
-rwxr-xr-x 1 root root 1475 Mar 4 2007 _keycensor
-rwxr-xr-x 1 root root 8012 Mar 4 2007 _pluto_adns
-rwxr-xr-x 1 root root 3586 Mar 4 2007 _plutoload
-rwxr-xr-x 1 root root 7209 Mar 4 2007 _plutorun
-rwxr-xr-x 1 root root 12335 Mar 4 2007 _realsetup
-rwxr-xr-x 1 root root 1975 Mar 4 2007 _secretcensor
-rwxr-xr-x 1 root root 10070 Mar 4 2007 _startklips
-rwxr-xr-x 1 root root 13912 Mar 4 2007 _updown
-rwxr-xr-x 1 root root 15740 Mar 4 2007 _updown_x509
-rwxr-xr-x 1 root root 18891 Mar 4 2007 auto
-rwxr-xr-x 1 root root 11331 Mar 4 2007 barf
-rwxr-xr-x 1 root root 816 Mar 4 2007 calcgoo
-rwxr-xr-x 1 root root 77832 Mar 4 2007 eroute
-rwxr-xr-x 1 root root 17992 Mar 4 2007 ikeping
-rwxr-xr-x 1 root root 1942 Mar 4 2007 ipsec_pr.template
-rwxr-xr-x 1 root root 60732 Mar 4 2007 klipsdebug
-rwxr-xr-x 1 root root 1836 Mar 4 2007 livetest
-rwxr-xr-x 1 root root 2605 Mar 4 2007 look
-rwxr-xr-x 1 root root 7147 Mar 4 2007 mailkey
-rwxr-xr-x 1 root root 16015 Mar 4 2007 manual
-rwxr-xr-x 1 root root 1951 Mar 4 2007 newhostkey
-rwxr-xr-x 1 root root 51872 Mar 4 2007 pf_key
-rwxr-xr-x 1 root root 648712 Mar 4 2007 pluto
-rwxr-xr-x 1 root root 6360 Mar 4 2007 ranbits
-rwxr-xr-x 1 root root 18844 Mar 4 2007 rsasigkey
-rwxr-xr-x 1 root root 766 Mar 4 2007 secrets
-rwxr-xr-x 1 root root 17624 Mar 4 2007 send-pr
lrwxrwxrwx 1 root root 17 Feb 1 23:57 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Mar 4 2007 showdefaults
-rwxr-xr-x 1 root root 4748 Mar 4 2007 showhostkey
-rwxr-xr-x 1 root root 118516 Mar 4 2007 spi
-rwxr-xr-x 1 root root 65796 Mar 4 2007 spigrp
-rwxr-xr-x 1 root root 10340 Mar 4 2007 tncfg
-rwxr-xr-x 1 root root 11628 Mar 4 2007 verify
-rwxr-xr-x 1 root root 51188 Mar 4 2007 whack
+ _________________________ ipsec/updowns
++ ls /usr/lib/ipsec
++ egrep updown
+ for f in '`ls ${IPSEC_EXECDIR-/usr/libexec/ipsec} | egrep updown`'
+ cat /usr/lib/ipsec/_updown
#! /bin/sh
# iproute2 version, default updown script
#
# Copyright (C) 2003-2004 Nigel Metheringham
# Copyright (C) 2002-2004 Michael Richardson <mcr at xelerance.com>
# Copyright (C) 2003-2005 Tuomo Soini <tis at foobar.fi>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown.in,v 1.21.2.11 2006/02/20 22:57:28 paul Exp $
# CAUTION: Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.
LC_ALL=C export LC_ALL
# things that this script gets (from ipsec_pluto(8) man page)
#
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway
# communications is IPv6, then a suffix of -v6 is added
# to the verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_CONN_POLICY
# the policy of the connection, as in:
#
# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
# PLUTO_NEXT_HOP
# is the next hop to which packets bound for the peer
# must be sent.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
# is the IP address of our client net. If the client
# is just the host, this will be the host's own IP
# address.
#
# PLUTO_MY_CLIENT_MASK
# is the mask for our client net. If the client is
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
# if non-empty, then the source address for the route will be
# set to this IP address.
#
# PLUTO_MY_PROTOCOL
# is the protocol for this connection. Useful for
# firewalling.
#
# PLUTO_MY_PORT
# is the port. Useful for firewalling.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
# is the IP address of the peer's client net. If the
# client is just the peer, this will be the peer's
# own IP address.
#
# PLUTO_PEER_CLIENT_MASK
# is the mask for the peer's client net. If the
# client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
# is the protocol set for remote end with port
# selector.
#
# PLUTO_PEER_PORT
# is the peer's port. Useful for firewalling.
#
# PLUTO_CONNECTION_TYPE
#
# Import default _updown configs from the /etc/default/pluto_updown file
#
# Two variables can be set in this file:
#
# DEFAULTSOURCE
# is the default value for PLUTO_MY_SOURCEIP
#
# IPROUTETABLE
# is the default value for IPROUTETABLE
#
# IPROUTEARGS
# is the extra argument list for ip route command
#
# IPRULEARGS
# is the extra argument list for ip rule command
#
if [ -f /etc/default/pluto_updown ]
then
. /etc/default/pluto_updown
fi
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
ip route flush cache
}
downroute() {
doroute delete
ip route flush cache
}
uprule() {
# policy based advanced routing
if [ -n "$IPROUTETABLE" ]
then
dorule delete
dorule add
fi
# virtual sourceip support
if [ -n "$PLUTO_MY_SOURCEIP" ]
then
addsource
rc=$?
if [ $rc -ne 0 ];
then
changesource
fi
fi
ip route flush cache
}
downrule() {
if [ -n "$IPROUTETABLE" ]
then
dorule delete
ip route flush cache
fi
}
addsource() {
st=0
# check if given sourceip is local and add as alias if not
if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
then
it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: File exists'*)
# should not happen, but ... ignore if the
# address was already assigned on interface
oops=""
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: addsource \`$it' failed ($oops)" >&2
fi
fi
return $st
}
changesource() {
# Change used route source to destination if there is previous
# Route to same PLUTO_PEER_CLIENT. This is basically to fix
# configuration errors where all conns to same destination don't
# have (left/right)sourceip set.
st=0
parms="$PLUTO_PEER_CLIENT dev ${PLUTO_INTERFACE%:*}"
parms="$parms src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms="$parms table $IPROUTETABLE"
fi
it="ip route change $parms"
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# opportunistic encryption work around
it=
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such file or directory'*)
# Will happen every time first tunnel is activated because
# there is no previous route to PLUTO_PEER_CLIENT. So we
# need to ignore this error.
oops=""
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: changesource \`$it' failed ($oops)" >&2
fi
return $st
}
dorule() {
st=0
it2=
iprule="from $PLUTO_MY_CLIENT"
iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# opportunistic encryption work around
st=0
;;
*)
if [ -z "$PLUTO_MY_SOURCEIP" ]
then
if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
fi
else
if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
it2="ip rule $1 iif lo $iprule2"
fi
fi
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it' failed ($oops)" >&2
fi
if test "$st" = "0" -a -n "$it2"
then
oops="`eval $it2 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it2' failed ($oops)" >&2
fi
fi
;;
esac
return $st
}
doroute() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2=
if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
then
parms2="via $PLUTO_NEXT_HOP"
fi
parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
parms3="$IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms3="$parms3 table $IPROUTETABLE"
fi
if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
then
PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
fi
if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
then
addsource
parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
fi
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# opportunistic encryption work around
# need to provide route that eclipses default, without
# replacing it.
it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
ip route $1 128.0.0.0/1 $parms2 $parms3"
;;
*) it="ip route $1 $parms $parms2 $parms3"
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: doroute \`$it' failed ($oops)" >&2
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# need to provide route that eclipses default, without
# replacing it.
parms1="0.0.0.0/1"
parms2="128.0.0.0/1"
it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
;;
*)
parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms="$parms table $IPROUTETABLE"
fi
it="ip route delete $parms 2>&1"
oops="`ip route delete $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
*'RTNETLINK answers: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
uprule
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
downrule
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
uprule
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
downrule
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
uprule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
downrule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
;;
route-host-v6:*|route-client-v6:*)
# connection to me or my client subnet being routed
#uproute_v6
;;
unroute-host-v6:*|unroute-client-v6:*)
# connection to me or my client subnet being unrouted
#downroute_v6
;;
up-host-v6:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host-v6:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client-v6:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client-v6:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ for f in '`ls ${IPSEC_EXECDIR-/usr/libexec/ipsec} | egrep updown`'
+ cat /usr/lib/ipsec/_updown_x509
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
#
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
S_MY_PORT="--sport $PLUTO_MY_PORT"
D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
S_PEER_PORT="--sport $PLUTO_PEER_PORT"
D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
# CAUTION: Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.
LC_ALL=C export LC_ALL
# things that this script gets (from ipsec_pluto(8) man page)
#
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway
# communications is IPv6, then a suffix of -v6 is added
# to the verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_CONN_POLICY
# the policy of the connection, as in:
#
# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
# PLUTO_NEXT_HOP
# is the next hop to which packets bound for the peer
# must be sent.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
# is the IP address of our client net. If the client
# is just the host, this will be the host's own IP
# address.
#
# PLUTO_MY_CLIENT_MASK
# is the mask for our client net. If the client is
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
# if non-empty, then the source address for the route will be
# set to this IP address.
#
# PLUTO_MY_PROTOCOL
# is the protocol for this connection. Useful for
# firewalling.
#
# PLUTO_MY_PORT
# is the port. Useful for firewalling.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
# is the IP address of the peer's client net. If the
# client is just the peer, this will be the peer's
# own IP address.
#
# PLUTO_PEER_CLIENT_MASK
# is the mask for the peer's client net. If the
# client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
# is the protocol set for remote end with port
# selector.
#
# PLUTO_PEER_PORT
# is the peer's port. Useful for firewalling.
#
# PLUTO_CONNECTION_TYPE
#
# Import default _updown configs from the /etc/default/pluto_updown file
#
# Two variables can be set in this file:
#
# DEFAULTSOURCE
# is the default value for PLUTO_MY_SOURCEIP
#
# IPROUTETABLE
# is the default value for IPROUTETABLE
#
# IPROUTEARGS
# is the extra argument list for ip route command
#
# IPRULEARGS
# is the extra argument list for ip rule command
#
if [ -f /etc/default/pluto_updown ]
then
. /etc/default/pluto_updown
fi
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
ip route flush cache
}
downroute() {
doroute delete
ip route flush cache
}
uprule() {
# policy based advanced routing
if [ -n "$IPROUTETABLE" ]
then
dorule delete
dorule add
fi
# virtual sourceip support
if [ -n "$PLUTO_MY_SOURCEIP" ]
then
addsource
changesource
fi
ip route flush cache
}
downrule() {
if [ -n "$IPROUTETABLE" ]
then
dorule delete
ip route flush cache
fi
}
addsource() {
st=0
if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
then
it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: addsource \`$it' failed ($oops)" >&2
fi
fi
return $st
}
changesource() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2="dev ${PLUTO_INTERFACE%:*}"
parms3="src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms3="$parms3 table '$IPROUTETABLE'"
fi
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
it=
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: changesource \`$it' failed ($oops)" >&2
fi
return $st
}
dorule() {
st=0
it2=
iprule="from $PLUTO_MY_CLIENT"
iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
st=0
;;
*)
if [ -z "$PLUTO_MY_SOURCEIP" ]
then
if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
fi
else
if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
it2="ip rule $1 iif lo $iprule2"
fi
fi
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it' failed ($oops)" >&2
fi
if test "$st" = "0" -a -n "$it2"
then
oops="`eval $it2 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it2' failed ($oops)" >&2
fi
fi
;;
esac
return $st
}
doroute() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2=
if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
then
parms2="via $PLUTO_NEXT_HOP"
fi
parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
parms3="$IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms3="$parms3 table $IPROUTETABLE"
fi
if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
then
PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
fi
if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
then
addsource
parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
fi
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
# need to provide route that eclipses default, without
# replacing it.
it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
ip route $1 128.0.0.0/1 $parms2 $parms3"
;;
*) it="ip route $1 $parms $parms2 $parms3"
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: doroute \`$it' failed ($oops)" >&2
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# need to provide route that eclipses default, without
# replacing it.
parms1="0.0.0.0/1"
parms2="128.0.0.0/1"
it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
;;
*)
parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms="$parms table $IPROUTETABLE"
fi
it="ip route delete $parms 2>&1"
oops="`ip route delete $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
*'RTNETLINK answers: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
uprule
# If you are doing a custom version, firewall commands go here.
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
down-host:*)
# connection to me going down
downrule
# If you are doing a custom version, firewall commands go here.
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
up-client:)
# connection to my client subnet coming up
uprule
# If you are doing a custom version, firewall commands go here.
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
down-client:)
# connection to my client subnet going down
downrule
# If you are doing a custom version, firewall commands go here.
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
uprule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
downrule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
;;
route-host-v6:*|route-client-v6:*)
# connection to me or my client subnet being routed
#uproute_v6
;;
unroute-host-v6:*|unroute-client-v6:*)
# connection to me or my client subnet being unrouted
#downroute_v6
;;
up-host-v6:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host-v6:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client-v6:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client-v6:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 601750 3788 0 0 0 0 0 0 601750 3788 0 0 0 0 0 0
eth2:4121833568 561268871 0 1 0 0 0 149589693 3144474233 473002464 0 0 0 0 0 0
eth3:4047833388 447333730 0 0 0 0 0 364057 3799560976 147732035 0 0 0 0 0 0
eth0:2236152130 114322531 2 0 0 1 0 3998425 329050425 356442050 0 0 0 0 0 0
eth1:3230868857 96044402 38458 0 0 19815 0 536052 70612908 77654426 0 0 0 0 0 0
bond0:751786055 1218969534 38460 1 0 19816 0 154488227 3048731246 1054830975 0 0 0 0 0 0
sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
bond0.99:3109996673 81454713 0 0 0 0 0 1390 2324113939 61294523 0 0 0 0 0 0
bond0.102:2250088613 13383155 0 0 0 0 0 0 2533784660 12798858 0 0 0 0 0 0
bond0.100:3132163408 408036449 0 0 0 0 0 5898225 2137477543 641657651 0 0 0 0 0 0
bond0.101:1358629598 710902482 0 0 0 0 0 147113561 944057216 334422868 0 0 0 0 0 0
bond0.103:2553305529 3760772 0 0 0 0 0 43447 3619695152 3939536 0 0 0 0 0 0
br0:4034240422 81800477 0 0 0 0 0 1408245 3698952864 61856592 0 0 0 0 0 0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
br0 00000000 A16746A6 0003 0 0 0 F0FFFFFF 0 0 0
br0 A06746A6 00000000 0001 0 0 0 F0FFFFFF 0 0 0
bond0.101 0002A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
bond0.103 0001A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
bond0.100 0000A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
br0 00000000 A16746A6 0003 0 0 0 00000000 0 0 0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter bond0.100/rp_filter bond0.101/rp_filter
bond0.103/rp_filter br0/rp_filter default/rp_filter eth0/rp_filter
eth1/rp_filter eth2/rp_filter eth3/rp_filter lo/rp_filter
all/rp_filter:1
bond0.100/rp_filter:0
bond0.101/rp_filter:0
bond0.103/rp_filter:0
br0/rp_filter:1
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
eth2/rp_filter:0
eth3/rp_filter:0
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter bond0.100/rp_filter bond0.101/rp_filter
bond0.103/rp_filter br0/rp_filter default/rp_filter eth0/rp_filter
eth1/rp_filter eth2/rp_filter eth3/rp_filter lo/rp_filter
all/rp_filter:1
bond0.100/rp_filter:0
bond0.101/rp_filter:0
bond0.103/rp_filter:0
br0/rp_filter:1
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
eth2/rp_filter:0
eth3/rp_filter:0
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/accept_redirects all/secure_redirects all/send_redirects
bond0.100/accept_redirects bond0.100/secure_redirects
bond0.100/send_redirects bond0.101/accept_redirects
bond0.101/secure_redirects bond0.101/send_redirects
bond0.103/accept_redirects bond0.103/secure_redirects
bond0.103/send_redirects br0/accept_redirects br0/secure_redirects
br0/send_redirects default/accept_redirects default/secure_redirects
default/send_redirects eth0/accept_redirects eth0/secure_redirects
eth0/send_redirects eth1/accept_redirects eth1/secure_redirects
eth1/send_redirects eth2/accept_redirects eth2/secure_redirects
eth2/send_redirects eth3/accept_redirects eth3/secure_redirects
eth3/send_redirects lo/accept_redirects lo/secure_redirects
lo/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:1
bond0.100/accept_redirects:1
bond0.100/secure_redirects:1
bond0.100/send_redirects:1
bond0.101/accept_redirects:1
bond0.101/secure_redirects:1
bond0.101/send_redirects:1
bond0.103/accept_redirects:1
bond0.103/secure_redirects:1
bond0.103/send_redirects:1
br0/accept_redirects:1
br0/secure_redirects:1
br0/send_redirects:1
default/accept_redirects:1
default/secure_redirects:1
default/send_redirects:1
eth0/accept_redirects:1
eth0/secure_redirects:1
eth0/send_redirects:1
eth1/accept_redirects:1
eth1/secure_redirects:1
eth1/send_redirects:1
eth2/accept_redirects:1
eth2/secure_redirects:1
eth2/send_redirects:1
eth3/accept_redirects:1
eth3/secure_redirects:1
eth3/send_redirects:1
lo/accept_redirects:1
lo/secure_redirects:1
lo/send_redirects:1
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+ uname -a
Linux gateway 2.6.18-5-686 #1 SMP Mon Dec 24 16:41:07 UTC 2007 i686 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ distro-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/redhat-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/debian-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/SuSE-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/mandrake-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/mandriva-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.18-5-686) support detected '
NETKEY (2.6.18-5-686) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/lib/ipsec/barf: line 305: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy DROP 2 packets, 335 bytes)
pkts bytes target prot opt in out source
destination
3102 294K ACCEPT 0 -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 0 -- lo * 0.0.0.0/0
0.0.0.0/0
185 31026 br0_in 0 -- br0 * 0.0.0.0/0
0.0.0.0/0
32569 2910K bond0_100_in 0 -- bond0.100 *
0.0.0.0/0 0.0.0.0/0
2388 294K bond0_101_in 0 -- bond0.101 *
0.0.0.0/0 0.0.0.0/0
0 0 bond0_103_in 0 -- bond0.103 *
0.0.0.0/0 0.0.0.0/0
35 5337 ppp_in 0 -- ppp+ * 0.0.0.0/0
0.0.0.0/0
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy DROP 1 packets, 84 bytes)
pkts bytes target prot opt in out source
destination
14M 13G ACCEPT 0 -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
24999 1934K br0_fwd 0 -- br0 * 0.0.0.0/0
0.0.0.0/0
2528 152K bond0_100_fwd 0 -- bond0.100 *
0.0.0.0/0 0.0.0.0/0
6647 556K bond0_101_fwd 0 -- bond0.101 *
0.0.0.0/0 0.0.0.0/0
0 0 bond0_103_fwd 0 -- bond0.103 *
0.0.0.0/0 0.0.0.0/0
57 2928 ppp_fwd 0 -- ppp+ * 0.0.0.0/0
0.0.0.0/0
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
3092 577K ACCEPT 0 -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 0 -- * lo 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT udp -- * bond0.100 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
0 0 ACCEPT udp -- * bond0.101 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
0 0 ACCEPT udp -- * bond0.103 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
19 1390 fw2net 0 -- * br0 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-out bond0.99 policy match
dir out pol none
16 1138 fw2pub 0 -- * br0 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
25 2286 fw2loc 0 -- * bond0.100 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 fw2loc 0 -- * bond0.101 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 fw2loc 0 -- * bond0.103 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 fw2loc 0 -- * ppp+ 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 fw2vpn 0 -- * br0 0.0.0.0/0
0.0.0.0/0 policy match dir out pol ipsec
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:ACCEPT:'
0 0 ACCEPT 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain Drop (4 references)
pkts bytes target prot opt in out source
destination
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113
17553 1497K dropBcast 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 11
17497 1481K dropInvalid 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,445
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:137 dpts:1024:65535
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900
14 768 dropNotSyn tcp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53
Chain Reject (15 references)
pkts bytes target prot opt in out source
destination
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113
511 45048 dropBcast 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 11
511 45048 dropInvalid 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,445
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:137 dpts:1024:65535
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900
22 1250 dropNotSyn tcp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53
Chain all2all (6 references)
pkts bytes target prot opt in out source
destination
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain bond0_100_fwd (1 references)
pkts bytes target prot opt in out source
destination
2528 152K dynamic 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
2528 152K smurfs 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW policy match dir in pol none
2286 126K tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
2528 152K loc2pub 0 -- * br0 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 ACCEPT 0 -- * bond0.101 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 ACCEPT 0 -- * bond0.103 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 ACCEPT 0 -- * ppp+ 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 loc2vpn 0 -- * br0 0.0.0.0/0
0.0.0.0/0 policy match dir out pol ipsec
Chain bond0_100_in (1 references)
pkts bytes target prot opt in out source
destination
32569 2910K dynamic 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
32569 2910K smurfs 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW policy match dir in pol none
142 46617 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
1 60 tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
32427 2863K loc2fw 0 -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
Chain bond0_101_fwd (1 references)
pkts bytes target prot opt in out source
destination
6647 556K dynamic 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
6647 556K smurfs 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW policy match dir in pol none
5715 484K tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
404 32320 loc2pub 0 -- * br0 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
6243 524K ACCEPT 0 -- * bond0.100 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 ACCEPT 0 -- * bond0.103 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 ACCEPT 0 -- * ppp+ 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 loc2vpn 0 -- * br0 0.0.0.0/0
0.0.0.0/0 policy match dir out pol ipsec
Chain bond0_101_in (1 references)
pkts bytes target prot opt in out source
destination
2388 294K dynamic 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
2388 294K smurfs 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW policy match dir in pol none
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
0 0 tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
2388 294K loc2fw 0 -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
Chain bond0_103_fwd (1 references)
pkts bytes target prot opt in out source
destination
0 0 dynamic 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
0 0 smurfs 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW policy match dir in pol none
0 0 tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
0 0 loc2pub 0 -- * br0 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 ACCEPT 0 -- * bond0.100 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 ACCEPT 0 -- * bond0.101 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 ACCEPT 0 -- * ppp+ 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 loc2vpn 0 -- * br0 0.0.0.0/0
0.0.0.0/0 policy match dir out pol ipsec
Chain bond0_103_in (1 references)
pkts bytes target prot opt in out source
destination
0 0 dynamic 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
0 0 smurfs 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW policy match dir in pol none
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
0 0 tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
0 0 loc2fw 0 -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
Chain br0_fwd (1 references)
pkts bytes target prot opt in out source
destination
24999 1934K dynamic 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
24999 1934K smurfs 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW policy match dir in pol none
0 0 vpn_frwd 0 -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol ipsec
21202 1705K net2dmz 0 -- * br0 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.99 PHYSDEV match
--physdev-out bond0.102 policy match dir out pol none
0 0 net2pub 0 -- * br0 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.99 policy match dir
out pol none
0 0 net2loc 0 -- * bond0.100 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.99 policy match dir
out pol none
0 0 net2loc 0 -- * bond0.101 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.99 policy match dir
out pol none
0 0 net2loc 0 -- * bond0.103 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.99 policy match dir
out pol none
0 0 net2loc 0 -- * ppp+ 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.99 policy match dir
out pol none
4 291 dmz2net 0 -- * br0 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.102 PHYSDEV match
--physdev-out bond0.99 policy match dir out pol none
0 0 dmz2pub 0 -- * br0 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.102 policy match
dir out pol none
3793 228K dmz2loc 0 -- * bond0.100 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.102 policy match
dir out pol none
0 0 dmz2loc 0 -- * bond0.101 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.102 policy match
dir out pol none
0 0 dmz2loc 0 -- * bond0.103 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.102 policy match
dir out pol none
0 0 dmz2loc 0 -- * ppp+ 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.102 policy match
dir out pol none
0 0 dmz2vpn 0 -- * br0 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.102 policy match
dir out pol ipsec
0 0 all2all 0 -- * bond0.100 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 all2all 0 -- * bond0.101 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 all2all 0 -- * bond0.103 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 all2all 0 -- * ppp+ 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
Chain br0_in (1 references)
pkts bytes target prot opt in out source
destination
185 31026 dynamic 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
164 28275 smurfs 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW policy match dir in pol none
164 28275 net2fw 0 -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.99 policy match dir
in pol none
0 0 dmz2fw 0 -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in bond0.102 policy match
dir in pol none
0 0 all2all 0 -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
21 2751 vpn2fw 0 -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol ipsec
Chain dmz2all (0 references)
pkts bytes target prot opt in out source
destination
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:dmz2all:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain dmz2fw (1 references)
pkts bytes target prot opt in out source
destination
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:dmz2fw:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain dmz2loc (4 references)
pkts bytes target prot opt in out source
destination
29 1992 ACCEPT udp -- * * ***.***.103.164
192.168.0.6 udp dpt:53
0 0 ACCEPT tcp -- * * ***.***.103.164
192.168.0.6 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.0.6 tcp dpt:123
26 1976 ACCEPT udp -- * * 0.0.0.0/0
192.168.0.6 udp dpt:123
0 0 ACCEPT tcp -- * * ***.***.103.163
192.168.0.6 tcp dpt:389
4 240 ACCEPT tcp -- * * ***.***.103.164
0.0.0.0/0 multiport dports 22,3389,5900
3694 222K ACCEPT tcp -- * * ***.***.103.164
192.168.0.6 multiport dports 2049,111,389
0 0 ACCEPT udp -- * * ***.***.103.164
192.168.0.6 multiport dports 2049,111,758,875,691
40 2112 ACCEPT tcp -- * * ***.***.103.164
192.168.0.4 multiport dports 2049,111,758,874,789,624,625
0 0 ACCEPT udp -- * * ***.***.103.164
192.168.0.4 multiport dports 2049,111,758,874,789,624,625
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:dmz2loc:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain dmz2net (1 references)
pkts bytes target prot opt in out source
destination
4 291 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * ***.***.103.163
0.0.0.0/0 multiport dports 25,80
0 0 ACCEPT tcp -- * * ***.***.103.164
0.0.0.0/0 multiport dports 80,443,22,21,20
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:dmz2net:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain dmz2pub (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:873
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5190
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5050
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1863
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:587
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:88
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:749
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:750
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:751
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1194
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:47
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:873
Chain dmz2vpn (1 references)
pkts bytes target prot opt in out source
destination
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:dmz2vpn:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source
destination
56 16012 DROP 0 -- * * 0.0.0.0/0
0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP 0 -- * * 0.0.0.0/0
0.0.0.0/0 PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source
destination
133 6108 DROP 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source
destination
16 962 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:!0x17/0x02
Chain dynamic (10 references)
pkts bytes target prot opt in out source
destination
Chain fw2all (2 references)
pkts bytes target prot opt in out source
destination
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:fw2all:ACCEPT:'
0 0 ACCEPT 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2loc (4 references)
pkts bytes target prot opt in out source
destination
18 1260 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.0.6 multiport dports 1812,1813
7 1026 ACCEPT udp -- * * 0.0.0.0/0
192.168.0.6 multiport dports 1812,1813
0 0 fw2all 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source
destination
3 252 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
0 0 ACCEPT esp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:500 state NEW
0 0 ACCEPT esp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:500 state NEW
Chain fw2pub (1 references)
pkts bytes target prot opt in out source
destination
16 1138 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:873
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5190
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5050
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1863
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:587
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:88
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:749
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:750
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:751
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1194
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:47
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:873
0 0 fw2all 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2vpn (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1701
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:500 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:500 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:4500 state NEW
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:fw2vpn:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2all (0 references)
pkts bytes target prot opt in out source
destination
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:loc2all:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2fw (4 references)
pkts bytes target prot opt in out source
destination
1 60 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
193 16212 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
34656 3147K ACCEPT 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2pub (4 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
146 12752 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
2062 114K ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80
44 2496 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21
2 128 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:25
143 7424 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:143
4 192 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:873
18 792 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5190
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5050
6 270 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1863
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:587
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:88
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:749
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:750
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:751
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1194
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:47
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:873
0 0 ACCEPT tcp -- * * 192.168.0.6
0.0.0.0/0 tcp dpt:123
50 3800 ACCEPT udp -- * * 192.168.0.6
0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0
203.246.118.83 tcp dpt:19050
0 0 ACCEPT udp -- * * 0.0.0.0/0
203.246.118.83 udp dpt:19050
511 45048 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
456 42526 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:loc2pub:REJECT:'
456 42526 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2vpn (4 references)
pkts bytes target prot opt in out source
destination
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:loc2vpn:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source
destination
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
0 0 DROP 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain logflags (5 references)
pkts bytes target prot opt in out source
destination
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logflags:DROP:'
0 0 DROP 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source
destination
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:logreject:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2all (0 references)
pkts bytes target prot opt in out source
destination
0 0 Drop 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
0 0 DROP 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2dmz (1 references)
pkts bytes target prot opt in out source
destination
1952 117K ACCEPT tcp -- * * 0.0.0.0/0
***.***.103.163 multiport dports 22,80,443
1835 110K ACCEPT tcp -- * * 0.0.0.0/0
***.***.103.164 multiport dports 22,21,20
17415 1478K Drop 0 -- * * 0.0.0.0/0
0.0.0.0/0
17385 1470K LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2dmz:DROP:'
17385 1470K DROP 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source
destination
0 0 reject icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
18 3024 ACCEPT esp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
5 1700 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:500 state NEW
0 0 ACCEPT esp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:500 state NEW
3 4932 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:4500 state NEW
138 18619 Drop 0 -- * * 0.0.0.0/0
0.0.0.0/0
18 6161 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2fw:DROP:'
18 6161 DROP 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2loc (4 references)
pkts bytes target prot opt in out source
destination
0 0 Drop 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2loc:DROP:'
0 0 DROP 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2pub (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:873
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5190
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5050
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1863
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:587
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:88
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:749
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:750
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:751
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1194
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:47
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:873
Chain ppp_fwd (1 references)
pkts bytes target prot opt in out source
destination
57 2928 dynamic 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
54 2640 loc2pub 0 -- * br0 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
3 288 ACCEPT 0 -- * bond0.100 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 ACCEPT 0 -- * bond0.101 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 ACCEPT 0 -- * bond0.103 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 loc2vpn 0 -- * br0 0.0.0.0/0
0.0.0.0/0 policy match dir out pol ipsec
Chain ppp_in (1 references)
pkts bytes target prot opt in out source
destination
35 5337 dynamic 0 -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
35 5337 loc2fw 0 -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
Chain reject (23 references)
pkts bytes target prot opt in out source
destination
0 0 DROP 0 -- * * 255.255.255.255
0.0.0.0/0
0 0 DROP 0 -- * * 224.0.0.0/4
0.0.0.0/0
0 0 DROP 0 -- * * 0.0.0.0/0
0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP 0 -- * * 0.0.0.0/0
0.0.0.0/0 PKTTYPE = multicast
0 0 DROP 0 -- * * 255.255.255.255
0.0.0.0/0
0 0 DROP 0 -- * * 224.0.0.0/4
0.0.0.0/0
6 288 REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with tcp-reset
450 42238 REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT 0 -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source
destination
Chain smurfs (8 references)
pkts bytes target prot opt in out source
destination
0 0 LOG 0 -- * * ***.***.103.175
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * ***.***.103.175
0.0.0.0/0
0 0 LOG 0 -- * * 192.168.0.255
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 192.168.0.255
0.0.0.0/0
0 0 LOG 0 -- * * 192.168.2.255
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 192.168.2.255
0.0.0.0/0
0 0 LOG 0 -- * * 192.168.1.255
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 192.168.1.255
0.0.0.0/0
0 0 LOG 0 -- * * 255.255.255.255
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 255.255.255.255
0.0.0.0/0
0 0 LOG 0 -- * * 224.0.0.0/4
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 224.0.0.0/4
0.0.0.0/0
Chain tcpflags (6 references)
pkts bytes target prot opt in out source
destination
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:0 flags:0x17/0x02
Chain vpn2dmz (1 references)
pkts bytes target prot opt in out source
destination
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:vpn2dmz:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain vpn2fw (1 references)
pkts bytes target prot opt in out source
destination
21 2751 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1701
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:500 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:500 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:4500 state NEW
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:vpn2fw:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain vpn2loc (4 references)
pkts bytes target prot opt in out source
destination
0 0 Reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:vpn2loc:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain vpn2pub (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:993
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:873
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5190
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5050
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1863
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:587
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:88
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:749
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:750
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:751
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1194
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:47
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:873
0 0 all2all 0 -- * * 0.0.0.0/0
0.0.0.0/0
Chain vpn_frwd (1 references)
pkts bytes target prot opt in out source
destination
0 0 vpn2dmz 0 -- * br0 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-out bond0.102 policy match
dir out pol none
0 0 vpn2pub 0 -- * br0 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 vpn2loc 0 -- * bond0.100 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 vpn2loc 0 -- * bond0.101 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 vpn2loc 0 -- * bond0.103 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
0 0 vpn2loc 0 -- * ppp+ 0.0.0.0/0
0.0.0.0/0 policy match dir out pol none
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 31595 packets, 2699K bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 8145 packets, 499K bytes)
pkts bytes target prot opt in out source
destination
5996 353K br0_masq 0 -- * br0 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 44 packets, 3676 bytes)
pkts bytes target prot opt in out source
destination
Chain br0_masq (1 references)
pkts bytes target prot opt in out source
destination
2178 124K MASQUERADE 0 -- * * 192.168.0.0/24
0.0.0.0/0 policy match dir out pol none
0 0 MASQUERADE 0 -- * * 192.168.2.0/24
0.0.0.0/0 policy match dir out pol none
8 362 MASQUERADE 0 -- * * 192.168.1.0/24
0.0.0.0/0 policy match dir out pol none
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 15M packets, 13G bytes)
pkts bytes target prot opt in out source destination
15M 13G tcpre 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 38282 packets, 3535K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 14M packets, 13G bytes)
pkts bytes target prot opt in out source destination
14M 13G tcfor 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 6257K packets, 2508M bytes)
pkts bytes target prot opt in out source destination
3413 609K tcout 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 14M packets, 13G bytes)
pkts bytes target prot opt in out source destination
14M 13G tcpost 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
xfrm_user 20352 2 - Live 0xf8f07000
xfrm4_tunnel 2624 0 - Live 0xf8ed4000
af_key 32016 0 - Live 0xf8f29000
ipcomp 7336 0 - Live 0xf8ee0000
esp4 7648 0 - Live 0xf8ebf000
ah4 6336 0 - Live 0xf8ead000
ppp_deflate 5792 0 - Live 0xf8efa000
bsd_comp 5600 0 - Live 0xf8ee8000
ppp_async 11008 0 - Live 0xf8ef6000
crc_ccitt 2240 1 ppp_async, Live 0xf8eda000
ppp_generic 25908 3 ppp_deflate,bsd_comp,ppp_async, Live 0xf8eff000
slhc 6528 1 ppp_generic, Live 0xf8ecf000
xfrm4_mode_transport 2176 0 - Live 0xf8ed6000
tunnel4 3396 1 xfrm4_tunnel, Live 0xf8ed2000
deflate 3840 0 - Live 0xf8ebd000
zlib_deflate 18200 2 ppp_deflate,deflate, Live 0xf8f23000
twofish 43136 0 - Live 0xf8f33000
serpent 19008 0 - Live 0xf8f1d000
aes 28160 0 - Live 0xf8f15000
blowfish 9440 0 - Live 0xf8ec6000
des 17536 0 - Live 0xf8f0f000
sha256 11104 0 - Live 0xf8ec2000
sha1 2656 0 - Live 0xf8eb6000
crypto_null 2656 0 - Live 0xf8eb4000
ip6table_filter 2912 1 - Live 0xf8eb2000
ip6_tables 14148 1 ip6table_filter, Live 0xf8eb8000
ipv6 226272 27 - Live 0xf8f5a000
button 6672 0 - Live 0xf8ea3000
ac 5188 0 - Live 0xf8eaa000
battery 9636 0 - Live 0xf8ecb000
iptable_raw 2144 0 - Live 0xf8eb0000
xt_policy 3648 76 - Live 0xf8ea8000
xt_multiport 3264 15 - Live 0xf8ea6000
ipt_ULOG 7780 0 - Live 0xf8e95000
ipt_TTL 2400 0 - Live 0xf8ea1000
ipt_ttl 1984 0 - Live 0xf8e9f000
ipt_TOS 2304 0 - Live 0xf8e9d000
ipt_tos 1760 0 - Live 0xf8e9b000
ipt_TCPMSS 4096 0 - Live 0xf8e84000
ipt_SAME 2496 0 - Live 0xf8e8f000
ipt_REJECT 5248 4 - Live 0xf8e98000
ipt_REDIRECT 2176 0 - Live 0xf8e8d000
ipt_recent 8432 0 - Live 0xf8e91000
ipt_owner 2080 0 - Live 0xf8e8b000
ipt_NETMAP 2176 0 - Live 0xf8e86000
ipt_MASQUERADE 3712 3 - Live 0xf8e7c000
ipt_LOG 6112 30 - Live 0xf8e88000
ipt_iprange 1888 0 - Live 0xf8e7e000
ipt_hashlimit 8744 0 - Live 0xf8e80000
ipt_ECN 3072 0 - Live 0xf8e66000
ipt_ecn 2304 0 - Live 0xf8e7a000
ipt_DSCP 2336 0 - Live 0xf8e74000
ipt_dscp 1792 0 - Live 0xf8e72000
ipt_CLUSTERIP 8196 0 - Live 0xf8e76000
ipt_ah 2016 0 - Live 0xf8e70000
ipt_addrtype 1952 0 - Live 0xf8e6e000
ip_nat_tftp 1920 0 - Live 0xf8e68000
ip_nat_snmp_basic 9316 0 - Live 0xf8e6a000
ip_nat_pptp 5988 0 - Live 0xf8e5a000
ip_nat_irc 2720 0 - Live 0xf8e64000
ip_nat_ftp 3328 0 - Live 0xf8e62000
ip_nat_amanda 2400 0 - Live 0xf8e60000
ip_conntrack_tftp 4344 1 ip_nat_tftp, Live 0xf8e5d000
ip_conntrack_pptp 11504 1 ip_nat_pptp, Live 0xf8e45000
ip_conntrack_netbios_ns 3040 0 - Live 0xf8e41000
ip_conntrack_irc 6800 1 ip_nat_irc, Live 0xf8e57000
ip_conntrack_ftp 7760 1 ip_nat_ftp, Live 0xf8df9000
ts_kmp 2208 5 - Live 0xf8e43000
ip_conntrack_amanda 4932 1 ip_nat_amanda, Live 0xf8e3e000
xt_tcpmss 2336 0 - Live 0xf8e3c000
xt_pkttype 2016 4 - Live 0xf8e3a000
xt_physdev 3024 19 - Live 0xf8e38000
bridge 49436 1 xt_physdev, Live 0xf8e49000
xt_NFQUEUE 2144 0 - Live 0xf8e36000
xt_MARK 2464 0 - Live 0xf8e34000
xt_mark 1984 0 - Live 0xf8e32000
xt_mac 2016 0 - Live 0xf8e30000
xt_limit 2752 0 - Live 0xf8e2e000
xt_length 2048 0 - Live 0xf8e2c000
xt_helper 2560 0 - Live 0xf8e2a000
xt_dccp 3396 0 - Live 0xf8e28000
xt_conntrack 2624 0 - Live 0xf8e26000
xt_CONNMARK 2464 0 - Live 0xf8e24000
xt_connmark 2144 0 - Live 0xf8e04000
xt_CLASSIFY 1984 0 - Live 0xf8e02000
xt_tcpudp 3136 165 - Live 0xf8dde000
xt_state 2272 33 - Live 0xf8de0000
iptable_nat 7044 1 - Live 0xf8df6000
ip_nat 16876 10 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_tftp,ip_nat_pptp,ip_nat_irc,ip_nat_ftp,ip_nat_amanda,iptable_nat, Live 0xf8dfc000
ip_conntrack 49088 20 ipt_MASQUERADE,ip_nat_tftp,ip_nat_snmp_basic,ip_nat_pptp,ip_nat_irc,ip_nat_ftp,ip_nat_amanda,ip_conntrack_tftp,ip_conntrack_pptp,ip_conntrack_netbios_ns,ip_conntrack_irc,ip_conntrack_ftp,ip_conntrack_amanda,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,ip_nat, Live 0xf8e06000
iptable_mangle 2880 1 - Live 0xf8dd1000
nfnetlink 6680 2 ip_nat,ip_conntrack, Live 0xf8dcc000
iptable_filter 3104 1 - Live 0xf8dcf000
ip_tables 13028 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter, Live 0xf8dd9000
x_tables 13316 45 ip6_tables,xt_policy,xt_multiport,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_TCPMSS,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_hashlimit,ipt_ECN,ipt_ecn,ipt_DSCP,ipt_dscp,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_NFQUEUE,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_helper,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables, Live 0xf8a19000
8021q 18344 0 - Live 0xf8dd3000
bonding 71528 0 - Live 0xf8de3000
dm_snapshot 15552 0 - Live 0xf89b1000
dm_mirror 19152 0 - Live 0xf899b000
dm_mod 50232 2 dm_snapshot,dm_mirror, Live 0xf89e1000
loop 15048 0 - Live 0xf89a6000
rtc 12372 0 - Live 0xf89a1000
i2c_i801 7468 0 - Live 0xf893a000
i2c_core 19680 1 i2c_i801, Live 0xf8941000
pcspkr 3072 0 - Live 0xf88de000
psmouse 35016 0 - Live 0xf8991000
serio_raw 6660 0 - Live 0xf8937000
tsdev 7520 0 - Live 0xf88ab000
evdev 9088 0 - Live 0xf8933000
reiserfs 212640 3 - Live 0xf8a1e000
sd_mod 19040 5 - Live 0xf8890000
ide_cd 36064 0 - Live 0xf88ca000
cdrom 32544 1 ide_cd, Live 0xf88d5000
usbhid 37248 0 - Live 0xf88f1000
ata_piix 13896 4 - Live 0xf88a2000
libata 89396 1 ata_piix, Live 0xf8969000
scsi_mod 124168 2 sd_mod,libata, Live 0xf8949000
piix 9444 0 [permanent], Live 0xf889e000
ehci_hcd 28136 0 - Live 0xf8896000
e1000 108480 0 - Live 0xf88ae000
generic 4868 0 [permanent], Live 0xf8821000
ide_core 110504 3 ide_cd,piix,generic, Live 0xf883b000
tg3 94948 0 - Live 0xf8874000
uhci_hcd 21164 0 - Live 0xf8834000
usbcore 112644 4 usbhid,ehci_hcd,uhci_hcd, Live 0xf8857000
thermal 13608 0 - Live 0xf882f000
processor 28840 1 thermal, Live 0xf8826000
fan 4804 0 - Live 0xf8819000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 1036436 kB
MemFree: 666672 kB
Buffers: 88424 kB
Cached: 147908 kB
SwapCached: 0 kB
Active: 283860 kB
Inactive: 42904 kB
HighTotal: 130816 kB
HighFree: 2532 kB
LowTotal: 905620 kB
LowFree: 664140 kB
SwapTotal: 3710928 kB
SwapFree: 3710928 kB
Dirty: 136 kB
Writeback: 0 kB
AnonPages: 90472 kB
Mapped: 6808 kB
Slab: 29732 kB
PageTables: 1080 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 4229144 kB
Committed_AS: 763656 kB
VmallocTotal: 114680 kB
VmallocUsed: 7744 kB
VmallocChunk: 106692 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.18-5-686/build/.config
+ echo 'no .config file found, cannot list kernel properties'
no .config file found, cannot list kernel properties
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.crit;news.err;news.notice;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
+ _________________________ etc/syslog-ng/syslog-ng.conf
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search reaction-eng.com
nameserver 192.168.0.6
nameserver 198.60.22.2
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 0
drwxr-xr-x 3 root root 440 Dec 28 14:59 2.6.18-5-686
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c022812a T __netif_rx_schedule
c0229168 T netif_rx
c022a514 T netif_rx_ni
c0229168 U netif_rx [ppp_generic]
c0229168 U netif_rx [ipv6]
c0229168 U netif_rx [8021q]
c022812a U __netif_rx_schedule [e1000]
c022812a U __netif_rx_schedule [tg3]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.18-5-686:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '3611,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Mar 2 14:18:26 firewall ipsec_setup: Starting Openswan IPsec 2.4.6...
Mar 2 14:18:26 firewall ipsec_setup: insmod /lib/modules/2.6.18-5-686/kernel/net/key/af_key.ko
Mar 2 14:18:26 firewall ipsec_setup: insmod /lib/modules/2.6.18-5-686/kernel/net/ipv4/xfrm4_tunnel.ko
Mar 2 14:18:26 firewall ipsec_setup: insmod /lib/modules/2.6.18-5-686/kernel/net/xfrm/xfrm_user.ko
+ _________________________ plog
+ sed -n '376,$p' /var/log/auth.log
+ egrep -i pluto
+ case "$1" in
+ cat
Mar 2 14:18:26 firewall ipsec__plutorun: Starting Pluto subsystem...
Mar 2 14:18:26 firewall pluto[746]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
Mar 2 14:18:26 firewall pluto[746]: Setting NAT-Traversal port-4500 floating to on
Mar 2 14:18:26 firewall pluto[746]: port floating activation criteria nat_t=1/port_fload=1
Mar 2 14:18:26 firewall pluto[746]: including NAT-Traversal patch (Version 0.6c)
Mar 2 14:18:26 firewall pluto[746]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Mar 2 14:18:26 firewall pluto[746]: WARNING: Using /dev/urandom as the source of random
Mar 2 14:18:26 firewall pluto[746]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 2 14:18:26 firewall pluto[746]: no helpers will be started, all cryptographic operations will be done inline
Mar 2 14:18:26 firewall pluto[746]: Using Linux 2.6 IPsec interface code on 2.6.18-5-686
Mar 2 14:18:26 firewall pluto[746]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 2 14:18:26 firewall pluto[746]: loaded CA cert file 'cacert.pem' (1505 bytes)
Mar 2 14:18:26 firewall pluto[746]: Changing to directory '/etc/ipsec.d/aacerts'
Mar 2 14:18:26 firewall pluto[746]: Changing to directory '/etc/ipsec.d/ocspcerts'
Mar 2 14:18:26 firewall pluto[746]: Changing to directory '/etc/ipsec.d/crls'
Mar 2 14:18:26 firewall pluto[746]: Warning: empty directory
Mar 2 14:18:26 firewall pluto[746]: loaded host cert file '/etc/ipsec.d/certs/gateway.reaction-eng.com.pem' (1046 bytes)
Mar 2 14:18:26 firewall pluto[746]: added connection description "l2tp-X.509"
Mar 2 14:18:26 firewall pluto[746]: listening for IKE messages
Mar 2 14:18:26 firewall pluto[746]: adding interface br0/br0 ***.***.103.174:500
Mar 2 14:18:26 firewall pluto[746]: adding interface br0/br0 ***.***.103.174:4500
Mar 2 14:18:26 firewall pluto[746]: adding interface bond0.103/bond0.103 192.168.1.1:500
Mar 2 14:18:26 firewall pluto[746]: adding interface bond0.103/bond0.103 192.168.1.1:4500
Mar 2 14:18:26 firewall pluto[746]: adding interface bond0.101/bond0.101 192.168.2.1:500
Mar 2 14:18:26 firewall pluto[746]: adding interface bond0.101/bond0.101 192.168.2.1:4500
Mar 2 14:18:26 firewall pluto[746]: adding interface bond0.100/bond0.100 192.168.0.1:500
Mar 2 14:18:26 firewall pluto[746]: adding interface bond0.100/bond0.100 192.168.0.1:4500
Mar 2 14:18:26 firewall pluto[746]: adding interface lo/lo 127.0.0.1:500
Mar 2 14:18:26 firewall pluto[746]: adding interface lo/lo 127.0.0.1:4500
Mar 2 14:18:26 firewall pluto[746]: adding interface lo/lo ::1:500
Mar 2 14:18:27 firewall pluto[746]: loading secrets from "/etc/ipsec.secrets"
Mar 2 14:18:27 firewall pluto[746]: loaded private key file '/etc/ipsec.d/private/gateway.reaction-eng.com.key' (887 bytes)
Mar 2 14:18:33 firewall pluto[746]: packet from 155.97.239.238:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 2 14:18:33 firewall pluto[746]: packet from 155.97.239.238:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 2 14:18:33 firewall pluto[746]: packet from 155.97.239.238:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 2 14:18:33 firewall pluto[746]: packet from 155.97.239.238:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 2 14:18:33 firewall pluto[746]: "l2tp-X.509"[1] 155.97.239.238 #1: responding to Main Mode from unknown peer 155.97.239.238
Mar 2 14:18:33 firewall pluto[746]: "l2tp-X.509"[1] 155.97.239.238 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 2 14:18:33 firewall pluto[746]: "l2tp-X.509"[1] 155.97.239.238 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 2 14:18:33 firewall pluto[746]: "l2tp-X.509"[1] 155.97.239.238 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 2 14:18:33 firewall pluto[746]: "l2tp-X.509"[1] 155.97.239.238 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 2 14:18:33 firewall pluto[746]: "l2tp-X.509"[1] 155.97.239.238 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[1] 155.97.239.238 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Tolboe, E=tolboe at reaction-eng.com'
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[1] 155.97.239.238 #1: no crl from issuer "C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Reaction Engineering Certification Authority, E=admin at reaction-eng.com" found (strict=no)
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[1] 155.97.239.238 #1: switched from "l2tp-X.509" to "l2tp-X.509"
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #1: deleting connection "l2tp-X.509" instance with peer 155.97.239.238 {isakmp=#0/ipsec=#0}
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #1: I am sending my cert
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 2 14:18:34 firewall pluto[746]: | NAT-T: new mapping 155.97.239.238:500/4500)
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #2: responding to Quick Mode {msgid:cca6e5ad}
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x4313518b <0x8c64e023 xfrm=3DES_0-HMAC_MD5 NATD=155.97.239.238:4500 DPD=none}
Mar 2 14:18:40 firewall pluto[746]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 2 14:19:01 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #1: received Delete SA(0x4313518b) payload: deleting IPSEC State #2
Mar 2 14:19:01 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #1: received and ignored informational message
Mar 2 14:19:01 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #1: received Delete SA payload: deleting ISAKMP State #1
Mar 2 14:19:01 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238: deleting connection "l2tp-X.509" instance with peer 155.97.239.238 {isakmp=#0/ipsec=#0}
Mar 2 14:19:01 firewall pluto[746]: packet from 155.97.239.238:4500: received and ignored informational message
Mar 2 14:19:03 firewall pluto[746]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 2 21:03:20 firewall pluto[746]: packet from 155.97.239.238:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 2 21:03:21 firewall pluto[746]: packet from 155.97.239.238:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 2 21:03:21 firewall pluto[746]: packet from 155.97.239.238:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 2 21:03:21 firewall pluto[746]: packet from 155.97.239.238:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[3] 155.97.239.238 #3: responding to Main Mode from unknown peer 155.97.239.238
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[3] 155.97.239.238 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[3] 155.97.239.238 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[3] 155.97.239.238 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[3] 155.97.239.238 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[3] 155.97.239.238 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[3] 155.97.239.238 #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Tolboe, E=tolboe at reaction-eng.com'
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[3] 155.97.239.238 #3: no crl from issuer "C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Reaction Engineering Certification Authority, E=admin at reaction-eng.com" found (strict=no)
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[3] 155.97.239.238 #3: switched from "l2tp-X.509" to "l2tp-X.509"
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #3: deleting connection "l2tp-X.509" instance with peer 155.97.239.238 {isakmp=#0/ipsec=#0}
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #3: I am sending my cert
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 2 21:03:21 firewall pluto[746]: | NAT-T: new mapping 155.97.239.238:500/4500)
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #4: responding to Quick Mode {msgid:5a00d695}
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xd51b4d10 <0x8bca1cb6 xfrm=3DES_0-HMAC_MD5 NATD=155.97.239.238:4500 DPD=none}
Mar 2 21:03:32 firewall pluto[746]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 2 21:03:51 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #3: received Delete SA(0xd51b4d10) payload: deleting IPSEC State #4
Mar 2 21:03:51 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #3: received and ignored informational message
Mar 2 21:03:51 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #3: received Delete SA payload: deleting ISAKMP State #3
Mar 2 21:03:51 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238: deleting connection "l2tp-X.509" instance with peer 155.97.239.238 {isakmp=#0/ipsec=#0}
Mar 2 21:03:51 firewall pluto[746]: packet from 155.97.239.238:4500: received and ignored informational message
Mar 2 21:03:54 firewall pluto[746]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 2 21:03:54 firewall pluto[746]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 2 21:04:20 firewall pluto[746]: packet from 155.97.239.238:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 2 21:04:20 firewall pluto[746]: packet from 155.97.239.238:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 2 21:04:20 firewall pluto[746]: packet from 155.97.239.238:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 2 21:04:20 firewall pluto[746]: packet from 155.97.239.238:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Mar 2 21:04:20 firewall pluto[746]: "l2tp-X.509"[5] 155.97.239.238 #5: responding to Main Mode from unknown peer 155.97.239.238
Mar 2 21:04:20 firewall pluto[746]: "l2tp-X.509"[5] 155.97.239.238 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 2 21:04:20 firewall pluto[746]: "l2tp-X.509"[5] 155.97.239.238 #5: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[5] 155.97.239.238 #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[5] 155.97.239.238 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[5] 155.97.239.238 #5: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[5] 155.97.239.238 #5: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Tolboe, E=tolboe at reaction-eng.com'
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[5] 155.97.239.238 #5: no crl from issuer "C=US, ST=Utah, L=Salt Lake City, O=Reaction Engineering International, CN=Reaction Engineering Certification Authority, E=admin at reaction-eng.com" found (strict=no)
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[5] 155.97.239.238 #5: switched from "l2tp-X.509" to "l2tp-X.509"
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238 #5: deleting connection "l2tp-X.509" instance with peer 155.97.239.238 {isakmp=#0/ipsec=#0}
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238 #5: I am sending my cert
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 2 21:04:21 firewall pluto[746]: | NAT-T: new mapping 155.97.239.238:500/4500)
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238 #6: responding to Quick Mode {msgid:c24ddd70}
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238 #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238 #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238 #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 2 21:04:21 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238 #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x5ff49e75 <0x8cd7e0c5 xfrm=3DES_0-HMAC_MD5 NATD=155.97.239.238:4500 DPD=none}
Mar 2 21:04:26 firewall pluto[746]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 2 21:06:32 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238 #5: received Delete SA(0x5ff49e75) payload: deleting IPSEC State #6
Mar 2 21:06:32 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238 #5: received and ignored informational message
Mar 2 21:06:32 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238 #5: received Delete SA payload: deleting ISAKMP State #5
Mar 2 21:06:32 firewall pluto[746]: "l2tp-X.509"[6] 155.97.239.238: deleting connection "l2tp-X.509" instance with peer 155.97.239.238 {isakmp=#0/ipsec=#0}
Mar 2 21:06:32 firewall pluto[746]: packet from 155.97.239.238:4500: received and ignored informational message
Mar 2 21:06:35 firewall pluto[746]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 2 21:06:35 firewall pluto[746]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
+ _________________________ date
+ date
Sun Mar 2 21:11:08 MST 2008
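A triage helper for the plog section of this barf, added here as an example (it is not code from the original post or from Openswan): it correlates each "IPsec SA established" line with the later ICMP error reports for the same peer and with the peer's Delete SA for the same outbound SPI, so the pattern visible above (SA up, UDP 4500 to the NATed client answered with ICMP host unreachable, client tearing the SA down within about half a minute) is reported per session instead of read by eye. The sample log is the page's own pluto entries re-joined into single lines; the verdict names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: pluto lines taken from the barf output above and
# re-joined into single syslog lines (the mail client wrapped them).
SAMPLE_LOG = """\
Mar 2 14:18:34 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x4313518b <0x8c64e023 xfrm=3DES_0-HMAC_MD5 NATD=155.97.239.238:4500 DPD=none}
Mar 2 14:18:40 firewall pluto[746]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 2 14:19:01 firewall pluto[746]: "l2tp-X.509"[2] 155.97.239.238 #1: received Delete SA(0x4313518b) payload: deleting IPSEC State #2
Mar 2 14:19:03 firewall pluto[746]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 2 21:03:21 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xd51b4d10 <0x8bca1cb6 xfrm=3DES_0-HMAC_MD5 NATD=155.97.239.238:4500 DPD=none}
Mar 2 21:03:32 firewall pluto[746]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 2 21:03:51 firewall pluto[746]: "l2tp-X.509"[4] 155.97.239.238 #3: received Delete SA(0xd51b4d10) payload: deleting IPSEC State #4
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"
PREFIX = TS + r"\s+\S+\s+pluto\[\d+\]:\s+"
CONN = r'"(?P<conn>[^"]+)"\[\d+\]\s+(?P<peer>[\d.]+)\s+#\d+:\s+'
RE_ESTABLISHED = re.compile(PREFIX + CONN + r"STATE_QUICK_R2: IPsec SA established "
                            r"\{ESP=>(?P<spi_out>0x[0-9a-f]+).*?NATD=(?P<natd>[\d.]+:\d+)")
RE_NET_ERROR = re.compile(PREFIX + r"ERROR: asynchronous network error report on (?P<iface>\S+) "
                          r"\(sport=(?P<sport>\d+)\) for message to (?P<peer>[\d.]+) port (?P<dport>\d+),"
                          r".*?origin ICMP type (?P<icmp_type>\d+) code (?P<icmp_code>\d+)")
RE_DELETE = re.compile(PREFIX + CONN + r"received Delete SA\((?P<spi_out>0x[0-9a-f]+)\) payload")


def parse_ts(text):
    # syslog stamps carry no year; only deltas inside one log are used
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def classify(f):
    """Name the pattern: SA up, then ICMP type 3 (unreachable) for our UDP 4500
    packets to the NATed peer, then the peer deletes the SA."""
    natt_unreach = [u for u in f["unreachable"] if u["dport"] == "4500" and u["icmp_type"] == "3"]
    if natt_unreach and f["deleted_after_s"] is not None:
        return "natt-return-path-unreachable"
    if natt_unreach:
        return "natt-return-path-unreachable-sa-still-up"
    return "peer-deleted-sa" if f["deleted_after_s"] is not None else "ok"


def analyze_pluto_log(log_text):
    """One finding per IPsec SA (in log order): when it came up, every ICMP
    error report for that peer while it was up, and when the peer deleted it."""
    findings, open_by_peer = [], {}
    for line in log_text.splitlines():
        if m := RE_ESTABLISHED.match(line):
            f = {"peer": m["peer"], "spi_out": m["spi_out"], "natd": m["natd"],
                 "established": parse_ts(m["ts"]), "unreachable": [], "deleted_after_s": None}
            findings.append(f)
            open_by_peer[m["peer"]] = f  # a new SA for a peer supersedes the old one
        elif m := RE_NET_ERROR.match(line):
            f = open_by_peer.get(m["peer"])
            if f is not None:  # reports after teardown are not attributed to any SA
                f["unreachable"].append({"after_s": (parse_ts(m["ts"]) - f["established"]).total_seconds(),
                                         "dport": m["dport"], "icmp_type": m["icmp_type"],
                                         "icmp_code": m["icmp_code"]})
        elif m := RE_DELETE.match(line):
            f = open_by_peer.get(m["peer"])
            if f is not None and f["spi_out"] == m["spi_out"]:
                f["deleted_after_s"] = (parse_ts(m["ts"]) - f["established"]).total_seconds()
                del open_by_peer[m["peer"]]
    for f in findings:
        f["verdict"] = classify(f)
    return findings


if __name__ == "__main__":
    for f in analyze_pluto_log(SAMPLE_LOG):
        first = f["unreachable"][0]["after_s"] if f["unreachable"] else None
        print(f'{f["peer"]} spi={f["spi_out"]} natd={f["natd"]} first_unreach={first}s '
              f'deleted_after={f["deleted_after_s"]}s -> {f["verdict"]}')
```

Feed it `egrep pluto /var/log/auth.log` instead of the sample to see whether every session of a peer ends the same way, which separates a persistent return-path problem from a one-off.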