[Openswan Users] Connection disconnects frequently and will not connect with NAT-T enabled
Jonathan Larsen
jon at heartslc.com
Mon Jan 5 14:56:45 EST 2009
I am using Openswan Version 2.4.13 w/KLIPS.
Using kernel 2.6.19
I do not control the other end of the VPN. All I know is that it's a
Cisco VPN 3000, or at least that is what Openswan reports back.
We've been having trouble with the connection staying connected. After
maybe about 15 min, it disconnects. This is when NAT-T is off; it's the
only way I have actually been able to get it connected.
Here is the output when we connect.
root at windu:~# /usr/local/sbin/ipsec auto --up stmarks_meditech
112 "stmarks_meditech" #1: STATE_AGGR_I1: initiate
003 "stmarks_meditech" #1: received Vendor ID payload [Cisco-Unity]
003 "stmarks_meditech" #1: received Vendor ID payload [XAUTH]
003 "stmarks_meditech" #1: received Vendor ID payload [Dead Peer
Detection]
003 "stmarks_meditech" #1: ignoring Vendor ID payload [FRAGMENTATION
c0000000]
003 "stmarks_meditech" #1: ignoring Vendor ID payload [Cisco VPN 3000
Series]
003 "stmarks_meditech" #1: protocol/port in Phase 1 ID Payload must be
0/0 or 17/500 but are 17/0
003 "stmarks_meditech" #1: protocol/port in Phase 1 ID Payload must be
0/0 or 17/500 but are 17/0
004 "stmarks_meditech" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp1024}
117 "stmarks_meditech" #2: STATE_QUICK_I1: initiate
004 "stmarks_meditech" #2: STATE_QUICK_I2: sent QI2, IPsec SA
established {ESP=>0x824bfd5f <0xa1558950 xfrm=3DES_0-HMAC_SHA1 NATD=none
DPD=none}
root at windu:~# /usr/local/sbin/ipsec auto --up stmarks_pacs
117 "stmarks_pacs" #3: STATE_QUICK_I1: initiate
004 "stmarks_pacs" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0xdf4e67d5 <0xa1558951 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
root at windu:~# /usr/local/sbin/ipsec auto --up stmarks_tracemaster
117 "stmarks_tracemaster" #4: STATE_QUICK_I1: initiate
004 "stmarks_tracemaster" #4: STATE_QUICK_I2: sent QI2, IPsec SA
established {ESP=>0x2811a7fb <0xa1558952 xfrm=3DES_0-HMAC_SHA1 NATD=none
DPD=none}
root at windu:~# /usr/local/sbin/ipsec auto --up stmarks_pacs2
117 "stmarks_pacs2" #5: STATE_QUICK_I1: initiate
004 "stmarks_pacs2" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x8cbcff6f <0xa1558953 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Here are the errors from the secure log just before we notice that it's
stopped working.
Jan 5 12:25:14 windu pluto[4637]: packet from 199.91.34.69:500:
received Vendor ID payload [Cisco-Unity]
Jan 5 12:25:14 windu pluto[4637]: packet from 199.91.34.69:500:
received Vendor ID payload [XAUTH]
Jan 5 12:25:14 windu pluto[4637]: packet from 199.91.34.69:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but port floating is off
Jan 5 12:25:14 windu pluto[4637]: packet from 199.91.34.69:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
port floating is off
Jan 5 12:25:14 windu pluto[4637]: packet from 199.91.34.69:500:
ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: protocol/port in
Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: Aggressive mode
peer ID is ID_IPV4_ADDR: '199.91.34.69'
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: responding to
Aggressive Mode, state #10, connection "stmarks_pacs2" from 199.91.34.69
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: transition from
state STATE_AGGR_R0 to state STATE_AGGR_R1
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: STATE_AGGR_R1:
sent AR1, expecting AI2
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: received Vendor
ID payload [Dead Peer Detection]
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: ignoring Vendor
ID payload [Cisco VPN 3000 Series]
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: Aggressive mode
peer ID is ID_IPV4_ADDR: '199.91.34.69'
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: received Hash
Payload does not match computed value
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: sending
encrypted notification INVALID_HASH_INFORMATION to 199.91.34.69:500
Jan 5 12:25:52 windu pluto[4637]: "stmarks_meditech" #8: received
Delete SA payload: deleting ISAKMP State #8
Jan 5 12:25:52 windu pluto[4637]: packet from 199.91.34.69:500:
received and ignored informational message
Jan 5 12:26:03 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 180
Jan 5 12:26:03 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:03 windu pluto[4637]: | payload malformed after IV
Jan 5 12:26:03 windu pluto[4637]: | 41 77 8e 33 c5 40 5a a5 94 33
84 f2 7f fe f8 eb
Jan 5 12:26:03 windu pluto[4637]: | ce e3 99 33
Jan 5 12:26:03 windu pluto[4637]: "stmarks_pacs2" #10: sending
notification PAYLOAD_MALFORMED to 199.91.34.69:500
Jan 5 12:26:05 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 250
Jan 5 12:26:05 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:05 windu pluto[4637]: | payload malformed after IV
Jan 5 12:26:05 windu pluto[4637]: | 41 77 8e 33 c5 40 5a a5 94 33
84 f2 7f fe f8 eb
Jan 5 12:26:05 windu pluto[4637]: | ce e3 99 33
Jan 5 12:26:05 windu pluto[4637]: "stmarks_pacs2" #10: sending
notification PAYLOAD_MALFORMED to 199.91.34.69:500
Jan 5 12:26:07 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 209
Jan 5 12:26:07 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:07 windu pluto[4637]: | payload malformed after IV
Jan 5 12:26:07 windu pluto[4637]: | 41 77 8e 33 c5 40 5a a5 94 33
84 f2 7f fe f8 eb
Jan 5 12:26:07 windu pluto[4637]: | ce e3 99 33
Jan 5 12:26:07 windu pluto[4637]: "stmarks_pacs2" #10: sending
notification PAYLOAD_MALFORMED to 199.91.34.69:500
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 163
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:09 windu pluto[4637]: | payload malformed after IV
Jan 5 12:26:09 windu pluto[4637]: | 41 77 8e 33 c5 40 5a a5 94 33
84 f2 7f fe f8 eb
Jan 5 12:26:09 windu pluto[4637]: | ce e3 99 33
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: sending
notification PAYLOAD_MALFORMED to 199.91.34.69:500
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 120
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 25
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 229
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 226
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:24 windu pluto[4637]: "stmarks_pacs2" #10: max number of
retransmissions (2) reached STATE_AGGR_R1
I am behind a firewall (where everyone is NATed behind), and my VPN
server is not DMZ'd. I have a SNAT rule on my firewall that translates
the 10.65.33.252/30 network into the public IP that the other side of the
VPN is looking for.
When I enable NAT-T, it fails on "STATE_QUICK_I1: initiate" for any
connection.
When I create an alias of eth0 to be the public IP and add
ipsec1=eth0:0, and change the to: left="my public ip" it hangs on
"STATE_AGGR_I1: initiate".
I can see it leave my firewall at that point too. Just no traffic
coming back from the right side.
I had a feeling that it has to do with me getting it set up correctly
with NAT-T, since they are sending "[draft-ietf-ipsec-nat-t-ike-02_n]"
and I am not sending NAT-T back.
Any help will be greatly appreciated!
Oh, since this is really my first time posting to the list: all this info
is pretty long. Is it more customary to post it elsewhere and provide
links or send it as attachments?
Below is the output of ipsec barf
windu
Wed Dec 31 15:28:53 MST 2008
+ _________________________ version
+ ipsec --version
Linux Openswan 2.4.13 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.19-smp (root at windu) (gcc version 4.2.3) #1 SMP Tue Dec
30 20:03:07 MST 2008
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
0 10.65.33.252/30 -> 10.162.187.18/32 =>
tun0x100e at 199.91.34.69
0 10.65.33.252/30 -> 10.163.173.6/32 =>
tun0x1010 at 199.91.34.69
0 10.65.33.252/30 -> 10.163.173.23/32 =>
tun0x100c at 199.91.34.69
6 10.65.33.252/30 -> 170.229.48.128/26 =>
tun0x100a at 199.91.34.69
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
10.163.173.23 0.0.0.0 255.255.255.255 UH 0 0 0
ipsec0
10.163.173.6 0.0.0.0 255.255.255.255 UH 0 0 0
ipsec0
10.162.187.18 0.0.0.0 255.255.255.255 UH 0 0 0
ipsec0
10.65.33.252 0.0.0.0 255.255.255.252 U 0 0 0
eth0
10.65.33.252 0.0.0.0 255.255.255.252 U 0 0 0
ipsec0
170.229.48.128 0.0.0.0 255.255.255.192 U 0 0 0
ipsec0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0
lo
0.0.0.0 10.65.33.254 0.0.0.0 UG 0 0 0
eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
esp0xbea0f371 at 199.91.34.69 ESP_3DES_HMAC_SHA1: dir=out src=10.65.33.253
iv_bits=64bits iv=0x6918bb2a742c0600 ooowin=64 alen=160 aklen=160
eklen=192 life(c,s,h)=addtime(2562,0,0) natencap=none natsport=0
natdport=0 refcount=4 ref=77
esp0xada163c at 10.65.33.253 ESP_3DES_HMAC_SHA1: dir=in src=199.91.34.69
iv_bits=64bits iv=0x735ee61890057643 ooowin=64 alen=160 aklen=160
eklen=192 life(c,s,h)=addtime(2082,0,0) natencap=none natsport=0
natdport=0 refcount=4 ref=84
esp0xada163b at 10.65.33.253 ESP_3DES_HMAC_SHA1: dir=in src=199.91.34.69
iv_bits=64bits iv=0x673a56d08b0daa62 ooowin=64 alen=160 aklen=160
eklen=192 life(c,s,h)=addtime(2562,0,0) natencap=none natsport=0
natdport=0 refcount=4 ref=72
esp0xada163a at 10.65.33.253 ESP_3DES_HMAC_SHA1: dir=in src=199.91.34.69
iv_bits=64bits iv=0xf317201755ecad6e ooowin=64 alen=160 aklen=160
eklen=192 life(c,s,h)=addtime(2592,0,0) natencap=none natsport=0
natdport=0 refcount=4 ref=58
esp0xada1639 at 10.65.33.253 ESP_3DES_HMAC_SHA1: dir=in src=199.91.34.69
iv_bits=64bits iv=0x61c2d594c8801e24 ooowin=64 alen=160 aklen=160
eklen=192 life(c,s,h)=addtime(2592,0,0) natencap=none natsport=0
natdport=0 refcount=4 ref=48
tun0x1010 at 199.91.34.69 IPIP: dir=out src=10.65.33.253
life(c,s,h)=addtime(2082,0,0) natencap=none natsport=0 natdport=0
refcount=4 ref=88
tun0x100e at 199.91.34.69 IPIP: dir=out src=10.65.33.253
life(c,s,h)=addtime(2562,0,0) natencap=none natsport=0 natdport=0
refcount=4 ref=76
tun0x100c at 199.91.34.69 IPIP: dir=out src=10.65.33.253
life(c,s,h)=addtime(2592,0,0) natencap=none natsport=0 natdport=0
refcount=4 ref=62
tun0x100a at 199.91.34.69 IPIP: dir=out src=10.65.33.253
life(c,s,h)=bytes(408,0,0)addtime(2592,0,0)usetime(195,0,0)packets(6,0,0
) idle=184 natencap=none natsport=0 natdport=0 refcount=10 ref=52
esp0x67efcd68 at 199.91.34.69 ESP_3DES_HMAC_SHA1: dir=out src=10.65.33.253
iv_bits=64bits iv=0xca515cf3e17ca76b ooowin=64 alen=160 aklen=160
eklen=192 life(c,s,h)=addtime(2082,0,0) natencap=none natsport=0
natdport=0 refcount=4 ref=89
esp0xf3df6674 at 199.91.34.69 ESP_3DES_HMAC_SHA1: dir=out src=10.65.33.253
iv_bits=64bits iv=0xab7500e3fa8ead03 ooowin=64 seq=6 alen=160 aklen=160
eklen=192
life(c,s,h)=bytes(624,0,0)addtime(2592,0,0)usetime(195,0,0)packets(6,0,0
) idle=184 natencap=none natsport=0 natdport=0 refcount=4 ref=53
tun0x100f at 10.65.33.253 IPIP: dir=in src=199.91.34.69
policy=10.163.173.6/32->10.65.33.252/30 flags=0x8<>
life(c,s,h)=addtime(2082,0,0) natencap=none natsport=0 natdport=0
refcount=4 ref=83
esp0x77377c44 at 199.91.34.69 ESP_3DES_HMAC_SHA1: dir=out src=10.65.33.253
iv_bits=64bits iv=0x0b4debc088777ad6 ooowin=64 alen=160 aklen=160
eklen=192 life(c,s,h)=addtime(2592,0,0) natencap=none natsport=0
natdport=0 refcount=4 ref=63
tun0x100d at 10.65.33.253 IPIP: dir=in src=199.91.34.69
policy=10.162.187.18/32->10.65.33.252/30 flags=0x8<>
life(c,s,h)=addtime(2562,0,0) natencap=none natsport=0 natdport=0
refcount=4 ref=71
tun0x100b at 10.65.33.253 IPIP: dir=in src=199.91.34.69
policy=10.163.173.23/32->10.65.33.252/30 flags=0x8<>
life(c,s,h)=addtime(2592,0,0) natencap=none natsport=0 natdport=0
refcount=4 ref=57
tun0x1009 at 10.65.33.253 IPIP: dir=in src=199.91.34.69
policy=170.229.48.128/26->10.65.33.252/30 flags=0x8<>
life(c,s,h)=addtime(2592,0,0) natencap=none natsport=0 natdport=0
refcount=4 ref=47
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1010 at 199.91.34.69 esp0x67efcd68 at 199.91.34.69
tun0x100e at 199.91.34.69 esp0xbea0f371 at 199.91.34.69
tun0x100c at 199.91.34.69 esp0x77377c44 at 199.91.34.69
tun0x100a at 199.91.34.69 esp0xf3df6674 at 199.91.34.69
tun0x100f at 10.65.33.253 esp0xada163c at 10.65.33.253
tun0x100d at 10.65.33.253 esp0xada163b at 10.65.33.253
tun0x100b at 10.65.33.253 esp0xada163a at 10.65.33.253
tun0x1009 at 10.65.33.253 esp0xada1639 at 10.65.33.253
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=1400(1500) -> 1400
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink
debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose
debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 10.65.33.253
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,12,36}
trans={0,12,72} attrs={0,12,48}
000
000 "stmarks_meditech":
10.65.33.252/30===10.65.33.253...199.91.34.69===170.229.48.128/26;
erouted; eroute owner: #7
000 "stmarks_meditech": srcip=unset; dstip=unset; srcup=ipsec
_updown; dstup=ipsec _updown;
000 "stmarks_meditech": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "stmarks_meditech": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE;
prio: 30,26; interface: eth0; encap: esp;
000 "stmarks_meditech": newest ISAKMP SA: #0; newest IPsec SA: #7;
000 "stmarks_meditech": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "stmarks_meditech": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "stmarks_meditech": ESP algorithms wanted: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_meditech": ESP algorithms loaded: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_meditech": ESP algorithm newest: 3DES_0-HMAC_SHA1;
pfsgroup=<N/A>
000 "stmarks_pacs":
10.65.33.252/30===10.65.33.253...199.91.34.69===10.162.187.18/32;
erouted; eroute owner: #9
000 "stmarks_pacs": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "stmarks_pacs": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "stmarks_pacs": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE; prio:
30,32; interface: eth0; encap: esp;
000 "stmarks_pacs": newest ISAKMP SA: #0; newest IPsec SA: #9;
000 "stmarks_pacs": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "stmarks_pacs": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "stmarks_pacs": ESP algorithms wanted: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_pacs": ESP algorithms loaded: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_pacs": ESP algorithm newest: 3DES_0-HMAC_SHA1;
pfsgroup=<N/A>
000 "stmarks_pacs2":
10.65.33.252/30===10.65.33.253...199.91.34.69===10.163.173.23/32;
erouted; eroute owner: #8
000 "stmarks_pacs2": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "stmarks_pacs2": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "stmarks_pacs2": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE; prio:
30,32; interface: eth0; encap: esp;
000 "stmarks_pacs2": newest ISAKMP SA: #0; newest IPsec SA: #8;
000 "stmarks_pacs2": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "stmarks_pacs2": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "stmarks_pacs2": ESP algorithms wanted: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_pacs2": ESP algorithms loaded: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_pacs2": ESP algorithm newest: 3DES_0-HMAC_SHA1;
pfsgroup=<N/A>
000 "stmarks_tracemaster":
10.65.33.252/30===10.65.33.253...199.91.34.69===10.163.173.6/32;
erouted; eroute owner: #10
000 "stmarks_tracemaster": srcip=unset; dstip=unset; srcup=ipsec
_updown; dstup=ipsec _updown;
000 "stmarks_tracemaster": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "stmarks_tracemaster": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE;
prio: 30,32; interface: eth0; encap: esp;
000 "stmarks_tracemaster": newest ISAKMP SA: #0; newest IPsec SA: #10;
000 "stmarks_tracemaster": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "stmarks_tracemaster": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "stmarks_tracemaster": ESP algorithms wanted: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_tracemaster": ESP algorithms loaded: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_tracemaster": ESP algorithm newest: 3DES_0-HMAC_SHA1;
pfsgroup=<N/A>
000
000 #7: "stmarks_meditech":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 25630s; newest IPSEC; eroute owner
000 #7: "stmarks_meditech" used 82s ago; esp.f3df6674 at 199.91.34.69
esp.ada1639 at 10.65.33.253 tun.100a at 199.91.34.69 tun.1009 at 10.65.33.253
000 #9: "stmarks_pacs":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 25490s; newest IPSEC; eroute owner
000 #9: "stmarks_pacs" esp.bea0f371 at 199.91.34.69
esp.ada163b at 10.65.33.253 tun.100e at 199.91.34.69 tun.100d at 10.65.33.253
000 #8: "stmarks_pacs2":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 25175s; newest IPSEC; eroute owner
000 #8: "stmarks_pacs2" esp.77377c44 at 199.91.34.69
esp.ada163a at 10.65.33.253 tun.100c at 199.91.34.69 tun.100b at 10.65.33.253
000 #10: "stmarks_tracemaster":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 25718s; newest IPSEC; eroute owner
000 #10: "stmarks_tracemaster" esp.67efcd68 at 199.91.34.69
esp.ada163c at 10.65.33.253 tun.1010 at 199.91.34.69 tun.100f at 10.65.33.253
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:0c:29:28:42:ff
inet addr:10.65.33.253 Bcast:10.65.33.255
Mask:255.255.255.252
inet6 addr: fe80::20c:29ff:fe28:42ff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1400 Metric:1
RX packets:288626 errors:0 dropped:0 overruns:0 frame:0
TX packets:40327 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:134195488 (127.9 MiB) TX bytes:17223353 (16.4 MiB)
Base address:0x1070 Memory:e8820000-e8840000
eth0:0 Link encap:Ethernet HWaddr 00:0c:29:28:42:ff
inet addr:65.121.183.8 Bcast:255.255.255.255
Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1400 Metric:1
Base address:0x1070 Memory:e8820000-e8840000
ipsec0 Link encap:Ethernet HWaddr 00:0c:29:28:42:ff
inet addr:10.65.33.253 Mask:255.255.255.252
inet6 addr: fe80::20c:29ff:fe28:42ff/64 Scope:Link
UP RUNNING NOARP MTU:1400 Metric:1
RX packets:14419 errors:0 dropped:0 overruns:0 frame:0
TX packets:9842 errors:0 dropped:3 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:12046081 (11.4 MiB) TX bytes:1228044 (1.1 MiB)
ipsec1 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ipsec2 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ipsec3 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:984 (984.0 B) TX bytes:984 (984.0 B)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1400 qdisc pfifo_fast qlen
1000
link/ether 00:0c:29:28:42:ff brd ff:ff:ff:ff:ff:ff
inet 10.65.33.253/30 brd 10.65.33.255 scope global eth0
inet 65.121.183.8/32 brd 255.255.255.255 scope global eth0:0
inet6 fe80::20c:29ff:fe28:42ff/64 scope link
valid_lft forever preferred_lft forever
195: ipsec0: <NOARP,UP,10000> mtu 1400 qdisc pfifo_fast qlen 10
link/ether 00:0c:29:28:42:ff brd ff:ff:ff:ff:ff:ff
inet 10.65.33.253/30 brd 10.65.33.255 scope global ipsec0
inet6 fe80::20c:29ff:fe28:42ff/64 scope link
valid_lft forever preferred_lft forever
196: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/void
197: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/void
198: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/void
+ _________________________ ip-route-list
+ ip route list
10.163.173.23 dev ipsec0 scope link
10.163.173.6 dev ipsec0 scope link
10.162.187.18 dev ipsec0 scope link
10.65.33.252/30 dev eth0 proto kernel scope link src 10.65.33.253
10.65.33.252/30 dev ipsec0 proto kernel scope link src 10.65.33.253
170.229.48.128/26 dev ipsec0 scope link
127.0.0.0/8 dev lo scope link
default via 10.65.33.254 dev eth0 metric 1
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.4.13 (klips)
Checking for IPsec support in kernel
[OK]
KLIPS detected, checking for NAT Traversal support
[OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets) [OK]
Checking that pluto is running [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: windu
[MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 8.183.121.65.in-addr.arpa.
[MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 1000baseT-FD flow-control, link ok
product info: Yukon 88E1011 rev 3
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD
10baseT-HD
advertising: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD
10baseT-FD 10baseT-HD
link partner: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD
10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
windu.heartslc.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.65.33.253
+ _________________________ uptime
+ uptime
15:28:55 up 5:49, 4 users, load average: 2.14, 2.05, 2.01
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME
COMMAND
0 0 17578 10918 18 0 2772 1380 - R+ pts/0 0:00 |
\_ /bin/sh /usr/local/libexec/ipsec/barf
1 0 31782 1 24 0 2560 468 wait S ? 0:00
/bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal no --keep_alive
--protostack auto --force_keepalive --disable_port_floating
--virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump
--opts --stderrlog --wait no --pre --post --log daemon.error --pid
/var/run/pluto/pluto.pid
1 0 31783 31782 24 0 2560 644 wait S ? 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal no --keep_alive
--protostack auto --force_keepalive --disable_port_floating
--virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump
--opts --stderrlog --wait no --pre --post --log daemon.error --pid
/var/run/pluto/pluto.pid
4 0 31784 31783 15 0 2720 1380 - S ? 0:00 |
\_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile
/etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
1 0 31857 31784 26 10 2656 524 - SN ? 0:00 |
\_ pluto helper # 0
0 0 31858 31784 25 0 1636 304 429496 S ? 0:00 |
\_ _pluto_adns
0 0 31794 31782 16 0 2540 1224 pipe_w S ? 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0 0 31813 1 18 0 1692 528 pipe_w S ? 0:00
logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf
specification
# basic configuration
config setup
forwardcontrol=yes
interfaces="ipsec0=eth0"
nat_traversal=no
plutowait=no
uniqueids=yes
conn stmarks_meditech
aggrmode=yes
auth=esp
authby=secret
auto=add
compress=no
esp=3des-sha1
ike=3des-sha1-modp1024
keyexchange=ike
keyingtries=3
left=10.65.33.253
leftsubnet=10.65.33.252/30
pfs=no
right=199.91.34.69
rightsubnet=170.229.48.128/26
type=tunnel
conn stmarks_pacs
aggrmode=yes
auth=esp
authby=secret
auto=add
compress=no
esp=3des-sha1
ike=3des-sha1-modp1024
keyexchange=ike
keyingtries=3
left=10.65.33.253
leftsubnet=10.65.33.252/30
pfs=no
right=199.91.34.69
rightsubnet=10.162.187.18/32
type=tunnel
conn stmarks_tracemaster
aggrmode=yes
auth=esp
authby=secret
auto=add
compress=no
esp=3des-sha1
ike=3des-sha1-modp1024
keyexchange=ike
keyingtries=3
left=10.65.33.253
leftsubnet=10.65.33.252/30
pfs=no
right=199.91.34.69
rightsubnet=10.163.173.6/32
type=tunnel
conn stmarks_pacs2
aggrmode=yes
auth=esp
authby=secret
auto=add
compress=no
esp=3des-sha1
ike=3des-sha1-modp1024
keyexchange=ike
keyingtries=3
left=10.65.33.253
leftsubnet=10.65.33.252/30
pfs=no
right=199.91.34.69
rightsubnet=10.163.173.23/32
type=tunnel
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits windu Tue Nov 25 18:56:50 2008
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQNmyHZSA]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
: PSK "[sums to 92d6...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003-02-17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4.30.3 2006-11-21 19:49:51 paul Exp $
#
#
# Michael's idea: Always have ROOT NAMESERVERS in the clear.
# It will make OE work much better on machines running
caching
# resolvers.
#
# Based on: http://www.internic.net/zones/named.root
# This file holds the information on root name servers needed to
# last update: Jan 29, 2004
# related version of root zone: 2004012900
0.0.0.0/0
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates
IPSEC,
# using encryption. This behaviour is also called "Opportunistic
Responder".
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003-02-17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003-02-17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003-02-17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 116
-rwxr-xr-x 1 root root 15848 Dec 31 09:33 _confread
-rwxr-xr-x 1 root root 14289 Dec 31 09:33 _copyright
-rwxr-xr-x 1 root root 2379 Dec 31 09:33 _include
-rwxr-xr-x 1 root root 1475 Dec 31 09:33 _keycensor
-rwxr-xr-x 1 root root 3648 Dec 31 09:33 _plutoload
-rwxr-xr-x 1 root root 8069 Dec 31 09:33 _plutorun
-rwxr-xr-x 1 root root 12324 Dec 31 09:33 _realsetup
-rwxr-xr-x 1 root root 1975 Dec 31 09:33 _secretcensor
-rwxr-xr-x 1 root root 11102 Dec 31 09:33 _startklips
-rwxr-xr-x 1 root root 13918 Dec 31 09:33 _updown
-rwxr-xr-x 1 root root 15746 Dec 31 09:33 _updown_x509
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 4548
-rwxr-xr-x 1 root root 28489 Dec 31 09:32 _pluto_adns
-rwxr-xr-x 1 root root 375943 May 12 2008 addconn.old
-rwxr-xr-x 1 root root 18891 Dec 31 09:33 auto
-rwxr-xr-x 1 root root 11367 Dec 31 09:33 barf
-rwxr-xr-x 1 root root 816 Dec 31 09:33 calcgoo
-rwxr-xr-x 1 root root 199893 Dec 31 09:32 eroute
-rwxr-xr-x 1 root root 65085 Dec 31 09:33 ikeping
-rwxr-xr-x 1 root root 129819 Dec 31 09:32 klipsdebug
-rwxr-xr-x 1 root root 1836 Dec 31 09:33 livetest
-rwxr-xr-x 1 root root 2604 Dec 31 09:33 look
-rwxr-xr-x 1 root root 839794 May 12 2008 lwdnsq.old
-rwxr-xr-x 1 root root 7094 Dec 31 09:33 mailkey
-rwxr-xr-x 1 root root 16015 Dec 31 09:33 manual
-rwxr-xr-x 1 root root 1951 Dec 31 09:33 newhostkey
-rwxr-xr-x 1 root root 115216 Dec 31 09:32 pf_key
-rwxr-xr-x 1 root root 1914326 Dec 31 09:32 pluto
-rwxr-xr-x 1 root root 21174 Dec 31 09:33 ranbits
-rwxr-xr-x 1 root root 50625 Dec 31 09:33 rsasigkey
-rwxr-xr-x 1 root root 766 Dec 31 09:33 secrets
lrwxrwxrwx 1 root root 22 Dec 31 09:33 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Dec 31 09:33 showdefaults
-rwxr-xr-x 1 root root 4845 Dec 31 09:33 showhostkey
-rwxr-xr-x 1 root root 60365 May 12 2008 showpolicy.old
-rwxr-xr-x 1 root root 325143 Dec 31 09:32 spi
-rwxr-xr-x 1 root root 164884 Dec 31 09:32 spigrp
-rwxr-xr-x 1 root root 24248 Dec 31 09:32 tncfg
-rwxr-xr-x 1 root root 13530 Dec 31 09:33 verify
-rwxr-xr-x 1 root root 159092 Dec 31 09:32 whack
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 984 14 0 0 0 0 0 0 984 14 0 0 0 0 0 0
eth0:134198590 288645 0 0 0 0 0 0 17223679 40331 0 0 0 0 0 0
ipsec0:12046081 14419 0 0 0 0 0 0 1228044 9842 0 3 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface   Destination  Gateway   Flags  RefCnt  Use  Metric  Mask      MTU  Window  IRTT
ipsec0  17ADA30A     00000000  0005   0       0    0       FFFFFFFF  0    0       0
ipsec0  06ADA30A     00000000  0005   0       0    0       FFFFFFFF  0    0       0
ipsec0  12BBA20A     00000000  0005   0       0    0       FFFFFFFF  0    0       0
eth0    FC21410A     00000000  0001   0       0    0       FCFFFFFF  0    0       0
ipsec0  FC21410A     00000000  0001   0       0    0       FCFFFFFF  0    0       0
ipsec0  8030E5AA     00000000  0001   0       0    0       C0FFFFFF  0    0       0
lo      0000007F     00000000  0001   0       0    0       000000FF  0    0       0
eth0    00000000     FE21410A  0003   0       0    1       00000000  0    0       0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/accept_redirects all/secure_redirects all/send_redirects
default/accept_redirects default/secure_redirects default/send_redirects
eth0/accept_redirects eth0/secure_redirects eth0/send_redirects
ipsec0/accept_redirects ipsec0/secure_redirects ipsec0/send_redirects
lo/accept_redirects lo/secure_redirects lo/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:0
default/accept_redirects:0
default/secure_redirects:1
default/send_redirects:0
eth0/accept_redirects:0
eth0/secure_redirects:1
eth0/send_redirects:0
ipsec0/accept_redirects:0
ipsec0/secure_redirects:1
ipsec0/send_redirects:0
lo/accept_redirects:1
lo/secure_redirects:1
lo/send_redirects:1
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+ uname -a
Linux windu 2.6.19-smp #1 SMP Tue Dec 30 20:03:07 MST 2008 i686 Intel(R) Xeon(R) CPU E5335 @ 2.00GHz GenuineIntel GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ distro-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/redhat-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/debian-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/SuSE-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/mandrake-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/mandriva-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.4.13
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/local/libexec/ipsec/barf: line 305: no old-style linux 1.x/2.0
ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ test -r /sbin/ipchains
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
ipsec 351724 2 - Live 0xf90d2000
iptable_mangle 6144 0 - Live 0xf8ef4000
iptable_filter 6400 0 - Live 0xf8ef1000
ip_tables 15172 2 iptable_mangle,iptable_filter, Live 0xf8fe9000
x_tables 15492 1 ip_tables, Live 0xf8ef7000
ipv6 241184 10 - Live 0xf9030000
pcmcia 33836 0 - Live 0xf8fdf000
rsrc_nonstatic 14720 0 - Live 0xf8ed4000
pcmcia_core 36500 2 pcmcia,rsrc_nonstatic, Live 0xf8e91000
tun 12032 0 - Live 0xf8cdc000
lp 13480 0 - Live 0xf8cc1000
parport_pc 27300 1 - Live 0xf8e9c000
parport 34760 2 lp,parport_pc, Live 0xf8ec4000
fuse 41876 1 - Live 0xf8cf4000
intel_agp 24348 1 - Live 0xf8e8a000
agpgart 29256 1 intel_agp, Live 0xf8e81000
serio_raw 9220 0 - Live 0xf8ce0000
e1000 118976 0 - Live 0xf8ea5000
psmouse 38280 0 - Live 0xf8ce9000
pcspkr 6528 0 - Live 0xf8cd9000
i2c_piix4 11148 0 - Live 0xf8cd5000
evdev 11904 1 - Live 0xf8cc6000
sg 30108 0 - Live 0xf8ccc000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 1031624 kB
MemFree: 810208 kB
Buffers: 41756 kB
Cached: 139820 kB
SwapCached: 0 kB
Active: 102840 kB
Inactive: 92460 kB
HighTotal: 131008 kB
HighFree: 264 kB
LowTotal: 900616 kB
LowFree: 809944 kB
SwapTotal: 1542232 kB
SwapFree: 1542232 kB
Dirty: 352 kB
Writeback: 0 kB
AnonPages: 13692 kB
Mapped: 7588 kB
Slab: 15772 kB
SReclaimable: 6892 kB
SUnreclaim: 8880 kB
PageTables: 564 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 2058044 kB
Committed_AS: 43028 kB
VmallocTotal: 114680 kB
VmallocUsed: 8700 kB
VmallocChunk: 105300 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug
/proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg
/proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Dec 31 15:28 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Dec 31 15:28 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Dec 31 15:28 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Dec 31 15:28 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Dec 31 15:28 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Dec 31 15:28 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM'
# CONFIG_IPC_NS is not set
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_FWMARK is not set
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_IPSEC_NAT_TRAVERSAL=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
# CONFIG_IPV6_ROUTER_PREF is not set
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_TUNNEL=m
# CONFIG_IP_NF_CONNTRACK is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
CONFIG_HW_RANDOM_GEODE=m
CONFIG_HW_RANDOM_VIA=m
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m
CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux. Note the '-' prefixing some
# of these entries; this omits syncing the file after every logging.
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performation loss if you're using
# programs that do heavy logging.
# Uncomment this to see kernel messages on the console.
#kern.*                                         /dev/console
# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.info;*.!warn;\
        authpriv.none;cron.none;mail.none;news.none     -/var/log/messages
# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.warn;\
        authpriv.none;cron.none;mail.none;news.none     -/var/log/syslog
# Debugging information is logged here.
*.=debug                                        -/var/log/debug
# Private authentication message logging:
authpriv.*                                      -/var/log/secure
# Cron related logs:
cron.*                                          -/var/log/cron
# Mail related logs:
mail.*                                          -/var/log/maillog
# Emergency level messages go to all users:
*.emerg                                         *
# This log is for news and uucp errors:
uucp,news.crit                                  -/var/log/spooler
# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit                                     -/var/log/news/news.crit
#news.=err                                      -/var/log/news/news.err
#news.notice                                    -/var/log/news/news.notice
+ _________________________ etc/syslog-ng/syslog-ng.conf
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search heartslc.com
nameserver 10.30.0.19
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 16
drwxr-xr-x 3 root root 4096 Apr 30 2008 2.6.24.5
drwxr-xr-x 3 root root 4096 May 11 2008 2.6.24.5-smp
drwxr-xr-x 3 root root 4096 Dec 31 09:37 2.6.19.7-smp
drwxr-xr-x 3 root root 4096 Dec 31 09:40 2.6.19-smp
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c05b3420 T __netif_rx_schedule
c05b4920 T netif_rx
c05b5e10 T netif_rx_ni
c05b4920 U netif_rx [ipsec]
c05b4920 U netif_rx [ipv6]
c05b5e10 U netif_rx_ni [tun]
c05b3420 U __netif_rx_schedule [e1000]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.19-smp:
2.6.19.7-smp:
2.6.24.5:
2.6.24.5-smp:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '2157,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Dec 31 13:41:31 windu ipsec_setup: Starting Openswan IPsec 2.4.13...
Dec 31 13:41:33 windu ipsec__plutorun: ipsec_auto: fatal error in
"packetdefault": %defaultroute requested but not known
Dec 31 13:41:33 windu ipsec__plutorun: ipsec_auto: fatal error in
"block": %defaultroute requested but not known
Dec 31 13:41:34 windu ipsec__plutorun: ipsec_auto: fatal error in
"clear-or-private": %defaultroute requested but not known
Dec 31 13:41:34 windu ipsec__plutorun: ipsec_auto: fatal error in
"clear": %defaultroute requested but not known
Dec 31 13:41:35 windu ipsec__plutorun: ipsec_auto: fatal error in
"private-or-clear": %defaultroute requested but not known
Dec 31 13:41:35 windu ipsec__plutorun: ipsec_auto: fatal error in
"private": %defaultroute requested but not known
Dec 31 13:41:35 windu ipsec__plutorun: 021 no connection named
"packetdefault"
Dec 31 13:41:35 windu ipsec__plutorun: ...could not route conn
"packetdefault"
Dec 31 13:41:35 windu ipsec__plutorun: 021 no connection named "block"
Dec 31 13:41:35 windu ipsec__plutorun: ...could not route conn "block"
Dec 31 13:41:36 windu ipsec__plutorun: 021 no connection named
"clear-or-private"
Dec 31 13:41:36 windu ipsec__plutorun: ...could not route conn
"clear-or-private"
Dec 31 13:41:36 windu ipsec__plutorun: 021 no connection named "clear"
Dec 31 13:41:36 windu ipsec__plutorun: ...could not route conn "clear"
Dec 31 13:41:36 windu ipsec__plutorun: 021 no connection named
"private-or-clear"
Dec 31 13:41:36 windu ipsec__plutorun: ...could not route conn
"private-or-clear"
Dec 31 13:41:36 windu ipsec__plutorun: 021 no connection named "private"
Dec 31 13:41:36 windu ipsec__plutorun: ...could not route conn "private"
+ _________________________ plog
+ sed -n '13065,$p' /var/log/secure
+ egrep -i pluto
+ case "$1" in
+ cat
Dec 31 13:41:30 windu ipsec__plutorun: Starting Pluto subsystem...
Dec 31 13:41:31 windu pluto[31784]: Starting Pluto (Openswan Version
2.4.13 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE`fijAufQMD)
Dec 31 13:41:31 windu pluto[31784]: Setting NAT-Traversal port-4500
floating to off
Dec 31 13:41:31 windu pluto[31784]: port floating activation criteria
nat_t=0/port_fload=1
Dec 31 13:41:31 windu pluto[31784]: including NAT-Traversal patch
(Version 0.6c) [disabled]
Dec 31 13:41:31 windu pluto[31784]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Dec 31 13:41:31 windu pluto[31784]: starting up 1 cryptographic helpers
Dec 31 13:41:31 windu pluto[31784]: started helper pid=31857 (fd:6)
Dec 31 13:41:31 windu pluto[31784]: Using KLIPS IPsec interface code on
2.6.19-smp
Dec 31 13:41:31 windu pluto[31784]: Changing to directory
'/etc/ipsec.d/cacerts'
Dec 31 13:41:31 windu pluto[31784]: Changing to directory
'/etc/ipsec.d/aacerts'
Dec 31 13:41:31 windu pluto[31784]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Dec 31 13:41:31 windu pluto[31784]: Changing to directory
'/etc/ipsec.d/crls'
Dec 31 13:41:31 windu pluto[31784]: Warning: empty directory
Dec 31 13:41:32 windu pluto[31784]: added connection description
"stmarks_pacs2"
Dec 31 13:41:33 windu pluto[31784]: added connection description
"stmarks_meditech"
Dec 31 13:41:33 windu pluto[31784]: added connection description
"stmarks_pacs"
Dec 31 13:41:34 windu pluto[31784]: added connection description
"stmarks_tracemaster"
Dec 31 13:41:35 windu pluto[31784]: listening for IKE messages
Dec 31 13:41:35 windu pluto[31784]: adding interface ipsec0/eth0
10.65.33.253:500
Dec 31 13:41:35 windu pluto[31784]: loading secrets from
"/etc/ipsec.secrets"
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #1: initiating
Aggressive Mode #1, connection "stmarks_meditech"
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #1: received
Vendor ID payload [Cisco-Unity]
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #1: received
Vendor ID payload [XAUTH]
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #1: received
Vendor ID payload [Dead Peer Detection]
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #1: ignoring
Vendor ID payload [FRAGMENTATION c0000000]
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #1: ignoring
Vendor ID payload [Cisco VPN 3000 Series]
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #1: protocol/port
in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #1: Aggressive
mode peer ID is ID_IPV4_ADDR: '199.91.34.69'
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #1: protocol/port
in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #1: Aggressive
mode peer ID is ID_IPV4_ADDR: '199.91.34.69'
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #1: transition
from state STATE_AGGR_I1 to state STATE_AGGR_I2
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #1:
STATE_AGGR_I2: sent AI2, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
Dec 31 13:41:41 windu pluto[31784]: "stmarks_meditech" #2: initiating
Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Dec 31 13:41:42 windu pluto[31784]: "stmarks_meditech" #2: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 31 13:41:42 windu pluto[31784]: "stmarks_meditech" #2:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x00b50ac4
<0x0ada1635 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Dec 31 13:41:50 windu pluto[31784]: "stmarks_pacs" #3: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Dec 31 13:41:50 windu pluto[31784]: "stmarks_pacs" #3: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 31 13:41:50 windu pluto[31784]: "stmarks_pacs" #3: STATE_QUICK_I2:
sent QI2, IPsec SA established {ESP=>0x8f03a187 <0x0ada1636
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Dec 31 13:41:56 windu pluto[31784]: "stmarks_tracemaster" #4: initiating
Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Dec 31 13:41:57 windu pluto[31784]: "stmarks_tracemaster" #4: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 31 13:41:57 windu pluto[31784]: "stmarks_tracemaster" #4:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe44b2b6f
<0x0ada1637 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Dec 31 13:42:02 windu pluto[31784]: "stmarks_pacs2" #5: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Dec 31 13:42:02 windu pluto[31784]: "stmarks_pacs2" #5: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 31 13:42:02 windu pluto[31784]: "stmarks_pacs2" #5: STATE_QUICK_I2:
sent QI2, IPsec SA established {ESP=>0xa15a3b3a <0x0ada1638
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Dec 31 14:26:41 windu pluto[31784]: "stmarks_meditech" #6: initiating
Aggressive Mode #6 to replace #1, connection "stmarks_meditech"
Dec 31 14:26:41 windu pluto[31784]: "stmarks_meditech" #6: received
Vendor ID payload [Cisco-Unity]
Dec 31 14:26:41 windu pluto[31784]: "stmarks_meditech" #6: received
Vendor ID payload [XAUTH]
Dec 31 14:26:41 windu pluto[31784]: "stmarks_meditech" #6: received
Vendor ID payload [Dead Peer Detection]
Dec 31 14:26:41 windu pluto[31784]: "stmarks_meditech" #6: ignoring
Vendor ID payload [FRAGMENTATION c0000000]
Dec 31 14:26:41 windu pluto[31784]: "stmarks_meditech" #6: ignoring
Vendor ID payload [Cisco VPN 3000 Series]
Dec 31 14:26:41 windu pluto[31784]: "stmarks_meditech" #6: protocol/port
in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Dec 31 14:26:41 windu pluto[31784]: "stmarks_meditech" #6: Aggressive
mode peer ID is ID_IPV4_ADDR: '199.91.34.69'
Dec 31 14:26:41 windu pluto[31784]: "stmarks_meditech" #6: protocol/port
in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Dec 31 14:26:41 windu pluto[31784]: "stmarks_meditech" #6: Aggressive
mode peer ID is ID_IPV4_ADDR: '199.91.34.69'
Dec 31 14:26:41 windu pluto[31784]: "stmarks_meditech" #6: transition
from state STATE_AGGR_I1 to state STATE_AGGR_I2
Dec 31 14:26:41 windu pluto[31784]: "stmarks_meditech" #6:
STATE_AGGR_I2: sent AI2, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
Dec 31 14:45:30 windu pluto[31784]: "stmarks_meditech" #6: received
Delete SA payload: replace IPSEC State #5 in 10 seconds
Dec 31 14:45:30 windu pluto[31784]: "stmarks_meditech" #6: received and
ignored informational message
Dec 31 14:45:30 windu pluto[31784]: "stmarks_meditech" #6: received
Delete SA payload: replace IPSEC State #2 in 10 seconds
Dec 31 14:45:30 windu pluto[31784]: "stmarks_meditech" #6: received and
ignored informational message
Dec 31 14:45:40 windu pluto[31784]: "stmarks_meditech" #7: initiating
Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE to replace #2 {using
isakmp#6}
Dec 31 14:45:40 windu pluto[31784]: "stmarks_pacs2" #8: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE to replace #5 {using isakmp#6}
Dec 31 14:45:40 windu pluto[31784]: "stmarks_meditech" #7: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 31 14:45:40 windu pluto[31784]: "stmarks_meditech" #7:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xf3df6674
<0x0ada1639 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Dec 31 14:45:40 windu pluto[31784]: "stmarks_pacs2" #8: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 31 14:45:40 windu pluto[31784]: "stmarks_pacs2" #8: STATE_QUICK_I2:
sent QI2, IPsec SA established {ESP=>0x77377c44 <0x0ada163a
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Dec 31 14:46:00 windu pluto[31784]: "stmarks_meditech" #6: received
Delete SA payload: replace IPSEC State #3 in 10 seconds
Dec 31 14:46:00 windu pluto[31784]: "stmarks_meditech" #6: received and
ignored informational message
Dec 31 14:46:10 windu pluto[31784]: "stmarks_pacs" #9: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE to replace #3 {using isakmp#6}
Dec 31 14:46:10 windu pluto[31784]: "stmarks_pacs" #9: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 31 14:46:10 windu pluto[31784]: "stmarks_pacs" #9: STATE_QUICK_I2:
sent QI2, IPsec SA established {ESP=>0xbea0f371 <0x0ada163b
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Dec 31 14:54:00 windu pluto[31784]: "stmarks_meditech" #6: received
Delete SA payload: replace IPSEC State #4 in 10 seconds
Dec 31 14:54:00 windu pluto[31784]: "stmarks_meditech" #6: received and
ignored informational message
Dec 31 14:54:10 windu pluto[31784]: "stmarks_tracemaster" #10:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE to replace #4
{using isakmp#6}
Dec 31 14:54:10 windu pluto[31784]: "stmarks_tracemaster" #10:
transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 31 14:54:10 windu pluto[31784]: "stmarks_tracemaster" #10:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x67efcd68
<0x0ada163c xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Dec 31 15:11:41 windu pluto[31784]: packet from 199.91.34.69:500:
received Vendor ID payload [Cisco-Unity]
Dec 31 15:11:41 windu pluto[31784]: packet from 199.91.34.69:500:
received Vendor ID payload [XAUTH]
Dec 31 15:11:41 windu pluto[31784]: packet from 199.91.34.69:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but port floating is off
Dec 31 15:11:41 windu pluto[31784]: packet from 199.91.34.69:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
port floating is off
Dec 31 15:11:41 windu pluto[31784]: packet from 199.91.34.69:500:
ignoring Vendor ID payload [FRAGMENTATION c0000000]
Dec 31 15:11:41 windu pluto[31784]: "stmarks_pacs2" #11: protocol/port
in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Dec 31 15:11:41 windu pluto[31784]: "stmarks_pacs2" #11: Aggressive mode
peer ID is ID_IPV4_ADDR: '199.91.34.69'
Dec 31 15:11:41 windu pluto[31784]: "stmarks_pacs2" #11: responding to
Aggressive Mode, state #11, connection "stmarks_pacs2" from 199.91.34.69
Dec 31 15:11:41 windu pluto[31784]: "stmarks_pacs2" #11: transition from
state STATE_AGGR_R0 to state STATE_AGGR_R1
Dec 31 15:11:41 windu pluto[31784]: "stmarks_pacs2" #11: STATE_AGGR_R1:
sent AR1, expecting AI2
Dec 31 15:11:41 windu pluto[31784]: "stmarks_pacs2" #11: received Vendor
ID payload [Dead Peer Detection]
Dec 31 15:11:41 windu pluto[31784]: "stmarks_pacs2" #11: ignoring Vendor
ID payload [Cisco VPN 3000 Series]
Dec 31 15:11:41 windu pluto[31784]: "stmarks_pacs2" #11: Aggressive mode
peer ID is ID_IPV4_ADDR: '199.91.34.69'
Dec 31 15:11:41 windu pluto[31784]: "stmarks_pacs2" #11: received Hash
Payload does not match computed value
Dec 31 15:11:41 windu pluto[31784]: "stmarks_pacs2" #11: sending
encrypted notification INVALID_HASH_INFORMATION to 199.91.34.69:500
Dec 31 15:12:15 windu pluto[31784]: "stmarks_meditech" #6: received
Delete SA payload: deleting ISAKMP State #6
Dec 31 15:12:15 windu pluto[31784]: packet from 199.91.34.69:500:
received and ignored informational message
Dec 31 15:12:25 windu pluto[31784]: "stmarks_pacs2" #11: next payload
type of ISAKMP Hash Payload has an unknown value: 69
Dec 31 15:12:25 windu pluto[31784]: "stmarks_pacs2" #11: malformed
payload in packet
Dec 31 15:12:25 windu pluto[31784]: | payload malformed after IV
Dec 31 15:12:25 windu pluto[31784]: | 34 d4 62 7e 3b 74 18 03 f7 e0
4d 4b 03 49 38 0e
Dec 31 15:12:25 windu pluto[31784]: | 10 5b 6e d2
Dec 31 15:12:25 windu pluto[31784]: "stmarks_pacs2" #11: sending
notification PAYLOAD_MALFORMED to 199.91.34.69:500
Dec 31 15:12:27 windu pluto[31784]: "stmarks_pacs2" #11: next payload
type of ISAKMP Hash Payload has an unknown value: 23
Dec 31 15:12:27 windu pluto[31784]: "stmarks_pacs2" #11: malformed
payload in packet
Dec 31 15:12:27 windu pluto[31784]: | payload malformed after IV
Dec 31 15:12:27 windu pluto[31784]: | 34 d4 62 7e 3b 74 18 03 f7 e0
4d 4b 03 49 38 0e
Dec 31 15:12:27 windu pluto[31784]: | 10 5b 6e d2
Dec 31 15:12:27 windu pluto[31784]: "stmarks_pacs2" #11: sending
notification PAYLOAD_MALFORMED to 199.91.34.69:500
Dec 31 15:12:29 windu pluto[31784]: "stmarks_pacs2" #11: next payload
type of ISAKMP Hash Payload has an unknown value: 251
Dec 31 15:12:29 windu pluto[31784]: "stmarks_pacs2" #11: malformed
payload in packet
Dec 31 15:12:29 windu pluto[31784]: | payload malformed after IV
Dec 31 15:12:29 windu pluto[31784]: | 34 d4 62 7e 3b 74 18 03 f7 e0
4d 4b 03 49 38 0e
Dec 31 15:12:29 windu pluto[31784]: | 10 5b 6e d2
Dec 31 15:12:29 windu pluto[31784]: "stmarks_pacs2" #11: sending
notification PAYLOAD_MALFORMED to 199.91.34.69:500
Dec 31 15:12:31 windu pluto[31784]: "stmarks_pacs2" #11: byte 2 of
ISAKMP Hash Payload must be zero, but is not
Dec 31 15:12:31 windu pluto[31784]: "stmarks_pacs2" #11: malformed
payload in packet
Dec 31 15:12:31 windu pluto[31784]: | payload malformed after IV
Dec 31 15:12:31 windu pluto[31784]: | 34 d4 62 7e 3b 74 18 03 f7 e0
4d 4b 03 49 38 0e
Dec 31 15:12:31 windu pluto[31784]: | 10 5b 6e d2
Dec 31 15:12:31 windu pluto[31784]: "stmarks_pacs2" #11: sending
notification PAYLOAD_MALFORMED to 199.91.34.69:500
Dec 31 15:12:31 windu pluto[31784]: "stmarks_pacs2" #11: next payload
type of ISAKMP Hash Payload has an unknown value: 100
Dec 31 15:12:31 windu pluto[31784]: "stmarks_pacs2" #11: malformed
payload in packet
Dec 31 15:12:31 windu pluto[31784]: "stmarks_pacs2" #11: next payload
type of ISAKMP Hash Payload has an unknown value: 223
Dec 31 15:12:31 windu pluto[31784]: "stmarks_pacs2" #11: malformed
payload in packet
Dec 31 15:12:31 windu pluto[31784]: "stmarks_pacs2" #11: next payload
type of ISAKMP Hash Payload has an unknown value: 95
Dec 31 15:12:31 windu pluto[31784]: "stmarks_pacs2" #11: malformed
payload in packet
Dec 31 15:12:31 windu pluto[31784]: "stmarks_pacs2" #11: next payload
type of ISAKMP Hash Payload has an unknown value: 108
Dec 31 15:12:31 windu pluto[31784]: "stmarks_pacs2" #11: malformed
payload in packet
Dec 31 15:12:51 windu pluto[31784]: "stmarks_pacs2" #11: max number of
retransmissions (2) reached STATE_AGGR_R1
+ _________________________ date
+ date
Wed Dec 31 15:28:58 MST 2008
windu
Mon Jan 5 10:12:37 MST 2009
+ _________________________ version
+ ipsec --version
Linux Openswan 2.4.13 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.19-smp (root@windu) (gcc version 4.2.3) #1 SMP Tue Dec 30 20:03:07 MST 2008
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask          Flags  MSS  Window  irtt  Iface
10.65.33.252    0.0.0.0         255.255.255.252  U      0    0       0     eth0
10.65.33.252    0.0.0.0         255.255.255.252  U      0    0       0     ipsec0
127.0.0.0       0.0.0.0         255.0.0.0        U      0    0       0     lo
0.0.0.0         10.65.33.254    0.0.0.0          UG     0    0       0     eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> eth0 mtu=16260(1500) -> 1500
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink
debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose
debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 10.65.33.253
000 interface ipsec0/eth0 10.65.33.253
000 interface ipsec1/eth0:0 65.121.183.8
000 interface ipsec1/eth0:0 65.121.183.8
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "stmarks_meditech": 10.65.33.252/30===65.121.183.8:17/500...199.91.34.69:17/500===170.229.48.128/26; unrouted; eroute owner: #0
000 "stmarks_meditech": srcip=unset; dstip=unset; srcup=ipsec
_updown; dstup=ipsec _updown;
000 "stmarks_meditech": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "stmarks_meditech": policy: PSK+ENCRYPT+TUNNEL+AGGRESSIVE; prio:
30,26; interface: eth0:0; encap: esp;
000 "stmarks_meditech": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "stmarks_meditech": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "stmarks_meditech": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "stmarks_meditech": ESP algorithms wanted: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_meditech": ESP algorithms loaded: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_pacs": 10.65.33.252/30===10.65.33.253:17/500...199.91.34.69:17/500===10.162.187.18/32; unrouted; eroute owner: #0
000 "stmarks_pacs": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "stmarks_pacs": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "stmarks_pacs": policy: PSK+ENCRYPT+TUNNEL+AGGRESSIVE; prio:
30,32; interface: eth0; encap: esp;
000 "stmarks_pacs": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "stmarks_pacs": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "stmarks_pacs": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "stmarks_pacs": ESP algorithms wanted: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_pacs": ESP algorithms loaded: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_pacs2": 10.65.33.252/30===10.65.33.253:17/500...199.91.34.69:17/500===10.163.173.23/32; unrouted; eroute owner: #0
000 "stmarks_pacs2": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "stmarks_pacs2": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "stmarks_pacs2": policy: PSK+ENCRYPT+TUNNEL+AGGRESSIVE; prio:
30,32; interface: eth0; encap: esp;
000 "stmarks_pacs2": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "stmarks_pacs2": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "stmarks_pacs2": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "stmarks_pacs2": ESP algorithms wanted: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_pacs2": ESP algorithms loaded: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_tracemaster": 10.65.33.252/30===10.65.33.253:17/500...199.91.34.69:17/500===10.163.173.6/32; unrouted; eroute owner: #0
000 "stmarks_tracemaster": srcip=unset; dstip=unset; srcup=ipsec
_updown; dstup=ipsec _updown;
000 "stmarks_tracemaster": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "stmarks_tracemaster": policy: PSK+ENCRYPT+TUNNEL+AGGRESSIVE;
prio: 30,32; interface: eth0; encap: esp;
000 "stmarks_tracemaster": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "stmarks_tracemaster": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "stmarks_tracemaster": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "stmarks_tracemaster": ESP algorithms wanted: 3DES(3)_000-SHA1(2);
flags=strict
000 "stmarks_tracemaster": ESP algorithms loaded: 3DES(3)_000-SHA1(2);
flags=strict
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:0c:29:28:42:ff
inet addr:10.65.33.253 Bcast:10.65.33.255
Mask:255.255.255.252
inet6 addr: fe80::20c:29ff:fe28:42ff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:810581 errors:0 dropped:0 overruns:0 frame:0
TX packets:385078 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:132790699 (126.6 MiB) TX bytes:550396908 (524.8 MiB)
Base address:0x1070 Memory:e8820000-e8840000
eth0:0 Link encap:Ethernet HWaddr 00:0c:29:28:42:ff
inet addr:65.121.183.8 Bcast:255.255.255.255 Mask:0.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Base address:0x1070 Memory:e8820000-e8840000
ipsec0 Link encap:Ethernet HWaddr 00:0c:29:28:42:ff
inet addr:10.65.33.253 Mask:255.255.255.252
inet6 addr: fe80::20c:29ff:fe28:42ff/64 Scope:Link
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:3 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ipsec1 Link encap:Ethernet HWaddr 00:0c:29:28:42:ff
inet addr:65.121.183.8 Mask:0.0.0.0
inet6 addr: fe80::20c:29ff:fe28:42ff/64 Scope:Link
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:3 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ipsec2 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ipsec3 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen
1000
link/ether 00:0c:29:28:42:ff brd ff:ff:ff:ff:ff:ff
inet 10.65.33.253/30 brd 10.65.33.255 scope global eth0
inet 65.121.183.8/0 brd 255.255.255.255 scope global eth0:0
inet6 fe80::20c:29ff:fe28:42ff/64 scope link
valid_lft forever preferred_lft forever
27: ipsec0: <NOARP,UP,10000> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:0c:29:28:42:ff brd ff:ff:ff:ff:ff:ff
inet 10.65.33.253/30 brd 10.65.33.255 scope global ipsec0
inet6 fe80::20c:29ff:fe28:42ff/64 scope link
valid_lft forever preferred_lft forever
28: ipsec1: <NOARP,UP,10000> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:0c:29:28:42:ff brd ff:ff:ff:ff:ff:ff
inet 65.121.183.8/0 brd 255.255.255.255 scope global ipsec1
inet6 fe80::20c:29ff:fe28:42ff/64 scope link
valid_lft forever preferred_lft forever
29: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/void
30: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/void
+ _________________________ ip-route-list
+ ip route list
10.65.33.252/30 dev eth0 proto kernel scope link src 10.65.33.253
10.65.33.252/30 dev ipsec0 proto kernel scope link src 10.65.33.253
127.0.0.0/8 dev lo scope link
default via 10.65.33.254 dev eth0 metric 1
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.4.13 (klips)
Checking for IPsec support in kernel
[OK]
KLIPS detected, checking for NAT Traversal support
[OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets) [OK]
Checking that pluto is running [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: windu
[MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 8.183.121.65.in-addr.arpa.
[MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 1000baseT-FD flow-control, link ok
product info: Yukon 88E1011 rev 3
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD
10baseT-HD
advertising: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD
10baseT-FD 10baseT-HD
link partner: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD
10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
windu.heartslc.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.65.33.253
+ _________________________ uptime
+ uptime
10:12:39 up 2 days, 19:55, 1 user, load average: 2.49, 2.07, 1.97
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME
COMMAND
0 0 2133 28099 17 0 2768 1380 - R+ pts/0 0:00
\_ /bin/sh /usr/local/libexec/ipsec/barf
1 0 346 1 25 0 2344 432 wait S pts/0 0:00
/bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive
--protostack auto --force_keepalive --disable_port_floating
--virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump
--opts --stderrlog --wait no --pre --post --log daemon.error --pid
/var/run/pluto/pluto.pid
1 0 347 346 23 0 2344 608 wait S pts/0 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive
--protostack auto --force_keepalive --disable_port_floating
--virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump
--opts --stderrlog --wait no --pre --post --log daemon.error --pid
/var/run/pluto/pluto.pid
4 0 348 347 15 0 2660 1156 - S pts/0 0:00 |
\_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile
/etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
--nat_traversal
1 0 385 348 35 10 2660 416 - SN pts/0 0:00 |
\_ pluto helper # 0
0 0 395 348 25 0 1632 304 429496 S pts/0 0:00 |
\_ _pluto_adns
0 0 349 346 18 0 2316 1060 pipe_w S pts/0 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0 0 350 1 18 0 1696 528 pipe_w S pts/0 0:00
logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf
specification
# basic configuration
config setup
forwardcontrol=yes
interfaces="ipsec0=eth0 ipsec1=eth0:0"
nat_traversal=yes
plutowait=no
uniqueids=yes
conn stmarks_meditech
aggrmode=yes
auth=esp
authby=secret
auto=add
compress=no
esp=3des-sha1
ike=3des-sha1-modp1024
keyexchange=ike
keyingtries=3
left=65.121.183.8
leftsubnet=10.65.33.252/30
pfs=no
right=199.91.34.69
rightsubnet=170.229.48.128/26
type=tunnel
leftprotoport=17/500
rightprotoport=17/500
conn stmarks_pacs
aggrmode=yes
leftprotoport=17/500
rightprotoport=17/500
auth=esp
authby=secret
auto=add
compress=no
esp=3des-sha1
ike=3des-sha1-modp1024
keyexchange=ike
keyingtries=3
left=10.65.33.253
leftsubnet=10.65.33.252/30
pfs=no
right=199.91.34.69
rightsubnet=10.162.187.18/32
type=tunnel
conn stmarks_tracemaster
aggrmode=yes
auth=esp
authby=secret
auto=add
compress=no
esp=3des-sha1
ike=3des-sha1-modp1024
keyexchange=ike
keyingtries=3
left=10.65.33.253
leftsubnet=10.65.33.252/30
pfs=no
right=199.91.34.69
rightsubnet=10.163.173.6/32
type=tunnel
leftprotoport=17/500
rightprotoport=17/500
conn stmarks_pacs2
aggrmode=yes
auth=esp
authby=secret
auto=add
compress=no
esp=3des-sha1
ike=3des-sha1-modp1024
keyexchange=ike
keyingtries=3
left=10.65.33.253
leftsubnet=10.65.33.252/30
pfs=no
right=199.91.34.69
rightsubnet=10.163.173.23/32
type=tunnel
leftprotoport=17/500
rightprotoport=17/500
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits windu Tue Nov 25 18:56:50 2008
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQNmyHZSA]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
: PSK "[sums to 92d6...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003-02-17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4.30.3 2006-11-21 19:49:51 paul Exp $
#
#
# Michael's idea: Always have ROOT NAMESERVERS in the clear.
# It will make OE work much better on machines running
caching
# resolvers.
#
# Based on: http://www.internic.net/zones/named.root
# This file holds the information on root name servers needed to
# last update: Jan 29, 2004
# related version of root zone: 2004012900
0.0.0.0/0
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates
IPSEC,
# using encryption. This behaviour is also called "Opportunistic
Responder".
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003-02-17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003-02-17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear
otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003-02-17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 116
-rwxr-xr-x 1 root root 15848 Dec 31 09:33 _confread
-rwxr-xr-x 1 root root 14289 Dec 31 09:33 _copyright
-rwxr-xr-x 1 root root 2379 Dec 31 09:33 _include
-rwxr-xr-x 1 root root 1475 Dec 31 09:33 _keycensor
-rwxr-xr-x 1 root root 3648 Dec 31 09:33 _plutoload
-rwxr-xr-x 1 root root 8069 Dec 31 09:33 _plutorun
-rwxr-xr-x 1 root root 12324 Dec 31 09:33 _realsetup
-rwxr-xr-x 1 root root 1975 Dec 31 09:33 _secretcensor
-rwxr-xr-x 1 root root 11102 Dec 31 09:33 _startklips
-rwxr-xr-x 1 root root 13918 Dec 31 09:33 _updown
-rwxr-xr-x 1 root root 15746 Dec 31 09:33 _updown_x509
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 4548
-rwxr-xr-x 1 root root 28489 Dec 31 09:32 _pluto_adns
-rwxr-xr-x 1 root root 375943 May 12 2008 addconn.old
-rwxr-xr-x 1 root root 18891 Dec 31 09:33 auto
-rwxr-xr-x 1 root root 11367 Dec 31 09:33 barf
-rwxr-xr-x 1 root root 816 Dec 31 09:33 calcgoo
-rwxr-xr-x 1 root root 199893 Dec 31 09:32 eroute
-rwxr-xr-x 1 root root 65085 Dec 31 09:33 ikeping
-rwxr-xr-x 1 root root 129819 Dec 31 09:32 klipsdebug
-rwxr-xr-x 1 root root 1836 Dec 31 09:33 livetest
-rwxr-xr-x 1 root root 2604 Dec 31 09:33 look
-rwxr-xr-x 1 root root 839794 May 12 2008 lwdnsq.old
-rwxr-xr-x 1 root root 7094 Dec 31 09:33 mailkey
-rwxr-xr-x 1 root root 16015 Dec 31 09:33 manual
-rwxr-xr-x 1 root root 1951 Dec 31 09:33 newhostkey
-rwxr-xr-x 1 root root 115216 Dec 31 09:32 pf_key
-rwxr-xr-x 1 root root 1914326 Dec 31 09:32 pluto
-rwxr-xr-x 1 root root 21174 Dec 31 09:33 ranbits
-rwxr-xr-x 1 root root 50625 Dec 31 09:33 rsasigkey
-rwxr-xr-x 1 root root 766 Dec 31 09:33 secrets
lrwxrwxrwx 1 root root 22 Dec 31 09:33 setup ->
/etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Dec 31 09:33 showdefaults
-rwxr-xr-x 1 root root 4845 Dec 31 09:33 showhostkey
-rwxr-xr-x 1 root root 60365 May 12 2008 showpolicy.old
-rwxr-xr-x 1 root root 325143 Dec 31 09:32 spi
-rwxr-xr-x 1 root root 164884 Dec 31 09:32 spigrp
-rwxr-xr-x 1 root root 24248 Dec 31 09:32 tncfg
-rwxr-xr-x 1 root root 13530 Dec 31 09:33 verify
-rwxr-xr-x 1 root root 159092 Dec 31 09:32 whack
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth0:132793090 810603 0 0 0 0 0 0 550397446 385084 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 0 0 0 3 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 3 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface   Destination  Gateway   Flags  RefCnt  Use  Metric  Mask      MTU  Window  IRTT
eth0    FC21410A     00000000  0001   0       0    0       FCFFFFFF  0    0       0
ipsec0  FC21410A     00000000  0001   0       0    0       FCFFFFFF  0    0       0
lo      0000007F     00000000  0001   0       0    0       000000FF  0    0       0
eth0    00000000     FE21410A  0003   0       0    1       00000000  0    0       0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
ipsec0/rp_filter ipsec1/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
ipsec0/rp_filter:0
ipsec1/rp_filter:0
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
ipsec0/rp_filter ipsec1/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
ipsec0/rp_filter:0
ipsec1/rp_filter:0
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/accept_redirects all/secure_redirects all/send_redirects
default/accept_redirects default/secure_redirects default/send_redirects
eth0/accept_redirects eth0/secure_redirects eth0/send_redirects
ipsec0/accept_redirects ipsec0/secure_redirects ipsec0/send_redirects
ipsec1/accept_redirects ipsec1/secure_redirects ipsec1/send_redirects
lo/accept_redirects lo/secure_redirects lo/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:0
default/accept_redirects:0
default/secure_redirects:1
default/send_redirects:0
eth0/accept_redirects:0
eth0/secure_redirects:1
eth0/send_redirects:0
ipsec0/accept_redirects:0
ipsec0/secure_redirects:1
ipsec0/send_redirects:0
ipsec1/accept_redirects:0
ipsec1/secure_redirects:1
ipsec1/send_redirects:0
lo/accept_redirects:1
lo/secure_redirects:1
lo/send_redirects:1
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+ uname -a
Linux windu 2.6.19-smp #1 SMP Tue Dec 30 20:03:07 MST 2008 i686 Intel(R)
Xeon(R) CPU E5335 @ 2.00GHz GenuineIntel GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ distro-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/redhat-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/debian-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/SuSE-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/mandrake-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/mandriva-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.4.13
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/local/libexec/ipsec/barf: line 305: no old-style linux 1.x/2.0
ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ test -r /sbin/ipchains
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
ipsec 351724 2 - Live 0xf90dd000
iptable_filter 6400 0 - Live 0xf8e93000
iptable_mangle 6144 0 - Live 0xf8cfd000
ip_tables 15172 2 iptable_filter,iptable_mangle, Live 0xf8fe4000
x_tables 15492 1 ip_tables, Live 0xf8fdf000
ipv6 241184 10 - Live 0xf903b000
pcmcia 33836 0 - Live 0xf8fea000
rsrc_nonstatic 14720 0 - Live 0xf8e8e000
pcmcia_core 36500 2 pcmcia,rsrc_nonstatic, Live 0xf8ed6000
tun 12032 0 - Live 0xf8cdc000
lp 13480 0 - Live 0xf8cc1000
parport_pc 27300 1 - Live 0xf8ece000
parport 34760 2 lp,parport_pc, Live 0xf8ec4000
fuse 41876 1 - Live 0xf8e96000
serio_raw 9220 0 - Live 0xf8ce0000
intel_agp 24348 1 - Live 0xf8e81000
e1000 118976 0 - Live 0xf8ea5000
agpgart 29256 1 intel_agp, Live 0xf8cf4000
psmouse 38280 0 - Live 0xf8ce9000
pcspkr 6528 0 - Live 0xf8cd9000
i2c_piix4 11148 0 - Live 0xf8cd5000
evdev 11904 1 - Live 0xf8cc6000
sg 30108 0 - Live 0xf8ccc000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 1031624 kB
MemFree: 62884 kB
Buffers: 263800 kB
Cached: 644056 kB
SwapCached: 0 kB
Active: 340152 kB
Inactive: 578588 kB
HighTotal: 131008 kB
HighFree: 512 kB
LowTotal: 900616 kB
LowFree: 62372 kB
SwapTotal: 1542232 kB
SwapFree: 1542232 kB
Dirty: 508 kB
Writeback: 0 kB
AnonPages: 10920 kB
Mapped: 7200 kB
Slab: 39420 kB
SReclaimable: 28696 kB
SUnreclaim: 10724 kB
PageTables: 500 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 2058044 kB
Committed_AS: 48792 kB
VmallocTotal: 114680 kB
VmallocUsed: 8660 kB
VmallocChunk: 105256 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug
/proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg
/proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Jan 5 10:12 /proc/net/ipsec_eroute ->
ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Jan 5 10:12 /proc/net/ipsec_klipsdebug ->
ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Jan 5 10:12 /proc/net/ipsec_spi ->
ipsec/spi/all
lrwxrwxrwx 1 root root 16 Jan 5 10:12 /proc/net/ipsec_spigrp ->
ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Jan 5 10:12 /proc/net/ipsec_tncfg ->
ipsec/tncfg
lrwxrwxrwx 1 root root 13 Jan 5 10:12 /proc/net/ipsec_version ->
ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM'
# CONFIG_IPC_NS is not set
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_FWMARK is not set
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_IPSEC_NAT_TRAVERSAL=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
# CONFIG_IPV6_ROUTER_PREF is not set
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_TUNNEL=m
# CONFIG_IP_NF_CONNTRACK is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
CONFIG_HW_RANDOM_GEODE=m
CONFIG_HW_RANDOM_VIA=m
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m
CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux. Note the '-' prefixing some
# of these entries; this omits syncing the file after every logging.
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performation loss if you're using
# programs that do heavy logging.
# Uncomment this to see kernel messages on the console.
#kern.*                                                 /dev/console
# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.info;*.!warn;\
        authpriv.none;cron.none;mail.none;news.none     -/var/log/messages
# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.warn;\
        authpriv.none;cron.none;mail.none;news.none     -/var/log/syslog
# Debugging information is logged here.
*.=debug                                                -/var/log/debug
# Private authentication message logging:
authpriv.*                                              -/var/log/secure
# Cron related logs:
cron.*                                                  -/var/log/cron
# Mail related logs:
mail.*                                                  -/var/log/maillog
# Emergency level messages go to all users:
*.emerg                                                 *
# This log is for news and uucp errors:
uucp,news.crit                                          -/var/log/spooler
# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit                                             -/var/log/news/news.crit
#news.=err                                              -/var/log/news/news.err
#news.notice                                            -/var/log/news/news.notice
+ _________________________ etc/syslog-ng/syslog-ng.conf
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search heartslc.com
nameserver 10.30.0.19
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 16
drwxr-xr-x 3 root root 4096 Apr 30 2008 2.6.24.5
drwxr-xr-x 3 root root 4096 May 11 2008 2.6.24.5-smp
drwxr-xr-x 3 root root 4096 Dec 31 09:37 2.6.19.7-smp
drwxr-xr-x 3 root root 4096 Dec 31 09:40 2.6.19-smp
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c05b3420 T __netif_rx_schedule
c05b4920 T netif_rx
c05b5e10 T netif_rx_ni
c05b4920 U netif_rx [ipsec]
c05b4920 U netif_rx [ipv6]
c05b5e10 U netif_rx_ni [tun]
c05b3420 U __netif_rx_schedule [e1000]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.19-smp:
2.6.19.7-smp:
2.6.24.5:
2.6.24.5-smp:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '18,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Jan 5 10:12:30 windu ipsec_setup: Starting Openswan IPsec 2.4.13...
Jan 5 10:12:31 windu ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
Jan 5 10:12:32 windu ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
Jan 5 10:12:33 windu ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
Jan 5 10:12:33 windu ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
Jan 5 10:12:33 windu ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
Jan 5 10:12:33 windu ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
Jan 5 10:12:34 windu ipsec__plutorun: 021 no connection named "packetdefault"
Jan 5 10:12:34 windu ipsec__plutorun: ...could not route conn "packetdefault"
Jan 5 10:12:34 windu ipsec__plutorun: 021 no connection named "block"
Jan 5 10:12:34 windu ipsec__plutorun: ...could not route conn "block"
Jan 5 10:12:34 windu ipsec__plutorun: 021 no connection named "clear-or-private"
Jan 5 10:12:34 windu ipsec__plutorun: ...could not route conn "clear-or-private"
Jan 5 10:12:34 windu ipsec__plutorun: 021 no connection named "clear"
Jan 5 10:12:34 windu ipsec__plutorun: ...could not route conn "clear"
Jan 5 10:12:34 windu ipsec__plutorun: 021 no connection named "private-or-clear"
Jan 5 10:12:34 windu ipsec__plutorun: ...could not route conn "private-or-clear"
Jan 5 10:12:34 windu ipsec__plutorun: 021 no connection named "private"
Jan 5 10:12:34 windu ipsec__plutorun: ...could not route conn "private"
+ _________________________ plog
+ sed -n '11,$p' /var/log/secure
+ egrep -i pluto
+ case "$1" in
+ cat
Jan 5 10:12:29 windu ipsec__plutorun: Starting Pluto subsystem...
Jan 5 10:12:30 windu pluto[348]: Starting Pluto (Openswan Version 2.4.13 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE`fijAufQMD)
Jan 5 10:12:30 windu pluto[348]: Setting NAT-Traversal port-4500 floating to on
Jan 5 10:12:30 windu pluto[348]: port floating activation criteria nat_t=1/port_fload=1
Jan 5 10:12:30 windu pluto[348]: including NAT-Traversal patch (Version 0.6c)
Jan 5 10:12:30 windu pluto[348]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan 5 10:12:30 windu pluto[348]: starting up 1 cryptographic helpers
Jan 5 10:12:30 windu pluto[348]: started helper pid=385 (fd:6)
Jan 5 10:12:30 windu pluto[348]: Using KLIPS IPsec interface code on 2.6.19-smp
Jan 5 10:12:30 windu pluto[348]: Changing to directory '/etc/ipsec.d/cacerts'
Jan 5 10:12:30 windu pluto[348]: Changing to directory '/etc/ipsec.d/aacerts'
Jan 5 10:12:30 windu pluto[348]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jan 5 10:12:30 windu pluto[348]: Changing to directory '/etc/ipsec.d/crls'
Jan 5 10:12:30 windu pluto[348]: Warning: empty directory
Jan 5 10:12:31 windu pluto[348]: added connection description "stmarks_pacs2"
Jan 5 10:12:32 windu pluto[348]: added connection description "stmarks_meditech"
Jan 5 10:12:32 windu pluto[348]: added connection description "stmarks_pacs"
Jan 5 10:12:32 windu pluto[348]: added connection description "stmarks_tracemaster"
Jan 5 10:12:33 windu pluto[348]: listening for IKE messages
Jan 5 10:12:33 windu pluto[348]: adding interface ipsec1/eth0:0 65.121.183.8:500
Jan 5 10:12:33 windu pluto[348]: adding interface ipsec1/eth0:0 65.121.183.8:4500
Jan 5 10:12:33 windu pluto[348]: adding interface ipsec0/eth0 10.65.33.253:500
Jan 5 10:12:33 windu pluto[348]: adding interface ipsec0/eth0 10.65.33.253:4500
Jan 5 10:12:33 windu pluto[348]: loading secrets from "/etc/ipsec.secrets"
+ _________________________ date
+ date
Mon Jan 5 10:12:42 MST 2009
windu
Mon Jan 5 12:46:30 MST 2009
+ _________________________ version
+ ipsec --version
Linux Openswan 2.4.13 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.19-smp (root@windu) (gcc version 4.2.3) #1 SMP Tue Dec 30 20:03:07 MST 2008
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
22         10.65.33.252/30    -> 10.162.187.18/32   => tun0x100a@199.91.34.69
117        10.65.33.252/30    -> 10.163.173.6/32    => tun0x100c@199.91.34.69
0          10.65.33.252/30    -> 10.163.173.23/32   => tun0x100e@199.91.34.69
271        10.65.33.252/30    -> 170.229.48.128/26  => tun0x1002@199.91.34.69
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.163.173.23   0.0.0.0         255.255.255.255 UH        0 0          0 ipsec0
10.163.173.6    0.0.0.0         255.255.255.255 UH        0 0          0 ipsec0
10.162.187.18   0.0.0.0         255.255.255.255 UH        0 0          0 ipsec0
10.65.33.252    0.0.0.0         255.255.255.252 U         0 0          0 eth0
10.65.33.252    0.0.0.0         255.255.255.252 U         0 0          0 ipsec0
170.229.48.128  0.0.0.0         255.255.255.192 U         0 0          0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         10.65.33.254    0.0.0.0         UG        0 0          0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
tun0x1001@10.65.33.253 IPIP: dir=in src=199.91.34.69 policy=170.229.48.128/26->10.65.33.252/30 flags=0x8<> life(c,s,h)=bytes(21572,0,0)addtime(6522,0,0)usetime(6083,0,0)packets(261,0,0) idle=2846 natencap=none natsport=0 natdport=0 refcount=4 ref=7
esp0xcc29b7a4@199.91.34.69 ESP_3DES_HMAC_SHA1: dir=out src=10.65.33.253 iv_bits=64bits iv=0xaa278564e8845690 ooowin=64 seq=117 alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(25048,0,0)addtime(4703,0,0)usetime(4520,0,0)packets(117,0,0) idle=2815 natencap=none natsport=0 natdport=0 refcount=4 ref=63
tun0x100e@199.91.34.69 IPIP: dir=out src=10.65.33.253 life(c,s,h)=addtime(2333,0,0) natencap=none natsport=0 natdport=0 refcount=4 ref=76
esp0x824bfd5f@199.91.34.69 ESP_3DES_HMAC_SHA1: dir=out src=10.65.33.253 iv_bits=64bits iv=0xba525deff73b014b ooowin=64 seq=271 alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(27464,0,0)addtime(6522,0,0)usetime(6083,0,0)packets(271,0,0) idle=163 natencap=none natsport=0 natdport=0 refcount=4 ref=13
tun0x100c@199.91.34.69 IPIP: dir=out src=10.65.33.253 life(c,s,h)=bytes(20883,0,0)addtime(4703,0,0)usetime(4520,0,0)packets(117,0,0) idle=2815 natencap=none natsport=0 natdport=0 refcount=121 ref=62
tun0x100a@199.91.34.69 IPIP: dir=out src=10.65.33.253 life(c,s,h)=bytes(4245,0,0)addtime(4703,0,0)usetime(4509,0,0)packets(22,0,0) idle=2757 natencap=none natsport=0 natdport=0 refcount=26 ref=52
tun0x1002@199.91.34.69 IPIP: dir=out src=10.65.33.253 life(c,s,h)=bytes(18273,0,0)addtime(6522,0,0)usetime(6083,0,0)packets(271,0,0) idle=163 natencap=none natsport=0 natdport=0 refcount=275 ref=12
esp0xa1558956@10.65.33.253 ESP_3DES_HMAC_SHA1: dir=in src=199.91.34.69 iv_bits=64bits iv=0x0cc0c86d5a941761 ooowin=64 alen=160 aklen=160 eklen=192 life(c,s,h)=addtime(2333,0,0) natencap=none natsport=0 natdport=0 refcount=4 ref=72
esp0xa1558955@10.65.33.253 ESP_3DES_HMAC_SHA1: dir=in src=199.91.34.69 iv_bits=64bits iv=0x279d03338889537e ooowin=64 seq=158 bit=0xfffffffff7fffff7 max_seq_diff=1 alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(164132,0,0)addtime(4703,0,0)usetime(4520,0,0)packets(155,0,0) idle=2815 natencap=none natsport=0 natdport=0 refcount=159 ref=58
esp0xa1558954@10.65.33.253 ESP_3DES_HMAC_SHA1: dir=in src=199.91.34.69 iv_bits=64bits iv=0x2c26934fc1989d8f ooowin=64 seq=22 bit=0x3fffff alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(9057,0,0)addtime(4703,0,0)usetime(4509,0,0)packets(22,0,0) idle=2628 natencap=none natsport=0 natdport=0 refcount=26 ref=48
esp0xa1558950@10.65.33.253 ESP_3DES_HMAC_SHA1: dir=in src=199.91.34.69 iv_bits=64bits iv=0x2e09d794d3cb3b4f ooowin=64 seq=267 bit=0xffffebffffffffff max_seq_diff=1 alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(21572,0,0)addtime(6522,0,0)usetime(6083,0,0)packets(261,0,0) idle=2846 natencap=none natsport=0 natdport=0 refcount=265 ref=8
esp0x3dce2648@199.91.34.69 ESP_3DES_HMAC_SHA1: dir=out src=10.65.33.253 iv_bits=64bits iv=0xc85d3b7a2741b9cd ooowin=64 seq=22 alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(5024,0,0)addtime(4703,0,0)usetime(4509,0,0)packets(22,0,0) idle=2757 natencap=none natsport=0 natdport=0 refcount=4 ref=53
esp0x8fe9e232@199.91.34.69 ESP_3DES_HMAC_SHA1: dir=out src=10.65.33.253 iv_bits=64bits iv=0x4b577a5a965036c5 ooowin=64 alen=160 aklen=160 eklen=192 life(c,s,h)=addtime(2333,0,0) natencap=none natsport=0 natdport=0 refcount=4 ref=77
tun0x100d@10.65.33.253 IPIP: dir=in src=199.91.34.69 policy=10.163.173.23/32->10.65.33.252/30 flags=0x8<> life(c,s,h)=addtime(2333,0,0) natencap=none natsport=0 natdport=0 refcount=4 ref=71
tun0x100b@10.65.33.253 IPIP: dir=in src=199.91.34.69 policy=10.163.173.6/32->10.65.33.252/30 flags=0x8<> life(c,s,h)=bytes(164132,0,0)addtime(4703,0,0)usetime(4520,0,0)packets(155,0,0) idle=2815 natencap=none natsport=0 natdport=0 refcount=4 ref=57
tun0x1009@10.65.33.253 IPIP: dir=in src=199.91.34.69 policy=10.162.187.18/32->10.65.33.252/30 flags=0x8<> life(c,s,h)=bytes(9057,0,0)addtime(4703,0,0)usetime(4509,0,0)packets(22,0,0) idle=2628 natencap=none natsport=0 natdport=0 refcount=4 ref=47
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1001@10.65.33.253 esp0xa1558950@10.65.33.253
tun0x100e@199.91.34.69 esp0x8fe9e232@199.91.34.69
tun0x100c@199.91.34.69 esp0xcc29b7a4@199.91.34.69
tun0x100a@199.91.34.69 esp0x3dce2648@199.91.34.69
tun0x1002@199.91.34.69 esp0x824bfd5f@199.91.34.69
tun0x100d@10.65.33.253 esp0xa1558956@10.65.33.253
tun0x100b@10.65.33.253 esp0xa1558955@10.65.33.253
tun0x1009@10.65.33.253 esp0xa1558954@10.65.33.253
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 10.65.33.253
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,11,36} trans={0,11,72} attrs={0,11,48}
000
000 "stmarks_meditech": 10.65.33.252/30===10.65.33.253...199.91.34.69===170.229.48.128/26; erouted; eroute owner: #2
000 "stmarks_meditech": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "stmarks_meditech": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "stmarks_meditech": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE; prio: 30,26; interface: eth0; encap: esp;
000 "stmarks_meditech": newest ISAKMP SA: #0; newest IPsec SA: #2;
000 "stmarks_meditech": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "stmarks_meditech": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "stmarks_meditech": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
000 "stmarks_meditech": ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
000 "stmarks_meditech": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<N/A>
000 "stmarks_pacs": 10.65.33.252/30===10.65.33.253...199.91.34.69===10.162.187.18/32; erouted; eroute owner: #6
000 "stmarks_pacs": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "stmarks_pacs": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "stmarks_pacs": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE; prio: 30,32; interface: eth0; encap: esp;
000 "stmarks_pacs": newest ISAKMP SA: #0; newest IPsec SA: #6;
000 "stmarks_pacs": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "stmarks_pacs": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "stmarks_pacs": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
000 "stmarks_pacs": ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
000 "stmarks_pacs": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<N/A>
000 "stmarks_pacs2": 10.65.33.252/30===10.65.33.253...199.91.34.69===10.163.173.23/32; erouted; eroute owner: #9
000 "stmarks_pacs2": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "stmarks_pacs2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "stmarks_pacs2": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE; prio: 30,32; interface: eth0; encap: esp;
000 "stmarks_pacs2": newest ISAKMP SA: #0; newest IPsec SA: #9;
000 "stmarks_pacs2": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "stmarks_pacs2": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "stmarks_pacs2": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
000 "stmarks_pacs2": ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
000 "stmarks_pacs2": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<N/A>
000 "stmarks_tracemaster": 10.65.33.252/30===10.65.33.253...199.91.34.69===10.163.173.6/32; erouted; eroute owner: #7
000 "stmarks_tracemaster": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "stmarks_tracemaster": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "stmarks_tracemaster": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE; prio: 30,32; interface: eth0; encap: esp;
000 "stmarks_tracemaster": newest ISAKMP SA: #0; newest IPsec SA: #7;
000 "stmarks_tracemaster": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "stmarks_tracemaster": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "stmarks_tracemaster": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
000 "stmarks_tracemaster": ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
000 "stmarks_tracemaster": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<N/A>
000
000 #2: "stmarks_meditech":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 21635s; newest IPSEC; eroute owner
000 #2: "stmarks_meditech" used 56s ago; esp.824bfd5f@199.91.34.69 esp.a1558950@10.65.33.253 tun.1002@199.91.34.69 tun.1001@10.65.33.253
000 #6: "stmarks_pacs":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 23482s; newest IPSEC; eroute owner
000 #6: "stmarks_pacs" used 2696s ago; esp.3dce2648@199.91.34.69 esp.a1558954@10.65.33.253 tun.100a@199.91.34.69 tun.1009@10.65.33.253
000 #9: "stmarks_pacs2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25488s; newest IPSEC; eroute owner
000 #9: "stmarks_pacs2" esp.8fe9e232@199.91.34.69 esp.a1558956@10.65.33.253 tun.100e@199.91.34.69 tun.100d@10.65.33.253
000 #7: "stmarks_tracemaster":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 23428s; newest IPSEC; eroute owner
000 #7: "stmarks_tracemaster" used 2696s ago; esp.cc29b7a4@199.91.34.69 esp.a1558955@10.65.33.253 tun.100c@199.91.34.69 tun.100b@10.65.33.253
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0c:29:28:42:ff
          inet addr:10.65.33.253  Bcast:10.65.33.255  Mask:255.255.255.252
          inet6 addr: fe80::20c:29ff:fe28:42ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25920 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3329 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3911234 (3.7 MiB)  TX bytes:588397 (574.6 KiB)
          Base address:0x1070 Memory:e8820000-e8840000
ipsec0    Link encap:Ethernet  HWaddr 00:0c:29:28:42:ff
          inet addr:10.65.33.253  Mask:255.255.255.252
          inet6 addr: fe80::20c:29ff:fe28:42ff/64 Scope:Link
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:457 errors:0 dropped:0 overruns:0 frame:0
          TX packets:432 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:195933 (191.3 KiB)  TX bytes:67856 (66.2 KiB)
ipsec1    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ipsec2    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ipsec3    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:28:42:ff brd ff:ff:ff:ff:ff:ff
inet 10.65.33.253/30 brd 10.65.33.255 scope global eth0
inet6 fe80::20c:29ff:fe28:42ff/64 scope link
valid_lft forever preferred_lft forever
11: ipsec0: <NOARP,UP,10000> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:0c:29:28:42:ff brd ff:ff:ff:ff:ff:ff
inet 10.65.33.253/30 brd 10.65.33.255 scope global ipsec0
inet6 fe80::20c:29ff:fe28:42ff/64 scope link
valid_lft forever preferred_lft forever
12: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/void
13: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/void
14: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/void
+ _________________________ ip-route-list
+ ip route list
10.163.173.23 dev ipsec0 scope link
10.163.173.6 dev ipsec0 scope link
10.162.187.18 dev ipsec0 scope link
10.65.33.252/30 dev eth0 proto kernel scope link src 10.65.33.253
10.65.33.252/30 dev ipsec0 proto kernel scope link src 10.65.33.253
170.229.48.128/26 dev ipsec0 scope link
127.0.0.0/8 dev lo scope link
default via 10.65.33.254 dev eth0 metric 1
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.13 (klips)
Checking for IPsec support in kernel                            [OK]
KLIPS detected, checking for NAT Traversal support              [OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets)     [OK]
Checking that pluto is running                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: windu                   [MISSING]
   Does the machine have at least one non-private address?      [FAILED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 1000baseT-FD flow-control, link ok
product info: Yukon 88E1011 rev 3
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
windu.heartslc.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.65.33.253
+ _________________________ uptime
+ uptime
12:46:33 up 2:03, 2 users, load average: 1.96, 1.85, 1.83
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 5979 24569 21 0 2772 1380 - R+ pts/1 0:00 \_ /bin/sh /usr/local/libexec/ipsec/barf
1 0 4548 1 25 0 2344 436 wait S pts/1 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal no --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
1 0 4558 4548 25 0 2344 612 wait S pts/1 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal no --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
4 0 4637 4558 15 0 2732 1388 - S pts/1 0:00 | \_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
1 0 4638 4637 26 10 2660 524 - SN pts/1 0:00 | \_ pluto helper # 0
0 0 4639 4637 25 0 1632 304 429496 S pts/1 0:00 | \_ _pluto_adns
0 0 4560 4548 17 0 2316 1060 pipe_w S pts/1 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0 0 4559 1 18 0 1692 532 pipe_w S pts/1 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    forwardcontrol=yes
    interfaces="ipsec0=eth0"
    nat_traversal=no
    plutowait=no
    uniqueids=yes
conn stmarks_meditech
    aggrmode=yes
    auth=esp
    authby=secret
    auto=add
    compress=no
    esp=3des-sha1
    ike=3des-sha1-modp1024
    keyexchange=ike
    keyingtries=3
    left=10.65.33.253
    leftsubnet=10.65.33.252/30
    pfs=no
    right=199.91.34.69
    rightsubnet=170.229.48.128/26
    type=tunnel
    #leftprotoport=17/500
    #rightprotoport=17/500
conn stmarks_pacs
    aggrmode=yes
    #leftprotoport=17/500
    #rightprotoport=17/500
    auth=esp
    authby=secret
    auto=add
    compress=no
    esp=3des-sha1
    ike=3des-sha1-modp1024
    keyexchange=ike
    keyingtries=3
    left=10.65.33.253
    leftsubnet=10.65.33.252/30
    pfs=no
    right=199.91.34.69
    rightsubnet=10.162.187.18/32
    type=tunnel
conn stmarks_tracemaster
    aggrmode=yes
    auth=esp
    authby=secret
    auto=add
    compress=no
    esp=3des-sha1
    ike=3des-sha1-modp1024
    keyexchange=ike
    keyingtries=3
    left=10.65.33.253
    leftsubnet=10.65.33.252/30
    pfs=no
    right=199.91.34.69
    rightsubnet=10.163.173.6/32
    type=tunnel
    #leftprotoport=17/500
    #rightprotoport=17/500
conn stmarks_pacs2
    aggrmode=yes
    auth=esp
    authby=secret
    auto=add
    compress=no
    esp=3des-sha1
    ike=3des-sha1-modp1024
    keyexchange=ike
    keyingtries=3
    left=10.65.33.253
    leftsubnet=10.65.33.252/30
    pfs=no
    right=199.91.34.69
    rightsubnet=10.163.173.23/32
    type=tunnel
    #leftprotoport=17/500
    #rightprotoport=17/500
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits windu Tue Nov 25 18:56:50 2008
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQNmyHZSA]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
: PSK "[sums to 92d6...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003-02-17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4.30.3 2006-11-21 19:49:51 paul Exp $
#
#
# Michael's idea: Always have ROOT NAMESERVERS in the clear.
# It will make OE work much better on machines running caching
# resolvers.
#
# Based on: http://www.internic.net/zones/named.root
# This file holds the information on root name servers needed to
# last update: Jan 29, 2004
# related version of root zone: 2004012900
0.0.0.0/0
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003-02-17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003-02-17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003-02-17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 116
-rwxr-xr-x 1 root root 15848 Dec 31 09:33 _confread
-rwxr-xr-x 1 root root 14289 Dec 31 09:33 _copyright
-rwxr-xr-x 1 root root 2379 Dec 31 09:33 _include
-rwxr-xr-x 1 root root 1475 Dec 31 09:33 _keycensor
-rwxr-xr-x 1 root root 3648 Dec 31 09:33 _plutoload
-rwxr-xr-x 1 root root 8069 Dec 31 09:33 _plutorun
-rwxr-xr-x 1 root root 12324 Dec 31 09:33 _realsetup
-rwxr-xr-x 1 root root 1975 Dec 31 09:33 _secretcensor
-rwxr-xr-x 1 root root 11102 Dec 31 09:33 _startklips
-rwxr-xr-x 1 root root 13918 Dec 31 09:33 _updown
-rwxr-xr-x 1 root root 15746 Dec 31 09:33 _updown_x509
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 4548
-rwxr-xr-x 1 root root 28489 Dec 31 09:32 _pluto_adns
-rwxr-xr-x 1 root root 375943 May 12 2008 addconn.old
-rwxr-xr-x 1 root root 18891 Dec 31 09:33 auto
-rwxr-xr-x 1 root root 11367 Dec 31 09:33 barf
-rwxr-xr-x 1 root root 816 Dec 31 09:33 calcgoo
-rwxr-xr-x 1 root root 199893 Dec 31 09:32 eroute
-rwxr-xr-x 1 root root 65085 Dec 31 09:33 ikeping
-rwxr-xr-x 1 root root 129819 Dec 31 09:32 klipsdebug
-rwxr-xr-x 1 root root 1836 Dec 31 09:33 livetest
-rwxr-xr-x 1 root root 2604 Dec 31 09:33 look
-rwxr-xr-x 1 root root 839794 May 12 2008 lwdnsq.old
-rwxr-xr-x 1 root root 7094 Dec 31 09:33 mailkey
-rwxr-xr-x 1 root root 16015 Dec 31 09:33 manual
-rwxr-xr-x 1 root root 1951 Dec 31 09:33 newhostkey
-rwxr-xr-x 1 root root 115216 Dec 31 09:32 pf_key
-rwxr-xr-x 1 root root 1914326 Dec 31 09:32 pluto
-rwxr-xr-x 1 root root 21174 Dec 31 09:33 ranbits
-rwxr-xr-x 1 root root 50625 Dec 31 09:33 rsasigkey
-rwxr-xr-x 1 root root 766 Dec 31 09:33 secrets
lrwxrwxrwx 1 root root 22 Dec 31 09:33 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Dec 31 09:33 showdefaults
-rwxr-xr-x 1 root root 4845 Dec 31 09:33 showhostkey
-rwxr-xr-x 1 root root 60365 May 12 2008 showpolicy.old
-rwxr-xr-x 1 root root 325143 Dec 31 09:32 spi
-rwxr-xr-x 1 root root 164884 Dec 31 09:32 spigrp
-rwxr-xr-x 1 root root 24248 Dec 31 09:32 tncfg
-rwxr-xr-x 1 root root 13530 Dec 31 09:33 verify
-rwxr-xr-x 1 root root 159092 Dec 31 09:32 whack
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0: 3912857   25935    0    0    0     0          0         0   588765    3333    0    0    0     0       0          0
ipsec0:  195933     457    0    0    0     0          0         0    67856     432    0    3    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt
Use Metric Mask MTU Window
IRTT
ipsec0 17ADA30A 00000000 0005 0
0 0 FFFFFFFF 0 0
0
ipsec0 06ADA30A 00000000 0005 0
0 0 FFFFFFFF 0 0
0
ipsec0 12BBA20A 00000000 0005 0
0 0 FFFFFFFF 0 0
0
eth0 FC21410A 00000000 0001 0
0 0 FCFFFFFF 0 0
0
ipsec0 FC21410A 00000000 0001 0
0 0 FCFFFFFF 0 0
0
ipsec0 8030E5AA 00000000 0001 0
0 0 C0FFFFFF 0 0
0
lo 0000007F 00000000 0001 0
0 0 000000FF 0 0
0
eth0 00000000 FE21410A 0003 0
0 1 00000000 0 0
0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/accept_redirects all/secure_redirects all/send_redirects
default/accept_redirects default/secure_redirects default/send_redirects
eth0/accept_redirects eth0/secure_redirects eth0/send_redirects
ipsec0/accept_redirects ipsec0/secure_redirects ipsec0/send_redirects
lo/accept_redirects lo/secure_redirects lo/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:0
default/accept_redirects:0
default/secure_redirects:1
default/send_redirects:0
eth0/accept_redirects:0
eth0/secure_redirects:1
eth0/send_redirects:0
ipsec0/accept_redirects:0
ipsec0/secure_redirects:1
ipsec0/send_redirects:0
lo/accept_redirects:1
lo/secure_redirects:1
lo/send_redirects:1
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+ uname -a
Linux windu 2.6.19-smp #1 SMP Tue Dec 30 20:03:07 MST 2008 i686 Intel(R)
Xeon(R) CPU E5335 @ 2.00GHz GenuineIntel GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ distro-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/redhat-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/debian-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/SuSE-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/mandrake-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/mandriva-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.4.13
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/local/libexec/ipsec/barf: line 305: no old-style linux 1.x/2.0
ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ test -r /sbin/ipchains
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
ipsec 351724 2 - Live 0xf90d3000
iptable_mangle 6144 0 - Live 0xf8fea000
iptable_filter 6400 0 - Live 0xf8fa9000
ip_tables 15172 2 iptable_mangle,iptable_filter, Live 0xf8fdb000
x_tables 15492 1 ip_tables, Live 0xf8cfb000
ipv6 241184 10 - Live 0xf9031000
pcmcia 33836 0 - Live 0xf8fe0000
rsrc_nonstatic 14720 0 - Live 0xf8f9f000
pcmcia_core 36500 2 pcmcia,rsrc_nonstatic, Live 0xf8fcb000
tun 12032 0 - Live 0xf8cf1000
lp 13480 0 - Live 0xf8cc1000
parport_pc 27300 1 - Live 0xf8fc3000
parport 34760 2 lp,parport_pc, Live 0xf8fb9000
fuse 41876 1 - Live 0xf8fad000
serio_raw 9220 0 - Live 0xf8cf5000
psmouse 38280 0 - Live 0xf8eb1000
e1000 118976 0 - Live 0xf8e81000
intel_agp 24348 1 - Live 0xf8cdc000
pcspkr 6528 0 - Live 0xf8cd9000
agpgart 29256 1 intel_agp, Live 0xf8ce3000
i2c_piix4 11148 0 - Live 0xf8cd5000
evdev 11904 1 - Live 0xf8cc6000
sg 30108 0 - Live 0xf8ccc000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 1031624 kB
MemFree: 870924 kB
Buffers: 21524 kB
Cached: 103788 kB
SwapCached: 0 kB
Active: 91300 kB
Inactive: 45720 kB
HighTotal: 131008 kB
HighFree: 8156 kB
LowTotal: 900616 kB
LowFree: 862768 kB
SwapTotal: 1542232 kB
SwapFree: 1542232 kB
Dirty: 380 kB
Writeback: 0 kB
AnonPages: 11720 kB
Mapped: 7268 kB
Slab: 13672 kB
SReclaimable: 6240 kB
SUnreclaim: 7432 kB
PageTables: 504 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 2058044 kB
Committed_AS: 36596 kB
VmallocTotal: 114680 kB
VmallocUsed: 8660 kB
VmallocChunk: 105296 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug
/proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg
/proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Jan 5 12:46 /proc/net/ipsec_eroute ->
ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Jan 5 12:46 /proc/net/ipsec_klipsdebug ->
ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Jan 5 12:46 /proc/net/ipsec_spi ->
ipsec/spi/all
lrwxrwxrwx 1 root root 16 Jan 5 12:46 /proc/net/ipsec_spigrp ->
ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Jan 5 12:46 /proc/net/ipsec_tncfg ->
ipsec/tncfg
lrwxrwxrwx 1 root root 13 Jan 5 12:46 /proc/net/ipsec_version ->
ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep
'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_H
W_RANDOM|CONFIG_CRYPTO_DEV|_XFRM'
# CONFIG_IPC_NS is not set
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_FWMARK is not set
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_IPSEC_NAT_TRAVERSAL=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
# CONFIG_IPV6_ROUTER_PREF is not set
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_TUNNEL=m
# CONFIG_IP_NF_CONNTRACK is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
CONFIG_HW_RANDOM_GEODE=m
CONFIG_HW_RANDOM_VIA=m
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m
CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux. Note the '-' prefixing some
# of these entries; this omits syncing the file after every logging.
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performation loss if you're using
# programs that do heavy logging.
# Uncomment this to see kernel messages on the console.
#kern.*
/dev/console
# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.info;*.!warn;\
authpriv.none;cron.none;mail.none;news.none
-/var/log/messages
# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.warn;\
authpriv.none;cron.none;mail.none;news.none
-/var/log/syslog
# Debugging information is logged here.
*.=debug
-/var/log/debug
# Private authentication message logging:
authpriv.*
-/var/log/secure
# Cron related logs:
cron.*
-/var/log/cron
# Mail related logs:
mail.*
-/var/log/maillog
# Emergency level messages go to all users:
*.emerg
*
# This log is for news and uucp errors:
uucp,news.crit
-/var/log/spooler
# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit
-/var/log/news/news.crit
#news.=err
-/var/log/news/news.err
#news.notice
-/var/log/news/news.notice
+ _________________________ etc/syslog-ng/syslog-ng.conf
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search heartslc.com
nameserver 10.30.0.19
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 16
drwxr-xr-x 3 root root 4096 Apr 30 2008 2.6.24.5
drwxr-xr-x 3 root root 4096 May 11 2008 2.6.24.5-smp
drwxr-xr-x 3 root root 4096 Dec 31 09:37 2.6.19.7-smp
drwxr-xr-x 3 root root 4096 Dec 31 09:40 2.6.19-smp
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c05b3420 T __netif_rx_schedule
c05b4920 T netif_rx
c05b5e10 T netif_rx_ni
c05b4920 U netif_rx [ipsec]
c05b4920 U netif_rx [ipv6]
c05b5e10 U netif_rx_ni [tun]
c05b3420 U __netif_rx_schedule [e1000]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.19-smp:
2.6.19.7-smp:
2.6.24.5:
2.6.24.5-smp:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '280,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Jan 5 10:57:35 windu ipsec_setup: Starting Openswan IPsec 2.4.13...
Jan 5 10:57:36 windu ipsec__plutorun: ipsec_auto: fatal error in
"packetdefault": %defaultroute requested but not known
Jan 5 10:57:36 windu ipsec__plutorun: ipsec_auto: fatal error in
"block": %defaultroute requested but not known
Jan 5 10:57:37 windu ipsec__plutorun: ipsec_auto: fatal error in
"clear-or-private": %defaultroute requested but not known
Jan 5 10:57:38 windu ipsec__plutorun: ipsec_auto: fatal error in
"clear": %defaultroute requested but not known
Jan 5 10:57:38 windu ipsec__plutorun: ipsec_auto: fatal error in
"private-or-clear": %defaultroute requested but not known
Jan 5 10:57:38 windu ipsec__plutorun: ipsec_auto: fatal error in
"private": %defaultroute requested but not known
Jan 5 10:57:38 windu ipsec__plutorun: 021 no connection named
"packetdefault"
Jan 5 10:57:38 windu ipsec__plutorun: ...could not route conn
"packetdefault"
Jan 5 10:57:38 windu ipsec__plutorun: 021 no connection named "block"
Jan 5 10:57:38 windu ipsec__plutorun: ...could not route conn "block"
Jan 5 10:57:38 windu ipsec__plutorun: 021 no connection named
"clear-or-private"
Jan 5 10:57:39 windu ipsec__plutorun: ...could not route conn
"clear-or-private"
Jan 5 10:57:39 windu ipsec__plutorun: 021 no connection named "clear"
Jan 5 10:57:39 windu ipsec__plutorun: ...could not route conn "clear"
Jan 5 10:57:39 windu ipsec__plutorun: 021 no connection named
"private-or-clear"
Jan 5 10:57:39 windu ipsec__plutorun: ...could not route conn
"private-or-clear"
Jan 5 10:57:39 windu ipsec__plutorun: 021 no connection named "private"
Jan 5 10:57:39 windu ipsec__plutorun: ...could not route conn "private"
+ _________________________ plog
+ sed -n '265,$p' /var/log/secure
+ egrep -i pluto
+ case "$1" in
+ cat
Jan 5 10:57:34 windu ipsec__plutorun: Starting Pluto subsystem...
Jan 5 10:57:35 windu pluto[4637]: Starting Pluto (Openswan Version
2.4.13 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE`fijAufQMD)
Jan 5 10:57:35 windu pluto[4637]: Setting NAT-Traversal port-4500
floating to off
Jan 5 10:57:35 windu pluto[4637]: port floating activation criteria
nat_t=0/port_fload=1
Jan 5 10:57:35 windu pluto[4637]: including NAT-Traversal patch
(Version 0.6c) [disabled]
Jan 5 10:57:35 windu pluto[4637]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Jan 5 10:57:35 windu pluto[4637]: starting up 1 cryptographic helpers
Jan 5 10:57:35 windu pluto[4637]: started helper pid=4638 (fd:6)
Jan 5 10:57:35 windu pluto[4637]: Using KLIPS IPsec interface code on
2.6.19-smp
Jan 5 10:57:35 windu pluto[4637]: Changing to directory
'/etc/ipsec.d/cacerts'
Jan 5 10:57:35 windu pluto[4637]: Changing to directory
'/etc/ipsec.d/aacerts'
Jan 5 10:57:35 windu pluto[4637]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Jan 5 10:57:35 windu pluto[4637]: Changing to directory
'/etc/ipsec.d/crls'
Jan 5 10:57:35 windu pluto[4637]: Warning: empty directory
Jan 5 10:57:35 windu pluto[4637]: added connection description
"stmarks_pacs2"
Jan 5 10:57:37 windu pluto[4637]: added connection description
"stmarks_meditech"
Jan 5 10:57:37 windu pluto[4637]: added connection description
"stmarks_pacs"
Jan 5 10:57:37 windu pluto[4637]: added connection description
"stmarks_tracemaster"
Jan 5 10:57:38 windu pluto[4637]: listening for IKE messages
Jan 5 10:57:38 windu pluto[4637]: adding interface ipsec0/eth0
10.65.33.253:500
Jan 5 10:57:38 windu pluto[4637]: loading secrets from
"/etc/ipsec.secrets"
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #1: initiating
Aggressive Mode #1, connection "stmarks_meditech"
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #1: received
Vendor ID payload [Cisco-Unity]
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #1: received
Vendor ID payload [XAUTH]
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #1: received
Vendor ID payload [Dead Peer Detection]
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #1: ignoring
Vendor ID payload [FRAGMENTATION c0000000]
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #1: ignoring
Vendor ID payload [Cisco VPN 3000 Series]
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #1: protocol/port
in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #1: Aggressive
mode peer ID is ID_IPV4_ADDR: '199.91.34.69'
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #1: protocol/port
in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #1: Aggressive
mode peer ID is ID_IPV4_ADDR: '199.91.34.69'
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #1: transition
from state STATE_AGGR_I1 to state STATE_AGGR_I2
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #1: STATE_AGGR_I2:
sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jan 5 10:57:47 windu pluto[4637]: "stmarks_meditech" #2: initiating
Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Jan 5 10:57:48 windu pluto[4637]: "stmarks_meditech" #2: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 5 10:57:48 windu pluto[4637]: "stmarks_meditech" #2:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x824bfd5f
<0xa1558950 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Jan 5 10:57:49 windu pluto[4637]: "stmarks_pacs" #3: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Jan 5 10:57:50 windu pluto[4637]: "stmarks_pacs" #3: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 5 10:57:50 windu pluto[4637]: "stmarks_pacs" #3: STATE_QUICK_I2:
sent QI2, IPsec SA established {ESP=>0xdf4e67d5 <0xa1558951
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Jan 5 10:57:51 windu pluto[4637]: "stmarks_tracemaster" #4: initiating
Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Jan 5 10:57:52 windu pluto[4637]: "stmarks_tracemaster" #4: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 5 10:57:52 windu pluto[4637]: "stmarks_tracemaster" #4:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2811a7fb
<0xa1558952 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Jan 5 10:57:53 windu pluto[4637]: "stmarks_pacs2" #5: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Jan 5 10:57:53 windu pluto[4637]: "stmarks_pacs2" #5: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 5 10:57:53 windu pluto[4637]: "stmarks_pacs2" #5: STATE_QUICK_I2:
sent QI2, IPsec SA established {ESP=>0x8cbcff6f <0xa1558953
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Jan 5 11:27:57 windu pluto[4637]: "stmarks_meditech" #1: received
Delete SA payload: replace IPSEC State #4 in 10 seconds
Jan 5 11:27:57 windu pluto[4637]: "stmarks_meditech" #1: received and
ignored informational message
Jan 5 11:27:57 windu pluto[4637]: "stmarks_meditech" #1: received
Delete SA payload: replace IPSEC State #3 in 10 seconds
Jan 5 11:27:57 windu pluto[4637]: "stmarks_meditech" #1: received and
ignored informational message
Jan 5 11:28:07 windu pluto[4637]: "stmarks_pacs" #6: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE to replace #3 {using isakmp#1}
Jan 5 11:28:07 windu pluto[4637]: "stmarks_tracemaster" #7: initiating
Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE to replace #4 {using
isakmp#1}
Jan 5 11:28:07 windu pluto[4637]: "stmarks_pacs" #6: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 5 11:28:07 windu pluto[4637]: "stmarks_pacs" #6: STATE_QUICK_I2:
sent QI2, IPsec SA established {ESP=>0x3dce2648 <0xa1558954
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Jan 5 11:28:07 windu pluto[4637]: "stmarks_tracemaster" #7: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 5 11:28:07 windu pluto[4637]: "stmarks_tracemaster" #7:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xcc29b7a4
<0xa1558955 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Jan 5 11:40:14 windu pluto[4637]: "stmarks_meditech" #8: initiating
Aggressive Mode #8 to replace #1, connection "stmarks_meditech"
Jan 5 11:40:14 windu pluto[4637]: "stmarks_meditech" #8: received
Vendor ID payload [Cisco-Unity]
Jan 5 11:40:14 windu pluto[4637]: "stmarks_meditech" #8: received
Vendor ID payload [XAUTH]
Jan 5 11:40:14 windu pluto[4637]: "stmarks_meditech" #8: received
Vendor ID payload [Dead Peer Detection]
Jan 5 11:40:14 windu pluto[4637]: "stmarks_meditech" #8: ignoring
Vendor ID payload [FRAGMENTATION c0000000]
Jan 5 11:40:14 windu pluto[4637]: "stmarks_meditech" #8: ignoring
Vendor ID payload [Cisco VPN 3000 Series]
Jan 5 11:40:14 windu pluto[4637]: "stmarks_meditech" #8: protocol/port
in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Jan 5 11:40:14 windu pluto[4637]: "stmarks_meditech" #8: Aggressive
mode peer ID is ID_IPV4_ADDR: '199.91.34.69'
Jan 5 11:40:14 windu pluto[4637]: "stmarks_meditech" #8: protocol/port
in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Jan 5 11:40:14 windu pluto[4637]: "stmarks_meditech" #8: Aggressive
mode peer ID is ID_IPV4_ADDR: '199.91.34.69'
Jan 5 11:40:14 windu pluto[4637]: "stmarks_meditech" #8: transition
from state STATE_AGGR_I1 to state STATE_AGGR_I2
Jan 5 11:40:14 windu pluto[4637]: "stmarks_meditech" #8: STATE_AGGR_I2:
sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jan 5 12:07:27 windu pluto[4637]: "stmarks_meditech" #8: received
Delete SA payload: replace IPSEC State #5 in 10 seconds
Jan 5 12:07:27 windu pluto[4637]: "stmarks_meditech" #8: received and
ignored informational message
Jan 5 12:07:37 windu pluto[4637]: "stmarks_pacs2" #9: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE to replace #5 {using isakmp#8}
Jan 5 12:07:37 windu pluto[4637]: "stmarks_pacs2" #9: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 5 12:07:37 windu pluto[4637]: "stmarks_pacs2" #9: STATE_QUICK_I2:
sent QI2, IPsec SA established {ESP=>0x8fe9e232 <0xa1558956
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Jan 5 12:25:14 windu pluto[4637]: packet from 199.91.34.69:500:
received Vendor ID payload [Cisco-Unity]
Jan 5 12:25:14 windu pluto[4637]: packet from 199.91.34.69:500:
received Vendor ID payload [XAUTH]
Jan 5 12:25:14 windu pluto[4637]: packet from 199.91.34.69:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but port floating is off
Jan 5 12:25:14 windu pluto[4637]: packet from 199.91.34.69:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
port floating is off
Jan 5 12:25:14 windu pluto[4637]: packet from 199.91.34.69:500:
ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: protocol/port in
Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: Aggressive mode
peer ID is ID_IPV4_ADDR: '199.91.34.69'
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: responding to
Aggressive Mode, state #10, connection "stmarks_pacs2" from 199.91.34.69
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: transition from
state STATE_AGGR_R0 to state STATE_AGGR_R1
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: STATE_AGGR_R1:
sent AR1, expecting AI2
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: received Vendor
ID payload [Dead Peer Detection]
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: ignoring Vendor
ID payload [Cisco VPN 3000 Series]
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: Aggressive mode
peer ID is ID_IPV4_ADDR: '199.91.34.69'
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: received Hash
Payload does not match computed value
Jan 5 12:25:14 windu pluto[4637]: "stmarks_pacs2" #10: sending
encrypted notification INVALID_HASH_INFORMATION to 199.91.34.69:500
Jan 5 12:25:52 windu pluto[4637]: "stmarks_meditech" #8: received
Delete SA payload: deleting ISAKMP State #8
Jan 5 12:25:52 windu pluto[4637]: packet from 199.91.34.69:500:
received and ignored informational message
Jan 5 12:26:03 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 180
Jan 5 12:26:03 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:03 windu pluto[4637]: | payload malformed after IV
Jan 5 12:26:03 windu pluto[4637]: | 41 77 8e 33 c5 40 5a a5 94 33
84 f2 7f fe f8 eb
Jan 5 12:26:03 windu pluto[4637]: | ce e3 99 33
Jan 5 12:26:03 windu pluto[4637]: "stmarks_pacs2" #10: sending
notification PAYLOAD_MALFORMED to 199.91.34.69:500
Jan 5 12:26:05 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 250
Jan 5 12:26:05 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:05 windu pluto[4637]: | payload malformed after IV
Jan 5 12:26:05 windu pluto[4637]: | 41 77 8e 33 c5 40 5a a5 94 33
84 f2 7f fe f8 eb
Jan 5 12:26:05 windu pluto[4637]: | ce e3 99 33
Jan 5 12:26:05 windu pluto[4637]: "stmarks_pacs2" #10: sending
notification PAYLOAD_MALFORMED to 199.91.34.69:500
Jan 5 12:26:07 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 209
Jan 5 12:26:07 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:07 windu pluto[4637]: | payload malformed after IV
Jan 5 12:26:07 windu pluto[4637]: | 41 77 8e 33 c5 40 5a a5 94 33
84 f2 7f fe f8 eb
Jan 5 12:26:07 windu pluto[4637]: | ce e3 99 33
Jan 5 12:26:07 windu pluto[4637]: "stmarks_pacs2" #10: sending
notification PAYLOAD_MALFORMED to 199.91.34.69:500
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 163
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:09 windu pluto[4637]: | payload malformed after IV
Jan 5 12:26:09 windu pluto[4637]: | 41 77 8e 33 c5 40 5a a5 94 33
84 f2 7f fe f8 eb
Jan 5 12:26:09 windu pluto[4637]: | ce e3 99 33
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: sending
notification PAYLOAD_MALFORMED to 199.91.34.69:500
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 120
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 25
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 229
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: next payload
type of ISAKMP Hash Payload has an unknown value: 226
Jan 5 12:26:09 windu pluto[4637]: "stmarks_pacs2" #10: malformed
payload in packet
Jan 5 12:26:24 windu pluto[4637]: "stmarks_pacs2" #10: max number of
retransmissions (2) reached STATE_AGGR_R1
+ _________________________ date
+ date
Mon Jan 5 12:46:36 MST 2009