[Openswan Users] Openswan config problem, no packets getting to host.
Adam Spragg
adam at optilead.co.uk
Fri Jul 2 04:46:50 EDT 2010
Hi everyone.
I'm currently attempting to set up the Openswan end of a VPN, connecting to a
Checkpoint system.
I think I'm nearly there, in that I'm not getting the errors in "ipsec barf"
that I was when I first started, and "ipsec setup status" is claiming a route
is up, and "ip route" is showing a route to the destination network that isn't
there when I shut ipsec down, and the guys at the Checkpoint end are also
seeing that the network is up.
However, if I try to connect to services on the far side, no packets arrive. I
think it may be a routing problem, but I've no idea what that might be, or
what incantation I need to make to solve it. All the docs and questions I've
found seem to indicate that in the absence of NAT (which neither of us are
using) everything should Just Work. Does anyone have any ideas?
Output of "ipsec barf" attached. I hope you don't mind, but I've anonymised it
a bit, turning our networks into aaa.aaa.aaa.0/24 and bbb.bbb.0.0/16, and the
destination gateway to xxx.xxx.xxx.xxx and network to yyy.yyy.yyy.yyy/29.
If you need any more info, let me know.
Adam
--
Adam Spragg <adam at optilead.co.uk>
Developer
Optilead <http://www.optilead.co.uk/>
-------------- next part --------------
hostname
Fri Jul 2 09:28:35 BST 2010
+ _________________________ version
+ ipsec --version
Linux Openswan U2.4.4/K2.6.16.21-0.8-bigsmp (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.16.21-0.8-bigsmp (geeko at buildhost) (gcc version 4.1.0 (SUSE Linux)) #1 SMP Mon Jul 3 18:25:39 UTC 2006
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
yyy.yyy.yyy.yyy 0.0.0.0 255.255.255.248 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
aaa.aaa.aaa.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
bbb.bbb.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 aaa.aaa.aaa.1 0.0.0.0 UG 0 0 0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
xxx.xxx.xxx.xxx aaa.aaa.aaa.201
esp mode=tunnel spi=631062314(0x259d3f2a) reqid=16385(0x00004001)
E: aes-cbc 4d6dea59 d102d456 e830188b 45eb80cc 96a8e333 9a3f385c 913b2d66 38722eca
A: hmac-sha1 81b57162 aa8b1517 e5bdcd7c 3b5a2aac f198dd7c
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Jul 2 09:23:31 2010 current: Jul 2 09:28:35 2010
diff: 304(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=30685 refcnt=0
xxx.xxx.xxx.xxx aaa.aaa.aaa.201
esp mode=tunnel spi=2698281903(0xa0d483af) reqid=16385(0x00004001)
E: aes-cbc a87e7538 abfa89a9 f79c0734 e2668945 fee9f323 c82269da 2b8d3ba2 2a316a99
A: hmac-sha1 bcdcf67b 187ab66e 0cf23d80 8472aeaa 59d3e4f0
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Jul 2 08:32:53 2010 current: Jul 2 09:28:35 2010
diff: 3342(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=30685 refcnt=0
aaa.aaa.aaa.201 xxx.xxx.xxx.xxx
esp mode=tunnel spi=2156502988(0x80899fcc) reqid=16385(0x00004001)
E: aes-cbc c10ebc55 71635218 badf72a2 73d856dd 5dce59c4 0c219361 9f31d277 57c26602
A: hmac-sha1 51cc1b05 1c52d0ff a7a8ef5c b706e03a 31b74207
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Jul 2 09:23:31 2010 current: Jul 2 09:28:35 2010
diff: 304(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=30685 refcnt=0
aaa.aaa.aaa.201 xxx.xxx.xxx.xxx
esp mode=tunnel spi=1760994207(0x68f6a39f) reqid=16385(0x00004001)
E: aes-cbc 535555bf de4d7dd3 7d8121fb 3bf3eddf 7f3ef723 e83e9b78 d0514060 d1bb111c
A: hmac-sha1 08127e77 07c2766d d64c6cf1 bd82d8cd 3052fe7b
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Jul 2 08:32:53 2010 current: Jul 2 09:28:35 2010
diff: 3342(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=30685 refcnt=0
+ _________________________ setkey-D-P
+ setkey -D -P
yyy.yyy.yyy.yyy/29[any] aaa.aaa.aaa.201[any] any
in prio high + 1073739741 ipsec
esp/tunnel/xxx.xxx.xxx.xxx-aaa.aaa.aaa.201/unique#16385
created: Jul 1 19:57:42 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1904 seq=10 pid=30686
refcnt=1
aaa.aaa.aaa.201[any] yyy.yyy.yyy.yyy/29[any] any
out prio high + 1073739741 ipsec
esp/tunnel/aaa.aaa.aaa.201-xxx.xxx.xxx.xxx/unique#16385
created: Jul 2 09:23:31 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1897 seq=9 pid=30686
refcnt=1
yyy.yyy.yyy.yyy/29[any] aaa.aaa.aaa.201[any] any
fwd prio high + 1073739741 ipsec
esp/tunnel/xxx.xxx.xxx.xxx-aaa.aaa.aaa.201/unique#16385
created: Jul 1 19:57:42 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1914 seq=8 pid=30686
refcnt=1
(per-socket policy)
in none
created: Jul 1 19:57:42 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1883 seq=7 pid=30686
refcnt=1
(per-socket policy)
in none
created: Jul 1 19:57:42 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1867 seq=6 pid=30686
refcnt=1
(per-socket policy)
in none
created: Jul 1 19:57:42 2010 lastused: Jul 2 09:23:31 2010
lifetime: 0(s) validtime: 0(s)
spid=1851 seq=5 pid=30686
refcnt=1
(per-socket policy)
in none
created: Jul 1 19:57:42 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1835 seq=4 pid=30686
refcnt=1
(per-socket policy)
out none
created: Jul 1 19:57:42 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1892 seq=3 pid=30686
refcnt=1
(per-socket policy)
out none
created: Jul 1 19:57:42 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1876 seq=2 pid=30686
refcnt=1
(per-socket policy)
out none
created: Jul 1 19:57:42 2010 lastused: Jul 2 09:23:31 2010
lifetime: 0(s) validtime: 0(s)
spid=1860 seq=1 pid=30686
refcnt=1
(per-socket policy)
out none
created: Jul 1 19:57:42 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1844 seq=0 pid=30686
refcnt=1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 aaa.aaa.aaa.124
000 interface eth0:1/eth0:1 aaa.aaa.aaa.201
000 interface eth1/eth1 192.168.0.4
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,19,36} trans={0,19,336} attrs={0,19,224}
000
000 "connname": aaa.aaa.aaa.201/32===aaa.aaa.aaa.201...xxx.xxx.xxx.xxx===yyy.yyy.yyy.yyy/29; erouted; eroute owner: #19
000 "connname": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "connname": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "connname": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 32,29; interface: eth0:1;
000 "connname": newest ISAKMP SA: #1; newest IPsec SA: #19;
000 "connname": IKE algorithms wanted: 7_256-2-2, flags=-strict
000 "connname": IKE algorithms found: 7_256-2_160-2,
000 "connname": IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
000 "connname": ESP algorithms wanted: 12_256-2, flags=-strict
000 "connname": ESP algorithms loaded: 12_256-2, flags=-strict
000 "connname": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<N/A>
000
000 #19: "connname":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2703s; newest IPSEC; eroute owner
000 #19: "connname" esp.80899fcc at xxx.xxx.xxx.xxx esp.259d3f2a at aaa.aaa.aaa.201 tun.0 at xxx.xxx.xxx.xxx tun.0 at aaa.aaa.aaa.201
000 #18: "connname":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 258s
000 #18: "connname" esp.68f6a39f at xxx.xxx.xxx.xxx esp.a0d483af at aaa.aaa.aaa.201 tun.0 at xxx.xxx.xxx.xxx tun.0 at aaa.aaa.aaa.201
000 #1: "connname":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 36938s; newest ISAKMP; nodpd
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:30:48:29:59:9A
inet addr:aaa.aaa.aaa.124 Bcast:aaa.aaa.aaa.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:31794008 errors:0 dropped:0 overruns:0 frame:0
TX packets:12735054 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2923828892 (2788.3 Mb) TX bytes:2003639750 (1910.8 Mb)
Base address:0x3000 Memory:fc200000-fc220000
eth0:1 Link encap:Ethernet HWaddr 00:30:48:29:59:9A
inet addr:aaa.aaa.aaa.201 Bcast:aaa.aaa.aaa.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Base address:0x3000 Memory:fc200000-fc220000
eth1 Link encap:Ethernet HWaddr 00:30:48:29:59:9B
inet addr:192.168.0.4 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:905154 errors:4294967295 dropped:0 overruns:0 frame:4294967295
TX packets:942817 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:157750611 (150.4 Mb) TX bytes:140155697 (133.6 Mb)
Base address:0x3040 Memory:fc220000-fc240000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1549724 errors:0 dropped:0 overruns:0 frame:0
TX packets:1549724 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:135337406 (129.0 Mb) TX bytes:135337406 (129.0 Mb)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:30:48:29:59:9a brd ff:ff:ff:ff:ff:ff
inet aaa.aaa.aaa.124/24 brd aaa.aaa.aaa.255 scope global eth0
inet aaa.aaa.aaa.201/24 brd aaa.aaa.aaa.255 scope global secondary eth0:1
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:30:48:29:59:9b brd ff:ff:ff:ff:ff:ff
inet 192.168.0.4/24 brd 192.168.0.255 scope global eth1
+ _________________________ ip-route-list
+ ip route list
yyy.yyy.yyy.yyy/29 dev eth0 scope link
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.4
aaa.aaa.aaa.0/24 dev eth0 proto kernel scope link src aaa.aaa.aaa.124
bbb.bbb.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via aaa.aaa.aaa.1 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.16.21-0.8-bigsmp (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'curl' command for CRL fetching [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ '[' -x /usr/sbin/mii-tool ']'
+ mii-tool -v
/usr/lib/ipsec/barf: line 212: mii-tool: command not found
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
hostname.domain.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
aaa.aaa.aaa.124
+ _________________________ uptime
+ uptime
9:28am up 131 days 7:55, 1 user, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 30661 30440 23 0 2756 1296 wait S+ pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/barf
0 0 30729 30661 25 0 1856 648 pipe_w S+ pts/0 0:00 \_ /bin/grep -E -i ppid|pluto|ipsec|klips
1 0 27359 1 24 0 2752 472 wait S ? 0:00 /bin/sh /usr/lib/ipsec/_plutorun --re --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait yes --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
1 0 27360 27359 24 0 2752 596 wait S ? 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --re --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --protostack auto --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait yes --pre --post --log daemon.error --pid /var/run/pluto/pluto.pid
4 0 27361 27360 15 0 2468 1332 - S ? 0:00 | \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
1 0 27366 27361 26 10 2408 424 - SN ? 0:00 | \_ pluto helper # 0 -nofork
1 0 27368 27361 27 10 2408 532 - SN ? 0:00 | \_ pluto helper # 1 -nofork
1 0 27369 27361 27 10 2408 424 - SN ? 0:00 | \_ pluto helper # 2 -nofork
0 0 27416 27361 20 0 1448 292 - S ? 0:00 | \_ _pluto_adns
0 0 27362 27359 15 0 2752 1280 pipe_w S ? 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait yes --post
0 0 27363 1 24 0 1736 600 pipe_w S ? 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=aaa.aaa.aaa.124
routenexthop=aaa.aaa.aaa.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg:
# plutodebug="control parsing"
#
# Only enable klipsdebug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
# nat_traversal=yes
# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
#
# Certificate Revocation List handling:
#crlcheckinterval=600
#strictcrlpolicy=yes
#
# Change rp_filter setting? (default is 0, disabled)
# See also setting in the /etc/sysctl.conf file!
#rp_filter=%unchanged
#
# Workaround to setup all tunnels immediately, since the new default
# of "plutowait=no" causes "Resource temporarily unavailable" errors
# for the first connect attempt over each tunnel, that is delayed to
# be established later / on demand.
#
plutowait=yes
#
# Define the virtual ipsec network interface here?
#interfaces="ipsec0=eth0:1"
# default settings for connections
conn %default
# keyingtries default to %forever
#keyingtries=3
# Sig keys (default: %dnsondemand)
leftrsasigkey=%cert
rightrsasigkey=%cert
# Lifetimes, defaults are 1h/8hrs
#ikelifetime=20m
#keylife=1h
#rekeymargin=8m
#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 49
# Connections here
# Connection to Checkpoint
conn connname
# Left security gateway, subnet behind it, nexthop toward right.
left=aaa.aaa.aaa.201
leftsubnet=aaa.aaa.aaa.201/32
leftnexthop=xxx.xxx.xxx.xxx
# Right security gateway, subnet behind it, nexthop toward left.
right=xxx.xxx.xxx.xxx
rightsubnet=yyy.yyy.yyy.yyy/29
rightnexthop=aaa.aaa.aaa.201
# Auth using shared secret
authby=secret
# Use AES256/SHA1 encryption.
ike=aes256-sha1-modp1024
esp=aes256-sha1
# IKE phase 1 rekey every 1440m
ikelifetime=1440m
# IKE phase 2 rekey every 3600s
keylife=3600s
# Try this...
pfs=no
# At startup, start this connection as "auto"
auto=start
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
#
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
: RSA {
# RSA 2048 bits hostname Mon Jun 21 22:31:18 2010
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQOYMWYaC]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
# VPN secret.
#
# xxx.xxx.xxx.xxx aaa.aaa.aaa.96: PSK "[sums to d813...]"
xxx.xxx.xxx.xxx aaa.aaa.aaa.201: PSK "[sums to d813...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 1293
-rwxr-xr-x 1 root root 15535 Jun 16 2006 _confread
-rwxr-xr-x 1 root root 4884 Jun 16 2006 _copyright
-rwxr-xr-x 1 root root 2379 Jun 16 2006 _include
-rwxr-xr-x 1 root root 1475 Jun 16 2006 _keycensor
-rwxr-xr-x 1 root root 8564 Jun 16 2006 _pluto_adns
-rwxr-xr-x 1 root root 3586 Jun 16 2006 _plutoload
-rwxr-xr-x 1 root root 7427 Jun 16 2006 _plutorun
-rwxr-xr-x 1 root root 12448 Jun 16 2006 _realsetup
-rwxr-xr-x 1 root root 1975 Jun 16 2006 _secretcensor
-rwxr-xr-x 1 root root 9905 Jun 16 2006 _startklips
-rwxr-xr-x 1 root root 14855 Jun 16 2006 _updown
-rwxr-xr-x 1 root root 15746 Jun 16 2006 _updown_x509
-rwxr-xr-x 1 root root 19334 Jun 16 2006 auto
-rwxr-xr-x 1 root root 10548 Jun 16 2006 barf
-rwxr-xr-x 1 root root 816 Jun 16 2006 calcgoo
-rwxr-xr-x 1 root root 78364 Jun 16 2006 eroute
-rwxr-xr-x 1 root root 16788 Jun 16 2006 ikeping
-rwxr-xr-x 1 root root 960 Jun 16 2006 ipsec_1_to_2.pl
-rw-r--r-- 1 root root 1942 Jun 16 2006 ipsec_pr.template
-rwxr-xr-x 1 root root 61312 Jun 16 2006 klipsdebug
-rwxr-xr-x 1 root root 1836 Jun 16 2006 livetest
-rwxr-xr-x 1 root root 2605 Jun 16 2006 look
-rwxr-xr-x 1 root root 7153 Jun 16 2006 mailkey
-rwxr-xr-x 1 root root 15996 Jun 16 2006 manual
-rwxr-xr-x 1 root root 1926 Jun 16 2006 newhostkey
-rwxr-xr-x 1 root root 52580 Jun 16 2006 pf_key
-rwxr-xr-x 1 root root 574408 Jun 16 2006 pluto
-rwxr-xr-x 1 root root 6972 Jun 16 2006 ranbits
-rwxr-xr-x 1 root root 19008 Jun 16 2006 rsasigkey
-rwxr-xr-x 1 root root 766 Jun 16 2006 secrets
-rwxr-xr-x 1 root root 17624 Jun 16 2006 send-pr
lrwxrwxrwx 1 root root 17 Jun 21 22:31 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Jun 16 2006 showdefaults
-rwxr-xr-x 1 root root 4748 Jun 16 2006 showhostkey
-rwxr-xr-x 1 root root 116316 Jun 16 2006 spi
-rwxr-xr-x 1 root root 66304 Jun 16 2006 spigrp
-rwxr-xr-x 1 root root 10952 Jun 16 2006 tncfg
-rwxr-xr-x 1 root root 10607 Jun 16 2006 verify
-rwxr-xr-x 1 root root 43912 Jun 16 2006 whack
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/lib/ipsec
total 1293
-rwxr-xr-x 1 root root 15535 Jun 16 2006 _confread
-rwxr-xr-x 1 root root 4884 Jun 16 2006 _copyright
-rwxr-xr-x 1 root root 2379 Jun 16 2006 _include
-rwxr-xr-x 1 root root 1475 Jun 16 2006 _keycensor
-rwxr-xr-x 1 root root 8564 Jun 16 2006 _pluto_adns
-rwxr-xr-x 1 root root 3586 Jun 16 2006 _plutoload
-rwxr-xr-x 1 root root 7427 Jun 16 2006 _plutorun
-rwxr-xr-x 1 root root 12448 Jun 16 2006 _realsetup
-rwxr-xr-x 1 root root 1975 Jun 16 2006 _secretcensor
-rwxr-xr-x 1 root root 9905 Jun 16 2006 _startklips
-rwxr-xr-x 1 root root 14855 Jun 16 2006 _updown
-rwxr-xr-x 1 root root 15746 Jun 16 2006 _updown_x509
-rwxr-xr-x 1 root root 19334 Jun 16 2006 auto
-rwxr-xr-x 1 root root 10548 Jun 16 2006 barf
-rwxr-xr-x 1 root root 816 Jun 16 2006 calcgoo
-rwxr-xr-x 1 root root 78364 Jun 16 2006 eroute
-rwxr-xr-x 1 root root 16788 Jun 16 2006 ikeping
-rwxr-xr-x 1 root root 960 Jun 16 2006 ipsec_1_to_2.pl
-rw-r--r-- 1 root root 1942 Jun 16 2006 ipsec_pr.template
-rwxr-xr-x 1 root root 61312 Jun 16 2006 klipsdebug
-rwxr-xr-x 1 root root 1836 Jun 16 2006 livetest
-rwxr-xr-x 1 root root 2605 Jun 16 2006 look
-rwxr-xr-x 1 root root 7153 Jun 16 2006 mailkey
-rwxr-xr-x 1 root root 15996 Jun 16 2006 manual
-rwxr-xr-x 1 root root 1926 Jun 16 2006 newhostkey
-rwxr-xr-x 1 root root 52580 Jun 16 2006 pf_key
-rwxr-xr-x 1 root root 574408 Jun 16 2006 pluto
-rwxr-xr-x 1 root root 6972 Jun 16 2006 ranbits
-rwxr-xr-x 1 root root 19008 Jun 16 2006 rsasigkey
-rwxr-xr-x 1 root root 766 Jun 16 2006 secrets
-rwxr-xr-x 1 root root 17624 Jun 16 2006 send-pr
lrwxrwxrwx 1 root root 17 Jun 21 22:31 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Jun 16 2006 showdefaults
-rwxr-xr-x 1 root root 4748 Jun 16 2006 showhostkey
-rwxr-xr-x 1 root root 116316 Jun 16 2006 spi
-rwxr-xr-x 1 root root 66304 Jun 16 2006 spigrp
-rwxr-xr-x 1 root root 10952 Jun 16 2006 tncfg
-rwxr-xr-x 1 root root 10607 Jun 16 2006 verify
-rwxr-xr-x 1 root root 43912 Jun 16 2006 whack
+ _________________________ ipsec/updowns
++ ls /usr/lib/ipsec
++ egrep updown
+ for f in '`ls ${IPSEC_EXECDIR-/usr/lib/ipsec} | egrep updown`'
+ cat /usr/lib/ipsec/_updown
#! /bin/sh
# iproute2 version, default updown script
#
# Copyright (C) 2003-2004 Nigel Metheringham
# Copyright (C) 2002-2004 Michael Richardson <mcr at xelerance.com>
# Copyright (C) 2003-2005 Tuomo Soini <tis at foobar.fi>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown.in,v 1.21.2.8 2005/08/28 02:45:26 paul Exp $
# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.
LC_ALL=C export LC_ALL
# things that this script gets (from ipsec_pluto(8) man page)
#
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway communications
# is IPv6, then a suffix of -v6 is added to the
# verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_CONN_POLICY
# the policy of the connection, as in:
# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
# PLUTO_NEXT_HOP
# is the next hop to which packets bound for the peer
# must be sent.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
# is the IP address of our client net. If the client
# is just the host, this will be the host's own IP
# address.
#
# PLUTO_MY_CLIENT_MASK
# is the mask for our client net. If the client is
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
# if non-empty, then the source address for the route will be
# set to this IP address.
#
# PLUTO_MY_PROTOCOL
# is the protocol for this connection. Useful for
# firewalling.
#
# PLUTO_MY_PORT
# is the port. Useful for firewalling.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client subnet.
# If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
# is the IP address of the peer's client net. If the
# client is just the peer, this will be the peer's
# own IP address.
#
# PLUTO_PEER_CLIENT_MASK
# is the mask for the peer's client net. If the
# client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
# is the protocol set for remote end with port
# selector.
#
# PLUTO_PEER_PORT
# is the peer's port. Useful for firewalling.
#
# PLUTO_CONNECTION_TYPE
#
# Import default _updown configs from the /etc/sysconfig/pluto_updown file
#
# Two variables can be set in this file:
#
# DEFAULTSOURCE
# is the default value for PLUTO_MY_SOURCEIP
#
# IPROUTETABLE
# is the default value for IPROUTETABLE
#
# IPROUTEARGS
# is the extra argument list for ip route command
#
# IPRULEARGS
# is the extra argument list for ip rule command
#
if [ -f /etc/sysconfig/pluto_updown ]
then
. /etc/sysconfig/pluto_updown
fi
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
ip route flush cache
}
downroute() {
doroute delete
ip route flush cache
}
uprule() {
# policy based advanced routing
if [ -n "$IPROUTETABLE" ]
then
dorule delete
dorule add
fi
# virtual sourceip support
if [ -n "$PLUTO_MY_SOURCEIP" ]
then
if addsource
then
changesource
fi
fi
ip route flush cache
}
downrule() {
if [ -n "$IPROUTETABLE" ]
then
dorule delete
ip route flush cache
fi
}
addsource() {
st=0
# check if given sourceip is local and add as alias if not
#if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
#then
# it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
#
# Fix for Bug #66215 to solve SNAT/MASQUERADE problems with recent
# 2.6.x kernels.
# Instead of a /32 it seems better to use the netmask of the remote
# (peer) network for the sourceip as suggested by Patrick McHardy.
#
cidr=${PLUTO_PEER_CLIENT##*/}
snet=${PLUTO_MY_SOURCEIP%/*}/32
if test "${PLUTO_PEER_CLIENT}" != "${cidr}"
then
snet=${PLUTO_MY_SOURCEIP%/*}/${cidr}
fi
# check if given "sourceip/mask" already added to interface
if ! ip addr show dev ${PLUTO_INTERFACE%:*} | grep -qs "inet ${snet}"
then
it="ip addr add ${snet} dev ${PLUTO_INTERFACE%:*}"
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: File exists'*)
# should not happen, but ... ignore if the
# address was already assigned on interface
oops=""
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: addsource \`$it' failed ($oops)" >&2
fi
fi
return $st
}
changesource() {
st=0
parms="$PLUTO_PEER_CLIENT dev ${PLUTO_INTERFACE%:*}"
parms="$parms src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms="$parms table $IPROUTETABLE"
fi
it="ip route change $parms"
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# opportunistic encryption work around
it=
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: changesource \`$it' failed ($oops)" >&2
fi
return $st
}
dorule() {
st=0
it2=
iprule="from $PLUTO_MY_CLIENT"
iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# opportunistic encryption work around
st=0
;;
*)
if [ -z "$PLUTO_MY_SOURCEIP" ]
then
if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
fi
else
if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
it2="ip rule $1 iif lo $iprule2"
fi
fi
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it' failed ($oops)" >&2
fi
if test "$st" = "0" -a -n "$it2"
then
oops="`eval $it2 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it2' failed ($oops)" >&2
fi
fi
;;
esac
return $st
}
doroute() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2=
if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
then
PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
fi
# skip creating any routing in case it is a host to host
# tunnel and the peer network(=host) is equal to peer ip,
# except there is some different source ip to use.
if test "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ; then
test "$PLUTO_ME" != "$PLUTO_MY_SOURCEIP" && \
test -n "$PLUTO_MY_SOURCEIP" || return 0
fi
if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
then
# nexthop is not needed on ppp interfaces. unset it to make cases
# work, where left is set but no leftnexthop (e.g. left=%dynamic)
ip link show "$PLUTO_INTERFACE" | grep -qs POINTOPOINT && \
unset PLUTO_NEXT_HOP
# skip routing via nexthop if it is not reachable through any
# directly connected network (but via default route only):
ip route list match "$PLUTO_NEXT_HOP" dev "$PLUTO_INTERFACE" | \
grep -qs -v default || unset PLUTO_NEXT_HOP
if [ -n "$PLUTO_NEXT_HOP" ]
then
parms2="via $PLUTO_NEXT_HOP"
fi
fi
parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
parms3="$IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms3="$parms3 table $IPROUTETABLE"
fi
if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
then
addsource
parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
fi
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# opportunistic encryption work around
# need to provide route that eclipses default, without
# replacing it.
it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
ip route $1 128.0.0.0/1 $parms2 $parms3"
;;
*) it="ip route $1 $parms $parms2 $parms3"
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: doroute \`$it' failed ($oops)" >&2
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT" in
"0.0.0.0/0")
# need to provide route that eclipses default, without
# replacing it.
parms1="0.0.0.0/1"
parms2="128.0.0.0/1"
it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
;;
*)
parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms="$parms table $IPROUTETABLE"
fi
it="ip route delete $parms 2>&1"
oops="`ip route delete $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
*'RTNETLINK answers: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
uprule
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
downrule
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
uprule
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
downrule
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
uprule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
downrule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
;;
route-host-v6:*|route-client-v6:*)
# connection to me or my client subnet being routed
#uproute_v6
;;
unroute-host-v6:*|unroute-client-v6:*)
# connection to me or my client subnet being unrouted
#downroute_v6
;;
up-host-v6:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host-v6:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client-v6:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client-v6:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ for f in '`ls ${IPSEC_EXECDIR-/usr/lib/ipsec} | egrep updown`'
+ cat /usr/lib/ipsec/_updown_x509
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
#
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
S_MY_PORT="--sport $PLUTO_MY_PORT"
D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
S_PEER_PORT="--sport $PLUTO_PEER_PORT"
D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
# CAUTION: Installing a new version of Openswan will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Openswan use yours instead of this default one.
LC_ALL=C export LC_ALL
# things that this script gets (from ipsec_pluto(8) man page)
#
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway
# communications is IPv6, then a suffix of -v6 is added to the
# verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_CONN_POLICY
# the policy of the connection, as in:
# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
# PLUTO_NEXT_HOP
# is the next hop to which packets bound for the peer
# must be sent.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
# is the IP address of our client net. If the client
# is just the host, this will be the host's own IP
# address.
#
# PLUTO_MY_CLIENT_MASK
# is the mask for our client net. If the client is
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
# if non-empty, then the source address for the route will be
# set to this IP address.
#
# PLUTO_MY_PROTOCOL
# is the protocol for this connection. Useful for
# firewalling.
#
# PLUTO_MY_PORT
# is the port. Useful for firewalling.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client
# subnet. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
# is the IP address of the peer's client net. If the
# client is just the peer, this will be the peer's
# own IP address.
#
# PLUTO_PEER_CLIENT_MASK
# is the mask for the peer's client net. If the
# client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
# is the protocol set for remote end with port
# selector.
#
# PLUTO_PEER_PORT
# is the peer's port. Useful for firewalling.
#
# PLUTO_CONNECTION_TYPE
#
# Import default _updown configs from the /etc/sysconfig/pluto_updown file
#
# Two variables can be set in this file:
#
# DEFAULTSOURCE
# is the default value for PLUTO_MY_SOURCEIP
#
# IPROUTETABLE
# is the default value for IPROUTETABLE
#
# IPROUTEARGS
# is the extra argument list for ip route command
#
# IPRULEARGS
# is the extra argument list for ip rule command
#
if [ -f /etc/sysconfig/pluto_updown ]
then
. /etc/sysconfig/pluto_updown
fi
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
ip route flush cache
}
downroute() {
doroute delete
ip route flush cache
}
uprule() {
# policy based advanced routing
if [ -n "$IPROUTETABLE" ]
then
dorule delete
dorule add
fi
# virtual sourceip support
if [ -n "$PLUTO_MY_SOURCEIP" ]
then
addsource
changesource
fi
ip route flush cache
}
downrule() {
if [ -n "$IPROUTETABLE" ]
then
dorule delete
ip route flush cache
fi
}
addsource() {
st=0
if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
then
it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev ${PLUTO_INTERFACE%:*}"
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: addsource \`$it' failed ($oops)" >&2
fi
fi
return $st
}
changesource() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2="dev ${PLUTO_INTERFACE%:*}"
parms3="src ${PLUTO_MY_SOURCEIP%/*} $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms3="$parms3 table '$IPROUTETABLE'"
fi
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
it=
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: changesource \`$it' failed ($oops)" >&2
fi
return $st
}
dorule() {
st=0
it2=
iprule="from $PLUTO_MY_CLIENT"
iprule2="to $PLUTO_PEER_CLIENT table $IPROUTETABLE $IPRULEARGS"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
st=0
;;
*)
if [ -z "$PLUTO_MY_SOURCEIP" ]
then
if [ "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
fi
else
if [ "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}" ]
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
it2="ip rule $1 iif lo $iprule2"
fi
fi
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it' failed ($oops)" >&2
fi
if test "$st" = "0" -a -n "$it2"
then
oops="`eval $it2 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it2' failed ($oops)" >&2
fi
fi
;;
esac
return $st
}
doroute() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2=
if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
then
parms2="via $PLUTO_NEXT_HOP"
fi
parms2="$parms2 dev ${PLUTO_INTERFACE%:*}"
parms3="$IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms3="$parms3 table $IPROUTETABLE"
fi
if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
then
PLUTO_MY_SOURCEIP="${DEFAULTSOURCE%/*}"
fi
if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
then
addsource
parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
fi
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
# need to provide route that eclipses default, without
# replacing it.
it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
ip route $1 128.0.0.0/1 $parms2 $parms3"
;;
*) it="ip route $1 $parms $parms2 $parms3"
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: doroute \`$it' failed ($oops)" >&2
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# need to provide route that eclipses default, without
# replacing it.
parms1="0.0.0.0/1"
parms2="128.0.0.0/1"
it="ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1"
oops="`ip route delete $parms1 $IPROUTEARGS 2>&1 ; ip route delete $parms2 $IPROUTEARGS 2>&1`"
;;
*)
parms="$PLUTO_PEER_CLIENT $IPROUTEARGS"
if [ -n "$IPROUTETABLE" ]
then
parms="$parms table $IPROUTETABLE"
fi
it="ip route delete $parms 2>&1"
oops="`ip route delete $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
*'RTNETLINK answers: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
uprule
# If you are doing a custom version, firewall commands go here.
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
down-host:*)
# connection to me going down
downrule
# If you are doing a custom version, firewall commands go here.
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
up-client:)
# connection to my client subnet coming up
uprule
# If you are doing a custom version, firewall commands go here.
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
down-client:)
# connection to my client subnet going down
downrule
# If you are doing a custom version, firewall commands go here.
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
uprule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
downrule
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
#
# IPv6
#
prepare-host-v6:*|prepare-client-v6:*)
;;
route-host-v6:*|route-client-v6:*)
# connection to me or my client subnet being routed
#uproute_v6
;;
unroute-host-v6:*|unroute-client-v6:*)
# connection to me or my client subnet being unrouted
#downroute_v6
;;
up-host-v6:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host-v6:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client-v6:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client-v6:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo:135337406 1549724 0 0 0 0 0 0 135337406 1549724 0 0 0 0 0 0
eth0:2923828892 31794008 0 0 0 0 0 373444 2003639750 12735054 0 0 0 0 0 0
eth1:157750611 905154 4294967295 0 0 4294967295 0 0 140155697 942817 0 0 0 0 0 0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 9813549D 00000000 0001 0 0 0 F8FFFFFF 0 0 0
eth1 0000A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 00B31351 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0
lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0
eth0 00000000 01B31351 0003 0 0 0 00000000 0 0 0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:1
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux hostname 2.6.16.21-0.8-bigsmp #1 SMP Mon Jul 3 18:25:39 UTC 2006 i686 i686 i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.16.21-0.8-bigsmp) support detected '
NETKEY (2.6.16.21-0.8-bigsmp) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/lib/ipsec/barf: line 297: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ test -r /sbin/ipchains
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
cat: /etc/syslog.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver aaa.aaa.aaa.9
nameserver aaa.aaa.aaa.10
search domain.com
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 1
drwxr-xr-x 3 root root 528 Jan 8 2009 2.6.16.21-0.8-bigsmp
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c0245fd5 T netif_rx
c0246e29 T netif_rx_ni
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.16.21-0.8-bigsmp:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '26421,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Jul 1 17:39:59 hostname ipsec_setup: Starting Openswan IPsec 2.4.4...
Jul 1 17:39:59 hostname ipsec_setup: insmod /lib/modules/2.6.16.21-0.8-bigsmp/kernel/net/key/af_key.ko
Jul 1 17:39:59 hostname ipsec_setup: insmod /lib/modules/2.6.16.21-0.8-bigsmp/kernel/net/ipv4/xfrm4_tunnel.ko
Jul 1 17:39:59 hostname ipsec_setup: insmod /lib/modules/2.6.16.21-0.8-bigsmp/kernel/net/xfrm/xfrm_user.ko
Jul 1 17:39:59 hostname pluto[25684]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 1 17:39:59 hostname pluto[25684]: Could not change to directory '/etc/ipsec.d/aacerts'
Jul 1 17:39:59 hostname pluto[25684]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Jul 1 17:39:59 hostname pluto[25684]: Changing to directory '/etc/ipsec.d/crls'
Jul 1 17:39:59 hostname pluto[25684]: Warning: empty directory
Jul 1 17:39:59 hostname pluto[25684]: added connection description "connname"
Jul 1 17:39:59 hostname pluto[25684]: listening for IKE messages
Jul 1 17:39:59 hostname pluto[25684]: adding interface eth1/eth1 192.168.0.4:500
Jul 1 17:39:59 hostname pluto[25684]: adding interface eth0:1/eth0:1 aaa.aaa.aaa.201:500
Jul 1 17:39:59 hostname pluto[25684]: adding interface eth0/eth0 aaa.aaa.aaa.124:500
Jul 1 17:39:59 hostname pluto[25684]: adding interface lo/lo 127.0.0.1:500
Jul 1 17:39:59 hostname pluto[25684]: loading secrets from "/etc/ipsec.secrets"
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: initiating Main Mode
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: I did not send a certificate because I do not have one.
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 17:39:59 hostname pluto[25684]: "connname" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jul 1 17:39:59 hostname pluto[25684]: "connname" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 17:39:59 hostname pluto[25684]: "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8cbf5a1c <0x1d0e568e xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 17:39:59 hostname ipsec__plutorun: 104 "connname" #1: STATE_MAIN_I1: initiate
Jul 1 17:39:59 hostname ipsec__plutorun: 106 "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 17:39:59 hostname ipsec__plutorun: 108 "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 17:39:59 hostname ipsec__plutorun: 004 "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 17:39:59 hostname ipsec__plutorun: 117 "connname" #2: STATE_QUICK_I1: initiate
Jul 1 17:39:59 hostname ipsec__plutorun: 004 "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8cbf5a1c <0x1d0e568e xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 18:23:13 hostname pluto[25684]: "connname" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #2 {using isakmp#1}
Jul 1 18:23:13 hostname pluto[25684]: "connname" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 18:23:13 hostname pluto[25684]: "connname" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa4aabc59 <0x8842255b xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:09:28 hostname pluto[25684]: "connname" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #3 {using isakmp#1}
Jul 1 19:09:28 hostname pluto[25684]: "connname" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 19:09:28 hostname pluto[25684]: "connname" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xed438bec <0xae4a583d xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:57:07 hostname pluto[25684]: "connname" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #4 {using isakmp#1}
Jul 1 19:57:07 hostname ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 228: 25684 Segmentation fault /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
Jul 1 19:57:07 hostname ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
Jul 1 19:57:07 hostname ipsec__plutorun: restarting IPsec after pause...
Jul 1 19:57:17 hostname ipsec_setup: ...Openswan IPsec stopped
Jul 1 19:57:17 hostname ipsec_setup: Stopping Openswan IPsec...Removing orphaned /var/run/pluto/pluto.pid:
Jul 1 19:57:17 hostname kernel: Initializing IPsec netlink socket
Jul 1 19:57:17 hostname ipsec_setup: KLIPS ipsec0 on eth0 aaa.aaa.aaa.124/255.255.255.0 broadcast aaa.aaa.aaa.255
Jul 1 19:57:17 hostname ipsec__plutorun: Restarting Pluto subsystem...
Jul 1 19:57:17 hostname pluto[26786]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Jul 1 19:57:17 hostname pluto[26786]: Setting NAT-Traversal port-4500 floating to off
Jul 1 19:57:17 hostname pluto[26786]: port floating activation criteria nat_t=0/port_fload=1
Jul 1 19:57:17 hostname pluto[26786]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 1 19:57:17 hostname ipsec_setup: ...Openswan IPsec started
Jul 1 19:57:17 hostname pluto[26786]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 1 19:57:17 hostname pluto[26786]: starting up 3 cryptographic helpers
Jul 1 19:57:17 hostname pluto[26786]: started helper pid=26790 (fd:6)
Jul 1 19:57:17 hostname pluto[26786]: started helper pid=26792 (fd:7)
Jul 1 19:57:17 hostname pluto[26786]: started helper pid=26795 (fd:8)
Jul 1 19:57:17 hostname pluto[26786]: Using Linux 2.6 IPsec interface code on 2.6.16.21-0.8-bigsmp
Jul 1 19:57:17 hostname ipsec_setup: Restarting Openswan IPsec 2.4.4...
Jul 1 19:57:17 hostname ipsec_setup: insmod /lib/modules/2.6.16.21-0.8-bigsmp/kernel/net/key/af_key.ko
Jul 1 19:57:17 hostname ipsec_setup: insmod /lib/modules/2.6.16.21-0.8-bigsmp/kernel/net/ipv4/xfrm4_tunnel.ko
Jul 1 19:57:17 hostname ipsec_setup: insmod /lib/modules/2.6.16.21-0.8-bigsmp/kernel/net/xfrm/xfrm_user.ko
Jul 1 19:57:17 hostname pluto[26786]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 1 19:57:17 hostname pluto[26786]: Could not change to directory '/etc/ipsec.d/aacerts'
Jul 1 19:57:17 hostname pluto[26786]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Jul 1 19:57:17 hostname pluto[26786]: Changing to directory '/etc/ipsec.d/crls'
Jul 1 19:57:17 hostname pluto[26786]: Warning: empty directory
Jul 1 19:57:18 hostname pluto[26786]: added connection description "connname"
Jul 1 19:57:18 hostname pluto[26786]: listening for IKE messages
Jul 1 19:57:18 hostname pluto[26786]: adding interface eth1/eth1 192.168.0.4:500
Jul 1 19:57:18 hostname pluto[26786]: adding interface eth0:1/eth0:1 aaa.aaa.aaa.201:500
Jul 1 19:57:18 hostname pluto[26786]: adding interface eth0/eth0 aaa.aaa.aaa.124:500
Jul 1 19:57:18 hostname pluto[26786]: adding interface lo/lo 127.0.0.1:500
Jul 1 19:57:18 hostname pluto[26786]: loading secrets from "/etc/ipsec.secrets"
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: initiating Main Mode
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: I did not send a certificate because I do not have one.
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 19:57:18 hostname pluto[26786]: "connname" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jul 1 19:57:18 hostname pluto[26786]: "connname" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 19:57:18 hostname pluto[26786]: "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x09a79604 <0x8b09473d xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:57:18 hostname ipsec__plutorun: 104 "connname" #1: STATE_MAIN_I1: initiate
Jul 1 19:57:18 hostname ipsec__plutorun: 106 "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 19:57:18 hostname ipsec__plutorun: 108 "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 19:57:18 hostname ipsec__plutorun: 004 "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 19:57:18 hostname ipsec__plutorun: 117 "connname" #2: STATE_QUICK_I1: initiate
Jul 1 19:57:18 hostname ipsec__plutorun: 004 "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x09a79604 <0x8b09473d xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:57:19 hostname ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 228: 26786 Segmentation fault /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
Jul 1 19:57:19 hostname ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
Jul 1 19:57:19 hostname ipsec__plutorun: restarting IPsec after pause...
Jul 1 19:57:29 hostname ipsec_setup: ...Openswan IPsec stopped
Jul 1 19:57:29 hostname ipsec_setup: Stopping Openswan IPsec...Removing orphaned /var/run/pluto/pluto.pid:
Jul 1 19:57:29 hostname kernel: Initializing IPsec netlink socket
Jul 1 19:57:29 hostname ipsec_setup: KLIPS ipsec0 on eth0 aaa.aaa.aaa.124/255.255.255.0 broadcast aaa.aaa.aaa.255
Jul 1 19:57:29 hostname ipsec__plutorun: Restarting Pluto subsystem...
Jul 1 19:57:29 hostname pluto[27074]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Jul 1 19:57:29 hostname pluto[27074]: Setting NAT-Traversal port-4500 floating to off
Jul 1 19:57:29 hostname pluto[27074]: port floating activation criteria nat_t=0/port_fload=1
Jul 1 19:57:29 hostname pluto[27074]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 1 19:57:29 hostname pluto[27074]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 1 19:57:29 hostname pluto[27074]: starting up 3 cryptographic helpers
Jul 1 19:57:29 hostname ipsec_setup: ...Openswan IPsec started
Jul 1 19:57:29 hostname pluto[27074]: started helper pid=27079 (fd:6)
Jul 1 19:57:29 hostname pluto[27074]: started helper pid=27080 (fd:7)
Jul 1 19:57:29 hostname pluto[27074]: started helper pid=27082 (fd:8)
Jul 1 19:57:29 hostname pluto[27074]: Using Linux 2.6 IPsec interface code on 2.6.16.21-0.8-bigsmp
Jul 1 19:57:29 hostname ipsec_setup: Restarting Openswan IPsec 2.4.4...
Jul 1 19:57:29 hostname ipsec_setup: insmod /lib/modules/2.6.16.21-0.8-bigsmp/kernel/net/key/af_key.ko
Jul 1 19:57:29 hostname ipsec_setup: insmod /lib/modules/2.6.16.21-0.8-bigsmp/kernel/net/ipv4/xfrm4_tunnel.ko
Jul 1 19:57:29 hostname ipsec_setup: insmod /lib/modules/2.6.16.21-0.8-bigsmp/kernel/net/xfrm/xfrm_user.ko
Jul 1 19:57:30 hostname pluto[27074]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 1 19:57:30 hostname pluto[27074]: Could not change to directory '/etc/ipsec.d/aacerts'
Jul 1 19:57:30 hostname pluto[27074]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Jul 1 19:57:30 hostname pluto[27074]: Changing to directory '/etc/ipsec.d/crls'
Jul 1 19:57:30 hostname pluto[27074]: Warning: empty directory
Jul 1 19:57:30 hostname pluto[27074]: added connection description "connname"
Jul 1 19:57:30 hostname pluto[27074]: listening for IKE messages
Jul 1 19:57:30 hostname pluto[27074]: adding interface eth1/eth1 192.168.0.4:500
Jul 1 19:57:30 hostname pluto[27074]: adding interface eth0:1/eth0:1 aaa.aaa.aaa.201:500
Jul 1 19:57:30 hostname pluto[27074]: adding interface eth0/eth0 aaa.aaa.aaa.124:500
Jul 1 19:57:30 hostname pluto[27074]: adding interface lo/lo 127.0.0.1:500
Jul 1 19:57:30 hostname pluto[27074]: loading secrets from "/etc/ipsec.secrets"
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: initiating Main Mode
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: I did not send a certificate because I do not have one.
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 19:57:30 hostname pluto[27074]: "connname" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jul 1 19:57:30 hostname pluto[27074]: "connname" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 19:57:30 hostname pluto[27074]: "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x5a655a24 <0x853b4350 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:57:30 hostname ipsec__plutorun: 104 "connname" #1: STATE_MAIN_I1: initiate
Jul 1 19:57:30 hostname ipsec__plutorun: 106 "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 19:57:30 hostname ipsec__plutorun: 108 "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 19:57:30 hostname ipsec__plutorun: 004 "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 19:57:30 hostname ipsec__plutorun: 117 "connname" #2: STATE_QUICK_I1: initiate
Jul 1 19:57:30 hostname ipsec__plutorun: 004 "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x5a655a24 <0x853b4350 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:57:31 hostname ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 228: 27074 Segmentation fault /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
Jul 1 19:57:31 hostname ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
Jul 1 19:57:31 hostname ipsec__plutorun: restarting IPsec after pause...
Jul 1 19:57:41 hostname ipsec_setup: ...Openswan IPsec stopped
Jul 1 19:57:41 hostname ipsec_setup: Stopping Openswan IPsec...Removing orphaned /var/run/pluto/pluto.pid:
Jul 1 19:57:41 hostname kernel: Initializing IPsec netlink socket
Jul 1 19:57:41 hostname ipsec_setup: KLIPS ipsec0 on eth0 aaa.aaa.aaa.124/255.255.255.0 broadcast aaa.aaa.aaa.255
Jul 1 19:57:41 hostname ipsec__plutorun: Restarting Pluto subsystem...
Jul 1 19:57:41 hostname pluto[27361]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Jul 1 19:57:41 hostname pluto[27361]: Setting NAT-Traversal port-4500 floating to off
Jul 1 19:57:41 hostname pluto[27361]: port floating activation criteria nat_t=0/port_fload=1
Jul 1 19:57:41 hostname pluto[27361]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 1 19:57:41 hostname pluto[27361]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 1 19:57:41 hostname pluto[27361]: starting up 3 cryptographic helpers
Jul 1 19:57:41 hostname pluto[27361]: started helper pid=27366 (fd:6)
Jul 1 19:57:41 hostname ipsec_setup: ...Openswan IPsec started
Jul 1 19:57:41 hostname pluto[27361]: started helper pid=27368 (fd:7)
Jul 1 19:57:41 hostname pluto[27361]: started helper pid=27369 (fd:8)
Jul 1 19:57:41 hostname pluto[27361]: Using Linux 2.6 IPsec interface code on 2.6.16.21-0.8-bigsmp
Jul 1 19:57:41 hostname ipsec_setup: Restarting Openswan IPsec 2.4.4...
Jul 1 19:57:41 hostname ipsec_setup: insmod /lib/modules/2.6.16.21-0.8-bigsmp/kernel/net/key/af_key.ko
Jul 1 19:57:41 hostname ipsec_setup: insmod /lib/modules/2.6.16.21-0.8-bigsmp/kernel/net/ipv4/xfrm4_tunnel.ko
Jul 1 19:57:41 hostname ipsec_setup: insmod /lib/modules/2.6.16.21-0.8-bigsmp/kernel/net/xfrm/xfrm_user.ko
Jul 1 19:57:42 hostname pluto[27361]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 1 19:57:42 hostname pluto[27361]: Could not change to directory '/etc/ipsec.d/aacerts'
Jul 1 19:57:42 hostname pluto[27361]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Jul 1 19:57:42 hostname pluto[27361]: Changing to directory '/etc/ipsec.d/crls'
Jul 1 19:57:42 hostname pluto[27361]: Warning: empty directory
Jul 1 19:57:42 hostname pluto[27361]: added connection description "connname"
Jul 1 19:57:42 hostname pluto[27361]: listening for IKE messages
Jul 1 19:57:42 hostname pluto[27361]: adding interface eth1/eth1 192.168.0.4:500
Jul 1 19:57:42 hostname pluto[27361]: adding interface eth0:1/eth0:1 aaa.aaa.aaa.201:500
Jul 1 19:57:42 hostname pluto[27361]: adding interface eth0/eth0 aaa.aaa.aaa.124:500
Jul 1 19:57:42 hostname pluto[27361]: adding interface lo/lo 127.0.0.1:500
Jul 1 19:57:42 hostname pluto[27361]: loading secrets from "/etc/ipsec.secrets"
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: initiating Main Mode
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: I did not send a certificate because I do not have one.
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 19:57:42 hostname pluto[27361]: "connname" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jul 1 19:57:42 hostname pluto[27361]: "connname" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 19:57:42 hostname pluto[27361]: "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x29cfe155 <0x27efea54 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:57:42 hostname ipsec__plutorun: 104 "connname" #1: STATE_MAIN_I1: initiate
Jul 1 19:57:42 hostname ipsec__plutorun: 106 "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 19:57:42 hostname ipsec__plutorun: 108 "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 19:57:42 hostname ipsec__plutorun: 004 "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 19:57:42 hostname ipsec__plutorun: 117 "connname" #2: STATE_QUICK_I1: initiate
Jul 1 19:57:42 hostname ipsec__plutorun: 004 "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x29cfe155 <0x27efea54 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 20:45:45 hostname pluto[27361]: "connname" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #2 {using isakmp#1}
Jul 1 20:45:45 hostname pluto[27361]: "connname" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 20:45:45 hostname pluto[27361]: "connname" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xefe28097 <0x70866c38 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 21:28:42 hostname pluto[27361]: "connname" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #3 {using isakmp#1}
Jul 1 21:28:43 hostname pluto[27361]: "connname" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 21:28:43 hostname pluto[27361]: "connname" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9b34672e <0x0a2a7c57 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 22:19:31 hostname pluto[27361]: "connname" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #4 {using isakmp#1}
Jul 1 22:19:31 hostname pluto[27361]: "connname" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 22:19:31 hostname pluto[27361]: "connname" #5: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa4a12814 <0x6771111c xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 23:10:17 hostname pluto[27361]: "connname" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #5 {using isakmp#1}
Jul 1 23:10:17 hostname pluto[27361]: "connname" #6: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 23:10:17 hostname pluto[27361]: "connname" #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x215aea56 <0xcc4e7bc9 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 23:56:14 hostname pluto[27361]: "connname" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #6 {using isakmp#1}
Jul 1 23:56:14 hostname pluto[27361]: "connname" #7: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 23:56:14 hostname pluto[27361]: "connname" #7: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x6afebbf8 <0xbd197efc xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 00:38:38 hostname pluto[27361]: "connname" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #7 {using isakmp#1}
Jul 2 00:38:38 hostname pluto[27361]: "connname" #8: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 00:38:38 hostname pluto[27361]: "connname" #8: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe3b129b6 <0xdb1db656 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 01:28:21 hostname pluto[27361]: "connname" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #8 {using isakmp#1}
Jul 2 01:28:21 hostname pluto[27361]: "connname" #9: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 01:28:21 hostname pluto[27361]: "connname" #9: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa843a5f0 <0x2d4abeab xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 02:11:05 hostname pluto[27361]: "connname" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #9 {using isakmp#1}
Jul 2 02:11:05 hostname pluto[27361]: "connname" #10: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 02:11:05 hostname pluto[27361]: "connname" #10: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x6ee5b4ad <0x685b8f34 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 02:59:56 hostname pluto[27361]: "connname" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #10 {using isakmp#1}
Jul 2 02:59:56 hostname pluto[27361]: "connname" #11: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 02:59:56 hostname pluto[27361]: "connname" #11: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3aa9bbe2 <0x8c09e091 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 03:48:21 hostname pluto[27361]: "connname" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #11 {using isakmp#1}
Jul 2 03:48:21 hostname pluto[27361]: "connname" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 03:48:21 hostname pluto[27361]: "connname" #12: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x06e49676 <0xabf278e0 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 04:32:55 hostname pluto[27361]: "connname" #13: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #12 {using isakmp#1}
Jul 2 04:32:55 hostname pluto[27361]: "connname" #13: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 04:32:55 hostname pluto[27361]: "connname" #13: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3043e32c <0xbc2189bc xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 05:20:29 hostname pluto[27361]: "connname" #14: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #13 {using isakmp#1}
Jul 2 05:20:30 hostname pluto[27361]: "connname" #14: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 05:20:30 hostname pluto[27361]: "connname" #14: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9e2f9dbe <0x4c2784c1 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 06:06:07 hostname pluto[27361]: "connname" #15: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #14 {using isakmp#1}
Jul 2 06:06:07 hostname pluto[27361]: "connname" #15: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 06:06:07 hostname pluto[27361]: "connname" #15: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe7c37dd6 <0xba690728 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 06:55:57 hostname pluto[27361]: "connname" #16: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #15 {using isakmp#1}
Jul 2 06:55:57 hostname pluto[27361]: "connname" #16: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 06:55:57 hostname pluto[27361]: "connname" #16: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x72f55472 <0x98a4d8e3 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 07:44:25 hostname pluto[27361]: "connname" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #16 {using isakmp#1}
Jul 2 07:44:25 hostname pluto[27361]: "connname" #17: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 07:44:25 hostname pluto[27361]: "connname" #17: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x94edd2d9 <0x54f722fc xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 08:32:53 hostname pluto[27361]: "connname" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #17 {using isakmp#1}
Jul 2 08:32:53 hostname pluto[27361]: "connname" #18: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 08:32:53 hostname pluto[27361]: "connname" #18: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x68f6a39f <0xa0d483af xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 09:23:31 hostname pluto[27361]: "connname" #19: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #18 {using isakmp#1}
Jul 2 09:23:31 hostname pluto[27361]: "connname" #19: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 09:23:31 hostname pluto[27361]: "connname" #19: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x80899fcc <0x259d3f2a xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
+ _________________________ plog
+ sed -n '26409,$p' /var/log/messages
+ egrep -i pluto
+ case "$1" in
+ cat
Jul 1 17:39:59 hostname ipsec__plutorun: Starting Pluto subsystem...
Jul 1 17:39:59 hostname pluto[25684]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Jul 1 17:39:59 hostname pluto[25684]: Setting NAT-Traversal port-4500 floating to off
Jul 1 17:39:59 hostname pluto[25684]: port floating activation criteria nat_t=0/port_fload=1
Jul 1 17:39:59 hostname pluto[25684]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 1 17:39:59 hostname pluto[25684]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 1 17:39:59 hostname pluto[25684]: starting up 3 cryptographic helpers
Jul 1 17:39:59 hostname pluto[25684]: started helper pid=25689 (fd:6)
Jul 1 17:39:59 hostname pluto[25684]: started helper pid=25690 (fd:7)
Jul 1 17:39:59 hostname pluto[25684]: started helper pid=25692 (fd:8)
Jul 1 17:39:59 hostname pluto[25684]: Using Linux 2.6 IPsec interface code on 2.6.16.21-0.8-bigsmp
Jul 1 17:39:59 hostname pluto[25684]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 1 17:39:59 hostname pluto[25684]: Could not change to directory '/etc/ipsec.d/aacerts'
Jul 1 17:39:59 hostname pluto[25684]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Jul 1 17:39:59 hostname pluto[25684]: Changing to directory '/etc/ipsec.d/crls'
Jul 1 17:39:59 hostname pluto[25684]: Warning: empty directory
Jul 1 17:39:59 hostname pluto[25684]: added connection description "connname"
Jul 1 17:39:59 hostname pluto[25684]: listening for IKE messages
Jul 1 17:39:59 hostname pluto[25684]: adding interface eth1/eth1 192.168.0.4:500
Jul 1 17:39:59 hostname pluto[25684]: adding interface eth0:1/eth0:1 aaa.aaa.aaa.201:500
Jul 1 17:39:59 hostname pluto[25684]: adding interface eth0/eth0 aaa.aaa.aaa.124:500
Jul 1 17:39:59 hostname pluto[25684]: adding interface lo/lo 127.0.0.1:500
Jul 1 17:39:59 hostname pluto[25684]: loading secrets from "/etc/ipsec.secrets"
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: initiating Main Mode
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: I did not send a certificate because I do not have one.
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 1 17:39:59 hostname pluto[25684]: "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 17:39:59 hostname pluto[25684]: "connname" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jul 1 17:39:59 hostname pluto[25684]: "connname" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 17:39:59 hostname pluto[25684]: "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8cbf5a1c <0x1d0e568e xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 17:39:59 hostname ipsec__plutorun: 104 "connname" #1: STATE_MAIN_I1: initiate
Jul 1 17:39:59 hostname ipsec__plutorun: 106 "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 17:39:59 hostname ipsec__plutorun: 108 "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 17:39:59 hostname ipsec__plutorun: 004 "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 17:39:59 hostname ipsec__plutorun: 117 "connname" #2: STATE_QUICK_I1: initiate
Jul 1 17:39:59 hostname ipsec__plutorun: 004 "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8cbf5a1c <0x1d0e568e xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 18:23:13 hostname pluto[25684]: "connname" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #2 {using isakmp#1}
Jul 1 18:23:13 hostname pluto[25684]: "connname" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 18:23:13 hostname pluto[25684]: "connname" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa4aabc59 <0x8842255b xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:09:28 hostname pluto[25684]: "connname" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #3 {using isakmp#1}
Jul 1 19:09:28 hostname pluto[25684]: "connname" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 19:09:28 hostname pluto[25684]: "connname" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xed438bec <0xae4a583d xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:57:07 hostname pluto[25684]: "connname" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #4 {using isakmp#1}
Jul 1 19:57:07 hostname ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 228: 25684 Segmentation fault /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
Jul 1 19:57:07 hostname ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
Jul 1 19:57:07 hostname ipsec__plutorun: restarting IPsec after pause...
Jul 1 19:57:17 hostname ipsec_setup: Stopping Openswan IPsec...Removing orphaned /var/run/pluto/pluto.pid:
Jul 1 19:57:17 hostname ipsec__plutorun: Restarting Pluto subsystem...
Jul 1 19:57:17 hostname pluto[26786]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Jul 1 19:57:17 hostname pluto[26786]: Setting NAT-Traversal port-4500 floating to off
Jul 1 19:57:17 hostname pluto[26786]: port floating activation criteria nat_t=0/port_fload=1
Jul 1 19:57:17 hostname pluto[26786]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 1 19:57:17 hostname pluto[26786]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 1 19:57:17 hostname pluto[26786]: starting up 3 cryptographic helpers
Jul 1 19:57:17 hostname pluto[26786]: started helper pid=26790 (fd:6)
Jul 1 19:57:17 hostname pluto[26786]: started helper pid=26792 (fd:7)
Jul 1 19:57:17 hostname pluto[26786]: started helper pid=26795 (fd:8)
Jul 1 19:57:17 hostname pluto[26786]: Using Linux 2.6 IPsec interface code on 2.6.16.21-0.8-bigsmp
Jul 1 19:57:17 hostname pluto[26786]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 1 19:57:17 hostname pluto[26786]: Could not change to directory '/etc/ipsec.d/aacerts'
Jul 1 19:57:17 hostname pluto[26786]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Jul 1 19:57:17 hostname pluto[26786]: Changing to directory '/etc/ipsec.d/crls'
Jul 1 19:57:17 hostname pluto[26786]: Warning: empty directory
Jul 1 19:57:18 hostname pluto[26786]: added connection description "connname"
Jul 1 19:57:18 hostname pluto[26786]: listening for IKE messages
Jul 1 19:57:18 hostname pluto[26786]: adding interface eth1/eth1 192.168.0.4:500
Jul 1 19:57:18 hostname pluto[26786]: adding interface eth0:1/eth0:1 aaa.aaa.aaa.201:500
Jul 1 19:57:18 hostname pluto[26786]: adding interface eth0/eth0 aaa.aaa.aaa.124:500
Jul 1 19:57:18 hostname pluto[26786]: adding interface lo/lo 127.0.0.1:500
Jul 1 19:57:18 hostname pluto[26786]: loading secrets from "/etc/ipsec.secrets"
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: initiating Main Mode
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: I did not send a certificate because I do not have one.
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 1 19:57:18 hostname pluto[26786]: "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 19:57:18 hostname pluto[26786]: "connname" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jul 1 19:57:18 hostname pluto[26786]: "connname" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 19:57:18 hostname pluto[26786]: "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x09a79604 <0x8b09473d xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:57:18 hostname ipsec__plutorun: 104 "connname" #1: STATE_MAIN_I1: initiate
Jul 1 19:57:18 hostname ipsec__plutorun: 106 "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 19:57:18 hostname ipsec__plutorun: 108 "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 19:57:18 hostname ipsec__plutorun: 004 "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 19:57:18 hostname ipsec__plutorun: 117 "connname" #2: STATE_QUICK_I1: initiate
Jul 1 19:57:18 hostname ipsec__plutorun: 004 "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x09a79604 <0x8b09473d xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:57:19 hostname ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 228: 26786 Segmentation fault /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
Jul 1 19:57:19 hostname ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
Jul 1 19:57:19 hostname ipsec__plutorun: restarting IPsec after pause...
Jul 1 19:57:29 hostname ipsec_setup: Stopping Openswan IPsec...Removing orphaned /var/run/pluto/pluto.pid:
Jul 1 19:57:29 hostname ipsec__plutorun: Restarting Pluto subsystem...
Jul 1 19:57:29 hostname pluto[27074]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Jul 1 19:57:29 hostname pluto[27074]: Setting NAT-Traversal port-4500 floating to off
Jul 1 19:57:29 hostname pluto[27074]: port floating activation criteria nat_t=0/port_fload=1
Jul 1 19:57:29 hostname pluto[27074]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 1 19:57:29 hostname pluto[27074]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 1 19:57:29 hostname pluto[27074]: starting up 3 cryptographic helpers
Jul 1 19:57:29 hostname pluto[27074]: started helper pid=27079 (fd:6)
Jul 1 19:57:29 hostname pluto[27074]: started helper pid=27080 (fd:7)
Jul 1 19:57:29 hostname pluto[27074]: started helper pid=27082 (fd:8)
Jul 1 19:57:29 hostname pluto[27074]: Using Linux 2.6 IPsec interface code on 2.6.16.21-0.8-bigsmp
Jul 1 19:57:30 hostname pluto[27074]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 1 19:57:30 hostname pluto[27074]: Could not change to directory '/etc/ipsec.d/aacerts'
Jul 1 19:57:30 hostname pluto[27074]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Jul 1 19:57:30 hostname pluto[27074]: Changing to directory '/etc/ipsec.d/crls'
Jul 1 19:57:30 hostname pluto[27074]: Warning: empty directory
Jul 1 19:57:30 hostname pluto[27074]: added connection description "connname"
Jul 1 19:57:30 hostname pluto[27074]: listening for IKE messages
Jul 1 19:57:30 hostname pluto[27074]: adding interface eth1/eth1 192.168.0.4:500
Jul 1 19:57:30 hostname pluto[27074]: adding interface eth0:1/eth0:1 aaa.aaa.aaa.201:500
Jul 1 19:57:30 hostname pluto[27074]: adding interface eth0/eth0 aaa.aaa.aaa.124:500
Jul 1 19:57:30 hostname pluto[27074]: adding interface lo/lo 127.0.0.1:500
Jul 1 19:57:30 hostname pluto[27074]: loading secrets from "/etc/ipsec.secrets"
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: initiating Main Mode
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: I did not send a certificate because I do not have one.
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 1 19:57:30 hostname pluto[27074]: "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 19:57:30 hostname pluto[27074]: "connname" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jul 1 19:57:30 hostname pluto[27074]: "connname" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 19:57:30 hostname pluto[27074]: "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x5a655a24 <0x853b4350 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:57:30 hostname ipsec__plutorun: 104 "connname" #1: STATE_MAIN_I1: initiate
Jul 1 19:57:30 hostname ipsec__plutorun: 106 "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 19:57:30 hostname ipsec__plutorun: 108 "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 19:57:30 hostname ipsec__plutorun: 004 "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 19:57:30 hostname ipsec__plutorun: 117 "connname" #2: STATE_QUICK_I1: initiate
Jul 1 19:57:30 hostname ipsec__plutorun: 004 "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x5a655a24 <0x853b4350 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:57:31 hostname ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 228: 27074 Segmentation fault /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
Jul 1 19:57:31 hostname ipsec__plutorun: !pluto failure!: exited with error status 139 (signal 11)
Jul 1 19:57:31 hostname ipsec__plutorun: restarting IPsec after pause...
Jul 1 19:57:41 hostname ipsec_setup: Stopping Openswan IPsec...Removing orphaned /var/run/pluto/pluto.pid:
Jul 1 19:57:41 hostname ipsec__plutorun: Restarting Pluto subsystem...
Jul 1 19:57:41 hostname pluto[27361]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Jul 1 19:57:41 hostname pluto[27361]: Setting NAT-Traversal port-4500 floating to off
Jul 1 19:57:41 hostname pluto[27361]: port floating activation criteria nat_t=0/port_fload=1
Jul 1 19:57:41 hostname pluto[27361]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 1 19:57:41 hostname pluto[27361]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 1 19:57:41 hostname pluto[27361]: starting up 3 cryptographic helpers
Jul 1 19:57:41 hostname pluto[27361]: started helper pid=27366 (fd:6)
Jul 1 19:57:41 hostname pluto[27361]: started helper pid=27368 (fd:7)
Jul 1 19:57:41 hostname pluto[27361]: started helper pid=27369 (fd:8)
Jul 1 19:57:41 hostname pluto[27361]: Using Linux 2.6 IPsec interface code on 2.6.16.21-0.8-bigsmp
Jul 1 19:57:42 hostname pluto[27361]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 1 19:57:42 hostname pluto[27361]: Could not change to directory '/etc/ipsec.d/aacerts'
Jul 1 19:57:42 hostname pluto[27361]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Jul 1 19:57:42 hostname pluto[27361]: Changing to directory '/etc/ipsec.d/crls'
Jul 1 19:57:42 hostname pluto[27361]: Warning: empty directory
Jul 1 19:57:42 hostname pluto[27361]: added connection description "connname"
Jul 1 19:57:42 hostname pluto[27361]: listening for IKE messages
Jul 1 19:57:42 hostname pluto[27361]: adding interface eth1/eth1 192.168.0.4:500
Jul 1 19:57:42 hostname pluto[27361]: adding interface eth0:1/eth0:1 aaa.aaa.aaa.201:500
Jul 1 19:57:42 hostname pluto[27361]: adding interface eth0/eth0 aaa.aaa.aaa.124:500
Jul 1 19:57:42 hostname pluto[27361]: adding interface lo/lo 127.0.0.1:500
Jul 1 19:57:42 hostname pluto[27361]: loading secrets from "/etc/ipsec.secrets"
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: initiating Main Mode
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: I did not send a certificate because I do not have one.
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 1 19:57:42 hostname pluto[27361]: "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 19:57:42 hostname pluto[27361]: "connname" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jul 1 19:57:42 hostname pluto[27361]: "connname" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 19:57:42 hostname pluto[27361]: "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x29cfe155 <0x27efea54 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 19:57:42 hostname ipsec__plutorun: 104 "connname" #1: STATE_MAIN_I1: initiate
Jul 1 19:57:42 hostname ipsec__plutorun: 106 "connname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 19:57:42 hostname ipsec__plutorun: 108 "connname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 19:57:42 hostname ipsec__plutorun: 004 "connname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 1 19:57:42 hostname ipsec__plutorun: 117 "connname" #2: STATE_QUICK_I1: initiate
Jul 1 19:57:42 hostname ipsec__plutorun: 004 "connname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x29cfe155 <0x27efea54 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 20:45:45 hostname pluto[27361]: "connname" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #2 {using isakmp#1}
Jul 1 20:45:45 hostname pluto[27361]: "connname" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 20:45:45 hostname pluto[27361]: "connname" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xefe28097 <0x70866c38 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 21:28:42 hostname pluto[27361]: "connname" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #3 {using isakmp#1}
Jul 1 21:28:43 hostname pluto[27361]: "connname" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 21:28:43 hostname pluto[27361]: "connname" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9b34672e <0x0a2a7c57 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 22:19:31 hostname pluto[27361]: "connname" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #4 {using isakmp#1}
Jul 1 22:19:31 hostname pluto[27361]: "connname" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 22:19:31 hostname pluto[27361]: "connname" #5: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa4a12814 <0x6771111c xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 23:10:17 hostname pluto[27361]: "connname" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #5 {using isakmp#1}
Jul 1 23:10:17 hostname pluto[27361]: "connname" #6: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 23:10:17 hostname pluto[27361]: "connname" #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x215aea56 <0xcc4e7bc9 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 1 23:56:14 hostname pluto[27361]: "connname" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #6 {using isakmp#1}
Jul 1 23:56:14 hostname pluto[27361]: "connname" #7: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 1 23:56:14 hostname pluto[27361]: "connname" #7: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x6afebbf8 <0xbd197efc xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 00:38:38 hostname pluto[27361]: "connname" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #7 {using isakmp#1}
Jul 2 00:38:38 hostname pluto[27361]: "connname" #8: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 00:38:38 hostname pluto[27361]: "connname" #8: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe3b129b6 <0xdb1db656 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 01:28:21 hostname pluto[27361]: "connname" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #8 {using isakmp#1}
Jul 2 01:28:21 hostname pluto[27361]: "connname" #9: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 01:28:21 hostname pluto[27361]: "connname" #9: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa843a5f0 <0x2d4abeab xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 02:11:05 hostname pluto[27361]: "connname" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #9 {using isakmp#1}
Jul 2 02:11:05 hostname pluto[27361]: "connname" #10: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 02:11:05 hostname pluto[27361]: "connname" #10: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x6ee5b4ad <0x685b8f34 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 02:59:56 hostname pluto[27361]: "connname" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #10 {using isakmp#1}
Jul 2 02:59:56 hostname pluto[27361]: "connname" #11: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 02:59:56 hostname pluto[27361]: "connname" #11: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3aa9bbe2 <0x8c09e091 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 03:48:21 hostname pluto[27361]: "connname" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #11 {using isakmp#1}
Jul 2 03:48:21 hostname pluto[27361]: "connname" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 03:48:21 hostname pluto[27361]: "connname" #12: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x06e49676 <0xabf278e0 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 04:32:55 hostname pluto[27361]: "connname" #13: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #12 {using isakmp#1}
Jul 2 04:32:55 hostname pluto[27361]: "connname" #13: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 04:32:55 hostname pluto[27361]: "connname" #13: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3043e32c <0xbc2189bc xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 05:20:29 hostname pluto[27361]: "connname" #14: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #13 {using isakmp#1}
Jul 2 05:20:30 hostname pluto[27361]: "connname" #14: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 05:20:30 hostname pluto[27361]: "connname" #14: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9e2f9dbe <0x4c2784c1 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 06:06:07 hostname pluto[27361]: "connname" #15: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #14 {using isakmp#1}
Jul 2 06:06:07 hostname pluto[27361]: "connname" #15: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 06:06:07 hostname pluto[27361]: "connname" #15: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe7c37dd6 <0xba690728 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 06:55:57 hostname pluto[27361]: "connname" #16: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #15 {using isakmp#1}
Jul 2 06:55:57 hostname pluto[27361]: "connname" #16: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 06:55:57 hostname pluto[27361]: "connname" #16: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x72f55472 <0x98a4d8e3 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 07:44:25 hostname pluto[27361]: "connname" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #16 {using isakmp#1}
Jul 2 07:44:25 hostname pluto[27361]: "connname" #17: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 07:44:25 hostname pluto[27361]: "connname" #17: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x94edd2d9 <0x54f722fc xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 08:32:53 hostname pluto[27361]: "connname" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #17 {using isakmp#1}
Jul 2 08:32:53 hostname pluto[27361]: "connname" #18: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 08:32:53 hostname pluto[27361]: "connname" #18: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x68f6a39f <0xa0d483af xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
Jul 2 09:23:31 hostname pluto[27361]: "connname" #19: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #18 {using isakmp#1}
Jul 2 09:23:31 hostname pluto[27361]: "connname" #19: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 2 09:23:31 hostname pluto[27361]: "connname" #19: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x80899fcc <0x259d3f2a xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
+ _________________________ date
+ date
Fri Jul 2 09:28:36 BST 2010