[Openswan Users] Trying to find why ipsec0 tx dropped occurs
Mike C
smith.not.western at gmail.com
Fri Jun 11 05:43:19 EDT 2010
Hi,
I'm having trouble with what appears to be outbound packets being
dropped from ipsec0. Incoming packets are fine.
My setup is:
192.168.18.254/24 <-> 192.168.25.254
I am trying to initiate a ping from 192.168.25.254 to 192.168.18.2 (a
device on the network, which has its default gateway set to
192.168.18.254).
I can see from the firewall on 192.168.18.254 that the ICMP request
from 192.168.25.254 reaches the client (192.168.18.2), and the client
sends a response, however the openswan endpoint at 192.168.18.254 is
dropping the response from ipsec0 rather than sending it back to
192.168.25.254.
Firewall Logs on 192.168.18.254:
ACCEPT:IN=ipsec0 OUT=eth0 SRC=192.168.25.254 DST=192.168.18.2 LEN=84
TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=54837
SEQ=6 MARK=0xf0014
ACCEPT:IN=eth0 OUT=ipsec0 SRC=192.168.18.2 DST=192.168.25.254 LEN=84
TOS=0x00 PREC=0x00 TTL=63 ID=112 DF PROTO=ICMP TYPE=0 CODE=0 ID=54837
SEQ=6
# ifconfig ipsec0 (see the TX dropped packets)
ipsec0 Link encap:Point-to-Point Protocol
inet addr:94.9.157.10 Mask:255.255.255.255
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:97 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:192 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:6208 (6.0 KiB) TX bytes:0 (0.0 B)
Turning klipsdebug on, I see this when I try a different ping - ping
192.168.25.254 (from 192.168.18.254):
# ping 192.168.25.254
PING 192.168.25.254 (192.168.25.254): 56 data bytes
ping: sendto: Invalid argument
# Jun 11 09:37:55 testbox user.info kernel:
klips_debug:ipsec_tunnel_hard_header: cannot revector dev=ipsec0
op=(null) func=(null)
Jun 11 09:37:55 testbox user.info kernel:
klips_debug:klips_header_cache: cannot revector dev=ipsec0 op=(null)
func=(null)
Jun 11 09:37:55 testbox user.info kernel:
klips_debug:ipsec_tunnel_hard_header: skb->dev=ipsec0 dev=ipsec0.
I get these same messages regardless of what machine it is initiated
on in the 192.168.18.0/24 network. What is causing the packets to be
dropped, and more importantly what needs to be changed?
The machine is Linux 2.6.32-9, with uClibc and busybox. Perl isn't
installed so ipsec verify isn't working.
Your help would be much appreciated,
Thanks,
Mike
barf below:
Jun 11 09:10:59 testbox user.info kernel: klips_info:ipsec_init: KLIPS
startup, Openswan KLIPS IPsec stack version: 2.6.26
Jun 11 09:10:59 testbox user.warn kernel: registered KLIPS /proc/sys/net
Jun 11 09:10:59 testbox user.info kernel: klips_info:ipsec_alg_init:
KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
Jun 11 09:10:59 testbox user.info kernel: klips_info:ipsec_alg_init:
calling ipsec_alg_static_init()
Jun 11 09:10:59 testbox user.debug kernel: klips_debug: experimental
ipsec_alg_AES_MAC not registered [Ok] (auth_id=0)
Jun 11 09:13:01 testbox user.warn pluto[2204]: Using KLIPS IPsec
interface code on 2.6.32.9-g9b5a066-dirty
Jun 11 09:14:20 testbox user.warn pluto[2204]: "tun1" #5: up-client
output: //lib/ipsec/_updown.klips: changesource `ip route change
192.168.25.0/24 dev ipsec0 src 192.168.18.254' failed (RTNETLINK
answers: No such file or directory)
Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
118.93.180.109:500: ignoring unknown Vendor ID payload
[4f45685e5c537d65727a5053]
Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
118.93.180.109:500: received Vendor ID payload [Dead Peer Detection]
Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
118.93.180.109:500: received Vendor ID payload [RFC 3947] method set
to=109
Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
118.93.180.109:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
118.93.180.109:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
118.93.180.109:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
109
Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
118.93.180.109:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
118.93.180.109:500: initial Main Mode message received on
94.11.24.57:500 but no connection has been authorized with policy=PSK
Jun 11 09:13:01 testbox user.warn pluto[2204]: Setting NAT-Traversal
port-4500 floating to on
Jun 11 09:13:01 testbox user.warn pluto[2204]: port floating
activation criteria nat_t=1/port_float=1
Jun 11 09:13:01 testbox user.warn pluto[2204]: NAT-Traversal
support [enabled] [Force KeepAlive]
Jun 11 09:13:01 testbox user.warn pluto[2204]: using /dev/urandom as
source of random entropy
Jun 11 09:13:01 testbox user.warn pluto[2204]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jun 11 09:13:01 testbox user.warn pluto[2204]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jun 11 09:13:01 testbox user.warn pluto[2204]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jun 11 09:13:01 testbox user.warn pluto[2204]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 11 09:13:01 testbox user.warn pluto[2204]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jun 11 09:13:01 testbox user.warn pluto[2204]:
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jun 11 09:13:01 testbox user.warn pluto[2204]:
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jun 11 09:13:01 testbox user.warn pluto[2204]: no helpers will be
started, all cryptographic operations will be done inline
Jun 11 09:13:01 testbox user.warn pluto[2204]: Using KLIPS IPsec
interface code on 2.6.32.9-g9b5a066-dirty
Jun 11 09:13:01 testbox user.warn pluto[2204]: Changed path to
directory '/etc/ipsec.d/cacerts'
Jun 11 09:13:01 testbox user.warn pluto[2204]: Changed path to
directory '/etc/ipsec.d/aacerts'
Jun 11 09:13:01 testbox user.warn pluto[2204]: Changed path to
directory '/etc/ipsec.d/ocspcerts'
Jun 11 09:13:01 testbox user.warn pluto[2204]: Changing to directory
'/etc/ipsec.d/crls'
Jun 11 09:13:01 testbox user.warn pluto[2204]: Warning: empty directory
Jun 11 09:13:01 testbox user.warn pluto[2204]: listening for IKE messages
Jun 11 09:13:01 testbox user.warn pluto[2204]: NAT-Traversal: Trying
new style NAT-T
Jun 11 09:13:01 testbox user.warn pluto[2204]: adding interface
ipsec0/ppp0 94.9.157.10:500
Jun 11 09:13:01 testbox user.warn pluto[2204]: adding interface
ipsec0/ppp0 94.9.157.10:4500
Jun 11 09:13:01 testbox user.warn pluto[2204]: loading secrets from
"/etc/ipsec.secrets"
Jun 11 09:13:01 testbox user.warn pluto[2204]: added connection
description "tun1"
Jun 11 09:13:01 testbox user.warn pluto[2204]: "tun1" #1: initiating Main Mode
Jun 11 09:13:01 testbox user.warn pluto[2204]: attempt to redefine
connection "tun1"
Jun 11 09:13:41 testbox user.warn pluto[2204]: "tun1": deleting connection
Jun 11 09:13:41 testbox user.warn pluto[2204]: "tun1" #1: deleting
state (STATE_MAIN_I1)
Jun 11 09:13:41 testbox user.warn pluto[2204]: added connection
description "tun1"
Jun 11 09:13:41 testbox user.warn pluto[2204]: "tun1" #2: initiating Main Mode
Jun 11 09:13:51 testbox user.warn pluto[2204]: "tun1": deleting connection
Jun 11 09:13:51 testbox user.warn pluto[2204]: "tun1" #2: deleting
state (STATE_MAIN_I1)
Jun 11 09:13:51 testbox user.warn pluto[2204]: added connection
description "tun1"
Jun 11 09:13:51 testbox user.warn pluto[2204]: "tun1" #3: initiating Main Mode
Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
118.93.180.109:500: ignoring unknown Vendor ID payload
[4f45685e5c537d65727a5053]
Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
118.93.180.109:500: received Vendor ID payload [Dead Peer Detection]
Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
118.93.180.109:500: received Vendor ID payload [RFC 3947] method set
to=109
Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
118.93.180.109:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
118.93.180.109:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
118.93.180.109:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
109
Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
118.93.180.109:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Jun 11 09:14:18 testbox user.warn pluto[2204]: "tun1" #4: responding
to Main Mode
Jun 11 09:14:18 testbox user.warn pluto[2204]: "tun1" #4: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 11 09:14:18 testbox user.warn pluto[2204]: "tun1" #4:
STATE_MAIN_R1: sent MR1, expecting MI2
Jun 11 09:14:18 testbox user.warn pluto[2204]: "tun1" #4:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jun 11 09:14:18 testbox user.warn pluto[2204]: "tun1" #4: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 11 09:14:18 testbox user.warn pluto[2204]: "tun1" #4:
STATE_MAIN_R2: sent MR2, expecting MI3
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #4: Main mode
peer ID is ID_IPV4_ADDR: '118.93.180.109'
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #4: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #4:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1536}
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #4: the peer
proposed: 192.168.18.0/24:0/0 -> 192.168.25.0/24:0/0
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #5: responding
to Quick Mode proposal {msgid:3f3a872e}
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #5: us:
192.168.18.0/24===94.9.157.10---89.200.128.42
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #5: them:
118.93.180.109===192.168.25.0/24
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #5: transition
from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #5:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #4: the peer
proposed: 192.168.18.0/24:0/0 -> 192.168.25.0/24:0/0
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #6: responding
to Quick Mode proposal {msgid:a677ff3b}
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #6: us:
192.168.18.0/24===94.9.157.10---89.200.128.42
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #6: them:
118.93.180.109===192.168.25.0/24
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #6: transition
from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #6:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 11 09:14:20 testbox user.warn pluto[2204]: "tun1" #5: up-client
output: //lib/ipsec/_updown.klips: changesource `ip route change
192.168.25.0/24 dev ipsec0 src 192.168.18.254' failed (RTNETLINK
answers: No such file or directory)
Jun 11 09:14:20 testbox user.warn pluto[2204]: "tun1" #5: transition
from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 11 09:14:20 testbox user.warn pluto[2204]: "tun1" #5:
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x71f2403b
<0x84d7d90b xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Jun 11 09:14:20 testbox user.warn pluto[2204]: "tun1" #6: transition
from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 11 09:14:20 testbox user.warn pluto[2204]: "tun1" #6:
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x71f2403c
<0x84d7d90c xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Jun 11 09:14:21 testbox user.warn pluto[2204]: "tun1" #3: ignoring
unknown Vendor ID payload [4f45685e5c537d65727a5053]
Jun 11 09:14:21 testbox user.warn pluto[2204]: "tun1" #3: received
Vendor ID payload [Dead Peer Detection]
Jun 11 09:14:21 testbox user.warn pluto[2204]: "tun1" #3: received
Vendor ID payload [RFC 3947] method set to=109
Jun 11 09:14:21 testbox user.warn pluto[2204]: "tun1" #3: enabling
possible NAT-traversal with method 4
Jun 11 09:14:21 testbox user.warn pluto[2204]: "tun1" #3: transition
from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 11 09:14:21 testbox user.warn pluto[2204]: "tun1" #3:
STATE_MAIN_I2: sent MI2, expecting MR2
Jun 11 09:14:22 testbox user.warn pluto[2204]: "tun1" #3:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jun 11 09:14:22 testbox user.warn pluto[2204]: "tun1" #3: transition
from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 11 09:14:22 testbox user.warn pluto[2204]: "tun1" #3:
STATE_MAIN_I3: sent MI3, expecting MR3
Jun 11 09:14:23 testbox user.warn pluto[2204]: "tun1" #3: Main mode
peer ID is ID_IPV4_ADDR: '118.93.180.109'
Jun 11 09:14:23 testbox user.warn pluto[2204]: "tun1" #3: transition
from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 11 09:14:23 testbox user.warn pluto[2204]: "tun1" #3:
STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 11 09:14:23 testbox user.warn pluto[2204]: "tun1" #7: initiating
Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3 msgid:68db6fa1
proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jun 11 09:14:23 testbox user.warn pluto[2204]: "tun1" #7: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 11 09:14:23 testbox user.warn pluto[2204]: "tun1" #7:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0x71f2403d <0x84d7d90d xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none
DPD=none}
Jun 11 09:14:15 testbox user.warn pluto[2204]: time moved backwards 8 seconds
testbox
Fri Jun 11 09:16:10 UTC 2010
+ _________________________ version
+
+ ipsec --version
Linux Openswan 2.6.26 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+
+ cat /proc/version
Linux version 2.6.32.9-g9b5a066-dirty (test at test) (gcc version 4.4.4
(Buildroot 2010.05) ) #3 Thu Jun 10 17:03:30 UTC 2010
+ _________________________ /proc/net/ipsec_eroute
+
+ test -r /proc/net/ipsec_eroute
+ sort -sg -k 3 /proc/net/ipsec_eroute
0 192.168.18.0/24 -> 192.168.25.0/24 => tun0x1005 at 118.93.180.109
+ _________________________ netstat-rn
+
+ head -n 100
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
89.200.128.42 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
89.200.128.42 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec0
192.168.36.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.18.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.18.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.25.0 89.200.128.42 255.255.255.0 UG 0 0 0 ipsec0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 89.200.128.42 0.0.0.0 UG 0 0 0 ppp0
+ _________________________ /proc/net/ipsec_spi
+
+ test -r /proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
esp0x71f2403d at 118.93.180.109 ESP_3DES_HMAC_MD5: dir=out
src=94.9.157.10 iv_bits=64bits iv=0x9b32fd94b9f6b1ac ooowin=64
alen=128 aklen=128 eklen=192
life(c,s,h)=addtime(18446744073705256780,0,0) natencap=none natsport=0
natdport=0 refcount=3 ref=10 refhim=0
esp0x71f2403c at 118.93.180.109 ESP_3DES_HMAC_MD5: dir=out
src=94.9.157.10 iv_bits=64bits iv=0x722e0e62f025769e ooowin=64
alen=128 aklen=128 eklen=192
life(c,s,h)=addtime(18446744073705256783,0,0) natencap=none natsport=0
natdport=0 refcount=3 ref=6 refhim=0
esp0x71f2403b at 118.93.180.109 ESP_3DES_HMAC_MD5: dir=out
src=94.9.157.10 iv_bits=64bits iv=0x11cf4e3eee71cd74 ooowin=64
alen=128 aklen=128 eklen=192
life(c,s,h)=addtime(18446744073705256783,0,0) natencap=none natsport=0
natdport=0 refcount=3 ref=2 refhim=0
tun0x1005 at 118.93.180.109 IPIP: dir=out src=94.9.157.10
life(c,s,h)=addtime(18446744073705256780,0,0) natencap=none natsport=0
natdport=0 refcount=3 ref=9 refhim=0
tun0x1003 at 118.93.180.109 IPIP: dir=out src=94.9.157.10
life(c,s,h)=addtime(18446744073705256783,0,0) natencap=none natsport=0
natdport=0 refcount=3 ref=5 refhim=0
tun0x1001 at 118.93.180.109 IPIP: dir=out src=94.9.157.10
life(c,s,h)=addtime(18446744073705256783,0,0) natencap=none natsport=0
natdport=0 refcount=3 ref=1 refhim=0
esp0x84d7d90d at 94.9.157.10 ESP_3DES_HMAC_MD5: dir=in
src=118.93.180.109 iv_bits=64bits iv=0xd80c954a83fae6a2 ooowin=64
seq=84 bit=0xffffffffffffffff alen=128 aklen=128 eklen=192
life(c,s,h)=bytes(7056,0,0)addtime(18446744073705256780,0,0)usetime(18446744073705256779,0,0)packets(84,0,0)
idle=19 natencap=none natsport=0 natdport=0 refcount=3 ref=12 refhim=9
esp0x84d7d90c at 94.9.157.10 ESP_3DES_HMAC_MD5: dir=in
src=118.93.180.109 iv_bits=64bits iv=0x693297db55b20b22 ooowin=64
seq=4 bit=0xf alen=128 aklen=128 eklen=192
life(c,s,h)=bytes(336,0,0)addtime(18446744073705256783,0,0)usetime(18446744073705256783,0,0)packets(4,0,0)
idle=-4294836 natencap=none natsport=0 natdport=0 refcount=3 ref=8
refhim=5
esp0x84d7d90b at 94.9.157.10 ESP_3DES_HMAC_MD5: dir=in
src=118.93.180.109 iv_bits=64bits iv=0xa56001251e6afdd2 ooowin=64
alen=128 aklen=128 eklen=192
life(c,s,h)=addtime(18446744073705256783,0,0) natencap=none natsport=0
natdport=0 refcount=3 ref=4 refhim=1
tun0x1006 at 94.9.157.10 IPIP: dir=in src=118.93.180.109
policy=192.168.25.0/24->192.168.18.0/24 flags=0x8<>
life(c,s,h)=bytes(7056,0,0)addtime(18446744073705256780,0,0)usetime(18446744073705256779,0,0)packets(84,0,0)
idle=19 natencap=none natsport=0 natdport=0 refcount=3 ref=11 refhim=9
tun0x1004 at 94.9.157.10 IPIP: dir=in src=118.93.180.109
policy=192.168.25.0/24->192.168.18.0/24 flags=0x8<>
life(c,s,h)=bytes(336,0,0)addtime(18446744073705256783,0,0)usetime(18446744073705256783,0,0)packets(4,0,0)
idle=-4294836 natencap=none natsport=0 natdport=0 refcount=3 ref=7
refhim=5
tun0x1002 at 94.9.157.10 IPIP: dir=in src=118.93.180.109
policy=192.168.25.0/24->192.168.18.0/24 flags=0x8<>
life(c,s,h)=addtime(18446744073705256783,0,0) natencap=none natsport=0
natdport=0 refcount=3 ref=3 refhim=1
+ _________________________ /proc/net/ipsec_spigrp
+
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
esp0x71f2403d at 118.93.180.109
esp0x71f2403c at 118.93.180.109
esp0x71f2403b at 118.93.180.109
tun0x1005 at 118.93.180.109 esp0x71f2403d at 118.93.180.109
tun0x1003 at 118.93.180.109 esp0x71f2403c at 118.93.180.109
tun0x1001 at 118.93.180.109 esp0x71f2403b at 118.93.180.109
esp0x84d7d90d at 94.9.157.10 tun0x1006 at 94.9.157.10
esp0x84d7d90c at 94.9.157.10 tun0x1004 at 94.9.157.10
esp0x84d7d90b at 94.9.157.10 tun0x1002 at 94.9.157.10
tun0x1006 at 94.9.157.10
tun0x1004 at 94.9.157.10
tun0x1002 at 94.9.157.10
+ _________________________ /proc/net/ipsec_tncfg
+
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
+ _________________________ /proc/net/pfkey
+
+ test -r /proc/net/pfkey
+ _________________________ /proc/crypto
+
+ test -r /proc/crypto
+ cat /proc/crypto
name : cbc(aes)
driver : cbc-aes-geode
module : geode_aes
priority : 400
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : ecb(aes)
driver : ecb(geode-aes)
module : ecb
priority : 300
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>
name : ecb(aes)
driver : ecb-aes-geode
module : geode_aes
priority : 400
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>
name : aes
driver : aes-asm
module : aes_i586
priority : 200
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : aes
driver : aes-generic
module : aes_generic
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : aes
driver : geode-aes
module : geode_aes
priority : 300
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : sha1
driver : sha1-generic
module : sha1_generic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 20
name : ecb(arc4)
driver : ecb(arc4-generic)
module : ecb
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 1
max keysize : 256
ivsize : 0
geniv : <default>
name : arc4
driver : arc4-generic
module : arc4
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 1
min keysize : 1
max keysize : 256
name : stdrng
driver : krng
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : rng
seedsize : 0
+ __________________________/proc/sys/net/core/xfrm-star
//libexec/ipsec/barf: line 1:
__________________________/proc/sys/net/core/xfrm-star: not found
+ echo -n /proc/sys/net/core/xfrm_acq_expires:
/proc/sys/net/core/xfrm_acq_expires: + cat /proc/sys/net/core/xfrm_acq_expires
30
+ echo -n /proc/sys/net/core/xfrm_aevent_etime:
/proc/sys/net/core/xfrm_aevent_etime: + cat /proc/sys/net/core/xfrm_aevent_etime
10
+ echo -n /proc/sys/net/core/xfrm_aevent_rseqth:
/proc/sys/net/core/xfrm_aevent_rseqth: + cat
/proc/sys/net/core/xfrm_aevent_rseqth
2
+ echo -n /proc/sys/net/core/xfrm_larval_drop:
/proc/sys/net/core/xfrm_larval_drop: + cat /proc/sys/net/core/xfrm_larval_drop
1
+ _________________________ /proc/sys/net/ipsec-star
+
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep ^ debug_ah debug_eroute debug_esp debug_ipcomp debug_mast
debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel
debug_verbose debug_xform debug_xmit icmp inbound_policy_check
pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_mast:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
debug_xmit:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+
+ ipsec auto --status
000 using kernel interface: klips
000 interface ipsec0/ppp0 94.9.157.10
000 interface ipsec0/ppp0 94.9.157.10
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= was not specified, or there was a syntax
000 error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC,
blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,4,36}
trans={0,4,72} attrs={0,4,96}
000
000 "tun1": 192.168.18.0/24===94.9.157.10---89.200.128.42...118.93.180.109===192.168.25.0/24;
erouted; eroute owner: #7
000 "tun1": myip=192.168.18.254; hisip=unset;
myup=/lib/ipsec/_updown; hisup=/lib/ipsec/_updown;
000 "tun1": ike_life: 14400s; ipsec_life: 10800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 5
000 "tun1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: ppp0;
000 "tun1": newest ISAKMP SA: #3; newest IPsec SA: #7;
000 "tun1": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "tun1": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000;
pfsgroup=MODP1024(2); flags=-strict
000 "tun1": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "tun1": ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=MODP1024
000
000 #6: "tun1":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 10412s; isakmp#4; idle; import:not set
000 #6: "tun1" esp.71f2403c at 118.93.180.109 esp.84d7d90c at 94.9.157.10
tun.1003 at 118.93.180.109 tun.1004 at 94.9.157.10 ref=7 refhim=5
000 #5: "tun1":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 10412s; isakmp#4; idle; import:not set
000 #5: "tun1" esp.71f2403b at 118.93.180.109 esp.84d7d90b at 94.9.157.10
tun.1001 at 118.93.180.109 tun.1002 at 94.9.157.10 ref=3 refhim=1
000 #4: "tun1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 14011s; lastdpd=-1s(seq in:0 out:0); idle;
import:not set
000 #7: "tun1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 9728s; newest IPSEC; eroute owner; isakmp#3; idle;
import:admin initiate
000 #7: "tun1" esp.71f2403d at 118.93.180.109 esp.84d7d90d at 94.9.157.10
tun.1005 at 118.93.180.109 tun.1006 at 94.9.157.10 ref=11 refhim=9
000 #3: "tun1":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 13505s; newest ISAKMP; lastdpd=-1s(seq in:0
out:0); idle; import:admin initiate
000
+ _________________________ ifconfig-a
+
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:0A:FA:22:00:40
inet addr:192.168.18.254 Bcast:192.168.18.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1801 errors:0 dropped:0 overruns:0 frame:0
TX packets:1184 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:237632 (232.0 KiB) TX bytes:512692 (500.6 KiB)
Interrupt:10 Base address:0x8000
eth1 Link encap:Ethernet HWaddr 00:0A:FA:22:00:41
inet addr:192.168.36.254 Bcast:192.168.36.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:11 Base address:0xc100
ipsec0 Link encap:Point-to-Point Protocol
inet addr:94.9.157.10 Mask:255.255.255.255
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:88 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:174 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:5632 (5.5 KiB) TX bytes:0 (0.0 B)
ipsec1 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:186 errors:0 dropped:0 overruns:0 frame:0
TX packets:186 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:41317 (40.3 KiB) TX bytes:41317 (40.3 KiB)
mast0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ppp0 Link encap:Point-to-Point Protocol
inet addr:94.9.157.10 P-t-P:89.200.128.42 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1288 errors:0 dropped:0 overruns:0 frame:0
TX packets:1349 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:488772 (477.3 KiB) TX bytes:206346 (201.5 KiB)
+ _________________________ ip-addr-list
+
+ ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:0a:fa:22:00:40 brd ff:ff:ff:ff:ff:ff
inet 192.168.18.254/24 brd 192.168.18.255 scope global eth0
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
state DOWN qlen 1000
link/ether 00:0a:fa:22:00:41 brd ff:ff:ff:ff:ff:ff
inet 192.168.36.254/24 brd 192.168.36.255 scope global eth1
4: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast state UNKNOWN qlen 10
link/ppp
inet 94.9.157.10 peer 89.200.128.42/32 scope global ipsec0
inet 192.168.18.254/24 scope global ipsec0
5: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
link/void
6: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
link/[65534]
8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc htb
state UNKNOWN qlen 100
link/ppp
inet 94.9.157.10 peer 89.200.128.42/32 scope global ppp0
+ _________________________ ip-route-list
+
+ ip route list
89.200.128.42 dev ppp0 proto kernel scope link src 94.9.157.10
89.200.128.42 dev ipsec0 proto kernel scope link src 94.9.157.10
192.168.36.0/24 dev eth1 scope link src 192.168.36.254
192.168.18.0/24 dev eth0 scope link src 192.168.18.254
192.168.18.0/24 dev ipsec0 proto kernel scope link src 192.168.18.254
192.168.25.0/24 via 89.200.128.42 dev ipsec0 src 192.168.18.254
127.0.0.0/8 dev lo scope link
default via 89.200.128.42 dev ppp0 src 94.9.157.10
+ _________________________ ip-rule-list
+
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+
+ ipsec verify --nocolour
//sbin/ipsec: exec: line 142: //libexec/ipsec/verify: not found
+ _________________________ mii-tool
+
+ [ -x /sbin/mii-tool ]
+ [ -x /usr/sbin/mii-tool ]
+ mii-tool -v
//libexec/ipsec/barf: line 1: mii-tool: not found
+ _________________________ ipsec/directory
+
+ ipsec --directory
//lib/ipsec
+ _________________________ hostname/fqdn
+
+ hostname --fqdn
hostname: testbox: Unknown host
+ _________________________ hostname/ipaddress
+
+ hostname --ip-address
hostname: unrecognized option `--ip-address'
BusyBox v1.16.1 (2010-06-09 14:37:31 UTC) multi-call binary.
Usage: hostname [OPTIONS] [HOSTNAME | -F FILE]
Get or set hostname or DNS domain name
Options:
-s Short
-i Addresses for the hostname
-d DNS domain name
-f Fully qualified domain name
-F FILE Use FILE's content as hostname
+ _________________________ uptime
+
+ uptime
09:16:20 up 5 min, load average: 0.05, 0.10, 0.04
+ _________________________ ps
+
+ egrep -i ppid|pluto|ipsec|klips
+ ps alxwf
ps: invalid option -- a
BusyBox v1.16.1 (2010-06-09 14:37:31 UTC) multi-call binary.
corrected ps output:
2204 root 1832 S /libexec/ipsec/pluto
--secretsfile=/etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-klips
--uniqueid --no
2207 root 440 S _pluto_adns
+ _________________________ ipsec/showdefaults
+
+ ipsec showdefaults
ipsec showdefaults: cannot find defaults file `/var/run/pluto/ipsec.info'
+ _________________________ ipsec/conf
+
+ ipsec _keycensor
+ ipsec _include /etc/ipsec.conf
+ _________________________ ipsec/secrets
+
+ ipsec _secretcensor
+ ipsec _include /etc/ipsec.secrets
#< /etc/ipsec.secrets 1
94.9.157.10 118.93.180.109 : PSK "[sums to d5d5...]"
+ _________________________ ipsec/listall
+
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000 1: PSK 118.93.180.109 94.9.157.10
+ [ /etc/ipsec.d/policies ]
+ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See //share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See //share/doc/openswan/policygroups.html for details.
#
# root name servers should be in the clear
192.58.128.30/32
198.41.0.4/32
192.228.79.201/32
192.33.4.12/32
128.8.10.90/32
192.203.230.10/32
192.5.5.241/32
192.112.36.4/32
128.63.2.53/32
192.36.148.17/32
193.0.14.129/32
199.7.83.42/32
202.12.27.33/32
+ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See //share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See //share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See //share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+
+ ls -l //lib/ipsec
-rwxr-xr-x 1 root root 4428 Jun 10 05:35 _copyright
-rwxr-xr-x 1 root root 2379 Jun 10 02:21 _include
-rwxr-xr-x 1 root root 1475 Jun 10 02:21 _keycensor
-rwxr-xr-x 1 root root 2632 Jun 10 02:21 _plutoload
-rwxr-xr-x 1 root root 8203 Jun 10 02:21 _plutorun
-rwxr-xr-x 1 root root 12952 Jun 10 02:21 _realsetup
-rwxr-xr-x 1 root root 1975 Jun 10 02:21 _secretcensor
-rwxr-xr-x 1 root root 9277 Jun 10 02:21 _startklips
-rwxr-xr-x 1 root root 6042 Jun 10 02:22 _startnetkey
-rwxr-xr-x 1 root root 4859 Jun 10 02:21 _updown
-rwxr-xr-x 1 root root 16182 Jun 10 02:21 _updown.klips
-rwxr-xr-x 1 root root 13909 Jun 10 02:22 _updown.mast
-rwxr-xr-x 1 root root 10951 Jun 10 02:22 _updown.netkey
+ _________________________ ipsec/ls-execdir
+
+ ls -l //libexec/ipsec
-rwxr-xr-x 1 root root 8140 Jun 10 05:35 _pluto_adns
-rwxr-xr-x 1 root root 8140 Jun 10 05:35 _pluto_adns.old
-rwxr-xr-x 1 root root 167076 Jun 10 05:35 addconn
-rwxr-xr-x 1 root root 167076 Jun 10 05:35 addconn.old
-rwxr-xr-x 1 root root 6015 Jun 10 02:21 auto
-rwxr-xr-x 1 root root 10828 Jun 10 02:21 barf
-rwxr-xr-x 1 root root 81756 Jun 10 05:35 eroute
-rwxr-xr-x 1 root root 17956 Jun 10 05:35 ikeping
-rwxr-xr-x 1 root root 65212 Jun 10 05:35 klipsdebug
-rwxr-xr-x 1 root root 2591 Jun 10 02:21 look
-rwxr-xr-x 1 root root 2182 Jun 10 02:21 newhostkey
-rwxr-xr-x 1 root root 56380 Jun 10 05:35 pf_key
-rwxr-xr-x 1 root root 924784 Jun 10 05:35 pluto
-rwxr-xr-x 1 root root 924784 Jun 10 05:35 pluto.old
-rwxr-xr-x 1 root root 6600 Jun 10 05:35 ranbits
-rwxr-xr-x 1 root root 18552 Jun 10 05:35 rsasigkey
-rwxr-xr-x 1 root root 766 Jun 10 02:21 secrets
lrwxrwxrwx 1 root root 17 Jun 10 02:21 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1054 Jun 10 02:21 showdefaults
-rwxr-xr-x 1 root root 234700 Jun 10 05:35 showhostkey
-rwxr-xr-x 1 root root 18512 Jun 10 05:35 showpolicy
-rwxr-xr-x 1 root root 18512 Jun 10 05:35 showpolicy.old
-rwxr-xr-x 1 root root 130972 Jun 10 05:35 spi
-rwxr-xr-x 1 root root 72940 Jun 10 05:35 spigrp
-rwxr-xr-x 1 root root 64476 Jun 10 05:35 tncfg
-rwxr-xr-x 1 root root 13460 Jun 10 02:21 verify
-rwxr-xr-x 1 root root 48080 Jun 10 05:35 whack
-rwxr-xr-x 1 root root 48080 Jun 10 05:35 whack.old
+ _________________________ /proc/net/dev
+
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 41455 188 0 0 0 0 0 0 41455 188 0 0 0 0 0 0
eth0: 238581 1812 0 0 0 0 0 0 519266 1193 0 0 0 0 0 0
eth1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec0: 5632 88 0 0 0 0 0 0 0 0 0 174 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
mast0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ppp0: 488978 1290 0 0 0 0 0 0 206477 1351 0 0 0 0 0 0
+ _________________________ /proc/net/route
+
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ppp0 2A80C859 00000000 0005 0 0 0 FFFFFFFF 0 0 0
ipsec0 2A80C859 00000000 0005 0 0 0 FFFFFFFF 0 0 0
eth1 0024A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 0012A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0012A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0019A8C0 2A80C859 0003 0 0 0 00FFFFFF 0 0 0
lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0
ppp0 00000000 2A80C859 0003 0 0 0 00000000 0 0 0
+ _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
+
+ cat /proc/sys/net/ipv4/ip_no_pmtu_disc
0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+
+ cd /proc/sys/net/ipv4/conf
+ egrep ^ all/rp_filter default/rp_filter eth0/rp_filter
eth1/rp_filter ipsec0/rp_filter ipsec1/rp_filter lo/rp_filter
mast0/rp_filter ppp0/rp_filter
all/rp_filter:1
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
ipsec0/rp_filter:0
ipsec1/rp_filter:0
lo/rp_filter:0
mast0/rp_filter:0
ppp0/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+
+ cd /proc/sys/net/ipv4/conf
+ egrep ^ all/accept_redirects all/secure_redirects all/send_redirects
default/accept_redirects default/secure_redirects
default/send_redirects eth0/accept_redirects eth0/secure_redirects
eth0/send_redirects eth1/accept_redirects eth1/secure_redirects
eth1/send_redirects ipsec0/accept_redirects ipsec0/secure_redirects
ipsec0/send_redirects ipsec1/accept_redirects ipsec1/secure_redirects
ipsec1/send_redirects lo/accept_redirects lo/secure_redirects
lo/send_redirects mast0/accept_redirects mast0/secure_redirects
mast0/send_redirects ppp0/accept_redirects ppp0/secure_redirects
ppp0/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:1
default/accept_redirects:1
default/secure_redirects:1
default/send_redirects:1
eth0/accept_redirects:1
eth0/secure_redirects:1
eth0/send_redirects:1
eth1/accept_redirects:1
eth1/secure_redirects:1
eth1/send_redirects:1
ipsec0/accept_redirects:1
ipsec0/secure_redirects:1
ipsec0/send_redirects:1
ipsec1/accept_redirects:1
ipsec1/secure_redirects:1
ipsec1/send_redirects:1
lo/accept_redirects:1
lo/secure_redirects:1
lo/send_redirects:1
mast0/accept_redirects:1
mast0/secure_redirects:1
mast0/send_redirects:1
ppp0/accept_redirects:1
ppp0/secure_redirects:1
ppp0/send_redirects:1
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+
+ cat /proc/sys/net/ipv4/tcp_window_scaling
0
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+
+ uname -a
Linux testbox 2.6.32.9-g9b5a066-dirty #3 Thu Jun 10 17:03:30 UTC 2010 i586 GNU/Linux
+ _________________________ config-built-with
+
+ test -r /proc/config_built_with
+ _________________________ distro-release
+
+ test -f /etc/redhat-release
+ test -f /etc/debian-release
+ test -f /etc/SuSE-release
+ test -f /etc/mandrake-release
+ test -f /etc/mandriva-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.6.26
+ _________________________ iptables
+
+ test -r /sbin/iptables
[output removed]
Packets are definitely being accepted by firewall
+ _________________________ /proc/modules
+
+ test -f /proc/modules
+ cat /proc/modules
xt_TCPMSS 1524 4 - Live 0xd0a5e000
cls_fw 2336 7 - Live 0xd076e000
sch_sfq 3348 7 - Live 0xd0764000
sch_htb 9468 1 - Live 0xd0758000
ipt_REJECT 1304 2 - Live 0xd06df000
xt_DSCP 1192 14 - Live 0xd0681000
ipt_LOG 3512 15 - Live 0xd05ab000
xt_state 688 11 - Live 0xd05a1000
ipsec 299172 2 - Live 0xd0539000
aes_i586 6524 0 - Live 0xd04d1000
aes_generic 25432 1 aes_i586, Live 0xd04b8000
geode_aes 3072 0 - Live 0xd04a0000
tunnel4 1140 0 - Live 0xd046c000
ip_set_macipmap 1728 0 - Live 0xd0462000
ip_set_nethash 5672 13 - Live 0xd0457000
ip_set_ipportnethash 7340 0 - Live 0xd044b000
ip_set_ipmap 1664 0 - Live 0xd0440000
ip_set_iphash 4400 7 - Live 0xd0435000
ip_set_setlist 1868 0 - Live 0xd042a000
ip_set_iptree 3320 0 - Live 0xd0420000
ip_set_iptreemap 6128 0 - Live 0xd0415000
ip_set_ipporthash 5416 0 - Live 0xd0409000
ip_set_portmap 1752 1 - Live 0xd03fe000
ipt_set 744 59 - Live 0xd03f4000
ip_set 7792 21 ip_set_macipmap,ip_set_nethash,ip_set_ipportnethash,ip_set_ipmap,ip_set_iphash,ip_set_setlist,ip_set_iptree,ip_set_iptreemap,ip_set_ipporthash,ip_set_portmap,ipt_set, Live 0xd03e7000
ipt_ULOG 3296 0 - Live 0xd03da000
xt_tcpudp 1480 36 - Live 0xd03d0000
xt_tcpmss 800 4 - Live 0xd03c7000
xt_string 740 0 - Live 0xd03be000
xt_statistic 636 0 - Live 0xd03b5000
xt_sctp 1484 0 - Live 0xd03ac000
xt_realm 440 0 - Live 0xd03a3000
xt_quota 612 0 - Live 0xd039a000
xt_policy 1544 0 - Live 0xd0391000
xt_pkttype 504 0 - Live 0xd0388000
xt_physdev 1048 0 - Live 0xd037f000
xt_multiport 1428 50 - Live 0xd0376000
xt_mark 440 2 - Live 0xd036d000
xt_mac 500 0 - Live 0xd0364000
xt_limit 760 17 - Live 0xd035b000
xt_length 596 3 - Live 0xd0352000
xt_hl 744 0 - Live 0xd0349000
xt_helper 648 0 - Live 0xd0340000
xt_hashlimit 4672 0 - Live 0xd0336000
xt_esp 644 0 - Live 0xd032b000
xt_dscp 880 0 - Live 0xd0322000
xt_dccp 1280 0 - Live 0xd0319000
xt_conntrack 1628 0 - Live 0xd0310000
xt_connmark 560 0 - Live 0xd0306000
xt_connbytes 872 0 - Live 0xd02fd000
xt_comment 420 0 - Live 0xd02f4000
xt_NFQUEUE 872 0 - Live 0xd02eb000
xt_NFLOG 512 0 - Live 0xd02e2000
nfnetlink_log 4400 1 xt_NFLOG, Live 0xd02d8000
xt_MARK 444 23 - Live 0xd02cd000
nf_conntrack_tftp 2140 0 - Live 0xd02c4000
nf_conntrack_sip 9000 0 - Live 0xd02b8000
nf_conntrack_pptp 2440 0 - Live 0xd02ab000
nf_conntrack_proto_gre 1908 1 nf_conntrack_pptp, Live 0xd02a1000
nf_conntrack_netlink 10288 0 - Live 0xd0295000
nfnetlink 1256 3 nfnetlink_log,nf_conntrack_netlink, Live 0xd0288000
nf_conntrack_netbios_ns 716 0 - Live 0xd027e000
nf_conntrack_irc 2136 0 - Live 0xd0275000
nf_conntrack_h323 28976 0 - Live 0xd0264000
nf_conntrack_ftp 3628 0 - Live 0xd0251000
iptable_nat 2092 1 - Live 0xd0246000
nf_nat 8628 1 iptable_nat, Live 0xd023a000
nf_conntrack_ipv4 5840 14 iptable_nat,nf_nat, Live 0xd022c000
nf_conntrack 31312 17 xt_state,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4, Live 0xd0219000
nf_defrag_ipv4 552 1 nf_conntrack_ipv4, Live 0xd0201000
iptable_raw 576 0 - Live 0xd01f8000
iptable_mangle 864 1 - Live 0xd01ef000
iptable_filter 704 1 - Live 0xd01e5000
ip_tables 6368 4 iptable_nat,iptable_raw,iptable_mangle,iptable_filter, Live 0xd01da000
x_tables 6340 37 xt_TCPMSS,ipt_REJECT,xt_DSCP,ipt_LOG,xt_state,ipt_set,ipt_ULOG,xt_tcpudp,xt_tcpmss,xt_string,xt_statistic,xt_sctp,xt_realm,xt_quota,xt_policy,xt_pkttype,xt_physdev,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_helper,xt_hashlimit,xt_esp,xt_dscp,xt_dccp,xt_conntrack,xt_connmark,xt_connbytes,xt_comment,xt_NFQUEUE,xt_NFLOG,xt_MARK,iptable_nat,ip_tables, Live 0xd01bd000
solos_pci 14108 1 - Live 0xd01b0000
firmware_class 3904 1 solos_pci, Live 0xd01a0000
br2684 3532 0 - Live 0xd0195000
ppp_deflate 2308 0 - Live 0xd018a000
sha1_generic 1204 0 - Live 0xd0176000
arc4 776 0 - Live 0xd016d000
ecb 988 0 - Live 0xd0164000
ppp_mppe 3744 0 - Live 0xd015b000
pppoe 5244 0 - Live 0xd0150000
pppox 844 1 pppoe, Live 0xd0144000
pppoatm 1492 1 - Live 0xd013b000
ppp_generic 13432 9 ppp_deflate,ppp_mppe,pppoe,pppox,pppoatm, Live 0xd012e000
slhc 3336 1 ppp_generic, Live 0xd0122000
atm 20900 5 solos_pci,br2684,pppoatm, Live 0xd0113000
ohci_hcd 14612 0 - Live 0xd00fb000
ehci_hcd 22516 0 - Live 0xd00e5000
usb_storage 26412 0 - Live 0xd00ce000
usbcore 76108 4 ohci_hcd,ehci_hcd,usb_storage, Live 0xd00a2000
8139cp 10808 0 - Live 0xd0070000
lm90 7032 0 - Live 0xd0062000
scx200_acb 2288 0 - Live 0xd0055000
cs5535_gpio 1456 0 - Live 0xd004b000
geodewdt 1680 2 - Live 0xd0041000
+ _________________________ /proc/meminfo
+
+ cat /proc/meminfo
MemTotal: 248596 kB
MemFree: 179688 kB
Buffers: 7152 kB
Cached: 25728 kB
SwapCached: 0 kB
Active: 18948 kB
Inactive: 26704 kB
Active(anon): 13064 kB
Inactive(anon): 0 kB
Active(file): 5884 kB
Inactive(file): 26704 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 24 kB
Writeback: 0 kB
AnonPages: 12784 kB
Mapped: 4408 kB
Shmem: 292 kB
Slab: 6884 kB
SReclaimable: 3140 kB
SUnreclaim: 3744 kB
KernelStack: 440 kB
PageTables: 224 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 124296 kB
Committed_AS: 15252 kB
VmallocTotal: 786452 kB
VmallocUsed: 1992 kB
VmallocChunk: 760612 kB
DirectMap4k: 8060 kB
DirectMap4M: 245760 kB
+ _________________________ /proc/net/ipsec-ls
+
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Jun 11 09:16 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Jun 11 09:16 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Jun 11 09:16 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Jun 11 09:16 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Jun 11 09:16 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Jun 11 09:16 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+
+ test -f /proc/config.gz
+ egrep CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM
+ zcat /proc/config.gz
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
# CONFIG_XFRM_STATISTICS is not set
CONFIG_XFRM_IPCOMP=m
CONFIG_NET_KEY=m
# CONFIG_NET_KEY_MIGRATE is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
# CONFIG_INET_LRO is not set
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_IPV6=y
# CONFIG_IPV6_PRIVACY is not set
# CONFIG_IPV6_ROUTER_PREF is not set
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
# CONFIG_INET6_AH is not set
# CONFIG_INET6_ESP is not set
# CONFIG_INET6_IPCOMP is not set
# CONFIG_IPV6_MIP6 is not set
# CONFIG_INET6_XFRM_TUNNEL is not set
# CONFIG_INET6_TUNNEL is not set
# CONFIG_INET6_XFRM_MODE_TRANSPORT is not set
# CONFIG_INET6_XFRM_MODE_TUNNEL is not set
# CONFIG_INET6_XFRM_MODE_BEET is not set
# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
# CONFIG_IPV6_SIT is not set
# CONFIG_IPV6_TUNNEL is not set
# CONFIG_IPV6_MULTIPLE_TABLES is not set
# CONFIG_IPV6_MROUTE is not set
# CONFIG_IP_VS is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_SECURITY=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# CONFIG_IP6_NF_QUEUE is not set
# CONFIG_IP6_NF_IPTABLES is not set
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
CONFIG_IPMI_HANDLER=m
CONFIG_IPMI_PANIC_EVENT=y
# CONFIG_IPMI_PANIC_STRING is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_HW_RANDOM=y
# CONFIG_HW_RANDOM_TIMERIOMEM is not set
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
CONFIG_HW_RANDOM_GEODE=m
CONFIG_HW_RANDOM_VIA=m
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m
CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
CONFIG_CRYPTO_DEV_GEODE=m
# CONFIG_CRYPTO_DEV_HIFN_795X is not set
+ _________________________ etc/syslog.conf
+
+ _________________________ etc/syslog-ng/syslog-ng.conf
+
+ cat /etc/syslog-ng/syslog-ng.conf
cat: can't open '/etc/syslog-ng/syslog-ng.conf': No such file or directory
+ cat /etc/syslog.conf
cat: can't open '/etc/syslog.conf': No such file or directory
+ _________________________ etc/resolv.conf
+
+ cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 202.27.158.40
nameserver 202.37.170.4
+ _________________________ lib/modules-ls
+
+ ls -ltr /lib/modules
drwxr-xr-x 4 root root 325 Jun 10 05:34 2.6.32.9-g9b5a066-dirty
+ _________________________ fipscheck
+
+ cat /proc/sys/crypto/fips_enabled
cat: can't open '/proc/sys/crypto/fips_enabled': No such file or directory
+ _________________________ /proc/ksyms-netif_rx
+
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ echo broken (redhat/fedora) 2.6 kernel without kallsyms
broken (redhat/fedora) 2.6 kernel without kallsyms
+ _________________________ lib/modules-netif_rx
+
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.32.9-g9b5a066-dirty:
+ _________________________ kern.debug
+
+ test -f /var/log/kern.debug
+ _________________________ klog
+
+ cat
+ egrep -i ipsec|klips|pluto
+ sed -n 1,$p /dev/null
+ _________________________ plog
+
+ cat
+ egrep -i pluto
+ sed -n 1,$p /dev/null
+ _________________________ date
+
+ date
Fri Jun 11 09:16:20 UTC 2010