[Openswan Users] Trying to find why ipsec0 tx dropped occurs

David BENTO nd.bento at free.fr
Tue Jun 22 05:38:54 EDT 2010


I attach the result of ipsec barf and the output of the oops when tcpdump was tested
with NAT and rules unloaded.


On Tuesday 22 June 2010 11:18:45, David BENTO wrote:
> Hi,
> 
> I'm testing openswan 2.6.26 (KLIPS) with kernel 2.6.32.15 and I also got tx
> dropped packets.
> When I send a ping from my subnet to the remote, I tcpdump on ipsec0 on my
> gateway, I see the icmp echo packet, then I tcpdump on the remote gateway
> on the internal interface, I see icmp echo/reply packets, and when I try
> to tcpdump ipsec0 on the remote I got an oops.
> 
> ifconfig shows that there are tx_dropped packets on ipsec0.
> 
> > Hi,
> > 
> > I'm having trouble with what appears to be outbound packets being
> > dropped from ipsec0. Incoming packets are fine.
> > 
> > My setup is:
> > 
> > 192.168.18.254/24 <-> 192.168.25.254
> > I am trying to initiate a ping from 192.168.25.254 to 192.168.18.2 (a
> > device on the network, which has its default gateway set to
> > 192.168.18.254).
> > 
> > I can see from the firewall on 192.168.18.254 that the ICMP request
> > from 192.168.25.254 reaches the client (192.168.18.2), and the client
> > sends a response, however the openswan endpoint at 192.168.18.254 is
> > dropping the response from ipsec0 rather than sending it back to
> > 192.168.25.254.
> > 
> > Firewall Logs on 192.168.18.254:
> > ACCEPT:IN=ipsec0 OUT=eth0 SRC=192.168.25.254 DST=192.168.18.2 LEN=84
> > TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=54837
> > SEQ=6 MARK=0xf0014
> > ACCEPT:IN=eth0 OUT=ipsec0 SRC=192.168.18.2 DST=192.168.25.254 LEN=84
> > TOS=0x00 PREC=0x00 TTL=63 ID=112 DF PROTO=ICMP TYPE=0 CODE=0 ID=54837
> > SEQ=6
> > 
> > # ifconfig ipsec0 (see the TX dropped packets)
> > ipsec0    Link encap:Point-to-Point Protocol
> > 
> >           inet addr:94.9.157.10  Mask:255.255.255.255
> >           UP RUNNING NOARP  MTU:16260  Metric:1
> >           RX packets:97 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:0 errors:0 dropped:192 overruns:0 carrier:0
> >           collisions:0 txqueuelen:10
> >           RX bytes:6208 (6.0 KiB)  TX bytes:0 (0.0 B)
> > 
> > Turning klipsdebug on, I see this when I try a different ping - ping
> > 192.168.25.254 (from 192.168.18.254):
> > 
> > # ping 192.168.25.254
> > PING 192.168.25.254 (192.168.25.254): 56 data bytes
> > ping: sendto: Invalid argument
> > # Jun 11 09:37:55 testbox user.info kernel:
> > klips_debug:ipsec_tunnel_hard_header: cannot revector dev=ipsec0
> > op=(null) func=(null)
> > Jun 11 09:37:55 testbox user.info kernel:
> > klips_debug:klips_header_cache: cannot revector dev=ipsec0 op=(null)
> > func=(null)
> > Jun 11 09:37:55 testbox user.info kernel:
> > klips_debug:ipsec_tunnel_hard_header: skb->dev=ipsec0 dev=ipsec0.
> > 
> > I get these same messages regardless of what machine it is initiated
> > on in the 192.168.18.0/24 network. What is causing the packets to be
> > dropped, and more importantly what needs to be changed?
> > 
> > The machine is linux 2.6.32-9, with uClibc and busybox. Perl isn't
> > installed so ipsec verify isn't working.
> > 
> > Your help would be much appreciated,
> > 
> > Thanks,
> > 
> > Mike
> > 
> > barf below:
> > 
> > Jun 11 09:10:59 testbox user.info kernel: klips_info:ipsec_init: KLIPS
> > startup, Openswan KLIPS IPsec stack version: 2.6.26
> > Jun 11 09:10:59 testbox user.warn kernel: registered KLIPS /proc/sys/net
> > Jun 11 09:10:59 testbox user.info kernel: klips_info:ipsec_alg_init:
> > KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
> > Jun 11 09:10:59 testbox user.info kernel: klips_info:ipsec_alg_init:
> > calling ipsec_alg_static_init()
> > Jun 11 09:10:59 testbox user.debug kernel: klips_debug: experimental
> > ipsec_alg_AES_MAC not registered [Ok] (auth_id=0)
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: Using KLIPS IPsec
> > interface code on 2.6.32.9-g9b5a066-dirty
> > Jun 11 09:14:20 testbox user.warn pluto[2204]: "tun1" #5: up-client
> > output: //lib/ipsec/_updown.klips: changesource `ip route change
> > 192.168.25.0/24 dev ipsec0 src 192.168.18.254' failed (RTNETLINK
> > answers: No such file or directory)
> > 
> > Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
> > 118.93.180.109:500: ignoring unknown Vendor ID payload
> > [4f45685e5c537d65727a5053]
> > Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
> > 118.93.180.109:500: received Vendor ID payload [Dead Peer Detection]
> > Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
> > 118.93.180.109:500: received Vendor ID payload [RFC 3947] method set
> > to=109
> > Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
> > 118.93.180.109:500: received Vendor ID payload
> > [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
> > Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
> > 118.93.180.109:500: received Vendor ID payload
> > [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
> > Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
> > 118.93.180.109:500: received Vendor ID payload
> > [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
> > 109
> > Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
> > 118.93.180.109:500: received Vendor ID payload
> > [draft-ietf-ipsec-nat-t-ike-00]
> > Jun 11 08:59:44 testbox user.warn pluto[2844]: packet from
> > 118.93.180.109:500: initial Main Mode message received on
> > 94.11.24.57:500 but no connection has been authorized with policy=PSK
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: Setting NAT-Traversal
> > port-4500 floating to on
> > Jun 11 09:13:01 testbox user.warn pluto[2204]:    port floating
> > activation criteria nat_t=1/port_float=1
> > Jun 11 09:13:01 testbox user.warn pluto[2204]:    NAT-Traversal
> > support  [enabled] [Force KeepAlive]
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: using /dev/urandom as
> > source of random entropy
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: ike_alg_register_enc():
> > Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: ike_alg_register_enc():
> > Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: ike_alg_register_enc():
> > Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: ike_alg_register_enc():
> > Activating OAKLEY_AES_CBC: Ok (ret=0)
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: ike_alg_register_enc():
> > Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> > Jun 11 09:13:01 testbox user.warn pluto[2204]:
> > ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> > Jun 11 09:13:01 testbox user.warn pluto[2204]:
> > ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: no helpers will be
> > started, all cryptographic operations will be done inline
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: Using KLIPS IPsec
> > interface code on 2.6.32.9-g9b5a066-dirty
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: Changed path to
> > directory '/etc/ipsec.d/cacerts'
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: Changed path to
> > directory '/etc/ipsec.d/aacerts'
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: Changed path to
> > directory '/etc/ipsec.d/ocspcerts'
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: Changing to directory
> > '/etc/ipsec.d/crls'
> > Jun 11 09:13:01 testbox user.warn pluto[2204]:   Warning: empty directory
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: listening for IKE messages
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: NAT-Traversal: Trying
> > new style NAT-T
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: adding interface
> > ipsec0/ppp0 94.9.157.10:500
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: adding interface
> > ipsec0/ppp0 94.9.157.10:4500
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: loading secrets from
> > "/etc/ipsec.secrets"
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: added connection
> > description "tun1"
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: "tun1" #1: initiating Main
> > Mode
> > Jun 11 09:13:01 testbox user.warn pluto[2204]: attempt to redefine
> > connection "tun1"
> > Jun 11 09:13:41 testbox user.warn pluto[2204]: "tun1": deleting
> > connection
> > Jun 11 09:13:41 testbox user.warn pluto[2204]: "tun1" #1:
> > deleting state (STATE_MAIN_I1)
> > Jun 11 09:13:41 testbox user.warn pluto[2204]: added connection
> > description "tun1"
> > Jun 11 09:13:41 testbox user.warn pluto[2204]: "tun1" #2: initiating Main
> > Mode
> > Jun 11 09:13:51 testbox user.warn pluto[2204]: "tun1": deleting
> > connection
> > Jun 11 09:13:51 testbox user.warn pluto[2204]: "tun1" #2:
> > deleting state (STATE_MAIN_I1)
> > Jun 11 09:13:51 testbox user.warn pluto[2204]: added connection
> > description "tun1"
> > Jun 11 09:13:51 testbox user.warn pluto[2204]: "tun1" #3: initiating Main
> > Mode
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
> > 118.93.180.109:500: ignoring unknown Vendor ID payload
> > [4f45685e5c537d65727a5053]
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
> > 118.93.180.109:500: received Vendor ID payload [Dead Peer Detection]
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
> > 118.93.180.109:500: received Vendor ID payload [RFC 3947] method set
> > to=109
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
> > 118.93.180.109:500: received Vendor ID payload
> > [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
> > 118.93.180.109:500: received Vendor ID payload
> > [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
> > 118.93.180.109:500: received Vendor ID payload
> > [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
> > 109
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: packet from
> > 118.93.180.109:500: received Vendor ID payload
> > [draft-ietf-ipsec-nat-t-ike-00]
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: "tun1" #4: responding
> > to Main Mode
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: "tun1" #4: transition
> > from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: "tun1" #4:
> > STATE_MAIN_R1: sent MR1, expecting MI2
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: "tun1" #4:
> > NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: "tun1" #4: transition
> > from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > Jun 11 09:14:18 testbox user.warn pluto[2204]: "tun1" #4:
> > STATE_MAIN_R2: sent MR2, expecting MI3
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #4: Main mode
> > peer ID is ID_IPV4_ADDR: '118.93.180.109'
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #4: transition
> > from state STATE_MAIN_R2 to state STATE_MAIN_R3
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #4:
> > STATE_MAIN_R3: sent MR3, ISAKMP SA established
> > {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
> > group=modp1536}
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #4: the peer
> > proposed: 192.168.18.0/24:0/0 -> 192.168.25.0/24:0/0
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #5: responding
> > to Quick Mode proposal {msgid:3f3a872e}
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #5:     us:
> > 192.168.18.0/24===94.9.157.10---89.200.128.42
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #5:   them:
> > 118.93.180.109===192.168.25.0/24
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #5: transition
> > from state STATE_QUICK_R0 to state STATE_QUICK_R1
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #5:
> > STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #4: the peer
> > proposed: 192.168.18.0/24:0/0 -> 192.168.25.0/24:0/0
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #6: responding
> > to Quick Mode proposal {msgid:a677ff3b}
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #6:     us:
> > 192.168.18.0/24===94.9.157.10---89.200.128.42
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #6:   them:
> > 118.93.180.109===192.168.25.0/24
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #6: transition
> > from state STATE_QUICK_R0 to state STATE_QUICK_R1
> > Jun 11 09:14:19 testbox user.warn pluto[2204]: "tun1" #6:
> > STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> > Jun 11 09:14:20 testbox user.warn pluto[2204]: "tun1" #5: up-client
> > output: //lib/ipsec/_updown.klips: changesource `ip route change
> > 192.168.25.0/24 dev ipsec0 src 192.168.18.254' failed (RTNETLINK
> > answers: No such file or directory)
> > Jun 11 09:14:20 testbox user.warn pluto[2204]: "tun1" #5: transition
> > from state STATE_QUICK_R1 to state STATE_QUICK_R2
> > Jun 11 09:14:20 testbox user.warn pluto[2204]: "tun1" #5:
> > STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x71f2403b
> > <0x84d7d90b xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
> > Jun 11 09:14:20 testbox user.warn pluto[2204]: "tun1" #6: transition
> > from state STATE_QUICK_R1 to state STATE_QUICK_R2
> > Jun 11 09:14:20 testbox user.warn pluto[2204]: "tun1" #6:
> > STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x71f2403c
> > <0x84d7d90c xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
> > Jun 11 09:14:21 testbox user.warn pluto[2204]: "tun1" #3: ignoring
> > unknown Vendor ID payload [4f45685e5c537d65727a5053]
> > Jun 11 09:14:21 testbox user.warn pluto[2204]: "tun1" #3: received
> > Vendor ID payload [Dead Peer Detection]
> > Jun 11 09:14:21 testbox user.warn pluto[2204]: "tun1" #3: received
> > Vendor ID payload [RFC 3947] method set to=109
> > Jun 11 09:14:21 testbox user.warn pluto[2204]: "tun1" #3: enabling
> > possible NAT-traversal with method 4
> > Jun 11 09:14:21 testbox user.warn pluto[2204]: "tun1" #3: transition
> > from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > Jun 11 09:14:21 testbox user.warn pluto[2204]: "tun1" #3:
> > STATE_MAIN_I2: sent MI2, expecting MR2
> > Jun 11 09:14:22 testbox user.warn pluto[2204]: "tun1" #3:
> > NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> > Jun 11 09:14:22 testbox user.warn pluto[2204]: "tun1" #3: transition
> > from state STATE_MAIN_I2 to state STATE_MAIN_I3
> > Jun 11 09:14:22 testbox user.warn pluto[2204]: "tun1" #3:
> > STATE_MAIN_I3: sent MI3, expecting MR3
> > Jun 11 09:14:23 testbox user.warn pluto[2204]: "tun1" #3: Main mode
> > peer ID is ID_IPV4_ADDR: '118.93.180.109'
> > Jun 11 09:14:23 testbox user.warn pluto[2204]: "tun1" #3: transition
> > from state STATE_MAIN_I3 to state STATE_MAIN_I4
> > Jun 11 09:14:23 testbox user.warn pluto[2204]: "tun1" #3:
> > STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> > cipher=aes_128 prf=oakley_sha group=modp2048}
> > Jun 11 09:14:23 testbox user.warn pluto[2204]: "tun1" #7: initiating
> > Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3 msgid:68db6fa1
> > proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
> > Jun 11 09:14:23 testbox user.warn pluto[2204]: "tun1" #7: transition
> > from state STATE_QUICK_I1 to state STATE_QUICK_I2
> > Jun 11 09:14:23 testbox user.warn pluto[2204]: "tun1" #7:
> > STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> > {ESP=>0x71f2403d <0x84d7d90d xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none
> > DPD=none}
> > Jun 11 09:14:15 testbox user.warn pluto[2204]: time moved backwards 8
> > seconds
> > 
> > 
> > testbox
> > Fri Jun 11 09:16:10 UTC 2010
> > + _________________________ version
> > +
> > + ipsec --version
> > Linux Openswan 2.6.26 (klips)
> > See `ipsec --copyright' for copyright information.
> > + _________________________ /proc/version
> > +
> > + cat /proc/version
> > Linux version 2.6.32.9-g9b5a066-dirty (test at test) (gcc version 4.4.4
> > (Buildroot 2010.05) ) #3 Thu Jun 10 17:03:30 UTC 2010
> > + _________________________ /proc/net/ipsec_eroute
> > +
> > + test -r /proc/net/ipsec_eroute
> > + sort -sg -k 3 /proc/net/ipsec_eroute
> > 0          192.168.18.0/24    -> 192.168.25.0/24    => tun0x1005 at 118.93.180.109
> > + _________________________ netstat-rn
> > +
> > + head -n 100
> > + netstat -nr
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > 89.200.128.42   0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
> > 89.200.128.42   0.0.0.0         255.255.255.255 UH        0 0          0 ipsec0
> > 192.168.36.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
> > 192.168.18.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
> > 192.168.18.0    0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
> > 192.168.25.0    89.200.128.42   255.255.255.0   UG        0 0          0 ipsec0
> > 127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
> > 0.0.0.0         89.200.128.42   0.0.0.0         UG        0 0          0 ppp0
> > + _________________________ /proc/net/ipsec_spi
> > +
> > + test -r /proc/net/ipsec_spi
> > + cat /proc/net/ipsec_spi
> > esp0x71f2403d at 118.93.180.109 ESP_3DES_HMAC_MD5: dir=out
> > src=94.9.157.10 iv_bits=64bits iv=0x9b32fd94b9f6b1ac ooowin=64
> > alen=128 aklen=128 eklen=192
> > life(c,s,h)=addtime(18446744073705256780,0,0) natencap=none natsport=0
> > natdport=0 refcount=3 ref=10 refhim=0
> > esp0x71f2403c at 118.93.180.109 ESP_3DES_HMAC_MD5: dir=out
> > src=94.9.157.10 iv_bits=64bits iv=0x722e0e62f025769e ooowin=64
> > alen=128 aklen=128 eklen=192
> > life(c,s,h)=addtime(18446744073705256783,0,0) natencap=none natsport=0
> > natdport=0 refcount=3 ref=6 refhim=0
> > esp0x71f2403b at 118.93.180.109 ESP_3DES_HMAC_MD5: dir=out
> > src=94.9.157.10 iv_bits=64bits iv=0x11cf4e3eee71cd74 ooowin=64
> > alen=128 aklen=128 eklen=192
> > life(c,s,h)=addtime(18446744073705256783,0,0) natencap=none natsport=0
> > natdport=0 refcount=3 ref=2 refhim=0
> > tun0x1005 at 118.93.180.109 IPIP: dir=out src=94.9.157.10
> > life(c,s,h)=addtime(18446744073705256780,0,0) natencap=none natsport=0
> > natdport=0 refcount=3 ref=9 refhim=0
> > tun0x1003 at 118.93.180.109 IPIP: dir=out src=94.9.157.10
> > life(c,s,h)=addtime(18446744073705256783,0,0) natencap=none natsport=0
> > natdport=0 refcount=3 ref=5 refhim=0
> > tun0x1001 at 118.93.180.109 IPIP: dir=out src=94.9.157.10
> > life(c,s,h)=addtime(18446744073705256783,0,0) natencap=none natsport=0
> > natdport=0 refcount=3 ref=1 refhim=0
> > esp0x84d7d90d at 94.9.157.10 ESP_3DES_HMAC_MD5: dir=in
> > src=118.93.180.109 iv_bits=64bits iv=0xd80c954a83fae6a2 ooowin=64
> > seq=84 bit=0xffffffffffffffff alen=128 aklen=128 eklen=192
> > life(c,s,h)=bytes(7056,0,0)addtime(18446744073705256780,0,0)usetime(18446744073705256779,0,0)packets(84,0,0)
> > idle=19 natencap=none natsport=0 natdport=0 refcount=3 ref=12 refhim=9
> > esp0x84d7d90c at 94.9.157.10 ESP_3DES_HMAC_MD5: dir=in
> > src=118.93.180.109 iv_bits=64bits iv=0x693297db55b20b22 ooowin=64
> > seq=4 bit=0xf alen=128 aklen=128 eklen=192
> > life(c,s,h)=bytes(336,0,0)addtime(18446744073705256783,0,0)usetime(18446744073705256783,0,0)packets(4,0,0)
> > idle=-4294836 natencap=none natsport=0 natdport=0 refcount=3 ref=8 refhim=5
> > esp0x84d7d90b at 94.9.157.10 ESP_3DES_HMAC_MD5: dir=in
> > src=118.93.180.109 iv_bits=64bits iv=0xa56001251e6afdd2 ooowin=64
> > alen=128 aklen=128 eklen=192
> > life(c,s,h)=addtime(18446744073705256783,0,0) natencap=none natsport=0
> > natdport=0 refcount=3 ref=4 refhim=1
> > tun0x1006 at 94.9.157.10 IPIP: dir=in  src=118.93.180.109
> > policy=192.168.25.0/24->192.168.18.0/24 flags=0x8<>
> > life(c,s,h)=bytes(7056,0,0)addtime(18446744073705256780,0,0)usetime(18446744073705256779,0,0)packets(84,0,0)
> > idle=19 natencap=none natsport=0 natdport=0 refcount=3 ref=11 refhim=9
> > tun0x1004 at 94.9.157.10 IPIP: dir=in  src=118.93.180.109
> > policy=192.168.25.0/24->192.168.18.0/24 flags=0x8<>
> > life(c,s,h)=bytes(336,0,0)addtime(18446744073705256783,0,0)usetime(18446744073705256783,0,0)packets(4,0,0)
> > idle=-4294836 natencap=none natsport=0 natdport=0 refcount=3 ref=7 refhim=5
> > tun0x1002 at 94.9.157.10 IPIP: dir=in  src=118.93.180.109
> > policy=192.168.25.0/24->192.168.18.0/24 flags=0x8<>
> > life(c,s,h)=addtime(18446744073705256783,0,0) natencap=none natsport=0
> > natdport=0 refcount=3 ref=3 refhim=1
> > + _________________________ /proc/net/ipsec_spigrp
> > +
> > + test -r /proc/net/ipsec_spigrp
> > + cat /proc/net/ipsec_spigrp
> > esp0x71f2403d at 118.93.180.109
> > esp0x71f2403c at 118.93.180.109
> > esp0x71f2403b at 118.93.180.109
> > tun0x1005 at 118.93.180.109 esp0x71f2403d at 118.93.180.109
> > tun0x1003 at 118.93.180.109 esp0x71f2403c at 118.93.180.109
> > tun0x1001 at 118.93.180.109 esp0x71f2403b at 118.93.180.109
> > esp0x84d7d90d at 94.9.157.10 tun0x1006 at 94.9.157.10
> > esp0x84d7d90c at 94.9.157.10 tun0x1004 at 94.9.157.10
> > esp0x84d7d90b at 94.9.157.10 tun0x1002 at 94.9.157.10
> > tun0x1006 at 94.9.157.10
> > tun0x1004 at 94.9.157.10
> > tun0x1002 at 94.9.157.10
> > + _________________________ /proc/net/ipsec_tncfg
> > +
> > + test -r /proc/net/ipsec_tncfg
> > + cat /proc/net/ipsec_tncfg
> > ipsec0 -> ppp0 mtu=16260(1500) -> 1500
> > ipsec1 -> NULL mtu=0(0) -> 0
> > + _________________________ /proc/net/pfkey
> > +
> > + test -r /proc/net/pfkey
> > + _________________________ /proc/crypto
> > +
> > + test -r /proc/crypto
> > + cat /proc/crypto
> > name         : cbc(aes)
> > driver       : cbc-aes-geode
> > module       : geode_aes
> > priority     : 400
> > refcnt       : 1
> > selftest     : passed
> > type         : blkcipher
> > blocksize    : 16
> > min keysize  : 16
> > max keysize  : 32
> > ivsize       : 16
> > geniv        : <default>
> > 
> > name         : ecb(aes)
> > driver       : ecb(geode-aes)
> > module       : ecb
> > priority     : 300
> > refcnt       : 1
> > selftest     : passed
> > type         : blkcipher
> > blocksize    : 16
> > min keysize  : 16
> > max keysize  : 32
> > ivsize       : 0
> > geniv        : <default>
> > 
> > name         : ecb(aes)
> > driver       : ecb-aes-geode
> > module       : geode_aes
> > priority     : 400
> > refcnt       : 1
> > selftest     : passed
> > type         : blkcipher
> > blocksize    : 16
> > min keysize  : 16
> > max keysize  : 32
> > ivsize       : 0
> > geniv        : <default>
> > 
> > name         : aes
> > driver       : aes-asm
> > module       : aes_i586
> > priority     : 200
> > refcnt       : 1
> > selftest     : passed
> > type         : cipher
> > blocksize    : 16
> > min keysize  : 16
> > max keysize  : 32
> > 
> > name         : aes
> > driver       : aes-generic
> > module       : aes_generic
> > priority     : 100
> > refcnt       : 1
> > selftest     : passed
> > type         : cipher
> > blocksize    : 16
> > min keysize  : 16
> > max keysize  : 32
> > 
> > name         : aes
> > driver       : geode-aes
> > module       : geode_aes
> > priority     : 300
> > refcnt       : 1
> > selftest     : passed
> > type         : cipher
> > blocksize    : 16
> > min keysize  : 16
> > max keysize  : 32
> > 
> > name         : sha1
> > driver       : sha1-generic
> > module       : sha1_generic
> > priority     : 0
> > refcnt       : 1
> > selftest     : passed
> > type         : shash
> > blocksize    : 64
> > digestsize   : 20
> > 
> > name         : ecb(arc4)
> > driver       : ecb(arc4-generic)
> > module       : ecb
> > priority     : 0
> > refcnt       : 1
> > selftest     : passed
> > type         : blkcipher
> > blocksize    : 1
> > min keysize  : 1
> > max keysize  : 256
> > ivsize       : 0
> > geniv        : <default>
> > 
> > name         : arc4
> > driver       : arc4-generic
> > module       : arc4
> > priority     : 0
> > refcnt       : 1
> > selftest     : passed
> > type         : cipher
> > blocksize    : 1
> > min keysize  : 1
> > max keysize  : 256
> > 
> > name         : stdrng
> > driver       : krng
> > module       : kernel
> > priority     : 200
> > refcnt       : 1
> > selftest     : passed
> > type         : rng
> > seedsize     : 0
> > 
> > + __________________________/proc/sys/net/core/xfrm-star
> > //libexec/ipsec/barf: line 1:
> > __________________________/proc/sys/net/core/xfrm-star: not found
> > + echo -n /proc/sys/net/core/xfrm_acq_expires:
> > /proc/sys/net/core/xfrm_acq_expires: + cat
> > /proc/sys/net/core/xfrm_acq_expires
> > 30
> > + echo -n /proc/sys/net/core/xfrm_aevent_etime:
> > /proc/sys/net/core/xfrm_aevent_etime: + cat
> > /proc/sys/net/core/xfrm_aevent_etime
> > 10
> > + echo -n /proc/sys/net/core/xfrm_aevent_rseqth:
> > /proc/sys/net/core/xfrm_aevent_rseqth: + cat
> > /proc/sys/net/core/xfrm_aevent_rseqth
> > 2
> > + echo -n /proc/sys/net/core/xfrm_larval_drop:
> > /proc/sys/net/core/xfrm_larval_drop: + cat
> > /proc/sys/net/core/xfrm_larval_drop
> > 1
> > + _________________________ /proc/sys/net/ipsec-star
> > +
> > + test -d /proc/sys/net/ipsec
> > + cd /proc/sys/net/ipsec
> > + egrep ^ debug_ah debug_eroute debug_esp debug_ipcomp debug_mast
> > debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel
> > debug_verbose debug_xform debug_xmit icmp inbound_policy_check
> > pfkey_lossage tos
> > debug_ah:0
> > debug_eroute:0
> > debug_esp:0
> > debug_ipcomp:0
> > debug_mast:0
> > debug_netlink:0
> > debug_pfkey:0
> > debug_radij:0
> > debug_rcv:0
> > debug_spi:0
> > debug_tunnel:0
> > debug_verbose:0
> > debug_xform:0
> > debug_xmit:0
> > icmp:1
> > inbound_policy_check:1
> > pfkey_lossage:0
> > tos:1
> > + _________________________ ipsec/status
> > +
> > + ipsec auto --status
> > 000 using kernel interface: klips
> > 000 interface ipsec0/ppp0 94.9.157.10
> > 000 interface ipsec0/ppp0 94.9.157.10
> > 000 %myid = (none)
> > 000 debug none
> > 000
> > 000 virtual_private (%priv):
> > 000 - allowed 0 subnets:
> > 000 - disallowed 0 subnets:
> > 000 WARNING: Either virtual_private= was not specified, or there was a syntax
> > 000          error in that line. 'left/rightsubnet=%priv' will not work!
> > 000
> > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
> > keysizemin=192, keysizemax=192
> > 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> > keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> > keysizemin=160, keysizemax=160
> > 000
> > 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC,
> > blocksize=8, keydeflen=128
> > 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> > keydeflen=192
> > 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> > keydeflen=128
> > 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,
> > blocksize=16, keydeflen=128
> > 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,
> > blocksize=16, keydeflen=128
> > 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
> > blocksize=16, keydeflen=128
> > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> > 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> > 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> > 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> > 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> > 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> > 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> > 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> > 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> > 000
> > 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,4,36}
> > trans={0,4,72} attrs={0,4,96}
> > 000
> > 000 "tun1":
> > 192.168.18.0/24===94.9.157.10---89.200.128.42...118.93.180.109===192.168.25.0/24;
> > erouted; eroute owner: #7
> > 000 "tun1":     myip=192.168.18.254; hisip=unset;
> > myup=/lib/ipsec/_updown; hisup=/lib/ipsec/_updown;
> > 000 "tun1":   ike_life: 14400s; ipsec_life: 10800s; rekey_margin:
> > 540s; rekey_fuzz: 100%; keyingtries: 5
> > 000 "tun1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface:
> > ppp0;
> > 000 "tun1":   newest ISAKMP SA: #3; newest IPsec SA: #7;
> > 000 "tun1":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
> > 000 "tun1":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000;
> > pfsgroup=MODP1024(2); flags=-strict
> > 000 "tun1":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
> > 000 "tun1":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=MODP1024
> > 000
> > 000 #6: "tun1":500 STATE_QUICK_R2 (IPsec SA established);
> > EVENT_SA_REPLACE in 10412s; isakmp#4; idle; import:not set
> > 000 #6: "tun1" esp.71f2403c at 118.93.180.109 esp.84d7d90c at 94.9.157.10
> > tun.1003 at 118.93.180.109 tun.1004 at 94.9.157.10 ref=7 refhim=5
> > 000 #5: "tun1":500 STATE_QUICK_R2 (IPsec SA established);
> > EVENT_SA_REPLACE in 10412s; isakmp#4; idle; import:not set
> > 000 #5: "tun1" esp.71f2403b at 118.93.180.109 esp.84d7d90b at 94.9.157.10
> > tun.1001 at 118.93.180.109 tun.1002 at 94.9.157.10 ref=3 refhim=1
> > 000 #4: "tun1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
> > EVENT_SA_REPLACE in 14011s; lastdpd=-1s(seq in:0 out:0); idle;
> > import:not set
> > 000 #7: "tun1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
> > EVENT_SA_REPLACE in 9728s; newest IPSEC; eroute owner; isakmp#3; idle;
> > import:admin initiate
> > 000 #7: "tun1" esp.71f2403d at 118.93.180.109 esp.84d7d90d at 94.9.157.10
> > tun.1005 at 118.93.180.109 tun.1006 at 94.9.157.10 ref=11 refhim=9
> > 000 #3: "tun1":500 STATE_MAIN_I4 (ISAKMP SA established);
> > EVENT_SA_REPLACE in 13505s; newest ISAKMP; lastdpd=-1s(seq in:0
> > out:0); idle; import:admin initiate
> > 000
> > + _________________________ ifconfig-a
> > +
> > + ifconfig -a
> > eth0      Link encap:Ethernet  HWaddr 00:0A:FA:22:00:40
> >           inet addr:192.168.18.254  Bcast:192.168.18.255  Mask:255.255.255.0
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:1801 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:1184 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:237632 (232.0 KiB)  TX bytes:512692 (500.6 KiB)
> >           Interrupt:10 Base address:0x8000
> > 
> > eth1      Link encap:Ethernet  HWaddr 00:0A:FA:22:00:41
> >           inet addr:192.168.36.254  Bcast:192.168.36.255  Mask:255.255.255.0
> >           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >           Interrupt:11 Base address:0xc100
> > 
> > ipsec0    Link encap:Point-to-Point Protocol
> > 
> >           inet addr:94.9.157.10  Mask:255.255.255.255
> >           UP RUNNING NOARP  MTU:16260  Metric:1
> >           RX packets:88 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:0 errors:0 dropped:174 overruns:0 carrier:0
> >           collisions:0 txqueuelen:10
> >           RX bytes:5632 (5.5 KiB)  TX bytes:0 (0.0 B)
> > 
> > ipsec1    Link encap:UNSPEC  HWaddr
> > 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> > 
> >           NOARP  MTU:0  Metric:1
> >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:10
> >           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> > 
> > lo        Link encap:Local Loopback
> > 
> >           inet addr:127.0.0.1  Mask:255.0.0.0
> >           inet6 addr: ::1/128 Scope:Host
> >           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >           RX packets:186 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:186 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:0
> >           RX bytes:41317 (40.3 KiB)  TX bytes:41317 (40.3 KiB)
> > 
> > mast0     Link encap:UNSPEC  HWaddr
> > 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> > 
> >           NOARP  MTU:0  Metric:1
> >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:10
> >           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> > 
> > ppp0      Link encap:Point-to-Point Protocol
> > 
> >           inet addr:94.9.157.10  P-t-P:89.200.128.42 
> >           Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST 
> >           MTU:1500  Metric:1 RX packets:1288 errors:0 dropped:0
> >           overruns:0 frame:0
> >           TX packets:1349 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:100
> >           RX bytes:488772 (477.3 KiB)  TX bytes:206346 (201.5 KiB)
> > 
> > + _________________________ ip-addr-list
> > +
> > + ip addr list
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 scope host lo
> >     inet6 ::1/128 scope host
> >        valid_lft forever preferred_lft forever
> > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
> >     link/ether 00:0a:fa:22:00:40 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.18.254/24 brd 192.168.18.255 scope global eth0
> > 3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
> >     link/ether 00:0a:fa:22:00:41 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.36.254/24 brd 192.168.36.255 scope global eth1
> > 4: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast state UNKNOWN qlen 10
> >     link/ppp
> >     inet 94.9.157.10 peer 89.200.128.42/32 scope global ipsec0
> >     inet 192.168.18.254/24 scope global ipsec0
> > 5: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
> >     link/void
> > 6: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
> >     link/[65534]
> > 8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN qlen 100
> >     link/ppp
> >     inet 94.9.157.10 peer 89.200.128.42/32 scope global ppp0
> > 
> > + _________________________ ip-route-list
> > +
> > + ip route list
> > 89.200.128.42 dev ppp0  proto kernel  scope link  src 94.9.157.10
> > 89.200.128.42 dev ipsec0  proto kernel  scope link  src 94.9.157.10
> > 192.168.36.0/24 dev eth1  scope link  src 192.168.36.254
> > 192.168.18.0/24 dev eth0  scope link  src 192.168.18.254
> > 192.168.18.0/24 dev ipsec0  proto kernel  scope link  src 192.168.18.254
> > 192.168.25.0/24 via 89.200.128.42 dev ipsec0  src 192.168.18.254
> > 127.0.0.0/8 dev lo  scope link
> > default via 89.200.128.42 dev ppp0  src 94.9.157.10
> > + _________________________ ip-rule-list
> > +
> > + ip rule list
> > 0:	from all lookup local
> > 32766:	from all lookup main
> > 32767:	from all lookup default
> > + _________________________ ipsec_verify
> > +
> > + ipsec verify --nocolour
> > //sbin/ipsec: exec: line 142: //libexec/ipsec/verify: not found
> > + _________________________ mii-tool
> > +
> > + [ -x /sbin/mii-tool ]
> > + [ -x /usr/sbin/mii-tool ]
> > + mii-tool -v
> > //libexec/ipsec/barf: line 1: mii-tool: not found
> > + _________________________ ipsec/directory
> > +
> > + ipsec --directory
> > //lib/ipsec
> > + _________________________ hostname/fqdn
> > +
> > + hostname --fqdn
> > hostname: testbox: Unknown host
> > + _________________________ hostname/ipaddress
> > +
> > + hostname --ip-address
> > hostname: unrecognized option `--ip-address'
> > BusyBox v1.16.1 (2010-06-09 14:37:31 UTC) multi-call binary.
> > 
> > Usage: hostname [OPTIONS] [HOSTNAME | -F FILE]
> > 
> > Get or set hostname or DNS domain name
> > 
> > Options:
> > 	-s	Short
> > 	-i	Addresses for the hostname
> > 	-d	DNS domain name
> > 	-f	Fully qualified domain name
> > 	-F FILE	Use FILE's content as hostname
> > 
> > + _________________________ uptime
> > +
> > + uptime
> > 
> >  09:16:20 up 5 min, load average: 0.05, 0.10, 0.04
> > 
> > + _________________________ ps
> > +
> > + egrep -i ppid|pluto|ipsec|klips
> > + ps alxwf
> > ps: invalid option -- a
> > BusyBox v1.16.1 (2010-06-09 14:37:31 UTC) multi-call binary.
> > 
> > corrected ps output:
> >  2204 root      1832 S    /libexec/ipsec/pluto
> > 
> > --secretsfile=/etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-klips
> > --uniqueid --no
> > 
> >  2207 root       440 S    _pluto_adns
> > 
> > + _________________________ ipsec/showdefaults
> > +
> > + ipsec showdefaults
> > ipsec showdefaults: cannot find defaults file `/var/run/pluto/ipsec.info'
> > + _________________________ ipsec/conf
> > +
> > + ipsec _keycensor
> > + ipsec _include /etc/ipsec.conf
> > + _________________________ ipsec/secrets
> > +
> > + ipsec _secretcensor
> > + ipsec _include /etc/ipsec.secrets
> > 
> > #< /etc/ipsec.secrets 1
> > 94.9.157.10 118.93.180.109	: PSK "[sums to d5d5...]"
> > + _________________________ ipsec/listall
> > +
> > + ipsec auto --listall
> > 000
> > 000 List of Public Keys:
> > 000
> > 000 List of Pre-shared secrets (from /etc/ipsec.secrets)
> > 000     1: PSK 118.93.180.109 94.9.157.10
> > + [ /etc/ipsec.d/policies ]
> > + basename /etc/ipsec.d/policies/block
> > + base=block
> > + _________________________ ipsec/policies/block
> > +
> > + cat /etc/ipsec.d/policies/block
> > # This file defines the set of CIDRs (network/mask-length) to which
> > # communication should never be allowed.
> > #
> > # See //share/doc/openswan/policygroups.html for details.
> > #
> > # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> > #
> > 
> > + basename /etc/ipsec.d/policies/clear
> > + base=clear
> > + _________________________ ipsec/policies/clear
> > +
> > + cat /etc/ipsec.d/policies/clear
> > # This file defines the set of CIDRs (network/mask-length) to which
> > # communication should always be in the clear.
> > #
> > # See //share/doc/openswan/policygroups.html for details.
> > #
> > 
> > # root name servers should be in the clear
> > 192.58.128.30/32
> > 198.41.0.4/32
> > 192.228.79.201/32
> > 192.33.4.12/32
> > 128.8.10.90/32
> > 192.203.230.10/32
> > 192.5.5.241/32
> > 192.112.36.4/32
> > 128.63.2.53/32
> > 192.36.148.17/32
> > 193.0.14.129/32
> > 199.7.83.42/32
> > 202.12.27.33/32
> > + basename /etc/ipsec.d/policies/clear-or-private
> > + base=clear-or-private
> > + _________________________ ipsec/policies/clear-or-private
> > +
> > + cat /etc/ipsec.d/policies/clear-or-private
> > # This file defines the set of CIDRs (network/mask-length) to which
> > # we will communicate in the clear, or, if the other side initiates IPSEC,
> > # using encryption.  This behaviour is also called "Opportunistic Responder".
> > #
> > # See //share/doc/openswan/policygroups.html for details.
> > #
> > # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> > #
> > + basename /etc/ipsec.d/policies/private
> > + base=private
> > + _________________________ ipsec/policies/private
> > +
> > + cat /etc/ipsec.d/policies/private
> > # This file defines the set of CIDRs (network/mask-length) to which
> > # communication should always be private (i.e. encrypted).
> > # See //share/doc/openswan/policygroups.html for details.
> > #
> > # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> > #
> > + basename /etc/ipsec.d/policies/private-or-clear
> > + base=private-or-clear
> > + _________________________ ipsec/policies/private-or-clear
> > +
> > + cat /etc/ipsec.d/policies/private-or-clear
> > # This file defines the set of CIDRs (network/mask-length) to which
> > # communication should be private, if possible, but in the clear otherwise.
> > #
> > # If the target has a TXT (later IPSECKEY) record that specifies
> > # authentication material, we will require private (i.e. encrypted)
> > # communications.  If no such record is found, communications will be
> > # in the clear.
> > #
> > # See //share/doc/openswan/policygroups.html for details.
> > #
> > # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
> > #
> > 
> > 0.0.0.0/0
> > + _________________________ ipsec/ls-libdir
> > +
> > + ls -l //lib/ipsec
> > -rwxr-xr-x    1 root     root          4428 Jun 10 05:35 _copyright
> > -rwxr-xr-x    1 root     root          2379 Jun 10 02:21 _include
> > -rwxr-xr-x    1 root     root          1475 Jun 10 02:21 _keycensor
> > -rwxr-xr-x    1 root     root          2632 Jun 10 02:21 _plutoload
> > -rwxr-xr-x    1 root     root          8203 Jun 10 02:21 _plutorun
> > -rwxr-xr-x    1 root     root         12952 Jun 10 02:21 _realsetup
> > -rwxr-xr-x    1 root     root          1975 Jun 10 02:21 _secretcensor
> > -rwxr-xr-x    1 root     root          9277 Jun 10 02:21 _startklips
> > -rwxr-xr-x    1 root     root          6042 Jun 10 02:22 _startnetkey
> > -rwxr-xr-x    1 root     root          4859 Jun 10 02:21 _updown
> > -rwxr-xr-x    1 root     root         16182 Jun 10 02:21 _updown.klips
> > -rwxr-xr-x    1 root     root         13909 Jun 10 02:22 _updown.mast
> > -rwxr-xr-x    1 root     root         10951 Jun 10 02:22 _updown.netkey
> > + _________________________ ipsec/ls-execdir
> > +
> > + ls -l //libexec/ipsec
> > -rwxr-xr-x    1 root     root          8140 Jun 10 05:35 _pluto_adns
> > -rwxr-xr-x    1 root     root          8140 Jun 10 05:35 _pluto_adns.old
> > -rwxr-xr-x    1 root     root        167076 Jun 10 05:35 addconn
> > -rwxr-xr-x    1 root     root        167076 Jun 10 05:35 addconn.old
> > -rwxr-xr-x    1 root     root          6015 Jun 10 02:21 auto
> > -rwxr-xr-x    1 root     root         10828 Jun 10 02:21 barf
> > -rwxr-xr-x    1 root     root         81756 Jun 10 05:35 eroute
> > -rwxr-xr-x    1 root     root         17956 Jun 10 05:35 ikeping
> > -rwxr-xr-x    1 root     root         65212 Jun 10 05:35 klipsdebug
> > -rwxr-xr-x    1 root     root          2591 Jun 10 02:21 look
> > -rwxr-xr-x    1 root     root          2182 Jun 10 02:21 newhostkey
> > -rwxr-xr-x    1 root     root         56380 Jun 10 05:35 pf_key
> > -rwxr-xr-x    1 root     root        924784 Jun 10 05:35 pluto
> > -rwxr-xr-x    1 root     root        924784 Jun 10 05:35 pluto.old
> > -rwxr-xr-x    1 root     root          6600 Jun 10 05:35 ranbits
> > -rwxr-xr-x    1 root     root         18552 Jun 10 05:35 rsasigkey
> > -rwxr-xr-x    1 root     root           766 Jun 10 02:21 secrets
> > lrwxrwxrwx    1 root     root            17 Jun 10 02:21 setup ->
> > /etc/init.d/ipsec
> > -rwxr-xr-x    1 root     root          1054 Jun 10 02:21 showdefaults
> > -rwxr-xr-x    1 root     root        234700 Jun 10 05:35 showhostkey
> > -rwxr-xr-x    1 root     root         18512 Jun 10 05:35 showpolicy
> > -rwxr-xr-x    1 root     root         18512 Jun 10 05:35 showpolicy.old
> > -rwxr-xr-x    1 root     root        130972 Jun 10 05:35 spi
> > -rwxr-xr-x    1 root     root         72940 Jun 10 05:35 spigrp
> > -rwxr-xr-x    1 root     root         64476 Jun 10 05:35 tncfg
> > -rwxr-xr-x    1 root     root         13460 Jun 10 02:21 verify
> > -rwxr-xr-x    1 root     root         48080 Jun 10 05:35 whack
> > -rwxr-xr-x    1 root     root         48080 Jun 10 05:35 whack.old
> > + _________________________ /proc/net/dev
> > +
> > + cat /proc/net/dev
> > Inter-|   Receive                                                |  Transmit
> >  face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
> >     lo:   41455     188    0    0    0     0          0         0    41455     188    0    0    0     0       0          0
> >   eth0:  238581    1812    0    0    0     0          0         0   519266    1193    0    0    0     0       0          0
> >   eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
> > ipsec0:    5632      88    0    0    0     0          0         0        0       0    0  174    0     0       0          0
> > ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
> >  mast0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
> >   ppp0:  488978    1290    0    0    0     0          0         0   206477    1351    0    0    0     0       0          0
> > + _________________________ /proc/net/route
> > +
> > + cat /proc/net/route
> > Iface	Destination	Gateway	Flags	RefCnt	Use	Metric	Mask		MTU	Window	IRTT
> > ppp0	2A80C859	00000000	0005	0	0	0	FFFFFFFF	0	0	0
> > ipsec0	2A80C859	00000000	0005	0	0	0	FFFFFFFF	0	0	0
> > eth1	0024A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0
> > eth0	0012A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0
> > ipsec0	0012A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0
> > ipsec0	0019A8C0	2A80C859	0003	0	0	0	00FFFFFF	0	0	0
> > lo	0000007F	00000000	0001	0	0	0	000000FF	0	0	0
> > ppp0	00000000	2A80C859	0003	0	0	0	00000000	0	0	0
> > + _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
> > +
> > + cat /proc/sys/net/ipv4/ip_no_pmtu_disc
> > 0
> > + _________________________ /proc/sys/net/ipv4/ip_forward
> > +
> > + cat /proc/sys/net/ipv4/ip_forward
> > 1
> > + _________________________ /proc/sys/net/ipv4/tcp_ecn
> > +
> > + cat /proc/sys/net/ipv4/tcp_ecn
> > 0
> > + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
> > +
> > + cd /proc/sys/net/ipv4/conf
> > + egrep ^ all/rp_filter default/rp_filter eth0/rp_filter
> > eth1/rp_filter ipsec0/rp_filter ipsec1/rp_filter lo/rp_filter
> > mast0/rp_filter ppp0/rp_filter
> > all/rp_filter:1
> > default/rp_filter:0
> > eth0/rp_filter:0
> > eth1/rp_filter:0
> > ipsec0/rp_filter:0
> > ipsec1/rp_filter:0
> > lo/rp_filter:0
> > mast0/rp_filter:0
> > ppp0/rp_filter:0
> > + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
> > +
> > + cd /proc/sys/net/ipv4/conf
> > + egrep ^ all/accept_redirects all/secure_redirects all/send_redirects
> > default/accept_redirects default/secure_redirects
> > default/send_redirects eth0/accept_redirects eth0/secure_redirects
> > eth0/send_redirects eth1/accept_redirects eth1/secure_redirects
> > eth1/send_redirects ipsec0/accept_redirects ipsec0/secure_redirects
> > ipsec0/send_redirects ipsec1/accept_redirects ipsec1/secure_redirects
> > ipsec1/send_redirects lo/accept_redirects lo/secure_redirects
> > lo/send_redirects mast0/accept_redirects mast0/secure_redirects
> > mast0/send_redirects ppp0/accept_redirects ppp0/secure_redirects
> > ppp0/send_redirects
> > all/accept_redirects:0
> > all/secure_redirects:1
> > all/send_redirects:1
> > default/accept_redirects:1
> > default/secure_redirects:1
> > default/send_redirects:1
> > eth0/accept_redirects:1
> > eth0/secure_redirects:1
> > eth0/send_redirects:1
> > eth1/accept_redirects:1
> > eth1/secure_redirects:1
> > eth1/send_redirects:1
> > ipsec0/accept_redirects:1
> > ipsec0/secure_redirects:1
> > ipsec0/send_redirects:1
> > ipsec1/accept_redirects:1
> > ipsec1/secure_redirects:1
> > ipsec1/send_redirects:1
> > lo/accept_redirects:1
> > lo/secure_redirects:1
> > lo/send_redirects:1
> > mast0/accept_redirects:1
> > mast0/secure_redirects:1
> > mast0/send_redirects:1
> > ppp0/accept_redirects:1
> > ppp0/secure_redirects:1
> > ppp0/send_redirects:1
> > + _________________________ /proc/sys/net/ipv4/tcp_window_scaling
> > +
> > + cat /proc/sys/net/ipv4/tcp_window_scaling
> > 0
> > + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
> > +
> > + cat /proc/sys/net/ipv4/tcp_adv_win_scale
> > 2
> > + _________________________ uname-a
> > +
> > + uname -a
> > Linux testbox 2.6.32.9-g9b5a066-dirty #3 Thu Jun 10 17:03:30 UTC 2010
> > i586 GNU/Linux
> > + _________________________ config-built-with
> > +
> > + test -r /proc/config_built_with
> > + _________________________ distro-release
> > +
> > + test -f /etc/redhat-release
> > + test -f /etc/debian-release
> > + test -f /etc/SuSE-release
> > + test -f /etc/mandrake-release
> > + test -f /etc/mandriva-release
> > + test -f /etc/gentoo-release
> > + _________________________ /proc/net/ipsec_version
> > +
> > + test -r /proc/net/ipsec_version
> > + cat /proc/net/ipsec_version
> > Openswan version: 2.6.26
> > + _________________________ iptables
> > +
> > + test -r /sbin/iptables
> > [output removed]
> > Packets are definitely being accepted by firewall
> > 
> > + _________________________ /proc/modules
> > +
> > + test -f /proc/modules
> > + cat /proc/modules
> > xt_TCPMSS 1524 4 - Live 0xd0a5e000
> > cls_fw 2336 7 - Live 0xd076e000
> > sch_sfq 3348 7 - Live 0xd0764000
> > sch_htb 9468 1 - Live 0xd0758000
> > ipt_REJECT 1304 2 - Live 0xd06df000
> > xt_DSCP 1192 14 - Live 0xd0681000
> > ipt_LOG 3512 15 - Live 0xd05ab000
> > xt_state 688 11 - Live 0xd05a1000
> > ipsec 299172 2 - Live 0xd0539000
> > aes_i586 6524 0 - Live 0xd04d1000
> > aes_generic 25432 1 aes_i586, Live 0xd04b8000
> > geode_aes 3072 0 - Live 0xd04a0000
> > tunnel4 1140 0 - Live 0xd046c000
> > ip_set_macipmap 1728 0 - Live 0xd0462000
> > ip_set_nethash 5672 13 - Live 0xd0457000
> > ip_set_ipportnethash 7340 0 - Live 0xd044b000
> > ip_set_ipmap 1664 0 - Live 0xd0440000
> > ip_set_iphash 4400 7 - Live 0xd0435000
> > ip_set_setlist 1868 0 - Live 0xd042a000
> > ip_set_iptree 3320 0 - Live 0xd0420000
> > ip_set_iptreemap 6128 0 - Live 0xd0415000
> > ip_set_ipporthash 5416 0 - Live 0xd0409000
> > ip_set_portmap 1752 1 - Live 0xd03fe000
> > ipt_set 744 59 - Live 0xd03f4000
> > ip_set 7792 21 ip_set_macipmap,ip_set_nethash,ip_set_ipportnethash,ip_set_ipmap,ip_set_iphash,ip_set_setlist,ip_set_iptree,ip_set_iptreemap,ip_set_ipporthash,ip_set_portmap,ipt_set, Live 0xd03e7000
> > ipt_ULOG 3296 0 - Live 0xd03da000
> > xt_tcpudp 1480 36 - Live 0xd03d0000
> > xt_tcpmss 800 4 - Live 0xd03c7000
> > xt_string 740 0 - Live 0xd03be000
> > xt_statistic 636 0 - Live 0xd03b5000
> > xt_sctp 1484 0 - Live 0xd03ac000
> > xt_realm 440 0 - Live 0xd03a3000
> > xt_quota 612 0 - Live 0xd039a000
> > xt_policy 1544 0 - Live 0xd0391000
> > xt_pkttype 504 0 - Live 0xd0388000
> > xt_physdev 1048 0 - Live 0xd037f000
> > xt_multiport 1428 50 - Live 0xd0376000
> > xt_mark 440 2 - Live 0xd036d000
> > xt_mac 500 0 - Live 0xd0364000
> > xt_limit 760 17 - Live 0xd035b000
> > xt_length 596 3 - Live 0xd0352000
> > xt_hl 744 0 - Live 0xd0349000
> > xt_helper 648 0 - Live 0xd0340000
> > xt_hashlimit 4672 0 - Live 0xd0336000
> > xt_esp 644 0 - Live 0xd032b000
> > xt_dscp 880 0 - Live 0xd0322000
> > xt_dccp 1280 0 - Live 0xd0319000
> > xt_conntrack 1628 0 - Live 0xd0310000
> > xt_connmark 560 0 - Live 0xd0306000
> > xt_connbytes 872 0 - Live 0xd02fd000
> > xt_comment 420 0 - Live 0xd02f4000
> > xt_NFQUEUE 872 0 - Live 0xd02eb000
> > xt_NFLOG 512 0 - Live 0xd02e2000
> > nfnetlink_log 4400 1 xt_NFLOG, Live 0xd02d8000
> > xt_MARK 444 23 - Live 0xd02cd000
> > nf_conntrack_tftp 2140 0 - Live 0xd02c4000
> > nf_conntrack_sip 9000 0 - Live 0xd02b8000
> > nf_conntrack_pptp 2440 0 - Live 0xd02ab000
> > nf_conntrack_proto_gre 1908 1 nf_conntrack_pptp, Live 0xd02a1000
> > nf_conntrack_netlink 10288 0 - Live 0xd0295000
> > nfnetlink 1256 3 nfnetlink_log,nf_conntrack_netlink, Live 0xd0288000
> > nf_conntrack_netbios_ns 716 0 - Live 0xd027e000
> > nf_conntrack_irc 2136 0 - Live 0xd0275000
> > nf_conntrack_h323 28976 0 - Live 0xd0264000
> > nf_conntrack_ftp 3628 0 - Live 0xd0251000
> > iptable_nat 2092 1 - Live 0xd0246000
> > nf_nat 8628 1 iptable_nat, Live 0xd023a000
> > nf_conntrack_ipv4 5840 14 iptable_nat,nf_nat, Live 0xd022c000
> > nf_conntrack 31312 17 xt_state,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4, Live 0xd0219000
> > nf_defrag_ipv4 552 1 nf_conntrack_ipv4, Live 0xd0201000
> > iptable_raw 576 0 - Live 0xd01f8000
> > iptable_mangle 864 1 - Live 0xd01ef000
> > iptable_filter 704 1 - Live 0xd01e5000
> > ip_tables 6368 4 iptable_nat,iptable_raw,iptable_mangle,iptable_filter, Live 0xd01da000
> > x_tables 6340 37 xt_TCPMSS,ipt_REJECT,xt_DSCP,ipt_LOG,xt_state,ipt_set,ipt_ULOG,xt_tcpudp,xt_tcpmss,xt_string,xt_statistic,xt_sctp,xt_realm,xt_quota,xt_policy,xt_pkttype,xt_physdev,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_helper,xt_hashlimit,xt_esp,xt_dscp,xt_dccp,xt_conntrack,xt_connmark,xt_connbytes,xt_comment,xt_NFQUEUE,xt_NFLOG,xt_MARK,iptable_nat,ip_tables, Live 0xd01bd000
> > solos_pci 14108 1 - Live 0xd01b0000
> > firmware_class 3904 1 solos_pci, Live 0xd01a0000
> > br2684 3532 0 - Live 0xd0195000
> > ppp_deflate 2308 0 - Live 0xd018a000
> > sha1_generic 1204 0 - Live 0xd0176000
> > arc4 776 0 - Live 0xd016d000
> > ecb 988 0 - Live 0xd0164000
> > ppp_mppe 3744 0 - Live 0xd015b000
> > pppoe 5244 0 - Live 0xd0150000
> > pppox 844 1 pppoe, Live 0xd0144000
> > pppoatm 1492 1 - Live 0xd013b000
> > ppp_generic 13432 9 ppp_deflate,ppp_mppe,pppoe,pppox,pppoatm, Live 0xd012e000
> > slhc 3336 1 ppp_generic, Live 0xd0122000
> > atm 20900 5 solos_pci,br2684,pppoatm, Live 0xd0113000
> > ohci_hcd 14612 0 - Live 0xd00fb000
> > ehci_hcd 22516 0 - Live 0xd00e5000
> > usb_storage 26412 0 - Live 0xd00ce000
> > usbcore 76108 4 ohci_hcd,ehci_hcd,usb_storage, Live 0xd00a2000
> > 8139cp 10808 0 - Live 0xd0070000
> > lm90 7032 0 - Live 0xd0062000
> > scx200_acb 2288 0 - Live 0xd0055000
> > cs5535_gpio 1456 0 - Live 0xd004b000
> > geodewdt 1680 2 - Live 0xd0041000
> > + _________________________ /proc/meminfo
> > +
> > + cat /proc/meminfo
> > MemTotal:         248596 kB
> > MemFree:          179688 kB
> > Buffers:            7152 kB
> > Cached:            25728 kB
> > SwapCached:            0 kB
> > Active:            18948 kB
> > Inactive:          26704 kB
> > Active(anon):      13064 kB
> > Inactive(anon):        0 kB
> > Active(file):       5884 kB
> > Inactive(file):    26704 kB
> > Unevictable:           0 kB
> > Mlocked:               0 kB
> > SwapTotal:             0 kB
> > SwapFree:              0 kB
> > Dirty:                24 kB
> > Writeback:             0 kB
> > AnonPages:         12784 kB
> > Mapped:             4408 kB
> > Shmem:               292 kB
> > Slab:               6884 kB
> > SReclaimable:       3140 kB
> > SUnreclaim:         3744 kB
> > KernelStack:         440 kB
> > PageTables:          224 kB
> > NFS_Unstable:          0 kB
> > Bounce:                0 kB
> > WritebackTmp:          0 kB
> > CommitLimit:      124296 kB
> > Committed_AS:      15252 kB
> > VmallocTotal:     786452 kB
> > VmallocUsed:        1992 kB
> > VmallocChunk:     760612 kB
> > DirectMap4k:        8060 kB
> > DirectMap4M:      245760 kB
> > + _________________________ /proc/net/ipsec-ls
> > +
> > + test -f /proc/net/ipsec_version
> > + ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug
> > /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg
> > /proc/net/ipsec_version
> > lrwxrwxrwx    1 root     root            16 Jun 11 09:16
> > /proc/net/ipsec_eroute -> ipsec/eroute/all
> > lrwxrwxrwx    1 root     root            16 Jun 11 09:16
> > /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
> > lrwxrwxrwx    1 root     root            13 Jun 11 09:16
> > /proc/net/ipsec_spi -> ipsec/spi/all
> > lrwxrwxrwx    1 root     root            16 Jun 11 09:16
> > /proc/net/ipsec_spigrp -> ipsec/spigrp/all
> > lrwxrwxrwx    1 root     root            11 Jun 11 09:16
> > /proc/net/ipsec_tncfg -> ipsec/tncfg
> > lrwxrwxrwx    1 root     root            13 Jun 11 09:16
> > /proc/net/ipsec_version -> ipsec/version
> > + _________________________ usr/src/linux/.config
> > +
> > + test -f /proc/config.gz
> > + egrep CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM
> > + zcat /proc/config.gz
> > CONFIG_XFRM=y
> > CONFIG_XFRM_USER=m
> > # CONFIG_XFRM_SUB_POLICY is not set
> > # CONFIG_XFRM_MIGRATE is not set
> > # CONFIG_XFRM_STATISTICS is not set
> > CONFIG_XFRM_IPCOMP=m
> > CONFIG_NET_KEY=m
> > # CONFIG_NET_KEY_MIGRATE is not set
> > CONFIG_INET=y
> > CONFIG_IP_MULTICAST=y
> > CONFIG_IP_ADVANCED_ROUTER=y
> > # CONFIG_IP_FIB_TRIE is not set
> > CONFIG_IP_FIB_HASH=y
> > CONFIG_IP_MULTIPLE_TABLES=y
> > CONFIG_IP_ROUTE_MULTIPATH=y
> > CONFIG_IP_ROUTE_VERBOSE=y
> > # CONFIG_IP_PNP is not set
> > CONFIG_IP_MROUTE=y
> > CONFIG_IP_PIMSM_V1=y
> > CONFIG_IP_PIMSM_V2=y
> > CONFIG_INET_AH=m
> > CONFIG_INET_ESP=m
> > CONFIG_INET_IPCOMP=m
> > CONFIG_INET_XFRM_TUNNEL=m
> > CONFIG_INET_TUNNEL=m
> > CONFIG_INET_XFRM_MODE_TRANSPORT=m
> > CONFIG_INET_XFRM_MODE_TUNNEL=m
> > CONFIG_INET_XFRM_MODE_BEET=m
> > # CONFIG_INET_LRO is not set
> > CONFIG_INET_DIAG=m
> > CONFIG_INET_TCP_DIAG=m
> > CONFIG_IPV6=y
> > # CONFIG_IPV6_PRIVACY is not set
> > # CONFIG_IPV6_ROUTER_PREF is not set
> > # CONFIG_IPV6_OPTIMISTIC_DAD is not set
> > # CONFIG_INET6_AH is not set
> > # CONFIG_INET6_ESP is not set
> > # CONFIG_INET6_IPCOMP is not set
> > # CONFIG_IPV6_MIP6 is not set
> > # CONFIG_INET6_XFRM_TUNNEL is not set
> > # CONFIG_INET6_TUNNEL is not set
> > # CONFIG_INET6_XFRM_MODE_TRANSPORT is not set
> > # CONFIG_INET6_XFRM_MODE_TUNNEL is not set
> > # CONFIG_INET6_XFRM_MODE_BEET is not set
> > # CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
> > # CONFIG_IPV6_SIT is not set
> > # CONFIG_IPV6_TUNNEL is not set
> > # CONFIG_IPV6_MULTIPLE_TABLES is not set
> > # CONFIG_IPV6_MROUTE is not set
> > # CONFIG_IP_VS is not set
> > # CONFIG_IP_NF_QUEUE is not set
> > CONFIG_IP_NF_IPTABLES=m
> > CONFIG_IP_NF_MATCH_ADDRTYPE=m
> > CONFIG_IP_NF_MATCH_AH=m
> > CONFIG_IP_NF_MATCH_ECN=m
> > CONFIG_IP_NF_MATCH_TTL=m
> > CONFIG_IP_NF_FILTER=m
> > CONFIG_IP_NF_TARGET_REJECT=m
> > CONFIG_IP_NF_TARGET_LOG=m
> > CONFIG_IP_NF_TARGET_ULOG=m
> > CONFIG_IP_NF_TARGET_MASQUERADE=m
> > CONFIG_IP_NF_TARGET_NETMAP=m
> > CONFIG_IP_NF_TARGET_REDIRECT=m
> > CONFIG_IP_NF_MANGLE=m
> > CONFIG_IP_NF_TARGET_CLUSTERIP=m
> > CONFIG_IP_NF_TARGET_ECN=m
> > CONFIG_IP_NF_TARGET_TTL=m
> > CONFIG_IP_NF_RAW=m
> > CONFIG_IP_NF_SECURITY=m
> > CONFIG_IP_NF_ARPTABLES=m
> > CONFIG_IP_NF_ARPFILTER=m
> > CONFIG_IP_NF_ARP_MANGLE=m
> > # CONFIG_IP6_NF_QUEUE is not set
> > # CONFIG_IP6_NF_IPTABLES is not set
> > # CONFIG_IP_DCCP is not set
> > # CONFIG_IP_SCTP is not set
> > # CONFIG_IPX is not set
> > CONFIG_IPMI_HANDLER=m
> > CONFIG_IPMI_PANIC_EVENT=y
> > # CONFIG_IPMI_PANIC_STRING is not set
> > CONFIG_IPMI_DEVICE_INTERFACE=m
> > CONFIG_IPMI_SI=m
> > CONFIG_IPMI_WATCHDOG=m
> > CONFIG_IPMI_POWEROFF=m
> > CONFIG_HW_RANDOM=y
> > # CONFIG_HW_RANDOM_TIMERIOMEM is not set
> > CONFIG_HW_RANDOM_INTEL=m
> > CONFIG_HW_RANDOM_AMD=m
> > CONFIG_HW_RANDOM_GEODE=m
> > CONFIG_HW_RANDOM_VIA=m
> > CONFIG_SECURITY_NETWORK_XFRM=y
> > CONFIG_CRYPTO_DEV_PADLOCK=m
> > CONFIG_CRYPTO_DEV_PADLOCK_AES=m
> > CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
> > CONFIG_CRYPTO_DEV_GEODE=m
> > # CONFIG_CRYPTO_DEV_HIFN_795X is not set
> > + _________________________ etc/syslog.conf
> > +
> > + _________________________ etc/syslog-ng/syslog-ng.conf
> > +
> > + cat /etc/syslog-ng/syslog-ng.conf
> > cat: can't open '/etc/syslog-ng/syslog-ng.conf': No such file or directory
> > + cat /etc/syslog.conf
> > cat: can't open '/etc/syslog.conf': No such file or directory
> > + _________________________ etc/resolv.conf
> > +
> > + cat /etc/resolv.conf
> > nameserver 127.0.0.1
> > nameserver 202.27.158.40
> > nameserver 202.37.170.4
> > + _________________________ lib/modules-ls
> > +
> > + ls -ltr /lib/modules
> > drwxr-xr-x    4 root     root           325 Jun 10 05:34 2.6.32.9-g9b5a066-dirty
> > + _________________________ fipscheck
> > +
> > + cat /proc/sys/crypto/fips_enabled
> > cat: can't open '/proc/sys/crypto/fips_enabled': No such file or directory
> > + _________________________ /proc/ksyms-netif_rx
> > +
> > + test -r /proc/ksyms
> > + test -r /proc/kallsyms
> > + echo broken (redhat/fedora) 2.6 kernel without kallsyms
> > broken (redhat/fedora) 2.6 kernel without kallsyms
> > + _________________________ lib/modules-netif_rx
> > +
> > + modulegoo kernel/net/ipv4/ipip.o netif_rx
> > + set +x
> > 2.6.32.9-g9b5a066-dirty:
> > + _________________________ kern.debug
> > +
> > + test -f /var/log/kern.debug
> > + _________________________ klog
> > +
> > + cat
> > + egrep -i ipsec|klips|pluto
> > + sed -n 1,$p /dev/null
> > + _________________________ plog
> > +
> > + cat
> > + egrep -i pluto
> > + sed -n 1,$p /dev/null
> > + _________________________ date
> > +
> > + date
> > Fri Jun 11 09:16:20 UTC 2010
-------------- next part --------------
Fw-STEP:~# tcpdump -ni ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
Killed
Fw-STEP:~# 
Message from syslogd at Fw-STEP at Tue Jun 22 11:52:12 2010 ...
Fw-STEP kernel: last sysfs file: /sys/module/ipsec/parameters/natt_available

Message from syslogd at Fw-STEP at Tue Jun 22 11:52:12 2010 ...
Fw-STEP kernel: Process tcpdump (pid: 4561, ti=dba68000 task=db930b60 task.ti=dba68000)

Message from syslogd at Fw-STEP at Tue Jun 22 11:52:12 2010 ...
Fw-STEP kernel: Stack:

Message from syslogd at Fw-STEP at Tue Jun 22 11:52:12 2010 ...
Fw-STEP kernel: Call Trace:

Message from syslogd at Fw-STEP at Tue Jun 22 11:52:12 2010 ...
Fw-STEP kernel: Code:  Bad EIP value.

Message from syslogd at Fw-STEP at Tue Jun 22 11:52:12 2010 ...
Fw-STEP kernel: EIP: [<00000bf9>] 0xbf9 SS:ESP 0068:dba69f7c

Message from syslogd at Fw-STEP at Tue Jun 22 11:52:12 2010 ...
Fw-STEP kernel: Oops: 0000 [#1] 

Message from syslogd at Fw-STEP at Tue Jun 22 11:52:12 2010 ...
Fw-STEP kernel: CR2: 0000000000000bf9

device ipsec0 entered promiscuous mode
device ipsec0 left promiscuous mode
BUG: unable to handle kernel NULL pointer dereference at 00000bf9
IP: [<00000bf9>] 0xbf9
*pde = 00000000 
Oops: 0000 [#1] 
last sysfs file: /sys/module/ipsec/parameters/natt_available
Modules linked in: iptable_mangle xt_TCPMSS pppoe pppox ppp_generic slhc xt_tcpudp ipsec ccm ecb sha512_generic deflate zlib_deflate ctr twofish twofish_common camellia serpent blowfish cast5 des_generic padlock_aes aes_i586 aes_generic xcbc rmd160 sha256_generic padlock_sha sha1_generic md5 crypto_null nf_nat_ftp iptable_nat xt_conntrack ipt_MASQUERADE nf_nat ipt_ULOG ipt_LOG xt_state xt_limit iptable_filter nf_conntrack_h323 nf_conntrack_irc nf_conntrack_ftp nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 ip_tables x_tables i2c_viapro processor button ext3 jbd fan uhci_hcd 8139too thermal thermal_sys [last unloaded: af_key]

Pid: 4561, comm: tcpdump Not tainted (2.6.32.15-bbone #4)  
EIP: 0060:[<00000bf9>] EFLAGS: 00210292 CPU: 0
EIP is at 0xbf9
EAX: 0000003c EBX: 00000000 ECX: 00000022 EDX: db80e628
ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: dba69f7c
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process tcpdump (pid: 4561, ti=dba68000 task=db930b60 task.ti=dba68000)
Stack:
 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<0> 00000000 00000000 00000000 00000050 00000000 00000000 00000000 bf818ff0
<0> b76c9114 00000010 00000000 bf819058 00000066 0000007b 0000007b 00000000
Call Trace:
Code:  Bad EIP value.
EIP: [<00000bf9>] 0xbf9 SS:ESP 0068:dba69f7c
CR2: 0000000000000bf9
---[ end trace d1a8e98755c6df1e ]---
VFS: Close: file count is 0

-------------- next part --------------
Fw-STEP.cat.local
Tue Jun 22 11:51:03 CEST 2010
+ _________________________ version
+ ipsec --version
Linux Openswan 2.6.26 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.32.15-bbone (root@dell-db) (gcc version 4.4.4 (Debian 4.4.4-5) ) #4 Tue Jun 22 09:08:42 CEST 2010
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg -k 3 /proc/net/ipsec_eroute
0          192.168.17.0/28    -> 192.168.50.0/24    => tun0x1003@86.65.145.114
0          192.168.17.0/28    -> 192.168.150.0/24   => tun0x1001@86.65.145.114
+ _________________________ netstat-rn
+ head -n 100
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
212.30.97.108   0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
212.30.97.108   0.0.0.0         255.255.255.255 UH        0 0          0 ipsec0
86.65.145.112   0.0.0.0         255.255.255.240 U         0 0          0 ppp0
192.168.17.0    0.0.0.0         255.255.255.240 U         0 0          0 eth1
192.168.50.0    212.30.97.108   255.255.255.0   UG        0 0          0 ipsec0
192.168.150.0   212.30.97.108   255.255.255.0   UG        0 0          0 ipsec0
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
tun0x1003@86.65.145.114 IPIP: dir=out src=86.66.57.152 life(c,s,h)=addtime(49,0,0) natencap=none natsport=0 natdport=0 refcount=3 ref=5 refhim=0
tun0x1001@86.65.145.114 IPIP: dir=out src=86.66.57.152 life(c,s,h)=addtime(49,0,0) natencap=none natsport=0 natdport=0 refcount=3 ref=1 refhim=0
esp0x440f944@86.66.57.152 ESP_AES_HMAC_SHA1: dir=in  src=86.65.145.114 iv_bits=128bits iv=0x0d22c172e5f397e10f875a919b106f76 ooowin=64 seq=27 bit=0x7ffffff alen=160 aklen=160 eklen=128 life(c,s,h)=bytes(2268,0,0)addtime(49,0,0)usetime(27,0,0)packets(27,0,0) idle=0 natencap=none natsport=0 natdport=0 refcount=3 ref=8 refhim=5
esp0x440f943@86.66.57.152 ESP_AES_HMAC_SHA1: dir=in  src=86.65.145.114 iv_bits=128bits iv=0xb9ced335685b04b5e40765192b11755c ooowin=64 alen=160 aklen=160 eklen=128 life(c,s,h)=addtime(49,0,0) natencap=none natsport=0 natdport=0 refcount=3 ref=4 refhim=1
esp0xce3e78f6@86.65.145.114 ESP_AES_HMAC_SHA1: dir=out src=86.66.57.152 iv_bits=128bits iv=0xf67994994986f28749e7a10f95a74583 ooowin=64 alen=160 aklen=160 eklen=128 life(c,s,h)=addtime(49,0,0) natencap=none natsport=0 natdport=0 refcount=3 ref=6 refhim=0
esp0xce3e78f5@86.65.145.114 ESP_AES_HMAC_SHA1: dir=out src=86.66.57.152 iv_bits=128bits iv=0x10aa2722d2ce543df41646a5b9c20def ooowin=64 alen=160 aklen=160 eklen=128 life(c,s,h)=addtime(49,0,0) natencap=none natsport=0 natdport=0 refcount=3 ref=2 refhim=0
tun0x1004@86.66.57.152 IPIP: dir=in  src=86.65.145.114 policy=192.168.50.0/24->192.168.17.0/28 flags=0x8<> life(c,s,h)=bytes(2268,0,0)addtime(49,0,0)usetime(27,0,0)packets(27,0,0) idle=0 natencap=none natsport=0 natdport=0 refcount=3 ref=7 refhim=5
tun0x1002@86.66.57.152 IPIP: dir=in  src=86.65.145.114 policy=192.168.150.0/24->192.168.17.0/28 flags=0x8<> life(c,s,h)=addtime(49,0,0) natencap=none natsport=0 natdport=0 refcount=3 ref=3 refhim=1
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1003@86.65.145.114 esp0xce3e78f6@86.65.145.114 
tun0x1001@86.65.145.114 esp0xce3e78f5@86.65.145.114 
esp0x440f944@86.66.57.152 tun0x1004@86.66.57.152 
esp0x440f943@86.66.57.152 tun0x1002@86.66.57.152 
esp0xce3e78f6@86.65.145.114 
esp0xce3e78f5@86.65.145.114 
tun0x1004@86.66.57.152 
tun0x1002@86.66.57.152 
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260(1492) -> 1492
ipsec1 -> NULL mtu=0(0) -> 0
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ /proc/crypto
+ test -r /proc/crypto
+ cat /proc/crypto
name         : sha512
driver       : sha512-generic
module       : sha512_generic
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 128
digestsize   : 64

name         : sha384
driver       : sha384-generic
module       : sha512_generic
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 128
digestsize   : 48

name         : deflate
driver       : deflate-generic
module       : deflate
priority     : 0
refcnt       : 1
selftest     : passed
type         : compression

name         : rfc3686(ctr(aes))
driver       : rfc3686(ctr(aes-padlock))
module       : ctr
priority     : 300
refcnt       : 1
selftest     : passed
type         : blkcipher
blocksize    : 1
min keysize  : 20
max keysize  : 36
ivsize       : 8
geniv        : seqiv

name         : ctr(aes)
driver       : ctr(aes-padlock)
module       : ctr
priority     : 300
refcnt       : 1
selftest     : passed
type         : blkcipher
blocksize    : 1
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : chainiv

name         : cbc(twofish)
driver       : cbc(twofish-generic)
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
type         : blkcipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : <default>

name         : twofish
driver       : twofish-generic
module       : twofish
priority     : 100
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : cbc(camellia)
driver       : cbc(camellia-generic)
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
type         : blkcipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : <default>

name         : camellia
driver       : camellia-generic
module       : camellia
priority     : 100
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : cbc(serpent)
driver       : cbc(serpent-generic)
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : blkcipher
blocksize    : 16
min keysize  : 0
max keysize  : 32
ivsize       : 16
geniv        : <default>

name         : tnepres
driver       : tnepres-generic
module       : serpent
priority     : 0
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 16
min keysize  : 0
max keysize  : 32

name         : serpent
driver       : serpent-generic
module       : serpent
priority     : 0
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 16
min keysize  : 0
max keysize  : 32

name         : cbc(blowfish)
driver       : cbc(blowfish-generic)
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : blkcipher
blocksize    : 8
min keysize  : 4
max keysize  : 56
ivsize       : 8
geniv        : <default>

name         : blowfish
driver       : blowfish-generic
module       : blowfish
priority     : 0
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 8
min keysize  : 4
max keysize  : 56

name         : cbc(cast5)
driver       : cbc(cast5-generic)
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : blkcipher
blocksize    : 8
min keysize  : 5
max keysize  : 16
ivsize       : 8
geniv        : <default>

name         : cast5
driver       : cast5-generic
module       : cast5
priority     : 0
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 8
min keysize  : 5
max keysize  : 16

name         : cbc(des3_ede)
driver       : cbc(des3_ede-generic)
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : blkcipher
blocksize    : 8
min keysize  : 24
max keysize  : 24
ivsize       : 8
geniv        : <default>

name         : cbc(des)
driver       : cbc(des-generic)
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : blkcipher
blocksize    : 8
min keysize  : 8
max keysize  : 8
ivsize       : 8
geniv        : <default>

name         : des3_ede
driver       : des3_ede-generic
module       : des_generic
priority     : 0
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 8
min keysize  : 24
max keysize  : 24

name         : des
driver       : des-generic
module       : des_generic
priority     : 0
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 8
min keysize  : 8
max keysize  : 8

name         : xcbc(aes)
driver       : xcbc(aes-padlock)
module       : xcbc
priority     : 300
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 16
digestsize   : 16

name         : cbc(aes)
driver       : cbc-aes-padlock
module       : padlock_aes
priority     : 400
refcnt       : 1
selftest     : passed
type         : blkcipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : <default>

name         : ecb(aes)
driver       : ecb-aes-padlock
module       : padlock_aes
priority     : 400
refcnt       : 1
selftest     : passed
type         : blkcipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 0
geniv        : <default>

name         : aes
driver       : aes-padlock
module       : padlock_aes
priority     : 300
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : aes
driver       : aes-asm
module       : aes_i586
priority     : 200
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : aes
driver       : aes-generic
module       : aes_generic
priority     : 100
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : hmac(rmd160)
driver       : hmac(rmd160-generic)
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 20

name         : rmd160
driver       : rmd160-generic
module       : rmd160
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 20

name         : hmac(sha256)
driver       : hmac(sha256-padlock)
module       : kernel
priority     : 300
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 32

name         : hmac(sha1)
driver       : hmac(sha1-padlock)
module       : kernel
priority     : 300
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 20

name         : sha256
driver       : sha256-generic
module       : sha256_generic
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 32

name         : sha224
driver       : sha224-generic
module       : sha256_generic
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 28

name         : sha256
driver       : sha256-padlock
module       : padlock_sha
priority     : 300
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 32

name         : sha1
driver       : sha1-padlock
module       : padlock_sha
priority     : 300
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 20

name         : sha1
driver       : sha1-generic
module       : sha1_generic
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 20

name         : hmac(md5)
driver       : hmac(md5-generic)
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 16

name         : md5
driver       : md5-generic
module       : md5
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 16

name         : compress_null
driver       : compress_null-generic
module       : crypto_null
priority     : 0
refcnt       : 1
selftest     : passed
type         : compression

name         : digest_null
driver       : digest_null-generic
module       : crypto_null
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 1
digestsize   : 0

name         : ecb(cipher_null)
driver       : ecb-cipher_null
module       : crypto_null
priority     : 100
refcnt       : 1
selftest     : passed
type         : blkcipher
blocksize    : 1
min keysize  : 0
max keysize  : 0
ivsize       : 0
geniv        : <default>

name         : cipher_null
driver       : cipher_null-generic
module       : crypto_null
priority     : 0
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 1
min keysize  : 0
max keysize  : 0

name         : stdrng
driver       : krng
module       : kernel
priority     : 200
refcnt       : 1
selftest     : passed
type         : rng
seedsize     : 0

+ __________________________/proc/sys/net/core/xfrm-star
/usr/lib/ipsec/barf: line 191: __________________________/proc/sys/net/core/xfrm-star: No such file or directory
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_acq_expires: '
/proc/sys/net/core/xfrm_acq_expires: + cat /proc/sys/net/core/xfrm_acq_expires
30
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_aevent_etime: '
/proc/sys/net/core/xfrm_aevent_etime: + cat /proc/sys/net/core/xfrm_aevent_etime
10
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_aevent_rseqth: '
/proc/sys/net/core/xfrm_aevent_rseqth: + cat /proc/sys/net/core/xfrm_aevent_rseqth
2
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_larval_drop: '
/proc/sys/net/core/xfrm_larval_drop: + cat /proc/sys/net/core/xfrm_larval_drop
1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_mast debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform debug_xmit icmp inbound_policy_check pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_mast:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
debug_xmit:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:0
+ _________________________ ipsec/status
+ ipsec auto --status
000 using kernel interface: klips
000 interface ipsec0/ppp0 86.66.57.152
000 %myid = (none)
000 debug none
000  
000 virtual_private (%priv):
000 - allowed 0 subnets: 
000 - disallowed 0 subnets: 
000 WARNING: Either virtual_private= was not specified, or there was a syntax 
000          error in that line. 'left/rightsubnet=%priv' will not work!
000  
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000  
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 "tunnel_606367472_606129818": 192.168.17.0/28===86.66.57.152<86.66.57.152>[@Fw-STEP.cat.local,+S=C]---212.30.97.108...86.65.145.114<86.65.145.114>[@Fw-CAT.cat.local,+S=C]===192.168.50.0/24; erouted; eroute owner: #3
000 "tunnel_606367472_606129818":     myip=unset; hisip=unset;
000 "tunnel_606367472_606129818":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "tunnel_606367472_606129818":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 28,24; interface: ppp0; 
000 "tunnel_606367472_606129818":   newest ISAKMP SA: #1; newest IPsec SA: #3; 
000 "tunnel_606367472_606129818":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "tunnel_606367472_606334982": 192.168.17.0/28===86.66.57.152<86.66.57.152>[@Fw-STEP.cat.local,+S=C]---212.30.97.108...86.65.145.114<86.65.145.114>[@Fw-CAT.cat.local,+S=C]===192.168.150.0/24; erouted; eroute owner: #2
000 "tunnel_606367472_606334982":     myip=unset; hisip=unset;
000 "tunnel_606367472_606334982":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "tunnel_606367472_606334982":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 28,24; interface: ppp0; 
000 "tunnel_606367472_606334982":   newest ISAKMP SA: #0; newest IPsec SA: #2; 
000  
000 #3: "tunnel_606367472_606129818":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27885s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "tunnel_606367472_606129818" esp.ce3e78f6@86.65.145.114 esp.440f944@86.66.57.152 tun.1003@86.65.145.114 tun.1004@86.66.57.152 ref=7 refhim=5
000 #1: "tunnel_606367472_606129818":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2659s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "tunnel_606367472_606334982":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28079s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "tunnel_606367472_606334982" esp.ce3e78f5@86.65.145.114 esp.440f943@86.66.57.152 tun.1001@86.65.145.114 tun.1002@86.66.57.152 ref=3 refhim=1
000  
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:30:18:4a:a3:d7  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:117 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:24604 (24.0 KiB)  TX bytes:21214 (20.7 KiB)
          Interrupt:16 Base address:0xe000 

eth1      Link encap:Ethernet  HWaddr 00:30:18:4a:a3:d6  
          inet addr:192.168.17.1  Bcast:192.168.17.15  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2766 (2.7 KiB)  TX bytes:2766 (2.7 KiB)
          Interrupt:17 Base address:0x2000 

eth2      Link encap:Ethernet  HWaddr 00:30:18:4a:a3:d5  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:18 Base address:0x6000 

eth3      Link encap:Ethernet  HWaddr 00:30:18:4a:a3:d4  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:19 Base address:0xa000 

ipsec0    Link encap:Point-to-Point Protocol  
          inet addr:86.66.57.152  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:54 overruns:0 carrier:0
          collisions:0 txqueuelen:10 
          RX bytes:1728 (1.6 KiB)  TX bytes:0 (0.0 B)

ipsec1    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:904 (904.0 B)  TX bytes:904 (904.0 B)

mast0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:86.66.57.152  P-t-P:212.30.97.108  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:177 errors:0 dropped:0 overruns:0 frame:0
          TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:18702 (18.2 KiB)  TX bytes:18050 (17.6 KiB)

+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether 00:30:18:4a:a3:d7 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:30:18:4a:a3:d6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.17.1/28 brd 192.168.17.15 scope global eth1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:30:18:4a:a3:d5 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:30:18:4a:a3:d4 brd ff:ff:ff:ff:ff:ff
6: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast state UNKNOWN qlen 10
    link/ppp 
    inet 86.66.57.152 peer 212.30.97.108/32 scope global ipsec0
7: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
    link/void 
8: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
    link/[65534] 
9: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet 86.66.57.152 peer 212.30.97.108/32 scope global ppp0
+ _________________________ ip-route-list
+ ip route list
212.30.97.108 dev ppp0  proto kernel  scope link  src 86.66.57.152 
212.30.97.108 dev ipsec0  proto kernel  scope link  src 86.66.57.152 
86.65.145.112/28 dev ppp0  scope link  metric 1 
192.168.17.0/28 dev eth1  proto kernel  scope link  src 192.168.17.1 
192.168.50.0/24 via 212.30.97.108 dev ipsec0 
192.168.150.0/24 via 212.30.97.108 dev ipsec0 
default dev ppp0  scope link 
+ _________________________ ip-rule-list
+ ip rule list
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan 2.6.26 (klips)
Checking for IPsec support in kernel                        	[OK]
KLIPS detected, checking for NAT Traversal support          	[OK]
Hardware RNG detected, testing if used properly             	[FAILED]

  Hardware RNG is present but 'rngd' or 'clrngd' is not running.
  No harware random used!

Checking for RSA private key (/etc/ipsec.secrets)           	[OK]
Checking that pluto is running                              	[OK]
Pluto listening for IKE on udp 500                          	[OK]
Pluto listening for NAT-T on udp 4500                       	[FAILED]
Two or more interfaces found, checking IP forwarding        	[FAILED]
Checking NAT and MASQUERADEing                              	[OK]
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: Fw-STEP.cat.local   	[MISSING]
   Does the machine have at least one non-private address?  	[OK]
   Looking for TXT in reverse dns zone: 152.57.66.86.in-addr.arpa.	[MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
  product info: vendor 00:00:00, model 0 rev 0
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
eth1: negotiated 100baseTx-FD, link ok
  product info: vendor 00:00:00, model 0 rev 0
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
SIOCGMIIPHY on 'eth2' failed: Invalid argument
SIOCGMIIPHY on 'eth3' failed: Invalid argument
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
hostname: Host name lookup failure
+ _________________________ hostname/ipaddress
+ hostname --ip-address
hostname: Host name lookup failure
+ _________________________ uptime
+ uptime
 11:51:34 up 1 min,  1 user,  load average: 0.21, 0.13, 0.05
+ _________________________ ps
+ egrep -i 'ppid|pluto|ipsec|klips'
+ ps alxwf
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
0     0  4372  4353  20   0   2592  1160 -      S+   pts/0      0:00          \_ /bin/sh /usr/lib/ipsec/barf
0     0  4473  4372  20   0   1820   508 -      S+   pts/0      0:00              \_ egrep -i ppid|pluto|ipsec|klips
1     0  4235     1  20   0   2832   468 -      S    ?          0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug  --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal no --keep_alive  --protostack klips --force_keepalive no --disable_port_floating no --virtual_private  --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
1     0  4237  4235  20   0   2832   608 -      S    ?          0:00  \_ /bin/sh /usr/lib/ipsec/_plutorun --debug  --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal no --keep_alive  --protostack klips --force_keepalive no --disable_port_floating no --virtual_private  --crlcheckinterval 0 --ocspuri  --nhelpers  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
4     0  4242  4237  20   0   8492  2752 -      S    ?          0:00  |   \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-klips --uniqueids
1     0  4259  4242  30  10   8488  1012 -      SN   ?          0:00  |       \_ pluto helper  #  0                                                                                            
0     0  4260  4242  20   0   1688   296 -      S    ?          0:00  |       \_ _pluto_adns
0     0  4238  4235  20   0   2800  1268 -      S    ?          0:00  \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post 
0     0  4236     1  20   0   1744   520 -      S    ?          0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _keycensor
+ ipsec _include /etc/ipsec.conf

#< /etc/ipsec.conf 1
version 2.0
config setup
	protostack=klips
	interfaces="ipsec0=ppp0"
        klipsdebug=none
        plutodebug=none
        pluto=yes
        plutowait=no
        fragicmp=yes
        hidetos=no
        uniqueids=yes

conn tunnel_606367472_606129818 # 192.168.17.0/28.Fw-STEP-Fw-CAT.192.168.50.0/24
        type=tunnel
        auto=start
        left=86.66.57.152
	leftnexthop=212.30.97.108
        leftsubnet=192.168.17.0/28
        right=86.65.145.114
        rightsubnet=192.168.50.0/24
        pfs=yes
        auth=esp
        keyexchange=ike
        keyingtries=0
        keylife=480m
        authby=rsasig
        leftid=@Fw-STEP.cat.local
        leftrsasigkey=[keyid AQOgKi2vo]
        rightid=@Fw-CAT.cat.local
        rightrsasigkey=[keyid AQNcFgqh4]
        compress=no

conn tunnel_606367472_606334982 # 192.168.17.0/28.Fw-STEP-Fw-CAT.192.168.150.0/24
        type=tunnel
        auto=start
        left=86.66.57.152
	leftnexthop=212.30.97.108
        leftsubnet=192.168.17.0/28
        right=86.65.145.114
        rightsubnet=192.168.150.0/24
        pfs=yes
        auth=esp
        keyexchange=ike
        keyingtries=0
        keylife=480m
        authby=rsasig
        leftid=@Fw-STEP.cat.local
        leftrsasigkey=[keyid AQOgKi2vo]
        rightid=@Fw-CAT.cat.local
        rightrsasigkey=[keyid AQNcFgqh4]
        compress=no
+ _________________________ ipsec/secrets
+ ipsec _secretcensor
+ ipsec _include /etc/ipsec.secrets

#< /etc/ipsec.secrets 1
@Fw-STEP.cat.local: rsa {
        #pubkey: 0sAQOgKi2vo6zebxQdDE39epmK8Wjy/BI6xYjlYunJ0HqffS6eKgWUsremQgcOwGaU01ycVaf8NILU48+SFp9+pVHKFVszuMeCf7E0bGCvEUTBV9/cOKWIbKAIsjx3Gm98gW5x58q09BNjs8eteKN2l3/OFyQfY2STCxFmB2DiQsHioQ==
        Modulus: [...]
        PublicExponent: [...]
        PrivateExponent: [...]
        Prime1: [...]
        Prime2: [...]
        Exponent1: [...]
        Exponent2: [...]
        Coefficient: [...]
        }
+ _________________________ ipsec/listall
+ ipsec auto --listall
000  
000 List of Public Keys:
000  
000 Jun 22 11:50:13 2010, 2048 RSA Key AQNcFgqh4 (no private key), until --- -- --:--:-- ---- ok (expires never)
000        ID_FQDN '@Fw-CAT.cat.local'
000 Jun 22 11:50:13 2010, 1024 RSA Key AQOgKi2vo (has private key), until --- -- --:--:-- ---- ok (expires never)
000        ID_FQDN '@Fw-STEP.cat.local'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000     1: RSA @Fw-STEP.cat.local 
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#

+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#

# root name servers should be in the clear
192.58.128.30/32
198.41.0.4/32
192.228.79.201/32
192.33.4.12/32
128.8.10.90/32
192.203.230.10/32
192.5.5.241/32
192.112.36.4/32
128.63.2.53/32
192.36.148.17/32
193.0.14.129/32
199.7.83.42/32
202.12.27.33/32
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption.  This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications.  If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#

0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 2212
-rwxr-xr-x 1 root root   4892 Jun  1 01:12 _copyright
-rwxr-xr-x 1 root root   2379 Jun  1 01:12 _include
-rwxr-xr-x 1 root root   1475 Jun  1 01:12 _keycensor
-rwxr-xr-x 1 root root   8604 Jun  1 01:12 _pluto_adns
-rwxr-xr-x 1 root root   2632 Jun  1 01:12 _plutoload
-rwxr-xr-x 1 root root   8205 Jun  1 01:12 _plutorun
-rwxr-xr-x 1 root root  12952 Jun  1 01:12 _realsetup
-rwxr-xr-x 1 root root   1975 Jun  1 01:12 _secretcensor
-rwxr-xr-x 1 root root   9277 Jun  1 01:12 _startklips
-rwxr-xr-x 1 root root   6042 Jun  1 01:12 _startnetkey
-rwxr-xr-x 1 root root   4868 Jun  1 01:12 _updown
-rwxr-xr-x 1 root root  16182 Jun  1 01:12 _updown.klips
-rwxr-xr-x 1 root root  13909 Jun  1 01:12 _updown.mast
-rwxr-xr-x 1 root root  10951 Jun  1 01:12 _updown.netkey
-rwxr-xr-x 1 root root 175568 Jun  1 01:12 addconn
-rwxr-xr-x 1 root root   6015 Jun  1 01:12 auto
-rwxr-xr-x 1 root root  10828 Jun  1 01:12 barf
-rwxr-xr-x 1 root root  86120 Jun  1 01:12 eroute
-rwxr-xr-x 1 root root  19756 Jun  1 01:12 ikeping
-rwxr-xr-x 1 root root  65484 Jun  1 01:12 klipsdebug
-rwxr-xr-x 1 root root   2591 Jun  1 01:12 look
-rwxr-xr-x 1 root root   2182 Jun  1 01:12 newhostkey
-rwxr-xr-x 1 root root  57256 Jun  1 01:12 pf_key
-rwxr-xr-x 1 root root 983100 Jun  1 01:12 pluto
-rwxr-xr-x 1 root root   7444 Jun  1 01:12 ranbits
-rwxr-xr-x 1 root root  18824 Jun  1 01:12 rsasigkey
-rwxr-xr-x 1 root root    766 Jun  1 01:12 secrets
lrwxrwxrwx 1 root root     17 Jun 21 20:37 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root   1054 Jun  1 01:12 showdefaults
-rwxr-xr-x 1 root root 240604 Jun  1 01:12 showhostkey
-rwxr-xr-x 1 root root  20064 Jun  1 01:12 showpolicy
-rwxr-xr-x 1 root root 139428 Jun  1 01:12 spi
-rwxr-xr-x 1 root root  77304 Jun  1 01:12 spigrp
-rwxr-xr-x 1 root root  66408 Jun  1 01:12 tncfg
-rwxr-xr-x 1 root root  13463 Jun  1 01:12 verify
-rwxr-xr-x 1 root root  50556 Jun  1 01:12 whack
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/lib/ipsec
total 2212
-rwxr-xr-x 1 root root   4892 Jun  1 01:12 _copyright
-rwxr-xr-x 1 root root   2379 Jun  1 01:12 _include
-rwxr-xr-x 1 root root   1475 Jun  1 01:12 _keycensor
-rwxr-xr-x 1 root root   8604 Jun  1 01:12 _pluto_adns
-rwxr-xr-x 1 root root   2632 Jun  1 01:12 _plutoload
-rwxr-xr-x 1 root root   8205 Jun  1 01:12 _plutorun
-rwxr-xr-x 1 root root  12952 Jun  1 01:12 _realsetup
-rwxr-xr-x 1 root root   1975 Jun  1 01:12 _secretcensor
-rwxr-xr-x 1 root root   9277 Jun  1 01:12 _startklips
-rwxr-xr-x 1 root root   6042 Jun  1 01:12 _startnetkey
-rwxr-xr-x 1 root root   4868 Jun  1 01:12 _updown
-rwxr-xr-x 1 root root  16182 Jun  1 01:12 _updown.klips
-rwxr-xr-x 1 root root  13909 Jun  1 01:12 _updown.mast
-rwxr-xr-x 1 root root  10951 Jun  1 01:12 _updown.netkey
-rwxr-xr-x 1 root root 175568 Jun  1 01:12 addconn
-rwxr-xr-x 1 root root   6015 Jun  1 01:12 auto
-rwxr-xr-x 1 root root  10828 Jun  1 01:12 barf
-rwxr-xr-x 1 root root  86120 Jun  1 01:12 eroute
-rwxr-xr-x 1 root root  19756 Jun  1 01:12 ikeping
-rwxr-xr-x 1 root root  65484 Jun  1 01:12 klipsdebug
-rwxr-xr-x 1 root root   2591 Jun  1 01:12 look
-rwxr-xr-x 1 root root   2182 Jun  1 01:12 newhostkey
-rwxr-xr-x 1 root root  57256 Jun  1 01:12 pf_key
-rwxr-xr-x 1 root root 983100 Jun  1 01:12 pluto
-rwxr-xr-x 1 root root   7444 Jun  1 01:12 ranbits
-rwxr-xr-x 1 root root  18824 Jun  1 01:12 rsasigkey
-rwxr-xr-x 1 root root    766 Jun  1 01:12 secrets
lrwxrwxrwx 1 root root     17 Jun 21 20:37 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root   1054 Jun  1 01:12 showdefaults
-rwxr-xr-x 1 root root 240604 Jun  1 01:12 showhostkey
-rwxr-xr-x 1 root root  20064 Jun  1 01:12 showpolicy
-rwxr-xr-x 1 root root 139428 Jun  1 01:12 spi
-rwxr-xr-x 1 root root  77304 Jun  1 01:12 spigrp
-rwxr-xr-x 1 root root  66408 Jun  1 01:12 tncfg
-rwxr-xr-x 1 root root  13463 Jun  1 01:12 verify
-rwxr-xr-x 1 root root  50556 Jun  1 01:12 whack
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    3172      40    0    0    0     0          0         0     3172      40    0    0    0     0       0          0
  eth0:   29822     254    0    0    0     0          0         0    22272     129    0    0    0     0       0          0
  eth1:    4688      49    0    0    0     0          0         0     4688      49    0    0    0     0       0          0
  eth2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec0:    2944      46    0    0    0     0          0         0        0       0    0   92    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
 mast0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  ppp0:   22246     204    0    0    0     0          0         0    18654     111    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface	Destination	Gateway 	Flags	RefCnt	Use	Metric	Mask		MTU	Window	IRTT                                                       
ppp0	6C611ED4	00000000	0005	0	0	0	FFFFFFFF	0	0	0                                                                               
ipsec0	6C611ED4	00000000	0005	0	0	0	FFFFFFFF	0	0	0                                                                             
ppp0	70914156	00000000	0001	0	0	1	F0FFFFFF	0	0	0                                                                               
eth1	0011A8C0	00000000	0001	0	0	0	F0FFFFFF	0	0	0                                                                               
ipsec0	0032A8C0	6C611ED4	0003	0	0	0	00FFFFFF	0	0	0                                                                             
ipsec0	0096A8C0	6C611ED4	0003	0	0	0	00FFFFFF	0	0	0                                                                             
ppp0	00000000	00000000	0001	0	0	0	00000000	0	0	0                                                                               
+ _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
+ cat /proc/sys/net/ipv4/ip_no_pmtu_disc
0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
0
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter eth2/rp_filter eth3/rp_filter ipsec0/rp_filter ipsec1/rp_filter lo/rp_filter mast0/rp_filter ppp0/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:0
eth2/rp_filter:1
eth3/rp_filter:1
ipsec0/rp_filter:1
ipsec1/rp_filter:1
lo/rp_filter:0
mast0/rp_filter:1
ppp0/rp_filter:1
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects eth2/accept_redirects eth2/secure_redirects eth2/send_redirects eth3/accept_redirects eth3/secure_redirects eth3/send_redirects ipsec0/accept_redirects ipsec0/secure_redirects ipsec0/send_redirects ipsec1/accept_redirects ipsec1/secure_redirects ipsec1/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects mast0/accept_redirects mast0/secure_redirects mast0/send_redirects ppp0/accept_redirects ppp0/secure_redirects ppp0/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:1
default/accept_redirects:0
default/secure_redirects:1
default/send_redirects:1
eth0/accept_redirects:0
eth0/secure_redirects:1
eth0/send_redirects:1
eth1/accept_redirects:1
eth1/secure_redirects:1
eth1/send_redirects:1
eth2/accept_redirects:0
eth2/secure_redirects:1
eth2/send_redirects:1
eth3/accept_redirects:0
eth3/secure_redirects:1
eth3/send_redirects:1
ipsec0/accept_redirects:0
ipsec0/secure_redirects:1
ipsec0/send_redirects:1
ipsec1/accept_redirects:0
ipsec1/secure_redirects:1
ipsec1/send_redirects:1
lo/accept_redirects:1
lo/secure_redirects:1
lo/send_redirects:1
mast0/accept_redirects:0
mast0/secure_redirects:1
mast0/send_redirects:1
ppp0/accept_redirects:0
ppp0/secure_redirects:1
ppp0/send_redirects:1
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+ uname -a
Linux Fw-STEP.cat.local 2.6.32.15-bbone #4 Tue Jun 22 09:08:42 CEST 2010 i686 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ distro-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/redhat-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/debian-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/SuSE-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/mandrake-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/mandriva-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.6.26
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 139 packets, 14212 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 92 packets, 7728 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 69 packets, 11148 bytes)
 pkts bytes target     prot opt in     out     source               destination         
+ _________________________ iptables-nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 5 packets, 464 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 14 packets, 969 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 14 packets, 1405 bytes)
 pkts bytes target     prot opt in     out     source               destination         
+ _________________________ iptables-mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
iptable_mangle 1173 0 - Live 0xded62000
xt_TCPMSS 1723 0 - Live 0xdcdec000
pppoe 6189 2 - Live 0xdcdc9000
pppox 1138 1 pppoe, Live 0xdcdbc000
ppp_generic 14814 6 pppoe,pppox, Live 0xdcdae000
slhc 3695 1 ppp_generic, Live 0xdcd9e000
xt_tcpudp 1727 0 - Live 0xdcbbf000
ipsec 299548 2 - Live 0xdcb41000
ccm 5793 0 - Live 0xdcadb000
ecb 1377 0 - Live 0xdcad0000
sha512_generic 7945 0 - Live 0xdcac5000
deflate 1279 0 - Live 0xdca76000
zlib_deflate 15922 1 deflate, Live 0xdca69000
ctr 2571 0 - Live 0xdca5c000
twofish 5325 0 - Live 0xdca51000
twofish_common 12588 1 twofish, Live 0xdca44000
camellia 17293 0 - Live 0xdca33000
serpent 17043 0 - Live 0xdca21000
blowfish 7132 0 - Live 0xdca13000
cast5 15093 0 - Live 0xdca05000
des_generic 15095 0 - Live 0xdc9f5000
padlock_aes 3815 0 - Live 0xdc9e7000
aes_i586 6792 0 - Live 0xdc9dc000
aes_generic 25730 2 padlock_aes,aes_i586, Live 0xdc9ca000
xcbc 1837 0 - Live 0xdc9b9000
rmd160 6196 0 - Live 0xdc9ae000
sha256_generic 9033 0 - Live 0xdc9a1000
padlock_sha 2633 0 - Live 0xdc996000
sha1_generic 1367 0 - Live 0xdc98c000
md5 3245 0 - Live 0xdc983000
crypto_null 1856 0 - Live 0xdc979000
nf_nat_ftp 1295 0 - Live 0xdc959000
iptable_nat 2934 0 - Live 0xdc94f000
xt_conntrack 1895 0 - Live 0xdc944000
ipt_MASQUERADE 1174 0 - Live 0xdc93a000
nf_nat 10227 3 nf_nat_ftp,iptable_nat,ipt_MASQUERADE, Live 0xdc92d000
ipt_ULOG 3673 0 - Live 0xdc91f000
ipt_LOG 3767 0 - Live 0xdc914000
xt_state 895 0 - Live 0xdc90a000
xt_limit 984 0 - Live 0xdc901000
iptable_filter 950 0 - Live 0xdc8f7000
nf_conntrack_h323 30146 0 - Live 0xdc8e3000
nf_conntrack_irc 2367 0 - Live 0xdc8cf000
nf_conntrack_ftp 4068 1 nf_nat_ftp, Live 0xdc8c4000
nf_conntrack_ipv4 7383 3 iptable_nat,nf_nat, Live 0xdc8b7000
nf_conntrack 37163 10 nf_nat_ftp,iptable_nat,xt_conntrack,ipt_MASQUERADE,nf_nat,xt_state,nf_conntrack_h323,nf_conntrack_irc,nf_conntrack_ftp,nf_conntrack_ipv4, Live 0xdc89a000
nf_defrag_ipv4 759 1 nf_conntrack_ipv4, Live 0xdc87f000
ip_tables 7305 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xdc875000
x_tables 7696 10 xt_TCPMSS,xt_tcpudp,iptable_nat,xt_conntrack,ipt_MASQUERADE,ipt_ULOG,ipt_LOG,xt_state,xt_limit,ip_tables, Live 0xdc866000
i2c_viapro 4187 0 - Live 0xdc817000
processor 22633 1 - Live 0xdc805000
button 3506 0 - Live 0xdc7f2000
ext3 92895 3 - Live 0xdc7cc000
jbd 33002 1 ext3, Live 0xdc795000
fan 2562 0 - Live 0xdc774000
uhci_hcd 15204 0 - Live 0xdc766000
8139too 12802 0 - Live 0xdc744000
thermal 9107 0 - Live 0xdc731000
thermal_sys 8353 3 processor,fan,thermal, Live 0xdc720000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal:         449872 kB
MemFree:          392032 kB
Buffers:            4176 kB
Cached:            35248 kB
SwapCached:            0 kB
Active:            21144 kB
Inactive:          23948 kB
Active(anon):       8324 kB
Inactive(anon):        0 kB
Active(file):      12820 kB
Inactive(file):    23948 kB
Unevictable:           0 kB
Mlocked:               0 kB
SwapTotal:        506036 kB
SwapFree:         506036 kB
Dirty:               128 kB
Writeback:             0 kB
AnonPages:          5688 kB
Mapped:             4964 kB
Shmem:              2656 kB
Slab:               8952 kB
SReclaimable:       3732 kB
SUnreclaim:         5220 kB
KernelStack:         512 kB
PageTables:          492 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:      730972 kB
Committed_AS:      18440 kB
VmallocTotal:     582408 kB
VmallocUsed:        1660 kB
VmallocChunk:     542968 kB
HugePages_Total:       0
HugePages_Free:        0
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       4096 kB
DirectMap4k:       11136 kB
DirectMap4M:      446464 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Jun 22 11:51 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Jun 22 11:51 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Jun 22 11:51 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Jun 22 11:51 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Jun 22 11:51 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Jun 22 11:51 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP|CONFIG_HW_RANDOM|CONFIG_CRYPTO_DEV|_XFRM'
+ zcat /proc/config.gz
# CONFIG_IPC_NS is not set
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
# CONFIG_XFRM_STATISTICS is not set
CONFIG_NET_KEY=m
# CONFIG_NET_KEY_MIGRATE is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_XFRM_TUNNEL is not set
CONFIG_INET_TUNNEL=m
# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
# CONFIG_INET_XFRM_MODE_TUNNEL is not set
# CONFIG_INET_XFRM_MODE_BEET is not set
CONFIG_INET_LRO=y
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
# CONFIG_IPV6 is not set
# CONFIG_IP_VS is not set
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_SECURITY=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
CONFIG_KLIPS=m
CONFIG_KLIPS_ESP=y
# CONFIG_KLIPS_AH is not set
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
CONFIG_KLIPS_ALG=y
# CONFIG_KLIPS_ENC_CRYPTOAPI is not set
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
CONFIG_KLIPS_IPCOMP=y
# CONFIG_KLIPS_OCF is not set
CONFIG_KLIPS_DEBUG=y
CONFIG_KLIPS_IF_MAX=64
# CONFIG_IPMI_HANDLER is not set
CONFIG_HW_RANDOM=y
# CONFIG_HW_RANDOM_TIMERIOMEM is not set
# CONFIG_HW_RANDOM_INTEL is not set
# CONFIG_HW_RANDOM_AMD is not set
# CONFIG_HW_RANDOM_GEODE is not set
CONFIG_HW_RANDOM_VIA=y
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m
CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
CONFIG_CRYPTO_DEV_GEODE=m
# CONFIG_CRYPTO_DEV_HIFN_795X is not set
+ _________________________ etc/syslog.conf
+ _________________________ etc/syslog-ng/syslog-ng.conf
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ cat /etc/syslog.conf
#  /etc/syslog.conf	Configuration file for syslogd.
#
#			For more information see syslog.conf(5)
#			manpage.

#
# First some standard logfiles.  Log by facility.
#

auth,authpriv.*			/var/log/auth.log
*.*;auth,authpriv.none		-/var/log/syslog
#cron.*				/var/log/cron.log
daemon.*			-/var/log/daemon.log
kern.*				-/var/log/kern.log
lpr.*				-/var/log/lpr.log
mail.*				-/var/log/mail.log
user.*				-/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info			-/var/log/mail.info
mail.warn			-/var/log/mail.warn
mail.err			/var/log/mail.err

# Logging for INN news system
#
news.crit			/var/log/news/news.crit
news.err			/var/log/news/news.err
news.notice			-/var/log/news/news.notice

#
# Some `catch-all' logfiles.
#
*.=debug;\
	auth,authpriv.none;\
	news.none;mail.none	-/var/log/debug
*.=info;*.=notice;*.=warn;\
	auth,authpriv.none;\
	cron,daemon.none;\
	mail,news.none		-/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg				*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#	news.=crit;news.=err;news.=notice;\
#	*.=debug;*.=info;\
#	*.=notice;*.=warn	/dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
# 
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
	news.err;\
	*.=debug;*.=info;\
	*.=notice;*.=warn	|/dev/xconsole

+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
#nameserver 212.30.96.123
#nameserver 213.203.124.147
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 20
drwxr-sr-x 3 root root 4096 Apr 18  2008 2.6.18.4-bbone
drwxr-sr-x 3 root root 4096 Sep 22  2008 2.6.18-6-686
drwxr-xr-x 3 root root 4096 Jun 21 13:51 2.6.26-2-686
drwxr-sr-x 3 root root 4096 Jun 21 14:04 2.6.22.18-bbone
drwxr-xr-x 3 root root 4096 Jun 22 09:45 2.6.32.15-bbone
+ _________________________ fipscheck
+ cat /proc/sys/crypto/fips_enabled
cat: /proc/sys/crypto/fips_enabled: No such file or directory
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c11a425a T netif_rx
c11a4328 T netif_rx_ni
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.18-6-686: 
2.6.18.4-bbone: 
2.6.22.18-bbone: 
2.6.26-2-686: 
2.6.32.15-bbone: 
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ case "$1" in
+ cat
+ egrep -i 'ipsec|klips|pluto'
+ sed -n '14138,$p' /var/log/syslog
Jun 22 11:50:12 Fw-STEP pppd: ipsec_setup: Starting Openswan IPsec 2.6.26...
Jun 22 11:50:12 Fw-STEP ipsec_setup: Using KLIPS/legacy stack
Jun 22 11:50:12 Fw-STEP ipsec_setup: KLIPS debug `none'
Jun 22 11:50:12 Fw-STEP ipsec_setup: KLIPS ipsec0 on ppp0 86.66.57.152/255.255.255.255 pointopoint 212.30.97.108 
Jun 22 11:50:12 Fw-STEP ipsec_setup: ...Openswan IPsec started
Jun 22 11:50:12 Fw-STEP pluto: adjusting ipsec.d to /etc/ipsec.d
Jun 22 11:50:12 Fw-STEP ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jun 22 11:50:13 Fw-STEP ipsec__plutorun: 002 added connection description "tunnel_606367472_606129818"
Jun 22 11:50:13 Fw-STEP ipsec__plutorun: 002 added connection description "tunnel_606367472_606334982"
Jun 22 11:50:13 Fw-STEP ipsec__plutorun: 104 "tunnel_606367472_606129818" #1: STATE_MAIN_I1: initiate
+ _________________________ plog
+ case "$1" in
+ cat
+ egrep -i pluto
+ sed -n '29513,$p' /var/log/auth.log
Jun 22 11:50:12 Fw-STEP ipsec__plutorun: Starting Pluto subsystem...
Jun 22 11:50:12 Fw-STEP pluto[4242]: Starting Pluto (Openswan Version 2.6.26; Vendor ID OEPK~zvMNd_W) pid:4242
Jun 22 11:50:13 Fw-STEP pluto[4242]: Setting NAT-Traversal port-4500 floating to off
Jun 22 11:50:13 Fw-STEP pluto[4242]:    port floating activation criteria nat_t=0/port_float=1
Jun 22 11:50:13 Fw-STEP pluto[4242]:    NAT-Traversal support  [disabled]
Jun 22 11:50:13 Fw-STEP pluto[4242]: using /dev/urandom as source of random entropy
Jun 22 11:50:13 Fw-STEP pluto[4242]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jun 22 11:50:13 Fw-STEP pluto[4242]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jun 22 11:50:13 Fw-STEP pluto[4242]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jun 22 11:50:13 Fw-STEP pluto[4242]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 22 11:50:13 Fw-STEP pluto[4242]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jun 22 11:50:13 Fw-STEP pluto[4242]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jun 22 11:50:13 Fw-STEP pluto[4242]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jun 22 11:50:13 Fw-STEP pluto[4242]: starting up 1 cryptographic helpers
Jun 22 11:50:13 Fw-STEP pluto[4242]: started helper pid=4259 (fd:7)
Jun 22 11:50:13 Fw-STEP pluto[4242]: Using KLIPS IPsec interface code on 2.6.32.15-bbone
Jun 22 11:50:13 Fw-STEP pluto[4259]: using /dev/urandom as source of random entropy
Jun 22 11:50:13 Fw-STEP pluto[4242]: Changed path to directory '/etc/ipsec.d/cacerts'
Jun 22 11:50:13 Fw-STEP pluto[4242]: Changed path to directory '/etc/ipsec.d/aacerts'
Jun 22 11:50:13 Fw-STEP pluto[4242]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jun 22 11:50:13 Fw-STEP pluto[4242]: Changing to directory '/etc/ipsec.d/crls'
Jun 22 11:50:13 Fw-STEP pluto[4242]:   Warning: empty directory
Jun 22 11:50:13 Fw-STEP pluto[4242]: added connection description "tunnel_606367472_606129818"
Jun 22 11:50:13 Fw-STEP pluto[4242]: added connection description "tunnel_606367472_606334982"
Jun 22 11:50:13 Fw-STEP pluto[4242]: listening for IKE messages
Jun 22 11:50:13 Fw-STEP pluto[4242]: adding interface ipsec0/ppp0 86.66.57.152:500
Jun 22 11:50:13 Fw-STEP pluto[4242]: loading secrets from "/etc/ipsec.secrets"
Jun 22 11:50:13 Fw-STEP pluto[4242]: loaded private key for keyid: PPK_RSA:AQOgKi2vo
Jun 22 11:50:13 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #1: initiating Main Mode
Jun 22 11:50:13 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #1: ignoring unknown Vendor ID payload [4f45606c50487c5662707575]
Jun 22 11:50:13 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #1: received Vendor ID payload [Dead Peer Detection]
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #1: Main mode peer ID is ID_FQDN: '@Fw-CAT.cat.local'
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606334982" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:97040ba5 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:e4ecbbd3 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606334982" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606334982" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xce3e78f5 <0x0440f943 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 22 11:50:14 Fw-STEP pluto[4242]: "tunnel_606367472_606129818" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xce3e78f6 <0x0440f944 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
+ _________________________ date
+ date
Tue Jun 22 11:51:35 CEST 2010

