[Openswan Users] SA Established, no ping
Nick Howitt
n1ck.h0w1tt at gmail.com
Tue May 7 07:34:49 UTC 2013
Add left/rightsourceip to your conns
Nick
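Why a source address matters here, as an added example that is not part of the original message and not Openswan code: it matches packets against the `dir out` selectors from the `ip xfrm policy` output in the quoted barf log, first with the server's own address as source, then with a source inside leftsubnet, which is what a sourceip setting selects. The address 192.168.1.1 and all function names are assumptions for illustration; the matcher ignores policy priority and port/protocol selectors.

```python
import ipaddress
import re

# `ip xfrm policy` entries copied from the barf log on this page, with the
# mail archive's line wrapping undone. One numeric-dir entry is kept to show
# that its 0.0.0.0/0 selector must not be counted as an "out" policy.
XFRM_POLICY = """\
src 192.168.1.0/24 dst 192.168.0.0/24
    dir out priority 2344 ptype main
    tmpl src 179.34.222.31 dst 82.198.121.45
        proto esp reqid 16389 mode tunnel
src 192.168.0.0/24 dst 192.168.1.0/24
    dir fwd priority 2344 ptype main
    tmpl src 82.198.121.45 dst 179.34.222.31
        proto esp reqid 16389 mode tunnel
src 192.168.0.0/24 dst 192.168.1.0/24
    dir in priority 2344 ptype main
    tmpl src 82.198.121.45 dst 179.34.222.31
        proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
"""

HOST_ADDR = "179.34.222.31"       # only global IPv4 address on eth0 in the log
PEER_LAN_ADDR = "192.168.0.1"     # the router address pinged in the post
ASSUMED_SOURCEIP = "192.168.1.1"  # assumption: some host address in leftsubnet


def parse_policies(text):
    """Turn `ip xfrm policy` text into a list of dicts, one per policy."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("tmpl "):
            # The template's src/dst are the tunnel endpoints, not a selector.
            m = re.match(r"tmpl src (\S+) dst (\S+)", line)
            if m and current is not None:
                current["tunnel"] = (m.group(1), m.group(2))
        elif line.startswith("src "):
            # A selector line starts a new policy entry.
            m = re.match(r"src (\S+) dst (\S+)", line)
            if m:
                current = {
                    "src": ipaddress.ip_network(m.group(1), strict=False),
                    "dst": ipaddress.ip_network(m.group(2), strict=False),
                    "dir": None,
                    "tunnel": None,
                }
                policies.append(current)
        elif line.startswith("dir ") and current is not None:
            current["dir"] = line.split()[1]
    return policies


def match_out_policy(policies, src, dst):
    """Return the first `dir out` policy whose selectors cover src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == "out" and s in p["src"] and d in p["dst"]:
            return p
    return None


def describe(policies, src, dst):
    """One-line verdict on how a locally generated packet would leave."""
    p = match_out_policy(policies, src, dst)
    if p is None:
        return "%s -> %s: no out policy matches, sent unencrypted via the routing table" % (src, dst)
    tunnel = p["tunnel"] or ("?", "?")
    return "%s -> %s: ESP tunnel %s -> %s" % (src, dst, tunnel[0], tunnel[1])


if __name__ == "__main__":
    pols = parse_policies(XFRM_POLICY)
    # Ping as run in the post: the source is the server's public address.
    print(describe(pols, HOST_ADDR, PEER_LAN_ADDR))
    # Same ping with a source inside 192.168.1.0/24.
    print(describe(pols, ASSUMED_SOURCEIP, PEER_LAN_ADDR))
```

The first case is consistent with the traceroute in the quoted post, where the first hop is 178.32.223.253 on the default route rather than the tunnel.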
On 2013-05-07 02:34, Patrick Naubert wrote:
> Rescued from the Spam bucket. Please remember to subscribe to the mailing list before posting to it.
>
> Begin forwarded message:
>
> FROM: "serzer at gmail.com" <serzer at gmail.com>
> SUBJECT: SA ESTABLISHED, NO PING
> DATE: 3 May, 2013 8:59:36 PM EDT
> TO: users at lists.openswan.org
>
> Hello, I am trying to establish a connection between my mikrotik router and CentOS 6.4 server
>
> Looks like ipsec tunnel is establishing, but I am not able to ping my router:
>
> [root@ks3307690 ~]# ping 192.168.0.1
> PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
> ^C
> --- 192.168.0.1 ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 2285ms
>
> [root@ks3307690 ~]# traceroute 192.168.0.1
> traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 60 byte packets
> 1 178.32.223.253 (178.32.223.253) 0.842 ms^C
>
> here is the barf log:
>
> [root@ks3307690 ~]# ipsec barf
> ks3307690.kimsufi.com
> Sat May 4 02:55:49 CEST 2013
> + _________________________ version
> + ipsec --version
> Linux Openswan U2.6.32/K2.6.32-358.6.1.el6.x86_64 (netkey)
> See `ipsec --copyright' for copyright information.
> + _________________________ /proc/version
> + cat /proc/version
> Linux version 2.6.32-358.6.1.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC) ) #1 SMP Tue Apr 23 19:29:00 UTC 2013
> + _________________________ /proc/net/ipsec_eroute
> + test -r /proc/net/ipsec_eroute
> + _________________________ netstat-rn
> + netstat -nr
> + head -n 100
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 178.32.223.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 0.0.0.0 178.32.223.254 0.0.0.0 UG 0 0 0 eth0
> + _________________________ /proc/net/ipsec_spi
> + test -r /proc/net/ipsec_spi
> + _________________________ /proc/net/ipsec_spigrp
> + test -r /proc/net/ipsec_spigrp
> + _________________________ /proc/net/ipsec_tncfg
> + test -r /proc/net/ipsec_tncfg
> + _________________________ /proc/net/pfkey
> + test -r /proc/net/pfkey
> + cat /proc/net/pfkey
> sk RefCnt Rmem Wmem User Inode
> + _________________________ ip-xfrm-state
> + ip xfrm state
> src 82.198.121.45 dst 179.34.222.31
> proto esp spi 0x743427d2 reqid 16389 mode tunnel
> replay-window 32 flag 20
> auth hmac(sha1) 0x0ec98333b7b35011dd556775706927fb24bc91b4
> enc cbc(des3_ede) 0x5acc8c5560d040f567ead8e79977da51e0c50db968e4aa15
> src 179.34.222.31 dst 82.198.121.45
> proto esp spi 0x01eea26a reqid 16389 mode tunnel
> replay-window 32 flag 20
> auth hmac(sha1) 0x2564bcea5b8774578011ab4ab09bd9323f436f16
> enc cbc(des3_ede) 0x059e52c2b2dd0dbca0342ff5be47c5a908f1be5bb4de6447
> + _________________________ ip-xfrm-policy
> + ip xfrm policy
> src 192.168.1.0/24 dst 192.168.0.0/24
> dir out priority 2344 ptype main
> tmpl src 179.34.222.31 dst 82.198.121.45
> proto esp reqid 16389 mode tunnel
> src 192.168.0.0/24 dst 192.168.1.0/24
> dir fwd priority 2344 ptype main
> tmpl src 82.198.121.45 dst 179.34.222.31
> proto esp reqid 16389 mode tunnel
> src 192.168.0.0/24 dst 192.168.1.0/24
> dir in priority 2344 ptype main
> tmpl src 82.198.121.45 dst 179.34.222.31
> proto esp reqid 16389 mode tunnel
> src ::/0 dst ::/0
> dir 4 priority 0 ptype main
> src ::/0 dst ::/0
> dir 3 priority 0 ptype main
> src ::/0 dst ::/0
> dir 4 priority 0 ptype main
> src ::/0 dst ::/0
> dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir 3 priority 0 ptype main
> + _________________________ /proc/crypto
> + test -r /proc/crypto
> + cat /proc/crypto
> + __________________________/proc/sys/net/core/xfrm-star
> /usr/libexec/ipsec/barf: line 190: __________________________/proc/sys/net/core/xfrm-star: No such file or directory
> + for i in '/proc/sys/net/core/xfrm_*'
> + echo -n '/proc/sys/net/core/xfrm_acq_expires: '
> /proc/sys/net/core/xfrm_acq_expires: + cat /proc/sys/net/core/xfrm_acq_expires
> 30
> + for i in '/proc/sys/net/core/xfrm_*'
> + echo -n '/proc/sys/net/core/xfrm_aevent_etime: '
> /proc/sys/net/core/xfrm_aevent_etime: + cat /proc/sys/net/core/xfrm_aevent_etime
> 10
> + for i in '/proc/sys/net/core/xfrm_*'
> + echo -n '/proc/sys/net/core/xfrm_aevent_rseqth: '
> /proc/sys/net/core/xfrm_aevent_rseqth: + cat /proc/sys/net/core/xfrm_aevent_rseqth
> 2
> + for i in '/proc/sys/net/core/xfrm_*'
> + echo -n '/proc/sys/net/core/xfrm_larval_drop: '
> /proc/sys/net/core/xfrm_larval_drop: + cat /proc/sys/net/core/xfrm_larval_drop
> 1
> + _________________________ /proc/sys/net/ipsec-star
> + test -d /proc/sys/net/ipsec
> + _________________________ ipsec/status
> + ipsec auto --status
> 000 using kernel interface: netkey
> 000 interface eth0/eth0 2001:41d0:8:e242::1
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 179.34.222.31
> 000 interface eth0/eth0 179.34.222.31
> 000 %myid = (none)
> 000 debug none
> 000
> 000 virtual_private (%priv):
> 000 - allowed 0 subnets:
> 000 - disallowed 0 subnets:
> 000 WARNING: Either virtual_private= is not specified, or there is a syntax
> 000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!
> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> 000 private address space in internal use, it should be excluded!
> 000
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> 000
> 000 "mikrotik": 192.168.1.0/24===179.34.222.31<179.34.222.31>[+S=C]...192.168.0.1---82.198.121.45<82.198.121.45>[+S=C]===192.168.0.0/24; erouted; eroute owner: #7
> 000 "mikrotik": myip=unset; hisip=unset;
> 000 "mikrotik": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "mikrotik": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
> 000 "mikrotik": newest ISAKMP SA: #6; newest IPsec SA: #7;
> 000 "mikrotik": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
> 000
> 000 #7: "mikrotik":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27750s; newest IPSEC; eroute owner; isakmp#6; idle; import:admin initiate
> 000 #7: "mikrotik" esp.1eea26a@82.198.121.45 esp.743427d2@179.34.222.31 tun.0@82.198.121.45 tun.0@179.34.222.31 ref=0 refhim=4294901761
> 000 #6: "mikrotik":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2625s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000
> + _________________________ ifconfig-a
> + ifconfig -a
> eth0 Link encap:Ethernet HWaddr 4C:72:B9:D1:C4:25
> inet addr:179.34.222.31 Bcast:178.32.223.255 Mask:255.255.255.0
> inet6 addr: 2001:41d0:8:e242::1/64 Scope:Global
> inet6 addr: fe80::4e72:b9ff:fed1:c425/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:17969 errors:0 dropped:0 overruns:0 frame:0
> TX packets:48900 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:1532137 (1.4 MiB) TX bytes:14568681 (13.8 MiB)
> Interrupt:20 Memory:fe500000-fe520000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:248 errors:0 dropped:0 overruns:0 frame:0
> TX packets:248 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:39867 (38.9 KiB) TX bytes:39867 (38.9 KiB)
>
> + _________________________ ip-addr-list
> + ip addr list
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
> link/ether 4c:72:b9:d1:c4:25 brd ff:ff:ff:ff:ff:ff
> inet 179.34.222.31/24 brd 178.32.223.255 scope global eth0
> inet6 2001:41d0:8:e242::1/64 scope global
> valid_lft forever preferred_lft forever
> inet6 fe80::4e72:b9ff:fed1:c425/64 scope link
> valid_lft forever preferred_lft forever
> + _________________________ ip-route-list
> + ip route list
> 178.32.223.0/24 dev eth0 proto kernel scope link src 179.34.222.31
> default via 178.32.223.254 dev eth0
> + _________________________ ip-rule-list
> + ip rule list
> 0: from all lookup local
> 32766: from all lookup main
> 32767: from all lookup default
> + _________________________ ipsec_verify
> + ipsec verify --nocolour
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.32/K2.6.32-358.6.1.el6.x86_64 (netkey)
> Checking for IPsec support in kernel [OK]
> SAref kernel support [N/A]
> NETKEY: Testing for disabled ICMP send_redirects [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Testing against enforced SElinux mode [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for NAT-T on udp 4500 [OK]
> Checking for 'ip' command [OK]
> Checking /bin/sh is not /bin/dash [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
> + _________________________ mii-tool
> + '[' -x /sbin/mii-tool ']'
> + /sbin/mii-tool -v
> No interface specified
> usage: /sbin/mii-tool [-VvRrwl] [-A media,... | -F media] <interface> ...
> -V, --version display version information
> -v, --verbose more verbose output
> -R, --reset reset MII to poweron state
> -r, --restart restart autonegotiation
> -w, --watch monitor for link status changes
> -l, --log with -w, write events to syslog
> -A, --advertise=media,... advertise only specified media
> -F, --force=media force specified media technology
> media: 100baseT4, 100baseTx-FD, 100baseTx-HD, 10baseT-FD, 10baseT-HD,
> (to advertise both HD and FD) 100baseTx, 10baseT
> + _________________________ ipsec/directory
> + ipsec --directory
> /usr/libexec/ipsec
> + _________________________ hostname/fqdn
> + hostname --fqdn
> ks3307690.kimsufi.com
> + _________________________ hostname/ipaddress
> + hostname --ip-address
> 179.34.222.31
> + _________________________ uptime
> + uptime
> 02:55:49 up 1:09, 2 users, load average: 0.06, 0.03, 0.00
> + _________________________ ps
> + ps alxwf
> + egrep -i 'ppid|pluto|ipsec|klips'
> F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
> 4 0 7913 1701 20 0 106064 1480 wait S+ pts/0 0:00 | _ /bin/sh /usr/libexec/ipsec/barf
> 0 0 7978 7913 20 0 4148 672 pipe_w S+ pts/0 0:00 | _ egrep -i ppid|pluto|ipsec|klips
> 1 0 4897 1 20 0 9192 524 wait S pts/0 0:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private oe=off --listen --crlcheckinterval 0 --ocspuri --nhelpers --secctx_attr_value --dump --opts --stderrlog --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
> 1 0 4899 4897 20 0 9192 692 wait S pts/0 0:00 _ /bin/sh /usr/libexec/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private oe=off --listen --crlcheckinterval 0 --ocspuri --nhelpers --secctx_attr_value --dump --opts --stderrlog --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
> 4 0 4903 4899 20 0 313724 7860 poll_s Sl pts/0 0:00 | _ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --virtual_private oe=off
> 0 0 4934 4903 20 0 6080 404 poll_s S pts/0 0:00 | _ _pluto_adns
> 0 0 4900 4897 20 0 9192 1316 pipe_w S pts/0 0:00 _ /bin/sh /usr/libexec/ipsec/_plutoload --wait no --post
> 0 0 4898 1 20 0 4056 664 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun
> + _________________________ ipsec/showdefaults
> + ipsec showdefaults
> routephys=eth0
> routevirt=none
> routeaddr=179.34.222.31
> routenexthop=178.32.223.254
> + _________________________ ipsec/conf
> + ipsec _include /etc/ipsec.conf
> + ipsec _keycensor
>
> #< /etc/ipsec.conf 1
> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual: ipsec.conf.5
> #
> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     # klipsdebug=none
>     # plutodebug="control parsing"
>     # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>     #protostack=klips
>     interfaces=%defaultroute
>     protostack=netkey
>
>     nat_traversal=yes
>     virtual_private=
>     oe=off
>     # Enable this if you see "failed to find any available worker"
>     # nhelpers=0
>
> conn mikrotik
>     left=179.34.222.31
>     leftsubnet=192.168.1.0/24
>     #leftnexthop=%defaultroute
>
>     right=82.198.121.45
>     rightsubnet=192.168.0.0/24
>     rightnexthop=192.168.0.1
>
>     type=tunnel
>     authby=secret
>     auto=start
> #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
> #include /etc/ipsec.d/*.conf
> + _________________________ ipsec/secrets
> + ipsec _include /etc/ipsec.secrets
> + ipsec _secretcensor
>
> #< /etc/ipsec.secrets 1
> #:cannot open configuration file '/etc/ipsec.d/*.secrets'
>
> #> /etc/ipsec.secrets 2
> 179.34.222.31 82.198.121.45: PSK "[sums to 354c...]"
> + _________________________ ipsec/listall
> + ipsec auto --listall
> 000
> 000 List of Public Keys:
> 000
> 000 List of Pre-shared secrets (from /etc/ipsec.secrets)
> 000 2: PSK 82.198.121.45 179.34.222.31
> + '[' /etc/ipsec.d/policies ']'
> + for policy in '$POLICIES/*'
> ++ basename /etc/ipsec.d/policies/block
> + base=block
> + _________________________ ipsec/policies/block
> + cat /etc/ipsec.d/policies/block
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should never be allowed.
> #
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
>
> + for policy in '$POLICIES/*'
> ++ basename /etc/ipsec.d/policies/clear
> + base=clear
> + _________________________ ipsec/policies/clear
> + cat /etc/ipsec.d/policies/clear
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should always be in the clear.
> #
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
>
> # root name servers should be in the clear
> + for policy in '$POLICIES/*'
> ++ basename /etc/ipsec.d/policies/clear-or-private
> + base=clear-or-private
> + _________________________ ipsec/policies/clear-or-private
> + cat /etc/ipsec.d/policies/clear-or-private
> # This file defines the set of CIDRs (network/mask-length) to which
> # we will communicate in the clear, or, if the other side initiates IPSEC,
> # using encryption. This behaviour is also called "Opportunistic Responder".
> #
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
> + for policy in '$POLICIES/*'
> ++ basename /etc/ipsec.d/policies/private
> + base=private
> + _________________________ ipsec/policies/private
> + cat /etc/ipsec.d/policies/private
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should always be private (i.e. encrypted).
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
> + for policy in '$POLICIES/*'
> ++ basename /etc/ipsec.d/policies/private-or-clear
> + base=private-or-clear
> + _________________________ ipsec/policies/private-or-clear
> + cat /etc/ipsec.d/policies/private-or-clear
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should be private, if possible, but in the clear otherwise.
> #
> # If the target has a TXT (later IPSECKEY) record that specifies
> # authentication material, we will require private (i.e. encrypted)
> # communications. If no such record is found, communications will be
> # in the clear.
> #
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
> #
>
> 0.0.0.0/0
> + _________________________ ipsec/ls-libdir
> + ls -l /usr/libexec/ipsec
> total 2676
> -rwxr-xr-x. 1 root root 10592 Sep 24 2012 _copyright
> -rwxr-xr-x. 1 root root 2430 Sep 24 2012 _include
> -rwxr-xr-x. 1 root root 1475 Sep 24 2012 _keycensor
> -rwxr-xr-x. 1 root root 14528 Sep 24 2012 _pluto_adns
> -rwxr-xr-x. 1 root root 2567 Sep 24 2012 _plutoload
> -rwxr-xr-x. 1 root root 8474 Sep 24 2012 _plutorun
> -rwxr-xr-x. 1 root root 13671 Sep 24 2012 _realsetup
> -rwxr-xr-x. 1 root root 1975 Sep 24 2012 _secretcensor
> -rwxr-xr-x. 1 root root 11507 Sep 24 2012 _startklips
> -rwxr-xr-x. 1 root root 6096 Sep 24 2012 _startnetkey
> -rwxr-xr-x. 1 root root 4923 Sep 24 2012 _updown
> -rwxr-xr-x. 1 root root 16227 Sep 24 2012 _updown.klips
> -rwxr-xr-x. 1 root root 16583 Sep 24 2012 _updown.mast
> -rwxr-xr-x. 1 root root 13745 Sep 24 2012 _updown.netkey
> -rwxr-xr-x. 1 root root 226704 Sep 24 2012 addconn
> -rwxr-xr-x. 1 root root 6015 Sep 24 2012 auto
> -rwxr-xr-x. 1 root root 10978 Sep 24 2012 barf
> -rwxr-xr-x. 1 root root 93840 Sep 24 2012 eroute
> -rwxr-xr-x. 1 root root 26736 Sep 24 2012 ikeping
> -rwxr-xr-x. 1 root root 69552 Sep 24 2012 klipsdebug
> -rwxr-xr-x. 1 root root 2455 Sep 24 2012 look
> -rwxr-xr-x. 1 root root 2189 Sep 24 2012 newhostkey
> -rwxr-xr-x. 1 root root 64976 Sep 24 2012 pf_key
> -rwxr-xr-x. 1 root root 1093328 Sep 24 2012 pluto
> -rwxr-xr-x. 1 root root 12349 Sep 24 2012 policy
> -rwxr-xr-x. 1 root root 10576 Sep 24 2012 ranbits
> -rwxr-xr-x. 1 root root 27376 Sep 24 2012 rsasigkey
> -rwxr-xr-x. 1 root root 704 Sep 24 2012 secrets
> lrwxrwxrwx. 1 root root 30 May 4 01:15 setup -> ../../../etc/rc.d/init.d/ipsec
> -rwxr-xr-x. 1 root root 1126 Sep 24 2012 showdefaults
> -rwxr-xr-x. 1 root root 267584 Sep 24 2012 showhostkey
> -rwxr-xr-x. 1 root root 26736 Sep 24 2012 showpolicy
> -rwxr-xr-x. 1 root root 176552 Sep 24 2012 spi
> -rwxr-xr-x. 1 root root 81504 Sep 24 2012 spigrp
> -rwxr-xr-x. 1 root root 77032 Sep 24 2012 tncfg
> -rwxr-xr-x. 1 root root 14828 Sep 24 2012 verify
> -rwxr-xr-x. 1 root root 59904 Sep 24 2012 whack
> + _________________________ ipsec/ls-execdir
> + ls -l /usr/libexec/ipsec
> + _________________________ /proc/net/dev
> + cat /proc/net/dev
> Inter-| Receive | Transmit
> face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
> lo: 40474 252 0 0 0 0 0 0 40474 252 0 0 0 0 0 0
> eth0: 1532197 17970 0 0 0 0 0 41 14568681 48900 0 0 0 0 0 0
> + _________________________ /proc/net/route
> + cat /proc/net/route
> Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
> eth0 00DF20B2 00000000 0001 0 0 0 00FFFFFF 0 0 0
> eth0 00000000 FEDF20B2 0003 0 0 0 00000000 0 0 0
> + _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
> + cat /proc/sys/net/ipv4/ip_no_pmtu_disc
> 0
> + _________________________ /proc/sys/net/ipv4/ip_forward
> + cat /proc/sys/net/ipv4/ip_forward
> 1
> + _________________________ /proc/sys/net/ipv4/tcp_ecn
> + cat /proc/sys/net/ipv4/tcp_ecn
> 2
> + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
> + cd /proc/sys/net/ipv4/conf
> + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter
> all/rp_filter:0
> default/rp_filter:0
> eth0/rp_filter:0
> lo/rp_filter:0
> + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
> + cd /proc/sys/net/ipv4/conf
> + egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects
> all/accept_redirects:0
> all/secure_redirects:1
> all/send_redirects:0
> default/accept_redirects:0
> default/secure_redirects:1
> default/send_redirects:0
> eth0/accept_redirects:0
> eth0/secure_redirects:1
> eth0/send_redirects:0
> lo/accept_redirects:0
> lo/secure_redirects:1
> lo/send_redirects:0
> + _________________________ /proc/sys/net/ipv4/tcp_window_scaling
> + cat /proc/sys/net/ipv4/tcp_window_scaling
> 1
> + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
> + cat /proc/sys/net/ipv4/tcp_adv_win_scale
> 2
> + _________________________ uname-a
> + uname -a
> Linux ks3307690.kimsufi.com [4] 2.6.32-358.6.1.el6.x86_64 #1 SMP Tue Apr 23 19:29:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> + _________________________ config-built-with
> + test -r /proc/config_built_with
> + _________________________ distro-release
> + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
> + test -f /etc/redhat-release
> + cat /etc/redhat-release
> CentOS release 6.4 (Final)
> + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
> + test -f /etc/debian-release
> + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
> + test -f /etc/SuSE-release
> + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
> + test -f /etc/mandrake-release
> + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
> + test -f /etc/mandriva-release
> + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
> + test -f /etc/gentoo-release
> + _________________________ /proc/net/ipsec_version
> + test -r /proc/net/ipsec_version
> + test -r /proc/net/pfkey
> ++ uname -r
> + echo 'NETKEY (2.6.32-358.6.1.el6.x86_64) support detected '
> NETKEY (2.6.32-358.6.1.el6.x86_64) support detected
> + _________________________ iptables
> + test -r /sbin/iptables-save
> + iptables-save
> # Generated by iptables-save v1.4.7 on Sat May 4 02:55:49 2013
> *mangle
> :PREROUTING ACCEPT [4726:242681]
> :INPUT ACCEPT [4725:242553]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [12292:3653325]
> :POSTROUTING ACCEPT [12292:3653325]
> COMMIT
> # Completed on Sat May 4 02:55:49 2013
> # Generated by iptables-save v1.4.7 on Sat May 4 02:55:49 2013
> *nat
> :PREROUTING ACCEPT [22:2083]
> :POSTROUTING ACCEPT [14:1473]
> :OUTPUT ACCEPT [221:34157]
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Sat May 4 02:55:49 2013
> + _________________________ iptables-nat
> + iptables-save -t nat
> # Generated by iptables-save v1.4.7 on Sat May 4 02:55:49 2013
> *nat
> :PREROUTING ACCEPT [22:2083]
> :POSTROUTING ACCEPT [14:1473]
> :OUTPUT ACCEPT [221:34157]
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Sat May 4 02:55:49 2013
> + _________________________ iptables-mangle
> + iptables-save -t mangle
> # Generated by iptables-save v1.4.7 on Sat May 4 02:55:49 2013
> *mangle
> :PREROUTING ACCEPT [4726:242681]
> :INPUT ACCEPT [4725:242553]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [12292:3653325]
> :POSTROUTING ACCEPT [12292:3653325]
> COMMIT
> # Completed on Sat May 4 02:55:49 2013
> + _________________________ /proc/modules
> + test -f /proc/modules
> + cat /proc/modules
> + _________________________ /proc/meminfo
> + cat /proc/meminfo
> + _________________________ /proc/net/ipsec-ls
> + test -f /proc/net/ipsec_version
> + _________________________ usr/src/linux/.config
> + test -f /proc/config.gz
> ++ uname -r
> + test -f /lib/modules/2.6.32-358.6.1.el6.x86_64/build/.config
> + echo 'no .config file found, cannot list kernel properties'
> no .config file found, cannot list kernel properties
> + _________________________ etc/syslog.conf
> + _________________________ etc/syslog-ng/syslog-ng.conf
> + cat /etc/syslog-ng/syslog-ng.conf
> cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
> + cat /etc/syslog.conf
> cat: /etc/syslog.conf: No such file or directory
> + _________________________ etc/resolv.conf
> + cat /etc/resolv.conf
> nameserver 127.0.0.1
> nameserver 213.186.33.99
> search ovh.net [30]
> + _________________________ lib/modules-ls
> + ls -ltr /lib/modules
> total 8
> drwxr-xr-x. 7 root root 4096 May 4 01:05 2.6.32-358.6.1.el6.x86_64
> + _________________________ fipscheck
> + cat /proc/sys/crypto/fips_enabled
> 0
> + _________________________ /proc/ksyms-netif_rx
> + test -r /proc/ksyms
> + test -r /proc/kallsyms
> + egrep netif_rx /proc/kallsyms
> + _________________________ lib/modules-netif_rx
> + modulegoo kernel/net/ipv4/ipip.o netif_rx
> + set +x
> 2.6.32-358.6.1.el6.x86_64:
> + _________________________ kern.debug
> + test -f /var/log/kern.debug
> + _________________________ klog
> + sed -n '1542,$p' /var/log/messages
> + egrep -i 'ipsec|klips|pluto'
> + case "$1" in
> + cat
> May 4 02:09:47 ks3307690 ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.6.1.el6.x86_64...
> May 4 02:09:47 ks3307690 ipsec_setup: Using NETKEY(XFRM) stack
> May 4 02:09:47 ks3307690 ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
> May 4 02:09:47 ks3307690 ipsec_setup: ...Openswan IPsec started
> May 4 02:09:47 ks3307690 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
> May 4 02:09:47 ks3307690 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
> May 4 02:09:47 ks3307690 pluto: adjusting ipsec.d to /etc/ipsec.d
> May 4 02:09:47 ks3307690 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
> May 4 02:09:47 ks3307690 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
> May 4 02:09:47 ks3307690 ipsec__plutorun: 002 added connection description "mikrotik"
> May 4 02:09:47 ks3307690 ipsec__plutorun: 003 no secrets filename matched "/etc/ipsec.d/*.secrets"
> May 4 02:09:47 ks3307690 ipsec__plutorun: 104 "mikrotik" #1: STATE_MAIN_I1: initiate
> + _________________________ plog
> + sed -n '889,$p' /var/log/secure
> + egrep -i pluto
> + case "$1" in
> + cat
> May 4 02:09:47 ks3307690 ipsec__plutorun: Starting Pluto subsystem...
> May 4 02:09:47 ks3307690 pluto[4903]: nss directory plutomain: /etc/ipsec.d
> May 4 02:09:47 ks3307690 pluto[4903]: NSS Initialized
> May 4 02:09:47 ks3307690 pluto[4903]: Non-fips mode set in /proc/sys/crypto/fips_enabled
> May 4 02:09:47 ks3307690 pluto[4903]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:4903
> May 4 02:09:47 ks3307690 pluto[4903]: Non-fips mode set in /proc/sys/crypto/fips_enabled
> May 4 02:09:47 ks3307690 pluto[4903]: LEAK_DETECTIVE support [disabled]
> May 4 02:09:47 ks3307690 pluto[4903]: OCF support for IKE [disabled]
> May 4 02:09:47 ks3307690 pluto[4903]: SAref support [disabled]: Protocol not available
> May 4 02:09:47 ks3307690 pluto[4903]: SAbind support [disabled]: Protocol not available
> May 4 02:09:47 ks3307690 pluto[4903]: NSS support [enabled]
> May 4 02:09:47 ks3307690 pluto[4903]: HAVE_STATSD notification support not compiled in
> May 4 02:09:47 ks3307690 pluto[4903]: Setting NAT-Traversal port-4500 floating to on
> May 4 02:09:47 ks3307690 pluto[4903]: port floating activation criteria nat_t=1/port_float=1
> May 4 02:09:47 ks3307690 pluto[4903]: NAT-Traversal support [enabled]
> May 4 02:09:47 ks3307690 pluto[4903]: 1 bad entries in virtual_private - none loaded
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> May 4 02:09:47 ks3307690 pluto[4903]: starting up 3 cryptographic helpers
> May 4 02:09:47 ks3307690 pluto[4903]: started helper (thread) pid=140013406775040 (fd:10)
> May 4 02:09:47 ks3307690 pluto[4903]: started helper (thread) pid=140013396285184 (fd:12)
> May 4 02:09:47 ks3307690 pluto[4903]: started helper (thread) pid=140013316601600 (fd:14)
> May 4 02:09:47 ks3307690 pluto[4903]: Using Linux 2.6 IPsec interface code on 2.6.32-358.6.1.el6.x86_64 (experimental code)
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_add(): ERROR: Algorithm already exists
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_add(): ERROR: Algorithm already exists
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_add(): ERROR: Algorithm already exists
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_add(): ERROR: Algorithm already exists
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_add(): ERROR: Algorithm already exists
> May 4 02:09:47 ks3307690 pluto[4903]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
> May 4 02:09:47 ks3307690 pluto[4903]: Could not change to directory '/etc/ipsec.d/cacerts': /
> May 4 02:09:47 ks3307690 pluto[4903]: Could not change to directory '/etc/ipsec.d/aacerts': /
> May 4 02:09:47 ks3307690 pluto[4903]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
> May 4 02:09:47 ks3307690 pluto[4903]: Could not change to directory '/etc/ipsec.d/crls'
> May 4 02:09:47 ks3307690 pluto[4903]: | selinux support is enabled.
> May 4 02:09:47 ks3307690 pluto[4903]: added connection description "mikrotik"
> May 4 02:09:47 ks3307690 pluto[4903]: listening for IKE messages
> May 4 02:09:47 ks3307690 pluto[4903]: adding interface eth0/eth0 179.34.222.31:500 [31]
> May 4 02:09:47 ks3307690 pluto[4903]: adding interface eth0/eth0 179.34.222.31:4500 [32]
> May 4 02:09:47 ks3307690 pluto[4903]: adding interface lo/lo 127.0.0.1:500 [33]
> May 4 02:09:47 ks3307690 pluto[4903]: adding interface lo/lo 127.0.0.1:4500 [34]
> May 4 02:09:47 ks3307690 pluto[4903]: adding interface lo/lo ::1:500
> May 4 02:09:47 ks3307690 pluto[4903]: adding interface eth0/eth0 2001:41d0:8:e242::1:500
> May 4 02:09:47 ks3307690 pluto[4903]: loading secrets from "/etc/ipsec.secrets"
> May 4 02:09:47 ks3307690 pluto[4903]: no secrets filename matched "/etc/ipsec.d/*.secrets"
> May 4 02:09:47 ks3307690 pluto[4903]: "mikrotik" #1: initiating Main Mode
> May 4 02:09:47 ks3307690 pluto[4903]: "mikrotik" #1: received Vendor ID payload [Dead Peer Detection]
> May 4 02:09:47 ks3307690 pluto[4903]: "mikrotik" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> May 4 02:09:47 ks3307690 pluto[4903]: "mikrotik" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #1: next payload type of ISAKMP Hash Payload has an unknown value: 184
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #1: malformed payload in packet
> May 4 02:09:48 ks3307690 pluto[4903]: | payload malformed after IV
> May 4 02:09:48 ks3307690 pluto[4903]: | d5 e9 80 46 c0 88 41 e9
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #1: sending notification PAYLOAD_MALFORMED to 82.198.121.45:500 [35]
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #1: malformed payload in packet
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #1: Main mode peer ID is ID_IPV4_ADDR: '82.198.121.45'
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:121009cf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> May 4 02:09:48 ks3307690 pluto[4903]: "mikrotik" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x08ab66a0 <0xc0d22436 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> May 4 02:10:08 ks3307690 pluto[4903]: "mikrotik" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:8eb8d24a proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
> May 4 02:10:08 ks3307690 pluto[4903]: "mikrotik" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> May 4 02:10:08 ks3307690 pluto[4903]: "mikrotik" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x03d0e567 <0x8b2ece14 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> May 4 02:48:10 ks3307690 pluto[4903]: "mikrotik": terminating SAs using this connection
> May 4 02:48:10 ks3307690 pluto[4903]: "mikrotik" #3: deleting state (STATE_QUICK_I2)
> May 4 02:48:10 ks3307690 pluto[4903]: "mikrotik" #2: deleting state (STATE_QUICK_I2)
> May 4 02:48:10 ks3307690 pluto[4903]: "mikrotik" #1: deleting state (STATE_MAIN_I4)
> May 4 02:48:18 ks3307690 pluto[4903]: "mikrotik" #4: initiating Main Mode
> May 4 02:48:18 ks3307690 pluto[4903]: "mikrotik" #4: received Vendor ID payload [Dead Peer Detection]
> May 4 02:48:18 ks3307690 pluto[4903]: "mikrotik" #4: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> May 4 02:48:18 ks3307690 pluto[4903]: "mikrotik" #4: STATE_MAIN_I2: sent MI2, expecting MR2
> May 4 02:48:18 ks3307690 pluto[4903]: "mikrotik" #4: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> May 4 02:48:18 ks3307690 pluto[4903]: "mikrotik" #4: STATE_MAIN_I3: sent MI3, expecting MR3
> May 4 02:48:19 ks3307690 pluto[4903]: "mikrotik" #4: Main mode peer ID is ID_IPV4_ADDR: '82.198.121.45'
> May 4 02:48:19 ks3307690 pluto[4903]: "mikrotik" #4: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> May 4 02:48:19 ks3307690 pluto[4903]: "mikrotik" #4: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> May 4 02:48:19 ks3307690 pluto[4903]: "mikrotik" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#4 msgid:3eac258b proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
> May 4 02:48:19 ks3307690 pluto[4903]: "mikrotik" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> May 4 02:48:19 ks3307690 pluto[4903]: "mikrotik" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x06fb8921 <0x112666f8 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> May 4 02:50:11 ks3307690 pluto[4903]: "mikrotik": deleting connection
> May 4 02:50:11 ks3307690 pluto[4903]: "mikrotik" #5: deleting state (STATE_QUICK_I2)
> May 4 02:50:11 ks3307690 pluto[4903]: "mikrotik" #4: deleting state (STATE_MAIN_I4)
> May 4 02:50:11 ks3307690 pluto[4903]: added connection description "mikrotik"
> May 4 02:50:19 ks3307690 pluto[4903]: "mikrotik" #6: initiating Main Mode
> May 4 02:50:20 ks3307690 pluto[4903]: "mikrotik" #6: received Vendor ID payload [Dead Peer Detection]
> May 4 02:50:20 ks3307690 pluto[4903]: "mikrotik" #6: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> May 4 02:50:20 ks3307690 pluto[4903]: "mikrotik" #6: STATE_MAIN_I2: sent MI2, expecting MR2
> May 4 02:50:20 ks3307690 pluto[4903]: "mikrotik" #6: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> May 4 02:50:20 ks3307690 pluto[4903]: "mikrotik" #6: STATE_MAIN_I3: sent MI3, expecting MR3
> May 4 02:50:20 ks3307690 pluto[4903]: "mikrotik" #6: Main mode peer ID is ID_IPV4_ADDR: '82.198.121.45'
> May 4 02:50:20 ks3307690 pluto[4903]: "mikrotik" #6: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> May 4 02:50:20 ks3307690 pluto[4903]: "mikrotik" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> May 4 02:50:20 ks3307690 pluto[4903]: "mikrotik" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#6 msgid:aae4f37f proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
> May 4 02:50:20 ks3307690 pluto[4903]: "mikrotik" #7: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> May 4 02:50:20 ks3307690 pluto[4903]: "mikrotik" #7: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x01eea26a <0x743427d2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> + _________________________ date
> + date
> Sat May 4 02:55:49 CEST 2013
>
> Is it possible to solve this problem?
> Thanks in advance.
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users [1]
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy [2]
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 [3]
Links:
------
[1] https://lists.openswan.org/mailman/listinfo/users
[2] https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
[3] http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
[4] http://ks3307690.kimsufi.com/
[5] http://192.168.1.0/24
[6] http://192.168.0.0/24
[7] http://0.0.0.0/0
[8] http://192.168.1.0/24===179.34.222.31
[9] http://127.0.0.1/8
[10] http://179.34.222.31/24
[11] http://178.32.223.0/24
[12] http://82.198.121.45/
[13] http://block.in/
[14] http://192.58.128.30/32
[15] http://198.41.0.4/32
[16] http://192.228.79.201/32
[17] http://192.33.4.12/32
[18] http://128.8.10.90/32
[19] http://192.203.230.10/32
[20] http://192.5.5.241/32
[21] http://192.112.36.4/32
[22] http://128.63.2.53/32
[23] http://192.36.148.17/32
[24] http://193.0.14.129/32
[25] http://199.7.83.42/32
[26] http://202.12.27.33/32
[27] http://clear-or-private.in/
[28] http://private.in/
[29] http://private-or-clear.in/
[30] http://ovh.net/
[31] http://179.34.222.31:500/
[32] http://179.34.222.31:4500/
[33] http://127.0.0.1:500/
[34] http://127.0.0.1:4500/
[35] http://82.198.121.45:500/