[Openswan Users] netkey not grabbing packets?
Mike Gauthier
mikeg at 3cx.org
Sun Oct 19 11:22:08 EDT 2014
I have two hosts, each with a network behind it, that I'm trying to build a
site-to-site VPN between.
netA --- hostA ... hostB --- netB
Pretty straightforward.
hostA is multihomed: eth0 is the public-facing interface with a public IP
bound directly to it, and eth1 has a private IP that's in netA.
hostB is an Amazon EC2 instance. It has a single interface (eth0) and an
elastic IP assigned (NAT to public). The private IP assigned to eth0 is
in a subnet of netB.
netA is 10.5.22.0/24.
netB is 10.103.0.0/21 (IP on hostB is in 10.103.7.0/25).
For the life of me, I cannot seem to get things flowing over the tunnel.
I believe the tunnel is up (both phase 1 and phase 2), but I simply
cannot get anything to go over it. As I am using EC2 on hostB (and
CentOS on hostA), I need to use netkey. I'm not quite sure how the
packets are "grabbed" and encrypted, but it doesn't seem to be happening
for me. I would expect, were this working the way I expect, that I would
not be able to see packets on hostA's eth0 interface with a src of netA
and a dest of netB, as they would be encapsulated. But that's what I'm
seeing. I've tried numerous different configs, but nothing seems to get it
to work.
Any help in pointing me in the right direction would be greatly
appreciated. The following will be a dump of as much information as I
think someone may need to help. Thanks.
/// hostA ///
[root at hostA ipsec.d]# ifconfig
eth0 Link encap:Ethernet HWaddr 2C:76:8A:AD:E9:29
inet addr:50.180.204.192 Bcast:255.255.255.255 Mask:255.255.254.0
inet6 addr: fe80::2e76:8aff:fead:e929/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2722124 errors:0 dropped:0 overruns:0 frame:0
TX packets:1040343 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2914328384 (2.7 GiB) TX bytes:284580770 (271.3 MiB)
Interrupt:18
eth1 Link encap:Ethernet HWaddr 68:05:CA:17:7F:B1
inet addr:10.5.22.1 Bcast:10.5.22.255 Mask:255.255.255.0
inet6 addr: fe80::6a05:caff:fe17:7fb1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:95794476 errors:0 dropped:0 overruns:0 frame:0
TX packets:168855501 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:30809707874 (28.6 GiB) TX bytes:225940546145 (210.4 GiB)
Interrupt:16 Memory:fe8e0000-fe900000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3515863 errors:0 dropped:0 overruns:0 frame:0
TX packets:3515863 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:396899539 (378.5 MiB) TX bytes:396899539 (378.5 MiB)
[root at hostA ipsec.d]#
[root at hostA ipsec.d]#
[root at hostA ipsec.d]# wget -O - -q http://3cx.org/ipaddr.php
50.180.204.192
[root at hostA ipsec.d]#
[root at hostA ipsec.d]#
[root at hostA ipsec.d]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-431.29.2.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
[root at hostA ipsec.d]#
[root at hostA ipsec.d]#
[root at hostA ipsec.d]# ip route
10.5.23.0/24 via 10.5.22.20 dev eth1
10.5.22.0/24 dev eth1 proto kernel scope link src 10.5.22.1
50.180.204.0/23 dev eth0 proto kernel scope link src 50.180.204.192
10.103.0.0/21 via 50.180.204.1 dev eth0 src 10.5.22.1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
default via 50.180.204.1 dev eth0
[root at hostA ipsec.d]#
[root at hostA ipsec.d]#
[root at hostA ipsec.d]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.5.22.0/24
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
    # disable_port_floating=yes
# You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
[root at hostA ipsec.d]#
[root at hostA ipsec.d]#
[root at hostA ipsec.d]# cat /etc/ipsec.d/AWS_TEST.conf
conn aws-test-net
    authby=secret
    auto=start
    pfs=yes
    type=tunnel
    left=%defaultroute
    leftid=50.180.204.192
    leftsourceip=10.5.22.1
    leftnexthop=%defaultroute
    leftsubnet=10.55.22.0/24
    right=54.172.115.219
    rightsubnet=10.103.0.0/21
[root at hostA ipsec.d]#
[root at hostA ipsec.d]#
[root at hostA ipsec.d]# service ipsec status
IPsec running - pluto pid: 22836
pluto pid 22836
2 tunnels up
some eroutes exist
[root at hostA ipsec.d]#
[root at hostA ipsec.d]#
[root at hostA ipsec.d]# ipsec whack --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 50.180.204.192
000 interface eth0/eth0 50.180.204.192
000 interface eth1/eth1 10.5.22.1
000 interface eth1/eth1 10.5.22.1
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 1 subnet: 10.5.22.0/24
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "aws-test-net": 10.55.22.0/24===50.180.204.192[+S=C]---50.180.204.1...54.172.115.219<54.172.115.219>[+S=C]===10.103.0.0/21; erouted; eroute owner: #4
000 "aws-test-net": myip=10.5.22.1; hisip=unset;
000 "aws-test-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "aws-test-net": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,21; interface: eth0;
000 "aws-test-net": dpd: action:clear; delay:0; timeout:0;
000 "aws-test-net": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "aws-test-net": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #4: "aws-test-net":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28475s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "aws-test-net" esp.33836f94 at 54.172.115.219 esp.804754cc at 50.180.204.192 tun.0 at 54.172.115.219 tun.0 at 50.180.204.192 ref=0 refhim=4294901761
000 #3: "aws-test-net":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3275s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "aws-test-net":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27987s; isakmp#1; idle; import:admin initiate
000 #2: "aws-test-net" esp.313a5104 at 54.172.115.219 esp.b8091b5 at 50.180.204.192 tun.0 at 54.172.115.219 tun.0 at 50.180.204.192 ref=0 refhim=4294901761
000 #1: "aws-test-net":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2546s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
[root at hostA ipsec.d]#
[root at hostA ipsec.d]#
[root at hostA ipsec.d]# ipsec barf
reagan.intranet
Sun Oct 19 15:14:19 UTC 2014
+ _________________________ version
+ ipsec --version
Linux Openswan U2.6.32/K2.6.32-431.29.2.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 2.6.32-431.29.2.el6.x86_64 (mockbuild at c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Tue Sep 9 21:36:05 UTC 2014
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.5.23.0       10.5.22.20      255.255.255.0   UG        0 0          0 eth1
10.5.22.0       0.0.0.0         255.255.255.0   U         0 0          0 eth1
50.180.204.0    0.0.0.0         255.255.254.0   U         0 0          0 eth0
10.103.0.0      50.180.204.1    255.255.248.0   UG        0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         50.180.204.1    0.0.0.0         UG        0 0          0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ ip-xfrm-state
+ ip xfrm state
src 50.180.204.192 dst 54.172.115.219
proto esp spi 0x33836f94 reqid 16385 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x1529cb112923457d4418998670cb84e6b60953a3
enc cbc(aes) 0x80c7ca28fac7bc89f36dbbcbed7c7837
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 54.172.115.219 dst 50.180.204.192
proto esp spi 0x804754cc reqid 16385 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0xbb203f72d15be04600b84ec7b44515e6eabded06
enc cbc(aes) 0xe720380f19515c09ad1cd94faab6e2af
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 54.172.115.219 dst 50.180.204.192
proto esp spi 0x0b8091b5 reqid 16385 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x417d4b34386f032f35a90e8f8e8f2783c3dd64b3
enc cbc(aes) 0xe57a433a591ab0c9d82a26026b7326f8
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 50.180.204.192 dst 54.172.115.219
proto esp spi 0x313a5104 reqid 16385 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0xedfda17b73aa3a474f5f872a65c5ae791d31564b
enc cbc(aes) 0x7909bd0462714360c8b35e77aed0fe9b
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
+ _________________________ ip-xfrm-policy
+ ip xfrm policy
src 10.55.22.0/24 dst 10.103.0.0/21
dir out priority 2347 ptype main
tmpl src 50.180.204.192 dst 54.172.115.219
proto esp reqid 16385 mode tunnel
src 10.103.0.0/21 dst 10.55.22.0/24
dir fwd priority 2347 ptype main
tmpl src 54.172.115.219 dst 50.180.204.192
proto esp reqid 16385 mode tunnel
src 10.103.0.0/21 dst 10.55.22.0/24
dir in priority 2347 ptype main
tmpl src 54.172.115.219 dst 50.180.204.192
proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
dir 4 priority 0 ptype main
src ::/0 dst ::/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
+ _________________________ /proc/crypto
+ test -r /proc/crypto
+ cat /proc/crypto
name : authenc(hmac(sha1),cbc(aes))
driver : authenc(hmac(sha1-generic),cbc(aes-asm))
module : authenc
priority : 2000
refcnt : 5
selftest : passed
type : aead
async : no
blocksize : 16
ivsize : 16
maxauthsize : 20
geniv : <built-in>
name : cbc(aes)
driver : cbc(aes-asm)
module : kernel
priority : 200
refcnt : 5
selftest : passed
type : givcipher
async : no
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : eseqiv
name : deflate
driver : deflate-generic
module : deflate
priority : 0
refcnt : 1
selftest : passed
type : compression
name : rfc3686(ctr(aes))
driver : rfc3686(ctr(aes-asm))
module : ctr
priority : 200
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 1
min keysize : 20
max keysize : 36
ivsize : 8
geniv : seqiv
name : ctr(aes)
driver : ctr(aes-asm)
module : kernel
priority : 200
refcnt : 1
selftest : passed
type : givcipher
async : yes
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : chainiv
name : ctr(aes)
driver : ctr(aes-asm)
module : ctr
priority : 200
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : chainiv
name : cbc(twofish)
driver : cbc(twofish-asm)
module : cbc
priority : 200
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : cbc(camellia)
driver : cbc(camellia-generic)
module : cbc
priority : 100
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : camellia
driver : camellia-generic
module : camellia
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : cbc(serpent)
driver : cbc(serpent-generic)
module : cbc
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 0
max keysize : 32
ivsize : 16
geniv : <default>
name : cbc(aes)
driver : cbc(aes-asm)
module : cbc
priority : 200
refcnt : 5
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : cbc(blowfish)
driver : cbc(blowfish-generic)
module : cbc
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 8
min keysize : 4
max keysize : 56
ivsize : 8
geniv : <default>
name : cbc(cast5)
driver : cbc(cast5-generic)
module : cbc
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 8
min keysize : 5
max keysize : 16
ivsize : 8
geniv : <default>
name : cast5
driver : cast5-generic
module : cast5
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 5
max keysize : 16
name : cbc(des3_ede)
driver : cbc(des3_ede-generic)
module : cbc
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 8
min keysize : 24
max keysize : 24
ivsize : 8
geniv : <default>
name : cbc(des)
driver : cbc(des-generic)
module : cbc
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 8
min keysize : 8
max keysize : 8
ivsize : 8
geniv : <default>
name : xcbc(aes)
driver : xcbc(aes-asm)
module : xcbc
priority : 200
refcnt : 1
selftest : passed
type : shash
blocksize : 16
digestsize : 16
name : hmac(rmd160)
driver : hmac(rmd160-generic)
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 20
name : rmd160
driver : rmd160-generic
module : rmd160
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 20
name : hmac(sha512)
driver : hmac(sha512-generic)
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 64
name : hmac(sha384)
driver : hmac(sha384-generic)
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 48
name : hmac(sha256)
driver : hmac(sha256-generic)
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 32
name : hmac(sha1)
driver : hmac(sha1-generic)
module : kernel
priority : 0
refcnt : 9
selftest : passed
type : shash
blocksize : 64
digestsize : 20
name : hmac(md5)
driver : hmac(md5-generic)
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 16
name : compress_null
driver : compress_null-generic
module : crypto_null
priority : 0
refcnt : 1
selftest : passed
type : compression
name : digest_null
driver : digest_null-generic
module : crypto_null
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 1
digestsize : 0
name : ecb(cipher_null)
driver : ecb-cipher_null
module : crypto_null
priority : 100
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 0
max keysize : 0
ivsize : 0
geniv : <default>
name : cipher_null
driver : cipher_null-generic
module : crypto_null
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 1
min keysize : 0
max keysize : 0
name : tnepres
driver : tnepres-generic
module : serpent
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 0
max keysize : 32
name : serpent
driver : serpent-generic
module : serpent
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 0
max keysize : 32
name : blowfish
driver : blowfish-generic
module : blowfish
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 4
max keysize : 56
name : twofish
driver : twofish-asm
module : twofish_x86_64
priority : 200
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : sha256
driver : sha256-generic
module : sha256_generic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 32
name : sha224
driver : sha224-generic
module : sha256_generic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 28
name : sha512
driver : sha512-generic
module : sha512_generic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 64
name : sha384
driver : sha384-generic
module : sha512_generic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 48
name : des3_ede
driver : des3_ede-generic
module : des_generic
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 24
max keysize : 24
name : des
driver : des-generic
module : des_generic
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 8
max keysize : 8
name : aes
driver : aes-asm
module : aes_x86_64
priority : 200
refcnt : 5
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : aes
driver : aes-generic
module : aes_generic
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : stdrng
driver : krng
module : kernel
priority : 200
refcnt : 2
selftest : passed
type : rng
seedsize : 0
name : crc32c
driver : crc32c-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : shash
blocksize : 1
digestsize : 4
name : sha1
driver : sha1-generic
module : kernel
priority : 0
refcnt : 5
selftest : passed
type : shash
blocksize : 64
digestsize : 20
name : md5
driver : md5-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 16
+ __________________________/proc/sys/net/core/xfrm-star
/usr/libexec/ipsec/barf: line 190: __________________________/proc/sys/net/core/xfrm-star: No such file or directory
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_acq_expires: '
/proc/sys/net/core/xfrm_acq_expires: + cat
/proc/sys/net/core/xfrm_acq_expires
30
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_aevent_etime: '
/proc/sys/net/core/xfrm_aevent_etime: + cat
/proc/sys/net/core/xfrm_aevent_etime
10
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_aevent_rseqth: '
/proc/sys/net/core/xfrm_aevent_rseqth: + cat
/proc/sys/net/core/xfrm_aevent_rseqth
2
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_larval_drop: '
/proc/sys/net/core/xfrm_larval_drop: + cat
/proc/sys/net/core/xfrm_larval_drop
1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 50.180.204.192
000 interface eth0/eth0 50.180.204.192
000 interface eth1/eth1 10.5.22.1
000 interface eth1/eth1 10.5.22.1
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 1 subnet: 10.5.22.0/24
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "aws-test-net": 10.55.22.0/24===50.180.204.192[+S=C]---50.180.204.1...54.172.115.219<54.172.115.219>[+S=C]===10.103.0.0/21; erouted; eroute owner: #4
000 "aws-test-net": myip=10.5.22.1; hisip=unset;
000 "aws-test-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "aws-test-net": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,21; interface: eth0;
000 "aws-test-net": dpd: action:clear; delay:0; timeout:0;
000 "aws-test-net": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "aws-test-net": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #4: "aws-test-net":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28470s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "aws-test-net" esp.33836f94 at 54.172.115.219 esp.804754cc at 50.180.204.192 tun.0 at 54.172.115.219 tun.0 at 50.180.204.192 ref=0 refhim=4294901761
000 #3: "aws-test-net":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3270s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "aws-test-net":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27982s; isakmp#1; idle; import:admin initiate
000 #2: "aws-test-net" esp.313a5104 at 54.172.115.219 esp.b8091b5 at 50.180.204.192 tun.0 at 54.172.115.219 tun.0 at 50.180.204.192 ref=0 refhim=4294901761
000 #1: "aws-test-net":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2541s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 2C:76:8A:AD:E9:29
inet addr:50.180.204.192 Bcast:255.255.255.255 Mask:255.255.254.0
inet6 addr: fe80::2e76:8aff:fead:e929/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2747077 errors:0 dropped:0 overruns:0 frame:0
TX packets:1048979 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2949033220 (2.7 GiB) TX bytes:286893858 (273.6 MiB)
Interrupt:18
eth1 Link encap:Ethernet HWaddr 68:05:CA:17:7F:B1
inet addr:10.5.22.1 Bcast:10.5.22.255 Mask:255.255.255.0
inet6 addr: fe80::6a05:caff:fe17:7fb1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:95803408 errors:0 dropped:0 overruns:0 frame:0
TX packets:168880179 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:30812044320 (28.6 GiB) TX bytes:225975154418 (210.4 GiB)
Interrupt:16 Memory:fe8e0000-fe900000
gretap0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
gre0 Link encap:UNSPEC HWaddr 32-B4-CC-C0-FF-FF-60-D0-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3515951 errors:0 dropped:0 overruns:0 frame:0
TX packets:3515951 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:396908184 (378.5 MiB) TX bytes:396908184 (378.5 MiB)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 2c:76:8a:ad:e9:29 brd ff:ff:ff:ff:ff:ff
inet 50.180.204.192/23 brd 255.255.255.255 scope global eth0
inet6 fe80::2e76:8aff:fead:e929/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 68:05:ca:17:7f:b1 brd ff:ff:ff:ff:ff:ff
inet 10.5.22.1/24 brd 10.5.22.255 scope global eth1
inet6 fe80::6a05:caff:fe17:7fb1/64 scope link
valid_lft forever preferred_lft forever
4: gre0: <NOARP> mtu 1476 qdisc noop state DOWN
link/gre 50.180.204.192 brd 65.99.241.216
5: gretap0: <BROADCAST,MULTICAST> mtu 1476 qdisc noop state DOWN qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
+ _________________________ ip-route-list
+ ip route list
10.5.23.0/24 via 10.5.22.20 dev eth1
10.5.22.0/24 dev eth1 proto kernel scope link src 10.5.22.1
50.180.204.0/23 dev eth0 proto kernel scope link src 50.180.204.192
10.103.0.0/21 via 50.180.204.1 dev eth0 src 10.5.22.1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
default via 50.180.204.1 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-431.29.2.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
No interface specified
usage: /sbin/mii-tool [-VvRrwl] [-A media,... | -F media] <interface>
...
-V, --version display version information
-v, --verbose more verbose output
-R, --reset reset MII to poweron state
-r, --restart restart autonegotiation
-w, --watch monitor for link status changes
-l, --log with -w, write events to syslog
-A, --advertise=media,... advertise only specified media
-F, --force=media force specified media technology
media: 100baseT4, 100baseTx-FD, 100baseTx-HD, 10baseT-FD, 10baseT-HD,
(to advertise both HD and FD) 100baseTx, 10baseT
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/libexec/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
reagan.intranet
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.5.22.1
+ _________________________ uptime
+ uptime
15:14:20 up 23 days, 12:18, 1 user, load average: 0.02, 0.01, 0.00
+ _________________________ ps
+ egrep -i 'ppid|pluto|ipsec|klips'
+ ps alxwf
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 23072 20188 20 0 106068 1440 wait S+ pts/0 0:00 \_ /bin/sh /usr/libexec/ipsec/barf
0 0 23144 23072 20 0 4152 652 - S+ pts/0 0:00 \_ egrep -i ppid|pluto|ipsec|klips
1 0 22829 1 20 0 11304 532 wait S pts/0 0:00
/bin/sh /usr/libexec/ipsec/_plutorun --debug all raw crypt parsing
emitting control lifecycle klips dns oppo oppoinfo controlmore x509 dpd
pfkey natt nattraversal --uniqueids yes --force_busy no --nocrsend no
--strictcrlpolicy no --nat_traversal yes --keep_alive --protostack
netkey --force_keepalive no --disable_port_floating no --virtual_private
%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.5.22.0/24
--listen --crlcheckinterval 0 --ocspuri --nhelpers
--secctx_attr_value --dump --opts --stderrlog /var/log/pluto.log
--wait no --pre --post --log daemon.error --plutorestartoncrash true
--pid /var/run/pluto/pluto.pid
1 0 22831 22829 20 0 11304 712 wait S pts/0 0:00 \_
/bin/sh /usr/libexec/ipsec/_plutorun --debug all raw crypt parsing
emitting control lifecycle klips dns oppo oppoinfo controlmore x509 dpd
pfkey natt nattraversal --uniqueids yes --force_busy no --nocrsend no
--strictcrlpolicy no --nat_traversal yes --keep_alive --protostack
netkey --force_keepalive no --disable_port_floating no --virtual_private
%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.5.22.0/24
--listen --crlcheckinterval 0 --ocspuri --nhelpers
--secctx_attr_value --dump --opts --stderrlog /var/log/pluto.log
--wait no --pre --post --log daemon.error --plutorestartoncrash true
--pid /var/run/pluto/pluto.pid
4 0 22836 22831 20 0 162600 5532 poll_s Sl pts/0 0:00 |
\_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets
--ipsecdir /etc/ipsec.d --debug-all --debug-raw --debug-crypt
--debug-parsing --debug-emitting --debug-control --debug-lifecycle
--debug-klips --debug-dns --debug-oppo --debug-oppoinfo
--debug-controlmore --debug-x509 --debug-dpd --debug-pfkey --debug-natt
--debug-nattraversal --use-netkey --uniqueids --nat_traversal
--virtual_private
%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.5.22.0/24
--stderrlog
0 0 22865 22836 20 0 6084 396 poll_s S pts/0 0:00 |
\_ _pluto_adns -d
0 0 22832 22829 20 0 11300 1364 pipe_w S pts/0 0:00 \_
/bin/sh /usr/libexec/ipsec/_plutoload --wait no --post
0 0 22830 1 20 0 4060 644 pipe_w S pts/0 0:00
logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=none
routeaddr=50.180.204.192
routenexthop=50.180.204.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
plutodebug=all
plutostderrlog=/var/log/pluto.log
# For Red Hat Enterprise Linux and Fedora, leave
protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.5.22.0/24
oe=off
# Enable this if you see "failed to find any available worker"
# nhelpers=0
# disable_port_floating=yes
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#< /etc/ipsec.d/AWS_TEST.conf 1
conn aws-test-net
authby=secret
auto=start
pfs=yes
type=tunnel
left=%defaultroute
leftid=50.180.204.192
leftsourceip=10.5.22.1
leftnexthop=%defaultroute
leftsubnet=10.55.22.0/24
right=54.172.115.219
rightsubnet=10.103.0.0/21
#> /etc/ipsec.conf 27
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
#< /etc/ipsec.d/AWS_TEST.secrets 1
50.180.204.192 54.172.115.219: PSK "[sums to 73c5...]"
#> /etc/ipsec.secrets 2
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000 1: PSK 54.172.115.219 50.180.204.192
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# root name servers should be in the clear
192.58.128.30/32
198.41.0.4/32
192.228.79.201/32
192.33.4.12/32
128.8.10.90/32
192.203.230.10/32
192.5.5.241/32
192.112.36.4/32
128.63.2.53/32
192.36.148.17/32
193.0.14.129/32
199.7.83.42/32
202.12.27.33/32
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/libexec/ipsec
total 2476
-rwxr-xr-x 1 root root 10592 May 20 11:07 _copyright
-rwxr-xr-x 1 root root 2430 May 20 11:07 _include
-rwxr-xr-x 1 root root 1475 May 20 11:07 _keycensor
-rwxr-xr-x 1 root root 14528 May 20 11:07 _pluto_adns
-rwxr-xr-x 1 root root 2567 May 20 11:07 _plutoload
-rwxr-xr-x 1 root root 8474 May 20 11:07 _plutorun
-rwxr-xr-x 1 root root 13783 May 20 11:07 _realsetup
-rwxr-xr-x 1 root root 1975 May 20 11:07 _secretcensor
-rwxr-xr-x 1 root root 11507 May 20 11:07 _startklips
-rwxr-xr-x 1 root root 6108 May 20 11:07 _startnetkey
-rwxr-xr-x 1 root root 4923 May 20 11:07 _updown
-rwxr-xr-x 1 root root 16227 May 20 11:07 _updown.klips
-rwxr-xr-x 1 root root 16583 May 20 11:07 _updown.mast
-rwxr-xr-x 1 root root 13779 May 20 11:07 _updown.netkey
-rwxr-xr-x 1 root root 227312 May 20 11:07 addconn
-rwxr-xr-x 1 root root 6015 May 20 11:07 auto
-rwxr-xr-x 1 root root 11137 May 20 11:07 barf
-rwxr-xr-x 1 root root 93840 May 20 11:07 eroute
-rwxr-xr-x 1 root root 26736 May 20 11:07 ikeping
-rwxr-xr-x 1 root root 69552 May 20 11:07 klipsdebug
-rwxr-xr-x 1 root root 2520 May 20 11:07 look
-rwxr-xr-x 1 root root 2189 May 20 11:07 newhostkey
-rwxr-xr-x 1 root root 64976 May 20 11:07 pf_key
-rwxr-xr-x 1 root root 1097424 May 20 11:07 pluto
-rwxr-xr-x 1 root root 10576 May 20 11:07 ranbits
-rwxr-xr-x 1 root root 27376 May 20 11:07 rsasigkey
-rwxr-xr-x 1 root root 704 May 20 11:07 secrets
lrwxrwxrwx 1 root root 30 Aug 27 01:32 setup -> ../../../etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1126 May 20 11:07 showdefaults
-rwxr-xr-x 1 root root 271680 May 20 11:07 showhostkey
-rwxr-xr-x 1 root root 26736 May 20 11:07 showpolicy
-rwxr-xr-x 1 root root 172456 May 20 11:07 spi
-rwxr-xr-x 1 root root 81504 May 20 11:07 spigrp
-rwxr-xr-x 1 root root 77032 May 20 11:07 tncfg
-rwxr-xr-x 1 root root 14828 May 20 11:07 verify
-rwxr-xr-x 1 root root 59904 May 20 11:07 whack
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 2476
-rwxr-xr-x 1 root root 10592 May 20 11:07 _copyright
-rwxr-xr-x 1 root root 2430 May 20 11:07 _include
-rwxr-xr-x 1 root root 1475 May 20 11:07 _keycensor
-rwxr-xr-x 1 root root 14528 May 20 11:07 _pluto_adns
-rwxr-xr-x 1 root root 2567 May 20 11:07 _plutoload
-rwxr-xr-x 1 root root 8474 May 20 11:07 _plutorun
-rwxr-xr-x 1 root root 13783 May 20 11:07 _realsetup
-rwxr-xr-x 1 root root 1975 May 20 11:07 _secretcensor
-rwxr-xr-x 1 root root 11507 May 20 11:07 _startklips
-rwxr-xr-x 1 root root 6108 May 20 11:07 _startnetkey
-rwxr-xr-x 1 root root 4923 May 20 11:07 _updown
-rwxr-xr-x 1 root root 16227 May 20 11:07 _updown.klips
-rwxr-xr-x 1 root root 16583 May 20 11:07 _updown.mast
-rwxr-xr-x 1 root root 13779 May 20 11:07 _updown.netkey
-rwxr-xr-x 1 root root 227312 May 20 11:07 addconn
-rwxr-xr-x 1 root root 6015 May 20 11:07 auto
-rwxr-xr-x 1 root root 11137 May 20 11:07 barf
-rwxr-xr-x 1 root root 93840 May 20 11:07 eroute
-rwxr-xr-x 1 root root 26736 May 20 11:07 ikeping
-rwxr-xr-x 1 root root 69552 May 20 11:07 klipsdebug
-rwxr-xr-x 1 root root 2520 May 20 11:07 look
-rwxr-xr-x 1 root root 2189 May 20 11:07 newhostkey
-rwxr-xr-x 1 root root 64976 May 20 11:07 pf_key
-rwxr-xr-x 1 root root 1097424 May 20 11:07 pluto
-rwxr-xr-x 1 root root 10576 May 20 11:07 ranbits
-rwxr-xr-x 1 root root 27376 May 20 11:07 rsasigkey
-rwxr-xr-x 1 root root 704 May 20 11:07 secrets
lrwxrwxrwx 1 root root 30 Aug 27 01:32 setup -> ../../../etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1126 May 20 11:07 showdefaults
-rwxr-xr-x 1 root root 271680 May 20 11:07 showhostkey
-rwxr-xr-x 1 root root 26736 May 20 11:07 showpolicy
-rwxr-xr-x 1 root root 172456 May 20 11:07 spi
-rwxr-xr-x 1 root root 81504 May 20 11:07 spigrp
-rwxr-xr-x 1 root root 77032 May 20 11:07 tncfg
-rwxr-xr-x 1 root root 14828 May 20 11:07 verify
-rwxr-xr-x 1 root root 59904 May 20 11:07 whack
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                  |  Transmit
 face |bytes       packets  errs drop fifo frame compressed multicast|bytes        packets   errs drop fifo colls carrier compressed
    lo:   396908576   3515955 0    0    0    0     0          0         396908576    3515955   0    0    0    0     0       0
  eth0:  2949033220   2747077 0    0    0    0     0          23967     286893858    1048979   0    0    0    0     0       0
  eth1: 30812078921  95803480 0    0    0    0     0          516408    225975677139 168880592 0    0    0    0     0       0
  gre0:           0         0 0    0    0    0     0          0         0            0         0    0    0    0     0       0
gretap0:          0         0 0    0    0    0     0          0         0            0         0    0    0    0     0       0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
eth1  0017050A    1416050A 0003  0      0   0      00FFFFFF 0   0      0
eth1  0016050A    00000000 0001  0      0   0      00FFFFFF 0   0      0
eth0  00CCB432    00000000 0001  0      0   0      00FEFFFF 0   0      0
eth0  0000670A    01CCB432 0003  0      0   0      00F8FFFF 0   0      0
eth0  0000FEA9    00000000 0001  0      0   1002   0000FFFF 0   0      0
eth1  0000FEA9    00000000 0001  0      0   1003   0000FFFF 0   0      0
eth0  00000000    01CCB432 0003  0      0   0      00000000 0   0      0
+ _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
+ cat /proc/sys/net/ipv4/ip_no_pmtu_disc
0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
2
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
eth1/rp_filter gre0/rp_filter gretap0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
gre0/rp_filter:1
gretap0/rp_filter:1
lo/rp_filter:1
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/accept_redirects all/secure_redirects all/send_redirects
default/accept_redirects default/secure_redirects default/send_redirects
eth0/accept_redirects eth0/secure_redirects eth0/send_redirects
eth1/accept_redirects eth1/secure_redirects eth1/send_redirects
gre0/accept_redirects gre0/secure_redirects gre0/send_redirects
gretap0/accept_redirects gretap0/secure_redirects gretap0/send_redirects
lo/accept_redirects lo/secure_redirects lo/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:0
default/accept_redirects:0
default/secure_redirects:1
default/send_redirects:0
eth0/accept_redirects:0
eth0/secure_redirects:1
eth0/send_redirects:0
eth1/accept_redirects:0
eth1/secure_redirects:1
eth1/send_redirects:0
gre0/accept_redirects:0
gre0/secure_redirects:1
gre0/send_redirects:0
gretap0/accept_redirects:0
gretap0/secure_redirects:1
gretap0/send_redirects:0
lo/accept_redirects:0
lo/secure_redirects:1
lo/send_redirects:0
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
2
+ _________________________ uname-a
+ uname -a
Linux reagan.intranet 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ distro-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/redhat-release
+ cat /etc/redhat-release
CentOS release 6.5 (Final)
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/debian-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/SuSE-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/mandrake-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/mandriva-release
+ for distro in /etc/redhat-release /etc/debian-release
/etc/SuSE-release /etc/mandrake-release /etc/mandriva-release
/etc/gentoo-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (2.6.32-431.29.2.el6.x86_64) support detected '
NETKEY (2.6.32-431.29.2.el6.x86_64) support detected
+ _________________________ iptables
+ test -r /sbin/iptables-save -a -e /proc/net/ip_tables_names
+ iptables-save --modprobe=/dev/null
# Generated by iptables-save v1.4.7 on Sun Oct 19 15:14:20 2014
*nat
:PREROUTING ACCEPT [26885:2953753]
:POSTROUTING ACCEPT [30921:2779634]
:OUTPUT ACCEPT [30922:2779718]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 32444 -j DNAT --to-destination 10.5.22.50:32400
-A PREROUTING -i eth0 -p tcp -m tcp --dport 32445 -j REDIRECT --to-ports 32400
-A POSTROUTING -d 10.103.0.0/21 -j ACCEPT
-A POSTROUTING -s 10.5.22.0/23 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Oct 19 15:14:20 2014
# Generated by iptables-save v1.4.7 on Sun Oct 19 15:14:20 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [3882611:4133707051]
:OUTPUT ACCEPT [324386:43183050]
-A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 255.255.255.255/32 ! -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -s 10.5.22.0/23 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60022 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
-A INPUT -s 54.172.115.219/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -d 10.5.22.50/32 -p tcp -m tcp --dport 32400 -j ACCEPT
COMMIT
# Completed on Sun Oct 19 15:14:20 2014
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
authenc 6869 4 - Live 0xffffffffa05cf000
deflate 2107 0 - Live 0xffffffffa04df000
zlib_deflate 21629 1 deflate, Live 0xffffffffa04d6000
ctr 4331 0 - Live 0xffffffffa04d1000
camellia 18334 0 - Live 0xffffffffa04c9000
cast5 15242 0 - Live 0xffffffffa04c2000
rmd160 8154 0 - Live 0xffffffffa04bd000
crypto_null 2952 0 - Live 0xffffffffa04b9000
ccm 8247 0 - Live 0xffffffffa04b3000
serpent 18455 0 - Live 0xffffffffa04ab000
blowfish 7884 0 - Live 0xffffffffa04a6000
twofish_x86_64 5297 0 - Live 0xffffffffa04a1000
twofish_common 14633 1 twofish_x86_64, Live 0xffffffffa049a000
ecb 2209 0 - Live 0xffffffffa0496000
xcbc 2849 0 - Live 0xffffffffa0492000
cbc 3083 4 - Live 0xffffffffa048e000
sha256_generic 10361 0 - Live 0xffffffffa0488000
sha512_generic 4974 0 - Live 0xffffffffa0483000
des_generic 16604 0 - Live 0xffffffffa047b000
ablk_helper 3183 0 - Live 0xffffffffa044e000
cryptd 10040 1 ablk_helper, Live 0xffffffffa0447000
lrw 4216 0 - Live 0xffffffffa0442000
gf128mul 7961 1 lrw, Live 0xffffffffa043d000
glue_helper 6691 0 - Live 0xffffffffa0438000
aes_x86_64 7837 4 - Live 0xffffffffa0433000
aes_generic 27609 1 aes_x86_64, Live 0xffffffffa0420000
ah6 5191 0 - Live 0xffffffffa041b000
ah4 4320 0 - Live 0xffffffffa0416000
esp6 4979 0 - Live 0xffffffffa0411000
esp4 5390 4 - Live 0xffffffffa040c000
xfrm4_mode_beet 2069 0 - Live 0xffffffffa0408000
xfrm4_tunnel 1981 0 - Live 0xffffffffa0404000
tunnel4 2943 1 xfrm4_tunnel, Live 0xffffffffa0400000
xfrm4_mode_tunnel 2002 8 - Live 0xffffffffa03fc000
xfrm4_mode_transport 1449 0 - Live 0xffffffffa03f8000
xfrm6_mode_transport 1545 0 - Live 0xffffffffa03f4000
xfrm6_mode_ro 1318 0 - Live 0xffffffffa03f0000
xfrm6_mode_beet 2020 0 - Live 0xffffffffa03ec000
xfrm6_mode_tunnel 1906 4 - Live 0xffffffffa03e8000
ipcomp 2105 0 - Live 0xffffffffa03e4000
ipcomp6 2170 0 - Live 0xffffffffa03e0000
xfrm_ipcomp 4610 2 ipcomp,ipcomp6, Live 0xffffffffa03db000
xfrm6_tunnel 7969 1 ipcomp6, Live 0xffffffffa03d6000
tunnel6 2714 1 xfrm6_tunnel, Live 0xffffffffa03d2000
af_key 30123 0 - Live 0xffffffffa03bc000
ip_gre 9575 0 - Live 0xffffffffa03b5000
ip_tunnel 12597 1 ip_gre, Live 0xffffffffa03ad000
ipv6 318183 68 ah6,esp6,xfrm6_mode_beet,xfrm6_mode_tunnel,ipcomp6,xfrm6_tunnel,tunnel6,ip_tunnel, Live 0xffffffffa034b000
ipt_MASQUERADE 2466 1 - Live 0xffffffffa0347000
ipt_REDIRECT 1840 1 - Live 0xffffffffa0343000
iptable_nat 6158 1 - Live 0xffffffffa033e000
nf_nat 22759 3 ipt_MASQUERADE,ipt_REDIRECT,iptable_nat, Live 0xffffffffa0333000
ipt_REJECT 2351 1 - Live 0xffffffffa032f000
nf_conntrack_ipv4 9506 4 iptable_nat,nf_nat, Live 0xffffffffa0328000
nf_defrag_ipv4 1483 1 nf_conntrack_ipv4, Live 0xffffffffa0324000
xt_state 1492 1 - Live 0xffffffffa0273000
nf_conntrack 79758 5 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state, Live 0xffffffffa0303000
iptable_filter 2793 1 - Live 0xffffffffa0259000
ip_tables 17831 2 iptable_nat,iptable_filter, Live 0xffffffffa02fd000
k10temp 3609 0 - Live 0xffffffffa0032000
amd64_edac_mod 21913 0 - Live 0xffffffffa029f000
edac_core 46581 3 amd64_edac_mod, Live 0xffffffffa02e9000
edac_mce_amd 14705 1 amd64_edac_mod, Live 0xffffffffa024f000
i2c_piix4 12608 0 - Live 0xffffffffa00b3000
shpchp 32778 0 - Live 0xffffffffa01db000
e1000e 267701 0 - Live 0xffffffffa02a6000
tg3 161896 0 - Live 0xffffffffa0276000
ptp 9614 2 e1000e,tg3, Live 0xffffffffa026f000
pps_core 11458 1 ptp, Live 0xffffffffa0268000
sg 29350 0 - Live 0xffffffffa025b000
ext4 374405 4 - Live 0xffffffffa01e5000
jbd2 93427 1 ext4, Live 0xffffffffa01c3000
mbcache 8193 1 ext4, Live 0xffffffffa00d0000
sd_mod 40217 5 - Live 0xffffffffa009c000
crc_t10dif 1541 1 sd_mod, Live 0xffffffffa0046000
ata_generic 3837 0 - Live 0xffffffffa003e000
pata_acpi 3701 0 - Live 0xffffffffa002a000
pata_atiixp 4211 0 - Live 0xffffffffa001c000
ahci 42247 3 - Live 0xffffffffa008e000
radeon 960781 1 - Live 0xffffffffa00d7000
ttm 80590 1 radeon, Live 0xffffffffa00b9000
drm_kms_helper 44321 1 radeon, Live 0xffffffffa00a7000
drm 280012 3 radeon,ttm,drm_kms_helper, Live 0xffffffffa0048000
i2c_algo_bit 5935 1 radeon, Live 0xffffffffa0043000
i2c_core 31084 5 i2c_piix4,radeon,drm_kms_helper,drm,i2c_algo_bit, Live 0xffffffffa0035000
dm_mirror 14384 0 - Live 0xffffffffa002d000
dm_region_hash 12085 1 dm_mirror, Live 0xffffffffa0026000
dm_log 9930 2 dm_mirror,dm_region_hash, Live 0xffffffffa001f000
dm_mod 84337 11 dm_mirror,dm_log, Live 0xffffffffa0000000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 7930408 kB
MemFree: 165316 kB
Buffers: 296880 kB
Cached: 5468840 kB
SwapCached: 28272 kB
Active: 2075200 kB
Inactive: 5211500 kB
Active(anon): 704060 kB
Inactive(anon): 817144 kB
Active(file): 1371140 kB
Inactive(file): 4394356 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 10174460 kB
SwapFree: 10007800 kB
Dirty: 176 kB
Writeback: 0 kB
AnonPages: 1494376 kB
Mapped: 45248 kB
Shmem: 228 kB
Slab: 377648 kB
SReclaimable: 337228 kB
SUnreclaim: 40420 kB
KernelStack: 2400 kB
PageTables: 19992 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 14139664 kB
Committed_AS: 3320820 kB
VmallocTotal: 34359738367 kB
VmallocUsed: 299352 kB
VmallocChunk: 34359432272 kB
HardwareCorrupted: 0 kB
AnonHugePages: 1347584 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB
DirectMap4k: 9792 kB
DirectMap2M: 1955840 kB
DirectMap1G: 6291456 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.32-431.29.2.el6.x86_64/build/.config
+ echo 'no .config file found, cannot list kernel properties'
no .config file found, cannot list kernel properties
+ _________________________ etc/syslog.conf
+ _________________________ etc/syslog-ng/syslog-ng.conf
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ cat /etc/syslog.conf
cat: /etc/syslog.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search hsd1.ga.comcast.net. intranet
nameserver 127.0.0.1
nameserver 75.75.76.76
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 20
drwxr-xr-x 7 root root 4096 Jan 24 2014 2.6.32-431.3.1.el6.x86_64
drwxr-xr-x 7 root root 4096 Apr 13 2014 2.6.32-431.11.2.el6.x86_64
drwxr-xr-x 7 root root 4096 Jun 8 21:50 2.6.32-431.17.1.el6.x86_64
drwxr-xr-x 7 root root 4096 Aug 15 02:23 2.6.32-431.23.3.el6.x86_64
drwxr-xr-x 7 root root 4096 Sep 26 02:47 2.6.32-431.29.2.el6.x86_64
+ _________________________ fipscheck
+ cat /proc/sys/crypto/fips_enabled
0
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
ffffffff81461bd0 T netif_rx
ffffffff81461e40 T netif_rx_ni
ffffffff814764c0 t ftrace_raw_output_netif_rx
ffffffff81476a30 t ftrace_profile_disable_netif_rx
ffffffff81476a50 t ftrace_raw_unreg_event_netif_rx
ffffffff81476cf0 t ftrace_profile_enable_netif_rx
ffffffff81476d10 t ftrace_raw_reg_event_netif_rx
ffffffff814775e0 t ftrace_raw_init_event_netif_rx
ffffffff81478150 t ftrace_raw_event_netif_rx
ffffffff81478960 t ftrace_profile_netif_rx
ffffffff8182b0f2 r __tpstrtab_netif_rx
ffffffff8183ea30 r __ksymtab_netif_rx_ni
ffffffff8183ea40 r __ksymtab_netif_rx
ffffffff8184ef40 r __kcrctab_netif_rx_ni
ffffffff8184ef48 r __kcrctab_netif_rx
ffffffff8186a218 r __kstrtab_netif_rx_ni
ffffffff8186a224 r __kstrtab_netif_rx
ffffffff81b1a500 d ftrace_event_type_netif_rx
ffffffff81bd0280 D __tracepoint_netif_rx
ffffffff81bfb830 d event_netif_rx
ffffffff81d26df0 t __event_netif_rx
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.32-431.11.2.el6.x86_64:
2.6.32-431.17.1.el6.x86_64:
2.6.32-431.23.3.el6.x86_64:
2.6.32-431.29.2.el6.x86_64:
2.6.32-431.3.1.el6.x86_64:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '4443,$p' /var/log/messages
+ case "$1" in
+ egrep -i 'ipsec|klips|pluto'
+ cat
Oct 19 15:13:12 reagan ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-431.29.2.el6.x86_64...
Oct 19 15:13:12 reagan ipsec_setup: Using NETKEY(XFRM) stack
Oct 19 15:13:12 reagan ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Oct 19 15:13:12 reagan ipsec_setup: ...Openswan IPsec started
Oct 19 15:13:12 reagan ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Oct 19 15:13:12 reagan pluto: adjusting ipsec.d to /etc/ipsec.d
Oct 19 15:13:12 reagan ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Oct 19 15:13:12 reagan ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Oct 19 15:13:12 reagan ipsec__plutorun: 002 added connection description "aws-test-net"
Oct 19 15:13:13 reagan ipsec__plutorun: 104 "aws-test-net" #1: STATE_MAIN_I1: initiate
+ _________________________ plog
+ sed -n '83,$p' /var/log/secure
+ case "$1" in
+ cat
+ egrep -i pluto
Oct 19 15:13:12 reagan ipsec__plutorun: Starting Pluto subsystem...
+ _________________________ date
+ date
Sun Oct 19 15:14:20 UTC 2014
[root at hostA ipsec.d]#
[root at hostA ipsec.d]#
[root at hostA ipsec.d]# iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:32444 to:10.5.22.50:32400
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:32445 redir ports 32400
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            10.103.0.0/21
MASQUERADE all  --  10.5.22.0/23         0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at hostA ipsec.d]#
[root at hostA ipsec.d]#
[root at hostA ipsec.d]# iptables -n -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            255.255.255.255      udp spt:68 dpt:67
ACCEPT     all  --  10.5.22.0/23         0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 12
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:60022
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25565
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:32400
ACCEPT     all  --  54.172.115.219       0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-admin-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            10.5.22.50           tcp dpt:32400
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at hostA ipsec.d]#
/// hostB ///
[root at hostB ipsec.d]# ifconfig
eth0 Link encap:Ethernet HWaddr 12:1D:47:AD:6F:6C
inet addr:10.103.7.4 Bcast:10.103.7.127 Mask:255.255.255.128
inet6 addr: fe80::101d:47ff:fead:6f6c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:22874 errors:0 dropped:0 overruns:0 frame:0
TX packets:18249 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5824689 (5.5 MiB) TX bytes:2603460 (2.4 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:125 errors:0 dropped:0 overruns:0 frame:0
TX packets:125 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14544 (14.2 KiB) TX bytes:14544 (14.2 KiB)
[root at hostB ipsec.d]#
[root at hostB ipsec.d]#
[root at hostB ipsec.d]# wget -O - -q http://3cx.org/ipaddr.php
54.172.115.219
[root at hostB ipsec.d]#
[root at hostB ipsec.d]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.14.20-20.44.amzn1.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
[root at hostB ipsec.d]#
[root at hostB ipsec.d]#
[root at hostB ipsec.d]# ip route
default via 10.103.7.1 dev eth0
10.55.22.0/24 via 10.103.7.1 dev eth0 src 10.103.7.4
10.103.7.0/25 dev eth0 proto kernel scope link src 10.103.7.4
10.103.7.0/24 dev eth0 proto kernel scope link src 10.103.7.4
169.254.169.254 dev eth0
[root at hostB ipsec.d]#
[root at hostB ipsec.d]#
[root at hostB ipsec.d]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
plutodebug=all
plutostderrlog=/var/log/pluto.log
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.103.0.0/21
oe=off
# Enable this if you see "failed to find any available worker"
# nhelpers=0
# disable_port_floating=yes
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
[root at hostB ipsec.d]#
[root at hostB ipsec.d]#
[root at hostB ipsec.d]# cat /etc/ipsec.d/mike_home.conf
conn mike-home-net
authby=secret
auto=start
pfs=yes
type=tunnel
left=%defaultroute
leftid=54.172.115.219
leftsourceip=10.103.7.4
leftnexthop=%defaultroute
leftsubnet=10.103.0.0/21
right=50.180.204.192
rightsubnet=10.55.22.0/24
[root at hostB ipsec.d]#
[root at hostB ipsec.d]#
[root at hostB ipsec.d]# service ipsec status
IPsec running - pluto pid: 31416
pluto pid 31416
2 tunnels up
some eroutes exist
[root at hostB ipsec.d]#
[root at hostB ipsec.d]#
[root at hostB ipsec.d]# ipsec whack --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.103.7.4
000 interface eth0/eth0 10.103.7.4
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 1 subnet: 10.103.0.0/21
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "mike-home-net": 10.103.0.0/21===10.103.7.4[54.172.115.219,+S=C]---10.103.7.1...50.180.204.192<50.180.204.192>[+S=C]===10.55.22.0/24; erouted; eroute owner: #4
000 "mike-home-net": myip=10.103.7.4; hisip=unset;
000 "mike-home-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mike-home-net": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 21,24; interface: eth0;
000 "mike-home-net": dpd: action:clear; delay:0; timeout:0;
000 "mike-home-net": newest ISAKMP SA: #1; newest IPsec SA: #4;
000 "mike-home-net": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #4: "mike-home-net":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27829s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #4: "mike-home-net" esp.804754cc at 50.180.204.192 esp.33836f94 at 10.103.7.4 tun.0 at 50.180.204.192 tun.0 at 10.103.7.4 ref=0 refhim=4294901761
000 #1: "mike-home-net":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2388s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #3: "mike-home-net":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28305s; isakmp#2; idle; import:not set
000 #3: "mike-home-net" esp.b8091b5 at 50.180.204.192 esp.313a5104 at 10.103.7.4 tun.0 at 50.180.204.192 tun.0 at 10.103.7.4 ref=0 refhim=4294901761
000 #2: "mike-home-net":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3105s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000
[root at hostB ipsec.d]#
[root at hostB ipsec.d]#
[root at hostB ipsec.d]# ipsec barf
ip-10-103-7-4
Sun Oct 19 15:17:02 UTC 2014
+ _________________________ version
+ ipsec --version
Linux Openswan U2.6.37/K3.14.20-20.44.amzn1.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
+ _________________________ /proc/version
+ cat /proc/version
Linux version 3.14.20-20.44.amzn1.x86_64 (mockbuild at gobi-build-60001) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) ) #1 SMP Mon Oct 6 22:52:46 UTC 2014
+ _________________________ /proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ head -n 100
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.103.7.1 0.0.0.0 UG 0 0 0 eth0
10.55.22.0 10.103.7.1 255.255.255.0 UG 0 0 0 eth0
10.103.7.0 0.0.0.0 255.255.255.128 U 0 0 0 eth0
10.103.7.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.169.254 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
+ _________________________ /proc/net/ipsec_spi
+ test -r /proc/net/ipsec_spi
+ _________________________ /proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ /proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ ip-xfrm-state
+ ip xfrm state
src 50.180.204.192 dst 10.103.7.4
proto esp spi 0x33836f94 reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x1529cb112923457d4418998670cb84e6b60953a3 96
enc cbc(aes) 0x80c7ca28fac7bc89f36dbbcbed7c7837
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 10.103.7.4 dst 50.180.204.192
proto esp spi 0x804754cc reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xbb203f72d15be04600b84ec7b44515e6eabded06 96
enc cbc(aes) 0xe720380f19515c09ad1cd94faab6e2af
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 50.180.204.192 dst 10.103.7.4
proto esp spi 0x313a5104 reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xedfda17b73aa3a474f5f872a65c5ae791d31564b 96
enc cbc(aes) 0x7909bd0462714360c8b35e77aed0fe9b
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 10.103.7.4 dst 50.180.204.192
proto esp spi 0x0b8091b5 reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x417d4b34386f032f35a90e8f8e8f2783c3dd64b3 96
enc cbc(aes) 0xe57a433a591ab0c9d82a26026b7326f8
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
+ _________________________ ip-xfrm-policy
+ ip xfrm policy
src 10.103.0.0/21 dst 10.55.22.0/24
dir out priority 2440 ptype main
tmpl src 10.103.7.4 dst 50.180.204.192
proto esp reqid 16385 mode tunnel
src 10.55.22.0/24 dst 10.103.0.0/21
dir fwd priority 2440 ptype main
tmpl src 50.180.204.192 dst 10.103.7.4
proto esp reqid 16385 mode tunnel
src 10.55.22.0/24 dst 10.103.0.0/21
dir in priority 2440 ptype main
tmpl src 50.180.204.192 dst 10.103.7.4
proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
+ _________________________ /proc/crypto
+ test -r /proc/crypto
+ cat /proc/crypto
blocksize : 16
min keysize : 16
max keysize : 32
name : sha224
driver : sha224-ssse3
module : sha256_ssse3
priority : 150
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 28
name : sha256
driver : sha256-ssse3
module : sha256_ssse3
priority : 150
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 32
name : sha384
driver : sha384-ssse3
module : sha512_ssse3
priority : 150
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 48
name : sha512
driver : sha512-ssse3
module : sha512_ssse3
priority : 150
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 64
name : sha384
driver : sha384-generic
module : sha512_generic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 48
name : sha512
driver : sha512-generic
module : sha512_generic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 128
digestsize : 64
name : des3_ede
driver : des3_ede-generic
module : des_generic
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 24
max keysize : 24
name : des
driver : des-generic
module : des_generic
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 8
max keysize : 8
name : xts(aes)
driver : xts-aes-aesni
module : aesni_intel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : <default>
name : lrw(aes)
driver : lrw-aes-aesni
module : aesni_intel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 32
max keysize : 48
ivsize : 16
geniv : <default>
name : __xts-aes-aesni
driver : __driver-xts-aes-aesni
module : aesni_intel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 32
max keysize : 64
ivsize : 16
geniv : <default>
name : __lrw-aes-aesni
driver : __driver-lrw-aes-aesni
module : aesni_intel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 32
max keysize : 48
ivsize : 16
geniv : <default>
name : pcbc(aes)
driver : pcbc-aes-aesni
module : aesni_intel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : rfc4106(gcm(aes))
driver : rfc4106-gcm-aesni
module : aesni_intel
priority : 400
refcnt : 1
selftest : passed
type : nivaead
async : yes
blocksize : 1
ivsize : 8
maxauthsize : 16
geniv : seqiv
name : __gcm-aes-aesni
driver : __driver-gcm-aes-aesni
module : aesni_intel
priority : 0
refcnt : 1
selftest : passed
type : aead
async : no
blocksize : 1
ivsize : 0
maxauthsize : 0
geniv : <built-in>
name : ctr(aes)
driver : ctr-aes-aesni
module : aesni_intel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : chainiv
name : __ctr-aes-aesni
driver : __driver-ctr-aes-aesni
module : aesni_intel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : cbc(aes)
driver : cbc-aes-aesni
module : aesni_intel
priority : 400
refcnt : 5
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : __ecb-aes-aesni
driver : cryptd(__driver-ecb-aes-aesni)
module : cryptd
priority : 50
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>
name : ecb(aes)
driver : ecb-aes-aesni
module : aesni_intel
priority : 400
refcnt : 1
selftest : passed
type : ablkcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>
name : __cbc-aes-aesni
driver : __driver-cbc-aes-aesni
module : aesni_intel
priority : 0
refcnt : 5
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>
name : __ecb-aes-aesni
driver : __driver-ecb-aes-aesni
module : aesni_intel
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 0
geniv : <default>
name : __aes-aesni
driver : __driver-aes-aesni
module : aesni_intel
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : aes
driver : aes-aesni
module : aesni_intel
priority : 300
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : aes
driver : aes-asm
module : aes_x86_64
priority : 200
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : stdrng
driver : krng
module : kernel
priority : 200
refcnt : 2
selftest : passed
type : rng
seedsize : 0
name : lzo
driver : lzo-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : compression
name : crc32c
driver : crc32c-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : shash
blocksize : 1
digestsize : 4
name : aes
driver : aes-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : sha224
driver : sha224-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 28
name : sha256
driver : sha256-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 32
name : sha1
driver : sha1-generic
module : kernel
priority : 0
refcnt : 5
selftest : passed
type : shash
blocksize : 64
digestsize : 20
name : md5
driver : md5-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 16
+ __________________________/proc/sys/net/core/xfrm-star
/usr/libexec/ipsec/barf: line 190: __________________________/proc/sys/net/core/xfrm-star: No such file or directory
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_acq_expires: '
/proc/sys/net/core/xfrm_acq_expires: + cat /proc/sys/net/core/xfrm_acq_expires
30
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_aevent_etime: '
/proc/sys/net/core/xfrm_aevent_etime: + cat /proc/sys/net/core/xfrm_aevent_etime
10
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_aevent_rseqth: '
/proc/sys/net/core/xfrm_aevent_rseqth: + cat /proc/sys/net/core/xfrm_aevent_rseqth
2
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_larval_drop: '
/proc/sys/net/core/xfrm_larval_drop: + cat /proc/sys/net/core/xfrm_larval_drop
1
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.103.7.4
000 interface eth0/eth0 10.103.7.4
000 %myid = (none)
000 debug
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 1 subnet: 10.103.0.0/21
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "mike-home-net": 10.103.0.0/21===10.103.7.4[54.172.115.219,+S=C]---10.103.7.1...50.180.204.192<50.180.204.192>[+S=C]===10.55.22.0/24; erouted; eroute owner: #4
000 "mike-home-net": myip=10.103.7.4; hisip=unset;
000 "mike-home-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mike-home-net": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 21,24; interface: eth0;
000 "mike-home-net": dpd: action:clear; delay:0; timeout:0;
000 "mike-home-net": newest ISAKMP SA: #1; newest IPsec SA: #4;
000 "mike-home-net": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #4: "mike-home-net":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27825s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #4: "mike-home-net" esp.804754cc@50.180.204.192 esp.33836f94@10.103.7.4 tun.0@50.180.204.192 tun.0@10.103.7.4 ref=0 refhim=4294901761
000 #1: "mike-home-net":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2384s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #3: "mike-home-net":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28301s; isakmp#2; idle; import:not set
000 #3: "mike-home-net" esp.b8091b5@50.180.204.192 esp.313a5104@10.103.7.4 tun.0@50.180.204.192 tun.0@10.103.7.4 ref=0 refhim=4294901761
000 #2: "mike-home-net":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3101s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 12:1D:47:AD:6F:6C
inet addr:10.103.7.4 Bcast:10.103.7.127 Mask:255.255.255.128
inet6 addr: fe80::101d:47ff:fead:6f6c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:23114 errors:0 dropped:0 overruns:0 frame:0
TX packets:18405 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5841471 (5.5 MiB) TX bytes:2631693 (2.5 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:125 errors:0 dropped:0 overruns:0 frame:0
TX packets:125 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14544 (14.2 KiB) TX bytes:14544 (14.2 KiB)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP qlen 1000
link/ether 12:1d:47:ad:6f:6c brd ff:ff:ff:ff:ff:ff
inet 10.103.7.4/25 brd 10.103.7.127 scope global eth0
valid_lft forever preferred_lft forever
inet 10.103.7.4/24 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::101d:47ff:fead:6f6c/64 scope link
valid_lft forever preferred_lft forever
+ _________________________ ip-route-list
+ ip route list
default via 10.103.7.1 dev eth0
10.55.22.0/24 via 10.103.7.1 dev eth0 src 10.103.7.4
10.103.7.0/25 dev eth0 proto kernel scope link src 10.103.7.4
10.103.7.0/24 dev eth0 proto kernel scope link src 10.103.7.4
169.254.169.254 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.14.20-20.44.amzn1.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support
[DISABLED]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
No interface specified
usage: /sbin/mii-tool [-VvRrwl] [-A media,... | -F media] <interface>
...
-V, --version display version information
-v, --verbose more verbose output
-R, --reset reset MII to poweron state
-r, --restart restart autonegotiation
-w, --watch monitor for link status changes
-l, --log with -w, write events to syslog
-A, --advertise=media,... advertise only specified media
-F, --force=media force specified media technology
media: 100baseT4, 100baseTx-FD, 100baseTx-HD, 10baseT-FD, 10baseT-HD,
(to advertise both HD and FD) 100baseTx, 10baseT
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/libexec/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
hostname: Unknown host
+ _________________________ hostname/ipaddress
+ hostname --ip-address
hostname: Unknown host
+ _________________________ uptime
+ uptime
15:17:02 up 14:11, 1 user, load average: 0.00, 0.02, 0.05
+ _________________________ ps
+ egrep -i 'ppid|pluto|ipsec|klips'
+ ps alxwf
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 31596 30658 20 0 112920 1524 wait S+ pts/0 0:00 \_ /bin/sh /usr/libexec/ipsec/barf
0 0 31655 31596 20 0 4268 608 pipe_w S+ pts/0 0:00 \_ egrep -i ppid|pluto|ipsec|klips
1 0 31409 1 20 0 11408 544 wait S pts/0 0:00 /bin/sh /usr/libexec/ipsec/_plutorun --debug all raw crypt parsing emitting control lifecycle klips dns oppo oppoinfo controlmore x509 dpd pfkey natt nattraversal --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.103.0.0/21 --listen --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog /var/log/pluto.log --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
1 0 31413 31409 20 0 11408 652 wait S pts/0 0:00 \_ /bin/sh /usr/libexec/ipsec/_plutorun --debug all raw crypt parsing emitting control lifecycle klips dns oppo oppoinfo controlmore x509 dpd pfkey natt nattraversal --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.103.0.0/21 --listen --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog /var/log/pluto.log --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
4 0 31416 31413 20 0 117960 3960 poll_s Sl pts/0 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-all --debug-raw --debug-crypt --debug-parsing --debug-emitting --debug-control --debug-lifecycle --debug-klips --debug-dns --debug-oppo --debug-oppoinfo --debug-controlmore --debug-x509 --debug-dpd --debug-pfkey --debug-natt --debug-nattraversal --use-netkey --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.103.0.0/21 --stderrlog
0 0 31444 31416 20 0 6188 376 poll_s S pts/0 0:00 | \_ _pluto_adns -d
0 0 31414 31409 20 0 11404 1424 pipe_w S pts/0 0:00 \_ /bin/sh /usr/libexec/ipsec/_plutoload --wait no --post
0 0 31410 1 20 0 4188 624 pipe_w S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=none
routeaddr=10.103.7.4
routenexthop=10.103.7.1
+ _________________________ ipsec/conf
+ ipsec _keycensor
+ ipsec _include /etc/ipsec.conf
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
plutodebug=all
plutostderrlog=/var/log/pluto.log
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.103.0.0/21
oe=off
# Enable this if you see "failed to find any available worker"
# nhelpers=0
# disable_port_floating=yes
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#< /etc/ipsec.d/mike_home.conf 1
conn mike-home-net
authby=secret
auto=start
pfs=yes
type=tunnel
left=%defaultroute
leftid=54.172.115.219
leftsourceip=10.103.7.4
leftnexthop=%defaultroute
leftsubnet=10.103.0.0/21
right=50.180.204.192
rightsubnet=10.55.22.0/24
#> /etc/ipsec.conf 27
+ _________________________ ipsec/secrets
+ ipsec _secretcensor
+ ipsec _include /etc/ipsec.secrets
#< /etc/ipsec.secrets 1
#< /etc/ipsec.d/mike_home.secrets 1
54.172.115.219 50.180.204.192: PSK "[sums to 73c5...]"
#> /etc/ipsec.secrets 2
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000 1: PSK 50.180.204.192 54.172.115.219
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# root name servers should be in the clear
192.58.128.30/32
198.41.0.4/32
192.228.79.201/32
192.33.4.12/32
128.8.10.90/32
192.203.230.10/32
192.5.5.241/32
192.112.36.4/32
128.63.2.53/32
192.36.148.17/32
193.0.14.129/32
199.7.83.42/32
202.12.27.33/32
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear
otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/libexec/ipsec
total 2400
-rwxr-xr-x 1 root root 10592 Mar 10 2014 _copyright
-rwxr-xr-x 1 root root 2430 Mar 10 2014 _include
-rwxr-xr-x 1 root root 1475 Mar 10 2014 _keycensor
-rwxr-xr-x 1 root root 14528 Mar 10 2014 _pluto_adns
-rwxr-xr-x 1 root root 2567 Mar 10 2014 _plutoload
-rwxr-xr-x 1 root root 8307 Mar 10 2014 _plutorun
-rwxr-xr-x 1 root root 13684 Mar 10 2014 _realsetup
-rwxr-xr-x 1 root root 1975 Mar 10 2014 _secretcensor
-rwxr-xr-x 1 root root 12347 Mar 10 2014 _startklips
-rwxr-xr-x 1 root root 6188 Mar 10 2014 _startnetkey
-rwxr-xr-x 1 root root 4923 Mar 10 2014 _updown
-rwxr-xr-x 1 root root 17776 Mar 10 2014 _updown.klips
-rwxr-xr-x 1 root root 17537 Mar 10 2014 _updown.mast
-rwxr-xr-x 1 root root 14058 Mar 10 2014 _updown.netkey
-rwxr-xr-x 1 root root 225840 Mar 10 2014 addconn
-rwxr-xr-x 1 root root 6167 Mar 10 2014 auto
-rwxr-xr-x 1 root root 11317 Mar 10 2014 barf
-rwxr-xr-x 1 root root 93840 Mar 10 2014 eroute
-rwxr-xr-x 1 root root 26736 Mar 10 2014 ikeping
-rwxr-xr-x 1 root root 73648 Mar 10 2014 klipsdebug
-rwxr-xr-x 1 root root 2783 Mar 10 2014 look
-rwxr-xr-x 1 root root 2189 Mar 10 2014 newhostkey
-rwxr-xr-x 1 root root 69072 Mar 10 2014 pf_key
-rwxr-xr-x 1 root root 986600 Mar 10 2014 pluto
-rwxr-xr-x 1 root root 12349 Mar 10 2014 policy
-rwxr-xr-x 1 root root 10576 Mar 10 2014 ranbits
-rwxr-xr-x 1 root root 27376 Mar 10 2014 rsasigkey
-rwxr-xr-x 1 root root 704 Mar 10 2014 secrets
lrwxrwxrwx 1 root root 30 Oct 18 21:29 setup -> ../../../etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1126 Mar 10 2014 showdefaults
-rwxr-xr-x 1 root root 263520 Mar 10 2014 showhostkey
-rwxr-xr-x 1 root root 26736 Mar 10 2014 showpolicy
-rwxr-xr-x 1 root root 176552 Mar 10 2014 spi
-rwxr-xr-x 1 root root 81504 Mar 10 2014 spigrp
-rwxr-xr-x 1 root root 81128 Mar 10 2014 tncfg
-rwxr-xr-x 1 root root 14674 Mar 10 2014 verify
-rwxr-xr-x 1 root root 59904 Mar 10 2014 whack
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 2400
-rwxr-xr-x 1 root root 10592 Mar 10 2014 _copyright
-rwxr-xr-x 1 root root 2430 Mar 10 2014 _include
-rwxr-xr-x 1 root root 1475 Mar 10 2014 _keycensor
-rwxr-xr-x 1 root root 14528 Mar 10 2014 _pluto_adns
-rwxr-xr-x 1 root root 2567 Mar 10 2014 _plutoload
-rwxr-xr-x 1 root root 8307 Mar 10 2014 _plutorun
-rwxr-xr-x 1 root root 13684 Mar 10 2014 _realsetup
-rwxr-xr-x 1 root root 1975 Mar 10 2014 _secretcensor
-rwxr-xr-x 1 root root 12347 Mar 10 2014 _startklips
-rwxr-xr-x 1 root root 6188 Mar 10 2014 _startnetkey
-rwxr-xr-x 1 root root 4923 Mar 10 2014 _updown
-rwxr-xr-x 1 root root 17776 Mar 10 2014 _updown.klips
-rwxr-xr-x 1 root root 17537 Mar 10 2014 _updown.mast
-rwxr-xr-x 1 root root 14058 Mar 10 2014 _updown.netkey
-rwxr-xr-x 1 root root 225840 Mar 10 2014 addconn
-rwxr-xr-x 1 root root 6167 Mar 10 2014 auto
-rwxr-xr-x 1 root root 11317 Mar 10 2014 barf
-rwxr-xr-x 1 root root 93840 Mar 10 2014 eroute
-rwxr-xr-x 1 root root 26736 Mar 10 2014 ikeping
-rwxr-xr-x 1 root root 73648 Mar 10 2014 klipsdebug
-rwxr-xr-x 1 root root 2783 Mar 10 2014 look
-rwxr-xr-x 1 root root 2189 Mar 10 2014 newhostkey
-rwxr-xr-x 1 root root 69072 Mar 10 2014 pf_key
-rwxr-xr-x 1 root root 986600 Mar 10 2014 pluto
-rwxr-xr-x 1 root root 12349 Mar 10 2014 policy
-rwxr-xr-x 1 root root 10576 Mar 10 2014 ranbits
-rwxr-xr-x 1 root root 27376 Mar 10 2014 rsasigkey
-rwxr-xr-x 1 root root 704 Mar 10 2014 secrets
lrwxrwxrwx 1 root root 30 Oct 18 21:29 setup -> ../../../etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1126 Mar 10 2014 showdefaults
-rwxr-xr-x 1 root root 263520 Mar 10 2014 showhostkey
-rwxr-xr-x 1 root root 26736 Mar 10 2014 showpolicy
-rwxr-xr-x 1 root root 176552 Mar 10 2014 spi
-rwxr-xr-x 1 root root 81504 Mar 10 2014 spigrp
-rwxr-xr-x 1 root root 81128 Mar 10 2014 tncfg
-rwxr-xr-x 1 root root 14674 Mar 10 2014 verify
-rwxr-xr-x 1 root root 59904 Mar 10 2014 whack
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 5842928   23133    0    0    0     0          0         0  2701277   18444    0    0    0     0       0          0
    lo:   14544     125    0    0    0     0          0         0    14544     125    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface   Destination   Gateway    Flags   RefCnt   Use   Metric   Mask       MTU   Window   IRTT
eth0    00000000      0107670A   0003    0        0     0        00000000   0     0        0
eth0    0016370A      0107670A   0003    0        0     0        00FFFFFF   0     0        0
eth0    0007670A      00000000   0001    0        0     0        80FFFFFF   0     0        0
eth0    0007670A      00000000   0001    0        0     0        00FFFFFF   0     0        0
eth0    FEA9FEA9      00000000   0005    0        0     0        FFFFFFFF   0     0        0
+ _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
+ cat /proc/sys/net/ipv4/ip_no_pmtu_disc
0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
2
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
lo/rp_filter:0
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/accept_redirects all/secure_redirects all/send_redirects
default/accept_redirects default/secure_redirects default/send_redirects
eth0/accept_redirects eth0/secure_redirects eth0/send_redirects
lo/accept_redirects lo/secure_redirects lo/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:0
default/accept_redirects:0
default/secure_redirects:1
default/send_redirects:0
eth0/accept_redirects:0
eth0/secure_redirects:1
eth0/send_redirects:0
lo/accept_redirects:0
lo/secure_redirects:1
lo/send_redirects:0
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
1
+ _________________________ uname-a
+ uname -a
Linux ip-10-103-7-4 3.14.20-20.44.amzn1.x86_64 #1 SMP Mon Oct 6 22:52:46 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ distro-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/redhat-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/debian-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/SuSE-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/mandrake-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/mandriva-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ test -f /etc/gentoo-release
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (3.14.20-20.44.amzn1.x86_64) support detected '
NETKEY (3.14.20-20.44.amzn1.x86_64) support detected
+ _________________________ iptables
+ test -r /sbin/iptables-save
+ iptables-save
+ _________________________ iptables-nat
+ iptables-save -t nat
# Generated by iptables-save v1.4.18 on Sun Oct 19 15:17:02 2014
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun Oct 19 15:17:02 2014
+ _________________________ iptables-mangle
+ iptables-save -t mangle
# Generated by iptables-save v1.4.18 on Sun Oct 19 15:17:02 2014
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun Oct 19 15:17:02 2014
+ _________________________ ip6tables
+ test -r /sbin/ip6tables-save
+ ip6tables-save
+ _________________________ ip6tables-mangle
+ ip6tables-save -t mangle
# Generated by ip6tables-save v1.4.18 on Sun Oct 19 15:17:02 2014
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun Oct 19 15:17:02 2014
+ _________________________ ip6tables
+ _________________________ /proc/modules
+ test -f /proc/modules
+ cat /proc/modules
ip6table_mangle 1780 0 - Live 0xffffffffa10a7000
ip6_tables 17737 1 ip6table_mangle, Live 0xffffffffa109e000
iptable_mangle 1743 0 - Live 0xffffffffa109a000
iptable_nat 3010 0 - Live 0xffffffffa1096000
nf_conntrack_ipv4 14205 1 - Live 0xffffffffa108e000
nf_defrag_ipv4 1742 1 nf_conntrack_ipv4, Live 0xffffffffa108a000
nf_nat_ipv4 3855 1 iptable_nat, Live 0xffffffffa1086000
nf_nat 15515 2 iptable_nat,nf_nat_ipv4, Live 0xffffffffa107d000
nf_conntrack 90792 4 iptable_nat,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat,
Live 0xffffffffa1059000
ip_tables 17308 2 iptable_mangle,iptable_nat, Live 0xffffffffa1050000
x_tables 23563 4 ip6table_mangle,ip6_tables,iptable_mangle,ip_tables,
Live 0xffffffffa1044000
xfrm_user 25533 2 - Live 0xffffffffa1022000
ah6 5838 0 - Live 0xffffffffa101d000
ah4 5580 0 - Live 0xffffffffa1018000
esp6 6023 0 - Live 0xffffffffa1013000
esp4 6434 4 - Live 0xffffffffa100e000
xfrm4_mode_beet 2091 0 - Live 0xffffffffa100a000
xfrm4_tunnel 2129 0 - Live 0xffffffffa1006000
xfrm4_mode_tunnel 3107 8 - Live 0xffffffffa1002000
xfrm4_mode_transport 1487 0 - Live 0xffffffffa0ffe000
xfrm6_mode_transport 1551 0 - Live 0xffffffffa0ffa000
xfrm6_mode_ro 1292 0 - Live 0xffffffffa0ff6000
xfrm6_mode_beet 1994 0 - Live 0xffffffffa0ff2000
xfrm6_mode_tunnel 3011 4 - Live 0xffffffffa0fee000
ipcomp 2157 0 - Live 0xffffffffa0fea000
ipcomp6 2254 0 - Live 0xffffffffa0fe6000
xfrm6_tunnel 4189 1 ipcomp6, Live 0xffffffffa0fe1000
tunnel6 2782 1 xfrm6_tunnel, Live 0xffffffffa0fdd000
xfrm_ipcomp 4685 2 ipcomp,ipcomp6, Live 0xffffffffa0fd8000
af_key 30795 0 - Live 0xffffffffa0fc2000
authenc 7048 4 - Live 0xffffffffa0617000
cmac 2764 0 - Live 0xffffffffa040b000
rmd160 7808 0 - Live 0xffffffffa0406000
crypto_null 2816 0 - Live 0xffffffffa0402000
camellia_generic 18500 0 - Live 0xffffffffa03fa000
camellia_aesni_avx_x86_64 21278 0 - Live 0xffffffffa03e6000
camellia_x86_64 47226 1 camellia_aesni_avx_x86_64, Live
0xffffffffa03d6000
cast6_avx_x86_64 61371 0 - Live 0xffffffffa03c4000
cast6_generic 11371 1 cast6_avx_x86_64, Live 0xffffffffa03be000
cast5_avx_x86_64 40392 0 - Live 0xffffffffa03b1000
cast5_generic 10701 1 cast5_avx_x86_64, Live 0xffffffffa03ab000
cast_common 5583 4
cast6_avx_x86_64,cast6_generic,cast5_avx_x86_64,cast5_generic, Live
0xffffffffa03a6000
deflate 1985 0 - Live 0xffffffffa03a2000
cts 4206 0 - Live 0xffffffffa039d000
ctr 3921 0 - Live 0xffffffffa0399000
gcm 13652 0 - Live 0xffffffffa0391000
ccm 8037 0 - Live 0xffffffffa038c000
serpent_avx_x86_64 42170 0 - Live 0xffffffffa0370000
serpent_sse2_x86_64 45184 0 - Live 0xffffffffa0361000
serpent_generic 21559 2 serpent_avx_x86_64,serpent_sse2_x86_64, Live
0xffffffffa0358000
blowfish_generic 3242 0 - Live 0xffffffffa0354000
blowfish_x86_64 13856 0 - Live 0xffffffffa034d000
blowfish_common 6587 2 blowfish_generic,blowfish_x86_64, Live
0xffffffffa0348000
twofish_generic 5779 0 - Live 0xffffffffa0343000
twofish_avx_x86_64 42285 0 - Live 0xffffffffa0335000
twofish_x86_64_3way 20842 1 twofish_avx_x86_64, Live 0xffffffffa032b000
xts 3242 3 camellia_x86_64,serpent_sse2_x86_64,twofish_x86_64_3way, Live
0xffffffffa0327000
twofish_x86_64 5699 2 twofish_avx_x86_64,twofish_x86_64_3way, Live
0xffffffffa0322000
twofish_common 13425 4
twofish_generic,twofish_avx_x86_64,twofish_x86_64_3way,twofish_x86_64,
Live 0xffffffffa031b000
ecb 2151 0 - Live 0xffffffffa0317000
xcbc 2695 0 - Live 0xffffffffa0313000
cbc 2814 0 - Live 0xffffffffa030f000
sha256_ssse3 17170 0 - Live 0xffffffffa0306000
sha512_ssse3 37358 0 - Live 0xffffffffa02f9000
sha512_generic 5382 1 sha512_ssse3, Live 0xffffffffa02f4000
des_generic 16702 0 - Live 0xffffffffa02ec000
aesni_intel 144578 8 - Live 0xffffffffa02c0000
aes_x86_64 7811 1 aesni_intel, Live 0xffffffffa02bb000
lrw 4062 8
camellia_aesni_avx_x86_64,camellia_x86_64,cast6_avx_x86_64,serpent_avx_x86_64,serpent_sse2_x86_64,twofish_avx_x86_64,twofish_x86_64_3way,aesni_intel,
Live 0xffffffffa02b7000
gf128mul 7839 2 xts,lrw, Live 0xffffffffa02b1000
glue_helper 5502 8
camellia_aesni_avx_x86_64,camellia_x86_64,cast6_avx_x86_64,serpent_avx_x86_64,serpent_sse2_x86_64,twofish_avx_x86_64,twofish_x86_64_3way,aesni_intel,
Live 0xffffffffa02ac000
ablk_helper 2997 7
camellia_aesni_avx_x86_64,cast6_avx_x86_64,cast5_avx_x86_64,serpent_avx_x86_64,serpent_sse2_x86_64,twofish_avx_x86_64,aesni_intel,
Live 0xffffffffa02a8000
cryptd 9863 6 aesni_intel,ablk_helper, Live 0xffffffffa02a1000
tunnel4 2876 1 xfrm4_tunnel, Live 0xffffffffa0276000
rng_core 4483 0 - Live 0xffffffffa023a000
xfrm_algo 7130 7 xfrm_user,ah6,ah4,esp6,esp4,xfrm_ipcomp,af_key, Live
0xffffffffa0227000
ipv6 353059 51
ip6table_mangle,ah6,esp6,xfrm6_mode_beet,xfrm6_mode_tunnel,ipcomp6,xfrm6_tunnel,[permanent],
Live 0xffffffffa01b9000
binfmt_misc 7167 1 - Live 0xffffffffa01b4000
evbug 2125 0 - Live 0xffffffffa01b0000
evdev 11276 0 - Live 0xffffffffa01a9000
i2c_piix4 9435 0 - Live 0xffffffffa01a3000
psmouse 92613 0 - Live 0xffffffffa0183000
button 5503 0 - Live 0xffffffffa0177000
i2c_core 27053 1 i2c_piix4, Live 0xffffffffa016a000
ext4 538232 1 - Live 0xffffffffa0068000
crc16 1691 1 ext4, Live 0xffffffffa0064000
jbd2 106020 1 ext4, Live 0xffffffffa003e000
mbcache 7950 1 ext4, Live 0xffffffffa0038000
dm_mirror 13871 0 - Live 0xffffffffa0030000
dm_region_hash 11254 1 dm_mirror, Live 0xffffffffa0029000
dm_log 9451 2 dm_mirror,dm_region_hash, Live 0xffffffffa0022000
dm_mod 92854 2 dm_mirror,dm_log, Live 0xffffffffa0000000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal: 1020140 kB
MemFree: 791356 kB
MemAvailable: 852756 kB
Buffers: 25424 kB
Cached: 137056 kB
SwapCached: 0 kB
Active: 107488 kB
Inactive: 70808 kB
Active(anon): 15824 kB
Inactive(anon): 52 kB
Active(file): 91664 kB
Inactive(file): 70756 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 16 kB
Writeback: 0 kB
AnonPages: 15852 kB
Mapped: 8848 kB
Shmem: 60 kB
Slab: 31100 kB
SReclaimable: 23208 kB
SUnreclaim: 7892 kB
KernelStack: 776 kB
PageTables: 2556 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 510068 kB
Committed_AS: 71212 kB
VmallocTotal: 34359738367 kB
VmallocUsed: 2448 kB
VmallocChunk: 34359719467 kB
AnonHugePages: 0 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB
DirectMap4k: 8192 kB
DirectMap2M: 1040384 kB
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/3.14.20-20.44.amzn1.x86_64/build/.config
+ echo 'no .config file found, cannot list kernel properties'
no .config file found, cannot list kernel properties
+ _________________________ etc/syslog.conf
+ _________________________ etc/syslog-ng/syslog-ng.conf
+ cat /etc/syslog-ng/syslog-ng.conf
cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
+ cat /etc/syslog.conf
cat: /etc/syslog.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search ec2.internal
nameserver 10.103.0.2
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 4
drwxr-xr-x 7 root root 4096 Oct 8 01:25 3.14.20-20.44.amzn1.x86_64
+ _________________________ fipscheck
+ cat /proc/sys/crypto/fips_enabled
0
+ _________________________ /proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
ffffffff813c7db0 t netif_rx_internal
ffffffff813c8010 T netif_rx
ffffffff813c8220 T netif_rx_ni
ffffffff817d8758 r __tracepoint_ptr_netif_rx_ni_entry
ffffffff817d8760 r __tracepoint_ptr_netif_rx_entry
ffffffff817d8780 r __tracepoint_ptr_netif_rx
ffffffff817da020 r __tpstrtab_netif_rx_ni_entry
ffffffff817da032 r __tpstrtab_netif_rx_entry
ffffffff817da0a5 r __tpstrtab_netif_rx
ffffffff817e9a70 R __ksymtab_netif_rx
ffffffff817e9a80 R __ksymtab_netif_rx_ni
ffffffff817fb6b0 r __kcrctab_netif_rx
ffffffff817fb6b8 r __kcrctab_netif_rx_ni
ffffffff81817d27 r __kstrtab_netif_rx_ni
ffffffff81817d33 r __kstrtab_netif_rx
ffffffff81aa8520 d event_netif_rx_ni_entry
ffffffff81aa85c0 d event_netif_rx_entry
ffffffff81aa8840 d event_netif_rx
ffffffff81abd440 D __tracepoint_netif_rx_ni_entry
ffffffff81abd480 D __tracepoint_netif_rx_entry
ffffffff81abd580 D __tracepoint_netif_rx
ffffffff81bcbf80 t __event_netif_rx_ni_entry
ffffffff81bcbf88 t __event_netif_rx_entry
ffffffff81bcbfa8 t __event_netif_rx
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
3.14.20-20.44.amzn1.x86_64:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ case "$1" in
+ cat
+ egrep -i 'ipsec|klips|pluto'
+ sed -n '1250,$p' /var/log/messages
Oct 19 15:13:09 ip-10-103-7-4 ipsec_setup: Starting Openswan IPsec
U2.6.37/K3.14.20-20.44.amzn1.x86_64...
Oct 19 15:13:09 ip-10-103-7-4 ipsec_setup: Using NETKEY(XFRM) stack
Oct 19 15:13:09 ip-10-103-7-4 ipsec_setup: /usr/libexec/ipsec/addconn
Non-fips mode set in /proc/sys/crypto/fips_enabled
Oct 19 15:13:09 ip-10-103-7-4 ipsec_setup: ...Openswan IPsec started
Oct 19 15:13:09 ip-10-103-7-4 pluto: adjusting ipsec.d to /etc/ipsec.d
Oct 19 15:13:09 ip-10-103-7-4 ipsec__plutorun:
/usr/libexec/ipsec/addconn Non-fips mode set in
/proc/sys/crypto/fips_enabled
Oct 19 15:13:09 ip-10-103-7-4 ipsec__plutorun:
/usr/libexec/ipsec/addconn Non-fips mode set in
/proc/sys/crypto/fips_enabled
Oct 19 15:13:09 ip-10-103-7-4 ipsec__plutorun:
/usr/libexec/ipsec/addconn Non-fips mode set in
/proc/sys/crypto/fips_enabled
Oct 19 15:13:09 ip-10-103-7-4 ipsec__plutorun: 002 added connection
description "mike-home-net"
Oct 19 15:13:09 ip-10-103-7-4 ipsec__plutorun: 104 "mike-home-net" #1:
STATE_MAIN_I1: initiate
+ _________________________ plog
+ case "$1" in
+ cat
+ egrep -i pluto
+ sed -n '219,$p' /var/log/secure
Oct 19 15:13:09 ip-10-103-7-4 ipsec__plutorun: Starting Pluto
subsystem...
+ _________________________ date
+ date
Sun Oct 19 15:17:02 UTC 2014
[root at hostB ipsec.d]#
[root at hostB ipsec.d]#
[root at hostB ipsec.d]# iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[root at hostB ipsec.d]#
[root at hostB ipsec.d]#
[root at hostB ipsec.d]# iptables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root at hostB ipsec.d]#