On Fri, 2002-07-12 at 16:43, Chad Carr wrote:
> On 12 Jul 2002 12:48:01 +0200
> "Ronny Aasen" <[EMAIL PROTECTED]> wrote:
> 
> > Hello
> > 
> > I have a testing setup with ipsec between 3 linux bering firewalls and
> > a zywall 10 router, all on static ip address. I also have roadwarrior
> > support from dhcp clients on isdn/modem line using windows 98/ssh
> > sentinel and windows 2000/xp (with the aid of vpn.ebootis.de).
> > 
> > My problem arises when I try to set up a lan-lan tunnel between my master
> > vpn bering firewall and an adsl gateway:
> > 
> > {worklan}----[Bering1 static 194.248.214.187]----{NET}----[Bering2 adsl
> > dynamic 880.212.112.*]----{homelan}
> > 
> > I realise I can't get ipsec on startup since the adsl ppp0 isn't up yet,
> > but running ipsec setup I expected the tunnel to come up:
> > 
> > ipsec_setup: Stopping FreeS/WAN IPsec...
> > ipsec_setup: stop ordered, but IPsec does not appear to be running!
> > ipsec_setup: doing cleanup anyway...
> > ipsec_setup: Starting FreeS/WAN IPsec 1.97...
> > ipsec_setup: Using /lib/modules/ipsec.o
> > ipsec_setup: unable to determine address of `ppp0'
> 
> Is the above output the result of "/etc/init.d/ipsec restart"?
> 
> Can you post the output of ipsec barf?
Mon Jul 15 10:17:34 UTC 2002
+ _________________________ version
+ 
+ ipsec --version
Linux FreeS/WAN 1.97
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ 
+ cat /proc/version
Linux version 2.4.18 (root@debian) (gcc version 2.95.2 20000220 (Debian GNU/Linux)) #4 Sun Jun 9 09:46:15 CEST 2002
+ _________________________ proc/net/ipsec_eroute
+ 
+ sort +3 /proc/net/ipsec_eroute
sort: +3: No such file or directory
+ cat /proc/net/ipsec_eroute
+ _________________________ proc/net/ipsec_spi
+ 
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ 
+ cat /proc/net/ipsec_spigrp
+ _________________________ ip/route
+ 
+ ip route
80.212.112.0 dev ppp0  proto kernel  scope link  src 80.212.112.52
192.168.20.0/24 dev eth1  proto kernel  scope link  src 192.168.20.254
default via 80.212.112.0 dev ppp0
+ _________________________ proc/net/ipsec_tncfg
+ 
+ cat /proc/net/ipsec_tncfg
ipsec0 -> NULL mtu=0(0) -> 0
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ 
+ cat /proc/net/pf_key
    sock   pid   socket     next     prev e n p sndbf     Flags     Type St
c1820b40 32315 c1152d50        0        0 0 0 2 65535  00000000         3  1
+ _________________________ proc/net/pf_key-star
+ 
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid       sk
pf_key_registered:     2 c1152d50 32315 c1820b40
pf_key_registered:     3 c1152d50 32315 c1820b40
pf_key_registered:     9 c1152d50 32315 c1820b40
pf_key_registered:    10 c1152d50 32315 c1820b40
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported:     2      14      3     0     160     160
pf_key_supported:     2      14      2     0     128     128
pf_key_supported:     3      15      3   128     168     168
pf_key_supported:     3      14      3     0     160     160
pf_key_supported:     3      14      2     0     128     128
pf_key_supported:     9      15      4     0     128     128
pf_key_supported:     9      15      3     0      32     128
pf_key_supported:     9      15      2     0     128      32
pf_key_supported:     9      15      1     0      32      32
pf_key_supported:    10      15      2     0       1       1
+ _________________________ proc/sys/net/ipsec-star
+ 
+ cd /proc/sys/net/ipsec
+ egrep ^ icmp inbound_policy_check tos
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ 
+ ipsec auto --status
000 
000 "rw-to-li1": 192.168.1.0/24===194.248.214.187---194.248.214.1...%any
000 "rw-to-li1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "rw-to-li1":   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ; unrouted
000 "rw-to-li1":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 
+ _________________________ ip/address
+ 
+ ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:0a:1c brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:7c:02:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.254/24 brd 192.168.20.255 scope global eth1
5: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
6: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
7: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
8: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
9: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp 
    inet 80.212.112.52 peer 80.212.112.0/32 scope global ppp0
+ _________________________ ipsec/directory
+ 
+ ipsec --directory
/lib/ipsec
+ _________________________ hostname/fqdn
+ 
+ hostname -f
hostname: frodeadsl: Unknown host
+ _________________________ hostname/ipaddress
+ 
+ hostname -i
hostname: frodeadsl: Unknown host
+ _________________________ uptime
+ 
+ uptime
 10:17am  up   1:35,  load average: 0.00, 0.01, 0.00
+ _________________________ ps
+ 
+ ps alxwf
+ egrep -i ppid|pluto|ipsec|klips
22324 root      832 S   /bin/sh /lib/ipsec/_plutorun --debug none --uniqueid
 4437 root      948 S   logger -p daemon.error -t ipsec__plutorun
32600 root      832 S   /bin/sh /lib/ipsec/_plutorun --debug none --uniqueid
17648 root      832 S   /bin/sh /lib/ipsec/_plutoload --load %search --start
24603 root      832 S   /bin/sh /lib/ipsec/_plutorun --debug none --uniqueid
32315 root     1192 S   /lib/ipsec/pluto --nofork --debug-none --uniqueids
 2747 root      788 S   _pluto_adns 7 10
  511 root      832 S   /bin/sh /sbin/ipsec barf
16461 root      844 S   /bin/sh /lib/ipsec/barf
10817 root      844 R   /bin/sh /lib/ipsec/barf
+ _________________________ ipsec/showdefaults
+ 
+ ipsec showdefaults
ipsec showdefaults: cannot find defaults file `/var/run/ipsec.info'
+ _________________________ ipsec/conf
+ 
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces="ipsec0=ppp0"
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=secret
    #leftrsasigkey=%dns
    #rightrsasigkey=%dns

# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
#conn me-to-dpart
#    left=%defaultroute
#    right=%opportunistic
#    # uncomment to enable incoming; change to auto=route for outgoing
#    #auto=add

# sample VPN connection
conn rw-to-li1
    # Left security gateway, subnet behind it, next hop toward right.
    left=%any
    # Right security gateway, subnet behind it, next hop toward left.
    right=194.248.214.187
    rightsubnet=192.168.1.0/24
    rightnexthop=194.248.214.1
    # To authorize this connection, but not actually start it, at startup,
    # uncomment this.
    auto=start
+ _________________________ ipsec/secrets
+ 
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
md5sum: not found
# with "[sums to #...]".
md5sum: not found
#
# -- Create your own RSA key with "[sums to #...]"
#    }
md5sum: not found
# do not change the indenting of that "[sums to #...]"
md5sum: not found
%any 194.248.214.187 : PSK "[sums to %any...]"
+ _________________________ ipsec/ls-dir
+ 
+ ls -l /lib/ipsec
-rwxr-xr-x    1 501      501         11085 Apr 21 16:59 _confread
-rwxr-xr-x    1 501      501          4132 Apr 21 17:00 _copyright
-rwxr-xr-x    1 501      501          2163 Apr 21 16:59 _include
-rwxr-xr-x    1 501      501          1472 Apr 21 16:59 _keycensor
-rwxr-xr-x    1 501      501          9356 Apr 21 17:00 _pluto_adns
-rwxr-xr-x    1 501      501          3495 Apr 21 16:59 _plutoload
-rwxr-xr-x    1 501      501          4265 Apr 21 16:59 _plutorun
-rwxr-xr-x    1 501      501          7435 Apr 21 20:45 _realsetup
-rwxr-xr-x    1 501      501          1971 Apr 21 16:59 _secretcensor
-rwxr-xr-x    1 501      501          7636 Apr 21 20:45 _startklips
-rwxr-xr-x    1 501      501          7575 Apr 21 20:45 _updown
-rwxr-xr-x    1 501      501         10912 Apr 21 16:59 auto
-rwxr-xr-x    1 501      501          7107 Apr 23 17:24 barf
-rwxr-xr-x    1 501      501         59360 Apr 21 17:00 eroute
-rwxr-xr-x    1 501      501         18020 Apr 21 17:00 ikeping
-rwxr-xr-x    1 501      501          2905 Apr 21 16:59 ipsec
-rw-r--r--    1 501      501          1950 Apr 21 16:59 ipsec_pr.template
-rwxr-xr-x    1 501      501         41308 Apr 21 17:00 klipsdebug
-rwxr-xr-x    1 501      501          2649 Apr 22 09:34 look
-rwxr-xr-x    1 501      501         16157 Apr 21 16:59 manual
-rwxr-xr-x    1 501      501          1847 Apr 21 16:59 newhostkey
-rwxr-xr-x    1 501      501         34556 Apr 21 17:00 pf_key
-rwxr-xr-x    1 501      501        310652 Apr 21 17:00 pluto
-rwxr-xr-x    1 501      501          6484 Apr 21 17:00 ranbits
-rwxr-xr-x    1 501      501         64220 Apr 21 17:00 rsasigkey
-rwxr-xr-x    1 501      501         16641 Apr 21 16:59 send-pr
lrwxrwxrwx    1 root     root           17 Jul 15 08:42 setup -> /etc/init.d/ipsec
-rwxr-xr-x    1 501      501          1041 Apr 21 16:59 showdefaults
-rwxr-xr-x    1 501      501          3484 Apr 21 16:59 showhostkey
-rwxr-xr-x    1 501      501         68812 Apr 21 17:00 spi
-rwxr-xr-x    1 501      501         51208 Apr 21 17:00 spigrp
-rwxr-xr-x    1 501      501          9544 Apr 21 17:00 tncfg
-rwxr-xr-x    1 501      501         32000 Apr 21 17:00 whack
+ _________________________ ipsec/updowns
+ 
+ ls /lib/ipsec
+ egrep updown
+ cat /lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001  D. Hugh Redelmeier, Henry Spencer
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $

# CAUTION:  Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0])	# Older Pluto?!?  Play it safe, script may be using new features.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: 	called by obsolete Pluto?" >&2
	exit 2
	;;
1.*)	;;
*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac

# check parameter(s)
case "$1:$*" in
':')			# no parameters
	;;
ipfwadm:ipfwadm)	# due to (left/right)firewall; for default script only
	;;
custom:*)		# custom parameters (see above CAUTION comment)
	;;
*)	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
	doroute add
}
downroute() {
	doroute del
}

# <CTC> convert to iproute2 - add mask2bits function
#-------------------------------------------------------------------------
# mask2bits function, returns the number of bits in the netmask parameter.
# borrowed from http://www.stearns.org/samlib/samlib-0.1/samlib
#-------------------------------------------------------------------------
#No external apps needed.
mask2bits () {
	case $1 in
	255.255.255.255) echo 32 ;;
	255.255.255.254) echo 31 ;;
	255.255.255.252) echo 30 ;;
	255.255.255.248) echo 29 ;;
	255.255.255.240) echo 28 ;;
	255.255.255.224) echo 27 ;;
	255.255.255.192) echo 26 ;;
	255.255.255.128) echo 25 ;;
	255.255.255.0) echo 24 ;;
	255.255.254.0) echo 23 ;;
	255.255.252.0) echo 22 ;;
	255.255.248.0) echo 21 ;;
	255.255.240.0) echo 20 ;;
	255.255.224.0) echo 19 ;;
	255.255.192.0) echo 18 ;;
	255.255.128.0) echo 17 ;;
	255.255.0.0) echo 16 ;;
	255.254.0.0) echo 15 ;;
	255.252.0.0) echo 14 ;;
	255.248.0.0) echo 13 ;;
	255.240.0.0) echo 12 ;;
	255.224.0.0) echo 11 ;;
	255.192.0.0) echo 10 ;;
	255.128.0.0) echo 9 ;;
	255.0.0.0) echo 8 ;;
	254.0.0.0) echo 7 ;;
	252.0.0.0) echo 6 ;;
	248.0.0.0) echo 5 ;;
	240.0.0.0) echo 4 ;;
	224.0.0.0) echo 3 ;;
	192.0.0.0) echo 2 ;;
	128.0.0.0) echo 1 ;;
	0.0.0.0) echo 0 ;;
	*) echo 32 ;;
	esac
}
#End of mask2bits

doroute() {
#	parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
#	parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
	PLUTO_PEER_CLIENT_BITS=`mask2bits $PLUTO_PEER_CLIENT_MASK`
	parms="$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_BITS"
	parms2="dev $PLUTO_INTERFACE via $PLUTO_NEXT_HOP"
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# horrible kludge for obscure routing bug with opportunistic
#		it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
#			route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
		it="ip route $1 0.0.0.0/1 $parms2 &&"
		it="$it ip route $1 128.0.0.0/1 $parms2"
		;;
#	*)	it="route $1 $parms $parms2"
	*)	it="ip route $1 $parms $parms2"
		;;
	esac
	eval $it
	st=$?
	if test $st -ne 0
	then
		# route has already given its own cryptic message
		echo "$0: \`$it' failed" >&2
		if test " $1 $st" = " add 7"
		then
			# another totally undocumented interface -- 7 and
			# "SIOCADDRT: Network is unreachable" means that
			# the gateway isn't reachable.
			echo "$0: (incorrect or missing nexthop setting??)" >&2
		fi
	fi
	return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
	# delete possibly-existing route (preliminary to adding a route)
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# horrible kludge for obscure routing bug with opportunistic
#		it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
#			route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
		it="ip route del 0.0.0.0/1 2>&1 ; ip route del 128.0.0.0/1 2>&1"
		;;
	*)
#		it="route del -net $PLUTO_PEER_CLIENT_NET \
#			netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
		PLUTO_PEER_CLIENT_BITS=`mask2bits $PLUTO_PEER_CLIENT_MASK`
		parms="$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_BITS"
		it="ip route del $parms 2>&1"
		;;
	esac
	oops="`eval $it`"
	status="$?"
	if test " $oops" = " " -a " $status" != " 0"
	then
		oops="silent error, exit status $status"
	fi
	case "$oops" in
# <CTC> iproute2 gives a _different_ incomprehensible answer
#	'SIOCDELRT: No such process'*)
	'RTNETLINK answers: No such process'*)
# </CTC>
		# This is what route (currently -- not documented!) gives
		# for "could not find such a route".
		oops=
		status=0
		;;
	esac
	if test " $oops" != " " -o " $status" != " 0"
	then
		echo "$0: \`$it' failed ($oops)" >&2
	fi
	exit $status
	;;
route-host:*|route-client:*)
	# connection to me or my client subnet being routed
	uproute
	;;
unroute-host:*|unroute-client:*)
	# connection to me or my client subnet being unrouted
	downroute
	;;
up-host:*)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host:*)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
# <CTC> replace with iptables commands
#	ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
#		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
	iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
# </CTC>
	;;
down-client:ipfwadm)
	# connection to client subnet, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
# <CTC> replace with iptables commands
#	ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
#		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
	iptables -D FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
	iptables -D FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
		-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
# </CTC>
	;;
*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac
+ _________________________ proc/net/dev
+ 
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1308       9    0    0    0     0          0         0     1308       9    0    0    0     0       0          0
dummy0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0: 5565174    8486    0    0    0     0          0         0  1261133    6168    0    0    0     3       0          0
  eth1:  469477    3974    0    0    0     0          0         0  5150590    4880    0    0    0     0       0          0
ipsec0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  ppp0: 5367340    8193    0    0    0     0          0         0  1114257    5876    0    0    0     0       0          0
+ _________________________ proc/net/route
+ 
+ cat /proc/net/route
Iface	Destination	Gateway 	Flags	RefCnt	Use	Metric	Mask		MTU	Window	IRTT
ppp0	0070D450	00000000	0005	0	0	0	FFFFFFFF	40	0	0
eth1	0014A8C0	00000000	0001	0	0	0	00FFFFFF	40	0	0
ppp0	00000000	0070D450	0003	0	0	0	00000000	40	0	0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ 
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ 
+ cd /proc/sys/net/ipv4/conf
+ egrep ^ all/rp_filter default/rp_filter eth1/rp_filter lo/rp_filter ppp0/rp_filter
all/rp_filter:0
default/rp_filter:0
eth1/rp_filter:0
lo/rp_filter:0
ppp0/rp_filter:0
+ _________________________ uname-a
+ 
+ uname -a
Linux frodeadsl 2.4.18 #4 Sun Jun 9 09:46:15 CEST 2002 i586 unknown
+ _________________________ redhat-release
+ 
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+ 
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.97
+ _________________________ iptables/list
+ 
+ iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  lo     *       0.0.0.0/0            0.0.0.0/0
  952 86132 ppp0_in    ah   --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    9  1163 eth1_in    ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ipsec0_in  ah   --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 9 packets, 3320 bytes)
 pkts bytes target     prot opt in     out     source               destination
  107  5124 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 1876 2166K ppp0_fwd   ah   --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 1221  103K eth1_fwd   ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ipsec0_fwd ah   --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0          udp dpts:67:68
  658  218K fw2net     ah   --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    ah   --  *      ipsec0  0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    9  1163 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   16 18064 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x10/0x10
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x04/0x04
    9  1163 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:1900
    0     0 DROP       ah   --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       ah   --  *      *       0.0.0.0/0            224.0.0.0/4
    2   120 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:53 state NEW
    0     0 DROP       ah   --  *      *       0.0.0.0/0            192.168.20.255

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1221  103K loc2net    ah   --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 loc2gw     ah   --  *      ipsec0  0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8
    9  1163 loc2fw     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
  655  218K ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            194.248.214.187    state NEW
    0     0 ACCEPT     51   --  *      *       0.0.0.0/0            194.248.214.187    state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            194.248.214.187    udp spt:500 dpt:500 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:53
    2   119 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:53
    1    60 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain gw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 12

Chain ipsec0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 all2all    ah   --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 gw2loc     ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain ipsec0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8
    0     0 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:53
    9  1163 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2gw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1138 97793 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
   83  5316 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
    0     0 DROP       ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
 1876 2166K ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
   18 18184 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
    0     0 DROP       ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  934 67948 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     esp  --  *      *       194.248.214.187      0.0.0.0/0          state NEW
    0     0 ACCEPT     51   --  *      *       194.248.214.187      0.0.0.0/0          state NEW
    0     0 ACCEPT     udp  --  *      *       194.248.214.187      0.0.0.0/0          udp spt:500 dpt:500 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
   18 18184 net2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1876 2166K rfc1918    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
 1876 2166K net2all    ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 net2all    ah   --  *      ipsec0  0.0.0.0/0            0.0.0.0/0

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  952 86132 rfc1918    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:67:68
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8
  952 86132 net2fw     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (6 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
    0     0 REJECT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable

Chain rfc1918 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     ah   --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       ah   --  *      *       169.254.0.0/16       0.0.0.0/0
    0     0 logdrop    ah   --  *      *       0.0.0.0/8            0.0.0.0/0
    0     0 logdrop    ah   --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 logdrop    ah   --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 logdrop    ah   --  *      *       192.0.2.0/24         0.0.0.0/0
    0     0 logdrop    ah   --  *      *       192.168.0.0/16       0.0.0.0/0
    0     0 logdrop    ah   --  *      *       172.16.0.0/12        0.0.0.0/0
    0     0 logdrop    ah   --  *      *       240.0.0.0/4          0.0.0.0/0

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ ipchains/list
+ 
+ ipchains -L -v -n
ipchains: not found
+ _________________________ ipfwadm/forward
+ 
+ ipfwadm -F -l -n -e
ipfwadm: not found
+ _________________________ ipfwadm/input
+ 
+ ipfwadm -I -l -n -e
ipfwadm: not found
+ _________________________ ipfwadm/output
+ 
+ ipfwadm -O -l -n -e
ipfwadm: not found
+ _________________________ iptables/nat
+ 
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 464 packets, 56053 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 24 packets, 1120 bytes)
 pkts bytes target     prot opt in     out     source               destination
   58  3132 MASQUERADE ah   --  *      ppp0    192.168.20.0/24      0.0.0.0/0

Chain OUTPUT (policy ACCEPT 16 packets, 1784 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ ipchains/masq
+ 
+ ipchains -M -L -v -n
ipchains: not found
+ _________________________ ipfwadm/masq
+ 
+ ipfwadm -M -l -n -e
ipfwadm: not found
+ _________________________ iptables/mangle
+ 
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 12084 packets, 5764K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2857 2254K rfc1918    ah   --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 4065 2357K pretos     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 3522 packets, 313K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 8557 packets, 5450K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2193 packets, 746K bytes)
 pkts bytes target     prot opt in     out     source               destination
  660  219K outtos     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 10732 packets, 6192K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain logdrop (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
    0     0 DROP       ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
  626  217K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
  922 66376 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08

Chain rfc1918 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     ah   --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       ah   --  *      *       0.0.0.0/0            169.254.0.0/16
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            0.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            127.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            192.0.2.0/24
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            240.0.0.0/4
+ _________________________ proc/modules
+ 
+ cat /proc/modules
ipsec                 133360   1
ip_nat_irc              2384   0 (unused)
ip_nat_ftp              2960   0 (unused)
ip_conntrack_irc        3056   1
ip_conntrack_ftp        3824   1
pppoe                   6636   1
pppox                    912   1 [pppoe]
ppp_synctty             4376   0 (unused)
ppp_generic            14920   3 [pppoe pppox ppp_synctty]
n_hdlc                  5760   0 (unused)
slhc                    4264   0 [ppp_generic]
3c59x                  24696   2
ide-probe-mod           7496   0
ide-disk                6544   0
ide-mod                50888   0 [ide-probe-mod ide-disk]
+ _________________________ proc/meminfo
+ 
+ cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  31318016 12189696 19128320        0    49152  6774784
Swap:        0        0        0
MemTotal:        30584 kB
MemFree:         18680 kB
MemShared:           0 kB
Buffers:            48 kB
Cached:           6616 kB
SwapCached:          0 kB
Active:              0 kB
Inactive:         8620 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        30584 kB
LowFree:         18680 kB
SwapTotal:           0 kB
SwapFree:            0 kB
+ _________________________ dev/ipsec-ls
+ 
+ ls -l /dev/ipsec*
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ 
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r--    1 root     wheel           0 Jul 15 10:17 /proc/net/ipsec_eroute
-r--r--r--    1 root     wheel           0 Jul 15 10:17 /proc/net/ipsec_spi
-r--r--r--    1 root     wheel           0 Jul 15 10:17 /proc/net/ipsec_spigrp
-r--r--r--    1 root     wheel           0 Jul 15 10:17 /proc/net/ipsec_tncfg
-r--r--r--    1 root     wheel           0 Jul 15 10:17 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ 
+ test -f /usr/src/linux/.config
+ _________________________ etc/syslog.conf
+ 
+ cat /etc/syslog.conf
#  /etc/syslog.conf	Configuration file for syslogd.
#
#			For more information see syslog.conf(5)
#			manpage.
#
# Log everything remotely.  The other machine must run syslog with '-r'.
# WARNING:  Doing this is unsecure and can open you up to a DoS attack.
#
#*.*		@host.ip.address-or-name.here
*.*		/dev/tty9
#
# First some standard logfiles.  Log by facility.
#
auth,authpriv.*			/var/log/auth.log
auth,authpriv.*			/dev/tty8
*.*;auth,authpriv.none		-/var/log/syslog
daemon.*			-/var/log/daemon.log
kern.*				-/var/log/kern.log
#cron.*				/var/log/cron.log
#lpr.*				-/var/log/lpr.log
#mail.*				/var/log/mail.log
#user.*				-/var/log/user.log
#uucp.*				-/var/log/uucp.log
#
# Some `catch-all' logfiles.
#
*.=debug;\
	auth,authpriv.none;\
	news.none;mail.none	-/var/log/debug
*.=info;*.=notice;*.=warn;\
	auth,authpriv.none;\
	cron,daemon.none;\
	mail,news.none		-/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg				*
#ppp
local2.*			-/var/log/ppp.log
#portslave
local6.*			-/var/log/pslave.log
+ _________________________ lib/modules-ls
+ 
+ ls -ltr /lib/modules
-rw-r--r--    1 root     root        39428 Jun  9 09:02 ppp_deflate.o
-rw-r--r--    1 root     root         9968 Jun  9 09:02 ppp_async.o
-rw-r--r--    1 root     root        26320 Jun  9 09:02 eepro100.o
-rw-r--r--    1 root     root         8880 Jun  9 09:02 8390.o
-rw-r--r--    1 root     root        36120 Jun  9 09:02 3c59x.o
-rw-r--r--    1 root     root         6744 Jun  9 09:02 slhc.o
-rw-r--r--    1 root     root         3616 Jun  9 09:02 pppox.o
-rw-r--r--    1 root     root        11648 Jun  9 09:02 pppoe.o
-rw-r--r--    1 root     root         7920 Jun  9 09:02 ppp_synctty.o
-rw-r--r--    1 root     root        22536 Jun  9 09:02 ppp_mppe.o
-rw-r--r--    1 root     root        23736 Jun  9 09:02 ppp_generic.o
-rw-r--r--    1 root     root         8528 Jun  9 09:02 ne2k-pci.o
-rw-r--r--    1 root     root         8144 Jun  9 09:02 ne.o
-rw-r--r--    1 root     root         9816 Jun  9 09:02 n_hdlc.o
-rw-r--r--    1 root     root         4200 Jun  9 09:03 ip_nat_irc.o
-rw-r--r--    1 root     root         4748 Jun  9 09:03 ip_nat_ftp.o
-rw-r--r--    1 root     root         5720 Jun  9 09:03 ip_conntrack_irc.o
-rw-r--r--    1 root     root         5928 Jun  9 09:03 ip_conntrack_ftp.o
-rwxr-xr-x    1 root     root       164982 Jul 11 11:25 ipsec.o
lrwxrwxrwx    1 root     root           12 Jul 15 08:42 2.4.18 -> /lib/modules
+ _________________________ proc/ksyms-netif_rx
+ 
+ egrep netif_rx /proc/ksyms
c0188160 netif_rx
+ _________________________ lib/modules-netif_rx
+ 
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.18:
+ _________________________ kern.debug
+ 
+ test -f /var/log/kern.debug
+ _________________________ klog
+ 
+ sed -n 97,$p /var/log/syslog
+ egrep -i ipsec|klips|pluto
+ cat
Jul 15 08:42:35 frodeadsl ipsec_setup: Starting FreeS/WAN IPsec 1.97...
Jul 15 08:42:36 frodeadsl ipsec_setup: unable to determine address of `ppp0'
Jul 15 08:42:36 frodeadsl ipsec_setup: ...FreeS/WAN IPsec started
Jul 15 08:42:37 frodeadsl ipsec__plutorun: 003 no public interfaces found
Jul 15 08:42:37 frodeadsl ipsec__plutorun: 022 "rw-to-li1": we have no ipsecN interface for either end of this connection
Jul 15 08:42:37 frodeadsl ipsec__plutorun: ...could not route conn "rw-to-li1"
Jul 15 08:42:37 frodeadsl ipsec__plutorun: 022 "rw-to-li1": we have no ipsecN interface for either end of this connection
Jul 15 08:42:37 frodeadsl ipsec__plutorun: ...could not start conn "rw-to-li1"
+ _________________________ plog
+ 
+ sed -n 1,$p /var/log/auth.log
+ egrep -i pluto
+ cat
Jul 15 08:42:36 frodeadsl ipsec__plutorun: Starting Pluto subsystem...
Jul 15 08:42:36 frodeadsl Pluto[32315]: Starting Pluto (FreeS/WAN Version 1.97)
Jul 15 08:42:37 frodeadsl Pluto[32315]: added connection description "rw-to-li1"
Jul 15 08:42:37 frodeadsl Pluto[32315]: listening for IKE messages
Jul 15 08:42:37 frodeadsl Pluto[32315]: no public interfaces found
Jul 15 08:42:37 frodeadsl Pluto[32315]: loading secrets from "/etc/ipsec.secrets"
Jul 15 08:42:37 frodeadsl Pluto[32315]: "rw-to-li1": we have no ipsecN interface for either end of this connection
+ _________________________ date
+ 
+ date
Mon Jul 15 10:17:35 UTC 2002

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
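The mask2bits lookup table in the posted _updown script maps any netmask it does not recognise to 32, so a malformed or non-contiguous PLUTO_PEER_CLIENT_MASK would silently turn the peer-subnet route into a host route instead of failing. The following is an added example, not part of the posted script or of FreeS/WAN: a POSIX sh replacement that computes the prefix length arithmetically for any contiguous mask and rejects everything else, plus a hypothetical helper (client_prefix) showing how doroute's "net/bits" argument could be built so that a bad mask aborts the route change.

```shell
#!/bin/sh
# Added example (not from the _updown script above). Computes the prefix
# length of a dotted-quad netmask for any contiguous mask and rejects
# masks that are malformed or non-contiguous, instead of defaulting to 32.
# On success prints the bit count and returns 0; on failure prints nothing
# and returns 1.
mask2bits() {
    # Split the mask into octets on '.'; require exactly four fields.
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    bits=0
    seen_zero=0
    for octet in "$@"; do
        # Reject empty, non-numeric or leading-zero fields (leading zeros
        # would be read as octal by $((...)) in some shells).
        case $octet in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
        # Walk the octet's bits from the most significant downwards. Once a
        # zero bit has been seen, any later one bit means the mask is not a
        # contiguous run of ones (e.g. 255.0.255.0) and is rejected.
        n=$octet
        i=0
        while [ $i -lt 8 ]; do
            if [ $((n & 128)) -ne 0 ]; then
                [ $seen_zero -eq 0 ] || return 1
                bits=$((bits + 1))
            else
                seen_zero=1
            fi
            n=$(( (n << 1) & 255 ))
            i=$((i + 1))
        done
    done
    echo "$bits"
}

# Hypothetical helper: build the "net/bits" argument that doroute hands to
# "ip route", failing loudly rather than falling back to a /32 host route.
# Usage: client_prefix NET MASK
client_prefix() {
    bits=$(mask2bits "$2") || {
        echo "$0: bad netmask \`$2' for $1" >&2
        return 1
    }
    echo "$1/$bits"
}

# Constructed sample masks for a stand-alone run; the last two are invalid.
for m in 255.255.255.0 255.255.254.0 128.0.0.0 0.0.0.0 255.0.255.0 255.255.255; do
    if b=$(mask2bits "$m"); then
        echo "$m -> /$b"
    else
        echo "$m -> rejected"
    fi
done
```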