Hello Charles/Everyone,

> 1) Why are you loading the ipsec x.509 version of FreeS/WAN when you're
> not trying to use certificates?

Out of frustration I wish to try out everything and mistakenly backed up
ipsec.lrp along with the x.509 binaries.
I'm now using the plain ipsec.lrp and tried using both PSK then RSA keying
but the problem still lurks.
Here are the barfs from the two IPSEC machines. I deeply apologize for
this post.
But I'm really stumped now. :o(

===========================
SR3K-VPN1
Tue Jul 30 12:24:07 UTC 2002
+ _________________________
+
+ ipsec --version
Linux FreeS/WAN 1.91
See `ipsec --copyright' for copyright information.
+ _________________________
+
+ cat /proc/version
Linux version 2.2.19-3-DIGIPH (root@zxivlin) (gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)) #2 Tue Sep 24 11:43:46 PHT 2002
+ _________________________
+
+ cat /proc/net/ipsec_eroute
0          192.168.4.0/24     -> 192.168.5.0/24     => %trap
+ _________________________
+
+ cat /proc/net/ipsec_spi
+ _________________________
+
+ cat /proc/net/ipsec_spigrp
+ _________________________
+
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.5.0     192.168.2.200   255.255.255.0   UG        0 0          0 ipsec0
192.168.4.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
0.0.0.0         192.168.2.200   0.0.0.0         UG        0 0          0 eth0
+ _________________________
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________
+
+ cat /proc/net/pf_key
    sock   pid   socket     next     prev e n p sndbf    Flags     Type St
c4f33640  1569 c4f13610        0        0 0 0 2 32767 00000000        3  1
+ _________________________
+
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid       sk
pf_key_registered:     2 c4f13610  1569 c4f33640
pf_key_registered:     3 c4f13610  1569 c4f33640
pf_key_registered:     9 c4f13610  1569 c4f33640
pf_key_registered:    10 c4f13610  1569 c4f33640
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported:     2      14      3     0     160     160
pf_key_supported:     2      14      2     0     128     128
pf_key_supported:     3      15      3   128     168     168
pf_key_supported:     3      14      3     0     160     160
pf_key_supported:     3      14      2     0     128     128
pf_key_supported:     9      15      4     0     128     128
pf_key_supported:     9      15      3     0      32     128
pf_key_supported:     9      15      2     0     128      32
pf_key_supported:     9      15      1     0      32      32
pf_key_supported:    10      15      2     0       1       1
+ _________________________
+
+ cd /proc/sys/net/ipsec
+ egrep ^ debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:0
inbound_policy_check:1
tos:1
+ _________________________
+
+ ipsec auto --status
000 interface ipsec0/eth0 192.168.2.1
000
000 "VPN1-VPN2": 192.168.4.0/24===192.168.2.1---192.168.2.200...
000 "VPN1-VPN2": ...192.168.3.200---192.168.3.1===192.168.5.0/24
000 "VPN1-VPN2":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 0
000 "VPN1-VPN2":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; trap erouted
000 "VPN1-VPN2":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #1: "VPN1-VPN2" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 37s
+ _________________________
+
+ ifconfig -a
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:11483 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11483 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec0    Link encap:Ethernet  HWaddr 00:04:A7:01:02:48
          inet addr:192.168.2.1  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec1    Link encap:IPIP Tunnel  HWaddr
          unspec addr:[NONE SET]  Mask:[NONE SET]
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec2    Link encap:IPIP Tunnel  HWaddr
          unspec addr:[NONE SET]  Mask:[NONE SET]
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec3    Link encap:IPIP Tunnel  HWaddr
          unspec addr:[NONE SET]  Mask:[NONE SET]
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

brg0      Link encap:Ethernet  HWaddr FE:FD:06:00:83:E9
          unspec addr:[NONE SET]  Bcast:[NONE SET]  Mask:[NONE SET]
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

eth0      Link encap:Ethernet  HWaddr 00:04:A7:01:02:48
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
          Interrupt:11 Base address:0xdc00

eth1      Link encap:Ethernet  HWaddr 00:04:A7:01:02:47
          inet addr:192.168.4.200  Bcast:192.168.4.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
          Interrupt:10 Base address:0xd800

+ _________________________
+
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________
+
+ hostname --fqdn
SR3K-VPN1
+ _________________________
+
+ hostname --ip-address
192.168.2.1
+ _________________________
+
+ uptime
 12:24:08 up 0 Days (0h), load average: 0.23 0.27 0.14
+ _________________________
+
+ ipsec showdefaults
routephys=eth0
routephys=eth0
routevirt=ipsec0
routevirt=ipsec0
routeaddr=192.168.2.1
routeaddr=192.168.2.1
routenexthop=192.168.2.200
routenexthop=192.168.2.200
defaultroutephys=eth0
defaultroutevirt=ipsec0
defaultrouteaddr=192.168.2.1
defaultroutenexthop=192.168.2.200
+ _________________________
+
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# basic configuration
config setup
 interfaces=%defaultroute
 klipsdebug=none
 plutodebug=none
 plutoload=%search
 plutostart=%search
 plutowait=no
 uniqueids=yes

conn VPN1-VPN2
 auto=start
        type=tunnel
 left=192.168.2.1
 leftsubnet=192.168.4.0/24
 leftnexthop=192.168.2.200
 right=192.168.3.1
 authby=rsasig
 #authby=secret
 leftid=192.168.2.1
 rightid=192.168.3.1
 rightsubnet=192.168.5.0/24
 rightnexthop=192.168.3.200
 leftrsasigkey=[sums to 364c...]
 rightrsasigkey=[sums to 1636...]
 keyexchange=ike
 keylife=8h
 keyingtries=0
 pfs=yes
 rekeymargin=9m
 rekeyfuzz=25%
+ _________________________
+
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# 192.168.2.1 192.168.3.1: PSK "[sums to ff6c...]"
# 192.168.2.1 192.168.3.1: PSK "[sums to 3ef7...]"
# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".

: RSA  {
 # RSA 1024 bits   SR3K-VPN1   Mon Sep  9 10:26:23 2002
 # for signatures only, UNSAFE FOR ENCRYPTION
 #pubkey=[sums to 5154...]
 #IN KEY 0x4200 4 1 [sums to 2854...]
 # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
 Modulus: [...]
 PublicExponent: [...]
 # everything after this point is secret
 PrivateExponent: [...]
 Prime1: [...]
 Prime2: [...]
 Exponent1: [...]
 Exponent2: [...]
 Coefficient: [...]
 }
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________
+
+ ls -l /usr/local/lib/ipsec
-rwxr-xr-x    1 root     staff       10884 Jul 19  2001 _confread
-rwxr-xr-x    1 root     staff        2163 Jul 19  2001 _include
-rwxr-xr-x    1 root     staff        1383 Jul 19  2001 _keycensor
-rwxr-xr-x    1 root     staff        3271 Jul 19  2001 _plutoload
-rwxr-xr-x    1 root     staff        3404 Jul 19  2001 _plutorun
-rwxr-xr-x    1 root     staff        6709 Jul 19  2001 _realsetup
-rwxr-xr-x    1 root     staff        1904 Jul 19  2001 _secretcensor
-rwxr-xr-x    1 root     staff        6097 Oct 18  2001 _startklips
-rwxr-xr-x    1 root     staff        5466 Oct 18  2001 _updown
-rwxr-xr-x    1 root     staff        9994 Jul 19  2001 auto
-rwxr-xr-x    1 root     staff        4670 Jul 19  2001 barf
-rwxr-xr-x    1 root     staff       57332 Jul 19  2001 eroute
-rwxr-xr-x    1 root     staff        2846 Jul 19  2001 ipsec
-rwxr-xr-x    1 root     staff       39820 Jul 19  2001 klipsdebug
-rwxr-xr-x    1 root     staff        2552 Oct 24  2001 look
-rwxr-xr-x    1 root     staff       16172 Jul 19  2001 manual
-rwxr-xr-x    1 root     staff      277828 Jul 19  2001 pluto
-rwxr-xr-x    1 root     staff        6620 Jul 19  2001 ranbits
-rwxr-xr-x    1 root     staff       45364 Jul 19  2001 rsasigkey
lrwxrwxrwx    1 root     staff          17 Jul 30 12:18 setup -> /etc/init.d/ipsec
-rwxr-xr-x    1 root     staff        1041 Jul 19  2001 showdefaults
-rwxr-xr-x    1 root     staff        3055 Jul 19  2001 showhostkey
-rwxr-xr-x    1 root     staff       62220 Jul 19  2001 spi
-rwxr-xr-x    1 root     staff       48980 Jul 19  2001 spigrp
-rwxr-xr-x    1 root     staff        9240 Jul 19  2001 tncfg
-rwxr-xr-x    1 root     staff       29776 Jul 19  2001 whack
+ _________________________
+
+ ls /usr/local/lib/ipsec
+ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001  D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.14 2001/04/07 22:42:54 henry Exp $



# CAUTION:  Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.



# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!?  Play it safe, script may be using new features.
 echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
 echo "$0:  called by obsolete Pluto?" >&2
 exit 2
 ;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
 exit 2
 ;;
esac

# check parameter(s)
case "$*" in
'') ;;
ipfwadm) # caused by (left/right)firewall=yes; for default script only
 ;;
*) echo "$0: unknown parameter \`$1'" >&2
 exit 2
 ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
 doroute add
}
downroute() {
 doroute del
}
doroute() {
 parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
 parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
 "0.0.0.0/0.0.0.0")
  # horrible kludge for obscure routing bug with opportunistic
  route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
   route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
  ;;
 *) route $1 $parms $parms2 ;;
 esac
 st=$?
 if test $st -ne 0
 then
  # route has already given its own cryptic message
  echo "$0: \`route $1 $parms' failed" >&2
 fi
 return $st
}



# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
 # delete possibly-existing route (preliminary to adding a route)
 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
 "0.0.0.0/0.0.0.0")
  # horrible kludge for obscure routing bug with opportunistic
  parms1="-net 0.0.0.0 netmask 128.0.0.0"
  parms2="-net 128.0.0.0 netmask 128.0.0.0"
  oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
  ;;
 *)
  parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
  oops="`route del $parms 2>&1`"
  ;;
 esac
 status="$?"
 if test " $oops" = " " -a " $status" != " 0"
 then
  oops="silent error, exit status $status"
 fi
 case "$oops" in
 'SIOCDELRT: No such process'*)
  # This is what route (currently -- not documented!) gives
  # for "could not find such a route".
  oops=
  status=0
  ;;
 esac
 if test " $oops" != " " -o " $status" != " 0"
 then
  echo "$0: \`route del $parms' failed ($oops)" >&2
 fi
 exit $status
 ;;
route-host:*|route-client:*)
 # connection to me or my client subnet being routed
 uproute
 ;;
unroute-host:*|unroute-client:*)
 # connection to me or my client subnet being unrouted
 downroute
 ;;
up-host:*)
 # connection to me coming up
 # If you are doing a custom version, firewall commands go here.
 ;;
down-host:*)
 # connection to me going down
 # If you are doing a custom version, firewall commands go here.
 ;;
up-client:)
 # connection to my client subnet coming up
 # If you are doing a custom version, firewall commands go here.
 ;;
down-client:)
 # connection to my client subnet going down
 # If you are doing a custom version, firewall commands go here.
 ;;
up-client:ipfwadm)
 # connection to client subnet, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
# ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
#  -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
 ipchains -I forward -j ACCEPT -b \
  -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
  -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
 # Insert firewall rule to accept ESP (Protocol 50) and AH (Protocol 51)
 # packets from peer
 ipchains -I input -j ACCEPT -p 50 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
 ipchains -I input -j ACCEPT -p 51 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
 ;;
down-client:ipfwadm)
 # connection to client subnet, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
# ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
#  -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
 ipchains -D forward -j ACCEPT -b \
  -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
  -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
 # Delete firewall rule to accept ESP (Protocol 50) and AH (Protocol 51)
 # packets from peer
 ipchains -D input -j ACCEPT -p 50 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
 ipchains -D input -j ACCEPT -p 51 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
 ;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
 exit 1
 ;;
esac
+ _________________________
+
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  840741   11542    0    0    0     0          0         0   840741   11542    0    0    0     0       0          0
ipsec0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  brg0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0:    3319      22    0    0    0     0          0         0     2780      20    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________
+
+ cat /proc/net/route
Iface Destination Gateway  Flags RefCnt Use Metric Mask  MTU Window IRTT
ipsec0 0005A8C0 C802A8C0 0003 0 0 0 00FFFFFF 0 0 0
eth1 0004A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 0002A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0002A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 00000000 C802A8C0 0003 0 0 0 00000000 0 0 0
+ _________________________
+
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________
+
+ uname -a
Linux SR3K-VPN1 2.2.19-3-DIGIPH #2 Tue Sep 24 11:43:46 PHT 2002 i386 unknown
+ _________________________
+
+ test -r /etc/redhat-release
+ _________________________
+
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.91
+ _________________________
+
+ ipchains -L -v -n
Chain input (policy ACCEPT: 3 packets, 715 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    9  1836 ACCEPT     udp  ------ 0xFF 0x00  *                             0.0.0.0/0            192.168.2.0/24        * ->   500
    0     0 ACCEPT     50   ------ 0xFF 0x00  *                             0.0.0.0/0            192.168.2.0/24        n/a
    0     0 ACCEPT     51   ------ 0xFF 0x00  *                             0.0.0.0/0            192.168.2.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                             192.168.2.1          0.0.0.0/0             n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                             192.168.2.1          192.168.4.0/24        n/a
11553  842K ACCEPT     all  ------ 0xFF 0x00  lo                            0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                             192.168.4.0/24       192.168.5.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                             192.168.5.0/24       192.168.4.0/24        n/a
    0     0 MASQ       all  ------ 0xFF 0x00  *                             192.168.4.0/24       0.0.0.0/0             n/a
    0     0 MASQ       all  ------ 0xFF 0x00  *                             192.168.2.0/24       0.0.0.0/0             n/a
Chain output (policy ACCEPT: 11562 packets, 843579 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    0     0 -          tcp  ------ 0x01 0x08  *                             0.0.0.0/0            0.0.0.0/0             * ->   20
    0     0 -          tcp  ------ 0x01 0x10  *                             0.0.0.0/0            0.0.0.0/0             * ->   21
    0     0 -          tcp  ------ 0x01 0x10  *                             0.0.0.0/0            0.0.0.0/0             * ->   22
    0     0 -          tcp  ------ 0x01 0x10  *                             0.0.0.0/0            0.0.0.0/0             * ->   23
    0     0 -          tcp  ------ 0x01 0x10  *                             0.0.0.0/0            0.0.0.0/0             * ->   25
    0     0 -          tcp  ------ 0x01 0x10  *                             0.0.0.0/0            0.0.0.0/0             * ->   80
    0     0 -          tcp  ------ 0x01 0x10  *                             0.0.0.0/0            0.0.0.0/0             * ->   110
+ _________________________
+
+ ipfwadm -F -l -n -e
ipfwadm: not found
+ _________________________
+
+ ipfwadm -I -l -n -e
ipfwadm: not found
+ _________________________
+
+ ipfwadm -O -l -n -e
ipfwadm: not found
+ _________________________
+
+ ipchains -M -L -v -n
IP masquerading entries
+ _________________________
+
+ ipfwadm -M -l -n -e
ipfwadm: not found
+ _________________________
+
+ cat /proc/modules
ds                      6120   1
i82365                 21964   1
pcmcia_core            44928   0 [ds i82365]
ip_masq_vdolive         1180   0 (unused)
ip_masq_user            3708   0 (unused)
ip_masq_raudio          2980   0 (unused)
ip_masq_quake           1220   0 (unused)
ip_masq_pptp            4116   0 (unused)
ip_masq_portfw          2416   0 (unused)
ip_masq_mms             2640   0 (unused)
ip_masq_mfw             3196   0 (unused)
ip_masq_irc             1924   0 (unused)
ip_masq_icq            13096   0 (unused)
ip_masq_h323            6280   0 (unused)
ip_masq_ftp             3576   0 (unused)
ip_masq_cuseeme          964   0 (unused)
ip_masq_autofw          2476   0 (unused)
lp                      4508   0 (unused)
parport_pc              7588   2
parport                 6956   2 [lp parport_pc]
slip                    6196   0 (unused)
ppp                    20828   0 (unused)
slhc                    4436   0 [slip ppp]
ext2                   40548   0 (unused)
rtl8139                10852   2
pci-scan                2296   0 [rtl8139]
+ _________________________
+
+ cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  126730240 78675968 48054272 14508032 55353344  5996544
Swap:        0        0        0
MemTotal:    123760 kB
MemFree:      46928 kB
MemShared:    14168 kB
Buffers:      54056 kB
Cached:        5856 kB
SwapTotal:        0 kB
SwapFree:         0 kB
+ _________________________
+
+ ls -l /dev/ipsec*
ls: /dev/ipsec*: No such file or directory
+ _________________________
+
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r--    1 root     root            0 Jul 30 12:24 /proc/net/ipsec_eroute
-r--r--r--    1 root     root            0 Jul 30 12:24 /proc/net/ipsec_klipsdebug
-r--r--r--    1 root     root            0 Jul 30 12:24 /proc/net/ipsec_spi
-r--r--r--    1 root     root            0 Jul 30 12:24 /proc/net/ipsec_spigrp
-r--r--r--    1 root     root            0 Jul 30 12:24 /proc/net/ipsec_tncfg
-r--r--r--    1 root     root            0 Jul 30 12:24 /proc/net/ipsec_version
+ _________________________
+
+ test -f /usr/src/linux/.config
+ _________________________
+
+ cat /etc/syslog.conf
#  /etc/syslog.conf Configuration file for syslogd.
#
#   For more information see syslog.conf(5)
#   manpage.

#
# Log everything remotely. The other machine must run syslog with '-r'.
# WARNING: Doing this is unsecure and can open you up to a DoS attack.
#

#*.*    @host.ip.address-or-name.here


#
# First some standard logfiles.  Log by facility.
#

auth,authpriv.*   -/var/log/auth.log
*.*;auth,authpriv.none  -/var/log/syslog
daemon.*   -/var/log/daemon.log
kern.*    -/var/log/kern.log
cron.*    -/var/log/cron.log

lpr.*    -/var/log/lpr.log
mail.*    -/var/log/mail.log
#user.*    -/var/log/user.log
uucp.*    -/var/log/uucp.log

#
# Some `catch-all' logfiles.
#
*.=debug;\
 auth,authpriv.none;\
 news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
 auth,authpriv.none;\
 cron,daemon.none;\
 mail,news.none  -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg    *


#ppp
local2.*  -/var/log/ppp.log

#portslave
local6.*  -/var/log/pslave.log
+ _________________________
+
+ test -f /var/log/kern.debug
+ _________________________
+
+ egrep -i ipsec|klips|pluto
+ egrep -n Starting FreeS.WAN /var/log/syslog
+ cat
+ sed -n $s/:.*//p
+ sed -n 104,$p /var/log/syslog
Jul 30 12:18:51 SR3K-VPN1 ipsec_setup: Starting FreeS/WAN IPsec 1.91...
Jul 30 12:18:51 SR3K-VPN1 ipsec_setup: KLIPS debug `none'
Jul 30 12:18:51 SR3K-VPN1 ipsec_setup: KLIPS ipsec0 on eth0 192.168.2.1/255.255.255.0 broadcast 192.168.2.255
Jul 30 12:18:52 SR3K-VPN1 ipsec_setup: ...FreeS/WAN IPsec started
Jul 30 12:18:55 SR3K-VPN1 ipsec__plutorun: 104 "VPN1-VPN2" #1: STATE_MAIN_I1: initiate
+ _________________________
+
+ egrep -i pluto
+ egrep -n Starting Pluto /var/log/auth.log
+ cat
+ sed -n $s/:.*//p
+ sed -n 1,$p /var/log/auth.log
Jul 30 12:18:52 SR3K-VPN1 Pluto[1569]: Starting Pluto (FreeS/WAN Version 1.91)
Jul 30 12:18:54 SR3K-VPN1 Pluto[1569]: added connection description "VPN1-VPN2"
Jul 30 12:18:54 SR3K-VPN1 Pluto[1569]: listening for IKE messages
Jul 30 12:18:54 SR3K-VPN1 Pluto[1569]: adding interface ipsec0/eth0 192.168.2.1
Jul 30 12:18:54 SR3K-VPN1 Pluto[1569]: loading secrets from "/etc/ipsec.secrets"
Jul 30 12:18:55 SR3K-VPN1 Pluto[1569]: "VPN1-VPN2" #1: initiating Main Mode
Jul 30 12:19:05 SR3K-VPN1 Pluto[1569]: some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)
Jul 30 12:19:06 SR3K-VPN1 Pluto[1569]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 12:20:15 SR3K-VPN1 Pluto[1569]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 12:22:15 SR3K-VPN1 Pluto[1569]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
+ _________________________
+
+ date
Tue Jul 30 12:24:10 UTC 2002

===========================
SR3K-VPN2
Wed Sep 11 06:20:35 UTC 2002
+ _________________________
+
+ ipsec --version
Linux FreeS/WAN 1.91
See `ipsec --copyright' for copyright information.
+ _________________________
+
+ cat /proc/version
Linux version 2.2.19-3-DIGIPH (root@zxivlin) (gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)) #2 Tue Sep 24 11:43:46 PHT 2002
+ _________________________
+
+ cat /proc/net/ipsec_eroute
0          192.168.5.0/24     -> 192.168.4.0/24     => %trap
+ _________________________
+
+ cat /proc/net/ipsec_spi
+ _________________________
+
+ cat /proc/net/ipsec_spigrp
+ _________________________
+
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.4.0     192.168.3.200   255.255.255.0   UG        0 0          0 ipsec0
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
0.0.0.0         192.168.3.200   0.0.0.0         UG        0 0          0 eth0
+ _________________________
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________
+
+ cat /proc/net/pf_key
    sock   pid   socket     next     prev e n p sndbf    Flags     Type St
c6680c80  1581 c51d2e68        0        0 0 0 2 32767 00000000        3  1
+ _________________________
+
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid       sk
pf_key_registered:     2 c51d2e68  1581 c6680c80
pf_key_registered:     3 c51d2e68  1581 c6680c80
pf_key_registered:     9 c51d2e68  1581 c6680c80
pf_key_registered:    10 c51d2e68  1581 c6680c80
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported:     2      14      3     0     160     160
pf_key_supported:     2      14      2     0     128     128
pf_key_supported:     3      15      3   128     168     168
pf_key_supported:     3      14      3     0     160     160
pf_key_supported:     3      14      2     0     128     128
pf_key_supported:     9      15      4     0     128     128
pf_key_supported:     9      15      3     0      32     128
pf_key_supported:     9      15      2     0     128      32
pf_key_supported:     9      15      1     0      32      32
pf_key_supported:    10      15      2     0       1       1
+ _________________________
+
+ cd /proc/sys/net/ipsec
+ egrep ^ debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:0
inbound_policy_check:1
tos:1
+ _________________________
+
+ ipsec auto --status
000 interface ipsec0/eth0 192.168.3.1
000
000 "VPN1-VPN2": 192.168.5.0/24===192.168.3.1---192.168.3.200...
000 "VPN1-VPN2": ...192.168.2.200---192.168.2.1===192.168.4.0/24
000 "VPN1-VPN2":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 0
000 "VPN1-VPN2":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; trap erouted
000 "VPN1-VPN2":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #1: "VPN1-VPN2" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 31s
+ _________________________
+
+ ifconfig -a
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:1695 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1695 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec0    Link encap:Ethernet  HWaddr 52:54:39:02:04:93
          inet addr:192.168.3.1  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec1    Link encap:IPIP Tunnel  HWaddr
          unspec addr:[NONE SET]  Mask:[NONE SET]
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec2    Link encap:IPIP Tunnel  HWaddr
          unspec addr:[NONE SET]  Mask:[NONE SET]
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec3    Link encap:IPIP Tunnel  HWaddr
          unspec addr:[NONE SET]  Mask:[NONE SET]
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

brg0      Link encap:Ethernet  HWaddr FE:FD:0E:00:E0:49
          unspec addr:[NONE SET]  Bcast:[NONE SET]  Mask:[NONE SET]
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

eth0      Link encap:Ethernet  HWaddr 52:54:39:02:04:93
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
          Interrupt:10 Base address:0xdc00

eth1      Link encap:Ethernet  HWaddr 52:54:39:02:04:94
          inet addr:192.168.5.200  Bcast:192.168.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
          Interrupt:11 Base address:0xd800

+ _________________________
+
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________
+
+ hostname --fqdn
SR3K-VPN2
+ _________________________
+
+ hostname --ip-address
192.168.3.1
+ _________________________
+
+ uptime
 06:20:36 up 0 Days (0h), load average: 0.72 0.31 0.11
+ _________________________
+
+ ipsec showdefaults
routephys=eth0
routephys=eth0
routevirt=ipsec0
routevirt=ipsec0
routeaddr=192.168.3.1
routeaddr=192.168.3.1
routenexthop=192.168.3.200
routenexthop=192.168.3.200
defaultroutephys=eth0
defaultroutevirt=ipsec0
defaultrouteaddr=192.168.3.1
defaultroutenexthop=192.168.3.200
+ _________________________
+
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# basic configuration
config setup
 interfaces=%defaultroute
 klipsdebug=none
 plutodebug=none
 plutoload=%search
 plutostart=%search
 plutowait=no
 uniqueids=yes

conn VPN1-VPN2
 auto=start
        type=tunnel
 left=192.168.2.1
 leftsubnet=192.168.4.0/24
 leftnexthop=192.168.2.200
 right=192.168.3.1
 authby=rsasig
 #authby=secret
 leftid=192.168.2.1
 rightid=192.168.3.1
 rightsubnet=192.168.5.0/24
 rightnexthop=192.168.3.200
 leftrsasigkey=[sums to 364c...]
 rightrsasigkey=[sums to 1636...]
 keyexchange=ike
 keylife=8h
 keyingtries=0
 pfs=yes
 rekeymargin=9m
 rekeyfuzz=25%
+ _________________________
+
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# 192.168.2.1 192.168.3.1: PSK "[sums to ff6c...]"
# 192.168.3.1 192.168.2.1: PSK "[sums to 3ef7...]"
# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".

: RSA {
 # RSA 1024 bits   SR3K-VPN1   Mon Sep  9 10:26:39 2002
 # for signatures only, UNSAFE FOR ENCRYPTION
 #pubkey=[sums to 7a9d...]
 #IN KEY 0x4200 4 1 [sums to 9640...]
 # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
 Modulus: [...]
 PublicExponent: [...]
 # everything after this point is secret
 PrivateExponent: [...]
 Prime1: [...]
 Prime2: [...]
 Exponent1: [...]
 Exponent2: [...]
 Coefficient: [...]
 }
# do not change the indenting of that "[sums to 7d9d...]"
# RSA 1024 bits   SR3K-VPN2   Mon Aug  5 00:27:45 2002
+ _________________________
+
+ ls -l /usr/local/lib/ipsec
-rwxr-xr-x    1 root     staff       10884 Jul 19  2001 _confread
-rwxr-xr-x    1 root     staff        2163 Jul 19  2001 _include
-rwxr-xr-x    1 root     staff        1383 Jul 19  2001 _keycensor
-rwxr-xr-x    1 root     staff        3271 Jul 19  2001 _plutoload
-rwxr-xr-x    1 root     staff        3404 Jul 19  2001 _plutorun
-rwxr-xr-x    1 root     staff        6709 Jul 19  2001 _realsetup
-rwxr-xr-x    1 root     staff        1904 Jul 19  2001 _secretcensor
-rwxr-xr-x    1 root     staff        6097 Oct 18  2001 _startklips
-rwxr-xr-x    1 root     staff        5466 Oct 18  2001 _updown
-rwxr-xr-x    1 root     staff        9994 Jul 19  2001 auto
-rwxr-xr-x    1 root     staff        4670 Jul 19  2001 barf
-rwxr-xr-x    1 root     staff       57332 Jul 19  2001 eroute
-rwxr-xr-x    1 root     staff        2846 Jul 19  2001 ipsec
-rwxr-xr-x    1 root     staff       39820 Jul 19  2001 klipsdebug
-rwxr-xr-x    1 root     staff        2552 Oct 24  2001 look
-rwxr-xr-x    1 root     staff       16172 Jul 19  2001 manual
-rwxr-xr-x    1 root     staff      277828 Jul 19  2001 pluto
-rwxr-xr-x    1 root     staff        6620 Jul 19  2001 ranbits
-rwxr-xr-x    1 root     staff       45364 Jul 19  2001 rsasigkey
lrwxrwxrwx    1 root     staff          17 Sep 11 06:19 setup -> /etc/init.d/ipsec
-rwxr-xr-x    1 root     staff        1041 Jul 19  2001 showdefaults
-rwxr-xr-x    1 root     staff        3055 Jul 19  2001 showhostkey
-rwxr-xr-x    1 root     staff       62220 Jul 19  2001 spi
-rwxr-xr-x    1 root     staff       48980 Jul 19  2001 spigrp
-rwxr-xr-x    1 root     staff        9240 Jul 19  2001 tncfg
-rwxr-xr-x    1 root     staff       29776 Jul 19  2001 whack
+ _________________________
+
+ ls /usr/local/lib/ipsec
+ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001  D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.14 2001/04/07 22:42:54 henry Exp $



# CAUTION:  Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.



# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!?  Play it safe, script may be using new features.
 echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
 echo "$0:  called by obsolete Pluto?" >&2
 exit 2
 ;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
 exit 2
 ;;
esac

# check parameter(s)
case "$*" in
'') ;;
ipfwadm) # caused by (left/right)firewall=yes; for default script only
 ;;
*) echo "$0: unknown parameter \`$1'" >&2
 exit 2
 ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
 doroute add
}
downroute() {
 doroute del
}
doroute() {
 parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
 parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
 "0.0.0.0/0.0.0.0")
  # horrible kludge for obscure routing bug with opportunistic
  route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
   route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
  ;;
 *) route $1 $parms $parms2 ;;
 esac
 st=$?
 if test $st -ne 0
 then
  # route has already given its own cryptic message
  echo "$0: \`route $1 $parms' failed" >&2
 fi
 return $st
}



# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
 # delete possibly-existing route (preliminary to adding a route)
 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
 "0.0.0.0/0.0.0.0")
  # horrible kludge for obscure routing bug with opportunistic
  parms1="-net 0.0.0.0 netmask 128.0.0.0"
  parms2="-net 128.0.0.0 netmask 128.0.0.0"
  oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
  ;;
 *)
  parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
  oops="`route del $parms 2>&1`"
  ;;
 esac
 status="$?"
 if test " $oops" = " " -a " $status" != " 0"
 then
  oops="silent error, exit status $status"
 fi
 case "$oops" in
 'SIOCDELRT: No such process'*)
  # This is what route (currently -- not documented!) gives
  # for "could not find such a route".
  oops=
  status=0
  ;;
 esac
 if test " $oops" != " " -o " $status" != " 0"
 then
  echo "$0: \`route del $parms' failed ($oops)" >&2
 fi
 exit $status
 ;;
route-host:*|route-client:*)
 # connection to me or my client subnet being routed
 uproute
 ;;
unroute-host:*|unroute-client:*)
 # connection to me or my client subnet being unrouted
 downroute
 ;;
up-host:*)
 # connection to me coming up
 # If you are doing a custom version, firewall commands go here.
 ;;
down-host:*)
 # connection to me going down
 # If you are doing a custom version, firewall commands go here.
 ;;
up-client:)
 # connection to my client subnet coming up
 # If you are doing a custom version, firewall commands go here.
 ;;
down-client:)
 # connection to my client subnet going down
 # If you are doing a custom version, firewall commands go here.
 ;;
up-client:ipfwadm)
 # connection to client subnet, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
# ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
#  -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
 ipchains -I forward -j ACCEPT -b \
  -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
  -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
 # Insert firewall rule to accept ESP (Protocol 50) and AH (Protocol 51)
 # packets from peer
 ipchains -I input -j ACCEPT -p 50 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
 ipchains -I input -j ACCEPT -p 51 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
 ;;
down-client:ipfwadm)
 # connection to client subnet, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
# ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
#  -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
 ipchains -D forward -j ACCEPT -b \
  -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
  -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
 # Delete firewall rule to accept ESP (Protocol 50) and AH (Protocol 51)
 # packets from peer
 ipchains -D input -j ACCEPT -p 50 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
 ipchains -D input -j ACCEPT -p 51 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
 ;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
 exit 1
 ;;
esac
+ _________________________
+
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  129509    1734    0    0    0     0          0         0   129509    1734    0    0    0     0       0          0
ipsec0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  brg0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0:     556       4    0    0    0     0          0         0     1020       6    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________
+
+ cat /proc/net/route
Iface Destination Gateway  Flags RefCnt Use Metric Mask  MTU Window IRTT
eth1 0005A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0004A8C0 C803A8C0 0003 0 0 0 00FFFFFF 0 0 0
eth0 0003A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0003A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 00000000 C803A8C0 0003 0 0 0 00000000 0 0 0
+ _________________________
+
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________
+
+ uname -a
Linux SR3K-VPN2 2.2.19-3-DIGIPH #2 Tue Sep 24 11:43:46 PHT 2002 i386 unknown
+ _________________________
+
+ test -r /etc/redhat-release
+ _________________________
+
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.91
+ _________________________
+
+ ipchains -L -v -n
Chain input (policy ACCEPT: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    2   408 ACCEPT     udp  ------ 0xFF 0x00  *                              0.0.0.0/0            192.168.3.0/24        * ->   500
    0     0 ACCEPT     50   ------ 0xFF 0x00  *                              0.0.0.0/0            192.168.3.0/24        n/a
    0     0 ACCEPT     51   ------ 0xFF 0x00  *                              0.0.0.0/0            192.168.3.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                              192.168.3.1          0.0.0.0/0             n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                              192.168.3.1          192.168.5.0/24        n/a
 1738  130K ACCEPT     all  ------ 0xFF 0x00  lo                             0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                              192.168.5.0/24       192.168.4.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                              192.168.4.0/24       192.168.5.0/24        n/a
    0     0 MASQ       all  ------ 0xFF 0x00  *                              192.168.5.0/24       0.0.0.0/0             n/a
    0     0 MASQ       all  ------ 0xFF 0x00  *                              192.168.3.0/24       0.0.0.0/0             n/a
Chain output (policy ACCEPT: 1742 packets, 130647 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source                destination           ports
    0     0 -          tcp  ------ 0x01 0x08  *                              0.0.0.0/0            0.0.0.0/0             * ->   20
    0     0 -          tcp  ------ 0x01 0x10  *                              0.0.0.0/0            0.0.0.0/0             * ->   21
    0     0 -          tcp  ------ 0x01 0x10  *                              0.0.0.0/0            0.0.0.0/0             * ->   22
    0     0 -          tcp  ------ 0x01 0x10  *                              0.0.0.0/0            0.0.0.0/0             * ->   23
    0     0 -          tcp  ------ 0x01 0x10  *                              0.0.0.0/0            0.0.0.0/0             * ->   25
    0     0 -          tcp  ------ 0x01 0x10  *                              0.0.0.0/0            0.0.0.0/0             * ->   80
    0     0 -          tcp  ------ 0x01 0x10  *                              0.0.0.0/0            0.0.0.0/0             * ->   110
+ _________________________
+
+ ipfwadm -F -l -n -e
ipfwadm: not found
+ _________________________
+
+ ipfwadm -I -l -n -e
ipfwadm: not found
+ _________________________
+
+ ipfwadm -O -l -n -e
ipfwadm: not found
+ _________________________
+
+ ipchains -M -L -v -n
IP masquerading entries
+ _________________________
+
+ ipfwadm -M -l -n -e
ipfwadm: not found
+ _________________________
+
+ cat /proc/modules
ds                      6120   1
i82365                 21964   1
pcmcia_core            44928   0 [ds i82365]
ip_masq_vdolive         1180   0 (unused)
ip_masq_user            3708   0 (unused)
ip_masq_raudio          2980   0 (unused)
ip_masq_quake           1220   0 (unused)
ip_masq_pptp            4116   0 (unused)
ip_masq_portfw          2416   0 (unused)
ip_masq_mms             2640   0 (unused)
ip_masq_mfw             3196   0 (unused)
ip_masq_irc             1924   0 (unused)
ip_masq_icq            13096   0 (unused)
ip_masq_h323            6280   0 (unused)
ip_masq_ftp             3576   0 (unused)
ip_masq_cuseeme          964   0 (unused)
ip_masq_autofw          2476   0 (unused)
lp                      4508   0 (unused)
parport_pc              7588   1
parport                 6956   1 [lp parport_pc]
slip                    6196   0 (unused)
ppp                    20828   0 (unused)
slhc                    4436   0 [slip ppp]
ext2                   40548   0 (unused)
rtl8139                10852   2
pci-scan                2296   0 [rtl8139]
+ _________________________
+
+ cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  126795776 78491648 48304128 14168064 55312384  5951488
Swap:        0        0        0
MemTotal:    123824 kB
MemFree:      47172 kB
MemShared:    13836 kB
Buffers:      54016 kB
Cached:        5812 kB
SwapTotal:        0 kB
SwapFree:         0 kB
+ _________________________
+
+ ls -l /dev/ipsec*
ls: /dev/ipsec*: No such file or directory
+ _________________________
+
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r--    1 root     root            0 Sep 11 06:20 /proc/net/ipsec_eroute
-r--r--r--    1 root     root            0 Sep 11 06:20 /proc/net/ipsec_klipsdebug
-r--r--r--    1 root     root            0 Sep 11 06:20 /proc/net/ipsec_spi
-r--r--r--    1 root     root            0 Sep 11 06:20 /proc/net/ipsec_spigrp
-r--r--r--    1 root     root            0 Sep 11 06:20 /proc/net/ipsec_tncfg
-r--r--r--    1 root     root            0 Sep 11 06:20 /proc/net/ipsec_version
+ _________________________
+
+ test -f /usr/src/linux/.config
+ _________________________
+
+ cat /etc/syslog.conf
#  /etc/syslog.conf Configuration file for syslogd.
#
#   For more information see syslog.conf(5)
#   manpage.

#
# Log everything remotely. The other machine must run syslog with '-r'.
# WARNING: Doing this is unsecure and can open you up to a DoS attack.
#

#*.*    @host.ip.address-or-name.here

#
# First some standard logfiles.  Log by facility.
#

auth,authpriv.*   -/var/log/auth.log
*.*;auth,authpriv.none  -/var/log/syslog
daemon.*   -/var/log/daemon.log
kern.*    -/var/log/kern.log
cron.*    -/var/log/cron.log

lpr.*    -/var/log/lpr.log
mail.*    -/var/log/mail.log
#user.*    -/var/log/user.log
uucp.*    -/var/log/uucp.log

#
# Some `catch-all' logfiles.
#
*.=debug;\
 auth,authpriv.none;\
 news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
 auth,authpriv.none;\
 cron,daemon.none;\
 mail,news.none  -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg    *

#ppp
local2.*  -/var/log/ppp.log

#portslave
local6.*  -/var/log/pslave.log

+ _________________________
+
+ test -f /var/log/kern.debug
+ _________________________
+
+ cat
+ egrep -i ipsec|klips|pluto
+ egrep -n Starting FreeS.WAN /var/log/syslog
+ sed -n $s/:.*//p
+ sed -n 102,$p /var/log/syslog
Sep 11 06:19:53 SR3K-VPN2 ipsec_setup: Starting FreeS/WAN IPsec 1.91...
Sep 11 06:19:53 SR3K-VPN2 ipsec_setup: KLIPS debug `none'
Sep 11 06:19:53 SR3K-VPN2 ipsec_setup: KLIPS ipsec0 on eth0 192.168.3.1/255.255.255.0 broadcast 192.168.3.255
Sep 11 06:19:54 SR3K-VPN2 ipsec_setup: ...FreeS/WAN IPsec started
Sep 11 06:19:57 SR3K-VPN2 ipsec__plutorun: 104 "VPN1-VPN2" #1: STATE_MAIN_I1: initiate
+ _________________________
+
+ egrep -i pluto
+ egrep -n Starting Pluto /var/log/auth.log
+ cat
+ sed -n $s/:.*//p
+ sed -n 1,$p /var/log/auth.log
Sep 11 06:19:54 SR3K-VPN2 Pluto[1581]: Starting Pluto (FreeS/WAN Version 1.91)
Sep 11 06:19:56 SR3K-VPN2 Pluto[1581]: added connection description "VPN1-VPN2"
Sep 11 06:19:57 SR3K-VPN2 Pluto[1581]: listening for IKE messages
Sep 11 06:19:57 SR3K-VPN2 Pluto[1581]: adding interface ipsec0/eth0 192.168.3.1
Sep 11 06:19:57 SR3K-VPN2 Pluto[1581]: loading secrets from "/etc/ipsec.secrets"
Sep 11 06:19:57 SR3K-VPN2 Pluto[1581]: "VPN1-VPN2" #1: initiating Main Mode
Sep 11 06:20:16 SR3K-VPN2 Pluto[1581]: packet from 192.168.3.200:61012: initial Main Mode message received on 192.168.3.1:500 but no connection has been authorized
+ _________________________
+
+ date
Wed Sep 11 06:20:38 UTC 2002



----- Original Message -----
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
To: "Vic Berdin" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, September 30, 2002 9:06 PM
Subject: Re: [leaf-user] subnet-to-subnet simulation problem


> A couple questions:
>
> 1) Why are you loading the ipsec x.509 version of FreeS/WAN when you're
> not trying to use certificates?  You can use conventional RSA signature
> keys with the x.509 patched version, but in the "walk before you run"
> category, you should probably be using the "plain" version of FreeS/WAN
> (ie just ipsec.lrp) to get started.  The x.509 patches change how pluto
> responds to connection attempts, and essentially add another layer of
> potential confusion to your debugging attempts.
>
> 2) I've snipped all but the critical errors from your auth.log file
> below.  You really need to look at the logs on *BOTH* ends to figure out
> what's going wrong.
>
> > Jul 30 06:42:11 SR3K-VPN1 Pluto[1737]: "VPN1-VPN2" #1: initiating Main Mode
> > Jul 30 06:42:21 SR3K-VPN1 Pluto[1737]: some IKE message we sent has been
> > rejected with ECONNREFUSED (kernel supplied no details)
>
> > Jul 30 06:42:22 SR3K-VPN1 Pluto[1737]: packet from 192.168.2.200:61013:
> > initial Main Mode message received on 192.168.2.1:500 but no connection
> > has been authorized
>
> The logs indicate two different problems...the first is the IKE message
> this system sent was rejected by the remote system.  This is VERY BAD.
> There should be a log entry on the remote system indicating *WHY* the
> packet was refused, which should help track down your configuration
> error(s).
>
> The second problem is the reception of a main-mode message from the
> remote system that doesn't match a local connection description.  This
> is likely a side-effect of the previous problem.
>
> I strongly suggest working with just the plain ipsec.lrp while trying to
> test your RSA authenticated connection.  Once you get that working, you
> can step up to x.509 certs if necessary.  Also, if you post logs again,
> please do so from *BOTH* machines.
>
> For what it's worth, FreeS/WAN is kind of like bind (named)...it seems
> really complex at first, but it's really pretty simple once you
> understand how everything works...you should have tunnels up soon!
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
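
Both Pluto logs quoted in this thread report the unsolicited Main Mode packet as arriving from the configured nexthop (192.168.3.200 on SR3K-VPN2, 192.168.2.200 on SR3K-VPN1) with a high source port, not from the configured peer address on port 500. Pluto matches an unsolicited Main Mode packet to a connection by its source address, so a source that is the box in the middle rather than the peer can never match, which is exactly the "no connection has been authorized" line; source ports 61012 and 61013 also sit in the 61000-65095 range that the 2.2 kernel's ipchains masquerading hands out. The triage script below is an added example, not code from the page or from FreeS/WAN: it parses the conn block and the quoted log lines (both constructed here from what the page shows, RSA keys elided) and labels each unauthorized packet by whether its source is a known peer, a configured nexthop, or something else. Function names and verdict labels are my own.

```python
import re

# Constructed sample: the conn block from the /etc/ipsec.conf posted above
# (RSA keys elided, as the barf itself elides them).
IPSEC_CONF = """\
conn VPN1-VPN2
 auto=start
 type=tunnel
 left=192.168.2.1
 leftsubnet=192.168.4.0/24
 leftnexthop=192.168.2.200
 right=192.168.3.1
 rightsubnet=192.168.5.0/24
 rightnexthop=192.168.3.200
 authby=rsasig
"""

# Constructed sample: the Pluto lines quoted on the page, one from each end.
AUTH_LOG = """\
Sep 11 06:19:57 SR3K-VPN2 Pluto[1581]: "VPN1-VPN2" #1: initiating Main Mode
Sep 11 06:20:16 SR3K-VPN2 Pluto[1581]: packet from 192.168.3.200:61012: initial Main Mode message received on 192.168.3.1:500 but no connection has been authorized
Jul 30 06:42:22 SR3K-VPN1 Pluto[1737]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
"""

CONN_RE = re.compile(r"^conn\s+(\S+)")
KV_RE = re.compile(r"^\s+(\w+)=(\S+)")
UNAUTH_RE = re.compile(
    r"Pluto\[\d+\]: packet from (?P<src>[\d.]+):(?P<sport>\d+): "
    r"initial Main Mode message received on (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"but no connection has been authorized"
)


def parse_conns(text):
    """Collect conn sections as {name: {key: value}} from ipsec.conf-style text."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            cur = conns.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return conns


def classify_unauthorized(logtext, conns):
    """Label each 'no connection has been authorized' line by what its source is.

    A source equal to a left/right address is a peer Pluto knows; a source equal
    to a leftnexthop/rightnexthop is the intermediate box, i.e. the IKE packet
    was rewritten on the way (assumption: masquerading, as the 61000+ ports suggest).
    """
    peers, nexthops = set(), set()
    for c in conns.values():
        peers.update(v for k, v in c.items() if k in ("left", "right"))
        nexthops.update(v for k, v in c.items() if k in ("leftnexthop", "rightnexthop"))
    findings = []
    for line in logtext.splitlines():
        m = UNAUTH_RE.search(line)
        if not m:
            continue
        src, sport = m.group("src"), int(m.group("sport"))
        if src in peers:
            verdict = "peer-known"          # address matches; check IDs/authby next
        elif src in nexthops:
            verdict = "source-is-nexthop"   # rewritten by the hop in between
        else:
            verdict = "unknown-source"
        findings.append({
            "host": line.split()[3],        # syslog hostname field
            "src": src, "sport": sport, "dst": m.group("dst"),
            "nonstandard_port": sport != 500,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in classify_unauthorized(AUTH_LOG, parse_conns(IPSEC_CONF)):
        print(finding)
```

Run it against the real /etc/ipsec.conf and /var/log/auth.log from each gateway; a "source-is-nexthop" verdict on both ends means the box between them is rewriting IKE, and no amount of key or ID tweaking on the gateways will make Main Mode match.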

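The /proc/net/route dump in the barf stores destination, gateway and mask as hex words in host byte order, which on this i386 box means little-endian, so C803A8C0 is 192.168.3.200. The decoder below is an added example, not code from the page or from FreeS/WAN: it turns that table into readable routes and does a longest-prefix lookup, which is what one needs to confirm that traffic for the peer's subnet (192.168.4.0/24) is handed to ipsec0 via 192.168.3.200 rather than following the default route out eth0 in the clear. The sample text is the table from the page; the function names and the RTF_* constants (taken from <linux/route.h>) are my own additions.

```python
import socket
import struct

# Constructed sample: the /proc/net/route table from the SR3K-VPN2 barf above.
PROC_NET_ROUTE = """\
Iface Destination Gateway  Flags RefCnt Use Metric Mask  MTU Window IRTT
eth1 0005A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0004A8C0 C803A8C0 0003 0 0 0 00FFFFFF 0 0 0
eth0 0003A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0003A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 00000000 C803A8C0 0003 0 0 0 00000000 0 0 0
"""

RTF_UP = 0x0001       # route is usable
RTF_GATEWAY = 0x0002  # destination is reached through the Gateway column


def hex_addr(word):
    """Decode one 8-hex-digit /proc/net/route word as a host-order IPv4 address
    (little-endian on i386), so C803A8C0 reads as 192.168.3.200."""
    return socket.inet_ntoa(struct.pack("<I", int(word, 16)))


def prefix_len(mask_word):
    """Count the set bits of the netmask word: 00FFFFFF -> 24."""
    return bin(int(mask_word, 16)).count("1")


def parse_routes(text):
    """Return the table as a list of dicts, skipping the header line."""
    routes = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8:
            continue
        flags = int(f[3], 16)
        routes.append({
            "iface": f[0],
            "dst": f"{hex_addr(f[1])}/{prefix_len(f[7])}",
            "gw": hex_addr(f[2]) if flags & RTF_GATEWAY else None,
            "up": bool(flags & RTF_UP),
        })
    return routes


def _ip_int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def route_for(routes, ip):
    """Longest-prefix match over the parsed table; first entry wins on a tie."""
    target, best, best_len = _ip_int(ip), None, -1
    for r in routes:
        net, plen = r["dst"].split("/")
        plen = int(plen)
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF if plen else 0
        if r["up"] and (_ip_int(net) & mask) == (target & mask) and plen > best_len:
            best, best_len = r, plen
    return best


if __name__ == "__main__":
    table = parse_routes(PROC_NET_ROUTE)
    for r in table:
        print(f'{r["dst"]:<18} via {(r["gw"] or "-"):<15} dev {r["iface"]}')
    print("192.168.4.7 ->", route_for(table, "192.168.4.7"))
```

Feed it `cat /proc/net/route` from either gateway; if the peer subnet resolves to eth0 instead of ipsec0, the `_updown` route step (uproute above) did not run or was undone, and packets would leave unencrypted.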


------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
