I am trying to set up a VPN with IPsec - Dachstein v1.0.2-ipsec (modified by
Lynn Avant). I am using VmWare on a W2000 for the test environment.

My test configuration is:
(192.168.1.254 / 12.247.85.201) -----(VMnet2)----- (212.247.85.202 / 192.168.2.254)

ping from 212.247.85.201 to 212.247.85.201 and v.v. OK - I am using PSK

Problem: Cannot ping from one side of the tunnel to the other

So far I understand everything works as it should. The ports 50, 51 and udp
500 are open, the tunnel goes up and IPsec creates the route as it should.
As I cannot use eth0_DEFAULT_GW in the networks script and
leftnexthop/rightnexthop in IPsec, I have left these commented out.

I have been trying to get this to work for some weeks and am now starting to
be really frustrated and would be very thankful for any help.

Regards
Lars
************************************************
I am here sending a barf from one of the machines (212.247.85.202)
firewall
Tue Oct 22 12:12:55 UTC 2002
+ _________________________
+
+ ipsec --version
Linux FreeS/WAN 1.91
See `ipsec --copyright' for copyright information.
+ _________________________
+
+ cat /proc/version
Linux version 2.2.19-3-LEAF (root@debian) (gcc version 2.7.2.3) #2 Sat Dec 1 12:34:52 CST 2001
+ _________________________
+
+ cat /proc/net/ipsec_eroute
0 192.168.2.0/24 -> 192.168.1.0/24 => [EMAIL PROTECTED]
+ _________________________
+
+ cat /proc/net/ipsec_spi
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=212.247.85.202 iv_bits=64bits iv=0x2ab26f7a35a8289c ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(22,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=212.247.85.202 life(c,s,h)=add(22,0,0)
[EMAIL PROTECTED] IPIP: dir=in src=212.247.85.201 life(c,s,h)=add(22,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in src=212.247.85.201 iv_bits=64bits iv=0x7966a33267e2161a ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(22,0,0)
+ _________________________
+
+ cat /proc/net/ipsec_spigrp
[EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
+ _________________________
+
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.1.0     212.247.85.201  255.255.255.0   UG        0 0          0 ipsec0
212.247.85.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
212.247.85.0    0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
+ _________________________
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________
+
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
c05d54f0 823 c04f9aa8 0 0 0 0 2 32767 00000000 3 1
+ _________________________
+
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c04f9aa8 823 c05d54f0
pf_key_registered: 3 c04f9aa8 823 c05d54f0
pf_key_registered: 9 c04f9aa8 823 c05d54f0
pf_key_registered: 10 c04f9aa8 823 c05d54f0
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________
+
+ cd /proc/sys/net/ipsec
+ egrep ^ debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:0
inbound_policy_check:1
tos:1
+ _________________________
+
+ ipsec auto --status
000 interface ipsec0/eth0 212.247.85.202
000
000 "test": 192.168.2.0/24===212.247.85.202...212.247.85.201===192.168.1.0/24
000 "test":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test":   policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "test":   newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
000
000 #2: "test" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28025s; newest IPSEC; eroute owner
000 #2: "test" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "test" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2584s; newest ISAKMP
+ _________________________
+
+ ifconfig -a
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
ipsec0 Link encap:Ethernet HWaddr 00:50:56:42:B2:F5
inet addr:212.247.85.202 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
ipsec1 Link encap:IPIP Tunnel HWaddr
unspec addr:[NONE SET] Mask:[NONE SET]
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
ipsec2 Link encap:IPIP Tunnel HWaddr
unspec addr:[NONE SET] Mask:[NONE SET]
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
ipsec3 Link encap:IPIP Tunnel HWaddr
unspec addr:[NONE SET] Mask:[NONE SET]
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
eth0 Link encap:Ethernet HWaddr 00:50:56:42:B2:F5
inet addr:212.247.85.202 Bcast:212.247.85.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
Interrupt:9 Base address:0x1060
eth1 Link encap:Ethernet HWaddr 00:50:56:42:B2:F6
inet addr:192.168.2.254 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
Interrupt:11 Base address:0x1080
+ _________________________
+
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________
+
+ hostname --fqdn
hostname: invalid option -- -
BusyBox v0.60.1 (2001.10.18-21:35+0000) multi-call binary
Usage: hostname [OPTION] {hostname | -F FILE}
+ _________________________
+
+ hostname --ip-address
hostname: invalid option -- -
BusyBox v0.60.1 (2001.10.18-21:35+0000) multi-call binary
Usage: hostname [OPTION] {hostname | -F FILE}
+ _________________________
+
+ uptime
12:12:55 up 0 Days (0h), load average: 0.13 0.05 0.02
+ _________________________
+
+ ipsec showdefaults
#dr: no default route
# no default route
# no default route
+ _________________________
+
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    #interfaces=%defaultroute
    interfaces="ipsec0=eth0"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    type=tunnel
    keyexchange=ike
    keylife=8h
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    #disablearrivalcheck=yes
    # RSA authentication with keys from DNS.
    #authby=rsasig
    #leftrsasigkey=%dns
    #rightrsasigkey=%dns
    # Preshared Secret Key authentication.
    authby=secret
    #pfs=no
    pfs=yes
    # Left security gateway, subnet behind it, next hop toward right.
    left=212.247.85.201
    leftsubnet=192.168.1.0/24
    #leftnexthop=212.247.85.202
    leftfirewall=yes
    #leftfirewall=no
    auto=add

# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
#conn me-to-anyone
#    left=%defaultroute
#    right=%opportunistic
#    # uncomment to enable incoming; change to auto=route for outgoing
#    #auto=add

# sample VPN connection
conn test
    # Right security gateway, subnet behind it, next hop toward left.
    right=212.247.85.202
    rightsubnet=192.168.2.0/24
    #rightnexthop=10.101.102.103
    rightfirewall=yes
    # To authorize this connection, but not actually start it, at startup,
    # uncomment this. To start the connection, change "add" to "start".
    auto=add

#conn sample-roadwarrior
#    # Right Roadwarrior.
#    right=0.0.0.0
#    rightnexthop=
#    rightfirewall=no
#    # To authorize this connection, but not actually start it, at startup,
#    # uncomment this.
#    auto=add
+ _________________________
+
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
md5sum: not found
# with "[sums to #...]".
md5sum: not found
# # -- Create your own RSA key with "[sums to #...]"
# }
md5sum: not found
# do not change the indenting of that "[sums to #...]"
# Preshared Secret Key authentication. You can have ipsec create a
md5sum: not found
# secret key with the "[sums to #...]" command.
md5sum: not found
212.247.85.201 212.247.85.202: PSK "[sums to 212....]"
+ _________________________
+
+ ls -l /usr/local/lib/ipsec
-rwxr-xr-x 1 root staff 10884 Jul 19 2001 _confread
-rwxr-xr-x 1 root staff 2163 Jul 19 2001 _include
-rwxr-xr-x 1 root staff 1383 Jul 19 2001 _keycensor
-rwxr-xr-x 1 root staff 3271 Jul 19 2001 _plutoload
-rwxr-xr-x 1 root staff 3404 Jul 19 2001 _plutorun
-rwxr-xr-x 1 root staff 6709 Jul 19 2001 _realsetup
-rwxr-xr-x 1 root staff 1904 Jul 19 2001 _secretcensor
-rwxr-xr-x 1 root staff 6097 Oct 18 2001 _startklips
-rwxr-xr-x 1 root staff 5466 Oct 18 2001 _updown
-rwxr-xr-x 1 root staff 9994 Jul 19 2001 auto
-rwxr-xr-x 1 root staff 4670 Jul 19 2001 barf
-rwxr-xr-x 1 root staff 57332 Jul 19 2001 eroute
-rwxr-xr-x 1 root staff 2846 Jul 19 2001 ipsec
-rwxr-xr-x 1 root staff 39820 Jul 19 2001 klipsdebug
-rwxr-xr-x 1 root staff 2552 Oct 24 2001 look
-rwxr-xr-x 1 root staff 16172 Jul 19 2001 manual
-rwxr-xr-x 1 root staff 277828 Jul 19 2001 pluto
-rwxr-xr-x 1 root staff 6620 Jul 19 2001 ranbits
-rwxr-xr-x 1 root staff 45364 Jul 19 2001 rsasigkey
lrwxrwxrwx 1 root staff 17 Oct 22 12:11 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root staff 1041 Jul 19 2001 showdefaults
-rwxr-xr-x 1 root staff 3055 Jul 19 2001 showhostkey
-rwxr-xr-x 1 root staff 62220 Jul 19 2001 spi
-rwxr-xr-x 1 root staff 48980 Jul 19 2001 spigrp
-rwxr-xr-x 1 root staff 9240 Jul 19 2001 tncfg
-rwxr-xr-x 1 root staff 29776 Jul 19 2001 whack
+ _________________________
+
+ ls /usr/local/lib/ipsec
+ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.14 2001/04/07 22:42:54 henry Exp $

# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
    1.[0])  # Older Pluto?!? Play it safe, script may be using new features.
        echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
        echo "$0: called by obsolete Pluto?" >&2
        exit 2
        ;;
    1.*)    ;;
    *)      echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$*" in
    '')     ;;
    ipfwadm)    # caused by (left/right)firewall=yes; for default script only
        ;;
    *)      echo "$0: unknown parameter \`$1'" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
    doroute add
}
downroute() {
    doroute del
}
doroute() {
    parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
    parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
            # horrible kludge for obscure routing bug with opportunistic
            route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
            route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
            ;;
        *)  route $1 $parms $parms2 ;;
    esac
    st=$?
    if test $st -ne 0
    then
        # route has already given its own cryptic message
        echo "$0: \`route $1 $parms' failed" >&2
    fi
    return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
    prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to adding a route)
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
            "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                parms1="-net 0.0.0.0 netmask 128.0.0.0"
                parms2="-net 128.0.0.0 netmask 128.0.0.0"
                oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
                ;;
            *)
                parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
                oops="`route del $parms 2>&1`"
                ;;
        esac
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
            oops="silent error, exit status $status"
        fi
        case "$oops" in
            'SIOCDELRT: No such process'*)
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
            echo "$0: \`route del $parms' failed ($oops)" >&2
        fi
        exit $status
        ;;
    route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
    unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
    up-host:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
    down-host:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
    up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
    down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        ;;
    up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        # ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        #     -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ipchains -I forward -j ACCEPT -b \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        # Insert firewall rule to accept ESP (Protocol 50) and AH (Protocol 51)
        # packets from peer
        ipchains -I input -j ACCEPT -p 50 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
        ipchains -I input -j ACCEPT -p 51 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
        ;;
    down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        # ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        #     -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ipchains -D forward -j ACCEPT -b \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        # Delete firewall rule to accept ESP (Protocol 50) and AH (Protocol 51)
        # packets from peer
        ipchains -D input -j ACCEPT -p 50 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
        ipchains -D input -j ACCEPT -p 51 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
        ;;
    *)      echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;
esac
+ _________________________
+
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
    lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
  eth0: 908 6 0 0 0 0 0 0 1086 7 0 0 0 0 0 0
  eth1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________
+
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth1 0002A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0001A8C0 C955F7D4 0003 0 0 0 00FFFFFF 0 0 0
eth0 0055F7D4 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0055F7D4 00000000 0001 0 0 0 00FFFFFF 0 0 0
+ _________________________
+
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________
+
+ uname -a
Linux firewall 2.2.19-3-LEAF #2 Sat Dec 1 12:34:52 CST 2001 i386 unknown
+ _________________________
+
+ test -r /etc/redhat-release
+ _________________________
+
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.91
+ _________________________
+
+ ipchains -L -v -n
Chain input (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 ACCEPT 51 ------ 0xFF 0x00 * 212.247.85.201 212.247.85.202 n/a
0 0 ACCEPT 50 ------ 0xFF 0x00 * 212.247.85.201 212.247.85.202 n/a
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 5 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 13 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 14 -> *
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 224.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 172.16.0.0/12 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.168.2.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 212.247.85.202 0.0.0.0/0 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0 0.0.0.0/0 127.0.0.0/8 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0 0.0.0.0/0 192.168.2.0/24 n/a
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138:139
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:138 -> *
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:139 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 113
0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
0 0 REJECT udp ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 161:162
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 68
4 732 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 500
0 0 DENY udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 67
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
0 0 ACCEPT icmp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 ACCEPT ospf ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
0 0 ACCEPT 50 ------ 0xFF 0x00 eth0 0.0.0.0/0 212.247.85.202 n/a
0 0 ACCEPT 51 ------ 0xFF 0x00 eth0 0.0.0.0/0 212.247.85.202 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
0 0 REJECT udp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 161:162
0 0 REJECT udp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 161:162 -> *
0 0 ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 ACCEPT all ------ 0xFF 0x00 * 192.168.1.0/24 192.168.2.0/24 n/a
0 0 ACCEPT all ------ 0xFF 0x00 * 192.168.2.0/24 192.168.1.0/24 n/a
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 5 -> *
0 0 MASQ all ------ 0xFF 0x00 eth0 192.168.2.0/24 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
5 932 fairq all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 224.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 172.16.0.0/12 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth0 192.168.2.0/24 0.0.0.0/0 n/a
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138:139
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:138 -> *
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:139 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
5 932 ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain fairq (1 references):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 RETURN ospf ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 n/a
0 0 RETURN ospf ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 n/a
0 0 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 520
0 0 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 520 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 179
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 179 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 53
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 53 -> *
0 0 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 53
0 0 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 53 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 * -> 23
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 23 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 * -> 22
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 22 -> *
+ _________________________
+
+ ipfwadm -F -l -n -e
ipfwadm: not found
+ _________________________
+
+ ipfwadm -I -l -n -e
ipfwadm: not found
+ _________________________
+
+ ipfwadm -O -l -n -e
ipfwadm: not found
+ _________________________
+
+ ipchains -M -L -v -n
IP masquerading entries
+ _________________________
+
+ ipfwadm -M -l -n -e
ipfwadm: not found
+ _________________________
+
+ cat /proc/modules
ip_masq_vdolive 1180 0 (unused)
ip_masq_user 3708 0 (unused)
ip_masq_mfw 3196 0 (unused)
ip_masq_autofw 2476 0 (unused)
pcnet32 10520 2
pci-scan 2296 0
isofs 17680 0 (unused)
ide-probe-mod 6428 0
ide-cd 22684 0
ide-disk 6260 0
ide-mod 28964 0 [ide-probe-mod ide-cd ide-disk]
cdrom 26712 0 [ide-cd]
+ _________________________
+
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 10792960 10248192 544768 5849088 4157440 2166784
Swap: 0 0 0
MemTotal: 10540 kB
MemFree: 532 kB
MemShared: 5712 kB
Buffers: 4060 kB
Cached: 2116 kB
SwapTotal: 0 kB
SwapFree: 0 kB
+ _________________________
+
+ ls -l /dev/ipsec*
ls: /dev/ipsec*: No such file or directory
+ _________________________
+
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r-- 1 root root 0 Oct 22 12:12 /proc/net/ipsec_eroute
-r--r--r-- 1 root root 0 Oct 22 12:12 /proc/net/ipsec_klipsdebug
-r--r--r-- 1 root root 0 Oct 22 12:12 /proc/net/ipsec_spi
-r--r--r-- 1 root root 0 Oct 22 12:12 /proc/net/ipsec_spigrp
-r--r--r-- 1 root root 0 Oct 22 12:12 /proc/net/ipsec_tncfg
-r--r--r-- 1 root root 0 Oct 22 12:12 /proc/net/ipsec_version
+ _________________________
+
+ test -f /usr/src/linux/.config
+ _________________________
+
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# Log everything remotely. The other machine must run syslog with '-r'.
# WARNING: Doing this is unsecure and can open you up to a DoS attack.
#
#*.* @host.ip.address-or-name.here
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#cron.* /var/log/cron.log
#lpr.* -/var/log/lpr.log
#mail.* /var/log/mail.log
#user.* -/var/log/user.log
#uucp.* -/var/log/uucp.log
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#ppp
local2.* -/var/log/ppp.log
#portslave
local6.* -/var/log/pslave.log
+ _________________________
+
+ test -f /var/log/kern.debug
+ _________________________
+
+ cat
+ egrep -i ipsec|klips|pluto
+ egrep -n Starting FreeS.WAN /var/log/syslog
+ sed -n $s/:.*//p
+ sed -n 78,$p /var/log/syslog
Oct 22 12:12:07 firewall ipsec_setup: Starting FreeS/WAN IPsec 1.91...
Oct 22 12:12:07 firewall ipsec_setup: KLIPS debug `none'
Oct 22 12:12:07 firewall ipsec_setup: KLIPS ipsec0 on eth0 212.247.85.202/255.255.255.0 broadcast 212.247.85.255
Oct 22 12:12:07 firewall ipsec_setup: ...FreeS/WAN IPsec started
+ _________________________
+
+ egrep -i pluto
+ egrep -n Starting Pluto /var/log/auth.log
+ cat
+ sed -n $s/:.*//p
+ sed -n 1,$p /var/log/auth.log
Oct 22 12:12:07 firewall Pluto[823]: Starting Pluto (FreeS/WAN Version 1.91)
Oct 22 12:12:08 firewall Pluto[823]: added connection description "test"
Oct 22 12:12:08 firewall Pluto[823]: listening for IKE messages
Oct 22 12:12:08 firewall Pluto[823]: adding interface ipsec0/eth0 212.247.85.202
Oct 22 12:12:08 firewall Pluto[823]: loading secrets from "/etc/ipsec.secrets"
Oct 22 12:12:32 firewall Pluto[823]: "test" #1: initiating Main Mode
Oct 22 12:12:32 firewall Pluto[823]: "test" #1: STATE_MAIN_I4: ISAKMP SA established
Oct 22 12:12:32 firewall Pluto[823]: "test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
Oct 22 12:12:32 firewall Pluto[823]: "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
+ _________________________
+
+ date
Tue Oct 22 12:12:55 UTC 2002
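As an added example (my own code, not from the post, LEAF or FreeS/WAN), a small Python decoder for the /proc/net/route table in the barf above: it turns the kernel's little-endian hex fields into dotted addresses and checks two things the barf shows, that 192.168.1.0/24 is routed via 212.247.85.201 on ipsec0 (the route _updown adds) and that the box has no default route, which is what `ipsec showdefaults` reports. The table text is copied from the barf; the function names are my own.

```python
import socket
import struct
from ipaddress import IPv4Network, ip_address

# /proc/net/route exactly as printed in the barf above (copied from the page).
# The 2.2 kernel prints addresses as host-order hex, i.e. little-endian on i386.
PROC_NET_ROUTE = """\
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth1 0002A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0001A8C0 C955F7D4 0003 0 0 0 00FFFFFF 0 0 0
eth0 0055F7D4 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0055F7D4 00000000 0001 0 0 0 00FFFFFF 0 0 0
"""

RTF_UP = 0x0001       # route is usable (the "U" in netstat -nr)
RTF_GATEWAY = 0x0002  # reached via a gateway (the "G" in netstat -nr)


def hex_to_ip(field):
    """Decode one hex address field of /proc/net/route into dotted-quad form."""
    return socket.inet_ntoa(struct.pack("<I", int(field, 16)))


def parse_proc_route(text):
    """Parse the table into dicts with decoded addresses and flag bits."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8:
            continue
        flags = int(f[3], 16)
        routes.append({
            "iface": f[0],
            "dest": hex_to_ip(f[1]),
            "gateway": hex_to_ip(f[2]),
            "mask": hex_to_ip(f[7]),
            "up": bool(flags & RTF_UP),
            "via_gateway": bool(flags & RTF_GATEWAY),
        })
    return routes


def has_default_route(routes):
    """True if an up 0.0.0.0/0 entry exists; the barf's table has none."""
    return any(r["up"] and r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"
               for r in routes)


def tunnel_route(routes, peer_subnet, peer_gateway, iface="ipsec0"):
    """Return the entry that sends peer_subnet into the KLIPS device via the
    peer gateway (what _updown's 'route add ... dev ipsec0 gw ...' creates), or None."""
    want = IPv4Network(peer_subnet)
    for r in routes:
        if (r["iface"] == iface and r["up"] and r["via_gateway"]
                and r["gateway"] == peer_gateway
                and IPv4Network(f"{r['dest']}/{r['mask']}") == want):
            return r
    return None


def lookup(routes, dst):
    """Longest-prefix match over the parsed table; returns the egress
    interface, or None when no entry covers dst (no default route)."""
    addr = ip_address(dst)
    best = None
    for r in routes:
        net = IPv4Network(f"{r['dest']}/{r['mask']}")
        if r["up"] and addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r["iface"])
    return best[1] if best else None


if __name__ == "__main__":
    rt = parse_proc_route(PROC_NET_ROUTE)
    for r in rt:
        print(r)
    print("default route present:", has_default_route(rt))
    print("tunnel route:", tunnel_route(rt, "192.168.1.0/24", "212.247.85.201"))
    print("192.168.1.5 leaves via:", lookup(rt, "192.168.1.5"))
```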
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html