As you asked me, I put below the output of ipsec barf and the output of auth.log.
The ipsec barf command was launched after I tried to initiate the tunnel from my
road-warrior (using a RAS connection to an ISP).
The problem seems to come from these 3 lines from auth.log:

Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4: route-client output: RTNETLINK answers: Network is unreachable
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4: route-client output: /lib/ipsec/_updown: `ip route add 62.147.113.146/32 dev ipsec0 via 62.147.113.146' failed
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4: route-client command exited with status 2

Thanks in advance.

Stephane

IPSEC BARF output:

firewall
Sat Nov 16 13:40:35 UTC 2002
+ _________________________ version
+
+ ipsec --version
Linux FreeS/WAN 1.98b
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+
+ cat /proc/version
Linux version 2.4.18 (root@samsung) (gcc version 2.95.4 20011002 (Debian prerelease)) #6 Sun Oct 20 15:06:22 CEST 2002
+ _________________________ proc/net/ipsec_eroute
+
+ sort +3 /proc/net/ipsec_eroute
sort: +3: No such file or directory
+ cat /proc/net/ipsec_eroute
+ _________________________ ip/route
+
+ ip route
ip.pub.lik.1 dev ppp0  proto kernel  scope link  src ip.pub.lik.254 
ip.pub.lik.1 dev ipsec0  proto kernel  scope link  src ip.pub.lik.254 
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.230 
default via ip.pub.lik.1 dev ppp0 
+ _________________________ proc/net/ipsec_spi
+
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260(1492) -> 1492
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+
+ cat /proc/net/pf_key
    sock   pid   socket     next     prev e n p sndbf    Flags     Type St
c159c400 24215 c118c1b0        0        0 0 0 2 65535 00000000        3  1
+ _________________________ proc/net/pf_key-star
+
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid       sk
pf_key_registered:     2 c118c1b0 24215 c159c400
pf_key_registered:     3 c118c1b0 24215 c159c400
pf_key_registered:     9 c118c1b0 24215 c159c400
pf_key_registered:    10 c118c1b0 24215 c159c400
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported:     2      14      3     0     160     160
pf_key_supported:     2      14      2     0     128     128
pf_key_supported:     3      15      3   128     168     168
pf_key_supported:     3      14      3     0     160     160
pf_key_supported:     3      14      2     0     128     128
pf_key_supported:     9      15      4     0     128     128
pf_key_supported:     9      15      3     0      32     128
pf_key_supported:     9      15      2     0     128      32
pf_key_supported:     9      15      1     0      32      32
pf_key_supported:    10      15      2     0       1       1
+ _________________________ proc/sys/net/ipsec-star
+
+ cd /proc/sys/net/ipsec
+ egrep ^ icmp inbound_policy_check tos
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+
+ ipsec auto --status
000 interface ipsec0/ppp0 ip.pub.lik.254
000  
000 "w2k-road-warriors"[2]: 192.168.0.0/24===ip.pub.lik.254...62.147.113.146
000 "w2k-road-warriors"[2]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "w2k-road-warriors"[2]:   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ppp0; unrouted
000 "w2k-road-warriors"[2]:   newest ISAKMP SA: #3; newest IPsec SA: #0; eroute owner: #0
000 "w2k-road-warriors"[1]: 192.168.0.0/24===ip.pub.lik.254...62.147.151.223
000 "w2k-road-warriors"[1]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "w2k-road-warriors"[1]:   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ppp0; unrouted
000 "w2k-road-warriors"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
000 "w2k-road-warriors": 192.168.0.0/24===ip.pub.lik.254...%any
000 "w2k-road-warriors":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "w2k-road-warriors":   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ppp0; unrouted
000 "w2k-road-warriors":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "sample": 172.16.0.0/24===10.0.0.1---10.22.33.44...10.101.102.103---10.12.12.1===192.168.0.0/24
000 "sample":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sample":   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ; unrouted
000 "sample":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000  
000 #3: "w2k-road-warriors"[2] 62.147.113.146 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3255s; newest ISAKMP
000 #1: "w2k-road-warriors"[1] 62.147.151.223 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3211s; newest ISAKMP
000  
+ _________________________ ip/address
+
+ ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f4:37:9f:cd brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:fc:6c:56:ae brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.230/24 brd 192.168.0.255 scope global eth1
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp 
    inet ip.pub.lik.254 peer ip.pub.lik.1/32 scope global ppp0
6: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ppp 
    inet ip.pub.lik.254 peer ip.pub.lik.1/32 scope global ipsec0
7: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
8: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
9: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
+ _________________________ ipsec/directory
+
+ ipsec --directory
/lib/ipsec
+ _________________________ hostname/fqdn
+
+ hostname -f
firewall
+ _________________________ hostname/ipaddress
+
+ hostname -i
192.168.1.230 
+ _________________________ uptime
+
+ uptime
  1:40pm  up 5 min, load average: 0.00, 0.10, 0.06
+ _________________________ ps
+
+ ps alxwf
+ egrep -i ppid|pluto|ipsec|klips
25347 root       1040 S    /bin/sh /lib/ipsec/_plutorun --debug none --uniqueid
28421 root       1548 S    logger -p daemon.error -t ipsec__plutorun 
14970 root       1040 S    /bin/sh /lib/ipsec/_plutorun --debug none --uniqueid
 6524 root       1156 S    /bin/sh /lib/ipsec/_plutoload --load %search --start
 1648 root       1040 S    /bin/sh /lib/ipsec/_plutorun --debug none --uniqueid
24215 root       1856 S    /lib/ipsec/pluto --nofork --debug-none --uniqueids 
15102 root       1372 S    _pluto_adns 7 10 
 7351 root       1036 S    /bin/sh /sbin/ipsec barf 
13813 root       1452 S    /bin/sh /lib/ipsec/barf 
30820 root       1576 S    egrep -i ppid|pluto|ipsec|klips 
+ _________________________ ipsec/showdefaults
+
+ ipsec showdefaults
routephys=ppp0
routephys=ppp0
routevirt=ipsec0
routevirt=ipsec0
routeaddr=ip.pub.lik.254
routeaddr=ip.pub.lik.254
routenexthop=ip.pub.lik.1
routenexthop=ip.pub.lik.1
defaultroutephys=ppp0
defaultroutevirt=ipsec0
defaultrouteaddr=ip.pub.lik.254
defaultroutenexthop=ip.pub.lik.1
+ _________________________ ipsec/conf
+
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.



# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes



# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        # authby=rsasig
        # leftrsasigkey=%dns
        # rightrsasigkey=%dns
        authby=secret
        left=ip.pub.lik.254
        leftsubnet=192.168.0.0/24
        leftfirewall=yes
        pfs=yes
        auto=add

conn w2k-road-warriors
        right=%any



# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
#conn me-to-anyone
#        left=%defaultroute
#        right=%opportunistic
        # uncomment to enable incoming; change to auto=route for outgoing
        #auto=add



# sample VPN connection
conn sample
        # Left security gateway, subnet behind it, next hop toward right.
        left=10.0.0.1
        leftsubnet=172.16.0.0/24
        leftnexthop=10.22.33.44
        # Right security gateway, subnet behind it, next hop toward left.
        right=10.12.12.1
        rightsubnet=192.168.0.0/24
        rightnexthop=10.101.102.103
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        #auto=add
+ _________________________ ipsec/secrets
+
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec.secrets 1
md5sum: not found
%any ip.pub.lik.254 : PSK "[sums to %any...]"
+ _________________________ ipsec/ls-dir
+
+ ls -l /lib/ipsec
-rwxr-xr-x    1 root     root        11167 Jul  9 07:06 _confread
-rwxr-xr-x    1 root     root         4136 Jul  9 07:06 _copyright
-rwxr-xr-x    1 root     root         2163 Jul  9 07:06 _include
-rwxr-xr-x    1 root     root         1472 Jul  9 07:06 _keycensor
-rwxr-xr-x    1 root     root         9360 Jul  9 07:06 _pluto_adns
-rwxr-xr-x    1 root     root         3495 Jul  9 07:06 _plutoload
-rwxr-xr-x    1 root     root         4553 Jul  9 07:06 _plutorun
-rwxr-xr-x    1 root     root         7624 Jul  9 07:09 _realsetup
-rwxr-xr-x    1 root     root         1971 Jul  9 07:06 _secretcensor
-rwxr-xr-x    1 root     root         7687 Sep  2 17:35 _startklips
-rwxr-xr-x    1 root     root         7575 Jul  9 07:09 _updown
-rwxr-xr-x    1 root     root         7838 Jul  9 07:06 _updown.dhcp
-rwxr-xr-x    1 root     root        13327 Jul  9 07:06 auto
-rwxr-xr-x    1 root     root         7172 Jul  9 07:09 barf
-rwxr-xr-x    1 root     root        59360 Jul  9 07:06 eroute
-rwxr-xr-x    1 root     root        18024 Jul  9 07:06 ikeping
-rwxr-xr-x    1 root     root         2906 Jul  9 07:06 ipsec
-rw-r--r--    1 root     root         1950 Jul  9 07:06 ipsec_pr.template
-rwxr-xr-x    1 root     root        41312 Jul  9 07:06 klipsdebug
-rwxr-xr-x    1 root     root         2659 Oct 13 08:02 look
-rwxr-xr-x    1 root     root        16450 Oct 13 08:02 manual
-rwxr-xr-x    1 root     root         1847 Jul  9 07:06 newhostkey
-rwxr-xr-x    1 root     root        34556 Jul  9 07:06 pf_key
-rwxr-xr-x    1 root     root       351956 Jul  9 07:06 pluto
-rwxr-xr-x    1 root     root         6484 Jul  9 07:06 ranbits
-rwxr-xr-x    1 root     root        64220 Jul  9 07:06 rsasigkey
-rwxr-xr-x    1 root     root        16641 Jul  9 07:06 send-pr
lrwxrwxrwx    1 root     root           17 Nov 16 13:35 setup -> /etc/init.d/ipsec
-rwxr-xr-x    1 root     root         1041 Jul  9 07:06 showdefaults
-rwxr-xr-x    1 root     root         4205 Jul  9 07:06 showhostkey
-rwxr-xr-x    1 root     root        68812 Jul  9 07:06 spi
-rwxr-xr-x    1 root     root        51212 Jul  9 07:06 spigrp
-rwxr-xr-x    1 root     root         9544 Jul  9 07:06 tncfg
-rwxr-xr-x    1 root     root        34380 Jul  9 07:06 whack
+ _________________________ ipsec/updowns
+
+ ls /lib/ipsec
+ egrep updown
+ cat /lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001  D. Hugh Redelmeier, Henry Spencer
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $



# CAUTION:  Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.



# check interface version
case "$PLUTO_VERSION" in
1.[0])
# Older Pluto?!?  Play it safe, script may be using new features.
        echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
        echo "$0:       called by obsolete Pluto?" >&2
        exit 2
        ;;
1.*)
;;
*)
echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$1:$*" in
':')
                # no parameters
        ;;
ipfwadm:ipfwadm)
# due to (left/right)firewall; for default script only
        ;;
custom:*)
        # custom parameters (see above CAUTION comment)
        ;;
*)
echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
        doroute add
}
downroute() {
        doroute del
}
# <CTC> convert to iproute2 - add mask2bits function
#-------------------------------------------------------------------------
# mask2bits function, returns the number of bits in the netmask parameter.
# borrowed from http://www.stearns.org/samlib/samlib-0.1/samlib
#-------------------------------------------------------------------------
#No external apps needed.
mask2bits () {
        case $1 in
        255.255.255.255)        echo 32 ;;
        255.255.255.254)        echo 31 ;;
        255.255.255.252)        echo 30 ;;
        255.255.255.248)        echo 29 ;;
        255.255.255.240)        echo 28 ;;
        255.255.255.224)        echo 27 ;;
        255.255.255.192)        echo 26 ;;
        255.255.255.128)        echo 25 ;;
        255.255.255.0)          echo 24 ;;
        255.255.254.0)          echo 23 ;;
        255.255.252.0)          echo 22 ;;
        255.255.248.0)          echo 21 ;;
        255.255.240.0)          echo 20 ;;
        255.255.224.0)          echo 19 ;;
        255.255.192.0)          echo 18 ;;
        255.255.128.0)          echo 17 ;;
        255.255.0.0)            echo 16 ;;
        255.254.0.0)            echo 15 ;;
        255.252.0.0)            echo 14 ;;
        255.248.0.0)            echo 13 ;;
        255.240.0.0)            echo 12 ;;
        255.224.0.0)            echo 11 ;;
        255.192.0.0)            echo 10 ;;
        255.128.0.0)            echo 9  ;;
        255.0.0.0)              echo 8  ;;
        254.0.0.0)              echo 7  ;;
        252.0.0.0)              echo 6  ;;
        248.0.0.0)              echo 5  ;;
        240.0.0.0)              echo 4  ;;
        224.0.0.0)              echo 3  ;;
        192.0.0.0)              echo 2  ;;
        128.0.0.0)              echo 1  ;;
        0.0.0.0)                echo 0  ;;
        *)                      echo 32 ;;
        esac
} #End of mask2bits
doroute() {
#        parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
#        parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
        PLUTO_PEER_CLIENT_BITS=`mask2bits $PLUTO_PEER_CLIENT_MASK`
        parms="$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_BITS"
        parms2="dev $PLUTO_INTERFACE via $PLUTO_NEXT_HOP"
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
#                it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
#                route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
                it="ip route $1 0.0.0.0/1 $parms2 &&"
                it="$it ip route $1 128.0.0.0/1 $parms2"
                ;;
#        *)      it="route $1 $parms $parms2"
        *)      it="ip route $1 $parms $parms2"
                ;;
        esac
        eval $it
        st=$?
        if test $st -ne 0
        then
                # route has already given its own cryptic message
                echo "$0: \`$it' failed" >&2
                if test " $1 $st" = " add 7"
                then
                        # another totally undocumented interface -- 7 and
                        # "SIOCADDRT: Network is unreachable" means that
                        # the gateway isn't reachable.
                        echo "$0: (incorrect or missing nexthop setting??)" >&2
                fi
        fi
        return $st
}



# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to adding a route)
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
#                it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
#                route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
                it="ip route del 0.0.0.0/1 2>&1 ; ip route del 128.0.0.0/1 2>&1"
                ;;
        *)
#                it="route del -net $PLUTO_PEER_CLIENT_NET \
#                                netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
                PLUTO_PEER_CLIENT_BITS=`mask2bits $PLUTO_PEER_CLIENT_MASK`
                parms="$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_BITS"
                it="ip route del $parms 2>&1"
                ;;
        esac
        oops="`eval $it`"
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error, exit status $status"
        fi
        case "$oops" in
# <CTC> iproute2 gives a _different_ incomprehensible answer
#        'SIOCDELRT: No such process'*)
        'RTNETLINK answers: No such process'*)
# </CTC>
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
        exit $status
        ;;
route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
up-host:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-host:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
# <CTC> replace with iptables commands
#        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
#                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
        iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
# </CTC>
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
# <CTC> replace with iptables commands
#        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
#                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        iptables -D FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
        iptables -D FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
# </CTC>
        ;;
*)
echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;
esac
+ cat /lib/ipsec/_updown.dhcp
#! /bin/sh
# 
# customized updown script
#


# check interface version
case "$PLUTO_VERSION" in
1.[0])
# Older Pluto?!?  Play it safe, script may be using new features.
        echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
        echo "$0:       called by obsolete Pluto?" >&2
        exit 2
        ;;
1.*)
;;
*)
echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
        exit 2
        ;;
esac

# check parameter(s)
case "$1:$*" in
':')
                # no parameters
        ;;
ipfwadm:ipfwadm)
# due to (left/right)firewall; for default script only
        ;;
custom:*)
        # custom parameters (see above CAUTION comment)
        ;;
*)
echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
        doroute add
}
downroute() {
        doroute del
}
doroute() {
        parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
        parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
                it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
                route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
                        route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
                ;;
        *)      it="route $1 $parms $parms2"
                route $1 $parms $parms2
                ;;
        esac
        st=$?
        if test $st -ne 0
        then
                # route has already given its own cryptic message
                echo "$0: \`$it' failed" >&2
                if test " $1 $st" = " add 7"
                then
                        # another totally undocumented interface -- 7 and
                        # "SIOCADDRT: Network is unreachable" means that
                        # the gateway isn't reachable.
                        echo "$0: (incorrect or missing nexthop setting??)" >&2
                fi
        fi
        return $st
}



# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to adding a route)
        case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
        "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                parms1="-net 0.0.0.0 netmask 128.0.0.0"
                parms2="-net 128.0.0.0 netmask 128.0.0.0"
                it="route del $parms1 2>&1 ; route del $parms2 2>&1"
                oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
                ;;
        *)
                parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
                it="route del $parms 2>&1"
                oops="`route del $parms 2>&1`"
                ;;
        esac
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error, exit status $status"
        fi
        case "$oops" in
        'SIOCDELRT: No such process'*)
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
        exit $status
        ;;
route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
up-host:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-host:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
        then
          iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
          iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
          iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
          iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
        else
          iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
          iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
          iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
          iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
        fi
        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        if [ "$PLUTO_MY_PROTOCOL" == "6" ] || [ "$PLUTO_MY_PROTOCOL" == "17" ]
        then
          iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
          iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
          iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
          iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
        else
          iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
          iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
          iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
          iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
        fi
        ;;
up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*)
echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;
esac
+ _________________________ proc/net/dev
+
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
dummy0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0:  389852    2474    0    0    0     0          0         0   297221    3277    0    0    0     1       0          0
  eth1:  294840    3377    0    0    0     0          0         0   367644    2337    0    0    0     0       0          0
  ppp0:  334547    2451    0    0    0     0          0         0   224053    3252    0    0    0     0       0          0
ipsec0:     209      27    0   24    0     0          0         0        0       0    0    0    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ proc/net/route
+
+ cat /proc/net/route
Iface   Destination  Gateway   Flags  RefCnt  Use  Metric  Mask      MTU  Window  IRTT
ppp0    01809AC3     00000000  0005   0       0    0       FFFFFFFF  40   0       0
ipsec0  01809AC3     00000000  0005   0       0    0       FFFFFFFF  40   0       0
eth1    0000A8C0     00000000  0001   0       0    0       00FFFFFF  40   0       0
ppp0    00000000     01809AC3  0003   0       0    0       00000000  40   0       0
+ _________________________ proc/sys/net/ipv4/ip_forward
+
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+
+ cd /proc/sys/net/ipv4/conf
+ egrep ^ all/rp_filter default/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter ppp0/rp_filter
all/rp_filter:0
default/rp_filter:0
eth1/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
ppp0/rp_filter:0
+ _________________________ uname-a
+
+ uname -a
Linux firewall 2.4.18 #6 Sun Oct 20 15:06:22 CEST 2002 i586 unknown
+ _________________________ redhat-release
+
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.98b
+ _________________________ iptables/list
+
+ iptables -L -v -n
Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
        
    0     0 ACCEPT     ah   --  lo     *       0.0.0.0/0            0.0.0.0/0  
       
  116  9026 ppp0_in    ah   --  ppp0   *       0.0.0.0/0            0.0.0.0/0  
       
   54  9536 eth1_in    ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0  
       
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:' 
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
        
    0     0 ACCEPT     ah   --  *      *       62.147.113.146      
192.168.0.0/24     
    0     0 ACCEPT     ah   --  *      *       192.168.0.0/24      
62.147.113.146     
    0     0 ACCEPT     ah   --  *      *       62.147.113.146      
192.168.0.0/24     
    0     0 ACCEPT     ah   --  *      *       192.168.0.0/24      
62.147.113.146     
    0     0 ACCEPT     ah   --  *      *       62.147.151.223      
192.168.0.0/24     
    0     0 ACCEPT     ah   --  *      *       192.168.0.0/24      
62.147.151.223     
    0     0 ACCEPT     ah   --  *      *       62.147.151.223      
192.168.0.0/24     
    0     0 ACCEPT     ah   --  *      *       192.168.0.0/24      
62.147.151.223     
 1435 68084 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
 2327  325K ppp0_fwd   ah   --  ppp0   *       0.0.0.0/0            0.0.0.0/0  
       
 3236  221K eth1_fwd   ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0  
       
    3   209 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       
    1    89 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:' 
    1    89 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
        
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0  
       state INVALID 
    0     0 ACCEPT     ah   --  *      lo      0.0.0.0/0            0.0.0.0/0  
       
    4  1845 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW,RELATED,ESTABLISHED 
   12  2800 fw2net     ah   --  *      ppp0    0.0.0.0/0            0.0.0.0/0  
       
    0     0 all2all    ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0  
       
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:' 
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain all2all (4 references)
 pkts bytes target     prot opt in     out     source               destination
        
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW tcp flags:!0x16/0x02 
   54  9536 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:' 
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
        
    2   120 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0  
       
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state INVALID 
   23  4466 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       udp dpts:137:139 reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       udp dpt:445 reject-with icmp-port-unreachable 
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp dpt:135 
   12  1926 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       udp dpt:1900 
   19  3144 DROP       ah   --  *      *       0.0.0.0/0           
255.255.255.255    
    0     0 DROP       ah   --  *      *       0.0.0.0/0            224.0.0.0/4
       
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp dpt:113 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       udp spt:53 state NEW 
    0     0 DROP       ah   --  *      *       0.0.0.0/0           
192.168.0.255      

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination
        

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
        
 3236  221K dynamic    ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       
 3236  221K loc2net    ah   --  *      ppp0    0.0.0.0/0            0.0.0.0/0  
       

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
        
   54  9536 dynamic    ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0  
       icmp type 8 
   54  9536 loc2fw     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain fw2gw (0 references)
 pkts bytes target     prot opt in     out     source               destination
        
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       udp spt:500 dpt:500 state NEW 
    0     0 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
        
   12  2800 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       
    0     0 ACCEPT     51   --  *      *       0.0.0.0/0            0.0.0.0/0  
       
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       udp spt:500 dpt:500 state NEW 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW tcp dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW udp dpt:53 
    0     0 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination
        
    2   120 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0  
       icmp type 8 

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
        
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW tcp dpt:22 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW udp dpt:53 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW tcp dpt:80 
   54  9536 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
        
 2114  167K ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/28       0.0.0.0/0  
       state NEW udp dpt:53 
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/28       0.0.0.0/0  
       state NEW tcp dpt:53 
    0     0 ACCEPT     ah   --  *      *       192.168.0.0/28      
193.252.242.0/24   state NEW 
    0     0 ACCEPT     tcp  --  *      *       192.168.0.12         0.0.0.0/0  
       state NEW tcp dpt:25 
    0     0 ACCEPT     tcp  --  *      *       192.168.0.12         0.0.0.0/0  
       state NEW tcp dpt:110 
    0     0 reject     ah   --  *      *       192.168.0.0/28       0.0.0.0/0  
       state NEW 
 1122 53648 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
        
 2327  325K ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW tcp flags:!0x16/0x02 
   72  3278 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       
   72  3278 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:' 
   72  3278 DROP       ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
        
   10  1608 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       state RELATED,ESTABLISHED 
    5   220 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       state NEW tcp flags:!0x16/0x02 
   27  3432 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       
    0     0 ACCEPT     51   --  *      *       0.0.0.0/0            0.0.0.0/0  
       
    2   488 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       udp spt:500 dpt:500 state NEW 
   72  3278 net2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain newnotsyn (7 references)
 pkts bytes target     prot opt in     out     source               destination
        
    5   220 DROP       ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
        
 2327  325K dynamic    ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       
 2327  325K net2all    ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0  
       

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
        
  116  9026 dynamic    ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0  
       icmp type 8 
  116  9026 net2fw     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain reject (7 references)
 pkts bytes target     prot opt in     out     source               destination
        
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       reject-with tcp-reset 
    1    89 REJECT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       reject-with icmp-port-unreachable 

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination
        
+ _________________________ ipchains/list
+
+ ipchains -L -v -n
ipchains: not found
+ _________________________ ipfwadm/forward
+
+ ipfwadm -F -l -n -e
ipfwadm: not found
+ _________________________ ipfwadm/input
+
+ ipfwadm -I -l -n -e
ipfwadm: not found
+ _________________________ ipfwadm/output
+
+ ipfwadm -O -l -n -e
ipfwadm: not found
+ _________________________ iptables/nat
+
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 953 packets, 52965 bytes)
 pkts bytes target     prot opt in     out     source               destination
        

Chain POSTROUTING (policy ACCEPT 2 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination
        
  814 38938 ppp0_masq  ah   --  *      ppp0    0.0.0.0/0            0.0.0.0/0  
       

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
        

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
        
  814 38938 MASQUERADE  ah   --  *      *       192.168.0.0/24       0.0.0.0/0 
        
+ _________________________ ipchains/masq
+
+ ipchains -M -L -v -n
ipchains: not found
+ _________________________ ipfwadm/masq
+
+ ipfwadm -M -l -n -e
ipfwadm: not found
+ _________________________ iptables/mangle
+
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 5741 packets, 570K bytes)
 pkts bytes target     prot opt in     out     source               destination
        
 5740  570K pretos     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain INPUT (policy ACCEPT 171 packets, 18602 bytes)
 pkts bytes target     prot opt in     out     source               destination
        

Chain FORWARD (policy ACCEPT 5567 packets, 547K bytes)
 pkts bytes target     prot opt in     out     source               destination
        

Chain OUTPUT (policy ACCEPT 16 packets, 4645 bytes)
 pkts bytes target     prot opt in     out     source               destination
        
   16  4645 outtos     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  
       

Chain POSTROUTING (policy ACCEPT 5582 packets, 551K bytes)
 pkts bytes target     prot opt in     out     source               destination
        

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
        
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp dpt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp spt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp dpt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp spt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp spt:20 TOS set 0x08 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp dpt:20 TOS set 0x08 

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
        
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp dpt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp spt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp dpt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp spt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp spt:20 TOS set 0x08 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
       tcp dpt:20 TOS set 0x08 
+ _________________________ proc/modules
+
+ cat /proc/modules
ipsec                 133648   2
ip_nat_irc              2400   0 (unused)
ip_nat_ftp              3008   0 (unused)
ip_conntrack_irc        3104   1
ip_conntrack_ftp        3840   1
pppoe                   6656   1
pppox                    916   1 [pppoe]
ppp_synctty             4408   0 (unused)
ppp_generic            14932   3 [pppoe pppox ppp_synctty]
n_hdlc                  5792   0 (unused)
slhc                    4288   0 [ppp_generic]
rtl8139                11836   2
pci-scan                3820   1 [rtl8139]
ide-probe-mod           7520   0
ide-disk                6560   0
ide-mod                50948   0 [ide-probe-mod ide-disk]
+ _________________________ proc/meminfo
+
+ cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  31248384 12533760 18714624        0    81920  7434240
Swap:        0        0        0
MemTotal:        30516 kB
MemFree:         18276 kB
MemShared:           0 kB
Buffers:            80 kB
Cached:           7260 kB
SwapCached:          0 kB
Active:             20 kB
Inactive:         8872 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        30516 kB
LowFree:         18276 kB
SwapTotal:           0 kB
SwapFree:            0 kB
+ _________________________ dev/ipsec-ls
+
+ ls -l /dev/ipsec*
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r--    1 root     wheel           0 Nov 16 13:40 /proc/net/ipsec_eroute
-r--r--r--    1 root     wheel           0 Nov 16 13:40 /proc/net/ipsec_spi
-r--r--r--    1 root     wheel           0 Nov 16 13:40 /proc/net/ipsec_spigrp
-r--r--r--    1 root     wheel           0 Nov 16 13:40 /proc/net/ipsec_tncfg
-r--r--r--    1 root     wheel           0 Nov 16 13:40 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+
+ test -f /usr/src/linux/.config
+ _________________________ etc/syslog.conf
+
+ cat /etc/syslog.conf
#  /etc/syslog.conf     Configuration file for syslogd.
#
#                       For more information see syslog.conf(5)
#                       manpage.

#
# Log everything remotely. The other machine must run syslog with '-r'.
# WARNING: Doing this is unsecure and can open you up to a DoS attack.
#

#*.*                            @host.ip.address-or-name.here


#
# First some standard logfiles.  Log by facility.
#

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#cron.*                         /var/log/cron.log

#lpr.*                          -/var/log/lpr.log
#mail.*                         /var/log/mail.log
#user.*                         -/var/log/user.log
#uucp.*                         -/var/log/uucp.log

#
# Some `catch-all' logfiles.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg                         *


#ppp
local2.*                        -/var/log/ppp.log

#portslave
local6.*                        -/var/log/pslave.log
+ _________________________ etc/resolv.conf
+
+ cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 192.168.1.254
nameserver 194.149.160.1 

+ _________________________ lib/modules-ls
+
+ ls -ltr /lib/modules
-rw-r--r--    1 root     root         6744 Oct 20 16:12 slhc.o
-rw-r--r--    1 root     root         3636 Oct 20 16:12 pppox.o
-rw-r--r--    1 root     root        11732 Oct 20 16:12 pppoe.o
-rw-r--r--    1 root     root         7908 Oct 20 16:12 ppp_synctty.o
-rw-r--r--    1 root     root        22352 Oct 20 16:12 ppp_mppe.o
-rw-r--r--    1 root     root        23712 Oct 20 16:12 ppp_generic.o
-rw-r--r--    1 root     root        39424 Oct 20 16:12 ppp_deflate.o
-rw-r--r--    1 root     root         9948 Oct 20 16:12 ppp_async.o
-rw-r--r--    1 root     root         8516 Oct 20 16:12 ne2k-pci.o
-rw-r--r--    1 root     root         8144 Oct 20 16:12 ne.o
-rw-r--r--    1 root     root         9816 Oct 20 16:12 n_hdlc.o
-rw-r--r--    1 root     root         4200 Oct 20 16:12 ip_nat_irc.o
-rw-r--r--    1 root     root         4748 Oct 20 16:12 ip_nat_ftp.o
-rw-r--r--    1 root     root         5716 Oct 20 16:12 ip_conntrack_irc.o
-rw-r--r--    1 root     root         5936 Oct 20 16:12 ip_conntrack_ftp.o
-rw-r--r--    1 root     root        26328 Oct 20 16:12 eepro100.o
-rw-r--r--    1 root     root         8872 Oct 20 16:12 8390.o
-rw-r--r--    1 root     root        36120 Oct 20 16:12 3c59x.o
-rwxr-xr-x    1 root     root       165214 Nov 13 15:08 ipsec.o
-rwxr-xr-x    1 root     root        17544 Nov 13 18:53 rtl8139.o
-rwxr-xr-x    1 root     root         7816 Nov 13 19:07 pci-scan.o
lrwxrwxrwx    1 root     root           12 Nov 16 13:35 2.4.18 -> /lib/modules
+ _________________________ proc/ksyms-netif_rx
+
+ egrep netif_rx /proc/ksyms
c018d710 netif_rx
+ _________________________ lib/modules-netif_rx
+
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.18: 
+ _________________________ kern.debug
+
+ test -f /var/log/kern.debug
+ _________________________ klog
+
+ sed -n 88,$p /var/log/syslog
+ egrep -i ipsec|klips|pluto
+ cat
Nov 16 13:35:34 firewall ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
Nov 16 13:35:35 firewall ipsec_setup: Using /lib/modules/ipsec.o
Nov 16 13:35:35 firewall ipsec_setup: KLIPS ipsec0 on ppp0 ip.pub.lik.254 peer
ip.pub.lik.1/32 
Nov 16 13:35:35 firewall ipsec_setup: ...FreeS/WAN IPsec started
Nov 16 13:38:37 firewall kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth1
SRC=62.147.151.223 DST=192.168.0.201 LEN=89 TOS=0x00 PREC=0x00 TTL=127 ID=60576
PROTO=UDP SPT=3309 DPT=161 LEN=69  
+ _________________________ plog
+
+ sed -n 2,$p /var/log/auth.log
+ egrep -i pluto
+ cat
Nov 16 13:35:35 firewall ipsec__plutorun: Starting Pluto subsystem...
Nov 16 13:35:35 firewall pluto[24215]: Starting Pluto (FreeS/WAN Version 1.98b)
Nov 16 13:35:35 firewall pluto[24215]:   including X.509 patch (Version 0.9.13)
Nov 16 13:35:35 firewall pluto[24215]: Could not change to directory
'/etc/ipsec.d/cacerts'
Nov 16 13:35:35 firewall pluto[24215]: Could not change to directory
'/etc/ipsec.d/crls'
Nov 16 13:35:35 firewall pluto[24215]:   loaded my default X.509 cert file
'/etc/x509cert.der' (7 bytes)
Nov 16 13:35:35 firewall pluto[24215]:   file coded in unknown format, discarded
Nov 16 13:35:35 firewall pluto[24215]: OpenPGP certificate file
'/etc/pgpcert.pgp' not found
Nov 16 13:35:36 firewall pluto[24215]: added connection description "sample"
Nov 16 13:35:37 firewall pluto[24215]: added connection description
"w2k-road-warriors"
Nov 16 13:35:37 firewall pluto[24215]: listening for IKE messages
Nov 16 13:35:37 firewall pluto[24215]: adding interface ipsec0/ppp0 ip.pub.lik.254
Nov 16 13:35:37 firewall pluto[24215]: loading secrets from "/etc/ipsec.secrets"
Nov 16 13:38:36 firewall pluto[24215]: packet from 62.147.151.223:500: ignoring
Vendor ID payload
Nov 16 13:38:36 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #1:
responding to Main Mode from unknown peer 62.147.151.223
Nov 16 13:38:36 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #1:
Peer ID is ID_IPV4_ADDR: '62.147.151.223'
Nov 16 13:38:36 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #1:
sent MR3, ISAKMP SA established
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
responding to Quick Mode
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
route-client output: RTNETLINK answers: Network is unreachable
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
route-client output: /lib/ipsec/_updown: `ip route add 62.147.151.223/32 dev
ipsec0 via 62.147.151.223' failed
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
route-client command exited with status 2
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: 
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: 
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client command exited with status 2
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
route-client output: RTNETLINK answers: Network is unreachable
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
route-client output: /lib/ipsec/_updown: `ip route add 62.147.151.223/32 dev
ipsec0 via 62.147.151.223' failed
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
route-client command exited with status 2
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: 
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: 
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client command exited with status 2
Nov 16 13:38:48 firewall pluto[24215]: ERROR: "w2k-road-warriors"[1]
62.147.151.223 #2: pfkey write() of SADB_DELETE message 21 for Delete SA
[EMAIL PROTECTED] failed. Errno 3: No such process
Nov 16 13:38:48 firewall pluto[24215]: |   02 04 00 03  0a 00 00 00  15 00 00 00
 97 5e 00 00
Nov 16 13:38:48 firewall pluto[24215]: |   02 00 01 00  62 e0 2d a8  00 01 00 00
 00 00 00 00
Nov 16 13:38:48 firewall pluto[24215]: |   03 00 05 00  00 00 00 00  02 00 01 f4
 3e 93 97 df
Nov 16 13:38:48 firewall pluto[24215]: |   00 00 00 00  00 00 00 00  03 00 06 00
 00 00 00 00
Nov 16 13:38:48 firewall pluto[24215]: |   02 00 00 00  c3 9a 80 fe  00 00 00 00
 00 00 00 00
Nov 16 13:39:19 firewall pluto[24215]: packet from 62.147.113.146:500: ignoring
Vendor ID payload
Nov 16 13:39:19 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #3:
responding to Main Mode from unknown peer 62.147.113.146
Nov 16 13:39:20 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #3:
Peer ID is ID_IPV4_ADDR: '62.147.113.146'
Nov 16 13:39:20 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #3:
sent MR3, ISAKMP SA established
Nov 16 13:39:20 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
responding to Quick Mode
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
route-client output: RTNETLINK answers: Network is unreachable
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
route-client output: /lib/ipsec/_updown: `ip route add 62.147.113.146/32 dev
ipsec0 via 62.147.113.146' failed
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
route-client command exited with status 2
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: 
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: 
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client command exited with status 2
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
route-client output: RTNETLINK answers: Network is unreachable
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
route-client output: /lib/ipsec/_updown: `ip route add 62.147.113.146/32 dev
ipsec0 via 62.147.113.146' failed
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
route-client command exited with status 2
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: 
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: 
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client command exited with status 2
Nov 16 13:39:30 firewall pluto[24215]: ERROR: "w2k-road-warriors"[2]
62.147.113.146 #4: pfkey write() of SADB_DELETE message 38 for Delete SA
[EMAIL PROTECTED] failed. Errno 3: No such process
Nov 16 13:39:30 firewall pluto[24215]: |   02 04 00 03  0a 00 00 00  26 00 00 00
 97 5e 00 00
Nov 16 13:39:30 firewall pluto[24215]: |   02 00 01 00  62 e0 2d a9  00 01 00 00
 00 00 00 00
Nov 16 13:39:30 firewall pluto[24215]: |   03 00 05 00  00 00 00 00  02 00 01 f4
 3e 93 71 92
Nov 16 13:39:30 firewall pluto[24215]: |   00 00 00 00  00 00 00 00  03 00 06 00
 00 00 00 00
Nov 16 13:39:30 firewall pluto[24215]: |   02 00 00 00  c3 9a 80 fe  00 00 00 00
 00 00 00 00
Nov 16 13:39:47 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
max number of retransmissions (2) reached STATE_QUICK_R1
Nov 16 13:39:47 firewall pluto[24215]: ERROR: "w2k-road-warriors"[1]
62.147.151.223 #2: pfkey write() of SADB_DELETE message 39 for Delete SA
[EMAIL PROTECTED] failed. Errno 3: No such process
Nov 16 13:39:47 firewall pluto[24215]: |   02 04 00 03  0a 00 00 00  27 00 00 00
 97 5e 00 00
Nov 16 13:39:47 firewall pluto[24215]: |   02 00 01 00  62 e0 2d a8  00 01 00 00
 00 00 00 00
Nov 16 13:39:47 firewall pluto[24215]: |   03 00 05 00  00 00 00 00  02 00 01 f4
 3e 93 97 df
Nov 16 13:39:47 firewall pluto[24215]: |   00 00 00 00  00 00 00 00  03 00 06 00
 00 00 00 00
Nov 16 13:39:47 firewall pluto[24215]: |   02 00 00 00  c3 9a 80 fe  00 00 00 00
 00 00 00 00
Nov 16 13:40:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
max number of retransmissions (2) reached STATE_QUICK_R1
Nov 16 13:40:30 firewall pluto[24215]: ERROR: "w2k-road-warriors"[2]
62.147.113.146 #4: pfkey write() of SADB_DELETE message 40 for Delete SA
[EMAIL PROTECTED] failed. Errno 3: No such process
Nov 16 13:40:30 firewall pluto[24215]: |   02 04 00 03  0a 00 00 00  28 00 00 00
 97 5e 00 00
Nov 16 13:40:30 firewall pluto[24215]: |   02 00 01 00  62 e0 2d a9  00 01 00 00
 00 00 00 00
Nov 16 13:40:30 firewall pluto[24215]: |   03 00 05 00  00 00 00 00  02 00 01 f4
 3e 93 71 92
Nov 16 13:40:30 firewall pluto[24215]: |   00 00 00 00  00 00 00 00  03 00 06 00
 00 00 00 00
Nov 16 13:40:30 firewall pluto[24215]: |   02 00 00 00  c3 9a 80 fe  00 00 00 00
 00 00 00 00
+ _________________________ date
+
+ date
Sat Nov 16 13:40:36 UTC 2002

AUTH.LOG :

Nov 16 13:35:22 firewall sshd[28698]: Server listening on 0.0.0.0 port 22.
Nov 16 13:35:35 firewall ipsec__plutorun: Starting Pluto subsystem...
Nov 16 13:35:35 firewall pluto[24215]: Starting Pluto (FreeS/WAN Version 1.98b)
Nov 16 13:35:35 firewall pluto[24215]:   including X.509 patch (Version 0.9.13)
Nov 16 13:35:35 firewall pluto[24215]: Could not change to directory
'/etc/ipsec.d/cacerts'
Nov 16 13:35:35 firewall pluto[24215]: Could not change to directory
'/etc/ipsec.d/crls'
Nov 16 13:35:35 firewall pluto[24215]:   loaded my default X.509 cert file
'/etc/x509cert.der' (7 bytes)
Nov 16 13:35:35 firewall pluto[24215]:   file coded in unknown format, discarded
Nov 16 13:35:35 firewall pluto[24215]: OpenPGP certificate file
'/etc/pgpcert.pgp' not found
Nov 16 13:35:36 firewall pluto[24215]: added connection description "sample"
Nov 16 13:35:37 firewall pluto[24215]: added connection description
"w2k-road-warriors"
Nov 16 13:35:37 firewall pluto[24215]: listening for IKE messages
Nov 16 13:35:37 firewall pluto[24215]: adding interface ipsec0/ppp0 ip.pub.lik.254
Nov 16 13:35:37 firewall pluto[24215]: loading secrets from "/etc/ipsec.secrets"
Nov 16 13:35:38 firewall login[29553]: root login  on `tty1' 
Nov 16 13:38:36 firewall pluto[24215]: packet from 62.147.151.223:500: ignoring
Vendor ID payload
Nov 16 13:38:36 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #1:
responding to Main Mode from unknown peer 62.147.151.223
Nov 16 13:38:36 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #1:
Peer ID is ID_IPV4_ADDR: '62.147.151.223'
Nov 16 13:38:36 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #1:
sent MR3, ISAKMP SA established
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
responding to Quick Mode
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
route-client output: RTNETLINK answers: Network is unreachable
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
route-client output: /lib/ipsec/_updown: `ip route add 62.147.151.223/32 dev
ipsec0 via 62.147.151.223' failed
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
route-client command exited with status 2
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: 
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: 
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:38:37 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client command exited with status 2
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
route-client output: RTNETLINK answers: Network is unreachable
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
route-client output: /lib/ipsec/_updown: `ip route add 62.147.151.223/32 dev
ipsec0 via 62.147.151.223' failed
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
route-client command exited with status 2
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: 
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: 
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:38:48 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
down-client command exited with status 2
Nov 16 13:38:48 firewall pluto[24215]: ERROR: "w2k-road-warriors"[1]
62.147.151.223 #2: pfkey write() of SADB_DELETE message 21 for Delete SA
[EMAIL PROTECTED] failed. Errno 3: No such process
Nov 16 13:38:48 firewall pluto[24215]: |   02 04 00 03  0a 00 00 00  15 00 00 00
 97 5e 00 00
Nov 16 13:38:48 firewall pluto[24215]: |   02 00 01 00  62 e0 2d a8  00 01 00 00
 00 00 00 00
Nov 16 13:38:48 firewall pluto[24215]: |   03 00 05 00  00 00 00 00  02 00 01 f4
 3e 93 97 df
Nov 16 13:38:48 firewall pluto[24215]: |   00 00 00 00  00 00 00 00  03 00 06 00
 00 00 00 00
Nov 16 13:38:48 firewall pluto[24215]: |   02 00 00 00  c3 9a 80 fe  00 00 00 00
 00 00 00 00
Nov 16 13:39:19 firewall pluto[24215]: packet from 62.147.113.146:500: ignoring
Vendor ID payload
Nov 16 13:39:19 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #3:
responding to Main Mode from unknown peer 62.147.113.146
Nov 16 13:39:20 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #3:
Peer ID is ID_IPV4_ADDR: '62.147.113.146'
Nov 16 13:39:20 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #3:
sent MR3, ISAKMP SA established
Nov 16 13:39:20 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
responding to Quick Mode
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
route-client output: RTNETLINK answers: Network is unreachable
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
route-client output: /lib/ipsec/_updown: `ip route add 62.147.113.146/32 dev
ipsec0 via 62.147.113.146' failed
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
route-client command exited with status 2
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: 
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: 
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client command exited with status 2
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
route-client output: RTNETLINK answers: Network is unreachable
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
route-client output: /lib/ipsec/_updown: `ip route add 62.147.113.146/32 dev
ipsec0 via 62.147.113.146' failed
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
route-client command exited with status 2
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: 
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: 
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client output: Try `iptables -h' or 'iptables --help' for more information.
Nov 16 13:39:30 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4:
down-client command exited with status 2
Nov 16 13:39:30 firewall pluto[24215]: ERROR: "w2k-road-warriors"[2]
62.147.113.146 #4: pfkey write() of SADB_DELETE message 38 for Delete SA
[EMAIL PROTECTED] failed. Errno 3: No such process
Nov 16 13:39:30 firewall pluto[24215]: |   02 04 00 03  0a 00 00 00  26 00 00 00
 97 5e 00 00
Nov 16 13:39:30 firewall pluto[24215]: |   02 00 01 00  62 e0 2d a9  00 01 00 00
 00 00 00 00
Nov 16 13:39:30 firewall pluto[24215]: |   03 00 05 00  00 00 00 00  02 00 01 f4
 3e 93 71 92
Nov 16 13:39:30 firewall pluto[24215]: |   00 00 00 00  00 00 00 00  03 00 06 00
 00 00 00 00
Nov 16 13:39:30 firewall pluto[24215]: |   02 00 00 00  c3 9a 80 fe  00 00 00 00
 00 00 00 00
Nov 16 13:39:47 firewall pluto[24215]: "w2k-road-warriors"[1] 62.147.151.223 #2:
max number of retransmissions (2) reached STATE_QUICK_R1
Nov 16 13:39:47 firewall pluto[24215]: ERROR: "w2k-road-warriors"[1]
62.147.151.223 #2: pfkey write() of SADB_DELETE message 39 for Delete SA
[EMAIL PROTECTED] failed. Errno 3: No such process
Nov 16 13:39:47 firewall pluto[24215]: |   02 04 00 03  0a 00 00 00  27 00 00 00
 97 5e 00 00
Nov 16 13:39:47 firewall pluto[24215]: |   02 00 01 00  62 e0 2d a8  00 01 00 00
 00 00 00 00
Nov 16 13:39:47 firewall pluto[24215]: |   03 00 05 00  00 00 00 00  02 00 01 f4
 3e 93 97 df
Nov 16 13:39:47 firewall pluto[24215]: |   00 00 00 00  00 00 00 00  03 00 06 00
 00 00 00 00
Nov 16 13:39:47 firewall pluto[24215]: |   02 00 00 00  c3 9a 80 fe  00 00 00 00
 00 00 00 00




On Friday 15 November 2002 16:55, Stef wrote:

> Hi all,
>
> I have a problem with the latest Bering-rc4 distro and the ipsec.lrp
> package.
>
> I try to connect with a road-warrior and everything seems ok (SA
> established) except that the /var/log/auth.log mentions a problem with
> the impossibility to write the "route add" for the IP of my road
> warrior. I followed all the steps explained in the user's guide from the
> Bering web page.


What is the exact error message?
If the road-warrior IP is in the RFC 1918 address space, it probably won't
work. An ipsec barf would be extremely useful for locating any and
virtually all possible problems.
-- 
~Lynn Avants aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net
If linux isn't the answer, you've probably got the wrong question!
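The route-client failures in the log above are all of one shape: `_updown` runs `ip route add <peer>/32 dev ipsec0 via <peer>` and the kernel answers `RTNETLINK answers: Network is unreachable`. The kernel gives that answer when the `via` gateway has no link-scope route on the named device, so the first thing to check is whether `ipsec0` actually has such a route covering the road-warrior's address. The script below is an added example for that triage; it is not part of the original mail, of Bering, or of FreeS/WAN's `_updown`. It pulls the failed `ip route` commands out of pluto's `route-client output:` lines, tests the `via` address against an `ip route` listing, and tallies the `route-client` / `down-client` exit statuses (the `iptables ... Illegal option '-s'` complaints from `down-client` are counted, not diagnosed). The log lines and routing table embedded in it are constructed samples: the syslog lines are rejoined onto one line each, and RFC 5737 addresses stand in for the firewall's public addresses.

```shell
#!/bin/bash
# Added example (not from the original mail, Bering or FreeS/WAN's _updown):
# triage pluto's route-client / down-client failures and check the routing
# precondition that "ip route add ... dev DEV via GW" depends on.

# Constructed sample log: pluto lines as seen in the thread, rejoined onto
# one line each (the mail client had wrapped them).
SAMPLE_LOG=$(cat <<'EOF'
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4: route-client output: RTNETLINK answers: Network is unreachable
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4: route-client output: /lib/ipsec/_updown: `ip route add 62.147.113.146/32 dev ipsec0 via 62.147.113.146' failed
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4: route-client command exited with status 2
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4: down-client output: iptables v1.2.6a: Illegal option `-s' with this command
Nov 16 13:39:21 firewall pluto[24215]: "w2k-road-warriors"[2] 62.147.113.146 #4: down-client command exited with status 2
EOF
)

# Constructed "ip route" listing (RFC 5737 addresses stand in for the public
# ones): ipsec0 only carries a link-scope route to the PPP peer, nothing that
# covers the road warrior's address.
SAMPLE_ROUTES=$(cat <<'EOF'
203.0.113.1 dev ppp0  proto kernel  scope link  src 203.0.113.254
203.0.113.1 dev ipsec0  proto kernel  scope link  src 203.0.113.254
192.168.5.0/24 dev eth1  proto kernel  scope link  src 192.168.5.230
default via 203.0.113.1 dev ppp0
EOF
)

# Print "<peer> <ip route command>" for every _updown route command pluto
# reported as failed. Assumes pluto's usual field layout, where the peer
# address is the 7th whitespace-separated field.
failed_route_cmds() {
    printf '%s\n' "$1" | awk '
        /route-client output:/ && match($0, "`[^\047]*\047 failed$") {
            # drop the leading backtick and the trailing quote + " failed"
            print $7, substr($0, RSTART + 1, RLENGTH - 9)
        }'
}

# Dotted quad -> integer, for prefix arithmetic.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if routing table $1 has a link-scope route on device $2 whose prefix
# contains gateway $3. That is what the kernel needs before it accepts
# "ip route add ... dev $2 via $3"; otherwise it answers ENETUNREACH.
gateway_onlink() {
    local line prefix net len mask gw
    gw=$(ip2int "$3")
    while read -r line; do
        [ -n "$line" ] || continue
        case " $line " in *" dev $2 "*) ;; *) continue ;; esac
        case " $line " in *" scope link "*) ;; *) continue ;; esac
        prefix=${line%% *}
        case $prefix in
            default) continue ;;
            */*) net=${prefix%/*}; len=${prefix#*/} ;;
            *)   net=$prefix;      len=32 ;;
        esac
        mask=$(( len == 0 ? 0 : (0xffffffff << (32 - len)) & 0xffffffff ))
        if [ $(( $(ip2int "$net") & mask )) -eq $(( gw & mask )) ]; then
            return 0
        fi
    done <<< "$1"
    return 1
}

# For each failed route command in log $1, say whether its "via" gateway is
# on-link for its "dev" according to routing table $2.
diagnose_route_failures() {
    local peer cmd dev via w prev
    failed_route_cmds "$1" | while read -r peer cmd; do
        dev= via= prev=
        for w in $cmd; do
            case $prev in dev) dev=$w ;; via) via=$w ;; esac
            prev=$w
        done
        if gateway_onlink "$2" "$dev" "$via"; then
            echo "$peer: $dev via $via: gateway is on-link, look elsewhere"
        else
            echo "$peer: $dev via $via: no link-scope route on $dev covers $via"
        fi
    done
}

# Count "<hook> command exited with status N" lines per hook and status.
updown_exit_failures() {
    printf '%s\n' "$1" | awk '
        /-client command exited with status/ {
            for (i = 1; i <= NF; i++) if ($i ~ /-client$/) hook = $i
            count[hook " " $NF]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Stand-alone run over the constructed samples.
diagnose_route_failures "$SAMPLE_LOG" "$SAMPLE_ROUTES"
updown_exit_failures "$SAMPLE_LOG"
```

To use it on the real firewall, feed `diagnose_route_failures` the contents of `/var/log/auth.log` and the output of `ip route` instead of the two constructed samples. A "no link-scope route" verdict means the `via` address is not directly reachable over that device as far as the kernel is concerned, which is exactly the condition the logged `Network is unreachable` reports; a "gateway is on-link" verdict means the route failure has a different cause and the next thing to read is the `_updown` script itself.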
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html