Everyone,
After much hair pulling, blood-pressure raising, mustache twitching....
I am trying to configure Bering in a Road Warrior configuration using (I shudder to admit) Win2k clients.
I've gone through Chad Carr's instructions about 10 times and various docs from both www.freeswan.org and freeswan.ca. The Win2k/XP box says "Negotiating IP Security" when trying to ping, and I see nothing in an ipsec barf that would lead me to believe there is even a connection being attempted. I tried to determine whether or not the ports were open in Shorewall, but an iptables -C INPUT -p udp -s 65.114.248.6/24 -d 65.114.249.131:500 only gives me a "Will be implemented real soon ;)", so I scanned the Bering box with nmap. Here are the outputs:
nmap ---
# nmap (V. 3.00) scan initiated Wed Jan 1 23:00:31 2003 as: nmap -sS -vv -oN scan.txt 65.114.249.131
Interesting ports on (65.114.249.131):
(The 1599 ports scanned but not shown below are in state: filtered)
Port State Service
113/tcp closed auth
135/tcp closed loc-srv
# Nmap run completed at Wed Jan 1 23:03:24 2003 -- 1 IP address (1 host up) scanned in 173 seconds
ipsec barf ----
diablo
Wed Jan 1 15:55:44 UTC 2003
+ _________________________ version
+
+ ipsec --version
Linux FreeS/WAN 1.99
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+
+ cat /proc/version
Linux version 2.4.18 (root@uml_woody) (gcc version 2.95.4 20011002
(Debian prerelease)) #1 Sun Nov 10 17:40:20 UTC 2002
+ _________________________ proc/net/ipsec_eroute
+
+ sort +3 /proc/net/ipsec_eroute
sort: +3: No such file or directory
+ cat /proc/net/ipsec_eroute
+ _________________________ ip/route
+
+ ip route
65.114.249.0/24 dev eth0 proto kernel scope link src 65.114.249.131
65.114.249.0/24 dev ipsec0 proto kernel scope link src 65.114.249.131
10.4.8.0/24 dev eth1 proto kernel scope link src 10.4.8.254
default via 65.114.249.1 dev eth0
+ _________________________ proc/net/ipsec_spi
+
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
c113ab00 11177 c1111f00 0 0 0 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star
+
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c1111f00 11177 c113ab00
pf_key_registered: 3 c1111f00 11177 c113ab00
pf_key_registered: 9 c1111f00 11177 c113ab00
pf_key_registered: 10 c1111f00 11177 c113ab00
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 4 0 128 128
pf_key_supported: 9 15 3 0 32 128
pf_key_supported: 9 15 2 0 128 32
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+
+ cd /proc/sys/net/ipsec
+ egrep ^ icmp inbound_policy_check tos
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+
+ ipsec auto --status
000 interface ipsec0/eth0 65.114.249.131
000
000 "w2k-road-warriors": 10.4.8.0/24===65.114.249.131...%any
000 "w2k-road-warriors": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "w2k-road-warriors": policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth0; unrouted
000 "w2k-road-warriors": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000
+ _________________________ ip/address
+
+ ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:24:da:7d:e9 brd ff:ff:ff:ff:ff:ff
inet 65.114.249.131/24 brd 65.114.249.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:24:b5:31:62 brd ff:ff:ff:ff:ff:ff
inet 10.4.8.254/24 brd 10.4.8.255 scope global eth1
13: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:a0:24:da:7d:e9 brd ff:ff:ff:ff:ff:ff
inet 65.114.249.131/24 brd 65.114.249.255 scope global ipsec0
14: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
15: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
16: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
+ _________________________ ipsec/directory
+
+ ipsec --directory
/lib/ipsec
+ _________________________ hostname/fqdn
+
+ hostname -f
diablo
+ _________________________ hostname/ipaddress
+
+ hostname -i
10.4.8.254
+ _________________________ uptime
+
+ uptime
3:55pm up 39 min, load average: 0.08, 0.01, 0.00
+ _________________________ ps
+
+ ps alxwf
+ egrep -i ppid|pluto|ipsec|klips
3491 root 1544 S /bin/sh /lib/ipsec/_plutorun --debug all --uniqueids
9783 root 1224 S logger -p daemon.error -t ipsec__plutorun
30998 root 1544 S /bin/sh /lib/ipsec/_plutorun --debug all --uniqueids
17668 root 1300 S /bin/sh /lib/ipsec/_plutoload --load %search --start
8581 root 1544 S /bin/sh /lib/ipsec/_plutorun --debug all --uniqueids
11177 root 2024 S /lib/ipsec/pluto --nofork --debug-all --uniqueids
29663 root 912 S _pluto_adns -d 7 10
16226 root 1256 S /bin/sh /sbin/ipsec barf
31621 root 1804 S /bin/sh /lib/ipsec/barf
27877 root 1804 R /bin/sh /lib/ipsec/barf
+ _________________________ ipsec/showdefaults
+
+ ipsec showdefaults
routephys=eth0
routephys=eth0
routevirt=ipsec0
routevirt=ipsec0
routeaddr=65.114.249.131
routeaddr=65.114.249.131
routenexthop=65.114.249.1
routenexthop=65.114.249.1
defaultroutephys=eth0
defaultroutevirt=ipsec0
defaultrouteaddr=65.114.249.131
defaultroutenexthop=65.114.249.1
+ _________________________ ipsec/conf
+
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=all
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
type=tunnel
keyexchange=ike
keylife=8h
disablearrivalcheck=no
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
authby=secret
left=65.114.249.131
leftsubnet=10.4.8.0/24
leftfirewall=yes
pfs=yes
# Win2K Road Warriors
conn w2k-road-warriors
right=%any
auto=add
+ _________________________ ipsec/secrets
+
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits diablo.netvantix.net Wed Jan 1 11:00:54 2003
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQPDQj/Cf]
#IN KEY 0x4200 4 1 [keyid AQPDQj/Cf]
# (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
md5sum: not found
# do not change the indenting of that "[sums to #...]"
md5sum: not found
%any %any: PSK "[sums to %any...]"
+ _________________________ ipsec/ls-dir
+
+ ls -l /lib/ipsec
-rwxr-xr-x 1 dnslog 29 11102 Nov 10 16:33 _confread
-rwxr-xr-x 1 dnslog 29 4132 Nov 11 15:14 _copyright
-rwxr-xr-x 1 dnslog 29 2163 Nov 10 16:33 _include
-rwxr-xr-x 1 dnslog 29 1472 Nov 10 16:33 _keycensor
-rwxr-xr-x 1 dnslog 29 9356 Nov 11 15:14 _pluto_adns
-rwxr-xr-x 1 dnslog 29 3495 Nov 10 16:33 _plutoload
-rwxr-xr-x 1 dnslog 29 4335 Nov 10 16:33 _plutorun
-rwxr-xr-x 1 dnslog 29 7591 Nov 10 16:33 _realsetup
-rwxr-xr-x 1 dnslog 29 1971 Nov 10 16:33 _secretcensor
-rwxr-xr-x 1 dnslog 29 7825 Nov 20 21:43 _startklips
-rwxr-xr-x 1 dnslog 29 7575 Nov 10 16:33 _updown
-rwxr-xr-x 1 dnslog 29 11404 Nov 10 16:33 auto
-rwxr-xr-x 1 dnslog 29 7175 Nov 10 16:33 barf
-rwxr-xr-x 1 dnslog 29 59360 Nov 11 15:14 eroute
-rwxr-xr-x 1 dnslog 29 18036 Nov 11 15:14 ikeping
-rwxr-xr-x 1 dnslog 29 2905 Nov 10 16:33 ipsec
-rw-r--r-- 1 dnslog 29 1950 Nov 10 16:33 ipsec_pr.template
-rwxr-xr-x 1 dnslog 29 41308 Nov 11 15:14 klipsdebug
-rwxr-xr-x 1 dnslog 29 2646 Nov 24 18:09 look
-rwxr-xr-x 1 dnslog 29 16450 Nov 23 14:56 manual
-rwxr-xr-x 1 dnslog 29 1847 Nov 10 16:33 newhostkey
-rwxr-xr-x 1 dnslog 29 34556 Nov 11 15:14 pf_key
-rwxr-xr-x 1 dnslog 29 326940 Nov 11 15:14 pluto
-rwxr-xr-x 1 dnslog 29 6484 Nov 11 15:14 ranbits
-rwxr-xr-x 1 dnslog 29 73788 Nov 11 15:14 rsasigkey
-rwxr-xr-x 1 dnslog 29 16641 Nov 10 16:33 send-pr
lrwxrwxrwx 1 root root 17 Jan 1 16:01 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 dnslog 29 1041 Nov 10 16:33 showdefaults
-rwxr-xr-x 1 dnslog 29 4205 Nov 10 16:33 showhostkey
-rwxr-xr-x 1 dnslog 29 68812 Nov 11 15:14 spi
-rwxr-xr-x 1 dnslog 29 51208 Nov 11 15:14 spigrp
-rwxr-xr-x 1 dnslog 29 9544 Nov 11 15:14 tncfg
-rwxr-xr-x 1 dnslog 29 32136 Nov 11 15:14 whack
+ _________________________ ipsec/updowns
+
+ ls /lib/ipsec
+ egrep updown
+ cat /lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $
# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
}
downroute() {
doroute del
}
# <CTC> convert to iproute2 - add mask2bits function
#-------------------------------------------------------------------------
# mask2bits function, returns the number of bits in the netmask parameter.
# borrowed from http://www.stearns.org/samlib/samlib-0.1/samlib
#-------------------------------------------------------------------------
#No external apps needed.
mask2bits () {
case $1 in
255.255.255.255) echo 32 ;;
255.255.255.254) echo 31 ;;
255.255.255.252) echo 30 ;;
255.255.255.248) echo 29 ;;
255.255.255.240) echo 28 ;;
255.255.255.224) echo 27 ;;
255.255.255.192) echo 26 ;;
255.255.255.128) echo 25 ;;
255.255.255.0) echo 24 ;;
255.255.254.0) echo 23 ;;
255.255.252.0) echo 22 ;;
255.255.248.0) echo 21 ;;
255.255.240.0) echo 20 ;;
255.255.224.0) echo 19 ;;
255.255.192.0) echo 18 ;;
255.255.128.0) echo 17 ;;
255.255.0.0) echo 16 ;;
255.254.0.0) echo 15 ;;
255.252.0.0) echo 14 ;;
255.248.0.0) echo 13 ;;
255.240.0.0) echo 12 ;;
255.224.0.0) echo 11 ;;
255.192.0.0) echo 10 ;;
255.128.0.0) echo 9 ;;
255.0.0.0) echo 8 ;;
254.0.0.0) echo 7 ;;
252.0.0.0) echo 6 ;;
248.0.0.0) echo 5 ;;
240.0.0.0) echo 4 ;;
224.0.0.0) echo 3 ;;
192.0.0.0) echo 2 ;;
128.0.0.0) echo 1 ;;
0.0.0.0) echo 0 ;;
*) echo 32 ;;
esac
} #End of mask2bits
doroute() {
# parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
# parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
PLUTO_PEER_CLIENT_BITS=`mask2bits $PLUTO_PEER_CLIENT_MASK`
parms="$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_BITS"
parms2="dev $PLUTO_INTERFACE via $PLUTO_NEXT_HOP"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
# it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
# route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
it="ip route $1 0.0.0.0/1 $parms2 &&"
it="$it ip route $1 128.0.0.0/1 $parms2"
;;
# *) it="route $1 $parms $parms2"
*) it="ip route $1 $parms $parms2"
;;
esac
eval $it
st=$?
if test $st -ne 0
then
# route has already given its own cryptic message
echo "$0: \`$it' failed" >&2
if test " $1 $st" = " add 7"
then
# another totally undocumented interface -- 7 and
# "SIOCADDRT: Network is unreachable" means that
# the gateway isn't reachable.
echo "$0: (incorrect or missing nexthop setting??)" >&2
fi
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
# it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
# route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
it="ip route del 0.0.0.0/1 2>&1 ; ip route del 128.0.0.0/1 2>&1"
;;
*)
# it="route del -net $PLUTO_PEER_CLIENT_NET \
# netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
PLUTO_PEER_CLIENT_BITS=`mask2bits $PLUTO_PEER_CLIENT_MASK`
parms="$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_BITS"
it="ip route del $parms 2>&1"
;;
esac
oops="`eval $it`"
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
# <CTC> iproute2 gives a _different_ incomprehensible answer
# 'SIOCDELRT: No such process'*)
'RTNETLINK answers: No such process'*)
# </CTC>
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
# <CTC> replace with iptables commands
# ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
#   -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
# </CTC>
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
# <CTC> replace with iptables commands
# ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
#   -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
iptables -D FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
iptables -D FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
# </CTC>
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ _________________________ proc/net/dev
+
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
dummy0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth0: 2347452 7811 0 0 0 0 0 0 1848 27 0 0 0 0 0 0
eth1: 3136 29 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 00F97241 00000000 0001 0 0 0 00FFFFFF 40 0 0
ipsec0 00F97241 00000000 0001 0 0 0 00FFFFFF 40 0 0
eth1 0008040A 00000000 0001 0 0 0 00FFFFFF 40 0 0
eth0 00000000 01F97241 0003 0 0 0 00000000 40 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+
+ cd /proc/sys/net/ipv4/conf
+ egrep ^ all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+
+ uname -a
Linux diablo 2.4.18 #1 Sun Nov 10 17:40:20 UTC 2002 i586 unknown
+ _________________________ redhat-release
+
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.99
+ _________________________ iptables/list
+
+ iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- lo * 0.0.0.0/0 0.0.0.0/0
6473 259K eth0_in ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
15 2086 eth1_in ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 eth0_fwd ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_fwd ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 ACCEPT ah -- * lo 0.0.0.0/0 0.0.0.0/0
14 854 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
2 80 fw2net ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (5 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
15 2086 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain common (5 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
16 2164 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445 reject-with icmp-port-unreachable
1 40 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 DROP ah -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP ah -- * * 0.0.0.0/0 224.0.0.0/4
1 40 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
0 0 DROP ah -- * * 0.0.0.0/0 65.114.249.255
0 0 DROP ah -- * * 0.0.0.0/0 10.4.8.255
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 rfc1918 ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 net2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
6473 259K dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
6473 259K rfc1918 ah -- * * 0.0.0.0/0 0.0.0.0/0
13 748 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
6460 258K net2fw ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2net ah -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
15 2086 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
15 2086 loc2fw ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2gw (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
2 80 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 51 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain gw2fw (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
15 2086 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (27 references)
pkts bytes target prot opt in out source destination
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
6459 258K common ah -- * * 0.0.0.0/0 0.0.0.0/0
6456 258K LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
6456 258K DROP ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 40 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 51 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
6459 258K net2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (8 references)
pkts bytes target prot opt in out source destination
1 40 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (6 references)
pkts bytes target prot opt in out source destination
2 80 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT ah -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain rfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN ah -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP ah -- * * 169.254.0.0/16 0.0.0.0/0
0 0 logdrop ah -- * * 172.16.0.0/12 0.0.0.0/0
0 0 logdrop ah -- * * 192.0.2.0/24 0.0.0.0/0
0 0 logdrop ah -- * * 192.168.0.0/16 0.0.0.0/0
0 0 logdrop ah -- * * 0.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 2.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 5.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 7.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 10.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 23.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 27.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 31.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 36.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 39.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 41.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 42.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 58.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 60.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 70.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 72.0.0.0/5 0.0.0.0/0
0 0 logdrop ah -- * * 82.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 84.0.0.0/6 0.0.0.0/0
0 0 logdrop ah -- * * 88.0.0.0/5 0.0.0.0/0
0 0 logdrop ah -- * * 96.0.0.0/3 0.0.0.0/0
0 0 logdrop ah -- * * 127.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 197.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 222.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 240.0.0.0/4 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
+ _________________________ ipchains/list
+
+ ipchains -L -v -n
ipchains: not found
+ _________________________ ipfwadm/forward
+
+ ipfwadm -F -l -n -e
ipfwadm: not found
+ _________________________ ipfwadm/input
+
+ ipfwadm -I -l -n -e
ipfwadm: not found
+ _________________________ ipfwadm/output
+
+ ipfwadm -O -l -n -e
ipfwadm: not found
+ _________________________ iptables/nat
+
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 6908 packets, 295K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2 packets, 80 bytes)
pkts bytes target prot opt in out source destination
2 80 eth0_masq ah -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE ah -- * * 10.4.8.0/24 0.0.0.0/0
+ _________________________ ipchains/masq
+
+ ipchains -M -L -v -n
ipchains: not found
+ _________________________ ipfwadm/masq
+
+ ipfwadm -M -l -n -e
ipfwadm: not found
+ _________________________ iptables/mangle
+
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 6908 packets, 295K bytes)
pkts bytes target prot opt in out source destination
6892 293K man1918 ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
6906 295K pretos ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 6488 packets, 261K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16 packets, 934 bytes)
pkts bytes target prot opt in out source destination
16 934 outtos ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 16 packets, 934 bytes)
pkts bytes target prot opt in out source destination
Chain logdrop (27 references)
pkts bytes target prot opt in out source destination
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:man1918:DROP:'
0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain man1918 (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN ah -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP ah -- * * 0.0.0.0/0 169.254.0.0/16
0 0 logdrop ah -- * * 0.0.0.0/0 172.16.0.0/12
0 0 logdrop ah -- * * 0.0.0.0/0 192.0.2.0/24
0 0 logdrop ah -- * * 0.0.0.0/0 192.168.0.0/16
0 0 logdrop ah -- * * 0.0.0.0/0 0.0.0.0/7
0 0 logdrop ah -- * * 0.0.0.0/0 2.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 5.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 7.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 10.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 23.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 27.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 31.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 36.0.0.0/7
0 0 logdrop ah -- * * 0.0.0.0/0 39.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 41.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 42.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 58.0.0.0/7
0 0 logdrop ah -- * * 0.0.0.0/0 60.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 70.0.0.0/7
0 0 logdrop ah -- * * 0.0.0.0/0 72.0.0.0/5
0 0 logdrop ah -- * * 0.0.0.0/0 82.0.0.0/7
0 0 logdrop ah -- * * 0.0.0.0/0 84.0.0.0/6
0 0 logdrop ah -- * * 0.0.0.0/0 88.0.0.0/5
0 0 logdrop ah -- * * 0.0.0.0/0 96.0.0.0/3
0 0 logdrop ah -- * * 0.0.0.0/0 127.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 197.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 222.0.0.0/7
0 0 logdrop ah -- * * 0.0.0.0/0 240.0.0.0/4
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
4 160 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
4 160 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
4 160 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
+ _________________________ proc/modules
+
+ cat /proc/modules
ipsec 133776 2
ip_nat_irc 2400 0 (unused)
ip_nat_ftp 3008 0 (unused)
ip_conntrack_irc 3104 1
ip_conntrack_ftp 3840 1
3c59x 24752 2
ide-prob 7516 0
ide-disk 6560 0
ide-mod 50948 0 [ide-prob ide-disk]
+ _________________________ proc/meminfo
+
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 47763456 12197888 35565568 0 69632 6836224
Swap: 0 0 0
MemTotal: 46644 kB
MemFree: 34732 kB
MemShared: 0 kB
Buffers: 68 kB
Cached: 6676 kB
SwapCached: 0 kB
Active: 20 kB
Inactive: 9048 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 46644 kB
LowFree: 34732 kB
SwapTotal: 0 kB
SwapFree: 0 kB
+ _________________________ dev/ipsec-ls
+
+ ls -l /dev/ipsec*
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r-- 1 root wheel 0 Jan 1 15:55 /proc/net/ipsec_eroute
-r--r--r-- 1 root wheel 0 Jan 1 15:55 /proc/net/ipsec_spi
-r--r--r-- 1 root wheel 0 Jan 1 15:55 /proc/net/ipsec_spigrp
-r--r--r-- 1 root wheel 0 Jan 1 15:55 /proc/net/ipsec_tncfg
-r--r--r-- 1 root wheel 0 Jan 1 15:55 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+
+ test -f /usr/src/linux/.config
+ _________________________ etc/syslog.conf
+
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# Log everything remotely. The other machine must run syslog with '-r'.
# WARNING: Doing this is unsecure and can open you up to a DoS attack.
#
#*.* @host.ip.address-or-name.here
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#cron.* /var/log/cron.log
#lpr.* -/var/log/lpr.log
#mail.* /var/log/mail.log
#user.* -/var/log/user.log
#uucp.* -/var/log/uucp.log
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#ppp
local2.* -/var/log/ppp.log
#portslave
local6.* -/var/log/pslave.log
+ _________________________ etc/resolv.conf
+
+ cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 10.4.8.254
nameserver 65.114.248.4
nameserver 65.114.248.5
+ _________________________ lib/modules-ls
+
+ ls -ltr /lib/modules
-rw-r--r-- 1 root root 6744 Nov 11 13:25 slhc.o
-rw-r--r-- 1 root root 3636 Nov 11 13:25 pppox.o
-rw-r--r-- 1 root root 11732 Nov 11 13:25 pppoe.o
-rw-r--r-- 1 root root 7908 Nov 11 13:25 ppp_synctty.o
-rw-r--r-- 1 root root 22352 Nov 11 13:25 ppp_mppe.o
-rw-r--r-- 1 root root 23712 Nov 11 13:25 ppp_generic.o
-rw-r--r-- 1 root root 39424 Nov 11 13:25 ppp_deflate.o
-rw-r--r-- 1 root root 9948 Nov 11 13:25 ppp_async.o
-rw-r--r-- 1 root root 8516 Nov 11 13:25 ne2k-pci.o
-rw-r--r-- 1 root root 8144 Nov 11 13:25 ne.o
-rw-r--r-- 1 root root 9816 Nov 11 13:25 n_hdlc.o
-rw-r--r-- 1 root root 4200 Nov 11 13:25 ip_nat_irc.o
-rw-r--r-- 1 root root 4748 Nov 11 13:25 ip_nat_ftp.o
-rw-r--r-- 1 root root 5716 Nov 11 13:25 ip_conntrack_irc.o
-rw-r--r-- 1 root root 5936 Nov 11 13:25 ip_conntrack_ftp.o
-rw-r--r-- 1 root root 26328 Nov 11 13:25 eepro100.o
-rw-r--r-- 1 root root 8872 Nov 11 13:25 8390.o
-rw-r--r-- 1 root root 36120 Nov 11 13:25 3c59x.o
-rwxr-xr-x 1 root root 165334 Dec 26 10:58 ipsec.o
lrwxrwxrwx 1 root root 12 Jan 1 16:01 2.4.18 -> /lib/modules
+ _________________________ proc/ksyms-netif_rx
+
+ egrep netif_rx /proc/ksyms
c018d710 netif_rx
+ _________________________ lib/modules-netif_rx
+
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.18:
+ _________________________ kern.debug
+
+ test -f /var/log/kern.debug
+ _________________________ klog
+
+ sed -n 100,$p /var/log/syslog
+ egrep -i ipsec|klips|pluto
+ cat
Jan 1 15:36:09 diablo ipsec_setup: Starting FreeS/WAN IPsec 1.99...
Jan 1 15:36:09 diablo ipsec_setup: Using /lib/modules/ipsec.o
Jan 1 15:36:09 diablo ipsec_setup: KLIPS ipsec0 on eth0 65.114.249.131/24 broadcast 65.114.249.255
Jan 1 15:36:09 diablo ipsec_setup: ...FreeS/WAN IPsec started
+ _________________________ plog
+
+ sed -n 156,$p /var/log/auth.log
+ egrep -i pluto
+ cat
Jan 1 15:36:09 diablo ipsec__plutorun: Starting Pluto subsystem...
Jan 1 15:36:09 diablo pluto[11177]: Starting Pluto (FreeS/WAN Version 1.99)
Jan 1 15:36:09 diablo pluto[11177]: | opening /dev/urandom
Jan 1 15:36:09 diablo pluto[11177]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Jan 1 15:36:09 diablo pluto[11177]: | process 11177 listening for PF_KEY_V2 on file descriptor 6
Jan 1 15:36:09 diablo pluto[11177]: | finish_pfkey_msg: SADB_REGISTER message 1 for AH
Jan 1 15:36:09 diablo pluto[11177]: | 02 07 00 02 02 00 00 00 01 00 00 00 a9 2b 00 00
Jan 1 15:36:09 diablo pluto[11177]: | pfkey_get: SADB_REGISTER message 1
Jan 1 15:36:09 diablo pluto[11177]: | AH registered with kernel.
Jan 1 15:36:09 diablo pluto[11177]: | finish_pfkey_msg: SADB_REGISTER message 2 for ESP
Jan 1 15:36:09 diablo pluto[11177]: | 02 07 00 03 02 00 00 00 02 00 00 00 a9 2b 00 00
Jan 1 15:36:09 diablo pluto[11177]: | pfkey_get: SADB_REGISTER message 2
Jan 1 15:36:09 diablo pluto[11177]: | ESP registered with kernel.
Jan 1 15:36:09 diablo pluto[11177]: | finish_pfkey_msg: SADB_REGISTER message 3 for IPCOMP
Jan 1 15:36:09 diablo pluto[11177]: | 02 07 00 0a 02 00 00 00 03 00 00 00 a9 2b 00 00
Jan 1 15:36:09 diablo pluto[11177]: | pfkey_get: SADB_REGISTER message 3
Jan 1 15:36:09 diablo pluto[11177]: | IPCOMP registered with kernel.
Jan 1 15:36:09 diablo pluto[11177]: | finish_pfkey_msg: SADB_REGISTER message 4 for IPIP
Jan 1 15:36:09 diablo pluto[11177]: | 02 07 00 09 02 00 00 00 04 00 00 00 a9 2b 00 00
Jan 1 15:36:09 diablo pluto[11177]: | pfkey_get: SADB_REGISTER message 4
Jan 1 15:36:09 diablo pluto[11177]: | IPIP registered with kernel.
Jan 1 15:36:09 diablo pluto[11177]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Jan 1 15:36:09 diablo pluto[11177]: | next event EVENT_SHUNT_SCAN in 120 seconds
Jan 1 15:36:10 diablo pluto[11177]: |
Jan 1 15:36:10 diablo pluto[11177]: | *received whack message
Jan 1 15:36:10 diablo pluto[11177]: added connection description "w2k-road-warriors"
Jan 1 15:36:10 diablo pluto[11177]: | 10.4.8.0/24===65.114.249.131...%any
Jan 1 15:36:10 diablo pluto[11177]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS
Jan 1 15:36:10 diablo pluto[11177]: | next event EVENT_SHUNT_SCAN in 119 seconds
Jan 1 15:36:10 diablo pluto[11177]: |
Jan 1 15:36:10 diablo pluto[11177]: | *received whack message
Jan 1 15:36:10 diablo pluto[11177]: listening for IKE messages
Jan 1 15:36:10 diablo pluto[11177]: | found lo with address 127.0.0.1
Jan 1 15:36:10 diablo pluto[11177]: | found eth0 with address 65.114.249.131
Jan 1 15:36:10 diablo pluto[11177]: | found eth1 with address 10.4.8.254
Jan 1 15:36:10 diablo pluto[11177]: | found ipsec0 with address 65.114.249.131
Jan 1 15:36:10 diablo pluto[11177]: | IP interface eth1 10.4.8.254 has no matching ipsec* interface -- ignored
Jan 1 15:36:10 diablo pluto[11177]: adding interface ipsec0/eth0 65.114.249.131
Jan 1 15:36:10 diablo pluto[11177]: | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
Jan 1 15:36:10 diablo pluto[11177]: | could not open /proc/net/if_inet6
Jan 1 15:36:10 diablo pluto[11177]: loading secrets from "/etc/ipsec.secrets"
Jan 1 15:36:10 diablo pluto[11177]: | next event EVENT_SHUNT_SCAN in 119 seconds
Jan 1 15:36:32 diablo pluto[11177]: |
Jan 1 15:36:32 diablo pluto[11177]: | *received whack message
Jan 1 15:36:32 diablo pluto[11177]: | next event EVENT_SHUNT_SCAN in 97 seconds
Jan 1 15:38:09 diablo pluto[11177]: |
Jan 1 15:38:09 diablo pluto[11177]: | *time to handle event
Jan 1 15:38:09 diablo pluto[11177]: | event after this is EVENT_REINIT_SECRET in 3480 seconds
Jan 1 15:38:09 diablo pluto[11177]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Jan 1 15:38:09 diablo pluto[11177]: | next event EVENT_SHUNT_SCAN in 120 seconds
Jan 1 15:40:09 diablo pluto[11177]: |
Jan 1 15:40:09 diablo pluto[11177]: | *time to handle event
Jan 1 15:40:09 diablo pluto[11177]: | event after this is EVENT_REINIT_SECRET in 3360 seconds
Jan 1 15:40:09 diablo pluto[11177]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Jan 1 15:40:09 diablo pluto[11177]: | next event EVENT_SHUNT_SCAN in 120 seconds
Jan 1 15:42:09 diablo pluto[11177]: |
Jan 1 15:42:09 diablo pluto[11177]: | *time to handle event
Jan 1 15:42:09 diablo pluto[11177]: | eve
+ _________________________ date
+
+ date
Wed Jan 1 15:55:48 UTC 2003
ping ---
Pinging 10.4.8.254 with 32 bytes of data:
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Ping statistics for 10.4.8.254:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Well if anyone has any ideas......
Thanks!
Steve
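The iptables listing in the barf above is line-wrapped by the mail client, which makes it hard to see at a glance whether the filter rules would admit IKE (UDP port 500) and ESP/AH at all, and the Pluto log shows no IKE exchange being attempted. The following Python script is an added example, not code from this post, from FreeS/WAN or from Shorewall: it rejoins the wrapped rows of an `iptables -L -v -n` listing, parses them per chain, and reports the first rule that would decide the fate of IPsec traffic. The sample listing embedded in it is constructed for illustration; the `INPUT` chain, its counters and its addresses are made up, and only the shape of the `outtos` row is taken from the output above.

```python
"""Parse an `iptables -L -v -n` listing of the kind found in `ipsec barf`
output and report what it does with IKE, ESP and AH traffic.

Added example (not from the original post, FreeS/WAN or Shorewall).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample listing. The line breaks inside rows imitate the
# mail-client wrapping seen in the post; the INPUT rules are invented.
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source
destination
   40  3200 ACCEPT     all  --  lo     *       0.0.0.0/0
0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0
65.114.249.131       udp dpt:500
    0     0 ACCEPT     esp  --  eth0   *       0.0.0.0/0
65.114.249.131
    0     0 logdrop    ah   --  *      *       0.0.0.0/0
42.0.0.0/8
Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0            tcp dpt:22 TOS set 0x10
"""

# A rule row starts with two counters (optionally suffixed K/M/G) and a target.
ROW_RE = re.compile(r"^\s*\d+[KMG]?\s+\d+[KMG]?\s+\S+")

Rule = Dict[str, str]


def rejoin_wrapped(text: str) -> List[str]:
    """Undo line wrapping: a line that is neither a chain header, the column
    header nor the start of a rule row is glued onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        stripped = line.lstrip()
        starts_row = (stripped.startswith("Chain ")
                      or stripped.startswith("pkts ")
                      or ROW_RE.match(line) is not None)
        if starts_row or not lines:
            lines.append(line)
        else:
            lines[-1] = lines[-1] + " " + stripped
    return lines


def parse_listing(text: str) -> Dict[str, List[Rule]]:
    """Return {chain name: [rule, ...]} in listing order."""
    chains: Dict[str, List[Rule]] = {}
    current: Optional[str] = None
    for line in rejoin_wrapped(text):
        s = line.strip()
        if s.startswith("Chain "):
            current = s.split()[1]
            chains[current] = []
            continue
        if current is None or s.startswith("pkts "):
            continue
        # nine fixed columns, then everything else is the match/extension text
        fields = s.split(None, 9)
        if len(fields) < 9:
            continue
        keys = ("pkts", "bytes", "target", "prot", "opt", "in", "out",
                "source", "destination")
        rule: Rule = dict(zip(keys, fields[:9]))
        rule["match"] = fields[9] if len(fields) > 9 else ""
        chains[current].append(rule)
    return chains


def ipsec_relevant(chains: Dict[str, List[Rule]],
                   chain: str = "INPUT") -> List[Tuple[str, str]]:
    """List (traffic class, target) for every rule in `chain` that matches
    IKE (udp dpt:500), ESP (protocol 50) or AH (protocol 51).
    Interface and address qualifiers are deliberately ignored here."""
    hits: List[Tuple[str, str]] = []
    for r in chains.get(chain, []):
        if r["prot"] == "udp" and re.search(r"\bdpt:500\b", r["match"]):
            hits.append(("IKE udp/500", r["target"]))
        elif r["prot"] in ("esp", "50"):
            hits.append(("ESP", r["target"]))
        elif r["prot"] in ("ah", "51"):
            hits.append(("AH", r["target"]))
    return hits


def first_verdict(chains: Dict[str, List[Rule]], traffic: str,
                  chain: str = "INPUT") -> Optional[str]:
    """iptables stops at the first matching rule, so the first hit for a
    traffic class is the one that counts. None means no rule mentions it
    and the chain policy applies."""
    for cls, target in ipsec_relevant(chains, chain):
        if cls == traffic:
            return target
    return None


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for cls in ("IKE udp/500", "ESP", "AH"):
        print(f"{cls:12s} -> {first_verdict(parsed, cls)}")
```

Feed it the real `iptables -L -v -n` section of a barf (for example by reading the file instead of `SAMPLE`) and look at the verdict for `IKE udp/500` in `INPUT`: if it is `None` and the chain policy is `DROP`, or the first hit is a drop target, no IKE packet can reach Pluto and the "listening for IKE messages" line will be the last thing the log ever says about the connection. Remember that the simplified matcher ignores interface and address columns, so a rule limited to the wrong interface still shows up as a hit; read the row it reports before drawing a conclusion.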
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html