Everyone,

After much hair pulling, blood-pressure raising, mustache twitching....

I am trying to configure Bering in a Road Warrior configuration using (I shudder to admit) Win2k clients. I've gone through Chad Carr's instructions about 10 times and various docs from both www.freeswan.org and freeswan.ca. The Win2k/XP box says "Negotiating IP Security" when trying to ping, and I see nothing in an ipsec barf that would lead me to believe there is even a connection being attempted. I tried to determine whether or not the ports were open in Shorewall, but an

    iptables -C INPUT -p udp -s 65.114.248.6/24 -d 65.114.249.131:500

only gives me a "Will be implemented real soon ;)", so I scanned the Bering box with nmap. Here are the outputs:

nmap
---
# nmap (V. 3.00) scan initiated Wed Jan  1 23:00:31 2003 as: nmap -sS -vv -oN scan.txt 65.114.249.131
Interesting ports on  (65.114.249.131):
(The 1599 ports scanned but not shown below are in state: filtered)
Port       State       Service
113/tcp    closed      auth
135/tcp    closed      loc-srv

# Nmap run completed at Wed Jan  1 23:03:24 2003 -- 1 IP address (1 host up) scanned in 173 seconds

ipsec barf
----
diablo Wed Jan  1 15:55:44 UTC 2003
+ _________________________ version
+
+ ipsec --version
Linux FreeS/WAN 1.99
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+
+ cat /proc/version
Linux version 2.4.18 (root@uml_woody) (gcc version 2.95.4 20011002 (Debian prerelease)) #1 Sun Nov 10 17:40:20 UTC 2002
+ _________________________ proc/net/ipsec_eroute
+
+ sort +3 /proc/net/ipsec_eroute
sort: +3: No such file or directory
+ cat /proc/net/ipsec_eroute
+ _________________________ ip/route
+
+ ip route
65.114.249.0/24 dev eth0  proto kernel  scope link  src 65.114.249.131
65.114.249.0/24 dev ipsec0  proto kernel  scope link  src 65.114.249.131
10.4.8.0/24 dev eth1  proto kernel  scope link  src 10.4.8.254
default via 65.114.249.1 dev eth0
+ _________________________ proc/net/ipsec_spi
+
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+
+ cat /proc/net/pf_key
    sock   pid   socket     next     prev e n p sndbf    Flags Type St
c113ab00 11177 c1111f00        0        0 0 0 2 65535 00000000    3  1
+ _________________________ proc/net/pf_key-star
+
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid       sk
pf_key_registered:     2 c1111f00 11177 c113ab00
pf_key_registered:     3 c1111f00 11177 c113ab00
pf_key_registered:     9 c1111f00 11177 c113ab00
pf_key_registered:    10 c1111f00 11177 c113ab00
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported:     2      14      3     0     160     160
pf_key_supported:     2      14      2     0     128     128
pf_key_supported:     3      15      3   128     168     168
pf_key_supported:     3      14      3     0     160     160
pf_key_supported:     3      14      2     0     128     128
pf_key_supported:     9      15      4     0     128     128
pf_key_supported:     9      15      3     0      32     128
pf_key_supported:     9      15      2     0     128      32
pf_key_supported:     9      15      1     0      32      32
pf_key_supported:    10      15      2     0       1       1
+ _________________________ proc/sys/net/ipsec-star
+
+ cd /proc/sys/net/ipsec
+ egrep ^ icmp inbound_policy_check tos
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+
+ ipsec auto --status
000 interface ipsec0/eth0 65.114.249.131
000
000 "w2k-road-warriors": 10.4.8.0/24===65.114.249.131...%any
000 "w2k-road-warriors":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "w2k-road-warriors":   policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth0; unrouted
000 "w2k-road-warriors":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000
+ _________________________ ip/address
+
+ ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:24:da:7d:e9 brd ff:ff:ff:ff:ff:ff
    inet 65.114.249.131/24 brd 65.114.249.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:24:b5:31:62 brd ff:ff:ff:ff:ff:ff
    inet 10.4.8.254/24 brd 10.4.8.255 scope global eth1
13: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:a0:24:da:7d:e9 brd ff:ff:ff:ff:ff:ff
    inet 65.114.249.131/24 brd 65.114.249.255 scope global ipsec0
14: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
15: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
16: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
+ _________________________ ipsec/directory
+
+ ipsec --directory
/lib/ipsec
+ _________________________ hostname/fqdn
+
+ hostname -f
diablo
+ _________________________ hostname/ipaddress
+
+ hostname -i
10.4.8.254
+ _________________________ uptime
+
+ uptime
  3:55pm  up 39 min,  load average: 0.08, 0.01, 0.00
+ _________________________ ps
+
+ ps alxwf
+ egrep -i ppid|pluto|ipsec|klips
 3491 root      1544 S   /bin/sh /lib/ipsec/_plutorun --debug all --uniqueids
 9783 root      1224 S   logger -p daemon.error -t ipsec__plutorun
30998 root      1544 S   /bin/sh /lib/ipsec/_plutorun --debug all --uniqueids
17668 root      1300 S   /bin/sh /lib/ipsec/_plutoload --load %search --start
 8581 root      1544 S   /bin/sh /lib/ipsec/_plutorun --debug all --uniqueids
11177 root      2024 S   /lib/ipsec/pluto --nofork --debug-all --uniqueids
29663 root       912 S   _pluto_adns -d 7 10
16226 root      1256 S   /bin/sh /sbin/ipsec barf
31621 root      1804 S   /bin/sh /lib/ipsec/barf
27877 root      1804 R   /bin/sh /lib/ipsec/barf
+ _________________________ ipsec/showdefaults
+
+ ipsec showdefaults
routephys=eth0
routephys=eth0
routevirt=ipsec0
routevirt=ipsec0
routeaddr=65.114.249.131
routeaddr=65.114.249.131
routenexthop=65.114.249.1
routenexthop=65.114.249.1
defaultroutephys=eth0
defaultroutevirt=ipsec0
defaultrouteaddr=65.114.249.131
defaultroutenexthop=65.114.249.1
+ _________________________ ipsec/conf
+
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces=%defaultroute
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=all
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
	type=tunnel
	keyexchange=ike
	keylife=8h
	disablearrivalcheck=no
	# How persistent to be in (re)keying negotiations (0 means very).
	keyingtries=0
	authby=secret
	left=65.114.249.131
	leftsubnet=10.4.8.0/24
	leftfirewall=yes
	pfs=yes

# Win2K Road Warriors
conn w2k-road-warriors
	right=%any
	auto=add

+ _________________________ ipsec/secrets
+
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA	{
	# RSA 2192 bits   diablo.netvantix.net   Wed Jan  1 11:00:54 2003
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey=[keyid AQPDQj/Cf]
	#IN KEY 0x4200 4 1 [keyid AQPDQj/Cf]
	# (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
	Modulus: [...]
	PublicExponent: [...]
	# everything after this point is secret
	PrivateExponent: [...]
	Prime1: [...]
	Prime2: [...]
	Exponent1: [...]
	Exponent2: [...]
	Coefficient: [...]
	}
md5sum: not found
# do not change the indenting of that "[sums to #...]"
md5sum: not found
%any %any: PSK "[sums to %any...]"
+ _________________________ ipsec/ls-dir
+
+ ls -l /lib/ipsec
-rwxr-xr-x    1 dnslog   29          11102 Nov 10 16:33 _confread
-rwxr-xr-x    1 dnslog   29           4132 Nov 11 15:14 _copyright
-rwxr-xr-x    1 dnslog   29           2163 Nov 10 16:33 _include
-rwxr-xr-x    1 dnslog   29           1472 Nov 10 16:33 _keycensor
-rwxr-xr-x    1 dnslog   29           9356 Nov 11 15:14 _pluto_adns
-rwxr-xr-x    1 dnslog   29           3495 Nov 10 16:33 _plutoload
-rwxr-xr-x    1 dnslog   29           4335 Nov 10 16:33 _plutorun
-rwxr-xr-x    1 dnslog   29           7591 Nov 10 16:33 _realsetup
-rwxr-xr-x    1 dnslog   29           1971 Nov 10 16:33 _secretcensor
-rwxr-xr-x    1 dnslog   29           7825 Nov 20 21:43 _startklips
-rwxr-xr-x    1 dnslog   29           7575 Nov 10 16:33 _updown
-rwxr-xr-x    1 dnslog   29          11404 Nov 10 16:33 auto
-rwxr-xr-x    1 dnslog   29           7175 Nov 10 16:33 barf
-rwxr-xr-x    1 dnslog   29          59360 Nov 11 15:14 eroute
-rwxr-xr-x    1 dnslog   29          18036 Nov 11 15:14 ikeping
-rwxr-xr-x    1 dnslog   29           2905 Nov 10 16:33 ipsec
-rw-r--r--    1 dnslog   29           1950 Nov 10 16:33 ipsec_pr.template
-rwxr-xr-x    1 dnslog   29          41308 Nov 11 15:14 klipsdebug
-rwxr-xr-x    1 dnslog   29           2646 Nov 24 18:09 look
-rwxr-xr-x    1 dnslog   29          16450 Nov 23 14:56 manual
-rwxr-xr-x    1 dnslog   29           1847 Nov 10 16:33 newhostkey
-rwxr-xr-x    1 dnslog   29          34556 Nov 11 15:14
pf_key -rwxr-xr-x 1 dnslog 29 326940 Nov 11 15:14 pluto -rwxr-xr-x 1 dnslog 29 6484 Nov 11 15:14 ranbits -rwxr-xr-x 1 dnslog 29 73788 Nov 11 15:14 rsasigkey -rwxr-xr-x 1 dnslog 29 16641 Nov 10 16:33 send-pr lrwxrwxrwx 1 root root 17 Jan 1 16:01 setup -> /etc/init.d/ipsec -rwxr-xr-x 1 dnslog 29 1041 Nov 10 16:33 showdefaults -rwxr-xr-x 1 dnslog 29 4205 Nov 10 16:33 showhostkey -rwxr-xr-x 1 dnslog 29 68812 Nov 11 15:14 spi -rwxr-xr-x 1 dnslog 29 51208 Nov 11 15:14 spigrp -rwxr-xr-x 1 dnslog 29 9544 Nov 11 15:14 tncfg -rwxr-xr-x 1 dnslog 29 32136 Nov 11 15:14 whack + _________________________ ipsec/updowns + + ls /lib/ipsec + egrep updown + cat /lib/ipsec/_updown #! /bin/sh # default updown script # Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at your # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # # RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $ # CAUTION: Installing a new version of FreeS/WAN will install a new # copy of this script, wiping out any custom changes you make. If # you need changes, make a copy of this under another name, and customize # that, and use the (left/right)updown parameters in ipsec.conf to make # FreeS/WAN use yours instead of this default one. # check interface version case "$PLUTO_VERSION" in 1.[0]) # Older Pluto?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 echo "$0: called by obsolete Pluto?" 
>&2 exit 2 ;; 1.*) ;; *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 exit 2 ;; esac # check parameter(s) case "$1:$*" in ':') # no parameters ;; ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only ;; custom:*) # custom parameters (see above CAUTION comment) ;; *) echo "$0: unknown parameters \`$*'" >&2 exit 2 ;; esac # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { doroute add } downroute() { doroute del } # <CTC> convert to iproute2 - add mask2bits function #------------------------------------------------------------------------- # mask2bits function, returns the number of bits in the netmask parameter. # borrowed from http://www.stearns.org/samlib/samlib-0.1/samlib #------------------------------------------------------------------------- #No external apps needed. mask2bits () { case $1 in 255.255.255.255) echo 32 ;; 255.255.255.254) echo 31 ;; 255.255.255.252) echo 30 ;; 255.255.255.248) echo 29 ;; 255.255.255.240) echo 28 ;; 255.255.255.224) echo 27 ;; 255.255.255.192) echo 26 ;; 255.255.255.128) echo 25 ;; 255.255.255.0) echo 24 ;; 255.255.254.0) echo 23 ;; 255.255.252.0) echo 22 ;; 255.255.248.0) echo 21 ;; 255.255.240.0) echo 20 ;; 255.255.224.0) echo 19 ;; 255.255.192.0) echo 18 ;; 255.255.128.0) echo 17 ;; 255.255.0.0) echo 16 ;; 255.254.0.0) echo 15 ;; 255.252.0.0) echo 14 ;; 255.248.0.0) echo 13 ;; 255.240.0.0) echo 12 ;; 255.224.0.0) echo 11 ;; 255.192.0.0) echo 10 ;; 255.128.0.0) echo 9 ;; 255.0.0.0) echo 8 ;; 254.0.0.0) echo 7 ;; 252.0.0.0) echo 6 ;; 248.0.0.0) echo 5 ;; 240.0.0.0) echo 4 ;; 224.0.0.0) echo 3 ;; 192.0.0.0) echo 2 ;; 128.0.0.0) echo 1 ;; 0.0.0.0) echo 0 ;; *) echo 32 ;; esac } #End of mask2bits doroute() { # parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP" # parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK" PLUTO_PEER_CLIENT_BITS=`mask2bits $PLUTO_PEER_CLIENT_MASK` 
parms="$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_BITS" parms2="dev $PLUTO_INTERFACE via $PLUTO_NEXT_HOP" case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # horrible kludge for obscure routing bug with opportunistic # it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 && # route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2" it="ip route $1 0.0.0.0/1 $parms2 &&" it="$it ip route $1 128.0.0.0/1 $parms2" ;; # *) it="route $1 $parms $parms2" *) it="ip route $1 $parms $parms2" ;; esac eval $it st=$? if test $st -ne 0 then # route has already given its own cryptic message echo "$0: \`$it' failed" >&2 if test " $1 $st" = " add 7" then # another totally undocumented interface -- 7 and # "SIOCADDRT: Network is unreachable" means that # the gateway isn't reachable. echo "$0: (incorrect or missing nexthop setting??)" >&2 fi fi return $st } # the big choice case "$PLUTO_VERB:$1" in prepare-host:*|prepare-client:*) # delete possibly-existing route (preliminary to adding a route) case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in "0.0.0.0/0.0.0.0") # horrible kludge for obscure routing bug with opportunistic # it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ; # route del -net 128.0.0.0 netmask 128.0.0.0 2>&1" it="ip route del 0.0.0.0/1 2>&1 ; ip route del 128.0.0.0/1 2>&1" ;; *) # it="route del -net $PLUTO_PEER_CLIENT_NET \ # netmask $PLUTO_PEER_CLIENT_MASK 2>&1" PLUTO_PEER_CLIENT_BITS=`mask2bits $PLUTO_PEER_CLIENT_MASK` parms="$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_BITS" it="ip route del $parms 2>&1" ;; esac oops="`eval $it`" status="$?" if test " $oops" = " " -a " $status" != " 0" then oops="silent error, exit status $status" fi case "$oops" in # <CTC> iproute2 gives a _different_ incomprehensible answer # 'SIOCDELRT: No such process'*) 'RTNETLINK answers: No such process'*) # </CTC> # This is what route (currently -- not documented!) gives # for "could not find such a route". 
oops= status=0 ;; esac if test " $oops" != " " -o " $status" != " 0" then echo "$0: \`$it' failed ($oops)" >&2 fi exit $status ;; route-host:*|route-client:*) # connection to me or my client subnet being routed uproute ;; unroute-host:*|unroute-client:*) # connection to me or my client subnet being unrouted downroute ;; up-host:*) # connection to me coming up # If you are doing a custom version, firewall commands go here. ;; down-host:*) # connection to me going down # If you are doing a custom version, firewall commands go here. ;; up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. ;; down-client:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. ;; up-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. # <CTC> replace with iptables commands # ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ # -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT # </CTC> ;; down-client:ipfwadm) # connection to client subnet, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. 
# <CTC> replace with iptables commands # ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ # -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK iptables -D FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT iptables -D FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT # </CTC> ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 ;; esac + _________________________ proc/net/dev + + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 dummy0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eth0: 2347452 7811 0 0 0 0 0 0 1848 27 0 0 0 0 0 0 eth1: 3136 29 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _________________________ proc/net/route + + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT eth0 00F97241 00000000 0001 0 0 0 00FFFFFF 40 0 0 ipsec0 00F97241 00000000 0001 0 0 0 00FFFFFF 40 0 0 eth1 0008040A 00000000 0001 0 0 0 00FFFFFF 40 0 0 eth0 00000000 01F97241 0003 0 0 0 00000000 40 0 0 + _________________________ proc/sys/net/ipv4/ip_forward + + cat /proc/sys/net/ipv4/ip_forward 1 + _________________________ proc/sys/net/ipv4/conf/star-rp_filter + + cd /proc/sys/net/ipv4/conf + egrep ^ all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:0 eth0/rp_filter:0 eth1/rp_filter:0 ipsec0/rp_filter:0 lo/rp_filter:0 + _________________________ uname-a + + uname -a Linux diablo 2.4.18 #1 Sun Nov 10 17:40:20 UTC 2002 i586 unknown + _________________________ redhat-release + + test -r /etc/redhat-release + 
_________________________ proc/net/ipsec_version + + cat /proc/net/ipsec_version FreeS/WAN version: 1.99 + _________________________ iptables/list + + iptables -L -v -n Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT ah -- lo * 0.0.0.0/0 0.0.0.0/0 6473 259K eth0_in ah -- eth0 * 0.0.0.0/0 0.0.0.0/0 15 2086 eth1_in ah -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:' 0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 eth0_fwd ah -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 eth1_fwd ah -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:' 0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 0 0 ACCEPT ah -- * lo 0.0.0.0/0 0.0.0.0/0 14 854 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED 2 80 fw2net ah -- * eth0 0.0.0.0/0 0.0.0.0/0 0 0 all2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0 0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:' 0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain all2all (5 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02 15 2086 common ah -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:' 0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain common (5 references) pkts bytes target prot 
opt in out source destination 0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 16 2164 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 reject-with icmp-port-unreachable 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445 reject-with icmp-port-unreachable 1 40 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 0 0 DROP ah -- * * 0.0.0.0/0 255.255.255.255 0 0 DROP ah -- * * 0.0.0.0/0 224.0.0.0/4 1 40 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW 0 0 DROP ah -- * * 0.0.0.0/0 65.114.249.255 0 0 DROP ah -- * * 0.0.0.0/0 10.4.8.255 Chain dynamic (4 references) pkts bytes target prot opt in out source destination Chain eth0_fwd (1 references) pkts bytes target prot opt in out source destination 0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0 0 0 rfc1918 ah -- * * 0.0.0.0/0 0.0.0.0/0 0 0 net2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0 Chain eth0_in (1 references) pkts bytes target prot opt in out source destination 6473 259K dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 6473 259K rfc1918 ah -- * * 0.0.0.0/0 0.0.0.0/0 13 748 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 6460 258K net2fw ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain eth1_fwd (1 references) pkts bytes target prot opt in out source destination 0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0 0 0 loc2net ah -- * eth0 0.0.0.0/0 0.0.0.0/0 Chain eth1_in (1 references) pkts bytes target prot opt in out source destination 15 2086 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 15 2086 loc2fw ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain fw2gw (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02 0 0 ACCEPT udp -- * * 0.0.0.0/0 
0.0.0.0/0 udp spt:500 dpt:500 state NEW 0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain fw2net (1 references) pkts bytes target prot opt in out source destination 2 80 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT 51 -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53 0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain gw2fw (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW 0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain icmpdef (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 Chain loc2fw (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 15 2086 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain loc2net (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain logdrop (27 references) pkts bytes target prot opt in out source destination 0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix 
`Shorewall:rfc1918:DROP:' 0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain net2all (2 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02 6459 258K common ah -- * * 0.0.0.0/0 0.0.0.0/0 6456 258K LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:' 6456 258K DROP ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain net2fw (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 1 40 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT 51 -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW 6459 258K net2all ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain newnotsyn (8 references) pkts bytes target prot opt in out source destination 1 40 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0 Chain reject (6 references) pkts bytes target prot opt in out source destination 2 80 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset 0 0 REJECT ah -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain rfc1918 (2 references) pkts bytes target prot opt in out source destination 0 0 RETURN ah -- * * 255.255.255.255 0.0.0.0/0 0 0 DROP ah -- * * 169.254.0.0/16 0.0.0.0/0 0 0 logdrop ah -- * * 172.16.0.0/12 0.0.0.0/0 0 0 logdrop ah -- * * 192.0.2.0/24 0.0.0.0/0 0 0 logdrop ah -- * * 192.168.0.0/16 0.0.0.0/0 0 0 logdrop ah -- * * 0.0.0.0/7 0.0.0.0/0 0 0 logdrop ah -- * * 2.0.0.0/8 0.0.0.0/0 0 0 logdrop ah -- * * 5.0.0.0/8 0.0.0.0/0 0 0 logdrop ah -- * * 7.0.0.0/8 0.0.0.0/0 0 0 logdrop ah -- * * 10.0.0.0/8 0.0.0.0/0 0 0 logdrop ah -- * * 23.0.0.0/8 0.0.0.0/0 0 0 logdrop ah -- * * 27.0.0.0/8 0.0.0.0/0 0 0 logdrop ah -- * * 31.0.0.0/8 0.0.0.0/0 0 0 logdrop ah -- * * 36.0.0.0/7 0.0.0.0/0 0 0 logdrop ah -- * * 39.0.0.0/8 0.0.0.0/0 0 0 
logdrop ah -- * * 41.0.0.0/8 0.0.0.0/0 0 0 logdrop ah -- * * 42.0.0.0/8 0.0.0.0/0 0 0 logdrop ah -- * * 58.0.0.0/7 0.0.0.0/0 0 0 logdrop ah -- * * 60.0.0.0/8 0.0.0.0/0 0 0 logdrop ah -- * * 70.0.0.0/7 0.0.0.0/0 0 0 logdrop ah -- * * 72.0.0.0/5 0.0.0.0/0 0 0 logdrop ah -- * * 82.0.0.0/7 0.0.0.0/0 0 0 logdrop ah -- * * 84.0.0.0/6 0.0.0.0/0 0 0 logdrop ah -- * * 88.0.0.0/5 0.0.0.0/0 0 0 logdrop ah -- * * 96.0.0.0/3 0.0.0.0/0 0 0 logdrop ah -- * * 127.0.0.0/8 0.0.0.0/0 0 0 logdrop ah -- * * 197.0.0.0/8 0.0.0.0/0 0 0 logdrop ah -- * * 222.0.0.0/7 0.0.0.0/0 0 0 logdrop ah -- * * 240.0.0.0/4 0.0.0.0/0 Chain shorewall (0 references) pkts bytes target prot opt in out source destination + _________________________ ipchains/list + + ipchains -L -v -n ipchains: not found + _________________________ ipfwadm/forward + + ipfwadm -F -l -n -e ipfwadm: not found + _________________________ ipfwadm/input + + ipfwadm -I -l -n -e ipfwadm: not found + _________________________ ipfwadm/output + + ipfwadm -O -l -n -e ipfwadm: not found + _________________________ iptables/nat + + iptables -t nat -L -v -n Chain PREROUTING (policy ACCEPT 6908 packets, 295K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2 packets, 80 bytes) pkts bytes target prot opt in out source destination 2 80 eth0_masq ah -- * eth0 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain eth0_masq (1 references) pkts bytes target prot opt in out source destination 0 0 MASQUERADE ah -- * * 10.4.8.0/24 0.0.0.0/0 + _________________________ ipchains/masq + + ipchains -M -L -v -n ipchains: not found + _________________________ ipfwadm/masq + + ipfwadm -M -l -n -e ipfwadm: not found + _________________________ iptables/mangle + + iptables -t mangle -L -v -n Chain PREROUTING (policy ACCEPT 6908 packets, 295K bytes) pkts bytes target prot opt in out source destination 6892 293K man1918 ah -- eth0 * 0.0.0.0/0 
0.0.0.0/0
 6906  295K pretos     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 6488 packets, 261K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16 packets, 934 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16   934 outtos     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 16 packets, 934 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain logdrop (27 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:man1918:DROP:'
    0     0 DROP       ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain man1918 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     ah   --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       ah   --  *      *       0.0.0.0/0            169.254.0.0/16
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            192.0.2.0/24
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            0.0.0.0/7
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            2.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            5.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            7.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            23.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            27.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            31.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            36.0.0.0/7
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            39.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            41.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            42.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            58.0.0.0/7
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            60.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            70.0.0.0/7
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            72.0.0.0/5
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            82.0.0.0/7
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            84.0.0.0/6
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            88.0.0.0/5
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            96.0.0.0/3
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            127.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            197.0.0.0/8
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            222.0.0.0/7
    0     0 logdrop    ah   --  *      *       0.0.0.0/0            240.0.0.0/4

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   160 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 TOS set 0x10
    4   160 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:20 TOS set 0x08
    4   160 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20 TOS set 0x08
+ _________________________ proc/modules
+
+ cat /proc/modules
ipsec                 133776   2
ip_nat_irc              2400   0 (unused)
ip_nat_ftp              3008   0 (unused)
ip_conntrack_irc        3104   1
ip_conntrack_ftp        3840   1
3c59x                  24752   2
ide-prob                7516   0
ide-disk                6560   0
ide-mod                50948   0 [ide-prob ide-disk]
+ _________________________ proc/meminfo
+
+ cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  47763456 12197888 35565568        0    69632  6836224
Swap:        0        0        0
MemTotal:        46644 kB
MemFree:         34732 kB
MemShared:           0 kB
Buffers:            68 kB
Cached:           6676 kB
SwapCached:          0 kB
Active:             20 kB
Inactive:         9048 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        46644 kB
LowFree:         34732 kB
SwapTotal:           0 kB
SwapFree:            0 kB
+ _________________________ dev/ipsec-ls
+
+ ls -l /dev/ipsec*
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r--    1 root     wheel           0 Jan  1 15:55 /proc/net/ipsec_eroute
-r--r--r--    1 root     wheel           0 Jan  1 15:55 /proc/net/ipsec_spi
-r--r--r--    1 root     wheel           0 Jan  1 15:55 /proc/net/ipsec_spigrp
-r--r--r--    1 root     wheel           0 Jan  1 15:55 /proc/net/ipsec_tncfg
-r--r--r--    1 root     wheel           0 Jan  1 15:55 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+
+ test -f /usr/src/linux/.config
+ _________________________ etc/syslog.conf
+
+ cat /etc/syslog.conf
# /etc/syslog.conf     Configuration file for syslogd.
#
#                      For more information see syslog.conf(5)
#                      manpage.

#
# Log everything remotely. The other machine must run syslog with '-r'.
# WARNING: Doing this is unsecure and can open you up to a DoS attack.
#
#*.*                   @host.ip.address-or-name.here

#
# First some standard logfiles. Log by facility.
#

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#cron.*                         /var/log/cron.log
#lpr.*                          -/var/log/lpr.log
#mail.*                         /var/log/mail.log
#user.*                         -/var/log/user.log
#uucp.*                         -/var/log/uucp.log

#
# Some `catch-all' logfiles.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         *

#ppp
local2.*                        -/var/log/ppp.log
#portslave
local6.*                        -/var/log/pslave.log
+ _________________________ etc/resolv.conf
+
+ cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 10.4.8.254
nameserver 65.114.248.4
nameserver 65.114.248.5
+ _________________________ lib/modules-ls
+
+ ls -ltr /lib/modules
-rw-r--r--    1 root     root         6744 Nov 11 13:25 slhc.o
-rw-r--r--    1 root     root         3636 Nov 11 13:25 pppox.o
-rw-r--r--    1 root     root        11732 Nov 11 13:25 pppoe.o
-rw-r--r--    1 root     root         7908 Nov 11 13:25 ppp_synctty.o
-rw-r--r--    1 root     root        22352 Nov 11 13:25 ppp_mppe.o
-rw-r--r--    1 root     root        23712 Nov 11 13:25 ppp_generic.o
-rw-r--r--    1 root     root        39424 Nov 11 13:25 ppp_deflate.o
-rw-r--r--    1 root     root         9948 Nov 11 13:25 ppp_async.o
-rw-r--r--    1 root     root         8516 Nov 11 13:25 ne2k-pci.o
-rw-r--r--    1 root     root         8144 Nov 11 13:25 ne.o
-rw-r--r--    1 root     root         9816 Nov 11 13:25 n_hdlc.o
-rw-r--r--    1 root     root         4200 Nov 11 13:25 ip_nat_irc.o
-rw-r--r--    1 root     root         4748 Nov 11 13:25 ip_nat_ftp.o
-rw-r--r--    1 root     root         5716 Nov 11 13:25 ip_conntrack_irc.o
-rw-r--r--    1 root     root         5936 Nov 11 13:25 ip_conntrack_ftp.o
-rw-r--r--    1 root     root        26328 Nov 11 13:25 eepro100.o
-rw-r--r--    1 root     root         8872 Nov 11 13:25 8390.o
-rw-r--r--    1 root     root        36120 Nov 11 13:25 3c59x.o
-rwxr-xr-x    1 root     root       165334 Dec 26 10:58 ipsec.o
lrwxrwxrwx    1 root     root           12 Jan  1 16:01 2.4.18 -> /lib/modules
+ _________________________ proc/ksyms-netif_rx
+
+ egrep netif_rx /proc/ksyms
c018d710 netif_rx
+ _________________________ lib/modules-netif_rx
+
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.18:
+ _________________________ kern.debug
+
+ test -f /var/log/kern.debug
+ _________________________ klog
+
+ sed -n 100,$p /var/log/syslog
+ egrep -i ipsec|klips|pluto
+ cat
Jan 1 15:36:09 diablo ipsec_setup: Starting FreeS/WAN IPsec 1.99...
Jan 1 15:36:09 diablo ipsec_setup: Using /lib/modules/ipsec.o
Jan 1 15:36:09 diablo ipsec_setup: KLIPS ipsec0 on eth0 65.114.249.131/24 broadcast 65.114.249.255
Jan 1 15:36:09 diablo ipsec_setup: ...FreeS/WAN IPsec started
+ _________________________ plog
+
+ sed -n 156,$p /var/log/auth.log
+ egrep -i pluto
+ cat
Jan 1 15:36:09 diablo ipsec__plutorun: Starting Pluto subsystem...
Jan 1 15:36:09 diablo pluto[11177]: Starting Pluto (FreeS/WAN Version 1.99)
Jan 1 15:36:09 diablo pluto[11177]: | opening /dev/urandom
Jan 1 15:36:09 diablo pluto[11177]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Jan 1 15:36:09 diablo pluto[11177]: | process 11177 listening for PF_KEY_V2 on file descriptor 6
Jan 1 15:36:09 diablo pluto[11177]: | finish_pfkey_msg: SADB_REGISTER message 1 for AH
Jan 1 15:36:09 diablo pluto[11177]: |   02 07 00 02  02 00 00 00  01 00 00 00  a9 2b 00 00
Jan 1 15:36:09 diablo pluto[11177]: | pfkey_get: SADB_REGISTER message 1
Jan 1 15:36:09 diablo pluto[11177]: | AH registered with kernel.
Jan 1 15:36:09 diablo pluto[11177]: | finish_pfkey_msg: SADB_REGISTER message 2 for ESP
Jan 1 15:36:09 diablo pluto[11177]: |   02 07 00 03  02 00 00 00  02 00 00 00  a9 2b 00 00
Jan 1 15:36:09 diablo pluto[11177]: | pfkey_get: SADB_REGISTER message 2
Jan 1 15:36:09 diablo pluto[11177]: | ESP registered with kernel.
Jan 1 15:36:09 diablo pluto[11177]: | finish_pfkey_msg: SADB_REGISTER message 3 for IPCOMP
Jan 1 15:36:09 diablo pluto[11177]: |   02 07 00 0a  02 00 00 00  03 00 00 00  a9 2b 00 00
Jan 1 15:36:09 diablo pluto[11177]: | pfkey_get: SADB_REGISTER message 3
Jan 1 15:36:09 diablo pluto[11177]: | IPCOMP registered with kernel.
Jan 1 15:36:09 diablo pluto[11177]: | finish_pfkey_msg: SADB_REGISTER message 4 for IPIP
Jan 1 15:36:09 diablo pluto[11177]: |   02 07 00 09  02 00 00 00  04 00 00 00  a9 2b 00 00
Jan 1 15:36:09 diablo pluto[11177]: | pfkey_get: SADB_REGISTER message 4
Jan 1 15:36:09 diablo pluto[11177]: | IPIP registered with kernel.
Jan 1 15:36:09 diablo pluto[11177]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Jan 1 15:36:09 diablo pluto[11177]: | next event EVENT_SHUNT_SCAN in 120 seconds
Jan 1 15:36:10 diablo pluto[11177]: |
Jan 1 15:36:10 diablo pluto[11177]: | *received whack message
Jan 1 15:36:10 diablo pluto[11177]: added connection description "w2k-road-warriors"
Jan 1 15:36:10 diablo pluto[11177]: | 10.4.8.0/24===65.114.249.131...%any
Jan 1 15:36:10 diablo pluto[11177]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS
Jan 1 15:36:10 diablo pluto[11177]: | next event EVENT_SHUNT_SCAN in 119 seconds
Jan 1 15:36:10 diablo pluto[11177]: |
Jan 1 15:36:10 diablo pluto[11177]: | *received whack message
Jan 1 15:36:10 diablo pluto[11177]: listening for IKE messages
Jan 1 15:36:10 diablo pluto[11177]: | found lo with address 127.0.0.1
Jan 1 15:36:10 diablo pluto[11177]: | found eth0 with address 65.114.249.131
Jan 1 15:36:10 diablo pluto[11177]: | found eth1 with address 10.4.8.254
Jan 1 15:36:10 diablo pluto[11177]: | found ipsec0 with address 65.114.249.131
Jan 1 15:36:10 diablo pluto[11177]: | IP interface eth1 10.4.8.254 has no matching ipsec* interface -- ignored
Jan 1 15:36:10 diablo pluto[11177]: adding interface ipsec0/eth0 65.114.249.131
Jan 1 15:36:10 diablo pluto[11177]: | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
Jan 1 15:36:10 diablo pluto[11177]: | could not open /proc/net/if_inet6
Jan 1 15:36:10 diablo pluto[11177]: loading secrets from "/etc/ipsec.secrets"
Jan 1 15:36:10 diablo pluto[11177]: | next event EVENT_SHUNT_SCAN in 119 seconds
Jan 1 15:36:32 diablo pluto[11177]: |
Jan 1 15:36:32 diablo pluto[11177]: | *received whack message
Jan 1 15:36:32 diablo pluto[11177]: | next event EVENT_SHUNT_SCAN in 97 seconds
Jan 1 15:38:09 diablo pluto[11177]: |
Jan 1 15:38:09 diablo pluto[11177]: | *time to handle event
Jan 1 15:38:09 diablo pluto[11177]: | event after this is EVENT_REINIT_SECRET in 3480 seconds
Jan 1 15:38:09 diablo pluto[11177]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Jan 1 15:38:09 diablo pluto[11177]: | next event EVENT_SHUNT_SCAN in 120 seconds
Jan 1 15:40:09 diablo pluto[11177]: |
Jan 1 15:40:09 diablo pluto[11177]: | *time to handle event
Jan 1 15:40:09 diablo pluto[11177]: | event after this is EVENT_REINIT_SECRET in 3360 seconds
Jan 1 15:40:09 diablo pluto[11177]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Jan 1 15:40:09 diablo pluto[11177]: | next event EVENT_SHUNT_SCAN in 120 seconds
Jan 1 15:42:09 diablo pluto[11177]: |
Jan 1 15:42:09 diablo pluto[11177]: | *time to handle event
Jan 1 15:42:09 diablo pluto[11177]: | eve
+ _________________________ date
+
+ date
Wed Jan 1 15:55:48 UTC 2003

ping
---
Pinging 10.4.8.254 with 32 bytes of data:

Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.

Ping statistics for 10.4.8.254:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Well, if anyone has any ideas...

Thanks!
Steve

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
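An added check for the thread, not code from Steve's post nor from the Shorewall or FreeS/WAN projects. Two things in the post point at the firewall rather than at IPsec itself: pluto logs "listening for IKE messages" and then nothing but its own timer events, so no IKE packet ever reached it, and the nmap run was a TCP SYN scan (-sS), which says nothing about UDP 500 or about IP protocols 50 (ESP) and 51 (AH). Since `iptables -C` on that box only answers "Will be implemented real soon", the script below does the check by hand on the output of `iptables -L -n -v` (the -v matters: the parser expects the pkts/bytes columns in front of the target). It reports which chains ACCEPT IKE (udp/500), ESP and AH, and exits 0 only when IKE and ESP are both accepted; AH is informational because the logged policy PSK+ENCRYPT+TUNNEL+PFS uses ESP, so AH is only needed with auth=ah. The sample listings are constructed, modelled on Shorewall's INPUT -> eth0_in -> net2fw chain layout, and the zone names "net" and "fw" in the comments are assumed. One caveat from the post itself: in the mangle-table dump every rule, including the catch-all pretos, outtos and LOG jumps, prints "ah" in the prot column, so on that iptables build a bare grep for "ah" proves nothing; the script therefore only counts rules whose target is ACCEPT. It checks presence, not rule order or chain reachability.

```shell
#!/bin/sh
# Added example, not from the original post. Checks an `iptables -L -n -v`
# listing for the three things a FreeS/WAN gateway must accept from outside:
# IKE (udp/500), ESP (protocol 50) and AH (protocol 51, auth=ah only).

# Usage: check_ipsec_passthrough "$(iptables -L -n -v)"
# Prints one line per requirement; returns 0 only if IKE and ESP are ACCEPTed.
check_ipsec_passthrough() {
    printf '%s\n' "$1" | awk '
        /^Chain /      { chain = $2; next }   # remember which chain we are in
        $3 != "ACCEPT" { next }               # only ACCEPT rules let traffic in
        $4 == "udp" && ($0 ~ /dpt:500$/ || $0 ~ /dpt:500 /) { ike = ike " " chain }
        $4 == "esp"    { esp = esp " " chain }
        $4 == "ah"     { ah  = ah  " " chain }
        END {
            printf "IKE  udp/500  : %s\n", ((ike == "") ? "NOT accepted" : "accepted in" ike)
            printf "ESP  proto 50 : %s\n", ((esp == "") ? "NOT accepted" : "accepted in" esp)
            printf "AH   proto 51 : %s\n", ((ah  == "") ? "not accepted (only needed for auth=ah)" : "accepted in" ah)
            if (ike != "" && esp != "") exit 0
            exit 1
        }'
}

# Constructed sample (not the poster's ruleset), laid out the way Shorewall
# builds the filter table: INPUT -> eth0_in -> net2fw, net->fw policy ending
# in logdrop. It lets ssh and established traffic in but nothing IPsec needs,
# which leaves the Windows client at "Negotiating IP Security" for ever while
# pluto never sees a packet.
SAMPLE_MISSING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9800 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9800 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   80  6400 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   40  3200 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# The same table after adding, in Shorewall rules-file terms (zone names
# "net" and "fw" assumed):
#   ACCEPT  net  fw  udp  500
#   ACCEPT  net  fw  50
#   ACCEPT  net  fw  51
# They are inserted ahead of logdrop: a rule behind a catch-all never fires.
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_MISSING" | awk '
    $3 == "logdrop" {
        print "    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500"
        print "    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0"
        print "    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0"
    }
    { print }')

echo "== ruleset without IPsec rules =="
check_ipsec_passthrough "$SAMPLE_MISSING" || echo "=> IKE never reaches pluto; client sits at 'Negotiating IP Security'"
echo "== ruleset with IPsec rules =="
check_ipsec_passthrough "$SAMPLE_FIXED" && echo "=> firewall is fine; look at ipsec.conf, ipsec.secrets and the Windows policy next"
```

On the Bering box itself run `check_ipsec_passthrough "$(iptables -L -n -v)"`; if it comes back with IKE or ESP "NOT accepted", add the three Shorewall rules and restart Shorewall before touching the IPsec configuration again. For an outside view, nmap can probe the same things the SYN scan missed: `nmap -sU -p 500` for IKE and `nmap -sO` for the IP protocol numbers.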