You somehow totally mixed up your certificates and private keys.

- Create a CA, possessing a self-signed CA certificate cacert.pem.

- Then create two private keys called keyA.pem and keyB.pem.

- Generate two certificate requests reqA.pem and reqB.pem
  signed by keyA.pem and keyB.pem, respectively.

- Use the CA to sign two certificates certA.pem and
  certB.pem based on the requests keyA.pem and keyB.pem, respectively.

- Copy cacert.pem to /etc/ipsec.d/cacerts on both hosts A and B.

On host A:

ipsec.secrets

: RSA keyA.pem

ipsec.conf

conn A-to-B
   right=<IP of B>
   rightid=<DN of certB.pem>
   rightrsasigkey=%cert
   left=%defaultroute
   leftcert=certA.pem
   auto=add

On host B:

ipsec.secrets

: RSA keyB.pem

ipsec.conf

conn B-to-A
   right=<IP of A>
   rightid=<DN of certA.pem>
   rightrsasigkey=%cert
   left=%defaultroute
   leftcert=certB.pem
   auto=add

Regards

Andreas
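
As an added example that is not part of Andreas's reply or of the FreeS/WAN distribution, the following shell script builds the PKI the steps above describe with OpenSSL and then runs the two checks that would have caught the mix-up in the original post: each host certificate chains to cacert.pem, and each host's private key really belongs to its leftcert. The DNs, the host names hostA/hostB and the work directory are constructed sample values, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeS/WAN.
# Builds a CA, two host keys, two requests and two CA-signed certificates,
# then checks the things Pluto relies on: the peer cert chains to cacert.pem
# and the local cert matches the ": RSA" key in ipsec.secrets.
# Assumptions: openssl on PATH; DNs, host names and $WORK are constructed.
set -eu

WORK="${PKI_DIR:-./pki-demo}"
CA_SUBJ="/C=DE/O=Example VPN/CN=Example VPN CA"

build_pki() {
    mkdir -p "$WORK"
    # 1. A CA with a self-signed certificate cacert.pem
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -days 365 -subj "$CA_SUBJ"
    # 2. One private key per host; each key stays on its own host
    openssl genrsa -out "$WORK/keyA.pem" 2048 2>/dev/null
    openssl genrsa -out "$WORK/keyB.pem" 2048 2>/dev/null
    # 3. Certificate requests, each signed by that host's own key
    openssl req -new -key "$WORK/keyA.pem" -out "$WORK/reqA.pem" \
        -subj "/C=DE/O=Example VPN/CN=hostA"
    openssl req -new -key "$WORK/keyB.pem" -out "$WORK/reqB.pem" \
        -subj "/C=DE/O=Example VPN/CN=hostB"
    # 4. The CA signs the requests (not the keys) into certA.pem and certB.pem
    for h in A B; do
        openssl x509 -req -in "$WORK/req$h.pem" -CA "$WORK/cacert.pem" \
            -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
            -out "$WORK/cert$h.pem" 2>/dev/null
    done
}

# Does this certificate chain to cacert.pem? (what Pluto checks on the peer's cert)
chains_to_ca() {
    openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1
}

# Does this private key belong to this certificate? (leftcert vs ": RSA key")
# Same RSA modulus in both files means they are a pair.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus)
    c=$(openssl x509 -in "$2" -noout -modulus)
    [ "$k" = "$c" ]
}

# Subject DN in the "C=.., O=.., CN=.." form used for rightid= on the peer
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space,sname \
        | sed 's/^subject= *//'
}

build_pki
for h in A B; do
    if chains_to_ca "$WORK/cert$h.pem"; then
        echo "cert$h.pem: chains to cacert.pem"
    else
        echo "cert$h.pem: NOT signed by this CA" >&2
    fi
    if key_matches_cert "$WORK/key$h.pem" "$WORK/cert$h.pem"; then
        echo "key$h.pem: is the private key for cert$h.pem"
    else
        echo "key$h.pem: does NOT belong to cert$h.pem (check ipsec.secrets)" >&2
    fi
    echo "rightid on the peer of host $h: \"$(cert_dn "$WORK/cert$h.pem")\""
done
# The failure mode from the thread: one key file checked against the other cert
if ! key_matches_cert "$WORK/keyA.pem" "$WORK/certB.pem"; then
    echo "keyA.pem does not belong to certB.pem: each host needs its own key/cert pair"
fi
```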

MacManitou wrote:

Hello,

I have a problem with the installation of freeswan, maybe anybody can see the mistake I have made.
My ipsec.conf does look like this:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file


# basic configuration
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        forwardcontrol=no
        fragicmp=yes
        uniqueids=yes

conn %default
        type=tunnel
        # connection tries (0=unlimited)
        keyingtries=10
        compress=yes
        authby=rsasig

conn denver211-to-hamburg183
        type=tunnel
        left= 100.100.100.5
        leftnexthop=
        leftid="C=de/ST=Lower Saxony/L=Lehrte/O=Webblazer/OU=Administration/CN=Sascha Muellner/[EMAIL PROTECTED]"
        leftcert=webblazer.de.pem
        leftrsasigkey=%cert
        right=100.100.100.211
        rightnexthop=
        rightid="C=de/ST=Lower Saxony/L=Lehrte/O=Webblazer/OU=Administration/CN=Sascha Muellner/[EMAIL PROTECTED]"
        rightcert=webblazer.de.pem
        rightrsasigkey=%cert
        auto=add


As you can see I only want to create a secure tunnel between two computers.
My Problem is documented with this error log:

denver211
Mon Aug 11 02:11:28 CEST 2003
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 1.99
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.20-4GB-athlon ([EMAIL PROTECTED]) (gcc version 3.3 20030226 (prerelease) (SuSE Linux)) #1 Fri Jul 11 20:16:51 UTC 2003
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
100.100.100.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
100.100.100.0 0.0.0.0 255.255.254.0 U 0 0 0 ipsec0
0.0.0.0 100.100.100.1 0.0.0.0 UG 0 0 0 eth0
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
c7205040 5799 c92d6154 0 0 0 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c92d6154 5799 c7205040
pf_key_registered: 3 c92d6154 5799 c7205040
pf_key_registered: 9 c92d6154 5799 c7205040
pf_key_registered: 10 c92d6154 5799 c7205040
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 3 15 3 64 168 168
pf_key_supported: 3 15 3 64 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 4 0 128 128
pf_key_supported: 9 15 3 0 32 128
pf_key_supported: 9 15 2 0 128 32
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' icmp inbound_policy_check tos
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 100.100.100.211
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536 (extension), bits=1536
000 algorithm IKE dh group: id=42048, name=OAKLEY_GROUP_MODP2048 (extension), bits=2048
000 algorithm IKE dh group: id=43072, name=OAKLEY_GROUP_MODP3072 (extension), bits=3072
000 algorithm IKE dh group: id=44096, name=OAKLEY_GROUP_MODP4096 (extension), bits=4096
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "denver211-to-hamburg183": 100.100.100.211[C=de, ST=Lower Saxony, L=Lehrte, O=Webblazer, OU=Administration, CN=Sascha Muellner, [EMAIL PROTECTED], ST=Lower Saxony, L=Lehrte, O=Webblazer, OU=Administration, CN=Sascha Muellner, [EMAIL PROTECTED]
000 "denver211-to-hamburg183": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10
000 "denver211-to-hamburg183": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; unrouted
000 "denver211-to-hamburg183": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "denver211-to-hamburg183": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=-strict
000 "denver211-to-hamburg183": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "denver211-to-hamburg183": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "denver211-to-hamburg183": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000
000 #1: "denver211-to-hamburg183" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 18s
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:39:0E:F0
          inet addr:100.100.100.211  Bcast:100.100.100.255  Mask:255.255.254.0
          inet6 addr: fe80::2e0:4cff:fe39:ef0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:179054 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4530 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14392347 (13.7 Mb)  TX bytes:929273 (907.4 Kb)
          Interrupt:11


ipsec0    Link encap:IPIP Tunnel  HWaddr
          inet addr:100.100.100.211  Mask:255.255.254.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec1    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec2    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec3    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
denver211.server4free.de
+ _________________________ hostname/ipaddress
+ hostname --ip-address
100.100.100.211
+ _________________________ uptime
+ uptime
2:11am up 1:06, 1 user, load average: 0.52, 0.14, 0.05
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 5905 1301 15 0 4680 1216 wait4 S pts/0 0:00 \_ /bin/sh /usr/sbin/ipsec barf
0 0 5906 5905 23 0 4704 1268 - R pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/barf
0 0 5797 1 25 0 4696 1240 wait4 S pts/0 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --dump --load %search --start %search --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
0 0 5798 5797 25 0 4696 1240 wait4 S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --dump --load %search --start %search --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
0 0 5799 5798 15 0 2216 1056 schedu S pts/0 0:00 | \_ /usr/lib/ipsec/pluto --nofork --debug-none --uniqueids
0 0 5800 5799 25 0 1408 268 schedu S pts/0 0:00 | \_ _pluto_adns 7 10
0 0 5801 5797 24 0 4688 1240 pipe_w S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --load %search --start %search --wait no --post
0 0 5803 1 25 0 3628 436 pipe_w S pts/0 0:00 logger -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
#dr: no default route
# no default route
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor


#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# basic configuration
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        forwardcontrol=no
        fragicmp=yes
        uniqueids=yes

conn %default
        type=tunnel
        # connection tries (0=unlimited)
        keyingtries=10
        compress=yes
        authby=rsasig

conn denver211-to-hamburg183
        type=tunnel
        left=100.100.100.211
        leftnexthop=
        leftid="C=de/ST=Lower Saxony/L=Lehrte/O=Webblazer/OU=Administration/CN=Sascha Muellner/[EMAIL PROTECTED]"
        leftcert=webblazer.de.pem
        leftrsasigkey=%cert
        right=100.100.100.5
        rightnexthop=
        rightid="C=de/ST=Lower Saxony/L=Lehrte/O=Webblazer/OU=Administration/CN=Sascha Muellner/[EMAIL PROTECTED]"
        rightcert=webblazer.de.pem
        rightrsasigkey=%cert
        auto=add
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor


#< /etc/ipsec.secrets 1
: RSA webblazer.de.key "[sums to 83c0...]"
+ _________________________ ipsec/ls-dir
+ ls -l /usr/lib/ipsec
+ _________________________ ipsec/updowns
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth0:14393205 179068 0 0 0 0 0 0 942827 4539 0 0 0 0 0 0
sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 00B2ACD9 00000000 0001 0 0 0 00FEFFFF 0 0 0
ipsec0 00B2ACD9 00000000 0001 0 0 0 00FEFFFF 0 0 0
eth0 00000000 01B3ACD9 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
0
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux denver211 2.4.20-4GB-athlon #1 Fri Jul 11 20:16:51 UTC 2003 i686 unknown unknown GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.99
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 3996 packets, 2300K bytes)
pkts bytes target prot opt in out source destination


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


Chain OUTPUT (policy ACCEPT 2950 packets, 627K bytes)
pkts bytes target prot opt in out source destination
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/lib/ipsec/barf: line 197: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/lib/ipsec/barf: line 199: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/lib/ipsec/barf: line 201: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/lib/ipsec/barf: line 203: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 302 packets, 40589 bytes)
pkts bytes target prot opt in out source destination


Chain POSTROUTING (policy ACCEPT 68 packets, 5051 bytes)
pkts bytes target prot opt in out source destination


Chain OUTPUT (policy ACCEPT 68 packets, 5051 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/lib/ipsec/barf: line 207: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/lib/ipsec/barf: line 209: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 4216 packets, 2332K bytes)
pkts bytes target prot opt in out source destination


Chain INPUT (policy ACCEPT 3992 packets, 2300K bytes)
pkts bytes target prot opt in out source destination


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


Chain OUTPUT (policy ACCEPT 2941 packets, 622K bytes)
pkts bytes target prot opt in out source destination


Chain POSTROUTING (policy ACCEPT 2941 packets, 622K bytes)
pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ cat /proc/modules
ipsec_sha1 8016 0 (unused)
ipsec_md5 5008 0 (unused)
ipsec_3des 17304 0 (unused)
ipsec 150752 2 [ipsec_sha1 ipsec_md5 ipsec_3des]
iptable_mangle 2200 0 (autoclean) (unused)
iptable_nat 16366 0 (autoclean) (unused)
ip_conntrack 16964 1 (autoclean) [iptable_nat]
iptable_filter 1708 0 (autoclean) (unused)
ip_tables 11200 5 [iptable_mangle iptable_nat iptable_filter]
isa-pnp 31560 0 (unused)
ipv6 145108 -1 (autoclean)
mousedev 4372 0 (unused)
joydev 5792 0 (unused)
evdev 4192 0 (unused)
input 3264 0 [mousedev joydev evdev]
usb-uhci 23664 0 (unused)
usbcore 63116 1 [usb-uhci]
raw1394 15828 0 (unused)
ieee1394 36496 0 [raw1394]
8139too 15752 1
mii 2528 0 [8139too]
quota_v2 7360 2
ext3 85928 1
jbd 50896 1 [ext3]
+ _________________________ proc/meminfo
+ cat /proc/meminfo
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r-- 1 root root 0 Aug 11 02:11 /proc/net/ipsec_eroute
-r--r--r-- 1 root root 0 Aug 11 02:11 /proc/net/ipsec_spi
-r--r--r-- 1 root root 0 Aug 11 02:11 /proc/net/ipsec_spigrp
-r--r--r-- 1 root root 0 Aug 11 02:11 /proc/net/ipsec_tncfg
-r--r--r-- 1 root root 0 Aug 11 02:11 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
CONFIG_MTD_OBSOLETE_CHIPS=y
CONFIG_CIPHER_TWOFISH=m
CONFIG_MD_MULTIPATH=m
CONFIG_NETLINK_DEV=m
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
# IP: Netfilter Configuration
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_PSD=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_IPLIMIT=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_STRING=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
# CONFIG_IP_NF_NAT_LOCAL is not set
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_COMPAT_IPFWADM=m
CONFIG_IP_NF_NAT_NEEDED=y
# IP: Virtual Server Configuration
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
# IPv6: Netfilter Configuration
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
# CONFIG_SHARED_IPV6_CARDS is not set
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPSEC=m
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
# CONFIG_IDEDMA_PCI_WIP is not set
CONFIG_IDE_CHIPSETS=y
CONFIG_SCSI_IPS_OLD=m
CONFIG_SCSI_IPS=m
# CONFIG_SCSI_IZIP_EPP16 is not set
# CONFIG_SCSI_IZIP_SLOW_CTR is not set
CONFIG_TULIP=m
# CONFIG_TULIP_MWI is not set
# CONFIG_TULIP_MMIO is not set
CONFIG_HIPPI=y
CONFIG_PLIP=m
CONFIG_SLIP=m
CONFIG_SLIP_COMPRESSED=y
CONFIG_SLIP_SMART=y
CONFIG_SLIP_MODE_SLIP6=y
CONFIG_STRIP=m
CONFIG_IPHASE5526=m
CONFIG_WANPIPE_CHDLC=y
# CONFIG_WANPIPE_FR is not set
CONFIG_WANPIPE_X25=y
CONFIG_WANPIPE_PPP=y
CONFIG_WANPIPE_MULTPPP=y
CONFIG_PCMCIA_XIRTULIP=m
CONFIG_IPPP_FILTER=y
CONFIG_HISAX_FRITZ_PCIPNP=m
CONFIG_SERIAL_MULTIPORT=y
CONFIG_TIPAR=m
CONFIG_I2C_PHILIPSPAR=m
CONFIG_INPUT_GRIP=m
CONFIG_IPMI_HANDLER=m
CONFIG_IPMI_PANIC_EVENT=y
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_KCS=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_FBCON_IPLAN2P2=m
CONFIG_FBCON_IPLAN2P4=m
CONFIG_FBCON_IPLAN2P8=m
CONFIG_SND_CMIPCI=m
CONFIG_USB_AIPTEK=m
CONFIG_USB_SERIAL_IPAQ=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf - Configuration file for syslogd(8)
#
# For info about the format of this file, see "man syslog.conf".
#


#
#
# print most on tty10 and on the xconsole pipe
#
kern.warn;*.err;authpriv.none    /dev/tty10
kern.warn;*.err;authpriv.none   |/dev/xconsole
*.emerg                          *

# enable this, if you want that root is informed
# immediately, e.g. of logins
#*.alert                                 root


#
# all email-messages in one file
#
mail.*                          -/var/log/mail
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                         /var/log/mail.err

#
# all news-messages
#
# these files are rotated and examined by "news.daily"
news.crit                       -/var/log/news/news.crit
news.err                        -/var/log/news/news.err
news.notice                     -/var/log/news/news.notice
# enable this, if you want to keep all news messages
# in one file
#news.*                         -/var/log/news.all

#
# Warnings in one file
#
*.=warn;*.=err                  -/var/log/warn
*.crit                           /var/log/warn

#
# save the rest in one file
#
*.*;mail.none;news.none         -/var/log/messages

#
# enable this, if you want to keep all messages
# in one file
#*.*                            -/var/log/allmessages

#
# Some foreign boot scripts require local7
#
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 100.100.90.201
nameserver 100.100.80.5
search Xserver.de
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 4
drwxr-xr-x 10 root root 4096 Aug 10 22:28 2.4.20-4GB-athlon
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c0247630 netif_rx
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.20-4GB-athlon: U netif_rx
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '15832,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Aug 11 02:11:06 denver211 ipsec_setup: Starting FreeS/WAN IPsec 1.99...
Aug 11 02:11:07 denver211 kernel: ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
Aug 11 02:11:07 denver211 kernel: ipsec_md5_init(alg_type=14 alg_id=2 name=md5): ret=0
Aug 11 02:11:07 denver211 kernel: ipsec_sha1_init(alg_type=14 alg_id=3 name=sha1): ret=0
Aug 11 02:11:07 denver211 ipsec_setup: ipsec ipsec_3des ipsec_md5 ipsec_sha1
Aug 11 02:11:07 denver211 ipsec_setup: KLIPS ipsec0 on eth0 100.100.100.211/255.255.254.0 broadcast 100.100.100.255
Aug 11 02:11:07 denver211 ipsec__plutorun: Starting Pluto subsystem...
Aug 11 02:11:07 denver211 pluto[5799]: Starting Pluto (FreeS/WAN Version 1.99)
Aug 11 02:11:07 denver211 pluto[5799]: including X.509 patch with traffic selectors (Version 0.9.23)
Aug 11 02:11:07 denver211 pluto[5799]: including NAT-Traversal patch (Version 0.5a) [disabled]
Aug 11 02:11:07 denver211 pluto[5799]: ike_alg_register_enc: Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 11 02:11:07 denver211 pluto[5799]: ike_alg_register_enc: Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 11 02:11:07 denver211 pluto[5799]: ike_alg_register_hash: Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 11 02:11:07 denver211 pluto[5799]: ike_alg_register_hash: Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 11 02:11:07 denver211 pluto[5799]: ike_alg_register_enc: Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 11 02:11:07 denver211 pluto[5799]: ike_alg_register_enc: Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Aug 11 02:11:07 denver211 pluto[5799]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 11 02:11:07 denver211 pluto[5799]: loaded cacert file 'crl.pem' (715 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: error in X.509 certificate
Aug 11 02:11:07 denver211 pluto[5799]: loaded cacert file 'cacert.pem' (1700 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: loaded cacert file 'cacert.der' (1222 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: Changing to directory '/etc/ipsec.d/crls'
Aug 11 02:11:07 denver211 pluto[5799]: loaded crl file 'crl.pem' (715 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: could not open my default X.509 cert file '/etc/x509cert.der'
Aug 11 02:11:07 denver211 pluto[5799]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Aug 11 02:11:07 denver211 ipsec_setup: ...FreeS/WAN IPsec started
Aug 11 02:11:07 denver211 ipsec_setup: ^M^[[146C^[[10D^[[1;32mdone^[[m^O
Aug 11 02:11:07 denver211 pluto[5799]: | from whack: got --esp=3des
Aug 11 02:11:07 denver211 pluto[5799]: | from whack: got --ike=3des
Aug 11 02:11:07 denver211 pluto[5799]: loaded host cert file '/etc/ipsec.d/webblazer.de.pem' (5128 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: loaded host cert file '/etc/ipsec.d/webblazer.de.pem' (5128 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: added connection description "denver211-to-hamburg183"
Aug 11 02:11:07 denver211 pluto[5799]: listening for IKE messages
Aug 11 02:11:07 denver211 pluto[5799]: adding interface ipsec0/eth0 100.100.100.211
Aug 11 02:11:07 denver211 pluto[5799]: loading secrets from "/etc/ipsec.secrets"
Aug 11 02:11:07 denver211 pluto[5799]: loaded private key file '/etc/ipsec.d/private/webblazer.de.key' (1743 bytes)
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: responding to Main Mode
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Peer ID is ID_DER_ASN1_DN: 'C=de, ST=Lower Saxony, L=Lehrte, O=Webblazer, OU=Administration, CN=Sascha Muellner, [EMAIL PROTECTED]'
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Issuer CA certificate not found
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: X.509 certificate rejected
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Signature check (on C=de, ST=Lower Saxony, L=Lehrte, O=Webblazer, OU=Administration, CN=Sascha Muellner, [EMAIL PROTECTED]) failed (wrong key?); tried *AwEAAZsyQ
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: sending notification INVALID_KEY_INFORMATION to 100.100.100.5:500
Aug 11 02:11:26 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Peer ID is ID_DER_ASN1_DN: 'C=de, ST=Lower Saxony, L=Lehrte, O=Webblazer, OU=Administration, CN=Sascha Muellner, [EMAIL PROTECTED]'
Aug 11 02:11:26 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Issuer CA certificate not found
Aug 11 02:11:26 denver211 pluto[5799]: "denver211-to-hamburg183" #1: X.509 certificate rejected
Aug 11 02:11:26 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Signature check (on C=de, ST=Lower Saxony, L=Lehrte, O=Webblazer, OU=Administration, CN=Sascha Muellner, [EMAIL PROTECTED]) failed (wrong key?); tried *AwEAAZsyQ
Aug 11 02:11:26 denver211 pluto[5799]: "denver211-to-hamburg183" #1: sending notification INVALID_KEY_INFORMATION to 100.100.100.5:500
+ _________________________ plog
+ sed -n '15838,$p' /var/log/messages
+ egrep -i pluto
+ cat
Aug 11 02:11:07 denver211 ipsec__plutorun: Starting Pluto subsystem...
Aug 11 02:11:07 denver211 pluto[5799]: Starting Pluto (FreeS/WAN Version 1.99)
Aug 11 02:11:07 denver211 pluto[5799]: including X.509 patch with traffic selectors (Version 0.9.23)
Aug 11 02:11:07 denver211 pluto[5799]: including NAT-Traversal patch (Version 0.5a) [disabled]
Aug 11 02:11:07 denver211 pluto[5799]: ike_alg_register_enc: Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 11 02:11:07 denver211 pluto[5799]: ike_alg_register_enc: Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 11 02:11:07 denver211 pluto[5799]: ike_alg_register_hash: Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 11 02:11:07 denver211 pluto[5799]: ike_alg_register_hash: Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 11 02:11:07 denver211 pluto[5799]: ike_alg_register_enc: Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 11 02:11:07 denver211 pluto[5799]: ike_alg_register_enc: Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Aug 11 02:11:07 denver211 pluto[5799]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 11 02:11:07 denver211 pluto[5799]: loaded cacert file 'crl.pem' (715 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: error in X.509 certificate
Aug 11 02:11:07 denver211 pluto[5799]: loaded cacert file 'cacert.pem' (1700 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: loaded cacert file 'cacert.der' (1222 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: Changing to directory '/etc/ipsec.d/crls'
Aug 11 02:11:07 denver211 pluto[5799]: loaded crl file 'crl.pem' (715 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: could not open my default X.509 cert file '/etc/x509cert.der'
Aug 11 02:11:07 denver211 pluto[5799]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Aug 11 02:11:07 denver211 pluto[5799]: | from whack: got --esp=3des
Aug 11 02:11:07 denver211 pluto[5799]: | from whack: got --ike=3des
Aug 11 02:11:07 denver211 pluto[5799]: loaded host cert file '/etc/ipsec.d/webblazer.de.pem' (5128 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: loaded host cert file '/etc/ipsec.d/webblazer.de.pem' (5128 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: added connection description "denver211-to-hamburg183"
Aug 11 02:11:07 denver211 pluto[5799]: listening for IKE messages
Aug 11 02:11:07 denver211 pluto[5799]: adding interface ipsec0/eth0 100.100.100.211
Aug 11 02:11:07 denver211 pluto[5799]: loading secrets from "/etc/ipsec.secrets"
Aug 11 02:11:07 denver211 pluto[5799]: loaded private key file '/etc/ipsec.d/private/webblazer.de.key' (1743 bytes)
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: responding to Main Mode
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Peer ID is ID_DER_ASN1_DN: 'C=de, ST=Lower Saxony, L=Lehrte, O=Webblazer, OU=Administration, CN=Sascha Muellner, [EMAIL PROTECTED]'
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Issuer CA certificate not found
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: X.509 certificate rejected
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Signature check (on C=de, ST=Lower Saxony, L=Lehrte, O=Webblazer, OU=Administration, CN=Sascha Muellner, [EMAIL PROTECTED]) failed (wrong key?); tried *AwEAAZsyQ
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: sending notification INVALID_KEY_INFORMATION to 100.100.100.5:500
Aug 11 02:11:26 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Peer ID is ID_DER_ASN1_DN: 'C=de, ST=Lower Saxony, L=Lehrte, O=Webblazer, OU=Administration, CN=Sascha Muellner, [EMAIL PROTECTED]'
Aug 11 02:11:26 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Issuer CA certificate not found
Aug 11 02:11:26 denver211 pluto[5799]: "denver211-to-hamburg183" #1: X.509 certificate rejected
Aug 11 02:11:26 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Signature check (on C=de, ST=Lower Saxony, L=Lehrte, O=Webblazer, OU=Administration, CN=Sascha Muellner, [EMAIL PROTECTED]) failed (wrong key?); tried *AwEAAZsyQ
Aug 11 02:11:26 denver211 pluto[5799]: "denver211-to-hamburg183" #1: sending notification INVALID_KEY_INFORMATION to 100.100.100.5:500
+ _________________________ date


It seems that my CA certificate isn't found; do I have to create a new one, or is there an easier way?

Thanks for all your help and a kind week,
Sascha

=======================================================================
Andreas Steffen                         e-mail: [EMAIL PROTECTED]
strongSec GmbH                          home:   http://www.strongsec.com
Alter Zürichweg 20                      phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)         fax:    +41 1 730 80 65
==========================================[strong internet security]===
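The Pluto log above carries two separate findings: during start-up a file in /etc/ipsec.d/cacerts was read but could not be parsed as an X.509 certificate, and during Main Mode the peer's certificate was rejected because its issuer CA was not among the loaded CA certificates, after which the signature check failed and INVALID_KEY_INFORMATION was sent. The script below is an added example (it is not part of the thread and not FreeS/WAN code) that triages such log lines: it extracts per-connection rejections with the peer DN and the loader messages that point at the cause. The sample log is constructed from the lines quoted in the thread; the message formats assumed are those of FreeS/WAN 1.99 with the X.509 patch as they appear above.

```python
"""Triage FreeS/WAN Pluto syslog lines for X.509 authentication failures.

Added example, not part of the original mailing-list post or of FreeS/WAN.
Message formats are assumed from the Pluto lines quoted in the thread.
"""
import re
from collections import OrderedDict

# Constructed sample: a subset of the Pluto lines quoted in the thread.
SAMPLE_LOG = """\
Aug 11 02:11:07 denver211 pluto[5799]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 11 02:11:07 denver211 pluto[5799]: loaded cacert file 'crl.pem' (715 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: error in X.509 certificate
Aug 11 02:11:07 denver211 pluto[5799]: loaded cacert file 'cacert.pem' (1700 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: loaded cacert file 'cacert.der' (1222 bytes)
Aug 11 02:11:07 denver211 pluto[5799]: loaded host cert file '/etc/ipsec.d/webblazer.de.pem' (5128 bytes)
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: responding to Main Mode
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Peer ID is ID_DER_ASN1_DN: 'C=de, ST=Lower Saxony, L=Lehrte, O=Webblazer, OU=Administration, CN=Sascha Muellner, [EMAIL PROTECTED]'
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Issuer CA certificate not found
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: X.509 certificate rejected
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: Signature check (on C=de, ST=Lower Saxony, L=Lehrte, O=Webblazer, OU=Administration, CN=Sascha Muellner, [EMAIL PROTECTED]) failed (wrong key?); tried *AwEAAZsyQ
Aug 11 02:11:16 denver211 pluto[5799]: "denver211-to-hamburg183" #1: sending notification INVALID_KEY_INFORMATION to 100.100.100.5:500
"""

# A Pluto line is 'pluto[pid]: ' optionally followed by '"conn" #state: ' and the message.
PLUTO_RE = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$')
LOADED_CACERT_RE = re.compile(r"loaded cacert file '(?P<file>[^']+)'")
PEER_ID_RE = re.compile(r"Peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']+)'")
NOTIFY_RE = re.compile(r"sending notification (?P<name>[A-Z_]+) to (?P<peer>\S+)")

# Message prefixes that mark a failed peer-certificate check.
REJECTION_MARKERS = (
    "Issuer CA certificate not found",
    "X.509 certificate rejected",
    "Signature check",            # "... failed (wrong key?)"
)


def triage(lines):
    """Return loaded/failed CA certificate files and per-state rejections."""
    loaded, failed = [], []
    last_cacert = None            # file named by the previous 'loaded cacert' line
    states = OrderedDict()        # (conn, state) -> finding

    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue
        conn, state, msg = m.group("conn"), m.group("state"), m.group("msg")

        if conn is None:          # daemon-level message (certificate loader etc.)
            lm = LOADED_CACERT_RE.search(msg)
            if lm:
                last_cacert = lm.group("file")
                loaded.append(last_cacert)
            elif msg == "error in X.509 certificate" and last_cacert:
                # The parse error directly follows the 'loaded' line for the bad file.
                loaded.remove(last_cacert)
                failed.append(last_cacert)
                last_cacert = None
            else:
                last_cacert = None
            continue

        key = (conn, int(state))
        f = states.setdefault(key, {"conn": conn, "state": int(state),
                                    "peer_dn": None, "reasons": [],
                                    "notification": None})
        pm = PEER_ID_RE.search(msg)
        if pm:
            f["peer_dn"] = pm.group("dn")
        elif msg.startswith(REJECTION_MARKERS):
            f["reasons"].append(msg)
        else:
            nm = NOTIFY_RE.search(msg)
            if nm:
                f["notification"] = nm.group("name")

    return {
        "cacerts_loaded": loaded,
        "cacerts_failed": failed,
        "rejections": [f for f in states.values() if f["reasons"]],
    }


def summarize(report):
    """Turn the triage result into operator-facing hints."""
    hints = []
    for name in report["cacerts_failed"]:
        hints.append("%s: read from the cacerts directory but failed to parse as an "
                     "X.509 certificate; only CA certificates belong there" % name)
    for r in report["rejections"]:
        if any(x.startswith("Issuer CA certificate not found") for x in r["reasons"]):
            hints.append('%s #%d: issuer of peer certificate %r is not among the loaded '
                         'CA certificates %s; install the issuing CA certificate in '
                         '/etc/ipsec.d/cacerts on this host'
                         % (r["conn"], r["state"], r["peer_dn"], report["cacerts_loaded"]))
    return hints


if __name__ == "__main__":
    for hint in summarize(triage(SAMPLE_LOG.splitlines())):
        print(hint)
```

Run it against a real `ipsec barf` output by piping the klog section into `triage(sys.stdin)`; the per-state grouping keeps retries of the same Main Mode exchange together, so a repeated rejection shows up as one finding with several reasons rather than as separate events.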

_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr