Hi Linux folks!

I'm fiddling with some IPsec (freeswan) and x.509 certificate road warrior VPN. I have downloaded the newest Freeswan, patched it with x.509, patched the kernel and compiled the whole thing.

The problem! I try to log on with the IPsec client (w2k), but nothing at all happens. I have tried setting debug to all... nothing extra in the log while trying to dial up. I had otherwise hoped for an error or something along those lines.

Freeswan is pretty new to me... so a good thing is "ipsec barf". I would be incredibly happy if an experienced linux/IPsec/freeswan admin could point me in the right direction.

So here it comes ;)
vpnbox
Fri Mar 1 21:53:51 CET 2002
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 1.95
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.17 (root@vpnbox) (gcc version 2.95.2 20000220 (Debian GNU/Linux)) #1 Sat Feb 23 19:09:04 CET 2002
+ _________________________ proc/net/ipsec_eroute
+ sort +1 /proc/net/ipsec_eroute
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.202      0.0.0.0         255.255.255.255 UH       40 0          0 ppp0
80.196.204.20   0.0.0.0         255.255.255.252 U        40 0          0 eth0
80.196.204.20   0.0.0.0         255.255.255.252 U        40 0          0 ipsec0
10.0.0.0        0.0.0.0         255.0.0.0       U        40 0          0 eth1
0.0.0.0         80.196.204.21   0.0.0.0         UG       40 0          0 eth0
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
c6384b60 21039 c2678940 0 0 0 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c2678940 21039 c6384b60
pf_key_registered: 3 c2678940 21039 c6384b60
pf_key_registered: 9 c2678940 21039 c6384b60
pf_key_registered: 10 c2678940 21039 c6384b60
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 80.196.204.22
000
000 "rw": 80.196.204.22[@kirkegade.dyndns.dk]...%any
000 "rw":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "rw":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; unrouted
000 "rw": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:40:95:30:B8:52
          inet addr:80.196.204.22  Bcast:80.255.255.255  Mask:255.255.255.252
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2736029 errors:476 dropped:0 overruns:0 frame:0
          TX packets:1877289 errors:0 dropped:0 overruns:0 carrier:0
          collisions:1536 txqueuelen:100
          Interrupt:11 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:C0:26:2A:C0:D5
          inet addr:10.0.0.200  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1841367 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2629804 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0x4000

ipsec0    Link encap:Ethernet  HWaddr 00:40:95:30:B8:52
          inet addr:80.196.204.22  Mask:255.255.255.252
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

ipsec1    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

ipsec2    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

ipsec3    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.0.0.206  P-t-P:10.0.0.202  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:13049 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
vpnbox.robtech.dk
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.0.0.254
+ _________________________ uptime
+ uptime
9:53pm up 6 days, 1:03, 1 user, load average: 0.02, 0.01, 0.00
+ _________________________ ps
+ ps alxw
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
040   0 21035     1   9   0  1756  844 wait4  S    pts/1      0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes --dump --load %search --start %search --wait --pre --post --log daemon.error --pid /var/run/pluto.pid
000   0 21036     1   9   0   988  364 pipe_w S    pts/1      0:00 logger -p daemon.error -t ipsec__plutorun
040   0 21037 21035   9   0  1756  844 wait4  S    pts/1      0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes --dump --load %search --start %search --wait --pre --post --log daemon.error --pid /var/run/pluto.pid
000   0 21038 21035   8   0  1744  828 pipe_w S    pts/1      0:00 /bin/sh /usr/local/lib/ipsec/_plutoload --load %search --start %search --wait --post
100   0 21039 21037   9   0  1528  796 select S    pts/1      0:00 /usr/local/lib/ipsec/pluto --nofork --debug-none --uniqueids
100   0 21094 20646   9   0  1740  812 wait4  S    pts/1      0:00 /bin/sh /usr/local/sbin/ipsec barf
000   0 21095 21094  16   0  1772  864 wait4  S    /home/skumflum/barf 0:00 /bin/sh /usr/local/lib/ipsec/barf
040   0 21136 21095  16   0  1772  864 -      R    /home/skumflum/barf 0:00 /bin/sh /usr/local/lib/ipsec/barf
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routephys=eth0
routevirt=ipsec0
routevirt=ipsec0
routeaddr=80.196.204.22
routeaddr=80.196.204.22
routenexthop=80.196.204.21
routenexthop=80.196.204.21
defaultroutephys=eth0
defaultroutevirt=ipsec0
defaultrouteaddr=80.196.204.22
defaultroutenexthop=80.196.204.21
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

conn %default
    authby=rsasig
    #use certificates
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    #Gateway info
    left=80.196.204.22
    leftid=@kirkegade.dyndns.dk

conn rw
    right=%any
    auto=add
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA key.pem
+ _________________________ ipsec/ls-dir
+ ls -l /usr/local/lib/ipsec
total 3264
-rwxr-xr-x 1 root staff 11089 Feb 24 11:45 _confread
-rwxr-xr-x 1 root staff 11089 Feb 22 18:28 _confread~
-rwxr-xr-x 1 root staff 31787 Feb 24 11:45 _copyright
-rwxr-xr-x 1 root staff 31787 Feb 22 18:28 _copyright~
-rwxr-xr-x 1 root staff 2163 Feb 24 11:45 _include
-rwxr-xr-x 1 root staff 2163 Feb 22 18:28 _include~
-rwxr-xr-x 1 root staff 1383 Feb 24 11:45 _keycensor
-rwxr-xr-x 1 root staff 1383 Feb 22 18:28 _keycensor~
-rwxr-xr-x 1 root staff 3495 Feb 24 11:45 _plutoload
-rwxr-xr-x 1 root staff 3495 Feb 22 18:28 _plutoload~
-rwxr-xr-x 1 root staff 3622 Feb 24 11:45 _plutorun
-rwxr-xr-x 1 root staff 3622 Feb 22 18:28 _plutorun~
-rwxr-xr-x 1 root staff 7272 Feb 24 11:45 _realsetup
-rwxr-xr-x 1 root staff 7272 Feb 22 18:28 _realsetup~
-rwxr-xr-x 1 root staff 1904 Feb 24 11:45 _secretcensor
-rwxr-xr-x 1 root staff 1904 Feb 22 18:28 _secretcensor~
-rwxr-xr-x 1 root staff 6076 Feb 24 11:45 _startklips
-rwxr-xr-x 1 root staff 6076 Feb 22 18:28 _startklips~
-rwxr-xr-x 1 root staff 5262 Feb 24 11:45 _updown
-rwxr-xr-x 1 root staff 5262 Feb 22 18:28 _updown~
-rwxr-xr-x 1 root staff 12247 Feb 24 11:45 auto
-rwxr-xr-x 1 root staff 12247 Feb 22 18:28 auto~
-rwxr-xr-x 1 root staff 6436 Feb 24 11:45 barf
-rwxr-xr-x 1 root staff 6436 Feb 22 18:28 barf~
-rwxr-xr-x 1 root staff 188417 Feb 24 11:45 eroute
-rwxr-xr-x 1 root staff 2829 Feb 24 11:45 ipsec
-rw-r--r-- 1 root staff 1950 Feb 24 11:45 ipsec_pr.template
-rwxr-xr-x 1 root staff 2829 Feb 22 18:28 ipsec~
-rwxr-xr-x 1 root staff 135062 Feb 24 11:45 klipsdebug
-rwxr-xr-x 1 root staff 2437 Feb 24 11:45 look
-rwxr-xr-x 1 root staff 2437 Feb 22 18:28 look~
-rwxr-xr-x 1 root staff 16172 Feb 24 11:45 manual
-rwxr-xr-x 1 root staff 16172 Feb 22 18:28 manual~
-rwxr-xr-x 1 root staff 1227 Feb 24 11:45 newhostkey
-rwxr-xr-x 1 root staff 1227 Feb 22 18:28 newhostkey~
-rwxr-xr-x 1 root staff 107266 Feb 24 11:45 pf_key
-rwxr-xr-x 1 root staff 813799 Feb 24 11:45 pluto
-rwxr-xr-x 1 root staff 813799 Feb 22 18:28 pluto~
-rwxr-xr-x 1 root staff 37848 Feb 24 11:45 ranbits
-rwxr-xr-x 1 root staff 37848 Feb 22 18:28 ranbits~
-rwxr-xr-x 1 root staff 62976 Feb 24 11:45 rsasigkey
-rwxr-xr-x 1 root staff 62976 Feb 22 18:28 rsasigkey~
-rwxr-xr-x 1 root staff 16671 Feb 24 11:45 send-pr
-rwxr-xr-x 1 root staff 16671 Feb 22 18:28 send-pr~
lrwxrwxrwx 1 root staff 17 Feb 24 11:45 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root staff 1041 Feb 24 11:45 showdefaults
-rwxr-xr-x 1 root staff 1041 Feb 22 18:28 showdefaults~
-rwxr-xr-x 1 root staff 3484 Feb 24 11:45 showhostkey
-rwxr-xr-x 1 root staff 3484 Feb 22 18:28 showhostkey~
-rwxr-xr-x 1 root staff 212110 Feb 24 11:45 spi
-rwxr-xr-x 1 root staff 166785 Feb 24 11:45 spigrp
-rwxr-xr-x 1 root staff 50927 Feb 24 11:45 tncfg
-rwxr-xr-x 1 root staff 116812 Feb 24 11:45 whack
-rwxr-xr-x 1 root staff 116812 Feb 22 18:28 whack~
+ _________________________ ipsec/updowns
++ ls /usr/local/lib/ipsec
++ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.18 2001/11/09 04:12:19 henry Exp $

# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0])  # Older Pluto?!? Play it safe, script may be using new features.
    echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
    echo "$0: called by obsolete Pluto?" >&2
    exit 2
    ;;
1.*)    ;;
*)  echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
    exit 2
    ;;
esac

# check parameter(s)
case "$1:$*" in
':')                # no parameters
    ;;
ipfwadm:ipfwadm)    # due to (left/right)firewall; for default script only
    ;;
custom:*)           # custom parameters (see above CAUTION comment)
    ;;
*)  echo "$0: unknown parameters \`$*'" >&2
    exit 2
    ;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
    doroute add
}
downroute() {
    doroute del
}
doroute() {
    parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
    parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # horrible kludge for obscure routing bug with opportunistic
        it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
        it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
        route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
            route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
        ;;
    *)  it="route $1 $parms $parms2"
        route $1 $parms $parms2
        ;;
    esac
    st=$?
    if test $st -ne 0
    then
        # route has already given its own cryptic message
        echo "$0: \`$it' failed" >&2
        if test " $1 $st" = " add 7"
        then
            # another totally undocumented interface -- 7 and
            # "SIOCADDRT: Network is unreachable" means that
            # the gateway isn't reachable.
            echo "$0: (incorrect or missing nexthop setting??)" >&2
        fi
    fi
    return $st
}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
    # delete possibly-existing route (preliminary to adding a route)
    case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
    "0.0.0.0/0.0.0.0")
        # horrible kludge for obscure routing bug with opportunistic
        parms1="-net 0.0.0.0 netmask 128.0.0.0"
        parms2="-net 128.0.0.0 netmask 128.0.0.0"
        it="route del $parms1 2>&1 ; route del $parms2 2>&1"
        oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
        ;;
    *)
        parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
        it="route del $parms 2>&1"
        oops="`route del $parms 2>&1`"
        ;;
    esac
    status="$?"
    if test " $oops" = " " -a " $status" != " 0"
    then
        oops="silent error, exit status $status"
    fi
    case "$oops" in
    'SIOCDELRT: No such process'*)
        # This is what route (currently -- not documented!) gives
        # for "could not find such a route".
        oops=
        status=0
        ;;
    esac
    if test " $oops" != " " -o " $status" != " 0"
    then
        echo "$0: \`$it' failed ($oops)" >&2
    fi
    exit $status
    ;;
route-host:*|route-client:*)
    # connection to me or my client subnet being routed
    uproute
    ;;
unroute-host:*|unroute-client:*)
    # connection to me or my client subnet being unrouted
    downroute
    ;;
up-host:*)
    # connection to me coming up
    # If you are doing a custom version, firewall commands go here.
    ;;
down-host:*)
    # connection to me going down
    # If you are doing a custom version, firewall commands go here.
    ;;
up-client:)
    # connection to my client subnet coming up
    # If you are doing a custom version, firewall commands go here.
    ;;
down-client:)
    # connection to my client subnet going down
    # If you are doing a custom version, firewall commands go here.
    ;;
up-client:ipfwadm)
    # connection to client subnet, with (left/right)firewall=yes, coming up
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
    ;;
down-client:ipfwadm)
    # connection to client subnet, with (left/right)firewall=yes, going down
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
    ;;
*)  echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
    exit 1
    ;;
esac
+ cat /usr/local/lib/ipsec/_updown~
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:         0       0    0    0    0     0          0         0          0       0    0    0    0     0       0          0
ipsec0:         0       0    0    0    0     0          0         0          0       0    0    0    0     0       0          0
ipsec1:         0       0    0    0    0     0          0         0          0       0    0    0    0     0       0          0
ipsec2:         0       0    0    0    0     0          0         0          0       0    0    0    0     0       0          0
ipsec3:         0       0    0    0    0     0          0         0          0       0    0    0    0     0       0          0
  eth0:2837188774 2736029  476    0    0     0          0         0  179455650 1877289    0    0    0  1536       0          0
  eth1: 172287053 1841367    0    0    0     0          0         0 2821238207 2629804    0    0    0     0       0          0
  ppp0:    707438   13049    0    0    0     0          0         0    2169435   13318    0    0    0     0       0          0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ppp0 CA00000A 00000000 0005 0 0 0 FFFFFFFF 40 0 0
eth0 14CCC450 00000000 0001 0 0 0 FCFFFFFF 40 0 0
ipsec0 14CCC450 00000000 0001 0 0 0 FCFFFFFF 40 0 0
eth1 0000000A 00000000 0001 0 0 0 000000FF 40 0 0
eth0 00000000 15CCC450 0003 0 0 0 00000000 40 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ uname-a
+ uname -a
Linux vpnbox 2.4.17 #1 Sat Feb 23 19:09:04 CET 2002 i686 unknown
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.95
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 836 packets, 98709 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1081 51688 ACCEPT     tcp  --  *      *       0.0.0.0/0            80.196.204.22      tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            80.196.204.22      tcp dpt:25
    8   384 ACCEPT     tcp  --  *      *       0.0.0.0/0            80.196.204.22      tcp dpt:1723
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            80.196.204.22      tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            80.196.204.22      tcp dpt:10000
    4   680 ACCEPT     udp  --  *      *       0.0.0.0/0            80.196.204.22      udp dpt:500
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            80.196.204.22      tcp dpt:500
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            80.196.204.22
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            80.196.204.22
    0     0 DROP       udp  --  *      *       0.0.0.0/0            10.0.0.200         udp dpt:514
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            10.0.0.200         tcp dpt:901
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            10.0.0.200         tcp dpt:515
   66  7627 block      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 3707K packets, 2662M bytes)
 pkts bytes target     prot opt in     out     source               destination
   41  4135 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 1/sec burst 3 LOG flags 6 level 4 prefix `FORWARD: '

Chain OUTPUT (policy ACCEPT 1247 packets, 1124K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain block (1 references)
 pkts bytes target     prot opt in     out     source               destination
   16   855 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
   45  6447 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0          state NEW
+ _________________________ ipchains/list
+ ipchains -L -v -n
ipchains: Incompatible with this kernel
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 34053 packets, 4385K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            80.196.204.22      tcp dpt:25 to:10.0.0.1:25
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            80.196.204.22      tcp dpt:80 to:10.0.0.1:80

Chain POSTROUTING (policy ACCEPT 1084 packets, 64458 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   271 SNAT       all  --  *      *       10.0.0.0/8           !10.0.0.0/8         to:80.196.204.22

Chain OUTPUT (policy ACCEPT 79 packets, 5367 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
ipchains: cannot open file `/proc/net/ip_masquerade'
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 4624K packets, 2940M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:23 TOS set 0x10
45806 2421K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
 5728 3292K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:1723 TOS set 0x10
 1432 69143 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:23 TOS set 0x10
43720 2313K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
 5682 3289K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:1723 TOS set 0x10
 1395 67350 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:23 TOS set 0x10
43715 2312K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
 5682 3289K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:1723 TOS set 0x10
 1395 67350 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:23 TOS set 0x10
 3786  188K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
 4638 3169K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:1723 TOS set 0x10
 1129 54486 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:23 TOS set 0x10
 2875  139K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
 3639 3118K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:1723 TOS set 0x10
  836 40565 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:23 TOS set 0x10
 1306 64408 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
   10   480 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:1723 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:23 TOS set 0x10
 1080 51648 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
    8   384 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:1723 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x08

Chain OUTPUT (policy ACCEPT 403K packets, 54M bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ proc/modules
+ cat /proc/modules
ppp_deflate 39040 0 (autoclean)
ppp_mppe 20128 2 (autoclean)
bsd_comp 3952 0 (autoclean)
ppp_async 6128 1 (autoclean)
ppp_generic 15440 3 (autoclean) [ppp_deflate ppp_mppe bsd_comp ppp_async]
slhc 4288 0 (autoclean) [ppp_generic]
8139too 12640 2
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 129671168 123760640 5910528 0 11378688 54378496
Swap: 197365760 8388608 188977152
MemTotal: 126632 kB
MemFree: 5772 kB
MemShared: 0 kB
Buffers: 11112 kB
Cached: 51700 kB
SwapCached: 1404 kB
Active: 58376 kB
Inactive: 9416 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 126632 kB
LowFree: 5772 kB
SwapTotal: 192740 kB
SwapFree: 184548 kB
+ _________________________ dev/ipsec-ls
+ ls -l /dev/ipsec
c-w------- 1 root root 36, 10 Jan 19 16:51 /dev/ipsec
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r-- 1 root root 0 Mar 1 21:53 /proc/net/ipsec_eroute
-r--r--r-- 1 root root 0 Mar 1 21:53 /proc/net/ipsec_klipsdebug
-r--r--r-- 1 root root 0 Mar 1 21:53 /proc/net/ipsec_spi
-r--r--r-- 1 root root 0 Mar 1 21:53 /proc/net/ipsec_spigrp
-r--r--r-- 1 root root 0 Mar 1 21:53 /proc/net/ipsec_tncfg
-r--r--r-- 1 root root 0 Mar 1 21:53 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ egrep 'IP|NETLINK' /usr/src/linux/.config
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
CONFIG_SYSVIPC=y
# CONFIG_MD_MULTIPATH is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
# CONFIG_NET_IPGRE_BROADCAST is not set
# CONFIG_IP_MROUTE is not set
# IP: Netfilter Configuration
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
# CONFIG_IPX is not set
CONFIG_IPSEC=y
# IPSec options (FreeS/WAN)
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
# CONFIG_IDEDMA_PCI_WIP is not set
# CONFIG_IDE_CHIPSETS is not set
# CONFIG_TULIP is not set
# CONFIG_PLIP is not set
# CONFIG_SLIP is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* /var/log/mail.log
user.* -/var/log/user.log
uucp.* -/var/log/uucp.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.crit;news.err;news.notice;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '39121,$p' /var/log/syslog
+ egrep -i 'ipsec|klips|pluto'
+ cat
Mar 1 21:53:38 vpnbox ipsec_setup: Starting FreeS/WAN IPsec 1.95...
Mar 1 21:53:38 vpnbox ipsec_setup: KLIPS debug `none'
Mar 1 21:53:38 vpnbox ipsec_setup: KLIPS ipsec0 on eth0 80.196.204.22/255.255.255.252 broadcast 80.255.255.255
Mar 1 21:53:38 vpnbox ipsec_setup: ...FreeS/WAN IPsec started
+ _________________________ plog
+ sed -n '6530,$p' /var/log/auth.log
+ egrep -i pluto
+ cat
Mar 1 21:53:38 vpnbox ipsec__plutorun: Starting Pluto subsystem...
Mar 1 21:53:38 vpnbox Pluto[21039]: Starting Pluto (FreeS/WAN Version 1.95)
Mar 1 21:53:38 vpnbox Pluto[21039]: including X.509 patch (Version 0.9.8)
Mar 1 21:53:38 vpnbox Pluto[21039]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 1 21:53:38 vpnbox Pluto[21039]: loaded cacert file 'caCert.pem' (1367 bytes)
Mar 1 21:53:38 vpnbox Pluto[21039]: Changing to directory '/etc/ipsec.d/crls'
Mar 1 21:53:38 vpnbox Pluto[21039]: Warning: empty directory
Mar 1 21:53:38 vpnbox Pluto[21039]: loaded my X.509 cert file '/etc/x509cert.der' (988 bytes)
Mar 1 21:53:39 vpnbox Pluto[21039]: added connection description "rw"
Mar 1 21:53:39 vpnbox Pluto[21039]: listening for IKE messages
Mar 1 21:53:39 vpnbox Pluto[21039]: adding interface ipsec0/eth0 80.196.204.22
Mar 1 21:53:39 vpnbox Pluto[21039]: loading secrets from "/etc/ipsec.secrets"
Mar 1 21:53:39 vpnbox Pluto[21039]: loaded private key file '/etc/ipsec.d/private/key.pe' (887 bytes)
+ _________________________ date
+ date
Fri Mar 1 21:53:51 CET 2002
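The `proc/net/route` section of the `ipsec barf` dump above prints the kernel routing table in raw form: each address is a 32-bit value in host byte order, written as eight hex digits, so on this i686 box the bytes come out reversed relative to dotted-quad order, and the flag word has to be decoded into the U/G/H letters that `netstat -nr` shows. The following is an added example, not part of the original post and not FreeS/WAN code: a small parser that turns that listing into the same rows `netstat -nr` prints, so the two sections of a barf can be cross-checked, plus a helper that pairs each `ipsecN` route with the physical-interface route it mirrors (the `ipsec_tncfg` section shows `ipsec0 -> eth0`, and the routing table has the same 80.196.204.20/30 entry on both). The sample input is the five route lines copied from the dump; the function names and the little-endian assumption are mine.

```python
import socket
import struct

# Constructed sample: the /proc/net/route listing from the barf output above.
PROC_NET_ROUTE = """\
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ppp0 CA00000A 00000000 0005 0 0 0 FFFFFFFF 40 0 0
eth0 14CCC450 00000000 0001 0 0 0 FCFFFFFF 40 0 0
ipsec0 14CCC450 00000000 0001 0 0 0 FCFFFFFF 40 0 0
eth1 0000000A 00000000 0001 0 0 0 000000FF 40 0 0
eth0 00000000 15CCC450 0003 0 0 0 00000000 40 0 0
"""

# Route flag bits from <linux/route.h>; netstat renders them as U, G and H.
RTF_UP = 0x0001
RTF_GATEWAY = 0x0002
RTF_HOST = 0x0004


def hex_to_ip(field):
    """Decode one 8-hex-digit /proc/net/route address field.

    The kernel prints the address as a 32-bit integer in host byte order.
    The dump comes from an i686 machine (see uname -a), i.e. little-endian,
    so the value is packed as "<L" to recover network byte order. This
    assumption would have to change on a big-endian host.
    """
    return socket.inet_ntoa(struct.pack("<L", int(field, 16)))


def flag_letters(flags):
    """Render the route flag word the way netstat -nr does."""
    letters = ""
    if flags & RTF_UP:
        letters += "U"
    if flags & RTF_GATEWAY:
        letters += "G"
    if flags & RTF_HOST:
        letters += "H"
    return letters


def parse_proc_net_route(text):
    """Parse a /proc/net/route listing into a list of route dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    routes = []
    for line in lines[1:]:
        fields = dict(zip(header, line.split()))
        routes.append({
            "iface": fields["Iface"],
            "destination": hex_to_ip(fields["Destination"]),
            "gateway": hex_to_ip(fields["Gateway"]),
            "genmask": hex_to_ip(fields["Mask"]),
            "flags": flag_letters(int(fields["Flags"], 16)),
            "metric": int(fields["Metric"]),
            # the MTU column is what netstat -nr prints under MSS
            "mtu": int(fields["MTU"]),
        })
    return routes


def netstat_rows(routes):
    """Format parsed routes like the body of netstat -nr for comparison."""
    return ["%-15s %-15s %-15s %-5s %4d %s" % (
        r["destination"], r["gateway"], r["genmask"], r["flags"], r["mtu"], r["iface"])
        for r in routes]


def mirrored_virtual_routes(routes):
    """Pair each ipsecN route with the physical-interface route it mirrors.

    KLIPS attaches each ipsecN device to a physical interface (ipsec_tncfg
    in the dump shows ipsec0 -> eth0) and carries the same subnet route on
    it. An ipsecN entry with no matching physical entry (None in the
    result) is the first thing to look at when packets never reach KLIPS.
    """
    pairs = []
    for r in routes:
        if not r["iface"].startswith("ipsec"):
            continue
        twins = [o["iface"] for o in routes
                 if o is not r and not o["iface"].startswith("ipsec")
                 and (o["destination"], o["genmask"]) == (r["destination"], r["genmask"])]
        pairs.append((r["iface"], twins[0] if twins else None))
    return pairs


if __name__ == "__main__":
    parsed = parse_proc_net_route(PROC_NET_ROUTE)
    print("\n".join(netstat_rows(parsed)))
    print(mirrored_virtual_routes(parsed))
```

Run against the sample, the decoded rows match the `netstat -nr` section of the dump line for line (10.0.0.202/32 via ppp0 with UH, the /30 on both eth0 and ipsec0, 10.0.0.0/8 on eth1, and the default route through 80.196.204.21 with UG), and the pairing helper reports `ipsec0` mirrored by `eth0`.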