
[Users] Problem with old route + output of ipsec barf

From: Patrick Balestra <balestra(at)i3s.unice.fr>
Date: Fri Feb 28 2003 - 02:35:50 EST


Hello,

 > > I've got a problem with my routes on my gateway.
 > >
 > > The network is the following:
 > >
 > > network A -- ipsec gw A -- router A -- internet -- router B -- host B
 > >
 > > I start ipsec on gw A and on host B, and host B can reach network A.
 > >
 > > But if host B reboots or restarts ipsec, it can no longer create a tunnel
 > > to reach network A. For it to work again, I have to replace by hand
 > > (ipsec auto --replace conn) my connection on gw A.
 > >
 > > It seems that after a few hours gw A closes the connection, but the route
 > > to host B (on ipsec0) is never removed, so my gw A answers the requests
 > > to negotiate the new connection on ipsec0... And those answers never
 > > reach host B since the tunnel is down.


 > That's not how standard VPN connections behave; upon "ipsec auto --up conn"
 > from host B, you should be able to easily re-negotiate your connection. The
 > existence of the route/connection on gw A shouldn't be a problem.

 > I've certainly been able to reboot machines and immediately renegotiate an
 > IPSec connection with my peers; this happens automatically when my DSL gateway
 > (with a static IP address) suffers a hiccup.

 > Can you post the output of ipsec barf from both machines when this occurs, and
 > relevant tcpdump information?

Here is the output of tcpdump on my gw A when I restart ipsec on host B:

gw-a # tcpdump -i eth1 host freeswan
tcpdump: listening on eth1
08:06:49.882304 freeswan.i3s.unice.fr.isakmp > democrite_0.isakmp: isakmp: phase 1 I ident: [|sa] (DF)
08:06:59.938488 freeswan.i3s.unice.fr.isakmp > democrite_0.isakmp: isakmp: phase 1 I ident: [|sa] (DF)

gw-a # tcpdump -i ipsec0
tcpdump: listening on ipsec0
08:06:47.970294 democrite_0.isakmp > freeswan.i3s.unice.fr.isakmp: isakmp: phase 1 ? ident: [|sa] (DF)
08:06:49.884208 democrite_0.isakmp > freeswan.i3s.unice.fr.isakmp: isakmp: phase 1 ? ident: [|sa] (DF)
08:06:59.880268 democrite_0.isakmp > freeswan.i3s.unice.fr.isakmp: isakmp: phase 1 ? ident: [|sa] (DF)
08:06:59.940296 democrite_0.isakmp > freeswan.i3s.unice.fr.isakmp: isakmp: phase 1 ? ident: [|sa] (DF)

The output of ipsec barf on host B is attached.

Here is the output of ipsec barf on gw-a:


gw-a # ipsec barf
/usr/lib/ipsec/barf: unable to find /var/log/messages or local equivalent
/usr/lib/ipsec/barf: unable to find /var/log/secure or local equivalent
democrite
Fri Feb 28 08:13:37 MET 2003
+ _________________________ version
+ ipsec --version

Linux FreeS/WAN 1.98b
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version

Linux version 2.4.19-xfs (root@linux) (gcc version 2.95.3 20010315 (release)) #2 Sat Aug 31 09:15:43 EST 2002
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
0 134.59.131.0/24 -> 134.59.133.252/32 => tun0x1004@134.59.133.252
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
134.59.133.252  192.168.1.254   255.255.255.255 UGH    40 0      0    ipsec0
134.59.131.0    0.0.0.0         255.255.255.0   U      40 0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0   U      40 0      0    eth1
192.168.1.0     0.0.0.0         255.255.255.0   U      40 0      0    ipsec0
0.0.0.0         192.168.1.254   0.0.0.0         UG     40 0      0    eth1
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi

tun0x1002@192.168.1.200 IPIP: dir=in src=134.59.133.252 policy=134.59.133.252/32->134.59.131.0/24 flags=0x8<> life(c,s,h)=addtime(569,0,0)
tun0x1001@192.168.1.200 IPIP: dir=in src=134.59.133.252 policy=134.59.133.252/32->134.59.131.0/24 flags=0x8<> life(c,s,h)=bytes(208,0,0)addtime(569,0,0)usetime(566,0,0)packets(2,0,0) idle=565
esp0xdfaf4acf@134.59.133.252 ESP_3DES_HMAC_MD5: dir=out src=192.168.1.200 iv_bits=64bits iv=0x11c5077a5781cea9 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(562,0,0)
esp0xdfaf4ace@134.59.133.252 ESP_3DES_HMAC_MD5: dir=out src=192.168.1.200 iv_bits=64bits iv=0xcf6d0379de632a55 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(566,0,0)
esp0x3f028189@192.168.1.200 ESP_3DES_HMAC_MD5: dir=in src=134.59.133.252 iv_bits=64bits iv=0xc469798d1f361cfc ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(569,0,0)
esp0x3f028188@192.168.1.200 ESP_3DES_HMAC_MD5: dir=in src=134.59.133.252 iv_bits=64bits iv=0x742cbb0da95a0d81 ooowin=64 seq=2 bit=0x3 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(208,0,0)addtime(569,0,0)usetime(566,0,0)packets(2,0,0) idle=565
tun0x1004@134.59.133.252 IPIP: dir=out src=192.168.1.200 life(c,s,h)=addtime(562,0,0)
tun0x1003@134.59.133.252 IPIP: dir=out src=192.168.1.200 life(c,s,h)=addtime(566,0,0)
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp

tun0x1002@192.168.1.200 esp0x3f028189@192.168.1.200
tun0x1001@192.168.1.200 esp0x3f028188@192.168.1.200
tun0x1004@134.59.133.252 esp0xdfaf4acf@134.59.133.252
tun0x1003@134.59.133.252 esp0xdfaf4ace@134.59.133.252

+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth1 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0

+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
    sock   pid   socket next prev e n p sndbf    Flags Type St
dc2477b0 12713 d57fa1d4    0    0 0 0 2 65535 00000000    3  1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid       sk
pf_key_registered:     2 d57fa1d4 12713 dc2477b0
pf_key_registered:     3 d57fa1d4 12713 dc2477b0
pf_key_registered:     9 d57fa1d4 12713 dc2477b0
pf_key_registered:    10 d57fa1d4 12713 dc2477b0
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported:     2      14      3     0     160     160
pf_key_supported:     2      14      2     0     128     128
pf_key_supported:     3      15      3   128     168     168
pf_key_supported:     3      14      3     0     160     160
pf_key_supported:     3      14      2     0     128     128
pf_key_supported:     9      15      4     0     128     128
pf_key_supported:     9      15      3     0      32     128
pf_key_supported:     9      15      2     0     128      32
pf_key_supported:     9      15      1     0      32      32
pf_key_supported:    10      15      2     0       1       1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0

icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status

000 interface ipsec0/eth1 192.168.1.200
000
000 "i3s": 134.59.131.0/24===192.168.1.200---192.168.1.254...134.59.133.254---134.59.133.252
000 "i3s":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "i3s":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; erouted
000 "i3s":   newest ISAKMP SA: #1; newest IPsec SA: #3; eroute owner: #3
000
000 #3: "i3s" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 368s; newest IPSEC; eroute owner
000 #3: "i3s" esp.dfaf4acf@134.59.133.252 esp.3f028189@192.168.1.200 tun.1004@134.59.133.252 tun.1002@192.168.1.200
000 #2: "i3s" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 364s
000 #2: "i3s" esp.dfaf4ace@134.59.133.252 esp.3f028188@192.168.1.200 tun.1003@134.59.133.252 tun.1001@192.168.1.200
000 #1: "i3s" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2759s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:02:B3:BC:C5:C1
          inet addr:134.59.131.254  Bcast:134.59.131.255  Mask:255.255.255.0
          inet6 addr: fe80::202:b3ff:febc:c5c1/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21506725 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35123292 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2749260466 (2621.8 Mb)  TX bytes:3048571210 (2907.3 Mb)
          Interrupt:20 Memory:fe860000-fe880000

eth1      Link encap:Ethernet  HWaddr 00:02:B3:BC:C6:5E
          inet addr:192.168.1.200  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::202:b3ff:febc:c65e/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35165718 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21004917 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:3048221129 (2907.0 Mb)  TX bytes:2682652959 (2558.3 Mb)
          Interrupt:17 Memory:fe820000-fe840000

ipsec0    Link encap:Ethernet  HWaddr 00:02:B3:BC:C6:5E
          inet addr:192.168.1.200  Mask:255.255.255.0
          inet6 addr: fe80::202:b3ff:febc:c65e/10 Scope:Link
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:33 dropped:3 overruns:0 carrier:33
          collisions:0 txqueuelen:10
          RX bytes:168 (168.0 b)  TX bytes:4026 (3.9 Kb)

ipsec1    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec2    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec3    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
+ _________________________ ipsec/directory
+ ipsec --directory

/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn

hostname: Unknown host
+ _________________________ hostname/ipaddress
+ hostname --ip-address

hostname: Unknown host
+ _________________________ uptime
+ uptime

   8:13am up 2 days, 18:21, 3 users, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'

  F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
000     0 12926 12582  10   0  2192  992 wait4  S    pts/0      0:00  |   \_ /bin/sh /usr/sbin/ipsec barf
000     0 12927 12926  16   0  2224 1060 wait4  S    pts/0      0:00  |       \_ /bin/sh /usr/lib/ipsec/barf
040     0 12987 12927  16   0  2224 1060 -      R    pts/0      0:00  |           \_ /bin/sh /usr/lib/ipsec/barf
040     0 12704     1   9   0  2212 1032 wait4  S    pts/0      0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug all --uniqueids yes --
040     0 12709 12704   9   0  2212 1032 wait4  S    pts/0      0:00  \_ /bin/sh /usr/lib/ipsec/_plutorun --debug all --uniqueids ye
100     0 12713 12709   9   0  1984 1016 do_sel S    pts/0      0:00  |   \_ /usr/lib/ipsec/pluto --nofork --debug-all --uniqueids
000     0 12714 12713   9   0  1376  328 do_sel S    pts/0      0:00  |       \_ _pluto_adns -d 7 10
000     0 12710 12704   8   0  2200 1028 pipe_w S    pts/0      0:00  \_ /bin/sh /usr/lib/ipsec/_plutoload --load %search --start %s
000     0 12705     1   9   0  1304  416 pipe_w S    pts/0      0:00 logger -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth1
routephys=eth1
routevirt=ipsec0
routevirt=ipsec0
routeaddr=192.168.1.200
routeaddr=192.168.1.200

routenexthop=192.168.1.254
routenexthop=192.168.1.254
defaultroutephys=eth1
defaultroutevirt=ipsec0
defaultrouteaddr=192.168.1.200

defaultroutenexthop=192.168.1.254
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup

        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        #interfaces="ipsec0=eth1"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=all
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default

         keyingtries=3
         keylife=20m
         disablearrivalcheck=no
         authby=rsasig


conn i3s
         left=192.168.1.200
         leftnexthop=192.168.1.254
         leftsubnet=134.59.131.0/24
         leftrsasigkey=[keyid AQNXaiwGG]
         right=134.59.133.252
         #right=%any
         rightnexthop=134.59.133.254
         rightrsasigkey=[keyid AQOQhePhQ]
         auto=add
         #auto=start

#conn i3s-mac
#       left=192.168.1.200
#       leftnexthop=192.168.1.254
#       leftsubnet=134.59.131.0/24
#       leftrsasigkey=[keyid AQNXaiwGG]
#       right=134.59.144.207
#       rightnexthop=134.59.144.254
#       rightid=@gtr301p2b.unice.fr
#       rightrsasigkey=[keyid AQNJheNeB]
#       auto=add

+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
# do not change the indenting of that "[sums to 7d9d...]" : RSA {
         # RSA 2192 bits   democrite.i3s.unice.fr   Wed Jan 29 09:43:18 2003
         # for signatures only, UNSAFE FOR ENCRYPTION
         #pubkey=[keyid AQNXaiwGG]
         #IN KEY 0x4200 4 1 [keyid AQNXaiwGG]
        # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
        Modulus: [...]
        PublicExponent: [...]
        # everything after this point is secret
        PrivateExponent: [...]
        Prime1: [...]
        Prime2: [...]
        Exponent1: [...]
        Exponent2: [...]
        Coefficient: [...]
        }

# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/ls-dir
+ ls -l /usr/lib/ipsec
total 1124
-rwxr-xr-x    1 root     root        11167 Jan  1  1980 _confread
-rwxr-xr-x    1 root     root         7181 Jan  1  1980 _copyright
-rwxr-xr-x    1 root     root         2163 Jan  1  1980 _include
-rwxr-xr-x    1 root     root         1472 Jan  1  1980 _keycensor
-rwxr-xr-x    1 root     root        13071 Jan  1  1980 _pluto_adns
-rwxr-xr-x    1 root     root         3495 Jan  1  1980 _plutoload
-rwxr-xr-x    1 root     root         4553 Jan  1  1980 _plutorun
-rwxr-xr-x    1 root     root         7483 Jan  1  1980 _realsetup
-rwxr-xr-x    1 root     root         1971 Jan  1  1980 _secretcensor
-rwxr-xr-x    1 root     root         6934 Jan  1  1980 _startklips
-rwxr-xr-x    1 root     root         5014 Jan  1  1980 _updown
-rwxr-xr-x    1 root     root         7838 Jan  1  1980 _updown.dhcp
-rwxr-xr-x    1 root     root        13327 Jan  1  1980 auto
-rwxr-xr-x    1 root     root         7195 Jan  1  1980 barf
-rwxr-xr-x    1 root     root          816 Jan  1  1980 calcgoo
-rwxr-xr-x    1 root     root        72695 Jan  1  1980 eroute
-rwxr-xr-x    1 root     root        57743 Jan  1  1980 ikeping
-rwxr-xr-x    1 root     root         2910 Jan  1  1980 ipsec
-rw-r--r--    1 root     root         1950 Jan  1  1980 ipsec_pr.template
-rwxr-xr-x    1 root     root        49867 Jan  1  1980 klipsdebug
-rwxr-xr-x    1 root     root         2437 Jan  1  1980 look
-rwxr-xr-x    1 root     root        16157 Jan  1  1980 manual
-rwxr-xr-x    1 root     root         1847 Jan  1  1980 newhostkey
-rwxr-xr-x    1 root     root        42508 Jan  1  1980 pf_key
-rwxr-xr-x    1 root     root       360728 Jan  1  1980 pluto
-rwxr-xr-x    1 root     root        10023 Jan  1  1980 ranbits
-rwxr-xr-x    1 root     root        22960 Jan  1  1980 rsasigkey
-rwxr-xr-x    1 root     root        16653 Jan  1  1980 send-pr
lrwxrwxrwx    1 root     root           22 Feb 25 14:50 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x    1 root     root         1041 Jan  1  1980 showdefaults
-rwxr-xr-x    1 root     root         4205 Jan  1  1980 showhostkey
-rwxr-xr-x    1 root     root        82853 Jan  1  1980 spi
-rwxr-xr-x    1 root     root        62620 Jan  1  1980 spigrp
-rwxr-xr-x    1 root     root        13394 Jan  1  1980 tncfg
-rwxr-xr-x    1 root     root       106652 Jan  1  1980 uml_netjig
-rwxr-xr-x    1 root     root         3353 Jan  1  1980 verify
-rwxr-xr-x    1 root     root        42825 Jan  1  1980 whack
+ _________________________ ipsec/updowns
++ ls /usr/lib/ipsec

++ egrep updown
+ cat /usr/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001  D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $
# CAUTION:  Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.

# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.

         echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
         echo "$0:       called by obsolete Pluto?" >&2
         exit 2
         ;;
1.*)    ;;
*)      echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
         exit 2
         ;;

esac

# check parameter(s)
case "$1:$*" in

':')                    # no parameters
         ;;
ipfwadm:ipfwadm)        # due to (left/right)firewall; for default script only
         ;;
custom:*)               # custom parameters (see above CAUTION comment)
         ;;
*)      echo "$0: unknown parameters \`$*'" >&2
         exit 2
         ;;

esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {

         doroute add
}
downroute() {

         doroute del
}
doroute() {

         parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
         parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
         case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
         "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                 it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
                         route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
                 ;;
         *)      it="route $1 $parms $parms2"
                 ;;
         esac
         eval $it
         st=$?
         if test $st -ne 0
         then
                 # route has already given its own cryptic message
                 echo "$0: \`$it' failed" >&2
                 if test " $1 $st" = " add 7"
                 then
                         # another totally undocumented interface -- 7 and
                         # "SIOCADDRT: Network is unreachable" means that
                         # the gateway isn't reachable.
                        echo "$0: (incorrect or missing nexthop setting??)" >&2
                fi
        fi
        return $st

}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)

         # delete possibly-existing route (preliminary to adding a route)
         case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
         "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                 it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
                         route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
                 ;;
         *)
                it="route del -net $PLUTO_PEER_CLIENT_NET \
                                        netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
                 ;;
         esac
         oops="`eval $it`"
         status="$?"
         if test " $oops" = " " -a " $status" != " 0"
         then
                 oops="silent error, exit status $status"
         fi
         case "$oops" in
         'SIOCDELRT: No such process'*)
                 # This is what route (currently -- not documented!) gives
                 # for "could not find such a route".
                 oops=
                 status=0
                 ;;
         esac
         if test " $oops" != " " -o " $status" != " 0"
         then
                 echo "$0: \`$it' failed ($oops)" >&2
         fi
         exit $status
         ;;
route-host:*|route-client:*)
         # connection to me or my client subnet being routed
         uproute
         ;;
unroute-host:*|unroute-client:*)
         # connection to me or my client subnet being unrouted
         downroute
         ;;
up-host:*)
         # connection to me coming up
         # If you are doing a custom version, firewall commands go here.
         ;;
down-host:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*)      echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;

esac
+ cat /usr/lib/ipsec/_updown.dhcp
#! /bin/sh
#
# customized updown script
#

# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.

         echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
         echo "$0:       called by obsolete Pluto?" >&2
         exit 2
         ;;
1.*)    ;;
*)      echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
         exit 2
         ;;

esac

# check parameter(s)
case "$1:$*" in

':')                    # no parameters
         ;;
ipfwadm:ipfwadm)        # due to (left/right)firewall; for default script only
        ;;
custom:*)               # custom parameters (see above CAUTION comment)
        ;;
*)      echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;

esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {

         doroute add
}
downroute() {

         doroute del
}
doroute() {

         parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
         parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
         case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
         "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                 it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
                 it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
                 route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
                         route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
                 ;;
         *)      it="route $1 $parms $parms2"
                 route $1 $parms $parms2
                 ;;
         esac
         st=$?
         if test $st -ne 0
         then
                 # route has already given its own cryptic message
                 echo "$0: \`$it' failed" >&2
                 if test " $1 $st" = " add 7"
                 then
                         # another totally undocumented interface -- 7 and
                         # "SIOCADDRT: Network is unreachable" means that
                         # the gateway isn't reachable.
                        echo "$0: (incorrect or missing nexthop setting??)" >&2
                 fi
         fi
         return $st

}

# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)

         # delete possibly-existing route (preliminary to adding a route)
         case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
         "0.0.0.0/0.0.0.0")
                # horrible kludge for obscure routing bug with opportunistic
                parms1="-net 0.0.0.0 netmask 128.0.0.0"
                parms2="-net 128.0.0.0 netmask 128.0.0.0"
                it="route del $parms1 2>&1 ; route del $parms2 2>&1"
                oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
                ;;
        *)
                parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
                it="route del $parms 2>&1"
                oops="`route del $parms 2>&1`"
                ;;
        esac
        status="$?"
        if test " $oops" = " " -a " $status" != " 0"
        then
                oops="silent error, exit status $status"
        fi
        case "$oops" in
        'SIOCDELRT: No such process'*)
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
                status=0
                ;;
        esac
        if test " $oops" != " " -o " $status" != " 0"
        then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
        exit $status
        ;;
route-host:*|route-client:*)
        # connection to me or my client subnet being routed
        uproute
        ;;
unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
        downroute
        ;;
up-host:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
        ;;
down-host:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
        ;;
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        # Port selectors exist only for TCP (6) and UDP (17); other protocols
        # get address-only rules.  (POSIX test compares with "=", not "==".)
        if [ "$PLUTO_MY_PROTOCOL" = "6" ] || [ "$PLUTO_MY_PROTOCOL" = "17" ]
        then
                iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                        -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
                        -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
                iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                        -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
                        -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
                iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                        -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
                        -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
                iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                        -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
                        -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
        else
                iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                        -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
                        -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
                iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                        -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                        -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
                iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                        -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                        -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
                iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                        -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
                        -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
        fi
        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
        # Mirror of up-client: delete exactly the rules inserted above.
        if [ "$PLUTO_MY_PROTOCOL" = "6" ] || [ "$PLUTO_MY_PROTOCOL" = "17" ]
        then
                iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                        -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
                        -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
                iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                        -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
                        -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
                iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                        -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport $PLUTO_MY_PORT \
                        -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport $PLUTO_PEER_PORT -j ACCEPT
                iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                        -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --sport $PLUTO_PEER_PORT \
                        -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --dport $PLUTO_MY_PORT -j ACCEPT
        else
                iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                        -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
                        -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
                iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                        -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                        -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
                iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                        -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                        -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
                iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                        -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
                        -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK -j ACCEPT
        fi
        ;;
up-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
down-client:ipfwadm)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
        ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
        ;;
*)      echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
        ;;

esac
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:         0        0    0    0    0     0          0         0          0        0    0    0    0     0       0          0
  sit0:         0        0    0    0    0     0          0         0          0        0    0    0    0     0       0          0
  eth0:2749260466 21506725    0    0    0     0          0         4 3048571210 35123292    0    0    0     0       0          0
  eth1:3048221129 35165718    0    0    0     0          0     41824 2682652959 21004917    0    0    0     0       0          0
ipsec0:       168        2    0    0    0     0          0         0       4026        0   33    3    0     0      33          0
ipsec1:         0        0    0    0    0     0          0         0          0        0    0    0    0     0       0          0
ipsec2:         0        0    0    0    0     0          0         0          0        0    0    0    0     0       0          0
ipsec3:         0        0    0    0    0     0          0         0          0        0    0    0    0     0       0          0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface   Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
ipsec0  FC853B86    FE01A8C0 0007  0      0   0      FFFFFFFF 40  0      0
eth0    00833B86    00000000 0001  0      0   0      00FFFFFF 40  0      0
eth1    0001A8C0    00000000 0001  0      0   0      00FFFFFF 40  0      0
ipsec0  0001A8C0    00000000 0001  0      0   0      00FFFFFF 40  0      0
eth1    00000000    FE01A8C0 0003  0      0   1      00000000 40  0      0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a

Linux democrite 2.4.19-xfs #2 Sat Aug 31 09:15:43 EST 2002 i686 unknown
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.98b
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       134.59.130.1         0.0.0.0/0          tcp spt:53
    0     0 ACCEPT     udp  --  *      *       134.59.130.1         0.0.0.0/0          udp spt:53
...
 3412  481K ACCEPT     tcp  --  *      *       134.59.131.0/24      0.0.0.0/0          tcp dpt:3128
 3106 3061K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:80
    0     0 I_LOG_REJECT  all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 I_LOG_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0
...
 2331  492K I_LOG_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:500 dpt:500
  520 73288 I_LOG_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0
 382K   50M I_LOG_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  21M 2277M ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
  35M   45G F_LOG_ACCEPT  all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
...
  373 19148 F_LOG_REJECT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:113
  447 40260 ACCEPT     all  --  ipsec0 eth0    0.0.0.0/0            0.0.0.0/0
  276 24910 ACCEPT     all  --  eth0   ipsec0  0.0.0.0/0            0.0.0.0/0
43506 3597K F_LOG_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 7575 packets, 973K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            134.59.130.1       tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            134.59.130.1       udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            134.59.1.7         tcp dpt:53
  362 24580 ACCEPT     udp  --  *      *       0.0.0.0/0            134.59.1.7         udp dpt:53
 4021 3991K ACCEPT     tcp  --  *      *       0.0.0.0/0            134.59.131.0/24    tcp spt:3128
 3164  454K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80
  809 83342 O_LOG_ACCEPT  icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 3
 7753 1043K O_LOG_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:500 dpt:500
  276 39272 O_LOG_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain F_LOG_ACCEPT (30 references)
 pkts bytes target     prot opt in     out     source               destination
    8   480 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 7/min burst 1 state NEW LOG flags 0 level 4 prefix `[FORWARD ACCEPT]: '
  35M   45G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain F_LOG_DROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3642  451K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 7/min burst 1 LOG flags 0 level 4 prefix `[FORWARD DROP]: '
43506 3597K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain F_LOG_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  187  9612 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 7/min burst 1 LOG flags 0 level 7 prefix `[FORWARD REJECT]: '
  373 19148 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable

Chain I_LOG_ACCEPT (5 references)
 pkts bytes target     prot opt in     out     source               destination
   21  2616 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 7/min burst 1 state NEW LOG flags 0 level 4 prefix `[INPUT ACCEPT]: '
17757 1586K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain I_LOG_DROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
24581 3232K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 7/min burst 1 LOG flags 0 level 4 prefix `[INPUT DROP]: '
 382K   50M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain I_LOG_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 7/min burst 1 LOG flags 0 level 7 prefix `[INPUT REJECT]: '
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable

Chain O_LOG_ACCEPT (6 references)
 pkts bytes target     prot opt in     out     source               destination
   31  9780 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 7/min burst 1 state NEW LOG flags 0 level 4 prefix `[OUTPUT ACCEPT]: '
27295 6871K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain O_LOG_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 7/min burst 1 LOG flags 0 level 4 prefix `[OUTPUT DROP]: '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain O_LOG_REJECT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 7/min burst 1 LOG flags 0 level 7 prefix `[OUTPUT REJECT]: '
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable

+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/lib/ipsec/barf: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/lib/ipsec/barf: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/lib/ipsec/barf: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/lib/ipsec/barf: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 669K packets, 67M bytes)
 pkts bytes target     prot opt in     out     source               destination
  207 16826 DNAT       all  --  eth1   *       0.0.0.0/0            134.59.131.254     to:192.168.1.200

Chain POSTROUTING (policy ACCEPT 237K packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
  265 16133 SNAT       all  --  *      eth1    192.168.1.200        0.0.0.0/0          to:134.59.131.254

Chain OUTPUT (policy ACCEPT 7773 packets, 987K bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/lib/ipsec/barf: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/lib/ipsec/barf: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 6198 packets, 2834K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 681 packets, 84254 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 5517 packets, 2750K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 308 packets, 85270 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 5791 packets, 2832K bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ proc/modules
+ cat /proc/modules

iptable_mangle          2144   0 (autoclean) (unused)
ipsec                 235712   2
ipt_state                608   4 (autoclean)
ipt_REJECT              2784   3 (autoclean)
ipt_LOG                 3328   9 (autoclean)
ipt_limit                960   9 (autoclean)
iptable_nat            19220   1 (autoclean)
ip_conntrack           20364   2 (autoclean) [ipt_state iptable_nat]
iptable_filter          1760   1 (autoclean)
ip_tables              13184   9 [iptable_mangle ipt_state ipt_REJECT ipt_LOG ipt_limit iptable_nat iptable_filter]
e1000                  60876   2
lvm-mod                58528  11 (autoclean)
aic7xxx               111328   0 (unused)
aacraid                19956   1

+ _________________________ proc/meminfo
+ cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  528519168 187731968 340787200        0 72531968 84455424
Swap: 1073733632        0 1073733632
MemTotal:       516132 kB
MemFree:        332800 kB
MemShared:           0 kB
Buffers:         70832 kB
Cached:          82476 kB
SwapCached:          0 kB
Active:          23924 kB
Inactive:       138360 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       516132 kB
LowFree:        332800 kB
SwapTotal:     1048568 kB
SwapFree:      1048568 kB
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r--    1 root     root            0 Feb 28 08:13 /proc/net/ipsec_eroute
-r--r--r--    1 root     root            0 Feb 28 08:13 /proc/net/ipsec_klipsdebug
-r--r--r--    1 root     root            0 Feb 28 08:13 /proc/net/ipsec_spi
-r--r--r--    1 root     root            0 Feb 28 08:13 /proc/net/ipsec_spigrp
-r--r--r--    1 root     root            0 Feb 28 08:13 /proc/net/ipsec_tncfg
-r--r--r--    1 root     root            0 Feb 28 08:13 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
cat: /etc/syslog.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
domain i3s.unice.fr
nameserver 134.59.1.7
search i3s.unice.fr
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
lrwxrwxrwx 1 root root 18 Feb 25 14:50 /lib/modules -> /cdrom/lib/modules
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c01feeb0 netif_rx_R73775a25
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
/usr/lib/ipsec/barf: nm: command not found
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '1,$p' /dev/null
+ egrep -i 'ipsec|klips|pluto'
+ cat
+ _________________________ plog
+ sed -n '1,$p' /dev/null
+ egrep -i pluto
+ cat
+ _________________________ date
+ date
Fri Feb 28 08:13:37 MET 2003
-- 
  ______________________________________________________________________
|                                           |                          |
| L'intelligence est la chose  _       \|/  | Patrick BALESTRA         |
| au monde la mieux partagée.  O      --0-- | Responsable informatique |
| En effet, personne ne se    _/\      /|\  |                          |
| plaint d'en manquer !    (>(_)/==_~'      | I3S, UMR 6070 du CNRS    |
|                         //\ | \_/_\       |                          |
|.........................\_/ `--'\_/.......|                          |
|-------------------------------------------| Tel : 04 92 94 27 81     |
|       email : balestra@i3s.unice.fr       | Fax : 04 92 94 28 98     |
  ----------------------------------------------------------------------

freeswan.i3s.unice.fr Fri Feb 28 08:37:01 CET 2003
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 1.99 See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.18-14 (bhcompile@stripples.devel.redhat.com) (gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)) #1 Wed Sep 4 13:35:50 EDT 2002
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
0 134.59.133.252/32 -> 134.59.131.0/24 => %trap
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
134.59.133.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
134.59.133.0    0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
134.59.131.0    134.59.133.254  255.255.255.0   UG       40 0          0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         134.59.133.254  0.0.0.0         UG       40 0          0 eth0
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
    sock   pid   socket     next     prev e n p sndbf    Flags Type St
cb9675c0 23139 c91e4814        0        0 0 0 2 65535 00000000    3  1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid       sk
pf_key_registered:     2 c91e4814 23139 cb9675c0
pf_key_registered:     3 c91e4814 23139 cb9675c0
pf_key_registered:     9 c91e4814 23139 cb9675c0
pf_key_registered:    10 c91e4814 23139 cb9675c0
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported:     2      14      3     0     160     160
pf_key_supported:     2      14      2     0     128     128
pf_key_supported:     3      15      3   128     168     168
pf_key_supported:     3      14      3     0     160     160
pf_key_supported:     3      14      2     0     128     128
pf_key_supported:     9      15      4     0     128     128
pf_key_supported:     9      15      3     0      32     128
pf_key_supported:     9      15      2     0     128      32
pf_key_supported:     9      15      1     0      32      32
pf_key_supported:    10      15      2     0       1       1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:-1
debug_eroute:-1
debug_esp:-1
debug_ipcomp:-1
debug_netlink:2147483647
debug_pfkey:-1
debug_radij:-1
debug_rcv:-1
debug_spi:-1
debug_tunnel:-1
debug_verbose:0
debug_xform:-1
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/eth0 134.59.133.252
000
000 "i3s": 134.59.133.252---134.59.133.254...134.59.131.254[192.168.1.200]===134.59.131.0/24
000 "i3s":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "i3s":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; trap erouted
000 "i3s":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:E0:29:9A:70:2C
          inet addr:134.59.133.252  Bcast:134.59.133.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:990792 errors:0 dropped:0 overruns:0 frame:0
          TX packets:145627 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:91137855 (86.9 Mb)  TX bytes:41527789 (39.6 Mb)
          Interrupt:11 Base address:0xc000

ipsec0    Link encap:Ethernet  HWaddr 00:E0:29:9A:70:2C
          inet addr:134.59.133.252  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:1962 (1.9 Kb)

ipsec1    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec2    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ipsec3    Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:91516 errors:0 dropped:0 overruns:0 frame:0
          TX packets:91516 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24366356 (23.2 Mb)  TX bytes:24366356 (23.2 Mb)
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
freeswan.i3s.unice.fr
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
8:37am up 22 days, 23:00, 1 user, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
000   0 23330 22301  16   0  3856 1048 wait4  S    pts/0      0:00  \_ /bin/sh /usr/local/sbin/ipsec barf
000   0 23331 23330  15   0  3872 1092 wait4  S    pts/0      0:00      \_ /bin/sh /usr/local/lib/ipsec/barf
000   0 23371 23331  16   0  1452  448 pipe_w S    pts/0      0:00          \_ grep -E -i ppid|pluto|ipsec|klips
040   0 23132     1  18   0  2200 1064 wait4  S    pts/0      0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug all --uniqueids
040   0 23133 23132  18   0  2200 1072 wait4  S    pts/0      0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug all --unique
100   0 23139 23133  15   0  1968  844 schedu S    pts/0      0:00  |   \_ /usr/local/lib/ipsec/pluto --nofork --debug-all --uniqu
000   0 23176 23139  18   0  1380  252 schedu S    pts/0      0:00  |       \_ _pluto_adns -d 7 10
000   0 23134 23132  15   0  2188 1068 pipe_w S    pts/0      0:00  \_ /bin/sh /usr/local/lib/ipsec/_plutoload --load %search --st
000   0 23135     1  15   0  1328  460 pipe_w S    pts/0      0:00 logger -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routephys=eth0
routevirt=ipsec0
routevirt=ipsec0
routeaddr=134.59.133.252
routeaddr=134.59.133.252
routenexthop=134.59.133.254
routenexthop=134.59.133.254
defaultroutephys=eth0
defaultroutevirt=ipsec0
defaultrouteaddr=134.59.133.252
defaultroutenexthop=134.59.133.254
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=all
    plutodebug=all
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
    keyingtries=3
    keylife=20m
    disablearrivalcheck=no
    authby=rsasig

conn i3s
    left=134.59.131.254
    leftid=192.168.1.200
    leftsubnet=134.59.131.0/24
    leftrsasigkey=[keyid AQNXaiwGG]
    right=134.59.133.252
    rightnexthop=134.59.133.254
    rightrsasigkey=[keyid AQOQhePhQ]
    auto=start
    #auto=add
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
    # RSA 2192 bits   freeswan.i3s.unice.fr   Wed Feb 5 09:57:39 2003
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=[keyid AQOQhePhQ]
    #IN KEY 0x4200 4 1 [keyid AQOQhePhQ]
    # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
    Modulus: [...]
    PublicExponent: [...]
    # everything after this point is secret
    PrivateExponent: [...]
    Prime1: [...]
    Prime2: [...]
    Exponent1: [...]
    Exponent2: [...]
    Coefficient: [...]
    }
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/ls-dir
+ ls -l /usr/local/lib/ipsec
total 3144
-rwxr-xr-x    1 root     root        11102 Nov  4 04:42 _confread
-rwxr-xr-x    1 root     root        47903 Nov  4 04:42 _copyright
-rwxr-xr-x    1 root     root         2163 Nov  4 04:42 _include
-rwxr-xr-x    1 root     root         1472 Nov  4 04:42 _keycensor
-rwxr-xr-x    1 root     root        70783 Nov  4 04:42 _pluto_adns
-rwxr-xr-x    1 root     root         3495 Nov  4 04:42 _plutoload
-rwxr-xr-x    1 root     root         4335 Nov  4 04:42 _plutorun
-rwxr-xr-x    1 root     root         7450 Nov  4 04:42 _realsetup
-rwxr-xr-x    1 root     root         1971 Nov  4 04:42 _secretcensor
-rwxr-xr-x    1 root     root         7062 Nov  4 04:42 _startklips
-rwxr-xr-x    1 root     root         5014 Nov  4 04:42 _updown
-rwxr-xr-x    1 root     root        11404 Nov  4 04:42 auto
-rwxr-xr-x    1 root     root         7198 Nov  4 04:42 barf
-rwxr-xr-x    1 root     root          816 Nov  4 04:42 calcgoo
-rwxr-xr-x    1 root     root       318737 Nov  4 04:42 eroute
-rwxr-xr-x    1 root     root       141778 Nov  4 04:42 ikeping
-rwxr-xr-x    1 root     root         2915 Nov  4 04:42 ipsec
-rw-r--r--    1 root     root         1950 Nov  4 04:42 ipsec_pr.template
-rwxr-xr-x    1 root     root       169454 Nov  4 04:42 klipsdebug
-rwxr-xr-x    1 root     root         2437 Nov  4 04:42 look
-rwxr-xr-x    1 root     root        16157 Nov  4 04:42 manual
-rwxr-xr-x    1 root     root         1847 Nov  4 04:42 newhostkey
-rwxr-xr-x    1 root     root       144001 Nov  4 04:42 pf_key
-rwxr-xr-x    1 root     root      1074575 Nov  4 04:42 pluto
-rwxr-xr-x    1 root     root        52408 Nov  4 04:42 ranbits
-rwxr-xr-x    1 root     root        78546 Nov  4 04:42 rsasigkey
-rwxr-xr-x    1 root     root        16671 Nov  4 04:42 send-pr
lrwxrwxrwx    1 root     root           22 Feb  5 09:57 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x    1 root     root         1041 Nov  4 04:42 showdefaults
-rwxr-xr-x    1 root     root         4205 Nov  4 04:42 showhostkey
-rwxr-xr-x    1 root     root       333138 Nov  4 04:42 spi
-rwxr-xr-x    1 root     root       268579 Nov  4 04:42 spigrp
-rwxr-xr-x    1 root     root        60155 Nov  4 04:42 tncfg
-rwxr-xr-x    1 root     root        16056 Nov  4 04:42 uml_netjig
-rwxr-xr-x    1 root     root         3353 Nov  4 04:42 verify
-rwxr-xr-x    1 root     root       212147 Nov  4 04:42 whack
+ _________________________ ipsec/updowns
++ ls /usr/local/lib/ipsec
++ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001  D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in