Hello again,
As I mentioned in the previous message, I am posting the `ipsec barf` and
`ipsec look` outputs; then I'll follow with the routing-table outputs, and I
suppose I could grab the ipchains filter and rules outputs too (though the
barf below already includes `netstat -nr` and `ipchains -L -v -n`). But
nonetheless, here it is in all its pitiful glory.
# ipsec barf
cx1140290-c
Sun Jun 24 11:00:27 UTC 2001
+ _________________________
+
+ cat /proc/net/ipsec_eroute
192.168.10.0/24 -> 192.168.110.0/24 => [EMAIL PROTECTED]
+ _________________________
+
+ cat /proc/net/ipsec_spi
[EMAIL PROTECTED] IPIP: dir=out 24.9.126.49 -> 64.241.69.122
life(c,s,h)=add(680,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out alen=128 aklen=128
eklen=192 life(c,s,h)=add(680,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in alen=128 aklen=128 eklen=192
life(c,s,h)=add(680,0,0)
+ _________________________
+
+ cat /proc/net/ipsec_spigrp
[EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED]
+ _________________________
+
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
24.9.126.0 0.0.0.0 255.255.255.128 U 0 0 0 eth0
24.9.126.0 0.0.0.0 255.255.255.128 U 0 0 0 ipsec0
192.168.110.0 24.9.126.1 255.255.255.0 UG 0 0 0 ipsec0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 24.9.126.1 0.0.0.0 UG 0 0 0 eth0
+ _________________________
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260 -> 1500
ipsec1 -> NULL mtu=0 -> 0
ipsec2 -> NULL mtu=0 -> 0
ipsec3 -> NULL mtu=0 -> 0
+ _________________________
+
+ cat /proc/net/pf_key
sock pid d sleep socket next prev e destruct r z fa n p r w o sndbf stamp
Flags Type St
c06f6680 1371 0 c06c9a38 c06c9a1c 0 0 0 0 1 0 15 0 2 0 0 0 65535 0.327435
00000000 00000003 01
+ _________________________
+
+ ipsec auto --status
000
+ _________________________
+
+ ifconfig -a
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
ipsec0 Link encap:Ethernet HWaddr 00:00:E8:DE:07:29
inet addr:24.9.126.49 Mask:255.255.255.128
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
ipsec1 Link encap:IPIP Tunnel HWaddr
unspec addr:[NONE SET] Mask:[NONE SET]
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
ipsec2 Link encap:IPIP Tunnel HWaddr
unspec addr:[NONE SET] Mask:[NONE SET]
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
ipsec3 Link encap:IPIP Tunnel HWaddr
unspec addr:[NONE SET] Mask:[NONE SET]
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
brg0 Link encap:Ethernet HWaddr FE:FD:05:4A:C3:A8
unspec addr:[NONE SET] Bcast:[NONE SET] Mask:[NONE SET]
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
eth0 Link encap:Ethernet HWaddr 00:00:E8:DE:07:29
inet addr:24.9.126.49 Bcast:24.9.126.255 Mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:875 errors:0 dropped:0 overruns:0 frame:0
TX packets:638 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
Interrupt:10 Base address:0xfc60
eth1 Link encap:Ethernet HWaddr 00:01:02:6F:0C:E9
inet addr:192.168.10.40 Bcast:192.168.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:663 errors:0 dropped:0 overruns:0 frame:0
TX packets:587 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
Interrupt:11 Base address:0xfc80
+ _________________________
+
+ ipsec --version
+ sed 1q
Linux FreeS/WAN 1.5
+ _________________________
+
+ hostname --fqdn
cx1140290-c.phnx3.az.home.com
+ _________________________
+
+ hostname --ip-address
24.9.126.49
+ _________________________
+
+ uptime
11:00:28 up 0 Days (0h), load average: 0.00 0.00 0.03
+ _________________________
+
+ ipsec showdefaults
phys=eth0
virt=ipsec0
addr=24.9.126.49
nexthop=24.9.126.1
+ _________________________
+
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
# RCSID $Id: conf.proto,v 1.24 2000/05/23 21:05:09 henry Exp $
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file.
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces="%defaultroute"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# Parameters for manual-keying testing (DON'T USE OPERATIONALLY).
# Note: only one test connection at a time can use these parameters!
# (Review note: because they sit in "conn %default" they are inherited by
# every conn below. Manually keyed SAs are static -- the espenckey/espauthkey
# values never change until someone re-keys by hand -- so a long-lived
# production tunnel should be moved to Pluto-negotiated keying.)
spi=0x200
esp=3des-md5-96
md5sum: not found
espenckey=[sums to espe...]
md5sum: not found
espauthkey=[sums to espa...]
# If RSA authentication is used, get keys from DNS.
#leftrsasigkey=%dns
#rightrsasigkey=%dns
type=tunnel
# sample connection
conn metro1-metro2
# Left security gateway, subnet behind it, next hop toward right.
leftfirewall=yes
left=24.9.126.49
leftsubnet=192.168.10.0/24
leftnexthop=24.9.126.1
# Right security gateway, subnet behind it, next hop toward left.
#rightfirewall=yes
right=64.241.69.122
rightsubnet=192.168.110.0/24
rightnexthop=64.241.69.64
# Authorize this connection, but don't actually start it, at startup.
# (Review note: that sentence describes auto=add; with auto=manual below the
# conn is apparently not picked up by plutoload=%search at all -- consistent
# with the empty "ipsec auto --status" above -- and is brought up by hand with
# "ipsec manual". Also note that rightid/leftid below carry each other's
# address (rightid is left's 24.9.126.49, leftid is right's 64.241.69.122);
# ids are unused for manual keying but would likely break an IKE negotiation.)
auto=manual
authby=esp
rightid=24.9.126.49
leftid=64.241.69.122
# To use RSA authentication (the US RSA patent expired on 20 Sept 2000, so
# that restriction no longer applies), uncomment this next line.
#authby=rsasig
md5sum: not found
#leftrsasigkey=[sums to #lef...]
md5sum: not found
#rightrsasigkey=[sums to #rig...]
+ _________________________
+
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# This is a sample ipsec.secrets file -- Yours had better be different!
# See the ipsec_pluto(8) manpage for a specification.
# 194.100.55.1 is isakmp-test.ssh.fi
# localhost is a domain name (but not actually useful)
md5sum: not found
24.9.126.49 64.241.69.122: "[sums to 24.9...]"
# the following entry could authenticate any of 10 different pairings
#isakmp-test.ssh.fi
#my1.imaginary.name
#my2.imaginary.name
#my3.imaginary.name # coffee pot (rarely perks up)
#my4.imaginary.name:
md5sum: not found
#"[sums to #"an...]"
# perhaps the only use for an entry with a single index:
# testing with two Plutos on the same system.
md5sum: not found
#127.000.000.001: "[sums to #127...]"
# Here is an RSA secret key.
# The empty index list means that it will be used unless a more specific
# match is found.
# (Review note: the header above says this is the SAMPLE secrets file, and
# the keys below are dated Feb 2000. If they are the ones shipped with
# FreeS/WAN, their private halves are public knowledge; generate a fresh key
# with "ipsec rsasigkey" and replace them before ever enabling
# authby=rsasig. With the current authby=esp/manual keying they are unused.)
md5sum: not found
# This was generated by "[sums to #...]".
# The pubkey comment is suitable for copying into config.sys.
: RSA
{
# 1024 bits, Fri Feb 4 20:18:49 2000
# for signatures only, UNSAFE FOR ENCRYPTION
md5sum: not found
#pubkey=[sums to #pub...]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# Here is another RSA secret key -- having two helps testing
@example.com: RSA
{
# 1040 bits, Fri Feb 4 20:22:17 2000
# for signatures only, UNSAFE FOR ENCRYPTION
md5sum: not found
#pubkey=[sums to #pub...]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# other secrets files can be interpolated
#> /etc/ipsec.secrets 59
+ _________________________
+
+ ls -l /usr/local/lib/ipsec
-rwxr-xr-x 1 root root 8719 Aug 21 2000 _confread
-rwxr-xr-x 1 root root 2124 Aug 21 2000 _include
-rwxr-xr-x 1 root root 1342 Aug 21 2000 _keycensor
-rwxr-xr-x 1 root root 1860 Aug 21 2000 _secretcensor
-rwxr-xr-x 1 root root 4089 Sep 11 2000 _updown
-rwxr-xr-x 1 root root 9315 Aug 21 2000 auto
-rwxr-xr-x 1 root root 4319 Aug 21 2000 barf
-rwxr-xr-x 1 root root 44620 Aug 21 2000 eroute
-rwxr-xr-x 1 root root 2346 Aug 21 2000 ipsec
-rwxr-xr-x 1 root root 36732 Aug 21 2000 klipsdebug
-rwxr-xr-x 1 root root 1993 Aug 21 2000 look
-rwxr-xr-x 1 root root 13886 Aug 21 2000 manual
-rwxr-xr-x 1 root root 221860 Aug 21 2000 pluto
-rwxr-xr-x 1 root root 6476 Aug 21 2000 ranbits
-rwxr-xr-x 1 root root 44200 Aug 21 2000 rsasigkey
lrwxrwxrwx 1 root root 17 Jun 24 10:42 setup ->
-rwxr-xr-x 1 root root 865 Aug 21 2000 showdefaults
-rwxr-xr-x 1 root root 52444 Aug 21 2000 spi
-rwxr-xr-x 1 root root 38768 Aug 21 2000 spigrp
-rwxr-xr-x 1 root root 8832 Aug 21 2000 tncfg
-rwxr-xr-x 1 root root 20152 Aug 21 2000 whack
-rwxr-xr-x 1 root root 1621 Aug 21 2000 showhostkey
+ _________________________
+
+ ls /usr/local/lib/ipsec
+ egrep updown
+ cat /usr/local/lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.5 2000/03/22 17:14:50 henry Exp $
# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, it's probably better to make a copy of this under
# another name, and modify that, and use the (left/right)updown parameters
# in ipsec.conf to make FreeS/WAN use yours instead of this one.
# check interface version
# Refuse to run against a Pluto whose updown interface version is not the
# one this script was written for (1.0); an unset PLUTO_VERSION is rejected
# too.  Exit status 2 signals "usage/interface" failure back to Pluto.
if test "$PLUTO_VERSION" != 1.0
then
  echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
  exit 2
fi
# check parameter(s)
# The only argument Pluto ever passes is "ipfwadm", produced by
# leftfirewall=yes / rightfirewall=yes in ipsec.conf.  No argument is also
# fine; anything else (including extra words) aborts with status 2.
case "$*" in
  ''|ipfwadm)
    ;;
  *)
    echo "$0: unknown parameter \`$1'" >&2
    exit 2
    ;;
esac
# utility functions for route manipulation
# Meddling with this stuff should never be necessary and is most unwise.
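# Add the route that steers traffic for the peer's client subnet into the
# IPsec virtual interface.  All inputs come from Pluto's environment:
#   PLUTO_PEER_CLIENT_NET / PLUTO_PEER_CLIENT_MASK  peer subnet and its mask
#   PLUTO_INTERFACE                                  the ipsecN device
#   PLUTO_NEXT_HOP                                   gateway toward the peer
# Returns route(8)'s exit status.  Every expansion is quoted (ShellCheck
# SC2086) so an unexpected or empty value reaches route(8) as one argument
# instead of being word-split into extra operands.
uproute() {
  route add -net "$PLUTO_PEER_CLIENT_NET" netmask "$PLUTO_PEER_CLIENT_MASK" \
    dev "$PLUTO_INTERFACE" gw "$PLUTO_NEXT_HOP"
}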
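# Remove the route that uproute() added for the peer's client subnet.
# Uses the same Pluto-supplied variables as uproute():
#   PLUTO_PEER_CLIENT_NET / PLUTO_PEER_CLIENT_MASK  peer subnet and its mask
#   PLUTO_INTERFACE                                  the ipsecN device
#   PLUTO_NEXT_HOP                                   gateway toward the peer
# Returns route(8)'s exit status.  Expansions are quoted (ShellCheck SC2086)
# so a malformed or empty value cannot be split into extra route(8) operands.
downroute() {
  route del -net "$PLUTO_PEER_CLIENT_NET" netmask "$PLUTO_PEER_CLIENT_MASK" \
    dev "$PLUTO_INTERFACE" gw "$PLUTO_NEXT_HOP"
}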
# the big choice
# Dispatch on the Pluto verb plus the optional "ipfwadm" argument.  Each
# branch runs in the environment Pluto exports (PLUTO_PEER_CLIENT_NET,
# PLUTO_PEER_CLIENT_MASK, PLUTO_PEER, PLUTO_ME, PLUTO_MY_CLIENT_NET, ...).
# Only the prepare-* branch sets an explicit exit status; every other branch
# leaves the status of its last command (or 0 for the empty branches).
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
# Capture stderr as well, because the decision below is made on the text
# route(8) prints, not just on its exit status.
oops="`route del -net $PLUTO_PEER_CLIENT_NET \
netmask $PLUTO_PEER_CLIENT_MASK 2>&1`"
status="$?"
# A non-zero status with no message is still an error; give it a message.
# (The leading space in the operands presumably keeps test(1) from
# misreading a value that begins with "-".)
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error in route command, exit status $status"
fi
case "$oops" in
'SIOCDELRT: No such process')
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
status=0
;;
esac
# Note: the script ends here for prepare-*; nothing after this case runs.
exit $status
;;
route-host:*|route-client:*)
# connection to this host or client being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to this host or client being unrouted
downroute
;;
up-host:*)
# connection to this host coming up
;;
down-host:*)
# connection to this host going down
;;
up-client:)
# connection to client subnet coming up
;;
down-client:)
# connection to client subnet going down
;;
up-client:ipfwadm)
# connection to client subnet, through forwarding firewall, coming up
# beware: read the CAUTION comment up at the top before changing this
#ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
# -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
# SECURITY NOTES (review):
#  - This forward rule carries no interface match (-i), so it accepts
#    traffic between the two client subnets arriving on ANY interface,
#    not only packets that were decrypted through the ipsec device.  It
#    therefore relies on the static input chain already dropping packets
#    that claim a private/client-subnet source on the external interface.
#  - -I inserts at the head of the chain (position 1 by default), ahead of
#    any existing DENY, and nothing here rolls the forward rule back if
#    the input rules below fail.
ipchains -I forward -j ACCEPT -b \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
# Insert firewall rule to accept ESP (Protocol 50) and AH (Protocol 51)
# packets from peer
# Only ESP/AH from the peer's address to ours are opened; IKE (UDP 500)
# is NOT, so a Pluto-negotiated tunnel needs that rule in the static
# ruleset (manual keying does not need it).
ipchains -I input -j ACCEPT -p 50 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
ipchains -I input -j ACCEPT -p 51 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
;;
down-client:ipfwadm)
# connection to client subnet, through forwarding firewall, going down
# beware: read the CAUTION comment up at the top before changing this
#ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
# -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
# Mirror of the up-client:ipfwadm branch: -D removes the first rule that
# matches each specification exactly, so the arguments must be identical
# to the ones used when the rules were inserted.
ipchains -D forward -j ACCEPT -b \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
# Delete firewall rule to accept ESP (Protocol 50) and AH (Protocol 51)
# packets from peer
ipchains -D input -j ACCEPT -p 50 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
ipchains -D input -j ACCEPT -p 51 -s $PLUTO_PEER/32 -d $PLUTO_ME/32
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ _________________________
+
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets
errs drop fifo colls carrier compressed
lo: 230 2 0 0 0 0 0 0 230 2 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
brg0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth0: 133689 876 0 0 0 0 0 264 58773 638 0 0 0 0 0 0
eth1: 60983 663 0 0 0 0 0 0 110575 587 0 0 0 0 0 0
+ _________________________
+
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 007E0918 00000000 0001 0 0 0 80FFFFFF 0 0 0
ipsec0 007E0918 00000000 0001 0 0 0 80FFFFFF 0 0 0
ipsec0 006EA8C0 017E0918 0003 0 0 0 00FFFFFF 0 0 0
eth1 000AA8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 00000000 017E0918 0003 0 0 0 00000000 0 0 0
+ _________________________
+
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________
+
+ uname -a
Linux cx1140290-c 2.2.16 #7 Mon Aug 21 10:22:30 CDT 2000 i386 unknown
+ _________________________
+
+ cat /proc/version
Linux version 2.2.16 (root@debian) (gcc version 2.7.2.3) #7 Mon Aug 21
10:22:30 CDT 2000
+ _________________________
+
+ test -r /etc/redhat-release
+ _________________________
+
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.5
+ _________________________
+
+ ipchains -L -v -n
Chain input (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination
ports
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 13 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 14 -> *
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 224.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 172.16.0.0/12 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.168.10.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 24.9.126.0/25 0.0.0.0/0 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0 0.0.0.0/0 127.0.0.0/8 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0 0.0.0.0/0 192.168.10.0/24 n/a
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138:139
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:138 -> *
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:139 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 22
0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 25
0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 64.241.69.122 0.0.0.0/0 * -> 500
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 113
454 92469 ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * ->
1024:65535
0 0 REJECT udp ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 161:162
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 53
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 123
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 68
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 64.241.69.122 0.0.0.0/0 * -> 500
0 0 DENY udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 67
15 4905 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
88 4176 ACCEPT icmp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 ACCEPT ospf ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
43 5848 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
0 0 REJECT udp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 161:162
0 0 REJECT udp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 161:162 -> *
632 48721 ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination
ports
0 0 ACCEPT all ------ 0xFF 0x00 * 192.168.110.0/24 192.168.10.0/24 n/a
0 0 ACCEPT all ------ 0xFF 0x00 * 192.168.10.0/24 192.168.110.0/24 n/a
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 5 -> *
622 47413 MASQ all ------ 0xFF 0x00 eth0 192.168.10.0/24 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination
ports
1182 149K fairq all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 224.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 172.16.0.0/12 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth0 192.168.10.0/24 0.0.0.0/0 n/a
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138:139
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:138 -> *
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:139 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
1182 149K ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain fairq (1 references):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination
ports
0 0 RETURN ospf ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 n/a
0 0 RETURN ospf ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 n/a
0 0 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 520
0 0 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 520 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 179
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 179 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 53
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 53 -> *
15 1015 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 53
15 4905 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 53 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 * -> 23
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 23 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 * -> 22
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 22 -> *
+ _________________________
+
+ ipfwadm -F -l -n
ipfwadm: not found
+ _________________________
+
+ ipfwadm -I -l -n
ipfwadm: not found
+ _________________________
+
+ ipfwadm -O -l -n
ipfwadm: not found
+ _________________________
+
+ ipchains -M -L -v -n
IP masquerading entries
prot expire initseq delta prevd source destination ports
ICMP 00:06.31 0 0 0 192.168.10.226 64.241.69.123 11388 (61005) -> 8
ICMP 00:06.40 0 0 0 192.168.10.226 64.58.76.176 11388 (61085) -> 8
TCP 00:32.33 0 0 0 192.168.10.225 216.33.236.253 1181 (61093) -> 80
TCP 239:54.45 0 0 0 192.168.10.226 205.188.2.90 3808 (61050) -> 5190
ICMP 00:06.69 0 0 0 192.168.10.226 209.144.217.3 11388 (61036) -> 8
TCP 239:08.93 0 0 0 192.168.10.226 205.188.6.98 3811 (61053) -> 5190
TCP 00:33.45 0 0 0 192.168.10.225 24.0.95.128 1184 (61096) -> 110
TCP 00:33.23 0 0 0 192.168.10.225 24.0.95.128 1183 (61095) -> 110
TCP 00:32.56 0 0 0 192.168.10.225 24.0.95.128 1182 (61094) -> 110
UDP 04:30.00 0 0 0 192.168.10.226 24.1.240.33 3843 (61098) -> 53
UDP 01:54.40 0 0 0 192.168.10.226 24.1.240.33 3834 (61084) -> 53
ICMP 00:06.60 0 0 0 192.168.10.226 24.221.50.192 11388 (61009) -> 8
TCP 01:30.31 0 0 0 192.168.10.226 152.163.180.24 3844 (61099) -> 80
TCP 01:31.08 0 0 0 192.168.10.226 152.163.180.56 3847 (61102) -> 80
TCP 01:30.89 0 0 0 192.168.10.226 152.163.180.56 3846 (61101) -> 80
TCP 01:30.51 0 0 0 192.168.10.226 152.163.180.56 3845 (61100) -> 80
+ _________________________
+
+ ipfwadm -M -l -n
ipfwadm: not found
+ _________________________
+
+ cat /proc/modules
ppp_deflate 40612 0 (unused)
ppp 20828 0 [ppp_deflate]
slhc 4408 0 [ppp]
ip_masq_mfw 3076 0 (unused)
ip_masq_portfw 2296 0 (unused)
ip_masq_autofw 2356 0 (unused)
ip_masq_user 2636 0 (unused)
ip_masq_cuseeme 852 0 (unused)
ip_masq_vdolive 1068 0 (unused)
ip_masq_raudio 2820 0 (unused)
ip_masq_quake 1108 0 (unused)
ip_masq_irc 1300 0 (unused)
ip_masq_ftp 2352 0 (unused)
3c59x 18436 1
ne2k-pci 4092 1
8390 6220 0 [ne2k-pci]
+ _________________________
+
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 13799424 12673024 1126400 2039808 5832704 1974272
Swap: 0 0 0
MemTotal: 13476 kB
MemFree: 1100 kB
MemShared: 1992 kB
Buffers: 5696 kB
Cached: 1928 kB
SwapTotal: 0 kB
SwapFree: 0 kB
+ _________________________
+
+ ls -l /dev/ipsec
c-w------- 1 root root 36, 10 Jun 24 10:46 /dev/ipsec
+ _________________________
+
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug
/proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_spinew
/proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r-- 1 root root 0 Jun 24 11:00 /proc/net/ipsec_eroute
-r--r--r-- 1 root root 0 Jun 24 11:00 /proc/net/ipsec_klipsdebug
-r--r--r-- 1 root root 0 Jun 24 11:00 /proc/net/ipsec_spi
-r--r--r-- 1 root root 0 Jun 24 11:00 /proc/net/ipsec_spigrp
-r--r--r-- 1 root root 0 Jun 24 11:00 /proc/net/ipsec_spinew
-r--r--r-- 1 root root 0 Jun 24 11:00 /proc/net/ipsec_tncfg
-r--r--r-- 1 root root 0 Jun 24 11:00 /proc/net/ipsec_version
+ _________________________
+
+ test -f /usr/src/linux/.config
+ _________________________
+
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# Log everything remotely. The other machine must run syslog with '-r'.
# WARNING: Doing this is insecure (traditional syslog forwarding is
# unauthenticated cleartext UDP, so anyone who can reach the receiver can
# read or flood it) and can open you up to a DoS attack.
#
#*.* @host.ip.address-or-name.here
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#cron.* /var/log/cron.log
#lpr.* -/var/log/lpr.log
#mail.* /var/log/mail.log
#user.* -/var/log/user.log
#uucp.* -/var/log/uucp.log
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#ppp
local2.* -/var/log/ppp.log
#portslave
local6.* -/var/log/pslave.log
+ _________________________
+
+ test -f /var/log/kern.debug
+ _________________________
+
+ cat
+ egrep -i ipsec|klips|pluto
+ egrep -n Starting FreeS.WAN /var/log/syslog
+ sed -n $s/:.*//p
+ sed -n 108,$p /var/log/syslog
Jun 24 10:51:19 cx1140290-c ipsec_setup: Starting FreeS/WAN IPSEC 1.5...
Jun 24 10:51:19 cx1140290-c ipsec_setup: KLIPS debug `none'
Jun 24 10:51:20 cx1140290-c ipsec_setup: KLIPS ipsec0 on eth0
24.9.126.49/255.255.255.128 broadcast 24.9.126.255
Jun 24 10:51:20 cx1140290-c ipsec_setup: WARNING: ipsec0 has route filtering
turned on, KLIPS may not work
Jun 24 10:51:20 cx1140290-c ipsec_setup:
(/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
Jun 24 10:51:20 cx1140290-c ipsec_setup: Pluto debug `none'
Jun 24 10:51:22 cx1140290-c ipsec_setup: ...FreeS/WAN IPSEC started
+ _________________________
+
+ egrep -i pluto
+ egrep -n Starting Pluto /var/log/auth.log
+ cat
+ sed -n $s/:.*//p
+ sed -n 15,$p /var/log/auth.log
Jun 24 10:51:20 cx1140290-c Pluto[1371]: Starting Pluto (FreeS/WAN Version
1.5)
Jun 24 10:51:21 cx1140290-c Pluto[1371]: listening for IKE messages
Jun 24 10:51:21 cx1140290-c Pluto[1371]: adding interface ipsec0/eth0
24.9.126.49
Jun 24 10:51:21 cx1140290-c Pluto[1371]: loading secrets from
"/etc/ipsec.secrets"
Jun 24 10:51:21 cx1140290-c Pluto[1371]: loading secrets from "/dev/null"
+ _________________________
+
+ date
Sun Jun 24 11:00:29 UTC 2001
###---------------<end of file>-------------------###
# ipsec look
cx1140290-c Sun Jun 24 11:01:04 UTC 2001
192.168.10.0/24 -> 192.168.110.0/24 => [EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED] IPIP: dir=out 24.9.126.49 -> 64.241.69.122
life(c,s,h)=add(680,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out alen=128 aklen=128
eklen=192 life(c,s,h)=add(680,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in alen=128 aklen=128 eklen=192
life(c,s,h)=add(680,0,0)
#### Even though the saved output doesn't show it, here in the terminal I get
the error "paste: not found", and it appears where this line is. Any ideas?
(Review note: `ipsec look` apparently pipes its tables through paste(1) to
line them up; the message just means paste is not installed on this box, as
md5sum evidently isn't either -- see the "md5sum: not found" lines in the barf
above. What the key censor printed in place of a hash is only the first four
characters of each censored line, e.g. "[sums to espe...]" for the espenckey
line, so no key material leaked; neither missing tool affects the tunnel
itself, only the readability of the reports.)
Destination Gateway Genmask Flags MSS Window irtt Iface
24.9.126.0 0.0.0.0 255.255.255.128 U 0 0 0 eth0
24.9.126.0 0.0.0.0 255.255.255.128 U 0 0 0 ipsec0
192.168.110.0 24.9.126.1 255.255.255.0 UG 0 0 0 ipsec0
0.0.0.0 24.9.126.1 0.0.0.0 UG 0 0 0 eth0
###---------------<end of file>-------------------###
Thanks again
John