Hi,
I'm trying to create a host subnet connection from an XP box to a subnet
behind a Bering V1 rc4 NAT firewall.
When the XP client pings an interface on the firewalled subnet, it returns
one "Negotiating IP security" response followed by "Request timed out" for
its other ping packets. Judging from /var/log/auth.log, the problem occurs
after the IPsec SA is established. I'm out of ideas for troubleshooting what
the problem might be.
In producing ipsec barf, there is clearly a problem with there being no
md5sum on the system, but shouldn't that be part of ipsec.lrp if it is
required for operation?
Grateful for any ideas....
auth.log, ipsec start up and ipsec barf are below.
Thanks!
Lee
IPsec Windows XP to Bering/FreeS/WAN connection failures
What auth.log shows when I attempt to connect:
Nov 16 23:02:37 beringfirewall ipsec__plutorun: Starting Pluto subsystem...
Nov 16 23:02:37 beringfirewall pluto[7363]: Starting Pluto (FreeS/WAN Version 1.98b)
Nov 16 23:02:38 beringfirewall pluto[7363]: added connection description "w2k-road-warriors"
Nov 16 23:02:38 beringfirewall pluto[7363]: listening for IKE messages
Nov 16 23:02:38 beringfirewall pluto[7363]: adding interface ipsec0/eth0 192.168.2.253
Nov 16 23:02:38 beringfirewall pluto[7363]: loading secrets from "/etc/ipsec.secrets"
Nov 16 23:03:50 beringfirewall pluto[7363]: packet from 192.168.2.1:500: ignoring Vendor ID payload
Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: responding to Main Mode from unknown peer 192.168.2.1
Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: sent MR3, ISAKMP SA established
Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: responding to Quick Mode
Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: IPsec SA established
then it pauses until eventually...
Nov 16 23:04:54 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: ignoring Delete SA payload
Nov 16 23:04:54 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: received and ignored informational message
IPsec start up
# /etc/init.d/ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
ipsec_setup: Using /lib/modules/ipsec.o
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
ipsec barf
beringfirewall
Sat Nov 16 23:12:05 UTC 2002
+ _________________________ version
+
+ ipsec --version
Linux FreeS/WAN 1.98b
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+
+ cat /proc/version
Linux version 2.4.18 (root@samsung) (gcc version 2.95.4 20011002 (Debian prerelease)) #6 Sun Oct 20 15:06:22 CEST 2002
+ _________________________ proc/net/ipsec_eroute
+
+ sort +3 /proc/net/ipsec_eroute
sort: +3: No such file or directory
+ cat /proc/net/ipsec_eroute
0 192.168.3.0/24 -> 192.168.2.1/32 => [EMAIL PROTECTED]
+ _________________________ ip/route
+
+ ip route
192.168.2.1 via 192.168.2.1 dev ipsec0
192.168.3.0/24 dev eth1 proto kernel scope link src 192.168.3.254
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.253
192.168.2.0/24 dev ipsec0 proto kernel scope link src 192.168.2.253
default via 192.168.2.254 dev eth0
+ _________________________ proc/net/ipsec_spi
+
+ cat /proc/net/ipsec_spi
[EMAIL PROTECTED] IPIP: dir=out src=192.168.2.253 life(c,s,h)=addtime(495,0,0)
[EMAIL PROTECTED] IPIP: dir=in src=192.168.2.1 life(c,s,h)=addtime(495,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=192.168.2.253 iv_bits=64bits iv=0x9ce1a78a77432e41 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(495,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in src=192.168.2.1 iv_bits=64bits iv=0xbd540ccc4e86f6d7 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(495,0,0)
+ _________________________ proc/net/ipsec_spigrp
+
+ cat /proc/net/ipsec_spigrp
[EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
+ _________________________ proc/net/ipsec_tncfg
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
c1fb93f0 7363 c118d750 0 0 0 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star
+
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c118d750 7363 c1fb93f0
pf_key_registered: 3 c118d750 7363 c1fb93f0
pf_key_registered: 9 c118d750 7363 c1fb93f0
pf_key_registered: 10 c118d750 7363 c1fb93f0
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 4 0 128 128
pf_key_supported: 9 15 3 0 32 128
pf_key_supported: 9 15 2 0 128 32
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+
+ cd /proc/sys/net/ipsec
+ egrep ^ icmp inbound_policy_check tos
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+
+ ipsec auto --status
000 interface ipsec0/eth0 192.168.2.253
000
000 "w2k-road-warriors"[1]: 192.168.3.0/24===192.168.2.253...192.168.2.1
000 "w2k-road-warriors"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "w2k-road-warriors"[1]: policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; erouted
000 "w2k-road-warriors"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
000 "w2k-road-warriors": 192.168.3.0/24===192.168.2.253...%any
000 "w2k-road-warriors": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "w2k-road-warriors": policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; unrouted
000 "w2k-road-warriors": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #2: "w2k-road-warriors"[1] 192.168.2.1 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28036s; newest IPSEC; eroute owner
000 #2: "w2k-road-warriors"[1] 192.168.2.1 [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "w2k-road-warriors"[1] 192.168.2.1 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2835s; newest ISAKMP
000
+ _________________________ ip/address
+
+ ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:09:b7:68:1a:9a brd ff:ff:ff:ff:ff:ff
inet 192.168.2.253/24 brd 192.168.2.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:aa:00:ac:2c:60 brd ff:ff:ff:ff:ff:ff
inet 192.168.3.254/24 brd 192.168.3.255 scope global eth1
21: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:09:b7:68:1a:9a brd ff:ff:ff:ff:ff:ff
inet 192.168.2.253/24 brd 192.168.2.255 scope global ipsec0
22: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
23: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
24: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
+ _________________________ ipsec/directory
+
+ ipsec --directory
/lib/ipsec
+ _________________________ hostname/fqdn
+
+ hostname -f
hostname: beringfirewall: Host name lookup failure
+ _________________________ hostname/ipaddress
+
+ hostname -i
hostname: beringfirewall: Host name lookup failure
+ _________________________ uptime
+
+ uptime
11:17pm up 5:46, load average: 0.00, 0.00, 0.00
+ _________________________ ps
+
+ ps alxwf
+ egrep -i ppid|pluto|ipsec|klips
11814 root 1748 S /bin/sh /lib/ipsec/_plutorun --debug none --uniqueid
13715 root 1284 S logger -p daemon.error -t ipsec__plutorun
27681 root 1748 S /bin/sh /lib/ipsec/_plutorun --debug none --uniqueid
995 root 1420 S /bin/sh /lib/ipsec/_plutoload --load %search --start
12330 root 1748 S /bin/sh /lib/ipsec/_plutorun --debug none --uniqueid
7363 root 1264 S /lib/ipsec/pluto --nofork --debug-none --uniqueids
6949 root 828 S _pluto_adns 7 10
25521 root 856 S /bin/sh /sbin/ipsec barf
4885 root 1580 S /bin/sh /lib/ipsec/barf
14038 root 1580 R /bin/sh /lib/ipsec/barf
+ _________________________ ipsec/showdefaults
+
+ ipsec showdefaults
routephys=eth0
routephys=eth0
routevirt=ipsec0
routevirt=ipsec0
routeaddr=192.168.2.253
routeaddr=192.168.2.253
routenexthop=192.168.2.254
routenexthop=192.168.2.254
defaultroutephys=eth0
defaultroutevirt=ipsec0
defaultrouteaddr=192.168.2.253
defaultroutenexthop=192.168.2.254
+ _________________________ ipsec/conf
+
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        # authby=rsasig
        # leftrsasigkey=%dns
        # rightrsasigkey=%dns
        # Following added by Lee just as above 3 commented by Lee
        authby=secret
        left=192.168.2.253
        leftsubnet=192.168.3.0/24
        leftfirewall=yes
        pfs=yes
        auto=add
# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
#conn me-to-anyone
#       left=%defaultroute
#       right=%opportunistic
#       # uncomment to enable incoming; change to auto=route for outgoing
#       #auto=add
# sample VPN connection
#conn sample
#       # Left security gateway, subnet behind it, next hop toward right.
#       left=10.0.0.1
#       leftsubnet=172.16.0.0/24
#       leftnexthop=10.22.33.44
#       # Right security gateway, subnet behind it, next hop toward left.
#       right=10.12.12.1
#       rightsubnet=192.168.0.0/24
#       rightnexthop=10.101.102.103
#       # To authorize this connection, but not actually start it, at startup,
#       # uncomment this.
#       #auto=add
conn w2k-road-warriors
        right=%any
+ _________________________ ipsec/secrets
+
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
md5sum: not found
# with "[sums to #...]".
md5sum: not found
%any 192.168.2.253: PSK "[sums to %any...]"
md5sum: not found
# do not change the indenting of that "[sums to #...]"
+ _________________________ ipsec/ls-dir
+
+ ls -l /lib/ipsec
-rwxr-xr-x 1 root root 11102 Jul 7 12:27 _confread
-rwxr-xr-x 1 root root 4136 Jul 7 12:28 _copyright
-rwxr-xr-x 1 root root 2163 Jul 7 12:27 _include
-rwxr-xr-x 1 root root 1472 Jul 7 12:27 _keycensor
-rwxr-xr-x 1 root root 9360 Jul 7 12:28 _pluto_adns
-rwxr-xr-x 1 root root 3495 Jul 7 12:27 _plutoload
-rwxr-xr-x 1 root root 4376 Jul 7 12:27 _plutorun
-rwxr-xr-x 1 root root 7591 Jul 7 12:28 _realsetup
-rwxr-xr-x 1 root root 1971 Jul 7 12:27 _secretcensor
-rwxr-xr-x 1 root root 7687 Sep 2 17:25 _startklips
-rwxr-xr-x 1 root root 7575 Jul 7 12:28 _updown
-rwxr-xr-x 1 root root 11404 Jul 7 12:27 auto
-rwxr-xr-x 1 root root 7172 Jul 7 12:28 barf
-rwxr-xr-x 1 root root 59360 Jul 7 12:28 eroute
-rwxr-xr-x 1 root root 18024 Jul 7 12:28 ikeping
-rwxr-xr-x 1 root root 2906 Jul 7 12:27 ipsec
-rw-r--r-- 1 root root 1950 Jul 7 12:27 ipsec_pr.template
-rwxr-xr-x 1 root root 41312 Jul 7 12:28 klipsdebug
-rwxr-xr-x 1 root root 2659 Oct 13 08:00 look
-rwxr-xr-x 1 root root 16450 Oct 13 08:00 manual
-rwxr-xr-x 1 root root 1847 Jul 7 12:27 newhostkey
-rwxr-xr-x 1 root root 34556 Jul 7 12:28 pf_key
-rwxr-xr-x 1 root root 311372 Jul 7 12:28 pluto
-rwxr-xr-x 1 root root 6484 Jul 7 12:28 ranbits
-rwxr-xr-x 1 root root 64220 Jul 7 12:28 rsasigkey
-rwxr-xr-x 1 root root 16641 Jul 7 12:27 send-pr
lrwxrwxrwx 1 root root 17 Nov 16 17:30 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1041 Jul 7 12:27 showdefaults
-rwxr-xr-x 1 root root 4205 Jul 7 12:27 showhostkey
-rwxr-xr-x 1 root root 68812 Jul 7 12:28 spi
-rwxr-xr-x 1 root root 51212 Jul 7 12:28 spigrp
-rwxr-xr-x 1 root root 9544 Jul 7 12:28 tncfg
-rwxr-xr-x 1 root root 32140 Jul 7 12:28 whack
+ _________________________ ipsec/updowns
+
+ ls /lib/ipsec
+ egrep updown
+ cat /lib/ipsec/_updown
#! /bin/sh
# default updown script
# Copyright (C) 2000, 2001 D. Hugh Redelmeier, Henry Spencer
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.19 2002/03/25 18:04:42 henry Exp $
# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
}
downroute() {
doroute del
}
# <CTC> convert to iproute2 - add mask2bits function
#-------------------------------------------------------------------------
# mask2bits function, returns the number of bits in the netmask parameter.
# borrowed from http://www.stearns.org/samlib/samlib-0.1/samlib
#-------------------------------------------------------------------------
#No external apps needed.
mask2bits () {
case $1 in
255.255.255.255) echo 32 ;;
255.255.255.254) echo 31 ;;
255.255.255.252) echo 30 ;;
255.255.255.248) echo 29 ;;
255.255.255.240) echo 28 ;;
255.255.255.224) echo 27 ;;
255.255.255.192) echo 26 ;;
255.255.255.128) echo 25 ;;
255.255.255.0) echo 24 ;;
255.255.254.0) echo 23 ;;
255.255.252.0) echo 22 ;;
255.255.248.0) echo 21 ;;
255.255.240.0) echo 20 ;;
255.255.224.0) echo 19 ;;
255.255.192.0) echo 18 ;;
255.255.128.0) echo 17 ;;
255.255.0.0) echo 16 ;;
255.254.0.0) echo 15 ;;
255.252.0.0) echo 14 ;;
255.248.0.0) echo 13 ;;
255.240.0.0) echo 12 ;;
255.224.0.0) echo 11 ;;
255.192.0.0) echo 10 ;;
255.128.0.0) echo 9 ;;
255.0.0.0) echo 8 ;;
254.0.0.0) echo 7 ;;
252.0.0.0) echo 6 ;;
248.0.0.0) echo 5 ;;
240.0.0.0) echo 4 ;;
224.0.0.0) echo 3 ;;
192.0.0.0) echo 2 ;;
128.0.0.0) echo 1 ;;
0.0.0.0) echo 0 ;;
*) echo 32 ;;
esac
} #End of mask2bits
doroute() {
# parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
# parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
PLUTO_PEER_CLIENT_BITS=`mask2bits $PLUTO_PEER_CLIENT_MASK`
parms="$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_BITS"
parms2="dev $PLUTO_INTERFACE via $PLUTO_NEXT_HOP"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
# it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
# route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
it="ip route $1 0.0.0.0/1 $parms2 &&"
it="$it ip route $1 128.0.0.0/1 $parms2"
;;
# *) it="route $1 $parms $parms2"
*) it="ip route $1 $parms $parms2"
;;
esac
eval $it
st=$?
if test $st -ne 0
then
# route has already given its own cryptic message
echo "$0: \`$it' failed" >&2
if test " $1 $st" = " add 7"
then
# another totally undocumented interface -- 7 and
# "SIOCADDRT: Network is unreachable" means that
# the gateway isn't reachable.
echo "$0: (incorrect or missing nexthop setting??)" >&2
fi
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
# it="route del -net 0.0.0.0 netmask 128.0.0.0 2>&1 ;
# route del -net 128.0.0.0 netmask 128.0.0.0 2>&1"
it="ip route del 0.0.0.0/1 2>&1 ; ip route del 128.0.0.0/1 2>&1"
;;
*)
# it="route del -net $PLUTO_PEER_CLIENT_NET \
# netmask $PLUTO_PEER_CLIENT_MASK 2>&1"
PLUTO_PEER_CLIENT_BITS=`mask2bits $PLUTO_PEER_CLIENT_MASK`
parms="$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_BITS"
it="ip route del $parms 2>&1"
;;
esac
oops="`eval $it`"
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
# <CTC> iproute2 gives a _different_ incomprehensible answer
# 'SIOCDELRT: No such process'*)
'RTNETLINK answers: No such process'*)
# </CTC>
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
# <CTC> replace with iptables commands
# ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
# -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
# </CTC>
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
# <CTC> replace with iptables commands
# ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
# -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
iptables -D FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
iptables -D FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
# </CTC>
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ _________________________ proc/net/dev
+
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   51524     360    0    0    0     0          0         0    51524     360    0    0    0     0       0          0
dummy0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0: 7319863   17131 1410    0    0  1410          0         0  2506629   15616   29    0    0   104      29          0
  eth1: 2037144   13162    0    0    0     0          0         0  7316570   14264    0    0    0     0       1          0
ipsec0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ proc/net/route
+
+ cat /proc/net/route
Iface   Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
ipsec0  0102A8C0    0102A8C0 0007  0      0   0      FFFFFFFF 40  0      0
eth1    0003A8C0    00000000 0001  0      0   0      00FFFFFF 40  0      0
eth0    0002A8C0    00000000 0001  0      0   0      00FFFFFF 40  0      0
ipsec0  0002A8C0    00000000 0001  0      0   0      00FFFFFF 40  0      0
eth0    00000000    FE02A8C0 0003  0      0   0      00000000 40  0      0
+ _________________________ proc/sys/net/ipv4/ip_forward
+
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+
+ cd /proc/sys/net/ipv4/conf
+ egrep ^ all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:1
eth1/rp_filter:0
ipsec0/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+
+ uname -a
Linux beringfirewall 2.4.18 #6 Sun Oct 20 15:06:22 CEST 2002 i586 unknown
+ _________________________ redhat-release
+
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.98b
+ _________________________ iptables/list
+
+ iptables -L -v -n
Chain INPUT (policy DROP 2 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source               destination
  337 49724 ACCEPT     ah   --  lo     *       0.0.0.0/0            0.0.0.0/0
 2699  143K eth0_in    ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0
   56 13692 eth1_in    ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ipsec0_in  ah   --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       192.168.2.1          192.168.3.0/24
    0     0 ACCEPT     ah   --  *      *       192.168.3.0/24       192.168.2.1
    0     0 ACCEPT     ah   --  *      *       192.168.2.1          192.168.3.0/24
    0     0 ACCEPT     ah   --  *      *       192.168.3.0/24       192.168.2.1
14064 7111K eth0_fwd   ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0
12555 1805K eth1_fwd   ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ipsec0_fwd ah   --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0  state INVALID
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0  udp dpts:67:68
  337 49724 ACCEPT     ah   --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW,RELATED,ESTABLISHED
 2521  657K fw2net     ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0
    6   904 fw2gw      ah   --  *      ipsec0  0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain all2all (8 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp flags:!0x16/0x02
   56 13692 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state INVALID
   56 13692 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp dpt:1900
    0     0 DROP       ah   --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       ah   --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  tcp dpt:113
  109  7332 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp spt:53 state NEW
    0     0 DROP       ah   --  *      *       0.0.0.0/0            192.168.2.255
    0     0 DROP       ah   --  *      *       0.0.0.0/0            192.168.3.255
Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination
Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
14064 7111K dynamic    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
14064 7111K net2loc    ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 net2all    ah   --  *      ipsec0  0.0.0.0/0            0.0.0.0/0
Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2699  143K dynamic    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp dpts:67:68
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0  icmp type 8
 2699  143K net2fw     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
12555 1805K dynamic    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
12555 1805K loc2net    ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 loc2gw     ah   --  *      ipsec0  0.0.0.0/0            0.0.0.0/0
Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   56 13692 dynamic    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0  icmp type 8
   56 13692 loc2fw     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain fw2gw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   904 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp spt:500 dpt:500 state NEW
    0     0 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2410  650K ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     51   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp spt:500 dpt:500 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp dpt:53
  111  7188 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW udp dpt:53
    0     0 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain gw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp flags:!0x16/0x02
    0     0 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0  icmp type 8
Chain ipsec0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 all2all    ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 gw2loc     ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0
Chain ipsec0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0  icmp type 8
    0     0 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp dpt:80
   56 13692 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain loc2gw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp flags:!0x16/0x02
    0     0 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
12319 1746K ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp flags:!0x16/0x02
  236 58491 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp flags:!0x16/0x02
  109  7332 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
    0     0 DROP       ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2559  130K ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  state RELATED,ESTABLISHED
    1    40 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     51   --  *      *       0.0.0.0/0            0.0.0.0/0
   27  5664 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp spt:500 dpt:500 state NEW
    3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp dpt:80
  109  7332 net2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
14014 7107K ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.3.1  state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.3.2  state NEW tcp dpt:22
   48  4212 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.3.2  state NEW udp dpt:137
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.3.2  state NEW tcp dpt:137
    1   247 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.3.2  state NEW udp dpt:138
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.3.2  state NEW tcp dpt:138
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.3.2  state NEW udp dpt:139
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.3.2  state NEW tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.3.3  state NEW tcp dpt:3389
    0     0 net2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain newnotsyn (10 references)
 pkts bytes target     prot opt in     out     source               destination
    1    40 DROP       ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain reject (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  reject-with tcp-reset
    0     0 REJECT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0  reject-with icmp-port-unreachable
Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ ipchains/list
+
+ ipchains -L -v -n
ipchains: not found
+ _________________________ ipfwadm/forward
+
+ ipfwadm -F -l -n -e
ipfwadm: not found
+ _________________________ ipfwadm/input
+
+ ipfwadm -I -l -n -e
ipfwadm: not found
+ _________________________ ipfwadm/output
+
+ ipfwadm -O -l -n -e
ipfwadm: not found
+ _________________________ iptables/nat
+
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 420 packets, 82317 bytes)
 pkts bytes target     prot opt in     out     source               destination
  240 22942 net_dnat   ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 116 packets, 8759 bytes)
 pkts bytes target     prot opt in     out     source               destination
  269 60631 eth0_masq  ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 66 packets, 4252 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
  236 58491 MASQUERADE ah   --  *      *       192.168.3.0/24       0.0.0.0/0
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  tcp dpt:24 to:192.168.3.1:22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  tcp dpt:26 to:192.168.3.2:22
   90  7488 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp dpt:137 to:192.168.3.2:137
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  tcp dpt:137 to:192.168.3.2:137
   26  6214 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp dpt:138 to:192.168.3.2:138
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  tcp dpt:138 to:192.168.3.2:138
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0  udp dpt:139 to:192.168.3.2:139
    1    48 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  tcp dpt:139 to:192.168.3.2:139
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  tcp dpt:3389 to:192.168.3.3:3389
+ _________________________ ipchains/masq
+
+ ipchains -M -L -v -n
ipchains: not found
+ _________________________ ipfwadm/masq
+
+ ipfwadm -M -l -n -e
ipfwadm: not found
+ _________________________ iptables/mangle
+
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 29810 packets, 9135K bytes)
 pkts bytes target     prot opt in     out     source               destination
29778 9131K pretos     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain INPUT (policy ACCEPT 3122 packets, 209K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 26619 packets, 8916K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 2898 packets, 711K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2864  708K outtos     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 29517 packets, 9627K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
 2396  648K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2548  127K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
   13   778 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
   13  1098 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08
+ _________________________ proc/modules
+
+ cat /proc/modules
ipsec 133648 2
ip_nat_irc 2400 0 (unused)
ip_nat_ftp 3008 0 (unused)
ip_conntrack_irc 3104 1
ip_conntrack_ftp 3840 1
eepro 13000 2
airo 33400 1
ide-probe-mod 7520 0
ide-disk 6560 0
ide-mod 50948 0 [ide-probe-mod ide-disk]
+ _________________________ proc/meminfo
+
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 31248384 10469376 20779008 0 98304 5607424
Swap: 0 0 0
MemTotal: 30516 kB
MemFree: 20292 kB
MemShared: 0 kB
Buffers: 96 kB
Cached: 5476 kB
SwapCached: 0 kB
Active: 0 kB
Inactive: 7284 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 30516 kB
LowFree: 20292 kB
SwapTotal: 0 kB
SwapFree: 0 kB
+ _________________________ dev/ipsec-ls
+
+ ls -l /dev/ipsec*
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r-- 1 root wheel 0 Nov 16 23:17 /proc/net/ipsec_eroute
-r--r--r-- 1 root wheel 0 Nov 16 23:17 /proc/net/ipsec_spi
-r--r--r-- 1 root wheel 0 Nov 16 23:17 /proc/net/ipsec_spigrp
-r--r--r-- 1 root wheel 0 Nov 16 23:17 /proc/net/ipsec_tncfg
-r--r--r-- 1 root wheel 0 Nov 16 23:17 /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+
+ test -f /usr/src/linux/.config
+ _________________________ etc/syslog.conf
+
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# Log everything remotely. The other machine must run syslog with '-r'.
# WARNING: Doing this is unsecure and can open you up to a DoS attack.
#
#*.* @host.ip.address-or-name.here
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#cron.* /var/log/cron.log
#lpr.* -/var/log/lpr.log
#mail.* /var/log/mail.log
#user.* -/var/log/user.log
#uucp.* -/var/log/uucp.log
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#ppp
local2.* -/var/log/ppp.log
#portslave
local6.* -/var/log/pslave.log
+ _________________________ etc/resolv.conf
+
+ cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 192.168.1.254
+ _________________________ lib/modules-ls
+
+ ls -ltr /lib/modules
-rw-r--r-- 1 root root 6744 Oct 20 16:12 slhc.o
-rw-r--r-- 1 root root 3636 Oct 20 16:12 pppox.o
-rw-r--r-- 1 root root 11732 Oct 20 16:12 pppoe.o
-rw-r--r-- 1 root root 7908 Oct 20 16:12 ppp_synctty.o
-rw-r--r-- 1 root root 22352 Oct 20 16:12 ppp_mppe.o
-rw-r--r-- 1 root root 23712 Oct 20 16:12 ppp_generic.o
-rw-r--r-- 1 root root 39424 Oct 20 16:12 ppp_deflate.o
-rw-r--r-- 1 root root 9948 Oct 20 16:12 ppp_async.o
-rw-r--r-- 1 root root 8516 Oct 20 16:12 ne2k-pci.o
-rw-r--r-- 1 root root 9816 Oct 20 16:12 n_hdlc.o
-rw-r--r-- 1 root root 4200 Oct 20 16:12 ip_nat_irc.o
-rw-r--r-- 1 root root 4748 Oct 20 16:12 ip_nat_ftp.o
-rw-r--r-- 1 root root 5716 Oct 20 16:12 ip_conntrack_irc.o
-rw-r--r-- 1 root root 5936 Oct 20 16:12 ip_conntrack_ftp.o
-rw-r--r-- 1 root root 26328 Oct 20 16:12 eepro100.o
-rw-r--r-- 1 root root 8872 Oct 20 16:12 8390.o
-rw-r--r-- 1 root root 36120 Oct 20 16:12 3c59x.o
-rwxr-xr-x 1 root root 46140 Nov 6 23:01 airo.o
-rw-r--r-- 1 root root 8144 Nov 6 23:01 ne.o
-rwxr-xr-x 1 root root 165214 Nov 10 21:19 ipsec.o
-rwxr-xr-x 1 root root 15976 Nov 11 21:47 eepro.o
lrwxrwxrwx 1 root root 12 Nov 16 17:30 2.4.18 -> /lib/modules
+ _________________________ proc/ksyms-netif_rx
+
+ egrep netif_rx /proc/ksyms
c018d710 netif_rx
+ _________________________ lib/modules-netif_rx
+
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.18:
+ _________________________ kern.debug
+
+ test -f /var/log/kern.debug
+ _________________________ klog
+
+ sed -n 210,$p /var/log/syslog
+ egrep -i ipsec|klips|pluto
+ cat
Nov 16 23:02:36 beringfirewall ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
Nov 16 23:02:36 beringfirewall ipsec_setup: Using /lib/modules/ipsec.o
Nov 16 23:02:37 beringfirewall ipsec_setup: KLIPS ipsec0 on eth0 192.168.2.253/24 broadcast 192.168.2.255
Nov 16 23:02:37 beringfirewall ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
Nov 16 23:02:37 beringfirewall ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
Nov 16 23:02:37 beringfirewall ipsec_setup: ...FreeS/WAN IPsec started
+ _________________________ plog
+
+ sed -n 224,$p /var/log/auth.log
+ egrep -i pluto
+ cat
Nov 16 23:02:37 beringfirewall ipsec__plutorun: Starting Pluto subsystem...
Nov 16 23:02:37 beringfirewall pluto[7363]: Starting Pluto (FreeS/WAN Version 1.98b)
Nov 16 23:02:38 beringfirewall pluto[7363]: added connection description "w2k-road-warriors"
Nov 16 23:02:38 beringfirewall pluto[7363]: listening for IKE messages
Nov 16 23:02:38 beringfirewall pluto[7363]: adding interface ipsec0/eth0 192.168.2.253
Nov 16 23:02:38 beringfirewall pluto[7363]: loading secrets from "/etc/ipsec.secrets"
Nov 16 23:03:50 beringfirewall pluto[7363]: packet from 192.168.2.1:500: ignoring Vendor ID payload
Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: responding to Main Mode from unknown peer 192.168.2.1
Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: sent MR3, ISAKMP SA established
Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: responding to Quick Mode
Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: IPsec SA established
Nov 16 23:04:54 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: ignoring Delete SA payload
Nov 16 23:04:54 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: received and ignored informational message
Nov 16 23:09:24 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: ignoring Delete SA payload
Nov 16 23:09:24 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: received and ignored informational message
+ _________________________ date
+
+ date
Sat Nov 16 23:17:06 UTC 2002
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html