[rhn-users] ipsec__plutorun: ...could not start conn "test"
Mark Lindsay
mark at IceraSemi.com
Mon Jun 21 10:56:10 UTC 2004
Hi Folks,
I've been trying to get freeswan to work for me for a few weeks now. I've
looked at lots of documentation and Q/As, but I still cannot get it to
work.
I have 2 RedHat 9.0 boxes with the ncftpget freeswan 2.06 rpms on them,
with shared keys.
I get the "Ipsec SA established" messages when I run `ipsec auto --up
test`, but I cannot ping between the two networks.
I see the message `ipsec__plutorun: ...could not start conn "test"` in
the log file, so why do I get the SA established message?
This is driving me crazy. Can any of you kind people help me, please,
please?
I have included the output from "ipsec barf" from one of the machines.
gateway1
Mon Jun 21 10:39:56 BST 2004
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 2.06
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version cat /proc/version
Linux version 2.4.20-8 (bhcompile at stripples.devel.redhat.com) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 Thu Mar 13 17:18:24 EST 2003
+ _________________________ proc/net/ipsec_eroute sort -sg +3 /proc/net/ipsec_eroute
0 192.168.1.0/24 -> 192.168.6.0/24 => tun0x100a at 217.46.146.28
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.6.0     217.46.146.30   255.255.255.0   UG      0 0         0 ipsec0
217.46.146.0    0.0.0.0         255.255.255.0   U       0 0         0 eth0
217.46.146.0    0.0.0.0         255.255.255.0   U       0 0         0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U       0 0         0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U       0 0         0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U       0 0         0 lo
0.0.0.0         217.46.146.30   0.0.0.0         UG      0 0         0 eth0
+ _________________________ proc/net/ipsec_spi cat /proc/net/ipsec_spi
tun0x100a at 217.46.146.28 IPIP: dir=out src=217.46.146.27 life(c,s,h)=addtime(44,0,0) refcount=4 ref=58
tun0x1009 at 217.46.146.27 IPIP: dir=in src=217.46.146.28 policy=192.168.6.0/24->192.168.1.0/24 flags=0x8<> life(c,s,h)=addtime(44,0,0) refcount=4 ref=53
esp0x12c6d746 at 217.46.146.28 ESP_3DES_HMAC_MD5: dir=out src=217.46.146.27 iv_bits=64bits iv=0x79e10942acd8c3c2 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(44,0,0) refcount=4 ref=59
esp0xe27805fd at 217.46.146.27 ESP_3DES_HMAC_MD5: dir=in src=217.46.146.28 iv_bits=64bits iv=0x56bd8063ca7e382c ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(44,0,0) refcount=4 ref=54
+ _________________________ proc/net/ipsec_spigrp cat /proc/net/ipsec_spigrp
tun0x100a at 217.46.146.28 esp0x12c6d746 at 217.46.146.28
tun0x1009 at 217.46.146.27 esp0xe27805fd at 217.46.146.27
+ _________________________ proc/net/ipsec_tncfg cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type
St
c9849ac0 4883 cc929c14 0 2 65535 00000000 3 1
+ _________________________ proc/net/pf_key-star cd /proc/net egrep '^'
+ pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 3 cc929c14 4883 c9849ac0
pf_key_registered: 9 cc929c14 4883 c9849ac0
pf_key_registered: 10 cc929c14 4883 c9849ac0
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 4 0 128 128
pf_key_supported: 9 15 3 0 32 128
pf_key_supported: 9 15 2 0 128 32
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star cd
+ /proc/sys/net/ipsec egrep '^' debug_eroute debug_esp debug_ipcomp
+ debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel
+ debug_verbose debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status ipsec auto --status
000 interface ipsec0/eth0 217.46.146.27
000 %myid = (none)
000 debug none
000
000 "test": 192.168.1.0/24===217.46.146.27---217.46.146.30...217.46.146.30---217.46.146.28===192.168.6.0/24; erouted; eroute owner: #15
000 "test":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test":   policy: RSASIG+ENCRYPT+PFS+UP; prio: 24,24; interface: eth0;
000 "test":   newest ISAKMP SA: #14; newest IPsec SA: #15;
000
000 #15: "test" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28485s; newest IPSEC; eroute owner
000 #15: "test" esp.12c6d746 at 217.46.146.28 esp.e27805fd at 217.46.146.27 tun.100a at 217.46.146.28 tun.1009 at 217.46.146.27
000 #14: "test" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3285s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:50:BF:79:7A:B4
inet addr:217.46.146.27 Bcast:217.46.146.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15664 errors:0 dropped:0 overruns:0 frame:0
TX packets:15739 errors:2 dropped:0 overruns:0 carrier:2
collisions:0 txqueuelen:100
RX bytes:1505273 (1.4 Mb) TX bytes:1331157 (1.2 Mb)
Interrupt:5 Base address:0xa000
eth1 Link encap:Ethernet HWaddr 00:50:BF:79:7A:D7
inet addr:192.168.1.13 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10610 errors:0 dropped:0 overruns:0 frame:0
TX packets:2221 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1422597 (1.3 Mb) TX bytes:358816 (350.4 Kb)
Interrupt:9 Base address:0xc000
ipsec0 Link encap:Ethernet HWaddr 00:50:BF:79:7A:B4
inet addr:217.46.146.27 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:17312 errors:0 dropped:0 overruns:0 frame:0
TX packets:17312 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1182041 (1.1 Mb) TX bytes:1182041 (1.1 Mb)
+ _________________________ ipsec_verify ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux FreeS/WAN 2.06
Checking for IPsec kernel support: found KLIPS                  [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking tun0x100a at 217.46.146.28 from 192.168.1.0/24 to 192.168.6.0/24   [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward map: gateway1                        [MISSING]
Does the machine have at least one non-private address?         [OK]
Looking for TXT in reverse map: 27.146.46.217.in-addr.arpa.     [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
no MII interfaces found
+ _________________________ ipsec/directory ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn hostname --fqdn
gateway1
+ _________________________ hostname/ipaddress hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
10:39:57 up 39 min, 5 users, load average: 0.18, 0.04, 0.01
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY   TIME COMMAND
0     0  5351  4583  25   0  4144 1080 -      R    pts/2 0:00 |   \_ /bin/sh /usr/local/libexec/ipsec/barf
1     0  4881     1  25   0  2108 1028 wait4  S    pts/2 0:00 /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --crlcheckinterval 0 --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
1     0  4882  4881  25   0  2112 1048 wait4  S    pts/2 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --crlcheckinterval 0 --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4     0  4883  4882  15   0  2072  984 schedu S    pts/2 0:00 |   \_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --policygroupsdir /etc/ipsec.d/policies --uniqueids
0     0  4897  4883  25   0  1420  256 schedu S    pts/2 0:00 |       \_ _pluto_adns
0     0  4884  4881  25   0  2092 1020 pipe_w S    pts/2 0:00 \_ /bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0     0  4885     1  25   0  1360  460 pipe_w S    pts/2 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=217.46.146.27
routenexthop=217.46.146.30
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/examples
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
#config setup
#myid=@gateway1
#interfaces=%defaultroute
#interfaces="ipsec0=eth0"
#Debug-logging controls: "none" for (almost) none, "all" for lots.
#klipsdebug=all
#plutodebug=all
#uniqueids=yes
conn test
#keyingtries=0
#ikelifetime=1h
#keylife=1h
#type=tunnel
#authby=secret #key exchange method
# Left security gateway, subnet behind it, next hop toward right.
left=217.46.146.27
leftsubnet=192.168.1.0/24
#leftid=@icerasemi1.ath.cx
#leftid=gateway1
leftrsasigkey=[keyid AQOxac/G/]
leftnexthop=%defaultroute
#leftnexthop=217.46.146.30
#leftid=217.46.146.27
# Right security gateway, subnet behind it, next hop toward left.
right=217.46.146.28
rightsubnet=192.168.6.0/24
#rightid=@icearsemi2.ath.cx
#rightid=gateway2
rightrsasigkey=[keyid AQOxac/G/]
rightnexthop=%defaultroute
#rightnexthop=217.46.146.30
#rightid=217.46.146.28
#rightid=@fred2
# To authorize this connection, but not actually start it, at startup,
# uncomment this.
auto=start
#To disable OE DNS
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
+ _________________________ ipsec/secrets ipsec _include /etc/ipsec.secrets ipsec _secretcensor
#< /etc/ipsec.secrets 1
217.46.146.27 217.46.146.28 : PSK "[sums to 6a95...]"
#217.46.146.28 217.46.146.27 : PSK "[sums to 6a95...]"
#gateway1.icerasemi.com gateway2.icerasemi.com : PSK "[sums to 6a95...]"
#gateway2.icerasemi.com gateway1.icerasemi.com : PSK "[sums to 6a95...]"
#@gateway1.icerasemi.com @gateway2.icerasemi.com : PSK "[sums to 6a95...]"
#@gateway2.icerasemi.com @gateway1.icerasemi.com : PSK "[sums to 6a95...]"
#217.46.146.28 217.46.146.27 : PSK "[sums to 44d5...]"
#217.46.146.27 : PSK "[sums to 6a95...]"
#217.46.146.28 : PSK "[sums to 44d5...]"
: RSA {
# RSA 2752 bits gateway1 Tue Jun 15 11:14:04 2004
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQOxac/G/]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block cat
+ /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: block.in,v 1.5 2003/12/21 22:48:52 dhr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear cat
+ /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private cat
+ /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private cat
+ /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear cat
+ /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.6 2003/12/21 22:48:52 dhr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir ls -l /usr/local/lib/ipsec
total 200
-rwxr-xr-x 1 root root 14950 Apr 18 03:40 _confread
-rwxr-xr-x 1 root root 48687 Apr 18 03:40 _copyright
-rwxr-xr-x 1 root root 2379 Apr 18 03:40 _include
-rwxr-xr-x 1 root root 1475 Apr 18 03:40 _keycensor
-rwxr-xr-x 1 root root 69669 Apr 18 03:40 _pluto_adns
-rwxr-xr-x 1 root root 3586 Apr 18 03:40 _plutoload
-rwxr-xr-x 1 root root 5823 Apr 18 03:40 _plutorun
-rwxr-xr-x 1 root root 9910 Apr 18 03:40 _realsetup
-rwxr-xr-x 1 root root 1975 Apr 18 03:40 _secretcensor
-rwxr-xr-x 1 root root 8272 Apr 18 03:40 _startklips
-rwxr-xr-x 1 root root 7957 Apr 18 03:40 _updown
-rwxr-xr-x 1 root root 1942 Apr 18 03:40 ipsec_pr.template
+ _________________________ ipsec/ls-execdir ls -l
+ /usr/local/libexec/ipsec
total 3028
-rwxr-xr-x 1 root root 11950 Apr 18 03:40 auto
-rwxr-xr-x 1 root root 8591 Apr 18 03:40 barf
-rwxr-xr-x 1 root root 816 Apr 18 03:40 calcgoo
-rwxr-xr-x 1 root root 309449 Apr 18 03:40 eroute
-rwxr-xr-x 1 root root 179978 Apr 18 03:40 klipsdebug
-rwxr-xr-x 1 root root 2449 Apr 18 03:40 look
-rwxr-xr-x 1 root root 7132 Apr 18 03:40 mailkey
-rwxr-xr-x 1 root root 14807 Apr 18 03:40 manual
-rwxr-xr-x 1 root root 1898 Apr 18 03:40 newhostkey
-rwxr-xr-x 1 root root 161531 Apr 18 03:40 pf_key
-rwxr-xr-x 1 root root 1292921 Apr 18 03:40 pluto
-rwxr-xr-x 1 root root 53881 Apr 18 03:40 ranbits
-rwxr-xr-x 1 root root 104581 Apr 18 03:40 rsasigkey
-rwxr-xr-x 1 root root 17602 Apr 18 03:40 send-pr
lrwxrwxrwx 1 root root 22 Jun 15 11:13 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Apr 18 03:40 showdefaults
-rwxr-xr-x 1 root root 4489 Apr 18 03:40 showhostkey
-rwxr-xr-x 1 root root 320485 Apr 18 03:40 spi
-rwxr-xr-x 1 root root 252090 Apr 18 03:40 spigrp
-rwxr-xr-x 1 root root 52253 Apr 18 03:40 tncfg
-rwxr-xr-x 1 root root 10366 Apr 18 03:40 verify
-rwxr-xr-x 1 root root 207849 Apr 18 03:40 whack
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1182041   17312    0    0    0     0          0         0  1182041   17312    0    0    0     0       0          0
  eth0: 1505943   15671    0    0    0     0          0         0  1331379   15742    2    0    0     0       2          0
  eth1: 1422657   10611    0    0    0     0          0         0   358816    2221    0    0    0     0       0          0
ipsec0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ proc/net/route cat /proc/net/route
Iface   Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
ipsec0  0006A8C0    1E922ED9 0003  0      0   0      00FFFFFF 0   0      0
eth0    00922ED9    00000000 0001  0      0   0      00FFFFFF 0   0      0
ipsec0  00922ED9    00000000 0001  0      0   0      00FFFFFF 0   0      0
eth1    0001A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0
eth1    0000FEA9    00000000 0001  0      0   0      0000FFFF 0   0      0
lo      0000007F    00000000 0001  0      0   0      000000FF 0   0      0
eth0    00000000    1E922ED9 0003  0      0   0      00000000 0   0      0
+ _________________________ proc/sys/net/ipv4/ip_forward cat
+ /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter
+ eth1/rp_filter ipsec0/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:0
eth1/rp_filter:1
ipsec0/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux gateway1 2.4.20-8 #1 Thu Mar 13 17:18:24 EST 2003 i686 athlon i386 GNU/Linux
+ _________________________ redhat-release test -r /etc/redhat-release
+ cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
+ _________________________ proc/net/ipsec_version cat
+ /proc/net/ipsec_version
FreeS/WAN version: 2.06
+ _________________________ iptables/list iptables -L -v -n
Chain INPUT (policy ACCEPT 7902 packets, 794K bytes)
 pkts bytes target     prot opt in     out     source               destination
   39  9068 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
    0     0 ACCEPT     22   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 28 packets, 1872 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ipsec+ eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   ipsec+  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ipsec+ eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   ipsec+  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 7506 packets, 659K bytes)
 pkts bytes target     prot opt in     out     source               destination
   39 10316 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
    0     0 ACCEPT     22   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
+ _________________________ ipchains/list ipchains -L -v -n
ipchains: Incompatible with this kernel
+ _________________________ ipfwadm/forward ipfwadm -F -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipfwadm/input ipfwadm -I -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipfwadm/output ipfwadm -O -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ iptables/nat iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 150 packets, 50919 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 135 packets, 8228 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth0    192.168.1.0/24      !192.168.6.0/24
Chain OUTPUT (policy ACCEPT 119 packets, 7166 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ ipchains/masq ipchains -M -L -v -n
ipchains: cannot open file `/proc/net/ip_masquerade'
+ _________________________ ipfwadm/masq ipfwadm -M -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ iptables/mangle iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 130 packets, 11131 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 130 packets, 11131 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 150 packets, 25862 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 150 packets, 25862 bytes)
 pkts bytes target     prot opt in     out     source               destination
+ _________________________ proc/modules cat /proc/modules
iptable_mangle 2776 0 (autoclean) (unused)
ipsec 269152 3
ide-cd 35196 0 (autoclean)
cdrom 33472 0 (autoclean) [ide-cd]
r128 87288 1
parport_pc 18756 1 (autoclean)
lp 8868 0 (autoclean)
parport 36480 1 (autoclean) [parport_pc lp]
autofs 12948 0 (autoclean) (unused)
ipt_MASQUERADE 2168 1 (autoclean)
ipt_state 1048 1 (autoclean)
ip_nat_ftp 4048 0 (unused)
iptable_nat 21208 2 [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack_irc 4080 0 (unused)
ip_conntrack_ftp 5232 1
ip_conntrack 26528 4 [ipt_MASQUERADE ipt_state ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter 2380 1 (autoclean)
ip_tables 14648 7 [iptable_mangle ipt_MASQUERADE ipt_state iptable_nat iptable_filter]
tulip 43648 2
keybdev 2880 0 (unused)
mousedev 5428 1
hid 21700 0 (unused)
input 5792 0 [keybdev mousedev hid]
ehci-hcd 19592 0 (unused)
usb-ohci 21160 0 (unused)
usbcore 77696 1 [hid ehci-hcd usb-ohci]
ext3 69984 2
jbd 51220 2 [ext3]
+ _________________________ proc/meminfo cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 261435392 241098752 20336640 0 20992000 113434624
Swap: 534634496 0 534634496
MemTotal: 255308 kB
MemFree: 19860 kB
MemShared: 0 kB
Buffers: 20500 kB
Cached: 110776 kB
SwapCached: 0 kB
Active: 171544 kB
ActiveAnon: 71204 kB
ActiveCache: 100340 kB
Inact_dirty: 25952 kB
Inact_laundry: 0 kB
Inact_clean: 5740 kB
Inact_target: 40644 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 255308 kB
LowFree: 19860 kB
SwapTotal: 522104 kB
SwapFree: 522104 kB
+ _________________________ dev/ipsec-ls ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls ls -l
+ /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi
+ /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Jun 21 10:39 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Jun 21 10:39 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Jun 21 10:39 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Jun 21 10:39 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Jun 21 10:39 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Jun 21 10:39 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config test -f /usr/src/linux/.config
+ _________________________ etc/syslog.conf cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
+ _________________________ etc/resolv.conf cat /etc/resolv.conf
#nameserver 217.46.146.25
nameserver 213.120.62.97
nameserver 213.120.62.101
nameserver 69.90.16.102
+ _________________________ lib/modules-ls ls -ltr /lib/modules
total 8
drwxr-xr-x 3 root root 4096 Jun 15 09:43 2.4.20-8
drwxr-xr-x 4 root root 4096 Jun 18 15:23 2.4.20-8custom
+ _________________________ proc/ksyms-netif_rx egrep netif_rx
+ /proc/ksyms
c01ee40c netif_rx_R9dc1cecd
+ _________________________ lib/modules-netif_rx modulegoo
+ kernel/net/ipv4/ipip.o netif_rx set +x
2.4.20-8: U netif_rx_R9dc1cecd
2.4.20-8custom:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '390,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Jun 21 10:27:35 gateway1 ipsec_setup: Starting FreeS/WAN IPsec 2.06...
Jun 21 10:27:35 gateway1 kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 2.06
Jun 21 10:27:35 gateway1 /etc/hotplug/net.agent: invoke ifup ipsec0
Jun 21 10:27:35 gateway1 ipsec_setup: Using /lib/modules/2.4.20-8/kernel/net/ipsec/ipsec.o
Jun 21 10:27:36 gateway1 /etc/hotplug/net.agent: invoke ifup ipsec2
Jun 21 10:27:36 gateway1 /etc/hotplug/net.agent: invoke ifup ipsec1
Jun 21 10:27:36 gateway1 ipsec_setup: KLIPS debug `none'
Jun 21 10:27:36 gateway1 /etc/hotplug/net.agent: invoke ifup ipsec3
Jun 21 10:27:36 gateway1 ipsec_setup: KLIPS ipsec0 on eth0 217.46.146.27/255.255.255.0 broadcast 217.46.146.255
Jun 21 10:27:36 gateway1 ipsec_setup: ...FreeS/WAN IPsec started
Jun 21 10:27:36 gateway1 ipsec__plutorun: 104 "test" #1: STATE_MAIN_I1: initiate
Jun 21 10:27:36 gateway1 ipsec__plutorun: ...could not start conn "test"
+ _________________________ plog
+ sed -n '14472,$p' /var/log/secure
+ egrep -i pluto
+ cat
Jun 21 10:27:36 gateway1 ipsec__plutorun: Starting Pluto subsystem...
Jun 21 10:27:36 gateway1 pluto[4883]: Starting Pluto (FreeS/WAN Version 2.06 PLUTO_USES_KEYRR)
Jun 21 10:27:36 gateway1 pluto[4883]: Using KLIPS IPsec interface code
Jun 21 10:27:36 gateway1 pluto[4883]: added connection description "test"
Jun 21 10:27:36 gateway1 pluto[4883]: listening for IKE messages
Jun 21 10:27:36 gateway1 pluto[4883]: adding interface ipsec0/eth0 217.46.146.27
Jun 21 10:27:36 gateway1 pluto[4883]: loading secrets from "/etc/ipsec.secrets"
Jun 21 10:27:36 gateway1 pluto[4883]: "test" #1: initiating Main Mode
Jun 21 10:27:46 gateway1 pluto[4883]: "test" #1: discarding duplicate packet; already STATE_MAIN_I3
Jun 21 10:28:05 gateway1 pluto[4883]: "test" #1: discarding duplicate packet; already STATE_MAIN_I3
Jun 21 10:28:46 gateway1 pluto[4883]: "test" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Jun 21 10:28:46 gateway1 pluto[4883]: "test" #1: starting keying attempt 2 of an unlimited number
Jun 21 10:28:46 gateway1 pluto[4883]: "test" #2: initiating Main Mode to replace #1
Jun 21 10:28:56 gateway1 pluto[4883]: "test" #2: discarding duplicate packet; already STATE_MAIN_I3
Jun 21 10:29:17 gateway1 pluto[4883]: "test" #2: discarding duplicate packet; already STATE_MAIN_I3
Jun 21 10:29:56 gateway1 pluto[4883]: "test" #2: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Jun 21 10:29:56 gateway1 pluto[4883]: "test" #2: starting keying attempt 3 of an unlimited number
Jun 21 10:29:56 gateway1 pluto[4883]: "test" #3: initiating Main Mode to replace #2
Jun 21 10:30:06 gateway1 pluto[4883]: "test" #3: discarding duplicate packet; already STATE_MAIN_I3
Jun 21 10:30:26 gateway1 pluto[4883]: ERROR: "test" #3: sendto on eth0 to 217.46.146.28:500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Jun 21 10:31:06 gateway1 pluto[4883]: "test" #3: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Jun 21 10:31:06 gateway1 pluto[4883]: "test" #3: starting keying attempt 4 of an unlimited number
Jun 21 10:31:06 gateway1 pluto[4883]: "test" #4: initiating Main Mode to replace #3
Jun 21 10:31:15 gateway1 pluto[4883]: "test" #4: discarding duplicate packet; already STATE_MAIN_I3
Jun 21 10:31:36 gateway1 pluto[4883]: "test" #4: discarding duplicate packet; already STATE_MAIN_I3
Jun 21 10:32:16 gateway1 pluto[4883]: "test" #4: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Jun 21 10:32:16 gateway1 pluto[4883]: "test" #4: starting keying attempt 5 of an unlimited number
Jun 21 10:32:16 gateway1 pluto[4883]: "test" #5: initiating Main Mode to replace #4
Jun 21 10:32:26 gateway1 pluto[4883]: "test" #5: discarding duplicate packet; already STATE_MAIN_I3
Jun 21 10:32:43 gateway1 pluto[4883]: "test" #6: responding to Main Mode
Jun 21 10:32:43 gateway1 pluto[4883]: "test" #6: sent MR3, ISAKMP SA established
Jun 21 10:32:43 gateway1 pluto[4883]: "test" #7: responding to Quick Mode
Jun 21 10:32:43 gateway1 pluto[4883]: "test" #7: IPsec SA established {ESP=>0x9187729a <0xe27805f9}
Jun 21 10:33:26 gateway1 pluto[4883]: "test" #5: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Jun 21 10:33:26 gateway1 pluto[4883]: "test" #5: starting keying attempt 6 of an unlimited number
Jun 21 10:33:26 gateway1 pluto[4883]: "test" #8: initiating Main Mode to replace #5
Jun 21 10:33:26 gateway1 pluto[4883]: "test" #8: ISAKMP SA established
Jun 21 10:33:26 gateway1 pluto[4883]: "test" #9: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP {using isakmp#8}
Jun 21 10:33:26 gateway1 pluto[4883]: "test" #9: sent QI2, IPsec SA established {ESP=>0x9187729b <0xe27805fa}
Jun 21 10:37:10 gateway1 pluto[4883]: "test" #8: received Delete SA payload: replace IPSEC State #9 in 10 seconds
Jun 21 10:37:10 gateway1 pluto[4883]: "test" #8: received Delete SA(0x9187729a) payload: deleting IPSEC State #7
Jun 21 10:37:10 gateway1 pluto[4883]: "test" #8: received Delete SA payload: deleting ISAKMP State #8
Jun 21 10:37:10 gateway1 pluto[4883]: "test" #6: received Delete SA payload: deleting ISAKMP State #6
Jun 21 10:37:12 gateway1 pluto[4883]: "test" #10: responding to Main Mode
Jun 21 10:37:13 gateway1 pluto[4883]: "test" #10: sent MR3, ISAKMP SA established
Jun 21 10:37:13 gateway1 pluto[4883]: "test" #11: responding to Quick Mode
Jun 21 10:37:13 gateway1 pluto[4883]: "test" #11: IPsec SA established {ESP=>0x0d7931ec <0xe27805fb}
Jun 21 10:37:30 gateway1 pluto[4883]: "test" #10: received Delete SA payload: replace IPSEC State #11 in 10 seconds
Jun 21 10:37:30 gateway1 pluto[4883]: "test" #10: received Delete SA payload: deleting ISAKMP State #10
Jun 21 10:37:32 gateway1 pluto[4883]: "test" #12: responding to Main Mode
Jun 21 10:37:32 gateway1 pluto[4883]: "test" #12: sent MR3, ISAKMP SA established
Jun 21 10:37:32 gateway1 pluto[4883]: "test" #13: responding to Quick Mode
Jun 21 10:37:32 gateway1 pluto[4883]: "test" #13: IPsec SA established {ESP=>0x544dc3d7 <0xe27805fc}
Jun 21 10:39:09 gateway1 pluto[4883]: "test" #12: received Delete SA payload: replace IPSEC State #13 in 10 seconds
Jun 21 10:39:09 gateway1 pluto[4883]: "test" #12: received Delete SA payload: deleting ISAKMP State #12
Jun 21 10:39:12 gateway1 pluto[4883]: "test" #14: responding to Main Mode
Jun 21 10:39:12 gateway1 pluto[4883]: "test" #14: sent MR3, ISAKMP SA established
Jun 21 10:39:12 gateway1 pluto[4883]: "test" #15: responding to Quick Mode
Jun 21 10:39:12 gateway1 pluto[4883]: "test" #15: IPsec SA established {ESP=>0x12c6d746 <0xe27805fd}
+ _________________________ date
+ date
Mon Jun 21 10:39:57 BST 2004
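As an added example (not code from the post or from FreeS/WAN), the following Python triage script reads pluto log lines in the format shown above, separates negotiations this host initiated from those the peer initiated, and checks a conn block against ipsec.secrets. It assumes FreeS/WAN 2.x authenticates with rsasig when authby is unset (the status output above reports policy RSASIG with authby commented out); the sample log, ipsec.conf and ipsec.secrets inside it are constructed to mirror the post, with placeholder key material.

```python
# Added triage example (not FreeS/WAN code): classify pluto log lines per IKE
# state and sanity-check a conn block against ipsec.secrets.  Sample inputs are
# constructed to mirror the post's "ipsec barf" output; keys are placeholders.
import re
from collections import defaultdict

# One pluto message: optional "ERROR:" prefix, conn name, state number, text.
LINE_RE = re.compile(
    r'pluto\[\d+\]: (?:ERROR: )?"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)')

SAMPLE_LOG = """\
Jun 21 10:27:36 gateway1 pluto[4883]: "test" #1: initiating Main Mode
Jun 21 10:28:46 gateway1 pluto[4883]: "test" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Jun 21 10:30:26 gateway1 pluto[4883]: ERROR: "test" #3: sendto on eth0 to 217.46.146.28:500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Jun 21 10:32:43 gateway1 pluto[4883]: "test" #6: responding to Main Mode
Jun 21 10:32:43 gateway1 pluto[4883]: "test" #6: sent MR3, ISAKMP SA established
Jun 21 10:32:43 gateway1 pluto[4883]: "test" #7: responding to Quick Mode
Jun 21 10:32:43 gateway1 pluto[4883]: "test" #7: IPsec SA established {ESP=>0x9187729a <0xe27805f9}
"""

SAMPLE_CONF = """\
conn test
    left=217.46.146.27
    leftrsasigkey=0sPLACEHOLDER-KEY
    right=217.46.146.28
    rightrsasigkey=0sPLACEHOLDER-KEY
    #authby=secret  #key exchange method
    auto=start
conn block
    auto=ignore
"""
SAMPLE_SECRETS = '217.46.146.27 217.46.146.28 : PSK "PLACEHOLDER-PSK"\n'


def summarize(log_text):
    """Group pluto messages per connection and classify each IKE state number."""
    conns = defaultdict(lambda: {"initiated": set(), "responded": set(),
                                 "ipsec_established": set(),
                                 "retransmit_failed": set(), "send_errors": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        c, st, msg = conns[m["conn"]], int(m["state"]), m["msg"]
        if msg.startswith("initiating Main Mode"):
            c["initiated"].add(st)          # we are the IKE initiator
        elif msg.startswith("responding to Main Mode"):
            c["responded"].add(st)          # the peer initiated
        elif "IPsec SA established" in msg:
            c["ipsec_established"].add(st)  # Quick Mode finished (either role)
        elif msg.startswith("max number of retransmissions"):
            c["retransmit_failed"].add(st)
        elif msg.startswith("sendto"):
            c["send_errors"].append(msg)
    return conns


def diagnose(conns):
    """Turn the per-connection sets into findings an operator can act on."""
    findings = []
    for name, c in conns.items():
        dead = c["initiated"] & c["retransmit_failed"]
        if dead:
            findings.append(f'{name}: {len(dead)} locally initiated Main Mode attempt(s) timed '
                            'out in STATE_MAIN_I3 (peer did not accept our first encrypted '
                            'message): verify authby, identities and keys/secrets on both ends')
        if c["responded"] and c["ipsec_established"]:
            findings.append(f'{name}: peer-initiated negotiations reached an IPsec SA, so '
                            '"IPsec SA established" appears even while our own initiations fail')
        for err in c["send_errors"]:
            findings.append(f'{name}: IKE send failed ({err.rsplit(". ", 1)[-1]}); EPERM from '
                            'sendto usually means a local netfilter rule dropped the packet')
    return findings


def check_conn(conf_text, secrets_text, conn="test"):
    """Flag key/secret inconsistencies in one conn block (comments stripped first)."""
    block, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            inside = line.split()[1] == conn
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            block[key.strip()] = value.strip()
    # Assumption: FreeS/WAN 2.x authenticates with rsasig when authby is unset.
    authby = block.get("authby", "rsasig")
    has_psk = re.search(r":\s*PSK\b", secrets_text) is not None
    findings = []
    if block.get("leftrsasigkey") and block.get("leftrsasigkey") == block.get("rightrsasigkey"):
        findings.append("leftrsasigkey and rightrsasigkey are identical: both ends hold the "
                        "same public key, so the peer is not distinguished from us")
    if authby == "rsasig" and not ("leftrsasigkey" in block and "rightrsasigkey" in block):
        findings.append("authby is rsasig but one side has no rsasigkey configured")
    if authby == "rsasig" and has_psk:
        findings.append("authby is rsasig, so the PSK line in ipsec.secrets is unused by this conn")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)) + check_conn(SAMPLE_CONF, SAMPLE_SECRETS):
        print("-", finding)
```

The initiator/responder split is the part worth keeping when reading a log like the one above: in it, #7, #11, #13 and #15 were established with this host as responder, #9 is the only locally initiated success, and attempts #1 to #5 all timed out in STATE_MAIN_I3, which is the point just before the initiator's authentication completes. Run over the real /var/log/secure the same classification makes that pattern visible without reading every line.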
_______________________________________________
FreeS/WAN Users mailing list
users at lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
______________________________________________________________________
FreeS/WAN Users-moderated mailing list
You are subscribed to a moderated version of the Users list.
https://lists.freeswan.org/cgi-bin/mj_wwwusr