hollywood Tue Feb 23 20:15:19 EST 2010 + _________________________ version + ipsec --version Linux Openswan U2.6.master-201008.git-g6cebcb2a-dirty/K2.6.30-2-amd64 (netkey) See `ipsec --copyright' for copyright information. + _________________________ /proc/version + cat /proc/version Linux version 2.6.30-2-amd64 (Debian 2.6.30-8) (waldi@debian.org) (gcc version 4.3.4 (Debian 4.3.4-3) ) #1 SMP Fri Sep 25 22:16:56 UTC 2009 + _________________________ /proc/net/ipsec_eroute + test -r /proc/net/ipsec_eroute + _________________________ netstat-rn + netstat -nr + head -n 100 Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 64.34.169.64 0.0.0.0 255.255.255.192 U 0 0 0 eth0 64.34.173.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 64.34.169.65 0.0.0.0 UG 0 0 0 eth0 0.0.0.0 64.34.169.65 0.0.0.0 UG 0 0 0 eth0 + _________________________ /proc/net/ipsec_spi + test -r /proc/net/ipsec_spi + _________________________ /proc/net/ipsec_spigrp + test -r /proc/net/ipsec_spigrp + _________________________ /proc/net/ipsec_tncfg + test -r /proc/net/ipsec_tncfg + _________________________ /proc/net/pfkey + test -r /proc/net/pfkey + cat /proc/net/pfkey sk RefCnt Rmem Wmem User Inode + _________________________ ip-xfrm-state + ip xfrm state src 96.255.200.208 dst 64.34.173.20 proto esp spi 0xa3dd0b72 reqid 16397 mode transport replay-window 32 auth hmac(sha1) 0x7c664d668dc981745db86fd477666f5343b778b9 enc cbc(aes) 0x8986df73408582bbd3262dd2d931296d encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 sel src 0.0.0.0/0 dst 0.0.0.0/0 src 64.34.173.20 dst 96.255.200.208 proto esp spi 0xb28b615c reqid 16397 mode transport replay-window 32 auth hmac(sha1) 0xa0230c7bc724f95be98367622eb605f76c35395f enc cbc(aes) 0x714b05d50471c95015741d1bbdba549d encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 sel src 0.0.0.0/0 dst 0.0.0.0/0 + _________________________ ip-xfrm-policy + ip xfrm policy src 64.34.173.20/32 dst 96.255.200.208/32 proto udp sport 1701 dport 1701 dir out priority 2080 tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid 16397 mode transport src 96.255.200.208/32 dst 64.34.173.20/32 proto udp sport 1701 dport 1701 dir in priority 2080 tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid 16397 mode transport src ::/0 dst ::/0 dir 4 priority 0 src ::/0 dst ::/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 3 priority 0 + _________________________ /proc/crypto + test -r /proc/crypto + cat /proc/crypto name : authenc(hmac(sha1),cbc(aes)) driver : authenc(hmac(sha1-generic),cbc(aes-asm)) module : authenc priority : 2000 refcnt : 3 selftest : passed type : aead async : yes blocksize : 16 ivsize : 16 maxauthsize : 20 geniv : name : cbc(aes) driver : cbc(aes-asm) module : kernel priority : 200 refcnt : 3 selftest : passed type : givcipher async : yes blocksize : 16 min keysize : 16 max keysize : 32 ivsize : 16 geniv : chainiv name : deflate driver : deflate-generic module : deflate priority : 0 refcnt : 1 selftest : passed type : compression name : rfc3686(ctr(aes)) driver : rfc3686(ctr(aes-asm)) module : ctr priority : 200 refcnt : 1 selftest : passed type : blkcipher blocksize : 1 min keysize : 20 max keysize : 36 ivsize : 8 geniv : seqiv name : ctr(aes) driver : ctr(aes-asm) module : ctr priority : 200 refcnt : 1 selftest : passed type : blkcipher blocksize : 1 min keysize : 16 max keysize : 32 ivsize : 16 geniv : name : cbc(twofish) driver : cbc(twofish-generic) module : cbc priority : 100 refcnt : 1 selftest : passed type : blkcipher blocksize : 16 min keysize : 16 max keysize : 32 ivsize : 16 geniv : name : cbc(camellia) driver : cbc(camellia-generic) module : cbc priority : 100 refcnt : 1 selftest : passed type : blkcipher blocksize : 16 min keysize : 16 max keysize : 32 ivsize : 16 geniv : name : camellia driver : camellia-generic module : camellia priority : 100 refcnt : 1 selftest : passed type : cipher blocksize : 16 min keysize : 16 max keysize : 32 name : cbc(serpent) driver : cbc(serpent-generic) module : cbc priority : 0 refcnt : 1 selftest : passed type : blkcipher blocksize : 16 min keysize : 0 max keysize : 32 ivsize : 16 geniv : name : cbc(aes) driver : cbc(aes-asm) module : cbc priority : 200 refcnt : 3 selftest : passed type : blkcipher blocksize : 16 min keysize : 16 max keysize : 32 ivsize : 16 geniv : name : cbc(blowfish) driver : cbc(blowfish-generic) module : cbc priority : 0 refcnt : 1 selftest : passed type : blkcipher blocksize : 8 min keysize : 4 max keysize : 56 ivsize : 8 geniv : name : cbc(cast5) driver : cbc(cast5-generic) module : cbc priority : 0 refcnt : 1 selftest : passed type : blkcipher blocksize : 8 min keysize : 5 max keysize : 16 ivsize : 8 geniv : name : cast5 driver : cast5-generic module : cast5 priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 8 min keysize : 5 max keysize : 16 name : cbc(des3_ede) driver : cbc(des3_ede-generic) module : cbc priority : 0 refcnt : 1 selftest : passed type : blkcipher blocksize : 8 min keysize : 24 max keysize : 24 ivsize : 8 geniv : name : cbc(des) driver : cbc(des-generic) module : cbc priority : 0 refcnt : 1 selftest : passed type : blkcipher blocksize : 8 min keysize : 8 max keysize : 8 ivsize : 8 geniv : name : xcbc(aes) driver : xcbc(aes-asm) module : xcbc priority : 200 refcnt : 1 selftest : passed type : hash blocksize : 16 digestsize : 16 name : hmac(rmd160) driver : hmac(rmd160-generic) module : hmac priority : 0 refcnt : 1 selftest : passed type : hash blocksize : 64 digestsize : 20 name : rmd160 driver : rmd160-generic module : rmd160 priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 64 digestsize : 20 descsize : 96 name : hmac(sha256) driver : hmac(sha256-generic) module : hmac priority : 0 refcnt : 1 selftest : passed type : hash blocksize : 64 digestsize : 32 name : hmac(sha1) driver : hmac(sha1-generic) module : hmac priority : 0 refcnt : 3 selftest : passed type : hash blocksize : 64 digestsize : 20 name : sha1 driver : sha1-generic module : sha1_generic priority : 0 refcnt : 5 selftest : passed type : shash blocksize : 64 digestsize : 20 descsize : 96 name : hmac(md5) driver : hmac(md5-generic) module : hmac priority : 0 refcnt : 1 selftest : passed type : hash blocksize : 64 digestsize : 16 name : compress_null driver : compress_null-generic module : crypto_null priority : 0 refcnt : 1 selftest : passed type : compression name : digest_null driver : digest_null-generic module : crypto_null priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 1 digestsize : 0 descsize : 0 name : ecb(cipher_null) driver : ecb-cipher_null module : crypto_null priority : 100 refcnt : 1 selftest : passed type : blkcipher blocksize : 1 min keysize : 0 max keysize : 0 ivsize : 0 geniv : name : cipher_null driver : cipher_null-generic module : crypto_null priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 1 min keysize : 0 max keysize : 0 name : tnepres driver : tnepres-generic module : serpent priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 16 min keysize : 0 max keysize : 32 name : serpent driver : serpent-generic module : serpent priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 16 min keysize : 0 max keysize : 32 name : blowfish driver : blowfish-generic module : blowfish priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 8 min keysize : 4 max keysize : 56 name : twofish driver : twofish-generic module : twofish priority : 100 refcnt : 1 selftest : passed type : cipher blocksize : 16 min keysize : 16 max keysize : 32 name : sha256 driver : sha256-generic module : sha256_generic priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 64 digestsize : 32 descsize : 168 name : sha224 driver : sha224-generic module : sha256_generic priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 64 digestsize : 28 descsize : 168 name : sha512 driver : sha512-generic module : sha512_generic priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 128 digestsize : 64 descsize : 208 name : sha384 driver : sha384-generic module : sha512_generic priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 128 digestsize : 48 descsize : 208 name : des3_ede driver : des3_ede-generic module : des_generic priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 8 min keysize : 24 max keysize : 24 name : des driver : des-generic module : des_generic priority : 0 refcnt : 1 selftest : passed type : cipher blocksize : 8 min keysize : 8 max keysize : 8 name : aes driver : aes-asm module : aes_x86_64 priority : 200 refcnt : 3 selftest : passed type : cipher blocksize : 16 min keysize : 16 max keysize : 32 name : aes driver : aes-generic module : aes_generic priority : 100 refcnt : 1 selftest : passed type : cipher blocksize : 16 min keysize : 16 max keysize : 32 name : stdrng driver : krng module : kernel priority : 200 refcnt : 2 selftest : passed type : rng seedsize : 0 name : md5 driver : md5-generic module : kernel priority : 0 refcnt : 1 selftest : passed type : shash blocksize : 64 digestsize : 16 descsize : 88 + __________________________/proc/sys/net/core/xfrm-star /usr/lib/ipsec/barf: line 191: __________________________/proc/sys/net/core/xfrm-star: No such file or directory + for i in '/proc/sys/net/core/xfrm_*' + echo -n '/proc/sys/net/core/xfrm_acq_expires: ' /proc/sys/net/core/xfrm_acq_expires: + cat /proc/sys/net/core/xfrm_acq_expires 30 + for i in '/proc/sys/net/core/xfrm_*' + echo -n '/proc/sys/net/core/xfrm_aevent_etime: ' /proc/sys/net/core/xfrm_aevent_etime: + cat /proc/sys/net/core/xfrm_aevent_etime 10 + for i in '/proc/sys/net/core/xfrm_*' + echo -n '/proc/sys/net/core/xfrm_aevent_rseqth: ' /proc/sys/net/core/xfrm_aevent_rseqth: + cat /proc/sys/net/core/xfrm_aevent_rseqth 2 + for i in '/proc/sys/net/core/xfrm_*' + echo -n '/proc/sys/net/core/xfrm_larval_drop: ' /proc/sys/net/core/xfrm_larval_drop: + cat /proc/sys/net/core/xfrm_larval_drop 1 + _________________________ /proc/sys/net/ipsec-star + test -d /proc/sys/net/ipsec + _________________________ ipsec/status + ipsec auto --status 000 using kernel interface: netkey 000 interface lo/lo ::1 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 64.34.169.81 000 interface eth0/eth0 64.34.169.81 000 interface eth0:1/eth0:1 64.34.173.20 000 interface eth0:1/eth0:1 64.34.173.20 000 %myid = (none) 000 debug none 000 000 virtual_private (%priv): 000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 000 - disallowed 0 subnets: 000 WARNING: Either virtual_private= was not specified, or there was a syntax 000 error in that line. 'left/rightsubnet=%priv' will not work! 000 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0 000 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 000 000 "wonderproxy-L2TP": 64.34.173.20<64.34.173.20>[+S=C]:17/1701...%any[+S=C]:17/%any; unrouted; eroute owner: #0 000 "wonderproxy-L2TP": myip=unset; hisip=unset; 000 "wonderproxy-L2TP": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 000 "wonderproxy-L2TP": policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth0:1; 000 "wonderproxy-L2TP": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "wonderproxy-L2TP-NAT": 64.34.173.20<64.34.173.20>[+S=C]:17/1701...%virtual[+S=C]:17/%any===?; unrouted; eroute owner: #0 000 "wonderproxy-L2TP-NAT": myip=unset; hisip=unset; 000 "wonderproxy-L2TP-NAT": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 000 "wonderproxy-L2TP-NAT": policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth0:1; 000 "wonderproxy-L2TP-NAT": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "wonderproxy-L2TP-NAT"[2]: 64.34.173.20<64.34.173.20>[+S=C]:17/1701...96.255.200.208[192.168.1.3,+S=C]:17/1701; erouted; eroute owner: #2 000 "wonderproxy-L2TP-NAT"[2]: myip=unset; hisip=unset; 000 "wonderproxy-L2TP-NAT"[2]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 000 "wonderproxy-L2TP-NAT"[2]: policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth0:1; 000 "wonderproxy-L2TP-NAT"[2]: newest ISAKMP SA: #1; newest IPsec SA: #2; 000 "wonderproxy-L2TP-NAT"[2]: IKE algorithm newest: AES_CBC_128-SHA1-MODP2048 000 000 #2: "wonderproxy-L2TP-NAT"[2] 96.255.200.208:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28774s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set 000 #2: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 esp.b28b615c@96.255.200.208 esp.a3dd0b72@64.34.173.20 ref=0 refhim=4294901761 000 #1: "wonderproxy-L2TP-NAT"[2] 96.255.200.208:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3574s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set 000 + _________________________ ifconfig-a + ifconfig -a eth0 Link encap:Ethernet HWaddr 00:30:48:d2:af:10 inet addr:64.34.169.81 Bcast:64.34.169.127 Mask:255.255.255.192 inet6 addr: fe80::230:48ff:fed2:af10/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:46175528 errors:0 dropped:0 overruns:0 frame:0 TX packets:25273641 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:19534590434 (18.1 GiB) TX bytes:22884896841 (21.3 GiB) Interrupt:30 Base address:0xa000 eth0:1 Link encap:Ethernet HWaddr 00:30:48:d2:af:10 inet addr:64.34.173.20 Bcast:64.34.173.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:30 Base address:0xa000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:2828729 errors:0 dropped:0 overruns:0 frame:0 TX packets:2828729 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:564031952 (537.9 MiB) TX bytes:564031952 (537.9 MiB) + _________________________ ip-addr-list + ip addr list 1: lo: mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:30:48:d2:af:10 brd ff:ff:ff:ff:ff:ff inet 64.34.169.81/26 brd 64.34.169.127 scope global eth0 inet 64.34.173.20/24 brd 64.34.173.255 scope global eth0:1 inet6 fe80::230:48ff:fed2:af10/64 scope link valid_lft forever preferred_lft forever + _________________________ ip-route-list + ip route list 64.34.169.64/26 dev eth0 proto kernel scope link src 64.34.169.81 64.34.173.0/24 dev eth0 proto kernel scope link src 64.34.173.20 127.0.0.0/8 dev lo scope link default via 64.34.169.65 dev eth0 src 64.34.173.20 default via 64.34.169.65 dev eth0 + _________________________ ip-rule-list + ip rule list 0: from all lookup local 32766: from all lookup main 32767: from all lookup default + _________________________ ipsec_verify + ipsec verify --nocolour Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.master-201008.git-g6cebcb2a-dirty/K2.6.30-2-amd64 (netkey) Checking for IPsec support in kernel [OK] NETKEY detected, testing for disabled ICMP send_redirects [OK] NETKEY detected, testing for disabled ICMP accept_redirects [OK] Checking for RSA private key (/etc/ipsec.secrets) [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for NAT-T on udp 4500 [OK] Checking for 'ip' command [OK] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED] + _________________________ mii-tool + '[' -x /sbin/mii-tool ']' + /sbin/mii-tool -v SIOCGMIIPHY on 'eth0' failed: Operation not supported no MII interfaces found + _________________________ ipsec/directory + ipsec --directory /usr/lib/ipsec + _________________________ hostname/fqdn + hostname --fqdn hollywood.paulhost.ca + _________________________ hostname/ipaddress + hostname --ip-address 64.34.169.81 + _________________________ uptime + uptime 20:15:19 up 125 days, 21:21, 3 users, load average: 0.02, 0.01, 0.00 + _________________________ ps + ps alxwf + egrep -i 'ppid|pluto|ipsec|klips' F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND 4 0 7273 6623 20 0 11464 1452 - S+ pts/1 0:00 \_ /bin/sh /usr/lib/ipsec/barf 0 0 7353 7273 20 0 5944 644 - S+ pts/1 0:00 \_ egrep -i ppid|pluto|ipsec|klips 1 0 7004 1 20 0 9040 500 - S pts/1 0:00 /bin/bash /usr/lib/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid 1 0 7006 7004 20 0 9040 680 - S pts/1 0:00 \_ /bin/bash /usr/lib/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 --crlcheckinterval 0 --ocspuri --nhelpers --dump --opts --stderrlog --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid 4 0 7007 7006 20 0 64496 3096 - S pts/1 0:00 | \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 1 0 7011 7007 30 10 64488 1228 - SN pts/1 0:00 | \_ pluto helper # 0 0 0 7039 7007 20 0 5788 376 - S pts/1 0:00 | \_ _pluto_adns 0 0 7010 7004 20 0 9000 1284 - S pts/1 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post 0 0 7005 1 20 0 3788 604 - S pts/1 0:00 logger -s -p daemon.error -t ipsec__plutorun + _________________________ ipsec/showdefaults + ipsec showdefaults routephys=eth0 routevirt=none routeaddr=64.34.173.20 routenexthop=64.34.169.65 + _________________________ ipsec/conf + ipsec _include /etc/ipsec.conf + ipsec _keycensor #< /etc/ipsec.conf 1 # /etc/ipsec.conf - Openswan IPsec configuration file version 2.0 # basic configuration config setup nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 oe=off protostack=netkey # connections conn wonderproxy-L2TP-NAT rightsubnet=vhost:%no,%priv also=wonderproxy-L2TP conn wonderproxy-L2TP authby=secret pfs=no rekey=no keyingtries=3 type=transport left=64.34.173.20 leftprotoport=17/1701 right=%any rightprotoport=17/%any auto=add + _________________________ ipsec/secrets + ipsec _include /etc/ipsec.secrets + ipsec _secretcensor #< /etc/ipsec.secrets 1 # RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $ # This file holds shared secrets or RSA private keys for inter-Pluto # authentication. See ipsec_pluto(8) manpage, and HTML documentation. # RSA private key for this host, authenticating it to any other host # which knows the public part. Suitable public keys, for ipsec.conf, DNS, # or configuration of other implementations, can be extracted conveniently # with "[sums to ef67...]". : PSK "[sums to 97a5...]" + _________________________ ipsec/listall + ipsec auto --listall 000 000 List of Public Keys: 000 000 List of Pre-shared secrets (from /etc/ipsec.secrets) 000 10: PSK (none) (none) + '[' /etc/ipsec.d/policies ']' + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/block + base=block + _________________________ ipsec/policies/block + cat /etc/ipsec.d/policies/block # This file defines the set of CIDRs (network/mask-length) to which # communication should never be allowed. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/clear + base=clear + _________________________ ipsec/policies/clear + cat /etc/ipsec.d/policies/clear # This file defines the set of CIDRs (network/mask-length) to which # communication should always be in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # root name servers should be in the clear 192.58.128.30/32 198.41.0.4/32 192.228.79.201/32 192.33.4.12/32 128.8.10.90/32 192.203.230.10/32 192.5.5.241/32 192.112.36.4/32 128.63.2.53/32 192.36.148.17/32 193.0.14.129/32 199.7.83.42/32 202.12.27.33/32 + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/clear-or-private + base=clear-or-private + _________________________ ipsec/policies/clear-or-private + cat /etc/ipsec.d/policies/clear-or-private # This file defines the set of CIDRs (network/mask-length) to which # we will communicate in the clear, or, if the other side initiates IPSEC, # using encryption. This behaviour is also called "Opportunistic Responder". # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/private + base=private + _________________________ ipsec/policies/private + cat /etc/ipsec.d/policies/private # This file defines the set of CIDRs (network/mask-length) to which # communication should always be private (i.e. encrypted). # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $ # + for policy in '$POLICIES/*' ++ basename /etc/ipsec.d/policies/private-or-clear + base=private-or-clear + _________________________ ipsec/policies/private-or-clear + cat /etc/ipsec.d/policies/private-or-clear # This file defines the set of CIDRs (network/mask-length) to which # communication should be private, if possible, but in the clear otherwise. # # If the target has a TXT (later IPSECKEY) record that specifies # authentication material, we will require private (i.e. encrypted) # communications. If no such record is found, communications will be # in the clear. # # See /usr/share/doc/openswan/policygroups.html for details. # # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $ # 0.0.0.0/0 + _________________________ ipsec/ls-libdir + ls -l /usr/lib/ipsec total 2140 -rwxr-xr-x 1 root root 7032 Feb 22 19:13 _copyright -rwxr-xr-x 1 root root 2379 Feb 22 19:12 _include -rwxr-xr-x 1 root root 1475 Feb 22 19:12 _keycensor -rwxr-xr-x 1 root root 11064 Feb 22 19:13 _pluto_adns -rwxr-xr-x 1 root root 2632 Feb 22 19:12 _plutoload -rwxr-xr-x 1 root root 8207 Feb 22 19:13 _plutorun -rwxr-xr-x 1 root root 12943 Feb 22 19:12 _realsetup -rwxr-xr-x 1 root root 1975 Feb 22 19:12 _secretcensor -rwxr-xr-x 1 root root 8567 Feb 22 19:13 _startklips -rwxr-xr-x 1 root root 6036 Feb 22 19:13 _startnetkey -rwxr-xr-x 1 root root 4868 Feb 22 19:12 _updown -rwxr-xr-x 1 root root 14028 Feb 22 19:13 _updown.klips -rwxr-xr-x 1 root root 11745 Feb 22 19:13 _updown.mast -rwxr-xr-x 1 root root 8680 Feb 22 19:13 _updown.netkey -rwxr-xr-x 1 root root 185384 Feb 22 19:13 addconn -rwxr-xr-x 1 root root 6015 Feb 22 19:12 auto -rwxr-xr-x 1 root root 10816 Feb 22 19:13 barf -rwxr-xr-x 1 root root 86696 Feb 22 19:13 eroute -rwxr-xr-x 1 root root 21816 Feb 22 19:13 ikeping -rwxr-xr-x 1 root root 64808 Feb 22 19:13 klipsdebug -rwxr-xr-x 1 root root 2591 Feb 22 19:12 look -rwxr-xr-x 1 root root 2182 Feb 22 19:13 newhostkey -rwxr-xr-x 1 root root 57768 Feb 22 19:13 pf_key -rwxr-xr-x 1 root root 882608 Feb 22 19:13 pluto -rwxr-xr-x 1 root root 11160 Feb 22 19:13 ranbits -rwxr-xr-x 1 root root 20880 Feb 22 19:13 rsasigkey -rwxr-xr-x 1 root root 766 Feb 22 19:13 secrets lrwxrwxrwx 1 root root 17 Feb 22 19:13 setup -> /etc/init.d/ipsec -rwxr-xr-x 1 root root 1054 Feb 22 19:13 showdefaults -rwxr-xr-x 1 root root 232120 Feb 22 19:13 showhostkey -rwxr-xr-x 1 root root 23528 Feb 22 19:13 showpolicy -rwxr-xr-x 1 root root 140968 Feb 22 19:13 spi -rwxr-xr-x 1 root root 74296 Feb 22 19:13 spigrp -rwxr-xr-x 1 root root 69864 Feb 22 19:13 tncfg -rwxr-xr-x 1 root root 13400 Feb 22 19:13 verify -rwxr-xr-x 1 root root 53536 Feb 22 19:13 whack + _________________________ ipsec/ls-execdir + ls -l /usr/lib/ipsec total 2140 -rwxr-xr-x 1 root root 7032 Feb 22 19:13 _copyright -rwxr-xr-x 1 root root 2379 Feb 22 19:12 _include -rwxr-xr-x 1 root root 1475 Feb 22 19:12 _keycensor -rwxr-xr-x 1 root root 11064 Feb 22 19:13 _pluto_adns -rwxr-xr-x 1 root root 2632 Feb 22 19:12 _plutoload -rwxr-xr-x 1 root root 8207 Feb 22 19:13 _plutorun -rwxr-xr-x 1 root root 12943 Feb 22 19:12 _realsetup -rwxr-xr-x 1 root root 1975 Feb 22 19:12 _secretcensor -rwxr-xr-x 1 root root 8567 Feb 22 19:13 _startklips -rwxr-xr-x 1 root root 6036 Feb 22 19:13 _startnetkey -rwxr-xr-x 1 root root 4868 Feb 22 19:12 _updown -rwxr-xr-x 1 root root 14028 Feb 22 19:13 _updown.klips -rwxr-xr-x 1 root root 11745 Feb 22 19:13 _updown.mast -rwxr-xr-x 1 root root 8680 Feb 22 19:13 _updown.netkey -rwxr-xr-x 1 root root 185384 Feb 22 19:13 addconn -rwxr-xr-x 1 root root 6015 Feb 22 19:12 auto -rwxr-xr-x 1 root root 10816 Feb 22 19:13 barf -rwxr-xr-x 1 root root 86696 Feb 22 19:13 eroute -rwxr-xr-x 1 root root 21816 Feb 22 19:13 ikeping -rwxr-xr-x 1 root root 64808 Feb 22 19:13 klipsdebug -rwxr-xr-x 1 root root 2591 Feb 22 19:12 look -rwxr-xr-x 1 root root 2182 Feb 22 19:13 newhostkey -rwxr-xr-x 1 root root 57768 Feb 22 19:13 pf_key -rwxr-xr-x 1 root root 882608 Feb 22 19:13 pluto -rwxr-xr-x 1 root root 11160 Feb 22 19:13 ranbits -rwxr-xr-x 1 root root 20880 Feb 22 19:13 rsasigkey -rwxr-xr-x 1 root root 766 Feb 22 19:13 secrets lrwxrwxrwx 1 root root 17 Feb 22 19:13 setup -> /etc/init.d/ipsec -rwxr-xr-x 1 root root 1054 Feb 22 19:13 showdefaults -rwxr-xr-x 1 root root 232120 Feb 22 19:13 showhostkey -rwxr-xr-x 1 root root 23528 Feb 22 19:13 showpolicy -rwxr-xr-x 1 root root 140968 Feb 22 19:13 spi -rwxr-xr-x 1 root root 74296 Feb 22 19:13 spigrp -rwxr-xr-x 1 root root 69864 Feb 22 19:13 tncfg -rwxr-xr-x 1 root root 13400 Feb 22 19:13 verify -rwxr-xr-x 1 root root 53536 Feb 22 19:13 whack + _________________________ /proc/net/dev + cat /proc/net/dev Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo:564032388 2828733 0 0 0 0 0 0 564032388 2828733 0 0 0 0 0 0 eth0:19534590434 46175528 0 0 0 0 0 0 22884896841 25273641 0 0 0 0 0 0 + _________________________ /proc/net/route + cat /proc/net/route Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT eth0 40A92240 00000000 0001 0 0 0 C0FFFFFF 0 0 0 eth0 00AD2240 00000000 0001 0 0 0 00FFFFFF 0 0 0 lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0 eth0 00000000 41A92240 0003 0 0 0 00000000 0 0 0 eth0 00000000 41A92240 0003 0 0 0 00000000 0 0 0 + _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc + cat /proc/sys/net/ipv4/ip_no_pmtu_disc 0 + _________________________ /proc/sys/net/ipv4/ip_forward + cat /proc/sys/net/ipv4/ip_forward 0 + _________________________ /proc/sys/net/ipv4/tcp_ecn + cat /proc/sys/net/ipv4/tcp_ecn 0 + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter + cd /proc/sys/net/ipv4/conf + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter all/rp_filter:0 default/rp_filter:0 eth0/rp_filter:0 lo/rp_filter:0 + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects + cd /proc/sys/net/ipv4/conf + egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects all/accept_redirects:0 all/secure_redirects:1 all/send_redirects:0 default/accept_redirects:0 default/secure_redirects:1 default/send_redirects:0 eth0/accept_redirects:1 eth0/secure_redirects:1 eth0/send_redirects:1 lo/accept_redirects:1 lo/secure_redirects:1 lo/send_redirects:1 + _________________________ /proc/sys/net/ipv4/tcp_window_scaling + cat /proc/sys/net/ipv4/tcp_window_scaling 1 + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale + cat /proc/sys/net/ipv4/tcp_adv_win_scale 2 + _________________________ uname-a + uname -a Linux hollywood.paulhost.ca 2.6.30-2-amd64 #1 SMP Fri Sep 25 22:16:56 UTC 2009 x86_64 GNU/Linux + _________________________ config-built-with + test -r /proc/config_built_with + _________________________ distro-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/redhat-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/debian-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/SuSE-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/mandrake-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/mandriva-release + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + test -f /etc/gentoo-release + _________________________ /proc/net/ipsec_version + test -r /proc/net/ipsec_version + test -r /proc/net/pfkey ++ uname -r + echo 'NETKEY (2.6.30-2-amd64) support detected ' NETKEY (2.6.30-2-amd64) support detected + _________________________ iptables + test -r /sbin/iptables + iptables -L -v -n Chain INPUT (policy ACCEPT 2749 packets, 6452K bytes) pkts bytes target prot opt in out source destination 667K 155M fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22 1074K 73M fail2ban-named-refused-udp udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,953 8661K 1020M fail2ban-squid-jail tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,8080 85628 52M ironwall all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 85828 packets, 54M bytes) pkts bytes target prot opt in out source destination Chain fail2ban-named-refused-udp (1 references) pkts bytes target prot opt in out source destination 1074K 73M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-squid-jail (1 references) pkts bytes target prot opt in out source destination 8661K 1020M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-ssh (1 references) pkts bytes target prot opt in out source destination 658K 155M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain ironwall (1 references) pkts bytes target prot opt in out source destination 80527 46M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 279 10668 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 10 1520 ACCEPT esp -- eth0 * 0.0.0.0/0 0.0.0.0/0 9 540 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 361 24889 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 1013 53728 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 48 4904 ACCEPT udp -- eth0 * 64.251.22.48 0.0.0.0/0 udp dpt:161 3 828 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 31 1860 ACCEPT tcp -- eth0 * 64.251.22.48 0.0.0.0/0 tcp dpt:1040 0 0 ACCEPT tcp -- eth0 * 67.223.252.227 0.0.0.0/0 tcp dpt:1040 1 108 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 8 480 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 588 59844 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 + _________________________ iptables-nat + iptables -t nat -L -v -n Chain PREROUTING (policy ACCEPT 1712 packets, 119K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2021 packets, 129K bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2021 packets, 129K bytes) pkts bytes target prot opt in out source destination + _________________________ iptables-mangle + iptables -t mangle -L -v -n Chain PREROUTING (policy ACCEPT 51354 packets, 35M bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 51334 packets, 35M bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 46999 packets, 36M bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 46999 packets, 36M bytes) pkts bytes target prot opt in out source destination + _________________________ /proc/modules + test -f /proc/modules + cat /proc/modules xfrm_user 20848 2 - Live 0xffffffffa0bf6000 ah6 6144 0 - Live 0xffffffffa0bef000 ah4 5296 0 - Live 0xffffffffa0be8000 esp6 6560 0 - Live 0xffffffffa0be1000 esp4 6832 2 - Live 0xffffffffa0bda000 xfrm4_mode_beet 2992 0 - Live 0xffffffffa0bd4000 xfrm4_tunnel 2720 0 - Live 0xffffffffa0bce000 xfrm4_mode_tunnel 2752 0 - Live 0xffffffffa0bc8000 xfrm4_mode_transport 2288 4 - Live 0xffffffffa0bc2000 xfrm6_mode_transport 2336 0 - Live 0xffffffffa0bbc000 xfrm6_mode_ro 2176 0 - Live 0xffffffffa0bb6000 xfrm6_mode_beet 2800 0 - Live 0xffffffffa0bb0000 xfrm6_mode_tunnel 2656 0 - Live 0xffffffffa0baa000 ipcomp 3328 0 - Live 0xffffffffa0ba4000 ipcomp6 3424 0 - Live 0xffffffffa0b9e000 xfrm6_tunnel 9088 1 ipcomp6, Live 0xffffffffa0b96000 af_key 29104 0 - Live 0xffffffffa0b7c000 iptable_mangle 4032 0 - Live 0xffffffffa0b76000 iptable_nat 6208 0 - Live 0xffffffffa0b6f000 nf_nat 20068 1 iptable_nat, Live 0xffffffffa0b65000 authenc 5968 2 - Live 0xffffffffa049a000 deflate 3104 0 - Live 0xffffffffa030a000 zlib_deflate 19960 1 deflate, Live 0xffffffffa0303000 ctr 4624 0 - Live 0xffffffffa02fc000 camellia 18368 0 - Live 0xffffffffa02f2000 cast5 17328 0 - Live 0xffffffffa02e8000 rmd160 7904 0 - Live 0xffffffffa02e1000 sha1_generic 2528 4 - Live 0xffffffffa02db000 hmac 4320 2 - Live 0xffffffffa02d4000 crypto_null 3696 0 - Live 0xffffffffa02ce000 ccm 8752 0 - Live 0xffffffffa02c6000 serpent 17616 0 - Live 0xffffffffa02bc000 blowfish 8768 0 - Live 0xffffffffa02b4000 twofish 6816 0 - Live 0xffffffffa02ad000 twofish_common 14464 1 twofish, Live 0xffffffffa02a7000 ecb 3072 0 - Live 0xffffffffa02a1000 xcbc 4840 0 - Live 0xffffffffa029a000 cbc 3776 2 - Live 0xffffffffa0294000 sha256_generic 9440 0 - Live 0xffffffffa028c000 sha512_generic 5536 0 - Live 0xffffffffa0285000 des_generic 16960 0 - Live 0xffffffffa027b000 cryptd 7336 0 - Live 0xffffffffa026c000 aes_x86_64 8928 2 - Live 0xffffffffa0264000 aes_generic 27840 1 aes_x86_64, Live 0xffffffffa025b000 tunnel4 3632 1 xfrm4_tunnel, Live 0xffffffffa01a0000 xfrm_ipcomp 6204 2 ipcomp,ipcomp6, Live 0xffffffffa00cb000 tunnel6 3536 1 xfrm6_tunnel, Live 0xffffffffa0094000 rng_core 4888 0 - Live 0xffffffffa000e000 xt_multiport 3216 3 - Live 0xffffffffa0250000 xt_tcpudp 3328 10 - Live 0xffffffffa024a000 nf_conntrack_ipv4 15240 4 iptable_nat,nf_nat, Live 0xffffffffa0241000 nf_defrag_ipv4 2288 1 nf_conntrack_ipv4, Live 0xffffffffa023b000 xt_state 2400 1 - Live 0xffffffffa0235000 nf_conntrack 70192 4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state, Live 0xffffffffa021e000 iptable_filter 3776 1 - Live 0xffffffffa0218000 ip_tables 17392 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xffffffffa020e000 x_tables 22440 5 iptable_nat,xt_multiport,xt_tcpudp,xt_state,ip_tables, Live 0xffffffffa0203000 dm_snapshot 22924 0 - Live 0xffffffffa01f8000 dm_mirror 14648 0 - Live 0xffffffffa01ef000 dm_region_hash 12736 1 dm_mirror, Live 0xffffffffa01e9000 dm_log 9924 2 dm_mirror,dm_region_hash, Live 0xffffffffa01e1000 dm_mod 59384 3 dm_snapshot,dm_mirror,dm_log, Live 0xffffffffa01cd000 loop 15980 0 - Live 0xffffffffa01c4000 snd_pcm 78472 0 - Live 0xffffffffa01a3000 snd_timer 21824 1 snd_pcm, Live 0xffffffffa0198000 snd 63912 2 snd_pcm,snd_timer, Live 0xffffffffa0183000 i2c_nforce2 7864 0 - Live 0xffffffffa017c000 i2c_core 25456 1 i2c_nforce2, Live 0xffffffffa0170000 soundcore 7984 1 snd, Live 0xffffffffa0169000 snd_page_alloc 9984 1 snd_pcm, Live 0xffffffffa0161000 k8temp 5152 0 - Live 0xffffffffa015a000 evdev 10448 0 - Live 0xffffffffa0152000 button 6512 0 - Live 0xffffffffa014b000 pcspkr 2800 0 - Live 0xffffffffa0145000 serio_raw 5844 0 - Live 0xffffffffa013e000 processor 40208 0 - Live 0xffffffffa012f000 ext3 122848 3 - Live 0xffffffffa010c000 jbd 48152 1 ext3, Live 0xffffffffa00fb000 mbcache 8804 1 ext3, Live 0xffffffffa00f3000 sd_mod 33736 6 - Live 0xffffffffa00df000 crc_t10dif 2096 1 sd_mod, Live 0xffffffffa00dc000 ata_generic 5924 0 - Live 0xffffffffa00d5000 ide_pci_generic 4964 0 - Live 0xffffffffa00ce000 ide_core 104976 1 ide_pci_generic, Live 0xffffffffa00af000 ohci_hcd 22812 0 - Live 0xffffffffa00a4000 sata_nv 24952 4 - Live 0xffffffffa0098000 libata 175660 2 ata_generic,sata_nv, Live 0xffffffffa0067000 forcedeth 52668 0 - Live 0xffffffffa0055000 scsi_mod 158768 2 sd_mod,libata, Live 0xffffffffa0028000 ehci_hcd 33996 0 - Live 0xffffffffa001a000 thermal 15936 0 - Live 0xffffffffa0011000 fan 5240 0 - Live 0xffffffffa000a000 thermal_sys 16448 3 processor,thermal,fan, Live 0xffffffffa0000000 + _________________________ /proc/meminfo + cat /proc/meminfo MemTotal: 2061536 kB MemFree: 36184 kB Buffers: 280192 kB Cached: 1112904 kB SwapCached: 3824 kB Active: 808972 kB Inactive: 872724 kB Active(anon): 202012 kB Inactive(anon): 86648 kB Active(file): 606960 kB Inactive(file): 786076 kB Unevictable: 0 kB Mlocked: 0 kB SwapTotal: 6032368 kB SwapFree: 5954736 kB Dirty: 260 kB Writeback: 0 kB AnonPages: 285248 kB Mapped: 47264 kB Slab: 303064 kB SReclaimable: 283204 kB SUnreclaim: 19860 kB PageTables: 20152 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB CommitLimit: 7063136 kB Committed_AS: 815460 kB VmallocTotal: 34359738367 kB VmallocUsed: 274492 kB VmallocChunk: 34359433847 kB HugePages_Total: 0 HugePages_Free: 0 HugePages_Rsvd: 0 HugePages_Surp: 0 Hugepagesize: 2048 kB DirectMap4k: 7744 kB DirectMap2M: 2088960 kB + _________________________ /proc/net/ipsec-ls + test -f /proc/net/ipsec_version + _________________________ usr/src/linux/.config + test -f /proc/config.gz ++ uname -r + test -f /lib/modules/2.6.30-2-amd64/build/.config + echo 'no .config file found, cannot list kernel properties' no .config file found, cannot list kernel properties + _________________________ etc/syslog.conf + _________________________ etc/syslog-ng/syslog-ng.conf + cat /etc/syslog-ng/syslog-ng.conf cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory + cat /etc/syslog.conf # /etc/syslog.conf Configuration file for syslogd. # # For more information see syslog.conf(5) # manpage. # # First some standard logfiles. Log by facility. # auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog #cron.* /var/log/cron.log daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log user.* -/var/log/user.log # # Logging for the mail system. Split it up so that # it is easy to write scripts to parse these files. # mail.info -/var/log/mail.info mail.warn -/var/log/mail.warn mail.err /var/log/mail.err # Logging for INN news system # news.crit /var/log/news/news.crit news.err /var/log/news/news.err news.notice -/var/log/news/news.notice # # Some `catch-all' logfiles. # *.=debug;\ auth,authpriv.none;\ news.none;mail.none -/var/log/debug *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -/var/log/messages # # Emergencies are sent to everybody logged in. # *.emerg * # # I like to have messages displayed on the console, but only on a virtual # console I usually leave idle. # #daemon,mail.*;\ # news.=crit;news.=err;news.=notice;\ # *.=debug;*.=info;\ # *.=notice;*.=warn /dev/tty8 # The named pipe /dev/xconsole is for the `xconsole' utility. To use it, # you must invoke `xconsole' with the `-file' option: # # $ xconsole -file /dev/xconsole [...] # # NOTE: adjust the list below, or you'll go crazy if you have a reasonably # busy site.. # daemon.*;mail.*;\ news.err;\ *.=debug;*.=info;\ *.=notice;*.=warn |/dev/xconsole + _________________________ etc/resolv.conf + cat /etc/resolv.conf #/etc/resolv.conf search wonderproxy.com paulhost.ca watchmephotoshop.com nameserver 127.0.0.1 + _________________________ lib/modules-ls + ls -ltr /lib/modules total 8 drwxr-xr-x 3 root root 4096 Aug 18 2009 2.6.30-1-amd64 drwxr-xr-x 3 root root 4096 Jan 1 21:58 2.6.30-2-amd64 + _________________________ fipscheck + cat /proc/sys/crypto/fips_enabled 0 + _________________________ /proc/ksyms-netif_rx + test -r /proc/ksyms + test -r /proc/kallsyms + egrep netif_rx /proc/kallsyms ffffffff804110a3 T netif_rx ffffffff80411deb T netif_rx_ni ffffffff804110a3 u netif_rx [forcedeth] + _________________________ lib/modules-netif_rx + modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x 2.6.30-1-amd64: 2.6.30-2-amd64: + _________________________ kern.debug + test -f /var/log/kern.debug + _________________________ klog + sed -n '1612,$p' /var/log/syslog + egrep -i 'ipsec|klips|pluto' + case "$1" in + cat Feb 23 20:14:44 hollywood ipsec_setup: Starting Openswan IPsec U2.6.master-201008.git-g6cebcb2a-dirty/K2.6.30-2-amd64... Feb 23 20:14:44 hollywood ipsec_setup: Using NETKEY(XFRM) stack Feb 23 20:14:44 hollywood ipsec_setup: multiple default routes, using 64.34.169.65 on eth0 Feb 23 20:14:44 hollywood pluto: adjusting ipsec.d to /etc/ipsec.d Feb 23 20:14:44 hollywood ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d Feb 23 20:14:44 hollywood ipsec_setup: ...Openswan IPsec started Feb 23 20:14:44 hollywood ipsec__plutorun: 002 added connection description "wonderproxy-L2TP-NAT" Feb 23 20:14:44 hollywood ipsec__plutorun: 002 added connection description "wonderproxy-L2TP" Feb 23 20:14:44 hollywood ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T Feb 23 20:14:44 hollywood ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19) Feb 23 20:14:44 hollywood ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T + _________________________ plog + sed -n '2833,$p' /var/log/auth.log + egrep -i pluto + case "$1" in + cat Feb 23 20:14:44 hollywood ipsec__plutorun: Starting Pluto subsystem... Feb 23 20:14:44 hollywood pluto[7007]: Starting Pluto (Openswan Version 2.6.master-201008.git-g6cebcb2a-dirty; Vendor ID OEH{gTnEDqgk) pid:7007 Feb 23 20:14:44 hollywood pluto[7007]: Setting NAT-Traversal port-4500 floating to on Feb 23 20:14:44 hollywood pluto[7007]: port floating activation criteria nat_t=1/port_float=1 Feb 23 20:14:44 hollywood pluto[7007]: NAT-Traversal support [enabled] Feb 23 20:14:44 hollywood pluto[7007]: using /dev/urandom as source of random entropy Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0) Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0) Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0) Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0) Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0) Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0) Feb 23 20:14:44 hollywood pluto[7007]: starting up 1 cryptographic helpers Feb 23 20:14:44 hollywood pluto[7011]: using /dev/urandom as source of random entropy Feb 23 20:14:44 hollywood pluto[7007]: started helper pid=7011 (fd:7) Feb 23 20:14:44 hollywood pluto[7007]: Using Linux 2.6 IPsec interface code on 2.6.30-2-amd64 (experimental code) Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): Activating : Ok (ret=0) Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_add(): ERROR: Algorithm already exists Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): Activating : FAILED (ret=-17) Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_add(): ERROR: Algorithm already exists Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): Activating : FAILED (ret=-17) Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_add(): ERROR: Algorithm already exists Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): Activating : FAILED (ret=-17) Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_add(): ERROR: Algorithm already exists Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): Activating : FAILED (ret=-17) Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_add(): ERROR: Algorithm already exists Feb 23 20:14:44 hollywood pluto[7007]: ike_alg_register_enc(): Activating : FAILED (ret=-17) Feb 23 20:14:44 hollywood pluto[7007]: Changed path to directory '/etc/ipsec.d/cacerts' Feb 23 20:14:44 hollywood pluto[7007]: Changed path to directory '/etc/ipsec.d/aacerts' Feb 23 20:14:44 hollywood pluto[7007]: Changed path to directory '/etc/ipsec.d/ocspcerts' Feb 23 20:14:44 hollywood pluto[7007]: Changing to directory '/etc/ipsec.d/crls' Feb 23 20:14:44 hollywood pluto[7007]: Warning: empty directory Feb 23 20:14:44 hollywood pluto[7007]: added connection description "wonderproxy-L2TP-NAT" Feb 23 20:14:44 hollywood pluto[7007]: added connection description "wonderproxy-L2TP" Feb 23 20:14:44 hollywood pluto[7007]: listening for IKE messages Feb 23 20:14:44 hollywood pluto[7007]: NAT-Traversal: Trying new style NAT-T Feb 23 20:14:44 hollywood pluto[7007]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19) Feb 23 20:14:44 hollywood pluto[7007]: NAT-Traversal: Trying old style NAT-T Feb 23 20:14:44 hollywood pluto[7007]: adding interface eth0:1/eth0:1 64.34.173.20:500 Feb 23 20:14:44 hollywood pluto[7007]: adding interface eth0:1/eth0:1 64.34.173.20:4500 Feb 23 20:14:44 hollywood pluto[7007]: adding interface eth0/eth0 64.34.169.81:500 Feb 23 20:14:44 hollywood pluto[7007]: adding interface eth0/eth0 64.34.169.81:4500 Feb 23 20:14:44 hollywood pluto[7007]: adding interface lo/lo 127.0.0.1:500 Feb 23 20:14:44 hollywood pluto[7007]: adding interface lo/lo 127.0.0.1:4500 Feb 23 20:14:44 hollywood pluto[7007]: adding interface lo/lo ::1:500 Feb 23 20:14:44 hollywood pluto[7007]: loading secrets from "/etc/ipsec.secrets" Feb 23 20:14:53 hollywood pluto[7007]: packet from 96.255.200.208:500: received Vendor ID payload [Openswan (this version) 2.6.master-201008.git-g6cebcb2a-dirty ] Feb 23 20:14:53 hollywood pluto[7007]: packet from 96.255.200.208:500: received Vendor ID payload [Dead Peer Detection] Feb 23 20:14:53 hollywood pluto[7007]: packet from 96.255.200.208:500: received Vendor ID payload [RFC 3947] method set to=109 Feb 23 20:14:53 hollywood pluto[7007]: packet from 96.255.200.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109 Feb 23 20:14:53 hollywood pluto[7007]: packet from 96.255.200.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109 Feb 23 20:14:53 hollywood pluto[7007]: packet from 96.255.200.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109 Feb 23 20:14:53 hollywood pluto[7007]: packet from 96.255.200.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[1] 96.255.200.208 #1: responding to Main Mode from unknown peer 96.255.200.208 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[1] 96.255.200.208 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[1] 96.255.200.208 #1: STATE_MAIN_R1: sent MR1, expecting MI2 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[1] 96.255.200.208 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[1] 96.255.200.208 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[1] 96.255.200.208 #1: STATE_MAIN_R2: sent MR2, expecting MI3 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[1] 96.255.200.208 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3' Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[1] 96.255.200.208 #1: switched from "wonderproxy-L2TP-NAT" to "wonderproxy-L2TP-NAT" Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #1: deleting connection "wonderproxy-L2TP-NAT" instance with peer 96.255.200.208 {isakmp=#0/ipsec=#0} Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #1: new NAT mapping for #1, was 96.255.200.208:500, now 96.255.200.208:4500 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048} Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #1: the peer proposed: 64.34.173.20/32:17/1701 -> 192.168.1.3/32:17/0 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #2: responding to Quick Mode proposal {msgid:ce210253} Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #2: us: 64.34.173.20<64.34.173.20>[+S=C]:17/1701 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #2: them: 96.255.200.208[192.168.1.3,+S=C]:17/1701===192.168.1.3/32 Feb 23 20:14:53 hollywood pluto[7007]: | NAT-OA: 32 tunnel: 1 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 Feb 23 20:14:53 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xb28b615c <0xa3dd0b72 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.3 NATD=96.255.200.208:4500 DPD=none} Feb 23 20:15:03 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xb24174fc) not found (maybe expired) Feb 23 20:15:03 hollywood pluto[7007]: "wonderproxy-L2TP-NAT"[2] 96.255.200.208 #1: received and ignored informational message + _________________________ date + date Tue Feb 23 20:15:20 EST 2010