openswan ipsec -- VPN error


Vinod Parmar

Oct 13, 2008, 7:33:21 AM
to VG...@googlegroups.com
Hi all,

I have configured the VPN as per the guide given at http://megaz.arbuz.com/2005/01/28/linux-vpn-guide

My l2tpd starts correctly, but when I start ipsec it shows
 
ipsec_setup: Starting Openswan IPsec U2.6.14/K2.6.18-8.el5...
ipsec_setup: WARNING: overridemtu= is ignored when using the NETKEY stack
ipsec_setup:
ipsec_setup:
ipsec_setup: pluto appears to be running already (`/var/run/pluto/pluto.pid' exists), will not start another
 
When I run the command "service ipsec status"
it shows
IPsec stopped
but...
has subsystem lock (/var/lock/subsys/ipsec)!
I couldn't find the exact error.
I have also attached the output of the "ipsec barf" command.

My /var/log/secure log is
 
Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Oct 13 16:21:48 ahd2 pluto[31252]: Could not change to directory '/etc/ipsec.d/cacerts': /root
Oct 13 16:21:48 ahd2 pluto[31252]: Could not change to directory '/etc/ipsec.d/aacerts': /root
Oct 13 16:21:48 ahd2 pluto[31252]: Could not change to directory '/etc/ipsec.d/ocspcerts': /root
Oct 13 16:21:48 ahd2 pluto[31252]: Could not change to directory '/etc/ipsec.d/crls'
Oct 13 16:21:48 ahd2 pluto[31252]: Changing back to directory '/root' failed - (2 No such file or directory)
Oct 13 16:21:48 ahd2 pluto[31252]: Changing back to directory '/root' failed - (2 No such file or directory)
 
--
With Regards,
Vinod Parmar
(Mobile : - 9924533889)
ipsec.barf.output.txt
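A small diagnosis script for the three things the log and status output above point at, added here as an example; it is not part of the original post and not Openswan's own tooling. It classifies the pluto pid file and the subsystem lock (what lies behind "pluto appears to be running already" and "IPsec stopped but... has subsystem lock"), lists which of the /etc/ipsec.d subdirectories pluto complained about are missing, and reports the send_redirects/accept_redirects flags that ipsec verify marks FAILED under NETKEY. The paths are the RHEL 5 defaults visible in the barf output and can be overridden through the environment; the function names and the diagnose/fix-redirects arguments are my own. It assumes it runs as root, since it reads the pid file under /var/run/pluto and writes under /proc/sys.

```shell
#!/bin/sh
# Added example (not from the original post or from Openswan): check the
# three conditions behind the errors in the thread.  Paths are the RHEL 5
# defaults shown in the barf output; override them via the environment.
PLUTO_PIDFILE=${PLUTO_PIDFILE:-/var/run/pluto/pluto.pid}
IPSEC_LOCK=${IPSEC_LOCK:-/var/lock/subsys/ipsec}
IPSEC_D=${IPSEC_D:-/etc/ipsec.d}
IPV4_CONF=${IPV4_CONF:-/proc/sys/net/ipv4/conf}

# pluto_state PIDFILE LOCKFILE
# Prints one word:
#   running    pid file names a live process (ipsec_setup refuses a second start)
#   stale-pid  pid file exists but the pid is dead: remove it, then start again
#   lock-only  no pid file, but the subsys lock survived an unclean stop
#   stopped    nothing left behind
pluto_state() {
    ps_pidfile=$1
    ps_lockfile=$2
    if [ -s "$ps_pidfile" ]; then
        ps_pid=$(tr -cd '0-9' < "$ps_pidfile")
        # /proc/<pid> is the reliable liveness test on Linux; kill -0 is the
        # fallback (it also fails with EPERM for other users' processes).
        if [ -n "$ps_pid" ] && { [ -d "/proc/$ps_pid" ] || kill -0 "$ps_pid" 2>/dev/null; }; then
            echo running
        else
            echo stale-pid
        fi
    elif [ -e "$ps_lockfile" ]; then
        echo lock-only
    else
        echo stopped
    fi
}

# missing_ipsec_dirs DIR
# Prints each subdirectory that pluto chdir()s into at startup and that is
# absent; the posted log shows it failing on exactly these four.
missing_ipsec_dirs() {
    for mid_sub in cacerts aacerts ocspcerts crls; do
        [ -d "$1/$mid_sub" ] || echo "$mid_sub"
    done
}

# enabled_redirects CONFDIR
# Prints "iface/send_redirects" or "iface/accept_redirects" for every entry
# under CONFDIR (all/ and default/ included) where the flag is still 1.
# This is the same condition ipsec verify reports as FAILED under NETKEY.
enabled_redirects() {
    for er_file in "$1"/*/send_redirects "$1"/*/accept_redirects; do
        [ -r "$er_file" ] || continue
        if [ "$(cat "$er_file")" = 1 ]; then
            echo "${er_file#"$1"/}"
        fi
    done
}

# disable_redirects CONFDIR
# Writes 0 to every send_redirects/accept_redirects under CONFDIR.  Only
# lasts until reboot; persist it in /etc/sysctl.conf as well.
disable_redirects() {
    for dr_file in "$1"/*/send_redirects "$1"/*/accept_redirects; do
        [ -w "$dr_file" ] && echo 0 > "$dr_file"
    done
    return 0
}

# Read-only report against the live system.
diagnose() {
    echo "pluto: $(pluto_state "$PLUTO_PIDFILE" "$IPSEC_LOCK")"
    for d in $(missing_ipsec_dirs "$IPSEC_D"); do
        echo "missing: $IPSEC_D/$d   (fix: mkdir -p $IPSEC_D/$d)"
    done
    for f in $(enabled_redirects "$IPV4_CONF"); do
        echo "redirects still enabled: $IPV4_CONF/$f"
    done
}

case "${1:-diagnose}" in
    diagnose)      diagnose ;;
    fix-redirects) disable_redirects "$IPV4_CONF" ;;
    *)             echo "usage: $0 [diagnose|fix-redirects]" >&2 ;;
esac
```

In the attached barf, pluto 31252 is alive in the ps output and matches the pluto[31252] lines in /var/log/secure, so pluto_state reports running rather than stale-pid: the second start is refused correctly, and the way out is "service ipsec stop" (or "ipsec setup stop") followed by a start, not deleting the pid file. The missing /var/run/pluto/ipsec.info that ipsec showdefaults reports is consistent with the init script never having completed a start of its own. The redirect flags only survive a reboot if they are also set in /etc/sysctl.conf (net.ipv4.conf.all.send_redirects = 0, net.ipv4.conf.default.send_redirects = 0, and the same two keys for accept_redirects). Separately, under the NETKEY stack overridemtu= (as the startup warning says) and interfaces="ipsec0=eth0" in the quoted ipsec.conf have no effect; protostack=netkey in config setup states the intent explicitly.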

Alok Thaker

Oct 13, 2008, 10:49:32 AM
to VG...@googlegroups.com
Dude, are you starting the ipsec service as root? i.e. not at all good.

Alok

> ahd2.sibridgetech.com
> Mon Oct 13 16:50:54 IST 2008
> + _________________________ version
> + ipsec --version
> Linux Openswan U2.6.14/K2.6.18-8.el5 (netkey)
> See `ipsec --copyright' for copyright information.
> + _________________________ /proc/version
> + cat /proc/version
> Linux version 2.6.18-8.el5 (brewb...@ls20-bc2-14.build.redhat.com) (gcc version 4.1.1 20070105 (Red Hat 4.1.1-52)) #1 SMP Fri Jan 26 14:15:21 EST 2007
> + _________________________ /proc/net/ipsec_eroute
> + test -r /proc/net/ipsec_eroute
> + _________________________ netstat-rn
> + netstat -nr
> + head -n 100
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
> 210.211.251.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
> 0.0.0.0         210.211.251.1   0.0.0.0         UG        0 0          0 eth1
> + _________________________ /proc/net/ipsec_spi
> + test -r /proc/net/ipsec_spi
> + _________________________ /proc/net/ipsec_spigrp
> + test -r /proc/net/ipsec_spigrp
> + _________________________ /proc/net/ipsec_tncfg
> + test -r /proc/net/ipsec_tncfg
> + _________________________ /proc/net/pfkey
> + test -r /proc/net/pfkey
> + cat /proc/net/pfkey
> sk RefCnt Rmem Wmem User Inode
> ede27400 2 0 0 0 35844
> + _________________________ ip-xfrm-state
> + ip xfrm state
> + _________________________ ip-xfrm-policy
> + ip xfrm policy
> src ::/0 dst ::/0
> dir in priority 0
> src ::/0 dst ::/0
> dir in priority 0
> src ::/0 dst ::/0
> dir in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir in priority 0
> src ::/0 dst ::/0
> dir out priority 0
> src ::/0 dst ::/0
> dir out priority 0
> src ::/0 dst ::/0
> dir out priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir out priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir out priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir out priority 0
> + _________________________ /proc/crypto
> + test -r /proc/crypto
> + cat /proc/crypto
> name : sha512
> driver : sha512-generic
> module : sha512
> priority : 0
> type : digest
> blocksize : 128
> digestsize : 64
>
> name : sha384
> driver : sha384-generic
> module : sha512
> priority : 0
> type : digest
> blocksize : 96
> digestsize : 48
>
> name : deflate
> driver : deflate-generic
> module : deflate
> priority : 0
> type : compression
>
> name : twofish
> driver : twofish-generic
> module : twofish
> priority : 0
> type : cipher
> blocksize : 16
> min keysize : 16
> max keysize : 32
>
> name : tnepres
> driver : tnepres-generic
> module : serpent
> priority : 0
> type : cipher
> blocksize : 16
> min keysize : 0
> max keysize : 32
>
> name : serpent
> driver : serpent-generic
> module : serpent
> priority : 0
> type : cipher
> blocksize : 16
> min keysize : 0
> max keysize : 32
>
> name : aes
> driver : aes-generic
> module : aes
> priority : 100
> type : cipher
> blocksize : 16
> min keysize : 16
> max keysize : 32
>
> name : blowfish
> driver : blowfish-generic
> module : blowfish
> priority : 0
> type : cipher
> blocksize : 8
> min keysize : 4
> max keysize : 56
>
> name : des3_ede
> driver : des3_ede-generic
> module : des
> priority : 0
> type : cipher
> blocksize : 8
> min keysize : 24
> max keysize : 24
>
> name : des
> driver : des-generic
> module : des
> priority : 0
> type : cipher
> blocksize : 8
> min keysize : 8
> max keysize : 8
>
> name : sha256
> driver : sha256-generic
> module : sha256
> priority : 0
> type : digest
> blocksize : 64
> digestsize : 32
>
> name : md5
> driver : md5-generic
> module : md5
> priority : 0
> type : digest
> blocksize : 64
> digestsize : 16
>
> name : compress_null
> driver : compress_null-generic
> module : crypto_null
> priority : 0
> type : compression
>
> name : digest_null
> driver : digest_null-generic
> module : crypto_null
> priority : 0
> type : digest
> blocksize : 1
> digestsize : 0
>
> name : cipher_null
> driver : cipher_null-generic
> module : crypto_null
> priority : 0
> type : cipher
> blocksize : 1
> min keysize : 0
> max keysize : 0
>
> name : arc4
> driver : arc4-generic
> module : arc4
> priority : 0
> type : cipher
> blocksize : 1
> min keysize : 1
> max keysize : 256
>
> name : crc32c
> driver : crc32c-generic
> module : kernel
> priority : 0
> type : digest
> blocksize : 32
> digestsize : 4
>
> name : sha1
> driver : sha1-generic
> module : kernel
> priority : 0
> type : digest
> blocksize : 64
> digestsize : 20
>
> + __________________________/proc/sys/net/core/xfrm-star
> /usr/libexec/ipsec/barf: line 191:
> __________________________/proc/sys/net/core/xfrm-star: No such file or
> directory
> + for i in '/proc/sys/net/core/xfrm_*'
> + echo -n '/proc/sys/net/core/xfrm_aevent_etime: '
> /proc/sys/net/core/xfrm_aevent_etime: + cat
> /proc/sys/net/core/xfrm_aevent_etime
> 10
> + for i in '/proc/sys/net/core/xfrm_*'
> + echo -n '/proc/sys/net/core/xfrm_aevent_rseqth: '
> /proc/sys/net/core/xfrm_aevent_rseqth: + cat
> /proc/sys/net/core/xfrm_aevent_rseqth
> 2
> + _________________________ /proc/sys/net/ipsec-star
> + test -d /proc/sys/net/ipsec
> + _________________________ ipsec/status
> + ipsec auto --status
> 000 using kernel interface: netkey
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> 000
> 000
> 000
> + _________________________ ifconfig-a
> + ifconfig -a
> eth0 Link encap:Ethernet HWaddr 00:1C:F0:D0:30:48
> inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
> inet6 addr: fe80::21c:f0ff:fed0:3048/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:2366064 errors:0 dropped:0 overruns:0 frame:0
> TX packets:2507992 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:742288903 (707.9 MiB) TX bytes:1780754208 (1.6 GiB)
> Interrupt:233 Base address:0xc000
>
> eth1 Link encap:Ethernet HWaddr 00:1C:F0:D0:27:A1
> inet addr:210.211.251.134 Bcast:210.211.251.255 Mask:255.255.255.0
> inet6 addr: fe80::21c:f0ff:fed0:27a1/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:2464087 errors:0 dropped:0 overruns:0 frame:0
> TX packets:2210409 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:1791058114 (1.6 GiB) TX bytes:719283911 (685.9 MiB)
> Interrupt:217 Base address:0x4000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:2128 errors:0 dropped:0 overruns:0 frame:0
> TX packets:2128 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:3426597 (3.2 MiB) TX bytes:3426597 (3.2 MiB)
>
> sit0 Link encap:IPv6-in-IPv4
> NOARP MTU:1480 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> + _________________________ ip-addr-list
> + ip addr list
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
> link/ether 00:1c:f0:d0:30:48 brd ff:ff:ff:ff:ff:ff
> inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
> inet6 fe80::21c:f0ff:fed0:3048/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
> link/ether 00:1c:f0:d0:27:a1 brd ff:ff:ff:ff:ff:ff
> inet 210.211.251.134/24 brd 210.211.251.255 scope global eth1
> inet6 fe80::21c:f0ff:fed0:27a1/64 scope link
> valid_lft forever preferred_lft forever
> 4: sit0: <NOARP> mtu 1480 qdisc noop
> link/sit 0.0.0.0 brd 0.0.0.0
> + _________________________ ip-route-list
> + ip route list
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
> 210.211.251.0/24 dev eth1 proto kernel scope link src 210.211.251.134
> 169.254.0.0/16 dev eth1 scope link
> default via 210.211.251.1 dev eth1
> + _________________________ ip-rule-list
> + ip rule list
> 0: from all lookup 255
> 32766: from all lookup main
> 32767: from all lookup default
> + _________________________ ipsec_verify
> + ipsec verify --nocolour
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.14/K2.6.18-8.el5 (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
>
> Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> or NETKEY will cause the sending of bogus ICMP redirects!
>
> NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
>
> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
> or NETKEY will accept bogus ICMP redirects!
>
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
>
> Opportunistic Encryption DNS checks:
> Looking for TXT in forward dns zone: ahd2.sibridgetech.com [MISSING]
> Does the machine have at least one non-private address? [OK]
> Looking for TXT in reverse dns zone: 134.251.211.210.in-addr.arpa. [MISSING]
> + _________________________ mii-tool
> + '[' -x /sbin/mii-tool ']'
> + /sbin/mii-tool -v
> eth0: negotiated 100baseTx-FD flow-control, link ok
> product info: vendor 00:40:63, model 52 rev 9
> basic mode: autonegotiation enabled
> basic status: autonegotiation complete, link ok
> capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
> advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
> link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
> eth1: negotiated 100baseTx-FD flow-control, link ok
> product info: vendor 00:40:63, model 52 rev 9
> basic mode: autonegotiation enabled
> basic status: autonegotiation complete, link ok
> capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
> advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
> link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
> + _________________________ ipsec/directory
> + ipsec --directory
> /usr/libexec/ipsec
> + _________________________ hostname/fqdn
> + hostname --fqdn
> ahd2.sibridgetech.com
> + _________________________ hostname/ipaddress
> + hostname --ip-address
> 72.232.136.138
> + _________________________ uptime
> + uptime
> 16:51:06 up 6 days, 22:51, 2 users, load average: 0.00, 0.00, 0.00
> + _________________________ ps
> + ps alxwf
> + egrep -i 'ppid|pluto|ipsec|klips'
> F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
> 0     0 32184 27913  18   0  4448 1116 wait   S+   pts/1      0:00  \_ /bin/sh /usr/libexec/ipsec/barf
> 0     0 32275 32184  18   0  1804  484 pipe_w S+   pts/1      0:00      \_ egrep -i ppid|pluto|ipsec|klips
> 5     0 31252     1  15   0  3052  952 -      Ss   ?          0:00 /usr/libexec/ipsec/pluto
> 1     0 31253 31252  31  10  3060  576 -      SN   ?          0:00  \_ pluto helper # 0
> 0     0 31278 31252  18   0  1564  292 -      S    ?          0:00  \_ _pluto_adns
> + _________________________ ipsec/showdefaults
> + ipsec showdefaults
> ipsec showdefaults: cannot find defaults file `/var/run/pluto/ipsec.info'
> + _________________________ ipsec/conf
> + ipsec _include /etc/ipsec.conf
> + ipsec _keycensor
>
> #< /etc/ipsec.conf 1
> version 2.0
> config setup
>         interfaces="ipsec0=eth0"
>         klipsdebug=none
>         plutodebug=none
>         overridemtu=1410
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> conn %default
>         keyingtries=3
>         compress=yes
>         disablearrivalcheck=no
>         authby=secret
>         type=tunnel
>         keyexchange=ike
>         ikelifetime=240m
>         keylife=60m
> conn roadwarrior-net
>         leftsubnet=192.168.0.0/16
>         also=roadwarrior
> conn roadwarrior-all
>         leftsubnet=0.0.0.0/0
>         also=roadwarrior
> conn roadwarrior-l2tp
>         leftprotoport=17/0
>         rightprotoport=17/1701
>         also=roadwarrior
> conn roadwarrior-l2tp-updatedwin
>         leftprotoport=17/1701
>         rightprotoport=17/1701
>         also=roadwarrior
> conn roadwarrior
>         pfs=no
>         left=210.211.251.134
>         leftnexthop=210.211.251.1
>         right=%any
>         rightsubnet=vhost:%no,%priv
>         auto=add
> #Disable Opportunistic Encryption
>
> #> /etc/ipsec.conf 41
> + _________________________ ipsec/secrets
> + ipsec _include /etc/ipsec.secrets
> + ipsec _secretcensor
>
> #< /etc/ipsec.secrets 1
> ##include /etc/ipsec.d/*.secrets
>
> 210.211.251.134 %any: PSK "[sums to e0a6...]"
> + _________________________ ipsec/listall
> + ipsec auto --listall
> 000
> 000 List of Public Keys:
> 000
> 000 List of Pre-shared secrets (from /etc/ipsec.secrets)
> + '[' /etc/ipsec.d/policies ']'
> + for policy in '$POLICIES/*'
> ++ basename /etc/ipsec.d/policies/block
> + base=block
> + _________________________ ipsec/policies/block
> + cat /etc/ipsec.d/policies/block
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should never be allowed.
> #
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
>
> + for policy in '$POLICIES/*'
> ++ basename /etc/ipsec.d/policies/clear
> + base=clear
> + _________________________ ipsec/policies/clear
> + cat /etc/ipsec.d/policies/clear
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should always be in the clear.
> #
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
>
> # root name servers should be in the clear
> 192.58.128.30/32
> 198.41.0.4/32
> 192.228.79.201/32
> 192.33.4.12/32
> 128.8.10.90/32
> 192.203.230.10/32
> 192.5.5.241/32
> 192.112.36.4/32
> 128.63.2.53/32
> 192.36.148.17/32
> 193.0.14.129/32
> 199.7.83.42/32
> 202.12.27.33/32
> + for policy in '$POLICIES/*'
> ++ basename /etc/ipsec.d/policies/clear-or-private
> + base=clear-or-private
> + _________________________ ipsec/policies/clear-or-private
> + cat /etc/ipsec.d/policies/clear-or-private
> # This file defines the set of CIDRs (network/mask-length) to which
> # we will communicate in the clear, or, if the other side initiates IPSEC,
> # using encryption. This behaviour is also called "Opportunistic Responder".
> #
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
> + for policy in '$POLICIES/*'
> ++ basename /etc/ipsec.d/policies/private
> + base=private
> + _________________________ ipsec/policies/private
> + cat /etc/ipsec.d/policies/private
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should always be private (i.e. encrypted).
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
> + for policy in '$POLICIES/*'
> ++ basename /etc/ipsec.d/policies/private-or-clear
> + base=private-or-clear
> + _________________________ ipsec/policies/private-or-clear
> + cat /etc/ipsec.d/policies/private-or-clear
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should be private, if possible, but in the clear otherwise.
> #
> # If the target has a TXT (later IPSECKEY) record that specifies
> # authentication material, we will require private (i.e. encrypted)
> # communications. If no such record is found, communications will be
> # in the clear.
> #
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
> #
>
> 0.0.0.0/0
> + _________________________ ipsec/ls-libdir
> + ls -l /usr/libexec/ipsec
> total 2272
> -rwxr-xr-x 1 root root 5996 Jun 11 23:59 _copyright
> -rwxr-xr-x 1 root root 2379 Jun 11 23:59 _include
> -rwxr-xr-x 1 root root 1475 Jun 11 23:59 _keycensor
> -rwxr-xr-x 1 root root 10028 Jun 11 23:59 _pluto_adns
> -rwxr-xr-x 1 root root 2632 Jun 11 23:59 _plutoload
> -rwxr-xr-x 1 root root 7602 Jun 11 23:59 _plutorun
> -rwxr-xr-x 1 root root 13746 Jun 11 23:59 _realsetup
> -rwxr-xr-x 1 root root 1975 Jun 11 23:59 _secretcensor
> -rwxr-xr-x 1 root root 9752 Jun 11 23:59 _startklips
> -rwxr-xr-x 1 root root 9752 Jun 11 23:59 _startklips.old
> -rwxr-xr-x 1 root root 4988 Jun 11 23:59 _startnetkey
> -rwxr-xr-x 1 root root 4949 Jun 11 23:59 _updown
> -rwxr-xr-x 1 root root 14030 Jun 11 23:59 _updown.klips
> -rwxr-xr-x 1 root root 14030 Jun 11 23:59 _updown.klips.old
> -rwxr-xr-x 1 root root 13739 Jun 11 23:59 _updown.mast
> -rwxr-xr-x 1 root root 13739 Jun 11 23:59 _updown.mast.old
> -rwxr-xr-x 1 root root 8337 Jun 11 23:59 _updown.netkey
> -rwxr-xr-x 1 root root 183808 Jun 11 23:59 addconn
> -rwxr-xr-x 1 root root 6129 Jun 11 23:59 auto
> -rwxr-xr-x 1 root root 10758 Jun 11 23:59 barf
> -rwxr-xr-x 1 root root 90028 Jun 11 23:59 eroute
> -rwxr-xr-x 1 root root 20072 Jun 11 23:59 ikeping
> -rwxr-xr-x 1 root root 69744 Jun 11 23:59 klipsdebug
> -rwxr-xr-x 1 root root 1836 Jun 11 23:59 livetest
> -rwxr-xr-x 1 root root 2591 Jun 11 23:59 look
> -rwxr-xr-x 1 root root 1921 Jun 11 23:59 newhostkey
> -rwxr-xr-x 1 root root 60780 Jun 11 23:59 pf_key
> -rwxr-xr-x 1 root root 982244 Jun 11 23:59 pluto
> -rwxr-xr-x 1 root root 10176 Jun 11 23:59 ranbits
> -rwxr-xr-x 1 root root 20532 Jun 11 23:59 rsasigkey
> -rwxr-xr-x 1 root root 766 Jun 11 23:59 secrets
> lrwxrwxrwx 1 root root     30 Oct 13 11:25 setup -> ../../../etc/rc.d/init.d/ipsec
> -rwxr-xr-x 1 root root 1054 Jun 11 23:59 showdefaults
> -rwxr-xr-x 1 root root 219660 Jun 11 23:59 showhostkey
> -rwxr-xr-x 1 root root 22684 Jun 11 23:59 showpolicy
> -rwxr-xr-x 1 root root 148008 Jun 11 23:59 spi
> -rwxr-xr-x 1 root root 77276 Jun 11 23:59 spigrp
> -rwxr-xr-x 1 root root 69384 Jun 11 23:59 tncfg
> -rwxr-xr-x 1 root root 12526 Jun 11 23:59 verify
> -rwxr-xr-x 1 root root 50568 Jun 11 23:59 whack
> + _________________________ ipsec/ls-execdir
> + ls -l /usr/libexec/ipsec
> total 2272
> -rwxr-xr-x 1 root root 5996 Jun 11 23:59 _copyright
> -rwxr-xr-x 1 root root 2379 Jun 11 23:59 _include
> -rwxr-xr-x 1 root root 1475 Jun 11 23:59 _keycensor
> -rwxr-xr-x 1 root root 10028 Jun 11 23:59 _pluto_adns
> -rwxr-xr-x 1 root root 2632 Jun 11 23:59 _plutoload
> -rwxr-xr-x 1 root root 7602 Jun 11 23:59 _plutorun
> -rwxr-xr-x 1 root root 13746 Jun 11 23:59 _realsetup
> -rwxr-xr-x 1 root root 1975 Jun 11 23:59 _secretcensor
> -rwxr-xr-x 1 root root 9752 Jun 11 23:59 _startklips
> -rwxr-xr-x 1 root root 9752 Jun 11 23:59 _startklips.old
> -rwxr-xr-x 1 root root 4988 Jun 11 23:59 _startnetkey
> -rwxr-xr-x 1 root root 4949 Jun 11 23:59 _updown
> -rwxr-xr-x 1 root root 14030 Jun 11 23:59 _updown.klips
> -rwxr-xr-x 1 root root 14030 Jun 11 23:59 _updown.klips.old
> -rwxr-xr-x 1 root root 13739 Jun 11 23:59 _updown.mast
> -rwxr-xr-x 1 root root 13739 Jun 11 23:59 _updown.mast.old
> -rwxr-xr-x 1 root root 8337 Jun 11 23:59 _updown.netkey
> -rwxr-xr-x 1 root root 183808 Jun 11 23:59 addconn
> -rwxr-xr-x 1 root root 6129 Jun 11 23:59 auto
> -rwxr-xr-x 1 root root 10758 Jun 11 23:59 barf
> -rwxr-xr-x 1 root root 90028 Jun 11 23:59 eroute
> -rwxr-xr-x 1 root root 20072 Jun 11 23:59 ikeping
> -rwxr-xr-x 1 root root 69744 Jun 11 23:59 klipsdebug
> -rwxr-xr-x 1 root root 1836 Jun 11 23:59 livetest
> -rwxr-xr-x 1 root root 2591 Jun 11 23:59 look
> -rwxr-xr-x 1 root root 1921 Jun 11 23:59 newhostkey
> -rwxr-xr-x 1 root root 60780 Jun 11 23:59 pf_key
> -rwxr-xr-x 1 root root 982244 Jun 11 23:59 pluto
> -rwxr-xr-x 1 root root 10176 Jun 11 23:59 ranbits
> -rwxr-xr-x 1 root root 20532 Jun 11 23:59 rsasigkey
> -rwxr-xr-x 1 root root 766 Jun 11 23:59 secrets
> lrwxrwxrwx 1 root root     30 Oct 13 11:25 setup -> ../../../etc/rc.d/init.d/ipsec
> -rwxr-xr-x 1 root root 1054 Jun 11 23:59 showdefaults
> -rwxr-xr-x 1 root root 219660 Jun 11 23:59 showhostkey
> -rwxr-xr-x 1 root root 22684 Jun 11 23:59 showpolicy
> -rwxr-xr-x 1 root root 148008 Jun 11 23:59 spi
> -rwxr-xr-x 1 root root 77276 Jun 11 23:59 spigrp
> -rwxr-xr-x 1 root root 69384 Jun 11 23:59 tncfg
> -rwxr-xr-x 1 root root 12526 Jun 11 23:59 verify
> -rwxr-xr-x 1 root root 50568 Jun 11 23:59 whack
> + _________________________ /proc/net/dev
> + cat /proc/net/dev
> Inter-|   Receive                                                |  Transmit
>  face |bytes      packets errs drop fifo frame compressed multicast|bytes      packets errs drop fifo colls carrier compressed
>     lo:   3426597    2128    0    0    0     0          0         0    3426597    2128    0    0    0     0       0          0
>   eth0: 742341090 2366268    0    0    0     0          0         0 1780947300 2508232    0    0    0     0       0          0
>   eth1:1791252525 2464331    0    0    0     0          0         0  719335932 2210617    0    0    0     0       0          0
>   sit0:         0       0    0    0    0     0          0         0          0       0    0    0    0     0       0          0
> + _________________________ /proc/net/route
> + cat /proc/net/route
> Iface   Destination     Gateway         Flags   RefCnt  Use     Metric  Mask            MTU     Window  IRTT
> eth0    0000A8C0        00000000        0001    0       0       0       00FFFFFF        0       0       0
> eth1    00FBD3D2        00000000        0001    0       0       0       00FFFFFF        0       0       0
> eth1    0000FEA9        00000000        0001    0       0       0       0000FFFF        0       0       0
> eth1    00000000        01FBD3D2        0003    0       0       0       00000000        0       0       0
> + _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
> + cat /proc/sys/net/ipv4/ip_no_pmtu_disc
> 0
> + _________________________ /proc/sys/net/ipv4/ip_forward
> + cat /proc/sys/net/ipv4/ip_forward
> 1
> + _________________________ /proc/sys/net/ipv4/tcp_ecn
> + cat /proc/sys/net/ipv4/tcp_ecn
> 0
> + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
> + cd /proc/sys/net/ipv4/conf
> + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
> all/rp_filter:1
> default/rp_filter:0
> eth0/rp_filter:0
> eth1/rp_filter:0
> lo/rp_filter:0
> + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
> + cd /proc/sys/net/ipv4/conf
> + egrep '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects
> all/accept_redirects:0
> all/secure_redirects:1
> all/send_redirects:1
> default/accept_redirects:1
> default/secure_redirects:1
> default/send_redirects:1
> eth0/accept_redirects:1
> eth0/secure_redirects:1
> eth0/send_redirects:1
> eth1/accept_redirects:1
> eth1/secure_redirects:1
> eth1/send_redirects:1
> lo/accept_redirects:1
> lo/secure_redirects:1
> lo/send_redirects:1
> + _________________________ /proc/sys/net/ipv4/tcp_window_scaling
> + cat /proc/sys/net/ipv4/tcp_window_scaling
> 1
> + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
> + cat /proc/sys/net/ipv4/tcp_adv_win_scale
> 2
> + _________________________ uname-a
> + uname -a
> Linux ahd2.sibridgetech.com 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux
> + _________________________ config-built-with
> + test -r /proc/config_built_with
> + _________________________ distro-release
> + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
> + test -f /etc/redhat-release
> + cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 5 (Tikanga)
> + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
> + test -f /etc/debian-release
> + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
> + test -f /etc/SuSE-release
> + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
> + test -f /etc/mandrake-release
> + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
> + test -f /etc/mandriva-release
> + for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
> + test -f /etc/gentoo-release
> + _________________________ /proc/net/ipsec_version
> + test -r /proc/net/ipsec_version
> + test -r /proc/net/pfkey
> ++ uname -r
> + echo 'NETKEY (2.6.18-8.el5) support detected '
> NETKEY (2.6.18-8.el5) support detected
> + _________________________ iptables
> + test -r /sbin/iptables
> + iptables -L -v -n
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   420  129K eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
>  3203  251K eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 27399   19M eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
> 25139 5992K eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   403 31051 eth1_out   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
>  2803  500K eth0_out   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain Drop (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
>    27  1897 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
>    27  1897 dropInvalid all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535
>    10   472 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900
>    11   520 dropNotSyn tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53
>
> Chain Reject (8 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
>     0     0 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
>     0     0 dropInvalid all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445
>     0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
>     0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535
>     0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900
>     0     0 dropNotSyn tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53
>
> Chain all2fw (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2fw:REJECT:'
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain all2loc (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2loc:REJECT:'
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain all2net (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2net:REJECT:'
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain dropBcast (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST
>     0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
>
> Chain dropInvalid (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
>
> Chain dropNotSyn (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02
>
> Chain dynamic (4 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain eth0_fwd (1 references)
> pkts bytes target prot opt in out source
> destination
> 2139 182K dynamic all -- * * 0.0.0.0/0
> 0.0.0.0/0 state INVALID,NEW
> 25139 5992K loc2net all -- * eth1 0.0.0.0/0
> 0.0.0.0/0
>
> Chain eth0_in (1 references)
> pkts bytes target prot opt in out source
> destination
> 446 50830 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
> state INVALID,NEW
> 3203 251K loc2fw all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain eth0_out (1 references)
> pkts bytes target prot opt in out source
> destination
> 2803 500K fw2loc all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain eth1_fwd (1 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
> state INVALID,NEW
> 27399 19M net2loc all -- * eth0 0.0.0.0/0
> 0.0.0.0/0
>
> Chain eth1_in (1 references)
> pkts bytes target prot opt in out source
> destination
> 27 1897 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
> state INVALID,NEW
> 420 129K net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain eth1_out (1 references)
> pkts bytes target prot opt in out source
> destination
> 403 31051 fw2net all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain fw2all (0 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> state RELATED,ESTABLISHED
> 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
> LOG flags 0 level 6 prefix `Shorewall:fw2all:REJECT:'
> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain fw2loc (1 references)
> pkts bytes target prot opt in out source
> destination
> 2803 500K ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain fw2net (1 references)
> pkts bytes target prot opt in out source
> destination
> 388 30014 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> state RELATED,ESTABLISHED
> 15 1037 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain loc2all (0 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> state RELATED,ESTABLISHED
> 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
> LOG flags 0 level 6 prefix `Shorewall:loc2all:REJECT:'
> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain loc2fw (1 references)
> pkts bytes target prot opt in out source
> destination
> 2757 201K ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:53
> 126 8229 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
> udp dpt:53
> 320 42601 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain loc2net (1 references)
> pkts bytes target prot opt in out source
> destination
> 23000 5810K ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:25
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:110
> 50 2396 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:443
> 1372 69932 ACCEPT tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:80
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:53
> 158 10342 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
> udp dpt:53
> 559 98905 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain logdrop (0 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain logreject (0 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain net2fw (1 references)
> pkts bytes target prot opt in out source
> destination
> 393 127K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> state RELATED,ESTABLISHED
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:53
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
> udp dpt:53
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
> udp dpt:500
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:4500
> 27 1897 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
> 17 1425 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
> LOG flags 0 level 6 prefix `Shorewall:net2fw:DROP:'
> 17 1425 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain net2loc (1 references)
> pkts bytes target prot opt in out source
> destination
> 27399 19M ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
> LOG flags 0 level 6 prefix `Shorewall:net2loc:DROP:'
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain reject (15 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
> ADDRTYPE match src-type BROADCAST
> 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
> 0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
> reject-with tcp-reset
> 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
> reject-with icmp-port-unreachable
> 0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
> reject-with icmp-host-unreachable
> 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
> reject-with icmp-host-prohibited
>
> Chain shorewall (0 references)
> pkts bytes target prot opt in out source
> destination
>
> Chain smurfs (0 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 RETURN all -- * * 0.0.0.0 0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
> ADDRTYPE match src-type BROADCAST LOG flags 0 level 6 prefix
> `Shorewall:smurfs:DROP:'
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
> ADDRTYPE match src-type BROADCAST
> 0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0
> LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
> 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
> + _________________________ iptables-nat
> + iptables -t nat -L -v -n
> Chain PREROUTING (policy ACCEPT 2208 packets, 188K bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain POSTROUTING (policy ACCEPT 11 packets, 749 bytes)
> pkts bytes target prot opt in out source
> destination
> 1971 163K eth1_masq all -- * eth1 0.0.0.0/0
> 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 11 packets, 749 bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain eth1_masq (1 references)
> pkts bytes target prot opt in out source
> destination
> 1960 163K SNAT all -- * * 192.168.0.0/24
> 0.0.0.0/0 to:210.211.251.134
> + _________________________ iptables-mangle
> + iptables -t mangle -L -v -n
> Chain PREROUTING (policy ACCEPT 56165 packets, 26M bytes)
> pkts bytes target prot opt in out source
> destination
> 56165 26M tcpre all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain INPUT (policy ACCEPT 3623 packets, 380K bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain FORWARD (policy ACCEPT 52538 packets, 25M bytes)
> pkts bytes target prot opt in out source
> destination
> 52538 25M tcfor all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 3206 packets, 531K bytes)
> pkts bytes target prot opt in out source
> destination
> 3206 531K tcout all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 55744 packets, 26M bytes)
> pkts bytes target prot opt in out source
> destination
> 55744 26M tcpost all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain tcfor (1 references)
> pkts bytes target prot opt in out source
> destination
>
> Chain tcout (1 references)
> pkts bytes target prot opt in out source
> destination
>
> Chain tcpost (1 references)
> pkts bytes target prot opt in out source
> destination
>
> Chain tcpre (1 references)
> pkts bytes target prot opt in out source
> destination
> + _________________________ /proc/modules
> + test -f /proc/modules
> + cat /proc/modules
> ipcomp6 11977 0 - Live 0xf8f4b000
> ipcomp 11465 0 - Live 0xf8f47000
> ah6 10561 0 - Live 0xf8f36000
> ah4 10305 0 - Live 0xf8f32000
> esp6 11585 0 - Live 0xf8f2e000
> esp4 11585 0 - Live 0xf8f2a000
> xfrm4_tunnel 6593 0 - Live 0xf8df1000
> xfrm4_mode_tunnel 6849 0 - Live 0xf8e64000
> xfrm4_mode_transport 6209 0 - Live 0xf8e61000
> xfrm6_mode_transport 6337 0 - Live 0xf8e36000
> xfrm6_mode_tunnel 6721 0 - Live 0xf8e14000
> xfrm6_tunnel 11233 1 ipcomp6, Live 0xf8e3a000
> sha512 13120 0 - Live 0xf8f60000
> tunnel4 7365 1 xfrm4_tunnel, Live 0xf8dee000
> tunnel6 7365 1 xfrm6_tunnel, Live 0xf8e11000
> deflate 7873 0 - Live 0xf8e07000
> zlib_deflate 21977 1 deflate, Live 0xf8f18000
> twofish 46017 0 - Live 0xf8f3a000
> serpent 29249 0 - Live 0xf8f21000
> aes 31617 0 - Live 0xf8f0f000
> blowfish 12609 0 - Live 0xf8e02000
> des 21569 0 - Live 0xf8f01000
> sha256 15297 0 - Live 0xf8df4000
> md5 8129 0 - Live 0xf8ddc000
> crypto_null 6721 0 - Live 0xf8dc8000
> af_key 40657 2 - Live 0xf8e73000
> arc4 6209 0 - Live 0xf8dcb000
> ppp_mppe 10437 0 - Live 0xf8dea000
> ppp_generic 30165 1 ppp_mppe, Live 0xf8e6a000
> slhc 10561 1 ppp_generic, Live 0xf8de6000
> i915 21569 2 - Live 0xf8e0a000
> drm 65493 3 i915, Live 0xf8e17000
> tun 14657 0 - Live 0xf8dd7000
> autofs4 23749 2 - Live 0xf8dfb000
> hidp 23105 2 - Live 0xf8ddf000
> ip6table_filter 6849 1 - Live 0xf8dc5000
> ip6_tables 18181 1 ip6table_filter, Live 0xf8dd1000
> iptable_raw 6209 0 - Live 0xf8dc2000
> xt_comment 5953 0 - Live 0xf8dce000
> xt_policy 7617 0 - Live 0xf8dbf000
> ipt_ULOG 11717 0 - Live 0xf8d8e000
> ipt_TTL 6337 0 - Live 0xf8db8000
> ipt_ttl 5953 0 - Live 0xf8db5000
> ipt_TOS 6337 0 - Live 0xf8db2000
> ipt_tos 5825 0 - Live 0xf8daf000
> ipt_TCPMSS 8129 0 - Live 0xf8dac000
> ipt_SAME 6465 0 - Live 0xf8da9000
> ipt_REJECT 9537 4 - Live 0xf8da5000
> ipt_REDIRECT 6209 0 - Live 0xf8d9b000
> ipt_recent 12497 0 - Live 0xf8da0000
> ipt_owner 6081 0 - Live 0xf8d98000
> ipt_NETMAP 6209 0 - Live 0xf8d95000
> ipt_MASQUERADE 7745 0 - Live 0xf8d92000
> ipt_LOG 10177 12 - Live 0xf8d53000
> ipt_iprange 5953 0 - Live 0xf8d84000
> ipt_hashlimit 12745 0 - Live 0xf8d89000
> ipt_ECN 7105 0 - Live 0xf8d81000
> ipt_ecn 6337 0 - Live 0xf8d7e000
> ipt_DSCP 6337 0 - Live 0xf8d7b000
> ipt_dscp 5824 0 - Live 0xf8d71000
> ipt_CLUSTERIP 12357 0 - Live 0xf8d76000
> ipt_ah 5953 0 - Live 0xf8d6e000
> ipt_addrtype 5953 4 - Live 0xf8d6b000
> ip_nat_tftp 5953 0 - Live 0xf8d61000
> ip_nat_snmp_basic 13253 0 - Live 0xf8d66000
> ip_nat_sip 8129 0 - Live 0xf8d5e000
> ip_nat_pptp 9925 0 - Live 0xf8d5a000
> ip_nat_irc 6721 0 - Live 0xf8d57000
> ip_nat_h323 11201 0 - Live 0xf8d33000
> ip_nat_ftp 7361 0 - Live 0xf8d50000
> ip_nat_amanda 6465 0 - Live 0xf8d4d000
> ip_conntrack_tftp 8249 1 ip_nat_tftp, Live 0xf8d37000
> ip_conntrack_sip 11313 1 ip_nat_sip, Live 0xf8d49000
> ip_conntrack_pptp 15569 1 ip_nat_pptp, Live 0xf8a96000
> ip_conntrack_netbios_ns 6977 0 - Live 0xf8d30000
> ip_conntrack_irc 10801 1 ip_nat_irc, Live 0xf8d2c000
> ip_conntrack_h323 51677 1 ip_nat_h323, Live 0xf8d3b000
> ip_conntrack_ftp 11697 1 ip_nat_ftp, Live 0xf8d28000
> ts_kmp 6209 5 - Live 0xf8d15000
> ip_conntrack_amanda 8901 1 ip_nat_amanda, Live 0xf8d11000
> xt_tcpmss 6337 0 - Live 0xf8d0e000
> xt_pkttype 6081 0 - Live 0xf8d0b000
> xt_physdev 6993 0 - Live 0xf8d08000
> bridge 53341 1 xt_physdev, Live 0xf8d19000
> xt_NFQUEUE 6209 0 - Live 0xf8d05000
> xt_multiport 7233 4 - Live 0xf8d02000
> xt_MARK 6465 0 - Live 0xf8cff000
> xt_mark 5953 0 - Live 0xf8cfc000
> xt_mac 6081 0 - Live 0xf8cf9000
> xt_limit 6721 0 - Live 0xf8cf6000
> xt_length 6081 0 - Live 0xf8cf3000
> xt_helper 6593 0 - Live 0xf8cf0000
> xt_dccp 7365 0 - Live 0xf8ced000
> xt_conntrack 6593 0 - Live 0xf8cea000
> xt_CONNMARK 6465 0 - Live 0xf8ce7000
> xt_connmark 6209 0 - Live 0xf8ce4000
> xt_CLASSIFY 5953 0 - Live 0xf8cc2000
> xt_tcpudp 7105 23 - Live 0xf8cb7000
> xt_state 6209 19 - Live 0xf8cb4000
> iptable_nat 11205 1 - Live 0xf8c76000
> ip_nat 20973 12
> ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_tftp,ip_nat_sip,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_ftp,ip_nat_amanda,iptable_nat,
> Live 0xf8cbb000
> ip_conntrack 53153 24
> ipt_MASQUERADE,ip_nat_tftp,ip_nat_snmp_basic,ip_nat_sip,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_ftp,ip_nat_amanda,ip_conntrack_tftp,ip_conntrack_sip,ip_conntrack_pptp,ip_conntrack_netbios_ns,ip_conntrack_irc,ip_conntrack_h323,ip_conntrack_ftp,ip_conntrack_amanda,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,ip_nat,
> Live 0xf8cc5000
> iptable_mangle 6849 1 - Live 0xf8c6d000
> nfnetlink 10713 2 ip_nat,ip_conntrack, Live 0xf8c69000
> iptable_filter 7105 1 - Live 0xf8c0d000
> ip_tables 17029 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter,
> Live 0xf8c89000
> x_tables 17349 46
> ip6_tables,xt_comment,xt_policy,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_TCPMSS,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_hashlimit,ipt_ECN,ipt_ecn,ipt_DSCP,ipt_dscp,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_NFQUEUE,xt_multiport,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_helper,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables,
> Live 0xf8c70000
> rfcomm 42457 0 - Live 0xf8c53000
> l2cap 29505 10 hidp,rfcomm, Live 0xf8c42000
> bluetooth 53925 5 hidp,rfcomm,l2cap, Live 0xf8c7a000
> sunrpc 142973 1 - Live 0xf8c90000
> ib_iser 34325 0 - Live 0xf8c5f000
> rdma_cm 26057 1 ib_iser, Live 0xf8c4b000
> ib_addr 10565 1 rdma_cm, Live 0xf8c09000
> ib_cm 33581 1 rdma_cm, Live 0xf8c20000
> ib_sa 16589 2 rdma_cm,ib_cm, Live 0xf8c1a000
> ib_mad 36437 2 ib_cm,ib_sa, Live 0xf8c38000
> ib_core 49217 5 ib_iser,rdma_cm,ib_cm,ib_sa,ib_mad, Live 0xf8c2a000
> iscsi_tcp 25409 0 - Live 0xf8c12000
> libiscsi 26945 2 ib_iser,iscsi_tcp, Live 0xf8aa0000
> scsi_transport_iscsi 29001 4 ib_iser,iscsi_tcp,libiscsi, Live 0xf8ac0000
> acpi_cpufreq 12485 1 - Live 0xf8a9b000
> dm_mirror 29713 0 - Live 0xf8ab7000
> dm_multipath 21577 0 - Live 0xf8a89000
> dm_mod 56665 2 dm_mirror,dm_multipath, Live 0xf8aa8000
> video 19269 0 - Live 0xf8a90000
> sbs 18533 0 - Live 0xf8a4f000
> i2c_ec 9025 1 sbs, Live 0xf8a85000
> button 10705 0 - Live 0xf8a47000
> battery 13637 0 - Live 0xf8a55000
> asus_acpi 19289 0 - Live 0xf8a7f000
> ac 9157 0 - Live 0xf8a4b000
> ipv6 251137 34 ipcomp6,ah6,esp6,xfrm6_mode_transport,xfrm6_tunnel,tunnel6,
> Live 0xf8ac9000
> lp 15849 0 - Live 0xf88c1000
> sg 35933 0 - Live 0xf8a38000
> snd_hda_intel 21333 1 - Live 0xf89ee000
> snd_hda_codec 144321 1 snd_hda_intel, Live 0xf8a5a000
> snd_seq_dummy 7877 0 - Live 0xf8839000
> snd_seq_oss 32705 0 - Live 0xf8a23000
> snd_seq_midi_event 11073 1 snd_seq_oss, Live 0xf89ce000
> snd_seq 49841 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event, Live
> 0xf8a15000
> snd_seq_device 11853 3 snd_seq_dummy,snd_seq_oss,snd_seq, Live 0xf89ca000
> snd_pcm_oss 42849 0 - Live 0xf8a09000
> snd_mixer_oss 19137 1 snd_pcm_oss, Live 0xf89e0000
> snd_pcm 71621 3 snd_hda_intel,snd_hda_codec,snd_pcm_oss, Live 0xf89f6000
> parport_pc 29157 1 - Live 0xf88f7000
> snd_timer 24901 2 snd_seq,snd_pcm, Live 0xf89c2000
> snd 51909 11
> snd_hda_intel,snd_hda_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer,
> Live 0xf89d2000
> i2c_i801 11469 0 - Live 0xf88c6000
> parport 37513 2 lp,parport_pc, Live 0xf88d3000
> via_rhine 27597 0 - Live 0xf88cb000
> mii 9409 1 via_rhine, Live 0xf8870000
> soundcore 13217 1 snd, Live 0xf885b000
> i2c_core 23745 2 i2c_ec,i2c_i801, Live 0xf8878000
> serio_raw 10693 0 - Live 0xf8826000
> pcspkr 7105 0 - Live 0xf8821000
> snd_page_alloc 13641 2 snd_hda_intel,snd_pcm, Live 0xf883f000
> ata_piix 17609 2 - Live 0xf8855000
> libata 96857 1 ata_piix, Live 0xf88de000
> sd_mod 22977 3 - Live 0xf884e000
> scsi_mod 130637 7
> ib_iser,iscsi_tcp,libiscsi,scsi_transport_iscsi,sg,libata,sd_mod, Live
> 0xf89a1000
> ext3 123081 1 - Live 0xf8981000
> jbd 56553 1 ext3, Live 0xf8861000
> ehci_hcd 32845 0 - Live 0xf8844000
> ohci_hcd 23261 0 - Live 0xf8832000
> uhci_hcd 25421 0 - Live 0xf882a000
> + _________________________ /proc/meminfo
> + cat /proc/meminfo
> MemTotal: 1027224 kB
> MemFree: 32088 kB
> Buffers: 199484 kB
> Cached: 548596 kB
> SwapCached: 0 kB
> Active: 515120 kB
> Inactive: 338596 kB
> HighTotal: 122816 kB
> HighFree: 252 kB
> LowTotal: 904408 kB
> LowFree: 31836 kB
> SwapTotal: 2096440 kB
> SwapFree: 2096440 kB
> Dirty: 264 kB
> Writeback: 0 kB
> AnonPages: 105640 kB
> Mapped: 43340 kB
> Slab: 70428 kB
> PageTables: 4144 kB
> NFS_Unstable: 0 kB
> Bounce: 0 kB
> CommitLimit: 2610052 kB
> Committed_AS: 365632 kB
> VmallocTotal: 114680 kB
> VmallocUsed: 7436 kB
> VmallocChunk: 107000 kB
> HugePages_Total: 0
> HugePages_Free: 0
> HugePages_Rsvd: 0
> Hugepagesize: 4096 kB
> + _________________________ /proc/net/ipsec-ls
> + test -f /proc/net/ipsec_version
> + _________________________ usr/src/linux/.config
> + test -f /proc/config.gz
> ++ uname -r
> + test -f /lib/modules/2.6.18-8.el5/build/.config
> ++ uname -r
> + cat /lib/modules/2.6.18-8.el5/build/.config
> CONFIG_XFRM=y
> CONFIG_XFRM_USER=y
> CONFIG_NET_KEY=m
> CONFIG_INET=y
> CONFIG_IP_MULTICAST=y
> CONFIG_IP_ADVANCED_ROUTER=y
> # CONFIG_IP_FIB_TRIE is not set
> CONFIG_IP_FIB_HASH=y
> CONFIG_IP_MULTIPLE_TABLES=y
> CONFIG_IP_ROUTE_FWMARK=y
> CONFIG_IP_ROUTE_MULTIPATH=y
> # CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
> CONFIG_IP_ROUTE_VERBOSE=y
> # CONFIG_IP_PNP is not set
> CONFIG_IP_MROUTE=y
> CONFIG_IP_PIMSM_V1=y
> CONFIG_IP_PIMSM_V2=y
> CONFIG_INET_AH=m
> CONFIG_INET_ESP=m
> CONFIG_INET_IPCOMP=m
> CONFIG_INET_XFRM_TUNNEL=m
> CONFIG_INET_TUNNEL=m
> CONFIG_INET_XFRM_MODE_TRANSPORT=m
> CONFIG_INET_XFRM_MODE_TUNNEL=m
> CONFIG_INET_DIAG=m
> CONFIG_INET_TCP_DIAG=m
> CONFIG_IP_VS=m
> # CONFIG_IP_VS_DEBUG is not set
> CONFIG_IP_VS_TAB_BITS=12
> CONFIG_IP_VS_PROTO_TCP=y
> CONFIG_IP_VS_PROTO_UDP=y
> CONFIG_IP_VS_PROTO_ESP=y
> CONFIG_IP_VS_PROTO_AH=y
> CONFIG_IP_VS_RR=m
> CONFIG_IP_VS_WRR=m
> CONFIG_IP_VS_LC=m
> CONFIG_IP_VS_WLC=m
> CONFIG_IP_VS_LBLC=m
> CONFIG_IP_VS_LBLCR=m
> CONFIG_IP_VS_DH=m
> CONFIG_IP_VS_SH=m
> CONFIG_IP_VS_SED=m
> CONFIG_IP_VS_NQ=m
> CONFIG_IP_VS_FTP=m
> CONFIG_IPV6=m
> CONFIG_IPV6_PRIVACY=y
> CONFIG_IPV6_ROUTER_PREF=y
> CONFIG_IPV6_ROUTE_INFO=y
> CONFIG_INET6_AH=m
> CONFIG_INET6_ESP=m
> CONFIG_INET6_IPCOMP=m
> CONFIG_INET6_XFRM_TUNNEL=m
> CONFIG_INET6_TUNNEL=m
> CONFIG_INET6_XFRM_MODE_TRANSPORT=m
> CONFIG_INET6_XFRM_MODE_TUNNEL=m
> CONFIG_IPV6_TUNNEL=m
> # CONFIG_IPV6_SUBTREES is not set
> CONFIG_IPV6_MULTIPLE_TABLES=y
> CONFIG_IPV6_ROUTE_FWMARK=y
> CONFIG_IP_NF_CONNTRACK=m
> CONFIG_IP_NF_CT_ACCT=y
> CONFIG_IP_NF_CONNTRACK_MARK=y
> CONFIG_IP_NF_CONNTRACK_SECMARK=y
> CONFIG_IP_NF_CONNTRACK_EVENTS=y
> CONFIG_IP_NF_CONNTRACK_NETLINK=m
> CONFIG_IP_NF_CT_PROTO_SCTP=m
> CONFIG_IP_NF_FTP=m
> CONFIG_IP_NF_IRC=m
> CONFIG_IP_NF_NETBIOS_NS=m
> CONFIG_IP_NF_TFTP=m
> CONFIG_IP_NF_AMANDA=m
> CONFIG_IP_NF_PPTP=m
> CONFIG_IP_NF_H323=m
> CONFIG_IP_NF_SIP=m
> CONFIG_IP_NF_QUEUE=m
> CONFIG_IP_NF_IPTABLES=m
> CONFIG_IP_NF_MATCH_IPRANGE=m
> CONFIG_IP_NF_MATCH_TOS=m
> CONFIG_IP_NF_MATCH_RECENT=m
> CONFIG_IP_NF_MATCH_ECN=m
> CONFIG_IP_NF_MATCH_DSCP=m
> CONFIG_IP_NF_MATCH_AH=m
> CONFIG_IP_NF_MATCH_TTL=m
> CONFIG_IP_NF_MATCH_OWNER=m
> CONFIG_IP_NF_MATCH_ADDRTYPE=m
> CONFIG_IP_NF_MATCH_HASHLIMIT=m
> CONFIG_IP_NF_FILTER=m
> CONFIG_IP_NF_TARGET_REJECT=m
> CONFIG_IP_NF_TARGET_LOG=m
> CONFIG_IP_NF_TARGET_ULOG=m
> CONFIG_IP_NF_TARGET_TCPMSS=m
> CONFIG_IP_NF_NAT=m
> CONFIG_IP_NF_NAT_NEEDED=y
> CONFIG_IP_NF_TARGET_MASQUERADE=m
> CONFIG_IP_NF_TARGET_REDIRECT=m
> CONFIG_IP_NF_TARGET_NETMAP=m
> CONFIG_IP_NF_TARGET_SAME=m
> CONFIG_IP_NF_NAT_SNMP_BASIC=m
> CONFIG_IP_NF_NAT_IRC=m
> CONFIG_IP_NF_NAT_FTP=m
> CONFIG_IP_NF_NAT_TFTP=m
> CONFIG_IP_NF_NAT_AMANDA=m
> CONFIG_IP_NF_NAT_PPTP=m
> CONFIG_IP_NF_NAT_H323=m
> CONFIG_IP_NF_NAT_SIP=m
> CONFIG_IP_NF_MANGLE=m
> CONFIG_IP_NF_TARGET_TOS=m
> CONFIG_IP_NF_TARGET_ECN=m
> CONFIG_IP_NF_TARGET_DSCP=m
> CONFIG_IP_NF_TARGET_TTL=m
> CONFIG_IP_NF_TARGET_CLUSTERIP=m
> CONFIG_IP_NF_RAW=m
> CONFIG_IP_NF_ARPTABLES=m
> CONFIG_IP_NF_ARPFILTER=m
> CONFIG_IP_NF_ARP_MANGLE=m
> CONFIG_IP6_NF_QUEUE=m
> CONFIG_IP6_NF_IPTABLES=m
> CONFIG_IP6_NF_MATCH_RT=m
> CONFIG_IP6_NF_MATCH_OPTS=m
> CONFIG_IP6_NF_MATCH_FRAG=m
> CONFIG_IP6_NF_MATCH_HL=m
> CONFIG_IP6_NF_MATCH_OWNER=m
> CONFIG_IP6_NF_MATCH_IPV6HEADER=m
> CONFIG_IP6_NF_MATCH_AH=m
> CONFIG_IP6_NF_MATCH_EUI64=m
> CONFIG_IP6_NF_FILTER=m
> CONFIG_IP6_NF_TARGET_LOG=m
> CONFIG_IP6_NF_TARGET_REJECT=m
> CONFIG_IP6_NF_MANGLE=m
> CONFIG_IP6_NF_TARGET_HL=m
> CONFIG_IP6_NF_RAW=m
> CONFIG_IP_DCCP=m
> CONFIG_INET_DCCP_DIAG=m
> CONFIG_IP_DCCP_ACKVEC=y
> CONFIG_IP_DCCP_CCID2=m
> CONFIG_IP_DCCP_CCID3=m
> CONFIG_IP_DCCP_TFRC_LIB=m
> # CONFIG_IP_DCCP_DEBUG is not set
> CONFIG_IP_SCTP=m
> # CONFIG_IPX is not set
> CONFIG_IPW2100=m
> CONFIG_IPW2100_MONITOR=y
> # CONFIG_IPW2100_DEBUG is not set
> CONFIG_IPW2200=m
> CONFIG_IPW2200_MONITOR=y
> CONFIG_IPW2200_RADIOTAP=y
> CONFIG_IPW2200_PROMISCUOUS=y
> CONFIG_IPW2200_QOS=y
> # CONFIG_IPW2200_DEBUG is not set
> CONFIG_IPPP_FILTER=y
> CONFIG_IPMI_HANDLER=m
> # CONFIG_IPMI_PANIC_EVENT is not set
> CONFIG_IPMI_DEVICE_INTERFACE=m
> CONFIG_IPMI_SI=m
> CONFIG_IPMI_WATCHDOG=m
> CONFIG_IPMI_POWEROFF=m
> CONFIG_HW_RANDOM=y
> CONFIG_HW_RANDOM_INTEL=m
> CONFIG_HW_RANDOM_AMD=m
> CONFIG_HW_RANDOM_GEODE=m
> CONFIG_HW_RANDOM_VIA=m
> CONFIG_SECURITY_NETWORK_XFRM=y
> CONFIG_CRYPTO_DEV_PADLOCK=m
> CONFIG_CRYPTO_DEV_PADLOCK_AES=y
> + _________________________ etc/syslog.conf
> + _________________________ etc/syslog-ng/syslog-ng.conf
> + cat /etc/syslog-ng/syslog-ng.conf
> cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
> + cat /etc/syslog.conf
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.* /dev/console
>
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;news.none;authpriv.none;cron.none
> /var/log/messages
>
> # The authpriv file has restricted access.
> authpriv.* /var/log/secure
>
> # Log all the mail messages in one place.
> mail.* -/var/log/maillog
>
>
> # Log cron stuff
> cron.* /var/log/cron
>
> # Everybody gets emergency messages
> *.emerg *
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit /var/log/spooler
>
> # Save boot messages also to boot.log
> local7.* /var/log/boot.log
>
> #
> # INN
> #
> news.=crit /var/log/news/news.crit
> news.=err /var/log/news/news.err
> news.notice /var/log/news/news.notice
> + _________________________ etc/resolv.conf
> + cat /etc/resolv.conf
> nameserver 202.54.10.2
> nameserver 202.54.29.5
> + _________________________ lib/modules-ls
> + ls -ltr /lib/modules
> total 8
> drwxr-xr-x 6 root root 4096 Oct 2 21:42 2.6.18-8.el5
> + _________________________ /proc/ksyms-netif_rx
> + test -r /proc/ksyms
> + test -r /proc/kallsyms
> + egrep netif_rx /proc/kallsyms
> c05a2c07 T __netif_rx_schedule
> c05a3961 T netif_rx
> c05a4d04 T netif_rx_ni
> c05a3961 U netif_rx [ppp_generic]
> c05a4d04 U netif_rx_ni [tun]
> c05a3961 U netif_rx [ipv6]
> c05a2c07 U __netif_rx_schedule [via_rhine]
> + _________________________ lib/modules-netif_rx
> + modulegoo kernel/net/ipv4/ipip.o netif_rx
> + set +x
> 2.6.18-8.el5:
> + _________________________ kern.debug
> + test -f /var/log/kern.debug
> + _________________________ klog
> + sed -n '643,$p' /var/log/messages
> + egrep -i 'ipsec|klips|pluto'
> + case "$1" in
> + cat
> Oct 13 16:47:09 ahd2 ipsec_setup: Starting Openswan IPsec
> U2.6.14/K2.6.18-8.el5...
> Oct 13 16:47:09 ahd2 ipsec_setup: WARNING: overridemtu= is ignored when
> using the NETKEY stack
> Oct 13 16:47:09 ahd2 ipsec_setup:
> Oct 13 16:47:09 ahd2 ipsec_setup:
> Oct 13 16:47:09 ahd2 ipsec_setup: pluto appears to be running already
> (`/var/run/pluto/pluto.pid' exists), will not start another
> + _________________________ plog
> + sed -n '475,$p' /var/log/secure
> + egrep -i pluto
> + case "$1" in
> + cat
> Oct 13 16:21:33 ahd2 ipsec__plutorun: Starting Pluto subsystem...
> Oct 13 16:21:33 ahd2 pluto[31069]: Starting Pluto (Openswan Version 2.6.14;
> Vendor ID OEoSJUweaqAX) pid:31069
> Oct 13 16:21:33 ahd2 pluto[31069]: Setting NAT-Traversal port-4500 floating
> to on
> Oct 13 16:21:33 ahd2 pluto[31069]: port floating activation criteria
> nat_t=1/port_float=1
> Oct 13 16:21:33 ahd2 pluto[31069]: including NAT-Traversal patch (Version
> 0.6c)
> Oct 13 16:21:33 ahd2 pluto[31069]: using /dev/urandom as source of random
> entropy
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): Activating
> OAKLEY_SERPENT_CBC: Ok (ret=0)
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): Activating
> OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_512: Ok (ret=0)
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_256: Ok (ret=0)
> Oct 13 16:21:33 ahd2 pluto[31069]: starting up 1 cryptographic helpers
> Oct 13 16:21:33 ahd2 pluto[31077]: using /dev/urandom as source of random
> entropy
> Oct 13 16:21:33 ahd2 pluto[31069]: started helper pid=31077 (fd:7)
> Oct 13 16:21:33 ahd2 pluto[31069]: Using Linux 2.6 IPsec interface code on
> 2.6.18-8.el5 (experimental code)
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): Activating
> <NULL>: Ok (ret=0)
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_add(): ERROR: Algorithm already
> exists
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_add(): ERROR: Algorithm already
> exists
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_add(): ERROR: Algorithm already
> exists
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_add(): ERROR: Algorithm already
> exists
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_add(): ERROR: Algorithm already
> exists
> Oct 13 16:21:33 ahd2 pluto[31069]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Oct 13 16:21:33 ahd2 pluto[31069]: Could not change to directory
> '/etc/ipsec.d/cacerts': /
> Oct 13 16:21:33 ahd2 pluto[31069]: Could not change to directory
> '/etc/ipsec.d/aacerts': /
> Oct 13 16:21:33 ahd2 pluto[31069]: Could not change to directory
> '/etc/ipsec.d/ocspcerts': /
> Oct 13 16:21:33 ahd2 pluto[31069]: Could not change to directory
> '/etc/ipsec.d/crls'
> Oct 13 16:21:33 ahd2 pluto[31069]: Changing back to directory '/' failed -
> (2 No such file or directory)
> Oct 13 16:21:33 ahd2 pluto[31069]: Changing back to directory '/' failed -
> (2 No such file or directory)
> Oct 13 16:21:33 ahd2 pluto[31069]: added connection description
> "roadwarrior-net"
> Oct 13 16:21:33 ahd2 pluto[31069]: added connection description
> "roadwarrior-all"
> Oct 13 16:21:33 ahd2 pluto[31069]: added connection description
> "roadwarrior-l2tp"
> Oct 13 16:21:33 ahd2 pluto[31069]: added connection description
> "roadwarrior-l2tp-updatedwin"
> Oct 13 16:21:33 ahd2 pluto[31069]: added connection description
> "roadwarrior"
> Oct 13 16:21:33 ahd2 pluto[31069]: listening for IKE messages
> Oct 13 16:21:33 ahd2 pluto[31069]: FATAL ERROR: bind() failed in
> find_raw_ifaces4(). Errno 98: Address already in use
> Oct 13 16:21:33 ahd2 pluto[31069]: "roadwarrior": deleting connection
> Oct 13 16:21:33 ahd2 pluto[31069]: "roadwarrior-l2tp-updatedwin": deleting
> connection
> Oct 13 16:21:33 ahd2 pluto[31069]: "roadwarrior-l2tp": deleting connection
> Oct 13 16:21:33 ahd2 pluto[31069]: "roadwarrior-all": deleting connection
> Oct 13 16:21:33 ahd2 pluto[31069]: "roadwarrior-net": deleting connection
> Oct 13 16:21:48 ahd2 pluto[31252]: Starting Pluto (Openswan Version 2.6.14;
> Vendor ID OEoSJUweaqAX) pid:31252
> Oct 13 16:21:48 ahd2 pluto[31252]: Setting NAT-Traversal port-4500 floating
> to off
> Oct 13 16:21:48 ahd2 pluto[31252]: port floating activation criteria
> nat_t=0/port_float=1
> Oct 13 16:21:48 ahd2 pluto[31252]: including NAT-Traversal patch (Version
> 0.6c) [disabled]
> Oct 13 16:21:48 ahd2 pluto[31252]: using /dev/urandom as source of random
> entropy
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): Activating
> OAKLEY_TWOFISH_CBC: Ok (ret=0)
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): Activating
> OAKLEY_SERPENT_CBC: Ok (ret=0)
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): Activating
> OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_512: Ok (ret=0)
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_hash(): Activating
> OAKLEY_SHA2_256: Ok (ret=0)
> Oct 13 16:21:48 ahd2 pluto[31252]: starting up 1 cryptographic helpers
> Oct 13 16:21:48 ahd2 pluto[31252]: started helper pid=31253 (fd:7)
> Oct 13 16:21:48 ahd2 pluto[31252]: Using Linux 2.6 IPsec interface code on
> 2.6.18-8.el5 (experimental code)
> Oct 13 16:21:48 ahd2 pluto[31253]: using /dev/urandom as source of random
> entropy
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): Activating
> <NULL>: Ok (ret=0)
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_add(): ERROR: Algorithm already
> exists
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_add(): ERROR: Algorithm already
> exists
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_add(): ERROR: Algorithm already
> exists
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_add(): ERROR: Algorithm already
> exists
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): WARNING: enc
> alg=0 not found in constants.c:oakley_enc_names
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_add(): ERROR: Algorithm already
> exists
> Oct 13 16:21:48 ahd2 pluto[31252]: ike_alg_register_enc(): Activating
> <NULL>: FAILED (ret=-17)
> Oct 13 16:21:48 ahd2 pluto[31252]: Could not change to directory
> '/etc/ipsec.d/cacerts': /root
> Oct 13 16:21:48 ahd2 pluto[31252]: Could not change to directory
> '/etc/ipsec.d/aacerts': /root
> Oct 13 16:21:48 ahd2 pluto[31252]: Could not change to directory
> '/etc/ipsec.d/ocspcerts': /root
> Oct 13 16:21:48 ahd2 pluto[31252]: Could not change to directory
> '/etc/ipsec.d/crls'
> Oct 13 16:21:48 ahd2 pluto[31252]: Changing back to directory '/root' failed
> - (2 No such file or directory)
> Oct 13 16:21:48 ahd2 pluto[31252]: Changing back to directory '/root' failed
> - (2 No such file or directory)

> + _________________________ date
> + date
> Mon Oct 13 16:51:06 IST 2008

ElectroMech

Oct 13, 2008, 10:26:51 PM
to VG...@googlegroups.com
When you find a subsys lock, that means the pid is assigned, but somehow, due to a configuration problem, the service cannot start, even though the pid is assigned.

Stop the service and check whether the pid still exists, then remove the pid file.

Try to correct your config file and restart the service.

On Mon, Oct 13, 2008 at 8:19 PM, Alok Thaker <alok...@gmail.com> wrote:

Dude, are you starting the ipsec service with root? I.e., not at all good.

Alok


If the length of the mail is too large, do not keep all the text in the mail. (This was a very huge text mail.)


On Mon, Oct 13, 2008 at 7:33 AM, Vinod Parmar <vinod...@gmail.com> wrote:
> Hi all,
>
> I have configured VPN as per guide given in
> http://megaz.arbuz.com/2005/01/28/linux-vpn-guide
>
> My l2tpd starts correctly, but when I start ipsec it shows
>
--

--
Nilesh Vaghela
ElectroMech
Redhat Channel Partner and Training Partner
16, Sun Rise complex,
Nr. Mansi cross Road,
Satellite Rd, Ahmedabad
25, The Emperor, Fatehgunj, Baroda.
www.electromech.info
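The check Nilesh describes (stop the service, see whether the pid in the pid file still exists, then decide about removing the pid file and the subsys lock), as an added shell helper that is not from the thread and not part of Openswan's own tooling. The default paths are the ones quoted in the thread (`/var/run/pluto/pluto.pid` and `/var/lock/subsys/ipsec`); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether Openswan's pluto pid
# file (and the init script's subsys lock) are stale before removing them.
# Default paths are the ones quoted in the thread; names here are my own.

# pidfile_state PIDFILE -> prints "alive <pid>", "stale <pid>", "missing"
# or "garbage"; exit status 0 alive, 1 stale, 2 missing, 3 garbage.
pidfile_state() {
    pidfile=$1
    if [ ! -e "$pidfile" ]; then
        echo "missing"
        return 2
    fi
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -cd '0-9')
    if [ -z "$pid" ]; then
        echo "garbage"
        return 3
    fi
    # kill -0 delivers no signal; it only asks whether the pid exists and
    # is signallable. Run this as the user that owns pluto (root), since
    # EPERM on someone else's live process would also be reported as stale.
    if kill -0 "$pid" 2>/dev/null; then
        echo "alive $pid"
        return 0
    fi
    echo "stale $pid"
    return 1
}

# ipsec_lock_report [PIDFILE] [LOCKFILE]: combine the pid file state with
# the subsys lock that "service ipsec status" complained about.
ipsec_lock_report() {
    pidfile=${1:-/var/run/pluto/pluto.pid}
    lockfile=${2:-/var/lock/subsys/ipsec}
    state=$(pidfile_state "$pidfile")
    rc=$?
    case $rc in
        0) echo "pluto is running ($state); leave $pidfile alone" ;;
        1) echo "pluto is not running but $pidfile remains ($state)"
           [ -e "$lockfile" ] && echo "subsys lock $lockfile is stale too"
           echo "after 'service ipsec stop', remove both and fix the config" ;;
        2) echo "no pid file found"
           [ -e "$lockfile" ] && echo "but $lockfile exists: remove it first" ;;
        *) echo "$pidfile is unreadable ($state); inspect it by hand" ;;
    esac
    return $rc
}
```

Source the file as root and call `ipsec_lock_report` with no arguments for the thread's paths, or pass the pid file and lock file paths explicitly; the exit status (0 alive, 1 stale, 2 missing, 3 unreadable) can drive a cleanup step in an init or monitoring script.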
