- ipsec01
- Tue Aug 13 16:51:47 CEST 2013
- + _________________________ version
- +
- + ipsec --version
- Linux Openswan U2.6.37-g955aaafb-dirty/K3.2.0-4-amd64 (netkey)
- See `ipsec --copyright' for copyright information.
- + _________________________ /proc/version
- +
- + cat /proc/version
- Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.46-1
- + _________________________ /proc/net/ipsec_eroute
- +
- + test -r /proc/net/ipsec_eroute
- + _________________________ netstat-rn
- +
- + netstat -nr
- + head -n 100
- Kernel IP routing table
- Destination Gateway Genmask Flags MSS Window irtt Iface
- 0.0.0.0 yyy.yyy.27.137 0.0.0.0 UG 0 0 0 eth0
- 192.168.210.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
- yyy.yyy.27.136 0.0.0.0 255.255.255.248 U 0 0 0 eth0
- + _________________________ /proc/net/ipsec_spi
- +
- + test -r /proc/net/ipsec_spi
- + _________________________ /proc/net/ipsec_spigrp
- +
- + test -r /proc/net/ipsec_spigrp
- + _________________________ /proc/net/ipsec_tncfg
- +
- + test -r /proc/net/ipsec_tncfg
- + _________________________ /proc/net/pfkey
- +
- + test -r /proc/net/pfkey
- + cat /proc/net/pfkey
- sk RefCnt Rmem Wmem User Inode
- + _________________________ ip-xfrm-state
- +
- + ip xfrm state
- src zzz.zzz.2.74 dst yyy.yyy.27.141
- proto esp spi 0xc9d8f36d reqid 16385 mode tunnel
- replay-window 32 flag af-unspec
- auth-trunc hmac(sha1) 0x7f963e15ad3ed8d676c69a63b4e9f1472cec6a59 96
- enc cbc(des3_ede) 0x8c17a8e99b2134d12b64832b82d108e6dd2d04b9bb4d40af
- src yyy.yyy.27.141 dst zzz.zzz.2.74
- proto esp spi 0x179eb620 reqid 16385 mode tunnel
- replay-window 32 flag af-unspec
- auth-trunc hmac(sha1) 0xf27cf79a13d2ce96b784ddec7b86355c98de2a17 96
- enc cbc(des3_ede) 0xcaac99cb56872c820e7232e0fb9bef0db92b864827ede51e
- + _________________________ ip-xfrm-policy
- +
- + ip xfrm policy
- src 192.168.210.0/24 dst 10.41.35.0/24
- dir out priority 2344 ptype main
- tmpl src yyy.yyy.27.141 dst zzz.zzz.2.74
- proto esp reqid 16385 mode tunnel
- src 10.41.35.0/24 dst 192.168.210.0/24
- dir fwd priority 2344 ptype main
- tmpl src zzz.zzz.2.74 dst yyy.yyy.27.141
- proto esp reqid 16385 mode tunnel
- src 10.41.35.0/24 dst 192.168.210.0/24
- dir in priority 2344 ptype main
- tmpl src zzz.zzz.2.74 dst yyy.yyy.27.141
- proto esp reqid 16385 mode tunnel
- src ::/0 dst ::/0
- socket out priority 0 ptype main
- src ::/0 dst ::/0
- socket in priority 0 ptype main
- src 0.0.0.0/0 dst 0.0.0.0/0
- socket out priority 0 ptype main
- src 0.0.0.0/0 dst 0.0.0.0/0
- socket in priority 0 ptype main
- src 0.0.0.0/0 dst 0.0.0.0/0
- socket out priority 0 ptype main
- src 0.0.0.0/0 dst 0.0.0.0/0
- socket in priority 0 ptype main
- src 0.0.0.0/0 dst 0.0.0.0/0
- socket out priority 0 ptype main
- src 0.0.0.0/0 dst 0.0.0.0/0
- socket in priority 0 ptype main
- src 0.0.0.0/0 dst 0.0.0.0/0
- socket out priority 0 ptype main
- src 0.0.0.0/0 dst 0.0.0.0/0
- socket in priority 0 ptype main
- src 0.0.0.0/0 dst 0.0.0.0/0
- socket out priority 0 ptype main
- src 0.0.0.0/0 dst 0.0.0.0/0
- socket in priority 0 ptype main
- src 0.0.0.0/0 dst 0.0.0.0/0
- socket out priority 0 ptype main
- src 0.0.0.0/0 dst 0.0.0.0/0
- socket in priority 0 ptype main
- + _________________________ /proc/crypto
- +
- + test -r /proc/crypto
- + cat /proc/crypto
- name : authenc(hmac(sha1),cbc(des3_ede))
- driver : authenc(hmac(sha1-ssse3),cbc(des3_ede-generic))
- module : authenc
- priority : 150
- refcnt : 3
- selftest : passed
- type : aead
- async : no
- blocksize : 8
- ivsize : 8
- maxauthsize : 20
- geniv : <built-in>
- name : cbc(des3_ede)
- driver : cbc(des3_ede-generic)
- module : kernel
- priority : 0
- refcnt : 3
- selftest : passed
- type : givcipher
- async : no
- blocksize : 8
- min keysize : 24
- max keysize : 24
- ivsize : 8
- geniv : eseqiv
- name : rfc3686(ctr(aes))
- driver : rfc3686(ctr(aes-aesni))
- module : ctr
- priority : 300
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 1
- min keysize : 20
- max keysize : 36
- ivsize : 8
- geniv : seqiv
- name : ctr(aes)
- driver : ctr(aes-aesni)
- module : ctr
- priority : 300
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 1
- min keysize : 16
- max keysize : 32
- ivsize : 16
- geniv : chainiv
- name : cbc(camellia)
- driver : cbc(camellia-generic)
- module : cbc
- priority : 100
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- ivsize : 16
- geniv : <default>
- name : cbc(serpent)
- driver : cbc(serpent-generic)
- module : cbc
- priority : 0
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 16
- min keysize : 0
- max keysize : 32
- ivsize : 16
- geniv : <default>
- name : cbc(aes)
- driver : cbc(aes-aesni)
- module : cbc
- priority : 300
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- ivsize : 16
- geniv : <default>
- name : cbc(cast5)
- driver : cbc(cast5-generic)
- module : cbc
- priority : 0
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 8
- min keysize : 5
- max keysize : 16
- ivsize : 8
- geniv : <default>
- name : cbc(des3_ede)
- driver : cbc(des3_ede-generic)
- module : cbc
- priority : 0
- refcnt : 3
- selftest : passed
- type : blkcipher
- blocksize : 8
- min keysize : 24
- max keysize : 24
- ivsize : 8
- geniv : <default>
- name : cbc(des)
- driver : cbc(des-generic)
- module : cbc
- priority : 0
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 8
- min keysize : 8
- max keysize : 8
- ivsize : 8
- geniv : <default>
- name : xcbc(aes)
- driver : xcbc(aes-aesni)
- module : xcbc
- priority : 300
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 16
- digestsize : 16
- name : hmac(rmd160)
- driver : hmac(rmd160-generic)
- module : hmac
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 64
- digestsize : 20
- name : rmd160
- driver : rmd160-generic
- module : rmd160
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 64
- digestsize : 20
- name : hmac(sha512)
- driver : hmac(sha512-generic)
- module : hmac
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 128
- digestsize : 64
- name : hmac(sha384)
- driver : hmac(sha384-generic)
- module : hmac
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 128
- digestsize : 48
- name : hmac(sha256)
- driver : hmac(sha256-generic)
- module : hmac
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 64
- digestsize : 32
- name : hmac(sha1)
- driver : hmac(sha1-ssse3)
- module : hmac
- priority : 150
- refcnt : 5
- selftest : passed
- type : shash
- blocksize : 64
- digestsize : 20
- name : sha1
- driver : sha1-ssse3
- module : sha1_ssse3
- priority : 150
- refcnt : 3
- selftest : passed
- type : shash
- blocksize : 64
- digestsize : 20
- name : sha1
- driver : sha1-generic
- module : sha1_generic
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 64
- digestsize : 20
- name : hmac(md5)
- driver : hmac(md5-generic)
- module : hmac
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 64
- digestsize : 16
- name : compress_null
- driver : compress_null-generic
- module : crypto_null
- priority : 0
- refcnt : 1
- selftest : passed
- type : compression
- name : digest_null
- driver : digest_null-generic
- module : crypto_null
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 1
- digestsize : 0
- name : ecb(cipher_null)
- driver : ecb-cipher_null
- module : crypto_null
- priority : 100
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 1
- min keysize : 0
- max keysize : 0
- ivsize : 0
- geniv : <default>
- name : cipher_null
- driver : cipher_null-generic
- module : crypto_null
- priority : 0
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 1
- min keysize : 0
- max keysize : 0
- name : camellia
- driver : camellia-generic
- module : camellia
- priority : 100
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- name : lzo
- driver : lzo-generic
- module : lzo
- priority : 0
- refcnt : 1
- selftest : passed
- type : compression
- name : cast6
- driver : cast6-generic
- module : cast6
- priority : 0
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- name : cast5
- driver : cast5-generic
- module : cast5
- priority : 0
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 8
- min keysize : 5
- max keysize : 16
- name : deflate
- driver : deflate-generic
- module : deflate
- priority : 0
- refcnt : 1
- selftest : passed
- type : compression
- name : tnepres
- driver : tnepres-generic
- module : serpent
- priority : 0
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 16
- min keysize : 0
- max keysize : 32
- name : serpent
- driver : serpent-generic
- module : serpent
- priority : 0
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 16
- min keysize : 0
- max keysize : 32
- name : blowfish
- driver : blowfish-generic
- module : blowfish_generic
- priority : 100
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 8
- min keysize : 4
- max keysize : 56
- name : ctr(blowfish)
- driver : ctr-blowfish-asm
- module : blowfish_x86_64
- priority : 300
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 1
- min keysize : 4
- max keysize : 56
- ivsize : 8
- geniv : <default>
- name : cbc(blowfish)
- driver : cbc-blowfish-asm
- module : blowfish_x86_64
- priority : 300
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 8
- min keysize : 4
- max keysize : 56
- ivsize : 8
- geniv : <default>
- name : ecb(blowfish)
- driver : ecb-blowfish-asm
- module : blowfish_x86_64
- priority : 300
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 8
- min keysize : 4
- max keysize : 56
- ivsize : 0
- geniv : <default>
- name : blowfish
- driver : blowfish-asm
- module : blowfish_x86_64
- priority : 200
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 8
- min keysize : 4
- max keysize : 56
- name : twofish
- driver : twofish-generic
- module : twofish_generic
- priority : 100
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- name : ctr(twofish)
- driver : ctr-twofish-3way
- module : twofish_x86_64_3way
- priority : 300
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 1
- min keysize : 16
- max keysize : 32
- ivsize : 16
- geniv : <default>
- name : cbc(twofish)
- driver : cbc-twofish-3way
- module : twofish_x86_64_3way
- priority : 300
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- ivsize : 16
- geniv : <default>
- name : ecb(twofish)
- driver : ecb-twofish-3way
- module : twofish_x86_64_3way
- priority : 300
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- ivsize : 0
- geniv : <default>
- name : twofish
- driver : twofish-asm
- module : twofish_x86_64
- priority : 200
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- name : sha256
- driver : sha256-generic
- module : sha256_generic
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 64
- digestsize : 32
- name : sha224
- driver : sha224-generic
- module : sha256_generic
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 64
- digestsize : 28
- name : sha512
- driver : sha512-generic
- module : sha512_generic
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 128
- digestsize : 64
- name : sha384
- driver : sha384-generic
- module : sha512_generic
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 128
- digestsize : 48
- name : des3_ede
- driver : des3_ede-generic
- module : des_generic
- priority : 0
- refcnt : 3
- selftest : passed
- type : cipher
- blocksize : 8
- min keysize : 24
- max keysize : 24
- name : des
- driver : des-generic
- module : des_generic
- priority : 0
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 8
- min keysize : 8
- max keysize : 8
- name : crc32c
- driver : crc32c-intel
- module : crc32c_intel
- priority : 200
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 1
- digestsize : 4
- name : __ghash
- driver : cryptd(__ghash-pclmulqdqni)
- module : cryptd
- priority : 50
- refcnt : 1
- selftest : passed
- type : ahash
- async : yes
- blocksize : 16
- digestsize : 16
- name : ghash
- driver : ghash-clmulni
- module : ghash_clmulni_intel
- priority : 400
- refcnt : 1
- selftest : passed
- type : ahash
- async : yes
- blocksize : 16
- digestsize : 16
- name : __ghash
- driver : __ghash-pclmulqdqni
- module : ghash_clmulni_intel
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 16
- digestsize : 16
- name : xts(aes)
- driver : xts-aes-aesni
- module : aesni_intel
- priority : 400
- refcnt : 1
- selftest : passed
- type : ablkcipher
- async : yes
- blocksize : 16
- min keysize : 32
- max keysize : 64
- ivsize : 16
- geniv : <default>
- name : pcbc(aes)
- driver : pcbc-aes-aesni
- module : aesni_intel
- priority : 400
- refcnt : 1
- selftest : passed
- type : ablkcipher
- async : yes
- blocksize : 16
- min keysize : 16
- max keysize : 32
- ivsize : 16
- geniv : <default>
- name : lrw(aes)
- driver : lrw-aes-aesni
- module : aesni_intel
- priority : 400
- refcnt : 1
- selftest : passed
- type : ablkcipher
- async : yes
- blocksize : 16
- min keysize : 32
- max keysize : 48
- ivsize : 16
- geniv : <default>
- name : rfc3686(ctr(aes))
- driver : rfc3686-ctr-aes-aesni
- module : aesni_intel
- priority : 400
- refcnt : 1
- selftest : passed
- type : ablkcipher
- async : yes
- blocksize : 1
- min keysize : 20
- max keysize : 36
- ivsize : 8
- geniv : seqiv
- name : rfc4106(gcm(aes))
- driver : rfc4106-gcm-aesni
- module : aesni_intel
- priority : 400
- refcnt : 1
- selftest : passed
- type : nivaead
- async : yes
- blocksize : 1
- ivsize : 8
- maxauthsize : 16
- geniv : seqiv
- name : __gcm-aes-aesni
- driver : __driver-gcm-aes-aesni
- module : aesni_intel
- priority : 0
- refcnt : 1
- selftest : passed
- type : aead
- async : no
- blocksize : 1
- ivsize : 0
- maxauthsize : 0
- geniv : <built-in>
- name : ctr(aes)
- driver : ctr-aes-aesni
- module : aesni_intel
- priority : 400
- refcnt : 1
- selftest : passed
- type : ablkcipher
- async : yes
- blocksize : 1
- min keysize : 16
- max keysize : 32
- ivsize : 16
- geniv : chainiv
- name : __ctr-aes-aesni
- driver : __driver-ctr-aes-aesni
- module : aesni_intel
- priority : 0
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 1
- min keysize : 16
- max keysize : 32
- ivsize : 16
- geniv : <default>
- name : cbc(aes)
- driver : cbc-aes-aesni
- module : aesni_intel
- priority : 400
- refcnt : 1
- selftest : passed
- type : ablkcipher
- async : yes
- blocksize : 16
- min keysize : 16
- max keysize : 32
- ivsize : 16
- geniv : <default>
- name : __ecb-aes-aesni
- driver : cryptd(__driver-ecb-aes-aesni)
- module : cryptd
- priority : 50
- refcnt : 1
- selftest : passed
- type : ablkcipher
- async : yes
- blocksize : 16
- min keysize : 16
- max keysize : 32
- ivsize : 0
- geniv : <default>
- name : ecb(aes)
- driver : ecb-aes-aesni
- module : aesni_intel
- priority : 400
- refcnt : 1
- selftest : passed
- type : ablkcipher
- async : yes
- blocksize : 16
- min keysize : 16
- max keysize : 32
- ivsize : 0
- geniv : <default>
- name : __cbc-aes-aesni
- driver : __driver-cbc-aes-aesni
- module : aesni_intel
- priority : 0
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- ivsize : 0
- geniv : <default>
- name : __ecb-aes-aesni
- driver : __driver-ecb-aes-aesni
- module : aesni_intel
- priority : 0
- refcnt : 1
- selftest : passed
- type : blkcipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- ivsize : 0
- geniv : <default>
- name : __aes-aesni
- driver : __driver-aes-aesni
- module : aesni_intel
- priority : 0
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- name : aes
- driver : aes-aesni
- module : aesni_intel
- priority : 300
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- name : aes
- driver : aes-asm
- module : aes_x86_64
- priority : 200
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- name : aes
- driver : aes-generic
- module : aes_generic
- priority : 100
- refcnt : 1
- selftest : passed
- type : cipher
- blocksize : 16
- min keysize : 16
- max keysize : 32
- name : stdrng
- driver : krng
- module : kernel
- priority : 200
- refcnt : 2
- selftest : passed
- type : rng
- seedsize : 0
- name : md5
- driver : md5-generic
- module : kernel
- priority : 0
- refcnt : 1
- selftest : passed
- type : shash
- blocksize : 64
- digestsize : 16
- + __________________________/proc/sys/net/core/xfrm-star
- /usr/lib/ipsec/barf: 190: /usr/lib/ipsec/barf: __________________________/proc/sys/net/core/xfrm-star: not found
- + echo -n /proc/sys/net/core/xfrm_acq_expires:
- /proc/sys/net/core/xfrm_acq_expires: + cat /proc/sys/net/core/xfrm_acq_expires
- 30
- + echo -n /proc/sys/net/core/xfrm_aevent_etime:
- /proc/sys/net/core/xfrm_aevent_etime: + cat /proc/sys/net/core/xfrm_aevent_etime
- 10
- + echo -n /proc/sys/net/core/xfrm_aevent_rseqth:
- /proc/sys/net/core/xfrm_aevent_rseqth: + cat /proc/sys/net/core/xfrm_aevent_rseqth
- 2
- + echo -n /proc/sys/net/core/xfrm_larval_drop:
- /proc/sys/net/core/xfrm_larval_drop: + cat /proc/sys/net/core/xfrm_larval_drop
- 1
- + _________________________ /proc/sys/net/ipsec-star
- +
- + test -d /proc/sys/net/ipsec
- + _________________________ ipsec/status
- +
- + ipsec auto --status
- 000 using kernel interface: netkey
- 000 interface lo/lo ::1
- 000 interface lo/lo 127.0.0.1
- 000 interface lo/lo 127.0.0.1
- 000 interface eth0:1/eth0:1 192.168.210.166
- 000 interface eth0:1/eth0:1 192.168.210.166
- 000 interface eth0/eth0 yyy.yyy.27.141
- 000 interface eth0/eth0 yyy.yyy.27.141
- 000 %myid = (none)
- 000 debug none
- 000
- 000 virtual_private (%priv):
- 000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
- 000 - disallowed 0 subnets:
- 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
- 000 private address space in internal use, it should be excluded!
- 000
- 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
- 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
- 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
- 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
- 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
- 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
- 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
- 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
- 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
- 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
- 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
- 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
- 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
- 000
- 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
- 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
- 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
- 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
- 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
- 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
- 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
- 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
- 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
- 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
- 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
- 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
- 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
- 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
- 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
- 000
- 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,3072} attrs={0,2,2048}
- 000
- 000 "net1": 192.168.210.0/24===yyy.yyy.27.141<yyy.yyy.27.141>[+S=C]---yyy.yyy.27.137...zzz.zzz.2.74<zzz.zzz.2.74>[+S=C]===10.41.35.0/24; erouted; eroute owner: #2
- 000 "net1": myip=unset; hisip=unset;
- 000 "net1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
- 000 "net1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
- 000 "net1": newest ISAKMP SA: #1; newest IPsec SA: #2;
- 000 "net1": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
- 000 "net1": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
- 000 "net1": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
- 000 "net1": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; flags=-strict
- 000 "net1": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
- 000 "net1": ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=<Phase1>
- 000
- 000 #2: "net1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27846s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
- 000 #2: "net1" esp.179eb620@zzz.zzz.2.74 esp.c9d8f36d@yyy.yyy.27.141 tun.0@zzz.zzz.2.74 tun.0@yyy.yyy.27.141 ref=0 refhim=4294901761
- 000 #1: "net1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2262s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
- 000
- + _________________________ ifconfig-a
- +
- + ifconfig -a
- eth0 Link encap:Ethernet HWaddr ac:16:2d:00:f4:be
- inet addr:yyy.yyy.27.141 Bcast:yyy.yyy.27.143 Mask:255.255.255.248
- inet6 addr: fe80::ae16:2dff:fe00:f4be/64 Scope:Link
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:26825 errors:0 dropped:0 overruns:0 frame:0
- TX packets:24098 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:1000
- RX bytes:8137237 (7.7 MiB) TX bytes:10516102 (10.0 MiB)
- Interrupt:20 Memory:f7c00000-f7c20000
- eth0:1 Link encap:Ethernet HWaddr ac:16:2d:00:f4:be
- inet addr:192.168.210.166 Bcast:192.168.210.255 Mask:255.255.255.0
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- Interrupt:20 Memory:f7c00000-f7c20000
- lo Link encap:Local Loopback
- inet addr:127.0.0.1 Mask:255.0.0.0
- inet6 addr: ::1/128 Scope:Host
- UP LOOPBACK RUNNING MTU:16436 Metric:1
- RX packets:0 errors:0 dropped:0 overruns:0 frame:0
- TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:0
- RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
- + _________________________ ip-addr-list
- +
- + ip addr list
- 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
- link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
- inet 127.0.0.1/8 scope host lo
- inet6 ::1/128 scope host
- valid_lft forever preferred_lft forever
- 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
- link/ether ac:16:2d:00:f4:be brd ff:ff:ff:ff:ff:ff
- inet 192.168.210.166/24 brd 192.168.210.255 scope global eth0:1
- inet yyy.yyy.27.141/29 brd yyy.yyy.27.143 scope global eth0
- inet6 fe80::ae16:2dff:fe00:f4be/64 scope link
- valid_lft forever preferred_lft forever
- + _________________________ ip-route-list
- +
- + ip route list
- default via yyy.yyy.27.137 dev eth0
- 192.168.210.0/24 dev eth0 proto kernel scope link src 192.168.210.166
- yyy.yyy.27.136/29 dev eth0 proto kernel scope link src yyy.yyy.27.141
- + _________________________ ip-rule-list
- +
- + ip rule list
- 0: from all lookup local
- 32766: from all lookup main
- 32767: from all lookup default
- + _________________________ ipsec_verify
- +
- + ipsec verify --nocolour
- Checking your system to see if IPsec got installed and started correctly:
- Version check and ipsec on-path [OK]
- Linux Openswan U2.6.37-g955aaafb-dirty/K3.2.0-4-amd64 (netkey)
- Checking for IPsec support in kernel [OK]
- SAref kernel support [N/A]
- NETKEY: Testing XFRM related proc values [OK]
- [OK]
- [OK]
- Checking that pluto is running [OK]
- Pluto listening for IKE on udp 500 [OK]
- Pluto listening for NAT-T on udp 4500 [OK]
- Checking for 'ip' command [OK]
- Checking /bin/sh is not /bin/dash [WARNING]
- Checking for 'iptables' command [OK]
- Opportunistic Encryption Support [DISABLED]
- + _________________________ mii-tool
- +
- + [ -x /sbin/mii-tool ]
- + /sbin/mii-tool -v
- SIOCGMIIREG on eth0 failed: Input/output error
- SIOCGMIIREG on eth0 failed: Input/output error
- eth0: negotiated 100baseTx-FD, link ok
- product info: vendor 00:55:00, model 9 rev 0
- basic mode: autonegotiation enabled
- basic status: autonegotiation complete, link ok
- capabilities: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
- advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
- link partner: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
- + _________________________ ipsec/directory
- +
- + ipsec --directory
- /usr/lib/ipsec
- + _________________________ hostname/fqdn
- +
- + hostname --fqdn
- ipsec01
- + _________________________ hostname/ipaddress
- +
- + hostname --ip-address
- 127.0.1.1
- + _________________________ uptime
- +
- + uptime
- 16:51:47 up 1:30, 3 users, load average: 0.00, 0.01, 0.05
- + _________________________ ps
- +
- + ps alxwf
- egrep -i ppid|pluto|ipsec|klips
- F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
- 0 0 5646 5238 20 0 4176 700 - S+ pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/barf
- 0 0 5733 5646 20 0 6296 596 - S+ pts/0 0:00 \_ egrep -i ppid|pluto|ipsec|klips
- 1 0 5549 1 20 0 4176 292 - S pts/0 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 --listen --crlcheckinterval 0 --ocspuri --nhelpers --dump /var/run/pluto/ --opts --stderrlog /var/log/pluto.log --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
- 1 0 5551 5549 20 0 4176 316 - S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 --listen --crlcheckinterval 0 --ocspuri --nhelpers --dump /var/run/pluto/ --opts --stderrlog /var/log/pluto.log --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
- 4 0 5555 5551 20 0 70028 3628 - S pts/0 0:00 | \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 --stderrlog
- 1 0 5559 5555 30 10 70036 1172 - SN pts/0 0:00 | \_ pluto helper # 0
- 1 0 5560 5555 30 10 70036 1172 - SN pts/0 0:00 | \_ pluto helper # 1
- 1 0 5561 5555 30 10 70036 1168 - SN pts/0 0:00 | \_ pluto helper # 2
- 0 0 5586 5555 20 0 6080 344 - S pts/0 0:00 | \_ _pluto_adns
- 0 0 5552 5549 20 0 4176 672 - S pts/0 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
- 0 0 5550 1 20 0 4084 644 - S pts/0 0:00 logger -s -p daemon.error -t ipsec__plutorun
- + _________________________ ipsec/showdefaults
- +
- + ipsec showdefaults
- routephys=eth0
- routevirt=none
- routeaddr=192.168.210.166
- routenexthop=yyy.yyy.27.137
- + _________________________ ipsec/conf
- +
- + ipsec _include /etc/ipsec.conf
- + ipsec _keycensor
- #< /etc/ipsec.conf 1
- version 2.0 # conforms to second version of ipsec.conf specification
- config setup
- dumpdir=/var/run/pluto/
- nat_traversal=yes
- virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
- oe=off
- protostack=netkey
- plutostderrlog=/var/log/pluto.log
- conn net1
- # connection
- authby=secret
- auto=start
- keylife=8h
- # phase 1 IKE
- #ike=3des-sha1;modp1028
- ike=3des-sha1
- # phase 2
- type=tunnel
- phase2=esp
- #phase2alg=3des-sha1;modp1028
- phase2alg=3des-sha1
- #psf=yes
- #keyexchange=ike
- # esp=3des-sha1
- # Linux openswan
- left=yyy.yyy.27.141
- leftsubnet=192.168.210.0/24
- #leftnexthop=yyy.yyy.27.137
- leftnexthop=%defaultroute
- # juniper ISG 2000 at net1 networks
- right=zzz.zzz.2.74
- rightsubnet=10.41.35.0/24
- # rightnexthop=%defaultroute
- + _________________________ ipsec/secrets
- +
- + ipsec _include /etc/ipsec.secrets
- + ipsec _secretcensor
- #< /etc/ipsec.secrets 1
- # This file holds shared secrets or RSA private keys for inter-Pluto
- # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
- # RSA private key for this host, authenticating it to any other host
- # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
- # or configuration of other implementations, can be extracted conveniently
- # with "[sums to ef67...]".
- # this file is managed with debconf and will contain the automatically created RSA keys
- #< /var/lib/openswan/ipsec.secrets.inc 1
- yyy.yyy.27.141 zzz.zzz.2.74: PSK "[sums to c825...]"
- #> /etc/ipsec.secrets 11
- + _________________________ ipsec/listall
- +
- + ipsec auto --listall
- 000
- 000 List of Public Keys:
- 000
- 000 List of Pre-shared secrets (from /etc/ipsec.secrets)
- 000 1: PSK zzz.zzz.2.74 yyy.yyy.27.141
- + [ /etc/ipsec.d/policies ]
- + basename /etc/ipsec.d/policies/block
- + base=block
- + _________________________ ipsec/policies/block
- +
- + cat /etc/ipsec.d/policies/block
- # This file defines the set of CIDRs (network/mask-length) to which
- # communication should never be allowed.
- #
- # See /usr/share/doc/openswan/policygroups.html for details.
- #
- # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
- #
- + basename /etc/ipsec.d/policies/clear
- + base=clear
- + _________________________ ipsec/policies/clear
- +
- + cat /etc/ipsec.d/policies/clear
- # This file defines the set of CIDRs (network/mask-length) to which
- # communication should always be in the clear.
- #
- # See /usr/share/doc/openswan/policygroups.html for details.
- #
- # root name servers should be in the clear
- 192.58.128.30/32
- 198.41.0.4/32
- 192.228.79.201/32
- 192.33.4.12/32
- 128.8.10.90/32
- 192.203.230.10/32
- 192.5.5.241/32
- 192.112.36.4/32
- 128.63.2.53/32
- 192.36.148.17/32
- 193.0.14.129/32
- 199.7.83.42/32
- 202.12.27.33/32
- + basename /etc/ipsec.d/policies/clear-or-private
- + base=clear-or-private
- + _________________________ ipsec/policies/clear-or-private
- +
- + cat /etc/ipsec.d/policies/clear-or-private
- # This file defines the set of CIDRs (network/mask-length) to which
- # we will communicate in the clear, or, if the other side initiates IPSEC,
- # using encryption. This behaviour is also called "Opportunistic Responder".
- #
- # See /usr/share/doc/openswan/policygroups.html for details.
- #
- # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
- #
- + basename /etc/ipsec.d/policies/private
- + base=private
- + _________________________ ipsec/policies/private
- +
- + cat /etc/ipsec.d/policies/private
- # This file defines the set of CIDRs (network/mask-length) to which
- # communication should always be private (i.e. encrypted).
- # See /usr/share/doc/openswan/policygroups.html for details.
- #
- # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
- #
- + basename /etc/ipsec.d/policies/private-or-clear
- + base=private-or-clear
- + _________________________ ipsec/policies/private-or-clear
- +
- + cat /etc/ipsec.d/policies/private-or-clear
- # This file defines the set of CIDRs (network/mask-length) to which
- # communication should be private, if possible, but in the clear otherwise.
- #
- # If the target has a TXT (later IPSECKEY) record that specifies
- # authentication material, we will require private (i.e. encrypted)
- # communications. If no such record is found, communications will be
- # in the clear.
- #
- # See /usr/share/doc/openswan/policygroups.html for details.
- #
- # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
- #
- 0.0.0.0/0
- + _________________________ ipsec/ls-libdir
- +
- + ls -l /usr/lib/ipsec
- total 2432
- -rwxr-xr-x 1 root root 10576 May 27 2012 _copyright
- -rwxr-xr-x 1 root root 2430 May 27 2012 _include
- -rwxr-xr-x 1 root root 1475 May 27 2012 _keycensor
- -rwxr-xr-x 1 root root 14512 May 27 2012 _pluto_adns
- -rwxr-xr-x 1 root root 2567 May 27 2012 _plutoload
- -rwxr-xr-x 1 root root 8299 May 27 2012 _plutorun
- -rwxr-xr-x 1 root root 13684 May 27 2012 _realsetup
- -rwxr-xr-x 1 root root 1975 May 27 2012 _secretcensor
- -rwxr-xr-x 1 root root 12347 May 27 2012 _startklips
- -rwxr-xr-x 1 root root 6188 May 27 2012 _startnetkey
- -rwxr-xr-x 1 root root 4911 May 27 2012 _updown
- -rwxr-xr-x 1 root root 17776 May 27 2012 _updown.klips
- -rwxr-xr-x 1 root root 17537 May 27 2012 _updown.mast
- -rwxr-xr-x 1 root root 12700 May 27 2012 _updown.netkey
- -rwxr-xr-x 1 root root 234088 May 27 2012 addconn
- -rwxr-xr-x 1 root root 6167 May 27 2012 auto
- -rwxr-xr-x 1 root root 11317 May 27 2012 barf
- -rwxr-xr-x 1 root root 97992 May 27 2012 eroute
- -rwxr-xr-x 1 root root 30888 May 27 2012 ikeping
- -rwxr-xr-x 1 root root 77800 May 27 2012 klipsdebug
- -rwxr-xr-x 1 root root 2783 May 27 2012 look
- -rwxr-xr-x 1 root root 2189 May 27 2012 newhostkey
- -rwxr-xr-x 1 root root 73224 May 27 2012 pf_key
- -rwxr-xr-x 1 root root 982248 May 27 2012 pluto
- -rwxr-xr-x 1 root root 12349 May 27 2012 policy
- -rwxr-xr-x 1 root root 10552 May 27 2012 ranbits
- -rwxr-xr-x 1 root root 27360 May 27 2012 rsasigkey
- -rwxr-xr-x 1 root root 704 May 27 2012 secrets
- lrwxrwxrwx 1 root root 17 May 27 2012 setup -> /etc/init.d/ipsec
- -rwxr-xr-x 1 root root 1126 May 27 2012 showdefaults
- -rwxr-xr-x 1 root root 292312 May 27 2012 showhostkey
- -rwxr-xr-x 1 root root 180736 May 27 2012 spi
- -rwxr-xr-x 1 root root 85656 May 27 2012 spigrp
- -rwxr-xr-x 1 root root 81192 May 27 2012 tncfg
- -rwxr-xr-x 1 root root 14674 May 27 2012 verify
- -rwxr-xr-x 1 root root 64056 May 27 2012 whack
- + _________________________ ipsec/ls-execdir
- +
- + ls -l /usr/lib/ipsec
- total 2432
- -rwxr-xr-x 1 root root 10576 May 27 2012 _copyright
- -rwxr-xr-x 1 root root 2430 May 27 2012 _include
- -rwxr-xr-x 1 root root 1475 May 27 2012 _keycensor
- -rwxr-xr-x 1 root root 14512 May 27 2012 _pluto_adns
- -rwxr-xr-x 1 root root 2567 May 27 2012 _plutoload
- -rwxr-xr-x 1 root root 8299 May 27 2012 _plutorun
- -rwxr-xr-x 1 root root 13684 May 27 2012 _realsetup
- -rwxr-xr-x 1 root root 1975 May 27 2012 _secretcensor
- -rwxr-xr-x 1 root root 12347 May 27 2012 _startklips
- -rwxr-xr-x 1 root root 6188 May 27 2012 _startnetkey
- -rwxr-xr-x 1 root root 4911 May 27 2012 _updown
- -rwxr-xr-x 1 root root 17776 May 27 2012 _updown.klips
- -rwxr-xr-x 1 root root 17537 May 27 2012 _updown.mast
- -rwxr-xr-x 1 root root 12700 May 27 2012 _updown.netkey
- -rwxr-xr-x 1 root root 234088 May 27 2012 addconn
- -rwxr-xr-x 1 root root 6167 May 27 2012 auto
- -rwxr-xr-x 1 root root 11317 May 27 2012 barf
- -rwxr-xr-x 1 root root 97992 May 27 2012 eroute
- -rwxr-xr-x 1 root root 30888 May 27 2012 ikeping
- -rwxr-xr-x 1 root root 77800 May 27 2012 klipsdebug
- -rwxr-xr-x 1 root root 2783 May 27 2012 look
- -rwxr-xr-x 1 root root 2189 May 27 2012 newhostkey
- -rwxr-xr-x 1 root root 73224 May 27 2012 pf_key
- -rwxr-xr-x 1 root root 982248 May 27 2012 pluto
- -rwxr-xr-x 1 root root 12349 May 27 2012 policy
- -rwxr-xr-x 1 root root 10552 May 27 2012 ranbits
- -rwxr-xr-x 1 root root 27360 May 27 2012 rsasigkey
- -rwxr-xr-x 1 root root 704 May 27 2012 secrets
- lrwxrwxrwx 1 root root 17 May 27 2012 setup -> /etc/init.d/ipsec
- -rwxr-xr-x 1 root root 1126 May 27 2012 showdefaults
- -rwxr-xr-x 1 root root 292312 May 27 2012 showhostkey
- -rwxr-xr-x 1 root root 180736 May 27 2012 spi
- -rwxr-xr-x 1 root root 85656 May 27 2012 spigrp
- -rwxr-xr-x 1 root root 81192 May 27 2012 tncfg
- -rwxr-xr-x 1 root root 14674 May 27 2012 verify
- -rwxr-xr-x 1 root root 64056 May 27 2012 whack
- + _________________________ /proc/net/dev
- +
- + cat /proc/net/dev
- Inter-| Receive | Transmit
- face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
- lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
- eth0: 8137723 26829 0 0 0 0 0 150 10516468 24102 0 0 0 0 0 0
- + _________________________ /proc/net/route
- +
- + cat /proc/net/route
- Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
- eth0 00000000 891BF3C3 0003 0 0 0 00000000 0 0 0
- eth0 00D2A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
- eth0 881BF3C3 00000000 0001 0 0 0 F8FFFFFF 0 0 0
- + _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
- +
- + cat /proc/sys/net/ipv4/ip_no_pmtu_disc
- 0
- + _________________________ /proc/sys/net/ipv4/ip_forward
- +
- + cat /proc/sys/net/ipv4/ip_forward
- 1
- + _________________________ /proc/sys/net/ipv4/tcp_ecn
- +
- + cat /proc/sys/net/ipv4/tcp_ecn
- 2
- + _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
- +
- + cd /proc/sys/net/ipv4/conf
- + egrep ^ all/rp_filter default/rp_filter eth0/rp_filter lo/rp_filter
- all/rp_filter:0
- default/rp_filter:0
- eth0/rp_filter:0
- lo/rp_filter:0
- + _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
- +
- + cd /proc/sys/net/ipv4/conf
- + egrep ^ all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects
- all/accept_redirects:0
- all/secure_redirects:1
- all/send_redirects:0
- default/accept_redirects:0
- default/secure_redirects:1
- default/send_redirects:0
- eth0/accept_redirects:0
- eth0/secure_redirects:1
- eth0/send_redirects:0
- lo/accept_redirects:0
- lo/secure_redirects:1
- lo/send_redirects:0
- + _________________________ /proc/sys/net/ipv4/tcp_window_scaling
- +
- + cat /proc/sys/net/ipv4/tcp_window_scaling
- 1
- + _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
- +
- + cat /proc/sys/net/ipv4/tcp_adv_win_scale
- 1
- + _________________________ uname-a
- +
- + uname -a
- Linux ipsec01 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux
- + _________________________ config-built-with
- +
- + test -r /proc/config_built_with
- + _________________________ distro-release
- +
- + test -f /etc/redhat-release
- + test -f /etc/debian-release
- + test -f /etc/SuSE-release
- + test -f /etc/mandrake-release
- + test -f /etc/mandriva-release
- + test -f /etc/gentoo-release
- + _________________________ /proc/net/ipsec_version
- +
- + test -r /proc/net/ipsec_version
- + test -r /proc/net/pfkey
- + uname -r
- + echo NETKEY (3.2.0-4-amd64) support detected
- NETKEY (3.2.0-4-amd64) support detected
- + _________________________ iptables
- +
- + test -r /sbin/iptables-save
- + iptables-save
- # Generated by iptables-save v1.4.14 on Tue Aug 13 16:51:47 2013
- *filter
- :INPUT ACCEPT [7439:429177]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [6918:2681120]
- -A FORWARD -i eth0:0 -j ACCEPT
- COMMIT
- # Completed on Tue Aug 13 16:51:47 2013
- # Generated by iptables-save v1.4.14 on Tue Aug 13 16:51:47 2013
- *mangle
- :PREROUTING ACCEPT [9309:667224]
- :INPUT ACCEPT [9309:667224]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [8235:3066592]
- :POSTROUTING ACCEPT [8235:3066592]
- COMMIT
- # Completed on Tue Aug 13 16:51:47 2013
- # Generated by iptables-save v1.4.14 on Tue Aug 13 16:51:47 2013
- *nat
- :PREROUTING ACCEPT [7:445]
- :INPUT ACCEPT [7:445]
- :OUTPUT ACCEPT [30:1968]
- :POSTROUTING ACCEPT [0:0]
- -A POSTROUTING -j MASQUERADE
- -A POSTROUTING -o eth0 -j MASQUERADE
- COMMIT
- # Completed on Tue Aug 13 16:51:47 2013
- + _________________________ iptables-nat
- +
- + iptables-save -t nat
- # Generated by iptables-save v1.4.14 on Tue Aug 13 16:51:47 2013
- *nat
- :PREROUTING ACCEPT [7:445]
- :INPUT ACCEPT [7:445]
- :OUTPUT ACCEPT [30:1968]
- :POSTROUTING ACCEPT [0:0]
- -A POSTROUTING -j MASQUERADE
- -A POSTROUTING -o eth0 -j MASQUERADE
- COMMIT
- # Completed on Tue Aug 13 16:51:47 2013
- + _________________________ iptables-mangle
- +
- + iptables-save -t mangle
- # Generated by iptables-save v1.4.14 on Tue Aug 13 16:51:47 2013
- *mangle
- :PREROUTING ACCEPT [9309:667224]
- :INPUT ACCEPT [9309:667224]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [8235:3066592]
- :POSTROUTING ACCEPT [8235:3066592]
- COMMIT
- # Completed on Tue Aug 13 16:51:47 2013
- + _________________________ ip6tables
- +
- + test -r /sbin/ip6tables-save
- + ip6tables-save
- # Generated by ip6tables-save v1.4.14 on Tue Aug 13 16:51:47 2013
- *mangle
- :PREROUTING ACCEPT [0:0]
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :POSTROUTING ACCEPT [0:0]
- COMMIT
- # Completed on Tue Aug 13 16:51:47 2013
- + _________________________ ip6tables-mangle
- +
- + ip6tables-save -t mangle
- # Generated by ip6tables-save v1.4.14 on Tue Aug 13 16:51:47 2013
- *mangle
- :PREROUTING ACCEPT [0:0]
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :POSTROUTING ACCEPT [0:0]
- COMMIT
- # Completed on Tue Aug 13 16:51:47 2013
- + _________________________ ip6tables
- +
- + _________________________ /proc/modules
- +
- + test -f /proc/modules
- + cat /proc/modules
- xfrm_user 27310 2 - Live 0xffffffffa051e000
- ah6 12802 0 - Live 0xffffffffa0519000
- ah4 12755 0 - Live 0xffffffffa0514000
- esp6 12796 0 - Live 0xffffffffa050f000
- esp4 12792 2 - Live 0xffffffffa050a000
- xfrm4_mode_beet 12475 0 - Live 0xffffffffa0505000
- xfrm4_tunnel 12617 0 - Live 0xffffffffa0500000
- xfrm4_mode_tunnel 12496 4 - Live 0xffffffffa04f6000
- xfrm4_mode_transport 12490 0 - Live 0xffffffffa04f1000
- xfrm6_mode_transport 12490 0 - Live 0xffffffffa04ec000
- xfrm6_mode_ro 12430 0 - Live 0xffffffffa04e7000
- xfrm6_mode_beet 12522 0 - Live 0xffffffffa04e2000
- xfrm6_mode_tunnel 12581 2 - Live 0xffffffffa04dd000
- ipcomp 12507 0 - Live 0xffffffffa04d8000
- ipcomp6 12507 0 - Live 0xffffffffa04d3000
- xfrm6_tunnel 13032 1 ipcomp6, Live 0xffffffffa04ce000
- tunnel6 12592 1 xfrm6_tunnel, Live 0xffffffffa04bf000
- xfrm_ipcomp 12600 2 ipcomp,ipcomp6, Live 0xffffffffa04c9000
- af_key 31759 0 - Live 0xffffffffa04b6000
- iptable_filter 12536 1 - Live 0xffffffffa0608000
- ip6table_mangle 12540 0 - Live 0xffffffffa0603000
- ip6_tables 22175 1 ip6table_mangle, Live 0xffffffffa05f8000
- iptable_mangle 12536 0 - Live 0xffffffffa05e4000
- nfnetlink_log 17212 0 - Live 0xffffffffa05f2000
- nfnetlink 12906 1 nfnetlink_log, Live 0xffffffffa05e9000
- authenc 13417 2 - Live 0xffffffffa05d4000
- rmd160 16640 0 - Live 0xffffffffa05d9000
- sha1_ssse3 16983 2 - Live 0xffffffffa05ce000
- sha1_generic 12582 1 sha1_ssse3, Live 0xffffffffa05c9000
- hmac 12835 4 - Live 0xffffffffa05c4000
- crypto_null 12732 0 - Live 0xffffffffa05bf000
- camellia 29068 0 - Live 0xffffffffa05b6000
- lzo 12531 0 - Live 0xffffffffa05b1000
- cast6 16681 0 - Live 0xffffffffa05ab000
- cast5 24829 0 - Live 0xffffffffa05a3000
- deflate 12551 0 - Live 0xffffffffa059e000
- zlib_deflate 25638 1 deflate, Live 0xffffffffa0596000
- cts 12811 0 - Live 0xffffffffa0591000
- ctr 12979 0 - Live 0xffffffffa058c000
- gcm 19077 0 - Live 0xffffffffa0582000
- ccm 17727 0 - Live 0xffffffffa057c000
- serpent 29015 0 - Live 0xffffffffa0573000
- blowfish_generic 12464 0 - Live 0xffffffffa056e000
- blowfish_x86_64 21201 0 - Live 0xffffffffa0567000
- blowfish_common 16487 2 blowfish_generic,blowfish_x86_64, Live 0xffffffffa0561000
- twofish_generic 16569 0 - Live 0xffffffffa055b000
- twofish_x86_64_3way 25167 0 - Live 0xffffffffa0553000
- twofish_x86_64 12541 1 twofish_x86_64_3way, Live 0xffffffffa054e000
- twofish_common 20544 3 twofish_generic,twofish_x86_64_3way,twofish_x86_64, Live 0xffffffffa0547000
- ecb 12737 0 - Live 0xffffffffa0542000
- xcbc 12709 0 - Live 0xffffffffa053d000
- cbc 12754 2 - Live 0xffffffffa0538000
- sha256_generic 16797 0 - Live 0xffffffffa0532000
- sha512_generic 12625 0 - Live 0xffffffffa0526000
- des_generic 20851 2 - Live 0xffffffffa052b000
- tunnel4 12629 1 xfrm4_tunnel, Live 0xffffffffa04fb000
- rng_core 12652 0 - Live 0xffffffffa04c4000
- ipt_MASQUERADE 12594 2 - Live 0xffffffffa04b1000
- iptable_nat 12928 1 - Live 0xffffffffa045f000
- nf_nat 18242 2 ipt_MASQUERADE,iptable_nat, Live 0xffffffffa04ab000
- nf_conntrack_ipv4 14078 3 iptable_nat,nf_nat, Live 0xffffffffa045a000
- nf_defrag_ipv4 12483 1 nf_conntrack_ipv4, Live 0xffffffffa044d000
- nf_conntrack 52720 4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4, Live 0xffffffffa049d000
- ip_tables 22042 3 iptable_filter,iptable_mangle,iptable_nat, Live 0xffffffffa0453000
- x_tables 19118 7 iptable_filter,ip6table_mangle,ip6_tables,iptable_mangle,ipt_MASQUERADE,iptable_nat,ip_tables, Live 0xffffffffa0379000
- nfsd 216170 2 - Live 0xffffffffa0467000
- nfs 308313 0 - Live 0xffffffffa0400000
- nfs_acl 12511 2 nfsd,nfs, Live 0xffffffffa0374000
- auth_rpcgss 37143 2 nfsd,nfs, Live 0xffffffffa03f5000
- fscache 36739 1 nfs, Live 0xffffffffa036a000
- lockd 67306 2 nfsd,nfs, Live 0xffffffffa03e3000
- sunrpc 173730 6 nfsd,nfs,nfs_acl,auth_rpcgss,lockd, Live 0xffffffffa03b7000
- loop 22641 0 - Live 0xffffffffa02f8000
- snd_hda_codec_hdmi 30824 1 - Live 0xffffffffa02ef000
- snd_hda_codec_realtek 188858 1 - Live 0xffffffffa0383000
- tpm_infineon 12985 0 - Live 0xffffffffa02d5000
- i915 378417 1 - Live 0xffffffffa030c000
- hp_wmi 13329 0 - Live 0xffffffffa0307000
- coretemp 12898 0 - Live 0xffffffffa0302000
- crc32c_intel 12747 0 - Live 0xffffffffa02b0000
- snd_hda_intel 26259 0 - Live 0xffffffffa0268000
- snd_hda_codec 78031 3 snd_hda_codec_hdmi,snd_hda_codec_realtek,snd_hda_intel, Live 0xffffffffa02da000
- drm_kms_helper 31370 1 i915, Live 0xffffffffa02ba000
- sparse_keymap 12760 1 hp_wmi, Live 0xffffffffa02b5000
- ghash_clmulni_intel 13173 0 - Live 0xffffffffa025c000
- drm 183952 2 i915,drm_kms_helper, Live 0xffffffffa0282000
- snd_hwdep 13186 1 snd_hda_codec, Live 0xffffffffa0229000
- snd_pcm 68083 3 snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec, Live 0xffffffffa02c3000
- aesni_intel 50667 0 - Live 0xffffffffa024e000
- i2c_i801 16870 0 - Live 0xffffffffa0223000
- iTCO_wdt 17081 0 - Live 0xffffffffa022f000
- i2c_algo_bit 12841 1 i915, Live 0xffffffffa027d000
- snd_page_alloc 13003 2 snd_hda_intel,snd_pcm, Live 0xffffffffa0274000
- snd_timer 22917 1 snd_pcm, Live 0xffffffffa0261000
- iTCO_vendor_support 12704 1 iTCO_wdt, Live 0xffffffffa01f0000
- i2c_core 23876 5 i915,drm_kms_helper,drm,i2c_i801,i2c_algo_bit, Live 0xffffffffa0247000
- aes_x86_64 16843 1 aesni_intel, Live 0xffffffffa0217000
- psmouse 69265 0 - Live 0xffffffffa0235000
- evdev 17562 6 - Live 0xffffffffa021d000
- serio_raw 12931 0 - Live 0xffffffffa020c000
- tpm_tis 17454 0 - Live 0xffffffffa0211000
- rfkill 19012 1 hp_wmi, Live 0xffffffffa01ff000
- acpi_cpufreq 12935 0 - Live 0xffffffffa01eb000
- mperf 12453 1 acpi_cpufreq, Live 0xffffffffa010e000
- pcspkr 12579 0 - Live 0xffffffffa01c8000
- tpm 17862 2 tpm_infineon,tpm_tis, Live 0xffffffffa0143000
- tpm_bios 12948 1 tpm, Live 0xffffffffa0109000
- aes_generic 33026 2 aesni_intel,aes_x86_64, Live 0xffffffffa01f5000
- snd 52889 7 snd_hda_codec_hdmi,snd_hda_codec_realtek,snd_hda_intel,snd_hda_codec,snd_hwdep,snd_pcm,snd_timer, Live 0xffffffffa01d8000
- cryptd 14517 2 ghash_clmulni_intel,aesni_intel, Live 0xffffffffa01e6000
- soundcore 13065 1 snd, Live 0xffffffffa00c1000
- video 17683 1 i915, Live 0xffffffffa0206000
- processor 28157 1 acpi_cpufreq, Live 0xffffffffa01d0000
- button 12937 1 i915, Live 0xffffffffa00d1000
- wmi 13243 1 hp_wmi, Live 0xffffffffa00bc000
- ext4 350763 1 - Live 0xffffffffa0171000
- crc16 12343 1 ext4, Live 0xffffffffa0098000
- jbd2 62115 1 ext4, Live 0xffffffffa0160000
- mbcache 13114 1 ext4, Live 0xffffffffa004d000
- usb_storage 43870 0 - Live 0xffffffffa0137000
- usbhid 36418 0 - Live 0xffffffffa00ff000
- hid 81328 1 usbhid, Live 0xffffffffa0083000
- sg 25874 0 - Live 0xffffffffa007b000
- sr_mod 21899 0 - Live 0xffffffffa0070000
- cdrom 35401 1 sr_mod, Live 0xffffffffa0066000
- sd_mod 36136 3 - Live 0xffffffffa0043000
- crc_t10dif 12348 1 sd_mod, Live 0xffffffffa0028000
- ahci 24997 2 - Live 0xffffffffa005e000
- libahci 22860 1 ahci, Live 0xffffffffa0053000
- thermal 17383 0 - Live 0xffffffffa003d000
- libata 140630 2 ahci,libahci, Live 0xffffffffa0113000
- fan 12674 0 - Live 0xffffffffa0038000
- thermal_sys 18040 4 video,processor,thermal,fan, Live 0xffffffffa002e000
- xhci_hcd 73434 0 - Live 0xffffffffa014d000
- scsi_mod 162269 5 usb_storage,sg,sr_mod,sd_mod,libata, Live 0xffffffffa00d6000
- e1000e 120822 0 - Live 0xffffffffa009d000
- ehci_hcd 40215 0 - Live 0xffffffffa00c6000
- usbcore 128741 5 usb_storage,usbhid,xhci_hcd,ehci_hcd, Live 0xffffffffa0007000
- usb_common 12354 1 usbcore, Live 0xffffffffa0000000
- + _________________________ /proc/meminfo
- +
- + cat /proc/meminfo
- MemTotal: 3933684 kB
- MemFree: 3691832 kB
- Buffers: 11864 kB
- Cached: 157020 kB
- SwapCached: 0 kB
- Active: 99296 kB
- Inactive: 84012 kB
- Active(anon): 14460 kB
- Inactive(anon): 5792 kB
- Active(file): 84836 kB
- Inactive(file): 78220 kB
- Unevictable: 0 kB
- Mlocked: 0 kB
- SwapTotal: 8129532 kB
- SwapFree: 8129532 kB
- Dirty: 0 kB
- Writeback: 0 kB
- AnonPages: 14308 kB
- Mapped: 7048 kB
- Shmem: 5828 kB
- Slab: 23396 kB
- SReclaimable: 9428 kB
- SUnreclaim: 13968 kB
- KernelStack: 912 kB
- PageTables: 2476 kB
- NFS_Unstable: 0 kB
- Bounce: 0 kB
- WritebackTmp: 0 kB
- CommitLimit: 10096372 kB
- Committed_AS: 62508 kB
- VmallocTotal: 34359738367 kB
- VmallocUsed: 361380 kB
- VmallocChunk: 34359373364 kB
- HardwareCorrupted: 0 kB
- AnonHugePages: 0 kB
- HugePages_Total: 0
- HugePages_Free: 0
- HugePages_Rsvd: 0
- HugePages_Surp: 0
- Hugepagesize: 2048 kB
- DirectMap4k: 61440 kB
- DirectMap2M: 4016128 kB
- + _________________________ /proc/net/ipsec-ls
- +
- + test -f /proc/net/ipsec_version
- + _________________________ usr/src/linux/.config
- +
- + test -f /proc/config.gz
- + uname -r
- + test -f /lib/modules/3.2.0-4-amd64/build/.config
- + echo no .config file found, cannot list kernel properties
- no .config file found, cannot list kernel properties
- + _________________________ etc/syslog.conf
- +
- + _________________________ etc/syslog-ng/syslog-ng.conf
- +
- + cat /etc/syslog-ng/syslog-ng.conf
- cat: /etc/syslog-ng/syslog-ng.conf: No such file or directory
- + cat /etc/syslog.conf
- cat: /etc/syslog.conf: No such file or directory
- + _________________________ etc/resolv.conf
- +
- + cat /etc/resolv.conf
- nameserver 8.8.8.8
- nameserver 8.8.4.4
- + _________________________ lib/modules-ls
- +
- + ls -ltr /lib/modules
- total 4
- drwxr-xr-x 3 root root 4096 Aug 13 08:57 3.2.0-4-amd64
- + _________________________ fipscheck
- +
- + cat /proc/sys/crypto/fips_enabled
- 0
- + _________________________ /proc/ksyms-netif_rx
- +
- + test -r /proc/ksyms
- + test -r /proc/kallsyms
- + egrep netif_rx /proc/kallsyms
- ffffffff8128fa05 T netif_rx
- ffffffff8128fbc9 T netif_rx_ni
- + _________________________ lib/modules-netif_rx
- +
- + modulegoo kernel/net/ipv4/ipip.o netif_rx
- + set +x
- 3.2.0-4-amd64:
- + _________________________ kern.debug
- +
- + test -f /var/log/kern.debug
- + _________________________ klog
- +
- + sed -n 6069,$p /var/log/syslog
- + egrep -i ipsec|klips|pluto
- + cat
- Aug 13 16:45:55 ipsec01 ipsec_setup: Starting Openswan IPsec U2.6.37-g955aaafb-dirty/K3.2.0-4-amd64...
- Aug 13 16:45:55 ipsec01 kernel: [ 5047.149018] NET: Registered protocol family 15
- Aug 13 16:45:55 ipsec01 ipsec_setup: Using NETKEY(XFRM) stack
- Aug 13 16:45:55 ipsec01 kernel: [ 5047.220877] Initializing XFRM netlink socket
- Aug 13 16:45:55 ipsec01 ipsec_setup: multiple ip addresses, using 192.168.210.166 on eth0
- Aug 13 16:45:55 ipsec01 ipsec_setup: ...Openswan IPsec started
- Aug 13 16:45:55 ipsec01 pluto: adjusting ipsec.d to /etc/ipsec.d
- Aug 13 16:45:55 ipsec01 ipsec__plutorun: 002 added connection description "net1"
- Aug 13 16:45:55 ipsec01 ipsec__plutorun: 104 "net1" #1: STATE_MAIN_I1: initiate
- + _________________________ plog
- +
- + sed -n 1,$p /var/log/auth.log
- + egrep -i pluto
- + cat
- Aug 13 16:45:55 ipsec01 ipsec__plutorun: Starting Pluto subsystem...
- + _________________________ date
- +
- + date
- Tue Aug 13 16:51:47 CEST 2013