Gentoo Forums
Gentoo Forums Forum Index » Networking & Security
TheMachine (n00b, joined 14 Nov 2003, 3 posts)
Posted: Tue May 03, 2005 5:47 am    Subject: ipsec connection established but no IP address

I'm a bit stuck at the moment; I have been searching the internet for clues for the last few weeks, but can't find the complete answer.

The problem is:

After I make a connection with the Sentinel VPN client, it picks up my roadwarrior connection from the server and says "ipsec connection established". But my client machine doesn't get an IP address. Is there a parameter in ipsec.conf to provide an IP address? I know you can tell Sentinel to acquire one via DHCP, via IKE, or manually.
Besides that, should the server get an extra IP address for the tunnel?

A little bit of background info: kernel 2.6.8, Openswan.

If needed I'll post my logs or let ipsec barf ;-]

Thanks for reading so far!
TheMachine (n00b, joined 14 Nov 2003, 3 posts)
Posted: Fri May 06, 2005 7:54 am    Subject: IPSEC conn. established, but what's next?

My ipsec logfile says I've got a connection established, but I can't reach the other subnet yet.

The situation is as follows:

subnet left            (gw and firewall/router)          right (gw)            subnet
192.168.2.0/24 ------ 213.46.154.122  . . . . .  62.195.126.177 ------ 192.168.1.0/24


I have no additional routing configured. I've tried 'route add -net 192.168.1.0/24 gw 62.195.126.177', but it fails with the message "destination network can't be reached" (probably a dumb mistake of mine ;] ).

My firewall (Arno's firewall) is configured to include 192.168.1.0/24 in its NAT configuration.
The problem is that I don't know where to start from this point, and IF my config is OK.

I really need some help at this point (I'm going to go crazy soon :-) ).

Any help would be appreciated very, very much!


-------------------BEGIN IPSEC.CONF FILE ------------------------------
version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.10.0/24,%v4:192.168.2.0/24

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=secret

conn roadwarrior-net
        leftsubnet=192.168.2.0/24
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore
-------------------END IPSEC.CONF FILE ------------------------------


-----------------------IPSEC BARF OUTPUT------------------------------------
test
Thu May 5 20:26:23 CEST 2005
+ _________________________ version
+ ipsec --version
Linux Openswan U2.2.0/K2.6.8 (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.8 (root@detonator) (gcc version 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)) #10 SMP Sat Apr 30 21:33:06 CEST 2005
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.100 213.46.154.1 255.255.255.255 UGH 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
213.46.154.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
0.0.0.0 213.46.154.1 0.0.0.0 UG 0 0 0 eth0
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
213.46.154.122 62.195.126.177
esp mode=tunnel spi=2114069197(0x7e0222cd) reqid=16413(0x0000401d)
E: aes-cbc a848d4ae fbcea369 539b3bc0 e51f7a1e
A: hmac-md5 392711d1 a297dafd 34a8c343 85646b66
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: May 5 20:13:28 2005 current: May 5 20:26:23 2005
diff: 775(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=3607 refcnt=0
62.195.126.177 213.46.154.122
esp mode=tunnel spi=1973175047(0x759c4307) reqid=16413(0x0000401d)
E: aes-cbc 1bb39168 15fe094b 84037e03 eecf9020
A: hmac-md5 723a8e1d 25240d06 7a84734d 19f9fd93
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: May 5 20:13:25 2005 current: May 5 20:26:23 2005
diff: 778(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=3607 refcnt=0
+ _________________________ setkey-D-P
+ setkey -D -P
192.168.1.100[any] 192.168.2.0/24[any] any
in prio high + 1073739488 ipsec
esp/tunnel/62.195.126.177-213.46.154.122/unique#16413
created: May 5 20:13:25 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1992 seq=26 pid=3608
refcnt=1
192.168.2.0/24[any] 192.168.1.100[any] any
out prio high + 1073739488 ipsec
esp/tunnel/213.46.154.122-62.195.126.177/unique#16413
created: May 5 20:13:28 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=2009 seq=25 pid=3608
refcnt=1
192.168.1.100[any] 192.168.2.0/24[any] any
fwd prio high + 1073739488 ipsec
esp/tunnel/62.195.126.177-213.46.154.122/unique#16413
created: May 5 20:13:25 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=2002 seq=24 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 5 19:59:01 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1955 seq=23 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 5 19:59:01 2005 lastused: May 5 20:13:28 2005
lifetime: 0(s) validtime: 0(s)
spid=1939 seq=22 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 5 19:59:01 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1923 seq=21 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 5 19:59:01 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1907 seq=20 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 5 19:59:01 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1891 seq=19 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 5 19:59:01 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1875 seq=18 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 4 20:51:21 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1283 seq=17 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 4 20:51:21 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1267 seq=16 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 4 20:51:21 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1251 seq=15 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 4 20:51:21 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1235 seq=14 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 4 20:51:21 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1219 seq=13 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 4 20:51:21 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1203 seq=12 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 5 19:59:01 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1964 seq=11 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 5 19:59:01 2005 lastused: May 5 20:13:25 2005
lifetime: 0(s) validtime: 0(s)
spid=1948 seq=10 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 5 19:59:01 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1932 seq=9 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 5 19:59:01 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1916 seq=8 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 5 19:59:01 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1900 seq=7 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 5 19:59:01 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1884 seq=6 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 4 20:51:21 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1292 seq=5 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 4 20:51:21 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1276 seq=4 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 4 20:51:21 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1260 seq=3 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 4 20:51:21 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1244 seq=2 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 4 20:51:21 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1228 seq=1 pid=3608
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 4 20:51:21 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1212 seq=0 pid=3608
refcnt=1
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface eth0/eth0 213.46.154.122
000 interface eth0/eth0 213.46.154.122
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 192.168.2.1
000 interface eth1/eth1 192.168.2.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "roadwarrior": 213.46.154.122---213.46.154.1...%virtual===?; unrouted; eroute owner: #0
000 "roadwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 32,32; interface: eth0;
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "roadwarrior": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "roadwarrior": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "roadwarrior": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "roadwarrior"[4]: 213.46.154.122---213.46.154.1...62.195.126.177[192.168.1.100]===?; unrouted; eroute owner: #0
000 "roadwarrior"[4]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior"[4]: policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 32,32; interface: eth0;
000 "roadwarrior"[4]: newest ISAKMP SA: #4; newest IPsec SA: #0;
000 "roadwarrior"[4]: IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "roadwarrior"[4]: IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "roadwarrior"[4]: IKE algorithm newest: AES_CBC_128-MD5-MODP1024
000 "roadwarrior"[4]: ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "roadwarrior"[4]: ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "roadwarrior-net": 192.168.2.0/24===213.46.154.122---213.46.154.1...%virtual===?; unrouted; eroute owner: #0
000 "roadwarrior-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-net": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,32; interface: eth0;
000 "roadwarrior-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-net": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "roadwarrior-net": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "roadwarrior-net": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "roadwarrior-net": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "roadwarrior-net"[2]: 192.168.2.0/24===213.46.154.122---213.46.154.1...62.195.126.177[192.168.1.100]===192.168.1.100/32; erouted; eroute owner: #5
000 "roadwarrior-net"[2]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-net"[2]: policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,32; interface: eth0;
000 "roadwarrior-net"[2]: newest ISAKMP SA: #0; newest IPsec SA: #5;
000 "roadwarrior-net"[2]: IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "roadwarrior-net"[2]: IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "roadwarrior-net"[2]: ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "roadwarrior-net"[2]: ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "roadwarrior-net"[2]: ESP algorithm newest: AES_128-HMAC_MD5; pfsgroup=<Phase1>
000
000 #4: "roadwarrior"[4] 62.195.126.177 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2546s; newest ISAKMP
000 #5: "roadwarrior-net"[2] 62.195.126.177 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2555s; newest IPSEC; eroute owner
000 #5: "roadwarrior-net"[2] 62.195.126.177 esp.7e0222cd@62.195.126.177 esp.759c4307@213.46.154.122 tun.0@62.195.126.177 tun.0@213.46.154.122
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:08:C7:BB:73:E2
inet addr:213.46.154.122 Bcast:255.255.255.255 Mask:255.255.254.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:422365 errors:0 dropped:0 overruns:0 frame:0
TX packets:320120 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:367647171 (350.6 Mb) TX bytes:93132724 (88.8 Mb)
Interrupt:5 Base address:0x6000

eth1 Link encap:Ethernet HWaddr 00:A0:4B:05:5C:FA
inet addr:192.168.2.1 Bcast:192.168.2.254 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:306705 errors:0 dropped:0 overruns:0 frame:0
TX packets:425648 errors:0 dropped:0 overruns:0 carrier:0
collisions:3702 txqueuelen:1000
RX bytes:48660807 (46.4 Mb) TX bytes:353138814 (336.7 Mb)
Interrupt:11 Base address:0x2080

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2319 errors:0 dropped:0 overruns:0 frame:0
TX packets:2319 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:240940 (235.2 Kb) TX bytes:240940 (235.2 Kb)

+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.6.8 (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: detonator [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 147.154.46.213.in-addr.arpa. [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD flow-control, link ok
product info: Intel 82555 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: autonegotiation failed, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
detonator
+ _________________________ hostname/ipaddress
+ hostname --ip-address
192.168.2.1
+ _________________________ uptime
+ uptime
20:26:25 up 2 days, 48 min, 3 users, load average: 0.23, 0.06, 0.02
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 3587 2370 16 0 2056 1008 - R pts/1 0:00 | \_ /bin/sh /usr/libexec/ipsec/barf
5 0 22893 1 18 0 2052 988 wait4 S ? 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.10.0/24,%v4:192.168.2.0/24 --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
5 0 22894 22893 18 0 2052 992 wait4 S ? 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.10.0/24,%v4:192.168.2.0/24 --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 22895 22894 16 0 2240 980 - S ? 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.10.0/24,%v4:192.168.2.0/24
4 0 22935 22895 18 0 1300 264 - S ? 0:00 | \_ _pluto_adns
4 0 22896 22893 15 0 2052 988 pipe_w S ? 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
4 0 22897 1 18 0 1364 376 pipe_w S ? 0:00 logger -s -p daemon.error -t ipsec__plutorun
5 0 2526 1 18 0 2052 996 wait4 S pts/1 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.10.0/24,%v4:192.168.2.0/24 --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
5 0 2527 2526 22 0 2052 1000 wait4 S pts/1 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal yes --keep_alive --force_keepalive --disable_port_floating --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.10.0/24,%v4:192.168.2.0/24 --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 2538 2527 16 0 2304 1200 - S pts/1 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.10.0/24,%v4:192.168.2.0/24
4 0 2568 2538 21 0 1300 264 - S pts/1 0:00 | \_ _pluto_adns
4 0 2528 2526 15 0 2052 988 pipe_w S pts/1 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
4 0 2529 1 22 0 1364 384 pipe_w S pts/1 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=213.46.154.122
routenexthop=213.46.154.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec/ipsec.conf 1

version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.10.0/24,%v4:192.168.2.0/24

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=secret

conn roadwarrior-net
        leftsubnet=192.168.2.0/24
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec/ipsec.secrets
+ ipsec _secretcensor

#< /etc/ipsec/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
: RSA {
# RSA 2192 bits detonator Tue Dec 3 20:13:15 2002
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQNya3eVN]
#IN KEY 0x4200 4 1 [keyid AQNya3eVN]
# (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
%any 82.175.221.208 192.168.2.222 192.168.2.1 192.168.10.2 192.168.2.240 192.168.1.100 192.168.1.1 213.46.154.122 192.168.2.106 62.195.126.177 62.194.163.42 : PSK "[sums to fdd2...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
+ '[' /etc/ipsec/ipsec.d/policies ']'
++ basename /etc/ipsec/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#

++ basename /etc/ipsec/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan-2.2.0/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#

0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 100
-rwxr-xr-x 1 root root 15409 May 4 20:49 _confread
-rwxr-xr-x 1 root root 5076 May 4 20:49 _copyright
-rwxr-xr-x 1 root root 2391 May 4 20:49 _include
-rwxr-xr-x 1 root root 1475 May 4 20:49 _keycensor
-rwxr-xr-x 1 root root 3586 May 4 20:49 _plutoload
-rwxr-xr-x 1 root root 7167 May 4 20:49 _plutorun
-rwxr-xr-x 1 root root 10493 May 4 20:49 _realsetup
-rwxr-xr-x 1 root root 1975 May 4 20:49 _secretcensor
-rwxr-xr-x 1 root root 9016 May 4 20:49 _startklips
-rwxr-xr-x 1 root root 12313 May 4 20:49 _updown
-rwxr-xr-x 1 root root 7572 May 4 20:49 _updown_x509
-rwxr-xr-x 1 root root 1942 May 4 20:49 ipsec_pr.template
lrwxrwxrwx 1 root root 17 May 30 2004 setup -> /etc/init.d/ipsec
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 1256
-rwxr-xr-x 1 root root 9196 May 4 20:49 _pluto_adns
-rwxr-xr-x 1 root root 19220 May 4 20:49 auto
-rwxr-xr-x 1 root root 10230 May 4 20:49 barf
-rwxr-xr-x 1 root root 816 May 4 20:49 calcgoo
-rwxr-xr-x 1 root root 75228 May 4 20:49 eroute
-rwxr-xr-x 1 root root 57592 May 4 20:49 klipsdebug
-rwxr-xr-x 1 root root 2461 May 4 20:49 look
-rwxr-xr-x 1 root root 7130 May 4 20:49 mailkey
-rwxr-xr-x 1 root root 16188 May 4 20:49 manual
-rwxr-xr-x 1 root root 1874 May 4 20:49 newhostkey
-rwxr-xr-x 1 root root 50588 May 4 20:49 pf_key
-rwxr-xr-x 1 root root 560860 May 4 20:49 pluto
-rwxr-xr-x 1 root root 7244 May 4 20:49 ranbits
-rwxr-xr-x 1 root root 19380 May 4 20:49 rsasigkey
-rwxr-xr-x 1 root root 766 May 4 20:49 secrets
-rwxr-xr-x 1 root root 17578 May 4 20:49 send-pr
lrwxrwxrwx 1 root root 17 May 4 20:49 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1048 May 4 20:49 showdefaults
-rwxr-xr-x 1 root root 4370 May 4 20:49 showhostkey
-rwxr-xr-x 1 root root 112572 May 4 20:49 spi
-rwxr-xr-x 1 root root 65860 May 4 20:49 spigrp
-rwxr-xr-x 1 root root 81436 May 4 20:49 starter
-rwxr-xr-x 1 root root 9940 May 4 20:49 tncfg
-rwxr-xr-x 1 root root 10195 May 4 20:49 verify
-rwxr-xr-x 1 root root 59032 May 4 20:49 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
eth0:367829621 422521 0 0 0 0 0 0 93137657 320209 0 0 0 0 0 0
lo: 240940 2319 0 0 0 0 0 0 240940 2319 0 0 0 0 0 0
eth1:48665907 306790 0 0 0 0 0 0 353320516 425799 0 0 0 3702 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 6401A8C0 019A2ED5 0007 0 0 0 FFFFFFFF 0 0 0
eth1 0002A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 009A2ED5 00000000 0001 0 0 0 00FEFFFF 0 0 0
eth0 00000000 019A2ED5 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux detonator 2.6.8 #10 SMP Sat Apr 30 21:33:06 CEST 2005 i686 Pentium III (Katmai) GenuineIntel GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'native PFKEY (2.6.8) support detected '
native PFKEY (2.6.8) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 288: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ ipchains -L -v -n
ipchains: Incompatible with this kernel
+ _________________________
+ ipchains -M -L -v -n
ipchains: cannot open file `/proc/net/ip_masquerade'
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy DROP 2 packets, 80 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2917 237K HOST_BLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
2879 227K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 LOG !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 3/min burst 2 LOG flags 0 level 7 prefix `INVALID INPUT packet: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LOG all -- eth0 * 192.168.2.0/24 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `Spoofed packet: '
0 0 DROP all -- eth0 * 192.168.2.0/24 0.0.0.0/0
8 1140 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- eth0 * 0.0.0.0/0 255.255.255.255 udp spt:68 dpt:67
18 6356 DROP udp -- eth0 * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68
12 2258 VALID_CHECK all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
12 2258 EXTIF_CHECK !icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 EXTIF_CHECK icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 10/sec burst 50
0 0 LOG icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 12/hour burst 1 LOG flags 0 level 7 prefix `ICMP flood: '
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 7 prefix `Dropped INPUT packet: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 269 packets, 64674 bytes)
pkts bytes target prot opt in out source destination
26 1240 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
224K 151M HOST_BLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 3/min burst 2 LOG flags 0 level 7 prefix `INVALID FORWARD packet: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LOG all -- eth0 * 192.168.2.0/24 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `Spoofed packet: '
0 0 DROP all -- eth0 * 192.168.2.0/24 0.0.0.0/0
224K 151M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 VALID_CHECK all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
0 0 RESERVED_NET_CHECK all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 !eth0 0.0.0.0/0 0.0.0.0/0
13 624 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0
25 1890 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:6881 flags:!0x16/0x02
0 0 ACCEPT tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:6881 flags:0x16/0x02
0 0 DROP tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:27136 flags:!0x16/0x02
0 0 ACCEPT tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:27136 flags:0x16/0x02
0 0 DROP tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:1701 flags:!0x16/0x02
0 0 ACCEPT tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:1701 flags:0x16/0x02
0 0 DROP tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 flags:!0x16/0x02
0 0 ACCEPT tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 flags:0x16/0x02
0 0 DROP tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:50000 flags:!0x16/0x02
0 0 ACCEPT tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:50000 flags:0x16/0x02
0 0 DROP tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:7000 flags:!0x16/0x02
0 0 ACCEPT tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:7000 flags:0x16/0x02
0 0 DROP tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:7001 flags:!0x16/0x02
0 0 ACCEPT tcp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:7001 flags:0x16/0x02
0 0 ACCEPT udp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:6881
0 0 ACCEPT udp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:27136
0 0 ACCEPT udp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
0 0 ACCEPT udp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:1723
0 0 ACCEPT udp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:50000
0 0 ACCEPT udp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:7000
0 0 ACCEPT udp -- eth0 !eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:7001
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 7 prefix `Dropped FORWARD packet: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3919 packets, 642K bytes)
pkts bytes target prot opt in out source destination
9 396 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
3917 642K HOST_BLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -f * eth1 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `FRAGMENTED PACKET (OUT): '
0 0 DROP all -f * eth1 0.0.0.0/0 0.0.0.0/0

Chain EXTIF_CHECK (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix `TCP port 0 OS fingerprint: '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix `UDP port 0 OS fingerprint: '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 7 prefix `TCP source port 0: '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 7 prefix `UDP source port 0: '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 20,21,22,23,80,110,143,443,993,995 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix `Possible DRDOS TCP attempt: '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 20,21,22,23,80,110,143,443,993,995
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `Blocked TCP ports violation: '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:23 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `Blocked UDP ports violation: '
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:23
0 0 ACCEPT all -- * * 192.168.10.0/24 0.0.0.0/0
12 2258 RESERVED_NET_CHECK all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:50 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:50 flags:0x16/0x02
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:51 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:51 flags:0x16/0x02
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:!0x16/0x02
5 240 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x16/0x02
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 flags:0x16/0x02
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x16/0x02
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:500 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:500 flags:0x16/0x02
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4500 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4500 flags:0x16/0x02
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5000 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5000 flags:0x16/0x02
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6881 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6881 flags:0x16/0x02
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:50
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1723
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:6881
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5000
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:20:9999 dpts:1057:65535 flags:!0x16/0x02 limit: avg 10/sec burst 50
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:20:9999 dpts:1057:65535 limit: avg 10/sec burst 50
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:20:9999 dpts:1057:65535 flags:!0x16/0x02 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix `Lost TCP connection flood?: '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:20:9999 dpts:1057:65535 limit: avg 6/hour burst 1 LOG flags 0 level 7 prefix `Lost UDP connection flood?: '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:20:9999 dpts:1057:65535 flags:!0x16/0x02
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:20:9999 dpts:1057:65535
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1057:65535 flags:!0x16/0x02 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `Stealth scan (UNPRIV)?: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1056 flags:!0x16/0x02 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `Stealth scan (PRIV)?: '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1056 limit: avg 2/min burst 2 LOG flags 0 level 7 prefix `Connection attempt (PRIV): '
2 481 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1056 limit: avg 2/min burst 2 LOG flags 0 level 7 prefix `Connection attempt (PRIV): '
2 88 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1057:65535 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Connection attempt (UNPRIV): '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1057:65535 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Connection attempt (UNPRIV): '
2 88 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
2 481 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
1 120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 5 LOG flags 0 level 7 prefix `Other-IP connection attempt: '
1 120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain HOST_BLOCK (3 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 210.204.129.27 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 7 prefix `Blocked hosts violation: '
0 0 DROP all -- * * 210.204.129.27 0.0.0.0/0

Chain RESERVED_NET_CHECK (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 10.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Class A address: '
0 0 LOG all -- * * 172.16.0.0/12 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Class B address: '
0 0 LOG all -- * * 192.168.0.0/16 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Class C address: '
0 0 LOG all -- * * 169.254.0.0/16 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Class M$ address: '
0 0 LOG all -- * * 0.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 1.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 2.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 5.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 7.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 23.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 27.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 31.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 36.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 37.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 39.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 41.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 42.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 58.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 59.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 60.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 70.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 71.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 72.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 73.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 74.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 75.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 76.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 77.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 78.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 79.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 83.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 84.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 85.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 86.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 87.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 88.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 89.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 90.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 91.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 92.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 93.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 94.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 95.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 96.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 97.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 98.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 99.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 100.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 101.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 102.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 103.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 104.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 105.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 106.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 107.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 108.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 109.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 110.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 111.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 112.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 113.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 114.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 115.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 116.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 117.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 118.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 119.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 120.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 121.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 122.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 123.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 124.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 125.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 126.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 127.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 197.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
1 668 LOG all -- * * 222.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 223.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 224.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 225.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 226.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 227.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 228.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 229.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 230.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 231.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 232.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 233.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 234.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 235.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 236.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 237.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 238.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 239.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 240.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 241.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 7 prefix `Reserved address: '
0 0 LOG all -- * * 242.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG fl
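An added check, not code from the thread or from arno's firewall: it parses an `iptables -L -v -n` listing in the column layout shown above and reports whether the openings an IPsec gateway needs are present. IKE runs over UDP/500 (and UDP/4500 with NAT traversal), but the tunnel payload is ESP, IP protocol 50 (AH is IP protocol 51); an ACCEPT for `tcp dpt:50` or `udp dpt:50` matches a port, not the protocol. In the listing above, EXTIF_CHECK accepts `udp dpt:500` and `udp dpt:4500` and opens TCP and UDP ports 50 and 51, but no rule accepts protocol `esp`, and a packet that is neither tcp, udp nor icmp falls through to the `Other-IP connection attempt` LOG/DROP pair at the end of that chain. The sample listing in the block is a constructed excerpt of those rules; the `esp` line in the fixed variant is what `iptables -I INPUT -i eth0 -p esp -j ACCEPT` would add.

```python
"""Check an `iptables -L -v -n` listing for the rules an IPsec gateway needs.

Added example, not code from the thread or from arno's firewall.  Assumes the
stock `iptables -L -v -n` column layout:
    pkts bytes target prot opt in out source destination [match text]
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    chain: str
    target: str
    proto: str      # as printed: tcp, udp, esp, 50, !icmp, all ...
    in_if: str
    out_if: str
    extra: str      # match text after the destination column


CHAIN_RE = re.compile(r"^Chain (\S+) ")
RULE_RE = re.compile(
    r"^\s*\d+[KMG]?\s+\d+[KMG]?\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s*(.*)$"
)


def parse_listing(text):
    """Turn the listing into Rule objects, remembering the chain each sits in."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if chain is None or not line.strip() or line.strip().startswith("pkts"):
            continue
        m = RULE_RE.match(line)
        if m:
            target, proto, in_if, out_if, extra = m.groups()
            rules.append(Rule(chain, target, proto, in_if, out_if, extra.strip()))
    return rules


# IP protocol numbers: with -n iptables may print either the name or the number.
PROTO_NUMBER = {"esp": "50", "ah": "51"}


def _udp_port_accepted(rules, port):
    return any(r.target == "ACCEPT" and r.proto == "udp"
               and re.search(rf"\bdpt:{port}\b", r.extra) for r in rules)


def _ip_proto_accepted(rules, name):
    return any(r.target == "ACCEPT" and r.proto in (name, PROTO_NUMBER[name])
               for r in rules)


def ipsec_firewall_report(text):
    """Report which IPsec-related openings exist and flag port/protocol mix-ups."""
    rules = parse_listing(text)
    confusion = []
    for r in rules:
        # An ACCEPT for TCP/UDP *port* 50 or 51 admits neither ESP nor AH.
        if r.target == "ACCEPT" and r.proto in ("tcp", "udp"):
            m = re.search(r"\bdpt:(50|51)\b", r.extra)
            if m:
                confusion.append(f"{r.chain} {r.proto} dpt:{m.group(1)}")
    return {
        "ike_udp_500": _udp_port_accepted(rules, 500),
        "natt_udp_4500": _udp_port_accepted(rules, 4500),
        "esp_proto_50": _ip_proto_accepted(rules, "esp"),
        "ah_proto_51": _ip_proto_accepted(rules, "ah"),
        "port_50_51_confusion": confusion,
    }


def missing_for_ipsec(report):
    """What must still be opened before an ESP tunnel can pass (AH is optional)."""
    missing = []
    if not report["ike_udp_500"]:
        missing.append("udp dpt:500 (IKE)")
    if not report["esp_proto_50"]:
        missing.append("esp (IP protocol 50)")
    return missing


# Constructed excerpt of the ruleset posted above (INPUT and EXTIF_CHECK only).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 2 packets, 80 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   12  2258 EXTIF_CHECK !icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain EXTIF_CHECK (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:50 flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:50 flags:0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:51 flags:0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:50
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
    1   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Same excerpt plus the rule `iptables -I INPUT -i eth0 -p esp -j ACCEPT` adds.
# In a live chain it must precede the final DROP; this checker only tests presence.
FIXED_LISTING = SAMPLE_LISTING + \
    "    0     0 ACCEPT     esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0\n"

if __name__ == "__main__":
    print(ipsec_firewall_report(SAMPLE_LISTING))
    print("missing:", missing_for_ipsec(ipsec_firewall_report(SAMPLE_LISTING)))
```

Run it against the full listing (`iptables -L -v -n > rules.txt`) rather than the excerpt; the point of the confusion list is that four ACCEPTs for ports 50 and 51 give a false sense that ESP and AH are open.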
adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

PostPosted: Fri May 06, 2005 11:37 am

Are you by any chance wondering why nobody responds to your post? :twisted:
Here's a free hint:
delete those 1000+ lines of crap and post them on a web page somewhere, then post a link to the page here.

Just FYI: why are there about a dozen SPs in your config?
You should have two, no more and no less, one for each side of the tunnel.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
TheMachine
n00b

Joined: 14 Nov 2003
Posts: 3

PostPosted: Fri May 06, 2005 1:12 pm

OK, point taken.

How can I remove the security policies?

And in which conf file are they located?

Noob's question, I know, but I need some directions on this.
I've crawled the internet a dozen times for info about this subject but still no success.

Any suggestions for how to add the route?

Thanks in advance.
adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

PostPosted: Fri May 06, 2005 1:35 pm

Some more crawling required, methinks...
This may help: http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/policygroups.html
TheAl
Tux's lil' helper

Joined: 22 Jan 2004
Posts: 134

PostPosted: Sun May 28, 2006 7:26 pm

Quote:
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:192.168.10.0/24,%v4:192.168.2.0/24

This is not correct, since you are using those private address spaces.
Correct it to:
Code:
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24

Pay attention to the !, which means that those ranges are currently used in your setup and need to be routed.
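An added example, not code from the thread or from openswan, that makes the point of the post above checkable: it parses a `virtual_private=` value (the `%v4:`/`%v6:` entries from ipsec.conf(5), with a leading `!` on a network meaning "exclude this range"), lists which real subnets a roadwarrior could still claim a virtual address from, and rebuilds the value with those subnets excluded. The original value quoted above and the two LAN subnets from the thread (192.168.1.0/24 and 192.168.2.0/24) are embedded as the sample input; when rebuilding, an allowed entry that lies inside an excluded subnet is dropped rather than listed both ways. Which entries to keep beyond that (for example 192.168.10.0/24) is up to the operator; the functions only assume what the post states.

```python
"""Check an openswan/freeswan `virtual_private=` value against the subnets
that are really in use on either side of the tunnel.

Added example, not from the thread or from openswan.  Syntax assumed as in
ipsec.conf(5): comma-separated `%v4:` / `%v6:` entries, a leading `!` on
the network excluding that range from the virtual address pool.
"""
import ipaddress


def parse_virtual_private(value):
    """Split a virtual_private value into (allowed, excluded) network lists."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        family, sep, net = item.partition(":")
        if not sep or family not in ("%v4", "%v6"):
            raise ValueError(f"unexpected virtual_private entry {item!r}")
        negated = net.startswith("!")
        network = ipaddress.ip_network(net.lstrip("!"), strict=False)
        if (family == "%v4") != (network.version == 4):
            raise ValueError(f"family/address mismatch in {item!r}")
        (excluded if negated else allowed).append(network)
    return allowed, excluded


def unprotected_subnets(value, local_subnets):
    """Local subnets a roadwarrior could still claim a virtual IP from.

    A subnet is safe only when it lies fully inside some `!` exclusion; it
    is at risk when it overlaps an allowed range and is not excluded.
    """
    allowed, excluded = parse_virtual_private(value)
    at_risk = []
    for s in map(ipaddress.ip_network, local_subnets):
        overlaps = any(a.version == s.version and s.overlaps(a) for a in allowed)
        shielded = any(e.version == s.version and s.subnet_of(e) for e in excluded)
        if overlaps and not shielded:
            at_risk.append(str(s))
    return at_risk


def exclude_subnets(value, local_subnets):
    """Rebuild the value with every local subnet excluded.

    Allowed entries inside a local subnet are dropped, so a range is never
    listed as both allowed and excluded.
    """
    allowed, excluded = parse_virtual_private(value)
    lans = [ipaddress.ip_network(s) for s in local_subnets]
    keep = [a for a in allowed
            if not any(a.version == l.version and a.subnet_of(l) for l in lans)]
    for l in lans:
        if l not in excluded:
            excluded.append(l)
    parts = [f"%v{n.version}:{n}" for n in keep]
    parts += [f"%v{n.version}:!{n}" for n in excluded]
    return ",".join(parts)


# The value quoted in the post above, and the two LAN subnets from the thread.
ORIGINAL = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
            "%v4:192.168.10.0/24,%v4:192.168.2.0/24")
LANS = ["192.168.1.0/24", "192.168.2.0/24"]

if __name__ == "__main__":
    print("at risk:", unprotected_subnets(ORIGINAL, LANS))
    print("fixed:  ", exclude_subnets(ORIGINAL, LANS))
```

The check is worth running whenever a LAN is renumbered or a new site joins the tunnel: an overlapping pool does not fail loudly, the client simply ends up with an address the gateway already routes elsewhere.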