			Sentry5-IPSec/FreeSWAN - README
			--------------------------------


Compile Linux/router and create a link "linux"
==============================================

Checkout the latest source.

Creating a symbolic "linux" link for the target linux.
	remove or rename the default linux[2.4.5] directory.
	make a symbolic link for linux-2.4.20 
		cd src/linux
		ln -s linux-2.4.20 linux
	enable CONFIG_BCM582X_ALIGN to use the bcm582x offload.

compile the linux[2.4-20].
	
compile router and install it.
	CRYPTO and BCM_IPSEC flags should be enabled for ipsec.
	This will also install the bcm582x components in the root filesystem.
	The bcm582x driver is loaded when ipsec gets started in rc.
	
		

Compiling FreeSwan:
===================

Freeswan & pluto: using freeswan-1.99 [with async hw-offload] as a module:
	cd src/linux/freeswan-1.99
	make -f Makefile.bcm all
	make -f Makefile.bcm install

Compiling different portions manually:
-------------------------------------

GMP: GNU Multiple Precision library used by pluto
	cd src/gmp;
	make -f Makefile.bcm all
	make -f Makefile.bcm install

AWK: using Mawk 
	cd src/mawk
	make -f Makefile.bcm all
	make -f Makefile.bcm install

Freeswan & pluto: using freeswan-1.99 as a module. 
	cd src/linux/freeswan-1.99
	in Makefile.bcm
		enable
		BCM_IPSEC_OFFLOAD=1
		#BCM_PLUTO_OFFLOAD=1
		and their export lines
		for bcm582x hardware acceleration. [currently the DEFAULT is
		IPSEC ACCELERATION, i.e. Async mode]
		[also:
		to compile the async version do
		make -f Makefile.bcm makeasync;
		to compile the sync[block] version do
		make -f Makefile.bcm makeblock;
		WARNING: changes made to files might be overwritten by
		makeasync and makeblock.
		]
	make -f Makefile.bcm all
		This patches freeswan into the "linux" source tree as a module and compiles the linux modules.
		[Note: if you see the error message
			"*** IPsec not in kernel config"
		cd to src/linux; make menuconfig
			select Networking options -> IP Security Protocol (FreeSwan/IPSEC) as a module, and all other options in IPSEC,
			then compile freeswan as described above]
	make -f Makefile.bcm install

Compiling Async bcm582x offload for Freeswan: [the same is done by the makeasync and makeblock targets in Makefile.bcm]
	copy the .async files in freeswan-1.99/klips/net/ipsec to their corresponding .h and .c files
	then compile as above.
	This is also done by the makeasync target of Makefile.bcm.


HTML IPSec Configuration:
=========================
	IPsec is configured through the HTML GUI.
	Manual editing or ftp upload of ipsec.conf/ipsec.secrets is not encouraged:
	ipsec.conf and ipsec.secrets will be overwritten during load or reconfiguration.
	Refer to the sample configurations for examples.

NVRAM Variables:
================
	Common parameters/General parameters:
	ipsec_setup

	Connection info:
	ipsec_conn_X
		left-right,leftnetwork-rightnetwork,ESP,AH,PSK,Extraparameters
	ipsec_conn_X_enable
		1 enable

	Where
		X is the connection number [1,2,3,..].
		An empty or blank connection marks the end of all active connections.

	All connections are named connection-X in ipsec.conf, and that name shall be used as is when referring to them in the common parameters.


Sample Configurations:
======================


Lan/Wireless VPN to Internet setup
==================================
	

  
	Windows PC[vpn]	--------|
				|
	  			|---[VPN](Lan)-Sentry5 -(Wan)---- <<<< INTERNET >>>>
				|
	Linux PC[vpn]	--------|


Configuring the Sentry5 platform 
=================================

	Setting up a profile that lets any LAN PC connect to the LAN with 3des+md5 for ESP, no AH, and a PSK.

	Here 172.16.1.192 is my LAN [eth1.2] address and the LAN hosts are 172.16.1.193 [Windows PC] and 172.16.1.223 [Linux PC].

	Configure the following in the GUI:
	left[172.16.1.192]		Right[0.0.0.0]	ESP[3des-md5-96] AH[none]	PSK[*****]  ExtraParams[auto=add]
	leftsubnet[0.0.0.0/0]	

	Note:
		Common Parameters:
		Common parameters is empty here. [It is used to add common connection parameters; the syntax is name=value, as in freeswan.]

		Extra parameters:
		[Extra parameters is used to add other connection features; the syntax is name=value, as in freeswan.]
		eg:
		auto=add
		ikelifetime=1081s
		keylife=1081s

		

	After configuring, rc should have created /etc/init.d/ipsec.conf like the one below:

****************************************************************
config setup
	interfaces="ipsec0=eth1.1 ipsec1=eth1.2 "
	plutoload=%search
	plutostart=%search
	uniqueids=yes

conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%dnsondemand
	rightrsasigkey=%dnsondemand


conn connection-1
	type=tunnel
	left=172.16.1.192
	leftsubnet=0.0.0.0/0
	right=0.0.0.0
	#rightsubnet=
	esp=3des-md5-96
	#auth=
	#ah=
	authby=secret
	auto=start
****************************************************************
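
Added example (not part of the original README and not the Sentry5 rc code): a Python sketch of how the ipsec_conn_X NVRAM fields listed under "NVRAM Variables" map onto a connection-X section and an ipsec.secrets line, including the blank-entry and ipsec_conn_X_enable rules. The comma/hyphen serialization, the space-separated extra parameters, the fixed type=tunnel and all function names are assumptions.

```python
import re

# Hypothetical renderer, not the Sentry5 rc code. Assumed serialization:
#   ipsec_conn_X = left-right,leftnet-rightnet,ESP,AH,PSK,extra parameters
# The field order is the README's; the delimiters and the space-separated
# name=value extra parameters are assumptions.
TOKEN = re.compile(r'[^\s"#]*')            # one config token, may be empty
EXTRA = re.compile(r'[A-Za-z]+=[^\s"#]+')  # one name=value pair

def parse_conn(value):
    """Split one ipsec_conn_X value into named, validated fields."""
    fields = [f.strip() for f in value.split(",", 5)]
    if len(fields) != 6:
        raise ValueError("expected 6 comma-separated fields")
    ends, nets, esp, ah, psk, extra = fields
    left, _, right = ends.partition("-")
    leftnet, _, rightnet = nets.partition("-")
    conn = {"left": left, "right": right, "leftsubnet": leftnet,
            "rightsubnet": rightnet, "esp": esp,
            "ah": "" if ah.lower() == "none" else ah}
    # These values land in ipsec.conf verbatim: refuse anything that could
    # start a new line, a comment or a quoted string.
    for key, val in conn.items():
        if not TOKEN.fullmatch(val):
            raise ValueError("bad character in " + key)
    if not left or not right:
        raise ValueError("left and right are required")
    if any(ch in psk for ch in '"\r\n'):
        raise ValueError("PSK cannot contain a quote or newline")
    conn["psk"], conn["extra"] = psk, extra.split()
    for pair in conn["extra"]:
        if not EXTRA.fullmatch(pair):
            raise ValueError("extra parameter is not name=value: " + pair)
    return conn

def active_connections(nvram):
    """Yield (name, fields) for enabled entries; a blank entry ends the list."""
    x = 1
    while nvram.get("ipsec_conn_%d" % x, "").strip():
        if nvram.get("ipsec_conn_%d_enable" % x) == "1":
            yield "connection-%d" % x, parse_conn(nvram["ipsec_conn_%d" % x])
        x += 1

def render(nvram):
    """Return (ipsec.conf conn sections, ipsec.secrets lines) as text."""
    def opt(key, val):  # empty fields stay visible as commented-out lines
        return "\t%s=%s" % (key, val) if val else "\t#%s=" % key
    conf, secrets = [], []
    for name, c in active_connections(nvram):
        lines = ["conn " + name, "\ttype=tunnel", "\tleft=" + c["left"],
                 opt("leftsubnet", c["leftsubnet"]), "\tright=" + c["right"],
                 opt("rightsubnet", c["rightsubnet"]),
                 opt("esp", c["esp"]), opt("ah", c["ah"])]
        if c["psk"]:
            lines.append("\tauthby=secret")
            secrets.append('%s %s: PSK "%s"' % (c["left"], c["right"], c["psk"]))
        conf.append("\n".join(lines + ["\t" + p for p in c["extra"]]))
    return "\n\n".join(conf) + "\n", "\n".join(secrets) + "\n"

# Constructed NVRAM contents; addresses follow the README's LAN example.
SAMPLE_NVRAM = {
    "ipsec_conn_1": "172.16.1.192-0.0.0.0,0.0.0.0/0-,3des-md5-96,none,example-psk,auto=add",
    "ipsec_conn_1_enable": "1",
    "ipsec_conn_2": "172.16.1.192-172.16.1.223,-,3des,none,,spi=0x8001",
    "ipsec_conn_2_enable": "0",   # present but disabled: skipped
    "ipsec_conn_3": "",           # blank entry: end of the list
    "ipsec_conn_4": "172.16.1.192-172.16.1.193,-,3des,none,late-psk,auto=add",
    "ipsec_conn_4_enable": "1",   # never reached
}

if __name__ == "__main__":
    conf, secrets = render(SAMPLE_NVRAM)
    print(conf + secrets, end="")
```

Because the fields are copied into ipsec.conf unchanged, the renderer rejects whitespace, quotes and comment marks so that an NVRAM value cannot add lines or sections of its own.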



Configuring a Freeswan client PC
=================================

ipsec.conf connection for this LAN Freeswan PC:

conn roadwarrior-net
	authby=secret
	type=tunnel
	esp=3des 	# in freeswan 3des defaults to 3des-md5-96 in auto mode
	left=172.16.1.223
	right=172.16.1.192
	rightsubnet=0.0.0.0/0
	auto=start

Also have a corresponding ipsec.secrets file.

**********************************************************************************
	service ipsec stop
	service ipsec start
	ping 172.16.1.192
**********************************************************************************


Configuring Windows 2000 with Marcus Müller's ipsec.exe
=======================================================

ipsec.conf for ipsec.exe; here the PSK is "mypassword":

	

conn roadwarrior-net
	left=172.16.1.193
	right=172.16.1.192
	rightsubnet=*
	presharedkey=mypassword
	network=auto
	auto=start
	

Setting up Marcus Müller's ipsec.exe:
	Get [Windows 2000 VPN Tool] from http://vpn.ebootis.de/
		Download it here: http://vpn.ebootis.de/package.zip
	Get ipsecpol.exe from Microsoft
		http://agent.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp

	Install both of them in the same directory [i.e. ipsecpol.exe and ipsec.exe in the same directory].

	Copy the Windows ipsec.conf [above] to this directory.
	Run ipsec.


You should see:

**********************************************************************************
C:\VPN>ipsec
IPSec Version 2.2.0 (c) 2001-2003 Marcus Mueller
Getting running Config ...
Microsoft's Windows 2000 identified
Setting up IPSec ...

        Deactivating old policy...
        Removing old policy...

Connection roadwarrior-net:
        MyTunnel     : 172.16.1.193
        MyNet        : 172.16.1.193/255.255.255.255
        PartnerTunnel: 172.16.1.192
        PartnerNet   : *
        CA (ID)      : Preshared Key ******************
        PFS          : y
        Auto         : start
        Auth.Mode    : MD5
        Rekeying     : 3600S/50000K
        Activating policy...

C:\VPN>ping 172.16.1.192

Pinging 172.16.1.192 with 32 bytes of data:

Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.

Ping statistics for 172.16.1.192:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

C:\VPN>ping 172.16.1.192

Pinging 172.16.1.192 with 32 bytes of data:

Reply from 172.16.1.192: bytes=32 time<10ms TTL=64
Reply from 172.16.1.192: bytes=32 time<10ms TTL=64
**********************************************************************************

Note:
IPsec for Windows 2000 can also be configured using the ipsecpol CLI; the example shown below is with AH.

eg:
ipsecpol -w REG -p FreeSwan -r Host-roadwarrior-net -t 172.16.1.192 -f 172.16.1.193/255.255.255.255=* -n AH[MD5]+ESP[md5,3DES]3600S/50000KPFS -a PRESHARE:"transport PSK" -lan -1p > NUL:

ipsecpol -w REG -p FreeSwan -r roadwarrior-net-Host -t 172.16.1.193 -f *=172.16.1.193/255.255.255.255 -n AH[MD5]+ESP[md5,3DES]3600S/50000KPFS -a PRESHARE:"transport PSK" -lan -1p > NUL:


ipsecpol -w REG -p FreeSwan -x > NUL:


Manual Mode:
===========
		
	Common parameters:
		manualstart="connection-1"

	connection 1:
	left[172.16.1.192] 	right[172.16.1.223] ESP[3DES] AH[none]
	ExtraParameters[
		espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
		espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
		spi=0x8001]
	

Note:
	If both manual and auto mode connections are present, specify the modes explicitly in the Common parameters.
	eg:
		Common parameters:
			manualstart="connection-1"
			plutoload="connection-2 connection-3"
			plutostart="connection-2 connection-3"
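
Added example (not part of the original README or of FreeS/WAN): a Python check that the manual-keying parameters of a conn have the sizes FreeS/WAN 1.x expects, 192 bits for a 3des espenckey and 128/160 bits for an md5/sha1 espauthkey. The sample text is constructed from key values that appear in this README, with esp=3des-md5-96 set on connection-1 so that its authentication key is checked too; the function names are assumptions.

```python
import re

# Key sizes in bits that FreeS/WAN 1.x manual keying expects.
ENC_BITS = {"3des": 192}
AUTH_BITS = {"md5": 128, "sha1": 160}

def parse_conns(text):
    """Return {conn name: {parameter: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line:
            continue
        if not line[0].isspace():                 # section header in column 0
            words = line.split()
            is_conn = words[0] == "conn" and len(words) == 2
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def key_bits(value):
    """Bit length of a 0x... hex key ('_' is a separator); None if malformed."""
    m = re.fullmatch(r"0x([0-9a-fA-F_]+)", value)
    digits = m.group(1).replace("_", "") if m else ""
    return len(digits) * 4 if digits else None

def check_manual(conn):
    """List problems with the manual-keying parameters of one conn."""
    problems = []
    if not any(k in conn for k in ("spi", "espenckey", "espauthkey")):
        return problems                           # automatically keyed conn
    parts = conn.get("esp", "").lower().split("-")
    enc, auth = parts[0], parts[1] if len(parts) > 1 else None
    spi = conn.get("spi", "")
    # KLIPS generally wants a manually assigned spi of at least 0x100.
    if not re.fullmatch(r"0x[0-9a-fA-F]+", spi) or int(spi, 16) < 0x100:
        problems.append("spi missing or below 0x100")
    for param, alg, table in (("espenckey", enc, ENC_BITS),
                              ("espauthkey", auth, AUTH_BITS)):
        want = table.get(alg)
        if want is None:
            continue                              # algorithm not in the table
        got = key_bits(conn.get(param, ""))
        if got is None:
            problems.append("%s missing or not 0x hex" % param)
        elif got != want:
            problems.append("%s is %d bits, %s needs %d" % (param, got, alg, want))
    return problems

def audit(text):
    """Map each conn name to its list of manual-keying problems."""
    return {name: check_manual(c) for name, c in parse_conns(text).items()}

# Constructed input built from key values shown in this README.
SAMPLE = """
conn connection-1
    left=172.16.1.192
    right=172.16.1.223
    esp=3des-md5-96
    espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
    espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
    spi=0x8001

conn s214-s32
    type=transport
    esp=3des
    espenckey=0x12345678
    spi=0x6001
"""

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, problems or "ok")
```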
		

**************************************************
NOTE: THE COMPILATION/LOAD DETAILS/CONTENTS 
BELOW IS OUTDATED AS OF 21 MAY 2003.
**************************************************

Environment Variables
======================
	make sure the environment variables are set correctly

	LINUXDIR=/<sentry5 root>/src/linux/linux
	TARGET_OSTYPE=mipslinux
	export TARGET_OSTYPE
	export LINUXDIR


Compile Linux/router and create a link "linux"
==============================================

Checkout the latest source.

Creating a symbolic "linux" link for the target linux.
	remove or rename the default linux[2.4.5] directory.
	make a symbolic link for linux-2.4.20
		cd src/linux
		ln -s linux-2.4.20 linux

compile the linux[2.4-20].
	
compile router and install it.
	This will also install the bcm582x components in the root filesystem.
	
loading bcm582x driver:
	On the platform
		insmod bcm582x
		mknod /dev/cryptonet c <cryptonet MAJOR id(/proc/devices)> 1
		

compiling FreeSwan:
===================

GMP: GNU Multiple Precision library used by pluto
	cd src/gmp;
	make -f Makefile.bcm all
	make -f Makefile.bcm install

AWK: using Mawk 
	cd src/mawk
	make -f Makefile.bcm all
	make -f Makefile.bcm install

Freeswan & pluto: using freeswan-1.99 as a module. 
	cd src/linux/freeswan-1.99
	in Makefile.bcm
		enable 
		#BCM_IPSEC_OFFLOAD=1
		#BCM_PLUTO_OFFLOAD=1
		for bcm582x hardware acceleration.[currently default is no acceleration]
	make -f Makefile.bcm all
		This patches freeswan into the "linux" source tree as a module and compiles the linux modules.
		[Note: if you see the error message
			"*** IPsec not in kernel config"
		cd to src/linux; make menuconfig
			select Networking options -> IP Security Protocol (FreeSwan/IPSEC) as a module, and all other options in IPSEC,
			then compile freeswan as described above]
	make -f Makefile.bcm install


On the target platform.
To start ipsec
	cd /etc/init.d/
	./ipsec stop	
	./ipsec start

The ipsec configuration files are /etc/ipsec.conf and /etc/ipsec.secrets. The default configuration files have to be modified to enable the interfaces and the secrets.

Sample Configuration:
====================

Setup - [old]
======
	Using PreShared keys for a Transport tunnel between two hosts 10.22.2.214 and 10.22.2.32 on interface eth0.



/etc/ipsec.conf at 10.22.2.214
==============================

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.


# basic configuration
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces="ipsec0=eth0"
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=none	
	plutodebug=none	
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes
	# Add iptables rules before pluto
	prepluto=/usr/local/lib/ipsec/iptables_rules



# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%dnsondemand
	rightrsasigkey=%dnsondemand


# connection description for opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
	left=%defaultroute
	right=%opportunistic
	keylife=1h
	rekey=no
	# for initiator only OE, uncomment and uncomment this 
	# after putting your key in your forward map 
	#leftid=@myhostname.example.com
	# uncomment this next line to enable it
	#auto=route



conn s214-s32
	#PSK
	authby=secret
	#optional
	type=transport
	spi=0x6001
	esp=3des
	espenckey=0x12345678
	#ah=hmac-md5
	#ahkey=0x56781
	#auth=ah
	#endoptional
	left=10.22.2.214
	right=10.22.2.32
	#ikelifetime=20.0m
	#keylife=2.0m
	auto=start



/etc/ipsec.secrets for PreShared Key at 10.22.2.214
===================================================

10.22.2.214 10.22.2.32: PSK "testing PSK32214"


/etc/ipsec.conf at 10.22.2.32
==============================
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.



# basic configuration
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces="ipsec0=eth0"
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=none
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes



# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%dnsondemand
	rightrsasigkey=%dnsondemand


# connection description for opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
	left=%defaultroute
	right=%opportunistic
	keylife=1h
	rekey=no
	# for initiator only OE, uncomment and uncomment this 
	# after putting your key in your forward map 
	#leftid=@myhostname.example.com
	# uncomment this next line to enable it
	#auto=route

conn s214-s32
	authby=secret
	#optional
	type=transport
	spi=0x6001
	esp=3des
	espenckey=0x12345678
	#ah=hmac-md5
	#ahkey=0x56781
	#auth=ah
	#endoptional
	left=10.22.2.32
	right=10.22.2.214
	#ikelifetime=20.0m
	#keylife=2.0m
	auto=start


/etc/ipsec.secrets for PreShared Key at 10.22.2.32
==================================================
10.22.2.32 10.22.2.214: PSK "testing PSK32214"


Using RSASignature:
==================
	Generate RSA secrets with the command 'ipsec' in /usr/local/sbin.

	eg:
		cd /usr/local/sbin;
		./ipsec newhostkey --bits 2048 --output ipsec.secrets

Using Freeswan with Firewall[iptables]/filters:
===============================================

	Make sure ports for pluto are open before pluto gets called.
		eg:
		prepluto=/usr/local/lib/ipsec/iptables_rules

	disable rp_filter:
		if using eth1.1[vlan-wan] as interface
		echo 0 > /proc/sys/net/ipv4/conf/eth1.1/rp_filter	
		before starting freeswan

Known Issues:
============
	If the working filesystem is mounted over NFS, reconfiguration with rc might lose the NFS connection, hence a reboot might be required.

Sentry5-IPSec/FreeSWAN Boot Console messages:
=============================================

***********************************************************************

CFE version 1.0.34 for BCM95380_RR (32bit,SP,LE)
Build Date: Thu Mar 20 17:08:29 PST 2003 (jfd@que)
Copyright (C) 2000,2001,2002 Broadcom Corporation.

Initializing Arena.
Initializing Devices.


CFE version 1.0.34 for BCM95380_RR (32bit,SP,LE)
Build Date: Thu Mar 20 17:08:29 PST 2003 (jfd@que)
Copyright (C) 2000,2001,2002 Broadcom Corporation.

Initializing Arena.
Initializing Devices.
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller
et1: Broadcom BCM47xx 10/100 Mbps Ethernet Controller
CPU type 0x24000: 100MHz
Total memory: 0x1000000 bytes (16MB)

Total memory used by CFE:  0x807AC560 - 0x81000000 (8731296)
Initialized Data:          0x807AC560 - 0x807AF110 (11184)
BSS Area:                  0x807AF110 - 0x807AFB90 (2688)
Local Heap:                0x807AFB90 - 0x80FAFB90 (8388608)
Stack Area:                0x80FAFB90 - 0x80FB1B90 (8192)
Text (code) segment:       0x80FB1BA0 - 0x80FFFFB4 (320532)
Boot area (physical):      0x0076B000 - 0x007AB000
Relocation Factor:         I:E13B1BA0 - D:007AB560

et0: link up
Device eth0:  hwaddr 00-10-18-80-00-75, ipaddr 192.168.1.170, mask 255.255.55.0
        gateway 192.168.1.1, nameserver not set
Loader:elf Filesys:tftp Dev:eth0 File:192.168.1.222:vmlinux Options:(null)
Loading: 0x80001000/2188056 0x80218000/278528 0x8025c000/211872 Entry at 0x8021a040
Closing network.
et0: link down
Starting program at 0x8021a040
CPU revision is: 00024000
Primary instruction cache 8kb, linesize 16 bytes (2 ways)
Primary data cache 4kb, linesize 16 bytes (2 ways)
Linux version 2.4.20 (root@s35) (gcc version 3.0 20010422 (prerelease) with bcm4710a0 modifications) #1 Thu May 22 15:40:15 PDT 2003
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: console=ttyS1,115200 ip=192.168.1.170:192.168.1.222:192.168.1.1:255.255.255.0:switch-2:eth0 root=/dev/nfs rw nfsroot=192.168.1.222:/home/gigis/nfsroot/router/install-mipsel,timeo=200,retrans=500 nfsaddrs=192.168.1.170:192.168.1.222 noinitrd
RTC: 2/1/2000, 21:07:51
CPU: BCM4710 rev 0 at 100 MHz
get_rtc_time: 2000-02-01 21:07:51.
Calibrating delay loop... 66.56 BogoMIPS
Memory: 13576k/16384k available (2136k kernel code, 2808k reserved, 168k data, 88k init, 0k highmem)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction...  unavailable.
POSIX conformance testing by UNIFIX
PCI: Probing PCI hardware
PCI: Fixing up bus 0
PCI: Fixing up bridge
PCI: Enabling device 01:00.0 (0004 -> 0006)
PCI: Fixing up bus 1
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0xbf800000 (irq = 0) is a ST16650
ttyS01 at 0xbf800008 (irq = 2) is a ST16650
loop: loaded (max 8 devices)
fl: TFFS 5.1.4 Flash disk driver for DiskOnChip
fl: DOC device(s) found: 1
fl: _init: registered device at major: 101
Partition check:
 fla:<7>ldm_validate_partition_table(): Found an MS-DOS partition table, not a dynamic disk.
 p1
fl: partition: 0: start_sect: 0, nr_sects: 55744 Fl_blk_size[]: 27872KB
fl: partition: 1: start_sect: 4, nr_sects: 55716 Fl_blk_size[]: 27858KB
fl: partition: 2: start_sect: 0, nr_sects: 0 Fl_blk_size[]: 0KB
fl: partition: 3: start_sect: 0, nr_sects: 0 Fl_blk_size[]: 0KB
PPP generic driver version 2.4.2
eth0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 2002.9.27.0 (BROADCOM INTERNAL)
eth1: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 2002.9.27.0 (BROADCOM INTERNAL)
CFI: Found no Physically mapped flash device at location zero
Failed to do_map_probe
sflash: chipcommon not found
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
IPv4 over IPv4 tunneling driver
Linux IP multicast router 0.06 plus PIM-SM
IP-Config: Complete:
      device=eth0, addr=192.168.1.170, mask=255.255.255.0, gw=192.168.1.1,
     host=switch-2, domain=, nis-domain=(none),
     bootserver=192.168.1.222, rootserver=192.168.1.222, rootpath=
ip_conntrack version 2.1 (128 buckets, 1024 max) - 300 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
ipt_time loading
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
802.1Q VLAN Support v1.7 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Looking up port of RPC 100003/2 on 192.168.1.222
Looking up port of RPC 100005/1 on 192.168.1.222
VFS: Mounted root (nfs filesystem).
Mounted devfs on /dev
Freeing unused kernel memory: 88k freed
Algorithmics/MIPS FPU Emulator v1.5
insmod: et.o: no module by that name found
insmod: il.o: no module by that name found
insmod: wl.o: no module by that name found
Hit enter to continue...et0: 100Mbps FD link up
Added VLAN with VID == 1 to IF -:eth1:-
Added VLAN with VID == 2 to IF -:eth1:-
eth1.2: add 01:00:5e:00:00:01 mcast address to master interface
eth1.1: Setting MAC address to  08 00 20 b8 e4 86.
VLAN (eth1.1):  Underlying device (eth1) has same MAC, not checking promiscious mode.
eth1.1: add 01:00:5e:00:00:01 mcast address to master interface
eth1.1: No such process
killall: udhcpd: no process killed
et0: link down
ipsec_setup: Stopping FreeS/WAN IPsec...
ipsec_setup: whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (146 Connection refused)
ipsec_setup: Attempt to shut Pluto down failed!  Trying kill:
ipsec_setup: kill: Could not kill pid '637': No such process
ipsec_setup: /usr/local/lib/ipsec/eroute: Trouble openning PF_KEY family socket with error: KLIPS not loaded or enabled.
ipsec_setup: /usr/local/lib/ipsec/spi: Trouble openning PF_KEY family socket with error: KLIPS not loaded or enabled.
cat: /var/run/ipsec_setup.st: No such file or directory
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
WARNING:  Flushing all iptables rules.
klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.99
BCM582x offload enabled
ipsec_setup: Using /lib/modules/2.4.20/kernel/net/ipsec/ipsec.o
ipsec_setup: WARNING: eth1.1 has route filtering turned on, KLIPS may not work
ipsec_setup:  (/proc/sys/net/ipv4/conf/eth1.1/rp_filter = `1', should be 0)
ipsec_setup: Setting /proc/sys/net/ipv4/conf/eth1.1/rp_filter to 0
ipsec_setup: WARNING: eth1.2 has route filtering turned on, KLIPS may not work
ipsec_setup:  (/proc/sys/net/ipv4/conf/eth1.2/rp_filter = `1', should be 0)
ipsec_setup: Setting /proc/sys/net/ipv4/conf/eth1.2/rp_filter to 0
Using /lib/modules/2.4.20/drivers/char/bcm582x.o
pluto[275]: Starting Pluto (FreeS/WAN Version 1.99)
pluto[275]: with BCM582x offload
BCM582x driver v1.84:
 <BCM5823, Bus 1, Slot 2, IRQ 6>
FreeSwan582xif: BCM582x interface activated
FreeSwan582xif: Using global buffers
ipsec_setup: Stopping FreeS/WAN IPsec...
pluto[275]: shutting down
IPSEC EVENT: KLIPS device ipsec0 shut down.
IPSEC EVENT: KLIPS device ipsec1 shut down.
FreeSwan582xif: BCM582x interface deactivated
BCM582x offload disabled
klips_info:pfkey_cleanup: shutting down PF_KEY domain sockets.
klips_info:cleanup_module: ipsec module unloaded.
cat: /var/run/ipsec_setup.st: No such file or directory
40587    99.678   76591.0    138.0  1053644057680069.5    366.2         0
Hit enter to continue...ipsec_setup: Starting FreeS/WAN IPsec 1.99...
Hit enter to continue...Hit enter to continue...Hit enter to continue...klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.99
FreeSwan582xif: BCM582x interface activated
FreeSwan582xif: Using global buffers
BCM582x offload enabled
ipsec_setup: Using /lib/modules/2.4.20/kernel/net/ipsec/ipsec.o
Hit enter to continue...pluto[638]: Starting Pluto (FreeS/WAN Version 1.99)
pluto[638]: with BCM582x offload
pluto[638]: added connection description "connection-2"
pluto[638]: listening for IKE messages
pluto[638]: adding interface ipsec1/eth1.2 172.16.1.192
pluto[638]: adding interface ipsec0/eth1.1 192.168.1.170
pluto[638]: loading secrets from "/etc/ipsec.secrets"
pluto[638]: "connection-2": cannot route Road Warrior template
pluto[638]: "connection-2": cannot initiate connection without knowing peer IP address
Hit enter to continue...Hit enter to continue...Hit enter to continue...pluto[638]: packet from 172.16.1.193:500: Informational Exchange is for an unknown (expired?) SA
pluto[638]: packet from 172.16.1.193:500: Informational Exchange is for an unknown (expired?) SA
pluto[638]: packet from 172.16.1.193:500: ignoring Vendor ID payload
pluto[638]: "connection-2"[1] 172.16.1.193 #1: responding to Main Mode from unknown peer 172.16.1.193
pluto[638]: "connection-2"[1] 172.16.1.193 #1: sent MR3, ISAKMP SA established
pluto[638]: "connection-2"[1] 172.16.1.193 #2: responding to Quick Mode
pluto[638]: "connection-2"[1] 172.16.1.193 #2: IPsec SA established

#
#
#
*****************************************************
	
End of Document
