
debugging ipsec



Is there some way to tell whether two gateways have negotiated an IPSec
tunnel?

When I fire off my ipsecadm commands, I see stuff show up in
/kern/ipsec, and I see flows showing up in `netstat -nr`, but so far
I've been unable to find out whether the two gateways are actually
succeeding in transacting any actual cryptographic traffic.  Packets
from each of my subnets are making it to the opposite gateway and then
disappearing without a trace, so I'm suspecting that maybe they aren't
being decrypted at the other end.

Or something.

But I'm getting no errors in my logs, neither when the gateways
initialize the SAs nor when I try to pass packets back and forth.
/var/log/ipflog shows nothing but passed packets (with all blocking
rules set to log).  tcpdump sees ESP packets on the public NIC of each
gateway, but nothing coming in on enc0 and nothing on the private NIC.

This is sort of a repeat of a much longer post from yesterday; after
working most of the night on this and re-reading lots of docs, I'm still
bewildered about what could be going wrong.

-- 
Michael Jinks, IB // Technical Entity // Saecos Corporation
"No one speaks English and everything's broken."  -- T. Waits
"Tom Waits would have made a decent sysadmin."  -- M. Jinks
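Added example, not part of the original post: a small Python check over constructed tcpdump output that compares the SPIs carried by ESP arriving on the public NIC against the inbound SPIs this gateway was configured with, and flags when nothing is decapsulated onto enc0. The tcpdump line format, addresses and SPI values are assumptions.

```python
import re
from collections import Counter

# Constructed sample tcpdump lines (assumed "esp SRC > DST spi 0xNNNN ..." style);
# this is not a real capture from the poster's gateways.
PUBLIC_NIC = """\
12:00:01.000001 esp 203.0.113.1 > 198.51.100.1 spi 0x00001001 seq 1 len 116
12:00:01.000002 esp 203.0.113.1 > 198.51.100.1 spi 0x00001001 seq 2 len 116
12:00:01.000003 esp 198.51.100.1 > 203.0.113.1 spi 0x00002002 seq 1 len 116
""".splitlines()
ENC0 = []  # constructed: nothing decapsulated was seen on enc0, as in the post

# Inbound SPIs this gateway was given (assumed value for illustration).
LOCAL_IP = "198.51.100.1"
LOCAL_INBOUND_SPIS = {0x1002}

ESP_RE = re.compile(r"esp (\S+) > (\S+) spi 0x([0-9a-fA-F]+)")


def count_esp_by_spi(lines):
    """Count ESP packets per (src, dst, spi) seen on one interface."""
    counts = Counter()
    for line in lines:
        m = ESP_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2), int(m.group(3), 16))] += 1
    return counts


def diagnose(public_lines, enc0_lines, local_ip, inbound_spis):
    """Return findings about the inbound ESP path of this gateway."""
    esp = count_esp_by_spi(public_lines)
    inbound = {k: v for k, v in esp.items() if k[1] == local_ip}
    findings = []
    if not inbound:
        findings.append("no ESP addressed to this gateway seen on the public NIC")
    for (src, _dst, spi), n in inbound.items():
        # ESP whose SPI matches no inbound SA is dropped by the kernel without
        # any decrypted packet ever reaching enc0.
        if spi not in inbound_spis:
            findings.append(
                f"{n} ESP packets from {src} with spi 0x{spi:08x} "
                "match no configured inbound SA")
    if inbound and not enc0_lines:
        findings.append(
            "ESP arrives on the public NIC but nothing appears on enc0: "
            "packets are not being decapsulated")
    return findings


if __name__ == "__main__":
    for f in diagnose(PUBLIC_NIC, ENC0, LOCAL_IP, LOCAL_INBOUND_SPIS):
        print(f)
```

On a live system the same two captures come from `tcpdump -ni <public nic> esp` and `tcpdump -ni enc0`, and the inbound SPIs from the ipsecadm commands used to set up the SAs.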