[Openswan Users] Re: Re: Re: [Openswan dev] Help:How to add messages to show thetunnel'sstatus?

Henrik Nordstrom hno at marasystems.com
Wed Feb 18 08:14:57 CET 2004


On Wed, 18 Feb 2004, swcims wrote:

> I think the effective way is to find route rules which would be added by
> ipsec in /proc/net/route.This special route rule has
> gateway,destination,and its iface is ipsec0. I think if this rule occurs
> in /proc/net/route,that would mean ipsec up.

Well. As it is you who say when these is to be added or deleted on
manuallye keyed connections so you may just as well signal when you
add/delete the routes saving you from having to look into the routing
table.

And it does not say anything wrt the status of the other endpoint of the
tunnel or of the two endpoints at all agree about the tunnel.

But these routes do not really say anything other than that your policy
says that ipsec should be used for these destinations. It does not need to
exists a matching tunnel only because there is routes. When a packet is
routed to the ipsec device it is routed yet another time by the ipsec
eroute table which tells which ipsec tunnel the packet is to be sent via.  
If there is no matching eroute or if the eroute is blackholed then the
packet will be dropped.

Regards
Henrik



More information about the Users mailing list