[Openswan Users] Tunnel on demand?

Paul Wouters paul at xelerance.com
Wed Oct 25 12:38:22 EDT 2006


On Wed, 25 Oct 2006, Stefan Denker wrote:

> > Opportunistic Encryption can do that, but not to a Cisco box. And it
> > requires "first packet caching", which klips supports but netkey does
> > not.
>
> I guess i could switch to klips, but this wouldn't help me...
> But I guess retransmission of the first packet would deal with this.

Yes, but it can cause quite a delay...

> Before I get started I got another question: Which is the "official" way
> to see whether a connection is established or not? I know "ipsec auto
> --status" will give me the information needed, but it gives a lot more.
> :)

The easiest way used to be "ipsec eroute", but that only works with KLIPS,
and eroutes have been removed from klips in the development tree for
the merge with netkey. We are working on a replacement (one that also
tells the kernel the connname itself), but it hasn't been written yet.
So unfortunately, auto --status is currently your best bet.

> And (but this is maybe better posted to the developer mailing list)
> speaking of "ipsec auto --status": Which states (STATE_MAIN_I1,
> STATE_QUICK_R2) can a connection be in? Is there a documentation ( apart
> from *.c *g* ) of these somewhere?

Well, the appropriate RFCs. But you might find it easier to set up a few
test connections, or browse through a nightly testrun output, e.g.:

http://lists.openswan.org/pipermail/nightly/2006-October/001191.html

> And last but not least: Is there a nagios plugin to monitor the status
> of a tunnel? So people finding command lines offensive would at least be
> able to check the tunnels' status.

Not yet. One reason I had not written one yet was that I wasn't sure
how useful it was, since if the IPsec tunnel to your nagios server is
down, you won't be able to run the check_ipsec test. And most of our
servers run Opportunistic Encryption, so we already get notifications
from nagios if a tunnel is down, because we can't ssh to it anymore.

Still, it would be a useful plugin for those people who don't use OE.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
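The thread leaves "ipsec auto --status" as the way to tell whether a connection is up and notes that no nagios plugin exists yet. As an added example that is not part of the original post or of Openswan, here is a small Nagios-style check that parses that status output for one connection name and maps the pluto state names mentioned in the thread (STATE_MAIN_I1, STATE_QUICK_R2 and their siblings) to Nagios exit codes. The sample status text is constructed for the example and modelled on pluto's status lines; the connection names and addresses are made up, and the exact field layout on a given Openswan version may differ, which is why the parser keys only on the quoted connection name and the STATE_* token.

```python
#!/usr/bin/env python
"""check_ipsec.py: Nagios-style check for one Openswan connection.

Added example, not an Openswan tool. It runs `ipsec auto --status`,
finds the lines for the named connection and reports whether an IPsec
SA is established. Exit codes follow the Nagios plugin convention.
"""
import re
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Phase 2 (quick mode) states in which an IPsec SA is established,
# on the initiator (I2) or responder (R2) side.
IPSEC_ESTABLISHED = {"STATE_QUICK_I2", "STATE_QUICK_R2"}
# Phase 1 (main mode) states in which only the ISAKMP SA is established.
ISAKMP_ESTABLISHED = {"STATE_MAIN_I4", "STATE_MAIN_R3"}

# Per-state line:  000 #3: "office":500 STATE_QUICK_I2 (sent QI2, ...)
# The ":500" port suffix is optional because older output omits it.
STATE_LINE = re.compile(r'^000 #(\d+): "([^"]+)"(?::\d+)? (STATE_\w+)')
# Per-connection line:  000 "office": 10.1.0.0/16===192.0.2.10[@west]...
CONN_LINE = re.compile(r'^000 "([^"]+)": ')

# Constructed sample of `ipsec auto --status` output (names and
# RFC 5737 addresses are made up for this example).
SAMPLE_STATUS = """\
000 "office": 10.1.0.0/16===192.0.2.10[@west]...198.51.100.20[@east]===10.2.0.0/16; erouted; eroute owner: #3
000 "office":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "backup": 10.1.0.0/16===192.0.2.10[@west]...203.0.113.5[@far]===10.3.0.0/16; unrouted; eroute owner: #0
000 "partner": 10.1.0.0/16===192.0.2.10[@west]...203.0.113.9[@partner]===10.4.0.0/16; prospective erouted; eroute owner: #0
000  
000 #3: "office":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2346s; newest IPSEC; eroute owner
000 #2: "office":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1234s; newest ISAKMP
000 #4: "partner":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 9s
"""


def parse_status(text):
    """Return (loaded, states): the set of loaded connection names and a
    dict mapping connection name -> list of STATE_* tokens seen for it."""
    loaded = set()
    states = {}
    for line in text.splitlines():
        m = STATE_LINE.match(line)
        if m:
            states.setdefault(m.group(2), []).append(m.group(3))
            continue
        m = CONN_LINE.match(line)
        if m:
            loaded.add(m.group(1))
    return loaded, states


def check_conn(text, conn):
    """Map the status of `conn` to a (nagios_exit_code, message) pair."""
    loaded, states = parse_status(text)
    conn_states = states.get(conn, [])
    n_ipsec = sum(1 for s in conn_states if s in IPSEC_ESTABLISHED)
    if n_ipsec:
        return OK, "IPSEC OK - %s: %d IPsec SA(s) established" % (conn, n_ipsec)
    if any(s in ISAKMP_ESTABLISHED for s in conn_states):
        return WARNING, "IPSEC WARNING - %s: ISAKMP SA up but no IPsec SA" % conn
    if conn_states:
        # Still in main or quick mode negotiation (e.g. STATE_MAIN_I1).
        return WARNING, "IPSEC WARNING - %s: negotiating (%s)" % (conn, ", ".join(conn_states))
    if conn in loaded:
        return CRITICAL, "IPSEC CRITICAL - %s: loaded but no SA" % conn
    return UNKNOWN, "IPSEC UNKNOWN - %s: connection not loaded" % conn


def main(argv):
    if len(argv) != 2:
        print("Usage: check_ipsec.py <connname>")
        return UNKNOWN
    try:
        out = subprocess.check_output(["ipsec", "auto", "--status"], universal_newlines=True)
    except (OSError, subprocess.CalledProcessError) as e:
        print("IPSEC UNKNOWN - could not run ipsec auto --status: %s" % e)
        return UNKNOWN
    code, msg = check_conn(out, argv[1])
    print(msg)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the constructed sample, "office" reports OK (one IPsec SA), "partner" WARNING (still in STATE_MAIN_I1), "backup" CRITICAL (loaded, no SA) and an unknown name UNKNOWN. Run the check on the VPN gateway itself, via a local agent, rather than across the tunnel, for the reason Paul gives above: if the tunnel to the nagios server is the one that went down, a remote check never reaches the gateway. A connection with more than one established IPsec SA during rekeying is still reported as OK, since only the count is shown.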
