[Openswan Users] question about conn host-to-host or host-to-network
Paul Wouters
paul at xelerance.com
Mon Oct 6 11:48:05 EDT 2008
On Mon, 6 Oct 2008, Christophe LAUVERNIER wrote:
> When I start the connection the tunnel seems to be on
> ipsec whack --status
> 000 #2: "linux-to-linux" esp.6e2045d2 at 192.168.42.154
> esp.b7de7312 at 192.168.42.254 tun.0 at 192.168.42.154 tun.0 at 192.168.42.254
> ref=0 refhim=4294901761
It's up (though the refhim number is kinda odd, but harmless)
> but when I start: service ipsec status, there are no tunnels up
>
> [root at brennsecure etc]# service ipsec status
> IPsec running - pluto pid: 1277
> pluto pid 1277
> No tunnels up
> [root at brennsecure etc]#
That command might not work very well on NETKEY. Instead try:
ip xfrm state
> When I ping 192.168.42.154 from 192.168.42.254 I saw ESP packets but also
> ICMP packets.
That's normal for NETKEY. A trick John Denker recently gave to see the
encrypted packets is to add a fake alias to the device and sniff there.
> [root at brennsecure etc]# tcpdump -i eth0 -p esp or -p icmp
In your case:
ifconfig eth0:fake 1.2.3.4
tcpdump -n -i eth0:fake
You will then see both encrypted and decrypted traffic.
Paul
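An added example, not from Paul's reply or from Openswan itself: a small shell helper that does the "is the tunnel up?" check on a NETKEY kernel by parsing `ip xfrm state` (the command Paul recommends over `service ipsec status`), and wraps the alias-and-sniff trick from the reply. The addresses and `eth0` are the ones from the thread; the `ip xfrm state` output below is constructed to match the format the tool prints, with fake key material. One caveat worth knowing before pasting real output into a mailing list: `ip xfrm state` prints the live SA keys, so redact the `auth-trunc` and `enc` lines first.

```bash
#!/bin/sh
# Added example (not part of the original thread). Assumes a NETKEY/XFRM
# kernel with iproute2; the sniffing helper additionally needs root,
# ifconfig and tcpdump. Interface eth0 and 1.2.3.4 are taken from the post.

# Count ESP SAs from $1 to $2 in `ip xfrm state` output read from stdin.
# Usage: ip xfrm state | count_esp_sas 192.168.42.254 192.168.42.154
count_esp_sas() {
    local a="$1" b="$2"
    awk -v a="$a" -v b="$b" '
        $1 == "src" && $3 == "dst" { src = $2; dst = $4 }   # SA header line
        $1 == "proto" && $2 == "esp" {                       # its ESP line
            if (src == a && dst == b) n++
        }
        END { print n + 0 }'
}

# Return 0 (up) only when an ESP SA exists in BOTH directions between the
# two peers; a half-open tunnel with one direction missing is reported as
# down, which is the case "ipsec whack --status" alone does not expose.
tunnel_up() {
    local state
    state=$(cat)
    [ "$(printf '%s\n' "$state" | count_esp_sas "$1" "$2")" -ge 1 ] &&
    [ "$(printf '%s\n' "$state" | count_esp_sas "$2" "$1")" -ge 1 ]
}

# The alias trick from the reply, with cleanup: add a throwaway address on
# an alias of the real device and sniff on that alias to see both the ESP
# packets and the cleartext. Needs root; not run automatically here.
sniff_both() {
    local dev="${1:-eth0}" fake="${2:-1.2.3.4}"
    ifconfig "$dev:fake" "$fake" || return 1
    tcpdump -n -i "$dev:fake"
    ifconfig "$dev:fake" down
}

# Constructed sample in the format `ip xfrm state` prints (NOT captured from
# the poster's box; SPIs are the ones quoted in the thread, keys are fake).
SAMPLE_XFRM_STATE='src 192.168.42.254 dst 192.168.42.154
	proto esp spi 0x6e2045d2 reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 96
	enc cbc(aes) 0x00112233445566778899aabbccddeeff
src 192.168.42.154 dst 192.168.42.254
	proto esp spi 0xb7de7312 reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xffeeddccbbaa99887766554433221100ffeeddcc 96
	enc cbc(aes) 0xffeeddccbbaa99887766554433221100
'

# Constructed failure case: only the inbound SA exists (half-open tunnel).
HALF_OPEN_STATE='src 192.168.42.254 dst 192.168.42.154
	proto esp spi 0x6e2045d2 reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 96
	enc cbc(aes) 0x00112233445566778899aabbccddeeff
'

# Demo on the constructed samples; on a live host replace the printf with
#   ip xfrm state | tunnel_up 192.168.42.154 192.168.42.254
if printf '%s\n' "$SAMPLE_XFRM_STATE" | tunnel_up 192.168.42.154 192.168.42.254; then
    echo "linux-to-linux: ESP SAs present in both directions"
fi
if ! printf '%s\n' "$HALF_OPEN_STATE" | tunnel_up 192.168.42.154 192.168.42.254; then
    echo "half-open sample: one direction missing, tunnel reported down"
fi
```

The check deliberately requires an SA in each direction: `ipsec whack --status` lists the connection as established as soon as the negotiation finishes, while the kernel state is what actually decides whether packets get encrypted, which is why Paul points at `ip xfrm state` on NETKEY rather than the init script.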