[Openswan Users] Openswan 2.6.22/CentOS 5.3: what should I see when it is working?

Kevin White openswan-kevin at kevbo.org
Tue Sep 1 13:51:57 EDT 2009


> Note that I've seen cisco routers be "happy" until the packet arrives,
> and it would still silently drop it. Can you get logs from the cisco?

Yes, I can get anything I want from the Cisco.  If it is doing the 
dropping, it looks silent.  It doesn't say anything.  What should I be 
looking for there?

Sorry for such basic questions.  Thanks for the help.

>> Is there any other sort of testing I can do?
> 
> ip xfrm policy
> ip xfrm state

Nice commands.

[root at pgKevTest09 ~]# ip xfrm policy
src 192.168.99.0/24 dst 192.168.10.0/24
         dir in priority 2344
         tmpl src x.x.x.x dst y.y.y.y
                 proto esp reqid 16385 mode tunnel
src 192.168.10.0/24 dst 192.168.99.0/24
         dir out priority 2344
         tmpl src y.y.y.y dst x.x.x.x
                 proto esp reqid 16385 mode tunnel
src 192.168.99.0/24 dst 192.168.10.0/24
         dir fwd priority 2344
         tmpl src x.x.x.x dst y.y.y.y
                 proto esp reqid 16385 mode tunnel


I'm a little confused by the in/out/fwd...why I need all three.  I 
_think_ that means that if I can cause traffic to originate from the box 
on the 192.168.99.0/24 address, I can get it through the tunnel.  ping 
-I, right?  I'm not sure how I force "normal" things, like a telnet 
session, to source from the eth0 IP as opposed to the ppp0 one.  But 
things certainly appear to be set up right.

[root at pgKevTest09 ~]# ip xfrm state
src y.y.y.y dst x.x.x.x
         proto esp spi 0x816a1105 reqid 16385 mode tunnel
         replay-window 32
         auth hmac(md5) 0xcd19fa251023780e8d223a1e8a8bffb4
         enc cbc(des3_ede) 0xe425dae29d6c762cb5bf78cb11b0d3b0a13a20b8ce3050f8
src x.x.x.x dst y.y.y.y
         proto esp spi 0x032ade34 reqid 16385 mode tunnel
         replay-window 32
         auth hmac(md5) 0x422250de889e886b8ef5d93a8ea33fe1
         enc cbc(des3_ede) 0x0064278dddb9f11e83d318eb8ebd35e40da922981c14691a

Kevin
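Added example, not part of the original post or of Openswan: a small checker that cross-references the two outputs above. The three policies are expected for a subnet-to-subnet tunnel: "out" covers traffic the host originates, "in" covers traffic delivered to the host itself, and "fwd" covers traffic the host routes onward, so all three need to point at an SA. The script confirms that each policy template (tmpl src/dst, reqid, mode) has a corresponding entry in `ip xfrm state`, and flags legacy algorithms (3DES and HMAC-MD5 here). Two practical caveats: the hex values after `auth` and `enc` in `ip xfrm state` are the live session keys, so redact them before pasting output anywhere (the parser below discards them); and `ip -s xfrm state` adds per-SA byte and packet counters, which is the quickest way to tell whether a `ping -I` from the eth0 address is actually entering the tunnel. The sample text is the post's own output with its x.x.x.x / y.y.y.y placeholders left as-is; the legacy-algorithm list is an assumed local policy.

```python
"""Cross-check `ip xfrm policy` against `ip xfrm state` (added example)."""
from typing import Dict, List

# Constructed sample: the outputs pasted in the post, placeholders kept.
POLICY_OUT = """\
src 192.168.99.0/24 dst 192.168.10.0/24
        dir in priority 2344
        tmpl src x.x.x.x dst y.y.y.y
                proto esp reqid 16385 mode tunnel
src 192.168.10.0/24 dst 192.168.99.0/24
        dir out priority 2344
        tmpl src y.y.y.y dst x.x.x.x
                proto esp reqid 16385 mode tunnel
src 192.168.99.0/24 dst 192.168.10.0/24
        dir fwd priority 2344
        tmpl src x.x.x.x dst y.y.y.y
                proto esp reqid 16385 mode tunnel
"""

STATE_OUT = """\
src y.y.y.y dst x.x.x.x
        proto esp spi 0x816a1105 reqid 16385 mode tunnel
        replay-window 32
        auth hmac(md5) 0xcd19fa251023780e8d223a1e8a8bffb4
        enc cbc(des3_ede) 0xe425dae29d6c762cb5bf78cb11b0d3b0a13a20b8ce3050f8
src x.x.x.x dst y.y.y.y
        proto esp spi 0x032ade34 reqid 16385 mode tunnel
        replay-window 32
        auth hmac(md5) 0x422250de889e886b8ef5d93a8ea33fe1
        enc cbc(des3_ede) 0x0064278dddb9f11e83d318eb8ebd35e40da922981c14691a
"""

# Assumed local policy: algorithms a current deployment should not negotiate.
LEGACY_ALGS = {"cbc(des3_ede)", "cbc(des)", "hmac(md5)", "ecb(cipher_null)"}


def _records(text: str) -> List[List[str]]:
    """Split iproute2 output into records; each starts at an unindented 'src' line."""
    recs: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            recs.append([])
        recs[-1].append(line.strip())
    return recs


def parse_policy(text: str) -> List[Dict[str, str]]:
    """One dict per policy; template fields are prefixed with 'tmpl_'."""
    out = []
    for rec in _records(text):
        d: Dict[str, str] = {}
        for line in rec:
            toks = line.split()
            prefix = ""
            if toks[0] == "tmpl":
                prefix, toks = "tmpl_", toks[1:]
            for k, v in zip(toks[0::2], toks[1::2]):
                d[prefix + k] = v
        out.append(d)
    return out


def parse_state(text: str) -> List[Dict[str, str]]:
    """One dict per SA; algorithm names are kept, key material is dropped."""
    out = []
    for rec in _records(text):
        d: Dict[str, str] = {}
        for line in rec:
            toks = line.split()
            if toks[0] in ("auth", "auth-trunc", "enc", "aead"):
                d[toks[0]] = toks[1]  # toks[2] is the live key: never keep it
                continue
            for k, v in zip(toks[0::2], toks[1::2]):
                d[k] = v
        out.append(d)
    return out


def check(policy_text: str, state_text: str) -> List[str]:
    """Return findings; an empty list means every policy is backed by a clean SA."""
    findings = []
    sas = parse_state(state_text)
    for p in parse_policy(policy_text):
        tag = f"{p['src']}->{p['dst']} dir {p['dir']}"
        match = [s for s in sas
                 if s.get("src") == p.get("tmpl_src") and s.get("dst") == p.get("tmpl_dst")
                 and s.get("reqid") == p.get("reqid") and s.get("mode") == p.get("mode")]
        if not match:
            findings.append(f"{tag}: no SA for template {p.get('tmpl_src')}->{p.get('tmpl_dst')}")
            continue
        for s in match:
            algs = (s.get("auth"), s.get("auth-trunc"), s.get("enc"))
            legacy = sorted({a for a in algs if a in LEGACY_ALGS})
            if legacy:
                findings.append(f"{tag}: SA spi {s['spi']} uses legacy algorithms {', '.join(legacy)}")
    return findings


if __name__ == "__main__":
    for line in check(POLICY_OUT, STATE_OUT) or ["all policies backed by SAs, no legacy algorithms"]:
        print(line)
```

On a live host, feed it `ip xfrm policy` and `ip xfrm state` captured with `subprocess` instead of the embedded strings; a "no SA" finding for the "fwd" direction is the classic reason forwarded LAN traffic is dropped while host-originated pings work.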

