[Openswan Users] Monitoring connections

Will Roberts ironwill42 at gmail.com
Fri Aug 31 18:00:13 EDT 2012


I have a script that gets run periodically by Nagios to determine 
whether my VPN connections are working properly. The script ensures that 
the ipsec/xl2tp/ppp tunnel is established and then hits a website over 
the tunnel using cURL:

curl -s --interface ppp# http://website/ipCheck.php

This works fine as long as the website I specify is working. I'd love to 
be able to change website to the IP/hostname of the machine checking the 
connections, but if I do that the TCP connection is never established; 
the SYN packet goes from A -> B -> A, and the ACK goes from A -> B -> A, 
but never seems to be accepted by A.

Here's some output from tcpdump, A is, B is

21:56:28.772556 IP > 
ESP(spi=0x8840ec86,seq=0xe3), length 116
21:56:28.798553 IP > Flags [S], 
seq 1484492853, win 5040, options [mss 1260,sackOK,TS val 136311174 ecr 
0,nop,wscale 5], length 0
21:56:28.798601 IP > Flags [S.], 
seq 2675861561, ack 1484492854, win 5792, options [mss 1460,sackOK,TS 
val 136311182 ecr 136311174,nop,wscale 5], length 0
21:56:28.826462 IP > 
ESP(spi=0xfae7732b,seq=0x9b), length 116

and here's the SYN retrans:
21:56:31.768096 IP > 
ESP(spi=0x8840ec86,seq=0xe4), length 116

Is there some sort of networking rule in Linux that would prevent a 
machine from processing a packet sent from its own address over an 
external interface? (which makes some sense now that I write that out)


More information about the Users mailing list