[Openswan Users] Understanding log messages

Neal Murphy neal.p.murphy at alum.wpi.edu
Fri May 11 13:26:56 EDT 2012 

On Friday 11 May 2012 10:57:18 Jason Voorhees wrote:

> Thanks Roel, those were two basic points that I wasn't sure whay they
> mean. If I want to comunicate "bank" to "cars" and "cars" to "bank"
> -both ways- is it only necessary one definition like the first one?:

You may be a little fuzzy on the networking concept. Unless you are using a 
specialized one-way connectionless protocol, all TCP/IP networking is two-way. 
In fact, the TCP protocol cannot work without two-way communication.

So yes, you need only one connection definition to allow traffic to flow both 
ways. Both ends must use similar configs.

> conn bank-cars
>        right=W.X.Y.Z
>        rightsubnet=10.108.3.0/24
>        left=A.B.C.D
>        leftid=172.31.64.41
>        leftsubnet=130.30.0.0/16
>        aggrmode=no
>        auto=start
> 
> What determines if traffic from "bank" to "cars" subnet or viceversa
> is allowed or not? Is it maybe an firewall/ACL/iptable rule?

Grossly oversimplified, the determining factor is (left subnet, right subnet). 
When IPSEC on whichever side is 'right' sees traffic sourced from the 
10.108.3.0/24 LAN and destined to the 130.30.0.0/16 LAN, it grabs the taffic, 
encrypts it, puts it in ESP packet, and sends it to A.B.C.D. If right's 
leftsubnet were 0.0.0.0/0, then right would send *all* traffic from 
10.108.3.0/24 through IPSEC.

Stated a little differently, the subnets specified in leftsubnet and 
rightsubnet determine which traffic is encrypted and sent through the VPN.

> How can I know if Juniper is configured to start the connection? It
> could be letting my connection in "add" status and just wait to be
> connected by the Juniper appliance?

Check the logs. If you see it sending 'STATE_MAIN_I1' (and the like), then it 
can initiate the conn. If it only sends 'STATE_MAIN_R1' (never sends 
'..._I1'), then it likely cannot initiate ('likely' because it's possible that 
the remote is always be quicker on the draw). The "_I" means 'initial packet'; 
'_R' means 'response packet'.

Whichever side receives your config (above) will send initial packets because 
you have stated 'auto=start'.

More information about the Users mailing list