[Openswan Users] tools to monitor and get status on ipsec

Mittelsdorf, Bjoern Bjoern.Mittelsdorf at scheer-group.com
Tue Dec 20 02:09:03 EST 2016

Hi Kevin,

interesting question. I hope my uneducated answer will inspire more talented people to join the discussion :-)

We are using tcpdump to diagnose the tunnels. Monitoring the endpoint ips gives you hints about when the renegotiation fails while monitoring the tunneled packets shows firewall blocking and routing issues.
Of course there is no automation in this.

I was not able so far to get the pluto.log to log warnings or error messages I am able to understand but setting loglevel debug might be an option for you. In our cases it is of little help because in fact the tunnels are robust when configured correctly. Most issues we experience are as said above about routing and firewalls in the subnets.


-------- Forwarded Message --------
Subject: 	tools to monitor and get status on ipsec tunnels
Date: 	Sun, 18 Dec 2016 20:46:07 -0500
From: 	Kevin Oxley <koxley at ssi-corp.com>
To: 	users at lists.openswan.org

I'm looking for command lines and/or tools to get more visibility into my ipsec tunnels established using openswan.

At a basic level, I'd like to see how long a tunnel has been up and running, and a history of when each tunnel goes down and up so I can see if the tunnel is bouncing.
On a longer term basis, I'd like to have a monitoring capability to get email notifications when the tunnel changes state.

Any advice and/or pointers would be appreciated.

More information about the Users mailing list