IPsec tunneling diagnostics
Jump to navigation Jump to search
Basic connectivity between tunnel endpoints
Naturally, we won't be able to create a tunnel if the endpoints cannot reach each other in the first place. Therefor:
- Try if the two end points can ping each other. Beware of firewalls on the endpoints (or in between) that block ICMP echo requests or echo replies.
- Also, the machines on both sides should have no connection troubles between themselves and the local endpoint. Slightly more specific: your PC's on your local site should be able to ping the server that'll be your local tunnel endpoint.
Basic diagnostics for configuration files
If the tunnel doesn't work, then the first thing to check is the configuration files. All the following files should match
- Your kernel should be compiled with the right parameters. Get the configuration file for your kernel. If you've compiled your own kernel, it's probably in /usr/src/linux-2.6.x.y/.config (with x and y of course kernel version numbers, like 22.214.171.124). If you use the stock Debian kernel, then you'll find the kernel configuration file under /boot as a file with a name like config-126.96.36.199-amd64. Check these with an editor for the following kernel options (verified on a vanilla 188.8.131.52 kernel):