IPsec tunneling diagnostics

From SaruWiki

Basic connectivity between tunnel endpoints

Naturally, we won't be able to create a tunnel if the endpoints cannot reach each other in the first place. Therefore:

  • Check whether the two endpoints can ping each other. Beware of firewalls on the endpoints (or in between) that block ICMP echo requests or echo replies. Note that a successful ping only proves plain IP reachability; it does not show that IKE traffic (UDP 500, and UDP 4500 for NAT traversal) or ESP (IP protocol 50) gets through.
  • Also, the machines on both sides should have no connection problems with their local endpoint. More specifically: the PCs on your local site should be able to ping the server that will be your local tunnel endpoint.

Basic diagnostics for configuration files

If the tunnel doesn't work, the first thing to check is the configuration. All of the following should be in order:

  • Your kernel should be compiled with the right options. Get the configuration file for your kernel. If you've compiled your own kernel, it's probably in /usr/src/linux-2.6.x.y/.config (with x and y being kernel version numbers, as in 2.6.27.5). If you use the stock Debian kernel, you'll find the kernel configuration under /boot as a file with a name like config-2.6.26.1-amd64; if the kernel was built with CONFIG_IKCONFIG_PROC, the configuration of the running kernel is also available as /proc/config.gz. Check the file with an editor for the following kernel options (verified on a vanilla 2.6.27.5 kernel). A value of =m instead of =y is fine as well, but then the corresponding module has to be loaded (or loadable) on the endpoint; distribution kernels such as Debian's typically build these as modules:
    • CONFIG_NET_KEY=y
    • CONFIG_INET_ESP=y
    • CONFIG_INET_AH=y
    • CONFIG_INET_XFRM_MODE_TRANSPORT=y
    • CONFIG_INET_XFRM_MODE_TUNNEL=y
    • CONFIG_INET_IPCOMP=y
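The check above can be scripted so it can be run on both endpoints and compared. The following POSIX shell script is an added example and not part of the original wiki page: it looks up each of the listed options in a kernel config file, distinguishes built-in (y), module (m) and missing, and locates the running kernel's config via /proc/config.gz or /boot/config-$(uname -r). The function names and the sample config file it writes (with CONFIG_INET_AH deliberately left unset and CONFIG_INET_ESP built as a module) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): verify the IPsec kernel options
# listed above in a kernel .config file. Function names are the example's own.

IPSEC_OPTS="CONFIG_NET_KEY CONFIG_INET_ESP CONFIG_INET_AH \
CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_INET_XFRM_MODE_TUNNEL CONFIG_INET_IPCOMP"

# kconfig_value <config-file> <option>
# Prints the option's value ("y" or "m"); prints "n" when the option is absent
# or only present as a "# CONFIG_FOO is not set" comment.
kconfig_value() {
    v=$(sed -n "s/^$2=\(.*\)$/\1/p" "$1" | head -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'n\n'
}

# check_ipsec_kconfig <config-file>
# Prints one status line per option. Returns 0 only if every option is
# built in (y) or available as a module (m); returns 1 if any is missing.
check_ipsec_kconfig() {
    f=$1
    rc=0
    for opt in $IPSEC_OPTS; do
        v=$(kconfig_value "$f" "$opt")
        case "$v" in
            y) printf '%-32s built-in\n' "$opt" ;;
            m) printf '%-32s module (make sure it is loaded)\n' "$opt" ;;
            *) printf '%-32s MISSING\n' "$opt"; rc=1 ;;
        esac
    done
    return $rc
}

# find_running_kconfig
# Prints the path of a readable config for the running kernel: an unpacked
# copy of /proc/config.gz (needs CONFIG_IKCONFIG_PROC) or the Debian-style
# /boot/config-<release>. Returns 1 and prints nothing if neither exists.
find_running_kconfig() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) || return 1
        gzip -dc /proc/config.gz > "$tmp" && printf '%s\n' "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        printf '%s\n' "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# write_sample_kconfig <file>
# Constructed sample config for demonstration: AH is not set, ESP is a module.
write_sample_kconfig() {
    cat > "$1" <<'EOF'
# Constructed sample kernel config (not a real kernel's .config)
CONFIG_NET_KEY=y
CONFIG_INET_ESP=m
# CONFIG_INET_AH is not set
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_IPCOMP=y
EOF
}

# Usage: check the constructed sample, then the running kernel if its
# config can be found. Replace the sample path with your own .config to
# check a self-built kernel.
sample=$(mktemp) && write_sample_kconfig "$sample"
echo "== constructed sample config =="
check_ipsec_kconfig "$sample" || echo "sample kernel lacks IPsec support"
if cfg=$(find_running_kconfig); then
    echo "== running kernel ($cfg) =="
    check_ipsec_kconfig "$cfg" || echo "running kernel lacks IPsec support"
fi
```

Run it on each tunnel endpoint; an option reported as "module" still needs the module to be present under /lib/modules for the running kernel, which a kernel config check alone cannot tell you.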
IKE diagnostics

Judging policy and SA database content

Firewalls and routing