Talk:IPsec tunneling diagnostics: Difference between revisions

From SaruWiki
Revision as of 19:05, 11 July 2012

Here's a specific tip for diagnosing IPsec tunnel difficulties. If nothing is happening -- the tunnel doesn't seem to be activating, and there isn't any output about it at all -- it's probable that your security policy configuration is incorrect, so nothing is even trying to use the tunnel. In my case, I got the direction of the traffic mixed up, and tried to say "inbound traffic from myself to machine XYZ should go through the tunnel" (and vice versa). Since I was just working with IP addresses, it was really easy to get them backwards and not notice that fact without a rigorous inspection. Once I reversed the direction and was able to get some output in my logs, my other issues were much easier to identify. :)

Here's my other specific tip. Output like "ERROR: phase1 negotiation failed due to time up." may mean "check your firewalls, you're probably blocking the port. And then when you're done, check your OTHER firewall." (If you're on Amazon EC2, that means to check your security groups, including (if you're in a VPC) both inbound and outbound rules, and subnet ACLs.)

-- 174.62.124.8 23:48, 8 July 2012 (CEST)
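The two mistakes described in the post above (policy direction reversed, and a firewall silently dropping IKE) can both be caught before the tunnel is ever brought up. The following script is an added example, not part of this talk page or of any tool on the wiki. It assumes setkey(8)-style `spdadd` lines (ipsec-tools / racoon syntax, which is where the "phase1 negotiation failed due to time up" message comes from) and uses constructed, documentation-range addresses; the firewall rule lists are likewise constructed. The rule for direction is the one the poster got backwards: an `out` policy must have a local source and a local tunnel endpoint first, an `in` policy must have a local destination and a local tunnel endpoint second. The port check covers what IKE needs: UDP 500, UDP 4500 for NAT traversal, and IP protocol ESP, checked separately for the inbound and outbound rule sets because either one can be the "OTHER firewall".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample. Local host has inner address 10.1.0.5 and outer
# (tunnel gateway) address 203.0.113.1; the peer is 10.2.0.9 behind 198.51.100.1.
LOCAL_ADDRS: Set[str] = {"10.1.0.5", "203.0.113.1"}

# Direction backwards: "in" from myself to the peer, "out" from the peer to me.
SAMPLE_SPD_WRONG = """
spdadd 10.1.0.5 10.2.0.9 any -P in ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.2.0.9 10.1.0.5 any -P out ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
"""

# Same policies with the directions the way they should be.
SAMPLE_SPD_RIGHT = """
spdadd 10.1.0.5 10.2.0.9 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.2.0.9 10.1.0.5 any -P in ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
"""

SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out|fwd)"
    r"\s+(?P<policy>.+?);?$"
)
TUNNEL_RE = re.compile(r"esp/tunnel/(?P<a>[^-/]+)-(?P<b>[^/]+)/")


@dataclass
class SpdEntry:
    src: str
    dst: str
    direction: str
    tunnel_src: Optional[str]
    tunnel_dst: Optional[str]


def _bare(addr: str) -> str:
    """Drop a /prefix or [port] suffix so the address compares cleanly."""
    return addr.split("/")[0].split("[")[0]


def parse_spd(text: str) -> List[SpdEntry]:
    """Parse setkey-style spdadd lines into SpdEntry records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised spdadd line: {line}")
        t = TUNNEL_RE.search(m["policy"])
        entries.append(SpdEntry(m["src"], m["dst"], m["dir"],
                                t["a"] if t else None, t["b"] if t else None))
    return entries


def check_directions(entries: List[SpdEntry], local: Set[str]) -> List[str]:
    """Flag policies whose direction disagrees with which side is local."""
    problems = []
    for e in entries:
        src, dst = _bare(e.src), _bare(e.dst)
        if e.direction == "out" and src not in local:
            problems.append(f"out policy {e.src}->{e.dst}: source is not local (reversed?)")
        if e.direction == "in" and dst not in local:
            problems.append(f"in policy {e.src}->{e.dst}: destination is not local (reversed?)")
        if e.tunnel_src and e.direction == "out" and e.tunnel_src not in local:
            problems.append(f"out policy {e.src}->{e.dst}: tunnel starts at {e.tunnel_src}, not here")
        if e.tunnel_dst and e.direction == "in" and e.tunnel_dst not in local:
            problems.append(f"in policy {e.src}->{e.dst}: tunnel ends at {e.tunnel_dst}, not here")
    return problems


# (protocol, port) that IKE/IPsec needs open; port None means "whole protocol".
IKE_RULES: List[Tuple[str, Optional[int]]] = [("udp", 500), ("udp", 4500), ("esp", None)]

# Constructed firewall rule sets, e.g. an EC2 security group with both directions.
SAMPLE_INBOUND = [("udp", 500), ("udp", 4500), ("esp", None)]
SAMPLE_OUTBOUND = [("udp", 500), ("tcp", 22)]  # the "OTHER firewall" is the gap


def missing_ike_rules(inbound, outbound) -> Dict[str, List[Tuple[str, Optional[int]]]]:
    """Report which IKE/ESP rules are absent from each direction's rule set."""
    return {
        "inbound": [r for r in IKE_RULES if r not in inbound],
        "outbound": [r for r in IKE_RULES if r not in outbound],
    }


if __name__ == "__main__":
    for name, text in (("wrong", SAMPLE_SPD_WRONG), ("right", SAMPLE_SPD_RIGHT)):
        print(name, check_directions(parse_spd(text), LOCAL_ADDRS) or "ok")
    print(missing_ike_rules(SAMPLE_INBOUND, SAMPLE_OUTBOUND))
```

Run it against your own SPD dump (`setkey -DP` output reformatted as `spdadd` lines) with your real local addresses in `LOCAL_ADDRS`; a reversed policy shows up as two findings per line, once for the selector and once for the tunnel endpoint, while a correct pair yields none.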

Good tips! Thanks, --Saruman! 20:05, 11 July 2012 (CEST)