Talk:IPsec tunneling diagnostics

From SaruWiki
Revision as of 19:05, 11 July 2012 by Saruman! (talk | contribs)

Here's a specific tip for diagnosing IPsec tunnel difficulties. If nothing is happening -- the tunnel doesn't seem to be activating, and there isn't any output about it at all -- it's probable that your security policy configuration is incorrect, so nothing is even trying to use the tunnel. In my case, I got the direction of the traffic mixed up, and tried to say "inbound traffic from myself to machine XYZ should go through the tunnel" (and vice versa). Since I was just working with IP addresses, it was really easy to get them backwards and not notice that fact without a rigorous inspection. Once I reversed the direction and was able to get some output in my logs, my other issues were much easier to identify. :)

Here's my other specific tip. Output like "ERROR: phase1 negotiation failed due to time up." may mean "check your firewalls, you're probably blocking the port. And then when you're done, check your OTHER firewall." (If you're on Amazon EC2, that means to check your security groups, including (if you're in a VPC) both inbound and outbound rules, and subnet ACLs.)

-- 174.62.124.8 23:48, 8 July 2012 (CEST)
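The swapped-direction mistake in the first tip can be caught mechanically. The following is an added example, not code from the post above or from SaruWiki: it assumes the KAME-style `setkey` SPD syntax (the tool family that goes with the racoon error quoted in the second tip) and a constructed `setkey.conf` fragment in which the second policy pair has `-P in` / `-P out` backwards, with the local host and tunnel endpoint addresses given as assumed sample values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample setkey.conf fragment (assumed addresses).
# Lines 1-2 are a correct out/in pair; lines 3-4 repeat the mistake from the
# post: the policy for traffic leaving this host says "in" and vice versa.
SAMPLE_SPD = """
spdadd 10.0.1.5/32 10.0.2.9/32 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.2/require;
spdadd 10.0.2.9/32 10.0.1.5/32 any -P in  ipsec esp/tunnel/198.51.100.2-203.0.113.1/require;
spdadd 10.0.1.5/32 10.0.3.7/32 any -P in  ipsec esp/tunnel/203.0.113.1-198.51.100.9/require;
spdadd 10.0.3.7/32 10.0.1.5/32 any -P out ipsec esp/tunnel/198.51.100.9-203.0.113.1/require;
"""

# This host's own inner address and its tunnel endpoint (assumed sample values).
LOCAL = {"10.0.1.5", "203.0.113.1"}

# Matches: spdadd SRC DST UPPER -P DIR ipsec PROTO/tunnel/TSRC-TDST/LEVEL;
# Deliberately narrow: tunnel-mode policies without [port] suffixes only.
SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"\w+/tunnel/(\S+?)-(\S+?)/\w+\s*;")

def is_local(spec, local_hosts):
    """True if the address or prefix in spec contains one of our own addresses."""
    net = ip_network(spec, strict=False)
    return any(ip_address(h) in net for h in local_hosts)

def check_spd(text, local_hosts):
    """Return (line_no, message) for every policy whose -P direction disagrees
    with which side of the selector (and of the tunnel endpoints) is local."""
    findings = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        m = SPDADD.search(line)
        if not m:
            continue
        src, dst, direction, t_src, t_dst = m.groups()
        if direction == "out" and not is_local(src, local_hosts):
            findings.append((n, f"-P out but source {src} is not local"))
        if direction == "in" and not is_local(dst, local_hosts):
            findings.append((n, f"-P in but destination {dst} is not local"))
        if direction == "out" and not is_local(t_src, local_hosts):
            findings.append((n, f"-P out but tunnel starts at remote {t_src}"))
        if direction == "in" and not is_local(t_dst, local_hosts):
            findings.append((n, f"-P in but tunnel ends at remote {t_dst}"))
    return findings

if __name__ == "__main__":
    for line_no, msg in check_spd(SAMPLE_SPD, LOCAL):
        print(f"line {line_no}: {msg}")
```

Run it against the real file with `setkey -DP` output or `setkey.conf` read from disk; a policy that is flagged here is one that will never match your traffic, which is exactly the silent failure the first tip describes.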

Good tips! Thanks, --Saruman! 20:05, 11 July 2012 (CEST)