How to monitor openswan IPSEC tunnels

J.L. last updated: 28 August 2012 17:56

It has always been a pain to check whether an ipsec (openswan) tunnel is up or not. At least it is a bit tricky when you only have access to the gateway(s) responsible for the tunnel. ipsec auto status and other such commands give huge amounts of hard-to-decode data that is, frankly, of no use if you need a quick answer.

To monitor the connection, then, one usually thinks that a ping or something similar from within the tunneled lan would be required. But it really makes no sense if you start to think about it.

As it is, your gateway already is on your lan, at least with one interface anyway. Without it, you would have no means of building a tunnel at all.
So, right, the easiest way to check if your net-to-net tunnel is up is indeed to ping it. You just need to initiate the ping from the INTERNAL interface that is connected to your lan.

Let us say your internet connection is at eth0 and your lan is at eth1 with ip On the other side you have a similar setup, and eth1 on the lan side has an ip of over there. You would then simply type the following:

root@ ping -I eth1

And that is it! If the tunnel is up, you can reach your other gateway through it. You can also ping anything that is willing to respond on the subnet this way. Note that you can use instead of eth1.
Should a simple ping prove insufficient, one can use telnet to connect to the services:

root@ telnet -b 25

One also has the option of using, say, netcat. Just set the source address! With netcat you also have the option of sending UDP.

root@ nc -s 25

And last but certainly not least, one can use nmap in the same fashion.

root@ nmap -sT -PN -S -p 135

This tells you, for example, whether anybody on the remote network is listening for msrpc.

One more thing. You are by no means limited to the network commands that offer the luxury of selecting a source address. One can add (or change) the route set by ipsec. It is usually set so that the tunneled lan is routed through the default gateway. If you instead route it through your gateway's lan interface, you will no longer need to specify your source ip.


You have:

root@ route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                defaultgw                       UG    0      0        0 eth0
                *                               U     0      0        0 eth1
internet        *        U     0      0        0 eth0
default         defaultgw         UG    0      0        0 eth0

And you do:

root@ route del -net netmask gw defaultgw

root@ route add -net netmask gw

so you now have:

root@ route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    0      0        0 eth1
                *                               U     0      0        0 eth1
internet        *        U     0      0        0 eth0
default         defaultgw         UG    0      0        0 eth0

And pinging now works as well.
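Putting the two checks above together into something a monitoring script can call: a ping sourced from the lan interface, a netcat connect to a tcp service, and a look at the routing table to confirm the remote lan is routed via the lan interface rather than the default gateway. This is an added example, not code from the original post; the interface name, the addresses (RFC 5737 documentation space) and the sample route table are placeholders constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original post. Placeholder values below are
# assumptions; replace them with your own gateway's interface and addresses.
LAN_IF="eth1"                 # our lan-side interface
REMOTE_GW="192.0.2.1"         # remote gateway's lan-side ip (placeholder)
REMOTE_NET="192.0.2.0"        # remote lan network (placeholder)
REMOTE_MASK="255.255.255.0"

# tunnel_ping: ping the remote gateway's lan address, sourced from our lan
# interface, exactly as "ping -I eth1" in the post. -c 3 / -W 2 keep a down
# tunnel from blocking the monitor. Returns 0 if the tunnel carried the reply.
tunnel_ping() {   # args: source interface, target ip
    ping -c 3 -W 2 -I "$1" "$2" >/dev/null 2>&1
}

# tunnel_tcp: same idea with netcat for a tcp service (e.g. smtp on 25),
# setting the source address with -s as in the post.
tunnel_tcp() {   # args: source ip, host, port
    nc -z -w 2 -s "$1" "$2" "$3" >/dev/null 2>&1
}

# route_iface: given the text of `route -n`, print the interface the given
# network is routed through. After the route change from the post this should
# be the lan interface, not eth0 (the default gateway's interface).
route_iface() {   # args: route table text, destination net, netmask
    printf '%s\n' "$1" | awk -v d="$2" -v m="$3" '$1 == d && $3 == m { print $NF }'
}

# Constructed sample output mirroring the "after" table in the post
# (numeric form, as printed by `route -n`).
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.0       10.0.0.1        255.255.255.0   UG    0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0'

# check_tunnel: one verdict for a monitoring script. Exit 2 if the remote lan
# is not routed via the lan interface, 1 if the gateway does not answer
# through the tunnel, 0 if the tunnel is up.
check_tunnel() {
    [ "$(route_iface "$(route -n)" "$REMOTE_NET" "$REMOTE_MASK")" = "$LAN_IF" ] || return 2
    tunnel_ping "$LAN_IF" "$REMOTE_GW" || return 1
    return 0
}
```

Call check_tunnel from cron or a Nagios-style plugin and act on its exit code; route_iface can be run against the sample table offline to see what it reports.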

Any ideas or comments?
