How to monitor openswan IPSEC tunnels

J.L., last updated: 28 August 2012 17:56

It has always been a pain to check whether an IPsec (openswan) tunnel is up or not, at least when you only have access to the gateway(s) responsible for the tunnel. ipsec auto --status and similar commands give huge amounts of hard-to-decode output that is, frankly, of no use when you need a quick answer.

To monitor the connection, one usually assumes that a ping or something similar from a host inside the tunneled LAN is required. But that really makes no sense, if you think about it.

As it is, your gateway is already on your LAN, with at least one interface anyway. Without it, you would have no means of building a tunnel at all.
So, right, the easiest way to check if your net-to-net tunnel is up is indeed to ping it. You just need to send the ping from the INTERNAL interface that is connected to your LAN. The reason is that openswan only tunnels packets whose source address lies inside your local subnet (leftsubnet); a packet sourced from the public eth0 address does not match the tunnel policy and is simply routed the normal way, outside the tunnel.

Let us say your internet connection is on eth0 and your LAN is on eth1 with IP 192.168.0.1. The other side has a similar setup, and its eth1 on the LAN side has IP 192.168.1.1. You would then simply type the following:

root@192.168.0.1# ping -I eth1 192.168.1.1

And that is it! If the tunnel is up, you can reach the other gateway through it. You can also ping anything that is willing to respond on the remote subnet this way. Note that you can give the address 192.168.0.1 instead of eth1; the address form only sets the source address, which is all the tunnel policy cares about.
Should a simple ping prove insufficient, one can use telnet to connect to services, binding the local address with -b:

root@192.168.0.1# telnet -b 192.168.0.1 192.168.1.1 25

Netcat is another option; just set the source address with -s. With netcat you can also probe UDP services (-u):

root@192.168.0.1# nc -s 192.168.0.1 192.168.1.1 25

And last but certainly not least, nmap can be used in the same fashion. -S sets the source address, -sT does a plain TCP connect scan, and -Pn (spelled -PN in older nmap releases) skips host discovery, which would otherwise be sent from the wrong address:

root@192.168.0.1# nmap -sT -Pn -S 192.168.0.1 192.168.1.1-255 -p 135

This tells you, for example, whether anybody on the remote network is listening for MSRPC (TCP port 135).
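A small check script built around the same idea, as an added example that is not part of the original post or of openswan itself. It assumes the addresses used in the text (192.168.0.1 on this gateway's LAN side, 192.168.1.1 as the remote gateway's LAN address) and takes optional host:port targets on the command line; the exit code follows the Nagios convention (0 ok, 1 warning, 2 critical) so the script can be run from cron or a monitoring agent.

```shell
#!/bin/sh
# Added example: probe a net-to-net openswan tunnel from the gateway itself.
# Assumed layout (not from the original post): this gateway's LAN address is
# 192.168.0.1, the remote gateway's LAN address is 192.168.1.1.
LOCAL_SRC="${LOCAL_SRC:-192.168.0.1}"
REMOTE_GW="${REMOTE_GW:-192.168.1.1}"
TIMEOUT=3

# Build the probe command for one target. Without a port we ICMP-ping, with a
# port we do a TCP connect. -I / -s force the LAN-side source address so the
# packet matches the tunnel's leftsubnet/rightsubnet policy.
probe_cmd() {
    src=$1; dst=$2; port=${3:-}
    if [ -z "$port" ]; then
        echo "ping -c 1 -W $TIMEOUT -I $src $dst"
    else
        echo "nc -z -w $TIMEOUT -s $src $dst $port"
    fi
}

# Run one probe; print "up" or "down" and return 0 or 1.
probe() {
    if sh -c "$(probe_cmd "$@")" >/dev/null 2>&1; then
        echo up; return 0
    fi
    echo down; return 1
}

# Summarize "target:state" results: 0 if all up, 2 if all down (tunnel is
# down), 1 if mixed (tunnel is up but some service is unreachable).
summarize() {
    up=0; down=0
    for r in "$@"; do
        case $r in
            *:up) up=$((up+1)) ;;
            *)    down=$((down+1)) ;;
        esac
    done
    total=$((up+down))
    if [ "$down" -eq 0 ]; then echo "OK: $up/$total reachable"; return 0; fi
    if [ "$up" -eq 0 ]; then echo "CRITICAL: tunnel down ($down targets unreachable)"; return 2; fi
    echo "WARNING: tunnel up, $down of $total targets unreachable"; return 1
}

main() {
    results=""
    # ICMP to the remote gateway's LAN address first, then optional services.
    state=$(probe "$LOCAL_SRC" "$REMOTE_GW")
    results="$results $REMOTE_GW:$state"
    for svc in "$@"; do           # each argument is host:port, e.g. 192.168.1.10:25
        host=${svc%:*}; port=${svc#*:}
        state=$(probe "$LOCAL_SRC" "$host" "$port")
        results="$results $svc:$state"
    done
    summarize $results            # word-split on purpose: one result per word
}

# Usage: sh tunnelcheck.sh run [host:port ...]
case "${1:-}" in run) shift; main "$@" ;; esac
```

The ICMP probe alone tells you whether the tunnel is up; the host:port probes distinguish "tunnel down" (everything unreachable) from "tunnel up but a remote service is not answering", which is usually the distinction an on-call person actually needs.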

One more thing. You are by no means limited to the network commands that have the luxury of selecting a source address. One can change the route that openswan sets for the remote LAN. Its updown script normally routes the tunneled LAN via your default gateway, so for locally generated packets the kernel picks your public (eth0) address as the source, and that address is outside the tunnel's policy. If you instead route the remote LAN via your gateway's LAN interface, the kernel picks 192.168.0.1 as the source and you no longer need to specify it. Note that this manual change is undone the next time openswan's updown script runs for that connection (for example after an ipsec restart); the lasting fix is to set leftsourceip=192.168.0.1 in the connection definition, which makes openswan install the route with that source address itself.

Example:

You have:

root@192.168.0.1# route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     defaultgw       255.255.255.0   UG    0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
internet        *               255.255.255.0   U     0      0        0 eth0
default         defaultgw       0.0.0.0         UG    0      0        0 eth0

And you do:

root@192.168.0.1# route del -net  192.168.1.0 netmask 255.255.255.0 gw defaultgw

root@192.168.0.1# route add -net  192.168.1.0 netmask 255.255.255.0 gw 192.168.0.1

so you now have:

root@192.168.0.1# route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     192.168.0.1     255.255.255.0   UG    0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
internet        *               255.255.255.0   U     0      0        0 eth0
default         defaultgw       0.0.0.0         UG    0      0        0 eth0

And pinging 192.168.1.1 now works as well, without -I, because the kernel takes the source address from eth1, the interface the route now points out of.
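To see which source address the kernel will actually put on a packet to the remote LAN, and to install the route with an explicit src hint using iproute2 instead of the net-tools route command, here is an added example that is not from the original post. It assumes the same layout as above (eth1 is the LAN side, 192.168.0.1 is this gateway's LAN address, 192.168.1.0/24 is the remote LAN) and that the ip command is available; the route_src helper only parses the src field out of one line of ip route get output.

```shell
#!/bin/sh
# Added example: check which source address the kernel selects for the remote
# LAN, and fix it with an iproute2 src hint. Assumed layout (not from the
# original post): eth1 = LAN side, 192.168.0.1 = our LAN address,
# 192.168.1.0/24 = remote LAN behind the tunnel.
REMOTE_NET="192.168.1.0/24"
REMOTE_GW="192.168.1.1"
LAN_IF="eth1"
LAN_IP="192.168.0.1"

# Extract the "src" address from one line of `ip route get` output, e.g.
# "192.168.1.1 via 203.0.113.1 dev eth0 src 203.0.113.5 uid 0". Prints
# nothing when the line carries no src field (unreachable destination).
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([0-9.]*\).*/\1/p'
}

# Ask the kernel which source address it would use for a destination.
chosen_src() {
    route_src "$(ip route get "$1" 2>/dev/null | head -n 1)"
}

# Replace whatever route openswan installed for the remote LAN with one that
# points out of the LAN interface and carries an explicit source hint. The
# IPsec policy still rewrites the packet's path to the remote public address;
# the route only decides which source address the kernel fills in.
fix_route() {
    ip route replace "$REMOTE_NET" dev "$LAN_IF" src "$LAN_IP"
}

main() {
    cur=$(chosen_src "$REMOTE_GW")
    if [ "$cur" = "$LAN_IP" ]; then
        echo "ok: packets to $REMOTE_GW are sourced from $LAN_IP"
        return 0
    fi
    echo "packets to $REMOTE_GW would be sourced from '${cur:-none}', not $LAN_IP"
    [ "${1:-}" = "fix" ] || return 1
    fix_route && echo "now sourced from $(chosen_src "$REMOTE_GW")"
}

# Usage: sh tunnelsrc.sh check   (report only)
#        sh tunnelsrc.sh fix     (install the src hint, needs root)
case "${1:-}" in check|fix) main "$1" ;; esac
```

ip route get is the quickest way to confirm the effect of any of the route tricks above: if its src field is your public address, plain pings will bypass the tunnel; if it is the LAN address, they will match the policy.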

Any ideas or comments?