Openswan ipsec tool: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Thomas (Diskussion | Beiträge) |
Thomas (Diskussion | Beiträge) |
||
| Zeile 138: | Zeile 138: | ||
=collect debugging infos= | =collect debugging infos= | ||
*ipsec barf --short | *ipsec barf --short | ||
| + | =Verifzierung= | ||
| + | *ipsec verify | ||
| + | <pre> | ||
| + | Checking your system to see if IPsec got installed and started correctly: | ||
| + | Version check and ipsec on-path [OK] | ||
| + | Linux Openswan U2.6.38/K3.19.0-25-generic (netkey) | ||
| + | Checking for IPsec support in kernel [OK] | ||
| + | SAref kernel support [N/A] | ||
| + | NETKEY: Testing XFRM related proc values [FAILED] | ||
| + | |||
| + | Please disable /proc/sys/net/ipv4/conf/*/send_redirects | ||
| + | or NETKEY will cause the sending of bogus ICMP redirects! | ||
| + | |||
| + | [FAILED] | ||
| + | |||
| + | Please disable /proc/sys/net/ipv4/conf/*/accept_redirects | ||
| + | or NETKEY will accept bogus ICMP redirects! | ||
| + | |||
| + | [OK] | ||
| + | Checking that pluto is running [OK] | ||
| + | Pluto listening for IKE on udp 500 [OK] | ||
| + | Pluto listening for NAT-T on udp 4500 [FAILED] | ||
| + | Two or more interfaces found, checking IP forwarding [FAILED] | ||
| + | Checking NAT and MASQUERADEing [OK] | ||
| + | Checking for 'ip' command [OK] | ||
| + | Checking /bin/sh is not /bin/dash [WARNING] | ||
| + | Checking for 'iptables' command [OK] | ||
| + | Opportunistic Encryption Support [DISABLED] | ||
| + | </pre> | ||
=list ca certs= | =list ca certs= | ||
Version vom 11. Februar 2016, 13:45 Uhr
start
- ipsec setup --start
ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic...
stop
- ipsec setup --stop
ipsec_setup: Stopping Openswan IPsec...
restart
- ipsec setup --restart
ipsec_setup: Stopping Openswan IPsec... ipsec_setup: stop ordered, but IPsec appears to be already stopped! ipsec_setup: doing cleanup anyway... ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic...
status
- ipsec setup --status
IPsec running - pluto pid: 9515 pluto pid 9515 No tunnels up
Anzeige der verfügbaren Verbindungen
- grep conn /etc/ipsec.conf
conn toc-ras
conn add
- ipsec auto --add toc-ras
conn up
- ipsec auto --up toc-ras
104 "toc-ras" #5: STATE_MAIN_I1: initiate
003 "toc-ras" #5: received Vendor ID payload [Openswan (this version) 2.6.38 ]
003 "toc-ras" #5: received Vendor ID payload [Dead Peer Detection]
106 "toc-ras" #5: STATE_MAIN_I2: sent MI2, expecting MR2
108 "toc-ras" #5: STATE_MAIN_I3: sent MI3, expecting MR3
003 "toc-ras" #5: received Vendor ID payload [CAN-IKEv2]
004 "toc-ras" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1536}
117 "toc-ras" #6: STATE_QUICK_I1: initiate
004 "toc-ras" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5b54fafa <0xd99615e0 xfrm=AES_256-HMAC_MD5 NATOA=none NATD=none DPD=none}
conn delete
- ipsec auto --delete toc-ras
conn down
- ipsec auto --down toc-ras
reread secrets
- ipsec auto --rereadsecrets
status of all connections
- ipsec auto --status
status of one connection
- ipsec auto --status | grep toc-ras
000 "toc-ras": 192.168.122.0/24===192.168.252.5<192.168.252.5>...192.168.241.13<192.168.241.13>===192.168.56.0/24; erouted; eroute owner: #16 000 "toc-ras": myip=unset; hisip=unset; 000 "toc-ras": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "toc-ras": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0; 000 "toc-ras": newest ISAKMP SA: #15; newest IPsec SA: #16; 000 "toc-ras": IKE algorithms wanted: AES_CBC(7)_256-MD5(1)_000-MODP1536(5); flags=-strict 000 "toc-ras": IKE algorithms found: AES_CBC(7)_256-MD5(1)_128-MODP1536(5) 000 "toc-ras": IKE algorithm newest: AES_CBC_256-MD5-MODP1536 000 "toc-ras": ESP algorithms wanted: AES(12)_256-MD5(1)_000; pfsgroup=MODP1536(5); flags=-strict 000 "toc-ras": ESP algorithms loaded: AES(12)_256-MD5(1)_128 000 "toc-ras": ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=MODP1536 000 #16: "toc-ras":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28404s; newest IPSEC; eroute owner; isakmp#15; idle; import:not set 000 #16: "toc-ras" esp.26aaf00e@192.168.241.13 esp.71b98466@192.168.252.5 tun.0@192.168.241.13 tun.0@192.168.252.5 ref=0 refhim=4294901761 000 #15: "toc-ras":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3204s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
have a look to the established connections
- ipsec look
toc Thu Feb 11 14:40:39 CET 2016 XFRM state: src 192.168.241.13 dst 192.168.252.5 proto esp spi 0x71b98466 reqid 16401 mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(md5) 0x9def4a65b3bee66c4de357f5cca24cb0 96 enc cbc(aes) 0xd819c9243025df09b41333a01f7341e906615f638673af60851f3a2f297f9ba7 src 192.168.252.5 dst 192.168.241.13 proto esp spi 0x26aaf00e reqid 16401 mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(md5) 0x6f013010f2b134369a09a783ca6e37b7 96 enc cbc(aes) 0x58e68b8534684d83b905603ce174bfb4c387023b6f6e46e319eb8465729ab7f8 XFRM policy: src 192.168.122.0/24 dst 192.168.56.0/24 dir out priority 2344 tmpl src 192.168.252.5 dst 192.168.241.13 proto esp reqid 16401 mode tunnel src 192.168.56.0/24 dst 192.168.122.0/24 dir fwd priority 2344 tmpl src 192.168.241.13 dst 192.168.252.5 proto esp reqid 16401 mode tunnel src 192.168.56.0/24 dst 192.168.122.0/24 dir in priority 2344 tmpl src 192.168.241.13 dst 192.168.252.5 proto esp reqid 16401 mode tunnel src ::/0 dst ::/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 XFRM done IPSEC mangle TABLES iptables: No chain/target/match by that name. ip6tables: No chain/target/match by that name. NEW_IPSEC_CONN mangle TABLES iptables: No chain/target/match by that name. ip6tables: No chain/target/match by that name. ROUTING TABLES default via 192.168.252.1 dev eth0 192.168.252.0/24 dev eth0 proto kernel scope link src 192.168.252.5 2003:a:32a:1720::/64 dev eth0 proto kernel metric 256 expires 86072sec mtu 1280 fe80::/64 dev eth0 proto kernel metric 256 mtu 1280 default via fe80::20c:29ff:fe07:d4c5 dev eth0 proto ra metric 1024 expires 1472sec hoplimit 64
showdefaults ip, nexthop, interface
- ipsec showdefaults
routephys=eth0 routevirt=none routeaddr=192.168.252.5 routenexthop=192.168.252.1
collect debugging infos
- ipsec barf --short
Verifzierung
- ipsec verify
Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.38/K3.19.0-25-generic (netkey) Checking for IPsec support in kernel [OK] SAref kernel support [N/A] NETKEY: Testing XFRM related proc values [FAILED] Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects! [FAILED] Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects! [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for NAT-T on udp 4500 [FAILED] Two or more interfaces found, checking IP forwarding [FAILED] Checking NAT and MASQUERADEing [OK] Checking for 'ip' command [OK] Checking /bin/sh is not /bin/dash [WARNING] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED]
list ca certs
ipsec auto --listcacerts
list certs
ipsec auto --listcerts