Openswan ipsec tool

From xinux.net

start

  • ipsec setup --start
ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic...

stop

  • ipsec setup --stop
ipsec_setup: Stopping Openswan IPsec...

restart

  • ipsec setup --restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic...

status

  • ipsec setup --status
IPsec running  - pluto pid: 9515
pluto pid 9515
No tunnels up

Show the available connections

  • grep conn /etc/ipsec.conf
conn toc-ras

conn add

  • ipsec auto --add toc-ras

conn up

  • ipsec auto --up toc-ras
104 "toc-ras" #5: STATE_MAIN_I1: initiate
003 "toc-ras" #5: received Vendor ID payload [Openswan (this version) 2.6.38 ]
003 "toc-ras" #5: received Vendor ID payload [Dead Peer Detection]
106 "toc-ras" #5: STATE_MAIN_I2: sent MI2, expecting MR2
108 "toc-ras" #5: STATE_MAIN_I3: sent MI3, expecting MR3
003 "toc-ras" #5: received Vendor ID payload [CAN-IKEv2]
004 "toc-ras" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1536}
117 "toc-ras" #6: STATE_QUICK_I1: initiate
004 "toc-ras" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5b54fafa <0xd99615e0 xfrm=AES_256-HMAC_MD5 NATOA=none NATD=none DPD=none}

conn delete

  • ipsec auto --delete toc-ras

conn down

  • ipsec auto --down toc-ras

reread secrets

  • ipsec auto --rereadsecrets

status of all connections

  • ipsec auto --status

status of one connection

  • ipsec auto --status | grep toc-ras
000 "toc-ras": 192.168.122.0/24===192.168.252.5<192.168.252.5>...192.168.241.13<192.168.241.13>===192.168.56.0/24; erouted; eroute owner: #16
000 "toc-ras":     myip=unset; hisip=unset;
000 "toc-ras":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
000 "toc-ras":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0; 
000 "toc-ras":   newest ISAKMP SA: #15; newest IPsec SA: #16; 
000 "toc-ras":   IKE algorithms wanted: AES_CBC(7)_256-MD5(1)_000-MODP1536(5); flags=-strict
000 "toc-ras":   IKE algorithms found:  AES_CBC(7)_256-MD5(1)_128-MODP1536(5)
000 "toc-ras":   IKE algorithm newest: AES_CBC_256-MD5-MODP1536
000 "toc-ras":   ESP algorithms wanted: AES(12)_256-MD5(1)_000; pfsgroup=MODP1536(5); flags=-strict
000 "toc-ras":   ESP algorithms loaded: AES(12)_256-MD5(1)_128
000 "toc-ras":   ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=MODP1536
000 #16: "toc-ras":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28404s; newest IPSEC; eroute owner; isakmp#15; idle; import:not set
000 #16: "toc-ras" esp.26aaf00e@192.168.241.13 esp.71b98466@192.168.252.5 tun.0@192.168.241.13 tun.0@192.168.252.5 ref=0 refhim=4294901761
000 #15: "toc-ras":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3204s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set

have a look at the established connections

Note: the XFRM state section of this output prints the live ESP authentication and encryption keys of every SA in clear (the `auth-trunc` and `enc` lines). Treat it as sensitive and do not paste it into tickets or chats unredacted.

  • ipsec look
toc Thu Feb 11 14:40:39 CET 2016
XFRM state:
src 192.168.241.13 dst 192.168.252.5
	proto esp spi 0x71b98466 reqid 16401 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(md5) 0x9def4a65b3bee66c4de357f5cca24cb0 96
	enc cbc(aes) 0xd819c9243025df09b41333a01f7341e906615f638673af60851f3a2f297f9ba7
src 192.168.252.5 dst 192.168.241.13
	proto esp spi 0x26aaf00e reqid 16401 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(md5) 0x6f013010f2b134369a09a783ca6e37b7 96
	enc cbc(aes) 0x58e68b8534684d83b905603ce174bfb4c387023b6f6e46e319eb8465729ab7f8
XFRM policy:
src 192.168.122.0/24 dst 192.168.56.0/24 
	dir out priority 2344 
	tmpl src 192.168.252.5 dst 192.168.241.13
		proto esp reqid 16401 mode tunnel
src 192.168.56.0/24 dst 192.168.122.0/24 
	dir fwd priority 2344 
	tmpl src 192.168.241.13 dst 192.168.252.5
		proto esp reqid 16401 mode tunnel
src 192.168.56.0/24 dst 192.168.122.0/24 
	dir in priority 2344 
	tmpl src 192.168.241.13 dst 192.168.252.5
		proto esp reqid 16401 mode tunnel
src ::/0 dst ::/0 
	socket out priority 0 
src ::/0 dst ::/0 
	socket in priority 0 
src ::/0 dst ::/0 
	socket out priority 0 
src ::/0 dst ::/0 
	socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 
XFRM done
IPSEC mangle TABLES
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
NEW_IPSEC_CONN mangle TABLES
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ROUTING TABLES
default via 192.168.252.1 dev eth0 
192.168.252.0/24 dev eth0  proto kernel  scope link  src 192.168.252.5 
2003:a:32a:1720::/64 dev eth0  proto kernel  metric 256  expires 86072sec mtu 1280
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1280
default via fe80::20c:29ff:fe07:d4c5 dev eth0  proto ra  metric 1024  expires 1472sec hoplimit 64
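Added example (not part of the original page): a small filter that makes `ipsec look` / `ip xfrm state` output safe to share, by replacing the key material after `auth`, `auth-trunc`, `enc` and `aead` with a marker, plus a summary that lists each SA by endpoints, SPI, reqid and algorithms only. The sample lines are the two SAs from the XFRM state section above (indented with spaces instead of the tool's tabs; the regexes accept both); the script and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the page or the Openswan project: share XFRM
# state without leaking the SA keys it contains.

# Sample input: the two ESP SAs printed by `ipsec look` above.
SAMPLE='src 192.168.241.13 dst 192.168.252.5
    proto esp spi 0x71b98466 reqid 16401 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x9def4a65b3bee66c4de357f5cca24cb0 96
    enc cbc(aes) 0xd819c9243025df09b41333a01f7341e906615f638673af60851f3a2f297f9ba7
src 192.168.252.5 dst 192.168.241.13
    proto esp spi 0x26aaf00e reqid 16401 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x6f013010f2b134369a09a783ca6e37b7 96
    enc cbc(aes) 0x58e68b8534684d83b905603ce174bfb4c387023b6f6e46e319eb8465729ab7f8'

# redact_xfrm_keys: replace the hex key that follows an auth/auth-trunc/enc/aead
# algorithm name. SPIs, reqids and addresses are left alone: a peer needs them
# to correlate the SA and they are not secret.
redact_xfrm_keys() {
    sed -E 's/^([[:space:]]*(auth|auth-trunc|enc|aead) [^ ]+ )0x[0-9A-Fa-f]+/\1<key-redacted>/'
}

# xfrm_sa_summary: one line per SA (src -> dst, SPI, reqid, algorithms),
# never printing keys. Only "proto esp spi" lines start an SA, so the
# "tmpl ... proto esp reqid" lines of the policy section are ignored.
xfrm_sa_summary() {
    awk '
    function flush() {
        if (spi != "") printf "%s -> %s spi=%s reqid=%s auth=%s enc=%s\n", src, dst, spi, reqid, auth, enc
        src = dst = spi = reqid = auth = enc = ""
    }
    /^src /          { flush(); src = $2; dst = $4 }
    /proto esp spi / { spi = $4; reqid = $6 }
    /^[ \t]*auth/    { auth = $2 }
    /^[ \t]*enc /    { enc = $2 }
    END              { flush() }'
}

# Usage:  ipsec look | sh xfrm-share.sh --redact
#         ip xfrm state | sh xfrm-share.sh --summary
#         sh xfrm-share.sh --sample
case "${1:-}" in
    --redact)  redact_xfrm_keys ;;
    --summary) xfrm_sa_summary ;;
    --sample)  printf '%s\n' "$SAMPLE" | xfrm_sa_summary ;;
esac
```

The summary is usually all a remote peer's operator needs to confirm that both sides agree on SPIs and reqid; the redacted full output is for the cases where replay-window or flags matter.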

showdefaults ip, nexthop, interface

  • ipsec showdefaults
routephys=eth0
routevirt=none
routeaddr=192.168.252.5
routenexthop=192.168.252.1

collect debugging info

  • ipsec barf --short

Verification

  • ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.6.38/K3.19.0-25-generic (netkey)
Checking for IPsec support in kernel                        	[OK]
 SAref kernel support                                       	[N/A]
 NETKEY:  Testing XFRM related proc values                  	[FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

	[FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

	[OK]
Checking that pluto is running                              	[OK]
 Pluto listening for IKE on udp 500                         	[OK]
 Pluto listening for NAT-T on udp 4500                      	[FAILED]
Two or more interfaces found, checking IP forwarding        	[FAILED]
Checking NAT and MASQUERADEing                              	[OK]
Checking for 'ip' command                                   	[OK]
Checking /bin/sh is not /bin/dash                           	[WARNING]
Checking for 'iptables' command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]
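The `ipsec verify` run above fails three kernel checks: ICMP redirects are still sent and accepted on the interfaces, and IP forwarding is off. What follows is an added example (not from this page or the Openswan project) that persists the fix as a sysctl.d fragment and applies it to the running kernel; the file name 99-ipsec.conf and the function names are this example's choice. It writes the per-interface send_redirects entries as well as conf.all, because the kernel treats send_redirects as enabled when either conf/all or the interface's own entry is 1, which is why `ipsec verify` inspects every interface. The fourth failure, NAT-T on udp/4500, is not a sysctl: with Openswan 2.6 it means `nat_traversal=yes` is missing from the `config setup` section of /etc/ipsec.conf.

```shell
#!/bin/sh
# Added example, not from the page or the Openswan project: make the NETKEY
# checks of `ipsec verify` pass (no ICMP redirects, forwarding on).
# Assumes the /proc/sys/net/ipv4 layout named in the verify output and a
# sysctl.d directory; 99-ipsec.conf is this example's file name.

# ipsec_sysctl_conf: print the persistent settings as a sysctl.d fragment.
ipsec_sysctl_conf() {
    cat <<'EOF'
# Openswan/NETKEY: forward between the tunnel and the LAN, never send or
# accept ICMP redirects (the kernel would otherwise emit bogus ones for
# traffic it is about to encrypt).
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
}

# check_redirects ROOT: walk ROOT/net/ipv4/conf/*/{send,accept}_redirects
# (the same files `ipsec verify` tests) and ROOT/net/ipv4/ip_forward, print
# every value that is still wrong, return 1 if any was. ROOT defaults to
# /proc/sys; another directory can be passed to test on a fake tree.
check_redirects() {
    root=${1:-/proc/sys}
    bad=0
    for f in "$root"/net/ipv4/conf/*/send_redirects "$root"/net/ipv4/conf/*/accept_redirects; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != 0 ]; then
            echo "still enabled: $f"
            bad=1
        fi
    done
    if [ -r "$root/net/ipv4/ip_forward" ] && [ "$(cat "$root/net/ipv4/ip_forward")" != 1 ]; then
        echo "forwarding off: $root/net/ipv4/ip_forward"
        bad=1
    fi
    return $bad
}

# apply_now ROOT: write the values into the live tree (root needed on a real
# system). The fragment alone is not enough for interfaces that already
# exist, because their own send_redirects entry stays at 1 until touched.
apply_now() {
    root=${1:-/proc/sys}
    for f in "$root"/net/ipv4/conf/*/send_redirects "$root"/net/ipv4/conf/*/accept_redirects; do
        if [ -w "$f" ]; then echo 0 > "$f"; fi
    done
    if [ -w "$root/net/ipv4/ip_forward" ]; then echo 1 > "$root/net/ipv4/ip_forward"; fi
}

# Usage:  sh ipsec-sysctl.sh --check      (report what verify will complain about)
#         sh ipsec-sysctl.sh --install    (as root: persist, load, apply, then re-run ipsec verify)
case "${1:-}" in
    --check)   check_redirects ;;
    --install) ipsec_sysctl_conf > /etc/sysctl.d/99-ipsec.conf \
               && sysctl -p /etc/sysctl.d/99-ipsec.conf \
               && apply_now ;;
esac
```

After `--install`, `ipsec verify` should show the two redirect lines and the IP forwarding line as [OK]; interfaces created later inherit conf/default from the fragment.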

Useful log command

  • tail -f /var/log/auth.log | grep toc-ras
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: received Vendor ID payload [CAN-IKEv2]
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.241.13'
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1536}
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:96ff6c59 proposal=AES(12)_256-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xde3cbbbf <0xd253bca2 xfrm=AES_256-HMAC_MD5 NATOA=none NATD=none DPD=none}
Feb 11 14:51:32 toc pluto[11337]: "toc-ras" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x26aaf00e) not found (maybe expired)
Feb 11 14:51:32 toc pluto[11337]: "toc-ras" #1: received and ignored informational message
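The `conn up` output, the `status of one connection` output and the pluto log lines above all name the negotiated algorithms in the same tokens (`prf=oakley_md5`, `AES_256-HMAC_MD5`, `MODP1536`). The tunnel on this page therefore runs AES-256 with HMAC-MD5 integrity and a 1536-bit DH group, both legacy choices today; the `ike=`/`phase2alg=` strings for SHA-2 and MODP2048 or larger depend on the Openswan version and should be checked against its ipsec.conf(5). As an added example (not from this page or the Openswan project), the following filter reads any of those three outputs and reports each legacy parameter once per connection. The sample lines are constructed to match the formats shown above; script and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the page or the Openswan project: flag legacy
# IKE/ESP parameters in `ipsec auto --up`, `ipsec auto --status` and pluto
# auth.log output.

# Constructed sample input in the shape of the lines on this page.
SAMPLE='004 "toc-ras" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1536}
004 "toc-ras" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5b54fafa <0xd99615e0 xfrm=AES_256-HMAC_MD5 NATOA=none NATD=none DPD=none}
000 "toc-ras":   IKE algorithm newest: AES_CBC_256-MD5-MODP1536
000 "toc-ras":   ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=MODP1536
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1536}'

# audit_algs: read status/log lines on stdin. The quoted name is the
# connection; the rest of the line is split into alphanumeric tokens, so
# AES_256-HMAC_MD5 yields aes, 256, hmac, md5 and oakley_md5 yields oakley,
# md5. Each legacy token is reported once per connection. Exit status is 1
# when anything was flagged, 0 when the input is clean.
audit_algs() {
    awk '
    {
        conn = "?"
        if (match($0, /"[^"]+"/)) conn = substr($0, RSTART + 1, RLENGTH - 2)
        n = split($0, tok, /[^A-Za-z0-9]+/)
        for (i = 1; i <= n; i++) {
            t = tolower(tok[i])
            # MD5 or SHA-1 integrity/PRF, (3)DES, MODP groups below 2048 bits
            if (t ~ /^(md5|sha|sha1|des|3des|modp768|modp1024|modp1536)$/) {
                k = conn SUBSEP t
                if (!(k in seen)) { seen[k] = 1; bad++; printf "WEAK %s: %s\n", conn, t }
            }
        }
    }
    END { exit (bad > 0) }'
}

# run_sample: audit the constructed lines above (two findings for toc-ras:
# md5 and modp1536).
run_sample() {
    printf '%s\n' "$SAMPLE" | audit_algs
}

# Usage:  ipsec auto --status | sh audit-ipsec-algs.sh --stdin
#         tail -n 200 /var/log/auth.log | sh audit-ipsec-algs.sh --stdin
#         sh audit-ipsec-algs.sh --sample
case "${1:-}" in
    --sample) run_sample ;;
    --stdin)  audit_algs ;;
esac
```

Because the exit status follows the findings, the `--stdin` form can sit in a cron job or a monitoring check that fails when a peer renegotiates down to a weaker proposal.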

list ca certs

  • ipsec auto --listcacerts

list certs

  • ipsec auto --listcerts