Hello everybody.
I would like to know if there is a way to debug IPsec (ESP) packets (something like klipsdebug=all with swan/KLIPS). Also I would like to know where/if I could see any statistics (dropped packets, for example). I'm asking this because this morning a couple of tunnels (same endpoints) on a Linux 2.6.14.3 box have stopped responding (the IPsec SA was established but there was apparently no packet flow). This is my network diagram:
---priv1_net---|swan1 box|---eth0_pub_ip-*internet*-pub_ip_eth0---|2.6.14.3|---priv2_net
I was trying to ping a priv1_net system from a priv2_net box. I didn't receive any echo reply packet. So, I did a tcpdump -p -n ip host 'priv1_net system' on the 2.6.14.3 Linux system and I *was* seeing the echo reply packet; then I did a tcpdump -p -n ip host 'priv1_net system' -i priv2_net_NIC (eth1) and I was not seeing any ICMP packet (ODD!!!). The IKE daemon for this 2.6.14.3 system is Openswan 2.4.4.
This is the first time I see this problem. I'm running 2.6.14.3 since 2005-12-12 (never rebooted).
To resolve the problem I have brought down and up both tunnels with the following commands:
ipsec auto --down tunnel
ipsec auto --up tunnel
I'm upgrading it to 2.6.15 since I have read this on the 2.6.15 changelog:
commit 9b78a82c1cf19aa813bdaa184fa840a3ba811750
Author: David S. Miller <davem@xxxxxxxxxxxxxxxxxxxx>
Date: Thu Dec 22 07:39:48 2005 -0800
[IPSEC]: Fix policy updates missed by sockets
Maybe anyone could confirm this problem is resolved with this fix?
Any feedback is welcome.
TIA
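The post asks where IPsec drop statistics can be seen. The following is an added example, not part of the original mailing-list post or of Openswan: it parses the per-reason XFRM drop counters that the kernel exposes in /proc/net/xfrm_stat and prints a hint for the most common causes. It assumes a kernel built with CONFIG_XFRM_STATISTICS (that file does not exist on the 2.6.14 kernel discussed in the post; it was added in later 2.6 kernels). The counter snapshot embedded below is a constructed sample so the script runs offline; the counter names themselves are the real kernel names.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes CONFIG_XFRM_STATISTICS,
# i.e. a kernel that provides /proc/net/xfrm_stat with one "Name value" line
# per drop reason.

# Print every counter from xfrm_stat-style input on stdin whose value is not 0.
# Output format: "name value", one per line.
xfrm_nonzero() {
    awk '$2 != 0 { print $1, $2 }'
}

# Number of non-zero counters in the snapshot on stdin.
xfrm_drop_count() {
    xfrm_nonzero | wc -l | tr -d ' '
}

# Report the non-zero counters with a short explanation of what each means.
# Returns 0 when nothing was dropped, 1 when at least one counter is set.
xfrm_diagnose() {
    drops=$(xfrm_nonzero)
    if [ -z "$drops" ]; then
        echo "no XFRM drops recorded"
        return 0
    fi
    echo "$drops" | while read -r name value; do
        case "$name" in
            XfrmInNoStates)
                hint="inbound ESP matched no SA (SPI/peer mismatch or SA expired)" ;;
            XfrmInTmplMismatch)
                hint="SA found but it does not satisfy the policy template" ;;
            XfrmInNoPols|XfrmOutNoStates)
                hint="traffic matched no policy/SA; compare 'ip xfrm policy' and 'ip xfrm state'" ;;
            XfrmInPolBlock|XfrmOutPolBlock)
                hint="a discard policy dropped the packet" ;;
            *)
                hint="see 'ip -s xfrm state' and 'ip xfrm policy'" ;;
        esac
        echo "$name=$value: $hint"
    done
    return 1
}

# Constructed sample snapshot (trimmed list of the real counter names).
# Here the only non-zero counter is XfrmInNoStates, the typical signature of
# ESP arriving for an SA the kernel does not hold.
SAMPLE='XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  3
XfrmInStateProtoError           0
XfrmInStateModeError            0
XfrmInStateSeqError             0
XfrmInStateExpired              0
XfrmInStateMismatch             0
XfrmInStateInvalid              0
XfrmInTmplMismatch              0
XfrmInNoPols                    0
XfrmInPolBlock                  0
XfrmInPolError                  0
XfrmOutError                    0
XfrmOutBundleGenError           0
XfrmOutBundleCheckError         0
XfrmOutNoStates                 0
XfrmOutStateProtoError          0
XfrmOutStateModeError           0
XfrmOutStateSeqError            0
XfrmOutStateExpired             0
XfrmOutPolBlock                 0
XfrmOutPolDead                  0
XfrmOutPolError                 0'

# Live use on a supporting kernel:
#   xfrm_diagnose < /proc/net/xfrm_stat
# Offline demo on the constructed sample (non-zero exit means drops were found):
printf '%s\n' "$SAMPLE" | xfrm_diagnose || :
```

On a kernel that lacks xfrm_stat, the per-SA counters from `ip -s xfrm state` (packets, bytes and replay/integrity failures) are the nearest equivalent, and tcpdump's `esp` filter primitive shows whether encrypted packets reach the box at all.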