Mikrotik
Andrey, 2017-01-10 10:00:50

How to check that IPsec is working in an L2TP tunnel with dynamic routing?

Good afternoon, colleagues!
I'm asking for your help with a tricky matter.
At first glance, a trivial setup. The client connects to the server over L2TP, gets its route via OSPF, and everything works great.
I wanted to add IPsec to this (in transport mode) by attaching it to the tunnel endpoints, 10.10.183.1 on one end and 10.10.183.2 on the other.
There is a connection in Remote Peers.
Installed SAs is empty. In Policies, the Statistics tab is empty as well.
The logs are silent.
Pings go through all the time...
Tell me, is encryption working in the tunnel? How can this be checked?
Here is the log output when the IPsec connection breaks:

echo: ipsec,debug,packet sockname 10.10.183.2[500]
echo: ipsec,debug,packet send packet from 10.10.183.2[500]
echo: ipsec,debug,packet send packet to 10.10.183.1[500]
echo: ipsec,debug,packet src4 10.10.183.2[500]
echo: ipsec,debug,packet dst4 10.10.183.1[500]
echo: ipsec,debug,packet 1 times of 92 bytes message will be sent to 10.10.183.1[500]
echo: ipsec,debug,packet 19fed9a5 04920b51 8025d5c9 bc00b14e 08100501 e9224332 0000005c 6f6a7e9e
echo: ipsec,debug,packet 06b94d13 171561db 81b1f730 88fff274 dc2679f9 e0ae2193 65cfa70c 3e3415a0
echo: ipsec,debug,packet cc807fb9 8e2935a7 a0442735 72c1499d f09747f4 5c851c6e bdb76bd8
echo: ipsec,debug,packet sendto Information delete.
echo: ipsec,debug,packet an undead schedule has been deleted.
echo: ipsec,debug,packet an undead schedule has been deleted.
[[email protected]_LEN] > 
  (228 messages discarded)
echo: ipsec,debug,packet 545ebc84 110f817b 1a08fdea 34082bb7 00000001 00000001 00000030 01010001
echo: ipsec,debug,packet 00000028 01010000 800b0001 000c0004 00015180 80010007 800e0080 80030001
echo: ipsec,debug,packet 80020002 80040002 011101f4 0a0ab701
echo: ipsec,debug,packet hmac(hmac_sha1)
echo: ipsec,debug,packet HASH computed:
echo: ipsec,debug,packet c33e3da8 72b6abb0 565b5d7d e55d6a64 4d763d94
echo: ipsec,debug,packet HASH for PSK validated.
echo: ipsec,debug,packet peer's ID:
echo: ipsec,debug,packet 011101f4 0a0ab701
echo: ipsec,debug,packet ===
echo: ipsec,debug ISAKMP-SA established 10.10.183.2[500]-10.10.183.1[500] spi:1a08fdea34082bb7:545ebc84110f817b
echo: ipsec,debug,packet ===
[[email protected]_LEN] >

Here's what else comes up from time to time:
[[email protected]_LEN] > 
  (151 messages discarded)
echo: ipsec,debug,packet c9b4ebb7 00000020 00000001 01108d29 1a08fdea 34082bb7 545ebc84 110f817b
echo: ipsec,debug,packet 00000f2c
echo: ipsec,debug,packet hmac(hmac_sha1)
echo: ipsec,debug,packet HASH computed:
echo: ipsec,debug,packet 67adda30 5845fc95 da6b43f7 e9be928c 2c2d9326
echo: ipsec,debug,packet hash validated.
echo: ipsec,debug,packet begin.
echo: ipsec,debug,packet seen nptype=8(hash)
echo: ipsec,debug,packet seen nptype=11(notify)
echo: ipsec,debug,packet succeed.
echo: ipsec,debug,packet DPD R-U-There-Ack received
echo: ipsec,debug,packet received an R-U-THERE-ACK

CityCat4, 2017-01-10
@andrey71

If the SA list is empty, then no SA has been installed, so IPsec is not working. Turn on the detailed IPsec log; it's really not easy to navigate (Mikrotik uses racoon, and it throws out so much debugging output that it's just too much), but it's better to have a lot than nothing at all.
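The answer's point, as an added example that is not code from the question, the answer or RouterOS itself: the question's log shows "ISAKMP-SA established" (phase 1, the peers authenticated each other with the PSK and exchange DPD keepalives), but never an IPsec-SA (phase 2, the ESP SA that actually encrypts data), which is exactly why Installed SAs is empty and why the pings keep flowing unencrypted. The script below checks for both phases in the log and, as a second, independent test, classifies sniffer rows between the two peers: with transport-mode IPsec working, L2TP (UDP/1701) must disappear from the wire and be replaced by ESP (IP protocol 50, or UDP/4500 behind NAT). The phase-2 log wording is assumed from racoon's messages and does not appear on the page; the sniffer rows and the "working" log line are constructed for illustration.

```python
"""Added example (not from the original post): two checks for whether IPsec
really protects the L2TP tunnel between 10.10.183.1 and 10.10.183.2."""
import re
from collections import Counter

PEERS = {"10.10.183.1", "10.10.183.2"}

# Phase 1 (IKE) success, worded exactly as in the question's log.
ISAKMP_RE = re.compile(r"ISAKMP-SA established (\S+?)\[\d+\]-(\S+?)\[\d+\]")
# Phase 2 (child SA) success. Wording assumed from racoon's pfkey messages;
# it appears nowhere in the question's log, which is the whole point.
IPSEC_RE = re.compile(
    r"IPsec-SA established: (ESP|AH)/(Transport|Tunnel) (\S+?)\[\d+\]->(\S+?)\[\d+\]"
)


def ike_status(log_lines):
    """Return 'none', 'ike-only' or 'encrypted (<proto>/<mode>)' for the peers.

    An ISAKMP-SA alone only means the peers authenticated (PSK hash validated,
    DPD keepalives flow). Data is encrypted only once an IPsec-SA exists,
    which is what RouterOS lists under Installed SAs.
    """
    phase1, phase2, mode = False, False, None
    for line in log_lines:
        m = ISAKMP_RE.search(line)
        if m and {m.group(1), m.group(2)} == PEERS:
            phase1 = True
        m = IPSEC_RE.search(line)
        if m and {m.group(3), m.group(4)} == PEERS:
            phase2, mode = True, f"{m.group(1)}/{m.group(2)}"
    if phase2:
        return f"encrypted ({mode})"
    return "ike-only" if phase1 else "none"


def wire_counts(packets):
    """Count what the sniffer sees between the peers.

    packets: iterable of (src, dst, protocol, dst_port) rows. With transport-mode
    IPsec working, L2TP (UDP/1701) must no longer appear in the clear; the peers
    exchange ESP instead, or UDP/4500 when NAT-T is in use.
    """
    counts = Counter()
    for src, dst, proto, port in packets:
        if {src, dst} != PEERS:
            continue                      # traffic not between our two peers
        if proto == "udp" and port == 1701:
            counts["plaintext_l2tp"] += 1
        elif proto == "esp" or (proto == "udp" and port == 4500):
            counts["esp"] += 1
    return counts


def tunnel_encrypted(packets):
    """True only if ESP is flowing and no cleartext L2TP is left on the wire."""
    c = wire_counts(packets)
    return c["esp"] > 0 and c["plaintext_l2tp"] == 0


# --- constructed samples ---------------------------------------------------
# Lines copied from the question's log: phase 1 completes, nothing more.
QUESTION_LOG = [
    "echo: ipsec,debug,packet HASH for PSK validated.",
    "echo: ipsec,debug ISAKMP-SA established 10.10.183.2[500]-10.10.183.1[500] "
    "spi:1a08fdea34082bb7:545ebc84110f817b",
    "echo: ipsec,debug,packet DPD R-U-There-Ack received",
]
# What a working setup would additionally log (assumed racoon wording).
WORKING_LOG = QUESTION_LOG + [
    "echo: ipsec,info IPsec-SA established: ESP/Transport "
    "10.10.183.2[500]->10.10.183.1[500] spi=216318371(0xce4c5a3)",
]
# Constructed sniffer rows: (src, dst, protocol, dst_port).
CAPTURE_PLAINTEXT = [
    ("10.10.183.2", "10.10.183.1", "udp", 1701),   # L2TP in the clear
    ("10.10.183.1", "10.10.183.2", "udp", 1701),
    ("10.10.183.2", "10.10.183.1", "udp", 500),    # IKE only
]
CAPTURE_ENCRYPTED = [
    ("10.10.183.2", "10.10.183.1", "esp", None),
    ("10.10.183.1", "10.10.183.2", "esp", None),
    ("10.10.183.2", "10.10.183.1", "udp", 500),
    ("192.168.1.5", "10.10.183.1", "udp", 1701),   # some other host, ignored
]

if __name__ == "__main__":
    print("question log :", ike_status(QUESTION_LOG))            # ike-only
    print("working log  :", ike_status(WORKING_LOG))             # encrypted (ESP/Transport)
    print("plain capture:", tunnel_encrypted(CAPTURE_PLAINTEXT))  # False
    print("esp capture  :", tunnel_encrypted(CAPTURE_ENCRYPTED))  # True
```

On the router the equivalent checks are `/ip ipsec installed-sa print` (it must list a pair of ESP SAs between the two peers) and a capture with `/tool sniffer` filtered on the peer address: rows between the peers showing UDP/1701 instead of ESP mean the IPsec policy is not selecting the L2TP traffic (for transport mode it has to match the peers' addresses with protocol UDP and port 1701), so the tunnel is running in cleartext even though IKE and DPD look healthy.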
