25.10. Testing the installation

Reboot the both gateways to get FreeS/WAN started. Examine the /var/log/messages file for any signs of trouble. If all goes well you should see something like this in the /var/log/messages file:


Feb  2 05:22:35 deep ipsec_setup: Starting FreeS/WAN IPSEC snap2000jan31b...
Feb  2 05:22:35 deep ipsec_setup: KLIPS debug `none'
Feb  2 05:22:35 deep ipsec_setup: KLIPS ipsec0 on eth0 192.168.1.1/255.255.255.0 broadcast 192.168.1.255
Feb  2 05:22:36 deep ipsec_setup: Disabling core dumps:
Feb  2 05:22:36 deep ipsec_setup: Starting Pluto (debug `none'):
Feb  2 05:22:37 deep ipsec_setup: Loading Pluto database `deep-mail':
Feb  2 05:22:37 deep ipsec_setup: Enabling Pluto negotiation:
Feb  2 05:22:37 deep ipsec_setup: Routing for Pluto conns `deep-mail':
Feb  2 05:22:37 deep ipsec_setup: Initiating Pluto tunnel `deep-mail':
Feb  2 05:22:39 deep ipsec_setup: 102 "deep-mail" #1: STATE_MAIN_I1: initiate
Feb  2 05:22:39 deep ipsec_setup: 104 "deep-mail" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
Feb  2 05:22:39 deep ipsec_setup: 106 "deep-mail" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
Feb  2 05:22:39 deep ipsec_setup: 004 "deep-mail" #1: STATE_MAIN_I4: SA established
Feb  2 05:22:39 deep ipsec_setup: 110 "deep-mail" #2: STATE_QUICK_I1: initiate
Feb  2 05:22:39 deep ipsec_setup: 004 "deep-mail" #2: STATE_QUICK_I2: SA established
Feb  2 05:22:39 deep ipsec_setup: ...FreeS/WAN IPSEC started

Examine the /var/log/secure file for any signs of trouble. If all goes well you should see something like the following:

Feb 21 14:45:42 deep Pluto[432]: Starting Pluto (FreeS/WAN Version 1.3)
Feb 21 14:45:43 deep Pluto[432]: added connection description "deep-mail"
Feb 21 14:45:43 deep Pluto[432]: listening for IKE messages
Feb 21 14:45:43 deep Pluto[432]: adding interface ipsec0/eth0 192.168.1.1
Feb 21 14:45:43 deep Pluto[432]: loading secrets from "/etc/ipsec.secrets"
Feb 21 14:45:43 deep Pluto[432]: "deep-mail" #1: initiating Main Mode
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #1: ISAKMP SA established
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #2: initiating Quick Mode POLICY_RSASIG+POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_TUNNEL+POLICY_PFS
Feb 21 14:45:46 deep Pluto[432]: "deep-mail" #2: sent QI2, IPsec SA established
Feb 21 14:45:47 deep Pluto[432]: "deep-mail" #3: responding to Main Mode
Feb 21 14:45:49 deep Pluto[432]: "deep-mail" #3: sent MR3, ISAKMP SA established
Feb 21 14:45:49 deep Pluto[432]: "deep-mail" #4: responding to Quick Mode
Feb 21 14:45:50 deep Pluto[432]: "deep-mail" #4: IPsec SA established

On both gateways, the following entries should now exist in the /proc/net/ directory:

[root@deep] /# ls -l /proc/net/ipsec_*


-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_eroute
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_klipsdebug
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_spi
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_spigrp
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_spinew
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_tncfg
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_version

The IPSEC interfaces should be attached on top of the specified physical interfaces. Confirm that with:

[root@deep] /# cat /proc/net/ipsec_tncfg


ipsec0 -> eth0 mtu=16260 -> 1500
ipsec1 -> NULL mtu=0 -> 0
ipsec2 -> NULL mtu=0 -> 0
ipsec3 -> NULL mtu=0 -> 0

Now execute the following command to show minimal debugging information and see if the output looks something like this:

[root@deep] /# ipsec look


deep.openna.com Fri Feb  4 17:25:17 EST 2000
============-============
192.168.1.1/32     -> 192.168.1.2/32     => [email protected] [email protected] [email protected]
------------=------------
[email protected] AH_HMAC_MD5: dir=in ooowin=32 seq=115 bit=0xffffffff alen=128 aklen=16 life(c,s,h)=bytes(16140,0,0)add(51656,0,0)use(54068,0,0)packets(115,0,0) idle=499
[email protected] AH_HMAC_MD5: dir=out ooowin=32 seq=2828 alen=128 aklen=16 life(c,s,h)=bytes(449488,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
[email protected] ESP_3DES: dir=in ooowin=32 seq=115 bit=0xffffffff eklen=24 life(c,s,h)=bytes(13380,0,0)add(51656,0,0)use(54068,0,0)packets(115,0,0) idle=499
[email protected] ESP_3DES: dir=out ooowin=32 seq=2828 eklen=24 life(c,s,h)=bytes(381616,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
[email protected] IPIP: dir=in 192.168.1.2 -> 192.168.1.1 life(c,s,h)=add(51656,0,0)
[email protected] IPIP: dir=out 192.168.1.1 -> 192.168.1.2 life(c,s,h)=bytes(327581,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 eth0
192.168.1.2     192.168.1.2     255.255.255.255 UGH       0 0          0 ipsec0
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface

Try pinging 192.168.1.2 from the 192.168.1.1 client. If this works then you have set it up correctly. If it does not work check your network to make sure 208.164.186.1 can reach 208.164.186.2, and that TCP-IP forwarding is enabled, and make sure that no firewall rules are blocking the packets, or trying to masquerade them before the rules allowing IPSec related traffic. For this test to work, it is important to use pings that go from one subnet to the other.

  208.164.186.1 ---- 205.151.222.250 ---- 205.151.222.251 ---- 208.164.186.2
  |		   					  |
  192.168.1.0/24     		     			     192.168.1.0/24
  |						          |
  192.168.1.1					  	     192.168.1.2

A last note about testing the installation of FreeSWAN IPSEC, if you encounter a problem that you are unable to resolve, you can use the following command to view a collection of debugging information, contents of files, selections from logs, etc. Anything related to the IPSEC encryption/authentication system that you should send to the Linux-IPSEC Mailing List to help you. Use the following command to make an output of a collection of debugging information:

[root@deep] /# ipsec barf > result
This command is primarily provided as a convenience for remote debugging; A single command which packages up -and labels all information that might be relevant to diagnosing a problem in IPSEC.