[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: silly vpn problems ?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: silly vpn problems ?
- From: chakl_(_at_)_syscall_(_dot_)_de (Olaf Schreck)
- Date: Wed, 26 May 2004 21:35:22 +0200
> after spending weeks on reading,tutorials, other postings and f** manuals
> about setting up vpn using ipsec (isakmpd) without success, i decided trying
> to find help in this mailinglist.
You should go for more structured debugging rather than just dumping
your config. Try to narrow down the problem and provide logs that
show what you did, what works and what doesn't.
- drop all firewall rules (pass all) first, and turn them back on once
you've got the VPN setup running. At this point you might know whether
the VPN is fine, and you excluded the firewall problem class temporarily.
- verify that both VPN gateways can talk IP to each other (ping and/or
otherwise connect). This excludes the connectivity/routing problem class.
- start the isakmpd's on both gateways and sniff the ISAKMP negotiation
(tcpdump -vvn -i fxp0 -s 1500 udp port 500 [syntax typed from memory,
check the man page]). This will tell you whether the gateways succeed
or fail establishing the tunnel, and usually reveals configuration
- if configured and negotiated correctly, both protected networks should
be able to talk IP to each other (still assuming no firewall rules).
If this is the case, the VPN is working, goto firewall debugging.
Otherwise, you most certainly have an isakmpd config error.
- enable isakmpd debugging and check the syslog output, might give a clue
if things don't work.
Olaf Schreck chakl_(_at_)_syscall_(_dot_)_de syscall() Network Solutions, Berlin
Visit your host, monkey.org