|
|
Sponsored Content
Special Forums
IP Networking
Best tool to monitor VPN IPSEC Tunneling
Post 302930051 by marunmeera on Tuesday 30th of December 2014 12:04:56 AM
12-30-2014
Best tool to monitor VPN IPSEC Tunneling
|
|
9 More Discussions You Might Find Interesting
1. Cybersecurity
Hello! I have some trouble trying to configure a VPN with two gateways. One of them uses IPSec with a single key, 256bits length, specified in /etc/ipsec.secrets. As FreeSwan manual page says, if i put esp=3des-md5-96, will be used a "64bit IV key (internally generated), a 192bit 3des ekey and a... (3 Replies)
Discussion started by: eNTer
3 Replies
2. UNIX for Dummies Questions & Answers
Hello,
Does any one knows any tools or method to monitor users all activities on Solaris 8, including command and its result. Similar to 'script' ???
Thanks
nana (3 Replies)
Discussion started by: nana
3 Replies
3. UNIX for Advanced & Expert Users
Hello,
I am within a LAN system and I need to be able to tunnel out (and recv UDP) packets.
Currently the router automatically drops UDP packets.
My PC cant see the outside world, nor ping, but it can connect via SSH to a server on the "edge" of the network which can see everything. I... (2 Replies)
Discussion started by: ErNci
2 Replies
4. Solaris
Hi,
I have tried the following:
on PC1 (win xp) I have created ssh connection with port forwarding
(local 8888 to remote 8888) to server1.
>From server1 I have created another ssh connection with port
forwarding to server2(local 8888 to remote 1521).
When I try to connect to oracle... (3 Replies)
Discussion started by: goran00
3 Replies
5. UNIX for Advanced & Expert Users
Was wonder if there was a tool or program I could run to measure throughput on our CentoS 4.x server. Our current dedicated host provider is charging us by how much throughput we are using and I just want to see if their numbers add up to whatever I get using a throughput tool of some kind.
... (6 Replies)
Discussion started by: mcraul
6 Replies
6. AIX
Dear experts ,
Pls advice for any good Tool to monitor the CPU and performance of AIX the system ..
to keep monitoring to show me the utilization of that system .. (12 Replies)
Discussion started by: Mr.AIX
12 Replies
7. IP Networking
Hello,
I'm trying to setup a gateway VPN between two routers across an unsecured network between two local networks. The routers are both linux and I'm using the ipsec tools, racoon and setkey. So far hosts from either local net can successfully ping hosts on the other local net without issue.
... (0 Replies)
Discussion started by: salukibob
0 Replies
8. IP Networking
Hi all,
I have installed Openswan and configured IPSec and works perfect, but for some unknown reasons it stop working. I see that the tunnels are up and established. The route to the destination are added. Everything by the book seems to be ok. But somehow when i start to ping the other side (... (4 Replies)
Discussion started by: ivancd
4 Replies
9. IP Networking
Hi @all,
I try to connect 2 LANs with IPSec/Openswan
LAN 1: 192.168.0.0/24
LAN 2: 192.168.1.0/24
This is my Config:
conn HomeVPN # # Left security gateway, subnet behind it, nexthop toward right. left=192.168.1.29 ... (1 Reply)
Discussion started by: bahnhasser83
1 Replies
LEARN ABOUT DEBIAN
ipsec_policy
IPSEC_POLICY(8) [FIXME: manual] IPSEC_POLICY(8) NAME
ipsec_policy - list of existing policy SYNOPSIS
ipsec policy DESCRIPTION
Note that policy is only supported on the new NAST stack. It is not supported on any other stack. On the klips stack, use ipsec eroute, on the netkey stack, use ip xfrm lists the IPSEC policy tables (aka eroutes) which control what (if any) processing is applied to non-encrypted packets arriving for IPSEC processing and forwarding. A table entry consists of: + packet count, + source address with mask and source port (0 if all ports or not applicable) + a '->' separator for visual and automated parsing between src and dst + destination address with mask and destination port (0 if all ports or not applicable) + a '=>' separator for visual and automated parsing between selection criteria and SAID to use + SAID (Security Association IDentifier), comprised of: + protocol (proto), + address family (af), where '.' stands for IPv4 and ':' for IPv6 + Security Parameters Index (SPI), + effective destination (edst), where the packet should be forwarded after processing (normally the other security gateway) together indicate which Security Association should be used to process the packet, + a ':' separating the SAID from the transport protocol (0 if all protocols) + source identity text string with no whitespace, in parens, + destination identity text string with no whitespace, in parens Addresses are written as IPv4 dotted quads or IPv6 coloned hex, protocol is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6 SAIDs are written as "protoafSPI@edst". There are also 5 "magic" SAIDs which have special meaning: + %drop means that matches are to be dropped + %reject means that matches are to be dropped and an ICMP returned, if possible to inform + %trap means that matches are to trigger an ACQUIRE message to the Key Management daemon(s) and a hold policy will be put in place to prevent subsequent packets also triggering ACQUIRE messages. + %hold means that matches are to stored until the policy is replaced or until that policy gets reaped + %pass means that matches are to allowed to pass without IPSEC processing EXAMPLES
1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 () () means that 1,867 packets have been sent to an policy that has been set up to protect traffic between the subnet 172.31.252.0 with a subnet mask of 24 bits and the default address/mask represented by an address of 0.0.0.0 with a subnet mask of 0 bits using the local machine as a security gateway on this end of the tunnel and the machine 192.168.43.1 on the other end of the tunnel with a Security Association IDentifier of tun0x130@192.168.43.1 which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a Security Parameters Index of 130 in hexadecimal with no identies defined for either end. 746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 () () means that 746 packets have been sent to an policy that has been set up to protect traffic sent from any port on the host 192.168.2.110 to the SMTP (TCP, port 25) port on the host 192.168.2.120 with a Security Association IDentifier of tun0x130@192.168.2.120 which means that it is a transport mode connection with a Security Parameters Index of 130 in hexadecimal with no identies defined for either end. 125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () () means that 125 packets have been sent to an policy that has been set up to protect traffic between the subnet 3049:1:: with a subnet mask of 64 bits and the default address/mask represented by an address of 0:0 with a subnet mask of 0 bits using the local machine as a security gateway on this end of the tunnel and the machine 3058:4::5 on the other end of the tunnel with a Security Association IDentifier of tun:130@3058:4::5 which means that it is a tunnel mode connection with a Security Parameters Index of 130 in hexadecimal with no identies defined for either end. 42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough means that 42 packets have been sent to an policy that has been set up to pass the traffic from the subnet 192.168.6.0 with a subnet mask of 24 bits and to subnet 192.168.7.0 with a subnet mask of 24 bits without any IPSEC processing with no identies defined for either end. 2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) () means that 2112 packets have been sent to an policy that has been set up to hold the traffic from the host 192.168.8.55 and to host 192.168.9.47 until a key exchange from a Key Management daemon succeeds and puts in an SA or fails and puts in a pass or drop policy depending on the default configuration with the local client defined as "east" and no identy defined for the remote end. 2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => esp0xe6de@192.168.2.120:0 () () means that 2001 packets have been sent to an policy that has been set up to protect traffic between the host 192.168.2.110 and the host 192.168.2.120 using 192.168.2.110 as a security gateway on this end of the connection and the machine 192.168.2.120 on the other end of the connection with a Security Association IDentifier of esp0xe6de@192.168.2.120 which means that it is a transport mode connection with a Security Parameters Index of e6de in hexadecimal using Encapsuation Security Payload protocol (50, IPPROTO_ESP) with no identies defined for either end. 1984 3049:1::110/128 -> 3049:1::120/128 => ah:f5ed@3049:1::120 () () means that 1984 packets have been sent to an policy that has been set up to authenticate traffic between the host 3049:1::110 and the host 3049:1::120 using 3049:1::110 as a security gateway on this end of the connection and the machine 3049:1::120 on the other end of the connection with a Security Association IDentifier of ah:f5ed@3049:1::120 which means that it is a transport mode connection with a Security Parameters Index of f5ed in hexadecimal using Authentication Header protocol (51, IPPROTO_AH) with no identies defined for either end. SEE ALSO
ipsec(8), ipsec_tncfg(5), ipsec_spi(5), ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5), ipsec_pf_key(5), ipsec_eroute(5) HISTORY
Written for the Openswan project <http://www.openswan.org/> by Bart Trojanowski. [FIXME: source] 10/06/2010 IPSEC_POLICY(8)