How to Troubleshoot IPSec Issues

Version 0.1 (02 May 2018)

Troubleshooting IPSec connections

Enable Logging

If IPSec log files are required to troubleshoot connection issues, or for other reasons, logging can be enabled in the ipsec.conf file.

Note: Logging for the IPSec service is by default disabled.

  1. Login to the shell as root user
  2. Edit the ipsec.conf file:
     root@ng-east:~# vi /etc/ipsec/ipsec.conf
  3. Change the logfile value:
     Original value: logfile=/dev/null
     New value: logfile=/var/log/pluto.log

TCPDump

It can sometimes be beneficial to capture traffic with tcpdump, for example to ensure that the traffic is going through the tunnel as expected. This can be performed on the node.

  1. Login to the shell as root user
  2. Start the tcpdump for IPSec

Format:

tcpdump -n -i <interface> esp or udp port 500 or udp port 4500

Example:

root@nodegrid: # tcpdump -n -i eth1 esp or udp port 500 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
06:04:39.591780 IP 100.0.1.10 > 100.0.2.11: ESP(spi=0x6416c1f2,seq=0x7), length 132
06:04:40.591634 IP 100.0.2.11 > 100.0.1.10: ESP(spi=0x153683f0,seq=0x8), length 132
06:04:40.591948 IP 100.0.1.10 > 100.0.2.11: ESP(spi=0x6416c1f2,seq=0x8), length 132
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel

Note: All other tcpdump functions are available as normal and can be used as needed.
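The capture above only proves the tunnel is working if ESP packets appear in both directions and the ESP sequence numbers advance without gaps (a gap means packets were lost, or never reached this interface). The following script, added here as an example and not part of the original article, parses tcpdump ESP lines in exactly the format shown above and reports per-SA packet counts, sequence gaps and whether traffic was seen both ways; the capture text and the peer addresses embedded in it are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample in the format tcpdump prints for ESP packets (see the capture above).
SAMPLE_CAPTURE = """\
06:04:39.591780 IP 100.0.1.10 > 100.0.2.11: ESP(spi=0x6416c1f2,seq=0x7), length 132
06:04:40.591634 IP 100.0.2.11 > 100.0.1.10: ESP(spi=0x153683f0,seq=0x8), length 132
06:04:40.591948 IP 100.0.1.10 > 100.0.2.11: ESP(spi=0x6416c1f2,seq=0x8), length 132
06:04:41.591702 IP 100.0.2.11 > 100.0.1.10: ESP(spi=0x153683f0,seq=0xb), length 132
"""

# One ESP line: timestamp, src > dst, SPI and sequence number in hex, packet length.
ESP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\), length (?P<len>\d+)$"
)

def parse_esp(capture):
    """Return (src, dst, spi, seq) for every ESP line; IKE/UDP and status lines are skipped."""
    out = []
    for line in capture.splitlines():
        m = ESP_LINE.match(line)
        if m:
            out.append((m["src"], m["dst"], int(m["spi"], 16), int(m["seq"], 16)))
    return out

def summarize(records):
    """Per security association (src, dst, spi): packet count, first/last seq, missing seqs."""
    by_sa = defaultdict(list)
    for src, dst, spi, seq in records:
        by_sa[(src, dst, spi)].append(seq)          # sequence numbers in capture order
    summary = {}
    for sa, seqs in by_sa.items():
        expected = set(range(seqs[0], seqs[-1] + 1))  # every seq between first and last seen
        summary[sa] = {"packets": len(seqs), "first": seqs[0], "last": seqs[-1],
                       "gaps": sorted(expected - set(seqs))}
    return summary

def tunnel_is_bidirectional(summary, peer_a, peer_b):
    """True only if ESP was seen from peer_a to peer_b AND from peer_b to peer_a."""
    directions = {(src, dst) for (src, dst, _spi) in summary}
    return (peer_a, peer_b) in directions and (peer_b, peer_a) in directions

if __name__ == "__main__":
    sas = summarize(parse_esp(SAMPLE_CAPTURE))
    for (src, dst, spi), info in sas.items():
        print(f"{src} -> {dst} spi=0x{spi:08x}: {info}")
    print("bidirectional:", tunnel_is_bidirectional(sas, "100.0.1.10", "100.0.2.11"))
```

In the sample, the 100.0.2.11 -> 100.0.1.10 SA jumps from seq 0x8 to 0xb, so the script reports seqs 9 and 10 as gaps for that direction.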
