Charles,

Unbelievably long time getting back to this, but ipsec look yields:

firewall: -root- # ipsec look
firewall Thu May 5 09:21:55 UTC 2005
ipsec0->eth0 mtu=16260(1500)->1500
==================================================
216.x.y.64/26 dev eth0 proto kernel scope link src 216.x.y.89
216.x.y.64/26 dev ipsec0 proto kernel scope link src 216.x.y.89
default via 216.x.y.65 dev eth0
firewall: -root-

Anything wrong with the above? Eth0 is external, to ISP.

TIA,
Rick

-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 21, 2005 11:22 AM
To: Tibbs, Richard
Subject: Re: ipsec question

Tibbs, Richard wrote:
| Charles,
| I have transitioned the same certs and keys from openvpn (where they
| work very clearly) to ipsec. I have a subnet to subnet tunnel that is
| "authorized", but how can I tell from auth.log or elsewhere if the
| certificates verify, etc.?

I use RSA keys in production, so don't have examples of log messages for certs. In general, however, if the tunnel comes up, your certs are verifying.

I didn't see anything in your logs about the connections being established... in my logs (with RSA keys, connection name is "SanAntonio") it looks like the following:

Mar 20 09:34:54 tempest pluto[999]: "SanAntonio" #1: initiating Main Mode
Mar 20 09:34:55 tempest pluto[999]: "SanAntonio" #1: Main mode peer ID is ID_FQDN: '@defender.core.newtek.com'
Mar 20 09:34:55 tempest pluto[999]: "SanAntonio" #1: ISAKMP SA established
Mar 20 09:34:55 tempest pluto[999]: "SanAntonio" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Mar 20 09:34:56 tempest pluto[999]: "SanAntonio" #2: sent QI2, IPsec SA established

... I didn't see anything similar in your logs. Are you actually starting any connections?

You can verify the ipsec links are up with "ipsec look".

If you need more info, you can set higher debugging levels, and probably get lots of details on the keys, secrets, and/or certs as the connection is negotiated.
--
Charles Steinkuehler
[EMAIL PROTECTED]

------------------------------------------------------------------------
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
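The check Charles describes (look in auth.log for the Main Mode / Quick Mode / "IPsec SA established" lines for each connection name) can be scripted; the following is an added example, not code from the thread or from the FreeS/WAN project. The milestone strings are taken from the pluto lines quoted above; the sample log embeds those lines plus a constructed second connection ("BranchB") that stalls in Main Mode, and the "HQ" name stands for a connection that was configured but never started.

```python
import re
from typing import Dict, Iterable

# Shape of a per-connection pluto line, as quoted in the thread:
#   Mar 20 09:34:55 tempest pluto[999]: "SanAntonio" #1: ISAKMP SA established
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

# Negotiation milestones in the order pluto reaches them; the list index
# is the "how far did this connection get" score.
MILESTONES = [
    ("initiating Main Mode", "phase1-started"),
    ("Main mode peer ID is", "peer-id-seen"),
    ("ISAKMP SA established", "phase1-up"),
    ("initiating Quick Mode", "phase2-started"),
    ("IPsec SA established", "tunnel-up"),
]

def tunnel_status(lines: Iterable[str], expected: Iterable[str] = ()) -> Dict[str, dict]:
    """Per connection name: furthest milestone reached and the peer ID pluto reported.
    Names passed in `expected` that never appear in the log come back as 'not-started',
    which is exactly the "are you actually starting any connections?" case."""
    fresh = lambda: {"stage": "not-started", "rank": -1, "peer_id": None}
    status: Dict[str, dict] = {name: fresh() for name in expected}
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue  # not a per-connection pluto message; ignore
        conn, msg = m.group("conn"), m.group("msg")
        entry = status.setdefault(conn, fresh())
        for rank, (needle, stage) in enumerate(MILESTONES):
            if needle in msg and rank > entry["rank"]:
                entry["stage"], entry["rank"] = stage, rank
        if "Main mode peer ID is" in msg:
            # e.g. "Main mode peer ID is ID_FQDN: '@defender.core.newtek.com'"
            entry["peer_id"] = msg.split(":", 1)[1].strip().strip("'")
    return status

# Constructed sample log: the SanAntonio lines from the thread plus a made-up
# BranchB connection whose peer never answers the first Main Mode packet.
SAMPLE_LOG = """\
Mar 20 09:34:54 tempest pluto[999]: "SanAntonio" #1: initiating Main Mode
Mar 20 09:34:55 tempest pluto[999]: "SanAntonio" #1: Main mode peer ID is ID_FQDN: '@defender.core.newtek.com'
Mar 20 09:34:55 tempest pluto[999]: "SanAntonio" #1: ISAKMP SA established
Mar 20 09:34:55 tempest pluto[999]: "SanAntonio" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Mar 20 09:34:56 tempest pluto[999]: "SanAntonio" #2: sent QI2, IPsec SA established
Mar 20 09:35:10 tempest pluto[999]: "BranchB" #3: initiating Main Mode
Mar 20 09:35:40 tempest pluto[999]: "BranchB" #3: max number of retransmissions (2) reached STATE_MAIN_I1
""".splitlines()

if __name__ == "__main__":
    for name, entry in tunnel_status(SAMPLE_LOG, expected=["SanAntonio", "BranchB", "HQ"]).items():
        print(f"{name:12s} {entry['stage']:15s} peer={entry['peer_id']}")
```

Run it against a real auth.log with `tunnel_status(open("/var/log/auth.log"), expected=[...your conn names...])`; anything that stops short of "tunnel-up" is where to raise the debug level Charles mentions.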
