Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Check the IPsec RA VPN tunnel state at the client (Debian/Ubuntu client)

An example of how to initiate a tunnel and check that it works, from the perspective of the client.

  1. Initiate the IPsec/IKEv2 tunnel.
    $ swanctl -i -c tunnel-1
    [IKE] establishing CHILD_SA tunnel-1{2}
    [ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
    [NET] sending packet: from 172.16.0.2[4500] to 10.10.2.3[4500] (257 bytes)
    [NET] received packet: from 10.10.2.3[4500] to 172.16.0.2[4500] (257 bytes)
    [ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
    [CFG] selected proposal: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ
    [IKE] CHILD_SA tunnel-1{2} established with SPIs ce859e81_i c8664004_o and TS 10.200.0.1/32 === 10.90.9.0/24
    initiate completed successfully

    This installs an IPsec SA whose traffic selectors cover the client's assigned address and the remote subnet:

    (local) 10.200.0.1/32 === (remote) 10.90.9.0/24
  2. Check that the server has given the client an IP address.
    $ ip -o add show | grep 10.200
    3: ens4 inet 10.200.0.1/32 scope global ens4\ valid_lft forever preferred_lft forever
    
  3. Check that an IPsec policy is present on the client.
    $ ip xfrm policy
    src 10.200.0.1/32 dst 10.90.9.0/24
      dir out priority 371327 ptype main
        tmpl src 172.16.0.2 dst 10.10.2.3
        proto esp spi 0xc8664004 reqid 1 mode tunnel
    src 10.90.9.0/24 dst 10.200.0.1/32
      dir fwd priority 371327 ptype main
        tmpl src 10.10.2.3 dst 172.16.0.2
        proto esp reqid 1 mode tunnel
    src 10.90.9.0/24 dst 10.200.0.1/32
      dir in priority 371327 ptype main
        tmpl src 10.10.2.3 dst 172.16.0.2
        proto esp reqid 1 mode tunnel
  4. Check that you can reach the workstations.
    $ ping -I 10.200.0.1 10.90.9.2 -c 1
    PING 10.90.9.2 (10.90.9.2) from 10.200.0.1 : 56(84) bytes of data.
    64 bytes from 10.90.9.2: icmp_seq=1 ttl=63 time=5.24 ms
    
    --- 10.90.9.2 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 5.241/5.241/5.241/0.000 ms
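The four steps above can be checked together from a script. The following is an added example, not code from the Vyatta documentation or from strongSwan: it parses the output of `ip -o addr show` and `ip xfrm policy` and confirms that the kernel holds the assigned VPN address and all three ESP tunnel-mode policies (out, fwd, in) for the negotiated traffic selectors 10.200.0.1/32 === 10.90.9.0/24 between the gateways 172.16.0.2 and 10.10.2.3. The sample outputs embedded in the script are copied from the steps above; the function names and the expected-policy table are this example's own.

```python
"""Verify client-side IPsec RA VPN kernel state (added example, not Vyatta code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample outputs copied from the documentation steps above (constructed input
# for offline use; replace with subprocess.run([...]).stdout on a real client).
SAMPLE_ADDR_OUTPUT = (
    "3: ens4    inet 10.200.0.1/32 scope global ens4\\       "
    "valid_lft forever preferred_lft forever\n"
)
SAMPLE_XFRM_POLICY_OUTPUT = """\
src 10.200.0.1/32 dst 10.90.9.0/24
  dir out priority 371327 ptype main
    tmpl src 172.16.0.2 dst 10.10.2.3
    proto esp spi 0xc8664004 reqid 1 mode tunnel
src 10.90.9.0/24 dst 10.200.0.1/32
  dir fwd priority 371327 ptype main
    tmpl src 10.10.2.3 dst 172.16.0.2
    proto esp reqid 1 mode tunnel
src 10.90.9.0/24 dst 10.200.0.1/32
  dir in priority 371327 ptype main
    tmpl src 10.10.2.3 dst 172.16.0.2
    proto esp reqid 1 mode tunnel
"""


@dataclass(frozen=True)
class XfrmPolicy:
    src: str
    dst: str
    direction: Optional[str]   # "out", "fwd" or "in"
    tmpl_src: Optional[str]    # outer (gateway) addresses of the template
    tmpl_dst: Optional[str]
    proto: Optional[str]       # expected "esp"
    mode: Optional[str]        # expected "tunnel"


def parse_xfrm_policies(text: str) -> List[XfrmPolicy]:
    """Parse `ip xfrm policy` output into one record per policy block."""
    policies: List[XfrmPolicy] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"src (\S+) dst (\S+)$", line)   # start of a new policy
        if m:
            if cur:
                policies.append(XfrmPolicy(**cur))
            cur = dict(src=m[1], dst=m[2], direction=None, tmpl_src=None,
                       tmpl_dst=None, proto=None, mode=None)
            continue
        if cur is None:
            continue
        m = re.match(r"dir (\w+)", line)
        if m:
            cur["direction"] = m[1]
            continue
        m = re.match(r"tmpl src (\S+) dst (\S+)", line)
        if m:
            cur["tmpl_src"], cur["tmpl_dst"] = m[1], m[2]
            continue
        m = re.match(r"proto (\w+).*mode (\w+)", line)
        if m:
            cur["proto"], cur["mode"] = m[1], m[2]
    if cur:
        policies.append(XfrmPolicy(**cur))
    return policies


def missing_tunnel_policies(policies: List[XfrmPolicy], local_ts: str,
                            remote_ts: str, local_gw: str, remote_gw: str) -> List[str]:
    """Return the directions lacking an ESP tunnel-mode policy for the selectors.

    A healthy client has all three: 'out' (local -> remote, templated on the
    local -> remote gateway pair) plus 'fwd' and 'in' (remote -> local, templated
    on the reverse gateway pair). An empty list means the tunnel is fully installed.
    """
    expected = {
        "out": (local_ts, remote_ts, local_gw, remote_gw),
        "fwd": (remote_ts, local_ts, remote_gw, local_gw),
        "in": (remote_ts, local_ts, remote_gw, local_gw),
    }
    found = {(p.direction, p.src, p.dst, p.tmpl_src, p.tmpl_dst)
             for p in policies if p.proto == "esp" and p.mode == "tunnel"}
    return sorted(d for d, (s, dst, ts, td) in expected.items()
                  if (d, s, dst, ts, td) not in found)


def assigned_vpn_address(addr_text: str, expected: str) -> Optional[Tuple[str, str]]:
    """Find the interface carrying the server-assigned address in `ip -o addr show`."""
    for line in addr_text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line.strip())
        if m and m[2] == expected:
            return m[1], m[2]
    return None


if __name__ == "__main__":
    addr = assigned_vpn_address(SAMPLE_ADDR_OUTPUT, "10.200.0.1/32")
    missing = missing_tunnel_policies(parse_xfrm_policies(SAMPLE_XFRM_POLICY_OUTPUT),
                                      "10.200.0.1/32", "10.90.9.0/24",
                                      "172.16.0.2", "10.10.2.3")
    print("assigned address:", addr)
    print("tunnel policies OK" if not missing else f"missing policies: {missing}")
```

If a direction is reported missing, the CHILD_SA was not installed in the kernel even though swanctl may have printed "initiate completed successfully"; re-run `swanctl -i -c tunnel-1` and compare the traffic selectors it prints against the ones the script expects.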