Check the IPsec RA VPN tunnel state at the client (Fedora/RHEL/CentOS client)
An example of how to check that the IPsec RA VPN tunnel works, from the perspective of the client.
- Check that the server has given the client an IP address.
    $ ip -o address show | grep 10.200
    3: ens4 inet 10.200.0.1/32 scope global ens4\ valid_lft forever preferred_lft forever

Here we see that the client has the virtual IP address 10.200.0.1.
- Check that an IPsec policy is present on the client.
    $ ip xfrm policy
    src 10.200.0.1/32 dst 10.90.9.0/24
        dir out priority 371327 ptype main
        tmpl src 172.16.0.1 dst 10.10.2.3
            proto esp spi 0xc540ea9b reqid 1 mode tunnel
    src 10.90.9.0/24 dst 10.200.0.1/32
        dir fwd priority 371327 ptype main
        tmpl src 10.10.2.3 dst 172.16.0.1
            proto esp reqid 1 mode tunnel
    src 10.90.9.0/24 dst 10.200.0.1/32
        dir in priority 371327 ptype main
        tmpl src 10.10.2.3 dst 172.16.0.1
            proto esp reqid 1 mode tunnel

Here we see that the client has IPsec policies as we expect for our workstation subnet.
- Check the connectivity across the tunnel to the server.
    $ ping 10.90.9.2 -I 10.200.0.1 -c 1
    PING 10.90.9.2 (10.90.9.2) from 10.200.0.1 : 56(84) bytes of data.
    64 bytes from 10.90.9.2: icmp_seq=1 ttl=63 time=6.75 ms

    --- 10.90.9.2 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 6.754/6.754/6.754/0.000 ms
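
The policy check above can be scripted so that a missing direction is reported instead of being spotted by eye. The following is an added example, not part of the original page: the function names `sample_policies` and `check_xfrm_policies` are hypothetical, and the embedded sample is the `ip xfrm policy` output shown above.

```shell
#!/bin/sh
# Added example: confirm that ESP tunnel-mode policies exist in all three
# directions (out, in, fwd) for the client's virtual IP and the remote subnet.

# Sample `ip xfrm policy` output, taken from the example client on this page.
sample_policies() {
    cat <<'EOF'
src 10.200.0.1/32 dst 10.90.9.0/24
    dir out priority 371327 ptype main
    tmpl src 172.16.0.1 dst 10.10.2.3
        proto esp spi 0xc540ea9b reqid 1 mode tunnel
src 10.90.9.0/24 dst 10.200.0.1/32
    dir fwd priority 371327 ptype main
    tmpl src 10.10.2.3 dst 172.16.0.1
        proto esp reqid 1 mode tunnel
src 10.90.9.0/24 dst 10.200.0.1/32
    dir in priority 371327 ptype main
    tmpl src 10.10.2.3 dst 172.16.0.1
        proto esp reqid 1 mode tunnel
EOF
}

# check_xfrm_policies VIRTUAL_IP REMOTE_SUBNET
# Reads `ip xfrm policy` output on stdin. Returns 0 only if an ESP tunnel-mode
# policy exists in each direction for the pair; otherwise names what is missing.
check_xfrm_policies() {
    awk -v vip="$1/32" -v net="$2" '
        $1 == "src" { src = $2; dst = $4; dir = ""; next }   # selector line
        $1 == "dir" { dir = $2; next }                       # direction line
        $1 == "proto" && $2 == "esp" && /mode tunnel/ {      # template detail
            if (dir == "out" && src == vip && dst == net) seen[dir] = 1
            if ((dir == "in" || dir == "fwd") && src == net && dst == vip) seen[dir] = 1
        }
        END {
            for (i = split("out in fwd", want, " "); i > 0; i--)
                if (!(want[i] in seen)) { print "missing policy: dir " want[i]; bad = 1 }
            exit bad + 0
        }'
}

# Run against the sample; on a live client pipe `ip xfrm policy` in instead.
sample_policies | check_xfrm_policies 10.200.0.1 10.90.9.0/24 && echo "policies OK"
```

Running this check before the ping is useful because a successful ping shows only reachability, while the policies show that traffic for the subnet is selected for ESP.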