Check the IPsec RA VPN tunnel state at the client (Debian/Ubuntu client)
An example of how to initiate a tunnel and check that it works, from the perspective of the client.
- Initiate the IPsec/IKEv2 tunnel.
$ swanctl -i -c tunnel-1
[IKE] establishing CHILD_SA tunnel-1{2}
[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
[NET] sending packet: from 172.16.0.2[4500] to 10.10.2.3[4500] (257 bytes)
[NET] received packet: from 10.10.2.3[4500] to 172.16.0.2[4500] (257 bytes)
[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
[CFG] selected proposal: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ
[IKE] CHILD_SA tunnel-1{2} established with SPIs ce859e81_i c8664004_o and TS 10.200.0.1/32 === 10.90.9.0/24
initiate completed successfully
This will yield an IPsec SA traffic selector installation like this:
(local) 10.200.0.1/32 === (remote) 10.90.9.0/24
- Check that the server has given the client an IP address.
$ ip -o add show | grep 10.200
3: ens4 inet 10.200.0.1/32 scope global ens4\ valid_lft forever preferred_lft forever
- Check that an IPsec policy is present on the client.
$ ip xfrm policy
src 10.200.0.1/32 dst 10.90.9.0/24
	dir out priority 371327 ptype main
	tmpl src 172.16.0.2 dst 10.10.2.3
		proto esp spi 0xc8664004 reqid 1 mode tunnel
src 10.90.9.0/24 dst 10.200.0.1/32
	dir fwd priority 371327 ptype main
	tmpl src 10.10.2.3 dst 172.16.0.2
		proto esp reqid 1 mode tunnel
src 10.90.9.0/24 dst 10.200.0.1/32
	dir in priority 371327 ptype main
	tmpl src 10.10.2.3 dst 172.16.0.2
		proto esp reqid 1 mode tunnel
- Check that you can reach a workstation on the remote network (10.90.9.0/24) through the tunnel. Use -I so the ping is sourced from the assigned address 10.200.0.1; only packets with that source match the "dir out" policy above, and a ping sourced from another address would not be sent through the tunnel.
$ ping -I 10.200.0.1 10.90.9.2 -c 1
PING 10.90.9.2 (10.90.9.2) from 10.200.0.1 : 56(84) bytes of data.
64 bytes from 10.90.9.2: icmp_seq=1 ttl=63 time=5.24 ms

--- 10.90.9.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 5.241/5.241/5.241/0.000 ms
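As an added check (example code written for this page, not part of the original procedure or of strongSwan), the following Python parses the `ip xfrm policy` output from the policy step above and reports which of the three expected directions (out, fwd, in) lack an ESP tunnel policy with the negotiated traffic selectors and peer addresses. The embedded sample output is the page's own; the function names are assumptions made here.

```python
# Output of `ip xfrm policy` from this page, with the kernel's line breaks
# restored (one record per "src ... dst ..." block).
XFRM_POLICY_OUTPUT = """\
src 10.200.0.1/32 dst 10.90.9.0/24
    dir out priority 371327 ptype main
    tmpl src 172.16.0.2 dst 10.10.2.3
        proto esp spi 0xc8664004 reqid 1 mode tunnel
src 10.90.9.0/24 dst 10.200.0.1/32
    dir fwd priority 371327 ptype main
    tmpl src 10.10.2.3 dst 172.16.0.2
        proto esp reqid 1 mode tunnel
src 10.90.9.0/24 dst 10.200.0.1/32
    dir in priority 371327 ptype main
    tmpl src 10.10.2.3 dst 172.16.0.2
        proto esp reqid 1 mode tunnel
"""


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into one dict per policy record."""
    policies = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "src":            # "src A dst B" starts a new record
            policies.append({"src": fields[1], "dst": fields[3]})
        elif fields[0] == "dir":
            policies[-1]["dir"] = fields[1]
        elif fields[0] == "tmpl":         # template: outer tunnel endpoints
            policies[-1]["tmpl_src"], policies[-1]["tmpl_dst"] = fields[2], fields[4]
        elif fields[0] == "proto":
            policies[-1]["proto"] = fields[1]
            policies[-1]["mode"] = fields[fields.index("mode") + 1]
    return policies


def missing_policies(policies, local_ts, remote_ts, local_ip, peer_ip):
    """Return the directions (out/fwd/in) lacking a correct ESP tunnel policy."""
    expected = {
        "out": (local_ts, remote_ts, local_ip, peer_ip),   # client -> remote subnet
        "fwd": (remote_ts, local_ts, peer_ip, local_ip),   # remote subnet -> client
        "in": (remote_ts, local_ts, peer_ip, local_ip),
    }
    found = set()
    for p in policies:
        key = (p["src"], p["dst"], p.get("tmpl_src"), p.get("tmpl_dst"))
        if key == expected.get(p.get("dir")) and p.get("proto") == "esp" and p.get("mode") == "tunnel":
            found.add(p["dir"])
    return sorted(set(expected) - found)
```

Feed it the live output (`subprocess.run(["ip", "xfrm", "policy"], ...)`) and a non-empty result means the negotiated SA is not fully backed by kernel policy, so traffic for the remote subnet may not be encrypted.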