j4ck said: Hi
After running racoon, are there any ways to find out whether a tunnel has been established or not, or to check racoon's status, besides investigating the racoon log file?
rolfheinrich said: Have a look at setkey(8) whether it serves your needs.
Examples:
# /usr/local/sbin/setkey -D
This will dump a list of Security Associations.
# /usr/local/sbin/setkey -DP
j4ck said: Thanks. Would you please explain each field and what information it shows, e.g. the hard and soft fields?
Output of # /usr/local/sbin/setkey -D right after I initiated an L2TP/IPsec session from my iPhone to the FreeBSD 9.1 server (using imaginary example IP addresses):
192.168.0.1[4500] 179.229.99.144[4500]
    esp-udp mode=transport spi=253776086(0x0f2050d6) reqid=1(0x00000001)
    NAT OAi=179.80.100.10
    NAT OAr=179.229.99.144
    E: aes-cbc fe2f107d 3d0b25fd b5edb87b 1b70190f a06fb02e 38c21488 fb28e081 25b70447
    A: hmac-sha1 2940a792 2dcd73c1 12f6d17f 34cdd45e 61dd62d4
    seq=0x00000025 replay=4 flags=0x00000000 state=mature
    created: May 1 11:48:34 2013    current: May 1 11:49:17 2013
    diff: 43(s)    hard: 3600(s)    soft: 2880(s)
    last: May 1 11:48:46 2013    hard: 0(s)    soft: 0(s)
    current: 9320(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 37    hard: 0    soft: 0
    sadb_seq=1 pid=21130 refcnt=2
179.229.99.144[4500] 192.168.0.1[4500]
    esp-udp mode=transport spi=122323115(0x074a80ab) reqid=1(0x00000001)
    NAT OAi=179.229.99.144
    NAT OAr=179.80.100.10
    E: aes-cbc 018e9585 5ca333d6 3b3cd4da 9727aad0 48372e8e 3c6c8e7c dd624281 e814e49e
    A: hmac-sha1 c53392b4 7d608259 71694ded b6d83498 87f6a741
    seq=0x0000002f replay=4 flags=0x00000000 state=mature
    created: May 1 11:48:34 2013    current: May 1 11:49:17 2013
    diff: 43(s)    hard: 3600(s)    soft: 2880(s)
    last: May 1 11:48:46 2013    hard: 0(s)    soft: 0(s)
    current: 4026(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 47    hard: 0    soft: 0
    sadb_seq=0 pid=21130 refcnt=1
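To turn a dump like the one above into a yes/no answer (is there a mature SA in each direction, and how close is each SA to its lifetime), here is an added Python example; it is not code from this thread or from the ipsec-tools project. It parses the setkey -D layout shown in the thread: the address line (IPv4 with an optional [port]), the proto/mode/spi/reqid line, the seq/state line, the created/current line, and the "diff / hard / soft" line, where diff is the SA's age in seconds, hard is the age at which the kernel deletes the SA and soft the age at which it asks racoon to rekey (0 means no limit). Key lines (E:, A:), NAT-OA lines and byte counters are skipped. The sample dump is constructed from the output posted above, trimmed, with the second SA's diff raised to 2900 s so the soft-lifetime check fires; the function names and the tunnel_established check are this example's own.

```python
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: the two ESP SAs from the dump posted above (trimmed), with the
# second SA's "diff" raised to 2900 s so the soft-lifetime check below fires.
SAMPLE_DUMP = """\
192.168.0.1[4500] 179.229.99.144[4500]
    esp-udp mode=transport spi=253776086(0x0f2050d6) reqid=1(0x00000001)
    E: aes-cbc fe2f107d 3d0b25fd b5edb87b 1b70190f a06fb02e 38c21488 fb28e081 25b70447
    A: hmac-sha1 2940a792 2dcd73c1 12f6d17f 34cdd45e 61dd62d4
    seq=0x00000025 replay=4 flags=0x00000000 state=mature
    created: May  1 11:48:34 2013    current: May  1 11:49:17 2013
    diff: 43(s)    hard: 3600(s)    soft: 2880(s)
    current: 9320(bytes)    hard: 0(bytes)    soft: 0(bytes)
    sadb_seq=1 pid=21130 refcnt=2
179.229.99.144[4500] 192.168.0.1[4500]
    esp-udp mode=transport spi=122323115(0x074a80ab) reqid=1(0x00000001)
    E: aes-cbc 018e9585 5ca333d6 3b3cd4da 9727aad0 48372e8e 3c6c8e7c dd624281 e814e49e
    seq=0x0000002f replay=4 flags=0x00000000 state=mature
    created: May  1 11:48:34 2013    current: May  1 12:36:54 2013
    diff: 2900(s)    hard: 3600(s)    soft: 2880(s)
    sadb_seq=0 pid=21130 refcnt=1
"""

# One regex per line type of the setkey -D output shown in the thread.
ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\[(\d+)\])?\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\[(\d+)\])?$")
PROTO_RE = re.compile(r"^(esp-udp|esp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\d+)\(0x[0-9a-f]+\)\s+reqid=(\d+)")
STATE_RE = re.compile(r"^seq=\S+.*\bstate=(\w+)")
CREATED_RE = re.compile(r"^created:\s+(.+?)\s+current:\s+(.+)$")
LIFE_RE = re.compile(r"^diff:\s+(\d+)\(s\)\s+hard:\s+(\d+)\(s\)\s+soft:\s+(\d+)\(s\)")


def _ts(s: str) -> datetime:
    # "May  1 11:48:34 2013" (day padded with a space) -> datetime
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y")


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    reqid: int = 0
    state: str = ""                  # larval / mature / dying / dead
    created: Optional[datetime] = None
    age: Optional[int] = None        # "diff": seconds since creation
    hard_life: Optional[int] = None  # kernel deletes the SA at this age; 0 = no limit
    soft_life: Optional[int] = None  # kernel asks racoon to rekey at this age; 0 = no limit

    def seconds_left(self) -> Optional[int]:
        """Seconds until the hard lifetime expires, or None if unlimited/unknown."""
        if not self.hard_life or self.age is None:
            return None
        return max(self.hard_life - self.age, 0)

    def needs_rekey(self) -> bool:
        """True once the soft lifetime has passed, i.e. a rekey should be under way."""
        return bool(self.soft_life) and self.age is not None and self.age >= self.soft_life


def parse_setkey_dump(text: str) -> List[SecurityAssociation]:
    """Parse 'setkey -D' output into one SecurityAssociation per SA block."""
    sas: List[SecurityAssociation] = []
    for raw in text.splitlines():
        line = raw.strip()           # real output indents detail lines with a tab
        if not line:
            continue
        if m := ADDR_RE.match(line):  # a new SA block starts with its address pair
            src = m.group(1) + (f"[{m.group(2)}]" if m.group(2) else "")
            dst = m.group(3) + (f"[{m.group(4)}]" if m.group(4) else "")
            sas.append(SecurityAssociation(src=src, dst=dst))
            continue
        if not sas:
            continue                 # detail line before any address line: ignore
        sa = sas[-1]
        if m := PROTO_RE.match(line):
            sa.proto, sa.mode, sa.spi, sa.reqid = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        elif m := STATE_RE.match(line):
            sa.state = m.group(1)
        elif m := CREATED_RE.match(line):
            sa.created = _ts(m.group(1))
        elif m := LIFE_RE.match(line):
            sa.age, sa.hard_life, sa.soft_life = (int(g) for g in m.groups())
        # E:/A: key material, NAT-OA, byte counters and sadb_seq lines are skipped
    return sas


def tunnel_established(sas: List[SecurityAssociation], host_a: str, host_b: str) -> bool:
    """True when a mature SA exists in each direction between the two hosts (ports ignored)."""
    def host(addr: str) -> str:
        return addr.split("[", 1)[0]
    mature = {(host(sa.src), host(sa.dst)) for sa in sas if sa.state == "mature"}
    return (host_a, host_b) in mature and (host_b, host_a) in mature


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for sa in parse_setkey_dump(text):
        print(f"{sa.src} -> {sa.dst} {sa.proto}/{sa.mode} spi=0x{sa.spi:08x} state={sa.state} "
              f"age={sa.age}s left={sa.seconds_left()} rekey_due={sa.needs_rekey()}")
```

On a real host, pipe the live dump in (setkey -D | python3 sa_check.py, with sa_check.py being whatever you name this file) and check for a mature SA in both directions; a single larval SA, or SAs whose diff keeps resetting, points at negotiation or rekey trouble rather than an established tunnel. Note that setkey -D prints the live encryption and authentication keys (the E: and A: lines), so a dump should be redacted before it goes into a forum post or ticket.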
j4ck said: Is it right to take the created time as the establishment time of the tunnel?
...
2013-05-01 11:48:34: INFO: IPsec-SA established: ESP/Transport 192.168.0.1[500]->179.229.99.144[500] spi=122323115(0x74a80ab)
2013-05-01 11:48:34: INFO: IPsec-SA established: ESP/Transport 192.168.0.1[500]->179.229.99.144[500] spi=253776086(0xf2050d6)
...
setkey -D (modified report):
192.168.100.1 172.221.10.2
    esp mode=tunnel spi=53644524(0x03328cec) reqid=0(0x00000000)
    created: May 4 08:34:01 2013    current: May 4 08:37:07 2013
    sadb_seq=3 pid=24340 refcnt=1
192.168.100.1 172.221.10.2
    esp mode=tunnel spi=39375239(0x0258d187) reqid=0(0x00000000)
    created: May 4 08:34:00 2013    current: May 4 08:37:07 2013
    sadb_seq=2 pid=24340 refcnt=1
172.221.10.2 192.168.100.1
    esp mode=tunnel spi=199300376(0x0be11518) reqid=0(0x00000000)
    created: May 4 08:34:01 2013    current: May 4 08:37:07 2013
    sadb_seq=1 pid=24340 refcnt=1
172.221.10.2 192.168.100.1
    esp mode=tunnel spi=32297398(0x01ecd1b6) reqid=0(0x00000000)
    created: May 4 08:34:00 2013    current: May 4 08:37:07 2013
    sadb_seq=0 pid=24340 refcnt=1
j4ck said: Thanks. Why do you have two entries in your SAD but I have four of them?