divzeroweb

2f30.org website
git clone git://git.2f30.org/divzeroweb

commit 3b3452dbf9d7797d5498b013c378d2fa84c1701d
parent 6d6b94bdf5163d2d8f932842bf205d78e7da54a9
Author: lostd <lostd@2f30.org>
Date:   Fri,  2 May 2014 13:47:47 +0300

Configuration testing commands

Diffstat:
M guides/ipsec.md | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+), 0 deletions(-)

diff --git a/guides/ipsec.md b/guides/ipsec.md @@ -15,6 +15,9 @@ key management daemon and have IPsec enabled and allowed through PF. pass quick on egress proto {esp, ah} pass in quick on egress proto udp to port {isakmp, ipsec-nat-t} +The next part shows how we run mail message submission and POP version 3 +services through IPsec tunnels. + #### Server configuration @@ -54,6 +57,37 @@ for key management. pass out on egress proto udp from any port isakmp to any port isakmp \ nat-to (egress) port 5000 + +#### Testing the setup + +If all went OK, from a client you should see something like the following, +when the server's IP address is 1.2.3.4 while the client's IP address is +5.6.7.8. + + $ ipsecctl -s flow + FLOWS: + flow esp in proto tcp from 1.2.3.4 port pop3 to 5.6.7.8 peer 1.2.3.4 srcid 5.6.7.8/32 dstid 1.2.3.4/32 type use + flow esp out proto tcp from 5.6.7.8 to 1.2.3.4 port pop3 peer 1.2.3.4 srcid 5.6.7.8/32 dstid 1.2.3.4/32 type require + flow esp in proto tcp from 1.2.3.4 port submission to 5.6.7.8 peer 1.2.3.4 srcid 5.6.7.8/32 dstid 1.2.3.4/32 type use + flow esp out proto tcp from 5.6.7.8 to 1.2.3.4 port submission peer 1.2.3.4 srcid 5.6.7.8/32 dstid 1.2.3.4/32 type require + + $ route -n show -encap + Routing tables + + Encap: + Source Port Destination Port Proto SA(Address/Proto/Type/Direction) + 1.2.3.4/32 110 5.6.7.8/32 0 6 1.2.3.4/esp/use/in + 5.6.7.8/32 0 1.2.3.4/32 110 6 1.2.3.4/esp/require/out + 1.2.3.4/32 587 5.6.7.8/32 0 6 1.2.3.4/esp/use/in + 5.6.7.8/32 0 1.2.3.4/32 587 6 1.2.3.4/esp/require/out + + $ nc -v server.example.org 587 + Connection to server.example.org 587 port [tcp/submission] succeeded! + $ nc -v server.example.org 110 + Connection to server.example.org 110 port [tcp/pop3] succeeded! + +OK + + #### Notes There is no actual server and client in the protocol, however in this
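Review bot: in the first hunk the new sentence says "mail message submission and POP version 3 services", while the flow and route output added later names the same services by their port names, "submission" and "pop3"; using "mail submission (submission, port 587) and POP3 (pop3, port 110)" here would let the reader match the prose to the `ipsecctl -s flow` and `route -n show -encap` lines directly.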
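Review bot: the "Testing the setup" hunk verifies only TCP reachability, and `Connection to server.example.org 587 port [tcp/submission] succeeded!` is exactly what you also get when no IPsec SA was negotiated at all; given that the inbound flows are `type use` (cleartext from the server is still accepted) and only the outbound ones are `type require`, the section should also show that traffic actually travels inside ESP, for example `ipsecctl -s sa` listing the SAs for 1.2.3.4 and a `tcpdump -ni <egress-interface> esp` capture while the `nc` connections are open. Separately, the lone `+OK` line after the second `nc` command reads as a leftover placeholder rather than a sentence; either drop it or finish the thought (for instance, that both services answered over the IPsec-protected path).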