2013.10.24

[uclinux-h8/uClinux-dist.git] / freeswan / doc / src / trouble.html

<HTML>
<HEAD>
        <TITLE>FreeS/WAN troubleshooting</TITLE>
      <meta name="keywords" content="Linux, IPSEC, VPN, security, FreeSWAN, troubleshooting, debugging">
<!--
     Written by Claudia Schmeing for the Linux FreeS/WAN project
     Freely distributable under the GNU General Public License

     More information at www.freeswan.org
     Feedback to users@lists.freeswan.org

CVS information:
RCS ID:          $Id: trouble.html,v 1.21 2001/12/29 17:06:09 sandy Exp $
Last changed:    $Date: 2001/12/29 17:06:09 $
Revision number: $Revision: 1.21 $

CVS revision numbers do not correspond to FreeS/WAN release numbers.
-->
 
</HEAD>
<BODY>

<H1><A NAME="guide"></A>Linux FreeS/WAN Troubleshooting Guide</H1>

<H2><A NAME="overview"></A>Overview</H2>

<P>
Before we launch into how to establish, test and troubleshoot a
connection step by step, here's a brief overview that may allow you
to skim ahead to the most useful part of this document for you.</P>
<P>
There are several general places where you might have a problem:</P>
<OL>
        <LI><P><A HREF="#install">During install</A>.</P>
        <LI><P><A HREF="#before">Before connection negotiation</A>.</P>
        <LI><P><A HREF="#negotiation">During the negotiation process</A>.</P>
        <LI><P><A HREF="#use">Using an established connection</A>.</P>
</OL>
<P>This document also contains <A HREF="#notes">notes</A> which
expand on points made in these sections, and tips for <A HREF="#prob.report">problem
reporting</A>. If the other end of your connection is not FreeS/WAN,
see also our <A HREF="interop.html#interop.problem">interoperation</A>
document.</P>
<H2><A NAME="install"></A>1. During Install</H2>
<P>Instructions and tips are in our <A HREF="install.html">install
document</A>. If you encounter a problem, it may be:</P>
<UL>
        <LI><P>Missing library. See <A HREF="faq.html#gmp.h_missing">this</A>
        FAQ.</P>
        <LI><P>Missing utilities required for compile. See this <A HREF="install.html#tool.lib">checklist</A>.</P>
        <LI><P>Kernel version incompatibility. See <A HREF="faq.html#k.versions">this</A>
        FAQ.</P>
        <LI><P>Another compile problem. Find information in the out.* files,
        ie. out.kpatch, out.kbuild, created at compile time in the top-level
        Linux FreeS/WAN directory. Error messages generated by KLIPS during
        the boot sequence are accessible with the <VAR>dmesg</VAR> command 
        </P>
        <P>Check the list archives and the List in Brief to see if this is a
        known issue. If it is not, report it to the bugs list as described
        in our <A HREF="#prob.report">problem reporting</A> section. In some
        cases, you may be asked to provide debugging information using gdb;
        details <A HREF="#gdb">below</A>.</P>
        <LI><P>If your kernel compiles but you fail to install your new
        FreeS/WAN-enabled kernel, review the sections on <A HREF="install.html#newk">installing
        the patched kernel</A>, and <A HREF="install.html#testinstall">testing</A>
        to see if install succeeded.</P>
</UL>
<H2><A NAME="before"></A>2. Before Connection Negotiation</H2>
<H3><A NAME="plan"></A>2.1 Plan your tunnels</H3>
<P>Know your IPSec needs. For most people who begin experimenting
with IPSec in the field, your configuration will more or less
resemble one of the samples in our <A HREF="config.html">configuration
document</A> . Other folks may wish to create a testbed network in a
lab environment for intensive IPSec testing or proof-of-concept. They
may be interested in <A HREF="testing.html#testnet">this description</A>
of a sample testbed network.</P>
<H3>2.2 Configure Step by Step</H3>
<P>Draw a network schematic. This will assist others in helping you
should you mail the list for help.</P>
<P>For example:</P>
<PRE>Sunset==========West------------------East
         corporate LAN     untrusted net</PRE><P>
Add IPs to the diagram.</P>
<PRE>Sunset==========West------------------East
         corporate LAN     untrusted net

192.168.1.5                           N.N.N.235

         eth0(external)=N.N.N.222

         eth1(internal)=192.168.1.1;
         gateway for 192.168.0.0/24</PRE><P>
How many tunnels do you need to connect your sites sufficiently for
your purposes? Check our <A HREF="config.html#multitunnel">configuration
document</A> for why you might need multiple tunnels. How would you
name each tunnel?</P>
<P>Above, it is possible to make two tunnels: sunset-east and
west-east. If East does not need to access any resources on West, <STRONG>and
West is not masquerading</STRONG> (see below) we may only want to
create sunset-east. Sunset-east is a tunnel between IPSec-enabled
machines West and East, created to protect traffic between the net on
which Sunset resides, and East. However, it is safest to create all
potential tunnels in your configuration. This lowers the risk that
you will forget to configure a needed tunnel, and send important data
cleartext. As an added safeguard, by default, (at the time of
writing) Linux FreeS/WAN prevents you from routing cleartext packets
between IPSec gateways which are also linked by a tunnel. Reliance on
this behaviour is not a substitute for secure network design.</P>
<P>Take into account any masquerading and Network Address Translation
rules on your gateway. If you are masquerading packets from Sunset as
they leave West, Linux FreeS/WAN will treat these as though they
originated at West, not Sunset. For more detail, see this <A HREF="firewall.html#packets">packet
flow diagram</A>.</P>
<P>For each tunnel, think of a packet path that will allow you to
test that tunnel. Refer to <A HREF="#testgates">this discussion</A>.</P>
<H3><A NAME="ikepath"></A>2.3 Ensure a Clear Path for IKE</H3>
<P>Ensure that IKE packets can travel freely between your IPSec
gateways, as described <A HREF="firewall.html#packets">here</A>. If
they cannot, the connection negotiation, described below, will be
stuck in its first state.</P>
<H2><A NAME="negotiation"></A>3. During Negotiation</H2>
<H3><A NAME="establish"></A>3.1 Create a connection</H3>
<P>Bring up one of your connections, using the ipsec auto commands at
the command line: 
</P>
<PRE STYLE="margin-bottom: 0.2in">    ipsec auto --add west-east</PRE><P>
then</P>
<PRE STYLE="margin-bottom: 0.2in">    ipsec auto --up west-east</PRE><P>
At this stage of testing, do not bring up the connections by the
alternate method, using ipsec.conf's <VAR>auto=</VAR> directive. You
want to view the output as it happens.</P>
<P>If the resulting status report shows that you have established an
ISAKMP and an IPSec Security Association (aka &quot;SA&quot;, loosely
translated as &quot;tunnel&quot; or &quot;connection&quot;), your
tunnel is up. Repeat for each tunnel you are testing.</P>
<P>If negotiations for any one tunnel fail, troubleshoot as indicated
in the next section. If you have successfully established all desired
tunnels, proceed to <A HREF="#use">test your connection(s)</A> below.
If you find that each tunnel in a multitunnel config may be created
individually, but all may not be created at once, you may have
encountered an old (1.6) bug. Update your Linux FreeS/WAN.</P>
<H3><A NAME="state"></A>3.1.1 Determine Connection State</H3>
<P>When you bring a tunnel up from the command line, you see a report
on the negotiations involved in creating the connection, as these
happen. There are also: 
</P>
<UL>
        <LI><P>ipsec look, which provides a brief status report</P>
        <LI><P>ipsec auto --status, included in the barf</P>
        <LI><P>log files. More information about the log files is available
        <A HREF="#logusage">here</A>. 
        </P>
</UL>
<P>Often, the most relevant state information appears last in a log
or status report.</P>
<P>Negotiations will proceed through various states. You will know
these are done and a connection is established when you see both
messages:</P>
<PRE>    000 #21: &quot;myconn&quot; STATE_MAIN_I4 (ISAKMP SA established)...
    000 #2: &quot;myconn&quot; STATE_QUICK_I2 (sent QI2, IPsec SA established)...</PRE><P>
The key phrases are &quot;ISAKMP SA established&quot; and &quot;IPSec
SA established&quot;, which should appear with the relevant
connection name. Often, this happens at STATE_MAIN_I4 and
STATE_QUICK_I2, respectively.</P>
<P>A note on ipsec auto --status: this will tell you what states <STRONG>have
been achieved</STRONG>, rather than the current state. Since
determining the current state is rather more difficult to do, current
state information is not available from Linux FreeS/WAN. If you are
actively bringing a connection up, the status report's last states
for that connection likely reflect its current state. Beware, though,
of the case where a connection was correctly brought up but is now
downed: Linux FreeS/WAN will not notice this until it attempts to
rekey. Meanwhile, the last known state indicates that the connection
has been established.</P>
<P>Linux FreeS/WAN proceeds though IKE (Phase 1, Main Mode,
STATE_MAIN_*) negotiations first, then begins IPSec (Phase 2, Quick
Mode, STATE_QUICK_*) negotiations. If you do not see success, note
the place where negotiations stopped. This information is useful,
since there are common errors specific to certain points in the
process.</P>
<H3><A NAME="find.error"></A>3.2 Find a Negotiation Error</H3>
<P>Look for verbose error text in the logs. While ipsec --auto dialog
will tell you at which state Linux FreeS/WAN failed, it lacks detail.
You can get more detail by modifying it with the --verbose flag on
each invocation. For example:</P>
<PRE STYLE="margin-bottom: 0.2in">    ipsec auto --verbose --up west-east</PRE><P>
Complete information can be gleaned from the <A HREF="#logusage">log
files</A>.</P>
<P>The amount of description in the logs depends on ipsec.conf debug
settings, <VAR>klipsdebug</VAR>= and <VAR>plutodebug</VAR>=. See
the <A HREF="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A> man page
for details. You will normally want to set these to
either &quot;none&quot; or &quot;all&quot;. Note that you must have
enabled the <VAR>klipsdebug</VAR> <A HREF="install.html#allbut">compile-time
option</A> for the <VAR>klipsdebug</VAR> configuration switch to
work.</P>
<P>For negotiation problems, <VAR>plutodebug</VAR> is most relevant.
<VAR>klipsdebug</VAR> applies mainly to attempts to use an
already-established connection. See also <A HREF="ipsec.html#parts">this</A>
description of the division of duties within Linux FreeS/WAN.</P>
<P>After raising your debug levels, restart Linux FreeS/WAN to ensure
that ipsec.conf is reread, then recreate the error to generate
verbose logs. 
</P>
<P>
This is a good time to produce a barf file, a collection of
information useful for debugging Linux FreeS/WAN on your system. Use
the command</P>
<PRE>
    ipsec barf &gt; barf.west
</PRE><P>
See also the <A HREF="manpage.d/ipsec_barf.8.html">ipsec_barf(8)</A>
man page.</P>
<P>
Look at the logs within the resulting file, and find the failure
point. Are there a handful of lines which succinctly describe how
things are going wrong or contrary to your expectation? Sometimes the
failure point is not immediately obvious: Linux FreeS/WAN's errors
are usually not marked &quot;Error&quot;. Have a look in the <A HREF="faq.html">FAQ</A>
for what some common failures look like. Tip: problems snowball.
Focus your efforts on the first problem, which is likely to be the
cause of later errors.</P>
<P>Repeat the process to find meaningful error text on the peer IPSec
box. If the other end is not Linux FreeS/WAN, get it to produce
detailed log output while you replicate the error, then capture that
output to a file.</P>
<P>It is useful if both ends store information about the same event
from two perspectives. Sometimes you will require information which
only one side has. In this case, the peer can merely indicate the
presence of an error, and its approximate point in the negotiations.
If one side keeps retrying, it may be because there is a show stopper
on the other side. Have a look at the other side and figure out what
it doesn't like.</P>
<H3><A NAME="interpret.error"></A>3.2.1 Interpret a Negotiation Error</H3>
<P>To interpret Linux FreeS/WAN log text, use the following
resources:</P>
<UL>
        <LI><P><A HREF="faq.html">the FAQ</A> . Since this document is
        constantly updated, the snapshot's FAQ may have a new entry relevant
        to your problem.</P>
        <LI><P>our <A HREF="background.html">background document</A> .
        Special considerations which, while not central to Linux FreeS/WAN,
        are often tripped over. Includes problems with 
      <a href="background.html#MTU.trouble">packet fragmentation</a>,
      and considerations for
        testing opportunism.</P>
        <LI><P>the <A HREF="mail.html#lists">list archives</A>. Each of the
        searchable archives works differently, so it's worth checking each.
        Use a search term which is generic, but identifies your error, for
        example &quot;No connection is known for&quot;.</P>
        <P>Often, you will find that your question has been answered in the
        past. Finding an archived answer is quicker than asking the list.
        You may, however, find similar questions without answers. If you do,
        send their URLs to the list with your trouble report. The additional
        examples may help the list tech support person find your answer.</P>
        <LI><P>Look into the code where the error is being generated. The
        pluto code is nicely documented with comments and meaningful
        variable names.</P>
</UL>
<P>If you have failed to solve your problem with the help of these
resources, send a detailed problem report to the users list,
following these <A HREF="#prob.report">guidelines</A>.</P>
<H2><A NAME="use"></A>4. Using a Connection</H2>
<H3><A NAME="test"></A>4.1 Ping test</H3>
<P>Test a connection by sending packets through it. The simplest way
to do this is with ping. Remember, in the <A HREF="#before">planning
stage</A>, choosing a path which would test the tunnel? Now, ping
along that path. 
</P>
<P>If your ping returns, test any other connections you've brought
up. If they all check out, great. You may wish to <A HREF="#bigpacket">test
with large packets</A> for MTU problems.</P>
<P>If your ping fails to return, generate an ipsec barf debugging
report on each IPSec gateway. On a non-Linux FreeS/WAN
implementation, gather equivalent information. Use this, and the tips
in the next sections, to troubleshoot. Are you sure that both
endpoints are capable of hearing and responding to ping?</P>
<H4><A NAME="check.path"></A>4.1.1 Check your ping path</H4>
<P>IPSec may be dropping your ping packets since it does not &quot;think&quot;
they belong in the tunnels you have constructed. This is an error
about assumptions, and it takes two forms.</P>
<P>In the first, your ping is not returning because its path does not
fall within your tunnel. This ping does not test the tunnel you
intend to test. Referring to this <A HREF="#testgates">discussion</A>
about appropriate tests, determine an alternate ping path which <STRONG>would</STRONG>
test the tunnel. 
</P>
<P>In the second form of this error, you have not correctly
configured the functionality you want. In the example above, you may
have configured one of the possible tunnels between West and East
(say west-east) but not the tunnel required to secure the important
traffic you're now testing (say a sunset-east tunnel to secure
traffic between office net Sunset and laptop East). See also <A HREF="faq.html#cantping">this
FAQ </A>titled &quot;I can't ping&quot;. NAT and masquerading may
have an effect on which tunnels you need to configure; that's
discussed in &quot;<A HREF="#before">Before there's trouble</A>&quot;.</P>
<P>Both forms show identical symptoms. After all, the difference is
one of intent. In both forms, Linux FreeS/WAN receives a packet
destined for a peer IPSec gateway. Finding no active tunnel in which
this packet belongs, it drops the packet on the floor. If your debug
levels are appropriate, it logs this with a &quot;klipsdebug... no
eroute&quot; message, which is discussed in <A HREF="faq.html#no_eroute">this
FAQ</A>. 
</P>
<P>Note: When testing a tunnel that protects a multi-node subnet, you
may wish to try several subnet nodes as ping targets, in case one
node is routing incorrectly.</P>
<H3><A NAME="route.firewall"></A>4.2 Check Routing and Firewalling</H3>
<P>If you've confirmed your configuration assumptions, the problem is
almost certainly with routing or firewalling. Isolate the problem
using interface statistics, firewall statistics, or a packet sniffer.</P>
<P>Background:</P>
<UL>
        <LI><P>Linux FreeS/WAN supplies all the special routing it needs;
        you need only route packets out through your IPSec gateway. Verify
        that on the machines you are using for your ping-test, your routing
        is as expected. I have seen a tunnel &quot;fail&quot; because the
        subnet machine was not routing packets back to the IPSec gateway;
        rather, it routed them through an alternate gateway.</P>
        <LI><P>Linux FreeS/WAN requires special firewalling considerations,
        described in our <A HREF="firewall.html">firewalling</A> document.
        Check the firewall rules on your IPSec gateways and ensure that they
        allow IPSec traffic through. Be sure that no other machine - for
        example a router between the gateways - is blocking your IPSec
        packets.</P>
</UL>
<H4><A NAME="ifconfig"></A>4.2.1 View Interface and Firewall
Statistics</H4>
<P>Interface reports and firewall statistics can help you track down
lost packets at a glance. 
</P>
<P>Check any firewall statistics you may be keeping on your IPSec
gateways, for dropped packets.</P>
<P>Both <VAR>cat /proc/net/dev</VAR> and <VAR>ifconfig</VAR> display
interface statistics, and both are included in an ipsec barf. Use
either to check if any interface has dropped packets. If you find
that one has, test whether this is related to your ping. While you
ping continuously, print that interface's statistics several times.
Does its drop count increase in proportion to the ping? If so, check
why the packets are dropped there.</P>
<P>Check the firewall rules that apply to that interface. If the
interface is an IPSec interface, more information may be available in
the log. Grep for the word &quot;drop&quot; in a log which was
created with <VAR>klipsdebug=all</VAR> as the error happened.</P>
<P>See also <A HREF="#ifconfig1">this</A> detailed discussion by
KLIPS programmer Richard Guy Briggs on interpreting <VAR>ifconfig</VAR>.</P>
<H3><A NAME="sniff"></A>4.3 Sniff packets</H3>
<P>If you have checked configuration assumptions, routing, and
firewall rules, and your interface statistics yield no clue, it
remains for you to investigate the mystery of the lost packet by the
most thorough method: with a packet sniffer. Sniff packets at each
interface along the projected ping path until you find where your
packets disappear. In this way, you can isolate the problem area, and
narrow your troubleshooting focus.</P>
<P>Install an up-to-date sniffer (tcpdump, ethereal, ksnuffle) on
your IPSec gateway machines. A sniffer on the ping endpoints is also
useful. The sniffer should be somewhat modern (tcpdump 3.3+,
ethereal-0.8.18) so that you may view packets on the ipsec virtual
interface as well as the underlying physical one.</P>
<P>Working from your schematic, anticipate your ping's path. Which
machines will your ping be visible on, in which order? Now, which
interfaces will it be visible on, in which order? Within a machine
running Linux FreeS/WAN, this <A HREF="firewall.html#packets">packet
flow diagram</A> will help you anticipate the packet's path. Note
that from the perspective of the tunneled packet, the entire tunnel
is one hop. That's explained in <A HREF="faq.html#no_trace">this</A>
FAQ.</P>
<P>Ping, and as you do, sniff the packets. Examine each interface
along the projected path, checking for your ping's arrival. If it
doesn't arrive at the next stop, you have narrowed down where to look
for it. 
</P>
<P>Note that an encapsulated IPSec packet will look different, when
sniffed, from the plaintext packet which generated it. However, you
can observe plaintext packets entering an IPSec interface and the
resulting cyphertext packets as they emerge from the corresponding
physical interface. 
</P>
<P>Once you isolate where the packet is lost, take a closer look at
firewall rules, routing and configuration assumptions as they affect
that specific area. If the packet is lost on an IPSec gateway, comb
through <VAR>klipsdebug</VAR> output for anomalies. 
</P>
<P>If the packet goes through both gateways successfully and reaches
the ping target, but does not return, suspect routing. Check that the
ping target routes packets back to the IPSec gateway.</P>
<H3><A NAME="find.use.error"></A>4.4 Find a Connection Use Error</H3>
<P>The guidelines are the same as for the Pluto logs, <A HREF="#find.error">above</A>.</P>
<P>For connection use problems, set <VAR>klipsdebug=all</VAR>. Note
that you must have enabled the <VAR>klipsdebug</VAR> <A HREF="install.html#allbut">compile-time
option</A> to do this. Restart Linux FreeS/WAN so that it rereads the
configuration file, then recreate the error condition. When searching
through <VAR>klipsdebug</VAR> data, look especially for the keywords
&quot;drop&quot; (as in dropped packets) and &quot;error&quot;.</P>
<P>Often the problem with connection use is not software error, but
rather that the software is behaving contrary to expectation. 
</P>
<H4><A NAME="interpret.use.error"></A>4.4.1 Interpret a Connection
Use Error</H4>
<P>To interpret the Linux FreeS/WAN log text you've found, use the
same resources as indicated for troubleshooting <A HREF="#interpret.error">connection
negotiation</A>: <A HREF="faq.html">the FAQ</A> , our
<A HREF="background.html">background
document</A> , and the <A HREF="mail.html#lists">list archives</A>.
Looking in the KLIPS code is recommended only for the brave.</P>
<P>If you are still stuck, send a <A HREF="#prob.report">detailed
problem report</A> to the users' list.</P>
<H3><A NAME="bigpacket"></A>4.4 Test with Large Packets</H3>
<P>If each of your connections passed the ping test, you may wish to
test by pinging with large packets (2000 bytes or larger). If it does
not return, suspect MTU issues, and see this <A HREF="background.html#MTU.trouble">discussion</A>.</P>
<H3>4.5 Stress Tests</H3>
<P>In most users' view, a simple ping test, and perhaps a
large-packet ping test suffice to indicate a working IPSec
connection.</P>
<P>Some people might like to do additional stress tests prior to
production use. They may be interested in this <A HREF="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00224.html">testing
protocol</A> we use at interoperation conferences, aka &quot;bakeoffs&quot;.
We also have a <VAR>testing</VAR> directory that ships with the
release.</P>
<H2><A NAME="prob.report"></A>5. Problem Reporting</H2>
<H3>5.1 How to ask for help</H3>
<P>Ask for troubleshooting help on the users' mailing list,
<A HREF="mailto:users@lists.freeswan.org">users@lists.freeswan.org</A>.
While sometimes an initial query with a quick description of your
intent and error will twig someone's memory of a similar problem,
it's often necessary to send a second mail with a complete problem
report. 
</P>
<P>The essay <A HREF="http://www.chiark.greenend.org.uk/~sgtatham/bugs.html">How
to Report Bugs Effectively</A> contains good guidelines. 
</P>
<P>When reporting problems to the mailing list(s), please include: 
</P>
<UL>
        <LI><P>a brief description of the problem</P>
        <LI><P>if it's a compile problem, the actual output from make,
        showing the problem. Try to edit it down to only the relevant part,
        but when in doubt, be as complete as you can. If it's a kernel
        compile problem, any relevant out.* files</P>
        <LI><P>if it's a run-time problem, pointers to where we can find the
        complete output from &quot;ipsec barf&quot; from BOTH ENDS (not just
        one of them). Remember that it's common outside the US and Canada to
        pay for download volume, so if you can't post barfs on the web and
        send the URL to the mailing list, at least compress them with tar or
        gzip.</P>
        <P>If you can, try to simplify the case that is causing the problem.
        In particular, if you clear your logs, start FreeS/WAN with no other
        connections running, cause the problem to happen, and then do <VAR>ipsec
        barf</VAR> on both ends immediately, that gives the smallest and
        least cluttered output.</P>
        <LI><P>any other error messages, complaints, etc. that you saw.
        Please send the complete text of the messages, not just a summary.</P>
        <LI><P>what your network setup is. Include subnets, gateway
        addresses, etc. The <A HREF="#before">network schematic</A> is a
        good format for this information.</P>
        <LI><P>exactly what you were trying to do with Linux FreeS/WAN, and
        exactly what went wrong</P>
        <LI><P>a fix, if you have one. But remember, you are sending mail to
        people all over the world; US residents and US citizens in
        particular, please read doc/exportlaws.html before sending code --
        even small bug fixes -- to the list or to us.</P>
        <LI><P>When in doubt about whether to include some seemingly-trivial
        item of information, include it. It is rare for problem reports to
        have too much information, and common for them to have too little.</P>
</UL>
<H3>5.2 Where to ask</H3>
<P>To report a problem, send mail about it to the users' list. If you
are certain that you have found a bug, report it to the bugs list. If
you encounter a problem while doing your own coding on the Linux
FreeS/WAN codebase and think it is of interest to the design team,
notify the design list. When in doubt, default to the users' list.
More information about the mailing lists is found <A HREF="mail.html#lists">here</A>.</P>
<P>For a number of reasons -- including export-control regulations
affecting almost any <STRONG>private</STRONG> discussion of
encryption software -- we prefer that problem reports and discussions
go to the lists, not directly to the team. Beware that the list goes
worldwide; US citizens, read this important information about your
<A HREF="politics.html#exlaw">export laws</A>. If you're using this
software, you really should be on the lists. To get onto them, visit
<A HREF="http://lists.freeswan.org/">lists.freeswan.org</A>.</P>
<P>If you do send private mail to our coders or want a private reply
from them, please make sure that the return address on your mail
(From or Reply-To header) is a valid one. They have more important
things to do than to unravel addresses that have been mangled in an
attempt to confuse spammers. 
</P>
<H2><A NAME="notes"></A>6. Additional Notes on Troubleshooting</H2>
<P>The following sections supplement the Guide: <A HREF="#system.info">information
available on your system</A>; <A HREF="#testgates">testing between
security gateways</A>; <A HREF="#ifconfig1">ifconfig reports for
KLIPS debugging</A>; <A HREF="#gdb">using GDB on Pluto</A>.</P>
<H3><A NAME="system.info"></A>6.1 Information available on your
system</H3>
<H4><A NAME="logusage"></A>6.1.1 Logs used</H4>
<P>Linux FreeS/WAN logs to:</P>
<UL>
        <LI><P STYLE="margin-bottom: 0in">/var/log/secure (or, on Debian,
        /var/log/auth.log) 
        </P>
        <LI><P>/var/log/messages 
        </P>
</UL>
<P>Check both places to get full information. If you find nothing,
check your <VAR>syslogd.conf(5)</VAR> to see where your
/etc/syslog.conf or equivalent is directing <VAR>authpriv</VAR>
messages.</P>
<H4><A NAME="pages"></A>6.1.2 man pages provided</H4>
<DL>
        <DT><A HREF="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A> 
        </DT><DD>
        Manual page for IPSEC configuration file. 
        </DD><DT>
        <A HREF="manpage.d/ipsec.8.html">ipsec(8)</A> 
        </DT><DD STYLE="margin-bottom: 0.2in">
        Primary man page for ipsec utilities. 
        </DD></DL>
<P>
Other man pages are on <A HREF="manpages.html">this list</A> and in</P>
<UL>
        <LI><P STYLE="margin-bottom: 0in">/usr/local/man/man3 
        </P>
        <LI><P STYLE="margin-bottom: 0in">/usr/local/man/man5 
        </P>
        <LI><P>/usr/local/man/man8/ipsec_* 
        </P>
</UL>
<H4><A NAME="statusinfo"></A>6.1.3 Status information</H4>
<DL>
        <DT>ipsec auto --status 
        </DT><DD>
        Command to get status report from running system. Displays Pluto's
        state. Includes the list of connections which are currently &quot;added&quot;
        to Pluto's internal database; lists state objects reflecting ISAKMP
        and IPsec SAs being negotiated or installed. 
        </DD><DT>
        ipsec look 
        </DT><DD>
        Brief status info. 
        </DD><DT>
        ipsec barf 
        </DT><DD STYLE="margin-bottom: 0.2in">
        Copious debugging info. 
        </DD></DL>
<H3>
<A NAME="testgates"></A>6.2 Testing between security gateways</H3>
<P>Sometimes you need to test a subnet-subnet tunnel. This is a
tunnel between two security gateways, which protects traffic on
behalf of the subnets behind these gateways. On this network:</P>
<PRE>     Sunset==========West------------------East=========Sunrise
                     IPSec gateway         IPSec gateway
           local net       untrusted net       local net</PRE><P>
you might name this tunnel sunset-sunrise. You can test this tunnel
by having a machine behind one gateway ping a machine behind the
other gateway, but this is not always convenient or even possible.</P>
<P>Simply pinging one gateway from the other is not useful. Such a
ping does not normally go through the tunnel. <STRONG>The tunnel
handles traffic between the two protected subnets, not between the
gateways</STRONG> . Depending on the routing in place, a ping might</P>
<UL>
        <LI><P STYLE="margin-bottom: 0in">either succeed by finding an
        unencrypted route 
        </P>
        <LI><P>or fail by finding no route. Packets without an IPSEC eroute
        are discarded. 
        </P>
</UL>
<P><STRONG>Neither event tells you anything about the tunnel</STRONG>.
You can explicitly create an eroute to force such packets through the
tunnel, or you can create additional tunnels as described in our
<A HREF="config.html#multitunnel">configuration document</A>, but
those may be unnecessary complications in your situation.</P>
<P>The trick is to explicitly test between <STRONG>both gateways'
private-side IP addresses</STRONG>. Since the private-side interfaces
are on the protected subnets, the resulting packets do go via the
tunnel. Use either ping -I or traceroute -i, both of which allow you
to specify a source interface. (Note: unsupported on older Linuxes).
The same principles apply for a road warrior (or other) case where
only one end of your tunnel is a subnet.</P>
<H3><A NAME="ifconfig1"></A>6.3 ifconfig reports for KLIPS debugging</H3>
<P>When diagnosing problems using ifconfig statistics, you may wonder
what type of activity increments a particular counter for an ipsecN
device. Here's an index, posted by KLIPS developer Richard Guy
Briggs:</P>
<PRE>Here is a catalogue of the types of errors that can occur for which
statistics are kept when transmitting and receiving packets via klips.
I notice that they are not necessarily logged in the right counter.
. . .

Sources of ifconfig statistics for ipsec devices

rx-errors:
- packet handed to ipsec_rcv that is not an ipsec packet.
- ipsec packet with payload length not modulo 4.
- ipsec packet with bad authenticator length.
- incoming packet with no SA.
- replayed packet.
- incoming authentication failed.
- got esp packet with length not modulo 8.

tx_dropped:
- cannot process ip_options.
- packet ttl expired.
- packet with no eroute.
- eroute with no SA.
- cannot allocate sk_buff.
- cannot allocate kernel memory.
- sk_buff internal error.


The standard counters are:

struct enet_statistics
{
        int        rx_packets;                /* total packets received */
        int        tx_packets;                /* total packets transmitted */
        int        rx_errors;                /* bad packets received */
        int        tx_errors;                /* packet transmit problems */
        int        rx_dropped;                /* no space in linux buffers */
        int        tx_dropped;                /* no space available in linux */
        int        multicast;                /* multicast packets received */
        int        collisions;

        /* detailed rx_errors: */
        int        rx_length_errors;
        int        rx_over_errors;                /* receiver ring buff overflow */
        int        rx_crc_errors;                /* recved pkt with crc error */
        int        rx_frame_errors;        /* recv'd frame alignment error */
        int        rx_fifo_errors;                /* recv'r fifo overrun */
        int        rx_missed_errors;        /* receiver missed packet */

        /* detailed tx_errors */
        int        tx_aborted_errors;
        int        tx_carrier_errors;
        int        tx_fifo_errors;
        int        tx_heartbeat_errors;
        int        tx_window_errors;
};

of which I think only the first 6 are useful.</PRE><H3>
<A NAME="gdb"></A>6.4 Using GDB on Pluto</H3>
<P>You may need to use the GNU debugger, gdb(1), on Pluto. This
should be necessary only in unusual cases, for example if you
encounter a problem which the Pluto developer cannot readily
reproduce or if you are modifying Pluto. 
</P>
<P>Here are the Pluto developer's suggestions for doing this: 
</P>
<PRE>Can you get a core dump and use gdb to find out what Pluto was doing
when it died?

To get a core dump, you will have to set dumpdir to point to a
suitable directory (see <A HREF="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>).

To get gdb to tell you interesting stuff:
        $ script
        $ cd dump-directory-you-chose
        $ gdb /usr/local/lib/ipsec/pluto core
        (gdb) where
        (gdb) quit
        $ exit

The resulting output will have been captured by the script command in
a file called &quot;typescript&quot;.  Send it to the list.

Do not delete the core file.  I may need to ask you to print out some
more relevant stuff.</PRE><P>
Note that the <VAR>dumpdir</VAR> parameter takes effect only when the
IPsec subsystem is restarted -- reboot or ipsec setup restart.</P>
<P><BR><BR>
</P>
</BODY>
</HTML>