RedHatDemos/SecurityDemos

Ipsec Lab issues

Closed this issue · 12 comments

simo5 commented

Lab 4.3 at point 2, the third command fails:

$ scp ipsec2.example.com.p12 /root/oe-cert.conf root@ipsec2.example.com:/root/
ipsec2.example.com.p12                                         100% 3750     5.3MB/s   00:00    
/root/oe-cert.conf: Permission denied

This is because we are logged into the workstation as lab-user, while the command seems to imply we should be logged in to the ipsec1 machine.

Lab 4.4 at point 4:
the ping command returns 100% packet loss

Lab 4.4 at point 5:
presumably because of the above, only outBytes reports non-zero.

Lab 4.5 at point 4:
the tcpdump command won't work, it references eth0 when the interface on these VMs is called ens3 (also tcpdump is not installed on ipsec2)

I was not able to diagnose the issue; the troubleshooting lab doesn't point out what to look at, and the amount of output spewed by ipsec status was a lot but cryptic to the uninitiated.

@letoams tagging you on this issue

I'll pick this up in the morning (I'm still in CET).

@lkerner it seems that I cannot get my guid for testing? It assigned me 4eaf, and then instructed me to:

ssh lab-user@workstation-4eaf.rhpds.opentlc.com

but that DNS entry does not seem to work at all. Looking in detail, it seems to be a CNAME record:

workstation-4eaf.rhpds.opentlc.com. 100 IN CNAME 0workstation-summitsppgenericte-vpiyflxp.srv.ravcloud.com.

but that CNAME target itself is non-existent

I added an instruction to wait a few seconds after starting the service that seems to prevent the race condition Simo ended up in.

simo5 commented

@letoams I just repeated the lab.
I waited about 5 seconds after starting ipsec on both hosts
ping still fails

Please provide instructions to figure out when it is safe to start pinging.
Also provide instructions on what to do if someone jumps the gun and pings "early": how do I fix the machine?

simo5 commented

I attempted to resolve the issue by stopping ipsec on both hosts.
When I do that ping works fine.
So I restarted ipsec on both hosts and waited a full minute.
Ping still fails.

At this point it is not about waiting a few seconds; it seems like something is wrong in the instructions and I end up with some configuration issues.

Please advise.

simo5 commented

When trying to follow the troubleshooting (the two commands I ran on ipsec2 were: ipsec auto --add private; ipsec whack --shuntstatus) I ended up pinging from the other host, as on ipsec2 I had tcpdump occupying the shell.

And suddenly everything started working.

Is it possible both ends need to initiate some packet sending before ipsec decides to work ?

simo5 commented

I noticed that for some reason, in my tests I always started pinging from ipsec2, not ipsec, is that a problem?

those things should all not matter :/

When I tried, I had similar behaviour - sending ping one way was not enough, pinging from other host started working. But I have not tried too many attempts (just two). Also:

  • When using tcpdump, it should be specified it's meant to be run on ipsec1 (tcpdump is installed only there).

Turns out this was due to firewalld :)
So I used the firewalld lab to figure out how to configure firewalld for IPsec and added that to the IPsec lab instructions. I created a PR for Lucy.
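The symptom reported earlier in this thread (Lab 4.4 point 5: only outBytes non-zero while ping fails) is the usual fingerprint of a firewall dropping the peer's IKE/ESP traffic, and a quick way to answer "is it safe to start pinging yet?" is to look at whether an ESP SA exists and whether bytes flow in both directions. The following script is an added example, not part of the SecurityDemos lab or its PR; it classifies `ipsec trafficstatus`-style output into no SA / idle / one-way / ok. The sample status lines are constructed (modelled on libreswan's `inBytes=`/`outBytes=` fields; the hosts and addresses are made up), and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: classify the state of an IPsec SA from `ipsec trafficstatus`-style
# text. Constructed sample lines below; field names inBytes/outBytes are libreswan's,
# everything else (SA numbers, addresses, id) is made up for the demo.
set -eu

SAMPLE_ONEWAY="006 #2: \"private#192.168.0.0/24\"[1] ...192.168.0.20, type=ESP, add_time=1500000000, inBytes=0, outBytes=504, id='@ipsec2.example.com'"
SAMPLE_OK="006 #3: \"private#192.168.0.0/24\"[1] ...192.168.0.20, type=ESP, add_time=1500000000, inBytes=672, outBytes=672, id='@ipsec2.example.com'"
SAMPLE_NONE="000 "

# field_value TEXT NAME: print the numeric value of "NAME=<n>" from TEXT, or 0 if absent.
field_value() {
    printf '%s\n' "$1" | awk -v f="$2" '
        {
            for (i = 1; i <= NF; i++) {
                sub(/,$/, "", $i)                       # strip trailing comma
                if (index($i, f "=") == 1) {            # field starts with NAME=
                    v = substr($i, length(f) + 2)       # value after the "="
                    found = 1
                }
            }
        }
        END { print (found ? v : 0) }'
}

# sa_state TEXT: print one of
#   no-sa   - no ESP SA present (IKE has not completed; do not ping yet, check IKE/UDP 500,4500)
#   idle    - SA present, no traffic yet (safe to start pinging)
#   one-way - we encrypt and send, nothing comes back (peer or its firewall is dropping ESP/IKE)
#   ok      - bytes flow in both directions
sa_state() {
    rx=$(field_value "$1" inBytes)
    tx=$(field_value "$1" outBytes)
    if ! printf '%s\n' "$1" | grep -q 'type=ESP'; then
        echo no-sa
    elif [ "$rx" -gt 0 ] && [ "$tx" -gt 0 ]; then
        echo ok
    elif [ "$rx" -eq 0 ] && [ "$tx" -gt 0 ]; then
        echo one-way
    else
        echo idle
    fi
}

main() {
    # In real use: sa_state "$(ipsec trafficstatus)" on the host you are pinging from.
    for s in "$SAMPLE_ONEWAY" "$SAMPLE_OK" "$SAMPLE_NONE"; do
        printf '%-40.40s -> %s\n' "$s" "$(sa_state "$s")"
    done
}
main "$@"
```

A `one-way` result on the pinging host points at the peer: its outBytes never grow because replies are never decrypted on our side, which matches a firewall on the peer dropping ESP or IKE. On a firewalld host the stock `ipsec` service (UDP 500/4500 plus the ESP and AH protocols) is what needs to be in the active zone, which is the change the comment above describes adding to the lab.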