<p class="MsoNormal">Hi,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I am running into an intermittent issue where no traffic
will pass on my site to site VPN.<span style=""> </span>The
tunnels are up but packets that match the subnets in the proposal do not enter
the tunnel.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Below I have replaced the local public IP address with<span style=""> </span><local-ip> and the remote public IP
address with <remote-ip>.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Here is the ipsec.conf</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">version 2.0</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">config setup</p>
<p class="MsoNormal"><span style="">
</span>interfaces="ipsec0=eth0"</p>
<p class="MsoNormal"><span style="">
</span>nat_traversal=yes</p>
<p class="MsoNormal"><span style="">
</span>virtual_private="%v4:<a href="http://192.168.1.0/24,%v4:192.168.50.0/24">192.168.1.0/24,%v4:192.168.50.0/24</a>"</p>
<p class="MsoNormal"><span style=""> </span>hidetos=yes</p>
<p class="MsoNormal"><span style="">
</span>syslog=daemon.debug</p>
<p class="MsoNormal"><span style="">
</span>plutodebug="all"</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">conn clear</p>
<p class="MsoNormal"><span style=""> </span>auto=ignore</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">conn clear-or-private</p>
<p class="MsoNormal"><span style=""> </span>auto=ignore</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">conn private-or-clear</p>
<p class="MsoNormal"><span style=""> </span>auto=ignore</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">conn private</p>
<p class="MsoNormal"><span style=""> </span>auto=ignore</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">conn block</p>
<p class="MsoNormal"><span style=""> </span>auto=ignore</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">conn packetdefault</p>
<p class="MsoNormal"><span style=""> </span>auto=ignore</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">conn peer-<remoteIP>-tunnel-44</p>
<p class="MsoNormal"><span style="">
</span>left=<localIP></p>
<p class="MsoNormal"><span style="">
</span>right=<remoteIP></p>
<p class="MsoNormal"><span style="">
</span>leftsubnet=<a href="http://192.168.44.0/24">192.168.44.0/24</a></p>
<p class="MsoNormal"><span style="">
</span>rightsubnet=<a href="http://192.168.50.0/24">192.168.50.0/24</a></p>
<p class="MsoNormal"><span style="">
</span>ike=3des-sha1-modp1536</p>
<p class="MsoNormal"><span style="">
</span>ikelifetime=28800s</p>
<p class="MsoNormal"><span style=""> </span>aggrmode=no</p>
<p class="MsoNormal"><span style=""> </span>dpddelay=30s</p>
<p class="MsoNormal"><span style="">
</span>dpdtimeout=120s</p>
<p class="MsoNormal"><span style="">
</span>dpdaction=clear</p>
<p class="MsoNormal"><span style=""> </span>esp=3des-sha1</p>
<p class="MsoNormal"><span style=""> </span>keylife=3600s</p>
<p class="MsoNormal"><span style="">
</span>rekeymargin=540s</p>
<p class="MsoNormal"><span style=""> </span>type=tunnel</p>
<p class="MsoNormal"><span style=""> </span>pfs=yes</p>
<p class="MsoNormal"><span style=""> </span>compress=no</p>
<p class="MsoNormal"><span style=""> </span>authby=secret</p>
<p class="MsoNormal"><span style=""> </span>auto=start</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">conn peer-<remote-ip>-tunnel-441</p>
<p class="MsoNormal"><span style=""> </span>left=<local-ip></p>
<p class="MsoNormal"><span style=""> </span>right=<remote-ip></p>
<p class="MsoNormal"><span style=""> </span>leftsubnet=<a href="http://192.168.44.0/24">192.168.44.0/24</a></p>
<p class="MsoNormal"><span style="">
</span>rightsubnet=<a href="http://192.168.1.0/24">192.168.1.0/24</a></p>
<p class="MsoNormal"><span style="">
</span>ike=3des-sha1-modp1536</p>
<p class="MsoNormal"><span style="">
</span>ikelifetime=28800s</p>
<p class="MsoNormal"><span style=""> </span>aggrmode=no</p>
<p class="MsoNormal"><span style=""> </span>dpddelay=30s</p>
<p class="MsoNormal"><span style="">
</span>dpdtimeout=120s</p>
<p class="MsoNormal"><span style="">
</span>dpdaction=clear</p>
<p class="MsoNormal"><span style=""> </span>esp=3des-sha1</p>
<p class="MsoNormal"><span style=""> </span>keylife=3600s</p>
<p class="MsoNormal"><span style="">
</span>rekeymargin=540s</p>
<p class="MsoNormal"><span style=""> </span>type=tunnel</p>
<p class="MsoNormal"><span style=""> </span>pfs=yes</p>
<p class="MsoNormal"><span style=""> </span>compress=no</p>
<p class="MsoNormal"><span style=""> </span>authby=secret</p>
<p class="MsoNormal"><span style=""> </span>auto=start</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Setkey –D output</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">R1:/var/log# setkey -D</p>
<p class="MsoNormal"><local-ip> <remote-ip> </p>
<p class="MsoNormal"><span style=""> </span>esp
mode=tunnel spi=2048910691(0x7a1fe563) reqid=16389(0x00004005)</p>
<p class="MsoNormal"><span style=""> </span>E:
3des-cbc<span style=""> </span>9d7be258 3b9ff24c 7b5d6794
affdf8f4 e161eeba 8095bdbd</p>
<p class="MsoNormal"><span style=""> </span>A:
hmac-sha1<span style=""> </span>9a328e65 917521ad 4b404e3f
67b9389b d93a075b</p>
<p class="MsoNormal"><span style=""> </span>seq=0x00000000
replay=32 flags=0x00000000 state=mature </p>
<p class="MsoNormal"><span style=""> </span>created: Jun
25 15:33:23 2007<span style=""> </span>current: Jun 25
15:57:03 2007</p>
<p class="MsoNormal"><span style=""> </span>diff:
1420(s)<span style=""> </span>hard: 0(s)<span style=""> </span>soft: 0(s)</p>
<p class="MsoNormal"><span style=""> </span>last:<span style=""> </span>hard: 0(s)<span style=""> </span>soft: 0(s)</p>
<p class="MsoNormal"><span style=""> </span>current:
0(bytes)<span style=""> </span>hard: 0(bytes)<span style=""> </span>soft: 0(bytes)</p>
<p class="MsoNormal"><span style=""> </span>allocated:
0<span style=""> </span>hard: 0 soft: 0</p>
<p class="MsoNormal"><span style=""> </span>sadb_seq=1
pid=6498 refcnt=0</p>
<p class="MsoNormal"><remote-ip> <local-ip> </p>
<p class="MsoNormal"><span style=""> </span>esp
mode=tunnel spi=522862167(0x1f2a3e57) reqid=16389(0x00004005)</p>
<p class="MsoNormal"><span style=""> </span>E:
3des-cbc<span style=""> </span>c0c4e0a1 757745f6 20021b18
79ee0dd1 1db8aad8 ca5a1206</p>
<p class="MsoNormal"><span style=""> </span>A:
hmac-sha1<span style=""> </span>55d5b3e1 bd4ae006 0d573af1
ab74cb32 42447b18</p>
<p class="MsoNormal"><span style=""> </span>seq=0x00000000
replay=32 flags=0x00000000 state=mature </p>
<p class="MsoNormal"><span style=""> </span>created: Jun
25 15:33:23 2007<span style=""> </span>current: Jun 25
15:57:03 2007</p>
<p class="MsoNormal"><span style=""> </span>diff:
1420(s)<span style=""> </span>hard: 0(s)<span style=""> </span>soft: 0(s)</p>
<p class="MsoNormal"><span style=""> </span>last:<span style=""> </span>hard: 0(s)<span style=""> </span>soft: 0(s)</p>
<p class="MsoNormal"><span style=""> </span>current:
0(bytes)<span style=""> </span>hard: 0(bytes)<span style=""> </span>soft: 0(bytes)</p>
<p class="MsoNormal"><span style=""> </span>allocated:
0<span style=""> </span>hard: 0 soft: 0</p>
<p class="MsoNormal"><span style=""> </span>sadb_seq=2
pid=6498 refcnt=0</p>
<p class="MsoNormal"><local-ip> <remote-ip> </p>
<p class="MsoNormal"><span style=""> </span>esp
mode=tunnel spi=3379750229(0xc972e555) reqid=16385(0x00004001)</p>
<p class="MsoNormal"><span style=""> </span>E:
3des-cbc<span style=""> </span>3118fe5e 1adf9eaf af96692e
299df671 c28b1d06 da25ece4</p>
<p class="MsoNormal"><span style=""> </span>A:
hmac-sha1<span style=""> </span>5ae06280 cd83c245 fdbc20a5
63246d8e cf53a197</p>
<p class="MsoNormal"><span style=""> </span>seq=0x00000000
replay=32 flags=0x00000000 state=mature </p>
<p class="MsoNormal"><span style=""> </span>created: Jun
25 15:43:36 2007<span style=""> </span>current: Jun 25
15:57:03 2007</p>
<p class="MsoNormal"><span style=""> </span>diff:
807(s)<span style=""> </span>hard: 0(s)<span style=""> </span><span style=""> </span>soft: 0(s)</p>
<p class="MsoNormal"><span style=""> </span>last:<span style=""> </span>hard: 0(s)<span style=""> </span>soft: 0(s)</p>
<p class="MsoNormal"><span style=""> </span>current:
0(bytes)<span style=""> </span>hard: 0(bytes)<span style=""> </span>soft: 0(bytes)</p>
<p class="MsoNormal"><span style=""> </span>allocated:
0<span style=""> </span>hard: 0 soft: 0</p>
<p class="MsoNormal"><span style=""> </span>sadb_seq=3
pid=6498 refcnt=0</p>
<p class="MsoNormal"><remote-ip> <local-ip> </p>
<p class="MsoNormal"><span style=""> </span>esp
mode=tunnel spi=4117748431(0xf56fdacf) reqid=16385(0x00004001)</p>
<p class="MsoNormal"><span style=""> </span>E:
3des-cbc<span style=""> </span>e6e79257 b017a44a ee6b513d
a4594fd8 b4b85eb9 0f016f52</p>
<p class="MsoNormal"><span style=""> </span>A:
hmac-sha1<span style=""> </span>e6b5fd1e 4f2896a1 16293525
63516858 84755db0</p>
<p class="MsoNormal"><span style=""> </span>seq=0x00000000
replay=32 flags=0x00000000 state=mature </p>
<p class="MsoNormal"><span style=""> </span>created: Jun
25 15:43:36 2007<span style=""> </span>current: Jun 25
15:57:03 2007</p>
<p class="MsoNormal"><span style=""> </span>diff:
807(s)<span style=""> </span>hard: 0(s)<span style=""> </span>soft: 0(s)</p>
<p class="MsoNormal"><span style=""> </span>last:<span style=""> </span>hard: 0(s)<span style=""> </span>soft: 0(s)</p>
<p class="MsoNormal"><span style=""> </span>current:
0(bytes)<span style=""> </span>hard: 0(bytes)<span style=""> </span>soft: 0(bytes)</p>
<p class="MsoNormal"><span style=""> </span>allocated:
0<span style=""> </span>hard: 0 soft: 0</p>
<p class="MsoNormal"><span style=""> </span>sadb_seq=0
pid=6498 refcnt=0</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">There are also 2 masquerade rules that are supposed to
masquerade all other traffic that is not destined for the tunnel.<span style=""> </span>They seem to be working fine.<span style=""> </span>Internet traffic passes without issues.</p>
<p class="MsoNormal"> 157 8715 MASQUERADE 0 -- any eth0 <a href="http://192.168.44.0/24">192.168.44.0/24</a> !192.168.50.0/24 <br> 45 4092 MASQUERADE 0 -- any eth0 <a href="http://192.168.44.0/24">
192.168.44.0/24</a> !192.168.1.0/24 <br></p>
<p class="MsoNormal">Ping to google – </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">R1:/var/log# ping -I eth1 <a href="http://www.google.com">www.google.com</a></p>
<p class="MsoNormal">PING <a href="http://www.l.google.com">www.l.google.com</a>
(<a href="http://64.233.167.147">64.233.167.147</a>) from <a href="http://192.168.44.254">192.168.44.254</a> eth1: 56(84) bytes of data.</p>
<p class="MsoNormal">64 bytes from <a href="http://py-in-f147.google.com">py-in-f147.google.com</a> (<a href="http://64.233.167.147">64.233.167.147</a>):
icmp_seq=1 ttl=244 time=36.1 ms</p>
<p class="MsoNormal">64 bytes from <a href="http://py-in-f147.google.com">py-in-f147.google.com</a> (<a href="http://64.233.167.147">64.233.167.147</a>):
icmp_seq=2 ttl=244 time=34.0 ms</p>
<p class="MsoNormal">64 bytes from <a href="http://py-in-f147.google.com">py-in-f147.google.com</a> (<a href="http://64.233.167.147">64.233.167.147</a>):
icmp_seq=3 ttl=244 time=34.3 ms</p>
<p class="MsoNormal">64 bytes from <a href="http://py-in-f147.google.com">py-in-f147.google.com</a> (<a href="http://64.233.167.147">64.233.167.147</a>):
icmp_seq=4 ttl=244 time=37.9 ms</p>
<p class="MsoNormal">64 bytes from <a href="http://py-in-f147.google.com">py-in-f147.google.com</a> (<a href="http://64.233.167.147">64.233.167.147</a>):
icmp_seq=5 ttl=244 time=34.0 ms</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Ping to tunnel – </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">R1:/var/log# ping -I eth1 <a href="http://192.168.50.5">192.168.50.5</a><span style=""> </span></p>
<p class="MsoNormal">PING <a href="http://192.168.50.5">192.168.50.5</a>
(<a href="http://192.168.50.5">192.168.50.5</a>) from <a href="http://192.168.44.254">192.168.44.254</a> eth1: 56(84) bytes of data.</p>
<p class="MsoNormal">From <local-ip> icmp_seq=1 Destination Host
Unreachable</p>
<p class="MsoNormal">From <local-ip> icmp_seq=2 Destination Host
Unreachable</p>
<p class="MsoNormal">From <local-ip> icmp_seq=3 Destination Host
Unreachable</p>
<p class="MsoNormal">From <local-ip> icmp_seq=4 Destination Host
Unreachable</p>
<p class="MsoNormal">From <local-ip> icmp_seq=5 Destination Host
Unreachable</p>
<p class="MsoNormal">From <local-ip> icmp_seq=6 Destination Host
Unreachable</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">From the setkey –D output, it appears that no packets are
entering the tunnel.<span style=""> </span>At times,
restarting ipsec resolves the issue and everything works fine.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Config on the other end:</p>
<p class="MsoNormal"> </p>
<span style="font-size: 12pt; font-family: "Times New Roman"; color: rgb(102, 102, 102);">conn peer-tunnel-44<br>
<br>
authby=secret<br>
<br>
ike=3des-sha1-96<br>
<br>
ikelifetime=28800s<br>
<br>
esp=3des-sha1-96<br>
<br>
keylife=3600s<br>
<br>
rekeymargin=540s<br>
<br>
type=tunnel<br>
<br>
right=<a href="http://0.0.0.0">0.0.0.0</a> <br>
rightsubnet=<a href="http://192.168.44.0/24">192.168.44.0/24</a><br>
<br>
rightnexthop=%direct<br>
<br>
left=<local-IP> <br>
leftsubnet=<a href="http://192.168.50.0/24">192.168.50.0/24</a> <br>
<br>
leftnexthop=%direct<br>
<br>
auto=add<br>
<br>
<br>
<br>
conn peer-tunnel-441<br>
<br>
authby=secret<br>
<br>
ike=3des-sha1-96<br>
<br>
ikelifetime=28800s<br>
<br>
esp=3des-sha1-96<br>
<br>
keylife=3600s<br>
<br>
rekeymargin=540s<br>
<br>
type=tunnel<br>
<br>
right=<a href="http://0.0.0.0">0.0.0.0</a> <br>
rightsubnet=<a href="http://192.168.44.0/24">192.168.44.0/24</a><br>
<br>
rightnexthop=%direct<br>
<br>
left=<local-ip><br>
leftsubnet=<a href="http://192.168.1.0/24">192.168.1.0/24</a> <br>
<br>
leftnexthop=%direct<br>
<br>
auto=add<br><br>Thank you so much for any suggestions you may have regarding this issue.<br><br>-Robyn<br style="">
<br style="">
</span>