<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello,<br>
I have changed the configuration as below; the loss still
appears from time to time and disappears after an ipsec restart. Can
anyone help? Might there be a problem with NETKEY and IP routes?
There isn't anything suspicious in /var/log/secure.<br>
<br>
version 2.0 <br>
<br>
config setup<br>
protostack=netkey<br>
virtual_private=%v4:10.122.0.0/16<br>
nhelpers=0<br>
<br>
conn HOST1HOST2<br>
dpdaction=restart_by_peer<br>
dpdtimeout=60<br>
dpddelay=10<br>
<br>
left=<HOST1_public_ip><br>
leftsourceip=10.122.7.1<br>
leftsubnets={10.122.7.1/32}<br>
leftid=@HOST1<br>
<br>
leftnexthop=%defaultroute<br>
right=<HOST2_public_ip><br>
rightsourceip=10.122.4.2<br>
rightsubnets={10.122.4.0/24}<br>
rightid=@HOST2<br>
rightnexthop=%defaultroute<br>
<br>
auto=start<br>
authby=secret<br>
type=tunnel<br>
<br>
HOST1 has two interfaces, one with the public IP and the other
with 10.122.7.1 netmask 255.255.255.255<br>
HOST2 has two interfaces, one with the public IP and the other
with 10.122.4.2 netmask 255.255.255.0<br>
<br>
net.ipv4.ip_forward = 1 on both machines. <br>
<br>
Both machines run CentOS 6.4 ( 2.6.32-358.18.1.el6.x86_64 )<br>
<br>
Best regards,<br>
Cristi<br>
<br>
<br>
On 09/04/2014 12:15, Cristian Petrescu wrote:<br>
</div>
<blockquote cite="mid:53450FA2.2030002@telemaxvoice.ro" type="cite">
<div class="moz-cite-prefix">Hello Nick,<br>
Thank you for your answer. I have to keep the private IP on
both hosts. Considering what you've told me, I will eliminate
lo:0 and assign the 10.122.1.1 IP to a free network card on
HOST2. I will also add left/rightsourceip. I will have to wait a
few days to see if this has solved the issue.<br>
<br>
Best regards,<br>
Cristian<br>
On 09/04/2014 11:37, Nick Howitt wrote:<br>
</div>
<blockquote
cite="mid:40ab88cf44fed208118b31d9d938aba1@poweredbyclear.com"
type="cite">
<p>Rather than your "subnets" set-up, have you considered doing a
more usual simple left/rightsubnet and adding a
left/rightsourceip (probably 10.22.1.1 and 10.122.3.2), then
removing the HOST1 assignment to lo:0?</p>
<p>Nick</p>
<p>On 2014-04-09 09:15, Cristian Petrescu wrote:</p>
<blockquote type="cite" style="padding-left:5px;
border-left:#1010ff 2px solid; margin-left:5px">
<pre>Dear Users,
I've been using OpenSwan on CentOS 6.4 ( 2.6.32-358.2.1.el6.x86_64 ) for some time. It works well, but from time to time we start experiencing around 2-3% loss on the connection. If we restart both openswan ends the loss goes away; I wasn't able to determine when and why the loss occurs. I've checked /var/log/secure and there isn't anything happening out of the normal. I've had problems in the past with ksoftirqd reaching 100%, but after setting /proc/sys/net/ipv4/xfrm4_gc_thresh to 100 and installing irqbalance that ksoftirqd problem was solved. Please help me solve this issue; below is the configuration:
HOST2:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
protostack=netkey
virtual_private=%v4:10.122.0.0/16
oe=off
nhelpers=0
conn host1host2
dpdaction=restart_by_peer
dpdtimeout=60
dpddelay=10
left=<host2 public ip>
leftsubnets={10.122.1.1/32,<host2 public ip>/32}
leftid=@host2
leftnexthop=%defaultroute
right=<host1 public ip>
rightsubnets={10.122.3.0/24,<host1 public ip>/32}
rightid=@host1
rightnexthop=%defaultroute
auto=start
authby=secret
type=tunnel
On HOST2, 10.122.1.1 is assigned to lo:0
On HOST1, 10.122.3.2 is assigned to a network interface that is gateway for the equipments in that network in order to reach 10.122.1.1
HOST2 and HOST1 have the same ipsec.conf configuration.
Best regards,
Cristi
_______________________________________________
<a moz-do-not-send="true" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<a moz-do-not-send="true" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a moz-do-not-send="true" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a moz-do-not-send="true" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
</blockquote>
<br>
</blockquote>
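<p>As an added diagnostic example (not from this thread, and not Openswan's own code), the Python script below derives the XFRM policy selectors that a conn in the style above should install, one 'out' and one 'in' policy per left/right subnet pair, and compares them against constructed <code>ip xfrm policy</code> output. The public IPs are placeholders, and the sample output deliberately lacks the 'in' policy so that the script flags it; this is the kind of kernel-state check worth running when the loss appears, before restarting ipsec.</p>

```python
import re
from itertools import product
# Constructed conn block in the style of the thread (placeholder public IPs).
IPSEC_CONF = """\
conn HOST1HOST2
    left=203.0.113.1
    leftsubnets={10.122.7.1/32}
    right=198.51.100.2
    rightsubnets={10.122.4.0/24}
"""
# Constructed 'ip xfrm policy' output: the 'in' policy for the pair is missing,
# the kind of stale kernel state that an ipsec restart replaces.
XFRM_POLICY = """\
src 10.122.7.1/32 dst 10.122.4.0/24
        dir out priority 2344 ptype main
        tmpl src 203.0.113.1 dst 198.51.100.2
src 10.122.4.0/24 dst 10.122.7.1/32
        dir fwd priority 2344 ptype main
        tmpl src 198.51.100.2 dst 203.0.113.1
"""

def parse_subnets(conf, key):
    """Subnets of key=... or keys={a,b}; a bare value gives a one-item list."""
    m = re.search(rf"^\s*{key}s?=\{{?([^}}\n]+)\}}?\s*$", conf, re.M)
    return [s.strip() for s in m.group(1).split(",") if s.strip()] if m else []

def expected_policies(conf):
    """Selectors NETKEY must hold: 'out' left->right, 'in' right->left, per pair."""
    want = set()
    for l, r in product(parse_subnets(conf, "leftsubnet"),
                        parse_subnets(conf, "rightsubnet")):
        want.add((l, r, "out"))
        want.add((r, l, "in"))
    return want

def installed_policies(xfrm_output):
    """(src, dst, dir) from each 'src X dst Y' line and the 'dir' line after it;
    'tmpl src ...' lines do not start with 'src' and are skipped."""
    found, cur = set(), None
    for line in xfrm_output.splitlines():
        m = re.match(r"\s*src (\S+) dst (\S+)", line)
        if m:
            cur = (m.group(1), m.group(2))
            continue
        m = re.match(r"\s*dir (\w+)", line)
        if m and cur:
            found.add((cur[0], cur[1], m.group(1)))
    return found

def missing_policies(conf, xfrm_output):
    """Expected selectors with no matching kernel policy, sorted for display."""
    return sorted(expected_policies(conf) - installed_policies(xfrm_output))
```

On a live host, feed the real `ip xfrm policy` output and the conn block from /etc/ipsec.conf to `missing_policies`; an empty result means every subnet pair still has its policies.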
<br>
</body>
</html>