[Openswan Users] Traffic not passing through established tunnels.

Sridhar Srinivasan ssridhar at barracuda.com
Tue Apr 7 09:53:32 EDT 2009


Hi Paul,
Paul Wouters wrote:
> On Fri, 3 Apr 2009, Sridhar Srinivasan wrote:
>
>> I created site-to-site vpn using openswan 2.6.21 with netkey on two gateways.
>> There were multiple subnets on both ends and one connection for every subnet
>> pair. With around 30 connections between the same pair of gateways, some
>> tunnels were not getting established. They were stuck in QUICK_I1/QUICK_R1
>> state.
>
> That's not good. Did you have these problems with older versions too? Or is
> this a new deployment?
Yes, I had tried with openswan 2.6.19 and 2.6.20. Even in these versions I faced
similar problems.
>
>> So I was periodically checking the tunnels that were not established and
>> bringing them up (asynchronous) through a script. Now I see that all the
>> tunnels are getting established. But there are some tunnels on which the
>> traffic is not passing when I try to ping.
>>
>> The esp packet corresponding to ping is
>> 06:54:51.759350 IP 104.1.1.1 > 101.1.1.1: ESP(spi=0x8eaac093,seq=0x3b),
>
> Your cure might have caused this problem. The ip xfrm output looked okay
> though. But you'd have to check the state of the tunnel on the other endpoint
> too. It might not agree with this one.
>
On the local endpoint:

ipsec auto --status shows

000 #779: "VPN_RH2-172.19.0.0-10.29.0.0":500 STATE_QUICK_R2 (IPsec SA 
established); EVENT_SA_REPLACE in 28014s; newest IPSEC; eroute owner; 
isakmp#621; idle; import:admin initiate
000 #779: "VPN_RH2-172.19.0.0-10.29.0.0" esp.a775caf0 at 101.1.1.1 
esp.99beb28 at 104.1.1.1 tun.0 at 101.1.1.1 tun.0 at 104.1.1.1 ref=0 
refhim=4294901761

ip xfrm policy shows

src 172.19.0.0/16 dst 10.29.0.0/16
        dir out priority 2608 ptype main
        tmpl src 104.1.1.1 dst 101.1.1.1
                proto esp reqid 16781 mode tunnel

ip xfrm state shows

src 104.1.1.1 dst 101.1.1.1
        proto esp spi 0x8eaac093 reqid 16781 mode tunnel
        replay-window 32
        auth hmac(sha1) 0xb70a170fc3cb655b1e1a0525fefd95beeda4dd68
        enc cbc(des3_ede) 0x3e612b0a0b799bd3fc581da8e41987fb637973736f759c2d
        sel src 0.0.0.0/0 dst 0.0.0.0/0


The spi seems to be different from the phase 2 SAs.

Thanks,
-Sridhar.
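The check made by hand above (SPIs that pluto reports in `ipsec auto --status` against SPIs the kernel actually holds in `ip xfrm state`) can be scripted so it covers all 30 connections at once. The following is an added example, not code from the poster or from the Openswan project. It assumes the two output formats exactly as quoted in this message; the sample inputs below are constructed from those quoted lines, and the parser accepts both the real `esp.XXXX@IP` form and the ` at ` form the list archive substitutes for `@`.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "ipsec auto --status" lines quoted above.
STATUS_SAMPLE = """\
000 #779: "VPN_RH2-172.19.0.0-10.29.0.0":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28014s; newest IPSEC; eroute owner; isakmp#621; idle; import:admin initiate
000 #779: "VPN_RH2-172.19.0.0-10.29.0.0" esp.a775caf0 at 101.1.1.1 esp.99beb28 at 104.1.1.1 tun.0 at 101.1.1.1 tun.0 at 104.1.1.1 ref=0 refhim=4294901761
"""

# Constructed sample, modelled on the "ip xfrm state" block quoted above.
XFRM_SAMPLE = """\
src 104.1.1.1 dst 101.1.1.1
        proto esp spi 0x8eaac093 reqid 16781 mode tunnel
        replay-window 32
        auth hmac(sha1) 0xb70a170fc3cb655b1e1a0525fefd95beeda4dd68
        enc cbc(des3_ede) 0x3e612b0a0b799bd3fc581da8e41987fb637973736f759c2d
        sel src 0.0.0.0/0 dst 0.0.0.0/0
"""

# "esp.<hex>@<ip>" as pluto prints it, or "esp.<hex> at <ip>" as the archive shows it
PLUTO_ESP = re.compile(r"esp\.([0-9a-f]+)(?:@| at )(\d{1,3}(?:\.\d{1,3}){3})")
XFRM_HEAD = re.compile(r"^src (\S+) dst (\S+)")
XFRM_SPI = re.compile(r"^proto esp spi (0x[0-9a-f]+)")


def pluto_spis(status_text):
    """Map destination address -> set of ESP SPIs pluto believes are installed.

    SPIs are kept as integers because pluto drops leading zeros (esp.99beb28
    is SPI 0x099beb28 in kernel notation).
    """
    found = defaultdict(set)
    for spi_hex, dst in PLUTO_ESP.findall(status_text):
        found[dst].add(int(spi_hex, 16))
    return dict(found)


def xfrm_spis(xfrm_text):
    """Map destination address -> set of ESP SPIs actually present in the kernel."""
    found = defaultdict(set)
    dst = None
    for raw in xfrm_text.splitlines():
        line = raw.strip()
        head = XFRM_HEAD.match(line)  # unindented "src A dst B" opens a new SA
        if head:
            dst = head.group(2)
            continue
        spi = XFRM_SPI.match(line)  # only ESP SAs; "sel src ..." lines do not match
        if spi and dst is not None:
            found[dst].add(int(spi.group(1), 16))
    return dict(found)


def spi_mismatches(status_text, xfrm_text):
    """Return SPIs pluto reports but the kernel lacks, and kernel SPIs pluto does not report.

    Either list being non-empty means the two views of the tunnel disagree, which
    is exactly the symptom in this thread: the SA shows as established, yet the
    ESP on the wire carries an SPI the other side never negotiated.
    """
    pluto = pluto_spis(status_text)
    kernel = xfrm_spis(xfrm_text)
    dsts = set(pluto) | set(kernel)
    missing_in_kernel = sorted(
        (d, s) for d in dsts for s in pluto.get(d, set()) - kernel.get(d, set())
    )
    unknown_to_pluto = sorted(
        (d, s) for d in dsts for s in kernel.get(d, set()) - pluto.get(d, set())
    )
    return {"missing_in_kernel": missing_in_kernel, "unknown_to_pluto": unknown_to_pluto}


if __name__ == "__main__":
    # On a live gateway, feed the real command outputs instead of the samples, e.g.
    #   spi_mismatches(open("status.txt").read(), open("xfrm.txt").read())
    report = spi_mismatches(STATUS_SAMPLE, XFRM_SAMPLE)
    for kind, entries in report.items():
        for dst, spi in entries:
            print(f"{kind}: dst {dst} spi 0x{spi:08x}")
```

Run on both endpoints and compare the reports: an SPI that pluto lists but the kernel lacks on one side, or a kernel SPI pluto never negotiated, points at the state that the periodic re-initiation script left behind rather than at a routing or firewall problem.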
