[Openswan Users] Tunnel hangs
Greg Scott
GregScott at Infrasupport.com
Mon Nov 14 13:13:50 EST 2011
OK . . . Now to work the original problem first posted on 11/2. That tunnel has gone offline at least twice that I know of since then. Plus I have other tunnels running various versions that continue to go offline and the only cure seems to be stop and restart Openswan.
> You should first upgrade that openswan 2.6.19 release. If the problem remains, then let's have a look.
I'm kind of afraid of that, although I have the hardware here to do so. I have a 2.6.29 tunnel at another customer that fails similarly. There was also another one with a third customer - I forget what version - 2.6.27 or 28 maybe? That 2.6.19 one here has been rock solid with several branch sites running different versions until the hang the other night with the 2.6.36 site.
> do you have dynamic tunnels or OE configured?
No. I'll paste in the complete config files from both sites below. The relevant tunnel is Superior-Everywhere. Public IP Addresses obfuscated and RSA keys truncated. First the right side - here are all definitions for all tunnels to/from the central site.
[root at lme-fw2 ipsec.d]# more hq-ipsec.conf
# /etc/ipsec.d/hq-ipsec.conf - IPsec configuration file.
# The HOME (HQ) office is always on the right. ("Make yerself RIGHT at home!",
# while the other branch sites have LEFT home.)
#
# Openswan bundled with fc5 - see the include directive from /etc/ipsec.conf.
#
# Here are some useful commands:
#
# ipsec newhostkey --output /etc/ipsec.d/hostkey.secrets --verbose \
#     --hostname Janesville-fw
# Generates a new hostkey into the specified file with hostname "Janesville-fw".
# Note that this command uses a random number generator, /dev/random. See
# http://gentoo-wiki.com/HOWTO_OpenSwan_2.6_kernel for a detailed discussion.
# The /dev/random needs system activity from various drivers to generate a random
# stream of numbers. Without activity, the above command will block forever.
# One easy way to generate activity - start a new window, do "find /". This will
# generate lots of output and create the entropy that /dev/random needs.
# /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --right
# /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --left
#
# /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --right > rightkey.txt
# Show this host's public key in a format suitable to insert into
# ipsec.conf. This host can be either the left or right key.
#
# /usr/sbin/ipsec auto --down london-farout
# Brings down the tunnel named london-farout
#
# /usr/sbin/ipsec auto --up london-farout
# Brings up the tunnel named london-farout
#
# /usr/local/sbin/ipsec look
# To observe all kinds of stuff about the IPSEC tunnels
#
# /usr/local/sbin/ipsec showhostkey > junk.tmp
# Generates a DNS key record into the file junk.tmp for later
# insertion into a DNS zone file
#
# These were some equivalent commands under prior versions of Open S/WAN
# /usr/sbin/ipsec showhostkey --left
# /usr/sbin/ipsec showhostkey --right
# /usr/sbin/ipsec showhostkey --left > junk.tmp
#
##version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
conn Columbia-Everywhere
        type=tunnel
        #
        # Left security gateway, subnet behind it, next hop toward right.
        #
        also=columbia
        #
        # Right security gateway, subnet behind it, next hop toward left.
        #
        also=hq
        rightupdown=/etc/ipsec.d/hq-updown.sh
        auto=start
conn DR-Everywhere
        type=tunnel
        #
        # Left security gateway, subnet behind it, next hop toward right.
        #
        also=DR
        leftupdown=/etc/ipsec.d/DR-updown.sh
        #
        # Right security gateway, subnet behind it, next hop toward left.
        #
        also=hq
        auto=start
conn EauClaire-Everywhere
        type=tunnel
        #
        # Left security gateway, subnet behind it, next hop toward right.
        #
        also=eauclaire
        leftupdown=/etc/ipsec.d/eauclaire-updown.sh
        #
        # Right security gateway, subnet behind it, next hop toward left.
        #
        also=hq
        auto=start
conn Superior-Everywhere
        type=tunnel
        #
        # Left security gateway, subnet behind it, next hop toward right.
        #
        also=superior
        leftupdown=/etc/ipsec.d/superior-updown.sh
        #
        # Right security gateway, subnet behind it, next hop toward left.
        #
        also=hq
        auto=start
include /etc/ipsec.d/sites.conf
[root at lme-fw2 ipsec.d]#
Here is the left side:
[root at Superior-fw ipsec.d]# more superior-ipsec.conf
# /etc/ipsec.d/superior-ipsec.conf - IPsec configuration file for LME Superior
# The HOME (HQ) office is always on the right. ("Make yerself RIGHT at home!",
# while the other branch sites have LEFT home.)
#
# Openswan bundled with fc5 - see the include directive from /etc/ipsec.conf.
#
# Here are some useful commands:
#
# /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --right
# /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --left
#
# /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --right > rightkey.txt
# Show this host's public key in a format suitable to insert into
# ipsec.conf. This host can be either the left or right key.
#
# /usr/sbin/ipsec auto --down london-farout
# Brings down the tunnel named london-farout
#
# /usr/sbin/ipsec auto --up london-farout
# Brings up the tunnel named london-farout
#
# /usr/local/sbin/ipsec look
# To observe all kinds of stuff about the IPSEC tunnels
#
# /usr/local/sbin/ipsec showhostkey > junk.tmp
# Generates a DNS key record into the file junk.tmp for later
# insertion into a DNS zone file
#
# These were some equivalent commands under prior versions of Open S/WAN
# /usr/sbin/ipsec showhostkey --left
# /usr/sbin/ipsec showhostkey --right
# /usr/sbin/ipsec showhostkey --left > junk.tmp
#
##version 2.0 # conforms to second version of ipsec.conf specification
# Commented out because version is declared in ipsec.conf
# basic configuration
conn Superior-Everywhere
        type=tunnel
        #
        # Left security gateway, subnet behind it, next hop toward right.
        #
        also=superior
        leftupdown=/etc/ipsec.d/superior-updown.sh
        #
        # Right security gateway, subnet behind it, next hop toward left.
        #
        also=hq
        auto=start
include /etc/ipsec.d/sites.conf
[root at Superior-fw ipsec.d]#
I put a copy of my sites.conf at all sites. This way, I can do branch to branch tunnels if I ever need one. Here it is:
[root at lme-fw2 ipsec.d]# more sites.conf
# /etc/ipsec.d/sites.conf - IPsec configuration file describing each site.
# The home office is always on the right. ("Make yerself RIGHT at home!",
# while the other branch sites have LEFT home.)
#
# Openswan bundled with fc5 - see the include directive from /etc/ipsec.conf.
#
# Here are some useful commands:
#
# ipsec newhostkey --output /etc/ipsec.d/hostkey.secrets --verbose \
#     --hostname Janesville-fw
# Generates a new hostkey into the specified file with hostname "Janesville-fw".
# Note that this command uses a random number generator, /dev/random. See
# http://gentoo-wiki.com/HOWTO_OpenSwan_2.6_kernel for a detailed discussion.
# The /dev/random needs system activity from various drivers to generate a random
# stream of numbers. Without activity, the above command will block forever.
# One easy way to generate activity - start a new window, do "find /". This will
# generate lots of output and create the entropy that /dev/random needs.
#
# /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --right
# /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --left
#
# /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --right > rightkey.txt
# Show this host's public key in a format suitable to insert into
# ipsec.conf. This host can be either the left or right key.
#
# /usr/sbin/ipsec auto --down london-farout
# Brings down the tunnel named london-farout
#
# /usr/sbin/ipsec auto --up london-farout
# Brings up the tunnel named london-farout
#
# /usr/local/sbin/ipsec look
# To observe all kinds of stuff about the IPSEC tunnels
#
# /usr/local/sbin/ipsec showhostkey > junk.tmp
# Generates a DNS key record into the file junk.tmp for later
# insertion into a DNS zone file
#
# These were some equivalent commands under prior versions of Open S/WAN
# /usr/sbin/ipsec showhostkey --left
# /usr/sbin/ipsec showhostkey --right
# /usr/sbin/ipsec showhostkey --left > junk.tmp
#
##version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
conn hq
        right=1.2.248.50
        rightnexthop=1.2.248.49
        rightsubnet=192.168.0.0/16
        rightsourceip=192.168.3.5
        rightid=@hq.local
        # RSA 2192 bits hq.lme.local Wed Jul 19 21:09:32 2006
        rightrsasigkey=...
conn columbia
        left=6.7.61.191
        leftnexthop=6.7.61.129
        leftsubnet=172.21.10.0/24
        leftsourceip=172.21.10.1
        leftid=@columbia.local
        # RSA 2192 bits columbia.lme.local Thu Feb 22 06:46:43 2007
        leftrsasigkey=0sAQOAZ4V...
conn DR
        left=3.1.123.217
        leftnexthop=173.160.123.218
        leftsubnet=172.21.99.0/24
        leftsourceip=172.21.99.100
        leftid=@dr.local
        # rsakey AQPLd3j2f
        leftrsasigkey=0sAQPLd3j2...
conn eauclaire
        left=6.1.82.82
        leftnexthop=6.1.82.81
        leftsubnet=172.21.11.0/24
        leftsourceip=172.21.11.100
        leftid=@eauclaire.local
        # rsakey AQO+9c8a4
        leftrsasigkey=0sAQO...
conn superior
        left=2.7.22.228
        leftnexthop=2.7.22.1
        leftsubnet=172.21.5.0/24
        leftsourceip=172.21.5.100
        leftid=@superior.local
        # rsakey AQNl6eslo
        leftrsasigkey=0sAQNl6eslocF...
[root at lme-fw2 ipsec.d]#
The updown script is just a little hack I use to shorten the MTU and make my default source IP the LAN side.
[root at Superior-fw ipsec.d]# more superior-updown.sh
#!/bin/sh
# Wrapper around Openswan's stock _updown: run the stock script with every
# argument pluto handed us, then apply the local tweaks below.
LOCALNET=172.21.5.0/24
/usr/local/lib/ipsec/_updown "$@"
if [ "$PLUTO_VERB" = "route-host" ] || [ "$PLUTO_VERB" = "route-client" ]; then
        # xfrm policies with no IPsec template for LAN-to-LAN traffic,
        # i.e. traffic between local hosts is passed in the clear.
        for dir in in out; do
                ip xfrm policy update dir $dir src $LOCALNET dst $LOCALNET
        done
fi
# Route to the HQ networks with the LAN address as source and an MTU shortened
# to 1400 to leave room for the ESP overhead. Runs for every verb, and
# "ip route change" fails if the route does not already exist.
/sbin/ip route change 192.168.0.0/16 dev em1 src 172.21.5.100 mtu 1400
[root at Superior-fw ipsec.d]#
- Greg
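The layout above, with per-site address blocks in sites.conf composed into tunnel conns through also=, is easy to get subtly wrong once a copy lives at every branch. The following checker is an added example, not Greg's code and not part of Openswan: it flattens also= chains and reports keys assigned twice with different values, required keys that never get set, overlapping left/right subnets, and a sourceip outside its own subnet. The sample input is constructed, and the REQUIRED key set is an assumption of this example.

```python
import ipaddress

# Constructed sample (not the list poster's data) in the page's layout: site blocks carry addresses, a tunnel block composes them with also=.
SAMPLE = """\
conn hq
    right=192.0.2.50
    rightsubnet=10.0.0.0/16
conn superior
    left=198.51.100.228
    leftsubnet=172.21.5.0/24
    leftsourceip=172.21.5.100
conn Superior-Everywhere
    also=superior
    also=hq
"""
REQUIRED = ("left", "right", "leftsubnet", "rightsubnet")

def parse_conns(text):
    """Return {conn name: [(key, value), ...]}; '#' comments are dropped."""
    conns, cur = {}, None
    for line in (l.split("#", 1)[0].rstrip() for l in text.splitlines()):
        if line[:1].isspace() and cur is not None and "=" in line:   # parameter
            k, v = line.strip().split("=", 1)
            cur.append((k.strip(), v.strip()))
        elif line:                                  # section header or include
            cur = conns.setdefault(line.split()[1], []) if line.startswith("conn ") else None
    return conns

def resolve(conns, name):
    """Flatten also= chains; keys set twice with different values go to '_conflicts'."""
    out = {"_conflicts": []}
    for k, v in conns[name]:
        sub = resolve(conns, v) if k == "also" else {k: v, "_conflicts": []}
        out["_conflicts"] += sub.pop("_conflicts")
        out["_conflicts"] += [a for a, b in sub.items() if out.setdefault(a, b) != b]
    return out

def check(conn):
    """List problems in a resolved conn; an empty list means it looks sane."""
    problems = ["conflicting " + k for k in conn.get("_conflicts", [])]
    problems += [k + " missing" for k in REQUIRED if k not in conn]
    if problems:
        return problems
    nets = {s: ipaddress.ip_network(conn[s + "subnet"]) for s in ("left", "right")}
    if nets["left"].overlaps(nets["right"]):
        problems.append("leftsubnet and rightsubnet overlap")
    for side, net in nets.items():                  # sourceip must lie inside the subnet
        sip = conn.get(side + "sourceip")
        if sip and ipaddress.ip_address(sip) not in net:
            problems.append(side + "sourceip outside " + side + "subnet")
    return problems
```

Run it over the concatenation of the per-host file and sites.conf on each gateway and compare the resolved tunnel conns from both ends: the pair should agree on every address parameter.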
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Thursday, November 03, 2011 8:36 AM
To: Greg Scott
Cc: users at openswan.org
Subject: Re: [Openswan Users] Tunnel hangs
On Wed, 2 Nov 2011, Greg Scott wrote:
> I have a couple of tunnels that continue to hang. Here are details on one that gave me trouble today. The right side is a central site running U2.6.19 on Fedora 9. The left side is remote, running U2.6.36 on Fedora 15. This tunnel went offline today for no apparent
> reason. The name of the tunnel with the problem is Superior-Everywhere. Here is an extract from /var/log/secure on the left side. The right side includes a few other tunnels and all of those are fine. It’s only the newer ipsec versions that give me trouble.
You should first upgrade that openswan 2.6.19 release. If the problem remains, then let's have a look.
The "initiate" messages are a little worrying, do you have dynamic tunnels or OE configured?
The netlink add_sa failure is also not good, but netkey does not really give you any debug
info, so it is hard to say what's going on there.
Paul