[Openswan Users] Established Tunnel Not Passing Traffic

Dave Ariens dave at ariens.ca
Thu Jun 27 18:04:39 UTC 2013


So far so good.  After applying the rekeys=yes to the connections, I
restarted (systemctl restart openswan) yet the problem seemed to recur
twice.  I then performed an ipsec auto --delete vps1/2 respectively, then
an add, then a restart--and it's been fine since.  Looking into the systemd
scripts, it looks like a restart is a stop then a start (ipsec _realsetup
then stop ipsec _realsetup start).

Could there be any artifacts of the previously established tunnel around
_somehow_?   There's lots I don't understand about IPsec but can you
enlighten me about what's going on?


On Thu, Jun 27, 2013 at 11:35 AM, <dave at ariens.ca> wrote:

> I will give that a shot. When I read up on it I understood that it was
> defaulted to 'yes'.
>
> Thanks
>
> www.ariens.ca
> From: Giovanni Carbone
> Sent: Thursday, June 27, 2013 11:20 AM
> To: Dave Ariens; users at lists.openswan.org
> Subject: RE: [Openswan Users] Established Tunnel Not Passing Traffic
>
> Try adding “rekey=yes” in the conn(s).
>
> Example:
>
> conn vps1
>     authby=secret
>     left=173.254.195.244
>     leftsourceip=192.168.200.10
>     leftsubnet=192.168.200.10/32
>     right=64.237.39.24
>     rightsubnet=192.168.100.10/32
>     auto=start
>     rekey=yes
>
> From: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] On Behalf Of Dave Ariens
> Sent: Thursday, June 27, 2013 4:26 PM
> To: users at lists.openswan.org
> Subject: [Openswan Users] Established Tunnel Not Passing Traffic
>
> Hey there guys (first time posting),
>
> I have two servers (VPS) one on the US east coast, another on US west
> coast.  They both have an IPsec tunnel to my Juniper SRX firewall (on my
> home network in Ontario, Canada).  This tunnel is rock solid and I never
> have any issues with it.
>
> I'm trying to configure an OpenSwan IPsec tunnel between the two VMs. It's
> up and running and I can ping through the tunnel, but some time afterwards
> traffic is unable to pass (the tunnel remains established).
>
> This is really just a plain vanilla OpenSwan to OpenSwan implementation,
> below are some config details, and some logs.
>
> Can anyone help me identify why the tunnel stops passing traffic after
> some time (< 15 minutes)? I know the traffic stopped shortly after midnight
> this morning (see logs below).
>
> [ariens at vps1 ~]$ pacman -Qs openswan
> local/openswan 2.6.38-1
>     Open Source implementation of IPsec for the Linux operating system
>
> VPS2:/etc/ipsec.conf
>
> version 2.0
>
> config setup
>     dumpdir=/var/run/pluto/
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:!192.168.200.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>     oe=off
>     protostack=netkey
>
> conn home.ariens.ca
>     authby=secret
>     left=173.254.195.244
>     leftsourceip=192.168.200.10
>     leftsubnet=0/0
>     right=216.58.86.104
>     rightsubnet=10.0.0.0/8
>     auto=start
>
> conn vps1
>     authby=secret
>     left=173.254.195.244
>     leftsourceip=192.168.200.10
>     leftsubnet=192.168.200.10/32
>     right=64.237.39.24
>     rightsubnet=192.168.100.10/32
>     auto=start
>
> VPS1:/etc/ipsec.conf
>
> version 2.0
>
> config setup
>     dumpdir=/var/run/pluto/
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:!192.168.100.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>     oe=off
>     protostack=netkey
>
> conn home.ariens.ca
>     authby=secret
>     left=64.237.39.24
>     leftsourceip=192.168.100.10
>     leftsubnet=0/0
>     right=216.58.86.104
>     rightsubnet=10.0.0.0/8
>     auto=start
>
> conn vps2
>     authby=secret
>     left=64.237.39.24
>     leftsourceip=192.168.100.10
>     leftsubnet=192.168.100.10/32
>     right=173.254.195.244
>     rightsubnet=192.168.200.10/32
>     auto=start
>
> Logs from VPS1:
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload [Openswan (this version)
> 2.6.38 ]
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload [RFC 3947] method set
> to=115
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: responding to
> Main Mode
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition
> from state STATE_MAIN_R0 to state STATE_MAIN_R1
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17:
> STATE_MAIN_R1: sent MR1, expecting MI2
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
> detected
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition
> from state STATE_MAIN_R1 to state STATE_MAIN_R2
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17:
> STATE_MAIN_R2: sent MR2, expecting MI3
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: Main mode
> peer ID is ID_IPV4_ADDR: '173.254.195.244'
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition
> from state STATE_MAIN_R2 to state STATE_MAIN_R3
>
> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_128 prf=oakley_sha group=modp2048}
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received
> Vendor ID payload [Openswan (this version) 2.6.38 ]
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received
> Vendor ID payload [Dead Peer Detection]
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received
> Vendor ID payload [RFC 3947] method set to=115
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: enabling
> possible NAT-traversal with method RFC 3947 (NAT-Traversal)
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition
> from state STATE_MAIN_I1 to state STATE_MAIN_I2
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16:
> STATE_MAIN_I2: sent MI2, expecting MR2
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
> detected
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition
> from state STATE_MAIN_I2 to state STATE_MAIN_I3
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16:
> STATE_MAIN_I3: sent MI3, expecting MR3
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received
> Vendor ID payload [CAN-IKEv2]
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: Main mode
> peer ID is ID_IPV4_ADDR: '173.254.195.244'
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition
> from state STATE_MAIN_I3 to state STATE_MAIN_I4
>
> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16:
> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_128 prf=oakley_sha group=modp2048}
>
> Jun 27 00:09:01 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: Informational Exchange is for an unknown (expired?)
> SA with MSGID:0xf86c4eb8
>
> Jun 27 00:09:19 vps1.layerzero.ca pluto[28819]: "vps2" #13: received
> Delete SA payload: deleting ISAKMP State #13
>
> Jun 27 00:09:19 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received and ignored informational message
>
> Jun 27 00:48:54 vps1.layerzero.ca pluto[28819]: "vps2" #19: initiating
> Main Mode to replace #16
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload [Openswan (this version)
> 2.6.38 ]
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload [RFC 3947] method set
> to=115
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: responding to
> Main Mode
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition
> from state STATE_MAIN_R0 to state STATE_MAIN_R1
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20:
> STATE_MAIN_R1: sent MR1, expecting MI2
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
> detected
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition
> from state STATE_MAIN_R1 to state STATE_MAIN_R2
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20:
> STATE_MAIN_R2: sent MR2, expecting MI3
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: Main mode
> peer ID is ID_IPV4_ADDR: '173.254.195.244'
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition
> from state STATE_MAIN_R2 to state STATE_MAIN_R3
>
> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_128 prf=oakley_sha group=modp2048}
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received
> Vendor ID payload [Openswan (this version) 2.6.38 ]
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received
> Vendor ID payload [Dead Peer Detection]
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received
> Vendor ID payload [RFC 3947] method set to=115
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: enabling
> possible NAT-traversal with method RFC 3947 (NAT-Traversal)
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition
> from state STATE_MAIN_I1 to state STATE_MAIN_I2
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19:
> STATE_MAIN_I2: sent MI2, expecting MR2
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
> detected
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition
> from state STATE_MAIN_I2 to state STATE_MAIN_I3
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19:
> STATE_MAIN_I3: sent MI3, expecting MR3
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received
> Vendor ID payload [CAN-IKEv2]
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: Main mode
> peer ID is ID_IPV4_ADDR: '173.254.195.244'
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition
> from state STATE_MAIN_I3 to state STATE_MAIN_I4
>
> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19:
> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_128 prf=oakley_sha group=modp2048}
>
> Jun 27 01:04:49 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: Informational Exchange is for an unknown (expired?)
> SA with MSGID:0x4a2e1ab1
>
> Jun 27 01:05:27 vps1.layerzero.ca pluto[28819]: packet from
> 173.254.195.244:500: Informational Exchange is for an unknown (expired?)
> SA with MSGID:0x999b390f
>
> Logs for VPS2:
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: initiating
> Main Mode to replace #11
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received
> Vendor ID payload [Openswan (this version) 2.6.38 ]
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received
> Vendor ID payload [Dead Peer Detection]
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received
> Vendor ID payload [RFC 3947] method set to=115
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: enabling
> possible NAT-traversal with method RFC 3947 (NAT-Traversal)
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition
> from state STATE_MAIN_I1 to state STATE_MAIN_I2
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13:
> STATE_MAIN_I2: sent MI2, expecting MR2
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
> detected
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition
> from state STATE_MAIN_I2 to state STATE_MAIN_I3
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13:
> STATE_MAIN_I3: sent MI3, expecting MR3
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received
> Vendor ID payload [CAN-IKEv2]
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: Main mode
> peer ID is ID_IPV4_ADDR: '64.237.39.24'
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition
> from state STATE_MAIN_I3 to state STATE_MAIN_I4
>
> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13:
> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_128 prf=oakley_sha group=modp2048}
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
> 64.237.39.24:500: received Vendor ID payload [Openswan (this version)
> 2.6.38 ]
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
> 64.237.39.24:500: received Vendor ID payload [Dead Peer Detection]
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
> 64.237.39.24:500: received Vendor ID payload [RFC 3947] method set to=115
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
> 64.237.39.24:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
> 64.237.39.24:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
> 64.237.39.24:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
> 64.237.39.24:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: responding to
> Main Mode
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition
> from state STATE_MAIN_R0 to state STATE_MAIN_R1
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14:
> STATE_MAIN_R1: sent MR1, expecting MI2
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
> detected
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition
> from state STATE_MAIN_R1 to state STATE_MAIN_R2
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14:
> STATE_MAIN_R2: sent MR2, expecting MI3
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: Main mode
> peer ID is ID_IPV4_ADDR: '64.237.39.24'
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition
> from state STATE_MAIN_R2 to state STATE_MAIN_R3
>
> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_128 prf=oakley_sha group=modp2048}
>
> Jun 27 00:09:34 vps2.layerzero.ca pluto[29906]: packet from
> 64.237.39.24:500: Informational Exchange is for an unknown (expired?) SA
> with MSGID:0xb8f1bbda
>
>
> --
>
> www.ariens.ca
>
> Privacy notice - Pursuant to Legislative Decree no. 196/2003 (Privacy Code),
> please note that the information contained in this message is confidential
> and for the exclusive use of the addressee. Any unauthorised use, copying or
> distribution is prohibited and punishable under the law. Reitek is not
> responsible for any unauthorised copies or distributions. If this message
> was received in error, please delete it and inform the sender. Thank you.
>


-- 
www.ariens.ca
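As an added example (not code from this thread or from Openswan), the pluto log excerpt quoted above can be summarised by a small parser: it tracks ISAKMP state numbers per conn and reports the "unknown (expired?) SA" informational exchanges and the moments when a conn has more than one ISAKMP SA established at once, the two things visible in the VPS1 log before the tunnel stopped passing traffic. The sample lines are copied from the thread; the regular expressions are assumptions about the pluto line layout seen there.

```python
import re
from collections import defaultdict

# Constructed sample: VPS1 pluto lines copied from this thread, one log record per line.
SAMPLE_LOG = """\
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 27 00:09:01 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xf86c4eb8
Jun 27 00:09:19 vps1.layerzero.ca pluto[28819]: "vps2" #13: received Delete SA payload: deleting ISAKMP State #13
Jun 27 00:48:54 vps1.layerzero.ca pluto[28819]: "vps2" #19: initiating Main Mode to replace #16
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 27 01:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x4a2e1ab1
"""

# Fields (assumed layout): syslog timestamp, host, pluto[pid], then '"conn" #state:' or 'packet from ip:port:', then the message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): |packet from (?P<peer>[\d.]+):\d+: )?'
    r'(?P<msg>.*)$')

def parse_pluto(text):
    """One dict per parseable line; 'state' is an int or None, 'peer' an IP string or None."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["state"] = int(rec["state"]) if rec["state"] else None
            records.append(rec)
    return records

def analyze(text):
    """Track ISAKMP SA state numbers per conn; flag informational exchanges for SAs
    this pluto no longer knows, and moments when a conn has more than one ISAKMP SA up."""
    live = defaultdict(set)   # conn -> ISAKMP state numbers currently believed established
    replacing = {}            # new state number -> old state number it is replacing
    out = {"established": [], "replaced": [], "deleted": [], "unknown_sa": [], "overlap": []}
    for r in parse_pluto(text):
        msg, conn, st = r["msg"], r["conn"], r["state"]
        if "ISAKMP SA established" in msg:
            live[conn].discard(replacing.pop(st, None))   # retire the SA this one replaced
            live[conn].add(st)
            out["established"].append((r["ts"], conn, st))
            if len(live[conn]) > 1:
                out["overlap"].append((r["ts"], conn, sorted(live[conn])))
        elif (m := re.search(r"initiating Main Mode to replace #(\d+)", msg)):
            replacing[st] = int(m.group(1))
            out["replaced"].append((r["ts"], conn, st, replacing[st]))
        elif (m := re.search(r"deleting ISAKMP State #(\d+)", msg)):
            live[conn].discard(int(m.group(1)))
            out["deleted"].append((r["ts"], conn, int(m.group(1))))
        elif (m := re.search(r"unknown \(expired\?\) SA with MSGID:(0x[0-9a-f]+)", msg)):
            out["unknown_sa"].append((r["ts"], r["peer"], m.group(1)))
    return out
```

Run it over `journalctl -u openswan` output (or the syslog file pluto writes to) on both peers; an "unknown_sa" entry on one side with no matching state on the other is the point in time to compare against when traffic stopped.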