[Openswan Users] Loss problems with OpenSwan
Cristian Petrescu
cristian.petrescu at telemaxvoice.ro
Tue Apr 15 03:23:10 EDT 2014
Hello,

I have changed the configuration as below. The loss still appears
from time to time and disappears after an ipsec restart. Can anyone help?
Might there be a problem with NETKEY and IP routes? There isn't anything
suspicious in /var/log/secure.

version 2.0

config setup
    protostack=netkey
    virtual_private=%v4:10.122.0.0/16
    nhelpers=0

conn HOST1HOST2
    dpdaction=restart_by_peer
    dpdtimeout=60
    dpddelay=10
    left=<HOST1_public_ip>
    leftsourceip=10.122.7.1
    leftsubnets={10.122.7.1/32}
    leftid=@HOST1
    leftnexthop=%defaultroute
    right=<HOST2_public_ip>
    rightsourceip=10.122.4.2
    rightsubnets={10.122.4.0/24}
    rightid=@HOST2
    rightnexthop=%defaultroute
    auto=start
    authby=secret
    type=tunnel

HOST1 has two interfaces, one with the public IP and the other with
10.122.7.1 netmask 255.255.255.255
HOST2 has two interfaces, one with the public IP and the other with
10.122.4.2 netmask 255.255.255.0
net.ipv4.ip_forward = 1 on both machines.
Both machines run CentOS 6.4 ( 2.6.32-358.18.1.el6.x86_64 )
Best regards,
Cristi
On 09/04/2014 12:15, Cristian Petrescu wrote:
> Hello Nick,
> Thank you for your answer. I have to keep the private IP on both
> hosts. Considering what you've told me, I will eliminate lo:0 and
> assign the 10.122.1.1 IP to a free network card on HOST2. I will also
> add left/rightsourceip. I will have to wait a few days to see if this
> has solved the issue.
>
> Best regards,
> Cristian
> On 09/04/2014 11:37, Nick Howitt wrote:
>>
>> Rather than your "subnets" set up, have you considered doing a more
>> usual simple left/rightsubnet and adding a left/rightsourceip
>> (probably 10.22.1.1 and 10.122.3.2)? Then remove the HOST1 assignment
>> to lo:0?
>>
>> Nick
>>
>> On 2014-04-09 09:15, Cristian Petrescu wrote:
>>
>>> Dear Users,
>>> I've been using OpenSwan on CentOS 6.4 ( 2.6.32-358.2.1.el6.x86_64 ) for some time. It works well, but from time to time we start experiencing around 2-3% loss on the connection. If we restart both openswan ends the loss goes away; I wasn't able to determine when and why the loss occurs. I've checked /var/log/secure and there isn't anything happening out of the normal. I've had problems in the past with ksoftirqd reaching 100%, but after setting /proc/sys/net/ipv4/xfrm4_gc_thresh to 100 and installing irqbalance that ksoftirqd problem was solved. Please help me solve this issue; below is the configuration:
>>>
>>> HOST2:
>>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>> #
>>> # Manual: ipsec.conf.5
>>> #
>>> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>>>
>>> version 2.0 # conforms to second version of ipsec.conf specification
>>>
>>> # basic configuration
>>> config setup
>>>     protostack=netkey
>>>     virtual_private=%v4:10.122.0.0/16
>>>     oe=off
>>>     nhelpers=0
>>>
>>> conn host1host2
>>>     dpdaction=restart_by_peer
>>>     dpdtimeout=60
>>>     dpddelay=10
>>>     left=<host2 public ip>
>>>     leftsubnets={10.122.1.1/32,<host2 public ip>/32}
>>>     leftid=@host2
>>>     leftnexthop=%defaultroute
>>>     right=<host1 public ip>
>>>     rightsubnets={10.122.3.0/24,<host1 public ip>/32}
>>>     rightid=@host1
>>>     rightnexthop=%defaultroute
>>>     auto=start
>>>     authby=secret
>>>     type=tunnel
>>>
>>> On HOST2, 10.122.1.1 is assigned to lo:0
>>> On HOST1, 10.122.3.2 is assigned to a network interface that is the gateway for the equipment in that network in order to reach 10.122.1.1
>>> HOST2 and HOST1 have the same ipsec.conf configuration.
>>>
>>> Best regards,
>>> Cristi