[Openswan Users] Weird tunnel issue

Jason J. W. Williams jasonjwwilliams at gmail.com
Wed Dec 3 14:56:51 EST 2014


Got some more debugging on this issue.

When the tunnel drops (after a network outage), I can only get the tunnel
passing traffic again by restarting the ipsec daemon. But the daemon
doesn't restart the tunnel on its own despite DPD being configured.
Restarting the tunnel from the Fortigate side, the Fortigate shows the
tunnel up but no traffic will route on the OpenSWAN side.

ipsec.conf: https://gist.github.com/williamsjj/4dc00138e62697aec602
tunnel config: https://gist.github.com/williamsjj/910adcc5a071fc130b30

Fortigate Phase 1 Conf: http://www.screencast.com/t/9V3XmL9Gdxw
Fortigate Phase 2 Conf: http://www.screencast.com/t/EZq5VSbcMWS

Incident #1 error logs:
https://gist.github.com/williamsjj/0b1b58fe8bb216ccf275
Incident #2 error logs:
https://gist.github.com/williamsjj/d84bad0d8cc6b43ecef7

Any help/advice is greatly appreciated.

-J



On Thu, Oct 23, 2014 at 1:11 PM, Peter McGill <petermcgill at goco.net> wrote:

> So it is...
>
> No, I would expect --down to fully stop the tunnel, at least on the openswan
> end.
>
> But firewall/iptables is another thing which can prevent traffic flow... so
> I mentioned it.
>
> Something else to watch on interop is that you're using all the same
> settings.
> Can you get a screenshot, etc... of the fortigate configuration.
>
> What are the syslog entries at the time the connection stops working?
>
> Can you show us ipsec auto --status output, during the issue?
>
> Peter McGill
>
>
> -----Original Message-----
> From: Jason J. W. Williams [mailto:jasonjwwilliams at gmail.com]
> Sent: October-23-14 12:50 PM
> To: Peter McGill
> Cc: <users at lists.openswan.org>
> Subject: Re: Weird tunnel issue
>
> The second file is what's included. Have not tried using iptables. Is
> "ipsec
> auto --down" not sufficient?
>
> -J
>
> Sent via iPhone
>
> > On Oct 23, 2014, at 9:28, "Peter McGill" <petermcgill at goco.net> wrote:
> >
> > Well your ipsec.conf includes files in /etc/ipsec.conf.d which you
> haven't
> > shown us, so we can't actually examine your configuration.
> >
> > However, have you tried restarting and disabling the firewall (iptables
> > rules) to see if that fixes the problem?
> >
> > Peter McGill
> > 519-284-3420 x204
> >
> > -----Original Message-----
> > Date: Wed, 22 Oct 2014 14:00:11 -0700
> > From: "Jason J. W. Williams" <jasonjwwilliams at gmail.com>
> > To: users at lists.openswan.org
> > Subject: [Openswan Users] Weird tunnel issue
> > Message-ID:
> >    <CAHZAEpceRYd-EBco6_yPw=G9p88aCvY3ZeAb3Q+saqbaGo6VCg at mail.gmail.com>
> > Content-Type: text/plain; charset=UTF-8
> >
> > Hi,
> >
> > We've had a weird issue where the tunnel had been up for several days
> > and then suddenly refused to route packets over the tunnel (couldn't
> > ping). The tunnel according to "ipsec auto --status" was up. The other
> > side is a Fortigate 200B and it also agreed the tunnel was up. But it
> > refused to send traffic over the tunnel. Tried toggling the tunnel
> > down and then up from both ends, and while the tunnel re-established
> > still couldn't route. Only thing that corrected it was rebooting the
> > box running the OpenSWAN client.
> >
> > Client is an Ubuntu 14.04.1 x64 box:
> > # ipsec --version
> > Linux Openswan U2.6.38/K3.13.0-37-generic (netkey)
> >
> > ipsec.conf: https://gist.github.com/williamsjj/4dc00138e62697aec602
> > tunnel config: https://gist.github.com/williamsjj/910adcc5a071fc130b30
> >
> > Any help is greatly appreciated.
> >
> > -J
> >
>
>
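Added example (not the poster's ipsec.conf, which is only linked above, and not Fortigate-supplied configuration): the Openswan DPD knobs that decide what happens when the peer stops answering. The point for a "DPD is configured but the tunnel never comes back" complaint is that Openswan's default dpdaction is hold, which only puts the eroute into %hold and waits; only dpdaction=restart actually tears the SA down and re-initiates. The connection name, addresses and subnets are placeholders, and the IKE/ESP proposals are omitted because they must match whatever the Fortigate Phase 1/Phase 2 screens show.

```ini
# Added example, not the poster's configuration. Connection name, addresses
# and subnets are placeholders; proposals must be filled in to match the
# Fortigate side.
config setup
        protostack=netkey

conn to-fortigate
        type=tunnel
        authby=secret
        left=203.0.113.10
        leftsubnet=10.1.0.0/24
        right=198.51.100.20
        rightsubnet=10.2.0.0/24
        pfs=yes
        # Dead Peer Detection: send R_U_THERE every 30 s; if no
        # R_U_THERE_ACK arrives within 120 s the peer is declared dead.
        dpddelay=30
        dpdtimeout=120
        # Default is "hold": the eroute is set to %hold and nothing is
        # re-negotiated until traffic arrives. "restart" deletes the SA
        # and immediately re-initiates, which is what you want after a
        # network outage. "clear" removes the SA and eroute and waits.
        dpdaction=restart
        auto=start
```

Two caveats that apply regardless of the setting chosen: DPD is only negotiated if both peers advertise it in Phase 1, so the Fortigate must have DPD enabled as well; and DPD only fires when the peer stops answering R_U_THERE. If the Fortigate is still answering, as its "tunnel up" status suggests, DPD will never trigger, and the problem is elsewhere. With the netkey stack the things to compare during the outage are the Phase 2 state in `ipsec auto --status`, the kernel SAs and policies in `ip xfrm state` and `ip xfrm policy` (an SA that pluto thinks is current but that is missing or stale in the kernel would explain traffic not routing while both ends report the tunnel up), and `iptables -L -n -v` / `iptables -t nat -L -n -v` for counters on rules that could be dropping or NATing the tunnel traffic.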