[Openswan Users] Weird tunnel issue

Jason J. W. Williams jasonjwwilliams at gmail.com
Wed Dec 3 15:48:02 EST 2014


Thanks Peter. Implementing all of your suggestions. nat_traversal was
already set to yes since I built that Gist but the rest of your suggestions
still apply.

-J

On Wed, Dec 3, 2014 at 1:31 PM, Peter McGill <petermcgill at goco.net> wrote:

> First of all your NAT Traversal settings don’t match.
>
> You have nat_traversal=no in ipsec.conf,
> but forceencaps=yes in tunnel.conf which is ignored because of ipsec.conf,
> and nat traversal enabled in fortigate (disabled in openswan).
>
> Also, your keylife settings don’t match, that is how long the phase 2 tunnel is good for.
> This is likely the cause of your issue, same thing happened to me when these were out of sync with a cisco device.
> I.e. tunnel is up for a while, then drops and doesn’t come back (at least not for an hour or more).
> This happens because one side thinks the tunnel hasn’t expired, and the other side has expired the tunnel.
>
> Openswan defaults to 8 hours for phase 2 and 1 hour for phase 1, for some reason other vendors sometimes switch the two.
> You’ve correctly altered ikelifetime in tunnel.conf (openswan) to 8h to match the fortigate 8 hours.
> But you have not set keylife=1800 in tunnel.conf (openswan) to match the 30 minutes (1800) set in fortigate phase 2.
> Also, I would majorly increase the Kbytes keylife setting on the fortigate, you wouldn’t want the tunnel to expire before the 30 minutes,
> or you could run into the same issue again.
>
> Also DPD is disabled on the openswan and enabled on the fortigate.
> To set up DPD to match the fortigate settings, try the following in your tunnel.conf:
>
>     dpddelay=10
>     dpdtimeout=40
>     dpdaction=restart
>
> Note: 10 seconds is pretty low, I run mine at 30 and 120. 30 between each keepalive and restart tunnel at 120 (3/4 failed keepalives).
>
> 1 final note, you don’t specify dh group 5 in your openswan tunnel.conf, but you do in the fortigate.
> It doesn’t appear to be causing a problem, but you may wish to know you can specify it in tunnel.conf as follows:
>
>     ike=3des-md5-modp1536
>
> It doesn’t work on the esp line, but esp defaults to whatever ike uses, so it works…
>
> Peter McGill
> 519-284-3420 x204
>
>
> *From:* Jason J. W. Williams [mailto:jasonjwwilliams at gmail.com]
> *Sent:* December-03-14 2:57 PM
>
> *To:* Peter McGill
> *Cc:* <users at lists.openswan.org>
> *Subject:* Re: Weird tunnel issue
>
>
>
> Got some more debugging on this issue.
>
>
>
> When the tunnel drops (after a network outage), I can only get the tunnel
> passing traffic again by restarting the ipsec daemon. But the daemon
> doesn't restart the tunnel on its own despite DPD being configured.
> Restarting the tunnel from the Fortigate side, the Fortigate shows the
> tunnel up but no traffic will route on the OpenSWAN side.
>
>
>
> ipsec.conf: https://gist.github.com/williamsjj/4dc00138e62697aec602
> tunnel config: https://gist.github.com/williamsjj/910adcc5a071fc130b30
>
>
>
> Fortigate Phase 1 Conf: http://www.screencast.com/t/9V3XmL9Gdxw
>
> Fortigate Phase 2 Conf: http://www.screencast.com/t/EZq5VSbcMWS
>
>
>
> Incident #1 error logs:
> https://gist.github.com/williamsjj/0b1b58fe8bb216ccf275
>
> Incident #2 error logs:
> https://gist.github.com/williamsjj/d84bad0d8cc6b43ecef7
>
>
>
> Any help/advice is greatly appreciated.
>
>
>
> -J
>
> On Thu, Oct 23, 2014 at 1:11 PM, Peter McGill <petermcgill at goco.net>
> wrote:
>
> So it is...
>
> No I would expect --down to fully stop the tunnel, at least on openswan
> end.
>
> But firewall/iptables is another thing which can prevent traffic flow... so
> I mentioned it.
>
> Something else to watch on interop is that you're using all the same
> settings.
> Can you get a screenshot, etc... of the fortigate configuration.
>
> What are the syslog entries at the time the connection stops working?
>
> Can you show us ipsec auto --status output, during the issue?
>
> Peter McGill
>
>
>
> -----Original Message-----
> From: Jason J. W. Williams [mailto:jasonjwwilliams at gmail.com]
> Sent: October-23-14 12:50 PM
> To: Peter McGill
> Cc: <users at lists.openswan.org>
> Subject: Re: Weird tunnel issue
>
> The second file is what's included. Have not tried using iptables. Is
> "ipsec auto --down" not sufficient?
>
> -J
>
> Sent via iPhone
>
> > On Oct 23, 2014, at 9:28, "Peter McGill" <petermcgill at goco.net> wrote:
> >
> > Well your ipsec.conf includes files in /etc/ipsec.conf.d which you
> haven't
> > shown us, so we can't actually examine your configuration.
> >
> > However, have you tried restarting and disabling the firewall (iptables
> > rules) to see if that fixes the problem.
> >
> > Peter McGill
> > 519-284-3420 x204
> >
> > -----Original Message-----
> > Date: Wed, 22 Oct 2014 14:00:11 -0700
> > From: "Jason J. W. Williams" <jasonjwwilliams at gmail.com>
> > To: users at lists.openswan.org
> > Subject: [Openswan Users] Weird tunnel issue
> > Message-ID:
> >    <CAHZAEpceRYd-EBco6_yPw=G9p88aCvY3ZeAb3Q+saqbaGo6VCg at mail.gmail.com>
> > Content-Type: text/plain; charset=UTF-8
> >
> > Hi,
> >
> > We've had a weird issue where the tunnel had been up for several days
> > and then suddenly refused to route packets over the tunnel (couldn't
> > ping). The tunnel according to "ipsec auto --status" was up. The other
> > side is a Fortigate 200B and it also agreed the tunnel was up. But it
> > refused to send traffic over the tunnel. Tried toggling the tunnel
> > down and then up from both ends, and while the tunnel re-established
> > still couldn't route. Only thing that corrected it was rebooting the
> > box running the OpenSWAN client.
> >
> > Client is an Ubuntu 14.04.1 x64 box:
> > # ipsec --version
> > Linux Openswan U2.6.38/K3.13.0-37-generic (netkey)
> >
> > ipsec.conf: https://gist.github.com/williamsjj/4dc00138e62697aec602
> > tunnel config: https://gist.github.com/williamsjj/910adcc5a071fc130b30
> >
> > Any help is greatly appreciated.
> >
> > -J
> >
>
>
>
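The mismatches Peter walks through (global nat_traversal versus a conn-level forceencaps, phase 1/phase 2 lifetimes, DPD, and the DH group carried in the ike= string) are exactly the things worth checking mechanically before bringing a tunnel up against another vendor. The script below is an added example, not code from the thread or from Openswan: it parses a conn stanza the way ipsec.conf lays it out, applies the Openswan defaults named in the reply (1h ikelifetime, 8h keylife), and reports every disagreement with the peer. The Fortigate settings dict, the conn name `fortigate` and the peer address 203.0.113.10 are constructed stand-ins for what the screenshots showed, as described in the reply; the two embedded conn stanzas are likewise constructed, one with the mismatches and one with the corrections.

```python
"""Check an Openswan conn against the peer's phase 1/2 settings.

Added example (not from the thread or from Openswan). The Fortigate values
are a constructed stand-in for the settings the reply describes: NAT-T on,
8h phase 1, 1800s phase 2, DPD on, DH group 5.
"""
import re

# Openswan defaults relevant here (ipsec.conf(5)): 1h phase 1, 8h phase 2.
DEFAULTS = {"ikelifetime": "1h", "keylife": "8h"}

# DH group number for the modp tokens used in ike=/esp= proposals.
MODP_GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14}

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value):
    """Openswan time syntax: '8h' -> 28800, '1800' -> 1800, '30m' -> 1800."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented 'config setup' / 'conn NAME' lines open a section.
            words = line.split()
            current = " ".join(words[:2]) if words[0] in ("config", "conn") else None
            if current:
                sections[current] = {}
            continue
        if current and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[current][key] = val
    return sections


def dh_group_of(proposal):
    """DH group from an ike=/esp= string, e.g. '3des-md5-modp1536' -> 5."""
    m = re.search(r"modp\d+", proposal or "")
    return MODP_GROUP.get(m.group(0)) if m else None


def check_interop(conf_text, conn_name, peer):
    """List the mismatches between one conn and the peer's settings."""
    sections = parse_ipsec_conf(conf_text)
    setup = sections.get("config setup", {})
    conn = sections.get("conn " + conn_name, {})
    problems = []

    # nat_traversal is global; a conn-level forceencaps is ignored without it.
    natt = setup.get("nat_traversal", "no") == "yes"
    if natt != peer["nat_traversal"]:
        problems.append("nat_traversal=%s but peer NAT-T is %s"
                        % ("yes" if natt else "no", "on" if peer["nat_traversal"] else "off"))
    if conn.get("forceencaps") == "yes" and not natt:
        problems.append("forceencaps=yes is ignored because nat_traversal=no")

    # Lifetimes must agree, or one side expires an SA the other still uses.
    for key, peer_key in (("ikelifetime", "phase1_seconds"),
                          ("keylife", "phase2_seconds")):
        ours = parse_time(conn.get(key, DEFAULTS[key]))
        if ours != peer[peer_key]:
            problems.append("%s=%ds (peer uses %ds)" % (key, ours, peer[peer_key]))

    # DPD only helps if both sides run it and we restart on failure.
    if peer["dpd"]:
        if "dpddelay" not in conn or "dpdtimeout" not in conn:
            problems.append("peer runs DPD but dpddelay/dpdtimeout are not set")
        elif conn.get("dpdaction") != "restart":
            problems.append("dpdaction should be restart to re-establish the tunnel")

    # esp= inherits the DH group from ike= when none is given, so ike= suffices.
    ours = dh_group_of(conn.get("ike"))
    if ours != peer["dh_group"]:
        problems.append("DH group %s in ike= (peer uses group %d)" % (ours, peer["dh_group"]))
    return problems


# Constructed peer settings and conn stanzas (placeholders, not the thread's gists).
FORTIGATE = {"nat_traversal": True, "phase1_seconds": 8 * 3600,
             "phase2_seconds": 1800, "dpd": True, "dh_group": 5}

MISMATCHED_CONF = """\
config setup
    nat_traversal=no

conn fortigate
    left=%defaultroute
    right=203.0.113.10
    forceencaps=yes
    ikelifetime=8h
    ike=3des-md5
    auto=start
"""

FIXED_CONF = """\
config setup
    nat_traversal=yes

conn fortigate
    left=%defaultroute
    right=203.0.113.10
    forceencaps=yes
    ikelifetime=8h
    keylife=1800
    dpddelay=10
    dpdtimeout=40
    dpdaction=restart
    ike=3des-md5-modp1536
    auto=start
"""
```

Running `check_interop(MISMATCHED_CONF, "fortigate", FORTIGATE)` reports the five findings from the reply (NAT-T, ignored forceencaps, keylife, DPD, DH group); the corrected stanza reports none. The keylife check uses the 8h default when the key is absent, which is the silent mismatch that bites here: nothing in the conn looks wrong until you know what Openswan assumes.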