[Openswan Users] Weird tunnel issue

Peter McGill petermcgill at goco.net
Thu Oct 23 15:11:51 EDT 2014


So it is...

No I would expect --down to fully stop the tunnel, at least on openswan end.

But firewall/iptables is another thing which can prevent traffic flow... so
I mentioned it.

Something else to watch on interrop is that your using all the same
settings.
Can you get a screenshot, etc... of the fortigate configuration.

What are the syslog entries at the time the connection stops working?

Can you show us ipsec auto --status output, during the issue?

Peter McGill


-----Original Message-----
From: Jason J. W. Williams [mailto:jasonjwwilliams at gmail.com] 
Sent: October-23-14 12:50 PM
To: Peter McGill
Cc: <users at lists.openswan.org>
Subject: Re: Weird tunnel issue

The second file is what's included. Have not tried using iptables. Is "ipsec
auto --down" not sufficient?

-J

Sent via iPhone

> On Oct 23, 2014, at 9:28, "Peter McGill" <petermcgill at goco.net> wrote:
> 
> Well your ipsec.conf includes files in /etc/ipsec.conf.d which you haven't
> shown us, so we can't actually examine your configuration.
> 
> However, have you tried restarting and disabling the firewall (iptables
> rules) to see if that fixes the problem.
> 
> Peter McGill
> 519-284-3420 x204
> 
> -----Original Message-----
> Date: Wed, 22 Oct 2014 14:00:11 -0700
> From: "Jason J. W. Williams" <jasonjwwilliams at gmail.com>
> To: users at lists.openswan.org
> Subject: [Openswan Users] Weird tunnel issue
> Message-ID:
>    <CAHZAEpceRYd-EBco6_yPw=G9p88aCvY3ZeAb3Q+saqbaGo6VCg at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> Hi,
> 
> We've had a weird issue where the tunnel had been up for several days
> and then suddenly refused to route packets over the tunnel (couldn't
> ping). The tunnel according to "ipsec auto --status" was up. The other
> side is a Fortigate 200B and it also agreed the tunnel was up. But it
> refused to send traffic over the tunnel. Tried toggling the tunnel
> down and then up from both ends, and while the tunnel re-established
> still couldn't route. Only thing that corrected it was rebooting the
> box running the OpenSWAN client.
> 
> Client is an Ubuntu 14.04.1 x64 box:
> # ipsec --version
> Linux Openswan U2.6.38/K3.13.0-37-generic (netkey)
> 
> ipsec.conf: https://gist.github.com/williamsjj/4dc00138e62697aec602
> tunnel config: https://gist.github.com/williamsjj/910adcc5a071fc130b30
> 
> Any help is greatly appreciated.
> 
> -J
> 



More information about the Users mailing list