[Openswan Users] Sudden ARP issue?

Toby Chamberlain tjchamberlain at hotmail.com
Mon Jul 25 05:29:37 EDT 2016


I've been using OpenSWAN for a long time and have 2 L2TP/IPSec setups 
that have been working reliably for about 4-5 years now. Two nights ago 
they suddenly stopped working and I've been unable to get them up again. 
In the logs I see  the normal "STATE_QUICK_R2: IPsec SA established 
tunnel mode" followed by multiple:
ERROR: asynchronous network error report on eth0 (sport=4500) for 
message to client.remote.com port 4500, complainant openswan.local.com: 
No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated).

I have tried everything I can think of, and both ends have been rebooted 
multiple times as have both openswan and xl2tpd instances. A tcpdump on 
the server shows a cycle of nat-keep-alive from the client followed by 
multiple unanswered ARP requests:
18:53:35.154310 IP (tos 0x0, ttl 115, id 17780, offset 0, flags [none], 
proto UDP (17), length 176)
  client.remote.com.ipsec-nat-t > openswan.local.com.ipsec-nat-t: [udp 
sum ok] isakmp-nat-keep-alive
18:53:35.160552 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 
client.remote.com tell openswan.local.com, length 28
18:53:36.160544 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 
client.remote.com tell openswan.local.com, length 28
etc. etc.

I suspect the problem might be that the ARP requests are getting lost 
and so openswan doesn't know where to send the replies. Does any one 
know how to fix this or have any other ideas of what to try?

Further info: I'm using a fully updated Debian Jessie ("Linux Openswan 
U2.6.37/K3.16.0-4-686-pae (netkey)"). It stopped working at about 0:30 
in the morning, there was no server reboot or upgrade performed, nor was 
the ipsec.conf changed or openswan restarted. One of the remote clients 
was upgraded to Windows 10 about 6-8 hours earlier, but had been 
connecting reliably during that time after the upgrade. About 15 minutes 
before it stopped working one of our ISPs suffered an outage and its 
router was automatically rebooted to try to clear it. Only one of the 
affected clients uses this router/ISP. Other non-L2TP connections are 
working fine.


More information about the Users mailing list