Hi all,
I am using Strongswan 5.3.5 on Linux 4.4.0. I have set up a site-to-site tunnel 
with a Cisco ISR. The tunnel comes up fine, but sometimes Linux is not sending the 
outgoing packets over the tunnel. The issue is intermittent and reproducible only 
on a few machines. 
I have enabled iptables tracing and see the packet is dropped after hitting the 
PREROUTING mangle table. 
2018-11-08T09:14:00.916017+00:00 ipsecgw02 kernel: [74044.919903] TRACE: raw:PREROUTING:policy:2 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305)
2018-11-08T09:14:00.916027+00:00 ipsecgw02 kernel: [74044.919917] TRACE: mangle:PREROUTING:rule:2 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305)
2018-11-08T09:14:00.916028+00:00 ipsecgw02 kernel: [74044.919930] TRACE: mangle:PREROUTING:policy:3 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305) MARK=0x3

sankar@ipsecgw02:~$ sudo ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
        dir fwd priority 3075
        mark 0x3/0xffffffff
        tmpl src 182.156.75.158 dst 192.168.102.80
                proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 3075
        mark 0x3/0xffffffff
        tmpl src 182.156.75.158 dst 192.168.102.80
                proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 3075
        mark 0x3/0xffffffff
        tmpl src 192.168.102.80 dst 182.156.75.158
                proto esp reqid 3 mode tunnel
sankar@ipsecgw02:~$ sudo ip xfrm state
src 192.168.102.80 dst 182.156.75.158
        proto esp spi 0x46394a21 reqid 3 mode tunnel
        replay-window 32 flag af-unspec
        mark 0x3/0xffffffff
        aead rfc4106(gcm(aes)) 0x83ff21ce5910815a0dd8d0cbdd79af34911d28540c79cad6347e1de27e9e48a0276f1769 128
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x21d, bitmap 0x00000000
src 182.156.75.158 dst 192.168.102.80
        proto esp spi 0xc1f23c40 reqid 3 mode tunnel
        replay-window 32 flag af-unspec
        mark 0x3/0xffffffff
        aead rfc4106(gcm(aes)) 0x62800cd6c8489b8478c0977f88bf64f5a8990894732a6cab92ec3da362deb998db9533ac 128
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x21d, oseq 0x0, bitmap 0xffffffff
Any help on how to troubleshoot the issue is highly appreciated.
Thanks,
Sankar
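A small parser for iptables TRACE output of the kind quoted in the post, added here as an example and not part of the original message or of strongSwan. It groups the TRACE hops per packet, records the fwmark the mangle rule set (which has to equal the `mark 0x3/0xffffffff` on the xfrm policies), and reports whether the packet ever reached a chain that lies after the routing decision; the sample log lines are constructed to mirror the post's output.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the post's iptables TRACE output: three hops
# for one SYN/ACK arriving on the VTI interface tunc1 (addresses as in the post).
SAMPLE_LOG = """\
kernel: [74044.919903] TRACE: raw:PREROUTING:policy:2 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 ACK SYN URGP=0 OPT (020405B40101040201030305)
kernel: [74044.919917] TRACE: mangle:PREROUTING:rule:2 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 ACK SYN URGP=0 OPT (020405B40101040201030305)
kernel: [74044.919930] TRACE: mangle:PREROUTING:policy:3 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 ACK SYN URGP=0 OPT (020405B40101040201030305) MARK=0x3
"""

HOP_RE = re.compile(r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|policy|return):(?P<num>\d+) (?P<rest>.*)")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Chains only reached after the routing decision. A trace that never shows one of
# them ended between PREROUTING and routing (route lookup, rp_filter, or the xfrm
# 'dir in'/'dir fwd' policy check), not in an iptables rule.
POST_ROUTING_CHAINS = {"INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

def parse_trace(log):
    """Group TRACE hops per packet (5-tuple plus TCP SEQ), keeping the last MARK seen."""
    flows = OrderedDict()
    for line in log.splitlines():
        m = HOP_RE.search(line)
        if not m:
            continue
        kv = dict(KV_RE.findall(m["rest"]))
        key = tuple(kv.get(f, "") for f in ("SRC", "DST", "PROTO", "SPT", "DPT", "SEQ"))
        flow = flows.setdefault(key, {"in": kv.get("IN", ""), "hops": [], "mark": None})
        flow["hops"].append(f"{m['table']}:{m['chain']}:{m['kind']}:{m['num']}")
        if "MARK" in kv:   # set by the mangle rule; must equal the mark on the xfrm policies
            flow["mark"] = kv["MARK"]
    return flows

def diagnose(flow):
    """Say where the packet was last seen. TRACE logs every matched rule and each
    chain's policy verdict, so the final hop tells you who handled the packet last."""
    last = flow["hops"][-1]
    _, chain, kind, _ = last.split(":")
    routed = any(h.split(":")[1] in POST_ROUTING_CHAINS for h in flow["hops"])
    if kind == "rule":
        verdict = "final verdict by an iptables rule"   # e.g. DROP/REJECT, or ACCEPT on the last chain
    elif chain == "PREROUTING" and not routed:
        verdict = "left netfilter after PREROUTING"     # lost in routing / xfrm policy lookup
    else:
        verdict = "passed by chain policy"
    return {"last_hop": last, "mark": flow["mark"], "routed": routed, "verdict": verdict}

if __name__ == "__main__":
    for key, flow in parse_trace(SAMPLE_LOG).items():
        print(key, diagnose(flow))
```

Feed it the real kernel log (`journalctl -k` or the syslog file) in place of SAMPLE_LOG; a packet whose trace stops at a PREROUTING chain policy, as in the post, was not dropped by an iptables rule, so the next things to compare are the fwmark it carried against the xfrm policy mark and the `dir in`/`dir fwd` policies for its addresses.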
