Re: [strongSwan] AWS EC2 IKEv2 tunnel up but no throughput

2021-07-07 Thread Lewis Shobbrook
Hi Noel/users,
Does no-one have any suggestions as to what we can try here?
I've looked long and hard at this and feel that I have exhausted any
obvious settings to adjust.
The only thing slightly unusual about the setup is that we are using a
single interface, but this has been documented as working so it really
should not be an issue.

Packets not traversing the tunnel is confirmed by...
swanctl --list-sas
tunnel1: #1, ESTABLISHED, IKEv2, 88d5c48c82546516_i* a2d86821f1f52625_r
  local  '52.8.104.97' @ 48.138.201.70[4500]
  remote '68.148.15.170' @ 68.148.15.170[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384
  established 582s ago, reauth in 85216s
  tunnel1: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 582s ago, rekeying in 2218s, expires in 3018s
    in  c675ba46,  0 bytes, 0 packets
    out 9333b51f,  0 bytes, 0 packets
    local  48.138.201.64/26
    remote 198.168.248.0/2

and ...
ipsec listcounters

List of IKE counters:

ikeInitRekey  0
ikeRspRekey   0
ikeChildSaRekey   0
ikeInInvalid  0
ikeInInvalidSpi   0
ikeInInitReq  0
ikeInInitRsp  2
ikeOutInitReq 2
ikeOutInitRsp 0
ikeInAuthReq  0
ikeInAuthRsp  2
ikeOutAuthReq 2
ikeOutAuthRsp 0
ikeInCrChildReq   0
ikeInCrChildRsp   0
ikeOutCrChildReq  0
ikeOutCrChildRsp  0
ikeInInfoReq  200
ikeInInfoRsp  0
ikeOutInfoReq 0
ikeOutInfoRsp   200


Any packets destined to the IPs on the rightsubnet from the left
vpn-gw itself do not escape; VPC flow logs confirm that no packets
from the vpn-gw destined for the rightsubnet traverse the VPC, and any
packets destined for the rightsubnet from the leftsubnet route to the
vpn-gw as expected but progress no further.
The problem seems to me to be tied in with the xfrm policy but this is
speculative.

Martians were detected only briefly 3 days ago with two singular
identical entries
kernel: IPv4: martian source 48.138.201.70 from 68.148.15.170, on dev eth0

All traffic between the VPN endpoints is encapsulated by NAT-T UDP 4500.
tcpdump shows checksum errors for packets originating from the left
vpn-gw to the rightsubnet, but we do not see any
02:45:59.096217 IP (tos 0x0, ttl 255, id 63930, offset 0, flags
[none], proto TCP (6), length 60)
48.138.201.70.39268 > 198.168.248.4.13865: Flags [S], cksum 0xb5e1
(incorrect -> 0x6af2), seq 329764005, win 26883, options [mss
8961,sackOK,TS val 3337366083 ecr 0,nop,wscale 7], length 0
The XfrmOutStateModeError count is not incremented in /proc/self/net/xfrm_stat,
and we have mangle rules in place to clamp the MSS to 1360.

I could not find any info out there relating to the IKE counters.
I assume if we were traversing the tunnel successfully that we'd see
incremented values in ikeInInfoRsp & ikeOutInfoReq?
Also swanctl --list-sas naturally...

Hoping someone can help here.

Cheers

Lew




On Mon, 5 Jul 2021 at 19:54, Lewis Shobbrook
 wrote:
>
> Thanks for your reply Noel,
> Landed in my spam folder...
> I'm testing with a curl to a known endpoint from the vpn gateway
> itself and also from the associated local subnet that is accepted on
> the other side.
> Here's the output of iptables-save which has changed quite a bit over
> various efforts to realise throughput.
>
> # Generated by iptables-save v1.8.4 on Mon Jul  5 09:52:05 2021
> *mangle
> :PREROUTING ACCEPT [131559:43589022]
> :INPUT ACCEPT [129402:43459544]
> :FORWARD ACCEPT [2155:129300]
> :OUTPUT ACCEPT [131976:29447953]
> :POSTROUTING ACCEPT [134131:29577253]
> -A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags
> SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
> -A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags
> SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
> COMMIT
> # Completed on Mon Jul  5 09:52:05 2021
> # Generated by iptables-save v1.8.4 on Mon Jul  5 09:52:05 2021
> *nat
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -s 48.138.201.64/26 -o eth0 -m policy --dir out --pol
> ipsec -j ACCEPT
> COMMIT
> # Completed on Mon Jul  5 09:52:05 2021
> # Generated by iptables-save v1.8.4 on Mon Jul  5 09:52:05 2021
> *filter
> :INPUT ACCEPT [42760:14832665]
> :FORWARD ACCEPT [774:46440]
> :OUTPUT ACCEPT [43602:9751014]
> COMMIT
>
>
> Cheers,
>
> Lew
>
>
>
> Lewis Shobbrook
> Team Lead - DevOps
>
> base2Services | The Cloud Services People
> T 1300 713 559 E l.shobbr...@base2services.com
> Lvl 21, 303 Collins St, Melbourne VIC 3000
> base2services.com.au
>
>
>
>
> On Mon, 5 Jul 2021 at 18:19,
>  wrote:
> >
> > Hello Lew,
> >
> > How exactly are you testing the tunnel?
> > Also, please prov
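An added diagnostic script (not from this thread and not strongSwan's own code) that parses swanctl --list-sas output of the form posted at the top of the thread and flags an INSTALLED CHILD_SA that has carried no ESP packets in either direction, plus an IKE identity that differs from the address the daemon is actually bound to; the sample is constructed from the posted output, and the remote selector's /24 prefix is an assumption because the posted line is cut off.

```python
import re
# Constructed sample mirroring the thread's swanctl --list-sas output (remote /24 prefix assumed).
SAMPLE = """\
tunnel1: #1, ESTABLISHED, IKEv2, 88d5c48c82546516_i* a2d86821f1f52625_r
  local  '52.8.104.97' @ 48.138.201.70[4500]
  remote '68.148.15.170' @ 68.148.15.170[4500]
  tunnel1: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 582s ago, rekeying in 2218s, expires in 3018s
    in  c675ba46,  0 bytes, 0 packets
    out 9333b51f,  0 bytes, 0 packets
    local  48.138.201.64/26
    remote 198.168.248.0/24
"""
IKE = re.compile(r"^\s*(\S+): #\d+, (\w+), IKEv\d")                      # IKE_SA header line
CHILD = re.compile(r"^\s*(\S+): #\d+, reqid \d+, (\w+), ")                # CHILD_SA header line
ADDR = re.compile(r"^\s*(local|remote)\s+'([^']+)' @ (\S+)\[\d+\]")       # IKE identity @ host[port]
AGE = re.compile(r"^\s*installed (\d+)s ago")                              # CHILD_SA age in seconds
CNT = re.compile(r"^\s*(in|out)\s+[0-9a-f]+,\s+(\d+) bytes, (\d+) packets")  # ESP SPI + counters
TS = re.compile(r"^\s*(local|remote)\s+(\S+/\d+)\s*$")                     # traffic selectors

def parse_list_sas(text):
    sas = []  # one dict per IKE_SA, each with endpoints and a list of CHILD_SAs
    for line in text.splitlines():
        if m := IKE.match(line):
            sas.append({"name": m[1], "state": m[2], "children": []})
        elif m := CHILD.match(line):
            sas[-1]["children"].append({"name": m[1], "state": m[2], "ts": {}})
        elif m := ADDR.match(line):
            sas[-1][m[1]] = {"id": m[2], "host": m[3]}
        elif m := AGE.match(line):
            sas[-1]["children"][-1]["age"] = int(m[1])
        elif m := CNT.match(line):
            sas[-1]["children"][-1][m[1]] = (int(m[2]), int(m[3]))  # (bytes, packets)
        elif m := TS.match(line):
            sas[-1]["children"][-1]["ts"][m[1]] = m[2]
    return sas

def diagnose(sas, min_age=60):
    """ESP counters live on the CHILD_SA; 'ipsec listcounters' only counts IKE messages."""
    out = []
    for ike in sas:
        loc = ike.get("local")
        if loc and loc["id"] != loc["host"]:
            out.append(f"{ike['name']}: IKE id {loc['id']} != bound address {loc['host']} (NAT)")
        for c in ike["children"]:  # a freshly installed SA is legitimately at 0, hence min_age
            dead = "/".join(d for d in ("out", "in") if c[d][1] == 0)
            if dead and c["state"] == "INSTALLED" and c.get("age", 0) >= min_age:
                out.append(f"{c['name']}: {c['age']}s installed, 0 ESP packets {dead} "
                           f"for {c['ts'].get('local')} <-> {c['ts'].get('remote')}")
    return out
```

Feed it `swanctl --list-sas` output directly; a zero "out" count on a CHILD_SA that has been installed for a while means the traffic never matched the xfrm policy on this host, which is where to look next (`ip xfrm policy`, `ip xfrm state`, routing), while the ikeInInfoReq/ikeOutInfoRsp counters only reflect IKE informational exchanges.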

Re: [strongSwan] PGP Key used for signing

2021-07-07 Thread Andreas Steffen
Hi Eric,

it is my personal PGP key:

https://pgp.surfnet.nl/pks/lookup?op=vindex&fingerprint=on&search=0xDF42C170B34DBA77

Regards

Andreas

On 06.07.21 17:15, Eric Germann wrote:
> What PGP key is used for signing of the source files?
> 
> ---
> Eric Germann
> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
> LinkedIn: https://www.linkedin.com/in/ericgermann
> 
> Twitter: @ekgermann
> Telegram || Signal || Phone +1 {dash} 419 {dash} 513 {dash} 0712
> 
> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
> 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
strongSec GmbH, 8952 Schlieren (Switzerland)
==