Re: [Swan] Trouble with connection dropping

Sun, 08 Jun 2014 17:44:21 -0700 

On Sun, 8 Jun 2014, zip wrote:


Using libreswan 3.8.1 between two household networks each running Fedora 20


You mean libreswan-3.8-1 ?


Left's DSL connection must use PPPOE, so its MTU is 8 bytes less than Right's 
MTU.  In the config below I set the MTU to 1422.  (in the old days this MTU 
problem caused ssh untold grief, and why I stopped using it).


You might need to use TCP clamping:

ptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

If that does not help, try hardcoding it yourself:

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1460


Back to the problem:

When I service restart both sides, the VPN starts up fine, both networks can 
ping / ssh both directions.  Then at some random point in time, Right stops 
routing traffic through the VPN, but rather goes directly out the public 
interface; so all ping/ssh traffic originating from Right and its network 
stops.  However Left can still ping any host in Right including the firewall. 
ssh however doesn't work in either direction after the failure.


Could it be that this coincides with your DHCP lease getting renewed
(even if it is renewed to the same IP address) ?


Finding log output is difficult.  From Left's side, I have /var/log/secure 
logs but there isn't an immediate entry corresponding to when the VPN drops. 
The log on Right's side... well for what I think is an unrelated problem, 
/var/log/secure is empty and I've opened a Fedora bug describing:

https://bugzilla.redhat.com/show_bug.cgi?id=1105828

so I don't know what's happening on Right's side.  (Seems like problems 
always happen in two's and three's).


You can use plutostderrlog=/var/log/pluto.log if you get tired of all the
ways rsyslog and systemd interfere with logging....


ipsec.conf's are below (note for unknown reasons I've had to use slightly 
different "rightnexthop" statements).


There are some bugs in the nexthop handling we addressed that will be in
libreswan-3.9. (already commited to git master on github)


config setup
       protostack=netkey



       mtu=1422


When the tunnel is up, do you see a route entry with the mtu specified?

I think you might be seeing the DHCP lease issue bug, which has also
been filed already for rhel by Patrick:

https://bugzilla.redhat.com/show_bug.cgi?id=1078593

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan






















					Reply via email to