I managed to test a few scenarios:

## 1. One dropping route tunnel only
Minutes after ipsec restart the route disappears, although the tunnel is still up. Data cannot be sent through the tunnel.

## 2. One stable route tunnel + One dropping route tunnel
The route doesn't disappear and data can be sent through the tunnel.

## 3. Enabling more and more routes
Eventually the routes start disconnecting again after having 4 or 5 tunnels set up.

On 20 June 2017 at 16:03:13, Bob Cribbs ([email protected]) wrote:

Sure, what log files do you think are relevant? There doesn't seem to be anything in the `/var/log/auth.log` around the time the routes disappear, and there is nothing in the `/var/log/messages.log` file either. Or should I change pluto's log level to `all`?

On 20 June 2017 at 16:00:02, Paul Wouters ([email protected]) wrote:

Can you arrange for some logfiles I can have a look at? Can you also try a 3.20rcX release candidate?

Sent from my iPhone

On Jun 20, 2017, at 08:27, Bob Cribbs <[email protected]> wrote:

Hi,

I'm experiencing a new problem with my upgrade process (3.12->3.20); this time it's the routes.

I have ~70 tunnels set up on my server. After ipsec is (re)started, all the routes come up. But then 1-2 minutes later, only a subset of those are still up, ~10 of them. It's always the same 10 that are persisting.

All the tunnels are still showing up as connected, including those that are now missing the routes. Sending data through the tunnel only works for those that have routes; for the other ones it is timing out.

I tried downgrading from 3.20 -> 3.19, same problem. I tried downgrading further, 3.19 -> 3.18. Routes seem to be persisting on 3.18.

I suspect there is a problem with encapsulation and NAT and keepalive. On 3.12 and 3.18, I used `forceencaps=yes`. On 3.20 I tried `encapsulation=yes` and `encapsulation=auto`; routes are disconnecting with either of them.
```
conn customer
    authby=secret
    dpddelay=40
    dpdtimeout=120
    dpdaction=restart
    auto=start
    encapsulation=yes
    pfs=yes
    ike=aes256-sha1
    phase2alg=aes256-sha1
    left=%defaultroute
    leftid=184.X.X.X
    leftsourceip=184.X.X.X
    leftsubnet=184.X.X.X/32
    right=72.Y.Y.Y
    rightid=72.Y.Y.Y
    rightsubnet=10.B.B.B/32
```

Once the route disappears, it doesn't come back even if I try:

```
$ sudo ipsec auto --down customer
$ sudo ipsec auto --up customer
```

Am I missing some config to keep the route up on the 3.20 version?

Thank you.

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
