I had a system that experienced intermittent internet connectivity and a series of dead peer detection triggers. After about an hour, the internet stabilized and the logs indicated that the tunnel had established itself. However, no traffic was allowed to traverse the tunnel. I noticed that the system’s peer was missing some ip xfrm policy rules. It had a rule for dir out, but was missing a rule for dir in and dir fwd. After recognizing this, I added the dir in and dir fwd rules by hand. Traffic was then able to traverse the tunnel.
Has anyone else experienced behavior like this, or can think of a way to reproduce it? I was unable to reproduce it while mimicking a loss of internet connectivity. Here are the configuration files for the system and the system's peer respectively. Both systems were running Libreswan 3.19.

    # begin conn tunisp1
    conn tunisp1
        left=A.B.C.D
        leftid="@left"
        leftsubnet=0.0.0.0/0
        leftcert=client
        left=A.B.C.D
        leftcert=client
        right=E.F.G.H
        rightid="%fromcert"
        rightsubnet=0.0.0.0/0
        right=E.F.G.H
        authby=rsasig
        vti-routing=no
        vti-shared=yes
        encapsulation=yes
        keyingtries=0
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        mark=0x1000000/0xff000000
        vti-interface=tunisp1
        phase2alg=aes256-sha2_256
        auto=ignore
        type=tunnel
        compress=no
        pfs=yes
        ikepad=yes
        authby=rsasig
        phase2=esp
        ikev2=permit
        esn=no
    # end conn tunisp1

    # begin conn tunisp6
    conn tunisp6
        left=A.B.C.D
        leftid="@left"
        leftsubnet=0.0.0.0/0
        left=A.B.C.D
        right=E.F.G.H
        rightid="%fromcert"
        rightsubnet=0.0.0.0/0
        rightcert=server
        right=E.F.G.H
        rightupdown=/usr/libexec/ipsec/inspeed_updown
        rightcert=server
        authby=rsasig
        vti-routing=no
        encapsulation=yes
        keyingtries=0
        mark=0x6000000/0xff000000
        vti-interface=tunisp6
        phase2alg=aes256-sha2_256
        auto=ignore
        type=tunnel
        compress=no
        pfs=yes
        ikepad=yes
        authby=rsasig
        phase2=esp
        ikev2=permit
        esn=no
    # end conn tunisp6

Let me know if any other information would be helpful. Thanks!

-- cm
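The failure described in the post (an established tunnel whose xfrm policy has a "dir out" entry but no "dir in" or "dir fwd" entry for the connection's mark) is silent until traffic stops flowing. The following is an added example, not code from the poster or from the Libreswan project: a POSIX shell check that parses the text of "ip xfrm policy", groups each policy record by its "dir" and "mark" lines, and reports which of out/in/fwd are missing for a given mark. The record layout assumed here (a "src ... dst ..." header line followed by indented "dir", "mark" and "tmpl" lines) matches what iproute2 prints; the mark values reuse the ones in the posted config, and the sample policy dump and addresses are constructed so the check runs offline.

```shell
#!/bin/sh
# missing_xfrm_dirs MARK/MASK  < output-of-"ip xfrm policy"
# Prints the directions (out/in/fwd) that have no policy carrying MARK/MASK,
# returns 0 when all three are present and 1 when any is missing.
missing_xfrm_dirs() {
    want="$1"
    # One record starts at every "src ... dst ..." line; within a record the
    # "dir" line gives the direction and the "mark" line the mark/mask.
    # Records without a "dir" line (e.g. "socket in" bypass policies) are skipped.
    found="$(awk -v want="$want" '
        /^src / { if (dir != "" && m == want) seen[dir] = 1; dir = ""; m = "" }
        $1 == "dir"  { dir = $2 }
        $1 == "mark" { m = $2 }
        END {
            if (dir != "" && m == want) seen[dir] = 1
            for (d in seen) printf "%s ", d
        }
    ')"
    missing=""
    for d in out in fwd; do
        case " $found " in
            *" $d "*) ;;                      # direction present for this mark
            *) missing="$missing $d" ;;       # direction absent: report it
        esac
    done
    missing="${missing# }"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample of "ip xfrm policy" output: mark 0x6000000 (tunisp6) has
# all three directions, mark 0x1000000 (tunisp1) only has "dir out", which is
# the broken state described in the post. Addresses are documentation ranges.
SAMPLE_POLICY='src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 1859009 ptype main
    mark 0x1000000/0xff000000
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 1859009 ptype main
    mark 0x6000000/0xff000000
    tmpl src 192.0.2.1 dst 198.51.100.2
        proto esp reqid 16390 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir fwd priority 1859009 ptype main
    mark 0x6000000/0xff000000
    tmpl src 198.51.100.2 dst 192.0.2.1
        proto esp reqid 16390 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 1859009 ptype main
    mark 0x6000000/0xff000000
    tmpl src 198.51.100.2 dst 192.0.2.1
        proto esp reqid 16390 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main'

# Stand-alone demo against the constructed sample. On a live host replace the
# printf with:  ip xfrm policy | missing_xfrm_dirs 0x1000000/0xff000000
printf '%s\n' "$SAMPLE_POLICY" | missing_xfrm_dirs 0x1000000/0xff000000 \
    || echo "tunisp1: xfrm policy incomplete (missing directions listed above)"
printf '%s\n' "$SAMPLE_POLICY" | missing_xfrm_dirs 0x6000000/0xff000000 \
    && echo "tunisp6: xfrm policy complete"
```

Run periodically (cron, or from a monitoring check) against each VTI connection's mark, the non-zero exit status flags the half-installed policy set as soon as it appears rather than when users report a dead tunnel; the same output also makes it easy to capture the policy table at the moment of the DPD restart for a bug report.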
Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
