On Wed, 9 May 2018, Thomas Stein wrote:

I do not have any of these routes. Maybe the output of ipsec status sheds some
light?

000 #1: "my-vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 
3583s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); 
EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #3: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); 
EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #4: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); 
EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #5: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); 
EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #6: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); 
EVENT_SA_REPLACE_IF_USED in 28031s; newest IPSEC; eroute owner; isakmp#1; idle; 
import:admin initiate
000 #6: "my-vpn" [email protected] [email protected] 
[email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! 
ESPmax=4194303B username=myself

This looks buggy. You should not have those partial quick modes and a
fully established IPsec SA.

000 Bare Shunt list:
000
000 192.168.178.21/32:51413 -17-> 84.29.208.237/32:16881 => %hold 0    no 
routed template covers this pair
000 192.168.178.21/32:51413 -17-> 178.83.23.15/32:61970 => %hold 0    no routed 
template covers this pair
000 192.168.178.21/32:51413 -17-> 178.155.4.210/32:47286 => %hold 0    no 
routed template covers this pair

And this suggests that the one IPsec SA that is up no longer has the
eroute, and all your packets are hitting the %trap and are awaiting a
functional tunnel.

Can you see if the issue goes away with our pre-release code? We did
make a number of changes in the reconnect/replace logic of connections.

https://download.libreswan.org/development/libreswan-3.24rc4.tar.gz

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
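
Added example, not part of the original mail and not libreswan code: a small Python check that flags the two symptoms described in the reply in `ipsec status` output, namely Quick Mode states still in STATE_QUICK_I1 beside an established IPsec SA, and bare shunts sitting in %hold. The sample input is constructed from the lines shown in the thread, and the function name `analyse` is hypothetical.

```python
import re

# Constructed sample: state and shunt lines in the shape shown in the thread,
# with the mail client's line wrapping undone.
SAMPLE = """\
000 #1: "my-vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3583s; newest ISAKMP
000 #2: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s
000 #3: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s
000 #6: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); newest IPSEC; eroute owner
000 #6: "my-vpn" ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B username=myself
000 Bare Shunt list:
000
000 192.168.178.21/32:51413 -17-> 84.29.208.237/32:16881 => %hold 0    no routed template covers this pair
"""

# '000 #<serial>: "<conn>"[:port] STATE_xxx (...)'
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)"\S* (STATE_\w+) ')
# '000 <src> -<proto>-> <dst> => %<shunt kind>'
SHUNT_RE = re.compile(r'^000 (\S+) -(\d+)-> (\S+) => (%\w+)')

def analyse(status_text):
    """Return (stuck, held): connections with pending Quick Mode attempts next
    to an established IPsec SA, and bare shunts that are in %hold."""
    by_conn, held = {}, []
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if m:
            serial, conn, state = m.groups()
            by_conn.setdefault(conn, {}).setdefault(state, []).append(int(serial))
            continue
        m = SHUNT_RE.match(line)
        if m and m.group(4) == "%hold":
            held.append((m.group(1), int(m.group(2)), m.group(3)))
    stuck = {}
    for conn, states in by_conn.items():
        pending = states.get("STATE_QUICK_I1", [])
        if pending and "STATE_QUICK_I2" in states:
            stuck[conn] = {"pending": pending,
                           "established": states["STATE_QUICK_I2"]}
    return stuck, held

if __name__ == "__main__":
    stuck, held = analyse(SAMPLE)
    for conn, s in stuck.items():
        print(f"{conn}: IPsec SA {s['established']} up, Quick Mode pending in {s['pending']}")
    for src, proto, dst in held:
        print(f"%hold shunt: {src} -> {dst} (protocol {proto})")
```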