On Wednesday, 9 May 2018 17:45:11 CEST Paul Wouters wrote:
> On Wed, 9 May 2018, Thomas Stein wrote:
>
> > I do not have any of these routes. Maybe the output of ipsec status sheds
> > some light?
> >
> > 000 #1: "my-vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3583s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #2: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #3: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #4: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #5: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #6: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 28031s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
> > 000 #6: "my-vpn" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B username=myself
>
> This looks buggy. You should not have those partial quick modes and a
> fully established IPsec SA.
> >
> > 000 Bare Shunt list:
> > 000
> > 000 192.168.178.21/32:51413 -17-> 84.29.208.237/32:16881 => %hold 0 no routed template covers this pair
> > 000 192.168.178.21/32:51413 -17-> 178.83.23.15/32:61970 => %hold 0 no routed template covers this pair
> > 000 192.168.178.21/32:51413 -17-> 178.155.4.210/32:47286 => %hold 0 no routed template covers this pair
>
> And this suggests that the one IPsec SA that is up no longer has the
> eroute, and all your packets are hitting the %trap and are awaiting a
> functional tunnel.
>
> Can you see if the issue goes away with our pre-release code? We did
> make a number of changes in the reconnect/replace logic of connections.
>
> https://download.libreswan.org/development/libreswan-3.24rc4.tar.gz

Now I have the routes in question. But still no internet connectivity.
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27905s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "my-vpn" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=2KB! ESPmax=4194303B username=myself
000
000 Bare Shunt list:
000

rather /etc/ipsec.d # ip r
0.0.0.0/1 dev wlan0 scope link src xxx.xxx.xxx.193
default via 192.168.178.1 dev wlan0 proto dhcp src 192.168.178.21 metric 2007
128.0.0.0/1 dev wlan0 scope link src xxx.xxx.xxx.193
192.168.178.0/24 dev wlan0 proto dhcp scope link src 192.168.178.21 metric 200

Am I supposed to have some iptables rules? I have none so far:

rather /etc/ipsec.d # iptables -nvL
Chain INPUT (policy ACCEPT 3114K packets, 4431M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1543K packets, 110M bytes)
 pkts bytes target     prot opt in     out     source               destination

rather /etc/ipsec.d # iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

rather /etc/ipsec.d #

thanks and cheers
t.

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
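The two symptoms Paul reads out of the status dump (partial Quick Mode states lingering next to an established IPsec SA, and bare shunts stuck in %hold because no routed template covers the traffic) are easy to miss by eye in a long `ipsec status` listing. The following health check is an added example, not code from the thread or from libreswan: it parses the `000 #N:` state lines, the per-SA traffic counters and the "Bare Shunt list" section and returns findings for those conditions, plus a one-way-traffic warning for the second dump (ESPout growing while ESPin stays at zero). The two sample dumps are constructed from the lines posted above, with the redacted identity fields dropped; the regular expressions, thresholds and wording of the findings are my own assumptions, not libreswan's.

```python
"""Health check over libreswan `ipsec status` output (added example)."""
import re
from collections import defaultdict

# Constructed samples, abbreviated from the two dumps posted in the thread.
STATUS_BEFORE = """\
000 #1: "my-vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3583s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #3: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #6: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 28031s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #6: "my-vpn" ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B username=myself
000
000 Bare Shunt list:
000
000 192.168.178.21/32:51413 -17-> 84.29.208.237/32:16881 => %hold 0 no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 178.83.23.15/32:61970 => %hold 0 no routed template covers this pair
"""

STATUS_AFTER = """\
000 #2: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27905s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "my-vpn" ref=0 refhim=0 Traffic: ESPin=0B ESPout=2KB! ESPmax=4194303B username=myself
000
000 Bare Shunt list:
000
"""

# Patterns are assumptions about the libreswan 3.x text format seen above.
STATE_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"(?::\d+)? (?P<state>STATE_\w+)')
TRAFFIC_RE = re.compile(r'^000 #(?P<num>\d+): "[^"]+" .*ESPin=(?P<esp_in>\d+)(?P<in_unit>[BKMG])'
                        r' ESPout=(?P<esp_out>\d+)(?P<out_unit>[BKMG])')
SHUNT_RE = re.compile(r'^000 (?P<src>[\d.]+/\d+(?::\d+)?) -(?P<proto>\d+)-> '
                      r'(?P<dst>[\d.]+/\d+(?::\d+)?) => %(?P<kind>\w+)')
UNIT = {"B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_status(text):
    """Return (states, traffic, shunts) parsed from `ipsec status` output.

    states:  list of (state number, connection name, STATE_*, full line)
    traffic: dict state number -> (ESP bytes in, ESP bytes out)
    shunts:  list of (src, ip protocol, dst, shunt kind such as 'hold')
    """
    states, traffic, shunts = [], {}, []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            states.append((int(m["num"]), m["conn"], m["state"], line))
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            traffic[int(m["num"])] = (int(m["esp_in"]) * UNIT[m["in_unit"]],
                                      int(m["esp_out"]) * UNIT[m["out_unit"]])
            continue
        m = SHUNT_RE.match(line)
        if m:
            shunts.append((m["src"], m["proto"], m["dst"], m["kind"]))
    return states, traffic, shunts


def check_status(text):
    """Return a list of human-readable findings for one status dump."""
    states, traffic, shunts = parse_status(text)
    findings = []
    partial, established, owners = defaultdict(list), defaultdict(list), set()
    for num, conn, state, line in states:
        if state == "STATE_QUICK_I1":          # QI1 sent, still waiting for QR1
            partial[conn].append(num)
        elif state == "STATE_QUICK_I2":        # IPsec SA established
            established[conn].append(num)
            if "eroute owner" in line:         # this SA holds the kernel policy
                owners.add(num)
    # 1. Partial Quick Mode exchanges piling up next to an established SA.
    for conn, nums in partial.items():
        if established.get(conn):
            findings.append(f"{conn}: {len(nums)} partial Quick Mode exchange(s) {nums} "
                            f"alongside established IPsec SA {established[conn]}")
    # 2. An established SA exists but none of them owns the eroute.
    for conn, nums in established.items():
        if not owners.intersection(nums):
            findings.append(f"{conn}: IPsec SA {nums} established but no eroute owner")
    # 3. Eroute owner is sending ESP but never receiving any: one-way tunnel.
    for num in owners:
        esp_in, esp_out = traffic.get(num, (0, 0))
        if esp_out > 0 and esp_in == 0:
            findings.append(f"#{num}: sending ESP ({esp_out} B) but receiving none")
    # 4. Bare shunts in %hold: packets trapped waiting for a tunnel.
    held = [s for s in shunts if s[3] == "hold"]
    if held:
        findings.append(f"{len(held)} bare shunt(s) in %hold: traffic is trapped waiting for a tunnel")
    return findings


if __name__ == "__main__":
    for label, dump in (("before", STATUS_BEFORE), ("after", STATUS_AFTER)):
        print(label, check_status(dump) or ["no findings"])
```

Run it against a live dump with `ipsec status | python3 check.py` after replacing the constructed samples with `sys.stdin.read()`; the finding texts are meant for a monitoring alert, not as a diagnosis, and the %hold check is the one that most directly maps to "tunnel up but no connectivity".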
