On Sat, Oct 13, 2018 at 07:45:57PM -0400, Paul Wouters wrote:
> Rekeying support got extended and improved, so please try 3.27. We do
> know there is at least one interop issue left that we see on Cisco, so
> I'm not guaranteeing your issue will be resolved.

Hi Paul,

Upgraded to 3.27. Still getting the problem after a fast restart. If I wait, say, 15 seconds to restart, most but not all the subnets work. Sometimes a subnet will work from libreswan box but not behind it, sometimes the reverse, and sometimes not from either. The majority always work, but a different majority. The pattern is still that if I wait a minute to restart, all subnets connect. It's as if something has to reset on the Cisco for the restart to be clean.

When I've spoken with the various admins on the Cisco side (this is for a private cloud setup at Rackspace), they haven't come up with much of an explanation.

The problems may all be in routing from this end to subnets behind the Cisco. Subnets behind the Cisco can at least sometimes reach addresses on subnets here, which aren't working the other way. This does not cause it to start working from this side. It seems like off and on with a minute between is the only reliable method I've tried so far -- although as I mentioned previously it does look like it can also spontaneously recover.

Proxyarp is (and has been) 0 for the LAN interface on the libreswan box. I suppose some other box on the LAN could have it on though. I can't see how that should affect traffic from the libreswan box itself even if it is the case, so likely not the problem.

Thanks again for your help.

Whit

_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
