On Tue, 9 Jul 2019, Adam Tauno Williams wrote:
I have a working ipsec server - let's call it X2.X2.X2.X2 - connected via GRE tunnels to three Cisco 890 series routers. It works!
Yes it shows the new site is ipsec. You can run ipsec trafficstatus to see byte counters, so if you do a ping (with proper source IP) then you can check the outBytes to see if it got encrypted, and inBytes to see if it got encrypted replies. Then you can likely narrow down the specific issue.

Paul
I am attempting to add a fourth, and I believe the association says it is up. ISAKMP and SA show as ready on the Cisco side of the new site - let's call it X1.X1.X1.X1. The status messages appear the same as for a working side - called X3.X3.X3.X3. And I can see ESP packets leave the ipsec server (X2) for the new site (X1). However neither side ever shows any packets received on their GRE tunnels. Even when pinging just the other end of the tunnel. Any suggestions would be great, I am flummoxed. I've verified the configs over and over, checked all the status logs, the routing tables, etc... I would expect a firewall, but the tunnel shows as status up.

"ets-gre" is the new site, X1.X1.X1.X1

000 "ets-gre": X2.X2.X2.X2<X2.X2.X2.X2>:47/0---192.168.1.6...X1.X1.X1.X1<X1.X1.X1.X1>:47/0; erouted; eroute owner: #705
000 "ets-gre": oriented; my_ip=unset; their_ip=unset
000 "ets-gre": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "ets-gre": our auth:secret, their auth:secret
000 "ets-gre": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "ets-gre": labeled_ipsec:no;
000 "ets-gre": policy_label:unset;
000 "ets-gre": ike_life: 86400s; ipsec_life: 43200s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "ets-gre": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ets-gre": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "ets-gre": policy: PSK+ENCRYPT+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "ets-gre": conn_prio: 32,32; interface: ens224; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "ets-gre": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "ets-gre": newest ISAKMP SA: #704; newest IPsec SA: #705;
000 "ets-gre": IKE algorithm newest: AES_CBC_256-SHA1-MODP1536
000 "ets-gre": ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>
000 #705: "ets-gre":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 36540s; newest IPSEC; eroute owner; isakmp#704; idle; import:not set
000 #705: "ets-gre" [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=315KB! ESPmax=4194303B
000 #704: "ets-gre":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 80041s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set

ip -s xfrm state

src X1.X1.X1.X1 dst X2.X2.X2.X2 # NEW SITE
    proto esp spi 0x2a981050(714608720) reqid 16397(0x0000400d) mode transport
    replay-window 32 seq 0x00000000 flag (0x00000000)
    auth-trunc hmac(sha1) 0x136809bee86d8e91$$$16b3dbb908f6728e3fc53 (160 bits) 96
    enc cbc(aes) 0xb1d125f75985802df444$$$81cb3aa7 (128 bits)
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    sel src X1.X1.X1.X1/32 dst X2.X2.X2.X2/32 proto gre uid 0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-09 14:00:54 use -
    stats:
      replay-window 0 replay 0 failed 0
src X2.X2.X2.X2 dst X1.X1.X1.X1 # NEW SITE
    proto esp spi 0x75dd8022(1977450530) reqid 16397(0x0000400d) mode transport
    replay-window 32 seq 0x00000000 flag (0x00000000)
    auth-trunc hmac(sha1) 0x7625a3b3aebab530277811$$$46f9ef26dbe8e6 (160 bits) 96
    enc cbc(aes) 0xc4f47296aa3fc2b1d5$$$$1bb376684b (128 bits)
    anti-replay context: seq 0x0, oseq 0xe59, bitmap 0x00000000
    sel src X2.X2.X2.X2/32 dst X1.X1.X1.X1/32 proto gre uid 0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      323304(bytes), 3673(packets)
      add 2019-07-09 14:00:54 use 2019-07-09 14:05:13
    stats:
      replay-window 0 replay 0 failed 0
src X3.X3.X3.X3 dst X2.X2.X2.X2 # WORKING SITE
    proto esp spi 0x7512490f(1964132623) reqid 16405(0x00004015) mode transport
    replay-window 32 seq 0x00000000 flag (0x00000000)
    auth-trunc hmac(sha1) 0xa0ceadeee5a8$$$226b152ce306d83a6ed58ae64 (160 bits) 96
    enc cbc(aes) 0xb1d9d0b161b93aa859$$$c5c3c030bf1 (128 bits)
    anti-replay context: seq 0x164b, oseq 0x0, bitmap 0xffffffff
    sel src X3.X3.X3.X3/32 dst X2.X2.X2.X2/32 proto gre uid 0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      1801839(bytes), 5707(packets)
      add 2019-07-09 14:56:52 use 2019-07-09 14:56:52
    stats:
      replay-window 0 replay 0 failed 0
src X2.X2.X2.X2 dst X3.X3.X3.X3 # WORKING SITE
    proto esp spi 0xfe5da2d9(4267549401) reqid 16405(0x00004015) mode transport
    replay-window 32 seq 0x00000000 flag (0x00000000)
    auth-trunc hmac(sha1) 0xad31b5e0ba8657***7516b02f75e4954c057b1fe (160 bits) 96
    enc cbc(aes) 0x6042b476e3e339***efba8435335b65c (128 bits)
    anti-replay context: seq 0x0, oseq 0x2a4d, bitmap 0x00000000
    sel src X2.X2.X2.X2/32 dst X3.X3.X3.X3/32 proto gre uid 0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      2206891(bytes), 10829(packets)
      add 2019-07-09 14:56:52 use 2019-07-09 14:56:52
    stats:

-- 
Adam Tauno Williams, [email protected]
Multi-Modal Activists Against Auto Dependent Development
resisting the unAmerican socialists of the Motorist hegemony
http://www.mmaaadd.org
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
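Added example, not from the thread or from libreswan: a small Python checker that applies Paul's byte-counter test to `ip -s xfrm state` output, pairing each outbound ESP SA with its reverse SA and flagging peers where we send but never receive (the new site's ESPin=0B symptom). The sample input is constructed from Adam's output, abbreviated to the lines the checker needs, with the keys omitted.

```python
import re

# Constructed sample modelled on the thread's `ip -s xfrm state` output
# (keys and lifetime-config lines dropped; X1/X2/X3 are the thread's placeholders).
SAMPLE = """\
src X1.X1.X1.X1 dst X2.X2.X2.X2
    proto esp spi 0x2a981050(714608720) reqid 16397(0x0000400d) mode transport
    sel src X1.X1.X1.X1/32 dst X2.X2.X2.X2/32 proto gre uid 0
    lifetime current:
      0(bytes), 0(packets)
src X2.X2.X2.X2 dst X1.X1.X1.X1
    proto esp spi 0x75dd8022(1977450530) reqid 16397(0x0000400d) mode transport
    sel src X2.X2.X2.X2/32 dst X1.X1.X1.X1/32 proto gre uid 0
    lifetime current:
      323304(bytes), 3673(packets)
src X3.X3.X3.X3 dst X2.X2.X2.X2
    proto esp spi 0x7512490f(1964132623) reqid 16405(0x00004015) mode transport
    lifetime current:
      1801839(bytes), 5707(packets)
src X2.X2.X2.X2 dst X3.X3.X3.X3
    proto esp spi 0xfe5da2d9(4267549401) reqid 16405(0x00004015) mode transport
    lifetime current:
      2206891(bytes), 10829(packets)
"""

# An SA block starts with an unindented "src A dst B" line; "sel src ..." lines are indented.
SA_RE = re.compile(r"^src (\S+) dst (\S+)", re.M)
CUR_RE = re.compile(r"lifetime current:\s+(\d+)\(bytes\), (\d+)\(packets\)")

def parse_xfrm_state(text):
    """Return {(src, dst): (bytes, packets)} for every SA block in the output."""
    sas = {}
    heads = list(SA_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        cur = CUR_RE.search(text[m.start():end])
        counters = (int(cur.group(1)), int(cur.group(2))) if cur else (0, 0)
        sas[(m.group(1), m.group(2))] = counters
    return sas

def one_way_peers(sas, local):
    """Peers for which our outbound SA carries traffic but the inbound SA has seen nothing."""
    bad = []
    for (src, dst), (out_bytes, _) in sas.items():
        if src != local:
            continue
        in_bytes, _ = sas.get((dst, src), (0, 0))
        if out_bytes > 0 and in_bytes == 0:
            bad.append(dst)
    return sorted(bad)

if __name__ == "__main__":
    for peer in one_way_peers(parse_xfrm_state(SAMPLE), "X2.X2.X2.X2"):
        print(f"{peer}: ESP sent but none received; check the return path to us at that site")
```

On a live host, feed it the real output with `ip -s xfrm state` piped into `parse_xfrm_state`; a peer listed here has its inbound direction broken somewhere between its encryptor and our decryptor, which is where a firewall or return route would show up.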
