On 21.01.21 20:53, Kontakt wrote:
> Hello,
> I have a problem. ipsec tunnel compiled on libreswan 4.1 (centos 8) for 1
> client causes it to disconnect after 3600s. The same configuration on
> libreswan 3.23 (centos 7) does not cause such problems. Conf file,
> password, iptables, entries in routing table identical.
> I checked sysctl - identical. The only difference is selinux (centos 7 has
> enforce, centos 8 disabled).
>
> libreswan 3.23 (centos 7):
>
> *ipsec verify*
> Verifying installed system and configuration files
>
> Version check and ipsec on-path [OK]
> Libreswan 3.23 (netkey) on 3.10.0-862.3.2.el7.x86_64
> Checking for IPsec support in kernel [OK]
> NETKEY: Testing XFRM related proc values
> ICMP default/send_redirects [NOT DISABLED]
>
> Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY
> will act on or cause sending of bogus ICMP redirects!
>
> ICMP default/accept_redirects [OK]
> XFRM larval drop [OK]
> Pluto ipsec.conf syntax [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/em1/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/em2/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
> rp_filter is not fully aware of IPsec and should be disabled
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for IKE/NAT-T on udp 4500 [OK]
> Pluto ipsec.secret syntax [OK]
> Checking 'ip' command [OK]
> Checking 'iptables' command [OK]
> Checking 'prelink' command does not interfere with FIPS [OK]
> Checking for obsolete ipsec.conf options [OK]
>
> ipsec verify: encountered 12 errors - see 'man ipsec_verify' for help
>
> *And for libreswan 4.1 (centos 8):*
> *ipsec verify*
>
> Verifying installed system and configuration files
>
> Version check and ipsec on-path [OK]
> Libreswan 4.1 (netkey) on 4.18.0-193.28.1.el8_2.x86_64
> Checking for IPsec support in kernel [OK]
> NETKEY: Testing XFRM related proc values
> ICMP default/send_redirects [OK]
> ICMP default/accept_redirects [OK]
> XFRM larval drop [OK]
> Pluto ipsec.conf syntax [OK]
> Checking rp_filter [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for IKE/NAT-T on udp 4500 [OK]
> Pluto ipsec.secret syntax [OK]
> Checking 'ip' command [OK]
> Checking 'iptables' command [OK]
> Checking 'prelink' command does not interfere with FIPS [OK]
> Checking for obsolete ipsec.conf options [OK]
>
> Where to look for the problem?
>
>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
Logs? Of both sides? Seems the child negotiation somehow fails. But the reason should be in the logs.

Kind regards,

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
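As an added example that is not part of the thread, the small parser below reads the two `ipsec verify` transcripts quoted above (trimmed to the lines that carry a bracketed status, with their values as printed on the page) and reports every check that is not `[OK]` plus every check whose status differs between the two hosts. Run against the quoted output it shows that the CentOS 7 host flags `rp_filter` as ENABLED and `send_redirects` as NOT DISABLED while the CentOS 8 host reports both as OK, which is the kind of host-to-host difference worth confirming before digging into the IKE logs. The function names and the line format assumed by the regular expression are this example's own, not libreswan's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two `ipsec verify` transcripts quoted in the
# thread (Libreswan 3.23 on CentOS 7 and Libreswan 4.1 on CentOS 8), reduced
# to the lines that carry a bracketed status.
VERIFY_LIBRESWAN_323 = """\
Version check and ipsec on-path                    [OK]
Checking for IPsec support in kernel               [OK]
 ICMP default/send_redirects                       [NOT DISABLED]
 ICMP default/accept_redirects                     [OK]
 XFRM larval drop                                  [OK]
Pluto ipsec.conf syntax                            [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter                                 [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter             [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter         [ENABLED]
 /proc/sys/net/ipv4/conf/em1/rp_filter             [ENABLED]
 /proc/sys/net/ipv4/conf/em2/rp_filter             [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter         [ENABLED]
Checking that pluto is running                     [OK]
Pluto listening for IKE on udp 500                 [OK]
Pluto listening for IKE/NAT-T on udp 4500          [OK]
Pluto ipsec.secret syntax                          [OK]
Checking 'ip' command                              [OK]
Checking 'iptables' command                        [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options           [OK]
"""

VERIFY_LIBRESWAN_41 = """\
Version check and ipsec on-path                    [OK]
Checking for IPsec support in kernel               [OK]
 ICMP default/send_redirects                       [OK]
 ICMP default/accept_redirects                     [OK]
 XFRM larval drop                                  [OK]
Pluto ipsec.conf syntax                            [OK]
Checking rp_filter                                 [OK]
Checking that pluto is running                     [OK]
Pluto listening for IKE on udp 500                 [OK]
Pluto listening for IKE/NAT-T on udp 4500          [OK]
Pluto ipsec.secret syntax                          [OK]
Checking 'ip' command                              [OK]
Checking 'iptables' command                        [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options           [OK]
"""

# One "<check name>   [STATUS]" line (assumed format): the name may contain
# spaces, slashes and quotes; the status is upper-case words such as OK,
# ENABLED or NOT DISABLED.
_CHECK_LINE = re.compile(r"^\s*(?P<name>.*?)\s+\[(?P<status>[A-Z][A-Z ]*)\]\s*$")


def parse_verify(text: str) -> Dict[str, str]:
    """Map each check name to its bracketed status; other lines are ignored."""
    results: Dict[str, str] = {}
    for line in text.splitlines():
        m = _CHECK_LINE.match(line)
        if m:
            results[m.group("name")] = m.group("status")
    return results


def failing_checks(results: Dict[str, str]) -> List[Tuple[str, str]]:
    """Checks whose status is anything other than OK, in output order."""
    return [(name, status) for name, status in results.items() if status != "OK"]


def diff_verify(
    a: Dict[str, str], b: Dict[str, str]
) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Checks that differ between two hosts; a check missing on one side shows as None."""
    names = list(a) + [n for n in b if n not in a]
    return [(n, a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)]


if __name__ == "__main__":
    old = parse_verify(VERIFY_LIBRESWAN_323)
    new = parse_verify(VERIFY_LIBRESWAN_41)
    for name, status in failing_checks(old):
        print(f"3.23 host: {name!r} -> {status}")
    for name, s_old, s_new in diff_verify(old, new):
        print(f"differs: {name!r}: 3.23={s_old} 4.1={s_new}")
```

To compare two real hosts, capture `ipsec verify` on each, feed the two texts to `parse_verify`, and look at `diff_verify` first: checks present on only one side (here the per-interface `rp_filter` lines) are as telling as checks whose status flipped.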