On Sun, 29 Jan 2023, [email protected] wrote:

> I have two sites which I am trying to connect using a site-to-site VPN.
> Initially I had a lot of challenges because at the HO, the Linux machine
> had a Public IP directly configured, while at the Site Office the Linux
> machine was behind an ISP router. Anyhow the tunnel gets established now,
> but machines on both sides cannot reach each other.

On the HO use auto=add and not auto=ondemand or auto=start
On the Site Office, use auto=start

That should hopefully prevent two connections racing each other
and one of them failing, impacting the other.

> The HO Configuration
>
> conn PLUTOSUBNET
>         also=EUROPA-PLUTO
>         leftsubnet=10.10.128.0/24
>         leftsourceip=10.10.128.100
>         rightsubnet=192.168.1.0/24
>         rightsourceip=192.168.1.1
>         auto=start

you cannot use auto=start because you cannot initiate to a machine
behind NAT. The other end should initiate to here.

>         encapsulation=yes

It's better not to specify this and let the auto-detection handle this.

> The Site Office configuration
>
> conn PLSUBNET
>         also=PLUTO-EUROPA
>         leftsubnet=10.10.128.0/24
>         leftsourceip=10.10.128.100
>         rightsubnet=192.168.1.0/24
>         rightsourceip=192.168.1.1
>         auto=start
> conn PLUTO-EUROPA
>         type=tunnel
>         left=%defaultroute
>         leftid=W.X.Y.Z
>         right=A.B.C.D
>         authby=secret
>         ikev2=insist
>         pfs=no
>         ike=aes256-sha2_512+sha2_256-dh21
>         esp=aes256-sha2_512+sha1+sha2_256;dh21
>         dpddelay=5
>         dpdtimeout=120
>         dpdaction=restart
>         encapsulation=yes

Same here, remove the encapsulation=yes here too.

> The Logs from the HO machine
>
> 980030: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 16 seconds for response
> 984155: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 32 seconds for response
> 634277: "PLUTOSUBNET" #9: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_521 chosen f

Looks like states 8 and 9 are fighting here.

> "PLUTOSUBNET" #10: negotiated connection [192.168.1.0-192.168.1.255:0-65535 0] -> [10.10.128.0-10.10.128.255:0-65535 0]
> "PLUTOSUBNET" #10: IPsec SA established tunnel mode {ESPinUDP=>0xcff38461 <0x51123a6c xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=W.X.Y.Z:4500 DPD=active}
> "PLUTOSUBNET" #8: suppressing retransmit because IKE SA was superseded #9 try=4; drop this negotiation
> "PLUTOSUBNET" #8: deleting state (STATE_PARENT_I1) aged 64.012686s and NOT sending notification

9 won and 8 was deleted. This _should_ be fine. But perhaps the other
end did something different.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
