Hi Paul
Also, an observation I could make is that when the machine at Site Office tries to reach the HO VPN server, even though the ping does not happen, I can see the traffic go up incrementally on both sides. However, when the HO tries to reach the Site Office, traffic from HO goes out and likewise the In traffic at Site Office also goes up incrementally, but there is no Out traffic from Site Office. Attaching the observation FYI. Any thoughts...?

When Site Office tries to reach HO

At Site Office
Traffic: ESPin=8KB ESPout=8KB! ESPmax=0B
Response at HO
Traffic: ESPin=8KB ESPout=8KB! ESPmax=0B

When HO tries to reach Site Office

At HO
Traffic: ESPin=0B ESPout=8KB! ESPmax=0B
Response at Site Office
Traffic: ESPin=8KB ESPout=0B! ESPmax=0B

On 2023-02-01 02:22, Paul Wouters wrote:

So both agree on the tunnel and the traffic counters. It looks
operational.

I wonder if there is some kind of firewall on the network that allows
the initial packets but then starts blocking things ?

Sent using a virtual keyboard on a phone

On Jan 31, 2023, at 12:40, [email protected] wrote:

Hi Paul
Kindly find the output of ipsec whack --showstates from both sides
please.

At HO

000 #5: "PLUTOSUBNET":1208 STATE_V2_ESTABLISHED_IKE_SA (established
IKE SA); EVENT_SA_REKEY in 28511s; newest ISAKMP; idle;
000 #6: "PLUTOSUBNET":1208 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA
established); EVENT_SA_REKEY in 28511s; newest IPSEC; eroute owner;
isakmp#5; idle;
000 #6: "PLUTOSUBNET" [email protected] [email protected]
[email protected] [email protected] Traffic: ESPin=168B ESPout=168B!
ESPmax=0B

At Site Office

000 #1: "PLSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE
SA); EVENT_SA_REKEY in 27743s; newest ISAKMP; idle;
000 #2: "PLSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA
established); EVENT_SA_REKEY in 27984s; newest IPSEC; eroute owner;
isakmp#1; idle;
000 #2: "PLSUBNET" [email protected] [email protected]
[email protected] [email protected] Traffic: ESPin=168B ESPout=168B!
ESPmax=0B

Thanks, Best
BA

On 2023-01-31 22:01, Paul Wouters wrote:

On Mon, 30 Jan 2023, [email protected] wrote:

I changed the HO's statement to auto=add while keeping auto=start at
the Site Office. Also removed encapsulation statement at both
ends, However there is no change in status, both machines are unable
to reach each other. The tunnel is getting established as
always, attaching the logs from both sides FYI.

Once the tunnel is not working, can you run on both ends:

ipsec whack --showstates

Let's see if both ends are still thinking the tunnel is up or not.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
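
Added example, not part of the original thread and not libreswan code: a small Python helper that reads the `Traffic:` counter line from each gateway, as posted above, and reports at which hop a request/reply exchange stops. It assumes the counters started from zero for the test being examined and that the unit suffixes are B/KB/MB/GB in multiples of 1024; the function names are hypothetical.

```python
import re

# Assumption: counter suffixes are B/KB/MB/GB in multiples of 1024.
UNITS = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3}
TRAFFIC_RE = re.compile(r"ESPin=(\d+)([KMG]?B)\s+ESPout=(\d+)([KMG]?B)")


def parse_traffic(line):
    """Return (esp_in_bytes, esp_out_bytes) from a 'Traffic:' status line."""
    m = TRAFFIC_RE.search(line)
    if m is None:
        raise ValueError(f"no ESP counters in: {line!r}")
    return int(m[1]) * UNITS[m[2]], int(m[3]) * UNITS[m[4]]


def diagnose(initiator_line, responder_line):
    """Say where the exchange stops, walking the path from the initiating end."""
    i_in, i_out = parse_traffic(initiator_line)
    r_in, r_out = parse_traffic(responder_line)
    if i_out == 0:
        return "initiator encrypted nothing: traffic never entered the tunnel"
    if r_in == 0:
        return "ESP sent but not received: dropped between the gateways"
    if r_out == 0:
        return "request decrypted at responder, no reply encrypted there"
    if i_in == 0:
        return "reply encrypted by responder but not received by initiator"
    return "ESP flows both ways: look beyond the tunnel counters"


if __name__ == "__main__":
    # Counter lines as posted in the thread above (HO initiating).
    ho = "Traffic: ESPin=0B ESPout=8KB! ESPmax=0B"
    site = "Traffic: ESPin=8KB ESPout=0B! ESPmax=0B"
    print(diagnose(ho, site))
```

The counters only show what each gateway encrypted and decrypted; they do not say why a reply was never handed to the tunnel, so the result narrows the search to one side rather than naming a cause.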
