Hi, I'm using libreswan-4.11-1.fc37.x86_64 on two Fedora 37 hosts to try to build a VPN between them. It was working fine for some days, but I believe I changed something on one of the servers, not related to libreswan, that caused it to stop working. It appears they're not communicating, like a routing problem or protocol issue. I really have no idea how to troubleshoot this.
The server where I believe the problem is also has another libreswan VPN that also stopped working at the same time. Here's the config info I think could help with troubleshooting this, from the host with the problem.

# ipsec status whack --showstates
000 #43: "mail03-arcade":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #43: pending CHILD SA for "mail03-arcade"
000 #44: "mail03-polaris":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #44: pending CHILD SA for "mail03-polaris"

Jun 4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
Jun 4 11:49:49.468301: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Jun 4 11:49:49.968929: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response

Here's also a pastebin for "ipsec status" on the server that I believe has the problem: https://pastebin.com/sezgcCGK

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         68.195.111.41   0.0.0.0         UG    0      0        0 enp3s0
68.195.111.40   0.0.0.0         255.255.255.248 U     0      0        0 enp3s0
192.168.1.0     68.195.111.42   255.255.255.0   UG    0      0        0 enp3s0

# ip a l enp3s0
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:b7:85:00:90:12 brd ff:ff:ff:ff:ff:ff
    inet 68.195.111.45/29 brd 68.195.111.47 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 ::9ab7:85ff:fe00:9012/64 scope global dynamic mngtmpaddr
       valid_lft 3598sec preferred_lft 3598sec
    inet6 fe80::9ab7:85ff:fe00:9012/64 scope link
       valid_lft forever preferred_lft forever

# cat /etc/ipsec.conf|grep -Ev '#|^$'
config setup
    logfile=/var/log/pluto.log
    plutodebug="base"
    protostack=netkey
include /etc/ipsec.d/*.conf
conn mail03-polaris
    ikev2=insist
    authby=rsasig
    auto=start
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    leftid=@mail03-polaris
    left=mail03.example.com
    leftrsasigkey=0sAwEAAc6MjfCgIevnKOqbiEa4Xtc3dIliJHwMq3UtJ4tnB1EVylAz+6XHWuC9K15re6vunBi45jqoI0zKQioLL9bMfvlLUHQFVL03EH1trAsmXc8YGN ...
    rightid=@polaris-mail03
    right=polaris.example.com
    rightrsasigkey=0sAwEAAa9XC9vHpR61Gpu6AL8aRLFMztYeFOHzXXjnrfDuictzqJXn6zyjZvleg9oXuX6zOZFLz6oRoobNa5T+aTvAPH7DeJk2Jp4t+PZTbQB7krrdY...

How do I enable a reasonable amount of logging? Even plutodebug="base" is entirely too detailed for me to identify any useful info. I'm using iptables and have rules that allow unimpeded traffic to and from each host. Thank you very much. I've spent hours trying to figure this out, so I really appreciate your help.
_______________________________________________ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan
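An added example, not from the original post or from the libreswan project: a small Python triage script that parses the two kinds of output quoted above (`whack --showstates` lines from the initiator and pluto.log lines from the peer) and correlates them per connection, so the "initiator stuck in STATE_V2_PARENT_I1 retransmitting while the responder reports duplicate IKE_SA_INIT requests" pattern is flagged as a lost reply on the return path rather than a config or crypto problem. It assumes both ends use the same connection name (as in the quoted output); the sample lines are constructed from the post.

```python
import re

# Constructed samples modelled on the post: the initiator's `ipsec whack --showstates`
# lines, and pluto.log lines collected on the peer (responder) side.
INITIATOR_STATES = """\
000 #43: "mail03-arcade":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #43: pending CHILD SA for "mail03-arcade"
000 #44: "mail03-polaris":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
"""
RESPONDER_LOG = """\
Jun 4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
Jun 4 11:49:49.468301: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Jun 4 11:49:49.968929: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
"""
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":(\d+) (STATE_\w+)')
LOG_RE = re.compile(r'^\w{3} +\d+ [\d:.]+: "([^"]+)" #(\d+): (.*)$')

def parse_states(text):
    """conn name -> IKE SA state from whack --showstates ("pending CHILD SA" lines skipped)."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            states[m.group(2)] = m.group(4)
    return states

def parse_log(text):
    """conn name -> list of pluto log messages, with timestamp and SA number dropped."""
    events = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.setdefault(m.group(1), []).append(m.group(3))
    return events

def diagnose(initiator_states, responder_events):
    """Initiator stuck in PARENT_I1 while the responder already sent its reply and keeps
    seeing duplicate requests => reply lost on the return path (check inbound UDP/500 and
    UDP/4500 on the initiator, and the responder's route back to it)."""
    verdicts = {}
    for conn, state in initiator_states.items():
        ev = responder_events.get(conn, [])
        stuck = state == "STATE_V2_PARENT_I1"
        sent_reply = any(e.startswith("sent IKE_SA_INIT reply") for e in ev)
        dups = sum("duplicate IKE_SA_INIT" in e for e in ev)
        verdicts[conn] = "init-ok"
        if stuck and sent_reply and dups:
            verdicts[conn] = "reply-lost-on-return-path"
        elif stuck and not ev:  # request never arrived, or the peer log was not collected
            verdicts[conn] = "no-responder-events"
    return verdicts
```

Run `diagnose(parse_states(INITIATOR_STATES), parse_log(RESPONDER_LOG))` against real output from both hosts; a connection flagged as reply-lost points at filtering or routing of the IKE reply, not at the IKE configuration.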