I see in previous similar cases a suggestion has been made to get the following information. Please let me know what I should be looking to debug this issue. I did find the CHILD SAs as valid and dpd checks were successful too.
All around the same instance of time.

ip -4 route show table 0
iptables-save
ip xfrm policy
ip xfrm state

From: [email protected] [mailto:[email protected]] On Behalf Of Shukla, Sanjay
Sent: Monday, June 18, 2012 6:51 PM
To: [email protected]
Subject: [strongSwan] ipsec status shows connection is established but ping does not work / stuck

ipsec status shows connection is established but ping does not work / stuck, how can I debug this further? How do I determine the problem here?

-sanjay

[root@ffd-ipsec-180 ~]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.6.2):
uptime: 85 minutes, since Jun 18 17:24:52 2012
malloc: sbrk 622592, mmap 0, used 439696, free 182896
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 194
loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
10.204.74.180
10.204.74.182
Connections:
VIP_VIP_10.205.232.89: 10.204.74.182...10.205.232.89, dpddelay=30s
VIP_VIP_10.205.232.89: local: [10.204.74.182] uses public key authentication
VIP_VIP_10.205.232.89: cert: "C=US, ST=CT, L=Fairfield, O=IPC, CN=10.204.74.182"
VIP_VIP_10.205.232.89: remote: [%any] uses any authentication
VIP_VIP_10.205.232.89: child: dynamic === dynamic TRANSPORT, dpdaction=restart
VIP_VIP_10.205.232.89[5]: ESTABLISHED 79 minutes ago, 10.204.74.182[10.204.74.182]...10.205.232.89[10.205.232.89]
VIP_VIP_10.205.232.89[5]: IKE SPIs: 6fdd015c0d95375a_i* 8643abee4f1f4cf1_r, rekeying in 83 minutes
VIP_VIP_10.205.232.89[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VIP_VIP_10.205.232.89{2}: INSTALLED, TRANSPORT, ESP SPIs: c5bd8da5_i cb1dc544_o
VIP_VIP_10.205.232.89{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 963376 bytes_o (0s ago), rekeying in 12 minutes
VIP_VIP_10.205.232.89{2}: 10.204.74.182/32 === 10.205.232.89/32
VIP_VIP_10.205.232.89[8]: ESTABLISHED 79 minutes ago, 10.204.74.182[10.204.74.182]...10.205.232.89[10.205.232.89]
VIP_VIP_10.205.232.89[8]: IKE SPIs: efcd2d4ff0d6fa8a_i b7ea9e91ab8e70f8_r*, rekeying in 87 minutes
VIP_VIP_10.205.232.89[8]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VIP_VIP_10.205.232.89{3}: INSTALLED, TRANSPORT, ESP SPIs: c2e4e746_i cd9b6cd6_o
VIP_VIP_10.205.232.89{3}: AES_CBC_128/HMAC_SHA1_96, 47432 bytes_i (1s ago), 0 bytes_o, rekeying in 13 minutes
VIP_VIP_10.205.232.89{3}: 10.204.74.182/32 === 10.205.232.89/32
VIP_VIP_10.204.74.190[89]: ESTABLISHED 2 minutes ago, 10.204.74.182[10.204.74.182]...10.204.74.190[10.204.74.190]
VIP_VIP_10.204.74.190[89]: IKE SPIs: ed04d602820d44e9_i* 16a268916130f735_r, rekeying in 2 hours
VIP_VIP_10.204.74.190[89]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

[root@mh-ums-sec1 ~]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.6.2):
uptime: 85 minutes, since Jun 18 17:24:52 2012
malloc: sbrk 622592, mmap 0, used 453216, free 169376
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 199
loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
10.205.232.90
10.205.232.89
Connections:
VIP_VIP_10.204.74.182: 10.205.232.89...10.204.74.182, dpddelay=30s
VIP_VIP_10.204.74.182: local: [10.205.232.89] uses public key authentication
VIP_VIP_10.204.74.182: cert: "C=US, ST=CT, L=Fairfield, O=IPC, CN=10.205.232.89"
VIP_VIP_10.204.74.182: remote: [%any] uses any authentication
VIP_VIP_10.204.74.182: child: dynamic === dynamic TRANSPORT, dpdaction=restart
VIP_VIP_10.204.74.182[6]: ESTABLISHED 81 minutes ago, 10.205.232.89[10.205.232.89]...10.204.74.182[10.204.74.182]
VIP_VIP_10.204.74.182[6]: IKE SPIs: 6fdd015c0d95375a_i 8643abee4f1f4cf1_r*, rekeying in 81 minutes
VIP_VIP_10.204.74.182[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VIP_VIP_10.204.74.182{3}: INSTALLED, TRANSPORT, ESP SPIs: cb1dc544_i c5bd8da5_o
VIP_VIP_10.204.74.182{3}: AES_CBC_128/HMAC_SHA1_96, 383928 bytes_i (0s ago), 0 bytes_o, rekeying in 9 minutes
VIP_VIP_10.204.74.182{3}: 10.205.232.89/32 === 10.204.74.182/32
VIP_VIP_10.204.74.182[5]: ESTABLISHED 81 minutes ago, 10.205.232.89[10.205.232.89]...10.204.74.182[10.204.74.182]
VIP_VIP_10.204.74.182[5]: IKE SPIs: efcd2d4ff0d6fa8a_i* b7ea9e91ab8e70f8_r, rekeying in 89 minutes
VIP_VIP_10.204.74.182[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
VIP_VIP_10.204.74.182{2}: INSTALLED, TRANSPORT, ESP SPIs: cd9b6cd6_i c2e4e746_o
VIP_VIP_10.204.74.182{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 124288 bytes_o (1s ago), rekeying in 3 minutes
VIP_VIP_10.204.74.182{2}: 10.205.232.89/32 === 10.204.74.182/32

--

[root@mh-ums-sec1 ~]# !pi
ping -I10.205.232.89 10.204.74.182
PING 10.204.74.182 (10.204.74.182) from 10.205.232.89 : 56(84) bytes of data.

--- 10.204.74.182 ping statistics ---
18 packets transmitted, 0 received, 100% packet loss, time 17003ms

[root@ffd-ipsec-180 ~]# !pi
ping -I10.204.74.182 10.205.232.89
PING 10.205.232.89 (10.205.232.89) from 10.204.74.182 : 56(84) bytes of data.

--- 10.205.232.89 ping statistics ---
18 packets transmitted, 0 received, 100% packet loss, time 17002ms
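Added example, not part of the original messages and not strongSwan code: a Python check that pairs each CHILD_SA's outbound ESP SPI on one host with the same inbound SPI on the peer and compares the byte counters from the two `ipsec statusall` outputs quoted above. The function names and verdict strings are assumptions made for this example; because the two outputs were captured at slightly different moments, only zero versus non-zero is compared.

```python
import re
# CHILD_SA lines copied from the two `ipsec statusall` outputs in the post.
FFD = """\
VIP_VIP_10.205.232.89{2}: INSTALLED, TRANSPORT, ESP SPIs: c5bd8da5_i cb1dc544_o
VIP_VIP_10.205.232.89{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 963376 bytes_o (0s ago), rekeying in 12 minutes
VIP_VIP_10.205.232.89{3}: INSTALLED, TRANSPORT, ESP SPIs: c2e4e746_i cd9b6cd6_o
VIP_VIP_10.205.232.89{3}: AES_CBC_128/HMAC_SHA1_96, 47432 bytes_i (1s ago), 0 bytes_o, rekeying in 13 minutes
"""
MH = """\
VIP_VIP_10.204.74.182{3}: INSTALLED, TRANSPORT, ESP SPIs: cb1dc544_i c5bd8da5_o
VIP_VIP_10.204.74.182{3}: AES_CBC_128/HMAC_SHA1_96, 383928 bytes_i (0s ago), 0 bytes_o, rekeying in 9 minutes
VIP_VIP_10.204.74.182{2}: INSTALLED, TRANSPORT, ESP SPIs: cd9b6cd6_i c2e4e746_o
VIP_VIP_10.204.74.182{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 124288 bytes_o (1s ago), rekeying in 3 minutes
"""

SPI_RE = re.compile(r"^(\S+\{\d+\}):.*ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")
CNT_RE = re.compile(r"^(\S+\{\d+\}):.* (\d+) bytes_i.* (\d+) bytes_o")

def parse_child_sas(text):
    """Map each CHILD_SA name to its ESP SPIs and byte counters."""
    sas = {}
    for line in map(str.strip, text.splitlines()):
        if m := SPI_RE.match(line):
            sas[m[1]] = {"spi_in": m[2], "spi_out": m[3], "bytes_in": 0, "bytes_out": 0}
        elif (m := CNT_RE.match(line)) and m[1] in sas:
            sas[m[1]].update(bytes_in=int(m[2]), bytes_out=int(m[3]))
    return sas

def check_direction(sender, receiver):
    """Pair each outbound SPI on `sender` with the same inbound SPI on `receiver`."""
    inbound = {sa["spi_in"]: sa for sa in receiver.values()}
    result = {}
    for sa in sender.values():
        peer = inbound.get(sa["spi_out"])
        sent, got = sa["bytes_out"], peer["bytes_in"] if peer else 0
        verdict = "unused"
        if peer is None:
            verdict = "no matching inbound SA on peer"
        elif sent and not got:
            verdict = "ESP sent but not counted by peer"
        elif sent:
            verdict = "ESP counted by peer"
        result[sa["spi_out"]] = (sent, got, verdict)
    return result

if __name__ == "__main__":
    ffd, mh = parse_child_sas(FFD), parse_child_sas(MH)
    for label, a, b in (("ffd -> mh", ffd, mh), ("mh -> ffd", mh, ffd)):
        for spi, row in check_direction(a, b).items():
            print(label, "SPI", spi, *row)
```

On the counters quoted in the post, both directions show ESP being counted by the peer, with each host sending on one CHILD_SA and receiving on the other; the two remaining SPIs are unused.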
