[Swan-dev] Ping loss

Andrew Cagney andrew.cagney at gmail.com
Sat Mar 27 19:30:32 UTC 2021


On Sat, 27 Mar 2021 at 14:36, Paul Wouters <paul at nohats.ca> wrote:
>
> Begin forwarded message:
>
> > New commits:
> > commit d49d315ec8b71377a1fc9de9f0277d1396fec5c7
> > Author: Andrew Cagney <cagney at gnu.org>
> > Date:   Sat Mar 27 12:52:52 2021 -0400
> >
> >    testing: sprinkle ping-once
> >
> >    things are getting interesting for instance, replacing:
> >      ping -c 2 ...
> >      50% packet loss, but sometimes 100%
> >    with:
> >      ping-once --forget
> >      wait-for traffic status
> >      ping-once --up
>
> Remember an on-demand tunnel eats the first icmp packet, maybe two on
> occasion if things are slow. That is why I usually now do a single ping
> that triggers the tunnel and a second -c4 ping to show no packet loss.

Right, ping + sleep + ping-c4 is an improvement.  However, there's still no
guarantee that the sleep is long enough, and ping-c4 can miss the last
response.  Hence, this change:

- send a single packet, barely wait for a response:

 # one packet, which gets eaten by XFRM, so east does not initiate
road #
 ../../pluto/bin/ping-once.sh --forget -I 192.1.3.209 192.1.2.23
fired and forgotten
road #


- now wait for the negotiation to complete - notice how, at this point,
in/out bytes are, as expected, zero:

 # wait on OE IKE negotiation
road #
 ../../pluto/bin/wait-for.sh --match private-or-clear -- ipsec whack --trafficstatus
006 #2: "private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east at testing.libreswan.org', lease=10.0.10.1/32
road #


- next send out a packet that should travel through the tunnel; since a
response is expected, wait a long time for the response (at least when
compared to default ping):

 # should show established tunnel and no bare shunts
road #
 ../../pluto/bin/ping-once.sh --up -I 192.1.3.209 192.1.2.23
up


- finally confirm the packet was tunneled:

road #
 ipsec whack --trafficstatus
006 #2: "private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=84, outBytes=84, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east at testing.libreswan.org', lease=10.0.10.1/32
road #
 ipsec whack --shuntstatus
000 Bare Shunt list:
000


(I am so tempted to sanitize outBytes=84 to outBytes=1-ping)
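
The before/after check described in the message above, as an added example that is not part of the original message or the libreswan test suite: it reads the inBytes/outBytes counters from captured `ipsec whack --trafficstatus` text and confirms the bare shunt list is empty. The function names are hypothetical, and the sample lines are constructed from the output quoted above with the id= field omitted.

```shell
#!/bin/sh
# Added example; function names are hypothetical, samples are constructed.

# Print the numeric value of FIELD (e.g. inBytes) from the first
# trafficstatus line in STATUS that belongs to connection CONN.
traffic_field() {   # usage: traffic_field STATUS CONN FIELD
    printf '%s\n' "$1" | grep -F "\"$2" |
        sed -n "s/.*, $3=\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Succeed only if both counters were zero before the ping and non-zero
# after it, i.e. the echo request and its reply both used the tunnel.
# Returns 2 when the connection or a counter is missing from the text.
ping_was_tunneled() {   # usage: ping_was_tunneled BEFORE AFTER CONN
    for f in inBytes outBytes; do
        b=$(traffic_field "$1" "$3" "$f")
        a=$(traffic_field "$2" "$3" "$f")
        [ -n "$b" ] && [ -n "$a" ] || return 2
        [ "$b" -eq 0 ] && [ "$a" -gt 0 ] || return 1
    done
}

# Succeed only if nothing is listed after the "Bare Shunt list:" header.
no_bare_shunts() {   # usage: no_bare_shunts SHUNTSTATUS
    printf '%s\n' "$1" | awk '
        seen && NF > 1 { extra++ }
        /Bare Shunt list:/ { seen = 1 }
        END { exit (seen && !extra) ? 0 : 1 }'
}

# Constructed samples, based on the output quoted in the message.
BEFORE='006 #2: "private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, lease=10.0.10.1/32'
AFTER='006 #2: "private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=84, outBytes=84, lease=10.0.10.1/32'
SHUNTS_EMPTY='000 Bare Shunt list:
000 '
```

In a live run, BEFORE and AFTER would be the text captured from `ipsec whack --trafficstatus` on either side of the `ping-once.sh --up` step.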