[Swan] Trouble with connection dropping
zip
zip at fodvo.org
Sun Jun 8 23:45:49 EEST 2014
Using libreswan 3.8.1 between two household networks each running Fedora
20 with the latest patches; Left is 64-bit, Right is 32-bit. Both sides use
Shorewall firewall rules. Both networks have unique aspects such as
public WIFI networks and private sides; but 90% of the networks are the
same.
Left's internal IP address is 10.20.0.0/24, Right's side is
10.20.1.0/24, with .1 being the vpn/gateway/firewall host in both
houses. Both firewalls see the public IP address, though Left must use
PPPOE (Roaring Penguin).
I'm having difficulties keeping the vpn up in both directions for more
than a few minutes to hours.
This isn't my first go-round with xxxSwan implementations. I used to
have it working long ago in the days of FreeSwan. But a DSL change in
my house some time back made things very tricky, so I gave up for a while.
Left's DSL connection must use PPPOE, so its MTU is 8 bytes less than
Right's MTU. In the config below I set the MTU to 1422. (In the old
days this MTU problem caused ssh untold grief, and is why I stopped using it.)
Back to the problem:
When I service restart both sides, the VPN starts up fine, both networks
can ping / ssh both directions. Then at some random point in time,
Right stops routing traffic through the VPN, but rather goes directly
out the public interface; so all ping/ssh traffic originating from Right
and its network stops. However Left can still ping any host in Right
including the firewall. ssh however doesn't work in either direction
after the failure.
The length of time it takes for the VPN to fail seems random; sometimes
it's only a few minutes, other times it may be several hours. But it
always fails eventually. Once it fails, I have to service ipsec
stop/start both sides for it to resume.
Finding log output is difficult. From Left's side, I have
/var/log/secure logs but there isn't an immediate entry corresponding to
when the VPN drops. The log on Right's side... well for what I think is
an unrelated problem, /var/log/secure is empty and I've opened a Fedora
bug describing:
https://bugzilla.redhat.com/show_bug.cgi?id=1105828
so I don't know what's happening on Right's side. (Seems like problems
always happen in twos and threes.)
ipsec.conf's are below (note for unknown reasons I've had to use
slightly different "rightnexthop" statements).
Left's ipsec.conf (comments removed and some long lines truncated)
cat /etc/ipsec.conf
config setup
protostack=netkey
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
#
# Add connections here
conn mnnet-ianet
left=216.160.0.218
leftsubnet=10.20.0.0/24
leftid=@bfoddy.homeip.net
leftrsasigkey=0sAQPOsHHTYfWwii+VGKWxtCP+TOIqzeJVM...8jIenOcQ==
leftnexthop=207.225.140.57
leftsourceip=10.20.0.1
#
right=66.43.233.66
rightsubnet=10.20.1.0/24
rightid=@hfoddy.homeip.net
rightrsasigkey=0sAQPcxb0y4U8u4pTaMlbXBvvuP0avB9mklzX8Nof...WZQ==
rightnexthop=167.142.225.132
rightsourceip=10.20.1.1
authby=rsasig
auto=start
mtu=1422
#
#
conn mnnet-iaguest
left=216.160.0.218
leftsubnet=10.20.0.0/24
leftid=@bfoddy.homeip.net
leftrsasigkey=0sAQPOsHHTYfWwii+VGKWxtCP+TOIqzeJVM...8jIenOcQ==#
leftnexthop=%defaultroute
leftnexthop=207.225.140.57
leftsourceip=10.20.0.1
#
right=66.43.233.66
rightsubnet=10.20.128.0/24
rightid=@hfoddy.homeip.net
rightrsasigkey=0sAQPcxb0y4U8u4pTaMlbXBvvuP0avB9mklzX8Nof...WZQ==
rightnexthop=167.142.225.132
rightsourceip=10.20.1.1
authby=rsasig
auto=start
mtu=1422
Right's ipsec.conf is the same except uses rightnexthop=%defaultroute vs
the ip address.
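As an added example (not part of the original post and not libreswan's own code), a small ipsec.conf linter that parses the config into sections, reports keys repeated inside one conn, and checks that each *sourceip lies inside its *subnet. The sample config is constructed from the post's mnnet-iaguest conn with the RSA keys and public addresses omitted; the key names follow libreswan's ipsec.conf format, and anything else is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample built from the post's second conn (RSA keys and public IPs
# omitted): it repeats leftnexthop and has rightsourceip outside rightsubnet.
SAMPLE_CONF = """\
conn mnnet-iaguest
leftsubnet=10.20.0.0/24
leftnexthop=%defaultroute
leftnexthop=207.225.140.57
leftsourceip=10.20.0.1
rightsubnet=10.20.128.0/24
rightsourceip=10.20.1.1
mtu=1422
"""

def parse_ipsec_conf(text):
    """Map 'config setup' / 'conn NAME' to [(key, value), ...], keeping duplicates."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and stray '#'
        if not line:
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key, value))
    return sections

def lint_conn(pairs):
    """Report repeated keys and a *sourceip that does not lie in its *subnet."""
    findings, seen = [], {}
    for key, value in pairs:
        if key in seen:
            findings.append(f"duplicate key {key}: {seen[key]} then {value}")
        seen[key] = value  # this linter keeps the last value for later checks
    for side in ("left", "right"):
        subnet, srcip = seen.get(f"{side}subnet"), seen.get(f"{side}sourceip")
        if subnet and srcip and "%" not in subnet:  # skip %priv / vhost forms
            net = ipaddress.ip_network(subnet, strict=False)
            if ipaddress.ip_address(srcip) not in net:
                findings.append(f"{side}sourceip {srcip} not in {side}subnet {subnet}")
    return findings

def lint_ipsec_conf(text):
    """Lint every conn section; returns {conn name: [findings]}."""
    return {n: lint_conn(p) for n, p in parse_ipsec_conf(text).items() if n.startswith("conn ")}
```

Run it against the real /etc/ipsec.conf on each side to compare the two hosts' conn sections before looking further at the drop.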