[Swan] Trouble with connection dropping

zip zip at fodvo.org
Sun Jun 8 23:45:49 EEST 2014


Using libreswan 3.8.1 between two household networks each running Fedora 
20 latest patches; Left is 64-bit, Right is 32-bit. Both sides using 
Shorewall firewall rules.  Both networks have unique aspects such as 
public WIFI networks and private sides; but 90% of the networks are the 
same.

Left's internal IP address is 10.20.0.0/24, Right's side is 
10.20.1.0/24, with .1 being the vpn/gateway/firewall host in both 
houses.  Both firewalls see the public IP address, though Left must use 
PPPOE (Roaring Penguin).

I'm having difficulties keeping the vpn up in both directions for more 
than a few minutes to hours.

This isn't my first go-round with xxxSwan implementations.  I used to 
have it working long ago in the days of FreeSwan.  But a DSL change in 
my house some time back made things very tricky, so I gave up for a while.

Left's DSL connection must use PPPOE, so its MTU is 8 bytes less than 
Right's MTU.  In the config below I set the MTU to 1422.  (In the old 
days this MTU problem caused ssh untold grief, and is why I stopped using it.)

Back to the problem:
When I service restart both sides, the VPN starts up fine, both networks 
can ping / ssh both directions.  Then at some random point in time, 
Right stops routing traffic through the VPN, but rather goes directly 
out the public interface; so all ping/ssh traffic originating from Right 
and its network stops.  However Left can still ping any host in Right 
including the firewall.  ssh however doesn't work in either direction 
after the failure.

The length of time it takes for the VPN to fail seems random; sometimes 
it's only a few minutes, other times it may be several hours.  But it 
always fails eventually.  Once it fails, I have to service ipsec 
stop/start both sides for it to resume.

Finding log output is difficult.  From Left's side, I have 
/var/log/secure logs but there isn't an immediate entry corresponding to 
when the VPN drops.  The log on Right's side... well for what I think is 
an unrelated problem, /var/log/secure is empty and I've opened a Fedora 
bug describing:
https://bugzilla.redhat.com/show_bug.cgi?id=1105828
so I don't know what's happening on Right's side.  (Seems like problems 
always happen in twos and threes.)


The ipsec.conf files are below (note that for unknown reasons I've had to use 
slightly different "rightnexthop" statements).

Left's ipsec.conf (comments removed and some long lines truncated)

cat /etc/ipsec.conf
config setup
         protostack=netkey
         dumpdir=/var/run/pluto/
         nat_traversal=yes
         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
#
# Add connections here
conn    mnnet-ianet
         left=216.160.0.218
         leftsubnet=10.20.0.0/24
         leftid=@bfoddy.homeip.net
         leftrsasigkey=0sAQPOsHHTYfWwii+VGKWxtCP+TOIqzeJVM...8jIenOcQ==
         leftnexthop=207.225.140.57
         leftsourceip=10.20.0.1
#
         right=66.43.233.66
         rightsubnet=10.20.1.0/24
         rightid=@hfoddy.homeip.net
         rightrsasigkey=0sAQPcxb0y4U8u4pTaMlbXBvvuP0avB9mklzX8Nof...WZQ==
         rightnexthop=167.142.225.132
         rightsourceip=10.20.1.1
         authby=rsasig
         auto=start
         mtu=1422
#
#
conn    mnnet-iaguest
         left=216.160.0.218
         leftsubnet=10.20.0.0/24
         leftid=@bfoddy.homeip.net
         leftrsasigkey=0sAQPOsHHTYfWwii+VGKWxtCP+TOIqzeJVM...8jIenOcQ==
#        leftnexthop=%defaultroute
         leftnexthop=207.225.140.57
         leftsourceip=10.20.0.1
#
         right=66.43.233.66
         rightsubnet=10.20.128.0/24
         rightid=@hfoddy.homeip.net
         rightrsasigkey=0sAQPcxb0y4U8u4pTaMlbXBvvuP0avB9mklzX8Nof...WZQ==
         rightnexthop=167.142.225.132
         rightsourceip=10.20.1.1
         authby=rsasig
         auto=start
         mtu=1422

Right's ipsec.conf is the same except uses rightnexthop=%defaultroute vs 
the ip address.
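As an added example (not part of the post above, and not libreswan's own tooling), a small linter for ipsec.conf "conn" sections that flags a key set more than once and a sourceip that lies outside its own subnet, two things worth checking when a tunnel carries several conns between the same peers. The embedded config is a constructed sample in the shape of the posted one, with the RSA keys omitted.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the ipsec.conf posted above (keys omitted,
# one deliberately duplicated key and one sourceip outside its subnet).
SAMPLE_CONF = """\
config setup
         protostack=netkey
conn    mnnet-ianet
         leftsubnet=10.20.0.0/24
         leftsourceip=10.20.0.1
         rightsubnet=10.20.1.0/24
         rightsourceip=10.20.1.1
         mtu=1422
conn    mnnet-iaguest
         leftsubnet=10.20.0.0/24
         leftnexthop=%defaultroute
         leftnexthop=207.225.140.57
         leftsourceip=10.20.0.1
         rightsubnet=10.20.128.0/24
         rightsourceip=10.20.1.1
"""

def parse_conns(text):
    """Return {conn_name: [(key, value), ...]} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:                                  # section header
            current = m.group(2) if m.group(1) == "conn" else None
            if current:
                conns[current] = []
            continue
        if current and "=" in line:
            k, v = line.split("=", 1)
            conns[current].append((k.strip(), v.strip()))
    return conns

def lint_conn(name, pairs):
    """List human-readable problems for one conn section."""
    problems = []
    for k, n in Counter(k for k, _ in pairs).items():
        if n > 1:
            problems.append(f"{name}: '{k}' set more than once (last value wins)")
    d = dict(pairs)
    for side in ("left", "right"):
        sub, src = d.get(side + "subnet"), d.get(side + "sourceip")
        if sub and src and ipaddress.ip_address(src) not in ipaddress.ip_network(sub, strict=False):
            problems.append(f"{name}: {side}sourceip {src} is outside {side}subnet {sub}")
    return problems

def lint(text):
    """Run lint_conn over every conn in an ipsec.conf text."""
    return [p for n, pairs in parse_conns(text).items() for p in lint_conn(n, pairs)]
```

Run `lint(open("/etc/ipsec.conf").read())` on each gateway; an empty list means neither check fired.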
