[Swan] Traffic _stops_ routing down tunnel

Paul Moore pmoore at astute-systems.com
Fri Mar 20 03:22:05 EET 2015


Hi All,

This is my first post to this list and I've been trying to figure out this
problem for a few weeks without asking for help because I thought I must be
doing something stupid. Solving this really is beyond me, so I'd love some
help from you packet-mangling gurus out there. Thanks to Dave Harding for
motivating me to say "me too". Just like Dave, please also forgive me if
I'm doing something wrong or breaking mailing list etiquette.

The basic problem is that a ping sent from the machine that initiated the
tunnel (we'll call this the ipsec initiator) to the machine at the
other end (we'll call this the ipsec responder) does not work until a ping
first comes from the ipsec responder back to the ipsec initiator. At that
point, ping responds only if the tunnel has had traffic pass through it in
the last 30 seconds. Also, while the ping from the ipsec initiator to the
ipsec responder does not work, the ipsec initiator cannot even ping
itself.

It sounds like an ARP cache timeout problem to me, where a packet coming
through the ipsec tunnel from the ipsec responder teaches the kernel of the
ipsec initiator that the ipsec responder can be contacted via the ipsec
tunnel. That's my hunch, but I don't know enough about this to actually
track down the problem and fix it.

I have a more complex configuration and will eventually have firewalls, but
I've stripped everything down to a single connection with no firewalls, so
this is my basic configuration:

Machine     Description
"core"      AWS micro instance, NAT behind an AWS virtual IP; never initiates the tunnel
"mdserver"  Mum and Dad's server, dynamic IP, NAT behind a router; initiates the tunnel

I wrote myself a script to test this, and here is a snip of its relevant
output when run on the ipsec initiator.

[root at mdserver ~]# /etc/ipsec.d/when_does_ping_stop 10.1.2.2 10.1.0.1
Error: Ping "10.1.2.2" -> "10.1.0.1" failed.
Error: Ping "10.1.2.2" -> "10.1.2.2" failed.
[root at mdserver ~]#

Then I ping from the ipsec responder to the ipsec initiator once as follows:

[root at ip-172-31-6-188 ~]# ping -c 1 -w 3 10.1.2.2
PING 10.1.2.2 (10.1.2.2) 56(84) bytes of data.
64 bytes from 10.1.2.2: icmp_seq=1 ttl=64 time=36.7 ms

--- 10.1.2.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 36.711/36.711/36.711/0.000 ms
[root at ip-172-31-6-188 ~]#

Then I re-run the same script on the ipsec initiator again.

[root at mdserver ~]# /etc/ipsec.d/when_does_ping_stop 10.1.2.2 10.1.0.1
2015 Mar 20 11:04:28 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 1 seconds succeeded.
2015 Mar 20 11:04:28 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 1 seconds succeeded.
2015 Mar 20 11:04:29 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 2 seconds succeeded.
2015 Mar 20 11:04:29 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 2 seconds succeeded.
<SNIP>
2015 Mar 20 11:11:15 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 29 seconds succeeded.
2015 Mar 20 11:11:16 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 29 seconds succeeded.
2015 Mar 20 11:11:44 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 30 seconds succeeded.
2015 Mar 20 11:11:45 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 30 seconds succeeded.
2015 Mar 20 11:12:14 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 31 seconds succeeded.
2015 Mar 20 11:12:15 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 31 seconds succeeded.
2015 Mar 20 11:12:45 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 32 seconds succeeded.
2015 Mar 20 11:12:46 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 32 seconds succeeded.
2015 Mar 20 11:13:17 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 33 seconds succeeded.
2015 Mar 20 11:13:18 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 33 seconds succeeded.
2015 Mar 20 11:13:50 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 34 seconds failed, waiting up to 60 seconds for a successful response.
2015 Mar 20 11:13:52 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 34 seconds failed, waiting up to 60 seconds for a successful response.
.........................TIMEOUTTIMEOUT
[root at mdserver ~]#

Sometimes it stops after 31 seconds, in this case it was 34 seconds so
there may have been some DNS traffic in there.

The config below shows the machine state with ipsec not running and is from
a script called /etc/ipsec.d/show_ipsec_config which contains this active
script:

#!/bin/bash
# Dump this host's static IPsec configuration with the daemon stopped.
# The sed step redacts the PSK value so the secrets file can be posted.
for cmd in "systemctl stop ipsec" \
           "cat /etc/redhat-release" \
           "rpm -q libreswan" \
           "cat /etc/ipsec.conf" \
           "ls /etc/ipsec.d/*{conf,secrets}" \
           "cat /etc/ipsec.d/*conf" \
           "sed 's/PSK \\\".*/PSK \\\"PRIVATE\\\"/' /etc/ipsec.d/*.secrets" \
           ; do
  echo -e "\n# ==== Output of $(hostname -s) command: \"$cmd\""
  eval $cmd    # eval so the globs and brace expansion inside $cmd are expanded
done

For "mdserver" the script output is:

[root at mdserver ~]# /etc/ipsec.d/show_ipsec_config

# ==== Output of mdserver command: "systemctl stop ipsec"

# ==== Output of mdserver command: "cat /etc/redhat-release"
Red Hat Enterprise Linux Server release 7.0 (Maipo)

# ==== Output of mdserver command: "rpm -q libreswan"
libreswan-3.8-6.el7_0.x86_64

# ==== Output of mdserver command: "cat /etc/ipsec.conf"
config setup
        plutodebug="all crypt"
        protostack=netkey
        dumpdir=/var/run/pluto/
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,!%v4:172.31.0.0/20
include /etc/ipsec.d/*.conf

# ==== Output of mdserver command: "ls /etc/ipsec.d/*{conf,secrets}"
/etc/ipsec.d/amazoncore.conf  /etc/ipsec.d/amazoncore.secrets

# ==== Output of mdserver command: "cat /etc/ipsec.d/*conf"
conn amazoncore
        type=tunnel
        authby=secret
        auto=start
        ike=aes256-sha1;modp1536,3des-md5;modp1024
        forceencaps=yes
        left=%defaultroute
        leftid=10.1.2.2
        leftsubnet=10.1.2.0/24
        right=54.66.129.223
        rightid=54.66.129.223
        rightsourceip=10.1.0.1
        rightsubnet=10.1.0.0/16

# ==== Output of mdserver command: "sed 's/PSK \".*/PSK \"PRIVATE\"/' /etc/ipsec.d/*.secrets"
54.66.129.223 10.1.2.2: PSK "PRIVATE"

# ==== Output of mdserver command: "iptables -L -n"
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at mdserver ~]#


... and for "core (ip-172-31-6-188)" the script output is:

[root at ip-172-31-6-188 ~]# /etc/ipsec.d/show_ipsec_config

# ==== Output of ip-172-31-6-188 command: "systemctl stop ipsec"

# ==== Output of ip-172-31-6-188 command: "cat /etc/redhat-release"
Red Hat Enterprise Linux Server release 7.0 (Maipo)

# ==== Output of ip-172-31-6-188 command: "rpm -q libreswan"
libreswan-3.8-6.el7_0.x86_64

# ==== Output of ip-172-31-6-188 command: "cat /etc/ipsec.conf"
config setup
        protostack=netkey
        dumpdir=/var/run/pluto/
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,!%v4:172.31.0.0/20
include /etc/ipsec.d/*.conf

# ==== Output of ip-172-31-6-188 command: "ls /etc/ipsec.d/*{conf,secrets}"
/etc/ipsec.d/forestlake.conf  /etc/ipsec.d/forestlake.secrets

# ==== Output of ip-172-31-6-188 command: "cat /etc/ipsec.d/*conf"
conn forestlake
        type=tunnel
        authby=secret
        auto=add
        ike=aes256-sha1;modp1536,3des-md5;modp1024
        forceencaps=yes
        left=%defaultroute
        leftid=54.66.129.223
        leftsourceip=10.1.0.1
        leftsubnet=10.1.0.0/16
        right=%any
        rightid=10.1.2.2
        rightsubnet=10.1.2.0/24

# ==== Output of ip-172-31-6-188 command: "sed 's/PSK \".*/PSK \"PRIVATE\"/' /etc/ipsec.d/*.secrets"
54.66.129.223 10.1.2.2: PSK "PRIVATE"

# ==== Output of ip-172-31-6-188 command: "iptables -L -n"
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at ip-172-31-6-188 ~]#

Cheers,

Paul Moore
Astute Systems
pmoore at astute-systems.com      0481 268 522       View my profile
<http://www.linkedin.com/profile/view?id=465982>
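The measurement loop the post describes (one ping after an idle delay of 1 s, then 2 s, and so on, and after the first failure a wait of up to 60 s for the path to come back), written out as an added example. This is not the author's /etc/ipsec.d/when_does_ping_stop, which the post does not include; the function names, the log format and the choice of "ping -c 1 -w 3 -I <src> <dst>" as the probe command are assumptions. Any command that exits 0 while the path works can be passed as the probe, so the same loop measures a NAT mapping timeout or a firewall state timeout as well as a tunnel.

```sh
#!/bin/sh
# Idle-timeout probe: how long can a path stay quiet before the next packet
# is lost? Added example, not the script from the original post.

log() { printf '%s %s\n' "$(date '+%Y %b %d %H:%M:%S')" "$*" >&2; }

# probe_idle_timeout PROBE MAX [SLEEP]
#   PROBE  shell command that exits 0 while the path works (e.g. one ping)
#   MAX    largest idle delay to try, in seconds
#   SLEEP  command used to wait; defaults to sleep (tests pass a no-op)
# Waits 1 s and probes, waits 2 s and probes, ... and prints the first
# delay at which the probe failed, or 0 if every delay up to MAX worked.
probe_idle_timeout() {
    probe=$1; max=$2; sleep_cmd=${3:-sleep}
    delay=1
    while [ "$delay" -le "$max" ]; do
        $sleep_cmd "$delay"
        if eval "$probe" >/dev/null 2>&1; then
            log "probe after a delay of $delay seconds succeeded"
        else
            log "probe after a delay of $delay seconds FAILED"
            printf '%s\n' "$delay"
            return 0
        fi
        delay=$((delay + 1))
    done
    printf '%s\n' 0
}

# wait_for_recovery PROBE GRACE [SLEEP]
#   After a failure, retry once a second for up to GRACE seconds and print
#   the number of seconds until the probe worked again, or -1 on timeout.
wait_for_recovery() {
    probe=$1; grace=$2; sleep_cmd=${3:-sleep}
    t=0
    while [ "$t" -lt "$grace" ]; do
        $sleep_cmd 1
        t=$((t + 1))
        if eval "$probe" >/dev/null 2>&1; then
            printf '%s\n' "$t"
            return 0
        fi
    done
    printf '%s\n' -1
}

# Real use on the tunnel initiator (source address and peer are assumptions):
#   sh idle_probe.sh 10.1.2.2 10.1.0.1
if [ $# -eq 2 ]; then
    ping_once="ping -c 1 -w 3 -I $1 $2"
    failed_at=$(probe_idle_timeout "$ping_once" 60)
    if [ "$failed_at" -eq 0 ]; then
        log "no idle timeout observed up to 60 s"
    else
        log "path lost after $failed_at s idle; waiting up to 60 s for recovery"
        log "recovered after $(wait_for_recovery "$ping_once" 60) s (-1 = never)"
    fi
fi
```

Running it with a self-ping as well as a peer ping, as the post's output does, separates "the tunnel dropped" from "my own source address became unusable": the two probes fail together in the post, which is why the failure of 10.1.2.2 -> 10.1.2.2 is worth recording alongside the tunnel probe.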
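A left/right mirror check over the two conn blocks quoted above, as an added example; it is neither part of the post nor a libreswan tool. Each side's leftid/leftsubnet/leftsourceip must equal the peer's rightid/rightsubnet/rightsourceip (and the other way round), and the side-less settings (type, authby, ike, forceencaps) must simply agree. The awk extraction and the function names are this example's own; the two conn blocks embedded below are copied from the post with the link residue removed, and the example reports no mismatch for them.

```sh
#!/bin/sh
# Mirror check for a pair of libreswan conn blocks. Added example; the conn
# text below is copied from the post, everything else is this example's own.

# conn_val CONFIG_TEXT CONN KEY -> value of KEY inside "conn CONN", or empty
conn_val() {
    printf '%s\n' "$1" | awk -v conn="$2" -v key="$3" '
        /^conn[ \t]/ { cur = $2; next }
        cur == conn && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# check_mirror CONF_A CONN_A CONF_B CONN_B
#   Prints one MISMATCH line per disagreement; exit status 1 if any.
check_mirror() {
    a=$1; ca=$2; b=$3; cb=$4; bad=0
    for key in id subnet sourceip; do
        for pair in left:right right:left; do
            sa=${pair%%:*}; sb=${pair##*:}
            va=$(conn_val "$a" "$ca" "$sa$key")
            vb=$(conn_val "$b" "$cb" "$sb$key")
            if [ "$va" != "$vb" ]; then
                printf 'MISMATCH %s.%s%s=%s vs %s.%s%s=%s\n' \
                    "$ca" "$sa" "$key" "$va" "$cb" "$sb" "$key" "$vb"
                bad=1
            fi
        done
    done
    for key in type authby ike forceencaps; do
        va=$(conn_val "$a" "$ca" "$key")
        vb=$(conn_val "$b" "$cb" "$key")
        if [ "$va" != "$vb" ]; then
            printf 'MISMATCH %s.%s=%s vs %s.%s=%s\n' "$ca" "$key" "$va" "$cb" "$key" "$vb"
            bad=1
        fi
    done
    return $bad
}

# Sample input: the two conn blocks from the post (link residue removed).
MDSERVER_CONF='conn amazoncore
        type=tunnel
        authby=secret
        auto=start
        ike=aes256-sha1;modp1536,3des-md5;modp1024
        forceencaps=yes
        left=%defaultroute
        leftid=10.1.2.2
        leftsubnet=10.1.2.0/24
        right=54.66.129.223
        rightid=54.66.129.223
        rightsourceip=10.1.0.1
        rightsubnet=10.1.0.0/16'

CORE_CONF='conn forestlake
        type=tunnel
        authby=secret
        auto=add
        ike=aes256-sha1;modp1536,3des-md5;modp1024
        forceencaps=yes
        left=%defaultroute
        leftid=54.66.129.223
        leftsourceip=10.1.0.1
        leftsubnet=10.1.0.0/16
        right=%any
        rightid=10.1.2.2
        rightsubnet=10.1.2.0/24'

if check_mirror "$MDSERVER_CONF" amazoncore "$CORE_CONF" forestlake; then
    echo "amazoncore <-> forestlake: left/right settings mirror each other"
fi
```

left and right themselves are deliberately not compared: %defaultroute on one side and %any or a public address on the other is the normal shape for a road-warrior style initiator behind NAT, so a literal comparison there would only produce noise.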

