[Swan] Intermittent connection issues

sandeep.vegiraju at accenture.com sandeep.vegiraju at accenture.com
Tue May 16 02:55:46 UTC 2017


Thanks for the workaround. The connections are stable after the lifetime settings.

Thanks,
Sandeep.

-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: Thursday, May 11, 2017 5:26 PM
To: Vegiraju, Sandeep <sandeep.vegiraju at accenture.com>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] Intermittent connection issues

On Thu, 11 May 2017, sandeep.vegiraju at accenture.com wrote:

> We had an IPsec tunnel setup between our RHEL server in AWS and LPARs
> in co-location. The connectivity is fine, but we are seeing
> intermittent connectivity issues and we need to refresh the LPARs every time to get the issues resolved.
>
> Please suggest if any time out setting needs to be included as part of the configuration file.

> include /etc/ipsec.d/*.conf

You did not show your actual connection definition.

> May 11 10:26:14: "T_XX.XX.XX.XX" #111298: max number of
> retransmissions (8) reached STATE_MAIN_I1.  No response (or no
> acceptable response) to our first IKEv1 message

> May 11 10:26:15: "T_XX.XX.XX.XX" #111392: ignoring informational
> payload NO_PROPOSAL_CHOSEN, msgid=00000000,
> length=16

The remote did not like your first initiation packet.

> May 11 07:23:39: "T_XX.XX.XX.XX" #96258: STATE_QUICK_R1: sent QR1,
> inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x23c8bf21
> <0xdfa30f1d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=passive}

Apparently your end does match when being a responder. As a workaround, you can try and set your ikelifetime and salifetime to 24h and hope that the other end will rekey to you before that time.

It does indicate that you seem to have a minor misconfiguration between the two endpoints.

Paul
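
As an added illustration of the diagnosis given above (the responder side negotiates fine while the initiator side is rejected or times out), here is a small analyser that is not code from the thread or from libreswan: it classifies pluto log lines of the shape quoted in the thread and flags connections that show that asymmetric pattern. The sample log is constructed by re-joining the wrapped lines quoted above; the event names and the `summarize` report layout are this example's own.

```python
import re
from collections import defaultdict

# Shape of the pluto log lines quoted in the thread:
#   <Mon DD HH:MM:SS>: "<conn name>" #<state number>: <message>
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d): "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')

# Constructed sample: the three wrapped log lines from the thread, re-joined (not a real capture).
SAMPLE_LOG = """\
May 11 07:23:39: "T_XX.XX.XX.XX" #96258: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x23c8bf21 <0xdfa30f1d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
May 11 10:26:14: "T_XX.XX.XX.XX" #111298: max number of retransmissions (8) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKEv1 message
May 11 10:26:15: "T_XX.XX.XX.XX" #111392: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=16
"""

def classify(msg):
    """Map a pluto message to one of the event types seen in the thread, or None."""
    if msg.startswith("max number of retransmissions") and "STATE_MAIN_I1" in msg:
        return "initiator_timeout"   # we sent the first IKEv1 message; no acceptable answer came back
    if "NO_PROPOSAL_CHOSEN" in msg:
        return "proposal_rejected"   # the peer explicitly rejected what we offered
    if msg.startswith("STATE_QUICK_R1"):
        return "responder_ok"        # the peer initiated to us and Phase 2 completed on our side
    return None

def parse_line(line):
    """Return a dict for a recognised pluto line, or None for anything else."""
    m = LINE_RE.match(line)
    event = classify(m["msg"]) if m else None
    if event is None:
        return None
    x = re.search(r"xfrm=(\S+)", m["msg"])   # ESP transform, present only on SA-installed lines
    return {"ts": m["ts"], "conn": m["conn"], "state": int(m["state"]),
            "event": event, "xfrm": x.group(1) if x else None}

def summarize(lines):
    """Per connection: event counts, ESP transforms seen, and whether the asymmetric
    pattern from the thread (responder side works, initiator side fails) is present."""
    counts, xfrms = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for p in filter(None, map(parse_line, lines)):
        counts[p["conn"]][p["event"]] += 1
        if p["xfrm"]:
            xfrms[p["conn"]].add(p["xfrm"])
    report = {}
    for conn, c in counts.items():
        c = dict(c)   # plain dict so event types never seen stay absent instead of defaulting to 0
        failed_as_initiator = c.get("initiator_timeout", 0) + c.get("proposal_rejected", 0)
        report[conn] = {"counts": c, "xfrm": xfrms[conn],
                        "asymmetric": c.get("responder_ok", 0) > 0 and failed_as_initiator > 0}
    return report
```

Running `summarize(SAMPLE_LOG.splitlines())` reports the quoted connection as asymmetric, which is the case where lengthening `ikelifetime`/`salifetime` so the remote rekeys first can hide the problem until the proposal mismatch itself is fixed.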
