[Swan] Routes dropping
Paul Wouters
paul at nohats.ca
Tue Jun 20 12:59:52 UTC 2017
Can you arrange for some logfiles I can have a look at?
Can you also try a 3.20rcX release candidate?
> On Jun 20, 2017, at 08:27, Bob Cribbs <bob.cribbs at policystat.com> wrote:
>
> Hi,
>
> I'm experiencing a new problem with my upgrade process (3.12->3.20); this time it's the routes.
>
> I have ~70 tunnels set up on my server.
> After ipsec is (re)started, all the routes come up.
> But then 1-2 minutes later, there is only a subset of those that are still up, ~10 of them. It's always the same 10 that are persisting.
> All the tunnels are still showing up as connected, including those that are now missing the routes.
>
> Sending data through the tunnel only works for those that have routes; for the other ones it is timing out.
>
> I tried downgrading from 3.20 -> 3.19, same problem.
> I tried downgrading further 3.19 -> 3.18. Routes seem to be persisting on 3.18.
>
> I suspect there is a problem with encapsulation and NAT and keepalive.
> On 3.12 and 3.18, I used `forceencaps=yes`.
> On 3.20 I tried `encapsulation=yes` and `encapsulation=auto`; routes are disconnecting with either of them.
>
> ```
> conn customer
>     authby=secret
>     dpddelay=40
>     dpdtimeout=120
>     dpdaction=restart
>     auto=start
>     encapsulation=yes
>     pfs=yes
>     ike=aes256-sha1
>     phase2alg=aes256-sha1
>     left=%defaultroute
>     leftid=184.X.X.X
>     leftsourceip=184.X.X.X
>     leftsubnet=184.X.X.X/32
>     right=72.Y.Y.Y
>     rightid=72.Y.Y.Y
>     rightsubnet=10.B.B.B/32
> ```
>
> Once the route disappears, it doesn't come back even if I try:
> ```
> $ sudo ipsec auto --down customer
> $ sudo ipsec auto --up customer
> ```
>
> Am I missing some config to keep the route up on the 3.20 version?
>
> Thank you.