[Swan] Ip Xfrm Policy rules lost after Dead Peer Detection

Craig Marker cmarker at inspeednetworks.com
Mon Sep 25 23:50:05 UTC 2017


I had a system that experienced intermittent internet connectivity and a series of dead peer detection triggers. After about an hour, the internet stabilized and the logs indicated that the tunnel had established itself. However, no traffic was allowed to traverse the tunnel. I noticed that the system’s peer was missing some ip xfrm policy rules. It had a rule for dir out, but was missing a rule for dir in and dir fwd. After recognizing this, I added the dir in and dir fwd rules by hand. Traffic was then able to traverse the tunnel.

Has anyone else experienced behavior like this, or can think of a way to reproduce it? I was unable to reproduce it while mimicking a loss of internet connectivity.

Here are the configuration files for the system and the system’s peer respectively. Both systems were running Libreswan 3.19.

# begin conn tunisp1
conn tunisp1
left=A.B.C.D
leftid="@left"
leftsubnet=0.0.0.0/0
leftcert=client
left=A.B.C.D
leftcert=client
right=E.F.G.H
rightid="%fromcert"
rightsubnet=0.0.0.0/0
right=E.F.G.H
authby=rsasig
vti-routing=no
vti-shared=yes
encapsulation=yes
keyingtries=0
dpddelay=30
dpdtimeout=120
dpdaction=restart
mark=0x1000000/0xff000000
vti-interface=tunisp1
phase2alg=aes256-sha2_256
auto=ignore
type=tunnel
compress=no
pfs=yes
ikepad=yes
authby=rsasig
phase2=esp
ikev2=permit
esn=no
# end conn tunisp1

# begin conn tunisp6
conn tunisp6
left=A.B.C.D
leftid="@left"
leftsubnet=0.0.0.0/0
left=A.B.C.D
right=E.F.G.H
rightid="%fromcert"
rightsubnet=0.0.0.0/0
rightcert=server
right=E.F.G.H
rightupdown=/usr/libexec/ipsec/inspeed_updown
rightcert=server
authby=rsasig
vti-routing=no
encapsulation=yes
keyingtries=0
mark=0x6000000/0xff000000
vti-interface=tunisp6
phase2alg=aes256-sha2_256
auto=ignore
type=tunnel
compress=no
pfs=yes
ikepad=yes
authby=rsasig
phase2=esp
ikev2=permit
esn=no

Let me know if any other information would be helpful.

Thanks!
--
cm
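The failure described above (a tunnel whose "dir out" xfrm policy survived a DPD restart while "dir in" and "dir fwd" did not) is easy to miss because the IKE logs say the tunnel is up. The following shell helper, added here as an example and not part of Libreswan or the poster's setup, parses `ip xfrm policy` output and reports which of the three directions are missing for a conn identified by its mark= value. The policy dump embedded below is constructed; the mark values are the ones from the conns above, and the helper name is hypothetical.

```shell
#!/bin/sh
# Report which xfrm policy directions (in, out, fwd) are missing for the
# tunnel whose policies carry the given mark, given `ip xfrm policy` text.
missing_dirs() {
    mark="$1"      # e.g. 0x1000000/0xff000000, exactly as written in the conn
    dump="$2"      # output of `ip xfrm policy`
    printf '%s\n' "$dump" | awk -v want="$mark" '
        # Record the direction of the policy collected so far, if it is ours.
        function flush() {
            if (dir != "" && mk == want) seen[dir] = 1
            dir = ""; mk = ""
        }
        /^src /      { flush() }          # every policy starts with a src/dst line
        $1 == "dir"  { dir = $2 }
        $1 == "mark" { mk = $2 }
        END {
            flush()
            n = split("in out fwd", all, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (!(all[i] in seen)) out = out (out == "" ? "" : " ") all[i]
            print out
        }'
}

# Constructed sample of `ip xfrm policy` output: tunisp1 (mark 0x1000000)
# has only its "out" policy left, tunisp6 (mark 0x6000000) has all three.
SAMPLE_DUMP='src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 1042407 ptype main
    mark 0x1000000/0xff000000
    tmpl src A.B.C.D dst E.F.G.H
        proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir fwd priority 1042407 ptype main
    mark 0x6000000/0xff000000
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 1042407 ptype main
    mark 0x6000000/0xff000000
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 1042407 ptype main
    mark 0x6000000/0xff000000'

# Non-zero exit when a direction is missing; runs `ip xfrm policy` if no dump given.
check_tunnel() {
    missing="$(missing_dirs "$1" "${2:-$(ip xfrm policy 2>/dev/null)}")"
    [ -z "$missing" ] && { echo "mark $1: in/out/fwd policies present"; return 0; }
    echo "mark $1: missing xfrm policy dir(s): $missing"
    return 1
}

for m in 0x1000000/0xff000000 0x6000000/0xff000000; do
    check_tunnel "$m" "$SAMPLE_DUMP" || :   # tunisp1 reports "in fwd" missing
done
```

Run from cron or a monitor with only the mark argument to check the live policy table; a non-zero exit is the signal that the tunnel is "up" but cannot carry inbound or forwarded traffic.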
