[Swan] ip address assignment

Paul Wouters paul at nohats.ca
Wed May 9 15:45:11 UTC 2018


On Wed, 9 May 2018, Thomas Stein wrote:

> I do not have any of these routes. Maybe the output of ipsec status sheds some light?

> 000 #1: "my-vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3583s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:admin initiate
> 000 #2: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #3: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #4: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #5: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #6: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 28031s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
> 000 #6: "my-vpn" esp.4535606b at 176.xxx.xxx.xxx esp.b238feb2 at 192.168.178.21 tun.0 at 176.xxx.xxx.xxx tun.0 at 192.168.178.21 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B username=myself

This looks buggy. You should not have those partial quick modes and a
fully established IPsec SA.

> 000 Bare Shunt list:
> 000
> 000 192.168.178.21/32:51413 -17-> 84.29.208.237/32:16881 => %hold 0    no routed template covers this pair
> 000 192.168.178.21/32:51413 -17-> 178.83.23.15/32:61970 => %hold 0    no routed template covers this pair
> 000 192.168.178.21/32:51413 -17-> 178.155.4.210/32:47286 => %hold 0    no routed template covers this pair

And this suggests that the one IPsec SA that is up no longer has the
eroute, and all your packets are hitting the %trap and are awaiting a
functional tunnel.

Can you see if the issue goes away with our pre-release code? We did
make a number of changes in the reconnect/replace logic of connections.

https://download.libreswan.org/development/libreswan-3.24rc4.tar.gz

Paul
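The two checks Paul applies to the status dump above (stalled Quick Mode exchanges next to an established IPsec SA, and flows sitting in bare shunts with no eroute covering them) can be automated over a captured `ipsec status` output. The script below is an added example, not code from this thread or from libreswan; its sample output is constructed from the quoted lines with documentation-range placeholder addresses, and the regular expressions it uses are assumptions about the status line format rather than a specification of it.

```python
import re

# Constructed sample modelled on the "ipsec status" lines quoted in the thread.
# Peer addresses are RFC 5737 placeholders; the archive renders "@" as " at ".
SAMPLE_STATUS = """\
000 #1: "my-vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3583s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #3: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #6: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 28031s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #6: "my-vpn" esp.4535606b at 192.0.2.10 esp.b238feb2 at 192.168.178.21 tun.0 at 192.0.2.10 tun.0 at 192.168.178.21 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B username=myself
000 Bare Shunt list:
000
000 192.168.178.21/32:51413 -17-> 203.0.113.5/32:16881 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 203.0.113.6/32:61970 => %hold 0    no routed template covers this pair
"""

# Assumed line shapes, derived from the quoted output (not a libreswan spec).
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)"(?::\d+)? (STATE_\w+)')
SHUNT_RE = re.compile(r'^000 (\S+) -(\d+)-> (\S+) => (%\w+)')
TRAFFIC_RE = re.compile(r'ESPin=(\d+)B ESPout=(\d+)B')


def parse_status(text):
    """Split ipsec status output into SA state entries, bare shunts and ESP byte counters."""
    states, shunts, traffic = [], [], None
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            states.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = SHUNT_RE.match(line)
        if m:
            # (source, IP protocol number, destination, shunt type such as %hold)
            shunts.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = TRAFFIC_RE.search(line)
        if m:
            traffic = (int(m.group(1)), int(m.group(2)))
    return {"states": states, "shunts": shunts, "traffic": traffic}


def assess(parsed):
    """Apply the two checks from the thread; returns a list of short findings (empty = looks healthy)."""
    findings = []
    by_conn = {}
    for _, conn, state in parsed["states"]:
        by_conn.setdefault(conn, []).append(state)
    for conn, sts in by_conn.items():
        pending = sum(1 for s in sts if s == "STATE_QUICK_I1")
        established = any(s == "STATE_QUICK_I2" for s in sts)
        # Partial Quick Mode exchanges should not linger once an IPsec SA is up.
        if pending and established:
            findings.append(f"{conn}: {pending} stalled Quick Mode exchange(s) alongside an established IPsec SA")
    # A %hold bare shunt means no eroute covers the flow; packets wait for a tunnel.
    held = [s for s in parsed["shunts"] if s[3] == "%hold"]
    if held:
        findings.append(f"{len(held)} flow(s) held in bare shunts (no routed template covers them)")
    if parsed["traffic"] == (0, 0) and held:
        findings.append("established IPsec SA has carried no traffic while flows are held")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_status(SAMPLE_STATUS)):
        print("WARN:", finding)
```

Run it against a real dump by replacing `SAMPLE_STATUS` with the output of `ipsec status`; an empty finding list is the healthy case, while the constructed sample reproduces all three symptoms discussed above.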

