[Swan] Packets dropped strangely

Paul Wouters paul at nohats.ca
Tue Oct 9 16:54:24 UTC 2018


On Tue, 9 Oct 2018, libreswan91 at iotti.biz wrote:

> I have a CentOS 7 box with libreswan. It has libreswan-3.23-5.el7_5 and
> kernel-3.10.0-514 from CentOS.
> I have two conns in my ipsec.conf, both go to the same remote vpn gateway. I
> split the two conns for simplicity, see below:

Why is it "simpler"? If you just add the one rightsubnet of vpn174 into
the rightsubnets= of vpn does it work properly then?

> The problem is that despite the conns being regularly established, in
> erouted state, with STATE_QUICK_[IR]2 (IPsec SA established), the packets
> coming from 172.16.74.0/24 (hence belonging to the second conn) are silently
> dropped by the kernel. I checked with the remote side admin, and my packets
> reach him, and he replies.

What does /proc/net/xfrm_stats show?

Can you also show us ip xfrm pol and ip xfrm state output?

> Do you have some advice to solve and/or further investigate the problem?

I would use one conn instead of two. But it should also work with two.
Perhaps the xfrm output will show us what is going on.

Paul
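A small helper for the check Paul asks for, added here as an example and not part of the thread: it filters /proc/net/xfrm_stats down to the non-zero counters and annotates the ones that most often explain a tunnel that is "up" yet silently drops traffic. The sample counter text is constructed; the explanations summarise the kernel's documented counter meanings, and the reader must still compare them against the real ip xfrm policy / ip xfrm state output on the box.

```shell
#!/bin/sh
# Added example (not from the thread): summarise /proc/net/xfrm_stats so
# silently dropped IPsec packets can be attributed to a specific cause.

# Keep only counters with a non-zero value; each names a reason the
# kernel discarded or failed to transform a packet.
nonzero_xfrm_counters() {
    # reads xfrm_stats-format text on stdin: "<CounterName> <value>"
    awk '$2 != 0 { print $1, $2 }'
}

# Plain-language hint for the counters usually behind "erouted but dropped".
explain_counter() {
    case "$1" in
        XfrmInNoPols)        echo "inbound packet matched no policy (compare subnets in ip xfrm policy)";;
        XfrmInTmplMismatch)  echo "SA did not match the template of the policy it hit (ip xfrm policy vs ip xfrm state)";;
        XfrmInNoStates)      echo "no inbound SA for that SPI/dst (child SA missing on this side)";;
        XfrmInStateMismatch) echo "packet selectors do not match the SA selector (overlapping subnets across conns)";;
        XfrmOutNoStates)     echo "outbound policy hit but no SA available";;
        *)                   echo "see the kernel xfrm_proc documentation for $1";;
    esac
}

# Annotate every non-zero counter read on stdin, one line per counter.
report() {
    nonzero_xfrm_counters | while read -r name value; do
        printf '%s=%s: %s\n' "$name" "$value" "$(explain_counter "$name")"
    done
}

# Constructed sample in the /proc/net/xfrm_stats format so this runs
# offline; on the real host use:  report < /proc/net/xfrm_stats
SAMPLE='XfrmInError 0
XfrmInNoStates 0
XfrmInTmplMismatch 0
XfrmInNoPols 12
XfrmOutError 0'

printf '%s\n' "$SAMPLE" | report
# Alongside this, capture what the thread asks for:  ip xfrm policy; ip xfrm state
```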
