[Swan] R: Packets dropped strangely
libreswan91 at iotti.biz
Tue Oct 9 19:35:56 UTC 2018
> -----Original message-----
> From: Paul Wouters <paul at nohats.ca>
> Sent: Tuesday, 9 October 2018 18:54
> To: libreswan91 at iotti.biz
> Cc: swan at lists.libreswan.org
> Subject: Re: [Swan] Packets dropped strangely
>
> On Tue, 9 Oct 2018, libreswan91 at iotti.biz wrote:
>
> > I have a CentOS 7 box with libreswan. It has libreswan-3.23-5.el7_5 and
> > kernel-3.10.0-514 from CentOS.
> > I have two conns in my ipsec.conf, both go to the same remote vpn
> > gateway. I split the two conns for simplicity, see below:
>
> Why is it "simpler"?
I thought it would be simpler to expose the problem if I split the conns into
two separate sections. Indeed, I originally experienced the problem when I
had only one conn section with all the rightsubnets on only one line.
> If you just add the one rightsubnet of vpn174 into the
> rightsubnets= of vpn does it work properly then?
No, I have the same results.
If, for example, I use
rightsubnets={10.250.0.0/19,172.16.78.0/24,172.20.129.0/24,172.21.160.0/23,172.16.74.0/24},
then the packets from 172.16.74.x are dropped. With
rightsubnets={172.16.78.0/24,172.20.129.0/24,10.250.0.0/19,172.21.160.0/23,172.16.74.0/24}
instead, packets from 172.16.74.x are accepted. In general, as I rearrange
the subnets in a different order, I may (or may not) have subnets from which
I am unable to receive packets.
> > The problem is that despite the conns being regularly established, in
> > erouted state, with STATE_QUICK_[IR]2 (IPsec SA established), the
> > packets coming from 172.16.74.0/24 (hence belonging to the second
> > conn) are silently dropped by the kernel. I checked with the remote
> > side admin, and my packets reach him, and he replies.
>
> What does /proc/net/xfrm_stats show ?
I have /proc/net/xfrm_stat, at least on the stock RH/CentOS kernel. It is
(with the failing rightsubnets):
# cat /proc/net/xfrm_stat
XfrmInError 0
XfrmInBufferError 0
XfrmInHdrError 0
XfrmInNoStates 2
XfrmInStateProtoError 0
XfrmInStateModeError 0
XfrmInStateSeqError 0
XfrmInStateExpired 0
XfrmInStateMismatch 0
XfrmInStateInvalid 69
XfrmInTmplMismatch 96
XfrmInNoPols 13
XfrmInPolBlock 0
XfrmInPolError 0
XfrmOutError 0
XfrmOutBundleGenError 0
XfrmOutBundleCheckError 0
XfrmOutNoStates 275
XfrmOutStateProtoError 0
XfrmOutStateModeError 9
XfrmOutStateSeqError 0
XfrmOutStateExpired 0
XfrmOutPolBlock 0
XfrmOutPolDead 0
XfrmOutPolError 0
XfrmFwdHdrError 0
XfrmOutStateInvalid 0
The entry which increases when I have drops from my nc test command is
XfrmInTmplMismatch.
>
> Can you also show us ip xfrm pol
Here it is (I also currently have another connection between
leftsubnets={10.253.4.0/24,10.250.14.0/24} and rightsubnet=172.31.0.0/16
which works well; I changed the public IP addresses, since they are not all
mine):
# ip xfrm pol
src 10.250.14.0/24 dst 172.16.74.0/24
dir out priority 2344 ptype main
tmpl src 10.255.255.2 dst 1.1.2.12
proto esp reqid 16413 mode tunnel
src 10.250.14.0/24 dst 172.31.0.0/16
dir out priority 2352 ptype main
tmpl src 8.9.10.11 dst 9.9.1.1
proto esp reqid 16393 mode tunnel
src 172.31.0.0/16 dst 10.250.14.0/24
dir fwd priority 2352 ptype main
tmpl src 9.9.1.1 dst 8.9.10.11
proto esp reqid 16393 mode tunnel
src 172.31.0.0/16 dst 10.250.14.0/24
dir in priority 2352 ptype main
tmpl src 9.9.1.1 dst 8.9.10.11
proto esp reqid 16393 mode tunnel
src 10.253.4.0/24 dst 172.31.0.0/16
dir out priority 2352 ptype main
tmpl src 8.9.10.11 dst 9.9.1.1
proto esp reqid 16389 mode tunnel
src 172.31.0.0/16 dst 10.253.4.0/24
dir fwd priority 2352 ptype main
tmpl src 9.9.1.1 dst 8.9.10.11
proto esp reqid 16389 mode tunnel
src 172.31.0.0/16 dst 10.253.4.0/24
dir in priority 2352 ptype main
tmpl src 9.9.1.1 dst 8.9.10.11
proto esp reqid 16389 mode tunnel
src 172.16.74.0/24 dst 10.250.14.0/24
dir fwd priority 2344 ptype main
tmpl src 1.1.2.12 dst 10.255.255.2
proto esp reqid 16413 mode tunnel
src 172.16.74.0/24 dst 10.250.14.0/24
dir in priority 2344 ptype main
tmpl src 1.1.2.12 dst 10.255.255.2
proto esp reqid 16413 mode tunnel
src 10.250.14.0/24 dst 172.21.160.0/23
dir out priority 2345 ptype main
tmpl src 10.255.255.2 dst 1.1.2.12
proto esp reqid 16409 mode tunnel
src 172.21.160.0/23 dst 10.250.14.0/24
dir fwd priority 2345 ptype main
tmpl src 1.1.2.12 dst 10.255.255.2
proto esp reqid 16409 mode tunnel
src 172.21.160.0/23 dst 10.250.14.0/24
dir in priority 2345 ptype main
tmpl src 1.1.2.12 dst 10.255.255.2
proto esp reqid 16409 mode tunnel
src 10.250.14.0/24 dst 172.16.78.0/24
dir out priority 2344 ptype main
tmpl src 10.255.255.2 dst 1.1.2.12
proto esp reqid 16401 mode tunnel
src 172.16.78.0/24 dst 10.250.14.0/24
dir fwd priority 2344 ptype main
tmpl src 1.1.2.12 dst 10.255.255.2
proto esp reqid 16401 mode tunnel
src 172.16.78.0/24 dst 10.250.14.0/24
dir in priority 2344 ptype main
tmpl src 1.1.2.12 dst 10.255.255.2
proto esp reqid 16401 mode tunnel
src 10.250.14.0/24 dst 10.250.0.0/19
dir out priority 2349 ptype main
tmpl src 10.255.255.2 dst 1.1.2.12
proto esp reqid 16397 mode tunnel
src 10.250.0.0/19 dst 10.250.14.0/24
dir fwd priority 2349 ptype main
tmpl src 1.1.2.12 dst 10.255.255.2
proto esp reqid 16397 mode tunnel
src 10.250.0.0/19 dst 10.250.14.0/24
dir in priority 2349 ptype main
tmpl src 1.1.2.12 dst 10.255.255.2
proto esp reqid 16397 mode tunnel
src 10.250.14.0/24 dst 172.20.129.0/24
dir out priority 2344 ptype main
tmpl src 10.255.255.2 dst 1.1.2.12
proto esp reqid 16405 mode tunnel
src 172.20.129.0/24 dst 10.250.14.0/24
dir fwd priority 2344 ptype main
tmpl src 1.1.2.12 dst 10.255.255.2
proto esp reqid 16405 mode tunnel
src 172.20.129.0/24 dst 10.250.14.0/24
dir in priority 2344 ptype main
tmpl src 1.1.2.12 dst 10.255.255.2
proto esp reqid 16405 mode tunnel
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
dir in priority 1 ptype main
> and ip xfrm state output ?
# ip xfrm state
src 1.1.2.12 dst 10.255.255.2
proto esp spi 0xd17c9444 reqid 16413 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0x9fbce1489a1031d57b3879c54addb3d2918d5ae3264375f339eebe86bf65badc 128
enc cbc(aes)
0xa9fb86c7ff10f798284ca2a235917770a29e9368abb69fc2d5cf7fe8618ad5f9
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x6, oseq 0x0, bitmap 0x0000001f
src 10.255.255.2 dst 1.1.2.12
proto esp spi 0x58b3137f reqid 16413 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0x8885002584705da884babf34b114a3200eaee50910478e99a57ee3e9d04bbb2a 128
enc cbc(aes)
0xb1c0e9029430dd7cd9f1decb093f789999732cd781d18079291655882fc7bcaf
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x7, bitmap 0x00000000
src 9.9.1.1 dst 8.9.10.11
proto esp spi 0x6dbe6f1e reqid 16393 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x88e633bef9f211e763ba49d6bb48598680b3f508 96
enc cbc(aes) 0x1510377424f9417fcc6f020370cf3c49
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 8.9.10.11 dst 9.9.1.1
proto esp spi 0x09d40d8a reqid 16393 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x3704e199fe339e66063c2e93b442d7c3b4490b49 96
enc cbc(aes) 0x8575a28b2fa93531c5673ca211187e23
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 9.9.1.1 dst 8.9.10.11
proto esp spi 0x12684ddf reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x77b0d5e6f053634f86eaf438f6c4b73841bf167a 96
enc cbc(aes) 0xd2bd63d6fe45b496bfb69a0b358e0f2b
anti-replay context: seq 0x64, oseq 0x0, bitmap 0xffffffff
src 8.9.10.11 dst 9.9.1.1
proto esp spi 0xd6241c6c reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x21b8e6bc2f2eb984102523b843cc89cf8d3f4adc 96
enc cbc(aes) 0x22493bc13ba347ba3256bc795f8d3d24
anti-replay context: seq 0x0, oseq 0x64, bitmap 0x00000000
src 1.1.2.12 dst 10.255.255.2
proto esp spi 0x8e29f619 reqid 16413 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0xef26e130019893fedb1c1cdfb68b0db83bb2131e18a1628f59fb826d1a65c5e0 128
enc cbc(aes)
0x5d605362527d8dfea5d7e8f481231f7e8f7218d627bca6f04047a83fa48fd6e8
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.255.255.2 dst 1.1.2.12
proto esp spi 0x58b31364 reqid 16413 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0x6534b3c276a519565cbf9f1a13f584b74fc44defa83ac5aa3518af39c25e7649 128
enc cbc(aes)
0xdf5ac43930e48cecceb72826dee92bff42359cea57b686a2f017836d8336adab
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x1, bitmap 0x00000000
src 1.1.2.12 dst 10.255.255.2
proto esp spi 0x4ed1494f reqid 16409 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0x53952d4942bf9f3746571d88950e5e04e3b4112b080914f330b4587380134f9d 128
enc cbc(aes)
0x573e37856a1ab8ac39873014ceb69ffed3f9fb03d8e212419e2d3a5a82bd39ef
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x21, oseq 0x0, bitmap 0xffffffff
src 10.255.255.2 dst 1.1.2.12
proto esp spi 0x58b31363 reqid 16409 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0x5a76b1a62bf91a075c38c0c27d4d51b6d266ed346c4ca86eb49ac22e52487179 128
enc cbc(aes)
0x4423019e9d32ee47ae2ab59f5f2ac74b55bcefc51452f760696d7685b4ea1c16
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x36, bitmap 0x00000000
src 1.1.2.12 dst 10.255.255.2
proto esp spi 0xc0c14131 reqid 16401 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0xa378bb2b9ab6f2497355ec535dc4210dbebc296dd7e95caa15d25e199e4c4a35 128
enc cbc(aes)
0x777545e3c1f96544f6e740926924d4e85557727d1bd1ca278c8eb201a2dfe7be
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x8, oseq 0x0, bitmap 0x0000007f
src 10.255.255.2 dst 1.1.2.12
proto esp spi 0x58b31362 reqid 16401 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0x11e03408798e6fc2f4f83bb35fa34efc036914c6a8df409f0327a1ae6d9b97ff 128
enc cbc(aes)
0x12d963c265d79d9d705d0aec279c1967deaf7d6f60b911241c32c8a4468e44a6
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x7, bitmap 0x00000000
src 1.1.2.12 dst 10.255.255.2
proto esp spi 0x9930638d reqid 16397 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0x1576c418846f478f3137d26bf679905be1ec7780d21b74de68f7f7b7c250a848 128
enc cbc(aes)
0x47e0d2973669136b0638becfa064a96420161a4aa37c8fb692dccc3fc1778009
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.255.255.2 dst 1.1.2.12
proto esp spi 0x58b31360 reqid 16397 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0x97db6c207f0a05360c9697b3c7b727abadf741a1d9b9de9f59389ca3550cbd92 128
enc cbc(aes)
0xc22efa664c81e9248a41f55d3eb3fca4fd76ab37caca70f31da4281e0467099b
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 1.1.2.12 dst 10.255.255.2
proto esp spi 0x8fbc792a reqid 16405 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0x8ec847331c9008814bb3128c05fb2e23d9e5eeb670255ec69ea7e0e5a728da04 128
enc cbc(aes)
0x9ba782a0d6976e4aec3d3a5ab52c256250be12b9200b685cab51bfc2266c4729
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.255.255.2 dst 1.1.2.12
proto esp spi 0x58b31361 reqid 16405 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0x961ba6feeec96056d435ee93e0d708b3bbc3efc30a76f69f7e8f41178e30bbed 128
enc cbc(aes)
0x2a712d49ba4157f500b20aa121c8a98f8dc039c6dd6b73e1650b9054735fd63a
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>
> > Do you have some advice to solve and/or further investigate the problem?
>
> I would use one conn instead of two. But it should also work with two.
> Perhaps the xfrm output will show us what is going on.
>
> Paul
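An added diagnostic script, not part of this thread or of libreswan, that automates the two checks exchanged above: it reports which /proc/net/xfrm_stat counters grew between two readings (here XfrmInTmplMismatch, as observed with the nc test) and lists in/fwd policies from `ip xfrm pol` whose template (tunnel endpoints, proto, reqid) has no matching SA in `ip xfrm state`. The sample input is constructed from the values in the thread; reqid 16499 is an assumption made up so that one policy has no SA.

```python
import re

# Constructed sample input modelled on the thread's output, not a real capture;
# reqid 16499 is made up so one policy has no matching SA.
STAT_BEFORE = "XfrmInNoStates 2\nXfrmInTmplMismatch 90\nXfrmInNoPols 13\n"
STAT_AFTER = "XfrmInNoStates 2\nXfrmInTmplMismatch 96\nXfrmInNoPols 13\n"
POLICIES = """src 172.16.74.0/24 dst 10.250.14.0/24
  dir in priority 2344 ptype main
  tmpl src 1.1.2.12 dst 10.255.255.2
    proto esp reqid 16413 mode tunnel
src 172.16.78.0/24 dst 10.250.14.0/24
  dir in priority 2344 ptype main
  tmpl src 1.1.2.12 dst 10.255.255.2
    proto esp reqid 16499 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
  socket in priority 0 ptype main
"""
STATES = """src 1.1.2.12 dst 10.255.255.2
  proto esp spi 0xd17c9444 reqid 16413 mode tunnel
"""
POL_RE = re.compile(r"src (\S+) dst (\S+)\s+dir (\w+) .*?tmpl src (\S+) dst (\S+)"
                    r"\s+proto (\w+) reqid (\d+)", re.S)
STATE_RE = re.compile(r"^src (\S+) dst (\S+)\s+proto (\w+) spi \S+ reqid (\d+)", re.M)

def parse_xfrm_stat(text):
    """Map counter name -> value from /proc/net/xfrm_stat text."""
    return {k: int(v) for k, v in re.findall(r"(Xfrm\w+)\s+(\d+)", text)}

def grown_counters(before, after):
    """Counters that increased between two snapshots, with their deltas."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v > before.get(k, 0)}

def parse_policies(text):
    """Policies from `ip xfrm pol` output; socket policies (no dir/tmpl) are skipped."""
    pols = []
    for block in re.split(r"\n(?=src )", text.strip()):
        m = POL_RE.match(block)
        if m:
            src, dst, d, tsrc, tdst, proto, reqid = m.groups()
            pols.append({"src": src, "dst": dst, "dir": d, "tmpl": (tsrc, tdst, proto, int(reqid))})
    return pols

def parse_states(text):
    """Set of (src, dst, proto, reqid) for every SA in `ip xfrm state` output."""
    return {(s, d, p, int(r)) for s, d, p, r in STATE_RE.findall(text)}

def unmatched_inbound(policies, states):
    """in/fwd policies whose template has no SA with the same endpoints, proto and reqid."""
    return [p for p in policies if p["dir"] in ("in", "fwd") and p["tmpl"] not in states]
```

On a live box, feed the functions two reads of /proc/net/xfrm_stat taken around the nc test and the text of `ip xfrm pol` and `ip xfrm state`; an inbound policy listed by unmatched_inbound is one for which the kernel can only count the packet as a template mismatch or missing state and drop it.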