[Swan] R: R: Packets dropped strangely

libreswan91 at iotti.biz libreswan91 at iotti.biz
Tue Oct 9 19:46:50 UTC 2018



> -----Original message-----
> From: Swan <swan-bounces at lists.libreswan.org> On behalf of
> libreswan91 at iotti.biz
> Sent: Tuesday 9 October 2018 21:36
> To: 'Paul Wouters' <paul at nohats.ca>
> Cc: swan at lists.libreswan.org
> Subject: [Swan] R: Packets dropped strangely
> 
> > -----Original message-----
> > From: Paul Wouters <paul at nohats.ca>
> > Sent: Tuesday 9 October 2018 18:54
> > To: libreswan91 at iotti.biz
> > Cc: swan at lists.libreswan.org
> > Subject: Re: [Swan] Packets dropped strangely
> >
> > On Tue, 9 Oct 2018, libreswan91 at iotti.biz wrote:
> >
> > > I have a CentOS 7 box with libreswan. It has libreswan-3.23-5.el7_5
> > > and
> > > kernel-3.10.0-514 from CentOS.
> > > I have two conns in my ipsec.conf, both go to the same remote vpn
> > > gateway. I split the two conns for simplicity, see below:
> >
> > Why is it "simpler"?
> 
> I thought it would be simpler to expose the problem if I split the conns in
> two separate sections. Indeed, I originally experienced the problem when I had
> only one conn section with all the rightsubnets in only one line.
> 
> > If you just add the one rightsubnet of vpn174 into the rightsubnets=
> > of vpn does it work properly then?

Please forgive me, I fear in the previous reply I pasted the results from a
working subnet config (I did not restart, sorry).

Failing config:
rightsubnets={172.16.78.0/24,172.20.129.0/24,10.250.0.0/19,172.21.160.0/23,172.16.74.0/24}

# cat /proc/net/xfrm_stat
XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  2
XfrmInStateProtoError           0
XfrmInStateModeError            0
XfrmInStateSeqError             0
XfrmInStateExpired              0
XfrmInStateMismatch             0
XfrmInStateInvalid              69
XfrmInTmplMismatch              119
XfrmInNoPols                    13
XfrmInPolBlock                  0
XfrmInPolError                  0
XfrmOutError                    0
XfrmOutBundleGenError           0
XfrmOutBundleCheckError         0
XfrmOutNoStates                 275
XfrmOutStateProtoError          0
XfrmOutStateModeError           9
XfrmOutStateSeqError            0
XfrmOutStateExpired             0
XfrmOutPolBlock                 0
XfrmOutPolDead                  0
XfrmOutPolError                 0
XfrmFwdHdrError                 0
XfrmOutStateInvalid             0

# ip xfrm pol  
src 10.250.14.0/24 dst 172.16.78.0/24 
        dir out priority 2344 ptype main 
        tmpl src 10.255.255.2 dst 1.1.2.12
                proto esp reqid 16397 mode tunnel
src 10.250.14.0/24 dst 172.31.0.0/16 
        dir out priority 2352 ptype main 
        tmpl src 8.9.10.11 dst 9.9.1.1
                proto esp reqid 16393 mode tunnel
src 172.31.0.0/16 dst 10.250.14.0/24 
        dir fwd priority 2352 ptype main 
        tmpl src 9.9.1.1 dst 8.9.10.11
                proto esp reqid 16393 mode tunnel
src 172.31.0.0/16 dst 10.250.14.0/24 
        dir in priority 2352 ptype main 
        tmpl src 9.9.1.1 dst 8.9.10.11
                proto esp reqid 16393 mode tunnel
src 10.253.4.0/24 dst 172.31.0.0/16 
        dir out priority 2352 ptype main 
        tmpl src 8.9.10.11 dst 9.9.1.1
                proto esp reqid 16389 mode tunnel
src 172.31.0.0/16 dst 10.253.4.0/24 
        dir fwd priority 2352 ptype main 
        tmpl src 9.9.1.1 dst 8.9.10.11
                proto esp reqid 16389 mode tunnel
src 172.31.0.0/16 dst 10.253.4.0/24 
        dir in priority 2352 ptype main 
        tmpl src 9.9.1.1 dst 8.9.10.11
                proto esp reqid 16389 mode tunnel
src 10.250.14.0/24 dst 172.16.74.0/24 
        dir out priority 2344 ptype main 
        tmpl src 10.255.255.2 dst 1.1.2.12
                proto esp reqid 16413 mode tunnel
src 172.16.74.0/24 dst 10.250.14.0/24 
        dir fwd priority 2344 ptype main 
        tmpl src 1.1.2.12 dst 10.255.255.2
                proto esp reqid 16413 mode tunnel
src 172.16.74.0/24 dst 10.250.14.0/24 
        dir in priority 2344 ptype main 
        tmpl src 1.1.2.12 dst 10.255.255.2
                proto esp reqid 16413 mode tunnel
src 10.250.14.0/24 dst 172.21.160.0/23 
        dir out priority 2345 ptype main 
        tmpl src 10.255.255.2 dst 1.1.2.12
                proto esp reqid 16409 mode tunnel
src 172.21.160.0/23 dst 10.250.14.0/24 
        dir fwd priority 2345 ptype main 
        tmpl src 1.1.2.12 dst 10.255.255.2
                proto esp reqid 16409 mode tunnel
src 172.21.160.0/23 dst 10.250.14.0/24 
        dir in priority 2345 ptype main 
        tmpl src 1.1.2.12 dst 10.255.255.2
                proto esp reqid 16409 mode tunnel
src 10.250.14.0/24 dst 172.20.129.0/24 
        dir out priority 2344 ptype main 
        tmpl src 10.255.255.2 dst 1.1.2.12
                proto esp reqid 16401 mode tunnel
src 172.20.129.0/24 dst 10.250.14.0/24 
        dir fwd priority 2344 ptype main 
        tmpl src 1.1.2.12 dst 10.255.255.2
                proto esp reqid 16401 mode tunnel
src 172.20.129.0/24 dst 10.250.14.0/24 
        dir in priority 2344 ptype main 
        tmpl src 1.1.2.12 dst 10.255.255.2
                proto esp reqid 16401 mode tunnel
src 172.16.78.0/24 dst 10.250.14.0/24 
        dir fwd priority 2344 ptype main 
        tmpl src 1.1.2.12 dst 10.255.255.2
                proto esp reqid 16397 mode tunnel
src 172.16.78.0/24 dst 10.250.14.0/24 
        dir in priority 2344 ptype main 
        tmpl src 1.1.2.12 dst 10.255.255.2
                proto esp reqid 16397 mode tunnel
src 10.250.14.0/24 dst 10.250.0.0/19 
        dir out priority 2349 ptype main 
        tmpl src 10.255.255.2 dst 1.1.2.12
                proto esp reqid 16405 mode tunnel
src 10.250.0.0/19 dst 10.250.14.0/24 
        dir fwd priority 2349 ptype main 
        tmpl src 1.1.2.12 dst 10.255.255.2
                proto esp reqid 16405 mode tunnel
src 10.250.0.0/19 dst 10.250.14.0/24 
        dir in priority 2349 ptype main 
        tmpl src 1.1.2.12 dst 10.255.255.2
                proto esp reqid 16405 mode tunnel
src ::/0 dst ::/0 
        socket out priority 0 ptype main 
src ::/0 dst ::/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src ::/0 dst ::/0 proto ipv6-icmp type 135 
        dir out priority 1 ptype main 
src ::/0 dst ::/0 proto ipv6-icmp type 135 
        dir fwd priority 1 ptype main 
src ::/0 dst ::/0 proto ipv6-icmp type 135 
        dir in priority 1 ptype main 
src ::/0 dst ::/0 proto ipv6-icmp type 136 
        dir out priority 1 ptype main 
src ::/0 dst ::/0 proto ipv6-icmp type 136 
        dir fwd priority 1 ptype main 
src ::/0 dst ::/0 proto ipv6-icmp type 136 
        dir in priority 1 ptype main

# ip xfrm state
src 1.1.2.12 dst 10.255.255.2
        proto esp spi 0x9043a8ce reqid 16397 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x70becc40961b432b401d716a70a1a9ebbd02c98e0cf77f3b4042e288ba54b7ef 128
        enc cbc(aes) 0xaf7a9f1b46e71ff600ccfb93c3639f2214611111d206fe255cdcfd956ff32384
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x17, oseq 0x0, bitmap 0x003fffff
src 10.255.255.2 dst 1.1.2.12
        proto esp spi 0x58b32535 reqid 16397 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0xcf9b51c502d74aab9023d3cb2b8de5e906bdc4e38b54b908a65001f300b4b233 128
        enc cbc(aes) 0x5061d2ce1cd3a9820a6f7b3ce7cdd8ffaee7c169299ee55d977b852e8f2ae1cc
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0xa, bitmap 0x00000000
src 9.9.1.1 dst 8.9.10.11
        proto esp spi 0xf393847a reqid 16393 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xb11833c98912af634fc035a5d099b8fe82437eaa 96
        enc cbc(aes) 0x328cdbed23d73ea1e3d826ff15f7d350
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 8.9.10.11 dst 9.9.1.1
        proto esp spi 0x65822770 reqid 16393 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xf60e912703130e243b9c4411251bac596b87af6c 96
        enc cbc(aes) 0x84c0e2913c3911de541e5ba40e5d8b1e
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 9.9.1.1 dst 8.9.10.11
        proto esp spi 0xa5d9a6a0 reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x8357e854a5f3c6e508164b476529cbe2555ad1e6 96
        enc cbc(aes) 0x828a9a320718de3eb0999ce3e0f13141
        anti-replay context: seq 0x61, oseq 0x0, bitmap 0xffffffff
src 8.9.10.11 dst 9.9.1.1
        proto esp spi 0xde227839 reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x9c74168fea70e853b88a0cf599a5f81bd33eeb2b 96
        enc cbc(aes) 0x78b63fa03df742a23714f08fac574703
        anti-replay context: seq 0x0, oseq 0x61, bitmap 0x00000000
src 1.1.2.12 dst 10.255.255.2
        proto esp spi 0xa418fbce reqid 16413 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x89f27e7c7b18c2ec7beee041ac6f454a7a02940fa4fe092849d324d6881094c5 128
        enc cbc(aes) 0x15faccc576dc012bfbc7c5cf33114f532c6d68b30870a8fe59bced6829a5baad
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.255.255.2 dst 1.1.2.12
        proto esp spi 0x58b32518 reqid 16413 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x71eaa5abb2318753aff3cb9b5bf37d95116a9f617689f2652258124b8256d72f 128
        enc cbc(aes) 0x4b935807effbdf12df1d2af3e11dc370ea780327e5b174e816c4a0aac155c98a
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x17, bitmap 0x00000000
src 1.1.2.12 dst 10.255.255.2
        proto esp spi 0xc58bb49d reqid 16409 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x49992139bacc8da731acf562648fb4ae9ee13df09ba83d219c9fc42db7fb46b7 128
        enc cbc(aes) 0x4d34bc6834c4eab506d5a58c5634cb19d364f664701042ed6add63fd6b7ac865
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x31, oseq 0x0, bitmap 0xffffffff
src 10.255.255.2 dst 1.1.2.12
        proto esp spi 0x58b32517 reqid 16409 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0xee90574a7987be03a11349c6b4cdabbd3ec083d48dce52bacc82609c2af08eef 128
        enc cbc(aes) 0xaaf1e17285382c7e603a8f56587c12b616d437693282661595a045e839417a16
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x50, bitmap 0x00000000
src 1.1.2.12 dst 10.255.255.2
        proto esp spi 0xb8087992 reqid 16401 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x2914c5939fd47f23d882d997078e74d6890d1ed653ec8eb34a292f0963b5a53f 128
        enc cbc(aes) 0x3f06277f78ce71ddd05b7b8e817f337ce94bee8921028a7ff8cc490f2fd38c0f
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.255.255.2 dst 1.1.2.12
        proto esp spi 0x58b32516 reqid 16401 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0xfc5c24a3c87c0e98c6c0f4d384c2c0ace4ff3fa4d4d848caa56fa62633b1893d 128
        enc cbc(aes) 0x09534da8735b6c363901e2909176f130d3d15d2b64d0c5b76b80797012fa25a5
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 1.1.2.12 dst 10.255.255.2
        proto esp spi 0x32c3a2f3 reqid 16397 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0xb7fdc978df7efa2910e8286e2e615dd5770a9c39c95bd3829c0ff6ccedf66ea1 128
        enc cbc(aes) 0x6b6982e9d656b3e15e714b750675cdf75c1987c13308749014c7a03c47362de0
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0xb, oseq 0x0, bitmap 0x000003ff
src 10.255.255.2 dst 1.1.2.12
        proto esp spi 0x58b32515 reqid 16397 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x8741066e0756c0f8c5557ac8d22d1b254066fd677caecab60498af47d4b9b937 128
        enc cbc(aes) 0x931ce802e57f7c8167387c3aa08d0b9062d430fad9415991130c47fd53f18aa9
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x1, bitmap 0x00000000
src 1.1.2.12 dst 10.255.255.2
        proto esp spi 0x23a68fc2 reqid 16405 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x9219a29b9b7fa7ce97e2d510fb9a56c4ed765c32c742732e56e36953151874c5 128
        enc cbc(aes) 0x70c306a18b809bb8a2a3f8f28e86fea4e1dc4a087c3f6ca74b13a9ed5036fd71
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.255.255.2 dst 1.1.2.12
        proto esp spi 0x58b32514 reqid 16405 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0xab1a5d1e195231461ad7b66ea0f636f1f1cbeea84181404c55ce71b186b42fa7 128
        enc cbc(aes) 0xaddedc66d525199f8e1e046d1e9f3962460b2e238b599d39b6028bafad14c49a
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
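Added example (not part of the post above, and not libreswan's code): a small Python script that does the cross-check a reader of the dumps above would do by hand. It parses `/proc/net/xfrm_stat`, `ip xfrm policy` and `ip xfrm state` text in the format shown in the post, annotates the nonzero counters, lists every policy template for which no SA (same tunnel endpoints and reqid) exists, and lists templates that have more than one SA. The sample inputs are constructed: trimmed from the output quoted in the post with the keys left out, plus one invented policy (reqid 16999, destination 192.0.2.0/24) that has no SA so the missing-SA check has something to report. The counter descriptions are paraphrased from the kernel's xfrm_proc documentation.

```python
"""Cross-check `ip xfrm policy` against `ip xfrm state` and read the nonzero
/proc/net/xfrm_stat counters to locate policy/SA mismatches (XfrmOutNoStates
and friends). Added example, not code from the post or from libreswan. The
samples are constructed: trimmed from the thread's output (keys omitted) plus
one invented policy (reqid 16999 to 192.0.2.0/24) that has no SA."""
import re
from collections import defaultdict

# Paraphrased from the kernel's Documentation/networking/xfrm_proc.rst.
COUNTER_HINTS = {
    "XfrmInNoStates": "inbound ESP whose SPI/addresses match no SA",
    "XfrmInTmplMismatch": "inbound SA is fine but no policy template matches it",
    "XfrmOutNoStates": "outbound policy matched but no SA exists for its template",
}
SAMPLE_STAT = """\
XfrmInError                     0
XfrmInNoStates                  2
XfrmInTmplMismatch              119
XfrmOutNoStates                 275
"""
SAMPLE_POLICY = """\
src 10.250.14.0/24 dst 172.16.78.0/24
        dir out priority 2344 ptype main
        tmpl src 10.255.255.2 dst 1.1.2.12
                proto esp reqid 16397 mode tunnel
src 172.16.78.0/24 dst 10.250.14.0/24
        dir in priority 2344 ptype main
        tmpl src 1.1.2.12 dst 10.255.255.2
                proto esp reqid 16397 mode tunnel
src 10.250.14.0/24 dst 192.0.2.0/24
        dir out priority 2344 ptype main
        tmpl src 10.255.255.2 dst 1.1.2.12
                proto esp reqid 16999 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
"""
SAMPLE_STATE = """\
src 1.1.2.12 dst 10.255.255.2
        proto esp spi 0x9043a8ce reqid 16397 mode tunnel
src 10.255.255.2 dst 1.1.2.12
        proto esp spi 0x58b32535 reqid 16397 mode tunnel
src 1.1.2.12 dst 10.255.255.2
        proto esp spi 0x32c3a2f3 reqid 16397 mode tunnel
"""

def parse_xfrm_stat(text):
    # {counter: value} for every Xfrm* line of /proc/net/xfrm_stat
    return {p[0]: int(p[1]) for p in map(str.split, text.splitlines())
            if len(p) == 2 and p[0].startswith("Xfrm")}

def _blocks(text):
    """Split `ip xfrm ...` output at each unindented 'src X dst Y' line."""
    blocks = []
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:
            blocks.append(({"src": m.group(1), "dst": m.group(2)}, []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def parse_policies(text):
    """Policies with their templates; socket policies (no 'dir') are dropped."""
    out = []
    for head, body in _blocks(text):
        pol = dict(head, dir=None, tmpl=[])
        for line in body:
            if m := re.match(r"dir (\w+)", line):
                pol["dir"] = m.group(1)
            elif m := re.match(r"tmpl src (\S+) dst (\S+)", line):
                pol["tmpl"].append({"src": m.group(1), "dst": m.group(2)})
            elif (m := re.match(r"proto \w+ reqid (\d+)", line)) and pol["tmpl"]:
                pol["tmpl"][-1]["reqid"] = int(m.group(1))
        if pol["dir"]:
            out.append(pol)
    return out

def parse_states(text):
    """SAs keyed by the triple a policy template names: (src, dst, reqid)."""
    sas = defaultdict(list)
    for head, body in _blocks(text):
        for line in body:
            if m := re.match(r"proto \w+ spi (0x[0-9a-f]+) reqid (\d+)", line):
                sas[(head["src"], head["dst"], int(m.group(2)))].append(m.group(1))
    return dict(sas)

def policies_without_sa(policies, sas):
    """Templates naming an SA that does not exist: traffic selected by such a
    policy is dropped (XfrmOutNoStates for dir out, XfrmInNoStates inbound)."""
    return [(p["src"], p["dst"], p["dir"], t["reqid"]) for p in policies
            for t in p["tmpl"] if (t["src"], t["dst"], t["reqid"]) not in sas]

def duplicate_sas(sas):
    """Several SPIs for one template: normal during a rekey, suspicious if it persists."""
    return {k: v for k, v in sas.items() if len(v) > 1}

def report(stat_text, policy_text, state_text):
    sas = parse_states(state_text)
    return {"counters": {k: (v, COUNTER_HINTS.get(k, "")) for k, v in
                         parse_xfrm_stat(stat_text).items() if v},
            "missing_sa": policies_without_sa(parse_policies(policy_text), sas),
            "duplicate_sa": duplicate_sas(sas)}
```

On a live host, feed `report()` the contents of /proc/net/xfrm_stat and the output of `ip xfrm policy` and `ip xfrm state` (run as root so the SA listing is complete). The counters are cumulative since boot, so take one snapshot, reproduce the drop, take another and look at the difference; a policy listed under `missing_sa` while XfrmOutNoStates climbs is the concrete thing to bring to the list.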


