[Swan] No Traffic Received On Tunnels

Adam Tauno Williams awilliam at whitemice.org
Tue Jul 9 19:39:38 UTC 2019


I have a working ipsec server - let's call it X2.X2.X2.X2 - connected
via GRE tunnels to three Cisco 890 series routers.  It works!

I am attempting to add a fourth, and I believe the association says it
is up.  ISAKMP and SA show as ready on the Cisco side of the new site -
let's call it X1.X1.X1.X1.

The status messages appear the same as for a working side - called
X3.X3.X3.X3.

And I can see ESP packets leave the ipsec server (X2) for the new site
(X1).  However neither side ever shows any packets received on their
GRE tunnels.  Even when pinging just the other end of the tunnel.

Any suggestions would be great, I am flummoxed.  I've verified the
configs over and over, checked all the status logs, the routing tables,
etc...

I would expect a firewall, but the tunnel shows as status up.

"ets-gre" is the new site, X1.X1.X1.X1

000 "ets-gre": X2.X2.X2.X2<X2.X2.X2.X2>:47/0---192.168.1.6...X1.X1.X1.X1<X1.X1.X1.X1>:47/0; erouted; eroute owner: #705
000 "ets-gre":     oriented; my_ip=unset; their_ip=unset
000 "ets-gre":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "ets-gre":   our auth:secret, their auth:secret
000 "ets-gre":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "ets-gre":   labeled_ipsec:no;
000 "ets-gre":   policy_label:unset;
000 "ets-gre":   ike_life: 86400s; ipsec_life: 43200s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "ets-gre":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ets-gre":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "ets-gre":   policy: PSK+ENCRYPT+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "ets-gre":   conn_prio: 32,32; interface: ens224; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "ets-gre":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "ets-gre":   newest ISAKMP SA: #704; newest IPsec SA: #705;
000 "ets-gre":   IKE algorithm newest: AES_CBC_256-SHA1-MODP1536
000 "ets-gre":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>

000 #705: "ets-gre":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 36540s; newest IPSEC; eroute owner; isakmp#704; idle; import:not set
000 #705: "ets-gre" esp.75dd8022 at 50.252.90.81 esp.2a981050 at X2.X2.X2.X2 ref=0 refhim=0 Traffic: ESPin=0B ESPout=315KB! ESPmax=4194303B 
000 #704: "ets-gre":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 80041s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set



ip -s xfrm state

src X1.X1.X1.X1 dst X2.X2.X2.X2    # NEW SITE
	proto esp spi 0x2a981050(714608720) reqid 16397(0x0000400d) mode transport
	replay-window 32 seq 0x00000000 flag  (0x00000000)
	auth-trunc hmac(sha1) 0x136809bee86d8e91$$$16b3dbb908f6728e3fc53 (160 bits) 96
	enc cbc(aes) 0xb1d125f75985802df444$$$81cb3aa7 (128 bits)
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src X1.X1.X1.X1/32 dst X2.X2.X2.X2/32 proto gre uid 0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2019-07-09 14:00:54 use -
	stats:
	  replay-window 0 replay 0 failed 0
	  
src X2.X2.X2.X2 dst X1.X1.X1.X1   # NEW SITE
	proto esp spi 0x75dd8022(1977450530) reqid 16397(0x0000400d) mode transport
	replay-window 32 seq 0x00000000 flag  (0x00000000)
	auth-trunc hmac(sha1) 0x7625a3b3aebab530277811$$$46f9ef26dbe8e6 (160 bits) 96
	enc cbc(aes) 0xc4f47296aa3fc2b1d5$$$$1bb376684b (128 bits)
	anti-replay context: seq 0x0, oseq 0xe59, bitmap 0x00000000
	sel src X2.X2.X2.X2/32 dst X1.X1.X1.X1/32 proto gre uid 0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  323304(bytes), 3673(packets)
	  add 2019-07-09 14:00:54 use 2019-07-09 14:05:13
	stats:
	  replay-window 0 replay 0 failed 0

src X3.X3.X3.X3 dst X2.X2.X2.X2   # WORKING SITE
	proto esp spi 0x7512490f(1964132623) reqid 16405(0x00004015) mode transport
	replay-window 32 seq 0x00000000 flag  (0x00000000)
	auth-trunc hmac(sha1) 0xa0ceadeee5a8$$$226b152ce306d83a6ed58ae64 (160 bits) 96
	enc cbc(aes) 0xb1d9d0b161b93aa859$$$c5c3c030bf1 (128 bits)
	anti-replay context: seq 0x164b, oseq 0x0, bitmap 0xffffffff
	sel src X3.X3.X3.X3/32 dst X2.X2.X2.X2/32 proto gre uid 0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  1801839(bytes), 5707(packets)
	  add 2019-07-09 14:56:52 use 2019-07-09 14:56:52
	stats:
	  replay-window 0 replay 0 failed 0
	  
src X2.X2.X2.X2 dst X3.X3.X3.X3  # WORKING SITE
	proto esp spi 0xfe5da2d9(4267549401) reqid 16405(0x00004015) mode transport
	replay-window 32 seq 0x00000000 flag  (0x00000000)
	auth-trunc hmac(sha1) 0xad31b5e0ba8657***7516b02f75e4954c057b1fe (160 bits) 96
	enc cbc(aes) 0x6042b476e3e339***efba8435335b65c (128 bits)
	anti-replay context: seq 0x0, oseq 0x2a4d, bitmap 0x00000000
	sel src X2.X2.X2.X2/32 dst X3.X3.X3.X3/32 proto gre uid 0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  2206891(bytes), 10829(packets)
	  add 2019-07-09 14:56:52 use 2019-07-09 14:56:52
	stats:

-- 
Adam Tauno Williams, awilliam at whitemice.org
Multi-Modal Activists Against Auto Dependent Development
resisting the unAmerican socialists of the Motorist hegemony
http://www.mmaaadd.org 
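
The diagnostic pattern in the post above (outbound ESP counters climbing while the inbound SA of the same reqid stays at 0 bytes, as the `ip -s xfrm state` listing shows for the new site but not the working one) can be checked mechanically. The following is an added example, not code from the poster or from the Libreswan project: it parses the `ip -s xfrm state` text format, pairs the two SAs of each reqid, and flags pairs where ESP is sent but never received. The sample input is constructed from the post, with the poster's placeholder addresses kept and the key material left out; `parse_xfrm_state` and `check_pairs` are names chosen here.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `ip -s xfrm state` output, taken from
# the post (placeholder addresses kept, keys omitted). reqid 16397 is the
# new site, reqid 16405 the working one.
SAMPLE = """\
src X1.X1.X1.X1 dst X2.X2.X2.X2
	proto esp spi 0x2a981050(714608720) reqid 16397(0x0000400d) mode transport
	replay-window 32 seq 0x00000000 flag  (0x00000000)
	sel src X1.X1.X1.X1/32 dst X2.X2.X2.X2/32 proto gre uid 0
	lifetime current:
	  0(bytes), 0(packets)
	  add 2019-07-09 14:00:54 use -
	stats:
	  replay-window 0 replay 0 failed 0
src X2.X2.X2.X2 dst X1.X1.X1.X1
	proto esp spi 0x75dd8022(1977450530) reqid 16397(0x0000400d) mode transport
	sel src X2.X2.X2.X2/32 dst X1.X1.X1.X1/32 proto gre uid 0
	lifetime current:
	  323304(bytes), 3673(packets)
	stats:
	  replay-window 0 replay 0 failed 0
src X3.X3.X3.X3 dst X2.X2.X2.X2
	proto esp spi 0x7512490f(1964132623) reqid 16405(0x00004015) mode transport
	sel src X3.X3.X3.X3/32 dst X2.X2.X2.X2/32 proto gre uid 0
	lifetime current:
	  1801839(bytes), 5707(packets)
	stats:
	  replay-window 0 replay 0 failed 0
src X2.X2.X2.X2 dst X3.X3.X3.X3
	proto esp spi 0xfe5da2d9(4267549401) reqid 16405(0x00004015) mode transport
	sel src X2.X2.X2.X2/32 dst X3.X3.X3.X3/32 proto gre uid 0
	lifetime current:
	  2206891(bytes), 10829(packets)
	stats:
	  replay-window 0 replay 0 failed 0
"""

# One SA starts at a non-indented "src ... dst ..." line; the indented lines
# that follow belong to it.
SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
PROTO = re.compile(r"proto (\w+) spi (0x[0-9a-f]+)\(\d+\) reqid (\d+)\(0x[0-9a-f]+\) mode (\w+)")
SEL = re.compile(r"sel src (\S+) dst (\S+) proto (\w+)")
CURRENT = re.compile(r"(\d+)\(bytes\), (\d+)\(packets\)")   # "INF" limits never match
STATS = re.compile(r"replay-window \d+ replay \d+ failed (\d+)")


def parse_xfrm_state(text: str) -> List[dict]:
    """Turn `ip -s xfrm state` output into one dict per SA."""
    sas: List[dict] = []
    cur = None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "bytes": 0, "packets": 0, "failed": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if (m := PROTO.search(s)):
            cur.update(proto=m.group(1), spi=m.group(2), reqid=int(m.group(3)), mode=m.group(4))
        elif (m := SEL.search(s)):
            cur.update(sel_src=m.group(1), sel_dst=m.group(2), sel_proto=m.group(3))
        elif (m := CURRENT.search(s)):
            cur.update(bytes=int(m.group(1)), packets=int(m.group(2)))
        elif (m := STATS.search(s)):
            cur["failed"] = int(m.group(1))
    return sas


def check_pairs(sas: List[dict], local: str) -> Dict[int, dict]:
    """Pair inbound/outbound SAs by reqid (from this host's point of view) and
    flag tunnels that only ever send. Zero inbound bytes with zero integrity
    failures means no ESP for that SPI reached the xfrm layer at all."""
    report: Dict[int, dict] = {}
    for sa in sas:
        r = report.setdefault(sa["reqid"], {"peer": None, "in_bytes": 0,
                                            "out_bytes": 0, "in_failed": 0, "issues": []})
        if sa["dst"] == local:           # inbound SA
            r["peer"], r["in_bytes"], r["in_failed"] = sa["src"], sa["bytes"], sa["failed"]
        elif sa["src"] == local:         # outbound SA
            r["peer"], r["out_bytes"] = sa["dst"], sa["bytes"]
    for r in report.values():
        if r["out_bytes"] > 0 and r["in_bytes"] == 0:
            why = ("peer's ESP never arrives (path or host filter on IP proto 50?)"
                   if r["in_failed"] == 0 else "inbound ESP fails integrity (key/proposal mismatch?)")
            r["issues"].append(f"one-way traffic to {r['peer']}: {why}")
    return report


if __name__ == "__main__":
    for reqid, r in check_pairs(parse_xfrm_state(SAMPLE), "X2.X2.X2.X2").items():
        print(reqid, r["peer"], r["in_bytes"], r["out_bytes"], r["issues"] or "ok")
```

Run against live output with `ip -s xfrm state | python3 thisfile.py`-style piping replaced by `parse_xfrm_state(sys.stdin.read())`; the report separates "peer's packets never got here" (zero bytes, zero failures, the case in the post) from "packets arrive but cannot be authenticated" (failures counted), which is the first fork in the troubleshooting tree.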

