[Swan] No Traffic Received On Tunnels

Paul Wouters paul at nohats.ca
Tue Jul 9 20:31:56 UTC 2019


On Tue, 9 Jul 2019, Adam Tauno Williams wrote:

> I have a working ipsec server - let's call it X2.X2.X2.X2 - connected
> via GRE tunnels to three Cisco 890 series routers.  It works!

Yes it shows the new site is ipsec. You can run ipsec trafficstatus to
see byte counters, so if you do a ping (with proper source IP) then
you can check the outBytes to see if it got encrypted, and inBytes to
see if it got encrypted replies. Then you can likely narrow down the
specific issue.

Paul

> I am attempting to add a fourth, and I believe the association says it
> is up.  ISAKMP and SA show as ready on the Cisco side of the new site -
> let's call it X1.X1.X1.X1.
>
> The status messages appear the same as for a working side - called
> X3.X3.X3.X3.
>
> And I can see ESP packets leave the ipsec server (X2) for the new site
> (X1).  However neither side ever shows any packets received on their
> GRE tunnels.  Even when pinging just the other end of the tunnel.
>
> Any suggestions would be great, I am flummoxed.  I've verified the
> configs over and over, checked all the status logs, the routing tables,
> etc...
>
> I would expect a firewall, but the tunnel shows as status up.
>
> "ets-gre" is the new site, X1.X1.X1.X1
>
> 000 "ets-gre": X2.X2.X2.X2<X2.X2.X2.X2>:47/0---192.168.1.6...X1.X1.X1.X1<X1.X1.X1.X1>:47/0; erouted; eroute owner: #705
> 000 "ets-gre":     oriented; my_ip=unset; their_ip=unset
> 000 "ets-gre":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
> 000 "ets-gre":   our auth:secret, their auth:secret
> 000 "ets-gre":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
> 000 "ets-gre":   labeled_ipsec:no;
> 000 "ets-gre":   policy_label:unset;
> 000 "ets-gre":   ike_life: 86400s; ipsec_life: 43200s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
> 000 "ets-gre":   retransmit-interval: 500ms; retransmit-timeout: 60s;
> 000 "ets-gre":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
> 000 "ets-gre":   policy: PSK+ENCRYPT+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
> 000 "ets-gre":   conn_prio: 32,32; interface: ens224; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
> 000 "ets-gre":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
> 000 "ets-gre":   newest ISAKMP SA: #704; newest IPsec SA: #705;
> 000 "ets-gre":   IKE algorithm newest: AES_CBC_256-SHA1-MODP1536
> 000 "ets-gre":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>
>
> 000 #705: "ets-gre":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 36540s; newest IPSEC; eroute owner; isakmp#704; idle; import:not set
> 000 #705: "ets-gre" esp.75dd8022 at 50.252.90.81 esp.2a981050 at X2.X2.X2.X2 ref=0 refhim=0 Traffic: ESPin=0B ESPout=315KB! ESPmax=4194303B 
> 000 #704: "ets-gre":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 80041s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
>
>
>
> ip -s xfrm state
>
> src X1.X1.X1.X1 dst X2.X2.X2.X2    # NEW SITE
> 	proto esp spi 0x2a981050(714608720) reqid 16397(0x0000400d) mode transport
> 	replay-window 32 seq 0x00000000 flag  (0x00000000)
> 	auth-trunc hmac(sha1) 0x136809bee86d8e91$$$16b3dbb908f6728e3fc53 (160 bits) 96
> 	enc cbc(aes) 0xb1d125f75985802df444$$$81cb3aa7 (128 bits)
> 	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> 	sel src X1.X1.X1.X1/32 dst X2.X2.X2.X2/32 proto gre uid 0
> 	lifetime config:
> 	  limit: soft (INF)(bytes), hard (INF)(bytes)
> 	  limit: soft (INF)(packets), hard (INF)(packets)
> 	  expire add: soft 0(sec), hard 0(sec)
> 	  expire use: soft 0(sec), hard 0(sec)
> 	lifetime current:
> 	  0(bytes), 0(packets)
> 	  add 2019-07-09 14:00:54 use -
> 	stats:
> 	  replay-window 0 replay 0 failed 0
> 	  
> src X2.X2.X2.X2 dst X1.X1.X1.X1   # NEW SITE
> 	proto esp spi 0x75dd8022(1977450530) reqid 16397(0x0000400d) mode transport
> 	replay-window 32 seq 0x00000000 flag  (0x00000000)
> 	auth-trunc hmac(sha1) 0x7625a3b3aebab530277811$$$46f9ef26dbe8e6 (160 bits) 96
> 	enc cbc(aes) 0xc4f47296aa3fc2b1d5$$$$1bb376684b (128 bits)
> 	anti-replay context: seq 0x0, oseq 0xe59, bitmap 0x00000000
> 	sel src X2.X2.X2.X2/32 dst X1.X1.X1.X1/32 proto gre uid 0
> 	lifetime config:
> 	  limit: soft (INF)(bytes), hard (INF)(bytes)
> 	  limit: soft (INF)(packets), hard (INF)(packets)
> 	  expire add: soft 0(sec), hard 0(sec)
> 	  expire use: soft 0(sec), hard 0(sec)
> 	lifetime current:
> 	  323304(bytes), 3673(packets)
> 	  add 2019-07-09 14:00:54 use 2019-07-09 14:05:13
> 	stats:
> 	  replay-window 0 replay 0 failed 0
>
> src X3.X3.X3.X3 dst X2.X2.X2.X2   # WORKING SITE
> 	proto esp spi 0x7512490f(1964132623) reqid 16405(0x00004015) mode transport
> 	replay-window 32 seq 0x00000000 flag  (0x00000000)
> 	auth-trunc hmac(sha1) 0xa0ceadeee5a8$$$226b152ce306d83a6ed58ae64 (160 bits) 96
> 	enc cbc(aes) 0xb1d9d0b161b93aa859$$$c5c3c030bf1 (128 bits)
> 	anti-replay context: seq 0x164b, oseq 0x0, bitmap 0xffffffff
> 	sel src X3.X3.X3.X3/32 dst X2.X2.X2.X2/32 proto gre uid 0
> 	lifetime config:
> 	  limit: soft (INF)(bytes), hard (INF)(bytes)
> 	  limit: soft (INF)(packets), hard (INF)(packets)
> 	  expire add: soft 0(sec), hard 0(sec)
> 	  expire use: soft 0(sec), hard 0(sec)
> 	lifetime current:
> 	  1801839(bytes), 5707(packets)
> 	  add 2019-07-09 14:56:52 use 2019-07-09 14:56:52
> 	stats:
> 	  replay-window 0 replay 0 failed 0
> 	  
> src X2.X2.X2.X2 dst X3.X3.X3.X3  # WORKING SITE
> 	proto esp spi 0xfe5da2d9(4267549401) reqid 16405(0x00004015) mode transport
> 	replay-window 32 seq 0x00000000 flag  (0x00000000)
> 	auth-trunc hmac(sha1) 0xad31b5e0ba8657***7516b02f75e4954c057b1fe (160 bits) 96
> 	enc cbc(aes) 0x6042b476e3e339***efba8435335b65c (128 bits)
> 	anti-replay context: seq 0x0, oseq 0x2a4d, bitmap 0x00000000
> 	sel src X2.X2.X2.X2/32 dst X3.X3.X3.X3/32 proto gre uid 0
> 	lifetime config:
> 	  limit: soft (INF)(bytes), hard (INF)(bytes)
> 	  limit: soft (INF)(packets), hard (INF)(packets)
> 	  expire add: soft 0(sec), hard 0(sec)
> 	  expire use: soft 0(sec), hard 0(sec)
> 	lifetime current:
> 	  2206891(bytes), 10829(packets)
> 	  add 2019-07-09 14:56:52 use 2019-07-09 14:56:52
> 	stats:
>
> -- 
> Adam Tauno Williams, awilliam at whitemice.org
> Multi-Modal Activists Against Auto Dependent Development
> resisting the unAmerican socialists of the Motorist hegemony
> http://www.mmaaadd.org
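Paul's advice is to compare outbound and inbound byte counters per tunnel. As an added example that is not part of the thread, the shell function below reads `ip -s xfrm state` output (the same format Adam pasted), classifies each ESP SA as inbound or outbound relative to this host, pairs the two directions by reqid, and flags a tunnel that sends but never receives. It assumes the host's own address is passed as the first argument; the sample data is constructed with fake addresses and SPIs.

```shell
# Added example (not from the thread): pair ESP SAs from `ip -s xfrm state`
# by reqid and report bytes seen in each direction from this host's point of view.
# Usage: ip -s xfrm state | check_xfrm_asymmetry <this-host-ip>
check_xfrm_asymmetry() {
    awk -v me="$1" '
    /^src / {                         # "src A dst B" opens a new SA block
        dir  = ($4 == me) ? "in" : "out"
        peer = (dir == "in") ? $2 : $4
    }
    $5 == "reqid" {                   # "... reqid 16397(0x0000400d) ..."
        reqid = $6; sub(/\(.*/, "", reqid); peers[reqid] = peer
    }
    /lifetime current:/ { grab = 1; next }   # next line: "N(bytes), M(packets)"
    grab { n = $1; sub(/\(.*/, "", n); bytes[reqid, dir] += n; grab = 0 }
    END {
        for (r in peers) {
            i = bytes[r, "in"] + 0; o = bytes[r, "out"] + 0
            if (o > 0 && i == 0) verdict = "ONE-WAY"   # we encrypt, nothing comes back
            else if (i > 0 && o > 0) verdict = "ok"
            else verdict = "idle"
            printf "reqid=%s peer=%s in=%d out=%d %s\n", r, peers[r], i, o, verdict
        }
    }' | sort
}

# Constructed sample modelled on the thread: 10.0.0.2 is this host, 10.0.0.1 the
# new site (receives, never answers), 10.0.0.3 a working site.
sample_xfrm() {
    printf '%s\n' \
    'src 10.0.0.1 dst 10.0.0.2' \
    '  proto esp spi 0x00000001(1) reqid 16397(0x0000400d) mode transport' \
    '  lifetime current:' \
    '    0(bytes), 0(packets)' \
    'src 10.0.0.2 dst 10.0.0.1' \
    '  proto esp spi 0x00000002(2) reqid 16397(0x0000400d) mode transport' \
    '  lifetime current:' \
    '    323304(bytes), 3673(packets)' \
    'src 10.0.0.3 dst 10.0.0.2' \
    '  proto esp spi 0x00000003(3) reqid 16405(0x00004015) mode transport' \
    '  lifetime current:' \
    '    1801839(bytes), 5707(packets)' \
    'src 10.0.0.2 dst 10.0.0.3' \
    '  proto esp spi 0x00000004(4) reqid 16405(0x00004015) mode transport' \
    '  lifetime current:' \
    '    2206891(bytes), 10829(packets)'
}
```

A ONE-WAY verdict with a growing `out` counter means the SA is installed and encrypting; the fault is then on the path or at the peer (selector mismatch, filtering of ESP/GRE, or the peer decrypting but not routing), not in the local IPsec setup.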

