[Swan] disconnect after 3600s

Kontakt kontakt at smieci.de
Thu Jan 21 19:53:17 UTC 2021


Hello,
I have a problem. An IPsec tunnel compiled on libreswan 4.1 (CentOS 8) for one
client disconnects after 3600s. The same configuration on
libreswan 3.23 (CentOS 7) does not cause such problems. The conf file,
password, iptables and routing table entries are identical.
I checked sysctl: identical. The only difference is SELinux (CentOS 7 has it
enforcing, CentOS 8 has it disabled).

libreswan 3.23 (centos 7):

ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.23 (netkey) on 3.10.0-862.3.2.el7.x86_64
Checking for IPsec support in kernel [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default / send_redirects [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY
will act on or cause sending of bogus ICMP redirects!

         ICMP default / accept_redirects [OK]
         XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
 /proc/sys/net/ipv4/conf/em1/rp_filter [ENABLED]
 /proc/sys/net/ipv4/conf/em2/rp_filter [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
 Pluto listening for IKE on udp 500 [OK]
 Pluto listening for IKE / NAT-T on udp 4500 [OK]
 Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]

ipsec verify: encountered 12 errors - see 'man ipsec_verify' for help

And for libreswan 4.1 (centos 8):
ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 4.1 (netkey) on 4.18.0-193.28.1.el8_2.x86_64
Checking for IPsec support in kernel [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default / send_redirects [OK]
         ICMP default / accept_redirects [OK]
         XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
 Pluto listening for IKE on udp 500 [OK]
 Pluto listening for IKE / NAT-T on udp 4500 [OK]
 Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]

Where to look for the problem?
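
As an added example (not part of the original post), a small Python parser for the `ipsec verify` output format quoted above: it extracts each check's bracketed status and diffs two hosts' results, so checks that are non-OK on one box, or reported by only one of them, stand out. The sample inputs are short excerpts constructed from the two outputs in the message.

```python
import re
from typing import Dict, Optional, Tuple

# Each result line of 'ipsec verify' ends in a bracketed status, e.g.
# "Checking rp_filter [ENABLED]"; advisory lines and the version banner do not.
CHECK_RE = re.compile(r"^\s*(?P<name>.+?)\s*\[(?P<status>[^\]]+)\]\s*$")

def parse_verify(output: str) -> Dict[str, str]:
    """Map each check name to its status ('OK', 'ENABLED', 'NOT DISABLED', ...)."""
    results: Dict[str, str] = {}
    for line in output.splitlines():
        m = CHECK_RE.match(line)
        if m:
            results[m.group("name")] = m.group("status")
    return results

def failing_checks(results: Dict[str, str]) -> Dict[str, str]:
    """Checks whose status is anything other than OK."""
    return {name: status for name, status in results.items() if status != "OK"}

def diff_verify(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Checks that differ between two hosts, or that only one host reports (None on the other)."""
    names = sorted(set(a) | set(b))
    return {n: (a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)}

# Constructed excerpts modelled on the two outputs quoted in the message.
CENTOS7 = """\
Libreswan 3.23 (netkey) on 3.10.0-862.3.2.el7.x86_64
         ICMP default / send_redirects [NOT DISABLED]
         ICMP default / accept_redirects [OK]
Checking rp_filter [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
"""
CENTOS8 = """\
Libreswan 4.1 (netkey) on 4.18.0-193.28.1.el8_2.x86_64
         ICMP default / send_redirects [OK]
         ICMP default / accept_redirects [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
"""

if __name__ == "__main__":
    for name, (old, new) in diff_verify(parse_verify(CENTOS7), parse_verify(CENTOS8)).items():
        print(f"{name}: centos7={old} centos8={new}")
```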