[Swan] disconnect after 3600s

Michael Schwartzkopff ms at sys4.de
Thu Jan 21 20:01:48 UTC 2021


On 21.01.21 20:53, Kontakt wrote:
> Hello,
> I have a problem. ipsec tunnel compiled on libreswan 4.1 (centos 8) for 1
> client causes it to disconnect after 3600s. the same configuration on
> libreswan 3.23 (centos 7) does not cause such problems. conf file,
> password, iptables, entries in routing table identical.
> I checked sysctl - identical. the only difference is selinux (centos 7 has
> enforce, centos 8 disabled).
>
> libreswan 3.23 (centos 7):
>
> ipsec verify
> Verifying installed system and configuration files
>
> Version check and ipsec on-path [OK]
> Libreswan 3.23 (netkey) on 3.10.0-862.3.2.el7.x86_64
> Checking for IPsec support in kernel [OK]
>  NETKEY: Testing XFRM related proc values
>          ICMP default/send_redirects [NOT DISABLED]
>
>   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY
> will act on or cause sending of bogus ICMP redirects!
>
>          ICMP default/accept_redirects [OK]
>          XFRM larval drop [OK]
> Pluto ipsec.conf syntax [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking rp_filter [ENABLED]
>  /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
>  /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
>  /proc/sys/net/ipv4/conf/em1/rp_filter [ENABLED]
>  /proc/sys/net/ipv4/conf/em2/rp_filter [ENABLED]
>  /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
>   rp_filter is not fully aware of IPsec and should be disabled
> Checking that pluto is running [OK]
>  Pluto listening for IKE on udp 500 [OK]
>  Pluto listening for IKE / NAT-T on udp 4500 [OK]
>  Pluto ipsec.secret syntax [OK]
> Checking 'ip' command [OK]
> Checking 'iptables' command [OK]
> Checking 'prelink' command does not interfere with FIPS [OK]
> Checking for obsolete ipsec.conf options [OK]
>
> ipsec verify: encountered 12 errors - see 'man ipsec_verify' for help
>
> And for libreswan 4.1 (centos 8):
> ipsec verify
>
> Verifying installed system and configuration files
>
> Version check and ipsec on-path [OK]
> Libreswan 4.1 (netkey) on 4.18.0-193.28.1.el8_2.x86_64
> Checking for IPsec support in kernel [OK]
>  NETKEY: Testing XFRM related proc values
>          ICMP default/send_redirects [OK]
>          ICMP default/accept_redirects [OK]
>          XFRM larval drop [OK]
> Pluto ipsec.conf syntax [OK]
> Checking rp_filter [OK]
> Checking that pluto is running [OK]
>  Pluto listening for IKE on udp 500 [OK]
>  Pluto listening for IKE / NAT-T on udp 4500 [OK]
>  Pluto ipsec.secret syntax [OK]
> Checking 'ip' command [OK]
> Checking 'iptables' command [OK]
> Checking 'prelink' command does not interfere with FIPS [OK]
> Checking for obsolete ipsec.conf options [OK]
>
> Where to look for the problem?
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan



Logs? of both sides?

Seems the child negotiation somehow fails. But the reason should be in
the logs.


Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
