[Swan] Tunnel gets established, but machines can reach each other only for less than a minute

ud at blueaquan.com
Sun Jan 29 17:33:51 EET 2023


Dear friends / Team,

I have two sites which I am trying to connect using a site-to-site VPN.
Initially I had a lot of challenges because at the HO the Linux machine
had a public IP configured directly, while at the Site Office the Linux
machine was behind an ISP router. Anyhow, the tunnel gets established
now, but machines on both sides cannot reach each other.

However, when I reboot the Site Office machine and it comes up, the tunnel
also gets established and both sides can reach each other for roughly
less than a minute, and then it stops.

FYI, the machine at the HO is running Libreswan 4.3 and the one at the Site
Office is running Libreswan 4.4.

What is changing when the machine comes up after a reboot?

The HO Configuration

conn PLUTOSUBNET
     also=EUROPA-PLUTO
     leftsubnet=10.10.128.0/24
     leftsourceip=10.10.128.100
     rightsubnet=192.168.1.0/24
     rightsourceip=192.168.1.1
     auto=start
conn EUROPA-PLUTO
     type=tunnel
     left=W.X.Y.Z
     right=A.B.C.D
     authby=secret
     ikev2=insist
     pfs=no
     ike=aes256-sha2_512+sha2_256-dh21
     esp=aes256-sha2_512+sha1+sha2_256;dh21
     dpddelay=5
     dpdtimeout=120
     dpdaction=restart
     encapsulation=yes

The Site Office configuration

conn PLSUBNET
     also=PLUTO-EUROPA
     leftsubnet=10.10.128.0/24
     leftsourceip=10.10.128.100
     rightsubnet=192.168.1.0/24
     rightsourceip=192.168.1.1
     auto=start
conn PLUTO-EUROPA
     type=tunnel
     left=%defaultroute
     leftid=W.X.Y.Z
     right=A.B.C.D
     authby=secret
     ikev2=insist
     pfs=no
     ike=aes256-sha2_512+sha2_256-dh21
     esp=aes256-sha2_512+sha1+sha2_256;dh21
     dpddelay=5
     dpdtimeout=120
     dpdaction=restart
     encapsulation=yes

The Logs from the HO machine

980030: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 16 seconds for response
984155: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 32 seconds for response
634277: "PLUTOSUBNET" #9: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_521 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=ECP_521[first-match]
636046: "PLUTOSUBNET" #9: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}
"PLUTOSUBNET" #9: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}
"PLUTOSUBNET" #9: IKEv2 mode peer ID is ID_IPV4_ADDR: 'W.X.Y.Z'
"PLUTOSUBNET" #9: authenticated using authby=secret
"PLUTOSUBNET": local ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH proposals):
"PLUTOSUBNET":   1:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-NONE-DISABLED
"PLUTOSUBNET" #10: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_512_256-DISABLED SPI=cff38461 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA1_96;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
"PLUTOSUBNET" #10: negotiated connection [192.168.1.0-192.168.1.255:0-65535 0] -> [10.10.128.0-10.10.128.255:0-65535 0]
"PLUTOSUBNET" #10: IPsec SA established tunnel mode {ESPinUDP=>0xcff38461 <0x51123a6c xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=W.X.Y.Z:4500 DPD=active}
"PLUTOSUBNET" #8: suppressing retransmit because IKE SA was superseded #9 try=4; drop this negotiation
"PLUTOSUBNET" #8: deleting state (STATE_PARENT_I1) aged 64.012686s and NOT sending notification

Any help please.

Thanks, BA
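For anyone working through a pluto log like the one above, here is a small Python helper that groups the lines by state number and pulls out what matters for a tunnel that comes up and then dies: which local initiations pluto dropped as superseded by the peer's own initiation (state #8 above), the retransmit backoff, and each IPsec SA's age when it was deleted, taken from pluto's own "aged N.NNNs" field. This is an added example, not code from the original post or from the Libreswan project. Its input is the posted log lines plus two constructed continuation lines in the same format, marked as such in the code, standing in for the teardown the post does not include.

```python
"""Group Libreswan (pluto) log lines by state number and summarise the events
relevant to a "tunnel comes up, then dies" report.

Added example; not code from the original post or from the Libreswan project.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Optional numeric prefix (as in the posted lines), then "conn" [#state]: message.
LINE_RE = re.compile(r'^(?:\d+:\s*)?"(?P<conn>[^"]+)"(?:\s+#(?P<st>\d+))?:\s*(?P<msg>.*)$')
AGED_RE = re.compile(r'deleting state \((?P<state>[A-Z0-9_]+)\) aged (?P<age>[0-9.]+)s')
WAIT_RE = re.compile(r'retransmission; will wait (?P<secs>\d+) seconds')
ESTABLISHED = "IPsec SA established"
SUPERSEDED = "suppressing retransmit because IKE SA was superseded"


@dataclass
class Event:
    conn: str
    state: Optional[int]   # None for lines pluto logs without a state number
    msg: str


def parse(lines: List[str]) -> List[Event]:
    """Parse pluto log lines; fragments without the quoted conn name are skipped."""
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            st = int(m["st"]) if m["st"] else None
            events.append(Event(m["conn"], st, m["msg"].strip()))
    return events


def retransmit_backoff(events: List[Event]) -> Dict[int, List[int]]:
    """state -> the 'will wait N seconds' values it logged, in log order."""
    out: Dict[int, List[int]] = {}
    for ev in events:
        m = WAIT_RE.search(ev.msg)
        if m and ev.state is not None:
            out.setdefault(ev.state, []).append(int(m["secs"]))
    return out


def superseded_initiations(events: List[Event]) -> List[int]:
    """Local initiator IKE SAs pluto dropped because the peer's initiation won;
    expected when both ends carry auto=start and start at the same time."""
    return [ev.state for ev in events if ev.state is not None and SUPERSEDED in ev.msg]


def sa_lifetimes(events: List[Event]) -> Dict[int, Optional[float]]:
    """state -> age (s) at deletion for every state that logged
    'IPsec SA established'; None while the log shows no deletion for it."""
    out: Dict[int, Optional[float]] = {}
    for ev in events:
        if ev.state is None:
            continue
        if ESTABLISHED in ev.msg:
            out[ev.state] = None
        m = AGED_RE.search(ev.msg)
        if m and ev.state in out:
            out[ev.state] = float(m["age"])
    return out


def short_lived(events: List[Event], threshold: float = 120.0) -> List[int]:
    """IPsec SAs deleted less than `threshold` seconds after they came up
    (default: the dpdtimeout value used in the posted configs)."""
    return sorted(st for st, age in sa_lifetimes(events).items()
                  if age is not None and age < threshold)


# Posted HO log lines, unwrapped, followed by two CONSTRUCTED lines in the same
# format that illustrate the Child SA and IKE SA being torn down shortly after.
SAMPLE = [
    '980030: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 16 seconds for response',
    '984155: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 32 seconds for response',
    '634277: "PLUTOSUBNET" #9: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_521 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=ECP_521[first-match]',
    "\"PLUTOSUBNET\" #9: IKEv2 mode peer ID is ID_IPV4_ADDR: 'W.X.Y.Z'",
    '"PLUTOSUBNET" #9: authenticated using authby=secret',
    '"PLUTOSUBNET": local ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH proposals):',
    '"PLUTOSUBNET" #10: negotiated connection [192.168.1.0-192.168.1.255:0-65535 0] -> [10.10.128.0-10.10.128.255:0-65535 0]',
    '"PLUTOSUBNET" #10: IPsec SA established tunnel mode {ESPinUDP=>0xcff38461 <0x51123a6c xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=W.X.Y.Z:4500 DPD=active}',
    '"PLUTOSUBNET" #8: suppressing retransmit because IKE SA was superseded #9 try=4; drop this negotiation',
    '"PLUTOSUBNET" #8: deleting state (STATE_PARENT_I1) aged 64.012686s and NOT sending notification',
    # CONSTRUCTED for this example (not from the post):
    '"PLUTOSUBNET" #10: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 57.301s and sending notification',
    '"PLUTOSUBNET" #9: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 58.402s and sending notification',
]

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print("retransmit backoff:", retransmit_backoff(ev))
    print("superseded local initiations:", superseded_initiations(ev))
    print("IPsec SA age at deletion:", sa_lifetimes(ev))
    print("short-lived IPsec SAs:", short_lived(ev))
```

Run it against the full log from both machines (the posted excerpt has no timestamps, so ordering is by position in the file); a Child SA whose deletion age stays under a minute on every restart, paired with a superseded initiator state on each start-up, is the pattern to put side by side with the peer's log for the same minute.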