[Swan] [SPAM: 4.729] Tunnel gets established, but machines can reach each other only for less than a minute
ud at blueaquan.com
Sun Jan 29 17:33:51 EET 2023
Dear friends / Team,
I have two sites which I am trying to connect using a site-to-site VPN.
Initially I had a lot of challenges because at the HO, the Linux machine
had a Public IP directly configured, while at the Site Office the Linux
machine was behind an ISP router. Anyhow, the tunnel gets established
now, but machines on both sides cannot reach each other.
However, when I reboot the Site Office machine and it comes up, the tunnel
also gets established and both sides can reach each other for roughly
less than a minute, and then it stops.
FYI, the machine at HO is running Libreswan 4.3 and the one at Site
Office is running Libreswan 4.4.
What is changing when the machine comes up after a reboot...?
The HO Configuration
conn PLUTOSUBNET
    also=EUROPA-PLUTO
    leftsubnet=10.10.128.0/24
    leftsourceip=10.10.128.100
    rightsubnet=192.168.1.0/24
    rightsourceip=192.168.1.1
    auto=start

conn EUROPA-PLUTO
    type=tunnel
    left=W.X.Y.Z
    right=A.B.C.D
    authby=secret
    ikev2=insist
    pfs=no
    ike=aes256-sha2_512+sha2_256-dh21
    esp=aes256-sha2_512+sha1+sha2_256;dh21
    dpddelay=5
    dpdtimeout=120
    dpdaction=restart
    encapsulation=yes
The Site Office configuration
conn PLSUBNET
    also=PLUTO-EUROPA
    leftsubnet=10.10.128.0/24
    leftsourceip=10.10.128.100
    rightsubnet=192.168.1.0/24
    rightsourceip=192.168.1.1
    auto=start

conn PLUTO-EUROPA
    type=tunnel
    left=%defaultroute
    leftid=W.X.Y.Z
    right=A.B.C.D
    authby=secret
    ikev2=insist
    pfs=no
    ike=aes256-sha2_512+sha2_256-dh21
    esp=aes256-sha2_512+sha1+sha2_256;dh21
    dpddelay=5
    dpdtimeout=120
    dpdaction=restart
    encapsulation=yes
The Logs from the HO machine
980030: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 16 seconds for response
984155: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 32 seconds for response
634277: "PLUTOSUBNET" #9: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_521 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=ECP_521[first-match]
636046: "PLUTOSUBNET" #9: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}
"PLUTOSUBNET" #9: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}
"PLUTOSUBNET" #9: IKEv2 mode peer ID is ID_IPV4_ADDR: 'W.X.Y.Z'
"PLUTOSUBNET" #9: authenticated using authby=secret
"PLUTOSUBNET": local ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH proposals):
"PLUTOSUBNET":   1:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-NONE-DISABLED
"PLUTOSUBNET" #10: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_512_256-DISABLED SPI=cff38461 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA1_96;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
"PLUTOSUBNET" #10: negotiated connection [192.168.1.0-192.168.1.255:0-65535 0] -> [10.10.128.0-10.10.128.255:0-65535 0]
"PLUTOSUBNET" #10: IPsec SA established tunnel mode {ESPinUDP=>0xcff38461 <0x51123a6c xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=W.X.Y.Z:4500 DPD=active}
"PLUTOSUBNET" #8: suppressing retransmit because IKE SA was superseded #9 try=4; drop this negotiation
"PLUTOSUBNET" #8: deleting state (STATE_PARENT_I1) aged 64.012686s and NOT sending notification
Any help please.
Thanks, BA
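The pluto lines quoted in the post contain two different IKE SAs for the same connection: #8 is a local initiator attempt (STATE_PARENT_I1, retransmitting) and #9 is the SA the HO negotiated as responder, after which pluto drops #8 as "superseded". With auto=start on both sides, that crossing is expected, but it makes a short-lived tunnel hard to read by eye. The script below is an added example, not code from the post or from the Libreswan project: it parses pluto log lines into per-state events and flags the two patterns worth checking first when a tunnel comes up and dies within a minute (a local initiation superseded by the peer's, and an IPsec SA that is deleted soon after it was established). The sample lines are constructed from the fragments the post quotes, rejoined where the mail client wrapped them; the function and pattern names are my own.

```python
"""Summarise Libreswan (pluto) log lines into per-IKE/IPsec-state events.

Added example, not from the mailing-list post or the Libreswan project.
SAMPLE_LINES are constructed from the fragments quoted in the post; helper
names (parse_pluto_events, summarize) are assumptions of this example.
"""
import re
from collections import defaultdict

# pluto prefixes most messages with '"<conn>" #<state>:' ; a numeric
# counter (journal sequence / pid) may precede it.
_PREFIX = re.compile(
    r'^(?:\d+:\s*)?"(?P<conn>[^"]+)"(?:\s+#(?P<sa>\d+))?:\s*(?P<msg>.*)$')

# Events that matter when a tunnel appears and disappears quickly.
_EVENTS = [
    ("retransmission", re.compile(r'retransmission; will wait (?P<wait>\d+) seconds')),
    ("authenticated", re.compile(r'authenticated using authby=(?P<authby>\w+)')),
    ("ipsec_established", re.compile(r'IPsec SA established')),
    ("superseded", re.compile(r'IKE SA was superseded #(?P<by>\d+)')),
    ("deleted", re.compile(r'deleting state \((?P<state>\w+)\) aged (?P<age>[\d.]+)s')),
]
_SPI_OUT = re.compile(r'ESP(?:inUDP)?=>0x(?P<spi_out>[0-9a-f]+)')


def parse_pluto_events(lines):
    """Return a list of {conn, sa, event, ...} dicts, one per matched line."""
    events = []
    for line in lines:
        m = _PREFIX.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        for name, pat in _EVENTS:
            em = pat.search(msg)
            if not em:
                continue
            ev = {"conn": m.group("conn"),
                  "sa": int(m.group("sa")) if m.group("sa") else None,
                  "event": name}
            ev.update(em.groupdict())
            if name == "ipsec_established":
                spi = _SPI_OUT.search(msg)
                if spi:
                    ev["spi_out"] = spi.group("spi_out")
            events.append(ev)
            break
    return events


def summarize(events, max_age_seconds=120.0):
    """Group events by state number and flag churn patterns."""
    per_sa = defaultdict(list)
    ages = {}
    for ev in events:
        per_sa[ev["sa"]].append(ev["event"])
        if ev["event"] == "deleted":
            ages[ev["sa"]] = float(ev["age"])
    findings = []
    for sa, evs in sorted(per_sa.items(), key=lambda kv: kv[0] or 0):
        if "retransmission" in evs and "superseded" in evs:
            findings.append(f"#{sa}: local initiation abandoned, the peer's IKE SA "
                            f"took over (both ends initiating, e.g. auto=start on both)")
        if "ipsec_established" in evs and "deleted" in evs \
                and ages.get(sa, max_age_seconds) < max_age_seconds:
            findings.append(f"#{sa}: IPsec SA deleted {ages[sa]:.0f}s after it was "
                            f"established (tunnel flap)")
    return dict(per_sa), findings


# Constructed from the HO log fragments quoted in the post (lines rejoined).
SAMPLE_LINES = [
    '980030: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 16 seconds for response',
    '984155: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 32 seconds for response',
    '636046: "PLUTOSUBNET" #9: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}',
    '"PLUTOSUBNET" #9: authenticated using authby=secret',
    '"PLUTOSUBNET" #10: negotiated connection [192.168.1.0-192.168.1.255:0-65535 0] -> [10.10.128.0-10.10.128.255:0-65535 0]',
    '"PLUTOSUBNET" #10: IPsec SA established tunnel mode {ESPinUDP=>0xcff38461 <0x51123a6c xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=W.X.Y.Z:4500 DPD=active}',
    '"PLUTOSUBNET" #8: suppressing retransmit because IKE SA was superseded #9 try=4; drop this negotiation',
    '"PLUTOSUBNET" #8: deleting state (STATE_PARENT_I1) aged 64.012686s and NOT sending notification',
]

EVENTS = parse_pluto_events(SAMPLE_LINES)
PER_SA, FINDINGS = summarize(EVENTS)

if __name__ == "__main__":
    for sa, evs in PER_SA.items():
        print(f"#{sa}: {', '.join(evs)}")
    for f in FINDINGS:
        print("FINDING:", f)
```

Run it against the full pluto log from both ends (journalctl -u ipsec, or /var/log/secure, with plutodebug left at its default) rather than the excerpt: the second check only fires when a "deleting state" line for an established IPsec SA is present, and the age it reports tells you whether the teardown coincides with the DPD timer (dpddelay=5, dpdtimeout=120) or with the peer re-initiating.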