[Swan] [SPAM: 4.729] Tunnel gets established, but machines can reach each other only for less than a minute

Paul Wouters paul at nohats.ca
Mon Jan 30 02:59:51 EET 2023 

On Sun, 29 Jan 2023, ud at blueaquan.com wrote:

> I have two sites which I am trying to connect using a site-to-site VPN.  Initially I had a lot of
> challenges because at the HO, the Linux machine had a Public IP directly configured, while at the
> Site Office the Linux machine was behind an ISP router. Anyhow the tunnel gets established now, but
> machines on both sides cannot reach each other.

On the HO use auto=add and not auto=ondemand or auto=start
On the Site Office, use auto=start

That should hopefully prevent two connections racing each other
and one of them failing impacting the other.

> The HO Configuration
> 
> conn PLUTOSUBNET
> 	also=EUROPA-PLUTO
> 	leftsubnet=10.10.128.0/24
> 	leftsourceip=10.10.128.100
> 	rightsubnet=192.168.1.0/24
> 	rightsourceip=192.168.1.1
> 	auto=start

you cannot use auto=start because you cannot initiate to a machine
behind NAT. The other end should initiate to here.

> 	encapsulation=yes

It's better not to specify this and let the auto-detection handle this.

> The Site Office configuration
> 
> conn PLSUBNET
> 	also=PLUTO-EUROPA
> 	leftsubnet=10.10.128.0/24
> 	leftsourceip=10.10.128.100
> 	rightsubnet=192.168.1.0/24
> 	rightsourceip=192.168.1.1
> 	auto=start
> conn PLUTO-EUROPA
> 	type=tunnel
> 	left=%defaultroute
> 	leftid=W.X.Y.Z
> 	right=A.B.C.D
> 	authby=secret
> 	ikev2=insist
> 	pfs=no
> 	ike=aes256-sha2_512+sha2_256-dh21
> 	esp=aes256-sha2_512+sha1+sha2_256;dh21
> 	dpddelay=5
> 	dpdtimeout=120
> 	dpdaction=restart
> 	encapsulation=yes

Same here, remove the encapsulation=yes here too.

> The Logs from the HO machine

> 980030: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 16 seconds for response
> 984155: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 32 seconds for response
> 634277: "PLUTOSUBNET" #9: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_521 chosen f

Looks like state 8 and 9 are fighting here.

> "PLUTOSUBNET" #10: negotiated connection [192.168.1.0-192.168.1.255:0-65535 0] -> [10.10.128.0-10.10.
> 128.255:0-65535 0]
> "PLUTOSUBNET" #10: IPsec SA established tunnel mode {ESPinUDP=>0xcff38461 <0x51123a6c xfrm=AES_CBC_25
> 6-HMAC_SHA2_512_256 NATOA=none NATD=W.X.Y.Z:4500 DPD=active}
> "PLUTOSUBNET" #8: suppressing retransmit because IKE SA was superseded #9 try=4; drop this negotiatio
> n
> "PLUTOSUBNET" #8: deleting state (STATE_PARENT_I1) aged 64.012686s and NOT sending notification

9 won and 8 was deleted. This _should_ be fine. But perhaps the other
end did something different.

Paul

More information about the Swan mailing list