[Swan] [SPAM: 4.729] Re: Tunnel gets established, but machines can reach each other only for less than a minute
ud at blueaquan.com
ud at blueaquan.com
Mon Jan 30 07:32:19 EET 2023
Hi Paul
I changed the HO's statement to auto=add while keeping auto=start at the
Site Office. Also removed encapsulation statement at both ends, However
there is no change in status, both machines are unable to reach each
other. The tunnel is getting established as always, attaching the logs
from both sides FYI.
At Site Office
643271: "PLSUBNET" #1: initiating IKEv2 connection
643284: "PLSUBNET": local IKE proposals (IKE SA initiator selecting KE):
643290: "PLSUBNET":
1:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_521
645097: "PLSUBNET" #1: sent IKE_SA_INIT request
685003: "PLSUBNET": local ESP/AH proposals (IKE SA initiator emitting
ESP/AH proposals):
685026: "PLSUBNET":
1:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-NONE-DISABLED
685066: "PLSUBNET" #1: sent IKE_AUTH request {auth=IKEv2
cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}
760199: "PLSUBNET" #1: authenticated using authby=secret and peer
ID_IPV4_ADDR 'A.B.C.D'
797979: "PLSUBNET" #2: negotiated connection
[10.10.128.0-10.10.128.255:0-65535 0] ->
[192.168.1.0-192.168.1.255:0-65535 0]
798003: "PLSUBNET" #2: IPsec SA established tunnel mode
{ESPinUDP=>0xf326adb4 <0x3227b8ff xfrm=AES_CBC_256-HMAC_SHA2_512_256
NATOA=none NATD=A.B.C.D:4500 DPD=active}
At HO
657566: "PLUTOSUBNET": local IKE proposals (IKE SA responder matching
remote proposals):
657597: "PLUTOSUBNET":
1:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_521
657625: "PLUTOSUBNET" #8: proposal
1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_521 chosen from
remote proposals
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=ECP_521[first-match]
659422: "PLUTOSUBNET" #8: sent IKE_SA_INIT reply {auth=IKEv2
cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}
705240: "PLUTOSUBNET" #8: processing decrypted IKE_AUTH request:
SK{IDi,AUTH,SA,TSi,TSr}
705270: "PLUTOSUBNET" #8: IKEv2 mode peer ID is ID_IPV4_ADDR: 'W.X.Y.Z'
705323: "PLUTOSUBNET" #8: authenticated using authby=secret
705429: "PLUTOSUBNET": local ESP/AH proposals (IKE_AUTH responder
matching remote ESP/AH proposals):
705438: "PLUTOSUBNET":
1:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-NONE-DISABLED
705445: "PLUTOSUBNET" #9: proposal
1:ESP=AES_CBC_256-HMAC_SHA2_512_256-DISABLED SPI=3227b8ff chosen from
remote proposals
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA1_96;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
741491: "PLUTOSUBNET" #9: negotiated connection
[192.168.1.0-192.168.1.255:0-65535 0] ->
[10.10.128.0-10.10.128.255:0-65535 0]
741513: "PLUTOSUBNET" #9: IPsec SA established tunnel mode
{ESPinUDP=>0x3227b8ff <0xf326adb4 xfrm=AES_CBC_256-HMAC_SHA2_512_256
NATOA=none NATD=W.X.Y.Z:4500 DPD=active}
Thanks, Regards
BA
On 2023-01-30 06:29, Paul Wouters wrote:
> On Sun, 29 Jan 2023, ud at blueaquan.com wrote:
>
>> I have two sites which I am trying to connect using a site-to-site
>> VPN. Initially I had a lot of
>> challenges because at the HO, the Linux machine had a Public IP
>> directly configured, while at the
>> Site Office the Linux machine was behind an ISP router. Anyhow the
>> tunnel gets established now, but
>> machines on both sides cannot reach each other.
>
> On the HO use auto=add and not auto=ondemand or auto=start
> On the Site Office, use auto=start
>
> That should hopefully prevent two connections racing each other
> and one of them failing impacting the other.
>
>> The HO Configuration
>>
>> conn PLUTOSUBNET
>> also=EUROPA-PLUTO
>> leftsubnet=10.10.128.0/24
>> leftsourceip=10.10.128.100
>> rightsubnet=192.168.1.0/24
>> rightsourceip=192.168.1.1
>> auto=start
>
> you cannot use auto=start because you cannot initiate to a machine
> behind NAT. The other end should initiate to here.
>
>> encapsulation=yes
>
> It's better not to specify this and let the auto-detection handle this.
>
>> The Site Office configuration
>>
>> conn PLSUBNET
>> also=PLUTO-EUROPA
>> leftsubnet=10.10.128.0/24
>> leftsourceip=10.10.128.100
>> rightsubnet=192.168.1.0/24
>> rightsourceip=192.168.1.1
>> auto=start
>> conn PLUTO-EUROPA
>> type=tunnel
>> left=%defaultroute
>> leftid=W.X.Y.Z
>> right=A.B.C.D
>> authby=secret
>> ikev2=insist
>> pfs=no
>> ike=aes256-sha2_512+sha2_256-dh21
>> esp=aes256-sha2_512+sha1+sha2_256;dh21
>> dpddelay=5
>> dpdtimeout=120
>> dpdaction=restart
>> encapsulation=yes
>
> Same here, remove the encapsulation=yes here too.
>
>> The Logs from the HO machine
>
>> 980030: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait
>> 16 seconds for response
>> 984155: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait
>> 32 seconds for response
>> 634277: "PLUTOSUBNET" #9: proposal
>> 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_521 chosen f
>
> Looks like state 8 and 9 are fighting here.
>
>> "PLUTOSUBNET" #10: negotiated connection
>> [192.168.1.0-192.168.1.255:0-65535 0] -> [10.10.128.0-10.10.
>> 128.255:0-65535 0]
>> "PLUTOSUBNET" #10: IPsec SA established tunnel mode
>> {ESPinUDP=>0xcff38461 <0x51123a6c xfrm=AES_CBC_25
>> 6-HMAC_SHA2_512_256 NATOA=none NATD=W.X.Y.Z:4500 DPD=active}
>> "PLUTOSUBNET" #8: suppressing retransmit because IKE SA was superseded
>> #9 try=4; drop this negotiatio
>> n
>> "PLUTOSUBNET" #8: deleting state (STATE_PARENT_I1) aged 64.012686s and
>> NOT sending notification
>
> 9 won and 8 was deleted. This _should_ be fine. But perhaps the other
> end did something different.
>
> Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20230130/6fe861bc/attachment.htm>
More information about the Swan
mailing list