[Swan] [SPAM: 4.729] Re: Tunnel gets established, but machines can reach each other only for less than a minute

ud at blueaquan.com
Fri Feb 3 17:18:25 EET 2023


Hi Paul
Also, an observation I could make is that when the machine at the Site Office
tries to reach the HO VPN server, even though the ping fails,
I can see the traffic go up incrementally on both sides.
However, when the HO tries to reach the Site Office, traffic from the HO goes
out and likewise the In traffic at the Site Office also goes up
incrementally, but there is no Out traffic from the Site Office. Attaching
the observation FYI. Any thoughts?

When Site Office tries to reach HO

At Site Office
Traffic: ESPin=8KB ESPout=8KB! ESPmax=0B
Response at HO
Traffic: ESPin=8KB ESPout=8KB! ESPmax=0B

When HO tries to reach Site Office

At HO
Traffic: ESPin=0B ESPout=8KB! ESPmax=0B
Response at Site Office
Traffic: ESPin=8KB ESPout=0B! ESPmax=0B

On 2023-02-01 02:22, Paul Wouters wrote:

> So both agree on the tunnel and the traffic counters. It looks
> operational.
> 
> I wonder if there is some kind of firewall on the network that allows
> the initial packets but then starts blocking things ?
> 
> Sent using a virtual keyboard on a phone
> 
> On Jan 31, 2023, at 12:40, ud at blueaquan.com wrote:
> 
>> Hi Paul
>> Kindly find the output of ipsec whack --showstates from both sides
>> please.
>> 
>> At HO
>> 
>> 000 #5: "PLUTOSUBNET":1208 STATE_V2_ESTABLISHED_IKE_SA (established
>> IKE SA); EVENT_SA_REKEY in 28511s; newest ISAKMP; idle;
>> 000 #6: "PLUTOSUBNET":1208 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA
>> established); EVENT_SA_REKEY in 28511s; newest IPSEC; eroute owner;
>> isakmp#5; idle;
>> 000 #6: "PLUTOSUBNET" esp.e4688f53 at W.X.Y.Z esp.910e3384 at A.B.C.D
>> tun.0 at W.X.Y.Z tun.0 at A.B.C.D Traffic: ESPin=168B ESPout=168B!
>> ESPmax=0B
>> 
>> At Site Office
>> 
>> 000 #1: "PLSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE
>> SA); EVENT_SA_REKEY in 27743s; newest ISAKMP; idle;
>> 000 #2: "PLSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA
>> established); EVENT_SA_REKEY in 27984s; newest IPSEC; eroute owner;
>> isakmp#1; idle;
>> 000 #2: "PLSUBNET" esp.910e3384 at A.B.C.D esp.e4688f53 at 10.10.128.100
>> tun.0 at A.B.C.D tun.0 at 10.10.128.100 Traffic: ESPin=168B ESPout=168B!
>> ESPmax=0B
>> 
>> Thanks, Best
>> BA
>> 
>> On 2023-01-31 22:01, Paul Wouters wrote:
>>> On Mon, 30 Jan 2023, ud at blueaquan.com wrote:
>>> 
>>>> I changed the HO's statement to auto=add while keeping auto=start at
>>>> the Site Office. Also removed the encapsulation statement at both
>>>> ends. However, there is no change in status; both machines are unable
>>>> to reach each other. The tunnel is getting established as
>>>> always; attaching the logs from both sides FYI.
>>> 
>>> Once the tunnel is not working, can you run on both ends:
>>> 
>>> ipsec whack --showstates
>>> 
>>> Let's see if both ends are still thinking the tunnel is up or not.
>>> 
>>> Paul
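Editor's note: the counter readings in this thread are a textbook case of reading the per-SA "Traffic:" line from `ipsec whack --showstates` as a four-hop trace (encrypted at the source gateway, received at the destination gateway, reply encrypted at the destination, reply received at the source). The following script is an added example, not code from the thread or from libreswan. It parses that line, diffs two snapshots (the counters are cumulative, so a single reading can include earlier tests), and reports the first hop whose counter did not move. The sample lines are constructed from the values quoted above; the hop names and the wording of the verdicts are my own.

```python
import re
from dataclasses import dataclass

# "Traffic:" line printed by `ipsec whack --showstates` for each Child SA, e.g.
#   Traffic: ESPin=168B ESPout=168B! ESPmax=0B
# Sizes are human-readable (B, KB, MB, ...); the trailing "!" belongs to
# libreswan's formatting and is not a separate field.
_TRAFFIC_RE = re.compile(
    r"ESPin=(?P<in>\d+)(?P<in_u>[KMGT]?B)\s+ESPout=(?P<out>\d+)(?P<out_u>[KMGT]?B)!?"
)
_UNIT = {"B": 1, "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30, "TB": 1 << 40}


@dataclass(frozen=True)
class Esp:
    """ESP byte counters of one Child SA as seen by one gateway."""
    esp_in: int
    esp_out: int

    def __sub__(self, earlier: "Esp") -> "Esp":
        # Counters are cumulative; diff a before/after pair to isolate one test.
        return Esp(self.esp_in - earlier.esp_in, self.esp_out - earlier.esp_out)


def parse_traffic(line: str) -> Esp:
    """Extract ESPin/ESPout from one showstates 'Traffic:' line, in bytes."""
    m = _TRAFFIC_RE.search(line)
    if m is None:
        raise ValueError(f"no ESPin/ESPout counters in: {line!r}")
    return Esp(int(m["in"]) * _UNIT[m["in_u"]], int(m["out"]) * _UNIT[m["out_u"]])


def diagnose(src: Esp, dst: Esp) -> str:
    """Classify one directional test: a host behind `src` pings a host behind `dst`.

    The four hops are checked in order; the first counter still at zero marks
    where the packets went missing. Hop names are this example's own labels.
    """
    if src.esp_out == 0:
        return ("src-policy: nothing was encrypted at the source gateway; the test "
                "traffic never matched the tunnel (subnet mismatch, or a route that "
                "bypasses the gateway)")
    if dst.esp_in == 0:
        return ("transit-forward: ESP left the source but never reached the "
                "destination; ESP or UDP/4500 dropped between the gateways")
    if dst.esp_out == 0:
        return ("dst-return-path: destination decrypted the request but sent nothing "
                "back through the tunnel; the reply is blocked at the target host or "
                "is not routed back via the destination gateway")
    if src.esp_in == 0:
        return ("transit-return: replies were encrypted at the destination but never "
                "arrived at the source; the return direction is dropped in transit")
    return ("tunnel-ok: ESP flows both ways; look above IPsec (host firewalls, ICMP "
            "filtering, MTU)")


# Constructed from the counters quoted in the thread (one snapshot per gateway).
# A real run would take a snapshot before and after the ping and pass the
# difference (after - before) to diagnose().
SITE_TO_HO = (
    parse_traffic("Traffic: ESPin=8KB ESPout=8KB! ESPmax=0B"),  # at Site Office (src)
    parse_traffic("Traffic: ESPin=8KB ESPout=8KB! ESPmax=0B"),  # at HO (dst)
)
HO_TO_SITE = (
    parse_traffic("Traffic: ESPin=0B ESPout=8KB! ESPmax=0B"),   # at HO (src)
    parse_traffic("Traffic: ESPin=8KB ESPout=0B! ESPmax=0B"),   # at Site Office (dst)
)

if __name__ == "__main__":
    print("Site Office -> HO:", diagnose(*SITE_TO_HO))
    print("HO -> Site Office:", diagnose(*HO_TO_SITE))
```

Two caveats when using this on a live tunnel: libreswan rounds the sizes (the thread's "8KB" may hide a handful of ICMP packets either way), so for a short test take the raw byte counters from `ip -s xfrm state` on each gateway instead; and a non-zero delta at the destination's ESPin only proves the gateway accepted and decrypted the ESP, not that the inner packet was delivered to the target host, which is why the "dst-return-path" verdict points at the host and the routing behind the gateway rather than at the tunnel.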