[Swan] [SPAM: 4.729] Re: Tunnel gets established, but machines can reach each other only for less than a minute

ud at blueaquan.com ud at blueaquan.com
Sat Feb 4 20:27:49 EET 2023


Hi Paul
The xfrm stat has a non-zero entry for "XfrmInTmplMismatch", which 
shows 94. A further check on Google brought me to this page 
https://bugzilla.redhat.com/show_bug.cgi?id=1932202 and I seem to have 
exactly the same problem; however, I am not knowledgeable enough to 
understand the solution applied on that page.
Attaching outputs from the commands mentioned in the bugzilla page, FYI.

/proc/net/xfrm_stat output
XfrmInError                 0
XfrmInBufferError           0
XfrmInHdrError              0
XfrmInNoStates              0
XfrmInStateProtoError       0
XfrmInStateModeError        0
XfrmInStateSeqError         0
XfrmInStateExpired          0
XfrmInStateMismatch         0
XfrmInStateInvalid          0
XfrmInTmplMismatch          94
XfrmInNoPols                0
XfrmInPolBlock              0
XfrmInPolError              0
XfrmOutError                0
XfrmOutBundleGenError       0
XfrmOutBundleCheckError     0
XfrmOutNoStates             0
XfrmOutStateProtoError      0
XfrmOutStateModeError       0
XfrmOutStateSeqError        0
XfrmOutStateExpired         0
XfrmOutPolBlock             0
XfrmOutPolDead              0
XfrmOutPolError             0
XfrmFwdHdrError             0
XfrmOutStateInvalid         0
XfrmAcquireError            0

$ sudo ip xfrm state

src A.B.C.D dst 10.10.128.100
     proto esp spi 0x8ba71c42 reqid 16389 mode tunnel
     replay-window 32 flag af-unspec
     auth-trunc hmac(sha512) 0x1cfc53f76819609e059d010ca8ef92815361c34b3bff42d9e23baeaed8d85dedc2b5f7dcf9e6b9d8b754d5559e061c9bca48000d9cf3c6d979022278006cf6a3 256
     enc cbc(aes) 0xa6c31fc12ebdf2d8bd2aa9e91d565536c27e00979b3595dbbd3b41b40c377711
     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
     anti-replay context: seq 0x8, oseq 0x0, bitmap 0x000000ff
src 10.10.128.100 dst A.B.C.D
     proto esp spi 0x95a7b625 reqid 16389 mode tunnel
     replay-window 32 flag af-unspec
     auth-trunc hmac(sha512) 0xb6d642fbc4a0ae8356fab535a5a6fe3988a183398c1ba26a27051ca2f849e29266177e2a8263c0b51030c33344444c50fbf66307e397de342f0a7500f040de67 256
     enc cbc(aes) 0x0698d495571406fc9c11522f645b25d29b33f8492c2ae851a35950eeb5e9ef14
     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
     anti-replay context: seq 0x0, oseq 0x8, bitmap 0x00000000

$ sudo ip xfrm policy
src 10.10.128.0/24 dst 192.168.1.0/24
     dir out priority 2084814 ptype main
     tmpl src 10.10.128.100 dst A.B.C.D
         proto esp reqid 16389 mode tunnel
src 192.168.1.0/24 dst 10.10.128.0/24
     dir fwd priority 2084814 ptype main
     tmpl src A.B.C.D dst 10.10.128.100
         proto esp reqid 16389 mode tunnel
src 192.168.1.0/24 dst 10.10.128.0/24
     dir in priority 2084814 ptype main
     tmpl src A.B.C.D dst 10.10.128.100
         proto esp reqid 16389 mode tunnel
src ::/0 dst ::/0
     socket out priority 0 ptype main
src ::/0 dst ::/0
     socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     socket in priority 0 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
     dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
     dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
     dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
     dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
     dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
     dir in priority 1 ptype main

On 2023-02-03 22:14, Paul Wouters wrote:

> On Fri, 3 Feb 2023, ud at blueaquan.com wrote:
> 
>> Double checked this, rp_filter is disabled on all interfaces and ipv4 
>> forwarding is enabled.  I use
>> "nftables" on both ends and have double checked the rules to ensure 
>> packets from both these sites have
>> bi-directional traffic enabled.  In fact, to rule out nftables, I 
>> flushed all rules at both ends briefly
>> for a min and tried to reach each other, but there's no change in 
>> status.
> 
> Then you need to do network captures to see if the packets are in fact
> making it to the machine or not. If they are, double check
> /proc/net/xfrm_stat for non-zero entries indicating problems.
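Added example, not from this thread or from Libreswan: a small Python checker that parses the text of `ip xfrm state` and `ip xfrm policy` (as pasted above) and lists every in/fwd policy template that no installed SA matches on src, dst, proto, reqid and mode, which is the condition the XfrmInTmplMismatch counter records. The sample input is trimmed from the mail's output with A.B.C.D kept as the placeholder; the second "dir in" policy, with reqid 16390, is constructed so that the check has something to report.

```python
import re

def parse_states(text):
    """Return a set of (src, dst, proto, reqid, mode) tuples, one per SA in `ip xfrm state` text."""
    sas, cur = set(), None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"src (\S+) dst (\S+)$", s):
            cur = m.groups()
        elif (m := re.match(r"proto (\S+) spi \S+ reqid (\d+) mode (\S+)", s)) and cur:
            sas.add(cur + m.groups())
    return sas

def parse_policies(text):
    """Return (direction, (src, dst, proto, reqid, mode)) for each `ip xfrm policy` entry with a tmpl."""
    pols, tmpl, direction = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if re.match(r"src \S+ dst \S+", s):            # selector line starts a new policy
            tmpl, direction = None, None
        elif m := re.match(r"(dir|socket) (\S+)", s):  # socket policies carry no tmpl
            direction = m.group(2) if m.group(1) == "dir" else None
        elif m := re.match(r"tmpl src (\S+) dst (\S+)", s):
            tmpl = m.groups()
        elif (m := re.match(r"proto (\S+) reqid (\d+) mode (\S+)", s)) and tmpl:
            pols.append((direction, tmpl + m.groups()))
    return pols

def unmatched_templates(states_text, policy_text):
    """Inbound (in/fwd) templates that no installed SA satisfies: the XfrmInTmplMismatch suspects."""
    sas = parse_states(states_text)
    return [t for d, t in parse_policies(policy_text) if d in ("in", "fwd") and t not in sas]

# Constructed sample trimmed from the mail's output; the reqid 16390 policy is invented to show a hit.
STATE = """\
src A.B.C.D dst 10.10.128.100
     proto esp spi 0x8ba71c42 reqid 16389 mode tunnel
src 10.10.128.100 dst A.B.C.D
     proto esp spi 0x95a7b625 reqid 16389 mode tunnel
"""
POLICY = """\
src 192.168.1.0/24 dst 10.10.128.0/24
     dir in priority 2084814 ptype main
     tmpl src A.B.C.D dst 10.10.128.100
         proto esp reqid 16389 mode tunnel
src 172.16.0.0/24 dst 10.10.128.0/24
     dir in priority 2084814 ptype main
     tmpl src A.B.C.D dst 10.10.128.100
         proto esp reqid 16390 mode tunnel
"""
```

On a live host, feed it `ip xfrm state` and `ip xfrm policy` output captured while the counter is climbing; an empty result means the templates agree with the SAs and the mismatch is elsewhere (for example a packet selector that hits a different policy than expected).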