<div dir="ltr"><div><div style="font-size:13px">Hi All,</div><div style="font-size:13px"><br></div><div style="font-size:13px">This is my first post to this list and I've been trying to figure out this problem for a few weeks without asking for help because I thought I must be doing something stupid. Solving this really is beyond me, so I'd love some help from you packet mangling gurus out there. - Thanks Dave Harding for motivating me to say "me too". Just like Dave, please also forgive me if I'm doing something wrong or breaking mailing list etiquette.</div><div style="font-size:13px"><div style="font-size:small"><div style="font-size:13px"><div><br></div></div></div></div><div style="font-size:13px">The basic problem is that a ping sent from the machine that initiated the tunnel (we'll call this the ipsec initiatiator) and to the machine at the other end (we'll call this the ipsec responder) does not work until a ping first comes from the ipsec responder back to the ipsec initiator. At that point, ping responds only if the tunnel has had traffic pass through it in the last 30 seconds. Also, while the ping from the ipsec initiator to the ipsec responder does not work, the ipsec initiatiator cannot even ping itself.</div><div style="font-size:13px"><br></div><div style="font-size:13px"><div>It sounds like an arp-cache timeout problem to me, where a packet coming through the ipsec tunnel from the ipsec responder teaches the kernel of the ipsec initiator that the ipsec responder can be contacted via the ipsec tunnel. That's my hunch, but I don't know enough about this to actually track down the problem and fix it.</div><div><br></div><div><div>I have a more complex configuration and will eventually have firewalls, but I've stripped everything down to a single connection with no firewalls, so this is my basic configuration:</div><div><br></div><div>Machine Description</div><div>"core" AWS Microinstance NAT behind an AWS Virtual IP never initiates tunnel </div><div>"mdserver" Mum and Dads server with dynamic IP with NAT behind a router and initiates tunnel</div></div><div><br></div><div>I wrote myself a script to test this, and here is a snip of its relevant output when run on the ipsec initiator.<br></div></div><div style="font-size:13px"><br></div><div style="font-size:13px"><div><b>[root@mdserver ~]# /etc/ipsec.d/when_does_ping_stop 10.1.2.2 10.1.0.1 </b></div><div><b>Error: Ping "10.1.2.2" -> "10.1.0.1" failed.</b></div><div><b>Error: Ping "10.1.2.2" -> "10.1.2.2" failed.</b></div><div><b>[root@mdserver ~]# </b></div></div><div style="font-size:13px"><br></div><div style="font-size:13px">Then I ping from the ipsec responder to the ipsec initiator once as follows:</div><div style="font-size:13px"><br></div><div style><div style><b>[root@ip-172-31-6-188 ~]# ping -c 1 -w 3 10.1.2.2</b></div><div style><b>PING 10.1.2.2 (10.1.2.2) 56(84) bytes of data.</b></div><div style><b>64 bytes from <a href="http://10.1.2.2">10.1.2.2</a>: icmp_seq=1 ttl=64 time=36.7 ms</b></div><div style><b><br></b></div><div style><b>--- 10.1.2.2 ping statistics ---</b></div><div style><b>1 packets transmitted, 1 received, 0% packet loss, time 0ms</b></div><div style><b>rtt min/avg/max/mdev = 36.711/36.711/36.711/0.000 ms</b></div><div style><b>[root@ip-172-31-6-188 ~]# </b></div></div><div style="font-size:13px"><br></div><div style="font-size:13px">Then I re-run the same script on the ipsec initiator again.</div><div style="font-size:13px"><br></div><div style><div style="font-size:13px"><b>[root@mdserver ~]# /etc/ipsec.d/when_does_ping_stop 10.1.2.2 10.1.0.1 </b></div><div style="font-size:13px"><b>2015 Mar 20 11:04:28 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 1 seconds succeeded.</b></div><div style="font-size:13px"><b>2015 Mar 20 11:04:28 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 1 seconds succeeded.</b></div><div style="font-size:13px"><b>2015 Mar 20 11:04:29 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 2 seconds succeeded.</b></div><div style="font-size:13px"><b>2015 Mar 20 11:04:29 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 2 seconds succeeded.</b></div><div style="font-size:13px"><b><SNIP></b></div><div style><b style><div style>2015 Mar 20 11:11:15 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 29 seconds succeeded.</div><div style>2015 Mar 20 11:11:16 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 29 seconds succeeded.</div><div style>2015 Mar 20 11:11:44 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 30 seconds succeeded.</div><div style>2015 Mar 20 11:11:45 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 30 seconds succeeded.</div><div style>2015 Mar 20 11:12:14 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 31 seconds succeeded.</div><div style>2015 Mar 20 11:12:15 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 31 seconds succeeded.</div><div style>2015 Mar 20 11:12:45 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 32 seconds succeeded.</div><div style>2015 Mar 20 11:12:46 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 32 seconds succeeded.</div><div style>2015 Mar 20 11:13:17 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 33 seconds succeeded.</div><div style>2015 Mar 20 11:13:18 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 33 seconds succeeded.</div><div style>2015 Mar 20 11:13:50 Ping from 10.1.2.2 to 10.1.0.1 after a delay of 34 seconds failed, waiting up to 60 seconds for a successful response.2015 Mar 20 11:13:52 Ping from 10.1.2.2 to 10.1.2.2 after a delay of 34 seconds failed, waiting up to 60 seconds for a successful response.........................TIMEOUT</div><div style>TIMEOUT</div><div style>[root@mdserver ~]# </div></b></div></div><div style="font-size:13px"><br></div><div style="font-size:13px">Sometimes it stops after 31 seconds, in this case it was 34 seconds so there may have been some DNS traffic in there.<br></div><div style><div style="font-size:13px"><br></div><div style="font-size:13px">The config below shows the machine state with ipsec not running and is from a script called /etc/ipsec.d/show_ipsec_config which contains this active script:<br></div><div style="font-size:13px"><br></div><div style><div style><b>for cmd in "systemctl stop ipsec" \</b></div><div style><b> "cat /etc/redhat-release" \</b></div><div style><b> "rpm -q libreswan" \</b></div><div style><b> "cat /etc/ipsec.conf" \</b></div><div style><b> "ls /etc/ipsec.d/*{conf,secrets}" \</b></div><div style><b> "cat /etc/ipsec.d/*conf" \</b></div><div style><b> "sed 's/PSK \\\".*/PSK \\\"PRIVATE\\\"/' /etc/ipsec.d/*.secrets" \</b></div><div style><b> "iptables -L -n" \</b></div><div style><b> ; do</b></div><div style><b> echo -e "\n# ==== Output of $(hostname -s) command: \"$cmd\""</b></div><div style><b> eval $cmd</b></div><div style><b>done</b></div><div style><br></div><div style>For "mdserver" the script output is:</div><div style><br></div><div style><div><b>[root@mdserver ~]# /etc/ipsec.d/show_ipsec_config </b></div><div><b><br></b></div><div><b># ==== Output of mdserver command: "systemctl stop ipsec"</b></div><div><b><br></b></div><div><b># ==== Output of mdserver command: "cat /etc/redhat-release"</b></div><div><b>Red Hat Enterprise Linux Server release 7.0 (Maipo)</b></div><div><b><br></b></div><div><b># ==== Output of mdserver command: "rpm -q libreswan"</b></div><div><b>libreswan-3.8-6.el7_0.x86_64</b></div><div><b><br></b></div><div><b># ==== Output of mdserver command: "cat /etc/ipsec.conf"</b></div><div><b>config setup</b></div><div><b> plutodebug="all crypt"</b></div><div><b> protostack=netkey</b></div><div><b> dumpdir=/var/run/pluto/</b></div><div><b> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,!%v4:172.31.0.0/20">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,!%v4:172.31.0.0/20</a></b></div><div><b>include /etc/ipsec.d/*.conf</b></div><div><b><br></b></div><div><b># ==== Output of mdserver command: "ls /etc/ipsec.d/*{conf,secrets}"</b></div><div><b>/etc/ipsec.d/amazoncore.conf /etc/ipsec.d/amazoncore.secrets</b></div><div><b><br></b></div><div><b># ==== Output of mdserver command: "cat /etc/ipsec.d/*conf"</b></div><div><b>conn amazoncore</b></div><div><b> type=tunnel</b></div><div><b> authby=secret</b></div><div><b> auto=start</b></div><div><b> ike=aes256-sha1;modp1536,3des-md5;modp1024</b></div><div><b> forceencaps=yes</b></div><div><b> left=%defaultroute</b></div><div><b> leftid=10.1.2.2</b></div><div><b> leftsubnet=<a href="http://10.1.2.0/24">10.1.2.0/24</a></b></div><div><b> right=54.66.129.223</b></div><div><b> rightid=54.66.129.223</b></div><div><div><b> rightsourceip=10.1.0.1</b></div><div><b> rightsubnet=<a href="http://10.1.0.0/16">10.1.0.0/16</a></b></div><div><b><br></b></div><div><b># ==== Output of mdserver command: "sed 's/PSK \".*/PSK \"PRIVATE\"/' /etc/ipsec.d/*.secrets"</b></div><div><b>54.66.129.223 <a href="http://10.1.2.2">10.1.2.2</a>: PSK "PRIVATE"</b></div><div><b><br></b></div><div><b># ==== Output of mdserver command: "iptables -L -n"</b></div><div><b>Chain INPUT (policy ACCEPT)</b></div><div><b>target prot opt source destination </b></div><div><b><br></b></div><div><b>Chain FORWARD (policy ACCEPT)</b></div><div><b>target prot opt source destination </b></div><div><b><br></b></div><div><b>Chain OUTPUT (policy ACCEPT)</b></div><div><b>target prot opt source destination </b></div><div><b>[root@mdserver ~]# </b></div></div></div><div style><br></div><div style><br></div><div style>... and for "<span style="font-size:13px">core (ip-172-31-6-188)" the script output is:</span></div><div style><span style="font-size:13px"><br></span></div><div style><div style><b>[root@ip-172-31-6-188 ~]# /etc/ipsec.d/show_ipsec_config</b></div><div style><b><br></b></div><div style><b># ==== Output of ip-172-31-6-188 command: "systemctl stop ipsec"</b></div><div style><b><br></b></div><div style><b># ==== Output of ip-172-31-6-188 command: "cat /etc/redhat-release"</b></div><div style><b>Red Hat Enterprise Linux Server release 7.0 (Maipo)</b></div><div style><b><br></b></div><div style><b># ==== Output of ip-172-31-6-188 command: "rpm -q libreswan"</b></div><div style><b>libreswan-3.8-6.el7_0.x86_64</b></div><div style><b><br></b></div><div style><b># ==== Output of ip-172-31-6-188 command: "cat /etc/ipsec.conf"</b></div><div style><b>config setup</b></div><div style><b> protostack=netkey</b></div><div style><b> dumpdir=/var/run/pluto/</b></div><div style><b> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,!%v4:172.31.0.0/20">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,!%v4:172.31.0.0/20</a></b></div><div style><b>include /etc/ipsec.d/*.conf</b></div><div style><b><br></b></div><div style><b># ==== Output of ip-172-31-6-188 command: "ls /etc/ipsec.d/*{conf,secrets}"</b></div><div style><b>/etc/ipsec.d/forestlake.conf /etc/ipsec.d/forestlake.secrets</b></div><div style><b><br></b></div><div style><b># ==== Output of ip-172-31-6-188 command: "cat /etc/ipsec.d/*conf"</b></div><div style><b>conn forestlake</b></div><div style><b> type=tunnel</b></div><div style><b> authby=secret</b></div><div style><b> auto=add</b></div><div style><b> ike=aes256-sha1;modp1536,3des-md5;modp1024</b></div><div style><b> forceencaps=yes</b></div><div style><b> left=%defaultroute</b></div><div style><b> leftid=54.66.129.223</b></div><div style><b> leftsourceip=10.1.0.1</b></div><div style><b> leftsubnet=<a href="http://10.1.0.0/16">10.1.0.0/16</a></b></div><div style><b> right=%any</b></div><div style><div style><b> rightid=10.1.2.2</b></div><div style><b> rightsubnet=<a href="http://10.1.2.0/24">10.1.2.0/24</a></b></div><div style><b><br></b></div><div style><b># ==== Output of ip-172-31-6-188 command: "sed 's/PSK \".*/PSK \"PRIVATE\"/' /etc/ipsec.d/*.secrets"</b></div><div style><b>54.66.129.223 <a href="http://10.1.2.2">10.1.2.2</a>: PSK "PRIVATE"</b></div><div style><b><br></b></div><div style><b># ==== Output of ip-172-31-6-188 command: "iptables -L -n"</b></div><div style><b>Chain INPUT (policy ACCEPT)</b></div><div style><b>target prot opt source destination </b></div><div style><b><br></b></div><div style><b>Chain FORWARD (policy ACCEPT)</b></div><div style><b>target prot opt source destination </b></div><div style><b><br></b></div><div style><b>Chain OUTPUT (policy ACCEPT)</b></div><div style><b>target prot opt source destination </b></div><div style><b>[root@ip-172-31-6-188 ~]# </b></div><div style><b><br></b></div><div style><div><span style="font-family:Tahoma">Cheers,</span><br></div><div><div class="gmail_signature"><div dir="ltr"><font face="Tahoma"><br><font style="font-size:10pt">Paul Moore</font></font><div><font style="font-size:10pt"><font face="Tahoma">Astute Systems</font></font></div><div><a href="mailto:pmoore@astute-systems.com" target="_blank" style="font-family:Tahoma;font-size:13.6000003814697px">pmoore@astute-systems.com</a><span style="font-family:Tahoma;font-size:13.6000003814697px"> </span><font style="font-size:10pt"><font face="Tahoma"> </font></font><span style="font-family:Tahoma;font-size:13.6000003814697px">0481 268 522</span><span style="font-family:Tahoma;font-size:10pt"> </span><a href="http://www.linkedin.com/profile/view?id=465982" target="_blank" style="font-family:Tahoma;font-size:10pt"><img src="http://www.linkedin.com/img/webpromo/btn_in_20x15.png">View my profile</a></div></div></div></div></div></div></div></div></div></div>
</div>