<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Can you arrange for some logfiles I can have a look at?</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">Can you also try a 3.20rcX release candidate?</div><div><br>On Jun 20, 2017, at 08:27, Bob Cribbs &lt;<a href="mailto:bob.cribbs@policystat.com">bob.cribbs@policystat.com</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><style>body{font-family:Helvetica,Arial;font-size:13px}</style><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">Hi,</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">I'm experiencing a new problem with my upgrade process (3.12->3.20), this time it's the routes.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">I have ~70 tunnels set up on my server.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">After ipsec is (re)started, all the routes come up.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">But then 1-2 minutes later, there are only a subset of those that are still up, ~10 of them. 
It's always the same 10 that are persisting.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">All the tunnels are still showing up as connected, including those that are now missing the routes.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div class="bloop_container"><div class="bloop_frame">  </div></div>Sending data through the tunnel only works for those that have routes; for the other ones it is timing out.<div><br></div><div>I tried downgrading from 3.20 -> 3.19, same problem.</div><div>I tried downgrading further 3.19 -> 3.18. Routes seem to be persisting on 3.18.</div><div><br></div><div>I suspect there is a problem with encapsulation and NAT and keepalive.</div><div>On 3.12 and 3.18, I used `forceencaps=yes`</div><div>On 3.20 I tried `<span style="white-space:pre-wrap">encapsulation=yes` and `</span><span style="white-space:pre-wrap">encapsulation=auto`; routes are disconnecting with either of them.</span></div><div><div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap"><br></span></div><div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">```</span></div><div style="orphans: 2; widows: 2;"><div style="font-family:'helvetica Neue',helvetica;font-size:14px"><div>conn customer</div><div>        authby=secret</div><div>        dpddelay=40</div><div>        dpdtimeout=120</div><div>        dpdaction=restart</div><div>        auto=start</div><div>        encapsulation=yes</div><div>        pfs=yes</div><div>        ike=aes256-sha1</div><div>        phase2alg=aes256-sha1</div><div>        left=%defaultroute</div><div>        leftid=184.X.X.X</div><div>        leftsourceip=184.X.X.X</div><div>        leftsubnet=184.X.X.X/32</div><div>        right=72.Y.Y.Y</div><div>        rightid=72.Y.Y.Y</div><div>        rightsubnet=10.B.B.B/32</div></div></div><div 
style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">```</span></div><div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap"><br></span></div><div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">Once the route disappears, it doesn't come back even if I try:</span></div><div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">```</span></div><div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">$ sudo ipsec auto --down customer</span></div><div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">$ sudo ipsec auto --up customer</span></div><div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">```</span></div><div id="bloop_sign_1497960635259272192" class="bloop_sign"><br></div></div><div id="bloop_sign_1497960635259272192" class="bloop_sign">Am I missing some config to keep the route up on the 3.20 version?</div><div id="bloop_sign_1497960635259272192" class="bloop_sign"><br></div><div id="bloop_sign_1497960635259272192" class="bloop_sign">Thank you.</div>
</div></blockquote></body></html>