<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap:break-word"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">I managed to test a few scenarios:</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">## 1. One dropping route tunnel only</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">Minutes after ipsec restart the route disappears, although the tunnel is still up.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">Data can not be sent through the tunnel.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">## 2. 
One stable route tunnel + One dropping route tunnel<br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">The route doesn't disappear and data can be sent through the tunnel.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">## 3. Enabling more and more routes</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">Eventually the routes start disconnecting again after having 4 or 5 tunnels set up.</div> <div id="bloop_sign_1498544292319284992" class="bloop_sign"></div> <div><br></div><p class="airmail_on">On 20 June 2017 at 16:03:13, Bob Cribbs (<a href="mailto:bob.cribbs@policystat.com">bob.cribbs@policystat.com</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div style="word-wrap:break-word"><div></div><div>







<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Sure, what log files do you think are relevant?</div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
There doesn't seem to be anything in the `/var/log/auth.log` around
the time the routes disappear, there is nothing in
`/var/log/messages.log` file either.</div>
<div><br></div>
Or should I change pluto's log level to `all`?
<div>
<div id="bloop_sign_1497963652735643904" class="bloop_sign"></div>
<br>
<p class="airmail_on">On 20 June 2017 at 16:00:02, Paul Wouters
(<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>) wrote:</p>
<blockquote type="cite" class="clean_bq">
<div dir="auto">
<div>
<div><span>Can you arrange for some logfiles I can have a look
at?</span></div>
<div id="AppleMailSignature"><span><br></span></div>
<div id="AppleMailSignature"><span>Can you also try a 3.20rcX
release candidate?<br>
<br>
Sent from my iPhone</span></div>
<div><span><br>
On Jun 20, 2017, at 08:27, Bob Cribbs &lt;<a href="mailto:bob.cribbs@policystat.com">bob.cribbs@policystat.com</a>&gt;
wrote:<br>
<br></span></div>
<blockquote type="cite">
<div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<span>Hi,</span></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<span><br></span></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<span>I'm experiencing a new problem with my upgrade process
(3.12->3.20), this time it's the routes.</span></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<span><br></span></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<span>I have ~70 tunnels set up on my server.</span></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<span>After ipsec is (re)started, all the routes come
up.</span></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<span>But then 1-2 minutes later, there are only a subset of those
that are still up, ~10 of them. It's always the same 10 that are
persisting.</span></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<span>All the tunnels are still showing up as connected, including
those that are now missing the routes.</span></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<span><br></span></div>
<div class="bloop_container">
<div class="bloop_frame"></div>
</div>
<span>Sending data through the tunnel only works for those that
have routes; for the other ones it is timing out.</span>
<div><span><br></span></div>
<div><span>I tried downgrading from 3.20 -> 3.19, same
problem.</span></div>
<div><span>I tried downgrading further 3.19 -> 3.18. Routes seem
to be persisting on 3.18.</span></div>
<div><span><br></span></div>
<div><span>I suspect there is a problem with encapsulation and NAT
and keepalive.</span></div>
<div><span>On 3.12 and 3.18, I used `forceencaps=yes`</span></div>
<div><span>On 3.20 I tried <span style="white-space:pre-wrap">`encapsulation=yes`</span> and <span style="white-space:pre-wrap">`encapsulation=auto`</span>; routes are disconnecting
with either of them.</span></div>
<div>
<div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap"><br></span></div>
<div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">```</span></div>
<div style="orphans: 2; widows: 2;">
<div style="font-family:'helvetica Neue',helvetica;font-size:14px">
<div>conn customer</div>
<div>        authby=secret</div>
<div>        dpddelay=40</div>
<div>        dpdtimeout=120</div>
<div>        dpdaction=restart</div>
<div>        auto=start</div>
<div>        encapsulation=yes</div>
<div>        pfs=yes</div>
<div>        ike=aes256-sha1</div>
<div>        phase2alg=aes256-sha1</div>
<div>        left=%defaultroute</div>
<div>        leftid=184.X.X.X</div>
<div>        leftsourceip=184.X.X.X</div>
<div>        leftsubnet=184.X.X.X/32</div>
<div>        right=72.Y.Y.Y</div>
<div>        rightid=72.Y.Y.Y</div>
<div>        rightsubnet=10.B.B.B/32</div>
</div>
</div>
<div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">```</span></div>
<div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap"><br></span></div>
<div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">Once the route disappears, it doesn't come
back even if I try:</span></div>
<div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">```</span></div>
<div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">$ sudo ipsec auto --down customer</span></div>
<div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">$ sudo ipsec auto --up customer</span></div>
<div style="orphans: 2; widows: 2;"><span style="white-space:pre-wrap">```</span></div>
<div id="bloop_sign_1497960635259272192" class="bloop_sign">
<br></div>
</div>
<div id="bloop_sign_1497960635259272192" class="bloop_sign">Am I
missing some config to keep the route up on the 3.20 version?</div>
<div id="bloop_sign_1497960635259272192" class="bloop_sign">
<br></div>
<div id="bloop_sign_1497960635259272192" class="bloop_sign">Thank
you.</div>
</div>
</blockquote>
<blockquote type="cite">
<div>
<span>_______________________________________________</span><br>
<span>Swan mailing list</span><br>
<span><a href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a></span><br>

<span><a href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a></span><br>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>


</div></div></span></blockquote></body></html>