<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">I had a system that experienced intermittent internet connectivity and a series of dead peer detection triggers. After about an hour, the internet stabilized and the logs indicated that the tunnel had established itself. However, no traffic was
 allowed to traverse the tunnel. I noticed that the system’s peer was missing some ip xfrm policy rules. It had a rule for dir out, but was missing a rule for dir in and dir fwd. After recognizing this, I added the dir in and dir fwd rules by hand. Traffic
 was then able to traverse the tunnel.</div>
<div class=""><br class="">
</div>
<div class="">Has anyone else experienced behavior like this, or can anyone think of a way to reproduce it? I was unable to reproduce it while mimicking a loss of internet connectivity.</div>
<div class=""><br class="">
</div>
<div class="">Here are the configuration files for the system and the system’s peer respectively. Both systems were running Libreswan 3.19.</div>
<div class=""><br class="">
</div>
<div class="">
<div class=""># begin conn tunisp1</div>
<div class="">conn tunisp1</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>left=A.B.C.D</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftid="@left"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftsubnet=0.0.0.0/0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftcert=client</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>left=A.B.C.D</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftcert=client</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>right=E.F.G.H</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightid="%fromcert"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightsubnet=0.0.0.0/0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>right=E.F.G.H</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>authby=rsasig</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-routing=no</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-shared=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>encapsulation=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>keyingtries=0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dpddelay=30</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dpdtimeout=120</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>dpdaction=restart</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>mark=0x1000000/0xff000000</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-interface=tunisp1</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>phase2alg=aes256-sha2_256</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>auto=ignore</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>type=tunnel</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>compress=no</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>pfs=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ikepad=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>authby=rsasig</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>phase2=esp</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ikev2=permit</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>esn=no</div>
<div class=""># end conn tunisp1</div>
</div>
<div class=""><br class="">
</div>
<div class=""># begin conn tunisp6</div>
<div class="">conn tunisp6</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>left=A.B.C.D</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftid="@left"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>leftsubnet=0.0.0.0/0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>left=A.B.C.D</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>right=E.F.G.H</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightid="%fromcert"</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightsubnet=0.0.0.0/0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightcert=server</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>right=E.F.G.H</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightupdown=/usr/libexec/ipsec/inspeed_updown</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>rightcert=server</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>authby=rsasig</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-routing=no</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>encapsulation=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>keyingtries=0</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>mark=0x6000000/0xff000000</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>vti-interface=tunisp6</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>phase2alg=aes256-sha2_256</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>auto=ignore</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>type=tunnel</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>compress=no</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>pfs=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ikepad=yes</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>authby=rsasig</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>phase2=esp</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>ikev2=permit</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>esn=no</div>
<div class=""><br class="">
</div>
<div class="">Let me know if any other information would be helpful.</div>
<div class=""><br class="webkit-block-placeholder">
</div>
<div class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
Thanks!<br class="Apple-interchange-newline">
--</div>
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
cm</div>
</div>
<br class="">
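<div class="">An added example, not part of the original post and not Libreswan code: a check for the symptom described above, where a mark has a dir out policy but no dir in or dir fwd policy. The function names, the sample addresses and the assumed layout of ip xfrm policy output (an unindented selector line followed by indented dir and mark lines) are assumptions, and the sample text is constructed.</div>

```python
import re
import sys
from collections import defaultdict

REQUIRED = ("out", "in", "fwd")  # directions a tunnel-mode policy set needs

# Constructed sample in the assumed layout of `ip xfrm policy`; the marks are
# the two from the posted configuration, everything else is made up.
SAMPLE = """\
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir out priority 2080702 ptype main
\tmark 0x1000000/0xff000000
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir in priority 2080702 ptype main
\tmark 0x1000000/0xff000000
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir fwd priority 2080702 ptype main
\tmark 0x1000000/0xff000000
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir out priority 2080702 ptype main
\tmark 0x6000000/0xff000000
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket in priority 0 ptype main
"""

def directions_by_mark(text):
    """Map each policy mark to the set of directions installed for it."""
    seen = defaultdict(set)
    # Each policy starts with an unindented selector line ("src ... dst ...").
    for block in re.split(r"(?m)^(?=src )", text):
        direction = re.search(r"(?m)^[ \t]+dir (\w+)", block)
        if not direction:  # empty chunk or per-socket policy: not a tunnel rule
            continue
        mark = re.search(r"(?m)^[ \t]+mark (\S+)", block)
        seen[mark.group(1) if mark else "unmarked"].add(direction.group(1))
    return dict(seen)

def missing_directions(text):
    """Return {mark: [missing directions]} for incomplete policy sets."""
    found = directions_by_mark(text)
    gaps = {m: [d for d in REQUIRED if d not in ds] for m, ds in found.items()}
    return {m: absent for m, absent in gaps.items() if absent}

if __name__ == "__main__":
    # Usage: ip xfrm policy | python3 this_file.py -   (no "-": use the sample)
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE
    for mark, absent in missing_directions(text).items():
        print(f"mark {mark}: missing dir {', '.join(absent)}")
```

<div class="">Run periodically on both peers, a non-empty result while the tunnel is reported as established flags the state described in the post.</div>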
</body>
</html>