<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hey, Paul. I appreciate your response.<div><br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Do not use leftsourceip= if you specify more then one leftsubnet. Also,<br>
leftsourceip= must be an IP address within the (single) leftsubnet=<br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> right=12.131.93.13<br>
> rightsubnets=" <a href="http://10.50.32.166/32" rel="noreferrer" target="_blank">10.50.32.166/32</a> <a href="http://10.50.32.239/32" rel="noreferrer" target="_blank">10.50.32.239/32</a> <a href="http://10.50.36.4/32" rel="noreferrer" target="_blank">10.50.36.4/32</a> "<br>
> rightsourceip=12.131.93.13<br>
<br>
The same applies here.<br></blockquote><div><br></div><div>Good to know, but I don't think it's getting used. We'll clean up the config.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> SAs come up, and we can ping their side.<br>
<br>
> 000 #3166924: "orthooklahoma3937/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 918s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate<br>
> 000 #3166924: "orthooklahoma3937/1x1" <a href="mailto:esp.815a3ae9@12.131.93.13" target="_blank">esp.815a3ae9@12.131.93.13</a> <a href="mailto:esp.618dd3ad@172.20.109.76" target="_blank">esp.618dd3ad@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>
> 000 #3167825: "orthooklahoma3937/1x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1148s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate<br>
> 000 #3167825: "orthooklahoma3937/1x2" <a href="mailto:esp.73c12328@12.131.93.13" target="_blank">esp.73c12328@12.131.93.13</a> <a href="mailto:esp.b76a1e64@172.20.109.76" target="_blank">esp.b76a1e64@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>
> 000 #3165167: "orthooklahoma3937/1x3":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 82s; newest IPSEC; eroute owner; isakmp#3136241; idle; import:admin initiate<br>
> 000 #3165167: "orthooklahoma3937/1x3" <a href="mailto:esp.33a967a1@12.131.93.13" target="_blank">esp.33a967a1@12.131.93.13</a> <a href="mailto:esp.72596d49@172.20.109.76" target="_blank">esp.72596d49@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>
> 000 #3166787: "orthooklahoma3937/2x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 891s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate<br>
> 000 #3166787: "orthooklahoma3937/2x1" <a href="mailto:esp.970dcc23@12.131.93.13" target="_blank">esp.970dcc23@12.131.93.13</a> <a href="mailto:esp.207c2a70@172.20.109.76" target="_blank">esp.207c2a70@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>
> 000 #3166964: "orthooklahoma3937/2x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 602s; newest IPSEC; eroute owner; isakmp#3166786; idle; import:admin initiate<br>
> 000 #3166964: "orthooklahoma3937/2x2" <a href="mailto:esp.61180b3@12.131.93.13" target="_blank">esp.61180b3@12.131.93.13</a> <a href="mailto:esp.50ff9d05@172.20.109.76" target="_blank">esp.50ff9d05@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=1KB ESPout=1KB! ESPmax=4194303B<br>
> 000 #3162278: "orthooklahoma3937/2x3":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 437s; isakmp#3136241; idle; import:admin initiate<br>
> 000 #3162278: "orthooklahoma3937/2x3" <a href="mailto:esp.e4c24f90@12.131.93.13" target="_blank">esp.e4c24f90@12.131.93.13</a> <a href="mailto:esp.cadf8591@172.20.109.76" target="_blank">esp.cadf8591@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<br>
> 000 #3162955: "orthooklahoma3937/2x3":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 399s; newest IPSEC; eroute owner; isakmp#3136241; idle; import:admin initiate<br>
> 000 #3162955: "orthooklahoma3937/2x3" <a href="mailto:esp.d783e492@12.131.93.13" target="_blank">esp.d783e492@12.131.93.13</a> <a href="mailto:esp.1d0a885d@172.20.109.76" target="_blank">esp.1d0a885d@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=42KB ESPout=0B! ESPmax=4194303B<br>
> 000 #3166786: "orthooklahoma3937/2x3":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 26486s; newest ISAKMP; nodpd; idle; import:admin initiate<br>
> <br>
> We have duplicate SAs for some reason -- you can see that for 2x3, not sure if that matters.<br>
<br>
It should not matter. What seems to have happened is that when you<br>
established the IKE SA, and you were in the process of establishing all<br>
the IPsec SA's, the other end also started doing the same IPsec SA's.<br>
So you ended up with one connection which was initiated by you and<br>
responded to by you. One of them should vanish after a little while.<br>
<br></blockquote><div>Yeah, that's what I thought. They do come and go, but we consistently have two:<br><div>000 #439432: "orthooklahoma3937/2x3":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 47s; isakmp#430186; idle; import:admin initiate</div><div>000 #439432: "orthooklahoma3937/2x3" <a href="mailto:esp.16ea20ad@12.131.93.13">esp.16ea20ad@12.131.93.13</a> <a href="mailto:esp.6916d827@172.20.109.76">esp.6916d827@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B</div><div>000 #449005: "orthooklahoma3937/2x3":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1873s; newest IPSEC; eroute owner; isakmp#430186; idle; import:admin initiate</div><div>000 #449005: "orthooklahoma3937/2x3" <a href="mailto:esp.523917e3@12.131.93.13">esp.523917e3@12.131.93.13</a> <a href="mailto:esp.51b2fd1a@172.20.109.76">esp.51b2fd1a@172.20.109.76</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B</div></div><div><br></div><div>^At the moment, we have two that our side has initiated. Still, as far as I can see, no big deal. Seems to be valid on both sides.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> It's the 1x1 SA that's pertinent. We NAT the source and target ips via PREROUTING and POSTROUTING rules, and I<br>
> can see traffic initiated by the customer hitting PREROUTING but never hitting POSTROUTING and never leaving the box.<br>
<br>
Are you using the policy matching for ipsec? See:<br></blockquote><div><br></div><div>We don't use policy matching, but we've never had to before. For inbound customer traffic, we PREROUTE to match the config, and then we POSTROUTE to NAT the traffic past our gateway. You can see the pings match the config and disappear. We do this for all our tunnels, so pretty sure it's not that, but correct me if I'm wrong. If it were a iptables error, I'd expect the behavior to be consistent, but it the connection works for a while, and then breaks. It's working now, for example:</div><div><br></div><div><div>working:</div><div><font face="monospace, monospace">18:46:43.944652 IP 12.131.93.13.4500 > 172.20.109.76.4500: UDP-encap: ESP(spi=0x760cc9e1,seq=0x6c047), length 100 << Into our gateway</font></div><div><font face="monospace, monospace">18:46:43.944652 IP 10.50.32.166 > <a href="http://10.253.1.53">10.253.1.53</a>: ICMP echo request, id 4, seq 36054, length 40 << Through PREROUTING</font></div><div><font face="monospace, monospace">18:46:43.944700 IP 10.153.32.166 > <a href="http://172.20.75.204">172.20.75.204</a>: ICMP echo request, id 4, seq 36054, length 40 << Through POSTROUTING</font></div></div><div><br></div><div>not working from before:</div><div><pre style="white-space:pre-wrap;color:rgb(0,0,0)">18:52:14.753803 IP 12.131.93.13.4500 > 172.20.109.76.4500: UDP-encap: <span style="color:rgb(34,34,34);font-family:monospace,monospace;white-space:normal"><< Into our gateway</span>
ESP(spi=0x57369ff6,seq=0x14254d), length 100
18:52:14.753803 IP 10.50.32.166 > <a href="http://10.253.1.53">10.253.1.53</a>: ICMP echo request, id 2, seq <span style="color:rgb(34,34,34);font-family:monospace,monospace;white-space:normal"><< Through PREROUTING</span>
16669, length 40
<< Vanish! >></pre></div><div>It's working now, so I don't have any useful xfrm state info to show, but I can produce that when it breaks again. Any more info I can provide?</div><br class="gmail-Apple-interchange-newline"><div>-Dharma</div></div></div></div></div></div>