<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 21.01.21 20:53, Kontakt wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAJYN4d5SyKZe+H1-hBpcF=yA+9aReGCr70MjHJvNbx8zMT4WaA@mail.gmail.com">
<pre class="moz-quote-pre" wrap="">Hello,
I have a problem. An IPsec tunnel compiled on libreswan 4.1 (centos 8) for 1
client causes it to disconnect after 3600s. The same configuration on
libreswan 3.23 (centos 7) does not cause such problems. Conf file,
password, iptables, entries in routing table are identical.
I checked sysctl - identical. The only difference is selinux (centos 7 has
enforce, centos 8 disabled).
libreswan 3.23 (centos 7):
*ipsec verify*
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.23 (netkey) on 3.10.0-862.3.2.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default / send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY
will act on or cause sending of bogus ICMP redirects!
ICMP default / accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/em1/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/em2/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE / NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
ipsec verify: encountered 12 errors - see 'man ipsec_verify' for help
*And for libreswan 4.1 (centos 8):*
*ipsec verify*
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 4.1 (netkey) on 4.18.0-193.28.1.el8_2.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default / send_redirects [OK]
ICMP default / accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE / NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
Where should I look for the problem?
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
<p>Logs? Of both sides?</p>
<p>Seems the child negotiation somehow fails. But the reason should
be in the logs.<br>
</p>
<pre class="moz-signature" cols="72">Kind regards,
--
[*] sys4 AG
<a class="moz-txt-link-freetext" href="https://sys4.de">https://sys4.de</a>, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein</pre>
</body>
</html>