<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Hello,<br>I created a simple bash script that does ipsec auto --down every 50 minutes and then picks up the tunnel again after 5 seconds. </div><div class="gmail_default" style="font-family:tahoma,sans-serif">Interestingly, the problem for me concerns 1 connection out of about 15 others, only this one has a problem.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">pt., 22 sty 2021 o 17:51 António Silva <<a href="mailto:asilva@wirelessmundi.com">asilva@wirelessmundi.com</a>> napisał(a):<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;">Hi Paul,<div><br></div><div>Here is the full log:</div><div><div><br></div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[3] 95.61.168.133 #5: responding to Main Mode from unknown peer <a>95.61.168.133:500</a></div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[3] 95.61.168.133 #5: sent Main Mode R1</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[3] 95.61.168.133 #5: sent Main Mode R2</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[3] 95.61.168.133 #5: Peer ID is ID_IPV4_ADDR: '192.168.1.2'</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[3] 95.61.168.133 #5: switched from "tunnel8"[3] 95.61.168.133 to "tunnel8"</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[3] <a>95.61.168.133</a>: deleting connection instance with peer 95.61.168.133 {isakmp=#0/ipsec=#0}</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: Peer ID is ID_IPV4_ADDR: '192.168.1.2'</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: XAUTH: password file authentication method requested to authenticate user '<a>asilvapt@remote.local</a>'</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: XAUTH: password file (/etc/ipsec.d/passwd) open.</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: XAUTH: success user(<a>asilvapt@remote.local</a>:(null))</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: XAUTH: User <a>asilvapt@remote.local</a>: Authentication Successful</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: XAUTH: xauth_inR1(STF_OK)</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}</div><div>Jan 22 16:39:23 sol pluto[22331]: | pool 192.168.20.2-192.168.20.2: growing address pool from 0 to 1</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: modecfg_inR0(STF_OK)</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: sent ModeCfg reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: the peer proposed: <a>0.0.0.0/0:0/0</a> -> <a>192.168.20.2/32:0/0</a></div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: responding to Quick Mode proposal {msgid:b5a1646d}</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: us: <a>0.0.0.0/0===92.211.123.17</a><92.211.123.17>[@xauth.remote.local,MS+XS+S=C]</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: them: 95.61.168.133[192.168.1.2,+MC+XC+S=C]===<a>192.168.20.2/32</a></div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation tunnel mode {ESPinUDP=>0x2f0ed8e8 <0xfb5da4b1 xfrm=AES_GCM_16_128-NONE NATOA=none NATD=<a>95.61.168.133:4500</a> DPD=active <a>username=asilvapt@remote.local</a>}</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: Warning: XAUTH username changed from '' to 'asilvaptremote.local'</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: Warning: XAUTH username changed from '' to 'asilvaptremote.local'</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: Warning: XAUTH username changed from '' to 'asilvaptremote.local'</div><div>Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: IPsec SA established tunnel mode {ESPinUDP=>0x2f0ed8e8 <0xfb5da4b1 xfrm=AES_GCM_16_128-NONE NATOA=none NATD=<a>95.61.168.133:4500</a> DPD=active <a>username=asilvapt@remote.local</a>}</div><div><br></div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: initiating IKEv1 Main Mode connection to replace #5</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: sent Main Mode request, replacing #5</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: responding to Main Mode from unknown peer <a>95.61.168.133:500</a></div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: sent Main Mode R1</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] <a>95.61.168.133</a>: queuing pending IPsec SA negotiating with 95.61.168.133 IKE SA #10 "tunnel8"[4] 95.61.168.133</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: sent Main Mode R2</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: Peer ID is ID_IPV4_ADDR: '192.168.1.2'</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: XAUTH: password file authentication method requested to authenticate user '<a>asilvapt@remote.local</a>'</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: XAUTH: password file (/etc/ipsec.d/passwd) open.</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: XAUTH: success user(<a>asilvapt@remote.local</a>:(null))</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: XAUTH: User <a>asilvapt@remote.local</a>: Authentication Successful</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: XAUTH: xauth_inR1(STF_OK)</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}</div><div>Jan 22 17:34:53 sol pluto[22331]: | pool 192.168.20.2-192.168.20.2: growing address pool from 0 to 1</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: modecfg_inR0(STF_OK)</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: sent ModeCfg reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: sent Main Mode I2</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: sent Main Mode I3</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: Peer ID is ID_IPV4_ADDR: '192.168.1.2'</div><div>Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}</div><div>Jan 22 17:34:54 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: XAUTH: Sending Username/Password request (MAIN_I4->XAUTH_R0)</div><div>Jan 22 17:34:54 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: ignoring informational payload CERTIFICATE_UNAVAILABLE, msgid=00000000, length=12</div><div>Jan 22 17:34:54 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: received and ignored notification payload: CERTIFICATE_UNAVAILABLE</div><div><br></div><div>Jan 22 17:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: deleting state (STATE_MODE_CFG_R1) aged 3600.267468s and sending notification</div><div>Jan 22 17:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: deleting state (STATE_QUICK_R2) aged 3600.089548s and sending notification</div><div>Jan 22 17:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: ESP traffic information: in=14MB out=78MB <a>XAUTHuser=asilvapt@remote.local</a></div><div>Jan 22 17:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: Warning: XAUTH username changed from '' to 'asilvaptremote.local'</div><div>Jan 22 17:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x2f0ed8e8) not found (maybe expired)</div><div>Jan 22 17:39:23 sol pluto[22331]: ignoring found existing connection instance "tunnel8"[4] 95.61.168.133 that covers kernel acquire with IKE state #10 and IPsec state #0 - due to duplicate acquire?</div><div>Jan 22 17:39:54 sol pluto[22331]: existing bare shunt found - refusing to add a duplicate</div><div>Jan 22 17:39:54 sol pluto[22331]: ignoring found existing connection instance "tunnel8"[4] 95.61.168.133 that covers kernel acquire with IKE state #10 and IPsec state #0 - due to duplicate acquire?</div><div>Jan 22 17:40:24 sol pluto[22331]: existing bare shunt found - refusing to add a duplicate</div><div>Jan 22 17:40:24 sol pluto[22331]: ignoring found existing connection instance "tunnel8"[4] 95.61.168.133 that covers kernel acquire with IKE state #10 and IPsec state #0 - due to duplicate acquire?</div></div><div><br></div><div><br></div><div>Please let me know if you need more verbose in the logs. </div><div><br></div><div>Thanks.</div><div><br><div>
<div dir="auto" style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">--<br>Saludos / Regards / Cumprimentos</div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">António Silva</div></div><br>
</div>
<div><br><blockquote type="cite"><div>On 22 Jan 2021, at 14:41, Paul Wouters <<a>paul@nohats.ca</a>> wrote:</div><br><div><div dir="auto">This is a different issue I have not seen before. It seems there is confusion about state between kernel and pluto ?<div><br></div><div>To say more, i would need to see the logs from a valid state going to this bad state.</div><div><br></div><div>Paul<br><br><div dir="ltr">Sent from my iPhone</div><div dir="ltr"><br><blockquote type="cite">On Jan 22, 2021, at 07:03, António Silva <<a>asilva@wirelessmundi.com</a>> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">Hi,<div><br><div>I’m having the same issue, after upgrading the server side to version 4.1, every hour the tunnel disconnects, restarting the client side only makes it work again.</div><div><br></div><div><br></div><div>Here is the logs from the server side when the tunnel is reconnecting after an 1h:</div><div><br></div><div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: initiating IKEv1 Main Mode connection to replace #89</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: sent Main Mode request, replacing #89</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: responding to Main Mode from unknown peer <a>95.61.168.133:500</a></div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: sent Main Mode R1</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: sent Main Mode R2</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] <a>95.61.168.133</a>: queuing pending IPsec SA negotiating with 95.61.168.133 IKE SA #93 "tunnel8"[10] 95.61.168.133</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: Peer ID is ID_IPV4_ADDR: '192.168.1.2'</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH: password file authentication method requested to authenticate user '<a>asilvapt@remote.local</a>'</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH: password file (/etc/ipsec.d/passwd) open.</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH: success user(<a>asilvapt@remote.local</a>:(null))</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH: User <a>asilvapt@remote.local</a>: Authentication Successful</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH: xauth_inR1(STF_OK)</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}</div><div>Jan 22 12:37:36 sol pluto[24350]: | pool 192.168.20.2-192.168.20.2: growing address pool from 0 to 1</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: modecfg_inR0(STF_OK)</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: sent ModeCfg reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}</div><div>Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response</div><div>Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: sent Main Mode I2</div><div>Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: sent Main Mode I3</div><div>Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: Peer ID is ID_IPV4_ADDR: '192.168.1.2'</div><div>Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}</div><div>Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: XAUTH: Sending Username/Password request (MAIN_I4->XAUTH_R0)</div><div>Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: ignoring informational payload CERTIFICATE_UNAVAILABLE, msgid=00000000, length=12</div><div>Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: received and ignored notification payload: CERTIFICATE_UNAVAILABLE</div><div>Jan 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #89: deleting state (STATE_MODE_CFG_R1) aged 3600.266987s and sending notification</div><div>Jan 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #90: deleting state (STATE_QUICK_R2) aged 3600.089852s and sending notification</div><div>Jan 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #90: ESP traffic information: in=11MB out=30MB <a>XAUTHuser=asilvapt@remote.local</a></div><div>Jan 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #90: Warning: XAUTH username changed from '' to 'asilvaptremote.local'</div><div>Jan 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x3e9fbbf6) not found (maybe expired)</div><div>Jan 22 12:42:06 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?</div><div>Jan 22 12:42:36 sol pluto[24350]: existing bare shunt found - refusing to add a duplicate</div><div>Jan 22 12:42:36 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?</div><div>Jan 22 12:42:36 sol pluto[24350]: existing bare shunt found - refusing to add a duplicate</div><div>Jan 22 12:42:36 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?</div><div>Jan 22 12:43:06 sol pluto[24350]: existing bare shunt found - refusing to add a duplicate</div><div>Jan 22 12:43:06 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?</div><div>Jan 22 12:43:36 sol pluto[24350]: existing bare shunt found - refusing to add a duplicate</div><div>Jan 22 12:43:36 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?</div><div>Jan 22 12:44:06 sol pluto[24350]: existing bare shunt found - refusing to add a duplicate</div><div>Jan 22 12:44:06 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?</div><div>Jan 22 12:44:37 sol pluto[24350]: existing bare shunt found - refusing to add a duplicate</div><div>Jan 22 12:44:37 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?</div><div>Jan 22 12:45:07 sol pluto[24350]: existing bare shunt found - refusing to add a duplicate</div><div>Jan 22 12:45:07 sol pluto[24350]: ignoring found existing connection instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE state #93 and IPsec state #0 - due to duplicate acquire?</div><div>Jan 22 12:45:12 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: received Delete SA payload: self-deleting ISAKMP State #93</div><div><br></div></div><div><br></div><div><br></div><div><br></div><div>My configuration:</div><div><div>conn tunnel8-aggr</div><div><span style="white-space:pre-wrap"> </span>aggrmode=yes</div><div><span style="white-space:pre-wrap"> </span>also=tunnel8</div><div><br></div><div>conn tunnel8</div><div><span style="white-space:pre-wrap"> </span>pfs=no</div><div><span style="white-space:pre-wrap"> </span>type=tunnel</div><div><span style="white-space:pre-wrap"> </span>auto=add</div><div><span style="white-space:pre-wrap"> </span>ikev2=no</div><div><span style="white-space:pre-wrap"> </span>phase2=esp</div><div><span style="white-space:pre-wrap"> </span>authby=secret</div><div><span style="white-space:pre-wrap"> </span>keyingtries=3</div><div><span style="white-space:pre-wrap"> </span>ikelifetime=24h</div><div><span style="white-space:pre-wrap"> </span>salifetime=1h</div><div><span style="white-space:pre-wrap"> </span>left=92.211.123.17</div><div><span style="white-space:pre-wrap"> </span>leftsubnet=<a>0.0.0.0/0</a></div><div><span style="white-space:pre-wrap"> </span><a>leftid=@xauth.remote.local</a></div><div><span style="white-space:pre-wrap"> </span>right=%any</div><div><span style="white-space:pre-wrap"> </span>rightid=%any</div><div><span style="white-space:pre-wrap"> </span>rightaddresspool=192.168.20.100-192.168.20.254</div><div><span style="white-space:pre-wrap"> </span>dpddelay=30</div><div><span style="white-space:pre-wrap"> </span>dpdtimeout=300</div><div><span style="white-space:pre-wrap"> </span>dpdaction=clear</div><div><span style="white-space:pre-wrap"> </span>leftxauthserver=yes</div><div><span style="white-space:pre-wrap"> </span>rightxauthclient=yes</div><div><span style="white-space:pre-wrap"> </span>leftmodecfgserver=yes</div><div><span style="white-space:pre-wrap"> </span>rightmodecfgclient=yes</div><div><span style="white-space:pre-wrap"> </span>modecfgpull=yes</div><div><span style="white-space:pre-wrap"> </span>fragmentation=yes</div><div><span style="white-space:pre-wrap"> </span>xauthby=file</div></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br><div>
<div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">--<br>Saludos / Regards / Cumprimentos</div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">António Silva</div><br></div><br><br>
</div>
<div><br><blockquote type="cite"><div>On 21 Jan 2021, at 20:01, Michael Schwartzkopff <<a>ms@sys4.de</a>> wrote:</div><br><div>
<div>
<div>On 21.01.21 20:53, Kontakt wrote:<br>
</div>
<blockquote type="cite">
<pre>Hello,
I have a problem. ipsec tunnel compiled on libreswan 4.1 (centos 8) for 1
client causes it to disconnect after 3600s. the same configuration on
libreswan 3.23 (centos 7) does not cause such problems. conf file,
password, iptables, entries in routing table identical.
I checked sysctl - identical. the only difference is selinux (centos 7 has
enforce, centos 8 disabled).
libreswan 3.23 (centos 7):
*ipsec verify*Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.23 (netkey) on 3.10.0-862.3.2.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default / send_redirects [NOT DISABLED]
Disable / proc / sys / net / ipv4 / conf / * / send_redirects or NETKEY
will act on or cause sending of bogus ICMP redirects!
ICMP default / accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/ proc / sys / net / ipv4 / conf / all / rp_filter [ENABLED]
/ proc / sys / net / ipv4 / conf / default / rp_filter [ENABLED]
/ proc / sys / net / ipv4 / conf / em1 / rp_filter [ENABLED]
/ proc / sys / net / ipv4 / conf / em2 / rp_filter [ENABLED]
/ proc / sys / net / ipv4 / conf / ip_vti0 / rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE / NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
ipsec verify: encountered 12 errors - see 'man ipsec_verify' for help
*And for libreswan 4.1 (centos 8):*
* ipsec verify*
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 4.1 (netkey) on 4.18.0-193.28.1.el8_2.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default / send_redirects [OK]
ICMP default / accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE / NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
Where to look for the problem?
</pre>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Swan mailing list
<a>Swan@lists.libreswan.org</a>
<a>https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote><p><br>
</p><p><br>
</p><p>Logs? of both sides?</p><p>Seems the child negotiation somehow fails. But the reason should
be in the logs.<br>
</p><p><br>
</p>
<pre cols="72">Mit freundlichen Grüßen,
--
[*] sys4 AG
<a>https://sys4.de</a>, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein</pre>
</div>
_______________________________________________<br>Swan mailing list<br><a>Swan@lists.libreswan.org</a><br><a>https://lists.libreswan.org/mailman/listinfo/swan</a><br></div></blockquote></div><br></div></div><span>_______________________________________________</span><br><span>Swan mailing list</span><br><span><a>Swan@lists.libreswan.org</a></span><br><span><a>https://lists.libreswan.org/mailman/listinfo/swan</a></span><br></div></blockquote></div></div></div></blockquote></div><br></div></div>_______________________________________________<br>
Swan mailing list<br>
<a>Swan@lists.libreswan.org</a><br>
<a rel="noreferrer">https://lists.libreswan.org/mailman/listinfo/swan</a><br>
</blockquote></div>