<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Hi everyone,</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">I have been suffering from a random problem with libreswan v3.25 when connecting an AWS EC2 instance running Libreswan to a Cisco ASA on the other end.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">The phase 1 ISAKMP is renegotiated and successfully reestablished while it is associated with a concrete rightsubnet, specifically the last one, vpn/1x18. We have configured 18 rightsubnets.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">The problem comes when phase 2 is renewed. Sometimes, in a completely random way, the AWS EC2 Libreswan side cannot restart the rightsubnets with a connection event (ping, netcat, telnet). Let me explain in more detail:</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- First, my ipsec.d config sets ikelifetime=28800s and salifetime=28800s, but phase 2 of every connection goes down after 30 minutes without traffic flow.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- When the problem is active, if any phase 2 is down I can ALWAYS reconnect it from the Cisco ASA side to the AWS EC2 side by sending some traffic, but <b>it is not possible to reconnect any subnet from AWS to the Cisco ASA side</b>.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- The only solution to this problem is to stop and restart the IPsec service.
After the restart, when a connection is down we can reestablish it by sending some traffic from both sides.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- For some reason this state happens randomly; we have been testing this problem for a long time and can work without this issue for 10 days. But since last Wednesday it has been happening at least once a day.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><b>Troubleshooting done:<br></b></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- Checked the firewall on both sides</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- iptables is disabled and masked in systemd on the AWS EC2 Libreswan side</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- SELinux is disabled on the AWS EC2 Libreswan side</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- The subnet configuration is the same, in the same order, on both sides</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- Routes on both sides have been checked; they actually work well when the problem is not active.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- 
sysctl.conf:</div><div class="gmail_default" style="color:rgb(7,55,99)"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_default" style="color:rgb(7,55,99)"><font face="monospace">net.ipv4.conf.all.rp_filter = 0<br>net.ipv4.conf.default.rp_filter = 0<br>net.ipv4.conf.eth0.rp_filter = 0<br>net.ipv4.conf.ip_vti0.rp_filter = 0<br>net.ipv4.conf.all.accept_redirects = 0<br>net.ipv4.conf.all.send_redirects = 0<br>net.ipv4.conf.default.send_redirects = 0<br>net.ipv4.conf.eth0.send_redirects = 0<br>net.ipv4.conf.default.accept_redirects = 0<br>net.ipv4.conf.eth0.accept_redirects = 0<br></font></div><div class="gmail_default" style="color:rgb(7,55,99)"><font face="monospace">net.ipv4.tcp_app_win=1380<br>net.ipv4.ip_forward=1</font><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(7,55,99)"><br></div></blockquote></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">- These are the <b>IPsec configuration files</b> (the "subnet.n" string replaces the subnet numbers, but they are correctly set):</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><b>/etc/ipsec.conf</b></div><div class="gmail_default" style="color:rgb(7,55,99)"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_default" style="color:rgb(7,55,99)"><font face="monospace"># /etc/ipsec.conf - Libreswan IPsec configuration file<br><br>config setup<br><br>       plutodebug="all crypt"<br>       plutostderrlog=/var/log/libreswan.log<br>       #      virtual_private=%v4:10.subnet.1.0/22,%v4:10.subnet.2.0/20,%v4:10.subnet.3.128/25,%v4:10.subnet.4.74/32,%v4:10.subnet.5.75/32,%v4:10.subnet.6.224/27,%v4:10.subnet.7.0/24,%v4:10.subnet.8.200/31,%v4:10.subnet.9.166/32,%v4:10.subnet.10.0/16,%v4:11.subnet.11.0/24,%v4:10.subnet.12.0/24,%v4:10.subnet.13.16/28,%v4:10.subnet.14.16/28,%v4:10.subnet.15.128/26,%v4:10.subnet.16.17/32,%v4:10.subnet.17.0/24,%v4:10.subnet.18.9/32<br><br></font></div></blockquote></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><b>/etc/ipsec.d/vpn.conf</b></div><div class="gmail_default" style="color:rgb(7,55,99)"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div class="gmail_default" style="color:rgb(7,55,99)"><font face="monospace">conn vpn<br>    type=tunnel<br>    authby=secret<br>    auto=start<br>    left=%defaultroute<br>    leftid=xxx.xxx.xxx.120<br>    leftsubnets=xxx.xxx.xxx.80/28<br>    right=xxx.xxx.xxx.45<br>    rightid=xxx.xxx.xxx.45<br>    rightsubnets={10.subnet.1.0/22 10.subnet.2.0/20 10.subnet.3.128/25 10.subnet.4.74/32 10.subnet.5.75/32 10.subnet.6.224/27 10.subnet.7.0/24 10.subnet.8.200/31 10.subnet.9.166/32 10.subnet.10.0/16 10.subnet.11.0/24 10.subnet.12.16/28 10.subnet.13.16/28 10.subnet.14.128/26 10.subnet.15.17/32 10.subnet.16.0/24 10.subnet.17.0/24 10.subnet.18.9/32}<br>    leftsourceip=xxx.xxx.xxx.92<br>    ikev2=insist<br>    ike=aes256-sha2;dh14<br>    esp=aes256-sha256<br>    keyexchange=ike<br>    ikelifetime=28800s<br>    salifetime=28800s<br>    dpddelay=30<br>    dpdtimeout=120<br>    dpdaction=restart<br>    encapsulation=no</font><br></div></blockquote></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">We are testing libreswan in the staging environment, but we want to promote it to the production environment.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">We tried to "force" a reconnection by using the ping command against an IP in various rightsubnets; <b>you can find attached the log of 2 minutes of reconnection attempts</b> for vpn/1x11 (ping after 11:16:29), vpn/1x12 (ping after 11:16:53), vpn/1x13 (ping after 11:17:07), vpn/1x15 (ping after 11:17:19) and vpn/1x16 (ping after 11:17:31).</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Could you please help us with any possible cause we are missing here?</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Is there any troubleshooting we could do in order to know where the rekey request is lost, or why it is not trying to rekey at all when this problem is active?</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Thanks in advance,</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#073763">Best regards!</div><div><br></div>-- <br><div dir="ltr" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>
<p><strong>Miguel Ponce Antolín</strong><br><span style="font-size:11px;color:black">Systems</span> · <a style="color:rgb(24,31,44);text-decoration:none" href="https://www.paradigmadigital.com/" target="_blank"><font size="1">paradig.ma</font></a></p>
</div></div></div></div></div></div>
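As an added example (not code from the post above or from libreswan itself), a small checker for the conn layout the post describes: it parses a conn section, expands the subnet-pair instances that libreswan names conn/&lt;l&gt;x&lt;r&gt; (the vpn/1x18 naming above), flags any CIDR that does not parse (such as the doubled dot in the post's virtual_private line) and checks that a peer's list holds the same subnets in the same order. The sample conn, its RFC 1918 addresses and the deliberate typo are constructed for this example.

```python
import ipaddress

# Constructed sample conn (not the post's real config); '10..20.0.0/24' is a
# deliberate typo of the kind that appeared in the post's virtual_private line.
SAMPLE_CONF = """conn vpn
    type=tunnel
    leftsubnets=192.168.10.80/28
    rightsubnets={10.1.0.0/22 10.2.0.0/20 10..20.0.0/24 10.3.3.9/32}
    ikelifetime=28800s
    salifetime=28800s
"""

def parse_conn(text, name):
    """Return the key=value settings of the named conn section as a dict."""
    settings, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            inside = stripped.split(None, 1)[1] == name
        elif inside and "=" in stripped and not stripped.startswith("#"):
            key, value = stripped.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def subnet_list(value):
    """Split a leftsubnets/rightsubnets value; braces are optional for one entry."""
    return value.strip("{}").split()

def instances(settings, name):
    """Map each libreswan instance name (name/<l>x<r>, 1-based) to its subnet pair."""
    lefts = subnet_list(settings.get("leftsubnets", ""))
    rights = subnet_list(settings.get("rightsubnets", ""))
    return {f"{name}/{l}x{r}": (ls, rs)
            for l, ls in enumerate(lefts, 1) for r, rs in enumerate(rights, 1)}

def invalid_cidrs(settings):
    """Return the subnet strings that do not parse as IPv4/IPv6 networks."""
    bad = []
    for key in ("leftsubnets", "rightsubnets"):
        for cidr in subnet_list(settings.get(key, "")):
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                bad.append(cidr)
    return bad

def peer_order_matches(local_rights, peer_lefts):
    """True when the peer lists the same networks in the same order (the post's own check)."""
    local = [ipaddress.ip_network(c, strict=False) for c in local_rights]
    return local == [ipaddress.ip_network(c, strict=False) for c in peer_lefts]
```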