<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 11pt; font-family: Tahoma,Arial,Helvetica,sans-serif'>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">Hi Paul<br />Also, an observation I could make is, when the machine at Site Office tries to reach the HO VPN server, even though the ping does not happen, I can see the traffic go up incrementally on both sides. <br />However when the HO tries to reach the Site Office, traffic from HO goes out and likewise the In traffic at Site Office also goes up incrementally, but there is no Out traffic from Site Office. Attaching the observation FYI. Any thoughts...?<br /><br /><strong>When Site Office tries to reach HO </strong><br /><br />At Site Office<br />Traffic: ESPin=8KB ESPout=8KB! ESPmax=0B <br />Response at HO<br />Traffic: ESPin=8KB ESPout=8KB! ESPmax=0B <br /><br /><br /><strong>When HO tries to reach Site Office</strong><br /><br />At HO<br />Traffic: ESPin=0B ESPout=8KB! ESPmax=0B <br />Response at Site Office<br />Traffic: ESPin=8KB ESPout=0B! ESPmax=0B <br /><br /><br /><br /><br /><br /><br />On 2023-02-01 02:22, Paul Wouters wrote:
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">So both agree on the tunnel and the traffic counters. It looks<br />operational.<br /><br />I wonder if there is some kind of firewall on the network that allows<br />the initial packets but then starts blocking things ?<br /><br />Sent using a virtual keyboard on a phone<br /><br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">On Jan 31, 2023, at 12:40, <a href="mailto:ud@blueaquan.com">ud@blueaquan.com</a> wrote:</blockquote>
<br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><br /><br />Hi Paul<br />Kindly find the output of ipsec whack --showstates from both sides<br />please.<br /><br />At HO<br /><br />000 #5: "PLUTOSUBNET":1208 STATE_V2_ESTABLISHED_IKE_SA (established<br />IKE SA); EVENT_SA_REKEY in 28511s; newest ISAKMP; idle;<br />000 #6: "PLUTOSUBNET":1208 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA<br />established); EVENT_SA_REKEY in 28511s; newest IPSEC; eroute owner;<br />isakmp#5; idle;<br />000 #6: "PLUTOSUBNET" esp.e4688f53@W.X.Y.Z esp.910e3384@A.B.C.D<br />tun.0@W.X.Y.Z tun.0@A.B.C.D Traffic: ESPin=168B ESPout=168B!<br />ESPmax=0B<br /><br />At Site Office<br /><br />000 #1: "PLSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE<br />SA); EVENT_SA_REKEY in 27743s; newest ISAKMP; idle;<br />000 #2: "PLSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA<br />established); EVENT_SA_REKEY in 27984s; newest IPSEC; eroute owner;<br />isakmp#1; idle;<br />000 #2: "PLSUBNET" esp.910e3384@A.B.C.D <a href="mailto:esp.e4688f53@10.10.128.100">esp.e4688f53@10.10.128.100</a><br />tun.0@A.B.C.D <a href="mailto:tun.0@10.10.128.100">tun.0@10.10.128.100</a> Traffic: ESPin=168B ESPout=168B!<br />ESPmax=0B<br /><br />Thanks, Best<br />BA<br /><br />On 2023-01-31 22:01, Paul Wouters wrote: On Mon, 30 Jan 2023,<br /><a href="mailto:ud@blueaquan.com">ud@blueaquan.com</a> wrote:<br /><br />I changed the HO's statement to auto=add while keeping auto=start at<br />the Site Office. Also removed encapsulation statement at both<br />ends, However there is no change in status, both machines are unable<br />to reach each other. The tunnel is getting established as<br />always, attaching the logs from both sides FYI.<br />Once the tunnel is not working, can you run on both ends:<br /><br />ipsec whack --showstates<br /><br />Let's see if both ends are still thinking the tunnel is up or not.<br /><br />Paul</blockquote>
</blockquote>
</div>
</body></html>