<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 11pt; font-family: Tahoma,Arial,Helvetica,sans-serif'>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">Hi Paul</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">The xfrm stat is having a non zero entry for "XfrmInTmplMismatch" which shows 94. Further check on Google brought me to this page <strong><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1932202">https://bugzilla.redhat.com/show_bug.cgi?id=1932202</a></strong> and I seem to have exactly the same problem, however I am not knowledgeable enough to understand the solution applied on that page.</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">Attaching outputs from the commands mentioned in the bugzilla page FYI please.</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><strong>/proc/net/xfrm_stat output</strong></div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><span style="font-size: 9pt;">XfrmInError 0</span><br /><span style="font-size: 9pt;">XfrmInBufferError 0</span><br /><span style="font-size: 9pt;">XfrmInHdrError 0</span><br /><span style="font-size: 9pt;">XfrmInNoStates 0</span><br /><span style="font-size: 9pt;">XfrmInStateProtoError 0</span><br /><span style="font-size: 9pt;">XfrmInStateModeError 0</span><br /><span style="font-size: 9pt;">XfrmInStateSeqError 0</span><br /><span style="font-size: 9pt;">XfrmInStateExpired 0</span><br /><span style="font-size: 9pt;">XfrmInStateMismatch 0</span><br /><span style="font-size: 9pt;">XfrmInStateInvalid 0</span><br /><span style="font-size: 9pt;">XfrmInTmplMismatch 94</span><br /><span style="font-size: 9pt;">XfrmInNoPols 0</span><br /><span style="font-size: 9pt;">XfrmInPolBlock 0</span><br /><span style="font-size: 9pt;">XfrmInPolError 0</span><br /><span style="font-size: 9pt;">XfrmOutError 0</span><br /><span style="font-size: 9pt;">XfrmOutBundleGenError 0</span><br /><span style="font-size: 9pt;">XfrmOutBundleCheckError 0</span><br /><span style="font-size: 9pt;">XfrmOutNoStates 0</span><br /><span style="font-size: 9pt;">XfrmOutStateProtoError 0</span><br /><span style="font-size: 9pt;">XfrmOutStateModeError 0</span><br /><span style="font-size: 9pt;">XfrmOutStateSeqError 0</span><br /><span style="font-size: 9pt;">XfrmOutStateExpired 0</span><br /><span style="font-size: 9pt;">XfrmOutPolBlock 0</span><br /><span style="font-size: 9pt;">XfrmOutPolDead 0</span><br /><span style="font-size: 9pt;">XfrmOutPolError 0</span><br /><span style="font-size: 9pt;">XfrmFwdHdrError 0</span><br /><span style="font-size: 9pt;">XfrmOutStateInvalid 0</span><br /><span style="font-size: 9pt;">XfrmAcquireError 0</span></div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">
<p><strong>$ sudo ip xfrm state</strong></p>
<p><span style="font-size: 9pt;">src A.B.C.D dst 10.10.128.100</span><br /><span style="font-size: 9pt;"> proto esp spi 0x8ba71c42 reqid 16389 mode tunnel</span><br /><span style="font-size: 9pt;"> replay-window 32 flag af-unspec</span><br /><span style="font-size: 9pt;"> auth-trunc hmac(sha512) 0x1cfc53f76819609e059d010ca8ef92815361c34b3bff42d9e23baeaed8d85dedc2b5f7dcf9e6b9d8b754d5559e061c9bca48000d9cf3c6d979022278006cf6a3 256</span><br /><span style="font-size: 9pt;"> enc cbc(aes) 0xa6c31fc12ebdf2d8bd2aa9e91d565536c27e00979b3595dbbd3b41b40c377711</span><br /><span style="font-size: 9pt;"> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</span><br /><span style="font-size: 9pt;"> anti-replay context: seq 0x8, oseq 0x0, bitmap 0x000000ff</span><br /><span style="font-size: 9pt;">src 10.10.128.100 dst A.B.C.D</span><br /><span style="font-size: 9pt;"> proto esp spi 0x95a7b625 reqid 16389 mode tunnel</span><br /><span style="font-size: 9pt;"> replay-window 32 flag af-unspec</span><br /><span style="font-size: 9pt;"> auth-trunc hmac(sha512) 0xb6d642fbc4a0ae8356fab535a5a6fe3988a183398c1ba26a27051ca2f849e29266177e2a8263c0b51030c33344444c50fbf66307e397de342f0a7500f040de67 256</span><br /><span style="font-size: 9pt;"> enc cbc(aes) 0x0698d495571406fc9c11522f645b25d29b33f8492c2ae851a35950eeb5e9ef14</span><br /><span style="font-size: 9pt;"> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</span><br /><span style="font-size: 9pt;"> anti-replay context: seq 0x0, oseq 0x8, bitmap 0x00000000</span></p>
</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><strong>$ sudo ip xfrm policy</strong><br /><span style="font-size: 9pt;">src 10.10.128.0/24 dst 192.168.1.0/24 </span><br /><span style="font-size: 9pt;"> dir out priority 2084814 ptype main </span><br /><span style="font-size: 9pt;"> tmpl src 10.10.128.100 dst A.B.C.D</span><br /><span style="font-size: 9pt;"> proto esp reqid 16389 mode tunnel</span><br /><span style="font-size: 9pt;">src 192.168.1.0/24 dst 10.10.128.0/24 </span><br /><span style="font-size: 9pt;"> dir fwd priority 2084814 ptype main </span><br /><span style="font-size: 9pt;"> tmpl src A.B.C.D dst 10.10.128.100</span><br /><span style="font-size: 9pt;"> proto esp reqid 16389 mode tunnel</span><br /><span style="font-size: 9pt;">src 192.168.1.0/24 dst 10.10.128.0/24 </span><br /><span style="font-size: 9pt;"> dir in priority 2084814 ptype main </span><br /><span style="font-size: 9pt;"> tmpl src A.B.C.D dst 10.10.128.100</span><br /><span style="font-size: 9pt;"> proto esp reqid 16389 mode tunnel</span><br /><span style="font-size: 9pt;">src ::/0 dst ::/0 </span><br /><span style="font-size: 9pt;"> socket out priority 0 ptype main </span><br /><span style="font-size: 9pt;">src ::/0 dst ::/0 </span><br /><span style="font-size: 9pt;"> socket in priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket out priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket in priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket out priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket in priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket out priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket in priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket out priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket in priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket out priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket in priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket out priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket in priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket out priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket in priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket out priority 0 ptype main </span><br /><span style="font-size: 9pt;">src 0.0.0.0/0 dst 0.0.0.0/0 </span><br /><span style="font-size: 9pt;"> socket in priority 0 ptype main </span><br /><span style="font-size: 9pt;">src ::/0 dst ::/0 proto ipv6-icmp type 135 </span><br /><span style="font-size: 9pt;"> dir out priority 1 ptype main </span><br /><span style="font-size: 9pt;">src ::/0 dst ::/0 proto ipv6-icmp type 135 </span><br /><span style="font-size: 9pt;"> dir fwd priority 1 ptype main </span><br /><span style="font-size: 9pt;">src ::/0 dst ::/0 proto ipv6-icmp type 135 </span><br /><span style="font-size: 9pt;"> dir in priority 1 ptype main </span><br /><span style="font-size: 9pt;">src ::/0 dst ::/0 proto ipv6-icmp type 136 </span><br /><span style="font-size: 9pt;"> dir out priority 1 ptype main </span><br /><span style="font-size: 9pt;">src ::/0 dst ::/0 proto ipv6-icmp type 136 </span><br /><span style="font-size: 9pt;"> dir fwd priority 1 ptype main </span><br /><span style="font-size: 9pt;">src ::/0 dst ::/0 proto ipv6-icmp type 136 </span><br /><span style="font-size: 9pt;"> dir in priority 1 ptype main </span></div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">On 2023-02-03 22:14, Paul Wouters wrote:
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">On Fri, 3 Feb 2023, <a href="mailto:ud@blueaquan.com">ud@blueaquan.com</a> wrote:<br /><br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">Double checked this, rp_filter is disabled on all interfaces and ipv4 forwarding is enabled. I use<br />"nftables" on both ends and have double checked to rules to ensure packets from both these sites have<br />bi-directional traffic enabled. In fact to rule out nftables, I flushed all rules at both ends briefly<br />for a min and tried to reach each other, but there's no change in status.</blockquote>
<br />Then you need to do network captures to see if the packets are in fact<br />making it to the machine or not. If they are, double check<br />/proc/net/xfrm_stat for non-zero entries indicating problems.</blockquote>
</div>
</body></html>