Open Dhariaj opened 6 years ago
Could you please post your ipsec configuration?
My initial hunch is that you have DPD (dead peer detection) enabled, so it seems there is a race condition between DPD and your netcat script.
Yes I do have DPD enabled
```
conn dev-lab
    authby=secret
    auto=start
    left=%defaultroute
    leftid=x.x.x.x
    right=x.x.x.x
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    auth=esp
    keyingtries=%forever
    keyexchange=ike
    leftsubnets=x.x.x.x/32
    rightsubnet=x.x.x.x/32
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart_by_peer
```
Libreswan has workarounds for DPD sequence number bugs from other implementations. If sticking with openswan, disable dpd
On Jul 30, 2018, at 04:58, Dhariaj notifications@github.com wrote:
We have an ipsec tunnel established between Openswan and Cisco ASA and everything works. I have a cron job on the openswan server to netcat a host on the other end every minute, and if the netcat fails then it restarts the openswan service. Once every couple netcat fails and the service gets restarted and netcat starts working again. I am not sure what might be causing this issue. I also see a lot of messages like this:

```
Jul 30 11:55:26 ip-1x.x.x.x pluto[24341]: "dev-vendor/6x3" #1: DPD: unexpected R_U_THERE_ACK packet with sequence number 49217
Jul 30 11:55:26 ip-x.x.x.x pluto[24341]: "dev-vendor/6x3" #1: DPD: unexpected R_U_THERE_ACK packet with sequence number 49218
Jul 30 11:55:26 ip-x.x.x.x pluto[24341]: "dev-vendor/6x3" #1: DPD: unexpected R_U_THERE_ACK packet with sequence number 49219
```

/var/log/secure is flooded with messages like this and I am not sure what might be causing this. Any help will be appreciated.
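As an added example (not code from this thread or from the Openswan project), a small Python checker that parses the pluto DPD warnings quoted above and flags a connection whose `unexpected R_U_THERE_ACK` lines arrive as an unbroken run of sequence numbers several times a second, the pattern that points at a DPD sequence-number mismatch with the peer rather than a dead tunnel. The log lines and the second connection name are constructed, modelled on the ones in the thread with hosts redacted.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in this thread (hosts redacted as x.x.x.x).
SAMPLE_LOG = """\
Jul 30 11:55:26 ip-x.x.x.x pluto[24341]: "dev-vendor/6x3" #1: DPD: unexpected R_U_THERE_ACK packet with sequence number 49217
Jul 30 11:55:26 ip-x.x.x.x pluto[24341]: "dev-vendor/6x3" #1: DPD: unexpected R_U_THERE_ACK packet with sequence number 49218
Jul 30 11:55:26 ip-x.x.x.x pluto[24341]: "dev-vendor/6x3" #1: DPD: unexpected R_U_THERE_ACK packet with sequence number 49219
Jul 30 11:55:40 ip-x.x.x.x pluto[24341]: "dev-vendor/6x3" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Jul 30 11:56:02 ip-x.x.x.x pluto[24341]: "other-site/1x2" #2: DPD: unexpected R_U_THERE_ACK packet with sequence number 17
"""

# Fields of the "unexpected R_U_THERE_ACK" warning: syslog timestamp, host, pluto pid,
# connection name, ISAKMP SA number and the DPD sequence number the peer acked.
DPD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): DPD: unexpected R_U_THERE_ACK packet '
    r'with sequence number (?P<seq>\d+)$'
)

def parse_dpd_events(lines):
    """Return one dict per unexpected-ACK line; every other log line is ignored."""
    events = []
    for line in lines:
        m = DPD_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "conn": m["conn"],
                           "sa": int(m["sa"]), "seq": int(m["seq"])})
    return events

def summarize(events, burst_threshold=3):
    """Per connection/SA: how many unexpected ACKs, whether their sequence numbers form
    an unbroken run, and the worst per-second burst. A contiguous run arriving several
    times a second means the peer is acking probes with numbers openswan does not
    expect, so openswan's DPD timer can still expire while traffic is flowing."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["conn"], e["sa"])].append(e)
    report = {}
    for key, evs in groups.items():
        seqs = [e["seq"] for e in evs]
        per_second = defaultdict(int)
        for e in evs:
            per_second[e["ts"]] += 1
        contiguous = seqs == list(range(seqs[0], seqs[0] + len(seqs)))
        report[key] = {
            "count": len(evs),
            "seq_range": (min(seqs), max(seqs)),
            "contiguous": contiguous,
            "max_per_second": max(per_second.values()),
            "suspect": contiguous and max(per_second.values()) >= burst_threshold,
        }
    return report

if __name__ == "__main__":
    for key, r in summarize(parse_dpd_events(SAMPLE_LOG.splitlines())).items():
        print(key, r)
```

Run it over `/var/log/secure` (or the plutostderrlog file) with `parse_dpd_events(open(path))` to see whether the restarts line up with a suspect run, before deciding to drop the dpd directives.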
Is disabling as simple as just removing the three lines (dpddelay=10, dpdtimeout=30, dpdaction=restart_by_peer), or do I need to do something specific?
This is turning into an issue. The service just restarted again.
@Dhariaj you can remove/comment out the 3 lines (dpddelay, dpdtimeout and dpdaction).
Sure, I can try. If I comment it out, won't it use any defaults?
The default dpdaction is hold, which means the eroute will be put into hold status. As such, your netcat script will then restart the connection.
Alternatively, you can disable your netcat (and leave your dpd directives alone).
Yes, just delete those 3 lines.
I have deleted the lines; we will see what happens. I will update this with findings.
Openswan most likely does not have this workaround code:
https://github.com/libreswan/libreswan/commit/f853f44177155f75ff2910a8fe2b96d95f8050e5
Ever since I incorporated the changes the service has restarted 3 times.
If I understand you correctly, @Dhariaj, you have incorporated the commit that @letoams mentioned into your Openswan instance. If so, can you please undo the commit and comment out the 3 lines in your ipsec.conf related to dpd (dpddelay, dpdtimeout and dpdaction)?
I did not incorporate the commit; I simply deleted the three lines related to the dpd values and restarted the service.
Do the logs show anything? Is there any exception or error in them?
What log should I review? I normally look at the secure or messages log under the log folder.
@Dhariaj In your ipsec.conf, un-comment the plutodebug line (if it isn't already un-commented). You should also check that your plutostderrlog line is un-commented and is pointing to a file that exists.
I uncommented `plutodebug="control parsing"`. I don't see a plutostderrlog line; should I add it to the ipsec.conf file?
Added the following lines:

```
plutodebug=all
plutostderrlog=/var/log/openswan.log
```