Hello Patrick,

> Does your ISP implement authoritative DNS?
> Do you suspect a UDP issue?
My VPN is configured with IPs, not with domain names. Do DNS and/or UDP 
matter anyway?

> Is a managed (switch) involved?
No, it is not. I do not use any switches in my testing setup.
GW1--ISP1_modem--.....--ISP2_modem--GW2

> Has duplex ever been an issue?
I have never noticed any duplex issue.


On Sun, 18 Aug 2019 16:07:14 -0500
Patrick Dohman <dohmanpatr...@gmail.com> wrote:

> Does your ISP implement authoritative DNS?
> Do you suspect a UDP issue?
> Is a managed (switch) involved? Has duplex ever been an issue?
> Regards
> Patrick  
> 
> > On Aug 18, 2019, at 1:03 PM, Radek <r...@int.pl> wrote:
> > 
> > Hello,
> > 
> > I have two testing gateways (6.5/i386) with a site-to-site VPN between 
> > their LANs (OpenIKED).
> > Both gws are fully syspatched, have public IPs and the same iked/pf 
> > configuration.
> > 
> > Unfortunately, the network traffic over the VPN tunnel stalls a few times 
> > a day.
> > 
> > On one side I use a script to monitor the VPN tunnel with ping; it restarts 
> > iked and emails me if there is no ping over the VPN tunnel.
> > Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)
> > 
> > 
> > In 6.3/i386 I have the same problem, but more frequently.
> > Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)
> > 
> > Do I have any bugs/deficiencies in my configs, missed something? 
> > Is there any way to make it work uninterruptedly?
> > I would be very grateful if you could help me with this case.
> > 
> > $cat /etc/hostname.enc0
> > up
> > 
> > $cat /etc/hostname.vr3
> > inet 10.0.17.254 255.255.255.0 NONE description "LAN17"
> > group trust
> > 
> > $cat /etc/iked.conf
> > local_gw_RAC17  =     "10.0.17.254" # lan_RAC
> > local_lan_RAC17 =     "10.0.17.0/24"
> > remote_gw_MON   =     "1.2.3.5" # fw_MON
> > remote_lan_MON  =     "172.16.1.0/24"
> > ikev2 quick active esp \
> > from $local_gw_RAC17 to $remote_gw_MON \
> > from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \
> > childsa enc chacha20-poly1305 \
> > psk "psk"
> > 
> > $cat /etc/pf.conf
> > # RAC-fwTEST
> > ext_if          = "vr0"
> > lan_rac_if      = "vr3" # vr3 -
> > lan_rac_local   = $lan_rac_if:network # 10.0.17.0/24
> > backup_if       = "vr2" # vr2 - lewy port
> > backup_local    = $backup_if:network # 10.0.117/24
> > 
> > bud             = "1.2.3.0/25"
> > rdk_wy          = "1.2.3.4"
> > rdk_mon         = "1.2.3.5"
> > panac_krz       = "1.2.3.6"
> > panac_rac       = "1.2.3.7"
> > 
> > set fingerprints "/dev/null"
> > set skip on { lo, enc0 }
> > set block-policy drop
> > set optimization normal
> > set ruleset-optimization basic
> > 
> > antispoof quick for {lo0, $lan_rac_if, $backup_if }
> > 
> > match out log on $ext_if from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)
> > 
> > block all
> > 
> > match in all scrub (no-df random-id)
> > match out all scrub (no-df random-id)
> > pass out on egress keep state
> > 
> > pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3, 7) keep state
> > 
> > ssh_port        = "1071"
> > table <ssh_trust> const { $bud, $rdk_wy, $rdk_mon, $panac_krz, $panac_rac, 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
> > table <bruteforce> persist counters
> > block from <bruteforce>
> > pass in log quick inet proto tcp from <ssh_trust> to $ext_if port $ssh_port flags S/SA \
> >        set prio (7, 7) keep state \
> >        (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global)
> > 
> > icmp_types      = "{ echoreq, unreach }"
> > pass inet proto icmp all icmp-type $icmp_types \
> >        set prio (7, 7) keep state
> > 
> > table <vpn_peers> const { $rdk_mon, $panac_rac, $panac_krz }
> > pass out quick on egress proto esp from (egress:0) to <vpn_peers> set prio (6, 7) keep state
> > pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} set prio (6, 7) keep state
> > pass  in quick on egress proto esp from <vpn_peers> to (egress:0) set prio (6, 7) keep state
> > pass  in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} set prio (6, 7) keep state
> > pass out quick on trust received-on enc0 set prio (6, 7) keep state
> > 
> > pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} set prio (6,7) keep state
> > pass in on egress proto {ah,esp} set prio (6,7) keep state
> > 
> > # By default, do not permit remote connections to X11
> > block return in on ! lo0 proto tcp to port 6000:6010
> > 
> > $cat iked_monitor.sh
> > #!/bin/sh
> > # Every 32 s, ping the far LAN gateway through the tunnel from our own
> > # LAN address. If the tunnel is silent while the peer's WAN address and
> > # the Internet still answer, mail a notice and restart iked.
> > while true
> > do
> > # field 4 of the ping summary line is the number of replies received;
> > # fall back to 0 when ping printed no summary (e.g. the interface was
> > # down), otherwise "-eq" below fails on an empty string
> > vpn=`ping -c 3 -w 1 -I 10.0.17.254 172.16.1.254 | grep packets | awk '{print $4}'`
> > vpn=${vpn:-0}
> > 
> > if [ "${vpn}" -eq 0 ] ; then
> > mon=`ping -c 3 -w 1 the_other_side_WAN_IP | grep packets | awk '{print $4}'`
> > wan=`ping -c 3 -w 1 8.8.8.8 | grep packets | awk '{print $4}'`
> > mon=${mon:-0}
> > wan=${wan:-0}
> > 
> >        # restart only when the tunnel is the one thing that is down
> >        if [ "${mon}" -gt 0 ] && [ "${wan}" -gt 0 ] ; then
> >        echo vpn: ${vpn}, mon: ${mon}, wan: ${wan} | mail -s "no ping through VPN RACTEST-MON! restarting iked!" em...@example.com
> >        rcctl restart iked
> >        fi
> > fi
> > sleep 32
> > done
> > 
> > 
> > -- 
> > Radek
> > 
> 


-- 
Radek
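A more defensive version of the ping-based tunnel monitor from the thread, added here as an example; it is not Radek's script and was not posted on the list. The parsing and the restart decision are split into functions so they can be run offline against constructed ping output; only run_monitor touches the network. The addresses, the placeholder the_other_side_WAN_IP and the mail recipient are copied from the post and are assumptions about the reader's setup; the function names received_count, decide and probe are mine.

```shell
#!/bin/sh
# Added example, not the original iked_monitor.sh. Values below are assumed
# from the mailing-list post and must be adapted.
VPN_SRC="10.0.17.254"             # assumed: the gateway's own LAN address
VPN_DST="172.16.1.254"            # assumed: the far LAN gateway
PEER_WAN="the_other_side_WAN_IP"  # placeholder, exactly as in the post
REF_IP="8.8.8.8"                  # reference host to tell "WAN down" apart
MAILTO="em...@example.com"        # placeholder, as in the post

# received_count: read ping output on stdin and print the number of echo
# replies. Handles the OpenBSD summary ("3 packets received") and the
# Linux one ("3 received"), and prints 0 when no summary line exists
# (ping failed before sending), which is the case that makes a bare
# `[ "$vpn" -eq 0 ]` on an empty string blow up.
received_count() {
    n=$(sed -n 's/.*, *\([0-9][0-9]*\) \(packets \)\{0,1\}received.*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# decide vpn mon wan: classify one probe round. Only "restart" justifies
# bouncing iked; the other states point at the WAN link or the remote
# gateway, where restarting the local IKE daemon cannot help.
decide() {
    vpn=$1 mon=$2 wan=$3
    if [ "$vpn" -gt 0 ]; then
        echo ok
    elif [ "$wan" -eq 0 ]; then
        echo wan-down
    elif [ "$mon" -eq 0 ]; then
        echo peer-unreachable
    else
        echo restart
    fi
}

# probe dst [src]: three pings with a 1 s wait, optionally sourced from
# src (ping -I), printing the number of replies. Network access only here.
probe() {
    if [ -n "${2:-}" ]; then
        ping -c 3 -w 1 -I "$2" "$1" 2>/dev/null | received_count
    else
        ping -c 3 -w 1 "$1" 2>/dev/null | received_count
    fi
}

run_monitor() {
    while true; do
        vpn=$(probe "$VPN_DST" "$VPN_SRC")
        if [ "$vpn" -eq 0 ]; then
            mon=$(probe "$PEER_WAN")
            wan=$(probe "$REF_IP")
            state=$(decide "$vpn" "$mon" "$wan")
            # keep a local record of every outage, not only the restarts
            logger -t iked_monitor "vpn=$vpn mon=$mon wan=$wan state=$state"
            if [ "$state" = restart ]; then
                echo "vpn: $vpn, mon: $mon, wan: $wan" |
                    mail -s "no ping through VPN, restarting iked" "$MAILTO"
                rcctl restart iked
            fi
        fi
        sleep 32
    done
}

# Start the loop only when invoked as `sh iked_monitor.sh run`, so the
# functions can be sourced and exercised without touching the network.
if [ "${1:-}" = run ]; then
    run_monitor
fi
```

The states other than restart are worth logging separately: a stall that coincides with the peer's WAN address going silent points at the link between the two modems, while one where only the tunnel is dead (the restart case) is the one that says something about IKE or the SA lifetime.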
