Hi Paul
The xfrm stat has a non-zero entry for "XfrmInTmplMismatch", which shows 94. A further check on Google brought me to this page https://bugzilla.redhat.com/show_bug.cgi?id=1932202 and I seem to have exactly the same problem; however, I am not knowledgeable enough to understand the solution applied on that page. Attaching the outputs from the commands mentioned in the bugzilla page FYI, please.

/proc/net/xfrm_stat output
XfrmInError                 0
XfrmInBufferError           0
XfrmInHdrError              0
XfrmInNoStates              0
XfrmInStateProtoError       0
XfrmInStateModeError        0
XfrmInStateSeqError         0
XfrmInStateExpired          0
XfrmInStateMismatch         0
XfrmInStateInvalid          0
XfrmInTmplMismatch          94
XfrmInNoPols                0
XfrmInPolBlock              0
XfrmInPolError              0
XfrmOutError                0
XfrmOutBundleGenError       0
XfrmOutBundleCheckError     0
XfrmOutNoStates             0
XfrmOutStateProtoError      0
XfrmOutStateModeError       0
XfrmOutStateSeqError        0
XfrmOutStateExpired         0
XfrmOutPolBlock             0
XfrmOutPolDead              0
XfrmOutPolError             0
XfrmFwdHdrError             0
XfrmOutStateInvalid         0
XfrmAcquireError            0

$ sudo ip xfrm state

src A.B.C.D dst 10.10.128.100
    proto esp spi 0x8ba71c42 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
auth-trunc hmac(sha512) 0x1cfc53f76819609e059d010ca8ef92815361c34b3bff42d9e23baeaed8d85dedc2b5f7dcf9e6b9d8b754d5559e061c9bca48000d9cf3c6d979022278006cf6a3 256 enc cbc(aes) 0xa6c31fc12ebdf2d8bd2aa9e91d565536c27e00979b3595dbbd3b41b40c377711
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x8, oseq 0x0, bitmap 0x000000ff
src 10.10.128.100 dst A.B.C.D
    proto esp spi 0x95a7b625 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
auth-trunc hmac(sha512) 0xb6d642fbc4a0ae8356fab535a5a6fe3988a183398c1ba26a27051ca2f849e29266177e2a8263c0b51030c33344444c50fbf66307e397de342f0a7500f040de67 256 enc cbc(aes) 0x0698d495571406fc9c11522f645b25d29b33f8492c2ae851a35950eeb5e9ef14
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x8, bitmap 0x00000000

$ sudo ip xfrm policy
src 10.10.128.0/24 dst 192.168.1.0/24
    dir out priority 2084814 ptype main
    tmpl src 10.10.128.100 dst A.B.C.D
        proto esp reqid 16389 mode tunnel
src 192.168.1.0/24 dst 10.10.128.0/24
    dir fwd priority 2084814 ptype main
    tmpl src A.B.C.D dst 10.10.128.100
        proto esp reqid 16389 mode tunnel
src 192.168.1.0/24 dst 10.10.128.0/24
    dir in priority 2084814 ptype main
    tmpl src A.B.C.D dst 10.10.128.100
        proto esp reqid 16389 mode tunnel
src ::/0 dst ::/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
    dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
    dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
    dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
    dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
    dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
    dir in priority 1 ptype main

On 2023-02-03 22:14, Paul Wouters wrote:

> On Fri, 3 Feb 2023, [email protected] wrote:
>
>> Double checked this, rp_filter is disabled on all interfaces and ipv4 forwarding is enabled. I use "nftables" on both ends and have double checked the rules to ensure packets from both these sites have bi-directional traffic enabled. In fact, to rule out nftables, I flushed all rules at both ends briefly for a minute and tried to reach each other, but there's no change in status.
>
> Then you need to do network captures to see if the packets are in fact
> making it to the machine or not. If they are, double check
> /proc/net/xfrm_stat for non-zero entries indicating problems.
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
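As an added example (not part of this thread and not libreswan's own tooling), a small Python script that does the two checks the reply above points at: it lists the non-zero counters in /proc/net/xfrm_stat, and it cross-checks every policy template against the installed SAs, because the kernel increments XfrmInTmplMismatch when a decrypted packet arrived on an SA that does not satisfy the templates of the policy it matched (same proto, mode, reqid unless the template's reqid is 0, and the same endpoints for tunnel mode). The sample text is constructed from the outputs quoted in the mail, with A.B.C.D kept as the sender's placeholder address; the XFRM_POLICY_BAD_REQID variant is a constructed mismatch so the check has something to report. On a real host, feed it the contents of /proc/net/xfrm_stat and the output of `ip xfrm state` and `ip xfrm policy` instead.

```python
"""Cross-check Linux xfrm policy templates against installed SAs (added example)."""
import re

# Constructed samples, trimmed from the outputs quoted in the mail (A.B.C.D is a placeholder).
XFRM_STAT = """\
XfrmInError                 0
XfrmInNoStates              0
XfrmInTmplMismatch          94
XfrmInNoPols                0
"""

XFRM_STATE = """\
src A.B.C.D dst 10.10.128.100
    proto esp spi 0x8ba71c42 reqid 16389 mode tunnel
src 10.10.128.100 dst A.B.C.D
    proto esp spi 0x95a7b625 reqid 16389 mode tunnel
"""

XFRM_POLICY = """\
src 10.10.128.0/24 dst 192.168.1.0/24
    dir out priority 2084814 ptype main
    tmpl src 10.10.128.100 dst A.B.C.D
        proto esp reqid 16389 mode tunnel
src 192.168.1.0/24 dst 10.10.128.0/24
    dir in priority 2084814 ptype main
    tmpl src A.B.C.D dst 10.10.128.100
        proto esp reqid 16389 mode tunnel
"""

# Constructed variant: the "out" policy's template names a reqid that no SA carries.
XFRM_POLICY_BAD_REQID = XFRM_POLICY.replace("reqid 16389", "reqid 16390", 1)

HDR = re.compile(r"^src (\S+) dst (\S+)")
STATE_LINE = re.compile(r"^proto (\S+) spi \S+ reqid (\d+) mode (\S+)")
TMPL_LINE = re.compile(r"^tmpl src (\S+) dst (\S+)")
TMPL_PROTO = re.compile(r"^proto (\S+) reqid (\d+) mode (\S+)")


def nonzero_counters(stat_text):
    """Return {counter: value} for every non-zero line of /proc/net/xfrm_stat."""
    found = {}
    for line in stat_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit() and int(parts[1]):
            found[parts[0]] = int(parts[1])
    return found


def parse_states(state_text):
    """Return a set of (src, dst, proto, reqid, mode) tuples from `ip xfrm state`."""
    states, endpoints = set(), None
    for raw in state_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" ") and HDR.match(line):   # unindented line = SA endpoints
            endpoints = HDR.match(line).groups()
            continue
        m = STATE_LINE.match(line)
        if m and endpoints:
            states.add(endpoints + (m.group(1), int(m.group(2)), m.group(3)))
    return states


def parse_policies(policy_text):
    """Return a list of {src, dst, dir, tmpls} dicts from `ip xfrm policy`."""
    policies, tmpl_ep = [], None
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                        # unindented line = policy selector
            if HDR.match(line):
                src, dst = HDR.match(line).groups()
                policies.append({"src": src, "dst": dst, "dir": None, "tmpls": []})
            continue
        if not policies:
            continue
        cur = policies[-1]
        if line.startswith("dir "):
            cur["dir"] = line.split()[1]
        elif line.startswith("socket "):
            cur["dir"] = "socket"
        elif TMPL_LINE.match(line):
            tmpl_ep = TMPL_LINE.match(line).groups()
        elif TMPL_PROTO.match(line) and tmpl_ep:
            m = TMPL_PROTO.match(line)
            cur["tmpls"].append(tmpl_ep + (m.group(1), int(m.group(2)), m.group(3)))
            tmpl_ep = None
    return policies


def template_matches(tmpl, sa):
    """Same proto/mode; reqid 0 in a template is a wildcard; tunnel mode also needs the endpoints."""
    t_src, t_dst, t_proto, t_reqid, t_mode = tmpl
    s_src, s_dst, s_proto, s_reqid, s_mode = sa
    if (t_proto, t_mode) != (s_proto, s_mode):
        return False
    if t_reqid and t_reqid != s_reqid:
        return False
    return t_mode != "tunnel" or (t_src, t_dst) == (s_src, s_dst)


def unmatched_templates(states, policies):
    """Templates that no installed SA satisfies, as (policy src, policy dst, dir, template)."""
    return [(p["src"], p["dst"], p["dir"], t)
            for p in policies for t in p["tmpls"]
            if not any(template_matches(t, sa) for sa in states)]


if __name__ == "__main__":
    print("non-zero counters:", nonzero_counters(XFRM_STAT))
    sa = parse_states(XFRM_STATE)
    print("unmatched (as quoted):", unmatched_templates(sa, parse_policies(XFRM_POLICY)))
    print("unmatched (bad reqid):", unmatched_templates(sa, parse_policies(XFRM_POLICY_BAD_REQID)))
```

For the state and policy set quoted in the mail, every template is satisfied by an installed SA, so the script reports nothing; the constructed bad-reqid variant is flagged on the "out" policy. A clean result here only rules out a static template/SA mismatch: the script cannot tell which policy a given packet actually hit, so if the counter keeps climbing, the packet capture suggested in the reply is still the way to see what traffic is being dropped.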
