Openswan and SSL not sending ACK for one tunnel.
I have two tunnels set up and both have SAs established.

The issue I am having is that the TCP connection on the server side is dropping the packets and not sending the ACK for tunnel A, but the same connection for tunnel B works perfectly, as you can see in the tcpdump. Configuration is identical and I cannot figure out why it works in one place but not the other. What would I need to check to solve this issue? Could this be an MTU problem, and if so, how? Why would the server not send an ACK? Could it be due to the /31 subnet the other side is using? Any help, ideas or guesses are welcome; I have run out of ideas.

18:21:15.156533 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0xe), length 100
18:21:15.156619 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360945 ecr 0], length 0
18:21:16.171512 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0xf), length 100
18:21:16.171590 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360948 ecr 0], length 0
18:21:23.701551 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0x10), length 100
18:21:23.701634 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360963 ecr 0], length 0
18:28:03.391500 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0x19), length 84
18:28:03.391569 IP x.x.27.21.17427 > ne.https: Flags [R], seq 0, win 0, length 0

config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0

conn a
    type=tunnel
    authby=secret
    left=x.x.8.81
    leftsubnet=x.x.8.81/32
    leftsourceip=x.x.8.81
    right=x.x.27.2
    rightid=x.x.x.x
    rightsubnets={x.x.x.21/32,x.x.x.20/31}
    esp=aes-256-sha1
    ike="aes256-sha1-modp1024"
    keyexchange=ike
    pfs=no
    auto=start
    aggrmode=no
    ikelifetime=86400s
    lifetime=3600s

conn b
    type=tunnel
    authby=secret
    left=x.x.8.81
    leftsubnet=x.x.8.81/32
    leftsourceip=x.x.8.81
    right=x.x.x.x
    rightid=x.x.x.x
    rightsubnets={x.x.x.x/32,x.x.x.x/32,x.x.x.40/32}
    esp=aes256-sha1
    ike="aes256-sha1-modp1024"
    keyexchange=ike
    pfs=no
    auto=start
    aggrmode=no
    ikelifetime=86400s
    lifetime=3600s
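As an added example (not from the post above), a small Python script that parses tcpdump text like the dump in the question: it reports TCP flows whose SYN was retransmitted without the server ever sending anything back, and it models the ESP tunnel-mode packet size for AES-CBC with HMAC-SHA1 so the "length 100" and "length 84" ESP packets can be reconciled with the inner SYN and RST and a full-MSS segment checked against the path MTU. The sample lines are constructed from the post, and a 1500-byte outer MTU is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump lines quoted in the post (x.x.* placeholders kept).
SAMPLE = """\
18:21:15.156533 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0xe), length 100
18:21:15.156619 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360945 ecr 0], length 0
18:21:16.171512 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0xf), length 100
18:21:16.171590 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360948 ecr 0], length 0
18:21:23.701551 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0x10), length 100
18:21:23.701634 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360963 ecr 0], length 0
18:28:03.391500 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0x19), length 84
18:28:03.391569 IP x.x.27.21.17427 > ne.https: Flags [R], seq 0, win 0, length 0
"""

TCP_RE = re.compile(r"^(\S+) IP (\S+) > ([^:]+): Flags \[([^\]]+)\]")

def parse_tcp(lines):
    """Return (src, dst, flags, mss) for each decrypted TCP line; ESP lines are skipped."""
    pkts = []
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            mss = re.search(r"mss (\d+)", line)
            pkts.append((m[2], m[3], m[4], int(mss[1]) if mss else None))
    return pkts

def unanswered_syns(lines):
    """Flows whose SYNs never got any packet back from the server: {(client, server): (count, mss)}."""
    syns, replied = defaultdict(lambda: [0, None]), set()
    for src, dst, flags, mss in parse_tcp(lines):
        if flags == "S":
            syns[(src, dst)][0] += 1
            syns[(src, dst)][1] = mss
        else:
            replied.add((dst, src))          # anything from server toward client counts
    return {k: tuple(v) for k, v in syns.items() if k not in replied}

def esp_len(inner_len, block=16, iv=16, icv=12):
    """ESP length as tcpdump prints it (after the outer IP header) for AES-CBC/HMAC-SHA1
    tunnel mode: 8-byte header + IV + inner packet padded to the block size (with the
    2-byte pad-length/next-header trailer) + 12-byte truncated ICV."""
    padded = -(-(inner_len + 2) // block) * block
    return 8 + iv + padded + icv

def outer_size(mss, nat_t=False):
    """Outer packet size for a full-MSS TCP segment (20-byte IP + 20-byte TCP inside)."""
    return 20 + (8 if nat_t else 0) + esp_len(mss + 40)   # +8 for UDP when NAT-T is used
```

Running `unanswered_syns(SAMPLE.splitlines())` on the constructed dump yields one flow with three SYNs and MSS 1380, and `esp_len(60)` / `esp_len(40)` reproduce the 100- and 84-byte ESP lengths of the SYN and RST.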