LinuxQuestions.org

Linux - Networking: Openswan and SSL not sending ACK for one tunnel. (https://www.linuxquestions.org/questions/linux-networking-3/openswan-and-ssl-not-sending-awk-for-one-tunnel-4175411462/)

Nemus 06-14-2012 11:54 AM

Openswan and SSL not sending ACK for one tunnel.
 
I have two tunnels setup and both have SA established.

The issue I am having is that the TCP connection on the server side is dropping the packets and not sending the ACK for tunnel A, but the same connection for tunnel B works perfectly.

As you can see in the tcpdump.

Configuration is identical and I cannot figure out why it works in one place but not the other.

What would I need to check to solve this issue?

Could this be an MTU problem? If so, how?

Why would the server not send an ACK?

Could it be due to the /31 subnet the other side is using?

Any help, ideas or guesses are welcome; I have run out of ideas.


18:21:15.156533 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0xe), length 100
18:21:15.156619 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360945 ecr 0], length 0
18:21:16.171512 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0xf), length 100
18:21:16.171590 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360948 ecr 0], length 0
18:21:23.701551 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0x10), length 100
18:21:23.701634 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360963 ecr 0], length 0
18:28:03.391500 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0x19), length 84
18:28:03.391569 IP x.x.27.21.17427 > ne.https: Flags [R], seq 0, win 0, length 0


config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0


conn a
    type=tunnel
    authby=secret
    left=x.x.8.81
    leftsubnet=x.x.8.81/32
    leftsourceip=x.x.8.81
    right=x.x.27.2
    rightid=x.x.x.x
    # two remote selectors that overlap: a /31 spans .20 and .21
    rightsubnets={x.x.x.21/32,x.x.x.20/31}
    # conn b spells the same transform as aes256-sha1
    esp=aes-256-sha1
    ike="aes256-sha1-modp1024"
    keyexchange=ike
    pfs=no
    auto=start
    aggrmode=no
    ikelifetime=86400s
    lifetime=3600s

conn b
    type=tunnel
    authby=secret
    left=x.x.8.81
    leftsubnet=x.x.8.81/32
    leftsourceip=x.x.8.81
    right=x.x.x.x
    rightid=x.x.x.x
    rightsubnets={x.x.x.x/32,x.x.x.x/32,x.x.x.40/32}
    esp=aes256-sha1
    ike="aes256-sha1-modp1024"
    keyexchange=ike
    pfs=no
    auto=start
    aggrmode=no
    ikelifetime=86400s
    lifetime=3600s
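Two checks that answer the "why no ACK" and "could it be MTU" questions from the post, as an added example that is not part of the original thread or of Openswan. The first function reads tcpdump text and reports, per client flow, how many SYNs arrived through the tunnel, how many were retransmissions of the same sequence number, and whether a SYN-ACK ever went back; the second computes how much cleartext fits in one ESP tunnel-mode datagram for an aes256-sha1 SA so the advertised MSS can be compared with the path MTU. The sample capture is the tunnel-A lines quoted above plus a constructed, healthy handshake from a hypothetical tunnel-B peer 10.9.9.40; the overhead figures assume AES-CBC with a 16-byte IV and HMAC-SHA1-96, and ignore IPv4 options.

```python
"""Added example (not from the original post): two checks for the symptom
described above, run offline over constructed tcpdump text.

1. analyse(): find client SYNs seen on the IPsec host that never get a
   SYN-ACK back, and count identical-seq retransmissions.
2. esp_tunnel_budget(): how much cleartext fits in one ESP tunnel-mode
   datagram, so the advertised MSS can be compared against the path MTU.
"""
import re
from collections import defaultdict

# Constructed sample: the decrypted tunnel-A SYNs quoted in the post, plus a
# made-up healthy handshake from a hypothetical tunnel-B peer, 10.9.9.40.
SAMPLE_TCPDUMP = """\
18:21:15.156533 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0xe), length 100
18:21:15.156619 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360945 ecr 0], length 0
18:21:16.171512 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0xf), length 100
18:21:16.171590 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360948 ecr 0], length 0
18:21:23.701551 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0x10), length 100
18:21:23.701634 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360963 ecr 0], length 0
18:22:01.000100 IP 10.9.9.40.40000 > ne.https: Flags [S], seq 1000, win 65535, options [mss 1380,nop,wscale 7], length 0
18:22:01.000200 IP ne.https > 10.9.9.40.40000: Flags [S.], seq 5000, ack 1001, win 29200, options [mss 1380], length 0
18:22:01.000900 IP 10.9.9.40.40000 > ne.https: Flags [.], ack 5001, win 512, length 0
"""

# One tcpdump line carrying TCP flags. ESP lines have no "Flags [...]" and are
# skipped, which is what we want: only decrypted inner packets are inspected.
TCP_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]+)\](?:, seq (?P<seq>\d+))?"
)
MSS_RE = re.compile(r"\bmss (\d+)")


def analyse(text):
    """Summarise every client->server flow that sent a SYN.

    Returns {(src, sport, dst, dport): {"syn_count", "retransmits",
    "answered", "mss"}}. retransmits counts SYNs that repeat an already
    seen sequence number; answered is True once a SYN-ACK for that flow is
    seen in the reverse direction.
    """
    syns = defaultdict(list)   # flow -> sequence numbers of its SYNs
    mss = {}                   # flow -> MSS advertised in the SYN
    answered = set()           # flows (client view) that received a SYN-ACK
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        if m["flags"] == "S":
            syns[flow].append(int(m["seq"]))
            opt = MSS_RE.search(line)
            if opt:
                mss[flow] = int(opt.group(1))
        elif m["flags"] == "S.":
            # SYN-ACK travels server->client; record it under the client's key
            answered.add((m["dst"], m["dport"], m["src"], m["sport"]))
    return {
        flow: {
            "syn_count": len(seqs),
            "retransmits": len(seqs) - len(set(seqs)),
            "answered": flow in answered,
            "mss": mss.get(flow),
        }
        for flow, seqs in syns.items()
    }


def esp_tunnel_budget(path_mtu=1500, iv=16, block=16, icv=12, natt_udp=0):
    """Largest inner IP packet (and matching TCP MSS) that fits in one
    ESP tunnel-mode datagram of path_mtu bytes without fragmentation.

    Defaults model esp=aes256-sha1: AES-CBC (16-byte IV, 16-byte block) with
    HMAC-SHA1-96 (12-byte ICV). Pass natt_udp=8 when the SA is UDP-encapsulated
    for NAT traversal. IPv4 options are ignored.
    """
    fixed = 20 + natt_udp + 8 + iv + icv       # outer IPv4, [UDP], SPI+seq, IV, ICV
    room = path_mtu - fixed                    # left for payload + pad + 2-byte trailer
    inner_mtu = (room // block) * block - 2    # trailer (pad len, next header) is encrypted too
    return {"inner_mtu": inner_mtu, "tcp_mss": inner_mtu - 40}


if __name__ == "__main__":
    for flow, info in analyse(SAMPLE_TCPDUMP).items():
        state = "ok" if info["answered"] else "NO SYN-ACK"
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  syn={info['syn_count']} "
              f"retx={info['retransmits']} mss={info['mss']}  {state}")
    print("aes256-sha1 tunnel over 1500 MTU:", esp_tunnel_budget())
    print("same, UDP-encapsulated (NAT-T):  ", esp_tunnel_budget(natt_udp=8))
```

Reading the result: the tunnel-A flow shows three SYNs with one sequence number and no SYN-ACK, which is the client retransmitting because nothing came back. A SYN with no payload is a 60-byte packet, far below any MTU, so losing it is not a fragmentation symptom; the MSS budget only matters once data flows, and for a 1500-byte path a 1380 MSS fits even with NAT-T encapsulation. For a missing SYN-ACK on a netkey host, the return path is the thing to inspect: check that `ip xfrm policy` has an out-direction entry whose selector matches the reply to the client address, and capture on the outside interface to see whether the SYN-ACK leaves in the clear (no matching policy) or not at all (dropped or never generated).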

