Openswan and SSL not sending ACK for one tunnel.
I have two tunnels setup and both have SA established.
The issue I am having is that the TCP connection on the server side is dropping the packets and not sending the ACK for tunnel A, but the same connection for tunnel B works perfectly.
As you can see in the tcpdump.
Configuration is identical and I cannot figure out why it works in one place but not the other.
What would I need to check to solve this issue?
Could this be an MTU problem? If so, how?
Why would the server not send an ACK?
Could it be due to the /31 subnet the other side is using?
Any help, ideas or guesses are welcome; I have run out of ideas.
18:21:15.156533 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0xe), length 100
18:21:15.156619 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360945 ecr 0], length 0
18:21:16.171512 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0xf), length 100
18:21:16.171590 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360948 ecr 0], length 0
18:21:23.701551 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0x10), length 100
18:21:23.701634 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360963 ecr 0], length 0
18:28:03.391500 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0x19), length 84
18:28:03.391569 IP x.x.27.21.17427 > ne.https: Flags [R], seq 0, win 0, length 0
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    nhelpers=0

conn a
    type=tunnel
    authby=secret
    left=x.x.8.81
    leftsubnet=x.x.8.81/32
    leftsourceip=x.x.8.81
    right=x.x.27.2
    rightid=x.x.x.x
    rightsubnets={x.x.x.21/32,x.x.x.20/31}
    esp=aes-256-sha1
    ike="aes256-sha1-modp1024"
    keyexchange=ike
    pfs=no
    auto=start
    aggrmode=no
    ikelifetime=86400s
    lifetime=3600s

conn b
    type=tunnel
    authby=secret
    left=x.x.8.81
    leftsubnet=x.x.8.81/32
    leftsourceip=x.x.8.81
    right=x.x.x.x
    rightid=x.x.x.x
    rightsubnets={x.x.x.x/32,x.x.x.x/32,x.x.x.40/32}
    esp=aes256-sha1
    ike="aes256-sha1-modp1024"
    keyexchange=ike
    pfs=no
    auto=start
    aggrmode=no
    ikelifetime=86400s
    lifetime=3600s
Last edited by Nemus; 06-14-2012 at 12:35 PM.
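An added example, not part of the post above: a small Python script that does the three checks a troubleshooter would run against a capture like the one posted. It parses tcpdump lines of the two shapes shown (ESP and TCP), flags TCP flows that sent several SYNs and never saw a packet in the reverse direction, lists jumps in the ESP sequence counter per SPI, and computes the outer size of a tunnel-mode ESP packet for a given inner packet size so the MTU question can be answered with numbers. The sample capture is constructed from the lines in the post (addresses kept as anonymised there). The size calculation assumes AES-CBC with a 16-byte IV and HMAC-SHA1-96, i.e. the esp=aes256-sha1 proposal in the config, with 20-byte outer IPv4 headers; those parameters are assumptions, not something the post states.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump lines quoted in the post (anonymised as posted).
SAMPLE_CAPTURE = """\
18:21:15.156533 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0xe), length 100
18:21:15.156619 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360945 ecr 0], length 0
18:21:16.171512 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0xf), length 100
18:21:16.171590 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360948 ecr 0], length 0
18:21:23.701551 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0x10), length 100
18:21:23.701634 IP x.x.31.21.13973 > ne.https: Flags [S], seq 589056160, win 61440, options [mss 1380,nop,wscale 0,nop,nop,TS val 9360963 ecr 0], length 0
18:28:03.391500 IP x.x.27.18 > ne: ESP(spi=0x329696e7,seq=0x19), length 84
18:28:03.391569 IP x.x.27.21.17427 > ne.https: Flags [R], seq 0, win 0, length 0
"""

# tcpdump prints "host.port > host.port: Flags [..], seq N, ... [mss M ...]" for TCP
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)(?:.*?\[mss (?P<mss>\d+))?"
)
# ...and "host > host: ESP(spi=0x..,seq=0x..), length N" for the encrypted tunnel traffic
ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\), length (?P<len>\d+)"
)


def parse_capture(text):
    """Split a tcpdump text dump into lists of TCP and ESP records (dicts of regex groups)."""
    tcp, esp = [], []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            tcp.append(m.groupdict())
            continue
        m = ESP_RE.match(line)
        if m:
            esp.append(m.groupdict())
    return tcp, esp


def find_unanswered_syns(tcp_packets):
    """Return {flow: syn_count} for flows that sent >= 2 pure SYNs and never got any packet back."""
    syns = defaultdict(int)
    seen_directions = set()
    for p in tcp_packets:
        forward = (p["src"], p["sport"], p["dst"], p["dport"])
        seen_directions.add(forward)
        if p["flags"] == "S":          # SYN without ACK: a connection attempt or its retransmit
            syns[forward] += 1
    unanswered = {}
    for flow, count in syns.items():
        reverse = (flow[2], flow[3], flow[0], flow[1])
        if count >= 2 and reverse not in seen_directions:
            unanswered[flow] = count
    return unanswered


def esp_seq_gaps(esp_packets):
    """Per SPI, list (previous_seq, seq) pairs where the ESP sequence number jumped by more than one."""
    last_seq = {}
    gaps = defaultdict(list)
    for p in esp_packets:
        spi, seq = p["spi"], int(p["seq"], 16)
        if spi in last_seq and seq - last_seq[spi] > 1:
            gaps[spi].append((last_seq[spi], seq))
        last_seq[spi] = seq
    return dict(gaps)


def esp_packet_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Outer IPv4 size of a tunnel-mode ESP packet carrying an inner packet of inner_len bytes.

    Assumed layout: 20-byte outer IP header, 8-byte ESP header (SPI + sequence), IV,
    inner packet padded (with the 2 trailer bytes pad-length/next-header) to the cipher
    block size, then the ICV. nat_t=True adds the 8-byte UDP encapsulation header.
    """
    to_pad = inner_len + 2
    padded = -(-to_pad // block) * block      # round up to a whole number of cipher blocks
    size = 20 + 8 + iv_len + padded + icv_len
    return size + 8 if nat_t else size


if __name__ == "__main__":
    tcp, esp = parse_capture(SAMPLE_CAPTURE)
    for flow, n in find_unanswered_syns(tcp).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {n} SYNs, nothing seen in reply")
    for spi, gaps in esp_seq_gaps(esp).items():
        print(f"ESP {spi}: sequence jumps {gaps}")
    mss = int(tcp[0]["mss"])
    print(f"mss {mss}: inner packet {mss + 40} bytes -> outer ESP {esp_packet_size(mss + 40)} bytes")
```

On the posted capture this reports three SYNs from x.x.31.21:13973 with no packet in the reverse direction, one jump in the ESP counter (0x10 to 0x19, seven minutes apart), and an outer size of 1480 bytes for a full-MSS segment (1488 with NAT-T UDP encapsulation), which fits a 1500-byte path. A bare SYN is only a few dozen bytes, so a missing SYN-ACK to it is not explained by fragmentation; the size figure matters for the data segments once a handshake succeeds, which is where an MTU problem would show up as stalls rather than as unanswered SYNs.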