<div dir="ltr">Hi all!<div><br></div><div><div>We have ipsec (ikev1) + ipip configured on Ubuntu 16, kernel 4.15.0-45-generic, strongswan. Our peer has a strange strict security policy making rekey every two minutes (crazy but they don't want to change that). Sometimes after rekey our machine does not route packets coming from the peer for the time=lifetime of the SA (2 minutes in this case).</div><div>Also need to mention that we have SNAT configured to ipip interface.</div><div><br></div><div>Tcpdump analysis results:</div><div>1) on ipip interface: I can see replies from the remote side with tcpdump, so I guess the traffic is decrypted successfully.</div><div>2) on physical interface: I have checked initiator and responder SPIs and compared them with those in strongswan logs and those in ip -s xfrm state. ip -s xfrm state showed just 2 SPIs for that source and destination, so I'm sure there was no mistake. Everything matched.</div><div><br></div><div>I turned on iptables logging in every chain and table (except raw), and I see these incoming packets in the mangle prerouting chain, but nothing in forward (during the issue). AFAIK the next step is routing decision (I checked this pic <a href="http://inai.de/images/nf-packet-flow.png">http://inai.de/images/nf-packet-flow.png</a>), that's why I tried "ip route flush cache" command, and it helped (I was surprised).</div><div><br></div><div>So, it seems like the packets are dropped for some reason, they are not routed. At the same time everything works fine from the server itself (when there is no routing via it). 
After the next rekey everything works fine.</div><div>I have tried to tune /proc/sys/net/ipv4/route/* parameters, reducing timeouts and so on; however, the problem still exists.</div><div>I have compared ip ro get, ip rule commands output and output of lnstat and lnstat -f rt_cache, and /proc/net/fib_trie and /proc/net/fib_triestat at working and non-working times; there is nothing that could give me a clue what's going on. I also need to mention that this traffic loss during a specific SA seems to be totally random, but it always starts with some particular rekey and ends with the next rekey.</div></div><div><br></div><div>Does anybody have any idea about that?</div><div><br></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><p dir="ltr">BR, Kseniya</p>
</div>