[strongSwan-dev] Intermittent issue sending the outgoing packets over the tunnel

sankrp at yahoo.com sankrp at yahoo.com
Thu Nov 8 14:06:10 CET 2018


Hi all,
I am using Strongswan 5.3.5 on Linux 4.4.0. I have set up a site-to-site tunnel with a Cisco ISR. The tunnel comes up fine, but sometimes Linux is not sending the outgoing packets over the tunnel. The issue is intermittent and reproducible only on a few machines.
I have enabled iptables tracing and see that the packet is dropped after hitting the PREROUTING mangle table.
2018-11-08T09:14:00.916017+00:00 ipsecgw02 kernel: [74044.919903] TRACE: raw:PREROUTING:policy:2 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305)
2018-11-08T09:14:00.916027+00:00 ipsecgw02 kernel: [74044.919917] TRACE: mangle:PREROUTING:rule:2 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305)
2018-11-08T09:14:00.916028+00:00 ipsecgw02 kernel: [74044.919930] TRACE: mangle:PREROUTING:policy:3 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305) MARK=0x3

sankar at ipsecgw02:~$ sudo ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
        dir fwd priority 3075
        mark 0x3/0xffffffff
        tmpl src 182.156.75.158 dst 192.168.102.80
                proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 3075
        mark 0x3/0xffffffff
        tmpl src 182.156.75.158 dst 192.168.102.80
                proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 3075
        mark 0x3/0xffffffff
        tmpl src 192.168.102.80 dst 182.156.75.158
                proto esp reqid 3 mode tunnel

sankar at ipsecgw02:~$ sudo ip xfrm state
src 192.168.102.80 dst 182.156.75.158
        proto esp spi 0x46394a21 reqid 3 mode tunnel
        replay-window 32 flag af-unspec
        mark 0x3/0xffffffff
        aead rfc4106(gcm(aes)) 0x83ff21ce5910815a0dd8d0cbdd79af34911d28540c79cad6347e1de27e9e48a0276f1769 128
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x21d, bitmap 0x00000000
src 182.156.75.158 dst 192.168.102.80
        proto esp spi 0xc1f23c40 reqid 3 mode tunnel
        replay-window 32 flag af-unspec
        mark 0x3/0xffffffff
        aead rfc4106(gcm(aes)) 0x62800cd6c8489b8478c0977f88bf64f5a8990894732a6cab92ec3da362deb998db9533ac 128
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x21d, oseq 0x0, bitmap 0xffffffff
Any help on how to troubleshoot the issue is highly appreciated.
Thanks,
Sankar
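A small helper for reading TRACE output like the above, added here as an example and not part of the original post or of strongSwan: it groups the TRACE records by packet and reports the last hop each packet was logged at, whether it ever reached the filter table, and the first hop at which its fwmark was visible. The embedded sample is the three records quoted in the post; the field names are the standard iptables TRACE ones.

```python
import re
from collections import OrderedDict

# Constructed sample: the three TRACE records quoted in the post, one record per line.
SAMPLE_LOG = """\
2018-11-08T09:14:00.916017+00:00 ipsecgw02 kernel: [74044.919903] TRACE: raw:PREROUTING:policy:2 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305)
2018-11-08T09:14:00.916027+00:00 ipsecgw02 kernel: [74044.919917] TRACE: mangle:PREROUTING:rule:2 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305)
2018-11-08T09:14:00.916028+00:00 ipsecgw02 kernel: [74044.919930] TRACE: mangle:PREROUTING:policy:3 IN=tunc1 OUT= MAC= SRC=136.147.41.172 DST=192.168.119.19 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=443 DPT=57250 SEQ=1620161194 ACK=1126866778 WINDOW=29200 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030305) MARK=0x3
"""

# A TRACE record is "table:chain:kind:number" followed by key=value fields.
TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>policy|rule|return):(?P<num>\d+) (?P<rest>.*)")

def parse_trace_line(line):
    """Parse one TRACE line into a hop label plus its fields; None for non-TRACE lines."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        if "=" in tok:  # bare flag words (DF, ACK, SYN) carry no '='
            key, value = tok.split("=", 1)
            fields[key] = value
    return {"hop": "%s:%s:%s:%s" % m.group("table", "chain", "kind", "num"),
            "table": m.group("table"), "fields": fields}

def packet_key(rec):
    """Records of one packet share the 5-tuple and the IP ID."""
    f = rec["fields"]
    return tuple(f.get(k, "") for k in ("SRC", "DST", "PROTO", "SPT", "DPT", "ID"))

def trace_paths(lines):
    """Map each traced packet to the ordered list of hops it was logged at."""
    paths = OrderedDict()
    for line in lines:
        rec = parse_trace_line(line)
        if rec is not None:
            paths.setdefault(packet_key(rec), []).append(rec)
    return paths

def summarize(path):
    """Last hop, whether the filter table was ever reached, and the first hop where a MARK
    is visible (set by the hop before it: TRACE logs a packet before the rule's target runs)."""
    hops = [r["hop"] for r in path]
    marked = [r["hop"] for r in path if "MARK" in r["fields"]]
    last = path[-1]["fields"]
    return {"hops": hops, "last_seen": hops[-1], "in": last.get("IN"), "out": last.get("OUT"),
            "mark": last.get("MARK"), "mark_first_seen": marked[0] if marked else None,
            "reached_filter": any(r["table"] == "filter" for r in path)}
```

A packet whose path stops in mangle PREROUTING with no later INPUT or FORWARD record was discarded around the routing decision rather than by a later iptables rule, which points at checks such as rp_filter or the xfrm policy lookup for that mark rather than at the filter table.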

