[strongSwan] Packet loss in ipsec tunnel

wax g. waxitau at gmail.com
Mon Oct 12 14:41:51 CEST 2020 

Hi,
I have a route based ipsec tunnel that's working fine except that I'm
observing some packet loss over the tunnel (but no packet loss on the
underlying physical interface).

** RX Errors can be seen on the vti interface **:

root at spoke:~# ip -s -s -s l sh ipsec1
244: ipsec1 at NONE: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 qdisc
noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/ipip 169.254.255.1 peer 169.254.255.2
    RX: bytes  packets  errors  dropped overrun mcast
    45605608340 42900723 54170   54170   0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    7614392646 33201401 0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       0

** But no errors on the underlying physical interface (ruling out frame crc
errors i guess) **:

root at spoke:~# ip -s  l sh eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode
DEFAULT group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    387884665702 347613392 0       0       0       84505
    TX: bytes  packets  errors  dropped carrier collsns
    102682750607 284163570 0       0       0       0

** Also the replay window stats > 0 in xfrm state ** :

root at spoke:~# ip -s xfrm state
src 169.254.255.1  dst 169.254.255.2
proto esp spi 0x67d21812(1741821970) reqid 98(0x00000062) mode tunnel
replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
mark 0x1/0xffffffff
auth-trunc hmac(sha1) 0xf2969aaxxxx (160 bits) 96
enc cbc(aes) 0x180c774xxxxx (128 bits)
anti-replay context: seq 0x0, oseq 0x21184d2, bitmap 0x00000000
lifetime config:
 limit: soft (INF)(bytes), hard (INF)(bytes)
 limit: soft (INF)(packets), hard (INF)(packets)
 expire add: soft 0(sec), hard 0(sec)
 expire use: soft 0(sec), hard 0(sec)
lifetime current:
 8141152159(bytes), 34702546(packets)
 add 2020-10-11 13:22:28 use 2020-10-11 13:22:30
stats:
 replay-window 0 replay 0 failed 0
src 169.254.255.2 dst 169.254.255.1
proto esp spi 0xccc9ea89(3435784841) reqid 98(0x00000062) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
mark 0x1/0xffffffff
auth-trunc hmac(sha1) 0x6b508daf6xxxxx(160 bits) 96
enc cbc(aes) 0xe545c1bxxxxxx (128 bits)
anti-replay context: seq 0x30dd997, oseq 0x0, bitmap 0xffffffff
lifetime config:
 limit: soft (INF)(bytes), hard (INF)(bytes)
 limit: soft (INF)(packets), hard (INF)(packets)
 expire add: soft 0(sec), hard 0(sec)
 expire use: soft 0(sec), hard 0(sec)
lifetime current:
 47548096033(bytes), 44810813(packets)
 add 2020-10-11 13:22:28 use 2020-10-11 13:22:34
stats:
 replay-window 54493 replay 0 failed 0
root at spoke:~#


* When is replay-window stats increased ?

* I've noticed that on devices not experiencing packet losses over the
ipsec tunnel all the stats = 0 (replay-window, replay & fail).

* I'm suspecting a replay window issue for received ipsec packets that are
dropped..

Has anyone encountered a similar problem ? any suggestions are welcome.

Thx & Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20201012/eb452cf8/attachment.html>

More information about the Users mailing list