
List:       libreswan
Subject:    [Swan] ESP Discard
From:       Bruno de Oliveira Bastos <brunopsitech () gmail ! com>
Date:       2020-01-22 11:50:35
Message-ID: CAMRuTBB7jL4PyCYVn99TFqsZeyuHHiCk7jcbW3eTrYy2pE0KYw () mail ! gmail ! com


I have a problem that seems to be IPsec routing. I am using a CentOS 7.6
and Libreswan 3.25. I have a closed VPN with a CheckPoint, where everything
is established, the package leaves my network and goes to the destination
network and when returning, Linux discards or does not route the package
back, it arrives and is discarded, but I can't find where. Does anyone
have any ideas?

[root@firewall log]# tcpdump -i p3p2 esp

08:45:01.469829 IP XXX.5 > XXX.4: ESP(spi=0x673291bf,seq=0x5ae), length 92
08:45:01.510735 IP XXX.4 > XXX.5: ESP(spi=0xe28a2895,seq=0x5ae), length 92
08:45:04.289129 IP XXX.5 > XXX.4: ESP(spi=0x673291bf,seq=0x5af), length 116
08:45:04.329507 IP XXX.4 > XXX.5: ESP(spi=0xe28a2895,seq=0x5af), length 116
08:45:05.290342 IP XXX.5 > XXX.4: ESP(spi=0x673291bf,seq=0x5b0), length 116
08:45:05.328562 IP XXX.4 > XXX.5: ESP(spi=0xe28a2895,seq=0x5b0), length 116
08:45:06.291074 IP XXX.5 > XXX.4: ESP(spi=0x673291bf,seq=0x5b1), length 116
08:45:06.329088 IP XXX.4 > XXX.5: ESP(spi=0xe28a2895,seq=0x5b1), length 116

[root@firewall log]# ip xfrm policy
src 192.168.70.0/24 dst 10.20.0.0/24
        dir out priority 1042407 ptype main
        tmpl src XXX.5 dst XXX.4
                proto esp reqid 16393 mode tunnel
src 10.20.0.0/24 dst 192.168.70.0/24
        dir fwd priority 1042407 ptype main
        tmpl src XXX.4 dst XXX.5
                proto esp reqid 16393 mode tunnel
src 10.20.0.0/24 dst 192.168.70.0/24
        dir in priority 1042407 ptype main
        tmpl src XXX.4 dst XXX.5
                proto esp reqid 16393 mode tunnel

[root@firewall log]# ip xfrm state
src XXX.4 dst XXX.5
        proto esp spi 0xe28a2895 reqid 16393 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x5735c07f9cf22f8953169d4d892aab3d837413c7 96
        enc cbc(des3_ede) 0x4c85d5d5e9fec7c7d3a98e52c89ecd530262e40ab81e1847
        anti-replay context: seq 0x5ba, oseq 0x0, bitmap 0xfffeffff
src XXX.5 dst XXX.4
        proto esp spi 0x673291bf reqid 16393 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xddbec1fd0caac8c95de21e51d50eab409c15552f 96
        enc cbc(des3_ede) 0x6a0414dd357c9df601edcdfb461c73fa428ed41e1e40c6fc
        anti-replay context: seq 0x0, oseq 0x5ba, bitmap 0x00000000


# ipsec status

000 #1: "VPN":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in
164s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin
initiate
000 #2: "VPN":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_EXPIRE in 164s; newest IPSEC; eroute owner; isakmp#1; idle;
import:admin initiate
000 #2: "VPN" esp.673291bf@XXX.4 esp.e28a2895@XXX.5 tun.0@XXX.4 tun.0@XXX.5
ref=0 refhim=0 Traffic: ESPin=119KB ESPout=119KB! ESPmax=4194303B




_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
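The post's `ip xfrm state` output shows the inbound SA's anti-replay sequence advancing (seq 0x5ba with a populated bitmap), which means the ESP packets pass authentication and decryption and are lost afterwards, at the policy or forwarding stage that the kernel counts in /proc/net/xfrm_stat. The POSIX shell helper below is an added example, not code from the original thread or from Libreswan: it flags the non-zero xfrm_stat counters and names the discard stage each one points at. It assumes the counter meanings given in the kernel's xfrm_proc documentation and runs here on a constructed sample.

```shell
#!/bin/sh
# Constructed excerpt of /proc/net/xfrm_stat (not from the original post):
# one inbound counter is non-zero to mimic "ESP arrives, then vanishes".
SAMPLE_XFRM_STAT='XfrmInNoStates               	0
XfrmInStateProtoError        	0
XfrmInTmplMismatch           	0
XfrmInNoPols                 	1532
XfrmInPolBlock               	0
XfrmFwdHdrError              	0
XfrmOutError                 	0'

# Print "NAME VALUE" for every counter on stdin whose value is non-zero.
nonzero_counters() {
    awk 'NF == 2 && $2 != 0 { print $1, $2 }'
}

# Name the discard stage a counter points at (meanings follow the kernel's
# xfrm_proc documentation); prints nothing for counters not listed here.
explain_counter() {
    case "$1" in
        XfrmInNoStates)        echo "no SA matches the SPI/destination of the ESP packet" ;;
        XfrmInStateProtoError) echo "authentication or decryption failed (key/algorithm mismatch)" ;;
        XfrmInStateSeqError)   echo "sequence number outside the anti-replay window" ;;
        XfrmInTmplMismatch)    echo "inner packet does not match the template of the 'dir in'/'dir fwd' policy" ;;
        XfrmInNoPols)          echo "inner packet matched no inbound policy at all" ;;
        XfrmInPolBlock)        echo "a blocking policy discarded the packet" ;;
        XfrmFwdHdrError)       echo "forwarding of the decapsulated packet was refused" ;;
    esac
}

# Exit 0 when no inbound/forward (XfrmIn*, XfrmFwd*) counter is non-zero,
# 1 otherwise; reads xfrm_stat text on stdin.
inbound_drops_present() {
    nonzero_counters | awk 'BEGIN { bad = 0 } /^XfrmIn|^XfrmFwd/ { bad = 1 } END { exit bad }'
}

# Print each non-zero counter with its explanation (stdin in).
report_drops() {
    nonzero_counters | while read -r name value; do
        printf '%-24s %8s  %s\n' "$name" "$value" "$(explain_counter "$name")"
    done
}

printf '%s\n' "$SAMPLE_XFRM_STAT" | report_drops
if printf '%s\n' "$SAMPLE_XFRM_STAT" | inbound_drops_present; then
    echo "no inbound xfrm discards recorded"
else
    echo "inbound discards recorded: compare the inner src/dst with 'ip xfrm policy'"
fi
```

On the affected host, run `report_drops < /proc/net/xfrm_stat` while traffic is flowing and compare with the per-SA `failed` count shown by `ip -s xfrm state`.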

