Hide Forgot
I have openswan configured for 3 remote connections. The problem: some connection do not get re-established in case of a failure. but the command /etc/init.d/ipsec restart does help to re-establish the link, but it soon fail again. here CONN3 - problematic connection (DPD is enabled). 1.1.1.1 - remote IP ipsec auto --status |grep CONN3 000 #13: "CONN3":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2435s; newest IPSEC; eroute owner; isakmp#12; idle; import:admin initiate 000 #13: "CONN3" esp.44d5b592.1.1 esp.6762efbd.20.20 tun.0.1.1 tun.0.20.20 ref=0 refhim=4294901761 000 #8: "CONN3":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 524s; isakmp#7; idle; import:admin initiate 000 #8: "CONN3" esp.44d5b591.1.1 esp.4e93bc40.20.20 tun.0.1.1 tun.0.20.20 ref=0 refhim=4294901761 DPD is enabled, mtu is set to 1400 (just in case, there are some broken routers in between) rpm -q openswan openswan-2.6.37-1.fc15.x86_64 there is also a openvpn link, but it unaffected openswan. The problem does exist in all versions of openswan I used (since 2.6.32 and earlier)
Created attachment 530845 [details] working CONN3
Created attachment 530846 [details] FAILED CONN3 diff /tmp/fg.txt /tmp/ff.txt 7c7 < 000 "CONN3": newest ISAKMP SA: #1; newest IPsec SA: #4; --- > 000 "CONN3": newest ISAKMP SA: #0; newest IPsec SA: #4; 10d9 < 000 "CONN3": IKE algorithm newest: AES_CBC_256-SHA1-MODP2048 14c13 < 000 #4: "CONN3":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2586s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate --- > 000 #4: "CONN3":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2516s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate 16d14 < 000 #1: "CONN3":500 STATE_AGGR_I2 (sent AI2, ISAKMP SA established); EVENT_SA_REPLACE in 2563s; newest ISAKMP; lastdpd=3s(seq in:31889 out:31888); idle; import:admin initiate
This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
The problem stil exists in F17
The problem still exists in F18, some times it occure even with a single connection, but much less seldom. By the loss of activity I expect that openswan is dead and, being ugly as all IPSEC, I thing the best option would be to ditch it altogether and replace by openvpn. The only issue with this - few routers support openvpn, but ipsec/openswan as well as ipsec/racoon are just plain not usable at all. Connection drops and does not get re-established.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Changed component to libreswan. do investigate this, I really need more information. Can you run this with plutodebug=all ? You can make the bug non-public if it would contain too much personal information.
I will try to test, the problem is that 2 out of 3 routers I connect to via VPN were converted from IPSEC to a PC with openvpn running exactly because of this bug and unreliability of IPSEC connections (e.g. with openvpn it is no problem to do 150Gb remote backup, with IPSEC for some reason it was A) two to three times slower B) I never managed to copy more than 20Gb via IPSEC in a single try, the connection breaks and I have to use rsync for that, but rsync further slows the process) So now I have only single IPSEC router left. If you can provide me with 2-3 testing router accounts, just for testing (any router connected to an internet configured with pre-shared key, SHA256 phase 1/2, PFS 1024 bits, make sure these routers connected to no important network) then this will simplify my testing process.
Can you add in your ipsec.conf so I can build an appropriate server as the other side? I would need to know if you need a subnet behind it, or just a host-host connection. Or I can give you a login to a vpn test server that you can reconfigure as you see fit. Can you give me a pointer to your ssh pub key?
Created attachment 759678 [details] config from /etc/ipsec.d/ I am attaching old config (the router no longer available to me) this is net-to-net config with DPD enabled and MTU is set to 1400 (just in case. my ISP used to have rather low MTU). The attached config is in aggressive mode (because I never managed to get zyxel & draytek vigor to work in main mode despite all my efforts) My /etc/ipsec.conf (which include /etc/ipsec.d/*.conf) has the lines: nat_traversal=yes force_keepalive=yes keep_alive=10 Can you create 1-2 router login similar to attached gg.conf I will try to start them all together.
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life. Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 18's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
note openswan has been obsoleted for libreswan in fedora and rhel