Axel Zöllich
2014-Jan-05 17:52 UTC
ipsec tunnel doesn't reestablish because of getting dropped by iptables/shorewall
hosts:
pktgh eth4:192.168.223.0/24,212.117.77.202 ipsec
pktgh eth4:192.168.3.0/24,212.117.77.202 ipsec

rules:
ACCEPT pktgh:212.117.77.202 $FW

rules:
0x200:P - 212.117.77.202
0x200 $FW 212.117.77.202

The IPSEC tunnel between 212.117.77.202 and the remote station gets established and works well. But it doesn't get reestablished.

Jan 2 18:30:50 router-pikt-1 kernel: [1258504.573780] Shorewall:net2fw:DROP:IN=eth4 OUT= MAC=a0:36:9f:28:42:e9:00:12:ef:61:2e:7c:08:00 SRC=212.117.77.202 DST=212.117.77.218 LEN=1036 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=1016 MARK=0x200

Already, deleting the SA is blocked by shorewall:

Jan 5 18:32:43 router-pikt-1 kernel: [1517561.605683] Shorewall:net2fw:DROP:IN=eth4 OUT= MAC=a0:36:9f:28:42:e9:00:12:ef:61:2e:7c:08:00 SRC=212.117.77.202 DST=212.117.77.218 LEN=100 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=80 MARK=0x200

conntrack -L shows one connection left over:

unknown 50 459 src=212.117.77.218 dst=212.117.77.202 src=212.117.77.202 dst=212.117.77.218 mark=512 use=1

Axel
-- 
We use only organically grown blue electrons.
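As an added example (not part of Axel's post or of Shorewall itself), a small Python parser for Shorewall/netfilter DROP lines in the format shown above; it flags dropped IKE (UDP 500), NAT-T (UDP 4500), ESP and AH packets so a rekey or SA-delete being blocked by the firewall stands out in the log. The sample lines are constructed after the ones in the post (the TCP and ESP lines are invented for contrast).

```python
import re

# Constructed sample log, modelled on the Shorewall lines quoted in the post above.
SAMPLE_LOG = """\
Jan 2 18:30:50 router-pikt-1 kernel: [1258504.573780] Shorewall:net2fw:DROP:IN=eth4 OUT= MAC=a0:36:9f:28:42:e9:00:12:ef:61:2e:7c:08:00 SRC=212.117.77.202 DST=212.117.77.218 LEN=1036 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=1016 MARK=0x200
Jan 5 18:32:43 router-pikt-1 kernel: [1517561.605683] Shorewall:net2fw:DROP:IN=eth4 OUT= MAC=a0:36:9f:28:42:e9:00:12:ef:61:2e:7c:08:00 SRC=212.117.77.202 DST=212.117.77.218 LEN=100 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=80 MARK=0x200
Jan 5 18:40:01 router-pikt-1 kernel: [1518000.000000] Shorewall:net2fw:DROP:IN=eth4 OUT= MAC=a0:36:9f:28:42:e9:00:12:ef:61:2e:7c:08:00 SRC=203.0.113.9 DST=212.117.77.218 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22
Jan 5 18:41:07 router-pikt-1 kernel: [1518066.123456] Shorewall:net2fw:DROP:IN=eth4 OUT= MAC=a0:36:9f:28:42:e9:00:12:ef:61:2e:7c:08:00 SRC=212.117.77.202 DST=212.117.77.218 LEN=120 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=ESP SPI=0x1234abcd MARK=0x200
"""

# "Shorewall:<chain>:<action>:" followed by netfilter key=value tokens (bare flags such as DF carry no '=').
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
IPSEC_UDP_PORTS = {500: "IKE", 4500: "NAT-T"}


def parse_line(line):
    """Parse one Shorewall log line into a dict, or return None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, val in KV_RE.findall(m.group("fields")):
        rec.setdefault(key, val)  # LEN appears twice; keep the first (IP) length
    return rec


def classify_ipsec(rec):
    """Return 'IKE', 'NAT-T', 'ESP' or 'AH' for IPsec control/data traffic, else None."""
    proto = rec.get("PROTO")
    if proto in ("ESP", "AH"):
        return proto
    if proto == "UDP":
        return IPSEC_UDP_PORTS.get(int(rec.get("DPT", -1)))
    return None


def dropped_ipsec(log_text):
    """List (chain, src, dst, kind, mark) for every dropped IPsec-related packet."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        kind = classify_ipsec(rec)
        if kind:
            hits.append((rec["chain"], rec["SRC"], rec["DST"], kind, rec.get("MARK")))
    return hits


if __name__ == "__main__":
    for hit in dropped_ipsec(SAMPLE_LOG):
        print("dropped IPsec packet:", hit)
```

Run against a real kernel log, the same function shows whether the drops are the IKE/NAT-T control packets (rekeys, SA deletes) or the ESP data path, which is the first thing to establish before touching the Shorewall rules.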