
site2site VPN and remote access stopped

I am running 8.300.  Today I noticed that my site-to-site VPN and my L2TP (iPhone) remote access stopped working for my local Astaro.

All I could find strange in the logs for my local machine was the packet filter dropping packets from my remote site-to-site VPN machine.

2012:01:09-00:00:18 brk ulogd[5543]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="0:1d:a2:xx:xx:xx" dstmac="0:11:a:xx:xx:xx" srcip="70.123.XX.XX" dstip="72.183.XX.XX" proto="6" length="64" tos="0x00" prec="0x00" ttl="55" srcport="62942" dstport="36804" tcpflags="SYN" 

To test the packet filter, I added a rule to allow all traffic from the remote machine.  remote_ip -> any -> any.

After this, the packets were still dropping.

Not sure where else to look, I rebooted the machine.

When it came back up, I found the site to site tunnel was up and all was working fine.

Suggestions?
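The drop line quoted above is in the ulogd key="value" format, so it is easy to parse and filter. Here is an added example (not from the original post) that pulls every "drop" record whose source is the VPN peer out of a few constructed log lines and summarises them by protocol, destination port and firewall rule; the peer and local addresses are documentation-range placeholders, and the sample lines are constructed, not copied from a real appliance.

```python
import re
from collections import Counter

# Constructed sample lines in the ulogd key="value" layout shown in the post.
# Addresses and MACs are placeholders (RFC 5737 ranges), not real hosts.
SAMPLE_LOG = """\
2012:01:09-00:00:18 brk ulogd[5543]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:a2:00:00:01" dstmac="00:11:0a:00:00:02" srcip="203.0.113.10" dstip="198.51.100.20" proto="6" length="64" tos="0x00" prec="0x00" ttl="55" srcport="62942" dstport="36804" tcpflags="SYN"
2012:01:09-00:00:19 brk ulogd[5543]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:1d:a2:00:00:01" dstmac="00:11:0a:00:00:02" srcip="203.0.113.10" dstip="198.51.100.20" proto="17" length="180" tos="0x00" prec="0x00" ttl="55" srcport="500" dstport="500"
2012:01:09-00:00:20 brk ulogd[5543]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" srcip="192.0.2.5" dstip="198.51.100.20" proto="6" length="60" srcport="40000" dstport="443" tcpflags="SYN"
"""

# key="value" pairs after the syslog-style prefix
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# timestamp, host and "process[pid]" prefix
TS_RE = re.compile(r'^(\S+) (\S+) (\S+): ')


def parse_line(line):
    """Turn one ulogd line into a dict, or return None if it is not in that layout."""
    m = TS_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group(1), "host": m.group(2), "proc": m.group(3)}
    rec.update(dict(KV_RE.findall(line[m.end():])))
    return rec


def drops_from_peer(log_text, peer_ip):
    """Return the parsed records that were dropped and originate from peer_ip."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("action") == "drop" and rec.get("srcip") == peer_ip:
            out.append(rec)
    return out


def summarize(records):
    """Count drops by (proto, dstport, fwrule) so the flows and the rule that hit them are visible."""
    return Counter((r.get("proto"), r.get("dstport"), r.get("fwrule")) for r in records)


if __name__ == "__main__":
    drops = drops_from_peer(SAMPLE_LOG, "203.0.113.10")
    for key, n in summarize(drops).items():
        print("proto=%s dstport=%s fwrule=%s count=%d" % (key + (n,)))
```

Seeing IKE (UDP/500 or UDP/4500) or ESP (IP protocol 50) from the peer land on the same drop rule is the pattern to look for: it says the packets reach the box but no rule admits them, which is what you would expect if the IPsec rules were gone from the rule set.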


  • Digging into what I was seeing earlier - the dropped packets in the firewall log.  Does this make any sense?

    # Before - all working
    iptables --list-rules > iptables.log.ipsec_working

    # Disable the interface in the interface tab
    iptables --list-rules > iptables.log.ipsec_interface_off

    # Re-enable the interface in the interface tab
    iptables --list-rules > iptables.log.ipsec_dead


    Now - compare the results

    brk:/tmp # diff iptables.log.ipsec_working iptables.log.ipsec_interface_off  | sed 's/70.123\..*\.*\//70.123.***.***\//g;s/72.183\..*\.*\//72.183.yyy.yyy\//g;s/172\..*\..*\.*\//172.zzz.zzz.0\//g'
    
    64,65d63


    And I see no change from interface being off to being back on...

    brk:/tmp # diff iptables.log.ipsec_interface_off iptables.log.ipsec_dead  | sed 's/70.123\..*\.*\//70.123.***.***\//g;s/72.183\..*\.*\//72.183.yyy.yyy\//g;s/172\..*\..*\.*\//172.zzz.zzz.0\//g'
    
    brk:/tmp #
  • Yeah, that's pretty much all IPsec related packetfilter rules missing. And nothing in ipsec.log about this? There should be some messages when pluto is trying to send out IKE packets.
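The comparison done above by hand (snapshot the rule set, change state, snapshot again, diff, then redact addresses before posting) can be scripted so that only the IPsec-relevant rules that disappeared are reported. The following is an added example, not code from either poster or from the appliance; the two rule dumps are constructed to look like `iptables --list-rules` output, with documentation-range addresses, and what counts as an IPsec rule (ESP, UDP/500, UDP/4500, or an `-m policy --pol ipsec` match) is my assumption rather than anything the thread states.

```python
import ipaddress
import re

# Constructed snapshots in the style of `iptables --list-rules`; the layout is an
# illustration and the addresses are placeholder (documentation) ranges.
WORKING = """\
-P INPUT DROP
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p esp -j ACCEPT
-A FORWARD -s 172.16.0.0/16 -d 172.31.0.0/16 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -s 172.31.0.0/16 -d 172.16.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -j LOG --log-prefix "60001 "
"""
DEAD = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -j LOG --log-prefix "60001 "
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# RFC 1918 space is left readable; everything else is masked to its first two octets.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_ipsec_rule(rule):
    """Heuristic (assumed, not from the thread): ESP, IKE/NAT-T ports, or an xfrm policy match."""
    return ("-p esp" in rule
            or "--pol ipsec" in rule
            or re.search(r"--dport (?:500|4500)\b", rule) is not None)


def redact(rule):
    """Mask non-RFC1918 IPv4 addresses so a rule dump can be shared safely."""
    def mask(m):
        text = m.group(1)
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            return text
        if any(ip in net for net in RFC1918):
            return text
        a, b, _, _ = text.split(".")
        return f"{a}.{b}.xxx.xxx"
    return IPV4_RE.sub(mask, rule)


def missing_rules(before, after, only_ipsec=True):
    """Rules present in `before` but absent from `after`, in original order, redacted."""
    after_set = set(after.splitlines())
    gone = [r for r in before.splitlines() if r not in after_set]
    if only_ipsec:
        gone = [r for r in gone if is_ipsec_rule(r)]
    return [redact(r) for r in gone]


if __name__ == "__main__":
    for rule in missing_rules(WORKING, DEAD):
        print("MISSING:", rule)
```

Run it against real snapshots by reading the two files written by `iptables --list-rules` into `before` and `after`; an empty result from the "interface off" versus "interface back on" pair, as in the diff above, tells you the re-enable step never restored the rules, which is a different problem from the rules being deliberately removed.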