I have an IPsec (tunnel mode) connection which after about 15 minutes of no traffic, the ping stops working and can be resumed only if ping is initiated from the other end.
The setup is made out of two routers which use Linux Openswan 1.5.13-6-g96f6187-dirty (klips)
Below are the configs and the logs when it's working and when it's not.
I'm rather new to IPsec. I've tried enabling rekey and compress, but without luck. The iptables look identical when ping works and stops working.
Device_1
config setup
interfaces="ipsec0=wwan0"
klipsdebug=all
plutodebug=all
plutostderrlog=/var/logs/ipsecerr.log
uniqueids=no
protostack=klips
conn %default
keyingtries=0
authby=secret
connaddrfamily=ipv4
type=tunnel
dpddelay=30
dpdtimeout=120
dpdaction=restart
compress=no
rekey=no
auto=start
leftupdown="ipsec _updown"
conn remote
leftid=@Device_1
left=82.79.119.159
leftsubnet=10.0.0.0/24
leftsourceip=10.0.0.250
#leftnexthop=
rightid=@Device_2
right=82.79.119.160
rightsubnet=10.0.1.5/24
#rightsourceip=
#rightnexthop=
auto=start
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
conn OEself
auto=ignore
Device_2
config setup
interfaces="ipsec0=wwan0"
klipsdebug=all
plutodebug=all
plutostderrlog=/var/logs/ipsecerr.log
uniqueids=no
protostack=klips
conn %default
keyingtries=0
authby=secret
connaddrfamily=ipv4
type=tunnel
dpddelay=30
dpdtimeout=120
dpdaction=restart
compress=no
rekey=no
auto=start
leftupdown="ipsec _updown"
conn remote
leftid=@Device_2
left=82.79.119.160
leftsubnet=10.0.1.0/24
leftsourceip=10.0.1.250
#leftnexthop=
rightid=@Device_1
right=82.79.119.159
rightsubnet=10.0.0.5/24
#rightsourceip=
#rightnexthop=
auto=start
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
conn OEself
auto=ignore
Logs
When ping works:
ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 aa:92:55:00:cc:e5:aa:92:55:00:cc:e5:08:00
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 34,28
klips_debug:ipsec_findroute: 10.0.0.5:0->10.0.1.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=10.0.0.5, er=0pc31f8be0, daddr=10.0.1.5, er_dst=524f77a0, proto=1 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=234 of SA:tun.1005@82.79.119.160 requested.
ipsec_sa_get: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 0,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,24
klips_debug:ipsec_xmit_init2: existing head,tailroom: 34,28 before applying xforms with head,tailroom: 44,24 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 73 to 1427
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 48,28 after hard_header stripped.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_init2: head,tailroom: 76,160 after allocation
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:ipsec_xmit_cont: after <IPIP>, SA:tun.1005@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29293 frag_off:0 ttl:64 proto:4 chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_ipcomp: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_cont: after <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29293 frag_off:0 ttl:64 proto:4 chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 32,136 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308180 idat=c32f164c ilen=96 iv=c32f163c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29293 frag_off:0 ttl:64 proto:50 (ESP) chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (4--) decremented by ipsec_xmit_cont:1286.
klips_debug:ipsec_findroute: 82.79.119.159:0->82.79.119.160:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:rj_match: *** start searching up the tree, t=0pc31f8be0
klips_debug:rj_match: **** t=0pc31f8bf8
klips_debug:rj_match: **** t=0pc3172680
klips_debug:rj_match: ***** cp2=0pc30963f8 cp3=0pc31d01d0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,136
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,136
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29293 frag_off:0 ttl:64 proto:50 (ESP) chk:29673 saddr:82.79.119.159 daddr:82.79.119.160
klips_debug: ipsec_rcv_init(st=0,nxt=1)
klips_debug:ipsec_rcv_init: <<< Info -- skb->dev=wwan0
klips_debug:ipsec_rcv_init: assigning packet ownership to virtual device ipsec0 from physical device wwan0.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:61055 frag_off:0 ttl:63 proto:50 (ESP) chk:63702 saddr:82.79.119.160 daddr:82.79.119.159
klips_debug: ipsec_rcv_decap_init(st=1,nxt=2)
klips_debug: ipsec_rcv_decap_lookup(st=2,nxt=3)
klips_debug: ipsec_rcv_auth_init(st=3,nxt=4)
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=158 of SA:esp.1f2673db@82.79.119.159 requested.
ipsec_sa_get: ipsec_sa c32a8000 SA:esp.1f2673db@82.79.119.159, ref:17 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_rcv_auth_init: SA:esp.1f2673db@82.79.119.159, src=82.79.119.160 of pkt agrees with expected SA source address policy.
klips_debug:ipsec_rcv_auth_init: SA:esp.1f2673db@82.79.119.159 First SA in group.
klips_debug:ipsec_rcv_auth_init: natt_type=0 tdbp->ips_natt_type=0 : ok
klips_debug:ipsec_rcv: packet from 82.79.119.160 received with seq=19 (iv)=0x77865e0e44db14b0 iplen=132 esplen=120 sa=esp.1f2673db@82.79.119.159
klips_debug: ipsec_rcv_auth_calc(st=5,nxt=6)
klips_debug:ipsec_rcv_auth_calc: encalg = 12, authalg = 3.
klips_debug: ipsec_rcv_auth_chk(st=6,nxt=7) - will check
klips_debug:ipsec_rcv_auth_chk: authentication successful.
klips_debug: ipsec_rcv_decrypt(st=7,nxt=8)
klips_debug:ipsec_rcv: encalg=12 esphlen=24
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308240 idat=c3bd223c ilen=96 iv=c3bd222c, encrypt=0
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_rcv_esp_post_decrypt: padlen=10, contents: 0x<offset>: 0x<value> 0x<value> ...
klips_debug: 00: 01 02 03 04 05 06 07 08 09 0a
klips_debug:ipsec_rcv_esp_post_decrypt: packet decrypted from 82.79.119.160: next_header = 4, padding = 10
klips_debug:ipsec_rcv: trimming to 84.
klips_debug: ipsec_rcv_decap_cont(st=8,nxt=9)
klips_debug: ipsec_rcv_auth_chk(st=8,nxt=9) - already checked
klips_debug:ipsec_rcv_decap_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.1f2673db@82.79.119.159:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:61055 frag_off:0 ttl:63 proto:4 chk:63796 saddr:82.79.119.160 daddr:82.79.119.159
klips_debug:ipsec_rcv_decap_cont: SA:esp.1f2673db@82.79.119.159, Another IPSEC header to process.
klips_debug: ipsec_rcv_cleanup(st=9,nxt=11)
ipsec_sa_get: ipsec_sa c32a8800 SA:comp.b26d@82.79.119.159, ref:16 reference count (3++) incremented by ipsec_rcv_cleanup:1798.
ipsec_sa_get: ipsec_sa c3191400 SA:tun.1006@82.79.119.159, ref:15 reference count (3++) incremented by ipsec_rcv_cleanup:1815.
ipsec_sa_put: ipsec_sa c32a8000 SA:esp.1f2673db@82.79.119.159, ref:17 reference count (4--) decremented by ipsec_rcv_cleanup:1818.
klips_debug:ipsec_rcv_decap_ipip: IPIP tunnel stripped.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:34482 frag_off:0 ttl:63 proto:1 (ICMP) chk:57325 saddr:10.0.1.5 daddr:10.0.0.5 type:code=0:0
klips_debug:ipsec_rcv_decap_ipip: IPIP SA sets skb->nfmark=0x800f0000.
klips_debug: ipsec_rcv_complete(st=11,nxt=100)
klips_debug:ipsec_rcv_complete: netif_rx(ipsec0) called.
ipsec_sa_put: ipsec_sa c32a8800 SA:comp.b26d@82.79.119.159, ref:16 reference count (4--) decremented by ipsec_rsm:2019.
ipsec_sa_put: ipsec_sa c3191400 SA:tun.1006@82.79.119.159, ref:15 reference count (4--) decremented by ipsec_rsm:2024.
When ping doesn't work:
ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 aa:92:55:00:cc:e5:aa:92:55:00:cc:e5:08:00
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 34,28
klips_debug:ipsec_findroute: 10.0.0.5:0->10.0.1.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=10.0.0.5, er=0pc31f8be0, daddr=10.0.1.5, er_dst=524f77a0, proto=1 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=234 of SA:tun.1005@82.79.119.160 requested.
ipsec_sa_get: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 0,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,24
klips_debug:ipsec_xmit_init2: existing head,tailroom: 34,28 before applying xforms with head,tailroom: 44,24 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 73 to 1427
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 48,28 after hard_header stripped.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_init2: head,tailroom: 76,160 after allocation
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:ipsec_xmit_cont: after <IPIP>, SA:tun.1005@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29295 frag_off:0 ttl:64 proto:4 chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_ipcomp: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_cont: after <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29295 frag_off:0 ttl:64 proto:4 chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 32,136 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308180 idat=c320cc4c ilen=96 iv=c320cc3c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29295 frag_off:0 ttl:64 proto:50 (ESP) chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (4--) decremented by ipsec_xmit_cont:1286.
klips_debug:ipsec_findroute: 82.79.119.159:0->82.79.119.160:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:rj_match: *** start searching up the tree, t=0pc31f8be0
klips_debug:rj_match: **** t=0pc31f8bf8
klips_debug:rj_match: **** t=0pc3172680
klips_debug:rj_match: ***** cp2=0pc30963f8 cp3=0pc31d01d0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,136
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,136
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29295 frag_off:0 ttl:64 proto:50 (ESP) chk:29671 saddr:82.79.119.159 daddr:82.79.119.160
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* Control loopback interface input */
0 0 ACCEPT udp -- wwan0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:8080 /* Control web port connection attempts */
0 0 ACCEPT tcp -- wwan0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 flags:0x17/0x02 /* Control web port connection attempts */
342 49352 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Allow incoming WAN traffic in response to established connection */
0 0 DROP all -- wwan0 * 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
35 11480 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
7 203 ACCEPT all -- ipsec0 * 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
27 2268 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0 state NEW /* Forward new connection attempts out WAN port */
464 38976 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Forward established connections (where?) */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* Control loopback interface output */
0 0 ACCEPT udp -- * wwan0 0.0.0.0/0 0.0.0.0/0 udp dpt:8080 /* Control web port connection attempts */
0 0 ACCEPT tcp -- * wwan0 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 flags:0x17/0x02 /* Control web port connection attempts */
0 0 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0 state NEW /* Allow new outbound WAN connections */
360 52568 ACCEPT all -- * wwan0 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0 0 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
We solved it by adding a keepalive on each device pointing to LAN IP of the remote device, every 5 minutes. Dem workarounds! :)
User contributions licensed under CC BY-SA 3.0