IPsec Tunnel Mode - ping won't work after 15 minutes of no traffic

I have an IPsec (tunnel mode) connection on which, after about 15 minutes of no traffic, ping stops working and can be resumed only if ping is initiated from the other end.

The setup is made up of two routers which use Linux Openswan 1.5.13-6-g96f6187-dirty (klips).

Below are the configs and the logs when it's working and when it's not.

I'm rather new to IPsec. I've tried enabling rekey and compress, but without luck. The iptables rules look identical when ping works and when it stops working.

Device_1

config setup
        interfaces="ipsec0=wwan0"
        klipsdebug=all
        plutodebug=all
        plutostderrlog=/var/logs/ipsecerr.log
        uniqueids=no
        protostack=klips

conn %default
        keyingtries=0
        authby=secret
        connaddrfamily=ipv4
        type=tunnel
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        compress=no
        rekey=no
        auto=start
        leftupdown="ipsec _updown"

conn remote
        leftid=@Device_1
        left=82.79.119.159
        leftsubnet=10.0.0.0/24
        leftsourceip=10.0.0.250
        #leftnexthop=
        rightid=@Device_2
        right=82.79.119.160
        rightsubnet=10.0.1.5/24
        #rightsourceip=
        #rightnexthop=
        auto=start

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn OEself
        auto=ignore

Device_2

config setup
        interfaces="ipsec0=wwan0"
        klipsdebug=all
        plutodebug=all
        plutostderrlog=/var/logs/ipsecerr.log
        uniqueids=no
        protostack=klips

conn %default
        keyingtries=0
        authby=secret
        connaddrfamily=ipv4
        type=tunnel
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        compress=no
        rekey=no
        auto=start
        leftupdown="ipsec _updown"

conn remote
        leftid=@Device_2
        left=82.79.119.160
        leftsubnet=10.0.1.0/24
        leftsourceip=10.0.1.250
        #leftnexthop=
        rightid=@Device_1
        right=82.79.119.159
        rightsubnet=10.0.0.5/24
        #rightsourceip=
        #rightnexthop=
        auto=start

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn OEself
        auto=ignore

Logs

When ping works:

ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 aa:92:55:00:cc:e5:aa:92:55:00:cc:e5:08:00
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 34,28
klips_debug:ipsec_findroute: 10.0.0.5:0->10.0.1.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=10.0.0.5, er=0pc31f8be0, daddr=10.0.1.5, er_dst=524f77a0, proto=1 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=234 of SA:tun.1005@82.79.119.160 requested.
ipsec_sa_get: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 0,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,24
klips_debug:ipsec_xmit_init2: existing head,tailroom: 34,28 before applying xforms with head,tailroom: 44,24 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 73 to 1427
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 48,28 after hard_header stripped.
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_init2: head,tailroom: 76,160 after allocation
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:ipsec_xmit_cont: after <IPIP>, SA:tun.1005@82.79.119.160:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:104 id:29293 frag_off:0 ttl:64 proto:4 chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_ipcomp: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_cont: after <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:104 id:29293 frag_off:0 ttl:64 proto:4 chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 32,136 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308180 idat=c32f164c ilen=96 iv=c32f163c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:29293 frag_off:0 ttl:64 proto:50 (ESP) chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (4--) decremented by ipsec_xmit_cont:1286.
klips_debug:ipsec_findroute: 82.79.119.159:0->82.79.119.160:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:rj_match: *** start searching up the tree, t=0pc31f8be0
klips_debug:rj_match: **** t=0pc31f8bf8
klips_debug:rj_match: **** t=0pc3172680
klips_debug:rj_match: ***** cp2=0pc30963f8 cp3=0pc31d01d0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,136
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,136
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:29293 frag_off:0 ttl:64 proto:50 (ESP) chk:29673 saddr:82.79.119.159 daddr:82.79.119.160
klips_debug: ipsec_rcv_init(st=0,nxt=1)
klips_debug:ipsec_rcv_init: <<< Info -- skb->dev=wwan0
klips_debug:ipsec_rcv_init: assigning packet ownership to virtual device ipsec0 from physical device wwan0.
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:61055 frag_off:0 ttl:63 proto:50 (ESP) chk:63702 saddr:82.79.119.160 daddr:82.79.119.159
klips_debug: ipsec_rcv_decap_init(st=1,nxt=2)
klips_debug: ipsec_rcv_decap_lookup(st=2,nxt=3)
klips_debug: ipsec_rcv_auth_init(st=3,nxt=4)
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=158 of SA:esp.1f2673db@82.79.119.159 requested.
ipsec_sa_get: ipsec_sa c32a8000 SA:esp.1f2673db@82.79.119.159, ref:17 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_rcv_auth_init: SA:esp.1f2673db@82.79.119.159, src=82.79.119.160 of pkt agrees with expected SA source address policy.
klips_debug:ipsec_rcv_auth_init: SA:esp.1f2673db@82.79.119.159 First SA in group.
klips_debug:ipsec_rcv_auth_init: natt_type=0 tdbp->ips_natt_type=0 : ok
klips_debug:ipsec_rcv: packet from 82.79.119.160 received with seq=19 (iv)=0x77865e0e44db14b0 iplen=132 esplen=120 sa=esp.1f2673db@82.79.119.159
klips_debug: ipsec_rcv_auth_calc(st=5,nxt=6)
klips_debug:ipsec_rcv_auth_calc: encalg = 12, authalg = 3.
klips_debug: ipsec_rcv_auth_chk(st=6,nxt=7) - will check
klips_debug:ipsec_rcv_auth_chk: authentication successful.
klips_debug: ipsec_rcv_decrypt(st=7,nxt=8)
klips_debug:ipsec_rcv: encalg=12 esphlen=24
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308240 idat=c3bd223c ilen=96 iv=c3bd222c, encrypt=0
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_rcv_esp_post_decrypt: padlen=10, contents: 0x<offset>: 0x<value> 0x<value> ...
klips_debug:           00: 01 02 03 04 05 06 07 08 09 0a
klips_debug:ipsec_rcv_esp_post_decrypt: packet decrypted from 82.79.119.160: next_header = 4, padding = 10
klips_debug:ipsec_rcv: trimming to 84.
klips_debug: ipsec_rcv_decap_cont(st=8,nxt=9)
klips_debug: ipsec_rcv_auth_chk(st=8,nxt=9) - already checked
klips_debug:ipsec_rcv_decap_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.1f2673db@82.79.119.159:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:104 id:61055 frag_off:0 ttl:63 proto:4 chk:63796 saddr:82.79.119.160 daddr:82.79.119.159
klips_debug:ipsec_rcv_decap_cont: SA:esp.1f2673db@82.79.119.159, Another IPSEC header to process.
klips_debug: ipsec_rcv_cleanup(st=9,nxt=11)
ipsec_sa_get: ipsec_sa c32a8800 SA:comp.b26d@82.79.119.159, ref:16 reference count (3++) incremented by ipsec_rcv_cleanup:1798.
ipsec_sa_get: ipsec_sa c3191400 SA:tun.1006@82.79.119.159, ref:15 reference count (3++) incremented by ipsec_rcv_cleanup:1815.
ipsec_sa_put: ipsec_sa c32a8000 SA:esp.1f2673db@82.79.119.159, ref:17 reference count (4--) decremented by ipsec_rcv_cleanup:1818.
klips_debug:ipsec_rcv_decap_ipip: IPIP tunnel stripped.
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:34482 frag_off:0 ttl:63 proto:1 (ICMP) chk:57325 saddr:10.0.1.5 daddr:10.0.0.5 type:code=0:0
klips_debug:ipsec_rcv_decap_ipip: IPIP SA sets skb->nfmark=0x800f0000.
klips_debug: ipsec_rcv_complete(st=11,nxt=100)
klips_debug:ipsec_rcv_complete: netif_rx(ipsec0) called.
ipsec_sa_put: ipsec_sa c32a8800 SA:comp.b26d@82.79.119.159, ref:16 reference count (4--) decremented by ipsec_rsm:2019.
ipsec_sa_put: ipsec_sa c3191400 SA:tun.1006@82.79.119.159, ref:15 reference count (4--) decremented by ipsec_rsm:2024.

When ping doesn't work:

ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 aa:92:55:00:cc:e5:aa:92:55:00:cc:e5:08:00
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 34,28
klips_debug:ipsec_findroute: 10.0.0.5:0->10.0.1.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=10.0.0.5, er=0pc31f8be0, daddr=10.0.1.5, er_dst=524f77a0, proto=1 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=234 of SA:tun.1005@82.79.119.160 requested.
ipsec_sa_get: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 0,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,24
klips_debug:ipsec_xmit_init2: existing head,tailroom: 34,28 before applying xforms with head,tailroom: 44,24 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 73 to 1427
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 48,28 after hard_header stripped.
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_init2: head,tailroom: 76,160 after allocation
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:ipsec_xmit_cont: after <IPIP>, SA:tun.1005@82.79.119.160:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:104 id:29295 frag_off:0 ttl:64 proto:4 chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_ipcomp: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_cont: after <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:104 id:29295 frag_off:0 ttl:64 proto:4 chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 32,136 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308180 idat=c320cc4c ilen=96 iv=c320cc3c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:29295 frag_off:0 ttl:64 proto:50 (ESP) chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (4--) decremented by ipsec_xmit_cont:1286.
klips_debug:ipsec_findroute: 82.79.119.159:0->82.79.119.160:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:rj_match: *** start searching up the tree, t=0pc31f8be0
klips_debug:rj_match: **** t=0pc31f8bf8
klips_debug:rj_match: **** t=0pc3172680
klips_debug:rj_match: ***** cp2=0pc30963f8 cp3=0pc31d01d0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,136
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,136
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:29295 frag_off:0 ttl:64 proto:50 (ESP) chk:29671 saddr:82.79.119.159 daddr:82.79.119.160

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Control loopback interface input */
    0     0 ACCEPT     udp  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:8080 /* Control web port connection attempts */
    0     0 ACCEPT     tcp  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 flags:0x17/0x02 /* Control web port connection attempts */
  342 49352 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow incoming WAN traffic in response to established connection */
    0     0 DROP       all  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
   35 11480 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
    7   203 ACCEPT     all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   27  2268 ACCEPT     all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0            state NEW /* Forward new connection attempts out WAN port */
  464 38976 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Forward established connections (where?) */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* Control loopback interface output */
    0     0 ACCEPT     udp  --  *      wwan0   0.0.0.0/0            0.0.0.0/0            udp dpt:8080 /* Control web port connection attempts */
    0     0 ACCEPT     tcp  --  *      wwan0   0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 flags:0x17/0x02 /* Control web port connection attempts */
    0     0 ACCEPT     all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0            state NEW /* Allow new outbound WAN connections */
  360 52568 ACCEPT     all  --  *      wwan0   0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
    0     0 ACCEPT     all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
ipsec
asked on Super User Sep 17, 2018 by Erik

1 Answer

We solved it by adding a keepalive on each device pointing to the LAN IP of the remote device, every 5 minutes. Dem workarounds! :)

answered on Super User Oct 12, 2018 by Erik
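
The keepalive described in this answer, as an added example for Device_1 (not the poster's actual script, which the page does not show). It assumes the keepalive is an ICMP ping and that each router's leftsourceip from the configs above is its LAN address; MAX_FAILS, STATE_FILE and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: tunnel keepalive for Device_1 (swap the two IPs on Device_2).
# Addresses come from the configs in the question; treating leftsourceip as
# each router's LAN address is an assumption.
REMOTE_LAN_IP="${REMOTE_LAN_IP:-10.0.1.250}"   # Device_2 leftsourceip
LOCAL_SRC_IP="${LOCAL_SRC_IP:-10.0.0.250}"     # Device_1 leftsourceip
INTERVAL="${INTERVAL:-300}"                    # 5 minutes, as in the answer
MAX_FAILS="${MAX_FAILS:-3}"                    # hypothetical alert threshold
STATE_FILE="${STATE_FILE:-/tmp/ipsec-keepalive.fails}"
PING_CMD="${PING_CMD:-ping}"                   # overridable for testing

# Send one probe sourced from the local protected subnet, so the packet
# matches the tunnel's leftsubnet/rightsubnet selectors and goes via ipsec0.
probe() {
    "$PING_CMD" -c 1 -W 5 -I "$LOCAL_SRC_IP" "$REMOTE_LAN_IP" >/dev/null 2>&1
}

# Read the consecutive-failure counter (0 if missing or not a number).
read_fails() {
    n=$(cat "$STATE_FILE" 2>/dev/null) || n=0
    case "$n" in ''|*[!0-9]*) n=0 ;; esac
    echo "$n"
}

# One keepalive round: returns 0 on a reply, 1 on a miss, and 2 once the
# miss count reaches MAX_FAILS (the point to alert or inspect the SAs).
keepalive_once() {
    if probe; then
        echo 0 > "$STATE_FILE"
        return 0
    fi
    fails=$(( $(read_fails) + 1 ))
    echo "$fails" > "$STATE_FILE"
    if [ "$fails" -ge "$MAX_FAILS" ]; then
        logger -t ipsec-keepalive \
            "no reply from $REMOTE_LAN_IP for $fails probes" 2>/dev/null || true
        return 2
    fi
    return 1
}

# Probe forever, one round per INTERVAL seconds.
keepalive_loop() {
    while :; do
        keepalive_once || true
        sleep "$INTERVAL"
    done
}

# Run the loop only when invoked as: keepalive.sh run
if [ "${1:-}" = "run" ]; then
    keepalive_loop
fi
```

The failure counter turns the keepalive into a cheap monitor as well: a return value of 2 means the tunnel has stopped passing traffic in both directions, not just gone idle.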

User contributions licensed under CC BY-SA 3.0