Sun Aug 23 06:31:34 2020 daemon.notice openvpn(test_1)[31132]: Peer Connection Initiated with [AF_INET]192.168.56.3:59467
Sun Aug 23 06:31:35 2020 daemon.notice openvpn(test_1)[31132]: Initialization Sequence Completed
But I cannot ping the tunnel IPs
and it looks like the route is installed towards the wrong interface, eth1 instead of br-mng
Yes, I needed to delete that route on both of the routers.
root@OWRT-V-02:~# ping -w 3 10.20.0.1
PING 10.20.0.1 (10.20.0.1): 56 data bytes
64 bytes from 10.20.0.1: seq=0 ttl=64 time=0.962 ms
64 bytes from 10.20.0.1: seq=1 ttl=64 time=0.700 ms
64 bytes from 10.20.0.1: seq=2 ttl=64 time=0.939 ms
It looks like it is caused by the GRE tunnel config. If I remove that section and reboot, there is no problem.
I don't think there is a problem with my GRE config; I tried it on a physical interface and it worked.
I am thinking the problem might be that GRE is initializing before the IPsec tunnel is ready.
It looks like this is the part which breaks the IPsec tunnel, and it also happens if I configure it after the IPsec tunnel is up.
config interface 'gre1'
option ipaddr '10.20.0.1' # on the other router it is the opposite
option peeraddr '10.20.0.2' # on the other router it is the opposite
option proto 'gre'
Unfortunately I do not see too much in the logs (except IPsec in a crash loop, I guess because of the wrong gateway)
Sun Aug 23 20:06:20 2020 daemon.warn openvpn(test_1)[2087]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: OpenVPN 2.4.7 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Sun Aug 23 20:06:20 2020 daemon.warn openvpn(test_1)[2087]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Sun Aug 23 20:06:20 2020 daemon.warn openvpn(test_1)[2087]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: TUN/TAP device tun0 opened
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: TUN/TAP TX queue length set to 100
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: /sbin/ifconfig tun0 10.20.0.2 pointopoint 10.20.0.1 mtu 1500
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.56.2:1194
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: UDP link local: (not bound)
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: UDP link remote: [AF_INET]192.168.56.2:1194
Sun Aug 23 20:06:20 2020 daemon.info procd: - init complete -
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Network device 'eth1' link is up
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'wan' has link connectivity
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'wan' is setting up now
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Network device 'eth0' link is up
Sun Aug 23 20:06:22 2020 local1.info Keepalived_vrrp[1942]: Netlink reports br-mng up
Sun Aug 23 20:06:22 2020 local1.info Keepalived_vrrp[1942]: (VI_1) Entering BACKUP STATE
Sun Aug 23 20:06:22 2020 daemon.notice netifd: bridge 'br-mng' link is up
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'mng' has link connectivity
Sun Aug 23 20:06:22 2020 kern.info kernel: [ 8.800904] e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Sun Aug 23 20:06:22 2020 kern.info kernel: [ 8.802212] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Sun Aug 23 20:06:22 2020 kern.info kernel: [ 8.803074] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Sun Aug 23 20:06:22 2020 kern.info kernel: [ 8.803626] br-mng: port 1(eth0) entered blocking state
Sun Aug 23 20:06:22 2020 kern.info kernel: [ 8.804025] br-mng: port 1(eth0) entered forwarding state
Sun Aug 23 20:06:22 2020 kern.info kernel: [ 8.805432] IPv6: ADDRCONF(NETDEV_CHANGE): br-mng: link becomes ready
Sun Aug 23 20:06:22 2020 daemon.notice netifd: wan (2197): udhcpc: started, v1.30.1
Sun Aug 23 20:06:22 2020 daemon.notice netifd: wan (2197): udhcpc: sending discover
Sun Aug 23 20:06:22 2020 daemon.notice netifd: wan (2197): udhcpc: sending select for 10.0.3.15
Sun Aug 23 20:06:22 2020 daemon.notice netifd: wan (2197): udhcpc: lease of 10.0.3.15 obtained, lease time 86400
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'gre1' is setting up now
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'wan' is now up
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: reading /tmp/resolv.conf.auto
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain test
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain onion
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain localhost
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain local
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain invalid
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain bind
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain lan
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using nameserver 8.8.8.8#53
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'gre1_static' is enabled
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'gre1_static' is setting up now
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'gre1_static' is now up
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'gre1' is now up
Sun Aug 23 20:06:22 2020 daemon.notice netifd: tunnel 'gre4-gre1' link is up
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Network alias 'gre4-gre1' link is up
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'gre1_static' has link connectivity
Sun Aug 23 20:06:22 2020 kern.warn kernel: [ 8.868121] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.
Sun Aug 23 20:06:26 2020 daemon.notice openvpn(test_1)[2087]: Peer Connection Initiated with [AF_INET]192.168.56.2:1194
Sun Aug 23 20:06:27 2020 daemon.warn openvpn(test_1)[2087]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Aug 23 20:06:27 2020 daemon.notice openvpn(test_1)[2087]: Initialization Sequence Completed
Sun Aug 23 20:06:45 2020 daemon.info procd: Instance ipsec::instance1 s in a crash loop 6 crashes, 0 seconds since last crash
Still, if I execute:
ip route del 10.20.0.1 dev eth1
ip route add 10.20.0.1 dev tun0
ip route del 10.20.0.2 dev eth1
ip route add 10.20.0.2 dev tun0
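
An added example, not part of the original post: a check that reads `ip route show` output and reports any host route for the tunnel endpoints (10.20.0.1 and 10.20.0.2 above) that is bound to a device other than the expected one (tun0 here). The function name `misrouted_endpoints` and the sample routing table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of the broken state described in the post
# (illustrative text, not captured from the routers).
SAMPLE_ROUTES='default via 10.0.3.2 dev eth1 proto static src 10.0.3.15
10.0.3.0/24 dev eth1 proto kernel scope link src 10.0.3.15
10.20.0.1 dev eth1 proto static scope link
10.20.0.2 dev tun0 proto kernel scope link src 10.20.0.1'

# misrouted_endpoints EXPECTED_DEV IP...
# Reads `ip route show` text on stdin. Prints "<ip> <dev>" for every host
# route to one of the given IPs whose device is not EXPECTED_DEV.
# Exit status is 1 if at least one such route was found, 0 otherwise.
misrouted_endpoints() {
    expected_dev=$1
    shift
    awk -v want="$expected_dev" -v ips="$*" '
        BEGIN {
            bad = 0
            n = split(ips, a, " ")
            for (i = 1; i <= n; i++) watch[a[i]] = 1
        }
        {
            dst = $1
            sub(/\/32$/, "", dst)   # "10.20.0.1/32" is the same host route
            if (!(dst in watch)) next
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) != want) {
                    print dst, $(i + 1)
                    bad = 1
                }
        }
        END { exit bad }
    '
}

# Run against the constructed sample; prints "10.20.0.1 eth1".
printf '%s\n' "$SAMPLE_ROUTES" |
    misrouted_endpoints tun0 10.20.0.1 10.20.0.2 ||
    echo "tunnel endpoint route(s) bound to the wrong device"

# On a live router the same check would be:
#   ip route show | misrouted_endpoints tun0 10.20.0.1 10.20.0.2
```

Running it after every interface bring-up (for example after the GRE interface comes up) shows whether the endpoint route has moved back to eth1.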