<div dir="ltr">Hi,
<div>To illustrate my issue, and in addition to the configuration described previously,</div>
<div> - I enabled more tracing in ipsec.conf [charondebug="ike 2, knl 3, cfg 0"].</div>
<div> [The log can be downloaded using the following link: "<a href="http://www.printemps.cc/Temp/syslog.txt">www.printemps.cc/Temp/syslog.txt</a>"]</div>
<div> - I tried to launch a set of commands [see "cmds.txt" in the attachment].</div>
<div><br></div>
<div>Executed commands:</div>
<div> - After starting ipsec, I establish the VPN connection.</div>
<div> As you can see in "cmds.txt", the connection is established correctly.</div>
<div> - I execute the following command to see if the traffic for the user is going through the VPN:</div>
<div> $ sudo -u vpn -i -- curl ipinfo.io</div>
<div> The result is the expected one.</div>
<div> - A little bit later (after 17:14:34 in syslog.02, less than 2 minutes after the previous command), I execute the same command.</div>
<div> The result fails with the following status: curl: (6) Could not resolve host: ipinfo.io</div>
<div> - I decide to wait, and after 2 additional minutes I try to execute the same command again.</div>
<div> The command is not failing, but I can see that the IP address allocated by the VPN has changed.</div>
<div><br></div>
<div>To summarise,</div>
<div> - The VPN connection is established correctly and the routes defined through the scripts are working.</div>
<div> Traffic for the "vpn" user is going through the VPN.</div>
<div> - After a few minutes (less than 2) without any activity through the VPN, the connection is no longer working.</div>
<div> I have to wait additional minutes to get a working connection.</div>
<div> - A few minutes later, the connection is killed again...</div>
<div><br></div>
<div>- Why is the VPN connection killed after less than 2 minutes?</div>
<div>- Does the issue come from the VPN server or from my configuration?</div>
<div>- Why does it take so long to re-establish a new working connection?</div>
<div>- How can I keep the connection longer?</div>
<div><br></div>
<div>If someone can check the log and see where the issue is coming from, I would really appreciate it because, currently, I'm lost...</div>
<div>Thanks for your help,</div>
<div>Gilles</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, May 29, 2018 at 10:51 AM, Gilles Printemps <span dir="ltr">&lt;<a href="mailto:gprintemps@gmail.com" target="_blank">gprintemps@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,
<div>After several days, I finally have a configuration which forces all the traffic from a specific user to be routed through a VPN via a vti interface.</div>
<div><br></div>
<div>After creating the vti interface and establishing the different routes, I can successfully check whether the traffic is currently routed using the following commands:</div>
<div><br></div>
<pre>sudo -u vpn -i -- curl ipinfo.io
ping -I vti0 www.google.com</pre>
<p>Unfortunately, after a period of time, it is no longer working and I can see several error packets on the vti interface. Several minutes later, the connection is established again with the VPN, but with a new connection (the IP has changed).</p>
<p><br></p>
<p>It seems this issue occurs after "sending keep alive" from IKE.</p>
<p>Is something missing or wrong in my ipsec.conf?</p>
<p><br></p>
<p>Thanks for your help,</p>
<p>Gilles</p>
<p><br></p>
<p>/etc/ipsec.conf</p>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><pre>config setup
    charondebug="ike 2, knl 3, cfg 0"
conn %default
    ### Key Exchange
    keyexchange=ikev2
    ike=aes256-sha256-ecp384                  # Algorithms used for the connection [phase1/ISAKMP SA]
    esp=aes256-sha256-ecp384,aes256-sha256    # Algorithms offered/accepted for a phase2 negotiation
conn VPN
    dpdaction=restart
    leftupdown=/etc/ipsec.script.sh
    left=%defaultroute
    leftsourceip=%config4
    leftauth=eap-mschapv2
    eap_identity=gprintemps
    right=free-nl.hide.me
    rightauth=pubkey
    rightid=%any
    rightsubnet=0.0.0.0/0
    auto=start
    mark=2</pre></blockquote>
<p><br></p>
<p>/etc/ipsec.script.sh</p>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><pre>#!/bin/bash
# bash is required: the script uses the [[ ]] test below
set -o nounset
set -o errexit
VPN_USER="vpn"
VTI_INTERFACE="vti0"
case "${PLUTO_VERB}" in
  up-client)
    # Create the VTI tunnel; ikey/okey are taken from the mark= value in ipsec.conf
    ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
        okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
    ip link set "${VTI_INTERFACE}" up
    sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
    sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2"
    # Assign the virtual IP handed out by the server (leftsourceip=%config4)
    ip addr add ${PLUTO_MY_SOURCEIP} dev "${VTI_INTERFACE}"
    # Policy-routing rule: packets marked 0x1 use the per-user routing table
    if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
      ip rule add from all fwmark 0x1 lookup $VPN_USER
    fi
    # Launch routing script
    /etc/ipsec.route.sh
    ;;
  down-client)
    ip tunnel del "${VTI_INTERFACE}"
    ;;
esac</pre></blockquote>
<div><br></div>
<div>/etc/ipsec.route.sh</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><pre>export TABLE_ID="vpn"
export VPN_USER="vpn"
export VTI_INTERFACE="vti0"
export LOCAL_IP="10.211.55.3"

# Flush iptables rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# Mark packets from $VPN_USER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# Deny $VPN_USER access to interfaces other than lo
# iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
# Allow $VPN_USER to access lo and the VPN interface
iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT

# Allow responses from $VTI_INTERFACE
iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Masquerade packets on $VTI_INTERFACE
iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
# Routing rules
GATEWAY=$(ifconfig $VTI_INTERFACE |
    egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
    egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
ip route replace default via $GATEWAY table $TABLE_ID
# Fallback route so the user's traffic never escapes via the normal default route when the VTI is gone
ip route append default via 127.0.0.1 dev lo table $TABLE_ID
ip route flush cache</pre></blockquote>
</div></blockquote></div><br></div></div>
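Added diagnostic example (not part of this thread, and not a strongSwan tool): a small Python script that walks charon log lines of the kind charondebug="ike 2" produces and builds a timeline of keep-alives, the DPD request, retransmits, the give-up, and IKE_SA re-establishments, so the gap between the last good keep-alive and the restart with a new virtual IP can be measured. The embedded log lines are constructed to resemble charon syslog output; they are not the real syslog.txt.

```python
import re
from datetime import datetime

# Constructed sample resembling charon syslog output (charondebug="ike 2");
# not the real syslog.txt from the thread. Peer address is a documentation IP.
SAMPLE_LOG = """\
May 29 17:12:40 host charon: 05[IKE] IKE_SA VPN[1] established between 10.211.55.3[10.211.55.3]...203.0.113.5[free-nl.hide.me]
May 29 17:13:00 host charon: 06[IKE] sending keep alive to 203.0.113.5[4500]
May 29 17:13:20 host charon: 07[IKE] sending keep alive to 203.0.113.5[4500]
May 29 17:14:34 host charon: 08[IKE] sending DPD request
May 29 17:14:38 host charon: 09[IKE] retransmit 1 of request with message ID 2
May 29 17:16:04 host charon: 11[IKE] giving up after 5 retransmits
May 29 17:16:04 host charon: 11[IKE] restarting CHILD_SA VPN
May 29 17:16:06 host charon: 12[IKE] IKE_SA VPN[2] established between 10.211.55.3[10.211.55.3]...203.0.113.5[free-nl.hide.me]
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] (.*)$")
EVENT_PATTERNS = [  # (event kind, pattern matched against the message part)
    ("established", re.compile(r"IKE_SA (\S+)\[(\d+)\] established")),
    ("keepalive", re.compile(r"sending keep alive")),
    ("dpd", re.compile(r"sending DPD request")),
    ("retransmit", re.compile(r"retransmit (\d+) of request")),
    ("gave_up", re.compile(r"giving up after (\d+) retransmits")),
]

def parse_events(text, year=2018):
    """Return [(timestamp, kind, captured groups)] for recognised charon lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for kind, pat in EVENT_PATTERNS:
            em = pat.search(m.group(2))
            if em:
                events.append((ts, kind, em.groups()))
                break
    return events

def analyse(events):
    """Summarise one failure cycle: time from SA setup to the DPD that went unanswered,
    how long charon retransmitted before giving up, how fast the new SA came up, and
    how many IKE_SA generations (each gets a fresh virtual IP) the log contains."""
    sas = [e for e in events if e[1] == "established"]
    dpd = next((e for e in events if e[1] == "dpd"), None)
    gave_up = next((e for e in events if e[1] == "gave_up"), None)
    summary = {"ike_sa_generations": len(sas)}
    if sas and dpd:
        summary["seconds_established_to_dpd"] = (dpd[0] - sas[0][0]).total_seconds()
    if dpd and gave_up:
        summary["seconds_retransmitting"] = (gave_up[0] - dpd[0]).total_seconds()
        summary["retransmits"] = int(gave_up[2][0])
    if gave_up and len(sas) > 1:
        summary["seconds_to_reestablish"] = (sas[1][0] - gave_up[0]).total_seconds()
    return summary
```

Run it over the real syslog.txt by replacing SAMPLE_LOG with the file contents; a short seconds_retransmitting with no replies after the DPD request points at the path between client and server rather than at the routing scripts, which only run once the new SA is up.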