<div dir="ltr">Hi,<div>I've added the setting in the "strongswan.conf" file but, unfortunately, the issue is still the same...</div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font size="1">charon {<br> interfaces_use = bond0<br> load_modular = yes<br> plugins {<br> include strongswan.d/charon/*.conf<br> }<br> filelog {<br> /var/log/charon_debug.log {<br> time_format = %a, %Y-%m-%d %R<br> default = 2<br> mgr = 0<br> net = 1<br> enc = 1<br> asn = 1<br> job = 1<br> ike_name = yes<br> append = no<br> flush_line = yes<br> }<br> }<br>}<br>include strongswan.d/*.conf</font></blockquote><div><br></div><div>It seems to be a routing problem because I have a lot of "retransmit" messages (see below), but: </div><div> - Why is it working at the beginning, when the connection to the VPN server is established? </div><div> - Are any requests blocked if strongSwan (here used as a client) is not receiving an answer from the VPN server?</div></div><div> - Can someone explain why it has to retransmit the response? </div><div> Does it mean the server is not receiving it? 
or is a rule missing for routing this packet through the vti?</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font size="1">Sat, 2018-06-09 11:57 15[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)<br></font><font size="1">Sat, 2018-06-09 11:57 10[IKE] <VPN|2> retransmit 1 of request with message ID 6<br></font><font size="1">Sat, 2018-06-09 11:57 10[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)<br></font><font size="1">Sat, 2018-06-09 11:57 05[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)<br></font><font size="1">Sat, 2018-06-09 11:57 05[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]<br></font><font size="1">Sat, 2018-06-09 11:57 05[ENC] <VPN|2> generating INFORMATIONAL response 1 [ ]<br></font><font size="1">Sat, 2018-06-09 11:57 05[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)<br></font><font size="1">Sat, 2018-06-09 11:57 16[IKE] <VPN|2> retransmit 2 of request with message ID 6<br></font><font size="1">Sat, 2018-06-09 11:57 16[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)<br></font><font size="1">Sat, 2018-06-09 11:57 07[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)<br></font><font size="1">Sat, 2018-06-09 11:57 07[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]<br></font><font size="1">Sat, 2018-06-09 11:57 07[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response<br></font><font size="1">Sat, 2018-06-09 11:57 07[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)<br></font><font size="1">Sat, 2018-06-09 11:57 13[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 
bytes)<br></font><font size="1">Sat, 2018-06-09 11:57 13[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]<br></font><font size="1">Sat, 2018-06-09 11:57 13[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response<br></font><font size="1">Sat, 2018-06-09 11:57 13[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)<br></font><font size="1">Sat, 2018-06-09 11:57 12[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)<br></font><font size="1">Sat, 2018-06-09 11:57 12[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]<br></font><font size="1">Sat, 2018-06-09 11:57 12[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response<br></font><font size="1">Sat, 2018-06-09 11:57 12[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)<br></font><font size="1">Sat, 2018-06-09 11:57 09[KNL] <VPN|2> querying policy <a href="http://10.3.185.30/32" target="_blank">10.3.185.30/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> out (mark 2/0xffffffff)<br></font><font size="1">Sat, 2018-06-09 11:57 03[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)</font></blockquote><div><br></div><div>Regards,</div><div>Gilles </div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Jun 8, 2018 at 5:08 PM Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Try setting charon.interfaces_use=bond0<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
On 06.06.2018 11:47, Gilles Printemps wrote:<br>
> Hi Noel/Tobias,<br>
> I've done the modification in the script as highlighted but, unfortunately, I still have the same problem: <br>
> After 2 minutes, when I'm executing the same command, it's failing...<br>
> $ sudo -u vpn -i -- curl ipinfo.io<br>
> curl: (6) Could not resolve host: ipinfo.io<br>
> <br>
> My routing script:<br>
> <br>
> export TABLE_ID="vpn"<br>
> export VPN_USER="vpn"<br>
> export VTI_INTERFACE="vti0"<br>
> export LOCAL_IP="192.168.0.30"<br>
> #export LOCAL_IP="10.211.55.3"<br>
> <br>
> # Flush iptables rules<br>
> iptables -F -t nat<br>
> iptables -F -t mangle<br>
> iptables -F -t filter<br>
> # Mark packets from $VPN_USER<br>
> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark<br>
> iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1<br>
> iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1<br>
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark<br>
> # Deny $VPN_USER to access other interfaces than lo<br>
> # iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP<br>
> # Allow $VPN_USER to access lo and VPN interfaces<br>
> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT<br>
> iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT<br>
> <br>
> # Allow responses coming back in over $VTI_INTERFACE<br>
> iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT<br>
> # Masquerade packets leaving over $VTI_INTERFACE<br>
> iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE<br>
> # Routing rules: the tunnel address of $VTI_INTERFACE (last non-netmask, non-loopback address in the ifconfig output) becomes the next hop of table $TABLE_ID<br>
> GATEWAY=$(ifconfig $VTI_INTERFACE |<br>
> egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |<br>
> egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)<br>
> ip route replace default via $GATEWAY table $TABLE_ID<br>
> ip route append default via 127.0.0.1 dev lo table $TABLE_ID<br>
> ip route flush cache<br>
> <br>
> <br>
> I really don't understand how this issue can be related to a routing table. Indeed, just after starting the VPN, the connection is working fine and the command is returning the right result.<br>
> <br>
> Please find below the routing table status after each step...<br>
> Hopefully it will help in finding where this issue is coming from...<br>
> BR Gilles<br>
> <br>
> $ sudo ipsec start<br>
> $ sudo ipsec statusall<br>
> <br>
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):<br>
> uptime: 8 seconds, <br>
> malloc: sbrk 3088384, mmap 0, used 1304704, free 1783680<br>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0<br>
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity<br>
> Listening IP addresses:<br>
> 192.168.0.30<br>
> Connections:<br>
> VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s<br>
> VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'<br>
> VPN: remote: uses public key authentication<br>
> VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart<br>
> Routed Connections:<br>
> VPN{1}: ROUTED, TUNNEL, reqid 1<br>
> VPN{1}: 192.168.0.30/32 === 0.0.0.0/0<br>
> Security Associations (0 up, 0 connecting):<br>
> none<br>
> <br>
> <br>
> $ sudo ip route show table all<br>
> <br>
> default via 127.0.0.1 dev lo table vpn<br>
> default via 192.168.0.1 dev bond0 onlink<br>
> 192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30<br>
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1<br>
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1<br>
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1<br>
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1<br>
> broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30<br>
> broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> fe80::/64 dev bond0 proto kernel metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> local ::1 dev lo table local proto none metric 0 pref medium<br>
> local fe80:: dev lo table local proto none metric 0 pref medium<br>
> local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium<br>
> ff00::/8 dev bond0 table local metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> <br>
> <br>
> $ sudo ipsec up VPN<br>
> ...<br>
> connection 'VPN' established successfully<br>
> <br>
> $ sudo -u vpn -i -- curl ipinfo.io<br>
> <br>
> {<br>
> "ip": "95.211.101.229",<br>
> "city": "",<br>
> "region": "",<br>
> "country": "NL",<br>
> "loc": "52.3824,4.8995",<br>
> "org": "AS60781 LeaseWeb Netherlands B.V."<br>
> }<br>
> <br>
> <br>
> $ sudo ifconfig (vti0 and bond0 interfaces)<br>
> <br>
> bond0 Link encap:Ethernet HWaddr c8:1f:66:cb:1f:af<br>
> inet addr:192.168.0.30 Bcast:192.168.0.255 Mask:255.255.255.0<br>
> inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link<br>
> UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1<br>
> RX packets:1239225 errors:13 dropped:1649 overruns:0 frame:3<br>
> TX packets:664640 errors:0 dropped:3 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:1000<br>
> RX bytes:298208189 (298.2 MB) TX bytes:123692731 (123.6 MB)<br>
> vti0 Link encap:IPIP Tunnel HWaddr<br>
> inet addr:10.3.153.58 P-t-P:10.3.153.58 Mask:255.255.255.255<br>
> UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1<br>
> RX packets:6 errors:0 dropped:0 overruns:0 frame:0<br>
> TX packets:8 errors:0 dropped:0 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:1<br>
> RX bytes:957 (957.0 B) TX bytes:503 (503.0 B) <br>
> <br>
> <br>
> $ sudo ipsec statusall<br>
> <br>
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):<br>
> uptime: 95 seconds, <br>
> malloc: sbrk 3629056, mmap 0, used 1409056, free 2220000<br>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4<br>
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity<br>
> Listening IP addresses:<br>
> 192.168.0.30<br>
> 10.3.153.58<br>
> Connections:<br>
> VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s<br>
> VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'<br>
> VPN: remote: uses public key authentication<br>
> VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart<br>
> Routed Connections:<br>
> VPN{1}: ROUTED, TUNNEL, reqid 1<br>
> VPN{1}: 192.168.0.30/32 === 0.0.0.0/0<br>
> Security Associations (1 up, 0 connecting):<br>
> VPN[1]: ESTABLISHED 33 seconds ago, 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]<br>
> VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i* 08a6a85a2e5367a6_r, EAP reauthentication in 2 hours<br>
> VPN[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384<br>
> VPN{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3519ebd_i c3e6821b_o<br>
> VPN{2}: AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6 pkts, 25s ago), 532 bytes_o (9 pkts, 25s ago), rekeying in 46 minutes<br>
> VPN{2}: 10.3.153.58/32 === 0.0.0.0/0<br>
> <br>
> <br>
> $ sudo ip route show table all<br>
> <br>
> default via 10.3.153.58 dev vti0 table vpn<br>
> default via 127.0.0.1 dev lo table vpn<br>
> default via 192.168.0.1 dev bond0 onlink<br>
> 192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30<br>
> local 10.3.153.58 dev vti0 table local proto kernel scope host src 10.3.153.58<br>
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1<br>
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1<br>
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1<br>
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1<br>
> broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30<br>
> broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> fe80::/64 dev bond0 proto kernel metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> local ::1 dev lo table local proto none metric 0 pref medium<br>
> local fe80:: dev lo table local proto none metric 0 pref medium<br>
> local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium<br>
> ff00::/8 dev bond0 table local metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> <br>
> <br>
> Display of all routing tables<br>
> <br>
> Filter table:<br>
> Chain INPUT (policy ACCEPT 189 packets, 15132 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 6 957 ACCEPT all -- vti0 any anywhere anywhere ctstate ESTABLISHED<br>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain OUTPUT (policy ACCEPT 185 packets, 26720 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 0 0 ACCEPT all -- any lo anywhere anywhere owner UID match vpn<br>
> 0 0 ACCEPT all -- any vti0 anywhere anywhere owner UID match vpn<br>
> Nat table:<br>
> Chain PREROUTING (policy ACCEPT 2 packets, 136 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain INPUT (policy ACCEPT 2 packets, 136 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain OUTPUT (policy ACCEPT 30 packets, 2361 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain POSTROUTING (policy ACCEPT 28 packets, 2246 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 2 115 MASQUERADE all -- any vti0 anywhere anywhere<br>
> Mangle table:<br>
> Chain PREROUTING (policy ACCEPT 195 packets, 16089 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain INPUT (policy ACCEPT 195 packets, 16089 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain OUTPUT (policy ACCEPT 193 packets, 28964 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 193 28964 CONNMARK all -- any any anywhere anywhere CONNMARK restore<br>
> 14 1439 MARK all -- any any anywhere !coruscant.printemps.cc owner UID match vpn MARK set 0x1<br>
> 0 0 MARK all -- any any !coruscant.printemps.cc anywhere owner UID match vpn MARK set 0x1<br>
> 193 28964 CONNMARK all -- any any anywhere anywhere CONNMARK save<br>
> Chain POSTROUTING (policy ACCEPT 211 packets, 30421 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> <br>
> <br>
> <br>
> After ~2 minutes, the connection is broken<br>
> $ sudo -u vpn -i -- curl ipinfo.io<br>
> curl: (6) Could not resolve host: ipinfo.io<br>
> <br>
> $ sudo ipsec statusall<br>
> <br>
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):<br>
> uptime: 3 minutes, <br>
> malloc: sbrk 3629056, mmap 0, used 1411312, free 2217744<br>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5<br>
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity<br>
> Listening IP addresses:<br>
> 192.168.0.30<br>
> 10.3.153.58<br>
> Connections:<br>
> VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s<br>
> VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'<br>
> VPN: remote: uses public key authentication<br>
> VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart<br>
> Routed Connections:<br>
> VPN{1}: ROUTED, TUNNEL, reqid 1<br>
> VPN{1}: 192.168.0.30/32 === 0.0.0.0/0<br>
> Security Associations (1 up, 0 connecting):<br>
> VPN[1]: ESTABLISHED 2 minutes ago, 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]<br>
> VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i* 08a6a85a2e5367a6_r, EAP reauthentication in 2 hours<br>
> VPN[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384<br>
> VPN[1]: Tasks active: IKE_MOBIKE<br>
> VPN{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3519ebd_i c3e6821b_o<br>
> VPN{2}: AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6 pkts, 161s ago), 4127 bytes_o (52 pkts, 27s ago), rekeying in 44 minutes<br>
> VPN{2}: 10.3.153.58/32 === 0.0.0.0/0<br>
> <br>
> <br>
> $ sudo ifconfig (vti0 and bond0 interfaces)<br>
> <br>
> bond0 Link encap:Ethernet HWaddr c8:1f:66:cb:1f:af<br>
> inet addr:192.168.0.30 Bcast:192.168.0.255 Mask:255.255.255.0<br>
> inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link<br>
> UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1<br>
> RX packets:1240273 errors:13 dropped:1651 overruns:0 frame:3<br>
> TX packets:665233 errors:0 dropped:3 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:1000<br>
> RX bytes:298394839 (298.3 MB) TX bytes:123780036 (123.7 MB)<br>
> vti0 Link encap:IPIP Tunnel HWaddr<br>
> inet addr:10.3.153.58 P-t-P:10.3.153.58 Mask:255.255.255.255<br>
> UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1<br>
> RX packets:6 errors:0 dropped:0 overruns:0 frame:0<br>
> TX packets:51 errors:0 dropped:0 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:1<br>
> RX bytes:957 (957.0 B) TX bytes:4098 (4.0 KB)<br>
> <br>
> <br>
> $ sudo ip route show table all<br>
> <br>
> default via 10.3.153.58 dev vti0 table vpn<br>
> default via 127.0.0.1 dev lo table vpn<br>
> default via 192.168.0.1 dev bond0 onlink<br>
> 192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30<br>
> local 10.3.153.58 dev vti0 table local proto kernel scope host src 10.3.153.58<br>
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1<br>
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1<br>
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1<br>
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1<br>
> broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30<br>
> broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> fe80::/64 dev bond0 proto kernel metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> local ::1 dev lo table local proto none metric 0 pref medium<br>
> local fe80:: dev lo table local proto none metric 0 pref medium<br>
> local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium<br>
> ff00::/8 dev bond0 table local metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> <br>
> <br>
> <br>
> After ~2 minutes, the connection is restarted...<br>
> $ sudo -u vpn -i -- curl ipinfo.io<br>
> <br>
> {<br>
> "ip": "109.201.137.48",<br>
> "hostname": "",<br>
> "city": "Amsterdam",<br>
> "region": "Noord-Holland",<br>
> "country": "NL",<br>
> "loc": "52.3666,4.9027",<br>
> "postal": "1066",<br>
> "org": "AS43350 NForce Entertainment B.V."<br>
> }<br>
> <br>
> <br>
> $ sudo ipsec statusall<br>
> <br>
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):<br>
> uptime: 6 minutes, <br>
> malloc: sbrk 3629056, mmap 0, used 1434848, free 2194208<br>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7<br>
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity<br>
> Listening IP addresses:<br>
> 192.168.0.30<br>
> 10.3.189.169<br>
> Connections:<br>
> VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s<br>
> VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'<br>
> VPN: remote: uses public key authentication<br>
> VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart<br>
> Routed Connections:<br>
> VPN{1}: ROUTED, TUNNEL, reqid 1<br>
> VPN{1}: 192.168.0.30/32 === 0.0.0.0/0<br>
> Security Associations (1 up, 0 connecting):<br>
> VPN[2]: ESTABLISHED 61 seconds ago, 192.168.0.30[192.168.0.30]...109.201.137.46[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]<br>
> VPN[2]: IKEv2 SPIs: 5855a17374bc3cee_i* cedf941ba5dff66d_r, EAP reauthentication in 2 hours<br>
> VPN[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384<br>
> VPN[2]: Tasks active: CHILD_CREATE<br>
> VPN{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca615d08_i c38d7138_o<br>
> VPN{3}: AES_CBC_256/HMAC_SHA2_256_128, 1017 bytes_i (6 pkts, 31s ago), 503 bytes_o (8 pkts, 31s ago), rekeying in 44 minutes<br>
> VPN{3}: 10.3.189.169/32 === 0.0.0.0/0<br>
> <br>
> <br>
> $ sudo ip route show table all<br>
> <br>
> default via 10.3.189.169 dev vti0 table vpn<br>
> default via 127.0.0.1 dev lo table vpn<br>
> default via 192.168.0.1 dev bond0 onlink<br>
> 192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30<br>
> local 10.3.189.169 dev vti0 table local proto kernel scope host src 10.3.189.169<br>
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1<br>
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1<br>
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1<br>
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1<br>
> broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30<br>
> broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> fe80::/64 dev bond0 proto kernel metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> local ::1 dev lo table local proto none metric 0 pref medium<br>
> local fe80:: dev lo table local proto none metric 0 pref medium<br>
> local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium<br>
> ff00::/8 dev bond0 table local metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> <br>
> <br>
> <br>
<br>
</blockquote></div></div>
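The questions at the top of the thread (why charon retransmits, and whether a peer retransmit means the server is not receiving the response) can be answered mechanically from the IKEv2 retransmission rules in RFC 7296 section 2.1: only the side that initiated an exchange retransmits its request, and the responder resends its stored response only when it sees the same request again. The classifier below is an added example, not code from the strongSwan project or from anyone in this thread. It assumes the filelog format configured in the thread (time_format = %a, %Y-%m-%d %R with ike_name = yes), the charon messages visible in the quoted excerpt plus the "giving up after N retransmits" line charon writes when retransmit_tries is exhausted, and uses the NET and IKE lines of the quoted excerpt as its sample input.

```python
"""Classify IKEv2 packet loss from charon retransmit log lines.

Added example, not strongSwan code. RFC 7296 section 2.1: the initiator of an
exchange retransmits its request until a response arrives; the responder only
resends its stored response when the same request shows up again. Which side
keeps retransmitting therefore shows which direction is losing packets.
"""
import re
from collections import defaultdict

# Line format produced by the filelog block in the thread
# (time_format = %a, %Y-%m-%d %R and ike_name = yes), e.g.
#   Sat, 2018-06-09 11:57 10[IKE] <VPN|2> retransmit 1 of request with message ID 6
LINE_RE = re.compile(
    r"^(?P<ts>\S+, \S+ \S+) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?P<sa>[^>]+)> (?P<msg>.*)$"
)
# Our request got no response and charon resent it (attempt counter grows).
OUR_RETRANSMIT_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
# The peer resent a request we already answered: it never saw our response.
PEER_RETRANSMIT_RE = re.compile(
    r"received retransmit of request with ID (\d+), retransmitting response")
# Raw UDP datagram direction, to confirm which way traffic still flows.
PACKET_RE = re.compile(r"^(sending|received) packet: from \S+ to \S+ \((\d+) bytes\)")
# Logged when retransmit_tries is exhausted; dpdaction=restart then rebuilds the SA.
GIVE_UP_RE = re.compile(r"giving up after (\d+) retransmits")


def parse_lines(lines):
    """Yield (ike_sa_name, message) for every line in charon's filelog format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("sa"), m.group("msg")


def classify(sa):
    """Map one IKE SA's counters to the direction in which packets are lost."""
    ours, peer = bool(sa["our_retransmits"]), bool(sa["peer_retransmits"])
    if ours and peer:
        # Peer requests reach us (we answered them) but the peer never sees the
        # answers, and our own requests go unanswered: the common factor is the
        # path from us to the peer.
        return "outbound loss: neither our responses nor our requests reach the peer"
    if peer:
        return "outbound loss: our responses do not reach the peer"
    if ours:
        return "no response to our requests: lost outbound, or the answer is lost inbound"
    return "no retransmits"


def summarise(lines):
    """Return per-IKE-SA retransmit counters, datagram counts and a verdict."""
    stats = {}
    for sa_name, msg in parse_lines(lines):
        sa = stats.setdefault(sa_name, {
            "our_retransmits": {},                 # message ID -> highest attempt
            "peer_retransmits": defaultdict(int),  # message ID -> times resent
            "sent": 0, "received": 0, "gave_up": False,
        })
        if m := OUR_RETRANSMIT_RE.search(msg):
            attempt, mid = int(m.group(1)), int(m.group(2))
            sa["our_retransmits"][mid] = max(sa["our_retransmits"].get(mid, 0), attempt)
        elif m := PEER_RETRANSMIT_RE.search(msg):
            sa["peer_retransmits"][int(m.group(1))] += 1
        elif m := PACKET_RE.match(msg):
            sa["sent" if m.group(1) == "sending" else "received"] += 1
        elif GIVE_UP_RE.search(msg):
            sa["gave_up"] = True
    for sa in stats.values():
        sa["peer_retransmits"] = dict(sa["peer_retransmits"])
        sa["verdict"] = classify(sa)
    return stats


# Sample input: the NET and IKE lines of the excerpt quoted in the thread.
SAMPLE_LOG = """\
Sat, 2018-06-09 11:57 15[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 10[IKE] <VPN|2> retransmit 1 of request with message ID 6
Sat, 2018-06-09 11:57 10[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 05[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 05[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 16[IKE] <VPN|2> retransmit 2 of request with message ID 6
Sat, 2018-06-09 11:57 16[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 07[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 07[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 07[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 13[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 13[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 13[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 12[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 12[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 12[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
"""

if __name__ == "__main__":
    for name, sa in summarise(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: sent={sa['sent']} received={sa['received']} "
              f"ours={sa['our_retransmits']} peer={sa['peer_retransmits']}")
        print(f"  -> {sa['verdict']}")
```

For the quoted excerpt the script reports four datagrams received, seven sent, our message ID 6 retransmitted twice and the peer's request ID 1 resent three times after it was answered; the verdict is therefore outbound loss on the IKE path. That narrows the check to what happens to UDP/4500 packets leaving 192.168.0.30 (policy routing, marks, and which local address charon picks), which is also the direction the interfaces_use hint addresses.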