<div dir="ltr">After my last email, where I mentioned that the setting has no effect, I discovered something interesting:<div>Right after establishing the connection to the VPN, </div><div> - if I'm doing nothing (no traffic) through the vti, or</div><div> - if I'm pinging a host using the virtual tunnelling directly (ping -I vti0 <a href="http://www.google.com">www.google.com</a>),</div><div> the connection to the VPN is not destroyed and there is no retransmission of packets.</div><div><br></div><div>Everything starts going wrong when I'm just doing my test request using the "vpn" user </div><div>(sudo -u vpn -i -- curl <a href="http://ipinfo.io">ipinfo.io</a>). Even if I'm getting the answer from this request, I'm starting to see retransmissions, and right after, the connection is dropped and established again. And from then on, the connection stays alive until a new request as before.</div><div>Any command using the "vpn" user seems to impact the connection to the VPN and destroy it...</div><div><br></div><div>Best Regards,</div><div>Gilles</div><div><div><br><div class="gmail_quote"><div dir="ltr">On Sat, Jun 9, 2018 at 12:16 PM Gilles Printemps <<a href="mailto:gprintemps@gmail.com">gprintemps@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div>I've added the setting to the "strongswan.conf" file but, unfortunately, the issue is still the same...</div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font size="1">charon {<br> interfaces_use = bond0<br> load_modular = yes<br> plugins {<br> include strongswan.d/charon/*.conf<br> }<br> filelog {<br> /var/log/charon_debug.log {<br> time_format = %a, %Y-%m-%d %R<br> default = 2<br> mgr = 0<br> net = 1<br> enc = 1<br> asn = 1<br> job = 1<br> ike_name = yes<br> append = no<br> flush_line = yes<br> }<br> }<br>}<br>include strongswan.d/*.conf</font></blockquote><div><br></div><div>It seems to be a routing problem because I have a lot of "retransmit" messages (see below), but </div><div> - Why is it working at the beginning, when the connection to the VPN server is established? </div><div> - Are any requests blocked if strongSwan (here used as client) is not receiving an answer from the VPN server?</div></div><div> - Can someone explain why it has to retransmit the response? </div><div> Does it mean the server is not receiving it? Or is a rule missing for routing this packet through the vti?</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<font size="1">Sat, 2018-06-09 11:57 15[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)<br></font>
<font size="1">Sat, 2018-06-09 11:57 10[IKE] <VPN|2> retransmit 1 of request with message ID 6<br></font>
<font size="1">Sat, 2018-06-09 11:57 10[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)<br></font>
<font size="1">Sat, 2018-06-09 11:57 05[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)<br></font>
<font size="1">Sat, 2018-06-09 11:57 05[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]<br></font>
<font size="1">Sat, 2018-06-09 11:57 05[ENC] <VPN|2> generating INFORMATIONAL response 1 [ ]<br></font>
<font size="1">Sat, 2018-06-09 11:57 05[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)<br></font>
<font size="1">Sat, 2018-06-09 11:57 16[IKE] <VPN|2> retransmit 2 of request with message ID 6<br></font>
<font size="1">Sat, 2018-06-09 11:57 16[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)<br></font>
<font size="1">Sat, 2018-06-09 11:57 07[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)<br></font>
<font size="1">Sat, 2018-06-09 11:57 07[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]<br></font>
<font size="1">Sat, 2018-06-09 11:57 07[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response<br></font>
<font size="1">Sat, 2018-06-09 11:57 07[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)<br></font>
<font size="1">Sat, 2018-06-09 11:57 13[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)<br></font>
<font size="1">Sat, 2018-06-09 11:57 13[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]<br></font>
<font size="1">Sat, 2018-06-09 11:57 13[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response<br></font>
<font size="1">Sat, 2018-06-09 11:57 13[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)<br></font>
<font size="1">Sat, 2018-06-09 11:57 12[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)<br></font>
<font size="1">Sat, 2018-06-09 11:57 12[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]<br></font>
<font size="1">Sat, 2018-06-09 11:57 12[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response<br></font>
<font size="1">Sat, 2018-06-09 11:57 12[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)<br></font>
<font size="1">Sat, 2018-06-09 11:57 09[KNL] <VPN|2> querying policy <a href="http://10.3.185.30/32" target="_blank">10.3.185.30/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> out (mark 2/0xffffffff)<br></font>
<font size="1">Sat, 2018-06-09 11:57 03[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)</font></blockquote><div><br></div><div>Regards,</div><div>Gilles </div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Jun 8, 2018 at 5:08 PM Noel Kuntze
<noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
Try setting charon.interfaces_use=bond0<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
On 06.06.2018 11:47, Gilles Printemps wrote:<br>
> Hi Noel/Tobias,<br>
> I've done the modification in the script as highlighted but, unfortunately, I still have the same problem: <br>
> After 2 minutes, when I'm executing the same command, it's failing...<br>
> $ sudo -u vpn -i -- curl <a href="http://ipinfo.io" rel="noreferrer" target="_blank">ipinfo.io</a> <<a href="http://ipinfo.io" rel="noreferrer" target="_blank">http://ipinfo.io</a>><br>
> curl: (6) Could not resolve host: <a href="http://ipinfo.io" rel="noreferrer" target="_blank">ipinfo.io</a> <<a href="http://ipinfo.io" rel="noreferrer" target="_blank">http://ipinfo.io</a>><br>
> <br>
> My routing script:<br>
> <br>
> export TABLE_ID="vpn"<br>
> export VPN_USER="vpn"<br>
> export VTI_INTERFACE="vti0"<br>
> export LOCAL_IP="192.168.0.30"<br>
> #export LOCAL_IP="10.211.55.3"<br>
> <br>
> # Flush iptables rules<br>
> iptables -F -t nat<br>
> iptables -F -t mangle<br>
> iptables -F -t filter<br>
> # Mark packets from $VPN_USER<br>
> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark<br>
> iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1<br>
> iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1<br>
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark<br>
> # Deny $VPN_USER to access other interfaces than lo<br>
> # iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP<br>
> # Allow $VPN_USER to access lo and VPN interfaces<br>
> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT<br>
> iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT<br>
> <br>
> # Allow response from $VTI_INTERFACE<br>
> iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT<br>
> # Masquerade packets on $VTI_INTERFACE<br>
> iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE<br>
> # Routing rules<br>
> GATEWAY=$(ifconfig $VTI_INTERFACE |<br>
> egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |<br>
> egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)<br>
> ip route replace default via $GATEWAY table $TABLE_ID<br>
> ip route append default via 127.0.0.1 dev lo table $TABLE_ID<br>
> ip route flush cache<br>
> <br>
> <br>
> I really don't understand how this issue can be related to a routing table. Indeed, just after starting the VPN, the connection is working fine and the command is returning the right result.<br>
> <br>
> Please find below the routing table status after each step...<br>
> Hope it will help in finding where this issue is coming from...<br>
> BR Gilles<br>
> <br>
> $ sudo ipsec start<br>
> $ sudo ipsec statusall<br>
> <br>
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):<br>
> uptime: 8 seconds, <br>
> malloc: sbrk 3088384, mmap 0, used 1304704, free 1783680<br>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0<br>
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity<br>
> Listening IP addresses:<br>
> 192.168.0.30<br>
> Connections:<br>
> VPN: %any...<a href="http://free-nl.hide.me" rel="noreferrer" target="_blank">free-nl.hide.me</a> <<a href="http://free-nl.hide.me" rel="noreferrer" target="_blank">http://free-nl.hide.me</a>> IKEv2, dpddelay=30s<br>
> VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'<br>
> VPN: remote: uses public key authentication<br>
> VPN: child: dynamic === <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>> TUNNEL, dpdaction=restart<br>
> Routed Connections:<br>
> VPN{1}: ROUTED, TUNNEL, reqid 1<br>
> VPN{1}: <a href="http://192.168.0.30/32" rel="noreferrer" target="_blank">192.168.0.30/32</a> <<a href="http://192.168.0.30/32" rel="noreferrer" target="_blank">http://192.168.0.30/32</a>> === <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>><br>
> Security Associations (0 up, 0 connecting):<br>
> none<br>
> <br>
> <br>
> $ sudo ip route show table all<br>
> <br>
> default via 127.0.0.1 dev lo table vpn<br>
> default via 192.168.0.1 dev bond0 onlink<br>
> <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> <<a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">http://192.168.0.0/24</a>> dev bond0 proto kernel scope link src 192.168.0.30<br>
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1<br>
> local <a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">127.0.0.0/8</a> <<a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">http://127.0.0.0/8</a>> dev lo table local proto kernel scope host src 127.0.0.1<br>
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1<br>
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1<br>
> broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30<br>
> broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> fe80::/64 dev bond0 proto kernel metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> local ::1 dev lo table local proto none metric 0 pref medium<br>
> local fe80:: dev lo table local proto none metric 0 pref medium<br>
> local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium<br>
> ff00::/8 dev bond0 table local metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> <br>
> <br>
> $ sudo ipsec up VPN<br>
> ...<br>
> connection 'VPN' established successfully<br>
> <br>
> $ sudo -u vpn -i -- curl <a href="http://ipinfo.io" rel="noreferrer" target="_blank">ipinfo.io</a> <<a href="http://ipinfo.io" rel="noreferrer" target="_blank">http://ipinfo.io</a>><br>
> <br>
> {<br>
> "ip": "95.211.101.229",<br>
> "city": "",<br>
> "region": "",<br>
> "country": "NL",<br>
> "loc": "52.3824,4.8995",<br>
> "org": "AS60781 LeaseWeb Netherlands B.V."<br>
> }<br>
> <br>
> <br>
> $ sudo ifconfig (vti0 and bond0 interfaces)<br>
> <br>
> bond0 Link encap:Ethernet HWaddr c8:1f:66:cb:1f:af<br>
> inet addr:192.168.0.30 Bcast:192.168.0.255 Mask:255.255.255.0<br>
> inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link<br>
> UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1<br>
> RX packets:1239225 errors:13 dropped:1649 overruns:0 frame:3<br>
> TX packets:664640 errors:0 dropped:3 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:1000<br>
> RX bytes:298208189 (298.2 MB) TX bytes:123692731 (123.6 MB)<br>
> vti0 Link encap:IPIP Tunnel HWaddr<br>
> inet addr:10.3.153.58 P-t-P:10.3.153.58 Mask:255.255.255.255<br>
> UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1<br>
> RX packets:6 errors:0 dropped:0 overruns:0 frame:0<br>
> TX packets:8 errors:0 dropped:0 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:1<br>
> RX bytes:957 (957.0 B) TX bytes:503 (503.0 B) <br>
> <br>
> <br>
> $ sudo ipsec statusall<br>
> <br>
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):<br>
> uptime: 95 seconds, <br>
> malloc: sbrk 3629056, mmap 0, used 1409056, free 2220000<br>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4<br>
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity<br>
> Listening IP addresses:<br>
> 192.168.0.30<br>
> 10.3.153.58<br>
> Connections:<br>
> VPN: %any...<a href="http://free-nl.hide.me" rel="noreferrer" target="_blank">free-nl.hide.me</a> <<a href="http://free-nl.hide.me" rel="noreferrer" target="_blank">http://free-nl.hide.me</a>> IKEv2, dpddelay=30s<br>
> VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'<br>
> VPN: remote: uses public key authentication<br>
> VPN: child: dynamic === <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>> TUNNEL, dpdaction=restart<br>
> Routed Connections:<br>
> VPN{1}: ROUTED, TUNNEL, reqid 1<br>
> VPN{1}: <a href="http://192.168.0.30/32" rel="noreferrer" target="_blank">192.168.0.30/32</a> <<a href="http://192.168.0.30/32" rel="noreferrer" target="_blank">http://192.168.0.30/32</a>> === <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>><br>
> Security Associations (1 up, 0 connecting):<br>
> VPN[1]: ESTABLISHED 33 seconds ago, 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.<a href="http://hide.me" rel="noreferrer" target="_blank">hide.me</a> <<a href="http://hide.me" rel="noreferrer" target="_blank">http://hide.me</a>>]<br>
> VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i* 08a6a85a2e5367a6_r, EAP reauthentication in 2 hours<br>
> VPN[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384<br>
> VPN{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3519ebd_i c3e6821b_o<br>
> VPN{2}: AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6 pkts, 25s ago), 532 bytes_o (9 pkts, 25s ago), rekeying in 46 minutes<br>
> VPN{2}: <a href="http://10.3.153.58/32" rel="noreferrer" target="_blank">10.3.153.58/32</a> <<a href="http://10.3.153.58/32" rel="noreferrer" target="_blank">http://10.3.153.58/32</a>> === <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>><br>
> <br>
> <br>
> $ sudo ip route show table all<br>
> <br>
> default via 10.3.153.58 dev vti0 table vpn<br>
> default via 127.0.0.1 dev lo table vpn<br>
> default via 192.168.0.1 dev bond0 onlink<br>
> <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> <<a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">http://192.168.0.0/24</a>> dev bond0 proto kernel scope link src 192.168.0.30<br>
> local 10.3.153.58 dev vti0 table local proto kernel scope host src 10.3.153.58<br>
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1<br>
> local <a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">127.0.0.0/8</a> <<a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">http://127.0.0.0/8</a>> dev lo table local proto kernel scope host src 127.0.0.1<br>
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1<br>
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1<br>
> broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30<br>
> broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> fe80::/64 dev bond0 proto kernel metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> local ::1 dev lo table local proto none metric 0 pref medium<br>
> local fe80:: dev lo table local proto none metric 0 pref medium<br>
> local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium<br>
> ff00::/8 dev bond0 table local metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> <br>
> <br>
> Display of all routing tables<br>
> <br>
> Filter table:<br>
> Chain INPUT (policy ACCEPT 189 packets, 15132 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 6 957 ACCEPT all -- vti0 any anywhere anywhere ctstate ESTABLISHED<br>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain OUTPUT (policy ACCEPT 185 packets, 26720 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 0 0 ACCEPT all -- any lo anywhere anywhere owner UID match vpn<br>
> 0 0 ACCEPT all -- any vti0 anywhere anywhere owner UID match vpn<br>
> Nat table:<br>
> Chain PREROUTING (policy ACCEPT 2 packets, 136 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain INPUT (policy ACCEPT 2 packets, 136 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain OUTPUT (policy ACCEPT 30 packets, 2361 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain POSTROUTING (policy ACCEPT 28 packets, 2246 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 2 115 MASQUERADE all -- any vti0 anywhere anywhere<br>
> Mangle table:<br>
> Chain PREROUTING (policy ACCEPT 195 packets, 16089 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain INPUT (policy ACCEPT 195 packets, 16089 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> Chain OUTPUT (policy ACCEPT 193 packets, 28964 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 193 28964 CONNMARK all -- any any anywhere anywhere CONNMARK restore<br>
> 14 1439 MARK all -- any any anywhere !<a href="http://coruscant.printemps.cc" rel="noreferrer" target="_blank">coruscant.printemps.cc</a> <<a href="http://coruscant.printemps.cc" rel="noreferrer" target="_blank">http://coruscant.printemps.cc</a>> owner UID match vpn MARK set 0x1<br>
> 0 0 MARK all -- any any !<a href="http://coruscant.printemps.cc" rel="noreferrer" target="_blank">coruscant.printemps.cc</a> <<a href="http://coruscant.printemps.cc" rel="noreferrer" target="_blank">http://coruscant.printemps.cc</a>> anywhere owner UID match vpn MARK set 0x1<br>
> 193 28964 CONNMARK all -- any any anywhere anywhere CONNMARK save<br>
> Chain POSTROUTING (policy ACCEPT 211 packets, 30421 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> <br>
> <br>
> <br>
> After ~2 minutes, the connection is broken<br>
> $ sudo -u vpn -i -- curl <a href="http://ipinfo.io" rel="noreferrer" target="_blank">ipinfo.io</a> <<a href="http://ipinfo.io" rel="noreferrer" target="_blank">http://ipinfo.io</a>><br>
> curl: (6) Could not resolve host: <a href="http://ipinfo.io" rel="noreferrer" target="_blank">ipinfo.io</a> <<a href="http://ipinfo.io" rel="noreferrer" target="_blank">http://ipinfo.io</a>><br>
> <br>
> $ sudo ipsec statusall<br>
> <br>
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):<br>
> uptime: 3 minutes, <br>
> malloc: sbrk 3629056, mmap 0, used 1411312, free 2217744<br>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5<br>
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity<br>
> Listening IP addresses:<br>
> 192.168.0.30<br>
> 10.3.153.58<br>
> Connections:<br>
> VPN: %any...<a href="http://free-nl.hide.me" rel="noreferrer" target="_blank">free-nl.hide.me</a> <<a href="http://free-nl.hide.me" rel="noreferrer" target="_blank">http://free-nl.hide.me</a>> IKEv2, dpddelay=30s<br>
> VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'<br>
> VPN: remote: uses public key authentication<br>
> VPN: child: dynamic === <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>> TUNNEL, dpdaction=restart<br>
> Routed Connections:<br>
> VPN{1}: ROUTED, TUNNEL, reqid 1<br>
> VPN{1}: <a href="http://192.168.0.30/32" rel="noreferrer" target="_blank">192.168.0.30/32</a> <<a href="http://192.168.0.30/32" rel="noreferrer" target="_blank">http://192.168.0.30/32</a>> === <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>><br>
> Security Associations (1 up, 0 connecting):<br>
> VPN[1]: ESTABLISHED 2 minutes ago, 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.<a href="http://hide.me" rel="noreferrer" target="_blank">hide.me</a> <<a href="http://hide.me" rel="noreferrer" target="_blank">http://hide.me</a>>]<br>
> VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i* 08a6a85a2e5367a6_r, EAP reauthentication in 2 hours<br>
> VPN[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384<br>
> VPN[1]: Tasks active: IKE_MOBIKE<br>
> VPN{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3519ebd_i c3e6821b_o<br>
> VPN{2}: AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6 pkts, 161s ago), 4127 bytes_o (52 pkts, 27s ago), rekeying in 44 minutes<br>
> VPN{2}: <a href="http://10.3.153.58/32" rel="noreferrer" target="_blank">10.3.153.58/32</a> <<a href="http://10.3.153.58/32" rel="noreferrer" target="_blank">http://10.3.153.58/32</a>> === <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>><br>
> <br>
> <br>
> $ sudo ifconfig (vti0 and bond0 interfaces)<br>
> <br>
> bond0 Link encap:Ethernet HWaddr c8:1f:66:cb:1f:af<br>
> inet addr:192.168.0.30 Bcast:192.168.0.255 Mask:255.255.255.0<br>
> inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link<br>
> UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1<br>
> RX packets:1240273 errors:13 dropped:1651 overruns:0 frame:3<br>
> TX packets:665233 errors:0 dropped:3 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:1000<br>
> RX bytes:298394839 (298.3 MB) TX bytes:123780036 (123.7 MB)<br>
> vti0 Link encap:IPIP Tunnel HWaddr<br>
> inet addr:10.3.153.58 P-t-P:10.3.153.58 Mask:255.255.255.255<br>
> UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1<br>
> RX packets:6 errors:0 dropped:0 overruns:0 frame:0<br>
> TX packets:51 errors:0 dropped:0 overruns:0 carrier:0<br>
> collisions:0 txqueuelen:1<br>
> RX bytes:957 (957.0 B) TX bytes:4098 (4.0 KB)<br>
> <br>
> <br>
> $ sudo ip route show table all<br>
> <br>
> default via 10.3.153.58 dev vti0 table vpn<br>
> default via 127.0.0.1 dev lo table vpn<br>
> default via 192.168.0.1 dev bond0 onlink<br>
> <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> <<a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">http://192.168.0.0/24</a>> dev bond0 proto kernel scope link src 192.168.0.30<br>
> local 10.3.153.58 dev vti0 table local proto kernel scope host src 10.3.153.58<br>
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1<br>
> local <a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">127.0.0.0/8</a> <<a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">http://127.0.0.0/8</a>> dev lo table local proto kernel scope host src 127.0.0.1<br>
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1<br>
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1<br>
> broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30<br>
> broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> fe80::/64 dev bond0 proto kernel metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> local ::1 dev lo table local proto none metric 0 pref medium<br>
> local fe80:: dev lo table local proto none metric 0 pref medium<br>
> local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium<br>
> ff00::/8 dev bond0 table local metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> <br>
> <br>
> <br>
> After ~2 minutes, the connection is restarted...<br>
> $ sudo -u vpn -i -- curl <a href="http://ipinfo.io" rel="noreferrer" target="_blank">ipinfo.io</a> <<a href="http://ipinfo.io" rel="noreferrer" target="_blank">http://ipinfo.io</a>><br>
> <br>
> {<br>
> "ip": "109.201.137.48",<br>
> "hostname": "",<br>
> "city": "Amsterdam",<br>
> "region": "Noord-Holland",<br>
> "country": "NL",<br>
> "loc": "52.3666,4.9027",<br>
> "postal": "1066",<br>
> "org": "AS43350 NForce Entertainment B.V."<br>
> }<br>
> <br>
> <br>
> $ sudo ipsec statusall<br>
> <br>
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):<br>
> uptime: 6 minutes, <br>
> malloc: sbrk 3629056, mmap 0, used 1434848, free 2194208<br>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7<br>
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity<br>
> Listening IP addresses:<br>
> 192.168.0.30<br>
> 10.3.189.169<br>
> Connections:<br>
> VPN: %any...<a href="http://free-nl.hide.me" rel="noreferrer" target="_blank">free-nl.hide.me</a> <<a href="http://free-nl.hide.me" rel="noreferrer" target="_blank">http://free-nl.hide.me</a>> IKEv2, dpddelay=30s<br>
> VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'<br>
> VPN: remote: uses public key authentication<br>
> VPN: child: dynamic === <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>> TUNNEL, dpdaction=restart<br>
> Routed Connections:<br>
> VPN{1}: ROUTED, TUNNEL, reqid 1<br>
> VPN{1}: <a href="http://192.168.0.30/32" rel="noreferrer" target="_blank">192.168.0.30/32</a> <<a href="http://192.168.0.30/32" rel="noreferrer" target="_blank">http://192.168.0.30/32</a>> === <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>><br>
> Security Associations (1 up, 0 connecting):<br>
> VPN[2]: ESTABLISHED 61 seconds ago, 192.168.0.30[192.168.0.30]...109.201.137.46[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.<a href="http://hide.me" rel="noreferrer" target="_blank">hide.me</a> <<a href="http://hide.me" rel="noreferrer" target="_blank">http://hide.me</a>>]<br>
> VPN[2]: IKEv2 SPIs: 5855a17374bc3cee_i* cedf941ba5dff66d_r, EAP reauthentication in 2 hours<br>
> VPN[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384<br>
> VPN[2]: Tasks active: CHILD_CREATE<br>
> VPN{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca615d08_i c38d7138_o<br>
> VPN{3}: AES_CBC_256/HMAC_SHA2_256_128, 1017 bytes_i (6 pkts, 31s ago), 503 bytes_o (8 pkts, 31s ago), rekeying in 44 minutes<br>
> VPN{3}: <a href="http://10.3.189.169/32" rel="noreferrer" target="_blank">10.3.189.169/32</a> <<a href="http://10.3.189.169/32" rel="noreferrer" target="_blank">http://10.3.189.169/32</a>> === <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>><br>
> <br>
> <br>
> $ sudo ip route show table all<br>
> <br>
> default via 10.3.189.169 dev vti0 table vpn<br>
> default via 127.0.0.1 dev lo table vpn<br>
> default via 192.168.0.1 dev bond0 onlink<br>
> <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> <<a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">http://192.168.0.0/24</a>> dev bond0 proto kernel scope link src 192.168.0.30<br>
> local 10.3.189.169 dev vti0 table local proto kernel scope host src 10.3.189.169<br>
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1<br>
> local <a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">127.0.0.0/8</a> <<a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">http://127.0.0.0/8</a>> dev lo table local proto kernel scope host src 127.0.0.1<br>
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1<br>
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1<br>
> broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30<br>
> broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> fe80::/64 dev bond0 proto kernel metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> local ::1 dev lo table local proto none metric 0 pref medium<br>
> local fe80:: dev lo table local proto none metric 0 pref medium<br>
> local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium<br>
> ff00::/8 dev bond0 table local metric 256 pref medium<br>
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium<br>
> <br>
> <br>
> <br>
<br>
</blockquote></div></div>
</blockquote></div></div></div></div>
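The charon excerpt quoted in the thread shows both kinds of IKEv2 retransmission at once: the client resending its own request (message ID 6) because no response to it arrived, and the peer resending an INFORMATIONAL request (ID 1) that the client had already answered. Working out which direction is losing packets is the first step in a case like this, so here is an added example, written for this page and not part of the thread or of strongSwan, that tallies both per IKE SA from the lines charon's filelog writes with ike_name = yes (as in the strongswan.conf quoted above). The embedded sample is an abridged copy of the log quoted in the thread; the threshold of 5 is charon's default charon.retransmit_tries, after which it gives up on the exchange.

```python
"""Tally IKEv2 retransmissions per IKE SA from strongSwan charon log lines.

Added example for this thread, not strongSwan code. It expects the line format
charon's filelog writes with `ike_name = yes`, so it can be run offline over a
saved copy of /var/log/charon_debug.log.
"""
import re
import sys

# Abridged excerpt of the charon log quoted in the thread (sample input only).
SAMPLE_LOG = """\
Sat, 2018-06-09 11:57 15[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 10[IKE] <VPN|2> retransmit 1 of request with message ID 6
Sat, 2018-06-09 11:57 10[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 05[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 05[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 05[ENC] <VPN|2> generating INFORMATIONAL response 1 [ ]
Sat, 2018-06-09 11:57 05[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 16[IKE] <VPN|2> retransmit 2 of request with message ID 6
Sat, 2018-06-09 11:57 16[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 07[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 07[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 07[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 07[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 13[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 12[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 09[KNL] <VPN|2> querying policy 10.3.185.30/32 === 0.0.0.0/0 out (mark 2/0xffffffff)
Sat, 2018-06-09 11:57 03[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
"""

# "<timestamp> <thread>[<group>] <<ike-sa-name|unique-id>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>.+?) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] <(?P<sa>[^>]+)> (?P<msg>.*)$"
)
# Our own request going unanswered: charon resends it and counts the attempts.
OUR_RETRANSMIT_RE = re.compile(r"^retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)")
# The peer resending a request we already answered: our response did not reach it.
PEER_RETRANSMIT_RE = re.compile(
    r"^received retransmit of request with ID (?P<mid>\d+), retransmitting response"
)


def analyse(log_text):
    """Return {ike_sa: stats}; stats holds packet counts and per-message-ID retransmits."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a charon line in the expected format
        s = stats.setdefault(m["sa"], {
            "sent": 0,
            "received": 0,
            "our_retransmits": {},   # message ID -> highest "retransmit N" seen
            "peer_retransmits": {},  # message ID -> times the peer resent it
        })
        msg = m["msg"]
        if msg.startswith("sending packet"):
            s["sent"] += 1
        elif msg.startswith("received packet"):
            s["received"] += 1
        else:
            ours = OUR_RETRANSMIT_RE.match(msg)
            peer = PEER_RETRANSMIT_RE.match(msg)
            if ours:
                mid, n = int(ours["mid"]), int(ours["n"])
                s["our_retransmits"][mid] = max(s["our_retransmits"].get(mid, 0), n)
            elif peer:
                mid = int(peer["mid"])
                s["peer_retransmits"][mid] = s["peer_retransmits"].get(mid, 0) + 1
    return stats


def diagnose(stats, retransmit_tries=5):
    """Turn the tallies into findings.

    retransmit_tries mirrors charon's default (charon.retransmit_tries = 5):
    after that many resends charon gives up, tears the IKE SA down and, with
    dpdaction=restart as configured in the thread, starts a new one.
    """
    findings = []
    for sa, s in sorted(stats.items()):
        for mid, n in sorted(s["our_retransmits"].items()):
            findings.append(f"{sa}: our request {mid} resent {n}x; no response to it "
                            f"arrived (lost in either direction)")
            if n >= retransmit_tries:
                findings.append(f"{sa}: request {mid} reached retransmit_tries="
                                f"{retransmit_tries}; charon will tear the IKE SA down")
        for mid, n in sorted(s["peer_retransmits"].items()):
            findings.append(f"{sa}: peer request {mid} received {n}x; our response to "
                            f"it is not getting back to the peer")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    stats = analyse(text)
    for sa, s in stats.items():
        print(f"{sa}: sent={s['sent']} received={s['received']}")
    for finding in diagnose(stats):
        print(" -", finding)
```

Run it with the path of a saved charon log to get the per-SA summary; with no argument it runs over the embedded sample. A growing "our request ... resent" count only says that no response came back, which can be a loss in either direction, while "peer request ... received Nx" lines mean the client's own responses are not getting out; the thread's excerpt shows both at once, which is why the client keeps answering INFORMATIONAL request 1 while its own request 6 goes unanswered.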