[strongSwan] "sending keep alive" seems breaking VPN connection

Gilles Printemps gprintemps at gmail.com
Mon Jun 4 00:10:23 CEST 2018


Hi,
To illustrate my issue, and in addition to the configuration described
previously,
  - I enabled more tracing in ipsec.conf [charondebug="ike 2, knl 3, cfg 0"].
    [The log can be downloaded using the following link: "www.printemps.cc/Temp/syslog.txt"]
  - I tried to launch a set of commands [see "cmds.txt" in the attachment]

Executed commands:
   - After starting ipsec, I establish the VPN connection.
     As you can see in "cmds.txt", the connection is established correctly.
   - I execute the following command to see if the traffic for the user is
     going through the VPN:
     $ sudo -u vpn -i -- curl ipinfo.io
     The result is the expected one.
   - A little bit later (after 17:14:34 in the syslog, less than 2 minutes
     after the previous command), I execute the same command.
     The result fails with the following status: curl: (6) Could not resolve
     host: ipinfo.io
   - I decide to wait and, after 2 additional minutes, I try to execute the
     same command again.
     The command is not failing, but I can see that the IP address allocated
     by the VPN has changed.

To summarise,
   - The VPN connection is established correctly and the routes defined through
     the scripts are working: traffic for the "vpn" user is going through the VPN.
   - After a few minutes (less than 2) without any activity through the VPN,
     the connection is no longer working.
     I have to wait additional minutes to get a working connection.
   - A few minutes later, the connection is killed again...

- Why is the VPN connection killed after less than 2 minutes?
- Does the issue come from the VPN server or from my configuration?
- Why does it take so long to re-establish a new working connection?
- How can I keep the connection up longer?

If someone can check the log and see where the issue is coming from, I
would really appreciate it because, currently, I'm lost...
Thanks for your help,
Gilles

On Tue, May 29, 2018 at 10:51 AM, Gilles Printemps <gprintemps at gmail.com>
wrote:

> Hi,
> After several days, I finally have a configuration which forces all the
> traffic from a specific user to be routed through a VPN via a vti interface.
>
> After creating the vti interface and establishing the different routes, I
> can successfully check that the traffic is currently routed using the
> following commands:
>
> sudo -u vpn -i -- curl ipinfo.io
>
> ping -I vti0 www.google.com
>
>
> Unfortunately, after a period of time, it no longer works and I can
> see several error packets on the vti interface. Several minutes later, the
> connection is established again with the VPN but as a new connection (the IP
> has changed).
>
>
> It seems this issue occurs after "sending keep alive" from IKE.
>
> Is something missing or wrong in my ipsec.conf?
>
>
> Thanks for your help,
>
> Gilles
>
>
> /etc/ipsec.conf
>
>> config setup
>>         charondebug="ike 2, knl 3, cfg 0"
>> conn %default
>>         ### Key Exchange
>>         keyexchange=ikev2
>>         ike=aes256-sha256-ecp384                    # Algorithms used for the connection [phase1/ISAKMP SA]
>>         esp=aes256-sha256-ecp384,aes256-sha256      # Algorithms offered/accepted for a phase2 negotiation
>> conn VPN
>>         dpdaction=restart
>>         leftupdown=/etc/ipsec.script.sh
>>         left=%defaultroute
>>         leftsourceip=%config4
>>         leftauth=eap-mschapv2
>>         eap_identity=gprintemps
>>         right=free-nl.hide.me
>>         rightauth=pubkey
>>         rightid=%any
>>         rightsubnet=0.0.0.0/0
>>         auto=start
>>         mark=2
>
>
> /etc/ipsec.script.sh
>
>> #!/bin/bash
>> set -o nounset
>> set -o errexit
>> VPN_USER="vpn"
>> VTI_INTERFACE="vti0"
>> case "${PLUTO_VERB}" in
>>     up-client)
>>         # VTI keys are taken from the conn's mark (PLUTO_MARK_* are "mark/mask"),
>>         # so packets routed into the VTI hit the matching IPsec SA
>>         ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>>                       okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>>         ip link set "${VTI_INTERFACE}" up
>>         sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
>>         sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2"
>>         ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_INTERFACE}"
>>         # Policy-routing rule: packets marked 0x1 use the "vpn" table
>>         if [[ $(ip rule list | grep -c 0x1) == 0 ]]; then
>>           ip rule add from all fwmark 0x1 lookup "${VPN_USER}"
>>         fi
>>         # Launch routing script
>>         /etc/ipsec.route.sh
>>         ;;
>>     down-client)
>>         ip tunnel del "${VTI_INTERFACE}"
>>         ;;
>> esac
>
>
> /etc/ipsec.route.sh
>
>> #!/bin/bash
>> export TABLE_ID="vpn"
>> export VPN_USER="vpn"
>> export VTI_INTERFACE="vti0"
>> export LOCAL_IP="10.211.55.3"
>>
>> # Flush iptables rules
>> iptables -F -t nat
>> iptables -F -t mangle
>> iptables -F -t filter
>> # Mark packets from $VPN_USER
>> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
>> iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
>> # Also mark every locally generated packet whose source is not $LOCAL_IP
>> # (regardless of the owning user; charon's IKE/NAT-T packets match too if
>> # their source address differs from $LOCAL_IP)
>> iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -j MARK --set-mark 0x1
>> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
>> # Deny $VPN_USER access to interfaces other than lo
>> # iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
>> # Allow $VPN_USER to access lo and the VPN interface
>> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
>> iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
>>
>> # Allow responses from $VTI_INTERFACE
>> iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
>> # Masquerade packets on $VTI_INTERFACE
>> iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
>> # Routing rules: use the last IPv4 address ifconfig shows for the VTI
>> # (skipping anything containing "255" and loopback) as the gateway
>> GATEWAY=$(ifconfig $VTI_INTERFACE |
>>           egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
>>           egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' |
>>           tail -n1)
>> ip route replace default via $GATEWAY table $TABLE_ID
>> ip route append default via 127.0.0.1 dev lo table $TABLE_ID
>> ip route flush cache
>
>
-------------- next part --------------
$ sudo ipsec start
Starting strongSwan 5.6.0 IPsec [starter]...

$ sudo ipsec up VPN
initiating IKE_SA VPN[1] to 46.166.179.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.0.30[500] to 46.166.179.54[500] (870 bytes)
received packet: from 46.166.179.54[500] to 192.168.0.30[500] (349 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
received cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
received 1 cert requests for an unknown ca
sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009"
sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2"
sending cert request for "C=FR, O=OpenTrust, CN=OpenTrust Root CA G3"
sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1"
sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 3"
sending cert request for "C=FR, O=OpenTrust, CN=OpenTrust Root CA G2"
sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2"
sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2"
sending cert request for "C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA"
sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"
sending cert request for "C=US, O=SecureTrust Corporation, CN=Secure Global CA"
sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority"
sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
sending cert request for "C=FR, O=OpenTrust, CN=OpenTrust Root CA G1"
sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA"
sending cert request for "OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign"
sending cert request for "C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G2"
sending cert request for "C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 1"
sending cert request for "O=TeliaSonera, CN=TeliaSonera Root CA v1"
sending cert request for "C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA"
sending cert request for "C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority"
sending cert request for "C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root"
sending cert request for "CN=Atos TrustedRoot 2011, O=Atos, C=DE"
sending cert request for "C=FR, O=Certplus, CN=Certplus Root CA G2"
sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC"
sending cert request for "E=contacto at procert.net.ve, L=Chacao, ST=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica, C=VE, CN=PSCProcert"
sending cert request for "C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware"
sending cert request for "C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068"
sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2"
sending cert request for "C=TR, L=Ankara, O=T??RKTRUST Bilgi ??leti??im ve Bili??im G??venli??i Hizmetleri A.??., CN=T??RKTRUST Elektronik Sertifika Hizmet Sa??lay??c??s?? H5"
sending cert request for "C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3"
sending cert request for "C=GB, O=Trustis Limited, OU=Trustis FPS Root CA"
sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3"
sending cert request for "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA"
sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium"
sending cert request for "CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES"
sending cert request for "C=EU, L=Madrid (see current address at www.camerfirma.com/address), SN=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008"
sending cert request for "C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA"
sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Secure Certificate Services"
sending cert request for "C=ES, O=IZENPE S.A., CN=Izenpe.com"
sending cert request for "C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT"
sending cert request for "C=EU, L=Madrid (see current address at www.camerfirma.com/address), SN=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008"
sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA"
sending cert request for "CN=ACEDICOM Root, OU=PKI, O=EDICOM, C=ES"
sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority"
sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5"
sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2"
sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Commercial"
sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 4"
sending cert request for "O=Digital Signature Trust Co., CN=DST Root CA X3"
sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2"
sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2"
sending cert request for "C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA"
sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2"
sending cert request for "C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2"
sending cert request for "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3"
sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Qualified CA Root"
sending cert request for "C=LU, O=LuxTrust S.A., CN=LuxTrust Global Root 2"
sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority"
sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3"
sending cert request for "C=FR, O=Dhimyotis, CN=Certigna"
sending cert request for "C=FR, O=Certplus, CN=Certplus Root CA G1"
sending cert request for "C=RO, O=certSIGN, OU=certSIGN ROOT CA"
sending cert request for "C=TR, L=Gebze - Kocaeli, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, OU=Kamu Sertifikasyon Merkezi - Kamu SM, CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
sending cert request for "C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2"
sending cert request for "C=US, O=GeoTrust Inc., OU=(c) 2007 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G2"
sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1"
sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2"
sending cert request for "C=TW, O=Government Root Certification Authority"
sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Networking"
sending cert request for "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 1"
sending cert request for "C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root"
sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2015"
sending cert request for "C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011"
sending cert request for "C=TR, L=Ankara, O=E-Tu??ra EBG Bili??im Teknolojileri ve Hizmetleri A.??., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority"
sending cert request for "C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1"
sending cert request for "OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign"
sending cert request for "OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign"
sending cert request for "C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC"
sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication EV RootCA1"
sending cert request for "C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, E=pki at sk.ee"
sending cert request for "C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1"
sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1"
sending cert request for "C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority"
sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA"
sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2"
sending cert request for "C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority"
sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - EC1"
sending cert request for "O=Cybertrust, Inc, CN=Cybertrust Global Root"
sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority"
sending cert request for "C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6"
sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4"
sending cert request for "C=US, O=SecureTrust Corporation, CN=SecureTrust CA"
sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3"
sending cert request for "C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, E=info at e-szigno.hu"
sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2"
sending cert request for "C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root"
sending cert request for "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"
sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 2"
sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Class 1 CA Root"
sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services"
sending cert request for "C=TR, L=Gebze - Kocaeli, O=T??rkiye Bilimsel ve Teknolojik Ara??t??rma Kurumu - T??B??TAK, OU=Ulusal Elektronik ve Kriptoloji Ara??t??rma Enstit??s?? - UEKAE, OU=Kamu Sertifikasyon Merkezi, CN=T??B??TAK UEKAE K??k Sertifika Hizmet Sa??lay??c??s?? - S??r??m 3"
sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority"
sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2"
sending cert request for "C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority"
sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA"
sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2"
sending cert request for "C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Autorit?? Racine"
sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
sending cert request for "C=CN, O=CNNIC, CN=CNNIC ROOT"
sending cert request for "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority"
sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3"
sending cert request for "C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 2"
sending cert request for "C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM"
sending cert request for "CN=T??RKTRUST Elektronik Sertifika Hizmet Sa??lay??c??s??, C=TR, L=Ankara, O=T??RKTRUST Bilgi ??leti??im ve Bili??im G??venli??i Hizmetleri A.??. (c) Aral??k 2007"
sending cert request for "C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root EV CA 2"
sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009"
sending cert request for "C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root"
sending cert request for "C=FR, O=Certplus, CN=Class 2 Primary CA"
sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Public CA Root"
sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority"
sending cert request for "C=FI, O=Sonera, CN=Sonera Class2 CA"
sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2"
sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA"
sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3"
sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority"
sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA"
sending cert request for "C=HU, L=Budapest, O=NetLock Kft., OU=Tan??s??tv??nykiad??k (Certification Services), CN=NetLock Arany (Class Gold) F??tan??s??tv??ny"
sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4"
sending cert request for "C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority"
sending cert request for "O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)"
sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015"
sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2"
sending cert request for "C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority"
sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA"
sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Trusted Certificate Services"
sending cert request for "C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Root CA"
sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3"
sending cert request for "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA"
sending cert request for "C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11"
sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3"
no IDi configured, fall back on IP address
establishing CHILD_SA VPN{2}
generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
splitting IKE message with length of 3296 bytes into 3 fragments
generating IKE_AUTH request 1 [ EF(1/3) ]
generating IKE_AUTH request 1 [ EF(2/3) ]
generating IKE_AUTH request 1 [ EF(3/3) ]
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (1236 bytes)
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (1236 bytes)
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (964 bytes)
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(1/10) ]
received fragment #1 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(2/10) ]
received fragment #2 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(3/10) ]
received fragment #3 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(4/10) ]
received fragment #4 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(5/10) ]
received fragment #5 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(6/10) ]
received fragment #6 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(7/10) ]
received fragment #7 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(8/10) ]
received fragment #8 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(9/10) ]
received fragment #9 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (436 bytes)
parsed IKE_AUTH response 1 [ EF(10/10) ]
received fragment #10 of 10, reassembling fragmented IKE message
parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
received end entity cert "C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me"
received issuer cert "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
  using certificate "C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me"
  using untrusted intermediate certificate "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
checking certificate status of "C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me"
  requesting ocsp status from 'http://ocsp.digicert.com' ...
unable to fetch from http://ocsp.digicert.com, no capable fetcher found
ocsp request to http://ocsp.digicert.com failed
ocsp check failed, fallback to crl
  fetching crl from 'http://crl3.digicert.com/ssca-sha2-g5.crl' ...
unable to fetch from http://crl3.digicert.com/ssca-sha2-g5.crl, no capable fetcher found
crl fetching failed
  fetching crl from 'http://crl4.digicert.com/ssca-sha2-g5.crl' ...
unable to fetch from http://crl4.digicert.com/ssca-sha2-g5.crl, no capable fetcher found
crl fetching failed
certificate status is not available
  using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
checking certificate status of "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
  requesting ocsp status from 'http://ocsp.digicert.com' ...
unable to fetch from http://ocsp.digicert.com, no capable fetcher found
ocsp request to http://ocsp.digicert.com failed
ocsp check failed, fallback to crl
  fetching crl from 'http://crl3.digicert.com/DigiCertGlobalRootCA.crl' ...
unable to fetch from http://crl3.digicert.com/DigiCertGlobalRootCA.crl, no capable fetcher found
crl fetching failed
  fetching crl from 'http://crl4.digicert.com/DigiCertGlobalRootCA.crl' ...
unable to fetch from http://crl4.digicert.com/DigiCertGlobalRootCA.crl, no capable fetcher found
crl fetching failed
certificate status is not available
  reached self-signed root ca with a path length of 1
authentication of 'C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me' with RSA_EMSA_PKCS1_SHA2_512 successful
server requested EAP_IDENTITY (id 0x00), sending 'gprintemps'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (96 bytes)
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (112 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0x01)
generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (144 bytes)
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (128 bytes)
parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
EAP-MS-CHAPv2 succeeded: '(null)'
generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (80 bytes)
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (80 bytes)
parsed IKE_AUTH response 4 [ EAP/SUCC ]
EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of '192.168.0.30' (myself) with EAP
generating IKE_AUTH request 5 [ AUTH ]
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (112 bytes)
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (288 bytes)
parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of 'C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me' with EAP successful
IKE_SA VPN[1] established between 192.168.0.30[192.168.0.30]...46.166.179.54[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
scheduling reauthentication in 10172s
maximum IKE_SA lifetime 10712s
installing DNS server 46.166.179.52 via resolvconf
installing DNS server 46.166.179.53 via resolvconf
installing new virtual IP 10.3.145.71
CHILD_SA VPN{2} established with SPIs c38e7c45_i ce5bcac5_o and TS 10.3.145.71/32 === 0.0.0.0/0
updown: net.ipv4.conf.vti0.disable_policy = 1
updown: net.ipv4.conf.vti0.rp_filter = 2
connection 'VPN' established successfully


$ sudo -u vpn -i -- curl ipinfo.io
{
  "ip": "46.166.179.55",
  "hostname": "",
  "city": "Amsterdam",
  "region": "Noord-Holland",
  "country": "NL",
  "loc": "52.3666,4.9027",
  "postal": "1066",
  "org": "AS43350 NForce Entertainment B.V."
}

$ sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io

$ sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io

$ sudo -u vpn -i -- curl ipinfo.io
{
  "ip": "95.211.101.196",
  "city": "",
  "region": "",
  "country": "NL",
  "loc": "52.3824,4.8995",
  "org": "AS60781 LeaseWeb Netherlands B.V."
}
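Added example (not part of this thread and not one of the scripts above): an offline sanity check for the setup described here, written in shell because the scripts in question are shell. It parses charon's output in the format of the attached cmds.txt to find the address and port charon actually sends IKE from and whether NAT was detected (the reason the "sending keep alives" line appears at all), and then asks whether the `! --src $LOCAL_IP` mark rule from ipsec.route.sh would also match those IKE/NAT-T packets, since mangle OUTPUT sees every locally generated packet. The sample log lines are constructed from the attached output; `LOCAL_IP` is the value from ipsec.route.sh; `ike_exempt_rules` prints an assumed hardening (an ACCEPT for UDP 500/4500 at the top of mangle OUTPUT) that is not in the original scripts. The thread does not establish that marked IKE traffic is what drops the tunnel; the check only reports whether charon's packets fall under the mark rule, which is the first thing to rule out when a restart coincides with the keep-alives.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for the
# user-to-VTI policy-routing setup. They work on text only (charon's log
# output and the LOCAL_IP value from ipsec.route.sh), so they need neither
# root nor a live tunnel.
set -u

# Constructed sample: a few lines in the format of the charon output in the
# attached cmds.txt (addresses copied from that output).
SAMPLE_LOG=$(cat <<'EOF'
initiating IKE_SA VPN[1] to 46.166.179.54
sending packet: from 192.168.0.30[500] to 46.166.179.54[500] (870 bytes)
received packet: from 46.166.179.54[500] to 192.168.0.30[500] (349 bytes)
local host is behind NAT, sending keep alives
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (1236 bytes)
installing new virtual IP 10.3.145.71
EOF
)

# Address charon sends IKE from: first "sending packet" line whose local
# port is 500 or 4500 (field 4 is "addr[port]"). Argument: the log text.
ike_local_addr() {
    printf '%s\n' "$1" |
    awk '/^sending packet: from [0-9.]+\[(500|4500)\] to /{ sub(/\[.*/, "", $4); print $4; exit }'
}

# Peer address from the same line (field 6).
ike_peer_addr() {
    printf '%s\n' "$1" |
    awk '/^sending packet: from [0-9.]+\[(500|4500)\] to /{ sub(/\[.*/, "", $6); print $6; exit }'
}

# "yes" if charon detected NAT; that is why it sends NAT-T keep-alives.
nat_detected() {
    if printf '%s\n' "$1" | grep -q 'local host is behind NAT'; then
        echo yes
    else
        echo no
    fi
}

# The mangle rule `! --src $LOCAL_IP -j MARK --set-mark 0x1` marks every
# locally generated packet whose source is not LOCAL_IP. IKE and NAT-T
# keep-alive packets are sourced from the address charon binds to, so the
# rule marks them (and the fwmark table then routes them) unless the two
# addresses are identical.
mark_rule_catches_ike() {
    local_ip=$1
    ike_addr=$2
    if [ "$local_ip" = "$ike_addr" ]; then echo no; else echo yes; fi
}

# Assumed hardening, not part of the original scripts: keep IKE/NAT-T
# traffic out of the marking logic regardless of LOCAL_IP. Inserted at the
# top of mangle OUTPUT, ACCEPT ends traversal of that chain before the
# MARK rules run.
ike_exempt_rules() {
    printf '%s\n' \
      'iptables -t mangle -I OUTPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT'
}

report() {
    local_ip=$1
    log=$2
    ike=$(ike_local_addr "$log")
    printf 'IKE source address: %s (peer %s, NAT detected: %s)\n' \
        "$ike" "$(ike_peer_addr "$log")" "$(nat_detected "$log")"
    printf 'LOCAL_IP in route script: %s\n' "$local_ip"
    if [ "$(mark_rule_catches_ike "$local_ip" "$ike")" = yes ]; then
        echo 'WARNING: the "! --src LOCAL_IP" mark rule also matches IKE packets;'
        echo 'exempt them before marking, e.g.:'
        ike_exempt_rules
    else
        echo 'OK: IKE packets are not caught by the mark rule'
    fi
}

# Values from the thread: LOCAL_IP as set in ipsec.route.sh, log as above.
report 10.211.55.3 "$SAMPLE_LOG"
```

To run it against a real capture, replace `SAMPLE_LOG` with the output of `ipsec up VPN` (or the relevant charon lines from syslog) and pass the `LOCAL_IP` from the route script to `report`; the checks only read text, so they can be run on the box while the tunnel is up without touching any rule.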


