[strongSwan] "sending keep alive" seems breaking VPN connection
Gilles Printemps
gprintemps at gmail.com
Mon Jun 4 23:22:32 CEST 2018
Hi Noel,
Thanks for your help.
The log as defined on the HelpRequests page can be downloaded from
http://www.printemps.cc/Temp/charon_debug.log
It shows the result of the following commands:
- sudo ipsec start
- sudo ipsec up VPN
- sudo -u vpn -i -- curl ipinfo.io
{
"ip": "5.79.71.229",
"city": "",
"region": "",
"country": "NL",
"loc": "52.3824,4.8995",
"org": "AS60781 LeaseWeb Netherlands B.V."
}
- sudo -u vpn -i -- curl ipinfo.io
{
"ip": "5.79.71.229",
"city": "",
"region": "",
"country": "NL",
"loc": "52.3824,4.8995",
"org": "AS60781 LeaseWeb Netherlands B.V."
}
- sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io
- sudo -u vpn -i -- curl ipinfo.io
{
"ip": "46.166.179.59",
"hostname": "",
"city": "Amsterdam",
"region": "Noord-Holland",
"country": "NL",
"loc": "52.3666,4.9027",
"postal": "1066",
"org": "AS43350 NForce Entertainment B.V."
}
The connection is established, works for a few minutes, is destroyed and restarted.
Best Regards,
Gilles
On Mon, Jun 4, 2018 at 8:44 PM, Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> Hello,
>
> The log you provide is not useful. Please provide a log file as the
> HelpRequests page says and use the exact configuration from the page to
> create it.
>
> Kind regards
>
> Noel
>
> On 04.06.2018 00:10, Gilles Printemps wrote:
> > Hi,
> > To illustrate my issue and in addition to the configuration described
> > previously,
> > - I enabled more trace in the ipsec.conf [charondebug="ike 2, knl 3, cfg 0"].
> >   [Log can be downloaded using the following link "www.printemps.cc/Temp/syslog.txt"]
> > - I tried to launch a set of commands [See "cmds.txt" in attachment]
> >
> > Executed commands:
> > - After starting ipsec, I establish the VPN connection.
> >   As you can see in "cmds.txt", the connection is established correctly.
> > - I execute the following command to see if the traffic for the user is
> >   going through the VPN:
> >   $ sudo -u vpn -i -- curl ipinfo.io
> >   The result is the expected one.
> > - A little bit later [after 17:14:34 in the syslog.02 / less than 2 mins
> >   after the previous cmd], I execute the same command.
> >   The result fails with the following status: curl: (6) Could not resolve
> >   host: ipinfo.io
> > - I decide to wait and after 2 additional minutes, I try to execute the
> >   same command again.
> >   The command is not failing but I can see that my IP address allocated
> >   by the VPN has changed.
> >
> > To summarise,
> > - The VPN connection is established correctly and the routes defined
> >   through the scripts are working.
> >   Traffic for the "vpn" user is going through the VPN.
> > - After a few minutes (less than 2) without any activity through the
> >   VPN, the connection is no longer working.
> >   I have to wait additional minutes to get a working connection.
> > - A few minutes later, the connection is killed again...
> >
> > - Why is the VPN connection killed after less than 2 minutes?
> > - Does the issue come from the VPN server or from my configuration?
> > - Why does it take so long to re-establish a new working connection?
> > - How can I keep the connection longer?
> >
> > If someone can check the log and see where the issue is coming from, I
> > would really appreciate it because, currently, I'm lost...
> > Thanks for your help,
> > Gilles
> >
> > On Tue, May 29, 2018 at 10:51 AM, Gilles Printemps <gprintemps at gmail.com> wrote:
> >
> > Hi,
> > After several days, I finally have a configuration which forces all
> > the traffic from a specific user to be routed through a VPN via a vti
> > interface.
> >
> > After creating the vti interface and establishing the different
> > routes, I can successfully check whether the traffic is currently routed
> > using the following commands:
> >
> > sudo -u vpn -i -- curl ipinfo.io
> >
> > ping -I vti0 www.google.com
> >
> > Unfortunately, after a period of time, it is no longer working and I
> > can see several error packets on the vti interface. Several minutes later,
> > the connection is established again with the VPN but with a new connection
> > (the IP has changed).
> >
> > It seems this issue occurs after "sending keep alive" from IKE.
> >
> > Is something missing or wrong in my ipsec.conf?
> >
> > Thanks for your help,
> >
> > Gilles
> >
> >
> > /etc/ipsec.conf
> >
> > config setup
> >     charondebug="ike 2, knl 3, cfg 0"
> >
> > conn %default
> >     ### Key Exchange
> >     keyexchange=ikev2
> >     ike=aes256-sha256-ecp384                 # Algorithms used for the connection [phase1/ISAKMP SA]
> >     esp=aes256-sha256-ecp384,aes256-sha256   # Algorithms offered/accepted for a phase2 negotiation
> >
> > conn VPN
> >     dpdaction=restart
> >     leftupdown=/etc/ipsec.script.sh
> >     left=%defaultroute
> >     leftsourceip=%config4
> >     leftauth=eap-mschapv2
> >     eap_identity=gprintemps
> >     right=free-nl.hide.me
> >     rightauth=pubkey
> >     rightid=%any
> >     rightsubnet=0.0.0.0/0
> >     auto=start
> >     mark=2
> >
> >
> > /etc/ipsec.script.sh
> >
> > #!/bin/bash
> > # strongSwan updown script: create the VTI interface and the policy-routing
> > # rule when the CHILD_SA comes up, remove the interface when it goes down.
> > set -o nounset
> > set -o errexit
> > VPN_USER="vpn"
> > VTI_INTERFACE="vti0"
> > case "${PLUTO_VERB}" in
> >     up-client)
> >         # ikey/okey are taken from the conn's mark=, so packets entering vti0
> >         # carry that mark and match this connection's IPsec policies
> >         ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
> >             okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
> >         ip link set "${VTI_INTERFACE}" up
> >         sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
> >         sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2"
> >         ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_INTERFACE}"
> >         # Packets marked 0x1 by iptables (see ipsec.route.sh) use the "vpn" table;
> >         # match the whole word so that e.g. fwmark 0x10 does not count as present
> >         if ! ip rule list | grep -qw "fwmark 0x1"; then
> >             ip rule add from all fwmark 0x1 lookup "${VPN_USER}"
> >         fi
> >         # Launch routing script
> >         /etc/ipsec.route.sh
> >         ;;
> >     down-client)
> >         ip tunnel del "${VTI_INTERFACE}"
> >         ;;
> > esac
> >
> >
> > /etc/ipsec.route.sh
> >
> > #!/bin/bash
> > export TABLE_ID="vpn"
> > export VPN_USER="vpn"
> > export VTI_INTERFACE="vti0"
> > export LOCAL_IP="10.211.55.3"
> >
> > # Flush iptables rules
> > iptables -F -t nat
> > iptables -F -t mangle
> > iptables -F -t filter
> > # Mark packets from $VPN_USER (fwmark 0x1 selects the $TABLE_ID routing table)
> > iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> > iptables -t mangle -A OUTPUT ! --dest "$LOCAL_IP" -m owner --uid-owner "$VPN_USER" -j MARK --set-mark 0x1
> > iptables -t mangle -A OUTPUT ! --src "$LOCAL_IP" -j MARK --set-mark 0x1
> > iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
> > # Deny $VPN_USER to access other interfaces than lo
> > # iptables -A OUTPUT ! -o lo -m owner --uid-owner "$VPN_USER" -j DROP
> > # Allow $VPN_USER to access lo and VPN interfaces
> > iptables -A OUTPUT -o lo -m owner --uid-owner "$VPN_USER" -j ACCEPT
> > iptables -A OUTPUT -o "$VTI_INTERFACE" -m owner --uid-owner "$VPN_USER" -j ACCEPT
> >
> > # Allow responses from $VTI_INTERFACE
> > iptables -A INPUT -i "$VTI_INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
> > # Masquerade packets on $VTI_INTERFACE
> > iptables -t nat -A POSTROUTING -o "$VTI_INTERFACE" -j MASQUERADE
> > # Routing rules: the address assigned to $VTI_INTERFACE (the virtual IP
> > # received from the server) is used as next hop for the $TABLE_ID table
> > GATEWAY=$(ifconfig "$VTI_INTERFACE" |
> >     egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
> >     egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
> > ip route replace default via "$GATEWAY" table "$TABLE_ID"
> > # Fallback entry: if the VTI route disappears, marked traffic still hits
> > # this table instead of falling through to the main table and leaking
> > ip route append default via 127.0.0.1 dev lo table "$TABLE_ID"
> > ip route flush cache
> >
> >
>
>
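Noel's request for a log produced the way the HelpRequests page describes is the right next step. The thing to look for in such a log is not the "sending keep alive" lines (those are NAT-T keepalives, a single UDP byte to port 4500 that charon sends every 20 seconds by default while it detects a NAT, and they are harmless on their own) but what immediately precedes each "deleting IKE_SA": either a "received DELETE" from the server, or a DPD request that ran through all its retransmits with no answer. The script below, added here and not part of this thread or of strongSwan, performs that triage over a charon syslog. Its sample log is constructed (the event wording follows charon's messages, but the hostname, addresses, message IDs and timestamps are made up), and the three-way classification peer_delete / dpd_timeout / local is this example's own.

```python
"""Triage a charon (strongSwan) syslog: why was each IKE_SA torn down and how long did it live?

Added example for this thread, not the poster's script and not part of strongSwan.
SAMPLE_LOG is constructed: the event wording follows charon's messages, but the
hostname, addresses, message IDs and times are made up for the example.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Jun  4 17:12:31 nuc charon: 06[IKE] IKE_SA VPN[1] established between 10.211.55.3[gprintemps]...5.79.71.229[free-nl.hide.me]
Jun  4 17:12:51 nuc charon: 07[IKE] sending keep alive to 5.79.71.229[4500]
Jun  4 17:13:11 nuc charon: 08[IKE] sending keep alive to 5.79.71.229[4500]
Jun  4 17:13:31 nuc charon: 09[IKE] sending keep alive to 5.79.71.229[4500]
Jun  4 17:14:34 nuc charon: 10[IKE] sending DPD request
Jun  4 17:14:38 nuc charon: 11[IKE] retransmit 1 of request with message ID 2
Jun  4 17:14:45 nuc charon: 12[IKE] retransmit 2 of request with message ID 2
Jun  4 17:14:58 nuc charon: 13[IKE] retransmit 3 of request with message ID 2
Jun  4 17:15:22 nuc charon: 14[IKE] retransmit 4 of request with message ID 2
Jun  4 17:16:04 nuc charon: 15[IKE] retransmit 5 of request with message ID 2
Jun  4 17:17:20 nuc charon: 16[IKE] giving up after 5 retransmits
Jun  4 17:17:20 nuc charon: 16[IKE] deleting IKE_SA VPN[1] between 10.211.55.3[gprintemps]...5.79.71.229[free-nl.hide.me]
Jun  4 17:17:20 nuc charon: 16[IKE] restarting CHILD_SA VPN
Jun  4 17:17:20 nuc charon: 16[IKE] initiating IKE_SA VPN[2] to 46.166.179.59
Jun  4 17:17:22 nuc charon: 16[IKE] IKE_SA VPN[2] established between 10.211.55.3[gprintemps]...46.166.179.59[free-nl.hide.me]
Jun  4 17:20:05 nuc charon: 05[IKE] received DELETE for IKE_SA VPN[2]
Jun  4 17:20:05 nuc charon: 05[IKE] deleting IKE_SA VPN[2] between 10.211.55.3[gprintemps]...46.166.179.59[free-nl.hide.me]
"""

# syslog prefix "Mon DD HH:MM:SS host charon: NN[GRP] message" (syslog timestamps carry no year)
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: \d+\[[A-Z]+\] (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(r"IKE_SA (\S+\[\d+\]) established")
DELETING_RE = re.compile(r"deleting IKE_SA (\S+\[\d+\])")


def parse_log(lines, year=2018):
    """Return [(timestamp, message)] for the charon lines; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["msg"]))
    return events


def _secs_between(later, earlier):
    return None if earlier is None else int((later - earlier).total_seconds())


def diagnose(events):
    """One report per 'deleting IKE_SA', with the cause seen just before it:
    peer_delete  - the server sent an IKE DELETE, i.e. it dropped us deliberately
    dpd_timeout  - our DPD request got no answer through all retransmits
    local        - neither seen, so the delete was initiated on this host
    'sending keep alive' lines are NAT-T keepalives (one UDP byte to port 4500);
    they are tracked only to show how idle the SA was before it went away."""
    reports, established = [], {}
    last_keepalive = last_dpd = None
    retransmits, gave_up, peer_delete = 0, False, False
    for ts, msg in events:
        m = ESTABLISHED_RE.search(msg)
        if m:
            established[m.group(1)] = ts
            for r in reports:  # record the gap between a teardown and the next working SA
                if r["reestablished_after_s"] is None:
                    r["reestablished_after_s"] = _secs_between(ts, r["deleted_at"])
            continue
        if "sending keep alive" in msg:
            last_keepalive = ts
        elif msg.startswith("sending DPD request"):
            last_dpd, retransmits = ts, 0
        elif msg.startswith("retransmit "):
            retransmits += 1
        elif msg.startswith("giving up after"):
            gave_up = True
        elif msg.startswith("received DELETE for IKE_SA"):
            peer_delete = True
        m = DELETING_RE.search(msg)
        if not m:
            continue
        cause = "peer_delete" if peer_delete else "dpd_timeout" if gave_up else "local"
        reports.append({
            "sa": m.group(1), "cause": cause, "deleted_at": ts,
            "uptime_s": _secs_between(ts, established.pop(m.group(1), None)),
            "retransmits": retransmits if cause == "dpd_timeout" else 0,
            "silent_s": _secs_between(ts, last_dpd),  # peer silent since our last DPD
            "last_keepalive_s_before": _secs_between(ts, last_keepalive),
            "reestablished_after_s": None,
        })
        retransmits, gave_up, peer_delete, last_dpd = 0, False, False, None
    return reports


def summarise(reports):
    """One line per teardown, suitable for pasting into a help request."""
    out = []
    for r in reports:
        line = f"{r['sa']}: up {r['uptime_s']}s, torn down by {r['cause']}"
        if r["cause"] == "dpd_timeout":
            line += f" after {r['retransmits']} unanswered retransmits ({r['silent_s']}s of silence)"
        if r["reestablished_after_s"] is not None:
            line += f", new SA after {r['reestablished_after_s']}s"
        out.append(line)
    return out


if __name__ == "__main__":
    for line in summarise(diagnose(parse_log(SAMPLE_LOG.splitlines()))):
        print(line)
```

Run it against the real file with `parse_log(open("/var/log/syslog").read().splitlines())`; a run of dpd_timeout teardowns with a few minutes of uptime each points at the path to the server going dead while the SA still exists on the client (the "Could not resolve host" window), whereas peer_delete teardowns mean the server is closing the session itself and the question belongs to the provider.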