[strongSwan] "sending keep alive" seems breaking VPN connection

Gilles Printemps gprintemps at gmail.com
Mon Jun 4 23:22:32 CEST 2018


Hi Noel,
Thanks for your help.

Log as defined in the HelpRequests page can be download from "
http://www.printemps.cc/Temp/charon_debug.log"
it shows the result of the following commands:
  - sudo ipsec start
  - sudo ipsec up VPN
  - sudo -u vpn -i -- curl ipinfo.io
    {
    "ip": "5.79.71.229",
    "city": "",
    "region": "",
    "country": "NL",
    "loc": "52.3824,4.8995",
    "org": "AS60781 LeaseWeb Netherlands B.V."
    }
  - sudo -u vpn -i -- curl ipinfo.io
    {
    "ip": "5.79.71.229",
    "city": "",
    "region": "",
    "country": "NL",
    "loc": "52.3824,4.8995",
    "org": "AS60781 LeaseWeb Netherlands B.V."
    }

  - sudo -u vpn -i -- curl ipinfo.io
    curl: (6) Could not resolve host: ipinfo.io

  - sudo -u vpn -i -- curl ipinfo.io
    {
    "ip": "46.166.179.59",
    "hostname": "",
    "city": "Amsterdam",
    "region": "Noord-Holland",
    "country": "NL",
    "loc": "52.3666,4.9027",
    "postal": "1066",
    "org": "AS43350 NForce Entertainment B.V."
    }

Connection is established, works few minutes, destroyed and restarted
Best Regards,
Gilles

On Mon, Jun 4, 2018 at 8:44 PM, Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Hello,
>
> The log you provide is not useful. Please provide a log file as the
> HelpRequests page says and use the exact configuration from the page to
> create it.
>
> Kind regards
>
> Noel
>
> On 04.06.2018 00:10, Gilles Printemps wrote:
> > Hi,
> > To illustrate my issue and in addition to the configuration described
> previously,
> >   - I enabled more trace in the ipsec.conf [charondebug="ike 2, knl 3,
> cfg 0"].
> >     [Log can be downloaded using the following link "
> www.printemps.cc/Temp/syslog.txt <http://www.printemps.cc/Temp/syslog.txt
> >"]
> >   - I tried to launch a set of commands [See "cmds.txt" in attachment]
> >
> > Executed commands:
> >    - After starting ipsec, I establish the VPN connection.
> >      As you can see in "cmds.txt", connection is established correctly
> >    - I execute the following command to see if the traffic for the user
> is going through the VPN
> >      $ sudo -u vpn -i -- curl ipinfo.io <http://ipinfo.io/>
> >      Result is the expected one.
> >    - A little bit later (After 17:14:34 in the syslog.02/Less than 2mins
> after previous cmd], I execute the same command
> >      Result fails with the following status: curl: (6) Could not resolve
> host: ipinfo.io <http://ipinfo.io/>
> >    - I decide to wait and after 2 additional minutes, I try to execute
> again the same command
> >      Command is not failing but I can see that my IP address allocated
> but the VPN has changed.
> >
> > To summarise,
> >    - VPN connection is established correctly and the route defined
> through the scripts are working
> >      Traffic for the "vpn" user is going through the VPN
> >    - After few minutes (less than 2) without any activity through the
> VPN, connection is no more working.
> >      I have to wait additional minutes, to get a working connection.
> >    - Few minutest later, connection is killed again...
> >
> > - Why is the VPN connection killed after less than 2 minutes?
> > - Is the issue come from the VPN server or from my configuration?
> > - Why is it so long to re-establish a new working connection?
> > - How to keep the connection longer?
> >
> > If someone can check the log and see where the issue is coming from, I
> would really appreciate because, currently, I'm lost...
> > Thanks for your help,
> > Gilles
> >
> > On Tue, May 29, 2018 at 10:51 AM, Gilles Printemps <gprintemps at gmail.com
> <mailto:gprintemps at gmail.com>> wrote:
> >
> >     Hi,
> >     After several days, I finally have a configuration which force all
> the traffic from a specific user to be routed from a VPN via a vti
> interface.
> >
> >     After creating the vti interface and establishing the different
> route, I can successfully check if the traffic is currently routed using
> the following commands:
> >
> >     sudo -u vpn -i -- curl ipinfo.io <http://ipinfo.io>
> >
> >     ping -I vti0 www.google.com <http://www.google.com>
> >
> >
> >     Unfortunately, after a period d of time, it is no more working and I
> can see several error packets on the vti interface. several minute later,
> connection is established again with the VPN but with a new connection (IP
> has changed).
> >
> >
> >     It seems this issue occurs after "sending keep alive" from IKE.
> >
> >     Is something missing or wrong in my ipsec.conf?
> >
> >
> >     Thanks for your help,
> >
> >     Gilles
> >
> >
> >     /etc/ipsec.conf
> >
> >         config setup
> >                 charondebug="ike 2, knl 3, cfg 0"
> >         conn %default
> >                 ### Key Exchange
> >                 keyexchange=ikev2
> >                 ike=aes256-sha256-ecp384                    # Algorithms
> used for the connection [phase1/ISAKMP SA]
> >                 esp=aes256-sha256-ecp384,aes256-sha256      #
> Algorithms offered/accepted for a phase2 negotiation
> >         conn VPN
> >                 dpdaction=restart
> >                 leftupdown=/etc/ipsec.script.sh <http://ipsec.script.sh>
> >                 left=%defaultroute
> >                 leftsourceip=%config4
> >                 leftauth=eap-mschapv2
> >                 eap_identity=gprintemps
> >                 right=free-nl.hide.me <http://free-nl.hide.me>
> >                 rightauth=pubkey
> >                 rightid=%any
> >                 rightsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> >                 auto=start
> >                 mark=2
> >
> >
> >     /etc/ipsec.script.sh <http://ipsec.script.sh>
> >
> >         set -o nounset
> >         set -o errexit
> >         VPN_USER="vpn"
> >         VTI_INTERFACE="vti0"
> >         case "${PLUTO_VERB}" in
> >             up-client)
> >                 ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}"
> remote "${PLUTO_PEER}" mode vti \
> >                               okey "${PLUTO_MARK_OUT%%/*}" ikey
> "${PLUTO_MARK_IN%%/*}"
> >                 ip link set "${VTI_INTERFACE}" up
> >                 sysctl -w "net.ipv4.conf.${VTI_
> INTERFACE}.disable_policy=1"
> >                 sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2"
> >                 ip addr add ${PLUTO_MY_SOURCEIP} dev "${VTI_INTERFACE}"
> >                 if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
> >                   ip rule add from all fwmark 0x1 lookup $VPN_USER
> >                 fi
> >                 # Launch routing script
> >                 /etc/ipsec.route.sh <http://ipsec.route.sh>
> >                 ;;
> >             down-client)
> >                 ip tunnel del "${VTI_INTERFACE}"
> >                 ;;
> >         esac
> >
> >
> >     /etc/ipsec.route.sh <http://ipsec.route.sh>
> >
> >          export TABLE_ID="vpn"
> >         export VPN_USER="vpn"
> >         export VTI_INTERFACE="vti0"
> >         export LOCAL_IP="10.211.55.3"
> >
> >         # Flush iptables rules
> >         iptables -F -t nat
> >         iptables -F -t mangle
> >         iptables -F -t filter
> >         # Mark packets from $VPN_USER
> >         iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> >         iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP  -m owner
> --uid-owner $VPN_USER -j MARK --set-mark 0x1
> >         iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -j MARK
> --set-mark 0x1
> >         iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
> >         # Deny $VPN_USER to access other interfaces than lo
> >         # iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j
> DROP
> >         # Allow $VPN_USER to access lo and VPN interfaces
> >         iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
> >         iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner
> $VPN_USER -j ACCEPT
> >
> >         # Allow response from $VPN_INTERFACE
> >         iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate
> ESTABLISHED -j ACCEPT
> >         # Masquarade packets on $VPN_INTERFACE
> >         iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
> >         # Routing rules
> >         GATEWAY=$(ifconfig $VTI_INTERFACE |
> >                   egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
> >                   egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})'
> | tail -n1)
> >         ip route replace default via $GATEWAY table $TABLE_ID
> >         ip route append default via 127.0.0.1 dev lo table $TABLE_ID
> >         ip route flush cache
> >
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180604/458e63fb/attachment-0001.html>


More information about the Users mailing list