[strongSwan] "sending keep alive" seems breaking VPN connection
Gilles Printemps
gprintemps at gmail.com
Wed Jun 6 11:47:24 CEST 2018
Hi Noel/Tobias,
I've done the modification in the script as highlighted but, unfortunately,
I still have the same problem:
After 2 minutes, when I'm executing the same command, it's failing...
$ sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io
My routing script:
> export TABLE_ID="vpn"
> export VPN_USER="vpn"
> export VTI_INTERFACE="vti0"
> export LOCAL_IP="192.168.0.30"
> #export LOCAL_IP="10.211.55.3"
>
> # Flush iptables rules
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
> # Mark packets from $VPN_USER
> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner
> $VPN_USER -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -m owner --uid-owner
> $VPN_USER -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
> # Deny $VPN_USER to access other interfaces than lo
> # iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
> # Allow $VPN_USER to access lo and VPN interfaces
> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
> iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j
> ACCEPT
>
> # Allow response from $VPN_INTERFACE
> iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j
> ACCEPT
> # Masquarade packets on $VPN_INTERFACE
> iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
> # Routing rules
> GATEWAY=$(ifconfig $VTI_INTERFACE |
> egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
> egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail
> -n1)
> ip route replace default via $GATEWAY table $TABLE_ID
> ip route append default via 127.0.0.1 dev lo table $TABLE_ID
> ip route flush cache
I really don't understand how this issue can be related to a routing table.
Indeed, just after starting the VPN, connection is working fine and command
is returning the right result.
Please find below the routing table status after each steps..
How it will help for finding where this issue is coming from...
BR Gilles
$ sudo ipsec start
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic,
> x86_64):
> uptime: 8 seconds,
> malloc: sbrk 3088384, mmap 0, used 1304704, free 1783680
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
> revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl
> fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve
> socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2
> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
> xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
> Listening IP addresses:
> 192.168.0.30
> Connections:
> VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s
> VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity
> 'gprintemps'
> VPN: remote: uses public key authentication
> VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
> Routed Connections:
> VPN{1}: ROUTED, TUNNEL, reqid 1
> VPN{1}: 192.168.0.30/32 === 0.0.0.0/0
> Security Associations (0 up, 0 connecting):
> none
$ sudo ip route show table all
default via 127.0.0.1 dev lo table vpn
> default via 192.168.0.1 dev bond0 onlink
> 192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src
> 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src
> 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src
> 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link
> src 127.0.0.1
> broadcast 192.168.0.0 dev bond0 table local proto kernel scope link
> src 192.168.0.30
> local 192.168.0.30 dev bond0 table local proto kernel scope host src
> 192.168.0.30
> broadcast 192.168.0.255 dev bond0 table local proto kernel scope link
> src 192.168.0.30
> unreachable default dev lo table unspec proto kernel metric 4294967295
> error -101 pref medium
> fe80::/64 dev bond0 proto kernel metric 256 pref medium
> unreachable default dev lo table unspec proto kernel metric 4294967295
> error -101 pref medium
> local ::1 dev lo table local proto none metric 0 pref medium
> local fe80:: dev lo table local proto none metric 0 pref medium
> local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0
> pref medium
> ff00::/8 dev bond0 table local metric 256 pref medium
> unreachable default dev lo table unspec proto kernel metric 4294967295
> error -101 pref medium
$ sudo ipsec up VPN
...
connection 'VPN' established successfully
$ sudo -u vpn -i -- curl ipinfo.io
{
> "ip": "95.211.101.229",
> "city": "",
> "region": "",
> "country": "NL",
> "loc": "52.3824,4.8995",
> "org": "AS60781 LeaseWeb Netherlands B.V."
> }
$ sudo ifconfig (vti0 and bond0 interfaces)
bond0 Link encap:Ethernet HWaddr c8:1f:66:cb:1f:af
> inet addr:192.168.0.30 Bcast:192.168.0.255 Mask:255.255.255.0
> inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link
> UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
> RX packets:1239225 errors:13 dropped:1649 overruns:0 frame:3
> TX packets:664640 errors:0 dropped:3 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:298208189 (298.2 MB) TX bytes:123692731 (123.6 MB)
> vti0 Link encap:IPIP Tunnel HWaddr
> inet addr:10.3.153.58 P-t-P:10.3.153.58 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
> RX packets:6 errors:0 dropped:0 overruns:0 frame:0
> TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1
> RX bytes:957 (957.0 B) TX bytes:503 (503.0 B)
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic,
> x86_64):
> uptime: 95 seconds,
> malloc: sbrk 3629056, mmap 0, used 1409056, free 2220000
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 4
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
> revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl
> fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve
> socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2
> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
> xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
> Listening IP addresses:
> 192.168.0.30
> 10.3.153.58
> Connections:
> VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s
> VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity
> 'gprintemps'
> VPN: remote: uses public key authentication
> VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
> Routed Connections:
> VPN{1}: ROUTED, TUNNEL, reqid 1
> VPN{1}: 192.168.0.30/32 === 0.0.0.0/0
> Security Associations (1 up, 0 connecting):
> VPN[1]: ESTABLISHED 33 seconds ago,
> 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan,
> L=Labuan, O=eVenture Limited, CN=*.hide.me]
> VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i* 08a6a85a2e5367a6_r, EAP
> reauthentication in 2 hours
> VPN[1]: IKE proposal:
> AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
> VPN{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3519ebd_i
> c3e6821b_o
> VPN{2}: AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6 pkts, 25s
> ago), 532 bytes_o (9 pkts, 25s ago), rekeying in 46 minutes
> VPN{2}: 10.3.153.58/32 === 0.0.0.0/0
$ sudo ip route show table all
default via 10.3.153.58 dev vti0 table vpn
> default via 127.0.0.1 dev lo table vpn
> default via 192.168.0.1 dev bond0 onlink
> 192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
> local 10.3.153.58 dev vti0 table local proto kernel scope host src
> 10.3.153.58
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src
> 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src
> 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src
> 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link
> src 127.0.0.1
> broadcast 192.168.0.0 dev bond0 table local proto kernel scope link
> src 192.168.0.30
> local 192.168.0.30 dev bond0 table local proto kernel scope host src
> 192.168.0.30
> broadcast 192.168.0.255 dev bond0 table local proto kernel scope link
> src 192.168.0.30
> unreachable default dev lo table unspec proto kernel metric 4294967295
> error -101 pref medium
> fe80::/64 dev bond0 proto kernel metric 256 pref medium
> unreachable default dev lo table unspec proto kernel metric 4294967295
> error -101 pref medium
> local ::1 dev lo table local proto none metric 0 pref medium
> local fe80:: dev lo table local proto none metric 0 pref medium
> local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0
> pref medium
> ff00::/8 dev bond0 table local metric 256 pref medium
> unreachable default dev lo table unspec proto kernel metric 4294967295
> error -101 pref medium
Display of all routing tables
Filter table:Chain INPUT (policy ACCEPT 189 packets, 15132 bytes)
> pkts bytes target prot opt in out source
> destination
> 6 957 ACCEPT all -- vti0 any anywhere
> anywhere ctstate ESTABLISHED
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> Chain OUTPUT (policy ACCEPT 185 packets, 26720 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT all -- any lo anywhere
> anywhere owner UID match vpn
> 0 0 ACCEPT all -- any vti0 anywhere
> anywhere owner UID match vpn
> Nat table:Chain PREROUTING (policy ACCEPT 2 packets, 136 bytes)
> pkts bytes target prot opt in out source
> destination
> Chain INPUT (policy ACCEPT 2 packets, 136 bytes)
> pkts bytes target prot opt in out source
> destination
> Chain OUTPUT (policy ACCEPT 30 packets, 2361 bytes)
> pkts bytes target prot opt in out source
> destination
> Chain POSTROUTING (policy ACCEPT 28 packets, 2246 bytes)
> pkts bytes target prot opt in out source
> destination
> 2 115 MASQUERADE all -- any vti0 anywhere
> anywhere
> Mangle table:
> Chain PREROUTING (policy ACCEPT 195 packets, 16089 bytes)
> pkts bytes target prot opt in out source
> destination
> Chain INPUT (policy ACCEPT 195 packets, 16089 bytes)
> pkts bytes target prot opt in out source
> destination
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> Chain OUTPUT (policy ACCEPT 193 packets, 28964 bytes)
> pkts bytes target prot opt in out source
> destination
> 193 28964 CONNMARK all -- any any anywhere
> anywhere CONNMARK restore
> 14 1439 MARK all -- any any anywhere !
> coruscant.printemps.cc owner UID match vpn MARK set 0x1
> 0 0 MARK all -- any any !coruscant.printemps.cc
> anywhere owner UID match vpn MARK set 0x1
> 193 28964 CONNMARK all -- any any anywhere
> anywhere CONNMARK save
> Chain POSTROUTING (policy ACCEPT 211 packets, 30421 bytes)
> pkts bytes target prot opt in out source
> destination
After ~2 minutes, connection is broken
$ sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic,
> x86_64):
> uptime: 3 minutes,
> malloc: sbrk 3629056, mmap 0, used 1411312, free 2217744
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 5
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
> revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl
> fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve
> socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2
> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
> xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
> Listening IP addresses:
> 192.168.0.30
> 10.3.153.58
> Connections:
> VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s
> VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity
> 'gprintemps'
> VPN: remote: uses public key authentication
> VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
> Routed Connections:
> VPN{1}: ROUTED, TUNNEL, reqid 1
> VPN{1}: 192.168.0.30/32 === 0.0.0.0/0
> Security Associations (1 up, 0 connecting):
> VPN[1]: ESTABLISHED 2 minutes ago,
> 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan,
> L=Labuan, O=eVenture Limited, CN=*.hide.me]
> VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i* 08a6a85a2e5367a6_r, EAP
> reauthentication in 2 hours
> VPN[1]: IKE proposal:
> AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
> VPN[1]: Tasks active: IKE_MOBIKE
> VPN{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3519ebd_i
> c3e6821b_o
> VPN{2}: AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6 pkts, 161s
> ago), 4127 bytes_o (52 pkts, 27s ago), rekeying in 44 minutes
> VPN{2}: 10.3.153.58/32 === 0.0.0.0/0
$ sudo ifconfig (vti0 and bond0 interfaces)
bond0 Link encap:Ethernet HWaddr c8:1f:66:cb:1f:af
> inet addr:192.168.0.30 Bcast:192.168.0.255 Mask:255.255.255.0
> inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link
> UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
> RX packets:1240273 errors:13 dropped:1651 overruns:0 frame:3
> TX packets:665233 errors:0 dropped:3 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:298394839 (298.3 MB) TX bytes:123780036 (123.7 MB)
> vti0 Link encap:IPIP Tunnel HWaddr
> inet addr:10.3.153.58 P-t-P:10.3.153.58 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
> RX packets:6 errors:0 dropped:0 overruns:0 frame:0
> TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1
> RX bytes:957 (957.0 B) TX bytes:4098 (4.0 KB)
$ sudo ip route show table all
default via 10.3.153.58 dev vti0 table vpn
> default via 127.0.0.1 dev lo table vpn
> default via 192.168.0.1 dev bond0 onlink
> 192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
> local 10.3.153.58 dev vti0 table local proto kernel scope host src
> 10.3.153.58
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src
> 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src
> 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src
> 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link
> src 127.0.0.1
> broadcast 192.168.0.0 dev bond0 table local proto kernel scope link
> src 192.168.0.30
> local 192.168.0.30 dev bond0 table local proto kernel scope host src
> 192.168.0.30
> broadcast 192.168.0.255 dev bond0 table local proto kernel scope link
> src 192.168.0.30
> unreachable default dev lo table unspec proto kernel metric 4294967295
> error -101 pref medium
> fe80::/64 dev bond0 proto kernel metric 256 pref medium
> unreachable default dev lo table unspec proto kernel metric 4294967295
> error -101 pref medium
> local ::1 dev lo table local proto none metric 0 pref medium
> local fe80:: dev lo table local proto none metric 0 pref medium
> local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0
> pref medium
> ff00::/8 dev bond0 table local metric 256 pref medium
> unreachable default dev lo table unspec proto kernel metric 4294967295
> error -101 pref medium
After ~2minutes, connection is restarted...
$ sudo -u vpn -i -- curl ipinfo.io
> {
> "ip": "109.201.137.48",
> "hostname": "",
> "city": "Amsterdam",
> "region": "Noord-Holland",
> "country": "NL",
> "loc": "52.3666,4.9027",
> "postal": "1066",
> "org": "AS43350 NForce Entertainment B.V."
> }
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic,
> x86_64):
> uptime: 6 minutes,
> malloc: sbrk 3629056, mmap 0, used 1434848, free 2194208
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 7
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
> revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl
> fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve
> socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2
> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
> xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
> Listening IP addresses:
> 192.168.0.30
> 10.3.189.169
> Connections:
> VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s
> VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity
> 'gprintemps'
> VPN: remote: uses public key authentication
> VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
> Routed Connections:
> VPN{1}: ROUTED, TUNNEL, reqid 1
> VPN{1}: 192.168.0.30/32 === 0.0.0.0/0
> Security Associations (1 up, 0 connecting):
> VPN[2]: ESTABLISHED 61 seconds ago,
> 192.168.0.30[192.168.0.30]...109.201.137.46[C=MY, ST=Wilayah Persekutuan,
> L=Labuan, O=eVenture Limited, CN=*.hide.me]
> VPN[2]: IKEv2 SPIs: 5855a17374bc3cee_i* cedf941ba5dff66d_r, EAP
> reauthentication in 2 hours
> VPN[2]: IKE proposal:
> AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
> VPN[2]: Tasks active: CHILD_CREATE
> VPN{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca615d08_i
> c38d7138_o
> VPN{3}: AES_CBC_256/HMAC_SHA2_256_128, 1017 bytes_i (6 pkts, 31s
> ago), 503 bytes_o (8 pkts, 31s ago), rekeying in 44 minutes
> VPN{3}: 10.3.189.169/32 === 0.0.0.0/0
$ sudo ip route show table all
default via 10.3.189.169 dev vti0 table vpn
> default via 127.0.0.1 dev lo table vpn
> default via 192.168.0.1 dev bond0 onlink
> 192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
> local 10.3.189.169 dev vti0 table local proto kernel scope host src
> 10.3.189.169
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src
> 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src
> 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src
> 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link
> src 127.0.0.1
> broadcast 192.168.0.0 dev bond0 table local proto kernel scope link
> src 192.168.0.30
> local 192.168.0.30 dev bond0 table local proto kernel scope host src
> 192.168.0.30
> broadcast 192.168.0.255 dev bond0 table local proto kernel scope link
> src 192.168.0.30
> unreachable default dev lo table unspec proto kernel metric 4294967295
> error -101 pref medium
> fe80::/64 dev bond0 proto kernel metric 256 pref medium
> unreachable default dev lo table unspec proto kernel metric 4294967295
> error -101 pref medium
> local ::1 dev lo table local proto none metric 0 pref medium
> local fe80:: dev lo table local proto none metric 0 pref medium
> local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0
> pref medium
> ff00::/8 dev bond0 table local metric 256 pref medium
> unreachable default dev lo table unspec proto kernel metric 4294967295
> error -101 pref medium
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180606/831818dc/attachment-0001.html>
More information about the Users
mailing list