[strongSwan] "sending keep alive" seems breaking VPN connection
Gilles Printemps
gprintemps at gmail.com
Sat Jun 9 12:16:28 CEST 2018
Hi,
I've added the setting in the "strongswan.conf" file but, unfortunately,
the issue is still the same...
> charon {
>     interfaces_use = bond0
>     load_modular = yes
>     plugins {
>         include strongswan.d/charon/*.conf
>     }
>     filelog {
>         /var/log/charon_debug.log {
>             time_format = %a, %Y-%m-%d %R
>             default = 2
>             mgr = 0
>             net = 1
>             enc = 1
>             asn = 1
>             job = 1
>             ike_name = yes
>             append = no
>             flush_line = yes
>         }
>     }
> }
> include strongswan.d/*.conf
It seems to be a routing problem because I have a lot of "retransmit" (see below),
but:
- Why is it working at the beginning, when the connection to the VPN
server is established?
- Are any requests blocked if strongSwan (here used as client) is not
receiving an answer from the VPN server?
- Can someone explain why it has to retransmit the response?
Does it mean the server is not receiving it, or am I missing a rule for
routing this packet through the vti?
> Sat, 2018-06-09 11:57 15[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
> Sat, 2018-06-09 11:57 10[IKE] <VPN|2> retransmit 1 of request with message ID 6
> Sat, 2018-06-09 11:57 10[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
> Sat, 2018-06-09 11:57 05[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
> Sat, 2018-06-09 11:57 05[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
> Sat, 2018-06-09 11:57 05[ENC] <VPN|2> generating INFORMATIONAL response 1 [ ]
> Sat, 2018-06-09 11:57 05[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
> Sat, 2018-06-09 11:57 16[IKE] <VPN|2> retransmit 2 of request with message ID 6
> Sat, 2018-06-09 11:57 16[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
> Sat, 2018-06-09 11:57 07[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
> Sat, 2018-06-09 11:57 07[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
> Sat, 2018-06-09 11:57 07[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
> Sat, 2018-06-09 11:57 07[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
> Sat, 2018-06-09 11:57 13[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
> Sat, 2018-06-09 11:57 13[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
> Sat, 2018-06-09 11:57 13[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
> Sat, 2018-06-09 11:57 13[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
> Sat, 2018-06-09 11:57 12[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
> Sat, 2018-06-09 11:57 12[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
> Sat, 2018-06-09 11:57 12[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
> Sat, 2018-06-09 11:57 12[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
> Sat, 2018-06-09 11:57 09[KNL] <VPN|2> querying policy 10.3.185.30/32 === 0.0.0.0/0 out (mark 2/0xffffffff)
> Sat, 2018-06-09 11:57 03[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Regards,
Gilles
On Fri, Jun 8, 2018 at 5:08 PM Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> Hi,
>
> Try setting charon.interfaces_use=bond0
>
> Kind regards
>
> Noel
>
> On 06.06.2018 11:47, Gilles Printemps wrote:
> > Hi Noel/Tobias,
> > I've done the modification in the script as highlighted but, unfortunately, I still have the same problem:
> > After 2 minutes, when I'm executing the same command, it's failing...
> > $ sudo -u vpn -i -- curl ipinfo.io
> > curl: (6) Could not resolve host: ipinfo.io
> >
> > My routing script:
> >
> > export TABLE_ID="vpn"
> > export VPN_USER="vpn"
> > export VTI_INTERFACE="vti0"
> > export LOCAL_IP="192.168.0.30"
> > #export LOCAL_IP="10.211.55.3"
> >
> > # Flush iptables rules
> > iptables -F -t nat
> > iptables -F -t mangle
> > iptables -F -t filter
> > # Mark packets from $VPN_USER
> > iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> > iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
> > iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
> > iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
> > # Deny $VPN_USER access to interfaces other than lo
> > # iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
> > # Allow $VPN_USER to access lo and the VPN interface
> > iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
> > iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
> >
> > # Allow responses from $VTI_INTERFACE
> > iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
> > # Masquerade packets on $VTI_INTERFACE
> > iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
> > # Routing rules
> > GATEWAY=$(ifconfig $VTI_INTERFACE |
> >   egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
> >   egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' |
> >   tail -n1)
> > ip route replace default via $GATEWAY table $TABLE_ID
> > ip route append default via 127.0.0.1 dev lo table $TABLE_ID
> > ip route flush cache
> >
> >
> > I really don't understand how this issue can be related to a routing table. Indeed, just after starting the VPN, the connection is working fine and the command is returning the right result.
> >
> > Please find below the routing table status after each step.
> > Hope it will help in finding where this issue is coming from...
> > BR Gilles
> >
> > $ sudo ipsec start
> > $ sudo ipsec statusall
> >
> > Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):
> >   uptime: 8 seconds,
> >   malloc: sbrk 3088384, mmap 0, used 1304704, free 1783680
> >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
> >   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
> > Listening IP addresses:
> >   192.168.0.30
> > Connections:
> >   VPN:  %any...free-nl.hide.me  IKEv2, dpddelay=30s
> >   VPN:   local:  uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
> >   VPN:   remote: uses public key authentication
> >   VPN:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
> > Routed Connections:
> >   VPN{1}:  ROUTED, TUNNEL, reqid 1
> >   VPN{1}:   192.168.0.30/32 === 0.0.0.0/0
> > Security Associations (0 up, 0 connecting):
> >   none
> >
> >
> > $ sudo ip route show table all
> >
> > default via 127.0.0.1 dev lo table vpn
> > default via 192.168.0.1 dev bond0 onlink
> > 192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
> > broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> > local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> > local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> > broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> > broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30
> > local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30
> > broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30
> > unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> > fe80::/64 dev bond0 proto kernel metric 256 pref medium
> > unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> > local ::1 dev lo table local proto none metric 0 pref medium
> > local fe80:: dev lo table local proto none metric 0 pref medium
> > local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium
> > ff00::/8 dev bond0 table local metric 256 pref medium
> > unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> >
> >
> > $ sudo ipsec up VPN
> > ...
> > connection 'VPN' established successfully
> >
> > $ sudo -u vpn -i -- curl ipinfo.io
> >
> > {
> >   "ip": "95.211.101.229",
> >   "city": "",
> >   "region": "",
> >   "country": "NL",
> >   "loc": "52.3824,4.8995",
> >   "org": "AS60781 LeaseWeb Netherlands B.V."
> > }
> >
> >
> > $ sudo ifconfig (vti0 and bond0 interfaces)
> >
> > bond0     Link encap:Ethernet  HWaddr c8:1f:66:cb:1f:af
> >           inet addr:192.168.0.30  Bcast:192.168.0.255  Mask:255.255.255.0
> >           inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link
> >           UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
> >           RX packets:1239225 errors:13 dropped:1649 overruns:0 frame:3
> >           TX packets:664640 errors:0 dropped:3 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:298208189 (298.2 MB)  TX bytes:123692731 (123.6 MB)
> >
> > vti0      Link encap:IPIP Tunnel  HWaddr
> >           inet addr:10.3.153.58  P-t-P:10.3.153.58  Mask:255.255.255.255
> >           UP POINTOPOINT RUNNING NOARP  MTU:1332  Metric:1
> >           RX packets:6 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1
> >           RX bytes:957 (957.0 B)  TX bytes:503 (503.0 B)
> >
> >
> > $ sudo ipsec statusall
> >
> > Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):
> >   uptime: 95 seconds,
> >   malloc: sbrk 3629056, mmap 0, used 1409056, free 2220000
> >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
> >   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
> > Listening IP addresses:
> >   192.168.0.30
> >   10.3.153.58
> > Connections:
> >   VPN:  %any...free-nl.hide.me  IKEv2, dpddelay=30s
> >   VPN:   local:  uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
> >   VPN:   remote: uses public key authentication
> >   VPN:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
> > Routed Connections:
> >   VPN{1}:  ROUTED, TUNNEL, reqid 1
> >   VPN{1}:   192.168.0.30/32 === 0.0.0.0/0
> > Security Associations (1 up, 0 connecting):
> >   VPN[1]: ESTABLISHED 33 seconds ago, 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
> >   VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i* 08a6a85a2e5367a6_r, EAP reauthentication in 2 hours
> >   VPN[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
> >   VPN{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3519ebd_i c3e6821b_o
> >   VPN{2}:  AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6 pkts, 25s ago), 532 bytes_o (9 pkts, 25s ago), rekeying in 46 minutes
> >   VPN{2}:   10.3.153.58/32 === 0.0.0.0/0
> >
> >
> > $ sudo ip route show table all
> >
> > default via 10.3.153.58 dev vti0 table vpn
> > default via 127.0.0.1 dev lo table vpn
> > default via 192.168.0.1 dev bond0 onlink
> > 192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
> > local 10.3.153.58 dev vti0 table local proto kernel scope host src 10.3.153.58
> > broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> > local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> > local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> > broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> > broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30
> > local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30
> > broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30
> > unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> > fe80::/64 dev bond0 proto kernel metric 256 pref medium
> > unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> > local ::1 dev lo table local proto none metric 0 pref medium
> > local fe80:: dev lo table local proto none metric 0 pref medium
> > local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium
> > ff00::/8 dev bond0 table local metric 256 pref medium
> > unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> >
> >
> > Display of all routing tables
> >
> > Filter table:
> > Chain INPUT (policy ACCEPT 189 packets, 15132 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     6   957 ACCEPT     all  --  vti0   any     anywhere             anywhere             ctstate ESTABLISHED
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > Chain OUTPUT (policy ACCEPT 185 packets, 26720 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 ACCEPT     all  --  any    lo      anywhere             anywhere             owner UID match vpn
> >     0     0 ACCEPT     all  --  any    vti0    anywhere             anywhere             owner UID match vpn
> > Nat table:
> > Chain PREROUTING (policy ACCEPT 2 packets, 136 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > Chain INPUT (policy ACCEPT 2 packets, 136 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > Chain OUTPUT (policy ACCEPT 30 packets, 2361 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > Chain POSTROUTING (policy ACCEPT 28 packets, 2246 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     2   115 MASQUERADE all  --  any    vti0    anywhere             anywhere
> > Mangle table:
> > Chain PREROUTING (policy ACCEPT 195 packets, 16089 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > Chain INPUT (policy ACCEPT 195 packets, 16089 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > Chain OUTPUT (policy ACCEPT 193 packets, 28964 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >   193 28964 CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK restore
> >    14  1439 MARK       all  --  any    any     anywhere            !coruscant.printemps.cc  owner UID match vpn MARK set 0x1
> >     0     0 MARK       all  --  any    any    !coruscant.printemps.cc  anywhere             owner UID match vpn MARK set 0x1
> >   193 28964 CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK save
> > Chain POSTROUTING (policy ACCEPT 211 packets, 30421 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> >
> >
> > After ~2 minutes, the connection is broken
> > $ sudo -u vpn -i -- curl ipinfo.io
> > curl: (6) Could not resolve host: ipinfo.io
> >
> > $ sudo ipsec statusall
> >
> > Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):
> >   uptime: 3 minutes,
> >   malloc: sbrk 3629056, mmap 0, used 1411312, free 2217744
> >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
> >   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
> > Listening IP addresses:
> >   192.168.0.30
> >   10.3.153.58
> > Connections:
> >   VPN:  %any...free-nl.hide.me  IKEv2, dpddelay=30s
> >   VPN:   local:  uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
> >   VPN:   remote: uses public key authentication
> >   VPN:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
> > Routed Connections:
> >   VPN{1}:  ROUTED, TUNNEL, reqid 1
> >   VPN{1}:   192.168.0.30/32 === 0.0.0.0/0
> > Security Associations (1 up, 0 connecting):
> >   VPN[1]: ESTABLISHED 2 minutes ago, 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
> >   VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i* 08a6a85a2e5367a6_r, EAP reauthentication in 2 hours
> >   VPN[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
> >   VPN[1]: Tasks active: IKE_MOBIKE
> >   VPN{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3519ebd_i c3e6821b_o
> >   VPN{2}:  AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6 pkts, 161s ago), 4127 bytes_o (52 pkts, 27s ago), rekeying in 44 minutes
> >   VPN{2}:   10.3.153.58/32 === 0.0.0.0/0
> >
> >
> > $ sudo ifconfig (vti0 and bond0 interfaces)
> >
> > bond0     Link encap:Ethernet  HWaddr c8:1f:66:cb:1f:af
> >           inet addr:192.168.0.30  Bcast:192.168.0.255  Mask:255.255.255.0
> >           inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link
> >           UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
> >           RX packets:1240273 errors:13 dropped:1651 overruns:0 frame:3
> >           TX packets:665233 errors:0 dropped:3 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:298394839 (298.3 MB)  TX bytes:123780036 (123.7 MB)
> >
> > vti0      Link encap:IPIP Tunnel  HWaddr
> >           inet addr:10.3.153.58  P-t-P:10.3.153.58  Mask:255.255.255.255
> >           UP POINTOPOINT RUNNING NOARP  MTU:1332  Metric:1
> >           RX packets:6 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1
> >           RX bytes:957 (957.0 B)  TX bytes:4098 (4.0 KB)
> >
> >
> > $ sudo ip route show table all
> >
> > default via 10.3.153.58 dev vti0 table vpn
> > default via 127.0.0.1 dev lo table vpn
> > default via 192.168.0.1 dev bond0 onlink
> > 192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
> > local 10.3.153.58 dev vti0 table local proto kernel scope host src 10.3.153.58
> > broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> > local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> > local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> > broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> > broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30
> > local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30
> > broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30
> > unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> > fe80::/64 dev bond0 proto kernel metric 256 pref medium
> > unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> > local ::1 dev lo table local proto none metric 0 pref medium
> > local fe80:: dev lo table local proto none metric 0 pref medium
> > local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium
> > ff00::/8 dev bond0 table local metric 256 pref medium
> > unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> >
> >
> >
> > After ~2 minutes, the connection is restarted...
> > $ sudo -u vpn -i -- curl ipinfo.io
> >
> > {
> >   "ip": "109.201.137.48",
> >   "hostname": "",
> >   "city": "Amsterdam",
> >   "region": "Noord-Holland",
> >   "country": "NL",
> >   "loc": "52.3666,4.9027",
> >   "postal": "1066",
> >   "org": "AS43350 NForce Entertainment B.V."
> > }
> >
> >
> > $ sudo ipsec statusall
> >
> > Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic, x86_64):
> >   uptime: 6 minutes,
> >   malloc: sbrk 3629056, mmap 0, used 1434848, free 2194208
> >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
> >   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
> > Listening IP addresses:
> >   192.168.0.30
> >   10.3.189.169
> > Connections:
> >   VPN:  %any...free-nl.hide.me  IKEv2, dpddelay=30s
> >   VPN:   local:  uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
> >   VPN:   remote: uses public key authentication
> >   VPN:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
> > Routed Connections:
> >   VPN{1}:  ROUTED, TUNNEL, reqid 1
> >   VPN{1}:   192.168.0.30/32 === 0.0.0.0/0
> > Security Associations (1 up, 0 connecting):
> >   VPN[2]: ESTABLISHED 61 seconds ago, 192.168.0.30[192.168.0.30]...109.201.137.46[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
> >   VPN[2]: IKEv2 SPIs: 5855a17374bc3cee_i* cedf941ba5dff66d_r, EAP reauthentication in 2 hours
> >   VPN[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
> >   VPN[2]: Tasks active: CHILD_CREATE
> >   VPN{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca615d08_i c38d7138_o
> >   VPN{3}:  AES_CBC_256/HMAC_SHA2_256_128, 1017 bytes_i (6 pkts, 31s ago), 503 bytes_o (8 pkts, 31s ago), rekeying in 44 minutes
> >   VPN{3}:   10.3.189.169/32 === 0.0.0.0/0
> >
> >
> > $ sudo ip route show table all
> >
> > default via 10.3.189.169 dev vti0 table vpn
> > default via 127.0.0.1 dev lo table vpn
> > default via 192.168.0.1 dev bond0 onlink
> > 192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
> > local 10.3.189.169 dev vti0 table local proto kernel scope host src 10.3.189.169
> > broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> > local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> > local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> > broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> > broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30
> > local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30
> > broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30
> > unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> > fe80::/64 dev bond0 proto kernel metric 256 pref medium
> > unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> > local ::1 dev lo table local proto none metric 0 pref medium
> > local fe80:: dev lo table local proto none metric 0 pref medium
> > local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium
> > ff00::/8 dev bond0 table local metric 256 pref medium
> > unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
> >
> >
> >
>
>
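As an added example (not from this thread or the strongSwan project), the script below parses charon filelog lines in the time_format quoted above, counts the client's own retransmits and the peer's repeated requests per IKE SA, and classifies which direction of the IKE path appears to be losing packets. The sample lines are the thread's wrapped log excerpt re-joined into single lines; the verdict strings, the SaStats type and the threshold are my own choices.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# One charon filelog line in the time_format quoted in the thread ("%a, %Y-%m-%d %R"):
# "<time> <thread>[<group>] <sa-name|id> <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] <(?P<sa>[^>]+)> (?P<msg>.*)$"
)
# Our own request M got no reply and is being re-sent for the Nth time
OUT_RETRANS_RE = re.compile(r"^retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)$")
# The peer re-sent its request M, i.e. it never saw the response we already sent
IN_RETRANS_RE = re.compile(r"^received retransmit of request with ID (?P<mid>\d+), retransmitting response$")
RECV_RE = re.compile(r"^received packet: from ")

@dataclass
class SaStats:
    out_retransmits: dict = field(default_factory=dict)         # our msg ID -> highest retransmit counter
    peer_retransmits: Counter = field(default_factory=Counter)  # peer request ID -> times re-sent
    packets_received: int = 0

def parse_line(line):
    """Split one log line into its fields; None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyse(lines):
    """Aggregate retransmit evidence per IKE SA, keyed by the '<name|id>' tag."""
    stats = defaultdict(SaStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s, msg = stats[rec["sa"]], rec["msg"]
        if m := OUT_RETRANS_RE.match(msg):
            mid, n = int(m["mid"]), int(m["n"])
            s.out_retransmits[mid] = max(s.out_retransmits.get(mid, 0), n)
        elif m := IN_RETRANS_RE.match(msg):
            s.peer_retransmits[int(m["mid"])] += 1
        elif RECV_RE.match(msg):
            s.packets_received += 1
    return dict(stats)

def diagnose(s, threshold=2):
    """Classify which direction of the IKE path looks broken for one SA (verdict names are mine)."""
    ours_unanswered = any(n >= threshold for n in s.out_retransmits.values())
    peer_repeating = any(c >= threshold for c in s.peer_retransmits.values())
    if peer_repeating:
        # The peer's requests keep arriving (peer->us works) but it never sees our
        # replies: suspect the us->peer path, e.g. local routing/firewall for UDP 4500.
        return "outbound-loss"
    if ours_unanswered and s.packets_received == 0:
        return "peer-silent"   # nothing comes back at all
    if ours_unanswered:
        return "reply-loss"    # the peer still talks, but our request is never answered
    return "ok"

# Constructed sample: the thread's wrapped log excerpt re-joined into single lines.
SAMPLE = """\
Sat, 2018-06-09 11:57 15[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 10[IKE] <VPN|2> retransmit 1 of request with message ID 6
Sat, 2018-06-09 11:57 05[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 05[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 16[IKE] <VPN|2> retransmit 2 of request with message ID 6
Sat, 2018-06-09 11:57 07[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 07[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 13[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 13[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
""".splitlines()

def report(lines=SAMPLE):
    """Return {sa: verdict} for every IKE SA seen in the lines."""
    return {sa: diagnose(s) for sa, s in analyse(lines).items()}
```

On the excerpt, `report()` yields `outbound-loss` for `VPN|2`: the peer's DPD requests are arriving while the client's responses are never acknowledged, which is the question the post asks about.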