[strongSwan] "sending keep alive" seems breaking VPN connection
Gilles Printemps
gprintemps at gmail.com
Sat Jun 9 12:49:22 CEST 2018
After my last email where I mentioned the setting has no effect, I
discovered something interesting:
Right after establishing the connection to the VPN,
- if I'm doing nothing (no traffic) through the vti, or
- if I'm pinging a host using the virtual tunnelling directly (ping -I
vti0 www.google.com),
the connection to the VPN is not destroyed and there is no retransmission of
packets.
Everything starts going wrong when I'm just doing my test request using
the "vpn" user
(sudo -u vpn -i -- curl ipinfo.io). Even if I'm getting the answer from
this request, I'm starting to see retransmissions and right after, the connection
is dropped and established again. And from then on, the connection stays
alive until a new request as before.
Any command using the "vpn" user seems to impact the connection to the VPN
and destroy it...
Best Regards,
Gilles
On Sat, Jun 9, 2018 at 12:16 PM Gilles Printemps <gprintemps at gmail.com>
wrote:
> Hi,
> I've added the setting in the "strongswan.conf" file but, unfortunately,
> issue is still the same...
>
>> charon {
>> interfaces_use = bond0
>> load_modular = yes
>> plugins {
>> include strongswan.d/charon/*.conf
>> }
>> filelog {
>> /var/log/charon_debug.log {
>> time_format = %a, %Y-%m-%d %R
>> default = 2
>> mgr = 0
>> net = 1
>> enc = 1
>> asn = 1
>> job = 1
>> ike_name = yes
>> append = no
>> flush_line = yes
>> }
>> }
>> }
>> include strongswan.d/*.conf
>
>
> It seems to be a routing problem because I have a lot of "retransmit" (see
> below) but
> - Why is it working at the beginning when the connection to the VPN
> server is established?
> - Are any requests blocked if strongSwan (here used as client) is not
> receiving an answer from the VPN server?
> - Can someone explain why it has to retransmit the response?
> Does it mean the server is not receiving it? Or is a rule missing for
> routing this packet through the vti?
>
>> Sat, 2018-06-09 11:57 15[NET] <VPN|2> sending packet: from
>> 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
>> Sat, 2018-06-09 11:57 10[IKE] <VPN|2> retransmit 1 of request with
>> message ID 6
>> Sat, 2018-06-09 11:57 10[NET] <VPN|2> sending packet: from
>> 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
>> Sat, 2018-06-09 11:57 05[NET] <VPN|2> received packet: from
>> 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
>> Sat, 2018-06-09 11:57 05[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
>> Sat, 2018-06-09 11:57 05[ENC] <VPN|2> generating INFORMATIONAL response 1
>> [ ]
>> Sat, 2018-06-09 11:57 05[NET] <VPN|2> sending packet: from
>> 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
>> Sat, 2018-06-09 11:57 16[IKE] <VPN|2> retransmit 2 of request with
>> message ID 6
>> Sat, 2018-06-09 11:57 16[NET] <VPN|2> sending packet: from
>> 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
>> Sat, 2018-06-09 11:57 07[NET] <VPN|2> received packet: from
>> 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
>> Sat, 2018-06-09 11:57 07[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
>> Sat, 2018-06-09 11:57 07[IKE] <VPN|2> received retransmit of request with
>> ID 1, retransmitting response
>> Sat, 2018-06-09 11:57 07[NET] <VPN|2> sending packet: from
>> 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
>> Sat, 2018-06-09 11:57 13[NET] <VPN|2> received packet: from
>> 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
>> Sat, 2018-06-09 11:57 13[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
>> Sat, 2018-06-09 11:57 13[IKE] <VPN|2> received retransmit of request with
>> ID 1, retransmitting response
>> Sat, 2018-06-09 11:57 13[NET] <VPN|2> sending packet: from
>> 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
>> Sat, 2018-06-09 11:57 12[NET] <VPN|2> received packet: from
>> 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
>> Sat, 2018-06-09 11:57 12[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
>> Sat, 2018-06-09 11:57 12[IKE] <VPN|2> received retransmit of request with
>> ID 1, retransmitting response
>> Sat, 2018-06-09 11:57 12[NET] <VPN|2> sending packet: from
>> 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
>> Sat, 2018-06-09 11:57 09[KNL] <VPN|2> querying policy 10.3.185.30/32 ===
>> 0.0.0.0/0 out (mark 2/0xffffffff)
>> Sat, 2018-06-09 11:57 03[NET] <VPN|2> received packet: from
>> 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
>
>
> Regards,
> Gilles
>
> On Fri, Jun 8, 2018 at 5:08 PM Noel Kuntze
> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
>> Hi,
>>
>> Try setting charon.interfaces_use=bond0
>>
>> Kind regards
>>
>> Noel
>>
>> On 06.06.2018 11:47, Gilles Printemps wrote:
>> > Hi Noel/Tobias,
>> > I've done the modification in the script as highlighted but,
>> unfortunately, I still have the same problem:
>> > After 2 minutes, when I'm executing the same command, it's failing...
>> > $ sudo -u vpn -i -- curl ipinfo.io
>> > curl: (6) Could not resolve host: ipinfo.io
>> >
>> > My routing script:
>> >
>> > export TABLE_ID="vpn"
>> > export VPN_USER="vpn"
>> > export VTI_INTERFACE="vti0"
>> > export LOCAL_IP="192.168.0.30"
>> > #export LOCAL_IP="10.211.55.3"
>> >
>> > # Flush iptables rules
>> > iptables -F -t nat
>> > iptables -F -t mangle
>> > iptables -F -t filter
>> > # Mark packets from $VPN_USER (restore the connection mark first so
>> > # replies of already-marked connections keep their mark)
>> > iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
>> > iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
>> > iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
>> > iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
>> > # Deny $VPN_USER access to interfaces other than lo
>> > # iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
>> > # Allow $VPN_USER to access lo and the VPN interface
>> > iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
>> > iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
>> >
>> > # Allow responses from $VTI_INTERFACE
>> > iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
>> > # Masquerade packets leaving on $VTI_INTERFACE
>> > iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
>> > # Routing rules: take the last IPv4 address printed for the VTI
>> > # (excluding netmask-like and loopback values) as the gateway
>> > GATEWAY=$(ifconfig $VTI_INTERFACE |
>> >     egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
>> >     egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
>> > ip route replace default via $GATEWAY table $TABLE_ID
>> > ip route append default via 127.0.0.1 dev lo table $TABLE_ID
>> > ip route flush cache
>> >
>> >
>> > I really don't understand how this issue can be related to a routing
>> table. Indeed, just after starting the VPN, the connection is working fine and
>> the command is returning the right result.
>> >
>> > Please find below the routing table status after each step.
>> > Hope it will help to find where this issue is coming from...
>> > BR Gilles
>> >
>> > $ sudo ipsec start
>> > $ sudo ipsec statusall
>> >
>> > Status of IKE charon daemon (strongSwan 5.6.0, Linux
>> 4.4.0-127-generic, x86_64):
>> > uptime: 8 seconds,
>> > malloc: sbrk 3088384, mmap 0, used 1304704, free 1783680
>> > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
>> 0/0/0/0, scheduled: 0
>> > loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce
>> x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
>> openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve
>> socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2
>> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
>> xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
>> > Listening IP addresses:
>> > 192.168.0.30
>> > Connections:
>> > VPN: %any...free-nl.hide.me
>> IKEv2, dpddelay=30s
>> > VPN: local: uses EAP_MSCHAPV2 authentication with EAP
>> identity 'gprintemps'
>> > VPN: remote: uses public key authentication
>> > VPN: child: dynamic === 0.0.0.0/0
>> TUNNEL, dpdaction=restart
>> > Routed Connections:
>> > VPN{1}: ROUTED, TUNNEL, reqid 1
>> > VPN{1}: 192.168.0.30/32 ===
>> 0.0.0.0/0
>> > Security Associations (0 up, 0 connecting):
>> > none
>> >
>> >
>> > $ sudo ip route show table all
>> >
>> > default via 127.0.0.1 dev lo table vpn
>> > default via 192.168.0.1 dev bond0 onlink
>> > 192.168.0.0/24 dev bond0 proto kernel
>> scope link src 192.168.0.30
>> > broadcast 127.0.0.0 dev lo table local proto kernel scope link
>> src 127.0.0.1
>> > local 127.0.0.0/8 dev lo table local proto
>> kernel scope host src 127.0.0.1
>> > local 127.0.0.1 dev lo table local proto kernel scope host src
>> 127.0.0.1
>> > broadcast 127.255.255.255 dev lo table local proto kernel scope
>> link src 127.0.0.1
>> > broadcast 192.168.0.0 dev bond0 table local proto kernel scope
>> link src 192.168.0.30
>> > local 192.168.0.30 dev bond0 table local proto kernel scope host
>> src 192.168.0.30
>> > broadcast 192.168.0.255 dev bond0 table local proto kernel scope
>> link src 192.168.0.30
>> > unreachable default dev lo table unspec proto kernel metric
>> 4294967295 error -101 pref medium
>> > fe80::/64 dev bond0 proto kernel metric 256 pref medium
>> > unreachable default dev lo table unspec proto kernel metric
>> 4294967295 error -101 pref medium
>> > local ::1 dev lo table local proto none metric 0 pref medium
>> > local fe80:: dev lo table local proto none metric 0 pref medium
>> > local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none
>> metric 0 pref medium
>> > ff00::/8 dev bond0 table local metric 256 pref medium
>> > unreachable default dev lo table unspec proto kernel metric
>> 4294967295 error -101 pref medium
>> >
>> >
>> > $ sudo ipsec up VPN
>> > ...
>> > connection 'VPN' established successfully
>> >
>> > $ sudo -u vpn -i -- curl ipinfo.io
>> >
>> > {
>> > "ip": "95.211.101.229",
>> > "city": "",
>> > "region": "",
>> > "country": "NL",
>> > "loc": "52.3824,4.8995",
>> > "org": "AS60781 LeaseWeb Netherlands B.V."
>> > }
>> >
>> >
>> > $ sudo ifconfig (vti0 and bond0 interfaces)
>> >
>> > bond0 Link encap:Ethernet HWaddr c8:1f:66:cb:1f:af
>> > inet addr:192.168.0.30 Bcast:192.168.0.255
>> Mask:255.255.255.0
>> > inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link
>> > UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
>> > RX packets:1239225 errors:13 dropped:1649 overruns:0
>> frame:3
>> > TX packets:664640 errors:0 dropped:3 overruns:0 carrier:0
>> > collisions:0 txqueuelen:1000
>> > RX bytes:298208189 (298.2 MB) TX bytes:123692731 (123.6
>> MB)
>> > vti0 Link encap:IPIP Tunnel HWaddr
>> > inet addr:10.3.153.58 P-t-P:10.3.153.58
>> Mask:255.255.255.255
>> > UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
>> > RX packets:6 errors:0 dropped:0 overruns:0 frame:0
>> > TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>> > collisions:0 txqueuelen:1
>> > RX bytes:957 (957.0 B) TX bytes:503 (503.0 B)
>> >
>> >
>> > $ sudo ipsec statusall
>> >
>> > Status of IKE charon daemon (strongSwan 5.6.0, Linux
>> 4.4.0-127-generic, x86_64):
>> > uptime: 95 seconds,
>> > malloc: sbrk 3629056, mmap 0, used 1409056, free 2220000
>> > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
>> 0/0/0/0, scheduled: 4
>> > loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce
>> x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
>> openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve
>> socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2
>> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
>> xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
>> > Listening IP addresses:
>> > 192.168.0.30
>> > 10.3.153.58
>> > Connections:
>> > VPN: %any...free-nl.hide.me
>> IKEv2, dpddelay=30s
>> > VPN: local: uses EAP_MSCHAPV2 authentication with EAP
>> identity 'gprintemps'
>> > VPN: remote: uses public key authentication
>> > VPN: child: dynamic === 0.0.0.0/0
>> TUNNEL, dpdaction=restart
>> > Routed Connections:
>> > VPN{1}: ROUTED, TUNNEL, reqid 1
>> > VPN{1}: 192.168.0.30/32 ===
>> 0.0.0.0/0
>> > Security Associations (1 up, 0 connecting):
>> > VPN[1]: ESTABLISHED 33 seconds ago,
>> 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan,
>> L=Labuan, O=eVenture Limited, CN=*.hide.me]
>> > VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i*
>> 08a6a85a2e5367a6_r, EAP reauthentication in 2 hours
>> > VPN[1]: IKE proposal:
>> AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
>> > VPN{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs:
>> c3519ebd_i c3e6821b_o
>> > VPN{2}: AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6
>> pkts, 25s ago), 532 bytes_o (9 pkts, 25s ago), rekeying in 46 minutes
>> > VPN{2}: 10.3.153.58/32 ===
>> 0.0.0.0/0
>> >
>> >
>> > $ sudo ip route show table all
>> >
>> > default via 10.3.153.58 dev vti0 table vpn
>> > default via 127.0.0.1 dev lo table vpn
>> > default via 192.168.0.1 dev bond0 onlink
>> > 192.168.0.0/24 dev bond0 proto kernel
>> scope link src 192.168.0.30
>> > local 10.3.153.58 dev vti0 table local proto kernel scope host
>> src 10.3.153.58
>> > broadcast 127.0.0.0 dev lo table local proto kernel scope link
>> src 127.0.0.1
>> > local 127.0.0.0/8 dev lo table local proto
>> kernel scope host src 127.0.0.1
>> > local 127.0.0.1 dev lo table local proto kernel scope host src
>> 127.0.0.1
>> > broadcast 127.255.255.255 dev lo table local proto kernel scope
>> link src 127.0.0.1
>> > broadcast 192.168.0.0 dev bond0 table local proto kernel scope
>> link src 192.168.0.30
>> > local 192.168.0.30 dev bond0 table local proto kernel scope host
>> src 192.168.0.30
>> > broadcast 192.168.0.255 dev bond0 table local proto kernel scope
>> link src 192.168.0.30
>> > unreachable default dev lo table unspec proto kernel metric
>> 4294967295 error -101 pref medium
>> > fe80::/64 dev bond0 proto kernel metric 256 pref medium
>> > unreachable default dev lo table unspec proto kernel metric
>> 4294967295 error -101 pref medium
>> > local ::1 dev lo table local proto none metric 0 pref medium
>> > local fe80:: dev lo table local proto none metric 0 pref medium
>> > local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none
>> metric 0 pref medium
>> > ff00::/8 dev bond0 table local metric 256 pref medium
>> > unreachable default dev lo table unspec proto kernel metric
>> 4294967295 error -101 pref medium
>> >
>> >
>> > Display of all routing tables
>> >
>> > Filter table:
>> > Chain INPUT (policy ACCEPT 189 packets, 15132 bytes)
>> > pkts bytes target prot opt in out source
>> destination
>> > 6 957 ACCEPT all -- vti0 any anywhere
>> anywhere ctstate ESTABLISHED
>> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> > pkts bytes target prot opt in out source
>> destination
>> > Chain OUTPUT (policy ACCEPT 185 packets, 26720 bytes)
>> > pkts bytes target prot opt in out source
>> destination
>> > 0 0 ACCEPT all -- any lo anywhere
>> anywhere owner UID match vpn
>> > 0 0 ACCEPT all -- any vti0 anywhere
>> anywhere owner UID match vpn
>> > Nat table:
>> > Chain PREROUTING (policy ACCEPT 2 packets, 136 bytes)
>> > pkts bytes target prot opt in out source
>> destination
>> > Chain INPUT (policy ACCEPT 2 packets, 136 bytes)
>> > pkts bytes target prot opt in out source
>> destination
>> > Chain OUTPUT (policy ACCEPT 30 packets, 2361 bytes)
>> > pkts bytes target prot opt in out source
>> destination
>> > Chain POSTROUTING (policy ACCEPT 28 packets, 2246 bytes)
>> > pkts bytes target prot opt in out source
>> destination
>> > 2 115 MASQUERADE all -- any vti0 anywhere
>> anywhere
>> > Mangle table:
>> > Chain PREROUTING (policy ACCEPT 195 packets, 16089 bytes)
>> > pkts bytes target prot opt in out source
>> destination
>> > Chain INPUT (policy ACCEPT 195 packets, 16089 bytes)
>> > pkts bytes target prot opt in out source
>> destination
>> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> > pkts bytes target prot opt in out source
>> destination
>> > Chain OUTPUT (policy ACCEPT 193 packets, 28964 bytes)
>> > pkts bytes target prot opt in out source
>> destination
>> > 193 28964 CONNMARK all -- any any anywhere
>> anywhere CONNMARK restore
>> > 14 1439 MARK all -- any any anywhere !
>> coruscant.printemps.cc owner UID match
>> vpn MARK set 0x1
>> > 0 0 MARK all -- any any !
>> coruscant.printemps.cc anywhere
>> owner UID match vpn MARK set 0x1
>> > 193 28964 CONNMARK all -- any any anywhere
>> anywhere CONNMARK save
>> > Chain POSTROUTING (policy ACCEPT 211 packets, 30421 bytes)
>> > pkts bytes target prot opt in out source
>> destination
>> >
>> >
>> >
>> > After ~2 minutes, connection is broken
>> > $ sudo -u vpn -i -- curl ipinfo.io
>> > curl: (6) Could not resolve host: ipinfo.io
>> >
>> > $ sudo ipsec statusall
>> >
>> > Status of IKE charon daemon (strongSwan 5.6.0, Linux
>> 4.4.0-127-generic, x86_64):
>> > uptime: 3 minutes,
>> > malloc: sbrk 3629056, mmap 0, used 1411312, free 2217744
>> > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
>> 0/0/0/0, scheduled: 5
>> > loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce
>> x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
>> openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve
>> socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2
>> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
>> xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
>> > Listening IP addresses:
>> > 192.168.0.30
>> > 10.3.153.58
>> > Connections:
>> > VPN: %any...free-nl.hide.me
>> IKEv2, dpddelay=30s
>> > VPN: local: uses EAP_MSCHAPV2 authentication with EAP
>> identity 'gprintemps'
>> > VPN: remote: uses public key authentication
>> > VPN: child: dynamic === 0.0.0.0/0
>> TUNNEL, dpdaction=restart
>> > Routed Connections:
>> > VPN{1}: ROUTED, TUNNEL, reqid 1
>> > VPN{1}: 192.168.0.30/32 ===
>> 0.0.0.0/0
>> > Security Associations (1 up, 0 connecting):
>> > VPN[1]: ESTABLISHED 2 minutes ago,
>> 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan,
>> L=Labuan, O=eVenture Limited, CN=*.hide.me]
>> > VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i*
>> 08a6a85a2e5367a6_r, EAP reauthentication in 2 hours
>> > VPN[1]: IKE proposal:
>> AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
>> > VPN[1]: Tasks active: IKE_MOBIKE
>> > VPN{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs:
>> c3519ebd_i c3e6821b_o
>> > VPN{2}: AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6
>> pkts, 161s ago), 4127 bytes_o (52 pkts, 27s ago), rekeying in 44 minutes
>> > VPN{2}: 10.3.153.58/32 ===
>> 0.0.0.0/0
>> >
>> >
>> > $ sudo ifconfig (vti0 and bond0 interfaces)
>> >
>> > bond0 Link encap:Ethernet HWaddr c8:1f:66:cb:1f:af
>> > inet addr:192.168.0.30 Bcast:192.168.0.255
>> Mask:255.255.255.0
>> > inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link
>> > UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
>> > RX packets:1240273 errors:13 dropped:1651 overruns:0
>> frame:3
>> > TX packets:665233 errors:0 dropped:3 overruns:0 carrier:0
>> > collisions:0 txqueuelen:1000
>> > RX bytes:298394839 (298.3 MB) TX bytes:123780036 (123.7
>> MB)
>> > vti0 Link encap:IPIP Tunnel HWaddr
>> > inet addr:10.3.153.58 P-t-P:10.3.153.58
>> Mask:255.255.255.255
>> > UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
>> > RX packets:6 errors:0 dropped:0 overruns:0 frame:0
>> > TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
>> > collisions:0 txqueuelen:1
>> > RX bytes:957 (957.0 B) TX bytes:4098 (4.0 KB)
>> >
>> >
>> > $ sudo ip route show table all
>> >
>> > default via 10.3.153.58 dev vti0 table vpn
>> > default via 127.0.0.1 dev lo table vpn
>> > default via 192.168.0.1 dev bond0 onlink
>> > 192.168.0.0/24 dev bond0 proto kernel
>> scope link src 192.168.0.30
>> > local 10.3.153.58 dev vti0 table local proto kernel scope host
>> src 10.3.153.58
>> > broadcast 127.0.0.0 dev lo table local proto kernel scope link
>> src 127.0.0.1
>> > local 127.0.0.0/8 dev lo table local proto
>> kernel scope host src 127.0.0.1
>> > local 127.0.0.1 dev lo table local proto kernel scope host src
>> 127.0.0.1
>> > broadcast 127.255.255.255 dev lo table local proto kernel scope
>> link src 127.0.0.1
>> > broadcast 192.168.0.0 dev bond0 table local proto kernel scope
>> link src 192.168.0.30
>> > local 192.168.0.30 dev bond0 table local proto kernel scope host
>> src 192.168.0.30
>> > broadcast 192.168.0.255 dev bond0 table local proto kernel scope
>> link src 192.168.0.30
>> > unreachable default dev lo table unspec proto kernel metric
>> 4294967295 error -101 pref medium
>> > fe80::/64 dev bond0 proto kernel metric 256 pref medium
>> > unreachable default dev lo table unspec proto kernel metric
>> 4294967295 error -101 pref medium
>> > local ::1 dev lo table local proto none metric 0 pref medium
>> > local fe80:: dev lo table local proto none metric 0 pref medium
>> > local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none
>> metric 0 pref medium
>> > ff00::/8 dev bond0 table local metric 256 pref medium
>> > unreachable default dev lo table unspec proto kernel metric
>> 4294967295 error -101 pref medium
>> >
>> >
>> >
>> > After ~2 minutes, the connection is restarted...
>> > $ sudo -u vpn -i -- curl ipinfo.io
>> >
>> > {
>> > "ip": "109.201.137.48",
>> > "hostname": "",
>> > "city": "Amsterdam",
>> > "region": "Noord-Holland",
>> > "country": "NL",
>> > "loc": "52.3666,4.9027",
>> > "postal": "1066",
>> > "org": "AS43350 NForce Entertainment B.V."
>> > }
>> >
>> >
>> > $ sudo ipsec statusall
>> >
>> > Status of IKE charon daemon (strongSwan 5.6.0, Linux
>> 4.4.0-127-generic, x86_64):
>> > uptime: 6 minutes,
>> > malloc: sbrk 3629056, mmap 0, used 1434848, free 2194208
>> > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
>> 0/0/0/0, scheduled: 7
>> > loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce
>> x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
>> openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve
>> socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2
>> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
>> xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
>> > Listening IP addresses:
>> > 192.168.0.30
>> > 10.3.189.169
>> > Connections:
>> > VPN: %any...free-nl.hide.me
>> IKEv2, dpddelay=30s
>> > VPN: local: uses EAP_MSCHAPV2 authentication with EAP
>> identity 'gprintemps'
>> > VPN: remote: uses public key authentication
>> > VPN: child: dynamic === 0.0.0.0/0
>> TUNNEL, dpdaction=restart
>> > Routed Connections:
>> > VPN{1}: ROUTED, TUNNEL, reqid 1
>> > VPN{1}: 192.168.0.30/32 ===
>> 0.0.0.0/0
>> > Security Associations (1 up, 0 connecting):
>> > VPN[2]: ESTABLISHED 61 seconds ago,
>> 192.168.0.30[192.168.0.30]...109.201.137.46[C=MY, ST=Wilayah Persekutuan,
>> L=Labuan, O=eVenture Limited, CN=*.hide.me]
>> > VPN[2]: IKEv2 SPIs: 5855a17374bc3cee_i*
>> cedf941ba5dff66d_r, EAP reauthentication in 2 hours
>> > VPN[2]: IKE proposal:
>> AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
>> > VPN[2]: Tasks active: CHILD_CREATE
>> > VPN{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs:
>> ca615d08_i c38d7138_o
>> > VPN{3}: AES_CBC_256/HMAC_SHA2_256_128, 1017 bytes_i (6
>> pkts, 31s ago), 503 bytes_o (8 pkts, 31s ago), rekeying in 44 minutes
>> > VPN{3}: 10.3.189.169/32 ===
>> 0.0.0.0/0
>> >
>> >
>> > $ sudo ip route show table all
>> >
>> > default via 10.3.189.169 dev vti0 table vpn
>> > default via 127.0.0.1 dev lo table vpn
>> > default via 192.168.0.1 dev bond0 onlink
>> > 192.168.0.0/24 dev bond0 proto kernel
>> scope link src 192.168.0.30
>> > local 10.3.189.169 dev vti0 table local proto kernel scope host
>> src 10.3.189.169
>> > broadcast 127.0.0.0 dev lo table local proto kernel scope link
>> src 127.0.0.1
>> > local 127.0.0.0/8 dev lo table local proto
>> kernel scope host src 127.0.0.1
>> > local 127.0.0.1 dev lo table local proto kernel scope host src
>> 127.0.0.1
>> > broadcast 127.255.255.255 dev lo table local proto kernel scope
>> link src 127.0.0.1
>> > broadcast 192.168.0.0 dev bond0 table local proto kernel scope
>> link src 192.168.0.30
>> > local 192.168.0.30 dev bond0 table local proto kernel scope host
>> src 192.168.0.30
>> > broadcast 192.168.0.255 dev bond0 table local proto kernel scope
>> link src 192.168.0.30
>> > unreachable default dev lo table unspec proto kernel metric
>> 4294967295 error -101 pref medium
>> > fe80::/64 dev bond0 proto kernel metric 256 pref medium
>> > unreachable default dev lo table unspec proto kernel metric
>> 4294967295 error -101 pref medium
>> > local ::1 dev lo table local proto none metric 0 pref medium
>> > local fe80:: dev lo table local proto none metric 0 pref medium
>> > local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none
>> metric 0 pref medium
>> > ff00::/8 dev bond0 table local metric 256 pref medium
>> > unreachable default dev lo table unspec proto kernel metric
>> 4294967295 error -101 pref medium
>> >
>> >
>> >
>>
>>
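Three small shell helpers, added here as an example and not code from the thread or from strongSwan, for the checks this thread turns on: counting the IKE retransmits in the charon log quoted above, reading the VTI's peer address from ifconfig output instead of the "last IPv4 address that is not 255.x or 127.x" heuristic in the routing script, and confirming that an ip rule maps the 0x1 firewall mark to the "vpn" table (the routing script sets the mark, but the thread does not show the host's rules). All three read captured output from stdin so they run offline; the SAMPLE_LOG and SAMPLE_IFCONFIG strings are constructed from the log and ifconfig output quoted in the thread, and SAMPLE_RULES is an assumed "ip rule show" output.

```shell
#!/bin/sh
# Added example, not code from the thread. Every function reads captured
# command output from stdin; the SAMPLE_* strings are constructed input.

# Constructed sample: a subset of the charon filelog lines quoted above.
SAMPLE_LOG='Sat, 2018-06-09 11:57 15[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 10[IKE] <VPN|2> retransmit 1 of request with message ID 6
Sat, 2018-06-09 11:57 05[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 16[IKE] <VPN|2> retransmit 2 of request with message ID 6
Sat, 2018-06-09 11:57 07[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 13[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response'

# Constructed sample: the bond0/vti0 blocks of the ifconfig output quoted above.
SAMPLE_IFCONFIG='bond0     Link encap:Ethernet  HWaddr c8:1f:66:cb:1f:af
          inet addr:192.168.0.30  Bcast:192.168.0.255  Mask:255.255.255.0

vti0      Link encap:IPIP Tunnel  HWaddr
          inet addr:10.3.153.58  P-t-P:10.3.153.58  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1332  Metric:1'

# Assumed "ip rule show" output (the thread does not show the host's rules).
# Table "vpn" is assumed to be named in /etc/iproute2/rt_tables, as the
# script's "table $TABLE_ID" implies.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup vpn
32766:  from all lookup main
32767:  from all lookup default'

# Summarise IKE retransmissions per IKE SA and message ID.
# Outbound: charon numbers its own retries ("retransmit N of request with
# message ID M"), so the highest N seen is the retry count.
# Inbound: every "received retransmit of request with ID M" is counted.
# Output lines: "<ike-sa> out|in <msgid> <count>", sorted.
count_retransmits() {
    awk '
        / retransmit [0-9]+ of request with message ID [0-9]+/ {
            match($0, /<[^>]*>/);           sa = substr($0, RSTART + 1, RLENGTH - 2)
            match($0, /retransmit [0-9]+/); n  = substr($0, RSTART + 11, RLENGTH - 11) + 0
            match($0, /message ID [0-9]+/); id = substr($0, RSTART + 11, RLENGTH - 11)
            key = sa " out " id
            if (n > seen[key] + 0) seen[key] = n
        }
        / received retransmit of request with ID [0-9]+/ {
            match($0, /<[^>]*>/);        sa = substr($0, RSTART + 1, RLENGTH - 2)
            match($0, /with ID [0-9]+/); id = substr($0, RSTART + 8, RLENGTH - 8)
            seen[sa " in " id]++
        }
        END { for (k in seen) print k, seen[k] }' | sort
}

# Print the P-t-P (peer) address of a point-to-point interface from
# net-tools ifconfig output. Interface blocks start in column 1; their
# detail lines are indented. Prints nothing if the interface has no P-t-P.
# usage: ptp_gateway vti0 < ifconfig-output
ptp_gateway() {
    awk -v iface="$1" '
        /^[^ ]/ { cur = $1 }
        cur == iface && match($0, /P-t-P:[0-9.]+/) {
            print substr($0, RSTART + 6, RLENGTH - 6); exit
        }'
}

# Succeed (exit 0) if a policy-routing rule sends packets carrying the
# given firewall mark to the given table. Marking packets with iptables
# has no routing effect unless such a rule exists.
# usage: has_fwmark_rule 0x1 vpn < ip-rule-output
has_fwmark_rule() {
    grep -q "fwmark $1 .*lookup $2"
}

# Demo run against the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | count_retransmits
printf '%s\n' "$SAMPLE_IFCONFIG" | ptp_gateway vti0
if printf '%s\n' "$SAMPLE_RULES" | has_fwmark_rule 0x1 vpn; then
    echo "rule present: fwmark 0x1 -> table vpn"
else
    echo "no rule maps fwmark 0x1 to table vpn"
fi
```

On a live host the same functions take real output: `count_retransmits < /var/log/charon_debug.log`, `ifconfig | ptp_gateway vti0`, and `ip rule show | has_fwmark_rule 0x1 vpn`. In the ifconfig output quoted in the thread the VTI's local and P-t-P addresses are the same (10.3.153.58), so the function returns the value the script's egrep chain happened to pick; it just stops depending on the address not containing "255".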