[strongSwan] "sending keep alive" seems breaking VPN connection
Gilles Printemps
gprintemps at gmail.com
Tue May 29 10:51:47 CEST 2018
Hi,
After several days, I finally have a configuration which force all the
traffic from a specific user to be routed from a VPN via a vti interface.
After creating the vti interface and establishing the different route, I
can successfully check if the traffic is currently routed using the
following commands:
sudo -u vpn -i -- curl ipinfo.io
ping -I vti0 www.google.com
Unfortunately, after a period d of time, it is no more working and I can
see several error packets on the vti interface. several minute later,
connection is established again with the VPN but with a new connection (IP
has changed).
It seems this issue occurs after "sending keep alive" from IKE.
Is something missing or wrong in my ipsec.conf?
Thanks for your help,
Gilles
/etc/ipsec.conf
> config setup
> charondebug="ike 2, knl 3, cfg 0"
> conn %default
> ### Key Exchange
> keyexchange=ikev2
> ike=aes256-sha256-ecp384 # Algorithms used for
> the connection [phase1/ISAKMP SA]
> esp=aes256-sha256-ecp384,aes256-sha256 # Algorithms
> offered/accepted for a phase2 negotiation
> conn VPN
> dpdaction=restart
> leftupdown=/etc/ipsec.script.sh
> left=%defaultroute
> leftsourceip=%config4
> leftauth=eap-mschapv2
> eap_identity=gprintemps
> right=free-nl.hide.me
> rightauth=pubkey
> rightid=%any
> rightsubnet=0.0.0.0/0
> auto=start
> mark=2
/etc/ipsec.script.sh
> set -o nounset
> set -o errexit
> VPN_USER="vpn"
> VTI_INTERFACE="vti0"
> case "${PLUTO_VERB}" in
> up-client)
> ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote
> "${PLUTO_PEER}" mode vti \
> okey "${PLUTO_MARK_OUT%%/*}" ikey
> "${PLUTO_MARK_IN%%/*}"
> ip link set "${VTI_INTERFACE}" up
> sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
> sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2"
> ip addr add ${PLUTO_MY_SOURCEIP} dev "${VTI_INTERFACE}"
> if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
> ip rule add from all fwmark 0x1 lookup $VPN_USER
> fi
> # Launch routing script
> /etc/ipsec.route.sh
> ;;
> down-client)
> ip tunnel del "${VTI_INTERFACE}"
> ;;
> esac
/etc/ipsec.route.sh
> export TABLE_ID="vpn"
> export VPN_USER="vpn"
> export VTI_INTERFACE="vti0"
> export LOCAL_IP="10.211.55.3"
>
> # Flush iptables rules
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
> # Mark packets from $VPN_USER
> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner
> $VPN_USER -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
> # Deny $VPN_USER to access other interfaces than lo
> # iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
> # Allow $VPN_USER to access lo and VPN interfaces
> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
> iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j
> ACCEPT
>
> # Allow response from $VPN_INTERFACE
> iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j
> ACCEPT
> # Masquarade packets on $VPN_INTERFACE
> iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
> # Routing rules
> GATEWAY=$(ifconfig $VTI_INTERFACE |
> egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
> egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail
> -n1)
> ip route replace default via $GATEWAY table $TABLE_ID
> ip route append default via 127.0.0.1 dev lo table $TABLE_ID
> ip route flush cache
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180529/d4645257/attachment.html>
More information about the Users
mailing list