[strongSwan] Strongswan/VTI: Connection killed after several "retransmit of request"

Gilles Printemps gprintemps at gmail.com
Wed Nov 14 15:51:35 CET 2018


Hi,
For several months, I've been trying to find a solution for routing traffic
from a specific user to a VPN using a VTI.
The issue seems to come from the VTI that I created for handling the VPN
connection (FYI, using the same routing parameters with OpenVPN is
working).

The issue is the following:
   - The connection is successfully established.
   - Then the following request using the VTI/VPN successfully returns a response:
     sudo -u vpn -i -- curl ipinfo.io

   - After several attempts to keep the connection alive, the connection
     breaks, the link with the VPN is broken,
     and another run of the previous command returns "curl: (6) Could not
     resolve host: ipinfo.io"

I tried to follow advice from users of the mailing list but, unfortunately,
the issue is still there...
Updated config files and logs (ifconfig, iptables, xfrm state, charon.log)
are attached.

I suspect that the issue is due to:
   - a missing/bad route
   - an issue related to the conn mark
         .. I'm using 0x1 to mark traffic from the "vpn" user and to route it
            to the VTI
         .. strongSwan is using 0x2 to flag its packets
            BTW, as you can see in the result of "xfrm state", mark 0x2 is
            only present in one direction.
            All the results I've seen show the mark in both directions...

I really hope someone will be able to help me find a solution...
Thanks in advance
-------------- next part --------------
enp0s5    Link encap:Ethernet  HWaddr 00:1c:42:61:00:5f  
          inet addr:10.211.55.26  Bcast:10.211.55.255  Mask:255.255.255.0
          inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fe61:5f/64 Scope:Global
          inet6 addr: fe80::21c:42ff:fe61:5f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30689 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20834 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3096795 (3.0 MB)  TX bytes:4175200 (4.1 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:309 errors:0 dropped:0 overruns:0 frame:0
          TX packets:309 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:29366 (29.3 KB)  TX bytes:29366 (29.3 KB)

tun0      Link encap:IPIP Tunnel  HWaddr   
          inet addr:10.3.190.59  P-t-P:10.3.190.59  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56 errors:15 dropped:0 overruns:0 carrier:15
          collisions:0 txqueuelen:1 
          RX bytes:4075 (4.0 KB)  TX bytes:3476 (3.4 KB)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.vti.sh
Type: application/x-sh
Size: 1627 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20181114/23d205a8/attachment-0002.sh>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.conf
Type: application/octet-stream
Size: 529 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20181114/23d205a8/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.route.sh
Type: application/x-sh
Size: 1968 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20181114/23d205a8/attachment-0003.sh>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon.log.zip
Type: application/zip
Size: 16617 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20181114/23d205a8/attachment-0001.zip>
-------------- next part --------------
Filter table:
Chain INPUT (policy ACCEPT 598 packets, 48232 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   24  4075 ACCEPT     all  --  tun0   any     anywhere             anywhere             ctstate ESTABLISHED
    0     0 REJECT     all  --  tun0   any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 471 packets, 87850 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere             owner UID match vpn
    0     0 ACCEPT     all  --  any    tun0    anywhere             anywhere             owner UID match vpn
    0     0 REJECT     all  --  any    enp0s5 !10.211.55.26         anywhere             reject-with icmp-port-unreachable

Nat table:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 26 packets, 1683 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 12 packets, 857 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   14   826 MASQUERADE  all  --  any    tun0    anywhere             anywhere            

Mangle table:
Chain PREROUTING (policy ACCEPT 623 packets, 52455 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 623 packets, 52455 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 472 packets, 87921 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  472 87921 CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK restore
  104 11412 MARK       all  --  any    any     anywhere            !10.211.55.26         owner UID match vpn MARK set 0x1
    0     0 MARK       udp  --  any    any     anywhere             10.211.55.26         udp dpt:domain owner UID match vpn MARK set 0x1
    0     0 MARK       tcp  --  any    any     anywhere             10.211.55.26         tcp dpt:domain owner UID match vpn MARK set 0x1
    0     0 MARK       all  --  any    any    !10.211.55.26         anywhere             owner UID match vpn MARK set 0x1
  472 87921 CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK save

Chain POSTROUTING (policy ACCEPT 528 packets, 91397 bytes)
 pkts bytes target     prot opt in     out     source               destination         
-------------- next part --------------
src 10.211.55.26 dst 109.201.137.51
	proto esp spi 0xcb891ab0 reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	mark 0x2/0xffffffff
	auth-trunc hmac(sha512) 0xb614f7da07f790de4f11e185574d3a36bdaa7c6e6ddb9e9bb04db47b1bc6c482b5878a63336eecc5379f8a66110364bd8aaea79dcb9650aad79be2613bb9a10b 256
	enc cbc(aes) 0x94df611762df1f4306ab2589507de29c10b8b869285786c2cfc8cacc0fd6fa9e
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x38, bitmap 0x00000000
src 109.201.137.51 dst 10.211.55.26
	proto esp spi 0xc23a523c reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha512) 0x288d8a1a5deb50ed1a633f3ffab307dcb8adc349554f298cfbd78b1171e16c4ac4d3085e1291de8890db09fb3cd78b2c7cd0277e2d527a207785ee9fd5925ee5 256
	enc cbc(aes) 0x5cf2ceb5b051d7f1510bf70de6ac4d7f53a6b33b15d33df633e7c396f8bc0a12
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x18, oseq 0x0, bitmap 0x00ffffff
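The `ip xfrm state` attachment above carries the live `auth-trunc` and `enc` keys of both SAs; whoever holds a capture of the ESP traffic can decrypt that session with them until the SAs are rekeyed, so a dump like this should be sanitized before it is posted. The following script is an added example and not part of the original post or of strongSwan: it parses output in the layout shown in the attachment, replaces the key bytes with a placeholder while keeping the algorithm names and ICV length, and pairs the SAs by `reqid` to report which direction carries a mark and whether each direction has seen traffic (`seq`/`oseq`), which is the first thing to compare against the `mark` settings in ipsec.conf when a VTI tunnel stalls. The sample dump, the addresses in it (RFC 5737 ranges), the SPIs and the key bytes are all constructed; the local address passed to `check_sa_pairs` is an assumption of the example.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the layout of `ip xfrm state` (RFC 5737 addresses,
# dummy SPIs and dummy key bytes); not the poster's real dump.
SAMPLE_XFRM_STATE = (
    "src 192.0.2.10 dst 198.51.100.1\n"
    "\tproto esp spi 0x00001001 reqid 1 mode tunnel\n"
    "\treplay-window 0 flag af-unspec\n"
    "\tmark 0x2/0xffffffff\n"
    "\tauth-trunc hmac(sha512) 0x0011223344556677 256\n"
    "\tenc cbc(aes) 0x8899aabbccddeeff\n"
    "\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0\n"
    "\tanti-replay context: seq 0x0, oseq 0x38, bitmap 0x00000000\n"
    "src 198.51.100.1 dst 192.0.2.10\n"
    "\tproto esp spi 0x00002002 reqid 1 mode tunnel\n"
    "\treplay-window 32 flag af-unspec\n"
    "\tauth-trunc hmac(sha512) 0xffeeddccbbaa9988 256\n"
    "\tenc cbc(aes) 0x7766554433221100\n"
    "\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0\n"
    "\tanti-replay context: seq 0x18, oseq 0x0, bitmap 0x00ffffff\n"
)

# Lines that carry key material: "<alg-class> <alg-name> 0x<hex> [<icv bits>]"
KEY_LINE = re.compile(r"^(\s*(?:auth(?:-trunc)?|enc|aead|comp)\s+\S+\s+)0x[0-9a-fA-F]+")


def redact_keys(text):
    """Replace the raw key on auth/enc/aead lines with a placeholder.
    Algorithm name and trailing ICV length survive; line count is unchanged."""
    out = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            line = m.group(1) + "0x<redacted>" + line[m.end():]
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def parse_xfrm_state(text):
    """Return one dict per SA with the fields relevant to a stalled tunnel."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)", line)
            cur = {"src": m.group(1), "dst": m.group(2), "mark": None,
                   "replay_window": None, "seq": None, "oseq": None}
            sas.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("proto "):
            m = re.match(r"proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\S+)", line)
            cur.update(proto=m.group(1), spi=m.group(2), reqid=int(m.group(3)), mode=m.group(4))
        elif line.startswith("replay-window "):
            cur["replay_window"] = int(line.split()[1])
        elif line.startswith("mark "):
            value, _, mask = line.split()[1].partition("/")
            cur["mark"] = (int(value, 16), int(mask, 16) if mask else 0xFFFFFFFF)
        elif line.startswith("anti-replay context:"):
            m = re.search(r"seq (0x[0-9a-fA-F]+), oseq (0x[0-9a-fA-F]+)", line)
            cur["seq"], cur["oseq"] = int(m.group(1), 16), int(m.group(2), 16)
    return sas


def check_sa_pairs(sas, local_addr):
    """Pair SAs by reqid, label them in/out relative to local_addr, and list
    observations worth comparing with the ipsec.conf mark settings."""
    findings = []
    by_reqid = defaultdict(list)
    for sa in sas:
        sa["direction"] = "out" if sa["src"] == local_addr else "in"
        by_reqid[sa["reqid"]].append(sa)
    for reqid, group in sorted(by_reqid.items()):
        dirs = {sa["direction"] for sa in group}
        if dirs != {"in", "out"}:
            findings.append(f"reqid {reqid}: only {'/'.join(sorted(dirs))} SA present")
        marks = {sa["direction"]: sa["mark"] for sa in group}
        if marks.get("in") != marks.get("out"):
            findings.append(f"reqid {reqid}: mark differs between directions "
                            f"(in={marks.get('in')}, out={marks.get('out')})")
        for sa in group:
            if sa["direction"] == "out" and sa["oseq"] == 0:
                findings.append(f"reqid {reqid}: outbound SA {sa['spi']} has sent nothing")
            if sa["direction"] == "in" and sa["seq"] == 0:
                findings.append(f"reqid {reqid}: inbound SA {sa['spi']} has received nothing")
    return findings


if __name__ == "__main__":
    # Usage: ip xfrm state | python3 xfrm_check.py <local-address>
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XFRM_STATE
    local = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(redact_keys(text))
    for f in check_sa_pairs(parse_xfrm_state(text), local):
        print("finding:", f)
```

Run on the constructed sample, the sanitized dump keeps every line of the original (so replies on the list can still refer to it) and the single finding is that the mark `0x2` is present only on the outbound SA; whether that is expected depends on the strongSwan version and its mark options, so the script reports the asymmetry rather than judging it.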