[strongSwan] VPN connection times out
Houman
houmie at gmail.com
Thu May 2 00:15:31 CEST 2019
Hello,
Last week I opened a ticket with an error message that turned out to be
incorrect. Hence I tried to replicate it on a new, fresh test server.
I have created a new test VPN server, which I can connect to from London.
But some middle eastern countries aren't able to connect to it. The server
is with Digital Ocean (Frankfurt). The test user can open the test
nginx site on the same server, which proves the IP address is not blocked
by his ISP / country. So the mystery remains why he can't connect to the
VPN but I can from London.
Please see all logs attached below:
*Syslog*
May 1 19:17:32 test systemd[1]: Starting Cleanup of Temporary
Directories...
May 1 19:17:32 test systemd[1]: Started Cleanup of Temporary Directories.
May 1 19:25:43 test charon: 16[NET] received packet: from
46.62.xxx.xxx[500] to 157.230.xx.xxx[500] (604 bytes)
May 1 19:25:43 test charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 1 19:25:43 test charon: 16[IKE] 46.62.xxx.xxx is initiating an IKE_SA
May 1 19:25:43 test charon: 16[IKE] remote host is behind NAT
May 1 19:25:43 test charon: 16[IKE] sending cert request for "C=US,
O=Let's Encrypt, CN=Let's Encrypt Authority X3"
May 1 19:25:43 test charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
May 1 19:25:43 test charon: 16[NET] sending packet: from
157.230.xx.xxx[500] to 46.62.xxx.xxx[500] (473 bytes)
May 1 19:26:13 test charon: 06[JOB] deleting half open IKE_SA with
46.62.xxx.xxx after timeout
May 1 19:26:30 test charon: 10[NET] received packet: from
46.62.xxx.xxx[500] to 157.230.xx.xxx[500] (604 bytes)
May 1 19:26:30 test charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 1 19:26:30 test charon: 10[IKE] 46.62.xxx.xxx is initiating an IKE_SA
May 1 19:26:30 test charon: 10[IKE] remote host is behind NAT
May 1 19:26:30 test charon: 10[IKE] sending cert request for "C=US,
O=Let's Encrypt, CN=Let's Encrypt Authority X3"
May 1 19:26:30 test charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
May 1 19:26:30 test charon: 10[NET] sending packet: from
157.230.xx.xxx[500] to 46.62.xxx.xxx[500] (473 bytes)
May 1 19:27:00 test charon: 13[JOB] deleting half open IKE_SA with
46.62.xxx.xxx after timeout
*radius.log*
Wed May 1 19:02:17 2019 : Info: Signalled to terminate
Wed May 1 19:02:17 2019 : Info: Exiting normally
Wed May 1 19:02:33 2019 : Info: Debugger not attached
Wed May 1 19:02:33 2019 : Info: rlm_sql (sql): Driver rlm_sql_mysql
(module rlm_sql_mysql) loaded and linked
Wed May 1 19:02:33 2019 : Info: rlm_sql_mysql: libmysql version: 5.7.26
Wed May 1 19:02:33 2019 : Info: rlm_sql (sql): Attempting to connect to
database "radius_db"
Wed May 1 19:02:33 2019 : Info: rlm_sql (sql): Opening additional
connection (0), 1 of 32 pending slots used
Wed May 1 19:02:33 2019 : Info: rlm_sql (sql): Opening additional
connection (1), 1 of 31 pending slots used
Wed May 1 19:02:34 2019 : Info: rlm_sql (sql): Opening additional
connection (2), 1 of 30 pending slots used
Wed May 1 19:02:34 2019 : Info: rlm_sql (sql): Opening additional
connection (3), 1 of 29 pending slots used
Wed May 1 19:02:34 2019 : Info: rlm_sql (sql): Opening additional
connection (4), 1 of 28 pending slots used
Wed May 1 19:02:34 2019 : Info: Need 5 more connections to reach 10 spares
Wed May 1 19:02:34 2019 : Info: rlm_sql (sql): Opening additional
connection (5), 1 of 27 pending slots used
Wed May 1 19:02:34 2019 : Warning:
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
Wed May 1 19:02:34 2019 : Warning:
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Wed May 1 19:02:34 2019 : Info: Loaded virtual server <default>
Wed May 1 19:02:34 2019 : Warning: Ignoring "ldap" (see
raddb/mods-available/README.rst)
Wed May 1 19:02:34 2019 : Info: # Skipping contents of 'if' as it is
always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:331
Wed May 1 19:02:34 2019 : Info: Loaded virtual server inner-tunnel
Wed May 1 19:02:34 2019 : Info: Loaded virtual server default
Wed May 1 19:02:34 2019 : Info: Ready to process requests
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Closing connection (1): Hit
idle_timeout, was idle for 121 seconds
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Closing connection (2): Hit
idle_timeout, was idle for 121 seconds
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Closing connection (3): Hit
idle_timeout, was idle for 121 seconds
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Closing connection (4): Hit
idle_timeout, was idle for 121 seconds
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Closing connection (0): Hit
idle_timeout, was idle for 121 seconds
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Closing connection (5): Hit
idle_timeout, was idle for 121 seconds
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Opening additional
connection (6), 1 of 32 pending slots used
Wed May 1 19:04:36 2019 : Info: Need 2 more connections to reach min
connections (3)
Wed May 1 19:04:36 2019 : Info: rlm_sql (sql): Opening additional
connection (7), 1 of 31 pending slots used
Wed May 1 19:06:15 2019 : Info: rlm_sql (sql): Closing connection (7): Hit
idle_timeout, was idle for 99 seconds
Wed May 1 19:06:15 2019 : Info: rlm_sql (sql): Closing connection (6): Hit
idle_timeout, was idle for 99 seconds
Wed May 1 19:06:15 2019 : Info: rlm_sql (sql): Opening additional
connection (8), 1 of 32 pending slots used
Wed May 1 19:06:15 2019 : Info: Need 2 more connections to reach min
connections (3)
Wed May 1 19:06:15 2019 : Info: rlm_sql (sql): Opening additional
connection (9), 1 of 31 pending slots used
Wed May 1 19:06:16 2019 : Info: Need 1 more connections to reach min
connections (3)
Wed May 1 19:06:16 2019 : Info: rlm_sql (sql): Opening additional
connection (10), 1 of 30 pending slots used
Wed May 1 19:09:07 2019 : Info: rlm_sql (sql): Closing connection (8): Hit
idle_timeout, was idle for 171 seconds
Wed May 1 19:09:07 2019 : Info: rlm_sql (sql): Closing connection (10):
Hit idle_timeout, was idle for 171 seconds
Wed May 1 19:09:07 2019 : Info: rlm_sql (sql): Closing connection (9): Hit
idle_timeout, was idle for 171 seconds
Wed May 1 19:09:07 2019 : Info: rlm_sql (sql): Opening additional
connection (11), 1 of 32 pending slots used
Wed May 1 19:09:08 2019 : Info: Need 2 more connections to reach min
connections (3)
Wed May 1 19:09:08 2019 : Info: rlm_sql (sql): Opening additional
connection (12), 1 of 31 pending slots used
Wed May 1 19:09:13 2019 : Info: Need 1 more connections to reach min
connections (3)
Wed May 1 19:09:13 2019 : Info: rlm_sql (sql): Opening additional
connection (13), 1 of 30 pending slots used
*ipsec.conf*
config setup
strictcrlpolicy=yes
uniqueids=never
conn test
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,aes256-sha256-ecp521-ecp256-modp4096-modp2048!
esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
dpdaction=clear
dpddelay=180s
dpdtimeout=3600s
rekey=no
left=%any
leftid=@test.mydomain.net
leftcert=cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0, ::/0
right=%any
rightid=%any
rightauth=eap-radius
eap_identity=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24,fdd2:54c4:4c90:1::300/120
leftfirewall=no
*ipsec statusall*
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-48-generic,
x86_64):
uptime: 26 minutes, since May 01 21:23:34 2019
malloc: sbrk 2322432, mmap 532480, used 1236336, free 1086096
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2
sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints
acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey
pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac
hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink
resolve socket-default connmark farp stroke vici updown eap-identity
eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym
eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius
eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam
xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist
lookip error-notify certexpire led radattr addrblock unity counters
Virtual IP pools (size/online/offline):
10.10.10.0/24: 254/0/0
fdd2:54c4:4c90:1::300/120: 254/0/0
Listening IP addresses:
157.230.xx.xxx
10.19.0.6
10.135.41.65
Connections:
test: %any...%any IKEv2, dpddelay=180s
test: local: [test.mydomain.net] uses public key authentication
test: cert: "CN=test.mydomain.net"
test: remote: uses EAP_RADIUS authentication with EAP identity
'%any'
test: child: 0.0.0.0/0 ::/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none
*iptables-save*
# Generated by iptables-save v1.6.1 on Wed May 1 21:52:38 2019
*filter
:INPUT DROP [184:11341]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3182:1535989]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -d 10.10.10.0/24 -j DROP
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Wed May 1 21:52:38 2019
# Generated by iptables-save v1.6.1 on Wed May 1 21:52:38 2019
*nat
:PREROUTING ACCEPT [185:11405]
:INPUT ACCEPT [2:104]
:OUTPUT ACCEPT [222:17702]
:POSTROUTING ACCEPT [222:17702]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j
ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed May 1 21:52:38 2019
# Generated by iptables-save v1.6.1 on Wed May 1 21:52:38 2019
*mangle
:PREROUTING ACCEPT [4197:426510]
:INPUT ACCEPT [4197:426510]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3191:1536933]
:POSTROUTING ACCEPT [3191:1536933]
-A FORWARD -s 10.10.10.0/24 -o eth0 -p tcp -m policy --dir in --pol ipsec
-m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS
--set-mss 1360
COMMIT
# Completed on Wed May 1 21:52:38 2019
*ip6tables-save*
# Generated by ip6tables-save v1.6.1 on Wed May 1 21:54:06 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [29:1816]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s fdd2:54c4:4c90:1::300/120 -d fdd2:54c4:4c90:1::300/120 -j DROP
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Wed May 1 21:54:06 2019
# Generated by ip6tables-save v1.6.1 on Wed May 1 21:54:06 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s fdd2:54c4:4c90:1::300/120 -o eth0 -m policy --dir out
--pol ipsec -j ACCEPT
-A POSTROUTING -s fdd2:54c4:4c90:1::300/120 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed May 1 21:54:06 2019
*ip route show table all*
default via 157.230.16.1 dev eth0 proto static
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.6
10.135.0.0/16 dev eth1 proto kernel scope link src 10.135.41.65
157.230.16.0/20 dev eth0 proto kernel scope link src 157.230.xx.xxx
broadcast 10.19.0.0 dev eth0 table local proto kernel scope link src
10.19.0.6
local 10.19.0.6 dev eth0 table local proto kernel scope host src 10.19.0.6
broadcast 10.19.255.255 dev eth0 table local proto kernel scope link src
10.19.0.6
broadcast 10.135.0.0 dev eth1 table local proto kernel scope link src
10.135.41.65
local 10.135.41.65 dev eth1 table local proto kernel scope host src
10.135.41.65
broadcast 10.135.255.255 dev eth1 table local proto kernel scope link src
10.135.41.65
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src
127.0.0.1
broadcast 157.230.16.0 dev eth0 table local proto kernel scope link src
157.230.xx.xxx
local 157.230.xx.xxx dev eth0 table local proto kernel scope host src
157.230.xx.xxx
broadcast 157.230.31.255 dev eth0 table local proto kernel scope link src
157.230.xx.xxx
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
local fe80::780e:63ff:fe78:bab7 dev eth1 table local proto kernel metric 0
pref medium
local fe80::bc8d:3eff:fe0f:9d42 dev eth0 table local proto kernel metric 0
pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
*ip address*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
group default qlen 1000
link/ether be:8d:3e:0f:9d:42 brd ff:ff:ff:ff:ff:ff
inet 157.230.xx.xxx/20 brd 157.230.31.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.19.0.6/16 brd 10.19.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::bc8d:3eff:fe0f:9d42/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
group default qlen 1000
link/ether 7a:0e:63:78:ba:b7 brd ff:ff:ff:ff:ff:ff
inet 10.135.41.65/16 brd 10.135.255.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::780e:63ff:fe78:bab7/64 scope link
valid_lft forever preferred_lft forever
Please let me know if you need to see anything else,
Many Thanks,
Houman
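Added example, not part of the original post and not strongSwan's own code. The pattern in the syslog above is worth checking mechanically: charon receives an IKE_SA_INIT, answers it, and then nothing more arrives from that peer within the 30 s half-open window, neither a retransmitted IKE_SA_INIT nor an IKE_AUTH, so the half-open SA is dropped. RADIUS is never consulted (the radius.log quoted shows no authentication requests at all), so EAP and the certificate play no part at that stage. The Python below parses charon log lines of that format and reports, per remote peer, how far each attempt got: whether the server answered, whether the client retransmitted, whether an IKE_AUTH ever arrived, and whether a peer that charon detected behind NAT was ever seen on UDP 4500, the port RFC 7296 makes it move to for IKE_AUTH once NAT is detected. The sample log, the addresses (RFC 5737 documentation ranges) and the second, working peer are constructed for the example; the exact message texts are assumed to be those charon 5.x prints, so check them against your own log.

```python
"""Classify IKEv2 handshake attempts from strongSwan charon syslog lines.
Added example for this thread, not code from the poster or from strongSwan.
Message texts are assumed to be those charon 5.x prints; verify against your log."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample (RFC 5737 addresses, not the poster's). Peer .9 repeats the
# pattern from the post: INIT answered, nothing else arrives, half-open SA dropped
# after 30 s, fresh attempt later. Peer .77 is a hypothetical working client.
SAMPLE_LOG = """\
May  1 19:25:43 test charon: 16[NET] received packet: from 198.51.100.9[500] to 203.0.113.1[500] (604 bytes)
May  1 19:25:43 test charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May  1 19:25:43 test charon: 16[IKE] remote host is behind NAT
May  1 19:25:43 test charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) ]
May  1 19:26:13 test charon: 06[JOB] deleting half open IKE_SA with 198.51.100.9 after timeout
May  1 19:26:30 test charon: 10[NET] received packet: from 198.51.100.9[500] to 203.0.113.1[500] (604 bytes)
May  1 19:26:30 test charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May  1 19:26:30 test charon: 10[IKE] remote host is behind NAT
May  1 19:26:30 test charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) ]
May  1 19:27:00 test charon: 13[JOB] deleting half open IKE_SA with 198.51.100.9 after timeout
May  1 19:31:02 test charon: 11[NET] received packet: from 198.51.100.77[500] to 203.0.113.1[500] (604 bytes)
May  1 19:31:02 test charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May  1 19:31:02 test charon: 11[IKE] remote host is behind NAT
May  1 19:31:02 test charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) ]
May  1 19:31:03 test charon: 09[NET] received packet: from 198.51.100.77[4500] to 203.0.113.1[4500] (412 bytes)
May  1 19:31:03 test charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi IDr SA TSi TSr N(EAP_ONLY) ]
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: (?P<thr>\d+)\[\w+\] (?P<msg>.*)$")
RECV = re.compile(r"received packet: from (?P<ip>\S+)\[(?P<port>\d+)\] to \S+\[\d+\]")
PARSED = re.compile(r"parsed (?P<exch>\w+) request (?P<mid>\d+)")
HALF_OPEN = re.compile(r"deleting half open IKE_SA with (?P<ip>\S+) after timeout")
RETRANS = re.compile(r"received retransmit of request with ID \d+")

@dataclass
class Attempt:
    started: str                     # timestamp of the IKE_SA_INIT request
    nat: bool = False                # charon detected the peer behind NAT
    responded: bool = False          # we generated an IKE_SA_INIT response
    retransmits: int = 0             # retransmitted requests seen from the peer
    auth_port: Optional[int] = None  # UDP port the IKE_AUTH request arrived on
    timed_out: bool = False          # half-open SA dropped by charon's timeout

    def outcome(self) -> str:
        if self.auth_port is not None:
            return "IKE_AUTH_REACHED"           # path works; a failure here is authentication
        if self.timed_out and self.retransmits:
            return "HALF_OPEN_RETRANSMITTING"   # peer kept resending INIT: our reply never got there
        if self.timed_out:
            return "HALF_OPEN_SILENT"           # no retry, no IKE_AUTH: reply lost or IKE_AUTH dropped
        return "IN_PROGRESS"

def parse_attempts(text: str) -> Dict[str, List[Attempt]]:
    """Group charon log lines into per-peer handshake attempts."""
    attempts: Dict[str, List[Attempt]] = defaultdict(list)
    # A "received packet" line names the peer; later lines from the same worker thread refer to it.
    peer_of_thread: Dict[str, Tuple[str, int]] = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, thr, msg = m["ts"], m["thr"], m["msg"]
        if r := RECV.search(msg):
            peer_of_thread[thr] = (r["ip"], int(r["port"]))
        elif h := HALF_OPEN.search(msg):  # JOB thread: peer is named in the message itself
            pending = [a for a in attempts[h["ip"]] if not a.timed_out and a.auth_port is None]
            if pending:
                pending[-1].timed_out = True
        elif thr in peer_of_thread:
            ip, port = peer_of_thread[thr]
            cur = attempts[ip][-1] if attempts[ip] else None
            p = PARSED.search(msg)
            if p and p["exch"] == "IKE_SA_INIT" and p["mid"] == "0":
                attempts[ip].append(Attempt(started=ts))  # message ID 0 = a fresh attempt
            elif p and p["exch"] == "IKE_AUTH" and cur:
                cur.auth_port = port
            elif cur and "remote host is behind NAT" in msg:
                cur.nat = True
            elif cur and "generating IKE_SA_INIT response" in msg:
                cur.responded = True
            elif cur and RETRANS.search(msg):
                cur.retransmits += 1
    return dict(attempts)

def summarize(attempts: Dict[str, List[Attempt]]) -> Dict[str, Dict[str, object]]:
    """Per peer: outcomes, how many INITs we answered, and whether a NAT-ed peer was
    ever seen on UDP 4500 (RFC 7296 makes it move there for IKE_AUTH once NAT is
    detected; a NAT-ed peer that never appears on 4500 points at that path)."""
    return {ip: {"attempts": len(atts),
                 "outcomes": [a.outcome() for a in atts],
                 "answered": sum(a.responded for a in atts),
                 "nat": any(a.nat for a in atts),
                 "seen_on_4500": any(a.auth_port == 4500 for a in atts)}
            for ip, atts in attempts.items()}

if __name__ == "__main__":
    for ip, s in summarize(parse_attempts(SAMPLE_LOG)).items():
        print(ip, s)
```

Feed it `journalctl -u strongswan` or the syslog excerpt directly (`python3 classify.py < /var/log/syslog` after swapping `SAMPLE_LOG` for `sys.stdin.read()`). A peer whose attempts all come out `HALF_OPEN_SILENT`, with `answered` equal to `attempts`, `nat` true and `seen_on_4500` false, is failing before authentication ever starts, which is what the excerpt above shows; the RADIUS and certificate configuration cannot be the cause of that, and the next check belongs on the client side of the path (a capture on the client for the 473-byte response on UDP 500 and for its own IKE_AUTH leaving on UDP 4500).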