[strongSwan] VPN Suddenly Stopped Forwarding Internet

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Aug 3 21:19:23 CEST 2021


Hello Jody,

Please provide the output of `iptables-save`, and the output of `ipsec statusall` once you tried to access the internet, but while the client is still connected.

Kind regards
Noel

On 02.08.21 at 20:26, Jody Whitesides wrote:
> Having trouble trying to understand why VPN would suddenly stop allowing traffic to the internet (despite no changes to the server and was working fine for months). Devices can connect to the VPN and logs show they connect. However, they no longer get traffic to the internet or to the server itself. Unfortunately I don’t understand the logs enough to know the direct reason, but I’ve included some connection logs after the config. Any help that can lead to a fix would be appreciated.
> 
> Here’s the config:
> 
> config setup
>          charondebug     ="dmn 1,mgr 1,ike 1,chd 1,job 1,cfg 1,knl 1,net 1,tls 1,lib 1,enc 1,tnc 1"
>          uniqueids       =no
> 
> conn %default
> #        ike             =aes256-sha1-modp1024,3des-sha1-modp1024!
> #        esp             =aes256-sha1,3des-sha1!
>          fragmentation   =yes
>          auto            =add
>          dpdaction       =clear
>          dpddelay        =40
>          dpdtimeout      =130
>          ikelifetime     =1h
>          lifetime        =1h
>          margintime      =9m
>          rekeyfuzz       =100%
> #        rekey           =yes
>          aggressive      =no
>          forceencaps     =yes
>          left            =%any
>          leftid          =(serverIP)
>          leftcert        =(link to cert)
>          leftsendcert    =always
>          leftsubnet      =0.0.0.0/0,::/0
>          right           =%any
>          rightid         =%any
> #        rightauth       =eap-mschapv2
>          rightdns        =45.76.254.23,172.98.193.62,2001:19f0:5401:2a4a:5400:03ff:fe2b:271f
>          rightsourceip   =10.10.10.1/24
>          rightsubnet     =%dynamic
> 
> #conn mac
> #       keyexchange     =ikev1
> #       authby          =xauthpsk
> #       xauth           =server
> #       reauth          =yes
> 
> conn ios
>          ike             =aes256-sha1-modp1024,3des-sha1-modp1024!
>          esp             =aes256-sha1,3des-sha1!
>          keyexchange     =ikev1
>          mobike          =yes
>          reauth          =yes
>          rekey           =yes
>          leftallowany    =yes
>          lefthostaccess  =yes
>          leftfirewall    =yes
>          leftauth        =pubkey
>          rightallowany   =yes
>          rightauth       =pubkey
>          rightauth2      =xauth
>          rightfirewall   =yes
>          rightcert       =(link to cert)
> 
> conn ikev2-vpn
>          ike             =chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes128-sha1-modp1024,aes256-sha1-modp1024,3d>
>          esp             =chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
>          keyexchange     =ikev2
>          type            =tunnel
>          compress        =no
>          rekey           =no
>          rightauth       =eap-mschapv2
>          rightsendcert   =never
>          eap_identity    =%identity
> 
> Here’s the Log:
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[NET] received packet: from [IP of Device][500] to [IP of Server][500] (848 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received NAT-T (RFC 3947) vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received XAuth vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received Cisco Unity vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received FRAGMENTATION vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] received DPD vendor ID
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] [IP of Device] is initiating a Main Mode IKE_SA
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[ENC] generating ID_PROT response 0 [ SA V V V V ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[NET] sending packet: from [IP of Server][500] to [IP of Device][500] (160 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 04[NET] received packet: from [IP of Device][500] to [IP of Server][500] (228 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 04[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 04[IKE] remote host is behind NAT
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 04[IKE] sending cert request for "C=US, O=JW Server VPN, CN=[IP of Server] Root CA"
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 04[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 04[NET] sending packet: from [IP of Server][500] to [IP of Device][500] (321 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 12[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (1280 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 12[ENC] parsed ID_PROT request 0 [ FRAG(1) ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 12[ENC] received fragment #1, waiting for complete IKE message
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (804 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[ENC] parsed ID_PROT request 0 [ FRAG(2/2) ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[ENC] received fragment #2, reassembled fragmented IKE message (2012 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (2012 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[IKE] ignoring certificate request without data
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[IKE] received end entity cert "C=US, O=JW Server VPN, CN=[IP of Server]"
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[CFG] looking for XAuthInitRSA peer configs matching [IP of Server]...[IP of Device][C=US, O=JW Server VPN, CN=[IP of Server]]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[CFG] selected peer config "ios"
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[CFG]   using trusted ca certificate "C=US, O=JW Server VPN, CN=[IP of Server] Root CA"
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[CFG] checking certificate status of "C=US, O=JW Server VPN, CN=[IP of Server]"
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[CFG] certificate status is not available
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[CFG]   reached self-signed root ca with a path length of 0
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[CFG]   using trusted certificate "C=US, O=JW Server VPN, CN=[IP of Server]"
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[IKE] authentication of 'C=US, O=JW Server VPN, CN=[IP of Server]' with RSA_EMSA_PKCS1_NULL successful
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[IKE] authentication of '[IP of Server]' (myself) successful
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[IKE] sending end entity cert "C=US, O=JW Server VPN, CN=[IP of Server]"
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[ENC] splitting IKE message (1948 bytes) into 2 fragments
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[ENC] generating ID_PROT response 0 [ FRAG(1) ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[ENC] generating ID_PROT response 0 [ FRAG(2/2) ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (1248 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (772 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[ENC] generating TRANSACTION request 434236087 [ HASH CPRQ(X_USER X_PWD) ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 11[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (76 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 14[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (108 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 14[ENC] parsed TRANSACTION response 434236087 [ HASH CPRP(X_USER X_PWD) ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 14[IKE] XAuth authentication of 'JodyiPhone' successful
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 14[ENC] generating TRANSACTION request 2649355397 [ HASH CPS(X_STATUS) ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 14[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (76 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 08[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (76 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 08[ENC] parsed TRANSACTION response 2649355397 [ HASH CPA(X_STATUS) ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 08[IKE] IKE_SA ios[32] established between [IP of Server][[IP of Server]]...[IP of Device][C=US, O=JW Server VPN, CN=[IP of Server]]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 08[IKE] scheduling reauthentication in 2712s
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 08[IKE] maximum IKE_SA lifetime 3252s
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (172 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[ENC] unknown attribute type (28683)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[ENC] parsed TRANSACTION request 1724246389 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] peer requested virtual IP %any
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[CFG] reassigning offline lease to 'JodyiPhone'
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[IKE] assigning virtual IP 10.10.10.1 to peer 'JodyiPhone'
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[ENC] generating TRANSACTION response 1724246389 [ HASH CPRP(ADDR DNS DNS DNS6) ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 06[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (108 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 04[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (380 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 04[ENC] parsed QUICK_MODE request 3533799051 [ HASH SA No ID ID ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 04[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 04[ENC] generating QUICK_MODE response 3533799051 [ HASH SA No ID ID ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 04[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (172 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 12[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (60 bytes)
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 12[ENC] parsed QUICK_MODE request 3533799051 [ HASH ]
> Aug  2 12:13:34 jodywhitesides *charon*-custom: 12[IKE] CHILD_SA ios{32} established with SPIs faff7197_i 04ef441d_o and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32
> Aug  2 12:13:56 jodywhitesides *charon*-custom: 06[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (92 bytes)
> Aug  2 12:13:56 jodywhitesides *charon*-custom: 06[ENC] parsed INFORMATIONAL_V1 request 1330296429 [ HASH N(DPD) ]
> Aug  2 12:13:56 jodywhitesides *charon*-custom: 06[ENC] generating INFORMATIONAL_V1 request 2584453767 [ HASH N(DPD_ACK) ]
> Aug  2 12:13:56 jodywhitesides *charon*-custom: 06[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (92 bytes)
> Aug  2 12:14:11 jodywhitesides *charon*-custom: 12[NET] received packet: from [IP of Device][41517] to [IP of Server][4500] (92 bytes)
> Aug  2 12:14:11 jodywhitesides *charon*-custom: 12[ENC] parsed INFORMATIONAL_V1 request 2338576608 [ HASH N(DPD) ]
> Aug  2 12:14:11 jodywhitesides *charon*-custom: 12[ENC] generating INFORMATIONAL_V1 request 117146712 [ HASH N(DPD_ACK) ]
> Aug  2 12:14:11 jodywhitesides *charon*-custom: 12[NET] sending packet: from [IP of Server][4500] to [IP of Device][41517] (92 bytes)
> Aug  2 12:14:18 jodywhitesides *charon*-custom: 08[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (92 bytes)
> Aug  2 12:14:18 jodywhitesides *charon*-custom: 08[ENC] parsed INFORMATIONAL_V1 request 96203116 [ HASH N(DPD) ]
> Aug  2 12:14:18 jodywhitesides *charon*-custom: 08[ENC] generating INFORMATIONAL_V1 request 183741560 [ HASH N(DPD_ACK) ]
> Aug  2 12:14:18 jodywhitesides *charon*-custom: 08[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (92 bytes)
> Aug  2 12:14:31 jodywhitesides *charon*-custom: 05[NET] received packet: from [IP of Device][41517] to [IP of Server][4500] (92 bytes)
> Aug  2 12:14:31 jodywhitesides *charon*-custom: 05[ENC] parsed INFORMATIONAL_V1 request 1541247232 [ HASH N(DPD) ]
> Aug  2 12:14:31 jodywhitesides *charon*-custom: 05[ENC] generating INFORMATIONAL_V1 request 1626504577 [ HASH N(DPD_ACK) ]
> Aug  2 12:14:31 jodywhitesides *charon*-custom: 05[NET] sending packet: from [IP of Server][4500] to [IP of Device][41517] (92 bytes)
> Aug  2 12:14:40 jodywhitesides *charon*-custom: 06[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (92 bytes)
> Aug  2 12:14:40 jodywhitesides *charon*-custom: 06[ENC] parsed INFORMATIONAL_V1 request 2847095602 [ HASH N(DPD) ]
> Aug  2 12:14:40 jodywhitesides *charon*-custom: 06[ENC] generating INFORMATIONAL_V1 request 2905827564 [ HASH N(DPD_ACK) ]
> Aug  2 12:14:40 jodywhitesides *charon*-custom: 06[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (92 bytes)
> Aug  2 12:15:15 jodywhitesides *charon*-custom: 14[NET] received packet: from [IP of Device][41517] to [IP of Server][4500] (92 bytes)
> Aug  2 12:15:15 jodywhitesides *charon*-custom: 14[ENC] parsed INFORMATIONAL_V1 request 401695110 [ HASH N(DPD) ]
> Aug  2 12:15:15 jodywhitesides *charon*-custom: 14[ENC] generating INFORMATIONAL_V1 request 1418410180 [ HASH N(DPD_ACK) ]
> Aug  2 12:15:15 jodywhitesides *charon*-custom: 14[NET] sending packet: from [IP of Server][4500] to [IP of Device][41517] (92 bytes)
> Aug  2 12:15:36 jodywhitesides *charon*-custom: 05[IKE] sending DPD request
> Aug  2 12:15:36 jodywhitesides *charon*-custom: 05[ENC] generating INFORMATIONAL_V1 request 1331469902 [ HASH N(DPD) ]
> Aug  2 12:15:36 jodywhitesides *charon*-custom: 05[NET] sending packet: from [IP of Server][4500] to [IP of Device][38463] (92 bytes)
> Aug  2 12:15:37 jodywhitesides *charon*-custom: 06[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (92 bytes)
> Aug  2 12:15:37 jodywhitesides *charon*-custom: 06[ENC] parsed INFORMATIONAL_V1 request 3915774072 [ HASH N(DPD_ACK) ]
> Aug  2 12:15:37 jodywhitesides *charon*-custom: 01[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (76 bytes)
> Aug  2 12:15:37 jodywhitesides *charon*-custom: 01[ENC] parsed INFORMATIONAL_V1 request 2720218620 [ HASH D ]
> Aug  2 12:15:37 jodywhitesides *charon*-custom: 01[IKE] received DELETE for ESP CHILD_SA with SPI 04ef441d
> Aug  2 12:15:37 jodywhitesides *charon*-custom: 01[IKE] closing CHILD_SA ios{32} with SPIs faff7197_i (6281 bytes) 04ef441d_o (0 bytes) and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32
> Aug  2 12:15:37 jodywhitesides *charon*-custom: 04[NET] received packet: from [IP of Device][38463] to [IP of Server][4500] (92 bytes)
> Aug  2 12:15:37 jodywhitesides *charon*-custom: 04[ENC] parsed INFORMATIONAL_V1 request 234101309 [ HASH D ]
> Aug  2 12:15:37 jodywhitesides *charon*-custom: 04[IKE] received DELETE for IKE_SA ios[32]
> Aug  2 12:15:37 jodywhitesides *charon*-custom: 04[IKE] deleting IKE_SA ios[32] between [IP of Server][[IP of Server]]...[IP of Device][C=US, O=JW Server VPN, CN=[IP of Server]]
> Aug  2 12:15:37 jodywhitesides *charon*-custom: 04[CFG] lease 10.10.10.1 by 'JodyiPhone' went offline
> 
> Thank you,
> 
> Jody
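A small log checker, added here as an example and not part of either message, that pulls the per-direction byte counters out of charon's `closing CHILD_SA` lines like the one quoted above (faff7197_i 6281 bytes, 04ef441d_o 0 bytes) and flags tunnels that only carried traffic one way; the sample log is constructed from the quoted lines plus one made-up healthy close for contrast.

```python
import re
from typing import Dict, List, Optional

# charon prints per-direction byte counters when a CHILD_SA is closed; on a
# road-warrior gateway "_i" is ESP received from the client, "_o" is what went back.
CLOSE_RE = re.compile(
    r"closing CHILD_SA (?P<conn>\S+?)\{(?P<id>\d+)\} with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i \((?P<bytes_in>\d+) bytes\) "
    r"(?P<spi_out>[0-9a-f]+)_o \((?P<bytes_out>\d+) bytes\)"
    r"(?: and TS (?P<local_ts>.+?) === (?P<remote_ts>.+))?$"
)

def parse_child_sa_close(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a 'closing CHILD_SA' line, or None for any other line."""
    m = CLOSE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "conn": d["conn"], "id": int(d["id"]),
        "spi_in": d["spi_in"], "spi_out": d["spi_out"],
        "bytes_in": int(d["bytes_in"]), "bytes_out": int(d["bytes_out"]),
        "local_ts": d["local_ts"], "remote_ts": d["remote_ts"],
    }

def classify(bytes_in: int, bytes_out: int) -> str:
    """Name the traffic pattern of a closed tunnel from its two counters."""
    if bytes_in == 0 and bytes_out == 0:
        return "idle"               # SA was never used
    if bytes_out == 0:
        return "no-return-traffic"  # client sent, nothing ever went back via the tunnel
    if bytes_in == 0:
        return "no-client-traffic"  # gateway sent, client's ESP never arrived
    return "bidirectional"

def audit(log_text: str) -> List[Dict[str, object]]:
    """Parse every CHILD_SA close in the log and attach a verdict to each."""
    results = []
    for line in log_text.splitlines():
        rec = parse_child_sa_close(line)
        if rec:
            rec["verdict"] = classify(rec["bytes_in"], rec["bytes_out"])
            results.append(rec)
    return results

# Constructed sample: the established/closing lines quoted in the thread plus a
# made-up healthy close (ios{33}) for contrast.
SAMPLE_LOG = """\
Aug  2 12:13:34 jodywhitesides charon-custom: 12[IKE] CHILD_SA ios{32} established with SPIs faff7197_i 04ef441d_o and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32
Aug  2 12:15:37 jodywhitesides charon-custom: 01[IKE] closing CHILD_SA ios{32} with SPIs faff7197_i (6281 bytes) 04ef441d_o (0 bytes) and TS 0.0.0.0/0 ::/0 === 10.10.10.1/32
Aug  2 12:40:02 jodywhitesides charon-custom: 07[IKE] closing CHILD_SA ios{33} with SPIs 0a1b2c3d_i (15210 bytes) 4e5f6071_o (98777 bytes) and TS 0.0.0.0/0 ::/0 === 10.10.10.2/32
"""
if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(f"{r['conn']}{{{r['id']}}} in={r['bytes_in']} out={r['bytes_out']} -> {r['verdict']}")
```

A `no-return-traffic` verdict means the gateway decrypted the client's packets but never sent a single reply back through the tunnel, which points at the forwarding, NAT and policy side that the requested `iptables-save` and `ipsec statusall` output would show, not at IKE authentication, which the log shows succeeding.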
