Discussion:
[strongSwan] Strongswan/VTI: Connection killed after several "retransmit of request"
Gilles Printemps
2018-11-14 14:51:35 UTC
Hi,
For several months, I've been trying to find a solution for routing traffic
from a specific user to a VPN using a VTI.
The issue seems to come from the VTI that I created for handling the VPN
connection (FYI, using the same routing parameters with OpenVPN is
working).

The issue is the following:
- The connection is successfully established.
- Then the following request using the VTI/VPN successfully returns a response:
sudo -u vpn -i -- curl ipinfo.io

- After several attempts to keep the connection alive, the connection
breaks, the link with the VPN is broken,
and another run of the previous command returns "curl: (6) Could not
resolve host: ipinfo.io".

I tried to follow advice from users of the mailing list but, unfortunately,
the issue is still there...
Updated config files and logs (ifconfig, iptables, xfrm state, charon.log)
are attached.

I suspect that the issue is due to:
- a missing/bad route
- an issue related to the conn mark
.. I'm using 0x1 to mark traffic from the "vpn" user and to route it
to the VTI
.. strongSwan is using 0x2 to flag its packets
BTW, as you can see in the result of "xfrm state", mark 0x2 is
only present in one direction.
All the results I've seen show the mark in both directions...

I really hope someone will be able to help me find a solution...
Thanks in advance
