Discussion:
[strongSwan] "sending keep alive" seems breaking VPN connection
Gilles Printemps
2018-05-29 08:51:47 UTC
Hi,
After several days, I finally have a configuration which forces all the
traffic from a specific user to be routed through a VPN via a vti interface.

After creating the vti interface and establishing the different routes, I
can successfully check that the traffic is currently routed using the
following commands:

sudo -u vpn -i -- curl ipinfo.io

ping -I vti0 www.google.com


Unfortunately, after a period of time, it is no longer working and I can
see several error packets on the vti interface. Several minutes later, the
connection is established again with the VPN, but with a new connection (the IP
has changed).


It seems this issue occurs after "sending keep alive" from IKE.

Is something missing or wrong in my ipsec.conf?


Thanks for your help,

Gilles


/etc/ipsec.conf
config setup
    charondebug="ike 2, knl 3, cfg 0"
conn %default
    ### Key Exchange
    keyexchange=ikev2
    ike=aes256-sha256-ecp384 # Algorithms used for the connection [phase1/ISAKMP SA]
    esp=aes256-sha256-ecp384,aes256-sha256 # Algorithms offered/accepted for a phase2 negotiation
conn VPN
    dpdaction=restart
    leftupdown=/etc/ipsec.script.sh
    left=%defaultroute
    leftsourceip=%config4
    leftauth=eap-mschapv2
    eap_identity=gprintemps
    right=free-nl.hide.me
    rightauth=pubkey
    rightid=%any
    rightsubnet=0.0.0.0/0
    auto=start
    mark=2
/etc/ipsec.script.sh
#!/bin/bash
set -o nounset
set -o errexit
VPN_USER="vpn"
VTI_INTERFACE="vti0"
case "${PLUTO_VERB}" in
    up-client)
        # Create the VTI with the in/out keys derived from the connection mark
        ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
            okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
        ip link set "${VTI_INTERFACE}" up
        sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
        sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2"
        ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_INTERFACE}"
        # Send marked packets (fwmark 0x1) to the per-user routing table
        if [[ $(ip rule list | grep -c 0x1) == 0 ]]; then
            ip rule add from all fwmark 0x1 lookup "${VPN_USER}"
        fi
        # Launch routing script
        /etc/ipsec.route.sh
        ;;
    down-client)
        ip tunnel del "${VTI_INTERFACE}"
        ;;
esac
/etc/ipsec.route.sh
#!/bin/bash
export TABLE_ID="vpn"
export VPN_USER="vpn"
export VTI_INTERFACE="vti0"
export LOCAL_IP="10.211.55.3"
# Flush iptables rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# Mark packets from $VPN_USER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# Deny $VPN_USER to access other interfaces than lo
# iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
# Allow $VPN_USER to access lo and VPN interfaces
iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
# Allow responses from $VTI_INTERFACE
iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Masquerade packets on $VTI_INTERFACE
iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
# Routing rules: use the VTI's own address as gateway of the per-user table
GATEWAY=$(ifconfig $VTI_INTERFACE |
    egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
    egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
ip route replace default via $GATEWAY table $TABLE_ID
ip route append default via 127.0.0.1 dev lo table $TABLE_ID
ip route flush cache
Christian Salway
2018-05-31 09:29:27 UTC
Just updated strongSwan from 5.6.2 to 5.6.3 and now the certificate auth doesn’t work from Windows 10 (OSX works) with an IKE error.

IKE authentication credentials are unacceptable. The error code returned on failure is 13801.

The certificates are created as follows

openssl req -new -newkey rsa:4096 -sha384 -nodes \
-subj "/CN=vpnuser" \
-keyout private/vpnuser.key -out requests/vpnuser.csr

openssl ca -config openssl.cnf -create_serial -days 395 \
-keyfile private/ca.key -cert ca.crt -passin pass:"${CAKEYPSWD}" \
-in requests/vpnuser.csr -notext \
-extfile <(cat <<EOF
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:http://127.0.0.1:2560
keyUsage=digitalSignature, nonRepudiation
extendedKeyUsage = clientAuth
subjectAltName = DNS:vpnuser
EOF
)


Looking at the changelog, there isn't any obvious reason:
https://wiki.strongswan.org/projects/strongswan/wiki/Changelog56

Any ideas?

C
Tobias Brunner
2018-05-31 09:44:03 UTC
Hi Christian,
*IKE authentication credentials are unacceptable. The error code
returned on failure is 13801.*
If you send the same certificate then this is strange. Did you try
going back to 5.6.2 to verify that it's actually caused by strongSwan?
Otherwise, I'd assume the reason is a Windows 10 update (or upgrade e.g.
to v1803, which apparently brought some updates to the IKEv2 client as
IKEv2 fragmentation is now supported). In which case further analysis
is required.

Regards,
Tobias
Christian Salway
2018-05-31 09:45:43 UTC
I’m running dual 5.6.2 and 5.6.3 with the same cert on each and Windows10 can still connect to 5.6.2 but not 5.6.3 .
Post by Tobias Brunner
Hi Christian,
*IKE authentication credentials are unacceptable. The error code
returned on failure is 13801.*
If you send the same certificate then this is strange. Did you try
going back to 5.6.2 to verify that it's actually caused by strongSwan?
Otherwise, I'd assume the reason is a Windows 10 update (or upgrade e.g.
to v1803, which apparently brought some updates to the IKEv2 client as
IKEv2 fragmentation is now supported). In which case further analysis
is required.
Regards,
Tobias
Tobias Brunner
2018-05-31 09:54:56 UTC
Hi Christian,
Post by Christian Salway
I’m running dual 5.6.2 and 5.6.3 with the same cert on each and Windows10 can still connect to 5.6.2 but not 5.6.3 .
Please provide server logs for both cases (see [1]).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Christian Salway
2018-05-31 10:00:14 UTC
Post by Tobias Brunner
Hi Christian,
I’m running dual 5.6.2 and 5.6.3 with the same cert on each and Windows10 can still connect to 5.6.2 but not 5.6.3 .
Please provide server logs for both cases (see [1]).
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Tobias Brunner
2018-05-31 11:01:39 UTC
Hi Christian,

Thanks, could you please use the log settings at [1] (in particular net
and enc at level 1 so we see what's sent/received e.g. message sizes).
Only Win10 logs are necessary.

Regards,
Tobias
Christian Salway
2018-05-31 15:30:15 UTC
False alarm, very sorry... There was a problem with the server certificate when it came to Windows 10!
Post by Tobias Brunner
Hi Christian,
Thanks, could you please use the log settings at [1] (in particular net
and enc at level 1 so we see what's sent/received e.g. message sizes).
Only Win10 logs are necessary.
Regards,
Tobias
Christian Salway
2018-05-31 10:14:41 UTC
5.6.2

#swanctl --stats
uptime: 27 minutes, since May 31 09:40:48 2018
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 12
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 1843200, mmap 0, used 681440, free 1161760
loaded plugins: charon-systemd charon-systemd aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac gcm curl attr kernel-netlink resolve socket-default vici updown eap-identity eap-mschapv2 eap-dynamic eap-tls xauth-generic

#/etc/swanctl/conf.d/conn-ecdsa.conf
connections {
    ecdsa {
        version = 2
        send_cert = always
        encap = yes
        unique = replace
        proposals = aes256-sha256-prfsha256-modp2048-modp1024
        pools = pool1
        local {
            id = vpnserver1
            certs = vpnserver1.crt
        }
        remote {
            auth = eap-dynamic
            eap_id = %any
        }
        children {
            net {
                local_ts = 10.0.0.0/18
            }
        }
    }
}

#swanctl --list-certs

List of X.509 End Entity Certificates

subject: "CN=vpnuser"
issuer: "CN=Vivace Root CA"
validity: not before May 31 09:38:38 2018, ok
not after Jun 30 09:38:38 2019, ok (expires in 394 days)
serial: cd:b8:5a:3f:bb:df:f2:a7
altNames: vpnuser
flags: clientAuth
OCSP URIs: http://127.0.0.1:2560
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: 93:26:d4:8e:d0:5e:4b:82:4c:2f:c0:08:fd:b0:44:72:06:d0:75:2e
pubkey: ECDSA 384 bits
keyid: 97:2b:7f:05:46:62:48:65:a9:64:8c:28:09:a5:24:40:26:26:6e:3d
subjkey: 93:26:d4:8e:d0:5e:4b:82:4c:2f:c0:08:fd:b0:44:72:06:d0:75:2e

subject: "CN=vpnserver"
issuer: "CN=Vivace Root CA"
validity: not before May 24 11:39:02 2018, ok
not after Jun 23 11:39:02 2019, ok (expires in 388 days)
serial: cd:b8:5a:3f:bb:df:f2:a3
altNames: vpnserver, 35.177.138.182
flags: serverAuth ikeIntermediate
OCSP URIs: http://127.0.0.1:2560
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: 6b:89:5b:56:c9:ef:31:06:aa:f5:19:70:72:dd:ca:7b:44:04:c5:ae
pubkey: RSA 4096 bits, has private key
keyid: b5:9e:2e:12:30:3e:8f:19:ef:29:94:a4:36:ae:31:59:7f:22:4e:11
subjkey: 6b:89:5b:56:c9:ef:31:06:aa:f5:19:70:72:dd:ca:7b:44:04:c5:ae

List of X.509 CA Certificates

subject: "CN=Vivace Root CA"
issuer: "CN=Vivace Root CA"
validity: not before May 01 12:10:28 2018, ok
not after Apr 28 12:10:28 2028, ok (expires in 3620 days)
serial: dd:d4:40:a6:c0:e7:f0:e2
flags: CA self-signed
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
pubkey: RSA 4096 bits
keyid: 33:20:dc:2c:7c:d7:83:a2:58:4c:c1:01:d7:92:da:fb:a0:18:94:c4
subjkey: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50


5.6.3

#swanctl --stats
uptime: 14 minutes, since May 31 09:54:04 2018
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 7
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 1769472, mmap 0, used 667760, free 1101712
loaded plugins: charon-systemd charon-systemd aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac gcm curl attr kernel-netlink resolve socket-default vici updown eap-identity eap-mschapv2 eap-dynamic eap-tls xauth-generic

#/etc/swanctl/conf.d/conn-ecdsa.conf
connections {
    ecdsa {
        version = 2
        send_cert = always
        encap = yes
        unique = replace
        proposals = aes256-sha256-prfsha256-modp2048-modp1024
        pools = pool1
        local {
            id = vpnserver1
            certs = vpnserver1.crt
        }
        remote {
            auth = eap-dynamic
            eap_id = %any
        }
        children {
            net {
                local_ts = 10.0.0.0/18
            }
        }
    }
}

#swanctl --list-certs

List of X.509 End Entity Certificates

subject: "CN=vpnserver"
issuer: "CN=Vivace Root CA"
validity: not before May 24 11:39:02 2018, ok
not after Jun 23 11:39:02 2019, ok (expires in 388 days)
serial: cd:b8:5a:3f:bb:df:f2:a3
altNames: vpnserver, 35.177.138.182
flags: serverAuth ikeIntermediate
OCSP URIs: http://127.0.0.1:2560
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: 6b:89:5b:56:c9:ef:31:06:aa:f5:19:70:72:dd:ca:7b:44:04:c5:ae
pubkey: RSA 4096 bits, has private key
keyid: b5:9e:2e:12:30:3e:8f:19:ef:29:94:a4:36:ae:31:59:7f:22:4e:11
subjkey: 6b:89:5b:56:c9:ef:31:06:aa:f5:19:70:72:dd:ca:7b:44:04:c5:ae

subject: "CN=test_user"
issuer: "CN=Vivace Root CA"
validity: not before May 31 09:53:01 2018, ok
not after Jun 30 09:53:01 2019, ok (expires in 394 days)
serial: cd:b8:5a:3f:bb:df:f2:a8
altNames: test_user
flags: clientAuth
OCSP URIs: http://127.0.0.1:2560
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: bb:91:05:24:c3:f0:ee:a4:86:8a:09:4e:de:76:31:76:65:94:8d:38
pubkey: ECDSA 384 bits
keyid: 79:47:d3:e0:11:e7:a2:d8:89:69:43:d8:8a:f2:81:02:3b:fc:ea:de
subjkey: bb:91:05:24:c3:f0:ee:a4:86:8a:09:4e:de:76:31:76:65:94:8d:38

List of X.509 CA Certificates

subject: "CN=Vivace Root CA"
issuer: "CN=Vivace Root CA"
validity: not before May 01 12:10:28 2018, ok
not after Apr 28 12:10:28 2028, ok (expires in 3620 days)
serial: dd:d4:40:a6:c0:e7:f0:e2
flags: CA self-signed
authkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
subjkeyId: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
pubkey: RSA 4096 bits
keyid: 33:20:dc:2c:7c:d7:83:a2:58:4c:c1:01:d7:92:da:fb:a0:18:94:c4
subjkey: ff:4e:05:ee:8a:b3:d7:24:62:96:78:9a:b6:f0:51:82:b4:8f:f9:50
Post by Tobias Brunner
Hi Christian,
I’m running dual 5.6.2 and 5.6.3 with the same cert on each and Windows10 can still connect to 5.6.2 but not 5.6.3 .
Please provide server logs for both cases (see [1]).
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Tobias Brunner
2018-06-05 08:06:56 UTC
Hi Gilles,
Mon, 2018-06-04 23:04 09[KNL] received a XFRM_MSG_ACQUIRE
Mon, 2018-06-04 23:04 09[KNL] XFRMA_TMPL
Mon, 2018-06-04 23:04 09[KNL] XFRMA_MARK
Mon, 2018-06-04 23:04 09[KNL] creating acquire job for policy 192.168.0.30/32[udp/ipsec-nat-t] === 5.79.71.212/32[udp/ipsec-nat-t] with reqid {1}
This triggers a CREATE_CHILD_SA exchange, which the other peer never
answers (check the log there to find out why), eventually causing the
Mon, 2018-06-04 23:04 09[ENC] <VPN|1> generating CREATE_CHILD_SA request 7 [ SA No KE TSi TSr ]> ...
Mon, 2018-06-04 23:07 04[IKE] <VPN|1> giving up after 5 retransmits
...
Mon, 2018-06-04 23:07 04[IKE] <VPN|1> IKE_SA VPN[1] state change: ESTABLISHED => DESTROYING
Then due to dpdaction=restart the SA is recreated. Actually, two
CHILD_SAs are created (because of the queued CREATE_CHILD task).
Strangely, the peer now responds to this additional CREATE_CHILD_SA
request, but your updown script can't actually handle this duplicate
CHILD_SA properly.

To avoid the unnecessary and problematic acquire you have to fix the
routes (or iptables rules) so that the source address is correct once
the virtual IP is installed (as you can see above the physical IP is
used for some packets routed via VTI device and that triggers an acquire
because the IPsec policy is only for the virtual IP).

Regards,
Tobias
Tobias Brunner
2018-06-05 09:11:02 UTC
Hi Gilles,
Following your comment, it seems the issue comes first for "Hide.me"
which is not answering correctly to the "CREATE_CHILD_SA"
request.
No, the problem is that an acquire is generated in the first place. The
behavior by the peer is definitely not correct, but that's not the
actual problem (and fixing it wouldn't get you anything).
   - Does it mean that if they fix this issue, I will not lose anymore
the connection on my side?
No, as I said, you have to fix your routing/iptables setup so the
correct source IP is used for traffic that's routed via VTI device.
If it is not possible for them to change the behaviour of their VPN, you
mentioned I may handle it on my side by fixing the route when the
virtual IP is created. Can you provide more details?
Install routes with `src ${PLUTO_MY_SOURCEIP}` so that source IP is used
or NAT traffic to the virtual IP before it hits VTI device and the IPsec
policies.

Regards,
Tobias
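The fix Tobias describes, as an added example that is not code from the thread or from strongSwan: a script that emits the VTI routes with the source pinned to the virtual IP, plus two checks a practitioner would want before and after applying it, one over charon log lines for acquires whose local address is not the virtual IP, one over `ip route` output for a VTI default route missing `src`. Assumed: routing table "vpn", device "vti0", a device-only default route (a point-to-point VTI needs no `via`), a worse-metric blackhole fallback in place of the thread's route via 127.0.0.1, and constructed samples shaped like the thread's log and route output.

```bash
#!/bin/sh
# Added example (not from the thread, not strongSwan code). Route commands for
# the up-client hook with the source pinned to the virtual IP, plus checks that
# spot the symptom in a charon log and verify the resulting routing table.
# Assumed names: routing table "vpn", device "vti0"; charon exports
# PLUTO_MY_SOURCEIP to the updown script, which is where vti_route_cmds belongs.
set -o nounset -o errexit

# Print (not run) the routes for a fresh tunnel, so the function is testable
# without root. From the updown script:
#   vti_route_cmds "$PLUTO_MY_SOURCEIP" vti0 vpn | sh
vti_route_cmds() {
  vip="$1"; dev="$2"; table="$3"
  # 'src' makes the kernel choose the virtual IP for every packet routed via the
  # VTI, so it matches the IPsec policy (vip/32 === 0.0.0.0/0) and the physical
  # address never reaches the tunnel; a point-to-point VTI needs no 'via'.
  printf 'ip route replace default dev %s src %s table %s\n' "$dev" "$vip" "$table"
  # Worse-metric blackhole: while the tunnel is down, marked traffic is dropped
  # instead of leaking out of the physical NIC (my choice; the thread used lo).
  printf 'ip route replace blackhole default metric 1000 table %s\n' "$table"
}

# charon log on stdin -> local address of every policy the kernel sent an
# acquire for. The thread's line yields 192.168.0.30, the physical address.
acquire_sources() {
  awk '/creating acquire job for policy/ {
    for (i = 1; i <= NF; i++)
      if ($i == "policy") { split($(i + 1), a, "/"); print a[1] }
  }'
}

# 0 if every acquire in the log (stdin) is for the virtual IP, 1 otherwise.
acquires_only_for_vip() {
  vip="$1"
  bad=$(acquire_sources | grep -v -x -F "$vip" || true)
  [ -z "$bad" ]
}

# 'ip route show table <table>' on stdin -> 0 if the default route via $dev
# carries 'src $vip', 1 otherwise (the thread's tables would return 1).
default_route_has_src() {
  awk -v vip="$1" -v dev="$2" '
    $1 == "default" {
      d = 0; s = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "dev" && $(i + 1) == dev) d = 1
        if ($i == "src" && $(i + 1) == vip) s = 1
      }
      if (d && s) ok = 1
    }
    END { exit ok ? 0 : 1 }'
}

# Constructed samples shaped like the thread's log and route output.
ACQUIRE_LOG='Mon, 2018-06-04 23:04 09[KNL] received a XFRM_MSG_ACQUIRE
Mon, 2018-06-04 23:04 09[KNL] creating acquire job for policy 192.168.0.30/32[udp/ipsec-nat-t] === 5.79.71.212/32[udp/ipsec-nat-t] with reqid {1}'
ROUTES_BEFORE='default via 10.3.153.58 dev vti0
default via 127.0.0.1 dev lo'
ROUTES_AFTER='default dev vti0 scope link src 10.3.153.58
blackhole default metric 1000'

if [ "${1:-}" = "--demo" ]; then
  vti_route_cmds 10.3.153.58 vti0 vpn
  if printf '%s\n' "$ACQUIRE_LOG" | acquires_only_for_vip 10.3.153.58; then
    echo "log: acquires only for the virtual IP"
  else
    echo "log: acquire for a non-VIP source, fix the routes"
  fi
  if printf '%s\n' "$ROUTES_BEFORE" | default_route_has_src 10.3.153.58 vti0; then
    echo "routes: ok"
  else
    echo "routes: default route via vti0 lacks src 10.3.153.58"
  fi
fi
```

Run with `--demo` to see both checks fail on the thread's own data; feed the real charon log and `ip route show table vpn` to the same functions after changing the updown script.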
Gilles Printemps
2018-06-06 09:47:24 UTC
Hi Noel/Tobias,
I've done the modification in the script as highlighted but, unfortunately,
I still have the same problem:
after 2 minutes, when I execute the same command, it fails...
$ sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io
#!/bin/bash
export TABLE_ID="vpn"
export VPN_USER="vpn"
export VTI_INTERFACE="vti0"
export LOCAL_IP="192.168.0.30"
#export LOCAL_IP="10.211.55.3"
# Flush iptables rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# Mark packets from $VPN_USER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# Deny $VPN_USER to access other interfaces than lo
# iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
# Allow $VPN_USER to access lo and VPN interfaces
iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
# Allow responses from $VTI_INTERFACE
iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Masquerade packets on $VTI_INTERFACE
iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
# Routing rules: use the VTI's own address as gateway of the per-user table
GATEWAY=$(ifconfig $VTI_INTERFACE |
    egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
    egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
ip route replace default via $GATEWAY table $TABLE_ID
ip route append default via 127.0.0.1 dev lo table $TABLE_ID
ip route flush cache
I really don't understand how this issue can be related to a routing table.
Indeed, just after starting the VPN, the connection is working fine and the command
returns the right result.

Please find below the routing table status after each step.
Hope it will help to find where this issue is coming from...
BR Gilles

$ sudo ipsec start
$ sudo ipsec statusall

Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic,
uptime: 8 seconds,
malloc: sbrk 3088384, mmap 0, used 1304704, free 1783680
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
192.168.0.30
VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s
VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
VPN: remote: uses public key authentication
VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
VPN{1}: ROUTED, TUNNEL, reqid 1
VPN{1}: 192.168.0.30/32 === 0.0.0.0/0
none
$ sudo ip route show table all

default via 127.0.0.1 dev lo table vpn
default via 192.168.0.1 dev bond0 onlink
192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30
local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30
broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
fe80::/64 dev bond0 proto kernel metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto none metric 0 pref medium
local fe80:: dev lo table local proto none metric 0 pref medium
local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium
ff00::/8 dev bond0 table local metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
$ sudo ipsec up VPN
...
connection 'VPN' established successfully

$ sudo -u vpn -i -- curl ipinfo.io

{
"ip": "95.211.101.229",
"city": "",
"region": "",
"country": "NL",
"loc": "52.3824,4.8995",
"org": "AS60781 LeaseWeb Netherlands B.V."
}
$ sudo ifconfig (vti0 and bond0 interfaces)

bond0 Link encap:Ethernet HWaddr c8:1f:66:cb:1f:af
inet addr:192.168.0.30 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:1239225 errors:13 dropped:1649 overruns:0 frame:3
TX packets:664640 errors:0 dropped:3 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:298208189 (298.2 MB) TX bytes:123692731 (123.6 MB)
vti0 Link encap:IPIP Tunnel HWaddr
inet addr:10.3.153.58 P-t-P:10.3.153.58 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:957 (957.0 B) TX bytes:503 (503.0 B)
$ sudo ipsec statusall

Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic,
uptime: 95 seconds,
malloc: sbrk 3629056, mmap 0, used 1409056, free 2220000
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
192.168.0.30
10.3.153.58
VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s
VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
VPN: remote: uses public key authentication
VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
VPN{1}: ROUTED, TUNNEL, reqid 1
VPN{1}: 192.168.0.30/32 === 0.0.0.0/0
VPN[1]: ESTABLISHED 33 seconds ago, 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i* 08a6a85a2e5367a6_r, EAP reauthentication in 2 hours
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
VPN{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3519ebd_i c3e6821b_o
VPN{2}: AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6 pkts, 25s ago), 532 bytes_o (9 pkts, 25s ago), rekeying in 46 minutes
VPN{2}: 10.3.153.58/32 === 0.0.0.0/0
$ sudo ip route show table all

default via 10.3.153.58 dev vti0 table vpn
default via 127.0.0.1 dev lo table vpn
default via 192.168.0.1 dev bond0 onlink
192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
local 10.3.153.58 dev vti0 table local proto kernel scope host src 10.3.153.58
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30
local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30
broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
fe80::/64 dev bond0 proto kernel metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto none metric 0 pref medium
local fe80:: dev lo table local proto none metric 0 pref medium
local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium
ff00::/8 dev bond0 table local metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
Display of all routing tables

Filter table:
Chain INPUT (policy ACCEPT 189 packets, 15132 bytes)
pkts bytes target prot opt in out source destination
6 957 ACCEPT all -- vti0 any anywhere anywhere ctstate ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 185 packets, 26720 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any lo anywhere anywhere owner UID match vpn
0 0 ACCEPT all -- any vti0 anywhere anywhere owner UID match vpn
Nat table:
Chain PREROUTING (policy ACCEPT 2 packets, 136 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 2 packets, 136 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 30 packets, 2361 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 28 packets, 2246 bytes)
pkts bytes target prot opt in out source destination
2 115 MASQUERADE all -- any vti0 anywhere anywhere
Chain PREROUTING (policy ACCEPT 195 packets, 16089 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 195 packets, 16089 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 193 packets, 28964 bytes)
pkts bytes target prot opt in out source destination
193 28964 CONNMARK all -- any any anywhere anywhere CONNMARK restore
14 1439 MARK all -- any any anywhere !coruscant.printemps.cc owner UID match vpn MARK set 0x1
0 0 MARK all -- any any !coruscant.printemps.cc anywhere owner UID match vpn MARK set 0x1
193 28964 CONNMARK all -- any any anywhere anywhere CONNMARK save
Chain POSTROUTING (policy ACCEPT 211 packets, 30421 bytes)
pkts bytes target prot opt in out source destination
After ~2 minutes, connection is broken
$ sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io

$ sudo ipsec statusall

Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic,
uptime: 3 minutes,
malloc: sbrk 3629056, mmap 0, used 1411312, free 2217744
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
192.168.0.30
10.3.153.58
VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s
VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
VPN: remote: uses public key authentication
VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
VPN{1}: ROUTED, TUNNEL, reqid 1
VPN{1}: 192.168.0.30/32 === 0.0.0.0/0
VPN[1]: ESTABLISHED 2 minutes ago, 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i* 08a6a85a2e5367a6_r, EAP reauthentication in 2 hours
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
VPN[1]: Tasks active: IKE_MOBIKE
VPN{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3519ebd_i c3e6821b_o
VPN{2}: AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6 pkts, 161s ago), 4127 bytes_o (52 pkts, 27s ago), rekeying in 44 minutes
VPN{2}: 10.3.153.58/32 === 0.0.0.0/0
$ sudo ifconfig (vti0 and bond0 interfaces)

bond0 Link encap:Ethernet HWaddr c8:1f:66:cb:1f:af
inet addr:192.168.0.30 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:1240273 errors:13 dropped:1651 overruns:0 frame:3
TX packets:665233 errors:0 dropped:3 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:298394839 (298.3 MB) TX bytes:123780036 (123.7 MB)
vti0 Link encap:IPIP Tunnel HWaddr
inet addr:10.3.153.58 P-t-P:10.3.153.58 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:957 (957.0 B) TX bytes:4098 (4.0 KB)
$ sudo ip route show table all

default via 10.3.153.58 dev vti0 table vpn
default via 127.0.0.1 dev lo table vpn
default via 192.168.0.1 dev bond0 onlink
192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
local 10.3.153.58 dev vti0 table local proto kernel scope host src 10.3.153.58
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30
local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30
broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
fe80::/64 dev bond0 proto kernel metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto none metric 0 pref medium
local fe80:: dev lo table local proto none metric 0 pref medium
local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium
ff00::/8 dev bond0 table local metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
After ~2 minutes, the connection is restarted...
$ sudo -u vpn -i -- curl ipinfo.io
{
"ip": "109.201.137.48",
"hostname": "",
"city": "Amsterdam",
"region": "Noord-Holland",
"country": "NL",
"loc": "52.3666,4.9027",
"postal": "1066",
"org": "AS43350 NForce Entertainment B.V."
}
$ sudo ipsec statusall

Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.4.0-127-generic,
uptime: 6 minutes,
malloc: sbrk 3629056, mmap 0, used 1434848, free 2194208
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
192.168.0.30
10.3.189.169
VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s
VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
VPN: remote: uses public key authentication
VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
VPN{1}: ROUTED, TUNNEL, reqid 1
VPN{1}: 192.168.0.30/32 === 0.0.0.0/0
VPN[2]: ESTABLISHED 61 seconds ago, 192.168.0.30[192.168.0.30]...109.201.137.46[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
VPN[2]: IKEv2 SPIs: 5855a17374bc3cee_i* cedf941ba5dff66d_r, EAP reauthentication in 2 hours
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
VPN[2]: Tasks active: CHILD_CREATE
VPN{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca615d08_i c38d7138_o
VPN{3}: AES_CBC_256/HMAC_SHA2_256_128, 1017 bytes_i (6 pkts, 31s ago), 503 bytes_o (8 pkts, 31s ago), rekeying in 44 minutes
VPN{3}: 10.3.189.169/32 === 0.0.0.0/0
$ sudo ip route show table all

default via 10.3.189.169 dev vti0 table vpn
default via 127.0.0.1 dev lo table vpn
default via 192.168.0.1 dev bond0 onlink
192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
local 10.3.189.169 dev vti0 table local proto kernel scope host src 10.3.189.169
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30
local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30
broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
fe80::/64 dev bond0 proto kernel metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto none metric 0 pref medium
local fe80:: dev lo table local proto none metric 0 pref medium
local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium
ff00::/8 dev bond0 table local metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
Gilles Printemps
2018-06-09 10:16:28 UTC
Hi,
I've added the setting in the "strongswan.conf" file but, unfortunately,
the issue is still the same...
charon {
    interfaces_use = bond0
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /var/log/charon_debug.log {
            time_format = %a, %Y-%m-%d %R
            default = 2
            mgr = 0
            net = 1
            enc = 1
            asn = 1
            job = 1
            ike_name = yes
            append = no
            flush_line = yes
        }
    }
}
include strongswan.d/*.conf
It seems to be a routing problem because I have a lot of "retransmit" (see below),
but:
- Why is it working at the beginning, when the connection to the VPN
server is established?
- Are any requests blocked if strongSwan (here used as client) is not
receiving an answer from the VPN server?
- Can someone explain why it has to retransmit the response?
Does it mean the server is not receiving it? Or is a rule missing for
routing this packet through the vti?

Sat, 2018-06-09 11:57 15[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 10[IKE] <VPN|2> retransmit 1 of request with message ID 6
Sat, 2018-06-09 11:57 10[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 05[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 05[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 05[ENC] <VPN|2> generating INFORMATIONAL response 1 [ ]
Sat, 2018-06-09 11:57 05[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 16[IKE] <VPN|2> retransmit 2 of request with message ID 6
Sat, 2018-06-09 11:57 16[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 07[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 07[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 07[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 07[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 13[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 13[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 13[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 13[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 12[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 12[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 12[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 12[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 09[KNL] <VPN|2> querying policy 10.3.185.30/32 === 0.0.0.0/0 out (mark 2/0xffffffff)
Sat, 2018-06-09 11:57 03[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Regards,
Gilles

On Fri, Jun 8, 2018 at 5:08 PM Noel Kuntze
Hi,
Try setting charon.interfaces_use=bond0
Kind regards
Noel
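The pattern in the charon log excerpt above (the client retransmitting its own request with message ID 6 while the server keeps re-sending its INFORMATIONAL request 1 and the client keeps re-sending the response) answers the question of who is not receiving what, and it can be classified mechanically. The script below is an added example, not code from the thread or from strongSwan. It parses lines in the filelog format configured above (re-joining lines that a mail client wrapped), counts retransmissions in each direction, and derives a verdict from the IKEv2 rules that an initiator retransmits its request until it gets a response, while a responder only re-sends a response when the same request arrives again (RFC 7296, section 2.1). The embedded sample is an abridged copy of the log excerpt from the thread; the function names and verdict strings are this example's own.

```python
"""Classify IKEv2 retransmissions in a charon log (added example, not thread code).

Input: lines in the filelog format posted above (time_format = %a, %Y-%m-%d %R,
ike_name = yes).  Per RFC 7296 section 2.1 an initiator retransmits its request
until a response arrives, and a responder re-sends a response only when the same
request arrives again.  So "retransmit N of request with message ID M" means the
peer's response never reached us, and "received retransmit of request with ID N"
means our response never reached the peer.
"""
import re
from collections import Counter

# "<day>, <date> <hh:mm> <thread>[<group>] <ike-name|id> <message>"
LINE_RE = re.compile(r"^\w+, \S+ \d\d:\d\d (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
                     r"(?:<(?P<ike>[^>]+)> )?(?P<msg>.*)$")
OUR_RETRANSMIT_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
PEER_RETRANSMIT_RE = re.compile(r"received retransmit of request with ID (\d+)")
RESPONSE_RE = re.compile(r"generating \w+ response (\d+)")
PACKET_RE = re.compile(r"(sending|received) packet: from \S+ to \S+ \(\d+ bytes\)")


def parse(lines):
    """Yield (group, ike_name, message); lines wrapped by a mail client are re-joined."""
    entries = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        if LINE_RE.match(raw) or not entries:
            entries.append(raw)
        else:
            entries[-1] += " " + raw       # continuation of the previous entry
    for entry in entries:
        if m := LINE_RE.match(entry):
            yield m.group("group"), m.group("ike"), m.group("msg")


def analyse(lines):
    """Count retransmissions in both directions plus packets sent and received."""
    ours, peers, answered = Counter(), Counter(), set()
    sent = received = 0
    for _group, _ike, msg in parse(lines):
        if m := OUR_RETRANSMIT_RE.search(msg):      # our request M, Nth retransmit
            ours[int(m.group(2))] = max(ours[int(m.group(2))], int(m.group(1)))
        elif m := PEER_RETRANSMIT_RE.search(msg):   # peer re-sent its request N
            peers[int(m.group(1))] += 1
        elif m := RESPONSE_RE.search(msg):          # we answered peer request N
            answered.add(int(m.group(1)))
        elif m := PACKET_RE.search(msg):
            if m.group(1) == "sending":
                sent += 1
            else:
                received += 1
    return {"our_retransmits": dict(ours), "peer_retransmits": dict(peers),
            "answered": answered, "sent": sent, "received": received}


def diagnose(lines):
    """One-line verdict on which direction of the IKE path is failing."""
    r = analyse(lines)
    if not r["our_retransmits"] and not r["peer_retransmits"]:
        return "healthy: no retransmissions"
    if r["peer_retransmits"]:
        # The peer's requests keep arriving, so inbound works; it repeats them
        # because neither our responses nor our own requests reach it.
        repeated = sorted(set(r["peer_retransmits"]) & r["answered"])
        return (f"outbound broken: peer re-sent request(s) {repeated} that we already "
                f"answered; {len(r['our_retransmits'])} of our requests unanswered")
    if r["received"] == 0:
        return "no inbound packets: peer unreachable or both directions down"
    return "peer responses missing: our requests unanswered while other inbound traffic arrives"


# Abridged copy of the log excerpt from the thread, with the mail line-wrapping removed.
SAMPLE_LOG = """\
Sat, 2018-06-09 11:57 15[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 10[IKE] <VPN|2> retransmit 1 of request with message ID 6
Sat, 2018-06-09 11:57 10[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 05[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 05[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 05[ENC] <VPN|2> generating INFORMATIONAL response 1 [ ]
Sat, 2018-06-09 11:57 05[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 16[IKE] <VPN|2> retransmit 2 of request with message ID 6
Sat, 2018-06-09 11:57 16[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 07[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 07[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 07[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 13[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 13[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 13[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 12[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 12[IKE] <VPN|2> received retransmit of request with ID 1, retransmitting response
Sat, 2018-06-09 11:57 12[NET] <VPN|2> sending packet: from 192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 03[NET] <VPN|2> received packet: from 109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG.splitlines()))
```

Run against the excerpt, the verdict is "outbound broken": the server's INFORMATIONAL requests keep arriving, so the inbound path is fine, but nothing the client sends to the server's UDP/4500 (neither the response to request 1 nor its own request 6) is ever acknowledged. That points the investigation at what happens to the client's own outgoing IKE and ESP-in-UDP packets on the client-to-server leg (the route they take and any mark they carry), not at the VTI or the installed policies on the inbound side.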
Gilles Printemps
2018-06-09 10:49:22 UTC
After my last email, where I mentioned that the setting has no effect, I
discovered something interesting:
Right after establishing the connection to the VPN,
- if I'm doing nothing (no traffic) through the vti, or
- if I'm pinging a host using the virtual tunnel directly (ping -I
vti0 www.google.com),
the connection to the VPN is not destroyed and there is no retransmission of
packets.

Everything starts going wrong when I'm just doing my test request using
the "vpn" user (sudo -u vpn -i -- curl ipinfo.io). Even if I'm getting the
answer from this request, I'm starting to see retransmissions, and right after,
the connection is dropped and established again. And from then on, the
connection stays alive until a new request as before.
Any command using the "vpn" user seems to impact the connection to the VPN
and destroy it...

Best Regards,
Gilles
Post by Gilles Printemps
Hi,
I've added the setting in the "strongswan.conf" file but, unfortunately,
issue is still the same...
charon {
interfaces_use = bond0
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
filelog {
/var/log/charon_debug.log {
time_format = %a, %Y-%m-%d %R
default = 2
mgr = 0
net = 1
enc = 1
asn = 1
job = 1
ike_name = yes
append = no
flush_line = yes
}
}
}
include strongswan.d/*.conf
It seems a routing problem because I have a lot of "retransmit" (see
below) but
- Why it is working at the beginning when the connection to the VPN
server is established?
- Are any requests blocked if Strongswan (here used as client) is not
receiving an answer from the VPN server?
- Can someone explain why it has to retransmit the response?
Does it mean the server is not receiving it? or I a rule missing for
routing this packet through the vti?
Sat, 2018-06-09 11:57 15[NET] <VPN|2> sending packet: from
192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 10[IKE] <VPN|2> retransmit 1 of request with
message ID 6
Sat, 2018-06-09 11:57 10[NET] <VPN|2> sending packet: from
192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 05[NET] <VPN|2> received packet: from
109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 05[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 05[ENC] <VPN|2> generating INFORMATIONAL response 1
[ ]
Sat, 2018-06-09 11:57 05[NET] <VPN|2> sending packet: from
192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 16[IKE] <VPN|2> retransmit 2 of request with
message ID 6
Sat, 2018-06-09 11:57 16[NET] <VPN|2> sending packet: from
192.168.0.30[4500] to 109.201.137.36[4500] (512 bytes)
Sat, 2018-06-09 11:57 07[NET] <VPN|2> received packet: from
109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 07[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 07[IKE] <VPN|2> received retransmit of request with
ID 1, retransmitting response
Sat, 2018-06-09 11:57 07[NET] <VPN|2> sending packet: from
192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 13[NET] <VPN|2> received packet: from
109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 13[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 13[IKE] <VPN|2> received retransmit of request with
ID 1, retransmitting response
Sat, 2018-06-09 11:57 13[NET] <VPN|2> sending packet: from
192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 12[NET] <VPN|2> received packet: from
109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Sat, 2018-06-09 11:57 12[ENC] <VPN|2> parsed INFORMATIONAL request 1 [ ]
Sat, 2018-06-09 11:57 12[IKE] <VPN|2> received retransmit of request with
ID 1, retransmitting response
Sat, 2018-06-09 11:57 12[NET] <VPN|2> sending packet: from
192.168.0.30[4500] to 109.201.137.36[4500] (80 bytes)
Sat, 2018-06-09 11:57 09[KNL] <VPN|2> querying policy 10.3.185.30/32 ===
0.0.0.0/0 out (mark 2/0xffffffff)
Sat, 2018-06-09 11:57 03[NET] <VPN|2> received packet: from
109.201.137.36[4500] to 192.168.0.30[4500] (80 bytes)
Regards,
Gilles
On Fri, Jun 8, 2018 at 5:08 PM Noel Kuntze
Hi,
Try setting charon.interfaces_use=bond0
Kind regards
Noel
Post by Gilles Printemps
Hi Noel/Tobias,
I've done the modification in the script as highlighted but,
After 2 minutes, when I'm executing the same command, it's failing...
$ sudo -u vpn -i -- curl ipinfo.io <http://ipinfo.io>
curl: (6) Could not resolve host: ipinfo.io <http://ipinfo.io>
export TABLE_ID="vpn"
export VPN_USER="vpn"
export VTI_INTERFACE="vti0"
export LOCAL_IP="192.168.0.30"
#export LOCAL_IP="10.211.55.3"
# Flush iptables rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# Mark packets from $VPN_USER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner
--uid-owner $VPN_USER -j MARK --set-mark 0x1
Post by Gilles Printemps
iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -m owner --uid-owner
$VPN_USER -j MARK --set-mark 0x1
Post by Gilles Printemps
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# Deny $VPN_USER to access other interfaces than lo
# iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
# Allow $VPN_USER to access lo and VPN interfaces
iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER
-j ACCEPT
Post by Gilles Printemps
# Allow response from $VPN_INTERFACE
iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate
ESTABLISHED -j ACCEPT
Post by Gilles Printemps
# Masquarade packets on $VPN_INTERFACE
iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
# Routing rules
GATEWAY=$(ifconfig $VTI_INTERFACE |
egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})'
| tail -n1)
Post by Gilles Printemps
ip route replace default via $GATEWAY table $TABLE_ID
ip route append default via 127.0.0.1 dev lo table $TABLE_ID
ip route flush cache
I really don't understand how this issue can be related to a routing
table. Indeed, just after starting the VPN, connection is working fine and
command is returning the right result.
Post by Gilles Printemps
Please find below the routing table status after each steps..
How it will help for finding where this issue is coming from...
BR Gilles
$ sudo ipsec start
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.0, Linux
uptime: 8 seconds,
malloc: sbrk 3088384, mmap 0, used 1304704, free 1783680
0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce
x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve
socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
192.168.0.30
VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s
VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
VPN: remote: uses public key authentication
VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
VPN{1}: ROUTED, TUNNEL, reqid 1
VPN{1}: 192.168.0.30/32 === 0.0.0.0/0
none
$ sudo ip route show table all
default via 127.0.0.1 dev lo table vpn
default via 192.168.0.1 dev bond0 onlink
192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30
local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30
broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
fe80::/64 dev bond0 proto kernel metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto none metric 0 pref medium
local fe80:: dev lo table local proto none metric 0 pref medium
local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium
ff00::/8 dev bond0 table local metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
$ sudo ipsec up VPN
...
connection 'VPN' established successfully
$ sudo -u vpn -i -- curl ipinfo.io
{
"ip": "95.211.101.229",
"city": "",
"region": "",
"country": "NL",
"loc": "52.3824,4.8995",
"org": "AS60781 LeaseWeb Netherlands B.V."
}
$ sudo ifconfig (vti0 and bond0 interfaces)
bond0 Link encap:Ethernet HWaddr c8:1f:66:cb:1f:af
inet addr:192.168.0.30 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:1239225 errors:13 dropped:1649 overruns:0 frame:3
TX packets:664640 errors:0 dropped:3 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:298208189 (298.2 MB) TX bytes:123692731 (123.6 MB)
vti0 Link encap:IPIP Tunnel HWaddr
inet addr:10.3.153.58 P-t-P:10.3.153.58 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:957 (957.0 B) TX bytes:503 (503.0 B)
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.0, Linux
uptime: 95 seconds,
malloc: sbrk 3629056, mmap 0, used 1409056, free 2220000
0/0/0/0, scheduled: 4
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce
x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve
socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
192.168.0.30
10.3.153.58
VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s
VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
VPN: remote: uses public key authentication
VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
VPN{1}: ROUTED, TUNNEL, reqid 1
VPN{1}: 192.168.0.30/32 === 0.0.0.0/0
VPN[1]: ESTABLISHED 33 seconds ago, 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i* 08a6a85a2e5367a6_r, EAP reauthentication in 2 hours
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
c3519ebd_i c3e6821b_o
VPN{2}: AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6 pkts, 25s ago), 532 bytes_o (9 pkts, 25s ago), rekeying in 46 minutes
VPN{2}: 10.3.153.58/32 === 0.0.0.0/0
$ sudo ip route show table all
default via 10.3.153.58 dev vti0 table vpn
default via 127.0.0.1 dev lo table vpn
default via 192.168.0.1 dev bond0 onlink
192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
local 10.3.153.58 dev vti0 table local proto kernel scope host src 10.3.153.58
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30
local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30
broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
fe80::/64 dev bond0 proto kernel metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto none metric 0 pref medium
local fe80:: dev lo table local proto none metric 0 pref medium
local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium
ff00::/8 dev bond0 table local metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
Display of all routing tables
Filter table:
Chain INPUT (policy ACCEPT 189 packets, 15132 bytes)
pkts bytes target prot opt in out source destination
6 957 ACCEPT all -- vti0 any anywhere anywhere ctstate ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 185 packets, 26720 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any lo anywhere anywhere owner UID match vpn
0 0 ACCEPT all -- any vti0 anywhere anywhere owner UID match vpn
Nat table:
Chain PREROUTING (policy ACCEPT 2 packets, 136 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 2 packets, 136 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 30 packets, 2361 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 28 packets, 2246 bytes)
pkts bytes target prot opt in out source destination
2 115 MASQUERADE all -- any vti0 anywhere anywhere
Mangle table:
Chain PREROUTING (policy ACCEPT 195 packets, 16089 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 195 packets, 16089 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 193 packets, 28964 bytes)
pkts bytes target prot opt in out source destination
193 28964 CONNMARK all -- any any anywhere anywhere CONNMARK restore
14 1439 MARK all -- any any anywhere !coruscant.printemps.cc owner UID match vpn MARK set 0x1
0 0 MARK all -- any any !coruscant.printemps.cc anywhere owner UID match vpn MARK set 0x1
193 28964 CONNMARK all -- any any anywhere anywhere CONNMARK save
Chain POSTROUTING (policy ACCEPT 211 packets, 30421 bytes)
pkts bytes target prot opt in out source destination
After ~2 minutes, the connection is broken
$ sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.0, Linux
uptime: 3 minutes,
malloc: sbrk 3629056, mmap 0, used 1411312, free 2217744
0/0/0/0, scheduled: 5
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce
x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve
socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
192.168.0.30
10.3.153.58
VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s
VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
VPN: remote: uses public key authentication
VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
VPN{1}: ROUTED, TUNNEL, reqid 1
VPN{1}: 192.168.0.30/32 === 0.0.0.0/0
VPN[1]: ESTABLISHED 2 minutes ago, 192.168.0.30[192.168.0.30]...95.211.101.201[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
VPN[1]: IKEv2 SPIs: ced6fd317e98294d_i* 08a6a85a2e5367a6_r, EAP reauthentication in 2 hours
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
VPN[1]: Tasks active: IKE_MOBIKE
c3519ebd_i c3e6821b_o
VPN{2}: AES_CBC_256/HMAC_SHA2_256_128, 957 bytes_i (6 pkts, 161s ago), 4127 bytes_o (52 pkts, 27s ago), rekeying in 44 minutes
VPN{2}: 10.3.153.58/32 === 0.0.0.0/0
$ sudo ifconfig (vti0 and bond0 interfaces)
bond0 Link encap:Ethernet HWaddr c8:1f:66:cb:1f:af
inet addr:192.168.0.30 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::ca1f:66ff:fecb:1faf/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:1240273 errors:13 dropped:1651 overruns:0 frame:3
TX packets:665233 errors:0 dropped:3 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:298394839 (298.3 MB) TX bytes:123780036 (123.7 MB)
vti0 Link encap:IPIP Tunnel HWaddr
inet addr:10.3.153.58 P-t-P:10.3.153.58 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:957 (957.0 B) TX bytes:4098 (4.0 KB)
$ sudo ip route show table all
default via 10.3.153.58 dev vti0 table vpn
default via 127.0.0.1 dev lo table vpn
default via 192.168.0.1 dev bond0 onlink
192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
local 10.3.153.58 dev vti0 table local proto kernel scope host src 10.3.153.58
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30
local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30
broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
fe80::/64 dev bond0 proto kernel metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto none metric 0 pref medium
local fe80:: dev lo table local proto none metric 0 pref medium
local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium
ff00::/8 dev bond0 table local metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
After ~2 minutes, the connection is restarted...
$ sudo -u vpn -i -- curl ipinfo.io
{
"ip": "109.201.137.48",
"hostname": "",
"city": "Amsterdam",
"region": "Noord-Holland",
"country": "NL",
"loc": "52.3666,4.9027",
"postal": "1066",
"org": "AS43350 NForce Entertainment B.V."
}
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.0, Linux
uptime: 6 minutes,
malloc: sbrk 3629056, mmap 0, used 1434848, free 2194208
0/0/0/0, scheduled: 7
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce
x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve
socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
192.168.0.30
10.3.189.169
VPN: %any...free-nl.hide.me IKEv2, dpddelay=30s
VPN: local: uses EAP_MSCHAPV2 authentication with EAP identity 'gprintemps'
VPN: remote: uses public key authentication
VPN: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
VPN{1}: ROUTED, TUNNEL, reqid 1
VPN{1}: 192.168.0.30/32 === 0.0.0.0/0
VPN[2]: ESTABLISHED 61 seconds ago, 192.168.0.30[192.168.0.30]...109.201.137.46[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
VPN[2]: IKEv2 SPIs: 5855a17374bc3cee_i* cedf941ba5dff66d_r, EAP reauthentication in 2 hours
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
VPN[2]: Tasks active: CHILD_CREATE
ca615d08_i c38d7138_o
VPN{3}: AES_CBC_256/HMAC_SHA2_256_128, 1017 bytes_i (6 pkts, 31s ago), 503 bytes_o (8 pkts, 31s ago), rekeying in 44 minutes
VPN{3}: 10.3.189.169/32 === 0.0.0.0/0
$ sudo ip route show table all
default via 10.3.189.169 dev vti0 table vpn
default via 127.0.0.1 dev lo table vpn
default via 192.168.0.1 dev bond0 onlink
192.168.0.0/24 dev bond0 proto kernel scope link src 192.168.0.30
local 10.3.189.169 dev vti0 table local proto kernel scope host src 10.3.189.169
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev bond0 table local proto kernel scope link src 192.168.0.30
local 192.168.0.30 dev bond0 table local proto kernel scope host src 192.168.0.30
broadcast 192.168.0.255 dev bond0 table local proto kernel scope link src 192.168.0.30
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
fe80::/64 dev bond0 proto kernel metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto none metric 0 pref medium
local fe80:: dev lo table local proto none metric 0 pref medium
local fe80::ca1f:66ff:fecb:1faf dev lo table local proto none metric 0 pref medium
ff00::/8 dev bond0 table local metric 256 pref medium
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 pref medium
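The up-client script quoted above derives the gateway for the per-user table by scraping ifconfig with egrep and then installs it with `ip route replace`; the three dumps also show that the virtual IP on vti0 changes across reconnects (10.3.153.58, then 10.3.189.169), so the table's default route has to be kept in step with the interface address. The following is an added example, not code from the thread or from strongSwan: it parses `ip` output instead of ifconfig and checks that the default route in the user's table still points at the address currently on the vti interface. The interface name vti0 and the table name "vpn" are taken from the route dumps; the parsers take the command output as text, so the check runs offline on the constructed samples embedded below and can be pointed at live `ip` output on a host.

```shell
#!/bin/sh
# Added example (not from the thread): consistency check between the vti
# interface address and the default route in the per-user routing table.
# Assumptions: interface vti0 and routing table "vpn" as in the dumps above;
# each parser takes the command output as text so it can run offline.

# First IPv4 address on the interface, from `ip -4 -o addr show dev <if>`
# (one address per line: "<idx>: <if>    inet <addr>/<plen> ...").
vti_address() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Gateway of the table's default route, from `ip -4 route show table <name>`
# (the "table all" format from the dumps parses the same way); the loopback
# fallback route that the up-client script appends is skipped.
table_default_gateway() {
    printf '%s\n' "$1" | awk '
        $1 == "default" && $2 == "via" {
            dev = ""
            for (i = 4; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != "lo") { print $3; exit }
        }'
}

# Returns 0 when the route and the interface address agree, 1 when they
# diverge or either value is missing (a stale route after the tunnel got a
# new virtual IP, or a vti interface that lost its address).
check_vpn_route() {
    addr=$(vti_address "$1")
    gw=$(table_default_gateway "$2")
    [ -n "$addr" ] && [ -n "$gw" ] && [ "$addr" = "$gw" ]
}

# Constructed sample output; the addresses are the ones in the thread's dumps.
SAMPLE_ADDR_OLD='4: vti0    inet 10.3.153.58/32 scope global vti0\       valid_lft forever preferred_lft forever'
SAMPLE_ADDR_NEW='4: vti0    inet 10.3.189.169/32 scope global vti0\       valid_lft forever preferred_lft forever'
SAMPLE_ROUTES_OLD='default via 10.3.153.58 dev vti0
default via 127.0.0.1 dev lo'
SAMPLE_ROUTES_NONE='default via 127.0.0.1 dev lo'

# Stand-alone demo on the constructed samples: the interface already carries
# the new virtual IP while the table still routes via the old one.
# On a live host pass "$(ip -4 -o addr show dev vti0)" and
# "$(ip -4 route show table vpn)" instead.
if check_vpn_route "$SAMPLE_ADDR_NEW" "$SAMPLE_ROUTES_OLD"; then
    echo "table vpn: default route matches the vti0 address"
else
    echo "table vpn: default route is stale or missing for vti0"
fi
```

Run from the up-client script after `ip route replace`, or from cron, this turns the "it worked at first, then stopped" symptom into a concrete yes/no on whether the route and the virtual IP still agree; when they do agree and traffic still fails, the routing table can be ruled out and attention moves to the IKE side (the IKE_MOBIKE task visible in the second status dump).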