List: strongswan-users
Subject: [strongSwan] Strongswan/VTI: Connection killed after several "retransmit of request"
From: Gilles Printemps <gprintemps () gmail ! com>
Date: 2018-11-14 14:51:35
Message-ID: CAGuTi1DRoAe2FTT6zvRitB90UT97636Y=ZP4Fz2RTh3M2vT-eg () mail ! gmail ! com
Hi,
For several months, I've been trying to find a solution for routing traffic
from a specific user to a VPN using VTI.
The issue seems to come from the VTI that I created for handling the VPN
connection (FYI, using the same routing parameters with OpenVPN is
working).
The issue is the following:
- Connection is successfully established
- Then the following request using VTI/VPN successfully returns a response
sudo -u vpn -i -- curl ipinfo.io
- After several attempts to keep the connection alive, the connection
breaks, the link with the VPN is broken
and another run of the previous command returns "curl: (6) Could not
resolve host: ipinfo.io"
I tried to follow advice from users of the mailing list but, unfortunately,
the issue is still there...
Updated config files and logs (ifconfig, iptables, xfrm state, charon.log)
are attached.
I suspect that the issue is due to:
- a missing/bad route
- an issue related to conn mark
.. I'm using 0x1 to mark traffic from the "vpn" user and to route it
to the VTI
.. Strongswan is using 0x2 to flag its packets
BTW, as you can see in the result of "xfrm state", mark 0x2 is
only available in one direction.
All the results I've seen show the mark in both directions...
I really hope someone will be able to help me find a solution...
Thanks in advance
["ifconfig.txt" (text/plain)]
enp0s5 Link encap:Ethernet HWaddr 00:1c:42:61:00:5f
inet addr:10.211.55.26 Bcast:10.211.55.255 Mask:255.255.255.0
inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fe61:5f/64 Scope:Global
inet6 addr: fe80::21c:42ff:fe61:5f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30689 errors:0 dropped:0 overruns:0 frame:0
TX packets:20834 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3096795 (3.0 MB) TX bytes:4175200 (4.1 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:309 errors:0 dropped:0 overruns:0 frame:0
TX packets:309 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:29366 (29.3 KB) TX bytes:29366 (29.3 KB)
tun0 Link encap:IPIP Tunnel HWaddr
inet addr:10.3.190.59 P-t-P:10.3.190.59 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:24 errors:0 dropped:0 overruns:0 frame:0
TX packets:56 errors:15 dropped:0 overruns:0 carrier:15
collisions:0 txqueuelen:1
RX bytes:4075 (4.0 KB) TX bytes:3476 (3.4 KB)
["ipsec.vti.sh" (application/x-sh)]
#!/bin/bash
# strongSwan updown script: creates the VTI on "up-client" and removes it on
# "down-client". The okey/ikey values are taken from the marks strongSwan
# hands over (PLUTO_MARK_OUT / PLUTO_MARK_IN, given as "mark/mask").
set -o nounset
set -o errexit

VTI_INTERFACE="tun0"
ETH_INTERFACE=`route | grep '^default' | grep -o '[^ ]*$'`

case "${PLUTO_VERB}" in
    up-client)
        echo "PLUTO_ME: ${PLUTO_ME}" > /tmp/log.txt
        echo "PLUTO_PEER: ${PLUTO_PEER}" >> /tmp/log.txt
        echo "PLUTO_MY_SOURCEIP: ${PLUTO_MY_SOURCEIP}" >> /tmp/log.txt
        echo "PLUTO_PEER_CLIENT: ${PLUTO_PEER_CLIENT}" >> /tmp/log.txt
        echo "PLUTO_MARK_IN: ${PLUTO_MARK_IN%%/*}" >> /tmp/log.txt
        echo "PLUTO_MARK_OUT: ${PLUTO_MARK_OUT%%/*}" >> /tmp/log.txt

        echo "Creating ${VTI_INTERFACE}..." >> /tmp/log.txt
        # Strip the "/mask" part so only the mark value is passed as okey/ikey
        ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
            okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"

        echo "Enabling ${VTI_INTERFACE}..." >> /tmp/log.txt
        ip link set "${VTI_INTERFACE}" up
        ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_INTERFACE}"
        # Traffic on the VTI is already matched by the IPsec policies, so skip policy lookup
        sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"

        echo "Changing Reverse Path Filtering mode..." >> /tmp/log.txt
        sysctl -w "net.ipv4.conf.all.rp_filter=2"
        sysctl -w "net.ipv4.conf.default.rp_filter=2"
        sysctl -w "net.ipv4.conf.${ETH_INTERFACE}.rp_filter=2"

        echo "Saving current routes..." >> /tmp/log.txt
        iptables-save > /tmp/$(date +'%y%m%d')_IPTables
        /etc/ipsec.route.sh ${VTI_INTERFACE}
        echo "VPN script executed" >> /tmp/log.txt
        ;;
    down-client)
        ip tunnel del "${VTI_INTERFACE}"
        echo "Restoring routing tables..." >> /tmp/log.txt
        iptables-restore -c /tmp/$(date +'%y%m%d')_IPTables
        rm /var/log/charon.log
        echo "VPN script executed" >> /tmp/log.txt
        ;;
esac
["ipsec.conf" (application/octet-stream)]
["ipsec.route.sh" (application/x-sh)]
#! /bin/bash
# Called by ipsec.vti.sh with the VTI interface name as the only argument.
# Marks traffic of $VPN_USER with fwmark 0x1 and policy-routes it over the VTI.
VTI_INTERFACE=$1
ETH_INTERFACE=`route | grep '^default' | grep -o '[^ ]*$'`

# Print the first IPv4 address configured on the given interface
function getIPAddress() {
    ip -4 -o address show dev $1 | awk '{split($4, a, "/"); print a[1]}'
}

#########
VPN_USER="vpn"
ETH_ADDR=$(getIPAddress ${ETH_INTERFACE})
echo "Setting iptables on ${ETH_ADDR}..." >> /tmp/log.txt

# Flush iptables rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter

# Mark packets from $VPN_USER (each rule is one command; the original
# attachment had them joined by line wrapping)
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $ETH_ADDR -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $ETH_ADDR -p udp --dport 53 -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $ETH_ADDR -p tcp --dport 53 -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $ETH_ADDR -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

# Allow responses from $VTI_INTERFACE
iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Block everything else incoming on $VTI_INTERFACE to prevent port exposure
iptables -A INPUT -i $VTI_INTERFACE -j REJECT
# Allow $VPN_USER to access lo and the VPN interface
iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
# Masquerade packets leaving on $VTI_INTERFACE
iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE
# Reject connections from the VPN-side IP going over $ETH_INTERFACE
iptables -A OUTPUT ! --src $ETH_ADDR -o $ETH_INTERFACE -j REJECT

#########
TABLE_ID="vpn"
VTI_ADDR=$(getIPAddress ${VTI_INTERFACE})
echo "Setting rules for table ${TABLE_ID}..." >> /tmp/log.txt
# Match the exact fwmark rule (a bare "grep -c 0x1" would also match 0x10, 0x1f, ...)
if [[ `ip rule list | grep -c 'fwmark 0x1 '` == 0 ]]; then
    ip rule add from all fwmark 0x1 lookup $TABLE_ID
fi
ip route replace default via $VTI_ADDR dev $VTI_INTERFACE table $TABLE_ID
["charon.log.zip" (application/zip)]
["iptables.txt" (text/plain)]
Filter table:
Chain INPUT (policy ACCEPT 598 packets, 48232 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  4075 ACCEPT     all  --  tun0   any     anywhere             anywhere             ctstate ESTABLISHED
    0     0 REJECT     all  --  tun0   any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 471 packets, 87850 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere             owner UID match vpn
    0     0 ACCEPT     all  --  any    tun0    anywhere             anywhere             owner UID match vpn
    0     0 REJECT     all  --  any    enp0s5  !10.211.55.26        anywhere             reject-with icmp-port-unreachable

Nat table:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 26 packets, 1683 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 12 packets, 857 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   826 MASQUERADE all  --  any    tun0    anywhere             anywhere

Mangle table:
Chain PREROUTING (policy ACCEPT 623 packets, 52455 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 623 packets, 52455 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 472 packets, 87921 bytes)
 pkts bytes target     prot opt in     out     source               destination
  472 87921 CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK restore
  104 11412 MARK       all  --  any    any     anywhere             !10.211.55.26        owner UID match vpn MARK set 0x1
    0     0 MARK       udp  --  any    any     anywhere             10.211.55.26         udp dpt:domain owner UID match vpn MARK set 0x1
    0     0 MARK       tcp  --  any    any     anywhere             10.211.55.26         tcp dpt:domain owner UID match vpn MARK set 0x1
    0     0 MARK       all  --  any    any     !10.211.55.26        anywhere             owner UID match vpn MARK set 0x1
  472 87921 CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK save

Chain POSTROUTING (policy ACCEPT 528 packets, 91397 bytes)
 pkts bytes target     prot opt in     out     source               destination
["xfrm_state.txt" (text/plain)]
src 10.211.55.26 dst 109.201.137.51
    proto esp spi 0xcb891ab0 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    mark 0x2/0xffffffff
    auth-trunc hmac(sha512) 0xb614f7da07f790de4f11e185574d3a36bdaa7c6e6ddb9e9bb04db47b1bc6c482b5878a63336eecc5379f8a66110364bd8aaea79dcb9650aad79be2613bb9a10b 256
    enc cbc(aes) 0x94df611762df1f4306ab2589507de29c10b8b869285786c2cfc8cacc0fd6fa9e
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x38, bitmap 0x00000000
src 109.201.137.51 dst 10.211.55.26
    proto esp spi 0xc23a523c reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha512) 0x288d8a1a5deb50ed1a633f3ffab307dcb8adc349554f298cfbd78b1171e16c4ac4d3085e1291de8890db09fb3cd78b2c7cd0277e2d527a207785ee9fd5925ee5 256
    enc cbc(aes) 0x5cf2ceb5b051d7f1510bf70de6ac4d7f53a6b33b15d33df633e7c396f8bc0a12
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x18, oseq 0x0, bitmap 0x00ffffff
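The two things the poster is eyeballing by hand, whether both SAs of the pair carry an xfrm mark and whether the fwmark 0x1 rule is really installed, can be checked mechanically. The script below is an added example, not part of the original post or of strongSwan; the xfrm and rule samples are constructed from the values in the attachments (keys omitted), and `xfrm_sa_marks`, `xfrm_all_marked` and `rule_has_fwmark` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: flag a one-way xfrm mark and check the fwmark rule precisely.
# Feed "ip xfrm state" / "ip rule list" output on stdin; samples are constructed.

# Print one line per SA: "<src> <dst> <mark-or-none>"
xfrm_sa_marks() {
    awk '
        /^src / { if (src != "") print src, dst, (mark == "" ? "none" : mark);
                  src = $2; dst = $4; mark = "" }
        /^[ \t]*mark / { mark = $2 }
        END { if (src != "") print src, dst, (mark == "" ? "none" : mark) }
    '
}

# Return 0 only if every SA carries a mark; list the unmarked ones on stderr.
# In the attached xfrm_state.txt only the outbound SA is marked, so this fails.
xfrm_all_marked() {
    unmarked=$(xfrm_sa_marks | awk '$3 == "none"')
    [ -z "$unmarked" ] && return 0
    printf 'SA without mark: %s\n' "$unmarked" >&2
    return 1
}

# Match exactly "fwmark <value>" in "ip rule list" output. The route script's
# "grep -c 0x1" would also count 0x10, 0x1f, ... and silently skip "ip rule add".
rule_has_fwmark() {
    grep -Eq "fwmark $1( |/|\$)"
}

# Constructed sample: the SA pair from xfrm_state.txt, without key material
SAMPLE_XFRM='src 10.211.55.26 dst 109.201.137.51
    proto esp spi 0xcb891ab0 reqid 1 mode tunnel
    mark 0x2/0xffffffff
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 109.201.137.51 dst 10.211.55.26
    proto esp spi 0xc23a523c reqid 1 mode tunnel
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0'

# Constructed sample: a rule set with a 0x10 mark but no 0x1 rule
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x10 lookup main
32766:  from all lookup main'

printf '%s\n' "$SAMPLE_XFRM" | xfrm_sa_marks
printf '%s\n' "$SAMPLE_XFRM" | xfrm_all_marked || echo "mark present in one direction only"
printf '%s\n' "$SAMPLE_RULES" | rule_has_fwmark 0x1 || echo "no fwmark 0x1 rule installed"
```

On a live host, replace the samples with `ip xfrm state | xfrm_sa_marks` and `ip rule list | rule_has_fwmark 0x1`.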