Re: [strongSwan] VPN Suddenly Stopped Forwarding Internet

2021-08-09 Thread Jody Whitesides
Can someone explain how I can get the following info?

"Can you also provide IPv6 over the tunnel?"

I’m a noob, and while I’ve had this VPN running for a few years without issue, I’m 
not super well versed in how to troubleshoot it when something like this 
happens. Apparently the packets are also allowed through and they're NATed, but 
there's no response.

Thank you for any help,

Jody

Re: [strongSwan] VPN Suddenly Stopped Forwarding Internet

2021-08-09 Thread Jody Whitesides
I’m still attempting to figure out why the VPN has stopped forwarding the 
internet to the connection. I previously posted the config and was asked to post a 
tcpdump of the VPN connection.

I’ve tried deleting and reinstalling strongswan, but that did not work. Hopefully 
someone can provide feedback about why this might have stopped allowing 
connections to the internet.

I’m still getting the same issue: I can connect to the VPN, but the server is 
not passing the internet to the connection. Here’s the output you asked for 
from the tcpdump while connected to the VPN and trying to get something from the 
internet:


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type RAW (Raw IP), capture size 262144 bytes
13:50:59.406376 IP 10.10.10.1.57966 > 172.98.193.62.53: 8427+ Type65? gateway.icloud.com. (36)
13:50:59.406796 IP 10.10.10.1.62159 > 172.98.193.62.53: 42920+ A? gateway.icloud.com. (36)
13:51:02.951937 IP 10.10.10.1.58732 > 172.98.193.62.53: 12561+ Type65? metrics.icloud.com. (36)
13:51:02.952192 IP 10.10.10.1.57434 > 172.98.193.62.53: 51958+ A? metrics.icloud.com. (36)
13:51:03.478390 IP 10.10.10.1.57966 > 172.98.193.62.53: 8427+ Type65? gateway.icloud.com. (36)
13:51:03.478622 IP 10.10.10.1.62159 > 172.98.193.62.53: 42920+ A? gateway.icloud.com. (36)
13:51:03.980445 IP 10.10.10.1.58732 > 172.98.193.62.53: 12561+ Type65? metrics.icloud.com. (36)
13:51:03.985177 IP 10.10.10.1.57434 > 172.98.193.62.53: 51958+ A? metrics.icloud.com. (36)
13:51:04.140439 IP 10.10.10.1.63123 > 172.98.193.62.53: 14913+ Type65? p66-keyvalueservice.icloud.com. (48)
13:51:05.181463 IP 10.10.10.1.63123 > 172.98.193.62.53: 14913+ Type65? p66-keyvalueservice.icloud.com. (48)
13:51:06.112572 IP 10.10.10.1.65155 > 45.76.254.23.53: 12561+ Type65? metrics.icloud.com. (36)
13:51:06.112840 IP 10.10.10.1.60252 > 45.76.254.23.53: 51958+ A? metrics.icloud.com. (36)
13:51:06.249622 IP 10.10.10.1.60106 > 45.76.254.23.53: 56782+ A? 32-courier.push.apple.com. (43)
13:51:07.095478 IP 10.10.10.1.65155 > 45.76.254.23.53: 12561+ Type65? metrics.icloud.com. (36)
13:51:07.095763 IP 10.10.10.1.60252 > 45.76.254.23.53: 51958+ A? metrics.icloud.com. (36)
13:51:07.215685 IP 10.10.10.1.60163 > 45.76.254.23.53: 14913+ Type65? p66-keyvalueservice.icloud.com. (48)
13:51:07.286721 IP 10.10.10.1.60106 > 45.76.254.23.53: 56782+ A? 32-courier.push.apple.com. (43)
13:51:07.882797 IP 10.10.10.1.53423 > 45.76.254.23.53: 40780+ A? p66-keyvalueservice.icloud.com. (48)
13:51:07.887783 IP 10.10.10.1.52091 > 45.76.254.23.53: 49937+ A? www.apple.com. (31)
13:51:07.887906 IP 10.10.10.1.62202 > 45.76.254.23.53: 37900+ A? www.icloud.com. (32)
13:51:07.888008 IP 10.10.10.1.56098 > 45.76.254.23.53: 31840+ A? apple.com. (27)
13:51:08.245855 IP 10.10.10.1.60163 > 45.76.254.23.53: 14913+ Type65? p66-keyvalueservice.icloud.com. (48)
13:51:09.126279 IP 10.10.10.1.58732 > 172.98.193.62.53: 12561+ Type65? metrics.icloud.com. (36)
13:51:09.130885 IP 10.10.10.1.57434 > 172.98.193.62.53: 51958+ A? metrics.icloud.com. (36)
13:51:09.317000 IP 10.10.10.1.62451 > 172.98.193.62.53: 56782+ A? 32-courier.push.apple.com. (43)
13:51:10.321293 IP 10.10.10.1.63123 > 172.98.193.62.53: 14913+ Type65? p66-keyvalueservice.icloud.com. (48)
13:51:10.321522 IP 10.10.10.1.62451 > 172.98.193.62.53: 56782+ A? 32-courier.push.apple.com. (43)
13:51:11.363481 IP 10.10.10.1.60950 > 45.76.254.23.53: 30887+ Type65? 37-courier.push.apple.com. (43)
13:51:11.363734 IP 10.10.10.1.55821 > 45.76.254.23.53: 8969+ A? 37-courier.push.apple.com. (43)
13:51:12.429460 IP 10.10.10.1.60106 > 45.76.254.23.53: 56782+ A? 32-courier.push.apple.com. (43)
13:51:13.316759 IP 10.10.10.1.58732 > 172.98.193.62.53: 12561+ Type65? metrics.icloud.com. (36)
13:51:13.316998 IP 10.10.10.1.57434 > 172.98.193.62.53: 51958+ A? metrics.icloud.com. (36)
13:51:14.429114 IP 10.10.10.1.63123 > 172.98.193.62.53: 14913+ Type65? p66-keyvalueservice.icloud.com
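
What the capture above shows is one-directional: every line is a query from the client 10.10.10.1 towards one of the two resolvers, with transaction IDs repeating as the client retries, and not a single reply coming back through ipsec0. The Python below is an added example (not code from the thread) that pairs tcpdump DNS lines by client port and transaction ID and reports which queries were never answered; the sample lines are constructed in the same format, with one reply (to a documentation address, 192.0.2.10) that the real capture never contained so that both outcomes are exercised.

```python
import re

# Constructed sample (not the thread's capture): three queries in the same
# tcpdump format as the capture above plus one reply, which the real capture
# never showed, so both outcomes are exercised.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
13:50:59.406376 IP 10.10.10.1.57966 > 172.98.193.62.53: 8427+ Type65? gateway.icloud.com. (36)
13:50:59.406796 IP 10.10.10.1.62159 > 172.98.193.62.53: 42920+ A? gateway.icloud.com. (36)
13:51:03.478390 IP 10.10.10.1.57966 > 172.98.193.62.53: 8427+ Type65? gateway.icloud.com. (36)
13:51:03.478622 IP 172.98.193.62.53 > 10.10.10.1.62159: 42920 1/0/0 A 192.0.2.10 (52)
"""

# One tcpdump DNS line: timestamp, src.port > dst.port: txid[flags] rest
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<txid>\d+)[+*$|-]* (?P<rest>.*)$")
QNAME_RE = re.compile(r"\? (\S+)")

def pair_dns(capture):
    """Group DNS packets by (client addr:port, resolver, txid) -> counts and qname."""
    flows = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # banner lines, non-DNS traffic
        if m["dport"] == "53":            # client -> resolver: a query
            key = (f'{m["src"]}:{m["sport"]}', m["dst"], m["txid"])
            slot = "queries"
        elif m["sport"] == "53":          # resolver -> client: a reply
            key = (f'{m["dst"]}:{m["dport"]}', m["src"], m["txid"])
            slot = "replies"
        else:
            continue
        entry = flows.setdefault(key, {"name": None, "queries": 0, "replies": 0})
        entry[slot] += 1
        q = QNAME_RE.search(m["rest"])    # "A? name." / "Type65? name." on queries
        if q and entry["name"] is None:
            entry["name"] = q.group(1)
    return flows

def unanswered(capture):
    """Flows that were (re)sent but never answered: (client, resolver, txid, name, sends)."""
    return [(k[0], k[1], k[2], v["name"], v["queries"])
            for k, v in pair_dns(capture).items() if v["replies"] == 0]

def resolver_summary(capture):
    """Per resolver: (queries sent, replies seen). Zero replies everywhere means
    the return path into the tunnel is broken, not the IKE negotiation."""
    out = {}
    for (_, resolver, _), v in pair_dns(capture).items():
        q, r = out.get(resolver, (0, 0))
        out[resolver] = (q + v["queries"], r + v["replies"])
    return out
```

Run over the complete capture in the message above, resolver_summary() reports replies of zero for both 172.98.193.62 and 45.76.254.23, which is the "NATed but no response" symptom: the next thing to check is the gateway's forwarding and NAT, not the IKE exchange.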

Re: [strongSwan] VPN Suddenly Stopped Forwarding Internet

2021-08-09 Thread brian.g.colby
Hi Jody,

I’m not sure what OS you’re running, but I know for me (CentOS 7) the issue was 
that IPv4 forwarding was turned off. If this is the same for you, you can 
temporarily turn it on using “echo 1 > /proc/sys/net/ipv4/ip_forward” or 
permanently by editing /etc/sysctl.conf and adding the line 
“net.ipv4.ip_forward = 1” (this requires a reboot). Hopefully this helps if 
it’s the same issue…

R/s,

Brian

From: Users  On Behalf Of Jody Whitesides
Sent: Monday, August 9, 2021 1:08 PM
To: users@lists.strongswan.org
Subject: Re: [strongSwan] VPN Suddenly Stopped Forwarding Internet
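
Brian's ip_forward setting is one of three conditions that have to hold on a gateway like this one before the 10.10.10.1/24 pool can reach the internet: net.ipv4.ip_forward must be 1, the FORWARD chain must accept the pool's traffic (the leftfirewall=yes updown script normally adds that rule), and POSTROUTING must source-NAT the private pool out of the uplink. The Python below is an added example (not from the thread or from strongSwan) that checks all three against the sysctl value and an iptables-save dump, which is exactly the output Noel asked for; the sample dump and the eth0 interface name are constructed assumptions.

```python
import ipaddress

# Constructed iptables-save dump (not from the thread): the road-warrior pool
# is forwarded and masqueraded out of eth0 (interface name assumed).
SAMPLE_IPTABLES_SAVE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.10.10.0/24 -m policy --dir in --pol ipsec -j ACCEPT
COMMIT
"""

def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": ["-A ..."]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                       # table header, e.g. *nat
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:  # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A") and cur is not None:
            cur["rules"].append(line)
    return tables

def rule_touches_pool(rule, chain, pool, targets):
    """True if an '-A chain ... -j target' rule can match traffic from pool.
    Only '-s' is inspected; '! -s', '-d' and other matches are ignored."""
    parts = rule.split()
    target = parts[parts.index("-j") + 1] if "-j" in parts else None
    if parts[:2] != ["-A", chain] or target not in targets:
        return False
    if "-s" not in parts:
        return True                                    # no source match: applies to everything
    src = ipaddress.ip_network(parts[parts.index("-s") + 1], strict=False)
    return src.version == pool.version and (pool.subnet_of(src) or src.subnet_of(pool))

def diagnose(ip_forward, iptables_save_text, pool="10.10.10.1/24"):
    """The three conditions a NATed road-warrior pool needs, each as a bool."""
    pool = ipaddress.ip_network(pool, strict=False)    # 10.10.10.1/24 -> 10.10.10.0/24
    tables = parse_iptables_save(iptables_save_text)
    empty = {"policy": {}, "rules": []}
    filt, nat = tables.get("filter", empty), tables.get("nat", empty)
    return {
        "ip_forward": ip_forward.strip() == "1",
        "forward_rule": filt["policy"].get("FORWARD") == "ACCEPT" or any(
            rule_touches_pool(r, "FORWARD", pool, {"ACCEPT"}) for r in filt["rules"]),
        "source_nat": any(rule_touches_pool(r, "POSTROUTING", pool, {"MASQUERADE", "SNAT"})
                          for r in nat["rules"]),
    }
```

On the gateway itself, feed it the live values as root: diagnose(open("/proc/sys/net/ipv4/ip_forward").read(), subprocess.check_output(["iptables-save"], text=True)); sysctl -w net.ipv4.ip_forward=1, or sysctl -p after editing sysctl.conf, applies the setting immediately.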

Re: [strongSwan] VPN Suddenly Stopped Forwarding Internet

2021-08-03 Thread Noel Kuntze

Hello Jody,

Please provide the output of `iptables-save`, and the output of `ipsec 
statusall` once you tried to access the internet, but while the client is still 
connected.

Kind regards
Noel

On 02.08.21 at 20:26, Jody Whitesides wrote:


[strongSwan] VPN Suddenly Stopped Forwarding Internet

2021-08-02 Thread Jody Whitesides
Having trouble trying to understand why the VPN would suddenly stop allowing 
traffic to the internet (despite no changes to the server, and it was working fine 
for months). Devices can connect to the VPN and logs show they connect. 
However, they no longer get traffic to the internet or to the server itself. 
Unfortunately I don’t understand the logs enough to know the direct reason, but 
I’ve included some connection logs after the config. Any help that can lead to 
a fix would be appreciated.

Here’s the config:

config setup
        charondebug     ="dmn 1,mgr 1,ike 1,chd 1,job 1,cfg 1,knl 1,net 1,tls 1,lib 1,enc 1,tnc 1"
        uniqueids       =no

conn %default
#       ike             =aes256-sha1-modp1024,3des-sha1-modp1024!
#       esp             =aes256-sha1,3des-sha1!
        fragmentation   =yes
        auto            =add
        dpdaction       =clear
        dpddelay        =40
        dpdtimeout      =130
        ikelifetime     =1h
        lifetime        =1h
        margintime      =9m
        rekeyfuzz       =100%
#       rekey           =yes
        aggressive      =no
        forceencaps     =yes
        left            =%any
        leftid          =(serverIP)
        leftcert        =(link to cert)
        leftsendcert    =always
        leftsubnet      =0.0.0.0/0,::/0
        right           =%any
        rightid         =%any
#       rightauth       =eap-mschapv2
        rightdns        =45.76.254.23,172.98.193.62,2001:19f0:5401:2a4a:5400:03ff:fe2b:271f
        rightsourceip   =10.10.10.1/24
        rightsubnet     =%dynamic

#conn mac
#       keyexchange     =ikev1
#       authby          =xauthpsk
#       xauth           =server
#       reauth          =yes

conn ios
        ike             =aes256-sha1-modp1024,3des-sha1-modp1024!
        esp             =aes256-sha1,3des-sha1!
        keyexchange     =ikev1
        mobike          =yes
        reauth          =yes
        rekey           =yes
        leftallowany    =yes
        lefthostaccess  =yes
        leftfirewall    =yes
        leftauth        =pubkey
        rightallowany   =yes
        rightauth       =pubkey
        rightauth2      =xauth
        rightfirewall   =yes
        rightcert       =(link to cert)

conn ikev2-vpn
        ike             =chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes128-sha1-modp1024,aes256-sha1-modp1024,3d>
        esp             =chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
        keyexchange     =ikev2
        type            =tunnel
        compress        =no
        rekey           =no
        rightauth       =eap-mschapv2
        rightsendcert   =never
        eap_identity    =%identity

Here’s the Log:
Aug  2 12:13:34 jodywhitesides charon-custom: 06[NET] received packet: from [IP of Device][500] to [IP of Server][500] (848 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 06[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received NAT-T (RFC 3947) vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received XAuth vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received Cisco Unity vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received FRAGMENTATION vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received DPD vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] [IP of Device] is initiating a Main Mode IKE_SA
Aug  2 12:13:34 jodywhitesides charon-custom: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug  2 12:13:34 jodywhitesides charon-custom: 06[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug  2 12:13:34 jodywhitesides charon-custom: 06[NET] sending packet: from [IP of Server][500] to [IP of Device][500] (160 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 04[NET] received packet: from [IP of Device][500] to [IP of Server][500] (228 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: