Re: [strongSwan] Memory leak when routing internet traffic via VPN

2019-11-12 Thread Alexander Hill
Wow, thanks for the quick response Martin. It sounds a heck of a lot like what I'm seeing. I'll try reverting to a 4.9 kernel. Cheers, Alex On Tue, Nov 12, 2019 at 3:45 PM Martin Willi wrote: > Hi, > > > If I have "leftsubnet=172.30.0.0/16,0.0.0.0/0", the server leaks > > memory - available

[strongSwan] Memory leak when routing internet traffic via VPN

2019-11-11 Thread Alexander Hill
Hi list, Trying to troubleshoot a weird memory leak on my VPN server. I have a roadwarrior setup described here - https://lists.strongswan.org/pipermail/users/2019-October/013878.html I have nat and mangle iptables rules set up as per the strongswan wiki to forward internet-bound traffic via

Re: [strongSwan] No traffic between Strongswan 5.6.2 server and 5.7.2 roadwarrior, works in other client versions

2019-10-08 Thread Alexander Hill
Any ideas? Thanks, Alex On Tue, Oct 1, 2019 at 12:30 PM Alexander Hill wrote: > Hi, > > I have a roadwarrior setup with a server running 5.6.2 on Ubuntu Bionic. > Clients are a mix of 5.6.2 (Bionic), 5.3.5 (Xenial) and 5.5.1 (Stretch) and > all work fine. > > I'm testing an

[strongSwan] No traffic between Strongswan 5.6.2 server and 5.7.2 roadwarrior, works in other client versions

2019-09-30 Thread Alexander Hill
Hi, I have a roadwarrior setup with a server running 5.6.2 on Ubuntu Bionic. Clients are a mix of 5.6.2 (Bionic), 5.3.5 (Xenial) and 5.5.1 (Stretch) and all work fine. I'm testing an updated client image on an Asus Tinkerboard S with Armbian Buster which ships with 5.7.2. On this client, I can

Re: [strongSwan] Tunnel over [slow] GPRS link

2017-05-01 Thread Alexander Hill
at 13:40 Rene Maurer <renem...@gmail.com> wrote: > Hello Alex > > Alexander Hill <a...@hill.net.au> wrote: > > > It sounds like an issue with that provider's network configuration > > rather than with the bandwidth or latency. > > This is my opinion as we

Re: [strongSwan] Tunnel over [slow] GPRS link

2017-05-01 Thread Alexander Hill
Hi René, It sounds like an issue with that provider's network configuration rather than with the bandwidth or latency. Try lowering MTU/MSS with either the charon.plugins.kernel-netlink.mss/mtu settings or via iptables.

[strongSwan] No traffic with compress=yes

2017-02-09 Thread Alexander Hill
Hi all, Running Strongswan 5.3.5 on Ubuntu 16.04 on clients and server. My connections with compress=yes don't appear to pass any traffic. What I'm seeing seems similar to the issue described in this post from 2013: https://lists.strongswan.org/pipermail/users/2013-May/004689.html I get

Re: [strongSwan] What enqueues IKE_MOBIKE tasks?

2017-02-06 Thread Alexander Hill
Makes sense, thank you! On Mon, 6 Feb 2017 at 16:58 Tobias Brunner wrote: > Hi Alexander, > > > My understanding was that the IKE_MOBIKE task was triggered by changes > > to routes/interfaces. > > > > I'm intermittently seeing the IKE_MOBIKE task be queued at 30 second > >

[strongSwan] What enqueues IKE_MOBIKE tasks?

2017-02-05 Thread Alexander Hill
Hello, My understanding was that the IKE_MOBIKE task was triggered by changes to routes/interfaces. I'm intermittently seeing the IKE_MOBIKE task be queued at 30 second intervals, with no interface changes. There is nothing in the syslog or kernel log in between most of these events. Is this

[strongSwan] Strongswan connects, but times out immediately and passes no traffic

2017-01-23 Thread Alexander Hill
I was just troubleshooting a remote device (roadwarrior-style config) that had stopped talking to our server. Rebooting the device fixed the problem, but I'd like to get to the bottom of it since these devices are hard to get to physically. The device was in a strange state where it would

[strongSwan] Same credentials, different IDs

2016-11-21 Thread Alexander Hill
Hi list, I have many effectively identical roadwarrior clients being assigned dynamic virtual IPs. What I'd like is to have clients use the same certificate/key, but identify themselves differently (e.g. by their hostname). Essentially I just want each client to be able to give itself an

Re: [strongSwan] auto=route with virtual IPs

2016-11-01 Thread Alexander Hill
. Thanks, Alex On Fri, 28 Oct 2016 at 09:12 Alexander Hill <a...@hill.net.au> wrote: > Sure, will do. I started that process yesterday but my account is still > awaiting approval :) > > Alex > > On Fri, 28 Oct 2016 at 09:09 Noel Kuntze <n...@familie-kuntze.de>

Re: [strongSwan] ipsec routes removed when interface down and not reinstated

2016-10-31 Thread Alexander Hill
Hi Tobias, Sounds promising - would assigning the virtual IP to the loopback interface "just work" with no extra configuration? Are there any downsides to doing this? Thanks, Alex On Mon., 31 Oct. 2016 at 9:56 pm, Tobias Brunner wrote: > Hi Alex, > > > But when there's

Re: [strongSwan] ipsec routes removed when interface down and not reinstated

2016-10-31 Thread Alexander Hill
Hi Tobias, thanks for taking the time. I do see the relevant log messages in the case of switching interfaces, and when there's another path for the tunnel to take, everything works including MOBIKE. But when there's no immediate path, e.g. if the only network adapter has a cable unplugged or if

Re: [strongSwan] ipsec routes removed when interface down and not reinstated

2016-10-31 Thread Alexander Hill
on the correct interface. The case where no new route is immediately available is a corner case, but I don't think one that doesn't deserve to be handled in the same way. What do you think? Cheers, Alex On Fri, 28 Oct 2016 at 23:33 Alexander Hill <a...@hill.net.au> wrote: Ok, thanks. That makes

Re: [strongSwan] ipsec routes removed when interface down and not reinstated

2016-10-28 Thread Alexander Hill
Ok, thanks. That makes sense. Triggering a reconnect on if-up should do the trick then. Cheers, Alex On Fri., 28 Oct. 2016 at 11:09 pm, Noel Kuntze <n...@familie-kuntze.de> wrote: > On 28.10.2016 07:07, Alexander Hill wrote: > > What's the thing that removes the route when th

[strongSwan] ipsec routes removed when interface down and not reinstated

2016-10-27 Thread Alexander Hill
Hi all, Trying to get my IPsec tunnels to come back up as reliably as possible. Say I'm connected to ipsec and my table 220 looks like this: 172.16.0.0/16 via 192.168.1.254 dev eth0 proto static src 172.16.0.2 All is working. I then unplug my network cable, wait a few seconds, and plug it

Re: [strongSwan] auto=route with virtual IPs

2016-10-27 Thread Alexander Hill
wrote: On 27.10.2016 18:29, Alexander Hill wrote: > I get a route with src explicitly set to my interface's real IP, which has the same effect. What version of strongSwan are you using? -- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7

Re: [strongSwan] auto=route with virtual IPs

2016-10-27 Thread Alexander Hill
Hi Noel, Thanks for the suggestion, I tried that. If I remove the leftsubnet directive from the client config, I get a route with src explicitly set to my interface's real IP, which has the same effect. I also tried setting it to the virtual IP pool, and the current virtual IP under lease, to no

[strongSwan] auto=route with virtual IPs

2016-10-27 Thread Alexander Hill
Hello, I'm having what seems to be a similar problem as that described in ticket #85 (https://wiki.strongswan.org/issues/85) except that my connections are up, I'm just not routing correctly. My goal is to have many roadwarrior clients getting virtual dynamic IP addresses, which I want to remain