Hi,

To illustrate my issue, and in addition to the configuration described previously:
- I enabled more trace in the ipsec.conf [charondebug="ike 2, knl 3, cfg 0"].
  [Log can be downloaded using the following link: www.printemps.cc/Temp/syslog.txt]
- I tried to launch a set of commands [See "cmds.txt" in attachment].

Executed commands:
- After starting ipsec, I establish the VPN connection. As you can see in "cmds.txt", the connection is established correctly.
- I execute the following command to see if the traffic for the user is going through the VPN:
    $ sudo -u vpn -i -- curl ipinfo.io
  Result is the expected one.
- A little bit later [after 17:14:34 in the syslog.02, less than 2 mins after the previous cmd], I execute the same command. Result fails with the following status:
    curl: (6) Could not resolve host: ipinfo.io
- I decide to wait, and after 2 additional minutes I try to execute the same command again. The command is not failing, but I can see that the IP address allocated by the VPN has changed.

To summarise:
- The VPN connection is established correctly and the routes defined through the scripts are working: traffic for the "vpn" user is going through the VPN.
- After a few minutes (less than 2) without any activity through the VPN, the connection is no longer working. I have to wait additional minutes to get a working connection.
- A few minutes later, the connection is killed again...

- Why is the VPN connection killed after less than 2 minutes?
- Does the issue come from the VPN server or from my configuration?
- Why does it take so long to re-establish a new working connection?
- How to keep the connection longer?

If someone can check the log and see where the issue is coming from, I would really appreciate it because, currently, I'm lost...

Thanks for your help,
Gilles

On Tue, May 29, 2018 at 10:51 AM, Gilles Printemps <gprinte...@gmail.com> wrote:
> Hi,
> After several days, I finally have a configuration which forces all the
> traffic from a specific user to be routed from a VPN via a vti interface.
>
> After creating the vti interface and establishing the different routes, I
> can successfully check if the traffic is currently routed using the
> following commands:
>
> sudo -u vpn -i -- curl ipinfo.io
> ping -I vti0 www.google.com
>
> Unfortunately, after a period of time, it no longer works and I can
> see several error packets on the vti interface. Several minutes later,
> the connection is established again with the VPN but with a new
> connection (IP has changed).
>
> It seems this issue occurs after "sending keep alive" from IKE.
> Is something missing or wrong in my ipsec.conf?
>
> Thanks for your help,
> Gilles
>
> /etc/ipsec.conf
>> config setup
>>     charondebug="ike 2, knl 3, cfg 0"
>>
>> conn %default
>>     ### Key Exchange
>>     keyexchange=ikev2
>>     ike=aes256-sha256-ecp384                  # Algorithms used for the connection [phase1/ISAKMP SA]
>>     esp=aes256-sha256-ecp384,aes256-sha256    # Algorithms offered/accepted for a phase2 negotiation
>>
>> conn VPN
>>     dpdaction=restart
>>     leftupdown=/etc/ipsec.script.sh
>>     left=%defaultroute
>>     leftsourceip=%config4
>>     leftauth=eap-mschapv2
>>     eap_identity=gprintemps
>>     right=free-nl.hide.me
>>     rightauth=pubkey
>>     rightid=%any
>>     rightsubnet=0.0.0.0/0
>>     auto=start
>>     mark=2                                    # Becomes PLUTO_MARK_IN/OUT, used as ikey/okey of the VTI
>
> /etc/ipsec.script.sh
>> #!/bin/bash
>> # updown script: charon calls it with PLUTO_VERB and the PLUTO_* variables
>> set -o nounset
>> set -o errexit
>>
>> VPN_USER="vpn"
>> VTI_INTERFACE="vti0"
>>
>> case "${PLUTO_VERB}" in
>> up-client)
>>     # Create the VTI; ikey/okey must match the "mark" of the conn so that
>>     # packets sent through vti0 hit the IPsec policy of this CHILD_SA
>>     ip tunnel add "${VTI_INTERFACE}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>>         okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>>     ip link set "${VTI_INTERFACE}" up
>>     # Packets leaving the VTI are already matched against the IPsec policies
>>     sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
>>     sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2"
>>     # Assign the virtual IP handed out by the server (leftsourceip=%config4)
>>     ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_INTERFACE}"
>>     # Send packets marked 0x1 (set by iptables for $VPN_USER) to the "vpn" table;
>>     # the table name must exist in /etc/iproute2/rt_tables
>>     if [[ $(ip rule list | grep -c 0x1) == 0 ]]; then
>>         ip rule add from all fwmark 0x1 lookup "${VPN_USER}"
>>     fi
>>     # Launch routing script
>>     /etc/ipsec.route.sh
>>     ;;
>> down-client)
>>     ip tunnel del "${VTI_INTERFACE}"
>>     ;;
>> esac
>
> /etc/ipsec.route.sh
>> #!/bin/bash
>> export TABLE_ID="vpn"
>> export VPN_USER="vpn"
>> export VTI_INTERFACE="vti0"
>> export LOCAL_IP="10.211.55.3"
>>
>> # Flush iptables rules
>> iptables -F -t nat
>> iptables -F -t mangle
>> iptables -F -t filter
>>
>> # Mark packets from $VPN_USER; CONNMARK keeps the mark for the whole connection
>> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
>> iptables -t mangle -A OUTPUT ! -d "$LOCAL_IP" -m owner --uid-owner "$VPN_USER" -j MARK --set-mark 0x1
>> iptables -t mangle -A OUTPUT ! -s "$LOCAL_IP" -j MARK --set-mark 0x1
>> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
>>
>> # Deny $VPN_USER access to interfaces other than lo
>> # iptables -A OUTPUT ! -o lo -m owner --uid-owner "$VPN_USER" -j DROP
>> # Allow $VPN_USER to access lo and the VPN interface
>> iptables -A OUTPUT -o lo -m owner --uid-owner "$VPN_USER" -j ACCEPT
>> iptables -A OUTPUT -o "$VTI_INTERFACE" -m owner --uid-owner "$VPN_USER" -j ACCEPT
>>
>> # Allow responses from $VTI_INTERFACE
>> iptables -A INPUT -i "$VTI_INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
>> # Masquerade packets on $VTI_INTERFACE
>> iptables -t nat -A POSTROUTING -o "$VTI_INTERFACE" -j MASQUERADE
>>
>> # Routing rules: the address configured on the VTI (the virtual IP) becomes the
>> # gateway of the "vpn" table; the second default route via lo is appended so
>> # that marked traffic is not sent out unprotected when the VTI route disappears
>> GATEWAY=$(ifconfig "$VTI_INTERFACE" |
>>     egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
>>     egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' |
>>     tail -n1)
>> ip route replace default via "$GATEWAY" table "$TABLE_ID"
>> ip route append default via 127.0.0.1 dev lo table "$TABLE_ID"
>> ip route flush cache
>
cmds.txt (attachment):

$ sudo ipsec start
Starting strongSwan 5.6.0 IPsec [starter]...
$ sudo ipsec up VPN
initiating IKE_SA VPN[1] to 46.166.179.54
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.0.30[500] to 46.166.179.54[500] (870 bytes)
received packet: from 46.166.179.54[500] to 192.168.0.30[500] (349 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
received cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
received 1 cert requests for an unknown ca
[... one "sending cert request for ..." line per CA certificate in the local trust store, omitted here ...]
no IDi configured, fall back on IP address
establishing CHILD_SA VPN{2}
generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
splitting IKE message with length of 3296 bytes into 3 fragments
generating IKE_AUTH request 1 [ EF(1/3) ]
generating IKE_AUTH request 1 [ EF(2/3) ]
generating IKE_AUTH request 1 [ EF(3/3) ]
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (1236 bytes)
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (1236 bytes)
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (964 bytes)
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(1/10) ]
received fragment #1 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(2/10) ]
received fragment #2 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(3/10) ]
received fragment #3 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(4/10) ]
received fragment #4 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(5/10) ]
received fragment #5 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(6/10) ]
received fragment #6 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(7/10) ]
received fragment #7 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(8/10) ]
received fragment #8 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (532 bytes)
parsed IKE_AUTH response 1 [ EF(9/10) ]
received fragment #9 of 10, waiting for complete IKE message
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (436 bytes)
parsed IKE_AUTH response 1 [ EF(10/10) ]
received fragment #10 of 10, reassembling fragmented IKE message
parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
received end entity cert "C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me"
received issuer cert "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
using certificate "C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me"
using untrusted intermediate certificate "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
checking certificate status of "C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me"
requesting ocsp status from 'http://ocsp.digicert.com' ...
unable to fetch from http://ocsp.digicert.com, no capable fetcher found
ocsp request to http://ocsp.digicert.com failed
ocsp check failed, fallback to crl
fetching crl from 'http://crl3.digicert.com/ssca-sha2-g5.crl' ...
unable to fetch from http://crl3.digicert.com/ssca-sha2-g5.crl, no capable fetcher found
crl fetching failed
fetching crl from 'http://crl4.digicert.com/ssca-sha2-g5.crl' ...
unable to fetch from http://crl4.digicert.com/ssca-sha2-g5.crl, no capable fetcher found
crl fetching failed
certificate status is not available
using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
checking certificate status of "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
requesting ocsp status from 'http://ocsp.digicert.com' ...
unable to fetch from http://ocsp.digicert.com, no capable fetcher found
ocsp request to http://ocsp.digicert.com failed
ocsp check failed, fallback to crl
fetching crl from 'http://crl3.digicert.com/DigiCertGlobalRootCA.crl' ...
unable to fetch from http://crl3.digicert.com/DigiCertGlobalRootCA.crl, no capable fetcher found
crl fetching failed
fetching crl from 'http://crl4.digicert.com/DigiCertGlobalRootCA.crl' ...
unable to fetch from http://crl4.digicert.com/DigiCertGlobalRootCA.crl, no capable fetcher found
crl fetching failed
certificate status is not available
reached self-signed root ca with a path length of 1
authentication of 'C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me' with RSA_EMSA_PKCS1_SHA2_512 successful
server requested EAP_IDENTITY (id 0x00), sending 'gprintemps'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (96 bytes)
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (112 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0x01)
generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (144 bytes)
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (128 bytes)
parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
EAP-MS-CHAPv2 succeeded: '(null)'
generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (80 bytes)
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (80 bytes)
parsed IKE_AUTH response 4 [ EAP/SUCC ]
EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of '192.168.0.30' (myself) with EAP
generating IKE_AUTH request 5 [ AUTH ]
sending packet: from 192.168.0.30[4500] to 46.166.179.54[4500] (112 bytes)
received packet: from 46.166.179.54[4500] to 192.168.0.30[4500] (288 bytes)
parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of 'C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me' with EAP successful
IKE_SA VPN[1] established between 192.168.0.30[192.168.0.30]...46.166.179.54[C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture Limited, CN=*.hide.me]
scheduling reauthentication in 10172s
maximum IKE_SA lifetime 10712s
installing DNS server 46.166.179.52 via resolvconf
installing DNS server 46.166.179.53 via resolvconf
installing new virtual IP 10.3.145.71
CHILD_SA VPN{2} established with SPIs c38e7c45_i ce5bcac5_o and TS 10.3.145.71/32 === 0.0.0.0/0
updown: net.ipv4.conf.vti0.disable_policy = 1
updown: net.ipv4.conf.vti0.rp_filter = 2
connection 'VPN' established successfully
$ sudo -u vpn -i -- curl ipinfo.io
{
  "ip": "46.166.179.55",
  "hostname": "",
  "city": "Amsterdam",
  "region": "Noord-Holland",
  "country": "NL",
  "loc": "52.3666,4.9027",
  "postal": "1066",
  "org": "AS43350 NForce Entertainment B.V."
}
$ sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io
$ sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io
$ sudo -u vpn -i -- curl ipinfo.io
{
  "ip": "95.211.101.196",
  "city": "",
  "region": "",
  "country": "NL",
  "loc": "52.3824,4.8995",
  "org": "AS60781 LeaseWeb Netherlands B.V."
}
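As an added example that is not part of the original thread, the POSIX shell/awk helper below reads a charon syslog extract (like the linked syslog.txt) and prints the IKE_SA/CHILD_SA lifecycle, so that "how long did the tunnel live before charon tore it down, and did the virtual IP change on reconnect" can be read straight from the log instead of from repeated curl calls. The embedded sample log is constructed for the example: its host name, SPIs and timestamps are illustrative, and the DPD/retransmit/delete lines are standard charon messages, not lines taken from the poster's log.

```shell
#!/bin/sh
# Added example, not part of the original thread: summarise the IKE_SA /
# CHILD_SA lifecycle from a charon syslog extract so the time between
# "established" and the first sign of trouble (DPD, retransmits, delete)
# is visible, and report whether the virtual IP changed across reconnects
# (the symptom described in the post). The log lines below are
# constructed for this example; host name, SPIs and timestamps are made up.

SAMPLE_LOG=$(cat <<'EOF'
May 29 17:12:40 vpnbox charon: 05[IKE] <VPN|1> IKE_SA VPN[1] established between 192.168.0.30[192.168.0.30]...46.166.179.54[CN=*.hide.me]
May 29 17:12:40 vpnbox charon: 05[IKE] <VPN|1> scheduling reauthentication in 10172s
May 29 17:12:40 vpnbox charon: 05[IKE] <VPN|1> installing new virtual IP 10.3.145.71
May 29 17:12:40 vpnbox charon: 05[IKE] <VPN|1> CHILD_SA VPN{2} established with SPIs c38e7c45_i ce5bcac5_o and TS 10.3.145.71/32 === 0.0.0.0/0
May 29 17:13:00 vpnbox charon: 09[IKE] <VPN|1> sending keep alive to 46.166.179.54[4500]
May 29 17:14:34 vpnbox charon: 11[IKE] <VPN|1> sending DPD request
May 29 17:14:38 vpnbox charon: 11[IKE] <VPN|1> retransmit 1 of request with message ID 6
May 29 17:14:45 vpnbox charon: 12[IKE] <VPN|1> retransmit 2 of request with message ID 6
May 29 17:14:58 vpnbox charon: 12[IKE] <VPN|1> retransmit 3 of request with message ID 6
May 29 17:15:21 vpnbox charon: 13[IKE] <VPN|1> retransmit 4 of request with message ID 6
May 29 17:16:03 vpnbox charon: 13[IKE] <VPN|1> retransmit 5 of request with message ID 6
May 29 17:17:19 vpnbox charon: 14[IKE] <VPN|1> giving up after 5 retransmits
May 29 17:17:19 vpnbox charon: 14[IKE] <VPN|1> deleting IKE_SA VPN[1] between 192.168.0.30[192.168.0.30]...46.166.179.54[CN=*.hide.me]
May 29 17:17:50 vpnbox charon: 15[IKE] <VPN|3> IKE_SA VPN[3] established between 192.168.0.30[192.168.0.30]...46.166.179.54[CN=*.hide.me]
May 29 17:17:50 vpnbox charon: 15[IKE] <VPN|3> installing new virtual IP 10.3.145.80
May 29 17:17:50 vpnbox charon: 15[IKE] <VPN|3> CHILD_SA VPN{4} established with SPIs 0a1b2c3d_i 4e5f6a7b_o and TS 10.3.145.80/32 === 0.0.0.0/0
EOF
)

# Print one "HH:MM:SS EVENT detail" line per lifecycle event read from stdin.
# Expects the syslog layout "Mon DD HH:MM:SS host charon: NN[GRP] <conn|id> msg";
# the <conn|id> tag is optional because not every charon line carries it.
sa_events() {
    awk '
        { t = $3; msg = $0; sub(/^.*charon: [0-9]+\[[A-Z]+\] (<[^>]*> )?/, "", msg) }
        msg ~ /^IKE_SA [^ ]+ established between/     { split(msg, f, " "); print t, "IKE_SA_UP", f[2]; next }
        msg ~ /^scheduling reauthentication in/       { n = split(msg, f, " "); print t, "REAUTH_IN", f[n]; next }
        msg ~ /^installing new virtual IP/            { n = split(msg, f, " "); print t, "VIRTUAL_IP", f[n]; next }
        msg ~ /^CHILD_SA [^ ]+ established with SPIs/ { split(msg, f, " "); print t, "CHILD_SA_UP", f[2], f[6], f[7]; next }
        msg ~ /^sending keep alive/                   { print t, "NAT_KEEPALIVE"; next }
        msg ~ /^sending DPD request/                  { print t, "DPD_REQUEST"; next }
        msg ~ /^retransmit [0-9]+ of request/         { split(msg, f, " "); print t, "RETRANSMIT", f[2]; next }
        msg ~ /^giving up after/                      { print t, "GIVING_UP"; next }
        msg ~ /^deleting IKE_SA/                      { split(msg, f, " "); print t, "IKE_SA_DOWN", f[3]; next }
    '
}

# Seconds from the first IKE_SA_UP to the first GIVING_UP / IKE_SA_DOWN event,
# i.e. how long the tunnel actually lived before charon tore it down.
uptime_before_teardown() {
    sa_events | awk '
        function secs(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
        $2 == "IKE_SA_UP" && up == "" { up = secs($1) }
        ($2 == "GIVING_UP" || $2 == "IKE_SA_DOWN") && up != "" { print secs($1) - up; exit }
    '
}

# Distinct virtual IPs in order of assignment; more than one line means the
# client came back with a different address after a reconnect.
virtual_ips() {
    sa_events | awk '$2 == "VIRTUAL_IP" && !seen[$3]++ { print $3 }'
}

# Exit status 0 when the virtual IP changed somewhere in the log.
vip_changed() {
    [ "$(virtual_ips | wc -l | tr -d ' ')" -gt 1 ]
}

# Run the summary over the constructed sample; a real extract works the same
# way, e.g. `grep charon /var/log/syslog | sa_events`.
printf '%s\n' "$SAMPLE_LOG" | sa_events
printf 'seconds from IKE_SA up to teardown: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | uptime_before_teardown)"
if printf '%s\n' "$SAMPLE_LOG" | vip_changed; then
    printf 'virtual IP changed: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | virtual_ips | tr '\n' ' ')"
fi
```

On a live system, compare the gap reported by uptime_before_teardown with the DPD and retransmit settings in effect; a tunnel that dies a fixed interval after the last DPD request, while the REAUTH_IN value is still hours away, points at the DPD exchange rather than at reauthentication.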