Hello,

Last week I opened a ticket with an error message that turned out to be incorrect. Hence I tried to replicate it on a fresh test server.
I have created a new test VPN server, which I can connect to from London. But some Middle Eastern countries aren't able to connect to it. The server is with Digital Ocean (Frankfurt). The test user can open the test nginx site on the same server, which proves the IP address is not blocked by his ISP / country. So the mystery remains why he can't connect to the VPN but I can from London. Please see all logs attached below:

*Syslog*

May 1 19:17:32 test systemd[1]: Starting Cleanup of Temporary Directories...
May 1 19:17:32 test systemd[1]: Started Cleanup of Temporary Directories.
May 1 19:25:43 test charon: 16[NET] received packet: from 46.62.xxx.xxx[500] to 157.230.xx.xxx[500] (604 bytes)
May 1 19:25:43 test charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 1 19:25:43 test charon: 16[IKE] 46.62.xxx.xxx is initiating an IKE_SA
May 1 19:25:43 test charon: 16[IKE] remote host is behind NAT
May 1 19:25:43 test charon: 16[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
May 1 19:25:43 test charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
May 1 19:25:43 test charon: 16[NET] sending packet: from 157.230.xx.xxx[500] to 46.62.xxx.xxx[500] (473 bytes)
May 1 19:26:13 test charon: 06[JOB] deleting half open IKE_SA with 46.62.xxx.xxx after timeout
May 1 19:26:30 test charon: 10[NET] received packet: from 46.62.xxx.xxx[500] to 157.230.xx.xxx[500] (604 bytes)
May 1 19:26:30 test charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 1 19:26:30 test charon: 10[IKE] 46.62.xxx.xxx is initiating an IKE_SA
May 1 19:26:30 test charon: 10[IKE] remote host is behind NAT
May 1 19:26:30 test charon: 10[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
May 1 19:26:30 test charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
May 1 19:26:30 test charon: 10[NET] sending packet: from 157.230.xx.xxx[500] to 46.62.xxx.xxx[500] (473 bytes)
May 1 19:27:00 test charon: 13[JOB] deleting half open IKE_SA with 46.62.xxx.xxx after timeout

*radius.log*

Wed May 1 19:02:17 2019 : Info: Signalled to terminate
Wed May 1 19:02:17 2019 : Info: Exiting normally
Wed May 1 19:02:33 2019 : Info: Debugger not attached
Wed May 1 19:02:33 2019 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Wed May 1 19:02:33 2019 : Info: rlm_sql_mysql: libmysql version: 5.7.26
Wed May 1 19:02:33 2019 : Info: rlm_sql (sql): Attempting to connect to database "radius_db"
Wed May 1 19:02:33 2019 : Info: rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
Wed May 1 19:02:33 2019 : Info: rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
Wed May 1 19:02:34 2019 : Info: rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
Wed May 1 19:02:34 2019 : Info: rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
Wed May 1 19:02:34 2019 : Info: rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
Wed May 1 19:02:34 2019 : Info: Need 5 more connections to reach 10 spares
Wed May 1 19:02:34 2019 : Info: rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
Wed May 1 19:02:34 2019 : Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
Wed May 1 19:02:34 2019 : Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Wed May 1 19:02:34 2019 : Info: Loaded virtual server <default>
Wed May 1 19:02:34 2019 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
Wed May 1 19:02:34 2019 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:331
Wed May 1 19:02:34 2019 : Info: Loaded virtual server inner-tunnel
Wed May 1 19:02:34 2019 : Info: Loaded virtual server default
Wed May 1 19:02:34 2019 : Info: Ready to process requests
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 121 seconds
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 121 seconds
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 121 seconds
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 121 seconds
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 121 seconds
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 121 seconds
Wed May 1 19:04:35 2019 : Info: rlm_sql (sql): Opening additional connection (6), 1 of 32 pending slots used
Wed May 1 19:04:36 2019 : Info: Need 2 more connections to reach min connections (3)
Wed May 1 19:04:36 2019 : Info: rlm_sql (sql): Opening additional connection (7), 1 of 31 pending slots used
Wed May 1 19:06:15 2019 : Info: rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 99 seconds
Wed May 1 19:06:15 2019 : Info: rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 99 seconds
Wed May 1 19:06:15 2019 : Info: rlm_sql (sql): Opening additional connection (8), 1 of 32 pending slots used
Wed May 1 19:06:15 2019 : Info: Need 2 more connections to reach min connections (3)
Wed May 1 19:06:15 2019 : Info: rlm_sql (sql): Opening additional connection (9), 1 of 31 pending slots used
Wed May 1 19:06:16 2019 : Info: Need 1 more connections to reach min connections (3)
Wed May 1 19:06:16 2019 : Info: rlm_sql (sql): Opening additional connection (10), 1 of 30 pending slots used
Wed May 1 19:09:07 2019 : Info: rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 171 seconds
Wed May 1 19:09:07 2019 : Info: rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for 171 seconds
Wed May 1 19:09:07 2019 : Info: rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for 171 seconds
Wed May 1 19:09:07 2019 : Info: rlm_sql (sql): Opening additional connection (11), 1 of 32 pending slots used
Wed May 1 19:09:08 2019 : Info: Need 2 more connections to reach min connections (3)
Wed May 1 19:09:08 2019 : Info: rlm_sql (sql): Opening additional connection (12), 1 of 31 pending slots used
Wed May 1 19:09:13 2019 : Info: Need 1 more connections to reach min connections (3)
Wed May 1 19:09:13 2019 : Info: rlm_sql (sql): Opening additional connection (13), 1 of 30 pending slots used

*ipsec.conf*

config setup
    strictcrlpolicy=yes
    uniqueids=never

conn test
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,aes256-sha256-ecp521-ecp256-modp4096-modp2048!
    esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    dpdtimeout=3600s
    rekey=no
    left=%any
    leftid=[email protected]
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24,fdd2:54c4:4c90:1::300/120
    leftfirewall=no

*ipsec statusall*

Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-48-generic, x86_64):
  uptime: 26 minutes, since May 01 21:23:34 2019
  malloc: sbrk 2322432, mmap 532480, used 1236336, free 1086096
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/0
  fdd2:54c4:4c90:1::300/120: 254/0/0
Listening IP addresses:
  157.230.xx.xxx
  10.19.0.6
  10.135.41.65
Connections:
        test:  %any...%any  IKEv2, dpddelay=180s
        test:   local:  [test.mydomain.net] uses public key authentication
        test:    cert:  "CN=test.mydomain.net"
        test:   remote: uses EAP_RADIUS authentication with EAP identity '%any'
        test:   child:  0.0.0.0/0 ::/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none

*iptables-save*

# Generated by iptables-save v1.6.1 on Wed May 1 21:52:38 2019
*filter
:INPUT DROP [184:11341]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3182:1535989]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.10.10.0/24 -d 10.10.10.0/24 -j DROP
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Wed May 1 21:52:38 2019
# Generated by iptables-save v1.6.1 on Wed May 1 21:52:38 2019
*nat
:PREROUTING ACCEPT [185:11405]
:INPUT ACCEPT [2:104]
:OUTPUT ACCEPT [222:17702]
:POSTROUTING ACCEPT [222:17702]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed May 1 21:52:38 2019
# Generated by iptables-save v1.6.1 on Wed May 1 21:52:38 2019
*mangle
:PREROUTING ACCEPT [4197:426510]
:INPUT ACCEPT [4197:426510]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3191:1536933]
:POSTROUTING ACCEPT [3191:1536933]
-A FORWARD -s 10.10.10.0/24 -o eth0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Wed May 1 21:52:38 2019

*ip6tables-save*

# Generated by ip6tables-save v1.6.1 on Wed May 1 21:54:06 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [29:1816]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s fdd2:54c4:4c90:1::300/120 -d fdd2:54c4:4c90:1::300/120 -j DROP
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Wed May 1 21:54:06 2019
# Generated by ip6tables-save v1.6.1 on Wed May 1 21:54:06 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s fdd2:54c4:4c90:1::300/120 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s fdd2:54c4:4c90:1::300/120 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed May 1 21:54:06 2019

*ip route show table all*

default via 157.230.16.1 dev eth0 proto static
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.6
10.135.0.0/16 dev eth1 proto kernel scope link src 10.135.41.65
157.230.16.0/20 dev eth0 proto kernel scope link src 157.230.xx.xxx
broadcast 10.19.0.0 dev eth0 table local proto kernel scope link src 10.19.0.6
local 10.19.0.6 dev eth0 table local proto kernel scope host src 10.19.0.6
broadcast 10.19.255.255 dev eth0 table local proto kernel scope link src 10.19.0.6
broadcast 10.135.0.0 dev eth1 table local proto kernel scope link src 10.135.41.65
local 10.135.41.65 dev eth1 table local proto kernel scope host src 10.135.41.65
broadcast 10.135.255.255 dev eth1 table local proto kernel scope link src 10.135.41.65
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 157.230.16.0 dev eth0 table local proto kernel scope link src 157.230.xx.xxx
local 157.230.xx.xxx dev eth0 table local proto kernel scope host src 157.230.xx.xxx
broadcast 157.230.31.255 dev eth0 table local proto kernel scope link src 157.230.xx.xxx
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
local fe80::780e:63ff:fe78:bab7 dev eth1 table local proto kernel metric 0 pref medium
local fe80::bc8d:3eff:fe0f:9d42 dev eth0 table local proto kernel metric 0 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium

*ip address*

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether be:8d:3e:0f:9d:42 brd ff:ff:ff:ff:ff:ff
    inet 157.230.xx.xxx/20 brd 157.230.31.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.19.0.6/16 brd 10.19.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::bc8d:3eff:fe0f:9d42/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 7a:0e:63:78:ba:b7 brd ff:ff:ff:ff:ff:ff
    inet 10.135.41.65/16 brd 10.135.255.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::780e:63ff:fe78:bab7/64 scope link
       valid_lft forever preferred_lft forever

Please let me know if you need to see anything else.

Many Thanks,
Houman
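A small triage script for charon syslog of the kind pasted above, added here as an example and not part of Houman's post: it correlates, per peer, the "is initiating an IKE_SA" line, the IKE_SA_INIT response the server sends, any IKE_AUTH request that arrives and the "deleting half open IKE_SA" timeout, so a peer that is answered but never sends IKE_AUTH (the pattern for 46.62.xxx.xxx, where RADIUS is never even consulted) is separated from one that fails later at EAP. The sample log is constructed to mirror the post's lines, with a second, healthy peer 203.0.113.7 added for contrast.

```python
"""Triage charon (strongSwan) syslog for peers stuck at IKE_SA_INIT. Added example; the sample log is constructed."""
import re
from collections import defaultdict
SAMPLE_LOG = """\
May 1 19:25:43 test charon: 16[NET] received packet: from 46.62.xxx.xxx[500] to 157.230.xx.xxx[500] (604 bytes)
May 1 19:25:43 test charon: 16[IKE] 46.62.xxx.xxx is initiating an IKE_SA
May 1 19:25:43 test charon: 16[NET] sending packet: from 157.230.xx.xxx[500] to 46.62.xxx.xxx[500] (473 bytes)
May 1 19:26:13 test charon: 06[JOB] deleting half open IKE_SA with 46.62.xxx.xxx after timeout
May 1 19:26:30 test charon: 10[IKE] 46.62.xxx.xxx is initiating an IKE_SA
May 1 19:26:30 test charon: 10[NET] sending packet: from 157.230.xx.xxx[500] to 46.62.xxx.xxx[500] (473 bytes)
May 1 19:27:00 test charon: 13[JOB] deleting half open IKE_SA with 46.62.xxx.xxx after timeout
May 1 19:30:02 test charon: 08[IKE] 203.0.113.7 is initiating an IKE_SA
May 1 19:30:02 test charon: 08[NET] sending packet: from 157.230.xx.xxx[500] to 203.0.113.7[500] (473 bytes)
May 1 19:30:03 test charon: 08[NET] received packet: from 203.0.113.7[4500] to 157.230.xx.xxx[4500] (1236 bytes)
May 1 19:30:03 test charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi IDr SA TSi TSr ]
"""

RE_THREAD = re.compile(r"charon: (\d+)\[")
RE_INIT = re.compile(r"\[IKE\] (\S+) is initiating an IKE_SA")
RE_SENT = re.compile(r"sending packet: from \S+\[\d+\] to (\S+)\[(\d+)\]")
RE_RECV = re.compile(r"received packet: from (\S+)\[(\d+)\]")
RE_AUTH = re.compile(r"parsed IKE_AUTH request")
RE_HALF = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")

def triage(log_text):
    """Return {peer: stats}: handshake-stage counters plus a verdict string."""
    stats = defaultdict(lambda: {"init": 0, "resp_sent": 0, "ike_auth": 0,
                                 "half_open": 0, "ports": set(), "verdict": "incomplete data"})
    last_recv = {}  # charon worker thread id -> peer whose packet it is handling
    for line in log_text.splitlines():
        thread = RE_THREAD.search(line)
        if m := RE_INIT.search(line):
            stats[m[1]]["init"] += 1
        elif m := RE_SENT.search(line):
            stats[m[1]]["resp_sent"] += 1
        elif m := RE_RECV.search(line):
            stats[m[1]]["ports"].add(int(m[2]))  # 500 vs 4500 shows NAT-T switch
            if thread:
                last_recv[thread[1]] = m[1]
        elif RE_AUTH.search(line) and thread and thread[1] in last_recv:
            stats[last_recv[thread[1]]]["ike_auth"] += 1
        elif m := RE_HALF.search(line):
            stats[m[1]]["half_open"] += 1
    for s in stats.values():
        if s["ike_auth"]:
            s["verdict"] = "reached IKE_AUTH: path OK, check EAP/RADIUS next"
        elif s["resp_sent"] and s["half_open"]:
            # Answered IKE_SA_INIT, nothing came back: response or IKE_AUTH lost on path
            s["verdict"] = "stuck after IKE_SA_INIT: UDP 500/4500 path problem"
    return dict(stats)
```

Run `triage(open("/var/log/syslog").read())` on the real file to get the same per-peer verdicts for every client that tried to connect.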
