
No internet connection on iPhone after successful connection to VPN server Scaleway #1130

Closed
amarCosmospace opened this issue Sep 27, 2018 · 64 comments

Comments


amarCosmospace commented Sep 27, 2018

The install finished without any error. I've added the mobileconfig profile to my MacBook and iPhone. They are installed correctly, and I use 8.8.8.8 as the DNS resolver. But I can't get access to the web, not even Google or anything else.

I've tried the same configuration with DigitalOcean and it works perfectly. I'm using Scaleway because they don't limit the bandwidth.

install on scaleway

Full log

(env) ➜  algo-master ./algo

PLAY [Ask user for the input] ****************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************
ok: [localhost]
[pause]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon EC2
    3. Vultr
    4. Microsoft Azure
    5. Google Compute Engine
    6. Scaleway
    7. OpenStack (DreamCompute optimised)
    8. Install to existing Ubuntu 18.04 server (Advanced)
  
Enter the number of your desired provider
:
6 

TASK [pause] *********************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] **********************************************************************************
ok: [localhost]
[pause]
Name the vpn server
[algo]
:


TASK [pause] *********************************************************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]
:
y

TASK [pause] *********************************************************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]
:
y

TASK [pause] *********************************************************************************************************
ok: [localhost]
[pause]
List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:


TASK [pause] *********************************************************************************************************
ok: [localhost]
[pause]
Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]
:
n

TASK [pause] *********************************************************************************************************
ok: [localhost]
[pause]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:
n

TASK [pause] *********************************************************************************************************
ok: [localhost]
[pause]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:
n

TASK [pause] *********************************************************************************************************
ok: [localhost]
[pause]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:
n

TASK [pause] *********************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] **********************************************************************************
ok: [localhost]

PLAY [Provision the server] ******************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Mac OS X 10.14
ZIP file created: Sep 27 01:18:12 2018
Python 2.7.14
Runtime variables:
    algo_provider "scaleway"
    algo_ondemand_cellular "True"
    algo_ondemand_wifi "True"
    algo_ondemand_wifi_exclude "_null"
    algo_local_dns "False"
    algo_ssh_tunneling "False"
    algo_windows "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] ****************************************************************************
changed: [localhost -> localhost]

TASK [Generate the SSH private key] **********************************************************************************
ok: [localhost]

TASK [Generate the SSH public key] ***********************************************************************************
ok: [localhost]
[cloud-scaleway : pause]
Enter your auth token (https://www.scaleway.com/docs/generate-an-api-token/)
 (output is hidden):

TASK [cloud-scaleway : pause] ****************************************************************************************
ok: [localhost]
[cloud-scaleway : pause]
Enter your organization name (https://cloud.scaleway.com/#/billing)
:
lamkadem

TASK [cloud-scaleway : pause] ****************************************************************************************
ok: [localhost]
[cloud-scaleway : pause]
What region should the server be located in?
    1. par1
    2. ams1
  
Enter the number of your desired region
[par1]
:


TASK [cloud-scaleway : pause] ****************************************************************************************
ok: [localhost]

TASK [cloud-scaleway : Set scaleway facts] ***************************************************************************
ok: [localhost]

TASK [cloud-scaleway : Check if server exists] ***********************************************************************
ok: [localhost]

TASK [cloud-scaleway : Get the organization id] **********************************************************************
ok: [localhost]
ok: [localhost] => (item=None)

TASK [cloud-scaleway : Set organization id as a fact] ****************************************************************

TASK [cloud-scaleway : Get total count of images] ********************************************************************
ok: [localhost]
ok: [localhost] => (item=1)
ok: [localhost] => (item=2)
ok: [localhost] => (item=3)
ok: [localhost] => (item=4)
ok: [localhost] => (item=5)
ok: [localhost] => (item=6)
ok: [localhost] => (item=7)
ok: [localhost] => (item=8)
ok: [localhost] => (item=9)
ok: [localhost] => (item=10)

TASK [cloud-scaleway : Get images] ***********************************************************************************

TASK [cloud-scaleway : Set image id as a fact] ***********************************************************************
included: /Users/travail/algo-master/roles/cloud-scaleway/tasks/image_facts.yml for localhost
included: /Users/travail/algo-master/roles/cloud-scaleway/tasks/image_facts.yml for localhost
included: /Users/travail/algo-master/roles/cloud-scaleway/tasks/image_facts.yml for localhost
included: /Users/travail/algo-master/roles/cloud-scaleway/tasks/image_facts.yml for localhost
included: /Users/travail/algo-master/roles/cloud-scaleway/tasks/image_facts.yml for localhost
included: /Users/travail/algo-master/roles/cloud-scaleway/tasks/image_facts.yml for localhost
included: /Users/travail/algo-master/roles/cloud-scaleway/tasks/image_facts.yml for localhost
included: /Users/travail/algo-master/roles/cloud-scaleway/tasks/image_facts.yml for localhost
included: /Users/travail/algo-master/roles/cloud-scaleway/tasks/image_facts.yml for localhost
included: /Users/travail/algo-master/roles/cloud-scaleway/tasks/image_facts.yml for localhost
ok: [localhost] => (item=None)
ok: [localhost] => (item=None)
ok: [localhost] => (item=None)
ok: [localhost] => (item=None)
ok: [localhost] => (item=None)
ok: [localhost] => (item=None)
ok: [localhost] => (item=None)
ok: [localhost] => (item=None)
ok: [localhost] => (item=None)
ok: [localhost] => (item=None)
ok: [localhost] => (item=None)
ok: [localhost] => (item=None)

TASK [cloud-scaleway : Create a server] ******************************************************************************
ok: [localhost]

TASK [cloud-scaleway : Set server id as a fact] **********************************************************************
ok: [localhost]

TASK [cloud-scaleway : Power on the server] **************************************************************************
ok: [localhost]
FAILED - RETRYING: Wait for the server to become running (20 retries left).

TASK [cloud-scaleway : Wait for the server to become running] ********************************************************
ok: [localhost]

TASK [cloud-scaleway : set_fact] *************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as afact] ***********************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] **************************************************************************
changed: [localhost]

TASK [Additional variables for the server] ***************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *******************************************************************************
ok: [localhost]

TASK [debug] *********************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "51.xx.xx.xx"
}
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)

TASK [A short pause, in order to be sure the instance is ready] ******************************************************
ok: [localhost]

PLAY [Configure the server and install required software] ************************************************************

TASK [common : Check the system] *************************************************************************************
changed: [51.xx.xx.xx]

TASK [common : include_tasks] ****************************************************************************************
included: /Users/travail/algo-master/roles/common/tasks/ubuntu.yml for 51.xx.xx.xx
changed: [51.xx.xx.xx] => (item=[u'python2.7', u'sudo'])

TASK [common : Ubuntu | Install prerequisites] ***********************************************************************

TASK [common : Ubuntu | Configure defaults] **************************************************************************
changed: [51.xx.xx.xx]

TASK [common : Gather facts] *****************************************************************************************
ok: [51.xx.xx.xx]

TASK [common : Install software updates] *****************************************************************************
changed: [51.xx.xx.xx]

TASK [common : Check if reboot is required] **************************************************************************
changed: [51.xx.xx.xx]

TASK [common : Reboot] ***********************************************************************************************
changed: [51.xx.xx.xx]

TASK [common : Wait until SSH becomes ready...] **********************************************************************
ok: [51.xx.xx.xx -> localhost]

TASK [common : Install unattended-upgrades] **************************************************************************
ok: [51.xx.xx.xx]

TASK [common : Configure unattended-upgrades] ************************************************************************
changed: [51.xx.xx.xx]

TASK [common : Periodic upgrades configured] *************************************************************************
changed: [51.xx.xx.xx]

TASK [common : Unattended reboots configured] ************************************************************************
changed: [51.xx.xx.xx]
changed: [51.xx.xx.xx] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [51.xx.xx.xx] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Disable MOTD on login and SSHD] ***********************************************************************

TASK [common : Loopback for services configured] *********************************************************************
changed: [51.xx.xx.xx]
changed: [51.xx.xx.xx] => (item=systemd-networkd)
ok: [51.xx.xx.xx] => (item=systemd-resolved)

TASK [common : systemd services enabled and started] *****************************************************************

RUNNING HANDLER [common : restart systemd-networkd] ******************************************************************
changed: [51.xx.xx.xx]

TASK [common : Check apparmor support] *******************************************************************************
changed: [51.xx.xx.xx]

TASK [common : set_fact] *********************************************************************************************
ok: [51.xx.xx.xx]

TASK [common : set_fact] *********************************************************************************************
ok: [51.xx.xx.xx]
ok: [51.xx.xx.xx] => (item=git)
ok: [51.xx.xx.xx] => (item=screen)
changed: [51.xx.xx.xx] => (item=apparmor-utils)
ok: [51.xx.xx.xx] => (item=uuid-runtime)
ok: [51.xx.xx.xx] => (item=coreutils)
changed: [51.xx.xx.xx] => (item=iptables-persistent)
changed: [51.xx.xx.xx] => (item=cgroup-tools)
ok: [51.xx.xx.xx] => (item=openssl)

TASK [common : Install tools] ****************************************************************************************
changed: [51.xx.xx.xx] => (item=[u'linux-headers-generic', u'linux-headers-4.15.0-20-generic'])

TASK [common : Install headers] **************************************************************************************

TASK [common : Generate password for the CA key] *********************************************************************
changed: [51.xx.xx.xx -> localhost]

TASK [common : Generate p12 export password] *************************************************************************
changed: [51.xx.xx.xx -> localhost]

TASK [common : Define facts] *****************************************************************************************
ok: [51.xx.xx.xx]

TASK [common : set_fact] *********************************************************************************************
ok: [51.xx.xx.xx]

TASK [common : Set IPv6 support as a fact] ***************************************************************************
ok: [51.xx.xx.xx]
changed: [51.xx.xx.xx] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [51.xx.xx.xx] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [51.xx.xx.xx] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [common : Sysctl tuning] ****************************************************************************************

TASK [dns_encryption : Include tasks for Ubuntu] *********************************************************************
included: /Users/travail/algo-master/roles/dns_encryption/tasks/ubuntu.yml for 51.xx.xx.xx

TASK [dns_encryption : Add the repository] ***************************************************************************
changed: [51.xx.xx.xx]

TASK [dns_encryption : Install dnscrypt-proxy] ***********************************************************************
changed: [51.xx.xx.xx]

TASK [dns_encryption : Configure unattended-upgrades] ****************************************************************
changed: [51.xx.xx.xx]

TASK [dns_encryption : Ubuntu | Unbound profile for apparmor configured] *********************************************
changed: [51.xx.xx.xx]

TASK [dns_encryption : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] ******************************************
ok: [51.xx.xx.xx]

TASK [dns_encryption : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ******************************
changed: [51.xx.xx.xx]

TASK [dns_encryption : Ubuntu | Add capabilities to bind ports] ******************************************************
changed: [51.xx.xx.xx]

TASK [dns_encryption : dnscrypt-proxy ip-blacklist configured] *******************************************************
changed: [51.xx.xx.xx]

TASK [dns_encryption : dnscrypt-proxy configured] ********************************************************************
changed: [51.xx.xx.xx]

TASK [dns_encryption : dnscrypt-proxy enabled and started] ***********************************************************
ok: [51.xx.xx.xx]

RUNNING HANDLER [dns_encryption : restart dnscrypt-proxy] ************************************************************
changed: [51.xx.xx.xx]
changed: [51.xx.xx.xx -> localhost] => (item=private)
changed: [51.xx.xx.xx -> localhost] => (item=public)

TASK [wireguard : Ensure the required directories exist] *************************************************************

TASK [wireguard : Include tasks for Ubuntu] **************************************************************************
included: /Users/travail/algo-master/roles/wireguard/tasks/ubuntu.yml for 51.xx.xx.xx

TASK [wireguard : WireGuard repository configured] *******************************************************************
changed: [51.xx.xx.xx]

TASK [wireguard : WireGuard installed] *******************************************************************************
changed: [51.xx.xx.xx]

TASK [wireguard : WireGuard reload-module-on-update] *****************************************************************
changed: [51.xx.xx.xx]

TASK [wireguard : Configure unattended-upgrades] *********************************************************************
changed: [51.xx.xx.xx]

TASK [wireguard : set_fact] ******************************************************************************************
ok: [51.xx.xx.xx]
changed: [51.xx.xx.xx] => (item=user1)
changed: [51.xx.xx.xx] => (item=user2)
changed: [51.xx.xx.xx] => (item=rand)
changed: [51.xx.xx.xx] => (item=51.xx.xx.xx)

TASK [wireguard : Generate private keys] *****************************************************************************
changed: [51.xx.xx.xx] => (item=None)
changed: [51.xx.xx.xx] => (item=None)
changed: [51.xx.xx.xx] => (item=None)
changed: [51.xx.xx.xx] => (item=None)

TASK [wireguard : Save private keys] *********************************************************************************
changed: [51.xx.xx.xx] => (item=user1)
changed: [51.xx.xx.xx] => (item=user2)
changed: [51.xx.xx.xx] => (item=rand)
changed: [51.xx.xx.xx] => (item=51.xx.xx.xx)

TASK [wireguard : Touch the lock file] *******************************************************************************
ok: [51.xx.xx.xx] => (item=user1)
ok: [51.xx.xx.xx] => (item=user2)
ok: [51.xx.xx.xx] => (item=rand)
ok: [51.xx.xx.xx] => (item=51.xx.xx.xx)

TASK [wireguard : Generate public keys] ******************************************************************************
changed: [51.xx.xx.xx] => (item=None)
changed: [51.xx.xx.xx] => (item=None)
changed: [51.xx.xx.xx] => (item=None)
changed: [51.xx.xx.xx] => (item=None)

TASK [wireguard : Save public keys] **********************************************************************************

TASK [wireguard : WireGuard configured] ******************************************************************************
changed: [51.xx.xx.xx]
changed: [51.xx.xx.xx -> localhost] => (item=(0, u'user1'))
changed: [51.xx.xx.xx -> localhost] => (item=(1, u'user2'))
changed: [51.xx.xx.xx -> localhost] => (item=(2, u'rand'))

TASK [wireguard : WireGuard users config generated] ******************************************************************

TASK [wireguard : WireGuard enabled and started] *********************************************************************
changed: [51.xx.xx.xx]

RUNNING HANDLER [wireguard : restart wireguard] **********************************************************************
changed: [51.xx.xx.xx]

TASK [vpn : Ensure that the strongswan group exist] ******************************************************************
changed: [51.xx.xx.xx]

TASK [vpn : Ensure that the strongswan user exist] *******************************************************************
changed: [51.xx.xx.xx]

TASK [vpn : include_tasks] *******************************************************************************************
included: /Users/travail/algo-master/roles/vpn/tasks/ubuntu.yml for 51.xx.xx.xx

TASK [vpn : set_fact] ************************************************************************************************
ok: [51.xx.xx.xx]

TASK [vpn : Ubuntu | Install strongSwan] *****************************************************************************
changed: [51.xx.xx.xx]
changed: [51.xx.xx.xx] => (item=/usr/lib/ipsec/charon)
changed: [51.xx.xx.xx] => (item=/usr/lib/ipsec/lookip)
changed: [51.xx.xx.xx] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] ******************************************************************
ok: [51.xx.xx.xx] => (item=apparmor)
ok: [51.xx.xx.xx] => (item=strongswan)
ok: [51.xx.xx.xx] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Enable services] ********************************************************************************

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] *********************************************
changed: [51.xx.xx.xx]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] **********************************************
changed: [51.xx.xx.xx]

TASK [vpn : include_tasks] *******************************************************************************************
included: /Users/travail/algo-master/roles/vpn/tasks/iptables.yml for 51.xx.xx.xx
changed: [51.xx.xx.xx] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] *************************************************************************************
changed: [51.xx.xx.xx] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : Iptables configured] *************************************************************************************

TASK [vpn : Install strongSwan] **************************************************************************************
ok: [51.xx.xx.xx]
changed: [51.xx.xx.xx] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [51.xx.xx.xx] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [51.xx.xx.xx] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Setup the config files from our templates] ***************************************************************

TASK [vpn : Get loaded plugins] **************************************************************************************
changed: [51.xx.xx.xx]
changed: [51.xx.xx.xx] => (item=sha1)
changed: [51.xx.xx.xx] => (item=pkcs1)
changed: [51.xx.xx.xx] => (item=agent)
changed: [51.xx.xx.xx] => (item=resolve)
changed: [51.xx.xx.xx] => (item=eap-mschapv2)
changed: [51.xx.xx.xx] => (item=gmp)
changed: [51.xx.xx.xx] => (item=dnskey)
changed: [51.xx.xx.xx] => (item=xcbc)
changed: [51.xx.xx.xx] => (item=rc2)
changed: [51.xx.xx.xx] => (item=sshkey)
changed: [51.xx.xx.xx] => (item=updown)
changed: [51.xx.xx.xx] => (item=bypass-lan)
changed: [51.xx.xx.xx] => (item=xauth-generic)
changed: [51.xx.xx.xx] => (item=attr)
changed: [51.xx.xx.xx] => (item=md5)
changed: [51.xx.xx.xx] => (item=constraints)
changed: [51.xx.xx.xx] => (item=md4)
changed: [51.xx.xx.xx] => (item=connmark)
changed: [51.xx.xx.xx] => (item=mgf1)
changed: [51.xx.xx.xx] => (item=counters)
changed: [51.xx.xx.xx] => (item=fips-prf)
changed: [51.xx.xx.xx] => (item=aesni)
changed: [51.xx.xx.xx] => (item=pem)
changed: [51.xx.xx.xx] => (item=gcm)
changed: [51.xx.xx.xx] => (item=aes)
changed: [51.xx.xx.xx] => (item=pkcs8)
changed: [51.xx.xx.xx] => (item=random)
changed: [51.xx.xx.xx] => (item=sha2)
changed: [51.xx.xx.xx] => (item=pgp)
changed: [51.xx.xx.xx] => (item=revocation)
changed: [51.xx.xx.xx] => (item=pubkey)
changed: [51.xx.xx.xx] => (item=kernel-netlink)
changed: [51.xx.xx.xx] => (item=openssl)
changed: [51.xx.xx.xx] => (item=stroke)
changed: [51.xx.xx.xx] => (item=nonce)
changed: [51.xx.xx.xx] => (item=pkcs12)
changed: [51.xx.xx.xx] => (item=socket-default)
changed: [51.xx.xx.xx] => (item=pkcs7)
changed: [51.xx.xx.xx] => (item=x509)
changed: [51.xx.xx.xx] => (item=hmac)

TASK [vpn : Set subjectAltName as a fact] ****************************************************************************
ok: [51.xx.xx.xx -> localhost]
changed: [51.xx.xx.xx -> localhost] => (item=ecparams)
changed: [51.xx.xx.xx -> localhost] => (item=certs)
changed: [51.xx.xx.xx -> localhost] => (item=crl)
changed: [51.xx.xx.xx -> localhost] => (item=newcerts)
changed: [51.xx.xx.xx -> localhost] => (item=private)
changed: [51.xx.xx.xx -> localhost] => (item=reqs)

TASK [vpn : Ensure the pki directories exist] ************************************************************************
changed: [51.xx.xx.xx -> localhost] => (item=.rnd)
changed: [51.xx.xx.xx -> localhost] => (item=private/.rnd)
changed: [51.xx.xx.xx -> localhost] => (item=index.txt)
changed: [51.xx.xx.xx -> localhost] => (item=index.txt.attr)
changed: [51.xx.xx.xx -> localhost] => (item=serial)

TASK [vpn : Ensure the files exist] **********************************************************************************

TASK [vpn : Generate the openssl server configs] *********************************************************************
changed: [51.xx.xx.xx -> localhost]

TASK [vpn : Build the CA pair] ***************************************************************************************
changed: [51.xx.xx.xx -> localhost]

TASK [vpn : Copy the CA certificate] *********************************************************************************
changed: [51.xx.xx.xx -> localhost]

TASK [vpn : Generate the serial number] ******************************************************************************
changed: [51.xx.xx.xx -> localhost]

TASK [vpn : Build the server pair] ***********************************************************************************
changed: [51.xx.xx.xx -> localhost]
changed: [51.xx.xx.xx -> localhost] => (item=user1)
changed: [51.xx.xx.xx -> localhost] => (item=user2)
changed: [51.xx.xx.xx -> localhost] => (item=rand)

TASK [vpn : Build the client's pair] *********************************************************************************
changed: [51.xx.xx.xx -> localhost] => (item=user1)
changed: [51.xx.xx.xx -> localhost] => (item=user2)
changed: [51.xx.xx.xx -> localhost] => (item=rand)

TASK [vpn : Build the client's p12] **********************************************************************************
changed: [51.xx.xx.xx -> localhost] => (item=user1)
changed: [51.xx.xx.xx -> localhost] => (item=user2)
changed: [51.xx.xx.xx -> localhost] => (item=rand)

TASK [vpn : Copy the p12 certificates] *******************************************************************************

TASK [vpn : Get active users] ****************************************************************************************
changed: [51.xx.xx.xx -> localhost]
changed: [51.xx.xx.xx] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/51.xx.xx.xx/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [51.xx.xx.xx] => (item={u'dest': u'/etc/ipsec.d/certs/51.xx.xx.xx.crt', u'src': u'configs/51.xx.xx.xx/pki/certs/51.xx.xx.xx.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [51.xx.xx.xx] => (item={u'dest': u'/etc/ipsec.d/private/51.xx.xx.xx.key', u'src': u'configs/51.xx.xx.xx/pki/private/51.xx.xx.xx.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Copy the keys to the strongswan directory] ***************************************************************
changed: [51.xx.xx.xx -> localhost] => (item=user1)
changed: [51.xx.xx.xx -> localhost] => (item=user2)
changed: [51.xx.xx.xx -> localhost] => (item=rand)

TASK [vpn : Register p12 PayloadContent] *****************************************************************************

TASK [vpn : Set facts for mobileconfigs] *****************************************************************************
ok: [51.xx.xx.xx -> localhost]
changed: [51.xx.xx.xx] => (item=None)
changed: [51.xx.xx.xx] => (item=None)
changed: [51.xx.xx.xx] => (item=None)

TASK [vpn : Build the mobileconfigs] *********************************************************************************
changed: [51.xx.xx.xx -> localhost] => (item=user1)
changed: [51.xx.xx.xx -> localhost] => (item=user2)
changed: [51.xx.xx.xx -> localhost] => (item=rand)

TASK [vpn : Build the client ipsec config file] **********************************************************************
changed: [51.xx.xx.xx -> localhost] => (item=user1)
changed: [51.xx.xx.xx -> localhost] => (item=user2)
changed: [51.xx.xx.xx -> localhost] => (item=rand)

TASK [vpn : Build the client ipsec secret file] **********************************************************************
changed: [51.xx.xx.xx -> localhost] => (item=configs/51.xx.xx.xx)

TASK [vpn : Restrict permissions for the local private directories] **************************************************

TASK [vpn : strongSwan started] **************************************************************************************
ok: [51.xx.xx.xx]

RUNNING HANDLER [dns_adblocking : restart apparmor] ******************************************************************

RUNNING HANDLER [vpn : restart strongswan] ***************************************************************************
changed: [51.xx.xx.xx]

RUNNING HANDLER [vpn : daemon-reload] ********************************************************************************
changed: [51.xx.xx.xx]

RUNNING HANDLER [vpn : restart iptables] *****************************************************************************
changed: [51.xx.xx.xx]

TASK [Delete the CA key] *********************************************************************************************
changed: [51.xx.xx.xx -> localhost]

TASK [Dump the configuration] ****************************************************************************************
changed: [51.xx.xx.xx -> localhost]

TASK [debug] *********************************************************************************************************
ok: [51.xx.xx.xx] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"", 
            "\"#                     Your Algo server is running.                     #\"", 
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"", 
            "\"#              Go to https://whoer.net/ after connecting               #\"", 
            "\"#        and ensure that all your traffic passes through the VPN.      #\"", 
            "\"#                     Local DNS resolver 172.16.0.1                    #\"", 
            ""
        ], 
        "    \"#        The p12 and SSH keys password for new users is xxxxx       #\"\n", 
        "    ", 
        "    \"#      Shell access: ssh -i configs/algo.pem root@51.xx.xx.xx        #\"\n"
    ]
}

PLAY RECAP ***********************************************************************************************************
51.xx.xx.xx               : ok=99   changed=75   unreachable=0    failed=0   
localhost                  : ok=49   changed=3    unreachable=0    failed=0   

(env) ➜  algo-master

amarCosmospace changed the title from "Scaleway traffic timeout" to "No internet connection on iPhone after successful connection to VPN server Scaleway" on Sep 27, 2018
@davidemyers
Contributor

Are you able to connect to an IP address directly? Try browsing to 1.1.1.1 in Safari.

Please include the portion of the installation log directly below where it says --> Please include the following block of text when reporting issues:.

@amarCosmospace
Author

amarCosmospace commented Sep 27, 2018

Using Safari on my iPhone and browsing to 1.1.1.1 keeps the page loading and shows nothing. I'm adding the logs.

There is no error in the install process, I think.

@davidemyers
Contributor

While I don't think DNS is the problem, could you SSH in to the server and then post the output of systemctl status dnscrypt-proxy?

@amarCosmospace
Author

Here's what I got:

(env) ➜ algo-master ssh -i configs/algo.pem root@51.xx.xx.xx
The authenticity of host '51.xx.xx.xx (51.xx.xx.xx)' can't be established.
ECDSA key fingerprint is SHA256:9JKMG4GKP/bK5u1bAlBes5IuW0i4uqR1jRbAcZwf8gc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '51.xx.xx.xx' (ECDSA) to the list of known hosts.
Last login: Thu Sep 27 13:54:59 2018 from 212.xx.xx.xx
root@algo:~# systemctl status dnscrypt-proxy
● dnscrypt-proxy.service - DNSCrypt-proxy client
Loaded: loaded (/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/dnscrypt-proxy.service.d
└─99-capabilities.conf
Active: active (running) since Thu 2018-09-27 13:51:59 UTC; 2h 54min ago
Docs: https://github.com/jedisct1/dnscrypt-proxy/wiki
Main PID: 3608 (dnscrypt-proxy)
Tasks: 11 (limit: 2294)
CGroup: /system.slice/dnscrypt-proxy.service
└─3608 /usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Sep 27 13:51:59 algo dnscrypt-proxy[3608]: dnscrypt-proxy 2.0.16
Sep 27 13:51:59 algo dnscrypt-proxy[3608]: Loading the set of IP blocking rules from [ip-blacklist.txt]
Sep 27 13:51:59 algo dnscrypt-proxy[3608]: Now listening to 172.16.0.1:53 [UDP]
Sep 27 13:51:59 algo dnscrypt-proxy[3608]: Now listening to 172.16.0.1:53 [TCP]
Sep 27 13:51:59 algo dnscrypt-proxy[3608]: Wiring systemd TCP socket #0, dnscrypt-proxy.socket, 127.0.2.1:53
Sep 27 13:51:59 algo dnscrypt-proxy[3608]: Wiring systemd UDP socket #1, dnscrypt-proxy.socket, 127.0.2.1:53
Sep 27 13:51:59 algo dnscrypt-proxy[3608]: [cloudflare] OK (DoH) - rtt: 12ms
Sep 27 13:51:59 algo dnscrypt-proxy[3608]: [cloudflare-ipv6] OK (DoH) - rtt: 13ms
Sep 27 13:51:59 algo dnscrypt-proxy[3608]: Server with the lowest initial latency: cloudflare (rtt: 12ms)
Sep 27 13:51:59 algo dnscrypt-proxy[3608]: dnscrypt-proxy is ready - live servers: 2
root@algo:~#

@davidemyers
Contributor

Thanks, that looks normal.

The reason I was curious to see it was because you mentioned using 8.8.8.8 for DNS. FYI, if you leave the default setting of dns_encryption: true in config.cfg, the DNS service used is determined by the setting of dns_encryption_provider:, which defaults to cloudflare.

So DNS is configured properly, but I don't know why you can't connect through IPsec when using Scaleway.

@TC1977
Contributor

TC1977 commented Sep 27, 2018

I guess the question is, what do you mean by "I use 8.8.8.8 as the DNS resolver". Did you edit config.cfg, or...?

Also, what does sudo ipsec statusall say when you're ssh'd into the algo server with your iPhone connected?

@amarCosmospace
Author

amarCosmospace commented Sep 28, 2018

@TC1977 No, I didn't change it in the config file, but just in the Wi-Fi parameters. I've tried with and without it.

root@algo:~# sudo ipsec status all
Security Associations (0 up, 0 connecting):
  no match

@davidemyers I've also tried with the default configuration and I got the same issue. That's weird.

@TC1977
Contributor

TC1977 commented Sep 28, 2018

@amarCosmospace Sorry, autocorrect messed things up for me. I meant sudo ipsec statusall (no space between status and all).

Also make sure you're connected to the VPN with at least one client when you type that. It should show at least one tunnel open.

@amarCosmospace
Author

amarCosmospace commented Sep 28, 2018

Yes, no problem :) Here it is. I'm connected with my iPhone on the VPN.

root@algo:~# sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-34-generic, x86_64):
  uptime: 22 hours, since Sep 27 13:54:57 2018
  malloc: sbrk 4894720, mmap 0, used 1730848, free 3163872
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes sha2 random nonce x509 revocation pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl hmac gcm kernel-netlink socket-default stroke
Virtual IP pools (size/online/offline):
  10.19.48.0/24: 254/1/82
  fd9d:bc11:4020::/48: 2147483646/1/82
Listening IP addresses:
  10.14.211.135
  2001:bc8:4400:2b00::1e:307
  10.19.49.1
  fd9d:bc11:4021::1
Connections:
ikev2-pubkey:  %any...%any  IKEv2, dpddelay=35s
ikev2-pubkey:   local:  [51.xx.xx.xx] uses public key authentication
ikev2-pubkey:    cert:  "CN=51.xx.xx.xx"
ikev2-pubkey:   remote: uses public key authentication
ikev2-pubkey:   child:  0.0.0.0/0 ::/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ikev2-pubkey[93]: ESTABLISHED 42 seconds ago, 10.14.211.135[51.xx.xx.xx]...80.214.xx.xx[user1]
ikev2-pubkey[93]: IKEv2 SPIs: fde56983d4397d91_i 2a9d1da47140a78e_r*, rekeying disabled
ikev2-pubkey[93]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
ikev2-pubkey{90}:  INSTALLED, TUNNEL, reqid 90, ESP in UDP SPIs: c68dbcc0_i 07211869_o
ikev2-pubkey{90}:  AES_GCM_16_256, 0 bytes_i, 0 bytes_o, rekeying disabled
ikev2-pubkey{90}:   0.0.0.0/0 ::/0 === 10.19.48.1/32 fd9d:bc11:4020::1/128
root@algo:~#

@TC1977
Contributor

TC1977 commented Sep 28, 2018

@amarCosmospace Good, so the ipsec tunnel is up. Try loading some websites, then hit sudo ipsec statusall again and see if the line that says AES_GCM_16_256, 0 bytes_i, 0 bytes_o, rekeying disabled changes. Also, open up another SSH connection, and type tail -f /var/log/syslog|grep charon into it. This will give you a running log of any error messages from strongswan (charon).

If this doesn't show any problems, then the next step would be checking your firewalls, both on your Algo server/Scaleway console and on the Mac.
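Since the check above (tunnel INSTALLED but `0 bytes_i, 0 bytes_o`) recurs through the rest of this thread, here is a small POSIX shell script that parses `sudo ipsec statusall` output and reports whether any CHILD_SA has carried traffic. It is an added example, not code from Algo or from anyone in this thread. `SAMPLE_IDLE` is constructed from the shape of the output posted above; `SAMPLE_BUSY` is a constructed healthy counterpart (strongSwan prints packet counts and ages after each byte counter once traffic flows, which the parser tolerates). Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from Algo or this thread): detect "tunnel up, no traffic"
# from `sudo ipsec statusall` output. 0 bytes_i on an INSTALLED CHILD_SA means
# the server's kernel has not decrypted a single inbound ESP packet on that SA.

# Print one line per CHILD_SA found on stdin: "<name> <bytes_in> <bytes_out>".
# Handles both "0 bytes_i, 0 bytes_o" and "123 bytes_i (4 pkts, 2s ago), ...".
child_sa_bytes() {
    awk '/ bytes_i/ {
        name = $1; sub(/:$/, "", name)
        bi = bo = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^bytes_i/) bi = $(i - 1)
            if ($i ~ /^bytes_o/) bo = $(i - 1)
        }
        print name, bi, bo
    }'
}

# Exit status: 0 = every CHILD_SA shows zero bytes in both directions (the
# symptom in this thread), 1 = at least one SA carried traffic, 2 = no
# CHILD_SA installed at all (IKE may be up but no ESP SA was negotiated).
tunnel_idle() {
    child_sa_bytes | awk '
        { n++; if ($2 > 0 || $3 > 0) busy = 1 }
        END { if (n == 0) exit 2; exit (busy ? 1 : 0) }'
}

# Constructed sample in the shape of the statusall output posted in this thread.
SAMPLE_IDLE='Security Associations (1 up, 0 connecting):
ikev2-pubkey[93]: ESTABLISHED 42 seconds ago, 10.14.211.135[51.xx.xx.xx]...80.214.xx.xx[user1]
ikev2-pubkey[93]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
ikev2-pubkey{90}:  INSTALLED, TUNNEL, reqid 90, ESP in UDP SPIs: c68dbcc0_i 07211869_o
ikev2-pubkey{90}:  AES_GCM_16_256, 0 bytes_i, 0 bytes_o, rekeying disabled
ikev2-pubkey{90}:   0.0.0.0/0 ::/0 === 10.19.48.1/32 fd9d:bc11:4020::1/128'

# Constructed healthy counterpart: counters advancing in both directions.
SAMPLE_BUSY='Security Associations (1 up, 0 connecting):
ikev2-pubkey{91}:  INSTALLED, TUNNEL, reqid 91, ESP in UDP SPIs: c68dbcc1_i 07211870_o
ikev2-pubkey{91}:  AES_GCM_16_256, 48213 bytes_i (312 pkts, 2s ago), 91870 bytes_o (290 pkts, 1s ago), rekeying disabled
ikev2-pubkey{91}:   0.0.0.0/0 ::/0 === 10.19.48.2/32 fd9d:bc11:4020::2/128'

case "${1:-}" in
    --demo)   # run against the embedded idle sample
        printf '%s\n' "$SAMPLE_IDLE" | child_sa_bytes
        if printf '%s\n' "$SAMPLE_IDLE" | tunnel_idle; then
            echo "tunnel up but idle: no ESP traffic reached the server"
        fi ;;
    --stdin)  # sudo ipsec statusall | sh sa-traffic.sh --stdin
        out=$(cat)
        printf '%s\n' "$out" | child_sa_bytes
        printf '%s\n' "$out" | tunnel_idle && echo "tunnel up but idle: no ESP traffic reached the server" ;;
esac
```

Run it a few seconds after trying to load a page on the client. Because the SA above is "ESP in UDP" (NAT-T), data packets travel on the same UDP/4500 flow that IKE_AUTH already succeeded on, so zero inbound bytes points at ESP packets not arriving or being discarded before the XFRM layer rather than at a closed port; `ip -s xfrm state` on the server shows per-SA error counters that help tell those apart.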

@amarCosmospace
Author

amarCosmospace commented Sep 28, 2018

I tried to reach whoer.net and it keeps loading and never shows up. And the tail gave me "file does not exist".

root@algo:~# sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-34-generic, x86_64):
  uptime: 23 hours, since Sep 27 13:54:57 2018
  malloc: sbrk 4902912, mmap 0, used 1712704, free 3190208
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes sha2 random nonce x509 revocation pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl hmac gcm kernel-netlink socket-default stroke
Virtual IP pools (size/online/offline):
  10.19.48.0/24: 254/1/82
  fd9d:bc11:4020::/48: 2147483646/1/82
Listening IP addresses:
  10.14.211.135
  2001:bc8:4400:2b00::1e:307
  10.19.49.1
  fd9d:bc11:4021::1
Connections:
ikev2-pubkey:  %any...%any  IKEv2, dpddelay=35s
ikev2-pubkey:   local:  [51.xx.xx.xx] uses public key authentication
ikev2-pubkey:    cert:  "CN=51.xx.xx.xx"
ikev2-pubkey:   remote: uses public key authentication
ikev2-pubkey:   child:  0.0.0.0/0 ::/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ikev2-pubkey[95]: ESTABLISHED 3 minutes ago, 10.14.211.135[51.xx.xx.xx]...80.214.xx.xx[user1]
ikev2-pubkey[95]: IKEv2 SPIs: c8add35be8a2c810_i ee2a8c8590672f40_r*, rekeying disabled
ikev2-pubkey[95]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
ikev2-pubkey{92}:  INSTALLED, TUNNEL, reqid 92, ESP in UDP SPIs: ce55b032_i 0e3fb8c4_o
ikev2-pubkey{92}:  AES_GCM_16_256, 0 bytes_i, 0 bytes_o, rekeying disabled
ikev2-pubkey{92}:   0.0.0.0/0 ::/0 === 10.19.48.3/32 fd9d:bc11:4020::3/128
root@algo:~#

@TC1977
Contributor

TC1977 commented Sep 28, 2018

You still show no bytes transferred. So this is a problem with either the Scaleway instance firewall, the Algo firewall, or your Mac. Check your Scaleway console and make sure ports UDP/500 and UDP/4500 are open. (I can't help you with that...no Scaleway account.)

Actually check that, if those ports were closed then you wouldn't be able to even open a tunnel. Try googling the strongswan docs?

@TC1977
Contributor

TC1977 commented Sep 28, 2018

Ok @amarCosmospace , I checked out this error in the strongswan docs. Try this:

sudo nano /etc/ipsec.conf

Then modify the file by inserting the line forceencaps=yes into the conn %default section (anywhere is fine, but indent properly). Then do sudo ipsec reload, disconnect and reconnect your client, and try again.

@amarCosmospace
Author

@TC1977 I've checked the Scaleway config and this VPS is wide open, so no firewall, for testing purposes.

I've tried what you are saying and it doesn't seem to work... that's weird.

@TC1977
Contributor

TC1977 commented Sep 28, 2018

@amarCosmospace Huh. The next step would be to sudo reboot and just make sure the new ipsec.conf is loaded, but before you do that, just rule out a home router problem. Switch the iPhone to LTE and try to connect. Can you connect, and can you load web pages if you do that? And if not, does the packet counter show any increase in packets?

@amarCosmospace
Author

amarCosmospace commented Sep 28, 2018

I'm on LTE from the beginning of the test and tried from a hotel and from home :)

I'll try a reboot and see how it goes.

Thanks for your help :)

@amarCosmospace
Author

After a reboot it's the same with 4G (LTE)... I think there is an issue with Scaleway.
Has anyone tested it on Scaleway?

@TC1977
Contributor

TC1977 commented Sep 28, 2018

@amarCosmospace if you read down to the end of the link I posted above, the guy had inadvertently set a firewall on his OVH console. I wonder if you've set a firewall on the security group on your Scaleway console somehow.

Are you getting any error messages from the window showing tail -f /var/log/syslog|grep charon as above?

@amarCosmospace
Author

I've edited the firewall policy to accept all on inbound and outbound, so no firewall at all.

The tail gave me this:

root@algo:~# tail -f /var/log/syslog|grep charon
tail: cannot open '/var/log/syslog' for reading: No such file or directory
tail: no files remaining

image

@TC1977
Contributor

TC1977 commented Sep 28, 2018

Add specific rules in that Scaleway console to accept TCP/22, UDP/500 and UDP/4500 inbound, and accept all ports outbound. If you're going to use Wireguard, also add a rule for UDP/51820 inbound.

I guess your syslog isn't at /var/log/syslog? What do you get when you type uname -a on the Algo server?

@amarCosmospace
Author

amarCosmospace commented Sep 28, 2018

Done and rebooted and tested with LTE (tried to reach whoer.net on Google).
image

root@algo:~# sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-34-generic, x86_64):
  uptime: 103 seconds, since Sep 28 13:57:42 2018
  malloc: sbrk 2555904, mmap 0, used 593872, free 1962032
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes sha2 random nonce x509 revocation pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl hmac gcm kernel-netlink socket-default stroke
Virtual IP pools (size/online/offline):
  10.19.48.0/24: 254/1/0
  fd9d:bc11:4020::/48: 2147483646/1/0
Listening IP addresses:
  10.14.211.135
  2001:bc8:4400:2b00::1e:307
  10.19.49.1
  fd9d:bc11:4021::1
Connections:
ikev2-pubkey:  %any...%any  IKEv2, dpddelay=35s
ikev2-pubkey:   local:  [51.xx.xx.xx] uses public key authentication
ikev2-pubkey:    cert:  "CN=51.xx.xx.xx"
ikev2-pubkey:   remote: uses public key authentication
ikev2-pubkey:   child:  0.0.0.0/0 ::/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ikev2-pubkey[1]: ESTABLISHED 25 seconds ago, 10.14.211.135[51.xx.xx.xx]...80.214.xx.xx[user1]
ikev2-pubkey[1]: IKEv2 SPIs: 37db2b0b20486744_i ecb0a98cca070a65_r*, rekeying disabled
ikev2-pubkey[1]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
ikev2-pubkey{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0bad4b2_i 0ae202cc_o
ikev2-pubkey{1}:  AES_GCM_16_256, 0 bytes_i, 0 bytes_o, rekeying disabled
ikev2-pubkey{1}:   0.0.0.0/0 ::/0 === 10.19.48.1/32 fd9d:bc11:4020::1/128
root@algo:~#

@TC1977
Contributor

TC1977 commented Sep 28, 2018

So your tunnel is still open, but no packets transferred? The next question is if iptables on your server is incorrect somehow. Do this on your Algo server, and post the output: sudo iptables -S

@amarCosmospace
Author

Seems good 🤔

root@algo:~# sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name icmp-echo-drop -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500,51820 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p ipencap -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -d 172.16.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 10.19.48.0/24 -d 10.19.48.0/24 -j DROP
-A FORWARD -s 10.19.48.0/24 -d 10.19.49.0/24 -j DROP
-A FORWARD -s 10.19.49.0/24 -d 10.19.48.0/24 -j DROP
-A FORWARD -s 10.19.49.0/24 -d 10.19.49.0/24 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
-A FORWARD -s 10.19.48.0/24 -m conntrack --ctstate NEW -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -s 10.19.49.0/24 -m conntrack --ctstate NEW -m policy --dir in --pol none -j ACCEPT

@TC1977
Contributor

TC1977 commented Sep 28, 2018

Those iptables rules all look correct to me.

One thing is bothering me. Why don't you have anything in /var/log/syslog? What version of Linux is this Scaleway server running? uname -a?
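One caveat worth adding for anyone auditing the rules the way it is done above: `iptables -S` prints only the filter table. The MASQUERADE rule that rewrites VPN client source addresses to the server's address lives in the nat table (`iptables -t nat -S`) and never appears in that output, so a ruleset can look correct here while clients still cannot reach the internet. The POSIX shell audit below checks both tables for the rules an IPsec client depends on. It is an added example, not code from Algo or from this thread. `SAMPLE_FILTER` reuses (abridged) the filter rules posted above; `SAMPLE_NAT` is constructed in the shape Algo's nat rules take and is not something the thread shows; `VPN_NET` is the IPsec client pool from this thread and should be changed to match your own `strongswan_network`. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from Algo or this thread): check that the rules an IPsec
# client relies on to reach the internet are all present. Feed it BOTH tables:
#   { sudo iptables -S; sudo iptables -t nat -S; } | sh audit-rules.sh --stdin

VPN_NET='10\.19\.48\.0/24'   # IPsec client pool from the thread (ERE-escaped)

# One extended regex per line; each must match at least one rule in the input.
EXPECTED="-A INPUT -p udp -m multiport --dports 500,4500
-A INPUT -p esp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $VPN_NET -m conntrack --ctstate NEW -m policy --dir in --pol ipsec -j ACCEPT
-A POSTROUTING -s $VPN_NET .*-j MASQUERADE"

# Read a ruleset from stdin. Return 0 if every EXPECTED pattern matches,
# otherwise list the missing ones on stderr and return 1.
audit_rules() {
    rules=$(cat)
    missing=$(printf '%s\n' "$EXPECTED" | while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        printf '%s\n' "$rules" | grep -qE -- "$pat" || printf 'missing: %s\n' "$pat"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" >&2
    return 1
}

# filter table as posted in this thread, abridged to the rules that matter here
SAMPLE_FILTER='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500,51820 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.19.48.0/24 -m conntrack --ctstate NEW -m policy --dir in --pol ipsec -j ACCEPT'

# nat table: CONSTRUCTED for this example in the shape Algo's rules take; the
# thread never shows it, which is exactly the blind spot this script covers.
SAMPLE_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.19.48.0/24 -m policy --dir out --pol none -j MASQUERADE'

SAMPLE_OK="$SAMPLE_FILTER
$SAMPLE_NAT"

case "${1:-}" in
    --demo)
        printf '%s\n' "$SAMPLE_OK" | audit_rules && echo "all expected rules present"
        echo "filter table only (what a bare 'iptables -S' shows):"
        printf '%s\n' "$SAMPLE_FILTER" | audit_rules || echo "-> nat rule not visible; run iptables -t nat -S" ;;
    --stdin)
        audit_rules && echo "all expected rules present" ;;
esac
```

The `-P FORWARD DROP` default policy in the posted output is fine because forwarding from the client pool is accepted explicitly; what the rules cannot tell you is whether forwarding is enabled at all, so pair this with `sysctl net.ipv4.ip_forward` (expected `1`) when the nat rule checks out but counters still stay at zero.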

@TC1977
Contributor

TC1977 commented Sep 28, 2018

Maybe your rsyslogd is down for some bizarre reason. Try using journalctl instead: sudo journalctl -u strongswan on your Algo server and see if you have any suspicious error messages.

@amarCosmospace
Author

amarCosmospace commented Sep 28, 2018

It's a Linux algo 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

There is no error or suspect thing in the "sudo journalctl -u strongswan" output. I've installed rsyslogd because it seems that it's not installed yet on this image.
I'm rebooting the server right now and will retest via my iPhone.

@amarCosmospace
Author

root@algo:~# tail -f /var/log/syslog|grep charon
^C
root@algo:~# tail -f /var/log/syslog
Sep 28 14:31:47 algo systemd[1101]: Listening on GnuPG network certificate management daemon.
Sep 28 14:31:47 algo systemd[1101]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Sep 28 14:31:47 algo systemd[1101]: Reached target Timers.
Sep 28 14:31:47 algo systemd[1101]: Reached target Paths.
Sep 28 14:31:47 algo systemd[1101]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
Sep 28 14:31:47 algo systemd[1101]: Reached target Sockets.
Sep 28 14:31:47 algo systemd[1101]: Reached target Basic System.
Sep 28 14:31:47 algo systemd[1101]: Reached target Default.
Sep 28 14:31:47 algo systemd[1101]: Startup finished in 73ms.
Sep 28 14:31:47 algo systemd[1]: Started User Manager for UID 0.
Sep 28 14:32:04 algo charon: 03[NET] received packet: from 80.xx.xx.xx[19444] to 10.14.211.135[500]
Sep 28 14:32:04 algo charon: 03[NET] waiting for data on sockets
Sep 28 14:32:04 algo charon: 12[MGR] checkout IKEv2 SA by message with SPIs 03a8e17890fe300b_i 0000000000000000_r
Sep 28 14:32:04 algo charon: 12[MGR] created IKE_SA (unnamed)[1]
Sep 28 14:32:04 algo charon: 12[NET] received packet: from 80.xx.xx.xx[19444] to 10.14.211.135[500] (272 bytes)
Sep 28 14:32:04 algo charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 28 14:32:04 algo charon: 12[CFG] looking for an ike config for 10.14.211.135...80.xx.xx.xx
Sep 28 14:32:04 algo charon: 12[CFG]   candidate: %any...%any, prio 28
Sep 28 14:32:04 algo charon: 12[CFG] found matching ike config: %any...%any with prio 28
Sep 28 14:32:04 algo charon: 12[IKE] 80.xx.xx.xx is initiating an IKE_SA
Sep 28 14:32:04 algo charon: 12[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Sep 28 14:32:04 algo charon: 12[CFG] selecting proposal:
Sep 28 14:32:04 algo charon: 12[CFG]   proposal matches
Sep 28 14:32:04 algo charon: 12[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
Sep 28 14:32:04 algo charon: 12[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
Sep 28 14:32:04 algo charon: 12[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
Sep 28 14:32:04 algo charon: 12[IKE] local host is behind NAT, sending keep alives
Sep 28 14:32:04 algo charon: 12[IKE] remote host is behind NAT
Sep 28 14:32:04 algo charon: 12[IKE] sending cert request for "CN=51.xx.xx.xx"
Sep 28 14:32:04 algo charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sep 28 14:32:04 algo charon: 12[NET] sending packet: from 10.14.211.135[500] to 80.xx.xx.xx[19444] (305 bytes)
Sep 28 14:32:04 algo charon: 04[NET] sending packet: from 10.14.211.135[500] to 80.xx.xx.xx[19444]
Sep 28 14:32:04 algo charon: 12[MGR] checkin IKE_SA (unnamed)[1]
Sep 28 14:32:04 algo charon: 12[MGR] checkin of IKE_SA successful
Sep 28 14:32:05 algo charon: 03[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500]
Sep 28 14:32:05 algo charon: 03[NET] waiting for data on sockets
Sep 28 14:32:05 algo ipsec[837]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-34-generic, x86_64)
Sep 28 14:32:05 algo ipsec[837]: 00[KNL] known interfaces and IP addresses:
Sep 28 14:32:05 algo ipsec[837]: 00[KNL]   lo
Sep 28 14:32:05 algo ipsec[837]: 00[KNL]     127.0.0.1
Sep 28 14:32:05 algo ipsec[837]: 00[KNL]     172.16.0.1
Sep 28 14:32:05 algo ipsec[837]: 00[KNL]     fcaa::1
Sep 28 14:32:05 algo ipsec[837]: 00[KNL]     ::1
Sep 28 14:32:05 algo ipsec[837]: 00[KNL]   ens2
Sep 28 14:32:05 algo ipsec[837]: 00[KNL]     10.14.211.135
Sep 28 14:32:05 algo ipsec[837]: 00[KNL]     fe80::dc1a:14ff:fe13:4
Sep 28 14:32:05 algo ipsec[837]: 00[KNL]   wg0
Sep 28 14:32:05 algo ipsec[837]: 00[KNL]     10.19.49.1
Sep 28 14:32:05 algo ipsec[837]: 00[KNL]     fd9d:bc11:4021::1
Sep 28 14:32:05 algo ipsec[837]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 28 14:32:05 algo ipsec[837]: 00[CFG]   loaded ca certificate "CN=51.xx.xx.xx" from '/etc/ipsec.d/cacerts/ca.crt'
Sep 28 14:32:05 algo ipsec[837]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 28 14:32:05 algo ipsec[837]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 28 14:32:05 algo ipsec[837]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 28 14:32:05 algo ipsec[837]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 28 14:32:05 algo ipsec[837]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 28 14:32:05 algo ipsec[837]: 00[CFG]   loaded ECDSA private key from '/etc/ipsec.d/private/51.xx.xx.xx.key'
Sep 28 14:32:05 algo ipsec[837]: 00[LIB] loaded plugins: charon aes sha2 random nonce x509 revocation pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl hmac gcm kernel-netlink socket-default stroke
Sep 28 14:32:05 algo ipsec[837]: 00[LIB] dropped capabilities, running as uid 1000, gid 1000
Sep 28 14:32:05 algo ipsec[837]: 00[JOB] spawning 16 worker threads
Sep 28 14:32:05 algo ipsec[837]: 03[NET] waiting for data on sockets
Sep 28 14:32:05 algo ipsec[837]: 08[CFG] received stroke: add connection 'ikev2-pubkey'
Sep 28 14:32:05 algo ipsec[837]: 08[CFG] conn ikev2-pubkey
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   left=%any
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   leftsubnet=0.0.0.0/0,::/0
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   leftauth=pubkey
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   leftid=51.xx.xx.xx
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   leftcert=51.xx.xx.xx.crt
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   right=%any
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   rightsourceip=10.19.48.0/24,fd9d:bc11:4020::/48
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   rightdns=172.16.0.1
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   rightauth=pubkey
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   ike=aes256gcm16-prfsha512-ecp384!
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   esp=aes256gcm16-ecp384!
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   dpddelay=35
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   dpdtimeout=150
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   dpdaction=1
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   sha256_96=no
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   mediation=no
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   keyexchange=ikev2
Sep 28 14:32:05 algo ipsec[837]: 08[CFG] adding virtual IP address pool 10.19.48.0/24
Sep 28 14:32:05 algo ipsec[837]: 08[CFG] virtual IP pool too large, limiting to fd9d:bc11:4020::/97
Sep 28 14:32:05 algo ipsec[837]: 08[CFG] adding virtual IP address pool fd9d:bc11:4020::/48
Sep 28 14:32:05 algo ipsec[837]: 08[CFG]   loaded certificate "CN=51.xx.xx.xx" from '51.xx.xx.xx.crt'
Sep 28 14:32:05 algo charon: 13[MGR] checkout IKEv2 SA by message with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:05 algo ipsec[837]: 08[CFG] added configuration 'ikev2-pubkey'
Sep 28 14:32:05 algo ipsec[837]: 10[KNL] creating roam job due to route change
Sep 28 14:32:05 algo ipsec[837]: 14[KNL] creating roam job due to route change
Sep 28 14:32:05 algo ipsec[837]: 16[KNL] 2001:bc8:4400:2b00::1e:307 appeared on ens2
Sep 28 14:32:05 algo ipsec[837]: 10[KNL] creating roam job due to address/link change
Sep 28 14:32:05 algo ipsec[837]: 03[NET] received packet: from 80.xx.xx.xx[19444] to 10.14.211.135[500]
Sep 28 14:32:05 algo ipsec[837]: 03[NET] waiting for data on sockets
Sep 28 14:32:05 algo ipsec[837]: 12[MGR] checkout IKEv2 SA by message with SPIs 03a8e17890fe300b_i 0000000000000000_r
Sep 28 14:32:05 algo ipsec[837]: 12[MGR] created IKE_SA (unnamed)[1]
Sep 28 14:32:05 algo ipsec[837]: 12[NET] received packet: from 80.xx.xx.xx[19444] to 10.14.211.135[500] (272 bytes)
Sep 28 14:32:05 algo ipsec[837]: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 28 14:32:05 algo ipsec[837]: 12[CFG] looking for an ike config for 10.14.211.135...80.xx.xx.xx
Sep 28 14:32:05 algo ipsec[837]: 12[CFG]   candidate: %any...%any, prio 28
Sep 28 14:32:05 algo ipsec[837]: 12[CFG] found matching ike config: %any...%any with prio 28
Sep 28 14:32:05 algo ipsec[837]: 12[IKE] 80.xx.xx.xx is initiating an IKE_SA
Sep 28 14:32:05 algo ipsec[837]: 12[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Sep 28 14:32:05 algo ipsec[837]: 12[CFG] selecting proposal:
Sep 28 14:32:05 algo ipsec[837]: 12[CFG]   proposal matches
Sep 28 14:32:05 algo ipsec[837]: 12[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
Sep 28 14:32:05 algo ipsec[837]: 12[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
Sep 28 14:32:05 algo ipsec[837]: 12[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
Sep 28 14:32:05 algo ipsec[837]: 12[IKE] local host is behind NAT, sending keep alives
Sep 28 14:32:05 algo ipsec[837]: 12[IKE] remote host is behind NAT
Sep 28 14:32:05 algo ipsec[837]: 12[IKE] sending cert request for "CN=51.xx.xx.xx"
Sep 28 14:32:05 algo ipsec[837]: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sep 28 14:32:05 algo ipsec[837]: 12[NET] sending packet: from 10.14.211.135[500] to 80.xx.xx.xx[19444] (305 bytes)
Sep 28 14:32:05 algo ipsec[837]: 04[NET] sending packet: from 10.14.211.135[500] to 80.xx.xx.xx[19444]
Sep 28 14:32:05 algo ipsec[837]: 12[MGR] checkin IKE_SA (unnamed)[1]
Sep 28 14:32:05 algo ipsec[837]: 12[MGR] checkin of IKE_SA successful
Sep 28 14:32:05 algo ipsec[837]: 03[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500]
Sep 28 14:32:05 algo ipsec[837]: 03[NET] waiting for data on sockets
Sep 28 14:32:05 algo ipsec[837]: 13[MGR] checkout IKEv2 SA by message with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:05 algo ipsec[837]: 13[MGR] IKE_SA (unnamed)[1] successfully checked out
Sep 28 14:32:05 algo ipsec[837]: 13[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500] (540 bytes)
Sep 28 14:32:05 algo charon: 13[MGR] IKE_SA (unnamed)[1] successfully checked out
Sep 28 14:32:05 algo ipsec[837]: 13[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Sep 28 14:32:05 algo charon: 13[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500] (540 bytes)
Sep 28 14:32:05 algo charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Sep 28 14:32:05 algo charon: 13[ENC] received fragment #1 of 2, waiting for complete IKE message
Sep 28 14:32:05 algo charon: 13[MGR] checkin IKE_SA (unnamed)[1]
Sep 28 14:32:05 algo charon: 13[MGR] checkin of IKE_SA successful
Sep 28 14:32:05 algo charon: 03[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500]
Sep 28 14:32:05 algo charon: 03[NET] waiting for data on sockets
Sep 28 14:32:05 algo charon: 14[MGR] checkout IKEv2 SA by message with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:05 algo charon: 14[MGR] IKE_SA (unnamed)[1] successfully checked out
Sep 28 14:32:05 algo charon: 14[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500] (516 bytes)
Sep 28 14:32:05 algo charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Sep 28 14:32:05 algo charon: 14[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Sep 28 14:32:05 algo charon: 14[ENC] unknown attribute type (25)
Sep 28 14:32:05 algo charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CERTREQ AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Sep 28 14:32:05 algo charon: 14[IKE] received cert request for "CN=51.xx.xx.xx"
Sep 28 14:32:05 algo charon: 14[IKE] received end entity cert "CN=user1"
Sep 28 14:32:05 algo charon: 14[CFG] looking for peer configs matching 10.14.211.135[51.xx.xx.xx]...80.xx.xx.xx[user1]
Sep 28 14:32:05 algo charon: 14[CFG]   candidate "ikev2-pubkey", match: 20/1/28 (me/other/ike)
Sep 28 14:32:05 algo charon: 14[CFG] selected peer config 'ikev2-pubkey'
Sep 28 14:32:05 algo charon: 14[CFG]   using certificate "CN=user1"
Sep 28 14:32:05 algo charon: 14[CFG]   certificate "CN=user1" key: 384 bit ECDSA
Sep 28 14:32:05 algo charon: 14[CFG]   using trusted ca certificate "CN=51.xx.xx.xx"
Sep 28 14:32:05 algo charon: 14[CFG] checking certificate status of "CN=user1"
Sep 28 14:32:05 algo charon: 14[CFG] ocsp check skipped, no ocsp found
Sep 28 14:32:05 algo charon: 14[CFG] certificate status is not available
Sep 28 14:32:05 algo charon: 14[CFG]   certificate "CN=51.xx.xx.xx" key: 384 bit ECDSA
Sep 28 14:32:05 algo charon: 14[CFG]   reached self-signed root ca with a path length of 0
Sep 28 14:32:05 algo charon: 14[IKE] authentication of 'user1' with ECDSA-384 signature successful
Sep 28 14:32:05 algo charon: 14[IKE] processing INTERNAL_IP4_ADDRESS attribute
Sep 28 14:32:05 algo charon: 14[IKE] processing INTERNAL_IP4_DHCP attribute
Sep 28 14:32:05 algo charon: 14[IKE] processing INTERNAL_IP4_DNS attribute
Sep 28 14:32:05 algo charon: 14[IKE] processing INTERNAL_IP4_NETMASK attribute
Sep 28 14:32:05 algo charon: 14[IKE] processing INTERNAL_IP6_ADDRESS attribute
Sep 28 14:32:05 algo charon: 14[IKE] processing INTERNAL_IP6_DHCP attribute
Sep 28 14:32:05 algo charon: 14[IKE] processing INTERNAL_IP6_DNS attribute
Sep 28 14:32:05 algo charon: 14[IKE] processing (25) attribute
Sep 28 14:32:05 algo charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 28 14:32:05 algo charon: 14[IKE] peer supports MOBIKE
Sep 28 14:32:05 algo charon: 14[IKE] authentication of '51.xx.xx.xx' (myself) with ECDSA-384 signature successful
Sep 28 14:32:05 algo charon: 14[IKE] IKE_SA ikev2-pubkey[1] established between 10.14.211.135[51.xx.xx.xx]...80.xx.xx.xx[user1]
Sep 28 14:32:05 algo charon: 14[IKE] IKE_SA ikev2-pubkey[1] state change: CONNECTING => ESTABLISHED
Sep 28 14:32:05 algo charon: 14[IKE] sending end entity cert "CN=51.xx.xx.xx"
Sep 28 14:32:05 algo charon: 14[IKE] peer requested virtual IP %any
Sep 28 14:32:05 algo charon: 14[CFG] assigning new lease to 'user1'
Sep 28 14:32:05 algo charon: 14[IKE] assigning virtual IP 10.19.48.1 to peer 'user1'
Sep 28 14:32:05 algo charon: 14[IKE] peer requested virtual IP %any6
Sep 28 14:32:05 algo charon: 14[CFG] assigning new lease to 'user1'
Sep 28 14:32:05 algo charon: 14[IKE] assigning virtual IP fd9d:bc11:4020::1 to peer 'user1'
Sep 28 14:32:05 algo charon: 14[IKE] building INTERNAL_IP4_DNS attribute
Sep 28 14:32:05 algo charon: 14[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Sep 28 14:32:05 algo charon: 14[CFG] proposing traffic selectors for us:
Sep 28 14:32:05 algo charon: 14[CFG]  0.0.0.0/0
Sep 28 14:32:05 algo charon: 14[CFG]  ::/0
Sep 28 14:32:05 algo charon: 14[CFG] proposing traffic selectors for other:
Sep 28 14:32:05 algo charon: 14[CFG]  10.19.48.1/32
Sep 28 14:32:05 algo charon: 14[CFG]  fd9d:bc11:4020::1/128
Sep 28 14:32:05 algo charon: 14[CFG]   candidate "ikev2-pubkey" with prio 15+3
Sep 28 14:32:05 algo charon: 14[CFG] found matching child config "ikev2-pubkey" with prio 18
Sep 28 14:32:05 algo charon: 14[CFG] selecting proposal:
Sep 28 14:32:05 algo charon: 14[CFG]   proposal matches
Sep 28 14:32:05 algo charon: 14[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Sep 28 14:32:05 algo charon: 14[CFG] configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Sep 28 14:32:05 algo charon: 14[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Sep 28 14:32:05 algo charon: 14[KNL] got SPI cdab0f32
Sep 28 14:32:05 algo charon: 14[CFG] selecting traffic selectors for us:
Sep 28 14:32:05 algo charon: 14[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Sep 28 14:32:05 algo charon: 14[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
Sep 28 14:32:05 algo charon: 14[CFG]  config: ::/0, received: 0.0.0.0/0 => no match
Sep 28 14:32:05 algo charon: 14[CFG]  config: ::/0, received: ::/0 => match: ::/0
Sep 28 14:32:05 algo charon: 14[CFG] selecting traffic selectors for other:
Sep 28 14:32:05 algo charon: 14[CFG]  config: 10.19.48.1/32, received: 0.0.0.0/0 => match: 10.19.48.1/32
Sep 28 14:32:05 algo charon: 14[CFG]  config: 10.19.48.1/32, received: ::/0 => no match
Sep 28 14:32:05 algo charon: 14[CFG]  config: fd9d:bc11:4020::1/128, received: 0.0.0.0/0 => no match
Sep 28 14:32:05 algo charon: 14[CFG]  config: fd9d:bc11:4020::1/128, received: ::/0 => match: fd9d:bc11:4020::1/128
Sep 28 14:32:05 algo charon: 14[KNL] adding SAD entry with SPI cdab0f32 and reqid {1}
Sep 28 14:32:05 algo charon: 14[KNL]   using encryption algorithm AES_GCM_16 with key size 288
Sep 28 14:32:05 algo charon: 14[KNL]   using replay window of 32 packets
Sep 28 14:32:05 algo ipsec[837]: 13[ENC] received fragment #1 of 2, waiting for complete IKE message
Sep 28 14:32:05 algo ipsec[837]: 13[MGR] checkin IKE_SA (unnamed)[1]
Sep 28 14:32:05 algo ipsec[837]: 13[MGR] checkin of IKE_SA successful
Sep 28 14:32:05 algo ipsec[837]: 03[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500]
Sep 28 14:32:05 algo ipsec[837]: 03[NET] waiting for data on sockets
Sep 28 14:32:05 algo ipsec[837]: 14[MGR] checkout IKEv2 SA by message with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:05 algo ipsec[837]: 14[MGR] IKE_SA (unnamed)[1] successfully checked out
Sep 28 14:32:05 algo ipsec[837]: 14[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500] (516 bytes)
Sep 28 14:32:05 algo ipsec[837]: 14[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Sep 28 14:32:05 algo ipsec[837]: 14[ENC] received fragment #2 of 2, reassembling fragmented IKE message
Sep 28 14:32:05 algo ipsec[837]: 14[ENC] unknown attribute type (25)
Sep 28 14:32:05 algo ipsec[837]: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CERTREQ AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] received cert request for "CN=51.xx.xx.xx"
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] received end entity cert "CN=user1"
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] looking for peer configs matching 10.14.211.135[51.xx.xx.xx]...80.xx.xx.xx[user1]
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]   candidate "ikev2-pubkey", match: 20/1/28 (me/other/ike)
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] selected peer config 'ikev2-pubkey'
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]   using certificate "CN=user1"
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]   certificate "CN=user1" key: 384 bit ECDSA
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]   using trusted ca certificate "CN=51.xx.xx.xx"
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] checking certificate status of "CN=user1"
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] ocsp check skipped, no ocsp found
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] certificate status is not available
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]   certificate "CN=51.xx.xx.xx" key: 384 bit ECDSA
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]   reached self-signed root ca with a path length of 0
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] authentication of 'user1' with ECDSA-384 signature successful
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] processing INTERNAL_IP4_ADDRESS attribute
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] processing INTERNAL_IP4_DHCP attribute
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] processing INTERNAL_IP4_DNS attribute
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] processing INTERNAL_IP4_NETMASK attribute
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] processing INTERNAL_IP6_ADDRESS attribute
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] processing INTERNAL_IP6_DHCP attribute
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] processing INTERNAL_IP6_DNS attribute
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] processing (25) attribute
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 28 14:32:05 algo charon: 14[KNL] adding SAD entry with SPI 0397cf6f and reqid {1}
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] peer supports MOBIKE
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] authentication of '51.xx.xx.xx' (myself) with ECDSA-384 signature successful
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] IKE_SA ikev2-pubkey[1] established between 10.14.211.135[51.xx.xx.xx]...80.xx.xx.xx[user1]
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] IKE_SA ikev2-pubkey[1] state change: CONNECTING => ESTABLISHED
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] sending end entity cert "CN=51.xx.xx.xx"
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] peer requested virtual IP %any
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] assigning new lease to 'user1'
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] assigning virtual IP 10.19.48.1 to peer 'user1'
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] peer requested virtual IP %any6
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] assigning new lease to 'user1'
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] assigning virtual IP fd9d:bc11:4020::1 to peer 'user1'
Sep 28 14:32:05 algo ipsec[837]: 14[IKE] building INTERNAL_IP4_DNS attribute
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] proposing traffic selectors for us:
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]  0.0.0.0/0
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]  ::/0
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] proposing traffic selectors for other:
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]  10.19.48.1/32
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]  fd9d:bc11:4020::1/128
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]   candidate "ikev2-pubkey" with prio 15+3
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] found matching child config "ikev2-pubkey" with prio 18
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] selecting proposal:
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]   proposal matches
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] configured proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Sep 28 14:32:05 algo ipsec[837]: 14[KNL] got SPI cdab0f32
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] selecting traffic selectors for us:
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]  config: ::/0, received: 0.0.0.0/0 => no match
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]  config: ::/0, received: ::/0 => match: ::/0
Sep 28 14:32:05 algo ipsec[837]: 14[CFG] selecting traffic selectors for other:
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]  config: 10.19.48.1/32, received: 0.0.0.0/0 => match: 10.19.48.1/32
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]  config: 10.19.48.1/32, received: ::/0 => no match
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]  config: fd9d:bc11:4020::1/128, received: 0.0.0.0/0 => no match
Sep 28 14:32:05 algo ipsec[837]: 14[CFG]  config: fd9d:bc11:4020::1/128, received: ::/0 => match: fd9d:bc11:4020::1/128
Sep 28 14:32:05 algo ipsec[837]: 14[KNL] adding SAD entry with SPI cdab0f32 and reqid {1}
Sep 28 14:32:05 algo ipsec[837]: 14[KNL]   using encryption algorithm AES_GCM_16 with key size 288
Sep 28 14:32:05 algo charon: 14[KNL]   using encryption algorithm AES_GCM_16 with key size 288
Sep 28 14:32:05 algo ipsec[837]: 14[KNL]   using replay window of 32 packets
Sep 28 14:32:05 algo charon: 14[KNL]   using replay window of 0 packets
Sep 28 14:32:05 algo charon: 14[KNL] adding policy 10.19.48.1/32 === 0.0.0.0/0 in [priority 383615, refcount 1]
Sep 28 14:32:05 algo charon: 14[KNL] adding policy 10.19.48.1/32 === 0.0.0.0/0 fwd [priority 383615, refcount 1]
Sep 28 14:32:05 algo charon: 14[KNL] adding policy 0.0.0.0/0 === 10.19.48.1/32 out [priority 383615, refcount 1]
Sep 28 14:32:05 algo charon: 14[KNL] getting a local address in traffic selector 0.0.0.0/0
Sep 28 14:32:05 algo charon: 14[KNL] using host %any
Sep 28 14:32:05 algo charon: 14[KNL] getting iface name for index 2
Sep 28 14:32:05 algo charon: 14[KNL] using 10.14.211.134 as nexthop and ens2 as dev to reach 80.xx.xx.xx/32
Sep 28 14:32:05 algo charon: 14[KNL] installing route: 10.19.48.1/32 via 10.14.211.134 src %any dev ens2
Sep 28 14:32:05 algo charon: 14[KNL] getting iface index for ens2
Sep 28 14:32:05 algo charon: 14[KNL] adding policy fd9d:bc11:4020::1/128 === ::/0 in [priority 334463, refcount 1]
Sep 28 14:32:05 algo charon: 14[KNL] adding policy fd9d:bc11:4020::1/128 === ::/0 fwd [priority 334463, refcount 1]
Sep 28 14:32:05 algo charon: 14[KNL] adding policy ::/0 === fd9d:bc11:4020::1/128 out [priority 334463, refcount 1]
Sep 28 14:32:05 algo charon: 14[KNL] getting a local address in traffic selector ::/0
Sep 28 14:32:05 algo charon: 14[KNL] using host %any6
Sep 28 14:32:05 algo charon: 14[KNL] getting iface name for index 2
Sep 28 14:32:05 algo charon: 14[KNL] using 10.14.211.134 as nexthop and ens2 as dev to reach 80.xx.xx.xx/32
Sep 28 14:32:05 algo charon: 14[KNL] installing route: fd9d:bc11:4020::1/128 via 10.14.211.134 src %any6 dev ens2
Sep 28 14:32:05 algo charon: 14[KNL] getting iface index for ens2
Sep 28 14:32:05 algo charon: 14[IKE] CHILD_SA ikev2-pubkey{1} established with SPIs cdab0f32_i 0397cf6f_o and TS 0.0.0.0/0 ::/0 === 10.19.48.1/32 fd9d:bc11:4020::1/128
Sep 28 14:32:05 algo charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Sep 28 14:32:05 algo charon: 14[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348] (1014 bytes)
Sep 28 14:32:05 algo charon: 04[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348]
Sep 28 14:32:05 algo charon: 14[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:05 algo charon: 14[MGR] checkin of IKE_SA successful
Sep 28 14:32:15 algo charon: 03[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500]
Sep 28 14:32:15 algo charon: 03[NET] waiting for data on sockets
Sep 28 14:32:15 algo charon: 07[MGR] checkout IKEv2 SA by message with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:15 algo charon: 07[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Sep 28 14:32:15 algo charon: 07[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500] (64 bytes)
Sep 28 14:32:15 algo charon: 07[ENC] parsed INFORMATIONAL request 2 [ ]
Sep 28 14:32:15 algo charon: 07[ENC] generating INFORMATIONAL response 2 [ ]
Sep 28 14:32:15 algo charon: 07[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348] (57 bytes)
Sep 28 14:32:15 algo charon: 07[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:15 algo charon: 07[MGR] checkin of IKE_SA successful
Sep 28 14:32:15 algo charon: 04[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348]
Sep 28 14:32:24 algo charon: 15[MGR] checkout IKEv2 SA with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:24 algo charon: 15[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Sep 28 14:32:24 algo charon: 15[KNL] querying policy 0.0.0.0/0 === 10.19.48.1/32 out
Sep 28 14:32:24 algo charon: 15[KNL] querying policy ::/0 === fd9d:bc11:4020::1/128 out
Sep 28 14:32:24 algo charon: 15[KNL] querying SAD entry with SPI 0397cf6f
Sep 28 14:32:24 algo charon: 15[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:24 algo charon: 15[MGR] checkin of IKE_SA successful
Sep 28 14:32:25 algo charon: 03[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500]
Sep 28 14:32:25 algo charon: 03[NET] waiting for data on sockets
Sep 28 14:32:25 algo charon: 09[MGR] checkout IKEv2 SA by message with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:25 algo charon: 09[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Sep 28 14:32:25 algo charon: 09[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500] (64 bytes)
Sep 28 14:32:25 algo charon: 09[ENC] parsed INFORMATIONAL request 3 [ ]
Sep 28 14:32:25 algo charon: 09[ENC] generating INFORMATIONAL response 3 [ ]
Sep 28 14:32:25 algo charon: 09[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348] (57 bytes)
Sep 28 14:32:25 algo charon: 09[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:25 algo charon: 09[MGR] checkin of IKE_SA successful
Sep 28 14:32:25 algo charon: 04[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348]
Sep 28 14:32:34 algo charon: 10[MGR] checkout IKEv2 SA with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:34 algo charon: 10[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Sep 28 14:32:34 algo charon: 10[KNL] querying policy 0.0.0.0/0 === 10.19.48.1/32 out
Sep 28 14:32:34 algo charon: 10[KNL] querying policy ::/0 === fd9d:bc11:4020::1/128 out
Sep 28 14:32:34 algo charon: 10[KNL] querying SAD entry with SPI 0397cf6f
Sep 28 14:32:34 algo charon: 10[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:34 algo charon: 10[MGR] checkin of IKE_SA successful
Sep 28 14:32:34 algo charon: 16[MGR] checkout IKEv2 SA with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:34 algo charon: 16[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Sep 28 14:32:34 algo charon: 16[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:34 algo charon: 16[MGR] checkin of IKE_SA successful
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] adding SAD entry with SPI 0397cf6f and reqid {1}
Sep 28 14:32:35 algo ipsec[837]: 14[KNL]   using encryption algorithm AES_GCM_16 with key size 288
Sep 28 14:32:35 algo ipsec[837]: 14[KNL]   using replay window of 0 packets
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] adding policy 10.19.48.1/32 === 0.0.0.0/0 in [priority 383615, refcount 1]
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] adding policy 10.19.48.1/32 === 0.0.0.0/0 fwd [priority 383615, refcount 1]
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] adding policy 0.0.0.0/0 === 10.19.48.1/32 out [priority 383615, refcount 1]
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] getting a local address in traffic selector 0.0.0.0/0
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] using host %any
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] getting iface name for index 2
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] using 10.14.211.134 as nexthop and ens2 as dev to reach 80.xx.xx.xx/32
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] installing route: 10.19.48.1/32 via 10.14.211.134 src %any dev ens2
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] getting iface index for ens2
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] adding policy fd9d:bc11:4020::1/128 === ::/0 in [priority 334463, refcount 1]
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] adding policy fd9d:bc11:4020::1/128 === ::/0 fwd [priority 334463, refcount 1]
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] adding policy ::/0 === fd9d:bc11:4020::1/128 out [priority 334463, refcount 1]
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] getting a local address in traffic selector ::/0
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] using host %any6
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] getting iface name for index 2
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] using 10.14.211.134 as nexthop and ens2 as dev to reach 80.xx.xx.xx/32
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] installing route: fd9d:bc11:4020::1/128 via 10.14.211.134 src %any6 dev ens2
Sep 28 14:32:35 algo ipsec[837]: 14[KNL] getting iface index for ens2
Sep 28 14:32:35 algo ipsec[837]: 14[IKE] CHILD_SA ikev2-pubkey{1} established with SPIs cdab0f32_i 0397cf6f_o and TS 0.0.0.0/0 ::/0 === 10.19.48.1/32 fd9d:bc11:4020::1/128
Sep 28 14:32:35 algo ipsec[837]: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Sep 28 14:32:35 algo ipsec[837]: 14[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348] (1014 bytes)
Sep 28 14:32:35 algo ipsec[837]: 04[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348]
Sep 28 14:32:35 algo ipsec[837]: 14[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:35 algo ipsec[837]: 14[MGR] checkin of IKE_SA successful
Sep 28 14:32:35 algo ipsec[837]: 03[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500]
Sep 28 14:32:35 algo ipsec[837]: 03[NET] waiting for data on sockets
Sep 28 14:32:35 algo ipsec[837]: 07[MGR] checkout IKEv2 SA by message with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:35 algo charon: 03[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500]
Sep 28 14:32:35 algo ipsec[837]: 07[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Sep 28 14:32:35 algo ipsec[837]: 07[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500] (64 bytes)
Sep 28 14:32:35 algo ipsec[837]: 07[ENC] parsed INFORMATIONAL request 2 [ ]
Sep 28 14:32:35 algo ipsec[837]: 07[ENC] generating INFORMATIONAL response 2 [ ]
Sep 28 14:32:35 algo ipsec[837]: 07[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348] (57 bytes)
Sep 28 14:32:35 algo ipsec[837]: 07[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:35 algo ipsec[837]: 07[MGR] checkin of IKE_SA successful
Sep 28 14:32:35 algo ipsec[837]: 04[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348]
Sep 28 14:32:35 algo ipsec[837]: 15[MGR] checkout IKEv2 SA with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:35 algo ipsec[837]: 15[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Sep 28 14:32:35 algo ipsec[837]: 15[KNL] querying policy 0.0.0.0/0 === 10.19.48.1/32 out
Sep 28 14:32:35 algo ipsec[837]: 15[KNL] querying policy ::/0 === fd9d:bc11:4020::1/128 out
Sep 28 14:32:35 algo ipsec[837]: 15[KNL] querying SAD entry with SPI 0397cf6f
Sep 28 14:32:35 algo ipsec[837]: 15[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:35 algo ipsec[837]: 15[MGR] checkin of IKE_SA successful
Sep 28 14:32:35 algo ipsec[837]: 03[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500]
Sep 28 14:32:35 algo ipsec[837]: 03[NET] waiting for data on sockets
Sep 28 14:32:35 algo ipsec[837]: 09[MGR] checkout IKEv2 SA by message with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:35 algo ipsec[837]: 09[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Sep 28 14:32:35 algo ipsec[837]: 09[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500] (64 bytes)
Sep 28 14:32:35 algo ipsec[837]: 09[ENC] parsed INFORMATIONAL request 3 [ ]
Sep 28 14:32:35 algo ipsec[837]: 09[ENC] generating INFORMATIONAL response 3 [ ]
Sep 28 14:32:35 algo ipsec[837]: 09[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348] (57 bytes)
Sep 28 14:32:35 algo ipsec[837]: 09[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:35 algo ipsec[837]: 09[MGR] checkin of IKE_SA successful
Sep 28 14:32:35 algo ipsec[837]: 04[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348]
Sep 28 14:32:35 algo ipsec[837]: 10[MGR] checkout IKEv2 SA with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:35 algo ipsec[837]: 16[MGR] checkout IKEv2 SA with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:35 algo ipsec[837]: 10[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Sep 28 14:32:35 algo ipsec[837]: 10[KNL] querying policy 0.0.0.0/0 === 10.19.48.1/32 out
Sep 28 14:32:35 algo ipsec[837]: 10[KNL] querying policy ::/0 === fd9d:bc11:4020::1/128 out
Sep 28 14:32:35 algo ipsec[837]: 10[KNL] querying SAD entry with SPI 0397cf6f
Sep 28 14:32:35 algo ipsec[837]: 10[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:35 algo ipsec[837]: 10[MGR] checkin of IKE_SA successful
Sep 28 14:32:35 algo ipsec[837]: 16[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Sep 28 14:32:35 algo ipsec[837]: 16[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:35 algo charon: 03[NET] waiting for data on sockets
Sep 28 14:32:35 algo ipsec[837]: 16[MGR] checkin of IKE_SA successful
Sep 28 14:32:35 algo charon: 11[MGR] checkout IKEv2 SA by message with SPIs 03a8e17890fe300b_i a921c930b109d4ac_r
Sep 28 14:32:35 algo charon: 11[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Sep 28 14:32:35 algo charon: 11[NET] received packet: from 80.xx.xx.xx[19348] to 10.14.211.135[4500] (64 bytes)
Sep 28 14:32:35 algo charon: 11[ENC] parsed INFORMATIONAL request 4 [ ]
Sep 28 14:32:35 algo charon: 11[ENC] generating INFORMATIONAL response 4 [ ]
Sep 28 14:32:35 algo charon: 11[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348] (57 bytes)
Sep 28 14:32:35 algo charon: 11[MGR] checkin IKE_SA ikev2-pubkey[1]
Sep 28 14:32:35 algo charon: 11[MGR] checkin of IKE_SA successful
Sep 28 14:32:35 algo charon: 04[NET] sending packet: from 10.14.211.135[4500] to 80.xx.xx.xx[19348]

@amarCosmospace
Author

amarCosmospace commented Sep 28, 2018

It always retries sending the packets and fails....

@TC1977
Contributor

TC1977 commented Sep 28, 2018

SSH in with another connection, leaving the window with tail -f /var/log/syslog running, and try sudo ipsec statusall. Does it still say no packets received?

@TC1977
Contributor

TC1977 commented Nov 3, 2018

@amarCosmospace All the logs you have there look like everything is working correctly. The only idea I have at this point is an MTU issue. Check out https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn and also #1066

@amarCosmospace
Author

@TC1977 Will give it a try when I get some spare time, sorry 👍

@noofaq

noofaq commented Nov 5, 2018

I have done a retry on Scaleway - I do a local installation from inside the Scaleway instance. OS is Ubuntu 16.04.

There is in fact something related to MTU, as ping with MTU 1500 does not work. After reducing the MTU to accepted values I start to see a difference in bytes sent/received. I have chosen max_mss: 1345, but I think low 14xx should also be fine with my basic tests.

Websites started to work using their IPs (like 1.1.1.1), but DNS resolution does not work and I have no idea how to trace it - could you give me any help?

I see that dnscrypt-proxy fails and service cannot be started with error:

Nov  5 15:04:56 scw-4849ae dnscrypt-proxy[1131]: Unable to use source [public-resolvers]: [read udp 127.0.0.1:43777->127.0.0.53:53: read: connection refused]
Nov  5 15:04:56 scw-4849ae dnscrypt-proxy[1131]: No servers configured

[EDIT] It seems that I had to update the fallback_resolver option in the dnscrypt-proxy config. After I switched that option to '1.1.1.1:53' everything started to work. But I am not sure it is a safe solution, as I have no experience with DNSCrypt.
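The MTU finding above can be reasoned about instead of guessed. The block below is an added example, not code from this thread or from Algo: it adds up the per-packet overhead of the tunnel the syslog excerpt shows being negotiated (IKEv2 with UDP-encapsulated ESP on port 4500 and the AES_GCM_16 proposal) and derives the largest TCP MSS that still fits a given path MTU. The header sizes are the standard ones from RFC 4303 and RFC 4106; the path MTU is the one input you have to measure yourself, for example with a don't-fragment ping, and the function names and the 1500/1450 sample values are this example's own.

```python
# Per-packet overhead of IPsec tunnel mode with UDP encapsulation (NAT-T)
# and ESP AES-GCM with a 16-byte ICV, as negotiated in the charon log.
OUTER_IPV4 = 20      # outer IPv4 header, no options
OUTER_IPV6 = 40      # outer IPv6 header
UDP_ENCAP = 8        # UDP header added for NAT traversal (port 4500)
ESP_HEADER = 8       # SPI (4) + sequence number (4)
GCM_IV = 8           # explicit AES-GCM IV carried in each ESP packet (RFC 4106)
GCM_ICV = 16         # integrity check value, the "_16" in AES_GCM_16
ESP_TRAILER = 2      # pad length (1) + next header (1)
ESP_ALIGN = 4        # payload + padding + trailer must end on a 4-byte boundary
INNER_IPV4_TCP = 40  # inner IPv4 (20) + TCP (20), no options
ICMP_ECHO_IPV4 = 28  # IPv4 (20) + ICMP echo header (8), for DF ping sizing


def max_inner_packet(path_mtu, outer_ip=OUTER_IPV4):
    """Largest inner IP packet that fits in one ESP-in-UDP datagram of path_mtu bytes.

    Everything except the inner packet and its padding is fixed size; the padding
    is chosen so (inner + pad + trailer) is a multiple of ESP_ALIGN, so the best
    case is the largest aligned size with zero padding.
    """
    fixed = outer_ip + UDP_ENCAP + ESP_HEADER + GCM_IV + GCM_ICV
    room = path_mtu - fixed              # bytes left for inner packet + pad + trailer
    aligned = room - (room % ESP_ALIGN)  # round down to the alignment boundary
    return aligned - ESP_TRAILER


def recommended_mss(path_mtu, outer_ip=OUTER_IPV4):
    """TCP MSS to clamp so a full segment never has to be fragmented inside the tunnel."""
    return max_inner_packet(path_mtu, outer_ip) - INNER_IPV4_TCP


def mss_is_safe(max_mss, path_mtu, outer_ip=OUTER_IPV4):
    """True if a configured max_mss (the knob used in the comment above) fits the path MTU."""
    return max_mss <= recommended_mss(path_mtu, outer_ip)


def df_ping_payload(path_mtu):
    """ICMP payload size that makes an IPv4 echo exactly path_mtu bytes, for a
    don't-fragment probe such as `ping -M do -s <payload> <host>` on Linux."""
    return path_mtu - ICMP_ECHO_IPV4


if __name__ == "__main__":
    # Sample values (constructed): a clean 1500-byte path and a slightly smaller one.
    for mtu in (1500, 1450):
        print(f"path MTU {mtu}: max inner packet {max_inner_packet(mtu)}, "
              f"recommended MSS {recommended_mss(mtu)}, DF ping payload {df_ping_payload(mtu)}")
```

With a clean 1500-byte path the tunnel leaves room for a 1438-byte inner packet, i.e. an MSS of 1398; the 1345 chosen above sits comfortably below that and leaves headroom for a provider network whose path MTU is somewhat under 1500. Measure the real path MTU with the DF ping first, then clamp; a value that is too high shows up as exactly the symptom described here, small packets (DNS, ICMP) pass while full-size TCP segments stall.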

@davidemyers
Contributor

@noofaq Ubuntu 16.04 is not supported. Use Ubuntu 18.04.

@noofaq

noofaq commented Nov 5, 2018

@davidemyers I would love to use it, but on Scaleway 18.04 it is not available (at least for now) in smallest instance size (START1-XS) which is perfectly sufficient for my very little needs.

AlgoVPN seems to work after changing MTU and mentioned dnscrypt-proxy configuration

@ghost

ghost commented Nov 14, 2018

I'm facing a similar issue: I can connect but websites don't load, though some packets of messaging apps go through.
I tried setting the MTU as low as 576 but it did not change the result.

The output of iptables -S is

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name icmp-echo-drop -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500,51820 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p ipencap -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -d 172.16.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 10.19.48.0/24 -d 10.19.48.0/24 -j DROP
-A FORWARD -s 10.19.48.0/24 -d 10.19.49.0/24 -j DROP
-A FORWARD -s 10.19.49.0/24 -d 10.19.48.0/24 -j DROP
-A FORWARD -s 10.19.49.0/24 -d 10.19.49.0/24 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
-A FORWARD -s 10.19.48.0/24 -m conntrack --ctstate NEW -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -s 10.19.49.0/24 -m conntrack --ctstate NEW -m policy --dir in --pol none -j ACCEPT

When I clear the iptables rules it works, but the settings above come back and then it does not work anymore. My guess is that there are iptables rules that result in packets being dropped which should not get dropped.

@kristallizer

I'm not sure if it's related, but I've been trying Algo for the past few days and the VPN works absolutely great for a few hours and then websites just stop loading even if I'm able to successfully connect to the VPN. I've tried Lightsail, Digital Ocean, and Vultr and it's the same issue everywhere. The issue persists even after a system reboot. I still haven't deleted an instance which is misbehaving, so please let me know if there are some logs that would help debug the issue.

@sid77

sid77 commented Nov 23, 2018

I'm not on Scaleway but same issue here with both the latest macOS and iOS clients: they both connect to the Algo server but no DNS requests go through.

I tried changing fallback_resolver as mentioned in #1130 (comment) but that only works temporary and eventually dnscrypt-proxy stops working again.

only "workaround" I've found so far is to set dns_encryption: false in config.cfg to completely bypass this feature and go straight to the preconfigured Cloudflare resolvers

@TC1977
Contributor

TC1977 commented Nov 23, 2018

@kristallizer @sid77 The general troubleshooting steps I'd check out while SSH'd into the Algo server are:
service dnscrypt-proxy status to confirm that dnscrypt-proxy is working correctly;
service dnsmasq status to confirm that dnsmasq is working correctly (assuming you enabled ad-blocking originally);
dig www.google.com to confirm that DNS is working properly on the Algo server;
tail -f /var/log/syslog|grep charon to keep a running log - then try to connect from a client and see if there are any error messages;
then hit ctrl-z to pause or ctrl-c to kill the running log, then sudo ipsec statusall while connected from a client, to confirm that your tunnel is up and transferring data;
then finally check out the MTU troubleshooting steps listed here.

@sid77

sid77 commented Nov 23, 2018

service dnscrypt-proxy status to confirm that dnscrypt-proxy is working correctly;

dnscrypt-proxy was enabled and running, now I've stopped it since setting dns_encryption: false

service dnsmasq status to confirm that dnsmasq is working correctly (assuming you enabled ad-blocking originally);

not using it atm

dig www.google.com to confirm that DNS is working properly on the Algo server;

working

tail -f /var/log/syslog|grep charon to keep a running log - then try to connect from a client and see if there are any error messages;
then hit ctrl-z to pause or ctrl-c to kill the running log, then sudo ipsec statusall while connected from a client, to confirm that your tunnel is up and transferring data;

all working

then finally check out the MTU troubleshooting steps listed here.

tried this as well, no effect

@TC1977
Contributor

TC1977 commented Nov 23, 2018

service dnscrypt-proxy status to confirm that dnscrypt-proxy is working correctly;

dnscrypt-proxy was enabled and running, now I've stopped it since setting dns_encryption: false

@sid77 What do you mean by this? You initially deployed with dns_encryption: true, then re-deployed with dns_encryption: false? Or you deployed with dns_encryption: true, changed the setting in the config.cfg file, then did service dnscrypt-proxy stop or similar on the existing server?

Changing the setting on the config.cfg file won't change anything on an existing server after you've already deployed.

@ghost

ghost commented Nov 23, 2018

deployed with dns_encryption: false

This solves my issue as well (on Ubuntu 18.04 on a Hetzner install), but ideally this should not be necessary, I guess?

@kristallizer

@TC1977 dnsmasq is getting killed on the VPN deployed with dns_encryption: true.

root@algo-ny-2-encr:~# service dnsmasq status
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/dnsmasq.service.d
           └─100-CustomLimitations.conf
   Active: failed (Result: signal) since Mon 2018-11-26 02:10:43 UTC; 20h ago
  Process: 25008 ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf (code=exited, status=0/SUCCESS)
  Process: 20173 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
  Process: 20152 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
  Process: 25015 ExecStartPre=/usr/sbin/dnsmasq --test (code=killed, signal=KILL)
 Main PID: 20170 (code=exited, status=0/SUCCESS)
      CPU: 210ms

Nov 26 02:10:39 algo-ny-2-encr systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
Nov 26 02:10:43 algo-ny-2-encr systemd[1]: dnsmasq.service: Control process exited, code=killed status=9
Nov 26 02:10:43 algo-ny-2-encr systemd[1]: dnsmasq.service: Failed with result 'signal'.
Nov 26 02:10:43 algo-ny-2-encr systemd[1]: Failed to start dnsmasq - A lightweight DHCP and caching DNS server.
Nov 26 02:10:43 algo-ny-2-encr systemd[1]: dnsmasq.service: Consumed 210ms CPU time

Trying to bring it back up also fails...

root@algo-ny-2-encr:~# service dnsmasq start
Job for dnsmasq.service failed because a fatal signal was delivered to the control process.
See "systemctl status dnsmasq.service" and "journalctl -xe" for details.

@davidemyers
Contributor

davidemyers commented Nov 27, 2018

@kristallizer Thanks for posting that output.

Here's something to try to possibly get things going again and narrow down the issue:

Remove (or move) the file: /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf

Run: sudo systemctl daemon-reload

Run: sudo systemctl restart dnsmasq

(Edited to add sudo to the systemctl commands.)

@davidemyers
Contributor

davidemyers commented Nov 27, 2018

OK, I think it's not resource limits as I speculated above.

02:10 is when /usr/local/sbin/adblock.sh is run to rebuild the list of hosts to block and store it as /etc/dnsmasq.d/block.hosts.conf, then restart dnsmasq. Perhaps that file is getting corrupted somehow?

If dns_encryption: true then the file /etc/dnsmasq.d/dnscrypt-proxy exists and will be read by dnsmasq at startup after block.hosts.conf. So maybe something is going wrong with the creation of block.hosts.conf that upsets dnsmasq when it goes to read dnscrypt-proxy?

@kristallizer

I ran the commands mentioned in #1130 (comment) yesterday night and it started working fine again. There has been one scheduled dnsmasq restart after that - Active: active (running) since Tue 2018-11-27 02:10:47 UTC; 12h ago - which was successful.

@davidemyers
Contributor

This issue thread contains different failure reports, many of them not related to Scaleway, so I've opened a new issue #1221 to track the problem of dnsmasq not restarting correctly.

If your problem is that you are able to connect to your VPN server but host name resolution stops working, and you have installed ad blocking with the option:

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?

Please follow the new issue.

@robertovalerio

For people using Hetzner and other vendors:

Check
journalctl -u strongswan | grep "pool"

If you see IPv6 pools filling up ("virtual IP pool too large, limiting to [IPv6-address]")

just open

/etc/dnscrypt-proxy/dnscrypt-proxy.toml

and change this

ipv6_servers = false

Then restart with

systemctl restart dnscrypt-proxy.service

I got it from here and it saved my day:

#1221 (comment)

@davidemyers
Contributor

The message:

virtual IP pool too large, limiting to fd9d:bc11:4020::/97

is actually normal and doesn't indicate a problem.

Does your server have working IPv6?

@jackivanov
Collaborator

Looks like a dnscrypt-proxy bug. I'm able to reproduce it when ipv6_servers=true and IPv6 doesn't work; dnscrypt-proxy doesn't use IPv4 as failover.
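A small shell helper for the ipv6_servers workaround discussed above, added here as an example and not part of Algo or of this thread. It assumes the toml uses a plain `ipv6_servers = true|false` line and uses Google's IPv6 resolver 2001:4860:4860::8888 as the reachability probe (both are assumptions); the sample config it edits is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: detect a server without usable IPv6 and switch
# dnscrypt-proxy to IPv4-only upstreams, keeping a backup of the config.

# Print the current ipv6_servers value ("true" or "false") from a toml file.
dnscrypt_ipv6_servers() {
    sed -n 's/^[[:space:]]*ipv6_servers[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n1
}

# Rewrite "ipv6_servers = true" to "false"; a copy is kept as "<file>.bak".
disable_dnscrypt_ipv6() {
    cp "$1" "$1.bak"
    sed 's/^\([[:space:]]*ipv6_servers[[:space:]]*=[[:space:]]*\)true/\1false/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Return 0 when the host has a default IPv6 route and can reach an IPv6
# address (assumption: Google's resolver is an acceptable probe target).
host_has_ipv6() {
    ip -6 route show default 2>/dev/null | grep -q . || return 1
    ping -6 -c 1 -W 2 2001:4860:4860::8888 >/dev/null 2>&1
}

# Constructed sample config so the logic can be exercised without touching
# the real /etc/dnscrypt-proxy/dnscrypt-proxy.toml.
SAMPLE="${TMPDIR:-/tmp}/dnscrypt-proxy-sample.toml"
cat > "$SAMPLE" <<'EOF'
listen_addresses = ['127.0.0.1:5353']
ipv4_servers = true
ipv6_servers = true
require_dnssec = false
EOF

if [ "$(dnscrypt_ipv6_servers "$SAMPLE")" = "true" ] && ! host_has_ipv6; then
    disable_dnscrypt_ipv6 "$SAMPLE"
    echo "ipv6_servers disabled in $SAMPLE; on a real server run: sudo systemctl restart dnscrypt-proxy.service"
else
    echo "no change needed for $SAMPLE"
fi
```

Point SAMPLE at /etc/dnscrypt-proxy/dnscrypt-proxy.toml (as root) to apply the same check to a live Algo server.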

@ameeno

ameeno commented Dec 27, 2018

any fix for this on hetzner?

@deanishe

deanishe commented Jan 27, 2019

any fix for this on hetzner?

Does this have anything to do with Hetzner? It seems to be an issue with Algo.

My Hetzner Algo server worked flawlessly with IPv6 for ~1 year. I just re-installed it because I wanted to try out WireGuard, and now VPN clients have no DNS when ipv6_servers is true in dnscrypt-proxy.toml.

The server itself still has perfect IPv6 connectivity.

@Nisthar

Nisthar commented Nov 23, 2019

@TC1977 I am having the same issue. I am using DigitalOcean Ubuntu 19.04 x64. It ran the Algo setup correctly. I connected through my Android device but I am not getting an internet connection.

I ran the command sudo ipsec statusall while my Android is connected to the VPN.
This is the result:

Status of IKE charon daemon (strongSwan 5.7.1, Linux 5.0.0-36-generic, x86_64):
  uptime: 68 minutes, since Nov 23 06:47:11 2019
  malloc: sbrk 1716224, mmap 0, used 531824, free 1184400
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes sha2 random nonce x509 revocation pubkey pkcs7 pkcs8 pkcs12 pgp pem openssl hmac gcm kernel-netlink socket-default stroke
Virtual IP pools (size/online/offline):
  10.19.48.0/24: 254/0/0
  fd9d:bc11:4020::/48: 2147483646/0/0
Listening IP addresses:
  204.48.20.60
  10.10.0.6
  10.19.49.1
Connections:
ikev2-pubkey:  %any...%any  IKEv2, dpddelay=35s
ikev2-pubkey:   local:  [204.48.20.60] uses public key authentication
ikev2-pubkey:    cert:  "CN=204.48.20.60"
ikev2-pubkey:   remote: uses public key authentication
ikev2-pubkey:   child:  0.0.0.0/0 ::/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none

It's saying 0 up, even though my Android is connected.

@TC1977
Contributor

TC1977 commented Nov 23, 2019

@Nisthar you're adding onto an old thread with what sounds like a different problem and a different cloud provider. Want to either post on Gitter chat, or open a new issue?

...but first, make sure you're not actually using WireGuard, as Algo now uses WireGuard by default for Android. With your Android connected, try sudo wg on the VPN server.

@Nisthar

Nisthar commented Nov 23, 2019

@TC1977 sent you a msg in gitter.
