hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

VPN disconnects after some time or if on high load #1612

Closed Chiorufarewerin closed 2 weeks ago

Chiorufarewerin commented 2 weeks ago

I use this VPN setup because I like having some kind of native support without external clients, like OpenVPN. Thank you. And I have an issue with it: I need to constantly reconnect after a while. Sometimes after an hour, sometimes when I generate high load, like when using torrents.

Here are the logs from grep pluto /var/log/auth.log. I intentionally started a torrent client, and after a couple of minutes the connection dropped. After reconnecting it works as expected.

2024-11-11T22:25:34.991075+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[3] 133.39.140.222 #6: ESP traffic information: in=16MiB out=250MiB
2024-11-11T22:25:35.030507+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[3] 133.39.140.222 #11: Child SA proposals (new child):
2024-11-11T22:25:35.030906+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[3] 133.39.140.222 #11:   1:ESP=AES_GCM_16_128+AES_GCM_16_256-NONE-NONE-ESN:YES+NO
2024-11-11T22:25:35.031307+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[3] 133.39.140.222 #11:   2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ESN:YES+NO
2024-11-11T22:25:35.031489+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[3] 133.39.140.222 #11:   3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ESN:YES+NO
2024-11-11T22:25:35.031682+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[3] 133.39.140.222 #11:   4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ESN:YES+NO
2024-11-11T22:25:35.031890+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[3] 133.39.140.222 #11:   5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ESN:YES+NO
2024-11-11T22:25:35.032066+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[3] 133.39.140.222 #11: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=NO

2024-11-11T22:32:23.763792+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #12: processing IKE_SA_INIT request from 133.39.140.222:UDP/2 containing SA,KE,Ni,N(IKEV2_FRAGMENTATION_SUPPORTED),N(NAT_DETECTION_SOURCE_IP),N(NAT_DETECTION_DESTINATION_IP),V,V,V,V
2024-11-11T22:32:23.768994+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #12: proposal 1:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
2024-11-11T22:32:23.777012+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #12: sent IKE_SA_INIT response to 133.39.140.222:UDP/2 {cipher=AES_CBC_128 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2024-11-11T22:32:23.832372+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #12: received IKE_AUTH request fragment 1 (1 of 6), computing DH in the background
2024-11-11T22:32:23.835513+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #12: processing decrypted IKE_AUTH request from 133.39.140.222:UDP/16444 containing SK{IDi,CERT,CERTREQ,AUTH,CP,SA,TSi,TSr}
2024-11-11T22:32:23.836729+02:00 nlvm-pico47281 pluto[191791]: adding the CA+root cert O=IKEv2 VPN,CN=IKEv2 VPN CA
2024-11-11T22:32:23.841184+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #12: responder established IKE SA; authenticated peer certificate 'CN=vpnclient, O=IKEv2 VPN' and 3072-bit PKCS#1 1.5 RSA with SHA1 signature issued by 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
2024-11-11T22:32:23.855138+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #13: proposal 1:ESP=AES_CBC_128-HMAC_SHA2_256_128-ESN:NO SPI=2fa3f1de chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;ESN=NO[first-match]
2024-11-11T22:32:23.913134+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #13: responder established Child SA using #12; IPsec tunnel [0.0.0.0/0===192.168.43.11/32] {ESPinUDP=>0x2fa3f1de <0xa05d1ec4 xfrm=AES_CBC_128-HMAC_SHA2_256_128 NATD=133.39.140.222:16444 DPD=active}
2024-11-11T22:33:42.951953+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #14: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=NO
2024-11-11T22:33:42.960061+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #14: CREATE_CHILD_SA request failed, responder SA processing returned NO_PROPOSAL_CHOSEN
2024-11-11T22:33:42.967173+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #12: responding to CREATE_CHILD_SA message (ID 2) from 133.39.140.222:16444 with encrypted notification NO_PROPOSAL_CHOSEN
2024-11-11T22:34:17.492709+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #13: ESP traffic information: in=193MiB out=252MiB
2024-11-11T22:34:17.539656+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #15: Child SA proposals (new child):
2024-11-11T22:34:17.540841+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #15:   1:ESP=AES_GCM_16_128+AES_GCM_16_256-NONE-NONE-ESN:YES+NO
2024-11-11T22:34:17.541104+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #15:   2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ESN:YES+NO
2024-11-11T22:34:17.541304+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #15:   3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ESN:YES+NO
2024-11-11T22:34:17.541483+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #15:   4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ESN:YES+NO
2024-11-11T22:34:17.542491+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #15:   5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ESN:YES+NO
2024-11-11T22:34:17.542680+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #15: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=NO
2024-11-11T22:34:17.542859+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #15: CREATE_CHILD_SA request failed, responder SA processing returned NO_PROPOSAL_CHOSEN
2024-11-11T22:34:17.543065+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #12: responding to CREATE_CHILD_SA message (ID 4) from 133.39.140.222:16444 with encrypted notification NO_PROPOSAL_CHOSEN
2024-11-11T22:35:14.702059+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222 #12: deleting IKE SA (established IKE SA)
2024-11-11T22:35:14.703552+02:00 nlvm-pico47281 pluto[191791]: "ikev2-cp"[5] 133.39.140.222: deleting connection instance with peer 133.39.140.222

hwdsl2 commented 2 weeks ago

@Chiorufarewerin Hello! What is the type of your VPN client device (e.g. Windows)? From the logs, it looks like the client encountered some issues with CREATE_CHILD_SA requests, more specifically, there is a proposal mismatch between the client and the VPN server.

First, try upgrading to the latest Libreswan version on your server. See Upgrade Libreswan and CHANGES. After that, see if the issue is resolved. If not, I would suggest that you open an issue in the Libreswan repo and attach the logs.
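As an added example (not part of this issue or of the setup-ipsec-vpn project), a small Python checker that parses pluto lines in the format quoted above, collects the server's child SA proposals and the remote proposal that failed, and reports why they did not match; the sample lines are constructed in the same format with a placeholder peer address. In the issue's own log, the remote CREATE_CHILD_SA (rekey) proposal carries DH=MODP2048 while every listed local child proposal has NONE in the DH position, which is the case the checker surfaces.

```python
import re

# Constructed sample in the pluto/auth.log format quoted in the issue; the host
# name, peer address 203.0.113.5 and timestamps are placeholders, not issue data.
SAMPLE_LOG = """\
2024-11-11T22:33:42+02:00 vpn pluto[1]: "ikev2-cp"[5] 203.0.113.5 #15:   1:ESP=AES_GCM_16_128+AES_GCM_16_256-NONE-NONE-ESN:YES+NO
2024-11-11T22:33:42+02:00 vpn pluto[1]: "ikev2-cp"[5] 203.0.113.5 #15:   4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ESN:YES+NO
2024-11-11T22:33:42+02:00 vpn pluto[1]: "ikev2-cp"[5] 203.0.113.5 #15: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=NO
2024-11-11T22:33:42+02:00 vpn pluto[1]: "ikev2-cp"[5] 203.0.113.5 #15: CREATE_CHILD_SA request failed, responder SA processing returned NO_PROPOSAL_CHOSEN
2024-11-11T22:35:14+02:00 vpn pluto[1]: "ikev2-cp"[5] 203.0.113.5 #12: deleting IKE SA (established IKE SA)
"""

# "conn"[instance] peer #state: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
LOCAL_RE = re.compile(r'^\d+:ESP=(?P<algs>.+)-ESN:')          # local child proposal: encr-integ-dh
REMOTE_RE = re.compile(r'^no local proposal matches remote proposals \d+:ESP:(?P<attrs>\S+)')


def explain_mismatch(local, remote):
    """local: list of (encr, integ, dh) tuples; remote: dict of ENCR/INTEG/DH/ESN."""
    if remote.get("DH") and all(dh == "NONE" for _, _, dh in local):
        return "remote asks for DH group %s (PFS on rekey) but no local child proposal offers a DH group" % remote["DH"]
    if not any(remote["ENCR"] in encr.split("+") for encr, _, _ in local):
        return "no local proposal offers encryption %s" % remote["ENCR"]
    if not any(remote.get("INTEG") == integ for _, integ, _ in local):
        return "no local proposal offers integrity %s" % remote.get("INTEG")
    return "mismatch on another attribute (ESN?)"


def analyze(text):
    """One finding per failed CREATE_CHILD_SA negotiation, flagged if the peer's
    IKE SA was deleted later in the same log (the disconnect the reporter sees)."""
    local_by_sa, findings, torn_down = {}, [], set()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        peer, sa, msg = m["peer"], m["sa"], m["msg"].strip()
        if (lm := LOCAL_RE.match(msg)) and len(lm["algs"].split("-")) == 3:
            local_by_sa.setdefault(sa, []).append(tuple(lm["algs"].split("-")))
        elif rm := REMOTE_RE.match(msg):
            remote = dict(kv.split("=", 1) for kv in rm["attrs"].split(";"))
            findings.append({"peer": peer, "sa": sa, "remote": remote,
                             "reason": explain_mismatch(local_by_sa.get(sa, []), remote)})
        elif msg.startswith("deleting IKE SA"):
            torn_down.add(peer)
    for f in findings:
        f["ike_sa_deleted_later"] = f["peer"] in torn_down
    return findings
```

Run it against the real file with `analyze(open("/var/log/auth.log").read())`; a finding whose reason names a DH group, followed by an IKE SA deletion for the same peer, is the pattern in this issue's log.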

Chiorufarewerin commented 2 weeks ago

Windows. I already had the latest libreswan version at that moment. Thank you for the response.