Bridging does not work
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Bridging does not work
I have used SecureNAT since it won't connect otherwise. The guidelines for submitting a ticket here suggest this should not be necessary, so I am posting info about the config with SecureNAT disabled.
The client fails to connect and reports
Jul 6 13:51:41 ussflux.fios-router.home racoon[1705]: IKEv1 Phase 2 Initiator: success. (Initiator, Quick-Mode).
Jul 6 13:51:41 ussflux.fios-router.home racoon[1705]: IPSec Phase 2 established (Initiated by me).
Jul 6 13:51:41 ussflux.fios-router.home racoon[1705]: >>>>> phase change status = Phase 2 established
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: IPSec disconnecting from server 129.98.90.18
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: IKE Packet: transmit success. (Information message).
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: IKE Packet: transmit success. (Information message).
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: glob found no matches for path "/var/run/racoon/*.conf"
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: pfkey DELETE failed: No such file or directory
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: Connecting.
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: Unknown Informational exchange received.
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: IKE Packet: transmit failed. (Information message).
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: no configuration found for peer address.
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: Can't start the quick mode, there is no ISAKMP-SA, c8cdd648da19f17f:e02b2275d81ee32f:00003f28
Jul 6 13:51:50 ussflux.fios-router.home racoon[1705]: Unknown Informational exchange received.
The server
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1986
inet 129.98.90.18 netmask 255.255.255.0 broadcast 129.98.90.255
ether 00:50:56:b0:3e:1c txqueuelen 1000 (Ethernet)
RX packets 3634 bytes 526946 (514.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1556 bytes 261545 (255.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The configuration
# Software Configuration File
# ---------------------------
#
# You may edit this file when the VPN Server / Client / Bridge program is not running.
#
# In prior to edit this file manually by your text editor,
# shutdown the VPN Server / Client / Bridge background service.
# Otherwise, all changes will be lost.
#
declare root
{
uint ConfigRevision 185
bool IPsecMessageDisplayed true
string Region US
bool VgsMessageDisplayed false
declare DDnsClient
{
bool Disabled false
byte Key aEXehq/TBVXhxAU4fo/eoC7HoQY=
string LocalHostname opensesame
string ProxyHostName $
uint ProxyPort 0
uint ProxyType 0
string ProxyUsername $
}
declare IPsec
{
bool EtherIP_IPsec false
string IPsec_Secret I$20always$20turn$20the$20car$20around
string L2TP_DefaultHub VPN
bool L2TP_IPsec true
bool L2TP_Raw false
declare EtherIP_IDSettingsList
{
}
}
declare ListenerList
{
declare Listener0
{
bool DisableDos false
bool Enabled true
uint Port 443
}
declare Listener1
{
bool DisableDos false
bool Enabled true
uint Port 992
}
declare Listener2
{
bool DisableDos false
bool Enabled true
uint Port 1194
}
declare Listener3
{
bool DisableDos false
bool Enabled true
uint Port 5555
}
}
declare LocalBridgeList
{
bool DoNotDisableOffloading false
declare LocalBridge0
{
string DeviceName eth0
string HubName VPN
bool LimitBroadcast false
bool MonitorMode false
bool NoPromiscuousMode false
bool TapMode false
}
}
declare ServerConfiguration
{
bool AcceptOnlyTls false
uint64 AutoDeleteCheckDiskFreeSpaceMin 104857600
uint AutoDeleteCheckIntervalSecs 300
uint AutoSaveConfigSpan 300
bool BackupConfigOnlyWhenModified true
string CipherName RC4-MD5
uint CurrentBuild 9562
bool DisableCoreDumpOnUnix false
bool DisableDeadLockCheck false
bool DisableDosProction false
bool DisableGetHostNameWhenAcceptTcp false
bool DisableIntelAesAcceleration false
bool DisableIPv6Listener false
bool DisableNatTraversal false
bool DisableOpenVPNServer true
bool DisableSessionReconnect false
bool DisableSSTPServer false
bool DontBackupConfig false
bool EnableVpnAzure false
bool EnableVpnOverDns false
bool EnableVpnOverIcmp false
byte HashedPassword 1DkyrLKQVBiScayIQPYRZQLOQ6g=
string KeepConnectHost keepalive.softether.org
uint KeepConnectInterval 50
uint KeepConnectPort 80
uint KeepConnectProtocol 1
uint64 LoggerMaxLogSize 1073741823
uint MaxConcurrentDnsClientThreads 512
uint MaxConnectionsPerIP 256
uint MaxUnestablishedConnections 1000
bool NoHighPriorityProcess false
bool NoLinuxArpFilter false
bool NoSendSignature false
string OpenVPNDefaultClientOption dev-type$20tun,link-mtu$201500,tun-mtu$201500,cipher$20AES-128-CBC,auth$20SHA1,keysize$20128,key-method$202,tls-client
string OpenVPN_UdpPortList 1194
bool SaveDebugLog false
byte ServerCert [omitted]
byte ServerKey [omitted]
uint ServerLogSwitchType 4
uint ServerType 0
bool UseKeepConnect true
bool UseWebTimePage false
bool UseWebUI false
declare GlobalParams
{
uint FIFO_BUDGET 10240000
uint HUB_ARP_SEND_INTERVAL 5000
uint IP_TABLE_EXPIRE_TIME 60000
uint IP_TABLE_EXPIRE_TIME_DHCP 300000
uint MAC_TABLE_EXPIRE_TIME 600000
uint MAX_BUFFERING_PACKET_SIZE 2560000
uint MAX_HUB_LINKS 1024
uint MAX_IP_TABLES 65536
uint MAX_MAC_TABLES 65536
uint MAX_SEND_SOCKET_QUEUE_NUM 128
uint MAX_SEND_SOCKET_QUEUE_SIZE 2560000
uint MAX_STORED_QUEUE_NUM 1024
uint MEM_FIFO_REALLOC_MEM_SIZE 655360
uint MIN_SEND_SOCKET_QUEUE_SIZE 320000
uint QUEUE_BUDGET 2048
uint SELECT_TIME 256
uint SELECT_TIME_FOR_NAT 30
uint STORM_CHECK_SPAN 500
uint STORM_DISCARD_VALUE_END 1024
uint STORM_DISCARD_VALUE_START 3
}
declare ServerTraffic
{
declare RecvTraffic
{
uint64 BroadcastBytes 21337934754
uint64 BroadcastCount 196451005
uint64 UnicastBytes 397192037648
uint64 UnicastCount 569788290
}
declare SendTraffic
{
uint64 BroadcastBytes 24373538228
uint64 BroadcastCount 226048020
uint64 UnicastBytes 392127956918
uint64 UnicastCount 519439591
}
}
declare SyslogSettings
{
string HostName $
uint Port 514
uint SaveType 0
}
}
declare VirtualHUB
{
declare VPN
{
uint64 CreatedTime 1392051373215
byte HashedPassword +WzqGYrR3VYXrAhKPZLGEHcIwO8=
uint64 LastCommTime 1436172319055
uint64 LastLoginTime 1436172077705
uint NumLogin 121
bool Online true
uint RadiusRetryInterval 0
uint RadiusServerPort 1812
string RadiusSuffixFilter $
byte SecurePassword bpw3X/O5E8a6G6ccnl4uXmDtkwI=
uint Type 0
declare AccessList
{
}
declare AdminOption
{
uint allow_hub_admin_change_option 0
uint deny_bridge 0
uint deny_change_user_password 0
uint deny_empty_password 0
uint deny_hub_admin_change_ext_option 0
uint deny_qos 0
uint deny_routing 0
uint max_accesslists 0
uint max_bitrates_download 0
uint max_bitrates_upload 0
uint max_groups 0
uint max_multilogins_per_user 0
uint max_sessions 0
uint max_sessions_bridge 0
uint max_sessions_client 0
uint max_sessions_client_bridge_apply 0
uint max_users 0
uint no_access_list_include_file 0
uint no_cascade 0
uint no_change_access_control_list 0
uint no_change_access_list 0
uint no_change_admin_password 0
uint no_change_cert_list 0
uint no_change_crl_list 0
uint no_change_groups 0
uint no_change_log_config 0
uint no_change_log_switch_type 0
uint no_change_msg 0
uint no_change_users 0
uint no_delay_jitter_packet_loss 0
uint no_delete_iptable 0
uint no_delete_mactable 0
uint no_disconnect_session 0
uint no_enum_session 0
uint no_offline 0
uint no_online 0
uint no_query_session 0
uint no_read_log_file 0
uint no_securenat 0
uint no_securenat_enabledhcp 0
uint no_securenat_enablenat 0
}
declare CascadeList
{
}
declare LogSetting
{
uint PacketLogSwitchType 4
uint PACKET_LOG_ARP 0
uint PACKET_LOG_DHCP 1
uint PACKET_LOG_ETHERNET 0
uint PACKET_LOG_ICMP 0
uint PACKET_LOG_IP 0
uint PACKET_LOG_TCP 0
uint PACKET_LOG_TCP_CONN 1
uint PACKET_LOG_UDP 0
bool SavePacketLog true
bool SaveSecurityLog true
uint SecurityLogSwitchType 4
}
declare Message
{
}
declare Option
{
uint AccessListIncludeFileCacheLifetime 30
uint AdjustTcpMssValue 0
bool ApplyIPv4AccessListOnArpPacket false
bool AssignVLanIdByRadiusAttribute false
bool BroadcastLimiterStrictMode false
uint BroadcastStormDetectionThreshold 0
uint ClientMinimumRequiredBuild 0
uint DetectDormantSessionInterval 0
bool DisableAdjustTcpMss false
bool DisableCheckMacOnLocalBridge false
bool DisableCorrectIpOffloadChecksum false
bool DisableHttpParsing false
bool DisableIPParsing false
bool DisableKernelModeSecureNAT false
bool DisableUdpAcceleration false
bool DisableUdpFilterForLocalBridgeNic false
bool DisableUserModeSecureNAT false
bool DoNotSaveHeavySecurityLogs false
bool DropArpInPrivacyFilterMode true
bool DropBroadcastsInPrivacyFilterMode true
bool FilterBPDU false
bool FilterIPv4 false
bool FilterIPv6 false
bool FilterNonIP false
bool FilterOSPF false
bool FilterPPPoE false
uint FloodingSendQueueBufferQuota 33554432
bool ManageOnlyLocalUnicastIPv6 true
bool ManageOnlyPrivateIP true
uint MaxLoggedPacketsPerMinute 0
uint MaxSession 0
bool NoArpPolling false
bool NoDhcpPacketLogOutsideHub true
bool NoEnum false
bool NoIpTable false
bool NoIPv4PacketLog false
bool NoIPv6AddrPolling false
bool NoIPv6DefaultRouterInRAWhenIPv6 true
bool NoIPv6PacketLog false
bool NoLookBPDUBridgeId false
bool NoMacAddressLog true
bool NoManageVlanId false
bool NoPhysicalIPOnPacketLog false
bool NoSpinLockForPacketDelay false
bool RemoveDefGwOnDhcpForLocalhost true
uint RequiredClientId 0
uint SecureNAT_MaxDnsSessionsPerIp 0
uint SecureNAT_MaxIcmpSessionsPerIp 0
uint SecureNAT_MaxTcpSessionsPerIp 0
uint SecureNAT_MaxTcpSynSentPerIp 0
uint SecureNAT_MaxUdpSessionsPerIp 0
bool SecureNAT_RandomizeAssignIp false
bool SuppressClientUpdateNotification false
string VlanTypeId 0x8100
bool YieldAfterStorePacket false
}
declare SecureNAT
{
bool Disabled true
bool SaveLog true
declare VirtualDhcpServer
{
string DhcpDnsServerAddress 129.98.1.6
string DhcpDnsServerAddress2 129.98.1.4
string DhcpDomainName $
bool DhcpEnabled true
uint DhcpExpireTimeSpan 7200
string DhcpGatewayAddress 129.98.90.1
string DhcpLeaseIPEnd 129.98.90.40
string DhcpLeaseIPStart 129.98.90.36
string DhcpPushRoutes 129.98.90.0/255.255.255.0/129.98.90.1
string DhcpSubnetMask 255.255.255.0
}
declare VirtualHost
{
string VirtualHostIp 129.98.90.35
string VirtualHostIpSubnetMask 255.255.255.0
string VirtualHostMacAddress 00-50-56-B0-3E-1C
}
declare VirtualRouter
{
bool NatEnabled true
uint NatMtu 1500
uint NatTcpTimeout 1800
uint NatUdpTimeout 60
}
}
declare SecurityAccountDatabase
{
declare CertList
{
declare Cert0
{
byte X509 [omitted]
}
}
declare CrlList
{
}
declare GroupList
{
}
declare IPAccessControlList
{
}
declare UserList
{
declare alex
{
uint AuthType 1
uint64 CreatedTime 1405941940445
uint64 ExpireTime 0
uint64 LastLoginTime 0
string Note $
uint NumLogin 0
string RealName Alexander$20Lucaci
uint64 UpdatedTime 1405941997995
declare Traffic
{
declare RecvTraffic
{
uint64 BroadcastBytes 0
uint64 BroadcastCount 0
uint64 UnicastBytes 0
uint64 UnicastCount 0
}
declare SendTraffic
{
uint64 BroadcastBytes 0
uint64 BroadcastCount 0
uint64 UnicastBytes 0
uint64 UnicastCount 0
}
}
}
declare magda
{
uint AuthType 1
uint64 CreatedTime 1403268123605
uint64 ExpireTime 0
uint64 LastLoginTime 1403495508365
string Note $
uint NumLogin 4
string RealName Magdalena$20Kalinowska
uint64 UpdatedTime 1403268123605
declare Traffic
{
declare RecvTraffic
{
uint64 BroadcastBytes 32354633
uint64 BroadcastCount 255913
uint64 UnicastBytes 103370746
uint64 UnicastCount 122221
}
declare SendTraffic
{
uint64 BroadcastBytes 14772
uint64 BroadcastCount 123
uint64 UnicastBytes 18385618
uint64 UnicastCount 93712
}
}
}
declare maria
{
uint AuthType 1
uint64 CreatedTime 1435815410105
uint64 ExpireTime 0
uint64 LastLoginTime 1436092975475
string Note $
uint NumLogin 7
string RealName Maria$20Gullinello
uint64 UpdatedTime 1435815410105
declare Traffic
{
declare RecvTraffic
{
uint64 BroadcastBytes 1658212
uint64 BroadcastCount 11413
uint64 UnicastBytes 13776
uint64 UnicastCount 328
}
declare SendTraffic
{
uint64 BroadcastBytes 24527
uint64 BroadcastCount 297
uint64 UnicastBytes 375652
uint64 UnicastCount 4757
}
}
}
declare maurice
{
uint AuthType 1
uint64 CreatedTime 1392052816015
uint64 ExpireTime 0
uint64 LastLoginTime 1436172077705
string Note $
uint NumLogin 110
string RealName Maurice$20Volaski
uint64 UpdatedTime 1392052816015
declare Traffic
{
declare RecvTraffic
{
uint64 BroadcastBytes 3028792686
uint64 BroadcastCount 29480917
uint64 UnicastBytes 379567258909
uint64 UnicastCount 340451052
}
declare SendTraffic
{
uint64 BroadcastBytes 9465535
uint64 BroadcastCount 153389
uint64 UnicastBytes 9868200305
uint64 UnicastCount 147753374
}
}
}
}
}
declare Traffic
{
declare RecvTraffic
{
uint64 BroadcastBytes 21337934754
uint64 BroadcastCount 196451005
uint64 UnicastBytes 397192037648
uint64 UnicastCount 569788290
}
declare SendTraffic
{
uint64 BroadcastBytes 24373538228
uint64 BroadcastCount 226048020
uint64 UnicastBytes 392127956918
uint64 UnicastCount 519439591
}
}
}
}
declare VirtualLayer3SwitchList
{
}
}
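The configuration above is in SoftEther's own `declare NAME { ... }` / `TYPE KEY VALUE` format, with spaces escaped as `$20` and an empty string written as a lone `$`. As an added example for this thread (not SoftEther's code), here is a small parser for that format plus an audit that pulls out the settings the thread is about: the local bridge device, whether SecureNAT (and with it the virtual DHCP server) is disabled, and two things a reviewer of the posted file would also note, the plaintext L2TP pre-shared key and the `RC4-MD5` cipher. `SAMPLE_CONFIG` is a constructed excerpt in the same format with a placeholder key; point `parse_config` at the real `vpn_server.config` text to get the same report for it.

```python
"""Parse a SoftEther vpn_server.config-style file and summarise the settings that
matter for the local-bridge / SecureNAT problem in this thread.  Added example, not
SoftEther's own parser; SAMPLE_CONFIG is a constructed excerpt with a placeholder PSK."""
import re

SAMPLE_CONFIG = """\
declare root
{
    declare IPsec
    {
        string IPsec_Secret example$20pre-shared$20key
        bool L2TP_IPsec true
    }
    declare LocalBridgeList
    {
        declare LocalBridge0
        {
            string DeviceName eth0
            string HubName VPN
        }
    }
    declare ServerConfiguration
    {
        string CipherName RC4-MD5
    }
    declare VirtualHUB
    {
        declare VPN
        {
            declare SecureNAT
            {
                bool Disabled true
                declare VirtualDhcpServer
                {
                    bool DhcpEnabled true
                }
            }
        }
    }
}
"""
_ESCAPE = re.compile(r"\$([0-9A-Fa-f]{2})")

def decode_string(raw):
    """A lone '$' is the empty string; '$XX' is the character with hex code XX."""
    if raw == "$":
        return ""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw)

_CONVERT = {  # config type -> Python value ('byte' base64 text is kept as-is)
    "bool": lambda r: r == "true",
    "uint": int,
    "uint64": int,
    "string": decode_string,
}

def parse_config(text):
    """Turn 'declare NAME { ... }' blocks and 'TYPE KEY VALUE' lines into nested dicts."""
    stack, pending = [{}], None
    for lineno, line in enumerate(text.splitlines(), 1):
        tok = line.strip()
        if not tok or tok.startswith("#"):
            continue
        if tok.startswith("declare "):
            pending = tok.split(None, 1)[1]
        elif tok == "{":
            if pending is None:
                raise ValueError(f"line {lineno}: '{{' without declare")
            stack[-1][pending] = child = {}
            stack.append(child)
            pending = None
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
        else:
            parts = tok.split(None, 2)
            if len(parts) != 3:
                raise ValueError(f"line {lineno}: cannot parse {tok!r}")
            stack[-1][parts[1]] = _CONVERT.get(parts[0], str)(parts[2])
    if len(stack) != 1 or pending is not None:
        raise ValueError("unterminated block")
    return stack[0]

def audit(cfg):
    """Findings about bridging, SecureNAT and IPsec that a reviewer of this file would want."""
    root, out = cfg["root"], []
    for name, b in root.get("LocalBridgeList", {}).items():
        if isinstance(b, dict):  # skip scalar keys such as DoNotDisableOffloading
            out.append(f"{name}: hub {b['HubName']} is locally bridged to {b['DeviceName']}")
    for hub, h in root.get("VirtualHUB", {}).items():
        snat = h.get("SecureNAT", {})
        if snat.get("Disabled") and snat.get("VirtualDhcpServer", {}).get("DhcpEnabled"):
            out.append(f"hub {hub}: SecureNAT is disabled, so its virtual DHCP server is off despite DhcpEnabled")
    if root.get("IPsec", {}).get("L2TP_IPsec"):
        out.append("L2TP/IPsec is enabled; the pre-shared key sits in this file in plaintext")
    cipher = root.get("ServerConfiguration", {}).get("CipherName", "")
    if "RC4" in cipher or "MD5" in cipher:
        out.append(f"CipherName {cipher}: RC4 and MD5 are deprecated; prefer an AES/SHA-2 suite")
    return out
```

Run against the posted file, `audit` reports the same four points: the eth0 local bridge, SecureNAT off (so no virtual DHCP despite `DhcpEnabled true`), L2TP/IPsec with its key in the file, and the RC4-MD5 cipher.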
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Bridging does not work
Please show a server log.
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
It seems the problem is the confusing interface. When I tried to use the bridge, I disabled the SecureNAT function, but that also disables the virtual DHCP functionality. SecureNAT must be on for virtual DHCP, but it doesn't automatically turn on actual NAT; that is a separate checkbox. I think the SecureNAT button should be removed from the interface; it doesn't add any functionality that I can see other than enabling one to use these two. There should just be NAT and DHCP functions.
-
- Posts: 14
- Joined: Wed Jul 15, 2015 9:41 am
Re: Bridging does not work
Yes,
SecureNAT is just the name of the module that deals with NAT and DHCP. I think it was never meant to be anything else. I never thought it was another module handling anything else, since it sits one level above VirtualNAT and DHCP in the interface. I think those two modules are grouped under the same 'SecureNAT' flag because they both use a virtual host/client (plugged into the hub) that does the job (and there is only one of it).
Aside from this interface problem, there are a few points I don't get in your posts:
You said "I'm using SecureNAT or it won't connect otherwise". What do you mean by connect? The client interface actually getting an IP? Did you think that VirtualDHCP was working without SecureNAT when you said that?
What confuses me is that I don't understand most of the problems people have on this forum, because I can't tell whether they really know what an Ethernet network is, and whether they realise that SoftEther VPN does nothing more than set up an Ethernet network (as the name itself says).
Last edited by tomtix on Tue Jul 21, 2015 8:56 am, edited 1 time in total.
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
"I am using SecureNAT otherwise it won't connect" means just what it says. With SecureNAT turned off, the client can't establish a connection. I think it's because it is not being assigned an IP address by SoftEther's DHCP function.
I tried an independent DHCP server and the functionality is the same; I get an IP, but the client can't route.
I assume now that the bridge is what ties the PPP connection to SoftEther to the real-world network on the SoftEther server. (In our case, there is only one since our internal IPs are real-world.)
My Mac client doesn't seem to get the router assigned to it via SoftEther's DHCP, but my Windows client does. Either way, packets aren't going anywhere. SoftEther doesn't seem to be putting packets on the bridge it creates.
If my understanding is correct, SoftEther is using the bridge to route packets from the client to its internal router (the network the clients are trying to connect to). Right now, I am using SoftEther to create that bridge on eth0. There is no bridge that shows up in ifconfig. It must be all internal, correct?
These instructions above for creating a bridge in Linux are incomplete and for some reason don't work. These commands do work:
ip tuntap add tap0 mode tap user root
ip link set tap0 up
ip link add br0 type bridge
ip link set tap0 master br0
ip link set dev eth0 down
ip addr flush dev eth0
ip link set dev eth0 up
ip link set eth0 master br0
ip link set dev br0 up
However, it's not clear where I tell it to use this bridge. Should it be automatic based on IP? What IP should I give the bridge? I don't give it one inside SoftEther.
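After running the `ip` commands in the post above, the thing to verify is that the resulting topology is what a Linux bridge needs: `eth0` and `tap0` are ports of `br0` (their `master`), all three are UP, and the host's IPv4 address has moved from `eth0` to `br0`, since a bridge port should carry no address of its own. As an added example for this thread (not SoftEther's or iproute2's code), the script below parses the one-line-per-interface output of `ip -o link show` and `ip -o -4 addr show` and lists what is wrong. The inputs are constructed samples using the interface names and the 129.98.90.18/24 address from the thread; the second address sample shows the common case where `ip addr flush dev eth0` was skipped.

```python
"""Verify that a Linux bridge built for a SoftEther tap-mode local bridge is wired
as intended: tap and NIC are ports of the bridge, everything is UP, and the IPv4
address lives on the bridge rather than on a port.  Added example for this thread
(not SoftEther's or iproute2's code); the samples are constructed `ip -o link show`
and `ip -o -4 addr show` output using the names and address from the thread."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000\\    link/ether 00:50:56:b0:3e:1c brd ff:ff:ff:ff:ff:ff
3: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000\\    link/ether 1e:2f:3a:4b:5c:6d brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\    link/ether 00:50:56:b0:3e:1c brd ff:ff:ff:ff:ff:ff
"""
# Correct outcome of the posted commands: the address was moved to br0 (constructed).
SAMPLE_ADDR_OK = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
4: br0    inet 129.98.90.18/24 brd 129.98.90.255 scope global br0\\       valid_lft forever preferred_lft forever
"""
# Common mistake: 'ip addr flush dev eth0' skipped, so eth0 keeps the address and br0 has none.
SAMPLE_ADDR_BAD = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 129.98.90.18/24 brd 129.98.90.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""

_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>(?P<rest>.*)$")
_ADDR_RE = re.compile(r"^\d+:\s+(?P<name>\S+)\s+inet\s+(?P<cidr>\S+)")

@dataclass
class Link:
    name: str
    flags: set
    master: Optional[str]                     # bridge this interface is a port of, if any
    addrs: list = field(default_factory=list)  # IPv4 addresses in CIDR form

def parse_ip_output(link_out, addr_out):
    """Build a name -> Link map from the two one-line-per-interface listings."""
    links = {}
    for line in link_out.splitlines():
        m = _LINK_RE.match(line)
        if not m:
            continue
        master = re.search(r"\bmaster\s+(\S+)", m.group("rest"))
        links[m.group("name")] = Link(m.group("name"), set(m.group("flags").split(",")),
                                      master.group(1) if master else None)
    for line in addr_out.splitlines():
        m = _ADDR_RE.match(line)
        if m and m.group("name") in links:
            links[m.group("name")].addrs.append(m.group("cidr"))
    return links

def check_bridge(links, bridge="br0", ports=("eth0", "tap0")):
    """Return a list of problems; an empty list means the bridge looks right."""
    br = links.get(bridge)
    if br is None:
        return [f"{bridge} does not exist"]
    problems = []
    if "UP" not in br.flags:
        problems.append(f"{bridge} is not UP")
    if not br.addrs:
        problems.append(f"{bridge} has no IPv4 address; the host's address belongs on the bridge")
    for p in ports:
        link = links.get(p)
        if link is None:
            problems.append(f"port {p} does not exist")
            continue
        if link.master != bridge:
            problems.append(f"{p} is not a port of {bridge} (master={link.master})")
        if "UP" not in link.flags:
            problems.append(f"{p} is not UP")
        if link.addrs:
            problems.append(f"{p} still holds {', '.join(link.addrs)}; bridge ports should carry no IP")
    return problems

if __name__ == "__main__":
    for label, addr in (("ok", SAMPLE_ADDR_OK), ("bad", SAMPLE_ADDR_BAD)):
        print(label, check_bridge(parse_ip_output(SAMPLE_LINK, addr)) or "bridge looks right")
```

On a live host, feed it the real output (`ip -o link show` and `ip -o -4 addr show`) instead of the samples; an empty result means the bridge, its two ports and the address placement match what the posted commands are meant to produce.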
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
Here is the server log. This is with SoftEther handling bridging and DHCP. The client connecting is a Mac using L2TP. It connects, but cannot route. 129.98.90.18 is the IP of eth0 on the SoftEther machine. 129.98.90.36 is the IP assigned to the Mac client.
2015-07-21 20:13:55.882 IPsec Client 1 (108.14.231.94:500 -> 129.98.90.18:500): A new IPsec client is created.
2015-07-21 20:13:55.882 IPsec IKE Session (IKE SA) 1 (Client: 1) (108.14.231.94:500 -> 129.98.90.18:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xECFAA7E5401949F2, Responder Cookie: 0xF214E1DB753DB01B, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2015-07-21 20:13:55.942 IPsec Client 1 (108.14.231.94:4500 -> 129.98.90.18:4500): The port number information of this client is updated.
2015-07-21 20:13:55.942 IPsec Client 1 (108.14.231.94:4500 -> 129.98.90.18:4500):
2015-07-21 20:13:55.942 IPsec IKE Session (IKE SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): This IKE SA is established between the server and the client.
2015-07-21 20:13:56.942 IPsec IKE Session (IKE SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): The client initiates a QuickMode negotiation.
2015-07-21 20:13:56.942 IPsec ESP Session (IPsec SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): A new IPsec SA (Direction: Client -> Server) is created. SPI: 0xE98BECF0, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2015-07-21 20:13:56.942 IPsec ESP Session (IPsec SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): A new IPsec SA (Direction: Server -> Client) is created. SPI: 0x66BB73E, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2015-07-21 20:13:56.962 IPsec ESP Session (IPsec SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): This IPsec SA is established between the server and the client.
2015-07-21 20:13:56.982 IPsec Client 1 (108.14.231.94:4500 -> 129.98.90.18:4500): The L2TP Server Module is started.
2015-07-21 20:13:57.002 L2TP PPP Session [108.14.231.94:1701]: A new PPP session (Upper protocol: L2TP) is started. IP Address of PPP Client: 108.14.231.94 (Hostname: "ussflux.fios-router.home"), Port Number of PPP Client: 1701, IP Address of PPP Server: 129.98.90.18, Port Number of PPP Server: 1701, Client Software Name: "L2TP VPN Client", IPv4 TCP MSS (Max Segment Size): 1314 bytes
2015-07-21 20:13:57.022 On the TCP Listener (Port 0), a Client (IP address 108.14.231.94, Host name "pool-108-14-231-94.nycmny.fios.verizon.net", Port number 1701) has connected.
2015-07-21 20:13:57.022 For the client (IP address: 108.14.231.94, host name: "pool-108-14-231-94.nycmny.fios.verizon.net", port number: 1701), connection "CID-3" has been created.
2015-07-21 20:13:57.022 SSL communication for connection "CID-3" has been started. The encryption algorithm name is "(null)".
2015-07-21 20:13:57.022 [HUB "VPN"] The connection "CID-3" (IP address: 108.14.231.94, Host name: pool-108-14-231-94.nycmny.fios.verizon.net, Port number: 1701, Client name: "L2TP VPN Client", Version: 4.17, Build: 9562) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "maurice".
2015-07-21 20:13:57.022 [HUB "VPN"] Connection "CID-3": Successfully authenticated as user "maurice".
2015-07-21 20:13:57.022 [HUB "VPN"] Connection "CID-3": The new session "SID-MAURICE-[L2TP]-4" has been created. (IP address: 108.14.231.94, Port number: 1701, Physical underlying protocol: "Legacy VPN - L2TP")
2015-07-21 20:13:57.022 [HUB "VPN"] Session "SID-MAURICE-[L2TP]-4": The parameter has been set. Max number of TCP connections: 1, Use of encryption: Yes, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.
2015-07-21 20:13:57.022 [HUB "VPN"] Session "SID-MAURICE-[L2TP]-4": VPN Client details: (Client product name: "L2TP VPN Client", Client version: 417, Client build number: 9562, Server product name: "SoftEther VPN Server (64 bit)", Server version: 417, Server build number: 9562, Client OS name: "L2TP VPN Client", Client OS version: "-", Client product ID: "-", Client host name: "ussflux.fios-router.home", Client IP address: "108.14.231.94", Client port number: 1701, Server host name: "129.98.90.18", Server IP address: "129.98.90.18", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "VPN", Client unique ID: "5E32C7218B40FCA0ED51B9F6C6B2EB51")
2015-07-21 20:13:57.042 L2TP PPP Session [108.14.231.94:1701]: Trying to request an IP address from the DHCP server.
2015-07-21 20:13:57.322 [HUB "VPN"] SecureNAT: The DHCP entry 2 has been created. MAC address: CA-C3-9D-07-73-47, IP address: 129.98.90.37, host name: ussflux.fios-router.home, expiration span: 7200 seconds
2015-07-21 20:13:57.322 [HUB "VPN"] Session "SID-SECURENAT-1": The DHCP server of host "00-50-56-B0-3E-1C" (129.98.90.35) on this session allocated, for host "SID-MAURICE-[L2TP]-4" on another session "CA-C3-9D-07-73-47", the new IP address 129.98.90.37.
2015-07-21 20:13:57.322 L2TP PPP Session [108.14.231.94:1701]: An IP address is assigned. IP Address of Client: 129.98.90.37, Subnet Mask: 255.255.255.0, Default Gateway: 129.98.90.1, Domain Name: "", DNS Server 1: 129.98.1.6, DNS Server 2: 129.98.1.4, WINS Server 1: 0.0.0.0, WINS Server 2: 0.0.0.0, IP Address of DHCP Server: 129.98.90.35, Lease Lifetime: 7200 seconds
2015-07-21 20:13:57.322 L2TP PPP Session [108.14.231.94:1701]: The IP address and other network information parameters are set successfully. IP Address of Client: 129.98.90.37, Subnet Mask: 255.255.255.0, Default Gateway: 129.98.90.1, DNS Server 1: 129.98.1.6, DNS Server 2: 129.98.1.4, WINS Server 1: 0.0.0.0, WINS Server 2: 0.0.0.0
2015-07-21 20:13:59.182 [HUB "VPN"] SecureNAT: The UDP session 191 has been created. Connection source 129.98.90.14:137, Connection destination 255.255.255.255:137
2015-07-21 20:13:59.522 [HUB "VPN"] SecureNAT: The UDP session 184 has been deleted.
2015-07-21 20:14:04.042 [HUB "VPN"] SecureNAT: The UDP session 185 has been deleted.
2015-07-21 20:14:04.122 [HUB "VPN"] SecureNAT: The UDP session 194 has been created. Connection source 129.98.90.36:137, Connection destination 255.255.255.255:137
2015-07-21 20:14:05.902 [HUB "VPN"] Session "SID-MAURICE-3": A large volume of broadcast packets has been detected. There are cases where packets are discarded based on the policy. The source MAC address is 00-AC-0B-20-C7-AD, the source IP address is 129.98.90.36, the destination IP address is 224.0.0.252. The number of broadcast packets is equal to or larger than 34 items per 1 second (note this information is the result of mechanical analysis of part of the packets and could be incorrect).
2015-07-21 20:14:18.742 [HUB "VPN"] SecureNAT: The UDP session 214 has been created. Connection source 129.98.90.177:137, Connection destination 255.255.255.255:137
2015-07-21 20:14:18.982 [HUB "VPN"] SecureNAT: The UDP session 215 has been created. Connection source 129.98.90.131:59186, Connection destination 255.255.255.255:137
2015-07-21 20:14:22.502 [HUB "VPN"] SecureNAT: The UDP session 222 has been created. Connection source 129.98.90.131:59187, Connection destination 255.255.255.255:137
2015-07-21 20:14:28.162 IPsec ESP Session (IPsec SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): This IPsec SA is deleted.
2015-07-21 20:14:28.162 IPsec IKE Session (IKE SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): The server initiates a QuickMode negotiation.
2015-07-21 20:14:28.162 IPsec ESP Session (IPsec SA) 2 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): A new IPsec SA (Direction: Client -> Server) is created. SPI: 0xDD1E2424, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2015-07-21 20:14:28.162 IPsec ESP Session (IPsec SA) 2 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): A new IPsec SA (Direction: Server -> Client) is created. SPI: 0x0, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2015-07-21 20:14:28.162 IPsec IKE Session (IKE SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): This IKE SA is deleted.
2015-07-21 20:14:28.162 IPsec ESP Session (IPsec SA) 2 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): This IPsec SA is deleted.
2015-07-21 20:14:28.162 IPsec ESP Session (IPsec SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): This IPsec SA is deleted.
2015-07-21 20:14:28.162 IPsec ESP Session (IPsec SA) 2 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): This IPsec SA is deleted.
2015-07-21 20:14:28.262 L2TP PPP Session [108.14.231.94:1701]: The PPP session is disconnected because the upper-layer protocol "L2TP" has been disconnected.
2015-07-21 20:14:28.262 L2TP PPP Session [108.14.231.94:1701]: The PPP session is disconnected.
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
Should I be able to ping the virtual host's interface from the server command line? I cannot.
-
- Posts: 14
- Joined: Wed Jul 15, 2015 9:41 am
Re: Bridging does not work
You have to think of the virtual hub as a real HUB and the bridge as a real bridge between this HUB and the network eth0 is plugged into.
> If my understanding is correct, SoftEther is using the bridge to route packets from the client to its internal
> router (the network the clients are trying to connect to).
A bridge just redirects all Ethernet (L2) packets that flow on the HUB towards the interface (i.e. it sends the Ethernet packets on the wire), and it also writes incoming eth0 Ethernet packets toward the virtual HUB.
(L2 means that all of this stuff (and thus SoftEther) works independently of the IP protocol (L3);
the DHCP embedded in SoftEther is just an extra because SoftEther is great.)
Therefore SoftEther does not have an internal router (routing is an L3 matter).
SoftEther is not routing anything.
You have to understand that once the connection with the SoftEther server is made, all the clients are on the same ETHERNET NETWORK, even if they don't have an IP!!
The IP network is not the main business of SoftEther. Ethernet is not a routed network.
The basic idea is that every packet is sent on each wire, and clients decide whether to take a packet or not based on whether the MAC (Ethernet) address corresponds to their address.
> Right now, I am using SoftEther to create that bridge
> on eth0. There is no bridge that shows up in ifconfig. It must be all internal, correct?
Yeah, kinda. "Bridges" from SoftEther's point of view are 'internal' to SoftEther.
That's why I think the external method with Linux commands is better; otherwise you can't use eth0
for IP networking anymore.
For the bridge setup, the commands I used are:
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 tap0
# ifconfig eth0 0.0.0.0 promisc up
# ifconfig tap0 0.0.0.0 promisc up
# ifconfig br0 some_ip_here
This should be equivalent to your command set, apart from the tap device creation, which I did not handle here (you have to install bridge-utils in order for these commands to work).
In order to use a bridge of this kind with SoftEther, tell SoftEther to bridge itself with the tap0 device.
If it does not work you can do the same, but creating the tap virtual device within the SoftEther interface
(the "bridge with a new virtual device" functionality).
The name you give to it in SoftEther is prefixed by 'tap_' in Linux:
if you named it tap0 in SoftEther it will be tap_tap0 in Linux.
I found a way to set this up automatically at boot with an ifupdown script (if you're not using another network manager):
In this example eth0 is connected to the internet
and eth1 is connected to the local network I want to bridge to.
/etc/network/interfaces:
___________________________________________________________________
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
    pre-up iptables-restore < /etc/iptables.up.rules
iface eth1 inet manual
iface tap_tap0 inet manual
auto br0
iface br0 inet static
    pre-up vpnserver start; sleep 2 # sleep to wait for the tap_tap0 interface to be created
    post-up ifconfig tap_tap0 0.0.0.0 promisc up
    post-up ifconfig eth1 0.0.0.0 promisc up
    bridge_ports eth1 tap_tap0
    address X.X.X.X
    post-down vpnserver stop
__________________________________________________________________________
This way the tap_tap0 interface is started just before br0 is set up and everything works.
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
I created br0 and tap0 in Linux and I assigned the IP of the SoftEther computer to the br0 interface. I learned that if I set an IP on eth0, nothing works. tap0 also has no IP. SoftEther itself has its own IP. Virtual NAT is off, but I am using DHCP and pushing classless routes.
I wasn't sure what you meant above, but in the SoftEther interface, I created a local bridge to the tap0 device. This seems strange: if I already have a bridge in Linux, why does SoftEther have to create a second one?
The bridge command in the interface lets me choose eth0, br0 and tap0. Why would both of these show up? I do want the tap0 one, correct?
It did not work. I lose connectivity to the Internet on the client as soon as the connection is made. I don't see any packets on the tap0 device, but I do see IPsec traffic from the client on the br0 device and eth0.
-
- Posts: 14
- Joined: Wed Jul 15, 2015 9:41 am
Re: Bridging does not work
If you set up the bridge with brctl you can verify whether it really has both tap0 and eth0 under br0
with the command
# brctl show br0
There must be both eth0 and tap0 under the interfaces section,
and if the bridge is working, any packet that you see on eth0 should also go into tap0.
>This seems strange if I already have a bridge in Linux, why does SoftEther have to create a second one?
As you said:
> I learned that if I set an IP to eth0, nothing works. tap0 also has no IP
A bridged device has to have no IP and be in promiscuous mode (as I said before, it is working at L2, one level below IP (L3)).
The bridge of SoftEther is between the virtual HUB (inside SoftEther) and an interface.
As it is internal to SoftEther (and thus not appearing in Linux ifconfig), you cannot give an IP to this bridge.
The workaround is to add a second 'Linux bridge', which is between two interfaces, and you can give it an IP.
The final topology:
VpnClient --[connects to]--> VirtualHUB <--[SoftEther Bridge]--> tap0 <--[Linux Bridge]--> eth0 <--> localnetwork / internet
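The two replies above boil down to three conditions on the Linux half of that topology: br0 must enslave both eth0 and tap0, the enslaved ports must carry no IP address (and be up, ideally promiscuous), and the server's address must sit on br0. The script below is an added example, not code from the thread or from SoftEther: it turns those conditions into a check that reads the text of `ip -o link show` and `ip -o -4 addr show` (the iproute2 equivalent of `brctl show`). The interface names, MAC addresses and the two sample outputs are constructed; the address 129.98.90.18 is the server address quoted in the thread.

```shell
#!/bin/sh
# Added example: sanity-check the  tap0 <--[br0]--> eth0  part of the topology.
# LINKS/ADDRS hold the text of `ip -o link show` and `ip -o -4 addr show`.
# The samples below are constructed; on a live host use
#   LINKS=$(ip -o link show); ADDRS=$(ip -o -4 addr show)

SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:10 brd ff:ff:ff:ff:ff:ff'

# Correct layout (constructed): only br0 carries the server address.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: br0    inet 129.98.90.18/24 brd 129.98.90.255 scope global br0\       valid_lft forever preferred_lft forever'

# Broken layout (constructed) matching "if I set an IP to eth0, nothing works":
# the address stayed on the enslaved port and br0 got none.
BROKEN_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 129.98.90.18/24 brd 129.98.90.255 scope global eth0\       valid_lft forever preferred_lft forever'

LINKS=$SAMPLE_LINKS
ADDRS=$SAMPLE_ADDRS

# Print the ports enslaved to a bridge, space separated (same facts as `brctl show`).
bridge_members() {
    printf '%s\n' "$LINKS" | awk -v br="$1" '
        index($0, " master " br " ") {
            sub(/:$/, "", $2)
            out = out (out == "" ? "" : " ") $2
        }
        END { print out }'
}

# Print the <...> flag list of one interface (empty if the interface is absent).
link_flags() {
    printf '%s\n' "$LINKS" | awk -v i="$1:" '$2 == i { gsub(/[<>]/, "", $3); print $3 }'
}

# Succeed if the interface carries at least one IPv4 address.
has_ipv4() {
    printf '%s\n' "$ADDRS" | awk -v i="$1" '$2 == i && $3 == "inet" { found = 1 } END { exit (found ? 0 : 1) }'
}

# check_bridge BRIDGE PORT...  -> status 0 only when the layout matches the thread's advice.
check_bridge() {
    br=$1; shift
    ok=0
    members=" $(bridge_members "$br") "
    if ! has_ipv4 "$br"; then
        echo "FAIL: $br has no IPv4 address; the server address belongs on the bridge"; ok=1
    fi
    for port in "$@"; do
        case "$members" in
            *" $port "*) ;;
            *) echo "FAIL: $port is not enslaved to $br"; ok=1; continue ;;
        esac
        flags=$(link_flags "$port")
        case ",$flags," in *,UP,*) ;; *) echo "FAIL: $port is not UP"; ok=1 ;; esac
        case ",$flags," in *,PROMISC,*) ;; *) echo "WARN: $port is not in promiscuous mode" ;; esac
        if has_ipv4 "$port"; then
            echo "FAIL: $port carries an IPv4 address; bridged ports must have none"; ok=1
        fi
    done
    [ "$ok" -eq 0 ] && echo "OK: $br bridges $*"
    return "$ok"
}

# Stand-alone run: the good layout passes, the "eth0 kept the IP" layout fails.
check_bridge br0 eth0 tap0
ADDRS=$BROKEN_ADDRS
check_bridge br0 eth0 tap0 || echo "(expected failure for the broken layout)"
ADDRS=$SAMPLE_ADDRS
```

On a live host, `ip link show master br0` lists the same membership the script derives from `LINKS`, and `tcpdump -i tap0` (see the earlier reply) is the runtime confirmation that frames seen on eth0 also reach the tap.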
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
brctl does indeed show eth0 and tap0 and tap0 is up.
But tap0 does not show any packets under any circumstances. I assigned an IP to it and I can ping it, but it doesn't show these packets. They are invisible to ifconfig and tcpdump.
If I take the IP away, the pings fail, so apparently tap devices work silently.
For some reason, I must have thought that the MAC of the virtual hub should be the same as that of eth0. Now that doesn't make sense, so I altered its number a bit to make it its own unique MAC, although it's not quite clear. Are we supposed to make up a value for it like that?
Anyway, I cannot ping the IP address I assigned to it. ARP can't find who has the MAC for the virtual hub's IP.
When a client connects, it connects to the IP of eth0 and it does connect, so it's not clear what the IP of the virtual hub is for. It's not connecting the way you described above and can't connect that way since the virtual hub's IP is unreachable.
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
The virtual hub does not have an IP address.
After adding the tap device and eth0 to a Linux bridge, you should assign the IP address of the VPN Server on the bridge. You should assign the IP address on neither eth0 nor the tap device.
The tap device and eth0 should have different MAC addresses. The Linux bridge should have its own MAC address.
Where are you hosting your VPN Server? Where is the eth0 network located? Cloud? Your own LAN? Your ISP's public IP network?
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
I've attached a screenshot showing the virtual hub's ip address,
(attachment: virtual hub's ip.png)
What is this for? Where should the MAC be coming from? What should this IP be representing if it's not what the interface claims it's for?
Everything you mention above is set correctly. Still packets can't route from the client once it connects to the VPN.
Our network is a bit different from others in that it is one connection for both the LAN and the Internet, eth0. We have our own Class B. The addresses the client wants to get to are firewalled. That's why we need the VPN.
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
This is the gateway of the SecureNAT. When you disable SecureNAT, this setting is useless.
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
The gateway of SoftEther is not reachable regardless of whether SecureNAT is running.
I also notice this in the log
2015-07-28 18:19:11.864 [HUB "VPN"] The Local Bridge connection "tap0" has started. The bridge session "SID-LOCALBRIDGE-2" was created.
2015-07-28 18:19:11.864 The configuration file has been loaded.
2015-07-28 18:19:11.864 Starting the automatically saving background task. The interval between auto-saves is 300 seconds. You can change the interval by changing the parameter AutoSaveConfigSpan in the configuration file.
2015-07-28 18:19:12.164 [HUB "VPN"] Session "SID-LOCALBRIDGE-2": A Local Bridge connection to physical Ethernet interface "tap0" was started.
But then the output,
4: tap0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN group default qlen 500
link/ether 06:68:83:c8:0f:b4 brd ff:ff:ff:ff:ff:ff
tap0 has no carrier and is in a down state despite SoftEther saying that it is tied to it.
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
In your interface configuration, try to use sleep 4 instead of sleep 2.
-
- Posts: 14
- Joined: Wed Jul 15, 2015 9:41 am
Re: Bridging does not work
How did you set up the tap0 interface?
Did you create it with the SoftEther GUI or with the following command?
# ip tuntap add tap0 mode tap user root
I had this setup working with the GUI. I don't know how an interface created with the ip utility is supposed to behave.
> The gateway of SoftEther is not reachable regardless of whether SecureNAT is running.
I'm not sure but I think it does not respond to ping anyway.
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
tomtix wrote:
> How did you set up the tap0 interface?
> Did you create it with the SoftEther GUI or with the following command?
> # ip tuntap add tap0 mode tap user root
>
> I had this setup working with the GUI. I don't know how an interface created with the ip
> utility is supposed to behave.
>
> > The gateway of SoftEther is not reachable regardless of whether SecureNAT is
> running.
> I'm not sure but I think it does not respond to ping anyway.
As far as I know, the gateway of SecureNAT responds to ping.
However, I would like to know whether the packets can be sent to the linux bridge and then the server through eth1 properly.
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
Try not to configure the tap device in interface configuration and do it in /etc/init.d/vpnserver instead. Add a line "sleep 4" to allow the tap device to be created and then add tap_tap0 to the linux bridge using a command after running sleep 4.
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
I managed to get the tap device to work. I did it by using the interface to create the tap device and then I manually added it to the bridge (along with eth0). The tap device is now showing forwarding as the state. As far as I can tell, it's not possible to create a tap device outside of SoftEther and have SoftEther use it. Once the internally created tap device is working, it's possible to ping the SoftEther gateway.
However, it does not make a difference for connecting the endpoint. The client still can't route packets anywhere.
If I don't use SecureNAT, it also does not route packets. Here's the log of that.
2015-07-31 16:49:02.884 IPsec Client 1 (108.14.231.94:500 -> 129.98.90.18:500): A new IPsec client is created.
2015-07-31 16:49:02.884 IPsec IKE Session (IKE SA) 1 (Client: 1) (108.14.231.94:500 -> 129.98.90.18:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0x150E7648C3D960D1, Responder Cookie: 0xC69C1BE598744EE, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2015-07-31 16:49:02.944 IPsec Client 1 (108.14.231.94:4500 -> 129.98.90.18:4500): The port number information of this client is updated.
2015-07-31 16:49:02.944 IPsec Client 1 (108.14.231.94:4500 -> 129.98.90.18:4500):
2015-07-31 16:49:02.944 IPsec IKE Session (IKE SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): This IKE SA is established between the server and the client.
2015-07-31 16:49:03.944 IPsec IKE Session (IKE SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): The client initiates a QuickMode negotiation.
2015-07-31 16:49:03.944 IPsec ESP Session (IPsec SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): A new IPsec SA (Direction: Client -> Server) is created. SPI: 0xD580BFD, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2015-07-31 16:49:03.944 IPsec ESP Session (IPsec SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): A new IPsec SA (Direction: Server -> Client) is created. SPI: 0x3095CBD, DH Group: (null), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 3600 seconds
2015-07-31 16:49:03.984 IPsec ESP Session (IPsec SA) 1 (Client: 1) (108.14.231.94:4500 -> 129.98.90.18:4500): This IPsec SA is established between the server and the client.
2015-07-31 16:49:03.984 IPsec Client 1 (108.14.231.94:4500 -> 129.98.90.18:4500): The L2TP Server Module is started.
2015-07-31 16:49:04.024 L2TP PPP Session [108.14.231.94:1701]: A new PPP session (Upper protocol: L2TP) is started. IP Address of PPP Client: 108.14.231.94 (Hostname: "ussflux.fios-router.home"), Port Number of PPP Client: 1701, IP Address of PPP Server: 129.98.90.18, Port Number of PPP Server: 1701, Client Software Name: "L2TP VPN Client", IPv4 TCP MSS (Max Segment Size): 1314 bytes
2015-07-31 16:49:04.044 On the TCP Listener (Port 0), a Client (IP address 108.14.231.94, Host name "pool-108-14-231-94.nycmny.fios.verizon.net", Port number 1701) has connected.
2015-07-31 16:49:04.044 For the client (IP address: 108.14.231.94, host name: "pool-108-14-231-94.nycmny.fios.verizon.net", port number: 1701), connection "CID-2" has been created.
2015-07-31 16:49:04.044 SSL communication for connection "CID-2" has been started. The encryption algorithm name is "(null)".
2015-07-31 16:49:04.044 [HUB "VPN"] The connection "CID-2" (IP address: 108.14.231.94, Host name: pool-108-14-231-94.nycmny.fios.verizon.net, Port number: 1701, Client name: "L2TP VPN Client", Version: 4.17, Build: 9562) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "maurice".
2015-07-31 16:49:04.044 [HUB "VPN"] Connection "CID-2": Successfully authenticated as user "maurice".
2015-07-31 16:49:04.044 [HUB "VPN"] Connection "CID-2": The new session "SID-MAURICE-[L2TP]-3" has been created. (IP address: 108.14.231.94, Port number: 1701, Physical underlying protocol: "Legacy VPN - L2TP")
2015-07-31 16:49:04.044 [HUB "VPN"] Session "SID-MAURICE-[L2TP]-3": The parameter has been set. Max number of TCP connections: 1, Use of encryption: Yes, Use of compression: No, Use of Half duplex communication: No, Timeout: 20 seconds.
2015-07-31 16:49:04.064 [HUB "VPN"] Session "SID-MAURICE-[L2TP]-3": VPN Client details: (Client product name: "L2TP VPN Client", Client version: 417, Client build number: 9562, Server product name: "SoftEther VPN Server (64 bit)", Server version: 417, Server build number: 9562, Client OS name: "L2TP VPN Client", Client OS version: "-", Client product ID: "-", Client host name: "ussflux.fios-router.home", Client IP address: "108.14.231.94", Client port number: 1701, Server host name: "129.98.90.18", Server IP address: "129.98.90.18", Server port number: 1701, Proxy host name: "", Proxy IP address: "0.0.0.0", Proxy port number: 0, Virtual Hub name: "VPN", Client unique ID: "5E32C7218B40FCA0ED51B9F6C6B2EB51")
2015-07-31 16:49:04.064 L2TP PPP Session [108.14.231.94:1701]: Trying to request an IP address from the DHCP server.
2015-07-31 16:49:05.244 [HUB "VPN"] Session "SID-LOCALBRIDGE-2": The DHCP server of host "00-50-56-B0-3E-1C" (129.98.90.18) on this session allocated, for host "SID-MAURICE-[L2TP]-3" on another session "CA-C3-9D-07-73-47", the new IP address 129.98.90.40.
2015-07-31 16:49:05.244 L2TP PPP Session [108.14.231.94:1701]: An IP address is assigned. IP Address of Client: 129.98.90.40, Subnet Mask: 255.255.255.0, Default Gateway: 129.98.90.1, Domain Name: "aecom.yu.edu", DNS Server 1: 129.98.1.6, DNS Server 2: 129.98.1.4, WINS Server 1: 0.0.0.0, WINS Server 2: 0.0.0.0, IP Address of DHCP Server: 129.98.90.18, Lease Lifetime: 43200 seconds
2015-07-31 16:49:05.244 L2TP PPP Session [108.14.231.94:1701]: The IP address and other network information parameters are set successfully. IP Address of Client: 129.98.90.40, Subnet Mask: 255.255.255.0, Default Gateway: 129.98.90.1, DNS Server 1: 129.98.1.6, DNS Server 2: 129.98.1.4, WINS Server 1: 0.0.0.0, WINS Server 2: 0.0.0.0
Packets show up as if everything is working:
16:49:02.874076 IP 108.14.231.94.500 > 129.98.90.18.500: isakmp: phase 1 I ident
16:49:02.884076 IP 129.98.90.18.500 > 108.14.231.94.500: isakmp: phase 1 R ident
16:49:02.904076 IP 108.14.231.94.500 > 129.98.90.18.500: isakmp: phase 1 I ident
16:49:02.914076 IP 129.98.90.18.500 > 108.14.231.94.500: isakmp: phase 1 R ident
16:49:02.944076 IP 108.14.231.94.4500 > 129.98.90.18.4500: NONESP-encap: isakmp: phase 1 I ident[E]
16:49:02.944076 IP 129.98.90.18.4500 > 108.14.231.94.4500: NONESP-encap: isakmp: phase 1 R ident[E]
16:49:03.954076 IP 108.14.231.94.4500 > 129.98.90.18.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
16:49:03.954076 IP 129.98.90.18.4500 > 108.14.231.94.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
16:49:03.984076 IP 108.14.231.94.4500 > 129.98.90.18.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
16:49:03.984076 IP 108.14.231.94.4500 > 129.98.90.18.4500: UDP-encap: ESP(spi=0x0d580bfd,seq=0x1), length 132
16:49:03.984076 IP 129.98.90.18.4500 > 108.14.231.94.4500: UDP-encap: ESP(spi=0x03095cbd,seq=0x1), length 148
16:49:03.994076 IP 108.14.231.94.4500 > 129.98.90.18.4500: UDP-encap: ESP(spi=0x0d580bfd,seq=0x2), length 68
16:49:03.994076 IP 108.14.231.94.4500 > 129.98.90.18.4500: UDP-encap: ESP(spi=0x0d580bfd,seq=0x3), length 84
16:49:03.994076 IP 129.98.90.18.4500 > 108.14.231.94.4500: UDP-encap: ESP(spi=0x03095cbd,seq=0x2), length 84
16:49:04.004076 IP 108.14.231.94.4500 > 129.98.90.18.4500: UDP-encap: ESP(spi=0x0d580bfd,seq=0x4), length 100
16:49:04.004076 IP 129.98.90.18.4500 > 108.14.231.94.4500: UDP-encap: ESP(spi=0x03095cbd,seq=0x3), length 68
16:49:04.024076 IP 108.14.231.94.4500 > 129.98.90.18.4500: UDP-encap: ESP(spi=0x0d580bfd,seq=0x5), length 84
16:49:04.024076 IP 129.98.90.18.4500 > 108.14.231.94.4500: UDP-encap: ESP(spi=0x03095cbd,seq=0x4), length 68
16:49:04.024076 IP 129.98.90.18.4500 > 108.14.231.94.4500: UDP-encap: ESP(spi=0x03095cbd,seq=0x5), length 84
16:49:04.044076 IP 108.14.231.94.4500 > 129.98.90.18.4500: UDP-encap: ESP(spi=0x0d580bfd,seq=0x6), length 68
16:49:04.044076 IP 108.14.231.94.4500 > 129.98.90.18.4500: UDP-encap: ESP(spi=0x0d580bfd,seq=0x7), length 68
16:49:04.044076 IP 129.98.90.18.4500 > 108.14.231.94.4500: UDP-encap: ESP(spi=0x03095cbd,seq=0x6), length 68
16:49:04.054076 IP 108.14.231.94.4500 > 129.98.90.18.4500: UDP-encap: ESP(spi=0x0d580bfd,seq=0x8), length 68
16:49:04.054076 IP 108.14.231.94.4500 > 129.98.90.18.4500: UDP-encap: ESP(spi=0x0d580bfd,seq=0x9), length 84
16:49:04.054076 IP 129.98.90.18.4500 > 108.14.231.94.4500: UDP-encap: ESP(spi=0x03095cbd,seq=0x7), length 68
This seems to be just handshaking between the client with its internal IP and the VPN. There are no packets from the IP the VPN assigned to it.
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
It seems that the problem comes from the client side. Are you using a Linux L2TP/IPsec client?
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
Those logs come from Mac OS X 10.10.4 using the built-in client. I can get logs for Windows 7 using the SoftEther client on Monday.
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
Can you show the routing table of the vpn client when connecting to the server?
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
After connecting:
Internet:
Destination        Gateway            Flags    Refs      Use   Netif Expire
default            link#17            UCS         6        0   ppp0
default            192.168.1.1        UGScI      11        0   en0
1.0.0.1            129.98.90.40       UH          0        0   ppp0
8.8.8.8            link#17            UHWIi       2        2   ppp0
17.253.84.253      link#17            UHWIi       1        1   ppp0
127                127.0.0.1          UCS         0        0   lo0
127.0.0.1          127.0.0.1          UH          9  2476344   lo0
129.98.1.4         link#17            UHWIi      25       65   ppp0
129.98.1.6         link#17            UHWIi      16      103   ppp0
129.98.90/24       ppp0               USc         1        0   ppp0
129.98.90.18       192.168.1.1        UGHS        1      211   en0
169.254            link#4             UCS         2        0   en0
169.254.151.208    0:11:d9:7c:60:d5   UHLSW       0        0   en0
169.254.169.102    20:c9:d0:15:8c:f4  UHLSW       0 19003782   en0
172.16.100/24      link#19            UC          2        0   vmnet8
172.16.100.255     ff:ff:ff:ff:ff:ff  UHLWbI      0       10   vmnet8
172.16.206/24      link#18            UC          2        0   vmnet1
172.16.206.255     ff:ff:ff:ff:ff:ff  UHLWbI      0       10   vmnet1
192.168.1          link#4             UCS         3        0   en0
192.168.1.1/32     link#4             UCS         1        0   en0
192.168.1.1        c8:a7:a:86:fa:c9   UHLWIir    14    28617   en0    1123
192.168.1.151      20:c9:d0:15:8c:f4  UHLWI       0  1472641   en0     768
192.168.1.152/32   link#4             UCS         0        0   en0
192.168.1.154      70:ee:50:6:76:1a   UHLWI       0        0   en0    1081
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWbI      0       52   en0
224.0.0.1          link#17            UHmW3I      0        1   ppp0     37
224.0.0.251        link#17            UHmW3I      0        0   ppp0     39
As you can see, the route for ppp0 is bogus. It's also not clear why the IP of the SoftEther machine, 129.98.90.18, is the route for the local client network.
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
Windows does a little better. It seems to get the right gateway, but it also can't route. (File added to post)
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
Can you ping 129.98.90.41?
Can you get the results of running ebtables -L on the server ?
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
On the Mac, I can ping only the SoftEther computer, 129.98.90.18. That means I can't even ping the address my DHCP assigned to ppp0.
On Windows, I can ping the SoftEther computer and the IP my DHCP assigned, which is 129.98.90.41. But I can't ping the gateway 129.98.90.1.
I don't have ebtables in my kernel, so I added it:
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
Where is your DHCP server? on the SecureNAT? on the external network?
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
I have tried both the SecureNAT's dhcp and my own, which runs on the SoftEther computer. No difference as far as I can tell.
There is only one network on the SoftEther computer, eth0 (br0 ties it to tap_tap0).
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
Currently,
1. Your server can ping 129.98.90.1 and 129.98.90.41.
2. Your client can only ping 129.98.90.41 but not 129.98.90.1.
Can you check the following parameter in your /etc/sysctl.conf file?
1. net.bridge.bridge-nf-call-iptables
If the value is 1, please allow forwarding between eth0 and tap_tap1.
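Putting this reply's bridge-nf-call-iptables check together with the earlier suggestion to enslave the tap device from /etc/init.d/vpnserver after a "sleep 4", here is an added example script; it is not code from the thread or from SoftEther. It assumes the names used in the thread (tap_tap0, br0, eth0) and adds hypothetical SYS_ROOT, PROC_ROOT and IP_CMD knobs so the logic can be exercised without root or real interfaces.

```shell
#!/bin/sh
# Added example, not code from the thread or from SoftEther: replaces the fixed
# "sleep 4" in /etc/init.d/vpnserver with a poll for the tap device SoftEther
# creates, enslaves it to the Linux bridge, classifies its "ip link" line, and
# checks whether br_netfilter is sending bridged frames through iptables.
# Assumptions (hypothetical, chosen for this example): tap device tap_tap0,
# bridge br0, NIC eth0 (names as used in the thread); SYS_ROOT, PROC_ROOT and
# IP_CMD are knobs so the logic can be exercised without root or real devices.

SYS_ROOT="${SYS_ROOT:-/sys}"
PROC_ROOT="${PROC_ROOT:-/proc}"
IP_CMD="${IP_CMD:-ip}"        # set IP_CMD="echo ip" for a dry run

# wait_for_link DEV [SECONDS]: return 0 once DEV exists, 1 after SECONDS polls.
# Unlike a fixed sleep this does not race vpnserver on a slow or loaded host.
wait_for_link() {
    dev=$1
    limit=${2:-10}
    n=0
    while [ ! -e "$SYS_ROOT/class/net/$dev" ]; do
        n=$((n + 1))
        [ "$n" -ge "$limit" ] && return 1
        sleep 1
    done
    return 0
}

# bridge_member DEV BRIDGE: 0 if DEV is already a port of BRIDGE.
bridge_member() {
    [ -e "$SYS_ROOT/class/net/$2/brif/$1" ]
}

# attach_to_bridge DEV BRIDGE: enslave DEV and bring it up; idempotent.
attach_to_bridge() {
    if bridge_member "$1" "$2"; then
        return 0
    fi
    $IP_CMD link set dev "$1" master "$2" && $IP_CMD link set dev "$1" up
}

# link_state LINE: classify one "ip -o link show DEV" line such as the thread's
# "<NO-CARRIER,...> ... master br0 state DOWN". Prints "bridged|unbridged" and
# "carrier|no-carrier". On a tap, NO-CARRIER means no process (here: the
# SoftEther Local Bridge session) currently holds the device open.
link_state() {
    case "$1" in
        *" master "*) b=bridged ;;
        *)            b=unbridged ;;
    esac
    case "$1" in
        *NO-CARRIER*) c=no-carrier ;;
        *)            c=carrier ;;
    esac
    printf '%s %s\n' "$b" "$c"
}

# bridge_nf_status: prints the value of net.bridge.bridge-nf-call-iptables
# (1 = bridged frames traverse the iptables FORWARD chain, 0 = they do not)
# or "absent" when br_netfilter is not loaded, which is why the sysctl can
# appear not to exist at all.
bridge_nf_status() {
    f="$PROC_ROOT/sys/net/bridge/bridge-nf-call-iptables"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo absent
    fi
}

# forward_rule_needed: 0 when iptables must explicitly accept bridged traffic.
forward_rule_needed() {
    [ "$(bridge_nf_status)" = 1 ]
}

main() {
    wait_for_link tap_tap0 10 || { echo "tap_tap0 never appeared" >&2; return 1; }
    attach_to_bridge tap_tap0 br0
    link_state "$($IP_CMD -o link show tap_tap0)"
    if forward_rule_needed; then
        # With br_netfilter active, frames bridged between eth0 and tap_tap0
        # reach FORWARD with both -i and -o set to the bridge itself.
        iptables -C FORWARD -i br0 -o br0 -j ACCEPT 2>/dev/null ||
            iptables -I FORWARD -i br0 -o br0 -j ACCEPT
    fi
}

# Only run when invoked as "sh bridge-tap.sh run" (e.g. from the init script).
case "${1:-}" in
    run) main ;;
esac
```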
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
That setting does not exist, but I added it. It made no difference.
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
The issue is not with bridging. The issue is that packets arriving at eth0 from the bridge aren't being routed/forwarded outside to the real-world network.
17:55:21.517258 IP 129.98.90.40 > kennedy-1-gw.net.yu.edu: ICMP echo request, id 19401, seq 105, length 64
17:55:22.517258 IP 129.98.90.40 > kennedy-1-gw.net.yu.edu: ICMP echo request, id 19401, seq 106, length 64
17:55:23.517258 IP 129.98.90.40 > kennedy-1-gw.net.yu.edu: ICMP echo request, id 19401, seq 107, length 64
17:55:24.527258 IP 129.98.90.40 > kennedy-1-gw.net.yu.edu: ICMP echo request, id 19401, seq 108, length 64
17:55:25.527258 IP 129.98.90.40 > kennedy-1-gw.net.yu.edu: ICMP echo request, id 19401, seq 109, length 64
17:55:26.527258 IP 129.98.90.40 > kennedy-1-gw.net.yu.edu: ICMP echo request, id 19401, seq 110, length 64
17:55:27.527258 IP 129.98.90.40 > kennedy-1-gw.net.yu.edu: ICMP echo request, id 19401, seq 111, length 64
Above there are ping requests from the Mac client to the gateway and there is no reply. So it could be either these packets aren't leaving eth0 (doesn't their appearance here mean that they are?) or there are replies, but they are being somehow blocked.
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
Local pings do work
17:58:43.577258 IP kennedy-1-gw.net.yu.edu > opensesame.aecom.yu.edu: ICMP echo reply, id 13267, seq 6, length 64
17:58:44.107258 IP 129.98.90.40 > kennedy-1-gw.net.yu.edu: ICMP echo request, id 19401, seq 307, length 64
17:58:44.577258 IP opensesame.aecom.yu.edu > kennedy-1-gw.net.yu.edu: ICMP echo request, id 13267, seq 7, length 64
17:58:44.617258 IP kennedy-1-gw.net.yu.edu > opensesame.aecom.yu.edu: ICMP echo reply, id 13267, seq 7, length 64
17:58:45.097258 IP 129.98.90.40 > kennedy-1-gw.net.yu.edu: ICMP echo request, id 19401, seq 308, length 64
17:58:45.587258 IP opensesame.aecom.yu.edu > kennedy-1-gw.net.yu.edu: ICMP echo request, id 13267, seq 8, length 64
17:58:45.587258 IP kennedy-1-gw.net.yu.edu > opensesame.aecom.yu.edu: ICMP echo reply, id 13267, seq 8, length 64
So something is being very selective in its blocking.
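To check the captures mechanically rather than by eye, here is an added example (not code from the thread, from SoftEther, or from either poster). It parses tcpdump ICMP echo lines in the format pasted above, pairs every echo request with the matching reply (same id and seq, addresses reversed) and reports which pinging flows never get one. The capture embedded in it is constructed for the example to mirror the pattern in the posts (the server opensesame.aecom.yu.edu is answered, the client 129.98.90.40 is not); feed it a real text dump from the bridge host instead.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's tcpdump output. These lines are
# made up for the example; they are not the poster's capture.
SAMPLE_CAPTURE = """\
17:58:43.577258 IP kennedy-1-gw.net.yu.edu > opensesame.aecom.yu.edu: ICMP echo reply, id 13267, seq 6, length 64
17:58:44.107258 IP 129.98.90.40 > kennedy-1-gw.net.yu.edu: ICMP echo request, id 19401, seq 307, length 64
17:58:44.577258 IP opensesame.aecom.yu.edu > kennedy-1-gw.net.yu.edu: ICMP echo request, id 13267, seq 7, length 64
17:58:44.617258 IP kennedy-1-gw.net.yu.edu > opensesame.aecom.yu.edu: ICMP echo reply, id 13267, seq 7, length 64
17:58:45.097258 IP 129.98.90.40 > kennedy-1-gw.net.yu.edu: ICMP echo request, id 19401, seq 308, length 64
17:58:45.587258 IP opensesame.aecom.yu.edu > kennedy-1-gw.net.yu.edu: ICMP echo request, id 13267, seq 8, length 64
17:58:45.587258 IP kennedy-1-gw.net.yu.edu > opensesame.aecom.yu.edu: ICMP echo reply, id 13267, seq 8, length 64
17:58:46.107258 IP 129.98.90.40 > kennedy-1-gw.net.yu.edu: ICMP echo request, id 19401, seq 309, length 64
17:58:46.207258 ARP, Request who-has 129.98.90.1 tell 129.98.90.40, length 28
"""

# One tcpdump "IP a > b: ICMP echo request|reply, id N, seq M, length L" line.
ECHO_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def parse_echoes(text):
    """Return (ts, src, dst, kind, icmp_id, seq) for each ICMP echo line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ECHO_RE.match(line.strip())
        if m:
            out.append((m["ts"], m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])))
    return out


def echo_stats(text):
    """Per pinging flow (requester, target, icmp id): requests sent, requests answered, orphan replies.

    A reply answers a request when it travels target -> requester with the same id and seq.
    Replies whose request was not captured (dump started mid-stream) are counted as orphans
    instead of being silently dropped, so a truncated capture does not look like packet loss.
    """
    requests = defaultdict(set)  # (requester, target, id) -> {seq}
    replies = defaultdict(set)   # same key, built from the reply's reversed addresses
    for _ts, src, dst, kind, icmp_id, seq in parse_echoes(text):
        if kind == "request":
            requests[(src, dst, icmp_id)].add(seq)
        else:
            replies[(dst, src, icmp_id)].add(seq)
    stats = {}
    for flow in set(requests) | set(replies):
        sent, got = requests[flow], replies[flow]
        stats[flow] = {
            "sent": len(sent),
            "answered": len(sent & got),
            "orphan_replies": len(got - sent),
        }
    return stats


def unanswered_flows(text):
    """Flows that sent at least one echo request and never saw a reply to any of them."""
    return sorted(f for f, s in echo_stats(text).items() if s["sent"] and s["answered"] == 0)


if __name__ == "__main__":
    for flow, s in sorted(echo_stats(SAMPLE_CAPTURE).items()):
        print(f"{flow[0]} -> {flow[1]} (id {flow[2]}): {s}")
    print("never answered:", unanswered_flows(SAMPLE_CAPTURE))
```

The selective pattern this reports (the host's own pings answered, the bridged client's never) is exactly what a FORWARD chain with a DROP policy produces once net.bridge.bridge-nf-call-iptables is 1: bridged frames then traverse FORWARD, while traffic the host itself originates only passes OUTPUT and INPUT. Watching the packet counters from `iptables -L FORWARD -v -n` while the client pings, and capturing on the tap device as well as on eth0, tells the two remaining cases apart (request dropped before the wire versus reply dropped on the way back).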
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
Changing net.bridge.bridge-nf-call-iptables to 1 means the bridge will also be subject to iptables filtering.
opensesame.aecom.yu.edu is your VPN server according to your routing table after the connection and also the forward DNS lookup. That means your server can ping the gateway through the bridge but not the VPN client. It is interesting.
Can you use proxy arp instead of linux bridge?
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
I'm not quite sure how I can set up proxy ARP on a single interface.
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
It does not have to be two physical interfaces. Virtual adapters work as well. Your eth0 is one interface and your tap device is another interface. Use proxy arp instead of bridging.
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
I'm not quite sure I follow. eth0 is 129.98.90.18. The client is connecting to this IP, so what's telling it to connect to SoftEther on tap_tap0? I have to give that interface an IP, but the client doesn't have this IP anywhere.
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
However, after searching for some information, I think Proxy ARP is not good. I think you may want to divide the /24 into two /25s. One used in the Virtual Hub and the other used in the LAN.
For example,
129.98.90.1/25 <--> 129.98.90.18/25(SoftEther VPN Server) 129.98.90.129/25 <-->Clients(129.98.90.128/25)
129.98.90.18 is on eth0.
129.98.90.125 is on the tap device.
Linux bridge is not used anymore.
This will break some applications like DLNA.
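To make the proposed layout concrete, here is an added example (not from the thread or from SoftEther) that carves the /24 into the two /25s with Python's ipaddress module and derives what follows from the split: which half each existing address lands in, the pool left for VPN clients behind the tap address, and the static route the LAN router would need, which is why the router's settings have to change. The post above gives the tap address as 129.98.90.129 in the diagram and 129.98.90.125 in the line below it; the check rejects any tap address that does not fall in the VPN half. Addresses and the /24 are taken from the thread; the function and key names are the example's own.

```python
import ipaddress


def plan_split(lan_cidr, server_ip, tap_ip):
    """Split lan_cidr into two equal halves for a routed (non-bridged) SoftEther layout.

    The half containing the server's eth0 address stays the LAN; the other half is
    handed to the Virtual Hub via the tap device. Raises ValueError when the server
    or tap address does not land where the layout requires.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    server = ipaddress.ip_address(server_ip)
    tap = ipaddress.ip_address(tap_ip)
    if server not in lan:
        raise ValueError(f"server {server} is not inside {lan}")
    first, second = lan.subnets(prefixlen_diff=1)
    lan_half, vpn_half = (first, second) if server in first else (second, first)
    if tap not in vpn_half:
        raise ValueError(f"tap address {tap} must be inside the VPN half {vpn_half}")
    # Usable addresses for VPN clients: the VPN half minus network, broadcast and the tap itself.
    pool = [h for h in vpn_half.hosts() if h != tap]
    return {
        "lan_half": lan_half,
        "vpn_half": vpn_half,
        "server_eth0": server,
        "server_tap": tap,
        "client_pool": (pool[0], pool[-1]),
        "client_gateway": tap,
        # The router currently treats the whole /24 as on-link; after the split it must
        # renumber its LAN interface and route the VPN half via the server. Hence the
        # router change the thread mentions.
        "router_changes": [
            f"renumber LAN interface into {lan_half}",
            f"add route {vpn_half} via {server}",
        ],
        # Server side: forwarding between eth0 and the tap replaces the bridge.
        "server_sysctl": {"net.ipv4.ip_forward": 1},
    }


def which_half(plan, ip):
    """'lan', 'vpn' or 'outside' for an address under the planned split."""
    addr = ipaddress.ip_address(ip)
    if addr in plan["lan_half"]:
        return "lan"
    if addr in plan["vpn_half"]:
        return "vpn"
    return "outside"


if __name__ == "__main__":
    plan = plan_split("129.98.90.0/24", "129.98.90.18", "129.98.90.129")
    for key, value in plan.items():
        print(f"{key}: {value}")
    # The client address seen in the captures would end up on the LAN side of the split.
    print("129.98.90.40 is in the", which_half(plan, "129.98.90.40"), "half")
```

Note that which_half reports the client address from the captures, 129.98.90.40, as belonging to the LAN half; under this layout VPN clients would instead be assigned from the pool in the VPN half and would reach the LAN through the server's tap address as their gateway.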
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
I'm not clear if this means affecting any other devices beyond the SoftEther server and the client. Those are the only computers I can control. I have no control over the router.
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
Using two /25s instead of one /24 requires changing the settings of the router.
-
- Posts: 32
- Joined: Tue Feb 11, 2014 12:22 am
Re: Bridging does not work
I can't change our networking. However, I think I can monitor packets on the virtual adapter in VMware. I'll try my earlier setup, where the pings from the client weren't getting responses from the router, and see if these packets are really on the wire. Something seems fishy about there being no reply to these pings.
-
- Posts: 551
- Joined: Wed Jul 24, 2013 12:09 pm
Re: Bridging does not work
Are you using SELinux?
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: Bridging does not work
Did you enable promiscuous mode in VMware?