From: Peter Whisker <peter.whisker@gmail.com>
To: Simon Rozman <simon@rozman.si>, "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Problems with Windows client
Date: Tue, 24 Nov 2020 10:17:09 +0000
Message-ID: <9f621ce6-ec3d-0641-c359-756d0ad36f65@gmail.com>
In-Reply-To: <2718d8de-42a1-00dc-2932-a4d253d33423@gmail.com>
Hi

I've taken a further look at this today with the latest client 0.3.1. The
issue is establishing a WireGuard connection over a PulseConnect SSLVPN.
The TunSafe client, which works (I'm using an identical configuration on
both it and the WireGuard client), exchanges handshakes and then
keepalives and then starts transporting packets.

My source address is 10.209.29.xxx and my destination address is
158.xxx.xxx.xxx. The config is as below.

After TunSafe starts I see the routing created as:
C:\Users\whiskerp>route print /4 | find "10.2.80.226"
10.2.0.34 255.255.255.254 10.2.80.1 10.2.80.226 125
10.2.1.34 255.255.255.254 10.2.80.1 10.2.80.226 125
10.2.80.0 255.255.255.0 On-link 10.2.80.226 281
10.2.80.226 255.255.255.255 On-link 10.2.80.226 281
10.2.80.255 255.255.255.255 On-link 10.2.80.226 281
10.12.0.0 255.255.254.0 10.2.80.1 10.2.80.226 125
224.0.0.0 240.0.0.0 On-link 10.2.80.226 281
255.255.255.255 255.255.255.255 On-link 10.2.80.226 281
Wireguard client starts and exchanges handshakes, sends a keepalive but
it does not seem to get to the other end. After 25 seconds, a Keepalive
is sent by the other end (and noted by Wireguard at 10:04:41 in the
log). No traffic is sent.
The routing table created by Wireguard is slightly different too:
C:\Users\whiskerp>route print /4 | find "10.2.80.226"
10.2.0.34 255.255.255.254 On-link 10.2.80.226 5
10.2.0.35 255.255.255.255 On-link 10.2.80.226 261
10.2.1.34 255.255.255.254 On-link 10.2.80.226 5
10.2.1.35 255.255.255.255 On-link 10.2.80.226 261
10.2.80.0 255.255.255.0 On-link 10.2.80.226 5
10.2.80.226 255.255.255.255 On-link 10.2.80.226 261
10.2.80.255 255.255.255.255 On-link 10.2.80.226 261
10.12.0.0 255.255.254.0 On-link 10.2.80.226 5
10.12.1.255 255.255.255.255 On-link 10.2.80.226 261
Configuration:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.2.80.226/32
[Peer]
PublicKey = QfjlPwEQa03gx7OYkM3Al8MIrfTx7WY0TT235eg0V1w=
PresharedKey = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
AllowedIPs = 10.2.80.0/24, 10.12.0.0/23, 10.2.0.34/31, 10.2.1.34/31
Endpoint = iris-fw1.xxxxxxxxxx.com:21820
PersistentKeepalive = 25
I can connect with Wireguard to another server across the direct
interface just not via the PulseConnect SSLVPN. Tunsafe works in both cases.
The log is below. I do not see any repeated Handshakes in a Wireguard
capture of all interfaces, just the first one and the one 25 seconds
later from the remote side.
2020-11-24 10:03:45.801982: [TUN] [lhirisseccom01] Starting WireGuard/0.3.1 (Windows 10.0.18363; amd64)
2020-11-24 10:03:45.803758: [TUN] [lhirisseccom01] Watching network interfaces
2020-11-24 10:03:45.809030: [TUN] [lhirisseccom01] Resolving DNS names
2020-11-24 10:03:45.841602: [TUN] [lhirisseccom01] Creating Wintun interface
2020-11-24 10:03:46.003480: [TUN] [lhirisseccom01] [Wintun] CreateAdapter: Creating adapter
2020-11-24 10:03:48.023642: [TUN] [lhirisseccom01] Using Wintun/0.9
2020-11-24 10:03:48.069741: [TUN] [lhirisseccom01] Enabling firewall rules
2020-11-24 10:03:48.161811: [TUN] [lhirisseccom01] Dropping privileges
2020-11-24 10:03:48.165901: [TUN] [lhirisseccom01] Creating interface instance
2020-11-24 10:03:48.171574: [TUN] [lhirisseccom01] Routine: event worker - started
2020-11-24 10:03:48.174280: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.175675: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.178308: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.179950: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.180986: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.181626: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.185430: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.185934: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.186070: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.187147: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.190237: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.194832: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.196508: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.197094: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.198466: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.199475: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.199475: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.200682: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.201256: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.203447: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.205727: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.208147: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.209167: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.210297: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.211810: [TUN] [lhirisseccom01] Routine: TUN reader - started
2020-11-24 10:03:48.216323: [TUN] [lhirisseccom01] Setting interface configuration
2020-11-24 10:03:48.224604: [TUN] [lhirisseccom01] UAPI: Updating private key
2020-11-24 10:03:48.230859: [TUN] [lhirisseccom01] UAPI: Removing all peers
2020-11-24 10:03:48.238534: [TUN] [lhirisseccom01] UAPI: Transition to peer configuration
2020-11-24 10:03:48.253111: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Created
2020-11-24 10:03:48.257120: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Updating preshared key
2020-11-24 10:03:48.257692: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Updating endpoint
2020-11-24 10:03:48.363693: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Updating persistent keepalive interval
2020-11-24 10:03:48.369795: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Removing all allowedips
2020-11-24 10:03:48.401343: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Adding allowedip
2020-11-24 10:03:48.410717: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Adding allowedip
2020-11-24 10:03:48.412264: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Adding allowedip
2020-11-24 10:03:48.412364: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Adding allowedip
2020-11-24 10:03:48.414098: [TUN] [lhirisseccom01] Bringing peers up
2020-11-24 10:03:48.421934: [TUN] [lhirisseccom01] Routine: receive incoming IPv6 - started
2020-11-24 10:03:48.423727: [TUN] [lhirisseccom01] Routine: receive incoming IPv4 - started
2020-11-24 10:03:48.427885: [TUN] [lhirisseccom01] UDP bind has been updated
2020-11-24 10:03:48.428445: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Starting...
2020-11-24 10:03:48.430048: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Routine: sequential receiver - started
2020-11-24 10:03:48.432758: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Routine: sequential sender - started
2020-11-24 10:03:48.434497: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending keepalive packet
2020-11-24 10:03:48.439271: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Routine: nonce worker - started
2020-11-24 10:03:48.439271: [TUN] [lhirisseccom01] Monitoring default v6 routes
2020-11-24 10:03:48.440310: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:03:48.444410: [TUN] [lhirisseccom01] Binding v6 socket to interface 0 (blackhole=false)
2020-11-24 10:03:48.448834: [TUN] [lhirisseccom01] Setting device v6 addresses
2020-11-24 10:03:48.484249: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Awaiting keypair
2020-11-24 10:03:48.501366: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Received handshake response
2020-11-24 10:03:48.505199: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Obtained awaited keypair
2020-11-24 10:03:49.717724: [TUN] [lhirisseccom01] Monitoring default v4 routes
2020-11-24 10:03:49.735153: [TUN] [lhirisseccom01] Binding v4 socket to interface 23 (blackhole=false)
2020-11-24 10:03:49.736441: [TUN] [lhirisseccom01] Setting device v4 addresses
2020-11-24 10:03:51.221490: [TUN] [lhirisseccom01] Listening for UAPI requests
2020-11-24 10:03:51.225480: [TUN] [lhirisseccom01] Startup complete
2020-11-24 10:04:08.258064: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Retrying handshake because we stopped hearing back after 15 seconds
2020-11-24 10:04:08.260207: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:13.543272: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 2)
2020-11-24 10:04:13.545765: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:15.196489: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Receiving keepalive packet
2020-11-24 10:04:18.799504: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 3)
2020-11-24 10:04:18.801789: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:23.881986: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 4)
2020-11-24 10:04:23.883677: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:29.189703: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 5)
2020-11-24 10:04:29.191775: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:32.339743: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Retrying handshake because we stopped hearing back after 15 seconds
2020-11-24 10:04:34.334302: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 2)
2020-11-24 10:04:34.336489: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:39.477027: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 3)
2020-11-24 10:04:39.477590: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:41.821019: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Receiving keepalive packet
2020-11-24 10:04:44.741589: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying
This is very strange.
Thanks
Peter
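The post above carries two pieces of evidence a defender would want to compare mechanically: the two `route print /4` captures (next hop via 10.2.80.1 under TunSafe versus On-link under WireGuard) and a client log in which the first handshake completes, remote keepalives keep arriving, yet every later handshake initiation goes unanswered. The following Python is an added triage helper, not code from the message or from the WireGuard project; it embeds short excerpts of the poster's own route and log output as sample input, and the labels returned by `diagnose()` are this helper's own heuristics, not WireGuard diagnostics.

```python
"""Added triage helper (not part of the original post or of WireGuard):
diff two Windows `route print /4` captures by destination network and
summarise a WireGuard client log's handshake and keepalive events."""
import ipaddress
import re
from collections import Counter

# Excerpts of the poster's `route print /4 | find "10.2.80.226"` output.
ROUTES_TUNSAFE = """\
10.2.0.34 255.255.255.254 10.2.80.1 10.2.80.226 125
10.2.1.34 255.255.255.254 10.2.80.1 10.2.80.226 125
10.2.80.0 255.255.255.0 On-link 10.2.80.226 281
10.12.0.0 255.255.254.0 10.2.80.1 10.2.80.226 125
"""
ROUTES_WIREGUARD = """\
10.2.0.34 255.255.255.254 On-link 10.2.80.226 5
10.2.0.35 255.255.255.255 On-link 10.2.80.226 261
10.2.1.34 255.255.255.254 On-link 10.2.80.226 5
10.2.80.0 255.255.255.0 On-link 10.2.80.226 5
10.12.0.0 255.255.254.0 On-link 10.2.80.226 5
"""

# Excerpt of the poster's client log, one event per line.
SAMPLE_LOG = """\
2020-11-24 10:03:48.434497: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending keepalive packet
2020-11-24 10:03:48.440310: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:03:48.501366: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Received handshake response
2020-11-24 10:04:08.258064: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Retrying handshake because we stopped hearing back after 15 seconds
2020-11-24 10:04:08.260207: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:13.543272: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 2)
2020-11-24 10:04:13.545765: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:15.196489: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Receiving keepalive packet
"""

# Timestamp, "[TUN] [tunnel-name]", optional "peer(...) - " prefix, then the message.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+): \[TUN\] \[[^\]]+\] "
    r"(?:peer\([^)]+\) - )?(?P<msg>.+)$"
)


def parse_routes(text):
    """Map each destination network to (gateway, interface, metric).
    `route print` gives the mask in dotted form; ipaddress normalises the
    destination/mask pair so both tables can be keyed by network."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header or blank line
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        table[net] = (gateway, iface, int(metric))
    return table


def diff_routes(before, after):
    """(prefix, gateway_before, gateway_after) for every network whose next
    hop differs; a network present in only one table shows None for the other."""
    diffs = []
    for net in sorted(set(before) | set(after)):
        gw_before = before[net][0] if net in before else None
        gw_after = after[net][0] if net in after else None
        if gw_before != gw_after:
            diffs.append((str(net), gw_before, gw_after))
    return diffs


def summarize_log(text):
    """Count the handshake and keepalive events that matter for triage."""
    counts = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Sending handshake initiation"):
            counts["initiations"] += 1
        elif msg.startswith("Received handshake response"):
            counts["responses"] += 1
        elif msg.startswith("Sending keepalive packet"):
            counts["keepalives_out"] += 1
        elif msg.startswith("Receiving keepalive packet"):
            counts["keepalives_in"] += 1
        elif "stopped hearing back" in msg or "did not complete" in msg:
            counts["retries"] += 1
    return counts


def diagnose(counts):
    """Heuristic labels (this helper's assumption, not a WireGuard rule):
    inbound keepalives still arriving while our re-handshakes go unanswered
    means the peer can reach us but our outbound packets are not reaching it."""
    if counts["responses"] == 0:
        return "no-response"
    if counts["retries"] and counts["keepalives_in"]:
        return "one-way-after-handshake"
    if counts["retries"]:
        return "session-lost"
    return "healthy"


if __name__ == "__main__":
    for prefix, before, after in diff_routes(parse_routes(ROUTES_TUNSAFE),
                                             parse_routes(ROUTES_WIREGUARD)):
        print(f"{prefix:16} TunSafe via {before}  WireGuard via {after}")
    counts = summarize_log(SAMPLE_LOG)
    print(dict(counts), "->", diagnose(counts))
```

Run against the excerpts, the route diff lists every AllowedIPs prefix whose next hop changed from the SSL VPN gateway 10.2.80.1 to On-link, and the log summary yields one handshake response against three initiations with an inbound keepalive in between, which the helper labels `one-way-after-handshake`. Applying it to a full log and to captures taken with and without the other VPN running narrows a report like this one to either the routing layer or the far side without having to read the log by hand.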