Problems with Windows client over PulseSecure VPN
Peter Whisker
peter.whisker at gmail.com
Thu Nov 26 14:04:05 CET 2020
Hi
I've taken a further look at this today with client 0.3.1. The issue is
establishing a wireguard connection over a PulseConnect SSLVPN.
The Tunsafe client which works (I'm using an identical configuration on
both it and the Wireguard client) exchanges handshakes and then
Keepalives and then starts transporting packets.
My source address is 10.209.29.xxx and my destination address is
158.xxx.xxx.xxx. The config is as below.
After Tunsafe starts I see the routing created as:
C:\Users\whiskerp>route print /4 | find "10.2.80.226"
10.2.0.34 255.255.255.254 10.2.80.1 10.2.80.226 125
10.2.1.34 255.255.255.254 10.2.80.1 10.2.80.226 125
10.2.80.0 255.255.255.0 On-link 10.2.80.226 281
10.2.80.226 255.255.255.255 On-link 10.2.80.226 281
10.2.80.255 255.255.255.255 On-link 10.2.80.226 281
10.12.0.0 255.255.254.0 10.2.80.1 10.2.80.226 125
224.0.0.0 240.0.0.0 On-link 10.2.80.226 281
255.255.255.255 255.255.255.255 On-link 10.2.80.226 281
Wireguard client starts and exchanges handshakes, sends a keepalive but
it does not seem to get to the other end. After 25 seconds, a Keepalive
is sent by the other end (and noted by Wireguard at 10:04:41 in the
log). No traffic is sent.
The routing table created by Wireguard is slightly different too:
C:\Users\whiskerp>route print /4 | find "10.2.80.226"
10.2.0.34 255.255.255.254 On-link 10.2.80.226 5
10.2.0.35 255.255.255.255 On-link 10.2.80.226 261
10.2.1.34 255.255.255.254 On-link 10.2.80.226 5
10.2.1.35 255.255.255.255 On-link 10.2.80.226 261
10.2.80.0 255.255.255.0 On-link 10.2.80.226 5
10.2.80.226 255.255.255.255 On-link 10.2.80.226 261
10.2.80.255 255.255.255.255 On-link 10.2.80.226 261
10.12.0.0 255.255.254.0 On-link 10.2.80.226 5
10.12.1.255 255.255.255.255 On-link 10.2.80.226 261
Configuration:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.2.80.226/32
[Peer]
PublicKey = QfjlPwEQa03gx7OYkM3Al8MIrfTx7WY0TT235eg0V1w=
PresharedKey = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
AllowedIPs = 10.2.80.0/24, 10.12.0.0/23, 10.2.0.34/31, 10.2.1.34/31
Endpoint = iris-fw1.xxxxxxxxxx.com:21820
PersistentKeepalive = 25
I can connect with Wireguard to another server across the direct
interface just not via the PulseConnect SSLVPN. Tunsafe works in both cases.
The log is below. I do not see any repeated Handshakes in a Wireguard
capture of all interfaces, just the first one and the one 25 seconds
later from the remote side.
2020-11-24 10:03:45.801982: [TUN] [lhirisseccom01] Starting WireGuard/0.3.1 (Windows 10.0.18363; amd64)
2020-11-24 10:03:45.803758: [TUN] [lhirisseccom01] Watching network interfaces
2020-11-24 10:03:45.809030: [TUN] [lhirisseccom01] Resolving DNS names
2020-11-24 10:03:45.841602: [TUN] [lhirisseccom01] Creating Wintun interface
2020-11-24 10:03:46.003480: [TUN] [lhirisseccom01] [Wintun] CreateAdapter: Creating adapter
2020-11-24 10:03:48.023642: [TUN] [lhirisseccom01] Using Wintun/0.9
2020-11-24 10:03:48.069741: [TUN] [lhirisseccom01] Enabling firewall rules
2020-11-24 10:03:48.161811: [TUN] [lhirisseccom01] Dropping privileges
2020-11-24 10:03:48.165901: [TUN] [lhirisseccom01] Creating interface instance
2020-11-24 10:03:48.171574: [TUN] [lhirisseccom01] Routine: event worker - started
2020-11-24 10:03:48.174280: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.175675: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.178308: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.179950: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.180986: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.181626: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.185430: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.185934: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.186070: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.187147: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.190237: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.194832: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.196508: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.197094: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.198466: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.199475: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.199475: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.200682: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.201256: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.203447: [TUN] [lhirisseccom01] Routine: encryption worker - started
2020-11-24 10:03:48.205727: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.208147: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.209167: [TUN] [lhirisseccom01] Routine: handshake worker - started
2020-11-24 10:03:48.210297: [TUN] [lhirisseccom01] Routine: decryption worker - started
2020-11-24 10:03:48.211810: [TUN] [lhirisseccom01] Routine: TUN reader - started
2020-11-24 10:03:48.216323: [TUN] [lhirisseccom01] Setting interface configuration
2020-11-24 10:03:48.224604: [TUN] [lhirisseccom01] UAPI: Updating private key
2020-11-24 10:03:48.230859: [TUN] [lhirisseccom01] UAPI: Removing all peers
2020-11-24 10:03:48.238534: [TUN] [lhirisseccom01] UAPI: Transition to peer configuration
2020-11-24 10:03:48.253111: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Created
2020-11-24 10:03:48.257120: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Updating preshared key
2020-11-24 10:03:48.257692: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Updating endpoint
2020-11-24 10:03:48.363693: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Updating persistent keepalive interval
2020-11-24 10:03:48.369795: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Removing all allowedips
2020-11-24 10:03:48.401343: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Adding allowedip
2020-11-24 10:03:48.410717: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Adding allowedip
2020-11-24 10:03:48.412264: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Adding allowedip
2020-11-24 10:03:48.412364: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - UAPI: Adding allowedip
2020-11-24 10:03:48.414098: [TUN] [lhirisseccom01] Bringing peers up
2020-11-24 10:03:48.421934: [TUN] [lhirisseccom01] Routine: receive incoming IPv6 - started
2020-11-24 10:03:48.423727: [TUN] [lhirisseccom01] Routine: receive incoming IPv4 - started
2020-11-24 10:03:48.427885: [TUN] [lhirisseccom01] UDP bind has been updated
2020-11-24 10:03:48.428445: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Starting...
2020-11-24 10:03:48.430048: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Routine: sequential receiver - started
2020-11-24 10:03:48.432758: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Routine: sequential sender - started
2020-11-24 10:03:48.434497: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending keepalive packet
2020-11-24 10:03:48.439271: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Routine: nonce worker - started
2020-11-24 10:03:48.439271: [TUN] [lhirisseccom01] Monitoring default v6 routes
2020-11-24 10:03:48.440310: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:03:48.444410: [TUN] [lhirisseccom01] Binding v6 socket to interface 0 (blackhole=false)
2020-11-24 10:03:48.448834: [TUN] [lhirisseccom01] Setting device v6 addresses
2020-11-24 10:03:48.484249: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Awaiting keypair
2020-11-24 10:03:48.501366: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Received handshake response
2020-11-24 10:03:48.505199: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Obtained awaited keypair
2020-11-24 10:03:49.717724: [TUN] [lhirisseccom01] Monitoring default v4 routes
2020-11-24 10:03:49.735153: [TUN] [lhirisseccom01] Binding v4 socket to interface 23 (blackhole=false)
2020-11-24 10:03:49.736441: [TUN] [lhirisseccom01] Setting device v4 addresses
2020-11-24 10:03:51.221490: [TUN] [lhirisseccom01] Listening for UAPI requests
2020-11-24 10:03:51.225480: [TUN] [lhirisseccom01] Startup complete
2020-11-24 10:04:08.258064: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Retrying handshake because we stopped hearing back after 15 seconds
2020-11-24 10:04:08.260207: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:13.543272: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 2)
2020-11-24 10:04:13.545765: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:15.196489: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Receiving keepalive packet
2020-11-24 10:04:18.799504: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 3)
2020-11-24 10:04:18.801789: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:23.881986: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 4)
2020-11-24 10:04:23.883677: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:29.189703: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 5)
2020-11-24 10:04:29.191775: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:32.339743: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Retrying handshake because we stopped hearing back after 15 seconds
2020-11-24 10:04:34.334302: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 2)
2020-11-24 10:04:34.336489: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:39.477027: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying (try 3)
2020-11-24 10:04:39.477590: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Sending handshake initiation
2020-11-24 10:04:41.821019: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Receiving keepalive packet
2020-11-24 10:04:44.741589: [TUN] [lhirisseccom01] peer(Qfjl…0V1w) - Handshake did not complete after 5 seconds, retrying
This is very strange.
Thanks
Peter