Connected but no ping to gateway and other client.

taxe...@gmail.com

Dec 29, 2017, 5:48:54 AM
to tunnelblick-discuss
I set up an OpenVPN server on Ubuntu, but when I use Tunnelblick, it says the connection succeeded but there is no ping to the host and the other client.
I have closed the firewall. It works fine for Linux and Windows.

This is the log:
2017-12-28 19:50:03 *Tunnelblick: openvpnstart starting OpenVPN
*Tunnelblick: OS X 10.13.2; Tunnelblick 3.7.4b (build 4921)
2017-12-28 19:50:03 *Tunnelblick: Attempting connection with client1 using shadow copy; Set nameserver = 771; monitoring connection
2017-12-28 19:50:03 *Tunnelblick: openvpnstart start client1.tblk 1338 771 0 1 0 1065330 -ptADGNWradsgnw 2.4.4-openssl-1.0.2n
2017-12-28 19:50:04 *Tunnelblick: openvpnstart log:
     Warning: Tunnelblick is using 'openvpn-down-root.so', so the route-pre-down script will not be used. You can override this by providing a custom route-pre-down script (which may be a copy of Tunnelblick's standard route-pre-down script) in a Tunnelblick VPN Configuration. However, that script will not be executed as root unless the 'user' and 'group' options are removed from the OpenVPN configuration file. If the 'user' and 'group' options are removed, then you don't need to use a custom route-pre-down script.Loading tap-signed.kext
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
    
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.4-openssl-1.0.2n/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Sxiaojiang-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sclient1.tblk-SContents-SResources-Sconfig.ovpn.771_0_1_0_1065330.1338.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/xiaojiang/client1.tblk/Contents/Resources
          --setenv
          IV_GUI_VER
          "net.tunnelblick.tunnelblick 4921 3.7.4b (build 4921)"
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Users/xiaojiang/client1.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Users/xiaojiang/client1.tblk/Contents/Resources
          --management
          127.0.0.1
          1338
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw
          --plugin
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.4-openssl-1.0.2n/openvpn-down-root.so
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw

2017-12-28 19:50:04 *Tunnelblick: Established communication with OpenVPN
2017-12-28 19:50:04 OpenVPN 2.4.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Dec  7 2017
2017-12-28 19:50:04 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
2017-12-28 19:50:04 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1338
2017-12-28 19:50:04 Need hold release from management interface, waiting...
2017-12-28 19:50:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1338
2017-12-28 19:50:04 MANAGEMENT: CMD 'pid'
2017-12-28 19:50:04 MANAGEMENT: CMD 'state on'
2017-12-28 19:50:04 MANAGEMENT: CMD 'state'
2017-12-28 19:50:04 MANAGEMENT: CMD 'bytecount 1'
2017-12-28 19:50:04 MANAGEMENT: CMD 'hold release'
2017-12-28 19:50:04 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-12-28 19:50:04 PLUGIN_INIT: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.4-openssl-1.0.2n/openvpn-down-root.so '[/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.4-openssl-1.0.2n/openvpn-down-root.so] [/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh] [-9] [-a] [-d] [-f] [-m] [-w] [-ptADGNWradsgnw]' intercepted=PLUGIN_UP|PLUGIN_DOWN
2017-12-28 19:50:04 TCP/UDP: Preserving recently used remote address: [AF_INET]my-vpn-host:1194
2017-12-28 19:50:04 Socket Buffers: R=[131072->131072] S=[131072->131072]
2017-12-28 19:50:04 Attempting to establish TCP connection with [AF_INET]my-vpn-host:1194 [nonblock]
2017-12-28 19:50:04 MANAGEMENT: >STATE:1514461804,TCP_CONNECT,,,,,,
2017-12-28 19:50:05 TCP connection established with [AF_INET]my-vpn-host:1194
2017-12-28 19:50:05 TCP_CLIENT link local: (not bound)
2017-12-28 19:50:05 TCP_CLIENT link remote: [AF_INET]my-vpn-host:1194
2017-12-28 19:50:05 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2017-12-28 19:50:05 MANAGEMENT: >STATE:1514461805,WAIT,,,,,,
2017-12-28 19:50:05 MANAGEMENT: >STATE:1514461805,AUTH,,,,,,
2017-12-28 19:50:05 TLS: Initial packet from [AF_INET]my-vpn-host:1194, sid=bc038ce9 b0b82906
2017-12-28 19:50:05 VERIFY OK: depth=1, C=CN, ST=SH, L=Shanghai, O=starwin, OU=nini, CN=starwin CA, name=server, emailAddress=chaol...@starwin.com
2017-12-28 19:50:05 VERIFY KU OK
2017-12-28 19:50:05 Validating certificate extended key usage
2017-12-28 19:50:05 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-12-28 19:50:05 VERIFY EKU OK
2017-12-28 19:50:05 VERIFY OK: depth=0, C=CN, ST=SH, L=Shanghai, O=starwin, OU=nini, CN=server, name=server, emailAddress=chaol...@starwin.com
2017-12-28 19:50:05 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-12-28 19:50:05 [server] Peer Connection Initiated with [AF_INET]my-vpn-host:1194
2017-12-28 19:50:06 MANAGEMENT: >STATE:1514461806,GET_CONFIG,,,,,,
2017-12-28 19:50:06 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2017-12-28 19:50:06 PUSH: Received control message: 'PUSH_REPLY,route 10.110.23.0 255.255.255.0,route-gateway 10.110.23.163,ping 10,ping-restart 120,ifconfig 10.110.23.170 255.255.0.0'
2017-12-28 19:50:06 OPTIONS IMPORT: timers and/or timeouts modified
2017-12-28 19:50:06 OPTIONS IMPORT: --ifconfig/up options modified
2017-12-28 19:50:06 OPTIONS IMPORT: route options modified
2017-12-28 19:50:06 OPTIONS IMPORT: route-related options modified
2017-12-28 19:50:06 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2017-12-28 19:50:06 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-12-28 19:50:06 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-12-28 19:50:06 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2017-12-28 19:50:06 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-12-28 19:50:06 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-12-28 19:50:06 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
2017-12-28 19:50:06 TUN/TAP device /dev/tap0 opened
2017-12-28 19:50:06 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-12-28 19:50:06 MANAGEMENT: >STATE:1514461806,ASSIGN_IP,,10.110.23.170,,,,
2017-12-28 19:50:06 /sbin/ifconfig tap0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-12-28 19:50:06 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-12-28 19:50:06 /sbin/ifconfig tap0 10.110.23.170 netmask 255.255.0.0 mtu 1500 up
2017-12-28 19:50:06 PLUGIN_CALL: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.4-openssl-1.0.2n/openvpn-down-root.so/PLUGIN_UP status=0
2017-12-28 19:50:06 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -a -d -f -m -w -ptADGNWradsgnw tap0 1500 1576 10.110.23.170 255.255.0.0 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        NOTE: No network configuration changes need to be made.
                                        WARNING: Will NOT monitor for other network configuration changes.
                                        DNS servers '192.168.31.1' will be used for DNS queries when the VPN is active
                                        NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2017-12-28 19:50:09 *Tunnelblick: No 'connected.sh' script to execute
2017-12-28 19:50:09 MANAGEMENT: >STATE:1514461809,ADD_ROUTES,,,,,,
2017-12-28 19:50:09 /sbin/route add -net 10.110.23.0 10.110.23.163 255.255.255.0
                                        add net 10.110.23.0: gateway 10.110.23.163
2017-12-28 19:50:09 GID set to nogroup
2017-12-28 19:50:09 UID set to nobody
2017-12-28 19:50:09 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-12-28 19:50:09 Initialization Sequence Completed
2017-12-28 19:50:09 MANAGEMENT: >STATE:1514461809,CONNECTED,SUCCESS,10.110.23.170,my-vpn-host,1194,192.168.31.98,51532
2017-12-28 19:50:17 *Tunnelblick: This computer's apparent public IP address (116.247.78.54) was unchanged after the connection was made



server.conf:
port 1194
proto tcp

dev tap
script-security 2
up /etc/openvpn/up.sh

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

ifconfig-pool-persist ipp.txt

server-bridge 10.110.23.163 255.255.0.0 10.110.23.170 10.110.23.200
push "route 10.110.23.0 255.255.255.0"

client-to-client
duplicate-cn
keepalive 10 120
comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log
log-append  openvpn.log
verb 3


client.conf:
client

dev tap
proto tcp

remote my-vpn-host 1194
resolv-retry infinite
nobind

user nobody
group nogroup

persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key

remote-cert-tls server

comp-lzo

verb 3


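Added example, not part of the original post and not Tunnelblick or OpenVPN code: a small Python check that reads the PUSH_REPLY and data-channel lines from the client log above and lists two things a reviewer would look at, namely whether a pushed route falls inside the subnet already configured on the tap interface, and whether the data channel uses a 64-bit block cipher (the condition behind the log's SWEET32 warning). The function names `parse_push_reply` and `review` and the `SMALL_BLOCK_CIPHERS` set are hypothetical names chosen for this example.

```python
import ipaddress
import re

# Three lines copied from the client log in the post above.
LOG = """\
2017-12-28 19:50:06 PUSH: Received control message: 'PUSH_REPLY,route 10.110.23.0 255.255.255.0,route-gateway 10.110.23.163,ping 10,ping-restart 120,ifconfig 10.110.23.170 255.255.0.0'
2017-12-28 19:50:06 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2017-12-28 19:50:06 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
"""

# Ciphers with a 64-bit block, the property behind the log's SWEET32 warning.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_push_reply(log):
    """Return (tap interface address, pushed route networks) from PUSH_REPLY."""
    match = re.search(r"'PUSH_REPLY,([^']*)'", log)
    if match is None:
        raise ValueError("no PUSH_REPLY line in log")
    iface, routes = None, []
    for option in match.group(1).split(","):
        words = option.split()
        if len(words) == 3 and words[0] == "ifconfig":
            iface = ipaddress.ip_interface(f"{words[1]}/{words[2]}")
        elif len(words) >= 3 and words[0] == "route":
            routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
    return iface, routes


def review(log):
    """List points in the log worth a second look; diagnoses nothing by itself."""
    findings = []
    iface, routes = parse_push_reply(log)
    for net in routes:
        # A pushed route inside the subnet already configured on the tap
        # interface duplicates the directly connected network.
        if iface is not None and net.subnet_of(iface.network):
            findings.append(f"pushed route {net} is inside on-link subnet {iface.network}")
    for cipher in sorted(set(re.findall(r"Data Channel: Cipher '([^']+)'", log))):
        if cipher in SMALL_BLOCK_CIPHERS:
            findings.append(f"data channel uses 64-bit block cipher {cipher}")
    return findings


if __name__ == "__main__":
    for finding in review(LOG):
        print(finding)
```

Neither server.conf nor client.conf above sets a `cipher` directive, which is why the log shows BF-CBC on the data channel; the log's own warning names AES-256-CBC as a larger-block alternative.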