<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Tobias,<div><br></div><div>Thanks again for your help.</div><div><br></div><div>I have changed <b>forceencaps</b> to <b>no</b> in /etc/ipsec.conf, saved and rebooted. </div><div>I still get the same errors. Although the "faking NAT situation to enforce UDP encapsulation" is not showing anymore. Is this now something else?</div><div><br></div><div><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:28:58 de-fsn-6 charon: 12[ENC] generating INFORMATIONAL response 24 [ ]</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:28:58 de-fsn-6 charon: 12[NET] sending packet: from 144.76.11x.xxx[4500] to 2.50.157.xxx[4500] (80 bytes)</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:28:59 de-fsn-6 charon: 11[NET] received packet: from 2001:8f8:xxx:xxx:504c:4f39:258e:8191[4500] to 2a01:4f8:192:xxxx::2[4500] (144 bytes)</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:28:59 de-fsn-6 charon: 11[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:28:59 de-fsn-6 charon: 11[IKE] local host is behind NAT, sending keep alives</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font color="#ff0000" face="monospace">Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] received netlink error: Invalid argument (22)</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] unable to update SAD entry with SPI cf20af06</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font color="#ff0000" face="monospace">Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] received netlink error: Invalid argument (22)</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] unable to update SAD entry with SPI 0b13a954</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:28:59 de-fsn-6 charon: 11[ENC] generating INFORMATIONAL response 11 [ N(NATD_S_IP) N(NATD_D_IP) ]</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:28:59 de-fsn-6 charon: 11[NET] sending packet: from 2a01:4f8:xxx:732c::2[4500] to 2001:8f8:xxx:53d3:504c:4f39:xxx:8191[4500] (128 bytes)</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:28:59 de-fsn-6 charon: 01[KNL] creating acquire job for policy 128.116.xxx.3/32[tcp/https] === 10.10.18.xxx/32[tcp/56633] with reqid {2595}</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:28:59 de-fsn-6 charon: 01[CFG] trap not found, unable to acquire reqid 2595</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:29:00 de-fsn-6 charon: 06[NET] received packet: from 2001:8f8:1163:xxxx:504c:4f39:258e:8191[4500] to 2a01:4f8:xxx:xxxx::2[4500] (144 bytes)</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:29:00 de-fsn-6 charon: 06[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:29:00 de-fsn-6 charon: 06[IKE] received retransmit of request with ID 11, retransmitting response</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:29:00 de-fsn-6 charon: 06[NET] sending packet: from 2a01:4f8:192:xxxx::2[4500] to 2001:8f8:1163:53d3:504c:xxxx:258e:8191[4500] (128 bytes)</font></p>
<p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal"><font face="monospace">Jul 7 00:29:01 de-fsn-6 charon: 15[IKE] retransmit 5 of request with message ID 0</font></p><p style="margin:0px;font-stretch:normal;font-size:12px;line-height:normal;font-family:Helvetica"><br></p>It is very strange that the same configuration works with strongSwan 5.7.2 but 5.8.2 throws these errors. Something must have changed that I'm missing, I think.<br>If you see no other possibility, I suppose I have no other choice than disabling IPv6 by setting <b>use_ipv6 = no</b> in <b>/etc/strongswan.d/charon/socket-default.conf</b> <br><br>I was hoping not to do it, as some ISPs might only support IPv6 and by doing that I might cause new problems. What do you think? Maybe I should live with that error. After all, it happens only 5 times a day. What is the most sensible thing to do?</div><div><br></div><div>Many Thanks,</div><div>Houman</div></div></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 6 Jul 2020 at 11:12, Tobias Brunner <<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hi Houman,<br>
<br>
> I could disable *forceencaps=no* but having it enabled helps overcoming<br>
> restrictive firewalls. So maybe it's better for my users if I<br>
> disabled IPv6 instead. Do you agree?<br>
> Or is forcing it not such a big deal after all?<br>
<br>
Depends on the clients. Many will be behind a NAT anyway, others (e.g.<br>
our Android client) will also force UDP encapsulation. Only for<br>
unnatted clients behind restrictive firewalls that can't force it<br>
themselves, will forcing it on the server make a difference.<br>
<br>
> What is strange is that I thought I had disabled ipv6, like this:<br>
> ...<br>
> net.ipv6.conf.all.disable_ipv6 = 1<br>
> net.ipv6.conf.default.disable_ipv6 = 1<br>
<br>
I don't think that affects interfaces that are already up, so you might<br>
have to explicitly set it for the specific interface too.<br>
<br>
> Where do I disable it then?<br>
<br>
You may disable charon.plugins.socket-default.use_ipv6 so the plugin<br>
won't open an IPv6 socket.<br>
<br>
Regards,<br>
Tobias<br>
</blockquote></div>
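<div>Added example, not part of the original thread and not strongSwan code: a small log correlator that pairs each <b>N(UPD_SA_ADDR)</b> request in a charon log with the "unable to update SAD entry" failures on the same thread and reports the peer's address family, to measure how often the failure occurs before deciding whether to set <b>use_ipv6 = no</b>. The host name <b>vpn-gw</b>, the addresses, the SPIs and the function names are constructed for illustration.</div>

```python
import ipaddress
import re

LINE = re.compile(r"^(?P<ts>\w+\s+\d+\s+[\d:]+)\s+\S+\s+charon:\s+(?P<tid>\d+)\[(?P<grp>\w+)\]\s+(?P<msg>.*)$")
RECV = re.compile(r"received packet: from (?P<src>[^\[\s]+)\[\d+\]")
SAD_FAIL = re.compile(r"unable to update SAD entry with SPI (?P<spi>[0-9a-f]+)")

# Constructed sample in charon's syslog format (documentation-range addresses).
SAMPLE_LOG = """\
Jul 7 00:28:59 vpn-gw charon: 11[NET] received packet: from 2001:db8:1::8191[4500] to 2001:db8:2::2[4500] (144 bytes)
Jul 7 00:28:59 vpn-gw charon: 11[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 00:28:59 vpn-gw charon: 11[KNL] received netlink error: Invalid argument (22)
Jul 7 00:28:59 vpn-gw charon: 11[KNL] unable to update SAD entry with SPI c0ffee01
Jul 7 00:28:59 vpn-gw charon: 11[KNL] unable to update SAD entry with SPI 0badf00d
Jul 7 00:29:00 vpn-gw charon: 06[NET] received packet: from 2001:db8:1::8191[4500] to 2001:db8:2::2[4500] (144 bytes)
Jul 7 00:29:00 vpn-gw charon: 06[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 00:29:00 vpn-gw charon: 06[IKE] received retransmit of request with ID 11, retransmitting response
""".splitlines()

def address_family(addr):
    """'IPv4' or 'IPv6'; masked addresses (xxx) fall back to a separator test."""
    try:
        return f"IPv{ipaddress.ip_address(addr).version}"
    except ValueError:
        return "IPv6" if ":" in addr else "IPv4" if "." in addr else "unknown"

def find_failed_mobike_updates(lines):
    """Pair each N(UPD_SA_ADDR) request with SAD update failures on the same thread."""
    last_src, pending, events = {}, {}, []  # per-thread state, keyed by thread id
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        tid, grp, msg = m["tid"], m["grp"], m["msg"]
        if grp == "NET" and (r := RECV.search(msg)):
            last_src[tid] = r["src"]
            pending.pop(tid, None)  # a new packet closes the thread's open event
        elif grp == "ENC" and msg.startswith("parsed") and "N(UPD_SA_ADDR)" in msg:
            src = last_src.get(tid, "unknown")
            pending[tid] = {"time": m["ts"], "peer": src,
                            "family": address_family(src), "failed_spis": []}
        elif grp == "KNL" and tid in pending and (f := SAD_FAIL.search(msg)):
            if not pending[tid]["failed_spis"]:
                events.append(pending[tid])  # record on first failure only
            pending[tid]["failed_spis"].append(f["spi"])
    return events

if __name__ == "__main__":
    for ev in find_failed_mobike_updates(SAMPLE_LOG):
        print(f'{ev["time"]} {ev["family"]} peer {ev["peer"]}: SAD update failed for SPIs {ev["failed_spis"]}')
```

<div>Retransmitted requests that charon answers from its response cache, like the one on thread 06 in the sample, are not counted because no SAD update is attempted for them.</div>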