[strongSwan] CHILD_SA failed on IPv6 tunnel

Jan Engelhardt jengelh at medozas.de
Sun Jun 20 10:06:43 CEST 2010


Hi,


I can't figure out why charon would not want to build a CHILD_SA over
IPv6. The config is exactly the same as the v4 one. (And what's with
"Address family for hostname not supported"?)
Furthermore, initiating v6 from the other side magically works.


borg# rpm -q strongswan
strongswan-4.3.4-4.3.x86_64

borg# cat /etc/ipsec.conf
config setup
        plutostart=no
        uniqueids=no

conn nova4
        left=188.40.89.202
        right=178.63.15.147
        auto=start
        keyexchange=ikev2
        leftcert="/etc/ipsec.d/certs/borg.medozas.de.pem"
        rightcert="/etc/ipsec.d/certs/nova.medozas.de.pem"

conn nova6
        left=2001:470:1f0b:a59::1
        right=2001:470:1f0b:122c::7
        auto=start
        keyexchange=ikev2
        leftcert="/etc/ipsec.d/certs/borg.medozas.de.pem"
        rightcert="/etc/ipsec.d/certs/nova.medozas.de.pem"

(# making sure all connections are down beforehand)
borg# ipsec stroke up nova6
resolving '2001:470:1f0b:a59::1' failed: Address family for hostname not supported
initiating IKE_SA nova6[9] to 2001:470:1f0b:122c::7
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from %any to 2001:470:1f0b:122c::7[500]
received packet: from 2001:470:1f0b:122c::7[500] to 2001:470:1f0b:a59::1[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=DE, CN=nova.medozas.de"
received cert request for "CN=borg.medozas.de"
sending cert request for "CN=borg.medozas.de"
sending cert request for "CN=ares.medozas.de"
sending cert request for "C=DE, CN=nova.medozas.de"
authentication of 'CN=borg.medozas.de' (myself) with RSA signature successful
sending end entity cert "CN=borg.medozas.de"
establishing CHILD_SA nova6
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) ]
sending packet: from 2001:470:1f0b:a59::1[4500] to 2001:470:1f0b:122c::7[4500]
received packet: from 2001:470:1f0b:122c::7[4500] to 2001:470:1f0b:a59::1[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(NO_PROP) ]
received end entity cert "C=DE, CN=nova.medozas.de"
  using trusted certificate "C=DE, CN=nova.medozas.de"
authentication of 'C=DE, CN=nova.medozas.de' with RSA signature successful
scheduling reauthentication in 10171s
maximum IKE_SA lifetime 10711s
IKE_SA nova6[9] established between 2001:470:1f0b:a59::1[CN=borg.medozas.de]...2001:470:1f0b:122c::7[C=DE, CN=nova.medozas.de]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built

borg# ipsec stroke up nova4
initiating IKE_SA nova4[10] to 178.63.15.147
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 188.40.89.202[500] to 178.63.15.147[500]
received packet: from 178.63.15.147[500] to 188.40.89.202[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=DE, CN=nova.medozas.de"
received cert request for "CN=borg.medozas.de"
sending cert request for "CN=borg.medozas.de"
sending cert request for "CN=ares.medozas.de"
sending cert request for "C=DE, CN=nova.medozas.de"
authentication of 'CN=borg.medozas.de' (myself) with RSA signature successful
sending end entity cert "CN=borg.medozas.de"
establishing CHILD_SA nova4
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) ]
sending packet: from 188.40.89.202[4500] to 178.63.15.147[4500]
received packet: from 178.63.15.147[4500] to 188.40.89.202[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "C=DE, CN=nova.medozas.de"
  using trusted certificate "C=DE, CN=nova.medozas.de"
authentication of 'C=DE, CN=nova.medozas.de' with RSA signature successful
scheduling reauthentication in 10087s
maximum IKE_SA lifetime 10627s
IKE_SA nova4[10] established between 188.40.89.202[CN=borg.medozas.de]...178.63.15.147[C=DE, CN=nova.medozas.de]

borg# ipsec status
       nova6[13]: ESTABLISHED 3 seconds ago, 2001:470:1f0b:a59::1[CN=borg.medozas.de]...2001:470:1f0b:122c::7[C=DE, CN=nova.medozas.de]
(no TUNNEL component listed)


Furthermore, initiating the v6 connection from nova itself does
build the CHILD_SA:


(# making sure all connections are down beforehand)
nova# ipsec stroke up borg6
resolving '2001:470:1f0b:122c::7' failed: Address family for hostname not supported
initiating IKE_SA borg6[46] to 2001:470:1f0b:a59::1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from %any to 2001:470:1f0b:a59::1[500]
received packet: from 2001:470:1f0b:a59::1[500] to 2001:470:1f0b:122c::7[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "CN=borg.medozas.de"
received cert request for unknown ca with keyid 17:4f:34:eb:5e:8a:dd:1c:b6:c3:2e:1d:e9:74:a6:16:c0:15:0a:e5
received cert request for "C=DE, CN=nova.medozas.de"
sending cert request for "C=DE, CN=nova.medozas.de"
sending cert request for "CN=borg.medozas.de"
authentication of 'C=DE, CN=nova.medozas.de' (myself) with RSA signature successful
sending end entity cert "C=DE, CN=nova.medozas.de"
establishing CHILD_SA borg6
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) ]
sending packet: from 2001:470:1f0b:122c::7[4500] to 2001:470:1f0b:a59::1[4500]
received packet: from 2001:470:1f0b:a59::1[4500] to 2001:470:1f0b:122c::7[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
received end entity cert "CN=borg.medozas.de"
  using trusted certificate "CN=borg.medozas.de"
authentication of 'CN=borg.medozas.de' with RSA signature successful
scheduling reauthentication in 9928s
maximum IKE_SA lifetime 10468s
IKE_SA borg6[46] established between 2001:470:1f0b:122c::7[C=DE, CN=nova.medozas.de]...2001:470:1f0b:a59::1[CN=borg.medozas.de]

nova# cat /etc/ipsec.conf:
setup config
	plutostart=no
	uniqueids=no

conn borg6
        left=2001:470:1f0b:122c::7
        right=2001:470:1f0b:a59::1 
        auto=start
        keyexchange=ikev2
        leftcert="/etc/ipsec.d/certs/nova.medozas.de.pem"
        rightcert="/etc/ipsec.d/certs/borg.medozas.de.pem"

nova# ipsec status
Security Associations:
       borg6[46]: ESTABLISHED 98 seconds ago, 2001:470:1f0b:122c::7[C=DE, CN=nova.medozas.de]...2001:470:1f0b:a59::1[CN=borg.medozas.de]
       borg6{46}:  INSTALLED, TUNNEL, ESP SPIs: c0cb26bd_i c4896dd9_o
       borg6{46}:   2001:470:1f0b:122c::7/128 === 2001:470:1f0b:a59::1/128 
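A small triage helper, added here as an example (it is not part of the original message or of strongSwan), that parses the two `ipsec stroke up` transcripts above and reports whether the IKE_AUTH response carried CHILD_SA payloads (SA, TSi, TSr) or only a NO_PROPOSAL_CHOSEN notify; the log excerpts are constructed from the lines quoted above, with the address notifies trimmed.

```python
import re

# Constructed excerpts of the transcripts quoted above: borg -> nova over
# IPv6 gets NO_PROPOSAL_CHOSEN in IKE_AUTH, the same run over IPv4 succeeds.
LOG_NOVA6 = """\
resolving '2001:470:1f0b:a59::1' failed: Address family for hostname not supported
initiating IKE_SA nova6[9] to 2001:470:1f0b:122c::7
establishing CHILD_SA nova6
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_PROP) ]
IKE_SA nova6[9] established between 2001:470:1f0b:a59::1[CN=borg.medozas.de]...2001:470:1f0b:122c::7[C=DE, CN=nova.medozas.de]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""

LOG_NOVA4 = """\
initiating IKE_SA nova4[10] to 178.63.15.147
establishing CHILD_SA nova4
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) ]
IKE_SA nova4[10] established between 188.40.89.202[CN=borg.medozas.de]...178.63.15.147[C=DE, CN=nova.medozas.de]
"""


def triage(log):
    """Summarise a charon `ipsec up` transcript: which conn was initiated, whether
    the IKE_SA came up, whether name resolution warned, and whether the IKE_AUTH
    response carried a CHILD_SA (SA + TSi + TSr) or a NO_PROPOSAL_CHOSEN notify."""
    r = {"conn": None, "ike_sa": False, "child_sa": None, "resolve_warning": False}
    for line in log.splitlines():
        m = re.match(r"initiating IKE_SA (\S+)\[\d+\]", line)
        if m:
            r["conn"] = m.group(1)
        if "Address family for hostname not supported" in line:
            r["resolve_warning"] = True
        if re.match(r"IKE_SA \S+\[\d+\] established", line):
            r["ike_sa"] = True
        m = re.match(r"parsed IKE_AUTH response \d+ \[(.*)\]", line)
        if m:
            payloads = m.group(1).split()
            if "N(NO_PROP)" in payloads:
                r["child_sa"] = "rejected"    # peer answered NO_PROPOSAL_CHOSEN
            elif {"SA", "TSi", "TSr"} <= set(payloads):
                r["child_sa"] = "negotiated"  # SA and traffic selectors came back
    return r


if __name__ == "__main__":
    for log in (LOG_NOVA6, LOG_NOVA4):
        print(triage(log))
```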
