[strongSwan] Virtual IP with IPv6

KRAEMER Isabelle isabelle.kraemer at cea.fr
Thu Sep 9 08:48:47 CEST 2010


Hello,

I tried out StrongSwan with IPv6 and had some problems. Perhaps you could
help me?

Here is the scenario. TRINITY is the VPN "client", CYPHER is the VPN
gateway, and TRINITY wants to communicate with SMITH through a VPN
tunnel. Furthermore, I want CYPHER to assign a virtual IPv6 address to
TRINITY (tunnel mode). 

TRINITY
eth1=2002:c130:13c1:440:216:6fff:fe69:6b23/64
||
||
||
||
||
eth0=2002:c130:13c1:110::5/64
CYPHER
eth2=2002:c130:13c1:110:1::ff/64
||
||
||
||
||
eth0=2002:c130:13c1:110:1::fd/64
SMITH

I followed the indications of this page:
http://strongswan.org/uml/testresults4/ipv6/rw-ikev2/ and added to the
configuration the features described here:
http://wiki.strongswan.org/wiki/1/VirtualIp
The VPN tunnel is established and a virtual address is assigned:
user at trinity$ sudo ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.3.4):
  uptime: 5 minutes, since Sep 07 16:01:40 2010
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
  loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc
hmac gmp kernel-netlink stroke updown attr resolv-conf 
Listening IP addresses:
  193.48.19.104
  2002:c130:13c1:440:216:6fff:fe69:6b23
  193.48.19.62
  2002:c130:13c1:113::ff
  193.48.19.54
  2002:c130:13c1:112::ff
  192.168.1.254
Connections:
        home:
2002:c130:13c1:440:216:6fff:fe69:6b23...2002:c130:13c1:110::5
        home:   local:  [C=fr, ST=idf, L=paris, O=r, OU=s, CN=trinity]
uses public key authentication
        home:    cert:  "C=fr, ST=idf, L=paris, O=r, OU=s, CN=trinity"
        home:   remote: [C=fr, ST=idf, L=paris, O=r, OU=s, CN=cypher]
uses any authentication
        home:   child:  dynamic === 2002:c130:13c1:110:1::/96
2002:c130:13c1:114::/64 
Security Associations:
        home[1]: ESTABLISHED 5 minutes ago,
2002:c130:13c1:440:216:6fff:fe69:6b23[C=fr, ST=idf, L=paris, O=r, OU=s,
CN=trinity]...2002:c130:13c1:110::5[C=fr, ST=idf, L=paris, O=r, OU=s,
CN=cypher]
        home[1]: IKE SPIs: f9524f20539ca6b6_i* fa46fbe93da5b508_r,
public key reauthentication in 48 minutes
        home[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
        home{1}:  INSTALLED, TUNNEL, ESP SPIs: ccec6537_i c365a77e_o
        home{1}:  AES_CBC_128/HMAC_SHA1_96, 728 bytes_i (278s ago),
12480 bytes_o (176s ago), rekeying in 9 minutes
        home{1}:   2002:c130:13c1:110:1::/128 ===
2002:c130:13c1:110:1::/96 2002:c130:13c1:114::/64 

TRINITY can ping CYPHER, CYPHER can ping SMITH, but TRINITY cannot ping
SMITH. The ping reply is stuck at CYPHER.eth2. However, forwarding is
enabled for all interfaces of CYPHER, and for eth0 and eth2 in
particular.
user at cypher$ tcpdump -i eth2
16:41:06.402501 IP6 2002:c130:13c1:110:1:: > 2002:c130:13c1:110:1::fd:
ICMP6, echo request, seq 246, length 64
16:41:06.402784 IP6 2002:c130:13c1:110:1::fd > 2002:c130:13c1:110:1:::
ICMP6, echo reply, seq 246, length 64

user at cypher$ tcpdump -i eth0
16:41:15.474373 IP6 2002:c130:13c1:440:216:6fff:fe69:6b23 >
2002:c130:13c1:110::5: ESP(spi=0xc35a7398,seq=0x103), length 148
16:41:15.474423 IP6 2002:c130:13c1:110:1:: > 2002:c130:13c1:110:1::fd:
ICMP6, echo request, seq 255, length 64

I tried out the same scenario without assigning any virtual address to
TRINITY, and everything worked as I wanted (e.g. SMITH and TRINITY can
communicate with each other). So, what's wrong in my configuration for
the tunnel mode? Here is the configuration information for CYPHER and
TRINITY.

# StrongSwan's version on CYPHER #
U4.3.4/k2.6.28-18.generic
# Kernel version on CYPHER #
Ubuntu 2.6.28-18-generic
# ipsec.conf for CYPHER #
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
	crlcheckinterval=180
	strictcrlpolicy=no
	plutostart=no
	charonstart=yes

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2

conn host-host
	left=2002:c130:13c1:110::5
	leftcert=newcert.pem
	leftid="C=fr, ST=idf, L=paris, O=r, OU=s, CN=cypher"
	leftsubnet=2002:c130:13c1:110:1::0/96,2002:c130:13c1:114::0/64
	leftfirewall=yes
	right=%any6
	rightsourceip=2002:c130:13c1:110:1::0/96
	auto=add

include /var/lib/strongswan/ipsec.conf.inc
# Strongswan's version on TRINITY #
U4.3.4/k2.6.28-15.generic
# Kernel version on TRINITY #
Ubuntu 2.6.28-18-generic
# ipsec.conf for TRINITY #
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	crlcheckinterval=180
	strictcrlpolicy=no
	plutostart=no
	charonstart=yes

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2

conn home
	left=2002:c130:13c1:440:216:6fff:fe69:6b23
	leftsourceip=%config
	leftcert=newcert.pem
	leftfirewall=yes
	right=2002:c130:13c1:110::5
	rightsubnet=2002:c130:13c1:110:1::/96,2002:c130:13c1:114::0/64
	rightid="C=fr, ST=idf, L=paris, O=r, OU=s, CN=cypher"
	auto=add



Thank you for your help!
Regards,
Isabelle Kraemer
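Added example, not part of the post, of any reply to it, or of strongSwan itself: a small Python check that parses the conn sections of an ipsec.conf and reports where a rightsourceip pool overlaps the leftsubnet entries or the gateway's own on-link prefixes. The conf text is a constructed copy of the relevant keys of CYPHER's configuration above, and the interface prefixes are an assumption taken from the diagram in the post rather than read from a running system. Whether such an overlap explains the stuck reply is for the list to answer; the check only makes the overlap visible before a tunnel is brought up.

```python
"""Sanity-check a strongSwan virtual IP pool (rightsourceip) against the
prefixes that are local to the gateway or listed in leftsubnet.

Added example, not code from the post or from strongSwan."""
import ipaddress
import re

# Constructed copy of the relevant keys of the CYPHER ipsec.conf from the post.
CYPHER_CONF = """\
config setup
    charonstart=yes

conn %default
    keyexchange=ikev2

conn host-host
    left=2002:c130:13c1:110::5
    leftsubnet=2002:c130:13c1:110:1::0/96,2002:c130:13c1:114::0/64
    right=%any6
    rightsourceip=2002:c130:13c1:110:1::0/96
    auto=add
"""

# Assumption: CYPHER's interface addresses, as drawn in the diagram of the post.
CYPHER_INTERFACES = {
    "eth0": "2002:c130:13c1:110::5/64",
    "eth2": "2002:c130:13c1:110:1::ff/64",
}


def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:
            # 'config setup' keys are not connection parameters; skip that section
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns


def networks(value):
    """Parse a comma separated subnet list; '%config'-style placeholders yield nothing."""
    result = []
    for item in value.split(","):
        item = item.strip()
        if item and not item.startswith("%"):
            result.append(ipaddress.ip_network(item, strict=False))
    return result


def pool_overlaps(conn, interfaces):
    """Return (pool, where, prefix) for every leftsubnet entry or on-link prefix
    that the rightsourceip pool overlaps. An empty list means the pool is disjoint."""
    findings = []
    for pool in networks(conn.get("rightsourceip", "")):
        for sub in networks(conn.get("leftsubnet", "")):
            if pool.overlaps(sub):
                findings.append((str(pool), "leftsubnet", str(sub)))
        for name, cidr in interfaces.items():
            link = ipaddress.ip_interface(cidr).network
            if pool.overlaps(link):
                findings.append((str(pool), f"on-link {name}", str(link)))
    return findings


def assigned_in_pool(address, conn):
    """True if a virtual IP reported by 'ipsec statusall' lies inside the pool."""
    addr = ipaddress.ip_address(address)
    return any(addr in pool for pool in networks(conn.get("rightsourceip", "")))


if __name__ == "__main__":
    conn = parse_conns(CYPHER_CONF)["host-host"]
    # 2002:c130:13c1:110:1:: is the virtual IP shown in the statusall output of the post
    print("virtual IP inside pool:", assigned_in_pool("2002:c130:13c1:110:1::", conn))
    for pool, where, prefix in pool_overlaps(conn, CYPHER_INTERFACES):
        print(f"pool {pool} overlaps {where} {prefix}")
```

Run against the CYPHER configuration, the check reports the pool as identical to the first leftsubnet entry and as contained in the /64 that both eth0 and eth2 carry. Run against the TRINITY side, leftsourceip=%config is a placeholder, so networks() returns nothing for it and no pool is checked there.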