[strongSwan] Dynamic PPPoE-IPv6 IPaddress on WAN interface and StrongSwan-IPSec

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Fri Jul 29 14:56:40 CEST 2011


Hi

I am facing an issue with using strongSwan on a GW with a PPPoE-IPv6 address
(which is a dynamic IPv6 address that keeps changing). The setup is as below:

IPv6-PC1-------[lan]-GW1-[pppoe-ipv6-wan-ip]-----------[pppoe-ipv6]-IPv6-PPPoE-Server/Router-[static-ipv6-addr]-------[static-ipv6-wan-addr]-GW2-[lan]--------IPv6-PC2

- The ipsec tunnel is to be established between GW1 and GW2---all end-to-end
IPv6 (and with combination of IPv4 n/w in LAN too)

- The setup with static-ipv6 ipsec-tunnel works (and also with ipv4 over
ipv6 and vice-versa)

- The interface config on GW1 (the DUT for me here) is as below:

**********************************************************************
root at evm1gw:/# ifconfig
ath0      Link encap:Ethernet  HWaddr 00:03:7F:0B:E6:A4
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::203:7fff:fe0b:e6a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:7 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
eth0      Link encap:Ethernet  HWaddr 00:11:21:23:32:21
          inet6 addr: fe80::211:21ff:fe23:3221/64 Scope:Link
          inet6 addr: fec0::eec8/120 Scope:Site
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:216 errors:0 dropped:0 overruns:0 frame:0
          TX packets:118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18552 (18.1 KiB)  TX bytes:4726 (4.6 KiB)
          Interrupt:53
eth1      Link encap:Ethernet  HWaddr 00:AA:BB:CC:DD:EE
          inet addr:169.254.0.1  Bcast:169.254.255.255  Mask:255.255.0.0
          inet6 addr: fe80::2aa:bbff:fecc:ddee/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:23 errors:0 dropped:1 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:652 (652.0 B)  TX bytes:626 (626.0 B)
          Interrupt:1
eth2      Link encap:Ethernet  HWaddr 00:2A:2B:2C:2D:2E
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2007:ac11:a65:db4::1/64 Scope:Global
          inet6 addr: fe80::22a:2bff:fe2c:2d2e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1474 (1.4 KiB)
          Interrupt:55
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ppp0      Link encap:Point-to-Point Protocol
          inet6 addr: 2003::e9f9:a139:8d82:8ebd/64 Scope:Global
          inet6 addr: fe80::e9f9:a139:8d82:8ebd/10 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:114 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:9860 (9.6 KiB)  TX bytes:250 (250.0 B)
wifi0     Link encap:UNSPEC  HWaddr 00-03-7F-0B-E6-A4-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:68 Memory:d0340000-d0350000
root at evm1gw:/# ip -6 route add default dev ppp0
root at evm1gw:/#
root at evm1gw:/#
root at evm1gw:/# ip -6 route
2003::/64 dev ppp0  proto kernel  metric 256  expires 85995sec mtu 1492 advmss 1432 hoplimit 4294967295
2007:ac11:a65:db4::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ppp0  proto kernel  metric 256  mtu 1492 advmss 1432 hoplimit 4294967295
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ath0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/10 dev ppp0  metric 1  mtu 1492 advmss 1432 hoplimit 4294967295
fe80::/10 dev ppp0  proto kernel  metric 256  mtu 1492 advmss 1432 hoplimit 4294967295
fec0::ee00/120 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
default dev ppp0  metric 1024  mtu 1492 advmss 1432 hoplimit 4294967295
root at evm1gw:/#
root at evm1gw:/# ping6 2003::1
PING 2003::1 (2003::1): 56 data bytes
64 bytes from 2003::1: icmp6_seq=0 ttl=64 time=2.7 ms
^C
--- 2003::1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.7/2.7/2.7 ms
root at evm1gw:/#
root at evm1gw:/# ping6 2006::3
PING 2006::3 (2006::3): 56 data bytes
64 bytes from 2006::3: icmp6_seq=0 ttl=63 time=3.9 ms
64 bytes from 2006::3: icmp6_seq=1 ttl=63 time=3.2 ms
************************************************************************

The ipsec.conf on GW1 is as below:

***********************************************
gw1:/etc# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
        strictcrlpolicy=no
        crlcheckinterval=180
        plutostart=yes
        charonstart=yes
        nat_traversal=yes
conn %default
        ikelifetime=60m
        keylife=30m
        rekeymargin=3m
        keyingtries=1
        mobike=no
conn gwtunnel1
        left=%defaultroute
        leftsubnet=2007:ac11:0a65:db4::/64
        right=2006::3
        rightsubnet=2007:ac12:0a64:db1::/64
        authby=rsasig
        leftcert=evm1gwcertnew.cer
        leftid="/C=IN/ST=AP/L=HYD/O=Mind Inc/OU=QA/CN=evm1gw/emailAddress=postmaster at mind.com"
        rightid="/C=IN/ST=AP/L=HYD/O=DVTTEST/OU=QA/CN=dvtpc2.dvttest.com/emailAddress=postmaster at dvttest.com"
        type=tunnel
        keyexchange=ikev2
        pfs=no
        auto=route
#
*************************************************************

- Now, when I try to start ipsec using the command "ipsec start" or "ipsec
start --nofork", I get the following errors and ipsec is not started on
GW1:

**********************************
root at evm1gw:/etc# vi ipsec.conf 
root at evm1gw:/etc# ipsec start --nofork
Starting strongSwan 4.3.6 IPsec [starter]...
no default route - cannot cope with %defaultroute!!!
# default route not known: left=%defaultroute
  bad argument value in conn 'gwtunnel1'
### 1 parsing error (0 fatal) ###
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID
pluto (9182) started after 20 ms
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac
  including NAT-Traversal patch (Version 0.6c)
Using Linux 2.6 IPsec interface code
loading ca certificates from '/etc/ipsec.d/cacerts'
  loaded ca certificate from '/etc/ipsec.d/cacerts/certnew.cer'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
  loaded crl from 'certcrl.crl'
loading attribute certificates from '/etc/ipsec.d/acerts'
listening for IKE messages
adding interface ath0/ath0 192.168.3.1:500
adding interface ath0/ath0 192.168.3.1:4500
adding interface eth1/eth1 169.254.0.1:500
adding interface eth1/eth1 169.254.0.1:4500
adding interface eth2/eth2 192.168.1.1:500
adding interface eth2/eth2 192.168.1.1:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface ppp0/ppp0 2003::e9f9:a139:8d82:8ebd:500
adding interface eth0/eth0 fec0::eec8:500
adding interface lo/lo ::1:500
adding interface eth2/eth2 2007:ac11:a65:db4::1:500
loading secrets from "/etc/ipsec.secrets"
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "CN=dvttestca" from '/etc/ipsec.d/cacerts/certnew.cer'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/etc/ipsec.d/crls/certcrl.crl'
00[CFG] loading secrets from '/etc/ipsec.secrets'
  loaded private key from 'evm1gwkey.pem'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/evm1gwkey.pem'
00[DMN] loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac kernel-pfkey stroke updown
00[JOB] spawning 16 worker threads
charon (9183) started after 860 ms
^Cshutting down
forgetting secrets
shutting down interface eth2/eth2 2007:ac11:a65:db4::1
shutting down interface lo/lo ::1
shutting down interface eth0/eth0 fec0::eec8
shutting down interface ppp0/ppp0 2003::e9f9:a139:8d82:8ebd
shutting down interface lo/lo 127.0.0.1
shutting down interface lo/lo 127.0.0.1
shutting down interface eth2/eth2 192.168.1.1
shutting down interface eth2/eth2 192.168.1.1
shutting down interface eth1/eth1 169.254.0.1
shutting down interface eth1/eth1 169.254.0.1
shutting down interface ath0/ath0 192.168.3.1
shutting down interface ath0/ath0 192.168.3.1
pluto stopped after 20 ms
00[DMN] signal of type SIGINT received. Shutting down
00[DMN] thread 0 received 4
C library does not support backtrace().
00[DMN] killing ourself, received critical signal
charon stopped after 200 ms
ipsec starter stopped
root at evm1gw:/etc#
root at evm1gw:/etc#
***************************************************************************

- So next, if I change the "ipsec.conf" to the below (by manually copying the
PPPoE-IPv6 address assigned to this GW1 every time I reboot or if the IP
address changes):

************************************
 conn gwtunnel1
        left=2003::e9f9:a139:8d82:8ebd
        leftsubnet=2007:ac11:0a65:db4::/64
        right=2006::3
        rightsubnet=2007:ac12:0a64:db1::/64
        authby=rsasig
        leftcert=evm1gwcertnew.cer
        leftid="/C=IN/ST=AP/L=HYD/O=Mind Inc/OU=QA/CN=evm1gw/emailAddress=postmaster at mind.com"
        rightid="/C=IN/ST=AP/L=HYD/O=DVTTEST/OU=QA/CN=dvtpc2.dvttest.com/emailAddress=postmaster at dvttest.com"
        type=tunnel
        keyexchange=ikev2
        pfs=no
        auto=route
#

**************************************************

- and once again start ipsec. It works now.

So in summary, the "%defaultroute" keyword does not seem to work for
IPv6-PPPoE or IPv6 dynamic connections as it does for IPv4.

So is this a design issue in strongswan?

Please note: the version I am using is 4.3, but I have run a check using 4.5
too and I guess the issue is also observed in all versions higher than 4.3.

regards
rajiv
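As an added example that is not part of the original post or of strongSwan itself, the following POSIX shell script automates the manual workaround the post describes (copying the current ppp0 global IPv6 address into `left=` and reloading), so it could be run from a pppd ipv6-up hook instead of editing ipsec.conf by hand; the conn name, config path, sample interface output and config fragment are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from strongSwan:
# automates the manual workaround described in the post (copying the
# current ppp0 global IPv6 address into "left=") so it can be run from a
# pppd ipv6-up hook whenever the PPPoE address changes.

# Print the first global-scope IPv6 address found in interface output on
# stdin. Accepts both the ifconfig form quoted in the post
# ("inet6 addr: X/64 Scope:Global") and the iproute2 form
# ("inet6 X/64 scope global").
global_v6_addr() {
    awk '$1 == "inet6" {
            if ($2 == "addr:") { a = $3; s = $4 }          # ifconfig layout
            else               { a = $2; s = $3 " " $4 }   # ip -6 addr layout
            if (s == "Scope:Global" || s == "scope global") {
                sub("/.*", "", a); print a; exit
            }
        }'
}

# Rewrite the left= line inside one conn section of an ipsec.conf read on
# stdin; other sections are untouched. Exit status 1 if nothing changed.
#   $1 = conn name, $2 = new left address
set_left() {
    awk -v conn="$1" -v addr="$2" '
        /^conn[ \t]/              { in_conn = ($2 == conn) }
        in_conn && /^[ \t]*left=/ { sub(/=.*/, "=" addr); changed = 1 }
        { print }
        END { exit changed ? 0 : 1 }'
}

# Constructed sample input mirroring the post (values are hypothetical).
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet6 addr: 2003::e9f9:a139:8d82:8ebd/64 Scope:Global
          inet6 addr: fe80::e9f9:a139:8d82:8ebd/10 Scope:Link'
SAMPLE_CONF='conn gwtunnel1
        left=%defaultroute
        leftsubnet=2007:ac11:0a65:db4::/64
        right=2006::3'

# Worked run: extract the address and patch the conn. On a real gateway the
# input would be `ifconfig ppp0` or `ip -6 addr show dev ppp0`, the output
# written back to /etc/ipsec.conf, then `ipsec update` to reload the conn.
update_conf() {
    addr=$(printf '%s\n' "$SAMPLE_IFCONFIG" | global_v6_addr)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$SAMPLE_CONF" | set_left gwtunnel1 "$addr"
}
update_conf
```

Because the script returns non-zero when no global address is present or no `left=` line matched, the hook can refuse to reload a half-edited config rather than leaving the tunnel pointed at a stale address.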