[strongSwan] Dynamic PPPoE-IPv6 IPaddress on WAN interface and StrongSwan-IPSec
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Fri Jul 29 14:56:40 CEST 2011
Hi
I am facing an issue with using strongSwan on a GW with a PPPoE-IPv6 address
(which is a dynamic IPv6 address that keeps changing). The setup is as below:
IPv6-PC1-------[lan]-GW1-[pppoe-ipv6-wan-ip]-----------[pppoe-ipv6]-IPv6-PPPoE-Server/Router-[static-ipv6-addr]-------[static-ipv6-wan-addr]-GW2-[lan]--------IPv6-PC2
- The IPsec tunnel is to be established between GW1 and GW2, all end-to-end
IPv6 (and with a combination of IPv4 networks in the LAN too)
- The setup with a static-IPv6 IPsec tunnel works (and also with IPv4 over
IPv6 and vice versa)
- The interface config on GW1 (the DUT for me here) is as below:
**********************************************************************
root at evm1gw:/# ifconfig
ath0 Link encap:Ethernet HWaddr 00:03:7F:0B:E6:A4
inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
inet6 addr: fe80::203:7fff:fe0b:e6a4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:7 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth0 Link encap:Ethernet HWaddr 00:11:21:23:32:21
inet6 addr: fe80::211:21ff:fe23:3221/64 Scope:Link
inet6 addr: fec0::eec8/120 Scope:Site
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:216 errors:0 dropped:0 overruns:0 frame:0
TX packets:118 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:18552 (18.1 KiB) TX bytes:4726 (4.6 KiB)
Interrupt:53
eth1 Link encap:Ethernet HWaddr 00:AA:BB:CC:DD:EE
inet addr:169.254.0.1 Bcast:169.254.255.255 Mask:255.255.0.0
inet6 addr: fe80::2aa:bbff:fecc:ddee/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:23 errors:0 dropped:1 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:652 (652.0 B) TX bytes:626 (626.0 B)
Interrupt:1
eth2 Link encap:Ethernet HWaddr 00:2A:2B:2C:2D:2E
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 2007:ac11:a65:db4::1/64 Scope:Global
inet6 addr: fe80::22a:2bff:fe2c:2d2e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:1474 (1.4 KiB)
Interrupt:55
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ppp0 Link encap:Point-to-Point Protocol
inet6 addr: 2003::e9f9:a139:8d82:8ebd/64 Scope:Global
inet6 addr: fe80::e9f9:a139:8d82:8ebd/10 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:114 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:9860 (9.6 KiB) TX bytes:250 (250.0 B)
wifi0 Link encap:UNSPEC HWaddr 00-03-7F-0B-E6-A4-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:68 Memory:d0340000-d0350000
root at evm1gw:/# ip -6 route add default dev ppp0
root at evm1gw:/#
root at evm1gw:/#
root at evm1gw:/# ip -6 route
2003::/64 dev ppp0 proto kernel metric 256 expires 85995sec mtu 1492 advmss 1432 hoplimit 4294967295
2007:ac11:a65:db4::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ppp0 proto kernel metric 256 mtu 1492 advmss 1432 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ath0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/10 dev ppp0 metric 1 mtu 1492 advmss 1432 hoplimit 4294967295
fe80::/10 dev ppp0 proto kernel metric 256 mtu 1492 advmss 1432 hoplimit 4294967295
fec0::ee00/120 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
default dev ppp0 metric 1024 mtu 1492 advmss 1432 hoplimit 4294967295
root at evm1gw:/#
root at evm1gw:/# ping6 2003::1
PING 2003::1 (2003::1): 56 data bytes
64 bytes from 2003::1: icmp6_seq=0 ttl=64 time=2.7 ms
^C
--- 2003::1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.7/2.7/2.7 ms
root at evm1gw:/#
root at evm1gw:/# ping6 2006::3
PING 2006::3 (2006::3): 56 data bytes
64 bytes from 2006::3: icmp6_seq=0 ttl=63 time=3.9 ms
64 bytes from 2006::3: icmp6_seq=1 ttl=63 time=3.2 ms
************************************************************************
The ipsec.conf on GW1 is as below:
***********************************************
gw1:/etc# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
    strictcrlpolicy=no
    crlcheckinterval=180
    plutostart=yes
    charonstart=yes
    nat_traversal=yes
conn %default
    ikelifetime=60m
    keylife=30m
    rekeymargin=3m
    keyingtries=1
    mobike=no
conn gwtunnel1
    left=%defaultroute
    leftsubnet=2007:ac11:0a65:db4::/64
    right=2006::3
    rightsubnet=2007:ac12:0a64:db1::/64
    authby=rsasig
    leftcert=evm1gwcertnew.cer
    leftid="/C=IN/ST=AP/L=HYD/O=Mind Inc/OU=QA/CN=evm1gw/emailAddress=postmaster@mind.com"
    rightid="/C=IN/ST=AP/L=HYD/O=DVTTEST/OU=QA/CN=dvtpc2.dvttest.com/emailAddress=postmaster@dvttest.com"
    type=tunnel
    keyexchange=ikev2
    pfs=no
    auto=route
#
*************************************************************
- Now, when I try to start ipsec using the command "ipsec start" or "ipsec
start --nofork", I get the following errors and ipsec is not started on
GW1
**********************************
root at evm1gw:/etc# vi ipsec.conf
root at evm1gw:/etc# ipsec start --nofork
Starting strongSwan 4.3.6 IPsec [starter]...
no default route - cannot cope with %defaultroute!!!
# default route not known: left=%defaultroute
bad argument value in conn 'gwtunnel1'
### 1 parsing error (0 fatal) ###
starter_start_pluto entered
Pluto initialized
Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID
pluto (9182) started after 20 ms
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac
including NAT-Traversal patch (Version 0.6c)
Using Linux 2.6 IPsec interface code
loading ca certificates from '/etc/ipsec.d/cacerts'
loaded ca certificate from '/etc/ipsec.d/cacerts/certnew.cer'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
loaded crl from 'certcrl.crl'
loading attribute certificates from '/etc/ipsec.d/acerts'
listening for IKE messages
adding interface ath0/ath0 192.168.3.1:500
adding interface ath0/ath0 192.168.3.1:4500
adding interface eth1/eth1 169.254.0.1:500
adding interface eth1/eth1 169.254.0.1:4500
adding interface eth2/eth2 192.168.1.1:500
adding interface eth2/eth2 192.168.1.1:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface ppp0/ppp0 2003::e9f9:a139:8d82:8ebd:500
adding interface eth0/eth0 fec0::eec8:500
adding interface lo/lo ::1:500
adding interface eth2/eth2 2007:ac11:a65:db4::1:500
loading secrets from "/etc/ipsec.secrets"
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "CN=dvttestca" from '/etc/ipsec.d/cacerts/certnew.cer'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loaded crl from '/etc/ipsec.d/crls/certcrl.crl'
00[CFG] loading secrets from '/etc/ipsec.secrets'
loaded private key from 'evm1gwkey.pem'
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/evm1gwkey.pem'
00[DMN] loaded plugins: blowfish random x509 pubkey pkcs1 pgp dnskey pem openssl hmac kernel-pfkey stroke updown
00[JOB] spawning 16 worker threads
charon (9183) started after 860 ms
^Cshutting down
forgetting secrets
shutting down interface eth2/eth2 2007:ac11:a65:db4::1
shutting down interface lo/lo ::1
shutting down interface eth0/eth0 fec0::eec8
shutting down interface ppp0/ppp0 2003::e9f9:a139:8d82:8ebd
shutting down interface lo/lo 127.0.0.1
shutting down interface lo/lo 127.0.0.1
shutting down interface eth2/eth2 192.168.1.1
shutting down interface eth2/eth2 192.168.1.1
shutting down interface eth1/eth1 169.254.0.1
shutting down interface eth1/eth1 169.254.0.1
shutting down interface ath0/ath0 192.168.3.1
shutting down interface ath0/ath0 192.168.3.1
pluto stopped after 20 ms
00[DMN] signal of type SIGINT received. Shutting down
00[DMN] thread 0 received 4
C library does not support backtrace().
00[DMN] killing ourself, received critical signal
charon stopped after 200 ms
ipsec starter stopped
root at evm1gw:/etc#
root at evm1gw:/etc#
***************************************************************************
- So next, if I change the "ipsec.conf" to the below (by manually copying the
PPPoE-IPv6 address assigned to this GW1 every time I reboot or the IP
address changes)
************************************
conn gwtunnel1
    left=2003::e9f9:a139:8d82:8ebd
    leftsubnet=2007:ac11:0a65:db4::/64
    right=2006::3
    rightsubnet=2007:ac12:0a64:db1::/64
    authby=rsasig
    leftcert=evm1gwcertnew.cer
    leftid="/C=IN/ST=AP/L=HYD/O=Mind Inc/OU=QA/CN=evm1gw/emailAddress=postmaster@mind.com"
    rightid="/C=IN/ST=AP/L=HYD/O=DVTTEST/OU=QA/CN=dvtpc2.dvttest.com/emailAddress=postmaster@dvttest.com"
    type=tunnel
    keyexchange=ikev2
    pfs=no
    auto=route
#
**************************************************
- and start ipsec once again. It works now.
So, in summary, the "%defaultroute" keyword does not seem to work for
IPv6-PPPoE or IPv6 dynamic connections as it does for IPv4.
So is this a design issue in strongSwan?
Please note: the version I am using is 4.3, but I have run a check using 4.5
too, and I guess the issue is also observed in all versions higher than 4.3
too.
regards
rajiv
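The manual workaround described in the post (copying the ppp0 global address into left= after every reconnect) can be scripted; the hook below is an added example, not code from the post or from strongSwan. It assumes it runs as a pppd ipv6-up hook (pppd exports IFNAME), that the config lives at /etc/ipsec.conf, and that the starter's `ipsec reload` command is used to re-read it.

```shell
#!/bin/sh
# Added example (not strongSwan's code): copy the dynamic global IPv6 address
# of the PPPoE interface into "left=" and reload strongSwan, instead of editing
# ipsec.conf by hand after each PPPoE reconnect. Assumed to be called by pppd
# from /etc/ppp/ipv6-up.d/ (IFNAME is set by pppd); the conf path is an assumption.
CONF=${CONF:-/etc/ipsec.conf}

# Print the first global-scope IPv6 address found in "ifconfig <if>" or
# "ip -6 addr show dev <if>" output read from stdin (prefix length stripped).
ppp6_global_addr() {
    awk '
        $1 == "inet6" && $2 == "addr:" && $4 == "Scope:Global" { a = $3 }  # ifconfig format
        $1 == "inet6" && $3 == "scope" && $4 == "global"       { a = $2 }  # iproute2 format
        a != "" { sub(/\/.*/, "", a); print a; exit }
    '
}

# Rewrite every "left=" line of the conf file to the given address, keeping the
# line's indentation; leftsubnet, leftid, leftcert and the rest stay untouched.
set_left_address() {  # $1 = conf file, $2 = IPv6 address
    sed "s/^\([[:space:]]*left=\).*/\1$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Hook body: leave the config alone while the link has no global address yet
# (a link-local fe80:: address alone cannot reach the peer at 2006::3).
update_ipsec_left() {  # $1 = interface, $2 = conf file
    addr=$(ifconfig "$1" 2>/dev/null | ppp6_global_addr)
    if [ -z "$addr" ]; then
        echo "$1: no global IPv6 address, leaving $2 unchanged" >&2
        return 1
    fi
    set_left_address "$2" "$addr" && ipsec reload   # re-reads the conns with the new left=
}

# Constructed sample in the ifconfig format shown in the post, for offline use.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet6 addr: 2003::e9f9:a139:8d82:8ebd/64 Scope:Global
          inet6 addr: fe80::e9f9:a139:8d82:8ebd/10 Scope:Link'

# Only act when pppd invoked us; sourcing the file just defines the functions.
if [ -n "${IFNAME:-}" ]; then
    update_ipsec_left "$IFNAME" "$CONF"
fi
```

GW2 still has to accept an initiator whose address it cannot know in advance (right=%any on its side); the peer is identified by the certificate DN given in rightid, not by the address, so authby=rsasig keeps the authentication as strong as in the static case.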