[strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing
Adrian Milanoski
amilanoski at blackberry.com
Thu Nov 14 04:57:08 CET 2013
Hi List,
I am having a serious issue with routing IPv6 packets through my GW.
I can ping my GW private side via IPv6, but no packets are seen trying to leave any interface when I ping another system on the internal network.
Configuration is as follows. Note this GW does use IPv4 as well and is for development purposes only.
Client
10.x.x.x
strongSwan
Pub: 10.137.205.x
Internal: fc00::A/16
ipsec.conf

conn %default
        ikelifetime=10m
        keylife=7m
        rekeymargin=3m
        keyingtries=3
        keyexchange=ikev2
        reauth=no
        left=%any
        leftfirewall=yes
        right=%any
        auto=add

conn ikev2_ipv5_to_ipv6_psk_FQDN_Host_to_Subnet
        leftid=ss3ecgdsaDEV.srpvpn.net
        leftsubnet=fc00::/16
        rightsourceip=fc00::2:1/112
        rightid=subnet6user.srpvpn.net
        authby=secret
Results
Client successfully authenticates, gets an IPv6 address and can ping the GW internal IPv6 address.
Client cannot ping anything else but the GW internal address, and NO IPv6 packets are seen leaving any interface.
ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all fc00::2:2/128 fc00::/16 policy match dir in pol ipsec reqid 6 proto esp
ACCEPT all fc00::/16 fc00::2:2/128 policy match dir out pol ipsec reqid 6 proto esp
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ip -s xfrm policy
src fc00::2:2/128 dst fc00::/16 uid 0
dir fwd action allow index 92642 priority 1475 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2013-11-13 21:52:16 use -
tmpl src 10.135.181.149 dst 10.137.205.167
proto esp spi 0x00000000(0) reqid 6(0x00000006) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src fc00::2:2/128 dst fc00::/16 uid 0
dir in action allow index 92632 priority 1475 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2013-11-13 21:52:16 use -
tmpl src 10.135.181.149 dst 10.137.205.167
proto esp spi 0x00000000(0) reqid 6(0x00000006) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src fc00::/16 dst fc00::2:2/128 uid 0
dir out action allow index 92625 priority 1475 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2013-11-13 21:52:16 use -
tmpl src 10.137.205.167 dst 10.135.181.149
proto esp spi 0x00000000(0) reqid 6(0x00000006) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 87099 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2013-11-13 17:14:22 use 2013-11-13 21:52:16
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 87092 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2013-11-13 17:14:22 use 2013-11-13 21:52:16
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 87083 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2013-11-13 17:14:22 use 2013-11-13 20:46:50
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 87076 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2013-11-13 17:14:22 use 2013-11-13 20:46:50
src ::/0 dst ::/0 uid 0
socket in action allow index 87067 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2013-11-13 17:14:22 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 87060 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2013-11-13 17:14:22 use -
src ::/0 dst ::/0 uid 0
socket in action allow index 87051 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2013-11-13 17:14:22 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 87044 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2013-11-13 17:14:22 use -
ip -s xfrm state
src 10.137.205.167 dst 10.135.181.149
proto esp spi 0xb3b3061b(3014854171) reqid 6(0x00000006) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth-trunc hmac(sha1) 0x9c436bee7b2e8e2a13e1fd66679014ec8a141f4e (160 bits) 96
enc cbc(aes) 0xf26295a5e98d5a3a85c561e8ff7d8d3e13f6536d7105f6adefec9925e883d8a1 (256 bits)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 156(sec), hard 420(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2013-11-13 21:52:16 use -
stats:
replay-window 0 replay 0 failed 0
src 10.135.181.149 dst 10.137.205.167
proto esp spi 0xce3b713c(3460002108) reqid 6(0x00000006) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth-trunc hmac(sha1) 0x82d84848a42217aefd74c96d4a28246ddd38cab5 (160 bits) 96
enc cbc(aes) 0x74fe1544112eaaf8d196cfef64859803f7e1231692ad22fb95e8d7ac068f8559 (256 bits)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 174(sec), hard 420(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
9072(bytes), 156(packets)
add 2013-11-13 21:52:16 use 2013-11-13 21:52:17
stats:
replay-window 0 replay 0 failed 0
I am trying to ping FC00::2 and see nothing. Can someone please shed some light on this grim situation for me? Thanks in advance.
Regards,
Adrian Milanoski
Lab Administrator
BBOS WiFI VPN. Security Testing - R&D
4715 Tahoe Blvd, Mississauga, ON, Canada, L4W 0B5
Tel.(289) 261-5801 | Fax.(905) 629-7836
Email amilanoski at blackberry.com<mailto:amilanoski at blackberry.com>
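Added example (not part of the post, and not strongSwan code): a small Python aid that reads the `ip -s xfrm state` and `ip -s xfrm policy` output quoted above and summarises what it says. The embedded sample text is abridged from the post; the gateway public address 10.137.205.167, the client's assigned address fc00::2:2 and the ping target fc00::2 are taken from it. It shows two things a reader can check directly in the output: whether the SA counters are symmetric (here the inbound SA has decrypted 156 packets while the outbound SA has encrypted none, so the gateway receives traffic but never sends anything back through the tunnel), and whether the installed policy selectors actually cover the client-to-target path and the reply path.

```python
"""Summarise `ip -s xfrm state` / `ip -s xfrm policy` output to spot one-way
IPsec traffic.  Added diagnostic aid for the post above, not strongSwan code.
Sample text is abridged from the post; addresses are taken from it."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

GW_PUBLIC = "10.137.205.167"   # from the post: dst of the inbound SA
CLIENT = "fc00::2:2"           # from the post: client address in the policies
TARGET = "fc00::2"             # from the post: the host being pinged

# Abridged from the post's `ip -s xfrm state` output (keys, lifetime config omitted).
XFRM_STATE = """\
src 10.137.205.167 dst 10.135.181.149
\tproto esp spi 0xb3b3061b(3014854171) reqid 6(0x00000006) mode tunnel
\tlifetime current:
\t  0(bytes), 0(packets)
\tadd 2013-11-13 21:52:16 use -
src 10.135.181.149 dst 10.137.205.167
\tproto esp spi 0xce3b713c(3460002108) reqid 6(0x00000006) mode tunnel
\tlifetime current:
\t  9072(bytes), 156(packets)
\tadd 2013-11-13 21:52:16 use 2013-11-13 21:52:17
"""

# Abridged from the post's `ip -s xfrm policy` output (socket policies omitted).
XFRM_POLICY = """\
src fc00::2:2/128 dst fc00::/16 uid 0
\tdir fwd action allow index 92642 priority 1475 share any flag (0x00000000)
\ttmpl src 10.135.181.149 dst 10.137.205.167
\t\tproto esp spi 0x00000000(0) reqid 6(0x00000006) mode tunnel
src fc00::2:2/128 dst fc00::/16 uid 0
\tdir in action allow index 92632 priority 1475 share any flag (0x00000000)
\ttmpl src 10.135.181.149 dst 10.137.205.167
\t\tproto esp spi 0x00000000(0) reqid 6(0x00000006) mode tunnel
src fc00::/16 dst fc00::2:2/128 uid 0
\tdir out action allow index 92625 priority 1475 share any flag (0x00000000)
\ttmpl src 10.137.205.167 dst 10.135.181.149
\t\tproto esp spi 0x00000000(0) reqid 6(0x00000006) mode tunnel
"""


@dataclass
class Record:
    src: str
    dst: str
    direction: str = ""   # in / out / fwd; for SAs inferred from the GW address
    reqid: int = 0
    packets: int = 0
    nbytes: int = 0
    last_use: str = ""    # "-" means the kernel never used this entry


RE_SEL = re.compile(r"^src (\S+) dst (\S+)")              # record start (not "tmpl src")
RE_DIR = re.compile(r"^\s*(?:dir|socket) (in|out|fwd)\b")  # policy direction
RE_REQID = re.compile(r"\breqid (\d+)")
RE_CNT = re.compile(r"^\s*(\d+)\(bytes\), (\d+)\(packets\)")
RE_USE = re.compile(r"^\s*add \S+ \S+ use (.*)$")


def parse_xfrm(text: str, local_addr: Optional[str] = None) -> list[Record]:
    """Parse either command's output into Records.  With local_addr given,
    SAs whose outer dst is the gateway are tagged "in", the rest "out"."""
    records: list[Record] = []
    cur, want_counters = None, False
    for line in text.splitlines():
        if (m := RE_SEL.match(line)):
            cur = Record(src=m.group(1), dst=m.group(2))
            records.append(cur)
            continue
        if cur is None:
            continue
        if (m := RE_DIR.match(line)):
            cur.direction = m.group(1)
        elif (m := RE_REQID.search(line)):
            cur.reqid = int(m.group(1))
        elif "lifetime current:" in line:
            want_counters = True          # counters follow on the next line
        elif want_counters and (m := RE_CNT.match(line)):
            cur.nbytes, cur.packets = int(m.group(1)), int(m.group(2))
            want_counters = False
        elif (m := RE_USE.match(line)):
            cur.last_use = m.group(1).strip()
    if local_addr:
        for r in records:
            if not r.direction:
                r.direction = "in" if r.dst == local_addr else "out"
    return records


def one_way_traffic(sas: list[Record]) -> Optional[str]:
    """Flag a tunnel whose inbound SA carried packets while the outbound SA
    never encrypted anything: the gateway decrypts but never answers."""
    pkts = {d: sum(s.packets for s in sas if s.direction == d) for d in ("in", "out")}
    if pkts["in"] > 0 and pkts["out"] == 0:
        return (f"{pkts['in']} packets decrypted on the inbound SA, 0 encrypted on the "
                "outbound SA: replies never enter the tunnel")
    return None


def policy_for(policies: list[Record], src: str, dst: str, direction: str) -> Optional[Record]:
    """First policy of the given direction whose selector covers src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p.direction == direction
                and s in ipaddress.ip_network(p.src)
                and d in ipaddress.ip_network(p.dst)):
            return p
    return None


def report(state_text: str = XFRM_STATE, policy_text: str = XFRM_POLICY,
           gw: str = GW_PUBLIC, client: str = CLIENT, target: str = TARGET) -> list[str]:
    sas = parse_xfrm(state_text, local_addr=gw)
    pols = parse_xfrm(policy_text)
    out = [f"SA {s.direction:3} reqid {s.reqid} {s.src} -> {s.dst}: "
           f"{s.packets} pkts, last use {s.last_use}" for s in sas]
    out.append(f"{client} -> {target} covered by fwd policy: "
               f"{policy_for(pols, client, target, 'fwd') is not None}")
    out.append(f"{target} -> {client} covered by out policy: "
               f"{policy_for(pols, target, client, 'out') is not None}")
    if (finding := one_way_traffic(sas)):
        out.append("FINDING: " + finding)
    return out


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it as-is to read the posted output, or replace the two sample strings with live `ip -s xfrm state` / `ip -s xfrm policy` captures. The aid only locates where the path breaks (here: packets arrive and are decrypted, the selectors cover both directions, yet nothing is ever encrypted back); why the inner hosts' replies never reach the gateway has to be checked on the gateway and the internal network themselves.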