[strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing

Adrian Milanoski amilanoski at blackberry.com
Tue Nov 19 02:33:28 CET 2013 

Hi Martin,

Sorry for the confusing email...

I have set that IPv6 forwarding on ALL interfaces to be 1

/proc/sys/net/ipv6/conf/all/forwarding
1
cat /proc/sys/net/ipv6/conf/eth0/forwarding
1
cat /proc/sys/net/ipv6/conf/eth1/forwarding
1

Client is assigned the following
inet6 fc00::2:2 ->  prefixlen 64

so client address falls under my IPv6 subent fc00::/64

I can still ping my private interface on my GW from my client 

Client to Private Interface - SUCCSES
ping6 fc00::a
PING6(56=40+8+8 bytes) fc00::2:2 --> fc00::a
16 bytes from fc00::a, icmp_seq=0 hlim=64 time=11 ms
16 bytes from fc00::a, icmp_seq=1 hlim=64 time=9 ms
16 bytes from fc00::a, icmp_seq=2 hlim=64 time=9 ms
16 bytes from fc00::a, icmp_seq=3 hlim=64 time=10 ms
16 bytes from fc00::a, icmp_seq=4 hlim=64 time=9 ms
16 bytes from fc00::a, icmp_seq=5 hlim=64 time=3 ms

--- fc00::a ping6 statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max = 3/8/11 ms
   variance = -558 ms^2

Client to Default GW on Private subnet - FAILS

ping6 fc00::1
PING6(56=40+8+8 bytes) fc00::2:2 --> fc00::1

--- fc00::1 ping6 statistics ---
12 packets transmitted, 0 packets received, 100.0% packet loss

Tcpdump from GW on failed pings

tcpdump -n -i any proto 50 or proto 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
18:14:59.523462 IP 10.135.181.149 > 10.137.205.167: ESP(spi=0xc9265503,seq=0xdd), length 100
18:15:00.523155 IP 10.135.181.149 > 10.137.205.167: ESP(spi=0xc9265503,seq=0xde), length 100
18:15:01.523917 IP 10.135.181.149 > 10.137.205.167: ESP(spi=0xc9265503,seq=0xdf), length 100
18:15:02.523181 IP 10.135.181.149 > 10.137.205.167: ESP(spi=0xc9265503,seq=0xe0), length 100



Is there something else that needs to be set in the kernel for IPv6 to properly forward and route traffic?


Regards,

Adrian Milanoski
Lab Administrator
BBOS WiFI VPN. Security Testing – R&D
Tel.(289) 261-5801 | Cel: (647) 289-261-5801
Email  amilanoski at blackberry.com







-----Original Message-----
From: users-bounces+amilanoski=rim.com at lists.strongswan.org [mailto:users-bounces+amilanoski=rim.com at lists.strongswan.org] On Behalf Of Adrian Milanoski
Sent: Monday, November 18, 2013 2:15 PM
To: Martin Willi
Cc: Users at lists.strongswan.org
Subject: Re: [strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing

HI,

Changed forwarding to 1 on all interfaces now.



Regards,

Adrian Milanoski
Lab Administrator
BBOS WiFI VPN. Security Testing – R&D
Tel.(289) 261-5801 | Cel: (647) 289-261-5801 Email  amilanoski at blackberry.com


rightsourceip=fc00::2:0/64

Subnet on the private side is
FCc00::/64

This should be fine. Should it not?

Is there any other parameter I need to adjust?




-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Monday, November 18, 2013 5:02 AM
To: Adrian Milanoski
Cc: Users at lists.strongswan.org
Subject: Re: [strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing

Hi,

> cat /proc/sys/net/ipv6/conf/eth1/forwarding

And this is true for all involved interfaces?

> > Do LAN hosts know they have to forward rightsourceip addresses over 
> > the gateway? (the farp plugin works for IPv4 only)
> 
> Unsure how to address this. I see my client doing ARP requests, but I 
> never see anything come to my GW.

I assume you are talking about ICMPv6 Neighbor Discovery here?

Your LAN hosts most likely assume that the addresses you hand out to the road warrior are on the local LAN, while they are not. You'll need to allocate the rightsourceip addresses from a dedicated subnet, and make sure that the LAN hosts have a route for them over the IPsec gateway.
This can be an explicit route, or a port of the default route.

Regards
Martin

---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.

More information about the Users mailing list