[strongSwan] rightsubnet with "::/1, 8000::/1" causes updown script failure

Matthias Dahl ml-strongswan at binary-island.eu
Sat Jun 14 13:47:20 CEST 2014


Hello @all...

Given the following config w/ Strongswan 5.1.2:

conn %default
      authby=pubkey
      keyexchange=ikev2
      left=/*PUBLIC_INTERFACE_IP*/
      leftid="O=Private VPN (XXX), CN=XXX"
      leftcert=xxx.cert.pem
      rightca="O=Private VPN (XXX), CN=Private VPN CA (XXX)"

conn remote-access-with-forward
      leftsubnet=0.0.0.0/0,::/1,8000::/1
      leftfirewall=yes
      rightdns=8.8.8.8,8.8.4.4
      rightsourceip=10.8.8.0/24,fd6f:4c2e:97a1:7ce1:9102:33fa:6c00::/104
      auto=add

Results in the following failure (see updown lines):

ipsec[315]: 11[NET] received packet: from /*REMOTE IPv6 IP*/[500] to
/*SERVER IPv6 IP*/[500] (924 bytes)
ipsec[315]: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
ipsec[315]: 11[IKE] /*REMOTE IPv6 IP*/ is initiating an IKE_SA
ipsec[315]: 11[IKE] sending cert request for "O=Private VPN (XXX),
CN=Private VPN CA (XXX)"
ipsec[315]: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
ipsec[315]: 11[NET] sending packet: from /*SERVER IPv6 IP*/[500] to
/*REMOTE IPv6 IP*/[500] (465 bytes)
ipsec[315]: 08[NET] received packet: from /*REMOTE IPv6 IP*/[4500] to
/*SERVER IPv6 IP*/[4500] (2588 bytes)
ipsec[315]: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT)
CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP)
N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
ipsec[315]: 08[IKE] received cert request for "O=Private VPN (XXX),
CN=Private VPN CA (XXX)"
ipsec[315]: 08[IKE] received 1 cert requests for an unknown ca
ipsec[315]: 08[IKE] received end entity cert "O=Private VPN (XXX), CN=XXX"
ipsec[315]: 08[CFG] looking for peer configs matching /*SERVER IPv6
IP*/[O=Private VPN (XXX), CN=/*SERVER IPv6 IP*/].../*REMOTE IPv6
IP*/[O=Private VPN (XXX), CN=XXX]
ipsec[315]: 08[CFG] selected peer config 'remote-access-with-forward'
ipsec[315]: 08[CFG]   using certificate "O=Private VPN (XXX), CN=XXX"
ipsec[315]: 08[CFG]   using trusted ca certificate "O=Private VPN (XXX),
CN=Private VPN CA (XXX)"
ipsec[315]: 08[CFG] checking certificate status of "O=Private VPN (XXX),
CN=XXX"
ipsec[315]: 08[CFG] certificate status is not available
ipsec[315]: 08[CFG]   reached self-signed root ca with a path length of 0
ipsec[315]: 08[IKE] authentication of 'O=Private VPN (XXX), CN=XXX' with
RSA signature successful
ipsec[315]: 08[IKE] peer supports MOBIKE
ipsec[315]: 08[IKE] authentication of 'O=Private VPN (XXX), CN=/*SERVER
IPv6 IP*/' (myself) with RSA signature successful
ipsec[315]: 08[IKE] IKE_SA remote-access-with-forward[1] established
between /*SERVER IPv6 IP*/[O=Private VPN (XXX), CN=/*SERVER IPv6
IP*/].../*REMOTE IPv6 IP*/[O=Private VPN (XXX), CN=khaos@
ipsec[315]: 08[IKE] scheduling reauthentication in 10259s
charon[326]: 08[IKE] CHILD_SA remote-access-with-forward{1} established
with SPIs c2030a26_i cd9a6076_o and TS 0.0.0.0/0 ::/1 8000::/1 ===
10.248.128.1/32 fd6f:4c2e:97a1:7ce1:9102:33fa:6c00:1/128
charon[326]: 08[IKE] CHILD_SA remote-access-with-forward{1} established
with SPIs c2030a26_i cd9a6076_o and TS 0.0.0.0/0 ::/1 8000::/1 ===
10.248.128.1/32 fd6f:4c2e:97a1:7ce1:9102:33fa:6c00:1/128
vpn[437]: + O=Private VPN (XXX), CN=XXX 10.248.128.1/32 == /*REMOTE IPv6
IP*/ -- /*SERVER IPv6 IP*/ == %any/0
charon[326]: 08[CHD] updown: ip6tables v1.4.21: host/network `%any6' not
found
charon[326]: 08[CHD] updown: Try `ip6tables -h' or 'ip6tables --help'
for more information.
charon[326]: 08[CHD] updown: ip6tables v1.4.21: host/network `%any6' not
found
charon[326]: 08[CHD] updown: Try `ip6tables -h' or 'ip6tables --help'
for more information.
vpn[449]: + O=Private VPN (XXX), CN=XXX
fd6f:4c2e:97a1:7ce1:9102:33fa:6c00:1/128 == /*REMOTE IPv6 IP*/ --
/*SERVER IPv6 IP*/ == %any6/1
vpn[461]: + O=Private VPN (XXX), CN=XXX
fd6f:4c2e:97a1:7ce1:9102:33fa:6c00:1/128 == /*REMOTE IPv6 IP*/ --
/*SERVER IPv6 IP*/ == 8000::/1
charon[326]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH
CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_4_ADDR) N(ADD_6_ADDR) ]
charon[326]: 08[NET] sending packet: from /*SERVER IPv6 IP*/[4500] to
/*REMOTE IPv6 IP*/[4500] (2428 bytes)

Suffice to say, there are a few ip6tables rules missing, which results
in no access to the IPv6 outside world for the remote user. :(

Even though it is beside the point, I guess I will give that info
right away: Yes, I am doing IPv6 masquerading for the road warrior as I
only get /64 subnets on this machine.

If anyone can point me to the right spot, I'll have a look and try to
fix this myself. Or maybe I am doing something horribly wrong, in which
case I'd very much appreciate any help as well. :)

Thanks for any hints and advice in advance.

So long,
Matthias

-- 
Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
 services: custom software [desktop, mobile, web], server administration
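The following is an added example, not code from the post or from the strongSwan project, that reproduces what the updown log lines above make visible: the IPv4 `0.0.0.0/0` selector is rendered as `%any/0`, the `::/1` selector as `%any6/1`, and `8000::/1` unchanged, and ip6tables then rejects the `%any6/1` string as a host/network argument. It assumes (a generalization from those three log lines, not something the page states) that any selector whose network address is all zeros is rendered with the `%any`/`%any6` wildcard. The script parses a `leftsubnet` list, flags every entry that would be rendered that way so it can be caught before the conn is loaded, and checks whether the IPv6 entries together cover `::/0`, so an operator can see that `::/1,8000::/1` is a split of the whole IPv6 range. The IPv4 `%any/0` produced no error in the log; the check still reports it so the operator can decide.

```python
import ipaddress

# Constructed from the conn in the post: leftsubnet of remote-access-with-forward.
LEFTSUBNET = "0.0.0.0/0,::/1,8000::/1"


def parse_subnet_list(value):
    """Split a strongSwan leftsubnet/rightsubnet value into ip_network objects.

    strict=True makes a host-bit-set entry (e.g. 10.0.0.1/24) raise instead
    of being silently normalised.
    """
    return [ipaddress.ip_network(item.strip(), strict=True)
            for item in value.split(",") if item.strip()]


def updown_client_string(net):
    """Render a selector the way it appears in the post's updown log.

    Observed there: 0.0.0.0/0 -> '%any/0', ::/1 -> '%any6/1', 8000::/1 -> '8000::/1'.
    Assumption (generalised from those lines): an all-zeros network address
    is printed as the %any / %any6 wildcard followed by the prefix length.
    """
    if int(net.network_address) == 0:
        wildcard = "%any" if net.version == 4 else "%any6"
        return "%s/%d" % (wildcard, net.prefixlen)
    return str(net)


def check_subnets(value):
    """Return (subnet, rendered) pairs whose rendering is a %any wildcard.

    Such strings are not valid host/network arguments for ip(6)tables, which
    is the error the post's log shows for '%any6/1'.
    """
    problems = []
    for net in parse_subnet_list(value):
        rendered = updown_client_string(net)
        if rendered.startswith("%any"):
            problems.append((str(net), rendered))
    return problems


def covers_all_ipv6(nets):
    """True if the IPv6 members of nets merge to exactly ::/0."""
    v6 = [n for n in nets if n.version == 6]
    merged = list(ipaddress.collapse_addresses(v6))
    return merged == [ipaddress.ip_network("::/0")]


if __name__ == "__main__":
    for subnet, rendered in check_subnets(LEFTSUBNET):
        print("would be passed to iptables as %r: %s" % (rendered, subnet))
    nets = parse_subnet_list(LEFTSUBNET)
    print("IPv6 selectors cover ::/0:", covers_all_ipv6(nets))
```

Running it against the post's `leftsubnet` reports `0.0.0.0/0` and `::/1` as wildcard-rendered and confirms that `::/1` plus `8000::/1` is exactly `::/0`; `8000::/1` is left alone, matching the one updown line that succeeded.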
