[strongSwan] rightsubnet with "::/1, 8000::/1" causes updown script failure
Noel Kuntze
noel at familie-kuntze.de
Sat Jun 14 17:36:49 CEST 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Matthias,
You can copy and modify the _updown script in /usr/lib/strongswan/ to suit your needs, if the default one gives you problems.
You can then set the path to the script using leftupdown.
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 14.06.2014 13:47, schrieb Matthias Dahl:
> Hello @all...
>
> Given the following config w/ Strongswan 5.1.2:
>
> conn %default
> authby=pubkey
> keyexchange=ikev2
> left=/*PUBLIC_INTERFACE_IP*/
> leftid="O=Private VPN (XXX), CN=XXX"
> leftcert=xxx.cert.pem
> rightca="O=Private VPN (XXX), CN=Private VPN CA (XXX)"
>
> conn remote-access-with-forward
> leftsubnet=0.0.0.0/0,::/1,8000::/1
> leftfirewall=yes
> rightdns=8.8.8.8,8.8.4.4
> rightsourceip=10.8.8.0/24,fd6f:4c2e:97a1:7ce1:9102:33fa:6c00::/104
> auto=add
>
> Results in the following failure (see updown lines):
>
> ipsec[315]: 11[NET] received packet: from /*REMOTE IPv6 IP*/[500] to
> /*SERVER IPv6 IP*/[500] (924 bytes)
> ipsec[315]: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) ]
> ipsec[315]: 11[IKE] /*REMOTE IPv6 IP*/ is initiating an IKE_SA
> ipsec[315]: 11[IKE] sending cert request for "O=Private VPN (XXX),
> CN=Private VPN CA (XXX)"
> ipsec[315]: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> ipsec[315]: 11[NET] sending packet: from /*SERVER IPv6 IP*/[500] to
> /*REMOTE IPv6 IP*/[500] (465 bytes)
> ipsec[315]: 08[NET] received packet: from /*REMOTE IPv6 IP*/[4500] to
> /*SERVER IPv6 IP*/[4500] (2588 bytes)
> ipsec[315]: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT)
> CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> ipsec[315]: 08[IKE] received cert request for "O=Private VPN (XXX),
> CN=Private VPN CA (XXX)"
> ipsec[315]: 08[IKE] received 1 cert requests for an unknown ca
> ipsec[315]: 08[IKE] received end entity cert "O=Private VPN (XXX), CN=XXX"
> ipsec[315]: 08[CFG] looking for peer configs matching /*SERVER IPv6
> IP*/[O=Private VPN (XXX), CN=/*SERVER IPv6 IP*/].../*REMOTE IPv6
> IP*/[O=Private VPN (XXX), CN=XXX]
> ipsec[315]: 08[CFG] selected peer config 'remote-access-with-forward'
> ipsec[315]: 08[CFG] using certificate "O=Private VPN (XXX), CN=XXX"
> ipsec[315]: 08[CFG] using trusted ca certificate "O=Private VPN (XXX),
> CN=Private VPN CA (XXX)"
> ipsec[315]: 08[CFG] checking certificate status of "O=Private VPN (XXX),
> CN=XXX"
> ipsec[315]: 08[CFG] certificate status is not available
> ipsec[315]: 08[CFG] reached self-signed root ca with a path length of 0
> ipsec[315]: 08[IKE] authentication of 'O=Private VPN (XXX), CN=XXX' with
> RSA signature successful
> ipsec[315]: 08[IKE] peer supports MOBIKE
> ipsec[315]: 08[IKE] authentication of 'O=Private VPN (XXX), CN=/*SERVER
> IPv6 IP*/' (myself) with RSA signature successful
> ipsec[315]: 08[IKE] IKE_SA remote-access-with-forward[1] established
> between /*SERVER IPv6 IP*/[O=Private VPN (XXX), CN=/*SERVER IPv6
> IP*/].../*REMOTE IPv6 IP*/[O=Private VPN (XXX), CN=khaos@
> ipsec[315]: 08[IKE] scheduling reauthentication in 10259s
> charon[326]: 08[IKE] CHILD_SA remote-access-with-forward{1} established
> with SPIs c2030a26_i cd9a6076_o and TS 0.0.0.0/0 ::/1 8000::/1 ===
> 10.248.128.1/32 fd6f:4c2e:97a1:7ce1:9102:33fa:6c00:1/128
> charon[326]: 08[IKE] CHILD_SA remote-access-with-forward{1} established
> with SPIs c2030a26_i cd9a6076_o and TS 0.0.0.0/0 ::/1 8000::/1 ===
> 10.248.128.1/32 fd6f:4c2e:97a1:7ce1:9102:33fa:6c00:1/128
> vpn[437]: + O=Private VPN (XXX), CN=XXX 10.248.128.1/32 == /*REMOTE IPv6
> IP*/ -- /*SERVER IPv6 IP*/ == %any/0
> charon[326]: 08[CHD] updown: ip6tables v1.4.21: host/network `%any6' not
> found
> charon[326]: 08[CHD] updown: Try `ip6tables -h' or 'ip6tables --help'
> for more information.
> charon[326]: 08[CHD] updown: ip6tables v1.4.21: host/network `%any6' not
> found
> charon[326]: 08[CHD] updown: Try `ip6tables -h' or 'ip6tables --help'
> for more information.
> vpn[449]: + O=Private VPN (XXX), CN=XXX
> fd6f:4c2e:97a1:7ce1:9102:33fa:6c00:1/128 == /*REMOTE IPv6 IP*/ --
> /*SERVER IPv6 IP*/ == %any6/1
> vpn[461]: + O=Private VPN (XXX), CN=XXX
> fd6f:4c2e:97a1:7ce1:9102:33fa:6c00:1/128 == /*REMOTE IPv6 IP*/ --
> /*SERVER IPv6 IP*/ == 8000::/1
> charon[326]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH
> CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> charon[326]: 08[NET] sending packet: from /*SERVER IPv6 IP*/[4500] to
> /*REMOTE IPv6 IP*/[4500] (2428 bytes)
>
> Suffice to say, there are a few missing ip6tables rules missing which
> results in no access to the IPv6 outside world for the remote user. :(
>
> Even though it is besides the point but I guess I will get that info
> right away: Yes, I am doing IPv6 masquerading for the road warrior as I
> only get /64 subnets on this machine.
>
> If anyone can point me to the right spot, I'll have a look and try to
> fix this myself. Or maybe I am doing something horribly wrong-- in which
> case I'd very much appreciate any help as well. :)
>
> Thanks for any hints and advice in advance.
>
> So long,
> Matthias
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJTnGwRAAoJEDg5KY9j7GZY0w8P/iUrXVC3eBBx1wX6Wb2mXYQg
JYUhS+xacNEqTGUzkYF2zClDPv3i1HdGoOttG3phBdGzBzmqVcNLSCJqDrO99V0a
7o92s9/THEKBXuaDOX9aH8MaSqLuryzCCbG788LPCazErQkdTW4A9rt2uPxBtYpa
E7jmRVQohhRt9Bv6SPpbrpGLAMjlEvXf0inkGGkP/V0Rksm7B3rPB+QiyZ3KAoDf
PCl2av9CO92VS4XxOihekW/jhmi2N3CR8JL5Zx94mBUsy4X0Dbo4Z6JviaFi1HXV
n0rhHOh/ovZ06v2pNbBpCrR91zUnhOMQd5cPlOaZiSTbzvT+jUcYYMTnLxM6/MvC
GYDF55SbfGDMaGXZ1Pf5TiTq0w2ngyZkADVkBaT87pnSVY5ae5krWkR2x6sWZ76q
8DP79tjtJxGUor37+MTCCzAHKp5FZdVD4DpJ22STW4Y+vb+W1n41gLfkpQwTfOQ6
5WWcCCSrJWQcBMKsfVgBp2LG8F2CoVKjQ+9aPshh8sqkWFmbDTkNW7jy+gW7S+vc
QBRJQnqhW85dfn0d822ZIAPsD1aXccSXPGdxrZBYhrxzpubChYaLQL572rLKEygL
S8xQiFYH400mjfzKt/5wdmJjw30QGFqZqkLRwW3IjAQH5jbC6RSrGBiWfIuFUTyd
mvdhlCweaNTUBHa1ewr6
=PeNn
-----END PGP SIGNATURE-----
More information about the Users
mailing list