[strongSwan] Assigning ipv6 address out of a pool
Alex Sharaz
alex.sharaz at york.ac.uk
Wed Dec 13 12:30:15 CET 2017
Hi,
I've created a pair of ip pools
name            start                end                    timeout  size  online    usage
itservices      172.18.64.2          172.18.64.127          static   126   1 ( 0%)   28 (22%)
itservicesIPv6  2001:630:61:6000::f  2001:630:61:6000::fff  static   4081  0 ( 0%)   2 ( 0%)
My ipsec config is
conn it-services-ikev2
    left=%any
    leftauth=pubkey
    leftcert=vpn.york.ac.uk.pem
    #leftid="C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=vpn.york.ac.uk"
    leftid=@vpn.york.ac.uk
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    leftfirewall=yes
    right=%any
    rightauth=eap-radius
    rightsendcert=never
    rightgroups="Cserv"
    eap_identity=%any
    keyexchange=ikev2
    rightsourceip=%itservices,%itservicesIPv6
    fragmentation=yes
    auto=add
But when I connect to the VPN I'm not getting an IP address assigned out of the pool.
On the client:
root at beebox1:~# ipsec status
Shunted Connections:
Bypass LAN 192.168.1.0/24: 192.168.1.0/24 === 192.168.1.0/24 PASS
Bypass LAN 2001:470:1f1d:c9f::/64: 2001:470:1f1d:c9f::/64 === 2001:470:1f1d:c9f::/64 PASS
Bypass LAN fe80::/64: fe80::/64 === fe80::/64 PASS
Security Associations (1 up, 0 connecting):
as1558-mschap[3]: ESTABLISHED 46 seconds ago, 2001:470:1f1d:c9f:c27c:d1ff:fec0:1843[as1558 at york.ac.uk]...2001:630:61:180::1:c7[vpn.york.ac.uk]
as1558-mschap{4}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: cd3b6b8a_i c1b0d64f_o
as1558-mschap{4}: 172.18.64.7/32 === 0.0.0.0/0 ::/0
On the server:
root at vpn10:/usr/local/etc# less ipsec.conf
root at vpn10:/usr/local/etc# ipsec status
Shunted Connections:
Bypass LAN 10.16.35.120/29: 10.16.35.120/29 === 10.16.35.120/29 PASS
Bypass LAN 144.32.128.0/23: 144.32.128.0/23 === 144.32.128.0/23 PASS
Bypass LAN 2001:630:61:4::/64: 2001:630:61:4::/64 === 2001:630:61:4::/64 PASS
Bypass LAN 2001:630:61:180::/64: 2001:630:61:180::/64 === 2001:630:61:180::/64 PASS
Bypass LAN fe80::/64: fe80::/64 === fe80::/64 PASS
Security Associations (1 up, 0 connecting):
it-services-ikev2[3]: ESTABLISHED 98 seconds ago, 2001:630:61:180::1:c7[vpn.york.ac.uk]...2001:470:1f1d:c9f:c27c:d1ff:fec0:1843[as1558 at york.ac.uk]
it-services-ikev2{4}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c1b0d64f_i cd3b6b8a_o
it-services-ikev2{4}: 0.0.0.0/0 ::/0 === 172.18.64.7/32
And the pool status is:
root at vpn10:/usr/local/etc# ipsec pool --status
dns servers: 144.32.128.243 144.32.128.242
no nbns servers found.
name            start                end                    timeout  size  online    usage
itservices      172.18.64.2          172.18.64.127          static   126   1 ( 0%)   28 (22%)
itservicesIPv6  2001:630:61:6000::f  2001:630:61:6000::fff  static   4081  0 ( 0%)   2 ( 0%)
Staff           172.18.64.128        172.18.64.191          static   64    0 ( 0%)   0 ( 0%)
General         172.18.64.192        172.18.64.254          static   63    0 ( 0%)   1 ( 1%)
What am I doing wrong?
Rgds
Alex