[strongSwan] Problem with IPv4 through IPv6 IKEv2 tunnel

Marco Scholl develop at marco-scholl.de
Thu Jul 6 14:47:40 CEST 2017


Hi,

I have fixed the problem by updating from 5.3 to the latest stable (self-compiled).
Now IPv4 over IPv6 tunnels work fine on Linux and Mac clients. Only Windows
clients couldn't access the network.
When I start a ping on the client side I can see the ESP packets come in on
the server. When I start a ping on the server side I see ESP packets go out from
the server. But I have never seen an ESP packet with a response.

Does anybody have an idea?

greets marco


2017-07-05 23:11 GMT+02:00 Marco Scholl <develop at marco-scholl.de>:

> Hi guys,
>
> I have an IKEv2 roadwarrior setup (U5.3.5/K4.8.0-58-generic) that works
> fine with IPv4 through an IPv4 tunnel.
> But now I also want to allow connections through IPv6. But when I connect
> through IPv6, the tunnel came up and I got the correct IP address..., but I
> didn't get any traffic through it.
>
> When I start a ping on the client side I can see the ESP packets come in. When I
> start a ping on the server side I see ESP packets go out. But I have never seen
> a response ESP packet. When I start xfrm monitor I get these errors:
>
> "Async event  (0x20)  timer expired"
>
> Here is my config:
>
> conn %default
>   fragmentation=yes
>   ikelifetime=1d
>   keylife=20m
>   rekeymargin=3m
>   keyingtries=1
>   keyexchange=ikev2
>   authby=secret
>   right=%any
>   rightid=%any
>   rightsendcert=never
>   rightauth=eap-radius
>   rightsourceip=%radius
>   ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>   esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>   eap_identity=%identity
>
> conn rw
>   auto=add
>   right=%any
>   rightid=%any
>   left=MYIPS
>   leftsubnet=10.0.0.0/8
>   leftfirewall=yes
>   leftauth=pubkey
>   leftcert=MYCERT
>   leftsendcert=always
>   leftid=@MYFQDN
>
> I hope somebody can help.
>
> Greets marco
>