[strongSwan] IPv6 Remote Access
Stephen Ayotte
stephen.ayotte at gmail.com
Tue Jun 6 16:26:54 CEST 2017
Chrome uses an internal name resolver, different from Firefox's. Have you
tried connecting directly to an IPv6 address in Chrome?
e.g. "https://[2607:f8b0:4004:80f::200e]/" <-- this is
https://ipv6.google.com as resolved from my location, but please resolve on
your own so you know I'm not sending you to a nefarious destination :)
On Tue, Jun 6, 2017 at 6:10 AM, Dusan Ilic <dusan at comhem.se> wrote:
> Hello again,
>
> It seems that the issue actually isn't with either Strongswan or Android
> OS. If I'm connected by wifi locally to the LAN, IPv6 works great in every
> way; however, when remotely using the Strongswan Android client to connect, IPv6
> doesn't work in Google Chrome. First I thought it had something to do with
> DNS assignment in Strongswan, but when I try Firefox mobile, IPv6 works. I
> have even ruled out IPv4 by creating a new, separate tunnel with only IPv6
> assignment (and enabling "block IPv4 traffic" in the Strongswan client) and IPv6
> internet still works in Firefox, but not in Google Chrome (DNS names). Also
> I can use other Android apps like ping and ping both IPv6 addresses directly
> and even domain names only having AAAA records.
>
> Any ideas or suggestions why it's behaving like this?
>
>
>
> On 2017-05-31 at 14:13, Dusan Ilic wrote:
>
>> Okay, that's too bad. There isn't any workaround to make IPv6 DNS work on
>> the Android Strongswan client? When pushing an IPv6 DNS server, Strongswan seems to
>> fail to install any DNSes, and just falls back to the
>> mobile/Wifi network's configured DNS servers.
>>
>>
>> On 2017-05-31 at 12:52, Noel Kuntze wrote:
>>
>>> I can access IPv6 here just fine and the IPv4 DNS traffic is NATed to my
>>> local DNS server on my VPN server,
>>> but Android doesn't seem to be able to resolve any names, if I push just
>>> an IPv6 DNS server to it.
>>> It also doesn't send any DNS requests over IPv6.
>>>
>>> I think this is likely a bug in Android, rather than in the strongSwan
>>> app.
>>>
>>> PS: Always send to the list, too (unless it's actually private)
>>>
>>> On 31.05.2017 10:01, Dusan Ilic wrote:
>>>
>>>> I'm experiencing a new problem: somehow DNS is not working as it should
>>>> on IPv6.
>>>> I can see in the Strongswan Android app log that both IPv4 and IPv6
>>>> DNS servers are assigned, according to my configuration in ipsec.conf (both
>>>> are my Strongswan host), but only IPv4 hostnames are resolved. I can ping
>>>> IPv6 addresses only by IP, but cannot access any domain with an AAAA record.
>>>>
>>>> I have tried replacing the IPv6 DNS server with Google's public one too, but
>>>> that doesn't make any difference.
>>>> Even stranger, when assigning both DNS servers it seems that the
>>>> Android client is using the 4G provider's DNS servers instead (no internal
>>>> hostnames on the local DNS resolve); when removing the IPv6 one from rightdns
>>>> it starts working again (however, no IPv6 resolving). Also, only assigning
>>>> an IPv6 DNS server doesn't work either.
>>>>
>>>>
>>>>
>>>> Could this be a bug?
>>>>
>>>>
>>>> On 2017-05-30 at 11:57, Dusan Ilic wrote:
>>>>
>>>>> Okay, I found the issue. The Linux kernel modules for IPsec IPv6 were
>>>>> not loaded, as I hadn't used them before. Loaded them now and it works.
>>>>>
>>>>>
>>>>> On 2017-05-29 at 08:41, dusan at comhem.se wrote:
>>>>>
>>>>>> Hi Noel,
>>>>>>
>>>>>> I have tried both the commands "ping" and "ping6". I can ping other local
>>>>>> hosts and external IPv6 addresses with "ping6".
>>>>>> Unfortunately the commands "iptables6-save" and "sysctl -A | grep
>>>>>> net.ipv6.conf.*forwarding" don't work on my Linux router (not found), but
>>>>>> here is "ip6tables -L -v".
>>>>>>
>>>>>> # ip6tables -L -v
>>>>>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>>>>> pkts bytes target prot opt in out source
>>>>>> destination
>>>>>> 0 0 DROP all any any anywhere
>>>>>> anywhere rt type:0 segsleft:0
>>>>>> 80 12467 ACCEPT all any any anywhere
>>>>>> anywhere state RELATED,ESTABLISHED
>>>>>> 0 0 ACCEPT ipv6-nonxt any any anywhere
>>>>>> anywhere length 40
>>>>>> 0 0 shlimit tcp br0 any anywhere
>>>>>> anywhere tcp dpt:ssh state NEW
>>>>>> 14952 1175K ACCEPT all br0 any anywhere
>>>>>> anywhere
>>>>>> 0 0 ACCEPT all lo any anywhere
>>>>>> anywhere
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp destination-unreachable
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp packet-too-big
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp time-exceeded
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp parameter-problem
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp echo-request
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp echo-reply
>>>>>> 522 37584 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmptype 130
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmptype 131
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmptype 132
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp router-solicitation
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp router-advertisement
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp neighbour-solicitation
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp neighbour-advertisement
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmptype 141
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmptype 142
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmptype 143
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmptype 148
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmptype 149
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmptype 151
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmptype 152
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmptype 153
>>>>>> 0 0 logaccept tcp any any anywhere
>>>>>> anywhere tcp dpt:webcache
>>>>>>
>>>>>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>>>>> pkts bytes target prot opt in out source
>>>>>> destination
>>>>>> 0 0 all vlan847 any
>>>>>> 2001:2002:5ae1:c206:5076:327e:xxx:xxx/128 anywhere
>>>>>> 0 0 DROP all any any anywhere
>>>>>> anywhere rt type:0 segsleft:0
>>>>>> 0 0 ACCEPT all br0 br0 anywhere
>>>>>> anywhere
>>>>>> 0 0 ACCEPT all br1 br1 anywhere
>>>>>> anywhere
>>>>>> 0 0 ACCEPT all br2 br2 anywhere
>>>>>> anywhere
>>>>>> 410 21787 DROP all any any anywhere
>>>>>> anywhere state INVALID
>>>>>> 154K 98M ACCEPT all any any anywhere
>>>>>> anywhere state RELATED,ESTABLISHED
>>>>>> 0 0 DROP all 6rd 6rd anywhere
>>>>>> anywhere
>>>>>> 0 0 ACCEPT ipv6-nonxt any any anywhere
>>>>>> anywhere length 40
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp destination-unreachable
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp packet-too-big
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp time-exceeded
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp parameter-problem
>>>>>> 4620 241K logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp echo-request
>>>>>> 0 0 logaccept ipv6-icmp any any anywhere
>>>>>> anywhere ipv6-icmp echo-reply
>>>>>> 0 0 ACCEPT ipv6-crypt 6rd any anywhere
>>>>>> anywhere
>>>>>> 0 0 ACCEPT udp 6rd any anywhere
>>>>>> anywhere udp dpt:500
>>>>>> 6246 1012K wanin all 6rd any anywhere
>>>>>> anywhere
>>>>>> 5040 646K wanout all any 6rd anywhere
>>>>>> anywhere
>>>>>> 5040 646K ACCEPT all br0 any anywhere
>>>>>> anywhere
>>>>>> 0 0 ACCEPT all br1 any anywhere
>>>>>> anywhere
>>>>>> 0 0 ACCEPT all br2 any anywhere
>>>>>> anywhere
>>>>>> 0 0 ACCEPT all br0 6rd anywhere
>>>>>> anywhere
>>>>>> 0 0 ACCEPT all br1 6rd anywhere
>>>>>> anywhere
>>>>>> 0 0 ACCEPT all br2 6rd anywhere
>>>>>> anywhere
>>>>>>
>>>>>> Chain OUTPUT (policy ACCEPT 3 packets, 363 bytes)
>>>>>> pkts bytes target prot opt in out source
>>>>>> destination
>>>>>> 0 0 DROP all any any anywhere
>>>>>> anywhere rt type:0 segsleft:0
>>>>>>
>>>>>> Chain logaccept (30 references)
>>>>>> pkts bytes target prot opt in out source
>>>>>> destination
>>>>>> 4769 253K LOG all any any anywhere
>>>>>> anywhere state NEW limit: avg 1/sec burst 5 LOG level warning
>>>>>> tcp-sequence tcp-options ip-options macdecode prefix "ACCEPT "
>>>>>> 5306 292K ACCEPT all any any anywhere
>>>>>> anywhere
>>>>>>
>>>>>> Chain logdrop (0 references)
>>>>>> pkts bytes target prot opt in out source
>>>>>> destination
>>>>>> 0 0 LOG all any any anywhere
>>>>>> anywhere state NEW limit: avg 1/sec burst 5 LOG level warning
>>>>>> tcp-sequence tcp-options ip-options macdecode prefix "DROP "
>>>>>> 0 0 DROP all any any anywhere
>>>>>> anywhere
>>>>>>
>>>>>> Chain logreject (0 references)
>>>>>> pkts bytes target prot opt in out source
>>>>>> destination
>>>>>> 0 0 LOG all any any anywhere
>>>>>> anywhere limit: avg 1/sec burst 5 LOG level warning
>>>>>> tcp-sequence tcp-options ip-options macdecode prefix "REJECT "
>>>>>> 0 0 REJECT tcp any any anywhere
>>>>>> anywhere reject-with tcp-reset
>>>>>>
>>>>>> Chain shlimit (1 references)
>>>>>> pkts bytes target prot opt in out source
>>>>>> destination
>>>>>> 0 0 all any any anywhere
>>>>>> anywhere recent: SET name: shlimit side: source
>>>>>> 0 0 DROP all any any anywhere
>>>>>> anywhere recent: UPDATE seconds: 60 hit_count: 4 name: shlimit
>>>>>> side: source
>>>>>>
>>>>>> Chain wanin (1 references)
>>>>>> pkts bytes target prot opt in out source
>>>>>> destination
>>>>>>
>>>>>> Chain wanout (1 references)
>>>>>> pkts bytes target prot opt in out source
>>>>>> destination
>>>>>>
>>>>>> # ipsec statusall vpn-ipv6
>>>>>> Status of IKE charon daemon (strongSwan 5.5.1, Linux 2.6.36.4brcmarm,
>>>>>> armv7l):
>>>>>> uptime: 11 hours, since May 28 18:35:50 2017
>>>>>> malloc: sbrk 831488, mmap 0, used 416048, free 415440
>>>>>> worker threads: 10 of 16 idle, 6/0/0/0 working, job queue:
>>>>>> 0/0/0/0, scheduled: 13
>>>>>> loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish
>>>>>> rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1
>>>>>> pkcs8 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp gmpdh agent xcbc
>>>>>> cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve
>>>>>> socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5
>>>>>> eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led
>>>>>> duplicheck addrblock unity
>>>>>> Listening IP addresses:
>>>>>> 85.24.xx.xx
>>>>>> 2001:2002:5ae1:xxx::xx
>>>>>> Connections:
>>>>>> vpn-ipv6: %any...%any IKEv2, dpddelay=300s
>>>>>> vpn-ipv6: local: [vpn.joksi.net] uses public key
>>>>>> authentication
>>>>>> vpn-ipv6: remote: uses EAP_MSCHAPV2 authentication with EAP
>>>>>> identity 'dulemis3'
>>>>>> vpn-ipv6: child: 2000::/3 === dynamic TUNNEL, dpdaction=clear
>>>>>> Security Associations (4 up, 0 connecting):
>>>>>> vpn-ipv6[26]: ESTABLISHED 2 minutes ago,
>>>>>> 85.24.xx.xx[x]...94.234.xx.xx[x]
>>>>>> vpn-ipv6[26]: IKEv2 SPIs: a7ac5d658a4a39ac_i
>>>>>> 278aaa324f402aaa_r*, public key reauthentication in 2 hours
>>>>>> vpn-ipv6[26]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_H
>>>>>> MAC_SHA1/MODP_3072
>>>>>> vpn-ipv6{1622}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs:
>>>>>> c9edd06c_i 66f8c36e_o
>>>>>> vpn-ipv6{1622}: AES_CBC_128/HMAC_SHA2_256_128, 11600 bytes_i,
>>>>>> 0 bytes_o, rekeying in 39 minutes
>>>>>> vpn-ipv6{1622}: 2000::/3 === 2001:2002:5ae1:c206:5076:327e:
>>>>>> xx:xx/128
>>>>>>
>>>>>> conn vpn-ikev2
>>>>>> auto=add
>>>>>> reauth=yes
>>>>>> dpdaction=clear
>>>>>> dpddelay=300s
>>>>>> mobike=yes
>>>>>>
>>>>>> leftid=xxx
>>>>>> leftsubnet=0.0.0.0/0,2000::/3
>>>>>> leftauth=pubkey
>>>>>>
>>>>>> right=%any
>>>>>> rightsubnet=%dynamic
>>>>>> rightsourceip=%dhcp,2001:2002:5ae1:c206:5076:327e:xxx:xxx
>>>>>> rightauth=eap-mschapv2
>>>>>>
>>>>>> eap_identity=%any
>>>>>>
>>>>>> ----Original message----
>>>>>>> From : noel.kuntze+strongswan-users-ml at thermi.consulting
>>>>>>> Date : 29/05/2017 - 00:16 (V)
>>>>>>> To : dusan at comhem.se, users at lists.strongswan.org
>>>>>>> Subject : Re: [strongSwan] IPv6 Remote Access
>>>>>>>
>>>>>>> Hello Dusan,
>>>>>>>
>>>>>>> On 28.05.2017 19:24, Dusan Ilic wrote:
>>>>>>>
>>>>>>>> Hi Noel,
>>>>>>>>
>>>>>>>> The IPv6 prefix is on link, so I've tried adding a static NDP record;
>>>>>>>> when pinging from a local host before adding the static record it says
>>>>>>>> "destination host unreachable", but after adding it it says "request timed
>>>>>>>> out".
>>>>>>>>
>>>>>>>> When I try pinging the client from the strongswan host I get the
>>>>>>>> following error:
>>>>>>>> ping6: sendto: Address family not supported by protocol
>>>>>>>>
>>>>>>> What command are you trying to use?
>>>>>>>
>>>>>>>> Strongswan now added a route for the IPv6 address out the correct
>>>>>>>> WAN interface, and I have added an input and forward rule in ip6tables
>>>>>>>> accepting traffic. I can see in "ipsec statusall" that the incoming packet
>>>>>>>> counter is increasing, but not the outgoing.
>>>>>>>>
>>>>>>> Provide `ip6tables-save`, your ipsec.conf, `ipsec statusall` and
>>>>>>> `sysctl -A | grep net.ipv6.conf.*forwarding`.
>>>>>>>
>>>>>>> Kind regards
>>>>>>>
>>>>>>> Noel
>>>>>>>
>>>>>>> On 2017-05-26 at 17:47, Noel Kuntze wrote:
>>>>>>>>
>>>>>>>>> Hello Dusan,
>>>>>>>>>
>>>>>>>>> On 26.05.2017 16:52, Dusan Ilic wrote:
>>>>>>>>>
>>>>>>>>>> Hi everyone,
>>>>>>>>>>
>>>>>>>>>> My ISP has just recently enabled IPv6 in their network (well,
>>>>>>>>>> 6RD actually) and I have it configured and working at the site.
>>>>>>>>>> I would now also like to enable it on my remote access VPN in
>>>>>>>>>> Strongswan too, so I made a try with the following config; however, it doesn't
>>>>>>>>>> seem to work. According to the Strongswan log the client asks for IPv6 (Android in
>>>>>>>>>> this case) and gets assigned one (global from my public prefix).
>>>>>>>>>>
>>>>>>>>>> leftsubnet=0.0.0.0/0,2000::/3 (also tried with ::/0)
>>>>>>>>>> rightsourceip=%dhcp,2001:2002:5ae1:c206:4466:d122:xxx:xxx
>>>>>>>>>>
>>>>>>>>>> This is a test, so that's why I'm only assigning one single IPv6
>>>>>>>>>> address for the time being. IPv4 works as expected, but I can neither
>>>>>>>>>> reach an IPv6 internet site nor ping the gateway or the Android client from
>>>>>>>>>> the gateway/clients behind the gateway.
>>>>>>>>>>
>>>>>>>>> Check if the IPv6 packets make it to the strongSwan host. And then
>>>>>>>>> make sure those IPv6 addresses are routed over the strongSwan host. If the
>>>>>>>>> subnet they're from is on the link,
>>>>>>>>> you'll need to do proxy NDP on the strongSwan host, with
>>>>>>>>> either static records in the NDP table on the strongSwan host or by using
>>>>>>>>> and configuring ndppd[1] on the strongSwan host.
>>>>>>>>>
>>>>>>>>>> What I'm reacting to is that a route gets created for the IPv4
>>>>>>>>>> address in my routing table, but none for the IPv6 address. Also checked with
>>>>>>>>>> "ip -6 route".
>>>>>>>>>> Is this a routing problem possibly, or maybe a firewall
>>>>>>>>>> (iptables) problem?
>>>>>>>>>>
>>>>>>>>> The latter maybe. IPv6 traffic goes through ip6tables, not
>>>>>>>>> iptables.
>>>>>>>>>
>>>>>>>>>> Just to be clear, the client is connecting to the Strongswan
>>>>>>>>>> server with IPv4, should receive an IPv6 global address inside the tunnel
>>>>>>>>>> and then my Strongswan server should route it out on the internet (through
>>>>>>>>>> the 6RD tunnel).
>>>>>>>>>>
>>>>>>>>> Read the FAQ[2], too.
>>>>>>>>>
>>>>>>>>> Kind regards
>>>>>>>>>
>>>>>>>>> Noel
>>>>>>>>>
>>>>>>>>> [1] https://github.com/DanielAdolfsson/ndppd
>>>>>>>>> [2] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IPsec-and-iptablesnftables
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>
>
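The routing advice in this thread (proxy NDP when the client address is taken from a prefix that is on-link on the WAN interface, plain forwarding when the prefix is routed to the gateway) is easy to get wrong on a router like the one above. The following script is an added example, not code from the thread or from the strongSwan project: it takes a constructed snapshot of the gateway's IPv6 state and lists the host-side changes that would still be needed for a given rightsourceip address. The interface name 6rd comes from the ip6tables output above; the /64 prefix length, the documentation addresses (2001:db8::/32), and the sysctl and `ip -6 neigh add proxy` commands are the example's own assumptions about the host.

```python
# Added example (not code from this thread or from the strongSwan project):
# work out which host-side changes a strongSwan gateway still needs so that the
# IPv6 address it hands to a remote-access client (rightsourceip) is reachable
# from the WAN side. Two cases, following Noel's advice in the thread: an address
# from a prefix that is on-link on the WAN interface needs proxy NDP; an address
# from a prefix routed to the gateway only needs forwarding. All state below is a
# constructed snapshot with documentation addresses (2001:db8::/32), not live data.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class GatewayState:
    """Constructed snapshot of the gateway's IPv6 configuration (assumed layout)."""
    wan_if: str                                      # WAN interface name (the 6rd tunnel here)
    onlink_prefixes: list                            # IPv6Network objects on-link on wan_if
    forwarding: bool                                 # net.ipv6.conf.all.forwarding == 1
    proxy_ndp: bool                                  # net.ipv6.conf.<wan_if>.proxy_ndp == 1
    proxy_entries: set = field(default_factory=set)  # IPv6Address objects already proxied


def onlink_prefix_for(addr, state):
    """Return the on-link prefix containing addr, or None when the address is routed."""
    addr = ipaddress.IPv6Address(addr)
    for prefix in state.onlink_prefixes:
        if addr in prefix:
            return prefix
    return None


def needs_proxy_ndp(addr, state):
    """True when the upstream router will try to resolve addr with Neighbor Discovery."""
    return onlink_prefix_for(addr, state) is not None


def plan_changes(client_addr, state):
    """Shell commands still needed for client_addr; an empty list means nothing to do.

    strongSwan installs the /128 route into the tunnel itself (the thread shows that
    route appearing once the IPv6 IPsec modules are loaded), so only the WAN-side
    pieces are planned here.
    """
    addr = ipaddress.IPv6Address(client_addr)
    cmds = []
    if not state.forwarding:
        # Without forwarding, decapsulated IPv6 packets are never relayed to the WAN.
        cmds.append("sysctl -w net.ipv6.conf.all.forwarding=1")
    if needs_proxy_ndp(addr, state):
        # The next hop sees the client address as a neighbour on its own link, so the
        # gateway must answer neighbour solicitations for it. A static proxy entry is
        # used here; ndppd automates the same thing for whole prefixes.
        if not state.proxy_ndp:
            cmds.append(f"sysctl -w net.ipv6.conf.{state.wan_if}.proxy_ndp=1")
        if addr not in state.proxy_entries:
            cmds.append(f"ip -6 neigh add proxy {addr} dev {state.wan_if}")
    return cmds


# Constructed sample states. ONLINK mirrors the thread: the client address is taken
# from the same /64 that the WAN interface itself sits in, and nothing is set up yet.
ONLINK_GATEWAY = GatewayState(
    wan_if="6rd",
    onlink_prefixes=[ipaddress.IPv6Network("2001:db8:1::/64")],
    forwarding=False,
    proxy_ndp=False,
)
# DONE: same layout, but forwarding, proxy_ndp and the proxy entry are already in place.
DONE_GATEWAY = GatewayState(
    wan_if="6rd",
    onlink_prefixes=[ipaddress.IPv6Network("2001:db8:1::/64")],
    forwarding=True,
    proxy_ndp=True,
    proxy_entries={ipaddress.IPv6Address("2001:db8:1::10")},
)
# ROUTED: the client prefix is routed to the gateway, so forwarding alone suffices.
ROUTED_GATEWAY = GatewayState(
    wan_if="6rd",
    onlink_prefixes=[ipaddress.IPv6Network("2001:db8:1::/64")],
    forwarding=True,
    proxy_ndp=False,
)

if __name__ == "__main__":
    for name, state, client in (("on-link", ONLINK_GATEWAY, "2001:db8:1::10"),
                                ("done", DONE_GATEWAY, "2001:db8:1::10"),
                                ("routed", ROUTED_GATEWAY, "2001:db8:2::10")):
        print(f"{name} client {client}:")
        for cmd in plan_changes(client, state) or ["(nothing to do)"]:
            print("  " + cmd)
```

Running the script prints the three cases: the on-link client gets the forwarding sysctl, the proxy_ndp sysctl and the static proxy entry; the fully configured gateway gets nothing; the routed client gets nothing because forwarding is already on. On a real host the snapshot would be filled from `sysctl net.ipv6.conf.all.forwarding`, `ip -6 addr show dev <wan>` and `ip -6 neigh show proxy`, which this offline example deliberately does not call.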