[strongSwan] Encrypting connection between two public IPv6 prefixes
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Jun 6 19:37:15 CEST 2017
Hello,
Your ipsec.conf is wrong and crap.
Take a look at the example configurations[1] for site-to-site tunnels and use them.
It will be less work than describing all the wrong things in your configuration
and correcting them. Also kindly read the FAQ[2] and the HelpRequests[3] page.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
[2] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ
[3] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
On 06.06.2017 14:49, Marek Szuba wrote:
> Hello,
>
> I have been trying to establish an IPsec-encrypted connection between
> two IPv6-enabled sites configured as follows:
> - ordinary machines on each site receive either static or
> DHCPv6-assigned addresses from their respective /56 prefixes. These
> prefixes are globally routeable and, just to make it clear, separate for
> each site;
> - site gateways have got two interfaces, with the internal ones
> assigned addresses from respective site prefixes and the external ones
> sitting in two, again separate, /127 networks assigned to us by the ISP.
>
> The gateways of both sites are Linux servers, running exactly the same
> OS and by extension using the same version of strongSwan. Needless to
> say, the two sites communicate perfectly well over IPv6 when no
> encryption is involved.
>
> Unfortunately the tunnel as configured right now does not quite work
> right. When running ping6 on one site and tcpdump on the other:
> - incoming ICMPv6 echo requests are visible twice, once as ESP and once
> unencrypted; replies come out fine, i.e. only once as ESP;
> - site-to-site connections do not seem to work, unencrypted ICMPv6 is
> visible for both echo-request and echo-reply packets.
>
> Out of curiosity I tried switching the end-to-end connection to
> transport mode, in which case I no longer see duplicates - only ESP
> packets are seen instead of both incoming echo-request and outgoing
> echo-reply. I couldn't get site-to-site connectivity working in this
> mode, though.
>
> Note: I should probably mention at this point that while I have used
> IPsec on local networks before, this is the first time I have ever tried
> using it for connections between networks - so chances are I've made some
> rather silly mistake. I have never tried it with IPv6 before either,
> but at a glance nothing in the configs seems to be IPv6-specific so
> perhaps it doesn't matter in this case.
>
> Anyway, ipsec.conf on the two gateway machines looks as follows (with
> redactions having been made using exactly the same regexes, so I am
> confident they are consistent):
>
> *** ipsec.conf-sun ***
>
> config setup
>
> ca myca
>     cacert=/etc/ssl/certs/ca.pem
>     auto=start
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     fragmentation=yes
>     mobike=no
>
> conn tunv6-sites
>     also=tunv6-ends
>     leftsubnet=2001:1234:5678:100::/56
>     rightsubnet=2001:1234:5678:200::/56
>     auto=start
>
> conn tunv6-ends
>     left=2001:1234:5678::2
>     leftcert=/etc/ssl/certs/sun.pem
>     leftid=@sun.sunsite.example.com
>     leftfirewall=yes
>     right=2001:1234:5678::4
>     rightcert=/etc/ssl/certs/moon.pem
>     rightid=@moon.moonsite.example.com
>     auto=start
>
> *** ipsec.conf-moon ***
>
> config setup
>
> ca myca
>     cacert=/etc/ssl/certs/ca.pem
>     auto=start
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     fragmentation=yes
>     mobike=no
>
> conn tunv6-sites
>     also=tunv6-ends
>     leftsubnet=2001:1234:5678:200::/56
>     rightsubnet=2001:1234:5678:100::/56
>     auto=start
>
> conn tunv6-ends
>     left=2001:1234:5678::f
>     leftcert=/etc/ssl/certs/moon.pem
>     leftid=@moon.moonsite.example.com
>     leftfirewall=yes
>     right=2001:1234:5678::d
>     rightcert=/etc/ssl/certs/sun.pem
>     rightid=@sun.sunsite.example.com
>     auto=start
>
> ***
>
> I will greatly appreciate any suggestions which will nudge me towards
> getting this to work! If you need any more information, just let me know.
>
> All the best,
>
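The reply above does not say which parts of the two files are wrong, but the problems a site-to-site ipsec.conf pair can have are mechanical enough to check. What follows is an added example written for this page; it is not code from the thread, from Noel, or from strongSwan. It embeds the two posted gateway configs as constructed sample input (re-indented, since ipsec.conf parameters must be indented under their section header, and with conn %default trimmed to the keys the checker reads; the addresses are the poster's own, possibly redacted, values), parses them, expands also= and conn %default, and reports: a ca section whose auto= is neither add nor ignore, the only two values ipsec.conf(5) documents for ca sections; a conn that is used as an also= template but carries its own auto=, which starter then loads a second time as a separate conn (host-to-host when it has no subnets, which is the case for tunv6-ends here); subnets with host bits set; and left/right values that are not mirror images of each other across the two gateways. The function names, messages and keyword lists are my own choices, and the address mismatches it reports on the posted files may well be the poster's redaction rather than the real configuration.

```python
import ipaddress


# Constructed sample input: the two gateways' ipsec.conf from the post, built
# from one template so the pair stays easy to read. conn %default is trimmed.
def gateway_conf(me, peer, my_ip, peer_ip, my_net, peer_net):
    return f"""\
config setup

ca myca
    cacert=/etc/ssl/certs/ca.pem
    auto=start

conn %default
    keyexchange=ikev2
    mobike=no

conn tunv6-sites
    also=tunv6-ends
    leftsubnet={my_net}
    rightsubnet={peer_net}
    auto=start

conn tunv6-ends
    left={my_ip}
    leftcert=/etc/ssl/certs/{me}.pem
    leftid=@{me}.{me}site.example.com
    leftfirewall=yes
    right={peer_ip}
    rightcert=/etc/ssl/certs/{peer}.pem
    rightid=@{peer}.{peer}site.example.com
    auto=start
"""


SUN = gateway_conf("sun", "moon", "2001:1234:5678::2", "2001:1234:5678::4",
                   "2001:1234:5678:100::/56", "2001:1234:5678:200::/56")
MOON = gateway_conf("moon", "sun", "2001:1234:5678::f", "2001:1234:5678::d",
                    "2001:1234:5678:200::/56", "2001:1234:5678:100::/56")


def parse(text):
    """ipsec.conf -> {kind: {name: {key: value}}}. Headers ("conn x", "ca y",
    "config setup") start in column 0; parameters are indented key=value."""
    sections = {"config": {}, "ca": {}, "conn": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = sections.setdefault(kind, {}).setdefault(name.strip(), {})
        else:
            if current is None:
                raise ValueError(f"parameter outside any section: {line.strip()}")
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def effective(conns, name, seen=()):
    """Flatten a conn: own keys beat also= keys (recursively), which beat conn %default."""
    if name in seen:
        raise ValueError(f"also= loop at conn {name}")
    own = conns[name]
    merged = {} if name == "%default" else dict(conns.get("%default", {}))
    if "also" in own:
        merged.update(effective(conns, own["also"], seen + (name,)))
    merged.update(own)
    merged.pop("also", None)
    return merged


def lint_single(cfg, label):
    """Checks that need only one gateway's file."""
    out = []
    for name, ca in cfg["ca"].items():
        if "auto" in ca and ca["auto"] not in ("add", "ignore"):
            out.append(f"{label}: ca {name}: auto={ca['auto']} is not a documented ca value (add|ignore)")
    conns = cfg["conn"]
    templates = {c["also"] for c in conns.values() if "also" in c}
    for name, own in conns.items():
        if name == "%default":
            continue
        eff = effective(conns, name)
        if name in templates and own.get("auto", "ignore") != "ignore":
            kind = "site-to-site" if "leftsubnet" in eff or "rightsubnet" in eff else "host-to-host"
            out.append(f"{label}: conn {name} is an also= template but has auto={own['auto']}, "
                       f"so starter also loads it as its own {kind} conn")
        for side in ("left", "right"):
            if not eff.get(side):
                out.append(f"{label}: conn {name}: no {side}= address")
            for net in eff.get(side + "subnet", "").split(","):
                net = net.strip()
                if not net or net.startswith("%"):
                    continue
                try:
                    ipaddress.ip_network(net, strict=True)  # strict: host bits must be zero
                except ValueError:
                    out.append(f"{label}: conn {name}: {side}subnet={net} is not a valid, aligned prefix")
    return out


MIRRORED = ("", "subnet", "id", "cert")      # left<X> here must equal right<X> there
SHARED = ("keyexchange", "ike", "esp", "type")  # must be identical on both gateways


def lint_pair(cfg_a, label_a, cfg_b, label_b):
    """A conn defined on both gateways must describe the same tunnel with left/right swapped."""
    out = []
    shared = (set(cfg_a["conn"]) & set(cfg_b["conn"])) - {"%default"}
    for name in sorted(shared):
        a, b = effective(cfg_a["conn"], name), effective(cfg_b["conn"], name)
        for suffix in MIRRORED:
            for mine, theirs in (("left", "right"), ("right", "left")):
                if a.get(mine + suffix) != b.get(theirs + suffix):
                    out.append(f"conn {name}: {label_a} {mine}{suffix}={a.get(mine + suffix)} "
                               f"but {label_b} {theirs}{suffix}={b.get(theirs + suffix)}")
        for key in SHARED:
            if a.get(key) != b.get(key):
                out.append(f"conn {name}: {key} differs ({label_a}={a.get(key)}, {label_b}={b.get(key)})")
    return out


def check(conf_a, label_a, conf_b, label_b):
    ca, cb = parse(conf_a), parse(conf_b)
    return lint_single(ca, label_a) + lint_single(cb, label_b) + lint_pair(ca, label_a, cb, label_b)


if __name__ == "__main__":
    for finding in check(SUN, "sun", MOON, "moon"):
        print(finding)
```

On the posted files this reports eight findings: the ca auto=start on each gateway, tunv6-ends being loaded as a second, host-to-host conn on each gateway, and the four gateway addresses that do not mirror each other. The second of those is worth understanding even if the addresses are a redaction artefact: a host-to-host SA between the gateways and a subnet-to-subnet SA between the sites are two different policies, and traffic that matches neither, or matches one the peer has not installed, leaves the gateway in the clear, which is exactly the kind of duplicate and unencrypted ICMPv6 a tcpdump on the far side shows.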