[strongSwan] IPv6 Remote Access
Dusan Ilic
dusan at comhem.se
Thu Jun 8 11:57:10 CEST 2017
Hi Stephen,
Thank you for taking time and sharing your thoughts.
I have no issues with IPv6 addresses in Chrome, only hostnames. However, the same hostnames do work in other apps, for example Firefox and a random ping/DNS-lookup app on the phone. It seems like Chrome isn't making any AAAA lookups while connected to an IPv6-enabled VPN if the underlying network connection isn't. So much for tunneling :)
I found the following discussion and believe this may very well be the problem. A bug in Chrome.
https://github.com/schwabe/ics-openvpn/issues/609
---- Stephen Ayotte wrote ----
>Chrome uses an internal name resolver, different from Firefox's. Have you
>tried connecting directly to an IPv6 address in Chrome?
>
>e.g. "https://[2607:f8b0:4004:80f::200e]/" <-- this is
>https://ipv6.google.com as resolved from my location, but please resolve on
>your own so you know I'm not sending you to a nefarious destination :)
>
>On Tue, Jun 6, 2017 at 6:10 AM, Dusan Ilic <dusan at comhem.se> wrote:
>
>> Hello again,
>>
>> It seems that the issue actually isn't with either Strongswan or Android
>> OS. If I'm connected by wifi locally to the LAN, IPv6 works great in every
>> way; however, when remotely using the Strongswan Android client to connect, IPv6
>> doesn't work in Google Chrome. First I thought it had something to do with
>> DNS assignment in Strongswan, but when I try Firefox mobile IPv6 works. I
>> have even ruled out IPv4 by creating a new, separate tunnel with only IPv6
>> assignment (and enabling "block IPv4 traffic" in the Strongswan client) and IPv6
>> internet still works in Firefox, but not in Google Chrome (DNS names). Also
>> I can use other Android apps like ping and ping both IPv6 addresses directly
>> and even domain names only having AAAA records.
>>
>> Any ideas or suggestions why it's behaving like this?
>>
>>
>>
>>> On 2017-05-31 at 14:13, Dusan Ilic wrote:
>>
>>> Okay, that's too bad. Isn't there any workaround to make IPv6 DNS work on the
>>> Android Strongswan client? When pushing an IPv6 DNS, Strongswan seems to
>>> fail to install any DNSes, and just falls back to the
>>> mobile/Wi-Fi network's configured DNS servers.
>>>
>>>
>>> On 2017-05-31 at 12:52, Noel Kuntze wrote:
>>>
>>>> I can access IPv6 here just fine and the IPv4 DNS traffic is NATed to my
>>>> local DNS server on my VPN server,
>>>> but Android doesn't seem to be able to resolve any names, if I push just
>>>> an IPv6 DNS server to it.
>>>> It also doesn't send any DNS requests over IPv6.
>>>>
>>>> I think this is likely a bug in Android, rather than in the strongSwan
>>>> app.
>>>>
>>>> PS: Always send to the list, too (unless it's actually private)
>>>>
>>>> On 31.05.2017 10:01, Dusan Ilic wrote:
>>>>
>>>>> I'm experiencing a new problem: somehow DNS is not working as it should
>>>>> on IPv6.
>>>>> I can see in the Strongswan Android app log that both IPv4 and IPv6
>>>>> DNS servers are assigned, according to my configuration in ipsec.conf (both
>>>>> are my Strongswan host), but only IPv4 hostnames are resolved. I can ping
>>>>> IPv6 addresses only by IP, but cannot access any domain with an AAAA record.
>>>>>
>>>>> I have tried replacing the IPv6 DNS server with Google's public one too, but
>>>>> that doesn't make any difference.
>>>>> Even more strange, when assigning both DNS servers it seems that the
>>>>> Android client is using the 4G provider's DNS servers instead (no internal
>>>>> hostnames on the local DNS resolve); when removing the IPv6 from rightdns
>>>>> it starts working again (however, no IPv6 resolving). Also only assigning
>>>>> an IPv6 DNS server doesn't work either.
>>>>>
>>>>>
>>>>>
>>>>> Could this be a bug?
>>>>>
>>>>>
>>>>> On 2017-05-30 at 11:57, Dusan Ilic wrote:
>>>>>
>>>>>> Okay, I found the issue. The Linux kernel modules for IPsec IPv6 were
>>>>>> not loaded as I haven't used them before. Loaded them now and it works.
>>>>>>
>>>>>>
>>>>>> On 2017-05-29 at 08:41, dusan at comhem.se wrote:
>>>>>>
>>>>>>> Hi Noel,
>>>>>>>
>>>>>>> I have tried both the command "ping" and "ping6". I can ping other local
>>>>>>> hosts and external IPv6 addresses with "ping6".
>>>>>>> Unfortunately the commands "iptables6-save" and "sysctl -A | grep
>>>>>>> net.ipv6.conf.*forwarding" don't work on my Linux router (not found), but
>>>>>>> here is "ip6tables -L -v".
>>>>>>>
>>>>>>> # ip6tables -L -v
>>>>>>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>>>>>>  pkts bytes target     prot       opt in   out  source    destination
>>>>>>>     0     0 DROP       all            any  any  anywhere  anywhere  rt type:0 segsleft:0
>>>>>>>    80 12467 ACCEPT     all            any  any  anywhere  anywhere  state RELATED,ESTABLISHED
>>>>>>>     0     0 ACCEPT     ipv6-nonxt     any  any  anywhere  anywhere  length 40
>>>>>>>     0     0 shlimit    tcp            br0  any  anywhere  anywhere  tcp dpt:ssh state NEW
>>>>>>> 14952 1175K ACCEPT     all            br0  any  anywhere  anywhere
>>>>>>>     0     0 ACCEPT     all            lo   any  anywhere  anywhere
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmp destination-unreachable
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmp packet-too-big
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmp time-exceeded
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmp parameter-problem
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmp echo-request
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmp echo-reply
>>>>>>>   522 37584 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmptype 130
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmptype 131
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmptype 132
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmp router-solicitation
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmp router-advertisement
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmp neighbour-solicitation
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmp neighbour-advertisement
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmptype 141
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmptype 142
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmptype 143
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmptype 148
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmptype 149
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmptype 151
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmptype 152
>>>>>>>     0     0 logaccept  ipv6-icmp      any  any  anywhere  anywhere  ipv6-icmptype 153
>>>>>>>     0     0 logaccept  tcp            any  any  anywhere  anywhere  tcp dpt:webcache
>>>>>>>
>>>>>>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>>>>>>  pkts bytes target     prot       opt in      out  source    destination
>>>>>>>     0     0            all            vlan847 any  2001:2002:5ae1:c206:5076:327e:xxx:xxx/128  anywhere
>>>>>>>     0     0 DROP       all            any     any  anywhere  anywhere  rt type:0 segsleft:0
>>>>>>>     0     0 ACCEPT     all            br0     br0  anywhere  anywhere
>>>>>>>     0     0 ACCEPT     all            br1     br1  anywhere  anywhere
>>>>>>>     0     0 ACCEPT     all            br2     br2  anywhere  anywhere
>>>>>>>   410 21787 DROP       all            any     any  anywhere  anywhere  state INVALID
>>>>>>>  154K   98M ACCEPT     all            any     any  anywhere  anywhere  state RELATED,ESTABLISHED
>>>>>>>     0     0 DROP       all            6rd     6rd  anywhere  anywhere
>>>>>>>     0     0 ACCEPT     ipv6-nonxt     any     any  anywhere  anywhere  length 40
>>>>>>>     0     0 logaccept  ipv6-icmp      any     any  anywhere  anywhere  ipv6-icmp destination-unreachable
>>>>>>>     0     0 logaccept  ipv6-icmp      any     any  anywhere  anywhere  ipv6-icmp packet-too-big
>>>>>>>     0     0 logaccept  ipv6-icmp      any     any  anywhere  anywhere  ipv6-icmp time-exceeded
>>>>>>>     0     0 logaccept  ipv6-icmp      any     any  anywhere  anywhere  ipv6-icmp parameter-problem
>>>>>>>  4620  241K logaccept  ipv6-icmp      any     any  anywhere  anywhere  ipv6-icmp echo-request
>>>>>>>     0     0 logaccept  ipv6-icmp      any     any  anywhere  anywhere  ipv6-icmp echo-reply
>>>>>>>     0     0 ACCEPT     ipv6-crypt     6rd     any  anywhere  anywhere
>>>>>>>     0     0 ACCEPT     udp            6rd     any  anywhere  anywhere  udp dpt:500
>>>>>>>  6246 1012K wanin      all            6rd     any  anywhere  anywhere
>>>>>>>  5040  646K wanout     all            any     6rd  anywhere  anywhere
>>>>>>>  5040  646K ACCEPT     all            br0     any  anywhere  anywhere
>>>>>>>     0     0 ACCEPT     all            br1     any  anywhere  anywhere
>>>>>>>     0     0 ACCEPT     all            br2     any  anywhere  anywhere
>>>>>>>     0     0 ACCEPT     all            br0     6rd  anywhere  anywhere
>>>>>>>     0     0 ACCEPT     all            br1     6rd  anywhere  anywhere
>>>>>>>     0     0 ACCEPT     all            br2     6rd  anywhere  anywhere
>>>>>>>
>>>>>>> Chain OUTPUT (policy ACCEPT 3 packets, 363 bytes)
>>>>>>>  pkts bytes target     prot       opt in   out  source    destination
>>>>>>>     0     0 DROP       all            any  any  anywhere  anywhere  rt type:0 segsleft:0
>>>>>>>
>>>>>>> Chain logaccept (30 references)
>>>>>>>  pkts bytes target     prot       opt in   out  source    destination
>>>>>>>  4769  253K LOG        all            any  any  anywhere  anywhere  state NEW limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix "ACCEPT "
>>>>>>>  5306  292K ACCEPT     all            any  any  anywhere  anywhere
>>>>>>>
>>>>>>> Chain logdrop (0 references)
>>>>>>>  pkts bytes target     prot       opt in   out  source    destination
>>>>>>>     0     0 LOG        all            any  any  anywhere  anywhere  state NEW limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix "DROP "
>>>>>>>     0     0 DROP       all            any  any  anywhere  anywhere
>>>>>>>
>>>>>>> Chain logreject (0 references)
>>>>>>>  pkts bytes target     prot       opt in   out  source    destination
>>>>>>>     0     0 LOG        all            any  any  anywhere  anywhere  limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix "REJECT "
>>>>>>>     0     0 REJECT     tcp            any  any  anywhere  anywhere  reject-with tcp-reset
>>>>>>>
>>>>>>> Chain shlimit (1 references)
>>>>>>>  pkts bytes target     prot       opt in   out  source    destination
>>>>>>>     0     0            all            any  any  anywhere  anywhere  recent: SET name: shlimit side: source
>>>>>>>     0     0 DROP       all            any  any  anywhere  anywhere  recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
>>>>>>>
>>>>>>> Chain wanin (1 references)
>>>>>>>  pkts bytes target     prot       opt in   out  source    destination
>>>>>>>
>>>>>>> Chain wanout (1 references)
>>>>>>>  pkts bytes target     prot       opt in   out  source    destination
>>>>>>>
>>>>>>> # ipsec statusall vpn-ipv6
>>>>>>> Status of IKE charon daemon (strongSwan 5.5.1, Linux 2.6.36.4brcmarm, armv7l):
>>>>>>>   uptime: 11 hours, since May 28 18:35:50 2017
>>>>>>>   malloc: sbrk 831488, mmap 0, used 416048, free 415440
>>>>>>>   worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 13
>>>>>>>   loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp gmpdh agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
>>>>>>> Listening IP addresses:
>>>>>>>   85.24.xx.xx
>>>>>>>   2001:2002:5ae1:xxx::xx
>>>>>>> Connections:
>>>>>>>     vpn-ipv6:  %any...%any  IKEv2, dpddelay=300s
>>>>>>>     vpn-ipv6:   local:  [vpn.joksi.net] uses public key authentication
>>>>>>>     vpn-ipv6:   remote: uses EAP_MSCHAPV2 authentication with EAP identity 'dulemis3'
>>>>>>>     vpn-ipv6:   child:  2000::/3 === dynamic TUNNEL, dpdaction=clear
>>>>>>> Security Associations (4 up, 0 connecting):
>>>>>>>     vpn-ipv6[26]: ESTABLISHED 2 minutes ago, 85.24.xx.xx[x]...94.234.xx.xx[x]
>>>>>>>     vpn-ipv6[26]: IKEv2 SPIs: a7ac5d658a4a39ac_i 278aaa324f402aaa_r*, public key reauthentication in 2 hours
>>>>>>>     vpn-ipv6[26]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
>>>>>>>     vpn-ipv6{1622}:  INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c9edd06c_i 66f8c36e_o
>>>>>>>     vpn-ipv6{1622}:  AES_CBC_128/HMAC_SHA2_256_128, 11600 bytes_i, 0 bytes_o, rekeying in 39 minutes
>>>>>>>     vpn-ipv6{1622}:   2000::/3 === 2001:2002:5ae1:c206:5076:327e:xx:xx/128
>>>>>>>
>>>>>>> conn vpn-ikev2
>>>>>>> auto=add
>>>>>>> reauth=yes
>>>>>>> dpdaction=clear
>>>>>>> dpddelay=300s
>>>>>>> mobike=yes
>>>>>>>
>>>>>>> leftid=xxx
>>>>>>> leftsubnet=0.0.0.0/0,2000::/3
>>>>>>> leftauth=pubkey
>>>>>>>
>>>>>>> right=%any
>>>>>>> rightsubnet=%dynamic
>>>>>>> rightsourceip=%dhcp,2001:2002:5ae1:c206:5076:327e:xxx:xxx
>>>>>>> rightauth=eap-mschapv2
>>>>>>>
>>>>>>> eap_identity=%any
>>>>>>>
>>>>>>> ----Original message----
>>>>>>>> From: noel.kuntze+strongswan-users-ml at thermi.consulting
>>>>>>>> Date: 29/05/2017 - 00:16 (V)
>>>>>>>> To: dusan at comhem.se, users at lists.strongswan.org
>>>>>>>> Subject: Re: [strongSwan] IPv6 Remote Access
>>>>>>>>
>>>>>>>> Hello Dusan,
>>>>>>>>
>>>>>>>> On 28.05.2017 19:24, Dusan Ilic wrote:
>>>>>>>>
>>>>>>>>> Hi Noel,
>>>>>>>>>
>>>>>>>>> The IPv6 prefix is on link, so I've tried adding a static NDP record.
>>>>>>>>> When pinging from a local host before adding the static record it says
>>>>>>>>> "destination host unreachable", but after adding it it says "request timed
>>>>>>>>> out".
>>>>>>>>>
>>>>>>>>> When I try pinging the client from the strongswan host I get the
>>>>>>>>> following error:
>>>>>>>>> ping6: sendto: Address family not supported by protocol
>>>>>>>>>
>>>>>>>> What command are you trying to use?
>>>>>>>>
>>>>>>>>> Strongswan now added a route for the IPv6 address out the correct
>>>>>>>>> WAN interface, and I have added an input and forward rule in ip6tables
>>>>>>>>> accepting traffic. I can see in "ipsec statusall" that the incoming packet
>>>>>>>>> counter is increasing, but not the outgoing.
>>>>>>>>>
>>>>>>>> Provide `ip6tables-save`, your ipsec.conf, `ipsec statusall` and
>>>>>>>> `sysctl -A | grep net.ipv6.conf.*forwarding`.
>>>>>>>>
>>>>>>>> Kind regards
>>>>>>>>
>>>>>>>> Noel
>>>>>>>>
>>>>>>>>> On 2017-05-26 at 17:47, Noel Kuntze wrote:
>>>>>>>>>
>>>>>>>>>> Hello Dusan,
>>>>>>>>>>
>>>>>>>>>> On 26.05.2017 16:52, Dusan Ilic wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi everyone,
>>>>>>>>>>>
>>>>>>>>>>> My ISP has just recently enabled IPv6 in their network (well,
>>>>>>>>>>> 6RD actually) and I have it configured and working at the site.
>>>>>>>>>>> I would now also like to enable it on my remote access VPN in
>>>>>>>>>>> Strongswan too, so I made a try with the following config; however, it doesn't
>>>>>>>>>>> seem to work. According to the Strongswan log the client asks for IPv6 (Android in
>>>>>>>>>>> this case) and gets assigned one (global from my public prefix).
>>>>>>>>>>>
>>>>>>>>>>> leftsubnet=0.0.0.0/0,2000::/3 (also tried with ::/0)
>>>>>>>>>>> rightsourceip=%dhcp,2001:2002:5ae1:c206:4466:d122:xxx:xxx
>>>>>>>>>>>
>>>>>>>>>>> This is a test, so that's why I'm only assigning one single IPv6
>>>>>>>>>>> address for the time being. IPv4 works as expected, but I can neither
>>>>>>>>>>> reach an IPv6 internet site nor ping the gateway or the Android client from
>>>>>>>>>>> the gateway/clients behind the gateway.
>>>>>>>>>>>
>>>>>>>>>> Check if the IPv6 packets make it to the strongSwan host. And then
>>>>>>>>>> make sure those IPv6 addresses are routed over the strongSwan host. If the
>>>>>>>>>> subnet they're from is on the link,
>>>>>>>>>> you'll need to do proxy NDP on the strongSwan host with
>>>>>>>>>> either static records in the NDP table on the strongSwan host or by using
>>>>>>>>>> and configuring ndppd[1] on the strongSwan host.
>>>>>>>>>>
>>>>>>>>>>> What I'm reacting to is that a route gets created for the IPv4
>>>>>>>>>>> address in my routing table, but none for the IPv6 address. Also checked with
>>>>>>>>>>> "ip -6 route".
>>>>>>>>>>> Is this a routing problem possibly, or maybe a firewall
>>>>>>>>>>> (iptables) problem?
>>>>>>>>>>>
>>>>>>>>>> The latter maybe. IPv6 traffic goes through ip6tables, not
>>>>>>>>>> iptables.
>>>>>>>>>>
>>>>>>>>>>> Just to be clear, the client is connecting to the Strongswan
>>>>>>>>>>> server with IPv4, should receive an IPv6 global address inside the tunnel
>>>>>>>>>>> and then my Strongswan server should route it out on the internet (through
>>>>>>>>>>> the 6RD tunnel).
>>>>>>>>>>>
>>>>>>>>>> Read the FAQ[2], too.
>>>>>>>>>>
>>>>>>>>>> Kind regards
>>>>>>>>>>
>>>>>>>>>> Noel
>>>>>>>>>>
>>>>>>>>>> [1] https://github.com/DanielAdolfsson/ndppd
>>>>>>>>>> [2] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IPsec-and-iptablesnftables
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>
>>
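Added example (not from this thread or from the strongSwan project): a small Python script that performs the two checks Noel asks for in the quoted messages. It parses `ipsec statusall` output, flags CHILD_SAs that show the symptom Dusan reported (inbound byte counter rising while outbound stays at 0), and, for every client /128 that was handed out from an on-link prefix, prints the forwarding and proxy-NDP commands the strongSwan host needs so that hosts on that link can reach the client. The sample output, the documentation addresses (2001:db8::/32, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 10.0.0.0/8), the connection names, the SPIs and the interface name br0 are all constructed; the on-link prefix and the interface are parameters because they depend on the deployment.

```python
"""Added example (not from the thread): check `ipsec statusall` for one-way CHILD_SAs and
derive the proxy-NDP entries for clients addressed out of an on-link IPv6 prefix.
All addresses, connection names, SPIs and interface names below are constructed."""
import ipaddress
import re
import sys
from dataclasses import dataclass, field

# Constructed sample, shaped like the output posted in the thread, with documentation
# addresses and made-up SPIs.  SA 1622 shows the reported symptom; SA 1623 is healthy
# and dual-stack (two traffic selectors on each side, space-separated as charon prints them).
SAMPLE_STATUSALL = """\
Security Associations (2 up, 0 connecting):
   vpn-ipv6[26]: ESTABLISHED 2 minutes ago, 192.0.2.10[vpn.example.net]...198.51.100.7[alice]
   vpn-ipv6[26]: IKEv2 SPIs: 0011223344556677_i 8899aabbccddeeff_r*, public key reauthentication in 2 hours
   vpn-ipv6{1622}:  INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c0000001_i c0000002_o
   vpn-ipv6{1622}:  AES_CBC_128/HMAC_SHA2_256_128, 11600 bytes_i, 0 bytes_o, rekeying in 39 minutes
   vpn-ipv6{1622}:   2000::/3 === 2001:db8:1:2:3:4:5:6/128
   vpn-dual[27]: ESTABLISHED 9 minutes ago, 192.0.2.10[vpn.example.net]...203.0.113.9[bob]
   vpn-dual{1623}:  INSTALLED, TUNNEL, reqid 7, ESP in UDP SPIs: c0000003_i c0000004_o
   vpn-dual{1623}:  AES_CBC_128/HMAC_SHA2_256_128, 8400 bytes_i, 9100 bytes_o, rekeying in 41 minutes
   vpn-dual{1623}:   0.0.0.0/0 2000::/3 === 10.0.0.5/32 2001:db8:1:2::77/128
"""

_SA_RE = re.compile(r"^(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")  # CHILD_SA lines only
_BYTES_RE = re.compile(r"(?P<bi>\d+) bytes_i.*?(?P<bo>\d+) bytes_o")
_TS_RE = re.compile(r"^(?P<local>.+?) === (?P<remote>.+)$")


@dataclass
class ChildSA:
    name: str
    id: int
    bytes_in: int = 0
    bytes_out: int = 0
    local_ts: list = field(default_factory=list)   # traffic selectors as printed by charon
    remote_ts: list = field(default_factory=list)


def parse_child_sas(text: str) -> list:
    """Collect `conn{id}:` lines into ChildSA records; IKE_SA lines (`conn[id]:`) are skipped."""
    sas = {}
    for raw in text.splitlines():
        m = _SA_RE.match(raw.strip())
        if not m:
            continue
        key = (m["name"], int(m["id"]))
        sa = sas.setdefault(key, ChildSA(*key))
        rest = m["rest"].strip()
        b = _BYTES_RE.search(rest)
        if b:
            sa.bytes_in, sa.bytes_out = int(b["bi"]), int(b["bo"])
            continue
        t = _TS_RE.match(rest)
        if t:
            sa.local_ts = t["local"].split()
            sa.remote_ts = t["remote"].split()
    return list(sas.values())


def one_way_sas(sas: list) -> list:
    """The symptom from the thread: packets are decrypted and counted inbound, nothing goes back."""
    return [sa for sa in sas if sa.bytes_in > 0 and sa.bytes_out == 0]


def proxy_ndp_commands(sas: list, onlink_prefix: str, dev: str) -> list:
    """Commands for the strongSwan host so neighbours on `dev` can reach a client whose /128
    comes from the on-link prefix: forwarding on, proxy_ndp on, and one static proxy entry
    per client address (the manual form of what ndppd does dynamically)."""
    net = ipaddress.IPv6Network(onlink_prefix)
    cmds = [
        "sysctl -w net.ipv6.conf.all.forwarding=1",
        f"sysctl -w net.ipv6.conf.{dev}.proxy_ndp=1",
    ]
    seen = set()
    for sa in sas:
        for ts in sa.remote_ts:
            try:
                n = ipaddress.IPv6Network(ts, strict=False)
            except ValueError:
                continue                       # IPv4 selector: not relevant to NDP
            if n.prefixlen == 128 and n.subnet_of(net) and n not in seen:
                seen.add(n)
                cmds.append(f"ip -6 neigh add proxy {n.network_address} dev {dev}")
    return cmds


if __name__ == "__main__":
    # Live use:  ipsec statusall | python3 ipsec_v6_check.py <onlink-prefix> <lan-dev>
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUSALL
    prefix = sys.argv[1] if len(sys.argv) > 1 else "2001:db8:1:2::/64"
    dev = sys.argv[2] if len(sys.argv) > 2 else "br0"
    sas = parse_child_sas(text)
    for sa in one_way_sas(sas):
        print(f"{sa.name}{{{sa.id}}}: {sa.bytes_in} bytes in, 0 out; check FORWARD rules and the route for {sa.remote_ts}")
    print("\n".join(proxy_ndp_commands(sas, prefix, dev)))
```

Two caveats for anyone applying this on a real gateway. The `ip -6 neigh add proxy` entries are not persistent and only make the host answer neighbour solicitations for the client address; they do not create a route. The route towards the client is installed by strongSwan's kernel-netlink plugin in its own routing table (220 by default), so a plain `ip -6 route`, as used earlier in the thread, will not list it; check with `ip -6 route show table 220`.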