[strongSwan] IPv6 Remote Access
Robert Dyck
rob.dyck at telus.net
Wed May 31 17:58:36 CEST 2017
From issue 2130
That's because these properties are not really used anymore. At least not when
installing DNS servers via VpnService API. I think this is now handled by netd
and you might be able to get some information via ndc utility (e.g. the
monitor command). Other than that I can't say much as we really only pass the
received DNS servers to the VpnService.Builder instance. If the installation
or the use of these DNS servers does not work as intended, please report that
issue to Google.
On Wednesday, May 31, 2017 5:13:24 AM PDT Dusan Ilic wrote:
> Okay, that's too bad. There isn't any workaround to make IPv6 DNS work
> on the Android strongSwan client? When pushing an IPv6 DNS server, strongSwan
> seems to fail to install any DNS servers, and just falls back to the
> mobile/Wi-Fi network's configured DNS servers.
>
> On 2017-05-31 at 12:52, Noel Kuntze wrote:
> > I can access IPv6 here just fine and the IPv4 DNS traffic is NATed to my
> > local DNS server on my VPN server, but Android doesn't seem to be able to
> > resolve any names, if I push just an IPv6 DNS server to it. It also
> > doesn't send any DNS requests over IPv6.
> >
> > I think this is likely a bug in Android, rather than in the strongSwan
> > app.
> >
> > PS: Always send to the list, too (unless it's actually private)
> >
> > On 31.05.2017 10:01, Dusan Ilic wrote:
> >> I'm experiencing a new problem: somehow DNS is not working as it should
> >> on IPv6. I can see in the strongSwan Android app log that both IPv4 and
> >> IPv6 DNS servers are assigned, according to my configuration in
> >> ipsec.conf (both are my strongSwan host), but only IPv4 hostnames are
> >> resolved. I can ping IPv6 addresses only by IP, but cannot access any
> >> domain with an AAAA record.
> >>
> >> I have tried replacing the IPv6 DNS server with Google's public one too, but
> >> that doesn't make any difference. Even more strangely, when assigning both
> >> DNS servers it seems that the Android client is using the 4G provider's
> >> DNS servers instead (no internal hostnames on the local DNS resolve);
> >> when removing the IPv6 one from rightdns it starts working again (however,
> >> no IPv6 resolving). Also, only assigning the IPv6 DNS server doesn't work
> >> either.
> >>
> >> Could this be a bug?
> >>
> >> On 2017-05-30 at 11:57, Dusan Ilic wrote:
> >>> Okay, I found the issue. The Linux kernel modules for IPsec IPv6 were
> >>> not loaded as I haven't used them before. Loaded them now and it works.
> >>>
> >>> On 2017-05-29 at 08:41, dusan at comhem.se wrote:
> >>>> Hi Noel,
> >>>>
> >>>> I have tried both commands "ping" and "ping6". I can ping other local
> >>>> hosts and external IPv6 addresses with "ping6". Unfortunately the commands
> >>>> "iptables6-save" and "sysctl -A | grep net.ipv6.conf.*forwarding"
> >>>> don't work on my Linux router (not found), but here is "ip6tables
> >>>> -L -v".
> >>>>
> >>>> # ip6tables -L -v
> >>>> Chain INPUT (policy DROP 0 packets, 0 bytes)
> >>>>  pkts bytes target     prot       opt in   out source    destination
> >>>>     0     0 DROP       all        any  any anywhere  anywhere  rt type:0 segsleft:0
> >>>>    80 12467 ACCEPT     all        any  any anywhere  anywhere  state RELATED,ESTABLISHED
> >>>>     0     0 ACCEPT     ipv6-nonxt any  any anywhere  anywhere  length 40
> >>>>     0     0 shlimit    tcp        br0  any anywhere  anywhere  tcp dpt:ssh state NEW
> >>>> 14952 1175K ACCEPT     all        br0  any anywhere  anywhere
> >>>>     0     0 ACCEPT     all        lo   any anywhere  anywhere
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmp destination-unreachable
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmp packet-too-big
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmp time-exceeded
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmp parameter-problem
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmp echo-request
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmp echo-reply
> >>>>   522 37584 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmptype 130
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmptype 131
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmptype 132
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmp router-solicitation
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmp router-advertisement
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmp neighbour-solicitation
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmp neighbour-advertisement
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmptype 141
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmptype 142
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmptype 143
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmptype 148
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmptype 149
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmptype 151
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmptype 152
> >>>>     0     0 logaccept  ipv6-icmp  any  any anywhere  anywhere  ipv6-icmptype 153
> >>>>     0     0 logaccept  tcp        any  any anywhere  anywhere  tcp dpt:webcache
> >>>>
> >>>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> >>>>  pkts bytes target     prot       opt in      out  source                                     destination
> >>>>     0     0            all        vlan847 any  2001:2002:5ae1:c206:5076:327e:xxx:xxx/128  anywhere
> >>>>     0     0 DROP       all        any     any  anywhere  anywhere  rt type:0 segsleft:0
> >>>>     0     0 ACCEPT     all        br0     br0  anywhere  anywhere
> >>>>     0     0 ACCEPT     all        br1     br1  anywhere  anywhere
> >>>>     0     0 ACCEPT     all        br2     br2  anywhere  anywhere
> >>>>   410 21787 DROP       all        any     any  anywhere  anywhere  state INVALID
> >>>>  154K   98M ACCEPT     all        any     any  anywhere  anywhere  state RELATED,ESTABLISHED
> >>>>     0     0 DROP       all        6rd     6rd  anywhere  anywhere
> >>>>     0     0 ACCEPT     ipv6-nonxt any     any  anywhere  anywhere  length 40
> >>>>     0     0 logaccept  ipv6-icmp  any     any  anywhere  anywhere  ipv6-icmp destination-unreachable
> >>>>     0     0 logaccept  ipv6-icmp  any     any  anywhere  anywhere  ipv6-icmp packet-too-big
> >>>>     0     0 logaccept  ipv6-icmp  any     any  anywhere  anywhere  ipv6-icmp time-exceeded
> >>>>     0     0 logaccept  ipv6-icmp  any     any  anywhere  anywhere  ipv6-icmp parameter-problem
> >>>>  4620  241K logaccept  ipv6-icmp  any     any  anywhere  anywhere  ipv6-icmp echo-request
> >>>>     0     0 logaccept  ipv6-icmp  any     any  anywhere  anywhere  ipv6-icmp echo-reply
> >>>>     0     0 ACCEPT     ipv6-crypt 6rd     any  anywhere  anywhere
> >>>>     0     0 ACCEPT     udp        6rd     any  anywhere  anywhere  udp dpt:500
> >>>>  6246 1012K wanin      all        6rd     any  anywhere  anywhere
> >>>>  5040  646K wanout     all        any     6rd  anywhere  anywhere
> >>>>  5040  646K ACCEPT     all        br0     any  anywhere  anywhere
> >>>>     0     0 ACCEPT     all        br1     any  anywhere  anywhere
> >>>>     0     0 ACCEPT     all        br2     any  anywhere  anywhere
> >>>>     0     0 ACCEPT     all        br0     6rd  anywhere  anywhere
> >>>>     0     0 ACCEPT     all        br1     6rd  anywhere  anywhere
> >>>>     0     0 ACCEPT     all        br2     6rd  anywhere  anywhere
> >>>>
> >>>> Chain OUTPUT (policy ACCEPT 3 packets, 363 bytes)
> >>>>  pkts bytes target     prot       opt in   out source    destination
> >>>>     0     0 DROP       all        any  any anywhere  anywhere  rt type:0 segsleft:0
> >>>>
> >>>> Chain logaccept (30 references)
> >>>>  pkts bytes target     prot       opt in   out source    destination
> >>>>  4769  253K LOG        all        any  any anywhere  anywhere  state NEW limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix "ACCEPT "
> >>>>  5306  292K ACCEPT     all        any  any anywhere  anywhere
> >>>>
> >>>> Chain logdrop (0 references)
> >>>>  pkts bytes target     prot       opt in   out source    destination
> >>>>     0     0 LOG        all        any  any anywhere  anywhere  state NEW limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix "DROP "
> >>>>     0     0 DROP       all        any  any anywhere  anywhere
> >>>>
> >>>> Chain logreject (0 references)
> >>>>  pkts bytes target     prot       opt in   out source    destination
> >>>>     0     0 LOG        all        any  any anywhere  anywhere  limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix "REJECT "
> >>>>     0     0 REJECT     tcp        any  any anywhere  anywhere  reject-with tcp-reset
> >>>>
> >>>> Chain shlimit (1 references)
> >>>>  pkts bytes target     prot       opt in   out source    destination
> >>>>     0     0            all        any  any anywhere  anywhere  recent: SET name: shlimit side: source
> >>>>     0     0 DROP       all        any  any anywhere  anywhere  recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
> >>>>
> >>>> Chain wanin (1 references)
> >>>>  pkts bytes target     prot       opt in   out source    destination
> >>>>
> >>>> Chain wanout (1 references)
> >>>>  pkts bytes target     prot       opt in   out source    destination
> >>>>
> >>>> # ipsec statusall vpn-ipv6
> >>>> Status of IKE charon daemon (strongSwan 5.5.1, Linux 2.6.36.4brcmarm, armv7l):
> >>>>   uptime: 11 hours, since May 28 18:35:50 2017
> >>>>   malloc: sbrk 831488, mmap 0, used 416048, free 415440
> >>>>   worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 13
> >>>>   loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp gmpdh agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
> >>>> Listening IP addresses:
> >>>>   85.24.xx.xx
> >>>>   2001:2002:5ae1:xxx::xx
> >>>> Connections:
> >>>>     vpn-ipv6:  %any...%any  IKEv2, dpddelay=300s
> >>>>     vpn-ipv6:   local:  [vpn.joksi.net] uses public key authentication
> >>>>     vpn-ipv6:   remote: uses EAP_MSCHAPV2 authentication with EAP identity 'dulemis3'
> >>>>     vpn-ipv6:   child:  2000::/3 === dynamic TUNNEL, dpdaction=clear
> >>>> Security Associations (4 up, 0 connecting):
> >>>>     vpn-ipv6[26]: ESTABLISHED 2 minutes ago, 85.24.xx.xx[x]...94.234.xx.xx[x]
> >>>>     vpn-ipv6[26]: IKEv2 SPIs: a7ac5d658a4a39ac_i 278aaa324f402aaa_r*, public key reauthentication in 2 hours
> >>>>     vpn-ipv6[26]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
> >>>>     vpn-ipv6{1622}:  INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c9edd06c_i 66f8c36e_o
> >>>>     vpn-ipv6{1622}:  AES_CBC_128/HMAC_SHA2_256_128, 11600 bytes_i, 0 bytes_o, rekeying in 39 minutes
> >>>>     vpn-ipv6{1622}:   2000::/3 === 2001:2002:5ae1:c206:5076:327e:xx:xx/128
> >>>>
> >>>> conn vpn-ikev2
> >>>>     auto=add
> >>>>     reauth=yes
> >>>>     dpdaction=clear
> >>>>     dpddelay=300s
> >>>>     mobike=yes
> >>>>
> >>>>     leftid=xxx
> >>>>     leftsubnet=0.0.0.0/0,2000::/3
> >>>>     leftauth=pubkey
> >>>>
> >>>>     right=%any
> >>>>     rightsubnet=%dynamic
> >>>>     rightsourceip=%dhcp,2001:2002:5ae1:c206:5076:327e:xxx:xxx
> >>>>     rightauth=eap-mschapv2
> >>>>     eap_identity=%any
> >>>>>
> >>>>> ----Original message----
> >>>>> From: noel.kuntze+strongswan-users-ml at thermi.consulting
> >>>>> Date: 29/05/2017 - 00:16 (V)
> >>>>> To: dusan at comhem.se, users at lists.strongswan.org
> >>>>> Subject: Re: [strongSwan] IPv6 Remote Access
> >>>>>
> >>>>> Hello Dusan,
> >>>>>
> >>>>> On 28.05.2017 19:24, Dusan Ilic wrote:
> >>>>>> Hi Noel,
> >>>>>>
> >>>>>> The IPv6 prefix is on link, so I've tried adding a static NDP record;
> >>>>>> when pinging from a local host before adding the static record it
> >>>>>> says "destination host unreachable", but after adding it it says
> >>>>>> "request timed out".
> >>>>>>
> >>>>>> When I try pinging the client from the strongSwan host I get the
> >>>>>> following error: ping6: sendto: Address family not supported by
> >>>>>> protocol
> >>>>>
> >>>>> What command are you trying to use?
> >>>>>
> >>>>>> strongSwan now added a route for the IPv6 address out the correct
> >>>>>> WAN interface, and I have added an input and forward rule in
> >>>>>> ip6tables accepting traffic. I can see in "ipsec statusall" that the
> >>>>>> incoming packet counter is increasing, but not the outgoing.
> >>>>> Provide `ip6tables-save`, your ipsec.conf, `ipsec statusall` and
> >>>>> `sysctl -A | grep net.ipv6.conf.*forwarding`.
> >>>>>
> >>>>> Kind regards
> >>>>>
> >>>>> Noel
> >>>>>
> >>>>>> On 2017-05-26 at 17:47, Noel Kuntze wrote:
> >>>>>>> Hello Dusan,
> >>>>>>>
> >>>>>>> On 26.05.2017 16:52, Dusan Ilic wrote:
> >>>>>>>> Hi everyone,
> >>>>>>>>
> >>>>>>>> My ISP has just recently enabled IPv6 in their network (well, 6RD
> >>>>>>>> actually) and I have it configured and working at the site. I
> >>>>>>>> would now also like to enable it on my remote access VPN in
> >>>>>>>> strongSwan too, so I made a try with the following config; however,
> >>>>>>>> it doesn't seem to work. According to the strongSwan log the client asks
> >>>>>>>> for IPv6 (Android in this case) and gets assigned one (global,
> >>>>>>>> from my public prefix).
> >>>>>>>>
> >>>>>>>> leftsubnet=0.0.0.0/0,2000::/3 (also tried with ::/0)
> >>>>>>>> rightsourceip=%dhcp,2001:2002:5ae1:c206:4466:d122:xxx:xxx
> >>>>>>>>
> >>>>>>>> This is a test, so that's why I'm only assigning one single IPv6
> >>>>>>>> address for the time being. IPv4 works as expected, but I can
> >>>>>>>> neither reach an IPv6 internet site nor ping the gateway or the
> >>>>>>>> Android client from the gateway/clients behind the gateway.
> >>>>>>> Check if the IPv6 packets make it to the strongSwan host. And then
> >>>>>>> make sure those IPv6 addresses are routed over the strongSwan host.
> >>>>>>> If the subnet they're from is on the link, you'll need to do
> >>>>>>> proxy NDP on the strongSwan host, with either static records in the
> >>>>>>> NDP table on the strongSwan host or by using and configuring
> >>>>>>> ndppd[1] on the strongSwan host.
> >>>>>>>> What I'm reacting to is that a route gets created for the IPv4
> >>>>>>>> address in my routing table, but none for the IPv6 address. Also
> >>>>>>>> checked with "ip -6 route". Is this a routing problem possibly, or
> >>>>>>>> maybe a firewall (iptables) problem?
> >>>>>>> The latter maybe. IPv6 traffic goes through ip6tables, not iptables.
> >>>>>>>
> >>>>>>>> Just to be clear, the client is connecting to the strongSwan server
> >>>>>>>> with IPv4, should receive an IPv6 global address inside the tunnel
> >>>>>>>> and then my strongSwan server should route it out on the internet
> >>>>>>>> (through the 6RD tunnel).
> >>>>>>> Read the FAQ[2], too.
> >>>>>>>
> >>>>>>> Kind regards
> >>>>>>>
> >>>>>>> Noel
> >>>>>>>
> >>>>>>> [1] https://github.com/DanielAdolfsson/ndppd
> >>>>>>> [2] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IPsec-and-iptablesnftables
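The gateway-side steps this thread converges on (load the IPv6 IPsec kernel modules, enable forwarding, publish the client's on-link address via proxy NDP, and let the inner IPv6 traffic through ip6tables while the IPv4 outer IKE/ESP goes through iptables), collected into one POSIX shell script as an added example. This is not code from the thread or from the strongSwan project; the interface names, the client address, the module names and the ndppd.conf layout are assumptions, and DRY_RUN=1 (the default) prints the commands instead of executing them so it can be reviewed before use as root.

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project): gateway
# setup for IPv6 remote access when client addresses come from an on-link
# prefix. Interface names, client address, module names and the ndppd.conf
# layout are assumptions. DRY_RUN=1 (default) prints instead of executing.

DRY_RUN=${DRY_RUN:-1}

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# load_ipv6_ipsec_modules: the modules whose absence gave "Address family
# not supported by protocol" earlier in the thread. Names assumed for a
# 2.6-era kernel; on current kernels they are usually built in.
load_ipv6_ipsec_modules() {
    for m in esp6 xfrm6_mode_tunnel; do
        run modprobe "$m"
    done
}

# enable_forwarding LAN_IF: route between tunnel and LAN, and let the kernel
# answer neighbor solicitations for addresses in the proxy table on LAN_IF.
enable_forwarding() {
    run sysctl -w net.ipv6.conf.all.forwarding=1
    run sysctl -w "net.ipv6.conf.$1.proxy_ndp=1"
}

# proxy_client_addr LAN_IF CLIENT_ADDR: static proxy-NDP record, so LAN hosts
# and the upstream router resolve the VPN client's address to this gateway
# instead of reporting "destination host unreachable".
proxy_client_addr() {
    run ip -6 neigh add proxy "$2" dev "$1"
}

# outer_ipv4_rules WAN_IF: the client connects over IPv4 ("ESP in UDP" in the
# statusall output), so IKE and NAT-T ESP are an iptables matter, not ip6tables.
outer_ipv4_rules() {
    run iptables -A INPUT -i "$1" -p udp -m multiport --dports 500,4500 -j ACCEPT
    run iptables -A INPUT -i "$1" -p esp -j ACCEPT
}

# inner_ipv6_rules: forward only packets that were decapsulated from (dir in)
# or will be encapsulated into (dir out) an IPsec SA. Tighter than a blanket
# per-interface ACCEPT and independent of the WAN interface name.
inner_ipv6_rules() {
    run ip6tables -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run ip6tables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
}

# ndppd_conf LAN_IF PREFIX: alternative to per-address static entries, an
# ndppd.conf answering for the whole prefix (layout assumed from ndppd's README).
ndppd_conf() {
    printf 'proxy %s {\n    rule %s {\n        static\n    }\n}\n' "$1" "$2"
}

# plan_remote_access LAN_IF WAN_IF CLIENT_ADDR: the whole sequence in order.
plan_remote_access() {
    load_ipv6_ipsec_modules
    enable_forwarding "$1"
    proxy_client_addr "$1" "$3"
    outer_ipv4_rules "$2"
    inner_ipv6_rules
}

# Usage: DRY_RUN=0 sh ipv6-ra-gw.sh apply br0 vlan847 2001:db8:1::10
if [ "${1:-}" = "apply" ]; then
    shift
    plan_remote_access "$@"
fi
```

Run it once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 to apply them. The policy-match FORWARD rules replace the broad "ACCEPT all br0 any" style rules from the thread for the tunnel traffic: they only pass packets that the kernel has actually matched against an IPsec policy, so a client outside the VPN cannot reach the LAN just because it spoofs a source address from the prefix.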