[strongSwan] V4 in V6 tunnel return path broken

Giorgos Mavrikas gmavrikas at gmail.com
Fri Jun 1 23:15:55 CEST 2018


Hi,

I have a problem that’s been bugging me for two days straight. I have looked into the wiki documentation regarding routing, but I cannot figure this out. Any help would be much appreciated.
I have a simple “road warrior” type setup, with SW listening on both v4 and v6. I want clients to be able to connect to both v4 and v6, but the tunnel should only carry v4 traffic.
The v4 part works great. The v6 part connects OK (after some extra module loading) and tunnel traffic gets all the way from the client to the external interface of the server, where it gets NAT-ted and a reply is received. After that, the packet goes missing; it is never received on the client’s tunnel interface. I cannot find out why this happens; all xfrm policies look good to my eyes.

Snoop on the client (macOS)
gmvmbp15r:~ root# tcpdump -ni ipsec0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
00:11:43.251689 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 3, length 64
00:11:44.253234 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 4, length 64
00:11:45.257160 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 5, length 64
00:11:46.258467 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64

Snoop on the public interface of the server (Ubuntu 18.04)
root@snf-823515:~# tcpdump -ni eth1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:11:46.257089 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
00:11:46.259361 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 6, length 64
00:11:47.274263 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 7, length 64
00:11:47.276714 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 7, length 64

Thanks for taking the time!

My config follows.

-> ipsec.conf
config setup
 charondebug="ike 1, knl 1, cfg 0"
 uniqueids=no

conn ikev2-vpn
 auto=add
 compress=no
 type=tunnel
 keyexchange=ikev2
 fragmentation=yes
 forceencaps=no
 ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
 esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
 dpdaction=clear
 dpddelay=300s
 rekey=no
 left=%any
 leftid=@tunnel2.mavrikas.com
 leftcert=/etc/letsencrypt/live/tunnel2.mavrikas.com/fullchain.pem
 leftsendcert=always
 leftsubnet=0.0.0.0/0
 right=%any
 rightid=%any
 rightauth=eap-mschapv2
 rightsourceip=172.18.72.0/24
 rightdns=1.0.0.1,1.1.1.1
 rightsendcert=never
 eap_identity=%identity

-> v4 connection log (all OK):
Jun  2 00:04:22 snf-823515 ipsec[2733]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jun  2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun  2 00:04:22 snf-823515 ipsec[2733]: 00[JOB] spawning 16 worker threads
Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] unknown attribute type (25)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] EAP-Identity request configured, but not supported
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0xFB)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] peer supports MOBIKE
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun  2 00:04:22 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any
Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any6
Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun  2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any
Jun  2 00:04:22 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun  2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
Jun  2 00:04:22 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun  2 00:04:22 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun  2 00:04:22 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun  2 00:04:22 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)

-> v6 connection log
Jun  2 00:05:30 snf-823515 ipsec[2935]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jun  2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun  2 00:05:30 snf-823515 ipsec[2935]: 00[JOB] spawning 16 worker threads
Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] unknown attribute type (25)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] EAP-Identity request configured, but not supported
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0x5E)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] peer supports MOBIKE
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun  2 00:05:30 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any6
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun  2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any
Jun  2 00:05:30 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun  2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
Jun  2 00:05:30 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun  2 00:05:30 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun  2 00:05:30 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun  2 00:05:30 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)

-> routing tables after v4 gets connected (ignore the tun* interfaces, they belong to OpenVPN)
172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static 
default via 83.212.110.1 dev eth1 proto dhcp metric 101 
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101 
172.18.73.0/24 via 172.18.73.2 dev tun1 
172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1 
172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1 
broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156 
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156 
broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1 
local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1 
local ::1 dev lo proto kernel metric 256 pref medium
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium

-> routing tables after v6 gets connected 
172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static 
default via 83.212.110.1 dev eth1 proto dhcp metric 101 
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101 
172.18.73.0/24 via 172.18.73.2 dev tun1 
172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1 
172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1 
broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156 
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156 
broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1 
local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1 
local ::1 dev lo proto kernel metric 256 pref medium
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium

-> interface configuration
root@snf-823515:~# ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host 
      valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
   link/ether aa:00:04:1e:a3:7e brd ff:ff:ff:ff:ff:ff
   inet6 2001:648:2ffc:1225:a800:4ff:fe1e:a37e/64 scope global noprefixroute 
      valid_lft forever preferred_lft forever
   inet6 fe80::a800:4ff:fe1e:a37e/64 scope link noprefixroute 
      valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
   link/ether aa:0c:f4:7b:f9:1d brd ff:ff:ff:ff:ff:ff
   inet 83.212.111.156/23 brd 83.212.111.255 scope global dynamic noprefixroute eth1
      valid_lft 603582sec preferred_lft 603582sec
   inet6 fe80::3948:27b7:f4d2:fa55/64 scope link noprefixroute 
      valid_lft forever preferred_lft forever
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
   link/sit 0.0.0.0 brd 0.0.0.0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
   link/none 
   inet 172.18.73.1 peer 172.18.73.2/32 scope global tun0
      valid_lft forever preferred_lft forever
   inet6 fe80::8c31:575c:4950:fa28/64 scope link stable-privacy 
      valid_lft forever preferred_lft forever
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
   link/none 
   inet 172.18.73.1 peer 172.18.73.2/32 scope global tun1
      valid_lft forever preferred_lft forever
   inet6 fe80::e403:923b:5769:5de/64 scope link stable-privacy 
      valid_lft forever preferred_lft forever
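A triage check over the data posted above, written as an added example that is not part of the original mail or of strongSwan itself: it parses the `ip addr`, `ip route` and charon log output quoted in the post, finds the interface that holds the IKE_SA's local address and the interface of the table 220 route installed for the assigned virtual IP, and reports whether the two agree. The sample strings are trimmed copies of the posted output; the v4-only case in the usage below is constructed with a documentation-range client address.

```python
import ipaddress
import re

# Constructed sample input: trimmed copies of the `ip addr`, `ip route` and
# charon log lines from the mail above (the v6-connected case).
IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet6 2001:648:2ffc:1225:a800:4ff:fe1e:a37e/64 scope global noprefixroute
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 83.212.111.156/23 brd 83.212.111.255 scope global dynamic noprefixroute eth1
"""
IP_ROUTE = """\
172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
default via 83.212.110.1 dev eth1 proto dhcp metric 101
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
"""
LOG_V6 = """\
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
"""


def parse_ip_addr(text):
    """Map each configured v4/v6 address to the interface that holds it."""
    addrs, iface = {}, None
    for line in text.splitlines():
        m = re.match(r"^\d+: (\w+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"^\s+inet6? ([0-9a-f.:]+)/\d+", line)
        if m and iface:
            addrs[ipaddress.ip_address(m.group(1))] = iface
    return addrs


def parse_routes(text):
    """Return (destination network or None for 'default', dev, table) tuples."""
    routes = []
    for line in text.splitlines():
        m = re.match(r"^(\S+) .*?\bdev (\S+)(?: table (\S+))?", line)
        if not m:
            continue
        dst = None if m.group(1) == "default" else ipaddress.ip_network(m.group(1), strict=False)
        routes.append((dst, m.group(2), m.group(3) or "main"))
    return routes


def parse_charon_log(text):
    """Pull the local IKE_SA endpoint and the assigned virtual IP out of charon output."""
    ep = re.search(r"IKE_SA \S+ established between ([0-9a-f.:]+)\[", text)
    vip = re.search(r"assigning virtual IP ([0-9a-f.:]+) to peer", text)
    if not (ep and vip):
        raise ValueError("IKE_SA endpoint or virtual IP not found in log")
    return ipaddress.ip_address(ep.group(1)), ipaddress.ip_address(vip.group(1))


def check_virtual_ip_route(ip_addr, ip_route, log):
    """Compare the interface carrying the IKE_SA's local address with the interface
    of the table 220 route that strongSwan installed for the virtual IP.  A mismatch
    means inner (virtual IP) traffic is steered towards one link while the ESP outer
    packets belong to another; it is a place to look, not a diagnosis by itself."""
    addrs = parse_ip_addr(ip_addr)
    local_ep, vip = parse_charon_log(log)
    ike_iface = addrs.get(local_ep)
    vip_iface = next((dev for dst, dev, table in parse_routes(ip_route)
                      if table == "220" and dst is not None and vip in dst), None)
    return {
        "ike_family": local_ep.version,
        "ike_interface": ike_iface,
        "vip_route_interface": vip_iface,
        "consistent": ike_iface is not None and ike_iface == vip_iface,
    }


if __name__ == "__main__":
    # For the posted data this reports IKE_SA on eth0 (IPv6), virtual-IP route via eth1.
    print(check_virtual_ip_route(IP_ADDR, IP_ROUTE, LOG_V6))
```

The report only compares what charon logged against what the kernel routes; `ip xfrm policy` and `ip xfrm state` still have to be read alongside it before drawing a conclusion.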