[strongSwan] V4 in V6 tunnel return path broken

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sun Jun 3 21:48:00 CEST 2018


Hi,

Then try setting it to 0. I'm not criticising you or the provider. It's just the possible source of problems.

Kind regards

Noel

On 03.06.2018 21:13, Giorgos Mavrikas wrote:
> Hi Noel,
> 
> You are right, the default policy is set to ACCEPT for debugging purposes; once I have set up the IPv6 tunnel, I’ll set it to DROP.
> The IPv6 address on eth0 and IPv4 on eth1 is set by the cloud provider of the VM, nothing I can do about that.
> Setting the rp_filter for all interfaces to 2 makes no difference though…
> Any other suggestions are most welcome.
> 
> Thanks
> 
>> On Jun 3, 2018, at 14:47, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>
>> Hi,
>>
>> This looks okay, although the rules are largely useless, because it's a blacklist, not a whitelist.
>>
>> I could spot that you have IPv4 on eth1 and IPv6 on eth0. Because the return path to Mac OS is different between the two families, I think the return path filter drops the packets. Set it to 2 for both eth0 and eth1. Use sysctl -w net.ipv4.conf.eth0.rp_filter=2 net.ipv4.conf.eth1.rp_filter=2 for that, then test again. Use /etc/sysctl.d/ to make it permanent.
>>
>> Kind regards
>>
>> Noel
>>
>> On 02.06.2018 22:40, Giorgos Mavrikas wrote:
>>> Hi Noel,
>>>
>>> Thanks for replying.
>>> Here is the output of iptables-save and ip6tables-save:
>>>
>>> root@snf-823515:~# iptables-save 
>>> # Generated by iptables-save v1.6.1 on Sat Jun  2 23:38:02 2018
>>> *mangle
>>> :PREROUTING ACCEPT [1267325:876958065]
>>> :INPUT ACCEPT [1237708:851646057]
>>> :FORWARD ACCEPT [29479:25297360]
>>> :OUTPUT ACCEPT [1254056:1043029543]
>>> :POSTROUTING ACCEPT [1283535:1068326903]
>>> -A FORWARD -s 172.18.72.0/24 -o eth1 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>> -A FORWARD -s 172.18.73.0/24 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>> COMMIT
>>> # Completed on Sat Jun  2 23:38:02 2018
>>> # Generated by iptables-save v1.6.1 on Sat Jun  2 23:38:02 2018
>>> *nat
>>> :PREROUTING ACCEPT [80004:7959890]
>>> :INPUT ACCEPT [79118:7842531]
>>> :OUTPUT ACCEPT [8028:605426]
>>> :POSTROUTING ACCEPT [8029:605466]
>>> -A POSTROUTING -s 172.18.72.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
>>> -A POSTROUTING -s 172.18.73.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 --persistent
>>> -A POSTROUTING -s 172.18.72.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 --persistent
>>> COMMIT
>>> # Completed on Sat Jun  2 23:38:02 2018
>>> # Generated by iptables-save v1.6.1 on Sat Jun  2 23:38:02 2018
>>> *filter
>>> :INPUT ACCEPT [79598:7901697]
>>> :FORWARD ACCEPT [522:75308]
>>> :OUTPUT ACCEPT [1254057:1043029895]
>>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>>> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
>>> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
>>> -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
>>> -A INPUT -i eth1 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
>>> -A FORWARD -s 172.18.72.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
>>> -A FORWARD -d 172.18.72.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>>> COMMIT
>>> # Completed on Sat Jun  2 23:38:02 2018
>>>
>>>
>>> root@snf-823515:~# ip6tables-save 
>>> # Generated by ip6tables-save v1.6.1 on Sat Jun  2 23:39:30 2018
>>> *filter
>>> :INPUT ACCEPT [9613:6437361]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [7799:673126]
>>> -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
>>> COMMIT
>>> # Completed on Sat Jun  2 23:39:30 2018
>>>
>>> Thanks,
>>> GeorgeM
>>>
>>>> On Jun 2, 2018, at 23:35, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>>>
>>>> Hello,
>>>>
>>>> Please provide your iptables and ip6tables rules. Use iptables-save and ip6tables-save.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> On 01.06.2018 23:15, Giorgos Mavrikas wrote:
>>>>> Hi,
>>>>>
>>>>> I have a problem that’s been bugging me for two days straight. I have looked into the wiki documentation regarding routing, but I cannot figure this out. Any help would be much appreciated.
>>>>> I have a simple “road warrior” type setup, with SW listening on both v4 and v6. I want clients to be able to connect to both v4 and v6, but the tunnel should only carry v4 traffic.
>>>>> The v4 part works great. The v6 part connects OK (after some extra module loading) and tunnel traffic gets all the way from the client to the external interface of the server where it get’s NAT-ted and a reply is received. After that, the packet gets missing, it’s never received on the client’s tunnel interface. I cannot find out why this happens, all xfrm policies look good to my eyes.
>>>>>
>>>>> Snoop on the client (macOS)
>>>>> gmvmbp15r:~ root# tcpdump -ni ipsec0 icmp
>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>> listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
>>>>> 00:11:43.251689 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 3, length 64
>>>>> 00:11:44.253234 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 4, length 64
>>>>> 00:11:45.257160 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 5, length 64
>>>>> 00:11:46.258467 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
>>>>>
>>>>> Snoop on the public interface of the server (Ubuntu 18.04)
>>>>> root@snf-823515:~# tcpdump -ni eth1 icmp
>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>> listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
>>>>> 00:11:46.257089 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
>>>>> 00:11:46.259361 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 6, length 64
>>>>> 00:11:47.274263 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 7, length 64
>>>>> 00:11:47.276714 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 7, length 64
>>>>>
>>>>> Thanks for taking the time!
>>>>>
>>>>> My config follows.
>>>>>
>>>>> -> ipsec.conf
>>>>> config setup
>>>>> charondebug="ike 1, knl 1, cfg 0"
>>>>> uniqueids=no
>>>>>
>>>>> conn ikev2-vpn
>>>>> auto=add
>>>>> compress=no
>>>>> type=tunnel
>>>>> keyexchange=ikev2
>>>>> fragmentation=yes
>>>>> forceencaps=no
>>>>> ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>>>>> esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>>>>> dpdaction=clear
>>>>> dpddelay=300s
>>>>> rekey=no
>>>>> left=%any
>>>>> leftid=@tunnel2.mavrikas.com
>>>>> leftcert=/etc/letsencrypt/live/tunnel2.mavrikas.com/fullchain.pem
>>>>> leftsendcert=always
>>>>> leftsubnet=0.0.0.0/0
>>>>> right=%any
>>>>> rightid=%any
>>>>> rightauth=eap-mschapv2
>>>>> rightsourceip=172.18.72.0/24
>>>>> rightdns=1.0.0.1,1.1.1.1
>>>>> rightsendcert=never
>>>>> eap_identity=%identity
>>>>>
>>>>> -> v4 connection log (all OK):
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] dropped capabilities, running as uid 0, gid 0
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 00[JOB] spawning 16 worker threads
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] unknown attribute type (25)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] EAP-Identity request configured, but not supported
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0xFB)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] peer supports MOBIKE
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any6
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
>>>>>
>>>>> -> v6 connection log
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] dropped capabilities, running as uid 0, gid 0
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 00[JOB] spawning 16 worker threads
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] unknown attribute type (25)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] EAP-Identity request configured, but not supported
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0x5E)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] peer supports MOBIKE
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any6
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
>>>>>
>>>>> -> routing tables after v4 gets connected (ignore the tun* interfaces, they belong to OpenVPN)
>>>>> 172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static 
>>>>> default via 83.212.110.1 dev eth1 proto dhcp metric 101 
>>>>> 83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101 
>>>>> 172.18.73.0/24 via 172.18.73.2 dev tun1 
>>>>> 172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1 
>>>>> 172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1 
>>>>> broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156 
>>>>> local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156 
>>>>> broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156 
>>>>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
>>>>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
>>>>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
>>>>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
>>>>> local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1 
>>>>> local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1 
>>>>> local ::1 dev lo proto kernel metric 256 pref medium
>>>>> 2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
>>>>> fe80::/64 dev eth0 proto kernel metric 100 pref medium
>>>>> fe80::/64 dev eth1 proto kernel metric 101 pref medium
>>>>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>>>>> fe80::/64 dev eth1 proto kernel metric 256 pref medium
>>>>> fe80::/64 dev tun1 proto kernel metric 256 pref medium
>>>>> fe80::/64 dev tun0 proto kernel metric 256 pref medium
>>>>> default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
>>>>> local ::1 dev lo table local proto kernel metric 0 pref medium
>>>>> local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
>>>>> local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
>>>>> local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
>>>>> local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
>>>>> local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
>>>>> ff00::/8 dev eth0 table local metric 256 pref medium
>>>>> ff00::/8 dev eth1 table local metric 256 pref medium
>>>>> ff00::/8 dev tun1 table local metric 256 pref medium
>>>>> ff00::/8 dev tun0 table local metric 256 pref medium
>>>>>
>>>>> -> routing tables after v6 gets connected 
>>>>> 172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static 
>>>>> default via 83.212.110.1 dev eth1 proto dhcp metric 101 
>>>>> 83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101 
>>>>> 172.18.73.0/24 via 172.18.73.2 dev tun1 
>>>>> 172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1 
>>>>> 172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1 
>>>>> broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156 
>>>>> local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156 
>>>>> broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156 
>>>>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
>>>>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
>>>>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
>>>>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
>>>>> local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1 
>>>>> local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1 
>>>>> local ::1 dev lo proto kernel metric 256 pref medium
>>>>> 2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
>>>>> fe80::/64 dev eth0 proto kernel metric 100 pref medium
>>>>> fe80::/64 dev eth1 proto kernel metric 101 pref medium
>>>>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>>>>> fe80::/64 dev eth1 proto kernel metric 256 pref medium
>>>>> fe80::/64 dev tun1 proto kernel metric 256 pref medium
>>>>> fe80::/64 dev tun0 proto kernel metric 256 pref medium
>>>>> default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
>>>>> local ::1 dev lo table local proto kernel metric 0 pref medium
>>>>> local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
>>>>> local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
>>>>> local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
>>>>> local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
>>>>> local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
>>>>> ff00::/8 dev eth0 table local metric 256 pref medium
>>>>> ff00::/8 dev eth1 table local metric 256 pref medium
>>>>> ff00::/8 dev tun1 table local metric 256 pref medium
>>>>> ff00::/8 dev tun0 table local metric 256 pref medium
>>>>>
>>>>> -> interface configuration
>>>>> root@snf-823515:~# ip addr ls
>>>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>>>>>   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>>>   inet 127.0.0.1/8 scope host lo
>>>>>      valid_lft forever preferred_lft forever
>>>>>   inet6 ::1/128 scope host 
>>>>>      valid_lft forever preferred_lft forever
>>>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>>>>   link/ether aa:00:04:1e:a3:7e brd ff:ff:ff:ff:ff:ff
>>>>>   inet6 2001:648:2ffc:1225:a800:4ff:fe1e:a37e/64 scope global noprefixroute 
>>>>>      valid_lft forever preferred_lft forever
>>>>>   inet6 fe80::a800:4ff:fe1e:a37e/64 scope link noprefixroute 
>>>>>      valid_lft forever preferred_lft forever
>>>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>>>>   link/ether aa:0c:f4:7b:f9:1d brd ff:ff:ff:ff:ff:ff
>>>>>   inet 83.212.111.156/23 brd 83.212.111.255 scope global dynamic noprefixroute eth1
>>>>>      valid_lft 603582sec preferred_lft 603582sec
>>>>>   inet6 fe80::3948:27b7:f4d2:fa55/64 scope link noprefixroute 
>>>>>      valid_lft forever preferred_lft forever
>>>>> 4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
>>>>>   link/sit 0.0.0.0 brd 0.0.0.0
>>>>> 5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
>>>>>   link/none 
>>>>>   inet 172.18.73.1 peer 172.18.73.2/32 scope global tun0
>>>>>      valid_lft forever preferred_lft forever
>>>>>   inet6 fe80::8c31:575c:4950:fa28/64 scope link stable-privacy 
>>>>>      valid_lft forever preferred_lft forever
>>>>> 6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
>>>>>   link/none 
>>>>>   inet 172.18.73.1 peer 172.18.73.2/32 scope global tun1
>>>>>      valid_lft forever preferred_lft forever
>>>>>   inet6 fe80::e403:923b:5769:5de/64 scope link stable-privacy 
>>>>>      valid_lft forever preferred_lft forever 
>>>
>>
> 

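As an added illustration of the reverse-path check discussed in this thread (example code, not from the thread or from strongSwan): a small Python model of rp_filter modes 0, 1 and 2 applied to the routes posted above. It assumes, as Noel's hypothesis does, that the decrypted inner IPv4 packet is validated against eth0, the interface the IPv6-encapsulated ESP arrived on; the routes are copied from the dump with loopback and link-local entries left out, and the model only reproduces the documented strict/loose semantics, not the kernel's exact FIB code.

```python
"""Model of the Linux rp_filter decision for the routes in this thread.

Added example, not part of the original mailing-list post.  The route
table is taken from the "routing tables after v6 gets connected" dump
(loopback/link-local entries omitted).  The assumption that the inner
packet is checked against eth0 is Noel's hypothesis from the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str        # destination prefix, e.g. "172.18.72.1/32"
    dev: str           # egress interface of the route
    table: str = "main"


# Routes copied from the thread's dump (next-hop addresses dropped, they
# do not influence which interface the reverse-path lookup returns).
ROUTES = [
    Route("172.18.72.1/32", "eth1", "220"),       # strongSwan virtual-IP route
    Route("0.0.0.0/0", "eth1"),                    # default via 83.212.110.1
    Route("83.212.110.0/23", "eth1"),
    Route("172.18.73.0/24", "tun1"),
    Route("2001:648:2ffc:1225::/64", "eth0"),
    Route("::/0", "eth0"),                         # default via fe80::... dev eth0
]


def reverse_path_lookup(src, routes=ROUTES):
    """Interface the kernel would use to reach `src` (longest-prefix match
    over all tables), or None when the source is unroutable."""
    addr = ipaddress.ip_address(src)
    best_net, best_dev = None, None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_dev = net, r.dev
    return best_dev


def rp_filter_accepts(mode, src, in_dev, routes=ROUTES):
    """rp_filter semantics as documented in ip-sysctl.txt:
       0 = no source validation at all,
       1 = strict: the route back to src must leave via in_dev,
       2 = loose: any route back to src, on any interface, is enough."""
    if mode == 0:
        return True
    out_dev = reverse_path_lookup(src, routes)
    if out_dev is None:
        return False                      # unroutable source: always dropped
    if mode == 1:
        return out_dev == in_dev
    if mode == 2:
        return True
    raise ValueError(f"unknown rp_filter mode {mode}")


def thread_scenarios(mode):
    """The packets from the thread's tcpdumps, evaluated under one mode."""
    return {
        # inner IPv4 packet decrypted from ESP that arrived over IPv6 on eth0
        "client_via_v6": rp_filter_accepts(mode, "172.18.72.1", "eth0"),
        # the same inner packet when the client connected over IPv4 on eth1
        "client_via_v4": rp_filter_accepts(mode, "172.18.72.1", "eth1"),
        # ICMP echo reply from 1.1.1.1 seen arriving on eth1
        "reply_on_eth1": rp_filter_accepts(mode, "1.1.1.1", "eth1"),
    }


if __name__ == "__main__":
    for mode in (0, 1, 2):
        print(f"rp_filter={mode}: {thread_scenarios(mode)}")
```

Under strict mode the inner packet from the IPv6-connected client is the only one dropped, because its reverse route (table 220) points at eth1 while it was received on eth0; loose mode and 0 accept it.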