[strongSwan] IPSec and NAT64
Kristian McColm
kristianmccolm at hotmail.com
Thu Mar 22 00:26:11 CET 2018
Hello List,
I seem to have a very similar problem to the following:
https://wiki.strongswan.org/issues/1532
I am wondering if anyone on the list has had any success with IKEv2 or any other IPSec VPNs over NAT64.
I am currently working on a project to migrate a large number of mobile devices from dual-stack mode to IPv6-only mode. I have a stateful NAT64 / DNS64 solution that is working fine for the majority of protocols, but I believe something is getting mangled when it comes to IPsec using UDP-encapsulated ESP (NAT-T).
I have tested with both the latest Android and iPhone devices and they are not able to successfully do two-way data after phase 2 is established. Below is my connection defined in ipsec.conf:
conn ikev2-vpn-ipv4v6
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=no
        ike=aes256-sha1-modp1024,3des-sha1-modp1024!
        esp=aes256-sha1,3des-sha1!
        dpdaction=clear
        dpddelay=5s
        left=<vpn_server_fqdn>
        leftid=@<vpn_server_identifier>
        leftcert=/etc/strongswan/ipsec.d/certs/vpn-server-cert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0,::/0
        leftdns=<ipv4_dns_server_ip>,<ipv6_dns_server_ip>
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=<ipv4_virtualIP_subnet>,<ipv6_virtualIP_prefix>
        rightsendcert=never
        eap_identity=%identity
Below is a strongswan statusall:
[root at gw ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.15.9-200.fc26.x86_64, x86_64):
uptime: 20 hours, since Mar 20 22:57:20 2018
malloc: sbrk 2703360, mmap 0, used 700784, free 2002576
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 12
loaded plugins: charon pkcs11 tpm aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity
Virtual IP pools (size/online/offline):
<redacted>
Listening IP addresses:
<redacted>
Connections:
ikev2-vpn-ipv4v6: <redacted>...%any IKEv2, dpddelay=5s
ikev2-vpn-ipv4v6: local: [<redacted>] uses public key authentication
ikev2-vpn-ipv4v6: cert: "<redacted>"
ikev2-vpn-ipv4v6: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-vpn-ipv4v6: child: 0.0.0.0/0 ::/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ikev2-vpn-ipv4v6[33]: ESTABLISHED 6 seconds ago, <redacted> [<redacted>]...<redacted> [<redacted>]
ikev2-vpn-ipv4v6[33]: Remote EAP identity: <redacted>
ikev2-vpn-ipv4v6[33]: IKEv2 SPIs: 877e5afe818caada_i 5eb7c2351f6a3a8d_r*, public key reauthentication in 2 hours
ikev2-vpn-ipv4v6[33]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ikev2-vpn-ipv4v6{16}: INSTALLED, TUNNEL, reqid 15, ESP in UDP SPIs: cefb5147_i 0373162d_o
ikev2-vpn-ipv4v6{16}: 3DES_CBC/HMAC_SHA1_96, 1940 bytes_i (32 pkts, 2s ago), 6616 bytes_o (32 pkts, 2s ago), rekeying in 44 minutes
ikev2-vpn-ipv4v6{16}: 0.0.0.0/0 ::/0 === <redacted>/32 <redacted>/128
The connection works fine over IPv4 (via our NAT44), also over native IPv6, but when we use DNS64/NAT64 the tunnel comes up but data transfer fails (ICMP / HTTP / SSL / whatever..).
The Wiki post does not seem to have found any resolution. Can anyone suggest whether this use case is valid (i.e. should this even work at all), or what I might be missing to make it work?
Thanks
KM
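When a tunnel establishes but payload traffic fails, as described in the post above, the first thing to separate is whether ESP itself still crosses the translator in both directions or only one; the CHILD_SA byte counters in `strongswan statusall` answer that. The following is an added example, not from the original post or the strongSwan project: it parses those lines from a constructed sample modelled on the statusall excerpt above (addresses replaced with documentation-range values, a second one-way CHILD_SA added) and classifies each installed CHILD_SA.

```python
import re

# Constructed sample modelled on the statusall excerpt in the post: redacted
# addresses replaced with documentation-range values, plus a second, one-way
# CHILD_SA added to show the failing case.
SAMPLE_STATUSALL = """\
Security Associations (2 up, 0 connecting):
ikev2-vpn-ipv4v6[33]: ESTABLISHED 6 seconds ago, 198.51.100.1[vpn.example.net]...203.0.113.7[phone]
ikev2-vpn-ipv4v6{16}:  INSTALLED, TUNNEL, reqid 15, ESP in UDP SPIs: cefb5147_i 0373162d_o
ikev2-vpn-ipv4v6{16}:  3DES_CBC/HMAC_SHA1_96, 1940 bytes_i (32 pkts, 2s ago), 6616 bytes_o (32 pkts, 2s ago), rekeying in 44 minutes
ikev2-vpn-ipv4v6{16}:   0.0.0.0/0 ::/0 === 10.10.0.5/32 fd00::5/128
ikev2-vpn-ipv4v6{17}:  INSTALLED, TUNNEL, reqid 16, ESP SPIs: c1a2b3c4_i 0a1b2c3d_o
ikev2-vpn-ipv4v6{17}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 4120 bytes_o (18 pkts, 1s ago), rekeying in 50 minutes
"""

# INSTALLED line: CHILD_SA name/id and whether ESP is UDP-encapsulated (NAT-T).
INSTALLED_RE = re.compile(
    r"^(?P<name>[^\s{]+\{\d+\}):\s+INSTALLED, \w+, reqid \d+, (?P<proto>ESP in UDP|ESP|AH) SPIs:")
# Traffic line; strongSwan omits the "(N pkts, ...)" part when a counter is zero.
TRAFFIC_RE = re.compile(
    r"^(?P<name>[^\s{]+\{\d+\}):\s+\S+, (?P<bi>\d+) bytes_i(?: \([^)]*\))?, "
    r"(?P<bo>\d+) bytes_o(?: \([^)]*\))?")

def parse_child_sas(text: str) -> dict:
    """Map CHILD_SA name -> {'udp_encap': bool, 'bytes_i': int, 'bytes_o': int}."""
    sas = {}
    for line in text.splitlines():
        if m := INSTALLED_RE.match(line):
            sas[m["name"]] = {"udp_encap": m["proto"] == "ESP in UDP", "bytes_i": 0, "bytes_o": 0}
        elif (m := TRAFFIC_RE.match(line)) and m["name"] in sas:
            sas[m["name"]].update(bytes_i=int(m["bi"]), bytes_o=int(m["bo"]))
    return sas

def classify(sa: dict) -> str:
    """Which directions have carried ESP on this SA (bytes_i = decrypted from peer, bytes_o = sent to peer)."""
    if sa["bytes_i"] == 0 and sa["bytes_o"] == 0:
        return "no-traffic"
    if sa["bytes_i"] == 0:
        return "outbound-only"  # we send, nothing from the client decrypts here: client->server path suspect
    if sa["bytes_o"] == 0:
        return "inbound-only"   # client packets arrive, nothing is sent back: server->client path suspect
    return "two-way"            # ESP flows both ways at this gateway; look at the inner/payload path

def report(text: str) -> list:
    """One (name, udp_encap, verdict) tuple per installed CHILD_SA."""
    return [(n, sa["udp_encap"], classify(sa)) for n, sa in parse_child_sas(text).items()]
```

A two-way verdict, as on the SA in the post's excerpt, means the translator is at least delivering the client's encapsulated ESP and the gateway is replying, so the inner traffic path is the next place to look; a one-way verdict narrows the fault to the direction that is not counted.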