[strongSwan] Help with Issue#2583
Anne Ambe
anne.ambe at air-lynx.com
Thu Mar 22 14:42:49 CET 2018
Hi all,
Please can someone look into my issue with the forecast plugin?
Issue number: 2583.
Thank you for your assistance.
Anne
On 3/22/2018 12:26 AM, Kristian McColm wrote:
> Hello List,
>
> I seem to have a very similar problem to the following:
>
> https://wiki.strongswan.org/issues/1532
>
> I am wondering if anyone on the list has had any success with IKEv2 or any other IPSec VPNs over NAT64.
>
> I am currently working on a project to migrate a large number of mobile devices from dual-stack mode to IPv6 only mode. I have a stateful NAT64 / DNS64 solution that is working fine for the majority of protocols but I believe something is getting mangled when it comes to IPSec using UDP encapsulated ESP (NAT-T).
>
> I have tested with both the latest Android and iPhone devices and they are not able to successfully do two-way data after phase 2 is established. Below is my connection defined in ipsec.conf:
>
> conn ikev2-vpn-ipv4v6
> auto=add
> compress=no
> type=tunnel
> keyexchange=ikev2
> fragmentation=yes
> forceencaps=no
> ike=aes256-sha1-modp1024,3des-sha1-modp1024!
> esp=aes256-sha1,3des-sha1!
> dpdaction=clear
> dpddelay=5s
> left=<vpn_server_fqdn>
> leftid=@<vpn_server_identifier>
> leftcert=/etc/strongswan/ipsec.d/certs/vpn-server-cert.pem
> leftsendcert=always
> leftsubnet=0.0.0.0/0,::/0
> leftdns=<ipv4_dns_server_ip>,<ipv6_dns_server_ip>
> right=%any
> rightid=%any
> rightauth=eap-mschapv2
> rightsourceip=<ipv4_virtualIP_subnet>,<ipv6_virtualIP_prefix>
> rightsendcert=never
> eap_identity=%identity
>
> Below is a strongswan statusall:
>
> [root at gw ~]# strongswan statusall
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.15.9-200.fc26.x86_64, x86_64):
> uptime: 20 hours, since Mar 20 22:57:20 2018
> malloc: sbrk 2703360, mmap 0, used 700784, free 2002576
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 12
> loaded plugins: charon pkcs11 tpm aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity
> Virtual IP pools (size/online/offline):
> <redacted>
> Listening IP addresses:
> <redacted>
> Connections:
> ikev2-vpn-ipv4v6: <redacted>...%any IKEv2, dpddelay=5s
> ikev2-vpn-ipv4v6: local: [<redacted>] uses public key authentication
> ikev2-vpn-ipv4v6: cert: "<redacted>"
> ikev2-vpn-ipv4v6: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
> ikev2-vpn-ipv4v6: child: 0.0.0.0/0 ::/0 === dynamic TUNNEL, dpdaction=clear
> Security Associations (1 up, 0 connecting):
> ikev2-vpn-ipv4v6[33]: ESTABLISHED 6 seconds ago, <redacted> [<redacted>]...<redacted> [<redacted>]
> ikev2-vpn-ipv4v6[33]: Remote EAP identity: <redacted>
> ikev2-vpn-ipv4v6[33]: IKEv2 SPIs: 877e5afe818caada_i 5eb7c2351f6a3a8d_r*, public key reauthentication in 2 hours
> ikev2-vpn-ipv4v6[33]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> ikev2-vpn-ipv4v6{16}: INSTALLED, TUNNEL, reqid 15, ESP in UDP SPIs: cefb5147_i 0373162d_o
> ikev2-vpn-ipv4v6{16}: 3DES_CBC/HMAC_SHA1_96, 1940 bytes_i (32 pkts, 2s ago), 6616 bytes_o (32 pkts, 2s ago), rekeying in 44 minutes
> ikev2-vpn-ipv4v6{16}: 0.0.0.0/0 ::/0 === <redacted>/32 <redacted>/128
>
> The connection works fine over IPv4 (via our NAT44), also over native IPv6, but when we use DNS64/NAT64 the tunnel comes up but data transfer fails (ICMP / HTTP / SSL / whatever...).
>
> The Wiki post does not seem to have found any resolution. Can anyone suggest if this use case is valid (i.e., should this even work at all), or what I might be missing to make it work?
>
> Thanks
> KM
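As an added example (not from the thread or from strongSwan itself), a small Python parser for the CHILD_SA lines of `strongswan statusall`, which is the first check when an SA is ESTABLISHED/INSTALLED but no data flows: it reports whether ESP is UDP-encapsulated (NAT-T) and whether the bytes_i/bytes_o counters show ESP arriving and leaving, which in the output quoted above they do (32 pkts each way). The sample output is constructed after the quoted format; the second SA and its SPIs are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict
# Constructed sample in the "strongswan statusall" CHILD_SA format quoted above.
# SA {16} mirrors the quoted output; SA {17} is a made-up SA with no inbound ESP.
SAMPLE_STATUSALL = """\
ikev2-vpn-ipv4v6{16}:  INSTALLED, TUNNEL, reqid 15, ESP in UDP SPIs: cefb5147_i 0373162d_o
ikev2-vpn-ipv4v6{16}:   3DES_CBC/HMAC_SHA1_96, 1940 bytes_i (32 pkts, 2s ago), 6616 bytes_o (32 pkts, 2s ago), rekeying in 44 minutes
ikev2-vpn-ipv4v6{17}:  INSTALLED, TUNNEL, reqid 16, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
ikev2-vpn-ipv4v6{17}:   AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 4200 bytes_o (30 pkts, 1s ago), rekeying in 50 minutes
"""

HEADER_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+INSTALLED, (?P<mode>\w+), "
                       r"reqid \d+, (?P<proto>ESP in UDP|ESP|AH) SPIs:")
STATS_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<alg>\S+), "
                      r"(?P<bi>\d+) bytes_i(?: \((?P<pi>\d+) pkts, \d+s ago\))?, "
                      r"(?P<bo>\d+) bytes_o(?: \((?P<po>\d+) pkts, \d+s ago\))?")

@dataclass
class ChildSA:
    name: str
    mode: str
    nat_t: bool          # True when ESP is UDP-encapsulated (NAT-T in use)
    alg: str = ""
    bytes_in: int = 0    # ESP bytes received from the peer
    bytes_out: int = 0   # ESP bytes sent to the peer

def parse_child_sas(statusall: str) -> Dict[str, ChildSA]:
    """Collect INSTALLED CHILD_SAs keyed by 'name{id}' from statusall output."""
    sas: Dict[str, ChildSA] = {}
    for line in statusall.splitlines():
        if m := HEADER_RE.match(line):
            sas[f"{m['name']}{{{m['id']}}}"] = ChildSA(m['name'], m['mode'], m['proto'] == "ESP in UDP")
        elif (m := STATS_RE.match(line)) and (sa := sas.get(f"{m['name']}{{{m['id']}}}")):
            sa.alg, sa.bytes_in, sa.bytes_out = m['alg'], int(m['bi']), int(m['bo'])
    return sas

def diagnose(sa: ChildSA) -> str:
    """Say at which layer traffic stops, judged from the ESP counters alone."""
    if sa.bytes_in and sa.bytes_out:
        # ESP reaches both ends, so IKE and NAT-T work; look inside the tunnel (inner routing, MTU).
        return "esp-bidirectional"
    if sa.bytes_out:
        return "no-esp-inbound"    # our ESP leaves, the peer's never arrives
    if sa.bytes_in:
        return "no-esp-outbound"   # nothing is being selected into the tunnel here
    return "idle"

if __name__ == "__main__":
    for key, sa in parse_child_sas(SAMPLE_STATUSALL).items():
        print(f"{key}: nat_t={sa.nat_t} in={sa.bytes_in} out={sa.bytes_out} -> {diagnose(sa)}")
```

Feed it the real output with `strongswan statusall | python3 this_script.py`-style piping only after replacing `SAMPLE_STATUSALL` with `sys.stdin.read()`; an "esp-bidirectional" verdict with no end-to-end data points away from NAT-T and toward what happens to the inner packets.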