[strongSwan] IPv6 source address choice of charon-nm

Kajetan Staszkiewicz vegeta at tuxpowered.net
Wed Jun 10 17:34:12 CEST 2020

Hello group,

I'm successfully running VPN servers with strongSwan and I'm generally
happy with it, but I was faced with the problem of providing VPN over IPv6.
Vodafone in Germany has some issues with IPsec connections over IPv4, and
the solution advertised on their forums is always "Switch your VPN to IPv6".
I'm fine with this, IPv6 is the future after all.

On the strongSwan server side everything seems fine. Windows, iOS and macOS
connect without any problems; they even automatically choose the AAAA
record when an A record is also available.

What does not play nice at all is charon-nm. For reasons I can't
understand, my home network blocks packets coming to some addresses of my
VM (Ubuntu 20 VM on Parallels on macOS). The VM has multiple IPv6
addresses, privacy extensions and whatnot.

[11:24:40] paral ~/ # ip a li enp0s5 | grep inet6
    inet6 2a02:XXXX:XXXX:XXXX::81d0/128 scope global dynamic noprefixroute
    inet6 2a02:XXXX:XXXX:XXXX:b9c7:b44d:ef21:a632/64 scope global temporary dynamic
    inet6 2a02:XXXX:XXXX:XXXX:d7c:ae95:ef23:d026/64 scope global dynamic mngtmpaddr noprefixroute
    inet6 fe80::8657:ba11:c58:db7d/64 scope link noprefixroute

[11:24:51] paral ~/ # ip a li dev enp0s5 \
    | awk '/inet6/ {gsub("/.*","",$2); print $2}' \
    | xargs -n1 -I{} sh -c 'ping6 -I {} -c1 google.com >/dev/null 2>&1 && echo {} works || echo {} is broken'
2a02:XXXX:XXXX:XXXX::81d0 works
2a02:XXXX:XXXX:XXXX:b9c7:b44d:ef21:a632 works
2a02:XXXX:XXXX:XXXX:d7c:ae95:ef23:d026 is broken
fe80::8657:ba11:c58:db7d is broken

Link-local is expected not to work, that's fine.
...:d026 sends packets out, but incoming packets are lost on their way,
probably on the cable router.

So sure, we could blame my ISP. There is one "but", though. Other
programs choose a different source IPv6 address, and I've never observed
any other connectivity issues on this VM until I started testing VPN
over IPv6. For example:

[11:27:52] paral ~/ # curl -6 ifconfig.io

So why is charon-nm choosing a different source address than every other
program? Can I somehow influence it?

| pozdrawiam / greetings | Powered by macOS, Debian and FreeBSD |
|  Kajetan Staszkiewicz  |  www: http://vegeta.tuxpowered.net   |
