[strongSwan] Problem on Vodafone in India

John Serink john_serink at trimble.com
Sun Aug 29 15:38:06 CEST 2021


Hello:

We are running the following on a Teltonika RUT-950 router:
root at CORS144:~# ipsec --version
Linux strongSwan U5.6.2/K3.18.44
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

I am not sure if this is a strongswan issue or not.
IPv6 is disabled on the router:
root at CORS144:/# cat /proc/sys/net/ipv6/conf/default/disable_ipv6
1
root at CORS144:/# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
1

We use 2 cell providers in India, Airtel and Vodafone. Airtel works as expected, no issues.
Vodafone has a strange problem.
1. It can take up to 3 minutes for a connection to come up, so strongswan fails as the name
lookup fails for our IPSec responder,

2. When the connection finally does come up, from another ssh console I can ping our IPSec
responder but watching the log, using logread -f, I see strongswan trying to connect to the
IPSec responder using an IPv6 address.

Why is it doing that? We have disabled IPv6 but nslookup is returning an IPv4 and IPv6 address
for the responder.

We never have this issue with airtel.
But it gets more interesting:
3. If I set up the ipsec.conf (/etc/config/strongswan) as:

right       TheFullyQualifiedDomainName

and then I do this:

nslookup TheFullyQualifiedDomainName

I will get an IPv4 and IPv6 address and strongswan will use the IPv6 address... there is no
VPN set up on the IPv6 address of the destination responder.
4. If I set up ipsec.conf (/etc/config/strongswan) like this:

right       A.B.C.D

and then I do this:

nslookup TheFullyQualifiedDomainName

I will get only the IPv4 address A.B.C.D and strongswan will use this for the connection and
it works.

But if we use airtel, it works either way.

Can anyone make sense of this?

So, my question is:
Does this seem like a strongswan issue or an RUT-950 system issue?

We have a workaround, which is to use the IP address of the responder as in item 4, which is a
non-ideal solution if we change ISPs at the control centre... as then I'd have to manually go
through 280 routers, so I'd like to stay with the FQDN if possible.

Cheers,
john

-- 
John Edward Serink
Product Applications Engineer,
Advanced Positioning
Trimble Navigation Singapore PTE Ltd.
3 Harbourfront Place, 
#13-02 Harbourfront Tower Two,
Co. Reg. No. 199204958W
Singapore 099254
Tel 65-6871-5878
Fax 65-6871-5879
DID 65-6871-5873
HP  65-9129-4250
Skype: johnserink



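The behaviour John describes (the responder's FQDN resolving to both an A and an AAAA record on one carrier, and the daemon then trying the IPv6 address even though the kernel has IPv6 disabled) is the classic "use the first getaddrinfo() result" pattern. The following is an added example written for this page, not code from the post and not strongSwan's own resolver code: it models that pattern offline with constructed resolver answers, shows how answer ordering alone changes the address a naive picker chooses, and contrasts it with a picker that filters by the address families the host actually has enabled. The FQDN, the addresses (RFC 5737/3849 documentation ranges) and the "Vodafone-like"/"Airtel-like" answer lists are constructed sample data, not real DNS responses; the only host-specific input is the same /proc/sys/net/ipv6 knob John checked.

```python
"""Added example: why a daemon can end up on IPv6 when IPv6 is disabled.

Not strongSwan code. Models a daemon that resolves the hostname from its
config and uses the first address the resolver returns. If one carrier's
resolver lists the AAAA record first, such a daemon picks IPv6 regardless
of whether the kernel can use it. All resolver answers below are constructed.
"""
import ipaddress
import socket
from typing import Dict, List

RESPONDER_FQDN = "responder.example.net"  # hypothetical name, not the real responder

# Constructed answers. The "Vodafone-like" resolver returns AAAA first;
# the "Airtel-like" resolver returns only the A record.
VODAFONE_LIKE_ANSWER: List[str] = ["2001:db8::1", "198.51.100.10"]
AIRTEL_LIKE_ANSWER: List[str] = ["198.51.100.10"]


def read_ipv6_disabled(path: str = "/proc/sys/net/ipv6/conf/all/disable_ipv6",
                       default: bool = True) -> bool:
    """Same check as `cat /proc/sys/net/ipv6/conf/all/disable_ipv6` in the post.

    Returns `default` if the file is unreadable (non-Linux host), so the
    example still runs anywhere.
    """
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return default


def naive_pick(answers: List[str]) -> str:
    """What a 'first result wins' daemon connects to."""
    return answers[0]


def usable_addresses(answers: List[str], ipv6_disabled: bool) -> List[str]:
    """Drop addresses whose family the host cannot use, keeping resolver order."""
    keep = []
    for text in answers:
        addr = ipaddress.ip_address(text)
        if addr.version == 6 and ipv6_disabled:
            continue  # kernel has IPv6 off: an AAAA answer is unusable here
        keep.append(text)
    return keep


def family_filtered_pick(answers: List[str], ipv6_disabled: bool) -> str:
    """First address that this host can actually reach the responder on."""
    usable = usable_addresses(answers, ipv6_disabled)
    if not usable:
        raise LookupError("resolver returned no address in an enabled family")
    return usable[0]


def compare(answers: List[str], ipv6_disabled: bool) -> Dict[str, str]:
    """Side by side: the naive choice versus the family-aware choice."""
    return {
        "naive": naive_pick(answers),
        "filtered": family_filtered_pick(answers, ipv6_disabled),
    }


def live_v4_only(name: str) -> List[str]:
    """Diagnostic for the router itself: ask the libc resolver for A records only.

    socket.getaddrinfo with family=AF_INET is the IPv4-only lookup; comparing
    its output with an unrestricted lookup shows whether the carrier's DNS is
    handing back an AAAA record. Needs network access, so it is not used in tests.
    """
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    v6_off = read_ipv6_disabled()
    for label, ans in (("vodafone-like", VODAFONE_LIKE_ANSWER),
                       ("airtel-like", AIRTEL_LIKE_ANSWER)):
        print(label, compare(ans, v6_off))
```

Run on the router, `live_v4_only(RESPONDER_FQDN)` against the real FQDN and an unrestricted `socket.getaddrinfo(name, None)` will show whether the difference between the two carriers is the presence or ordering of an AAAA answer; the offline functions show why that ordering alone is enough to send a first-result daemon to the IPv6 address.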