[strongSwan] How to get StrongSwan work with IPv6?
Houman
houmie at gmail.com
Fri Nov 12 08:26:33 CET 2021
Good morning,
I have disabled forceencaps and enabled IPv6. I can establish a VPN connection via IPv6, but no traffic goes through. The IPv4 connection is working.
I'm sharing my config below. I would really appreciate it if somebody could help me with that.
*/etc/sysctl.conf*
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.forwarding = 1
*/etc/strongswan.d/charon/socket-default.conf*
socket-default {
    load = yes
    use_ipv4 = yes
    use_ipv6 = yes
}
*charon.log*
Fri, 2021-11-12, 07:05:02 09[NET] <3> received packet: from
2a01:4b00:867c:6d00:461:484e:456f:317a[500] to
2a01:4f8:c17:1f2d:cafe::123[500] (232 bytes)
Fri, 2021-11-12, 07:05:02 09[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE
No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Fri, 2021-11-12, 07:05:02 09[CFG] <3> looking for an IKEv2 config for
2a01:4f8:c17:1f2d:cafe::123...2a01:4b00:867c:6d00:461:484e:456f:317a
Fri, 2021-11-12, 07:05:02 09[CFG] <3> candidate: %any...%any, prio 28
Fri, 2021-11-12, 07:05:02 09[CFG] <3> found matching ike config:
%any...%any with prio 28
Fri, 2021-11-12, 07:05:02 09[IKE] <3> local endpoint changed from
0.0.0.0[500] to 2a01:4f8:c17:1f2d:cafe::123[500]
Fri, 2021-11-12, 07:05:02 09[IKE] <3> remote endpoint changed from 0.0.0.0
to 2a01:4b00:867c:6d00:461:484e:456f:317a[500]
Fri, 2021-11-12, 07:05:02 09[IKE] <3>
2a01:4b00:867c:6d00:461:484e:456f:317a is initiating an IKE_SA
Fri, 2021-11-12, 07:05:02 09[IKE] <3> IKE_SA (unnamed)[3] state change:
CREATED => CONNECTING
Fri, 2021-11-12, 07:05:02 09[CFG] <3> selecting proposal:
Fri, 2021-11-12, 07:05:02 09[CFG] <3> proposal matches
Fri, 2021-11-12, 07:05:02 09[CFG] <3> received proposals:
IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Fri, 2021-11-12, 07:05:02 09[CFG] <3> configured proposals:
IKE:AES_GCM_16_256/AES_GCM_16_192/AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_521/ECP_256/MODP_4096/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521/ECP_256/MODP_4096/MODP_2048
Fri, 2021-11-12, 07:05:02 09[CFG] <3> selected proposal:
IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Fri, 2021-11-12, 07:05:02 09[IKE] <3> sending cert request for "C=US,
O=Let's Encrypt, CN=R3"
Fri, 2021-11-12, 07:05:02 09[ENC] <3> generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP)
N(MULT_AUTH) ]
Fri, 2021-11-12, 07:05:02 09[NET] <3> sending packet: from
2a01:4f8:c17:1f2d:cafe::123[500] to
2a01:4b00:867c:6d00:461:484e:456f:317a[500] (281 bytes)
Fri, 2021-11-12, 07:05:02 12[NET] <3> received packet: from
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to
2a01:4f8:c17:1f2d:cafe::123[4500] (352 bytes)
Fri, 2021-11-12, 07:05:02 12[ENC] <3> unknown attribute type
INTERNAL_DNS_DOMAIN
Fri, 2021-11-12, 07:05:02 12[ENC] <3> parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN)
N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]
Fri, 2021-11-12, 07:05:02 12[IKE] <3> local endpoint changed from
2a01:4f8:c17:1f2d:cafe::123[500] to 2a01:4f8:c17:1f2d:cafe::123[4500]
Fri, 2021-11-12, 07:05:02 12[IKE] <3> remote endpoint changed from
2a01:4b00:867c:6d00:461:484e:456f:317a[500] to
2a01:4b00:867c:6d00:461:484e:456f:317a[4500]
Fri, 2021-11-12, 07:05:02 12[CFG] <3> looking for peer configs matching
2a01:4f8:c17:1f2d:cafe::123[de-test-1.mydomain.net]...2a01:4b00:867c:6d00:461:484e:456f:317a[mydomain
VPN]
Fri, 2021-11-12, 07:05:02 12[CFG] <3> candidate "TEST-1", match: 20/1/28
(me/other/ike)
Fri, 2021-11-12, 07:05:02 12[CFG] <TEST-1|3> selected peer config 'TEST-1'
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> initiating EAP_IDENTITY method
(id 0x00)
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing
INTERNAL_IP4_ADDRESS attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing
INTERNAL_IP4_NETMASK attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_DHCP
attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_DNS
attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing
INTERNAL_IP6_ADDRESS attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_DHCP
attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_DNS
attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_DNS_DOMAIN
attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> peer supports MOBIKE
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> authentication of '
de-test-1.mydomain.net' (myself) with RSA signature successful
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> sending end entity cert "CN=
de-test-1.mydomain.net"
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> sending issuer cert "C=US,
O=Let's Encrypt, CN=R3"
Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1
[ IDr CERT CERT AUTH EAP/REQ/ID ]
Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> splitting IKE message (3004
bytes) into 3 fragments
Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1
[ EF(1/3) ]
Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1
[ EF(2/3) ]
Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1
[ EF(3/3) ]
Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from
2a01:4f8:c17:1f2d:cafe::123[4500] to
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (1228 bytes)
Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from
2a01:4f8:c17:1f2d:cafe::123[4500] to
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (1228 bytes)
Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from
2a01:4f8:c17:1f2d:cafe::123[4500] to
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (674 bytes)
Fri, 2021-11-12, 07:05:02 11[NET] <TEST-1|3> received packet: from
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to
2a01:4f8:c17:1f2d:cafe::123[4500] (104 bytes)
Fri, 2021-11-12, 07:05:02 11[ENC] <TEST-1|3> parsed IKE_AUTH request 2 [
EAP/RES/ID ]
Fri, 2021-11-12, 07:05:02 11[IKE] <TEST-1|3> received EAP identity
'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> RADIUS server 'server-a' is
candidate: 210
Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> sending RADIUS Access-Request
to server 'server-a'
Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> received RADIUS
Access-Challenge from server 'server-a'
Fri, 2021-11-12, 07:05:02 11[IKE] <TEST-1|3> initiating EAP_MD5 method (id
0x01)
Fri, 2021-11-12, 07:05:02 11[ENC] <TEST-1|3> generating IKE_AUTH response 2
[ EAP/REQ/MD5 ]
Fri, 2021-11-12, 07:05:02 11[NET] <TEST-1|3> sending packet: from
2a01:4f8:c17:1f2d:cafe::123[4500] to
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (83 bytes)
Fri, 2021-11-12, 07:05:02 13[NET] <TEST-1|3> received packet: from
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to
2a01:4f8:c17:1f2d:cafe::123[4500] (72 bytes)
Fri, 2021-11-12, 07:05:02 13[ENC] <TEST-1|3> parsed IKE_AUTH request 3 [
EAP/RES/NAK ]
Fri, 2021-11-12, 07:05:02 13[CFG] <TEST-1|3> sending RADIUS Access-Request
to server 'server-a'
Fri, 2021-11-12, 07:05:02 13[CFG] <TEST-1|3> received RADIUS
Access-Challenge from server 'server-a'
Fri, 2021-11-12, 07:05:02 13[ENC] <TEST-1|3> generating IKE_AUTH response 3
[ EAP/REQ/MSCHAPV2 ]
Fri, 2021-11-12, 07:05:02 13[NET] <TEST-1|3> sending packet: from
2a01:4f8:c17:1f2d:cafe::123[4500] to
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (104 bytes)
Fri, 2021-11-12, 07:05:02 14[NET] <TEST-1|3> received packet: from
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to
2a01:4f8:c17:1f2d:cafe::123[4500] (160 bytes)
Fri, 2021-11-12, 07:05:02 14[ENC] <TEST-1|3> parsed IKE_AUTH request 4 [
EAP/RES/MSCHAPV2 ]
Fri, 2021-11-12, 07:05:02 14[CFG] <TEST-1|3> sending RADIUS Access-Request
to server 'server-a'
Fri, 2021-11-12, 07:05:02 14[CFG] <TEST-1|3> received RADIUS
Access-Challenge from server 'server-a'
Fri, 2021-11-12, 07:05:02 14[ENC] <TEST-1|3> generating IKE_AUTH response 4
[ EAP/REQ/MSCHAPV2 ]
Fri, 2021-11-12, 07:05:02 14[NET] <TEST-1|3> sending packet: from
2a01:4f8:c17:1f2d:cafe::123[4500] to
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (112 bytes)
Fri, 2021-11-12, 07:05:02 15[NET] <TEST-1|3> received packet: from
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to
2a01:4f8:c17:1f2d:cafe::123[4500] (72 bytes)
Fri, 2021-11-12, 07:05:02 15[ENC] <TEST-1|3> parsed IKE_AUTH request 5 [
EAP/RES/MSCHAPV2 ]
Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> sending RADIUS Access-Request
to server 'server-a'
Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> received RADIUS Access-Accept
from server 'server-a'
Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> scheduling RADIUS
Interim-Updates every 300s
Fri, 2021-11-12, 07:05:02 15[IKE] <TEST-1|3> RADIUS authentication of
'ceec523e-6059-4cba-b6e4-a1fd2eb0a469' successful
Fri, 2021-11-12, 07:05:02 15[IKE] <TEST-1|3> EAP method EAP_MSCHAPV2
succeeded, MSK established
Fri, 2021-11-12, 07:05:02 15[ENC] <TEST-1|3> generating IKE_AUTH response 5
[ EAP/SUCC ]
Fri, 2021-11-12, 07:05:02 15[NET] <TEST-1|3> sending packet: from
2a01:4f8:c17:1f2d:cafe::123[4500] to
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (65 bytes)
Fri, 2021-11-12, 07:05:02 06[NET] <TEST-1|3> received packet: from
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to
2a01:4f8:c17:1f2d:cafe::123[4500] (104 bytes)
Fri, 2021-11-12, 07:05:02 06[ENC] <TEST-1|3> parsed IKE_AUTH request 6 [
AUTH ]
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> authentication of 'mydomain
VPN' with EAP successful
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> authentication of '
de-test-1.mydomain.net' (myself) with EAP
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> IKE_SA TEST-1[3] established
between 2a01:4f8:c17:1f2d:cafe::123[de-test-1.mydomain.net]...2a01:4b00:867c:6d00:461:484e:456f:317a[mydomain
VPN]
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> IKE_SA TEST-1[3] state change:
CONNECTING => ESTABLISHED
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> peer requested virtual IP %any
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> reassigning offline lease to
'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP
10.10.10.0 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> peer requested virtual IP %any6
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> reassigning offline lease to
'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP
2a01:4f8:c17:1f2d::1 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> building INTERNAL_IP4_DNS
attribute
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> building INTERNAL_IP6_DNS
attribute
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> looking for a child config for
0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposing traffic selectors
for us:
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> 0.0.0.0/0
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> ::/0
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposing traffic selectors
for other:
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> 10.10.10.0/32
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> 2a01:4f8:c17:1f2d::1/128
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> candidate "TEST-1" with prio
15+3
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> found matching child config
"TEST-1" with prio 18
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting proposal:
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposal matches
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> received proposals:
ESP:AES_GCM_16_256/NO_EXT_SEQ
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> configured proposals:
ESP:AES_GCM_16_256/AES_GCM_16_192/AES_GCM_16_128/ECP_521/ECP_256/MODP_4096/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/ECP_521/ECP_256/MODP_4096/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selected proposal:
ESP:AES_GCM_16_256/NO_EXT_SEQ
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> got SPI c1e8e177
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting traffic selectors
for us:
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 0.0.0.0/0, received:
0.0.0.0/0 => match: 0.0.0.0/0
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 0.0.0.0/0, received:
::/0 => no match
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: ::/0, received:
0.0.0.0/0 => no match
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: ::/0, received: ::/0
=> match: ::/0
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting traffic selectors
for other:
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 10.10.10.0/32,
received: 0.0.0.0/0 => match: 10.10.10.0/32
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 10.10.10.0/32,
received: ::/0 => no match
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config:
2a01:4f8:c17:1f2d::1/128, received: 0.0.0.0/0 => no match
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config:
2a01:4f8:c17:1f2d::1/128, received: ::/0 => match: 2a01:4f8:c17:1f2d::1/128
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> CHILD_SA TEST-1{2} state
change: CREATED => INSTALLING
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> using AES_GCM_16 for
encryption
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> adding inbound ESP SA
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> SPI 0xc1e8e177, src
2a01:4b00:867c:6d00:461:484e:456f:317a dst 2a01:4f8:c17:1f2d:cafe::123
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding SAD entry with SPI
c1e8e177 and reqid {1}
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using encryption algorithm
AES_GCM_16 with key size 288
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using replay window of 32
packets
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> HW offload: no
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> adding outbound ESP SA
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> SPI 0x01fb3039, src
2a01:4f8:c17:1f2d:cafe::123 dst 2a01:4b00:867c:6d00:461:484e:456f:317a
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding SAD entry with SPI
01fb3039 and reqid {1}
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using encryption algorithm
AES_GCM_16 with key size 288
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using replay window of 0
packets
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> HW offload: no
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 10.10.10.0/32
=== 0.0.0.0/0 in [priority 383615, refcount 1]
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 10.10.10.0/32
=== 0.0.0.0/0 fwd [priority 383615, refcount 1]
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 0.0.0.0/0 ===
10.10.10.0/32 out [priority 383615, refcount 1]
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy
2a01:4f8:c17:1f2d::1/128 === ::/0 in [priority 334463, refcount 1]
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy
2a01:4f8:c17:1f2d::1/128 === ::/0 fwd [priority 334463, refcount 1]
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy ::/0 ===
2a01:4f8:c17:1f2d::1/128 out [priority 334463, refcount 1]
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> CHILD_SA TEST-1{2} established
with SPIs c1e8e177_i 01fb3039_o and TS 0.0.0.0/0 ::/0 === 10.10.10.0/32
2a01:4f8:c17:1f2d::1/128
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> CHILD_SA TEST-1{2} state
change: INSTALLING => INSTALLED
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> RADIUS server 'server-a' is
candidate: 210
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> sending RADIUS
Accounting-Request to server 'server-a'
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> received RADIUS
Accounting-Response from server 'server-a'
Fri, 2021-11-12, 07:05:02 06[ENC] <TEST-1|3> generating IKE_AUTH response 6
[ AUTH CPRP(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Fri, 2021-11-12, 07:05:02 06[NET] <TEST-1|3> sending packet: from
2a01:4f8:c17:1f2d:cafe::123[4500] to
2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (394 bytes)
Fri, 2021-11-12, 07:05:34 05[CFG] vici client 974 connected
Fri, 2021-11-12, 07:05:34 12[CFG] vici client 974 registered for: list-sa
Fri, 2021-11-12, 07:05:34 05[CFG] vici client 974 requests: list-sas
Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying SAD entry with SPI
c1e8e177
Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32
=== 0.0.0.0/0 in
Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32
=== 0.0.0.0/0 fwd
Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy
2a01:4f8:c17:1f2d::1/128 === ::/0 in
Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy
2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying SAD entry with SPI
01fb3039
Fri, 2021-11-12, 07:05:34 09[CFG] vici client 974 disconnected
Fri, 2021-11-12, 07:06:14 13[CFG] vici client 975 connected
Fri, 2021-11-12, 07:06:14 16[CFG] vici client 975 registered for: list-sa
Fri, 2021-11-12, 07:06:14 13[CFG] vici client 975 requests: list-sas
Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying SAD entry with SPI
c1e8e177
Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32
=== 0.0.0.0/0 in
Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32
=== 0.0.0.0/0 fwd
Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy
2a01:4f8:c17:1f2d::1/128 === ::/0 in
Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy
2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying SAD entry with SPI
01fb3039
Fri, 2021-11-12, 07:06:14 06[CFG] vici client 975 disconnected
Fri, 2021-11-12, 07:06:54 05[CFG] vici client 976 connected
Fri, 2021-11-12, 07:06:54 12[CFG] vici client 976 registered for: list-sa
Fri, 2021-11-12, 07:06:54 05[CFG] vici client 976 requests: list-sas
Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying SAD entry with SPI
c1e8e177
Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32
=== 0.0.0.0/0 in
Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32
=== 0.0.0.0/0 fwd
Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy
2a01:4f8:c17:1f2d::1/128 === ::/0 in
Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy
2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying SAD entry with SPI
01fb3039
Fri, 2021-11-12, 07:06:54 09[CFG] vici client 976 disconnected
Fri, 2021-11-12, 07:07:34 13[CFG] vici client 977 connected
Fri, 2021-11-12, 07:07:34 16[CFG] vici client 977 registered for: list-sa
Fri, 2021-11-12, 07:07:34 13[CFG] vici client 977 requests: list-sas
Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying SAD entry with SPI
c1e8e177
Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32
=== 0.0.0.0/0 in
Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32
=== 0.0.0.0/0 fwd
Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy
2a01:4f8:c17:1f2d::1/128 === ::/0 in
Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy
2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying SAD entry with SPI
01fb3039
Fri, 2021-11-12, 07:07:34 06[CFG] vici client 977 disconnected
Fri, 2021-11-12, 07:08:14 05[CFG] vici client 978 connected
Fri, 2021-11-12, 07:08:14 12[CFG] vici client 978 registered for: list-sa
Fri, 2021-11-12, 07:08:14 05[CFG] vici client 978 requests: list-sas
Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying SAD entry with SPI
c1e8e177
Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32
=== 0.0.0.0/0 in
Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32
=== 0.0.0.0/0 fwd
Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy
2a01:4f8:c17:1f2d::1/128 === ::/0 in
Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy
2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying SAD entry with SPI
01fb3039
Fri, 2021-11-12, 07:08:14 09[CFG] vici client 978 disconnected
*ipsec.conf*
config setup
    strictcrlpolicy=yes
    uniqueids=never

conn TEST-1
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=no
    ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!
    esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
    dpdaction=clear
    dpddelay=2400s
    dpdtimeout=3600s
    rekey=no
    left=%any
    leftid=@de-test-1.mydomain.net
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0, ::/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=1.1.1.1,2606:4700:4700::1111
    rightsourceip=10.10.10.0/17,2a01:4f8:c17:1f2d::/64
    leftfirewall=no
*sudo systemctl status strongswan-starter*
● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
     Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-11-11 20:16:27 UTC; 11h ago
   Main PID: 905 (starter)
      Tasks: 18 (limit: 2276)
     Memory: 11.3M
        CPU: 685ms
     CGroup: /system.slice/strongswan-starter.service
             ├─905 /usr/libexec/ipsec/starter --daemon charon --nofork
             └─918 /usr/libexec/ipsec/charon

Nov 11 20:16:27 de-test-1 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Nov 11 20:16:27 de-test-1 ipsec[905]: Starting strongSwan 5.9.4 IPsec [starter]...
Nov 11 20:16:27 de-test-1 ipsec_starter[905]: Starting strongSwan 5.9.4 IPsec [starter]...
Nov 11 20:16:29 de-test-1 ipsec[905]: charon (918) started after 1620 ms
Nov 11 20:16:29 de-test-1 ipsec_starter[905]: charon (918) started after 1620 ms
*ip6tables-save*
*filter
:INPUT DROP [0:0]
:FORWARD DROP [176:15578]
:OUTPUT ACCEPT [2539:673098]
:OUTGOING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 275 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -m esp -j ACCEPT
-A INPUT -m ah -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
-A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
COMMIT
# Completed on Fri Nov 12 07:18:59 2021
# Generated by ip6tables-save v1.8.7 on Fri Nov 12 07:18:59 2021
*nat
:PREROUTING ACCEPT [848:78316]
:INPUT ACCEPT [12:2456]
:OUTPUT ACCEPT [17:1616]
:POSTROUTING ACCEPT [677:61898]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
COMMIT
*ip route show table all*
default via 172.31.1.1 dev eth0
172.31.1.1 dev eth0 scope link
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 162.55.173.134 dev eth0 table local proto kernel scope host src 162.55.173.134
broadcast 162.55.173.134 dev eth0 table local proto kernel scope link src 162.55.173.134
::1 dev lo proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d::1 dev eth0 proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d:cafe::123 dev eth0 proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d:ffff::/80 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 metric 1024 onlink pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2a01:4f8:c17:1f2d::1 dev eth0 table local proto kernel metric 0 pref medium
local 2a01:4f8:c17:1f2d:cafe::123 dev eth0 table local proto kernel metric 0 pref medium
local 2a01:4f8:c17:1f2d:ffff:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
local fe80::9400:ff:fef1:6bcb dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
*ip address*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 96:00:00:f1:6b:cb brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    altname ens3
    inet 162.55.173.134/32 brd 162.55.173.134 scope global dynamic eth0
       valid_lft 82750sec preferred_lft 82750sec
    inet6 2a01:4f8:c17:1f2d:ffff::/80 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:c17:1f2d::1/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::9400:ff:fef1:6bcb/64 scope link
       valid_lft forever preferred_lft forever
Please let me know if you need anything else. Much appreciated.
Thank you,
Houman
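As an added example (editor's code, not part of Houman's post or of strongSwan itself), the following Python cross-checks the virtual-IP leases that charon.log records against the addresses configured on the gateway in the `ip address` output above, and also checks a `rightsourceip` pool for overlap with those addresses. The sample lines are copied from the post; the parsing rules and function names are this example's own.

```python
"""Cross-check strongSwan virtual-IP leases against the gateway's own addresses.

Added example: a pool address that the gateway also holds itself cannot carry
tunnel traffic, because the kernel delivers packets for it locally instead of
forwarding them to the peer. Parsing rules here are this example's own.
"""
import ipaddress
import re

# Constructed from the charon.log excerpt in the post (relevant lines only).
CHARON_LOG = """\
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 10.10.10.0 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 2a01:4f8:c17:1f2d::1 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
"""

# Constructed from the `ip address` excerpt in the post (address lines only).
IP_ADDRESS = """\
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
    inet 162.55.173.134/32 brd 162.55.173.134 scope global dynamic eth0
    inet6 2a01:4f8:c17:1f2d:ffff::/80 scope global
    inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
    inet6 2a01:4f8:c17:1f2d::1/128 scope global
    inet6 fe80::9400:ff:fef1:6bcb/64 scope link
"""

LEASE_RE = re.compile(r"assigning virtual IP (\S+) to peer '([^']*)'")
ADDR_RE = re.compile(r"^\s*inet6? (\S+)/\d+ ")


def parse_leases(log_text):
    """Return [(ip_address, peer_identity)] for every lease charon logged."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append((ipaddress.ip_address(m.group(1)), m.group(2)))
    return leases


def parse_local_addresses(ip_text):
    """Return the set of addresses configured on the gateway's interfaces."""
    local = set()
    for line in ip_text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            local.add(ipaddress.ip_address(m.group(1)))
    return local


def find_conflicts(log_text, ip_text):
    """Return [(address_str, peer)] for leases that are also local addresses."""
    local = parse_local_addresses(ip_text)
    return [(str(a), peer) for a, peer in parse_leases(log_text) if a in local]


def check_pool_against_local(pool_cidrs, ip_text):
    """Return {pool: [local_address_str, ...]} for pools containing a local address.

    pool_cidrs is the rightsourceip value split on commas; a host address such
    as 10.10.10.0/17 is normalised to its network (strict=False).
    """
    local = parse_local_addresses(ip_text)
    overlaps = {}
    for cidr in pool_cidrs:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        hits = sorted(str(a) for a in local if a.version == net.version and a in net)
        if hits:
            overlaps[cidr.strip()] = hits
    return overlaps


if __name__ == "__main__":
    for addr, peer in find_conflicts(CHARON_LOG, IP_ADDRESS):
        print(f"lease {addr} for peer {peer} is also a local address of this gateway")
    pools = "10.10.10.0/17,2a01:4f8:c17:1f2d::/64".split(",")
    for pool, hits in check_pool_against_local(pools, IP_ADDRESS).items():
        print(f"pool {pool} contains local address(es): {', '.join(hits)}")
```

On the output in the post it reports that the lease 2a01:4f8:c17:1f2d::1 is also an address of eth0 on the gateway, and that the 2a01:4f8:c17:1f2d::/64 pool contains all three of the gateway's global IPv6 addresses.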