[strongSwan] How to get StrongSwan work with IPv6?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Nov 15 00:26:51 CET 2021


Hello Houman,

Looks like it's time for tcpdump, wireshark, ...
Collect traffic dumps as shown on the wiki[1] to figure out what replies the peer gets and what is forwarded.

Also, verify your testing method and client configuration, specifically iptables/ip6tables if it's Linux.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump

On 12.11.21 at 08:26, Houman wrote:
> Good morning,
> 
> I have disabled forceencaps and enabled IPv6. I can establish a VPN connection via IPv6. But no traffic goes through. IPv4 connection is working.
> I'm sharing my config below. I would really appreciate it if somebody could help me with that.
> 
> */etc/sysctl.conf*
> net.ipv4.ip_forward = 1
> net.ipv4.ip_no_pmtu_disc = 1
> net.ipv4.conf.all.rp_filter = 1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv6.conf.all.forwarding = 1
> 
> */etc/strongswan.d/charon/socket-default.conf*
> socket-default {
>      load = yes
>      use_ipv4 = yes
>      use_ipv6 = yes
> }
> 
> *charon.log*
> Fri, 2021-11-12, 07:05:02 09[NET] <3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[500] to 2a01:4f8:c17:1f2d:cafe::123[500] (232 bytes)
> Fri, 2021-11-12, 07:05:02 09[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> Fri, 2021-11-12, 07:05:02 09[CFG] <3> looking for an IKEv2 config for 2a01:4f8:c17:1f2d:cafe::123...2a01:4b00:867c:6d00:461:484e:456f:317a
> Fri, 2021-11-12, 07:05:02 09[CFG] <3> candidate: %any...%any, prio 28
> Fri, 2021-11-12, 07:05:02 09[CFG] <3> found matching ike config: %any...%any with prio 28
> Fri, 2021-11-12, 07:05:02 09[IKE] <3> local endpoint changed from 0.0.0.0[500] to 2a01:4f8:c17:1f2d:cafe::123[500]
> Fri, 2021-11-12, 07:05:02 09[IKE] <3> remote endpoint changed from 0.0.0.0 to 2a01:4b00:867c:6d00:461:484e:456f:317a[500]
> Fri, 2021-11-12, 07:05:02 09[IKE] <3> 2a01:4b00:867c:6d00:461:484e:456f:317a is initiating an IKE_SA
> Fri, 2021-11-12, 07:05:02 09[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
> Fri, 2021-11-12, 07:05:02 09[CFG] <3> selecting proposal:
> Fri, 2021-11-12, 07:05:02 09[CFG] <3> proposal matches
> Fri, 2021-11-12, 07:05:02 09[CFG] <3> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
> Fri, 2021-11-12, 07:05:02 09[CFG] <3> configured proposals: IKE:AES_GCM_16_256/AES_GCM_16_192/AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_521/ECP_256/MODP_4096/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521/ECP_256/MODP_4096/MODP_2048
> Fri, 2021-11-12, 07:05:02 09[CFG] <3> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
> Fri, 2021-11-12, 07:05:02 09[IKE] <3> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
> Fri, 2021-11-12, 07:05:02 09[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
> Fri, 2021-11-12, 07:05:02 09[NET] <3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[500] (281 bytes)
> Fri, 2021-11-12, 07:05:02 12[NET] <3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (352 bytes)
> Fri, 2021-11-12, 07:05:02 12[ENC] <3> unknown attribute type INTERNAL_DNS_DOMAIN
> Fri, 2021-11-12, 07:05:02 12[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]
> Fri, 2021-11-12, 07:05:02 12[IKE] <3> local endpoint changed from 2a01:4f8:c17:1f2d:cafe::123[500] to 2a01:4f8:c17:1f2d:cafe::123[4500]
> Fri, 2021-11-12, 07:05:02 12[IKE] <3> remote endpoint changed from 2a01:4b00:867c:6d00:461:484e:456f:317a[500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500]
> Fri, 2021-11-12, 07:05:02 12[CFG] <3> looking for peer configs matching 2a01:4f8:c17:1f2d:cafe::123[de-test-1.mydomain.net]...2a01:4b00:867c:6d00:461:484e:456f:317a[mydomain VPN]
> Fri, 2021-11-12, 07:05:02 12[CFG] <3> candidate "TEST-1", match: 20/1/28 (me/other/ike)
> Fri, 2021-11-12, 07:05:02 12[CFG] <TEST-1|3> selected peer config 'TEST-1'
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> initiating EAP_IDENTITY method (id 0x00)
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_ADDRESS attribute
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_NETMASK attribute
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_DHCP attribute
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_DNS attribute
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_ADDRESS attribute
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_DHCP attribute
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_DNS attribute
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_DNS_DOMAIN attribute
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> peer supports MOBIKE
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> authentication of 'de-test-1.mydomain.net' (myself) with RSA signature successful
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> sending end entity cert "CN=de-test-1.mydomain.net"
> Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
> Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
> Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> splitting IKE message (3004 bytes) into 3 fragments
> Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(1/3) ]
> Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(2/3) ]
> Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(3/3) ]
> Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (1228 bytes)
> Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (1228 bytes)
> Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (674 bytes)
> Fri, 2021-11-12, 07:05:02 11[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (104 bytes)
> Fri, 2021-11-12, 07:05:02 11[ENC] <TEST-1|3> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> Fri, 2021-11-12, 07:05:02 11[IKE] <TEST-1|3> received EAP identity 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> RADIUS server 'server-a' is candidate: 210
> Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
> Fri, 2021-11-12, 07:05:02 11[IKE] <TEST-1|3> initiating EAP_MD5 method (id 0x01)
> Fri, 2021-11-12, 07:05:02 11[ENC] <TEST-1|3> generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
> Fri, 2021-11-12, 07:05:02 11[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (83 bytes)
> Fri, 2021-11-12, 07:05:02 13[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (72 bytes)
> Fri, 2021-11-12, 07:05:02 13[ENC] <TEST-1|3> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
> Fri, 2021-11-12, 07:05:02 13[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> Fri, 2021-11-12, 07:05:02 13[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
> Fri, 2021-11-12, 07:05:02 13[ENC] <TEST-1|3> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> Fri, 2021-11-12, 07:05:02 13[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (104 bytes)
> Fri, 2021-11-12, 07:05:02 14[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (160 bytes)
> Fri, 2021-11-12, 07:05:02 14[ENC] <TEST-1|3> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> Fri, 2021-11-12, 07:05:02 14[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> Fri, 2021-11-12, 07:05:02 14[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
> Fri, 2021-11-12, 07:05:02 14[ENC] <TEST-1|3> generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
> Fri, 2021-11-12, 07:05:02 14[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (112 bytes)
> Fri, 2021-11-12, 07:05:02 15[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (72 bytes)
> Fri, 2021-11-12, 07:05:02 15[ENC] <TEST-1|3> parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
> Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> received RADIUS Access-Accept from server 'server-a'
> Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> scheduling RADIUS Interim-Updates every 300s
> Fri, 2021-11-12, 07:05:02 15[IKE] <TEST-1|3> RADIUS authentication of 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469' successful
> Fri, 2021-11-12, 07:05:02 15[IKE] <TEST-1|3> EAP method EAP_MSCHAPV2 succeeded, MSK established
> Fri, 2021-11-12, 07:05:02 15[ENC] <TEST-1|3> generating IKE_AUTH response 5 [ EAP/SUCC ]
> Fri, 2021-11-12, 07:05:02 15[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (65 bytes)
> Fri, 2021-11-12, 07:05:02 06[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (104 bytes)
> Fri, 2021-11-12, 07:05:02 06[ENC] <TEST-1|3> parsed IKE_AUTH request 6 [ AUTH ]
> Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> authentication of 'mydomain VPN' with EAP successful
> Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> authentication of 'de-test-1.mydomain.net' (myself) with EAP
> Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> IKE_SA TEST-1[3] established between 2a01:4f8:c17:1f2d:cafe::123[de-test-1.mydomain.net]...2a01:4b00:867c:6d00:461:484e:456f:317a[mydomain VPN]
> Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> IKE_SA TEST-1[3] state change: CONNECTING => ESTABLISHED
> Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> peer requested virtual IP %any
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> reassigning offline lease to 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 10.10.10.0 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> peer requested virtual IP %any6
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> reassigning offline lease to 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 2a01:4f8:c17:1f2d::1 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> building INTERNAL_IP4_DNS attribute
> Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> building INTERNAL_IP6_DNS attribute
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposing traffic selectors for us:
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  0.0.0.0/0
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  ::/0
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposing traffic selectors for other:
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  10.10.10.0/32
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  2a01:4f8:c17:1f2d::1/128
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> candidate "TEST-1" with prio 15+3
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> found matching child config "TEST-1" with prio 18
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting proposal:
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposal matches
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> configured proposals: ESP:AES_GCM_16_256/AES_GCM_16_192/AES_GCM_16_128/ECP_521/ECP_256/MODP_4096/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/ECP_521/ECP_256/MODP_4096/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> got SPI c1e8e177
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting traffic selectors for us:
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 0.0.0.0/0, received: ::/0 => no match
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: ::/0, received: 0.0.0.0/0 => no match
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: ::/0, received: ::/0 => match: ::/0
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting traffic selectors for other:
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 10.10.10.0/32, received: 0.0.0.0/0 => match: 10.10.10.0/32
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 10.10.10.0/32, received: ::/0 => no match
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 2a01:4f8:c17:1f2d::1/128, received: 0.0.0.0/0 => no match
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 2a01:4f8:c17:1f2d::1/128, received: ::/0 => match: 2a01:4f8:c17:1f2d::1/128
> Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> CHILD_SA TEST-1{2} state change: CREATED => INSTALLING
> Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> using AES_GCM_16 for encryption
> Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> adding inbound ESP SA
> Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> SPI 0xc1e8e177, src 2a01:4b00:867c:6d00:461:484e:456f:317a dst 2a01:4f8:c17:1f2d:cafe::123
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding SAD entry with SPI c1e8e177 and reqid {1}
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using encryption algorithm AES_GCM_16 with key size 288
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using replay window of 32 packets
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> HW offload: no
> Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> adding outbound ESP SA
> Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> SPI 0x01fb3039, src 2a01:4f8:c17:1f2d:cafe::123 dst 2a01:4b00:867c:6d00:461:484e:456f:317a
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding SAD entry with SPI 01fb3039 and reqid {1}
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using encryption algorithm AES_GCM_16 with key size 288
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using replay window of 0 packets
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> HW offload: no
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 10.10.10.0/32 === 0.0.0.0/0 in [priority 383615, refcount 1]
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 10.10.10.0/32 === 0.0.0.0/0 fwd [priority 383615, refcount 1]
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 0.0.0.0/0 === 10.10.10.0/32 out [priority 383615, refcount 1]
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in [priority 334463, refcount 1]
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd [priority 334463, refcount 1]
> Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy ::/0 === 2a01:4f8:c17:1f2d::1/128 out [priority 334463, refcount 1]
> Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> CHILD_SA TEST-1{2} established with SPIs c1e8e177_i 01fb3039_o and TS 0.0.0.0/0 ::/0 === 10.10.10.0/32 2a01:4f8:c17:1f2d::1/128
> Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> CHILD_SA TEST-1{2} state change: INSTALLING => INSTALLED
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> RADIUS server 'server-a' is candidate: 210
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> sending RADIUS Accounting-Request to server 'server-a'
> Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> received RADIUS Accounting-Response from server 'server-a'
> Fri, 2021-11-12, 07:05:02 06[ENC] <TEST-1|3> generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
> Fri, 2021-11-12, 07:05:02 06[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (394 bytes)
> Fri, 2021-11-12, 07:05:34 05[CFG] vici client 974 connected
> Fri, 2021-11-12, 07:05:34 12[CFG] vici client 974 registered for: list-sa
> Fri, 2021-11-12, 07:05:34 05[CFG] vici client 974 requests: list-sas
> Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> Fri, 2021-11-12, 07:05:34 09[CFG] vici client 974 disconnected
> Fri, 2021-11-12, 07:06:14 13[CFG] vici client 975 connected
> Fri, 2021-11-12, 07:06:14 16[CFG] vici client 975 registered for: list-sa
> Fri, 2021-11-12, 07:06:14 13[CFG] vici client 975 requests: list-sas
> Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> Fri, 2021-11-12, 07:06:14 06[CFG] vici client 975 disconnected
> Fri, 2021-11-12, 07:06:54 05[CFG] vici client 976 connected
> Fri, 2021-11-12, 07:06:54 12[CFG] vici client 976 registered for: list-sa
> Fri, 2021-11-12, 07:06:54 05[CFG] vici client 976 requests: list-sas
> Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> Fri, 2021-11-12, 07:06:54 09[CFG] vici client 976 disconnected
> Fri, 2021-11-12, 07:07:34 13[CFG] vici client 977 connected
> Fri, 2021-11-12, 07:07:34 16[CFG] vici client 977 registered for: list-sa
> Fri, 2021-11-12, 07:07:34 13[CFG] vici client 977 requests: list-sas
> Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> Fri, 2021-11-12, 07:07:34 06[CFG] vici client 977 disconnected
> Fri, 2021-11-12, 07:08:14 05[CFG] vici client 978 connected
> Fri, 2021-11-12, 07:08:14 12[CFG] vici client 978 registered for: list-sa
> Fri, 2021-11-12, 07:08:14 05[CFG] vici client 978 requests: list-sas
> Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> Fri, 2021-11-12, 07:08:14 09[CFG] vici client 978 disconnected
> 
> *ipsec.conf*
> config setup
>     strictcrlpolicy=yes
>     uniqueids=never
>
> conn TEST-1
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=no
>     ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!
>     esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
>     dpdaction=clear
>     dpddelay=2400s
>     dpdtimeout=3600s
>     rekey=no
>     left=%any
>     leftid=@de-test-1.mydomain.net
>     leftcert=cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0, ::/0
>     right=%any
>     rightid=%any
>     rightauth=eap-radius
>     eap_identity=%any
>     rightdns=1.1.1.1,2606:4700:4700::1111
>     rightsourceip=10.10.10.0/17,2a01:4f8:c17:1f2d::/64
>     leftfirewall=no
> 
> *sudo systemctl status strongswan-starter*
> ● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
>       Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
>       Active: active (running) since Thu 2021-11-11 20:16:27 UTC; 11h ago
>     Main PID: 905 (starter)
>        Tasks: 18 (limit: 2276)
>       Memory: 11.3M
>          CPU: 685ms
>       CGroup: /system.slice/strongswan-starter.service
>               ├─905 /usr/libexec/ipsec/starter --daemon charon --nofork
>               └─918 /usr/libexec/ipsec/charon
> Nov 11 20:16:27 de-test-1 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
> Nov 11 20:16:27 de-test-1 ipsec[905]: Starting strongSwan 5.9.4 IPsec [starter]...
> Nov 11 20:16:27 de-test-1 ipsec_starter[905]: Starting strongSwan 5.9.4 IPsec [starter]...
> Nov 11 20:16:29 de-test-1 ipsec[905]: charon (918) started after 1620 ms
> Nov 11 20:16:29 de-test-1 ipsec_starter[905]: charon (918) started after 1620 ms
> 
> *ip6tables-save*
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [176:15578]
> :OUTPUT ACCEPT [2539:673098]
> :OUTGOING - [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p ipv6-icmp -j ACCEPT
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 275 -j ACCEPT
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> -A INPUT -p esp -m esp -j ACCEPT
> -A INPUT -m ah -j ACCEPT
> -A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
> -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> -A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
> COMMIT
> # Completed on Fri Nov 12 07:18:59 2021
> # Generated by ip6tables-save v1.8.7 on Fri Nov 12 07:18:59 2021
> *nat
> :PREROUTING ACCEPT [848:78316]
> :INPUT ACCEPT [12:2456]
> :OUTPUT ACCEPT [17:1616]
> :POSTROUTING ACCEPT [677:61898]
> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
> COMMIT
> 
> *ip route show table all*
> default via 172.31.1.1 dev eth0
> 172.31.1.1 dev eth0 scope link
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> local 162.55.173.134 dev eth0 table local proto kernel scope host src 162.55.173.134
> broadcast 162.55.173.134 dev eth0 table local proto kernel scope link src 162.55.173.134
> ::1 dev lo proto kernel metric 256 pref medium
> 2a01:4f8:c17:1f2d::1 dev eth0 proto kernel metric 256 pref medium
> 2a01:4f8:c17:1f2d:cafe::123 dev eth0 proto kernel metric 256 pref medium
> 2a01:4f8:c17:1f2d:ffff::/80 dev eth0 proto kernel metric 256 pref medium
> fe80::/64 dev eth0 proto kernel metric 256 pref medium
> default via fe80::1 dev eth0 metric 1024 onlink pref medium
> local ::1 dev lo table local proto kernel metric 0 pref medium
> local 2a01:4f8:c17:1f2d::1 dev eth0 table local proto kernel metric 0 pref medium
> local 2a01:4f8:c17:1f2d:cafe::123 dev eth0 table local proto kernel metric 0 pref medium
> local 2a01:4f8:c17:1f2d:ffff:: dev eth0 table local proto kernel metric 0 pref medium
> anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
> local fe80::9400:ff:fef1:6bcb dev eth0 table local proto kernel metric 0 pref medium
> multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
> 
> *ip address*
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>         valid_lft forever preferred_lft forever
>      inet6 ::1/128 scope host
>         valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>      link/ether 96:00:00:f1:6b:cb brd ff:ff:ff:ff:ff:ff
>      altname enp0s3
>      altname ens3
>      inet 162.55.173.134/32 brd 162.55.173.134 scope global dynamic eth0
>         valid_lft 82750sec preferred_lft 82750sec
>      inet6 2a01:4f8:c17:1f2d:ffff::/80 scope global
>         valid_lft forever preferred_lft forever
>      inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
>         valid_lft forever preferred_lft forever
>      inet6 2a01:4f8:c17:1f2d::1/128 scope global
>         valid_lft forever preferred_lft forever
>      inet6 fe80::9400:ff:fef1:6bcb/64 scope link
>         valid_lft forever preferred_lft forever
> 
> Please let me know if you need anything else. Much appreciated.
> Thank you,
> Houman
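As an added check, not code from the thread or from strongSwan, the script below parses the rightsourceip= pools from ipsec.conf together with the `ip address` and `ip route` output, taking the values quoted above as constructed sample input, and reports every pool that overlaps an address the gateway itself holds or a prefix it treats as on-link (helper names are my own). A return packet for a virtual IP the gateway also owns is delivered locally rather than forwarded into the tunnel, so this is worth ruling out alongside the ip6tables check Noel suggests.

```python
"""Flag rightsourceip= pools that collide with addressing the gateway itself uses."""
import ipaddress
import re

# Constructed sample input: the relevant ipsec.conf, `ip address` and `ip route` lines from the thread.
IPSEC_CONF = """
conn TEST-1
    leftsubnet=0.0.0.0/0, ::/0
    rightsourceip=10.10.10.0/17,2a01:4f8:c17:1f2d::/64
"""

IP_ADDRESS = """
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 162.55.173.134/32 brd 162.55.173.134 scope global dynamic eth0
    inet6 2a01:4f8:c17:1f2d:ffff::/80 scope global
    inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
    inet6 2a01:4f8:c17:1f2d::1/128 scope global
    inet6 fe80::9400:ff:fef1:6bcb/64 scope link
"""

IP_ROUTE = """
default via 172.31.1.1 dev eth0
172.31.1.1 dev eth0 scope link
2a01:4f8:c17:1f2d::1 dev eth0 proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d:cafe::123 dev eth0 proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d:ffff::/80 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
"""

SKIP_ROUTE_TYPES = {"default", "local", "broadcast", "multicast", "anycast",
                    "unreachable", "blackhole", "prohibit"}


def parse_pools(conf):
    """rightsourceip= pools from an ipsec.conf, as network objects."""
    pools = []
    for m in re.finditer(r"^\s*rightsourceip\s*=\s*(.+)$", conf, re.M):
        for item in m.group(1).split(","):
            try:  # strict=False: 10.10.10.0/17 is still one contiguous /17
                pools.append(ipaddress.ip_network(item.strip(), strict=False))
            except ValueError:
                pass  # %dhcp, %radius or a named pool: no address range here
    return pools


def parse_local_addresses(ip_addr_output):
    """Every inet/inet6 address configured on the host, with its prefix length."""
    return [ipaddress.ip_interface(m.group(1))
            for m in re.finditer(r"^\s*inet6?\s+(\S+)", ip_addr_output, re.M)]


def parse_onlink_prefixes(ip_route_output):
    """Prefixes the kernel treats as directly connected (no 'via' gateway)."""
    prefixes = []
    for line in ip_route_output.splitlines():
        parts = line.split()
        if not parts or parts[0] in SKIP_ROUTE_TYPES or "via" in parts:
            continue
        try:
            prefixes.append(ipaddress.ip_network(parts[0], strict=False))
        except ValueError:
            continue
    return prefixes


def find_overlaps(pools, local_ifaces, onlink):
    """(pool, kind, conflicting object) for every collision, in a stable order."""
    findings = []
    for pool in pools:
        for iface in local_ifaces:  # address the gateway owns inside the pool
            if iface.version == pool.version and iface.ip in pool:
                findings.append((str(pool), "local address", str(iface.ip)))
        for net in onlink:  # on-link prefix sharing address space with the pool
            if net.version == pool.version and net.overlaps(pool):
                findings.append((str(pool), "on-link prefix", str(net)))
    return findings


def report(conf=IPSEC_CONF, ip_addr=IP_ADDRESS, ip_route=IP_ROUTE):
    """One line per collision; an empty list means the pools are clean."""
    findings = find_overlaps(parse_pools(conf), parse_local_addresses(ip_addr),
                             parse_onlink_prefixes(ip_route))
    return [f"pool {pool} overlaps {kind} {obj}" for pool, kind, obj in findings]


if __name__ == "__main__":
    for line in report() or ["no overlap between pools and local addressing"]:
        print(line)
```

On a live gateway, feed it the real files and command output instead of the embedded samples.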