[strongSwan] How to get StrongSwan work with IPv6?
Noel Kuntze
noel.kuntze at thermi.consulting
Mon Nov 22 07:30:14 CET 2021
Hello Houman,
The ICMP messages indicate that the client's UDP ports are not opened (verbatim message). You really need to find out what traffic is causing that, and diagnose the underlying issue better.
The problem is unlikely to be on the server right now. Check what the client is sending, and what is not working exactly.
Kind regards
Noel
Am 22.11.21 um 01:20 schrieb Houman:
> Hi Noel,
>
> Sorry, I didn't say it properly. I meant that when a routed prefix is available (which is the case for me) then there shouldn't be a need for NAT.
>
> I have tried everything today, the logs indicate that the IPv6 is even assigned to the client when the auth is successful:
> assigning virtual IP 2a01:4f8:c17:1f2d::1 to peer 'ceec523e-6059-xxxx-b6e4-a1fd2eb0a469'
>
> However when I check on the client side, there is no IPv6 established. (What-is-my-ip-address)
> Every example I have found on the internet so far describes how to setup StrongSwan with local IPv6 addresses, but nothing with a routed subnet (real global addresses).
> Do you know an example by any chance that you could share with me? Otherwise I keep looking for what I can do...
>
> Many Thanks,
> Houman
>
> On Sun, 21 Nov 2021 at 23:38, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
> Hello Houman,
>
> > IPv6 doesn't need NAT.
>
> That general statement is not true. You do need NAT in IPv6 in the same situations as with IPv4. Just with IPv6 you are more likely to have a routable subnet, than with IPv4.
>
> You probably want to investigate what exactly is in these ICMP messages.
> They contain the complete IP and UDP headers of the packet causing the error, so you can check the source port and maybe tell what these packets are a reply to.
>
> Kind regards
> Noel
>
>
> Am 21.11.21 um 13:58 schrieb Houman:
> > Hello Noel,
> >
> > Good call. I have tried it with tcpdump icmp6:
> >
> > 12:51:32.014856 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
> > 12:51:32.014980 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
> > 12:51:33.015768 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
> > 12:51:33.015853 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
> > 12:51:37.230741 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
> > 12:51:37.230773 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 49622, length 153
> > 12:51:37.230832 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52451, length 179
> > 12:51:37.231091 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63183, length 141
> > 12:51:37.231276 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60488, length 153
> > 12:51:37.244840 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63401, length 179
> > 12:51:41.217794 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 62192, length 117
> > 12:51:41.399465 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63183, length 141
> > 12:51:41.399497 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 49622, length 153
> > 12:51:41.399515 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 57891, length 179
> > 12:51:41.399526 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
> > 12:51:41.399536 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52451, length 179
> > 12:51:41.399555 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60488, length 153
> > 12:51:42.267324 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 62192, length 117
> > 12:51:48.624243 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 57891, length 179
> > 12:51:48.624270 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60718, length 153
> >
> > This is strange because the firewall should be ok:
> > *filter
> > :INPUT DROP [0:0]
> > :FORWARD DROP [4571:533993]
> > :OUTPUT ACCEPT [3620:1295287]
> > :OUTGOING - [0:0]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -p ipv6-icmp -j ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > -A INPUT -p esp -m esp -j ACCEPT
> > -A INPUT -m ah -j ACCEPT
> > -A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > -A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
> > COMMIT
> >
> > IPv6 doesn't need NAT. So what is here unreachable?
> >
> > Thanks,
> > Houman
> >
> >
> > On Sun, 14 Nov 2021 at 23:26, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> >
> > Hello Houman,
> >
> > Looks like it's time for tcpdump, wireshark, ... .
> > Collect traffic dumps as shown on the wiki[1] to figure out what replies the peer gets and what is forwarded.
> >
> > Also, verify your testing method and client configuration, specifically iptables/ip6tables if it's Linux.
> >
> > Kind regards
> > Noel
> >
> > [1] https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
> >
> > Am 12.11.21 um 08:26 schrieb Houman:
> > > Good morning,
> > >
> > > I have disabled forceencaps and enabled IPv6. I can establish a VPN connection via IPv6. But no traffic goes through. IPv4 connection is working.
> > > I'm sharing my config below. I would really appreciate it if somebody could help me with that.
> > >
> > > /etc/sysctl.conf
> > > net.ipv4.ip_forward = 1
> > > net.ipv4.ip_no_pmtu_disc = 1
> > > net.ipv4.conf.all.rp_filter = 1
> > > net.ipv4.conf.all.accept_redirects = 0
> > > net.ipv4.conf.all.send_redirects = 0
> > > net.ipv6.conf.all.forwarding = 1
> > >
> > > /etc/strongswan.d/charon/socket-default.conf
> > > socket-default {
> > >     load = yes
> > >     use_ipv4 = yes
> > >     use_ipv6 = yes
> > > }
> > >
> > > charon.log
> > >
> > > Fri, 2021-11-12, 07:05:02 09[NET] <3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[500] to 2a01:4f8:c17:1f2d:cafe::123[500] (232 bytes)
> > > Fri, 2021-11-12, 07:05:02 09[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> > > Fri, 2021-11-12, 07:05:02 09[CFG] <3> looking for an IKEv2 config for 2a01:4f8:c17:1f2d:cafe::123...2a01:4b00:867c:6d00:461:484e:456f:317a
> > > Fri, 2021-11-12, 07:05:02 09[CFG] <3> candidate: %any...%any, prio 28
> > > Fri, 2021-11-12, 07:05:02 09[CFG] <3> found matching ike config: %any...%any with prio 28
> > > Fri, 2021-11-12, 07:05:02 09[IKE] <3> local endpoint changed from 0.0.0.0[500] to 2a01:4f8:c17:1f2d:cafe::123[500]
> > > Fri, 2021-11-12, 07:05:02 09[IKE] <3> remote endpoint changed from 0.0.0.0 to 2a01:4b00:867c:6d00:461:484e:456f:317a[500]
> > > Fri, 2021-11-12, 07:05:02 09[IKE] <3> 2a01:4b00:867c:6d00:461:484e:456f:317a is initiating an IKE_SA
> > > Fri, 2021-11-12, 07:05:02 09[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
> > > Fri, 2021-11-12, 07:05:02 09[CFG] <3> selecting proposal:
> > > Fri, 2021-11-12, 07:05:02 09[CFG] <3> proposal matches
> > > Fri, 2021-11-12, 07:05:02 09[CFG] <3> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
> > > Fri, 2021-11-12, 07:05:02 09[CFG] <3> configured proposals: IKE:AES_GCM_16_256/AES_GCM_16_192/AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_521/ECP_256/MODP_4096/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521/ECP_256/MODP_4096/MODP_2048
> > > Fri, 2021-11-12, 07:05:02 09[CFG] <3> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
> > > Fri, 2021-11-12, 07:05:02 09[IKE] <3> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
> > > Fri, 2021-11-12, 07:05:02 09[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
> > > Fri, 2021-11-12, 07:05:02 09[NET] <3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[500] (281 bytes)
> > > Fri, 2021-11-12, 07:05:02 12[NET] <3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (352 bytes)
> > > Fri, 2021-11-12, 07:05:02 12[ENC] <3> unknown attribute type INTERNAL_DNS_DOMAIN
> > > Fri, 2021-11-12, 07:05:02 12[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <3> local endpoint changed from 2a01:4f8:c17:1f2d:cafe::123[500] to 2a01:4f8:c17:1f2d:cafe::123[4500]
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <3> remote endpoint changed from 2a01:4b00:867c:6d00:461:484e:456f:317a[500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500]
> > > Fri, 2021-11-12, 07:05:02 12[CFG] <3> looking for peer configs matching 2a01:4f8:c17:1f2d:cafe::123[de-test-1.mydomain.net]...2a01:4b00:867c:6d00:461:484e:456f:317a[mydomain VPN]
> > > Fri, 2021-11-12, 07:05:02 12[CFG] <3> candidate "TEST-1", match: 20/1/28 (me/other/ike)
> > > Fri, 2021-11-12, 07:05:02 12[CFG] <TEST-1|3> selected peer config 'TEST-1'
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> initiating EAP_IDENTITY method (id 0x00)
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_ADDRESS attribute
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_NETMASK attribute
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_DHCP attribute
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_DNS attribute
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_ADDRESS attribute
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_DHCP attribute
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_DNS attribute
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_DNS_DOMAIN attribute
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> peer supports MOBIKE
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> authentication of 'de-test-1.mydomain.net' (myself) with RSA signature successful
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> sending end entity cert "CN=de-test-1.mydomain.net"
> > > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
> > > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
> > > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> splitting IKE message (3004 bytes) into 3 fragments
> > > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(1/3) ]
> > > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(2/3) ]
> > > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(3/3) ]
> > > Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (1228 bytes)
> > > Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (1228 bytes)
> > > Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (674 bytes)
> > > Fri, 2021-11-12, 07:05:02 11[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (104 bytes)
> > > Fri, 2021-11-12, 07:05:02 11[ENC] <TEST-1|3> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> > > Fri, 2021-11-12, 07:05:02 11[IKE] <TEST-1|3> received EAP identity 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > > Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> RADIUS server 'server-a' is candidate: 210
> > > Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> > > Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
> > > Fri, 2021-11-12, 07:05:02 11[IKE] <TEST-1|3> initiating EAP_MD5 method (id 0x01)
> > > Fri, 2021-11-12, 07:05:02 11[ENC] <TEST-1|3> generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
> > > Fri, 2021-11-12, 07:05:02 11[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (83 bytes)
> > > Fri, 2021-11-12, 07:05:02 13[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (72 bytes)
> > > Fri, 2021-11-12, 07:05:02 13[ENC] <TEST-1|3> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
> > > Fri, 2021-11-12, 07:05:02 13[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> > > Fri, 2021-11-12, 07:05:02 13[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
> > > Fri, 2021-11-12, 07:05:02 13[ENC] <TEST-1|3> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> > > Fri, 2021-11-12, 07:05:02 13[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (104 bytes)
> > > Fri, 2021-11-12, 07:05:02 14[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (160 bytes)
> > > Fri, 2021-11-12, 07:05:02 14[ENC] <TEST-1|3> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> > > Fri, 2021-11-12, 07:05:02 14[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> > > Fri, 2021-11-12, 07:05:02 14[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
> > > Fri, 2021-11-12, 07:05:02 14[ENC] <TEST-1|3> generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
> > > Fri, 2021-11-12, 07:05:02 14[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (112 bytes)
> > > Fri, 2021-11-12, 07:05:02 15[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (72 bytes)
> > > Fri, 2021-11-12, 07:05:02 15[ENC] <TEST-1|3> parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
> > > Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> > > Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> received RADIUS Access-Accept from server 'server-a'
> > > Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> scheduling RADIUS Interim-Updates every 300s
> > > Fri, 2021-11-12, 07:05:02 15[IKE] <TEST-1|3> RADIUS authentication of 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469' successful
> > > Fri, 2021-11-12, 07:05:02 15[IKE] <TEST-1|3> EAP method EAP_MSCHAPV2 succeeded, MSK established
> > > Fri, 2021-11-12, 07:05:02 15[ENC] <TEST-1|3> generating IKE_AUTH response 5 [ EAP/SUCC ]
> > > Fri, 2021-11-12, 07:05:02 15[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (65 bytes)
> > > Fri, 2021-11-12, 07:05:02 06[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (104 bytes)
> > > Fri, 2021-11-12, 07:05:02 06[ENC] <TEST-1|3> parsed IKE_AUTH request 6 [ AUTH ]
> > > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> authentication of 'mydomain VPN' with EAP successful
> > > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> authentication of 'de-test-1.mydomain.net' (myself) with EAP
> > > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> IKE_SA TEST-1[3] established between 2a01:4f8:c17:1f2d:cafe::123[de-test-1.mydomain.net]...2a01:4b00:867c:6d00:461:484e:456f:317a[mydomain VPN]
> > > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> IKE_SA TEST-1[3] state change: CONNECTING => ESTABLISHED
> > > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> peer requested virtual IP %any
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> reassigning offline lease to 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 10.10.10.0 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> peer requested virtual IP %any6
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> reassigning offline lease to 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 2a01:4f8:c17:1f2d::1 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> building INTERNAL_IP4_DNS attribute
> > > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> building INTERNAL_IP6_DNS attribute
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposing traffic selectors for us:
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  0.0.0.0/0
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  ::/0
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposing traffic selectors for other:
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  10.10.10.0/32
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  2a01:4f8:c17:1f2d::1/128
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> candidate "TEST-1" with prio 15+3
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> found matching child config "TEST-1" with prio 18
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting proposal:
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposal matches
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> configured proposals: ESP:AES_GCM_16_256/AES_GCM_16_192/AES_GCM_16_128/ECP_521/ECP_256/MODP_4096/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/ECP_521/ECP_256/MODP_4096/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> got SPI c1e8e177
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting traffic selectors for us:
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 0.0.0.0/0, received: ::/0 => no match
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: ::/0, received: 0.0.0.0/0 => no match
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: ::/0, received: ::/0 => match: ::/0
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting traffic selectors for other:
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 10.10.10.0/32, received: 0.0.0.0/0 => match: 10.10.10.0/32
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 10.10.10.0/32, received: ::/0 => no match
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 2a01:4f8:c17:1f2d::1/128, received: 0.0.0.0/0 => no match
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 2a01:4f8:c17:1f2d::1/128, received: ::/0 => match: 2a01:4f8:c17:1f2d::1/128
> > > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> CHILD_SA TEST-1{2} state change: CREATED => INSTALLING
> > > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> using AES_GCM_16 for encryption
> > > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> adding inbound ESP SA
> > > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> SPI 0xc1e8e177, src 2a01:4b00:867c:6d00:461:484e:456f:317a dst 2a01:4f8:c17:1f2d:cafe::123
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding SAD entry with SPI c1e8e177 and reqid {1}
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using encryption algorithm AES_GCM_16 with key size 288
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using replay window of 32 packets
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> HW offload: no
> > > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> adding outbound ESP SA
> > > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> SPI 0x01fb3039, src 2a01:4f8:c17:1f2d:cafe::123 dst 2a01:4b00:867c:6d00:461:484e:456f:317a
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding SAD entry with SPI 01fb3039 and reqid {1}
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using encryption algorithm AES_GCM_16 with key size 288
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using replay window of 0 packets
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> HW offload: no
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 10.10.10.0/32 === 0.0.0.0/0 in [priority 383615, refcount 1]
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 10.10.10.0/32 === 0.0.0.0/0 fwd [priority 383615, refcount 1]
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 0.0.0.0/0 === 10.10.10.0/32 out [priority 383615, refcount 1]
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in [priority 334463, refcount 1]
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd [priority 334463, refcount 1]
> > > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy ::/0 === 2a01:4f8:c17:1f2d::1/128 out [priority 334463, refcount 1]
> > > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> CHILD_SA TEST-1{2} established with SPIs c1e8e177_i 01fb3039_o and TS 0.0.0.0/0 ::/0 === 10.10.10.0/32 2a01:4f8:c17:1f2d::1/128
> > > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> CHILD_SA TEST-1{2} state change: INSTALLING => INSTALLED
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> RADIUS server 'server-a' is candidate: 210
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> sending RADIUS Accounting-Request to server 'server-a'
> > > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> received RADIUS Accounting-Response from server 'server-a'
> > > Fri, 2021-11-12, 07:05:02 06[ENC] <TEST-1|3> generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
> > > Fri, 2021-11-12, 07:05:02 06[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (394 bytes)
> > >
> > > Fri, 2021-11-12, 07:05:34 05[CFG] vici client 974 connected
> > > Fri, 2021-11-12, 07:05:34 12[CFG] vici client 974 registered for: list-sa
> > > Fri, 2021-11-12, 07:05:34 05[CFG] vici client 974 requests: list-sas
> > > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > > Fri, 2021-11-12, 07:05:34 09[CFG] vici client 974 disconnected
> > > Fri, 2021-11-12, 07:06:14 13[CFG] vici client 975 connected
> > > Fri, 2021-11-12, 07:06:14 16[CFG] vici client 975 registered for: list-sa
> > > Fri, 2021-11-12, 07:06:14 13[CFG] vici client 975 requests: list-sas
> > > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > > Fri, 2021-11-12, 07:06:14 06[CFG] vici client 975 disconnected
> > > Fri, 2021-11-12, 07:06:54 05[CFG] vici client 976 connected
> > > Fri, 2021-11-12, 07:06:54 12[CFG] vici client 976 registered for: list-sa
> > > Fri, 2021-11-12, 07:06:54 05[CFG] vici client 976 requests: list-sas
> > > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > > Fri, 2021-11-12, 07:06:54 09[CFG] vici client 976 disconnected
> > > Fri, 2021-11-12, 07:07:34 13[CFG] vici client 977 connected
> > > Fri, 2021-11-12, 07:07:34 16[CFG] vici client 977 registered for: list-sa
> > > Fri, 2021-11-12, 07:07:34 13[CFG] vici client 977 requests: list-sas
> > > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > > Fri, 2021-11-12, 07:07:34 06[CFG] vici client 977 disconnected
> > > Fri, 2021-11-12, 07:08:14 05[CFG] vici client 978 connected
> > > Fri, 2021-11-12, 07:08:14 12[CFG] vici client 978 registered for: list-sa
> > > Fri, 2021-11-12, 07:08:14 05[CFG] vici client 978 requests: list-sas
> > > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > > Fri, 2021-11-12, 07:08:14 09[CFG] vici client 978 disconnected
> > >
> > >
> > > *ipsec.conf*
> > >
> > > config setup
> > >     strictcrlpolicy=yes
> > >     uniqueids=never
> > >
> > > conn TEST-1
> > >     auto=add
> > >     compress=no
> > >     type=tunnel
> > >     keyexchange=ikev2
> > >     fragmentation=yes
> > >     forceencaps=no
> > >     ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!
> > >     esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
> > >     dpdaction=clear
> > >     dpddelay=2400s
> > >     dpdtimeout=3600s
> > >     rekey=no
> > >     left=%any
> > >     leftid=@de-test-1.mydomain.net
> > >     leftcert=cert.pem
> > >     leftsendcert=always
> > >     leftsubnet=0.0.0.0/0, ::/0
> > >     right=%any
> > >     rightid=%any
> > >     rightauth=eap-radius
> > >     eap_identity=%any
> > >     rightdns=1.1.1.1,2606:4700:4700::1111
> > >     rightsourceip=10.10.10.0/17,2a01:4f8:c17:1f2d::/64
> > >     leftfirewall=no
> > >
> > >
> > > *sudo systemctl status strongswan-starter*
> > > ● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
> > > Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
> > > Active: active (running) since Thu 2021-11-11 20:16:27 UTC; 11h ago
> > > Main PID: 905 (starter)
> > > Tasks: 18 (limit: 2276)
> > > Memory: 11.3M
> > > CPU: 685ms
> > > CGroup: /system.slice/strongswan-starter.service
> > > ├─905 /usr/libexec/ipsec/starter --daemon charon --nofork
> > > └─918 /usr/libexec/ipsec/charon
> > > Nov 11 20:16:27 de-test-1 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
> > > Nov 11 20:16:27 de-test-1 ipsec[905]: Starting strongSwan 5.9.4 IPsec [starter]...
> > > Nov 11 20:16:27 de-test-1 ipsec_starter[905]: Starting strongSwan 5.9.4 IPsec [starter]...
> > > Nov 11 20:16:29 de-test-1 ipsec[905]: charon (918) started after 1620 ms
> > > Nov 11 20:16:29 de-test-1 ipsec_starter[905]: charon (918) started after 1620 ms
> > >
> > > *ip6tables-save*
> > > *filter
> > > :INPUT DROP [0:0]
> > > :FORWARD DROP [176:15578]
> > > :OUTPUT ACCEPT [2539:673098]
> > > :OUTGOING - [0:0]
> > > -A INPUT -i lo -j ACCEPT
> > > -A INPUT -p ipv6-icmp -j ACCEPT
> > > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 275 -j ACCEPT
> > > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > > -A INPUT -p esp -m esp -j ACCEPT
> > > -A INPUT -m ah -j ACCEPT
> > > -A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
> > > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > > -A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > -A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
> > > COMMIT
> > > # Completed on Fri Nov 12 07:18:59 2021
> > > # Generated by ip6tables-save v1.8.7 on Fri Nov 12 07:18:59 2021
> > > *nat
> > > :PREROUTING ACCEPT [848:78316]
> > > :INPUT ACCEPT [12:2456]
> > > :OUTPUT ACCEPT [17:1616]
> > > :POSTROUTING ACCEPT [677:61898]
> > > -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> > > -A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
> > > COMMIT
> > >
> > >
> > > *ip route show table all*
> > > default via 172.31.1.1 dev eth0
> > > 172.31.1.1 dev eth0 scope link
> > > broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> > > local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> > > local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> > > broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> > > local 162.55.173.134 dev eth0 table local proto kernel scope host src 162.55.173.134
> > > broadcast 162.55.173.134 dev eth0 table local proto kernel scope link src 162.55.173.134
> > > ::1 dev lo proto kernel metric 256 pref medium
> > > 2a01:4f8:c17:1f2d::1 dev eth0 proto kernel metric 256 pref medium
> > > 2a01:4f8:c17:1f2d:cafe::123 dev eth0 proto kernel metric 256 pref medium
> > > 2a01:4f8:c17:1f2d:ffff::/80 dev eth0 proto kernel metric 256 pref medium
> > > fe80::/64 dev eth0 proto kernel metric 256 pref medium
> > > default via fe80::1 dev eth0 metric 1024 onlink pref medium
> > > local ::1 dev lo table local proto kernel metric 0 pref medium
> > > local 2a01:4f8:c17:1f2d::1 dev eth0 table local proto kernel metric 0 pref medium
> > > local 2a01:4f8:c17:1f2d:cafe::123 dev eth0 table local proto kernel metric 0 pref medium
> > > local 2a01:4f8:c17:1f2d:ffff:: dev eth0 table local proto kernel metric 0 pref medium
> > > anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
> > > local fe80::9400:ff:fef1:6bcb dev eth0 table local proto kernel metric 0 pref medium
> > > multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
> > >
> > >
> > > *ip address*
> > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> > > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > > inet 127.0.0.1/8 scope host lo
> > > valid_lft forever preferred_lft forever
> > > inet6 ::1/128 scope host
> > > valid_lft forever preferred_lft forever
> > > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> > > link/ether 96:00:00:f1:6b:cb brd ff:ff:ff:ff:ff:ff
> > > altname enp0s3
> > > altname ens3
> > > inet 162.55.173.134/32 brd 162.55.173.134 scope global dynamic eth0
> > > valid_lft 82750sec preferred_lft 82750sec
> > > inet6 2a01:4f8:c17:1f2d:ffff::/80 scope global
> > > valid_lft forever preferred_lft forever
> > > inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
> > > valid_lft forever preferred_lft forever
> > > inet6 2a01:4f8:c17:1f2d::1/128 scope global
> > > valid_lft forever preferred_lft forever
> > > inet6 fe80::9400:ff:fef1:6bcb/64 scope link
> > > valid_lft forever preferred_lft forever
> > >
> > >
> > > Please let me know if you need anything else. Much appreciated.
> > > Thank you,
> > > Houman
> >
>
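The thread keeps coming back to the ICMPv6 errors the server receives: an ICMPv6 Destination Unreachable message (RFC 4443, type 1) carries the start of the packet that provoked it, so the inner IPv6 and UDP headers identify which of the server's own packets (source address, source port, destination port) the peer rejected. The decoder below is an added example written for this page; it is not code from strongSwan or from either poster. The addresses (2001:db8:1::1 as the server, 2001:db8:2::10 as the client), the client port 60000 and the zeroed NAT-T payload are constructed sample data, and the parser only handles packets without IPv6 extension headers.

```python
"""Decode the inner IPv6/UDP headers carried by an ICMPv6 Destination Unreachable.

Added example for this thread, not strongSwan code. Feed parse_icmpv6_error()
a raw IPv6 packet with the link-layer header already stripped (e.g. one
ICMPv6 frame pulled out of a `tcpdump -w` capture). All sample addresses and
ports in sample_error_packet() are constructed.
"""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_ICMPV6 = 58
ICMPV6_DEST_UNREACH = 1
DEST_UNREACH_CODES = {          # RFC 4443 section 3.1
    0: "no route to destination", 1: "communication administratively prohibited",
    2: "beyond scope of source address", 3: "address unreachable",
    4: "port unreachable", 5: "source address failed ingress/egress policy",
    6: "reject route to destination",
}


def ipv6_checksum(src: bytes, dst: bytes, next_header: int, upper: bytes) -> int:
    """RFC 8200 upper-layer checksum: pseudo-header + payload, one's complement."""
    data = src + dst + struct.pack("!IxxxB", len(upper), next_header) + upper
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv6_header(buf: bytes) -> dict:
    """Fixed 40-byte IPv6 header; extension headers are not walked."""
    if len(buf) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, next_header, hop_limit = struct.unpack("!IHBB", buf[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"src": ipaddress.IPv6Address(buf[8:24]), "dst": ipaddress.IPv6Address(buf[24:40]),
            "next_header": next_header, "payload_len": payload_len, "hop_limit": hop_limit}


def parse_icmpv6_error(packet: bytes) -> dict:
    """Return reporter, code and the invoking packet's addresses/ports."""
    outer = parse_ipv6_header(packet)
    if outer["next_header"] != IPPROTO_ICMPV6:
        raise ValueError("next header is not ICMPv6 (extension headers unsupported)")
    icmp = packet[40:40 + outer["payload_len"]]
    if len(icmp) < 8:
        raise ValueError("truncated ICMPv6 message")
    icmp_type, code, stored = struct.unpack("!BBH", icmp[:4])
    # Verify the checksum first so a corrupted capture cannot mislead the diagnosis.
    calc = ipv6_checksum(packet[8:24], packet[24:40], IPPROTO_ICMPV6,
                         icmp[:2] + b"\x00\x00" + icmp[4:])
    if calc != stored:
        raise ValueError("ICMPv6 checksum mismatch: stored %04x, computed %04x" % (stored, calc))
    if icmp_type != ICMPV6_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message (type %d)" % icmp_type)
    info = {"reporter": outer["src"], "code": code,
            "code_name": DEST_UNREACH_CODES.get(code, "unknown")}
    inner_buf = icmp[8:]   # type, code, checksum, 4 unused bytes, then the invoking packet
    inner = parse_ipv6_header(inner_buf)
    info.update(inner_src=inner["src"], inner_dst=inner["dst"], inner_proto=inner["next_header"])
    if inner["next_header"] == IPPROTO_UDP and len(inner_buf) >= 48:
        sport, dport, _ulen, _cksum = struct.unpack("!HHHH", inner_buf[40:48])
        info.update(udp_sport=sport, udp_dport=dport)
    return info


def build_udp_packet(src, dst, sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    cksum = ipv6_checksum(src.packed, dst.packed, IPPROTO_UDP, udp) or 0xFFFF  # mandatory over IPv6
    udp = udp[:6] + struct.pack("!H", cksum) + udp[8:]
    return struct.pack("!IHBB", 6 << 28, len(udp), IPPROTO_UDP, 64) + src.packed + dst.packed + udp


def build_port_unreachable(reporter, victim, invoking: bytes) -> bytes:
    """What a host's stack sends back when nothing listens on the UDP port."""
    body = struct.pack("!BBHI", ICMPV6_DEST_UNREACH, 4, 0, 0) + invoking[:1280 - 40 - 8]
    cksum = ipv6_checksum(reporter.packed, victim.packed, IPPROTO_ICMPV6, body)
    body = body[:2] + struct.pack("!H", cksum) + body[4:]
    return struct.pack("!IHBB", 6 << 28, len(body), IPPROTO_ICMPV6, 64) + reporter.packed + victim.packed + body


def sample_error_packet() -> bytes:
    """Constructed: server 2001:db8:1::1 sends UDP 4500 -> client port 60000; client answers port unreachable."""
    server = ipaddress.IPv6Address("2001:db8:1::1")
    client = ipaddress.IPv6Address("2001:db8:2::10")
    nat_t = b"\x00" * 4 + b"\x00" * 28   # constructed: non-ESP marker + zeroed IKE header
    return build_port_unreachable(client, server, build_udp_packet(server, client, 4500, 60000, nat_t))


if __name__ == "__main__":
    for key, value in parse_icmpv6_error(sample_error_packet()).items():
        print("%-12s %s" % (key, value))
```

Running it prints the reporter (the client), code 4 "port unreachable", and the inner tuple 2001:db8:1::1 port 4500 to 2001:db8:2::10 port 60000, which is the kind of evidence that tells you which server-side flow the client is refusing; on a real capture, compare the inner destination port against what the client's IKE/NAT-T socket is actually bound to.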
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20211122/aad052ca/attachment-0001.sig>