[strongSwan] Resolved: iOS connection only working over IPv6
Lewis Robson
robsonl at conscious.co.uk
Tue Jul 5 16:24:03 CEST 2022
RESOLVED
I have managed to fix this. The cause was that I was using the same left
subnet IP address as the one I connect into by hostname, creating two
routes. I noticed this by running a ping from the IPsec adapter to the
server, and it worked.
When I changed the left subnet side, I was able to telnet to the ports
the server provides on that left subnet.
On 04/07/2022 15:01, Lewis Robson wrote:
> Hello all,
>
> I am having issues under certain conditions with iOS devices not
> correctly connecting into my IPsec solution.
>
> My full set-up consists of two parts:
> An Android connection using the strongSwan application, which works as
> expected: the device connects and the server / client can ping each other.
> The device can fully access the server's listening ports and the solution
> works.
>
> An iPhone connection which connects and works on mobile data that is
> only provided an IPv6 address; however, it does not work on IPv4 addresses,
> including the same network that the Android solution works on.
> iPhone 11, software version: 15.5
>
> In addition to this, and worth a mention in case it's related:
> when attempting connection from a MacBook (Monterey 12.3.1), the device
> connects and gets assigned an IP, and the server can then ping the device
> and receive a response; however, the device can't ping the server
> directly or connect to any of the ports. We don't require the Mac to
> be part of the final solution currently, so this isn't an issue, but
> maybe this is a clue?
>
> I believe it is likely I am missing a policy rule in one of the
> strongSwan config files, because the Android device works without issue
> and the iPhone works over mobile data with only an IPv6 address (the
> provider using NAT64 to translate to IPv4).
>
>
> The ipsec.conf is as follows:
>
> config setup
>     charondebug="all"
>     uniqueids=no
>
> conn android
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=@cerberus.conscious.co.uk
>     leftcert=cerberus.conscious.co.uk.crt
>     leftsendcert=always
>     leftsubnet=156.67.0.0/16
>     right=%any
>     rightid=%any
>     rightauth=pubkey
>     rightsourceip=10.10.10.0/16
>     rightdns=10.1.0.50,8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>     ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>     esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
>
> conn apple
>     inactivity=6000
>     dpdtimeout=6000s
>     dpddelay=30
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=@cerberus.conscious.co.uk
>     leftcert=cerberus.conscious.co.uk.crt
>     leftsendcert=always
>     leftsubnet=156.67.0.0/16
>     right=%any
>     rightid=%any
>     rightauth=eap-tls   # pubkey didn't work, so using eap-tls
>     rightsourceip=10.10.10.0/24
>     rightdns=10.1.0.50,8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>     ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
>     esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
>
> Here are the last few lines from the logs when a connection is attempted
> from the iPhone over Wi-Fi / with an IPv4 address.
>
> Jul 4 14:22:43 cerberus charon[3945804]: 05[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TLS ]
> Jul 4 14:22:43 cerberus charon[3945804]: 05[IKE] EAP method EAP_TLS succeeded, MSK established
> Jul 4 14:22:43 cerberus charon[3945804]: 05[ENC] generating IKE_AUTH response 9 [ EAP/SUCC ]
> Jul 4 14:22:43 cerberus charon[3945804]: 05[NET] sending packet: from external-ip[4500] to clients-ip[4500] (76 bytes)
> Jul 4 14:22:43 cerberus charon[3945804]: 07[NET] received packet: from clients-ip[4500] to external-ip[4500] (92 bytes)
> Jul 4 14:22:43 cerberus charon[3945804]: 07[ENC] parsed IKE_AUTH request 10 [ AUTH ]
> Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] authentication of 'user at conscious.co.uk' with EAP successful
> Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] authentication of 'cerberus.conscious.co.uk' (myself) with EAP
> Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] IKE_SA apple[4] established between external-ip[cerberus.conscious.co.uk]...clients-ip[user at conscious.co.uk]
> Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] peer requested virtual IP %any
> Jul 4 14:22:43 cerberus charon[3945804]: 07[CFG] reassigning offline lease to 'user at conscious.co.uk'
> Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] assigning virtual IP 10.10.10.1 to peer 'user at conscious.co.uk'
> Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] peer requested virtual IP %any6
> Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] no virtual IP found for %any6 requested by 'user at conscious.co.uk'
> Jul 4 14:22:43 cerberus charon[3945804]: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
> Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] CHILD_SA apple{2} established with SPIs c1c88d8d_i 0e330f25_o and TS external-ip/32 === 10.10.10.1/32
> Jul 4 14:22:43 cerberus charon[3945804]: 07[ENC] generating IKE_AUTH response 10 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> Jul 4 14:22:43 cerberus charon[3945804]: 07[NET] sending packet: from external-ip[4500] to clients-ip[4500] (252 bytes)
> Jul 4 14:22:43 cerberus charon[3945804]: 07[ENC] generating IKE_AUTH response 10 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> Jul 4 14:22:43 cerberus charon[3945804]: 07[NET] sending packet: from external-ip[4500] to clients-ip[4500] (252 bytes)
> Jul 4 14:23:29 cerberus charon[3945804]: 01[NET] received packet: from clients-ip[4500] to external-ip[4500] (76 bytes)
> Jul 4 14:23:29 cerberus charon[3945804]: 01[ENC] parsed INFORMATIONAL request 11 [ D ]
> Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] received DELETE for IKE_SA apple[4]
> Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] deleting IKE_SA apple[4] between external-ip[cerberus.conscious.co.uk]...clients-ip[andy at conscious.co.uk]
> Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] IKE_SA deleted
> Jul 4 14:23:29 cerberus charon[3945804]: 01[ENC] generating INFORMATIONAL response 11 [ ]
> Jul 4 14:23:29 cerberus charon[3945804]: 01[NET] sending packet: from external-ip[4500] to clients-ip[4500] (76 bytes)
> Jul 4 14:23:29 cerberus charon[3945804]: 01[CFG] lease 10.10.10.1 by 'user at conscious.co.uk' went offline
>
> ==> /var/log/secure <==
> Jul 4 14:22:43 cerberus charon[3945804]: 15[IKE] clients-ip is initiating an IKE_SA
> Jul 4 14:22:43 cerberus charon[3945804]: 06[IKE] clients-ip is initiating an IKE_SA
> Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] IKE_SA apple[4] established between external-ip[cerberus.conscious.co.uk]...clients-ip[user at conscious.co.uk]
> Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] CHILD_SA apple{2} established with SPIs c1c88d8d_i 0e330f25_o and TS external-ip/32 === 10.10.10.1/32
>
> Does anyone have any thoughts and / or suggestions as to what I could be
> missing, or guidance on where to look to fix this?
> Thank you
>
--
Lewis Robson
Systems Administrator
Conscious Solutions Limited
Tel: 0117 325 0200
Web: https://www.conscious.co.uk
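The root cause in this thread (a leftsubnet that also contains the address the client connects to, so the client ends up with two competing routes to the gateway) is easy to catch before deployment with a static check of ipsec.conf. The following script is an added example written for this thread, not strongSwan code and not the poster's: it parses conn sections, flags a gateway address that falls inside leftsubnet, a virtual-IP pool overlapping leftsubnet, rightdns entries that are not addresses (the kind of comma-for-dot typo that slips into long configs), and legacy algorithms in ike=/esp= proposals. The embedded sample config and the gateway address 156.67.1.2 are constructed placeholders modelled on the thread's conn, not real hosts.

```python
"""Static sanity checks for strongSwan ipsec.conf conn sections (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, human-readable message)

# Proposal tokens a defender would rather not see offered by a gateway.
WEAK_TOKENS = {"3des", "md5", "modp768", "modp1024", "modp1536", "null"}


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf parser: 'conn NAME' / 'config setup' headers followed by
    key=value lines. Indentation is ignored so a de-indented paste still parses;
    '#' starts a comment."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def _networks(value: str) -> list:
    """Parse a comma-separated subnet list; %dynamic/%dhcp and ranges are skipped."""
    nets = []
    for item in (i.strip() for i in value.split(",")):
        if item and not item.startswith("%") and "-" not in item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def check_conn(params: Dict[str, str], gateway_ip: str) -> List[Finding]:
    findings: List[Finding] = []
    gateway = ipaddress.ip_address(gateway_ip)
    left = _networks(params.get("leftsubnet", ""))
    pool = _networks(params.get("rightsourceip", ""))

    # 1. The thread's root cause: the client is told leftsubnet is reachable through
    #    the tunnel, but the IKE/ESP endpoint itself lives in that subnet, so the
    #    client gets a tunnel route that competes with its route to the gateway.
    for net in left:
        if gateway in net:
            findings.append(("SERVER_IN_LEFTSUBNET",
                             f"gateway {gateway} lies inside leftsubnet {net}"))

    # 2. The virtual-IP pool must not overlap the networks offered behind the gateway.
    for p in pool:
        for net in left:
            if p.overlaps(net):
                findings.append(("POOL_OVERLAP",
                                 f"rightsourceip {p} overlaps leftsubnet {net}"))

    # 3. rightdns entries must be plain addresses (catches '10,1,0,50'-style typos).
    for entry in (e.strip() for e in params.get("rightdns", "").split(",")):
        if not entry:
            continue
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            findings.append(("BAD_DNS", f"rightdns entry {entry!r} is not an IP address"))

    # 4. Legacy algorithms in ike= / esp= proposal strings.
    for key in ("ike", "esp"):
        tokens = {t.lower() for t in re.split(r"[-,]", params.get(key, "").rstrip("!")) if t}
        weak = sorted(tokens & WEAK_TOKENS)
        if weak:
            findings.append(("WEAK_ALGO", f"{key}= proposal offers {', '.join(weak)}"))
    return findings


def audit(conf_text: str, gateway_ip: str) -> Dict[str, List[Finding]]:
    """Run check_conn over every 'conn' section; returns {conn name: findings}."""
    return {name.split(" ", 1)[1]: check_conn(params, gateway_ip)
            for name, params in parse_ipsec_conf(conf_text).items()
            if name.startswith("conn ")}


# Constructed sample modelled on the thread's conn (placeholders, not real hosts).
SAMPLE_CONF = """\
config setup
    uniqueids=no

conn apple
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.invalid
    leftsubnet=156.67.0.0/16
    right=%any
    rightauth=eap-tls   # pubkey did not work, so eap-tls
    rightsourceip=10.10.10.0/24
    rightdns=10,1,0,50,8.8.8.8,8.8.4.4
    ike=aes256gcm16-sha384-ecp384,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256gcm16,aes256-sha256,3des-sha1!

conn apple-fixed
    keyexchange=ikev2
    left=%any
    leftsubnet=10.1.0.0/24
    right=%any
    rightauth=eap-tls
    rightsourceip=10.10.10.0/24
    rightdns=10.1.0.50,8.8.8.8,8.8.4.4
    ike=aes256gcm16-sha384-ecp384!
    esp=aes256gcm16!
"""
GATEWAY_IP = "156.67.1.2"  # constructed placeholder for the gateway's public address

if __name__ == "__main__":
    for conn, findings in audit(SAMPLE_CONF, GATEWAY_IP).items():
        print(f"{conn}: {'OK' if not findings else ''}")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

The `apple` conn reproduces the thread's situation: the gateway sits inside leftsubnet, which is what the poster found when the ping from the IPsec adapter succeeded while application ports did not; `apple-fixed` moves leftsubnet to a network behind the gateway and passes cleanly.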