Re: [strongSwan] Problem on Vodafone in India

2021-09-01 Thread Noel Kuntze

Hello John,

There must be more going on.
strongSwan configuration does not influence DNS resolution in any way.

Kind regards
Noel

On 29.08.21 at 15:38, John Serink wrote:


[strongSwan] Problem on Vodafone in India

2021-08-29 Thread John Serink
Hello:

We are running the following on a Teltonika RUT-950 router:
root@CORS144:~# ipsec --version
Linux strongSwan U5.6.2/K3.18.44
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

I am not sure if this is a strongswan issue or not.
IPv6 is disabled on the router:
root@CORS144:/# cat /proc/sys/net/ipv6/conf/default/disable_ipv6
1
root@CORS144:/# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
1

We use 2 cell providers in India, Airtel and Vodafone. Airtel works as
expected, no issues.
Vodafone has a strange problem.
1. It can take up to 3 minutes for a connection to come up, so strongswan fails
as the name lookup fails for our IPSec responder.

2. When the connection finally does come up, from another ssh console I can
ping our IPSec responder but watching the log, using logread -f, I see
strongswan trying to connect to the IPSec responder using an IPv6 address.

Why is it doing that? We have disabled IPv6 but nslookup is returning an IPv4
and IPv6 address for the responder.

We never have this issue with Airtel.
But it gets more interesting:
3. If I set up the ipsec.conf (/etc/config/strongswan) as:

right   TheFullyQualifiedDomainName

and then I do this:

nslookup TheFullyQualifiedDomainName

I will get an IPv4 and IPv6 address and strongswan will use the IPv6
address. There is no vpn setup on the IPv6 address of the destination responder.
4. If I set up ipsec.conf (/etc/config/strongswan) like this:

right   A.B.C.D

and then I do this:

nslookup TheFullyQualifiedDomainName

I will get only the IPv4 address A.B.C.D and strongswan will use this for the
connection and it works.

But if we use Airtel, it works either way.

Can anyone make sense of this?

So, my question is:
Does this seem like a strongswan issue or an RUT-950 system issue?

We have a workaround which is to use the IP address of the responder as in
item 4, which is a non-ideal solution: if we change ISPs at the control centre
then I'd have to manually go through 280 routers, so I'd like to stay with the
FQDN if possible.

Cheers,
john

-- 
John Edward Serink
Product Applications Engineer,
Advanced Positioning
Trimble Navigation Singapore PTE Ltd.
3 Harbourfront Place, 
#13-02 Harbourfront Tower Two,
Co. Reg. No. 199204958W
Singapore 099254
Tel 65-6871-5878
Fax 65-6871-5879
DID 65-6871-5873
HP  65-9129-4250
Skype: johnserink
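Added example, not code from the thread, from strongSwan or from Teltonika: a small pre-flight check that reproduces the situation John describes (one A and one AAAA answer for the responder name while both disable_ipv6 sysctls read 1) and shows which answer a host in that state can actually use, which is the check a fleet operator would want before pointing right= at an FQDN on 280 routers. The nslookup output, the sysctl contents and the names and addresses in them are constructed samples in the documentation ranges. The live lookup helper uses getaddrinfo with AI_ADDRCONFIG, which on glibc omits address families for which the host has no configured non-loopback address; whether the router's libc honours that flag, and how strongSwan itself resolves the name, are assumptions to verify on the device, not facts the thread states.

```python
"""Pre-flight check: does the IPsec responder FQDN resolve to an address this
host can actually use?  Added example for the mailing-list thread; it is not
code from strongSwan or from the posters.  Sample data below is constructed."""
import ipaddress
import socket
from typing import Dict, List, Optional

# Constructed sample of BusyBox-style nslookup output mirroring the post: one
# IPv4 and one IPv6 answer for the responder name (placeholder name/addresses).
SAMPLE_NSLOOKUP = """\
Server:    10.0.0.1
Address 1: 10.0.0.1

Name:      responder.example.net
Address 1: 2001:db8::10
Address 2: 203.0.113.10
"""

# Constructed sample of the two sysctl files the post reads (both "1").
SAMPLE_SYSCTLS = {
    "/proc/sys/net/ipv6/conf/all/disable_ipv6": "1\n",
    "/proc/sys/net/ipv6/conf/default/disable_ipv6": "1\n",
}


def addresses_from_nslookup(text: str) -> List[str]:
    """Extract answer addresses from nslookup output.  Everything before the
    'Name:' line is the resolver's own address block and is skipped; tokens
    that are not IP literals (e.g. the echoed hostname) are ignored."""
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.lstrip().startswith("Name:"))
    except StopIteration:
        return []
    found: List[str] = []
    for line in lines[start + 1:]:
        if not line.lstrip().startswith("Address"):
            continue
        for tok in line.split():
            try:
                found.append(str(ipaddress.ip_address(tok)))
            except ValueError:
                pass  # label such as "Address 1:" or a hostname
    return found


def ipv6_disabled(sysctls: Dict[str, str]) -> bool:
    """True when any given disable_ipv6 file reads '1'."""
    return any(v.strip() == "1" for v in sysctls.values())


def read_ipv6_sysctls() -> Dict[str, str]:
    """Read the real /proc files on a Linux host (not used by the offline test)."""
    return {path: open(path).read() for path in SAMPLE_SYSCTLS}


def usable_addresses(answers: List[str], v6_disabled: bool) -> List[str]:
    """Drop answer families this host cannot use.  With IPv6 disabled only the
    IPv4 answers remain, in resolver order; otherwise all answers are kept."""
    return [a for a in answers
            if not (v6_disabled and ipaddress.ip_address(a).version == 6)]


def pick_responder(answers: List[str], v6_disabled: bool) -> Optional[str]:
    """Address to point right= at, or None if no answer is usable here."""
    usable = usable_addresses(answers, v6_disabled)
    return usable[0] if usable else None


def resolve_usable(fqdn: str) -> List[str]:
    """Live lookup (needs network; not exercised by the offline test).
    AI_ADDRCONFIG asks glibc's getaddrinfo to return only families for which
    a configured non-loopback address exists, so a host with IPv6 disabled
    should get no AAAA answers.  Assumption: the router's libc honours it."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_UNSPEC,
                               socket.SOCK_STREAM, 0, socket.AI_ADDRCONFIG)
    seen: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


if __name__ == "__main__":
    answers = addresses_from_nslookup(SAMPLE_NSLOOKUP)
    v6_off = ipv6_disabled(SAMPLE_SYSCTLS)
    print("resolver answers:", answers)
    print("IPv6 disabled:   ", v6_off)
    print("use for right=:  ", pick_responder(answers, v6_off))
```

Run with the sample data it prints the two answers, that IPv6 is disabled, and 203.0.113.10 as the address to use; on a real router replace SAMPLE_NSLOOKUP with the nslookup output (or call resolve_usable) and SAMPLE_SYSCTLS with read_ipv6_sysctls(). A None from pick_responder means the name only resolves to families the host cannot use, which is exactly the state in which an FQDN in right= fails while a literal A.B.C.D works.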