Re: [Swan] Libreswan 4.8 IPv6 connection problem: "The parameter is incorrect"

Wed, 19 Oct 2022 23:56:16 -0700 

Hi all,

Now I'm really questioning the wisdom of implementing IPv6 on our networks,
for we lost VPN and I look incompetent or even not of a sound enough mind.
Here in Croatia, there are not really that many organisations who have implemented IPv6, and there is not too many people to ask and share experiences and solutions. 

Maybe I should raise an issue on this at the GitHub?

Thank you

On 10/5/2022 4:18 PM, Mirsad Goran Todorovac wrote:


P.S.

Forgot to mention, the VPN client is Windows 10 Professional version 21H2:

Kind regards,

mt

On 5.10.2022. 15:58, Mirsad Goran Todorovac wrote:

Hi all,
Our VPN worked well until we moved to IPv6, and now it works only with IPv6 disabled, which is not practical (change of network settings resets all Putty terminal and all ssh connections 
among others ... ).

The configuration is as follows:

conn MYCONN-ikev2-ipv6-cp
        # The server's actual IP goes here - not elastic IPs
        left=2001:b68:2:2600::3
        leftcert=magrf.grf.hr
[email protected]
        leftsendcert=always
        leftsubnet=0::/0
        leftrsasigkey=%cert
        # Clients
        right=%any
        # your addresspool to use - you might need NAT rules if providing full internet to clients 
        rightaddresspool=fd00:2600:1000:0000/64
        # optional rightid with restrictions
        # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
        rightca=%same
        rightrsasigkey=%cert
        #
        # connection configuration
        # DNS servers for clients to use
        modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
        narrowing=yes
        # recommended dpd/liveness to cleanup vanished clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        rekey=no
        # Set ikelifetime and keylife to same defaults windows has
        # ikelifetime=8h
        # keylife=2h
        ms-dh-downgrade=yes
esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1         # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024 
        # ikev2 fragmentation support requires libreswan 3.14 or newer
        fragmentation=yes
        # optional PAM username verification (eg to implement bandwidth quota 
        # pam-authorize=yes
        authby=rsa-sha1
        hostaddrfamily=ipv6
        clientaddrfamily=ipv6
I am using a small script that should allow NPT to the VPN-allocated addr range: 

#!/bin/bash

# 2022-10-05 mtodorov

GWY_EXTERNAL=2001:b68:2:2600::3
EXTERNAL=2001:b68:2:2600::/64
INTERNAL=fd00:2600:1000:0000::/64

case "$1" in
        start)
                modprobe ip6table_mangle
                modprobe ip6t_NPT
                ip6tables -t mangle -A PREROUTING \! -d $GWY_EXTERNAL -i enp1s0 -j DNPT --src-pfx $EXTERNAL --dst-pfx $INTERNAL                 ip6tables -t mangle -A POSTROUTING -s $INTERNAL -o enp1s0 -j SNPT --src-pfx $INTERNAL --dst-pfx $EXTERNAL 
                ;;
        stop)
                ip6tables -t mangle -D PREROUTING \! -d $GWY_EXTERNAL -i enp1s0 -j DNPT --src-pfx $EXTERNAL --dst-pfx $INTERNAL                 ip6tables -t mangle -D POSTROUTING -s $INTERNAL -o enp1s0 -j SNPT --src-pfx $INTERNAL --dst-pfx $EXTERNAL 
                sleep 1
                modprobe -r ip6t_NPT
                modprobe -r ip6table_mangle
                ;;
        *) echo "Usage $0: start | stop"
esac

The result is:

root@magrf:~# ip6tables-save
# Generated by ip6tables-save v1.8.7 on Wed Oct  5 15:53:29 2022
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING ! -d 2001:b68:2:2600::3/128 -i enp1s0 -j DNPT --src-pfx 2001:b68:2:2600::/64 --dst-pfx fd00:2600:1000::/64 -A POSTROUTING -s fd00:2600:1000::/64 -o enp1s0 -j SNPT --src-pfx fd00:2600:1000::/64 --dst-pfx 2001:b68:2:2600::/64 
COMMIT
# Completed on Wed Oct  5 15:53:29 2022
# Warning: ip6tables-legacy tables present, use ip6tables-legacy-save to see them 
root@magrf:~#
The session log is here: https://magrf.grf.hr/~mtodorov/tmp/ikev2-ipv6-20221005-01.log 

I hope this helps.
It seems to me that Libreswan attempts to retransmit to the VPN client too early withing the same second? 

Could that be a bug or is it a mistake in configuration?

Thank you.

Kind regards,
mt


--
Mirsad Todorovac
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
Sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu


--
Mirsad Todorovac
Sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

Reply via email to