Good morning,

I have disabled forceencaps and enabled IPv6. I can establish a VPN connection via IPv6, but no traffic goes through. The IPv4 connection is working. I'm sharing my config below. I would really appreciate it if somebody could help me with that.
*/etc/sysctl.conf*

```
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.forwarding = 1
```

*/etc/strongswan.d/charon/socket-default.conf*

```
socket-default {
    load = yes
    use_ipv4 = yes
    use_ipv6 = yes
}
```

*charon.log*

```
Fri, 2021-11-12, 07:05:02 09[NET] <3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[500] to 2a01:4f8:c17:1f2d:cafe::123[500] (232 bytes)
Fri, 2021-11-12, 07:05:02 09[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Fri, 2021-11-12, 07:05:02 09[CFG] <3> looking for an IKEv2 config for 2a01:4f8:c17:1f2d:cafe::123...2a01:4b00:867c:6d00:461:484e:456f:317a
Fri, 2021-11-12, 07:05:02 09[CFG] <3> candidate: %any...%any, prio 28
Fri, 2021-11-12, 07:05:02 09[CFG] <3> found matching ike config: %any...%any with prio 28
Fri, 2021-11-12, 07:05:02 09[IKE] <3> local endpoint changed from 0.0.0.0[500] to 2a01:4f8:c17:1f2d:cafe::123[500]
Fri, 2021-11-12, 07:05:02 09[IKE] <3> remote endpoint changed from 0.0.0.0 to 2a01:4b00:867c:6d00:461:484e:456f:317a[500]
Fri, 2021-11-12, 07:05:02 09[IKE] <3> 2a01:4b00:867c:6d00:461:484e:456f:317a is initiating an IKE_SA
Fri, 2021-11-12, 07:05:02 09[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
Fri, 2021-11-12, 07:05:02 09[CFG] <3> selecting proposal:
Fri, 2021-11-12, 07:05:02 09[CFG] <3> proposal matches
Fri, 2021-11-12, 07:05:02 09[CFG] <3> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Fri, 2021-11-12, 07:05:02 09[CFG] <3> configured proposals: IKE:AES_GCM_16_256/AES_GCM_16_192/AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_521/ECP_256/MODP_4096/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521/ECP_256/MODP_4096/MODP_2048
Fri, 2021-11-12, 07:05:02 09[CFG] <3> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
Fri, 2021-11-12, 07:05:02 09[IKE] <3> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
Fri, 2021-11-12, 07:05:02 09[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Fri, 2021-11-12, 07:05:02 09[NET] <3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[500] (281 bytes)
Fri, 2021-11-12, 07:05:02 12[NET] <3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (352 bytes)
Fri, 2021-11-12, 07:05:02 12[ENC] <3> unknown attribute type INTERNAL_DNS_DOMAIN
Fri, 2021-11-12, 07:05:02 12[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]
Fri, 2021-11-12, 07:05:02 12[IKE] <3> local endpoint changed from 2a01:4f8:c17:1f2d:cafe::123[500] to 2a01:4f8:c17:1f2d:cafe::123[4500]
Fri, 2021-11-12, 07:05:02 12[IKE] <3> remote endpoint changed from 2a01:4b00:867c:6d00:461:484e:456f:317a[500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500]
Fri, 2021-11-12, 07:05:02 12[CFG] <3> looking for peer configs matching 2a01:4f8:c17:1f2d:cafe::123[de-test-1.mydomain.net]...2a01:4b00:867c:6d00:461:484e:456f:317a[mydomain VPN]
Fri, 2021-11-12, 07:05:02 12[CFG] <3> candidate "TEST-1", match: 20/1/28 (me/other/ike)
Fri, 2021-11-12, 07:05:02 12[CFG] <TEST-1|3> selected peer config 'TEST-1'
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> initiating EAP_IDENTITY method (id 0x00)
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_ADDRESS attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_NETMASK attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_DHCP attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_DNS attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_ADDRESS attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_DHCP attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_DNS attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_DNS_DOMAIN attribute
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> peer supports MOBIKE
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> authentication of ' de-test-1.mydomain.net' (myself) with RSA signature successful
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> sending end entity cert "CN= de-test-1.mydomain.net"
Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> splitting IKE message (3004 bytes) into 3 fragments
Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(1/3) ]
Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(2/3) ]
Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(3/3) ]
Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (1228 bytes)
Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (1228 bytes)
Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (674 bytes)
Fri, 2021-11-12, 07:05:02 11[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (104 bytes)
Fri, 2021-11-12, 07:05:02 11[ENC] <TEST-1|3> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Fri, 2021-11-12, 07:05:02 11[IKE] <TEST-1|3> received EAP identity 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> RADIUS server 'server-a' is candidate: 210
Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
Fri, 2021-11-12, 07:05:02 11[IKE] <TEST-1|3> initiating EAP_MD5 method (id 0x01)
Fri, 2021-11-12, 07:05:02 11[ENC] <TEST-1|3> generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
Fri, 2021-11-12, 07:05:02 11[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (83 bytes)
Fri, 2021-11-12, 07:05:02 13[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (72 bytes)
Fri, 2021-11-12, 07:05:02 13[ENC] <TEST-1|3> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Fri, 2021-11-12, 07:05:02 13[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
Fri, 2021-11-12, 07:05:02 13[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
Fri, 2021-11-12, 07:05:02 13[ENC] <TEST-1|3> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Fri, 2021-11-12, 07:05:02 13[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (104 bytes)
Fri, 2021-11-12, 07:05:02 14[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (160 bytes)
Fri, 2021-11-12, 07:05:02 14[ENC] <TEST-1|3> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Fri, 2021-11-12, 07:05:02 14[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
Fri, 2021-11-12, 07:05:02 14[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
Fri, 2021-11-12, 07:05:02 14[ENC] <TEST-1|3> generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
Fri, 2021-11-12, 07:05:02 14[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (112 bytes)
Fri, 2021-11-12, 07:05:02 15[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (72 bytes)
Fri, 2021-11-12, 07:05:02 15[ENC] <TEST-1|3> parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> received RADIUS Access-Accept from server 'server-a'
Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> scheduling RADIUS Interim-Updates every 300s
Fri, 2021-11-12, 07:05:02 15[IKE] <TEST-1|3> RADIUS authentication of 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469' successful
Fri, 2021-11-12, 07:05:02 15[IKE] <TEST-1|3> EAP method EAP_MSCHAPV2 succeeded, MSK established
Fri, 2021-11-12, 07:05:02 15[ENC] <TEST-1|3> generating IKE_AUTH response 5 [ EAP/SUCC ]
Fri, 2021-11-12, 07:05:02 15[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (65 bytes)
Fri, 2021-11-12, 07:05:02 06[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (104 bytes)
Fri, 2021-11-12, 07:05:02 06[ENC] <TEST-1|3> parsed IKE_AUTH request 6 [ AUTH ]
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> authentication of 'mydomain VPN' with EAP successful
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> authentication of ' de-test-1.mydomain.net' (myself) with EAP
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> IKE_SA TEST-1[3] established between 2a01:4f8:c17:1f2d:cafe::123[de-test-1.mydomain.net]...2a01:4b00:867c:6d00:461:484e:456f:317a[mydomain VPN]
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> IKE_SA TEST-1[3] state change: CONNECTING => ESTABLISHED
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> peer requested virtual IP %any
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> reassigning offline lease to 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 10.10.10.0 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> peer requested virtual IP %any6
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> reassigning offline lease to 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 2a01:4f8:c17:1f2d::1 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> building INTERNAL_IP4_DNS attribute
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> building INTERNAL_IP6_DNS attribute
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposing traffic selectors for us:
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> 0.0.0.0/0
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> ::/0
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposing traffic selectors for other:
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> 10.10.10.0/32
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> 2a01:4f8:c17:1f2d::1/128
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> candidate "TEST-1" with prio 15+3
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> found matching child config "TEST-1" with prio 18
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting proposal:
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposal matches
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> configured proposals: ESP:AES_GCM_16_256/AES_GCM_16_192/AES_GCM_16_128/ECP_521/ECP_256/MODP_4096/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/ECP_521/ECP_256/MODP_4096/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> got SPI c1e8e177
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting traffic selectors for us:
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 0.0.0.0/0, received: ::/0 => no match
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: ::/0, received: 0.0.0.0/0 => no match
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: ::/0, received: ::/0 => match: ::/0
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting traffic selectors for other:
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 10.10.10.0/32, received: 0.0.0.0/0 => match: 10.10.10.0/32
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 10.10.10.0/32, received: ::/0 => no match
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 2a01:4f8:c17:1f2d::1/128, received: 0.0.0.0/0 => no match
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> config: 2a01:4f8:c17:1f2d::1/128, received: ::/0 => match: 2a01:4f8:c17:1f2d::1/128
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> CHILD_SA TEST-1{2} state change: CREATED => INSTALLING
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> using AES_GCM_16 for encryption
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> adding inbound ESP SA
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> SPI 0xc1e8e177, src 2a01:4b00:867c:6d00:461:484e:456f:317a dst 2a01:4f8:c17:1f2d:cafe::123
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding SAD entry with SPI c1e8e177 and reqid {1}
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using encryption algorithm AES_GCM_16 with key size 288
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using replay window of 32 packets
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> HW offload: no
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> adding outbound ESP SA
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> SPI 0x01fb3039, src 2a01:4f8:c17:1f2d:cafe::123 dst 2a01:4b00:867c:6d00:461:484e:456f:317a
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding SAD entry with SPI 01fb3039 and reqid {1}
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using encryption algorithm AES_GCM_16 with key size 288
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> using replay window of 0 packets
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> HW offload: no
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 10.10.10.0/32 === 0.0.0.0/0 in [priority 383615, refcount 1]
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 10.10.10.0/32 === 0.0.0.0/0 fwd [priority 383615, refcount 1]
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 0.0.0.0/0 === 10.10.10.0/32 out [priority 383615, refcount 1]
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in [priority 334463, refcount 1]
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd [priority 334463, refcount 1]
Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy ::/0 === 2a01:4f8:c17:1f2d::1/128 out [priority 334463, refcount 1]
Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> CHILD_SA TEST-1{2} established with SPIs c1e8e177_i 01fb3039_o and TS 0.0.0.0/0 ::/0 === 10.10.10.0/32 2a01:4f8:c17:1f2d::1/128
Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> CHILD_SA TEST-1{2} state change: INSTALLING => INSTALLED
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> RADIUS server 'server-a' is candidate: 210
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> sending RADIUS Accounting-Request to server 'server-a'
Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> received RADIUS Accounting-Response from server 'server-a'
Fri, 2021-11-12, 07:05:02 06[ENC] <TEST-1|3> generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Fri, 2021-11-12, 07:05:02 06[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (394 bytes)
Fri, 2021-11-12, 07:05:34 05[CFG] vici client 974 connected
Fri, 2021-11-12, 07:05:34 12[CFG] vici client 974 registered for: list-sa
Fri, 2021-11-12, 07:05:34 05[CFG] vici client 974 requests: list-sas
Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
Fri, 2021-11-12, 07:05:34 09[CFG] vici client 974 disconnected
Fri, 2021-11-12, 07:06:14 13[CFG] vici client 975 connected
Fri, 2021-11-12, 07:06:14 16[CFG] vici client 975 registered for: list-sa
Fri, 2021-11-12, 07:06:14 13[CFG] vici client 975 requests: list-sas
Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
Fri, 2021-11-12, 07:06:14 06[CFG] vici client 975 disconnected
Fri, 2021-11-12, 07:06:54 05[CFG] vici client 976 connected
Fri, 2021-11-12, 07:06:54 12[CFG] vici client 976 registered for: list-sa
Fri, 2021-11-12, 07:06:54 05[CFG] vici client 976 requests: list-sas
Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
Fri, 2021-11-12, 07:06:54 09[CFG] vici client 976 disconnected
Fri, 2021-11-12, 07:07:34 13[CFG] vici client 977 connected
Fri, 2021-11-12, 07:07:34 16[CFG] vici client 977 registered for: list-sa
Fri, 2021-11-12, 07:07:34 13[CFG] vici client 977 requests: list-sas
Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
Fri, 2021-11-12, 07:07:34 06[CFG] vici client 977 disconnected
Fri, 2021-11-12, 07:08:14 05[CFG] vici client 978 connected
Fri, 2021-11-12, 07:08:14 12[CFG] vici client 978 registered for: list-sa
Fri, 2021-11-12, 07:08:14 05[CFG] vici client 978 requests: list-sas
Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
Fri, 2021-11-12, 07:08:14 09[CFG] vici client 978 disconnected
```

*ipsec.conf*

```
config setup
    strictcrlpolicy=yes
    uniqueids=never

conn TEST-1
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=no
    ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!
    esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
    dpdaction=clear
    dpddelay=2400s
    dpdtimeout=3600s
    rekey=no
    left=%any
    leftid=@de-test-1.mydomain.net
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0, ::/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=1.1.1.1,2606:4700:4700::1111
    rightsourceip=10.10.10.0/17,2a01:4f8:c17:1f2d::/64
    leftfirewall=no
```

*sudo systemctl status strongswan-starter*

```
● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
     Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-11-11 20:16:27 UTC; 11h ago
   Main PID: 905 (starter)
      Tasks: 18 (limit: 2276)
     Memory: 11.3M
        CPU: 685ms
     CGroup: /system.slice/strongswan-starter.service
             ├─905 /usr/libexec/ipsec/starter --daemon charon --nofork
             └─918 /usr/libexec/ipsec/charon

Nov 11 20:16:27 de-test-1 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Nov 11 20:16:27 de-test-1 ipsec[905]: Starting strongSwan 5.9.4 IPsec [starter]...
Nov 11 20:16:27 de-test-1 ipsec_starter[905]: Starting strongSwan 5.9.4 IPsec [starter]...
Nov 11 20:16:29 de-test-1 ipsec[905]: charon (918) started after 1620 ms
Nov 11 20:16:29 de-test-1 ipsec_starter[905]: charon (918) started after 1620 ms
```

*ip6tables-save*

```
*filter
:INPUT DROP [0:0]
:FORWARD DROP [176:15578]
:OUTPUT ACCEPT [2539:673098]
:OUTGOING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 275 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -m esp -j ACCEPT
-A INPUT -m ah -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
-A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
COMMIT
# Completed on Fri Nov 12 07:18:59 2021
# Generated by ip6tables-save v1.8.7 on Fri Nov 12 07:18:59 2021
*nat
:PREROUTING ACCEPT [848:78316]
:INPUT ACCEPT [12:2456]
:OUTPUT ACCEPT [17:1616]
:POSTROUTING ACCEPT [677:61898]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
COMMIT
```

*ip route show table all*

```
default via 172.31.1.1 dev eth0
172.31.1.1 dev eth0 scope link
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 162.55.173.134 dev eth0 table local proto kernel scope host src 162.55.173.134
broadcast 162.55.173.134 dev eth0 table local proto kernel scope link src 162.55.173.134
::1 dev lo proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d::1 dev eth0 proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d:cafe::123 dev eth0 proto kernel metric 256 pref medium
2a01:4f8:c17:1f2d:ffff::/80 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 metric 1024 onlink pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2a01:4f8:c17:1f2d::1 dev eth0 table local proto kernel metric 0 pref medium
local 2a01:4f8:c17:1f2d:cafe::123 dev eth0 table local proto kernel metric 0 pref medium
local 2a01:4f8:c17:1f2d:ffff:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
local fe80::9400:ff:fef1:6bcb dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
```

*ip address*

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 96:00:00:f1:6b:cb brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    altname ens3
    inet 162.55.173.134/32 brd 162.55.173.134 scope global dynamic eth0
       valid_lft 82750sec preferred_lft 82750sec
    inet6 2a01:4f8:c17:1f2d:ffff::/80 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:c17:1f2d::1/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::9400:ff:fef1:6bcb/64 scope link
       valid_lft forever preferred_lft forever
```

Please let me know if you need anything else. Much appreciated.

Thank you,
Houman