Hello Noel,

Good call. I have tried it with *tcpdump icmp6*:

12:51:32.014856 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
12:51:32.014980 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
12:51:33.015768 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
12:51:33.015853 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
12:51:37.230741 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
12:51:37.230773 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 49622, length 153
12:51:37.230832 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52451, length 179
12:51:37.231091 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63183, length 141
12:51:37.231276 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60488, length 153
12:51:37.244840 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63401, length 179
12:51:41.217794 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 62192, length 117
12:51:41.399465 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 63183, length 141
12:51:41.399497 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 49622, length 153
12:51:41.399515 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 57891, length 179
12:51:41.399526 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
12:51:41.399536 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52451, length 179
12:51:41.399555 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60488, length 153
12:51:42.267324 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 62192, length 117
12:51:48.624243 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 57891, length 179
12:51:48.624270 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 60718, length 153

This is strange because the firewall should be ok:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [4571:533993]
:OUTPUT ACCEPT [3620:1295287]
:OUTGOING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -m esp -j ACCEPT
-A INPUT -m ah -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
-A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
COMMIT

IPv6 doesn't need NAT.
So what is unreachable here?

Thanks,
Houman

On Sun, 14 Nov 2021 at 23:26, Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:
> Hello Houman,
>
> Looks like it's time for tcpdump, wireshark, ... .
> Collect traffic dumps as shown on the wiki[1] to figure out what replies the peer gets and what is forwarded.
>
> Also, verify your testing method and client configuration, specifically iptables/ip6tables if it's Linux.
>
> Kind regards
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
>
> On 12.11.21 at 08:26, Houman wrote:
> > Good morning,
> >
> > I have disabled forceencaps and enabled IPv6. I can establish a VPN connection via IPv6. But no traffic goes through. IPv4 connection is working.
> > I'm sharing my config below. I would really appreciate it if somebody could help me with that.
> >
> > */etc/sysctl.conf*
> > net.ipv4.ip_forward = 1
> > net.ipv4.ip_no_pmtu_disc = 1
> > net.ipv4.conf.all.rp_filter = 1
> > net.ipv4.conf.all.accept_redirects = 0
> > net.ipv4.conf.all.send_redirects = 0
> > net.ipv6.conf.all.forwarding = 1
> >
> > */etc/strongswan.d/charon/socket-default.conf*
> > socket-default {
> >     load = yes
> >     use_ipv4 = yes
> >     use_ipv6 = yes
> > }
> >
> > *charon.log*
> >
> > Fri, 2021-11-12, 07:05:02 09[NET] <3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[500] to 2a01:4f8:c17:1f2d:cafe::123[500] (232 bytes)
> > Fri, 2021-11-12, 07:05:02 09[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> looking for an IKEv2 config for 2a01:4f8:c17:1f2d:cafe::123...2a01:4b00:867c:6d00:461:484e:456f:317a
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> candidate: %any...%any, prio 28
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> found matching ike config: %any...%any with prio 28
> > Fri, 2021-11-12, 07:05:02 09[IKE] <3> local endpoint changed from 0.0.0.0[500] to 2a01:4f8:c17:1f2d:cafe::123[500]
> > Fri, 2021-11-12, 07:05:02 09[IKE] <3> remote endpoint changed from 0.0.0.0 to 2a01:4b00:867c:6d00:461:484e:456f:317a[500]
> > Fri, 2021-11-12, 07:05:02 09[IKE] <3> 2a01:4b00:867c:6d00:461:484e:456f:317a is initiating an IKE_SA
> > Fri, 2021-11-12, 07:05:02 09[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> selecting proposal:
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3>   proposal matches
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> configured proposals: IKE:AES_GCM_16_256/AES_GCM_16_192/AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_521/ECP_256/MODP_4096/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521/ECP_256/MODP_4096/MODP_2048
> > Fri, 2021-11-12, 07:05:02 09[CFG] <3> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
> > Fri, 2021-11-12, 07:05:02 09[IKE] <3> sending cert request for "C=US, O=Let's Encrypt, CN=R3"
> > Fri, 2021-11-12, 07:05:02 09[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
> > Fri, 2021-11-12, 07:05:02 09[NET] <3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[500] (281 bytes)
> > Fri, 2021-11-12, 07:05:02 12[NET] <3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (352 bytes)
> > Fri, 2021-11-12, 07:05:02 12[ENC] <3> unknown attribute type INTERNAL_DNS_DOMAIN
> > Fri, 2021-11-12, 07:05:02 12[ENC] <3> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]
> > Fri, 2021-11-12, 07:05:02 12[IKE] <3> local endpoint changed from 2a01:4f8:c17:1f2d:cafe::123[500] to 2a01:4f8:c17:1f2d:cafe::123[4500]
> > Fri, 2021-11-12, 07:05:02 12[IKE] <3> remote endpoint changed from 2a01:4b00:867c:6d00:461:484e:456f:317a[500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500]
> > Fri, 2021-11-12, 07:05:02 12[CFG] <3> looking for peer configs matching 2a01:4f8:c17:1f2d:cafe::123[de-test-1.mydomain.net]...2a01:4b00:867c:6d00:461:484e:456f:317a[mydomain VPN]
> > Fri, 2021-11-12, 07:05:02 12[CFG] <3>   candidate "TEST-1", match: 20/1/28 (me/other/ike)
> > Fri, 2021-11-12, 07:05:02 12[CFG] <TEST-1|3> selected peer config 'TEST-1'
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> initiating EAP_IDENTITY method (id 0x00)
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_ADDRESS attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_NETMASK attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_DHCP attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP4_DNS attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_ADDRESS attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_DHCP attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_IP6_DNS attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> processing INTERNAL_DNS_DOMAIN attribute
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> peer supports MOBIKE
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> authentication of 'de-test-1.mydomain.net' (myself) with RSA signature successful
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> sending end entity cert "CN=de-test-1.mydomain.net"
> > Fri, 2021-11-12, 07:05:02 12[IKE] <TEST-1|3> sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
> > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
> > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> splitting IKE message (3004 bytes) into 3 fragments
> > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(1/3) ]
> > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(2/3) ]
> > Fri, 2021-11-12, 07:05:02 12[ENC] <TEST-1|3> generating IKE_AUTH response 1 [ EF(3/3) ]
> > Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (1228 bytes)
> > Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (1228 bytes)
> > Fri, 2021-11-12, 07:05:02 12[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (674 bytes)
> > Fri, 2021-11-12, 07:05:02 11[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (104 bytes)
> > Fri, 2021-11-12, 07:05:02 11[ENC] <TEST-1|3> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> > Fri, 2021-11-12, 07:05:02 11[IKE] <TEST-1|3> received EAP identity 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> RADIUS server 'server-a' is candidate: 210
> > Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> > Fri, 2021-11-12, 07:05:02 11[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
> > Fri, 2021-11-12, 07:05:02 11[IKE] <TEST-1|3> initiating EAP_MD5 method (id 0x01)
> > Fri, 2021-11-12, 07:05:02 11[ENC] <TEST-1|3> generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
> > Fri, 2021-11-12, 07:05:02 11[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (83 bytes)
> > Fri, 2021-11-12, 07:05:02 13[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (72 bytes)
> > Fri, 2021-11-12, 07:05:02 13[ENC] <TEST-1|3> parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
> > Fri, 2021-11-12, 07:05:02 13[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> > Fri, 2021-11-12, 07:05:02 13[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
> > Fri, 2021-11-12, 07:05:02 13[ENC] <TEST-1|3> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> > Fri, 2021-11-12, 07:05:02 13[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (104 bytes)
> > Fri, 2021-11-12, 07:05:02 14[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (160 bytes)
> > Fri, 2021-11-12, 07:05:02 14[ENC] <TEST-1|3> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> > Fri, 2021-11-12, 07:05:02 14[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> > Fri, 2021-11-12, 07:05:02 14[CFG] <TEST-1|3> received RADIUS Access-Challenge from server 'server-a'
> > Fri, 2021-11-12, 07:05:02 14[ENC] <TEST-1|3> generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
> > Fri, 2021-11-12, 07:05:02 14[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (112 bytes)
> > Fri, 2021-11-12, 07:05:02 15[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (72 bytes)
> > Fri, 2021-11-12, 07:05:02 15[ENC] <TEST-1|3> parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
> > Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> sending RADIUS Access-Request to server 'server-a'
> > Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> received RADIUS Access-Accept from server 'server-a'
> > Fri, 2021-11-12, 07:05:02 15[CFG] <TEST-1|3> scheduling RADIUS Interim-Updates every 300s
> > Fri, 2021-11-12, 07:05:02 15[IKE] <TEST-1|3> RADIUS authentication of 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469' successful
> > Fri, 2021-11-12, 07:05:02 15[IKE] <TEST-1|3> EAP method EAP_MSCHAPV2 succeeded, MSK established
> > Fri, 2021-11-12, 07:05:02 15[ENC] <TEST-1|3> generating IKE_AUTH response 5 [ EAP/SUCC ]
> > Fri, 2021-11-12, 07:05:02 15[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (65 bytes)
> > Fri, 2021-11-12, 07:05:02 06[NET] <TEST-1|3> received packet: from 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] to 2a01:4f8:c17:1f2d:cafe::123[4500] (104 bytes)
> > Fri, 2021-11-12, 07:05:02 06[ENC] <TEST-1|3> parsed IKE_AUTH request 6 [ AUTH ]
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> authentication of 'mydomain VPN' with EAP successful
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> authentication of 'de-test-1.mydomain.net' (myself) with EAP
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> IKE_SA TEST-1[3] established between 2a01:4f8:c17:1f2d:cafe::123[de-test-1.mydomain.net]...2a01:4b00:867c:6d00:461:484e:456f:317a[mydomain VPN]
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> IKE_SA TEST-1[3] state change: CONNECTING => ESTABLISHED
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> peer requested virtual IP %any
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> reassigning offline lease to 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 10.10.10.0 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> peer requested virtual IP %any6
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> reassigning offline lease to 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> assigning virtual IP 2a01:4f8:c17:1f2d::1 to peer 'ceec523e-6059-4cba-b6e4-a1fd2eb0a469'
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> building INTERNAL_IP4_DNS attribute
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> building INTERNAL_IP6_DNS attribute
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposing traffic selectors for us:
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  0.0.0.0/0
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  ::/0
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> proposing traffic selectors for other:
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  10.10.10.0/32
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  2a01:4f8:c17:1f2d::1/128
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>   candidate "TEST-1" with prio 15+3
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> found matching child config "TEST-1" with prio 18
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting proposal:
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>   proposal matches
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> configured proposals: ESP:AES_GCM_16_256/AES_GCM_16_192/AES_GCM_16_128/ECP_521/ECP_256/MODP_4096/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/ECP_521/ECP_256/MODP_4096/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/NO_EXT_SEQ
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> got SPI c1e8e177
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting traffic selectors for us:
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 0.0.0.0/0, received: ::/0 => no match
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: ::/0, received: 0.0.0.0/0 => no match
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: ::/0, received: ::/0 => match: ::/0
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> selecting traffic selectors for other:
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 10.10.10.0/32, received: 0.0.0.0/0 => match: 10.10.10.0/32
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 10.10.10.0/32, received: ::/0 => no match
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 2a01:4f8:c17:1f2d::1/128, received: 0.0.0.0/0 => no match
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3>  config: 2a01:4f8:c17:1f2d::1/128, received: ::/0 => match: 2a01:4f8:c17:1f2d::1/128
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> CHILD_SA TEST-1{2} state change: CREATED => INSTALLING
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3>   using AES_GCM_16 for encryption
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> adding inbound ESP SA
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3>   SPI 0xc1e8e177, src 2a01:4b00:867c:6d00:461:484e:456f:317a dst 2a01:4f8:c17:1f2d:cafe::123
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding SAD entry with SPI c1e8e177 and reqid {1}
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3>   using encryption algorithm AES_GCM_16 with key size 288
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3>   using replay window of 32 packets
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3>   HW offload: no
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> adding outbound ESP SA
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3>   SPI 0x01fb3039, src 2a01:4f8:c17:1f2d:cafe::123 dst 2a01:4b00:867c:6d00:461:484e:456f:317a
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding SAD entry with SPI 01fb3039 and reqid {1}
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3>   using encryption algorithm AES_GCM_16 with key size 288
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3>   using replay window of 0 packets
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3>   HW offload: no
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 10.10.10.0/32 === 0.0.0.0/0 in [priority 383615, refcount 1]
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 10.10.10.0/32 === 0.0.0.0/0 fwd [priority 383615, refcount 1]
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 0.0.0.0/0 === 10.10.10.0/32 out [priority 383615, refcount 1]
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in [priority 334463, refcount 1]
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd [priority 334463, refcount 1]
> > Fri, 2021-11-12, 07:05:02 06[KNL] <TEST-1|3> adding policy ::/0 === 2a01:4f8:c17:1f2d::1/128 out [priority 334463, refcount 1]
> > Fri, 2021-11-12, 07:05:02 06[IKE] <TEST-1|3> CHILD_SA TEST-1{2} established with SPIs c1e8e177_i 01fb3039_o and TS 0.0.0.0/0 ::/0 === 10.10.10.0/32 2a01:4f8:c17:1f2d::1/128
> > Fri, 2021-11-12, 07:05:02 06[CHD] <TEST-1|3> CHILD_SA TEST-1{2} state change: INSTALLING => INSTALLED
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> RADIUS server 'server-a' is candidate: 210
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> sending RADIUS Accounting-Request to server 'server-a'
> > Fri, 2021-11-12, 07:05:02 06[CFG] <TEST-1|3> received RADIUS Accounting-Response from server 'server-a'
> > Fri, 2021-11-12, 07:05:02 06[ENC] <TEST-1|3> generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
> > Fri, 2021-11-12, 07:05:02 06[NET] <TEST-1|3> sending packet: from 2a01:4f8:c17:1f2d:cafe::123[4500] to 2a01:4b00:867c:6d00:461:484e:456f:317a[4500] (394 bytes)
> > Fri, 2021-11-12, 07:05:34 05[CFG] vici client 974 connected
> > Fri, 2021-11-12, 07:05:34 12[CFG] vici client 974 registered for: list-sa
> > Fri, 2021-11-12, 07:05:34 05[CFG] vici client 974 requests: list-sas
> > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > Fri, 2021-11-12, 07:05:34 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > Fri, 2021-11-12, 07:05:34 09[CFG] vici client 974 disconnected
> > Fri, 2021-11-12, 07:06:14 13[CFG] vici client 975 connected
> > Fri, 2021-11-12, 07:06:14 16[CFG] vici client 975 registered for: list-sa
> > Fri, 2021-11-12, 07:06:14 13[CFG] vici client 975 requests: list-sas
> > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > Fri, 2021-11-12, 07:06:14 13[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > Fri, 2021-11-12, 07:06:14 06[CFG] vici client 975 disconnected
> > Fri, 2021-11-12, 07:06:54 05[CFG] vici client 976 connected
> > Fri, 2021-11-12, 07:06:54 12[CFG] vici client 976 registered for: list-sa
> > Fri, 2021-11-12, 07:06:54 05[CFG] vici client 976 requests: list-sas
> > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > Fri, 2021-11-12, 07:06:54 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > Fri, 2021-11-12, 07:06:54 09[CFG] vici client 976 disconnected
> > Fri, 2021-11-12, 07:07:34 13[CFG] vici client 977 connected
> > Fri, 2021-11-12, 07:07:34 16[CFG] vici client 977 registered for: list-sa
> > Fri, 2021-11-12, 07:07:34 13[CFG] vici client 977 requests: list-sas
> > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > Fri, 2021-11-12, 07:07:34 13[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > Fri, 2021-11-12, 07:07:34 06[CFG] vici client 977 disconnected
> > Fri, 2021-11-12, 07:08:14 05[CFG] vici client 978 connected
> > Fri, 2021-11-12, 07:08:14 12[CFG] vici client 978 registered for: list-sa
> > Fri, 2021-11-12, 07:08:14 05[CFG] vici client 978 requests: list-sas
> > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying SAD entry with SPI c1e8e177
> > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 in
> > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 10.10.10.0/32 === 0.0.0.0/0 fwd
> > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 in
> > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying policy 2a01:4f8:c17:1f2d::1/128 === ::/0 fwd
> > Fri, 2021-11-12, 07:08:14 05[KNL] <TEST-1|3> querying SAD entry with SPI 01fb3039
> > Fri, 2021-11-12, 07:08:14 09[CFG] vici client 978 disconnected
> >
> > *ipsec.conf*
> >
> > config setup
> >     strictcrlpolicy=yes
> >     uniqueids=never
> >
> > conn TEST-1
> >     auto=add
> >     compress=no
> >     type=tunnel
> >     keyexchange=ikev2
> >     fragmentation=yes
> >     forceencaps=no
> >     ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,aes256-sha256-ecp521-ecp256-modp4096-modp2048!
> >     esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1!
> >     dpdaction=clear
> >     dpddelay=2400s
> >     dpdtimeout=3600s
> >     rekey=no
> >     left=%any
> >     leftid=@de-test-1.mydomain.net
> >     leftcert=cert.pem
> >     leftsendcert=always
> >     leftsubnet=0.0.0.0/0, ::/0
> >     right=%any
> >     rightid=%any
> >     rightauth=eap-radius
> >     eap_identity=%any
> >     rightdns=1.1.1.1,2606:4700:4700::1111
> >     rightsourceip=10.10.10.0/17,2a01:4f8:c17:1f2d::/64
> >     leftfirewall=no
> >
> > *sudo systemctl status strongswan-starter*
> >
> > ● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
> >      Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
> >      Active: active (running) since Thu 2021-11-11 20:16:27 UTC; 11h ago
> >    Main PID: 905 (starter)
> >       Tasks: 18 (limit: 2276)
> >      Memory: 11.3M
> >         CPU: 685ms
> >      CGroup: /system.slice/strongswan-starter.service
> >              ├─905 /usr/libexec/ipsec/starter --daemon charon --nofork
> >              └─918 /usr/libexec/ipsec/charon
> >
> > Nov 11 20:16:27 de-test-1 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
> > Nov 11 20:16:27 de-test-1 ipsec[905]: Starting strongSwan 5.9.4 IPsec [starter]...
> > Nov 11 20:16:27 de-test-1 ipsec_starter[905]: Starting strongSwan 5.9.4 IPsec [starter]...
> > Nov 11 20:16:29 de-test-1 ipsec[905]: charon (918) started after 1620 ms
> > Nov 11 20:16:29 de-test-1 ipsec_starter[905]: charon (918) started after 1620 ms
> >
> > *ip6tables-save*
> >
> > *filter
> > :INPUT DROP [0:0]
> > :FORWARD DROP [176:15578]
> > :OUTPUT ACCEPT [2539:673098]
> > :OUTGOING - [0:0]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -p ipv6-icmp -j ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 275 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > -A INPUT -p esp -m esp -j ACCEPT
> > -A INPUT -m ah -j ACCEPT
> > -A FORWARD -m policy --dir in --pol ipsec -j OUTGOING
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > -A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A OUTGOING -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name NETSCANv6 --hashlimit-dstmask 64 -j ACCEPT
> > COMMIT
> > # Completed on Fri Nov 12 07:18:59 2021
> > # Generated by ip6tables-save v1.8.7 on Fri Nov 12 07:18:59 2021
> > *nat
> > :PREROUTING ACCEPT [848:78316]
> > :INPUT ACCEPT [12:2456]
> > :OUTPUT ACCEPT [17:1616]
> > :POSTROUTING ACCEPT [677:61898]
> > -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> > -A POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE
> > COMMIT
> >
> > *ip route show table all*
> >
> > default via 172.31.1.1 dev eth0
> > 172.31.1.1 dev eth0 scope link
> > broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> > local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> > local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> > broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> > local 162.55.173.134 dev eth0 table local proto kernel scope host src 162.55.173.134
> > broadcast 162.55.173.134 dev eth0 table local proto kernel scope link src 162.55.173.134
> > ::1 dev lo proto kernel metric 256 pref medium
> > 2a01:4f8:c17:1f2d::1 dev eth0 proto kernel metric 256 pref medium
> > 2a01:4f8:c17:1f2d:cafe::123 dev eth0 proto kernel metric 256 pref medium
> > 2a01:4f8:c17:1f2d:ffff::/80 dev eth0 proto kernel metric 256 pref medium
> > fe80::/64 dev eth0 proto kernel metric 256 pref medium
> > default via fe80::1 dev eth0 metric 1024 onlink pref medium
> > local ::1 dev lo table local proto kernel metric 0 pref medium
> > local 2a01:4f8:c17:1f2d::1 dev eth0 table local proto kernel metric 0 pref medium
> > local 2a01:4f8:c17:1f2d:cafe::123 dev eth0 table local proto kernel metric 0 pref medium
> > local 2a01:4f8:c17:1f2d:ffff:: dev eth0 table local proto kernel metric 0 pref medium
> > anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
> > local fe80::9400:ff:fef1:6bcb dev eth0 table local proto kernel metric 0 pref medium
> > multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
> >
> > *ip address*
> >
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 scope host lo
> >        valid_lft forever preferred_lft forever
> >     inet6 ::1/128 scope host
> >        valid_lft forever preferred_lft forever
> > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> >     link/ether 96:00:00:f1:6b:cb brd ff:ff:ff:ff:ff:ff
> >     altname enp0s3
> >     altname ens3
> >     inet 162.55.173.134/32 brd 162.55.173.134 scope global dynamic eth0
> >        valid_lft 82750sec preferred_lft 82750sec
> >     inet6 2a01:4f8:c17:1f2d:ffff::/80 scope global
> >        valid_lft forever preferred_lft forever
> >     inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
> >        valid_lft forever preferred_lft forever
> >     inet6 2a01:4f8:c17:1f2d::1/128 scope global
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::9400:ff:fef1:6bcb/64 scope link
> >        valid_lft forever preferred_lft forever
> >
> > Please let me know if you need anything else. Much appreciated.
> >
> > Thank you,
> > Houman
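A small cross-check that a defender would run over the material quoted in this thread, added here as an example (it is not code from the thread, from strongSwan or from either poster). It parses the ICMP6 destination-unreachable lines in the format `tcpdump icmp6` prints, tallies them per sender, and checks two things the thread's own output makes visible: whether any sender of those errors is an address configured on the gateway itself (the quoted `ip address` lists 2a01:4f8:c17:1f2d::1/128 on eth0, and the charon log shows the same address being assigned as the peer's virtual IP), and whether the `rightsourceip` pool overlaps the gateway's own IPv6 prefixes. The sample inputs are a few lines copied from the thread plus one constructed neighbor-solicitation line to show that non-error ICMP6 lines are ignored; the function names and the report layout are my own.

```python
"""Cross-check a `tcpdump icmp6` capture against the gateway's own IPv6
addresses and the strongSwan virtual IP pool (added example, standard
library only)."""
import ipaddress
import re
from collections import Counter

# Sample input: three lines copied from the thread's tcpdump output plus one
# constructed neighbor-solicitation line that the parser must skip.
TCPDUMP_SAMPLE = """\
12:51:32.014856 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 55160, length 114
12:51:32.014980 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 52502, length 111
12:51:35.000000 IP6 fe80::1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:4f8:c17:1f2d::1, length 32
12:51:37.230741 IP6 2a01:4f8:c17:1f2d::1 > one.one.one.one: ICMP6, destination unreachable, unreachable port, 2a01:4f8:c17:1f2d::1 udp port 59089, length 141
"""

# Sample input: the inet6 lines of the thread's `ip address` output.
IP_ADDRESS_SAMPLE = """\
    inet6 2a01:4f8:c17:1f2d:ffff::/80 scope global
    inet6 2a01:4f8:c17:1f2d:cafe::123/128 scope global
    inet6 2a01:4f8:c17:1f2d::1/128 scope global
    inet6 fe80::9400:ff:fef1:6bcb/64 scope link
"""

# One tcpdump line per ICMP6 destination-unreachable message. The lazy
# `\S+?` groups stop at " > " and ": ICMP6", so they also work when tcpdump
# prints numeric IPv6 addresses (which contain colons) instead of hostnames.
ICMP6_UNREACH = re.compile(
    r"IP6 (?P<src>\S+?) > (?P<dst>\S+?): ICMP6, destination unreachable, "
    r"(?P<reason>[^,]+), (?P<orig_dst>\S+) (?P<proto>\w+) port (?P<port>\d+), "
    r"length (?P<length>\d+)"
)


def parse_icmp6_unreachable(text):
    """Return one dict per destination-unreachable line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = ICMP6_UNREACH.search(line)
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            ev["length"] = int(ev["length"])
            events.append(ev)
    return events


def parse_local_inet6(text):
    """Return the IPv6 interface addresses (with prefix) listed by `ip address`."""
    return [ipaddress.IPv6Interface(m.group(1))
            for m in re.finditer(r"inet6 (\S+)", text)]


def analyse(tcpdump_text, ip_address_text, pool_cidr):
    """Correlate ICMP6 errors with local addresses and the virtual IP pool."""
    events = parse_icmp6_unreachable(tcpdump_text)
    local = parse_local_inet6(ip_address_text)
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    local_addrs = {iface.ip for iface in local}

    by_source = Counter(ev["src"] for ev in events)

    # Errors whose sender is an address configured on this host: the host's
    # own stack, not a peer behind the tunnel, generated them.
    self_generated = set()
    for ev in events:
        try:
            if ipaddress.ip_address(ev["src"]) in local_addrs:
                self_generated.add(ev["src"])
        except ValueError:
            pass  # tcpdump printed a hostname; cannot be a local address match

    # Local prefixes that overlap the pool handed out to VPN clients.
    pool_collisions = sorted(str(iface) for iface in local
                             if iface.network.overlaps(pool))

    return {
        "unreachable_by_source": dict(by_source),
        "self_generated_sources": sorted(self_generated),
        "pool_collisions": pool_collisions,
    }


if __name__ == "__main__":
    report = analyse(TCPDUMP_SAMPLE, IP_ADDRESS_SAMPLE, "2a01:4f8:c17:1f2d::/64")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample, the report lists 2a01:4f8:c17:1f2d::1 as the only sender of port-unreachable errors, flags it as an address configured on the gateway itself, and shows all three global prefixes on eth0 falling inside the 2a01:4f8:c17:1f2d::/64 pool. To use it on a live system, feed it the full `tcpdump -n icmp6` and `ip -6 address` output and the `rightsourceip` IPv6 pool from ipsec.conf; an empty `self_generated_sources` and `pool_collisions` is what a clean address plan looks like.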