Hi, I have a problem that’s been bugging me for two days straight. I have looked into the wiki documentation regarding routing, but I cannot figure this out. Any help would be much appreciated. I have a simple “road warrior” type setup, with SW listening on both v4 and v6. I want clients to be able to connect to both v4 and v6, but the tunnel should only carry v4 traffic. The v4 part works great. The v6 part connects OK (after some extra module loading) and tunnel traffic gets all the way from the client to the external interface of the server, where it gets NAT-ted and a reply is received. After that, the packet goes missing; it’s never received on the client’s tunnel interface. I cannot find out why this happens; all xfrm policies look good to my eyes.

Snoop on the client (macOS)

gmvmbp15r:~ root# tcpdump -ni ipsec0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
00:11:43.251689 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 3, length 64
00:11:44.253234 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 4, length 64
00:11:45.257160 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 5, length 64
00:11:46.258467 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64

Snoop on the public interface of the server (Ubuntu 18.04)

root@snf-823515:~# tcpdump -ni eth1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:11:46.257089 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
00:11:46.259361 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 6, length 64
00:11:47.274263 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 7, length 64
00:11:47.276714 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 7, length 64

Thanks for taking the time! My config follows.

-> ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=no
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    [email protected]
    leftcert=/etc/letsencrypt/live/tunnel2.mavrikas.com/fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=172.18.72.0/24
    rightdns=1.0.0.1,1.1.1.1
    rightsendcert=never
    eap_identity=%identity

-> v4 connection log (all OK):

Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[JOB] spawning 16 worker threads
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] unknown attribute type (25)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] EAP-Identity request configured, but not supported
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0xFB)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] peer supports MOBIKE
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun 2 00:04:22 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any6
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any
Jun 2 00:04:22 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
Jun 2 00:04:22 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:04:22 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:04:22 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:04:22 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)

-> v6 connection log

Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[JOB] spawning 16 worker threads
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] unknown attribute type (25)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] EAP-Identity request configured, but not supported
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0x5E)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] peer supports MOBIKE
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun 2 00:05:30 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any6
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any
Jun 2 00:05:30 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
Jun 2 00:05:30 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:05:30 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:05:30 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:05:30 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)

-> routing tables after v4 gets connected (ignore the tun* interfaces, they belong to OpenVPN)

172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
default via 83.212.110.1 dev eth1 proto dhcp metric 101
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
172.18.73.0/24 via 172.18.73.2 dev tun1
172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
local ::1 dev lo proto kernel metric 256 pref medium
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium

-> routing tables after v6 gets connected

172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
default via 83.212.110.1 dev eth1 proto dhcp metric 101
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
172.18.73.0/24 via 172.18.73.2 dev tun1
172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
local ::1 dev lo proto kernel metric 256 pref medium
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium

-> interface configuration

root@snf-823515:~# ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:04:1e:a3:7e brd ff:ff:ff:ff:ff:ff
    inet6 2001:648:2ffc:1225:a800:4ff:fe1e:a37e/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::a800:4ff:fe1e:a37e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:0c:f4:7b:f9:1d brd ff:ff:ff:ff:ff:ff
    inet 83.212.111.156/23 brd 83.212.111.255 scope global dynamic noprefixroute eth1
       valid_lft 603582sec preferred_lft 603582sec
    inet6 fe80::3948:27b7:f4d2:fa55/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.18.73.1 peer 172.18.73.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::8c31:575c:4950:fa28/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.18.73.1 peer 172.18.73.2/32 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::e403:923b:5769:5de/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
