Hello,

Please provide your iptables and ip6tables rules. Use iptables-save and ip6tables-save.

Kind regards
Noel

On 01.06.2018 23:15, Giorgos Mavrikas wrote:
> Hi,
>
> I have a problem that's been bugging me for two days straight. I have looked
> into the wiki documentation regarding routing, but I cannot figure this out.
> Any help would be much appreciated.
> I have a simple "road warrior" type setup, with SW listening on both v4 and
> v6. I want clients to be able to connect to both v4 and v6, but the tunnel
> should only carry v4 traffic.
> The v4 part works great. The v6 part connects OK (after some extra module
> loading) and tunnel traffic gets all the way from the client to the external
> interface of the server, where it gets NAT-ted and a reply is received. After
> that, the packet goes missing; it's never received on the client's tunnel
> interface. I cannot find out why this happens, all xfrm policies look good to
> my eyes.
>
> Snoop on the client (macOS)
> gmvmbp15r:~ root# tcpdump -ni ipsec0 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
> 00:11:43.251689 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 3, length 64
> 00:11:44.253234 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 4, length 64
> 00:11:45.257160 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 5, length 64
> 00:11:46.258467 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
>
> Snoop on the public interface of the server (Ubuntu 18.04)
> root@snf-823515:~# tcpdump -ni eth1 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 00:11:46.257089 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
> 00:11:46.259361 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 6, length 64
> 00:11:47.274263 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 7, length 64
> 00:11:47.276714 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 7, length 64
>
> Thanks for taking the time!
>
> My config follows.
>
> -> ipsec.conf
> config setup
>     charondebug="ike 1, knl 1, cfg 0"
>     uniqueids=no
>
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=no
>     ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>     esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=[email protected]
>     leftcert=/etc/letsencrypt/live/tunnel2.mavrikas.com/fullchain.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightsourceip=172.18.72.0/24
>     rightdns=1.0.0.1,1.1.1.1
>     rightsendcert=never
>     eap_identity=%identity
>
> -> v4 connection log (all OK):
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[JOB] spawning 16 worker threads
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] unknown attribute type (25)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] EAP-Identity request configured, but not supported
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0xFB)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] peer supports MOBIKE
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
> Jun 2 00:04:22 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any6
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any
> Jun 2 00:04:22 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
> Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
> Jun 2 00:04:22 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
> Jun 2 00:04:22 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
> Jun 2 00:04:22 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> Jun 2 00:04:22 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
>
> -> v6 connection log
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[JOB] spawning 16 worker threads
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] unknown attribute type (25)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] EAP-Identity request configured, but not supported
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0x5E)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] peer supports MOBIKE
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
> Jun 2 00:05:30 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any6
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any
> Jun 2 00:05:30 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
> Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
> Jun 2 00:05:30 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
> Jun 2 00:05:30 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
> Jun 2 00:05:30 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> Jun 2 00:05:30 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
>
> -> routing tables after v4 gets connected (ignore the tun* interfaces, they
> belong to OpenVPN)
> 172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
> default via 83.212.110.1 dev eth1 proto dhcp metric 101
> 83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
> 172.18.73.0/24 via 172.18.73.2 dev tun1
> 172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
> 172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
> broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
> local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
> broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
> local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
> local ::1 dev lo proto kernel metric 256 pref medium
> 2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
> fe80::/64 dev eth0 proto kernel metric 100 pref medium
> fe80::/64 dev eth1 proto kernel metric 101 pref medium
> fe80::/64 dev eth0 proto kernel metric 256 pref medium
> fe80::/64 dev eth1 proto kernel metric 256 pref medium
> fe80::/64 dev tun1 proto kernel metric 256 pref medium
> fe80::/64 dev tun0 proto kernel metric 256 pref medium
> default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
> local ::1 dev lo table local proto kernel metric 0 pref medium
> local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
> local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
> local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
> local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
> local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
> ff00::/8 dev eth0 table local metric 256 pref medium
> ff00::/8 dev eth1 table local metric 256 pref medium
> ff00::/8 dev tun1 table local metric 256 pref medium
> ff00::/8 dev tun0 table local metric 256 pref medium
>
> -> routing tables after v6 gets connected
> 172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
> default via 83.212.110.1 dev eth1 proto dhcp metric 101
> 83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
> 172.18.73.0/24 via 172.18.73.2 dev tun1
> 172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
> 172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
> broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
> local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
> broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
> local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
> local ::1 dev lo proto kernel metric 256 pref medium
> 2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
> fe80::/64 dev eth0 proto kernel metric 100 pref medium
> fe80::/64 dev eth1 proto kernel metric 101 pref medium
> fe80::/64 dev eth0 proto kernel metric 256 pref medium
> fe80::/64 dev eth1 proto kernel metric 256 pref medium
> fe80::/64 dev tun1 proto kernel metric 256 pref medium
> fe80::/64 dev tun0 proto kernel metric 256 pref medium
> default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
> local ::1 dev lo table local proto kernel metric 0 pref medium
> local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
> local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
> local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
> local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
> local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
> ff00::/8 dev eth0 table local metric 256 pref medium
> ff00::/8 dev eth1 table local metric 256 pref medium
> ff00::/8 dev tun1 table local metric 256 pref medium
> ff00::/8 dev tun0 table local metric 256 pref medium
>
> -> interface configuration
> root@snf-823515:~# ip addr ls
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether aa:00:04:1e:a3:7e brd ff:ff:ff:ff:ff:ff
>     inet6 2001:648:2ffc:1225:a800:4ff:fe1e:a37e/64 scope global noprefixroute
>        valid_lft forever preferred_lft forever
>     inet6 fe80::a800:4ff:fe1e:a37e/64 scope link noprefixroute
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether aa:0c:f4:7b:f9:1d brd ff:ff:ff:ff:ff:ff
>     inet 83.212.111.156/23 brd 83.212.111.255 scope global dynamic noprefixroute eth1
>        valid_lft 603582sec preferred_lft 603582sec
>     inet6 fe80::3948:27b7:f4d2:fa55/64 scope link noprefixroute
>        valid_lft forever preferred_lft forever
> 4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
>     link/sit 0.0.0.0 brd 0.0.0.0
> 5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
>     link/none
>     inet 172.18.73.1 peer 172.18.73.2/32 scope global tun0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::8c31:575c:4950:fa28/64 scope link stable-privacy
>        valid_lft forever preferred_lft forever
> 6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
>     link/none
>     inet 172.18.73.1 peer 172.18.73.2/32 scope global tun1
>        valid_lft forever preferred_lft forever
>     inet6 fe80::e403:923b:5769:5de/64 scope link stable-privacy
>        valid_lft forever preferred_lft forever
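The two captures quoted in the thread tell the whole story once they are correlated by ICMP id/seq: the request leaves the client's tunnel interface as 172.18.72.1, shows up NAT-ted on the server's eth1 as 83.212.111.156, the reply comes back to eth1, and nothing reaches ipsec0. The script below is an added diagnostic example (not part of either mail) that does that correlation mechanically, so the same check can be repeated after each change to the firewall or xfrm configuration. The sample lines are constructed from the captures quoted above, unwrapped to one line per packet; the function names are the example's own.

```python
"""Correlate ICMP echo request/reply pairs across two tcpdump captures.

Added example for the strongSwan thread above; it is not code from the
thread. The sample input below is constructed from the two captures
quoted in the mail (client ipsec0 and server eth1), one packet per line.
"""
import re
from collections import defaultdict

# Constructed sample: client side, tcpdump -ni ipsec0 icmp (from the thread).
CLIENT_IPSEC0 = """\
00:11:43.251689 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 3, length 64
00:11:44.253234 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 4, length 64
00:11:45.257160 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 5, length 64
00:11:46.258467 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
"""

# Constructed sample: server side, tcpdump -ni eth1 icmp (from the thread).
SERVER_ETH1 = """\
00:11:46.257089 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
00:11:46.259361 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 6, length 64
00:11:47.274263 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 7, length 64
00:11:47.276714 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 7, length 64
"""

# Matches the "tcpdump -n" one-line ICMP echo format on both Linux and macOS.
ECHO_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Parse tcpdump ICMP echo lines into dicts; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ECHO_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["id"], rec["seq"] = int(rec["id"]), int(rec["seq"])
            records.append(rec)
    return records


def echo_pairs(records):
    """Group packets by (id, seq) into {'request': rec|None, 'reply': rec|None}."""
    pairs = defaultdict(lambda: {"request": None, "reply": None})
    for rec in records:
        pairs[(rec["id"], rec["seq"])][rec["kind"]] = rec
    return dict(pairs)


def nat_translations(client_records, server_records):
    """Inner -> outer source address pairs for requests seen on both sides.

    A non-empty result confirms the forward path: the packet crossed the
    tunnel and was NAT-ted before leaving the server's public interface.
    """
    server_req = {(r["id"], r["seq"]): r
                  for r in server_records if r["kind"] == "request"}
    seen = set()
    for rec in client_records:
        if rec["kind"] != "request":
            continue
        match = server_req.get((rec["id"], rec["seq"]))
        if match:
            seen.add((rec["src"], match["src"]))
    return seen


def lost_on_return_path(client_records, server_records):
    """(id, seq) for which the server's public interface saw an echo reply
    but the client's tunnel interface never did: the return-path gap."""
    client = echo_pairs(client_records)
    server = echo_pairs(server_records)
    return sorted(
        key for key, pair in server.items()
        if pair["reply"] is not None
        and (key not in client or client[key]["reply"] is None)
    )


def report(client_text, server_text):
    """Summary worth pasting back to the list after each config change."""
    client, server = parse_capture(client_text), parse_capture(server_text)
    return {
        "nat": nat_translations(client, server),
        "lost_on_return": lost_on_return_path(client, server),
        "client_replies_seen": sum(1 for r in client if r["kind"] == "reply"),
    }


if __name__ == "__main__":
    print(report(CLIENT_IPSEC0, SERVER_ETH1))
```

On the thread's data the report shows the NAT mapping 172.18.72.1 -> 83.212.111.156, two replies (seq 6 and 7) seen on eth1 and none on ipsec0, which is exactly the symptom described. The two captures were not started at the same moment, so "requests seen on one side only" is not reported as a fault; only a reply that reached the server and never reached the client counts. With the iptables-save and ip6tables-save output Noel asks for, the same captures can be re-run on the server's eth1 and on the IPv6-facing eth0 to see whether the encapsulated reply ever leaves the box.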