Hi Noel,

You are right, the default policy is set to ACCEPT for debugging purposes; once I have set up the IPv6 tunnel, I’ll set it to DROP. The IPv6 address on eth0 and the IPv4 address on eth1 are set by the cloud provider of the VM, nothing I can do about that. Setting the rp_filter for all interfaces to 2 makes no difference though… Any other suggestions are most welcome.
Thanks

> On Jun 3, 2018, at 14:47, Noel Kuntze <[email protected]> wrote:
>
> Hi,
>
> This looks okay, although the rules are largely useless, because it's a
> blacklist, not a whitelist.
>
> I could spot that you have IPv4 on eth1 and IPv6 on eth0. Because the return
> path to Mac OS is different between the two families, I think the return path
> filter drops the packets. Set it to 2 for both eth0 and eth1. Use sysctl -w
> net.ipv4.conf.eth0.rp_filter=2 net.ipv4.conf.eth1.rp_filter=2 for that, then
> test again. Use /etc/sysctl.d/ to make it permanent.
>
> Kind regards
>
> Noel
>
> On 02.06.2018 22:40, Giorgos Mavrikas wrote:
>> Hi Noel,
>>
>> Thanks for replying.
>> Here is the output of iptables-save and ip6tables-save:
>>
>> root@snf-823515:~# iptables-save
>> # Generated by iptables-save v1.6.1 on Sat Jun 2 23:38:02 2018
>> *mangle
>> :PREROUTING ACCEPT [1267325:876958065]
>> :INPUT ACCEPT [1237708:851646057]
>> :FORWARD ACCEPT [29479:25297360]
>> :OUTPUT ACCEPT [1254056:1043029543]
>> :POSTROUTING ACCEPT [1283535:1068326903]
>> -A FORWARD -s 172.18.72.0/24 -o eth1 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> -A FORWARD -s 172.18.73.0/24 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> COMMIT
>> # Completed on Sat Jun 2 23:38:02 2018
>> # Generated by iptables-save v1.6.1 on Sat Jun 2 23:38:02 2018
>> *nat
>> :PREROUTING ACCEPT [80004:7959890]
>> :INPUT ACCEPT [79118:7842531]
>> :OUTPUT ACCEPT [8028:605426]
>> :POSTROUTING ACCEPT [8029:605466]
>> -A POSTROUTING -s 172.18.72.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
>> -A POSTROUTING -s 172.18.73.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 --persistent
>> -A POSTROUTING -s 172.18.72.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 --persistent
>> COMMIT
>> # Completed on Sat Jun 2 23:38:02 2018
>> # Generated by iptables-save v1.6.1 on Sat Jun 2 23:38:02 2018
>> *filter
>> :INPUT ACCEPT [79598:7901697]
>> :FORWARD ACCEPT [522:75308]
>> :OUTPUT ACCEPT [1254057:1043029895]
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
>> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
>> -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
>> -A INPUT -i eth1 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
>> -A FORWARD -s 172.18.72.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
>> -A FORWARD -d 172.18.72.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>> COMMIT
>> # Completed on Sat Jun 2 23:38:02 2018
>>
>>
>> root@snf-823515:~# ip6tables-save
>> # Generated by ip6tables-save v1.6.1 on Sat Jun 2 23:39:30 2018
>> *filter
>> :INPUT ACCEPT [9613:6437361]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [7799:673126]
>> -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
>> COMMIT
>> # Completed on Sat Jun 2 23:39:30 2018
>>
>> Thanks,
>> GeorgeM
>>
>>> On Jun 2, 2018, at 23:35, Noel Kuntze <[email protected]> wrote:
>>>
>>> Hello,
>>>
>>> Please provide your iptables and ip6tables rules. Use iptables-save and
>>> ip6tables-save.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 01.06.2018 23:15, Giorgos Mavrikas wrote:
>>>> Hi,
>>>>
>>>> I have a problem that’s been bugging me for two days straight. I have
>>>> looked into the wiki documentation regarding routing, but I cannot figure
>>>> this out. Any help would be much appreciated.
>>>> I have a simple “road warrior” type setup, with SW listening on both v4
>>>> and v6. I want clients to be able to connect to both v4 and v6, but the
>>>> tunnel should only carry v4 traffic.
>>>> The v4 part works great. The v6 part connects OK (after some extra module
>>>> loading) and tunnel traffic gets all the way from the client to the
>>>> external interface of the server where it gets NAT-ted and a reply is
>>>> received. After that, the packet goes missing, it’s never received on the
>>>> client’s tunnel interface. I cannot find out why this happens, all xfrm
>>>> policies look good to my eyes.
>>>>
>>>> Snoop on the client (macOS)
>>>> gmvmbp15r:~ root# tcpdump -ni ipsec0 icmp
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
>>>> 00:11:43.251689 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 3, length 64
>>>> 00:11:44.253234 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 4, length 64
>>>> 00:11:45.257160 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 5, length 64
>>>> 00:11:46.258467 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
>>>>
>>>> Snoop on the public interface of the server (Ubuntu 18.04)
>>>> root@snf-823515:~# tcpdump -ni eth1 icmp
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
>>>> 00:11:46.257089 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
>>>> 00:11:46.259361 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 6, length 64
>>>> 00:11:47.274263 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 7, length 64
>>>> 00:11:47.276714 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 7, length 64
>>>>
>>>> Thanks for taking the time!
>>>>
>>>> My config follows.
>>>>
>>>> -> ipsec.conf
>>>> config setup
>>>>     charondebug="ike 1, knl 1, cfg 0"
>>>>     uniqueids=no
>>>>
>>>> conn ikev2-vpn
>>>>     auto=add
>>>>     compress=no
>>>>     type=tunnel
>>>>     keyexchange=ikev2
>>>>     fragmentation=yes
>>>>     forceencaps=no
>>>>     ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>>>>     esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>>>>     dpdaction=clear
>>>>     dpddelay=300s
>>>>     rekey=no
>>>>     left=%any
>>>>     [email protected]
>>>>     leftcert=/etc/letsencrypt/live/tunnel2.mavrikas.com/fullchain.pem
>>>>     leftsendcert=always
>>>>     leftsubnet=0.0.0.0/0
>>>>     right=%any
>>>>     rightid=%any
>>>>     rightauth=eap-mschapv2
>>>>     rightsourceip=172.18.72.0/24
>>>>     rightdns=1.0.0.1,1.1.1.1
>>>>     rightsendcert=never
>>>>     eap_identity=%identity
>>>>
>>>> -> v4 connection log (all OK):
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] dropped capabilities, running as uid 0, gid 0
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[JOB] spawning 16 worker threads
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] unknown attribute type (25)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] EAP-Identity request configured, but not supported
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0xFB)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] peer supports MOBIKE
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
>>>> Jun 2 00:04:22 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any6
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
>>>> Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>> Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any
>>>> Jun 2 00:04:22 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
>>>> Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
>>>> Jun 2 00:04:22 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
>>>> Jun 2 00:04:22 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
>>>> Jun 2 00:04:22 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>> Jun 2 00:04:22 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
>>>>
>>>> -> v6 connection log
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] dropped capabilities, running as uid 0, gid 0
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[JOB] spawning 16 worker threads
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] unknown attribute type (25)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] EAP-Identity request configured, but not supported
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0x5E)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] peer supports MOBIKE
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
>>>> Jun 2 00:05:30 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any6
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
>>>> Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>> Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any
>>>> Jun 2 00:05:30 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
>>>> Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
>>>> Jun 2 00:05:30 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
>>>> Jun 2 00:05:30 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
>>>> Jun 2 00:05:30 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>> Jun 2 00:05:30 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
>>>>
>>>> -> routing tables after v4 gets connected (ignore the tun* interfaces, they belong to OpenVPN)
>>>> 172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
>>>> default via 83.212.110.1 dev eth1 proto dhcp metric 101
>>>> 83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
>>>> 172.18.73.0/24 via 172.18.73.2 dev tun1
>>>> 172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
>>>> 172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
>>>> broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
>>>> local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
>>>> broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
>>>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
>>>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>>>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>>>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>>>> local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
>>>> local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
>>>> local ::1 dev lo proto kernel metric 256 pref medium
>>>> 2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
>>>> fe80::/64 dev eth0 proto kernel metric 100 pref medium
>>>> fe80::/64 dev eth1 proto kernel metric 101 pref medium
>>>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>>>> fe80::/64 dev eth1 proto kernel metric 256 pref medium
>>>> fe80::/64 dev tun1 proto kernel metric 256 pref medium
>>>> fe80::/64 dev tun0 proto kernel metric 256 pref medium
>>>> default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
>>>> local ::1 dev lo table local proto kernel metric 0 pref medium
>>>> local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
>>>> local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
>>>> local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
>>>> local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
>>>> local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
>>>> ff00::/8 dev eth0 table local metric 256 pref medium
>>>> ff00::/8 dev eth1 table local metric 256 pref medium
>>>> ff00::/8 dev tun1 table local metric 256 pref medium
>>>> ff00::/8 dev tun0 table local metric 256 pref medium
>>>>
>>>> -> routing tables after v6 gets connected
>>>> 172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
>>>> default via 83.212.110.1 dev eth1 proto dhcp metric 101
>>>> 83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
>>>> 172.18.73.0/24 via 172.18.73.2 dev tun1
>>>> 172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
>>>> 172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
>>>> broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
>>>> local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
>>>> broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
>>>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
>>>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>>>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>>>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>>>> local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
>>>> local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
>>>> local ::1 dev lo proto kernel metric 256 pref medium
>>>> 2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
>>>> fe80::/64 dev eth0 proto kernel metric 100 pref medium
>>>> fe80::/64 dev eth1 proto kernel metric 101 pref medium
>>>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>>>> fe80::/64 dev eth1 proto kernel metric 256 pref medium
>>>> fe80::/64 dev tun1 proto kernel metric 256 pref medium
>>>> fe80::/64 dev tun0 proto kernel metric 256 pref medium
>>>> default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
>>>> local ::1 dev lo table local proto kernel metric 0 pref medium
>>>> local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
>>>> local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
>>>> local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
>>>> local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
>>>> local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
>>>> ff00::/8 dev eth0 table local metric 256 pref medium
>>>> ff00::/8 dev eth1 table local metric 256 pref medium
>>>> ff00::/8 dev tun1 table local metric 256 pref medium
>>>> ff00::/8 dev tun0 table local metric 256 pref medium
>>>>
>>>> -> interface configuration
>>>> root@snf-823515:~# ip addr ls
>>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>>>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>>     inet 127.0.0.1/8 scope host lo
>>>>        valid_lft forever preferred_lft forever
>>>>     inet6 ::1/128 scope host
>>>>        valid_lft forever preferred_lft forever
>>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>>>     link/ether aa:00:04:1e:a3:7e brd ff:ff:ff:ff:ff:ff
>>>>     inet6 2001:648:2ffc:1225:a800:4ff:fe1e:a37e/64 scope global noprefixroute
>>>>        valid_lft forever preferred_lft forever
>>>>     inet6 fe80::a800:4ff:fe1e:a37e/64 scope link noprefixroute
>>>>        valid_lft forever preferred_lft forever
>>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>>>     link/ether aa:0c:f4:7b:f9:1d brd ff:ff:ff:ff:ff:ff
>>>>     inet 83.212.111.156/23 brd 83.212.111.255 scope global dynamic noprefixroute eth1
>>>>        valid_lft 603582sec preferred_lft 603582sec
>>>>     inet6 fe80::3948:27b7:f4d2:fa55/64 scope link noprefixroute
>>>>        valid_lft forever preferred_lft forever
>>>> 4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
>>>>     link/sit 0.0.0.0 brd 0.0.0.0
>>>> 5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
>>>>     link/none
>>>>     inet 172.18.73.1 peer 172.18.73.2/32 scope global tun0
>>>>        valid_lft forever preferred_lft forever
>>>>     inet6 fe80::8c31:575c:4950:fa28/64 scope link stable-privacy
>>>>        valid_lft forever preferred_lft forever
>>>> 6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
>>>>     link/none
>>>>     inet 172.18.73.1 peer 172.18.73.2/32 scope global tun1
>>>>        valid_lft forever preferred_lft forever
>>>>     inet6 fe80::e403:923b:5769:5de/64 scope link stable-privacy
>>>>        valid_lft forever preferred_lft forever
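Two points from Noel's reply are worth checking mechanically before the tunnel is declared done: the filter chains are a blacklist (default policy ACCEPT, with a few REJECT rules), and rp_filter has to be loosened on both eth0 and eth1. The script below is an added example, not code from the thread or from strongSwan. It parses an iptables-save dump, reports INPUT/FORWARD chains that still default to ACCEPT, renders the same table with a DROP policy (the whitelist form), and computes the effective rp_filter per interface, which the kernel takes as the maximum of net.ipv4.conf.all.rp_filter and the per-interface value, before producing the /etc/sysctl.d/ drop-in. The dump and the sysctl lines are constructed to mirror the shape of the output posted in the thread; 198.51.100.10 is a documentation address standing in for the real SNAT source.

```python
"""Audit helpers for the two findings in the thread: blacklist-style filter
chains and strict reverse-path filtering on a split IPv4/IPv6 host.
Added example; the sample dump and sysctl lines are constructed."""
import re

# constructed iptables-save dump, same chain layout as the one posted
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.18.72.0/24 -o eth1 -j SNAT --to-source 198.51.100.10
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
-A FORWARD -s 172.18.72.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 172.18.72.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
"""

# constructed `sysctl -a`-style lines: conf.all strict, eth1 already loosened
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 2
"""

DENY_TARGETS = ("REJECT", "DROP")


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": {chain: [line, ...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policies": {}, "rules": {}}
        elif line.startswith(":"):                    # chain policy, e.g. :INPUT ACCEPT [0:0]
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
            tables[table]["rules"].setdefault(chain, [])
        elif line.startswith("-A "):                  # append rule; chain is the 2nd token
            tables[table]["rules"].setdefault(line.split()[1], []).append(line)
    return tables


def rule_target(rule):
    m = re.search(r"-j (\S+)", rule)
    return m.group(1) if m else None


def blacklist_chains(tables):
    """INPUT/FORWARD chains that default to ACCEPT: each REJECT/DROP rule is a
    blacklist entry, and whatever is not named explicitly gets through."""
    filt = tables.get("filter", {"policies": {}, "rules": {}})
    return [
        {"chain": c, "deny_rules": sum(rule_target(r) in DENY_TARGETS for r in filt["rules"].get(c, []))}
        for c, p in filt["policies"].items()
        if c in ("INPUT", "FORWARD") and p == "ACCEPT"
    ]


def to_whitelist(tables):
    """Render the filter table with INPUT and FORWARD defaulting to DROP. The
    existing rules are kept (the REJECTs become redundant but harmless); a
    loopback accept is inserted first if missing, since DROP would cut it off."""
    filt = tables["filter"]
    out = ["*filter"]
    for chain, policy in filt["policies"].items():
        out.append(f":{chain} {'DROP' if chain in ('INPUT', 'FORWARD') else policy} [0:0]")
    input_rules = list(filt["rules"].get("INPUT", []))
    if not any(" -i lo " in r + " " for r in input_rules):
        input_rules.insert(0, "-A INPUT -i lo -j ACCEPT")
    for chain, rules in filt["rules"].items():
        out.extend(input_rules if chain == "INPUT" else rules)
    out.append("COMMIT")
    return "\n".join(out) + "\n"


def parse_rp_filter(sysctl_text):
    """Map 'all', 'default' or an interface name -> rp_filter value."""
    values = {}
    for line in sysctl_text.splitlines():
        m = re.match(r"net\.ipv4\.conf\.([^.]+)\.rp_filter\s*=\s*(\d)", line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def effective_rp_filter(values, iface):
    """Kernel semantics: max(conf.all, conf.<iface>); 0 off, 1 strict, 2 loose.
    A per-interface 2 therefore wins over all=1, and all=2 loosens every interface."""
    return max(values.get("all", 0), values.get(iface, 0))


def strict_rp_filter(values, ifaces):
    """Interfaces whose effective mode is still strict; this is the check behind
    Noel's suggestion to set both eth0 and eth1 to 2 on a split v4/v6 host."""
    return [i for i in ifaces if effective_rp_filter(values, i) == 1]


def sysctl_dropin(ifaces, value=2):
    """Contents for a file under /etc/sysctl.d/ to make the setting permanent."""
    return "".join(f"net.ipv4.conf.{i}.rp_filter = {value}\n" for i in ifaces)


if __name__ == "__main__":
    tables = parse_iptables_save(SAMPLE_IPTABLES_SAVE)
    for f in blacklist_chains(tables):
        print(f"{f['chain']}: policy ACCEPT with {f['deny_rules']} deny rule(s), blacklist style")
    print(to_whitelist(tables))
    rp = parse_rp_filter(SAMPLE_SYSCTL)
    print("still strict:", strict_rp_filter(rp, ["eth0", "eth1"]))
    print(sysctl_dropin(["eth0", "eth1"]), end="")
```

Run against a real dump with `iptables-save | python3 audit.py` after swapping the sample for `sys.stdin.read()`. The same conversion applies to the ip6tables filter table posted above, with one extra requirement: under a DROP policy on INPUT, IPv6 needs ICMPv6 accepted for neighbour discovery and UDP 500/4500 accepted for IKE, neither of which the posted ip6tables rules list, because the ACCEPT policy has been letting them through.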
