Hi,

Then try setting it to 0. I'm not criticising you or the provider. It's just 
the possible source of problems.

Kind regards

Noel

On 03.06.2018 21:13, Giorgos Mavrikas wrote:
> Hi Noel,
> 
> You are right, the default policy is set to ACCEPT for debugging purposes, 
> once I have set up the IPv6 tunnel, I’ll set it to DROP.
> The IPv6 address on eth0 and IPv4 on eth1 is set by the cloud provider of the 
> VM, nothing I can do about that.
> Setting the rp_filter for all interfaces to 2 makes no difference though…
> Any other suggestions are most welcome.
> 
> Thanks
> 
>> On Jun 3, 2018, at 14:47, Noel Kuntze 
>> <[email protected]> wrote:
>>
>> Hi,
>>
>> This looks okay, although the rules are largely useless, because it's a 
>> blacklist, not a whitelist.
>>
>> I could spot that you have IPv4 on eth1 and IPv6 on eth0. Because the return 
>> path to Mac OS is different between the two families, I think the return 
>> path filter drops the packets. Set it to 2 for both eth0 and eth1. Use 
>> sysctl -w net.ipv4.conf.eth0.rp_filter=2 net.ipv4.conf.eth1.rp_filter=2 for 
>> that, then test again. Use /etc/sysctl.d/ to make it permanent.
>>
>> Kind regards
>>
>> Noel
>>
>> On 02.06.2018 22:40, Giorgos Mavrikas wrote:
>>> Hi Noel,
>>>
>>> Thanks for replying.
>>> Here is the output of iptables-save and ip6tables-save:
>>>
>>> root@snf-823515:~# iptables-save 
>>> # Generated by iptables-save v1.6.1 on Sat Jun  2 23:38:02 2018
>>> *mangle
>>> :PREROUTING ACCEPT [1267325:876958065]
>>> :INPUT ACCEPT [1237708:851646057]
>>> :FORWARD ACCEPT [29479:25297360]
>>> :OUTPUT ACCEPT [1254056:1043029543]
>>> :POSTROUTING ACCEPT [1283535:1068326903]
>>> -A FORWARD -s 172.18.72.0/24 -o eth1 -p tcp -m policy --dir in --pol ipsec 
>>> -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>> -A FORWARD -s 172.18.73.0/24 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN 
>>> -j TCPMSS --clamp-mss-to-pmtu
>>> COMMIT
>>> # Completed on Sat Jun  2 23:38:02 2018
>>> # Generated by iptables-save v1.6.1 on Sat Jun  2 23:38:02 2018
>>> *nat
>>> :PREROUTING ACCEPT [80004:7959890]
>>> :INPUT ACCEPT [79118:7842531]
>>> :OUTPUT ACCEPT [8028:605426]
>>> :POSTROUTING ACCEPT [8029:605466]
>>> -A POSTROUTING -s 172.18.72.0/24 -o eth1 -m policy --dir out --pol ipsec -j 
>>> ACCEPT
>>> -A POSTROUTING -s 172.18.73.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 
>>> --persistent
>>> -A POSTROUTING -s 172.18.72.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 
>>> --persistent
>>> COMMIT
>>> # Completed on Sat Jun  2 23:38:02 2018
>>> # Generated by iptables-save v1.6.1 on Sat Jun  2 23:38:02 2018
>>> *filter
>>> :INPUT ACCEPT [79598:7901697]
>>> :FORWARD ACCEPT [522:75308]
>>> :OUTPUT ACCEPT [1254057:1043029895]
>>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>>> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
>>> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
>>> -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
>>> -A INPUT -i eth1 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
>>> -A FORWARD -s 172.18.72.0/24 -m policy --dir in --pol ipsec --proto esp -j 
>>> ACCEPT
>>> -A FORWARD -d 172.18.72.0/24 -m policy --dir out --pol ipsec --proto esp -j 
>>> ACCEPT
>>> COMMIT
>>> # Completed on Sat Jun  2 23:38:02 2018
>>>
>>>
>>> root@snf-823515:~# ip6tables-save 
>>> # Generated by ip6tables-save v1.6.1 on Sat Jun  2 23:39:30 2018
>>> *filter
>>> :INPUT ACCEPT [9613:6437361]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [7799:673126]
>>> -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
>>> COMMIT
>>> # Completed on Sat Jun  2 23:39:30 2018
>>>
>>> Thanks,
>>> GeorgeM
>>>
>>>> On Jun 2, 2018, at 23:35, Noel Kuntze 
>>>> <[email protected]> wrote:
>>>>
>>>> Hello,
>>>>
>>>> Please provide your iptables and ip6tables rules. Use iptables-save and 
>>>> ip6tables-save.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> On 01.06.2018 23:15, Giorgos Mavrikas wrote:
>>>>> Hi,
>>>>>
>>>>> I have a problem that’s been bugging me for two days straight. I have 
>>>>> looked into the wiki documentation regarding routing, but I cannot figure 
>>>>> this out. Any help would be much appreciated.
>>>>> I have a simple “road warrior” type setup, with SW listening on both v4 
>>>>> and v6. I want clients to be able to connect to both v4 and v6, but the 
>>>>> tunnel should only carry v4 traffic.
>>>>> The v4 part works great. The v6 part connects OK (after some extra module 
>>>>> loading) and tunnel traffic gets all the way from the client to the 
>>>>> external interface of the server where it gets NAT-ted and a reply is 
>>>>> received. After that, the packet goes missing; it’s never received on the 
>>>>> client’s tunnel interface. I cannot find out why this happens, all xfrm 
>>>>> policies look good to my eyes.
>>>>>
>>>>> Snoop on the client (macOS)
>>>>> gmvmbp15r:~ root# tcpdump -ni ipsec0 icmp
>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>> listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 
>>>>> bytes
>>>>> 00:11:43.251689 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 
>>>>> 3, length 64
>>>>> 00:11:44.253234 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 
>>>>> 4, length 64
>>>>> 00:11:45.257160 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 
>>>>> 5, length 64
>>>>> 00:11:46.258467 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 
>>>>> 6, length 64
>>>>>
>>>>> Snoop on the public interface of the server (Ubuntu 18.04)
>>>>> root@snf-823515:~# tcpdump -ni eth1 icmp
>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>> listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
>>>>> 00:11:46.257089 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, 
>>>>> seq 6, length 64
>>>>> 00:11:46.259361 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, 
>>>>> seq 6, length 64
>>>>> 00:11:47.274263 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, 
>>>>> seq 7, length 64
>>>>> 00:11:47.276714 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, 
>>>>> seq 7, length 64
>>>>>
>>>>> Thanks for taking the time!
>>>>>
>>>>> My config follows.
>>>>>
>>>>> -> ipsec.conf
>>>>> config setup
>>>>>     charondebug="ike 1, knl 1, cfg 0"
>>>>>     uniqueids=no
>>>>>
>>>>> conn ikev2-vpn
>>>>>     auto=add
>>>>>     compress=no
>>>>>     type=tunnel
>>>>>     keyexchange=ikev2
>>>>>     fragmentation=yes
>>>>>     forceencaps=no
>>>>>     ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>>>>>     esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>>>>>     dpdaction=clear
>>>>>     dpddelay=300s
>>>>>     rekey=no
>>>>>     left=%any
>>>>>     [email protected]
>>>>>     leftcert=/etc/letsencrypt/live/tunnel2.mavrikas.com/fullchain.pem
>>>>>     leftsendcert=always
>>>>>     leftsubnet=0.0.0.0/0
>>>>>     right=%any
>>>>>     rightid=%any
>>>>>     rightauth=eap-mschapv2
>>>>>     rightsourceip=172.18.72.0/24
>>>>>     rightdns=1.0.0.1,1.1.1.1
>>>>>     rightsendcert=never
>>>>>     eap_identity=%identity
>>>>>
>>>>> -> v4 connection log (all OK):
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 00[DMN] Starting IKE charon 
>>>>> daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] loaded plugins: charon 
>>>>> aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints 
>>>>> pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf 
>>>>> gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default 
>>>>> connmark stroke updown eap-mschapv2 xauth-generic counters
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] dropped capabilities, 
>>>>> running as uid 0, gid 0
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 00[JOB] spawning 16 worker threads
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[NET] received packet: from 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] parsed IKE_SA_INIT 
>>>>> request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[IKE] 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] generating IKE_SA_INIT 
>>>>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 07[NET] sending packet: from 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[NET] received packet: from 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] unknown attribute type 
>>>>> (25)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] parsed IKE_AUTH request 1 
>>>>> [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 
>>>>> DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] EAP-Identity request 
>>>>> configured, but not supported
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] initiating EAP_MSCHAPV2 
>>>>> method (id 0xFB)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] received 
>>>>> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] peer supports MOBIKE
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] authentication of 
>>>>> 'tunnel2.mavrikas.com' (myself) with RSA signature successful
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] sending end entity cert 
>>>>> "CN=tunnel2.mavrikas.com"
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH 
>>>>> response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] splitting IKE message 
>>>>> with length of 1968 bytes into 2 fragments
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH 
>>>>> response 1 [ EF(1/2) ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH 
>>>>> response 1 [ EF(2/2) ]
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] 
>>>>> established between 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[NET] received packet: from 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] parsed IKE_AUTH request 2 
>>>>> [ EAP/RES/MSCHAPV2 ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[IKE] EAP-MS-CHAPv2 username: 
>>>>> 'gmv'
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] generating IKE_AUTH 
>>>>> response 2 [ EAP/REQ/MSCHAPV2 ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 09[NET] sending packet: from 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[NET] received packet: from 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] parsed IKE_AUTH request 3 
>>>>> [ EAP/RES/MSCHAPV2 ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[IKE] EAP method EAP_MSCHAPV2 
>>>>> succeeded, MSK established
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] generating IKE_AUTH 
>>>>> response 3 [ EAP/SUCC ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 10[NET] sending packet: from 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[NET] received packet: from 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] parsed IKE_AUTH request 4 
>>>>> [ AUTH ]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 
>>>>> 'gmvmbp15r' with EAP successful
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 
>>>>> 'tunnel2.mavrikas.com' (myself) with EAP
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] IKE_SA ikev2-vpn[1] 
>>>>> established between 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP 
>>>>> %any
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] assigning virtual IP 
>>>>> 172.18.72.1 to peer 'gmv'
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP 
>>>>> %any6
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] no virtual IP found for 
>>>>> %any6 requested by 'gmv'
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] CHILD_SA ikev2-vpn{1} 
>>>>> established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 
>>>>> 172.18.72.1/32
>>>>> Jun  2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] generating IKE_AUTH 
>>>>> response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) 
>>>>> N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[IKE] assigning virtual IP 
>>>>> 172.18.72.1 to peer 'gmv'
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[IKE] no virtual IP found for %any6 
>>>>> requested by 'gmv'
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} 
>>>>> established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 
>>>>> 172.18.72.1/32
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 
>>>>> [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) 
>>>>> N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>> Jun  2 00:04:22 snf-823515 charon: 11[NET] sending packet: from 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
>>>>>
>>>>> -> v6 connection log
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 00[DMN] Starting IKE charon 
>>>>> daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] loaded plugins: charon 
>>>>> aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints 
>>>>> pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf 
>>>>> gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default 
>>>>> connmark stroke updown eap-mschapv2 xauth-generic counters
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] dropped capabilities, 
>>>>> running as uid 0, gid 0
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 00[JOB] spawning 16 worker threads
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[NET] received packet: from 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] parsed IKE_SA_INIT 
>>>>> request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[IKE] 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] generating IKE_SA_INIT 
>>>>> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 07[NET] sending packet: from 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[NET] received packet: from 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] unknown attribute type 
>>>>> (25)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] parsed IKE_AUTH request 1 
>>>>> [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 
>>>>> DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] EAP-Identity request 
>>>>> configured, but not supported
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] initiating EAP_MSCHAPV2 
>>>>> method (id 0x5E)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] received 
>>>>> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] peer supports MOBIKE
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] authentication of 
>>>>> 'tunnel2.mavrikas.com' (myself) with RSA signature successful
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] sending end entity cert 
>>>>> "CN=tunnel2.mavrikas.com"
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH 
>>>>> response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] splitting IKE message 
>>>>> with length of 1968 bytes into 2 fragments
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH 
>>>>> response 1 [ EF(1/2) ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH 
>>>>> response 1 [ EF(2/2) ]
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] 
>>>>> established between 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[NET] received packet: from 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] parsed IKE_AUTH request 2 
>>>>> [ EAP/RES/MSCHAPV2 ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[IKE] EAP-MS-CHAPv2 username: 
>>>>> 'gmv'
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] generating IKE_AUTH 
>>>>> response 2 [ EAP/REQ/MSCHAPV2 ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 09[NET] sending packet: from 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[NET] received packet: from 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] parsed IKE_AUTH request 3 
>>>>> [ EAP/RES/MSCHAPV2 ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[IKE] EAP method EAP_MSCHAPV2 
>>>>> succeeded, MSK established
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] generating IKE_AUTH 
>>>>> response 3 [ EAP/SUCC ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 10[NET] sending packet: from 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[NET] received packet: from 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] parsed IKE_AUTH request 4 
>>>>> [ AUTH ]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 
>>>>> 'gmvmbp15r' with EAP successful
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 
>>>>> 'tunnel2.mavrikas.com' (myself) with EAP
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] IKE_SA ikev2-vpn[1] 
>>>>> established between 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP 
>>>>> %any
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] assigning virtual IP 
>>>>> 172.18.72.1 to peer 'gmv'
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP 
>>>>> %any6
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] no virtual IP found for 
>>>>> %any6 requested by 'gmv'
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] CHILD_SA ikev2-vpn{1} 
>>>>> established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 
>>>>> 172.18.72.1/32
>>>>> Jun  2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] generating IKE_AUTH 
>>>>> response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) 
>>>>> N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[IKE] assigning virtual IP 
>>>>> 172.18.72.1 to peer 'gmv'
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[IKE] no virtual IP found for %any6 
>>>>> requested by 'gmv'
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} 
>>>>> established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 
>>>>> 172.18.72.1/32
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 
>>>>> [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) 
>>>>> N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>> Jun  2 00:05:30 snf-823515 charon: 11[NET] sending packet: from 
>>>>> 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 
>>>>> 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
>>>>>
>>>>> -> routing tables after v4 gets connected (ignore the tun* interfaces, 
>>>>> they belong to OpenVPN)
>>>>> 172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static 
>>>>> default via 83.212.110.1 dev eth1 proto dhcp metric 101 
>>>>> 83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 
>>>>> metric 101 
>>>>> 172.18.73.0/24 via 172.18.73.2 dev tun1 
>>>>> 172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1 
>>>>> 172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1 
>>>>> broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 
>>>>> 83.212.111.156 
>>>>> local 83.212.111.156 dev eth1 table local proto kernel scope host src 
>>>>> 83.212.111.156 
>>>>> broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 
>>>>> 83.212.111.156 
>>>>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 
>>>>> 127.0.0.1 
>>>>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 
>>>>> 127.0.0.1 
>>>>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
>>>>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 
>>>>> 127.0.0.1 
>>>>> local 172.18.73.1 dev tun1 table local proto kernel scope host src 
>>>>> 172.18.73.1 
>>>>> local 172.18.73.1 dev tun0 table local proto kernel scope host src 
>>>>> 172.18.73.1 
>>>>> local ::1 dev lo proto kernel metric 256 pref medium
>>>>> 2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
>>>>> fe80::/64 dev eth0 proto kernel metric 100 pref medium
>>>>> fe80::/64 dev eth1 proto kernel metric 101 pref medium
>>>>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>>>>> fe80::/64 dev eth1 proto kernel metric 256 pref medium
>>>>> fe80::/64 dev tun1 proto kernel metric 256 pref medium
>>>>> fe80::/64 dev tun0 proto kernel metric 256 pref medium
>>>>> default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref 
>>>>> high
>>>>> local ::1 dev lo table local proto kernel metric 0 pref medium
>>>>> local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto 
>>>>> kernel metric 0 pref medium
>>>>> local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 
>>>>> 0 pref medium
>>>>> local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 
>>>>> 0 pref medium
>>>>> local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 
>>>>> pref medium
>>>>> local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 
>>>>> pref medium
>>>>> ff00::/8 dev eth0 table local metric 256 pref medium
>>>>> ff00::/8 dev eth1 table local metric 256 pref medium
>>>>> ff00::/8 dev tun1 table local metric 256 pref medium
>>>>> ff00::/8 dev tun0 table local metric 256 pref medium
>>>>>
>>>>> -> routing tables after v6 gets connected 
>>>>> 172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static 
>>>>> default via 83.212.110.1 dev eth1 proto dhcp metric 101 
>>>>> 83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 
>>>>> metric 101 
>>>>> 172.18.73.0/24 via 172.18.73.2 dev tun1 
>>>>> 172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1 
>>>>> 172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1 
>>>>> broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 
>>>>> 83.212.111.156 
>>>>> local 83.212.111.156 dev eth1 table local proto kernel scope host src 
>>>>> 83.212.111.156 
>>>>> broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 
>>>>> 83.212.111.156 
>>>>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 
>>>>> 127.0.0.1 
>>>>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 
>>>>> 127.0.0.1 
>>>>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
>>>>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 
>>>>> 127.0.0.1 
>>>>> local 172.18.73.1 dev tun1 table local proto kernel scope host src 
>>>>> 172.18.73.1 
>>>>> local 172.18.73.1 dev tun0 table local proto kernel scope host src 
>>>>> 172.18.73.1 
>>>>> local ::1 dev lo proto kernel metric 256 pref medium
>>>>> 2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
>>>>> fe80::/64 dev eth0 proto kernel metric 100 pref medium
>>>>> fe80::/64 dev eth1 proto kernel metric 101 pref medium
>>>>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>>>>> fe80::/64 dev eth1 proto kernel metric 256 pref medium
>>>>> fe80::/64 dev tun1 proto kernel metric 256 pref medium
>>>>> fe80::/64 dev tun0 proto kernel metric 256 pref medium
>>>>> default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref 
>>>>> high
>>>>> local ::1 dev lo table local proto kernel metric 0 pref medium
>>>>> local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto 
>>>>> kernel metric 0 pref medium
>>>>> local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 
>>>>> 0 pref medium
>>>>> local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 
>>>>> 0 pref medium
>>>>> local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 
>>>>> pref medium
>>>>> local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 
>>>>> pref medium
>>>>> ff00::/8 dev eth0 table local metric 256 pref medium
>>>>> ff00::/8 dev eth1 table local metric 256 pref medium
>>>>> ff00::/8 dev tun1 table local metric 256 pref medium
>>>>> ff00::/8 dev tun0 table local metric 256 pref medium
>>>>>
>>>>> -> interface configuration
>>>>> root@snf-823515:~# ip addr ls
>>>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group 
>>>>> default qlen 1000
>>>>>   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>>>   inet 127.0.0.1/8 scope host lo
>>>>>      valid_lft forever preferred_lft forever
>>>>>   inet6 ::1/128 scope host 
>>>>>      valid_lft forever preferred_lft forever
>>>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
>>>>> state UP group default qlen 1000
>>>>>   link/ether aa:00:04:1e:a3:7e brd ff:ff:ff:ff:ff:ff
>>>>>   inet6 2001:648:2ffc:1225:a800:4ff:fe1e:a37e/64 scope global 
>>>>> noprefixroute 
>>>>>      valid_lft forever preferred_lft forever
>>>>>   inet6 fe80::a800:4ff:fe1e:a37e/64 scope link noprefixroute 
>>>>>      valid_lft forever preferred_lft forever
>>>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
>>>>> state UP group default qlen 1000
>>>>>   link/ether aa:0c:f4:7b:f9:1d brd ff:ff:ff:ff:ff:ff
>>>>>   inet 83.212.111.156/23 brd 83.212.111.255 scope global dynamic 
>>>>> noprefixroute eth1
>>>>>      valid_lft 603582sec preferred_lft 603582sec
>>>>>   inet6 fe80::3948:27b7:f4d2:fa55/64 scope link noprefixroute 
>>>>>      valid_lft forever preferred_lft forever
>>>>> 4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 
>>>>> 1000
>>>>>   link/sit 0.0.0.0 brd 0.0.0.0
>>>>> 5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc 
>>>>> pfifo_fast state UNKNOWN group default qlen 100
>>>>>   link/none 
>>>>>   inet 172.18.73.1 peer 172.18.73.2/32 scope global tun0
>>>>>      valid_lft forever preferred_lft forever
>>>>>   inet6 fe80::8c31:575c:4950:fa28/64 scope link stable-privacy 
>>>>>      valid_lft forever preferred_lft forever
>>>>> 6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc 
>>>>> pfifo_fast state UNKNOWN group default qlen 100
>>>>>   link/none 
>>>>>   inet 172.18.73.1 peer 172.18.73.2/32 scope global tun1
>>>>>      valid_lft forever preferred_lft forever
>>>>>   inet6 fe80::e403:923b:5769:5de/64 scope link stable-privacy 
>>>>>      valid_lft forever preferred_lft forever 
>>>
>>
> 

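The two pieces of advice in this thread, a whitelist ruleset with a DROP policy instead of the posted blacklist, and loosening or disabling rp_filter on both interfaces with a persistent /etc/sysctl.d fragment, put together as one script. This is an added example, not code from the thread or from the strongSwan project. It assumes the posted layout (IPv4 on eth1 with public address 83.212.111.156, IKE arriving over IPv6 on eth0, virtual-IP pool 172.18.72.0/24); the interface names and addresses are overridable via environment variables. One caveat the thread does not spell out: the kernel uses the higher of conf/all/rp_filter and conf/<interface>/rp_filter, so setting only the two interfaces to 0 while all stays at 1 leaves them strict, which is why the fragment sets all and default too, and why the check function reports the effective value.

```shell
# Added example, not code from the thread: the posted blacklist turned into a
# default-DROP whitelist, plus the rp_filter check and /etc/sysctl.d fragment
# Noel suggests. Assumed from the posted config: IPv4 on eth1 (83.212.111.156),
# IKE over IPv6 on eth0, virtual-IP pool 172.18.72.0/24 (override via env).
VIP_POOL="${VIP_POOL:-172.18.72.0/24}"
WAN4="${WAN4:-eth1}"
WAN4_ADDR="${WAN4_ADDR:-83.212.111.156}"
WAN6="${WAN6:-eth0}"

# iptables-restore input: INPUT/FORWARD default to DROP; only SSH, IKE/NAT-T,
# ESP and IPsec-policy-matched forwarding get through.
ipv4_ruleset() {
cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# clamp MSS on decrypted client flows so ESP overhead does not black-hole PMTU
-A FORWARD -s $VIP_POOL -o $WAN4 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# no SNAT for traffic about to be re-encrypted, only for what leaves in the clear
-A POSTROUTING -s $VIP_POOL -o $WAN4 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s $VIP_POOL -o $WAN4 -j SNAT --to-source $WAN4_ADDR
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 --syn -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $VIP_POOL -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d $VIP_POOL -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
EOF
}

# ip6tables-restore input. IKE arrives over IPv6 here, so 500/4500 and ESP are
# opened on $WAN6. ICMPv6 stays open: neighbour discovery and the router
# advertisements that install the v6 default route need it. FORWARD stays DROP
# because the tunnel is meant to carry IPv4 only.
ipv6_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i $WAN6 -p udp --dport 500 -j ACCEPT
-A INPUT -i $WAN6 -p udp --dport 4500 -j ACCEPT
-A INPUT -i $WAN6 -p esp -j ACCEPT
-A INPUT -p tcp --dport 22 --syn -j ACCEPT
COMMIT
EOF
}

# The kernel applies max(conf/all, conf/<if>) per interface, so a strict 1 on
# either side keeps strict mode. Print the interfaces that are still strict;
# $1 selects the sysctl tree (default /proc/sys/net/ipv4/conf) for testing.
strict_rp_filter_ifaces() {
  conf="${1:-/proc/sys/net/ipv4/conf}"
  all=0
  if [ -r "$conf/all/rp_filter" ]; then all=$(cat "$conf/all/rp_filter"); fi
  for f in "$conf"/*/rp_filter; do
    if [ ! -r "$f" ]; then continue; fi
    ifname=$(basename "$(dirname "$f")")
    case "$ifname" in all|default) continue ;; esac
    eff=$(cat "$f")
    if [ "$all" -gt "$eff" ]; then eff=$all; fi
    if [ "$eff" -eq 1 ]; then echo "$ifname"; fi
  done
}

# sysctl.d fragment: 2 (loose) first, 0 (off) if loose still drops replies.
# all and default are included so the max() rule above cannot undo it.
rp_filter_sysctl_fragment() {
  mode="${1:-2}"
  for key in all default "$WAN4" "$WAN6"; do
    printf 'net.ipv4.conf.%s.rp_filter = %s\n' "$key" "$mode"
  done
}
```

As root, load with `ipv4_ruleset | iptables-restore` and `ipv6_ruleset | ip6tables-restore`, write `rp_filter_sysctl_fragment 2 > /etc/sysctl.d/90-ipsec-rpfilter.conf` followed by `sysctl --system`, and confirm with `strict_rp_filter_ifaces`, which should print nothing. Test the ruleset over an SSH session that is already established before loading it: the RELATED,ESTABLISHED rule keeps that session alive, but a typo in the port 22 line would lock you out of new ones.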