Discussion:
[strongSwan] V4 in V6 tunnel return path broken
Giorgos Mavrikas
2018-06-01 21:15:55 UTC
Permalink
Hi,

I have a problem that’s been bugging me for two days straight. I have looked into the wiki documentation regarding routing, but I cannot figure this out. Any help would be much appreciated.
I have a simple “road warrior” type setup, with SW listening on both v4 and v6. I want clients to be able to connect to both v4 and v6, but the tunnel should only carry v4 traffic.
The v4 part works great. The v6 part connects OK (after some extra module loading) and tunnel traffic gets all the way from the client to the external interface of the server, where it gets NAT-ed and a reply is received. After that the packet goes missing; it's never received on the client's tunnel interface. I cannot find out why this happens, all xfrm policies look good to my eyes.

Snoop on the client (macOS)
gmvmbp15r:~ root# tcpdump -ni ipsec0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
00:11:43.251689 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 3, length 64
00:11:44.253234 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 4, length 64
00:11:45.257160 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 5, length 64
00:11:46.258467 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64

Snoop on the public interface of the server (Ubuntu 18.04)
***@snf-823515:~# tcpdump -ni eth1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:11:46.257089 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
00:11:46.259361 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 6, length 64
00:11:47.274263 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 7, length 64
00:11:47.276714 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 7, length 64

Thanks for taking the time!

My config follows.

-> ipsec.conf
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no

conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=no
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@tunnel2.mavrikas.com
leftcert=/etc/letsencrypt/live/tunnel2.mavrikas.com/fullchain.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=172.18.72.0/24
rightdns=1.0.0.1,1.1.1.1
rightsendcert=never
eap_identity=%identity

-> v4 connection log (all OK):
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[JOB] spawning 16 worker threads
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] unknown attribute type (25)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] EAP-Identity request configured, but not supported
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0xFB)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] peer supports MOBIKE
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun 2 00:04:22 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any6
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any
Jun 2 00:04:22 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
Jun 2 00:04:22 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:04:22 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:04:22 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:04:22 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)

-> v6 connection log
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[JOB] spawning 16 worker threads
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] unknown attribute type (25)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] EAP-Identity request configured, but not supported
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0x5E)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] peer supports MOBIKE
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun 2 00:05:30 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any6
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any
Jun 2 00:05:30 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
Jun 2 00:05:30 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:05:30 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:05:30 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:05:30 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)

-> routing tables after v4 gets connected (ignore the tun* interfaces, they belong to OpenVPN)
172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
default via 83.212.110.1 dev eth1 proto dhcp metric 101
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
172.18.73.0/24 via 172.18.73.2 dev tun1
172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
local ::1 dev lo proto kernel metric 256 pref medium
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium

-> routing tables after v6 gets connected
172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
default via 83.212.110.1 dev eth1 proto dhcp metric 101
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
172.18.73.0/24 via 172.18.73.2 dev tun1
172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
local ::1 dev lo proto kernel metric 256 pref medium
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium

-> interface configuration
***@snf-823515:~# ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether aa:00:04:1e:a3:7e brd ff:ff:ff:ff:ff:ff
inet6 2001:648:2ffc:1225:a800:4ff:fe1e:a37e/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::a800:4ff:fe1e:a37e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether aa:0c:f4:7b:f9:1d brd ff:ff:ff:ff:ff:ff
inet 83.212.111.156/23 brd 83.212.111.255 scope global dynamic noprefixroute eth1
valid_lft 603582sec preferred_lft 603582sec
inet6 fe80::3948:27b7:f4d2:fa55/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: ***@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/sit 0.0.0.0 brd 0.0.0.0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 172.18.73.1 peer 172.18.73.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::8c31:575c:4950:fa28/64 scope link stable-privacy
valid_lft forever preferred_lft forever
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 172.18.73.1 peer 172.18.73.2/32 scope global tun1
valid_lft forever preferred_lft forever
inet6 fe80::e403:923b:5769:5de/64 scope link stable-privacy
valid_lft forever preferred_lft forever
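The captures in the post above bracket the loss precisely: the echo reply reaches eth1 with the public address as destination, conntrack will turn that back into 172.18.72.1, and nothing arrives on the client's ipsec0. Whatever drops the packet sits between the FORWARD chain and the ESP encapsulation over IPv6, and the kernel keeps a per-netns counter for every stage at which xfrm discards a packet in /proc/net/xfrm_stat. The shell helper below is an added example, not part of the post: it diffs two snapshots of that file taken around a test ping and annotates whichever counter moved. The counter names are the kernel's (net/xfrm/xfrm_proc.c); the function names are mine, and the two snapshots embedded in the script are constructed to show the tool, not taken from the poster's host.

```shell
#!/bin/sh
# Added example, not from the thread: find the stage at which the Linux xfrm
# stack drops a packet by diffing /proc/net/xfrm_stat around a test ping.
# Counter names are the kernel's (net/xfrm/xfrm_proc.c); the two snapshots
# embedded below are constructed for the demo, not taken from the poster's host.

# xfrm_stat_diff BEFORE AFTER: print each counter that changed as "Name +delta"
xfrm_stat_diff() {
    awk 'NR == FNR { before[$1] = $2; next }
         ($2 - before[$1]) != 0 { printf "%s +%d\n", $1, $2 - before[$1] }' "$1" "$2"
}

# xfrm_explain COUNTER: what a moving counter means for a road-warrior tunnel
xfrm_explain() {
    case "$1" in
        XfrmOutNoStates)       echo "an outbound policy matched but no usable SA was found" ;;
        XfrmOutStateModeError) echo "the SA's outer-mode handler refused the packet on output" ;;
        XfrmOutPolBlock)       echo "a blocking outbound policy matched" ;;
        XfrmOutPolError|XfrmOutBundleGenError)
                               echo "outbound policy resolution or bundle creation failed" ;;
        XfrmInNoStates)        echo "inbound ESP whose SPI/address pair has no SA" ;;
        XfrmInTmplMismatch)    echo "the SAs the packet arrived through do not satisfy the inbound policy" ;;
        XfrmInNoPols)          echo "a packet that came through a tunnel SA matched no inbound policy" ;;
        XfrmFwdHdrError)       echo "a forwarded packet could not be decoded for the xfrm policy lookup" ;;
        *)                     echo "see net/xfrm/xfrm_proc.c for $1" ;;
    esac
}

# Constructed snapshots standing in for `cat /proc/net/xfrm_stat` taken before
# and after four pings; only XfrmOutStateModeError moves in this made-up case.
SAMPLE_BEFORE='XfrmInError             0
XfrmInNoStates          0
XfrmInNoPols            0
XfrmInTmplMismatch      0
XfrmOutError            0
XfrmOutNoStates         0
XfrmOutStateModeError   0
XfrmOutPolBlock         0
XfrmFwdHdrError         0'
SAMPLE_AFTER='XfrmInError             0
XfrmInNoStates          0
XfrmInNoPols            0
XfrmInTmplMismatch      0
XfrmOutError            0
XfrmOutNoStates         0
XfrmOutStateModeError   4
XfrmOutPolBlock         0
XfrmFwdHdrError         0'

# demo: diff the constructed snapshots and annotate every counter that moved
demo() {
    b=$(mktemp) && a=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_BEFORE" > "$b"
    printf '%s\n' "$SAMPLE_AFTER" > "$a"
    xfrm_stat_diff "$b" "$a" | while read -r name delta; do
        printf '%s %s: %s\n' "$name" "$delta" "$(xfrm_explain "$name")"
    done
    rm -f "$b" "$a"
}

demo   # XfrmOutStateModeError +4: the SA's outer-mode handler refused the packet on output
```

On the gateway the real sequence is `cat /proc/net/xfrm_stat > /tmp/before`, ping from the client, `cat /proc/net/xfrm_stat > /tmp/after`, then `xfrm_stat_diff /tmp/before /tmp/after`. If no counter moves, xfrm never saw the reply and the drop is earlier (the per-rule counters of `iptables -vnL FORWARD`, or the route lookup); `ip -s xfrm state` shows the same failures per SA, and raising `charondebug` to `knl 2` logs every policy and route charon installs.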
Giorgos Mavrikas
2018-06-02 20:40:30 UTC
Permalink
Hi Noel,

Thanks for replying.
Here is the output of iptables-save and ip6tables-save:

***@snf-823515:~# iptables-save
# Generated by iptables-save v1.6.1 on Sat Jun 2 23:38:02 2018
*mangle
:PREROUTING ACCEPT [1267325:876958065]
:INPUT ACCEPT [1237708:851646057]
:FORWARD ACCEPT [29479:25297360]
:OUTPUT ACCEPT [1254056:1043029543]
:POSTROUTING ACCEPT [1283535:1068326903]
-A FORWARD -s 172.18.72.0/24 -o eth1 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -s 172.18.73.0/24 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Jun 2 23:38:02 2018
# Generated by iptables-save v1.6.1 on Sat Jun 2 23:38:02 2018
*nat
:PREROUTING ACCEPT [80004:7959890]
:INPUT ACCEPT [79118:7842531]
:OUTPUT ACCEPT [8028:605426]
:POSTROUTING ACCEPT [8029:605466]
-A POSTROUTING -s 172.18.72.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.18.73.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 --persistent
-A POSTROUTING -s 172.18.72.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 --persistent
COMMIT
# Completed on Sat Jun 2 23:38:02 2018
# Generated by iptables-save v1.6.1 on Sat Jun 2 23:38:02 2018
*filter
:INPUT ACCEPT [79598:7901697]
:FORWARD ACCEPT [522:75308]
:OUTPUT ACCEPT [1254057:1043029895]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
-A FORWARD -s 172.18.72.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 172.18.72.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
# Completed on Sat Jun 2 23:38:02 2018


***@snf-823515:~# ip6tables-save
# Generated by ip6tables-save v1.6.1 on Sat Jun 2 23:39:30 2018
*filter
:INPUT ACCEPT [9613:6437361]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7799:673126]
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Sat Jun 2 23:39:30 2018

Thanks,
GeorgeM
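Two details of the ruleset above carry the whole v4-over-v6 setup and are easy to break in a later edit. First, the `-m policy --dir out --pol ipsec -j ACCEPT` exemption in nat POSTROUTING must stay ahead of the SNAT rule for 172.18.72.0/24, because netfilter evaluates rules in order and a SNAT placed first rewrites the source of traffic the kernel has already decided to tunnel. Second, the client's IKE and ESP-in-UDP arrive over IPv6 (the log shows them on ports 500 and 4500 of the server's IPv6 address), and they get in only because the ip6tables INPUT policy is ACCEPT; the explicit UDP 500/4500 accepts exist in iptables alone. The shell audit below is an added example, not from the thread: it checks both points against a *tables-save dump read from stdin. The rule excerpts are constructed to mirror the posted dump (subnet and public address are the poster's), and the tightened v6 set is invented as the failure case.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save/ip6tables-save dump
# for the two things a v4-in-v6 road-warrior gateway depends on. The rule
# excerpts are constructed to mirror the thread (subnet 172.18.72.0/24 and
# public address 83.212.111.156 are the poster's); the tightened v6 set is made up.

# nat_order SUBNET: read a *tables-save dump on stdin and report whether the
# "-m policy --dir out --pol ipsec -j ACCEPT" exemption for SUBNET comes before
# its SNAT/MASQUERADE rule in nat POSTROUTING.
nat_order() {
    awk -v net="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && index($0, "-A POSTROUTING -s " net " ") == 1 {
            if ($0 ~ /--pol ipsec -j ACCEPT/ && !seen_snat) exempt = 1
            if ($0 ~ /-j (SNAT|MASQUERADE)/) seen_snat = 1
        }
        END { print (exempt ? "ok" : (seen_snat ? "snat-before-exemption" : "no-exemption")) }'
}

# ike_allowed: read a *tables-save dump on stdin; if the filter INPUT policy is
# ACCEPT report "open-policy", otherwise require explicit accepts for UDP 500
# and 4500 (IKE and ESP-in-UDP) and list what is missing.
ike_allowed() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:INPUT / { policy = $2 }
        table == "filter" && /^-A INPUT / && /-p udp/ {
            if ($0 ~ /--dport 500( |$)/)  p500 = 1
            if ($0 ~ /--dport 4500( |$)/) p4500 = 1
        }
        END {
            if (policy == "ACCEPT") { print "open-policy"; exit }
            miss = ""
            if (!p500)  miss = "500"
            if (!p4500) miss = miss (miss == "" ? "" : ",") "4500"
            print (miss == "" ? "ok" : "missing:" miss)
        }'
}

# iptables-save excerpt as posted: exemption first, then SNAT; INPUT policy ACCEPT
V4_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.18.72.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.18.72.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 --persistent
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT'

# Same nat table with the two rules swapped (constructed failure case)
V4_SWAPPED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.18.72.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 --persistent
-A POSTROUTING -s 172.18.72.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# ip6tables-save as posted: INPUT defaults to ACCEPT, so IKE over v6 gets in
V6_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT'

# Constructed tightened v6 set that forgot the NAT-T port
V6_TIGHT='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
COMMIT'

printf '%s\n' "$V4_RULES"   | nat_order 172.18.72.0/24   # ok
printf '%s\n' "$V4_SWAPPED" | nat_order 172.18.72.0/24   # snat-before-exemption
printf '%s\n' "$V6_RULES"   | ike_allowed                # open-policy
printf '%s\n' "$V6_TIGHT"   | ike_allowed                # missing:4500
```

On the gateway run it as `iptables-save | nat_order 172.18.72.0/24` and `ip6tables-save | ike_allowed`. Add the UDP 500/4500 accepts to ip6tables before ever changing its default policy, and `-p esp` too if any peer does not use UDP encapsulation; the two FORWARD rules with `-m policy --proto esp` stay in iptables, since the decapsulated inner packets are IPv4 regardless of the outer family.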
Hello,
Please provide your iptables and ip6tables rules. Use iptables-save and ip6tables-save.
Kind regards
Noel
Hi,
I have a problem that’s been bugging me for two days straight. I have looked into the wiki documentation regarding routing, but I cannot figure this out. Any help would be much appreciated.
I have a simple “road warrior” type setup, with SW listening on both v4 and v6. I want clients to be able to connect to both v4 and v6, but the tunnel should only carry v4 traffic.
The v4 part works great. The v6 part connects OK (after some extra module loading) and tunnel traffic gets all the way from the client to the external interface of the server where it get’s NAT-ted and a reply is received. After that, the packet gets missing, it’s never received on the client’s tunnel interface. I cannot find out why this happens, all xfrm policies look good to my eyes.
Snoop on the client (macOS)
gmvmbp15r:~ root# tcpdump -ni ipsec0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
00:11:43.251689 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 3, length 64
00:11:44.253234 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 4, length 64
00:11:45.257160 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 5, length 64
00:11:46.258467 IP 172.18.72.1 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
Snoop on the public interface of the server (Ubuntu 18.04)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
00:11:46.257089 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 6, length 64
00:11:46.259361 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 6, length 64
00:11:47.274263 IP 83.212.111.156 > 1.1.1.1: ICMP echo request, id 5125, seq 7, length 64
00:11:47.276714 IP 1.1.1.1 > 83.212.111.156: ICMP echo reply, id 5125, seq 7, length 64
Thanks for taking the time!
My config follows.
-> ipsec.conf
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=no
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftcert=/etc/letsencrypt/live/tunnel2.mavrikas.com/fullchain.pem <http://tunnel2.mavrikas.com/fullchain.pem>
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=172.18.72.0/24
rightdns=1.0.0.1,1.1.1.1
rightsendcert=never
eap_identity=%identity
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[JOB] spawning 16 worker threads
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] unknown attribute type (25)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] EAP-Identity request configured, but not supported
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0xFB)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] peer supports MOBIKE
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun 2 00:04:22 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any6
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any
Jun 2 00:04:22 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
Jun 2 00:04:22 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:04:22 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:04:22 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:04:22 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
-> v6 connection log
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[JOB] spawning 16 worker threads
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] unknown attribute type (25)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] EAP-Identity request configured, but not supported
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0x5E)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] peer supports MOBIKE
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun 2 00:05:30 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any6
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any
Jun 2 00:05:30 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
Jun 2 00:05:30 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:05:30 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:05:30 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:05:30 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
-> routing tables after v4 gets connected (ignore the tun* interfaces, they belong to OpenVPN)
172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
default via 83.212.110.1 dev eth1 proto dhcp metric 101
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
172.18.73.0/24 via 172.18.73.2 dev tun1
172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
local ::1 dev lo proto kernel metric 256 pref medium
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
-> routing tables after v6 gets connected
172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
default via 83.212.110.1 dev eth1 proto dhcp metric 101
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
172.18.73.0/24 via 172.18.73.2 dev tun1
172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
local ::1 dev lo proto kernel metric 256 pref medium
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
-> interface configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether aa:00:04:1e:a3:7e brd ff:ff:ff:ff:ff:ff
inet6 2001:648:2ffc:1225:a800:4ff:fe1e:a37e/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::a800:4ff:fe1e:a37e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether aa:0c:f4:7b:f9:1d brd ff:ff:ff:ff:ff:ff
inet 83.212.111.156/23 brd 83.212.111.255 scope global dynamic noprefixroute eth1
valid_lft 603582sec preferred_lft 603582sec
inet6 fe80::3948:27b7:f4d2:fa55/64 scope link noprefixroute
valid_lft forever preferred_lft forever
link/sit 0.0.0.0 brd 0.0.0.0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 172.18.73.1 peer 172.18.73.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::8c31:575c:4950:fa28/64 scope link stable-privacy
valid_lft forever preferred_lft forever
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 172.18.73.1 peer 172.18.73.2/32 scope global tun1
valid_lft forever preferred_lft forever
inet6 fe80::e403:923b:5769:5de/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Giorgos Mavrikas
2018-06-03 19:13:07 UTC
Permalink
Hi Noel,

You are right, the default policy is set to ACCEPT for debugging purposes; once I have set up the IPv6 tunnel, I’ll set it to DROP.
The IPv6 address on eth0 and the IPv4 address on eth1 are set by the cloud provider of the VM; nothing I can do about that.
Setting the rp_filter for all interfaces to 2 makes no difference though…
Any other suggestions are most welcome.

Thanks
Hi,
This looks okay, although the rules are largely useless, because it's a blacklist, not a whitelist.
I could spot that you have IPv4 on eth1 and IPv6 on eth0. Because the return path to Mac OS is different between the two families, I think the return path filter drops the packets. Set it to 2 for both eth0 and eth1. Use sysctl -w net.ipv4.conf.eth0.rp_filter=2 net.ipv4.conf.eth1.rp_filter=2 for that, then test again. Use /etc/sysctl.d/ to make it permanent.
Kind regards
Noel
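Noel's reasoning rests on the kernel choosing a different egress interface per address family. As an added example (not code from the thread), the following Python script replays longest-prefix route selection over the routing tables posted above and reports whether the plaintext leg (route to the pinged host) and the encrypted leg (route to the client) leave on different devices. It assumes the table order local, 220, main (the `ip rule` priorities a strongSwan host has), omits the OpenVPN tun* entries, and uses the constructed IPv4 client address 198.51.100.10 for the symmetric case.

```python
"""Replay kernel route selection over the `ip route` tables posted in the thread.

Added example, not code from the thread. Table order (local, 220, main) mirrors
the `ip rule` priorities a strongSwan host has; everything else is the posted data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the posted `ip route` / `ip -6 route` output; the OpenVPN
# tun* entries are left out because they play no part in this path.
ROUTES_V4 = """\
172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
default via 83.212.110.1 dev eth1 proto dhcp metric 101
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
"""
ROUTES_V6 = """\
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
"""
# Route types `ip route` may print in front of the prefix.
ROUTE_TYPES = {"unicast", "local", "broadcast", "unreachable", "prohibit", "blackhole"}
# Tables in the order the kernel's policy rules consult them (assumed, see above).
TABLE_ORDER = ("local", "220", "main")
# Constructed IPv4 client address, used only to show the symmetric case.
V4_CLIENT = "198.51.100.10"
V6_CLIENT = "2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8"  # the macOS client from the log


@dataclass
class Route:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    dev: str
    table: str = "main"
    via: Optional[str] = None
    rtype: str = "unicast"
    metric: int = 0


def parse_routes(text: str, version: int) -> list[Route]:
    """Parse one `ip route` listing; `version` (4 or 6) fixes what `default` means."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        rtype = tok.pop(0) if tok[0] in ROUTE_TYPES else "unicast"
        dst = tok.pop(0)
        if dst == "default":
            dst = "0.0.0.0/0" if version == 4 else "::/0"
        kv = dict(zip(tok[0::2], tok[1::2]))  # via X, dev X, table X, metric N, ...
        routes.append(Route(prefix=ipaddress.ip_network(dst, strict=False),
                            dev=kv["dev"], table=kv.get("table", "main"),
                            via=kv.get("via"), rtype=rtype,
                            metric=int(kv.get("metric", 0))))
    return routes


def build_routes() -> list[Route]:
    """The combined v4 + v6 tables of the server in the thread."""
    return parse_routes(ROUTES_V4, 4) + parse_routes(ROUTES_V6, 6)


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Kernel-style selection: the first table in rule order that has a match,
    longest prefix inside it, lowest metric as the tie-breaker."""
    addr = ipaddress.ip_address(dst)
    for table in TABLE_ORDER:
        cands = [r for r in routes
                 if r.table == table and r.prefix.version == addr.version and addr in r.prefix]
        if cands:
            return max(cands, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return None


def return_path_split(routes: list[Route], inner_peer: str, outer_peer: str) -> bool:
    """True when the plaintext leg (route to inner_peer, here the pinged host) and
    the IKE/ESP leg (route to outer_peer, the client) use different devices."""
    inner, outer = lookup(routes, inner_peer), lookup(routes, outer_peer)
    return inner is not None and outer is not None and inner.dev != outer.dev


if __name__ == "__main__":
    routes = build_routes()
    for dst in ("1.1.1.1", "172.18.72.1", V6_CLIENT):
        r = lookup(routes, dst)
        print(f"{dst:>40} -> dev {r.dev} table {r.table} via {r.via}")
    print("v6 client, split path:", return_path_split(routes, "1.1.1.1", V6_CLIENT))
    print("v4 client, split path:", return_path_split(routes, "1.1.1.1", V4_CLIENT))
```

Paste your own `ip route` / `ip -6 route` output into the two strings to check a different host.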
Post by Giorgos Mavrikas
Hi Noel,
Thanks for replying.
# Generated by iptables-save v1.6.1 on Sat Jun 2 23:38:02 2018
*mangle
:PREROUTING ACCEPT [1267325:876958065]
:INPUT ACCEPT [1237708:851646057]
:FORWARD ACCEPT [29479:25297360]
:OUTPUT ACCEPT [1254056:1043029543]
:POSTROUTING ACCEPT [1283535:1068326903]
-A FORWARD -s 172.18.72.0/24 -o eth1 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -s 172.18.73.0/24 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Jun 2 23:38:02 2018
# Generated by iptables-save v1.6.1 on Sat Jun 2 23:38:02 2018
*nat
:PREROUTING ACCEPT [80004:7959890]
:INPUT ACCEPT [79118:7842531]
:OUTPUT ACCEPT [8028:605426]
:POSTROUTING ACCEPT [8029:605466]
-A POSTROUTING -s 172.18.72.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.18.73.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 --persistent
-A POSTROUTING -s 172.18.72.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 --persistent
COMMIT
# Completed on Sat Jun 2 23:38:02 2018
# Generated by iptables-save v1.6.1 on Sat Jun 2 23:38:02 2018
*filter
:INPUT ACCEPT [79598:7901697]
:FORWARD ACCEPT [522:75308]
:OUTPUT ACCEPT [1254057:1043029895]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
-A FORWARD -s 172.18.72.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 172.18.72.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
# Completed on Sat Jun 2 23:38:02 2018
# Generated by ip6tables-save v1.6.1 on Sat Jun 2 23:39:30 2018
*filter
:INPUT ACCEPT [9613:6437361]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7799:673126]
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Sat Jun 2 23:39:30 2018
Thanks,
GeorgeM
Hello,
Please provide your iptables and ip6tables rules. Use iptables-save and ip6tables-save.
Kind regards
Noel
My config follows.
-> ipsec.conf
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=no
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftcert=/etc/letsencrypt/live/tunnel2.mavrikas.com/fullchain.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=172.18.72.0/24
rightdns=1.0.0.1,1.1.1.1
rightsendcert=never
eap_identity=%identity
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[JOB] spawning 16 worker threads
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] unknown attribute type (25)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] EAP-Identity request configured, but not supported
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0xFB)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] peer supports MOBIKE
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] authentication of 'tunnel2.mavrikas.com <http://tunnel2.mavrikas.com>' (myself) with RSA signature successful
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com <http://tunnel2.mavrikas.com>"
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun 2 00:04:22 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com<http://tunnel2.mavrikas.com>]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'tunnel2.mavrikas.com <http://tunnel2.mavrikas.com>' (myself) with EAP
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com<http://tunnel2.mavrikas.com>]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any6
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any
Jun 2 00:04:22 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
Jun 2 00:04:22 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:04:22 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:04:22 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:04:22 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
-> v6 connection log
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[JOB] spawning 16 worker threads
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] unknown attribute type (25)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] EAP-Identity request configured, but not supported
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0x5E)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] peer supports MOBIKE
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun 2 00:05:30 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any6
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any
Jun 2 00:05:30 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
Jun 2 00:05:30 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:05:30 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:05:30 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:05:30 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
-> routing tables after v4 gets connected (ignore the tun* interfaces, they belong to OpenVPN)
172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
default via 83.212.110.1 dev eth1 proto dhcp metric 101
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
172.18.73.0/24 via 172.18.73.2 dev tun1
172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
local ::1 dev lo proto kernel metric 256 pref medium
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
-> routing tables after v6 gets connected
172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
default via 83.212.110.1 dev eth1 proto dhcp metric 101
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
172.18.73.0/24 via 172.18.73.2 dev tun1
172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
local ::1 dev lo proto kernel metric 256 pref medium
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
-> interface configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:04:1e:a3:7e brd ff:ff:ff:ff:ff:ff
    inet6 2001:648:2ffc:1225:a800:4ff:fe1e:a37e/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::a800:4ff:fe1e:a37e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:0c:f4:7b:f9:1d brd ff:ff:ff:ff:ff:ff
    inet 83.212.111.156/23 brd 83.212.111.255 scope global dynamic noprefixroute eth1
       valid_lft 603582sec preferred_lft 603582sec
    inet6 fe80::3948:27b7:f4d2:fa55/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
    link/sit 0.0.0.0 brd 0.0.0.0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.18.73.1 peer 172.18.73.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::8c31:575c:4950:fa28/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.18.73.1 peer 172.18.73.2/32 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::e403:923b:5769:5de/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
Giorgos Mavrikas
2018-06-03 20:03:49 UTC
Permalink
Sorry that my tone was interpreted as offended. I was just explaining the things I can change for testing and the things I do not have power over.
I do appreciate your time and effort.
I am trying to test with the rp_filter set to 0, but charon seems to (wrongly) detect that the IPv6 to IPv6 traffic is NAT-ed and thus I cannot establish a tunnel due to the well known lack of IPv6 NAT support in the kernel.
I experimented with disabling MOBIKE support, same results.
Any ideas why this may be happening?

Thanks again (logs follow).

Jun 3 22:58:51 snf-823515 charon: 02[IKE] 2a02:1388:2091:41a4:9ad:edfa:975:c21b is initiating an IKE_SA
Jun 3 22:58:51 snf-823515 ipsec[2745]: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 3 22:58:51 snf-823515 charon: 02[IKE] remote host is behind NAT
Jun 3 22:58:51 snf-823515 charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun 3 22:58:51 snf-823515 charon: 02[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2091:41a4:9ad:edfa:975:c21b[2201] (448 bytes)
Jun 3 22:58:51 snf-823515 charon: 03[NET] received packet: from 2a02:1388:2091:41a4:9ad:edfa:975:c21b[46793] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun 3 22:58:51 snf-823515 charon: 03[ENC] unknown attribute type (25)
Jun 3 22:58:51 snf-823515 charon: 03[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 3 22:58:51 snf-823515 charon: 03[IKE] EAP-Identity request configured, but not supported
Jun 3 22:58:51 snf-823515 charon: 03[IKE] initiating EAP_MSCHAPV2 method (id 0x05)
Jun 3 22:58:51 snf-823515 charon: 03[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 3 22:58:51 snf-823515 charon: 03[IKE] peer supports MOBIKE
Jun 3 22:58:51 snf-823515 charon: 03[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
Jun 3 22:58:51 snf-823515 charon: 03[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
Jun 3 22:58:51 snf-823515 charon: 03[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun 3 22:58:51 snf-823515 charon: 03[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun 3 22:58:51 snf-823515 charon: 03[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun 3 22:58:51 snf-823515 charon: 03[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun 3 22:58:51 snf-823515 charon: 03[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2091:41a4:9ad:edfa:975:c21b[46793] (1220 bytes)
Jun 3 22:58:51 snf-823515 charon: 03[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2091:41a4:9ad:edfa:975:c21b[46793] (820 bytes)
Jun 3 22:58:51 snf-823515 charon: 13[NET] received packet: from 2a02:1388:2091:41a4:9ad:edfa:975:c21b[46793] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun 3 22:58:51 snf-823515 charon: 13[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun 3 22:58:51 snf-823515 charon: 13[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun 3 22:58:51 snf-823515 charon: 13[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 3 22:58:51 snf-823515 charon: 13[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2091:41a4:9ad:edfa:975:c21b[46793] (144 bytes)
Jun 3 22:58:51 snf-823515 charon: 15[NET] received packet: from 2a02:1388:2091:41a4:9ad:edfa:975:c21b[46793] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun 3 22:58:51 snf-823515 charon: 15[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 3 22:58:51 snf-823515 charon: 15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 3 22:58:51 snf-823515 charon: 15[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun 3 22:58:51 snf-823515 charon: 15[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2091:41a4:9ad:edfa:975:c21b[46793] (80 bytes)
Jun 3 22:58:51 snf-823515 charon: 16[NET] received packet: from 2a02:1388:2091:41a4:9ad:edfa:975:c21b[46793] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun 3 22:58:51 snf-823515 charon: 16[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun 3 22:58:51 snf-823515 charon: 16[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun 3 22:58:51 snf-823515 charon: 16[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
Jun 3 22:58:51 snf-823515 charon: 16[IKE] IKE_SA ikev2-vpn[7] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2091:41a4:9ad:edfa:975:c21b[gmvmbp15r]
Jun 3 22:58:51 snf-823515 charon: 16[IKE] peer requested virtual IP %any
Jun 3 22:58:51 snf-823515 charon: 16[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 3 22:58:51 snf-823515 charon: 16[IKE] peer requested virtual IP %any6
Jun 3 22:58:51 snf-823515 charon: 16[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 3 22:58:51 snf-823515 charon: 16[KNL] received netlink error: Invalid argument (22)
Jun 3 22:58:51 snf-823515 charon: 16[KNL] unable to add SAD entry with SPI c0ad8229 (FAILED)
Jun 3 22:58:51 snf-823515 charon: 16[KNL] received netlink error: Invalid argument (22)
Jun 3 22:58:51 snf-823515 charon: 16[KNL] unable to add SAD entry with SPI 06e533f6 (FAILED)
Jun 3 22:58:51 snf-823515 charon: 16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Jun 3 22:58:51 snf-823515 charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 3 22:58:51 snf-823515 charon: 16[KNL] deleting policy 172.18.72.1/32 === 0.0.0.0/0 in failed, not found
Jun 3 22:58:51 snf-823515 charon: 16[KNL] deleting policy 172.18.72.1/32 === 0.0.0.0/0 fwd failed, not found
Jun 3 22:58:51 snf-823515 charon: 16[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(NO_PROP) ]
Jun 3 22:58:51 snf-823515 charon: 16[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2091:41a4:9ad:edfa:975:c21b[46793] (192 bytes)
Jun 3 22:58:51 snf-823515 charon: 06[NET] received packet: from 2a02:1388:2091:41a4:9ad:edfa:975:c21b[46793] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Hi,
Then try setting it to 0. I'm not criticising you or the provider. It's just the possible source of problems.
Kind regards
Noel
Post by Giorgos Mavrikas
Hi Noel,
You are right, the default policy is set to ACCEPT for debugging purposes; once I have set up the IPv6 tunnel, I’ll set it to DROP.
The IPv6 address on eth0 and IPv4 on eth1 is set by the cloud provider of the VM, nothing I can do about that.
Setting the rp_filter for all interfaces to 2 makes no difference though…
Any other suggestions are most welcome.
Thanks
Hi,
This looks okay, although the rules are largely useless, because it's a blacklist, not a whitelist.
I could spot that you have IPv4 on eth1 and IPv6 on eth0. Because the return path to Mac OS is different between the two families, I think the return path filter drops the packets. Set it to 2 for both eth0 and eth1. Use sysctl -w net.ipv4.conf.eth0.rp_filter=2 net.ipv4.conf.eth1.rp_filter=2 for that, then test again. Use /etc/sysctl.d/ to make it permanent.
Kind regards
Noel
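The reverse-path-filter check Noel recommends above (and the rp_filter=0 test mentioned in the later follow-up), as an added example that is not part of the thread and not strongSwan's code: it computes the effective rp_filter mode per interface from `sysctl net.ipv4.conf`-style output and renders the /etc/sysctl.d/ drop-in that makes the loose setting permanent. The sysctl output below is constructed for the example, not captured from the poster's server; the max(all, interface) rule it applies is the one documented for rp_filter in the kernel's ip-sysctl.txt.

```shell
#!/bin/sh
# Added example (not from the thread): audit the effective IPv4 reverse-path
# filter per interface and render a sysctl.d drop-in for loose mode (2).

# Constructed sample of `sysctl -a | grep rp_filter` output, not the poster's
# real values. Ubuntu ships conf.all/conf.default = 1 (strict) by default.
SAMPLE_RP_FILTER='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tun0.rp_filter = 1'

# Read sysctl output on stdin; print "iface effective_mode", sorted.
# The kernel uses max(conf.all.rp_filter, conf.<iface>.rp_filter), so a
# per-interface 0 changes nothing while conf.all is still 1, whereas a
# per-interface 2 wins over conf.all = 1.
effective_rp_filter() {
    awk '
    /^net\.ipv4\.conf\./ {
        split($1, p, "[.]")         # p[4] is the interface name, $3 the value
        val[p[4]] = $3 + 0
    }
    END {
        for (i in val)
            if (i != "all" && i != "default")
                printf "%s %d\n", i, (val[i] > val["all"] ? val[i] : val["all"])
    }' | sort
}

# Interfaces whose effective mode is strict (1), space-separated.
# With IKE/ESP arriving on eth0 and the client's route pointing at eth1,
# strict mode on the ingress interface is exactly what drops the packets.
strict_rp_filter_ifaces() {
    effective_rp_filter | awk '$2 == 1 { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# Persistent form of `sysctl -w net.ipv4.conf.<iface>.rp_filter=2`: write the
# output to a file under /etc/sysctl.d/ and run `sysctl --system`.
render_rp_filter_dropin() {
    for ifc in "$@"; do
        printf 'net.ipv4.conf.%s.rp_filter = 2\n' "$ifc"
    done
}

# Stand-alone usage on the constructed sample.
printf '%s\n' "$SAMPLE_RP_FILTER" | effective_rp_filter
echo "strict: $(printf '%s\n' "$SAMPLE_RP_FILTER" | strict_rp_filter_ifaces)"
render_rp_filter_dropin eth0 eth1
```

On the constructed sample, eth0 is reported as strict even though its own value is 0, because conf.all = 1 dominates; eth1 is loose because its 2 dominates. Run the audit against the real `sysctl -a` output before and after a change, so that a test with "rp_filter set to 0" is known to have actually taken effect on the ingress interface.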
Post by Giorgos Mavrikas
Hi Noel,
Thanks for replying.
# Generated by iptables-save v1.6.1 on Sat Jun 2 23:38:02 2018
*mangle
:PREROUTING ACCEPT [1267325:876958065]
:INPUT ACCEPT [1237708:851646057]
:FORWARD ACCEPT [29479:25297360]
:OUTPUT ACCEPT [1254056:1043029543]
:POSTROUTING ACCEPT [1283535:1068326903]
-A FORWARD -s 172.18.72.0/24 -o eth1 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -s 172.18.73.0/24 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Jun 2 23:38:02 2018
# Generated by iptables-save v1.6.1 on Sat Jun 2 23:38:02 2018
*nat
:PREROUTING ACCEPT [80004:7959890]
:INPUT ACCEPT [79118:7842531]
:OUTPUT ACCEPT [8028:605426]
:POSTROUTING ACCEPT [8029:605466]
-A POSTROUTING -s 172.18.72.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.18.73.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 --persistent
-A POSTROUTING -s 172.18.72.0/24 -o eth1 -j SNAT --to-source 83.212.111.156 --persistent
COMMIT
# Completed on Sat Jun 2 23:38:02 2018
# Generated by iptables-save v1.6.1 on Sat Jun 2 23:38:02 2018
*filter
:INPUT ACCEPT [79598:7901697]
:FORWARD ACCEPT [522:75308]
:OUTPUT ACCEPT [1254057:1043029895]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
-A FORWARD -s 172.18.72.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 172.18.72.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
# Completed on Sat Jun 2 23:38:02 2018
# Generated by ip6tables-save v1.6.1 on Sat Jun 2 23:39:30 2018
*filter
:INPUT ACCEPT [9613:6437361]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7799:673126]
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Sat Jun 2 23:39:30 2018
Thanks,
GeorgeM
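Noel's remark above that the rules are a blacklist rather than a whitelist, as an added example that is not part of the thread and not strongSwan's code: a function that audits an iptables-save dump for built-in chains left at policy ACCEPT, and a DROP-by-default filter table for this road-warrior gateway. The eth1 uplink, the 172.18.72.0/24 client pool, the IKE ports and SSH on 22 are taken from the poster's dump; the rule selection and the sample dump below are mine.

```shell
#!/bin/sh
# Added example (not from the thread or strongSwan): audit iptables-save
# output for permissive default policies and render a whitelist filter table.

# Constructed sample in iptables-save format, shaped like the poster's filter
# table but not his actual dump.
SAMPLE_FILTER='*filter
:INPUT ACCEPT [79598:7901697]
:FORWARD ACCEPT [522:75308]
:OUTPUT ACCEPT [1254057:1043029895]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
COMMIT'

# Read iptables-save text on stdin; print "table:CHAIN" for every built-in
# chain whose policy is ACCEPT. Under such a policy the -j ACCEPT rules below
# it admit nothing that was not already admitted: a blacklist, not a whitelist.
permissive_chains() {
    awk '
    /^\*/ { table = substr($1, 2) }                       # "*filter" -> filter
    /^:/  { if ($2 == "ACCEPT") printf "%s:%s\n", table, substr($1, 2) }
    ' | tr '\n' ' ' | sed 's/ $//'
}

# Whitelist filter table for the gateway: INPUT and FORWARD drop by default;
# admit loopback, replies, SSH, IKE and NAT-T, ESP and ICMP; forward client
# traffic only when it carries an IPsec policy match, which proves the packet
# was decapsulated from ESP rather than merely claiming a 172.18.72.x source.
# OUTPUT stays ACCEPT for the gateway's own traffic. Feed to iptables-restore.
render_whitelist_filter() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.18.72.0/24 -o eth1 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 172.18.72.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
EOF
}

# Stand-alone usage: audit the constructed sample, then the rendered table.
echo "sample:    $(printf '%s\n' "$SAMPLE_FILTER" | permissive_chains)"
echo "whitelist: $(render_whitelist_filter | permissive_chains)"
```

The ip6tables side needs the same treatment when IKE and ESP arrive over IPv6 as they do here: the v6 INPUT chain must admit UDP 500/4500, ESP and ICMPv6 before its policy is switched to DROP, otherwise the v6 connection path stops working for a different reason than the one being debugged.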
Hello,
Please provide your iptables and ip6tables rules. Use iptables-save and ip6tables-save.
Kind regards
Noel
Thanks for taking the time!
My config follows.
-> ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=no
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftcert=/etc/letsencrypt/live/tunnel2.mavrikas.com/fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=172.18.72.0/24
    rightdns=1.0.0.1,1.1.1.1
    rightsendcert=never
    eap_identity=%identity
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 2 00:04:22 snf-823515 ipsec[2733]: 00[JOB] spawning 16 worker threads
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] unknown attribute type (25)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] EAP-Identity request configured, but not supported
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0xFB)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] peer supports MOBIKE
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun 2 00:04:22 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] peer requested virtual IP %any6
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:04:22 snf-823515 ipsec[2733]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any
Jun 2 00:04:22 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:04:22 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
Jun 2 00:04:22 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:04:22 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c64b8761_i 0e498bf1_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:04:22 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:04:22 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
-> v6 connection log
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1010-kvm, x86_64)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 2 00:05:30 snf-823515 ipsec[2935]: 00[JOB] spawning 16 worker threads
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] (604 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[IKE] 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8 is initiating an IKE_SA
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 07[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[500] (448 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (512 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] unknown attribute type (25)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] EAP-Identity request configured, but not supported
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0x5E)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] peer supports MOBIKE
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with RSA signature successful
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[IKE] sending end entity cert "CN=tunnel2.mavrikas.com"
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] splitting IKE message with length of 1968 bytes into 2 fragments
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jun 2 00:05:30 snf-823515 charon: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (1220 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 08[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (820 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (144 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[IKE] EAP-MS-CHAPv2 username: 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 09[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (144 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (80 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 10[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (80 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[NET] received packet: from 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] to 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] (112 bytes)
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'gmvmbp15r' with EAP successful
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] authentication of 'tunnel2.mavrikas.com' (myself) with EAP
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] IKE_SA ikev2-vpn[1] established between 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[tunnel2.mavrikas.com]...2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[gmvmbp15r]
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] peer requested virtual IP %any6
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:05:30 snf-823515 ipsec[2935]: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any
Jun 2 00:05:30 snf-823515 charon: 11[IKE] assigning virtual IP 172.18.72.1 to peer 'gmv'
Jun 2 00:05:30 snf-823515 charon: 11[IKE] peer requested virtual IP %any6
Jun 2 00:05:30 snf-823515 charon: 11[IKE] no virtual IP found for %any6 requested by 'gmv'
Jun 2 00:05:30 snf-823515 charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 172.18.72.1/32
Jun 2 00:05:30 snf-823515 charon: 11[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jun 2 00:05:30 snf-823515 charon: 11[NET] sending packet: from 2001:648:2ffc:1225:a800:4ff:fe1e:a37e[4500] to 2a02:1388:2185:a7ab:d5ce:d99f:aec6:66d8[4500] (288 bytes)
-> routing tables after v4 gets connected (ignore the tun* interfaces, they belong to OpenVPN)
172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
default via 83.212.110.1 dev eth1 proto dhcp metric 101
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
172.18.73.0/24 via 172.18.73.2 dev tun1
172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
local ::1 dev lo proto kernel metric 256 pref medium
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
-> routing tables after v6 gets connected
172.18.72.1 via 83.212.110.1 dev eth1 table 220 proto static
default via 83.212.110.1 dev eth1 proto dhcp metric 101
83.212.110.0/23 dev eth1 proto kernel scope link src 83.212.111.156 metric 101
172.18.73.0/24 via 172.18.73.2 dev tun1
172.18.73.2 dev tun1 proto kernel scope link src 172.18.73.1
172.18.73.2 dev tun0 proto kernel scope link src 172.18.73.1
broadcast 83.212.110.0 dev eth1 table local proto kernel scope link src 83.212.111.156
local 83.212.111.156 dev eth1 table local proto kernel scope host src 83.212.111.156
broadcast 83.212.111.255 dev eth1 table local proto kernel scope link src 83.212.111.156
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.18.73.1 dev tun1 table local proto kernel scope host src 172.18.73.1
local 172.18.73.1 dev tun0 table local proto kernel scope host src 172.18.73.1
local ::1 dev lo proto kernel metric 256 pref medium
2001:648:2ffc:1225::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
fe80::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::ce47:52ff:fe4e:4554 dev eth0 proto ra metric 100 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:648:2ffc:1225:a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::3948:27b7:f4d2:fa55 dev eth1 table local proto kernel metric 0 pref medium
local fe80::8c31:575c:4950:fa28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a800:4ff:fe1e:a37e dev eth0 table local proto kernel metric 0 pref medium
local fe80::e403:923b:5769:5de dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
-> interface configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether aa:00:04:1e:a3:7e brd ff:ff:ff:ff:ff:ff
inet6 2001:648:2ffc:1225:a800:4ff:fe1e:a37e/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::a800:4ff:fe1e:a37e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether aa:0c:f4:7b:f9:1d brd ff:ff:ff:ff:ff:ff
inet 83.212.111.156/23 brd 83.212.111.255 scope global dynamic noprefixroute eth1
valid_lft 603582sec preferred_lft 603582sec
inet6 fe80::3948:27b7:f4d2:fa55/64 scope link noprefixroute
valid_lft forever preferred_lft forever
link/sit 0.0.0.0 brd 0.0.0.0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 172.18.73.1 peer 172.18.73.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::8c31:575c:4950:fa28/64 scope link stable-privacy
valid_lft forever preferred_lft forever
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 172.18.73.1 peer 172.18.73.2/32 scope global tun1
valid_lft forever preferred_lft forever
inet6 fe80::e403:923b:5769:5de/64 scope link stable-privacy
valid_lft forever preferred_lft forever
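An added example for this thread, not part of the original post and not strongSwan code: a small Python tool that reads charon syslog output in the format quoted above, collapses the duplicate copies that appear when both the `ipsec` starter and `charon` forward the same message to syslog, and summarises each IKE_SA by the address family of its IKE/ESP endpoints, the virtual IPs assigned or refused, and the CHILD_SA SPIs and traffic selectors. It flags the combination seen in the v6 log above, an IPv4-only CHILD_SA (TS 0.0.0.0/0 === vip/32) carried by an IPv6 IKE_SA, together with a refused `%any6` request. The line format and the thread-number correlation are assumptions based on the lines shown; the sample log inside the block is constructed with documentation addresses, not the poster's.

```python
"""Summarise strongSwan charon syslog lines for a road-warrior gateway.

Added example for the mailing-list thread; not strongSwan code.  Dedupes the
ipsec/charon double logging and reports, per IKE_SA, the outer address family,
virtual IPs, CHILD_SA SPIs/TS and a warning for v4-inner-over-v6-outer tunnels.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# "Mon DD HH:MM:SS host prog[pid]: NN[GRP] message" as written via syslog (assumed format).
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<time>[\d:]+)\s+\S+\s+(?:ipsec|charon)(?:\[\d+\])?:\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)
IKE_SA_RE = re.compile(
    r"IKE_SA (?P<conn>[^\[\s]+)\[(?P<id>\d+)\] established between "
    r"(?P<local>[0-9a-fA-F:.]+)\[(?P<local_id>[^\]]+)\]\.\.\."
    r"(?P<remote>[0-9a-fA-F:.]+)\[(?P<remote_id>[^\]]+)\]"
)
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<conn>[^{\s]+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS "
    r"(?P<ts_local>\S+) === (?P<ts_remote>\S+)"
)
VIP_OK_RE = re.compile(r"assigning virtual IP (?P<vip>\S+) to peer '(?P<peer>[^']+)'")
VIP_FAIL_RE = re.compile(r"no virtual IP found for (?P<pool>\S+) requested by '(?P<peer>[^']+)'")


@dataclass
class IkeSaSummary:
    conn: str
    ike_id: int
    local: str
    remote: str
    remote_id: str
    outer_family: int                         # 4 or 6, taken from the IKE endpoints
    virtual_ips: List[str] = field(default_factory=list)
    refused_pools: List[str] = field(default_factory=list)
    child_sas: List[dict] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def ts_family(ts: str) -> int:
    """Address family of a traffic selector such as '0.0.0.0/0' or '10.99.0.1/32[tcp/80]'."""
    return ipaddress.ip_network(ts.split("[")[0], strict=False).version


def summarize(log_text: str) -> List[IkeSaSummary]:
    summaries: List[IkeSaSummary] = []
    by_thread: Dict[str, IkeSaSummary] = {}   # follow-up events come from the same worker thread
    seen = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key = (m["time"], m["thread"], m["msg"])
        if key in seen:                        # second syslog copy (ipsec starter vs charon)
            continue
        seen.add(key)
        msg, thread = m["msg"], m["thread"]
        ike = IKE_SA_RE.search(msg)
        if ike:
            local = ipaddress.ip_address(ike["local"])
            sa = IkeSaSummary(ike["conn"], int(ike["id"]), str(local), ike["remote"],
                              ike["remote_id"], local.version)
            summaries.append(sa)
            by_thread[thread] = sa
            continue
        sa = by_thread.get(thread)
        if sa is None:
            continue                           # event for an SA whose establishment we did not see
        if ok := VIP_OK_RE.search(msg):
            sa.virtual_ips.append(ok["vip"])
        elif fail := VIP_FAIL_RE.search(msg):
            sa.refused_pools.append(fail["pool"])
            sa.warnings.append(f"peer '{fail['peer']}' requested {fail['pool']} but no pool of that family is configured")
        elif ch := CHILD_SA_RE.search(msg):
            sa.child_sas.append({k: ch[k] for k in ("spi_in", "spi_out", "ts_local", "ts_remote")})
            inner = ts_family(ch["ts_remote"])
            if inner != sa.outer_family:       # e.g. IPv4 inner traffic over IPv6 IKE/ESP endpoints
                sa.warnings.append(
                    f"CHILD_SA {ch['conn']}{{{ch['id']}}}: IPv{inner} selector {ch['ts_remote']} inside "
                    f"IPv{sa.outer_family} endpoints; replies to the virtual IP must be routed so they match "
                    f"the xfrm policy (check 'ip route show table 220' and 'ip xfrm policy' for SPI {ch['spi_out']})")
    return summaries


# Constructed sample in charon's syslog format (documentation addresses, not the thread's).
SAMPLE_LOG = """\
Jun  2 00:05:30 gw ipsec[2935]: 11[IKE] IKE_SA rw[1] established between 2001:db8:1::10[vpn.example.net]...2001:db8:2::20[laptop]
Jun  2 00:05:30 gw charon: 11[IKE] IKE_SA rw[1] established between 2001:db8:1::10[vpn.example.net]...2001:db8:2::20[laptop]
Jun  2 00:05:30 gw ipsec[2935]: 11[IKE] peer requested virtual IP %any
Jun  2 00:05:30 gw ipsec[2935]: 11[IKE] assigning virtual IP 10.99.0.1 to peer 'alice'
Jun  2 00:05:30 gw ipsec[2935]: 11[IKE] peer requested virtual IP %any6
Jun  2 00:05:30 gw ipsec[2935]: 11[IKE] no virtual IP found for %any6 requested by 'alice'
Jun  2 00:05:30 gw ipsec[2935]: 11[IKE] CHILD_SA rw{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 10.99.0.1/32
Jun  2 00:05:30 gw charon: 11[IKE] assigning virtual IP 10.99.0.1 to peer 'alice'
Jun  2 00:05:30 gw charon: 11[IKE] CHILD_SA rw{1} established with SPIs c319aa3c_i 0858c6f9_o and TS 0.0.0.0/0 === 10.99.0.1/32
Jun  2 00:07:01 gw charon: 05[IKE] IKE_SA rw[2] established between 192.0.2.10[vpn.example.net]...203.0.113.7[phone]
Jun  2 00:07:01 gw charon: 05[IKE] assigning virtual IP 10.99.0.2 to peer 'bob'
Jun  2 00:07:01 gw charon: 05[IKE] CHILD_SA rw{2} established with SPIs 11aa22bb_i 33cc44dd_o and TS 0.0.0.0/0 === 10.99.0.2/32
"""

if __name__ == "__main__":
    for sa in summarize(SAMPLE_LOG):
        print(f"{sa.conn}[{sa.ike_id}] IPv{sa.outer_family} {sa.local} <-> {sa.remote} ({sa.remote_id})")
        print(f"  virtual IPs: {sa.virtual_ips or '-'}  refused: {sa.refused_pools or '-'}")
        for c in sa.child_sas:
            print(f"  CHILD_SA {c['spi_in']}_i/{c['spi_out']}_o TS {c['ts_local']} === {c['ts_remote']}")
        for w in sa.warnings:
            print(f"  WARNING: {w}")
```

Run it against `journalctl -u strongswan` or `/var/log/syslog` piped in and the warning on the IPv6 IKE_SA points at the two things worth comparing between the working v4 session and the broken v6 one: the route installed for the virtual IP in table 220 and the xfrm policy/state for the CHILD_SA's outbound SPI.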