[Swan] IPv6 Question
Mirsad Goran Todorovac
mirsad.todorovac at alu.unizg.hr
Mon Jul 11 21:51:32 EEST 2022
Hi all,

I have a problem in which the configuration appears OK, but it doesn't
connect the IKEv2 VPN. The certificate and negotiation pass, but then
the server waits for the (Windows 10) client until the timeout.

The connection is rather straightforward:

conn MYCONN-ikev2-ipv6-cp
    # The server's actual IP goes here - not elastic IPs
    left=2001:b68:2:2600::3
    leftcert=magrf.grf.hr
    leftid=@magrf.grf.hr
    leftsendcert=always
    leftsubnet=0::/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=2001:b68:2:2600:1000::/70
    # optional rightid with restrictions
    # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    # Set ikelifetime and keylife to same defaults windows has
    # ikelifetime=8h
    # keylife=2h
    ms-dh-downgrade=yes
    esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
    # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota
    # pam-authorize=yes
    authby=rsa-sha1
    hostaddrfamily=ipv6
    clientaddrfamily=ipv6

The Pluto log is here: https://magrf.grf.hr/~mtodorov/tmp/ikev2-20220711-01.log

I've seen that IPv6 works only in the NETKEY (XFRM) stack, as described in
ipsec.conf(5), but it seems to be the default.

Regards,
--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355