[Swan] IPv6 Question

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Mon Jul 11 21:51:32 EEST 2022


Hi all,

I have a problem in which the configuration appears OK, but the IKEv2 VPN 
doesn't connect. The certificate exchange and negotiation pass, but then 
the server waits for the (Windows 10) client until the timeout.

Connection is rather straightforward:

conn MYCONN-ikev2-ipv6-cp
         # The server's actual IP goes here - not elastic IPs
         left=2001:b68:2:2600::3
         leftcert=magrf.grf.hr
         leftid=@magrf.grf.hr
         leftsendcert=always
         leftsubnet=0::/0
         leftrsasigkey=%cert
         # Clients
         right=%any
         # your addresspool to use - you might need NAT rules if providing full internet to clients
         rightaddresspool=2001:b68:2:2600:1000::/70
         # optional rightid with restrictions
         # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
         rightca=%same
         rightrsasigkey=%cert
         #
         # connection configuration
         # DNS servers for clients to use
         modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
         narrowing=yes
         # recommended dpd/liveness to cleanup vanished clients
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         auto=add
         ikev2=insist
         rekey=no
         # Set ikelifetime and keylife to same defaults windows has
         # ikelifetime=8h
         # keylife=2h
         ms-dh-downgrade=yes
         esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
         # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
         # ikev2 fragmentation support requires libreswan 3.14 or newer
         fragmentation=yes
         # optional PAM username verification (eg to implement bandwidth quota)
         # pam-authorize=yes
         authby=rsa-sha1
         hostaddrfamily=ipv6
         clientaddrfamily=ipv6

Pluto log is here: https://magrf.grf.hr/~mtodorov/tmp/ikev2-20220711-01.log

I've seen that IPv6 works only with the NETKEY (XFRM) stack, as described in 
ipsec.conf(5), but that seems to be the default.

Regards,

-- 
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
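As an added example that is not part of the original post or of libreswan itself: a small Python checker that parses a conn block like the one above and reports the consistency points a reviewer would look at first (address families, whether the pool overlaps the server's address or sits inside its on-link prefix, legacy algorithm tokens in the proposals). The sample block is a constructed excerpt of the posted config; the /64 on-link prefix length, the finding codes and the reading of ms-dh-downgrade are assumptions of this example, and the checker does not read the pluto log or diagnose the reported timeout.

```python
"""Consistency checks for a libreswan-style IKEv2 'conn' block (added example)."""
import ipaddress

# Constructed sample: the conn block from the post above, reduced to the keys checked.
SAMPLE_CONN = """\
conn MYCONN-ikev2-ipv6-cp
        # The server's actual IP goes here
        left=2001:b68:2:2600::3
        leftsubnet=0::/0
        right=%any
        rightaddresspool=2001:b68:2:2600:1000::/70
        modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
        ms-dh-downgrade=yes
        esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
        hostaddrfamily=ipv6
        clientaddrfamily=ipv6
"""

FAMILY_VERSION = {"ipv4": 4, "ipv6": 6}
# Algorithm tokens worth flagging in a current IKEv2 deployment ('null' after an
# AEAD such as aes_gcm is fine and is deliberately not listed here).
LEGACY_TOKENS = {"sha1": "HMAC-SHA1 integrity", "modp1024": "1024-bit MODP group",
                 "3des": "3DES cipher", "md5": "HMAC-MD5 integrity"}


def parse_conn(text):
    """Parse the first 'conn NAME' block into (name, {key: value}); '#' starts a comment."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            if name is not None:
                break                      # only the first block is parsed
            name = line.split(None, 1)[1]
        elif name is not None and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return name, opts


def proposal_tokens(spec):
    """Split 'aes_gcm256-null,aes256-sha1;modp1024' into its algorithm tokens, in order."""
    tokens = []
    for proposal in spec.split(","):
        for part in proposal.replace(";", "-").split("-"):
            if part:
                tokens.append(part.lower())
    return tokens


def check_conn(opts, onlink_prefixlen=64):
    """Return a list of 'CODE: detail' findings; an empty list means nothing was flagged.

    onlink_prefixlen is an assumption: the server's LAN prefix length is not in the post.
    """
    findings = []
    left = ipaddress.ip_address(opts["left"])
    host_fam = opts.get("hostaddrfamily")
    if host_fam in FAMILY_VERSION and FAMILY_VERSION[host_fam] != left.version:
        findings.append(f"FAMILY: left={left} is IPv{left.version} but hostaddrfamily={host_fam}")

    pool = ipaddress.ip_network(opts["rightaddresspool"], strict=False)
    client_fam = opts.get("clientaddrfamily")
    if client_fam in FAMILY_VERSION and FAMILY_VERSION[client_fam] != pool.version:
        findings.append(f"FAMILY: rightaddresspool is IPv{pool.version} but clientaddrfamily={client_fam}")
    if left in pool:                       # False automatically when the versions differ
        findings.append(f"POOL: server address {left} lies inside rightaddresspool {pool}")
    if pool.version == left.version:
        onlink = ipaddress.ip_network(f"{left}/{onlink_prefixlen}", strict=False)
        if pool.subnet_of(onlink) and pool != onlink:
            findings.append(f"POOL: {pool} is carved from the server's assumed on-link prefix {onlink}; "
                            "other hosts on that link reach clients only via the server (route or ND proxy)")

    for dns in opts.get("modecfgdns", "").split(","):
        dns = dns.strip()
        if dns and ipaddress.ip_address(dns).version != pool.version:
            findings.append(f"DNS: modecfgdns {dns} is not IPv{pool.version} like the client pool")

    for key in ("ike", "esp"):
        for tok in dict.fromkeys(proposal_tokens(opts.get(key, ""))):   # de-duplicated, ordered
            if tok in LEGACY_TOKENS:
                findings.append(f"ALGO: {key}= offers {tok} ({LEGACY_TOKENS[tok]})")
    if opts.get("ms-dh-downgrade") == "yes":
        findings.append("ALGO: ms-dh-downgrade=yes is a Windows workaround that accepts a weaker "
                        "DH group on Child SA rekey")
    return findings


if __name__ == "__main__":
    conn_name, conn_opts = parse_conn(SAMPLE_CONN)
    print(f"conn {conn_name}:")
    for finding in check_conn(conn_opts) or ["no findings"]:
        print("  " + finding)
```

Run as a script it prints the findings for the embedded sample; for a real deployment, read the conn block from ipsec.conf and pass the actual on-link prefix length instead of the assumed /64.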