[Swan] IPv6 Question

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Wed Jul 13 17:38:20 EEST 2022


On 12.7.2022. 14:57, Mirsad Goran Todorovac wrote:

> On 7/11/2022 9:35 PM, Paul Wouters wrote:
>
>> On Mon, 11 Jul 2022, Mirsad Goran Todorovac wrote:
>>
>>> Pluto log is here: 
>>> https://magrf.grf.hr/~mtodorov/tmp/ikev2-20220711-01.log
>>
>> Jul 11 20:20:47.820601: | sending 473 bytes for STATE_V2_PARENT_R0 
>> through enp1s0 from [2001:b68:2:2600::3]:500 to 
>> [2a05:4f46:31a:7500:f4ab:160e:24dc:df90]:500 using UDP (for #4)
>>
>> The client does not respond to libreswan's answer. The reason for a lack
>> of response would be on the client side log ?
> Hi, Paul, thank Heavens you are here!
>
> We have lost VPN connectivity since we introduced IPv6, I suppose.
> The problem is that MS VPN client has IPv6 preference.
>
> The Windows 10 client reports in evtlog:
>
> "The user SYSTEM dialed a connection named GRF IKEv2 magrf which has 
> failed. The error code returned on failure is 809."
>
> Google says this Rasclient error is connected with a firewall or lack 
> of connectivity between the client and server computer.
> Connectivity scan shows this:
>
> C:\Users\mtodo>nmap -6 -sU -p 500,4500 magrf.grf.hr
> Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-12 08:35 Central 
> European Daylight Time
> Nmap scan report for magrf.grf.hr (2001:b68:2:2600::3)
> Host is up (0.0015s latency).
> Other addresses for magrf.grf.hr (not scanned): 161.53.83.3
>
> PORT     STATE         SERVICE
> 500/udp  open|filtered isakmp
> 4500/udp closed        nat-t-ike
>
> Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
> C:\Users\mtodo>
>
> I checked with our NOC and they asserted that it is not the IPv6 
> firewall. This goes in line with the fact that I tried to establish a 
> connection to the local server on the same subnet.
There seems to be a gotcha here: the Windows 10 VPN client attempts to 
connect to port 4500 (nat-t-ike):

16:29:26.860159 IP6 (flowlabel 0xd2a37, hlim 128, next-header UDP (17) 
payload length: 1264) 2001:b68:2:2600::51.4500 > 
2001:b68:2:2600::3.4500: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 
00000001 cookie 9db4ab32a688a0c0->bbedac47611d87f2: child_sa  ikev2_auth[I]:
     (#53) [|v2IDi]

And here you say you do not listen on 4500: 
https://lists.libreswan.org/pipermail/swan/2018/002487.html

Is there a way around this?

Thank you.

Mirsad

-- 
Mirsad Todorovac
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
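Added example (not from this thread or from libreswan): a small Python
script that reads tcpdump lines of the kind quoted above and reports
IKEv2 requests that never received a responder packet, noting when the
client moved to a different port (here, from 500 to 4500) than the one
the server last answered from. The sample capture lines, SPIs and
addresses below are constructed for the demo and only mimic the format of
the real output.

```python
import re

# Constructed sample capture (tcpdump-like, one record per line).  The first
# exchange (IKE_SA_INIT) is answered on UDP 500; the client then sends
# IKE_AUTH NAT-T encapsulated to UDP 4500 twice and gets no reply.
SAMPLE_TCPDUMP = [
    "16:29:25.100000 IP6 2001:b68:2:2600::51.500 > 2001:b68:2:2600::3.500: "
    "isakmp 2.0 msgid 00000000 cookie 9db4ab32a688a0c0->0000000000000000: parent_sa ikev2_init[I]:",
    "16:29:25.101000 IP6 2001:b68:2:2600::3.500 > 2001:b68:2:2600::51.500: "
    "isakmp 2.0 msgid 00000000 cookie 9db4ab32a688a0c0->bbedac47611d87f2: parent_sa ikev2_init[R]:",
    "16:29:26.860159 IP6 2001:b68:2:2600::51.4500 > 2001:b68:2:2600::3.4500: [udp sum ok] NONESP-encap: "
    "isakmp 2.0 msgid 00000001 cookie 9db4ab32a688a0c0->bbedac47611d87f2: child_sa  ikev2_auth[I]:",
    "16:29:28.860000 IP6 2001:b68:2:2600::51.4500 > 2001:b68:2:2600::3.4500: [udp sum ok] NONESP-encap: "
    "isakmp 2.0 msgid 00000001 cookie 9db4ab32a688a0c0->bbedac47611d87f2: child_sa  ikev2_auth[I]:",
]

# Matches the fields we need from a single-line tcpdump IKEv2-over-IPv6 record:
# timestamp, src/dst address and port, message id, both SPIs ("cookie"),
# exchange name and whether the packet is from the initiator (I) or responder (R).
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):"
    r".*?isakmp 2\.0 msgid (?P<msgid>[0-9a-f]+) cookie (?P<ispi>[0-9a-f]+)->(?P<rspi>[0-9a-f]+):"
    r"\s*\S+\s+(?P<exch>\w+)\[(?P<role>[IR])\]"
)


def parse_packets(lines):
    """Return a list of dicts for every line that looks like an IKEv2 record."""
    pkts = []
    for line in lines:
        m = PKT_RE.match(line.strip())
        if not m:
            continue  # non-IKE traffic or a wrapped continuation line
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        pkts.append(d)
    return pkts


def find_unanswered(lines):
    """Report initiator requests (by SPI, exchange, msgid) with no responder packet.

    Each finding carries the destination port the client used and whether that
    differs from the port the server last answered from for the same SA.
    """
    requests = {}            # (ispi, exchange, msgid) -> request summary
    answered = set()         # keys that saw a responder packet
    last_answered_port = {}  # ispi -> source port of the server's last reply
    for p in parse_packets(lines):
        key = (p["ispi"], p["exch"], p["msgid"])
        if p["role"] == "I":
            r = requests.setdefault(key, {
                "cookie": p["ispi"], "exchange": p["exch"], "msgid": p["msgid"],
                "dport": p["dport"], "attempts": 0, "first_seen": p["ts"],
            })
            r["attempts"] += 1
        else:
            answered.add(key)
            last_answered_port[p["ispi"]] = p["sport"]

    findings = []
    for key, r in requests.items():
        if key in answered:
            continue
        prev = last_answered_port.get(r["cookie"])
        r["port_changed"] = prev is not None and prev != r["dport"]
        findings.append(r)
    return findings


if __name__ == "__main__":
    for f in find_unanswered(SAMPLE_TCPDUMP):
        print(f"SA {f['cookie']}: {f['exchange']} msgid {f['msgid']} sent "
              f"{f['attempts']}x to port {f['dport']} with no reply"
              + (" (client changed port after the previous exchange)" if f["port_changed"] else ""))
```

Run against a real `tcpdump -nn -v` capture the records must be on one
line each (pass `-l` and join wrapped lines first, or widen the terminal);
the script then points straight at the exchange the server never answered
and at the port it arrived on, which is the check to make before blaming
the firewall.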
