[Swan] IPv6 Question

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Thu Jul 14 10:23:10 EEST 2022 

On 7/13/2022 9:58 PM, Paul Wouters wrote:

> On Wed, 13 Jul 2022, Mirsad Goran Todorovac wrote:
>
>> But I can't seem to find how to prevent Win 10 VPN client from trying 
>> to establish a NAT connection. I will try more Googling.
>
> The IKEv2 spec allows to use port 4500 even if there is no NAT, and it
> states one should always accept packets on the port. So libreswan should
> be doing that. If it is not listening to the IPv6 port 4500 per default,
> that's a bug.
Hopefully it will be fixed. ;-)

I tried and here is the result of the nmap and lsof scan:

C:\Users\mtodo>nmap -6 -sU -p 500,4500 magrf.grf.hr
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 09:14 Central 
European Daylight Time
Nmap scan report for magrf.grf.hr (2001:b68:2:2600::3)
Host is up (0.0027s latency).
Other addresses for magrf.grf.hr (not scanned): 161.53.83.3

PORT     STATE         SERVICE
500/udp  open|filtered isakmp
4500/udp closed        nat-t-ike

Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds
C:\Users\mtodo>

root at magrf:~/libreswan-4.7-dh2/testing/pluto# lsof -p 3534408 | grep IP
pluto   3534408 root   15u     IPv4           40373142 0t0      UDP 
10.0.0.102:isakmp
pluto   3534408 root   16u     IPv4           40373143 0t0      UDP 
10.0.0.102:ipsec-nat-t
pluto   3534408 root   17u     IPv4           40373144 0t0      UDP 
magrf.grf.hr:isakmp
pluto   3534408 root   18u     IPv4           40373145 0t0      UDP 
magrf.grf.hr:ipsec-nat-t
pluto   3534408 root   19u     IPv4           40373146 0t0      UDP 
localhost:isakmp
pluto   3534408 root   20u     IPv4           40373147 0t0      UDP 
localhost:ipsec-nat-t
pluto   3534408 root   21u     IPv6           40373148 0t0      UDP 
localhost:isakmp
pluto   3534408 root   22u     IPv6           40373149 0t0      UDP 
magrf.grf.hr:isakmp
root at magrf:~/libreswan-4.7-dh2/testing/pluto# lsof -n -p 3534408 | grep IP
pluto   3534408 root   15u     IPv4           40373142 0t0      UDP 
10.0.0.102:isakmp
pluto   3534408 root   16u     IPv4           40373143 0t0      UDP 
10.0.0.102:ipsec-nat-t
pluto   3534408 root   17u     IPv4           40373144 0t0      UDP 
161.53.83.3:isakmp
pluto   3534408 root   18u     IPv4           40373145 0t0      UDP 
161.53.83.3:ipsec-nat-t
pluto   3534408 root   19u     IPv4           40373146 0t0      UDP 
127.0.0.1:isakmp
pluto   3534408 root   20u     IPv4           40373147 0t0      UDP 
127.0.0.1:ipsec-nat-t
pluto   3534408 root   21u     IPv6           40373148 0t0      UDP 
[::1]:isakmp
pluto   3534408 root   22u     IPv6           40373149 0t0      UDP 
[2001:b68:2:2600::3]:isakmp
root at magrf:~/libreswan-4.7-dh2/testing/pluto#

So, yes, it appears that it is not listening on IPv6 UDP 
[2001:b68:2:2600::3]:ipsec-nat-t .

Have a nice day,

Mirsad

-- 
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355

More information about the Swan mailing list