[Swan] Libreswan 4.8 IPv6 connection problem: "The parameter is incorrect"

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Wed Oct 5 16:58:32 EEST 2022


Hi all,

Our VPN worked well until we moved to IPv6, and now it works only with IPv6 disabled,
which is not practical (a change of network settings resets all PuTTY terminals and
all ssh connections, among others ...).

The configuration is as follows:

conn MYCONN-ikev2-ipv6-cp
         # The server's actual IP goes here - not elastic IPs
         left=2001:b68:2:2600::3
         leftcert=magrf.grf.hr
         leftid=@magrf.grf.hr
         leftsendcert=always
         leftsubnet=0::/0
         leftrsasigkey=%cert
         # Clients
         right=%any
         # your addresspool to use - you might need NAT rules if providing full internet to clients
         # (must be a valid prefix, note the "::" before the length; it is the same ULA /64
         # that the NPT script below translates to and from)
         rightaddresspool=fd00:2600:1000:0000::/64
         # optional rightid with restrictions
         # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
         rightca=%same
         rightrsasigkey=%cert
         #
         # connection configuration
         # DNS servers for clients to use
         modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
         narrowing=yes
         # recommended dpd/liveness to cleanup vanished clients
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         auto=add
         ikev2=insist
         rekey=no
         # Set ikelifetime and keylife to same defaults windows has
         # ikelifetime=8h
         # keylife=2h
         ms-dh-downgrade=yes
         esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
         # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
         # ikev2 fragmentation support requires libreswan 3.14 or newer
         fragmentation=yes
         # optional PAM username verification (eg to implement bandwidth quota)
         # pam-authorize=yes
         # legacy RSA-SHA1 signature authentication (not RFC 7427 digital signatures)
         authby=rsa-sha1
         hostaddrfamily=ipv6
         clientaddrfamily=ipv6

I am using a small script that should allow NPT to the VPN-allocated address range:

#!/bin/bash

# 2022-10-05 mtodorov
# Stateless prefix translation (NPTv6) between the VPN address pool (ULA)
# and the routed public /64, on the external interface enp1s0.

GWY_EXTERNAL=2001:b68:2:2600::3
EXTERNAL=2001:b68:2:2600::/64
INTERNAL=fd00:2600:1000:0000::/64

case "$1" in
         start)
                 modprobe ip6table_mangle
                 modprobe ip6t_NPT
                 # Inbound: rewrite destinations in the public /64 (except the
                 # gateway's own address) to the pool prefix
                 ip6tables -t mangle -A PREROUTING \! -d $GWY_EXTERNAL -i enp1s0 -j DNPT --src-pfx $EXTERNAL --dst-pfx $INTERNAL
                 # Outbound: rewrite pool source addresses to the public /64
                 ip6tables -t mangle -A POSTROUTING -s $INTERNAL -o enp1s0 -j SNPT --src-pfx $INTERNAL --dst-pfx $EXTERNAL
                 ;;
         stop)
                 ip6tables -t mangle -D PREROUTING \! -d $GWY_EXTERNAL -i enp1s0 -j DNPT --src-pfx $EXTERNAL --dst-pfx $INTERNAL
                 ip6tables -t mangle -D POSTROUTING -s $INTERNAL -o enp1s0 -j SNPT --src-pfx $INTERNAL --dst-pfx $EXTERNAL
                 sleep 1
                 modprobe -r ip6t_NPT
                 modprobe -r ip6table_mangle
                 ;;
         *)
                 echo "Usage: $0 start | stop"
                 exit 1
                 ;;
esac

The result is:

root@magrf:~# ip6tables-save
# Generated by ip6tables-save v1.8.7 on Wed Oct  5 15:53:29 2022
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING ! -d 2001:b68:2:2600::3/128 -i enp1s0 -j DNPT --src-pfx 2001:b68:2:2600::/64 --dst-pfx fd00:2600:1000::/64
-A POSTROUTING -s fd00:2600:1000::/64 -o enp1s0 -j SNPT --src-pfx fd00:2600:1000::/64 --dst-pfx 2001:b68:2:2600::/64
COMMIT
# Completed on Wed Oct  5 15:53:29 2022
# Warning: ip6tables-legacy tables present, use ip6tables-legacy-save to see them
root@magrf:~#

The session log is here:
https://magrf.grf.hr/~mtodorov/tmp/ikev2-ipv6-20221005-01.log

I hope this helps.
It seems to me that Libreswan attempts to retransmit to the VPN client too early,
within the same second?

Could that be a bug or is it a mistake in configuration?

Thank you.

Kind regards,
mt

-- 
Mirsad Todorovac
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
Sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
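The following is an added example and not code from the post, from Libreswan or from netfilter. It reproduces in Python what the SNPT/DNPT rules above do to an address (the prefix swap plus the checksum-neutral adjustment of RFC 6296), so that a pool address can be checked against what the outside world sees and mapped back again, and it sanity-checks the rightaddresspool= string against the prefix the NPT rules rewrite. It goes beyond the page's /64 case and handles any equal prefix length. The sample addresses are constructed for the example; the choice of writing the zero result as 0x0000 rather than 0xFFFF is taken from the behaviour of the Linux ip6t_NPT target.

```python
"""RFC 6296 NPTv6 prefix translation, worked for the two /64s in the post."""
import ipaddress

INTERNAL = "fd00:2600:1000::/64"   # VPN address pool (ULA), from the post
EXTERNAL = "2001:b68:2:2600::/64"  # routed public prefix, from the post


def oc_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def oc_sum(ws) -> int:
    total = 0
    for w in ws:
        total = oc_add(total, w)
    return total


def to_words(addr: ipaddress.IPv6Address) -> list:
    """The eight 16-bit words of an address, most significant first."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(ws) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in ws))


def checksum_neutral(a: str, b: str) -> bool:
    """True if both addresses have the same one's complement word sum, so a
    TCP/UDP/ICMPv6 checksum computed over one is still valid for the other."""
    norm = lambda s: 0 if s == 0xFFFF else s   # 0x0000 and 0xFFFF are both zero
    return norm(oc_sum(to_words(ipaddress.IPv6Address(a)))) == \
        norm(oc_sum(to_words(ipaddress.IPv6Address(b))))


def npt_translate(addr: str, src_pfx: str, dst_pfx: str) -> str:
    """Map addr from src_pfx into dst_pfx the way an NPTv6 translator does.

    Works for any equal prefix length: the adjustment lands in word 3 (the
    subnet field) for /48 and shorter, and in the first IID word that is not
    0xFFFF for longer prefixes, as RFC 6296 section 3 prescribes.
    """
    src = ipaddress.IPv6Network(src_pfx)
    dst = ipaddress.IPv6Network(dst_pfx)
    ip = ipaddress.IPv6Address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("prefix lengths must match for plain NPTv6")
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    n = src.prefixlen
    # 1. Replace the prefix bits, keep the host bits.
    host = int(ip) & ((1 << (128 - n)) - 1)
    ws = to_words(ipaddress.IPv6Address(int(dst.network_address) | host))
    # 2. Adjustment = sum(old prefix) - sum(new prefix), in one's complement.
    delta = oc_add(oc_sum(to_words(src.network_address)),
                   ~oc_sum(to_words(dst.network_address)) & 0xFFFF)
    # 3. Add it to the word RFC 6296 designates.
    if n <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if ws[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("IID is all ones; the address cannot be translated")
    new = oc_add(ws[idx], delta)
    # Assumption: write zero as 0x0000, mirroring the Linux ip6t_NPT target.
    ws[idx] = 0 if new == 0xFFFF else new
    return str(from_words(ws))


def check_pool(pool: str, internal: str = INTERNAL) -> str:
    """Sanity-check a rightaddresspool= value against the translated prefix.

    Catches a pool that does not parse (for instance a missing '::' before
    the length) or one that lies outside what the NPT rules rewrite.
    """
    try:
        net = ipaddress.IPv6Network(pool, strict=False)
    except ValueError as exc:
        return f"invalid: {exc}"
    if not net.subnet_of(ipaddress.IPv6Network(internal)):
        return f"outside {internal}"
    return "ok"


if __name__ == "__main__":
    client = "fd00:2600:1000::1"                         # constructed pool address
    outside = npt_translate(client, INTERNAL, EXTERNAL)  # SNPT on the way out
    back = npt_translate(outside, EXTERNAL, INTERNAL)    # DNPT on the reply
    print(f"{client} -> {outside} -> {back}, neutral={checksum_neutral(client, outside)}")
    print("pool fd00:2600:1000:0000/64:", check_pool("fd00:2600:1000:0000/64"))
```

Because the translation is stateless, the reverse mapping must recover the original address exactly; the round trip in the usage block is the check to run whenever the pool or the public prefix changes, and the pool check flags a prefix string that Libreswan itself would refuse to load.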
