[Swan] Libreswan 4.8 IPv6 connection problem: "The parameter is incorrect"

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Wed Oct 5 17:18:02 EEST 2022 

P.S.

Forgot to mention, the VPN client is Windows 10 Professional version 21H2:

Kind regards,

mt

On 5.10.2022. 15:58, Mirsad Goran Todorovac wrote:
> Hi all,
>
> Our VPN worked well until we moved to IPv6, and now it works only with 
> IPv6 disabled,
> which is not practical (change of network settings resets all Putty 
> terminal and all ssh connections
> among others ... ).
>
> The configuration is as follows:
>
> conn MYCONN-ikev2-ipv6-cp
>         # The server's actual IP goes here - not elastic IPs
>         left=2001:b68:2:2600::3
>         leftcert=magrf.grf.hr
> leftid=@magrf.grf.hr
>         leftsendcert=always
>         leftsubnet=0::/0
>         leftrsasigkey=%cert
>         # Clients
>         right=%any
>         # your addresspool to use - you might need NAT rules if 
> providing full internet to clients
>         rightaddresspool=fd00:2600:1000:0000/64
>         # optional rightid with restrictions
>         # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
>         rightca=%same
>         rightrsasigkey=%cert
>         #
>         # connection configuration
>         # DNS servers for clients to use
>         modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
>         narrowing=yes
>         # recommended dpd/liveness to cleanup vanished clients
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=clear
>         auto=add
>         ikev2=insist
>         rekey=no
>         # Set ikelifetime and keylife to same defaults windows has
>         # ikelifetime=8h
>         # keylife=2h
>         ms-dh-downgrade=yes
> esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1 
>
>         # 
> esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
>         # ikev2 fragmentation support requires libreswan 3.14 or newer
>         fragmentation=yes
>         # optional PAM username verification (eg to implement 
> bandwidth quota
>         # pam-authorize=yes
>         authby=rsa-sha1
>         hostaddrfamily=ipv6
>         clientaddrfamily=ipv6
>
> I am using a small script that should allow NPT to the VPN-allocated 
> addr range:
>
> #!/bin/bash
>
> # 2022-10-05 mtodorov
>
> GWY_EXTERNAL=2001:b68:2:2600::3
> EXTERNAL=2001:b68:2:2600::/64
> INTERNAL=fd00:2600:1000:0000::/64
>
> case "$1" in
>         start)
>                 modprobe ip6table_mangle
>                 modprobe ip6t_NPT
>                 ip6tables -t mangle -A PREROUTING \! -d $GWY_EXTERNAL 
> -i enp1s0 -j DNPT --src-pfx $EXTERNAL --dst-pfx $INTERNAL
>                 ip6tables -t mangle -A POSTROUTING -s $INTERNAL -o 
> enp1s0 -j SNPT --src-pfx $INTERNAL --dst-pfx $EXTERNAL
>                 ;;
>         stop)
>                 ip6tables -t mangle -D PREROUTING \! -d $GWY_EXTERNAL 
> -i enp1s0 -j DNPT --src-pfx $EXTERNAL --dst-pfx $INTERNAL
>                 ip6tables -t mangle -D POSTROUTING -s $INTERNAL -o 
> enp1s0 -j SNPT --src-pfx $INTERNAL --dst-pfx $EXTERNAL
>                 sleep 1
>                 modprobe -r ip6t_NPT
>                 modprobe -r ip6table_mangle
>                 ;;
>         *) echo "Usage $0: start | stop"
> esac
>
> The result is:
>
> root at magrf:~# ip6tables-save
> # Generated by ip6tables-save v1.8.7 on Wed Oct  5 15:53:29 2022
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING ! -d 2001:b68:2:2600::3/128 -i enp1s0 -j DNPT --src-pfx 
> 2001:b68:2:2600::/64 --dst-pfx fd00:2600:1000::/64
> -A POSTROUTING -s fd00:2600:1000::/64 -o enp1s0 -j SNPT --src-pfx 
> fd00:2600:1000::/64 --dst-pfx 2001:b68:2:2600::/64
> COMMIT
> # Completed on Wed Oct  5 15:53:29 2022
> # Warning: ip6tables-legacy tables present, use ip6tables-legacy-save 
> to see them
> root at magrf:~#
>
> The session log is here: 
> https://magrf.grf.hr/~mtodorov/tmp/ikev2-ipv6-20221005-01.log
>
> I hope this helps.
> It seems to me that Libreswan attempts to retransmit to the VPN client 
> too early withing the same second?
>
> Could that be a bug or is it a mistake in configuration?
>
> Thank you.
>
> Kind regards,
> mt
>
-- 
Mirsad Todorovac
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
Sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20221005/08b9e1cd/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: k2xQoRcOs5shlHT9.png
Type: image/png
Size: 21593 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20221005/08b9e1cd/attachment-0001.png>

More information about the Swan mailing list