[Swan] Libreswan 4.8 IPv6 connection problem: "The parameter is incorrect"

Mirsad Todorovac mirsad.todorovac at alu.hr
Thu Oct 20 09:55:43 EEST 2022


Hi all,

Now I'm really questioning the wisdom of implementing IPv6 on our networks,
for we lost the VPN and I look incompetent, or even not of sound mind.

Here in Croatia, there are not really that many organisations that have
implemented IPv6, and there are not many people to ask and to share
experiences and solutions with.

Maybe I should raise an issue about this on GitHub?

Thank you

On 10/5/2022 4:18 PM, Mirsad Goran Todorovac wrote:
>
> P.S.
>
> Forgot to mention, the VPN client is Windows 10 Professional version 21H2:
>
> Kind regards,
>
> mt
>
> On 5.10.2022. 15:58, Mirsad Goran Todorovac wrote:
>> Hi all,
>>
>> Our VPN worked well until we moved to IPv6, and now it works only
>> with IPv6 disabled, which is not practical (changing the network
>> settings resets all PuTTY terminals and all ssh connections, among
>> others ...).
>>
>> The configuration is as follows:
>>
>> conn MYCONN-ikev2-ipv6-cp
>>         # The server's actual IP goes here - not elastic IPs
>>         left=2001:b68:2:2600::3
>>         leftcert=magrf.grf.hr
>>         leftid=@magrf.grf.hr
>>         leftsendcert=always
>>         leftsubnet=0::/0
>>         leftrsasigkey=%cert
>>         # Clients
>>         right=%any
>>         # your addresspool to use - you might need NAT rules if providing full internet to clients
>>         rightaddresspool=fd00:2600:1000:0000/64
>>         # optional rightid with restrictions
>>         # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
>>         rightca=%same
>>         rightrsasigkey=%cert
>>         #
>>         # connection configuration
>>         # DNS servers for clients to use
>>         modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
>>         narrowing=yes
>>         # recommended dpd/liveness to cleanup vanished clients
>>         dpddelay=30
>>         dpdtimeout=120
>>         dpdaction=clear
>>         auto=add
>>         ikev2=insist
>>         rekey=no
>>         # Set ikelifetime and keylife to same defaults windows has
>>         # ikelifetime=8h
>>         # keylife=2h
>>         ms-dh-downgrade=yes
>>         esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
>>         # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
>>         # ikev2 fragmentation support requires libreswan 3.14 or newer
>>         fragmentation=yes
>>         # optional PAM username verification (eg to implement bandwidth quota)
>>         # pam-authorize=yes
>>         authby=rsa-sha1
>>         hostaddrfamily=ipv6
>>         clientaddrfamily=ipv6
>>
>> I am using a small script that should allow NPT to the VPN-allocated address range:
>>
>> #!/bin/bash
>>
>> # 2022-10-05 mtodorov
>>
>> GWY_EXTERNAL=2001:b68:2:2600::3
>> EXTERNAL=2001:b68:2:2600::/64
>> INTERNAL=fd00:2600:1000:0000::/64
>>
>> case "$1" in
>>         start)
>>                 modprobe ip6table_mangle
>>                 modprobe ip6t_NPT
>>                 # Inbound: rewrite destinations in the public prefix to the ULA pool,
>>                 # except for traffic addressed to the gateway itself
>>                 ip6tables -t mangle -A PREROUTING \! -d $GWY_EXTERNAL -i enp1s0 -j DNPT --src-pfx $EXTERNAL --dst-pfx $INTERNAL
>>                 # Outbound: rewrite sources in the ULA pool to the public prefix
>>                 ip6tables -t mangle -A POSTROUTING -s $INTERNAL -o enp1s0 -j SNPT --src-pfx $INTERNAL --dst-pfx $EXTERNAL
>>                 ;;
>>         stop)
>>                 ip6tables -t mangle -D PREROUTING \! -d $GWY_EXTERNAL -i enp1s0 -j DNPT --src-pfx $EXTERNAL --dst-pfx $INTERNAL
>>                 ip6tables -t mangle -D POSTROUTING -s $INTERNAL -o enp1s0 -j SNPT --src-pfx $INTERNAL --dst-pfx $EXTERNAL
>>                 sleep 1
>>                 modprobe -r ip6t_NPT
>>                 modprobe -r ip6table_mangle
>>                 ;;
>>         *) echo "Usage $0: start | stop"
>> esac
>>
>> The result is:
>>
>> root at magrf:~# ip6tables-save
>> # Generated by ip6tables-save v1.8.7 on Wed Oct  5 15:53:29 2022
>> *mangle
>> :PREROUTING ACCEPT [0:0]
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> -A PREROUTING ! -d 2001:b68:2:2600::3/128 -i enp1s0 -j DNPT --src-pfx 2001:b68:2:2600::/64 --dst-pfx fd00:2600:1000::/64
>> -A POSTROUTING -s fd00:2600:1000::/64 -o enp1s0 -j SNPT --src-pfx fd00:2600:1000::/64 --dst-pfx 2001:b68:2:2600::/64
>> COMMIT
>> # Completed on Wed Oct  5 15:53:29 2022
>> # Warning: ip6tables-legacy tables present, use ip6tables-legacy-save to see them
>> root at magrf:~#
>>
>> The session log is here: 
>> https://magrf.grf.hr/~mtodorov/tmp/ikev2-ipv6-20221005-01.log
>>
>> I hope this helps.
>> It seems to me that Libreswan attempts to retransmit to the VPN
>> client too early, within the same second?
>>
>> Could that be a bug or is it a mistake in configuration?
>>
>> Thank you.
>>
>> Kind regards,
>> mt
>>
> -- 
> Mirsad Todorovac
> System engineer
> Faculty of Graphic Arts | Academy of Fine Arts
> University of Zagreb
> Republic of Croatia, the European Union

-- 
Mirsad Todorovac
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
-------------- next part --------------
A non-text attachment was scrubbed...
Name: k2xQoRcOs5shlHT9.png
Type: image/png
Size: 21593 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20221020/0b54b170/attachment-0001.png>
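The setup quoted above pairs a Libreswan `rightaddresspool` with a pair of ip6tables NPT rules, and the two have to agree with each other for clients to get traffic both ways. The following is an added example, not Libreswan, ip6tables or the poster's own code: a small consistency checker that parses the relevant conn settings and the NPT rules (the `CONN_TEXT` and `NPT_RULES` inputs are copied from the post and trimmed; the conn parsing is a deliberate simplification of the real config grammar) and reports the mismatches a practitioner would want to rule out before suspecting a Libreswan bug: an address pool that does not parse as an IPv6 prefix, NPT prefixes of unequal length, a pool that lies outside the SNPT source prefix, SNPT and DNPT rules that are not inverses, and a DNPT rule that fails to exclude the gateway's own address. Run against the posted values it flags the `rightaddresspool` line, which lacks the `::` that the script's `INTERNAL` variable has; whether Libreswan's own parser treats that value the same way is not established by this thread.

```python
"""Consistency check between a Libreswan IPv6 address pool and ip6tables
NPT (RFC 6296) rules.  Added example; not Libreswan or ip6tables code."""
import ipaddress
import re

# Constructed inputs: copied from the posted conn and the ip6tables-save
# output above, trimmed to the settings this check looks at.
CONN_TEXT = """
conn MYCONN-ikev2-ipv6-cp
        left=2001:b68:2:2600::3
        leftsubnet=0::/0
        rightaddresspool=fd00:2600:1000:0000/64
        hostaddrfamily=ipv6
        clientaddrfamily=ipv6
"""

NPT_RULES = [
    "-A PREROUTING ! -d 2001:b68:2:2600::3/128 -i enp1s0 -j DNPT "
    "--src-pfx 2001:b68:2:2600::/64 --dst-pfx fd00:2600:1000::/64",
    "-A POSTROUTING -s fd00:2600:1000::/64 -o enp1s0 -j SNPT "
    "--src-pfx fd00:2600:1000::/64 --dst-pfx 2001:b68:2:2600::/64",
]


def conn_settings(text):
    """Return the key=value settings of one conn block as a dict (simplified)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_network(value):
    """Parse a prefix; return (IPv6Network, None) or (None, error text)."""
    try:
        return ipaddress.IPv6Network(value, strict=False), None
    except ValueError as exc:
        return None, str(exc)


def parse_npt_rule(rule):
    """Pull target, src-pfx, dst-pfx and any '! -d' exclusion out of a rule."""
    m = re.search(r"-j (SNPT|DNPT) --src-pfx (\S+) --dst-pfx (\S+)", rule)
    if not m:
        return None
    excl = re.search(r"! -d (\S+)", rule)
    return {"target": m.group(1), "src": m.group(2), "dst": m.group(3),
            "exclude": excl.group(1) if excl else None}


def check_setup(conn_text, rules):
    """Return a list of findings; an empty list means nothing inconsistent."""
    findings = []
    settings = conn_settings(conn_text)
    pool, err = parse_network(settings.get("rightaddresspool", ""))
    if pool is None:
        findings.append(f"rightaddresspool does not parse as an IPv6 prefix: {err}")
    gateway = ipaddress.IPv6Address(settings["left"])

    parsed = [r for r in map(parse_npt_rule, rules) if r]
    nets = {}
    for r in parsed:
        src, e1 = parse_network(r["src"])
        dst, e2 = parse_network(r["dst"])
        if src is None or dst is None:
            findings.append(f"{r['target']}: unparsable prefix: {e1 or e2}")
            continue
        nets[r["target"]] = (src, dst)
        # RFC 6296 maps between prefixes of equal length.
        if src.prefixlen != dst.prefixlen:
            findings.append(f"{r['target']}: prefix lengths differ")
        # Outbound: the pool handed to clients must lie inside the SNPT src-pfx.
        if r["target"] == "SNPT" and pool is not None and not pool.subnet_of(src):
            findings.append("rightaddresspool is outside the SNPT src-pfx")
        # Inbound: if the gateway's own address sits inside the DNPT src-pfx,
        # the rule must exclude it, or IKE/ESP to the gateway gets rewritten.
        if r["target"] == "DNPT" and gateway in src:
            excl, _ = parse_network(r["exclude"] or "")
            if excl is None or gateway not in excl:
                findings.append("DNPT rule does not exclude the gateway address")
    # The two directions must be exact inverses of each other.
    if "SNPT" in nets and "DNPT" in nets:
        if nets["SNPT"] != (nets["DNPT"][1], nets["DNPT"][0]):
            findings.append("SNPT and DNPT prefixes are not inverses")
    return findings


if __name__ == "__main__":
    for finding in check_setup(CONN_TEXT, NPT_RULES) or ["no inconsistencies found"]:
        print(finding)
```

Replacing the pool value with `fd00:2600:1000::/64` (the form used in the script) makes the check pass; dropping the `! -d` exclusion from the DNPT rule makes it report that the gateway address would be translated.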