[Swan] Libreswan 4.8 IPv6 connection problem: "The parameter is incorrect"
Tuomo Soini
tis at foobar.fi
Thu Oct 20 13:54:20 EEST 2022
On Thu, 20 Oct 2022 08:55:43 +0200
Mirsad Todorovac <mirsad.todorovac at alu.hr> wrote:
> On 10/5/2022 4:18 PM, Mirsad Goran Todorovac wrote:
> >
> > P.S.
> >
> > Forgot to mention, the VPN client is Windows 10 Professional
> > version 21H2:
> >
> > Kind regards,
> >
> > mt
> >
> > On 5.10.2022. 15:58, Mirsad Goran Todorovac wrote:
> >> Hi all,
> >>
> >> Our VPN worked well until we moved to IPv6, and now it works only
> >> with IPv6 disabled,
> >> which is not practical (change of network settings resets all
> >> Putty terminal and all ssh connections
> >> among others ... ).
> >>
> >> The configuration is as follows:
> >>
> >> conn MYCONN-ikev2-ipv6-cp
> >> # The server's actual IP goes here - not elastic IPs
> >> left=2001:b68:2:2600::3
> >> leftcert=magrf.grf.hr
> >> leftid=@magrf.grf.hr
> >> leftsendcert=always
> >> leftsubnet=0::/0
> >> leftrsasigkey=%cert
> >> # Clients
> >> right=%any
> >> # your addresspool to use - you might need NAT rules if
> >> providing full internet to clients
> >> rightaddresspool=fd00:2600:1000:0000/64
Your addresspool is too big. If I remember correctly, maximum size is 96
bits.
> >> # optional rightid with restrictions
> >> # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
> >> rightca=%same
> >> rightrsasigkey=%cert
> >> #
> >> # connection configuration
> >> # DNS servers for clients to use
> >> modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
> >> narrowing=yes
> >> # recommended dpd/liveness to cleanup vanished clients
> >> dpddelay=30
> >> dpdtimeout=120
dpdtimeout is not valid with ikev2.
> >> dpdaction=clear
> >> auto=add
> >> ikev2=insist
> >> rekey=no
> >> # Set ikelifetime and keylife to same defaults windows has
> >> # ikelifetime=8h
> >> # keylife=2h
> >> ms-dh-downgrade=yes
This is not needed any more; Windows 10+ has been fixed to allow dh14
or dh19 without downgrade on rekey.
And I must say I haven't tested Windows 10 with IPv6 yet, so there might
be unseen issues.
With libreswan I've been using dual stack IPsec for some years, with
ipv4 over ipv4 + ipv6 over ipv6. That works, but windows wants ipv4 +
ipv6 over ipv6 or ipv4 which is not yet supported.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
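A small lint, added here as an example and not part of the thread or of libreswan itself, that checks a conn section for the three points raised in the reply above (pool size, dpdtimeout under IKEv2, ms-dh-downgrade). The sample conn is constructed and the /96 pool limit is an assumption taken from the reply's recollection:

```python
import ipaddress

# Constructed sample conn, loosely modelled on the one quoted in the thread
# (not the poster's actual config; addresses use documentation/ULA space).
SAMPLE_CONN = """\
conn MYCONN-ikev2-ipv6-cp
    left=2001:db8:2:2600::3
    leftsubnet=0::/0
    right=%any
    rightaddresspool=fd00:2600:1000::/64   # too large per the reply
    ikev2=insist
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ms-dh-downgrade=yes
"""

MAX_POOL_PREFIX = 96  # assumption from the reply: an IPv6 pool may be at most a /96


def parse_conn(text):
    """Return {key: value} for one conn section; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("conn ") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def pool_size(pool):
    """(address count, IP version) of an addresspool given as CIDR or start-end range."""
    if "-" in pool:
        start, end = (ipaddress.ip_address(p.strip()) for p in pool.split("-", 1))
        if start.version != end.version or int(end) < int(start):
            raise ValueError("malformed address range")
        return int(end) - int(start) + 1, start.version
    net = ipaddress.ip_network(pool, strict=False)
    return net.num_addresses, net.version


def lint_conn(opts):
    """Apply the three review points from the reply; return a list of findings."""
    findings = []
    pool = opts.get("rightaddresspool")
    if pool:
        try:
            size, version = pool_size(pool)
        except ValueError:
            findings.append(f"rightaddresspool {pool!r} is not a valid address or range")
        else:
            if version == 6 and size > 2 ** (128 - MAX_POOL_PREFIX):
                findings.append(f"rightaddresspool has {size} addresses, more than a /{MAX_POOL_PREFIX}")
    # libreswan 4.x defaults to IKEv2; only an explicit no/never selects IKEv1
    if opts.get("ikev2", "yes") not in ("no", "never") and "dpdtimeout" in opts:
        findings.append("dpdtimeout is not valid with IKEv2 (liveness uses dpddelay only)")
    if opts.get("ms-dh-downgrade") == "yes":
        findings.append("ms-dh-downgrade=yes is no longer needed for Windows 10+")
    return findings
```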