[Swan] Libreswan 4.8 IPv6 connection problem: "The parameter is incorrect"

Tuomo Soini tis at foobar.fi
Thu Oct 20 13:54:20 EEST 2022


On Thu, 20 Oct 2022 08:55:43 +0200
Mirsad Todorovac <mirsad.todorovac at alu.hr> wrote:


> On 10/5/2022 4:18 PM, Mirsad Goran Todorovac wrote:
> >
> > P.S.
> >
> > Forgot to mention, the VPN client is Windows 10 Professional
> > version 21H2:
> >
> > Kind regards,
> >
> > mt
> >
> > On 5.10.2022. 15:58, Mirsad Goran Todorovac wrote:  
> >> Hi all,
> >>
> >> Our VPN worked well until we moved to IPv6, and now it works only 
> >> with IPv6 disabled,
> >> which is not practical (change of network settings resets all
> >> Putty terminal and all ssh connections
> >> among others ... ).
> >>
> >> The configuration is as follows:
> >>
> >> conn MYCONN-ikev2-ipv6-cp
> >>         # The server's actual IP goes here - not elastic IPs
> >>         left=2001:b68:2:2600::3
> >>         leftcert=magrf.grf.hr
> >>         leftid=@magrf.grf.hr
> >>         leftsendcert=always
> >>         leftsubnet=0::/0
> >>         leftrsasigkey=%cert
> >>         # Clients
> >>         right=%any
> >>         # your addresspool to use - you might need NAT rules if providing full internet to clients
> >>         rightaddresspool=fd00:2600:1000:0000/64

Your addresspool is too big. If I remember correctly, maximum size is 96
bits.

> >>         # optional rightid with restrictions
> >>         # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
> >>         rightca=%same
> >>         rightrsasigkey=%cert
> >>         #
> >>         # connection configuration
> >>         # DNS servers for clients to use
> >>         modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
> >>         narrowing=yes
> >>         # recommended dpd/liveness to cleanup vanished clients
> >>         dpddelay=30
> >>         dpdtimeout=120

dpdtimeout is not valid with ikev2.

> >>         dpdaction=clear
> >>         auto=add
> >>         ikev2=insist
> >>         rekey=no
> >>         # Set ikelifetime and keylife to same defaults windows has
> >>         # ikelifetime=8h
> >>         # keylife=2h
> >>         ms-dh-downgrade=yes

This is not needed any more, Windows 10+ has been fixed to allow dh14
or dh19 without downgrade on rekey.

And I must say I haven't tested windows 10 with ipv6 yet so there might
be unseen issues.

With libreswan I've been using dual stack IPsec for some years, with
ipv4 over ipv4 + ipv6 over ipv6. That works, but windows wants ipv4 +
ipv6 over ipv6 or ipv4 which is not yet supported.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
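An added example, not part of this thread and not libreswan's own code: a small Python linter that applies the three points from the reply above to a single `conn` section. The "96 bits" limit is interpreted as "the IPv6 pool prefix must be /96 or longer (at most 2**32 addresses)"; that reading, the `MIN_IPV6_POOL_PREFIX` constant, and the assumption that libreswan 4 defaults to IKEv2 when `ikev2=` is absent are assumptions of the example, not statements from the thread. The sample `conn` is the one quoted above with the mail quoting and comments stripped.

```python
"""Lint one libreswan 'conn' section for the points raised in the reply above.

Added example, not libreswan code. Rules implemented:
  - an IPv6 rightaddresspool= must not be too large (ASSUMPTION: the
    "96 bits" limit is read as a prefix of /96 or longer, i.e. at most
    2**32 addresses; change MIN_IPV6_POOL_PREFIX if your version differs);
  - dpdtimeout= is not valid for an IKEv2 connection;
  - ms-dh-downgrade= is no longer needed for Windows 10 and later (info only).
"""
import ipaddress

# ASSUMPTION: shortest IPv6 pool prefix the linter accepts.
MIN_IPV6_POOL_PREFIX = 96
MAX_IPV6_POOL_SIZE = 2 ** (128 - MIN_IPV6_POOL_PREFIX)

# Constructed sample: the conn from the thread, mail quoting and comments removed.
SAMPLE_CONN = """\
conn MYCONN-ikev2-ipv6-cp
        left=2001:b68:2:2600::3
        leftcert=magrf.grf.hr
        leftid=@magrf.grf.hr
        leftsendcert=always
        leftsubnet=0::/0
        leftrsasigkey=%cert
        right=%any
        rightaddresspool=fd00:2600:1000:0000/64
        rightca=%same
        rightrsasigkey=%cert
        modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
        narrowing=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        rekey=no
        ms-dh-downgrade=yes
"""


def parse_conn(text):
    """Return (name, {key: value}) for one conn block; '#' comments and blank lines are ignored."""
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            name = line[len("conn "):].strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return name, params


def pool_bounds(value):
    """Return (first, last) for a pool given as CIDR or 'lo-hi'; raise ValueError if malformed."""
    if "-" in value:
        lo, hi = (s.strip() for s in value.split("-", 1))
        first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if first.version != last.version or int(last) < int(first):
            raise ValueError("bad address range")
        return first, last
    net = ipaddress.ip_network(value, strict=False)
    return net.network_address, net.broadcast_address


def lint_conn(text):
    """Return a list of (severity, code, message) findings in a fixed order."""
    name, p = parse_conn(text)
    findings = []

    pool = p.get("rightaddresspool")
    if pool is not None:
        try:
            first, last = pool_bounds(pool)
        except ValueError:
            findings.append(("error", "pool-invalid",
                             f"{name}: rightaddresspool={pool} is not a valid address, network or range"))
        else:
            size = int(last) - int(first) + 1
            if first.version == 6 and size > MAX_IPV6_POOL_SIZE:
                findings.append(("error", "pool-too-large",
                                 f"{name}: rightaddresspool={pool} has {size} addresses; "
                                 f"use a /{MIN_IPV6_POOL_PREFIX} or longer prefix"))

    # ASSUMPTION: libreswan 4 defaults to IKEv2 when ikev2= is absent.
    if p.get("ikev2", "yes") in ("yes", "insist", "propose") and "dpdtimeout" in p:
        findings.append(("error", "dpdtimeout-ikev2",
                         f"{name}: dpdtimeout= is not valid with IKEv2; keep dpddelay= only"))

    if p.get("ms-dh-downgrade") == "yes":
        findings.append(("info", "ms-dh-downgrade",
                         f"{name}: ms-dh-downgrade=yes is no longer needed for Windows 10 and later"))
    return findings


if __name__ == "__main__":
    for severity, code, msg in lint_conn(SAMPLE_CONN):
        print(f"{severity}: [{code}] {msg}")
```

Run against the sample, the linter reports the pool as unparseable (the quoted value has four groups and no `::`, so it is not a valid IPv6 network even before the size question), flags `dpdtimeout=` under `ikev2=insist`, and notes `ms-dh-downgrade=yes` as unnecessary; with a well-formed `/64` it reports the pool as too large, and a `/96` passes the size check.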