<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>P.S.</p>
<p>Forgot to mention, the VPN client is Windows 10 Professional
version 21H2:</p>
<p>[inline image attachment not reproduced]</p>
<p>Kind regards,</p>
<p>mt<br>
</p>
<div class="moz-cite-prefix">On 5.10.2022. 15:58, Mirsad Goran
Todorovac wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9c0dbe92-6533-7b2e-c4d0-cd98106a0327@alu.unizg.hr">Hi
all,
<br>
<br>
Our VPN worked well until we moved to IPv6, and now it works only
with IPv6 disabled,
<br>
which is not practical (change of network settings resets all
Putty terminal and all ssh connections
<br>
among others ... ).
<br>
<br>
The configuration is as follows:
<br>
<br>
<pre>conn MYCONN-ikev2-ipv6-cp
	# The server's actual IP goes here - not elastic IPs
	left=2001:b68:2:2600::3
	leftcert=magrf.grf.hr
	leftid=@magrf.grf.hr
	leftsendcert=always
	leftsubnet=0::/0
	leftrsasigkey=%cert
	# Clients
	right=%any
	# your addresspool to use - you might need NAT rules if providing full internet to clients
	rightaddresspool=fd00:2600:1000:0000/64
	# optional rightid with restrictions
	# rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
	rightca=%same
	rightrsasigkey=%cert
	#
	# connection configuration
	# DNS servers for clients to use
	modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
	narrowing=yes
	# recommended dpd/liveness to cleanup vanished clients
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear
	auto=add
	ikev2=insist
	rekey=no
	# Set ikelifetime and keylife to same defaults windows has
	# ikelifetime=8h
	# keylife=2h
	ms-dh-downgrade=yes
	esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
	# esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
	# ikev2 fragmentation support requires libreswan 3.14 or newer
	fragmentation=yes
	# optional PAM username verification (eg to implement bandwidth quota)
	# pam-authorize=yes
	authby=rsa-sha1
	hostaddrfamily=ipv6
	clientaddrfamily=ipv6
</pre>
<br>
I am using a small script that should allow NPT to the
VPN-allocated addr range:
<br>
<br>
<pre>#!/bin/bash

# 2022-10-05 mtodorov

GWY_EXTERNAL=2001:b68:2:2600::3
EXTERNAL=2001:b68:2:2600::/64
INTERNAL=fd00:2600:1000:0000::/64

case "$1" in
start)
	modprobe ip6table_mangle
	modprobe ip6t_NPT
	# Inbound: rewrite the external prefix to the pool prefix for everything not addressed to the gateway itself
	ip6tables -t mangle -A PREROUTING \! -d $GWY_EXTERNAL -i enp1s0 -j DNPT --src-pfx $EXTERNAL --dst-pfx $INTERNAL
	# Outbound: rewrite the pool prefix to the external prefix
	ip6tables -t mangle -A POSTROUTING -s $INTERNAL -o enp1s0 -j SNPT --src-pfx $INTERNAL --dst-pfx $EXTERNAL
	;;
stop)
	ip6tables -t mangle -D PREROUTING \! -d $GWY_EXTERNAL -i enp1s0 -j DNPT --src-pfx $EXTERNAL --dst-pfx $INTERNAL
	ip6tables -t mangle -D POSTROUTING -s $INTERNAL -o enp1s0 -j SNPT --src-pfx $INTERNAL --dst-pfx $EXTERNAL
	sleep 1
	modprobe -r ip6t_NPT
	modprobe -r ip6table_mangle
	;;
*)
	echo "Usage: $0 start | stop"
	exit 1
	;;
esac
</pre>
<br>
<br>
The result is:
<br>
<br>
<pre>root@magrf:~# ip6tables-save
# Generated by ip6tables-save v1.8.7 on Wed Oct 5 15:53:29 2022
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING ! -d 2001:b68:2:2600::3/128 -i enp1s0 -j DNPT --src-pfx 2001:b68:2:2600::/64 --dst-pfx fd00:2600:1000::/64
-A POSTROUTING -s fd00:2600:1000::/64 -o enp1s0 -j SNPT --src-pfx fd00:2600:1000::/64 --dst-pfx 2001:b68:2:2600::/64
COMMIT
# Completed on Wed Oct 5 15:53:29 2022
# Warning: ip6tables-legacy tables present, use ip6tables-legacy-save to see them
root@magrf:~#
</pre>
<br>
<br>
The session log is here:
<a class="moz-txt-link-freetext" href="https://magrf.grf.hr/~mtodorov/tmp/ikev2-ipv6-20221005-01.log">https://magrf.grf.hr/~mtodorov/tmp/ikev2-ipv6-20221005-01.log</a>
<br>
<br>
I hope this helps.
<br>
It seems to me that Libreswan attempts to retransmit to the VPN
client too early, within the same second?
<br>
<br>
Could that be a bug or is it a mistake in configuration?
<br>
<br>
Thank you.
<br>
<br>
Kind regards,
<br>
mt
<br>
<br>
</blockquote>
<pre class="moz-signature" cols="72">--
Mirsad Todorovac
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
Sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu</pre>
</body>
</html>