<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi all,</p>
<p>Now I'm really questioning the wisdom of implementing IPv6 on our
networks, for we lost VPN and I look incompetent, or even not of a sound
enough mind.</p>
<p>Here in Croatia, there are not really that many organisations that
have implemented IPv6, and there are not too many people to ask and share
experiences and solutions with.</p>
<p>Maybe I should raise an issue on this on GitHub?</p>
<p>Thank you<br>
</p>
<div class="moz-cite-prefix">On 10/5/2022 4:18 PM, Mirsad Goran
Todorovac wrote:<br>
</div>
<blockquote type="cite"
cite="mid:f6fb18af-6c1b-fee1-33e8-aba3e4104596@alu.unizg.hr">
<p>P.S.</p>
<p>Forgot to mention, the VPN client is Windows 10 Professional
version 21H2:</p>
<p>[inline image attachment, not reproduced here]</p>
<p>Kind regards,</p>
<p>mt<br>
</p>
<div class="moz-cite-prefix">On 5.10.2022. 15:58, Mirsad Goran
Todorovac wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9c0dbe92-6533-7b2e-c4d0-cd98106a0327@alu.unizg.hr">Hi
all, <br>
<br>
Our VPN worked well until we moved to IPv6, and now it works
only with IPv6 disabled, <br>
which is not practical (a change of network settings resets all
PuTTY terminals and all ssh connections, <br>
among other things ... ). <br>
<br>
The configuration is as follows: <br>
<br>
<pre>
conn MYCONN-ikev2-ipv6-cp
    # The server's actual IP goes here - not elastic IPs
    left=2001:b68:2:2600::3
    leftcert=magrf.grf.hr
    leftid=@magrf.grf.hr
    leftsendcert=always
    leftsubnet=0::/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    # (a /64 inside the INTERNAL prefix that the NPT script maps to the global /64; note the "::")
    rightaddresspool=fd00:2600:1000:0000::/64
    # optional rightid with restrictions
    # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    # Set ikelifetime and keylife to same defaults windows has
    # ikelifetime=8h
    # keylife=2h
    ms-dh-downgrade=yes
    esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
    # esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota)
    # pam-authorize=yes
    authby=rsa-sha1
    hostaddrfamily=ipv6
    clientaddrfamily=ipv6
</pre>
<br>
I am using a small script that should allow NPT to the
VPN-allocated addr range: <br>
<br>
<pre>
#!/bin/bash

# 2022-10-05 mtodorov
# NPTv6 (RFC 6296): map the ULA pool handed out to VPN clients 1:1 onto
# the site's global /64 on the external interface, and back.
#
# Not handled here: net.ipv6.conf.all.forwarding=1 must be set, and the
# upstream router must deliver packets for the mapped global addresses
# to this host (a route for them, or proxy NDP), otherwise the DNPT
# rule never sees them.

GWY_EXTERNAL=2001:b68:2:2600::3
EXTERNAL=2001:b68:2:2600::/64
INTERNAL=fd00:2600:1000:0000::/64
IFACE=enp1s0

case "$1" in
start)
    modprobe ip6table_mangle
    modprobe ip6t_NPT
    # Inbound: leave the gateway's own address alone (RETURN in a
    # built-in chain falls through to the chain policy, ACCEPT), then
    # rewrite what is addressed to the global /64.  Matching on
    # -d "$EXTERNAL" keeps DNPT away from multicast and link-local
    # destinations such as neighbour solicitations, which the target
    # would otherwise rewrite too.
    ip6tables -t mangle -A PREROUTING -i "$IFACE" -d "$GWY_EXTERNAL" -j RETURN
    ip6tables -t mangle -A PREROUTING -i "$IFACE" -d "$EXTERNAL" \
        -j DNPT --src-pfx "$EXTERNAL" --dst-pfx "$INTERNAL"
    # Outbound: client traffic from the ULA pool leaves with a global source.
    ip6tables -t mangle -A POSTROUTING -o "$IFACE" -s "$INTERNAL" \
        -j SNPT --src-pfx "$INTERNAL" --dst-pfx "$EXTERNAL"
    ;;
stop)
    ip6tables -t mangle -D PREROUTING -i "$IFACE" -d "$GWY_EXTERNAL" -j RETURN
    ip6tables -t mangle -D PREROUTING -i "$IFACE" -d "$EXTERNAL" \
        -j DNPT --src-pfx "$EXTERNAL" --dst-pfx "$INTERNAL"
    ip6tables -t mangle -D POSTROUTING -o "$IFACE" -s "$INTERNAL" \
        -j SNPT --src-pfx "$INTERNAL" --dst-pfx "$EXTERNAL"
    sleep 1
    modprobe -r ip6t_NPT
    modprobe -r ip6table_mangle
    ;;
*)
    echo "Usage: $0 start | stop" >&2
    exit 1
    ;;
esac
</pre>
<br>
The result is: <br>
<br>
<pre>
root@magrf:~# ip6tables-save
# Generated by ip6tables-save v1.8.7 on Wed Oct 5 15:53:29 2022
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING ! -d 2001:b68:2:2600::3/128 -i enp1s0 -j DNPT --src-pfx 2001:b68:2:2600::/64 --dst-pfx fd00:2600:1000::/64
-A POSTROUTING -s fd00:2600:1000::/64 -o enp1s0 -j SNPT --src-pfx fd00:2600:1000::/64 --dst-pfx 2001:b68:2:2600::/64
COMMIT
# Completed on Wed Oct 5 15:53:29 2022
# Warning: ip6tables-legacy tables present, use ip6tables-legacy-save to see them
root@magrf:~#
</pre>
<br>
The session log is here: <a class="moz-txt-link-freetext"
href="https://magrf.grf.hr/~mtodorov/tmp/ikev2-ipv6-20221005-01.log"
moz-do-not-send="true">https://magrf.grf.hr/~mtodorov/tmp/ikev2-ipv6-20221005-01.log</a>
<br>
<br>
I hope this helps. <br>
It seems to me that Libreswan attempts to retransmit to the VPN
client too early, within the same second? <br>
<br>
Could that be a bug, or is it a mistake in the configuration? <br>
<br>
Thank you. <br>
<br>
Kind regards, <br>
mt <br>
<br>
</blockquote>
<pre class="moz-signature" cols="72">--
Mirsad Todorovac
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
Sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Mirsad Todorovac
Sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
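<p>Added example (not code from libreswan or from the script in the thread): the prefix rewrite that the ip6tables SNPT/DNPT targets perform, written out in Python so the mapped addresses can be predicted when reading a tcpdump or the IKE log. It uses the two prefixes from the thread's script, rewrites a constructed client address from the fd00:2600:1000::/64 pool to 2001:b68:2:2600::/64 and back, and checks that the RFC 6296 adjustment word really keeps the TCP/UDP/ICMPv6 pseudo-header checksum unchanged. It also validates a rightaddresspool value (CIDR form assumed) against the NPT internal prefix, which flags a pool literal without "::" as unparseable. The client address and the helper names are mine, not from the thread; the word-selection rule follows RFC 6296 (word 3 for prefixes up to /48, otherwise the first interface-identifier word that is not 0xFFFF).</p>

```python
"""NPTv6 (RFC 6296) prefix translation as ip6tables SNPT/DNPT perform it,
plus a sanity check of a libreswan rightaddresspool against the NPT
prefixes.  Added example for this thread, not code from libreswan or
from the poster's script.

Assumptions not taken from the thread: the client address in demo() is
made up; pools are given in CIDR form; prefix lengths are at most /64."""
import ipaddress

# Prefixes from the poster's NPT script.
EXTERNAL = "2001:b68:2:2600::/64"
INTERNAL = "fd00:2600:1000:0000::/64"


def words(addr):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    n = int(ipaddress.IPv6Address(str(addr)))
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def oc_sum(ws):
    """One's complement sum of 16-bit words, folded back to 16 bits."""
    s = sum(ws)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def oc_sub(a, b):
    """One's complement a - b, i.e. a + ~b, folded to 16 bits."""
    return oc_sum([a, (~b) & 0xFFFF])


def npt_map(addr, src_pfx, dst_pfx):
    """Rewrite addr from src_pfx to dst_pfx, checksum-neutrally.

    SNPT applies this to the source address with (INTERNAL, EXTERNAL);
    DNPT applies it to the destination with (EXTERNAL, INTERNAL).
    Returns None where the kernel would drop the packet (every IID word
    is 0xFFFF, so no word can absorb the adjustment)."""
    src = ipaddress.IPv6Network(src_pfx)
    dst = ipaddress.IPv6Network(dst_pfx)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("NPT needs two prefixes of equal length, at most /64")
    plen = src.prefixlen
    # 1. swap the prefix bits, keep the host bits
    host_mask = (1 << (128 - plen)) - 1
    n = (int(ipaddress.IPv6Address(str(addr))) & host_mask) | int(dst.network_address)
    w = words(ipaddress.IPv6Address(n))
    # 2. adjustment = sum(old prefix) - sum(new prefix); adding it to one
    #    IID word leaves the one's complement sum of the whole address,
    #    and so the TCP/UDP/ICMPv6 pseudo-header checksum, unchanged.
    adj = oc_sub(oc_sum(words(src.network_address)), oc_sum(words(dst.network_address)))
    # 3. pick the word that carries it: word 3 for prefixes up to /48,
    #    otherwise the first IID word that is not 0xFFFF
    if plen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if w[i] != 0xFFFF), None)
        if idx is None:
            return None
    new = oc_sum([w[idx], adj])
    w[idx] = 0 if new == 0xFFFF else new  # 0xFFFF and 0 are the same one's complement value
    return ipaddress.IPv6Address(sum(x << (16 * (7 - i)) for i, x in enumerate(w)))


def checksum_neutral(a, b):
    """True if two addresses contribute the same value to a pseudo-header checksum."""
    return oc_sum(words(a)) % 0xFFFF == oc_sum(words(b)) % 0xFFFF


def check_pool(pool, internal_pfx):
    """Validate a libreswan rightaddresspool (CIDR form) against the NPT internal prefix.

    Returns (ok, reason).  A literal such as 'fd00:2600:1000:0000/64' has
    four groups and no '::', so it is not a parsable IPv6 prefix."""
    try:
        net = ipaddress.IPv6Network(pool, strict=False)
    except ValueError as err:
        return False, f"unparseable pool {pool!r}: {err}"
    inner = ipaddress.IPv6Network(internal_pfx)
    if not net.subnet_of(inner):
        return False, f"pool {net} is outside NPT prefix {inner}; SNPT would not match it"
    return True, f"pool {net} is inside {inner}"


def demo():
    """Round-trip one constructed client address through SNPT and then DNPT."""
    client = "fd00:2600:1000:0:a1b2:c3d4:e5f6:708"  # constructed sample, not from the thread
    outside = npt_map(client, INTERNAL, EXTERNAL)   # source as seen on the internet
    back = npt_map(outside, EXTERNAL, INTERNAL)     # destination as delivered to the client
    return str(outside), str(back), checksum_neutral(client, outside)


if __name__ == "__main__":
    print(demo())
    print(check_pool("fd00:2600:1000:0000/64", INTERNAL))
    print(check_pool("fd00:2600:1000:0000::/64", INTERNAL))
```

<p>With these prefixes the adjustment is 0xe195 outbound and 0x1e6a inbound, so a client at fd00:2600:1000:0:a1b2:... shows up on the internet as 2001:b68:2:2600:8348:..., not with an unchanged interface identifier; that is worth knowing before grepping a capture on the external interface for a client's pool address.</p>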
</body>
</html>