<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi all,</p>
<p>I've tried to select IPv6 only in "VPN->Change adapter
options" parameters for the IKEv2 IPv6 connection.</p>
<p><img src="cid:part1.y2KI0gaI.6IeeKb4R@alu.unizg.hr" alt=""></p>
<p>/etc/ipsec.d/ikev2-ivp6.conf is:<br>
<br>
<font face="monospace">conn MYCONN-ikev2-ipv6-cp<br>
# The server's actual IP goes here - not elastic IPs<br>
left=2001:b68:2:2600::3<br>
leftcert=magrf-ipv6.grf.hr<br>
<a class="moz-txt-link-abbreviated" href="mailto:leftid=@magrf-ipv6.grf.hr">leftid=@magrf-ipv6.grf.hr</a><br>
leftsendcert=always<br>
leftsubnet=0::/0<br>
leftrsasigkey=%cert<br>
# Clients<br>
right=%any<br>
# your addresspool to use - you might need NAT rules if
providing full internet to clients<br>
rightaddresspool=fd00:2600:1000:0000::/96<br>
# optional rightid with restrictions<br>
# rightid="O=GRF-UNIZG,CN=win7client.grf.hr"<br>
rightca=%same<br>
rightrsasigkey=%cert<br>
#<br>
# connection configuration<br>
# DNS servers for clients to use<br>
modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001<br>
narrowing=yes<br>
# recommended dpd/liveness to cleanup vanished clients<br>
dpddelay=30<br>
# dpdtimeout=120<br>
dpdaction=clear<br>
auto=add<br>
ikev2=insist<br>
rekey=no<br>
# Set ikelifetime and keylife to same defaults windows
has<br>
# ikelifetime=8h<br>
# keylife=2h<br>
# ms-dh-downgrade=yes<br>
esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1<br>
#
esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null;modp1024<br>
# ikev2 fragmentation support requires libreswan 3.14 or
newer<br>
fragmentation=yes<br>
# optional PAM username verification (eg to implement
bandwidth quota<br>
# pam-authorize=yes<br>
authby=rsa-sha1<br>
hostaddrfamily=ipv6<br>
clientaddrfamily=ipv6</font><br>
</p>
<p>If interested in seeing what is going on, the session log is
here: <a moz-do-not-send="true"
href="https://magrf.grf.hr/~mtodorov/tmp/ikev2-ipv6-20221101-12.log"
class="moz-txt-link-freetext">https://magrf.grf.hr/~mtodorov/tmp/ikev2-ipv6-20221101-12.log</a></p>
<p>I thought that `ipsec barf` output might be interesting: <a
moz-do-not-send="true"
href="https://magrf.grf.hr/~mtodorov/tmp/ikey2-ipv6.barf"
class="moz-txt-link-freetext">https://magrf.grf.hr/~mtodorov/tmp/ikey2-ipv6.barf</a></p>
<p>I am not very skilled at debugging, but it seems that something
happens here:</p>
<p><font face="monospace">Nov 1 07:45:09.818966: | next payload
chain: setting previous 'ISAKMP Message'.'next payload type' to
current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)<br>
Nov 1 07:45:09.819018: | next payload chain: saving location
'IKEv2 Encryption Payload'.'next payload type' in 'information
exchange reply packet'<br>
Nov 1 07:45:09.819047: | emitting 16 zero bytes of IV into
IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819084: | adding 16 bytes of padding (including
1 byte padding-length)<br>
Nov 1 07:45:09.819109: | emitting 0 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819137: | emitting 1 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819162: | emitting 2 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819188: | emitting 3 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819214: | emitting 4 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819238: | emitting 5 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819260: | emitting 6 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819286: | emitting 7 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819311: | emitting 8 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819333: | emitting 9 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819358: | emitting 10 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819383: | emitting 11 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819409: | emitting 12 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819433: | emitting 13 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819457: | emitting 14 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819483: | emitting 15 as 1 bytes of padding and
length into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819509: | emitting 16 zero bytes of length of
truncated HMAC/KEY into IKEv2 Encryption Payload<br>
Nov 1 07:45:09.819535: | emitting length of IKEv2 Encryption
Payload: 52<br>
Nov 1 07:45:09.819556: | emitting length of ISAKMP Message: 80<br>
Nov 1 07:45:09.819646: | result: newref
clone-key@0x564de46775c0 (32-bytes, SHA256_HMAC)(init_symkey()
+99 /lib/libswan/ike_alg_prf_mac_nss_ops.c)<br>
Nov 1 07:45:09.819696: | integ: delref clone-key@0x564de46775c0<br>
Nov 1 07:45:09.819738: | recording outgoing fragment failed<br>
Nov 1 07:45:09.819768: | #1 complete_v2_state_transition()
ESTABLISHED_IKE_SA->ESTABLISHED_IKE_SA with status
STF_V2_RESPONDER_DELETE_IKE_FAMILY<br>
Nov 1 07:45:09.819815: | Message ID: IKE #1 finishing old
exchange (STF_V2_RESPONDER_DELETE_IKE_FAMILY) (initiator:
.sent=-1 .recv=-1 .recv_frags=0 .wip=-1 .last_sent=423503.900793
.last_recv=423503.900793 responder: .sent=1 .recv=1
.recv_frags=3 .wip=2 .last_sent=423504.263085
.last_recv=423504.262933)<br>
Nov 1 07:45:09.819853: | Message ID: IKE #1 updating responder
received message request 2 (initiator: responder: .recv=1->2
.recv_frags=3->0 .wip=2->-1
.last_recv=423504.262933->423504.308133)<br>
Nov 1 07:45:09.819887: | Message ID: IKE #1 updating responder
sent message response 2 (initiator: responder: .sent=1->2
.last_sent=423504.263085->423504.308169)<br>
Nov 1 07:45:09.819951: | sending 84 bytes for DELETE_IKE_FAMILY
through enp1s0 from [2001:b68:2:2600::3]:4500 to
[2a05:4f46:31a:7500::1]:4500 using UDP (for #1)<br>
Nov 1 07:45:09.819981: | 00 00 00 00 06 08 70 06 26 53 de
35 fa d2 2c 59 ......p.&S.5..,Y<br>
Nov 1 07:45:09.820006: | 37 38 4e e7 2e 20 25 20 00 00 00
02 00 00 00 50 78N.. % .......P<br>
Nov 1 07:45:09.820032: | 00 00 00 34 66 29 2e 94 42 25 a1
72 2d b9 66 7e ...4f)..B%.r-.f~<br>
Nov 1 07:45:09.820057: | 35 36 e7 6a b7 89 e5 36 91 2d 45
48 71 19 6e 47 56.j...6.-EHq.nG<br>
Nov 1 07:45:09.820083: | bc a9 7d 3c 10 36 05 69 8c 3a 98
95 27 72 95 96 ..}<.6.i.:..'r..<br>
Nov 1 07:45:09.820109: | 11 56 f1
ad .V..<br>
Nov 1 07:45:09.820262: | sent 1 messages<br>
Nov 1 07:45:09.820297: | delete_ike_family() called</font><br>
</p>
<p>... here pluto decides to call delete_ike_family() and tear down
already established up-lcinet-v6, prepare-client-v6 and
route-client-v6 ...</p>
<p>However, even after almost a year, I still cannot see through
this complexity, mainly because the Windows system is a black box.</p>
<p>The error from Windows 10 Ent event log is "840".</p>
<p><font face="monospace">"CoId={55E826AB-ED51-0003-7313-E95551EDD801}:
The user LAPTOP-MTODOROV\Mirsad dialed a connection named IKEv2
IPv6 magrf which has failed. The error code returned on failure
is 840."</font></p>
<p><font face="monospace">CoId={55E826AB-ED51-0003-7313-E95551EDD801}:
The user LAPTOP-MTODOROV\Mirsad has started dialing a VPN
connection using a per-user connection profile named IKEv2 IPv6
magrf. The connection settings are: <br>
Dial-in User = <br>
VpnStrategy = IKEv2<br>
DataEncryption = Requested<br>
PrerequisiteEntry = <br>
AutoLogon = No<br>
UseRasCredentials = Yes<br>
Authentication Type = Machine Certificate <br>
Ipv4DefaultGateway = Yes<br>
Ipv4AddressAssignment = By Server<br>
Ipv4DNSServerAssignment = By Server<br>
Ipv6DefaultGateway = Yes<br>
Ipv6AddressAssignment = By Server<br>
Ipv6DNSServerAssignment = By Server<br>
IpDnsFlags = <br>
IpNBTEnabled = Yes<br>
UseFlags = Private Connection<br>
ConnectOnWinlogon = No<br>
Mobility enabled for IKEv2 = Yes.</font></p>
<p>Somehow he doesn't want to realise that I have excluded IPv4 link
from connection here:</p>
<p><img src="cid:part2.RnSGEf50.Z185cVKa@alu.unizg.hr" alt=""></p>
<p><img src="cid:part3.k0g7V20X.YPcyRy17@alu.unizg.hr" alt=""></p>
<p>I have turned on NPT:</p>
<p><font face="monospace">root@magrf:~/libreswan_build#
ip6tables-save<br>
# Generated by ip6tables-save v1.8.7 on Tue Nov 1 08:23:09 2022<br>
*mangle<br>
:PREROUTING ACCEPT [0:0]<br>
:INPUT ACCEPT [0:0]<br>
:FORWARD ACCEPT [0:0]<br>
:OUTPUT ACCEPT [0:0]<br>
:POSTROUTING ACCEPT [0:0]<br>
-A PREROUTING ! -d 2001:b68:2:2600::3/128 -i enp1s0 -j DNPT
--src-pfx 2001:b68:2:2600::/64 --dst-pfx fd00:2600:1000::/64<br>
-A POSTROUTING -s fd00:2600:1000::/64 -o enp1s0 -j SNPT
--src-pfx fd00:2600:1000::/64 --dst-pfx 2001:b68:2:2600::/64<br>
COMMIT<br>
# Completed on Tue Nov 1 08:23:09 2022</font><br>
</p>
<p>Any idea would be welcome.</p>
<p>While there is danger of COVID I can always justify the need for
working from home and on VPNs.</p>
<p>Thank you very much in forward.<br>
I know that developers have a lot on their stack, so thank you for
your time and attention.<br>
</p>
<p>Kind regards,<br>
Mirsad<br>
</p>
<pre class="moz-signature" cols="72">--
Mirsad Todorovac
Sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
</body>
</html>