List: strongswan-users
Subject: Re: [strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing
From: Adrian Milanoski <amilanoski () blackberry ! com>
Date: 2013-11-19 1:33:28
Message-ID: 5508DE1B382B00488B786B030C251081733342B1 () XMB136CNC ! rim ! net
Hi Martin,
Sorry for the confusing email...
I have set IPv6 forwarding on ALL interfaces to 1
/proc/sys/net/ipv6/conf/all/forwarding
1
cat /proc/sys/net/ipv6/conf/eth0/forwarding
1
cat /proc/sys/net/ipv6/conf/eth1/forwarding
1
Client is assigned the following
inet6 fc00::2:2 -> prefixlen 64
so client address falls under my IPv6 subnet fc00::/64
I can still ping my private interface on my GW from my client
Client to Private Interface - SUCCESS
ping6 fc00::a
PING6(56=40+8+8 bytes) fc00::2:2 --> fc00::a
16 bytes from fc00::a, icmp_seq=0 hlim=64 time=11 ms
16 bytes from fc00::a, icmp_seq=1 hlim=64 time=9 ms
16 bytes from fc00::a, icmp_seq=2 hlim=64 time=9 ms
16 bytes from fc00::a, icmp_seq=3 hlim=64 time=10 ms
16 bytes from fc00::a, icmp_seq=4 hlim=64 time=9 ms
16 bytes from fc00::a, icmp_seq=5 hlim=64 time=3 ms
--- fc00::a ping6 statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max = 3/8/11 ms
variance = -558 ms^2
Client to Default GW on Private subnet - FAILS
ping6 fc00::1
PING6(56=40+8+8 bytes) fc00::2:2 --> fc00::1
--- fc00::1 ping6 statistics ---
12 packets transmitted, 0 packets received, 100.0% packet loss
Tcpdump from GW on failed pings
tcpdump -n -i any proto 50 or proto 1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
18:14:59.523462 IP 10.135.181.149 > 10.137.205.167: ESP(spi=0xc9265503,seq=0xdd), length 100
18:15:00.523155 IP 10.135.181.149 > 10.137.205.167: ESP(spi=0xc9265503,seq=0xde), length 100
18:15:01.523917 IP 10.135.181.149 > 10.137.205.167: ESP(spi=0xc9265503,seq=0xdf), length 100
18:15:02.523181 IP 10.135.181.149 > 10.137.205.167: ESP(spi=0xc9265503,seq=0xe0), length 100
Is there something else that needs to be set in the kernel for IPv6 to properly forward and route traffic?
Regards,
Adrian Milanoski
Lab Administrator
BBOS WiFI VPN. Security Testing – R&D
Tel.(289) 261-5801 | Cel: (647) 289-261-5801
Email amilanoski@blackberry.com
-----Original Message-----
From: users-bounces+amilanoski=rim.com@lists.strongswan.org [mailto:users-bounces+amilanoski=rim.com@lists.strongswan.org] On Behalf Of Adrian Milanoski
Sent: Monday, November 18, 2013 2:15 PM
To: Martin Willi
Cc: Users@lists.strongswan.org
Subject: Re: [strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing
Hi,
Changed forwarding to 1 on all interfaces now.
Regards,
Adrian Milanoski
Lab Administrator
BBOS WiFI VPN. Security Testing – R&D
Tel.(289) 261-5801 | Cel: (647) 289-261-5801 Email amilanoski@blackberry.com
rightsourceip=fc00::2:0/64
Subnet on the private side is
FCc00::/64
This should be fine. Should it not?
Is there any other parameter I need to adjust?
-----Original Message-----
From: Martin Willi [mailto:martin@strongswan.org]
Sent: Monday, November 18, 2013 5:02 AM
To: Adrian Milanoski
Cc: Users@lists.strongswan.org
Subject: Re: [strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing
Hi,
> cat /proc/sys/net/ipv6/conf/eth1/forwarding
And this is true for all involved interfaces?
> > Do LAN hosts know they have to forward rightsourceip addresses over
> > the gateway? (the farp plugin works for IPv4 only)
>
> Unsure how to address this. I see my client doing ARP requests, but I
> never see anything come to my GW.
I assume you are talking about ICMPv6 Neighbor Discovery here?
Your LAN hosts most likely assume that the addresses you hand out to the road warrior are on the local LAN, while they are not. You'll need to allocate the rightsourceip addresses from a dedicated subnet, and make sure that the LAN hosts have a route for them over the IPsec gateway. This can be an explicit route, or a part of the default route.
Regards
Martin
---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, \
privileged material (including material protected by the solicitor-client or other \
applicable privileges), or constitute non-public information. Any use of this \
information by anyone other than the intended recipient is prohibited. If you have \
received this transmission in error, please immediately reply to the sender and \
delete this information from your system. Use, dissemination, distribution, or \
reproduction of this transmission by unintended recipients is not authorized and may \
be unlawful. _______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
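
Added example (not part of the original messages, and not strongSwan code): a small model of the routing problem Martin describes, using the addresses from this thread. It shows that rightsourceip=fc00::2:0/64 covers the same /64 as the LAN, so a LAN host treats the client as on-link instead of sending replies to the IPsec gateway. The dedicated pool fc00:1::/64 and the function names are assumptions chosen for illustration.

```python
import ipaddress

def parse_pool(rightsourceip):
    """Return the network a rightsourceip value covers.
    strict=False because the thread's value (fc00::2:0/64) has host bits set."""
    return ipaddress.ip_network(rightsourceip.strip(), strict=False)

def audit_pool(rightsourceip, lan_prefix):
    """Report whether the virtual-IP pool overlaps the LAN prefix."""
    pool = parse_pool(rightsourceip)
    lan = ipaddress.ip_network(lan_prefix)
    return {"pool": str(pool), "overlaps_lan": pool.overlaps(lan)}

def lan_host_next_hop(dst, lan_prefix, routes):
    """Model a LAN host's forwarding decision for a reply to dst.
    routes: list of (prefix, gateway) entries; the longest matching prefix wins.
    Returns "on-link" (Neighbor Discovery on the LAN segment, never reaching
    the IPsec gateway), a gateway address, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_network(lan_prefix), "on-link")]
    table += [(ipaddress.ip_network(p), gw) for p, gw in routes]
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

if __name__ == "__main__":
    LAN = "fc00::/64"      # private subnet from the thread
    GW = "fc00::a"         # IPsec gateway's private interface (from the thread)

    # Configuration from the thread: the pool is carved out of the LAN prefix.
    print(audit_pool("fc00::2:0/64", LAN))
    print(lan_host_next_hop("fc00::2:2", LAN, []))        # on-link

    # Assumed fix: dedicated pool plus a route on the LAN host via the gateway.
    print(audit_pool("fc00:1::/64", LAN))
    print(lan_host_next_hop("fc00:1::2", LAN, [("fc00:1::/64", GW)]))
```
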