Strongswan, IPv4/v6 VPN from a Windows client

IPv4 has been working basically forever from certificates, but when I wind up on a connection that does both v4 and v6 there's trouble because the phone has handed a v6 address and DNS to the client, so it tries to resolve hosts via that method. I can get around it by not having the client get a v6 address in the first place but it would be better of course if both routed properly.

I'm aware of the issues with VPNs on Windows with v6 and it not installing routes, but have the workaround for that (basically have it load a route for 2000::/3 whenever the VPN comes up) and this works as I can see it.

I'm getting a /56 from my ISP and the first ("0") subnet goes on the internal interface of the gateway; all the internal hosts grab addresses off SLAAC and that (with rtadvd and such) is fine on the internal network; both v4 and v6 are functioning just fine. I use ipfw as a firewall and have checked to make sure I didn't miss something stupid in the logs there that's blocking this from working.

The problem is figuring out how to get StrongSwan to actually route down the VPN connection (Strongswan is running on the gateway.)

I'm on 14.1-STABLE, strongSwan swanctl 5.9.14.

The internal interface at present is
igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=4e1203b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
ether 00:0d:b9:46:71:89
inet 192.168.10.200 netmask 0xffffff00 broadcast 192.168.10.255
inet 192.168.2.200 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::20d:b9ff:fe46:7189%igb1 prefixlen 64 scopeid 0x2
inet6 2600:6c5d:5d01:8600:20d:b9ff:fe46:7189 prefixlen 64
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

There are also a couple of VLANs that are restricted but shouldn't be in play here.

If I allow a pool out of that /64 (which should not overlap since it will start at ::1) I get this and it connects which LOOKS ok:

root@IpGw:/usr/local/etc/swanctl/conf.d # swanctl -l
android: #2, ESTABLISHED, IKEv2, c8c6c5afcfba2dc1_i 01d359c938814be8_r*
local 'ipgw.denninger.net' @ 71.15.252.132[4500]
remote 'C=US, ST=Tennessee, O=Karl Denninger, CN=karl@denninger.net' @ 172.58.151.251[34965] [192.168.2.1 2600:6c5d:5d01:8600::1]
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 14s ago, rekeying in 13981s
android: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
installed 14s ago
in c391d42f, 0 bytes, 0 packets
out 149d5b3c, 0 bytes, 0 packets
local 0.0.0.0/0 fe80::20d:b9ff:fe46:7188/128
remote 192.168.2.1/32 2600:6c5d:5d01:8600::1/128

Except... nobody can see it. If I stick a tcpdump icmp6 on the external interface and ping it from the internet (off site) I get this in the log:
17:24:41.139556 IP6 market-ticker.org > syn-2600-6c5d-5d01-8600-0000-0000-0000-0001.biz6.spectrum.com: ICMP6, echo request, id 43421, seq 0, length 16
17:24:42.140695 IP6 market-ticker.org > syn-2600-6c5d-5d01-8600-0000-0000-0000-0001.biz6.spectrum.com: ICMP6, echo request, id 43421, seq 1, length 16
17:24:44.139655 IP6 syn-2600-6c5d-7009-0600-1446-c2e6-68af-b20d.biz6.spectrum.com > market-ticker.org: ICMP6, destination unreachable, unreachable address syn-2600-6c5d-5d01-8600-0000-0000-0000-0001.biz6.spectrum.com, length 64

And on the site sending the ping, no response.

If I ping it from INSIDE it appears that the neighbor solicitation is failing somewhere; running a tcpdump on the internal interface of the gateway (where the ping comes in from on an internal machine) has this showing up:

17:29:17.849867 IP6 syn-2600-6c5d-5d01-8600-526b-4bff-fe12-c858.biz6.spectrum.com > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has syn-2600-6c5d-5d01-8600-0000-0000-0000-0001.biz6.spectrum.com, length 32

And there's no response with a neighbor advertisement and target.

If I move the pool to a VLAN's (otherwise unused but assigned on igb1.4) /64 (e.g. ..8601) or a completely-unused /64 (e.g. ..8602) I get the same thing.

I also tried using ::/0 as the local side (instead of the local address of the external interface) and that too doesn't work.

ndp -a doesn't show the entry in the table for the client.

Am I missing something in the strongswan configuration to insert this when the connection comes up? The address could be different (there can be more than one remote "road warrior" machine connected to the gateway at a time) and I'm not sure how you'd tell it to set up a "permanent" link anyway, since Strongswan doesn't "appear" as an interface.

swanctl.conf is pretty basic; the salient section is:

connections {
    android {
        version = 2
        pools = remote_pool, remote_pool6
        local {
            auth = pubkey
            certs = ipgw-ecdsa.denninger.net.crt
            id = ipgw.denninger.net
        }
        remote {
            auth = pubkey
        }
        children {
            android {
                # local_ts = 0.0.0.0/0
                local_ts = 0.0.0.0/0, ::/0
                # local_ts = 0.0.0.0/0, fe80::20d:b9ff:fe46:7188/128

                rekey_time = 0
            }
        }
    }
}

Thanks in advance.
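An added example, not part of the original post, of the kind of swanctl updown hook the question is asking about. It assumes (the post does not confirm this) that the missing piece is a proxy-NDP entry on igb1 for each IPv6 pool address, so that the gateway itself answers the neighbor solicitation for 2600:6c5d:5d01:8600::1 that the tcpdump above shows going unanswered, and that FreeBSD's ndp -s ... proxy and ndp -d are the right calls to install and remove it. PLUTO_VERB, PLUTO_PEER_CLIENT and PLUTO_PEER are the variables strongSwan's updown plugin exports; the script path and the updown = ... line that wires it into the child section are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal strongSwan updown hook for FreeBSD
# that installs a proxy-NDP entry for each IPv6 pool address a road-warrior client receives,
# so the gateway answers neighbor solicitations for that address on the internal interface.
# Assumptions: the pool comes out of the on-link /64 on igb1 (2600:6c5d:5d01:8600::/64),
# proxy NDP is what the missing neighbor advertisement needs, and the hook is wired up with
#   updown = /usr/local/etc/swanctl/ndp-proxy.sh   (hypothetical path)
# in the child section of swanctl.conf.

LAN_LLADDR=00:0d:b9:46:71:89      # MAC of igb1, from the ifconfig output in the post
POOL6_PREFIX=2600:6c5d:5d01:8600: # only proxy for addresses out of this on-link /64

# Strip the prefix length from a traffic selector such as 2600:...::1/128.
ts_to_addr() {
    printf '%s\n' "${1%%/*}"
}

# Return 0 when the address belongs to the /64 we are willing to proxy for.
in_pool6() {
    case $1 in
        "$POOL6_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ndp(8) command for a given PLUTO_VERB and remote traffic selector.
# Prints nothing for IPv4 verbs, unknown verbs, or addresses outside the proxied /64,
# so the hook is a no-op for the 192.168.2.1/32 selector of the same child SA.
ndp_cmd_for() {
    verb=$1
    addr=$(ts_to_addr "$2")
    lladdr=$3
    in_pool6 "$addr" || return 0
    case $verb in
        up-client-v6)   printf 'ndp -s %s %s proxy\n' "$addr" "$lladdr" ;;
        down-client-v6) printf 'ndp -d %s\n' "$addr" ;;
        *) ;;
    esac
}

# When charon invokes the hook, PLUTO_VERB and PLUTO_PEER_CLIENT are set; otherwise
# (e.g. when sourced for testing) nothing below runs.
if [ -n "${PLUTO_VERB:-}" ]; then
    cmd=$(ndp_cmd_for "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-}" "$LAN_LLADDR")
    if [ -n "$cmd" ]; then
        logger -t ndp-proxy "$PLUTO_VERB peer ${PLUTO_PEER:-?}: $cmd"
        # The command is built from our own fixed words plus an address that cannot
        # contain whitespace, so plain field splitting is safe here (no eval).
        set -- $cmd
        "$@"
    fi
fi
```

The updown plugin calls the script once per traffic-selector pair, with a -v6 suffix on the verb for IPv6 selectors, which is why the hook keys on up-client-v6/down-client-v6 and ignores the rest. Because the entry is keyed on whatever address the pool handed out, it works for several concurrent road warriors without a fixed address in the config, and ndp -a should show the proxied entry while the client is connected.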