On 12.7.2022. 14:57, Mirsad Goran Todorovac wrote:

On 7/11/2022 9:35 PM, Paul Wouters wrote:

On Mon, 11 Jul 2022, Mirsad Goran Todorovac wrote:

Pluto log is here: https://magrf.grf.hr/~mtodorov/tmp/ikev2-20220711-01.log

Jul 11 20:20:47.820601: | sending 473 bytes for STATE_V2_PARENT_R0 through enp1s0 from [2001:b68:2:2600::3]:500 to [2a05:4f46:31a:7500:f4ab:160e:24dc:df90]:500 using UDP (for #4)

The client does not respond to libreswan's answer. The reason for a lack
of response would be on the client side log?
Hi, Paul, thank Heavens you are here!

We have lost VPN connectivity since we introduced IPv6, I suppose.
The problem is that MS VPN client has IPv6 preference.

The Windows 10 client reports in evtlog:

"The user SYSTEM dialed a connection named GRF IKEv2 magrf which has failed. The error code returned on failure is 809."

Google says this Rasclient error is connected with a firewall or lack of connectivity between the client and server computer.
Connectivity scan shows this:

C:\Users\mtodo>nmap -6 -sU -p 500,4500 magrf.grf.hr
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-12 08:35 Central European Daylight Time
Nmap scan report for magrf.grf.hr (2001:b68:2:2600::3)
Host is up (0.0015s latency).
Other addresses for magrf.grf.hr (not scanned): 161.53.83.3

PORT     STATE         SERVICE
500/udp  open|filtered isakmp
4500/udp closed        nat-t-ike

Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
C:\Users\mtodo>

I checked with our NOC and they asserted that it is not the IPv6 firewall. This is in line with the fact that I tried to establish a connection to the local server on the same subnet.
There seems to be a gotcha here: Windows 10 VPN client attempts to connect to port 4500 (nat-t-ike):

16:29:26.860159 IP6 (flowlabel 0xd2a37, hlim 128, next-header UDP (17) payload length: 1264) 2001:b68:2:2600::51.4500 > 2001:b68:2:2600::3.4500: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 00000001 cookie 9db4ab32a688a0c0->bbedac47611d87f2: child_sa  ikev2_auth[I]:
    (#53) [|v2IDi]

And here you say you do not listen on 4500: https://lists.libreswan.org/pipermail/swan/2018/002487.html

Is there a way around this?

Thank you.

Mirsad

--
Mirsad Todorovac
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
Sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
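The tcpdump line in the post shows the Windows client sending IKE_AUTH inside NAT-T framing on UDP 4500 ("NONESP-encap"). As an added illustration, not code from this thread or from libreswan, the Python below applies the RFC 3948 framing rules a port 4500 listener has to handle: a four-byte zero "non-ESP marker" precedes the IKE header, a nonzero first word is the SPI of UDP-encapsulated ESP, and a single 0xFF byte is a NAT keepalive, while port 500 carries the bare IKE header. The sample datagram is constructed; it reuses the SPIs, exchange type and message ID shown in the capture and omits the encrypted body.

```python
import struct
from dataclasses import dataclass

# IKEv2 header (RFC 7296 s3.1): SPIi, SPIr, next payload, version, exchange, flags, msg id, length
IKE_HEADER = struct.Struct(">QQBBBBII")
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s2.2: marks IKE (not ESP) on UDP 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s2.3: one-byte keepalive on UDP 4500

@dataclass
class IkeHeader:
    spi_i: int
    spi_r: int
    version: str
    exchange: str
    initiator: bool
    response: bool
    msg_id: int
    length: int

def parse_ike_header(buf: bytes) -> IkeHeader:
    """Decode the fixed 28-byte IKEv2 header at the start of buf."""
    if len(buf) < IKE_HEADER.size:
        raise ValueError("datagram shorter than an IKE header")
    spi_i, spi_r, _next, ver, exch, flags, msg_id, length = IKE_HEADER.unpack_from(buf)
    return IkeHeader(spi_i, spi_r, f"{ver >> 4}.{ver & 0xF}", EXCHANGE_TYPES.get(exch, str(exch)),
                     bool(flags & FLAG_INITIATOR), bool(flags & FLAG_RESPONSE), msg_id, length)

def classify_udp_payload(port: int, payload: bytes):
    """Return ('ike', header), ('esp', spi) or ('keepalive', None) for a datagram
    received on UDP 500 or 4500, applying the port 4500 framing rules."""
    if port == 500:
        return "ike", parse_ike_header(payload)
    if port == 4500:
        if payload == NAT_KEEPALIVE:
            return "keepalive", None
        if payload[:4] == NON_ESP_MARKER:
            return "ike", parse_ike_header(payload[4:])   # strip marker, then IKE header
        return "esp", int.from_bytes(payload[:4], "big")  # UDP-encapsulated ESP; first word is the SPI
    raise ValueError(f"not an IKE/NAT-T port: {port}")

# Constructed sample: IKE_AUTH request (exchange 35), Initiator flag, message ID 1, next payload
# SK (46), framed for port 4500 with the non-ESP marker; SPIs taken from the captured summary.
SAMPLE_NATT = NON_ESP_MARKER + IKE_HEADER.pack(
    0x9DB4AB32A688A0C0, 0xBBEDAC47611D87F2, 46, 0x20, 35, FLAG_INITIATOR, 1, IKE_HEADER.size)
```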

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
