Can't set up IPv6 for IKEv2 VPN


Can't set up IPv6 for IKEv2 VPN

Aram Hăvărneanu
Hello,

I am trying to set up a dual-stack IKEv2/IPsec VPN. The server is
OpenBSD (obviously). The clients are macs (so far). IPv4 works, but
I can't get IPv6 working for the clients. The clients get a v6 IP
and a good route, but it seems routing doesn't work on OpenBSD's
side.

I am using an /48 IPv6 tunnel from HE.

    Server IPv4:209.51.161.14
    Server IPv6:2001:470:1f06:95f::1/64
    Client IPv4:207.246.122.61
    Client IPv6:2001:470:1f06:95f::2/64
    Routed IPv6 Prefixes
        Routed /48:2001:470:8c78::/48

IPv6 connectivity works from OpenBSD:

    freedom# uname -a
    OpenBSD freedom.mgk.ro 6.4 GENERIC.MP#364 amd64
    freedom#
    freedom# ifconfig gif0 # HE tunnel                                            
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            index 4 priority 0 llprio 3
            groups: gif egress
            tunnel: inet 207.246.122.61 -> 209.51.161.14 ttl 64 nodf
            inet6 fe80::42bc:4cfd:6395:7fe%gif0 ->  prefixlen 64 scopeid 0x4
            inet6 2001:470:1f06:95f::2 -> 2001:470:1f06:95f::1 prefixlen 128
    freedom#
    freedom# route show -inet6 | grep default
    default            tunnel521973.tunne UGS        0        3     -     8 gif0
    default            fe80::fc00:1ff:fed UGS        0        0     -    56 vio0
    freedom# traceroute6 google.com                                                
    traceroute6 to google.com (2607:f8b0:4006:81a::200e), 64 hops max, 60 byte packets
     1  tunnel521973.tunnel.tserv4.nyc4.ipv6.he.net (2001:470:1f06:95f::1)  9.048 ms  7.025 ms  6.35 ms
     2  ve422.core1.nyc4.he.net (2001:470:0:5d::1)  1.822 ms  1.727 ms  5.251 ms
     3  core1-0-0-8.lga.net.google.com (2001:504:f::27)  1.836 ms  1.661 ms  1.659 ms
     4  2001:4860:0:1125::1 (2001:4860:0:1125::1)  4.234 ms  3.801 ms 2001:4860:0:1127::1 (2001:4860:0:1127::1)  3.834 ms
     5  2001:4860:0:1::17b (2001:4860:0:1::17b)  3.613 ms 2001:4860:0:1::995 (2001:4860:0:1::995)  2.823 ms 2001:4860:0:1::17b (2001:4860:0:1::17b)  2.854 ms
     6  lga25s62-in-x0e.1e100.net (2607:f8b0:4006:81a::200e)  2.829 ms  2.764 ms  2.598 ms
    freedom#

I created enc0 for IPsec, and assigned the /48 to it:

    freedom# cat /etc/hostname.enc0                                                
    inet 172.24.24.1 255.255.255.0 172.24.24.255
    inet6 2001:470:8c78:a0:: 64
    up

I enabled IP forwarding:

    freedom# cat /etc/sysctl.conf                                                  
    hw.smt=1
    net.inet.ip.forwarding=1
    net.inet6.ip6.forwarding=1
    freedom#

My iked.conf is

    freedom# cat /etc/iked.conf                                                    
    ikev2 "vpn" passive ipcomp esp \
            from 0.0.0.0/0 to 0.0.0.0/0 \
            local egress peer any \
            psk "XXXXXXXX" \
            config address 172.24.24.0/24 \
            config address 2001:470:8c78:a0::/64 \
            config name-server 172.24.24.1 \
            config name-server 2001:470:8c78:a0:: \
            tag "vpn" tap enc0
    freedom#

The mac clients "see" the IPv6 address, and create a route:

    emerald:aram$ ifconfig ipsec0
    ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
    inet 172.24.24.193 --> 172.24.24.193 netmask 0xff000000
    inet6 fe80::3ac9:86ff:fe32:4e3f%ipsec0 prefixlen 64 scopeid 0xf
    inet6 2001:470:8c78:a0::82f8:21d4 prefixlen 64
    nd6 options=201<PERFORMNUD,DAD>
    emerald:aram$
    emerald:aram$ netstat -nr | grep default
    default            link#15            UCS           110        0  ipsec0      
    default            192.168.0.1        UGScI          19        0     en0      
    default            192.168.0.1        UGScI           3        0     en1      
    default                                 2001:470:8c78:a0::              UGc          ipsec0      
    default                                 fe80::%utun0                    UGcI          utun0      
    default                                 fe80::%utun1                    UGcI          utun1      
    default                                 fe80::%utun2                    UGcI          utun2

I can do IPv4 from the clients, but not IPv6.

    emerald:aram$ ping 1.1.1.1
    PING 1.1.1.1 (1.1.1.1): 56 data bytes
    64 bytes from 1.1.1.1: icmp_seq=0 ttl=58 time=106.972 ms
    64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=107.661 ms
    64 bytes from 1.1.1.1: icmp_seq=2 ttl=58 time=108.039 ms
    ^C
    --- 1.1.1.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 106.972/107.557/108.039/0.442 ms
    emerald:aram$ ping6 google.com
    PING6(56=40+8+8 bytes) 2001:470:8c78:a0::82f8:21d4 --> 2607:f8b0:4006:800::200e
    ^C
    --- google.com ping6 statistics ---
    4 packets transmitted, 0 packets received, 100.0% packet loss
    emerald:aram$ ping6 2001:470:8c78:a0::
    PING6(56=40+8+8 bytes) 2001:470:8c78:a0::82f8:21d4 --> 2001:470:8c78:a0::
    ^C
    --- 2001:470:8c78:a0:: ping6 statistics ---
    4 packets transmitted, 0 packets received, 100.0% packet loss
    emerald:aram$
    emerald:aram$

As you can see I can't even ping the OpenBSD endpoint over IPv6.

From the OpenBSD side, I can't ping the client either on IPv6 (IPv4
works):

    freedom# ping6 2001:470:8c78:a0::82f8:21d4
    PING 2001:470:8c78:a0::82f8:21d4 (2001:470:8c78:a0::82f8:21d4): 56 data bytes
    ping6: sendmsg: Message too long
    ping: wrote 2001:470:8c78:a0::82f8:21d4 64 chars, ret=-1
    ping6: sendmsg: Message too long
    ping: wrote 2001:470:8c78:a0::82f8:21d4 64 chars, ret=-1
    ^C
    --- 2001:470:8c78:a0::82f8:21d4 ping statistics ---
    2 packets transmitted, 0 packets received, 100.0% packet loss
    freedom# ping 172.24.24.193                
    PING 172.24.24.193 (172.24.24.193): 56 data bytes
    64 bytes from 172.24.24.193: icmp_seq=0 ttl=64 time=107.996 ms
    64 bytes from 172.24.24.193: icmp_seq=1 ttl=64 time=106.241 ms
    ^C
    --- 172.24.24.193 ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 106.241/107.118/107.996/0.878 ms
    freedom#

Also on the OpenBSD side, I can see the ICMP packets coming from
the client and arriving on enc0:

    freedom# tcpdump -n -e -ttt -i enc0  
    tcpdump: listening on enc0, link-type ENC
    Feb 11 13:59:48.962485 (authentic,confidential): SPI 0x1e6e0c04: 2001:470:8c78:a0::82f8:21d4 > 2001:470:8c78:a0::: icmp6: echo request [flowlabel 0xdea34] (encap)
    Feb 11 13:59:49.963477 (authentic,confidential): SPI 0x1e6e0c04: 2001:470:8c78:a0::82f8:21d4 > 2001:470:8c78:a0::: icmp6: echo request [flowlabel 0xdea34] (encap)
    ^C

So the packets come, but something happens to them.

My pf.conf is:

    set skip on lo

    block return    # block stateless traffic
    pass            # establish keep-state

    # NAT
    match in all scrub (no-df random-id max-mss 1440)
    match out on egress inet from !(egress:network) to any nat-to (egress:0)
    pass quick proto udp from any to self port {isakmp, ipsec-nat-t} keep state
    pass on enc0 from any to self keep state (if-bound)

    # By default, do not permit remote connections to X11
    block return in on ! lo0 proto tcp to port 6000:6010

    # Port build user does not need network
    block return out log proto {tcp udp} user _pbuild

And this is what pfctl -sr returns:

    freedom# pfctl -sr
    block return all
    pass all flags S/SA
    match in all scrub (no-df random-id max-mss 1440)
    match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
    pass quick inet6 proto udp from any to ::1 port = 500
    pass quick on lo0 inet6 proto udp from any to fe80::1 port = 500
    pass quick on vio0 inet6 proto udp from any to fe80::5400:1ff:fed3:aabd port = 500
    pass quick inet6 proto udp from any to 2001:470:8c78:a0:: port = 500
    pass quick on gif0 inet6 proto udp from any to fe80::42bc:4cfd:6395:7fe port = 500
    pass quick inet6 proto udp from any to 2001:470:1f06:95f::2 port = 500
    pass quick inet6 proto udp from any to ::1 port = 4500
    pass quick on lo0 inet6 proto udp from any to fe80::1 port = 4500
    pass quick on vio0 inet6 proto udp from any to fe80::5400:1ff:fed3:aabd port = 4500
    pass quick inet6 proto udp from any to 2001:470:8c78:a0:: port = 4500
    pass quick on gif0 inet6 proto udp from any to fe80::42bc:4cfd:6395:7fe port = 4500
    pass quick inet6 proto udp from any to 2001:470:1f06:95f::2 port = 4500
    pass quick inet proto udp from any to 127.0.0.1 port = 500
    pass quick inet proto udp from any to 207.246.122.61 port = 500
    pass quick inet proto udp from any to 172.24.24.1 port = 500
    pass quick inet proto udp from any to 127.0.0.1 port = 4500
    pass quick inet proto udp from any to 207.246.122.61 port = 4500
    pass quick inet proto udp from any to 172.24.24.1 port = 4500
    pass on enc0 inet from any to 127.0.0.1 flags S/SA keep state (if-bound)
    pass on enc0 inet from any to 207.246.122.61 flags S/SA keep state (if-bound)
    pass on enc0 inet from any to 172.24.24.1 flags S/SA keep state (if-bound)
    pass on enc0 inet6 from any to ::1 flags S/SA keep state (if-bound)
    pass on enc0 inet6 from any to 2001:470:8c78:a0:: flags S/SA keep state (if-bound)
    pass on enc0 inet6 from any to 2001:470:1f06:95f::2 flags S/SA keep state (if-bound)
    block return in on ! lo0 proto tcp from any to any port 6000:6010
    block return out log proto tcp all user = 55
    block return out log proto udp all user = 55

Any tips on what to do next? Do I need some special pf.conf
configuration?

Thanks!


Re: Can't set up IPv6 for IKEv2 VPN

Stefan Sperling-5
On Mon, Feb 11, 2019 at 03:32:17PM +0100, Aram Hăvărneanu wrote:
> Hello,
>
> I am trying to set up a dual-stack IKEv2/IPsec VPN. The server is
> OpenBSD (obviously). The clients are macs (so far). IPv4 works, but
> I can't get IPv6 working for the clients. The clients get a v6 IP
> and a good route, but it seems routing doesn't work on OpenBSD's
> side.

> My iked.conf is
>
>     freedom# cat /etc/iked.conf                                                    
>     ikev2 "vpn" passive ipcomp esp \
>             from 0.0.0.0/0 to 0.0.0.0/0 \
>             local egress peer any \
>             psk "XXXXXXXX" \
>             config address 172.24.24.0/24 \
>             config address 2001:470:8c78:a0::/64 \
>             config name-server 172.24.24.1 \
>             config name-server 2001:470:8c78:a0:: \
>             tag "vpn" tap enc0
>     freedom#

By default, iked inserts a flow which blocks IPv6. To prevent this,
either configure explicit IPv6 flows (from/to with IPv6 addresses),
or pass the -6 option to iked (see the man page).


Re: Can't set up IPv6 for IKEv2 VPN

Aram Hăvărneanu
> By default, iked inserts a flow which blocks IPv6. To prevent
> this, either configure explicit IPv6 flows (from/to with IPv6
> addresses), or pass the -6 option to iked (see the man page).

Forgot to mention that I already do this:

    freedom# cat /etc/rc.conf.local
    iked_flags=-6
    unbound_flags=

--
Aram Hăvărneanu


Re: Can't set up IPv6 for IKEv2 VPN

Aram Hăvărneanu
>> By default, iked inserts a flow which blocks IPv6. To prevent
>> this, either configure explicit IPv6 flows (from/to with IPv6
>> addresses), or pass the -6 option to iked (see the man page).
>
> Forgot to mention that I already do this:
>
>     freedom# cat /etc/rc.conf.local
>     iked_flags=-6
>     unbound_flags=

Hmm.

I was, indeed, passing -6, but I wasn't passing an explicit ::0/0
in iked.conf. This set-up works:

    freedom# cat /etc/iked.conf
    ikev2 "vpn" passive ipcomp esp \
            from 0.0.0.0/0 to 0.0.0.0/0 \
            from ::0/0 to ::0/0 \
            local egress peer any \
            psk "XXXXX" \
            config address 172.24.24.0/24 \
            config address 2001:470:8c78:a0::/64 \
            config name-server 172.24.24.1 \
            config name-server 2001:470:8c78:a0:: \
            tag "vpn" tap enc0

Many thanks for the pointer!

--
Aram Hăvărneanu
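
The fix in the message above comes down to one rule: a policy that hands out an IPv6 address pool also needs an IPv6 flow (`from ::0/0 to ::0/0`), because an IPv4 flow alone never matches IPv6 traffic. The script below is an added example, not code from the thread or from OpenBSD's iked; it joins the backslash-continued lines of an iked.conf policy, collects the address families of its `from`/`to` flows and its `config address` pools, and reports every pool family that has no flow of the same family. The two sample policies are constructed from the thread's before and after configs with the PSK left as a placeholder; the regexes assume the `from X to Y` and `config address X` phrasing seen on this page.

```python
"""Lint an iked.conf policy for pool/flow address-family mismatches."""
import ipaddress
import re

# Constructed sample: the original policy from the thread, IPv4 flow only.
SAMPLE_V4_ONLY = """\
ikev2 "vpn" passive ipcomp esp \\
        from 0.0.0.0/0 to 0.0.0.0/0 \\
        local egress peer any \\
        psk "PLACEHOLDER" \\
        config address 172.24.24.0/24 \\
        config address 2001:470:8c78:a0::/64 \\
        config name-server 172.24.24.1 \\
        tag "vpn" tap enc0
"""

# Constructed sample: the working policy, with an explicit IPv6 flow added.
SAMPLE_DUAL_STACK = """\
ikev2 "vpn" passive ipcomp esp \\
        from 0.0.0.0/0 to 0.0.0.0/0 \\
        from ::0/0 to ::0/0 \\
        local egress peer any \\
        psk "PLACEHOLDER" \\
        config address 172.24.24.0/24 \\
        config address 2001:470:8c78:a0::/64 \\
        tag "vpn" tap enc0
"""

FLOW_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")
POOL_RE = re.compile(r"\bconfig\s+address\s+(\S+)")
POLICY_RE = re.compile(r'^ikev2\s+"([^"]+)"')


def join_continuations(text):
    """Turn backslash-continued physical lines into logical lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(buf.strip())
        buf = ""
    if buf.strip():
        logical.append(buf.strip())
    return logical


def address_family(token):
    """4 or 6 for a literal address/prefix, None for 'any', 'egress', names."""
    try:
        return ipaddress.ip_network(token, strict=False).version
    except ValueError:
        return None


def policy_families(line):
    """Return (flow families, pool families) for one logical policy line."""
    flows = set()
    for src, dst in FLOW_RE.findall(line):
        for token in (src, dst):
            fam = address_family(token)
            if fam is not None:
                flows.add(fam)
    pools = {address_family(p) for p in POOL_RE.findall(line)}
    pools.discard(None)
    return flows, pools


def missing_flow_families(text):
    """Map each policy name to the pool families lacking a matching flow."""
    report = {}
    for line in join_continuations(text):
        m = POLICY_RE.match(line)
        if not m:
            continue
        flows, pools = policy_families(line)
        report[m.group(1)] = sorted(pools - flows)
    return report


if __name__ == "__main__":
    for label, conf in (("v4-only", SAMPLE_V4_ONLY), ("dual", SAMPLE_DUAL_STACK)):
        for name, missing in missing_flow_families(conf).items():
            state = "OK" if not missing else "no flow for IPv%s pool" % "/".join(map(str, missing))
            print("%s policy %r: %s" % (label, name, state))
```

Run against the first sample it reports that policy "vpn" offers an IPv6 pool with no IPv6 flow, which is exactly the symptom on this page: the client gets an address and a route, but no traffic can use them. The dual-stack sample passes. The check is static; it does not replace looking at `ipsecctl -sf` on the running system.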


Re: Can't set up IPv6 for IKEv2 VPN

Stefan Sperling-5
On Mon, Feb 11, 2019 at 03:51:00PM +0100, Aram Hăvărneanu wrote:
> > By default, iked inserts a flow which blocks IPv6. To prevent
> > this, either configure explicit IPv6 flows (from/to with IPv6
> > addresses), or pass the -6 option to iked (see the man page).
>
> Forgot to mention that I already do this:
>
>     freedom# cat /etc/rc.conf.local
>     iked_flags=-6
>     unbound_flags=

Have you tried configuring IPv6 flows instead?
Will 'from 0.0.0.0/0 to 0.0.0.0/0' actually match IPv6 traffic?


Re: Can't set up IPv6 for IKEv2 VPN

Fernando Gont-2
On 11/2/19 11:32, Aram Hăvărneanu wrote:
> Hello,
>
> I am trying to set up a dual-stack IKEv2/IPsec VPN. The server is
> OpenBSD (obviously). The clients are macs (so far). IPv4 works, but
> I can't get IPv6 working for the clients. The clients get a v6 IP
> and a good route, but it seems routing doesn't work on OpenBSD's
> side.

I haven't checked the OpenBSD-specific details of your post. That said,
keep in mind that if you expect your VPN to work across the public
Internet, there may be problems resulting from the widespread drop of
packets that employ IPv6 Extension Headers (such as the IPsec EHs).

See https://tools.ietf.org/html/rfc7872 for details. Note: while for
some reason I didn't include the corresponding measurements in RFC7872,
IPsec EHs *are* also dropped by many ASes.

You may want to tunnel IPsec over, say, UDP, or employ something else.

Thanks,
--
Fernando Gont
e-mail: [hidden email] || [hidden email]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1