Can't set up IPv6 for IKEv2 VPN


Can't set up IPv6 for IKEv2 VPN

Aram Hăvărneanu
Hello,

I am trying to set up a dual-stack IKEv2/IPsec VPN. The server is
OpenBSD (obviously). The clients are macs (so far). IPv4 works, but
I can't get IPv6 working for the clients. The clients get a v6 IP
and a good route, but it seems routing doesn't work on OpenBSD's
side.

I am using an /48 IPv6 tunnel from HE.

    Server IPv4: 209.51.161.14
    Server IPv6: 2001:470:1f06:95f::1/64
    Client IPv4: 207.246.122.61
    Client IPv6: 2001:470:1f06:95f::2/64
    Routed IPv6 Prefixes
        Routed /48: 2001:470:8c78::/48

IPv6 connectivity works from OpenBSD:

    freedom# uname -a
    OpenBSD freedom.mgk.ro 6.4 GENERIC.MP#364 amd64
    freedom#
    freedom# ifconfig gif0 # HE tunnel                                            
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            index 4 priority 0 llprio 3
            groups: gif egress
            tunnel: inet 207.246.122.61 -> 209.51.161.14 ttl 64 nodf
            inet6 fe80::42bc:4cfd:6395:7fe%gif0 ->  prefixlen 64 scopeid 0x4
            inet6 2001:470:1f06:95f::2 -> 2001:470:1f06:95f::1 prefixlen 128
    freedom#
    freedom# route show -inet6 | grep default
    default            tunnel521973.tunne UGS        0        3     -     8 gif0
    default            fe80::fc00:1ff:fed UGS        0        0     -    56 vio0
    freedom# traceroute6 google.com                                                
    traceroute6 to google.com (2607:f8b0:4006:81a::200e), 64 hops max, 60 byte packets
     1  tunnel521973.tunnel.tserv4.nyc4.ipv6.he.net (2001:470:1f06:95f::1)  9.048 ms  7.025 ms  6.35 ms
     2  ve422.core1.nyc4.he.net (2001:470:0:5d::1)  1.822 ms  1.727 ms  5.251 ms
     3  core1-0-0-8.lga.net.google.com (2001:504:f::27)  1.836 ms  1.661 ms  1.659 ms
     4  2001:4860:0:1125::1 (2001:4860:0:1125::1)  4.234 ms  3.801 ms 2001:4860:0:1127::1 (2001:4860:0:1127::1)  3.834 ms
     5  2001:4860:0:1::17b (2001:4860:0:1::17b)  3.613 ms 2001:4860:0:1::995 (2001:4860:0:1::995)  2.823 ms 2001:4860:0:1::17b (2001:4860:0:1::17b)  2.854 ms
     6  lga25s62-in-x0e.1e100.net (2607:f8b0:4006:81a::200e)  2.829 ms  2.764 ms  2.598 ms
    freedom#

I created enc0 for IPsec, and assigned the /48 to it:

    freedom# cat /etc/hostname.enc0                                                
    inet 172.24.24.1 255.255.255.0 172.24.24.255
    inet6 2001:470:8c78:a0:: 64
    up

I enabled IP forwarding:

    freedom# cat /etc/sysctl.conf                                                  
    hw.smt=1
    net.inet.ip.forwarding=1
    net.inet6.ip6.forwarding=1
    freedom#

My iked.conf is

    freedom# cat /etc/iked.conf                                                    
    ikev2 "vpn" passive ipcomp esp \
            from 0.0.0.0/0 to 0.0.0.0/0 \
            local egress peer any \
            psk "XXXXXXXX" \
            config address 172.24.24.0/24 \
            config address 2001:470:8c78:a0::/64 \
            config name-server 172.24.24.1 \
            config name-server 2001:470:8c78:a0:: \
            tag "vpn" tap enc0
    freedom#

The mac clients "see" the IPv6 address, and create a route:

    emerald:aram$ ifconfig ipsec0
    ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
    inet 172.24.24.193 --> 172.24.24.193 netmask 0xff000000
    inet6 fe80::3ac9:86ff:fe32:4e3f%ipsec0 prefixlen 64 scopeid 0xf
    inet6 2001:470:8c78:a0::82f8:21d4 prefixlen 64
    nd6 options=201<PERFORMNUD,DAD>
    emerald:aram$
    emerald:aram$ netstat -nr | grep default
    default            link#15            UCS           110        0  ipsec0      
    default            192.168.0.1        UGScI          19        0     en0      
    default            192.168.0.1        UGScI           3        0     en1      
    default                                 2001:470:8c78:a0::              UGc          ipsec0      
    default                                 fe80::%utun0                    UGcI          utun0      
    default                                 fe80::%utun1                    UGcI          utun1      
    default                                 fe80::%utun2                    UGcI          utun2

I can do IPv4 from the clients, but not IPv6.

    emerald:aram$ ping 1.1.1.1
    PING 1.1.1.1 (1.1.1.1): 56 data bytes
    64 bytes from 1.1.1.1: icmp_seq=0 ttl=58 time=106.972 ms
    64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=107.661 ms
    64 bytes from 1.1.1.1: icmp_seq=2 ttl=58 time=108.039 ms
    ^C
    --- 1.1.1.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 106.972/107.557/108.039/0.442 ms
    emerald:aram$ ping6 google.com
    PING6(56=40+8+8 bytes) 2001:470:8c78:a0::82f8:21d4 --> 2607:f8b0:4006:800::200e
    ^C
    --- google.com ping6 statistics ---
    4 packets transmitted, 0 packets received, 100.0% packet loss
    emerald:aram$ ping6 2001:470:8c78:a0::
    PING6(56=40+8+8 bytes) 2001:470:8c78:a0::82f8:21d4 --> 2001:470:8c78:a0::
    ^C
    --- 2001:470:8c78:a0:: ping6 statistics ---
    4 packets transmitted, 0 packets received, 100.0% packet loss
    emerald:aram$
    emerald:aram$

As you can see I can't even ping the OpenBSD endpoint over IPv6.

From the OpenBSD side, I can't ping the client either on IPv6 (IPv4
works):

    freedom# ping6 2001:470:8c78:a0::82f8:21d4
    PING 2001:470:8c78:a0::82f8:21d4 (2001:470:8c78:a0::82f8:21d4): 56 data bytes
    ping6: sendmsg: Message too long
    ping: wrote 2001:470:8c78:a0::82f8:21d4 64 chars, ret=-1
    ping6: sendmsg: Message too long
    ping: wrote 2001:470:8c78:a0::82f8:21d4 64 chars, ret=-1
    ^C
    --- 2001:470:8c78:a0::82f8:21d4 ping statistics ---
    2 packets transmitted, 0 packets received, 100.0% packet loss
    freedom# ping 172.24.24.193                
    PING 172.24.24.193 (172.24.24.193): 56 data bytes
    64 bytes from 172.24.24.193: icmp_seq=0 ttl=64 time=107.996 ms
    64 bytes from 172.24.24.193: icmp_seq=1 ttl=64 time=106.241 ms
    ^C
    --- 172.24.24.193 ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 106.241/107.118/107.996/0.878 ms
    freedom#

Also on the OpenBSD side, I can see the ICMP packets coming from
the client and arriving on enc0:

    freedom# tcpdump -n -e -ttt -i enc0  
    tcpdump: listening on enc0, link-type ENC
    Feb 11 13:59:48.962485 (authentic,confidential): SPI 0x1e6e0c04: 2001:470:8c78:a0::82f8:21d4 > 2001:470:8c78:a0::: icmp6: echo request [flowlabel 0xdea34] (encap)
    Feb 11 13:59:49.963477 (authentic,confidential): SPI 0x1e6e0c04: 2001:470:8c78:a0::82f8:21d4 > 2001:470:8c78:a0::: icmp6: echo request [flowlabel 0xdea34] (encap)
    ^C

So the packets come, but something happens to them.

My pf.conf is:
                                                   
    set skip on lo
   
    block return    # block stateless traffic
    pass            # establish keep-state
   
    # NAT
    match in all scrub (no-df random-id max-mss 1440)
    match out on egress inet from !(egress:network) to any nat-to (egress:0)
    pass quick proto udp from any to self port {isakmp, ipsec-nat-t} keep state
    pass on enc0 from any to self keep state (if-bound)
   
    # By default, do not permit remote connections to X11
    block return in on ! lo0 proto tcp to port 6000:6010
   
    # Port build user does not need network
    block return out log proto {tcp udp} user _pbuild

And this is what pfctl -sr returns:

    freedom# pfctl -sr
    block return all
    pass all flags S/SA
    match in all scrub (no-df random-id max-mss 1440)
    match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
    pass quick inet6 proto udp from any to ::1 port = 500
    pass quick on lo0 inet6 proto udp from any to fe80::1 port = 500
    pass quick on vio0 inet6 proto udp from any to fe80::5400:1ff:fed3:aabd port = 500
    pass quick inet6 proto udp from any to 2001:470:8c78:a0:: port = 500
    pass quick on gif0 inet6 proto udp from any to fe80::42bc:4cfd:6395:7fe port = 500
    pass quick inet6 proto udp from any to 2001:470:1f06:95f::2 port = 500
    pass quick inet6 proto udp from any to ::1 port = 4500
    pass quick on lo0 inet6 proto udp from any to fe80::1 port = 4500
    pass quick on vio0 inet6 proto udp from any to fe80::5400:1ff:fed3:aabd port = 4500
    pass quick inet6 proto udp from any to 2001:470:8c78:a0:: port = 4500
    pass quick on gif0 inet6 proto udp from any to fe80::42bc:4cfd:6395:7fe port = 4500
    pass quick inet6 proto udp from any to 2001:470:1f06:95f::2 port = 4500
    pass quick inet proto udp from any to 127.0.0.1 port = 500
    pass quick inet proto udp from any to 207.246.122.61 port = 500
    pass quick inet proto udp from any to 172.24.24.1 port = 500
    pass quick inet proto udp from any to 127.0.0.1 port = 4500
    pass quick inet proto udp from any to 207.246.122.61 port = 4500
    pass quick inet proto udp from any to 172.24.24.1 port = 4500
    pass on enc0 inet from any to 127.0.0.1 flags S/SA keep state (if-bound)
    pass on enc0 inet from any to 207.246.122.61 flags S/SA keep state (if-bound)
    pass on enc0 inet from any to 172.24.24.1 flags S/SA keep state (if-bound)
    pass on enc0 inet6 from any to ::1 flags S/SA keep state (if-bound)
    pass on enc0 inet6 from any to 2001:470:8c78:a0:: flags S/SA keep state (if-bound)
    pass on enc0 inet6 from any to 2001:470:1f06:95f::2 flags S/SA keep state (if-bound)
    block return in on ! lo0 proto tcp from any to any port 6000:6010
    block return out log proto tcp all user = 55
    block return out log proto udp all user = 55

Any tips on what to do next? Do I need some special pf.conf
configuration?

Thanks!


Re: Can't set up IPv6 for IKEv2 VPN

Stefan Sperling-5
On Mon, Feb 11, 2019 at 03:32:17PM +0100, Aram Hăvărneanu wrote:
> Hello,
>
> I am trying to set up a dual-stack IKEv2/IPsec VPN. The server is
> OpenBSD (obviously). The clients are macs (so far). IPv4 works, but
> I can't get IPv6 working for the clients. The clients get a v6 IP
> and a good route, but it seems routing doesn't work on OpenBSD's
> side.

> My iked.conf is
>
>     freedom# cat /etc/iked.conf                                                    
>     ikev2 "vpn" passive ipcomp esp \
>             from 0.0.0.0/0 to 0.0.0.0/0 \
>             local egress peer any \
>             psk "XXXXXXXX" \
>             config address 172.24.24.0/24 \
>             config address 2001:470:8c78:a0::/64 \
>             config name-server 172.24.24.1 \
>             config name-server 2001:470:8c78:a0:: \
>             tag "vpn" tap enc0
>     freedom#

By default, iked inserts a flow which blocks IPv6. To prevent this,
either configure explicit IPv6 flows (from/to with IPv6 addresses),
or pass the -6 option to iked (see the man page).


Re: Can't set up IPv6 for IKEv2 VPN

Aram Hăvărneanu
> By default, iked inserts a flow which blocks IPv6. To prevent
> this, either configure explicit IPv6 flows (from/to with IPv6
> addresses), or pass the -6 option to iked (see the man page).

Forgot to mention that I already do this:

    freedom# cat /etc/rc.conf.local
    iked_flags=-6
    unbound_flags=

--
Aram Hăvărneanu


Re: Can't set up IPv6 for IKEv2 VPN

Aram Hăvărneanu
>> By default, iked inserts a flow which blocks IPv6. To prevent
>> this, either configure explicit IPv6 flows (from/to with IPv6
>> addresses), or pass the -6 option to iked (see the man page).
>
> Forgot to mention that I already do this:
>
>     freedom# cat /etc/rc.conf.local
>     iked_flags=-6
>     unbound_flags=

Hmm.

I was, indeed, passing -6, but I wasn't passing an explicit ::0/0
in iked.conf. This set-up works:

    freedom# cat /etc/iked.conf
    ikev2 "vpn" passive ipcomp esp \
            from 0.0.0.0/0 to 0.0.0.0/0 \
            from ::0/0 to ::0/0 \
            local egress peer any \
            psk "XXXXX" \
            config address 172.24.24.0/24 \
            config address 2001:470:8c78:a0::/64 \
            config name-server 172.24.24.1 \
            config name-server 2001:470:8c78:a0:: \
            tag "vpn" tap enc0

Many thanks for the pointer!

--
Aram Hăvărneanu


Re: Can't set up IPv6 for IKEv2 VPN

Stefan Sperling-5
On Mon, Feb 11, 2019 at 03:51:00PM +0100, Aram Hăvărneanu wrote:
> > By default, iked inserts a flow which blocks IPv6. To prevent
> > this, either configure explicit IPv6 flows (from/to with IPv6
> > addresses), or pass the -6 option to iked (see the man page).
>
> Forgot to mention that I already do this:
>
>     freedom# cat /etc/rc.conf.local
>     iked_flags=-6
>     unbound_flags=

Have you tried configuring IPv6 flows instead?
Will 'from 0.0.0.0/0 to 0.0.0.0/0' actually match IPv6 traffic?
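The fix in Aram's working iked.conf and Stefan's closing question both come down to the same point: a `from 0.0.0.0/0 to 0.0.0.0/0` flow is an IPv4 selector and never matches IPv6 traffic, so a policy that hands out a `config address` prefix in one family needs a flow in that family too. The following is an added example, not code from the thread or from OpenBSD: a small Python lint that folds the backslash continuations of an iked.conf, compares the families of its `config address` prefixes with those of its `from ... to` flows, and reports the gap. The two configs embedded below are constructed from the thread; hostnames or `any` in selectors are skipped rather than resolved (an assumption of this lint).

```python
import ipaddress
import re

# Constructed from the thread: the original iked.conf (IPv4 flow only).
BROKEN_CONF = """\
ikev2 "vpn" passive ipcomp esp \\
        from 0.0.0.0/0 to 0.0.0.0/0 \\
        local egress peer any \\
        psk "XXXXXXXX" \\
        config address 172.24.24.0/24 \\
        config address 2001:470:8c78:a0::/64 \\
        tag "vpn" tap enc0
"""
# The working version from the thread: one extra explicit IPv6 flow.
FIXED_CONF = BROKEN_CONF.replace(
    "from 0.0.0.0/0 to 0.0.0.0/0 \\\n",
    "from 0.0.0.0/0 to 0.0.0.0/0 \\\n        from ::0/0 to ::0/0 \\\n")

def logical_lines(conf):
    """Fold 'backslash newline' continuations so each policy is one line."""
    return re.sub(r"\\\n[ \t]*", " ", conf).splitlines()

def flow_families(policy):
    """Address families covered by the 'from ... to ...' selectors of a policy."""
    fams = set()
    for src, _dst in re.findall(r"\bfrom\s+(\S+)\s+to\s+(\S+)", policy):
        try:
            fams.add(ipaddress.ip_network(src, strict=False).version)
        except ValueError:
            pass  # assumption: hostnames and 'any' are not inspected here
    return fams

def config_families(policy):
    """Address families of the prefixes handed out via 'config address'."""
    return {ipaddress.ip_network(p, strict=False).version
            for p in re.findall(r"\bconfig\s+address\s+(\S+)", policy)}

def missing_flow_families(conf):
    """Families clients get an address in but that no flow of the policy covers."""
    missing = set()
    for policy in logical_lines(conf):
        if policy.startswith("ikev2"):
            missing |= config_families(policy) - flow_families(policy)
    return missing

def flow_covers(flow_net, addr):
    """A selector matches only its own family: a v6 address never fits 0.0.0.0/0."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(flow_net)

if __name__ == "__main__":
    print("broken config lacks flows for IPv", missing_flow_families(BROKEN_CONF))
    print("fixed config lacks flows for IPv", missing_flow_families(FIXED_CONF))
```

Run against a real /etc/iked.conf, a non-empty result means clients will be assigned addresses whose traffic has no matching flow, which is exactly the symptom seen on enc0 above.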