I am unable to get a connection with IPv6 host-to-host. Below is the log output (anonymized):
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.8, Linux 6.1.0-9-amd64, x86_64)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[LIB] providers loaded by OpenSSL: legacy default
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loaded ca certificate "C=US, O=Let's Encrypt, CN=R3" from '/etc/ipsec.d/cacerts/chain.pem'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/privkey.pem'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loaded EAP secret for xxxxxxx
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp agent xcbc hmac kdf gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[JOB] spawning 16 worker threads
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 05[CFG] received stroke: add connection 'mobile'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 05[CFG] loaded certificate "CN=www.xxxx.de" from 'fullchain.pem'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 05[CFG] id 'vpn.xxxxx.de' not confirmed by certificate, defaulting to 'CN=www.xxxxx.de'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 05[CFG] added configuration 'mobile'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[NET] received packet: from xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[500] to xxxx:9f80:xxxx:83::xxxx:f633[500] (632 bytes)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[IKE] received MS-Negotiation Discovery Capable vendor ID
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[IKE] received Vid-Initial-Contact vendor ID
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[IKE] xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42 is initiating an IKE_SA
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[NET] sending packet: from xxxx:9f80:xxxx:83::xxxx:f633[500] to xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[500] (456 bytes)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 10[NET] received packet: from xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[500] to xxxx:9f80:xxxx:83::xxxx:f633[500] (1248 bytes)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 10[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 10[ENC] received fragment #1 of 2, waiting for complete IKE message
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[NET] received packet: from xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[500] to xxxx:9f80:xxxx:83::xxxx:f633[500] (592 bytes)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1756 bytes)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[IKE] received 64 cert requests for an unknown ca
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[CFG] looking for peer configs matching xxxx:9f80:xxxx:83::xxxx:f633[%any]...xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[CFG] selected peer config 'mobile'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[IKE] using configured EAP-Identity olekoeckemann
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[IKE] initiating EAP_MSCHAPV2 method (id 0x56)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[IKE] authentication of 'CN=www.xxxx.de' (myself) with RSA signature successful
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[IKE] sending end entity cert "CN=www.xxxx.de"
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/MSCHAPV2 ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] splitting IKE message (2988 bytes) into 3 fragments
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[NET] sending packet: from xxxx:9f80:xxxx:83::xxxx:f633[500] to xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[500] (1232 bytes)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[NET] sending packet: from xxxx:9f80:xxxx:83::xxxx:f633[500] to xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[500] (1232 bytes)
The log output just ends here. When running ipsec status immediately after this, I can see:
Security Associations (0 up, 1 connecting):
mobile[1]: CONNECTING, xxxx:9f80:xxxx:83::xxxx:f633[CN=www.xxxx.de]...xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42]
which results in the following after some seconds:
Security Associations (0 up, 0 connecting):
none
This is my ipsec.conf:
config setup
    charondebug="ike 1, knl 1, cfg 1"
    uniqueids=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no # no matter if on or off

conn mobile
    auto=add
    left=%any
    [email protected]
    leftcert=fullchain.pem
    #leftsubnet=10.0.3.0/24
    #leftfirewall=yes
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    #rightsourceip=10.0.3.2/24
    #rightdns=10.0.2.1
    rightsendcert=never
    eap_identity=xxxx
Any advice would be really helpful.
eap_identity=%identity
to actually request the EAP identity from the client.
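For readers hitting the same "CONNECTING, then gone" symptom, the log above already tells the whole story: the responder answered IKE_SA_INIT, received the IKE_AUTH request, sent its certificate plus the first EAP-MSCHAPv2 request (split into 3 fragments, of which only 2 "sending packet" lines show up), and then never heard from the client again. The following is an added example, not code from the thread or from strongSwan: a small Python tracker that replays charon log lines (as produced with charondebug="ike 1, knl 1, cfg 1") through the responder-side handshake milestones and reports where an IKE_SA stalled, whether all announced fragments were actually sent, and which config warnings (such as "id ... not confirmed by certificate") were logged. The sample log, addresses and message orderings are constructed to mirror the post; the milestone names and the diagnose() wording are my own.

```python
"""Constructed example: a state tracker for strongSwan charon log lines.

Not part of strongSwan. It only pattern-matches the messages charon logs as a
responder and records how far an IKEv2 + EAP handshake got before the log stopped.
"""
import re

LINE_RE = re.compile(r"ipsec\[\d+\]: (?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
FRAG_RE = re.compile(r"splitting IKE message \((\d+) bytes\) into (\d+) fragments")

# Milestones a responder with EAP authentication passes, in order (names are mine).
STAGES = ("NONE", "IKE_SA_INIT_ANSWERED", "IKE_AUTH_REQUEST_RECEIVED",
          "EAP_REQUEST_SENT", "EAP_RESPONSE_RECEIVED", "ESTABLISHED")

# Constructed sample log: same sequence as the post, with example addresses.
SAMPLE_LOG = """\
Sep 27 14:25:18 vpn ipsec[13769]: 05[CFG] id 'vpn.example.net' not confirmed by certificate, defaulting to 'CN=www.example.net'
Sep 27 14:25:18 vpn ipsec[13769]: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Sep 27 14:25:18 vpn ipsec[13769]: 09[IKE] 2001:db8::a7ae is initiating an IKE_SA
Sep 27 14:25:18 vpn ipsec[13769]: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 27 14:25:18 vpn ipsec[13769]: 09[NET] sending packet: from 2001:db8::f633[500] to 2001:db8::a7ae[500] (456 bytes)
Sep 27 14:25:18 vpn ipsec[13769]: 10[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Sep 27 14:25:18 vpn ipsec[13769]: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr ]
Sep 27 14:25:18 vpn ipsec[13769]: 11[IKE] initiating EAP_MSCHAPV2 method (id 0x56)
Sep 27 14:25:18 vpn ipsec[13769]: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/MSCHAPV2 ]
Sep 27 14:25:18 vpn ipsec[13769]: 11[ENC] splitting IKE message (2988 bytes) into 3 fragments
Sep 27 14:25:18 vpn ipsec[13769]: 11[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
Sep 27 14:25:18 vpn ipsec[13769]: 11[NET] sending packet: from 2001:db8::f633[500] to 2001:db8::a7ae[500] (1232 bytes)
Sep 27 14:25:18 vpn ipsec[13769]: 11[NET] sending packet: from 2001:db8::f633[500] to 2001:db8::a7ae[500] (1232 bytes)
"""


def analyze(log_text):
    """Return the last handshake stage reached, fragment accounting and warnings."""
    report = {"peer": None, "stage": "NONE", "warnings": [],
              "fragments_expected": 0, "fragments_sent": 0}
    awaiting_fragments = False
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "not confirmed by certificate" in msg:
            report["warnings"].append(msg)
        elif msg.endswith("is initiating an IKE_SA"):
            report["peer"] = msg.split(" is initiating")[0]
        elif msg.startswith("generating IKE_SA_INIT response"):
            report["stage"] = "IKE_SA_INIT_ANSWERED"
        elif msg.startswith("parsed IKE_AUTH request") and "IDi" in msg:
            # Only the reassembled message carries IDi; EF(n/m) lines are skipped.
            report["stage"] = "IKE_AUTH_REQUEST_RECEIVED"
        elif msg.startswith("parsed IKE_AUTH request") and "EAP/RES" in msg:
            report["stage"] = "EAP_RESPONSE_RECEIVED"
        elif msg.startswith("generating IKE_AUTH response") and "EAP/REQ" in msg:
            report["stage"] = "EAP_REQUEST_SENT"
        elif "established between" in msg:  # "IKE_SA mobile[1] established between ..."
            report["stage"] = "ESTABLISHED"
        fm = FRAG_RE.search(msg)
        if fm:
            # Count the "sending packet" lines that follow a fragmented message.
            report["fragments_expected"] = int(fm.group(2))
            report["fragments_sent"] = 0
            awaiting_fragments = True
        elif awaiting_fragments and msg.startswith("sending packet"):
            report["fragments_sent"] += 1
            awaiting_fragments = report["fragments_sent"] < report["fragments_expected"]
    return report


def diagnose(report):
    """Turn a report into short responder-side findings."""
    notes = []
    if report["stage"] == "EAP_REQUEST_SENT":
        notes.append("stalled after the first IKE_AUTH response: the client never answered "
                     "the EAP request, so the next clue is on the client side")
    if 0 < report["fragments_sent"] < report["fragments_expected"]:
        notes.append("only %d of %d announced fragments appear as sent packets"
                     % (report["fragments_sent"], report["fragments_expected"]))
    for w in report["warnings"]:
        notes.append("config warning: " + w)
    if report["stage"] == "ESTABLISHED":
        notes.append("IKE_SA established with " + str(report["peer"]))
    return notes


if __name__ == "__main__":
    for note in diagnose(analyze(SAMPLE_LOG)):
        print("-", note)
```

Pipe a real journal extract in with something like `journalctl -u strongswan-starter | python3 tracker.py` after replacing SAMPLE_LOG with sys.stdin.read(); the stage names make it obvious whether a peer is dying before authentication (no IKE_SA_INIT response, usually a proposal mismatch), after the server certificate went out (client-side trust or identity check, which is where the eap_identity and leftid questions above come in), or during the EAP exchange itself.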