
I am unable to get a connection with IPv6 host-to-host. Below is the log output (anonymized):

Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.8, Linux 6.1.0-9-amd64, x86_64)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[LIB] providers loaded by OpenSSL: legacy default
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG]   loaded ca certificate "C=US, O=Let's Encrypt, CN=R3" from '/etc/ipsec.d/cacerts/chain.pem'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/privkey.pem'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[CFG]   loaded EAP secret for xxxxxxx
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp agent xcbc hmac kdf gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 00[JOB] spawning 16 worker threads
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 05[CFG] received stroke: add connection 'mobile'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 05[CFG]   loaded certificate "CN=www.xxxx.de" from 'fullchain.pem'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 05[CFG]   id 'vpn.xxxxx.de' not confirmed by certificate, defaulting to 'CN=www.xxxxx.de'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 05[CFG] added configuration 'mobile'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[NET] received packet: from xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[500] to xxxx:9f80:xxxx:83::xxxx:f633[500] (632 bytes)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[IKE] received MS-Negotiation Discovery Capable vendor ID
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[IKE] received Vid-Initial-Contact vendor ID
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[IKE] xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42 is initiating an IKE_SA
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 09[NET] sending packet: from xxxx:9f80:xxxx:83::xxxx:f633[500] to xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[500] (456 bytes)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 10[NET] received packet: from xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[500] to xxxx:9f80:xxxx:83::xxxx:f633[500] (1248 bytes)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 10[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 10[ENC] received fragment #1 of 2, waiting for complete IKE message
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[NET] received packet: from xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[500] to xxxx:9f80:xxxx:83::xxxx:f633[500] (592 bytes)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1756 bytes)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[IKE] received 64 cert requests for an unknown ca
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[CFG] looking for peer configs matching xxxx:9f80:xxxx:83::xxxx:f633[%any]...xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[CFG] selected peer config 'mobile'
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[IKE] using configured EAP-Identity olekoeckemann
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[IKE] initiating EAP_MSCHAPV2 method (id 0x56)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[IKE] authentication of 'CN=www.xxxx.de' (myself) with RSA signature successful
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[IKE] sending end entity cert "CN=www.xxxx.de"
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/MSCHAPV2 ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] splitting IKE message (2988 bytes) into 3 fragments
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[NET] sending packet: from xxxx:9f80:xxxx:83::xxxx:f633[500] to xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[500] (1232 bytes)
Sep 27 14:25:18 vpn.xxxx.tld ipsec[13769]: 11[NET] sending packet: from xxxx:9f80:xxxx:83::xxxx:f633[500] to xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[500] (1232 bytes)

The log output just ended here, and when running ipsec status immediately after this I can see:

Security Associations (0 up, 1 connecting):
      mobile[1]: CONNECTING, xxxx:9f80:xxxx:83::xxxx:f633[CN=www.xxxx.de]...xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42[xxx:6020:xxx:8000:xxxx:a7ae:xxxx:9a42]

which results in the below after some seconds:

Security Associations (0 up, 0 connecting):
  none

This is my ipsec.conf:

config setup
    charondebug="ike 1, knl 1, cfg 1"
    uniqueids=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no            # no matter if on or off

conn mobile
    auto=add

    left=%any
    leftid=vpn.xxxxx.de  # value was obfuscated on the page; reconstructed from the "id 'vpn.xxxxx.de' not confirmed by certificate" log line
    leftcert=fullchain.pem
    #leftsubnet=10.0.3.0/24
    #leftfirewall=yes

    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    #rightsourceip=10.0.3.2/24
    #rightdns=10.0.2.1
    rightsendcert=never
    eap_identity=xxxx

Any advice would be really helpful.

  • Do you have access to the server-side logs? – Commented Sep 27, 2023 at 18:46
  • This is the server-side log. The other VPN connection is the Windows 11 native VPN client. – Ole K, Sep 27, 2023 at 18:53
  • Try configuring eap_identity=%identity to actually request the EAP identity from the client. – ecdsa, Sep 28, 2023 at 7:05
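As an added example (not from the question, the comments, or strongSwan itself), here is a small Python analyser that turns a charon log excerpt like the one above into an exchange timeline plus a list of findings: which IKE exchanges completed, whether the peer replied after the last message the server sent, how many IKE fragments were generated versus actually logged as sent, and the informational lines worth a second look (the leftid/certificate mismatch, the server-side fixed eap_identity, unknown-CA CERTREQs). The embedded log is a constructed sample modelled on the one in the question, using documentation addresses and a made-up user name; the 1232-byte check assumes charon's default fragment_size of 1280 (the IPv6 minimum MTU) minus the 40-byte IPv6 and 8-byte UDP headers. Regex names, the report keys and the finding texts are this example's own.

```python
"""Exchange timeline and findings for a strongSwan charon (IKEv2) log excerpt.
Added example, not code from the question or from strongSwan; it parses the
NET/ENC/CFG/IKE lines charon prints at its default log level."""
import re
import sys

# Constructed sample modelled on the log in the question: documentation
# addresses and a made-up user name, not the poster's traffic.
SAMPLE_LOG = """\
Sep 27 14:25:18 vpn ipsec[13769]: 05[CFG]   id 'vpn.example.de' not confirmed by certificate, defaulting to 'CN=www.example.de'
Sep 27 14:25:18 vpn ipsec[13769]: 09[NET] received packet: from 2001:db8:1::2[500] to 2001:db8:2::1[500] (632 bytes)
Sep 27 14:25:18 vpn ipsec[13769]: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Sep 27 14:25:18 vpn ipsec[13769]: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Sep 27 14:25:18 vpn ipsec[13769]: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 27 14:25:18 vpn ipsec[13769]: 09[NET] sending packet: from 2001:db8:2::1[500] to 2001:db8:1::2[500] (456 bytes)
Sep 27 14:25:18 vpn ipsec[13769]: 10[NET] received packet: from 2001:db8:1::2[500] to 2001:db8:2::1[500] (1248 bytes)
Sep 27 14:25:18 vpn ipsec[13769]: 11[NET] received packet: from 2001:db8:1::2[500] to 2001:db8:2::1[500] (592 bytes)
Sep 27 14:25:18 vpn ipsec[13769]: 11[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Sep 27 14:25:18 vpn ipsec[13769]: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS ADDR6 DNS6) SA TSi TSr ]
Sep 27 14:25:18 vpn ipsec[13769]: 11[IKE] received 64 cert requests for an unknown ca
Sep 27 14:25:18 vpn ipsec[13769]: 11[IKE] using configured EAP-Identity user1
Sep 27 14:25:18 vpn ipsec[13769]: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/MSCHAPV2 ]
Sep 27 14:25:18 vpn ipsec[13769]: 11[ENC] splitting IKE message (2988 bytes) into 3 fragments
Sep 27 14:25:18 vpn ipsec[13769]: 11[NET] sending packet: from 2001:db8:2::1[500] to 2001:db8:1::2[500] (1232 bytes)
Sep 27 14:25:18 vpn ipsec[13769]: 11[NET] sending packet: from 2001:db8:2::1[500] to 2001:db8:1::2[500] (1232 bytes)
"""

# syslog prefix + "<thread>[<GROUP>] " as written by charon; msg is the rest.
PREFIX = re.compile(r"^\S+ +\d+ [\d:]+ \S+ ipsec\[\d+\]: \d+\[[A-Z]+\] +(?P<msg>.*)$")
PKT = re.compile(r"^(?P<dir>received|sending) packet: from (?P<src>[^\[ ]+)\[\d+\] "
                 r"to [^\[ ]+\[\d+\] \((?P<size>\d+) bytes\)")
MSG = re.compile(r"^(?:parsed|generating) (?P<x>\S+) (?P<k>request|response) (?P<mid>\d+) \[ (?P<pl>.*) \]")
SPLIT = re.compile(r"^splitting IKE message \(\d+ bytes\) into (?P<n>\d+) fragments")
PROP = re.compile(r"^selected proposal: (?P<p>\S+)")
IPV6_MIN_MTU_PAYLOAD = 1280 - 40 - 8  # assumption: charon.fragment_size default 1280, minus IPv6 + UDP headers
# Informational lines worth surfacing, each with the finding text it produces.
NOTES = [
    (re.compile(r"id '(?P<id>[^']+)' not confirmed by certificate, defaulting to '(?P<dn>[^']+)'"),
     "leftid '{id}' is not in leftcert; charon sends IDr '{dn}' instead"),
    (re.compile(r"received (?P<n>\d+) cert requests for an unknown ca"),
     "client CERTREQ lists {n} CAs unknown to this server (informational with rightauth=eap-*)"),
    (re.compile(r"using configured EAP-Identity (?P<u>\S+)"),
     "eap_identity is fixed to '{u}' server-side; eap_identity=%identity makes charon ask the client"),
]

def analyse(log_text):
    """Return a dict: peer, proposal, exchanges, fragment counters, last direction, findings."""
    r = {"peer": None, "proposal": None, "exchanges": [], "fragments_generated": 0,
         "fragments_sent": 0, "max_tx_payload": 0, "last_direction": None, "findings": []}
    in_split = False  # True between a 'splitting' line and the next received packet
    for raw in log_text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if pkt := PKT.match(msg):
            if pkt.group("dir") == "received":
                r["peer"] = r["peer"] or pkt.group("src")
                r["last_direction"], in_split = "rx", False
            else:
                r["last_direction"] = "tx"
                r["max_tx_payload"] = max(r["max_tx_payload"], int(pkt.group("size")))
                if in_split:
                    r["fragments_sent"] += 1
        elif sp := SPLIT.match(msg):
            r["fragments_generated"] += int(sp.group("n"))
            in_split = True
        elif ex := MSG.match(msg):
            if not ex.group("pl").startswith("EF("):  # per-fragment lines carry no payload list
                entry = f"{ex.group('x')} {ex.group('k')} {ex.group('mid')}"
                if entry not in r["exchanges"]:
                    r["exchanges"].append(entry)
        elif pr := PROP.match(msg):
            r["proposal"] = pr.group("p")
        for pat, text in NOTES:
            if n := pat.search(msg):
                r["findings"].append(text.format(**n.groupdict()))
    r["findings"] += _conclusions(r)
    return r

def _conclusions(r):
    out = []
    if r["last_direction"] == "tx" and r["exchanges"]:
        out.append(f"peer went silent after the server sent {r['exchanges'][-1]}")
    g, s = r["fragments_generated"], r["fragments_sent"]
    if g and s < g:
        out.append(f"only {s} of {g} fragments appear as sent packets (log truncated or send stopped early)")
    if r["max_tx_payload"] == IPV6_MIN_MTU_PAYLOAD:
        out.append("largest fragment payload is 1232 bytes (1280 - 40 - 8): charon fragments at the IPv6 minimum MTU")
    if r["proposal"] and any(w in r["proposal"] for w in ("MODP_1024", "3DES", "MD5")):
        out.append(f"legacy algorithms in selected proposal {r['proposal']}")
    return out

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, value in analyse(text).items():
        print(f"{key}: {value}")
```

Run it without input to see the report for the built-in sample, or pipe the relevant journal or syslog lines into it to get the same report for a real attempt. On the sample it reports four completed exchanges, a last direction of "tx" with no reply, and two of three fragments logged as sent, which is exactly the shape of the question's log; the analyser describes what the log shows and does not guess at the cause.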
