Unable to use IPv4-mapped IPv6 address for mobile IPsec DNS
-
@jimp Here it goes:
# This file is automatically generated. Do not edit
connections {
    bypass {
        remote_addrs = 127.0.0.1
    }
    con-mobile : con-mobile-defaults {
        # Stub to load con-mobile-defaults
    }
    con4000 {
        fragmentation = yes
        unique = replace
        version = 2
        proposals = aes256-sha256-ecp256
        dpd_delay = 10s
        dpd_timeout = 60s
        rekey_time = 3240s
        reauth_time = 0s
        over_time = 360s
        rand_time = 360s
        encap = no
        mobike = yes
        local_addrs = n.n.n.n
        remote_addrs = f.q.d.n.com
        pools =
        local {
            id = n.n.n.n
            auth = psk
        }
        remote {
            id = z.z.z.z
            auth = psk
        }
        children {
            con4000 {
                dpd_action = trap
                mode = tunnel
                policies = yes
                life_time = 7200s
                rekey_time = 6480s
                rand_time = 720s
                start_action = trap
                remote_ts = a.a.a.a
                local_ts = b.b.b.b
                esp_proposals = aes256-sha256-ecp256
            }
        }
    }
    con5000 {
        fragmentation = yes
        unique = replace
        version = 2
        proposals = aes256-sha256-ecp256
        dpd_delay = 10s
        dpd_timeout = 60s
        rekey_time = 3240s
        reauth_time = 0s
        over_time = 360s
        rand_time = 360s
        encap = no
        mobike = yes
        local_addrs = ::something:1
        remote_addrs = ::somethingelse:1
        pools =
        local {
            id = ::something:1
            auth = psk
        }
        remote {
            id = ::somethingelse:1
            auth = psk
        }
        children {
            con5000 {
                dpd_action = trap
                mode = tunnel
                policies = yes
                life_time = 3600s
                rekey_time = 3240s
                rand_time = 360s
                start_action = trap
                remote_ts = F::something:1
                local_ts = F::something:2
                esp_proposals = aes256-sha256-ecp256
            }
        }
    }
    con2000 {
        fragmentation = yes
        unique = replace
        version = 2
        proposals = aes256-sha256-ecp256
        dpd_delay = 10s
        dpd_timeout = 60s
        rekey_time = 3240s
        reauth_time = 0s
        over_time = 360s
        rand_time = 360s
        encap = no
        mobike = yes
        local_addrs = n.n.n.n
        remote_addrs = f.q.d.n.com
        pools =
        local {
            id = n.n.n.n
            auth = psk
        }
        remote {
            id = z.z.z.z
            auth = psk
        }
        children {
            con2000 {
                dpd_action = trap
                mode = tunnel
                policies = yes
                life_time = 7200s
                rekey_time = 6480s
                rand_time = 720s
                start_action = trap
                remote_ts = a.b.c.d
                local_ts = e.f.g.h
                esp_proposals = aes256-sha256-ecp256
            }
        }
    }
    con6000 {
        fragmentation = yes
        unique = replace
        version = 2
        proposals = aes256-sha256-ecp256
        dpd_delay = 10s
        dpd_timeout = 60s
        rekey_time = 3240s
        reauth_time = 0s
        over_time = 360s
        rand_time = 360s
        encap = no
        mobike = yes
        local_addrs = ::something:1
        remote_addrs = f.q.d.n.6.com
        pools =
        local {
            id = ::something:1
            auth = psk
        }
        remote {
            id = ::something:2
            auth = psk
        }
        children {
            con6000 {
                dpd_action = trap
                mode = tunnel
                policies = yes
                life_time = 7200s
                rekey_time = 6480s
                rand_time = 720s
                start_action = trap
                remote_ts = F::something:1
                local_ts = F::something:1
                esp_proposals = aes256-sha256-ecp256
            }
        }
    }
    con300000 {
        fragmentation = yes
        unique = replace
        version = 1
        aggressive = no
        proposals = aes256-sha256-ecp256
        dpd_delay = 10s
        dpd_timeout = 60s
        reauth_time = 3240s
        over_time = 360s
        rand_time = 360s
        encap = no
        mobike = yes
        local_addrs = n.n.n.n
        remote_addrs = f.q.d.n.com
        pools =
        local {
            id = n.n.n.n
            auth = psk
        }
        remote {
            id = z.z.z.z
            auth = psk
        }
        children {
            con0 {
                dpd_action = trap
                mode = tunnel
                policies = yes
                life_time = 7200s
                rekey_time = 6480s
                rand_time = 720s
                start_action = trap
                local_ts = a.b.c.1
                remote_ts = a.b.c.2
                esp_proposals = aes256-sha256-ecp256
            }
        }
    }
}
con-mobile-defaults {
    fragmentation = yes
    unique = replace
    version = 2
    proposals = aes256-sha384-modp2048
    dpd_delay = 10s
    dpd_timeout = 60s
    rekey_time = 0s
    reauth_time = 0s
    over_time = 180s
    rand_time = 180s
    encap = yes
    mobike = yes
    local_addrs = a.a.a.a,::something:1
    remote_addrs = 0.0.0.0/0,::/0
    pools = mobile-pool-v4, mobile-pool-v6
    send_cert = always
    local {
        id = fqdn:something.com
        auth = pubkey
        cert {
            file = /var/etc/ipsec/x509/cert-1.crt
        }
    }
    remote {
        eap_id = %any
        auth = eap-mschapv2
    }
    children {
        con-mobile {
            dpd_action = clear
            mode = tunnel
            policies = yes
            life_time = 3600s
            rekey_time = 3240s
            rand_time = 360s
            start_action = none
            local_ts = 0.0.0.0/0,::/0
            esp_proposals = aes256gcm128-ecp384
        }
    }
}
pools {
    mobile-pool-v4 : mobile-pool {
        addrs = a.b.c.0/24
    }
    mobile-pool-v6 : mobile-pool {
        addrs = ::something:0/112
    }
}
mobile-pool {
    dns = a.b.c.d,f::something:a.b.c.d
}
secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
    ike-1 {
        secret = parsnips grow here
        id-0 = %any
        id-1 = z.z.z.z
    }
    ike-2 {
        secret = parsnips grow here
        id-0 = %any
        id-1 = ::something:2
    }
    ike-3 {
        secret = parsnips grow here
        id-0 = %any
        id-1 = n.n.n.n
    }
    ike-4 {
        secret = parsnips grow here
        id-0 = %any
        id-1 = ::something:3
    }
    ike-5 {
        secret = parsnips grow here
        id-0 = %any
        id-1 = f.f.f.f
    }
    eap-6 {
        secret = parsnips grow here
        id-0 = uid@domain.tld
    }
    eap-7 {
        secret = parsnips grow here
        id-0 = uid2@domain.tld
    }
}
Looks pretty much the same as on 2.4.5, bar formatting; maybe I'm missing something important. But it seems like the issue is somewhere else, as in it fails to load this completely.
...yeah, I noticed the switch to vici now. So I take it you have a PHP client for vici? Or do you load stuff with swanctl?
-
OK, getting warmer...
swanctl --load-all --file /var/etc/ipsec/swanctl.conf
loaded certificate from '/var/etc/ipsec/x509/cert-1.crt'
loaded certificate from '/var/etc/ipsec/x509ca/8d33f237.0'
loaded RSA key from '/var/etc/ipsec/private/cert-1.key'
loaded ike secret 'ike-1'
loaded ike secret 'ike-2'
loaded ike secret 'ike-3'
loaded ike secret 'ike-4'
loaded ike secret 'ike-5'
loaded eap secret 'eap-6'
loaded eap secret 'eap-7'
no authorities found, 0 unloaded
loading pool 'mobile-pool-v4' failed: invalid attribute value for dns
loading pool 'mobile-pool-v6' failed: invalid attribute value for dns
loaded 0 of 2 pools, 2 failed to load, 0 unloaded
-
my DNS entry looked like this:
mobile-pool {
    dns = 1.2.3.4,fXXX::1.2.3.4
}
In other words, one IPv4 address and one IPv4-mapped IPv6 address; I do this all the time. It started to work after I left the IPv4 only. I'll try a regular IPv6.
Edit: Confirmed: changing the IPv4-mapped IPv6 address to a standard IPv6 address in DNS fixed it.
What is a bit of a shame is that I can't see the actual swanctl error in the logs as it tries to load the config file - unless I wasn't looking in the right log.
-
@jimp Jim - as always, thanks for pointing me in the right direction, and apologies for me reading some of your responses too quickly; I must be getting old and not as sharp as I used to be ;)
-
I split this off into its own thread.
Are you certain this worked on previous versions? It may have been silently rejected / not sent to clients.
I can reproduce the config parsing problem here but I can't find any info in strongSwan about that being allowed. It may have been accepted by the old ipsec.conf config parser and now rejected by the swanctl parser.
I also don't see it mentioned in the IKEv2 config payload RFC that it would be allowed.
If nothing else we could add input validation to reject entering those values since they are now known not to work.
I opened https://redmine.pfsense.org/issues/11446 to fix the validation.
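The input validation proposed above, as an added example that is not pfSense or strongSwan code: a pre-flight check over the `dns =` entries of a swanctl pool section, modelling only what the thread reports (plain IPv4 and plain IPv6 resolver addresses load; an IPv6 literal written with an embedded dotted quad, the poster's "IPv4-mapped" form such as `::ffff:1.2.3.4` or `fXXX::1.2.3.4`, makes `swanctl --load-all` fail the pool with "invalid attribute value for dns"). The function names, the line-oriented parser and the sample pool sections are assumptions of this example; the suggested fix in the message, rewriting the same address in pure hex notation, is likewise an assumption based only on the report that a standard IPv6 address works.

```python
"""Pre-flight check for the `dns =` entries of swanctl pool sections.

Added example for this thread, not pfSense or strongSwan code. It flags
IPv6 literals written with an embedded dotted quad (::ffff:1.2.3.4,
fd00::1.2.3.4), the form that the swanctl pool loader refused above,
and reports entries that are not IP addresses at all. Everything else
(function names, the regex-based parser, the sample sections, the
suggested hex rewrite) is an assumption of this example.
"""
import ipaddress
import re

# Constructed samples shaped like the failing and fixed configs in the thread.
POOL_MIXED = """
mobile-pool {
    dns = 1.2.3.4,fd00::1.2.3.4
}
"""
POOL_MAPPED = """
mobile-pool {
    dns = 1.2.3.4,::ffff:1.2.3.4
}
"""
POOL_OK = """
mobile-pool {
    dns = 1.2.3.4,2001:db8::53
}
"""

# swanctl writes the list without spaces, so the value runs to whitespace or '}'.
# Matches both the one-line form `mobile-pool { dns = a,b }` and the multi-line form.
_DNS_DIRECTIVE = re.compile(r"\bdns\s*=\s*(?P<val>[^\s}]+)")


def dns_entries(conf: str) -> list[str]:
    """Return the comma-separated values of the first `dns =` directive."""
    m = _DNS_DIRECTIVE.search(conf)
    if not m:
        return []
    return [v.strip() for v in m.group("val").split(",") if v.strip()]


def classify(entry: str) -> str:
    """Return 'ipv4', 'ipv6', 'ipv6-dotted' or 'invalid' for one dns entry.

    'ipv6-dotted' covers every IPv6 literal whose last 32 bits were written
    as a dotted quad, which includes the RFC 4291 ::ffff:a.b.c.d mapped form.
    """
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return "invalid"
    if addr.version == 4:
        return "ipv4"
    # The textual form is what tripped the loader, so test the text, not the value.
    if "." in entry:
        return "ipv6-dotted"
    return "ipv6"


def check_pool_dns(conf: str) -> list[str]:
    """Return one message per entry that would make swanctl refuse the pool.

    An empty list means every entry is a plain IPv4 or plain IPv6 literal.
    """
    problems = []
    for entry in dns_entries(conf):
        kind = classify(entry)
        if kind == "ipv6-dotted":
            hex_form = ipaddress.IPv6Address(entry).exploded
            problems.append(
                f"{entry}: IPv6 address with embedded IPv4 notation is rejected "
                f"by the swanctl pool parser; write it as {hex_form} (assumed "
                f"to load, as a plain IPv6 literal) or use a native IPv6 resolver"
            )
        elif kind == "invalid":
            problems.append(f"{entry}: not an IP address")
    return problems


if __name__ == "__main__":
    for name, conf in (("mixed", POOL_MIXED), ("mapped", POOL_MAPPED), ("ok", POOL_OK)):
        print(name, check_pool_dns(conf) or "would load")
```

Run it against the generated `/var/etc/ipsec/swanctl.conf` (or the GUI field value before it is written there) to get the error message the thread was missing from the logs; only the two dotted-quad samples produce a message, the native IPv6 sample passes.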