Comments

@mtodorov3-69

Hi all,

After a successful IKEv2 IPv6 VPN connection from a Windows 10 client to a libreswan server, the connection doesn't seem to get a gateway for IPv6 traffic, so no IPv6 packets go to the Internet over IPv6 through the VPN server; the system falls back to the IPv4 connection, which is not rerouted over the VPN:

PPP adapter VPN GRF magrf IKEv2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VPN GRF magrf IKEv2
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:b68:2:2600:1000::(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1000:0:0:0%46(Preferred)
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 778583590
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-B6-F3-82-00-00-10-02-5A-A7
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Here is the relevant configuration for the connection:

conn MYCONN-ikev2-ipv6-cp
        # The server's actual IP goes here - not elastic IPs
        left=2001:b68:2:2600::3
        leftcert=magrf.grf.hr
        leftid=@magrf.grf.hr
        leftsendcert=always
        leftsubnet=0::/0
        leftrsasigkey=%cert
        # Clients
        right=%any
        # your addresspool to use - you might need NAT rules if providing full internet to clients
        rightaddresspool=2001:b68:2:2600:1000::/80
        # optional rightid with restrictions
        # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
        rightca=%same
        rightrsasigkey=%cert
        #
        # connection configuration
        # DNS servers for clients to use
        modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
        narrowing=yes
        # recommended dpd/liveness to cleanup vanished clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        rekey=no
        # Set ikelifetime and keylife to same defaults windows has
        # ikelifetime=8h
        # keylife=2h
        ms-dh-downgrade=yes
        esp=aes_gcm256,aes_gcm128,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1
        # ikev2 fragmentation support requires libreswan 3.14 or newer
        fragmentation=yes
        authby=rsa-sha1
        hostaddrfamily=ipv6
        clientaddrfamily=ipv6

The session log is here.

P.S.

I recall that I had to add ipv4.forwarding=1 to sysctl.conf and iptables --table nat --append POSTROUTING --jump MASQUERADE (for the IPv4 VPN service).

I have turned on IPv6 forwarding, but I failed to Google the ip6tables equivalent for IPv6.

root@magrf:~# cat /proc/sys/net/ipv6/conf/all/forwarding
1

@cagney

This is what it emitted:

Jul 28 23:05:31.203061: | Send Configuration Payload reply 
Jul 28 23:05:31.203087: | ****emit IKEv2 Configuration Payload:
Jul 28 23:05:31.203120: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jul 28 23:05:31.203146: |    flags: none (0x0)
Jul 28 23:05:31.203168: |    ikev2_cfg_type: IKEv2_CP_CFG_REPLY (0x2)
Jul 28 23:05:31.203192: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Configuration Payload (47:ISAKMP_NEXT_v2CP)
Jul 28 23:05:31.203217: | next payload chain: saving location 'IKEv2 Configuration Payload'.'next payload type' in 'IKE_AUTH response'
Jul 28 23:05:31.203243: | *****emit IKEv2 Configuration Payload Attribute:
Jul 28 23:05:31.203264: |    Attribute Type: IKEv2_INTERNAL_IP6_ADDRESS (0x8)
Jul 28 23:05:31.203289: | emitting 16 raw bytes of Internal IP Address into IKEv2 Configuration Payload Attribute
Jul 28 23:05:31.203322: | Internal IP Address: 
Jul 28 23:05:31.203346: | emitting 1 raw bytes of INTERNL_IP6_PREFIX_LEN into IKEv2 Configuration Payload Attribute
Jul 28 23:05:31.203370: | INTERNL_IP6_PREFIX_LEN: 80
Jul 28 23:05:31.203394: | emitting length of IKEv2 Configuration Payload Attribute: 17
Jul 28 23:05:31.203417: | *****emit IKEv2 Configuration Payload Attribute:
Jul 28 23:05:31.203441: |    Attribute Type: IKEv2_INTERNAL_IP6_DNS (0xa)
Jul 28 23:05:31.203466: | emitting 16 raw bytes of IP6_DNS into IKEv2 Configuration Payload Attribute
Jul 28 23:05:31.203501: | IP6_DNS: 
Jul 28 23:05:31.203525: | emitting 1 raw bytes of INTERNL_IP6_PREFIX_LEN into IKEv2 Configuration Payload Attribute
Jul 28 23:05:31.203550: | INTERNL_IP6_PREFIX_LEN: 80
Jul 28 23:05:31.203572: | emitting length of IKEv2 Configuration Payload Attribute: 17
Jul 28 23:05:31.203596: | *****emit IKEv2 Configuration Payload Attribute:
Jul 28 23:05:31.203620: |    Attribute Type: IKEv2_INTERNAL_IP6_DNS (0xa)
Jul 28 23:05:31.203643: | emitting 16 raw bytes of IP6_DNS into IKEv2 Configuration Payload Attribute
Jul 28 23:05:31.203674: | IP6_DNS: 
Jul 28 23:05:31.203697: | emitting 1 raw bytes of INTERNL_IP6_PREFIX_LEN into IKEv2 Configuration Payload Attribute
Jul 28 23:05:31.203719: | INTERNL_IP6_PREFIX_LEN: 80
Jul 28 23:05:31.203742: | emitting length of IKEv2 Configuration Payload Attribute: 17
Jul 28 23:05:31.203766: | emitting length of IKEv2 Configuration Payload: 71
Jul 28 23:05:31.203789: | emitting ikev2_proposal ...

So yes, no gateway.

@mtodorov3-69

Well, I can ping the VPN server, but not the gateway behind it or the general Internet, which was the idea?

C:\Users\Mirsad>ping 2001:b68:2:2600::3

Pinging 2001:b68:2:2600::3 with 32 bytes of data:
Reply from 2001:b68:2:2600::3: time=9ms
Reply from 2001:b68:2:2600::3: time=9ms
Reply from 2001:b68:2:2600::3: time=11ms
Reply from 2001:b68:2:2600::3: time=9ms

Ping statistics for 2001:b68:2:2600::3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 11ms, Average = 9ms

C:\Users\Mirsad>ping 2001:b68:2:2600::1

Pinging 2001:b68:2:2600::1 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 2001:b68:2:2600::1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Mirsad>

I even tried to mimic the IPv4 setup with iptables -t nat -A POSTROUTING -j MASQUERADE in the form of ip6tables -t nat -A POSTROUTING -j MASQUERADE, but no luck there either …

(For IPv4 with libreswan it was required.)
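The IPv6 counterpart of that IPv4 gateway setup, as an added example that is not part of this thread and not libreswan's own code: a POSIX shell script for the server side. It assumes the interface towards the LAN and the Internet is called eth0 (a placeholder), takes the rightaddresspool prefix as an argument, and distinguishes a ULA pool (which needs NAT66, with the masquerade rule scoped to the pool and the egress interface rather than unscoped as in the attempt above) from a prefix that the upstream router already routes to the gateway (which needs no NAT at all). With DRY_RUN=1 it prints the commands instead of applying them, so it can be reviewed before it touches a live box.

```shell
#!/bin/sh
# vpn6-gateway.sh: prepare a Linux IKEv2 gateway to forward IPv6 for VPN
# clients. Added example, not from this thread or from libreswan.
# Assumptions: IFACE is the interface towards the LAN and the Internet
# (eth0 below is a placeholder), POOL is the rightaddresspool prefix, and
# MODE is "nat66" for a ULA pool such as fd00:0:0:0:1000::/80, or "routed"
# when the upstream router already routes POOL to this gateway, in which
# case no address rewriting is wanted at all.
set -eu

# run CMD...: execute the command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# enable_forwarding IFACE: the IPv6 counterpart of net.ipv4.ip_forward=1.
# accept_ra=2 is set first: once forwarding is on, Linux stops accepting
# router advertisements on that interface unless accept_ra is 2, and a
# gateway that learned its own default route from the LAN router would
# silently lose it when the advertised lifetime runs out.
enable_forwarding() {
    run sysctl -w "net.ipv6.conf.$1.accept_ra=2"
    run sysctl -w net.ipv6.conf.all.forwarding=1
    run sysctl -w "net.ipv6.conf.$1.forwarding=1"
}

# allow_forward POOL IFACE: needed if the FORWARD chain policy is DROP;
# harmless otherwise. Clients may open connections outwards, and only
# replies to those connections come back in.
allow_forward() {
    run ip6tables -A FORWARD -s "$1" -o "$2" -j ACCEPT
    run ip6tables -A FORWARD -d "$1" -i "$2" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# add_nat66 POOL IFACE: masquerade only the client pool, only on its way
# out of IFACE. An unscoped "-j MASQUERADE" would also rewrite traffic the
# gateway itself originates and anything else it happens to forward. The
# -C probe keeps the rule from being duplicated on a second run.
add_nat66() {
    if [ -n "${DRY_RUN:-}" ] ||
       ! ip6tables -t nat -C POSTROUTING -s "$1" -o "$2" -j MASQUERADE 2>/dev/null; then
        run ip6tables -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
    fi
}

# setup_gateway MODE POOL IFACE: apply everything the chosen topology needs.
setup_gateway() {
    mode=$1; pool=$2; iface=$3
    enable_forwarding "$iface"
    allow_forward "$pool" "$iface"
    case "$mode" in
        nat66)  add_nat66 "$pool" "$iface" ;;
        routed) ;;   # prefix is routed here by the upstream router: no NAT
        *)      echo "setup_gateway: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# Command-line entry point, e.g.
#   DRY_RUN=1 sh vpn6-gateway.sh nat66 'fd00:0:0:0:1000::/80' eth0
if [ $# -eq 3 ]; then
    setup_gateway "$@"
fi
```

The routed mode is the one the later advice in this thread points at: the upstream router sends the whole pool prefix to the gateway, the gateway only forwards, and clients keep globally reachable addresses with no address rewriting on the path.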

@cagney

CP payloads do not include a gateway.

@mtodorov3-69

FYI, here is my Windows 10 client routing table, (1) not connected to the VPN and (2) connected to the VPN.
It seems to do something odd, routing my VPN into the fe80::/16 address space?

C:\Users\Mirsad>route -6 print
===========================================================================
Interface List
 17...68 3e 26 8a f1 ed ......Microsoft Wi-Fi Direct Virtual Adapter
  4...6a 3e 26 8a f1 ec ......Microsoft Wi-Fi Direct Virtual Adapter #2
 18...68 3e 26 8a f1 ec ......Intel(R) Wireless-AC 9560
  9...68 3e 26 8a f1 f0 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 18    296 ::/0                     fe80::9e30:5bff:fe88:302f
  1    331 ::1/128                  On-link
 18    296 2a05:4f46:31a:7500::/56  fe80::9e30:5bff:fe88:302f
 18    296 2a05:4f46:31a:7500::/64  On-link
 18    296 2a05:4f46:31a:7500::2/128
                                    On-link
 18    296 2a05:4f46:31a:7500:c160:6f48:2839:27a3/128
                                    On-link
 18    296 2a05:4f46:31a:7500:f4ab:160e:24dc:df90/128
                                    On-link
 18    296 fe80::/64                On-link
 18    296 fe80::f4ab:160e:24dc:df90/128
                                    On-link
  1    331 ff00::/8                 On-link
 18    296 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\Mirsad>route -6 print
===========================================================================
Interface List
 46...........................VPN GRF magrf IKEv2
 17...68 3e 26 8a f1 ed ......Microsoft Wi-Fi Direct Virtual Adapter
  4...6a 3e 26 8a f1 ec ......Microsoft Wi-Fi Direct Virtual Adapter #2
 18...68 3e 26 8a f1 ec ......Intel(R) Wireless-AC 9560
  9...68 3e 26 8a f1 f0 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 18   4516 ::/0                     fe80::9e30:5bff:fe88:302f
  1   4556 ::1/128                  On-link
 18   4261 2001:b68:2:2600::3/128   fe80::9e30:5bff:fe88:302f
 18   4516 2a05:4f46:31a:7500::/56  fe80::9e30:5bff:fe88:302f
 18   4516 2a05:4f46:31a:7500::/64  On-link
 18   4516 2a05:4f46:31a:7500::2/128
                                    On-link
 18   4516 2a05:4f46:31a:7500:c160:6f48:2839:27a3/128
                                    On-link
 18   4516 2a05:4f46:31a:7500:f4ab:160e:24dc:df90/128
                                    On-link
 18   4516 fe80::/64                On-link
 46    281 fe80::/64                On-link
 46    281 fe80::1000:0:0:0/128     On-link
 18   4516 fe80::f4ab:160e:24dc:df90/128
                                    On-link
  1   4556 ff00::/8                 On-link
 18   4516 ff00::/8                 On-link
 46    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\Mirsad>

@mtodorov3-69

I did some homework and read RFC 5739, «IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2)».
I have also changed:

rightaddresspool=fd00:0:0:0:1000::/80

In the IPv4 VPN setup, a PPP connection gets opened:

ipconfig /all
PPP adapter GRF VPN IKEv2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : GRF VPN IKEv2
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.100.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 10.0.0.102
                                       1.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

With IPv6 I get:

C:\WINDOWS\system32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC-MTODOROV3
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : local.grf.hr

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : local.grf.hr
   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
   Physical Address. . . . . . . . . : F4-8E-38-B4-84-F7
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:b68:2:2600::51(Preferred)
   Link-local IPv6 Address . . . . . : fe80::b16b:7f4a:919f:fa58%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.2.24(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Lease Obtained. . . . . . . . . . : 29 July 2022 8:04:51
   Lease Expires . . . . . . . . . . : 30 July 2022 20:07:45
   Default Gateway . . . . . . . . . : 2001:b68:2:2600::1
                                       10.0.0.2
   DHCP Server . . . . . . . . . . . : 10.0.0.101
   DHCPv6 IAID . . . . . . . . . . . : 250908216
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-9C-37-3A-F4-8E-38-B4-84-F7
   DNS Servers . . . . . . . . . . . : 2001:b68:2:2600::3
                                       2001:b68:c:2::70:0
                                       10.0.0.102
                                       31.147.204.224
                                       10.0.0.101
   NetBIOS over Tcpip. . . . . . . . : Enabled

PPP adapter GRF VPN IKEv2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : GRF VPN IKEv2
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd00::1000:0:0:0(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1000:0:0:0%33(Preferred)
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 553713561
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-9C-37-3A-F4-8E-38-B4-84-F7
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Phantom TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-99-F2-8D-FD
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

C:\WINDOWS\system32>

There is a certain moment where I should probably do something in the 'route-client-v6' hook, but frankly I do not feel wise enough to discern what is to be routed through what. What is the interface called on the Linux VPN server, and what is the address of the gateway on that interface?

Here is something from the session log:

Jul 29 10:47:13.068285: | kernel: could_route called for MYCONN-ikev2-ipv6-cp; kind=CK_INSTANCE that.has_client=yes oppo=no this.host_port=500 sec_label=
Jul 29 10:47:13.068323: | FOR_EACH_SPD_ROUTE[remote_client_range=fd00::1000:0:0:0/128]... in (route_owner() +3511 /programs/pluto/connections.c)
Jul 29 10:47:13.068363: |   found "MYCONN-ikev2-ipv6-cp"[10] 2001:b68:2:2600::51 ::/0 -<all>-> fd00::1000:0:0:0/128
Jul 29 10:47:13.068386: |   matches: 1
Jul 29 10:47:13.068418: | route owner of "MYCONN-ikev2-ipv6-cp"[10] 2001:b68:2:2600::51 unrouted: NULL; eroute owner: NULL
Jul 29 10:47:13.068459: | kernel: setup_half_ipsec_sa() outbound ::/0-ALL->[2001:b68:2:2600::3=tunnel=>2001:b68:2:2600::51]-ALL->fd00::1000:0:0:0/128 sec_label=

I can't really see what is going on here, and the server program has 100K lines.

Many thanks in advance for your help.

@bleve

Your initial configuration would need proxy NDP to be able to reach other machines on the LAN.

With fd00 addresses you need to do NAT on your VPN gateway to make things work. You have failed to do NAT if the fd00 address doesn't work.

@mtodorov3-69

> Your initial configuration would need proxy NDP to be able to reach other machines on the LAN.
>
> With fd00 addresses you need to do NAT on your VPN gateway to make things work. You have failed to do NAT if the fd00 address doesn't work.

In light of RFC 4864 and RFC 4389, «Neighbor Discovery Proxies (ND Proxy)», NAT66 and the fd00: addresses may be suboptimal and deprecated. Who is responsible for the NDP proxy stuff if I assign a 2001:b68::/64 address via the VPN gateway?

What part of proxy NDP is to be done by the Windows 10 VPN client, and what part by libreswan on the VPN gateway?

That seems like something that should be done during IKEv2 session initiation; I can't make up for it if libreswan didn't sync the address space between the VPN client and the VPN server, can I?

Thanks.

@bleve

Network configuration is out of libreswan's scope: IPsec can only work with properly configured networking. Generally, with IPv6 you want to route a separate IPv6 subnet to your VPN gateway to be used for VPN clients.
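On the question of who does the proxy-NDP part when the pool is carved out of the LAN /64 (the first layout in this thread): the gateway does, one entry per client, and libreswan's updown hook is the place to do it, because that is where the gateway learns which address a client was just given. The following is an added example, not libreswan's own _updown script and not from this thread, of a leftupdown= wrapper that installs and removes a proxy-NDP entry on the LAN interface for each client address. It relies on the environment libreswan passes to updown scripts (PLUTO_VERB, PLUTO_PEER_CLIENT in CIDR form, PLUTO_INTERFACE); the wrapper's name and path, the LAN_IF and STOCK_UPDOWN variables and the DRY_RUN mode are this example's own assumptions. The alternative recommended above, a separate prefix routed to the gateway by the upstream router, needs no proxy NDP at all.

```shell
#!/bin/sh
# vpn6-updown: a leftupdown= wrapper for libreswan that answers Neighbor
# Discovery on the LAN for every VPN client whose address is carved out of
# the LAN /64 (2001:b68:2:2600:1000::/80 inside 2001:b68:2:2600::/64 in this
# thread). Added example; not libreswan's own _updown script.
# libreswan exports PLUTO_VERB, PLUTO_PEER_CLIENT (CIDR) and PLUTO_INTERFACE
# to the hook; LAN_IF, STOCK_UPDOWN and DRY_RUN are this example's own
# assumptions. Install as an executable file and point the conn at it:
#     leftupdown=/usr/local/libexec/ipsec/vpn6-updown
set -eu

# The interface the LAN /64 lives on. With left= set to the gateway's LAN
# address, as in this thread, that is also the interface pluto reports.
LAN_IF=${LAN_IF:-${PLUTO_INTERFACE:-eth0}}
# The stock script that installs kernel policies and routes; it must still
# run, or the tunnel comes up without any IPsec policy.
STOCK_UPDOWN=${STOCK_UPDOWN:-"ipsec _updown"}

# run CMD...: execute the command, or just print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# client_addr CIDR: the bare address; pool clients are handed a /128.
client_addr() { printf '%s\n' "${1%/*}"; }

# proxy_ndp add|del ADDR: make (or stop making) the gateway answer Neighbor
# Solicitations for ADDR on LAN_IF. Without this the LAN router never learns
# where a pool address lives and replies to the client are black-holed.
# The kernel only proxies when forwarding is enabled on LAN_IF as well.
proxy_ndp() {
    if [ "$1" = add ]; then
        run sysctl -q -w "net.ipv6.conf.$LAN_IF.proxy_ndp=1"
    fi
    run ip -6 neigh "$1" proxy "$2" dev "$LAN_IF"
}

# handle VERB CIDR: the per-client address exists from up-client-v6 until
# down-client-v6, so those are the verbs to act on; route-client-v6 and the
# rest need nothing extra here.
handle() {
    case "$1" in
        up-client-v6)   proxy_ndp add "$(client_addr "$2")" ;;
        down-client-v6) proxy_ndp del "$(client_addr "$2")" ;;
        *) ;;
    esac
}

# Entry point when pluto runs the hook (PLUTO_VERB is set only then):
# do the proxy-NDP bookkeeping, then hand over to the stock script.
if [ -n "${PLUTO_VERB:-}" ]; then
    handle "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-}"
    # shellcheck disable=SC2086
    run $STOCK_UPDOWN
fi
```

To see what the hook would do for one client without a running pluto, set the variables by hand, e.g. PLUTO_VERB=up-client-v6 PLUTO_PEER_CLIENT=2001:b68:2:2600:1000::/128 PLUTO_INTERFACE=eth0 DRY_RUN=1 sh vpn6-updown; it prints the sysctl and ip neigh commands followed by the hand-over to ipsec _updown. Proxy NDP only covers reachability from the LAN; with a GUA pool and no NAT the gateway must also forward (which this thread already has enabled), and the rest of the path, the LAN router onwards, sees ordinary addresses from its own /64.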

profile

viewpoint


nodejs


Spring Boot


React


Rust


tensorflow

Hello.

Try the following adjustment to see if we can resolve your issue:

1.  Open the IJ Scan Utility from your Desktop or the Canon Utilities listing of the Start Menu (Windows) or Applications folder (Mac).

2.  Click Settings.

3.  On the left, click the ‘Scan Document’ tab.

4.  Click the ‘Default’ button at the bottom.

5.  Repeat this process with each tab on the left.

6.  Click OK at the bottom of the Settings menu.

Once this has been done, try scanning from the IJ Scan Utility to test the changes.

This didn’t answer your question or issue? Find more help at Contact Us. 

Did this answer your question? Please click the Accept as Solution button so that others may find the answer as well.


Description


Chris Dumez



2019-10-17 09:40:25 PDT

ApplePaySession should never prevent entering the back/forward cache.


Comment 3


Chris Dumez



2019-11-04 20:52:28 PST

Comment on attachment 382805 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=382805&action=review

> Source/WebCore/Modules/applepay/ApplePaySession.cpp:831
> +bool ApplePaySession::canSuspendWhileActive() const

I find the naming very confusing. How about something like "needsAbortingOnSuspension" ?

> Source/WebCore/Modules/applepay/ApplePaySession.cpp:838
> +    case State::SuspendedWhileActive:

Do we really need a new state? Why not go directly to canceled?

> Source/WebCore/Modules/applepay/ApplePaySession.cpp:860
> +    // FIXME: Is TaskSource::UserInteraction correct here?

I know but it is not the same spec but UserInteraction is what's used in this spec at least: https://w3c.github.io/payment-request/

> Source/WebCore/Modules/applepay/ApplePaySession.cpp:861
> +    context.eventLoop().queueTask(TaskSource::UserInteraction, context, [this, pendingActivity = makePendingActivity(*this)] {

Why not queue the task in the suspend()? Since you're using the event loop, it would fire until you resume anyway. This way, you don't need a resume() method.

Also, you should consider using ActiveDOMObject::queueTaskKeepingObjectAlive() instead to queue the task.


Comment 4


Chris Dumez



2019-11-04 20:53:28 PST

(In reply to Chris Dumez from comment #3)
> Comment on attachment 382805 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=382805&action=review
> 
> > Source/WebCore/Modules/applepay/ApplePaySession.cpp:831
> > +bool ApplePaySession::canSuspendWhileActive() const
> 
> I find the naming very confusing. How about something like
> "needsAbortingOnSuspension" ?
> 
> > Source/WebCore/Modules/applepay/ApplePaySession.cpp:838
> > +    case State::SuspendedWhileActive:
> 
> Do we really need a new state? Why not go directly to canceled?
> 
> > Source/WebCore/Modules/applepay/ApplePaySession.cpp:860
> > +    // FIXME: Is TaskSource::UserInteraction correct here?
> 
> I know but it is not the same spec but UserInteraction is what's used in
> this spec at least: https://w3c.github.io/payment-request/
> 
> > Source/WebCore/Modules/applepay/ApplePaySession.cpp:861
> > +    context.eventLoop().queueTask(TaskSource::UserInteraction, context, [this, pendingActivity = makePendingActivity(*this)] {
> 
> Why not queue the task in the suspend()? Since you're using the event loop,
> it would fire until you resume anyway. This way, you don't need a resume()
> method.

it would *NOT* fire until you resume anyway


Comment 8


WebKit Commit Bot



2019-11-05 09:13:10 PST

All reviewed patches have been landed.  Closing bug.

The Things Network

Loading

Понравилась статья? Поделить с друзьями:
  • Ошибка 2046 fanuc
  • Ошибка 2043 2 мерседес дизель
  • Ошибка 2043 001 мерседес спринтер
  • Ошибка 2042 фанук
  • Ошибка 2042 на контроллере домена