
According to some tests on iOS using Firefox and ipleak.net, doesn’t look like it. Does strongSwan mitigate this properly?

$ cat /etc/ipsec.conf
config setup
  charondebug="ike -1, knl -1, cfg -1"
  uniqueids=never

conn ikev2
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256gcm16-prfsha512-ecp384!
  esp=aes256gcm16-ecp384!
  dpdaction=clear
  dpddelay=300s
  rekey=no
  left=%any
  leftid=my-vpn.com
  leftcert=vpn-server.crt
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-tls
  rightdns=1.1.1.1,1.0.0.1
  rightsourceip=%dhcp
  rightsendcert=never
  eap_identity=%identity
sunknudsen
  • It is not strongSwan (or any other VPN software) that is responsible for this, but the admin who configures it must account for IPv6. Please post your ipsec.conf. – Michael Hampton Jul 16 '20 at 16:44
  • @MichaelHampton Done! – sunknudsen Jul 16 '20 at 17:38
  • Hm. This config definitely leaks IPv6. Digging around a bit I think you need to use the new strongswan.conf file format to handle dual stack, and that's the only way to do it: The VPN must provide IPv6 connectivity to prevent IPv6 leaks. – Michael Hampton Jul 16 '20 at 17:59
  • @MichaelHampton Somehow, it doesn’t... at least not on ipleak.org. Do you know how we could confirm if it does or doesn’t? – sunknudsen Jul 16 '20 at 19:56
  • They don't explain how they determine if there is an IPv6 leak. I suspect it's broken since their web site doesn't even respond on IPv6, and "No IPv6 leak detected" is hardcoded in their HTML. Anyway, connect to your VPN and then go to a website that shows both your IPv4 and IPv6 addresses. These are few and far between which is why I built one myself: https://myip.addr.space/ Then disconnect from the VPN and reload the page. Both the IPv4 and IPv6 addresses shown should be different. If they're the same, you're leaking. – Michael Hampton Jul 16 '20 at 20:02
  • @MichaelHampton Sorry, made a typo. The site I used to test for leaks is https://ipleak.net/. Is that one better? – sunknudsen Jul 16 '20 at 22:01
  • @MichaelHampton Using the above `ipsec.conf` config, I get "Couldn't determine an IPv6 address. You might not have IPv6 connectivity." on iOS and macOS using Firefox. No leaks right? – sunknudsen Jul 16 '20 at 22:03
  • No, that's bad news. That means you will leak IPv6. – Michael Hampton Jul 16 '20 at 22:05
  • @MichaelHampton Can you please expand on the above comment? Why will this setup leak IPv6? How can I see these leaks in action? – sunknudsen Jul 16 '20 at 22:15
  • Your IPv6 traffic will not go through the VPN because the VPN doesn't provide IPv6 connectivity. It will just go through your regular ISP, as soon as they provide IPv6 to you (which you aren't likely to notice when it happens). – Michael Hampton Jul 16 '20 at 22:20
  • @MichaelHampton If this is the case, why isn’t myip.addr.space revealing my true IPv6 IP address? – sunknudsen Jul 16 '20 at 22:21
  • Is your ISP providing IPv6 connectivity? I notice you failed to note the results of visiting when you were not connected to your VPN. – Michael Hampton Jul 16 '20 at 22:30
  • @MichaelHampton I confirm my mobile carrier supports IPv6. Actually, when connected to my test VPN over LTE, websites that don’t support IPv6 don’t load (such as duckduckgo.com), but IPv6 sites like ipleak.net work fine. Do you know what can cause this? According to my research, it has something to do with mobile carriers being IPv6 first. – sunknudsen Jul 16 '20 at 22:46
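The point made in the comments is that the posted conn only claims IPv4 (leftsubnet=0.0.0.0/0, an IPv4-only pool), so a client that also has IPv6 from its carrier keeps sending IPv6 directly to the ISP. The script below is an added example, not part of the question and not strongSwan's own tooling: it parses a conn section out of an ipsec.conf and reports "leak" unless the gateway both claims ::/0 in leftsubnet and hands out an IPv6 address from rightsourceip. Both sample configs are constructed here: the "leaky" one is a condensed copy of the posted conn, and the "fixed" one adds ::/0 and an IPv6 pool. The specific pool prefixes (10.10.10.0/24, fd12:3456:789a::/64) and the comma-separated pool list are assumptions for illustration, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan): inspect an
# ipsec.conf conn for dual-stack coverage. A gateway that only pushes
# 0.0.0.0/0 and an IPv4 pool leaves the client's IPv6 traffic on the ISP.

# conn_value CONN KEY FILE: print the value of KEY inside "conn CONN".
conn_value() {
    awk -v conn="$2" -v key="$3" '
        /^conn[ \t]/   { in_conn = ($2 == conn); next }
        /^config[ \t]/ { in_conn = 0; next }
        in_conn && $0 ~ "^[ \t]*" key "=" {
            sub("^[ \t]*" key "=", ""); print; exit
        }' "$1"
}

# list_has ITEM LIST: succeed if the comma-separated LIST contains ITEM exactly.
list_has() {
    printf '%s\n' "$2" | tr ',' '\n' | grep -qx -- "$1"
}

# has_ipv6 LIST: succeed if any entry of the comma-separated LIST is IPv6.
has_ipv6() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -q ':'
}

# ipv6_leak_status CONN FILE: print "ok" when the conn claims all IPv6
# traffic (::/0) and assigns an IPv6 address, otherwise "leak".
ipv6_leak_status() {
    subnet=$(conn_value "$2" "$1" leftsubnet)
    pool=$(conn_value "$2" "$1" rightsourceip)
    if list_has '::/0' "$subnet" && has_ipv6 "$pool"; then
        echo ok
    else
        echo leak
    fi
}

# Constructed sample: the relevant lines of the posted conn (IPv4 only).
sample_leaky() {
    cat <<'EOF'
config setup
  uniqueids=never

conn ikev2
  auto=add
  keyexchange=ikev2
  leftsubnet=0.0.0.0/0
  rightsourceip=%dhcp
  rightdns=1.1.1.1,1.0.0.1
EOF
}

# Constructed sample: assumed fix. ::/0 makes the gateway claim IPv6 too,
# and an IPv6 pool gives the client a tunnel address to source it from.
# The prefixes are placeholders, not from the page.
sample_fixed() {
    cat <<'EOF'
config setup
  uniqueids=never

conn ikev2
  auto=add
  keyexchange=ikev2
  leftsubnet=0.0.0.0/0,::/0
  rightsourceip=10.10.10.0/24,fd12:3456:789a::/64
  rightdns=1.1.1.1,1.0.0.1
EOF
}

# Stand-alone run: check both constructed samples.
tmp=$(mktemp -d)
sample_leaky > "$tmp/leaky.conf"
sample_fixed > "$tmp/fixed.conf"
for name in leaky fixed; do
    printf '%s: %s\n' "$name" "$(ipv6_leak_status ikev2 "$tmp/$name.conf")"
done
rm -r "$tmp"
```

This only inspects the configuration. It says nothing about whether the gateway actually forwards (or NATs) IPv6 once the client sends it through the tunnel, so the end-to-end check described in the comments (compare the IPv4 and IPv6 addresses a dual-stack site sees with the VPN up and down) is still needed.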

0 Answers