
I'm trying to set up an IPsec VPN (IKEv1) for our Linux clients. But we need dual stack with IPv4 and IPv6.

The endpoint is a FortiGate firewall, with two phase2 entries, one for IPv4 and one for IPv6. The setup is as follows:

config vpn ipsec phase1-interface
    edit "VPNRemote"
        set type dynamic
        set interface "port4"
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "VPNRemote_Group"
        set assign-ip-from name
        set ipv4-name "VPNRemote_Network"
        set ipv6-name "VPNRemote_Network"
        set save-password enable
        set client-auto-negotiate enable
        set psksecret
    next
end
config vpn ipsec phase2-interface
    edit "VPNRemote_Network1"
        set phase1name "VPNRemote"
        set proposal aes256-sha256
        set dhgrp 14
    next
    edit "VPNRemote_Network2"
        set phase1name "VPNRemote"
        set proposal aes256-sha256
        set dhgrp 14
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

To connect the VPN from the Linux clients we are using strongSwan. Here I am using the following working config:

conn VPNRemote
  keyexchange = ikev1
  ikelifetime = 86400s
  keylife = 43200s
  aggressive = no
  ike = aes256-sha256-modp2048
  esp = aes256-sha256-modp2048
  xauth = client
  leftsourceip = %config4,%config6
  leftauth = psk
  rightauth = psk
  leftauth2 = xauth
  right = 123.123.123.123
  xauth_identity = muster.tester

conn VPNRemote1
  rightsubnet = 0.0.0.0/0
  also = VPNRemote
  auto = add

conn VPNRemote2
  rightsubnet = ::/0
  also = VPNRemote
  auto = add

With the config above, the phase2 with name VPNRemote1 comes up and is configured with an IPv4 address. But if I try the phase2 VPNRemote2 there is a timeout.

Here the FortiGate log prints the following:

peer proposal is: peer:0:10.16.2.10-10.16.2.10:0, me:0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0

So strongSwan is proposing the wrong IP type. It should propose IPv6 but is using IPv4 again.

If I swap rightsubnet = 0.0.0.0/0 for rightsubnet = ::/0 in VPNRemote1, the problem is exactly the other way around.

So in conclusion strongSwan should propose an IPv6 address in VPNRemote2, but this is not working.

Is there someone with a running dual-stack IPsec VPN on Ubuntu who could give me a hint?

premar
  • Does FortiGate not support IKEv2? Not entirely sure if it works with IKEv1, but you could try `leftsourceip = %config4,%config6`. – ecdsa Jun 12 '23 at 11:59
  • At the moment we have to work with IKEv1. But yes there was a plan to move to IKEv2 in a later stage. But here we still have to work again with two phase2. So the problem will be still there. I tried the option `leftsourceip = %config4,%config6` in the main part. But no luck, still only one phase2 goes up. – premar Jun 14 '23 at 06:02
  • Have you tried other stuff than `::/0`? Like a full address... There are some IPv6 examples here: https://www.strongswan.org/testing/testresults/ipv6-stroke/net2net-ip6-in-ip4-ikev1/ https://www.strongswan.org/testing/testresults/ipv6-stroke/net2net-ip6-in-ip4-ikev1/moon.ipsec.conf – exeral Jun 19 '23 at 15:09
  • Yes, tried that. Sorry, forgot to write it above. The FortiGate allows only a range of IPs which are then given to the VPN clients. I tried it with, for example, `rightsubnet = fd3c:61e9:7f85:a187::/64` or `right = fd3c:61e9:7f85:a187::10 - fd3c:61e9:7f85:a187::100`. Same result: the first phase2 decides the IP version. – premar Jun 21 '23 at 06:33
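To make the FortiGate "peer proposal" line from the question easier to read, here is an added helper (not part of the question, nor of strongSwan or FortiGate tooling) that parses both traffic selectors and reports when the peer's proposed range and the local range are of different IP versions, which is exactly the symptom seen when VPNRemote2 times out. The field layout `<label>:<proto>:<start>-<end>:<port>` is an assumption inferred from the quoted line.

```python
import ipaddress
import re

# Constructed sample: the log line quoted in the question (peer = strongSwan client,
# me = the FortiGate's own selector for the IPv6 phase2).
LOG_LINE = ("peer proposal is: peer:0:10.16.2.10-10.16.2.10:0, "
            "me:0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0")

# Assumed layout: "<label>:<proto>:<start>-<end>:<port>". IPv6 addresses contain
# colons but never '-', so the range is split on '-' and port is the last ':' field.
SELECTOR_RE = re.compile(r"(peer|me):(\d+):([0-9a-fA-F.:]+)-([0-9a-fA-F.:]+):(\d+)")


def parse_proposal(line):
    """Map 'peer' and 'me' to their selector (start, end as ipaddress objects, proto, port)."""
    sides = {}
    for label, proto, start, end, port in SELECTOR_RE.findall(line):
        sides[label] = {
            "start": ipaddress.ip_address(start),
            "end": ipaddress.ip_address(end),
            "proto": int(proto),
            "port": int(port),
        }
    if "peer" not in sides or "me" not in sides:
        raise ValueError("line does not contain both a peer and a me selector")
    return sides


def selector_networks(side):
    """Collapse a start-end range into CIDR blocks (e.g. a single host, or ::/0)."""
    return [str(n) for n in ipaddress.summarize_address_range(side["start"], side["end"])]


def family_mismatch(line):
    """True when peer and local selectors use different IP versions (IPv4 vs IPv6)."""
    sides = parse_proposal(line)
    return sides["peer"]["start"].version != sides["me"]["start"].version


def describe(line):
    """Human-readable verdict for the log line, e.g. for a quick triage script."""
    sides = parse_proposal(line)
    peer_v, me_v = sides["peer"]["start"].version, sides["me"]["start"].version
    verdict = "MISMATCH" if peer_v != me_v else "ok"
    return (f"{verdict}: peer proposes IPv{peer_v} {selector_networks(sides['peer'])}, "
            f"local selector is IPv{me_v} {selector_networks(sides['me'])}")


if __name__ == "__main__":
    print(describe(LOG_LINE))
```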
