IPSec Dual Stack can't handle IPv4 and IPv6 at the same time

Author
yoloknight
New Member
2020/11/18 08:41:32 (permalink)

IPSec Dual Stack can't handle IPv4 and IPv6 at the same time

Hi Guys,
 
I have a problem: my IPSec VPN can't handle IPv4 and IPv6 at the same time. In my Phase 2 selectors I have this information:
IPv6:
Remote Address: "::/0"
Local Address: "::/0"

IPv4:
Remote Address: "0.0.0.0"
Local Address: "0.0.0.0"

From my Strongswan client I have a stable IPSec tunnel and get both IP addresses from Phase 1 (example: 192.168.1.1 and fd00::1).

Now with both entries, IPv4 and IPv6, I can only ping the IPv4 address 192.168.1.1. If I delete this entry from phase two and only "::/0" is there, then I can ping fd00::1. And if I delete the IPv6 entry, I can ping IPv4.

Ping:
Only IPv4 entry -> ping works
Only IPv6 entry -> ping works
Both (IPv4 and IPv6) -> ping to IPv4 works and IPv6 is unreachable


For me it seems the IPSec tunnel can't handle both the IPv4 and the IPv6 addresses, and I can only choose one. Is this right, or have I overlooked something? (Perhaps a special routing entry for this?)




#1
emnoc
Expert Member
Re: IPSec Dual Stack can't handle IPv4 and IPv6 at the same time 2020/11/18 11:35:42 (permalink)
Q:
  • Did you run "diag vpn tunnel list"?
  • Did you run debug on the fortigate for ike?
  • Did you run ipsec statusall and look at the logs on the Strongswan host?
  • Did you try with specific Phase2 in both fgt and strongswan?
 
And no, you can run dual-stacked fortios for ipsec tunnels.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#2
yoloknight
New Member
Re: IPSec Dual Stack can't handle IPv4 and IPv6 at the same time 2020/11/23 05:06:30 (permalink)
Hi Emnoc,

To your questions:
Did you run "diag vpn tunnel list"
-> Yup, the tunnel is shown as stable and nothing unusual
Did you run debug on fortigate for ike

-> Yup, the tunnel is established and there are no error signs
 
Did you run ipsec statusall & looked at the logs on Strongswan host
-> Yup, I had also done this, but strongswan gets no response from the fortigate and the IP (seen with "journalctl -f" on linux); the fortigate logs show nothing
 
Did you try with specific Phase2 in both fgt and strongswan
-> I tried, for example, to set "compress=no" in particular, but nothing works. In the end I only use the default configuration of strongswan.

For me it looks like the Fortigate doesn't support a dual-stack client-to-client roadwarrior VPN.
#3
emnoc
Expert Member
Re: IPSec Dual Stack can't handle IPv4 and IPv6 at the same time 2020/11/25 07:16:56 (permalink)
Drop your configuration (fgt and strongswan). Not sure what you're doing, but ipsec ipv4/6 dual stack is supported and works.
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#4
yoloknight
New Member
Re: IPSec Dual Stack can't handle IPv4 and IPv6 at the same time 2020/11/26 23:34:24 (permalink)
Hi emnoc,
 
Well, I have made some progress in that matter.
https://bugs.launchpad.net/ubuntu/+source/network-manager-strongswan/+bug/1905565
It seems that the Dual Stack configuration only works with two CHILD_SAs. We asked support this question, but our contact (on the Fortigate side) didn't see this as a technical issue and more as a consulting matter.

Perhaps you know the answer.

Is the Fortigate able to narrow the traffic selectors of a single CHILD_SA appropriately (e.g. does it propose 0.0.0.0/0 AND ::/0 as remote traffic selectors)? Or is it unable to do that and requires two CHILD_SAs?
#5
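The question in the post above is about IKEv2 traffic-selector narrowing (RFC 7296, section 2.9): when the client proposes both 0.0.0.0/0 and ::/0 in one CHILD_SA, the responder may narrow each selector but must not widen it, and a client only gets a family if both its own (TSi) and the gateway's (TSr) selector survive for that family. The following model is an added example written for this thread; it is not Fortinet, FortiOS or strongSwan code, and every name in it (TrafficSelector, GatewayPolicy, create_child_sa, negotiate, the one_family_per_sa switch) is my own. The one_family_per_sa behaviour is an assumption used to illustrate the symptom from the first post, not a description of any vendor's implementation. The inputs are constructed from the addresses in the thread.

```python
"""Model of IKEv2 traffic-selector (TS) narrowing, RFC 7296 section 2.9.

Added example for this forum thread; not Fortinet or strongSwan code.
It compares a responder that keeps both address families in one CHILD_SA
with a hypothetical responder that narrows a mixed proposal down to one
family per CHILD_SA, and shows the two-CHILD_SA workaround from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE or TS_IPV6_ADDR_RANGE (ports and protocol ignored)."""
    family: int   # 4 or 6
    start: int    # first address of the range, as an integer
    end: int      # last address of the range, as an integer

    @classmethod
    def from_cidr(cls, cidr: str) -> "TrafficSelector":
        net = ipaddress.ip_network(cidr, strict=False)
        return cls(net.version, int(net.network_address), int(net.broadcast_address))

    def intersect(self, other: "TrafficSelector"):
        """Common sub-range, or None; different families never overlap."""
        if self.family != other.family:
            return None
        lo, hi = max(self.start, other.start), min(self.end, other.end)
        return TrafficSelector(self.family, lo, hi) if lo <= hi else None


@dataclass
class GatewayPolicy:
    """Responder's phase-2 selectors: allowed client (remote) side and local side."""
    remote: List[TrafficSelector]
    local: List[TrafficSelector]


class TsUnacceptable(Exception):
    """The responder would answer with a TS_UNACCEPTABLE notify."""


def narrow(proposed, allowed):
    """Intersect each proposed TS with every allowed TS of the same family and
    keep the non-empty results: the responder may narrow, never widen."""
    out = []
    for ts in proposed:
        for pol in allowed:
            n = ts.intersect(pol)
            if n is not None and n not in out:
                out.append(n)
    return out


def create_child_sa(tsi, tsr, policy, one_family_per_sa=False):
    """Responder side of one CREATE_CHILD_SA exchange.
    tsi / tsr: selectors the initiator proposes for itself / for the responder.
    one_family_per_sa (assumed behaviour, for illustration): drop every selector
    outside the family of the first acceptable TSi entry."""
    ntsi, ntsr = narrow(tsi, policy.remote), narrow(tsr, policy.local)
    if not ntsi or not ntsr:
        raise TsUnacceptable("no acceptable selector pair")
    if one_family_per_sa:
        fam = ntsi[0].family
        ntsi = [t for t in ntsi if t.family == fam]
        ntsr = [t for t in ntsr if t.family == fam]
        if not ntsr:
            raise TsUnacceptable("no responder selector in family %d" % fam)
    return ntsi, ntsr


def negotiate(tsi, tsr, policy, one_family_per_sa=False):
    """Initiator strategy: one CHILD_SA for everything first; for each family the
    responder narrowed away, try one extra CHILD_SA (the two-CHILD_SA workaround)."""
    sas = [create_child_sa(tsi, tsr, policy, one_family_per_sa)]
    covered = {t.family for t in sas[0][0]}
    for fam in sorted({t.family for t in tsi} - covered):
        fam_tsi = [t for t in tsi if t.family == fam]
        fam_tsr = [t for t in tsr if t.family == fam]
        try:
            sas.append(create_child_sa(fam_tsi, fam_tsr, policy, one_family_per_sa))
        except TsUnacceptable:
            pass  # the gateway has no selector at all for this family
    return sas


def reachable_families(sas):
    """Families that have both a client-side and a gateway-side selector."""
    fam_i = {t.family for ntsi, _ in sas for t in ntsi}
    fam_r = {t.family for _, ntsr in sas for t in ntsr}
    return sorted(fam_i & fam_r)


# Constructed inputs: the client's two virtual IPs from the first post as TSi,
# "everything" in both families as TSr, and the gateway's phase-2 selectors
# from the first post, reading 0.0.0.0 as 0.0.0.0/0.
CLIENT_TSI = [TrafficSelector.from_cidr("192.168.1.1/32"), TrafficSelector.from_cidr("fd00::1/128")]
CLIENT_TSR = [TrafficSelector.from_cidr("0.0.0.0/0"), TrafficSelector.from_cidr("::/0")]
GATEWAY = GatewayPolicy(remote=[TrafficSelector.from_cidr("0.0.0.0/0"), TrafficSelector.from_cidr("::/0")],
                        local=[TrafficSelector.from_cidr("0.0.0.0/0"), TrafficSelector.from_cidr("::/0")])


def single_sa_families(one_family_per_sa):
    """Families usable after a single CREATE_CHILD_SA, without any retry."""
    return reachable_families([create_child_sa(CLIENT_TSI, CLIENT_TSR, GATEWAY, one_family_per_sa)])


if __name__ == "__main__":
    print("one CHILD_SA, both families kept:", single_sa_families(False))
    print("one CHILD_SA, one family per SA: ", single_sa_families(True))
    sas = negotiate(CLIENT_TSI, CLIENT_TSR, GATEWAY, one_family_per_sa=True)
    print("after per-family retry: %d CHILD_SAs, families %s" % (len(sas), reachable_families(sas)))
```

With the one-family-per-SA responder the first exchange yields IPv4 only, which is exactly the "IPv4 works, IPv6 unreachable" pattern from the first post; the retry in negotiate() is what the second conn in a strongSwan config achieves. If the gateway has no IPv6 selector at all, the retry fails cleanly and the client is left with IPv4 alone.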
emnoc
Expert Member
Re: IPSec Dual Stack can't handle IPv4 and IPv6 at the same time 2020/11/27 10:50:55 (permalink)
I will have to test, but with Junos we built one phase2-interface and it generated one child-SA, IIRC. Strongswan should be the same; dump your config fgt/strongswan (phase2).
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#6
yoloknight
New Member
Re: IPSec Dual Stack can't handle IPv4 and IPv6 at the same time 2020/12/04 03:53:01 (permalink)
The guy Tobias Brunner says it's a known issue with Fortigate. (I think we don't need a dump, perhaps.)
https://wiki.strongswan.org/projects/strongswan/wiki/Fortinet (known issue)
 
In short, it seems the Fortigate invokes an error that forces StrongSwan to switch its mode internally. Because of that you can't have one valid child-SA. But I don't know if Fortigate is working on this, because my support doesn't answer me anymore.
#7
emnoc
Expert Member
Re: IPSec Dual Stack can't handle IPv4 and IPv6 at the same time 2020/12/04 07:56:47 (permalink)
So I remember I just wrote about multiple conn before in a previous blog post:
 
Ken Felix Security Blog: Multiple Phase2 in Strongswan configurations (socpuppet.blogspot.com)
 
The old way of appending subnets to one "conn" is not ideal or even recommended:
 
/strongswan
    # ipsec.conf takes a comma-separated list here, not semicolons
    leftsubnet=192.168.1.0/24,192.168.2.0/24
    rightsubnet=192.168.4.0/24,192.168.6.0/24
 
So you need to build a separate conn, associate it to the parent and define the ipv6 subnets:
 
conn ipv6
    leftsubnet=2001:db8:1::0/64
    rightsubnet=2001:db8:2::0/64
    also=mainconn
    auto=route
 
Run ipsec status and ip -6 route to see the ipv6 details on strongswan. Dual ipv4/v6 is doable; you just have to do it in that fashion.
 
Ken Felix
 
 

PCNSE 
NSE 
StrongSwan  
#8
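The second conn in the post above only works because of also=: it pulls every parameter of the parent conn and overrides just the subnets and the auto= mode. The script below is an added example written for this thread, not strongSwan's own parser: it reads a constructed ipsec.conf fragment, resolves also= and conn %default the way ipsec.conf defines them (a parameter set in the current section wins over one from an included section), and reports which address families each side of each conn covers. The mainconn the post leaves undefined is filled in with assumed addresses (192.0.2.10 and 198.51.100.1); those values and the %default proposals are mine.

```python
"""Resolve strongSwan ipsec.conf "conn" sections that use also= and report the
address families each side covers.  Added example for this thread, not
strongSwan code; the config text below is constructed.
"""

# Constructed ipsec.conf: the IPv4 conn plus a second conn that inherits
# everything via also= and replaces only the subnets and the auto= mode.
# Addresses and proposals in mainconn / %default are assumed values.
SAMPLE_IPSEC_CONF = """\
conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!

conn mainconn
    left=192.0.2.10
    right=198.51.100.1
    leftsubnet=192.168.1.0/24,192.168.2.0/24
    rightsubnet=192.168.4.0/24,192.168.6.0/24
    auto=start

conn ipv6
    leftsubnet=2001:db8:1::/64
    rightsubnet=2001:db8:2::/64
    also=mainconn        # pull everything else from the IPv4 conn
    auto=route
"""


def parse_sections(text):
    """Return {(kind, name): [(key, value), ...]}.  A line at column 0 opens a
    section ("conn name" / "config setup"), indented lines are parameters and
    '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), [])
        else:
            if current is None:
                raise ValueError("parameter before any section: %r" % raw)
            key, sep, value = line.strip().partition("=")
            if not sep:
                raise ValueError("not a key=value line: %r" % raw)
            current.append((key.strip(), value.strip()))
    return sections


def effective_conn(sections, name, _seen=()):
    """Parameters of conn `name` after following also=.  A parameter set in the
    current section wins over the same parameter from an included section, and
    conn %default fills in whatever is still unset."""
    if name in _seen:
        raise ValueError("also= loop through %s" % name)
    result, includes = {}, []
    for key, value in sections[("conn", name)]:
        if key == "also":
            includes.append(value)
        else:
            result.setdefault(key, value)
    for inc in includes:
        for key, value in effective_conn(sections, inc, _seen + (name,)).items():
            result.setdefault(key, value)
    if name != "%default" and ("conn", "%default") in sections:
        for key, value in effective_conn(sections, "%default", _seen + (name,)).items():
            result.setdefault(key, value)
    return result


def subnets_by_family(conn):
    """Address families each side of a resolved conn covers: the check that
    matters here is one conn per family, with both families present overall."""
    fams = {}
    for side in ("leftsubnet", "rightsubnet"):
        subnets = [s for s in conn.get(side, "").split(",") if s]
        fams[side] = sorted({6 if ":" in s else 4 for s in subnets})
    return fams


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_IPSEC_CONF)
    for conn_name in ("mainconn", "ipv6"):
        eff = effective_conn(secs, conn_name)
        print(conn_name, subnets_by_family(eff), "auto=" + eff["auto"],
              "left=" + eff["left"], "keyexchange=" + eff["keyexchange"])
```

Running it shows the ipv6 conn ending up with the peer addresses and proposals of mainconn but IPv6-only subnets and auto=route, while mainconn stays IPv4-only with auto=start, which is the two-conn layout the post recommends.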