Score:0

Ubuntu - IPSec VPN with Dual Stack / Strongswan


I'm trying to set up an IPsec VPN (IKEv1) for our Linux clients, but we need dual stack with IPv4 and IPv6.

The endpoint is a FortiGate firewall with two phase 2 definitions, one for IPv4 and one for IPv6. The setup is as follows:

config vpn ipsec phase1-interface
    edit "VPNRemote"
        set type dynamic
        set interface "port4"
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "VPNRemote_Group"
        set assign-ip-from name
        set ipv4-name "VPNRemote_Network"
        set ipv6-name "VPNRemote_Network"
        set save-password enable
        set client-auto-negotiate enable
        set psksecret
    next
end
config vpn ipsec phase2-interface
    edit "VPNRemote_Network1"
        set phase1name "VPNRemote"
        set proposal aes256-sha256
        set dhgrp 14
    next
    edit "VPNRemote_Network2"
        set phase1name "VPNRemote"
        set proposal aes256-sha256
        set dhgrp 14
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

To connect the VPN from the Linux clients we are using strongSwan. Here I am using the following working config:

conn VPNRemote
  keyexchange = ikev1
  ikelifetime = 86400s
  keylife = 43200s
  aggressive = no
  ike = aes256-sha256-modp2048
  esp = aes256-sha256-modp2048
  xauth = client
  leftsourceip = %config4,%config6
  leftauth = psk
  rightauth = psk
  leftauth2 = xauth
  right = 123.123.123.123
  xauth_identity = muster.tester

conn VPNRemote1
  rightsubnet = 0.0.0.0/0
  also = VPNRemote
  auto = add

conn VPNRemote2
  rightsubnet = ::/0
  also = VPNRemote
  auto = add

With the config above, the phase 2 named VPNRemote1 comes up and is configured with an IPv4 address. But if I try the phase 2 VPNRemote2, there is a timeout.

Here the FortiGate log prints the following:

peer proposal is: peer:0:10.16.2.10-10.16.2.10:0, me:0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0

So strongSwan is proposing the wrong IP type. It should propose IPv6 but is using IPv4 again.

If I swap rightsubnet = 0.0.0.0/0 for rightsubnet = ::/0 in VPNRemote1, the problem is exactly the other way around.

In conclusion, strongSwan should propose an IPv6 address in VPNRemote2, but this is not working.

Is there someone with a running dual-stack IPsec VPN on Ubuntu who could give me a hint?
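The mismatch the FortiGate log line shows (an IPv4 peer selector against an IPv6 local selector) can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not code from the thread, from strongSwan or from Fortinet. It parses the `conn` sections of an ipsec.conf (resolving `also=`), works out which address family each child conn's `rightsubnet` implies and whether `leftsourceip` asks for a virtual IP of that family, and then parses FortiGate `peer proposal is:` lines and flags any proposal whose two traffic selectors are in different families. The embedded ipsec.conf is a trimmed copy of the one above; the first log line is constructed to show a healthy IPv4 proposal, the second is the line quoted above. The log-line layout `side:proto:start-end:port` is an assumption read off that single quoted line, and only the `%config4`/`%config6` forms of `leftsourceip` are interpreted.

```python
"""Added example (not from the thread): check a dual-stack IKEv1 ipsec.conf
against FortiGate 'peer proposal is:' log lines for address-family mismatches."""
import ipaddress

# Constructed input: trimmed copy of the conns from the question.
IPSEC_CONF = """\
conn VPNRemote
  leftsourceip = %config4,%config6
  right = 123.123.123.123
conn VPNRemote1
  rightsubnet = 0.0.0.0/0
  also = VPNRemote
conn VPNRemote2
  rightsubnet = ::/0
  also = VPNRemote
"""

# Constructed sample log: a healthy IPv4 proposal made up for contrast, then the
# line quoted in the question. Layout side:proto:start-end:port is assumed.
FORTIGATE_LOG = [
    "peer proposal is: peer:0:10.16.2.10-10.16.2.10:0, me:0:0.0.0.0-255.255.255.255:0",
    "peer proposal is: peer:0:10.16.2.10-10.16.2.10:0, "
    "me:0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0",
]


def parse_ipsec_conf(text):
    """{conn: settings} with also= templates merged in; the including conn wins."""
    raw, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            raw[current] = {}
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            raw[current][key] = value

    def resolve(name, seen=()):
        if name in seen:
            raise ValueError("circular also= chain at " + name)
        own = dict(raw[name])
        template = own.pop("also", None)
        merged = resolve(template, seen + (name,)) if template else {}
        merged.update(own)
        return merged

    return {name: resolve(name) for name in raw}


def ts_family(selector):
    """IP version (4 or 6) of a CIDR or 'start-end' traffic selector."""
    first = selector.split("-", 1)[0].split("/", 1)[0].strip()
    return ipaddress.ip_address(first).version


def expected_families(conns):
    """Child conns only: name -> (family of rightsubnet, True if leftsourceip
    requests a virtual IP of that family). Only %config4/%config6 are read."""
    out = {}
    for name, s in conns.items():
        if "rightsubnet" not in s:
            continue  # template conn, no phase 2 of its own
        family = ts_family(s["rightsubnet"])
        tokens = {t.strip() for t in s.get("leftsourceip", "").split(",")}
        out[name] = (family, ("%%config%d" % family) in tokens)
    return out


def parse_proposal(line):
    """'peer proposal is: peer:P:A-B:port, me:P:C-D:port' ->
    {'peer': (A, B), 'me': (C, D)} as ip_address objects; None if not such a line."""
    prefix = "peer proposal is: "
    if not line.startswith(prefix):
        return None
    sides = {}
    for chunk in line[len(prefix):].split(", "):
        side, rest = chunk.split(":", 1)
        _proto, rest = rest.split(":", 1)      # leading protocol number
        ts_range, _port = rest.rsplit(":", 1)  # trailing port; IPv6 keeps its colons
        start, end = ts_range.split("-", 1)
        sides[side] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
    return sides


def check_proposal(line):
    """'ok' if both traffic selectors share an address family, else a
    'family-mismatch' string naming them (the symptom in the question)."""
    sides = parse_proposal(line)
    if sides is None:
        return None
    peer_v, me_v = sides["peer"][0].version, sides["me"][0].version
    return "ok" if peer_v == me_v else "family-mismatch (peer IPv%d, me IPv%d)" % (peer_v, me_v)


if __name__ == "__main__":
    for conn, (family, asked) in expected_families(parse_ipsec_conf(IPSEC_CONF)).items():
        print("%s expects IPv%d; leftsourceip requests that family: %s" % (conn, family, asked))
    for entry in FORTIGATE_LOG:
        print(check_proposal(entry))
```

Run it as-is, or point `FORTIGATE_LOG` at lines pulled from `diagnose debug` output on the firewall and `IPSEC_CONF` at the real file: a `family-mismatch` result next to a conn that expects IPv6 pinpoints which phase 2 strongSwan is negotiating with the wrong local selector.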

Does FortiGate not support IKEv2? Not entirely sure if it works with IKEv1, but you could try `leftsourceip = %config4,%config6`.
premar:
At the moment we have to work with IKEv1. But yes, there was a plan to move to IKEv2 at a later stage. Even then we still have to work with two phase 2s, so the problem will still be there. I tried the option `leftsourceip = %config4,%config6` in the main part, but no luck: still only one phase 2 comes up.
exeral:
Have you tried something other than `::/0`, like a full address? There are some IPv6 examples here: https://www.strongswan.org/testing/testresults/ipv6-stroke/net2net-ip6-in-ip4-ikev1/ https://www.strongswan.org/testing/testresults/ipv6-stroke/net2net-ip6-in-ip4-ikev1/moon.ipsec.conf
premar:
Yes, I tried that. Sorry, I forgot to write that above. The FortiGate only allows a range of IPs, which are then handed out to the VPN clients. I tried it with, for example, `rightsubnet = fd3c:61e9:7f85:a187::/64` or `right = fd3c:61e9:7f85:a187::10 - fd3c:61e9:7f85:a187::100`. Same result: the first phase 2 decides the IP version.