Bug #10296

closed

swanctl.conf may need multiple pools to support IPv4 and IPv6

Added by Michael Smith about 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 02/26/2020
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.5.0
Affected Architecture:

Description

In 2.5.0-DEVELOPMENT, after the IPsec swanctl conversion, it looks like the mobile-pool may now need to be split to support both IPv4 and IPv6.

From https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf#pools-section

pools.<name>.addrs
Subnet or range defining addresses allocated in pool. Accepts a single CIDR subnet defining the pool to allocate addresses from or an address range (<from>-<to>). Pools must be unique and non-overlapping.

Configuring 192.168.4.0/24 and 2604:2000:2941:4604::/120 results in the following in /var/etc/ipsec/swanctl.conf

pools {
        mobile-pool {
                addrs = 192.168.4.0/24,2604:2000:2941:4604::/120
                dns = 192.168.10.1
                subnet = 0.0.0.0/0,::/0
                split_include = 0.0.0.0/0,::/0
                # Search domain and default domain
                28674 = "nyc.example.com" 
                28675 = "nyc.example.com" 
        }
}


But it appears that only the first (IPv4) addresses are used in the pool:

$ swanctl --list-pools
mobile-pool          192.168.4.0                         0 / 0 / 254

Logs also show that no pool is found for IPv6:

09[IKE] <con-mobile|1> peer requested virtual IP %any
09[IKE] <con-mobile|1> assigning virtual IP 192.168.4.1 to peer 'msfone.nyc.example.com'
09[IKE] <con-mobile|1> peer requested virtual IP %any6
09[IKE] <con-mobile|1> no virtual IP found for %any6 requested by 'msfone.nyc.example.com'

If however, I temporarily change swanctl.conf to use two separate pools:

pools {
        mobile-pool-ipv4 {
                addrs = 192.168.4.0/24
                dns = 192.168.10.1
                subnet = 0.0.0.0/0
                split_include = 0.0.0.0/0
                # Search domain and default domain
                28674 = "nyc.example.com" 
                28675 = "nyc.example.com" 
        }
        mobile-pool-ipv6 {
                addrs = 2604:2000:2941:4604::/120
                subnet = ::/0
                split_include = ::/0
        }
}

then it appears that pools are created for both:

$ swanctl --list-pools
mobile-pool-ipv4     192.168.4.0                         0 / 0 / 254
mobile-pool-ipv6     2604:2000:2941:4604::               0 / 0 / 254

I'm able to work around it by switching from EAP-TLS to EAP-RADIUS and adding an entry under Additional RADIUS Attributes (REPLY-ITEM) for the user:

Framed-IPv6-Address = 2604:2000:2941:4604::55

and the logs show it working as expected:

14[IKE] <con-mobile|6> peer requested virtual IP %any
14[IKE] <con-mobile|6> assigning virtual IP 192.168.4.55 to peer 'msfone.nyc.example.com'
14[IKE] <con-mobile|6> peer requested virtual IP %any6
14[IKE] <con-mobile|6> assigning virtual IP 2604:2000:2941:4604::55 to peer 'msfone.nyc.example.com'
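As an added example (not pfSense or strongSwan code, and not from the reporter): a small Python script that takes a swanctl.conf pools section in the flat "key = value" layout shown above, splits any pool whose addrs mixes IPv4 and IPv6 into <name>-ipv4 and <name>-ipv6 pools the way the workaround above does, and then checks the result against the "unique and non-overlapping" rule quoted from the strongSwan wiki. The generated pool names, the choice to keep non-address attributes (the 28674/28675 search-domain attributes) on the IPv4 pool as in the report, and the sample input are assumptions; the parser covers only the syntax that appears on this page.

```python
import ipaddress

# Keys whose values are addresses or prefixes and so must be sorted by family.
# Other keys (e.g. the numeric attribute types 28674/28675 used above for the
# search domain) are not family-specific. Assumed set, not from strongSwan.
ADDRESS_KEYS = {"addrs", "dns", "nbns", "subnet", "split_include", "split_exclude"}

# Constructed input: the single mixed pool from the report.
SAMPLE_CONF = """\
pools {
        mobile-pool {
                addrs = 192.168.4.0/24,2604:2000:2941:4604::/120
                dns = 192.168.10.1
                subnet = 0.0.0.0/0,::/0
                split_include = 0.0.0.0/0,::/0
                # Search domain and default domain
                28674 = "nyc.example.com"
                28675 = "nyc.example.com"
        }
}
"""


def parse_pools(text):
    """Return {pool_name: [(key, value), ...]} for a 'pools { ... }' section.
    Handles only the flat 'name { key = value }' layout shown in the report;
    comments are dropped and include/reference syntax is not supported."""
    pools, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            depth += 1
            if depth == 2:                      # a pool inside pools { }
                current = line[:-1].strip()
                pools[current] = []
        elif line == "}":
            depth -= 1
            if depth < 2:
                current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            pools[current].append((key, value))
    return pools


def addr_networks(value):
    """Expand a comma list of CIDRs, bare addresses or <from>-<to> ranges
    into ipaddress network objects."""
    nets = []
    for item in (s.strip() for s in value.split(",")):
        if not item:
            continue
        if "-" in item:                          # <from>-<to> range form
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def family(item):
    """4 or 6 for a single address, CIDR or range."""
    return addr_networks(item)[0].version


def split_pool(name, attrs):
    """Return [(pool_name, attrs), ...] with one pool per address family.
    Single-family pools come back unchanged. For mixed pools the ADDRESS_KEYS
    values are distributed by family; every other key stays with the first
    family's pool, mirroring the workaround in the report."""
    addrs = next((v for k, v in attrs if k == "addrs"), "")
    families = sorted({n.version for n in addr_networks(addrs)})
    if len(families) <= 1:
        return [(name, attrs)]
    out = {f: [] for f in families}
    for key, value in attrs:
        if key not in ADDRESS_KEYS:
            out[families[0]].append((key, value))
            continue
        by_family = {}
        for item in (s.strip() for s in value.split(",") if s.strip()):
            by_family.setdefault(family(item), []).append(item)
        for f, items in by_family.items():
            out[f].append((key, ",".join(items)))
    return [(f"{name}-ipv{f}", out[f]) for f in families]


def render_pools(pools):
    """Serialize [(name, attrs), ...] back to a pools { } section."""
    lines = ["pools {"]
    for name, attrs in pools:
        lines.append(f"        {name} {{")
        lines.extend(f"                {k} = {v}" for k, v in attrs)
        lines.append("        }")
    lines.append("}")
    return "\n".join(lines) + "\n"


def overlapping_pools(pools):
    """Pairs of pool names whose addrs overlap within the same family
    (the wiki text quoted above requires pools to be non-overlapping)."""
    nets = {n: [x for k, v in a if k == "addrs" for x in addr_networks(v)]
            for n, a in pools}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if any(x.version == y.version and x.overlaps(y)
                   for x in nets[a] for y in nets[b])]


def split_conf(text):
    """Rewrite a pools section so every pool holds one address family."""
    pools = [p for name, attrs in parse_pools(text).items()
             for p in split_pool(name, attrs)]
    clashes = overlapping_pools(pools)
    if clashes:
        raise ValueError(f"overlapping pools: {clashes}")
    return render_pools(pools)


if __name__ == "__main__":
    print(split_conf(SAMPLE_CONF))
```

Run against SAMPLE_CONF it emits the two-pool layout from the workaround (mobile-pool-ipv4 with addrs, dns, subnet, split_include and the two search-domain attributes; mobile-pool-ipv6 with the IPv6 addrs, subnet and split_include). The overlap check matters once the pools are split by hand: swanctl --list-pools only shows what loaded, so a second pool that overlaps an existing one is easier to catch before the file is installed than from the running daemon.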