Feature #2757

Android strongSwan over IPv6

Added by Yang Zhaofeng about 2 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: android
Target version: -
Start date: 12.09.2018
Due date:
Estimated time:
Resolution: Duplicate

Description

I use strongSwan 5.5.3 on Linux 4.9.0-8-amd64 x86_64 as the server. I connected to the VPN on Windows and found that it supports connecting over IPv6. However, the Android client supports IPv4 only. It seems that the content of IPv6 in 1.3.0 changelog (2013-07-08) is now outdated. Can you add the IPv6 tunneling back?


Related issues

Has duplicate Feature #892: Android client and ipv6 gateway | Feedback | 15.03.2015

History

#1 Updated by Tobias Brunner about 2 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

> It seems that the content of IPv6 in 1.3.0 changelog (2013-07-08) is now outdated.

Why would you think so?

#2 Updated by Tobias Brunner about 2 years ago

  • Has duplicate Feature #892: Android client and ipv6 gateway added

#3 Updated by Yang Zhaofeng about 2 years ago

Tobias Brunner wrote:

> > It seems that the content of IPv6 in 1.3.0 changelog (2013-07-08) is now outdated.
>
> Why would you think so?

Because I have successfully tested IPv6 UDP encapsulation of ESP between Windows and Linux.

Or do you mean the Android Linux kernel does not support this? But as far as I know, the strongSwan Android client runs in user mode and calls the Android TUN API to set the VPN up. It should have nothing to do with the kernel.

The logs of the session follow:

```
16[NET] received packet: from 2001:da8:d800:149:2247:47ff:fee6:4991[500] to 2001:da8:d800:95::82[500] (1152 bytes)
16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
16[IKE] received MS-Negotiation Discovery Capable vendor ID
16[IKE] received Vid-Initial-Contact vendor ID
16[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
16[IKE] 2001:da8:d800:149:2247:47ff:fee6:4991 is initiating an IKE_SA
16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
16[NET] sending packet: from 2001:da8:d800:95::82[500] to 2001:da8:d800:149:2247:47ff:fee6:4991[500] (320 bytes)
13[NET] received packet: from 2001:da8:d800:149:2247:47ff:fee6:4991[4500] to 2001:da8:d800:95::82[4500] (1248 bytes)
13[ENC] parsed IKE_AUTH request 1 [ EF ]
13[ENC] received fragment #1 of 2, waiting for complete IKE message
13[NET] received packet: from 2001:da8:d800:149:2247:47ff:fee6:4991[4500] to 2001:da8:d800:95::82[4500] (768 bytes)
13[ENC] parsed IKE_AUTH request 1 [ EF ]
13[ENC] received fragment #2 of 2, reassembling fragmented IKE message
13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ SA TSi TSr ]
13[IKE] received 71 cert requests for an unknown ca
13[CFG] looking for peer configs matching 2001:da8:d800:95::82[%any]...2001:da8:d800:149:2247:47ff:fee6:4991[2001:da8:d800:149:2247:47ff:fee6:4991]
13[CFG] selected peer config 'radius-eap'
13[IKE] initiating EAP_IDENTITY method (id 0x00)
13[IKE] peer supports MOBIKE
13[IKE] authentication of 'CN=vpn.lug.ustc.edu.cn' (myself) with RSA signature successful
13[IKE] sending end entity cert "CN=vpn.lug.ustc.edu.cn"
13[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
13[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
13[ENC] splitting IKE message with length of 3132 bytes into 3 fragments
13[ENC] generating IKE_AUTH response 1 [ EF ]
13[ENC] generating IKE_AUTH response 1 [ EF ]
13[ENC] generating IKE_AUTH response 1 [ EF ]
13[NET] sending packet: from 2001:da8:d800:95::82[4500] to 2001:da8:d800:149:2247:47ff:fee6:4991[4500] (1216 bytes)
13[NET] sending packet: from 2001:da8:d800:95::82[4500] to 2001:da8:d800:149:2247:47ff:fee6:4991[4500] (1216 bytes)
13[NET] sending packet: from 2001:da8:d800:95::82[4500] to 2001:da8:d800:149:2247:47ff:fee6:4991[4500] (848 bytes)
06[NET] received packet: from 2001:da8:d800:149:2247:47ff:fee6:4991[4500] to 2001:da8:d800:95::82[4500] (108 bytes)
06[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
06[IKE] received EAP identity ''
06[CFG] sending RADIUS Access-Request to server 'local'
06[CFG] received RADIUS Access-Challenge from server 'local'
06[IKE] initiating EAP_MD5 method (id 0x01)
06[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MD5 ]
06[NET] sending packet: from 2001:da8:d800:95::82[4500] to 2001:da8:d800:149:2247:47ff:fee6:4991[4500] (92 bytes)
10[NET] received packet: from 2001:da8:d800:149:2247:47ff:fee6:4991[4500] to 2001:da8:d800:95::82[4500] (76 bytes)
10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
10[CFG] sending RADIUS Access-Request to server 'local'
10[CFG] received RADIUS Access-Challenge from server 'local'
10[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
10[NET] sending packet: from 2001:da8:d800:95::82[4500] to 2001:da8:d800:149:2247:47ff:fee6:4991[4500] (108 bytes)
08[NET] received packet: from 2001:da8:d800:149:2247:47ff:fee6:4991[4500] to 2001:da8:d800:95::82[4500] (156 bytes)
08[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
08[CFG] sending RADIUS Access-Request to server 'local'
08[CFG] received RADIUS Access-Challenge from server 'local'
08[ENC] generating IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
08[NET] sending packet: from 2001:da8:d800:95::82[4500] to 2001:da8:d800:149:2247:47ff:fee6:4991[4500] (124 bytes)
07[NET] received packet: from 2001:da8:d800:149:2247:47ff:fee6:4991[4500] to 2001:da8:d800:95::82[4500] (76 bytes)
07[ENC] parsed IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
07[CFG] sending RADIUS Access-Request to server 'local'
07[CFG] received RADIUS Access-Accept from server 'local'
07[IKE] received AUTH_LIFETIME of 30445463s, scheduling reauthentication in 30445463s
07[IKE] RADIUS authentication of '' successful
07[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
07[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ]
07[NET] sending packet: from 2001:da8:d800:95::82[4500] to 2001:da8:d800:149:2247:47ff:fee6:4991[4500] (76 bytes)
12[NET] received packet: from 2001:da8:d800:149:2247:47ff:fee6:4991[4500] to 2001:da8:d800:95::82[4500] (92 bytes)
12[ENC] parsed IKE_AUTH request 6 [ AUTH ]
12[IKE] authentication of '2001:da8:d800:149:2247:47ff:fee6:4991' with EAP successful
12[IKE] authentication of 'CN=vpn.lug.ustc.edu.cn' (myself) with EAP
12[IKE] IKE_SA radius-eap[1051] established between 2001:da8:d800:95::82[CN=vpn.lug.ustc.edu.cn]...2001:da8:d800:149:2247:47ff:fee6:4991[2001:da8:d800:149:2247:47ff:fee6:4991]

```

#4 Updated by Tobias Brunner about 2 years ago

> Because I have successfully tested IPv6 UDP encapsulation of ESP between Windows and Linux.

I very much doubt that. What makes you think any UDP encapsulation is involved? Neither of your peers is behind a NAT.

> Or do you mean the Android Linux kernel does not support this?

No Linux kernel does.

#5 Updated by Yang Zhaofeng about 2 years ago

Tobias Brunner wrote:

> > Because I have successfully tested IPv6 UDP encapsulation of ESP between Windows and Linux.
>
> I very much doubt that. What makes you think any UDP encapsulation is involved? Neither of your peers is behind a NAT.
>
> > Or do you mean the Android Linux kernel does not support this?
>
> No Linux kernel does.

I am sorry. I set up an environment with NAT66 and found that Windows is unable to connect over IPv6. The previous connection should be using raw ESP.
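
The NAT detection behind the `N(NATD_S_IP)` payloads in the log above, as an added example that is not part of the original thread or of strongSwan's code: per RFC 7296 section 2.23 each peer sends a SHA-1 digest over the SPIs, its IP address and port, and the receiver recomputes it from the packet headers. It models only the source-address check; the client address comes from the log, while the SPI and the NAT66-translated address are constructed values.

```python
import hashlib
import ipaddress
import struct

# Client address as seen in the log above; SPI and translated address are constructed.
CLIENT = ("2001:da8:d800:149:2247:47ff:fee6:4991", 500)
NAT66_TRANSLATED = ("2001:db8::1", 500)   # documentation prefix, hypothetical NAT66 output
SPI_I = bytes.fromhex("0102030405060708")  # constructed initiator SPI
SPI_R = bytes(8)                           # responder SPI is zero in the first IKE_SA_INIT


def natd_hash(spi_i: bytes, spi_r: bytes, addr: str, port: int) -> bytes:
    """RFC 7296 section 2.23: SHA-1(SPIi | SPIr | IP address | port)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    ip = ipaddress.ip_address(addr).packed  # 4 octets for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + ip + struct.pack("!H", port)).digest()


def nat_detected(spi_i: bytes, spi_r: bytes, claimed: tuple, observed: tuple) -> bool:
    """Compare the sender's NATD_S_IP payload with the receiver's recomputation.

    claimed  = (addr, port) the sender believes it is sending from
    observed = (addr, port) found in the IP/UDP headers on arrival
    """
    payload = natd_hash(spi_i, spi_r, *claimed)
    recomputed = natd_hash(spi_i, spi_r, *observed)
    return payload != recomputed


def esp_transport(spi_i: bytes, spi_r: bytes, claimed: tuple, observed: tuple) -> str:
    """UDP encapsulation of ESP is only needed when the digests differ."""
    if nat_detected(spi_i, spi_r, claimed, observed):
        return "ESP-in-UDP"
    return "raw ESP"


if __name__ == "__main__":
    # Direct path, as in the logged session: digests match.
    print(esp_transport(SPI_I, SPI_R, CLIENT, CLIENT))
    # Path through NAT66: the source address was rewritten in transit.
    print(esp_transport(SPI_I, SPI_R, CLIENT, NAT66_TRANSLATED))
```

The move to port 4500 in the `IKE_AUTH` lines does not by itself indicate encapsulated ESP: RFC 7296 allows an initiator to use port 4500 for IKE whether or not a NAT is present.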
