Issue #3432

Strongswan and Fortigate IPv6 over IPv4

Added by Daniel Sugondo 2 months ago. Updated about 2 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: ikev1
Affected version: 5.7.2
Resolution: -
Description

Hi all,

maybe somebody can help me to solve the issue. I tested this with Strongswan version 5.7.2, as Debian Buster
offers it, and with the backported version 5.8.2 from Debian Testing too.

I am trying to connect with strongswan as a road warrior to a fortigate, with cisco unity enabled:
- IPv4 works without any issues. I got the address 1.2.15.232/32
- IPv6 over the IPv4 tunnel doesn't work properly. I got the address 2001:1:101d:8002::/128

In my case, I got an IPv6 address, but there is no route assigned for IPv6, as there is for IPv4 in table 220;
please see attachment routing_table.txt

On the responder (fortigate) I don't see whether the phase 2 for IPv6 is ever responded to there. Therefore the
route isn't pushed to the initiator (strongswan).
Please see attachment 20200429_diag_deb_app_ike_-1_Debian10Client.txt

Just as info: with Forticlient for Windows, I get the IPv6 address and the IPv6 routes, and the VPN also works
properly. Please see attachment windows_ipsec.txt

The question: can you please give me a hint? Maybe I overlooked something; how can I get IPv6 to run?

N.B.: If you need the log of the responder side for forticlient, please tell me, because I don't have Windows
at the moment and would have to organize it first.

Thank you for your help.

Attachments:
- 20200429_strongswan.log (23.6 KB): Initiator log (Daniel Sugondo, 30.04.2020 10:19)
- 20200429_swanctl.conf (861 Bytes): Initiator config (Daniel Sugondo, 30.04.2020 10:19)
- 20200429_fortigate.cfg (1.62 KB): Responder config (Daniel Sugondo, 30.04.2020 10:19)
- routing_table.txt (3.98 KB): Routing table initiator (Daniel Sugondo, 30.04.2020 10:19)
- windows_ipsec.txt (14.6 KB): Conserved info on Windows 10 as initiator (Forticlient) (Daniel Sugondo, 30.04.2020 10:19)
- 20200429_diag_deb_app_ike_-1_Debian10Client.txt (87.1 KB): Responder log (Daniel Sugondo, 30.04.2020 10:19)
- 20200505_routing_table.txt (2.66 KB): Routing table on initiator (Daniel Sugondo, 06.05.2020 08:55)
- 20200505_strongswan.log (6.44 KB): Initiator log (Daniel Sugondo, 06.05.2020 08:55)
- 20200505_diag_deb_app_ike_-1_Debian10Client.txt (58.2 KB): Responder log (Daniel Sugondo, 06.05.2020 08:55)
- split-tunnel-ikev2.txt (3.18 KB): Responder and Initiator Configuration/Outputs (Daniel Sugondo, 20.05.2020 18:45)

History

#1 Updated by Tobias Brunner 2 months ago

  • Category changed from swanctl to ikev1
  • Status changed from New to Feedback

The unity plugin has no support for IPv6, and I don't think our IKEv1 implementation supports multiple virtual IPs (since only one traffic selector can be negotiated per CHILD_SA unless the proprietary Unity extension is used). Just stop using IKEv1.

#2 Updated by Daniel Sugondo 2 months ago

Did you mean that IKEv2 would solve this problem, because no unity support is needed for IKEv2?

#3 Updated by Tobias Brunner 2 months ago

Did you mean, ikev2 would solve this problem

I guess that depends on how well Fortigate supports IKEv2. But the protocol supports multiple traffic selectors (subnets) and virtual IPs out of the box.
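To make the point of #1 and #3 concrete, here is an added example of a swanctl.conf for an IKEv2 road-warrior client that requests one IPv4 and one IPv6 virtual IP in a single connection, which is exactly what the IKEv1 unity path cannot do. It is not the reporter's attached config and not part of the strongSwan project; the responder address vpn.example.com, the EAP identity and secret, the EAP method (eap-mschapv2) and the proposals are assumptions that have to be matched to the actual responder.

```conf
# Added example (not from this issue or the strongSwan project): swanctl.conf for an
# IKEv2 road-warrior client that asks for both an IPv4 and an IPv6 virtual IP.
# Assumed values: vpn.example.com, the EAP identity/secret, the EAP method, the proposals.
connections {
    fgt-rw {
        version = 2                        # IKEv2: multiple TS and virtual IPs are native,
                                           # no Cisco Unity extension needed
        remote_addrs = vpn.example.com     # assumed responder address
        vips = 0.0.0.0, ::                 # request one IPv4 and one IPv6 virtual IP
        proposals = aes256-sha256-modp2048 # assumed; must match the responder's IKE proposal

        local {
            auth = eap-mschapv2            # assumed EAP method offered by the responder
            eap_id = alice                 # assumed EAP identity
        }
        remote {
            auth = pubkey
            id = vpn.example.com           # assumed responder identity, checked against its cert
        }

        children {
            rw {
                # local_ts defaults to "dynamic", i.e. the assigned virtual IPs.
                # Offer everything; the responder narrows the selectors to the
                # networks it actually tunnels (split tunnelling), and strongSwan
                # installs the narrowed routes for both address families in table 220.
                remote_ts = 0.0.0.0/0, ::/0
                esp_proposals = aes256-sha256  # assumed; must match the responder's phase 2
            }
        }
    }
}

secrets {
    eap-alice {
        id = alice
        secret = "replace-me"              # placeholder, not a real credential
    }
}
```

The responder's CA certificate goes into /etc/swanctl/x509ca/ so that `auth = pubkey` can verify it. After `swanctl --load-all` and `swanctl --initiate --child rw`, `swanctl --list-sas` should show both virtual IPs and the narrowed selectors, and `ip -6 route show table 220` should now list the IPv6 routes that were missing with IKEv1.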

#4 Updated by Daniel Sugondo 2 months ago

OK, I'll give it a test.

Thank you!

#5 Updated by Daniel Sugondo 2 months ago

Hi,

just want to give some feedback.

Fortigate (FortiOS 6.2.3) and IKEv2: it works with some limitations. IPv4 and IPv6 addresses are assigned automatically, like with IKEv1.
The limitations:
1. At the moment I don't get the split route information from the responder; I have to set up the split routes on the initiator side.
Btw. with Forticlient on Windows I don't get the IPv6 information; the IPv4 address and split route information were assigned.
2. I have to search for further information about EAP authentication and how it should be set up.

#6 Updated by Daniel Sugondo about 2 months ago

Hi,

just want to give a little update.

The problem with split tunneling is solved now. See attachment split-tunnel-ikev2.txt.
Not solved yet is the EAP auth.
