Issue #880
Windows port - "installing virtual ip [ipv6] failed"
Description
Hi
I have cross-compiled the Windows port and I am trying to get it to work on Windows 8.1.
Some patches have been made to disable some constraints checking, but I am hoping they are not relevant.
(The same codebase and config, but configured and compiled for CentOS 7, works like a charm.)
I am almost home free, but stuck on the last part.
Some information below has been obfuscated to protect the innocent:
[IKE] IKE_SA 5734 established between 192.168.0.100[prefixfoo@bar.com]...66.77.34.3[mybogusfqdn.tld]
[IKE] scheduling rekeying in 1159s
[IKE] scheduling reauthentication in 3493s
[IKE] maximum IKE_SA lifetime 1519s
[IKE] installing new virtual IP 2001:1938:e00b:5c00:cc66:afda:591b:ea1c
[IKE] installing virtual IP 2001:1938:e00b:5c00:cc66:afda:591b:ea1c failed
[IKE] no acceptable traffic selectors found
[IKE] failed to establish CHILD_SA, keeping IKE_SA
[IKE] sending DELETE for ESP CHILD_SA with SPI c120a228
swanctl.conf:
connections {
    573 {
        local_addrs = %any
        remote_addrs = mybogusfqdn.tld
        vips = ::
        local {
            auth = eap
            id = prefixfoo@bar.com
            eap_id = "/C=country/ST=state/L=location/O=organization/OU=org unit/CN=foo@bar.com"
            aaa_id = "/C=country/L=location/O=organization/CN=aaa.mybogusfqdn.tld"
        }
        remote {
            auth = eap-tls
            id = foo.baz
        }
        children {
            573 {
                rekey_time = 10m
                esp_proposals = aes128-modp2048
            }
        }
        version = 2
        reauth_time = 60m
        rekey_time = 20m
        proposals = aes128-sha1-modp2048
        mobike = no
    }
}
charon-svc.exe:
00[DMN] Starting IKE service charon-svc (strongSwan 5.2.2-patched, Windows Client 6.2.9200 (SP 0.0)
00[LIB] plugin 'nonce': loaded successfully
00[LIB] plugin 'x509': loaded successfully
00[LIB] plugin 'pubkey': loaded successfully
00[LIB] plugin 'pkcs1': loaded successfully
00[LIB] plugin 'pem': loaded successfully
00[LIB] plugin 'openssl': loaded successfully
00[LIB] plugin 'kernel-wfp': loaded successfully
00[LIB] plugin 'kernel-iph': loaded successfully
00[LIB] plugin 'socket-win': loaded successfully
00[LIB] plugin 'vici': loaded successfully
00[LIB] plugin 'eap-tls': loaded successfully
00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
00[LIB] feature CERT_DECODE:PGP in plugin 'pem' has unmet dependency: CERT_DECODE:PGP
00[LIB] feature CERT_DECODE:X509_OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:X509_OCSP_REQUEST
00[LIB] loaded plugins: charon-svc nonce x509 pubkey pkcs1 pem openssl kernel-wfp kernel-iph socket-win vici eap-tls
00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
00[JOB] spawning 16 worker threads
I am not very good with Windows, let me know if I can capture any OS logs that are needed or if more strongSwan logs are needed.
Thank you for the effort and this excellent piece of software!
History
#1 Updated by Martin Willi over 10 years ago
Hi,
> [IKE] installing new virtual IP 2001:1938:e00b:5c00:cc66:afda:591b:ea1c
> [IKE] installing virtual IP 2001:1938:e00b:5c00:cc66:afda:591b:ea1c failed
As documented on the kernel-iph wiki page, unfortunately installing virtual IPs is not yet supported on the Windows platform. This is non-trivial to implement, and we have no immediate plans of doing so.
Regards
Martin
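Added example (not part of the original thread and not strongSwan code): a small triage script that ties the failure signature in the log above to its cause, by pairing each failed virtual IP install with the CHILD_SA failure that follows and noting whether kernel-iph was loaded, and that lists the vips requested in a swanctl.conf. The function names diagnose and requested_vips are hypothetical, and the sample input is constructed from the lines quoted in this issue.

```python
import re

# Constructed sample input, assembled from log and config lines quoted in this issue.
SAMPLE_LOG = """\
00[LIB] loaded plugins: charon-svc nonce x509 pubkey pkcs1 pem openssl kernel-wfp kernel-iph socket-win vici eap-tls
[IKE] IKE_SA 5734 established between 192.168.0.100[prefixfoo@bar.com]...66.77.34.3[mybogusfqdn.tld]
[IKE] installing new virtual IP 2001:1938:e00b:5c00:cc66:afda:591b:ea1c
[IKE] installing virtual IP 2001:1938:e00b:5c00:cc66:afda:591b:ea1c failed
[IKE] no acceptable traffic selectors found
[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""
SAMPLE_CONF = "connections {\n  573 {\n    vips = ::\n    mobike = no\n  }\n}\n"

PLUGINS_RE = re.compile(r"\[LIB\] loaded plugins: (.+)$")
VIP_FAIL_RE = re.compile(r"\[IKE\] installing virtual IP (\S+) failed$")
VIPS_RE = re.compile(r"^\s*vips\s*=\s*(.+?)\s*$", re.MULTILINE)

def requested_vips(conf_text):
    """Return every virtual IP request (vips = ...) found in a swanctl.conf."""
    return [v.strip() for m in VIPS_RE.finditer(conf_text)
            for v in m.group(1).split(",")]

def diagnose(log_text):
    """Pair each failed virtual IP install with the CHILD_SA failure after it."""
    plugins, pending, findings = set(), None, []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := PLUGINS_RE.search(line):
            plugins = set(m.group(1).split())
        elif m := VIP_FAIL_RE.search(line):
            pending = m.group(1)
        elif "[IKE] IKE_SA" in line and " established " in line:
            pending = None  # a new IKE_SA starts; drop any stale failure
        elif pending and "failed to establish CHILD_SA" in line:
            # kernel_iph=True points at the limitation described in the reply above
            findings.append({"vip": pending,
                             "kernel_iph": "kernel-iph" in plugins})
            pending = None
    return findings

if __name__ == "__main__":
    print("requested vips:", requested_vips(SAMPLE_CONF))
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```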
#2 Updated by Martin Willi over 10 years ago
- Is duplicate of Feature #641: kernel-iph virtual IP support and IKE routing lookups ignoring IPsec routes added
#3 Updated by Anders Svensson over 10 years ago
Thanks for the response Martin!
Sorry about that, I should have read and understood the wiki.
There is no way it is possible to make a hack and add the vip with a netsh.exe-command or similar?
#4 Updated by Martin Willi over 10 years ago
> There is no way it is possible to make a hack and add the vip with a netsh.exe-command or similar?
No, unfortunately not. The problem is more complex, installing the IP is the trivial part.
You may have a look at the win-vip branch for some experiments I did, and what the difficulties are. Most likely we need some kind of virtual IPsec interface to make this work.
Regards
Martin
#5 Updated by Martin Willi over 10 years ago
- Status changed from New to Closed
- Assignee set to Martin Willi
- Resolution set to Duplicate
I'm closing this issue for now, as it is actually a duplicate of #641.
#6 Updated by Anders Svensson over 10 years ago
Thank you Martin!
Let me know if I can help with any testing or such in the future.