Bug #1905565 “IPv6 over IPv4 IPSec tunnel communication error” : Bugs : network-manager-strongswan package : Ubuntu

Revision history for this message

Tobias Brunner (tobias-strongswan) wrote on 2020-11-25:

#1

That error doesn't seem related (looks more like something the bypass-lan plugin would log). So please post the complete log.

Also, your manual config creates two CHILD_SAs, one for each family. That's not how the NM plugin operates. It assumes the responder is able to narrow the traffic selectors of a single CHILD_SA appropriately (it proposes 0.0.0.0/0 AND ::/0 as remote traffic selectors). If the device you connect to is unable to do that and requires two CHILD_SAs, you won't be able to use both address families with the NM plugin.

Revision history for this message

Thomas Knobbe (yoloknight) wrote on 2020-11-30:

#2

Download full text (14.6 KiB)

Hi Tobias,

sorry for the late replay we ask Fortigate about this topic. (the exchange with Fortigate is ongoing)

Here the log:

XXXXX@XXXXXX-ThinkPad-T500:~$ journalctl -f
-- Logs begin at Tue 2020-11-10 16:41:50 CET. --
Nov 20 14:31:40 XXXXXX-ThinkPad-T500 systemd[1383]: Started Tracker metadata extractor.
Nov 20 14:31:50 XXXXXX-ThinkPad-T500 systemd[1383]: tracker-extract.service: Succeed.
Nov 20 14:31:52 XXXXXX-ThinkPad-T500 dbus-daemon[1397]: [session uid=1000 pid=1397] Activating service name='org.gnome.gedit' requested by ':1.176' (uid=1000 pid=72296 XXXm="/usr/bin/nautilus --gapplication-service " label="unconfined")
Nov 20 14:31:52 XXXXXX-ThinkPad-T500 dbus-daemon[1397]: [session uid=1000 pid=1397] Successfully activated service 'org.gnome.gedit'
Nov 20 14:31:56 XXXXXX-ThinkPad-T500 dbus-daemon[1397]: [session uid=1000 pid=1397] Activating via systemd: service name='org.freeXXsktop.Tracker1.Miner.Extract' unit='tracker-extract.service' requested by ':1.1' (uid=1000 pid=1394 XXXm="/usr/libexec/tracker-miner-fs " label="unconfined")
Nov 20 14:31:56 XXXXXX-ThinkPad-T500 systemd[1383]: Starting Tracker metadata extractor...
Nov 20 14:31:56 XXXXXX-ThinkPad-T500 tracker-extract[72449]: Set scheduler policy to SCHED_IDLE
Nov 20 14:31:56 XXXXXX-ThinkPad-T500 tracker-extract[72449]: Setting priority nice level to 19
Nov 20 14:31:56 XXXXXX-ThinkPad-T500 dbus-daemon[1397]: [session uid=1000 pid=1397] Successfully activated service 'org.freeXXsktop.Tracker1.Miner.Extract'
Nov 20 14:31:56 XXXXXX-ThinkPad-T500 systemd[1383]: Started Tracker metadata extractor.
Nov 20 14:32:06 XXXXXX-ThinkPad-T500 systemd[1383]: tracker-extract.service: Succeed.
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info> [1605879130.5454] audit: op="connection-activate" uuid="24fa5f62-b070-48c9-99f1-40db15d466a9" name="VPN 1" pid=2587 uid=1000 result="success"
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info> [1605879130.5558] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Saw the service appear; activating connection
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info> [1605879130.5937] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: VPN connection: (ConnectInteractive) reply received
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 charon-nm[2427]: 05[CFG] received initiate for NetworkManager connection VPN 1
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 charon-nm[2427]: 05[CFG] using gateway certificate, iXXntity 'C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXX_Server_v2, <email address hidden>'
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 charon-nm[2427]: 05[IKE] initiating IKE_SA VPN 1[3] to X.X.79.8
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 charon-nm[2427]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 charon-nm[2427]: 05[NET] sending packet: from X.X.43.5[34693] to X.X.79.8[500] (768 bytes)
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info> [1605879130.6137] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: VPN plugin: stat...

Hi Tobias,

sorry for the late replay we ask Fortigate about this topic. (the exchange with Fortigate is ongoing)

Here the log:

XXXXX@XXXXXX-ThinkPad-T500:~$ journalctl -f
-- Logs begin at Tue 2020-11-10 16:41:50 CET. --
Nov 20 14:31:40 XXXXXX-ThinkPad-T500 systemd[1383]: Started Tracker metadata extractor.
Nov 20 14:31:50 XXXXXX-ThinkPad-T500 systemd[1383]: tracker-extract.service: Succeed.
Nov 20 14:31:52 XXXXXX-ThinkPad-T500 dbus-daemon[1397]: [session uid=1000 pid=1397] Activating service name='org.gnome.gedit' requested by ':1.176' (uid=1000 pid=72296 XXXm="/usr/bin/nautilus --gapplication-service " label="unconfined")
Nov 20 14:31:52 XXXXXX-ThinkPad-T500 dbus-daemon[1397]: [session uid=1000 pid=1397] Successfully activated service 'org.gnome.gedit'
Nov 20 14:31:56 XXXXXX-ThinkPad-T500 dbus-daemon[1397]: [session uid=1000 pid=1397] Activating via systemd: service name='org.freeXXsktop.Tracker1.Miner.Extract' unit='tracker-extract.service' requested by ':1.1' (uid=1000 pid=1394 XXXm="/usr/libexec/tracker-miner-fs " label="unconfined")
Nov 20 14:31:56 XXXXXX-ThinkPad-T500 systemd[1383]: Starting Tracker metadata extractor...
Nov 20 14:31:56 XXXXXX-ThinkPad-T500 tracker-extract[72449]: Set scheduler policy to SCHED_IDLE
Nov 20 14:31:56 XXXXXX-ThinkPad-T500 tracker-extract[72449]: Setting priority nice level to 19
Nov 20 14:31:56 XXXXXX-ThinkPad-T500 dbus-daemon[1397]: [session uid=1000 pid=1397] Successfully activated service 'org.freeXXsktop.Tracker1.Miner.Extract'
Nov 20 14:31:56 XXXXXX-ThinkPad-T500 systemd[1383]: Started Tracker metadata extractor.
Nov 20 14:32:06 XXXXXX-ThinkPad-T500 systemd[1383]: tracker-extract.service: Succeed.
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879130.5454] audit: op="connection-activate" uuid="24fa5f62-b070-48c9-99f1-40db15d466a9" name="VPN 1" pid=2587 uid=1000 result="success"
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879130.5558] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Saw the service appear; activating connection
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879130.5937] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: VPN connection: (ConnectInteractive) reply received
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 charon-nm[2427]: 05[CFG] received initiate for NetworkManager connection VPN 1
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 charon-nm[2427]: 05[CFG] using gateway certificate, iXXntity 'C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXX_Server_v2, E=XXXXXXX.XXXXXXX@XXXXXXX.XXX'
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 charon-nm[2427]: 05[IKE] initiating IKE_SA VPN 1[3] to X.X.79.8
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 charon-nm[2427]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 charon-nm[2427]: 05[NET] sending packet: from X.X.43.5[34693] to X.X.79.8[500] (768 bytes)
Nov 20 14:32:10 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879130.6137] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: VPN plugin: state changed: starting (3)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 11[NET] received packet: from X.X.79.8[500] to X.X.43.5[34693] (38 bytes)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 11[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 11[IKE] initiating IKE_SA VPN 1[3] to X.X.79.8
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 11[NET] sending packet: from X.X.43.5[34693] to X.X.79.8[500] (960 bytes)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[NET] received packet: from X.X.79.8[500] to X.X.43.5[34693] (449 bytes)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) ]
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[IKE] local host is behind NAT, sending keep alives
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[IKE] received cert request for "C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXX_Server_v2, E=XXXXXXX.XXXXXXX@XXXXXXX.XXX"
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[IKE] authentication of 'C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXX_Client_v2, E=XXXXXXX.XXXXXXX@XXXXXXX.XXX' (myself) with RSA signature successful
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[IKE] sending end entity cert "C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXX_Client_v2, E=XXXXXXX.XXXXXXX@XXXXXXX.XXX"
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[IKE] establishing CHILD_SA VPN 1{3}
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR ADDR6 DNS NBNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[ENC] splitting IKE message (2064 bytes) into 2 fragments
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[NET] sending packet: from X.X.43.5[52640] to X.X.79.8[4500] (1236 bytes)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 07[NET] sending packet: from X.X.43.5[52640] to X.X.79.8[4500] (916 bytes)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 13[NET] received packet: from X.X.79.8[4500] to X.X.43.5[52640] (1124 bytes)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 13[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 13[ENC] received fragment #1 of 3, waiting for complete IKE message
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 10[NET] received packet: from X.X.79.8[4500] to X.X.43.5[52640] (1124 bytes)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 10[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 10[ENC] received fragment #2 of 3, waiting for complete IKE message
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[NET] received packet: from X.X.79.8[4500] to X.X.43.5[52640] (740 bytes)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2848 bytes)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH CPRP(ADDR ADDR6) N(MSG_ID_SYN_SUP) SA TSi TSr ]
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[IKE] received end entity cert "C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXX_Server_v2, E=XXXXXXX.XXXXXXX@XXXXXXX.XXX"
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[IKE] received issuer cert "C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXXX_CA, E=XXXXXXX.XXXXXXX@XXXXXXX.XXX, CN=XXXXXXXX_CA"
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[CFG]   using untrusted intermediate certificate "C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXXX_CA, E=XXXXXXX.XXXXXXX@XXXXXXX.XXX, CN=XXXXXXXX_CA"
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[CFG] checking certificate status of "C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXX_Server_v2, E=XXXXXXX.XXXXXXX@XXXXXXX.XXX"
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[CFG] certificate status is not available
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[CFG]   reached self-signed root ca with a path length of 0
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[CFG]   using trusted certificate "C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXX_Server_v2, E=XXXXXXX.XXXXXXX@XXXXXXX.XXX"
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[IKE] authentication of 'C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXX_Server_v2, E=XXXXXXX.XXXXXXX@XXXXXXX.XXX' with RSA signature successful
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[IKE] IKE_SA VPN 1[3] established between X.X.43.5[C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXX_Client_v2, E=XXXXXXX.XXXXXXX@XXXXXXX.XXX]...X.X.79.8[C=XX, ST=XXXXXXX, L=XXX, O=XXXXXXX, OU=XXXXXXX, CN=XXXXXXX_Server_v2, E=XXXXXXX.XXXXXXX@XXXXXXX.XXX]
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[IKE] scheduling rekeying in 35730s
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[IKE] maximum IKE_SA lifetime 36330s
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[IKE] installing new virtual IP X.X.88.100
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon[954]: 12[KNL] X.X.88.100 appeared on wlp3s0
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 avahi-daemon[632]: Registering new address record for X.X.88.100 on wlp3s0.IPv4.
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[IKE] installing new virtual IP XXXX::XXXX:2
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon[954]: 04[KNL] XXXX::XXXX:2 appeared on wlp3s0
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[IKE] CHILD_SA VPN 1{3} established with SPIs c2f6d125_i 2b492941_o and TS X.X.88.100/32 === 0.0.0.0/0
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3123] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: VPN connection: (IP Config Get) reply received.
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3154] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: VPN plugin: state changed: started (4)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3155] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: VPN connection: (IP4 Config Get) reply received
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3166] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: VPN connection: (IP6 Config Get) reply received
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3171] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data: VPN Gateway: X.X.79.8
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3171] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data: Tunnel XXvice: (null)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3171] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data: IPv4 configuration:
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3171] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data:   Internal Address: X.X.88.100
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3172] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data:   Internal Prefix: 32
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3172] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data:   Internal Point-to-Point Address: X.X.88.100
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3172] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data:   DNS Domain: '(none)'
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3172] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data: IPv6 configuration:
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3173] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data:   Internal Address: XXXX::XXXX:2
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3173] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data:   Internal Prefix: 128
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3173] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data:   Internal Point-to-Point Address: ::
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3173] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data:   Static Route: XXXX::XXXX:2/128   Next Hop: ::
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3173] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: Data:   DNS Domain: '(none)'
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 avahi-daemon[632]: Registering new address record for XXXX::XXXX:2 on wlp3s0.*.
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 NetworkManager[4602]: <info>  [1605879131.3306] vpn-connection[0x55f97a8e0150,24fa5f62-b070-48c9-99f1-40db15d466a9,"VPN 1",0]: VPN connection: (IP Config Get) complete
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 dbus-daemon[635]: [system] Activating via systemd: service name='org.freeXXsktop.nm_dispatcher' unit='dbus-org.freeXXsktop.nm-dispatcher.service' requested by ':1.122' (uid=0 pid=4602 XXXm="/usr/sbin/NetworkManager --no-daemon " label="unconfined")
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 systemd[1]: Starting Network Manager Script Dispatcher Service...
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 dbus-daemon[635]: [system] Successfully activated service 'org.freeXXsktop.nm_dispatcher'
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 systemd[1]: Started Network Manager Script Dispatcher Service.
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 13[KNL] received netlink error: Invalid argument (22)
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 13[KNL] unable to install source route for XXXX::XXXX:2
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 13[IKE] installed bypass policy for XXXX::XXXX:2/128
Nov 20 14:32:22 XXXXXX-ThinkPad-T500 systemd[1]: NetworkManager-dispatcher.service: Succeed.
Nov 20 14:32:26 XXXXXX-ThinkPad-T500 tracker-store[72389]: OK
Nov 20 14:32:26 XXXXXX-ThinkPad-T500 systemd[1383]: tracker-store.service: Succeed.
Nov 20 14:32:35 XXXXXX-ThinkPad-T500 charon-nm[2427]: 06[IKE] sending keep alive to X.X.79.8[4500]

Revision history for this message

Tobias Brunner (tobias-strongswan) wrote on 2020-11-30:

#3

As you can see in the log, you receive two IP addresses, but the remote traffic selector is IPv4 only:

Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[IKE] installing new virtual IP X.X.88.100
...
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[IKE] installing new virtual IP XXXX::XXXX:2
...
Nov 20 14:32:11 XXXXXX-ThinkPad-T500 charon-nm[2427]: 14[IKE] CHILD_SA VPN 1{3} established with SPIs c2f6d125_i 2b492941_o and TS X.X.88.100/32 === 0.0.0.0/0

So the remote box either has no IPv6 traffic selectors configured, or it does not support multiple subnets/families per CHILD_SA. Unless Fortinet added support for the latter recently, that might actually be the case, considering users reported this before on our wiki (https://wiki.strongswan.org/projects/strongswan/wiki/Fortinet).

Ubuntu
network-manager-strongswan package

IPv6 over IPv4 IPSec tunnel communication error

Bug Description

Other bug subscribers

Remote bug watches

Ubuntunetwork-manager-strongswan package

IPv6 over IPv4 IPSec tunnel communication error

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
network-manager-strongswan package