Strongswan VPN IPv6 working only partially

Hi everyone!
I noticed a problem with my Strongswan VPN running on my OpenWRT router (server): when I visit an IPv6-only website, sometimes it does not load (connection timeout). This depends on the website and on the client device (e.g. the Android phone loads site1 but not site2, while the Windows PC loads site2 but not site1), and it is also somewhat random (a site that Windows could not load earlier sometimes loads later).
My iPad seemed to load all websites correctly, but in fact it does not use the VPN's IPv6 address when it already has another IPv6 address assigned (I don't know why).
I think this is a problem of MTU, in fact if I go to test-ipv6.com it says:

Danger! IPv6 sorta works - however, large packets appear to fail, giving the appearance of a broken website. If a publisher publishes to IPv6, you will believe their web site to be broken. Ask your ISP about MTU issues; possibly with your tunnel. Check your firewall to make sure that ICMPv6 messages are allowed (in particular, Type 2 or Packet Too Big).

If I do the test on the router's lan (without VPN) it passes with all green marks, no warnings.

I tried to set Strongswan's MTU to 1280 and MSS to 1220 (in kernel-netlink.conf) but it didn't help.
Setting MTU to 1280 on the client also didn't work.
Setting
ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
didn't help either.

I really don't know what to do more.

Here are my config files:

/etc/ipsec.conf
# strongSwan daemon settings.
config setup
    # A reconnecting peer with the same identity replaces its old IKE_SA.
    uniqueids=yes
    # Level-2 logging for config, daemon, IKE, network and kernel subsystems:
    # useful while troubleshooting, but noisy (and it logs peer identities)
    # on a router's syslog — lower it once the problem is solved.
    charondebug="cfg 2, dmn 2, ike 2, net 2, knl 2"

# Road-warrior connection: the router is the responder, clients authenticate
# with client certificates via EAP-TLS and receive tunnel addresses from the
# pools in rightsourceip.
conn VPN
    # Load at start-up and wait for peers; the router never initiates.
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    # IKEv2 message fragmentation (large certificate payloads). This concerns
    # IKE control messages only, not the ESP data-plane MTU.
    fragmentation=yes
    forceencaps=no
    # Let the updown script add firewall rules for tunnel traffic, in addition
    # to the policy-match rules kept in /etc/firewall.user.
    leftfirewall=yes
    mobike=yes
    # Dead peer detection every 300s; a dead client's SAs are removed without
    # any attempt to re-establish them.
    dpdaction=clear
    dpddelay=300s
    # The router does not initiate rekeying; SAs stay up until the client
    # rekeys or their lifetime expires.
    rekey=no
    left=%any
    leftid=dns:********
    leftsendcert=always
    leftauth=pubkey
    # Full tunnel: clients route all IPv4 and IPv6 traffic through the VPN.
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightauth=eap-tls
    eap_identity=%any
    # Virtual IP pools. NOTE(review): the IPv6 pool is a /96 that presumably
    # lies inside the single /64 the 6rd link provides (the LAN already takes a
    # /64 via ip6assign); upstream can only reach those addresses if the router
    # answers neighbour discovery for them. The thread's own resolution — a
    # dedicated /64 out of a /48 — points the same way; confirm.
    rightsourceip=10.10.10.0/24,****:****:****:****:****:****::/96
    # DNS pushed to clients: the router's LAN IPv4 address and, presumably,
    # its ULA address (ula_prefix fd69:beef:cafe::/48 in /etc/config/network).
    rightdns=192.168.1.254,fd69:beef:cafe::1
    rightsendcert=yes
    # Strict ('!') proposals. The ESP proposal carries no DH group, so CHILD_SA
    # rekeys happen without PFS.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
/etc/config/network
# OpenWrt UCI network configuration from an ISP-modified firmware: several
# options below (authfail, initboot, notused, iface6rd, zone6rd, mobiled, ...)
# do not exist in vanilla OpenWrt and are treated here as vendor additions.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# ULA prefix for the LAN; ipsec.conf pushes fd69:beef:cafe::1 as a DNS server.
	option ula_prefix 'fd69:beef:cafe::/48'
	option default_ps '0'

config interface 'lan'
	# Four switch ports bridged into one LAN segment (see bridge-nf-call-* in
	# /etc/sysctl.conf: traffic switched between these ports bypasses iptables).
	option ifname 'eth0 eth1 eth2 eth3'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.254'
	# Take a /64 for the LAN from the 6rd prefix and from the ULA.
	# NOTE(review): if the 6rd prefix is itself only a /64 (the thread's
	# follow-up says a /64 was all that was available), this /64 is the whole
	# prefix and the VPN's /96 pool in ipsec.conf would overlap it — confirm.
	option ip6assign '64'
	option force_link '0'
	option ip6class '6rd local'
	option ipv6 '1'
	option ip6hint '0'
	option ip6weight '1'
	option stp '1'
	# Reverse-path filtering on the LAN side.
	option rpfilter '1'
	list pppoerelay ''
	# Resolver entries for this interface point at the router's own resolver.
	list dns '127.0.0.1'
	list dns '::1'

# Vendor switch settings (no VLAN tagging on the internal switch).
config switch 'bcmsw'
	option reset '1'
	option enable_vlan '0'
	option qosimppauseenable '0'
	option jumbo '0'

config interface 'wan'
	option proto 'dhcp'
	option reqopts '1 3 6 15 33 42 43 51 121 249 212'
	option vendorid '*******'
	option authfail '0'
	# IPv6 is delivered by a 6rd tunnel riding on this IPv4 WAN (firewall zone 'wan').
	option iface6rd '6rd'
	option zone6rd 'wan'
	# 1500 on the IPv4 link. The 6rd encapsulation and, for VPN clients, the ESP
	# encapsulation each consume part of that, so the usable IPv6 payload is
	# smaller — presumably what test-ipv6.com's "large packets fail" refers to;
	# confirm against the actual 6rd tunnel MTU.
	option mtu '1500'
	option initboot '1'
	# No native IPv6 on the WAN link; only 6rd is used.
	option ipv6 '0'
	option notused '**:**:**:**:**:**'
	option auto '1'
	# Redacted credential, stored in plain text in this file.
	option password '********'
	# Explicit upstream resolvers; the ISP's DHCP-supplied DNS is ignored (peerdns 0).
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	option peerdns '0'
	option ifname '@vlan_wan'

# Vendor management interface (only a vendor id is set here).
config interface 'mgmt'
	option vendorid '*******'

# VDSL (ptm0) carried as VLAN 100; this is the device the WAN-side SNAT in
# /etc/firewall.user refers to.
config device 'vlan_ptm0'
	option type '8021q'
	option ifname 'ptm0'
	option mtu '1500'
	option name 'vlan_ptm0'
	option vid '100'

# Alternate tagged WAN profile, disabled (auto 0).
config interface 'wantag'
	option proto 'dhcp'
	option reqopts '1 3 6 15 33 42 51 121 249 212'
	option vendorid '*******'
	option authfail '0'
	option iface6rd '6rd'
	option zone6rd 'wan'
	option mtu '1500'
	option initboot '1'
	option ipv6 '0'
	option ifname '@vlan_wan'
	option auto '0'

# Presumably a mobile/LTE backhaul handled by a vendor protocol handler.
config interface 'wwan'
	option proto 'mobiled'
	option session_id '0'
	option profile '1'
	option iface_464xlat '0'
	option auto '1'
	option enabled '1'

config interface 'vlan_wan'
	option ifname 'vlan_ptm0'

# ATM (ADSL) devices; MAC addresses redacted.
config device 'if0atm'
	option enable '1'
	option name 'atm0'
	option macaddr '**:**:**:**:**:**'

config device 'if1atm'
	option enable '1'
	option name 'atm1'
	option macaddr '**:**:**:**:**:**'

# Ethernet WAN (eth4) carried as VLAN 835.
config device 'vlan_eth4'
	option type '8021q'
	option ifname 'eth4'
	option mtu '1500'
	option name 'vlan_eth4'
	option vid '835'

config interface 'vlan_wan_eth4'
	option ifname 'vlan_eth4'

# Static link-local style address on the SFP/eth4 port.
config interface 'sfp'
	option proto 'static'
	option ifname 'eth4'
	option ipaddr '169.0.0.2'
	option netmask '255.255.255.0'

config config 'config'
	option wan_mode 'dhcp'

# IPoE profile with IPv6 enabled and tuned neighbour-cache timers.
config interface 'ipoe'
	option proto 'dhcp'
	option metric '1'
	option reqopts '1 3 6 43 51 58 59'
	option release '1'
	option neighreachabletime '1200000'
	option neighgcstaletime '2400'
	option ipv6 '1'

# Duplicate VLAN-835 devices on eth4 and ptm0 (vendor profiles).
config device 'waneth4'
	option enabled '1'
	option type '8021q'
	option name 'waneth4'
	option vid '835'

config device 'wanptm0'
	option enabled '1'
	option type '8021q'
	option name 'wanptm0'
	option vid '835'
/etc/config/firewall
# Global policy: nothing reaches the router or is forwarded unless a zone or
# rule below allows it; SYN-flood protection and dropping of INVALID conntrack
# state are on.
config defaults
	option syn_flood '1'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

# LAN zone: fully trusted. mtu_fix clamps TCP MSS to the path MTU for traffic
# crossing this zone.
config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option wan '0'

# Vendor management zone, treated as untrusted (input/forward DROP, NAT on).
config zone 'mgmt'
	option name 'mgmt'
	list network 'mgmt'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	option wan '1'

# WAN zone; the 6rd tunnel interface is a member, so IPv6 arriving through
# 6rd is subject to the same input/forward policy as IPv4 from the WAN.
# IPsec tunnel traffic is NOT handled by this zone — it is accepted earlier
# by the policy-match rules in /etc/firewall.user.
config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network '6rd'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	# Only traffic sourced from the LAN zone is masqueraded.
	list masq_src 'lan'
	option mtu_fix '1'
	option wan '1'

config zone 'wwan'
	option name 'wwan'
	list network 'wwan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	option wan '1'

# LAN may initiate towards both upstreams; nothing is forwarded back in.
config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config forwarding 'lan_wwan'
	option src 'lan'
	option dest 'wwan'

# DHCPv4 renewals to the router's client port on the untrusted zones.
config rule 'Allow_DHCP_Renew_mgmt'
	option name 'Allow-DHCP-Renew-mgmt'
	option src 'mgmt'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule 'Allow_DHCP_Renew_wan'
	option name 'Allow-DHCP-Renew-wan'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule 'Allow_Ping_mgmt'
	option name 'Allow-Ping-mgmt'
	option src 'mgmt'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Rate-limited ICMPv4 echo from the Internet.
config rule 'Allow_Ping_wan'
	option name 'Allow-Ping-wan'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option limit '100/sec'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 client traffic, restricted to link-local/ULA style sources and
# destinations (fc00::/6 covers both fc00::/7 and fe80::/10).
config rule 'Allow_DHCPv6'
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Protocol 41 (IPv6-in-IPv4) from any WAN source: required for the 6rd tunnel.
# If the 6rd border relay address is fixed, this could be narrowed to it.
config rule 'Allow_Encapsulated_IPv6'
	option name 'Allow-Encapsulated-IPv6'
	option src 'wan'
	option proto '41'
	option target 'ACCEPT'

# ICMPv6 to the router itself. packet-too-big (type 2) is included, so the
# ICMPv6 filtering that test-ipv6.com warns about is not blocked here for
# traffic arriving via the wan zone.
config rule 'Allow_ICMPv6_Input'
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '100/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 error/echo messages forwarded from the wan zone to any other zone,
# again including packet-too-big so PMTU discovery can reach LAN hosts.
config rule 'Allow_ICMPv6_Forward'
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '100/sec'
	option family 'ipv6'
	option target 'ACCEPT'

(...)

# Run /etc/firewall.user after the generated rule set, and again on every
# firewall reload (reload 1) — the script therefore has to be idempotent.
config include
	option path '/etc/firewall.user'
	option reload '1'

(...)

# IPsec control and data plane exposed on the WAN: ESP, IKE (UDP 500) and
# NAT-T (UDP 4500). None of these carry a source restriction, which is
# expected for road-warrior clients with changing addresses.
config rule
	option name 'IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'IPSec-IKE'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'IPSec-NAT-T'
	option src 'wan'
	option dest_port '4500'
	option proto 'udp'
	option target 'ACCEPT'

# NOTE(review): conn VPN in ipsec.conf negotiates ESP only (esp= proposal, no
# ah=), so this AH rule is unused unless another connection needs it; removing
# it trims the exposed surface slightly.
config rule
	option name 'IPSec-Auth-Header'
	option src 'wan'
	option proto 'ah'
	option target 'ACCEPT'
/etc/firewall.user
# /etc/firewall.user — executed after the generated rule set and re-run on
# every firewall reload (config include, reload '1'). The -D/-A pairs below
# first delete any earlier copy of a rule so that repeated runs do not
# leave duplicates behind.

# Persist the top nibble of the packet mark in conntrack (vendor traffic
# marking scheme) for IPv4 and IPv6.
iptables -t mangle -D PREROUTING -j CONNMARK --save-mark --nfmask 0xf0000000 --ctmask 0xf0000000
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark --nfmask 0xf0000000 --ctmask 0xf0000000
ip6tables -t mangle -D PREROUTING -j CONNMARK --save-mark --nfmask 0xf0000000 --ctmask 0xf0000000
ip6tables -t mangle -A PREROUTING -j CONNMARK --save-mark --nfmask 0xf0000000 --ctmask 0xf0000000
# Allow ICMP/ICMPv6 redirects generated by the router itself.
iptables -t filter -D output_rule -p icmp --icmp-type redirect -j ACCEPT
iptables -t filter -A output_rule -p icmp --icmp-type redirect -j ACCEPT
ip6tables -t filter -D output_rule -p icmpv6 --icmpv6-type redirect -j ACCEPT
ip6tables -t filter -A output_rule -p icmpv6 --icmpv6-type redirect -j ACCEPT
# Vendor exception: inbound TCP 8888/8889/7548 are accepted in the WAN
# prerouting NAT chain (speed-test traffic). This only exempts them from
# NAT processing; whether they reach the router is still decided by the
# filter table. Inserted without a preceding -D.
iptables -t nat -I zone_wan_prerouting -p tcp -m multiport --dports 8888,8889,7548 -m comment --comment "DMZ_Exception_speedtest_Conn_Reqs" -j ACCEPT

# Skip logging on the 464XLAT and MAP-T interfaces (SKIPLOG is presumably a
# vendor-defined chain; it is not created in this script).
ip6tables -t mangle -I FORWARD -o 464-wan6_4 -j SKIPLOG
ip6tables -t mangle -I FORWARD -i 464-wan6_4 -j SKIPLOG
ip6tables -t mangle -I FORWARD -o map-mapt -j SKIPLOG
ip6tables -t mangle -I FORWARD -i map-mapt -j SKIPLOG

# IPsec data plane, IPv4. Every packet decapsulated from an IPsec SA is
# accepted into INPUT (all router services) and FORWARD (LAN and Internet)
# with no port or destination restriction: each authenticated VPN client gets
# the same reach as a LAN host. Restrict here if clients should see less.
# NOTE(review): these use -I with no matching -D, unlike the rules above, so a
# re-run of this script may stack duplicate copies — confirm how this firmware
# rebuilds the built-in chains on reload.
iptables -I INPUT   -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# Because -I prepends, the effective POSTROUTING order is the reverse of the
# listing: first the generic policy-match ACCEPT (traffic going back into a
# tunnel leaves un-NATed), then SNAT of the 10.10.10.0/24 pool to the public
# address for Internet-bound traffic, then the narrower policy-match ACCEPT,
# which is redundant at that point.
iptables -t nat -I POSTROUTING -s 10.10.10.0/24 -o vlan_ptm0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -I POSTROUTING -s 10.10.10.0/24 -o vlan_ptm0 -j SNAT --to ***.***.***.***
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

# IPsec data plane, IPv6: the same unrestricted accept. These sit at the top of
# the filter FORWARD chain and ACCEPT is terminal there, so any rule appended
# later with -A in the same chain (e.g. an `ip6tables -A FORWARD ... -j TCPMSS`
# clamp) is never reached for tunnel traffic — presumably why a manual MSS
# clamp had no visible effect. Note also that IPv6 tunnel addresses are global,
# so no SNAT counterpart exists here.
ip6tables -I INPUT   -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
ip6tables -I FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
ip6tables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
ip6tables -I OUTPUT  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
/etc/sysctl.conf
# Reboot 3 s after a kernel panic; core dumps are piped to a vendor handler.
kernel.panic=3
kernel.core_pattern=|/sbin/core-handler %e.%p.%s.%t.core %P
kernel.core_pipe_limit=10
# Mode 2 also dumps processes that changed privileges (e.g. setuid binaries,
# daemons that dropped privileges). Such dumps can contain key material —
# charon, for one, holds the VPN's private keys — so the handler's output
# location and permissions deserve a check.
fs.suid_dumpable=2

# Only answer ARP for addresses configured on the receiving interface.
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
# IPv4 routing between LAN, WAN and the VPN pool.
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
# TCP tuning chosen by the vendor firmware: ECN off, SACK off (DSACK on),
# timestamps on, SYN cookies on.
net.ipv4.tcp_ecn=0
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=1

# IPv6 router mode; required for VPN clients' IPv6 traffic to be forwarded.
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

# Conntrack sizing: 16384 entries is small for a router that also terminates a
# VPN; once the table is full new connections are dropped, which can look like
# random timeouts — worth monitoring (nf_conntrack_count) before raising.
# Checksum verification is disabled for conntrack.
net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180

# disable bridge firewalling by default
# (frames switched between the bridged LAN ports never traverse iptables/ip6tables)
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

Any hint would be appreciated :thinking:

EDIT: I forgot to say that my IPv6 connection is a 6rd tunnel.

EDIT2: If I do this test with the IPv6 of a device connected via VPN (e.g. my Android phone) there's no fragmentation all the way up to 1536 bytes, so now I'm not even sure about a MTU problem :confused:

First of all edit the post above and use preformatted text (the </> button) for the console output.
Also include the output of ubus call system board


I'm sorry, it was a typo.

Here it is:

{
        "kernel": "4.1.38",
        "hostname": "********",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "BCM963138",
        "release": {
                "distribution": "OpenWrt",
                "version": "Chaos Calmer",
                "revision": "unknown",
                "codename": "chaos_calmer",
                "target": "brcm63xx-tch\/VBNTJ",
                "description": "OpenWrt Chaos Calmer 15.05.1"
        }
}

It's a modded Italian ISP modem (we can't update firmware because of bootloader signature check).

First of all the 15.05 version is very old and unsupported. It will be very difficult to find someone to help you reproduce the problem.
Second there are some options in your configuration which I have not come across before, which makes me believe this is a modified firmware from your ISP. That is definitely not supported here.


Ok, no problem. I thought the options added by the ISP were unrelated, so maybe we could have found a solution anyway, but I understand it can be very difficult with so many variables.

If you could upgrade to vanilla OpenWrt or utilize another router for terminating the ipsec tunnel, there would be a chance of helping you.


Ok, I don't have any other router at the moment but in case I'll get back, thank you.
Anyway, if I resolve a non-working website domain and try to ping its IPv6 I get Request timed out., so I guess it's not an MTU problem because normal ping is only 32 bytes, am I right?

To be fair, you may have more than just one problem.
It's best to upgrade the firmware and convert the firewall script to UCI syntax.


I'd do that, but I can't because the bootloader checks the firmware for the ISP's signature, so I can only install official ISP's firmwares.
I think I have to wait until I can get an officially supported OpenWRT router and then chain it behind the ISP's modem (as I've seen that OpenWRT doesn't support the 35b VDSL profile).
Anyway, thank you both :smile:


For anyone interested, I managed to make it work by switching from my ISP's 6rd tunnel to a 6in4 tunnel (from a known IPv6 tunnel broker), so that now I have a /48 prefix instead of a /64.
I've assigned a subnet for the VPN by setting rightsourceip=xxxx:yyyy:zzzz:abcd::/64 in /etc/ipsec.conf and it works like a charm, even the problem of the iPad not using the IPv6 assigned by the VPN is now solved! :tada: :confetti_ball:

