Hi everyone!
I noticed a problem with my Strongswan VPN running on my OpenWRT router (server): when I visit an IPv6-only website, sometimes it does not load (connection timeout). This depends on the website and on the client device (e.g. the Android phone loads site1 but not site2, while the Windows PC loads site2 but not site1), and it's also a bit random (sometimes a website that Windows couldn't load earlier loads now).
My iPad seemed to load all websites correctly, but it turns out it doesn't use the VPN's IPv6 address if it already has another IPv6 address assigned (I don't know why).
I think this is an MTU problem; in fact, if I go to test-ipv6.com it says:
Danger! IPv6 sorta works - however, large packets appear to fail, giving the appearance of a broken website. If a publisher publishes to IPv6, you will believe their web site to be broken. Ask your ISP about MTU issues; possibly with your tunnel. Check your firewall to make sure that ICMPv6 messages are allowed (in particular, Type 2 or Packet Too Big).
If I run the test from the router's LAN (without the VPN) it passes with all green marks and no warnings.
I tried to set Strongswan's MTU to 1280 and MSS to 1220 (in kernel-netlink.conf) but it didn't help.
Setting MTU to 1280 on the client also didn't work.
Setting
ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
didn't help either.
I really don't know what else to try.
Here are my config files:
/etc/ipsec.conf
config setup
# A new IKE_SA from an identity replaces that identity's existing IKE_SA.
uniqueids=yes
# Level-2 logging for the listed subsystems; "knl 2" and "net 2" are the ones
# that show route/MTU and socket handling if this is debugged further.
charondebug="cfg 2, dmn 2, ike 2, net 2, knl 2"
conn VPN
# Responder only: load the conn and wait for clients, never initiate.
auto=add
compress=no
type=tunnel
keyexchange=ikev2
# NOTE: this is IKEv2 *message* fragmentation (for large certificate payloads).
# It neither sizes nor fragments ESP data packets, so it does not address a
# data-plane MTU problem.
fragmentation=yes
forceencaps=no
# The updown script installs iptables rules per CHILD_SA. The manual
# "-m policy --pol ipsec" rules in /etc/firewall.user cover the same traffic,
# so the two sets presumably duplicate each other.
leftfirewall=yes
mobike=yes
# Dead-peer detection every 300s; on timeout the connection is closed without
# reconnecting.
dpdaction=clear
dpddelay=300s
# The server never initiates rekeying (clients still may).
rekey=no
left=%any
leftid=dns:********
leftsendcert=always
leftauth=pubkey
# Full tunnel: clients send all IPv4 and IPv6 traffic through the VPN.
leftsubnet=0.0.0.0/0,::/0
right=%any
rightauth=eap-tls
eap_identity=%any
# Virtual IP pools. NOTE(review): the IPv6 /96 has to be reachable from the
# internet via this router — routed out of the 6rd prefix, or NDP-proxied if
# it is carved out of the LAN /64. Verify which applies here.
rightsourceip=10.10.10.0/24,****:****:****:****:****:****::/96
# DNS pushed to clients: the router's LAN IPv4 address and an address from the
# ULA prefix configured in /etc/config/network.
rightdns=192.168.1.254,fd69:beef:cafe::1
rightsendcert=yes
# "!" makes the proposal strict (no fallback proposals).
ike=aes256-sha256-modp2048!
# No DH group in the ESP proposal: CHILD_SA rekeys run without PFS; the
# modp2048 above only covers the IKE_SA. Add a group (e.g. -modp2048) if
# per-CHILD_SA forward secrecy is wanted.
esp=aes256-sha256!
/etc/config/network
# Loopback interface.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# ULA prefix for the LAN. fd69:beef:cafe::1, the IPv6 DNS server pushed to VPN
# clients in ipsec.conf (rightdns), is presumably the router's own address from
# this prefix — confirm with `ip -6 addr show br-lan`.
option ula_prefix 'fd69:beef:cafe::/48'
option default_ps '0'
# Bridged LAN (eth0-eth3, STP on). ip6class '6rd local' means the LAN /64 is
# assigned both from the 6rd-derived prefix and from the ULA above.
config interface 'lan'
option ifname 'eth0 eth1 eth2 eth3'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.254'
option ip6assign '64'
option force_link '0'
option ip6class '6rd local'
option ipv6 '1'
option ip6hint '0'
option ip6weight '1'
option stp '1'
option rpfilter '1'
list pppoerelay ''
list dns '127.0.0.1'
list dns '::1'
# Vendor switch section; the options other than reset/enable_vlan are not
# standard OpenWrt and are not documented here.
config switch 'bcmsw'
option reset '1'
option enable_vlan '0'
option qosimppauseenable '0'
option jumbo '0'
# IPv4 WAN via DHCP on the tagged PTM VLAN (see vlan_ptm0 below).
config interface 'wan'
option proto 'dhcp'
option reqopts '1 3 6 15 33 42 43 51 121 249 212'
option vendorid '*******'
option authfail '0'
# IPv6 comes from the 6rd tunnel interface named '6rd' (placed in the wan
# firewall zone in /etc/config/firewall). That tunnel interface is not part of
# this excerpt; because 6rd wraps IPv6 in an IPv4 header, its MTU is at most
# 1480 given the 1500 below, and that is what bounds IPv6 packet size.
option iface6rd '6rd'
option zone6rd 'wan'
option mtu '1500'
option initboot '1'
# No DHCPv6 on the WAN itself; IPv6 is 6rd only.
option ipv6 '0'
option notused '**:**:**:**:**:**'
option auto '1'
option password '********'
# Static upstream resolvers; ISP-supplied DNS is ignored (peerdns '0').
list dns '1.1.1.1'
list dns '1.0.0.1'
list dns '2606:4700:4700::1111'
list dns '2606:4700:4700::1001'
option peerdns '0'
option ifname '@vlan_wan'
config interface 'mgmt'
option vendorid '*******'
# VLAN 100 on ptm0 (presumably the DSL PTM port). This is also the egress
# device named in the SNAT rule for VPN clients in /etc/firewall.user.
config device 'vlan_ptm0'
option type '8021q'
option ifname 'ptm0'
option mtu '1500'
option name 'vlan_ptm0'
option vid '100'
# Alternative DHCP WAN profile on the same VLAN; disabled (auto '0').
config interface 'wantag'
option proto 'dhcp'
option reqopts '1 3 6 15 33 42 51 121 249 212'
option vendorid '*******'
option authfail '0'
option iface6rd '6rd'
option zone6rd 'wan'
option mtu '1500'
option initboot '1'
option ipv6 '0'
option ifname '@vlan_wan'
option auto '0'
# Cellular WAN (vendor 'mobiled' protocol).
config interface 'wwan'
option proto 'mobiled'
option session_id '0'
option profile '1'
option iface_464xlat '0'
option auto '1'
option enabled '1'
# Alias so 'wan'/'wantag' bind to the tagged PTM device.
config interface 'vlan_wan'
option ifname 'vlan_ptm0'
# ATM (ADSL) devices; not referenced by any interface in this excerpt.
config device 'if0atm'
option enable '1'
option name 'atm0'
option macaddr '**:**:**:**:**:**'
config device 'if1atm'
option enable '1'
option name 'atm1'
option macaddr '**:**:**:**:**:**'
# VLAN 835 on eth4 and its alias interface, a parallel WAN path to the PTM
# one; not used by 'wan' in this excerpt.
config device 'vlan_eth4'
option type '8021q'
option ifname 'eth4'
option mtu '1500'
option name 'vlan_eth4'
option vid '835'
config interface 'vlan_wan_eth4'
option ifname 'vlan_eth4'
# Static address on the bare eth4 port; presumably SFP/ONT management.
config interface 'sfp'
option proto 'static'
option ifname 'eth4'
option ipaddr '169.0.0.2'
option netmask '255.255.255.0'
config config 'config'
option wan_mode 'dhcp'
# DHCP profile with DHCPv6 enabled; no device is bound to it in this excerpt.
config interface 'ipoe'
option proto 'dhcp'
option metric '1'
option reqopts '1 3 6 43 51 58 59'
option release '1'
option neighreachabletime '1200000'
option neighgcstaletime '2400'
option ipv6 '1'
# Vendor-defined VLAN 835 devices with no ifname in this excerpt; they overlap
# vlan_eth4 above.
config device 'waneth4'
option enabled '1'
option type '8021q'
option name 'waneth4'
option vid '835'
config device 'wanptm0'
option enabled '1'
option type '8021q'
option name 'wanptm0'
option vid '835'
/etc/config/firewall
# Defaults: drop unsolicited input, reject forwarding unless a zone or
# forwarding section allows it, drop packets conntrack classifies as INVALID.
config defaults
option syn_flood '1'
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'
# LAN: everything allowed; mtu_fix enables TCP MSS clamping for this zone.
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option wan '0'
# Vendor management zone: nothing allowed in or through.
config zone 'mgmt'
option name 'mgmt'
list network 'mgmt'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
option wan '1'
# WAN zone also contains the 6rd tunnel interface, so the IPv6 rules below
# apply to tunnelled traffic. Masquerade is limited to LAN sources.
config zone 'wan'
option name 'wan'
list network 'wan'
list network '6rd'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
list masq_src 'lan'
option mtu_fix '1'
option wan '1'
# Cellular WAN zone.
config zone 'wwan'
option name 'wwan'
list network 'wwan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
option wan '1'
# LAN may reach both WANs. VPN client traffic is accepted before these zone
# chains are reached, by the -m policy rules in /etc/firewall.user.
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
config forwarding 'lan_wwan'
option src 'lan'
option dest 'wwan'
# Standard OpenWrt inbound allowances: DHCP renew, rate-limited ping, DHCPv6,
# and protocol 41 (IPv6-in-IPv4), which is how the 6rd tunnel itself arrives.
config rule 'Allow_DHCP_Renew_mgmt'
option name 'Allow-DHCP-Renew-mgmt'
option src 'mgmt'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule 'Allow_DHCP_Renew_wan'
option name 'Allow-DHCP-Renew-wan'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule 'Allow_Ping_mgmt'
option name 'Allow-Ping-mgmt'
option src 'mgmt'
option proto 'icmp'
list icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule 'Allow_Ping_wan'
option name 'Allow-Ping-wan'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
option limit '100/sec'
option family 'ipv4'
option target 'ACCEPT'
config rule 'Allow_DHCPv6'
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule 'Allow_Encapsulated_IPv6'
option name 'Allow-Encapsulated-IPv6'
option src 'wan'
option proto '41'
option target 'ACCEPT'
# ICMPv6 to the router itself. packet-too-big (type 2) is included — this is
# the message the test-ipv6.com warning asks about.
config rule 'Allow_ICMPv6_Input'
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '100/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from WAN to any zone, again including packet-too-big.
# For traffic bound for a VPN client this rule is presumably not reached: the
# "-m policy --dir out" rule in /etc/firewall.user is inserted at the head of
# FORWARD and accepts it first.
config rule 'Allow_ICMPv6_Forward'
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '100/sec'
option family 'ipv6'
option target 'ACCEPT'
(...)
# /etc/firewall.user is re-executed on every firewall reload (reload '1').
config include
option path '/etc/firewall.user'
option reload '1'
(...)
# IKE/IPsec to the router itself: ESP, IKE (UDP 500), NAT-T (UDP 4500).
config rule
option name 'IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'IPSec-IKE'
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'IPSec-NAT-T'
option src 'wan'
option dest_port '4500'
option proto 'udp'
option target 'ACCEPT'
# ipsec.conf only negotiates ESP (esp= proposal, no ah=), so this AH rule is
# presumably unused; removing it keeps the accepted surface minimal.
config rule
option name 'IPSec-Auth-Header'
option src 'wan'
option proto 'ah'
option target 'ACCEPT'
/etc/firewall.user
# Run by fw3 on every firewall reload (the include in /etc/config/firewall has
# reload '1'). Rules added with -A are first removed with -D so a reload does
# not leave duplicates; the -I rules further down have no such guard, so check
# `iptables -S` after a reload to see whether copies accumulate.
#
# Save the top nibble of the packet mark into the conntrack mark (v4 and v6).
iptables -t mangle -D PREROUTING -j CONNMARK --save-mark --nfmask 0xf0000000 --ctmask 0xf0000000
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark --nfmask 0xf0000000 --ctmask 0xf0000000
ip6tables -t mangle -D PREROUTING -j CONNMARK --save-mark --nfmask 0xf0000000 --ctmask 0xf0000000
ip6tables -t mangle -A PREROUTING -j CONNMARK --save-mark --nfmask 0xf0000000 --ctmask 0xf0000000
# Let the router emit ICMP/ICMPv6 redirects.
iptables -t filter -D output_rule -p icmp --icmp-type redirect -j ACCEPT
iptables -t filter -A output_rule -p icmp --icmp-type redirect -j ACCEPT
ip6tables -t filter -D output_rule -p icmpv6 --icmpv6-type redirect -j ACCEPT
ip6tables -t filter -A output_rule -p icmpv6 --icmpv6-type redirect -j ACCEPT
# Vendor speedtest exception: inbound TCP to these ports leaves the wan NAT
# prerouting chain early, i.e. skips any DNAT/DMZ rules in it.
iptables -t nat -I zone_wan_prerouting -p tcp -m multiport --dports 8888,8889,7548 -m comment --comment "DMZ_Exception_speedtest_Conn_Reqs" -j ACCEPT
# SKIPLOG is not an upstream iptables target (vendor-provided; presumably
# excludes the 464XLAT and MAP-T tunnel devices from connection logging).
ip6tables -t mangle -I FORWARD -o 464-wan6_4 -j SKIPLOG
ip6tables -t mangle -I FORWARD -i 464-wan6_4 -j SKIPLOG
ip6tables -t mangle -I FORWARD -o map-mapt -j SKIPLOG
ip6tables -t mangle -I FORWARD -i map-mapt -j SKIPLOG
# IPsec data plane (IPv4): accept anything that arrived, or will leave,
# ESP-protected. -I puts these at the head of the built-in chains, ahead of
# the fw3 zone chains. Security note: the INPUT rule exposes every router
# service to VPN clients and the FORWARD rules let them reach every zone,
# LAN included — expected for a full-tunnel road-warrior VPN, but this is the
# place to narrow it if that is not wanted. leftfirewall=yes in ipsec.conf
# makes the updown script install equivalent per-CHILD_SA rules, so these
# presumably duplicate those.
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# NAT for VPN clients leaving via the PTM WAN. Because -I inserts at position
# 1, the chain order is the reverse of the file order: the unrestricted policy
# ACCEPT (third line) is evaluated first, then the SNAT, then the first line,
# which therefore never matches and is redundant. The SNAT also hard-codes the
# WAN address although 'wan' is DHCP in /etc/config/network; MASQUERADE would
# follow address changes.
iptables -t nat -I POSTROUTING -s 10.10.10.0/24 -o vlan_ptm0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -I POSTROUTING -s 10.10.10.0/24 -o vlan_ptm0 -j SNAT --to ***.***.***.***
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
# Same IPsec accepts for IPv6. There is no IPv6 NAT, so the /96 client pool
# from ipsec.conf has to be routed to this router natively.
ip6tables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
ip6tables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
ip6tables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
ip6tables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
/etc/sysctl.conf
# Reboot 3 s after a kernel panic.
kernel.panic=3
# Core dumps are piped to a vendor handler instead of being written to disk.
kernel.core_pattern=|/sbin/core-handler %e.%p.%s.%t.core %P
kernel.core_pipe_limit=10
# 2 = "suidsafe": processes that would normally not be dumpable (set-uid, or
# daemons that dropped privileges) are dumped as well. Such dumps can contain
# key material, so wherever /sbin/core-handler stores them should be
# root-only — worth verifying on this firmware.
fs.suid_dumpable=2
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
# Routing between LAN, WAN and the VPN pools needs forwarding enabled for both
# families (IPv6 below).
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
# The tcp_* settings apply only to the router's own TCP connections, not to
# forwarded LAN/VPN traffic.
net.ipv4.tcp_ecn=0
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
# Conntrack: byte/packet accounting on; checksum verification off, so packets
# with bad checksums are tracked instead of being marked INVALID (and thus are
# not caught by drop_invalid in /etc/config/firewall); the table is capped at
# 16k entries, which NAT and VPN sessions all count against.
net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180
# No path-MTU related sysctls (e.g. net.ipv4.ip_no_pmtu_disc,
# net.ipv6.route.mtu_expires) are overridden in this file; kernel defaults
# apply there.
# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
Any hint would be appreciated
EDIT: I forgot to say that my IPv6 connection is a 6rd tunnel.
EDIT2: If I run this test against the IPv6 address of a device connected via the VPN (e.g. my Android phone), there is no fragmentation all the way up to 1536 bytes, so now I'm not even sure it is an MTU problem.