IPv6 Windows client IPSec/IKEv2 VPN in IPv4 network

Hi there,

In order to allow users to work remotely, we have for many years utilized various VPN schemes.
At the moment the main problem is the pure IPv6 networks implemented by mobile operators.

L2TP/IPsec VPN access was excellent and stable, but we can’t solve the problem of access from a mobile IPv6 network.
The problem was described there, but it looks like nobody cares.

Later I implemented IPsec/IKEv2 VPN access and everything looks fine, the tunnel is even created, but there is no internet access from the client computer.

Both Windows 10 and 11 were tested in an IPv4 network and everything works fine.
BTW, much better than L2TP/IPsec VPN, 2x tunnel speed achieved.

I could provide both the configuration and the charon log, but it is a big bunch of information, and I am not sure it would help at the beginning.

So I have a few simple questions at first:
a) is it really possible at all?
b) is there anybody who really did the same?

Any feedback/suggestion/direction will be highly appreciated.

PS: there is an obvious solution to fix the IPv6 issue, connecting the Windows client over the mobile phone’s internet sharing, but it’s not very good and is not perfect :slight_smile:

Thanks

Hi, many thanks for your exhaustive reply.
Simply put, we are using the VyOS 1.5 IPsec/IKEv2 VPN implementation on the server side + RADIUS authentication.

The actual configuration looks like below:

set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm64'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec esp-group ESP-RW proposal 20 encryption 'aes256gcm64'
set vpn ipsec esp-group ESP-RW proposal 20 hash 'sha256'
set vpn ipsec esp-group ESP-RW proposal 30 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-RW proposal 30 hash 'sha256'
set vpn ipsec esp-group ESP-RW proposal 40 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 40 hash 'sha256'
set vpn ipsec ike-group IKE-RW close-action 'none'
set vpn ipsec ike-group IKE-RW dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-RW dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-RW dead-peer-detection timeout '60'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '7200'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-RW proposal 20 dh-group '14'
set vpn ipsec ike-group IKE-RW proposal 20 encryption 'aes256'
set vpn ipsec ike-group IKE-RW proposal 20 hash 'sha256'
set vpn ipsec ike-group IKE-RW proposal 30 dh-group '22'
set vpn ipsec ike-group IKE-RW proposal 30 encryption 'aes256'
set vpn ipsec ike-group IKE-RW proposal 30 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec log level '2'
set vpn ipsec log subsystem 'any'
set vpn ipsec log subsystem 'cfg'
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius'
set vpn ipsec remote-access connection rw authentication local-id 'repka.xxxxx.yy'
set vpn ipsec remote-access connection rw authentication pre-shared-secret xxxxxx
set vpn ipsec remote-access connection rw authentication server-mode 'x509'
set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'AUTOCHAIN_repka'
set vpn ipsec remote-access connection rw authentication x509 certificate 'repka'
set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
set vpn ipsec remote-access connection rw local-address 'xxx.xxx.59.46'
set vpn ipsec remote-access connection rw pool 'dhcp'
set vpn ipsec remote-access dhcp interface 'eth0'
set vpn ipsec remote-access dhcp server 'xxx.xxx.0.7'
set vpn ipsec remote-access radius server xxxxx.tld key xxxxxx

On Windows the standard VPN client is used, and as I said, in a pure IPv4 network everything is working fine.

==== <snip> ====
Remove-VpnConnection -Name "VyOS IKEv2 VPN" -Force -PassThru

Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "repka.xxxxx.yy" -TunnelType "Ikev2"
Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
==== </snip> ====

The firewall is configured only for IPv4, and the network adapters have only IPv4 addresses.

The mobile operator is definitely not blocking the VPN because, as I said, I can share internet access from the mobile phone and everything is working fine: the Windows client obtains an IPv4 address from the phone, and IPv6 exists somewhere between the mobile operator and the wired ISP.

Below is the normal log using the mobile operator as the internet source and the mobile phone as the access point:

Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 16[NET] <184> received packet: from 94.153.31.178[24624] to XX.YY.59.46[500] (632 bytes)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 16[ENC] <184> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 16[IKE] <184> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 16[IKE] <184> received MS-Negotiation Discovery Capable vendor ID
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 16[IKE] <184> received Vid-Initial-Contact vendor ID
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 16[ENC] <184> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 16[IKE] <184> 94.153.31.178 is initiating an IKE_SA
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 16[CFG] <184> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 16[IKE] <184> remote host is behind NAT
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 16[ENC] <184> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 16[NET] <184> sending packet: from XX.YY.59.46[500] to 94.153.31.178[24624] (456 bytes)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 05[NET] <184> received packet: from 94.153.31.178[24786] to XX.YY.59.46[4500] (580 bytes)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 05[ENC] <184> parsed IKE_AUTH request 1 [ EF(1/3) ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 05[ENC] <184> received fragment #1 of 3, waiting for complete IKE message
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 08[NET] <184> received packet: from 94.153.31.178[24786] to XX.YY.59.46[4500] (580 bytes)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 08[ENC] <184> parsed IKE_AUTH request 1 [ EF(2/3) ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 08[ENC] <184> received fragment #2 of 3, waiting for complete IKE message
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[NET] <184> received packet: from 94.153.31.178[24786] to XX.YY.59.46[4500] (388 bytes)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[ENC] <184> parsed IKE_AUTH request 1 [ EF(3/3) ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[ENC] <184> received fragment #3 of 3, reassembled fragmented IKE message (1376 bytes)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[ENC] <184> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[IKE] <184> received 54 cert requests for an unknown ca
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[CFG] <184> looking for peer configs matching XX.YY.59.46[%any]...94.153.31.178[192.168.26.125]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[CFG] <ra-rw|184> selected peer config 'ra-rw'
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[IKE] <ra-rw|184> initiating EAP_IDENTITY method (id 0x00)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[IKE] <ra-rw|184> peer supports MOBIKE
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[IKE] <ra-rw|184> authentication of 'repka.SERVER.TLD' (myself) with RSA signature successful
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[IKE] <ra-rw|184> sending end entity cert "CN=repka.SERVER.TLD"
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[IKE] <ra-rw|184> sending issuer cert "C=US, O=Let's Encrypt, CN=R10"
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[ENC] <ra-rw|184> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[ENC] <ra-rw|184> splitting IKE message (2928 bytes) into 3 fragments
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[ENC] <ra-rw|184> generating IKE_AUTH response 1 [ EF(1/3) ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[ENC] <ra-rw|184> generating IKE_AUTH response 1 [ EF(2/3) ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[ENC] <ra-rw|184> generating IKE_AUTH response 1 [ EF(3/3) ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[NET] <ra-rw|184> sending packet: from XX.YY.59.46[4500] to 94.153.31.178[24786] (1236 bytes)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[NET] <ra-rw|184> sending packet: from XX.YY.59.46[4500] to 94.153.31.178[24786] (1236 bytes)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 11[NET] <ra-rw|184> sending packet: from XX.YY.59.46[4500] to 94.153.31.178[24786] (596 bytes)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 04[NET] <ra-rw|184> received packet: from 94.153.31.178[24786] to XX.YY.59.46[4500] (96 bytes)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 04[ENC] <ra-rw|184> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 04[IKE] <ra-rw|184> received EAP identity '[email protected]'
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 04[CFG] <ra-rw|184> sending RADIUS Access-Request to server 'PP-PP-PP-50'
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 04[CFG] <ra-rw|184> received RADIUS Access-Challenge from server 'PP-PP-PP-50'
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 04[IKE] <ra-rw|184> initiating EAP_MSCHAPV2 method (id 0x01)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 04[ENC] <ra-rw|184> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 04[NET] <ra-rw|184> sending packet: from XX.YY.59.46[4500] to 94.153.31.178[24786] (112 bytes)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 09[NET] <ra-rw|184> received packet: from 94.153.31.178[24786] to XX.YY.59.46[4500] (160 bytes)
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 09[ENC] <ra-rw|184> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 09[CFG] <ra-rw|184> sending RADIUS Access-Request to server 'PP-PP-PP-50'
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 09[CFG] <ra-rw|184> received RADIUS Access-Challenge from server 'PP-PP-PP-50'
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 09[ENC] <ra-rw|184> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Feb 11 11:40:27 SERVER-VFW046 charon[4960]: 09[NET] <ra-rw|184> sending packet: from XX.YY.59.46[4500] to 94.153.31.178[24786] (128 bytes)
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 03[NET] <ra-rw|184> received packet: from 94.153.31.178[24786] to XX.YY.59.46[4500] (80 bytes)
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 03[ENC] <ra-rw|184> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 03[CFG] <ra-rw|184> sending RADIUS Access-Request to server 'PP-PP-PP-50'
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 03[CFG] <ra-rw|184> received RADIUS Access-Accept from server 'PP-PP-PP-50'
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 03[IKE] <ra-rw|184> RADIUS authentication of '[email protected]' successful
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 03[IKE] <ra-rw|184> EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 03[ENC] <ra-rw|184> generating IKE_AUTH response 4 [ EAP/SUCC ]
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 03[NET] <ra-rw|184> sending packet: from XX.YY.59.46[4500] to 94.153.31.178[24786] (80 bytes)
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[NET] <ra-rw|184> received packet: from 94.153.31.178[24786] to XX.YY.59.46[4500] (112 bytes)
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[ENC] <ra-rw|184> parsed IKE_AUTH request 5 [ AUTH ]
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[IKE] <ra-rw|184> authentication of '192.168.26.125' with EAP successful
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[IKE] <ra-rw|184> authentication of 'repka.SERVER.TLD' (myself) with EAP
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[IKE] <ra-rw|184> peer requested virtual IP %any
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[CFG] <ra-rw|184> sending DHCP DISCOVER for 7a:a7:a1:f1:b7:a1 to 10.1.0.7
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[CFG] <ra-rw|184> received DHCP OFFER 10.1.0.203 from 10.1.0.7
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[CFG] <ra-rw|184> sending DHCP REQUEST for 10.1.0.203 to 10.1.0.7
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[CFG] <ra-rw|184> received DHCP ACK for 10.1.0.203
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[IKE] <ra-rw|184> assigning virtual IP 10.1.0.203 to peer '[email protected]'
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[IKE] <ra-rw|184> peer requested virtual IP %any6
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[IKE] <ra-rw|184> no virtual IP found for %any6 requested by '[email protected]'
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[IKE] <ra-rw|184> IKE_SA ra-rw[184] established between XX.YY.59.46[repka.SERVER.TLD]...94.153.31.178[192.168.26.125]
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[IKE] <ra-rw|184> scheduling rekeying in 6842s
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[IKE] <ra-rw|184> maximum IKE_SA lifetime 7562s
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[CFG] <ra-rw|184> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[IKE] <ra-rw|184> CHILD_SA rw-client{973} established with SPIs cc427af0_i b50d21e8_o and TS 0.0.0.0/0 ::/0 === 10.1.0.203/32
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[ENC] <ra-rw|184> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Feb 11 11:40:28 SERVER-VFW046 charon[4960]: 15[NET] <ra-rw|184> sending packet: from XX.YY.59.46[4500] to 94.153.31.178[24786] (272 bytes)

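The charon log above already records everything needed to see what a dual-stack client is missing: the `CPRQ(... ADDR6 DNS6 SRV6)` request, the `no virtual IP found for %any6` answer (the `pool 'dhcp'` in the VyOS config hands out IPv4 only), and a responder traffic selector of `0.0.0.0/0 ::/0` against a client selector of `10.1.0.203/32`. The script below is an added triage example written for this thread, not VyOS or strongSwan code: it groups charon lines by IKE_SA id, extracts the negotiated proposals, CP attributes, virtual IPs and traffic selectors, and reports the dual-stack gaps. The sample lines are constructed after the log in the thread; the hostname `fw` and the identity `user@example.invalid` are placeholders.

```python
"""Triage a strongSwan (charon) IKEv2 remote-access log for dual-stack problems.

Added example for this thread, not VyOS or strongSwan code. Reads charon syslog
lines, groups them by IKE_SA id, extracts proposals, configuration-payload (CP)
attributes, virtual IPs and traffic selectors, then reports what a dual-stack
client would be missing. Sample lines are constructed after the thread's log;
hostname and identity are placeholders.
"""
import re
from collections import defaultdict

# Constructed sample: one IKE_SA (id 184) from a client behind NAT that asks
# for IPv4 and IPv6 attributes but only receives IPv4.
SAMPLE_LOG = """\
Feb 11 11:40:27 fw charon[4960]: 16[CFG] <184> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Feb 11 11:40:27 fw charon[4960]: 16[IKE] <184> remote host is behind NAT
Feb 11 11:40:27 fw charon[4960]: 11[ENC] <184> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Feb 11 11:40:28 fw charon[4960]: 15[IKE] <ra-rw|184> peer requested virtual IP %any
Feb 11 11:40:28 fw charon[4960]: 15[IKE] <ra-rw|184> assigning virtual IP 10.1.0.203 to peer 'user@example.invalid'
Feb 11 11:40:28 fw charon[4960]: 15[IKE] <ra-rw|184> peer requested virtual IP %any6
Feb 11 11:40:28 fw charon[4960]: 15[IKE] <ra-rw|184> no virtual IP found for %any6 requested by 'user@example.invalid'
Feb 11 11:40:28 fw charon[4960]: 15[CFG] <ra-rw|184> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Feb 11 11:40:28 fw charon[4960]: 15[IKE] <ra-rw|184> CHILD_SA rw-client{973} established with SPIs cc427af0_i b50d21e8_o and TS 0.0.0.0/0 ::/0 === 10.1.0.203/32
Feb 11 11:40:28 fw charon[4960]: 15[ENC] <ra-rw|184> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
"""

# "charon[pid]: thread[SUBSYS] <conn|sa-id> message" or "<sa-id> message"
LINE_RE = re.compile(r"charon\[\d+\]: \d+\[[A-Z]+\] <(?:[\w-]+\|)?(\d+)> (.*)$")


def new_sa():
    return {"ike_proposal": None, "esp_proposal": None, "nat": False,
            "cp_requested": [], "cp_replied": [], "vip_assigned": [],
            "vip_unfulfilled": [], "ts_local": [], "ts_remote": []}


def parse_charon(text):
    """Group charon lines by IKE_SA id and extract the negotiation facts."""
    sas = defaultdict(new_sa)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sa, msg = sas[int(m.group(1))], m.group(2)
        if msg.startswith("selected proposal: IKE:"):
            sa["ike_proposal"] = msg.split("IKE:", 1)[1]
        elif msg.startswith("selected proposal: ESP:"):
            sa["esp_proposal"] = msg.split("ESP:", 1)[1]
        elif "remote host is behind NAT" in msg:
            sa["nat"] = True
        cprq = re.search(r"CPRQ\(([^)]*)\)", msg)   # attributes the client asked for
        if cprq:
            sa["cp_requested"] = cprq.group(1).split()
        cprp = re.search(r"CPRP\(([^)]*)\)", msg)   # attributes the responder returned
        if cprp:
            sa["cp_replied"] = cprp.group(1).split()
        vip = re.match(r"assigning virtual IP (\S+) to peer", msg)
        if vip:
            sa["vip_assigned"].append(vip.group(1))
        miss = re.match(r"no virtual IP found for (\S+) requested by", msg)
        if miss:
            sa["vip_unfulfilled"].append(miss.group(1))
        ts = re.search(r" TS (.+?) === (.+)$", msg)  # local selectors === remote selectors
        if ts:
            sa["ts_local"], sa["ts_remote"] = ts.group(1).split(), ts.group(2).split()
    return dict(sas)


def assess(sa):
    """Return human-readable findings for one IKE_SA; an empty list means nothing odd."""
    findings = []
    v6_requested = sorted(a for a in sa["cp_requested"] if a.endswith("6"))
    v6_assigned = [ip for ip in sa["vip_assigned"] if ":" in ip]
    if v6_requested and not v6_assigned:
        findings.append("client requested IPv6 attributes %s but the responder replied only %s"
                        % (" ".join(v6_requested), " ".join(sa["cp_replied"]) or "nothing"))
    if "%any6" in sa["vip_unfulfilled"]:
        findings.append("no IPv6 virtual IP could be assigned: the responder has no IPv6 pool")
    if "::/0" in sa["ts_local"] and not v6_assigned:
        findings.append("responder offers ::/0 in its traffic selector while the client holds no "
                        "tunnel IPv6 address; check how the client routes IPv6 on a native IPv6 uplink")
    if sa["ike_proposal"] and "GCM" not in sa["ike_proposal"]:
        findings.append("IKE_SA negotiated a non-AEAD cipher (%s); compare with the client's "
                        "configured EncryptionMethod" % sa["ike_proposal"].split("/")[0])
    if sa["nat"]:
        findings.append("peer is behind NAT, ESP is UDP-encapsulated on port 4500")
    return findings


if __name__ == "__main__":
    for sa_id, sa in sorted(parse_charon(SAMPLE_LOG).items()):
        print("IKE_SA %d: IKE=%s ESP=%s" % (sa_id, sa["ike_proposal"], sa["esp_proposal"]))
        for finding in assess(sa):
            print("  -", finding)
```

Feed it a real `journalctl -u strongswan` capture instead of `SAMPLE_LOG` and compare the findings between a session started on a pure IPv4 uplink and one started on the IPv6-only mobile network: if the server-side facts (proposals, CP reply, selectors) are identical in both, the difference has to be on the client side, which is the conclusion the thread reaches later.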
Compare the config that VyOS generated for strongswan.conf with the example configs in Strongswan IPv6 Configuration Examples :: strongSwan Documentation


Thanks for the direction.
It looks like there is no exact case in the strongSwan examples.

IPv6 in IPv4 tunnel mode with virtual IP
It is the opposite model, but I will try to check the overall idea.

I just want to check: is /etc/strongswan.conf the correct starting point?

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

swanctl

cat /etc/swanctl/swanctl.conf

Hi,

It looks like the problem is not in the server part but in the Windows 10/11 client.
After a few days spent on various drum beating, studying configurations and reading about IPv6 stuff, I created a test VPN on the latest Android (Samsung S24) and everything is working fine from both WiFi and LTE connections.

It looks like the Windows client has some problem with the IPv6/IPv4 dual-stack configuration.
The SplitTunneling option is OFF.

Looking forward to a miracle and googling…

