FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14235 questions

16883 answers

27771 comments

54477 members

0 votes
158 views 4 comments
by
Hi All:

We make use of two cell providers in India, Airtel and Vodafone.

Airtel, where there is coverage, works as expected.

Vodafone gives us the following issues:

1. It can take upto 3 minutes for a connection to come up, so strongswan fails as the name lookup fails for our IPSec responder,

2. When the connection finally does come up, from another ssh console I can ping our IPSec responder but watching the log, using logread -f, I see strongswan trying to connect to the IPSec responder using an IPV6 address.

Why is it doing that? We have disabled IPV6 but nslookup is returning an IPv4 and IPV6 address for the responder.

We never have this issue with airtel.

Why is Vodafone doing this and how can we force strongswan to use only the IPV4 address?

Cheers,

John
by
Hello:

This gets even more strange....

If I setup the ipsec.conf (/etc/config/strongwan) as:

right       TheFullyQualifiedDomainName

and then I do this:

nslookup TheFullyQualifiedDomainName

I will get an IPv4 and IPv6 address and strongswan will use the IPv6 address.....there is no vpn setup on the IPv6 address.

If I setup ipsec.conf (/etc/config/strongswan) like this:

right       A.B.C.D

and then I do this:

nslookup TheFullyQualifiedDomainName

I will get only the IPv4 address A.B.C.D and strongswan will use this for the connection and it works.

But if we use airtel, it works either way.

Can anyone make sense of this?

Cheers,

john

1 Answer

0 votes
by
Hello,

It looks interesting situation, I would like to see what is happening at my end.
Can you suggest me steps to reproduce same setup at my end.

I need below inputs from you.
Which Teltonika router/gateway you are using with VI or Airtel SIM.
What is the responder / VPN HUB and whether it is using DDNS or a public IP.
Are you using main mode or aggressive mode.
And last thing is what is FW version in Teltonika device ?
by
Duplicating the fault is simple.

1. Setup your strongswan config using a URL,

2. Put in a Vodafone SIM,

3. Try and connect while watching logread -f,

4. You will see it failing to connect to your IPV4 IPSec responder because its trying to connect to IPv6 address.

Even with all the IpV6 setting switched to off it does this. Airtel does not, BNSL does not, only Vodafone.

If you adjust the strongswan config to using an IPv4 IP address rather than a URL, then it works as expected.

Cheers,

John
by
Hey,

Thanks for input.
I need to arrange a VI sim which I will do till Monday.
May be early.
From your response it looks like you are using URL (DDNS may be at responder side) is it correct?
And also you have not mentioned the device which you are using.

A small request, can you share ts file from router/gateway which you are using.
Navigate to below path and download file and share with me.
System>administration>troubleshoot file
by
Hello,

I have observed the same issue.
When DDNS is used no matter which DDNS I use VI is takin mw to ipv6 and due to which the VPN i not getting established.
 

Thu Oct 21 13:10:39 2021 daemon.err insmod: module is already loaded - xt_length                        

Thu Oct 21 13:10:46 2021 daemon.info syslog: 09[IKE] retransmit 2 of request with message ID 0          

Thu Oct 21 13:10:46 2021 daemon.info syslog: 09[NET] sending packet: from ::[500] to fd00:0:b:33::75e6:f

055[500] (594 bytes)                                                                                    

Thu Oct 21 13:10:46 2021 daemon.info syslog: 04[NET] error writing to socket: Permission denied         

Thu Oct 21 13:10:59 2021 daemon.info syslog: 10[IKE] retransmit 3 of request with message ID 0          

Thu Oct 21 13:10:59 2021 daemon.info syslog: 10[NET] sending packet: from ::[500] to fd00:0:b:33::75e6:f