Hi All:

I have already checked with the strongswan mailing list on this and it is not a strongswan issue. Strongswan simply uses the local lookup, whatever that might be.

We use two cell phone providers Airtel and Vodafone. Airtel works fine, no issues.

With Vodafone about 30% of the time, we get this:

root@CORS144:~# nslookup cors.surveyofindia.gov.in
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      cors.surveyofindia.gov.in
Address 1: 64:ff9b::67cd:f46a
Address 2: 103.205.244.106

Why is nslookup returning an IPv6 IP address?

IPv6 is disabled:

root@CORS114:~# cat  /proc/sys/net/ipv6/conf/all/disable_ipv6
1
root@CORS114:~# cat  /proc/sys/net/ipv6/conf/default/disable_ipv6
1

So what is going on? I am using a FQDN in the strongswan connection profile in case we change ISPs. The issue goes away if I use an IP address but I don't want to do that.

I have tried creating this file:

root@CORS144:~# cat /etc/gai.conf
precedence ::ffff:0:0/96 100
scopev4 ::ffff:169.254.0.0/112 2
scopev4 ::ffff:127.0.0.0/104 2
scopev4 ::ffff:0.0.0.0/96 14

To force precedence of IPv4 over IPv6 but it's not working.

Why is the RUT-950 using IPv6 when it is clearly disabled?

How can I FORCE IT to not use IPv6?

Cheers,

john
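
An added example, not part of the original post: `64:ff9b::/96` is the NAT64 well-known prefix (RFC 6052), and the low 32 bits of the address in the nslookup output above, `67cd:f46a`, decode to `103.205.244.106`, the same host as Address 2, which is what a DNS64 resolver synthesizes regardless of the router's own `disable_ipv6` setting. The sketch below decodes such addresses and labels each answer in nslookup output; the function names are hypothetical and it assumes the compressed address form shown above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes the compressed form nslookup printed (64:ff9b::xxxx:xxxx).

# Print the IPv4 address embedded in an address under the NAT64 well-known
# prefix 64:ff9b::/96 (RFC 6052). Returns 1 for any other address.
nat64_embedded_v4() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$addr" in
        64:ff9b::*) rest=${addr#64:ff9b::} ;;
        *) return 1 ;;
    esac
    case "$rest" in
        *:*:*|*.*) return 1 ;;               # 3+ groups fall outside the /96; mixed notation not handled
        *:*) hi=${rest%%:*}; lo=${rest#*:} ;;
        *)   hi=0; lo=${rest:-0} ;;          # e.g. 64:ff9b::1 or 64:ff9b::
    esac
    # Each group must be 1-4 hex digits before it is used in arithmetic.
    for g in "$hi" "$lo"; do case "$g" in ""|?????*|*[!0-9a-f]*) return 1 ;; esac; done
    hi=$((0x$hi)); lo=$((0x$lo))
    printf '%d.%d.%d.%d\n' $((hi >> 8)) $((hi & 255)) $((lo >> 8)) $((lo & 255))
}

# Read BusyBox-style nslookup output on stdin and label each answer address.
# Lines before "Name:" describe the resolver itself and are skipped.
classify_answers() {
    in_answer=0
    while read -r key _n value _rest; do
        case "$key" in
            Name:) in_answer=1; continue ;;
            Address) [ "$in_answer" -eq 1 ] || continue ;;
            *) continue ;;
        esac
        if v4=$(nat64_embedded_v4 "$value"); then
            echo "dns64-synthesized $value embeds $v4"
        else
            echo "as-published $value"
        fi
    done
}

# Sample input: the nslookup output quoted in the question.
sample='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      cors.surveyofindia.gov.in
Address 1: 64:ff9b::67cd:f46a
Address 2: 103.205.244.106'

printf '%s\n' "$sample" | classify_answers
```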

1 Answer

Hello,

Could you post screenshots of your IPsec configuration? (You can blur out sensitive information, such as IPs, etc.)

Regards.
by
root@CORSmine:~# cat /etc/config/strongswan

config conn 'SOICC'
        option enabled '1'
        option keyexchange 'ikev2'
        option ipsec_type 'tunnel'
        option leftfirewall 'yes'
        option forceencaps 'no'
        option dpdaction 'restart'
        option right 'cors.surveyofindia.gov.in'
#       option right '103.205.244.106'
        option keep_enabled '1'
        option ping_ipaddr '192.168.48.1'
        option ping_period '15'
        option allow_webui '1'
        option ike_encryption_algorithm 'my encryption'
        option ike_authentication_algorithm 'my authentication'
        option ike_dh_group 'my dh group'
        option esp_encryption_algorithm 'my encryption'
        option esp_hash_algorithm 'my hash'
        option esp_pfs_group 'my pfs'
        option keylife '4h'
        option my_identifier 'keyid:CORSmine'
        option rightid 'keyid:CCthem'
        option rightfirewall 'no'
        option dpddelay '30'
        option dpdtimeout '30'
        option ikelifetime '5h'
        option auto 'start'
        option auth 'psk'
        list leftsubnet '2.2.2.144/32'
        list rightsubnet '1.1.1.10/32'
        option aggressive 'no'

config preshared_keys
        option psk_key 'The CC router psk'
        list id_selector 'keyid:CCthem keyid:CORSmine'

config preshared_keys
        option psk_key 'The remote router psk'
        list id_selector 'keyid:CORSmine keyid:CCthem'

config preshared_keys