Re: OT: IPsec over IPv6 with wwan (qmi/mbim)

From: Bjørn Mork <bjorn mork no>
To: Thomas Schäfer <tschaefer t-online de>
Cc: networkmanager-list gnome org
Subject: Re: OT: IPsec over IPv6 with wwan (qmi/mbim)
Date: Tue, 03 Jul 2018 11:31:39 +0200

Thomas Schäfer <tschaefer t-online de> writes:

Hi,

I am in a discussion with my mobile isp if ipsec over ipv6 is working or not.
Hi says he has it tested with scapy and strongswan.

I used a simple test script from here https://gist.github.com/vi/5628320 based 
on ipsec-tools.

It works as long my mobile isp is not involved. (WiFi and LAN)

(tested between three independent ISPs (telekom dsl, uni campus (lrz) and 
freifunk muc (spacenet).

Ping works every time, ssh/tcp fails sometimes with mtu problems.

My questions are: 
Has somebody experiences with IPsec/IPv6 especially over LTE/UMTS?



Works for me, after using the simplevpn script to set up a tunnel with
default addresses:

PING 192.168.77.2 (192.168.77.2) 56(84) bytes of data.
64 bytes from 192.168.77.2: icmp_seq=1 ttl=64 time=36.6 ms
64 bytes from 192.168.77.2: icmp_seq=2 ttl=64 time=62.8 ms
64 bytes from 192.168.77.2: icmp_seq=3 ttl=64 time=101 ms
64 bytes from 192.168.77.2: icmp_seq=4 ttl=64 time=66.8 ms
64 bytes from 192.168.77.2: icmp_seq=5 ttl=64 time=33.1 ms

--- 192.168.77.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 33.108/60.216/101.685/24.750 ms

Capturing on 'wwan0'
    1 0.000000000  2a02:2121:349:9163:e07c:aaff:fedc:cee2 → 2001:4641::1 ESP (SPI=0x00004444) 206 ESP
    2 0.036410639  2001:4641::1 → 2a02:2121:349:9163:e07c:aaff:fedc:cee2 ESP (SPI=0x00004444) 198 ESP
    3 1.001989442  2a02:2121:349:9163:e07c:aaff:fedc:cee2 → 2001:4641::1 ESP (SPI=0x00004444) 206 ESP
    4 1.064596830  2001:4641::1 → 2a02:2121:349:9163:e07c:aaff:fedc:cee2 ESP (SPI=0x00004444) 198 ESP
    5 2.003043305  2a02:2121:349:9163:e07c:aaff:fedc:cee2 → 2001:4641::1 ESP (SPI=0x00004444) 206 ESP
    6 2.104565066  2001:4641::1 → 2a02:2121:349:9163:e07c:aaff:fedc:cee2 ESP (SPI=0x00004444) 198 ESP
    7 3.005291004  2a02:2121:349:9163:e07c:aaff:fedc:cee2 → 2001:4641::1 ESP (SPI=0x00004444) 206 ESP
    8 3.071902655  2001:4641::1 → 2a02:2121:349:9163:e07c:aaff:fedc:cee2 ESP (SPI=0x00004444) 198 ESP
    9 4.006849168  2a02:2121:349:9163:e07c:aaff:fedc:cee2 → 2001:4641::1 ESP (SPI=0x00004444) 206 ESP
   10 4.039673411  2001:4641::1 → 2a02:2121:349:9163:e07c:aaff:fedc:cee2 ESP (SPI=0x00004444) 198 ESP
^C10 packets captured



$ ip route get  2001:4641::1
2001:4641::1 from :: via 2a02:2121:349:9163:c17a:7dbd:7620:af0 dev wwan0 proto static src 
2a02:2121:349:9163:e07c:aaff:fedc:cee2 metric 700  pref medium
$ ls -l /sys/class/net/wwan0/device/driver
lrwxrwxrwx 1 root root 0 Jul  3 09:03 /sys/class/net/wwan0/device/driver -> 
../../../../../../bus/usb/drivers/cdc_mbim


This is in the Telenor Norway mobile network.

$ traceroute 2001:4641::1
traceroute to 2001:4641::1 (2001:4641::1), 30 hops max, 80 byte packets
 1  2a02:2121:349:9163:: (2a02:2121:349:9163::)  145.502 ms  145.435 ms  145.418 ms
 2  * * *
 3  2a02:2120::5000:0:0:31 (2a02:2120::5000:0:0:31)  145.351 ms  145.337 ms  145.322 ms
 4  ti280839047j370-ae1-20.ti.telenor.net (2001:4600:a:101::972)  145.312 ms  145.293 ms  145.281 ms
 5  ti0300a401-ae17-21.ti.telenor.net (2001:4600:9:500:1::c9)  159.875 ms  159.860 ms  159.842 ms
 6  ti0001c360-lo0-0.ti.telenor.net (2001:4600:0:100::23)  145.220 ms  28.261 ms  28.178 ms
 7  ti0036a400-lo0-0.ti.telenor.net (2001:4600:0:200::5d)  28.134 ms  37.666 ms  37.653 ms
 8  canardo.mork.no (2001:4641::1)  44.968 ms  45.450 ms  45.436 ms

Is it possible that the linux driver(wwan)  blocks/drops such packets?


No, I don't see how that would happen.  None of the drivers care about
the payload.  They never look further than the IP header.  So if IPv6
works, then anything over IPv6 should also work.

But I can easily imagine how this is screwed up in operator networks...
There is usually a firewall between the mobile clients and the Internet
(also so in my case), and this firewall *will* look further into the
packets and do all sorts of ALG magic. If the operator never saw a
reason to support ESP, then it could very well be blocked. They have
explicitly said that they have tested ESP over IPv6?  Maybe they have
fragmentation issues?  Did you try changing the MTU of the tunnel to
something even more "safe", like 1280?

If you still have problems, then maybe they'll listen if you repeat the
test with a phone or Windows PC?  There is a strongswan app for Android.
Never tested it myself, but I assume it works.


Bjørn

Follow-Ups:
- Re: OT: IPsec over IPv6 with wwan (qmi/mbim)
  - From: Thomas Schäfer

References:
- OT: IPsec over IPv6 with wwan (qmi/mbim)
  - From: Thomas Schäfer

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]