Closed boerichsen closed 3 years ago
We know the issue and we are working on a fix. But with your old version you need to use ip address.
On Wed, 30 Sep 2020, bleve wrote:
We know the issue and we are working on a fix. But with your old version you need to use ip address.
Could a workaround be to have a DNS entry that only has an IPv4 A record without an IPv6 record? E.g. if you have something like:
vpn.nohats.ca IN A 193.110.157.148
vpn.nohats.ca IN AAAA 2a03:6000:1004:1::148
To add:
vpn4.nohats.ca IN A 193.110.157.148
And then use vpn4.nohats.ca in your configuration for now?
Issue is that there is no AAAA record. Only an IPv4 A record for the domain.
On Wed, 30 Sep 2020, Bo Erichsen wrote:
Issue is that there is no AAAA record. Only an IPv4 A record for the domain.
Oh, that is good to know. I have also replicated the issue.
Paul
@boerichsen Can you please try with selinux in permissive mode?
setenforce 0
systemctl restart ipsec.service
check if vpn works.
grep denied /var/log/audit/audit.log
setenforce 1
I just got notified about an selinux issue which prevents dns resolving, I'd like to get verification from you.
Please show us the content of /etc/resolv.conf. If this is pointing to 127.0.0.53, then you are using systemd-resolved. There are known DNS problems with this DNS server stripping DNSSEC data, which can prevent all resolving, even if your domain itself does not use DNSSEC.
If this is the case for you, please change it to 8.8.8.8 or something and then restart libreswan and see if it works properly then?
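The three checks suggested in this thread (does the name have only an A record, did SELinux deny pluto's DNS traffic, is /etc/resolv.conf pointing at the 127.0.0.53 systemd-resolved stub) gathered into one added Python diagnostic. This is example code written for this thread, not part of the issue, of libreswan, or of any reply above. The resolv.conf text and audit.log lines embedded below are constructed samples, the AVC field layout is assumed from standard SELinux audit records, and only resolve() needs network access.

```python
"""Added diagnostic for the libreswan DNS-resolution problem discussed above.
Not libreswan code; sample inputs are constructed."""
import ipaddress
import re
import socket
from typing import Dict, Iterable, List

SYSTEMD_RESOLVED_STUB = "127.0.0.53"

# Constructed sample of a resolv.conf written by systemd-resolved.
SAMPLE_RESOLV_CONF = """# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
options edns0
"""

# Constructed sample audit lines: one denial for pluto reaching a DNS port,
# one unrelated denial that the filter must ignore. Field layout assumed
# from the usual SELinux AVC record format.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1601453239.412:911): avc:  denied  { name_connect } for  '
    'pid=24775 comm="pluto" dest=53 scontext=system_u:system_r:ipsec_t:s0 '
    'tcontext=system_u:object_r:dns_port_t:s0 tclass=tcp_socket permissive=0\n'
    'type=AVC msg=audit(1601453240.001:912): avc:  denied  { read } for  '
    'pid=1000 comm="sshd" name="foo" dev="sda1" ino=1 '
    'scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=file permissive=0\n'
)


def resolv_conf_nameservers(text: str) -> List[str]:
    """Return nameserver addresses from resolv.conf contents, comments skipped."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def uses_systemd_resolved_stub(text: str) -> bool:
    """True when resolv.conf points at the systemd-resolved stub listener."""
    return SYSTEMD_RESOLVED_STUB in resolv_conf_nameservers(text)


def classify_addresses(addrs: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket addresses into A (IPv4) and AAAA (IPv6), as a DNS answer would."""
    out: Dict[str, List[str]] = {"A": [], "AAAA": []}
    for a in addrs:
        ip = ipaddress.ip_address(a)
        out["A" if ip.version == 4 else "AAAA"].append(str(ip))
    return out


def resolve(hostname: str) -> Dict[str, List[str]]:
    """Live lookup through the system resolver (needs network)."""
    addrs = {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    return classify_addresses(sorted(addrs))


AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]+)"'
    r'(?:.*?dest=(?P<dest>\d+))?.*?tclass=(?P<tclass>\S+)'
)


def denials_for(audit_text: str, comm: str = "pluto") -> List[Dict[str, str]]:
    """Extract AVC denials for one process name (what `grep denied` shows, parsed)."""
    hits = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue
        hits.append({"perm": m.group("perm"), "dest": m.group("dest") or "",
                     "tclass": m.group("tclass")})
    return hits


def findings(resolv_text: str, audit_text: str, addrs: Iterable[str]) -> List[str]:
    """Combine the three checks into human-readable findings."""
    out = []
    if uses_systemd_resolved_stub(resolv_text):
        out.append("resolv.conf points at systemd-resolved stub 127.0.0.53")
    records = classify_addresses(addrs)
    if records["AAAA"]:
        out.append("name has AAAA record(s): %s" % ", ".join(records["AAAA"]))
    for d in denials_for(audit_text):
        out.append("SELinux denied pluto %s on %s (dest=%s)" % (d["perm"], d["tclass"], d["dest"]))
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_RESOLV_CONF, SAMPLE_AUDIT_LOG,
                      ["193.110.157.148", "2a03:6000:1004:1::148"]):
        print(f)
```

To run it against a real host, read /etc/resolv.conf and /var/log/audit/audit.log into the two text arguments and pass resolve(hostname)["A"] + resolve(hostname)["AAAA"] as the address list; the SELinux check is only meaningful when run as a user allowed to read the audit log.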
This issue was fixed in libreswan 4.1 - please upgrade
Hi guys
ipsec version: Linux Libreswan 3.23 (netkey) on 4.15.0-64-generic
I get the following issue when I have the following configuration file:
left=%defaultroute
right=the-real-domain-name-of-my-firewall
Sep 30 10:07:19 gns3 pluto[24775]: "FortigateIPSEC": We cannot identify ourselves with either end of this connection. 2xx.1xx.2xx.1xx or 0.0.0.0 are not usable
I obscured the IP address for privacy.
It works if I replace the domain name with the IPv4 address. The domain name resolves correctly.