[strongSwan] Client issues with ipv6
Robert Senger
rs-ssw at microscopium.de
Sun Feb 1 15:17:36 CET 2015
Hi all,
I am quite new to ipsec, just started yesterday setting up strongswan
based ipsec in a dedicated test environment. The test environment
consists of a VPN gateway, which runs on ipv4/ipv6 dual stack on both WAN
and LAN interface, and provides three different WLANs (ipv4 only, dual
stack, ipv6 only). The local LAN network is not accessible from the
internet and from all the WLAN subnets. The goal is to use ipsec VPN for
roadwarriors and local WLAN clients to allow full dual stack access to
the local LAN, regardless of which environment (ipv4 or ipv6 only, or
dual stack) they are in.
All works fine with OpenVPN, with some minor ipv6 client issues (OpenVPN
clients are unable to accept ipv6 DNS addresses; on Android the ipv6 pseudo
default route must be set manually or by an up/down script).
With strongswan ipsec, I get nearly the same working configuration,
except for some ipv6 issues on nearly all clients. I wonder if I could
change anything in the gateway's configuration to solve these problems.
Here's the gateway's configuration:
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=mydomain.de
    leftsubnet=0.0.0.0/0,::/0
    leftcert=mydomain_de_crt.pem
    right=%any
    rightdns=192.168.0.200,2001:a:b:c:1:2:3:200
    rightsourceip=10.8.10.0/24,2001:a:b:e::/120
    #rightsubnet=0.0.0.0/0,::/0

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    keyexchange=ikev2
    auto=add
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
Now, the client problems...
1. Linux, ipsec command line client
No issues, works just perfect!
Configuration:
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn MYDOMAIN_IPSEC
    eap_identity=itsme
    leftauth=eap-mschapv2
    left=%defaultroute
    leftcert=itsme_crt.pem
    leftid=itsme
    #leftfirewall=yes
    leftsourceip=%config4,%config6
    right=mydomain.de
    rightid=mydomain.de
    rightsubnet=0.0.0.0/0,::/0
    #rightfirewall=yes
    keyexchange=ikev2
    auto=add
2. Linux, strongswan network-manager plugin
The Gnome NetworkManager plugin seems to not support ipv6 at all, is
that right? Are there plans to add ipv6 to this plugin?
3. Windows 7 Professional, native client
No ipv6 connectivity.
The Win7 client connects to the VPN gateway, and ipv4 connectivity is
established. But ipv6 fails, although the tun interface gets the correct
ipv6 address assigned. This results in a broken ipv6 configuration.
Applications need to fall back to ipv4 if they prefer ipv6 (as it is
recommended), but fail to connect via ipv6. Any suggestions, maybe other
client software?
4. Android strongswan client, on 4.4.4 kitkat
No ipv6 connectivity.
It seems that the client supports ipv6, the interface gets a correct
ipv6 address assigned. ipv4 works, but ipv6 fails. I need to manually
add an ipv6 default route with "ip -6 r a default dev tun0" on a root
terminal. After that, dual stack works fine. Is that a known issue that
will be fixed?
Maybe this is actually an Android bug rather than a strongswan bug, as
with OpenVPN I see exactly the same problem, but the OpenVPN client
offers hooks to run up/down scripts that I use to add/remove the ipv6
(pseudo) default route "2000::/3 dev tun0".
However, ipv4 connectivity works like a charm with all tested clients!
Cheers,
Robert
--
Robert Senger <robert.senger at microscopium.de>
PGP/GPG Public Key ID: 24E78B5E
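The Android and Windows symptoms above share one shape: the tunnel interface receives an IPv6 address, but no IPv6 default route (or the "2000::/3" pseudo default) points at it, so applications that prefer IPv6 time out before falling back. The following shell snippet is an added example, not part of the original message or of strongSwan; it reads "ip -6 route" style output and reports whether the tunnel interface carries such a route, which is the check one would run (from a root terminal, as the post describes) before concluding the VPN is broken. The function and wrapper names, the interface name tun0, and the route-table samples are constructed for illustration; the addresses follow the pools in the gateway configuration above.

```shell
#!/bin/sh
# Added example (not from the original message): decide whether an IPv6
# default route, or the 2000::/3 "pseudo default" route mentioned in the
# post, points at the VPN tunnel interface.
# Usage: ip -6 route | tunnel_has_v6_default tun0   (exit 0 = found, 1 = missing)
tunnel_has_v6_default() {
  awk -v dev="$1" '
    ($1 == "default" || $1 == "2000::/3") {
      # look for "dev <name>" anywhere on the matching route line
      for (i = 1; i <= NF; i++)
        if ($i == "dev" && $(i + 1) == dev) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample: the broken state described for Android/Win7. The
# tunnel has an address from the 2001:a:b:e::/120 pool, but the only
# default route still points at the WLAN uplink.
BROKEN_TABLE='2001:a:b:e::5 dev tun0 proto kernel metric 256
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 1024'

# Constructed sample: the working state after "ip -6 r a default dev tun0".
FIXED_TABLE='2001:a:b:e::5 dev tun0 proto kernel metric 256
fe80::/64 dev wlan0 proto kernel metric 256
default dev tun0 metric 1024
default via fe80::1 dev wlan0 proto ra metric 1024'

# Wrapper that prints "ok" or "missing" for a given interface and table text.
check_table() {
  if printf '%s\n' "$2" | tunnel_has_v6_default "$1"; then
    echo ok
  else
    echo missing
  fi
}

check_table tun0 "$BROKEN_TABLE"   # prints: missing
check_table tun0 "$FIXED_TABLE"    # prints: ok
```

On a live client the same function can be fed the real table ("ip -6 route | tunnel_has_v6_default tun0 || echo 'no IPv6 default via tun0'"), which distinguishes the routing problem described here from an address-assignment problem, since the tunnel address line alone does not satisfy the check.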