Hi Stephen,<br><br>Thank you for taking time and sharing your thoughts.<br><br>I have no issues with IPV6 adresses in Chrome, only hostnames. However the same hostnames do work in other apps, for example Firefox and a random ping/dns-lookup app on the phone. It seems like Chrome isn't making any AAAA-lookups while connected to an IPv6 enabled VPN, if the underlying network connection isnt. So much for tunneling :)<br><br>I found the following discussion and believe this may very well be the problem. A bug in Chrome.<br><br><a href="https://github.com/schwabe/ics-openvpn/issues/609">https://github.com/schwabe/ics-openvpn/issues/609</a><br><br>---- Stephen Ayotte skrev ----<br><br><div dir="ltr">Chrome uses an internal name resolver, different from Firefox's. Have you tried connecting directly to an IPv6 address in Chrome?<div><br></div><div>e.g. "https://[2607:f8b0:4004:80f::200e]/" <-- this is <a href="https://ipv6.google.com">https://ipv6.google.com</a> as resolved from my location, but please resolve on your own so you know I'm not sending you to a nefarious destination :)</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 6, 2017 at 6:10 AM, Dusan Ilic <span dir="ltr"><<a href="mailto:dusan@comhem.se" target="_blank">dusan@comhem.se</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello again,<br>
<br>
It seems that the issue actually isn't with either Strongswan nor Android OS. If I'm connected by wifi locally to the LAN, IPv6 works great in every way, however when remotely using Stronswan Android client to connect IPv6 doesn't work in Google Chrome. First I thought it had something to do with DNS-assignment in Strongswan, but, when I try Firefox mobile IPv6 works. I have even ruled out IPv4 by creating a new, separate tunnel with only IPv6 assignment (and enabling block IPv4-traffic in Strongswan client) and IPv6 internet still work in Firefox, but not in Google Chrome (DNS-names). Also I can use other Android apps like ping and ping both IPv6 adresses directly and even domain names only having AAAA-records.<br>
<br>
Any ideas or suggestios why it's behaving like this?<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
Den <a href="tel:2017-05-31">2017-05-31</a> kl. 14:13, skrev Dusan Ilic:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Okey, that's too bad. There isn't any workaround to make IPv6 DNS work on Android Strongswan client? When pushing an IPv6 DNS Strongswan iseem to fail to install any DNSes, and just falls back to the mobile/Wifis-networks configured DNS-servers.<br>
<br>
<br>
Den <a href="tel:2017-05-31">2017-05-31</a> kl. 12:52, skrev Noel Kuntze:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I can access IPv6 here just fine and the IPv4 DNS traffic is NATed to my local DNS server on my VPN server,<br>
but Android doesn't seem to be able to resolve any names, if I push just an IPv6 DNS server to it.<br>
It also doesn't send any DNS requests over IPv6.<br>
<br>
I think this is likely a bug in Android, rather than in the strongSwan app.<br>
<br>
PS: Always send to the list, too (unless it's actually private)<br>
<br>
On <a href="tel:31.05.2017%2010" value="+13105201710" target="_blank">31.05.2017 10</a>:01, Dusan Ilic wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm experiencing a new problem, somehow DNS is not working as it should on IPv6.<br>
I can see in the Strongswan Android app log that both IPv4 and IPv6 DNS-servers are assigned, according to my configuration in <a href="http://ipsec.conf">ipsec.conf</a> (both are my Strongswan host), but only IPv4 hostnames are resolved. I can ping IPv6 addresses only by IP, but cannot access any domain with AAAA-record.<br>
<br>
I have tried replacing the IPv6 DNS-server with Googles public too, but that doesn't make any difference.<br>
Even more strange, when assigning both DNS-servers it seems that the Android client is using the 4G-providers DNS-servers instead (no internal hostnames on the local DNS resolves), when removing the IPv6 from rightdns it starts working again (however, no IPv6 resolving). Also only assigning IPv6 DNS-server doesn't work either.<br>
<br>
<br>
<br>
Could this be a bug?<br>
<br>
<br>
Den <a href="tel:2017-05-30">2017-05-30</a> kl. 11:57, skrev Dusan Ilic:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Okey, I found the issue. The Linux kernel modules for IPsec IPv6 were not loaded as I haven't used them before. Loaded them now and it works.<br>
<br>
<br>
Den <a href="tel:2017-05-29">2017-05-29</a> kl. 08:41, skrev <a href="mailto:dusan@comhem.se" target="_blank">dusan@comhem.se</a>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Noel,<br>
<br>
I have tried both command "ping" and "ping6". I can ping other local hosts and external IPv6-adresses with "ping6".<br>
Unfortunately command "iptables6-save" and " sysctl -A | grep <a href="http://net.ipv6.conf">net.ipv6.conf</a>.*forwarding" doesn't work on my Linux router (not found), but here are "ip6tables -L -v".<br>
<br>
# ip6tables -L -v<br>
Chain INPUT (policy DROP 0 packets, 0 bytes)<br>
pkts bytes target prot opt in out source destination<br>
0 0 DROP all any any anywhere anywhere rt type:0 segsleft:0<br>
<a href="tel:80 12467">80 12467</a> ACCEPT all any any anywhere anywhere state RELATED,ESTABLISHED<br>
0 0 ACCEPT ipv6-nonxt any any anywhere anywhere length 40<br>
0 0 shlimit tcp br0 any anywhere anywhere tcp dpt:ssh state NEW<br>
<a href="tel:14952 1175">14952 1175</a>K ACCEPT all br0 any anywhere anywhere<br>
0 0 ACCEPT all lo any anywhere anywhere<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp destination-unreachable<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp packet-too-big<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp time-exceeded<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp parameter-problem<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp echo-request<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp echo-reply<br>
<a href="tel:522 37584">522 37584</a> logaccept ipv6-icmp any any anywhere anywhere ipv6-icmptype 130<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmptype 131<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmptype 132<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp router-solicitation<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp router-advertisement<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp neighbour-solicitation<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp neighbour-advertisement<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmptype 141<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmptype 142<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmptype 143<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmptype 148<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmptype 149<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmptype 151<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmptype 152<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmptype 153<br>
0 0 logaccept tcp any any anywhere anywhere tcp dpt:webcache<br>
<br>
Chain FORWARD (policy DROP 0 packets, 0 bytes)<br>
pkts bytes target prot opt in out source destination<br>
0 0 all vlan847 any 2001:2002:5ae1:c206:5076:327e:<wbr>xxx:xxx/128 anywhere<br>
0 0 DROP all any any anywhere anywhere rt type:0 segsleft:0<br>
0 0 ACCEPT all br0 br0 anywhere anywhere<br>
0 0 ACCEPT all br1 br1 anywhere anywhere<br>
0 0 ACCEPT all br2 br2 anywhere anywhere<br>
<a href="tel:410 21787">410 21787</a> DROP all any any anywhere anywhere state INVALID<br>
154K 98M ACCEPT all any any anywhere anywhere state RELATED,ESTABLISHED<br>
0 0 DROP all 6rd 6rd anywhere anywhere<br>
0 0 ACCEPT ipv6-nonxt any any anywhere anywhere length 40<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp destination-unreachable<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp packet-too-big<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp time-exceeded<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp parameter-problem<br>
4620 241K logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp echo-request<br>
0 0 logaccept ipv6-icmp any any anywhere anywhere ipv6-icmp echo-reply<br>
0 0 ACCEPT ipv6-crypt 6rd any anywhere anywhere<br>
0 0 ACCEPT udp 6rd any anywhere anywhere udp dpt:500<br>
<a href="tel:6246 1012">6246 1012</a>K wanin all 6rd any anywhere anywhere<br>
5040 646K wanout all any 6rd anywhere anywhere<br>
5040 646K ACCEPT all br0 any anywhere anywhere<br>
0 0 ACCEPT all br1 any anywhere anywhere<br>
0 0 ACCEPT all br2 any anywhere anywhere<br>
0 0 ACCEPT all br0 6rd anywhere anywhere<br>
0 0 ACCEPT all br1 6rd anywhere anywhere<br>
0 0 ACCEPT all br2 6rd anywhere anywhere<br>
<br>
Chain OUTPUT (policy ACCEPT 3 packets, 363 bytes)<br>
pkts bytes target prot opt in out source destination<br>
0 0 DROP all any any anywhere anywhere rt type:0 segsleft:0<br>
<br>
Chain logaccept (30 references)<br>
pkts bytes target prot opt in out source destination<br>
4769 253K LOG all any any anywhere anywhere state NEW limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix "ACCEPT "<br>
5306 292K ACCEPT all any any anywhere anywhere<br>
<br>
Chain logdrop (0 references)<br>
pkts bytes target prot opt in out source destination<br>
0 0 LOG all any any anywhere anywhere state NEW limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix "DROP "<br>
0 0 DROP all any any anywhere anywhere<br>
<br>
Chain logreject (0 references)<br>
pkts bytes target prot opt in out source destination<br>
0 0 LOG all any any anywhere anywhere limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix "REJECT "<br>
0 0 REJECT tcp any any anywhere anywhere reject-with tcp-reset<br>
<br>
Chain shlimit (1 references)<br>
pkts bytes target prot opt in out source destination<br>
0 0 all any any anywhere anywhere recent: SET name: shlimit side: source<br>
0 0 DROP all any any anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source<br>
<br>
Chain wanin (1 references)<br>
pkts bytes target prot opt in out source destination<br>
<br>
Chain wanout (1 references)<br>
pkts bytes target prot opt in out source destination<br>
<br>
# ipsec statusall vpn-ipv6<br>
Status of IKE charon daemon (strongSwan <a href="tel:5.5.1">5.5.1</a>, Linux <a href="tel:2.6.36.4">2.6.36.4</a>brcmarm, armv7l):<br>
uptime: 11 hours, since May 28 18:35:<a href="tel:50 2017">50 2017</a><br>
malloc: sbrk <a href="tel:831488">831488</a>, mmap 0, used <a href="tel:416048">416048</a>, free <a href="tel:415440">415440</a><br>
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 13<br>
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp gmpdh agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity<br>
Listening IP addresses:<br>
<a href="tel:85.24">85.24</a>.<a href="http://xx.xx">xx.xx</a><br>
2001:2002:5ae1:xxx::xx<br>
Connections:<br>
vpn-ipv6: %any...%any IKEv2, dpddelay=300s<br>
vpn-ipv6: local: [<a href="http://vpn.joksi.net" rel="noreferrer" target="_blank">vpn.joksi.net</a>] uses public key authentication<br>
vpn-ipv6: remote: uses EAP_MSCHAPV2 authentication with EAP identity 'dulemis3'<br>
vpn-ipv6: child: 2000::/3 === dynamic TUNNEL, dpdaction=clear<br>
Security Associations (4 up, 0 connecting):<br>
vpn-ipv6[26]: ESTABLISHED 2 minutes ago, <a href="tel:85.24">85.24</a>.<a href="http://xx.xx">xx.xx</a>[x]...<a href="http://94.234.xx.xx">94.234.xx.xx</a>[<wbr>x]<br>
vpn-ipv6[26]: IKEv2 SPIs: a7ac5d658a4a39ac_i 278aaa324f402aaa_r*, public key reauthentication in 2 hours<br>
vpn-ipv6[26]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_H<wbr>MAC_SHA1/MODP_3072<br>
vpn-ipv6{1622}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c9edd06c_i 66f8c36e_o<br>
vpn-ipv6{1622}: AES_CBC_128/HMAC_SHA2_256_128, <a href="tel:11600">11600</a> bytes_i, 0 bytes_o, rekeying in 39 minutes<br>
vpn-ipv6{1622}: 2000::/3 === 2001:2002:5ae1:c206:5076:327e:<wbr>xx:xx/128<br>
<br>
conn vpn-ikev2<br>
auto=add<br>
reauth=yes<br>
dpdaction=clear<br>
dpddelay=300s<br>
mobike=yes<br>
<br>
leftid=xxx<br>
leftsubnet=<a href="http://0.0.0.0/0,2000::/3" rel="noreferrer" target="_blank">0.0.0.0/0,2000::/3</a><br>
leftauth=pubkey<br>
<br>
right=%any<br>
rightsubnet=%dynamic<br>
rightsourceip=%dhcp,2001:2002:<wbr>5ae1:c206:5076:327e:xxx:xxx<br>
rightauth=eap-mschapv2<br>
<br>
eap_identity=%any<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
----Ursprungligt meddelande----<br>
Från : <a href="http://noel.kuntze">noel.kuntze</a>+strongswan-users-m<wbr><a href="mailto:l@thermi.consulting">l@thermi.consulting</a><br>
Datum : 29/05/2017 - 00:16 (V)<br>
Till : <a href="mailto:dusan@comhem.se" target="_blank">dusan@comhem.se</a>, <a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
Ämne : Re: [strongSwan] IPv6 Remote Access<br>
<br>
Hello Dusan,<br>
<br>
On 28.05.2017 19:24, Dusan Ilic wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Noel,<br>
<br>
The IPv6 prefix is on link so I've tried adding static NDP record, when pinging from a local host before adding the static record it says "destination host unreacable", but after adding it it says "request timed out".<br>
<br>
When i try pinging the client from the strongswan host i get the following error?<br>
ping6: sendto: Address family not supported by protocol<br>
</blockquote>
What command are you trying to use?<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Strongswan now added a route for the IPv6 adress out the correct WAN-interface, and I have added an input and forward rule in ip6tables accepting traffic. I can see in "ipsec statusall" that the incoming packet counter are increasing, but not the outgoing.<br>
</blockquote>
Provide `ip6tables-save`, your <a href="http://ipsec.conf">ipsec.conf</a>, `ipsec statusall` and `sysctl -A | grep <a href="http://net.ipv6.conf">net.ipv6.conf</a>.*forwarding`.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Den <a href="tel:2017-05-26">2017-05-26</a> kl. 17:47, skrev Noel Kuntze:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello Dusan,<br>
<br>
On <a href="tel:26.05.2017%2016" value="+12605201716" target="_blank">26.05.2017 16</a>:52, Dusan Ilic wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi everyone,<br>
<br>
My ISP have just recently enabled IPv6 in their network (well, 6RD aactually) and I have it confiogured and working at the site.<br>
I would now also like to enable it on my remote access VPN in Strongswan too, so I made a try with the following config however it doesnt seem work. According to Strongswan log the client asks for ipv6 (Android in this case) and get's assigned one (global from my public prefix).<br>
<br>
leftsubnet=<a href="http://0.0.0.0/0,2000::/3" rel="noreferrer" target="_blank">0.0.0.0/0,2000::/3</a> (also tried with ::/0)<br>
rightsourceip=%dhcp,2001:2002:<wbr>5ae1:c206:4466:d122:xxx:xxx<br>
<br>
This is a test, so that's why Im only assigning one single IPv6 adress for the time being. IPv4 works as expected, but I can't neither reach an IPv6 internet site nor ping the gateway or the Android client from the gateway/clients behind the gateway.<br>
</blockquote>
Check if the IPv6 packets make it to the strongSwan host. And then make sure those IPv6 addresses are routed over the strongSwan host. If the subnet they're from is on the link,<br>
you'll need to create do proxy NDP on the strongSwan host with either static records in the NDP table on the strongSwan host or by using and configuring ndppd[1] on the strongSwan host.<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
What I'm reacting on is that a route gets created for the IPv4 adress in my routing table, but none for the IPv6 adress. Also checked with "ip -6 route".<br>
Is this a routing problem possibly, or maybe an firewall (iptables) problem?<br>
</blockquote>
The latter maybe. IPv6 traffic goes through ip6tables, not iptables.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Just to be clear, the client is connecting to the Strongswan server with IPv4, should receive an IPv6 global adress inside the tunnel and then my Strongswan server should route it out on the internet (through the 6RD-tunnel).<br>
<br>
</blockquote>
Read the FAQ[2], too.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
[1] <a href="https://github.com/DanielAdolfsson/ndppd" rel="noreferrer" target="_blank">https://github.com/DanielAdolf<wbr>sson/ndppd</a><br>
[2] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IPsec-and-iptablesnftables" rel="noreferrer" target="_blank">https://wiki.strongswan.org/pr<wbr>ojects/strongswan/wiki/FAQ#IPs<wbr>ec-and-iptablesnftables</a><br>
<br>
<br>
<br>
</blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>
<br>
</blockquote>
<br>
</div></div></blockquote></div><br></div>