<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p>Dear community, </p>
<p><br>
</p>
<p>I have a Debian 9 VPS assigned an IPv6 /64 address via SLAAC, running strongSwan, and would like to make clients able to access IPv6 websites.</p>
<p><br>
</p>
Here is the IPv6 setting in /etc/network/interfaces:
<div>
<div><span>iface ens3 inet6 static</span><br>
<p></p>
<div></div>
<div> address 2001:19f0:6001:e4d:AAAA:BBBB:CCCC:1</div>
<div> netmask 64</div>
<div> dns-nameservers 2001:19f0:300:1704::6</div>
</div>
</div>
<div><br>
</div>
<div>/etc/ipsec.conf</div>
<div>
<div>conn %default</div>
<div> auto = add</div>
<div> keyexchange = ikev2</div>
<div> leftsubnet = 0.0.0.0/0,::/0</div>
<div> rightdns = 8.8.8.8,2001:4860:4860::8888</div>
<div> rightsourceip = 10.10.10.0/24,2001:19f0:6001:e4d::/112</div>
<div>conn EAP-MSCHAPv2</div>
<div> eap_identity = %identity</div>
<div> leftauth = pubkey</div>
<div> leftcert = fullchain.pem</div>
<div> leftid = example.com</div>
<div> leftsendcert = always</div>
<div> rightauth = eap-mschapv2</div>
<div> rightid = %any</div>
<div> rightsendcert = never</div>
<br>
</div>
<div><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">$ </span><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">iptables
-t nat -A POSTROUTING -j MASQUERADE</span><br>
</div>
<div>$ systctl -p</div>
<div>
<div>net.ipv4.ip_forward = 1</div>
<div>net.ipv6.conf.all.accept_ra = 2</div>
<div><span></span></div>
<div><br>
</div>
<div>With configuration above, the VPS and strongSwan seem working well with IPv4 network that clients like iOS 10 are able to access to the IPv4 websites via IPSec. Clients assigned an IPv6 address <span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">2001:19f0:6001:e4d::1
and the VPS can ping each other, however, clients cannot access to any IPv6 websites. I know that I disable
<span>net.ipv6.conf.all.forwarding so IPv6 packages are not able to be forwarded, but if it is enabled, clients still have no IPv6 connectivity and the VPS is unreachable via IPv6.</span></span></div>
</div>
<div><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;"><span><br>
</span></span></div>
<div><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;"><span>Honestly, I am not quite familiar with IPv6 network and
really stuck into this problem even search tons of information from Google. So is there someone running a strongSwan server with IPv6 successfully? Could you offer some help, please?</span></span></div>
<div><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;"><span><br>
</span></span></div>
<div><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;"><span><span>Thanks in advance for helping,</span><br>
</span></span></div>
<div><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;"><span><span>Colbert Yang</span></span></span></div>
</div>
</body>
</html>