[strongSwan-dev] IPv6 (Link Local) Router Solicitations over VPN (for Windows 7)

Richard Laager rlaager at wiktel.com
Wed Oct 26 06:19:06 CEST 2016

I would like to see strongSwan support IPv6 VPNs to Windows 7+ using the
default Windows client. This is possible with a plugin I wrote.

Can this plugin be considered for merging?

I posted about this last year:

We have been using this in production flawlessly since then. We've
upgraded from Ubuntu 14.04 to 16.04 (strongSwan 5.1.2 to 5.3.5), and the
patch continues to work.

Here's the relevant bug and wiki link to it, which shows other people
are interested:

The key part is the plugin, as it is compiled. The scripts are easy for
the sysadmin to add.

If there's a concern over the link local traffic selectors possibly
conflicting with link local on physical interfaces, link_local_ts could
be shipped but not loaded by default.

If there are other concerns with this patch, I'm happy to work to
address them.

So, to recap, to provide IPv4 and IPv6, with default routes, to a
Windows 7 system using its built-in VPN client, you need:

B) leftsubnet=,::/0
C) In addition to IPv4, provide an IPv6 block in rightsubnet=.
D) leftupdown=/path/to/the/attached/_updown
   Adapt `service radvd reload` as necessary for your distro.
E) OPTIONAL: If using usernames & passwords, rightauth=eap-mschapv2
F) OPTIONAL: Depending on your iptables setup, leftfirewall=yes
G) Build the link_local_ts plugin from the patch I attached.
H) Install radvd and the attached /etc/radvd.conf.in with eth0 adjusted
   for your system. Run _updown once to generate /etc/radvd.conf.
I) OPTIONAL: If your VPN server needs router announcements for its IPv6
   connectivity, you may need to add some firewall rules or something to
   keep the system from hearing the local radvd.

-------------- next part --------------
interface eth0
{
   # This is necessary to send RAs at all.
   AdvSendAdvert on;

   # _updown manages the list of clients:
   #clients { };
};
-------------- next part --------------

#!/usr/bin/perl

use strict;
use warnings;

use File::Temp;

my $standard_updown_script="ipsec _updown";
my $exclude_ip = "";

# We only care about fe80::X/128 addresses.
my $peer_client = $ENV{"PLUTO_PEER_CLIENT"};
if (defined($peer_client))
{
    unless ($peer_client =~ /^(fe80:[:0-9a-f]+)\/128$/)
    {
        # Not a link-local selector, so radvd.conf is unaffected.  Assumed
        # behaviour: hand off to the standard updown script unchanged.
        exec $standard_updown_script;
    }
    # Save just the IP, not the mask.
    $peer_client = $1;

    my $verb = $ENV{"PLUTO_VERB"};
    if ($verb eq "down-client-v6")
    {
        # This script is called *before* the ip xfrm policy is removed.  On a
        # down-client-v6 action, we take note of the IP address being removed,
        # so we can ignore it later.
        $exclude_ip = $peer_client;
    }
    elsif ($verb ne "up-client-v6")
    {
        # Any other verb does not change the client list.  Assumed behaviour:
        # hand off to the standard updown script unchanged.
        exec $standard_updown_script;
    }
}
else
{
    # When this script is run directly, we rebuild /etc/radvd.conf, but skip
    # running the standard updown script.
    $standard_updown_script = "true";
}

# Collect the link-local /128 destinations that currently have a policy.
my $clients = "";
open my $ip_xfrm, "ip xfrm policy|" or die $!;
while (<$ip_xfrm>)
{
    if (/ dst (fe80:[:0-9a-f]+)\/128/ &&
        $1 ne $exclude_ip)
    {
        $clients .= "$1; ";
    }
}
close $ip_xfrm;

$clients =~ s/ $//;

if (length($clients) > 0)
{
    $clients = "clients { $clients };";
}
else
{
    # radvd treats an empty clients block as a syntax error.  Without a clients
    # block, we need to specify "UnicastOnly on" to keep radvd from sending
    # multicast RAs.  We can't specify it unconditionally because that breaks
    # sending unsolicited RAs to the clients in the clients block.
    $clients = "UnicastOnly on;";
}

# Rewrite the template into a temporary file, then rename it into place so
# radvd never reads a half-written configuration.
open my $radvd_conf, "</etc/radvd.conf.in" or die $!;
my $tempfile = File::Temp->new(UNLINK => 0, DIR => "/etc");
while (<$radvd_conf>)
{
    if (/^( *)#?clients( |$)/)
    {
        print $tempfile "$1$clients\n";
    }
    else
    {
        print $tempfile $_;
    }
}
close $radvd_conf;

if ($tempfile->close() &&
    chmod(0644, $tempfile->filename) &&
    rename($tempfile->filename, "/etc/radvd.conf"))
{
    system("service radvd reload > /dev/null");
}

# Run the standard script.
exec $standard_updown_script;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: link_local_ts_plugin.patch
Type: text/x-patch
Size: 11190 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20161025/55830cd9/attachment.bin>
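
An added consistency check, not part of the original post or its attachments: it compares the link-local /128 selectors in `ip xfrm policy` output with the `clients` list in the generated /etc/radvd.conf and flags the cases the script's comments warn about (empty clients block, multicast RAs, UnicastOnly combined with clients). The function names and the sample inputs are constructed for illustration.

```python
import re

# Same selector pattern the _updown script matches in `ip xfrm policy` output.
POLICY_DST = re.compile(r" dst (fe80:[:0-9a-f]+)/128")
CLIENTS_BLOCK = re.compile(r"^\s*clients\s*\{([^}]*)\}\s*;", re.M)
UNICAST_ONLY = re.compile(r"^\s*UnicastOnly\s+on\s*;", re.M)


def expected_clients(xfrm_output):
    """Link-local /128 destinations that have an installed policy."""
    return set(POLICY_DST.findall(xfrm_output))


def audit(xfrm_output, radvd_conf):
    """Return a list of problems; an empty list means the two agree."""
    problems = []
    want = expected_clients(xfrm_output)
    block = CLIENTS_BLOCK.search(radvd_conf)
    have = set()
    if block:
        have = {a.strip() for a in block.group(1).split(";") if a.strip()}
        if not have:
            problems.append("empty clients block (radvd rejects this)")
    unicast_only = bool(UNICAST_ONLY.search(radvd_conf))
    if not block and not unicast_only:
        problems.append("no clients block and no UnicastOnly: multicast RAs")
    if block and unicast_only:
        problems.append("UnicastOnly set together with a clients block")
    problems += [f"tunnel {a} missing from clients" for a in sorted(want - have)]
    problems += [f"stale client {a} has no xfrm policy" for a in sorted(have - want)]
    return problems


# Constructed sample inputs (not captured from a real system).
SAMPLE_XFRM = (
    "src ::/0 dst fe80::a1b2/128\n\tdir out\n"
    "src fe80::a1b2/128 dst ::/0\n\tdir in\n"
    "src ::/0 dst fe80::c3d4/128\n\tdir out\n"
)
SAMPLE_CONF = (
    "interface eth0\n{\n   AdvSendAdvert on;\n"
    "   clients { fe80::a1b2; fe80::dead; };\n};\n"
)

if __name__ == "__main__":
    for line in audit(SAMPLE_XFRM, SAMPLE_CONF):
        print(line)
```
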
