[strongSwan] Roadwarrior ipv6-over-ipv4 tunnel
Martin Willi
martin at strongswan.org
Tue Mar 9 08:39:30 CET 2010
Hi,
> I'm trying to set up a roadwarrior v6-over-v4 tunnel, but I cannot get it
> to work. Also, I can't seem to find any examples of such a
> configuration. Is this a supported configuration of strongswan?
Yes, this should work with a recent kernel. We have some v6-in-v4
scenarios [1], without virtual IP assignment, though.
> conn vela
>     left=%defaultroute
>     leftsubnet=2001:610:6f9::/64
>     leftcert=aeon.public.pem
>     right=%any
>     rightcert=vela.public.pem
>     rightsourceip=2001:610:6f9:2::/64
>     auto=add
> conn aeon
>     left=aeon.hgd.crondor.net
>     leftcert=aeon.public.pem
>     leftsubnet=2001:610:6f9::/64
>     right=%defaultroute
>     rightsourceip=2001:610:6f9:2::1
>     rightcert=vela.public.pem
>     auto=start
>     keyexchange=ikev2
I'd recommend always using "left" for the local peer, and "right" for
the remote peer. The daemon might not know who is "left" or "right"
under some circumstances, and defaults "left" to local.
> charon: 09[AUD] no acceptable traffic selectors found
> charon: 13[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
Your left/rightsubnet definitions do not match. If you're using a pool
of addresses for your clients, I'd define rightsourceip=%config to avoid
any problems if the requested address is not available anymore in your
pool.
The leftsubnet definition looks OK, but I'd try to switch left/right as
suggested.
Regards
Martin
[1] http://www.strongswan.org/uml/testresults43/ipv6/index.html
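
Added example, not part of the original post and not strongSwan's own sample configuration: the two conn sections written along the lines the reply suggests, with "left" as the local peer on each host, the client requesting its address with %config, and the gateway's leftsubnet mirrored as the client's rightsubnet. It assumes aeon is the gateway and vela the roadwarrior (inferred from left=aeon.hgd.crondor.net and the certificate names); the thread does not confirm that IPv6 virtual IP assignment works on the poster's version.

```conf
# ipsec.conf on the gateway (assumed to be aeon).
# "left" already describes the local side here, as in the posted conn vela.
conn vela
    left=%defaultroute
    leftcert=aeon.public.pem
    # Local traffic selector offered to roadwarriors.
    leftsubnet=2001:610:6f9::/64
    right=%any
    rightcert=vela.public.pem
    # Pool from which clients receive a virtual IP.
    rightsourceip=2001:610:6f9:2::/64
    auto=add

# ipsec.conf on the roadwarrior (assumed to be vela).
# Rewritten so that "left" is the local peer and "right" the gateway.
conn aeon
    keyexchange=ikev2
    left=%defaultroute
    leftcert=vela.public.pem
    # Ask the gateway for any free address instead of a fixed one;
    # this is the posted rightsourceip moved to the local (left) side.
    leftsourceip=%config
    right=aeon.hgd.crondor.net
    rightcert=aeon.public.pem
    # Must name the same prefix as the gateway's leftsubnet.
    rightsubnet=2001:610:6f9::/64
    auto=start
```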