[strongSwan] Roadwarrior ipv6-over-ipv4 tunnel

Martin Willi martin at strongswan.org
Tue Mar 9 08:39:30 CET 2010


> I'm trying to setup a roadwarrior v6-over-v4 tunnel, but I cannot get it 
> to work, also, I can't seem to find any examples of such a 
> configuration. Is this a supported configuration of strongswan?

Yes, this should work with a recent kernel. We have some v6-in-v4
scenarios [1], without virtual IP assignement, though.

> conn vela 
>      left=%defaultroute 
>      leftsubnet=2001:610:6f9::/64 
>      leftcert=aeon.public.pem 
>      right=%any 
>      rightcert=vela.public.pem 
>      rightsourceip=2001:610:6f9:2::/64 
>      auto=add

> conn aeon
>      left=aeon.hgd.crondor.net
>      leftcert=aeon.public.pem
>      leftsubnet=2001:610:6f9::/64
>      right=%defaultroute
>      rightsourceip=2001:610:6f9:2::1
>      rightcert=vela.public.pem
>      auto=start
>      keyexchange=ikev2

I'd recommend to always use "left" for the local peer, and "right" for
the remote peer. The daemon might not know who is "left" or "right"
under some circumstances, and defaults "left" to local.

> charon: 09[AUD] no acceptable traffic selectors found

> charon: 13[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built

Your left/rightsubnet definitions do not match. If you're using a pool
of addresses for your clients, I'd define rightsourceip=%config to avoid
any problems if the requested address is not available anymore in your
The leftsubnet definition looks OK, but I'd try to switch left/right as



More information about the Users mailing list