[strongSwan] Roadwarrior ipv6-over-ipv4 tunnel
michel at crondor.net
Tue Mar 9 09:38:17 CET 2010
Martin Willi wrote:
>> I'm trying to setup a roadwarrior v6-over-v4 tunnel, but I cannot get it
>> to work, also, I can't seem to find any examples of such a
>> configuration. Is this a supported configuration of strongswan?
> Yes, this should work with a recent kernel. We have some v6-in-v4
> scenarios , without virtual IP assignement, though.
I received an offlist reply from Andreas Steffen indicating that this
wouldn't work due to ipv6 source routing not being supported by the
Linux kernel. He referred me to
http://www.strongswan.org/uml/testresults43/ipv6/rw-ikev2/ which uses
static road warrior addresses. But I don't really see how to use this
example, this looks like an ipv6-over-ipv6 tunnel. Also, the road
warriors do not get a local address in this scenario.
>> conn vela
>> conn aeon
> I'd recommend to always use "left" for the local peer, and "right" for
> the remote peer. The daemon might not know who is "left" or "right"
> under some circumstances, and defaults "left" to local.
Ok. Sometime during all the things I tried, I swapped left/right, to
make the configurations identical on both end, since I vaguely
remembered some other ipsec solutions depending on this.
>> charon: 09[AUD] no acceptable traffic selectors found
>> charon: 13[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
> Your left/rightsubnet definitions do not match. If you're using a pool
> of addresses for your clients, I'd define rightsourceip=%config to avoid
> any problems if the requested address is not available anymore in your
> The leftsubnet definition looks OK, but I'd try to switch left/right as
Of course the subnets are different. I have a local subnet
2001:610:6f9:0::/64, the roadwarrior must be in a different ip range,
for which I took 2001:610:6f9:2::/64. Or will strongswan perform some
kind of proxy arp if the rw is in the ..:0::/64 subnet?
Anyway, I tried using leftsubnet=2001:610:6f9:2::/64 and
rightsourceip=%config on the server, and leftsourceip=2001:610:6f9:2::1
and rightsubnet=2001:610:6f9:2::/64 on the client, and it still doesn't
charon: 09[IKE] peer requested virtual IP 2001:610:6f9:2::1
charon: 09[IKE] assigning virtual IP 2001:610:6f9:2::1 to peer
charon: 09[AUD] no acceptable traffic selectors found
Another thing I tried was to do a net-net type of connection. I added
2001:610:6f9:2::1/64 to the loopback device, and I used
leftsubnet=2001:610:6f9:0::/64, rightsubnet=2001:610:6f9:2::/64 on the
server, and the reverse on the client. The connection comes up ok, but
some errors are reported. The client says "no local address found in
traffic selector 2001:610:6f9:2::/64", but I do not understand why it
thinks so. It has 2001:610:6f9:2::2/64 on lo, so that's a local address
in that range. And the server complains as well:
charon: 09[KNL] received netlink error: Numerical result out of range (34)
charon: 09[KNL] unable to install source route for 2001:610:6f9::1
That's probably the issue wihch Adreas Steffen referred to.
More information about the Users