[strongSwan] Roadwarrior ipv6-over-ipv4 tunnel
Michel Wilson
michel at crondor.net
Tue Mar 9 09:38:17 CET 2010
Hi,
Martin Willi wrote:
> Hi,
>
>> I'm trying to setup a roadwarrior v6-over-v4 tunnel, but I cannot get it
>> to work, also, I can't seem to find any examples of such a
>> configuration. Is this a supported configuration of strongswan?
>
> Yes, this should work with a recent kernel. We have some v6-in-v4
> scenarios [1], without virtual IP assignment, though.
I received an offlist reply from Andreas Steffen indicating that this
wouldn't work due to ipv6 source routing not being supported by the
Linux kernel. He referred me to
http://www.strongswan.org/uml/testresults43/ipv6/rw-ikev2/ which uses
static road warrior addresses. But I don't really see how to use this
example, this looks like an ipv6-over-ipv6 tunnel. Also, the road
warriors do not get a local address in this scenario.
>
>> conn vela
>> left=%defaultroute
>> leftsubnet=2001:610:6f9::/64
>> leftcert=aeon.public.pem
>> right=%any
>> rightcert=vela.public.pem
>> rightsourceip=2001:610:6f9:2::/64
>> auto=add
>
>> conn aeon
>> left=aeon.hgd.crondor.net
>> leftcert=aeon.public.pem
>> leftsubnet=2001:610:6f9::/64
>> right=%defaultroute
>> rightsourceip=2001:610:6f9:2::1
>> rightcert=vela.public.pem
>> auto=start
>> keyexchange=ikev2
>
> I'd recommend to always use "left" for the local peer, and "right" for
> the remote peer. The daemon might not know who is "left" or "right"
> under some circumstances, and defaults "left" to local.
Ok. Sometime during all the things I tried, I swapped left/right, to
make the configurations identical on both ends, since I vaguely
remembered some other ipsec solutions depending on this.
>
>> charon: 09[AUD] no acceptable traffic selectors found
>
>> charon: 13[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
>
> Your left/rightsubnet definitions do not match. If you're using a pool
> of addresses for your clients, I'd define rightsourceip=%config to avoid
> any problems if the requested address is not available anymore in your
> pool.
> The leftsubnet definition looks OK, but I'd try to switch left/right as
> suggested.
Of course the subnets are different. I have a local subnet
2001:610:6f9:0::/64, the roadwarrior must be in a different ip range,
for which I took 2001:610:6f9:2::/64. Or will strongswan perform some
kind of proxy ARP if the rw is in the ..:0::/64 subnet?
Anyway, I tried using leftsubnet=2001:610:6f9:2::/64 and
rightsourceip=%config on the server, and leftsourceip=2001:610:6f9:2::1
and rightsubnet=2001:610:6f9:2::/64 on the client, and it still doesn't
work:
charon: 09[IKE] peer requested virtual IP 2001:610:6f9:2::1
charon: 09[IKE] assigning virtual IP 2001:610:6f9:2::1 to peer
charon: 09[AUD] no acceptable traffic selectors found
Another thing I tried was to do a net-net type of connection. I added
2001:610:6f9:2::1/64 to the loopback device, and I used
leftsubnet=2001:610:6f9:0::/64, rightsubnet=2001:610:6f9:2::/64 on the
server, and the reverse on the client. The connection comes up ok, but
some errors are reported. The client says "no local address found in
traffic selector 2001:610:6f9:2::/64", but I do not understand why it
thinks so. It has 2001:610:6f9:2::2/64 on lo, so that's a local address
in that range. And the server complains as well:
charon: 09[KNL] received netlink error: Numerical result out of range (34)
charon: 09[KNL] unable to install source route for 2001:610:6f9::1
That's probably the issue which Andreas Steffen referred to.
>
> Regards
> Martin
>
> [1]http://www.strongswan.org/uml/testresults43/ipv6/index.html
>
>
Regards,
Michel.
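Added illustration, not part of the thread and not strongSwan code: a small Python model of the IKEv2 traffic-selector narrowing (RFC 7296, section 2.9) that produces the "no acceptable traffic selectors found" / TS_UNACCEPTABLE outcome discussed above. A responder intersects the TSi/TSr the initiator proposed with what its own connection allows; if either side of that intersection is empty, no CHILD_SA is built. For a virtual-IP road warrior the client's TSi collapses to the assigned /128 and its rightsubnet must overlap the server's leftsubnet. The addresses are the ones posted in the thread; the mismatched case and the "first host of the pool" fallback are constructed assumptions for this model, not strongSwan's actual pool logic.

```python
"""Model of the IKEv2 traffic-selector (TS) narrowing that a responder
performs when the initiator requests a CHILD_SA (RFC 7296, section 2.9).
Added illustration, not strongSwan code. Addresses are the ones posted
in the thread; the mismatch case is constructed."""
import ipaddress
from typing import List, Optional

Net = ipaddress.IPv6Network


def _intersect(a: Net, b: Net) -> Optional[Net]:
    # Two CIDR prefixes either nest or are disjoint: keep the more
    # specific one when they nest, otherwise there is no overlap.
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow(proposed: List[str], allowed: List[str]) -> List[str]:
    """Overlap of the selectors the initiator proposed with the selectors
    the responder's connection permits, as CIDR strings (may be empty)."""
    out: List[Net] = []
    for p in map(Net, proposed):
        for a in map(Net, allowed):
            i = _intersect(p, a)
            if i is not None and i not in out:
                out.append(i)
    return [str(n) for n in out]


def responder_select(ts_i, ts_r, remote_allowed, local_allowed):
    """(TSi, TSr) the responder sends back in its TS payloads, or None,
    which corresponds to the TS_UNACCEPTABLE notify (charon logs
    'no acceptable traffic selectors found')."""
    sel_i = narrow(ts_i, remote_allowed)
    sel_r = narrow(ts_r, local_allowed)
    if not sel_i or not sel_r:
        return None
    return sel_i, sel_r


def roadwarrior_exchange(client_rightsubnet: str, server_leftsubnet: str,
                         pool: str, requested_vip: Optional[str] = None):
    """Virtual-IP road warrior. The server hands out one address from
    `pool` (its rightsourceip=<pool>); the client's TSi is that /128 and
    its TSr is its rightsubnet, which must overlap the server's
    leftsubnet. requested_vip=None models leftsourceip=%config on the
    client (accept whatever the server assigns). A requested address
    outside the pool is replaced by the pool's first host: that is an
    assumption of this model, not strongSwan's pool behaviour."""
    pool_net = Net(pool)
    if requested_vip is not None and ipaddress.IPv6Address(requested_vip) in pool_net:
        vip = ipaddress.IPv6Address(requested_vip)
    else:
        vip = pool_net[1]
    vip_ts = f"{vip}/128"
    return responder_select(ts_i=[vip_ts], ts_r=[client_rightsubnet],
                            remote_allowed=[vip_ts],
                            local_allowed=[server_leftsubnet])


if __name__ == "__main__":
    # Thread's numbers, with left=local on both sides as Martin advises:
    # client rightsubnet and server leftsubnet overlap, CHILD_SA is built.
    print(roadwarrior_exchange("2001:610:6f9::/64", "2001:610:6f9:0::/64",
                               "2001:610:6f9:2::/64", "2001:610:6f9:2::1"))
    # Constructed mismatch: the client asks for a /64 the server does not
    # serve, so TSr narrows to nothing and the result is None.
    print(roadwarrior_exchange("2001:610:6f9:3::/64", "2001:610:6f9::/64",
                               "2001:610:6f9:2::/64"))
```

The model only covers the selector negotiation; it says nothing about whether the kernel can install the resulting IPv6 source route, which is the separate problem the netlink error above points at.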