[strongSwan] configuring strongSwan 5.0.1rc1 to do IPv4 and IPv6 routings over the same single tunnel

Robert Lee rleeatgm at gmail.com
Wed Oct 3 07:50:21 CEST 2012


Hi,



I am using the sample configurations [1] to setup the
ikev2/ip-two-pools-v4v6 and notice one thing related to the routing:

If Carol sets up the connection with Moon using the IPv4 interfaces as the
tunnel endpoints, both IPv4 and IPv6 VPN addresses are assigned to Carol,
IPv4 routing is working fine between Moon and Carol, but IPv6 routing is
not working from Moon to Carol.

But, if Carol sets up the connection with Moon using the IPv6 interfaces as
the tunnel endpoints, both IPv4 and IPv6 VPN addresses are assigned to
Carol, IPv6 routing is working fine between Moon and Carol, but
IPv4 routing is not working from Moon to Carol.



I notice that Moon sets up both IPv4 and IPv6 routing to the same single
source address (endpoint) of Carol, i.e.

If tunnel endpoints are IPv4, Moon sets up both IPv4 and IPv6 routings to
the IPv4 endpoint address of Carol, thus the IPv6 routing failed.

If tunnel endpoints are IPv6, Moon sets up both IPv4 and IPv6 routings to
the IPv6 endpoint address of Carol, thus the IPv4 routing failed.



In the single IP case, I guess that the server bases its routing decision on
the single source address (endpoint) of the client. But in the dual IP
case, how does Carol convey her IPv4 and IPv6 endpoint addresses as the
source addresses to Moon? Is there a way to do that?



How could Moon be configured such that it should expect both IPv4 and IPv6
endpoint addresses from Carol in case of the dual IP single tunnel setup?
Would this make it establish both the IPv4 and the IPv6 routings properly
over the same tunnel?


Thank you!

Robert



[1] http://www.strongswan.org/uml/testresults5rc/ikev2/ip-two-pools-v4v6/



============  Moon config remains the same ===========

Moon ipsec.conf

        left=%defaultroute
        leftsubnet=10.9.8.0/24,fec1::/64
        right=%any
        rightsourceip=fec1::1/64,10.9.8.1



============  tunnel endpoints are IPv4 addresses ===========

Carol ipsec.conf

        right=10.41.73.71
        rightsubnet=10.9.8.0/24,fec1::/64
        left=%defaultroute
        leftsourceip=%config4,%config6


Log:

Oct  2 22:20:54 04[IKE] 10.41.73.234 is initiating an IKE_SA
Oct  2 22:20:54 07[KNL] getting a local address in traffic selector 10.9.8.0/24
Oct  2 22:20:54 07[KNL] using host 10.9.8.2
Oct  2 22:20:54 07[KNL] using 10.41.73.234 as nexthop to reach 10.41.73.234
Oct  2 22:20:54 07[KNL] 10.41.73.71 is on interface eth0
Oct  2 22:20:54 07[KNL] installing route: 10.9.8.1/32 via 10.41.73.234 src 10.9.8.2 dev eth0
Oct  2 22:20:54 07[KNL] getting a local address in traffic selector fec1::/64
Oct  2 22:20:54 07[KNL] using host fec1::2
Oct  2 22:20:54 07[KNL] using 10.41.73.234 as nexthop to reach 10.41.73.234
Oct  2 22:20:54 07[KNL] 10.41.73.71 is on interface eth0
Oct  2 22:20:54 07[KNL] installing route: fec1::1/128 via 10.41.73.234 src fec1::2 dev eth0

ping6 fec1::1 from Moon to Carol failed:

Oct  2 22:21:05 12[KNL] creating acquire job for policy fec1::2/128[udp/47216] === fec1::1/128[udp/1025] with reqid {1}
Oct  2 22:21:05 08[CFG] trap not found, unable to acquire reqid 1



============  tunnel endpoints are IPv6 addresses ===========

Carol ipsec.conf

        right=2002:c023:9c17:21c::a29:4947
        rightsubnet=10.9.8.0/24,fec1::/64
        left=%defaultroute
        leftsourceip=%config4,%config6

Log:

Oct  2 22:18:16 07[IKE] 2002:c023:9c17:21c:21b:78ff:fee0:dbfc is initiating an IKE_SA
Oct  2 22:18:16 10[KNL] getting a local address in traffic selector 10.9.8.0/24
Oct  2 22:18:16 10[KNL] using host 10.9.8.2
Oct  2 22:18:16 10[KNL] using 2002:c023:9c17:21c:21b:78ff:fee0:dbfc as nexthop to reach 2002:c023:9c17:21c:21b:78ff:fee0:dbfc
Oct  2 22:18:16 10[KNL] 2002:c023:9c17:21c::a29:4947 is on interface eth0
Oct  2 22:18:16 10[KNL] installing route: 10.9.8.1/32 via 2002:c023:9c17:21c:21b:78ff:fee0:dbfc src 10.9.8.2 dev eth0
Oct  2 22:18:16 10[KNL] getting a local address in traffic selector fec1::/64
Oct  2 22:18:16 10[KNL] using host fec1::2
Oct  2 22:18:16 10[KNL] using 2002:c023:9c17:21c:21b:78ff:fee0:dbfc as nexthop to reach 2002:c023:9c17:21c:21b:78ff:fee0:dbfc
Oct  2 22:18:16 10[KNL] 2002:c023:9c17:21c::a29:4947 is on interface eth0
Oct  2 22:18:16 10[KNL] installing route: fec1::1/128 via 2002:c023:9c17:21c:21b:78ff:fee0:dbfc src fec1::2 dev eth0

ping 10.9.8.1 from Moon to Carol failed:

Oct  2 22:18:29 15[KNL] creating acquire job for policy 10.9.8.2/32[udp/42668] === 10.9.8.1/32[udp/1025] with reqid {1}
Oct  2 22:18:29 11[CFG] trap not found, unable to acquire reqid 1
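A quick check for the mismatch the post describes, added here as an example (it is not part of the post or of the strongSwan project): it parses charon's "installing route" log lines (the sample below is copied from the two logs above) and flags every route whose destination prefix and nexthop belong to different address families, which is exactly the route that carried no traffic in each failing direction.

```python
import ipaddress
import re

# Sample charon log excerpt, taken from the two logs in the post above
# (only the "installing route" entries are relevant for this check).
SAMPLE_LOG = """\
Oct  2 22:20:54 07[KNL] installing route: 10.9.8.1/32 via 10.41.73.234 src 10.9.8.2 dev eth0
Oct  2 22:20:54 07[KNL] installing route: fec1::1/128 via 10.41.73.234 src fec1::2 dev eth0
Oct  2 22:18:16 10[KNL] installing route: 10.9.8.1/32 via 2002:c023:9c17:21c:21b:78ff:fee0:dbfc src 10.9.8.2 dev eth0
Oct  2 22:18:16 10[KNL] installing route: fec1::1/128 via 2002:c023:9c17:21c:21b:78ff:fee0:dbfc src fec1::2 dev eth0
"""

# Matches the kernel-interface (KNL) route installation message charon logs.
ROUTE_RE = re.compile(
    r"\[KNL\] installing route: (?P<dst>\S+) via (?P<via>\S+) src (?P<src>\S+) dev (?P<dev>\S+)"
)


def parse_routes(log_text):
    """Return one dict (dst, via, src, dev) per 'installing route' line."""
    routes = []
    for line in log_text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            routes.append(m.groupdict())
    return routes


def family_mismatches(routes):
    """Return (dst, via) pairs whose destination prefix and nexthop differ
    in IP version. An IPv6 prefix routed via an IPv4 gateway (or the
    reverse) is the pattern the post reports for the direction whose
    ping failed; a clean dual-stack setup should return an empty list."""
    bad = []
    for r in routes:
        dst_version = ipaddress.ip_network(r["dst"], strict=False).version
        via_version = ipaddress.ip_address(r["via"]).version
        if dst_version != via_version:
            bad.append((r["dst"], r["via"]))
    return bad


if __name__ == "__main__":
    for dst, via in family_mismatches(parse_routes(SAMPLE_LOG)):
        print("address-family mismatch: %s via %s" % (dst, via))
```

On a live host, feed it charon's syslog output instead of SAMPLE_LOG; the route lines only appear with the KNL log level raised enough to show them.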