[strongSwan] Windows 7 IKEv2 VPN virtual IP issue
Far.Runner
far.runner at gmail.com
Thu Apr 18 23:57:19 CEST 2013
Hi,
I am trying to set up an IKEv2 VPN between Windows 7 and strongSwan. It is
a dual-stack over v4 VPN, and strongSwan assigns virtual v4 and v6
addresses to Windows 7. The following is the ipsec.conf; I am using
certificate authentication.

config setup

conn %default
    ikelifetime=600m
    keylife=200m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no
    esp=aes128-sha1
    ike=aes128-sha1-modp1024

conn rw
    left=10.1.1.1
    leftsubnet=172.16.1.0/24,2001:AAAA::0/64
    leftcert=segwcert.pem
    right=%any
    rightsourceip=10.3.0.0/28,2001:BBBB::/120
    auto=add

The tunnel was created successfully, and v4 is also working fine: I can
ping 172.16.1.0 from Windows 7. But v6 doesn't work.

C:\Users\test>ipconfig

Windows IP Configuration

PPP adapter ub-x:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:bbbb::1
   Link-local IPv6 Address . . . . . : fe80::1%25
   IPv4 Address. . . . . . . . . . . : 10.3.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::bc1e:daf3:afa9:406b%14
   IPv4 Address. . . . . . . . . . . : 10.1.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

C:\Users\test>route print -6
===========================================================================
Interface List
 25...........................ub-x
 14...08 00 27 e5 80 23 ......Intel(R) PRO/1000 MT Desktop Adapter #2
 11...08 00 27 3d e0 6f ......Intel(R) PRO/1000 MT Desktop Adapter
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 25    266 2001:bbbb::/64           On-link
 25    266 2001:bbbb::1/128         On-link
 11    266 fe80::/64                On-link
 14    266 fe80::/64                On-link
 25    266 fe80::/64                On-link
 25    266 fe80::1/128              On-link
 14    266 fe80::bc1e:daf3:afa9:406b/128
                                    On-link
 11    266 fe80::bd24:3eb0:86df:e3da/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
 14    266 ff00::/8                 On-link
 25    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:

As you can see, Windows 7 has got the virtual v6 address
2001:bbbb::1; however, the v6 route table doesn't have any default
route or a route to the leftsubnet, 2001:AAAA::/64. So when I tried to ping
2001:AAAA::1, I got this:

C:\Users\test>ping 2001:aaaa::1

Pinging 2001:aaaa::1 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

My initial thought was that this might be related to Windows 7 not
receiving an RA from strongSwan, but could strongSwan or Linux send an RA
over an IPsec tunnel? I don't have radvd installed on the Linux box,
so I can't test it. I just wonder whether anybody has had a successful
experience making this work?
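
Added example, not part of the original post: a longest-prefix-match check over the "route print -6" lines quoted above, showing that no active route covers 2001:aaaa::1 while the virtual-IP prefix is on-link via interface 25. The function names parse_routes and best_route are hypothetical helpers written for this illustration.

```python
import ipaddress
import re

# Route lines copied from the post's "route print -6" output, including the
# two entries that Windows wrapped onto a second line.
ROUTE_PRINT = """\
  1    306 ::1/128                  On-link
 25    266 2001:bbbb::/64           On-link
 25    266 2001:bbbb::1/128         On-link
 11    266 fe80::/64                On-link
 14    266 fe80::/64                On-link
 25    266 fe80::/64                On-link
 25    266 fe80::1/128              On-link
 14    266 fe80::bc1e:daf3:afa9:406b/128
                                    On-link
 11    266 fe80::bd24:3eb0:86df:e3da/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
 14    266 ff00::/8                 On-link
 25    266 ff00::/8                 On-link
"""
ROUTE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+/\d+)(?:\s+(\S+))?\s*$")

def parse_routes(text):
    """Parse active-route rows; a row without a gateway takes it from the next line."""
    routes, pending = [], None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            iface, metric, prefix, gw = m.groups()
            route = {"if": int(iface), "metric": int(metric), "gw": gw,
                     "net": ipaddress.ip_network(prefix, strict=False)}
            routes.append(route)
            pending = route if gw is None else None
        elif pending is not None and line.strip():
            pending["gw"] = line.strip()  # wrapped gateway column
            pending = None
    return routes

def best_route(routes, dest):
    """Return the longest-prefix, lowest-metric route covering dest, or None."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r["net"]]
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"]), default=None)

ROUTES = parse_routes(ROUTE_PRINT)
if __name__ == "__main__":
    for dest in ("2001:aaaa::1", "2001:bbbb::5"):
        print(dest, "->", best_route(ROUTES, dest))
```
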