[strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing

Adrian Milanoski amilanoski at blackberry.com
Sat Nov 16 00:53:47 CET 2013


Martin,

Here are some commands

      * Have you enabled IPv6 forwarding? (sysctl
        net.ipv6.conf.all.forwarding)

cat /proc/sys/net/ipv6/conf/eth1/forwarding
1

* As your rightsourceip addresses are part of leftsubnet, how does
        routing work? 
leftsubnet=fc00::/64
rightsourceip=fc00::2:0/64

From the GW I can ping everything within the internal network while the tunnel is established.

Do LAN hosts know they have to forward rightsourceip addresses over the gateway? (the farp plugin works for IPv4 only)

Unsure how to address this. I see my client doing ARP requests, but I never see anything come to my GW.



After the tunnel is up... I find it odd that my address is assigned (FC00::2:0/64 to my client), but on the gateway I see the following.

route -6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
fc00::2:0/128                  ::                         U    1024 0     0 eth0
::/0                           ::                         !n   -1  1   506 lo
fc00::/64                      ::                         U    256 0     1 eth1
fe80::/64                      ::                         U    256 0     0 eth1
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           fc00::1                    UG   1024 0     0 eth1
::/0                           fe80::209:b7ff:fee0:c29e   UGDAe 1024 0     0 eth0
::/0                           ::                         !n   -1  1   506 lo
::1/128                        ::                         Un   0   1     5 lo
fc00::a/128                    ::                         Un   0   1   153 lo
fe80::250:56ff:fe9a:4262/128   ::                         Un   0   1     0 lo
fe80::250:56ff:fe9a:71f5/128   ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 0     0 eth1
ff00::/8                       ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1   506 lo




Regards,

Adrian Milanoski
Lab Administrator
BBOS WiFI VPN. Security Testing – R&D
Tel.(289) 261-5801 | Cel: (647) 289-261-5801
Email  amilanoski at blackberry.com







-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org] 
Sent: Friday, November 15, 2013 4:15 AM
To: Adrian Milanoski
Cc: Users at lists.strongswan.org
Subject: Re: [strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing

Adrian,

> I can ping my GW private side via IPV6, but no packets are seen trying 
> to leave any interface when I ping another system on the internal 
> network.

>       leftsubnet=fc00::/16
>       rightsourceip=fc00::2:1/112

Sounds like a routing/forwarding issue.

      * Have you enabled IPv6 forwarding? (sysctl
        net.ipv6.conf.all.forwarding)
      * As your rightsourceip addresses are part of leftsubnet, how does
        routing work? Do LAN hosts know they have to forward
        rightsourceip addresses over the gateway? (the farp plugin works
        for IPv4 only)

Regards
Martin
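
The routing question raised in this thread, worked through as an added example (not part of either message and not strongSwan code): it uses the `leftsubnet`, `rightsourceip` and `route -6` values quoted above to show how a LAN host and the gateway each treat the client's virtual IP. The LAN hosts' on-link prefix is an assumption taken from the gateway's eth1 route, and the function names are hypothetical.

```python
import ipaddress

# Values quoted in the thread.
LEFTSUBNET = "fc00::/64"
RIGHTSOURCEIP = "fc00::2:0/64"
# Assumption: LAN hosts treat the same prefix the gateway has on eth1 as on-link.
LAN_ONLINK_PREFIX = "fc00::/64"
# (destination, interface) rows copied from the `route -6` output above.
GATEWAY_ROUTES = [
    ("fc00::2:0/128", "eth0"),
    ("fc00::/64", "eth1"),
    ("::/0", "eth1"),
]

def pool_network(rightsourceip):
    """Network covering a pool written as address/prefix (host bits allowed)."""
    return ipaddress.ip_interface(rightsourceip).network

def lan_host_next_hop(dst, onlink_prefix):
    """How a LAN host delivers to dst: neighbor discovery if on-link, else its router."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network(onlink_prefix):
        return "neighbor-discovery"
    return "default-router"

def gateway_egress(dst, routes):
    """Longest-prefix match over the gateway's routes; returns the outgoing interface."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), dev) for n, dev in routes
            if addr in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def diagnose(leftsubnet, rightsourceip, onlink_prefix, virtual_ip, routes):
    """Summarise how both sides handle traffic for one virtual IP."""
    pool = pool_network(rightsourceip)
    return {
        "pool_overlaps_leftsubnet": pool.overlaps(ipaddress.ip_network(leftsubnet)),
        "lan_host_delivery": lan_host_next_hop(virtual_ip, onlink_prefix),
        "gateway_egress": gateway_egress(virtual_ip, routes),
    }

if __name__ == "__main__":
    result = diagnose(LEFTSUBNET, RIGHTSOURCEIP, LAN_ONLINK_PREFIX,
                      "fc00::2:0", GATEWAY_ROUTES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the thread's values the LAN host resolves the virtual IP by neighbor discovery on its own link instead of sending the packet to the gateway, while the gateway itself routes that address out eth0. A pool outside the on-link prefix would be sent to the hosts' default router instead.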
