[strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing

Adrian Milanoski amilanoski at blackberry.com
Mon Nov 18 20:14:54 CET 2013


Hi,

Changed forwarding to 1 on all interfaces now.



Regards,

Adrian Milanoski
Lab Administrator
BBOS WiFI VPN. Security Testing – R&D
Tel.(289) 261-5801 | Cel: (647) 289-261-5801
Email  amilanoski at blackberry.com


rightsourceip=fc00::2:0/64

Subnet on the private side is
FCc00::/64

This should be fine. Should it not?

Is there any other parameter I need to adjust?




-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org] 
Sent: Monday, November 18, 2013 5:02 AM
To: Adrian Milanoski
Cc: Users at lists.strongswan.org
Subject: Re: [strongSwan] IKEv2 PSK IPv4 to IPv6 not Routing

Hi,

> cat /proc/sys/net/ipv6/conf/eth1/forwarding

And this is true for all involved interfaces?

> > Do LAN hosts know they have to forward rightsourceip addresses over 
> > the gateway? (the farp plugin works for IPv4 only)
> 
> Unsure how to address this. I see my client doing ARP requests, but I 
> never see anything come to my GW.

I assume you are talking about ICMPv6 Neighbor Discovery here?

Your LAN hosts most likely assume that the addresses you hand out to the road warrior are on the local LAN, while they are not. You'll need to allocate the rightsourceip addresses from a dedicated subnet, and make sure that the LAN hosts have a route for them over the IPsec gateway.
This can be an explicit route, or a part of the default route.

Regards
Martin
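
The check behind the advice above, as an added example that is not part of either message: it tests whether the rightsourceip pool lies inside the LAN prefix, in which case LAN hosts treat client addresses as on-link and try Neighbor Discovery instead of forwarding to the gateway. Assumptions: the private subnet is read as fc00::/64, and the dedicated pool fc00:0:0:2::/64 and gateway LAN address fc00::1 are constructed values.

```python
import ipaddress


def check_pool(pool: str, lan: str) -> dict:
    """Compare a rightsourceip pool with the LAN prefix behind the gateway."""
    # strict=False accepts a prefix written with host bits set, as
    # fc00::2:0/64 is, and reduces it to the prefix that contains it.
    pool_net = ipaddress.ip_network(pool, strict=False)
    lan_net = ipaddress.ip_network(lan, strict=False)
    if pool_net.version != lan_net.version:
        raise ValueError("pool and LAN must be the same address family")
    return {
        "pool_network": str(pool_net),
        "host_bits_set": ipaddress.ip_interface(pool).ip != pool_net.network_address,
        # True means LAN hosts consider pool addresses on-link: they send
        # Neighbor Solicitations on the LAN and nothing reaches the gateway.
        "overlaps_lan": pool_net.overlaps(lan_net),
    }


def lan_route_cmd(pool: str, lan: str, gateway_lan_addr: str) -> str:
    """Build the explicit route a LAN host needs for a dedicated pool."""
    result = check_pool(pool, lan)
    if result["overlaps_lan"]:
        raise ValueError("pool overlaps the LAN prefix; allocate a dedicated subnet")
    gw = ipaddress.ip_address(gateway_lan_addr)
    if gw not in ipaddress.ip_network(lan, strict=False):
        raise ValueError("gateway address must be reachable on the LAN prefix")
    # iproute2 syntax; a matching default route via the gateway also works.
    return f"ip -6 route add {result['pool_network']} via {gw}"


if __name__ == "__main__":
    LAN = "fc00::/64"                      # assumed reading of the private subnet
    print(check_pool("fc00::2:0/64", LAN))  # pool from the message
    # Constructed dedicated pool and gateway LAN address, for illustration.
    print(lan_route_cmd("fc00:0:0:2::/64", LAN, "fc00::1"))
```
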
