[strongSwan] Ipv6 routing problem
Kevin Maziere
kevin at kbrwadventure.com
Thu Dec 11 17:26:53 CET 2014
Hello
I've set up a VPN for both IPv4 and IPv6 traffic.
My config doesn't work for the site-to-site or the RW configuration.
Problem: can't access IPv6 behind the GATEWAY.
IPv4 is working fine with the same configuration.
Architecture:
RW client <-> VPN GW <-> SERVER
SERVER A <-> VPN GWA <-> VPN GWB <-> SERVER B
The RW client can ping the IPv6 of the VPN GW through the tunnel, but can't
access the SERVER; a tcpdump on the client shows nothing.
No ip6tables rules, and routes are correctly set for the IPv6 network on the
SERVER to go to the VPN GATEWAY, and tcpdump on the VPN GATEWAY shows that packets to
the RW client are correctly routed over the VPN GW from the SERVER.
The VPN GWA can ping the IPv6 of the VPN GWB, and vice-versa. SERVER A and
SERVER B, with correct routes, can't reach each other.
Strongswan conf for RW
(IPv6 addresses have been replaced with fake ones)
RW side:

conn base
    right=vpn.domain
    rightsubnet=172.16.0.0/12,2001:41a9:d4:aaaa::/64,2001:41a9:d4:bbbb::/64
    leftsubnet=10.0.255.0/24,001:41a9:d4:cccc::/64
    leftsourceip=%config,%config6
    esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096
    ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096
    fragmentation=yes
    auto=add
SERVER side:

conn base
    left=%any
    leftid=vpn.domain
    leftsubnet=172.16.0.0/12,2001:41a9:d4:aaaa::/64,2001:41a9:d4:bbbb::/64
    #leftfirewall=yes
    right=%any
    rightsourceip=10.0.255.0/24,2001:41a9:d4:cccc::/64
    rightdns=8.8.8.8,8.8.4.4
    esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096
    ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096
    fragmentation=yes
    auto=add
On both sides the fragment size is set to 1440.
Server side:

ip -6 route list table 220
2001:419a:d4:cccc::1 via public.ipv6.gw.of.the.provder dev public proto static src ipv6.of.the.server metric 1024
Note that the IPv6 I use is routed IPv6, but I don't think it is related.
Client side:

ip -6 route list table 220
2001:419a:d4:aaaa::/64 via fe80::2695:4ff:fe7a:9968 dev eth0 proto static src 2001:419a:d4:cccc::1 metric 1024
I've tried to set the server-side routing table 220 without the
public.ipv6.gw.of.the.provder; it doesn't change anything.
On the client side I'm pretty sure that the packet flow goes into the
tunnel; on the VPN GATEWAY I don't know ...
If someone can help
Kévin
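One thing a reader can check mechanically from the post above is whether every remote prefix in `rightsubnet` has a covering route in the client's table 220 (the posted client output lists only the aaaa prefix although `rightsubnet` also names bbbb). The script below is an added example, not code from the post or from strongSwan; the conn block and route output are constructed samples modelled on the post, and the cccc prefix is assumed to start with `2001:`.

```python
# Added example (not from the post or strongSwan): cross-check a conn block's
# rightsubnet against the table-220 routes strongSwan installs on the client,
# and report remote IPv6 subnets that no route covers.
import ipaddress
import re

# Constructed sample modelled on the RW client config in the post; the "2001:"
# prefix on the cccc network is assumed (the post shows "001:").
CONN = """
conn base
    right=vpn.domain
    rightsubnet=172.16.0.0/12,2001:41a9:d4:aaaa::/64,2001:41a9:d4:bbbb::/64
    leftsubnet=10.0.255.0/24,2001:41a9:d4:cccc::/64
    leftsourceip=%config,%config6
    auto=add
"""
# Constructed sample of `ip -6 route list table 220` on the client.
TABLE_220 = """
2001:41a9:d4:aaaa::/64 via fe80::2695:4ff:fe7a:9968 dev eth0 proto static src 2001:41a9:d4:cccc::1 metric 1024
"""

def parse_conn_subnets(conn_text, key):
    """Networks listed for `key` (e.g. rightsubnet) in an ipsec.conf conn block."""
    m = re.search(rf"^\s*{key}=(\S+)", conn_text, re.MULTILINE)
    return [ipaddress.ip_network(s, strict=False) for s in m.group(1).split(",")] if m else []

def parse_route_prefixes(route_text):
    """Destination prefixes from `ip -6 route list` output ("default" -> ::/0)."""
    prefixes = []
    for line in route_text.splitlines():
        parts = line.split()
        if parts:
            dst = "::/0" if parts[0] == "default" else parts[0]
            prefixes.append(ipaddress.ip_network(dst, strict=False))
    return prefixes

def unrouted_remote_subnets(conn_text, route_text, version=6):
    """Remote subnets of `version` with no covering route in table 220.

    Without such a route the kernel falls back to the main table, and the packet
    may leave with a source address that does not match the IPsec policy.
    """
    routes = [r for r in parse_route_prefixes(route_text) if r.version == version]
    return [net for net in parse_conn_subnets(conn_text, "rightsubnet")
            if net.version == version and not any(net.subnet_of(r) for r in routes)]

if __name__ == "__main__":
    for net in unrouted_remote_subnets(CONN, TABLE_220):
        print(f"no table-220 route covers {net}")
```

On a live client, feed the real conn block and the real `ip -6 route list table 220` output into the two functions instead of the constructed samples.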