[strongSwan] Ipv6 routing problem

Kevin Maziere kevin at kbrwadventure.com
Thu Dec 11 17:50:09 CET 2014


echo 1 > /proc/sys/net/ipv6/conf/private/forwarding and then it works ...



2014-12-11 17:26 GMT+01:00 Kevin Maziere <kevin at kbrwadventure.com>:

> Hello
>
> I've setup VPN for both ipv4 and ipv6 traffic.
> My config doesn't work for site-to-site or RW configuration.
> Problem : can't access to IPV6 behind the GATEWAY
> Ipv4 is working fine with the same configuration
>
> *Architecture :*
>
> *RW client <-> VPN GW <-> SERVER*
> *SERVER A <->VPN GWA <->VPN GWB <-> SERVER B*
>
> The RW client can ping the ipv6 of the VPN GW through the tunnel, but can't
> access the SERVER, a tcpdump on the client shows nothing.
> No ip6tables rules, and route are correctly set for the Ipv6 network on
> the SERVER to go to VPN GATEWAY, and tcpdump on VPN GATEWAY show that
> packet to RW client are correctly routed over VPN GW from SERVER
>
> The VPN GWA can ping the Ipv6 on the VPN GWB, and vice-versa. SERVER A and
> SERVER B, with correct routes, can't reach each other.
>
>
> *Strongswan conf for RW *
>
> (ipv6 has been replaced with fake)
>
> *RW side*
>
>
> conn base
>     right=vpn.domain
>     rightsubnet=172.16.0.0/12,2001:41a9:d4:aaaa::/64,2001:41a9:d4:bbbb::/64
>     leftsubnet=10.0.255.0/24,001:41a9:d4:cccc::/64
>     leftsourceip=%config,%config6
>     esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096
>     ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096
>     fragmentation=yes
>     auto=add
>
> *SERVER side :*
>
>
> conn base
>     left=%any
>     leftid=vpn.domain
>     leftsubnet=172.16.0.0/12,2001:41a9:d4:aaaa::/64,2001:41a9:d4:bbbb::/64
>     #leftfirewall=yes
>     right=%any
>     rightsourceip=10.0.255.0/24,2001:41a9:d4:cccc::/64
>     rightdns=8.8.8.8,8.8.4.4
>     esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096
>     ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096
>     fragmentation=yes
>     auto=add
>
> On both fragment size is set to 1440
>
> *Server side*
>
>
> ip -6 route list table 220
> 2001:419a:d4:cccc:1 via public.ipv6.gw.of.the.provder dev public  proto static  src ipv6.of.the.server  metric 1024
> Note that ipv6 I used is routed ipv6, but I don't think it is related.
>
> *Client side: *
>
> ip -6 route list table 220
> 2001:419a:d4:aaaa::/64 via fe80::2695:4ff:fe7a:9968 dev eth0  proto static  src 2001:419a:d4:cccc::1  metric 1024
>
> I've tried to set server side routing table 220 without the *ipv6.gw.of.the.provde,
> *it doesn't change anything.
> On the client side I'm pretty sure that the packet flow goes into the
> tunnel, on the VPN GATEWAY I don't know ...
>
> If someone can help
>
> Kévin
>
>
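
Added example, not part of the original post: a shell check for the setting the reply changed, reading the forwarding flag of every entry under /proc/sys/net/ipv6/conf on a gateway and flagging those that are 0. The function names are hypothetical; the interface names "private" and "public" are the ones that appear in the post.

```shell
#!/bin/sh
# Directory defaults to the live sysctl tree; pass another one for testing.

# Print "<iface> <value>" for every entry under the conf directory.
ipv6_fwd_list() {
    conf_dir=${1:-/proc/sys/net/ipv6/conf}
    for f in "$conf_dir"/*/forwarding; do
        [ -r "$f" ] || continue          # glob matched nothing or unreadable
        iface=${f%/forwarding}
        iface=${iface##*/}
        printf '%s %s\n' "$iface" "$(cat "$f")"
    done
}

# Print the names of entries whose flag is 0, space-separated on one line.
ipv6_fwd_disabled() {
    ipv6_fwd_list "$1" |
        awk '$2 == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# ipv6_fwd_check DIR IFACE...: return 0 only if every named interface
# exists and has forwarding enabled; report the others on stderr.
ipv6_fwd_check() {
    conf_dir=$1; shift
    rc=0
    for want in "$@"; do
        val=$(cat "$conf_dir/$want/forwarding" 2>/dev/null) || val=missing
        if [ "$val" = 0 ] || [ "$val" = missing ]; then
            echo "IPv6 forwarding off on $want (value: $val)" >&2
            rc=1
        fi
    done
    return $rc
}

# Show the current state of this host (prints nothing if IPv6 is absent).
ipv6_fwd_list
# On the gateway from the post one would run, for example:
#   ipv6_fwd_check /proc/sys/net/ipv6/conf all private public
```
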