[strongSwan] Trouble mixing ipv4 and ipv6 configuration within a single connection

Martin Willi martin at strongswan.org
Mon Dec 15 11:34:12 CET 2014


Hi Rob,

> On the server I used rightsourceip=%dhcp,%config6.

> The ipv6 address was explicitly defined on the laptop.

How did you define leftsourceip on the laptop? You'll need to request
both an IPv4 and an IPv6 address, for example by using something like:

  leftsourceip=%config,fec2::10

Also, you may try to consider requesting any IPv6 address using
%config4,%config6 on the client and then use a pool on the responder,
such as %dhcp,fec2::10:/120.

I assume you are using the farp plugin for IPv4 to fake ARP responses on
your local LAN. strongSwan responds to ARP requests on behalf of its
IPsec clients and forwards traffic accordingly. For IPv6, you'd need
something similar and handle Neighbor Discovery; strongSwan currently
does not provide a solution for that.

> When I tested my configuration I found that the ipv6 address was indeed
> set on the laptop but no tunnel was created for either ipv4 or ipv6.

Did you adjust your traffic selectors to include IPv6 as well as IPv4?
On the server, you'd need something like:

  leftsubnet=0.0.0.0/0,::/0

Also you'll need to request traffic selectors for both families on the
client.

Regards
Martin
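
The settings suggested in the message above, put together for both peers as an added example (not part of the original message or of the strongSwan documentation). The connection names, the hostname gateway.example.org and the IPv6 pool 2001:db8:10::/120 are constructed placeholders, and authentication options are left out on the assumption that they stay as in the existing connection.

```conf
# Added example: two separate ipsec.conf files, shown one after the other.
# Authentication settings are omitted; keep those of the existing connection.
#
# --- gateway (responder) ipsec.conf ---
conn dualstack-gw
    keyexchange=ikev2
    left=%any
    # Offer traffic selectors for both address families.
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    # IPv4 virtual IP via DHCP, IPv6 virtual IP from a pool.
    # Assumption: 2001:db8:10::/120 is a placeholder prefix that is
    # routed to this gateway, since there is no farp equivalent for
    # IPv6 Neighbor Discovery.
    rightsourceip=%dhcp,2001:db8:10::/120
    auto=add
#
# --- laptop (initiator) ipsec.conf ---
conn dualstack-client
    keyexchange=ikev2
    left=%any
    # Request one virtual IP per address family.
    leftsourceip=%config4,%config6
    # Placeholder hostname for the gateway.
    right=gateway.example.org
    # Request traffic selectors for both families, matching the
    # gateway's leftsubnet.
    rightsubnet=0.0.0.0/0,::/0
    auto=start
```

Once the connection is up, `ipsec statusall` on either peer lists the negotiated traffic selectors, which shows whether both families made it into the CHILD_SA.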


