[strongSwan] Trouble mixing ipv4 and ipv6 configuration within a single connection

Robert Dyck rob.dyck at telus.net
Mon Dec 15 20:12:40 CET 2014

The main point I was trying to get across was that adding %config6 parameter on 
the server resulted in the server being unable contact any ipv4 host on the 
LAN other than the road warrior. As I said I deconstructed my experimental 
configuration until I narrowed it to that single parameter.

As luck would have it, I had a power outage and of course the server booted 
when the power was restored. After the server was restored I was unable 
replicate the problem. I assume that my various experiments had left something 
in the routing tables which was the root cause of my difficulties.

What I was wanting on ipv4 was for the RW to be assigned an address on my 
existing LAN's subnet. I did not want the RW to have its own subnet. I was 
successful in doing that. Then I wanted to essentially duplicate that with 
ipv6 with the exception that my ipv6 prefix on the LAN  was globally routable.

If I am understanding the documentation the rightsourceip can be used to 
create a pool of potential addresses. If I specify my ipv6 prefix here the 
server does indeed assign an address to the RW. Unfortunately the address it 
assigns ( my-prefix::1 ) is already in use. If I explicitly request my-prefix::2 
the server overrides it with my-prefix::1 anyway. Is there a way to achieve my 
objective without creating an external pool?

On December 15, 2014 11:34:12 AM Martin Willi wrote:
> Hi Rob,
> > On the server I used rightsoureip=%dhcp,%config6.
> > 
> > The ipv6 address was explicitly defined on the laptop.
> How did you define leftsourceip on the laptop? You'll need to request
> both an IPv4 and an IPv6 address, for example by using something like:
>   leftsourceip=%config,fec2::10
> Also, you may try to consider requesting any IPv6 address using
> %config4,%config6 on the client and then use a pool on the responder,
> such as %dhcp,fec2::10:/120.
> I assume you are using the farp plugin for IPv4 to fake ARP responses on
> your local LAN. strongSwan responds to ARP requests on behalf of its
> IPsec clients and forward traffic accordingly. For IPv6, you'd need
> something similar and handle Neighbor Discovery; strongSwan currently
> does not provide a solution for that.
> > When I tested my configuration I found that the ipv6 address was indeed
> > set on the laptop but no tunnel was created for either ipv4 or ipv6.
> Did you adjust your traffic selectors to include IPv6 as well as IPv4?
> On the server, you'd need something like:
>   leftsubnet=,::/0
> Also you'll need to request traffic selectors for both families on the
> client.
> Regards
> Martin

More information about the Users mailing list