[strongSwan] Trouble mixing ipv4 and ipv6 configuration within a single connection
Robert Dyck
rob.dyck at telus.net
Mon Dec 15 20:12:40 CET 2014
The main point I was trying to get across was that adding the %config6 parameter on
the server resulted in the server being unable to contact any ipv4 host on the
LAN other than the road warrior. As I said, I deconstructed my experimental
configuration until I narrowed it to that single parameter.
As luck would have it, I had a power outage and of course the server rebooted
when the power was restored. After the server was restored I was unable to
replicate the problem. I assume that my various experiments had left something
in the routing tables which was the root cause of my difficulties.
What I was wanting on ipv4 was for the RW to be assigned an address on my
existing LAN's subnet. I did not want the RW to have its own subnet. I was
successful in doing that. Then I wanted to essentially duplicate that with
ipv6 with the exception that my ipv6 prefix on the LAN was globally routable.
If I am understanding the documentation, rightsourceip can be used to
create a pool of potential addresses. If I specify my ipv6 prefix here the
server does indeed assign an address to the RW. Unfortunately the address it
assigns (my-prefix::1) is already in use. If I explicitly request my-prefix::2
the server overrides it with my-prefix::1 anyway. Is there a way to achieve my
objective without creating an external pool?
On December 15, 2014 11:34:12 AM Martin Willi wrote:
> Hi Rob,
>
> > On the server I used rightsourceip=%dhcp,%config6.
> >
> > The ipv6 address was explicitly defined on the laptop.
>
> How did you define leftsourceip on the laptop? You'll need to request
> both an IPv4 and an IPv6 address, for example by using something like:
>
> leftsourceip=%config,fec2::10
>
> Also, you may try to consider requesting any IPv6 address using
> %config4,%config6 on the client and then use a pool on the responder,
> such as %dhcp,fec2::10:/120.
>
> I assume you are using the farp plugin for IPv4 to fake ARP responses on
> your local LAN. strongSwan responds to ARP requests on behalf of its
> IPsec clients and forwards traffic accordingly. For IPv6, you'd need
> something similar and handle Neighbor Discovery; strongSwan currently
> does not provide a solution for that.
>
> > When I tested my configuration I found that the ipv6 address was indeed
> > set on the laptop but no tunnel was created for either ipv4 or ipv6.
>
> Did you adjust your traffic selectors to include IPv6 as well as IPv4?
> On the server, you'd need something like:
>
> leftsubnet=0.0.0.0/0,::/0
>
> Also you'll need to request traffic selectors for both families on the
> client.
>
> Regards
> Martin
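The following ipsec.conf fragments are an added example, not configuration posted by Rob or Martin and not strongSwan's own documentation. They put Martin's suggestions together for a dual-stack road warrior: traffic selectors for both address families on both ends, %config4,%config6 on the client, and on the server an IPv6 pool given as an explicit address range so that the first lease is not the already-used prefix::1. Names, certificates, the documentation prefix 2001:db8:1::/64 and the LAN 192.168.1.0/24 are assumptions; %dhcp requires the dhcp plugin and IPv4 proxy ARP on the LAN requires the farp plugin, as in the thread.

```ini
# --- /etc/ipsec.conf on the gateway (responder) ---
# Assumed addressing: LAN is 192.168.1.0/24 and 2001:db8:1::/64,
# the gateway itself already holds 2001:db8:1::1 on its LAN interface.
config setup

conn rw-dualstack
    keyexchange=ikev2
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@gw.example.org
    # Selectors for BOTH families. Without ::/0 here no IPv6 CHILD_SA
    # is negotiated even though a %config6 address may be handed out.
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    # IPv4 lease from the LAN's DHCP server (dhcp plugin), IPv6 lease
    # from an in-config pool written as a range rather than a prefix, so
    # allocation starts at ::100 instead of at ::1.
    rightsourceip=%dhcp,2001:db8:1::100-2001:db8:1::1ff
    auto=add

# --- /etc/ipsec.conf on the road warrior (initiator) ---
conn rw-dualstack
    keyexchange=ikev2
    left=%defaultroute
    leftcert=laptopCert.pem
    leftid=@laptop.example.org
    # Request one virtual IP of each family from the responder.
    leftsourceip=%config4,%config6
    right=gw.example.org
    rightid=@gw.example.org
    # Matching selectors so both an IPv4 and an IPv6 CHILD_SA are proposed.
    rightsubnet=0.0.0.0/0,::/0
    auto=start
```

After bringing the tunnel up, `ipsec leases` on the gateway should list the IPv6 lease from the 2001:db8:1::100 range next to the DHCP-derived IPv4 lease, and `ipsec statusall` should show two CHILD_SAs (or one with selectors of both families). Note that, as Martin says, the farp plugin only answers ARP, so IPv6 hosts on the LAN will not find the road warrior's ::100 address through strongSwan; on a Linux gateway the kernel's own proxy-ND (`net.ipv6.conf.<if>.proxy_ndp=1` plus `ip -6 neigh add proxy <addr> dev <if>`) is one way to fill that gap, which is an assumption outside this thread rather than something strongSwan configures for you.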