[strongSwan] Neighbor discovery on ipv6 tunnel

Noel Kuntze noel at familie-kuntze.de
Tue Dec 30 20:21:40 CET 2014



Hello Robert,

Neither.
I think this needs more explanation, so I'll provide some. Read on.

First, let me talk about the farp plugin and the analogies to IPv6.
What farp does is reply to arp queries for the client's IP address with its own MAC address on the
interface where the arp query arrives. You can do the same for IPv6. Simply enable proxy arp on the interface
(sysctl net.ipv4.conf.$interface.proxy_arp=1) and add a proxy entry for that interface (ip -6 neigh add proxy $IPv6Address dev $interface).
The interface here is the physical layer two device, _on which arp queries should be replied to_. It is NOT the VPN interface (tun/tap/ipsec device).

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
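As an added illustration (not code from the thread or from strongSwan), the following script plans the proxy neighbor entries for a set of road-warrior addresses on the physical LAN interface and audits the output of `ip -6 neigh show proxy` for entries that are missing or sit on the wrong device. It uses the IPv6 sysctl `net.ipv6.conf.<iface>.proxy_ndp`, the counterpart of the proxy_arp setting mentioned above; the interface names, prefix and addresses are assumed values, and the sample `ip` output is constructed.

```python
# Added example: plan and audit IPv6 neighbor-proxy entries so that strongSwan
# road-warrior clients appear as on-link hosts of the home LAN.
import ipaddress


def plan_proxy_ndp(lan_iface, lan_prefix, client_addrs, server_addr):
    """Return the commands that make the server answer ND for each client.

    Entries belong on the physical LAN interface, never on the tunnel device,
    and only addresses inside the LAN prefix will ever be solicited there.
    """
    net = ipaddress.IPv6Network(lan_prefix)
    server = ipaddress.IPv6Address(server_addr)
    # IPv6 counterpart of net.ipv4.conf.<iface>.proxy_arp
    cmds = [f"sysctl -w net.ipv6.conf.{lan_iface}.proxy_ndp=1"]
    for a in client_addrs:
        addr = ipaddress.IPv6Address(a)
        if addr not in net:
            raise ValueError(f"{a} is outside {lan_prefix}; no LAN host will solicit it")
        if addr == server:
            raise ValueError(f"{a} is the server's own address; no proxy entry needed")
        cmds.append(f"ip -6 neigh add proxy {addr.compressed} dev {lan_iface}")
    return cmds


def audit_proxy_entries(show_output, lan_iface, client_addrs):
    """Parse `ip -6 neigh show proxy` output and report each client's state."""
    entries = {}
    for line in show_output.splitlines():
        fields = line.split()
        # Expected shape: "<address> dev <device> proxy"
        if len(fields) >= 3 and fields[1] == "dev" and "proxy" in fields:
            entries[ipaddress.IPv6Address(fields[0])] = fields[2]
    report = {}
    for a in client_addrs:
        dev = entries.get(ipaddress.IPv6Address(a))
        if dev is None:
            report[a] = "missing"
        elif dev != lan_iface:
            report[a] = f"wrong device ({dev})"
        else:
            report[a] = "ok"
    return report


# Constructed sample of `ip -6 neigh show proxy` output (assumed names).
SAMPLE_SHOW = """2001:db8:1::100 dev eth0 proxy
2001:db8:1::101 dev ipsec0 proxy
"""
```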

Am 30.12.2014 um 19:57 schrieb Robert Dyck:
> Ip neighbor needs a device. Strongswan normally doesn't create a device for
> the tunnel. Do I need to set up a VTI or use the non-kernel implementation?
>
> On December 30, 2014 07:38:41 PM Noel Kuntze wrote:
>> Hello Robert,
>>
>> The farp plugin only handles arp at the moment, not IPv6 neighbor discovery.
>> You need to set up proxy arp manually using iproute2.
>> Look at "ip neigh help".
>>
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> Am 30.12.2014 um 01:46 schrieb Robert Dyck:
>>> I had success setting up an ipv4 road warrior tunnel using strongswan at
>>> either end. My goal was for the RW to become just another host on my home
>>> LAN. This means that the RW can ping any host on the LAN in addition to
>>> the server.
>>>
>>> I then wanted to achieve a similar goal over ipv6 with the difference being that
>>> instead of private IPs I would use my global ipv6 prefix. I am able to
>>> establish the tunnel between the RW and the server and I can ping6 between
>>> them in either direction. However when I try the ping6 tests between the RW
>>> and a host other than the server, the test fails. I believe that
>>> neighbor discovery (ND) is at the root of the problem.
>>>
>>> ip6tables was set to accept everything for testing purposes. Also for
>>> testing purposes I used the ndisc6 command in addition to ping6. I will
>>> summarize the results of my testing.
>>>
>>> At the RW
>>> ping6 to server - success
>>> ndisc6 query any address - network unreachable
>>> ping6 to host other than server - 100% packet loss
>>>
>>> From the LAN
>>> ping6 to RW - address unreachable
>>> ndisc6 query RW IP - timeout, I see the query reaching the server but it
>>> does not respond.
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
