[strongSwan] Neighbor discovery on ipv6 tunnel

Robert Dyck rob.dyck at telus.net
Tue Dec 30 20:31:05 CET 2014


I will give it a try.

Is ipv6 neighbor discovery on the strongswan road map?

On December 30, 2014 08:21:40 PM Noel Kuntze wrote:
> Hello Robert,
> 
> Neither.
> I think this needs more explanation, so I'll provide some. Read on.
> 
> First, let me talk about the farp plugin and the analogies to IPv6.
> What farp does is reply to arp queries for the client's IP address with his
> own MAC address on the interface where the arp query arrives on. You can do
> the same for IPv6. Simply enable proxy arp on the interface (sysctl
> net.ipv4.conf.$interface.proxy_arp=1) and add a proxy entry for that
> interface (ip -6 neigh add proxy $IPv6Address dev $interface). The
> interface here is the physical layer two device, _on which arp queries
> should be replied to_. It is NOT the VPN interface (tun/tap/ipsec device).
> 
> With kind regards/Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> On 30.12.2014 at 19:57 Robert Dyck wrote:
> > Ip neighbor needs a device. Strongswan normally doesn't create a device
> > for the tunnel. Do I need to set up a VTI or use the non-kernel
> > implementation?
> > 
> > On December 30, 2014 07:38:41 PM Noel Kuntze wrote:
> >> Hello Robert,
> >> 
> >> The farp plugin only handles arp at the moment, not IPv6 neighbor
> >> discovery. You need to set up proxy arp manually using iproute2.
> >> Look at "ip neigh help".
> >> 
> >> With kind regards/Regards,
> >> Noel Kuntze
> >> 
> >> GPG Key ID: 0x63EC6658
> >> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >> 
> >> On 30.12.2014 at 01:46 Robert Dyck wrote:
> >>> I had success setting up an ipv4 road warrior tunnel using strongswan at
> >>> either end. My goal was for the RW to become just another host on my home
> >>> LAN. This means that the RW can ping any host on the LAN in addition to
> >>> the server.
> >>> 
> >>> I then wanted to achieve a similar goal over ipv6, with the difference being
> >>> that instead of private IPs I would use my global ipv6 prefix. I am able to
> >>> establish the tunnel between the RW and the server and I can ping6 between
> >>> them in either direction. However, when I try the ping6 tests between the RW
> >>> and a host other than the server, the test fails. I believe that neighbor
> >>> discovery (ND) is at the root of the problem.
> >>> 
> >>> Ip6tables were set to accept everything for testing purposes. Also for
> >>> testing purposes I used the ndisc6 command in addition to ping6. I will
> >>> summarize the results of my testing.
> >>> 
> >>> At the RW
> >>> ping6 to server - success
> >>> ndisc6  query any address - network unreachable
> >>> ping6 to host other than server - 100% packet loss
> >>> 
> >>> From the LAN
> >>> ping6 to RW - address unreachable
> >>> ndisc6 query RW IP - timeout, I see the query reaching the server but it
> >>> does not respond.
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.strongswan.org
> >>> https://lists.strongswan.org/mailman/listinfo/users
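As an added example (not code from this thread or from the strongSwan project), a small POSIX sh helper that builds the proxy-ND commands Noel describes for one road-warrior address, with the guardrails a practitioner wants: it refuses a VPN/tunnel device, accepts only a global unicast address, and skips the add when `ip -6 neigh show proxy` already lists the entry. It assumes the IPv6 sysctl `net.ipv6.conf.<if>.proxy_ndp` (the IPv6 counterpart of the IPv4 `proxy_arp` knob quoted above), a LAN interface named `eth0`, and documentation-prefix addresses, and it only prints the commands rather than running them.

```shell
#!/bin/sh
# Constructed example: emit the proxy-ND setup for one road warrior (RW)
# address on the gateway's LAN interface. Nothing here touches the system;
# the output is meant to be reviewed, then run as root.

# is_vpn_device NAME: succeed if NAME looks like a tunnel/VPN interface.
# Proxy entries belong on the layer-2 LAN device, never on the VPN device.
is_vpn_device() {
    case "$1" in
        tun*|tap*|ipsec*|vti*|xfrm*|wg*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_global_v6 ADDR: rough check for a 2000::/3 (global unicast) address,
# which rules out link-local (fe80::) and ULA (fc00::/7) addresses.
is_global_v6() {
    case "$1" in
        [23]*:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_proxy_entry ADDR IFACE NEIGH_OUTPUT: search captured
# `ip -6 neigh show proxy` output so that the add stays idempotent.
has_proxy_entry() {
    printf '%s\n' "$3" | grep -Eq "^$1 dev $2( |$)"
}

# proxy_ndp_cmds IFACE ADDR NEIGH_OUTPUT: print the commands, or fail
# with a reason on stderr.
proxy_ndp_cmds() {
    iface=$1; addr=$2; neigh=$3
    if is_vpn_device "$iface"; then
        echo "refusing: $iface is a VPN/tunnel device; use the LAN interface" >&2
        return 1
    fi
    if ! is_global_v6 "$addr"; then
        echo "refusing: $addr is not a global unicast address" >&2
        return 1
    fi
    # Assumed IPv6 sysctl; proxy_ndp is the IPv6 analogue of proxy_arp.
    echo "sysctl -w net.ipv6.conf.$iface.proxy_ndp=1"
    if has_proxy_entry "$addr" "$iface" "$neigh"; then
        echo "# proxy entry for $addr on $iface already present"
    else
        echo "ip -6 neigh add proxy $addr dev $iface"
    fi
}

# Constructed sample of `ip -6 neigh show proxy` on the gateway.
SAMPLE_PROXY_TABLE='2001:db8:1::10 dev eth0 proxy'

proxy_ndp_cmds eth0 2001:db8:1::20 "$SAMPLE_PROXY_TABLE"
```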
