[strongSwan] Neighbor discovery on ipv6 tunnel

Noel Kuntze noel at familie-kuntze.de
Tue Dec 30 20:34:55 CET 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Robert,

The road map [1] that is visible to me (as to everyone else) does not contain such a change.

[1] https://wiki.strongswan.org/projects/strongswan/roadmap

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 30.12.2014 um 20:31 schrieb Robert Dyck:
> I will give it a try.
>
> Is ipv6 neighbor discovery on the strongswan road map?
>
> On December 30, 2014 08:21:40 PM Noel Kuntze wrote:
>> Hello Robert,
>>
>> Neither.
>> I think this needs more explanation, so I'll provide some. Read on.
>>
>> First, let me talk about the farp plugin and the analogies to IPv6.
>> What farp does is reply to arp queries for the client's IP address with his
>> own MAC address on the interface on which the arp query arrives. You can do
>> the same for IPv6. Simply enable proxy arp on the interface (sysctl
>> net.ipv4.conf.$interface.proxy_arp=1) and add a proxy entry for that
>> interface (ip -6 neigh add proxy $IPv6Address dev $interface). The
>> interface here is the physical layer two device, _on which arp queries
>> should be replied to_. It is NOT the VPN interface (tun/tap/ipsec device).
>>
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> Am 30.12.2014 um 19:57 schrieb Robert Dyck:
>>> Ip neighbor needs a device. Strongswan normally doesn't create a device
>>> for the tunnel. Do I need to set up a VTI or use the non-kernel
>>> implementation?
>>>
>>> On December 30, 2014 07:38:41 PM Noel Kuntze wrote:
>>>> Hello Robert,
>>>>
>>>> The farp plugin only handles arp at the moment, not IPv6 neighbor
>>>> discovery. You need to set up proxy arp manually using iproute2.
>>>> Look at "ip neigh help".
>>>>
>>>> Mit freundlichen Grüßen/Regards,
>>>> Noel Kuntze
>>>>
>>>> GPG Key ID: 0x63EC6658
>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>
>>>> Am 30.12.2014 um 01:46 schrieb Robert Dyck:
>>>>> I had success setting up an ipv4 road warrior tunnel using strongswan at
>>>>> either end. My goal was for the RW to become just another host on my
>>>>> home LAN. This means that the RW can ping any host on the LAN in
>>>>> addition to the server.
>>>>>
>>>>> I then wanted to achieve a similar goal over ipv6, with the difference
>>>>> being that instead of private IPs I would use my global ipv6 prefix. I
>>>>> am able to establish the tunnel between the RW and the server and I can
>>>>> ping6 between them in either direction. However, when I try the ping6
>>>>> tests between the RW and a host other than the server, the test fails.
>>>>> I believe that neighbor discovery ( ND ) is at the root of the problem.
>>>>>
>>>>> Ip6tables were set to accept everything for testing purposes. Also for
>>>>> testing purposes I used the ndisc6 command in addition to ping6. I will
>>>>> summarize the results of my testing.
>>>>>
>>>>> At the RW
>>>>> ping6 to server - success
>>>>> ndisc6 query any address - network unreachable
>>>>> ping6 to host other than server - 100% packet loss
>>>>>
>>>>> From the LAN
>>>>> ping6 to RW - address unreachable
>>>>> ndisc6 query RW IP - timeout, I see the query reaching the server but it
>>>>> does not respond.
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org
>>>>> https://lists.strongswan.org/mailman/listinfo/users
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
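
The manual setup described in the quoted reply above (enable proxying on the physical layer-two interface, then add a proxy neighbor entry for the client's address), sketched for the IPv6 case as an added example that is not part of the original thread. It uses the kernel's IPv6 switch net.ipv6.conf.<iface>.proxy_ndp, which the thread does not name; eth0, the 2001:db8:: address, the function names and the sample output are constructed, and the interface-name check is a heuristic.

```shell
#!/bin/sh
# Added example: builds (does not run) the commands for IPv6 proxy NDP.
# eth0 and the 2001:db8:: address are constructed placeholders.

# Refuse names that look like tunnel devices: the proxy entry belongs on the
# physical layer-two interface, not on tun/tap/ipsec/vti (heuristic check).
is_l2_candidate() {
    case "$1" in
        ""|tun*|tap*|ipsec*|vti*) return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;   # also keeps the sysctl key well-formed
        *) return 0 ;;
    esac
}

# Loose syntactic check: hex digits and colons only, at least two colons.
is_ipv6_literal() {
    case "$1" in
        ""|*[!0-9A-Fa-f:]*) return 1 ;;
        *:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the two commands an administrator would review and run as root.
# Usage: ndp_proxy_cmds <interface> <client IPv6 address>
ndp_proxy_cmds() {
    is_l2_candidate "$1" || { echo "refusing interface '$1'" >&2; return 1; }
    is_ipv6_literal "$2" || { echo "not an IPv6 literal: '$2'" >&2; return 1; }
    echo "sysctl -w net.ipv6.conf.$1.proxy_ndp=1"
    echo "ip -6 neigh add proxy $2 dev $1"
}

# Read captured "ip -6 neigh show proxy" output on stdin and succeed only if
# the address is proxied on the given interface.
has_proxy_entry() {
    awk -v a="$2" -v i="$1" '$1==a && $2=="dev" && $3==i {f=1} END {exit !f}'
}

# Constructed sample of "ip -6 neigh show proxy" output.
SAMPLE="2001:db8:1::100 dev eth0  proxy"

if [ "${1:-}" = "demo" ]; then
    ndp_proxy_cmds eth0 2001:db8:1::100
    printf '%s\n' "$SAMPLE" | has_proxy_entry eth0 2001:db8:1::100 && echo present
fi
```

On a live gateway, pipe the real `ip -6 neigh show proxy` output into `has_proxy_entry` after applying the printed commands.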
