[strongSwan] Neighbor discovery on ipv6 tunnel
Robert Dyck
rob.dyck at telus.net
Tue Dec 30 21:32:12 CET 2014
I got it working although in sysctl I set net.ipv6.conf.em1.proxy_ndp=1.
Proxy_arp didn't seem quite right.
On December 30, 2014 08:21:40 PM Noel Kuntze wrote:
> Hello Robert,
>
> Neither.
> I think this needs more explanation, so I'll provide some. Read on.
>
> First, let me talk about the farp plugin and the analogies to IPv6.
> What farp does is reply to arp queries for the client's IP address with his
> own MAC address on the interface where the arp query arrives on. You can do
> the same for IPv6. Simply enable proxy arp on the interface (sysctl
> net.ipv4.conf.$interface.proxy_arp=1) and add a proxy entry for that
> interface (ip -6 neigh add proxy $IPv6Address dev $interface). The
> interface here is the physical layer two device, _on which arp queries
> should be replied to_. It is NOT the VPN interface (tun/tap/ipsec device).
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 30.12.2014 um 19:57 schrieb Robert Dyck:
> > Ip neighbor needs a device. Strongswan normally doesn't create a device
> > for the tunnel. Do I need to set up a VTI or use the non-kernel
> > implementation?
> >
> > On December 30, 2014 07:38:41 PM Noel Kuntze wrote:
> >> Hello Robert,
> >>
> >> The farp plugin only handles arp at the moment, not IPv6 neighbor
> >> discovery. You need to set up proxy arp manually using iproute2.
> >> Look at "ip neigh help".
> >>
> >> Mit freundlichen Grüßen/Regards,
> >> Noel Kuntze
> >>
> >> GPG Key ID: 0x63EC6658
> >> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >>
> >> Am 30.12.2014 um 01:46 schrieb Robert Dyck:
> >>> I had success setting up an ipv4 road warrior tunnel using strongswan at
> >>> either end. My goal was for the RW to become just another host on my home
> >>> LAN. This means that the RW can ping any host on the LAN in addition to
> >>> the server.
> >>>
> >>> I then wanted to achieve a similar goal over ipv6, with the difference being
> >>> that instead of private IPs I would use my global ipv6 prefix. I am able to
> >>> establish the tunnel between the RW and the server and I can ping6 between
> >>> them in either direction. However when I try the ping6 tests between the RW
> >>> and a host other than the server, the test fails. I believe that neighbor
> >>> discovery (ND) is at the root of the problem.
> >>>
> >>> Ip6tables were set to accept everything for testing purposes. Also for
> >>> testing purposes I used the ndisc6 command in addition to ping6. I will
> >>> summarize the results of my testing.
> >>>
> >>> At the RW
> >>> ping6 to server - success
> >>> ndisc6 query any address - network unreachable
> >>> ping6 to host other than server - 100% packet loss
> >>>
> >>> From the LAN
> >>> ping6 to RW - address unreachable
> >>> ndisc6 query RW IP - timeout, I see the query reaching the server but it
> >>> does not respond.
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.strongswan.org
> >>> https://lists.strongswan.org/mailman/listinfo/users
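A small script for the proxy-NDP setup Noel describes and Robert confirms (proxy_ndp sysctl plus a per-address proxy neighbor entry on the LAN-facing device, never on the tunnel device), added here as an example and not taken from the thread. The interface em1 and the client address 2001:db8:1::100 are constructed placeholders, and the forwarding sysctl is my own assumption, since the server has to route between the tunnel and the LAN for the road warrior to reach other hosts.

```sh
#!/bin/sh
# Constructed example: make a road-warrior client's global IPv6 address
# answerable on the home LAN by letting the VPN server proxy ND for it.
# Run as root on the server; DRY_RUN=1 only prints the commands.

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Light syntax check: must contain a colon and only hex digits and colons.
is_ipv6() {
  case "$1" in
    *:*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *[!0-9A-Fa-f:]*) return 1 ;;
  esac
  return 0
}

# proxy_ndp_setup IFACE ADDR...
# IFACE is the physical LAN interface (e.g. em1), not the IPsec/VTI device.
proxy_ndp_setup() {
  iface=$1; shift
  [ -n "$iface" ] || { echo "usage: proxy_ndp_setup IFACE ADDR..." >&2; return 2; }
  # Let the kernel answer neighbor solicitations for proxied addresses.
  run sysctl -w "net.ipv6.conf.${iface}.proxy_ndp=1"
  # Assumption: the server must also forward between tunnel and LAN.
  run sysctl -w net.ipv6.conf.all.forwarding=1
  for addr in "$@"; do
    is_ipv6 "$addr" || { echo "bad IPv6 address: $addr" >&2; return 2; }
    # One proxy entry per client address; 'replace' is idempotent on re-run.
    run ip -6 neigh replace proxy "$addr" dev "$iface"
  done
}

# Remove the proxy entries again when the client goes away.
proxy_ndp_teardown() {
  iface=$1; shift
  for addr in "$@"; do
    run ip -6 neigh del proxy "$addr" dev "$iface"
  done
}
```

Check what was installed with `ip -6 neigh show proxy`; the entries must be on the LAN interface, and a solicitation for the client address arriving there should now get an advertisement from the server's MAC.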