[strongSwan] strongSwan and IPv6?

Conrad Kostecki ck at conrad-kostecki.de
Sun Oct 26 15:25:49 CET 2014


Hi,
I am trying to set up IPsec with strongSwan, in order to get VPN working on my Windows Phone 8.1.
Currently, IPsec is a new world for me, as I was using OpenVPN previously with my old Android phone.

I've emerged the current strongSwan on Gentoo:
net-misc/strongswan-5.2.0-r1  USE="caps curl dhcp eap gmp non-root openssl pkcs11"

The server itself is a dedicated one with a public IPv4 address and an IPv6 /64 subnet. The Windows Phone is behind an IPv4 NAT and has native IPv6.

CLIENT (dynamic IPv4 and/or dynamic native IPv6) <-> INTERNET <-> DEDICATED SERVER (static native IPv4, static native IPv6) <-> INTERNET

Currently, I've created a configuration which works fine for IPv4. My Windows Phone can connect and is being tunnelled fine. The connection itself works via either IPv4 or IPv6.

conn %default
        dpdaction=clear
        dpddelay=60s
        ike=aes256-sha512-modp4096
        keyexchange=ikev2

conn roadwarrior
        auto=add
        eap_identity=%any
        left=%any
        leftauth=pubkey
        leftcert=server.crt
        leftsubnet=0.0.0.0/0,::/0
        leftid=@vpn.domain.tld
        right=%any
        rightauth=eap-mschapv2
        rightsourceip=192.168.164.0/24

After I am connected, I can only reach IPv4 stuff, which would be normal, as I haven't configured any IPv6 with strongSwan? But I have some trouble understanding how I can configure IPv6.

My first try was to change rightsourceip=192.168.164.0/24 to rightsourceip=192.168.164.0/24, 2a01:XXX:YYY:ZZZ:1::/64.
2a01:XXX:YYY:ZZZ:1::/64 is my native IPv6 subnet on the dedicated server. After connecting, one IPv6 address is pushed, but obviously that is not enough. I can still only reach IPv4 sites. Am I maybe missing some routing?

I am not sure if that can even work. Can someone help me with setting IPv6 up? With OpenVPN, I was only pushing RAs via TAP, and the client was connected via IPv6 and could reach those sites.

I've also found some IPv6 examples on the strongSwan site, but some fec1 addresses are used there, which I don't understand. Those don't seem to be public IPv6 addresses?

Cheers
Conrad 
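Editor's note on the routing question above, with an added example that is not part of the original post nor strongSwan's own code. When the IPv6 pool in rightsourceip is carved out of the /64 that is on-link on the server's public interface, the server hands the phone an address from that prefix, but the upstream router still resolves it with Neighbor Discovery on the LAN. Nothing answers, so return traffic never reaches the server. The server therefore has to forward IPv6 (net.ipv6.conf.all.forwarding=1), enable proxy NDP on the public interface (net.ipv6.conf.<iface>.proxy_ndp=1), and answer NDP for each assigned client address. The script below is a leftupdown hook that adds and removes one proxy-NDP entry per road warrior; it assumes (these are assumptions, not facts from the post) that strongSwan 5.x exports PLUTO_VERB, PLUTO_PEER_CLIENT (the peer's negotiated address in CIDR form) and PLUTO_INTERFACE (the interface carrying the IKE traffic) to the hook, that each client gets a /128 from the pool, and that it is wired in with a line such as leftupdown=/usr/local/libexec/ipsec/updown-ndp.sh next to rightsourceip=192.168.164.0/24,2a01:XXX:YYY:ZZZ:1::/64 in the roadwarrior conn. The hypothetical path to the stock _updown script in the last comment varies by distribution.

```shell
#!/bin/sh
# updown-ndp.sh: strongSwan leftupdown hook (added example, not strongSwan code).
# Adds a proxy-NDP entry for the IPv6 virtual address assigned to each road
# warrior when its CHILD_SA comes up, and removes it when it goes down.
#
# Assumptions (not taken from the original post):
#   - PLUTO_VERB is "up-client-v6"/"down-client-v6" for the IPv6 traffic selectors
#   - PLUTO_PEER_CLIENT is the peer's address in CIDR form, e.g. 2001:db8:1::7/128
#   - PLUTO_INTERFACE is the public interface the upstream router does NDP on
#   - net.ipv6.conf.all.forwarding=1 and net.ipv6.conf.<iface>.proxy_ndp=1 are set

# Strip the prefix length: "2001:db8:1::7/128" -> "2001:db8:1::7"
cidr_addr() {
    printf '%s\n' "${1%/*}"
}

# Return the prefix length; a bare address is treated as a /128 host.
cidr_len() {
    case "$1" in
        */*) printf '%s\n' "${1##*/}" ;;
        *)   printf '%s\n' 128 ;;
    esac
}

# Map the updown verb to an ip-neigh action; everything else is ignored, so the
# IPv4 calls for the same connection fall through harmlessly.
ndp_action() {
    case "$1" in
        up-client-v6|up-host-v6)     printf '%s\n' add ;;
        down-client-v6|down-host-v6) printf '%s\n' del ;;
        *)                           printf '%s\n' ignore ;;
    esac
}

# Print "<action> <address> <interface>" for a valid IPv6 host assignment,
# nothing for verbs we ignore, and fail for anything wider than a /128:
# proxy NDP answers for single hosts only, a whole prefix must be routed instead.
ndp_args() {  # $1 = verb, $2 = peer CIDR, $3 = interface
    action=$(ndp_action "$1")
    if [ "$action" = ignore ]; then
        return 0
    fi
    if [ "$(cidr_len "$2")" != 128 ]; then
        echo "updown-ndp: refusing non-/128 peer client $2" >&2
        return 1
    fi
    printf '%s %s %s\n' "$action" "$(cidr_addr "$2")" "$3"
}

main() {
    # Word-splitting of the substitution is intentional: three space-separated fields.
    set -- $(ndp_args "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" "$PLUTO_INTERFACE") || exit 1
    if [ $# -eq 3 ]; then
        # Each argument is passed as its own argv entry, so no shell evaluation of
        # peer-influenced data happens here; ip(8) rejects malformed addresses.
        ip -6 neigh "$1" proxy "$2" dev "$3"
    fi
    # To keep the stock behaviour (routes, firewall hooks), chain the default script
    # at a path such as /usr/lib/strongswan/_updown (hypothetical, distribution-specific):
    # exec /usr/lib/strongswan/_updown
}

# Only act when invoked by strongSwan (environment present); sourcing the file
# for testing does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    main
fi
```

With forwarding, proxy_ndp and this hook in place, the address pushed to the phone becomes reachable from the Internet through the server, and the phone's own IPv6 default route through the tunnel (leftsubnet=::/0) does the rest; only the assigned /128s are exposed, so nothing else on the /64 is answered for. The fec1 addresses in the strongSwan wiki examples are from fec0::/10, the deprecated site-local range, used there purely as placeholders; a real setup substitutes its own public prefix as above.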

