[strongSwan] strongSwan and IPv6?
martin at strongswan.org
Mon Oct 27 11:56:42 CET 2014
> My first try was, to change rightsourceip=192.168.164.0/24 to
> rightsourceip=192.168.164.0/24, 2a01:XXX:YYY:ZZZ:1::/64.
> 2a01:XXX:YYY:ZZZ:1::/64 is my native IPv6 subnet on the dedicated
> server. After connecting, one IPv6 is being pushed, but obviously that
> is not enough.
Not sure how well Windows Phone handles dual-stack tunnels; it must
support requesting both an IPv4 and IPv6 address, and then negotiate the
traffic selectors accordingly. Your configuration looks fine so far, but
you won't need a /64 pool for your full prefix, a smaller pool for
addresses somewhere in your prefix is probably sufficient.
> I still can only reach ipv4 sites. I am missing maybe
> some routing?
* Check "ipsec statusall" if you get properly negotiated traffic
selectors including both IPv4 and IPv6
* Check if IPv6 forwarding is enabled on your IPsec gateway
* Make sure routing from your network to your virtual IP address
works; please be aware that the farp plugin does not work for
* If IPv6 still does not work, try to attach a network sniffer to
see where packets get lost.
> I've also found some ipv6 examples on the strongSwan site, but there
> are used some fec1 addresses, which I don't understand. Those seems not
> to be public ipv6 addresses?
Those fec1 addresses are (now deprecated) Site-Local addresses. Our test
suite still uses them, very similar to the Private Network IPv4 10.x and
More information about the Users