[strongSwan] strongSwan and IPv6?

Martin Willi martin at strongswan.org
Mon Oct 27 11:56:42 CET 2014

> My first try was, to change rightsourceip= to
> rightsourceip=, 2a01:XXX:YYY:ZZZ:1::/64.
> 2a01:XXX:YYY:ZZZ:1::/64 is my native IPv6 subnet on the dedicated
> server. After connecting, one IPv6 is being pushed, but obviously that
> is not enough.

Not sure how well Windows Phone handles dual-stack tunnels; it must
support requesting both an IPv4 and IPv6 address, and then negotiate the
traffic selectors accordingly. Your configuration looks fine so far, but
you won't need a /64 pool for your full prefix, a smaller pool for
addresses somewhere in your prefix is probably sufficient.

> I still can only reach ipv4 sites. I am missing maybe
> some routing?

      * Check "ipsec statusall" if you get properly negotiated traffic
        selectors including both IPv4 and IPv6
      * Check if IPv6 forwarding is enabled on your IPsec gateway
      * Make sure routing from your network to your virtual IP address
        works; please be aware that the farp plugin does not work for
      * If IPv6 still does not work, try to attach a network sniffer to
        see where packets get lost.

> I've also found some ipv6 examples on the strongSwan site, but there
> are used some fec1 addresses, which I don't understand. Those seems not
> to be public ipv6 addresses?

Those fec1 addresses are (now deprecated) Site-Local addresses. Our test
suite still uses them, very similar to the Private Network IPv4 10.x and
192.168.x addresses.


More information about the Users mailing list