[strongSwan] strongSwan and IPv6?

Conrad Kostecki ck at conrad-kostecki.de
Mon Oct 27 22:28:36 CET 2014


> Not sure how well Windows Phone handles dual-stack tunnels; it must support requesting both
> an IPv4 and IPv6 address, and then negotiate the traffic selectors accordingly. Your configuration
> looks fine so far, but you won't need a /64 pool for your full prefix, a smaller pool for addresses
> somewhere in your prefix is probably sufficient.

Well. I think Windows Phone should do it. But I don't know for sure. What about Windows 8.1? I've now installed the IPsec connection on my Windows 8.1 notebook, which showed exactly the same problems.

You are right that /64 is too big. I've just copied the wrong value. It's not set to /120.

> * Check "ipsec statusall" if you get properly negotiated traffic
> selectors including both IPv4 and IPv6

I am not sure. Maybe you could have a look?
-> http://pastebin.com/wGcafBk2

> * Check if IPv6 forwarding is enabled on your IPsec gateway
/proc/sys/net/ipv6/conf/all/forwarding is set to 1

> * Make sure routing from your network to your virtual IP address works;

I think that could be my problem. When I try to ping some IPv6 host, I am only getting this:
"PING: Error during transmission. General Error."

Running " tcpdump icmp6" on the IPSec gateway shows, that the ping never arrives. But I am able to ping the real ipv6 of my IPSec gateway (2a01:XXX:YYY:ZZZZ:2). I am also able to ping from the IPSec gateway my connected client with the assigned IP (2a01:XXX:YYY:ZZZZ:1::1)

Maybe some route is missing? My connected Windows 8.1 has these routes:
-> http://pastebin.com/LuVfM1UB

2003:56:AAAA:BBBB::/64 (my own IPv6 subnet locally at home)
2a01:XXX:YYY:ZZZZ::/64 (my IPv6 subnet on the dedicated, from which one IP is assigned via IPsec)

> Those fec1 addresses are (now deprecated) Site-Local addresses. Our test suite still uses them,
> very similar to the Private Network IPv4 10.x and 192.168.x addresses. 

Thanks! But do I have to use site-local? Can't I use my IPv6 subnet directly?

Cheers
Conrad
