[strongSwan] strongSwan and IPv6?

Martin Willi martin at strongswan.org
Tue Oct 28 13:26:55 CET 2014

> Running " tcpdump icmp6" on the IPSec gateway shows, that the ping
> never arrives. But I am able to ping the real ipv6 of my IPSec gateway
> (2a01:XXX:YYY:ZZZZ:2). I am also able to ping from the IPSec gateway my
> connected client with the assigned IP (2a01:XXX:YYY:ZZZZ:1::1)

Which ping never arrives? To any IPv6 host on the Internet?

For that ping that works, does the traffic go over the IPsec tunnel?

>          roadwarrior{1}: ::/0 === 2a01:XXX:YYY:ZZZZ:1::1/128

I think that looks fine so far; seems that both a virtual IP for v4 and
v6 has been assigned, and tunneling to all destinations is allowed.

> 2003:56:AAAA:BBBB::/64 (my own ipv6 subnet locally at home)
> 2a01:XXX:YYY:ZZZZ::/64 (my ipv6 subnet on the dedicated, from which one ip is assigned via IPSec.)

If pinging the gateway works over your tunnel, I'd guess that route
works fine. Other hosts might not work because your IPv6 default route
does not go over the tunnel. Check the default route in your routing

In your RAS connection setting, under Networking -> IPv6 -> Advanced ->
IP Settings, check that "Use default gateway on remote network" is set.

> Thanks! But do I have to use site-local? Can't I use my IPv6 subnet
> directly?

Using your subnet should work, no need for Site-Local addresses.


More information about the Users mailing list