[strongSwan] Client issues with ipv6
rs-ssw at microscopium.de
Sun Feb 1 15:17:36 CET 2015
I am quite new to ipsec, just started yesterday setting up strongswan
based ipsec in a dedicated test environment. The test environment
consists of a VPN gateway, which runs on ipv4/ipv6 dual stack on both WAN
and LAN interface, and provides three different WLANs (ipv4 only, dual
stack, ipv6 only). The local LAN network is not accessible from the
internet and from all the WLAN subnets. The goal is to use ipsec VPN for
roadwarriors and local WLAN clients to allow full dual stack access to
the local LAN, regardless of which environment (ipv4 or ipv6 only, or
dual stack) they are in.
All works fine with OpenVPN, with some minor ipv6 client issues (openvpn
clients are unable to accept ipv6 dns addresses, on android ipv6 pseudo
default route must be set manually or by an up/down script).
With strongswan ipsec, I get nearly the same working configuration,
except for some ipv6 issues on nearly all clients. I wonder if I could
change anything on the gateway's configuration to solve these problems.
Here's the gateway's configuration:
charondebug="cfg 2, dmn 2, ike 2, net 2"
Now, the client problems...
1. Linux, ipsec command line client
No issues, works just perfect!
2. Linux, strongswan network-manager plugin
The Gnome NetworkManager plugin seems to not support ipv6 at all, is
that right? Are there plans to add ipv6 to this plugin?
3. Windows 7 Professional, native client
No ipv6 connectivity.
The Win7 client connects to the VPN gateway, and ipv4 connectivity is
established. But ipv6 fails, although the tun interface gets the correct
ipv6 address assigned. This results in a broken ipv6 configuration.
Applications need to fall back to ipv4 if they prefer ipv6 (as it is
recommended), but fail to connect via ipv6. Any suggestions, maybe other
4. Android strongswan client, on 4.4.4 kitkat
No ipv6 connectivity.
It seems that the client supports ipv6, the interface gets a correct
ipv6 address assigned. ipv4 works, but ipv6 fails. I need to manually
add an ipv6 default route with "ip -6 r a default dev tun0" on a root
terminal. After that, dual stack works fine. Is that a known issue that
will be fixed?
Maybe this is actually an Android bug rather than a strongswan bug, as
with OpenVPN I see exactly the same problem, but the OpenVPN client
offers hooks to run up/down scripts that I use to add/remove ipv6
(pseudo) default route "2000::/3 dev tun0".
However, ipv4 connectivity works like a charm with all tested clients!
Robert Senger <robert.senger at microscopium.de>
PGP/GPG Public Key ID: 24E78B5E