[strongSwan] Forward IPv6 traffic

Carl Hörberg carl.hoerberg at gmail.com
Wed Jul 1 12:39:17 CEST 2015


I've set up strongswan on a vps from digitalocean on a ubuntu 14.04 box.
It works great with the android client for ipv4 traffic but ipv6 traffic
does not seem to go through.

Server's ipsec.conf:

config setup
conn %default
  left=%any
  leftid=vpn.mydomain.com
  leftsubnet=0.0.0.0/0,::/0
  leftfirewall=yes
  right=%any
  rightsourceip=192.168.211.0/24,2a03:b0c0:2:d0::4b4:9001/64
  rightdns=8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844
conn ikev2
  keyexchange=ikev2
  dpdaction=clear
  dpddelay=300s
  rekey=no
  leftcert=vpn.mydomain.com.pem
  leftauth=pubkey
  rightauth=eap-gtc
  eap_identity=%any
  auto=add

2a03:b0c0:2:d0::4b4:9001/64 is the subnet the vps is assigned by
digitalocean.

The server log when the Android client connects:

Jul  1 10:28:11 mail-ams3 charon: 03[IKE] peer requested virtual IP %any
Jul  1 10:28:11 mail-ams3 charon: 03[CFG] assigning new lease to 'carl'
Jul  1 10:28:11 mail-ams3 charon: 03[IKE] assigning virtual IP 192.168.211.1 to peer 'carl'
Jul  1 10:28:11 mail-ams3 charon: 03[IKE] peer requested virtual IP %any6
Jul  1 10:28:11 mail-ams3 charon: 03[CFG] assigning new lease to 'carl'
Jul  1 10:28:11 mail-ams3 charon: 03[IKE] assigning virtual IP 2a03:b0c0:2:d0::4b4:9002 to peer 'carl'
Jul  1 10:28:11 mail-ams3 charon: 03[IKE] CHILD_SA ikev2{1} established with SPIs c36bd0ef_i 3501ed85_o and TS 0.0.0.0/0 ::/0 === 192.168.211.1/32 2a03:b0c0:2:d0::4b4:9002/128
Jul  1 10:28:11 mail-ams3 vpn: + carl 192.168.211.1/32 == 77.218.252.176 -- 188.166.89.56 == %any/0
Jul  1 10:28:11 mail-ams3 vpn: + carl 2a03:b0c0:2:d0::4b4:9002/128 == 77.218.252.176 -- 188.166.89.56 == %any6/0
Jul  1 10:28:11 mail-ams3 charon: 03[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR ADDR6 DNS DNS DNS6 DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
Jul  1 10:28:11 mail-ams3 charon: 03[NET] sending packet: from 188.166.89.56[4500] to 77.218.252.176[1813] (396 bytes)

I've enabled ipv6 forwarding:

# cat /proc/sys/net/ipv6/conf/all/forwarding
1

Am I missing something? Is it correct to set the VPS's IPv6 subnet as
rightsourceip?
Do I have to add any ip6tables rules for forwarding ipv6 traffic?
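The server-side checks the question is circling, collected as an added example; this is not code from the original post or from the strongSwan project. When IPv6 virtual IPs are carved out of the VPS's own on-link /64 (as the rightsourceip line above does), three things matter on the server: the forwarding sysctl, a FORWARD rule for the pool, and a proxy-NDP entry for each assigned address so the upstream router can resolve it via the VPS's interface. The pool prefix and log lines are taken from the post; the uplink interface name `eth0` and the sample log function are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or of strongSwan.
# Values copied from the post: POOL6. Hypothetical: UPLINK (uplink interface
# name) and the constructed sample_log lines.

POOL6="2a03:b0c0:2:d0::4b4:9001/64"   # IPv6 part of rightsourceip in ipsec.conf
UPLINK="${UPLINK:-eth0}"              # assumed uplink interface name

# forwarding_state [file]: prints enabled/disabled/missing for the sysctl file.
# The path is a parameter so the check can also run against a constructed file.
forwarding_state() {
    f="${1:-/proc/sys/net/ipv6/conf/all/forwarding}"
    if [ ! -r "$f" ]; then
        echo missing
    elif [ "$(cat "$f")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# assigned_v6_from_log: reads charon log lines on stdin and prints each IPv6
# virtual IP handed to a peer ("assigning virtual IP <addr> to peer").
# The character class requires a colon, so IPv4 leases are skipped.
assigned_v6_from_log() {
    sed -n 's/.*assigning virtual IP \([0-9a-fA-F:]*:[0-9a-fA-F:]*\) to peer.*/\1/p'
}

# ndp_proxy_cmd ADDR: command that makes the VPS answer Neighbor Solicitations
# for ADDR on the uplink; net.ipv6.conf.all.proxy_ndp=1 must also be set.
ndp_proxy_cmd() {
    echo "ip -6 neigh add proxy $1 dev $UPLINK"
}

# forward_rules: ip6tables rules allowing pool traffic out and replies back.
# With leftfirewall=yes strongSwan's _updown script inserts its own rules
# (the "vpn: + carl ..." lines in the log); these are the hand-managed equivalent.
forward_rules() {
    echo "ip6tables -A FORWARD -s $POOL6 -j ACCEPT"
    echo "ip6tables -A FORWARD -d $POOL6 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# sample_log: constructed lines modelled on the post's charon output, each
# syslog line kept whole as it is on the server.
sample_log() {
    cat <<'EOF'
Jul  1 10:28:11 mail-ams3 charon: 03[IKE] assigning virtual IP 192.168.211.1 to peer 'carl'
Jul  1 10:28:11 mail-ams3 charon: 03[IKE] assigning virtual IP 2a03:b0c0:2:d0::4b4:9002 to peer 'carl'
EOF
}

# plan: print everything that would be applied without changing the system.
plan() {
    echo "sysctl -w net.ipv6.conf.all.forwarding=1   # currently: $(forwarding_state)"
    echo "sysctl -w net.ipv6.conf.all.proxy_ndp=1"
    forward_rules
    sample_log | assigned_v6_from_log | while read -r addr; do
        ndp_proxy_cmd "$addr"
    done
}

plan
```

Run it as-is to see the plan; on the server, feed the real charon log into `assigned_v6_from_log` (for example from `/var/log/syslog`) to get one proxy entry per lease. Without the proxy entries, the upstream router never learns where `2a03:b0c0:2:d0::4b4:9002` lives, so return traffic stops at the router even though forwarding is on.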

