[strongSwan] Forward IPv6 traffic

Robert Senger robert.senger at lists.microscopium.de
Wed Jul 1 23:27:44 CEST 2015


It's been quite a while since I set up the Android strongSwan client on
KitKat 4.4.4, but I remember that I had the same issue as you have.

The only possibility I found was setting the IPv6 default route manually
on the Android device, in a root terminal. After doing this, IPv6
connectivity through the tunnel was fine.

Be warned, there are a lot of issues with IPv6 on Android; this OS is
definitely _not_ ready for IPv6.

Try around, and good luck! 

Robert



On Wednesday, 01.07.2015 at 12:39 +0200, Carl Hörberg wrote:
> I've set up strongSwan on a VPS from DigitalOcean on an Ubuntu 14.04 box.
> It works great with the Android client for IPv4 traffic but IPv6 traffic
> does not seem to go through.
> 
> Server's ipsec.conf:
> 
> config setup
> conn %default
>   left=%any
>   leftid=vpn.mydomain.com
>   leftsubnet=0.0.0.0/0,::/0
>   leftfirewall=yes
>   right=%any
>   rightsourceip=192.168.211.0/24,2a03:b0c0:2:d0::4b4:9001/64
>   rightdns=8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844
> conn ikev2
>   keyexchange=ikev2
>   dpdaction=clear
>   dpddelay=300s
>   rekey=no
>   leftcert=vpn.mydomain.com.pem
>   leftauth=pubkey
>   rightauth=eap-gtc
>   eap_identity=%any
>   auto=add
> 
> 2a03:b0c0:2:d0::4b4:9001/64 is the subnet the VPS is assigned by
> DigitalOcean.
> 
> The server log when the Android client connects:
> 
> Jul  1 10:28:11 mail-ams3 charon: 03[IKE] peer requested virtual IP %any
> Jul  1 10:28:11 mail-ams3 charon: 03[CFG] assigning new lease to 'carl'
> Jul  1 10:28:11 mail-ams3 charon: 03[IKE] assigning virtual IP
> 192.168.211.1 to peer 'carl'
> Jul  1 10:28:11 mail-ams3 charon: 03[IKE] peer requested virtual IP %any6
> Jul  1 10:28:11 mail-ams3 charon: 03[CFG] assigning new lease to 'carl'
> Jul  1 10:28:11 mail-ams3 charon: 03[IKE] assigning virtual IP
> 2a03:b0c0:2:d0::4b4:9002 to peer 'carl'
> Jul  1 10:28:11 mail-ams3 charon: 03[IKE] CHILD_SA ikev2{1} established
> with SPIs c36bd0ef_i 3501ed85_o and TS 0.0.0.0/0 ::/0 ===
> 192.168.211.1/32 2a03:b0c0:2:d0::4b4:9002/128
> Jul  1 10:28:11 mail-ams3 vpn: + carl 192.168.211.1/32 == 77.218.252.176
> -- 188.166.89.56 == %any/0
> Jul  1 10:28:11 mail-ams3 vpn: + carl 2a03:b0c0:2:d0::4b4:9002/128 ==
> 77.218.252.176 -- 188.166.89.56 == %any6/0
> Jul  1 10:28:11 mail-ams3 charon: 03[ENC] generating IKE_AUTH response 4
> [ AUTH CPRP(ADDR ADDR6 DNS DNS DNS6 DNS6) SA TSi TSr N(MOBIKE_SUP)
> N(ADD_6_ADDR) ]
> Jul  1 10:28:11 mail-ams3 charon: 03[NET] sending packet: from
> 188.166.89.56[4500] to 77.218.252.176[1813] (396 bytes)
> 
> I've enabled IPv6 forwarding:
> 
> # cat /proc/sys/net/ipv6/conf/all/forwarding
> 1
> 
> Am I missing something? Is it correct to set the VPS's IPv6 subnet as
> rightsourceip?
> Do I have to add any ip6tables rules for forwarding ipv6 traffic?

-- 
Robert Senger
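
One way to confirm from the server log quoted above that the IKEv2 exchange itself negotiated IPv6 (an IPv6 virtual IP plus a `::/0` traffic selector on the server side), which leaves routing as the place to look. This is an added example, not part of the original posts or of strongSwan; the function names are hypothetical, and the sample lines are the quoted log with the mail line-wraps re-joined.

```python
import ipaddress
import re

# Constructed sample: charon lines from the quoted log, continuation lines re-joined.
SAMPLE_LOG = """\
Jul  1 10:28:11 mail-ams3 charon: 03[IKE] peer requested virtual IP %any
Jul  1 10:28:11 mail-ams3 charon: 03[IKE] assigning virtual IP 192.168.211.1 to peer 'carl'
Jul  1 10:28:11 mail-ams3 charon: 03[IKE] peer requested virtual IP %any6
Jul  1 10:28:11 mail-ams3 charon: 03[IKE] assigning virtual IP 2a03:b0c0:2:d0::4b4:9002 to peer 'carl'
Jul  1 10:28:11 mail-ams3 charon: 03[IKE] CHILD_SA ikev2{1} established with SPIs c36bd0ef_i 3501ed85_o and TS 0.0.0.0/0 ::/0 === 192.168.211.1/32 2a03:b0c0:2:d0::4b4:9002/128
"""

LEASE_RE = re.compile(r"assigning virtual IP (\S+) to peer '([^']+)'")
CHILD_RE = re.compile(r"CHILD_SA \S+ established .* TS (.+?) === (.+)$")


def summarize(log_text):
    """Collect virtual-IP leases and CHILD_SA traffic selectors by IP version."""
    leases = {4: [], 6: []}
    server_ts = {4: [], 6: []}   # left of '===' (matches leftsubnet in the config)
    client_ts = {4: [], 6: []}   # right of '===' (the client's virtual IPs)
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            addr = ipaddress.ip_address(m.group(1))
            leases[addr.version].append(addr)
            continue
        m = CHILD_RE.search(line)
        if m:
            for side, store in ((m.group(1), server_ts), (m.group(2), client_ts)):
                for token in side.split():
                    net = ipaddress.ip_network(token, strict=False)
                    store[net.version].append(net)
    return leases, server_ts, client_ts


def ipv6_negotiated(log_text):
    """True if an IPv6 lease exists, the client TS covers it, and the server TS is ::/0."""
    leases, server_ts, client_ts = summarize(log_text)
    covered = all(any(a in n for n in client_ts[6]) for a in leases[6])
    return bool(leases[6]) and covered and ipaddress.ip_network("::/0") in server_ts[6]


if __name__ == "__main__":
    print("IPv6 negotiated in IKE:", ipv6_negotiated(SAMPLE_LOG))
```
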



