[strongSwan] Forward IPv6 traffic

Carl Hörberg carl.hoerberg at gmail.com
Thu Jul 2 11:58:21 CEST 2015


Awesome, worked! Thanks! (Android 5.0.2)

For googlers:
1) Set net.ipv6.conf.all.proxy_ndp=1 in sysctl.conf

2) Change in ipsec.conf:
  leftfirewall=no
  leftupdown=/etc/ipsec.d/proxyndp.updown

3) Make /etc/ipsec.d/proxyndp.updown executable and contain:

#!/bin/sh
# strongSwan hands the peer's traffic selector to the updown script as
# PLUTO_PEER_CLIENT, e.g. "2a03:b0c0:2:d0::4b4:9002/128". "ip neigh add proxy"
# wants a bare address, so strip the prefix length (everything from the
# last "/") instead of blindly chopping four characters.
case "$PLUTO_VERB" in
        up-client-v6)
        ip -6 neigh add proxy "${PLUTO_PEER_CLIENT%/*}" dev eth0
        ;;
        down-client-v6)
        ip -6 neigh delete proxy "${PLUTO_PEER_CLIENT%/*}" dev eth0
        ;;
esac


On 01/07/15 23:26, Noel Kuntze wrote:
>
> Hello Carl,
>
> Take a look at this ticket: https://wiki.strongswan.org/issues/1008
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 01.07.2015 um 12:39 schrieb Carl Hörberg:
> > I've set up strongSwan on a VPS from DigitalOcean running Ubuntu 14.04.
> > It works great with the Android client for IPv4 traffic, but IPv6 traffic
> > does not seem to go through.
>
> > Server's ipsec.conf:
>
> > config setup
> > conn %default
> >   left=%any
> >   leftid=vpn.mydomain.com
> >   leftsubnet=0.0.0.0/0,::/0
> >   leftfirewall=yes
> >   right=%any
> >   rightsourceip=192.168.211.0/24,2a03:b0c0:2:d0::4b4:9001/64
> >   rightdns=8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844
> > conn ikev2
> >   keyexchange=ikev2
> >   dpdaction=clear
> >   dpddelay=300s
> >   rekey=no
> >   leftcert=vpn.mydomain.com.pem
> >   leftauth=pubkey
> >   rightauth=eap-gtc
> >   eap_identity=%any
> >   auto=add
>
> > 2a03:b0c0:2:d0::4b4:9001/64 is the subnet the vps is assigned by
> > digitalocean.
>
> > The server log when the Android client connects:
>
> > Jul  1 10:28:11 mail-ams3 charon: 03[IKE] peer requested virtual IP %any
> > Jul  1 10:28:11 mail-ams3 charon: 03[CFG] assigning new lease to 'carl'
> > Jul  1 10:28:11 mail-ams3 charon: 03[IKE] assigning virtual IP
> > 192.168.211.1 to peer 'carl'
> > Jul  1 10:28:11 mail-ams3 charon: 03[IKE] peer requested virtual IP
> > %any6
> > Jul  1 10:28:11 mail-ams3 charon: 03[CFG] assigning new lease to 'carl'
> > Jul  1 10:28:11 mail-ams3 charon: 03[IKE] assigning virtual IP
> > 2a03:b0c0:2:d0::4b4:9002 to peer 'carl'
> > Jul  1 10:28:11 mail-ams3 charon: 03[IKE] CHILD_SA ikev2{1} established
> > with SPIs c36bd0ef_i 3501ed85_o and TS 0.0.0.0/0 ::/0 ===
> > 192.168.211.1/32 2a03:b0c0:2:d0::4b4:9002/128
> > Jul  1 10:28:11 mail-ams3 vpn: + carl 192.168.211.1/32 == 77.218.252.176
> > -- 188.166.89.56 == %any/0
> > Jul  1 10:28:11 mail-ams3 vpn: + carl 2a03:b0c0:2:d0::4b4:9002/128 ==
> > 77.218.252.176 -- 188.166.89.56 == %any6/0
> > Jul  1 10:28:11 mail-ams3 charon: 03[ENC] generating IKE_AUTH response 4
> > [ AUTH CPRP(ADDR ADDR6 DNS DNS DNS6 DNS6) SA TSi TSr N(MOBIKE_SUP)
> > N(ADD_6_ADDR) ]
> > Jul  1 10:28:11 mail-ams3 charon: 03[NET] sending packet: from
> > 188.166.89.56[4500] to 77.218.252.176[1813] (396 bytes)
>
> > I've enabled ipv6 forwarding:
>
> > # cat /proc/sys/net/ipv6/conf/all/forwarding
> > 1
>
> > Am I missing something? Is it correct to set the VPS's IPv6 subnet as
> > rightsourceip?
> > Do I have to add any ip6tables rules for forwarding ipv6 traffic?
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
>


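The three steps above (proxy_ndp sysctl, leftupdown replacing the default script, and the proxy-NDP hook) fit into one drop-in updown script. The following is an added example written for this page, not the original poster's script or anything shipped by strongSwan. It assumes what the strongSwan updown interface documents: charon exports PLUTO_VERB, PLUTO_PEER_CLIENT and PLUTO_INTERFACE when it runs the script. It treats PLUTO_INTERFACE as the interface facing the VPS's upstream router (on a single-NIC VPS that is the same eth0 the thread hardcodes) and falls back to eth0 when it is unset; `logger` is assumed to be available for syslog. The two additions over the thread's version are a refusal to proxy anything wider than a /128 (a proxy entry for the whole /64 would let one VPN peer answer neighbour solicitations for every address on the VPS's link) and a one-line check that proxy_ndp is actually on, because a proxy entry on a host with proxy_ndp=0 is silently ignored.

```shell
#!/bin/sh
# Added example: proxy-NDP updown hook for strongSwan (not the poster's script).
# Assumptions: charon sets PLUTO_VERB, PLUTO_PEER_CLIENT and PLUTO_INTERFACE as
# documented for updown scripts; PLUTO_INTERFACE (or eth0) is the interface
# toward the upstream router; "ip" is iproute2; "logger" writes to syslog.

# Strip the prefix length from a traffic selector: "2a03::2/128" -> "2a03::2".
strip_prefix() {
    printf '%s\n' "${1%/*}"
}

# Only a single IPv6 host address may be proxied. A /64 or /0 selector would
# make this host answer NS for the whole link, so refuse anything else.
is_v6_host() {
    case "$1" in
        */128) return 0 ;;
        *)     return 1 ;;
    esac
}

# Build (but do not execute) the iproute2 command for a given verb and
# selector. Prints nothing and returns 1 for verbs or selectors we ignore,
# so the caller can treat "no output" as "nothing to do".
proxy_ndp_command() {
    verb=$1
    client=$2
    iface=${3:-eth0}
    is_v6_host "$client" || return 1
    addr=$(strip_prefix "$client")
    case "$verb" in
        up-client-v6)   printf 'ip -6 neigh add proxy %s dev %s\n' "$addr" "$iface" ;;
        down-client-v6) printf 'ip -6 neigh delete proxy %s dev %s\n' "$addr" "$iface" ;;
        *)              return 1 ;;
    esac
}

# True when net.ipv6.conf.all.proxy_ndp=1 is in effect; without it the
# kernel never replies to neighbour solicitations for the proxied address.
check_proxy_ndp() {
    f=/proc/sys/net/ipv6/conf/all/proxy_ndp
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Entry point when charon invokes us (PLUTO_VERB is set). When the file is
# sourced for testing, PLUTO_VERB is empty and nothing below runs.
if [ -n "${PLUTO_VERB:-}" ]; then
    check_proxy_ndp || logger -t ipsec-updown \
        "proxy_ndp is off: IPv6 replies for ${PLUTO_PEER_CLIENT:-?} will not reach the client"
    cmd=$(proxy_ndp_command "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-}" "${PLUTO_INTERFACE:-eth0}") || exit 0
    logger -t ipsec-updown "$cmd"
    $cmd
fi
```

Install it as `/etc/ipsec.d/proxyndp.updown`, mark it executable and point `leftupdown=` at it exactly as in the steps above. Note that `leftupdown=` replaces strongSwan's default `_updown` script entirely: with `leftfirewall=no` nothing will insert FORWARD rules for the virtual IPs any more, so if the host's ip6tables FORWARD policy is not ACCEPT, those rules have to be added by hand.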