[strongSwan] IPv6 (Link Local) Router Solicitations over VPN (for Windows 7)
Richard Laager
rlaager at wiktel.com
Sat Mar 28 00:04:41 CET 2015
On Tue, 2015-03-24 at 10:34 +0100, Martin Willi wrote:
> So you are suggesting to assign a link-local virtual IP, allow the
> client to do Router Solicitation to get an Advertisement, for which you
> anticipated the address and included it in your negotiated TS? Or the
> other way round?
>
> If that works with the Windows client, why not. There is a narrow() hook
> on the listener_t interface [3] that can be used to mangle traffic
> selectors from a plugin in its NARROW_RESPONDER invocation.
At NARROW_RESPONDER time, have the dynamic traffic selectors had
addresses set? If not, what about at NARROW_RESPONDER_POST time?
I'm envisioning running a narrow hook like this, once we know the
virtual IP assigned to the client:
#include <string.h>
#include <library.h>
#include <selectors/traffic_selector.h>
#include <collections/linked_list.h>

/* Add an fe80::<IID> selector for every single-host IPv6 selector in remote */
static void add_link_local_ts(linked_list_t *remote)
{
	/* fe80::/64 prefix; the low 64 bits are filled in per address below */
	u_char ll_addr[16] = {0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
	chunk_t ll_chunk = chunk_create(ll_addr, sizeof(ll_addr));
	enumerator_t *enumerator;
	traffic_selector_t *ts;

	enumerator = remote->create_enumerator(remote);
	while (enumerator->enumerate(enumerator, &ts))
	{
		chunk_t addr_chunk;
		traffic_selector_t *ll_ts;
		enumerator_t *enumerator2;
		traffic_selector_t *ts2;
		bool redundant = FALSE;

		/* only static single-host IPv6 selectors for any protocol */
		if (ts->get_type(ts) != TS_IPV6_ADDR_RANGE ||
			ts->is_dynamic(ts) ||
			!ts->is_host(ts, NULL) ||
			ts->is_any(ts) ||
			ts->get_protocol(ts) != 0)
		{
			continue;
		}
		addr_chunk = ts->get_from_address(ts);
		/* Copy the last 64 bits (the interface identifier) behind fe80::/64 */
		memcpy(ll_addr + 8, addr_chunk.ptr + 8, addr_chunk.len - 8);
		/* create_from_bytes() copies the address, so ll_addr can be reused */
		ll_ts = traffic_selector_create_from_bytes(0, TS_IPV6_ADDR_RANGE,
												   ll_chunk, 0, ll_chunk, 0xffff);
		/* skip it if an existing selector already covers the link-local address */
		enumerator2 = remote->create_enumerator(remote);
		while (enumerator2->enumerate(enumerator2, &ts2))
		{
			if (ll_ts->is_contained_in(ll_ts, ts2))
			{
				redundant = TRUE;
				break;
			}
		}
		enumerator2->destroy(enumerator2);
		if (redundant)
		{
			ll_ts->destroy(ll_ts);
			continue;
		}
		remote->insert_first(remote, ll_ts);
	}
	enumerator->destroy(enumerator);
}
This code is completely untested, but here's my idea...
This hook finds any traffic selectors for individual IPv6 addresses, and
combines fe80::/64 with the last 64 bits of the address. Then it adds a
traffic selector for that link-local address, after verifying it would
not be creating a redundant traffic selector.
So, for example, if the client is assigned 2607:f850:CCCC:DDDD::100, we
want to add an additional remote traffic selector for fe80::100.
--
Richard
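The derivation and redundancy check described in the mail above, as an added stand-alone example (not code from the thread or from strongSwan): it uses a minimal range type, ts6_t, as a stand-in for traffic_selector_t so it compiles without libstrongswan, and models is_contained_in() as an inclusive from..to address-range comparison.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Minimal stand-in (an assumption, not strongSwan's traffic_selector_t) for an
 * IPv6 selector: an inclusive from..to address range; ports/protocol ignored. */
typedef struct {
	uint8_t from[16];
	uint8_t to[16];
} ts6_t;

/* Build a selector from two textual addresses (a /128 when from == to). */
static bool ts6_parse(ts6_t *ts, const char *from, const char *to)
{
	return inet_pton(AF_INET6, from, ts->from) == 1 &&
		   inet_pton(AF_INET6, to, ts->to) == 1;
}

/* Derive fe80::<IID>: keep the low 64 bits of the assigned address. */
static void ts6_link_local(const uint8_t global[16], ts6_t *ll)
{
	uint8_t addr[16] = {0xfe, 0x80};   /* fe80::/64, remaining bytes zero */
	memcpy(addr + 8, global + 8, 8);   /* copy the interface identifier */
	memcpy(ll->from, addr, 16);
	memcpy(ll->to, addr, 16);
}

/* Range containment as is_contained_in() checks it for addresses; IPv6
 * addresses order correctly as big-endian byte strings, so memcmp() suffices. */
static bool ts6_contained_in(const ts6_t *ts, const ts6_t *other)
{
	return memcmp(other->from, ts->from, 16) <= 0 &&
		   memcmp(ts->to, other->to, 16) <= 0;
}

/* Fill *ll with the link-local selector for the assigned address and return
 * true if it is missing, false if an existing remote selector already covers it. */
static bool ts6_needs_link_local(const char *assigned, const ts6_t *remote,
								 size_t count, ts6_t *ll)
{
	uint8_t global[16];
	if (inet_pton(AF_INET6, assigned, global) != 1)
		return false;
	ts6_link_local(global, ll);
	for (size_t i = 0; i < count; i++)
		if (ts6_contained_in(ll, &remote[i]))
			return false;   /* already covered, e.g. by fe80::/64 or ::/0 */
	return true;
}
```

With the mail's example, a remote list holding only the host selector 2607:f850:cccc:dddd::100 yields fe80::100, while a list that already contains fe80::/64 or ::/0 yields nothing.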