[strongSwan] Problems with configuration of IPv4/IPv6 dual-stack network

Colbert Yang colbert.yang at outlook.com
Mon Aug 7 11:07:56 CEST 2017


Dear community,


I have a Debian 9 VPS assigned an IPv6 /64 address via SLAAC, running strongSwan, and would like to make clients able to access IPv6 websites.


Here is the IPv6 setting in /etc/network/interfaces:
iface ens3 inet6 static
        address 2001:19f0:6001:e4d:AAAA:BBBB:CCCC:1
        netmask 64
        dns-nameservers 2001:19f0:300:1704::6

/etc/ipsec.conf
conn %default
        auto = add
        keyexchange = ikev2
        leftsubnet = 0.0.0.0/0,::/0
        rightdns = 8.8.8.8,2001:4860:4860::8888
        rightsourceip = 10.10.10.0/24,2001:19f0:6001:e4d::/112
conn EAP-MSCHAPv2
        eap_identity = %identity
        leftauth = pubkey
        leftcert = fullchain.pem
        leftid = example.com
        leftsendcert = always
        rightauth = eap-mschapv2
        rightid = %any
        rightsendcert = never

$ iptables -t nat -A POSTROUTING -j MASQUERADE
$ sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.accept_ra = 2

With the configuration above, the VPS and strongSwan seem to be working well on the IPv4 network: clients like iOS 10 are able to access IPv4 websites via IPsec. Clients assigned an IPv6 address 2001:19f0:6001:e4d::1 and the VPS can ping each other; however, clients cannot access any IPv6 websites. I know that I have disabled net.ipv6.conf.all.forwarding, so IPv6 packets are not able to be forwarded, but if it is enabled, clients still have no IPv6 connectivity and the VPS is unreachable via IPv6.

Honestly, I am not quite familiar with IPv6 networking and am really stuck on this problem, even after searching through tons of information on Google. So is there someone running a strongSwan server with IPv6 successfully? Could you offer some help, please?

Thanks in advance for helping,
Colbert Yang
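
Added example, not part of the original post or of strongSwan: a check over the three configuration snippets quoted above (embedded as constructed input) that reports whether IPv6 forwarding is off and whether the IPv6 rightsourceip pool lies inside the interface's own on-link /64. The function and finding names are hypothetical; the remark on Neighbor Discovery in the comments is general IPv6 behaviour, not a statement from the post.

```python
import ipaddress

# Constructed input: values copied from the post's configuration snippets.
INTERFACES = """iface ens3 inet6 static
        address 2001:19f0:6001:e4d:AAAA:BBBB:CCCC:1
        netmask 64
"""
IPSEC_CONF = """conn %default
        rightsourceip = 10.10.10.0/24,2001:19f0:6001:e4d::/112
"""
SYSCTL = """net.ipv4.ip_forward = 1
net.ipv6.conf.all.accept_ra = 2
"""

def parse_kv(text, sep):
    """Return {key: value} for 'key<sep>value' lines (sep=None: whitespace)."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(sep, 1)
        if len(parts) == 2:
            out[parts[0].strip()] = parts[1].strip()
    return out

def audit(interfaces, ipsec_conf, sysctl):
    """Hypothetical helper: list the IPv6 conditions worth checking."""
    findings = []
    iface = parse_kv(interfaces, None)
    onlink = ipaddress.ip_interface(
        f"{iface['address']}/{iface['netmask']}").network
    knobs = parse_kv(sysctl, "=")
    if knobs.get("net.ipv6.conf.all.forwarding") != "1":
        # Without forwarding the gateway does not route client IPv6 traffic.
        findings.append("ipv6-forwarding-off")
    elif knobs.get("net.ipv6.conf.all.accept_ra") != "2":
        # With forwarding on, RAs are only accepted when accept_ra is 2.
        findings.append("accept_ra-ignored-while-forwarding")
    pools = parse_kv(ipsec_conf, "=").get("rightsourceip", "")
    for pool in filter(None, (p.strip() for p in pools.split(","))):
        net = ipaddress.ip_network(pool)
        # A pool inside the on-link prefix is resolved by the upstream router
        # through Neighbor Discovery, so the gateway must answer for clients
        # (NDP proxying) or have a separate prefix routed to it.
        if net.version == 6 and net.subnet_of(onlink):
            findings.append(f"pool-inside-onlink-prefix:{net}")
    return findings

if __name__ == "__main__":
    for finding in audit(INTERFACES, IPSEC_CONF, SYSCTL):
        print(finding)
```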