[strongSwan] Strongswan - Problems to set up IPv4 + IPv6 with StrongSwan 5.1.2 on Ubuntu 14

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Aug 25 12:18:02 CEST 2017


Hi Dirk,

On 24.08.2017 10:59, Dirk Hoelscher wrote:
> Strongswan - Problems to set up IPv4 + IPv6 with StrongSwan 5.1.2 on Ubuntu 14
>
> Thanks for your incredible support. IPv4 is now working as intended.
>
>
> Now I've got some issues regarding IPv4/IPv6 dual stack:
>
>
> My /etc/network/interfaces states the following
>
> ---------------------------------------------
>
> iface eth0 inet dhcp
>
>
> iface eth0:1 inet static
>
>     address 10.1.1.1
>
>     netmask 255.255.255.0
>
>
> iface eth0 inet6 static
>
>   address (public IP)
>
>   netmask 64
>
>   gateway (gateway)
>
>   up /sbin/ifconfig eth0 add fdea::1/64
>
> ---------------------------------------------
>

Aaaaah, please stop using aliases. :(

>
> I want to use both 10.1.1.x and fdea::x addresses for my connections, to be sure that ANY traffic is routed through my VPN
>
>
> I added
>
> rightsourceip=10.1.1.20/24,fdea::20/64
>
> to my ipsec.conf file, and the remote device will get an IPv6 address on connection.
>
>
> With IPv4, I am able to ping any participants from any side.
>
> With IPv6, I can just ping the local address (e.g. fdea::21 on my smartphone), but not any remote address.
>
>
> I added
>
> rightsubnet=10.1.1.1/24, fdea::1/64
>
> to my ipsec.conf, but this didn't change a thing.
>
>
> My smartphone tells the following on connection:
>
> Aug 24 10:55:50 11[IKE] installing DNS server 8.8.8.8
> Aug 24 10:55:50 11[IKE] installing DNS server 8.8.4.4
> Aug 24 10:55:50 11[IKE] installing DNS server 2001:4860:4660::8888
> Aug 24 10:55:50 11[IKE] installing DNS server 2001:4860:4860::8844
> Aug 24 10:55:50 11[IKE] installing new virtual IP 10.1.1.21
> Aug 24 10:55:50 11[IKE] installing new virtual IP fdea::21
> Aug 24 10:55:50 11[IKE] CHILD_SA android{17} established with SPIs f25c4080_i ca1658c5_o and TS 10.1.1.0/24 fdea::/64 === 0.0.0.0/0
>
> Aug 24 10:55:50 11[DMN] setting up TUN device for CHILD_SA android{17}
> Aug 24 10:55:50 11[DMN] successfully created TUN device
> Aug 24 10:55:50 11[IKE] peer supports MOBIKE
> Aug 24 10:55:51 13[IKE] sending address list update using MOBIKE
> Aug 24 10:55:51 13[ENC] generating INFORMATIONAL request 2 [ N(NO_ADD_ADDR) ]
>
>
> Can anybody tell me why I am not able to ping between client<->server on IPv6?
>

The reason is explained here[1] and the solution is to use NDP proxying[2] (assuming that IP address is actually part of the LAN the responder is connected to).
Otherwise, you need to use IPv6 NAT in iptables.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Hosts-on-the-LAN
[2] https://wiki.strongswan.org/issues/1008

Kind regards

Noel
>
>
> Best regards,
>
> Dirk
>

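As an added example that is not part of the thread or of the strongSwan project, the hook below sketches the NDP-proxying approach Noel points to for the overlapping fdea::/64 virtual IP pool. It assumes eth0 is the LAN interface, that IPv6 forwarding is already enabled, that the script is referenced via leftupdown= in ipsec.conf, and that charon exposes PLUTO_VERB together with PLUTO_PEER_SOURCEIP6_1 / PLUTO_PEER_SOURCEIP in the way the stock _updown script expects.

```bash
#!/bin/sh
# Added example, not from the thread or the strongSwan project: a minimal
# leftupdown= hook that adds/removes an NDP proxy entry for the IPv6 virtual
# IP charon hands out, so hosts on the LAN's fdea::/64 can reach the client
# through the gateway. Assumptions: eth0 is the LAN interface, IPv6
# forwarding (net.ipv6.conf.all.forwarding=1) is already enabled, and charon
# provides PLUTO_VERB plus PLUTO_PEER_SOURCEIP6_1 / PLUTO_PEER_SOURCEIP as
# the stock _updown script expects.

LAN_IF="${LAN_IF:-eth0}"

# Build (but do not run) the ip(8) command for a verb and a virtual IP.
# Returns 1 for IPv4 or unrelated verbs, and for anything that is not an
# IPv6 address, so the caller can simply do nothing.
ndp_proxy_cmd() {
    verb="$1"
    vip="$2"
    case "$vip" in
        *:*) ;;            # looks like an IPv6 address
        *)   return 1 ;;
    esac
    case "$verb" in
        up-client-v6)   echo "ip -6 neigh add proxy $vip dev $LAN_IF" ;;
        down-client-v6) echo "ip -6 neigh del proxy $vip dev $LAN_IF" ;;
        *)              return 1 ;;
    esac
}

# Apply the entry for the current CHILD_SA, preferring the explicit IPv6
# variable when several virtual IPs (10.1.1.x and fdea::x) were assigned.
apply_ndp_proxy() {
    vip="${PLUTO_PEER_SOURCEIP6_1:-$PLUTO_PEER_SOURCEIP}"
    cmd="$(ndp_proxy_cmd "$PLUTO_VERB" "$vip")" || return 0
    # proxy_ndp must be on for the kernel to answer Neighbor Solicitations
    # for proxied addresses; setting it again is harmless.
    sysctl -q -w "net.ipv6.conf.$LAN_IF.proxy_ndp=1"
    $cmd
}

# Only act when invoked by charon (PLUTO_VERB set); sourcing the file for
# testing leaves the functions defined without touching the system.
if [ -n "$PLUTO_VERB" ]; then
    apply_ndp_proxy
fi
```

Pointing leftupdown= at this hook alone skips the stock _updown script's own route and firewall handling, so in practice the two are combined.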