[strongSwan] IPv6 Remote Access

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri May 26 17:47:15 CEST 2017

Hello Dusan,

On 26.05.2017 16:52, Dusan Ilic wrote:
> Hi everyone,
> My ISP have just recently enabled IPv6 in their network (well, 6RD aactually) and I have it confiogured and working at the site.
> I would now also like to enable it on my remote access VPN in Strongswan too, so I made a try with the following config however it doesnt seem work. According to Strongswan log the client asks for ipv6 (Android in this case) and get's assigned one (global from my public prefix).
> leftsubnet=,2000::/3 (also tried with ::/0)
> rightsourceip=%dhcp,2001:2002:5ae1:c206:4466:d122:xxx:xxx
> This is a test, so that's why Im only assigning one single IPv6 adress for the time being. IPv4 works as expected, but I can't neither reach an IPv6 internet site nor ping the gateway or the Android client from the gateway/clients behind the gateway.

Check if the IPv6 packets make it to the strongSwan host. And then make sure those IPv6 addresses are routed over the strongSwan host. If the subnet they're from is on the link,
you'll need to create do proxy NDP on the strongSwan host with either static records in the NDP table on the strongSwan host or by using and configuring ndppd[1] on the strongSwan host.
> What I'm reacting on is that a route gets created for the IPv4 adress in my routing table, but none for the IPv6 adress. Also checked with "ip -6 route".
> Is this a routing problem possibly, or maybe an firewall (iptables) problem?
The latter maybe. IPv6 traffic goes through ip6tables, not iptables.

> Just to be clear, the client is connecting to the Strongswan server with IPv4, should receive an IPv6 global adress inside the tunnel and then my Strongswan server should route it out on the internet (through the 6RD-tunnel).
Read the FAQ[2], too.

Kind regards


[1] https://github.com/DanielAdolfsson/ndppd
[2] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IPsec-and-iptablesnftables

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170526/3d41ef81/attachment.sig>

More information about the Users mailing list