[strongSwan] IPv6 Remote Access
Dusan Ilic
dusan at comhem.se
Sun May 28 19:24:16 CEST 2017
Hi Noel,

The IPv6 prefix is on link so I've tried adding a static NDP record. When
pinging from a local host before adding the static record it says
"destination host unreachable", but after adding it it says "request
timed out".

When I try pinging the client from the strongSwan host I get the
following error:

ping6: sendto: Address family not supported by protocol

strongSwan now added a route for the IPv6 address out the correct
WAN interface, and I have added an input and forward rule in ip6tables
accepting traffic. I can see in "ipsec statusall" that the incoming
packet counter is increasing, but not the outgoing.

On 2017-05-26 at 17:47, Noel Kuntze wrote:
> Hello Dusan,
>
> On 26.05.2017 16:52, Dusan Ilic wrote:
>> Hi everyone,
>>
>> My ISP has just recently enabled IPv6 in their network (well, 6RD actually) and I have it configured and working at the site.
>> I would now also like to enable it on my remote access VPN in strongSwan too, so I made a try with the following config, however it doesn't seem to work. According to the strongSwan log the client asks for IPv6 (Android in this case) and gets assigned one (global from my public prefix).
>>
>> leftsubnet=0.0.0.0/0,2000::/3 (also tried with ::/0)
>> rightsourceip=%dhcp,2001:2002:5ae1:c206:4466:d122:xxx:xxx
>>
>> This is a test, so that's why I'm only assigning one single IPv6 address for the time being. IPv4 works as expected, but I can neither reach an IPv6 internet site nor ping the gateway or the Android client from the gateway/clients behind the gateway.
> Check if the IPv6 packets make it to the strongSwan host. And then make sure those IPv6 addresses are routed over the strongSwan host. If the subnet they're from is on the link,
> you'll need to do proxy NDP on the strongSwan host with either static records in the NDP table on the strongSwan host or by using and configuring ndppd[1] on the strongSwan host.
>> What I'm reacting to is that a route gets created for the IPv4 address in my routing table, but none for the IPv6 address. Also checked with "ip -6 route".
>> Is this a routing problem possibly, or maybe a firewall (iptables) problem?
> The latter maybe. IPv6 traffic goes through ip6tables, not iptables.
>
>> Just to be clear, the client is connecting to the strongSwan server with IPv4, should receive an IPv6 global address inside the tunnel and then my strongSwan server should route it out on the internet (through the 6RD tunnel).
>>
> Read the FAQ[2], too.
>
> Kind regards
>
> Noel
>
> [1] https://github.com/DanielAdolfsson/ndppd
> [2] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IPsec-and-iptablesnftables
>
>
>
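
The static proxy NDP record and the ip6tables rules discussed in this thread, as an added example that is not part of either poster's message. The address is a constructed documentation address, `ON_LINK_IF` is a hypothetical name for the interface whose on-link prefix contains the virtual IP, and by default the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run plan for proxy NDP plus
# ip6tables rules for one IPv6 virtual IP handed out via rightsourceip.
# Assumptions: VIP is a constructed documentation address; ON_LINK_IF is a
# hypothetical name for the interface whose on-link prefix contains VIP.
VIP="${VIP:-2001:db8:1:2::100}"
ON_LINK_IF="${ON_LINK_IF:-eth0}"
APPLY="${APPLY:-0}"   # 0 = only print the commands, 1 = execute them (root)

# Emit one command per line, after validating both arguments.
proxy_ndp_plan() {
    vip=$1 ifc=$2
    case $vip in
        ''|*[!0-9a-fA-F:]*) echo "invalid IPv6 address: $vip" >&2; return 1 ;;
        *:*) ;;
        *) echo "invalid IPv6 address: $vip" >&2; return 1 ;;
    esac
    case $ifc in
        ''|*[!A-Za-z0-9_-]*) echo "invalid interface: $ifc" >&2; return 1 ;;
    esac
    # The host must forward IPv6 and answer Neighbor Solicitations for VIP.
    echo "sysctl -w net.ipv6.conf.all.forwarding=1"
    echo "sysctl -w net.ipv6.conf.$ifc.proxy_ndp=1"
    echo "ip -6 neigh add proxy $vip dev $ifc"
    # IPv6 is filtered by ip6tables; accept only traffic covered by IPsec policy.
    echo "ip6tables -A FORWARD -s $vip -m policy --dir in --pol ipsec -j ACCEPT"
    echo "ip6tables -A FORWARD -d $vip -m policy --dir out --pol ipsec -j ACCEPT"
}

# Print the plan, or execute it when APPLY=1.
run_plan() {
    plan=$(proxy_ndp_plan "$1" "$2") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        if [ "$APPLY" = 1 ]; then sh -c "$cmd"; else echo "would run: $cmd"; fi
    done
}

run_plan "$VIP" "$ON_LINK_IF"
```

After applying, `ip -6 neigh show proxy` lists the record, and the outgoing counter in "ipsec statusall" shows whether replies are entering the tunnel.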