[strongSwan] IPv6 Remote Access

Dusan Ilic dusan at comhem.se
Sun May 28 19:34:09 CEST 2017

I can also see the forward rule packet count increasing when pinging 
from a host behind the Strongswan host, but not the other way around 
(from the VPN client).

Den 2017-05-28 kl. 19:24, skrev Dusan Ilic:
> Hi Noel,
> The IPv6 prefix is on link so I've tried adding static NDP record, 
> when pinging from a local host before adding the static record it says 
> "destination host unreacable", but after adding it it says "request 
> timed out".
> When i try pinging the client from the strongswan host i get the 
> following error?
> ping6: sendto: Address family not supported by protocol
> Strongswan now added a route for the IPv6 adress out the correct 
> WAN-interface, and I have added an input and forward rule in ip6tables 
> accepting traffic. I can see in "ipsec statusall" that the incoming 
> packet counter are increasing, but not the outgoing.
> Den 2017-05-26 kl. 17:47, skrev Noel Kuntze:
>> Hello Dusan,
>> On 26.05.2017 16:52, Dusan Ilic wrote:
>>> Hi everyone,
>>> My ISP have just recently enabled IPv6 in their network (well, 6RD 
>>> aactually) and I have it confiogured and working at the site.
>>> I would now also like to enable it on my remote access VPN in 
>>> Strongswan too, so I made a try with the following config however it 
>>> doesnt seem work. According to Strongswan log the client asks for 
>>> ipv6 (Android in this case) and get's assigned one (global from my 
>>> public prefix).
>>> leftsubnet=,2000::/3 (also tried with ::/0)
>>> rightsourceip=%dhcp,2001:2002:5ae1:c206:4466:d122:xxx:xxx
>>> This is a test, so that's why Im only assigning one single IPv6 
>>> adress for the time being. IPv4 works as expected, but I can't 
>>> neither reach an IPv6 internet site nor ping the gateway or the 
>>> Android client from the gateway/clients behind the gateway.
>> Check if the IPv6 packets make it to the strongSwan host. And then 
>> make sure those IPv6 addresses are routed over the strongSwan host. 
>> If the subnet they're from is on the link,
>> you'll need to create do proxy NDP on the strongSwan host with either 
>> static records in the NDP table on the strongSwan host or by using 
>> and configuring ndppd[1] on the strongSwan host.
>>> What I'm reacting on is that a route gets created for the IPv4 
>>> adress in my routing table, but none for the IPv6 adress. Also 
>>> checked with "ip -6 route".
>>> Is this a routing problem possibly, or maybe an firewall (iptables) 
>>> problem?
>> The latter maybe. IPv6 traffic goes through ip6tables, not iptables.
>>> Just to be clear, the client is connecting to the Strongswan server 
>>> with IPv4, should receive an IPv6 global adress inside the tunnel 
>>> and then my Strongswan server should route it out on the internet 
>>> (through the 6RD-tunnel).
>> Read the FAQ[2], too.
>> Kind regards
>> Noel
>> [1] https://github.com/DanielAdolfsson/ndppd
>> [2] 
>> https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IPsec-and-iptablesnftables

More information about the Users mailing list