[strongSwan] IPv6 Remote Access

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon May 29 00:16:20 CEST 2017

Hello Dusan,

On 28.05.2017 19:24, Dusan Ilic wrote:
> Hi Noel,
> The IPv6 prefix is on link so I've tried adding static NDP record, when pinging from a local host before adding the static record it says "destination host unreacable", but after adding it it says "request timed out".
> When i try pinging the client from the strongswan host i get the following error?
> ping6: sendto: Address family not supported by protocol

What command are you trying to use?

> Strongswan now added a route for the IPv6 adress out the correct WAN-interface, and I have added an input and forward rule in ip6tables accepting traffic. I can see in "ipsec statusall" that the incoming packet counter are increasing, but not the outgoing.

Provide `ip6tables-save`, your ipsec.conf, `ipsec statusall` and  `sysctl -A | grep net.ipv6.conf.*forwarding`.

Kind regards


> Den 2017-05-26 kl. 17:47, skrev Noel Kuntze:
>> Hello Dusan,
>> On 26.05.2017 16:52, Dusan Ilic wrote:
>>> Hi everyone,
>>> My ISP have just recently enabled IPv6 in their network (well, 6RD aactually) and I have it confiogured and working at the site.
>>> I would now also like to enable it on my remote access VPN in Strongswan too, so I made a try with the following config however it doesnt seem work. According to Strongswan log the client asks for ipv6 (Android in this case) and get's assigned one (global from my public prefix).
>>> leftsubnet=,2000::/3 (also tried with ::/0)
>>> rightsourceip=%dhcp,2001:2002:5ae1:c206:4466:d122:xxx:xxx
>>> This is a test, so that's why Im only assigning one single IPv6 adress for the time being. IPv4 works as expected, but I can't neither reach an IPv6 internet site nor ping the gateway or the Android client from the gateway/clients behind the gateway.
>> Check if the IPv6 packets make it to the strongSwan host. And then make sure those IPv6 addresses are routed over the strongSwan host. If the subnet they're from is on the link,
>> you'll need to create do proxy NDP on the strongSwan host with either static records in the NDP table on the strongSwan host or by using and configuring ndppd[1] on the strongSwan host.
>>> What I'm reacting on is that a route gets created for the IPv4 adress in my routing table, but none for the IPv6 adress. Also checked with "ip -6 route".
>>> Is this a routing problem possibly, or maybe an firewall (iptables) problem?
>> The latter maybe. IPv6 traffic goes through ip6tables, not iptables.
>>> Just to be clear, the client is connecting to the Strongswan server with IPv4, should receive an IPv6 global adress inside the tunnel and then my Strongswan server should route it out on the internet (through the 6RD-tunnel).
>> Read the FAQ[2], too.
>> Kind regards
>> Noel
>> [1] https://github.com/DanielAdolfsson/ndppd
>> [2] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#IPsec-and-iptablesnftables

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170529/8496c620/attachment.sig>

More information about the Users mailing list