[strongSwan] IPv6 / IPv4 dual stack?

Karl Denninger karl at denninger.net
Thu Oct 10 20:50:57 CEST 2019


Hi folks;

I've long used Strongswan as an IPv4 based VPN for both my Windows
laptop and Android phone, with IPv4 on the gateway.  Said gateway has
(for quite a while now) also received an IPv6 address which I then
distribute internally, since I can do that reasonably-easily given the
prefix I'm given by the upstream.

Recently my mobile provider (T-Mobile) has started supporting dual-stack
when tethering.  This originally resulted in the gateway, which was
listening on IPv6 as well, connecting that way but /not/ on IPv4, with
no resulting routing at all.

I removed the IPv6 address from the DNS entries for the gateway and
normal operation was restored; while StrongSwan is still listening the
client won't try to talk to it since the DNS name only resolves to the
IPv4 address.

But.... I'd really like to be able to have dual-stack and tethering with
IPv6 working.  There are a couple of things I can think of that could be
trouble:

1. I don't know if the clients (Android's StrongSwan client and the
Win10 built-in VPN client) will negotiate BOTH IPv4 and IPv6 tunnels. 
If so, then all is well.  But if either or both will not then....

2. How reasonable is it to get IPv6 to come up and implement 6-to-4 in
the gateway?  Am I now screwing around in a form and fashion that
perhaps I shouldn't bother with?

I don't actually *need* IPv6 VPN capability today -- it's more of a
future-proofing thing at the moment.  One of my primary "use cases" for
the VPN is to make the network shares and such on the parent network
safely usable and visible while on the road, and as such right now those
services do not advertise on IPv6 even though the "inside" hosts in
question DO get an IPv6 address distributed via rtadvd.

Does anyone have practical experience with this situation?  I've not
found anything particularly useful in the Wiki on configuring this up.

If it matters the VPN host running StrongSwan on the server side is
FreeBSD 12-STABLE.

-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/