[strongSwan] IPv6 / IPv4 dual stack?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Oct 11 23:45:23 CEST 2019


Hello Karl,


> Recently my mobile provider (T-Mobile) has started supporting dual-stack when /tethering/. This originally resulted in the gateway, which was listening on IPv6 as well, connecting that way but /not/ on IPv4, with no resulting routing at all.

What significance does that have for you? Are your clients connecting via tethering and IPv6 NAT? If that is the case, then I guess I need to continue working on this IPv6 UDP encapsulation patch. :(

1. Yes.
2. Depends on how much you are willing to suffer. You don't need it though if you just provide IPv4 and IPv6 over the tunnel.

Kind regards

Noel

On 10.10.19 at 20:50, Karl Denninger wrote:
> Hi folks;
> 
> I've long used Strongswan as an IPv4 based VPN for both my Windows laptop and Android phone, with IPv4 on the gateway.  Said gateway has (for quite a while now) also received an IPv6 address which I then distribute internally, since I can do that reasonably-easily given the prefix I'm given by the upstream.
> 
> Recently my mobile provider (T-Mobile) has started supporting dual-stack when /tethering/. This originally resulted in the gateway, which was listening on IPv6 as well, connecting that way but /not/ on IPv4, with no resulting routing at all.
> 
> I removed the IPv6 address from the DNS entries for the gateway and normal operation was restored; while StrongSwan is still listening the client won't try to talk to it since the DNS name only resolves to the IPv4 address.
> 
> But.... I'd really like to be able to have dual-stack and tethering with IPv6 working.  There are a couple of things I can think of that could be trouble:
> 
> 1. I don't know if the clients (Android's StrongSwan client and the Win10 built-in VPN client) will negotiate BOTH IPv4 and IPv6 tunnels.  If so, then all is well.  But if either or both will not then....
> 
> 2. How reasonable is it to get IPv6 to come up and implement 6-to-4 in the gateway?  Am I now screwing around in a form and fashion that perhaps I shouldn't bother with?
> 
> I don't actually *need* IPv6 VPN capability today -- it's more of a future-proofing thing at the moment.  One of my primary "use cases" for the VPN is to make the network shares and such on the parent network safely usable and visible while on the road, and as such right now those services do not advertise on IPv6 even though the "inside" hosts in question DO get an IPv6 address distributed via rtadvd.
> 
> Does anyone have practical experience with this situation?  I've not found anything particularly useful in the Wiki on configuring this up.
> 
> If it matters the VPN host running StrongSwan on the server side is FreeBSD 12-STABLE.
> 
> -- 
> Karl Denninger
> karl at denninger.net
> /The Market Ticker/
> /[S/MIME encrypted email preferred]/
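
As an added illustration of the reply's point about providing IPv4 and IPv6 over the tunnel (not part of the original thread, and not Noel's or the strongSwan project's own configuration), here is a gateway-side swanctl.conf fragment that offers each client one virtual address per address family. The connection name, pool names, gateway identity, certificate file name, authentication methods and address ranges are all placeholder assumptions.

```conf
# Added example: dual-stack virtual IPs inside one IKEv2 tunnel.
# All names and address ranges below are placeholders (assumptions).
connections {
    rw-dualstack {
        version = 2
        # Offer a virtual IP from both pools; a client that requests
        # only one family simply gets an address from that pool.
        pools = rw_pool4, rw_pool6
        local {
            auth = pubkey
            certs = gateway-cert.pem      # placeholder file name
            id = vpn.example.org          # placeholder identity
        }
        remote {
            # Assumption: keep whatever client authentication the
            # existing IPv4-only setup already uses.
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            net {
                # Both families are carried inside the same tunnel,
                # regardless of the outer transport's address family.
                local_ts = 0.0.0.0/0, ::/0
            }
        }
    }
}

pools {
    rw_pool4 {
        addrs = 10.10.10.0/24             # placeholder private range
    }
    rw_pool6 {
        addrs = 2001:db8:10::/112         # documentation prefix, placeholder
    }
}
```

With a layout like this the outer IKE/ESP transport can stay on IPv4 while IPv6 traffic is routed inside the tunnel. The IPv6 pool has to be a range that the gateway actually routes for the clients.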
