[strongSwan] No IPv6 packets arriving with ESP tunnel over IPv4 on FreeBSD
Thomas ROBERT
thomas.robertdelettre at outlook.com
Sat Apr 10 19:01:09 CEST 2021
Hello,
I set up an IPv6 tunnel with strongSwan 5.9.2 on FreeBSD 12.2-RELEASE-p5 (built from source in ports tree), with the following config in swanctl.conf:
connections {
    ipsec-ikev2-vpn {
        version = 2
        local_addrs = %any
        remote_addrs = %any
        proposals = aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384
        dpd_delay = 300s
        fragmentation = yes
        pools = vpnpool4,vpnpool6
        local {
            certs = /usr/local/etc/ipsec.d/certs/server.cert.pem
            auth = pubkey
            id = box
        }
        remote {
            id = %any
            cacerts = /usr/local/etc/ipsec.d/cacerts/ca.cert.pem
            auth = pubkey
        }
        children {
            saconfig {
                esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp384
                local_ts = 0.0.0.0/0,::/0
                life_time = 0
                life_bytes = 0
                life_packets = 0
                mode = tunnel
                policies = yes
                policies_fwd_out = yes
                dpd_action = clear
                ipcomp = no
                hw_offload = yes
            }
        }
    }
}
pools {
    vpnpool4 {
        addrs = 192.168.2.0/24
    }
    vpnpool6 {
        # routed to me by my ISP, /64 will be dedicated to VPN
        addrs = 2a01:e34:abcd:effe::/64
    }
}
No errors or warnings appear in the logs on the Android client or on the server, yet even with pf disabled on the server, I can't even seem to ping the IPv6 address of the router (2a01:e34:abcd:effd::), which I can do just fine on the local network. Same for the other direction: no packets from the server seem to arrive on the client.
IPv4 works just fine, with NAT I can access all subnets of my LAN and the Internet.
Any idea what could cause this?
Thank you,
Best regards
Thomas
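Editor's note, added to this archived message and not part of the original post or of strongSwan itself: when the IKE and child SAs come up cleanly but no IPv6 flows through an ESP-over-IPv4 tunnel on FreeBSD, the two things worth checking first on the gateway are whether IPv6 forwarding is enabled (sysctl net.inet6.ip6.forwarding, set persistently with ipv6_gateway_enable="YES" in rc.conf) and whether the IPv6 catch-all policies for ::/0 were actually installed in the kernel SPD (setkey -DP). The script below wraps both checks as functions that take command output as text, so it runs offline against the constructed sample output embedded in it; pass --live to query the real system. The sample addresses (203.0.113.5, 198.51.100.7, 2a01:e34:abcd:effe::1) are placeholders, not values from the post.

```shell
#!/bin/sh
# Added diagnostic helper for "SA is up but no IPv6 passes" on a FreeBSD
# strongSwan gateway. Not from the original post; the sample output below is
# constructed for offline use and mirrors the shape of real sysctl/setkey output.

# Check 1: forwarding. A gateway with net.inet6.ip6.forwarding=0 accepts the
# decapsulated IPv6 packets from the client and then drops them instead of
# routing them on. Returns 0 when the sysctl output reports "1".
ipv6_forwarding_ok() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Check 2: policies. Returns 0 when the SPD dump (setkey -DP format) contains
# at least one "<dir> ipsec" policy whose selector line mentions $2
# (e.g. "::/0" for the IPv6 catch-all). Selector lines are unindented; the
# direction/level line that follows them is indented.
spd_has_policy() {
    spd="$1"; selector="$2"; direction="$3"
    printf '%s\n' "$spd" | awk -v sel="$selector" -v dir="$direction" '
        /^[^ \t]/ { current = $0; next }
        $1 == dir && $2 == "ipsec" && index(current, sel) > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Runs both checks, prints a verdict per check, and returns the number of
# failed checks (0 means nothing obvious is wrong at this layer).
report() {
    fwd="$1"; spd="$2"; failures=0
    if ipv6_forwarding_ok "$fwd"; then
        echo "ok   net.inet6.ip6.forwarding=1"
    else
        echo "FAIL net.inet6.ip6.forwarding is not 1 (sysctl net.inet6.ip6.forwarding=1)"
        failures=$((failures + 1))
    fi
    for dir in in out; do
        if spd_has_policy "$spd" "::/0" "$dir"; then
            echo "ok   SPD has an IPv6 ::/0 '$dir' policy"
        else
            echo "FAIL SPD has no IPv6 ::/0 '$dir' policy (check local_ts/remote_ts and 'policies')"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample: forwarding disabled, but v4 and v6 policies present,
# as if setkey -DP were run after the Android client connected.
SAMPLE_FORWARDING="0"
SAMPLE_SPD='2a01:e34:abcd:effe::1[any] ::/0[any] any
	in ipsec
	esp/tunnel/198.51.100.7-203.0.113.5/unique:1
	spid=1 seq=3 pid=1234
	refcnt=1
::/0[any] 2a01:e34:abcd:effe::1[any] any
	out ipsec
	esp/tunnel/203.0.113.5-198.51.100.7/unique:1
	spid=2 seq=2 pid=1234
	refcnt=1
192.168.2.1[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/198.51.100.7-203.0.113.5/unique:1
	spid=3 seq=1 pid=1234
	refcnt=1
0.0.0.0/0[any] 192.168.2.1[any] any
	out ipsec
	esp/tunnel/203.0.113.5-198.51.100.7/unique:1
	spid=4 seq=0 pid=1234
	refcnt=1'

if [ "${1:-}" = "--live" ]; then
    report "$(sysctl -n net.inet6.ip6.forwarding)" "$(setkey -DP)" || true
else
    report "$SAMPLE_FORWARDING" "$SAMPLE_SPD" || true
fi
```

If both checks pass, the next step is to see whether the IPv6 packets are even leaving the tunnel: load if_enc and run tcpdump -ni enc0 ip6 while pinging from the client. Decapsulated pings that show up on enc0 but get no reply usually mean the upstream router has no return route for the pool prefix (2a01:e34:abcd:effe::/64 here) pointing at the gateway's address, so replies are sent elsewhere; the gateway also needs a source address or route of its own for that prefix for the "server to client" direction. None of this is diagnosed by strongSwan's logs, which only cover the IKE side.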