Issue #1261
ipv6 on Android
Description
Using the strongswan app on android it is possible to get an ipv6 virtual IP with the appropriate configuration on the server. However no default ipv6 route is added. If a default route is added manually then it is possible to access global ipv6 addresses. The ipv4 default route is added automatically. Is there some limitation in Android that prevents strongswan from adding an ipv6 default route?
Strongswan 1.5.0
History
#1 Updated by Darko Kraus over 9 years ago
Hi,
My experience working with Linux and IPv6 is that sometimes instead of ::/0 a default route would be 2000::/3. I would also assume that you configured:
leftsubnet = 2000::/3 or ::/0
You also need to have tunneled access to the IPv6 network from the VPN server. A good place to obtain an IPv6 address is www.tunnelbroker.net. I have been using them since 2003 and they prove to be a very reliable provider!
#2 Updated by Robert Dyck over 9 years ago
The server has native ipv6. There is very little one can do on Android Strongswan in the way of configuration. You need to identify the server and specify the method used for authentication. There is an optional item that relates to split tunneling. With ipv4 the default route is added automatically, not so with ipv6. Do you know of anything on the server side that could induce Android to add a default route?
#3 Updated by Darko Kraus over 9 years ago
If you set the configuration on the server:
leftsubnet = 2000::/3 or ::/0
Try using 2000::/3 instead of ::/0.
the android client will automatically set the default route or route to network ::/0 (2000::/3) to go through the VPN. I have tried that with IPv4, but cannot confirm with IPv6 but I am sure it is the same setup.
Make sure the IPv6 address assigned to your android client is a global unicast IPv6 address.
So your whole configuration on the SERVER would be something like:
conn rw_Cert
    keyexchange = ikev2
    left = <gateway's IPv6 address>
    leftcert = gatewayCert.pem
    leftid = @gateway.domain.net
    leftsubnet = 2000::/3
    leftfirewall = no
    right = %any
    rightsourceip = 2001:4a:4a:f0ca::ba-2001:4a:4a:f0ca::be
    auto = add
In the case above the VPN server would issue IPv6 addresses in the range specified above to the android client. Note that the IPs I used are global addresses, but you have to use the addresses assigned to you by your provider. Those above are just made up.
This is for a whole IPv6 setup. I am not sure if your provider is full IPv6 and if you can use your device (phone?) to communicate fully over IPv6 network.
Hope this helps.
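An added example, not part of the original thread and not strongSwan code: a small Python check of the two server-side points raised in comment #3, that leftsubnet covers 2000::/3 (or ::/0) and that the IPv6 rightsourceip pool lies inside 2000::/3. The parser only handles the simple ipsec.conf layout shown above, and the sample conn is constructed from values in the thread.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample: the conn from comment #3 with a combined v4/v6 leftsubnet.
SAMPLE_CONF = """\
conn rw_Cert
    keyexchange = ikev2
    leftsubnet = 0.0.0.0/0,2000::/3
    right = %any
    rightsourceip = 2001:4a:4a:f0ca::ba-2001:4a:4a:f0ca::be
    auto = add
"""

def parse_conn(text, name):
    """Return the key/value options of one 'conn <name>' section."""
    opts, active = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            active = line.split() == ["conn", name]
        elif active and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def v6_pools(spec):
    """Yield (first, last) address for each IPv6 entry in rightsourceip."""
    for item in (i.strip() for i in spec.split(",")):
        if ":" not in item:                       # IPv4, %dhcp or named pool
            continue
        if "-" in item:
            lo, hi = (ipaddress.IPv6Address(p) for p in item.split("-"))
        else:
            net = ipaddress.ip_network(item, strict=False)
            lo, hi = net[0], net[-1]
        yield lo, hi

def check_conn(opts):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in opts.get("leftsubnet", "").split(",") if s.strip()]
    if not any(n.version == 6 and GLOBAL_UNICAST.subnet_of(n) for n in nets):
        findings.append("leftsubnet does not cover 2000::/3 or ::/0")
    pools = list(v6_pools(opts.get("rightsourceip", "")))
    if not pools:
        findings.append("rightsourceip has no IPv6 pool")
    for lo, hi in pools:
        if lo not in GLOBAL_UNICAST or hi not in GLOBAL_UNICAST:
            findings.append(f"pool {lo}-{hi} is outside 2000::/3")
    return findings
```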
#4 Updated by Robert Dyck over 9 years ago
The address assigned is globally valid. The left subnet on the server is leftsubnet=0.0.0.0/0,::/0. I combine the ipv4 and ipv6 configuration. Ipv4 works well. The only difference between ipv4 and ipv6 configurations is that with ipv4 the source address is assigned through DHCP and with ipv6 the address comes from my own pool. On the server side another connection configuration for a Linux road warrior is virtually identical and works well with both protocol families.
#5 Updated by Darko Kraus over 9 years ago
Here is what I discovered yesterday. If you use an IPv6 address for the server field on the android client, it will not work. I have created only AAAA record gateway.ip6.domain.net for the host, and the client complains with DNS lookup failure. On the other hand the phone will ping any IPv6 address including if I use tools to ping from android phone to my gateway by name "gateway.ip6.domain.net". So this appears to be a limitation with the client as of now. Hopefully coders will be able to see this and resolve this issue in the next release.
#6 Updated by Darko Kraus over 9 years ago
Darko Kraus wrote:
> Here is what I discovered yesterday. If you use an IPv6 address for the server field on the android client, it will not work. I have created only AAAA record gateway.ip6.domain.net for the host, and the client complains with DNS lookup failure. On the other hand the phone will ping any IPv6 address including if I use tools to ping from android phone to my gateway by name "gateway.ip6.domain.net". So this appears to be a limitation with the client as of now. Hopefully coders will be able to see this and resolve this issue in the next release.
Using IPv4 address of the gateway to connect and adding on the VPN server 'leftsubnet = 2000::/3' worked well.
#7 Updated by Tobias Brunner over 9 years ago
- Status changed from New to Closed
- Resolution set to No change required
> Hopefully coders will be able to see this and resolve this issue in the next release.
Not until the Linux kernel supports UDP encapsulation of ESP for IPv6.
#8 Updated by Robert Dyck over 9 years ago
The initial query has not been addressed here. The SA is set up over ipv4 and an ipv4 address and ipv6 address assigned on the road warrior. The problem is that no ipv6 default route is created by the app. I have a rooted phone so I can manually create the default route and access ipv6 globally.
#9 Updated by Tobias Brunner over 9 years ago
> The initial query has not been addressed here.
If you configured leftsubnet=::/0 and a virtual IPv6 address/pool on the server and that does not work then it's most likely a problem with your Android image (about which you provided no details, not even the version). The app uses Android's standard VpnService API. Check the Android issue tracker for problems with IPv6 and VPNs.