Approval from Apple regarding an application using strongSwan VPN
We have developed a VPN app using strongSwan, and while Apple tested the application they told us that the app doesn't work on an IPv6 network.
As of now we have set the client end in the conf like this: "leftsubnet=0.0.0.0/0", and in sysctl.conf we have added only "net.ipv4.ip_forward = 1". Please help me to resolve this case.
#1 Updated by Noel Kuntze over 5 years ago
- Category set to libipsec
- Status changed from New to Feedback
- Assignee set to Noel Kuntze
- Priority changed from Immediate to Normal
libipsec does not support UDP encapsulation over IPv6 yet and the app only connects to DNS A records or IPv4 addresses. That is because the Linux kernel's IPsec implementation does not support UDP encapsulation over IPv6, so to make sure that the tunnel always works when IPv4 is available, only connections over IPv4 are made.
This obviously doesn't work anymore when only IPv6 (not IPv4) connectivity is provided. Local 6to4 can cause problems. To tunnel IPv6 traffic, your TS must allow IPv6 traffic. A TS of 0.0.0.0/0 == something doesn't support IPv6, only IPv4.
BTW: I don't approve of your usage of the issue tracker for questions that you can easily resolve yourself. You're not entitled to receive support from us. The HelpRequests page exists so you can help yourself instead of wasting other people's time with simple questions.
#3 Updated by Tobias Brunner over 5 years ago
> libipsec does not support UDP encapsulation over IPv6 yet and the app only connects to DNS A records or IPv4 addresses.
libipsec works fine with IPv6. That is, the client could use IPv6 as outer tunnel address. But since most servers run on Linux they won't be able to use UDP encapsulation for these SAs (so they can't even install them). Which is why IPv6 is disabled in the socket, by default.
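
The traffic-selector point from the first reply, as an added example that is not part of the thread or of strongSwan's code: a Python check that reads ipsec.conf-style and sysctl.conf-style text and reports which address families the configured subnets and forwarding settings cover. The sample configuration is constructed, and the function names are hypothetical; `::/0` is the IPv6 counterpart of `0.0.0.0/0`, and `net.ipv6.conf.all.forwarding` is the Linux sysctl for IPv6 forwarding.

```python
import ipaddress

# Constructed sample input mirroring the settings quoted in the question.
SAMPLE_IPSEC_CONF = """\
conn v4only
    leftsubnet=0.0.0.0/0
conn dual
    leftsubnet=0.0.0.0/0,::/0
    auto=add
"""
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\n"

def families(value):
    """Return the set of IP versions (4, 6) in a comma-separated subnet list."""
    found = set()
    for item in value.split(","):
        try:
            found.add(ipaddress.ip_network(item.strip(), strict=False).version)
        except ValueError:
            pass  # keywords such as %dynamic carry no address family
    return found

def audit_conns(text, key="leftsubnet"):
    """Map each conn name to the IP versions its `key` traffic selector covers."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            result[current] = set()
        elif current and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                result[current] |= families(value)
    return result

def forwarding(text):
    """Return the IP versions for which forwarding is enabled in sysctl text."""
    keys = {"net.ipv4.ip_forward": 4, "net.ipv6.conf.all.forwarding": 6}
    on = set()
    for raw in text.splitlines():
        name, _, value = raw.split("#", 1)[0].partition("=")
        if keys.get(name.strip()) and value.strip() == "1":
            on.add(keys[name.strip()])
    return on

if __name__ == "__main__":
    print(audit_conns(SAMPLE_IPSEC_CONF), forwarding(SAMPLE_SYSCTL))
```

This checks only what may be tunnelled inside the SA and forwarded by the gateway; the address family of the outer connection is the separate matter discussed in the replies.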