Issue #2354

Approval from Apple regarding an application using strongSwan VPN

Added by augustine champara over 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: libipsec
Affected version: 5.4.0
Resolution: No feedback

Description

Hi,

We have developed a VPN app using strongSwan, and while Apple tested the application they told us that the app doesn't work on an IPv6 network.

As of now we have set the client end in the conf like this: "leftsubnet=0.0.0.0/0", and in sysctl.conf we added only "net.ipv4.ip_forward = 1". Please help me to resolve this case.


Related issues

Related to Issue #939: UDP Encapsulation for IPv6 Traffic on Linux (Closed)

History

#1 Updated by Noel Kuntze over 3 years ago

  • Category set to libipsec
  • Status changed from New to Feedback
  • Assignee set to Noel Kuntze
  • Priority changed from Immediate to Normal

libipsec does not support UDP encapsulation over IPv6 yet and the app only connects to DNS A records or IPv4 addresses. That is because the Linux kernel's IPsec implementation does not support UDP encapsulation over IPv6, so to make sure that the tunnel always works when IPv4 is available, only connections over IPv4 are made.
This obviously doesn't work anymore when only IPv6 (not IPv4) connectivity is provided. Local 6to4 can cause problems. To tunnel IPv6 traffic, your TS must allow IPv6 traffic. A TS of 0.0.0.0/0 == something doesn't support IPv6, only IPv4.

BTW: I don't approve of your usage of the issue tracker for questions that you can easily resolve yourself. You're not entitled to receive support from us. The HelpRequests page exists so you can help yourself instead of wasting other people's time with simple questions.

#2 Updated by Noel Kuntze over 3 years ago

  • Related to Issue #939: UDP Encapsulation for IPv6 Traffic on Linux added

#3 Updated by Tobias Brunner over 3 years ago

> libipsec does not support UDP encapsulation over IPv6 yet and the app only connects to DNS A records or IPv4 addresses.

libipsec works fine with IPv6. That is, the client could use IPv6 as outer tunnel address. But since most servers run on Linux they won't be able to use UDP encapsulation for these SAs (so they can't even install them). Which is why IPv6 is disabled in the socket, by default.

#4 Updated by Tobias Brunner over 2 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback
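
The traffic-selector point from comment #1, as an added example that is not part of the original thread or of strongSwan's own code: a Python check that parses ipsec.conf-style text and reports conn sections whose leftsubnet/rightsubnet list only IPv4 selectors. The sample config, the conn names and the function names are constructed for illustration; the check covers inner traffic selectors only (not the outer tunnel address family) and does not resolve `also=` or `%default` inheritance.

```python
import ipaddress

# Constructed sample; "ipv4-only" mirrors the leftsubnet quoted in the issue description.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2

conn ipv4-only
    leftsubnet=0.0.0.0/0
    right=%any

conn dual-stack
    leftsubnet=0.0.0.0/0,::/0
    right=%any
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line: # indented key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def selector_families(value):
    """IP versions (4 and/or 6) covered by a comma-separated subnet list."""
    families = set()
    for item in value.split(","):
        subnet = item.strip().split("[", 1)[0]    # drop optional [proto/port]
        try:
            families.add(ipaddress.ip_network(subnet, strict=False).version)
        except ValueError:
            pass                                  # e.g. %dynamic has no fixed family
    return families

def ipv4_only_conns(text):
    """(conn, key, value) for each subnet option that lists no IPv6 selector."""
    return [(name, key, opts[key])
            for name, opts in parse_conns(text).items()
            for key in ("leftsubnet", "rightsubnet")
            if key in opts and selector_families(opts[key]) == {4}]
```
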
