Strongswan and Fortigate IPv6 over IPv4
Maybe anybody can help me to solve the issue. I tested this with Strongswan version 5.7.2 as Debian Buster offers it and with the backported version 5.8.2 from Debian Testing too.
I am trying to connect as a road warrior with strongswan to a Fortigate, with Cisco Unity enabled:
- IPv4 works without any issues. I got the address 220.127.116.11/32
- The IPv6 over IPv4 tunnel doesn't work properly. I got the address 2001:1:101d:8002::/128
In my case, I got an IPv6 address, but there is no route assigned for IPv6, unlike IPv4 with table 220; please see the attachment routing_table.txt.
On the responder (Fortigate) I don't see whether the phase 2 for IPv6 ever gets answered there. Therefore the route isn't pushed to the initiator (strongswan).
Please see the attachment 20200429_diag_deb_app_ike_-1_Debian10Client.txt.
Just as info: with Forticlient for Windows, I get the IPv6 address and the IPv6 routes, and the VPN also works properly. Please see the attachment windows_ipsec.txt.
The question: can you please give me a hint? Maybe I overlooked something; how can I get IPv6 running?
N.B.: If you need the log of the responder side for Forticlient, please tell me, because I don't have Windows at the moment and have to organize it first.
Thank you for your help.
#1 Updated by Tobias Brunner 2 months ago
- Category changed from swanctl to ikev1
- Status changed from New to Feedback
The unity plugin has no support for IPv6, and I don't think our IKEv1 implementation supports multiple virtual IPs (since only one traffic selector can be negotiated per CHILD_SA unless the proprietary Unity extension is used). Just stop using IKEv1.
#5 Updated by Daniel Sugondo 2 months ago
- File 20200505_strongswan.log 20200505_strongswan.log added
- File 20200505_routing_table.txt 20200505_routing_table.txt added
- File 20200505_diag_deb_app_ike_-1_Debian10Client.txt 20200505_diag_deb_app_ike_-1_Debian10Client.txt added
Just want to give some feedback.
With Fortigate (FortiOS 6.2.3) and IKEv2 it works with some limitations; IPv4 and IPv6 addresses are assigned automatically, like with IKEv1.
1. At the moment I don't get the split route information from the responder; I have to set up the split routes on the initiator side.
Btw., with Forticlient on Windows I don't get IPv6 information; the IPv4 address and split route information were assigned.
2. I have to search for further information about EAP authentication and how it should be set up.
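Added example, not from the thread or from the strongSwan project: a swanctl.conf skeleton for the IKEv2 road-warrior setup the feedback describes, requesting one IPv4 and one IPv6 virtual IP (which IKEv1 Mode Config with the Unity extension cannot do, per the first reply), listing the split networks on the initiator side since the responder does not push them (point 1), and authenticating the client with EAP-MSCHAPv2 (point 2). The gateway name vpn.example.org, the username alice, and the networks 10.10.0.0/16 and 2001:db8:10::/48 are placeholders; the EAP method must match whatever the FortiGate's user group is configured for.

```conf
# /etc/swanctl/swanctl.conf  (added example; all addresses and names are placeholders)
connections {
    fortigate-rw {
        version = 2                      # IKEv2 only: IKEv1 + Unity cannot carry an IPv6 virtual IP
        remote_addrs = vpn.example.org   # placeholder: the FortiGate's public address

        # Request one IPv4 and one IPv6 virtual IP. The wildcards let the
        # responder pick the addresses; charon installs the matching routes
        # in table 220 once the CHILD_SA is up.
        vips = 0.0.0.0, ::

        local {
            auth = eap-mschapv2          # EAP type must match the FortiGate user-group setting
            eap_id = alice               # placeholder VPN username
        }
        remote {
            auth = pubkey
            id = vpn.example.org         # must match a SAN in the gateway certificate;
                                         # its CA goes into /etc/swanctl/x509ca/
        }
        children {
            split {
                # The responder in the thread does not push split routes, so the
                # remote networks are listed here explicitly (placeholders).
                # The responder may still narrow these traffic selectors.
                remote_ts = 10.10.0.0/16, 2001:db8:10::/48
                start_action = start     # bring the tunnel up when the config is loaded
            }
        }
    }
}

secrets {
    eap-alice {
        id = alice
        secret = "placeholder-password"  # placeholder; keep real credentials out of world-readable files
    }
}
```

After `swanctl --load-all`, `swanctl --list-sas` shows the assigned virtual IPs and the negotiated traffic selectors, and `ip -6 route show table 220` shows whether a route for the IPv6 selector was actually installed. If the responder narrows `remote_ts`, the route follows the narrowed selector, not what is written here.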