Issue #817

IKEv2 IPv6 Router Advertisement

Added by Sam Wong over 2 years ago. Updated over 1 year ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
libcharon
Affected version:
Resolution:

Description

I have a working IKEv2 server setup on a Linux box 'moon' (Ubuntu 14.04), with one IPv4 address and a globally routable /48 IPv6 subnet.

On Windows 7/8 'roadwarrior', the connection can be established, and all IPv4 Internet traffic goes through 'moon' as planned.
However, IPv6 is not accessible even though a virtual IP can be seen assigned to the interface correctly.

Only if I manually added a route on 'roadwarrior'

route -6 add ::0/0 2001:123:19:d81:1::2  # This is the Virtual IP address

everything works, and all IPv4 and v6 traffic goes through the tunnel.

I guess what's missing is the router advertisement.
I tried running radvd on the Linux box but it doesn't work.
I tried kernel-libipsec so that there is an ipsec0 TUN device for tcpdump/radvd to be configured with. Although I can see RA solicitation request packets coming from Windows, no v6 traffic seems to be able to cross the tunnel. Even IPv6 pinging from 'moon' to 'roadwarrior' does not work. (I don't know how to wiretap 'roadwarrior' though.)

---
My configurations:

$ ipsec --version
Linux strongSwan U5.1.2/K3.13.0-24-generic
$ uname -a
Linux niceboat 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

config setup
    uniqueids=never

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s

conn win7
    left=%any
    leftsubnet=0.0.0.0/0,::/0
    leftauth=pubkey
    leftcert=niceboatProdCert.der
    leftid=@niceboat.hellosam.net
    right=%any
    rightsourceip=2001:123:19:d81:1::/80,172.31.0.0/21
    rightauth=eap-radius
    eap_identity=%any
    auto=add

History

#1 Updated by Tobias Brunner over 2 years ago

  • Target version deleted (5.3.0)

#2 Updated by Tobias Brunner over 2 years ago

  • Tracker changed from Feature to Issue
  • Status changed from New to Feedback

Only if I manually added a route on 'roadwarrior'
[...]

Hm, this sounds like a Windows bug to me. Shouldn't the native VPN client install such a route automatically?

I guess what's missing is the router advertisement.

I don't really see why NDP would be needed. But have a look at this Gist, looks like at least one other user ran into this issue.

I don't know how to wiretap the 'roadwarrior' though

Wireshark?

#3 Updated by Conrad Kostecki over 2 years ago

I can confirm this problem.
My Windows 8.1 and Windows Phone 8.1 are showing the same behaviour.
I have to manually add an IPv6 route or IPv6 won't work.

IPv4 is working perfectly fine.

Conrad

#4 Updated by ValdikSS almost 2 years ago

Here is a plugin for strongSwan by Richard Laager which adds a remote traffic selector for the corresponding link-local IP.
https://www.mail-archive.com/users%40lists.strongswan.org/msg09241.html

To use it, you should:
1) Apply the patch and compile strongSwan with --enable-link-local-ts
2) Enable the plugin in charon.conf
3) Configure any router advertisement daemon to answer router solicitations; a prefix is not needed. radvd should work.
4) Add an fe80::/64 address to the ipsec interface.

I'd like to see this plugin in the mainline. Is it possible?
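As an added example (not part of this thread or of strongSwan), here is the Router Advertisement that step 3 has to deliver over the tunnel, built and validated in Python: a non-zero Router Lifetime alone makes the client install a default route (no Prefix Information option), and the RA is only accepted when its source is link-local, which is why step 4 adds an fe80:: address. All addresses below are constructed.

```python
import struct
import ipaddress

ICMPV6_ROUTER_ADVERT = 134  # ICMPv6 type for Router Advertisement (RFC 4861)

def icmpv6_checksum(src, dst, msg):
    """RFC 4443 checksum: IPv6 pseudo-header (src, dst, length, next header 58) + message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(msg)) + b"\x00\x00\x00\x3a")
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_router_advert(src, dst, router_lifetime, hop_limit=64):
    """Minimal RA with no Prefix Information option: a non-zero Router Lifetime is all
    the client needs to install a default route via the RA's (link-local) source."""
    # type, code, checksum placeholder, cur hop limit, flags (M/O clear),
    # router lifetime (seconds), reachable time, retrans timer
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, hop_limit, 0,
                      router_lifetime, 0, 0)
    csum = icmpv6_checksum(src, dst, hdr)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:]

def parse_router_advert(src, dst, pkt):
    """Return what a receiver would do with this RA, or None if it would be dropped."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_ROUTER_ADVERT or pkt[1] != 0:
        return None
    # Verification: the checksum over the message including its checksum field must be 0
    if icmpv6_checksum(src, dst, pkt) != 0:
        return None
    # RFC 4861 6.1.2: an RA whose source is not link-local is silently discarded.
    # Hence the tunnel endpoint needs an fe80:: address and a traffic selector
    # that lets link-local traffic through.
    if not ipaddress.IPv6Address(src).is_link_local:
        return None
    _, _, _, hop_limit, _flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", pkt[:16])
    return {"router_lifetime": lifetime, "default_route": lifetime > 0,
            "hop_limit": hop_limit}

if __name__ == "__main__":
    # Constructed addresses: moon's link-local on the tunnel interface and the client's
    ra = build_router_advert("fe80::1", "fe80::c0de:1", 1800)
    print(ra.hex(), parse_router_advert("fe80::1", "fe80::c0de:1", ra))
```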

#5 Updated by Kilian Krause over 1 year ago

Any thoughts from upstream on whether or not this will be pulled into any future upstream release (or at least a feature equivalent)?
