Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Strongwan + Windows VPN IKEv2 + IPv6
Problem Statement
-----------------
The Windows native VPN client does not configure the default IPv6 route through the tunnel, even if the negociated remote traffic selector is ::/0.
Causes
------
Windows sends router solicitations and awaits router advertisement from the other side. To this end, it uses link-local unicast and multicast addresses, just like a machine would on a broadcast-capable link (e.g. Ethernet).
If you only configured a Virtual IP (rightsourceip) in Strongswan, the traffic selectors negociated would not allow traffic coming from Windows having a source address of fe80::/10 through the tunnel, and sniffing the protected traffic would not reveal Windows attemps at router discovery.
Solution
--------
- Enable the libipsec plugin in Strongswan (this creates a ipsec0 interface in your system) to allow radvd to work
- Configure a static link-local address on ipsec0
# ip a a fe80::1/64 dev ipsec0
- Use the radvd daemon to advertise the /64 prefix containing your rightsourceip + the MTU (e.g. 1400) on the ipsec0 interface
- Add fe80::/64 to remote traffic selectors in your connection in ipsec.conf (in addition to rightsourceip)
rightsubnet=fe80::/64
Caveats
-------
- The configured link-local address on ipsec0 is not persistent through Strongswan restarts. Maybe use an up_down script ?
- radvd should be (re-)started only when the ipsec0 interface exists (when Strongswan has started) and the link-local address is configured
- I haven't tested communication between two Windows client connected to the same Strongswan server when both have a Virtual IP in the same /64. Windows seems to use Neighbor Discory over IPsec (for DAD only?) and the RA sent by a Windows VPN server says the /64 prefix is on-link...
@sam0737

This comment has been minimized.

Copy link

@sam0737 sam0737 commented Jan 10, 2015

Can you please share the ipsec.conf, radvd.conf and ipsec statusall?
After connection establishment, I can't even get both side pinging each other with link-local address.
I see traffic coming from the remote side (by tcpdump on ipsec0), but I guess packets are not reaching the other end - right I have already put the rightsubnet=fe80::/64,%dynamic

@ValdikSS

This comment has been minimized.

Copy link

@ValdikSS ValdikSS commented Oct 19, 2015

@jice, can you please provide configs that work for you? I didn't manage to configure it to make it work. Windows sends router solicitations, radvd answers with router advertisements, but it still doesn't work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment