Last active
May 15, 2019 17:21
Strongswan + Windows VPN IKEv2 + IPv6
Problem Statement
-----------------
The Windows native VPN client does not configure the default IPv6 route through the tunnel, even if the negotiated remote traffic selector is ::/0.

Causes
------
Windows sends router solicitations and awaits a router advertisement from the other side. To this end, it uses link-local unicast and multicast addresses, just like a machine would on a broadcast-capable link (e.g. Ethernet).

If you only configured a Virtual IP (rightsourceip) in Strongswan, the negotiated traffic selectors would not allow traffic from Windows with a source address in fe80::/10 through the tunnel, so sniffing the protected traffic would not reveal Windows's attempts at router discovery.

Solution
--------
- Enable the libipsec plugin in Strongswan (this creates an ipsec0 interface in your system) to allow radvd to work
- Configure a static link-local address on ipsec0
    # ip addr add fe80::1/64 dev ipsec0
- Use the radvd daemon to advertise the /64 prefix containing your rightsourceip + the MTU (e.g. 1400) on the ipsec0 interface
- Add fe80::/64 to the remote traffic selectors of your connection in ipsec.conf (in addition to rightsourceip)
    rightsubnet=fe80::/64

Caveats
-------
- The configured link-local address on ipsec0 is not persistent through Strongswan restarts. Maybe use an updown script?
- radvd should be (re-)started only when the ipsec0 interface exists (when Strongswan has started) and the link-local address is configured
- I haven't tested communication between two Windows clients connected to the same Strongswan server when both have a Virtual IP in the same /64. Windows seems to use Neighbor Discovery over IPsec (for DAD only?) and the RA sent by a Windows VPN server says the /64 prefix is on-link...
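The following is an added example, not part of the gist: a strongSwan updown script that ties the link-local and radvd steps above to the connection coming up, which also addresses the two caveats the gist lists (the address vanishing on restart, and radvd needing ipsec0 to exist first). It assumes the libipsec plugin (`charon.plugins.kernel-libipsec.load = yes` in strongswan.conf) already creates ipsec0, that radvd is installed, and that ipsec.conf references the script via `leftupdown=` at a path of your choosing (`/usr/local/libexec/ipsec-ipv6-updown.sh` below is hypothetical). The pool prefix `2001:db8:1::/64` is a constructed placeholder; substitute the /64 that holds your rightsourceip. strongSwan exports the event name in `PLUTO_VERB`, which the script dispatches on; `DRY_RUN=1` only prints the privileged commands.

```shell
#!/bin/sh
# Added example (not from the gist): strongSwan updown hook that re-applies the
# static link-local on ipsec0 and (re)starts radvd whenever a client CHILD_SA
# comes up, so both survive a strongSwan restart.
# Assumed (not stated on the page): libipsec creates ipsec0 before any client
# connects; ipsec.conf carries leftupdown=/usr/local/libexec/ipsec-ipv6-updown.sh
# (hypothetical path); strongSwan passes the event in PLUTO_VERB.
set -u

IFACE="${IPSEC_IFACE:-ipsec0}"                       # interface created by libipsec
LINKLOCAL="${IPSEC_LINKLOCAL:-fe80::1/64}"           # server-side link-local (gist step 2)
POOL_PREFIX="${IPSEC_POOL_PREFIX:-2001:db8:1::/64}"  # constructed: /64 holding rightsourceip
TUN_MTU="${IPSEC_TUN_MTU:-1400}"                     # MTU advertised to Windows (gist step 3)
RADVD_CONF="${RADVD_CONF:-/etc/radvd.conf}"
RADVD_PID="${RADVD_PID:-/run/radvd.pid}"

# run CMD...: execute CMD, or only print it when DRY_RUN is set
# (lets the logic be exercised without root or a real ipsec0).
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Print a radvd.conf advertising the pool /64 and the tunnel MTU on ipsec0.
# Choice made here: AdvAutonomous off, so Windows keeps only the virtual IP it
# received over IKE; a SLAAC-derived address would fall outside the negotiated
# traffic selector and its packets would never enter the tunnel. AdvOnLink is
# off because the tunnel is point-to-point; traffic to other clients in the /64
# then follows the default route via the server instead of Neighbor Discovery.
gen_radvd_conf() {
    prefix="$1"; mtu="$2"
    cat <<EOF
interface $IFACE {
    AdvSendAdvert on;
    AdvLinkMTU $mtu;
    AdvDefaultLifetime 1800;
    prefix $prefix {
        AdvOnLink off;
        AdvAutonomous off;
    };
};
EOF
}

# Called on every "up-client" event; all steps are idempotent so repeated
# CHILD_SAs (one per connected Windows client) are harmless.
tunnel_up() {
    # Caveat 1: "replace" succeeds whether or not the address already exists.
    run ip -6 addr replace "$LINKLOCAL" dev "$IFACE"
    # Caveat 2: ipsec0 and its link-local now exist, so radvd can bind to it.
    # Reload a running radvd (it re-reads its config on SIGHUP), else start it.
    if [ -z "${DRY_RUN:-}" ] && [ -r "$RADVD_PID" ] \
        && kill -0 "$(cat "$RADVD_PID")" 2>/dev/null; then
        run kill -HUP "$(cat "$RADVD_PID")"
    else
        run radvd -C "$RADVD_CONF" -p "$RADVD_PID"
    fi
}

# Dispatch on the strongSwan event name.
handle_verb() {
    case "$1" in
        up-client) tunnel_up ;;   # a peer's CHILD_SA was installed
        *) ;;                     # down-client etc.: nothing to undo, ipsec0 stays
    esac
}

# Generate the radvd config once (e.g. at install time), then let the hook run:
#   gen_radvd_conf "$POOL_PREFIX" "$TUN_MTU" > /etc/radvd.conf
handle_verb "${PLUTO_VERB:-}"
```

Setting `leftupdown` replaces strongSwan's default `_updown` script, which also manages firewall rules; if you rely on those, call `_updown` from this script or merge the two. Generate `/etc/radvd.conf` with `gen_radvd_conf` once, then strongSwan invokes the hook on each connection.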
@jice, can you please provide configs that work for you? I didn't manage to configure it to make it work. Windows sends router solicitations, radvd answers with router advertisements, but it still doesn't work.