
I have 2 systems A and B linked together using a Strongswan IPv4 IKEv2 VPN. A client (C) connected to A can access the public IPv4 internet via B using the VPN. I am trying to enable C to access the public internet using IPv6 via B i.e. IPv6 packets originating at C are encapsulated by A and sent to B for decapsulation and forwarding.

I believe this is working correctly up to the point where the packets should enter the FORWARD table, but they don't.

On B, IPv6 forwarding is enabled:

sysctl net.ipv6.conf.default.forwarding
net.ipv6.conf.default.forwarding = 1

When I ping from C:

ping -6 -c1 -I fd00::1000 2a00:...:2377

...
1 packets transmitted, 0 received, 100% packet loss, time 0ms

On B, using tcpdump, I see:

14:02:00.014233 IP6 fd00::1000 > 2a00:...:2377: ICMP6, echo request, seq 1, length 64

and on B, when using the ip6tables TRACE target, I see:

Sep 15 14:02:00 host kernel: TRACE: raw:PREROUTING:policy:3 IN=eth0 OUT= MAC=52:54:00:0e:e3:c4:52:54:00:fd:ed:24:08:00 SRC=fd00:0000:0000:0000:0000:0000:0000:1000 DST=2a00:...:2377 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=24923 SEQ=1 
Sep 15 14:02:00 host kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=52:54:00:0e:e3:c4:52:54:00:fd:ed:24:08:00 SRC=fd00:0000:0000:0000:0000:0000:0000:1000 DST=2a00:...:2377 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=24923 SEQ=1 
Sep 15 14:02:00 host kernel: TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= MAC=52:54:00:0e:e3:c4:52:54:00:fd:ed:24:08:00 SRC=fd00:0000:0000:0000:0000:0000:0000:1000 DST=2a00:...:2377 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=24923 SEQ=1 

Using a netfilter flow diagram it appears that packets are getting to the 'routing decision' but no further.

Other than the rules to enable tracing, the IPv6 firewall is empty and set to ACCEPT everything.

System B can ping the target system OK; the routing table looks like this:

ip -6 r g 2a00:...:2377
2a00:...:2377 via 2a00:..:0:3:1 dev eth0 proto static src fe80::5054:ff:fe0e:e3c4 metric 100 pref medium

Can anyone point me in the right direction to figure out what is (not) going on?

user432917
  • What is this `fd00::1000` bit? That's not a proper ULA address. And where are your global addresses? You need one to access the Internet. – Michael Hampton Sep 17 '20 at 12:26
  • It does not matter if I use fd34:76df:65a1:2867::1000 or fd00::1000; I get the same result: packets get no further than nat:PREROUTING. The address `2a00:..:0:3:2` would be the global on B. It can ping the `2a00:...:2377` address. – user432917 Sep 17 '20 at 14:31
  • ULA addresses are not routable to the Internet. That's the whole point! Why hasn't your machine got a global address assigned? – Michael Hampton Sep 17 '20 at 14:33
  • The site at A does not have native IPv6. – user432917 Sep 17 '20 at 18:42
  • Then the first thing to do is to route some IPv6 subnets over the VPN from B. – Michael Hampton Sep 17 '20 at 18:53
  • The Linux kernel does support IPv6 NAT. If I give a client behind B a ULA it can use it to talk to the IPv6 internet via B because packets get into the nat:POSTROUTING. – user432917 Sep 18 '20 at 07:02
  • Yes, and that was a horrible mistake because people might actually try to use it. Don't NAT IPv6. It's not necessary, a bad design, and probably won't work. – Michael Hampton Sep 18 '20 at 16:42
