
I'm setting up Server 2012 R2 RRAS to be an SSTP VPN. I've got IPv4 working perfectly. My environment is dual stack (v4 and v6). When I enable IPv6 on the VPN my client gets a valid address but is unable to communicate with anything over the VPN using IPv6. If I ping a computer name it gets the IPv6 address but times out, whereas if I ping it with -4 it gets the v4 address and pings perfectly fine. I've been banging my head on this for a few days now and nothing I've tried or any web searches have pointed me to a solution. I'm starting to wonder if maybe the VPN needs another port open for the IPv6 to tunnel through?

I've got the IPv6 Router (LAN and demand-dial) and IPv6 Remote access server options enabled on the General tab in RRAS, as well as a prefix specified on the IPv6 tab. I've tried the prefix being its own private prefix and using the same prefix as is in use on the network.

Does anyone else have this working? I have a feeling that it's probably a little thing somewhere that I've missed. Or does it not send the IPv6 traffic over the IPv4 VPN, and you need to be on a client machine that has both IPv4 and IPv6 for IPv6 to work over the VPN?

kasperd
David
  • When I do a tracert it always stops at the RRAS IPv6 address and won't go further. It looks like RRAS isn't passing the traffic for some reason. – David May 13 '15 at 13:33

2 Answers


I thought I'd provide a more generic Linux router scenario for users not using pfSense but a Linux based router (in my case DD-WRT).

ip -6 route add xxxx:xxx:xxxx:xxxx::/64 via xxxx:xxx:xxxx:xx::x dev br0
  • The IPv6 prefix configured on the RRAS IPv6 tab goes after add
  • The IPv6 LAN IP address of the RRAS box is the via (essentially the gateway)
  • br0 is the LAN interface of your router. This is usually the default on DD-WRT; for other routers it could be another interface like eth0

The only problem I've discovered is that while this static route allows IPv6 traffic to flow through to the outside, it doesn't provide access to other LAN IPv6 addresses within the IPv6 subnet of the LAN IP address of the server, likely because the subnet is a different /64. To solve this, you need to add IPv6 static routes on the RRAS box itself to allow this connectivity.

James White

Turns out it was a little thing and it took looking at the problem in a completely different way to figure it out.

The problem wasn't with RRAS, it was with my router software setup (in this case pfSense). When on a VPN-connected client I was getting an IPv6 address and name resolution was working, but nothing would respond over IPv6. The problem was that my v6 packets would get into my network fine, but local machines didn't have any route information on how to get back to the VPN-connected machine. I had to set up a static route in my router for the prefix used in RRAS to route that prefix on my network back to the RRAS box. Now when the internal box tries to talk back, it sees a different prefix and sends it to my router, then my router forwards it to RRAS, which then sends it to the VPN-connected client.

Sure took a long time to track this down but it is finally working.

David
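Both answers come down to the same fix: the LAN router needs a static route for the RRAS client prefix whose next hop is the RRAS server's LAN address, otherwise replies from LAN hosts never find their way back to VPN clients. The following Python script is an added example, not code from either answer nor from RRAS, DD-WRT or pfSense. It checks the two things a practitioner has to get right before adding the route (the next hop must be on-link inside the LAN /64, and the client prefix must be a separate /64 rather than the LAN prefix, which the asker also tried), builds the DD-WRT `ip -6 route add` command from James White's answer, and parses a constructed `ip -6 route show` listing to confirm the route landed. All addresses are constructed from the 2001:db8::/32 documentation range; the function and variable names are mine.

```python
import ipaddress
from typing import Dict, List

# Constructed example values (documentation prefix 2001:db8::/32).
# Substitute your own LAN prefix, RRAS LAN address and RRAS client prefix.
LAN_PREFIX = "2001:db8:1::/64"    # the /64 the LAN hosts and the RRAS box sit in
RRAS_LAN_ADDR = "2001:db8:1::10"  # IPv6 address of the RRAS server on that LAN
VPN_PREFIX = "2001:db8:2::/64"    # prefix configured on the RRAS IPv6 tab
LAN_IFACE = "br0"                 # router's LAN interface (br0 on DD-WRT)


def plan_return_route(lan_prefix: str, rras_lan_addr: str, vpn_prefix: str,
                      lan_iface: str = "br0") -> Dict[str, object]:
    """Validate the inputs and build the return route for a Linux router.

    Returns 'ok', a list of 'problems', and the 'router_cmd' the router needs
    so that LAN hosts' replies to VPN clients are forwarded to RRAS.
    """
    lan = ipaddress.IPv6Network(lan_prefix, strict=False)
    gateway = ipaddress.IPv6Address(rras_lan_addr)
    vpn = ipaddress.IPv6Network(vpn_prefix, strict=False)
    problems: List[str] = []

    # The next hop must be on-link for the router, i.e. inside the LAN prefix.
    if gateway not in lan:
        problems.append(f"{gateway} is not inside {lan}; the router has no on-link path to RRAS")

    # Reusing the LAN prefix for VPN clients (one thing the asker tried) makes
    # LAN hosts treat clients as on-link: they do neighbour discovery instead
    # of sending replies to the router, so a static route can never help.
    if vpn.overlaps(lan):
        problems.append(f"VPN prefix {vpn} overlaps LAN prefix {lan}; use a separate /64")

    cmd = f"ip -6 route add {vpn} via {gateway} dev {lan_iface}"
    return {"ok": not problems, "problems": problems, "router_cmd": cmd}


def route_installed(route_show_output: str, vpn_prefix: str, rras_lan_addr: str) -> bool:
    """Parse 'ip -6 route show' text and report whether the return route exists."""
    want_net = ipaddress.IPv6Network(vpn_prefix, strict=False)
    want_gw = ipaddress.IPv6Address(rras_lan_addr)
    for line in route_show_output.splitlines():
        fields = line.split()
        if "via" not in fields:
            continue  # on-link routes have no next hop; not what we look for
        idx = fields.index("via")
        if idx + 1 >= len(fields):
            continue
        try:
            net = ipaddress.IPv6Network(fields[0], strict=False)
            gw = ipaddress.IPv6Address(fields[idx + 1])
        except ValueError:
            continue  # 'default' and other non-prefix entries
        if net == want_net and gw == want_gw:
            return True
    return False


# Constructed sample of what 'ip -6 route show' prints once the route is added.
SAMPLE_ROUTE_TABLE = """\
2001:db8:1::/64 dev br0 proto kernel metric 256 pref medium
2001:db8:2::/64 via 2001:db8:1::10 dev br0 metric 1024 pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
default via fe80::1 dev vlan2 metric 1024 pref medium
"""

if __name__ == "__main__":
    plan = plan_return_route(LAN_PREFIX, RRAS_LAN_ADDR, VPN_PREFIX, LAN_IFACE)
    print("ok" if plan["ok"] else "problems: " + "; ".join(plan["problems"]))
    print(plan["router_cmd"])
    print("route present:", route_installed(SAMPLE_ROUTE_TABLE, VPN_PREFIX, RRAS_LAN_ADDR))
```

Run the script with your own three values before touching the router: if it reports the overlap problem, the RRAS IPv6 tab is handing out the LAN prefix and no route will fix it; if it reports the on-link problem, the via address is wrong. The `route_installed` check is also the quickest way to confirm, after a reboot, that DD-WRT actually kept the route.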