I have a VPS with an IPv4 (/32) and an IPv6 (/128).
I've set up Strongswan and my IPv4 IPSec server works just fine - I'm using it all the time.
I'm trying to get it to work with IPv6 and so far it's not working at all. Since I only have a /128 IPv6 address and no prefix, I need to use NAT. My server is listening on IPv6, and it is possible to connect using IPv6 exclusively. I'm assigning a Unique Local Address (ULA) to my clients, and they receive it properly.
I've configured NAT to translate my ULA prefix into my server's address - exactly like I did in IPv4. But it doesn't work, and the NAT rule has 0 hits.
I believe there is a routing problem. For my IPv4 IPSec network, a routing rule is added like this in table 220 by Charon:
ip route show table 220
172.28.0.3 dev eth0 proto static
... but for my IPv6 ULA network, it shows like this:
ip route show table all
fd00:dead:dead:dead::1 via 2001:29da:405:5f00::1 dev eth0 table 220 proto static metric 1024
with 2001:29da:405:5f00::1 being the IPv6 default gateway of my server.
Here is what I have in IPSec.conf:
leftauth=pubkey
leftcert=X.crt
leftsendcert=always
leftsubnet=0.0.0.0/0,::/0
rightsourceip=172.28.0.0/23, fd00:DEAD:DEAD:DEAD:0:0:0:0/64
rightdns=208.67.220.220,208.67.222.222,2606:4700:4700:0:0:0:0:1111,2001:4860:4860:0:0:0:0:8888
Has anybody got any idea? Where should I look?
You only have a /128?! Yell at your VPS provider very loudly, or switch to some provider which isn't doing insane things. – Michael Hampton – 2019-04-14T17:10:35.433
Can you provide more information about the involved client? Are ESP packets sent if you address them to the virtual IP (check traffic counters or capture traffic)? – ecdsa – 2019-04-15T08:27:00.780
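The two symptoms the question reports (a virtual-IP route in table 220 that points at the default gateway instead of being a direct route like the IPv4 one, and a NAT rule whose counters stay at zero) can be checked mechanically rather than by eye. The script below is an added example, not code from the question or from strongSwan; it parses the `ip route` lines quoted above and a constructed `ip6tables -t nat -L POSTROUTING -v -n -x` listing. The MASQUERADE rule text, the pool `fd00:dead:dead:dead::/64` and the gateway `2001:29da:405:5f00::1` are taken from the post, while the exact shape of the NAT rule is an assumption, since the post does not show it.

```python
"""Added example: spot the two symptoms from the question in command output.

Not part of the original post. The route lines are the ones the asker quoted;
the ip6tables listing is a constructed sample of what a zero-hit NAT66 rule
looks like (the asker's actual rule is not shown on the page).
"""
import ipaddress
import re

# Constructed sample: the two `ip route show` lines quoted in the question,
# both of which live in strongSwan's routing table 220.
ROUTE_OUTPUT = """\
172.28.0.3 dev eth0 proto static
fd00:dead:dead:dead::1 via 2001:29da:405:5f00::1 dev eth0 table 220 proto static metric 1024
"""

# Constructed sample of `ip6tables -t nat -L POSTROUTING -v -n -x` output with a
# rule that has never matched a packet (assumption: the asker's NAT66 rule is a
# MASQUERADE on the ULA pool, mirroring the IPv4 setup).
NAT_OUTPUT = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MASQUERADE  all      *      eth0    fd00:dead:dead:dead::/64  ::/0
"""

# `<dst> [via <gw>] dev <ifname> ...` as printed by iproute2.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Parse `ip route` lines into dicts with dst, via (None if on-link) and dev."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(m.groupdict())
    return routes


def routes_via_gateway(routes, pool, default_gw):
    """Return destinations inside the virtual-IP pool whose route goes via
    default_gw instead of being a direct route like the IPv4 entry."""
    net = ipaddress.ip_network(pool, strict=False)
    hits = []
    for r in routes:
        try:
            addr = ipaddress.ip_address(r["dst"].split("/")[0])
        except ValueError:
            continue  # skip keywords such as "default"
        if addr.version == net.version and addr in net and r["via"] == default_gw:
            hits.append(r["dst"])
    return hits


# Counter lines of `-L -v -n -x`: `<pkts> <bytes> <target> ...`
COUNTER_RE = re.compile(r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)")
# First IPv6 prefix on the line is the source column.
PREFIX_RE = re.compile(r"\S*:\S*/\d+")


def nat_rules_without_hits(text):
    """Return (target, source prefix) for every NAT rule with a zero packet counter."""
    unused = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if not m or int(m.group("pkts")) > 0:
            continue
        src = PREFIX_RE.search(line)
        unused.append((m.group("target"), src.group(0) if src else None))
    return unused


def diagnose(route_text, nat_text, pool, default_gw):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for dst in routes_via_gateway(parse_routes(route_text), pool, default_gw):
        findings.append(f"table-220 route for {dst} points via default gateway {default_gw}")
    for target, src in nat_rules_without_hits(nat_text):
        findings.append(f"{target} rule for {src} has matched 0 packets")
    return findings


if __name__ == "__main__":
    for line in diagnose(ROUTE_OUTPUT, NAT_OUTPUT,
                         "fd00:dead:dead:dead::/64", "2001:29da:405:5f00::1"):
        print(line)
```

Run it against live output by piping `ip -6 route show table 220` and the ip6tables listing into the two functions; a non-empty result from `routes_via_gateway` reproduces the first observation in the question, and a non-empty result from `nat_rules_without_hits` reproduces the second, which is the counter check ecdsa's comment asks for.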