LinuxQuestions.org
Old 07-23-2016, 08:10 PM   #1
edawg
LQ Newbie
 
Registered: Jul 2016
Posts: 2

Rep: Reputation: Disabled
Strongswan + IPv6 over IPv4 Tunnel


Hi Guys,

I need a little bit of help at the moment. I have a Cisco ASA (configured for IPSEC L2L and working great). I have multiple sites that I need to connect the VPN to and there is a network overlap.

What we want to do is run IPv4 tunnels and NAT everything to an IPv6 /96 prefix and run Strongswan on Linux appliances at the other end. The decision to run IPv6 is based on the HO being converted over in the near future. So right now, it will be NAT'd from the firewall until it's converted over.

HO ASA - 192.168.1.1
HO Host behind ASA - 192.168.1.10 / 2520:0:2e0:200::192.168.1.10

Remote Site VPN appliance - 172.16.1.115 - 2520:0:2e0:100::172.255.1.115
Remote Site computer behind appliance - 172.26.1.116

TAYGA works great for NAT64 in that I can assign a /96 prefix (2520:0:2e0:100::) and just ping the prefix and add an IPv4 address at the end and it works. Eg: ping6 2520:0:2e0:100::172.26.1.115.

My issue is routing over the VPN. Strongswan is connected and I've configured the ASA the exact way I would IPv4. In fact, I had the site configured as IPv4 only to start with to confirm my Strongswan configuration.

TAYGA Configuration
tun-device nat64
ipv4-addr 192.168.255.1
prefix 2620:0:2d0:200::/96
dynamic-pool 192.168.255.0/24
data-dir /var/db/tayga


Strongswan Configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn HO-Client
    left=172.16.1.115
    leftsubnet=2520:0:2e0:100::/96
    leftid=172.16.1.115
    leftfirewall=yes
    right=HOPUBLICIP
    rightsubnet=2520:0:2e0:200::/96
    rightid=HOPUBLICIP
    auto=start
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    keyexchange=ikev2

ifconfig
[root@localhost ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.1.115 netmask 255.255.255.0 broadcast 172.255.20.255
inet6 fe80::20c:29ff:fec0:485b prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:c0:48:5b txqueuelen 1000 (Ethernet)
RX packets 8158 bytes 792440 (773.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5747 bytes 1437409 (1.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 2056 bytes 183398 (179.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2056 bytes 183398 (179.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

nat64: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 192.168.255.1 netmask 255.255.255.255 destination 192.168.255.1
inet6 2001:db8:1::1 prefixlen 128 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 77 bytes 6992 (6.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 80 bytes 7012 (6.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Thanks in advance
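A small Python helper, added here as an illustration and not part of the post, that applies the RFC 6052 /96 embedding the post relies on ("ping the prefix and add an IPv4 address at the end") and checks whether the synthesized IPv6 address falls inside one of the strongswan traffic selectors. The prefixes and hosts are taken from the post above; packets whose source or destination falls outside both selectors never enter the IPsec tunnel.

```python
import ipaddress

# Values from the post: the NAT64 prefix tayga is expected to serve on the
# remote side, the remote host behind the appliance, and the two traffic
# selectors (leftsubnet / rightsubnet) from the ipsec.conf shown above.
NAT64_PREFIX = ipaddress.IPv6Network("2520:0:2e0:100::/96")
LEFT_SUBNET = ipaddress.IPv6Network("2520:0:2e0:100::/96")
RIGHT_SUBNET = ipaddress.IPv6Network("2520:0:2e0:200::/96")
REMOTE_HOST_V4 = "172.26.1.115"


def synthesize(prefix, ipv4):
    """RFC 6052 /96 mapping: the prefix's upper 96 bits, then the IPv4
    address as the low 32 bits (what 'prefix::a.b.c.d' spells out)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(prefix, ipv6):
    """Inverse mapping: recover the embedded IPv4 address, or None when the
    IPv6 address is not inside the NAT64 prefix at all."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def covering_selector(prefix, ipv4, local_ts, remote_ts):
    """Report which IPsec traffic selector covers the synthesized address:
    'local', 'remote', or None (traffic that stays out of the tunnel)."""
    v6 = synthesize(prefix, ipv4)
    if v6 in local_ts:
        return "local"
    if v6 in remote_ts:
        return "remote"
    return None


if __name__ == "__main__":
    v6 = synthesize(NAT64_PREFIX, REMOTE_HOST_V4)
    print(REMOTE_HOST_V4, "->", v6, "->", extract(NAT64_PREFIX, v6))
    print("covered by:", covering_selector(NAT64_PREFIX, REMOTE_HOST_V4,
                                          LEFT_SUBNET, RIGHT_SUBNET))
```

Feeding the prefix from each side's tayga.conf into `covering_selector` is a quick way to confirm that the NAT64 prefix and the strongswan subnets agree before looking at kernel routes.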
 
Old 07-23-2016, 08:11 PM   #2
edawg
LQ Newbie
 
Registered: Jul 2016
Posts: 2

Original Poster
Rep: Reputation: Disabled
In addition:

IPv4 route table

0.0.0.0 172.16.1.1 0.0.0.0 UG 100 0 0 eth0
172.16.1.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.255.0 0.0.0.0 255.255.255.0 U 0 0 0 nat64

IPv6 route table
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
::/0 :: !n -1 1 260 lo
::/96 :: !n 1024 0 0 lo
0.0.0.0/96 :: !n 1024 0 0 lo
2001:db8:1::1/128 :: U 256 0 0 nat64
2002:a00::/24 :: !n 1024 0 0 lo
2002:7f00::/24 :: !n 1024 0 0 lo
2002:a9fe::/32 :: !n 1024 0 0 lo
2002:ac10::/28 :: !n 1024 0 0 lo
2002:c0a8::/32 :: !n 1024 0 0 lo
2002:e000::/19 :: !n 1024 0 0 lo
2520:0:2e0:100::/96 :: U 1024 0 23 nat64
3ffe:ffff::/32 :: !n 1024 0 0 lo
fe80::/64 :: U 256 0 23 eth0
::/0 :: !n -1 1 260 lo
::1/128 :: Un 0 1 289 lo
2001:db8:1::1/128 :: Un 0 1 31 lo
fe80::/128 :: Un 0 1 0 lo
fe80::20c:29ff:fec0:485b/128 :: Un 0 1 3 lo
ff00::/8 :: U 256 0 0 nat64
ff00::/8 :: U 256 0 0 eth0
::/0 :: !n -1 1 260 lo