Richard Laager
2016-10-26 04:19:06 UTC
I would like to see strongSwan support IPv6 VPNs to Windows 7+ using the
default Windows client. This is possible with a plugin I wrote.
Can this plugin be considered for merging?
I posted about this last year:
https://lists.strongswan.org/pipermail/users/2015-April/007812.html
We have been using this in production flawlessly since then. We've
upgraded from Ubuntu 14.04 to 16.04 (strongSwan 5.1.2 to 5.3.5), and the
patch continues to work.
Here's the relevant bug and wiki link to it, which shows other people
are interested:
https://wiki.strongswan.org/issues/817
https://wiki.strongswan.org/projects/1/wiki/Windows7#IPv6
The key part is the plugin, as it is compiled. The scripts are easy for
the sysadmin to add.
If there's a concern over the link local traffic selectors possibly
conflicting with link local on physical interfaces, link_local_ts could
be shipped but not loaded by default.
If there are other concerns with this patch, I'm happy to work to
address them.
So, to recap, to provide IPv4 and IPv6, with default routes, to a
Windows 7 system using its built-in VPN client, you need:
A)
https://wiki.strongswan.org/projects/strongswan/wiki/Win7UserMultipleConfig
B) leftsubnet=0.0.0.0/0,::/0
C) In addition to IPv4, provide an IPv6 block in rightsubnet=.
D) leftupdown=/path/to/the/attached/_updown
Adapt `service radvd reload` as necessary for your distro.
E) OPTIONAL: If using usernames & passwords, rightauth=eap-mschapv2
F) OPTIONAL: Depending on your iptables setup, leftfirewall=yes
G) Build the link_local_ts plugin from the patch I attached.
H) Install radvd and the attached /etc/radvd.conf.in with eth0 adjusted
for your system. Run _updown once to generate /etc/radvd.conf.
I) OPTIONAL: If your VPN server needs router announcements for its IPv6
connectivity, you may need to add some firewall rules or something to
keep the system from hearing the local radvd.
default Windows client. This is possible with a plugin I wrote.
Can this plugin be considered for merging?
I posted about this last year:
https://lists.strongswan.org/pipermail/users/2015-April/007812.html
We have been using this in production flawlessly since then. We've
upgraded from Ubuntu 14.04 to 16.04 (strongSwan 5.1.2 to 5.3.5), and the
patch continues to work.
Here's the relevant bug and wiki link to it, which shows other people
are interested:
https://wiki.strongswan.org/issues/817
https://wiki.strongswan.org/projects/1/wiki/Windows7#IPv6
The key part is the plugin, as it is compiled. The scripts are easy for
the sysadmin to add.
If there's a concern over the link local traffic selectors possibly
conflicting with link local on physical interfaces, link_local_ts could
be shipped but not loaded by default.
If there are other concerns with this patch, I'm happy to work to
address them.
So, to recap, to provide IPv4 and IPv6, with default routes, to a
Windows 7 system using its built-in VPN client, you need:
A)
https://wiki.strongswan.org/projects/strongswan/wiki/Win7UserMultipleConfig
B) leftsubnet=0.0.0.0/0,::/0
C) In addition to IPv4, provide an IPv6 block in rightsubnet=.
D) leftupdown=/path/to/the/attached/_updown
Adapt `service radvd reload` as necessary for your distro.
E) OPTIONAL: If using usernames & passwords, rightauth=eap-mschapv2
F) OPTIONAL: Depending on your iptables setup, leftfirewall=yes
G) Build the link_local_ts plugin from the patch I attached.
H) Install radvd and the attached /etc/radvd.conf.in with eth0 adjusted
for your system. Run _updown once to generate /etc/radvd.conf.
I) OPTIONAL: If your VPN server needs router announcements for its IPv6
connectivity, you may need to add some firewall rules or something to
keep the system from hearing the local radvd.
--
Richard
Richard