22.7.2021
Our corporate network has been built on IPv6 for a long time. We used this protocol at a time when Hobrasoft did not yet exist and we worked as a freelancers. Within a corporate network, IPv6 is a very convenient protocol. Each device is set automatically when connected to network, there is no need to set the devices individually. Sometimes it is just a little complicated to find out what IP address the device got.
In our case, the corporate network is not only the network in our Rožnov office, but it includes servers (many of them virtual) in the Prague and Brno. Thanks to the public IP addresses for each device among all servers, computers, thermometers, LED lights, cameras, security and other gadgets connected to our network can see each other. It doesn't matter where the device is located - if the device has its own IPv6 address, individual devices can communicate with each other without restriction. No private addresses nor NAT are used. Also, no random address collisions in different networks occure. Of course, some limitations are necessary. We do not want uninvented strangers in our network. So, the restrictions are enforced with firewall rules.
Because the corporate network is distributed over different locations, the individual parts communicate with each other via the internet, so the encryption is needed for safety. I intentionally do not mention the term VPN here, even if it is a network secured using IPSEC, the traditional tool used to create VPNs. All our devices could communicate with each other without problems even without a VPN. IPSEC is only used here to encrypt traffic between the two network points (usually between an Internet server and an office firewall).
When using IPv6, I don't care where the device is located. That's why I'm always very frustrated when I come to a customer, but I can't connect to the device in my office because of IPv4 limitation.
So I was looking for a way to get a normal IPv6 connection anywhere. I found a simple solution based on IPSEC and IKEv2. An IPv4 connection is established with the VPN server and an IPv6 tunnel is created inside the encrypted channel. Connected devices (laptop, android tablet, etc.) thus obtain public IPv6 address from the address space of the VPN server (it is necessary to have /48 or /56 available).
We have the VPN server located in Prague sittin jon a gigabit network. This makes the IPv6 network fast and does not burden the internet connection in the Rožnov office. Access to the office is between VPN and office secured with encryption. Because VPN clients always get an IPV6 address from the same range, it can be granted the clients to access the Rožnov office without restrictions.
With one VPN, we got two things: 1) access to IPv6 from anywhere, 2) secure access to the network in the office. The absence of IPv4 is not a problem, all devices are available without restriction via IPv6.
The whole structure is evident from the picture. Secured parts of the connection are drawn in green color. parts of the connection (tunnels). The connection between the laptop and the office network is fully encrypted. Unwanted traffic to office or to client is restricted with firewall rules. When accessing IPv4, no VPN is used, the client access the IPv4 servers directly.
Windows, Linux or Android are used as a client.
In Windows, the VPN client is part of the operating system and the setting is really simple. The only problem is setting the default gateway for IPv6. That must be set manually via the Windows command prompt.
For Android, the "StrongSwan VPN Client" application exists. Its setting is trivial and unlike the IKEv2 client in Windows it works without additional settings.
Linux has the most complicated setup. The StrongSwan application is configured in configuration files and certainly cannot be described as trivial.
We run the VPN server on a virtual Linux machine. Although several different applications implementing IPSEC and IKEv2 can be used on the server side, only one worked properly: StrongSwan.
StrongSwan also encrypts traffic to the office.
In the office, we use the older Racoon application for IPSEC. Its setup is little more complicated. Unlike StrongSwan, Racoon only supports IKEv1, it lacks IKEv2 support. We use the application for historical reasons.
Extremely important part of IPv6 is a proper DNS configuration. The IPv6 protocol is completely unusable withou DNS. Lots of people can remember the address in form 192.168.1.x. But no one can remember the address in format 2001:0db8:124f:1fe:5604:a6ff:fe32:34dd. With the IPv6, it's a common practice to use a separate IP address for each service. One server can have several different IPv6 addresses. It is not in human power to remember them.
It just works. I can connect via mobile phone, or over the network at any customer, after starting the VPN I have immediately available the entire Internet, not just the IPv4 part. As a bonus, I have a full access to my Rožnov office.
Even though I've been using IPv6 for about a decade, it still fascinates me, how easy and elegant it is to handle different situations thanks to the sufficient number of IP addresses. The use of IPv4 leads to complex and confusing bastles and sometimes it cannot be solved at all.
