19.3.2020


Petr Bravenec
Twitter: @BravenecPetr
+420 777 566 384
petr.bravenec@hobrasoft.cz

Along with the coronavirus, a number of requests for remote access to corporate networks have emerged. Some of our clients have IPv6 in their network, so we are deploying a VPN built on IPv6. The Windows workstations (the VPN clients) need only IPv4 connectivity; the IPv6 traffic travels inside the tunnel.

Some time ago I wrote an article about how we access the corporate network from the Internet. Our network runs primarily on IPv6; almost no computer in the office is reachable from outside over IPv4. Only computers with an explicit need for IPv4 have an IPv4 address; all the others have only IPv6 addresses. Because we have IPv6 deployed at many customers, the natural step was to deploy our proven solution.

Requirements

IPv6 prefix with a /56 or /48 mask

If you want to connect two different IPv6 networks, you have to have those networks. ISPs often provide end users with a single /64 prefix, which does not follow the recommendations of RFC 6177. An IPv6 VPN cannot be configured in such a network, because the VPN clients need a /64 of their own.

Static IPv6 addresses for your internal servers

IPv6 addresses are created automatically. Every computer creates several IP addresses:

  • Link-local address, beginning with the fe80:: prefix. Such an address is unusable for the VPN. It is typically derived from the MAC address, for example fe80::f407:ff:fe9b:360d. You can find this address everywhere, even in networks where IPv6 is not configured.
  • Internet address based on the prefix provided by the ISP and on the MAC address. The last four groups are usually the same as in the link-local address, for example 2001:db8:1000:1000:f407:ff:fe9b:360d. This is the address you are interested in.
  • Internet address based on the prefix provided by the ISP and created by the privacy extension mechanism. This address changes very often (ip addr marks it temporary) and is useless for the VPN.

On a server with heavy use of IPv6 you can usually find many IPv6 addresses. They are set by the system administrator, because it is sometimes useful to have a separate IPv6 address for every service running on the server. These addresses are static and are the ones to publish in DNS.
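To pick the right address from the list above without reading it by eye, the following shell helper (an added example, not part of the original article) filters the output of ip -6 addr: it keeps global-scope addresses and drops the link-local and the temporary privacy addresses, leaving the EUI-64 address and any statically configured ones, which are the candidates for the AAAA record. The sample output embedded in it is constructed, using the documentation prefix from the text.

```shell
#!/bin/sh
# Added example, not from the original article: pick the stable global IPv6
# address(es) of an interface from "ip -6 addr" output, skipping link-local and
# privacy (temporary) addresses. That is the address to publish in the AAAA record.
set -eu

# Reads "ip -6 addr show dev <if>" output on stdin, prints one address per line.
# "scope global" drops fe80::/10; the "temporary" flag marks privacy-extension
# addresses; the EUI-64 address is flagged "mngtmpaddr" and statically configured
# addresses carry neither flag, so both survive the filter.
stable_global_addrs() {
    awk '$1 == "inet6" && $3 == "scope" && $4 == "global" && !/temporary/ {
             sub("/.*", "", $2); print $2 }'
}

# Constructed sample of "ip -6 addr show dev eth0" (documentation prefix, as in the text).
SAMPLE_IP6_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1000:1000:d5c1:2b7f:9a11:4e02/64 scope global temporary dynamic
       valid_lft 86171sec preferred_lft 14171sec
    inet6 2001:db8:1000:1000:f407:ff:fe9b:360d/64 scope global dynamic mngtmpaddr
       valid_lft 86171sec preferred_lft 14171sec
    inet6 fe80::f407:ff:fe9b:360d/64 scope link
       valid_lft forever preferred_lft forever'

# On a real host:  ip -6 addr show dev eth0 | stable_global_addrs
printf '%s\n' "$SAMPLE_IP6_ADDR" | stable_global_addrs
```

On the sample this prints only 2001:db8:1000:1000:f407:ff:fe9b:360d, the address the text recommends.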

Working DNS

Some network administrators use only IPv4 addresses to identify their computers. Clients in such a network connect to 192.168.x.x or another local IP; they open Samba shares, for example, like this:

\\192.168.1.10

That does not work with IPv6. Windows accepts an IPv6 literal in a UNC path only in the clumsy ipv6-literal.net form (\\2001-db8-1000-1000--1.ipv6-literal.net), so in practice the computer's name must be used.

My computer is named petr.hobrasoft.cz, for example. From anywhere on the (IPv6) Internet I can run ping petr.hobrasoft.cz on the command line and its IPv6 address should be displayed. If the firewall does not reject ping requests, the computer should reply:

petr@pc~ $ ping -n petr.hobrasoft.cz
PING petr.hobrasoft.cz(2001:db8:1000:1000:f407:ff:fe9b:360d) 56 data bytes
64 bytes from 2001:db8:1000:1000:f407:ff:fe9b:360d icmp_seq=1 ttl=64 time=0.829 ms
64 bytes from 2001:db8:1000:1000:f407:ff:fe9b:360d icmp_seq=2 ttl=64 time=0.467 ms
64 bytes from 2001:db8:1000:1000:f407:ff:fe9b:360d icmp_seq=3 ttl=64 time=0.270 ms
^C
--- petr.hobrasoft.cz ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2073ms
rtt min/avg/max/mdev = 0.270/0.522/0.829/0.231 ms

If you want to access shared network disks on your server from your Windows computer, find the server by its full name, for example:

\\petr.hobrasoft.cz

This must work in your local network without the VPN. Windows Explorer does not accept a plain IPv6 address in its address field, so the name has to resolve.

Linux server with public IPv4 address

All my servers that run the IPv6 VPN have Debian 10 or Ubuntu 18.04 installed. These packages are required:

  • strongswan (version 5.6 in Ubuntu, version 5.7 in Debian)
  • libcharon-extra-plugins (provides the eap-mschapv2 plugin used for client authentication below)

You may also need a DNS server and radvd (Router Advertisement Daemon).

All my servers with the VPN work as pure firewalls with no other important services. Network shares and other services are hosted on other servers. We often use this computer: Itsy-bitsy router with mega-super-ukulele performance. One of our IKEv2 VPN servers runs as a virtual server somewhere out on the Internet (briefly described here: IPv6 via IKEv2 VPN).

The Linux server (firewall) must have a public IPv4 address, or alternatively UDP ports 500 and 4500 must be forwarded from the public IPv4 address to it. Choose your DNS name wisely. I use vpn.roznov.hobrasoft.cz instead of the real computer's name: vpn.roznov.hobrasoft.cz is the name of the service, not of the computer. One real computer can host many services, each with its own name (pop3.hobrasoft.cz, smtp.hobrasoft.cz, www.hobrasoft.cz...). Do not use a CNAME for the VPN's name; use an A record instead. A CNAME to the computer's real name would also resolve to its AAAA record, and the VPN service should not be reachable by IPv6: the clients connect over IPv4 and carry IPv6 inside the tunnel. In a pure IPv6 environment the VPN has to be configured differently.

Certificate issued to your VPN's service name

The client connects to a service (computer) named vpn.roznov.hobrasoft.cz. The certificate is what lets the client verify that it is talking to that server and not to an impostor, and it protects the path between the client and the server.

If your VPN runs at vpn.roznov.hobrasoft.cz, you need a certificate issued to that name. We use Let's Encrypt certificates and the acme.sh utility.

Of course, you can use your own CA too, but that brings a lot of administration: you have to install your CA certificate on every client and remember to renew certificates periodically. If you also want certificates for the clients, you probably will not want to replace them every few months, so you will set the expiration far in the future; then you have to revoke compromised certificates when a laptop is lost or stolen. In the current situation (coronavirus plus quarantine) everything has to be set up over the phone. Some users are unable to fill in a simple form. Do you really want to install a CA or client certificate on their computer over a phone call?
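The following script is an added example, not part of the original article: it shows how the Let's Encrypt certificate for the service name can be issued with acme.sh and dropped into the strongSwan directories used later in this text, with a renewal hook so charon picks up each new certificate, and it adds a check for the two certificate properties an IKEv2 client looks for. The acme.sh options are real; the assumptions are that acme.sh runs as root, that the name has an A record pointing at this host with port 80 reachable for the HTTP-01 challenge (--standalone), and that the file paths match the ipsec.conf below.

```shell
#!/bin/sh
# Added example, not part of the original article. Obtains the certificate for the
# VPN service name with acme.sh, installs it where the ipsec.conf in this article
# expects it, and checks the properties an IKEv2 client looks for.
# Assumptions: acme.sh runs as root, the name has an A record pointing at this host,
# port 80 is reachable for the HTTP-01 challenge (--standalone), paths as in ipsec.conf.
set -eu

VPN_NAME="${VPN_NAME:-vpn.roznov.hobrasoft.cz}"
CERT_DIR="${CERT_DIR:-/etc/ipsec.d/certs}"
KEY_DIR="${KEY_DIR:-/etc/ipsec.d/private}"
CA_DIR="${CA_DIR:-/etc/ipsec.d/cacerts}"

# Issue once; --install-cert makes acme.sh copy every renewal into strongSwan's
# directories and run the reload command. The intermediate goes into cacerts so
# that charon sends the whole chain and the client does not need to know the
# intermediate itself.
install_vpn_cert() {
    acme.sh --issue --standalone -d "$VPN_NAME"
    acme.sh --install-cert -d "$VPN_NAME" \
        --key-file  "$KEY_DIR/$VPN_NAME.key" \
        --cert-file "$CERT_DIR/$VPN_NAME.cer" \
        --ca-file   "$CA_DIR/letsencrypt-intermediate.cer" \
        --reloadcmd "ipsec rereadall && ipsec reload"
}

# Returns 0 when the certificate in $1 carries the name $2 as a DNS subjectAltName
# and has the serverAuth extended key usage. The Windows IKEv2 client matches the
# server name against the SAN and requires serverAuth; Let's Encrypt certificates
# have both, self-made ones often lack one of them.
check_vpn_cert() {
    cert="$1"; name="$2"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | grep -qxF "DNS:$name" || return 1
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
}

# Usage after installation (assumed paths):
#   check_vpn_cert "$CERT_DIR/$VPN_NAME.cer" "$VPN_NAME" && echo "certificate OK"
```

Run check_vpn_cert against the installed file after every renewal, or against a self-signed certificate before handing it to Windows clients; a certificate that only has the name in the CN fails the check.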

IPv6 network plan

The VPN needs its own IPv6 network. That is why the described solution cannot work with a /64: you need a /56 or /48, for example 2001:db8:1000::/48 or 2001:db8:1000:1000::/56. Then you can have separate networks for the VPN and for the corporate network, for example:

  • 2001:db8:1000:1000::/64 internal network
  • 2001:db8:1000:1010::/64 VPN network

The VPN server sits in your internal network with, for example, 2001:db8:1000:1000::1 (the default router of the internal network) and 2001:db8:1000:1010::1 (the default router of the VPN network). The clients get addresses from the range 2001:db8:1000:1010:8000::/65. IPv6 forwarding must be enabled on the firewall (net.ipv6.conf.all.forwarding=1).

StrongSwan settings

You have to change two configuration files: /etc/ipsec.conf and /etc/ipsec.secrets. The other configuration files can stay untouched.

/etc/ipsec.conf

config setup
    charondebug = "ike 2, net 0"
    uniqueids = no
    # plutostart belongs to strongSwan 4; strongSwan 5 has no pluto daemon

conn %default
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 300s
    rekey = yes
    eap_identity = %any
    auto = start
    forceencaps = no
    compress = no
    fragmentation = yes
    ikelifetime = 3600s
    lifetime = 3600s
    # If you have only Windows clients, you can use this. sha1, modp1536 and
    # modp1024 are listed only because the Windows client proposes weak groups by
    # default; drop them if you set the client's proposal yourself
    # (Set-VpnConnectionIPsecConfiguration). The "!" makes the proposal strict.
    ike = aes256-aes192-aes128-sha384-sha256-sha1-modp4096-modp3072-modp2048-modp1536-modp1024!
    esp = aes256-aes192-aes128-sha384-sha256-sha1!
    # If you also have Mac OS X clients, use this:
    # ike = aes128-aes256-sha512-modp4096!
    # esp = aes128-aes256-sha512-modp4096!

conn officevpn
    # Server side
    left = vpn.roznov.hobrasoft.cz
    leftid = @vpn.roznov.hobrasoft.cz
    leftsubnet = ::/0
    leftauth = pubkey
    leftcert = /etc/ipsec.d/certs/vpn.roznov.hobrasoft.cz.cer
    leftsendcert = always

    # Client side
    right = %any
    rightid = %any
    rightauth = eap-mschapv2
    rightsourceip = 2001:db8:1000:1010:8000::/65
    rightsendcert = never
    # DNS server handed to the clients; it must be reachable from the VPN network
    rightdns = 2a0a:1c01:0:1404::1

/etc/ipsec.secrets

# Server's private key
: RSA /etc/ipsec.d/private/vpn.roznov.hobrasoft.cz.key

# User's passwords
bravenec : EAP "JednoHeslo"
hofman   : EAP "DruheHeslo"

Do not use tabs in the file!

Firewall rules on server

The IPv4 part is simple: IKE and NAT traversal use UDP ports 500 and 4500 (plus ESP, IP protocol 50, for clients that are not behind NAT). IPv6 is not as simple. The decrypted packets from the VPN clients leave the IPsec tunnel on your external network interface, carrying the clients' addresses from the VPN range, on the same interface the rest of the Internet comes in on. You cannot tell them apart by interface; you have to recognise them by address, or by the ip6tables policy match, which tells IPsec-protected packets from clear-text ones.

It is also a good idea to allow IPv6 traffic from the clients to the Internet. A client connected to the VPN suddenly has the whole IPv6 world open, and if its ISP does not provide IPv6, the client reaches every IPv6-capable site through the VPN line. If you block the client-to-Internet direction, every such connection has to time out before falling back to IPv4, and the Internet becomes very slow for your clients.

Do not forget to block traffic from the IPv6 Internet to your clients. Remember, every client connected to the VPN has a public IPv6 address!
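The rules below are an added example, not the article's own firewall script; they implement the three points above for the address plan used in this text. Assumed names: eth0 is the interface carrying the public IPv4 address, and the prefixes are the documentation addresses from the plan. The IPv6 part relies on the ip6tables policy match: --pol ipsec with --dir in matches only packets that were just decrypted from an IPsec SA, and with --dir out only packets that will be encrypted by one, so a VPN-range source address cannot be spoofed from the clear-text side. Setting IPT=echo IP6T=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original article: netfilter rules for the firewall
# that runs strongSwan, for the address plan above. Assumptions: WAN is the
# interface with the public IPv4 address, prefixes are the article's ones.
# Set IPT=echo IP6T=echo to print the rules instead of loading them.
set -eu

IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"
WAN="${WAN:-eth0}"                                 # assumption
LAN_NET="${LAN_NET:-2001:db8:1000:1000::/64}"      # internal network
VPN_NET="${VPN_NET:-2001:db8:1000:1010::/64}"      # VPN network (clients in the upper /65)

# IPv4: only the IKE/NAT-T ports and ESP (for clients that are not behind NAT).
ipv4_rules() {
    $IPT -A INPUT -i "$WAN" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p esp -j ACCEPT
}

# IPv6: decrypted client packets appear on the WAN interface with VPN-range source
# addresses. The policy match distinguishes them from clear-text Internet traffic.
# Rules for LAN-to-Internet traffic are left to the existing firewall.
ipv6_rules() {
    $IP6T -P FORWARD DROP
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Clients may reach the LAN and the whole IPv6 Internet (blocking this
    # direction makes every dual-stack site slow for clients without native IPv6).
    $IP6T -A FORWARD -s "$VPN_NET" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # The LAN may open connections to clients, but only into the tunnel.
    $IP6T -A FORWARD -s "$LAN_NET" -d "$VPN_NET" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    # Clients have public addresses: nothing else from the Internet reaches them,
    # and VPN-range sources that did not come through IPsec are dropped.
    $IP6T -A FORWARD -d "$VPN_NET" -j DROP
    $IP6T -A FORWARD -s "$VPN_NET" -j DROP
}

# The firewall must route between LAN, VPN and Internet.
enable_forwarding() {
    sysctl -w net.ipv6.conf.all.forwarding=1
}

# Run as root on the gateway:  ipv4_rules; ipv6_rules; enable_forwarding
```

The order of the FORWARD rules matters: the two policy-matched ACCEPT rules must precede the two DROP rules, otherwise the client range is cut off entirely. Replies to connections the clients opened are covered by the conntrack rule, so the Internet-to-client DROP only blocks unsolicited traffic.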

Hint: If you do not want to set up the IPv6 firewall, you can run the IPsec server inside your network and forward UDP ports 500 and 4500 from your firewall to it. The IPsec server must then have two different IPv6 addresses: one from your inner network and one from the VPN network, and all servers need a route to the VPN network, set statically or announced by radvd running on the IPsec server. (I have never used this configuration with IPv6, but I have used it for many years with IPv4.)

Client settings — Windows 10

The basic settings are simple:

But Windows always requires something special: you have to set the default route manually.

Start the VPN. It connects but does not work yet. Search for the command line (cmd) and run it as an administrator. List the network interfaces and add the default route for the VPN interface; do this while the VPN is connected. Afterwards the VPN can be started quickly from the Wi-Fi icon in the taskbar.

netsh interface ipv6 show interfaces

Look for the VPN interface and set the default route:

netsh interface ipv6 add route ::/0 interface="VPN Roznov"

The same steps in pictures:

Note: The PNG images with JPEG artefacts were created with the Problem Steps Recorder in Microsoft Windows.

Mac OS X

Apple's settings are a little more sensitive. You can find the description here: https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX.

You also have to fill in the remote ID. In the example it is vpn.roznov.hobrasoft.cz. The ID must match the server name in the certificate (the leftid in ipsec.conf).

Conclusion

Each VPN type has its own pros and cons. IPsec over IPv6 eliminates some fundamental troubles:

  • It does not use TCP, which can lead to TCP meltdown (TCP inside TCP).
  • It does not use the GRE protocol, which some routers block.
  • There is absolutely no risk of IP address collision between the corporate and home networks, because every address is globally unique.

For me personally the greatest advantage is the IPv6 protocol itself. Compared with IPv4, IPv6 is a different world: the world the designers of the Internet had in mind when they created it. Things are simple, there are plenty of IP addresses, and there is no need to invent stop-gap solutions.
