19.3.2020

foto Petr Bravenec

Petr Bravenec
+420 777 566 384
petr.bravenec@hobrasoft.cz

Along with coronavirus, a number of requests for remote access to corporate networks have emerged. Some of our clients have IPv6 in their network, so we are deploying a VPN built on IPv6. On Windows workstations — the VPN clients, only IPv4 is needed.

Some time ago I wrote an article how we access the corporate network from the Internet. Our network works primarily on IPv6, almost no computer in the office is available externally on IPv4. Only computers with explicit need of IPv4 has one. All other computers have only IPv6 address. Because we have IPv6 deployed with many customers, the natural step was to deploy our tested solution.

Requirements

IPv6, mask /56 or /48

If you want to connect two different IPv6 networks, you have to have that networks. ISPs often provides a single prefix with the /64 mask to end users. This does not comply with recommendations in RFC6177. It is imposible to configure IPv6 VPN in such network.

Static IPV6 for your internal servers

The IPv6 network addresses are created automatically. Every computer creates a few IP addresses:

  • Link address, it begins with fe80:: prefix. Such address is unuseable with VPN. The address is derived from MAC address, for example: fe80::fe80::f407:ff:fe9b:360d. You can find this address everywhere, even in the networks where the IPv6 is not configured.
  • Internet address based on prefix provided by ISP and MAC. The last four parts are usually the same as in the link address, for example: 2001:db8:1000:1000:f407:ff:fe9b:360d. This is the address you should be interested in.
  • Internet address based on prefix provided by ISP created by privacy extension mechanism. This address si changed very often and it useless for VPN.

On the server with havy using of IPv6 you can usually find a lot of IPv6 address. The addresses are set by system adnimistrator because sometimes it is usefull to have standalone IPv6 address for every service running on the server.

Working DNS

Some network administrators uses only IPv4 addresses to identify his computers. Clients in such network connect to 192.168.x.x or other local IP. Cliens open the samba shares for example like this:

\\192.168.1.10

That is impossible with IPv6. The computer's name must be used.

My computer is named petr.hobrasoft.cz for example. Everywhere in internet (with IPv6) I can write ping petr.hobrasoft.cz on the command line and the IPv6 should be displayed. If the firewall does not rejects ping requests then the computer should reply:

petr@pc~ $ ping -n petr.hobrasoft.cz
PING petr.hobrasoft.cz(2001:db8:1000:1000:f407:ff:fe9b:360d) 56 data bytes
64 bytes from 2001:db8:1000:1000:f407:ff:fe9b:360d icmp_seq=1 ttl=64 time=0.829 ms
64 bytes from 2001:db8:1000:1000:f407:ff:fe9b:360d icmp_seq=2 ttl=64 time=0.467 ms
64 bytes from 2001:db8:1000:1000:f407:ff:fe9b:360d icmp_seq=3 ttl=64 time=0.270 ms
^C
--- petr.hobrasoft.cz ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2073ms
rtt min/avg/max/mdev = 0.270/0.522/0.829/0.231 ms

If you want to access shared network disks on your server from your windows computer, you can find your server using its full name, for example:

\\petr.hobrasoft.cz

This must work in your local network without VPN. It is impossible to write an IPv6 address to address field in Windows Explorer.

Linux server with public IPv4 address

All my servers which run the IPv6 VPN have the Debian 10 or Ubuntu 18 distribution installed. These packages are requested:

  • strongswan (version 5.6 in Ubuntu or version 5.7 in Debian)
  • libcharon-extra-plugins

You may also need DNS server and radvd (Router Advertisement Daemon).

All my servers with VPN work as a pure firewall with no other important services. Network shares and other services are hosted on other servers. We use this computer often: Pidimidi router s megasuperukulele výkonem. One of our IKEv2 VPN servers runs as a virtual server located somewhere deep in internet (briefly described here: IPv6 prostřednictvím IKEv2 VPN).

Linux server (firewall) must have public IPv4 address or UDP ports 4500 and 500 must be NATed to the public IPv4 address, eventually. Choose wisely your DNS name. I use vpn.roznov.hobrasoft.cz instead of real computer's name. The vpn.roznov.hobrasoft.cz is the service's name, not computer's one. A real computer can host a lot of services with their own names (pop3.hobrasoft.cz, smtp.hobrasoft.cz, www.hobrasoft.cz...) Do not set the CNAME for the VPN's name, use A record instead. It is not desired to have the IPv6 name of your VPN service accessible. In pure IPv6 environment the VPN should be configured differently.

Certificate issued to your VPN's service name

The client connects to a service (computer) with vpn.roznov.hobrasoft.cz name. The certificate is a way to secure the route between the client and the server.

If your VPN works on address vpn.roznov.hobrasoft.cz, you need certificate issued to this name. We use Let's Encrypt certificates and acme.sh utility.

Of course, you can use your own certificates, too. But this brings a lot of administrations: You have to install your CA certificates to each client and you have to remember to renew certificates periodically. If you want to use the certificates for your clients, probably you will not want to change client's certificates every few months and you will set the expiration date to a distant future. Then you will have to revoke compromited certificates when the client's notebook is lost or stolen. In current situation (coronavirus + quarantine) all must be set via a phone call. Some users are not able to fill a simple form. Do you really want to install a CA's or client's certificate to his computer via the phone call?

IPv6 network plan

VPN needs it's own IPv6 network. That is the reason, why the described solution cannot work with /64 mask. You need /56 or /48 mask, for example 2001:db8:1000::/48 or 2001:db8:1000:1000::/56. Then you can have different networks for VPN and for corporate network, for example:

  • 2001:db8:1000:1000::/64 internal network
  • 2001:db8:1000:1010::/64 VPN network

The VPN server inside your internal network has for example 2001:db8:1000:1000::1 (default router in your internal network) and 2001:db8:1000:1000::1 (default router in your VPN network). The clients will have addresses in range 2001:db8:1000:1010:8000::/65. The IPv6 forwarding should be enabled in the firewall.

StrongSwan settings

You have to change two configuration files: /etc/ipsec.conf and /etc/ipsec.secrets. Other configuration files should stay untouched.

/etc/ipsec.conf

config setup
    charondebug = "ike 2, net 0"
    uniqueids = no
    plutostart = no

conn %default 
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 300s
    rekey = yes
    eap_identity = %any
    auto = start
    forceencaps = no
    compress = no
    fragmentation = yes
    ikelifetime = 3600s
    lifetime = 3600s
    # If you have only Windows client, you can use this:
    ike = aes256-aes192-aes128-sha384-sha256-sha1-modp4096-modp3072-modp2048-modp1536-modp1024!
    esp = aes256-aes192-aes128-sha384-sha256-sha1!
    # If you have also Mac OS X, use this:
    # ike = aes128-aes256-sha512-modp4096!
    # esp = aes128-aes256-aes128-sha512-modp4096!

conn officevpn
    # Server side
    left = vpn.roznov.hobrasoft.cz
    lefid = @vpn.roznov.hobrasoft.cz
    leftsubnet = ::/0
    leftauth = pubkey
    leftcert = /etc/ipsec.d/certs/vpn.roznov.hobrasoft.cz.cer
    leftsendcert = always

    # Client side
    right = %any
    rightid = %any
    rightauth = eap-mschapv2
    rightsourceip = 2001:db8:1000:1010:8000::/65
    rightsendcert = never
    rightdns = 2a0a:1c01:0:1404::1

/etc/ipsec.secrets

# Server's private key
: RSA /etc/ipsec.d/private/vpn.roznov.hobrasoft.cz.key

# User's passwords
bravenec : EAP "JednoHeslo"
hofman   : EAP "DruheHeslo"

Do not use tabs in the file!

Firewall rules on server

The IPv4 setting is simple: IPSec communicates on port 4500 or 500 UDP using IPv4. IPv6 is not as simple as IPv4. The unencrypted packets from your VPN go from your external network device. You have to recognize the packets by it's addresses.

Also, it is a good idea to enable IPv6 traffic from your clients to internet. The clients using VPN has the IPv6 world opened and if theirs ISP does not support IPv6, the clients try to access the IPv6 world using the VPN line. Disabling the IPv6 traffic in client-world direction the internet access becomes very slow for your clients.

Do not forget to disable traffic from IPv6 internet to your clients. Remember — all clients connected to VPN has public IPv6 address!

Hint: If you do not want to set the IPv6 firewall, you can run your IPSec server inside your network. On your firewall forward the IPv4 4500 and 500 UDP ports to your IPSec server. The IPSec server must have two different IPv6 addresses: one address from your inner network and the second one from the VPN network. All servers have to have the route set to your VPN network statically or with radvd server on your IPsec server. (I never used such configuration with IPv6 but I use it many years with IPv4).

Client settings — Windows 10

Basic setting is simple:

But Windows always requires something special — you have to set default route manually:

Start the VPN. It's connected but not working yet. Search for command line — the cmd — and run it as an administrator. List all network devices and set the default route for the VPN device. Then you can start the VPN. Quick access to start the VPN is under the dock Wifi icon.

netsh interface ipv6 show interfaces

Look for VPN device and set the default route:

netsh interface ipv6 add route ::/0 interface="VPN Roznov"

The same in the pictures:

Note: Images in PNG format with JPEG artefacts were created with program Problem Steps Recorder in Microsoft Windows.

Mac OS X

Apple settings is little more sensitive. You can find the description here: https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX.

You have to fill also the remote ID. In the example it is vpn.roznov.hobrasoft.cz. The ID should correspond to server's name set in the certificate.

Conclusion

Each VPN type has its own pros and cons. IPSec over IPv6 eliminates some fundamental troubles:

  • It does not use TCP procotol which can lead to TCP meltdown.
  • It does not use GRE protocol which can be blocked by some routers.
  • There is absolutelly no risk of IP addresses collision between corporate and home network.

For me personally the greatest advantage is the IPv6 protocol. In contrast to IPv4, the IPv6 is different world. The world which our ancestors have in their minds, when they created The Internet. Things are made simple, a lot of IP addresses exists and there is no need to invent a stop-gap solution.

Hobrasoft s.r.o. | Contact