On Thu, 20 Oct 2022 08:55:43 +0200 Mirsad Todorovac <[email protected]> wrote:
> On 10/5/2022 4:18 PM, Mirsad Goran Todorovac wrote:
> >
> > P.S.
> >
> > Forgot to mention, the VPN client is Windows 10 Professional
> > version 21H2:
> >
> > Kind regards,
> >
> > mt
> >
> > On 5.10.2022. 15:58, Mirsad Goran Todorovac wrote:
> >> Hi all,
> >>
> >> Our VPN worked well until we moved to IPv6, and now it works only
> >> with IPv6 disabled,
> >> which is not practical (change of network settings resets all
> >> Putty terminal and all ssh connections
> >> among others ... ).
> >>
> >> The configuration is as follows:
> >>
> >> conn MYCONN-ikev2-ipv6-cp
> >>     # The server's actual IP goes here - not elastic IPs
> >>     left=2001:b68:2:2600::3
> >>     leftcert=magrf.grf.hr
> >>     [email protected]
> >>     leftsendcert=always
> >>     leftsubnet=0::/0
> >>     leftrsasigkey=%cert
> >>     # Clients
> >>     right=%any
> >>     # your addresspool to use - you might need NAT rules if
> >>     # providing full internet to clients
> >>     rightaddresspool=fd00:2600:1000:0000/64

Your addresspool is too big. If I remember correctly, maximum size is 96 bits.

> >>     # optional rightid with restrictions
> >>     # rightid="O=GRF-UNIZG,CN=win7client.grf.hr"
> >>     rightca=%same
> >>     rightrsasigkey=%cert
> >>     #
> >>     # connection configuration
> >>     # DNS servers for clients to use
> >>     modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
> >>     narrowing=yes
> >>     # recommended dpd/liveness to cleanup vanished clients
> >>     dpddelay=30
> >>     dpdtimeout=120

dpdtimeout is not valid with ikev2.

> >>     dpdaction=clear
> >>     auto=add
> >>     ikev2=insist
> >>     rekey=no
> >>     # Set ikelifetime and keylife to same defaults windows has
> >>     # ikelifetime=8h
> >>     # keylife=2h
> >>     ms-dh-downgrade=yes

This is not needed any more, Windows 10+ have been fixed to allow dh14 or dh19 without downgrade on rekey.

And I must say I haven't tested windows 10 with ipv6 yet so there might be unseen issues. With libreswan I've been using dual stack IPsec for some years, with ipv4 over ipv4 + ipv6 over ipv6. That works, but windows wants ipv4 + ipv6 over ipv6 or ipv4 which is not yet supported.

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
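The three points raised in the reply (pool prefix too short, `dpdtimeout` set on an IKEv2 conn, `ms-dh-downgrade=yes` left in) are the kind of thing worth catching before a conn is loaded. The checker below is an added example written for this thread, not libreswan code and not from either poster. It parses a conn block in ipsec.conf style and reports those three findings, plus a malformed pool address (the posted `fd00:2600:1000:0000/64` has only four groups and no `::`). Both sample blocks are constructed from the posted config; the reading of "maximum size is 96 bits" as "the pool prefix must be /96 or longer" is an assumption taken from the reply, and only an explicit `ikev2=` value is considered, since defaults differ between libreswan versions.

```python
import ipaddress
import re

# Constructed sample: the posted conn, reduced to the settings the reply comments on.
POSTED_CONN = """\
conn MYCONN-ikev2-ipv6-cp
    # The server's actual IP goes here - not elastic IPs
    left=2001:b68:2:2600::3
    leftsubnet=0::/0
    right=%any
    rightaddresspool=fd00:2600:1000:0000/64
    modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ikev2=insist
    ms-dh-downgrade=yes
"""

# Constructed: the same conn with the reply's three points applied
# (a /96 pool, no dpdtimeout, no ms-dh-downgrade).
CORRECTED_CONN = """\
conn MYCONN-ikev2-ipv6-cp
    left=2001:b68:2:2600::3
    leftsubnet=0::/0
    right=%any
    rightaddresspool=fd00:2600:1000::/96
    modecfgdns=2001:b68:2:2600::3,2606:4700:4700::1001
    dpddelay=30
    dpdaction=clear
    ikev2=insist
"""

# Assumption: "maximum size is 96 bits" read as "prefix must be /96 or longer",
# which is what makes the posted /64 too big.
MIN_POOL_PREFIX = 96
IKEV2_VALUES = {"insist", "yes", "propose"}


def parse_conn(text):
    """Parse one ipsec.conf-style conn section into (name, {key: value})."""
    name = None
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return name, settings


def check_conn(settings):
    """Return one finding string per issue; an empty list means nothing flagged."""
    findings = []

    pool = settings.get("rightaddresspool")
    # Only the prefix form is checked; a "first-last" range is left alone.
    if pool and "-" not in pool:
        m = re.fullmatch(r"(.+)/(\d+)", pool)
        if not m:
            findings.append(f"rightaddresspool={pool}: missing prefix length")
        else:
            addr, plen = m.group(1), int(m.group(2))
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                findings.append(f"rightaddresspool={pool}: '{addr}' is not a valid IPv6 address")
            if ":" in addr and plen < MIN_POOL_PREFIX:
                findings.append(f"rightaddresspool={pool} is too big: prefix /{plen} "
                                f"is shorter than /{MIN_POOL_PREFIX}")

    # dpdtimeout is an IKEv1 setting; on an IKEv2 conn it is not valid.
    if settings.get("ikev2", "").lower() in IKEV2_VALUES and "dpdtimeout" in settings:
        findings.append("dpdtimeout is set but the conn is IKEv2; remove it "
                        "(IKEv2 liveness uses dpddelay only)")

    # Windows 10+ negotiates dh14/dh19 without the downgrade, so the knob is unneeded.
    if settings.get("ms-dh-downgrade", "").lower() == "yes":
        findings.append("ms-dh-downgrade=yes is no longer needed for Windows 10+ clients")

    return findings


def lint(text):
    """Convenience wrapper: parse a conn block and return its findings."""
    _, settings = parse_conn(text)
    return check_conn(settings)


if __name__ == "__main__":
    for label, conn in (("posted", POSTED_CONN), ("corrected", CORRECTED_CONN)):
        print(f"== {label} ==")
        for f in lint(conn) or ["no findings"]:
            print(" -", f)
```

Running it prints four findings for the posted block and none for the corrected one. The checker deliberately does not stop at the malformed address: the prefix-length check still runs on the string, so a pool that is both mis-typed and too wide gets both findings in one pass.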
