yoloknight
New Member
November 18, 2020
Question

IPSec Dual Stack cant handle IPv4 and IPv6 at the same time

  • November 18, 2020
  • 1 reply
  • 12925 views

Hi Guys,

I have a problem: my IPsec VPN can't handle IPv4 and IPv6 at the same time. In my Phase 2 selectors I have this information:

IPv6: Remote Address: "::/0", Local Address: "::/0"
IPv4: Remote Address: "0.0.0.0", Local Address: "0.0.0.0"

From my strongSwan client I have a stable IPsec tunnel and get both IP addresses from Phase 1 (example: 192.168.1.1 and fd00::1). Now with both entries, IPv4 and IPv6, I can only ping the IPv4 address 192.168.1.1. If I delete this entry from Phase 2 and only "::/0" is there, then I can ping fd00::1. And if I delete the IPv6 entry, I can ping IPv4.

Ping:
Only IPv4 entry -> ping works
Only IPv6 entry -> ping works
Both (IPv4 and IPv6) -> ping to IPv4 works and IPv6 is unreachable

For me it seems the IPsec tunnel can't handle both the IPv4 and the IPv6 addresses and I can only choose one. Is this right, or have I overlooked something? (Perhaps a special routing entry for this???)
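The symptom above (IPv4 through the tunnel works, IPv6 is "unreachable") is what you see when CHILD_SA negotiation leaves the client kernel with an outbound tunnel policy for 0.0.0.0/0 but none for ::/0. The script below is an added example, not part of this thread or of strongSwan; it parses the text layout that iproute2's `ip xfrm policy` prints on Linux (an assumption about the format, illustrated by constructed sample output with RFC 5737 addresses) and reports, per address family, whether an outbound tunnel policy exists and whether a given destination such as fd00::1 would actually be sent into the tunnel. It is the kernel-side counterpart of checking "ipsec statusall" on the strongSwan host.

```python
"""Added example (not from the forum thread): check which address families an
IPsec tunnel really carries by reading the kernel's installed IPsec policies.

Assumes the iproute2 `ip xfrm policy` text layout shown in the constructed
samples below; run it against `ip xfrm policy` output on a real client.
"""
import ipaddress
import re

# Constructed sample output (not captured from the poster's system): only the
# IPv4 selector made it into the SA, so there is no "dir out" policy for ::/0.
SAMPLE_IPV4_ONLY = """\
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir out priority 375423 ptype main
\ttmpl src 192.0.2.10 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir fwd priority 375423 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.10
\t\tproto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir in priority 375423 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.10
\t\tproto esp reqid 1 mode tunnel
"""

# Constructed sample for a working dual-stack tunnel: one outbound policy per family.
SAMPLE_DUAL_STACK = SAMPLE_IPV4_ONLY + """\
src ::/0 dst ::/0
\tdir out priority 375423 ptype main
\ttmpl src 192.0.2.10 dst 198.51.100.1
\t\tproto esp reqid 2 mode tunnel
src ::/0 dst ::/0
\tdir in priority 375423 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.10
\t\tproto esp reqid 2 mode tunnel
"""

_SELECTOR = re.compile(r"^src (\S+) dst (\S+)")
_DIR = re.compile(r"^\s*dir (\w+)")
_MODE = re.compile(r"\bmode (\w+)")


def parse_policies(text):
    """Return a list of dicts {src, dst, dir, mode} from `ip xfrm policy` text."""
    policies = []
    for line in text.splitlines():
        m = _SELECTOR.match(line)
        if m:
            # A "src ... dst ..." line starts a new policy; the indented lines
            # that follow (dir, tmpl) belong to it.
            policies.append({
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "dir": None,
                "mode": None,
            })
            continue
        if not policies:
            continue  # ignore anything before the first selector line
        m = _DIR.match(line)
        if m:
            policies[-1]["dir"] = m.group(1)
        m = _MODE.search(line)
        if m:
            policies[-1]["mode"] = m.group(1)
    return policies


def outbound_tunnel_policies(text):
    """Only the policies that actually send traffic into a tunnel."""
    return [p for p in parse_policies(text)
            if p["dir"] == "out" and p["mode"] == "tunnel"]


def outbound_families(text):
    """Set of address families ('ipv4'/'ipv6') with an outbound tunnel policy."""
    return {"ipv%d" % p["dst"].version for p in outbound_tunnel_policies(text)}


def missing_families(text, expected=("ipv4", "ipv6")):
    """Families a dual-stack tunnel should carry but the kernel has no policy for."""
    present = outbound_families(text)
    return [fam for fam in expected if fam not in present]


def tunnel_covers(text, destination):
    """True if some outbound tunnel policy's dst selector matches `destination`.

    A destination whose family has no policy (fd00::1 in the IPv4-only sample)
    never enters the tunnel, which shows up as 'unreachable' in ping.
    """
    addr = ipaddress.ip_address(destination)
    return any(addr in p["dst"] for p in outbound_tunnel_policies(text))


if __name__ == "__main__":
    for name, sample in (("ipv4-only", SAMPLE_IPV4_ONLY),
                         ("dual-stack", SAMPLE_DUAL_STACK)):
        print(name, "missing:", missing_families(sample) or "nothing",
              "| fd00::1 via tunnel:", tunnel_covers(sample, "fd00::1"))
```

If the check reports a missing family even though the tunnel is up, the selectors for that family were dropped during negotiation, so the next thing to compare is the Phase 2 selector set on each side rather than routing.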

1 reply

emnoc
New Member
November 18, 2020

Q:

  • Did you run "diag vpn tunnel list"?
  • Did you run debug on the FortiGate for IKE?
  • Did you run "ipsec statusall" and look at the logs on the strongSwan host?
  • Did you try with a specific Phase 2 in both FGT and strongSwan?

And no, you can run dual-stacked FortiOS for IPsec tunnels.

Ken Felix


yoloknight
New Member
November 23, 2020

Hi Emnoc, to your questions.

Did you run "diag vpn tunnel list"?
-> Yup, the tunnel is shown stable and nothing unusual.

Did you run debug on the FortiGate for IKE?
-> Yup, the tunnel is established and there are no error signs.

Did you run "ipsec statusall" and look at the logs on the strongSwan host?
-> Yup, I had also done this, but strongSwan gets no response from the FortiGate and the IP (seen with "journalctl -f" on Linux); the FortiGate logs show nothing.

Did you try with a specific Phase 2 in both FGT and strongSwan?
-> I tried, for example, to set "compress=no" in particular, but nothing works. In the end I only use the default configuration of strongSwan. For me it looks like the FortiGate doesn't support a dual-stack client-to-client road-warrior VPN.

emnoc
New Member
November 25, 2020

Drop your configuration (FGT and strongSwan). Not sure what you're doing, but IPsec IPv4/IPv6 dual stack is supported and works.

Ken Felix