Articles under the tag IPv6

First, since the IPv6 VPN server has to forward IPv6 packets, enable IPv6 forwarding in the kernel with sysctl. Put the following line in a .conf file under /etc/sysctl.d and load it with sysctl -p xxx.conf (or reboot the server); sysctl net.ipv6.conf.all.forwarding should then report 1.

net.ipv6.conf.all.forwarding = 1

Next, install strongSwan: dnf install epel-release adds the EPEL repository, and dnf install strongswan does the rest.

strongSwan now supports the newer swanctl.conf configuration format. The file lives at /etc/strongswan/swanctl/swanctl.conf, and keys and certificates go into the matching subdirectories under /etc/strongswan/swanctl (private/ for the server key, x509/ for the server certificate, x509ca/ for CA certificates). Because the EAP secrets below are stored in clear text, keep swanctl.conf readable by root only. An example configuration follows; once it is in place, start the daemon with systemctl start strongswan.service and confirm that the connection was loaded with swanctl --list-conns.

connections {
    ikev2-vpn {
        version = 2
        remote_addrs = %any
        local_addrs = %any
        send_cert = always
        pools = pool-subnet-ipv6
        dpd_delay = 300s
        children {
            ikev2-vpn {
                # Route all of the client's IPv6 traffic through the tunnel
                local_ts = ::/0
                dpd_action = clear
            }
        }
        # Server side: certificate authentication (auth defaults to pubkey);
        # cert.pem is looked up in /etc/strongswan/swanctl/x509/
        local-0 {
            certs = cert.pem
            id = @<domain>
        }
        # Client side: username/password via EAP-MSCHAPv2
        remote-0 {
            auth = eap-mschapv2
            id = %any
        }
    }
}

pools {
    pool-subnet-ipv6 {
        # Virtual IPv6 addresses handed out to clients (a /125 holds 8 addresses)
        addrs = xxx:8/125
        dns = 2001:4860:4860::8888,2001:4860:4860::8844
    }
}

secrets {
    # One eap-* block per user; id is the EAP identity the client presents
    eap-user1 {
        id = user1
        secret = "password"
    }
}

authorities {
}

P.S. A certificate file that also contains intermediate certificates has to be split: strongSwan only reads the first PEM certificate in a file. Put the server certificate on its own in x509/ and each intermediate CA certificate in its own file under x509ca/, so that strongSwan can build the chain it sends to clients.
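To avoid the pitfall above, here is an added example (my own code, not from the page or the strongSwan project) that splits a bundle into the swanctl layout: the first certificate goes to x509/cert.pem and every following one to its own x509ca/chain-N.pem. The x509/ and x509ca/ directory names are the standard swanctl layout; the chain-N.pem file name, the assumption that the bundle lists the leaf first (as certbot's fullchain.pem does), and the dummy PEM bundle are constructed for the example.

```python
"""Split a leaf + intermediates PEM bundle into swanctl's per-file layout.

Added example, not code from the original page or from strongSwan.
Assumes the leaf certificate comes first in the bundle (certbot order).
"""
import re
import tempfile
from pathlib import Path

# One CERTIFICATE block per match; tolerant of CRLF line endings.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text: str) -> list[str]:
    """Return every CERTIFICATE block in order of appearance, newline-terminated."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(text)]


def install_chain(bundle_path: Path, swanctl_dir: Path,
                  leaf_name: str = "cert.pem") -> dict[str, list[Path]]:
    """Write the leaf to <swanctl_dir>/x509/<leaf_name> and each intermediate
    to <swanctl_dir>/x509ca/chain-N.pem (hypothetical name). Returns the
    written paths so the caller can log or verify them."""
    certs = split_pem_bundle(bundle_path.read_text())
    if not certs:
        raise ValueError(f"no CERTIFICATE blocks found in {bundle_path}")
    leaf_dir, ca_dir = swanctl_dir / "x509", swanctl_dir / "x509ca"
    leaf_dir.mkdir(parents=True, exist_ok=True)
    ca_dir.mkdir(parents=True, exist_ok=True)
    leaf = leaf_dir / leaf_name
    leaf.write_text(certs[0])
    written = {"leaf": [leaf], "ca": []}
    for n, pem in enumerate(certs[1:], start=1):
        path = ca_dir / f"chain-{n}.pem"
        path.write_text(pem)
        written["ca"].append(path)
    return written


# Constructed sample bundle: two dummy PEM blocks with placeholder bodies,
# not real certificates.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "fullchain.pem"
        bundle.write_text(SAMPLE_BUNDLE)
        for kind, paths in install_chain(bundle, Path(tmp) / "swanctl").items():
            for p in paths:
                print(kind, p.relative_to(tmp))
```

Point install_chain at the real bundle and /etc/strongswan/swanctl, then reload credentials with swanctl --load-creds; swanctl --list-certs should then show the intermediate as a CA certificate.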

There are plenty of tutorials online on how to configure IPv6 relay mode, so I will not repeat them. The interesting part is why the client obtains an address yet cannot ping the public internet, but gets online once it pings the router's wan IPv6 address. Capturing packets on the client and inspecting ip neigh (or ndp -an) shows that the difference lies in the IPv6 neighbor discovery exchange.

Working case:

IP6 fe80::xxxx > [solicited-node multicast address]: ICMP6, neighbor solicitation, who has [client address], length 32
IP6 fe80::yyyy > fe80::xxxx: ICMP6, neighbor advertisement, tgt is [client address], length 32

Failing case (the router cannot find the client IP on the lan side):

IP6 fd..:[ULA-prefix address] > [solicited-node multicast address]: ICMP6, neighbor solicitation, who has [target address], length 32

Why does neighbor discovery fail in the second case? In pure relay mode the client obtains no address, route or neighbor entry under the ULA prefix, so when it tries to reply to a neighbor solicitation whose source is the router's ULA address, it finds no route matching that ULA address and gives up.
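The following added example (my own code, not from the page or from odhcpd) models the two captures: it computes the solicited-node multicast group of RFC 4291 section 2.7.1 and its Ethernet mapping (33:33 plus the low 32 bits, RFC 2464), applies the NA reply rule of RFC 4861 section 7.2.4, and then checks whether the NA destination lies inside a prefix the client knows on-link, which is the page's explanation of the failure. The client prefixes and addresses are constructed; the ULA prefix is the one shown in the OpenWrt docs excerpt in the references.

```python
"""Neighbor discovery model for the working and failing captures.

Added example; not code from the original page or from odhcpd.
Addresses and prefixes below are constructed for illustration.
"""
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
ALL_NODES = "ff02::1"
UNSPECIFIED = ipaddress.IPv6Address("::")


def solicited_node_multicast(addr: str) -> str:
    """ff02::1:ffXX:XXXX with the low-order 24 bits of addr appended (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def ipv6_multicast_mac(group: str) -> str:
    """33:33 followed by the low-order 32 bits of the multicast group (RFC 2464)."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def na_destination(ns_source: str) -> tuple[str, bool]:
    """(destination, Solicited flag) of the Neighbor Advertisement sent in reply:
    all-nodes with S=0 when the solicitation came from :: (DAD), otherwise
    unicast back to the solicitation's source with S=1 (RFC 4861 7.2.4)."""
    src = ipaddress.IPv6Address(ns_source)
    if src == UNSPECIFIED:
        return ALL_NODES, False
    return str(src), True


def on_link(client_prefixes: list[str], dest: str) -> bool:
    """True if dest falls inside a prefix the client holds as on-link."""
    d = ipaddress.IPv6Address(dest)
    return any(d in ipaddress.IPv6Network(p) for p in client_prefixes)


def client_can_answer(client_prefixes: list[str], ns_source: str) -> bool:
    """Can the client deliver its NA on the link? Multicast replies (DAD)
    always can; a unicast reply needs the solicitation's source to be
    covered by one of the client's on-link prefixes."""
    dest, solicited = na_destination(ns_source)
    return (not solicited) or on_link(client_prefixes, dest)


# Constructed client state in pure relay mode: link-local plus the GUA prefix
# relayed from upstream, and no ULA prefix at all.
CLIENT_PREFIXES = ["fe80::/64", "2001:db8:1::/64"]
CLIENT_ADDR = "2001:db8:1::1234:5678"
ROUTER_LINK_LOCAL = "fe80::1"       # NS source in the working capture
ROUTER_ULA = "fd27:70fa:5c1d::1"    # NS source in the failing capture

if __name__ == "__main__":
    group = solicited_node_multicast(CLIENT_ADDR)
    print(f"NS for {CLIENT_ADDR} is sent to {group} / {ipv6_multicast_mac(group)}")
    for src in (ROUTER_LINK_LOCAL, ROUTER_ULA):
        dest, _ = na_destination(src)
        print(f"NS from {src}: NA goes to {dest}, "
              f"deliverable on-link: {client_can_answer(CLIENT_PREFIXES, src)}")
```

The group and MAC it prints are what to look for in a tcpdump filter on the client (e.g. the solicited-node address of the client's own GUA); the second loop reproduces the page's two cases, with the router's ULA source falling outside every prefix the relay-mode client knows.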

So why does a single ping bring the network up? Because odhcpd then obtains the client's information from the wan side and installs the NDP proxy entry and the route for it. Set odhcpd's loglevel to 7 (LOG_DEBUG; the numbers are the syslog(3) priorities) and the corresponding proxy log messages appear.

So the fix is simply to remove the ULA from the router's lan, i.e. comment out the ip6assign option of the lan interface in /etc/config/network. After rebooting the router, the client can reach the internet normally.

Another conceivable approach would be to keep the ULA on lan and run relay address assignment at the same time, but that is hard to achieve in relay mode.

One issue remains: in relay mode the first request has noticeably higher latency, after which things are normal. For the mechanism behind that, see https://blog.icpz.dev/articles/notes/odhcpd-relay-mode-discuss/

References

https://openwrt.org/docs/guide-user/network/ipv6/start#ipv6_relay

# cat /etc/config/dhcp
config dhcp lan
    option dhcpv6 relay
    option ra relay
    option ndp relay
    ...
 
config dhcp wan6
    option dhcpv6 relay
    option ra relay
    option ndp relay
    option master 1
    option interface wan6

Author's note: unless you really need it, disabling dhcpv6 is recommended; see https://issuetracker.google.com/issues/36949085


https://datatracker.ietf.org/doc/html/rfc4291#section-2.7.1

Solicited-Node multicast address are computed as a function of a
node's unicast and anycast addresses. A Solicited-Node multicast
address is formed by taking the low-order 24 bits of an address
(unicast or anycast) and appending those bits to the prefix
FF02:0:0:0:0:1:FF00::/104 resulting in a multicast address in the
range

     FF02:0:0:0:0:1:FF00:0000

to

     FF02:0:0:0:0:1:FFFF:FFFF

https://openwrt.org/docs/guide-user/base-system/basic-networking

network.globals.ula_prefix='fd27:70fa:5c1d::/48'

https://datatracker.ietf.org/doc/html/rfc4861#section-7.2.4

If the source of the solicitation is the unspecified address, the
node MUST set the Solicited flag to zero and multicast the
advertisement to the all-nodes address. Otherwise, the node MUST set
the Solicited flag to one and unicast the advertisement to the Source
Address of the solicitation.


P.S. What is Hybrid mode? It simply enables relay automatically when the master interface is in relay mode, as the code below shows; do not mistake it for running relay and server modes at the same time.

            /* Resolve hybrid mode */
            if (i->dhcpv6 == MODE_HYBRID)
                i->dhcpv6 = (master && master->dhcpv6 == MODE_RELAY) ?
                        MODE_RELAY : MODE_SERVER;

            if (i->ra == MODE_HYBRID)
                i->ra = (master && master->ra == MODE_RELAY) ?
                        MODE_RELAY : MODE_SERVER;

            if (i->ndp == MODE_HYBRID)
                i->ndp = (master && master->ndp == MODE_RELAY) ?
                        MODE_RELAY : MODE_DISABLED;

The odhcpd README contains the following passage, which shows that the route on the router to the client's address is installed by odhcpd itself.

4. Proxy for Neighbor Discovery messages (solicitations and advertisements)
   a) support for auto-learning routes to the local routing table
   b) support for marking interfaces "external" not proxying NDP for them
      and only serving NDP for DAD and for traffic to the router itself
      [Warning: you should provide additional firewall rules for security]

https://go6lab.si/current-ipv6-tests/nat64dns64-public-test/

A10 Networks NAT64 implementation: set your DNS to 2001:67c:27e4:15::6411
NAT64 implementation is running on a A10 vThunder virtual appliance.
NAT64 routed prefix: 2001:67c:27e4:642::/64
Quick ping6 test if up&running: ping6 2001:67c:27e4:642::5bef:6015

PaloAlto Networks Firewall NAT64 with BIND9.9 DNS64: set your DNS to 2001:67c:27e4::64
NAT64 implementation is running in PAN500 firewall box.
NAT64 routed prefix: 2001:67c:27e4:64::/64
Quick ping6 test if up&running: ping6 2001:67c:27e4:64::5bef:6015

Jool NAT64 with BIND9 DNS64: set your DNS to 2001:67c:27e4:15::64
Jool NAT64 implementation is running in a virtual container on proxmox server.
NAT64 routed prefix: 2001:67c:27e4:1064::/64
Quick ping6 test if up&running: ping6 2001:67c:27e4:1064::5bef:6015

Cisco ASR1000 NAT64 with BIND9 DNS64: set your DNS to 2001:67c:27e4::60
NAT64 implementation is running in Cisco ASR1001.
NAT64 routed prefix: 2001:67c:27e4:11::/64
Quick ping6 test if up&running: ping6 2001:67c:27e4:11::5bef:6015

http://www.trex.fi/2011/dns64.html

dns64.trex.fi.    IN    AAAA    2001:67c:2b0::4
dns64.trex.fi.    IN    AAAA    2001:67c:2b0::6