[eduVPN-deploy] NDP problems using public IPv6

Pascal Panneels pascal.panneels at belnet.be
Thu Sep 15 12:00:12 CEST 2022


Hi François,

Well, I've once again spent a few hours scratching my head on it, and
definitively, it cannot work as is even using source routing.

My situation as compared to the one described in your document is a bit
different: there is no NAT involved anymore in the setup.
I've suppressed NAT because our customer had a lot of problems getting
VoIP working (it is a well-known fact that VoIP doesn't work well on
NAT, and a workaround such as STUN was not possible for him). I was
using NAT before and it worked perfectly well indeed till the VoIP
problems popped up.

It is impossible in my setup that the VPN clients will be able to
answer any IPv6 solicitation coming from the customer networks,
without ndp proxy on the server itself.

But I've finally found a solution using a couple of bash scripts:

- one launched by the hook "connectScriptPath" that will pass the IPv6
address to the next one;
- one launched as a daemon with root privileges to be able to add/del
the IPv6 address as neigh proxy for the eth1 connection.
I'm using a netcat 'service' to glue both.

It works now perfectly well.

I've attached both scripts to the mail for people that could be
interested in reusing them.

With kind regards,

Pascal

On Tuesday 13 September 2022 at 12:34 +0000, François Kooman wrote:
> On 13.09.22 12:23, Pascal Panneels wrote:
> > Hi François,
> 
> Hi Pascal,
> 
> > hmm, I'm still not convinced how it could help me.
> 
> Where does the VPN client traffic come from and go to? I assume all
> through eth1.
> 
> So you need two default gateways, one for eth0 (the VPN server
> itself) and one for eth1 for all VPN client traffic. This is only
> possible if you use source/policy routing.
> 
> See the SOURCE_ROUTING.md file for how to do this manually to try it
> out and see if that works.
> 
> I think ARP/NDP proxy should not be used at all, seems very much
> unnecessary as this is a quite simple scenario, solvable with just
> routing.
> 
> Regards,
> François

-- 
Pascal Panneels
System Architect
Belnet - Services
WTC III
Simon Bolivarlaan 30 Boulevard Simon Bolivar
Brussel 1000 Bruxelles
België - Belgique
T: +32 2 790 33 33
https://www.belnet.be

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipv6proxy.tgz
Type: application/x-compressed-tar
Size: 1162 bytes
Desc: not available
URL: <https://list.surfnet.nl/pipermail/eduvpn-deploy/attachments/20220915/ab2a8610/attachment.bin>
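
An added sketch of the root-side half of the design described in the message above, validating each request before it touches the neighbor table. It is not the code from ipv6proxy.tgz, which is not reproduced on this page; the request format `add|del <ipv6>`, the client pool 2001:db8:100::/64 and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the scripts from ipv6proxy.tgz. Assumed: the request
# format "add|del <ipv6>", the client pool 2001:db8:100::/64 (documentation
# range) and all function names. The kernel answers for proxy entries only
# when net.ipv6.conf.eth1.proxy_ndp=1 is set.
IFACE="eth1"                         # interface named in the mail
POOL_PREFIX="2001:0db8:0100:0000:"   # constructed: first 64 bits, written in full
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the command instead of running it

# Print the full 8-group lowercase form of an IPv6 address, or fail.
expand6() {
    local a="$1" g i fill out=""
    local -a h=() t=()
    [[ "$a" =~ ^[0-9a-fA-F:]{2,39}$ && "$a" != *:::* ]] || return 1
    if [[ "$a" == *: && "$a" != *:: ]]; then return 1; fi   # stray trailing colon
    if [[ "$a" == *::* ]]; then
        IFS=: read -ra h <<< "${a%%::*}"
        IFS=: read -ra t <<< "${a#*::}"
        fill=$(( 8 - ${#h[@]} - ${#t[@]} ))
        (( fill >= 1 )) || return 1
        for (( i = 0; i < fill; i++ )); do h+=("0"); done
        h+=("${t[@]}")
    else
        IFS=: read -ra h <<< "$a"
    fi
    (( ${#h[@]} == 8 )) || return 1
    for g in "${h[@]}"; do
        [[ "$g" =~ ^[0-9a-fA-F]{1,4}$ ]] || return 1   # also rejects a second "::"
        printf -v g '%04x' "0x$g"
        out+="$g:"
    done
    printf '%s\n' "${out%:}"
}

# Validate one request line and build the fixed-shape "ip" command from it.
handle_request() {
    local action addr extra full
    read -r action addr extra <<< "$1"
    [[ -z "$extra" ]] || return 1
    case "$action" in add|del) ;; *) return 1 ;; esac
    full="$(expand6 "$addr")" || return 1
    [[ "$full" == "$POOL_PREFIX"* ]] || return 1        # only VPN client addresses
    set -- ip -6 neigh "$action" proxy "$full" dev "$IFACE"
    if [[ "$DRY_RUN" == 1 ]]; then echo "$*"; else "$@"; fi
}

# Constructed sample requests: two valid, one outside the pool, one malformed.
for req in "add 2001:db8:100::2" "del 2001:DB8:100:0:0:0:0:2" "add 2001:db8:200::2" 'add ::1;id'; do
    handle_request "$req" || echo "rejected: $req"
done
```

A listener feeding `handle_request` should accept connections from the local host only, since every accepted line becomes a root-level change to the neighbor proxy table.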