FritzBox: Auch IPv6-Präfixe zulassen, die andere IPv6-Router im Heimnetz bekanntgeben --> AUS

FritzBox: Keine statischen Routen definieren, nicht für IPv4 und nicht für IPv6

Windows 10 braucht das CA-Zertifikat in Zertifikate->Lokaler Computer->Vertrauenswürde Stammzertifizierungsstellen.

connections {

   win-vpn {
      local_addrs  = 192.168.0.253
      remote_addrs = %any
      proposals = 3des-sha-prfsha1-modp1024,aes256-sha2_384-prfsha384-modp1024,default
      pools = v4pool,v6pool
      
      local {
         auth = pubkey
	 certs = darkrealm.crt
	 }
      remote {
         auth = eap-mschapv2
	 id = 192.168.122.24
	 eap_id = %any
	     }
      children {
         win-vpn {
	    local_ts  = 192.168.0.0/22,fd00:ffff:aaaa::/64,224.0.0.0/4,ff00::/8
            remote_ts = dynamic,224.0.0.0/4
            #mark_in  = %unique
            #mark_out = %unique
	    ipcomp = yes
         }
      }
   }
}

pools {
    v4pool {
        addrs = 192.168.4.0/24
        dns = 192.168.1.240
	dhcp = 192.168.1.240
	}
    v6pool {
        addrs = fd00:ffff:aaaa::/64
        dns = fd00:ffff:aaaa::ffff
	dhcp = fd00:ffff:aaaa::ffff
    	   }
}

secrets {
	eap-chris {
	id = chris
	secret = punkd
	}
	}

Somehow working:

forecast {

    # Multicast groups to join locally, allowing forwarding of them.
    groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250

    # Local interface to listen for broadcasts to forward.
    interface = BRIDGE_LAN

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # CHILD_SA configurations names to perform multi/broadcast reinjection.
    # reinject = mobile,linux

}

connections {

   linux {
      local_addrs  = 192.168.3.253
      remote_addrs = darkrealm.dyndns.org
      keyingtries = 0
      
      local {
         auth = pubkey
         certs = neorealm.crt
      }
      remote {
         auth = pubkey
	 certs = darkrealm.crt
      }
      children {
         linux {
            local_ts  = 192.168.2.0/24,192.168.3.0/24,224.0.0.0/4,fd00:ffff:bbbb::/64,ff00::/8 
            remote_ts = 192.168.0.0/24,192.168.1.0/24,224.0.0.0/4,fd00:ffff:aaaa::/64,ff00::/8 
            mark_in  = %unique
            mark_out = %unique
	    ipcomp = yes
	    start_action = trap
	    close_action = trap
	    dpd_action = trap
	    
	    }
      		}
      }
}

/etc/swanctl/conf.d/linux-site2site.conf

connections {

   linux-site2site {
      #local_addrs  = neorealm.dyndns.org
      local_addrs = 192.168.3.253
      remote_addrs = darkrealm.dyndns.org

      local {
         auth = pubkey
	 certs = neorealm-vpn.crt
	 id = neorealm.dyndns.org
      }
      remote {
         auth = pubkey
         certs = darkrealm-vpn.crt
	 id = darkrealm.dyndns.org
      }
      children {
         linux-route {
	    local_ts = 192.168.2.0/23,239.255.255.250/32,fd00:ffff:bbbb::/48
	    remote_ts  = 192.168.0.0/23,239.255.255.250/32,fd00:ffff:aaaa::/48
	    ipcomp = no
	    mark_in = %unique
	    mark_out = %unique
	    	    }
	       }
		     }
	       }

/etc/strongswan.d/charon/forecast.conf:

forecast {

    # Multicast groups to join locally, allowing forwarding of them.
    #groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
    groups = 239.255.255.250
    # Local interface to listen for broadcasts to forward.
    interface = BRIDGE_LAN

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # CHILD_SA configurations names to perform multi/broadcast reinjection.
    reinject = linux-route

}

/etc/swanctl/conf.d/linux-site2site.conf:

connections {

   linux-site2site {
      		   #local_addrs  = darkrealm.dyndns.org
		   local_addrs = 192.168.0.253
		   remote_addrs = neorealm.dyndns.org
      		   keyingtries = 0
      local {
            auth = pubkey
            certs = darkrealm-vpn.crt
	    id = darkrealm.dyndns.org
      	    }
      remote {
             auth = pubkey
	     certs = neorealm-vpn.crt
	     id = neorealm.dyndns.org
      	     }
      children {
               linux-route {
	       		   local_ts  = 192.168.0.0/23,239.255.255.250/32,fd00:ffff:aaaa::/48
	    		   remote_ts = 192.168.2.0/23,239.255.255.250/32,fd00:ffff:bbbb::/48
	    		   ipcomp = no
	    		   start_action = trap
    	    		   close_action = start
	    		   dpd_action = restart
	    	    	   }
	       }
		
		   }

   	    }

/etc/strongswan.d/charon/forecast.conf:

forecast {

    # Multicast groups to join locally, allowing forwarding of them.
    # groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
    groups = 239.255.255.250
    # Local interface to listen for broadcasts to forward.
    interface = BRIDGE_LAN
    
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = no

    # CHILD_SA configurations names to perform multi/broadcast reinjection.
    reinject = linux-route
    
}

• IKE Connection had to be established via IPv4 -- IPv6 had not found any DLNA servers.
• IPv6 pings shodan<->nexus gave "no route to host", IPv4 pings working fine.
  • The moment "mark=%unique" was commented out, IPv6 pings worked again
• install_routes in /etc/strongswan.d/charon.conf is set to "yes"
• no XFRM interface
• only one side needs to have forecast enabled