My company is setting up a RouterOS VPN gateway. Our ambition is to serve road-warrior clients via OpenVPN, WireGuard and IPsec/IKEv2 with RADIUS/EAP. We need truly universal connectivity via both IPv4 and IPv6, meaning that clients can connect over a pure IPv6 connection or a pure IPv4 connection and access both IPv4 and IPv6 servers on the internal network.
WireGuard is already thoroughly tested and works like a charm on both IP stacks.
IPsec+IKEv2, however, is only mostly working: we are using Let's Encrypt certificates and are able to tunnel clients via both the IPv4 internet and the IPv6 internet, but we are struggling with providing IPv6 connectivity to the internal IPv6 resources.
IPv4 addresses are being provided via mode-config and an IPv4 pool, or via the Framed IPv4 RADIUS attribute, but we have not found a way to give internal IPv6 addresses to our clients. It doesn't seem possible to create an IPv6 address pool, only prefix pools are configurable, but if there are other workarounds, like specifying IPv6 addresses manually, we are interested.
OpenVPN has not yet been tested, so I was hoping the forum could share some experiences there. We want to use both UDP and TCP on the server/VPN gateway to get through more firewalls. But are there any limitations we should be aware of?
What do you suggest? A strongSwan container in RouterOS? It might be doable. Not certain how that will work out with hardware crypto support, though.
But anyway, we'd really want to run everything on MikroTik. I know things can move slowly with them, and I have been pestering support about at least updating the documentation regarding this.
It should be fixable for them; it is a shame that in 2024 IPv6 support for IPsec clients is a struggle, OPNsense/pfSense do this out of the box. But in MikroTik's defence, Windows 10 at least requires a CLI command to force IPv6 traffic through the tunnel in the built-in IPsec implementation.
I was wondering if it is possible to somehow specify an IPv6 address in the client config, similar to how WireGuard works. If it is doable, at least strongSwan clients could use it; that could be a temporary solution, but I haven't done any research.
There seems to be a possible workaround, but I have just started to experiment with it, following the same config outline as when one configures WireGuard.
The basic idea would be, instead of using mode-config, to define an identity connected to each user:
Then the client needs to set a virtual [Roadwarrior IPv4-address]/32 and [Roadwarrior IPv6-address]/128 either in the IPsec client config or on a local interface (virtual or real). I just experimented somewhat with strongSwan and was able to send IPv6 traffic into the local network over IPsec, but I could only get the client (strongSwan/MikroTik) to create one P2 entry. So I need to look at this more closely.
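As an added example (this is not the poster's configuration and not from MikroTik's documentation), here is one way to express the outline above on the RouterOS v7 side: no mode-config, one identity per user matched by its IKE ID, and a per-user policy-template group whose two templates pin exactly one IPv4 /32 and one IPv6 /128 for that user. The interface, certificate and user names, the RADIUS/EAP identity matching and all addresses (RFC 5737 / RFC 3849 documentation ranges) are assumptions; the profile and peer are stand-ins for whatever the poster already has working for the outer IPv4/IPv6 transport.

```routeros
# Added example, not the poster's config. Assumed names/addresses throughout.
# Goal: road-warrior gets 10.255.0.5/32 and 2001:db8:ffff::5/128 without
# mode-config, and can only ever claim those two addresses.

# IKE (phase 1) settings and ESP (phase 2) proposal, stand-ins for the existing working setup
/ip ipsec profile
add name=rw-ike2 enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=ecp256,modp2048 nat-traversal=yes dpd-interval=30s
/ip ipsec proposal
add name=rw-esp enc-algorithms=aes-256-gcm,aes-256-cbc \
    auth-algorithms=sha256 pfs-group=none

# Passive IKEv2 responder (one peer shown; the poster's dual-stack peer setup replaces this)
/ip ipsec peer
add name=rw passive=yes exchange-mode=ike2 profile=rw-ike2

# One policy-template group per user. The template dst-address is the ONLY
# client address this user may negotiate: with generate-policy=port-strict the
# client's traffic selector must fit inside a template, so a client that claims
# another /32 or /128 gets no Child SA instead of hijacking someone else's address.
/ip ipsec policy group
add name=user-alice

/ip ipsec policy
# IPv4: internal 10.0.0.0/8 <-> this user's /32
add group=user-alice template=yes proposal=rw-esp \
    src-address=10.0.0.0/8 dst-address=10.255.0.5/32
# IPv6: internal 2001:db8:1::/48 <-> this user's /128
add group=user-alice template=yes proposal=rw-esp \
    src-address=2001:db8:1::/48 dst-address=2001:db8:ffff::5/128

# Identity for this user: matched on the IKE ID the client presents (assumed
# user-fqdn here), authenticated via EAP against RADIUS, signed with the
# (assumed) Let's Encrypt certificate "letsencrypt-gw". No mode-config is set,
# the client configures its own /32 and /128 locally.
/ip ipsec identity
add peer=rw auth-method=eap-radius certificate=letsencrypt-gw \
    match-by=remote-id remote-id=user-fqdn:alice@example.com \
    generate-policy=port-strict policy-template-group=user-alice \
    comment="alice: 10.255.0.5/32 + 2001:db8:ffff::5/128"

# Repeat the group, the two templates and the identity per user
# (user-bob -> 10.255.0.6/32, 2001:db8:ffff::6/128, and so on).
```

On the client, the IPv4 and IPv6 selectors should be negotiated as two separate Child SAs (in strongSwan swanctl terms, two `children` sections under the same connection, one with `local_ts = 10.255.0.5/32` / `remote_ts = 10.0.0.0/8` and one with `local_ts = 2001:db8:ffff::5/128` / `remote_ts = 2001:db8:1::/48`), since, as the post observes, only one phase-2 entry is created per Child SA; putting both families into a single child gives one policy, not two. After a connection, `/ip ipsec active-peers print` should show the user once and `/ip ipsec policy print` should show two dynamic policies for it, one per address family. The internal network also needs a route for 2001:db8:ffff::/64 (and 10.255.0.0/24) pointing at the gateway, or return traffic never reaches the policies.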