IKEv2 IPsec VPN and IPv6

Dear friends, I would really appreciate some input here…

Situation: I’m going to deploy a network in a location in a small city, couple of regional ISPs only, and I need remote access to this location (IKEv2 IPsec VPN) from various different devices (PCs, android phones, apple phones).

The issue: Both of the ISPs simply refuse to provide me a public IP. They only give out private IPs to clients, which means that the router would be behind a NAT, which means a potential problem for incoming connections.

One of the ISPs said that they are already handing out valid IPv6s (with a /64 prefix I think he said).

The question: Can I initiate a VPN connection to this location if said location only has a valid (public) IPv6?

Anybody? Does anyone know if IPsec works with a public IPv6 only?

Hello,
I successfully operate GRE6 tunnels (i.e. tunnels between two public IPv6 addresses, Mikrotik router on both sides) secured with IPsec. That means IPsec between two IPv6 hosts is possible.
Regards.

Hi,

Thanks for the input. That’s good to know.
But in my case it would be connections made FROM various IPv4 devices (PCs and phones) TO a router that sits behind a NATTED IPv4 and only has public IPv6 visible to the internet… Don’t know how that would work (I remember reading that the new IP CLOUD already has IPv6 support, so maybe it could work).
Going to see if I can somehow reproduce this and test this out.

If anybody can chime in, I would appreciate.

IPv4-only clients cannot communicate directly with an IPv6-only host. There are transition technologies like NAT64 and DNS64 that are targeted at providing IPv6-only clients access to IPv4-only resources. For inbound services it’s possible in theory, but not with MikroTik. They are years and years behind other competing router brands in this area; they’ve chosen to invest in consumer technology like parental controls instead.

A final hiccup is a lack of urgency around even enabling IPv6 for critical features. I haven’t tried an IKEv2 RA VPN but I know a traditional L2TP/IPSEC does not work on IPv6 in RouterOS. The device simply is incapable of “listening” on IPv6 for a very large number of services.

You could use a static tunnel like the other user mentioned with GRE wrapped in IPSEC back to a main office as an alternative. That works today.

Thanks! That is exactly what I came to find out during a few hours of testing here…

Yeah, I’m not even going to pursue this line any further (IPv6)… It’s just not practical.
This whole IPv6 thing seems like a stillborn solution: until adoption is 100% (meaning every single device on the internet today), it just seems like a solution that is impractical (at best) and unusable (at worst).

Anyway, I’ve been talking to one ISP here, and they are willing to provide me with a public IP(v4)… if I pay for a static IP! That’s 20 bucks more a month. But it’s either that or a VPS to act as a VPN concentrator (which is going to cost somewhat similar, and even more, with the starting cost of a CHR license).
So, I think I’m definitely going to go the static IP route on this one.

So, if I’m already running a VPN server with L2TP + IPsec over IPv4, and just add IPv6 on a loopback (with world connectivity) and add this IPv6 as an AAAA record on my server FQDN, would it not work at all?

For IPv6 only clients to be able to reach IPv4 NAT-PT is needed, which currently is not supported on RouterOS. Such setup can be used only if some other device along the path can do translation.

It is possible - assuming both routers having public IPv6 addresses are running MikrotikOS. In that case you can configure the routers as IPsec peers with their IPv6 addresses, then you create IPsec policies (tunnel mode) with IPv4 pointing them over the peer. On both locations you need to have IPv4 subnets in order for the devices to be able to communicate.
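As an added illustration of the site-to-site setup described in the last reply (and of the IPsec-over-IPv6 tunnel mentioned earlier in the thread), here is a RouterOS configuration for one end of such a tunnel. This is example configuration written for this page, not a poster's or MikroTik's own; it assumes RouterOS 6.45+ style IPsec commands (separate peer and identity objects), the documentation addresses 2001:db8:1::1 (this router) and 2001:db8:2::1 (the remote router), the LAN subnets 192.168.10.0/24 and 192.168.20.0/24, and a pre-shared key placeholder that must be replaced.

```routeros
# Site A: public IPv6 on the WAN, IPv4 LAN behind it.
# Site B mirrors this with the addresses and subnets swapped.

# IKEv2 peer reached over IPv6 (the /128 is the remote router's WAN address).
/ip ipsec peer add name=siteB address=2001:db8:2::1/128 \
    local-address=2001:db8:1::1 exchange-mode=ike2 profile=default

# Authentication for that peer. REPLACE-WITH-LONG-RANDOM-PSK is a placeholder;
# a certificate-based identity is the stronger choice if both ends support it.
/ip ipsec identity add peer=siteB auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK"

# Tunnel-mode policy: IPv4 LAN-to-LAN traffic is carried inside ESP,
# and the ESP packets themselves travel between the two IPv6 addresses.
/ip ipsec policy add peer=siteB tunnel=yes \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    protocol=all action=encrypt level=require proposal=default

# The IPv6 firewall must admit IKE (UDP 500/4500) and ESP on the WAN.
# Limiting src-address to the known peer keeps the IKE responder from
# being reachable by every IPv6 host on the internet.
/ipv6 firewall filter add chain=input protocol=udp dst-port=500,4500 \
    src-address=2001:db8:2::1/128 action=accept comment="IKEv2 from site B"
/ipv6 firewall filter add chain=input protocol=ipsec-esp \
    src-address=2001:db8:2::1/128 action=accept comment="ESP from site B"

# Verification after both sides are configured:
#   /ip ipsec active-peers print      -> the peer should show as established
#   /ip ipsec installed-sa print      -> ESP SAs with the IPv6 endpoints
#   /ping 192.168.20.1 src-address=192.168.10.1
```

Note that this only covers the case the reply describes: two routers that both have public IPv6. It does not change the earlier conclusion in the thread that an IPv4-only PC or phone cannot initiate IKEv2 to a router that is reachable solely over IPv6; for that, the concentrator still needs an IPv4 address the clients can reach, or a translator somewhere on the path.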