edcore
just joined
Topic Author
Posts: 9
Joined: Thu Jun 21, 2018 5:11 pm

IKEv2 IPsec VPN and IPv6

Thu Jan 24, 2019 1:13 pm

Dear friends, I would really appreciate some input here...

Situation: I'm going to deploy a network in a location in a small city, couple of regional ISPs only, and I need remote access to this location (IKEv2 IPsec VPN) from various different devices (PCs, Android phones, Apple phones).

The issue: Both of the ISPs simply refuse to provide me a public IP. They only give out private IPs to clients, which means that the router would be behind a NAT, which means a potential problem for incoming connections.

One of the ISPs said that they are already handing out valid IPv6s (with a /64 prefix I think he said).

The question: Can I initiate a VPN connection to this location if said location only has a valid (public) IPv6?
 
edcore
just joined
Topic Author
Posts: 9
Joined: Thu Jun 21, 2018 5:11 pm

Re: IKEv2 IPsec VPN and IPv6

Fri Jan 25, 2019 1:19 pm

Anybody? Does anyone know if IPsec works with a public IPv6 only?
 
wimpy
just joined
Posts: 16
Joined: Thu Jan 07, 2016 7:23 am

Re: IKEv2 IPsec VPN and IPv6

Fri Jan 25, 2019 2:33 pm

Hello,
I successfully operate GRE6 tunnels (i.e. tunnels between two public IPv6 addresses, Mikrotik router on both sides) secured with IPsec. That means IPsec between two IPv6 hosts is possible.
Regards.
 
edcore
just joined
Topic Author
Posts: 9
Joined: Thu Jun 21, 2018 5:11 pm

Re: IKEv2 IPsec VPN and IPv6

Fri Jan 25, 2019 3:08 pm

> Hello,
> I successfully operate GRE6 tunnels (i.e. tunnels between two public IPv6 addresses, Mikrotik router on both sides) secured with IPsec. That means IPsec between two IPv6 hosts is possible.
> Regards.

Hi,

Thanks for the input. That's good to know.
But in my case it would be connections made FROM various IPv4 devices (PCs and phones) TO a router that sits behind a NATTED IPv4 and only has public IPv6 visible to the internet... Don't know how that would work (I remember reading that the new IP CLOUD already has IPv6 support, so maybe it could work).
Going to see if I can somehow reproduce this and test this out.

If anybody can chime in, I would appreciate it.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IKEv2 IPsec VPN and IPv6

Sat Jan 26, 2019 4:36 pm

> > Hello,
> > I successfully operate GRE6 tunnels (i.e. tunnels between two public IPv6 addresses, Mikrotik router on both sides) secured with IPsec. That means IPsec between two IPv6 hosts is possible.
> > Regards.
>
> Hi,
>
> Thanks for the input. That's good to know.
> But in my case it would be connections made FROM various IPv4 devices (PCs and phones) TO a router that sits behind a NATTED IPv4 and only has public IPv6 visible to the internet... Don't know how that would work (I remember reading that the new IP CLOUD already has IPv6 support, so maybe it could work).
> Going to see if I can somehow reproduce this and test this out.
>
> If anybody can chime in, I would appreciate it.

IPv4 only clients cannot communicate directly with an IPv6 only host. There are transition technologies like NAT64 and DNS64 that are targeted at providing IPv6 only clients access to IPv4 only resources. For inbound services it's possible in theory but with MikroTik. They are years and years behind other competing router brands in this area; they've chosen to invest in consumer technology like parental controls instead.

A final hiccup is a lack of urgency around even enabling IPv6 for critical features. I haven't tried an IKEv2 RA VPN but I know a traditional L2TP/IPSEC does not work on IPv6 in RouterOS. The device simply is incapable of "listening" on IPv6 for a very large number of services.

You could use a static tunnel like the other user mentioned with GRE wrapped in IPSEC back to a main office as an alternative. That works today.
 
edcore
just joined
Topic Author
Posts: 9
Joined: Thu Jun 21, 2018 5:11 pm

Re: IKEv2 IPsec VPN and IPv6

Sun Jan 27, 2019 4:11 pm

> IPv4 only clients cannot communicate directly with an IPv6 only host.
> A final hiccup is a lack of urgency around even enabling IPv6 for critical features. I haven't tried an IKEv2 RA VPN but I know a traditional L2TP/IPSEC does not work on IPv6 in RouterOS. The device simply is incapable of "listening" on IPv6 for a very large number of services.

Thanks! That is exactly what I came to find out during a few hours of testing here...

Yeah, I'm not even going to pursue this line any further (IPv6)... It's just not practical.
This whole IPv6 thing seems like a stillborn solution: until adoption is 100% (meaning every single device on the internet today), it just seems like a solution that is unpractical (at best) and unusable (at worst).

Anyway, I've been talking to one ISP here, and they are willing to provide me with a public IP(v4)... if I pay for a static IP! That's 20 bucks more a month. But it's either that or a VPS to act as a VPN concentrator (which is going to cost somewhat similar, and even more, with the starting cost of a CHR license).
So, I think I'm definitely going to go the static IP route on this one.
 
ploquets
Member Candidate
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil

Re: IKEv2 IPsec VPN and IPv6

Wed Feb 19, 2020 4:12 pm

> but I know a traditional L2TP/IPSEC does not work on IPv6 in RouterOS. The device simply is incapable of "listening" on IPv6 for a very large number of services.

So, if I'm already running a VPN Server with L2TP + IPSec with IPv4, and just add IPv6 on a loopback (with world connectivity) and add this IPv6 as AAAA on my server FQDN, would it not work at all?
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IKEv2 IPsec VPN and IPv6

Wed Feb 19, 2020 4:40 pm


> But in my case it would be connections made FROM various IPv4 devices (PCs and phones) TO a router that sits behind a NATTED IPv4 and only has public IPv6 visible to the internet... Don't know how that would work (I remember reading that the new IP CLOUD already has IPv6 support, so maybe it could work).

For IPv6 only clients to be able to reach IPv4, NAT-PT is needed, which currently is not supported on RouterOS. Such a setup can be used only if some other device along the path can do translation.
 
jakubk2
just joined
Posts: 4
Joined: Mon Jan 04, 2021 10:15 am

Re: IKEv2 IPsec VPN and IPv6

Fri Aug 06, 2021 11:39 pm

> > Hello,
> > I successfully operate GRE6 tunnels (i.e. tunnels between two public IPv6 addresses, Mikrotik router on both sides) secured with IPsec. That means IPsec between two IPv6 hosts is possible.
> > Regards.
>
> Hi,
>
> Thanks for the input. That's good to know.
> But in my case it would be connections made FROM various IPv4 devices (PCs and phones) TO a router that sits behind a NATTED IPv4 and only has public IPv6 visible to the internet... Don't know how that would work (I remember reading that the new IP CLOUD already has IPv6 support, so maybe it could work).
> Going to see if I can somehow reproduce this and test this out.
>
> If anybody can chime in, I would appreciate it.

It is possible - assuming both routers having public IPv6 addresses are running MikrotikOS. In that case you can configure the routers as IPsec Peers with their IPv6 addresses, then you create IPsec Policies (tunnel mode) with IPv4 pointing them over the peer. On both locations you need to have IPv4 subnets in order for the devices to be able to communicate.
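
The site-to-site setup described in the post above, sketched as a RouterOS configuration for one of the two routers. This is an added example, not part of the original thread or MikroTik's own material; the addresses (documentation prefixes), names and secret are constructed placeholders, and it assumes a RouterOS release where `/ip ipsec peer` and `/ip ipsec identity` are separate menus.

```routeros
# Added example with constructed values (not from the thread).
#   Site A (this router): LAN 192.168.10.0/24, public IPv6 2001:db8:a::1
#   Site B (remote):      LAN 192.168.20.0/24, public IPv6 2001:db8:b::1
# Mirror every address when applying the same steps on site B.

# 1. Accept IKE / NAT-T and ESP only from the known peer on the IPv6 input
#    chain. Move these rules above any final drop rule in the chain.
/ipv6 firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=2001:db8:b::1/128 comment="IKE from site B"
add chain=input action=accept protocol=ipsec-esp \
    src-address=2001:db8:b::1/128 comment="ESP from site B"

# 2. Phase 1 (IKE) and phase 2 (ESP) parameters; both sites must match.
/ip ipsec profile
add name=site-b-ike dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
add name=site-b-esp auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048

# 3. The peer is addressed by its public IPv6 address.
/ip ipsec peer
add name=site-b address=2001:db8:b::1/128 local-address=2001:db8:a::1 \
    exchange-mode=ike2 profile=site-b-ike

# 4. Authentication for that peer. Use a long random secret (placeholder here).
/ip ipsec identity
add peer=site-b auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-SECRET"

# 5. Tunnel-mode policy: IPv4 LAN-to-LAN traffic is encrypted and carried
#    between the two IPv6 peer addresses.
/ip ipsec policy
add peer=site-b tunnel=yes action=encrypt proposal=site-b-esp \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24

# 6. Exempt tunnel traffic from source NAT. Move this rule above the
#    masquerade rule so the policy selectors still match.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 comment="no NAT for IPsec tunnel"
```

After both sides are configured, `/ip ipsec active-peers print` and `/ip ipsec installed-sa print` show whether the IKE session and the SAs came up.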
