Layer 2 VPN between two IPv6 enabled (dual-stack) networks
Posted: Mon Dec 05, 2016 6:13 pm
Hi,
I would like to take full advantage of Layer 2 VPN of SoftetherVPN, especially its ability to transport IPv6 traffic.
Both sites A and B are connected to the Internet with a dual-stack IPv4/IPv6 ISP and receive individual IPv6 prefixes.
I attach a network diagram of this scenario:
[attachment=1]Network layout.jpg[/attachment]
The problem:
All hosts on both sites get assigned the IPv6 prefix of both routers. It is not defined which IPv6 gateway will be used on each host. Therefore, IPv6 traffic originating from a host in site A might use the IPv6 prefix from site B, which is fine for internal traffic, but not for outgoing internet traffic.
[attachment=0]Packet filtering rule.png[/attachment]
For IPv4, I use a DHCP server on each site with Softether VPN blocking DHCP traffic. This works perfectly fine.
However, it is not an option for IPv6, since it is not possible to define a standard gateway for IPv6, even if using an IPv6 DHCP server.
Blocking IPv6 router advertisements in Softether VPN (see attached config) does prevent the assignment of the wrong IPv6 prefix, but also hinders internal IPv6 connectivity.
The reason is that the public IPv6 address will be preferred over other (e.g. site-local) IPv6 addresses and now this kind of traffic does not reach the other site (at least I cannot ping6).
Is there a solution to this problem? I have DHCPv6 servers and DNS servers (Windows Server) on both sites.
One idea would be to block public IPv6 addresses from registering in my private DNS servers, but I have no idea if and how that would be possible.
Thanks!
Roland
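The mechanism behind the problem above is that ICMPv6 Router Advertisements from both routers cross the Layer 2 bridge, so every host learns both prefixes and both default routers. The following is an added illustration, not code from the original post and not SoftEther's own packet filter: it parses an RA frame, validates it the way RFC 4861 requires (hop limit 255, link-local source), and decides per site whether the RA only advertises that site's own prefix or carries a foreign one. It goes slightly beyond the blanket "block all RAs" rule in the post by being prefix-aware, which is the distinction a selective filter at the VPN boundary would need. The prefixes (2001:db8:a::/48, 2001:db8:b::/48), link-local router addresses and MAC addresses are constructed documentation values, and the sample frames are built inline so the script runs offline; the ICMPv6 checksum is left at zero because nothing here verifies it.

```python
"""Parse ICMPv6 Router Advertisements and decide, per site, whether one should
cross a Layer 2 VPN bridge. Constructed example; not SoftEther's own filter."""
import ipaddress
import struct

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134
ND_OPT_PREFIX_INFO = 3
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def parse_ra(frame: bytes):
    """Return the fields of a Router Advertisement frame, or None if the frame
    is not an RA. Only the plain 40-byte IPv6 header is handled (no extension
    headers), which is how an RA appears on the wire in practice.
    Raises ValueError for an RA that RFC 4861 says must be discarded."""
    if len(frame) < 14 + 40 + 16:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    ip6 = frame[14:54]
    payload_len = struct.unpack("!H", ip6[4:6])[0]
    if ip6[6] != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERT or icmp[1] != 0:
        return None
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes = []
    off = 16  # ND options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_units = icmp[off], icmp[off + 1]
        if opt_units == 0:   # RFC 4861 section 4.6: zero-length option, discard
            raise ValueError("ND option with length 0")
        opt_len = opt_units * 8
        if off + opt_len > len(icmp):
            break            # truncated option: ignore the remainder
        if opt_type == ND_OPT_PREFIX_INFO and opt_len == 32:
            plen, flags = icmp[off + 2], icmp[off + 3]
            net = ipaddress.IPv6Network((icmp[off + 16:off + 32], plen), strict=False)
            prefixes.append({"prefix": net, "autonomous": bool(flags & 0x40)})
        off += opt_len
    return {
        "src": ipaddress.IPv6Address(ip6[8:24]),
        "hop_limit": ip6[7],
        "router_lifetime": router_lifetime,  # > 0 means "use me as default gateway"
        "prefixes": prefixes,
    }


def classify_ra(frame: bytes, site_prefixes) -> dict:
    """Verdict for one frame seen at the site boundary: 'pass' for non-RA
    traffic and for RAs that advertise only this site's own prefixes, 'drop'
    for malformed or invalid RAs and for RAs carrying another site's prefix."""
    try:
        ra = parse_ra(frame)
    except ValueError as exc:
        return {"verdict": "drop", "reason": f"malformed RA: {exc}"}
    if ra is None:
        return {"verdict": "pass", "reason": "not a router advertisement"}
    # RFC 4861 section 6.1.2: a valid RA has hop limit 255 and a link-local source
    if ra["hop_limit"] != 255 or ra["src"] not in LINK_LOCAL:
        return {"verdict": "drop", "reason": "RA fails hop-limit/link-local validation"}
    allowed = [ipaddress.IPv6Network(p) for p in site_prefixes]
    foreign = [str(p["prefix"]) for p in ra["prefixes"]
               if not any(p["prefix"].subnet_of(a) for a in allowed)]
    if foreign:
        return {"verdict": "drop", "reason": "advertises foreign prefix(es)",
                "prefixes": foreign}
    return {"verdict": "pass", "reason": "advertises only this site's prefixes"}


def build_ra_frame(src_ll: str, prefixes, hop_limit: int = 255) -> bytes:
    """Construct a sample RA (router -> ff02::1) with one Prefix Information
    option per prefix. Checksum stays zero: nothing in this example checks it."""
    options = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # Prefix Information: L and A flags set, valid 30 days, preferred 7 days
        options += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen,
                               0xC0, 2592000, 604800, 0) + net.network_address.packed
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0) + options
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, hop_limit)
           + ipaddress.IPv6Address(src_ll).packed + ipaddress.IPv6Address("ff02::1").packed)
    # constructed MACs: all-nodes multicast destination, locally administered source
    eth = bytes.fromhex("333300000001") + bytes.fromhex("0200000000aa") \
        + struct.pack("!H", ETH_P_IPV6)
    return eth + ip6 + icmp


if __name__ == "__main__":
    SITE_A = ["2001:db8:a::/48"]  # constructed documentation prefixes
    ra_from_a = build_ra_frame("fe80::a", ["2001:db8:a:1::/64"])
    ra_from_b = build_ra_frame("fe80::b", ["2001:db8:b:1::/64"])
    for name, frame in (("router A", ra_from_a), ("router B", ra_from_b)):
        print(f"site A boundary, RA from {name}: {classify_ra(frame, SITE_A)}")
```

Running the script shows the RA from router A passing at site A's boundary and the one from router B being dropped there, which is the per-site outcome a selective filter would need; an RA with no Prefix Information option at all still announces a default router (router_lifetime > 0), so a filter that keys only on prefixes does not by itself solve the gateway half of the problem described in the post.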