You'll need to play DNS games if the VPN server is IPv4-only
(or if your VPN config gives you a server IPv4 address to connect to).
In that case you'll need to query the DNS64 server for the NAT64 prefix.
Apple's IKEv2 client uses an OS-provided API to synthesize an IPv6 address
from the configured IPv4 address.
This allows our client to work even if the VPN server does not speak IPv6 at all.
It's always better, simpler, and more efficient to support IPv6 server-side,
but if you don't control the server this can be made to work client-side.

David


> On Dec 9, 2016, at 14:35, Yoav Nir <ynir.i...@gmail.com> wrote:
> 
>> 
>> On 9 Dec 2016, at 23:43, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>> 
>> 
>> Yoav Nir <ynir.i...@gmail.com> wrote:
>>> To get this working, the DNS64 should be on the remote tunnel endpoint
>>> or behind it. And this will require that it has an IPv6 address and
>>> knows to do the NAT64 translation in cooperation with the tunnel
>>> endpoint. I guess this vendor’s IPsec implementation doesn’t do all
>>> that.  Neither does my employer’s.
>> 
>> So, I think that you are saying that if the client does DNS through the
>> tunnel, then the HQ's DNS servers have to do DNS64 synthesis?  I guess people
>> need to do DNS through the tunnel because of needing to resolve internal
>> addresses.  It's the whole MIF/split-horizon DNS problem, and I think it's
>> all a bad IPv4-specific idea, and we should be trying to kill it.
> 
> That was what I said, but then I realized Tommy is right. It doesn’t really 
> matter that the ISP / Wifi / whatever is providing me with only IPv6 access. 
> Most IPsec clients have their own virtual interface (with IKEv2’s CFG, 
> Cisco’s IKEv1 extension or (gasp!) L2TP) so that has no issue being 
> dual-stack or even IPv4-only. The IPv4 packets never make it onto the access 
> network - they get encapsulated in ESP/IPv6, or TLS/TCP/IPv6.
> 
> So with IPsec you can get IPv4 connectivity even when the access network 
> doesn’t give it to you. And you don’t need any DNS games to do it.
> 
> Yoav
> 
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
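The "DNS games" David describes are specified in RFC 7050 (discover the NAT64 prefix by asking the DNS64 for AAAA records of ipv4only.arpa and locating the well-known IPv4 addresses 192.0.0.170/171 inside the answer) and RFC 6052 (embed the server's IPv4 address into that prefix). The following is an added, stand-alone illustration written for this page; it is not code from the list message, from Apple's IKEv2 client, or from any IPsec implementation, and the AAAA answers it is fed are constructed test data, not real DNS64 output. The one thing a practitioner should keep in mind, and that the message does not spell out, is that the discovered prefix steers every IPv4-bound flow: RFC 7050 therefore says the answer should come from a trusted resolver or be DNSSEC-validated, since a hostile DNS64 can hand out a prefix that routes the VPN's outer packets through a translator it controls (the IKE/ESP authentication still protects the inner traffic, but not its availability or the metadata).

```python
"""RFC 7050 NAT64 prefix discovery and RFC 6052 IPv6 address synthesis.

Added example, not from the mailing-list message or from any vendor's VPN client.
"""
import ipaddress
import socket

# RFC 7050: a DNS64 synthesizes AAAA records for ipv4only.arpa, whose real
# A records are the well-known addresses 192.0.0.170 and 192.0.0.171.
IPV4ONLY_ARPA = "ipv4only.arpa"
WELL_KNOWN_V4 = {bytes([192, 0, 0, 170]), bytes([192, 0, 0, 171])}
# RFC 6052 section 2.2: the only prefix lengths a NAT64 prefix may have.
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def extract_ipv4(addr: bytes, plen: int) -> bytes:
    """Return the IPv4 address embedded in a 16-byte RFC 6052 address.

    For prefixes shorter than /96 the IPv4 bits straddle the reserved
    "u" octet at bits 64-71, which must be skipped.
    """
    if plen == 96:
        return addr[12:16]
    n = (64 - plen) // 8          # IPv4 bytes that sit before the u octet
    start = plen // 8
    return addr[start:start + n] + addr[9:9 + 4 - n]


def embed_ipv4(prefix: bytes, plen: int, v4: bytes) -> bytes:
    """Build the RFC 6052 address <prefix><ipv4 with u octet inserted><zero suffix>."""
    if plen not in PREFIX_LENGTHS:
        raise ValueError(f"invalid NAT64 prefix length /{plen}")
    head = prefix[:plen // 8]
    if plen == 96:
        return head + v4
    n = (64 - plen) // 8
    body = head + v4[:n] + b"\x00" + v4[n:]   # u octet is always zero
    return body + bytes(16 - len(body))       # suffix bits are zero


def discover_nat64_prefix(aaaa_answers):
    """RFC 7050 discovery: find the well-known IPv4 address inside each AAAA
    answer for ipv4only.arpa and return (prefix_text, plen), or None if no
    answer is a valid NAT64 synthesis (i.e. no DNS64/NAT64 on this network).
    """
    for text in aaaa_answers:
        addr = ipaddress.IPv6Address(text).packed
        for plen in PREFIX_LENGTHS:
            if plen < 96 and addr[8] != 0:
                continue          # RFC 6052 requires the u octet to be zero
            if extract_ipv4(addr, plen) in WELL_KNOWN_V4:
                prefix = addr[:plen // 8] + bytes(16 - plen // 8)
                return str(ipaddress.IPv6Address(prefix)), plen
    return None


def synthesize_ipv6(prefix_text: str, plen: int, v4_text: str) -> str:
    """Map an IPv4 server address into the discovered NAT64 prefix."""
    prefix = ipaddress.IPv6Address(prefix_text).packed
    v4 = ipaddress.IPv4Address(v4_text).packed
    return str(ipaddress.IPv6Address(embed_ipv4(prefix, plen, v4)))


def live_discover_nat64_prefix():
    """Ask the system resolver (which on an IPv6-only access network is the
    DNS64) for ipv4only.arpa. Returns None when there is no AAAA answer.
    Note: this trusts the resolver; see RFC 7050 section 7 for why that
    matters when the result decides where your VPN packets go.
    """
    try:
        infos = socket.getaddrinfo(IPV4ONLY_ARPA, None, socket.AF_INET6)
    except socket.gaierror:
        return None
    return discover_nat64_prefix(sockaddr[0] for *_, sockaddr in infos)


if __name__ == "__main__":
    # Constructed DNS64 answer for a network using the well-known /96 prefix
    # and a configured (hypothetical) IPv4-only VPN server 192.0.2.33.
    constructed_answer = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]
    found = discover_nat64_prefix(constructed_answer)
    if found is None:
        print("no NAT64 prefix discovered; connect to 192.0.2.33 over IPv4")
    else:
        prefix, plen = found
        print(f"NAT64 prefix {prefix}/{plen}")
        print("connect IKE to", synthesize_ipv6(prefix, plen, "192.0.2.33"))
```

The discovery deliberately tries every RFC 6052 length rather than assuming the well-known 64:ff9b::/96, because network-specific prefixes (for example a /64 out of the operator's own space) are common, and it refuses candidates whose u octet is non-zero so a stray AAAA record cannot be mistaken for a synthesis. A client that wanted the behaviour David attributes to Apple's IKEv2 client would run `live_discover_nat64_prefix()` once per network attach and re-run it on network change, since the prefix is a property of the access network, not of the VPN server.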
