strongSwan IPv6 configuration

An IKEv2 configuration example (ipsec.conf):

conn all_platform_ikev2
    keyexchange=ikev2
    rekey=no
    left=%defaultroute
    leftid=v.xxx.com
    leftsendcert=always
    # traffic selector offered to the client: tunnel all IPv4 and all IPv6 traffic
    leftsubnet=0.0.0.0/0,::/0
    leftcert=server.cert.pem
    # run the _updown script, which inserts the FORWARD rules for client traffic
    leftfirewall=yes
    right=%any
    rightauth=eap-mschapv2
    # virtual IP pools handed to clients: IPv4 pool and IPv6 pool, comma separated
    rightsourceip=10.31.2.0/24,fec3::/120
    rightsendcert=never
    eap_identity=%any
    fragmentation=yes
    auto=add
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

Two things to be aware of in this example. The trailing ! on ike= and esp= makes strongSwan propose only the listed algorithms, and the list deliberately ends with weak ones (SHA-1, 1024-bit modp1024, 3DES) so that old clients which offer nothing better can still connect; a client that proposes them will get them, so remove those entries unless you really have to support such clients. Also, fec3::/120 lies in the site-local range fec0::/10, which RFC 3879 deprecated; a ULA prefix (fd00::/8) or a prefix actually routed to the server is the better choice. The rest of this page keeps the value as configured.

rightsourceip=10.31.2.0/24,fec3::/120 is the pool of virtual addresses handed out to clients, an IPv4 pool and an IPv6 pool separated by a comma. A dual-stack client receives one address from each, and these are the source addresses of its tunnelled traffic, which is why the pools have to be forwarded and NATed on the server (below).

leftsubnet=0.0.0.0/0,::/0 is the traffic selector the server offers, again IPv4 and IPv6 separated by a comma: the client sends all of its IPv4 and IPv6 traffic through the tunnel (full tunnel).
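The connection above also needs matching entries in /etc/ipsec.secrets: the server's private key (strongSwan looks for the file under /etc/ipsec.d/private/) and one EAP line per user, since rightauth=eap-mschapv2 authenticates clients by user name and password. This is an added example, not from the original post; the user name and password are placeholders:

```text
# /etc/ipsec.secrets  (mode 0600, owned by root)
: RSA server.pem
alice : EAP "correct horse battery staple"
```

After editing the file run ipsec rereadsecrets; the EAP identity the client sends (eap_identity=%any accepts whatever it presents) is matched against the user name on the left of the EAP line.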

As for forwarding, enabling it for both IPv4 and IPv6 is enough (put these in /etc/sysctl.conf or a file under /etc/sysctl.d/ and apply them with sysctl -p or sysctl --system):

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.forwarding = 1

One gotcha: with net.ipv6.conf.all.forwarding=1 the kernel treats the host as a router and stops honouring Router Advertisements on interfaces with accept_ra=1. If the uplink gets its IPv6 address and default route by SLAAC, also set net.ipv6.conf.eth0.accept_ra = 2 (accept RAs even when forwarding), or the server loses its own IPv6 connectivity.

IPv4: leftfirewall=yes already inserts the FORWARD rules, so what remains is hiding the client pool behind the server's address with SNAT/MASQUERADE on the uplink:

iptables -t nat -A POSTROUTING -s 10.31.2.0/24 -o eth0 -j MASQUERADE

IPv6 normally would not need NAT at all, since the clients could be given globally routable addresses out of a prefix routed to the server. With the site-local fec3::/120 pool used here, however, the client addresses are not routable on the Internet, so a MASQUERADE rule (NAT66, available in ip6tables since Linux 3.7) is in fact required, and it hides the client addresses as a side effect:

ip6tables -t nat -A POSTROUTING -s fec3::/120 -o eth0 -j MASQUERADE
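The sysctl and NAT steps above, as an added example that is not part of the original post: a small POSIX sh script that applies them idempotently (the NAT rule is only appended if iptables -C does not already find it, so re-running it does not pile up duplicates) and that can check a host against the wanted settings. It assumes the uplink is eth0 and the two pools from the ipsec.conf above; V4_POOL, V6_POOL and WAN_IF can be overridden in the environment. The IPv6 accept_redirects knob is this script's own addition, mirroring the IPv4 setting from the page.

```shell
#!/bin/sh
# Added example (not from the original post): apply and check the forwarding
# sysctls and MASQUERADE rules for the strongSwan client pools.
# Assumptions: uplink eth0, pools 10.31.2.0/24 and fec3::/120 (override via env).
set -u

V4_POOL="${V4_POOL:-10.31.2.0/24}"
V6_POOL="${V6_POOL:-fec3::/120}"
WAN_IF="${WAN_IF:-eth0}"

# Choose iptables or ip6tables from the address family of a prefix.
nat_tool_for() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# The settings to enforce, one key=value per line.
# net.ipv6.conf.all.accept_redirects is an addition mirroring the IPv4 knob.
forwarding_sysctls() {
    cat <<'EOF'
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.accept_redirects=0
EOF
}

# Compare a "key = value" listing (the format printed by `sysctl -a`) against
# the wanted settings; prints one line per key that is missing or differs.
check_sysctl_listing() {
    listing="$1"
    forwarding_sysctls | while IFS='=' read -r key want; do
        have=$(printf '%s\n' "$listing" | sed -n "s/^$key *= *//p" | tail -n 1)
        [ "$have" = "$want" ] || echo "$key: want $want, have ${have:-<unset>}"
    done
}

apply_forwarding() {
    forwarding_sysctls | while read -r kv; do sysctl -w "$kv"; done
}

# True if the MASQUERADE rule for a pool is already present (-C = check).
has_masquerade() {
    tool=$(nat_tool_for "$1")
    "$tool" -t nat -C POSTROUTING -s "$1" -o "$WAN_IF" -j MASQUERADE 2>/dev/null
}

# Append the MASQUERADE rule for a pool only if it is not there yet.
ensure_masquerade() {
    has_masquerade "$1" && return 0
    tool=$(nat_tool_for "$1")
    "$tool" -t nat -A POSTROUTING -s "$1" -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    apply)
        apply_forwarding
        ensure_masquerade "$V4_POOL"
        ensure_masquerade "$V6_POOL"
        ;;
    check)
        check_sysctl_listing "$(sysctl -a 2>/dev/null)"
        for p in "$V4_POOL" "$V6_POOL"; do
            has_masquerade "$p" && echo "NAT for $p: present" || echo "NAT for $p: missing"
        done
        ;;
esac
```

Run it as root with apply to configure the host and with check to audit it; check prints nothing for the sysctls when everything matches. Note that MASQUERADE rules added this way are not persistent; keep them in your distribution's iptables-save/ip6tables-save restore files or in the _updown script.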

Using Let's Encrypt (certbot) certificates

Link the certbot files into strongSwan's /etc/ipsec.d layout (the names on the right are the ones ipsec.conf and ipsec.secrets refer to):

cd /etc/ipsec.d/cacerts
ln -s /etc/letsencrypt/live/v.xxx.com/chain.pem  ca.cert.pem
cd ../certs
ln -s /etc/letsencrypt/live/v.xxx.com/cert.pem  server.cert.pem
cd ../private
ln -s /etc/letsencrypt/live/v.xxx.com/privkey.pem  server.pem

Three corrections to the links as they were originally written. The cacerts entry must be chain.pem (the Let's Encrypt intermediate), not fullchain.pem: strongSwan loads only the first certificate of each file in cacerts/, and the first one in fullchain.pem is the server's own leaf certificate, which is refused as not being a CA certificate. With the intermediate loaded, strongSwan also includes it in the chain it sends to clients (leftsendcert=always). certbot's key file is privkey.pem; there is no private.pem in the live directory. And a certificate does not belong in private/; the original link of cert.pem as private/client.pem served no purpose and has been dropped. The key is referenced from /etc/ipsec.secrets with the line ": RSA server.pem". Because /etc/letsencrypt/live/ itself consists of symlinks into archive/, these links stay valid across renewals, but strongSwan has already loaded the old files, so run ipsec rereadall and ipsec reload after every renewal (a certbot deploy hook is the natural place).
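The linking step above, plus the renewal hook, as an added example that is not part of the original post: a POSIX sh script that creates the three symlinks for a certbot lineage (refusing to leave a half-built layout if a source file is missing), checks that what landed in cacerts/ really is a CA certificate, and provides the deploy-hook body that makes strongSwan re-read the renewed files. It assumes strongSwan's /etc/ipsec.d and certbot's /etc/letsencrypt/live/<domain>; the domain is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the original post): link a certbot lineage into
# strongSwan's ipsec.d layout and reload strongSwan after certbot renews.
# Assumed paths: /etc/ipsec.d and /etc/letsencrypt/live/<domain>.
set -u

IPSEC_D="${IPSEC_D:-/etc/ipsec.d}"

# link_certbot_into_ipsec_d LIVE_DIR IPSEC_D
#   cacerts/ca.cert.pem   -> chain.pem    intermediate CA; strongSwan reads only
#                                         the first certificate of each cacerts
#                                         file, so fullchain.pem (leaf first)
#                                         would be refused
#   certs/server.cert.pem -> cert.pem     leaf, named by leftcert= in ipsec.conf
#   private/server.pem    -> privkey.pem  key, named by ": RSA server.pem" in ipsec.secrets
# All three source files are checked before anything is created.
link_certbot_into_ipsec_d() {
    live="$1"; ipsecd="$2"
    for f in chain.pem cert.pem privkey.pem; do
        [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    mkdir -p "$ipsecd/cacerts" "$ipsecd/certs" "$ipsecd/private"
    ln -sf "$live/chain.pem"   "$ipsecd/cacerts/ca.cert.pem"
    ln -sf "$live/cert.pem"    "$ipsecd/certs/server.cert.pem"
    ln -sf "$live/privkey.pem" "$ipsecd/private/server.pem"
}

# Sanity check for the cacerts entry: does the first certificate carry CA:TRUE?
first_cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# certbot deploy-hook body. The symlinks stay valid across renewals (live/
# itself points at the newest archive/ files), but strongSwan has the old
# ones loaded: rereadall reloads secrets and CA certs, reload re-adds the
# connections and with them the leftcert file.
deploy_hook() {
    ipsec rereadall && ipsec reload
}

case "${1:-}" in
    link)
        link_certbot_into_ipsec_d "/etc/letsencrypt/live/${2:?domain required}" "$IPSEC_D" || exit 1
        first_cert_is_ca "$IPSEC_D/cacerts/ca.cert.pem" ||
            echo "warning: ca.cert.pem is not a CA certificate" >&2
        ;;
    hook)
        deploy_hook
        ;;
esac
```

Run it once as root with link v.xxx.com, then install it as the deploy hook, either with certbot's --deploy-hook option or by placing a copy that calls the hook branch under /etc/letsencrypt/renewal-hooks/deploy/. charon runs as root by default, so following the private/server.pem symlink into the root-only /etc/letsencrypt/archive/ works without loosening the key's permissions.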