[strongSwan-dev] [PATCH] Do not honor encapsulation flag for IPv6 connections

Martin Willi martin at strongswan.org
Thu Jul 1 13:54:32 CEST 2010

Hi Thomas,

> a child_sa for IPv6 addresses has the encap flag set, the kernel
> rejects the insertion of the state with error code 22 (invalid
> argument). This is due to the fact that IPv6 does not support NAT
> (yet?).


> Please consider the little patch for upstream inclusion.

> +	if (this->encap && src->get_family(src) != AF_INET6)
> +	{
> +		encap = TRUE;
> +	}
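Review bot: The `src->get_family(src) != AF_INET6` condition silently clears the encapsulation flag instead of reporting the unsupported combination, so when `this->encap` is set for an IPv6 SA the state is installed without UDP encapsulation and the caller never learns that the NAT-T decision was overridden. Rather than masking the kernel's EINVAL, consider returning an error (or at least logging at a visible level) in the IPv6-with-encap branch, so the negotiation fails where the tunnel cannot work as negotiated; the hunk also lacks any comment explaining why the IPv6 case is excluded.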

I'm a little skeptical about just disabling the encapsulation flag. The
flag gets set for specific reasons (i.e. NAT has been detected), and
just disabling it does not help. Even worse, the SA gets established
without error, but your traffic won't flow over the NAT device.

In my opinion, it makes more sense to throw this error and let the
negotiation fail. Unless the kernel gains IPv6 NAT support (if ever),
the patch won't help in situations where encapsulation is required.

Or is there a specific scenario where encap is set, but the tunnel would
work without?