[strongSwan-dev] [PATCH] Do not honor encapsulation flag for IPv6 connections

Thomas Egerer thomas.egerer at secunet.com
Thu Jul 8 11:02:16 CEST 2010

Hello Martin,

Martin Willi schrobtete:
> Hi Thomas,
>> a child_sa for IPv6 addresses has the encap flag set, the kernel
>> rejects the insertion of the state with error code 22 (invalid
>> argument). This is due to the fact that IPv6 does not support NAT
>> (yet?).
> Yes.
>> Please consider the little patch for upstream inclusion.
>> +	if (this->encap && src->get_family(src) != AF_INET6)
>> +	{
>> +		encap = TRUE;
>> +	}
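Review bot: the check silently drops a requested encapsulation whenever `src` is an AF_INET6 address, so the SA is installed without any indication that the flag was ignored; at minimum a log line should be emitted when `this->encap` is set but cleared here, and preferably the call should fail so the negotiation does not succeed with an SA that cannot carry the traffic. Note also that only `src->get_family(src)` is consulted, which is sufficient only as long as `src` and `dst` are guaranteed to share a family.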
> I'm a little skeptic about just disabling the encapsulation flag. The
> flag gets set for specific reasons (i.e. NAT has been detected), and
> just disabling it does not help. Even worse, the SA gets established
> without error, but your traffic won't flow over the NAT device. 
I've given this some thought and must admit you're right.

> In my opinion, it makes more sense to throw this error and let the
> negotiation fail. Unless the kernel gains IPv6 NAT support (if ever),
> the patch won't help in situations where encapsulation is required.
This is true, but wouldn't telling the user that his/her setup is certain
to fail be way better?

> Or is there a specific scenario where encap is set, but the tunnel would
> work without?
There is indeed. But this would be merely a misconfiguration: since at
loading time of a forced_encap config it is not tested whether or not
the configured peers are IPv6 hosts, such a config will be loaded and not
be discarded.
At the time charon realizes the misconfiguration it might ignore the
force_encap flag or not. This is just a matter of taste.

I amended my first patch and added a second one to address the issue of
the misconfigured SAs.

Attachments (non-text, scrubbed by the list archive):
- 0001-Ignore-encapsulation-flag-for-IPv6-CHILD_SAs.patch (text/x-patch, 1907 bytes): <http://lists.strongswan.org/pipermail/dev/attachments/20100708/79454971/attachment.bin>
- 0002-Inhibit-forced-NAT-encapsulation-for-IPv6-connection.patch (text/x-patch, 1203 bytes): <http://lists.strongswan.org/pipermail/dev/attachments/20100708/79454971/attachment-0001.bin>
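As an added example (not code from strongSwan or from either patch in this thread), the C block below models the load-time check Thomas notes is missing: it derives the address family of the configured peers with inet_pton, applies the kernel rule discussed above (an IPv6 SA with UDP encapsulation is refused with EINVAL, the "error code 22" from the first mail), and reports a forced-encapsulation misconfiguration on IPv6 peers before anything is handed to the kernel instead of silently clearing the flag. The function names, the verdict enum and the sample addresses are assumptions made for this example.

```c
/* Added example, not strongSwan code: validate NAT-T encapsulation against the
 * peer address family before the SA reaches the kernel. */
#include <arpa/inet.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>

/* Address family of a textual peer address, or AF_UNSPEC if unparsable. */
int peer_family(const char *addr)
{
    unsigned char buf[16];
    if (inet_pton(AF_INET, addr, buf) == 1) return AF_INET;
    if (inet_pton(AF_INET6, addr, buf) == 1) return AF_INET6;
    return AF_UNSPEC;
}

/* Mirror of the kernel behaviour described in the thread: an IPv6 state with
 * UDP encapsulation is rejected. Returns 0 on success, -EINVAL otherwise. */
int kernel_accepts_sa(int family, bool encap)
{
    if (family != AF_INET && family != AF_INET6) return -EINVAL;
    if (family == AF_INET6 && encap) return -EINVAL;
    return 0;
}

typedef enum {
    ENCAP_OK,                /* SA can be installed as requested */
    ENCAP_FORCE_UNSUPPORTED, /* forced encapsulation on IPv6 peers: reject the config */
    ENCAP_NAT_UNSUPPORTED,   /* NAT detected on IPv6 peers: let the negotiation fail */
    ENCAP_BAD_ADDRESS        /* unparsable or mismatched peer addresses */
} encap_verdict_t;

/* Decide what to do for a connection given its peer addresses, whether the
 * config forces encapsulation and whether NAT was detected at runtime. */
encap_verdict_t check_encap(const char *src, const char *dst,
                            bool force_encap, bool nat_detected)
{
    int sf = peer_family(src), df = peer_family(dst);
    if (sf == AF_UNSPEC || df == AF_UNSPEC || sf != df) return ENCAP_BAD_ADDRESS;

    bool encap = force_encap || nat_detected;
    if (kernel_accepts_sa(sf, encap) == 0) return ENCAP_OK;

    /* The kernel would refuse this SA: report why rather than clearing encap. */
    return force_encap ? ENCAP_FORCE_UNSUPPORTED : ENCAP_NAT_UNSUPPORTED;
}

int main(void)
{
    /* Constructed sample peers (documentation prefixes), not real hosts. */
    const char *names[] = {"ok", "forced encap unsupported on IPv6",
                           "NAT detected but unsupported on IPv6", "bad address"};
    printf("IPv4 + NAT: %s\n", names[check_encap("192.0.2.1", "192.0.2.2", false, true)]);
    printf("IPv6 + forceencaps: %s\n", names[check_encap("2001:db8::1", "2001:db8::2", true, false)]);
    printf("IPv6 + NAT: %s\n", names[check_encap("2001:db8::1", "2001:db8::2", false, true)]);
    return 0;
}
```

The split between ENCAP_FORCE_UNSUPPORTED and ENCAP_NAT_UNSUPPORTED follows the two cases in the thread: a forced flag on IPv6 peers can be refused when the config is loaded, while a runtime NAT detection on IPv6 has to fail the negotiation, since installing the SA without encapsulation would not move traffic across the NAT device.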
