[strongSwan-dev] IPv6 behind NAT?

Harald Dunkel harald.dunkel at aixigo.com
Wed May 13 15:40:58 CEST 2020


Hi folks,

I have seen failures in charon.log if the peer is on IPv6 behind a
NAT. Both peers are using Debian 10 and strongswan 5.8.2.

:
May 13 14:00:56 25[CFG] <IPSec-IKEv2|627> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
May 13 14:00:56 25[KNL] <IPSec-IKEv2|627> received netlink error: Invalid argument (22)
May 13 14:00:56 25[KNL] <IPSec-IKEv2|627> unable to add SAD entry with SPI cde447ff (FAILED)
May 13 14:00:56 25[KNL] <IPSec-IKEv2|627> received netlink error: Invalid argument (22)
May 13 14:00:56 25[KNL] <IPSec-IKEv2|627> unable to add SAD entry with SPI cd656ddf (FAILED)
May 13 14:00:56 25[IKE] <IPSec-IKEv2|627> unable to install inbound and outbound IPsec SA (SAD) in kernel
May 13 14:00:56 25[IKE] <IPSec-IKEv2|627> failed to establish CHILD_SA, keeping IKE_SA
:

If the peer turns off NAT and uses a routable IPv6 address instead,
then there is no problem. There is no problem for IPv4 behind NAT,
either.

I don't have access to the remote network, nor can I upgrade to 5.8.4
immediately, so I wonder if it would be possible to derive a regular
IPv6 NAT test case from the IPv4 NAT test mentioned on
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples?


Regards
Harri
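As an added example (not part of the post or of strongSwan itself), a small Python triage helper that parses charon.log lines in the format quoted above and groups kernel SA-install failures per IKE_SA, so the pattern reported here (netlink EINVAL on the SAD entries, then a failed CHILD_SA) can be spotted across a larger log. It assumes the line layout `<conn|ike_id>` shown in the excerpt; the sample input is the excerpt from the post.

```python
import re
from collections import defaultdict

# Constructed sample: the charon.log excerpt quoted in the post above
SAMPLE_LOG = """\
May 13 14:00:56 25[CFG] <IPSec-IKEv2|627> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
May 13 14:00:56 25[KNL] <IPSec-IKEv2|627> received netlink error: Invalid argument (22)
May 13 14:00:56 25[KNL] <IPSec-IKEv2|627> unable to add SAD entry with SPI cde447ff (FAILED)
May 13 14:00:56 25[KNL] <IPSec-IKEv2|627> received netlink error: Invalid argument (22)
May 13 14:00:56 25[KNL] <IPSec-IKEv2|627> unable to add SAD entry with SPI cd656ddf (FAILED)
May 13 14:00:56 25[IKE] <IPSec-IKEv2|627> unable to install inbound and outbound IPsec SA (SAD) in kernel
May 13 14:00:56 25[IKE] <IPSec-IKEv2|627> failed to establish CHILD_SA, keeping IKE_SA
"""

# Assumed charon line layout: "<timestamp> <thread>[<group>] <conn|ike_id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)> (?P<msg>.*)$"
)
NETLINK_RE = re.compile(r"received netlink error: (?P<text>.+) \((?P<errno>\d+)\)")
SAD_RE = re.compile(r"unable to add SAD entry with SPI (?P<spi>[0-9a-f]+)")


def parse_line(line):
    """Return the parsed fields of one charon.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_sa_install_failures(log_text):
    """Group kernel SA-install failures per (connection, IKE_SA id).

    Returns {(conn, ike_id): {"spis": [...], "errnos": [...], "child_sa_failed": bool}}
    containing only IKE_SAs that had a failed SAD entry or a failed CHILD_SA.
    """
    failures = defaultdict(lambda: {"spis": [], "errnos": [], "child_sa_failed": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue  # skip lines that are not per-IKE_SA charon messages
        key = (rec["conn"], int(rec["ike_id"]))
        msg = rec["msg"]
        if m := NETLINK_RE.search(msg):
            failures[key]["errnos"].append(int(m["errno"]))   # e.g. 22 = EINVAL
        elif m := SAD_RE.search(msg):
            failures[key]["spis"].append(m["spi"])            # SPI whose SAD add failed
        elif msg.startswith("failed to establish CHILD_SA"):
            failures[key]["child_sa_failed"] = True
    return {k: v for k, v in failures.items() if v["child_sa_failed"] or v["spis"]}


if __name__ == "__main__":
    for (conn, ike_id), info in find_sa_install_failures(SAMPLE_LOG).items():
        print(f"{conn}|{ike_id}: SPIs {info['spis']} errnos {info['errnos']} "
              f"CHILD_SA failed={info['child_sa_failed']}")
```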
