[strongSwan] IPv6 Addresses

Claude Tompers claude.tompers at restena.lu
Mon Apr 12 16:10:44 CEST 2010


There is another issue now.
I have a Windows 7 client which has both IPv4 and IPv6 enabled in its configuration.
The server's ipsec.conf defines two profiles, one for IPv4 and one for IPv6.
If I disable the IPv6 profile, the IPv4 profile is chosen, but, because the Windows 7 client already had an IPv6 address once, it is requesting that one again.
The log shows the following error :

Apr 12 16:03:42 vpn6-test charon: 16[IKE] peer requested virtual IP fec0:a18:2341:3440::1
Apr 12 16:03:42 vpn6-test charon: 16[CFG] IP pool address family mismatch
Apr 12 16:03:42 vpn6-test charon: 16[LIB] acquiring address from pool 'ipv4.test' failed
Apr 12 16:03:42 vpn6-test charon: 16[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE

Is there any workaround for this issue ?
Or is there any way to tell Windows not to make any proposals ?

best regards
Claude Tompers

On Monday 12 April 2010 14:33:46 Claude Tompers wrote:
> Hi,
> Sorry, I must have done something wrong in my configuration.
> It now works with an /112 subnet.
> Thanks a lot for the help anyway.
> regards
> Claude Tompers
> On Monday 12 April 2010 13:34:10 Jan Engelhardt wrote:
> > 
> > On Monday 2010-04-12 13:06, Andreas Steffen wrote:
> > 
> > >The real problem is that the Linux kernel does not support
> > >routing table entries with the src parameter being an IPv6
> > >address,
> > 
> > I would not call it a problem. If I understand right, the src addr,
> > if it has not been explicitly been set or specified using bind(2) or
> > sendto(2), is not determined by looking at the "src" attribute in
> > IPv6, but at the address list of an interface, and picking one that
> > has an appropriate lifetime. Since reproducing the same lookup logic
> > in strongswan would be sort of an unwanted fork, the kernel does have
> > a way to calculate the routing entry src address, by using `ip route
> > get` or the respective netlink calls. Does that help?
> > 
> > >so that virtual IPv6 addresses can be checked out
> > >by a VPN gateway and are transported via the IKEv2 configuration
> > >payload or the IKEv1 Mode Config payload but cannot be
> > >installed in the kernel. Thus we cannot force IPv6 packets
> > >to leave via a physical interface but assuming a different
> > >source address.
> > 

Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100412/03707699/attachment.pgp>

More information about the Users mailing list