[strongSwan] IPv6 tunnel and routing problems

Jason White jason at jasonjgw.net
Sat Jul 30 08:42:40 CEST 2011

I am experimenting with Strongswan 4.5.2 under Debian GNU/Linux, IKEv2
(Charon) only.

My primary machine serves as a router, with an ADSL connection via ppp0 which
receives a native IPv6 address from my ISP. DHCPv6 is then used to assign a
(static) block of addresses to me, which can be used on the local network by
way of radvd and a suitable configuration of the eth0 interface.

I also have a virtual machine running on the same host which serves as the
router (it's a desktop workstation, actually).

I note the following:

virtual machine -> remote IPv6 host: I can establish a working tunnel with
x.509 certificates on both sides.

Virtual machine -> laptop on local LAN: also works.

workstation/router -> anywhere: I can establish a tunnel, but as far as I can
tell from packet monitoring, no packets are ever sent out over the tunnel. The
output of "ipsec xfrm policy show" and "ip xfrm state show" looks fine on both

In the kernel logs of the workstation/router, messages such as the following
appear whenever I try to ping the remote end of such a tunnel: 

Jul 30 15:12:26 jdc kernel: [23751.548077] pmtu discovery on SA ESP/c0cb33bc/2607:f2f8:2340:0000:0000:0000:0000:0002

Any suggestions on where to look next would be helpful.

Note that it even fails in this manner with a local tunnel between the
workstation/router and the virtual machine running on the same host.
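As an added example that is not part of the post above, a small Python helper that parses the kernel's xfrm PMTU notice quoted in the message into protocol, SPI and destination and looks that SA up in an `ip xfrm state show` listing, so the state the kernel is complaining about can be tied to a concrete installed SA before digging further (the state excerpt, including its second SA, is constructed here; the SPI and address come from the quoted log line).

```python
import re
from ipaddress import ip_address

# Kernel line as quoted in the post (the only real data point here).
KERNEL_LOG = [
    "Jul 30 15:12:26 jdc kernel: [23751.548077] pmtu discovery on SA "
    "ESP/c0cb33bc/2607:f2f8:2340:0000:0000:0000:0000:0002",
]

# Constructed excerpt in the shape of `ip xfrm state show` output:
# a "src ... dst ..." header followed by indented attribute lines.
XFRM_STATE = """\
src 2607:f2f8:2340::1 dst 2607:f2f8:2340::2
\tproto esp spi 0xc0cb33bc reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
src 2607:f2f8:2340::2 dst 2607:f2f8:2340::1
\tproto esp spi 0xc1ee0a5f reqid 1 mode tunnel
"""

PMTU_RE = re.compile(
    r"pmtu discovery on SA (?P<proto>\w+)/(?P<spi>[0-9a-f]+)/(?P<dst>[0-9a-f:]+)")
STATE_HDR_RE = re.compile(r"^src (?P<src>\S+) dst (?P<dst>\S+)")
STATE_SPI_RE = re.compile(r"^\s+proto (?P<proto>\w+) spi 0x(?P<spi>[0-9a-f]+)")

def parse_pmtu_events(lines):
    """Return (proto, spi, dst) tuples for every xfrm PMTU notice in the log."""
    events = []
    for line in lines:
        m = PMTU_RE.search(line)
        if m:
            # ip_address() normalises the zero-padded form the kernel prints.
            events.append((m["proto"].lower(), int(m["spi"], 16), ip_address(m["dst"])))
    return events

def parse_xfrm_states(text):
    """Map (proto, spi, dst) -> (src, dst) for each SA in the state listing."""
    states, hdr = {}, None
    for line in text.splitlines():
        m = STATE_HDR_RE.match(line)
        if m:
            hdr = (ip_address(m["src"]), ip_address(m["dst"]))
            continue
        m = STATE_SPI_RE.match(line)
        if m and hdr:
            states[(m["proto"], int(m["spi"], 16), hdr[1])] = hdr
    return states

def match_events(events, states):
    """Pair each PMTU notice with the installed SA it refers to (None if absent)."""
    return [(f"{p}/{spi:08x}/{dst}", states.get((p, spi, dst))) for p, spi, dst in events]
```

An event whose SA resolves to None means the kernel referenced an SPI/destination that is not in the current state table, which is a different problem from a matching SA that simply never carries traffic.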