[strongSwan] XFRM for IPv6 ND/NA bypass
Mike Spengler
mks at foobox.com
Tue Mar 1 04:43:26 CET 2011
Martin,
Martin Willi wrote:
> Hi Mike,
>
>> I have these policies installed but the NA always seems to hit the
>> strongswan-installed policy rather than my manual ones.
>
>> src ::/0 dst ::/0 proto ipv6-icmp type 135 code 0
>> dir in priority 1073741824 ptype main
>> src ::/0 dst ::/0 proto ipv6-icmp type 136 code 0
>> dir in priority 1073741824 ptype main
>
>> src ::/0 dst ::/0 proto ipv6-icmp type 135 code 0
>> dir out priority 1073741824 ptype main
>> src ::/0 dst ::/0 proto ipv6-icmp type 136 code 0
>> dir out priority 1073741824 ptype main
>
> The priority value you set is higher than any policy installed by
> strongSwan, but a higher priority value actually means a lower
> priority ;-).
>
> Have you tried to install with "prio 1"? I don't have a full IPv6
> network for testing, but at least for ICMP pings it works.
>
> Regards
> Martin
>
>
I could have sworn I tried using a small prio number, but obviously I didn't as
it's now working perfectly!
Thanks!
-mike
More information about the Users
mailing list