[strongSwan] IPv6 tunnel and routing problems

Jason White jason at jasonjgw.net
Sat Sep 10 08:23:18 CEST 2011

Jason White  <jason at jasonjgw.net> wrote:

>workstation/router -> anywhere: I can establish a tunnel, but as far as I can
>tell from packet monitoring, no packets are ever sent out over the tunnel. The
>output of "ipsec xfrm policy show" and "ip xfrm state show" looks fine on both
>In the kernel logs of the workstation/router, messages such as the following
>appear whenever I try to ping the remote end of such a tunnel: 
>Jul 30 15:12:26 jdc kernel: [23751.548077] pmtu discovery on SA ESP/c0cb33bc/2607:f2f8:2340:0000:0000:0000:0000:0002

Just to add to the above, packet capture shows that after establishing the
tunnel, if I then try to ping the remote peer, no packets are sent out the
ppp0 interface, but many neighbour solicitations are suddenly sent to the eth0
interface. Obviously, that's the wrong interface - the packets need to be
encapsulated with ESP and routed via ppp0 to the destination.

I am suspecting at this point that the tunnel is established properly, but
something in the kernel's IPsec configuration as set up by strongSwan is
amiss, or perhaps there's a bug somewhere.

I can post whatever details would be helpful.

Suggestions are welcome.

