[strongSwan] IPv6 Remote Access: traffic selectors fec1::/64 === ::/0 inacceptable, failed to establish CHILD_SA

Martin Willi martin at strongswan.org
Fri Aug 3 10:06:41 CEST 2012


> conn rw-carol
>         leftsubnet=2002:c023:9c17:21c::/64
>         rightsourceip=fec1::1/64

> conn home
>         leftsourceip=%config
>         rightsubnet=fec1::/64

> 11[IKE] traffic selectors fec1::/64 === ::/0  inacceptable

Your subnet definitions don't match. The subnet behind carol is
dynamically selected from the sourceip. For the subnet behind moon,
carol proposes, fec1::/64, but moon expects 2002:c023:9c17:21c::/64.
This doesn't yield a result during narrowing, hence your CHILD_SA fails.

> why the assigned IPv6 address on Carol is having the full 128-bit
> fec1::1/128 instead of the configured fec1::1/64?

strongSwan currently does not assign prefixes, but just a single IPv6
address. This might be a little confusing when thinking the IPv6 way,
but it prevents the inclusion of whole "subnets" where you only want to
attach a single client using this tunnel.

The /64 does not define a /64 prefix, but a pool of (/128) addresses as
with IPv4. Your configured pool of addresses starts at fec1:: and
includes 2^64 addresses.


More information about the Users mailing list