[strongSwan] IPv6 Remote Access: traffic selectors fec1::/64 === ::/0 inacceptable, failed to establish CHILD_SA
Martin Willi
martin at strongswan.org
Fri Aug 3 10:06:41 CEST 2012
Hi,

> conn rw-carol
> leftsubnet=2002:c023:9c17:21c::/64
> rightsourceip=fec1::1/64
> conn home
> leftsourceip=%config
> rightsubnet=fec1::/64
> 11[IKE] traffic selectors fec1::/64 === ::/0 inacceptable

Your subnet definitions don't match. The subnet behind carol is
dynamically selected from the sourceip. For the subnet behind moon,
carol proposes fec1::/64, but moon expects 2002:c023:9c17:21c::/64.
This doesn't yield a result during narrowing, hence your CHILD_SA fails.

> why the assigned IPv6 address on Carol is having the full 128-bit
> fec1::1/128 instead of the configured fec1::1/64?

strongSwan currently does not assign prefixes, but just a single IPv6
address. This might be a little confusing when thinking the IPv6 way,
but it prevents the inclusion of whole "subnets" where you only want to
attach a single client using this tunnel.

The /64 does not define a /64 prefix, but a pool of (/128) addresses as
with IPv4. Your configured pool of addresses starts at fec1:: and
includes 2^64 addresses.

Regards
Martin
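
The narrowing failure and the pool semantics described in the message above, as an added example that is not part of the original post and not strongSwan code. It models narrowing as a plain intersection of subnet selectors; the function names are hypothetical, and the second case assumes carol's rightsubnet is changed to moon's leftsubnet.

```python
import ipaddress


def narrow(proposed, configured):
    """Intersect two subnet selectors; None means narrowing yields nothing."""
    p = ipaddress.ip_network(proposed)
    c = ipaddress.ip_network(configured)
    if p.version != c.version:
        return None
    if p.subnet_of(c):
        return p
    if c.subnet_of(p):
        return c
    return None  # CIDR blocks either nest or are disjoint


def negotiate(init_local, init_remote, resp_local, resp_remote):
    """Narrow both selector pairs; the CHILD_SA needs both to be non-empty."""
    ts_i = narrow(init_local, resp_remote)
    ts_r = narrow(init_remote, resp_local)
    if ts_i is None or ts_r is None:
        return None
    return str(ts_i), str(ts_r)


def pool_size(sourceip):
    """Number of single addresses in a rightsourceip pool such as fec1::1/64."""
    return ipaddress.ip_interface(sourceip).network.num_addresses


MOON_SUBNET = "2002:c023:9c17:21c::/64"   # leftsubnet on moon (from the thread)
VIRTUAL_IP = "fec1::1/128"                # address assigned to carol

if __name__ == "__main__":
    # As posted: carol proposes fec1::/64 for the subnet behind moon.
    print(negotiate(VIRTUAL_IP, "fec1::/64", MOON_SUBNET, VIRTUAL_IP))
    # Assumed correction: carol's rightsubnet equals moon's leftsubnet.
    print(negotiate(VIRTUAL_IP, MOON_SUBNET, MOON_SUBNET, VIRTUAL_IP))
    print(pool_size("fec1::1/64") == 2 ** 64)
```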