[strongSwan] ICMP discovery fails with IPv6 and IKEv2

Martin Willi martin at strongswan.org
Wed Jan 25 09:37:55 CET 2012

Hello Eric,

> 01[KNL] creating acquire job for policy
> fc00:2518::221:9bff:fe98:854b/128[udp/60525] ===
> fc00:2518::10:125:56:9/128[udp/1025] with reqid {10}

If your policy triggering the tunnel covers all traffic, of course any
ICMP messages are covered by this policy, too. So the name resolution
won't work, and the tunnel can't be established.

Try to install a passthrough policy using the "type" ipsec.conf option
(requires strongSwan 4.5.3 if you want to do this with charon). You can
limit this policy to ICMPv6 and the required types using
left/rightprotoport options.


More information about the Users mailing list