[strongSwan] ICMP discovery fails with IPv6 and IKEv2

Eric_C_Johnson at Dell.com Eric_C_Johnson at Dell.com
Thu Jan 26 16:32:58 CET 2012

Hi Martin.

I have v4.5.2.  Will the passthrough option insist on manual keying?  Not sure what this option does in conjunction with Charon?  Could you give me the 2 sec summary?

-----Original Message-----
From: users-bounces+eric_c_johnson=dell.com at lists.strongswan.org [mailto:users-bounces+eric_c_johnson=dell.com at lists.strongswan.org] On Behalf Of Martin Willi
Sent: Wednesday, January 25, 2012 3:38 AM
To: Johnson, Eric C
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] ICMP discovery fails with IPv6 and IKEv2

Hello Eric,

> 01[KNL] creating acquire job for policy 
> fc00:2518::221:9bff:fe98:854b/128[udp/60525] === 
> fc00:2518::10:125:56:9/128[udp/1025] with reqid {10}

If your policy triggering the tunnel covers all traffic, of course any ICMP messages are covered by this policy, too. So the name resolution won't work, and the tunnel can't be established.

Try to install a passthrough policy using the "type" ipsec.conf option (requires strongSwan 4.5.3 if you want to do this with charon). You can limit this policy to ICMPv6 and the required types using left/rightprotoport options.
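
An ipsec.conf fragment for the passthrough policy suggested above, added here as an illustration and not part of Martin's message. The conn name is hypothetical, the left/right addresses are taken from the acquire log line and their roles (left = local host) are an assumption, and the ::/0 selectors are an assumed scope. The page gives no syntax for restricting to individual ICMPv6 types, so this fragment matches the whole protocol.

```conf
# Added example: bypass (passthrough) policy so that ICMPv6, including
# neighbor discovery, is not captured by the catch-all tunnel policy.
# Per the message above, charon needs strongSwan 4.5.3 for type=passthrough.

conn icmpv6-bypass
        # hypothetical conn name; install a bypass policy, no SA is negotiated
        type=passthrough
        # assumption: addresses from the log line, left = local host
        left=fc00:2518::221:9bff:fe98:854b
        right=fc00:2518::10:125:56:9
        # assumption: match ICMPv6 to and from any address, so that
        # multicast neighbor solicitations are covered as well
        leftsubnet=::/0
        rightsubnet=::/0
        # limit the bypass to ICMPv6 (IP protocol 58)
        leftprotoport=ipv6-icmp
        rightprotoport=ipv6-icmp
        # install the policy when the daemon starts
        auto=route
```

A protocol-wide bypass also leaves echo and error messages outside IPsec protection; `ip -6 xfrm policy` shows which policies the kernel actually holds after the conn is loaded.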

