[strongSwan] ICMP discovery fails with IPv6 and IKEv2

Eric_C_Johnson at Dell.com
Thu Jan 26 17:44:15 CET 2012

Hi Martin.

Thanks for hanging with me on this.  One more question.  Once I get to 4.5.3 you're saying I need to define the type as passthrough and then use the left/rightprotoport options.  Are the protoport options defining traffic exceptions to NOT send over the tunnel?  For example would I list icmp6 134-6 to make sure the neighbor discovery works before the tunnel attempt is made?  And can I still define an 'allow all' policy on the remote peer by doing this?

-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org] 
Sent: Thursday, January 26, 2012 10:39 AM
To: Johnson, Eric C
Cc: users at lists.strongswan.org
Subject: RE: [strongSwan] ICMP discovery fails with IPv6 and IKEv2


> I have v4.5.2.  Will the passthrough option insist on manual keying?

Passthrough policies are not supported with charon before 4.5.3. You can install them manually using other tools (setkey or iproute2), but it might be a little tricky to get it right. Probably simpler to update to a recent strongSwan version.

