[strongSwan] mixing ipv4 and ipv6 subnets does not work

[Tobias Brunner]

Hi Niccolò,

>> # bad subnet: leftsubnet=a:b:c:0300::/56,1.2.3.4/28 [non-ipv6 address
>> may not contain `:']
>>     bad argument value in conn 'linode-linuxsystems'
>> ### 1 parsing error (0 fatal) ###
>>
>> while if I add the ipv4 subnet first I get not errors but it doesn't
>> tunnel the traffic toward 1.2.3.4/28
> 
> Noone?

Well, what did you expect?  You provided neither a full configuration
file nor any logs to support what you are claiming is true.

Now, the first part of what you are saying above *is* correct.  There is
a bug in starter that makes it parse left|rightsubnet incorrectly in
that case.  It first checks the whole string for dots to detect the
address family and when it parses the first subnet its family doesn't
match.  Switching the two subnets obviously works around this bug.

The other part I can't confirm, as I did a quick test with IKEv2 and it
works here.  Unless you are using IKEv1 (which I can't know) I see no
reason why it shouldn't work for you too.  It won't work for IKEv1
because the pluto daemon only supports single subnets for
left|rightsubnet (which the man page for ipsec.conf would tell you),
you'd have to add separate conn sections for each subnet in that case.

Regards,
Tobias