[strongSwan] %defaultroute resolves to link-local address

Daniel Pocock daniel at pocock.com.au
Thu Jul 4 16:30:51 CEST 2013


I have v5.0.0 on OpenWRT (using the binary packages) and v4.5.2 on Debian.

It works fine for IPv4.

Then I tried to make OpenWRT connect to the Debian server on IPv6.

The OpenWRT router initiating the connection has a PPPoE connection with
only a link-local address.

There is a routable IPv6 address on the internal ethernet though. 
left=%defaultroute tries to use the link-local address as source address
and consequently it fails to bring up the connection.

If I manually put an extra routable address on the PPPoE interface,
strongSwan uses that instead.

However, it doesn't get much further; tcpdump shows it retrying.  This
was captured on the VPN gateway receiving the connection, so I know that
the packets are getting through:

14:09:28.263105 IP6 SOURCENET::2.500 > DESTNET::6.500: isakmp: parent_sa ikev2_init[I]
14:09:28.297420 IP6 DESTNET::6.500 > SOURCENET::2.500: isakmp: parent_sa ikev2_init[R]
14:09:28.907202 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:09:28.907442 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:09:32.908541 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:09:32.908793 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:09:40.108915 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:09:40.109216 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded in-transit (reassembly), length 1240


OpenWRT logread shows messages like this:

generating IKE_AUTH request 1
sending packet:    4500
retransmit 1 of request with message ID 1
...
retransmit 5 of request with message ID 1
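
Added example, not part of the original post and not strongSwan code: a Python script that tallies the tcpdump capture above (IKEv2 messages, IPv6 fragments, reassembly timeouts, spacing of IKE_AUTH transmissions) and states what the capture shows. The function names summarize() and diagnose() are illustrative; the input is the post's capture re-joined to one packet per line.

```python
import re

# Added example; summarize()/diagnose() are illustrative names. Post's capture, re-joined.
CAPTURE = """\
14:09:28.263105 IP6 SOURCENET::2.500 > DESTNET::6.500: isakmp: parent_sa ikev2_init[I]
14:09:28.297420 IP6 DESTNET::6.500 > SOURCENET::2.500: isakmp: parent_sa ikev2_init[R]
14:09:28.907202 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:09:28.907442 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:09:32.908541 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:09:32.908793 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:09:40.108915 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:09:40.109216 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded in-transit (reassembly), length 1240
"""

TS = re.compile(r"^(\d+):(\d+):([\d.]+) IP6 ")
IKE = re.compile(r"ikev2_(init|auth)\[([IR])\]")

def summarize(capture):
    """Tally IKEv2 messages, IPv6 fragments and reassembly timeouts."""
    s = {"init[I]": 0, "init[R]": 0, "auth[I]": 0, "auth[R]": 0,
         "fragments": 0, "reassembly_timeouts": 0}
    auth_times = []
    for line in capture.splitlines():
        ts = TS.match(line)
        if not ts:
            continue  # not a tcpdump IPv6 packet line
        s["fragments"] += "frag (" in line  # bool adds as 0 or 1
        s["reassembly_timeouts"] += "time exceeded" in line and "(reassembly)" in line
        ike = IKE.search(line)
        if ike:
            s[f"{ike[1]}[{ike[2]}]"] += 1
            if ike[1] == "auth" and ike[2] == "I":
                auth_times.append(int(ts[1]) * 3600 + int(ts[2]) * 60 + float(ts[3]))
    # Seconds between successive IKE_AUTH (re)transmissions.
    s["auth_gaps"] = [round(b - a, 1) for a, b in zip(auth_times, auth_times[1:])]
    return s

def diagnose(s):
    """Describe what the capture shows; it does not identify a root cause."""
    if not s["init[R]"]:
        return "IKE_SA_INIT got no response"
    if s["auth[I]"] and not s["auth[R]"]:
        if s["fragments"] and s["reassembly_timeouts"]:
            return "IKE_AUTH sent as IPv6 fragments; receiver reported reassembly timeout"
        return "IKE_AUTH request unanswered"
    return "IKE_AUTH answered"
```

On this capture the gaps between IKE_AUTH transmissions come out as 4.0, 7.2 and 13.0 seconds, which lines up with the retransmit messages in the logread output.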





