[strongSwan] %defaultroute resolves to link-local address
Simon Deziel
simon.deziel at gmail.com
Thu Jul 4 20:48:20 CEST 2013
Hi Daniel
On 13-07-04 10:30 AM, Daniel Pocock wrote:
>
> I have v5.0.0 on OpenWRT (using the binary packages) and v4.5.2 on Debian
>
> It works fine for IPv4
>
> Then I tried to make OpenWRT connect to the Debian server on IPv6
>
> The OpenWRT router initiating the connection has a PPPoE connection with
> only a link-local address.
>
> There is a routable IPv6 address on the internal ethernet though.
> left=%defaultroute tries to use the link-local address as source address
> and consequently it fails to bring up the connection.
>
> If I manually put an extra routable address on the PPPoE interface,
> strongSwan uses that instead.
>
> However, it doesn't get much further, tcpdump shows it retrying. This
> was captured on the VPN gateway receiving connection, so I know that the
> packets are getting through:
>
> 14:09:28.263105 IP6 SOURCENET::2.500 > DESTNET::6.500: isakmp: parent_sa ikev2_init[I]
> 14:09:28.297420 IP6 DESTNET::6.500 > SOURCENET::2.500: isakmp: parent_sa ikev2_init[R]
> 14:09:28.907202 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 14:09:28.907442 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
> 14:09:32.908541 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 14:09:32.908793 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
> 14:09:40.108915 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 14:09:40.109216 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
> 14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
> 14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded in-transit (reassembly), length 1240
I ran into the same issue when moving from PSK to certificates. This
made the packets too big to avoid fragmentation. I managed to work around
this by installing all the certs on both sides and using this in my conn
stanza:
conn foo
        # Sending cert leads to too big packets requiring
        # fragmentation (not optimal in IPv6).
        leftsendcert=never
        rightsendcert=never
HTH,
Simon
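An added example, not part of the thread and not strongSwan code: a small Python script that reads tcpdump's text output, as quoted above, and reports the pattern Simon is describing: IKE_SA_INIT completes, IKE_AUTH goes out as IPv6 fragments, is retransmitted several times and never answered, and the responder finally sends ICMPv6 "time exceeded (reassembly)". The failing capture is the one from the mail (SOURCENET/DESTNET placeholders kept); the healthy capture and the regexes are my own construction, modelled on tcpdump's usual output format.

```python
"""Spot the "IKE_AUTH too big for the IPv6 path" failure in tcpdump output.
Added example for this thread, not strongSwan code."""
import re
from dataclasses import dataclass, field

# The capture quoted in the thread, one tcpdump line per packet.
FAILING_CAPTURE = """\
14:09:28.263105 IP6 SOURCENET::2.500 > DESTNET::6.500: isakmp: parent_sa ikev2_init[I]
14:09:28.297420 IP6 DESTNET::6.500 > SOURCENET::2.500: isakmp: parent_sa ikev2_init[R]
14:09:28.907202 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:09:28.907442 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:09:32.908541 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:09:32.908793 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:09:40.108915 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:09:40.109216 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded in-transit (reassembly), length 1240
"""

# Constructed healthy exchange (not from the mail): IKE_AUTH fits in one
# UDP/4500 datagram and gets a response.
HEALTHY_CAPTURE = """\
14:20:01.000000 IP6 SOURCENET::2.500 > DESTNET::6.500: isakmp: parent_sa ikev2_init[I]
14:20:01.030000 IP6 DESTNET::6.500 > SOURCENET::2.500: isakmp: parent_sa ikev2_init[R]
14:20:01.500000 IP6 SOURCENET::2.4500 > DESTNET::6.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:20:01.540000 IP6 DESTNET::6.4500 > SOURCENET::2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
"""

# tcpdump prints "frag (offset|length)" per IPv6 fragment; only the first one
# (offset 0) still carries the UDP header, so only it is decoded as isakmp.
FRAG_RE = re.compile(r"\bfrag \((?P<off>\d+)\|(?P<len>\d+)\)")
ISAKMP_RE = re.compile(r"isakmp: (?:parent|child)_sa (?P<exch>ikev2_\w+)\[(?P<role>[IR])\]")
ICMP_RE = re.compile(r"ICMP6, time exceeded in-transit \(reassembly\)")


@dataclass
class Attempt:
    ts: str                 # timestamp of the IKE_AUTH request
    fragments: int = 1
    total_bytes: int = 0    # highest offset+length seen; 0 if tcpdump showed no size

    @property
    def fragmented(self) -> bool:
        return self.fragments > 1


@dataclass
class Diagnosis:
    init_ok: bool = False             # saw an IKE_SA_INIT response
    auth_answered: bool = False       # saw an IKE_AUTH response
    reassembly_timeout: bool = False  # responder gave up reassembling our fragments
    auth_attempts: list = field(default_factory=list)


def diagnose(capture: str) -> Diagnosis:
    d = Diagnosis()
    current = None  # IKE_AUTH attempt whose trailing fragments we are collecting
    for line in capture.splitlines():
        if ICMP_RE.search(line):
            d.reassembly_timeout = True
            continue
        ike = ISAKMP_RE.search(line)
        frag = FRAG_RE.search(line)
        if ike and ike["role"] == "R":
            if ike["exch"] == "ikev2_init":
                d.init_ok = True
            elif ike["exch"] == "ikev2_auth":
                d.auth_answered = True
            current = None
        elif ike and ike["exch"] == "ikev2_auth":
            # Request: either an unfragmented datagram or the first fragment.
            current = Attempt(ts=line.split()[0])
            d.auth_attempts.append(current)
            if frag:
                current.total_bytes = int(frag["len"])
        elif frag and current is not None and int(frag["off"]) > 0:
            # Trailing fragment of the request we are tracking.
            current.fragments += 1
            current.total_bytes = max(current.total_bytes, int(frag["off"]) + int(frag["len"]))
        else:
            current = None
    return d


def verdict(d: Diagnosis) -> str:
    if not d.init_ok:
        return "IKE_SA_INIT unanswered: reachability problem, not a size problem"
    if not d.auth_attempts or d.auth_answered:
        return "no fragmentation problem detected"
    fragged = [a for a in d.auth_attempts if a.fragmented]
    if not fragged:
        return f"IKE_AUTH unanswered {len(d.auth_attempts)}x but not fragmented: check the responder's logs"
    biggest = max(a.total_bytes for a in fragged)
    msg = (f"IKE_AUTH retransmitted {len(d.auth_attempts)}x as IP fragments "
           f"({biggest} bytes of fragmented payload) and never answered")
    if d.reassembly_timeout:
        msg += "; responder sent ICMPv6 time exceeded (reassembly), so fragments are being lost"
    return msg + ". Shrink IKE_AUTH: leftsendcert=never/rightsendcert=never with the certs installed on both peers."


if __name__ == "__main__":
    for name, cap in (("failing", FAILING_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        print(f"{name}: {verdict(diagnose(cap))}")
```

Feed it `tcpdump -ni <iface> 'ip6 and (udp port 500 or udp port 4500 or icmp6)'` output taken on the responder, as in the thread. Two practical points that the workaround implies but the mail does not spell out: with *sendcert=never each peer must already hold the other's certificate locally (referenced by leftcert/rightcert on each side) and still verifies it, so this is not a fallback to PSK; and later strongSwan releases (5.2.1 onwards) offer IKEv2 fragmentation (RFC 7383) through fragmentation=yes, which splits the message at the IKE layer instead of depending on IP fragmentation surviving the path. That option does not exist in the 5.0.0 and 4.5.2 versions discussed here.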