[strongSwan] %defaultroute resolves to link-local address
Volker Rümelin
vr_strongswan at t-online.de
Fri Jul 5 19:45:02 CEST 2013
On 04.07.2013 23:58, Daniel Pocock wrote:
>
>
> On 04/07/13 22:02, Volker Rümelin wrote:
>> Hello Daniel,
>>
>>> 14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
>>> 14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
>>> 14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded in-transit (reassembly), length 1240
>> this is most likely a firewall problem with your Debian machine. Only
>> the first fragment is accepted by your netfilter rules and the second
>> fragment is dropped, leading to a reassembly timeout after 60s.
>>
>
> I'm trying Shorewall firewall, is there a recommended set of parameters
> for configuring Shorewall with StrongSwan?
>
I upgraded my kernel to version 3.7 where the ip6tables filter rules
started to work as expected.
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4cdd34084d539c758d00c5dc7bf95db2e4f2bc70
This is just an untested idea, but as an alternative to a kernel upgrade
you can try to set mobike=no in your ipsec.conf connections. This
ensures IKEv2 packet exchange only happens on port 500. Because the
first packet is getting through, all following packets to port 500 will
be accepted. You also need a rule similar to this one in your netfilter
table
ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Shorewall probably already installs a rule like this.
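The diagnosis above rests on reading the tcpdump trace: a fragmented IKE_AUTH goes out (first fragment carries the UDP 4500 header, the second is a bare fragment) and the peer later returns an ICMP6 "time exceeded in-transit (reassembly)", which means at least one fragment never reached the peer's reassembly queue. The script below automates that reading over a capture. It is an added example, not code from the thread or from the strongSwan project; the sample trace is constructed to mirror the lines Daniel quoted (SOURCENET/DESTNET are his placeholders), and the function and field names are this example's own choices.

```python
#!/usr/bin/env python3
"""Flag IPv6 fragment loss in a tcpdump trace of an IKEv2 exchange.

A fragmented datagram from A to B that is followed by an ICMP6
"time exceeded in-transit (reassembly)" from B back to A means B timed
out waiting for a fragment, i.e. a fragment was dropped on the way
(on the Debian box in the thread: by an ip6tables rule that only
accepted the first fragment).
"""
import re
from collections import OrderedDict

# Constructed sample modelled on the trace quoted in the thread (not a real capture).
SAMPLE_FAILING = """\
14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 > 4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded in-transit (reassembly), length 1240
"""

# Constructed healthy exchange: both fragments arrive and the responder answers.
SAMPLE_HEALTHY = """\
14:20:01.000100 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 500 > 500: isakmp: child_sa ikev2_auth[I]
14:20:01.000500 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
14:20:01.050000 IP6 DESTNET::6 > SOURCENET::2: frag (0|1400) 500 > 500: isakmp: child_sa ikev2_auth[R]
14:20:01.050300 IP6 DESTNET::6 > SOURCENET::2: frag (1400|120)
"""

_TS = r"(?P<ts>\d\d:\d\d:\d\d\.\d+)"
_ADDR = r"[0-9A-Za-z:.]+"
FRAG_RE = re.compile(
    _TS + r" IP6 (?P<src>" + _ADDR + r") > (?P<dst>" + _ADDR + r"): "
    r"frag \((?P<off>\d+)\|(?P<len>\d+)\)(?P<rest>.*)"
)
ICMP_RE = re.compile(
    _TS + r" IP6 (?P<src>" + _ADDR + r") > (?P<dst>" + _ADDR + r"): "
    r"ICMP6, time exceeded in-transit \(reassembly\)"
)


def _seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def find_reassembly_failures(trace):
    """Return one record per fragmented datagram that drew a reassembly
    time-exceeded from its destination; an empty list means no fragment loss seen."""
    pending = OrderedDict()  # (src, dst) -> fragments of the most recent datagram
    failures = []
    for line in trace.splitlines():
        m = FRAG_RE.match(line)
        if m:
            key = (m["src"], m["dst"])
            off = int(m["off"])
            if off == 0 or key not in pending:   # offset 0 starts a new datagram
                pending[key] = []
            pending[key].append({"ts": _seconds(m["ts"]), "offset": off,
                                 "length": int(m["len"]), "info": m["rest"].strip()})
            continue
        m = ICMP_RE.match(line)
        if m:
            key = (m["dst"], m["src"])          # the error travels back to the sender
            frags = pending.pop(key, None)
            if frags:
                failures.append({
                    "src": key[0], "dst": key[1],
                    "fragments_seen": len(frags),
                    "payload_bytes": sum(f["length"] for f in frags),
                    "first_fragment": frags[0]["info"],
                    "seconds_to_timeout": round(_seconds(m["ts"]) - frags[0]["ts"], 3),
                })
    return failures


if __name__ == "__main__":
    for name, trace in (("failing", SAMPLE_FAILING), ("healthy", SAMPLE_HEALTHY)):
        hits = find_reassembly_failures(trace)
        print(f"{name}: {len(hits)} reassembly failure(s)")
        for h in hits:
            print(f"  {h['src']} -> {h['dst']}: {h['fragments_seen']} fragment(s), "
                  f"{h['payload_bytes']} bytes, timeout after {h['seconds_to_timeout']}s "
                  f"[{h['first_fragment']}]")
```

Run it against `tcpdump -n -i <iface> ip6` output saved to a file (replace the constructed samples with the file's contents). A hit where all fragments are visible on the sender side but the receiver still times out points at a drop between capture point and reassembly, which is exactly the non-first-fragment filtering problem described above; a healthy trace yields no records.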