[strongSwan] %defaultroute resolves to link-local address

Volker Rümelin vr_strongswan at t-online.de
Fri Jul 5 19:45:02 CEST 2013

Am 04.07.2013 23:58, schrieb Daniel Pocock:
> On 04/07/13 22:02, Volker Rümelin wrote:
>> Hello Daniel,
>>> 14:09:53.069743 IP6 SOURCENET::2 > DESTNET::6: frag (0|1400) 4500 >
>>> 4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
>>> 14:09:53.070185 IP6 SOURCENET::2 > DESTNET::6: frag (1400|352)
>>> 14:10:06.802214 IP6 DESTNET::6 > SOURCENET::2: ICMP6, time exceeded
>>> in-transit (reassembly), length 1240
>> this is most likely a firewall problem with your Debian machine. Only
>> the first fragment is accepted by your netfilter rules and the second
>> fragment is dropped, leading to a reassembly timeout after 60s.
> I'm trying Shorewall firewall, is there a recommended set of parameters
> for configuring Shorewall with StrongSwan?

I upgraded my kernel to version 3.7 where the ip6tables filter rules 
started to work as expected.


This is just an untested idea, but as an alternative to a kernel upgrade 
you can try to set mobike=no in your ipsec.conf connections. This 
ensures IKEv2 packet exchange only happens on port 500. Because the 
first packet is getting through, all following packets to port 500 will 
be accepted. You also need a rule similar to this one in your netfilter 

ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Shorewall probably already installs a rule like this.

More information about the Users mailing list