[strongSwan] IPv6 src address selection w/ kernel 3.14 broken

Matthias Dahl ml-strongswan at binary-island.eu
Thu Apr 3 20:44:29 CEST 2014

Hello @all...

I've noticed the strangest thing and for the life of me, I cannot figure
out the cause behind it. All w/ strongSwan 5.1.2 on an up2date Gentoo
machine, by the way.

If I start a tunnel to an IPv6 remote machine, with kernel 3.14 the first
time I invoke "ipsec up ...", packets are sent from "::1" which is all
naturally wrong. Canceling that ("ipsec down...") and immediately trying
again, a proper IPv6 address is selected. There also seems to be some
sort of TTL / caching involved since if you wait a bit (a few minutes)
before you try again, ::1 will be selected again, no matter what. Only
if you immediately try again, the right address is set.

Same system, just w/ kernel 3.13.6 booted, and I am absolutely unable to
reproduce this-- even after trying very hard. On the other hand, with
kernel 3.14, it's 100% reproducible.

I confirmed w/ Wireshark that the packets are actually sent w/ ::1 as
source. Also setting charon.plugins.socket-default.set_source=no makes
no difference either.

The policy table shows nothing out of the ordinary as well-- especially
since it is naturally the same for both kernels (ip addrlabel):

prefix ::1/128 label 0
prefix ::/96 label 3
prefix ::ffff: label 4
prefix 2001::/32 label 6
prefix 2001:10::/28 label 7
prefix 3ffe::/16 label 12
prefix 2002::/16 label 2
prefix fec0::/10 label 11
prefix fc00::/7 label 5
prefix ::/0 label 1

Both kernels share nearly the same config, w/ those diffs in IP/NET from
3.13.6 to 3.14.0:

-# CONFIG_NET_IPIP is not set

I'm at wit's end here, so if someone could give me a nudge into the
right direction or even knows what the root cause of this is, I'd be
greatly thankful. :)

Thanks a lot in advance.

So long,

Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
 services: custom software [desktop, mobile, web], server administration
