[strongSwan] IPv6 src address selection w/ kernel 3.14 broken

Matthias Dahl ml-strongswan at binary-island.eu
Thu Apr 3 20:44:29 CEST 2014


Hello @all...

I've noticed the strangest thing and for the life of me, I cannot figure
out the cause behind it. All w/ strongSwan 5.1.2 on an up-to-date Gentoo
machine, by the way.

If I start a tunnel to an IPv6 remote machine, with kernel 3.14 the first
time I invoke "ipsec up ...", packets are sent from "::1", which is all
naturally wrong. Canceling that ("ipsec down ...") and immediately trying
again, a proper IPv6 address is selected. There also seems to be some
sort of TTL / caching involved, since if you wait a bit (a few minutes)
before you try again, ::1 will be selected again, no matter what. Only
if you immediately try again is the right address set.

Same system, just w/ kernel 3.13.6 booted, and I am absolutely unable to
reproduce this, even after trying very hard. On the other hand, with
kernel 3.14, it's 100% reproducible.

I confirmed w/ Wireshark that the packets are actually sent w/ ::1 as
source. Also setting charon.plugins.socket-default.set_source=no makes
no difference either.

The policy table shows nothing out of the ordinary as well, especially
since it is naturally the same for both kernels (ip addrlabel):

prefix ::1/128 label 0
prefix ::/96 label 3
prefix ::ffff:0.0.0.0/96 label 4
prefix 2001::/32 label 6
prefix 2001:10::/28 label 7
prefix 3ffe::/16 label 12
prefix 2002::/16 label 2
prefix fec0::/10 label 11
prefix fc00::/7 label 5
prefix ::/0 label 1

Both kernels share nearly the same config, w/ those diffs in IP/NET from
3.13.6 to 3.14.0:

-# CONFIG_NET_IPIP is not set
+CONFIG_NET_IPIP=y
-# CONFIG_IPV6_MULTIPLE_TABLES is not set
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+CONFIG_NF_TABLES_INET=m
+CONFIG_NFT_REJECT_INET=m
+CONFIG_NETFILTER_XT_MATCH_CGROUP=m
+CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
+CONFIG_NETFILTER_XT_MATCH_L2TP=m
-# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
+CONFIG_IP_NF_TARGET_CLUSTERIP=m
+CONFIG_NFT_REJECT_IPV6=m
-CONFIG_NETPRIO_CGROUP=y
+CONFIG_CGROUP_NET_PRIO=m
+CONFIG_CGROUP_NET_CLASSID=y
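Review bot: of the options listed, CONFIG_IPV6_MULTIPLE_TABLES and CONFIG_IPV6_SUBTREES are the only two that touch IPv6 route lookup itself; every other line is netfilter, IPIP or cgroup related and has no bearing on which source address a socket picks. They are therefore the natural first candidates for a bisect: rebuild 3.14 with those two unset (as in the 3.13.6 config) and re-run the "ipsec up" test before looking anywhere else.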

I'm at wit's end here, so if someone could give me a nudge in the
right direction or even knows what the root cause of this is, I'd be
greatly thankful. :)

Thanks a lot in advance.

So long,
Matthias

-- 
Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
 services: custom software [desktop, mobile, web], server administration

