[strongSwan] IPv6 source addresses marked as deprecated (preferred_lft == 0)

Andrej Podzimek andrej at podzimek.org
Sun Nov 16 20:19:51 CET 2014


> The new problem:
> A machine has a 6to4 access to IPv6 (2002:xxxx:xxxx::/48 etc.) and wants to use IPSec only when talking to a specific IPv6 subnet (say 2a01:yyyy:yyyy:yyyy::/64), connecting without IPSec anywhere outside that subnet. (I think this is called "split tunnel mode" or the like.) The problem is that the virtual IPv6 address obtained to access the tunnel has preferred_lft set to forever, which is wrong for this particular case. Consequently, exactly as mentioned in bug #598, the virtual IPv6 address is preferred over the 6to4 address for outbound connections, perhaps because "native IPv6" addresses are preferred over 6to4. This limits the capability to initiate IPv6 connections solely to the small subnet behind the tunnel, though Pv6 connections can be accepted from anywhere (both via IPSec and via 6to4).
>
> Presumably, marking the tunnel address as deprecated resolves this problem (for a short time):
>      ip -6 addr change "${tunnel_virtual_address}" dev "${device}" preferred_lft 0

Just FTR, this will most likely circumvent the secure tunnel completely, defeating its sole purpose. ;-) So this is a completely wrong "solution".

Cheers,
Andrej

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4266 bytes
Desc: Elektronicky podpis S/MIME
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141116/23aa324f/attachment.bin>


More information about the Users mailing list