[strongSwan] route based IPSec with VTI and IPv6
me at volshop.ru
Wed Dec 7 14:58:04 CET 2016
I want to ask a question about route based IPSec with VTI in tunneled
mode. Traffic selectors for left and rigth subnets are defined as
0.0.0.0/0, ::0/0 they are the same on left and right routers. SA is up
over ipv4 internet. IPv4 addresses assigned to VTI on both routers(left
and right) are in one /30 subnet. IPv6 addresses are fe80::1/64 and
fe80::2/64(tested with addresses from other scopes too). According to
wiki net.ipv4.conf.[*].disable_policy=1 is set for all interfaces in
system, disable_xfrm=1 is set for all interfaces except VTI associated
with SA. install_routes=no. OK.
IPv4 works fine. bird daemon for ipv4 see the neighbours and ipv4 works
IPv6 is not worked. tcpdump show that icmp ping6 arrived other side of
tunnel but overall ping6 not working. ip*tables allow all.
In my opinion problem is located in disable_policy=1. For IPv6 this
option has no effect.
Important fact that approving my opinion: when SA with such traffice
selectors is UP ipv6 on both routers stops working according routing
table. No ping6 to internet or locally connected networks. After SA
stops IPv6 connectivity became to work properly.
ip route list table 220 empty (v4 & v6).
I can't set traffic selectors for any specific network because dynamic
routing(IGP) will work in my configuration.
OS: gentoo stable with current updates
Is any ideas about IPv6 to became to work properly in tunnel?
More information about the Users