[strongSwan] route based IPSec with VTI and IPv6

Андрей Б. me at volshop.ru
Wed Dec 7 14:58:04 CET 2016

I want to ask a question about route based IPsec with VTI in tunnel 
mode. Traffic selectors for the left and right subnets are defined as ::0/0; they are the same on the left and right routers. The SA is up 
over the IPv4 internet. The IPv4 addresses assigned to the VTI on both routers (left 
and right) are in one /30 subnet. The IPv6 addresses are fe80::1/64 and 
fe80::2/64 (tested with addresses from other scopes too). According to the 
wiki, net.ipv4.conf.[*].disable_policy=1 is set for all interfaces in the 
system, disable_xfrm=1 is set for all interfaces except the VTI associated 
with the SA. install_routes=no. OK.
IPv4 works fine. The bird daemon sees the IPv4 neighbours and IPv4 works 
overall.
IPv6 does not work. tcpdump shows that the ICMP ping6 arrives at the other side of the 
tunnel, but overall ping6 is not working. ip*tables allow all.
In my opinion the problem is located in disable_policy=1. For IPv6 this 
option has no effect.
An important fact that supports my opinion: when an SA with such traffic 
selectors is UP, IPv6 on both routers stops working according to the routing 
table. No ping6 to the internet or to locally connected networks. After the SA 
stops, IPv6 connectivity starts to work properly again.
ip route list table 220 is empty (v4 & v6).

I can't set traffic selectors for any specific network because dynamic 
routing (IGP) will work in my configuration.

OS: gentoo stable with current updates
Strongswan: 5.3.4
Kernel: 4.4.26-gentoo

Are there any ideas on how to get IPv6 to work properly in the tunnel?

Thank you.
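The poster's setup depends on a set of per-interface xfrm sysctls (disable_policy on every interface, disable_xfrm on every interface except the VTI) that are easy to get subtly wrong, and the IPv4/IPv6 asymmetry being described is exactly the kind of thing a quick audit should surface. The script below is an added example, not code from the post or from the strongSwan project. It checks a sysctl dump in the "key = value" form that sysctl -a prints, so it can be pointed at the live system or at a captured file; the interface name vti0 and the sample dump are constructed for the example. It also reports whether the kernel exposes any net.ipv6.conf.*.disable_policy knob at all (newer kernels do; when it is absent, IPv6 packets are still matched against the SPD while IPv4 bypasses it).

```shell
#!/bin/sh
# Added example, not from the original post: audit the per-interface xfrm
# sysctls that a route-based VTI setup relies on. Input is a sysctl dump in
# "key = value" form (as printed by `sysctl -a`), so the same function runs
# against the live system or against a captured file. The VTI interface
# name and the constructed sample dump below are assumptions.

# audit_xfrm_sysctls DUMP VTI_IF
# Checks, for every IPv4 interface entry in DUMP:
#   disable_policy = 1  on all interfaces (the VTI included)
#   disable_xfrm   = 1  on all interfaces except VTI_IF, which needs 0
#   all.disable_xfrm must not be 1: the kernel ORs the "all" value with the
#   per-interface value for this knob, so it would silence the VTI as well
# It also reports whether the kernel exposes any net.ipv6.conf.*.disable_policy
# knob: when it does not, IPv6 packets are still matched against the SPD even
# though IPv4 bypasses it, which is the asymmetry described in the post.
# Prints one line per finding and returns 0 only when no FAIL was found.
audit_xfrm_sysctls() {
    printf '%s\n' "$1" | awk -v vti="$2" '
    /^net\.ipv[46]\.conf\./ {
        gsub(/=/, " ")        # "key = value" and "key=value" both become "key value"
        split($1, p, ".")     # p[2]=ipv4|ipv6  p[4]=interface  p[5]=knob
        fam = p[2]; ifn = p[4]; knob = p[5]; val = $2
        if (fam == "ipv6" && knob == "disable_policy") v6knob = 1
        if (fam != "ipv4") next
        if (knob == "disable_xfrm" && ifn == "all" && val == 1) {
            print "FAIL all.disable_xfrm=1 overrides the VTI (values are ORed)"; bad++
        }
        if (ifn == "all" || ifn == "default") next
        if (knob == "disable_policy" && val != 1) {
            printf "FAIL %s: disable_policy=%s (expected 1)\n", ifn, val; bad++
        }
        if (knob == "disable_xfrm") {
            want = (ifn == vti) ? 0 : 1
            if (val != want) {
                printf "FAIL %s: disable_xfrm=%s (expected %d)\n", ifn, val, want; bad++
            }
        }
    }
    END {
        if (!v6knob)
            print "NOTE no net.ipv6.conf.*.disable_policy knob: IPv6 still hits the SPD on this kernel"
        print (bad ? "RESULT " bad " problem(s)" : "RESULT ok")
        exit bad ? 1 : 0
    }'
}

# Run the audit against the running kernel for the given VTI interface.
audit_live() { audit_xfrm_sysctls "$(sysctl -a 2>/dev/null)" "$1"; }

# Constructed sample dump: the layout the post describes, on a kernel without
# the IPv6 knob. Interface names are made up for the example.
SAMPLE_OK='net.ipv4.conf.all.disable_policy = 1
net.ipv4.conf.all.disable_xfrm = 0
net.ipv4.conf.default.disable_policy = 1
net.ipv4.conf.default.disable_xfrm = 1
net.ipv4.conf.eth0.disable_policy = 1
net.ipv4.conf.eth0.disable_xfrm = 1
net.ipv4.conf.vti0.disable_policy = 1
net.ipv4.conf.vti0.disable_xfrm = 0
net.ipv6.conf.eth0.forwarding = 1'

# Same layout with the common mistake of setting disable_xfrm on the VTI too,
# which stops the VTI from ever handing packets to xfrm.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" | sed 's/vti0.disable_xfrm = 0/vti0.disable_xfrm = 1/')

# Usage on a real router: AUDIT_VTI=vti0 sh audit_xfrm.sh
if [ -n "${AUDIT_VTI:-}" ]; then audit_live "$AUDIT_VTI"; fi
```

Interface names containing a dot (VLAN sub-interfaces) are shown by sysctl with a slash instead, so the dot-split on the key stays valid. The RESULT line is deliberately the last thing printed so the script can be used from a deployment check that just greps for "RESULT ok".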