[strongSwan] %any picks IPv6 link-local address

David Härdeman david at hardeman.nu
Wed Oct 5 15:29:57 CEST 2016

On Tue, Aug 23, 2016 at 12:52:37PM +0200, Tobias Brunner wrote:
>> Then strongSwan will try to initiate a connection using the link-local
>> address of the pppoe-wan interface (which fails), presumably because it
>> is the device used for outgoing IPv6 traffic. But pppoe-wan doesn't have
>> a global IPv6 address assigned.
>Yes, the found route gives us the interface but nothing else as RTA_SRC
>(the `from ...` part) is currently not used by the kernel-netlink
>plugin.  So only that interface is searched for addresses.
>> So, the question is if it'd be possible to take the "from 2001:xxxx/56"
>> part of the default route into consideration when selecting the source
>> IPv6 address?
>I pushed a quick patch to the kernel-netlink-rta-src branch [1].

I've finally gotten around to cross-compiling an updated package for
OpenWRT (based on strongswan-5.5.1dr2.tar.bz2 because of how the OpenWRT
build system works) and I'm happy to say that the patch works :)

>An alternative is using the native source lookup by setting
>charon.plugins.kernel-netlink.fwmark [2].

I tried that (both with only fwmark set to !0x42 and with fwmark set to
!0x42 and socket-default set to 0x42). While it did help a bit (the
right source IP address was used and the tunnel negotiation completed),
I ended up getting error messages from netlink about invalid routes
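
Added example, not part of the original message and not strongSwan's code: a simplified Python model of the source address selection discussed above, comparing a search limited to the route's interface with one that honours the route's `from` prefix (RTA_SRC). The `br-lan` interface name, all addresses, the 2001:db8::/56 prefix and the `pick_source` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefix 2001:db8::/32).
# pppoe-wan carries only a link-local address, as in the thread;
# the global address sits on a hypothetical LAN bridge.
ADDRS = {
    "pppoe-wan": ["fe80::1c2d:3eff:fe4f:5a6b"],
    "br-lan": ["fe80::a00:27ff:fe12:3456", "2001:db8:0:1::1"],
}


def pick_source(addrs, oif, src_prefix=None):
    """Pick a source address for a route lookup result.

    addrs      -- mapping of interface name to its configured addresses
    oif        -- outgoing interface reported by the route
    src_prefix -- the route's `from` prefix (RTA_SRC), or None to ignore it
    """
    if src_prefix is None:
        # Behaviour described in the thread: only the route's
        # interface is searched for addresses.
        candidates = [ipaddress.ip_address(a) for a in addrs.get(oif, [])]
    else:
        # Assumed behaviour when the prefix is honoured: any local
        # address inside the `from` prefix qualifies, on any interface.
        net = ipaddress.ip_network(src_prefix)
        candidates = [
            ipaddress.ip_address(a)
            for if_addrs in addrs.values()
            for a in if_addrs
            if ipaddress.ip_address(a) in net
        ]
    # Prefer non-link-local addresses; sorted() is stable, so the
    # configured order is kept among equally ranked candidates.
    candidates = sorted(candidates, key=lambda a: a.is_link_local)
    return str(candidates[0]) if candidates else None


if __name__ == "__main__":
    print("interface only :", pick_source(ADDRS, "pppoe-wan"))
    print("with RTA_SRC   :", pick_source(ADDRS, "pppoe-wan", "2001:db8::/56"))
```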

