[strongSwan] strongSwan fails to configure IPv6 source routes

Noel Kuntze noel at familie-kuntze.de
Mon Jan 23 01:24:25 CET 2017


On 20.01.2017 16:31, Andrej Podzimek wrote:
> Also, I think that the IPv6 address should be configured as /48 or /64, not /128, but even that shouldn't prevent the road warrior from pinging (at least) itself. Plus the road warrior should be able to ping other machines from 2002:xxxx:yyyy::/48 behind the server or (at least) the server itself. But that's not the case. :-(

No, the IP address' CIDR prefix must be as long (IPv4: 32 bit, IPv6: 128 bit) as the protocol's address length, because there are *no* other
hosts from the subnet, where the IP comes from, locally reachable on the roadwarrior. Setting a prefix length that is not the maximum length
implicitly adds a route to the subnet to the main routing table that uses the interface that the IP is installed on and that's obviously not
what anybody wants.

> I suspect that something must have gone wrong with the duplicate address detection (dadfailed), but have no idea what, because strongSwan is the only possible source of 2002:xxxx:yyyy:5::/64 addresses on the network, so there's no way a duplicate address could emerge somewhere. 

You need to permit link-local traffic locally. Create a passthrough policy for it on the client
and/or wait for issue #2183[1] to be solved and upgrade to the release that includes a fix for it.
But seriously, you should pass through link-local traffic.

[1] https://wiki.strongswan.org/issues/2183

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
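
The passthrough policy recommended in the reply above could look like this in the client's ipsec.conf. This is an added example, not part of the original message and not taken from the strongSwan project; the conn name is made up, and the use of ipsec.conf (rather than swanctl.conf) and of fe80::/10 as the link-local range to exempt are assumptions.

```conf
# /etc/ipsec.conf on the road warrior (added example; conn name is hypothetical)

conn passthrough-ipv6-linklocal
    # Traffic selectors: IPv6 link-local unicast on both sides, so only
    # traffic that stays on the local link is matched.
    leftsubnet=fe80::/10
    rightsubnet=fe80::/10
    # This conn is never negotiated with a peer; it only installs a policy.
    authby=never
    # Install a bypass policy: matching packets are exempted from IPsec
    # processing instead of being matched by the tunnel's policies.
    type=passthrough
    # Install the policy as soon as the daemon starts.
    auto=route
```

Once the configuration is reloaded, the policy should be listed among the shunted connections in `ipsec statusall` and as an additional entry in `ip -6 xfrm policy`.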

