[strongSwan] strongSwan fails to configure IPv6 source routes

Andrej Podzimek andrej at podzimek.org
Mon Jan 30 18:55:18 CET 2017


>> I suspect that something must have gone wrong with the duplicate address detection (dadfailed), but have no idea what, because strongSwan is the only possible source of 2002:xxxx:yyyy:5::/64 addresses on the network, so there's no way a duplicate address could emerge somewhere.
>
> You need to permit link-local traffic locally. Create a passthrough policy for it on the client
> and/or wait for issue #2183[1] to be solved and upgrade to the release that includes a fix for it.
> But seriously, you should pass through link-local traffic.
>
> [1] https://wiki.strongswan.org/issues/2183

Hi Noel,

Thanks for the clarification. Sadly enough, this doesn't work for me. Or I'm still using incorrect settings. I had no idea what a link-local passthrough should look like, so I took a guess and added this on the *client* (roadwarrior) side:

         conn llpass
                 authby=never
                 type=pass
                 auto=route
                 leftsubnet=fe80::/10
                 rightsubnet=fe80::/10

It shows up in my strongswan status:

         Shunted Connections:
               llpass:  fe80::/10 === fe80::/10 PASS

IPv6 on the client still doesn't work at all. ping 2002:xxxx:yyyy:1::1, which should just work and ping the server, says "network unreachable". And there is (indeed) *no* route entry (neither in table 220 nor elsewhere) that would set the source address of 2002:xxxx:yyyy:5::1 and point at the range(s) on the server side behind the tunnel.

And the roadwarrior, 2002:xxxx:yyyy:5::1, still can't ping -6 itself. (That address is still "tentative deprecated dadfailed" in the output of "ip addr show".)

Is there anything obviously wrong with my passthrough configuration? Should I have a similar passthrough configuration also on the server? Or is this perhaps a completely different issue after all?

Cheers,
Andrej
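
An added example, not part of the original message and not strongSwan code: a check of which Neighbor Discovery packets the `fe80::/10 === fe80::/10` selector pair shown above would cover. It assumes a shunt matches a packet only when source and destination each fall in one of the two subnets. The addresses are constructed (documentation prefix 2001:db8::/32) and the packet list follows RFC 4861 and RFC 4862.

```python
import ipaddress as ip

def solicited_node(addr):
    """RFC 4291: ff02::1:ff00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ip.IPv6Address(addr)) & 0xFFFFFF
    return ip.IPv6Address(int(ip.IPv6Address("ff02::1:ff00:0")) | low24)

def ndp_packets(global_addr, link_local, peer_ll):
    """(label, src, dst) of NDP messages a host sends while bringing up global_addr."""
    ll, peer = ip.IPv6Address(link_local), ip.IPv6Address(peer_ll)
    return [
        # DAD probe: unspecified source, solicited-node multicast destination
        ("DAD neighbor solicitation", ip.IPv6Address("::"), solicited_node(global_addr)),
        # Router solicitation goes to the all-routers multicast group
        ("router solicitation", ll, ip.IPv6Address("ff02::2")),
        # Address resolution for the peer also targets solicited-node multicast
        ("address-resolution NS", ll, solicited_node(peer_ll)),
        # Reachability probes between known neighbours are plain unicast
        ("unicast NS/NA", ll, peer),
    ]

def covered(src, dst, left, right):
    """Assumed shunt semantics: src in one subnet and dst in the other."""
    l, r = ip.IPv6Network(left), ip.IPv6Network(right)
    return (src in l and dst in r) or (src in r and dst in l)

def report(left, right, global_addr, link_local, peer_ll):
    """Map each NDP message label to whether the selector pair covers it."""
    return {label: covered(s, d, left, right)
            for label, s, d in ndp_packets(global_addr, link_local, peer_ll)}

if __name__ == "__main__":
    # Constructed sample values; fe80::1 / fe80::2 stand in for the two hosts
    result = report("fe80::/10", "fe80::/10", "2001:db8:0:5::1", "fe80::1", "fe80::2")
    for label, ok in result.items():
        print(f"{label:28} {'covered' if ok else 'NOT covered'}")
```
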


