[strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)

Tobias Brunner tobias at strongswan.org
Mon Jul 6 12:12:19 CEST 2020

Hi Houman,

> I could disable *forceencaps=no* but having it enabled helps overcoming
> restrictive firewalls.Ā  So maybe it's better for my users if I
> disabledĀ IPv6 instead. Do you agree?
> Or is forcing it not such a big deal after all?

Depends on the clients.  Many will be behind a NAT anyway, others (e.g.
our Android client) will also force UDP encapsulation.  Only for
unnatted clients behind restrictive firewalls that can't force it
themselves, will forcing it on the server make a difference.

> What is strange is that I thought I had disabled ipv6, like this:
> ...
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1

I don't think that affects interfaces that are already up, so you might
have to explicitly set it for the specific interface too.

> Where do I disable it then?

You may disable charon.plugins.socket-default.use_ipv6 so the plugin
won't open an IPv6 socket.


More information about the Users mailing list