left=<ipv6_addr> not allowed when gw has both v4 & v6 address

This is happening for both openswan and strongswan drivers, and only when the public external network has both ipv4 and ipv6 subnets(i.e router gateway port has both ipv4 and ipv6 address.)

Based on the description of this problem it is possible these is also a problem for the the case that no external subnet is defined. This can occur for IPv6 as the neutron router and the upstream gateway router can use LLA to pass packets. https://review.openstack.org/#/c/156283/43 describes the case and added the changes to allow this scenario to work for general IPv6 traffic. It would be interesting to check if it is possible to set up the IPv6 tunnel when no external IPv6 subnet is defined.

Thanks John Joyce for the important info.

This is from strongswan wiki https://wiki.strongswan.org/projects/strongswan/wiki/IPv6Examples4
"Please be aware that the strongSwan pluto and charon IKE daemons cannot listen on IPv6 link-local addresses (fe80:..). You must assign a site-local, unique-local, or global IPv6 address to the physical network interface first"

So strongswan won't work with linklocal address assigned to gateway.

From the https://review.openstack.org/#/c/156283/43 I see 3 scenarios
1) Link local address for the neutron gateway and upstream router(i.e ipv6_gateway) . Adding default route in router with upstream router LLA.
As strongswan won't work with linklocal address assigned to router gateway, user can't use this approach(i.e depending only on LLA to connect to external network) for ipsec

2)router gateway autoconfigures GUA from the prefix recieved trough RA from upstream router.
In this case neutron is unaware of this GUA as it is assigned externally. This may change as prefix from upsteam router may be periodically changing.
So can't have ipsec vpn in this scenario also.

3)external network will have ipv6 subnet. This is the normal use case and we can we have GUA to router gateway, which neutron is aware of. VPN ipsec can be supported in this scenario.

So to support ipsec vpn with ipv6, we can say to the user that, external network must have ipv6 subnet.
Please correct me if I am wrong.

Fix proposed to branch: master
Review: https://review.openstack.org/181842

Reviewed: https://review.openstack.org/181842
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=0003f936b040a16ee9c1f72de7702cb083d41d9d
Submitter: Jenkins
Branch: master

commit 0003f936b040a16ee9c1f72de7702cb083d41d9d
Author: venkata anil <email address hidden>
Date: Mon May 18 14:14:15 2015 +0000

    Assign external_ip based on ip version of peer_address

    In the same ipsec site connection, external_ip and peer_address
    should be of same ip version for *Swan.
    So external_ip should be assigned from router gateway addresses
    based on ip version of peer_address.

    Ipsec won't work with IPv6 LLA and neutron unaware GUA.
    So to support vpnaas with ipv6, external network must have ipv6 subnet.

    DocImpact
    a, In the same ipsec site connection, external_ip and peer_address
       should be of same ip version for *Swan.
    b, To support vpnaas with ipv6, external network must have ipv6 subnet,
       as ipsec won't work with IPv6 LLA and neutron unaware GUA.
    Change-Id: Id6ce9939d448d7d009af491ae3d49ba5e1efb9cf
    Closes-bug: #1450479