IPv6 over IPv4 IPSec tunnel communication error
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
network-manager-strongswan (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Hello guys,
I tried with the network-
My goal is a dual-stack connection via IPv4. Therefore I'm trying to set up CHILD_SA for IPv4 and IPv6.
It failed with the network-
For example, we get this kind of error:
13[KNL] received netlink error: Invalid argument (22)
13[KNL] unable to install source route for X:X::2
13[IKE] installed bypass policy for X:X::2/128
Solution via CLI-Strongswan:
swanctl.conf
connections {
    ipsec-ikev2-psk {
        dpd_delay = 30s
        dpd_timeout = 150s
        version = 2
        remote_addrs = ikev2.ipsec.host
        vips = 0.0.0.0,::
        rekey_time = 1800s
        fragmentation = no
        proposals = aes256-
        mobike = no
        encap = yes
        unique = replace
        local-1 {
            auth = psk
            id = "IPSecID"
        }
        remote {
            auth = psk
            id = %any
        }
        children {
            ikev16-ikev2-psk {
                remote_ts = ::/0
                esp_proposals = aes256-
                close_action = start
                start_action = start
            }
        }
        children {
            ipsecv4-
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256-
                close_action = start
                start_action = start
            }
        }
    }
}
It seems the network-
That error doesn't seem related (looks more like something the bypass-lan plugin would log). So please post the complete log.
Also, your manual config creates two CHILD_SAs, one for each family. That's not how the NM plugin operates. It assumes the responder is able to narrow the traffic selectors of a single CHILD_SA appropriately (it proposes 0.0.0.0/0 AND ::/0 as remote traffic selectors). If the device you connect to is unable to do that and requires two CHILD_SAs, you won't be able to use both address families with the NM plugin.
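Added example, not part of the original report or the comment above: a swanctl.conf test connection that puts both address families into a single CHILD_SA, which is what the comment says the NM plugin proposes, so the responder's narrowing can be checked from the CLI. The connection name `nm-like-dualstack` and child name `dualstack` are hypothetical, the IKE and ESP proposals are left at strongSwan defaults because the values in the report are truncated, and the PSK `secrets` section is assumed to be the one already in use.

```conf
# Constructed test config, not taken from the bug report.
connections {
    # Hypothetical connection name.
    nm-like-dualstack {
        version = 2
        remote_addrs = ikev2.ipsec.host
        # Request one IPv4 and one IPv6 virtual IP, as in the report.
        vips = 0.0.0.0,::
        mobike = no
        encap = yes
        # proposals: strongSwan defaults (the report's values are truncated).
        local-1 {
            auth = psk
            id = "IPSecID"
        }
        remote {
            auth = psk
            id = %any
        }
        children {
            # Hypothetical child name. Both families in ONE CHILD_SA:
            # the responder has to narrow this selector set itself.
            dualstack {
                remote_ts = 0.0.0.0/0,::/0
                start_action = start
            }
        }
    }
}
```

After loading it with `swanctl --load-all`, `swanctl --list-sas` shows the traffic selectors the responder actually accepted for the child. If only one family appears there, or the child is rejected, the gateway does not narrow a mixed selector set and needs the two-CHILD_SA layout from the report.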