Wrong source IPv6 address selection for virtual address and split-tunnel
When rw receives address to install, that address is appended to the interface with global scope and indefinite lifetime.
This causes the address to be used by non-ipsec traffic - which definitely fails.
To mitigate this an address should be marked as invalid for rfc sort. For ipsec traffic source is assigned explicitly by rule so address validity is irrelevant.
Proposed patch sets preferred lifetime for an address to 0 which immediately deprecates the address. This exempts the address from normal src selection by IPv6 stack implementation.
#1 Updated by Tobias Brunner about 6 years ago
- Tracker changed from Issue to Bug
- Category set to libhydra
- Status changed from New to Closed
- Assignee set to Tobias Brunner
- Target version set to 5.2.0
- Resolution set to Fixed
Thanks for the report. I pushed a modified version of your patch to our repository (see associated commit).
As a workaround you could try to set charon.install_virtual_ip_on in strongswan.conf to e.g. lo (by default virtual IPs are installed on the outbound interface), which should also prevent the kernel from choosing these addresses.