Issue #694
Updated by Tobias Brunner about 11 years ago
Hi all
I am using StrongSwan 5.2.0 on Gentoo Linux amd64 (kernel 3.16.0) against an OpenBSD 5.6 gateway with iked (IKEv2 daemon) to tunnel all IPv6 traffic from the client to the IPv6 internet via the gateway. While the connection succeeds without problems and the tunnel receives an "inner" ("virtual") IPv6 address, that interface is set to "deprecated", with a preferred life time of 0 sec.
Thus, the interface is only used when IPv6 connections are requested explicitly (ssh -6 $hostname or ping6 $hostname). But if $hostname has both A and AAAA records in DNS, the system (getaddrinfo) always prefers IPv4 (eg. with ssh $hostname), heedless of what I put into /etc/gai.conf.
Only after manually running "ip -6 addr change $ClientIPv6 dev wlan0 valid_lft 0xffffffff preferred_lft 0xffffffff" does the interface become fully usable.
Here's a quick setup overview:
<pre>
/etc/ipsec.conf
strictcrlpolicy=no
charondebug="ike 4, enc 4, knl 4, cfg 2" #useful debugs
conn %default
ikelifetime=1440m
keylife=60m
rekeymargin=3m
keyexchange=ikev1
compress=no
mobike=yes
conn mytunnel
type=tunnel
compress=no
mobike=yes
left=%defaultroute
leftcert=client.crt
leftid=client@my.domain
leftauth=pubkey
leftsourceip=%config
right=$GatewayIPv4
rightid=$GatewayFQDN
rightauth=pubkey
rightsubnet=::/0
keyexchange=ikev2
auto=add
</pre>
Authentication, SA setup and IKEv2 CPREQ all work fine, but the interface results in:
<pre>
ip addr show wlan0
wlan0: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff
inet 192.168.0.2/24 brd 192.168.0.255 scope global wlan0
valid_lft forever preferred_lft forever
inet6 $ClientIPv6/128 scope global deprecated
valid_lft forever preferred_lft 0sec
inet6 fe80::aabb:ccdd:eeff/64 scope link
valid_lft forever preferred_lft forever
</pre>
After which the above command is required to make the client OS consider IPv6 when calling getaddrinfo.
Is there a particular reason why the interface is set to deprecated? Or is this some interoperability issue? Or a bug?
Krgds /markus
PS: I found the same issue reported here, but with no reply:
http://article.gmane.org/gmane.network.vpn.strongswan.user/8209
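The following script is an added example and not part of the issue report or of strongSwan itself. It reproduces the check the reporter did by hand: parse `ip addr show` output, find the global-scope inet6 address that carries the `deprecated` flag (the `preferred_lft 0sec` address shown above), and emit the `ip -6 addr change ... valid_lft 0xffffffff preferred_lft 0xffffffff` command from the post for it. The interface name `wlan0` and the address `2001:db8::2/128` (documentation prefix, standing in for `$ClientIPv6`) are constructed sample data; `fix_live` is the only function that touches a real interface and is not called by the script.

```shell
#!/bin/sh
# Added example, not part of the original issue report: find the virtual IPv6
# address that was installed with "preferred_lft 0sec" (shown as "deprecated"
# by `ip addr show`) and emit the `ip -6 addr change` command the reporter used
# to make it preferred again. 2001:db8::2 is a documentation-prefix stand-in
# for $ClientIPv6.

# Constructed sample of `ip -6 addr show dev wlan0`, mirroring the issue's output.
SAMPLE_DEPRECATED='2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8::2/128 scope global deprecated
       valid_lft forever preferred_lft 0sec
    inet6 fe80::aabb:ccdd:eeff/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sample of the same interface after the workaround has been applied.
SAMPLE_HEALTHY='2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8::2/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::aabb:ccdd:eeff/64 scope link
       valid_lft forever preferred_lft forever'

# deprecated_global_v6 OUTPUT
# Print every global-scope inet6 address/prefix in OUTPUT that carries the
# "deprecated" flag, one per line. Link-local addresses are skipped on purpose:
# they play no part in getaddrinfo's choice between an A and an AAAA record.
deprecated_global_v6() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" && $3 == "scope" && $4 == "global" {
            for (i = 5; i <= NF; i++) if ($i == "deprecated") { print $2; break }
        }'
}

# undeprecate_cmd ADDR/PREFIX IFNAME
# Print the command from the issue. 0xffffffff is the netlink encoding of an
# infinite lifetime, which `ip` then displays as "forever".
undeprecate_cmd() {
    printf 'ip -6 addr change %s dev %s valid_lft 0xffffffff preferred_lft 0xffffffff\n' "$1" "$2"
}

# plan_fix OUTPUT IFNAME
# Print one undeprecate command per deprecated global address found in OUTPUT.
# Prints nothing when there is nothing to fix.
plan_fix() {
    deprecated_global_v6 "$1" | while read -r addr; do
        undeprecate_cmd "$addr" "$2"
    done
}

# fix_live IFNAME
# Same as plan_fix, but reads the live interface and runs the commands.
# Needs CAP_NET_ADMIN (root); deliberately not called below so the example
# runs unprivileged.
fix_live() {
    plan_fix "$(ip -6 addr show dev "$1")" "$1" | while read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# Dry run on the constructed sample: prints the command for 2001:db8::2/128.
plan_fix "$SAMPLE_DEPRECATED" wlan0
```

To apply it on a real client, run `fix_live wlan0` as root after the tunnel is up; hooking it into a `leftupdown=` script is possible in principle (strongSwan's updown template exports `PLUTO_INTERFACE` and `PLUTO_MY_SOURCEIP`), but whether the virtual address is already installed when the hook fires is an assumption to verify on your version, so a one-off call after `ipsec up mytunnel` is the safer starting point. One caveat before making the address preferred: a non-deprecated global address is a valid source-address candidate for any IPv6 destination, so with a `rightsubnet` narrower than `::/0` the kernel could pick the tunnel address as source for traffic that no IPsec policy covers. With `rightsubnet=::/0` as in this configuration every IPv6 destination is inside the policy, so that concern does not apply here.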