Feature #2138

Updated by Tobias Brunner about 4 years ago

I have a strongswan server and strongswan road warrior client with the following configuration:

Server: global+local IPv6 addresses, global+local IPv4 addresses, DNS A record for openwrt.myorg.org points to global v4 address, DNS AAAA record for openwrt.myorg.org points to global v6 address
Client: global+local IPv6 addresses, local IPv4 address, no DNS records

ipsec.conf on the client has (sanitized):
<pre>
conn %default
ikelifetime=3h
lifetime=1h
margintime=9m
keyingtries=%forever
keyexchange=ikev2
left=%any
leftauth=pubkey
leftcert=mobile-pi3Cert.der
leftid="C=DE, O=myorg, CN=mobile-pi3"
leftsourceip=192.168.3.5
leftfirewall=yes
lefthostaccess=yes

conn openwrt
auto=start
#dpdaction=restart should only be set at a client, not at the central server
dpdaction=restart
closeaction=restart
right=%openwrt.myorg.org
rightsubnet=0.0.0.0/0
rightauth=pubkey
rightcert=openwrtCert.der
rightid="C=DE, O=myorg, CN=openwrt"
rightdns=192.168.2.1
</pre>


Given that openwrt.myorg.org has both an A and an AAAA record, sometimes IKEv2 happens via IPv4, sometimes via IPv6. IPv4 always works fine, but the IKEv2 source address selection for IPv6 seems to be somewhat random.

Performing IKEv2 from client global IPv6 address to server global IPv6 address works fine, but sometimes the client attempts to use its unique local address (in the range fc00::/7) as source address for IKEv2. That obviously can't work over the public internet unless some IPv6 NAT is involved.

Suggestion: For IKEv2 IPv6 source address selection (initial connection as well as MOBIKE associated reconnect), the source address selection algorithm should check if the IPv6 destination address is a global address, and prefer an IPv6 global address as source address as well. If the IPv6 destination address is unique local, the source address selection algorithm should prefer a unique local address as well.
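The scope-matching rule proposed above, written out as an added Python example (not strongSwan's own code); the client address list and the destination addresses are constructed sample values, and the scope ranges are taken from RFC 4291 (2000::/3 global unicast, fe80::/10 link-local) and RFC 4193 (fc00::/7 unique local).

```python
import ipaddress
from typing import Optional, List

# Constructed sample: a road-warrior client holding one address per scope.
CLIENT_ADDRS: List[str] = [
    "fd12:3456:789a::5",  # unique local (fc00::/7), only valid toward ULA peers
    "2001:db8:1::5",      # global unicast (2000::/3)
    "fe80::1%eth0",       # link-local, never usable for IKE across the internet
]

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def scope(addr: ipaddress.IPv6Address) -> str:
    """Classify an IPv6 address into the scopes the proposal distinguishes."""
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def select_source(dst: str, candidates: List[str] = CLIENT_ADDRS) -> Optional[str]:
    """Return the first local address whose scope matches the destination's scope.

    Returns None when no candidate matches, so a caller can fall back to the
    kernel's default route selection instead of silently sending IKE from a
    unique local address toward a global peer (the failure described above).
    """
    want = scope(ipaddress.IPv6Address(dst))
    for cand in candidates:
        # Strip a zone index such as "%eth0" before parsing.
        addr = ipaddress.IPv6Address(cand.split("%", 1)[0])
        if scope(addr) == want:
            return str(addr)
    return None
```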
