
List:       strongswan-users
Subject:    Re: [strongSwan] IPv6 source addresses marked as deprecated (preferred_lft == 0)
From:       Andrej Podzimek <andrej () podzimek ! org>
Date:       2014-11-16 19:19:51
Message-ID: 5468F8D7.3080302 () podzimek ! org

> The new problem:
> A machine has 6to4 access to IPv6 (2002:xxxx:xxxx::/48 etc.) and wants to use IPSec only when talking to a specific IPv6 subnet (say 2a01:yyyy:yyyy:yyyy::/64), connecting without IPSec anywhere outside that subnet. (I think this is called "split tunnel mode" or the like.) The problem is that the virtual IPv6 address obtained to access the tunnel has preferred_lft set to forever, which is wrong for this particular case. Consequently, exactly as mentioned in bug #598, the virtual IPv6 address is preferred over the 6to4 address for outbound connections, perhaps because "native IPv6" addresses are preferred over 6to4. This limits the capability to initiate IPv6 connections solely to the small subnet behind the tunnel, though IPv6 connections can be accepted from anywhere (both via IPSec and via 6to4).
>
> Presumably, marking the tunnel address as deprecated resolves this problem (for a short time):
>      ip -6 addr change "${tunnel_virtual_address}" dev "${device}" preferred_lft 0

Just FTR, this will most likely circumvent the secure tunnel completely, defeating its sole purpose. ;-) So this is a completely wrong "solution".


Cheers,
Andrej
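To see why the virtual address wins by default and what `preferred_lft 0` changes, here is an added example (not code from the thread or from strongSwan) that applies the relevant RFC 6724 source-selection rules (avoid deprecated, prefer matching label, longest common prefix) with the default policy table; the addresses are constructed, and it assumes nothing about how the IPsec policy's traffic selectors are defined.

```python
import ipaddress

# Default RFC 6724 policy table: (prefix, precedence, label).
POLICY = [
    (ipaddress.ip_network("::1/128"), 50, 0),
    (ipaddress.ip_network("::/0"), 40, 1),
    (ipaddress.ip_network("::ffff:0:0/96"), 35, 4),
    (ipaddress.ip_network("2002::/16"), 30, 2),   # 6to4 gets its own label
    (ipaddress.ip_network("2001::/32"), 5, 5),
    (ipaddress.ip_network("fc00::/7"), 3, 13),
    (ipaddress.ip_network("::/96"), 1, 3),
    (ipaddress.ip_network("fec0::/10"), 1, 11),
    (ipaddress.ip_network("3ffe::/16"), 1, 12),
]


def label(addr):
    """Label of the longest-matching policy table entry for addr."""
    best = max((n for n, _, _ in POLICY if addr in n), key=lambda n: n.prefixlen)
    return next(lbl for n, _, lbl in POLICY if n == best)


def common_prefix_len(a, b):
    """Number of leading bits shared by two IPv6 addresses."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(candidates, dst):
    """candidates: [(address, preferred_lft)], preferred_lft 0 == deprecated,
    None == forever.  Returns the address the kernel would pick for dst,
    applying RFC 6724 rules 3, 6 and 8 in order (higher tuple wins)."""
    dst = ipaddress.IPv6Address(dst)

    def rank(cand):
        addr = ipaddress.IPv6Address(cand[0])
        return (cand[1] != 0,                    # rule 3: avoid deprecated
                label(addr) == label(dst),       # rule 6: matching label
                common_prefix_len(addr, dst))    # rule 8: longest prefix
    return max(candidates, key=rank)[0]


if __name__ == "__main__":
    # Constructed: a 6to4 address and the tunnel's virtual native address.
    sixto4, virt = "2002:c000:204::1", "2001:db8:ffff::10"
    for dest in ("2001:db8:1::1", "2001:db8:2::1"):
        print(dest, select_source([(sixto4, None), (virt, None)], dest),
              select_source([(sixto4, None), (virt, 0)], dest))
```

With the default lifetime the virtual (native) address is chosen for every native destination because its label matches; once it is deprecated, rule 3 removes it from consideration for all destinations, including the protected subnet, so outbound packets carry the 6to4 source regardless of where they go.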