Package: strongswan-nm Version: 5.6.1-2 Severity: important Tags: ipv6 When using the NetworkManager plugin, when the "Request inner IP" option is set, this requests only an IPv4 address. I believe if an IPv6 address were requested, the CPRQ line would include an "ADDR6" entry:
Dec 18 02:44:40 genre charon-nm: 07[IKE] establishing CHILD_SA vpn-remote{9} Dec 18 02:44:40 genre charon-nm: 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] Since the remote side is also strongSwan, no IPv6 address is issued if the client doesn't request one. If the VPN plugin has IPv6 enabled, then strongSwan should request both an IPv4 and an IPv6 address. Not doing so causes IPv6 traffic to leak if the client has other IPv6 connectivity. -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages strongswan-nm depends on: ii libc6 2.25-4 ii libdbus-glib-1-2 0.108-3 ii libglib2.0-0 2.54.2-1 ii libnm-glib-vpn1 1.10.2-1 ii libnm-util2 1.10.2-1 ii libstrongswan 5.6.1-2 ii strongswan-libcharon 5.6.1-2 Versions of packages strongswan-nm recommends: ii network-manager-strongswan 1.4.2-1 strongswan-nm suggests no packages. -- no debconf information -- brian m. carlson / brian with sandals: Houston, Texas, US https://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: https://keybase.io/bk2204
signature.asc
Description: PGP signature