Rocky 9 packaged RPMs don't go beyond libreswan 4.15 so I downloaded 5.3 as a tarball and compiled from source.
After bringing up the connection, ipsec showroute returns an error:

# ipsec showroute 2404:9400:3:0:216:3eff:fee8:a03
ipsec showroute: 2404:9400:3:0:216:3eff:fee8:a03: source failed

So I hacked the _updown script to dump the relevant variables passed in:

PLUTO_CFG_CLIENT=0
PLUTO_CFG_SERVER=0
PLUTO_CLIENT_FAMILY=ipv6
PLUTO_CONN_ADDRFAMILY=ipv6
PLUTO_CONNECTION=test
PLUTO_CONNECTION_TYPE=tunnel
PLUTO_CONN_KIND=CK_PERMANENT
PLUTO_CONN_POLICY=IKEv2+RSASIG+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
PLUTO_INTERFACE=eth0
PLUTO_IS_PEER_CISCO=0
PLUTO_ME=2403:5805:3555::2
PLUTO_MY_CLIENT=2403:5805:3555:10::/64
PLUTO_MY_CLIENT_MASK=ffff:ffff:ffff:ffff::
PLUTO_MY_CLIENT_NET=2403:5805:3555:10::
PLUTO_MY_ID='C=AU, ST=Victoria, L=Skye, O=Aardvark, CN=neo.skye.au'
PLUTO_MY_PORT=0
PLUTO_MY_PROTOCOL=0
PLUTO_MY_SOURCEIP=2403:5805:3555:10::1
PLUTO_NEXT_HOP=fe80::a691:b1ff:fed4:dc56
PLUTO_NM_CONFIGURED=0
PLUTO_PEER_BANNER=
PLUTO_PEER_CA=
PLUTO_PEER_CLIENT=2404:9400:3:0:216:3eff:fee8:a03/128
PLUTO_PEER_CLIENT_NET=2404:9400:3:0:216:3eff:fee8:a03
PLUTO_PEER_CLIENT_MASK=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
PLUTO_PEER_DNS_INFO=
PLUTO_PEER_DOMAIN_INFO=
PLUTO_PEER_ID='C=AU, ST=Victoria, L=Skye, O=Aardvark, CN=trinity.skye.au'
PLUTO_PEER=2404:9400:3:0:216:3eff:fee8:a03
PLUTO_PEER_PORT=0
PLUTO_PEER_PROTOCOL=0
PLUTO_SA_REQID=16401
PLUTO_SA_TYPE=ESP
PLUTO_STACK=xfrm
PLUTO_VIRT_INTERFACE=NJLL
PLUTO_XFRMI_ROUTE=
VTI_IFACE=
VTI_ROUTING=no
VTI_SHARED=no
XAUTH_FAILED=0

If I hard code 'left' and 'leftnexthop' into the conn description in lieu of %defaultroute (which works okay), the only difference to the above variables is

PLUTO_NEXT_HOP=2403:5805:3555::1

which is the global routable IP through outbound interface eth0.

It seems that with %defaultroute, PLUTO_NEXT_HOP is being correctly determined as fe80::a691:b1ff:fed4:dc56 (link-local IP of the outbound interface eth0) but the source device is being forced to eth1 (internal):

#ip -6 ro li
2404:9400:3:0:216:3eff:fee8:a03 via fe80::a691:b1ff:fed4:dc56 dev eth1 src 2403:5805:3555:10::1 metric 1024 pref medium

If I manually delete that incorrect route and create the same except using dev eth0 then everything works happily.

> Would you be able to install a more recent version of libreswan
> (either mainline or 5.3) and then run
>
> ipsec showroute 2404:9400:3:0:216:3eff:fee8:a03
>
> it will print what libreswan thinks is the IP address for the
> interface, gateway, and dest helping us narrow down the problem.
> These values are then passed to the updown script.
>
> On Wed, 29 Oct 2025 at 01:11, Skye Dobson <[email protected]> wrote:
>>
>> Having an issue with IPv6 subnet-to-host connection selecting the wrong
>> interface when routing using %defaultroute.
>>
>> (The same config with IPv4 works properly)
>>
>> Running libreswan 4.15 under Rocky 9 Linux using the out-of-box _updown
>> script.
>>
>> ---
>>
>> Network topology:
>>
>> Internal interface
>> eth1
>> 2403:5805:3555:10::1/64
>> 172.21.1.1/24
>> ^
>> |
>> Internal router
>> (Running libreswan)
>> |
>> V
>> DMZ interface
>> default route
>> eth0
>> 2403:5805:3555::2
>> 172.21.0.2/24
>> ^
>> |
>> V
>> Internet gateway
>> Internal interface
>> 2403:5705:3555::1
>> fe80::a691:b1ff:fed4:dc56
>> 172.21.0.1
>> ^
>> |
>> Internet
>> |
>> V
>> Remote host
>> 2404:9400:3:0:216:3eff:fee8:a03
>> 103.249.236.138
>>
>> ---
>>
>> libreswan config:
>>
>> conn test
>>     hostaddrfamily=ipv6
>>     clientaddrfamily=ipv6
>>
>>     type=tunnel
>>     ikev2=yes
>>     authby=rsasig
>>     dpddelay=30
>>     dpdtimeout=90
>>     dpdaction=clear
>>
>>     left=%defaultroute
>>     leftrsasigkey=%cert
>>     leftcert=neo
>>     leftid=%fromcert
>>     leftsubnet=2403:5805:3555:10::/64
>>     leftsourceip=2403:5805:3555:10::1
>>
>>     right=2404:9400:3:0:216:3eff:fee8:a03
>>     rightrsasigkey=%cert
>>     rightca=%same
>>
>> ---
>>
>> After establishment of the connection, routing table is:
>>
>> #ip -6 ro li
>> ::1 dev lo proto kernel metric 256 pref medium
>> 2403:5805:3555::/64 dev eth0 proto kernel metric 102 pref medium
>> 2403:5805:3555:10::/64 dev eth1 proto kernel metric 101 pref medium
>> 2404:9400:3:0:216:3eff:fee8:a03 via fe80::a691:b1ff:fed4:dc56 dev eth1 src 2403:5805:3555:10::1 metric 1024 pref medium
>> fe80::/64 dev eth1 proto kernel metric 1024 pref medium
>> fe80::/64 dev eth0 proto kernel metric 1024 pref medium
>> default via fe80::a691:b1ff:fed4:dc56 dev eth0 metric 1024 pref medium
>>
>> i.e. route to the remote host is established specifying eth1 but using
>> link-local address of the default eth0 interface
>>
>> ---
>>
>> The same connection but replacing %defaultroute with:
>>
>> conn test
>>     left=2403:5805:3555::2
>>     leftnexthop=2403:5805:3555::1
>>
>> works nicely:
>>
>> #ip -6 ro li
>> ...
>> 2404:9400:3:0:216:3eff:fee8:a03 via 2403:5805:3555::1 dev eth0 src 2403:5805:3555:10::1 metric 1024 pref medium
>>
>> ---

_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]
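The manual fix in the thread (delete the route that landed on eth1, recreate it with dev eth0) can be scripted. The helper below is an added example, not code from the thread or from libreswan: it takes the PLUTO_NEXT_HOP, PLUTO_PEER_CLIENT and PLUTO_MY_SOURCEIP values that the poster dumped from _updown, and when the next hop is a link-local address (where fe80::/64 exists on both eth0 and eth1, so the prefix alone cannot identify the device) it picks the device of the IPv6 default route that goes via that gateway, then emits the corrected `ip -6 route replace` command. The function names, the idea of calling this from a custom _updown wrapper, and the `RUN` toggle are assumptions; the route table is a constructed copy of the listing posted in the thread.

```shell
#!/bin/sh
# Added example, not libreswan's own code: resolve which device owns a
# link-local next hop before installing a tunnel route. Assumption: a custom
# _updown wrapper would call tunnel_route_cmd with the PLUTO_* values.

# Constructed copy of the `ip -6 ro li` output posted in the thread.
ROUTE_TABLE='::1 dev lo proto kernel metric 256 pref medium
2403:5805:3555::/64 dev eth0 proto kernel metric 102 pref medium
2403:5805:3555:10::/64 dev eth1 proto kernel metric 101 pref medium
2404:9400:3:0:216:3eff:fee8:a03 via fe80::a691:b1ff:fed4:dc56 dev eth1 src 2403:5805:3555:10::1 metric 1024 pref medium
fe80::/64 dev eth1 proto kernel metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
default via fe80::a691:b1ff:fed4:dc56 dev eth0 metric 1024 pref medium'

# is_linklocal ADDR -> exit 0 if ADDR is in fe80::/10 (fe8x, fe9x, feax, febx).
is_linklocal() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        fe8*|fe9*|fea*|feb*) return 0 ;;
        *) return 1 ;;
    esac
}

# gateway_dev GATEWAY TABLE -> device of the default route that goes via
# GATEWAY (printed on stdout); prints nothing if there is no such route.
gateway_dev() {
    printf '%s\n' "$2" | awk -v gw="$1" '
        $1 == "default" && $2 == "via" && $3 == gw {
            for (i = 4; i < NF; i++) if ($i == "dev") { print $(i+1); exit }
        }'
}

# tunnel_route_cmd DEST NEXTHOP SRCIP TABLE -> the `ip -6 route replace`
# command that pins the route to the device actually owning NEXTHOP.
# A global next hop is unambiguous, so no dev is forced in that case.
tunnel_route_cmd() {
    dest=$1; nexthop=$2; srcip=$3; table=$4
    if is_linklocal "$nexthop"; then
        dev=$(gateway_dev "$nexthop" "$table")
        [ -n "$dev" ] || { echo "no default route via $nexthop" >&2; return 1; }
        echo "ip -6 route replace $dest via $nexthop dev $dev src $srcip"
    else
        echo "ip -6 route replace $dest via $nexthop src $srcip"
    fi
}

# Demo with the values from the poster's _updown dump. The command is only
# printed unless RUN=1 (assumed toggle), so this runs without privileges.
PLUTO_PEER_CLIENT=2404:9400:3:0:216:3eff:fee8:a03/128
PLUTO_NEXT_HOP=fe80::a691:b1ff:fed4:dc56
PLUTO_MY_SOURCEIP=2403:5805:3555:10::1
cmd=$(tunnel_route_cmd "$PLUTO_PEER_CLIENT" "$PLUTO_NEXT_HOP" "$PLUTO_MY_SOURCEIP" "$ROUTE_TABLE")
echo "$cmd"
[ "${RUN:-0}" = 1 ] && $cmd
```

On a live router the constructed table would be replaced by `ip -6 route show`, and the emitted command is the same `via ... dev eth0 src ...` route the poster created by hand; `ip route replace` avoids the separate delete step.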
