Hi,

There is another issue now. I have a Windows 7 client which has both IPv4 and IPv6 enabled in its configuration. The server's ipsec.conf defines two profiles, one for IPv4 and one for IPv6. If I disable the IPv6 profile, the IPv4 profile is chosen, but, because the Windows 7 client already had an IPv6 address once, it is requesting that one again. The log shows the following error:

Apr 12 16:03:42 vpn6-test charon: 16[IKE] peer requested virtual IP fec0:a18:2341:3440::1
Apr 12 16:03:42 vpn6-test charon: 16[CFG] IP pool address family mismatch
Apr 12 16:03:42 vpn6-test charon: 16[LIB] acquiring address from pool 'ipv4.test' failed
Apr 12 16:03:42 vpn6-test charon: 16[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE

Is there any workaround for this issue? Or is there any way to tell Windows not to make any proposals?

best regards
Claude Tompers

On Monday 12 April 2010 14:33:46 Claude Tompers wrote:
> Hi,
>
> Sorry, I must have done something wrong in my configuration.
> It now works with an /112 subnet.
>
> Thanks a lot for the help anyway.
>
> regards
> Claude Tompers
>
>
> On Monday 12 April 2010 13:34:10 Jan Engelhardt wrote:
> >
> > On Monday 2010-04-12 13:06, Andreas Steffen wrote:
> >
> > >The real problem is that the Linux kernel does not support
> > >routing table entries with the src parameter being an IPv6
> > >address,
> >
> > I would not call it a problem. If I understand right, the src addr,
> > if it has not explicitly been set or specified using bind(2) or
> > sendto(2), is not determined by looking at the "src" attribute in
> > IPv6, but at the address list of an interface, and picking one that
> > has an appropriate lifetime. Since reproducing the same lookup logic
> > in strongswan would be sort of an unwanted fork, the kernel does have
> > a way to calculate the routing entry src address, by using `ip route
> > get` or the respective netlink calls. Does that help?
> >
> > >so that virtual IPv6 addresses can be checked out
> > >by a VPN gateway and are transported via the IKEv2 configuration
> > >payload or the IKEv1 Mode Config payload but cannot be
> > >installed in the kernel. Thus we cannot force IPv6 packets
> > >to leave via a physical interface but assuming a different
> > >source address.
> >
> >

--
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
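
The failure sequence in the log quoted in the message above can be picked out of a larger charon log by correlating lines per worker thread number. The following Python code is an added example, not part of the original message and not strongSwan code; the function names are hypothetical, the first four sample lines are the ones from the post and the last one is constructed.

```python
import ipaddress
import re

# charon part of a syslog line: "<thread>[<subsystem>] <message>"
CHARON = re.compile(r"charon: (\d+)\[\w+\] (.*)$")
REQUESTED = re.compile(r"peer requested virtual IP (\S+)")
POOL_FAILED = re.compile(r"acquiring address from pool '([^']+)' failed")

# First four lines are quoted from the post; the last line is constructed.
SAMPLE_LOG = """\
Apr 12 16:03:42 vpn6-test charon: 16[IKE] peer requested virtual IP fec0:a18:2341:3440::1
Apr 12 16:03:42 vpn6-test charon: 16[CFG] IP pool address family mismatch
Apr 12 16:03:42 vpn6-test charon: 16[LIB] acquiring address from pool 'ipv4.test' failed
Apr 12 16:03:42 vpn6-test charon: 16[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Apr 12 16:03:50 vpn6-test charon: 09[IKE] peer requested virtual IP 10.3.0.5
"""


def address_family(value):
    """Return 'IPv4' or 'IPv6', or None when the value is not a literal address."""
    try:
        return "IPv%d" % ipaddress.ip_address(value).version
    except ValueError:
        return None


def find_vip_failures(log_text):
    """Return one record per request that ended in INTERNAL_ADDRESS_FAILURE."""
    pending = {}    # thread number -> request currently being processed
    failures = []
    for line in log_text.splitlines():
        m = CHARON.search(line)
        if not m:
            continue
        thread, msg = m.groups()
        req = REQUESTED.search(msg)
        pool = POOL_FAILED.search(msg)
        state = pending.get(thread)
        if req:
            pending[thread] = {"requested": req.group(1), "pools": [],
                               "family": address_family(req.group(1)),
                               "family_mismatch": False}
        elif state is None:
            continue
        elif "IP pool address family mismatch" in msg:
            state["family_mismatch"] = True
        elif pool:
            state["pools"].append(pool.group(1))
        elif "INTERNAL_ADDRESS_FAILURE" in msg:
            failures.append(dict(pending.pop(thread), thread=thread))
    return failures
```

Calling `find_vip_failures(SAMPLE_LOG)` reports only the thread 16 exchange, with the requested address, its family, and the pool that could not serve it.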