The new problem:
A machine has a 6to4 access to IPv6 (2002:xxxx:xxxx::/48 etc.) and wants to use IPSec only when 
talking to a specific IPv6 subnet (say 2a01:yyyy:yyyy:yyyy::/64), connecting without IPSec anywhere 
outside that subnet. (I think this is called "split tunnel mode" or the like.) The 
problem is that the virtual IPv6 address obtained to access the tunnel has preferred_lft set to 
forever, which is wrong for this particular case. Consequently, exactly as mentioned in bug #598, 
the virtual IPv6 address is preferred over the 6to4 address for outbound connections, perhaps 
because "native IPv6" addresses are preferred over 6to4. This limits the capability to 
initiate IPv6 connections solely to the small subnet behind the tunnel, though IPv6 connections can 
be accepted from anywhere (both via IPSec and via 6to4).

Presumably, marking the tunnel address as deprecated resolves this problem (for 
a short time):
     ip -6 addr change "${tunnel_virtual_address}" dev "${device}" preferred_lft 0

Just FTR, this will most likely circumvent the secure tunnel completely, defeating its 
sole purpose. ;-) So this is a completely wrong "solution".

Cheers,
Andrej

Attachment: smime.p7s
Description: S/MIME electronic signature

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
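The message above turns on whether the virtual (tunnel) address still has a non-zero preferred_lft and therefore competes with the 6to4 address in source-address selection. The following script is an added example, not part of the original message or of strongSwan; it classifies the global IPv6 addresses in `ip -6 addr show` output as preferred or deprecated so an operator can check that state before and after changing a lifetime. The sample output, device names and addresses are constructed for the example and only assume the usual layout of `ip -6 addr show` (an interface header line, then an `inet6 ... scope ...` line followed by its `valid_lft ... preferred_lft ...` line).

```shell
#!/bin/sh
# Added example (not from the original message): classify global IPv6 addresses
# found in `ip -6 addr show` output as "preferred" or "deprecated". An address
# with preferred_lft 0 (shown by ip as "deprecated" / "preferred_lft 0sec") is
# skipped by source-address selection; one with a non-zero preferred_lft can be
# chosen as the source for outbound connections.

# Constructed sample in the format of `ip -6 addr show`; devices, addresses and
# lifetimes are invented. sit1 carries a 6to4 prefix, eth0 three /128 addresses
# of the kind a virtual IP assignment installs.
SAMPLE_OUTPUT='2: sit1: <NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN qlen 1000
    inet6 2002:c633:6401::1/48 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::c633:6401/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:0:1::10/128 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:0:1::11/128 scope global deprecated
       valid_lft forever preferred_lft 0sec
    inet6 2001:db8:0:1::12/128 scope global dynamic
       valid_lft 86391sec preferred_lft 14391sec
'

# classify_ipv6_addrs: read `ip -6 addr show` output on stdin and print one line
# "<device> <address> <state>" per global-scope address; link-local is ignored.
classify_ipv6_addrs() {
    awk '
        # Interface header lines look like "3: eth0: <...> mtu ...".
        /^[0-9]+: / { dev = $2; sub(/:$/, "", dev); next }
        # Remember each global-scope inet6 line; the "deprecated" flag on the
        # address line already marks a zero preferred lifetime.
        /^ *inet6 / {
            if ($0 ~ / scope global/) {
                addr = $2
                state = ($0 ~ / deprecated/) ? "deprecated" : "preferred"
            } else {
                addr = ""
            }
            next
        }
        # The lifetime line follows its address line; preferred_lft 0 also
        # means deprecated even if the flag was not printed.
        /preferred_lft/ && addr != "" {
            if ($NF == "0sec" || $NF == "0") state = "deprecated"
            print dev, addr, state
            addr = ""
        }
    '
}

# preferred_source_addrs: only the addresses source-address selection may still
# pick, printed as "<device> <address>".
preferred_source_addrs() {
    classify_ipv6_addrs | awk '$3 == "preferred" { print $1, $2 }'
}

# count_preferred_on_dev DEVICE: number of preferred global addresses on DEVICE,
# e.g. to confirm that a tunnel device no longer offers a preferred source.
count_preferred_on_dev() {
    preferred_source_addrs | awk -v d="$1" '$1 == d { n++ } END { print n + 0 }'
}

# Usage on the constructed sample; on a live host replace the printf with
# `ip -6 addr show | classify_ipv6_addrs`.
printf '%s' "$SAMPLE_OUTPUT" | classify_ipv6_addrs
```

On the sample, the three `forever`/non-zero addresses are reported as preferred and `::11` as deprecated; that is exactly the distinction the `preferred_lft 0` change in the message relies on, and the same check shows whether a virtual IP with `preferred_lft forever` is still eligible to be picked over the 6to4 address.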
