Hello Martin, *,

we came to notice that -- if for any reason -- a child_sa for IPv6 addresses has the encap flag set, the kernel rejects the insertion of the state with error code 22 (invalid argument). This is due to the fact that IPv6 does not support NAT (yet?). Please consider the little patch for upstream inclusion.
Cheers, Thomas
>From 387662e17c0f46ebfb21300b8f93d6dc34e0ff0b Mon Sep 17 00:00:00 2001 From: Thomas Egerer <[email protected]> Date: Thu, 1 Jul 2010 11:45:18 +0200 Subject: [PATCH] Do not honor encapsulation flag for IPv6 connections --- src/libcharon/sa/child_sa.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index fb1ed34..e278f50 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -595,7 +595,7 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ, lifetime_cfg_t *lifetime; host_t *src, *dst; status_t status; - bool update = FALSE; + bool encap = FALSE, update = FALSE; /* now we have to decide which spi to use. Use self allocated, if "in", * or the one in the proposal, if not "in" (others). Additionally, @@ -619,6 +619,11 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ, this->other_cpi = cpi; } + if (this->encap && src->get_family(src) != AF_INET6) + { + encap = TRUE; + } + DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound", protocol_id_names, this->protocol); @@ -667,7 +672,7 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ, status = charon->kernel_interface->add_sa(charon->kernel_interface, src, dst, spi, this->protocol, this->reqid, lifetime, enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi, - this->encap, update, src_ts, dst_ts); + cpi, encap, update); free(lifetime); -- 1.7.1
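Review bot: in the second hunk, `if (this->encap && src->get_family(src) != AF_INET6)` silently drops the encapsulation request for IPv6 SAs; since the cover note says this happens "if for any reason", a DBG1 line at that point ("ignoring UDP encapsulation for IPv6 SA") would make the misnegotiation visible instead of hiding it. The object field `this->encap` is also left TRUE, so only this `add_sa` call is masked while any other reader of that flag still treats the SA as encapsulated; consider clearing the flag in one place, or stating in the commit message that only installation is affected.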
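Review bot: the third hunk replaces `- this->encap, update, src_ts, dst_ts);` with `+ cpi, encap, update);`, but the unchanged line directly above already ends with `cpi,`, so the call now passes `cpi` twice and no longer passes `src_ts` and `dst_ts`. Unless `add_sa` has a different signature in the tree this was generated against, this will not compile or will bind arguments to the wrong parameters; the intended change is presumably only `this->encap` to `encap`, keeping `update, src_ts, dst_ts` as they were.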
_______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
