Hi folks,

I have seen failures in charon.log if the peer is on IPv6 behind a NAT. Both peers are using Debian 10 and strongswan 5.8.2.

:
May 13 14:00:56 25[CFG] <IPSec-IKEv2|627> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
May 13 14:00:56 25[KNL] <IPSec-IKEv2|627> received netlink error: Invalid argument (22)
May 13 14:00:56 25[KNL] <IPSec-IKEv2|627> unable to add SAD entry with SPI cde447ff (FAILED)
May 13 14:00:56 25[KNL] <IPSec-IKEv2|627> received netlink error: Invalid argument (22)
May 13 14:00:56 25[KNL] <IPSec-IKEv2|627> unable to add SAD entry with SPI cd656ddf (FAILED)
May 13 14:00:56 25[IKE] <IPSec-IKEv2|627> unable to install inbound and outbound IPsec SA (SAD) in kernel
May 13 14:00:56 25[IKE] <IPSec-IKEv2|627> failed to establish CHILD_SA, keeping IKE_SA
:

If the peer turns off NAT and uses a routable IPv6 address instead, then there is no problem. There is no problem for IPv4 behind NAT, either.

I don't have access to the remote network, nor can I upgrade to 5.8.4 immediately, so I wonder if it would be possible to derive a regular IPv6 NAT test case from the IPv4 NAT test mentioned on https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples ?

Regards
Harri
