Would you be able to install a more recent version of libreswan
(either mainline or 5.3) and then run

ipsec showroute 2404:9400:3:0:216:3eff:fee8:a03

It will print what libreswan thinks is the IP address for the
interface, gateway, and dest, helping us narrow down the problem.
These values are then passed to the updown script.

On Wed, 29 Oct 2025 at 01:11, Skye Dobson <[email protected]> wrote:
>
> Having an issue with IPv6 subnet-to-host connection selecting the wrong
> interface when routing using %defaultroute.
>
> (The same config with IPv4 works properly)
>
> Running libreswan 4.15 under Rocky 9 Linux using the out-of-box _updown
> script.
>
> ---
>
> Network topology:
>
>       Internal interface
>             eth1
>      2403:5805:3555:10::1/64
>          172.21.1.1/24
>              ^
>              |
>              V
>         DMZ interface
>         default route
>             eth0
>       2403:5805:3555::2
>         172.21.0.2/24
>              ^
>              |
>              V
>        Internet gateway
>        2403:5705:3555::1
>     fe80::a691:b1ff:fed4:dc56
>          172.21.0.1
>              ^
>              |
>              V
>         Remote host
> 2404:9400:3:0:216:3eff:fee8:a03
>        103.249.236.138
>
> ---
>
> libreswan config:
>
> conn test
>         hostaddrfamily=ipv6
>         clientaddrfamily=ipv6
>
>         type=tunnel
>         ikev2=yes
>         authby=rsasig
>         dpddelay=30
>         dpdtimeout=90
>         dpdaction=clear
>
>         left=%defaultroute
>         leftrsasigkey=%cert
>         leftcert=neo
>         leftid=%fromcert
>         leftsubnet=2403:5805:3555:10::/64
>         leftsourceip=2403:5805:3555:10::1
>
>         right=2404:9400:3:0:216:3eff:fee8:a03
>         rightrsasigkey=%cert
>         rightca=%same
>
> ---
>
> After establishment of the connection, routing table is:
>
> #ip -6 ro li
> ::1 dev lo proto kernel metric 256 pref medium
> 2403:5805:3555::/64 dev eth0 proto kernel metric 102 pref medium
> 2403:5805:3555:10::/64 dev eth1 proto kernel metric 101 pref medium
> 2404:9400:3:0:216:3eff:fee8:a03 via fe80::a691:b1ff:fed4:dc56 dev eth1 src 2403:5805:3555:10::1 metric 1024 pref medium
> fe80::/64 dev eth1 proto kernel metric 1024 pref medium
> fe80::/64 dev eth0 proto kernel metric 1024 pref medium
> default via fe80::a691:b1ff:fed4:dc56 dev eth0 metric 1024 pref medium
>
> i.e. route to the remote host is established specifying eth1 but using
> link-local address of the default eth0 interface
>
> ---
>
> The same connection but replacing %defaultroute with:
>
> conn test
>         left=2403:5805:3555::2
>         leftnexthop=2403:5805:3555::1
>
> works nicely:
>
> #ip -6 ro li
> ...
> 2404:9400:3:0:216:3eff:fee8:a03 via 2403:5805:3555::1 dev eth0 src 2403:5805:3555:10::1 metric 1024 pref medium
>
> ---
>
>
> _______________________________________________
> Swan mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
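A sanity check for the symptom described in the quoted post, added here as an example that is not part of the thread or of libreswan: it parses `ip -6 route` output and flags any gateway route whose next hop is not reachable on the device the route names, which is exactly what the link-local gateway of eth0 appearing on a `dev eth1` route amounts to. The broken table is the one quoted above; the "fixed" table is constructed by substituting the working `via 2403:5805:3555::1 dev eth0` route, since the post elides the rest of that listing.

```python
import ipaddress
import re

# Sample input: the `ip -6 ro li` output quoted in the thread for the broken
# %defaultroute case, with the mail-wrapped route line joined back together.
ROUTES_BROKEN = """\
::1 dev lo proto kernel metric 256 pref medium
2403:5805:3555::/64 dev eth0 proto kernel metric 102 pref medium
2403:5805:3555:10::/64 dev eth1 proto kernel metric 101 pref medium
2404:9400:3:0:216:3eff:fee8:a03 via fe80::a691:b1ff:fed4:dc56 dev eth1 src 2403:5805:3555:10::1 metric 1024 pref medium
fe80::/64 dev eth1 proto kernel metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
default via fe80::a691:b1ff:fed4:dc56 dev eth0 metric 1024 pref medium
"""
# Constructed: same table with the host route as installed by the working
# left= / leftnexthop= configuration from the thread.
ROUTES_FIXED = ROUTES_BROKEN.replace(
    "via fe80::a691:b1ff:fed4:dc56 dev eth1", "via 2403:5805:3555::1 dev eth0")

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Return (dst_network, via_or_None, dev) for each `ip -6 route` line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dst = "::/0" if m["dst"] == "default" else m["dst"]
            routes.append((ipaddress.ip_network(dst, strict=False), m["via"], m["dev"]))
    return routes


def check_nexthops(text):
    """Return (dst, via, dev, reason) for every gateway route whose next hop
    is not on-link for the device the route names."""
    routes = parse_routes(text)
    # A link-local gateway is only meaningful per interface, so take the
    # default route(s) as the authority for which device such a gateway is on.
    default_dev = {v: d for n, v, d in routes if v and n.prefixlen == 0}
    problems = []
    for dst, via, dev in routes:
        if via is None or dst.prefixlen == 0:
            continue
        gw = ipaddress.ip_address(via)
        if gw.is_link_local:
            if via in default_dev and default_dev[via] != dev:
                problems.append((str(dst), via, dev,
                                 f"default route reaches this gateway on {default_dev[via]}"))
        elif not any(v is None and d == dev and gw in n for n, v, d in routes):
            problems.append((str(dst), via, dev, "gateway not in a connected prefix on dev"))
    return problems
```

Feeding the live table (`ip -6 route show`) to `check_nexthops` after `ipsec up` gives a quick way to tell whether the %defaultroute interface guess matched the kernel's own view before traffic is sent.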