Hi Martin,

Thank you for pointing out the misconfiguration. After the change, it now works! Thanks a lot!

Zhiheng

-----Original Message-----
From: Martin Willi [mailto:[email protected]]
Sent: Friday, August 03, 2012 1:07 AM
To: Mao, Zhiheng
Cc: [email protected]
Subject: Re: [strongSwan] IPv6 Remote Access: traffic selectors fec1::/64 === ::/0 inacceptable, failed to establish CHILD_SA

Hi,

> conn rw-carol
>     leftsubnet=2002:c023:9c17:21c::/64
>     rightsourceip=fec1::1/64

> conn home
>     leftsourceip=%config
>     rightsubnet=fec1::/64

> 11[IKE] traffic selectors fec1::/64 === ::/0 inacceptable

Your subnet definitions don't match. The subnet behind carol is dynamically selected from the sourceip. For the subnet behind moon, carol proposes fec1::/64, but moon expects 2002:c023:9c17:21c::/64. This doesn't yield a result during narrowing, hence your CHILD_SA fails.

> why the assigned IPv6 address on Carol is having the full 128-bit
> fec1::1/128 instead of the configured fec1::1/64?

strongSwan currently does not assign prefixes, but just a single IPv6 address. This might be a little confusing when thinking the IPv6 way, but it prevents the inclusion of whole "subnets" where you only want to attach a single client using this tunnel.

The /64 does not define a /64 prefix, but a pool of (/128) addresses as with IPv4. Your configured pool of addresses starts at fec1:: and includes 2^64 addresses.

Regards
Martin
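
Added example, not part of the original thread and not strongSwan code: a simplified Python model of the narrowing and address-pool behaviour described in the reply above, using the values from the quoted configuration. The function names are hypothetical, selectors are treated as CIDR subnets only (no ports or protocols), and the second `rightsubnet` value tried is an assumption taken from the subnet moon is said to expect; the thread does not state the exact change that was made.

```python
import ipaddress

MOON_LEFTSUBNET = "2002:c023:9c17:21c::/64"  # moon: conn rw-carol leftsubnet
MOON_POOL = "fec1::1/64"                     # moon: conn rw-carol rightsourceip
CAROL_VIRTUAL_IP = "fec1::1/128"             # address carol was assigned (from the thread)

def narrow(proposed, configured):
    """Intersect proposed selectors with configured ones (hypothetical helper).

    Simplified: CIDR subnets only, so two selectors of the same address
    family either nest or are disjoint.
    """
    result = []
    for p in map(ipaddress.ip_network, proposed):
        for c in map(ipaddress.ip_network, configured):
            if p.version != c.version:
                continue
            if p.subnet_of(c):
                result.append(p)
            elif c.subnet_of(p):
                result.append(c)
    return result

def pool_contains(pool, address):
    """rightsourceip=<addr>/<len> is a pool of /128 leases, not a routed prefix."""
    net = ipaddress.ip_interface(pool).network
    lease = ipaddress.ip_network(address)
    return lease.prefixlen == 128 and lease.subnet_of(net)

def moon_narrows(carol_rightsubnet):
    """Return (ts_moon, ts_carol) as moon would narrow carol's proposal."""
    ts_moon = narrow([carol_rightsubnet], [MOON_LEFTSUBNET])
    # Both ends use the dynamic selector for carol: the single leased address.
    ts_carol = narrow([CAROL_VIRTUAL_IP], [CAROL_VIRTUAL_IP])
    return ts_moon, ts_carol

def child_sa_ok(carol_rightsubnet):
    """A CHILD_SA needs a non-empty selector set on both sides."""
    ts_moon, ts_carol = moon_narrows(carol_rightsubnet)
    return bool(ts_moon) and bool(ts_carol)

if __name__ == "__main__":
    print("pool size is 2^64:",
          ipaddress.ip_interface(MOON_POOL).network.num_addresses == 2**64)
    for subnet in ("fec1::/64", MOON_LEFTSUBNET):
        print(subnet, "->", "CHILD_SA ok" if child_sa_ok(subnet) else "inacceptable")
```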
