Hi all, I noticed strange behaviour with an IPSec tunnel set up with strongswan. Discussing the issue on IRC, a strongswan developer suggested the issue is due to a kernel bug and I should ask here.
The client connects to the server and is assigned an IPv6 address from a pool. The remote traffic selector of the tunnel includes this virtual IP so that multiple clients can communicate. However, when the client tries to ping its own virtual IP, traffic goes over the tunnel instead of via the loopback adapter (this shows in the TTL of the packet, latency > 1ms and strongswan's traffic counters). If the virtual IP addresses are IPv4, this issue does not occur.

I'm running kernel 5.4.41 and strongswan 5.8.1. The output of relevant commands is included below (IPs snipped), with more information including strongswan and kernel config at [1]. On suggestion of strongswan developers, I tried to set `net.ipv6.conf.lo.disable_policy=1`; this made no visible difference.

Is this a kernel bug, or another issue? I'm happy to help debug or test other configurations.

Many thanks,
Kai

[1]: https://gist.github.com/kwohlfahrt/6db96db25e44ae208178335b2cdb9523/0d14b393d659c9adce6a8c925656dd6b90dc65e0

$ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd01::3/128 scope global nodad
       valid_lft forever preferred_lft forever
    inet6 2a00::e4df/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 315359984sec preferred_lft 315359984sec
    inet6 fdaa::e4df/64 scope global mngtmpaddr noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::e4df/64 scope link
       valid_lft forever preferred_lft forever

$ ping -c3 fd01::3
PING fd01::3(fd01::3) 56 data bytes
64 bytes from fd01:: icmp_seq=1 ttl=63 time=306 ms
64 bytes from fd01:: icmp_seq=2 ttl=63 time=6.64 ms
64 bytes from fd01:: icmp_seq=3 ttl=63 time=8.02 ms

--- fd01::3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 6.636/106.842/305.875/140.738 ms

$ ip -6 route show table all
fd01::/64 via 2a00::280e dev wlp3s0 table 220 proto static src fd01::3 metric 1024 pref medium
fdaa:::/64 via 2a00::280e dev wlp3s0 table 220 proto static src fd01::3 metric 1024 pref medium
::1 dev lo proto kernel metric 256 pref medium
2a00:::/64 dev wlp3s0 proto ra metric 303 mtu 1488 pref medium
fd01::3 dev wlp3s0 proto kernel metric 256 pref medium
fdaa:::/64 dev wlp3s0 proto ra metric 303 mtu 1488 pref medium
fe80::/64 dev wlp3s0 proto kernel metric 256 pref medium
default via fe80::44af dev wlp3s0 proto ra metric 303 mtu 1488 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2a00::e4df dev wlp3s0 table local proto kernel metric 0 pref medium
local fd01::3 dev wlp3s0 table local proto kernel metric 0 pref medium
local fdaa::e4df dev wlp3s0 table local proto kernel metric 0 pref medium
local fe80::e4df dev wlp3s0 table local proto kernel metric 0 pref medium
ff00::/8 dev wlp3s0 table local metric 256 pref medium
ff00::/8 dev enp4s0 table local metric 256 linkdown pref medium

$ ip -6 xfrm policy
src fd01::3/128 dst fdaa:::/64
	dir out priority 301695
	tmpl src 2a00::e4df dst 2a00::280e
		proto esp spi 0xc0a4e6ee reqid 3 mode tunnel
src fd01::3/128 dst fd01::/64
	dir out priority 301695
	tmpl src 2a00::e4df dst 2a00::280e
		proto esp spi 0xc0a4e6ee reqid 3 mode tunnel
src fdaa:::/64 dst fd01::3/128
	dir fwd priority 301695
	tmpl src 2a00::280e dst 2a00::e4df
		proto esp reqid 3 mode tunnel
src fdaa:::/64 dst fd01::3/128
	dir in priority 301695
	tmpl src 2a00::280e dst 2a00::e4df
		proto esp reqid 3 mode tunnel
src fd01::/64 dst fd01::3/128
	dir fwd priority 301695
	tmpl src 2a00::280e dst 2a00::e4df
		proto esp reqid 3 mode tunnel
src fd01::/64 dst fd01::3/128
	dir in priority 301695
	tmpl src 2a00::280e dst 2a00::e4df
		proto esp reqid 3 mode tunnel
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
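A quick way to confirm the selector overlap the post describes (the client's own virtual IP fd01::3 sits inside the remote traffic selector fd01::/64 of an outbound policy) is to parse the `ip -6 xfrm policy` and `ip -6 addr` output and flag every `dir out` policy whose src and dst selectors both contain a local address, since that is the lookup applied to locally generated packets. The script below is an added example for this thread, not code from the poster, strongSwan or the kernel; the two input strings are constructed from the output quoted above, with the snipped prefixes written as fdaa::/64 and 2a00::/64 so they parse, and selectors that still fail to parse are skipped rather than guessed at.

```python
"""Flag IPsec `dir out` policies whose selectors cover the host's own address,
i.e. self-addressed traffic that the XFRM policy lookup would steer into the
tunnel instead of leaving to loopback.  Added example for this thread; the
sample strings below are constructed from the quoted command output.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: the policies quoted in the post, in the multi-line
# layout `ip xfrm policy` prints.  Snipped prefixes written as parseable.
XFRM_POLICY_OUTPUT = """\
src fd01::3/128 dst fdaa::/64
	dir out priority 301695
	tmpl src 2a00::e4df dst 2a00::280e
		proto esp spi 0xc0a4e6ee reqid 3 mode tunnel
src fd01::3/128 dst fd01::/64
	dir out priority 301695
	tmpl src 2a00::e4df dst 2a00::280e
		proto esp spi 0xc0a4e6ee reqid 3 mode tunnel
src fdaa::/64 dst fd01::3/128
	dir fwd priority 301695
	tmpl src 2a00::280e dst 2a00::e4df
		proto esp reqid 3 mode tunnel
src fdaa::/64 dst fd01::3/128
	dir in priority 301695
	tmpl src 2a00::280e dst 2a00::e4df
		proto esp reqid 3 mode tunnel
src fd01::/64 dst fd01::3/128
	dir fwd priority 301695
	tmpl src 2a00::280e dst 2a00::e4df
		proto esp reqid 3 mode tunnel
src fd01::/64 dst fd01::3/128
	dir in priority 301695
	tmpl src 2a00::280e dst 2a00::e4df
		proto esp reqid 3 mode tunnel
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
"""

# Constructed sample: the `ip -6 addr` output quoted in the post (abridged).
ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd01::3/128 scope global nodad
       valid_lft forever preferred_lft forever
    inet6 2a00::e4df/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 315359984sec preferred_lft 315359984sec
    inet6 fe80::e4df/64 scope link
       valid_lft forever preferred_lft forever
"""

# A selector block is "src X dst Y" followed by "dir <out|in|fwd>" or
# "socket <in|out>".  The "tmpl src ... dst ..." lines are followed by
# "proto", so they never match this pattern.
_POLICY_RE = re.compile(r"src (\S+) dst (\S+)\s+(dir|socket) (\S+)")
_ADDR_RE = re.compile(r"^\s*inet6 (\S+)/\d+ scope (\S+)", re.MULTILINE)


def parse_policies(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (src_selector, dst_selector, kind, direction) for each policy."""
    return [m.groups() for m in _POLICY_RE.finditer(text)]


def parse_local_addresses(text: str) -> List[str]:
    """Return every inet6 address except the host-scope loopback ::1."""
    return [addr for addr, scope in _ADDR_RE.findall(text) if scope != "host"]


def find_hairpin_policies(policy_text: str, addr_text: str) -> List[Tuple[str, str, str]]:
    """Outbound policies that match a packet the host sends to its own address.

    A self-addressed packet has src == dst == the local address, so a policy
    is flagged when both of its selectors contain that address.  Socket
    policies and `dir in`/`dir fwd` policies do not apply to local output.
    """
    hits = []
    for src_sel, dst_sel, kind, direction in parse_policies(policy_text):
        if kind != "dir" or direction != "out":
            continue
        try:
            src_net = ipaddress.ip_network(src_sel, strict=False)
            dst_net = ipaddress.ip_network(dst_sel, strict=False)
        except ValueError:
            continue  # snipped or malformed selector text such as "fdaa:::/64"
        for addr in parse_local_addresses(addr_text):
            ip = ipaddress.ip_address(addr)
            if ip in src_net and ip in dst_net:
                hits.append((addr, src_sel, dst_sel))
    return hits


if __name__ == "__main__":
    for addr, src_sel, dst_sel in find_hairpin_policies(XFRM_POLICY_OUTPUT, ADDR_OUTPUT):
        print(f"{addr}: self-addressed traffic matches out policy src {src_sel} dst {dst_sel}")
```

On the quoted configuration this reports exactly one policy, `src fd01::3/128 dst fd01::/64 dir out`, which is the overlap behind the ttl=63 replies in the ping output: the policy covers fd01::3 as both source and destination, so the policy lookup has a tunnel candidate for a packet that routing alone would have delivered on lo. The script only establishes that the selectors overlap; whether the kernel should consult the policy for a locally delivered destination is the question the post raises.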