[Bug 663] Postrouting + IPsec + IPv6

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Fri Jul 26 02:12:20 CEST 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=663

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #3 from Phil Oester <netfilter at linuxace.com> 2013-07-26 02:12:18 CEST ---
After spending many hours getting strongSwan set up to match your config, I am
not able to reproduce the issue on a 3.10 kernel.  The IPv6 logs look normal:

Jul 25 16:53:15 f19_main kernel: [ 1274.377650] IN= OUT=eth2 SRC=5857:0000:0000:0000:0000:0000:0000:0129 DST=fe80:0000:0000:0000:020c:29ff:fe5e:71b2 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0

But what you are doing (default DROP policy in the POSTROUTING chain of the
mangle table) is NOT recommended.  For instance, I can see from your rules that
you don't permit ICMPv6 packets from the link-local addresses.  How exactly do
you expect the VPN gateway to find its neighbors?  I'm surprised this setup
works at all.  

Please utilize the FORWARD chain of the filter table for filtering packets
being routed through your gateway.  

Closing.

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
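The two points in the comment above (a default DROP policy in mangle POSTROUTING is the wrong place to filter, and a gateway that drops ICMPv6 neighbor discovery cannot find its neighbors) as an added example; this is not code from the bug report, the reporter or the netfilter project. Both rulesets are hypothetical ip6tables-save style dumps constructed for illustration, and the lint is a small awk check that can be run over a real `ip6tables-save` dump to catch the same two mistakes.

```shell
#!/bin/sh
# Added example (not from the bug report or its author): two hypothetical
# ip6tables-restore rulesets and a lint for the mistake the comment describes.

# Hypothetical ruleset in the style the comment warns against: default DROP
# policy in mangle POSTROUTING, and no ICMPv6 neighbor discovery allowed.
mangle_drop_ruleset() {
cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING DROP [0:0]
-A POSTROUTING -p esp -j ACCEPT
-A POSTROUTING -p udp -m udp --dport 500 -j ACCEPT
COMMIT
EOF
}

# Recommended shape: filtering lives in the filter table (INPUT for traffic to
# the gateway itself, FORWARD for traffic routed through it); the mangle table
# keeps its ACCEPT policies. Neighbor solicitation/advertisement (135/136) are
# accepted from any source but only with hop limit 255, which RFC 4861 requires;
# router advertisements (134) additionally must come from a link-local source.
filter_forward_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
EOF
}

# Lint an ip6tables-save style dump read from stdin. Exits 0 if clean, 1 if:
#  - any table other than filter has a chain policy that is not ACCEPT, or
#  - there is no ACCEPT rule for ICMPv6 neighbor solicitation (135) and
#    neighbor advertisement (136).
lint_ruleset() {
  awk '
    BEGIN { bad = 0; ns = 0; na = 0 }
    /^\*/ { table = substr($0, 2); next }
    /^:/ && table != "filter" && $2 != "ACCEPT" {
      printf "policy %s on %s/%s: filter in the filter table instead\n", $2, table, substr($1, 2)
      bad = 1
    }
    /-p ipv6-icmp/ && /-j ACCEPT/ {
      if ($0 ~ /--icmpv6-type (135|neighbou?r-solicitation)/) ns = 1
      if ($0 ~ /--icmpv6-type (136|neighbou?r-advertisement)/) na = 1
    }
    END {
      if (!ns || !na) {
        print "no ACCEPT rule for ICMPv6 neighbor discovery (types 135/136)"
        bad = 1
      }
      exit bad
    }'
}

# Stand-alone demo: ./lint.sh demo
# On a live gateway (needs root): ip6tables-save | lint_ruleset
if [ "${1:-}" = "demo" ]; then
  echo "== mangle POSTROUTING DROP ruleset"
  mangle_drop_ruleset | lint_ruleset || echo "lint failed (expected)"
  echo "== filter/FORWARD ruleset"
  filter_forward_ruleset | lint_ruleset && echo "lint clean"
fi
```

Running the lint over the first ruleset reports both problems (the DROP policy on mangle/POSTROUTING and the missing neighbor discovery rules) and exits 1; the second ruleset passes. The hop-limit check is what lets the neighbor advertisement from the comment's log line (a global source address, HOPLIMIT=255) through while still rejecting forged neighbor discovery that has crossed a router.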
