[Bug 663] Postrouting + IPsec + IPv6
bugzilla-daemon at netfilter.org
Fri Jul 26 02:12:20 CEST 2013
https://bugzilla.netfilter.org/show_bug.cgi?id=663
Phil Oester <netfilter at linuxace.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
--- Comment #3 from Phil Oester <netfilter at linuxace.com> 2013-07-26 02:12:18 CEST ---
After spending many hours getting strongswan set up to match your config, I am
not able to reproduce the issue on a 3.10 kernel. The IPv6 logs look normal:

Jul 25 16:53:15 f19_main kernel: [ 1274.377650] IN= OUT=eth2
SRC=5857:0000:0000:0000:0000:0000:0000:0129
DST=fe80:0000:0000:0000:020c:29ff:fe5e:71b2
LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0

But what you are doing (default DROP policy in the POSTROUTING chain of the
mangle table) is NOT recommended. For instance, I can see from your rules that
you don't permit ICMPv6 packets from the link-local addresses. How exactly do
you expect the VPN gateway to find its neighbors? I'm surprised this setup
works at all.

Please utilize the FORWARD chain of the filter table for filtering packets
being routed through your gateway.

Closing.
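
An added example, not part of the bug report or of the netfilter project's code: a small Python parser for netfilter LOG lines like the one quoted in the comment, which picks out ICMPv6 Neighbor Discovery packets (types 133 to 137) and records whether a link-local address is involved, that is, the traffic a default DROP policy in mangle POSTROUTING would have to permit explicitly. The function names and the second and third sample lines are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# ICMPv6 Neighbor Discovery message types (RFC 4861).
ND_TYPES = {133: "router-solicit", 134: "router-advert",
            135: "neighbor-solicit", 136: "neighbor-advert", 137: "redirect"}
FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs; value may be empty (IN=)

def classify(line):
    """Describe a logged Neighbor Discovery packet; None for anything else."""
    f = dict(FIELD.findall(line))
    if f.get("PROTO") != "ICMPv6" or not f.get("TYPE", "").isdigit():
        return None
    kind = ND_TYPES.get(int(f["TYPE"]))
    if kind is None:
        return None  # other ICMPv6, e.g. echo request
    try:
        src = ipaddress.IPv6Address(f.get("SRC", ""))
        dst = ipaddress.IPv6Address(f.get("DST", ""))
    except ValueError:
        return None  # truncated or malformed log line
    return {"kind": kind,
            "direction": "out" if f.get("OUT") else "in",
            "link_local": src.is_link_local or dst.is_link_local,
            # ND receivers discard packets whose hop limit is not 255.
            "hop_limit_ok": f.get("HOPLIMIT") == "255"}

def summarize(lines):
    """Count ND packets per (direction, kind, link_local) across a log."""
    hits = filter(None, map(classify, lines))
    return Counter((h["direction"], h["kind"], h["link_local"]) for h in hits)

# First entry: the log line from the comment, rejoined onto one line.
# Second and third entries: constructed for this example.
SAMPLE = [
    "Jul 25 16:53:15 f19_main kernel: [ 1274.377650] IN= OUT=eth2 "
    "SRC=5857:0000:0000:0000:0000:0000:0000:0129 "
    "DST=fe80:0000:0000:0000:020c:29ff:fe5e:71b2 "
    "LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0",
    "Jul 25 16:53:16 f19_main kernel: [ 1275.000000] IN= OUT=eth2 "
    "SRC=fe80:0000:0000:0000:020c:29ff:fe00:0001 "
    "DST=ff02:0000:0000:0000:0000:0001:ff5e:71b2 "
    "LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0",
    "Jul 25 16:53:17 f19_main kernel: [ 1276.000000] IN= OUT=eth2 "
    "SRC=5857:0000:0000:0000:0000:0000:0000:0129 "
    "DST=5857:0000:0000:0000:0000:0000:0000:0001 "
    "LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=443",
]
```

Running `summarize()` over the log of a chain with a DROP policy shows which Neighbor Discovery types and directions the ruleset sees, and so which ones need an explicit ACCEPT.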