[Pkg-swan-devel] Bug#884650: strongswan-nm: requesting inner IP is IPv4-only

brian m. carlson sandals at crustytoothpaste.net
Mon Dec 18 03:21:52 UTC 2017


Package: strongswan-nm
Version: 5.6.1-2
Severity: important
Tags: ipv6

When using the NetworkManager plugin, when the "Request inner IP" option
is set, this requests only an IPv4 address.  I believe if an IPv6
address were requested, the CPRQ line would include an "ADDR6" entry:

  Dec 18 02:44:40 genre charon-nm: 07[IKE] establishing CHILD_SA vpn-remote{9}
  Dec 18 02:44:40 genre charon-nm: 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

Since the remote side is also strongSwan, no IPv6 address is issued if
the client doesn't request one.

If the VPN plugin has IPv6 enabled, then strongSwan should request both
an IPv4 and an IPv6 address.  Not doing so causes IPv6 traffic to leak
if the client has other IPv6 connectivity.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages strongswan-nm depends on:
ii  libc6                 2.25-4
ii  libdbus-glib-1-2      0.108-3
ii  libglib2.0-0          2.54.2-1
ii  libnm-glib-vpn1       1.10.2-1
ii  libnm-util2           1.10.2-1
ii  libstrongswan         5.6.1-2
ii  strongswan-libcharon  5.6.1-2

Versions of packages strongswan-nm recommends:
ii  network-manager-strongswan  1.4.2-1

strongswan-nm suggests no packages.

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
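
Added example, not part of the original report and not strongSwan or Debian code: a small Python check that reads charon log lines like the ones quoted above and reports whether each initial IKE_AUTH request asked for an IPv4 address, an IPv6 address, or both. The ADDR6 attribute name is taken from the reporter's expectation; the function names and the last two sample lines are constructed for illustration.

```python
import re

# Payload list of an outgoing IKE_AUTH request as logged by charon's ENC subsystem.
ENC_RE = re.compile(r"\[ENC\] generating IKE_AUTH request \d+ \[ (.*) \]\s*$")
CPRQ_RE = re.compile(r"\bCPRQ\(([^)]*)\)")
CHILD_RE = re.compile(r"\[IKE\] establishing CHILD_SA (\S+)")

def classify(attrs):
    """Map the set of requested configuration attributes to a verdict."""
    v4, v6 = "ADDR" in attrs, "ADDR6" in attrs
    if v4 and v6:
        return "dual-stack"
    if v4:
        return "ipv4-only"  # no inner IPv6 address requested, as in the report
    if v6:
        return "ipv6-only"
    return "no-inner-address"

def audit_cprq(lines):
    """Return (connection, requested attributes, verdict) per initial IKE_AUTH request."""
    findings, conn = [], None
    for line in lines:
        child = CHILD_RE.search(line)
        if child:
            conn = child.group(1)
            continue
        enc = ENC_RE.search(line)
        # Only the initial IKE_AUTH request carries IDi (and CPRQ, if any);
        # later EAP rounds are skipped so they are not misreported.
        if not enc or "IDi" not in enc.group(1).split():
            continue
        cprq = CPRQ_RE.search(enc.group(1))
        attrs = frozenset(cprq.group(1).split()) if cprq else frozenset()
        findings.append((conn, attrs, classify(attrs)))
    return findings

# The first two lines are quoted from the report; the last two are constructed.
SAMPLE_LOG = [
    "Dec 18 02:44:40 genre charon-nm: 07[IKE] establishing CHILD_SA vpn-remote{9}",
    "Dec 18 02:44:40 genre charon-nm: 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]",
    "Dec 18 02:50:00 genre charon-nm: 08[IKE] establishing CHILD_SA vpn-remote{10}",
    "Dec 18 02:50:00 genre charon-nm: 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS) SA TSi TSr ]",
]

if __name__ == "__main__":
    for conn, attrs, verdict in audit_cprq(SAMPLE_LOG):
        print(f"{conn}: CPRQ({' '.join(sorted(attrs))}) -> {verdict}")
```

An "ipv4-only" verdict on a host that has other IPv6 connectivity corresponds to the leak condition described in the report.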