
Richard Andrews <bflatmaj7th@gmail.com> wrote:
> Kernel mode ESP does not create an interface so I would not expect any neighbourhood discovery associated with IPsec. Maybe the IPv6 stack is trying to find a router which knows a path to the peer.

I think so. It's fine without an IPSec tunnel, but, for whatever reason, not when a tunnel is in place.

> I use strongswan quite a bit but have no experience using it over IPv6. Do you have a working implementation over IPv4?

No, although I could try it now that I have a static IPv4 address.

> I would suggest using forceencaps=yes (NAT-T mode). This will force all the traffic (IKE and ESP) into UDP 4500 (at least it does in IPv4). I find this makes a lot of problems easier to diagnose and solve.

thanks.

> Not sure if this is on-topic for luv-main. Should we continue the discussion on- or off-list?

I'm sure it's on topic here, as it's Linux-related.