 IPv6 + IPsec + ipsec-tools 0.6.[4567] + scope:link = no SA established
In IPv4 this works.  In IPv6 things work w/o IPsec.  With IPsec, there are
no security association setups established, and attempts to communicate
between hosts defined by policy to require IPsec do not work.  Running
the racoon daemon in the foreground shows a DEBUG message that indicates
a problem:

2007-07-25 16:30:09: DEBUG: ignore because do not listen on source address : fe80::203:47ff:fea4:4aa3.

This comes from a loop that checks the address to be used against one that
is being listened on.  If the address is not one listened on, then it is
not usable in making the security association (or so implied by the code
comments).

Actually it is listening on the source address.  So I modified the source
code to add new diagnostics that dump out more detail about what is being
compared when this test is taking place:

2007-07-25 16:30:09: DEBUG: get pfkey ACQUIRE message
2007-07-25 16:30:09: DEBUG: compare 00000002 (sa_family)
                                 to 0000000a (sa_family)
2007-07-25 16:30:09: DEBUG: compare 00000002 (sa_family)
                                 to 0000000a (sa_family)
2007-07-25 16:30:09: DEBUG: compare 0000000a (sa_family)
                                 to 0000000a (sa_family)
2007-07-25 16:30:09: DEBUG: compare 0000:0000:0000:0000:0000:0000:0000:0001 (sin6_addr)
                                 to fe80:0000:0000:0000:0203:47ff:fea4:4aa3 (sin6_addr)
2007-07-25 16:30:09: DEBUG: compare 0000000a (sa_family)
                                 to 0000000a (sa_family)
2007-07-25 16:30:09: DEBUG: compare fe80:0000:0000:0000:0203:47ff:fea4:4aa3 (sin6_addr)
                                 to fe80:0000:0000:0000:0203:47ff:fea4:4aa3 (sin6_addr)
2007-07-25 16:30:09: DEBUG: compare 00000003 (sin6_scope_id)
                                 to 00000000 (sin6_scope_id)
2007-07-25 16:30:09: DEBUG: ignore because do not listen on source address : fe80::203:47ff:fea4:4aa3.

All the compare messages (2 lines each) are what I added with new C code.

The first 2 compare fails are because it was testing the 2 IPv4 addresses
in the list (IPsec works over IPv4 when I use that).  Compares 3 and 4 are
a fail because the address mismatches (this was the "lo" entry for IPv6).
Compares 5 and 6 and 7 are the issue.  The first 2 of these match the
address family and address OK.  It's the scope id that mismatches.

Is the scope ID really relevant here?

Is the scope ID really correct?

Is the kernel supposed to supply this to the racoon daemon?

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org)  /  Do not send to the address below |
| first name lower case at ipal.net   /  spamtrap-2007-07-25-1...@ipal.net |
|------------------------------------/-------------------------------------|
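The comparison walked through above, as an added example that is not part of the post or of ipsec-tools: it reconstructs the IPv6 listen entries and the ACQUIRE source from the log (constructed values; ifindex 3 is assumed to be what the kernel reported as the scope id) and runs them through a strict family/address/scope compare and a scope-aware variant, so the effect of the scope id on the "ignore" decision can be seen directly.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed helper: IPv6 sockaddr from a numeric address and a scope id. */
static void mk6(struct sockaddr_in6 *sa, const char *addr, unsigned scope)
{
    memset(sa, 0, sizeof *sa);
    sa->sin6_family = AF_INET6;
    sa->sin6_scope_id = scope;
    inet_pton(AF_INET6, addr, &sa->sin6_addr);
}

/* Strict compare in the order of the post's diagnostics: family, address,
 * scope id. Returns 0 on match, or 1/2/3 naming the field that mismatched. */
int cmp_strict(const struct sockaddr_in6 *a, const struct sockaddr_in6 *b)
{
    if (a->sin6_family != b->sin6_family) return 1;
    if (memcmp(&a->sin6_addr, &b->sin6_addr, sizeof a->sin6_addr)) return 2;
    if (a->sin6_scope_id != b->sin6_scope_id) return 3;
    return 0;
}

/* Variant: a scope id only disambiguates link-local (fe80::/10) addresses,
 * and 0 means "unspecified", so only two conflicting nonzero zones on a
 * link-local address count as a mismatch. Note the trade-off: a listener
 * with zone 0 then matches the same fe80:: address on every link. */
int cmp_scoped(const struct sockaddr_in6 *a, const struct sockaddr_in6 *b)
{
    int r = cmp_strict(a, b);
    if (r != 3 || !IN6_IS_ADDR_LINKLOCAL(&a->sin6_addr)) return r;
    return (a->sin6_scope_id && b->sin6_scope_id) ? 3 : 0;
}

/* The post's IPv6 listen entries (constructed from the log) checked against the
 * ACQUIRE source with ifindex 3; returns the matching index or -1 ("ignore"). */
int find_listener(int (*cmp)(const struct sockaddr_in6 *, const struct sockaddr_in6 *))
{
    struct sockaddr_in6 lst[2], src;
    mk6(&lst[0], "::1", 0);                          /* the "lo" entry */
    mk6(&lst[1], "fe80::203:47ff:fea4:4aa3", 0);     /* scope id 0 as logged */
    mk6(&src, "fe80::203:47ff:fea4:4aa3", 3);        /* scope id 3 as logged */
    for (int i = 0; i < 2; i++)
        if (cmp(&lst[i], &src) == 0) return i;
    return -1;
}

int main(void) { printf("strict %d scoped %d\n", find_listener(cmp_strict), find_listener(cmp_scoped)); return 0; }
```

With the strict compare the link-local entry is rejected on the scope id alone, which is the path the log shows; the scope-aware compare accepts it, at the cost of no longer telling links apart.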



 Mon, 11 Jan 2010 05:01:35 GMT   
 
   [ 1 post ] 

Similar Threads

1. IPSEC SA established - but no routing

2. freeswan report IPsec SA established , but can not ping

3. IPSEC SA established - but no routing

4. IPv6 Extension headers (Re: [PATCH] IPv6 IPsec support)

5. IPsec: selection of correct SA

6. IPsec: selection of correct SA - again

7. IPSEC link in Ad-Hoc WIFI link very slow

8. To IPsec or not to IPsec

9. Can linux establish IPSec VPN connection to CheckPoint?

10. Need help to establish ipsec tunnel to etdvpn.sabre.com


 
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Designed by ST Software