Hello,

I know this may not be the forum to ask this question, but I am having
no luck on finding out if there is a solution to the problem stated
below.  I am looking to see if anyone from this group has seen this
issue:


Running ipsec-tools-0.6.7 on a Linux client and host.
I use Racoon with pre-shared keys and Security Policies with ESP/AHs
configured for IPv4 and IPv6.

There is no problem with IPv4.

I see a chicken and the egg problem with IPv6.

An ICMPv6 Neighbor Solicitation goes from Host A to Host B.  This is
o.k. because it is not subject to IPsec.
The ICMPv6 Neighbor Discovery from Host B is not o.k. because, since
there exists an SP that requires ESP/AH, it triggers an SA negotiation.
So, it looks like a loop is created and the result is that it does not
work.

I have tried adding in:
spdadd ::/0 ::/0 icmp6 -P out none;
spdadd ::/0 ::/0 icmp6 -P in none;

And although the icmps are now not subject to IPsec, I still get the
"phase1 negotiation" failure in Racoon.

The only way (besides not using Racoon and manually adding keyed SAs)
is the following:
1.  Stop the Racoon daemons, flush/spdflush all the SAs and SPDs.
2.  Issue a ping6.
3.  Re-issue the SPDs.
4.  Start Racoon.

Does anyone know of a permanent solution to this issue?

Thanks,
Phil Bellino


============================ 
Phil Bellino 
MRV Communications, Inc. 
Boston Product Division 
295 Foster St. 
Littleton,MA 01460 
Tel: (978)952-4807 
Email: [EMAIL PROTECTED] 
============================ 

_______________________________________________
Users mailing list
Users@ipv6.org
https://lists.ipv6.org/mailman/listinfo/users
