Something is very broken at the intersection of IPv6, NDP, and IPsec
in -current.
Two hosts in the same LAN; all static addresses; yes I use iked -6.
Here are the respective, trivial iked.conf files:
--------------------
ikev2 \
from 2001:6f8:124a::2 to 2001:6f8:124a::6 \
childsa enc aes-128-gcm psk "mekmitasdigoat"
--------------------
ikev2 active \
from 2001:6f8:124a::6 to 2001:6f8:124a::2 \
childsa enc aes-128-gcm psk "mekmitasdigoat"
--------------------
The ikeds successfully negotiate, and flows and SAs are set up.
Then both hosts forget each other's neighbor address. When they
want to pass traffic to each other (a ping for testing, or IKE
informational messages after a while),
- a neighbor solicitation is sent to the multicast address,
- the reply goes through the IPsec tunnel and is visible on the
other side's enc0 interface,
- but the reply is never entered into the NDP cache.
Neighbor solicitations and replies fly back and forth for a while,
to no avail. Eventually the ikeds notice that the other one is
gone, give up, and remove the flows and SAs. When they try again,
they successfully renegotiate, and the cycle repeats.
netstat -s -picmp6 shows increasing counters for "bad neighbor
solicitation messages" and "bad neighbor advertisement messages".
Enabling nd6_debug shows that the reason is "packet from non-neighbor".
Oct 5 17:08:01 bardioc /bsd: nd6_na_input: ND packet from non-neighbor
Oct 5 17:08:03 bardioc last message repeated 2 times
Oct 5 17:08:06 bardioc /bsd: nd6_ns_input: NS packet from non-neighbor
Oct 5 17:08:06 bardioc /bsd: nd6_ns_input: src=2001:6f8:124a::6
Oct 5 17:08:06 bardioc /bsd: nd6_ns_input: dst=2001:6f8:124a::2
Oct 5 17:08:06 bardioc /bsd: nd6_ns_input: tgt=2001:6f8:124a::2
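As an added illustration (not part of the original report, and not the kernel's code), here is a small Python model of the on-link check behind that "non-neighbor" message: a neighbor advertisement is only allowed to populate the NDP cache if its source is link-local or covered by a prefix configured on the interface the packet arrives on. The interface name em0, the MAC address and the assumption that a decapsulated ESP payload is delivered on enc0 (which carries no on-link prefix) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    prefixes: list = field(default_factory=list)  # on-link prefixes, e.g. "2001:6f8:124a::/64"
    nd_cache: dict = field(default_factory=dict)  # IPv6 address -> link-layer address


def is_addr_neighbor(addr: str, ifp: Interface) -> bool:
    """Model of the on-link test: link-local sources or sources inside a prefix on ifp."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return True
    return any(a in ipaddress.IPv6Network(p) for p in ifp.prefixes)


def na_input(ifp: Interface, src: str, tgt: str, lladdr: str, stats: dict) -> bool:
    """Model of NA processing: reject non-neighbors (counted like the icmp6 'bad NA' statistic),
    otherwise record the target's link-layer address in the receiving interface's NDP cache."""
    if not is_addr_neighbor(src, ifp):
        stats["bad_na"] = stats.get("bad_na", 0) + 1
        return False
    ifp.nd_cache[tgt] = lladdr
    return True


def demo():
    """Deliver the same NA twice: once on the LAN interface, once after ESP decapsulation on enc0.
    Assumption (constructed): enc0 has no on-link prefix, so the second delivery is rejected."""
    stats = {}
    lan = Interface("em0", prefixes=["2001:6f8:124a::/64"])  # em0 is an assumed interface name
    enc0 = Interface("enc0")
    lladdr = "00:00:5e:00:53:06"  # constructed (IANA documentation MAC range)
    via_lan = na_input(lan, "2001:6f8:124a::6", "2001:6f8:124a::6", lladdr, stats)
    via_enc = na_input(enc0, "2001:6f8:124a::6", "2001:6f8:124a::6", lladdr, stats)
    return via_lan, via_enc, dict(lan.nd_cache), dict(enc0.nd_cache), stats


if __name__ == "__main__":
    print(demo())
```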
--
Christian "naddy" Weisgerber [email protected]