On 05/01/07, Mathieu Sauve-Frankel <[EMAIL PROTECTED]> wrote:
> > After recent fixes in the latest snapshot (i386 #1337) it works
> > fine... At least when the laptop has only IPv4 network available. In
> > my own network, which is IPv6 enabled, only IPv6-in-IPv6 encapsulation
> > happens, all IPv4 traffic doesn't enter the tunnel. Is that a bug, or
> > a feature?
>
> In the future could you please post the full output of
> ipsecctl -nvf /etc/ipsec.conf as well as your ipsec.conf with these reports
> to save us some time.
>
> --
> Mathieu Sauve-Frankel


Yes, sorry.
ipsec.conf from both machines is included in the first message in this
thread, and I didn't touch it. For sake of completeness:

Router ipsec.conf:
ike passive esp from any to any \
      main auth hmac-sha1 enc aes group modp2048 \
      quick auth hmac-ripemd160 enc aes group modp2048 \
      srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]

Laptop ipsec.conf:
ike dynamic esp from egress to any peer router \
      main auth hmac-sha1 enc aes group modp2048 \
      quick auth hmac-ripemd160 enc aes group modp2048 \
      srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]

Here's ipsecctl -nvf /etc/ipsec.conf on my laptop.

C set [General]:Check-interval=30 force
C set [General]:DPD-check-interval=5 force
C set [Phase 1]:2a01:b0:11b7:117:20e:2eff:fe8a:2b07=peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07 force
C set [peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:Phase=1 force
C set [peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:Address=2a01:b0:11b7:117:20e:2eff:fe8a:2b07 force
C set [peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:Configuration=mm-2a01:b0:11b7:117:20e:2eff:fe8a:2b07 force
C set [mm-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:EXCHANGE_TYPE=ID_PROT force
C add [mm-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:Transforms=AES-SHA-GRP14-RSA_SIG force
C set [peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:[EMAIL PROTECTED] force
C set [EMAIL PROTECTED]:ID-type=USER_FQDN force
C set [EMAIL PROTECTED]:[EMAIL PROTECTED] force
C set [peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:Remote-ID=2a01:b0:11b7:117:20e:2eff:fe8a:2b07-ID force
C set [2a01:b0:11b7:117:20e:2eff:fe8a:2b07-ID]:ID-type=USER_FQDN force
C set [2a01:b0:11b7:117:20e:2eff:fe8a:2b07-ID]:[EMAIL PROTECTED] force
C set [IPsec-ipw0-::/0]:Phase=2 force
C set [IPsec-ipw0-::/0]:ISAKMP-peer=peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07 force
C set [IPsec-ipw0-::/0]:Configuration=qm-ipw0-::/0 force
C set [IPsec-ipw0-::/0]:Local-ID=lid-ipw0 force
C set [IPsec-ipw0-::/0]:Remote-ID=rid-::/0 force
C set [qm-ipw0-::/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-ipw0-::/0]:Suites=QM-ESP-AES-RIPEMD-PFS-GRP14-SUITE force
C set [lid-ipw0]:ID-type=IPV6_ADDR force
C set [lid-ipw0]:Address=ipw0 force
C set [rid-::/0]:ID-type=IPV6_ADDR_SUBNET force
C set [rid-::/0]:Network=:: force
C set [rid-::/0]:Netmask=:: force
C add [Phase 2]:Connections=IPsec-ipw0-::/0
C set [General]:Check-interval=30 force
C set [General]:DPD-check-interval=5 force
C set [Phase 1]:2a01:b0:11b7:117:20e:2eff:fe8a:2b07=peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07 force
C set [peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:Phase=1 force
C set [peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:Address=2a01:b0:11b7:117:20e:2eff:fe8a:2b07 force
C set [peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:Configuration=mm-2a01:b0:11b7:117:20e:2eff:fe8a:2b07 force
C set [mm-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:EXCHANGE_TYPE=ID_PROT force
C add [mm-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:Transforms=AES-SHA-GRP14-RSA_SIG force
C set [peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:[EMAIL PROTECTED] force
C set [EMAIL PROTECTED]:ID-type=USER_FQDN force
C set [EMAIL PROTECTED]:[EMAIL PROTECTED] force
C set [peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07]:Remote-ID=2a01:b0:11b7:117:20e:2eff:fe8a:2b07-ID force
C set [2a01:b0:11b7:117:20e:2eff:fe8a:2b07-ID]:ID-type=USER_FQDN force
C set [2a01:b0:11b7:117:20e:2eff:fe8a:2b07-ID]:[EMAIL PROTECTED] force
C set [IPsec-ipw0-0.0.0.0/0]:Phase=2 force
C set [IPsec-ipw0-0.0.0.0/0]:ISAKMP-peer=peer-2a01:b0:11b7:117:20e:2eff:fe8a:2b07 force
C set [IPsec-ipw0-0.0.0.0/0]:Configuration=qm-ipw0-0.0.0.0/0 force
C set [IPsec-ipw0-0.0.0.0/0]:Local-ID=lid-ipw0 force
C set [IPsec-ipw0-0.0.0.0/0]:Remote-ID=rid-0.0.0.0/0 force
C set [qm-ipw0-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-ipw0-0.0.0.0/0]:Suites=QM-ESP-AES-RIPEMD-PFS-GRP14-SUITE force
C set [lid-ipw0]:ID-type=IPV4_ADDR force
C set [lid-ipw0]:Address=ipw0 force
C set [rid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [rid-0.0.0.0/0]:Network=0.0.0.0 force
C set [rid-0.0.0.0/0]:Netmask=0.0.0.0 force
C add [Phase 2]:Connections=IPsec-ipw0-0.0.0.0/0

What's more interesting, now it tries only to encapsulate IPv4 traffic
in IPv6 traffic, which would be fine by me if it worked - but it
doesn't. (IPv6 is not touched this time).
ping onet.pl on enc0 looks like this (tcpdump -npvi enc0):

08:48:11.085644 (authentic,confidential): SPI 0x3c87e523:
2a01:b0:11b7:117:204:23ff:fe78:c1da >
2a01:b0:11b7:117:20e:2eff:fe8a:2b07: 192.168.17.62 > 213.180.130.200:
icmp: echo request (id:a57b seq:16) (ttl 255, id 29017, len 84, bad
cksum 0!) (len 84, hlim 64)
08:48:12.095668 (authentic,confidential): SPI 0x3c87e523:
2a01:b0:11b7:117:204:23ff:fe78:c1da >
2a01:b0:11b7:117:20e:2eff:fe8a:2b07: 192.168.17.62 > 213.180.130.200:
icmp: echo request (id:a57b seq:17) (ttl 255, id 27327, len 84, bad
cksum 0!) (len 84, hlim 64)

(no return packets)

while on ipw0:
08:50:37.319348 esp 2a01:b0:11b7:117:204:23ff:fe78:c1da >
2a01:b0:11b7:117:20e:2eff:fe8a:2b07 spi 0x3C87E523 seq 199 len 132
(len 132, hlim 64)
08:50:38.329347 esp 2a01:b0:11b7:117:204:23ff:fe78:c1da >
2a01:b0:11b7:117:20e:2eff:fe8a:2b07 spi 0x3C87E523 seq 200 len 132
(len 132, hlim 64)

ipsecctl -nvf /etc/ipsec.conf on router:
C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Configuration=mm-default force
C set [mm-default]:EXCHANGE_TYPE=ID_PROT force
C add [mm-default]:Transforms=AES-SHA-GRP14-RSA_SIG force
C set [peer-default]:[EMAIL PROTECTED] force
C set [EMAIL PROTECTED]:ID-type=USER_FQDN force
C set [EMAIL PROTECTED]:[EMAIL PROTECTED] force
C set [peer-default]:Remote-ID=default-ID force
C set [default-ID]:ID-type=USER_FQDN force
C set [default-ID]:[EMAIL PROTECTED] force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Phase=2 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:ISAKMP-peer=peer-default force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Configuration=qm-0.0.0.0/0-0.0.0.0/0 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Local-ID=lid-0.0.0.0/0 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Remote-ID=rid-0.0.0.0/0 force
C set [qm-0.0.0.0/0-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-0.0.0.0/0-0.0.0.0/0]:Suites=QM-ESP-AES-RIPEMD-PFS-GRP14-SUITE force
C set [lid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [lid-0.0.0.0/0]:Network=0.0.0.0 force
C set [lid-0.0.0.0/0]:Netmask=0.0.0.0 force
C set [rid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [rid-0.0.0.0/0]:Network=0.0.0.0 force
C set [rid-0.0.0.0/0]:Netmask=0.0.0.0 force
C add [Phase 2]:Passive-Connections=IPsec-0.0.0.0/0-0.0.0.0/0
C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Configuration=mm-default force
C set [mm-default]:EXCHANGE_TYPE=ID_PROT force
C add [mm-default]:Transforms=AES-SHA-GRP14-RSA_SIG force
C set [peer-default]:[EMAIL PROTECTED] force
C set [EMAIL PROTECTED]:ID-type=USER_FQDN force
C set [EMAIL PROTECTED]:[EMAIL PROTECTED] force
C set [peer-default]:Remote-ID=default-ID force
C set [default-ID]:ID-type=USER_FQDN force
C set [default-ID]:[EMAIL PROTECTED] force
C set [IPsec-::/0-::/0]:Phase=2 force
C set [IPsec-::/0-::/0]:ISAKMP-peer=peer-default force
C set [IPsec-::/0-::/0]:Configuration=qm-::/0-::/0 force
C set [IPsec-::/0-::/0]:Local-ID=lid-::/0 force
C set [IPsec-::/0-::/0]:Remote-ID=rid-::/0 force
C set [qm-::/0-::/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-::/0-::/0]:Suites=QM-ESP-AES-RIPEMD-PFS-GRP14-SUITE force
C set [lid-::/0]:ID-type=IPV6_ADDR_SUBNET force
C set [lid-::/0]:Network=:: force
C set [lid-::/0]:Netmask=:: force
C set [rid-::/0]:ID-type=IPV6_ADDR_SUBNET force
C set [rid-::/0]:Network=:: force
C set [rid-::/0]:Netmask=:: force
C add [Phase 2]:Passive-Connections=IPsec-::/0-::/0

--
viq
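An added example, not part of the thread and not code from ipsecctl or isakmpd: a small Python checker for a `C set`/`C add` dump like the ones above that flags any section tag assigned more than one distinct value. In the laptop dump both connections reference Local-ID=lid-ipw0, and [lid-ipw0]:ID-type is set to IPV6_ADDR and later to IPV4_ADDR, whereas the router names its ID sections per address family (lid-0.0.0.0/0, lid-::/0). The sample dumps are constructed excerpts of the output in this message and assume one entry per line, as ipsecctl prints it before mail wrapping.

```python
import re
from collections import defaultdict

# Constructed excerpt of the laptop's `ipsecctl -nvf` dump from this thread,
# reduced to the lines that touch the shared lid-ipw0 section.
LAPTOP_DUMP = """\
C set [IPsec-ipw0-::/0]:Local-ID=lid-ipw0 force
C set [lid-ipw0]:ID-type=IPV6_ADDR force
C set [lid-ipw0]:Address=ipw0 force
C add [Phase 2]:Connections=IPsec-ipw0-::/0
C set [IPsec-ipw0-0.0.0.0/0]:Local-ID=lid-ipw0 force
C set [lid-ipw0]:ID-type=IPV4_ADDR force
C set [lid-ipw0]:Address=ipw0 force
C add [Phase 2]:Connections=IPsec-ipw0-0.0.0.0/0
"""

# Constructed excerpt of the router's dump: one ID section per address family.
ROUTER_DUMP = """\
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Local-ID=lid-0.0.0.0/0 force
C set [lid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [IPsec-::/0-::/0]:Local-ID=lid-::/0 force
C set [lid-::/0]:ID-type=IPV6_ADDR_SUBNET force
"""

# "C <op> [section]:tag=value [force]" -- section names may contain ':' and '/'.
LINE_RE = re.compile(
    r"^C (?P<op>set|add) \[(?P<section>[^\]]+)\]:(?P<tag>[^=]+)=(?P<value>.*?)(?: force)?$"
)


def parse_dump(text):
    """Return {(section, tag): [(op, value), ...]} in order of appearance."""
    seen = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # lines that are not config commands are ignored
            seen[(m["section"], m["tag"])].append((m["op"], m["value"]))
    return seen


def find_conflicts(text):
    """Tags 'set' to more than one distinct value: a later 'set' overwrites the
    earlier one, so every connection naming that section ends up with the last
    value. 'add' entries are cumulative and therefore not counted."""
    conflicts = {}
    for key, assignments in parse_dump(text).items():
        values = []
        for op, val in assignments:
            if op == "set" and val not in values:
                values.append(val)
        if len(values) > 1:
            conflicts[key] = values
    return conflicts
```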
