Hi.
I'm trying to establish an IPv6 IPSec tunnel using IKEv2. I'm seeing the
Strongswan host firing the policy but the remote peer never receives the ISAKMP
packet. Looking at the trace it reveals that the IPv6 neighbor discovery is
failing. I suspect that the Ubuntu host might be treating the ICMP6 request as
part of the default allow all policy. To test this theory I disable IPSec on
the Strongswan host and the remote peer. When I do this, each host can ping
each other fine. I then quickly enable IPSec and I can get the IPSec tunnel up
between the two hosts (which should validate the config entries). At least
until the ARP entry expires. And then I'm back to no longer establishing IPSec
between the peers.
I've done some research indicating that I should accommodate the discovery in
IPTables, but I'm not using the firewall, which explains why it works when
IPSec is disabled. Is there a bit in ipsec.conf that can account for neighbor
discovery outside of the IPSec policy (assuming this is what is really going
on)? There is some urgency behind this question so anything anybody could do
to help would be greatly appreciated. Thanks in advance.
Strongswan log entries with IPSec enabled:
Jan 24 09:06:11 gyaos6-PowerEdge-R610 charon: 01[KNL] creating acquire job for policy fc00:2518::221:9bff:fe98:854b/128[udp/60525] === fc00:2518::10:125:56:9/128[udp/1025] with reqid {10}
Jan 24 09:06:11 gyaos6-PowerEdge-R610 charon: 11[IKE] initiating IKE_SA ubuntu-gamera9_ipv6_wka[1] to fc00:2518::10:125:56:9
Jan 24 09:06:11 gyaos6-PowerEdge-R610 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 24 09:06:11 gyaos6-PowerEdge-R610 charon: 11[NET] sending packet: from fc00:2518::221:9bff:fe98:854b[500] to fc00:2518::10:125:56:9[500]
Jan 24 09:06:15 gyaos6-PowerEdge-R610 charon: 12[IKE] retransmit 1 of request with message ID 0
Jan 24 09:06:15 gyaos6-PowerEdge-R610 charon: 12[NET] sending packet: from fc00:2518::221:9bff:fe98:854b[500] to fc00:2518::10:125:56:9[500]
Jan 24 09:06:22 gyaos6-PowerEdge-R610 charon: 13[IKE] retransmit 2 of request with message ID 0
Jan 24 09:06:22 gyaos6-PowerEdge-R610 charon: 13[NET] sending packet: from fc00:2518::221:9bff:fe98:854b[500] to fc00:2518::10:125:56:9[500]
# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
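An added example, not part of the original post and not a file from the strongSwan project, showing the ipsec.conf mechanism that addresses the question asked above: a passthrough connection that keeps ICMPv6 (IP protocol 58, which carries neighbor solicitation and advertisement) outside the IPsec policies, so the neighbor cache can be refreshed while the tunnel policies for the peer stay installed. The connection name `bypass-nd` is an assumption; the keywords are standard ipsec.conf settings.

```ini
# Added example: a bypass ("passthrough") connection for ICMPv6 in ipsec.conf.
# The connection name is an assumption. ICMPv6 carries neighbor discovery
# (RFC 4861), so excluding it from IPsec lets neighbor solicitations and
# advertisements cross the link in the clear even while trap/tunnel policies
# for the peer are installed with auto=route.
conn bypass-nd
    # Cover all IPv6 addresses: ND normally uses link-local (fe80::/10)
    # sources and solicited-node multicast (ff02::1:ff00:0/104) destinations,
    # but a solicitation may also be sent from a global address, which is the
    # case a narrow tunnel policy would otherwise catch.
    leftsubnet=::/0
    rightsubnet=::/0
    # Limit the bypass to protocol 58 (ipv6-icmp); every other protocol still
    # matches the regular tunnel policies.
    leftprotoport=58
    rightprotoport=58
    # A passthrough conn is a kernel policy only, not an IKE peer.
    authby=never
    type=passthrough
    auto=route
```

After `ipsec reload` (or a daemon restart), `ip -6 xfrm policy` should list in/out/fwd entries for protocol 58 (ipv6-icmp); strongSwan installs passthrough policies at a higher priority than trap and tunnel policies, so they match first. With the tunnel up, `ip -6 neigh show` should keep showing the peer as REACHABLE or STALE rather than FAILED once the old entry ages out, which is the symptom described in the post.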