Re: [strongSwan] IPV6 'connection' bug? (in 4.3.3 with linux 2.6.21)
Hi all,

I progressed much further. I had to manually load additional modules for IPV6 operation
(For IPv4 type, ipsec automatically loads 'ah4, esp4, tunnel4, xfrm4_tunnel')

modprobe ah6
modprobe esp6
modprobe tunnel6
modprobe xfrm6_tunnel

Are there any other modules that I need to load for IPV6?

Yong Choo wrote:
> Hi,
> I'm getting the following errors on my linux 2.6.21 based using
> strongswan 4.3.3 version:
> Any Help would be appreciated! (The host that I'm communicating with has
> 2.6.27 and it has no problem)
>
> I configured/checked all required IPV6 kernel protocols in linux 2.6.21
> as defined in the installation document url also.
>
> eCCM-root-/etc> ipsec up enb12v6
> initiating IKE_SA enb12v6[1] to fd00::410:172:21:10:181
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from fd00::410:172:21:10:12[500] to
> fd00::410:172:21:10:181[500]
> received packet: from fd00::410:172:21:10:181[500] to
> fd00::410:172:21:10:12[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(MULT_AUTH) ]
> authentication of 'fd00::410:172:21:10:12' (myself) with pre-shared key
> establishing CHILD_SA enb12v6
> generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) ]
> sending packet: from fd00::410:172:21:10:12[500] to
> fd00::410:172:21:10:181[500]
> received packet: from fd00::410:172:21:10:181[500] to
> fd00::410:172:21:10:12[500]
> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
> authentication of 'fd00::410:172:21:10:181' with pre-shared key successful
> scheduling rekeying in 50s
> maximum IKE_SA lifetime 370s
> IKE_SA enb12v6[1] established between
> fd00::410:172:21:10:12[fd00::410:172:21:10:12]...fd00::410:172:21:10:181[fd00::410:172:21:10:181]
> received netlink error: Protocol not supported (93)
> unable to add SAD entry with SPI c05a60aa
> received netlink error: Protocol not supported (93)
> unable to add SAD entry with SPI c48cd085
> unable to install inbound and outbound IPsec SA (SAD) in kernel
>
>
> The ipsec.conf has the following entries:
>
> config setup
>     plutostart=no
>
> conn %default
>     auth=esp
>     dpdaction=restart
>     dpddelay=50s
>     esp=aes128-sha1-modp1024,3des-sha1-modp1024
>     forceencaps=no
>     ike=aes128-sha-modp1024,3des-sha-modp1024
>     ikelifetime=500s
>     installpolicy=yes
>     keyexchange=ikev2
>     keyingtries=%forever
>     keylife=400s
>     mobike=no
>     pfs=yes
>     reauth=no
>     rekey=yes
>     rekeymargin=320s
>     type=tunnel
>     leftauth=psk
>     rightauth=psk
>
> config setup
>     plutostart=no
>
> conn %default
>     auth=esp
>     dpdaction=restart
>     dpddelay=50s
>     esp=aes128-sha1-modp1024,3des-sha1-modp1024
>     forceencaps=no
>     ike=aes128-sha-modp1024,3des-sha-modp1024
>     ikelifetime=500s
>     installpolicy=yes
>     keyexchange=ikev2
>     keyingtries=%forever
>     keylife=400s
>     mobike=no
>     pfs=yes
>     reauth=no
>     rekey=yes
>     rekeymargin=320s
>     type=tunnel
>     leftauth=psk
>     rightauth=psk
>
> conn enb12v4
>     left=135.112.41.22
>     right=135.112.40.181
>     auto=add
> conn enb12v6
>     left=fd00:::410:172:21:10:12
>     #leftsourceip=fd00:::410:172:21:10:12
>     leftsubnet=fd00::12/64
>     right=fd00:::410:172:21:10:181
>     rightsubnet=fd00::181/64
>     auto=add
>
> conn enb12v6
>     left=fd00:::410:172:21:10:12
>     #leftsourceip=fd00:::410:172:21:10:12
>     leftsubnet=fd00::12/64
>     right=fd00:::410:172:21:10:181
>     rightsubnet=fd00::181/64
>
>     auto=add

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] IPV6 'connection' bug? (in 4.3.3 with linux 2.6.21)
Hello,

I'm not the very specialist on 2.6.21, but when I see the following, it makes me some trouble:

On Wednesday 24 March 2010 16:35:40 Yong Choo wrote:
> conn enb12v6
>     left=fd00:::410:172:21:10:12
>     leftsubnet=fd00::12/64
>     right=fd00:::410:172:21:10:181
>     rightsubnet=fd00::181/64
>     auto=add

Please f.e, if you use expanded IPv6 addresses, then you can see immediately: You have the same /64 on both ends. Hmm. You probably will have other trouble after the kernel accepts the IKE SAs.

From my experience using IPv4, leftsubnet and rightsubnet better are disjunct.

Did you mean /128 ? (for left- and rightsubnet)

Greetings,
Johannes
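Added example (not part of the original thread and not strongSwan code): a small Python check for the point raised in the reply above, that both traffic selectors fall in the same /64. The sample config is constructed from the subnets quoted in the thread; the conn name enb12v6_host and the helper names are hypothetical.

```python
import ipaddress

# Constructed sample: the enb12v6 subnets from the thread, plus the /128
# variant suggested in the reply (conn name enb12v6_host is hypothetical).
SAMPLE_CONF = """\
conn enb12v6
    leftsubnet=fd00::12/64
    rightsubnet=fd00::181/64
    auto=add

conn enb12v6_host
    leftsubnet=fd00::12/128
    rightsubnet=fd00::181/128
    auto=add
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None  # ignore "config setup" options
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def check_selectors(text):
    """Report, per conn, the effective networks and whether they overlap."""
    report = {}
    for name, opts in parse_conns(text).items():
        if "leftsubnet" not in opts or "rightsubnet" not in opts:
            continue
        # strict=False masks the host bits, giving the prefix each value covers.
        left = ipaddress.ip_network(opts["leftsubnet"], strict=False)
        right = ipaddress.ip_network(opts["rightsubnet"], strict=False)
        report[name] = {"left": str(left), "right": str(right),
                        "overlap": left.overlaps(right)}
    return report


if __name__ == "__main__":
    for name, result in check_selectors(SAMPLE_CONF).items():
        print(name, result)
```

With the /64 values both sides reduce to fd00::/64 and overlap; with /128 they are distinct host selectors.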
[strongSwan] IPV6 'connection' bug? (in 4.3.3 with linux 2.6.21)
Hi,
I'm getting the following errors on my linux 2.6.21 based using strongswan 4.3.3 version:
Any Help would be appreciated! (The host that I'm communicating with has 2.6.27 and it has no problem)

I configured/checked all required IPV6 kernel protocols in linux 2.6.21 as defined in the installation document url also.

eCCM-root-/etc> ipsec up enb12v6
initiating IKE_SA enb12v6[1] to fd00::410:172:21:10:181
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of 'fd00::410:172:21:10:12' (myself) with pre-shared key
establishing CHILD_SA enb12v6
generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) ]
sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
authentication of 'fd00::410:172:21:10:181' with pre-shared key successful
scheduling rekeying in 50s
maximum IKE_SA lifetime 370s
IKE_SA enb12v6[1] established between fd00::410:172:21:10:12[fd00::410:172:21:10:12]...fd00::410:172:21:10:181[fd00::410:172:21:10:181]
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI c05a60aa
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI c48cd085
unable to install inbound and outbound IPsec SA (SAD) in kernel

The ipsec.conf has the following entries:

config setup
    plutostart=no

conn %default
    auth=esp
    dpdaction=restart
    dpddelay=50s
    esp=aes128-sha1-modp1024,3des-sha1-modp1024
    forceencaps=no
    ike=aes128-sha-modp1024,3des-sha-modp1024
    ikelifetime=500s
    installpolicy=yes
    keyexchange=ikev2
    keyingtries=%forever
    keylife=400s
    mobike=no
    pfs=yes
    reauth=no
    rekey=yes
    rekeymargin=320s
    type=tunnel
    leftauth=psk
    rightauth=psk

config setup
    plutostart=no

conn %default
    auth=esp
    dpdaction=restart
    dpddelay=50s
    esp=aes128-sha1-modp1024,3des-sha1-modp1024
    forceencaps=no
    ike=aes128-sha-modp1024,3des-sha-modp1024
    ikelifetime=500s
    installpolicy=yes
    keyexchange=ikev2
    keyingtries=%forever
    keylife=400s
    mobike=no
    pfs=yes
    reauth=no
    rekey=yes
    rekeymargin=320s
    type=tunnel
    leftauth=psk
    rightauth=psk

conn enb12v4
    left=135.112.41.22
    right=135.112.40.181
    auto=add

conn enb12v6
    left=fd00:::410:172:21:10:12
    #leftsourceip=fd00:::410:172:21:10:12
    leftsubnet=fd00::12/64
    right=fd00:::410:172:21:10:181
    rightsubnet=fd00::181/64
    auto=add

conn enb12v6
    left=fd00:::410:172:21:10:12
    #leftsourceip=fd00:::410:172:21:10:12
    leftsubnet=fd00::12/64
    right=fd00:::410:172:21:10:181
    rightsubnet=fd00::181/64
    auto=add