Hi Everyone, I am resending the message again.
Phase 2 negotiation fails with IPv6 traffic. Is this a bug in strongswan 5.0.1 or a configuration issue? The same deployment works with IKEv2, which is why I suspect this may be a strongswan bug. I appreciate any help.

Thanks!
Jordan.

On Fri, May 31, 2013 at 10:24 AM, yordanos beyene <[email protected]> wrote:

> Hi SS Team,
>
> I am running strongswan 5.0.1, and I cannot pass icmp6 traffic with IKEv1. It creates the IKE SA but it fails to create the CHILD_SA. The same configuration works fine with IKEv2.
>
> I have the configuration and log details below for IKEv1 and IKEv2. Please let me know if this is a bug in the strongswan code, and any tips to resolve the issue.
>
> Here is my deployment:
>
> pc1(2006::2)----(2006::1)strongswan(eth13:2003::2)---(eth13:2003::1)strongswan(2005::1)----(2005::2)pc2
>
> I initiated icmp6 traffic from 2005::2 to 2006::2.
>
> Below is the ipsec statusall output for IKEv1. It fails to create the CHILD_SA.
> ...
> Listening IP addresses:
> 10.243.10.142
> 7.1.1.2
> 2005::1
> 192.168.1.1
> 2003::1
> 11.1.1.2
> Connections:
> ipv6_pol: 2003::1...2003::2 IKEv1
> ipv6_pol: local: [2003::1] uses pre-shared key authentication
> ipv6_pol: remote: [2003::2] uses pre-shared key authentication
> ipv6_pol: child: 2005::/64 === 2006::/64 TUNNEL
> Routed Connections:
> ipv6_pol{2}: ROUTED, TUNNEL
> ipv6_pol{2}: 2005::/64 === 2006::/64
> Security Associations (1 up, 0 connecting):
> ipv6_pol[2]: ESTABLISHED 3 minutes ago, 2003::1[2003::1]...2003::2[2003::2]
> ipv6_pol[2]: IKEv1 SPIs: 55de706622696d07_i 3e835d9a72111fcf_r*, rekeying in 23 hours
> ipv6_pol[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>
> Below is the vpn log for IKEv1.
> ...
> 2013-05-31 14:54:54.110 [CHARON-INFO:] "14[NET] sending packet: from 2003::1[500] to 2003::2[500]"
> 2013-05-31 14:54:54.115 [CHARON-INFO:] "04[NET] received packet: from 2003::2[500] to 2003::1[500]"
> 2013-05-31 14:54:54.115 [CHARON-INFO:] "04[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]"
> 2013-05-31 14:54:54.125 [CHARON-INFO:] "04[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]"
> 2013-05-31 14:54:54.125 [CHARON-INFO:] "04[NET] sending packet: from 2003::1[500] to 2003::2[500]"
> 2013-05-31 14:54:54.130 [CHARON-INFO:] "12[NET] received packet: from 2003::2[500] to 2003::1[500]"
> 2013-05-31 14:54:54.130 [CHARON-INFO:] "12[ENC] parsed ID_PROT request 0 [ ID HASH ]"
> 2013-05-31 14:54:54.130 [CHARON-INFO:] "12[CFG] looking for pre-shared key peer configs matching 2003::1...2003::2[2003::2]"
> 2013-05-31 14:54:54.130 [CHARON-INFO:] "12[LIB] resolving '7.1.1.2' failed: Address family for hostname not supported"
> 2013-05-31 14:54:54.130 [CHARON-INFO:] "12[CFG] selected peer config "ipv6_pol""
> 2013-05-31 14:54:54.130 [CHARON-INFO:] "12[IKE] IKE_SA ipv6_pol[2] established between 2003::1[2003::1]...2003::2[2003::2]"
> 2013-05-31 14:54:54.130 [CHARON-INFO:] "12[IKE] IKE_SA ipv6_pol[2] established between 2003::1[2003::1]...2003::2[2003::2]"
> 2013-05-31 14:54:54.130 [CHARON-INFO:] "12[IKE] scheduling rekeying in 85913s"
> 2013-05-31 14:54:54.130 [CHARON-INFO:] "12[IKE] maximum IKE_SA lifetime 86273s"
> 2013-05-31 14:54:54.130 [CHARON-INFO:] "12[ENC] generating ID_PROT response 0 [ ID HASH ]"
> 2013-05-31 14:54:54.130 [CHARON-INFO:] "12[NET] sending packet: from 2003::1[500] to 2003::2[500]"
> 2013-05-31 14:54:54.131 [CHARON-INFO:] "08[NET] received packet: from 2003::2[500] to 2003::1[500]"
> 2013-05-31 14:54:54.131 [CHARON-INFO:] "08[ENC] parsed QUICK_MODE request 142098601 [ HASH SA No ID ID ]"
> 2013-05-31 14:54:54.131 [CHARON-INFO:] "08[IKE] no matching CHILD_SA config found"
> 2013-05-31 14:54:54.131 [CHARON-INFO:] "08[ENC] generating INFORMATIONAL_V1 request 335657404 [ HASH N(INVAL_ID) ]"
> 2013-05-31 14:54:54.131 [CHARON-INFO:] "08[NET] sending packet: from 2003::1[500] to 2003::2[500]"
>
> ====
>
> The same deployment works fine with IKEv2. Below are the configuration and log details with IKEv2. I was able to pass icmp6 traffic from 2005::2 to 2006::2 and vice versa.
> ...
> Listening IP addresses:
> 10.243.10.142
> 7.1.1.2
> 2005::1
> 192.168.1.1
> 2003::1
> 11.1.1.2
> Connections:
> ipv6_pol: 2003::1...2003::2 IKEv2
> ipv6_pol: local: [2003::1] uses pre-shared key authentication
> ipv6_pol: remote: [2003::2] uses pre-shared key authentication
> ipv6_pol: child: 2005::/64 === 2006::/64 TUNNEL
> Routed Connections:
> ipv6_pol{3}: ROUTED, TUNNEL
> ipv6_pol{3}: 2005::/64 === 2006::/64
> Security Associations (1 up, 0 connecting):
> ipv6_pol[3]: ESTABLISHED 5 minutes ago, 2003::1[2003::1]...2003::2[2003::2]
> ipv6_pol[3]: IKEv2 SPIs: d5d7908b1732b398_i b4a6a238fa83f36e_r*, rekeying in 23 hours
> ipv6_pol[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> ipv6_pol{4}: INSTALLED, TUNNEL, ESP SPIs: c50c9007_i c5a02777_o
> ipv6_pol{4}: AES_CBC_128/HMAC_SHA1_96, 3948 bytes_i, 312 bytes_o (252s ago), rekeying in 43 minutes
> ipv6_pol{4}: 2005::/64 === 2006::/64
>
> =log
> ...
> 2013-05-31 15:05:17.721 [CHARON-INFO:] "02[NET] sending packet: from 2003::1[500] to 2003::2[500]"
> 2013-05-31 15:05:17.727 [CHARON-INFO:] "06[NET] received packet: from 2003::2[4500] to 2003::1[4500]"
> 2013-05-31 15:05:17.727 [CHARON-INFO:] "06[CFG] looking for peer configs matching 2003::1[2003::1]...2003::2[2003::2]"
> 2013-05-31 15:05:17.727 [CHARON-INFO:] "06[LIB] resolving '7.1.1.2' failed: Address family for hostname not supported"
> 2013-05-31 15:05:17.727 [CHARON-INFO:] "06[CFG] selected peer config 'ipv6_pol'"
> 2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] authentication of '2003::2' with pre-shared key successful"
> 2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] peer supports MOBIKE"
> 2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] authentication of '2003::1' (myself) with pre-shared key"
> 2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] IKE_SA ipv6_pol[3] established between 2003::1[2003::1]...2003::2[2003::2]"
> 2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] IKE_SA ipv6_pol[3] established between 2003::1[2003::1]...2003::2[2003::2]"
> 2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] scheduling rekeying in 85779s"
> 2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] maximum IKE_SA lifetime 86139s"
> 2013-05-31 15:05:17.728 [CHARON-INFO:] "06[IKE] CHILD_SA ipv6_pol{4} established with SPIs c50c9007_i c5a02777_o and TS 2005::/64 === 2006::/64 "
> 2013-05-31 15:05:17.728 [CHARON-INFO:] "06[IKE] CHILD_SA ipv6_pol{4} established with SPIs c50c9007_i c5a02777_o and TS 2005::/64 === 2006::/64 "
> 2013-05-31 15:05:17.728 [CHARON-INFO:] "06[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]"
> 2013-05-31 15:05:17.728 [CHARON-INFO:] "06[NET] sending packet: from 2003::1[4500] to 2003::2[4500]"
>
>
> Thanks!
> Jordan.
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
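A small triage script for charon excerpts like the two quoted in the mail above (an added example, not code from the poster or from strongSwan): it assumes the poster's log front end wraps charon's usual `NN[SUBSYS] message` text in `<timestamp> [CHARON-INFO:] "..."`, and reports whether a run stopped after the IKE_SA (the IKEv1 case, where Quick Mode is answered with INVAL_ID) or went on to install a CHILD_SA (the IKEv2 case).

```python
import re
# Line shape quoted in the mail: charon's own 'NN[SUBSYS] message' inside the poster's
# '<timestamp> [CHARON-INFO:] "..."' wrapper (an assumption about their log front end).
LINE_RE = re.compile(r'^\S+ \S+ \[CHARON-INFO:\] "(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)"$')
IKE_RE = re.compile(r'IKE_SA (?P<sa>\S+) established between')
CHILD_RE = re.compile(r'CHILD_SA (?P<sa>\S+) established with SPIs \S+ \S+ and TS (?P<ts>\S+ === \S+)')

def triage(lines):
    """Walk a charon excerpt in order and record how far the negotiation got."""
    s = {'ike_sa': None, 'child_sa': None, 'ts': None,
         'quick_mode_rejected': False, 'inval_id_sent': False, 'resolver_noise': 0}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                         # unrelated, wrapped or truncated line
        msg = m['msg']
        if (ike := IKE_RE.search(msg)):
            s['ike_sa'] = ike['sa']          # phase 1 / IKE_SA complete
        elif (child := CHILD_RE.search(msg)):
            s['child_sa'], s['ts'] = child['sa'], child['ts']   # phase 2 installed
        elif 'no matching CHILD_SA config found' in msg:
            s['quick_mode_rejected'] = True  # responder found no child config for the IDs
        elif 'N(INVAL_ID)' in msg:
            s['inval_id_sent'] = True        # and told the peer so
        elif 'Address family for hostname not supported' in msg:
            s['resolver_noise'] += 1         # appears in both runs above, so not the cause
    return s

def verdict(s):
    """One-line diagnosis from the triage record."""
    if s['child_sa']:
        return f"ok: {s['child_sa']} installed for TS {s['ts']}"
    if s['ike_sa'] and s['quick_mode_rejected']:
        return (f"phase 2 failed on {s['ike_sa']}: Quick Mode IDs matched no child config"
                + (" (INVAL_ID sent to peer)" if s['inval_id_sent'] else "")
                + "; compare the IDs the initiator offers with this side's child selectors")
    if s['ike_sa']:
        return f"{s['ike_sa']} up, no CHILD_SA negotiated in this excerpt"
    return "no IKE_SA established in this excerpt"

# Sample excerpts, copied from the two logs quoted in the mail above.
IKEV1_LOG = [
    '2013-05-31 14:54:54.130 [CHARON-INFO:] "12[LIB] resolving \'7.1.1.2\' failed: Address family for hostname not supported"',
    '2013-05-31 14:54:54.130 [CHARON-INFO:] "12[IKE] IKE_SA ipv6_pol[2] established between 2003::1[2003::1]...2003::2[2003::2]"',
    '2013-05-31 14:54:54.131 [CHARON-INFO:] "08[IKE] no matching CHILD_SA config found"',
    '2013-05-31 14:54:54.131 [CHARON-INFO:] "08[ENC] generating INFORMATIONAL_V1 request 335657404 [ HASH N(INVAL_ID) ]"',
]
IKEV2_LOG = [
    '2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] IKE_SA ipv6_pol[3] established between 2003::1[2003::1]...2003::2[2003::2]"',
    '2013-05-31 15:05:17.728 [CHARON-INFO:] "06[IKE] CHILD_SA ipv6_pol{4} established with SPIs c50c9007_i c5a02777_o and TS 2005::/64 === 2006::/64 "',
]
```

The resolver warning about '7.1.1.2' is counted separately because it shows up in both the failing IKEv1 run and the working IKEv2 run, so it is not what distinguishes them.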
