From: Andy T. <and...@gm...> - 2007-08-30 05:08:35
Regarding 6 below:

6. IPv6 ICMP ping to a remote system over IPSec does not get sent (Andy Tang)

Could anyone offer a reason?

On 8/27/07, ips...@li...
>
> ------------------------------
>
> Message: 6
> Date: Mon, 27 Aug 2007 19:39:56 -0700
> From: "Andy Tang" <and...@gm...>
> Subject: [Ipsec-tools-devel] IPv6 ICMP ping to a remote system over
> IPSec does not get sent
> To: ipsec-tools-devel <ips...@li...>
> Message-ID:
> <48d...@ma...>
> Content-Type: text/plain; charset="utf-8"
>
> I configured my racoon using the file attached and added the following SPD
> using setkey.cf:
>
> flush;
> spdflush;
> spdadd 192.168.1.103 192.168.1.100 any -P out ipsec
> esp/transport//require ;
> spdadd 192.168.1.100 192.168.1.103 any -P in ipsec
> esp/transport//require ;
> spdadd 2001:4898:28:3:20b:cdff:feb4:6338 2001:4898:28:3:20e:a6ff:feb1:2df3
> any -P out ipsec
> esp/transport//require ;
> spdadd 2001:4898:28:3:20e:a6ff:feb1:2df3 2001:4898:28:3:20b:cdff:feb4:6338
> any -P in ipsec
> esp/transport//require ;
>
> Next, I attempted to
>
> ping6 2001:4898:28:3:20e:a6ff:feb1:2df3
>
> However, I did not see an IKE negotiation packet going out to the
> destination server.
> The racoon contains the following trace info:
>
> 2007-08-27 19:02:26: DEBUG: suitable outbound SP found:
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0]
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] proto=any dir=out.
> 2007-08-27 19:02:26: DEBUG: sub:0xbff04648:
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0]
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
> 2007-08-27 19:02:26: DEBUG: db :0x82f2578: 192.168.1.103/32[0]
> 192.168.1.100/32[0] proto=any dir=out
> 2007-08-27 19:02:26: DEBUG: sub:0xbff04648:
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0]
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
> 2007-08-27 19:02:26: DEBUG: db :0x82f34c8: 192.168.1.100/32[0]
> 192.168.1.103/32[0] proto=any dir=in
> 2007-08-27 19:02:26: DEBUG: sub:0xbff04648:
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0]
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
> 2007-08-27 19:02:26: DEBUG: db :0x82f4418: 192.168.1.100/32[0]
> 192.168.1.103/32[0] proto=any dir=fwd
> 2007-08-27 19:02:26: DEBUG: sub:0xbff04648:
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0]
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
> 2007-08-27 19:02:26: DEBUG: db :0x82f5368: 192.168.1.103/32[0]
> 192.168.1.104/32[0] proto=any dir=out
> 2007-08-27 19:02:26: DEBUG: sub:0xbff04648:
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0]
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
> 2007-08-27 19:02:26: DEBUG: db :0x82f62b8: 192.168.1.104/32[0]
> 192.168.1.103/32[0] proto=any dir=in
> 2007-08-27 19:02:26: DEBUG: sub:0xbff04648:
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0]
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
> 2007-08-27 19:02:26: DEBUG: db :0x82f7208: 192.168.1.104/32[0]
> 192.168.1.103/32[0] proto=any dir=fwd
> 2007-08-27 19:02:26: DEBUG: sub:0xbff04648:
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0]
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
> 2007-08-27 19:02:26: DEBUG: db :0x82f8158:
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0]
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] proto=any dir=out
> 2007-08-27 19:02:26: DEBUG: sub:0xbff04648:
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0]
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
> 2007-08-27 19:02:26: DEBUG: db :0x82f90a8:
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0]
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
> 2007-08-27 19:02:26: DEBUG: suitable inbound SP found:
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0]
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in.
> 2007-08-27 19:02:26: DEBUG: new acquire
> 2001:4898:28:3:20b:cdff:feb4:6338/128[0]
> 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] proto=any dir=out
> 2007-08-27 19:02:26: DEBUG: anonymous sainfo selected.
> 2007-08-27 19:02:26: DEBUG: (proto_id=ESP spisize=4 spi=00000000
> spi_p=00000000 encmode=Transport reqid=0:0)
> 2007-08-27 19:02:26: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
> 2007-08-27 19:02:26: DEBUG: anonymous configuration selected for
> 2001:4898:28:3:20e:a6ff:feb1:2df3.
> 2007-08-27 19:02:26: INFO: IPsec-SA request for
> 2001:4898:28:3:20e:a6ff:feb1:2df3 queued due to no phase1 found.
> 2007-08-27 19:02:26: DEBUG: ===
> 2007-08-27 19:02:26: INFO: initiate new phase 1 negotiation:
>
> 2001:4898:28:3:20b:cdff:feb4:6338[500]<=>2001:4898:28:3:20e:a6ff:feb1:2df3[500]
> 2007-08-27 19:02:26: INFO: begin Identity Protection mode.
> 2007-08-27 19:02:26: DEBUG: new cookie:
> 352d18c8c4d0807a
> 2007-08-27 19:02:26: DEBUG: add payload of len 48, next type 13
> 2007-08-27 19:02:26: DEBUG: add payload of len 16, next type 0
> 2007-08-27 19:02:26: DEBUG: 100 bytes from
> 2001:4898:28:3:20b:cdff:feb4:6338[500] to
> 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
> 2007-08-27 19:02:26: DEBUG: sockname
> 2001:4898:28:3:20b:cdff:feb4:6338[500]
> 2007-08-27 19:02:26: DEBUG: send packet from
> 2001:4898:28:3:20b:cdff:feb4:6338[500]
> 2007-08-27 19:02:26: DEBUG: send packet to
> 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
> 2007-08-27 19:02:26: DEBUG: src6 2001:4898:28:3:20b:cdff:feb4:6338[500] 0
> 2007-08-27 19:02:26: DEBUG: dst6 2001:4898:28:3:20e:a6ff:feb1:2df3[500] 0
> 2007-08-27 19:02:26: DEBUG: 1 times of 100 bytes message will be sent to
> 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
> 2007-08-27 19:02:26: DEBUG:
> 352d18c8 c4d0807a 00000000 00000000 01100200 00000000 00000064 0d000034
> 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c012c
> 80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
> 77570100
> 2007-08-27 19:02:26: DEBUG: resend phase1 packet
> 352d18c8c4d0807a:0000000000000000
> 2007-08-27 19:02:36: DEBUG: 100 bytes from
> 2001:4898:28:3:20b:cdff:feb4:6338[500] to
> 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
> 2007-08-27 19:02:36: DEBUG: sockname
> 2001:4898:28:3:20b:cdff:feb4:6338[500]
> 2007-08-27 19:02:36: DEBUG: send packet from
> 2001:4898:28:3:20b:cdff:feb4:6338[500]
> 2007-08-27 19:02:36: DEBUG: send packet to
> 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
> 2007-08-27 19:02:36: DEBUG: src6 2001:4898:28:3:20b:cdff:feb4:6338[500] 0
> 2007-08-27 19:02:36: DEBUG: dst6 2001:4898:28:3:20e:a6ff:feb1:2df3[500] 0
> 2007-08-27 19:02:36: DEBUG: 1 times of 100 bytes message will be sent to
> 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
> 2007-08-27 19:02:36: DEBUG:
>
> 2007-08-27 19:02:26: DEBUG: resend phase1 packet
> 352d18c8c4d0807a:0000000000000000
> 2007-08-27 19:02:36: DEBUG: 100 bytes from
> 2001:4898:28:3:20b:cdff:feb4:6338[500] to
> 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
> 2007-08-27 19:02:36: DEBUG: sockname
> 2001:4898:28:3:20b:cdff:feb4:6338[500]
> 2007-08-27 19:02:36: DEBUG: send packet from
> 2001:4898:28:3:20b:cdff:feb4:6338[500]
> 2007-08-27 19:02:36: DEBUG: send packet to
> 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
> 2007-08-27 19:02:36: DEBUG: src6 2001:4898:28:3:20b:cdff:feb4:6338[500] 0
> 2007-08-27 19:02:36: DEBUG: dst6 2001:4898:28:3:20e:a6ff:feb1:2df3[500] 0
> 2007-08-27 19:02:36: DEBUG: 1 times of 100 bytes message will be sent to
> 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
> 2007-08-27 19:02:36: DEBUG:
> 352d18c8 c4d0807a 00000000 00000000 01100200 00000000 00000064 0d000034
> 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c012c
> 80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
> 77570100
>
> According to the line trace, there appeared to be ICMPv6 neighbor
> solicitation to the destination node with no IKE packet sent. Is there a
> reason why this is happening?
>
> I tried with the "ping <v4-address of the same target>" and the IKE MAIN
> MODE INIT was initiated to the target using the IPv4 address. Any reason
> why the IPv4 works but not for IPv6?
>
> --
> via GMAIL
> -------------- next part --------------
> An HTML attachment was scrubbed...
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: racoon.conf
> Type: application/octet-stream
> Size: 546 bytes
> Desc: not available
>

--
via GMAIL
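
The 100-byte hex dump in the racoon trace above is the first phase 1 message. As an added example (not part of the original post and not ipsec-tools code), this Python decoder walks its ISAKMP header, payload chain and transform attributes. It assumes one proposal with one transform, and its name tables cover only the values present in this dump.

```python
import struct

# Hex dump copied from the racoon DEBUG trace quoted above (25 words = 100 bytes).
DUMP = """
352d18c8 c4d0807a 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c012c
80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
"""
PAYLOAD = {1: "SA", 13: "Vendor ID"}
EXCHANGE = {2: "Identity Protection", 4: "Aggressive"}
# Phase 1 attribute classes and the values used in this proposal (RFC 2409, Appendix A).
ATTR = {1: ("encryption", {5: "3DES-CBC"}), 2: ("hash", {2: "SHA"}),
        3: ("auth", {1: "pre-shared key"}), 4: ("group", {2: "MODP-1024"}),
        11: ("life_type", {1: "seconds"}), 12: ("life_duration", {})}

def parse_attrs(data):
    """Decode fixed-length (TV) attributes; stop at the first variable-length one."""
    out = {}
    for i in range(0, len(data) - 3, 4):
        atype, value = struct.unpack("!HH", data[i:i + 4])
        if not atype & 0x8000:
            break
        name, names = ATTR.get(atype & 0x7FFF, (atype & 0x7FFF, {}))
        out[name] = names.get(value, value)
    return out

def parse_isakmp(raw):
    """Decode the ISAKMP header, the payload chain and the first transform of the SA."""
    icookie, rcookie, nxt, ver, xchg, _flags, _msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    msg = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "version": f"{ver >> 4}.{ver & 15}",
           "exchange": EXCHANGE.get(xchg, xchg), "length": length, "payloads": [], "attrs": {}}
    off = 28
    while nxt:
        following, _, plen = struct.unpack("!BBH", raw[off:off + 4].ljust(4, b"\0"))
        if plen < 4 or off + plen > len(raw):  # also catches a truncated payload header
            raise ValueError("payload length runs past the packet")
        body = raw[off + 4:off + plen]
        msg["payloads"].append((PAYLOAD.get(nxt, nxt), plen))
        if nxt == 1 and len(body) >= 24:
            t = 16 + body[14]  # DOI + situation + proposal header + SPI (size in byte 14)
            tlen = int.from_bytes(body[t + 2:t + 4], "big")
            msg["attrs"] = parse_attrs(body[t + 8:t + tlen])
        elif nxt == 13:
            msg["vendor_id"] = body.hex()
        nxt, off = following, off + plen
    return msg

MSG = parse_isakmp(bytes.fromhex("".join(DUMP.split())))
```

`MSG` shows an all-zero responder cookie and a 3DES / SHA / pre-shared-key / group 2 proposal with a 300-second lifetime, followed by the RFC 3706 DPD vendor ID. The dump logged at 19:02:36 is byte-for-byte the same packet.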