Regarding 6 below:

  6. IPv6 ICMP ping to a remote system over IPSec does not get sent (Andy Tang)

Could anyone offer a reason?

On 8/27/07, ipsec-tools-devel-request@lists.sourceforge.net
------------------------------

Message: 6
Date: Mon, 27 Aug 2007 19:39:56 -0700
From: "Andy Tang" <andy.atang@gmail.com>
Subject: [Ipsec-tools-devel] IPv6 ICMP ping to a remote system over IPSec does not get sent
To: ipsec-tools-devel <ipsec-tools-devel@lists.sourceforge.net>
Message-ID: <48dc198c0708271939l6aff4c63tdc20c993e7d68e32@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I configured my racoon using the file attached and added the following SPD
using setkey.cf:

flush;
spdflush;
spdadd 192.168.1.103 192.168.1.100 any -P out ipsec
        esp/transport//require ;
spdadd 192.168.1.100 192.168.1.103 any -P in ipsec
        esp/transport//require ;
spdadd 2001:4898:28:3:20b:cdff:feb4:6338 2001:4898:28:3:20e:a6ff:feb1:2df3 any -P out ipsec
        esp/transport//require ;
spdadd 2001:4898:28:3:20e:a6ff:feb1:2df3 2001:4898:28:3:20b:cdff:feb4:6338 any -P in ipsec
        esp/transport//require ;

Next, I attempted to

ping6 2001:4898:28:3:20e:a6ff:feb1:2df3

However, I did not see an IKE negotiation packet going out to the
destination server.
The racoon contains the following trace info:

2007-08-27 19:02:26: DEBUG: suitable outbound SP found: 2001:4898:28:3:20b:cdff:feb4:6338/128[0] 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] proto=any dir=out.
2007-08-27 19:02:26: DEBUG: sub:0xbff04648: 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
2007-08-27 19:02:26: DEBUG: db :0x82f2578: 192.168.1.103/32[0] 192.168.1.100/32[0] proto=any dir=out
2007-08-27 19:02:26: DEBUG: sub:0xbff04648: 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
2007-08-27 19:02:26: DEBUG: db :0x82f34c8: 192.168.1.100/32[0] 192.168.1.103/32[0] proto=any dir=in
2007-08-27 19:02:26: DEBUG: sub:0xbff04648: 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
2007-08-27 19:02:26: DEBUG: db :0x82f4418: 192.168.1.100/32[0] 192.168.1.103/32[0] proto=any dir=fwd
2007-08-27 19:02:26: DEBUG: sub:0xbff04648: 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
2007-08-27 19:02:26: DEBUG: db :0x82f5368: 192.168.1.103/32[0] 192.168.1.104/32[0] proto=any dir=out
2007-08-27 19:02:26: DEBUG: sub:0xbff04648: 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
2007-08-27 19:02:26: DEBUG: db :0x82f62b8: 192.168.1.104/32[0] 192.168.1.103/32[0] proto=any dir=in
2007-08-27 19:02:26: DEBUG: sub:0xbff04648: 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
2007-08-27 19:02:26: DEBUG: db :0x82f7208: 192.168.1.104/32[0] 192.168.1.103/32[0] proto=any dir=fwd
2007-08-27 19:02:26: DEBUG: sub:0xbff04648: 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
2007-08-27 19:02:26: DEBUG: db :0x82f8158: 2001:4898:28:3:20b:cdff:feb4:6338/128[0] 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] proto=any dir=out
2007-08-27 19:02:26: DEBUG: sub:0xbff04648: 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
2007-08-27 19:02:26: DEBUG: db :0x82f90a8: 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in
2007-08-27 19:02:26: DEBUG: suitable inbound SP found: 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] 2001:4898:28:3:20b:cdff:feb4:6338/128[0] proto=any dir=in.
2007-08-27 19:02:26: DEBUG: new acquire 2001:4898:28:3:20b:cdff:feb4:6338/128[0] 2001:4898:28:3:20e:a6ff:feb1:2df3/128[0] proto=any dir=out
2007-08-27 19:02:26: DEBUG: anonymous sainfo selected.
2007-08-27 19:02:26: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
2007-08-27 19:02:26: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-sha)
2007-08-27 19:02:26: DEBUG: anonymous configuration selected for 2001:4898:28:3:20e:a6ff:feb1:2df3.
2007-08-27 19:02:26: INFO: IPsec-SA request for 2001:4898:28:3:20e:a6ff:feb1:2df3 queued due to no phase1 found.
2007-08-27 19:02:26: DEBUG: ===
2007-08-27 19:02:26: INFO: initiate new phase 1 negotiation: 2001:4898:28:3:20b:cdff:feb4:6338[500]<=>2001:4898:28:3:20e:a6ff:feb1:2df3[500]
2007-08-27 19:02:26: INFO: begin Identity Protection mode.
2007-08-27 19:02:26: DEBUG: new cookie: 352d18c8c4d0807a
2007-08-27 19:02:26: DEBUG: add payload of len 48, next type 13
2007-08-27 19:02:26: DEBUG: add payload of len 16, next type 0
2007-08-27 19:02:26: DEBUG: 100 bytes from 2001:4898:28:3:20b:cdff:feb4:6338[500] to 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
2007-08-27 19:02:26: DEBUG: sockname 2001:4898:28:3:20b:cdff:feb4:6338[500]
2007-08-27 19:02:26: DEBUG: send packet from 2001:4898:28:3:20b:cdff:feb4:6338[500]
2007-08-27 19:02:26: DEBUG: send packet to 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
2007-08-27 19:02:26: DEBUG: src6 2001:4898:28:3:20b:cdff:feb4:6338[500] 0
2007-08-27 19:02:26: DEBUG: dst6 2001:4898:28:3:20e:a6ff:feb1:2df3[500] 0
2007-08-27 19:02:26: DEBUG: 1 times of 100 bytes message will be sent to 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
2007-08-27 19:02:26: DEBUG:
352d18c8 c4d0807a 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c012c
80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
2007-08-27 19:02:26: DEBUG: resend phase1 packet 352d18c8c4d0807a:0000000000000000
2007-08-27 19:02:36: DEBUG: 100 bytes from 2001:4898:28:3:20b:cdff:feb4:6338[500] to 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
2007-08-27 19:02:36: DEBUG: sockname 2001:4898:28:3:20b:cdff:feb4:6338[500]
2007-08-27 19:02:36: DEBUG: send packet from 2001:4898:28:3:20b:cdff:feb4:6338[500]
2007-08-27 19:02:36: DEBUG: send packet to 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
2007-08-27 19:02:36: DEBUG: src6 2001:4898:28:3:20b:cdff:feb4:6338[500] 0
2007-08-27 19:02:36: DEBUG: dst6 2001:4898:28:3:20e:a6ff:feb1:2df3[500] 0
2007-08-27 19:02:36: DEBUG: 1 times of 100 bytes message will be sent to 2001:4898:28:3:20e:a6ff:feb1:2df3[500]
2007-08-27 19:02:36: DEBUG:
352d18c8 c4d0807a 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c012c
80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100

According to the line trace, there appeared to be ICMPv6 neighbor
solicitation to the destination node with no IKE packet sent.  Is there a
reason why this is happening?

I tried with the "ping <v4-address of the same target>" and the IKE MAIN
MODE INIT was initiated to the target using the IPv4 address.  Any reason
why the IPv4 works but not for IPv6?

--
via GMAIL
-------------- next part --------------
A non-text attachment was scrubbed...
Name: racoon.conf
Type: application/octet-stream
Size: 546 bytes
Desc: not available

--
via GMAIL
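
Added example, not part of the original post or of ipsec-tools: the 100-byte hex dump in the trace is the first main mode packet racoon built, and decoding it per RFC 2408/2409 shows the phase 1 proposal it offers and that the responder cookie is still zero when the packet is resent. The function names are made up for this example, and the attribute parser assumes the one-proposal, one-transform, SPI-size-0 layout this packet has.

```python
import struct

# First IKE packet exactly as racoon logged it in the trace above (100 bytes).
PACKET_HEX = """
352d18c8 c4d0807a 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c012c
80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
"""
# Attribute classes from RFC 2409 Appendix A. Values seen here: encryption 5 =
# 3DES-CBC, hash 2 = SHA, auth_method 1 = pre-shared key, dh_group 2 = 1024-bit MODP.
ATTR = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group",
        11: "life_type", 12: "life_duration"}

def parse_attrs(buf):
    """Decode ISAKMP data attributes in both TV (short) and TLV (long) form."""
    out, i = {}, 0
    while i + 4 <= len(buf):
        t, v = struct.unpack("!HH", buf[i:i + 4])
        if t & 0x8000:   # TV form: the 16-bit value sits in the attribute header
            out[ATTR.get(t & 0x7FFF, t & 0x7FFF)] = v
            i += 4
        else:            # TLV form: v is the byte length of the value that follows
            out[ATTR.get(t, t)] = int.from_bytes(buf[i + 4:i + 4 + v], "big")
            i += 4 + v
    return out

def parse_isakmp(hex_dump):
    """Decode the ISAKMP header, walk the payload chain, pull phase 1 attributes."""
    data = bytes.fromhex("".join(hex_dump.split()))
    if len(data) < 28:
        raise ValueError("shorter than an ISAKMP header")
    icookie, rcookie, nxt, ver, exch, _flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError("header length field does not match dump size")
    info = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "version": f"{ver >> 4}.{ver & 15}", "exchange_type": exch,
            "length": length, "payloads": [], "attrs": {}}
    off = 28
    while nxt != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        info["payloads"].append((nxt, plen))
        if nxt == 1:  # SA: 4 generic hdr + 4 DOI + 4 situation + 8 proposal + 8 transform
            info["attrs"] = parse_attrs(data[off + 28:off + plen])
        off, nxt = off + plen, following
    return info

def awaiting_reply(info):
    """True while the responder cookie is all zero, i.e. no peer answer was recorded."""
    return int(info["responder_cookie"], 16) == 0
```

The payload lengths it reports (52 and 20 bytes including the 4-byte generic header) line up with the "add payload of len 48" and "len 16" lines in the trace, and exchange type 2 is the Identity Protection mode the log names.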