The success and failure logs are as below.


Failed Case

Initiator
2009-08-11 15:14:46: INFO: IPsec-SA request for 2001:db8:0:1:20f:20ff:fefe:4c78 queued due to no phase1 found.
2009-08-11 15:14:46: ERROR: unknown AF: 0
2009-08-11 15:14:46: INFO: initiate new phase 1 negotiation: <=>2001:db8:0:1:20f:20ff:fefe:4c78[500]
2009-08-11 15:14:46: INFO: begin Aggressive mode.
2009-08-11 15:14:46: INFO: respond new phase 1 negotiation: <=>2001:db8:0:1:20f:20ff:fefe:4c78[500]
2009-08-11 15:14:46: INFO: begin Aggressive mode.
2009-08-11 15:14:46: INFO: received Vendor ID: DPD
2009-08-11 15:14:46: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
2009-08-11 15:15:16: NOTIFY: the packet is retransmitted by 2001:db8:0:1:20f:20ff:fefe:4c78[500] (1).
2009-08-11 15:15:17: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 2001:db8:0:1:20f:20ff:fefe:4c78[0]->2001:db8:0:1:215:99ff:fe41:704c[0]
2009-08-11 15:15:17: INFO: delete phase 2 handler.



Responder
2009-08-11 14:41:57: INFO: IPsec-SA request for 2001:db8:0:1:215:99ff:fe41:704c queued due to no phase1 found.
2009-08-11 14:41:57: INFO: new phase 1 negotiation: 2001:db8:0:1:20f:20ff:fefe:4c78[500]<=>2001:db8:0:1:215:99ff:fe41:704c[500]
2009-08-11 14:41:57: INFO: begin Aggressive mode.
2009-08-11 14:42:28: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 2001:db8:0:1:215:99ff:fe41:704c[500]->2001:db8:0:1:20f:20ff:fefe:4c78[500]
2009-08-11 14:42:28: INFO: delete phase 2 handler.
2009-08-11 14:42:29: INFO: request for establishing IPsec-SA was queued due to no phase1 found.


SUCCESS case

Initiator

-sh-2.05b# ping6 2001:db8:0:1:20f:20ff:fefe:4c78
PING 2001:db8:0:1:20f:20ff:fefe:4c78 (2001:db8:0:1:20f:20ff:fefe:4c78): 56 data bytes
2009-08-14 09:03:41: INFO: IPsec-SA request for 2001:db8:0:1:20f:20ff:fefe:4c78 queued due to no phase1 found.
2009-08-14 09:03:41: ERROR: unknown AF: 0
2009-08-14 09:03:41: INFO: initiate new phase 1 negotiation: <=>2001:db8:0:1:20f:20ff:fefe:4c78[500]
2009-08-14 09:03:41: INFO: begin Identity Protection mode.
2009-08-14 09:03:41: INFO: received Vendor ID: DPD
2009-08-14 09:03:41: INFO: ISAKMP-SA established spi:39dc17bfd0a825cd:453409ed34eff4d9
2009-08-14 09:03:42: INFO: initiate new phase 2 negotiation: <=>2001:db8:0:1:20f:20ff:fefe:4c78[500]
[  161.237109] alg: No test for authenc(hmac(sha1),cbc(des3_ede)) (authenc(hmac(sha1-generic),cbc(des3_ede-generic)))
2009-08-14 09:03:43: INFO: IPsec-SA established: ESP/Transport 2001:db8:0:1:20f:20ff:fefe:4c78[0]->2001:db8:0:1:215:99ff:fe41:704c[0] spi=256644107(0xf4c140b)
2009-08-14 09:03:43: INFO: IPsec-SA established: ESP/Transport 2001:db8:0:1:215:99ff:fe41:704c[0]->2001:db8:0:1:20f:20ff:fefe:4c78[0] spi=247422214(0xebf5d06)
ping: getnameinfo: Temporary failure in name resolution
64 bytes from unknown: icmp_seq=2 ttl=64 time=0.531 ms

Responder
[root@sapnasantani ipsec]# 2009-08-14 08:30:45: INFO: respond new phase 1 negotiation: 2001:db8:0:1:20f:20ff:fefe:4c78[500]<=>2001:db8:0:1:215:99ff:fe41:704c[500]
2009-08-14 08:30:45: INFO: begin Identity Protection mode.
2009-08-14 08:30:45: INFO: ISAKMP-SA established 2001:db8:0:1:20f:20ff:fefe:4c78[500]-2001:db8:0:1:215:99ff:fe41:704c[500] spi:39dc17bfd0a825cd:453409ed34eff4d9
2009-08-14 08:30:46: INFO: respond new phase 2 negotiation: 2001:db8:0:1:20f:20ff:fefe:4c78[500]<=>2001:db8:0:1:215:99ff:fe41:704c[500]
2009-08-14 08:30:46: INFO: IPsec-SA established: ESP/Transport 2001:db8:0:1:215:99ff:fe41:704c[0]->2001:db8:0:1:20f:20ff:fefe:4c78[0] spi=247422214(0xebf5d06)
2009-08-14 08:30:46: INFO: IPsec-SA established: ESP/Transport 2001:db8:0:1:20f:20ff:fefe:4c78[0]->2001:db8:0:1:215:99ff:fe41:704c[0] spi=256644107(0xf4c140b)

From the logs, it is seen that when the initiator initiates the connection, the responder does NOT respond. Instead, it also starts initiation. So ultimately, the INITIATOR is BECOMING the RESPONDER.

Any guidance would be appreciated. Thanks

With Regards,
Zakir Ahmed
 
"And fear Almighty, and know that you are to meet him in the hereafter"
 


--- On Fri, 14/8/09, ZAKIR AHMED <zaks_974@yahoo.com> wrote:

From: ZAKIR AHMED <zaks_974@yahoo.com>
Subject: [Ipsec-tools-devel] IPSEC ipv6 does NOT work consistently
To: ipsec-tools-devel@lists.sourceforge.net
Date: Friday, 14 August, 2009, 8:47 AM

Hi All,

I am reposting this as this was part of some other post which is not answered yet.

I am setting up IPSEC between 2 machines. I am able to set up both transport and tunnel mode for ipv4 between these machines. But when I use ipv6 addresses, the behavior is very inconsistent. Sometimes, it works like a charm and sometimes, even after trying the whole day, it does NOT work.

My configurations are as below.
policy file

#!/sbin/setkey -f
flush;
spdflush;
spdadd 2001:db8:0:1:20f:20ff:fefe:4c78 2001:db8:0:1:215:99ff:fe41:704c any -P in ipsec
   esp/transport//require;

spdadd 2001:db8:0:1:215:99ff:fe41:704c 2001:db8:0:1:20f:20ff:fefe:4c78 any -P out ipsec
  esp/transport//require;

Racoon file

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

timer {
                counter 5;
                interval 300 seconds;
                phase1 300 seconds;
                phase2 300 seconds;
}

remote anonymous
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier address;

        lifetime time 2 min;   # sec,min,hour
        initial_contact on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 2 min;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}


It seems to work sometimes and NOT sometimes. Could any of you please help me out in resolving this?



With Regards,
Zakir Ahmed
 
"And fear Almighty, and know that you are to meet him in the hereafter"
 


_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
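
An added example, not part of the original message or of ipsec-tools: a small Python parser for racoon log lines like the ones quoted above. It reports which phase 1 roles the daemon took toward each peer, the exchange modes it began, and whether phase 1 and phase 2 completed, so the "both ends initiate" pattern described in the message can be spotted mechanically. The function and key names are assumptions; the sample lines are excerpts of the initiator logs in this thread.

```python
import re
# racoon lines above look like "<timestamp>: <LEVEL>: <message>"; the peer follows "<=>".
LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d: \w+: (.*)$")
PEER = re.compile(r"<=>([0-9a-fA-F:.]+)\[\d+\]")

# Excerpts of the initiator logs quoted in the message (failed case, then success case).
FAILED = """\
2009-08-11 15:14:46: INFO: initiate new phase 1 negotiation: <=>2001:db8:0:1:20f:20ff:fefe:4c78[500]
2009-08-11 15:14:46: INFO: begin Aggressive mode.
2009-08-11 15:14:46: INFO: respond new phase 1 negotiation: <=>2001:db8:0:1:20f:20ff:fefe:4c78[500]
2009-08-11 15:14:46: INFO: begin Aggressive mode.
2009-08-11 15:14:46: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
2009-08-11 15:15:17: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 2001:db8:0:1:20f:20ff:fefe:4c78[0]->2001:db8:0:1:215:99ff:fe41:704c[0]
"""
SUCCESS = """\
2009-08-14 09:03:41: INFO: initiate new phase 1 negotiation: <=>2001:db8:0:1:20f:20ff:fefe:4c78[500]
2009-08-14 09:03:41: INFO: begin Identity Protection mode.
2009-08-14 09:03:41: INFO: ISAKMP-SA established spi:39dc17bfd0a825cd:453409ed34eff4d9
[  161.237109] alg: No test for authenc(hmac(sha1),cbc(des3_ede)) (authenc(hmac(sha1-generic),cbc(des3_ede-generic)))
2009-08-14 09:03:43: INFO: IPsec-SA established: ESP/Transport 2001:db8:0:1:20f:20ff:fefe:4c78[0]->2001:db8:0:1:215:99ff:fe41:704c[0] spi=256644107(0xf4c140b)
2009-08-14 09:03:43: INFO: IPsec-SA established: ESP/Transport 2001:db8:0:1:215:99ff:fe41:704c[0]->2001:db8:0:1:20f:20ff:fefe:4c78[0] spi=247422214(0xebf5d06)
"""

def summarize(log_text):
    """Roles taken, exchange modes and outcome seen in one racoon log."""
    s = {"initiated": set(), "responded": set(), "modes": [], "phase1_up": False,
         "phase2_up": 0, "phase2_timeout": False, "psk_fallback": False}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # kernel messages, ping output, shell prompts
        msg, peer = m.group(1), PEER.search(m.group(1))
        if msg.startswith("initiate new phase 1") and peer:
            s["initiated"].add(peer.group(1))
        elif msg.startswith("respond new phase 1") and peer:
            s["responded"].add(peer.group(1))
        elif msg.startswith("begin ") and msg.endswith(" mode."):
            s["modes"].append(msg[6:-6])  # text between "begin " and " mode."
        elif msg.startswith("ISAKMP-SA established"):
            s["phase1_up"] = True
        elif msg.startswith("IPsec-SA established"):
            s["phase2_up"] += 1
        elif "time up waiting for phase1" in msg:
            s["phase2_timeout"] = True
        elif "couldn't find the proper pskey" in msg:
            s["psk_fallback"] = True
    # A peer seen in both roles means both ends started phase 1 at the same time.
    s["both_roles_with"] = sorted(s["initiated"] & s["responded"])
    return s
```

Calling `summarize(FAILED)` and `summarize(SUCCESS)` side by side shows the two differences visible in the logs: the failed run takes both roles toward the same peer in Aggressive mode, while the successful run only initiates, in Identity Protection mode.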

