<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’m trying to establish an IPv6 IPSec tunnel using IKEv2. I’m seeing the Strongswan host firing the policy but the remote peer never receives the ISAKMP packet. Looking at the trace it reveals that the IPv6 neighbor discovery is failing. I suspect that the Ubuntu host might be treating the ICMP6 request as part of the default allow all policy. To test this theory I disable IPSec on the Strongswan host and the remote peer. When I do this, each host can ping each other fine. I then quickly enable IPSec and I can get the IPSec tunnel up between the two hosts (which should validate the config entries). At least until the arp entry expires. And then I’m back to no longer establishing IPSec between the peers. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’ve done some research indicating that I should accommodate the discovery in IPTables but I’m not using the firewall. Which explains why it works when IPSec is disabled. Is there a bit in ipsec.conf that can account for neighbor discovery outside of the IPSec policy (assuming this is what is really going on)? There is some urgency behind this question so anything anybody could do to help would be greatly appreciated. 
Thanks in advance.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Strongswan log entries with IPSec enabled:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Jan 24 09:06:11 gyaos6-PowerEdge-R610 charon: 01[KNL] creating acquire job for policy fc00:2518::221:9bff:fe98:854b/128[udp/60525] === fc00:2518::10:125:56:9/128[udp/1025] with reqid {10}<o:p></o:p></p><p class=MsoNormal>Jan 24 09:06:11 gyaos6-PowerEdge-R610 charon: 11[IKE] initiating IKE_SA ubuntu-gamera9_ipv6_wka[1] to fc00:2518::10:125:56:9<o:p></o:p></p><p class=MsoNormal>Jan 24 09:06:11 gyaos6-PowerEdge-R610 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<o:p></o:p></p><p class=MsoNormal>Jan 24 09:06:11 gyaos6-PowerEdge-R610 charon: 11[NET] sending packet: from fc00:2518::221:9bff:fe98:854b[500] to fc00:2518::10:125:56:9[500]<o:p></o:p></p><p class=MsoNormal>Jan 24 09:06:15 gyaos6-PowerEdge-R610 charon: 12[IKE] retransmit 1 of request with message ID 0<o:p></o:p></p><p class=MsoNormal>Jan 24 09:06:15 gyaos6-PowerEdge-R610 charon: 12[NET] sending packet: from fc00:2518::221:9bff:fe98:854b[500] to fc00:2518::10:125:56:9[500]<o:p></o:p></p><p class=MsoNormal>Jan 24 09:06:22 gyaos6-PowerEdge-R610 charon: 13[IKE] retransmit 2 of request with message ID 0<o:p></o:p></p><p class=MsoNormal>Jan 24 09:06:22 gyaos6-PowerEdge-R610 charon: 13[NET] sending packet: from fc00:2518::221:9bff:fe98:854b[500] to fc00:2518::10:125:56:9[500]<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal># ip6tables -L<o:p></o:p></p><p class=MsoNormal>Chain INPUT (policy ACCEPT)<o:p></o:p></p><p class=MsoNormal>target prot opt source destination <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Chain FORWARD (policy ACCEPT)<o:p></o:p></p><p class=MsoNormal>target prot opt source destination <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Chain OUTPUT (policy ACCEPT)<o:p></o:p></p><p class=MsoNormal>target 
prot opt source destination <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>iptables -L<o:p></o:p></p><p class=MsoNormal>Chain INPUT (policy ACCEPT)<o:p></o:p></p><p class=MsoNormal>target prot opt source destination <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Chain FORWARD (policy ACCEPT)<o:p></o:p></p><p class=MsoNormal>target prot opt source destination <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Chain OUTPUT (policy ACCEPT)<o:p></o:p></p><p class=MsoNormal>target prot opt source destination<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>
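An added example, not part of the original message and not strongSwan project code, of the ipsec.conf shape that exempts ICMPv6 between the two peer addresses from the IPsec policy so that Neighbor Discovery (Neighbor Solicitation and Advertisement) can complete before any SA exists. It reuses the two peer addresses and the connection name that appear in the log above; the passthrough connection name, the `[ipv6-icmp]` protocol-selector form of `leftsubnet`/`rightsubnet`, and the use of `type=passthrough` with `auto=route` are assumptions to check against the ipsec.conf man page of the strongSwan version in use.

```conf
# Added example (not from the original post): ipsec.conf fragment.
# A passthrough connection installed with auto=route makes the kernel
# carry matching traffic in the clear instead of requiring an SA for it.
# Only ICMPv6 (protocol 58, "ipv6-icmp") between the two peer addresses is
# exempted; all other traffic between them still matches the tunnel policy.
# Because this selector is more specific than the host-to-host selector
# below, it is expected to take precedence in the kernel policy database.
conn nd-passthrough
    type=passthrough
    leftsubnet=fc00:2518::221:9bff:fe98:854b/128[ipv6-icmp]
    rightsubnet=fc00:2518::10:125:56:9/128[ipv6-icmp]
    auto=route

# The protected host-to-host connection (name taken from the log above;
# authentication settings are left as already configured on the host).
conn ubuntu-gamera9_ipv6_wka
    keyexchange=ikev2
    left=fc00:2518::221:9bff:fe98:854b
    right=fc00:2518::10:125:56:9
    leftsubnet=fc00:2518::221:9bff:fe98:854b/128
    rightsubnet=fc00:2518::10:125:56:9/128
    auto=route
```

After reloading the configuration, `ip -6 xfrm policy` should list the ICMPv6 policies without an IPsec template and with a higher priority (lower number) than the tunnel policies, and `ip -6 neigh show` for the peer address should move from INCOMPLETE or FAILED to REACHABLE while the tunnel is down. The trade-off is that every ICMPv6 message between these two addresses, not only NS/NA, now travels unprotected, so keep the selector limited to the peer addresses rather than widening it to the whole prefix; whether the running version lets the selector be narrowed further to individual ICMPv6 message types is something to confirm in its man page before relying on it.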