<div dir="ltr"><div><div>Hi SS Team,<br><br></div>I am running strongswan 5.0.1, and I can not pass icmp6 traffic with IKEv1. It creates IKE SA but it fails to create child_SA. The same configurations works fine with IKEv2,<br>
<br></div>I have the configuration and log details below for IKEv1 and IKEv2. Please let me know if this is a bug in strongswan code, and any tips to resolve the issue.<br><br>Here is my deployment:<br>pc1(2006::2)----(2006::1)strongswan(eth13:2003::2)---(eth13:2003::1)strongswan(2005::1)----(2005::2)pc2<br>
<div><div><br></div><div>I initiated icmp6 traffic from 2005::2 to 2006::2. <br></div><div><br>Below is the ipsec statusall output for IKEv1. It fails to create child_sa.<br>...<br>Listening IP addresses:<br> 10.243.10.142<br>
7.1.1.2<br> 2005::1<br> 192.168.1.1<br> 2003::1<br> 11.1.1.2<br>Connections:<br> ipv6_pol: 2003::1...2003::2 IKEv1<br> ipv6_pol: local: [2003::1] uses pre-shared key authentication<br> ipv6_pol: remote: [2003::2] uses pre-shared key authentication<br>
ipv6_pol: child: 2005::/64 === 2006::/64 TUNNEL<br>Routed Connections:<br> ipv6_pol{2}: ROUTED, TUNNEL<br> ipv6_pol{2}: 2005::/64 === 2006::/64<br>Security Associations (1 up, 0 connecting):<br> ipv6_pol[2]: ESTABLISHED 3 minutes ago, 2003::1[2003::1]...2003::2[2003::2]<br>
ipv6_pol[2]: IKEv1 SPIs: 55de706622696d07_i 3e835d9a72111fcf_r*, rekeying in 23 hours<br> ipv6_pol[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536<br><br></div><div>Below is the vpn log for IKEv1.<br>
...<br>2013-05-31 14:54:54.110 [CHARON-INFO:] "14[NET] sending packet: from 2003::1[500] to 2003::2[500]"<br>2013-05-31 14:54:54.115 [CHARON-INFO:] "04[NET] received packet: from 2003::2[500] to 2003::1[500]"<br>
2013-05-31 14:54:54.115 [CHARON-INFO:] "04[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]"<br>2013-05-31 14:54:54.125 [CHARON-INFO:] "04[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]"<br>
2013-05-31 14:54:54.125 [CHARON-INFO:] "04[NET] sending packet: from 2003::1[500] to 2003::2[500]"<br>2013-05-31 14:54:54.130 [CHARON-INFO:] "12[NET] received packet: from 2003::2[500] to 2003::1[500]"<br>
2013-05-31 14:54:54.130 [CHARON-INFO:] "12[ENC] parsed ID_PROT request 0 [ ID HASH ]"<br>2013-05-31 14:54:54.130 [CHARON-INFO:] "12[CFG] looking for pre-shared key peer configs matching 2003::1...2003::2[2003::2]"<br>
2013-05-31 14:54:54.130 [CHARON-INFO:] "12[LIB] resolving '7.1.1.2' failed: Address family for hostname not supported"<br>2013-05-31 14:54:54.130 [CHARON-INFO:] "12[CFG] selected peer config "ipv6_pol""<br>
2013-05-31 14:54:54.130 [CHARON-INFO:] "12[IKE] IKE_SA ipv6_pol[2] established between 2003::1[2003::1]...2003::2[2003::2]"<br>2013-05-31 14:54:54.130 [CHARON-INFO:] "12[IKE] IKE_SA ipv6_pol[2] established between 2003::1[2003::1]...2003::2[2003::2]"<br>
2013-05-31 14:54:54.130 [CHARON-INFO:] "12[IKE] scheduling rekeying in 85913s"<br>2013-05-31 14:54:54.130 [CHARON-INFO:] "12[IKE] maximum IKE_SA lifetime 86273s"<br>2013-05-31 14:54:54.130 [CHARON-INFO:] "12[ENC] generating ID_PROT response 0 [ ID HASH ]"<br>
2013-05-31 14:54:54.130 [CHARON-INFO:] "12[NET] sending packet: from 2003::1[500] to 2003::2[500]"<br>2013-05-31 14:54:54.131 [CHARON-INFO:] "08[NET] received packet: from 2003::2[500] to 2003::1[500]"<br>
2013-05-31 14:54:54.131 [CHARON-INFO:] "08[ENC] parsed QUICK_MODE request 142098601 [ HASH SA No ID ID ]"<br>2013-05-31 14:54:54.131 [CHARON-INFO:] "08[IKE] no matching CHILD_SA config found"<br>2013-05-31 14:54:54.131 [CHARON-INFO:] "08[ENC] generating INFORMATIONAL_V1 request 335657404 [ HASH N(INVAL_ID) ]"<br>
2013-05-31 14:54:54.131 [CHARON-INFO:] "08[NET] sending packet: from 2003::1[500] to 2003::2[500]"<br><br>====<br><br></div><div>The same deployment works fine with IKEv2. Below is the configuration and log details with IKEv2. I was able to pass icmp6 traffic from 2005::2 to 2006::2 and vice versa.<br>
...<br>Listening IP addresses:<br> 10.243.10.142<br> 7.1.1.2<br> 2005::1<br> 192.168.1.1<br> 2003::1<br> 11.1.1.2<br>Connections:<br> ipv6_pol: 2003::1...2003::2 IKEv2<br> ipv6_pol: local: [2003::1] uses pre-shared key authentication<br>
ipv6_pol: remote: [2003::2] uses pre-shared key authentication<br> ipv6_pol: child: 2005::/64 === 2006::/64 TUNNEL<br>Routed Connections:<br> ipv6_pol{3}: ROUTED, TUNNEL<br> ipv6_pol{3}: 2005::/64 === 2006::/64<br>
Security Associations (1 up, 0 connecting):<br> ipv6_pol[3]: ESTABLISHED 5 minutes ago, 2003::1[2003::1]...2003::2[2003::2]<br> ipv6_pol[3]: IKEv2 SPIs: d5d7908b1732b398_i b4a6a238fa83f36e_r*, rekeying in 23 hours<br>
ipv6_pol[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536<br> ipv6_pol{4}: INSTALLED, TUNNEL, ESP SPIs: c50c9007_i c5a02777_o<br> ipv6_pol{4}: AES_CBC_128/HMAC_SHA1_96, 3948 bytes_i, 312 bytes_o (252s ago), rekeying in 43 minutes<br>
ipv6_pol{4}: 2005::/64 === 2006::/64<br><br><br></div><div>=log<br>...<br>2013-05-31 15:05:17.721 [CHARON-INFO:] "02[NET] sending packet: from 2003::1[500] to 2003::2[500]"<br>2013-05-31 15:05:17.727 [CHARON-INFO:] "06[NET] received packet: from 2003::2[4500] to 2003::1[4500]"<br>
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[CFG] looking for peer configs matching 2003::1[2003::1]...2003::2[2003::2]"<br>2013-05-31 15:05:17.727 [CHARON-INFO:] "06[LIB] resolving '7.1.1.2' failed: Address family for hostname not supported"<br>
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[CFG] selected peer config 'ipv6_pol'"<br>2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] authentication of '2003::2' with pre-shared key successful"<br>
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] peer supports MOBIKE"<br>2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] authentication of '2003::1' (myself) with pre-shared key"<br>2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] IKE_SA ipv6_pol[3] established between 2003::1[2003::1]...2003::2[2003::2]"<br>
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] IKE_SA ipv6_pol[3] established between 2003::1[2003::1]...2003::2[2003::2]"<br>2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] scheduling rekeying in 85779s"<br>
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] maximum IKE_SA lifetime 86139s"<br>2013-05-31 15:05:17.728 [CHARON-INFO:] "06[IKE] CHILD_SA ipv6_pol{4} established with SPIs c50c9007_i c5a02777_o and TS 2005::/64 === 2006::/64 "<br>
2013-05-31 15:05:17.728 [CHARON-INFO:] "06[IKE] CHILD_SA ipv6_pol{4} established with SPIs c50c9007_i c5a02777_o and TS 2005::/64 === 2006::/64 "<br>2013-05-31 15:05:17.728 [CHARON-INFO:] "06[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]"<br>
2013-05-31 15:05:17.728 [CHARON-INFO:] "06[NET] sending packet: from 2003::1[4500] to 2003::2[4500]"<br></div><div><br><br></div><div>Thanks!<br></div><div>Jordan.<br></div></div></div>