<div dir="ltr">

<div>For the following scenario, is it a strongSwan bug? The responder IP address is <b>fc00:cada:c406::200</b>. But if the reply comes from a different IPv6 address, everything succeeds as if nothing were wrong.
In the following case the IKE_SA_INIT response came from <b>fc00:cada:c406::500</b>. I would imagine it should be rejected.</div><div><br></div>
<div><pre>
09[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/57861] === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
07[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
07[NET] sending packet: from fc00:cada:c406:607::1001[500] to <b>fc00:cada:c406::200</b>[500] (456 bytes)
08[NET] received packet: from <b>fc00:cada:c406::500</b>[500] to fc00:cada:c406:607::1001[500] (453 bytes)
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
08[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
08[IKE] received 1 cert requests for an unknown ca
08[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
08[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
08[IKE] authentication of 'C=US, O=ARRIS Group, OU=DCA Remote Device Certificate, CN=00:01:5c:b0:04:ad' (myself) with RSA signature successful
08[IKE] sending end entity cert "C=US, O=ARRIS Group, OU=DCA Remote Device Certificate, CN=00:01:5c:b0:04:ad"
08[IKE] sending issuer cert "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
08[IKE] establishing CHILD_SA gcpfc00:cada:c406::200{2}
08[ENC] generating IKE_AUTH request 1 [ IDi CERT CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
08[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (3200 bytes)
15[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (7280 bytes)
15[ENC] parsed IKE_AUTH response 1 [ N(ESP_TFC_PAD_N) N(USE_TRANSP) IDr CERT CERT CERT CERT CERT AUTH SA TSi TSr ]
15[IKE] received end entity cert "C=US, O=CableLabs, CN=00:01:5c:96:16:00"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=Device CA01, CN=CableLabs Device Certification Authority"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=Device CA02, CN=CableLabs Device Certification Authority"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=TEST Service Provider CA01, CN=TEST CableLabs Service Provider Certification Authority"
15[CFG]   using certificate "C=US, O=CableLabs, CN=00:01:5c:96:16:00"
15[CFG]   using untrusted intermediate certificate "C=US, O=CableLabs, OU=TEST Service Provider CA01, CN=TEST CableLabs Service Provider Certification Authority"
15[CFG] checking certificate status of "C=US, O=CableLabs, CN=00:01:5c:96:16:00"
15[CFG] certificate status is not available
15[CFG]   using trusted ca certificate "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
15[CFG] checking certificate status of "C=US, O=CableLabs, OU=TEST Service Provider CA01, CN=TEST CableLabs Service Provider Certification Authority"
15[CFG] certificate status is not available
15[CFG]   reached self-signed root ca with a path length of 1
15[IKE] authentication of 'C=US, O=CableLabs, CN=00:01:5c:96:16:00' with RSA signature successful
15[IKE] IKE_SA rpdfc00:cada:c406::200[1] established between fc00:cada:c406:607::1001[C=US, O=ARRIS Group, OU=DCA Remote Device Certificate, CN=00:01:5c:b0:04:ad]...fc00:cada:c406::200[C=US, O=CableLabs, CN=00:01:5c:96:16:00]
15[IKE] scheduling rekeying in 13604s
15[IKE] maximum IKE_SA lifetime 15044s
</pre></div>

<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 22, 2018 at 9:08 AM, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Rajeev,<br>
<span class="gmail-"><br>
> Is there a way for strongSwan to ignore an IKE_SA_INIT response from a bogus<br>
> IPv6 address? strongSwan replies to all the IKE_SA_INIT messages received from all<br>
> IP addresses.<br>
<br>
</span>Use iptables.<br>
<br>
Regards,<br>
Tobias<br>
</blockquote></div><br></div>
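<p>Added example, not code from the thread or from strongSwan: a small Python script that scans initiator log lines like the ones posted above, pairs each request's destination with the source of the packet that carried the parsed response, and flags the IKE_SA_INIT reply that came from fc00:cada:c406::500 instead of fc00:cada:c406::200. It also renders the kind of ip6tables rules Tobias's "Use iptables" answer refers to. The sample log is constructed from the lines in the post; the rules assume a plain INPUT chain and are illustrative, not a recommendation from the thread. Whether strongSwan itself should reject such a response is the question the thread leaves open; the script only makes the mismatch visible.</p>

```python
"""Flag strongSwan responses whose source address differs from the address the
request was sent to, and render ip6tables rules that would drop them.
Added example for this thread; not strongSwan code.  The sample log below is
constructed from the lines posted above."""
import re

# Constructed sample: the initiator's log from the post, trimmed to the
# NET/ENC lines the check needs.
SAMPLE_LOG = """\
07[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
07[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
08[NET] received packet: from fc00:cada:c406::500[500] to fc00:cada:c406:607::1001[500] (453 bytes)
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
08[ENC] generating IKE_AUTH request 1 [ IDi CERT CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr ]
08[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (3200 bytes)
15[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (7280 bytes)
15[ENC] parsed IKE_AUTH response 1 [ N(ESP_TFC_PAD_N) N(USE_TRANSP) IDr CERT AUTH SA TSi TSr ]
"""

# "<thread>[<group>] <message>" as charon writes it
LINE = re.compile(r"^(?P<thr>\d+)\[(?P<grp>[A-Z]+)\]\s+(?P<msg>.*)$")
GEN = re.compile(r"generating (?P<exch>\w+) request (?P<mid>\d+)")
SEND = re.compile(r"sending packet: from \S+\[\d+\] to (?P<dst>\S+)\[(?P<dport>\d+)\]")
RECV = re.compile(r"received packet: from (?P<src>\S+)\[(?P<sport>\d+)\] to \S+\[\d+\]")
PARSED = re.compile(r"parsed (?P<exch>\w+) response (?P<mid>\d+)")


def check_response_sources(log_text):
    """Pair 'generating ... request N' + 'sending packet' with the
    'received packet' + 'parsed ... response N' that answers it and record
    whether the reply came from the address/port the request went to.

    charon logs the socket endpoints and, right after on the same thread,
    the decoded message, so per-thread state keyed on the leading thread
    number is enough to pair them."""
    pending_req = {}   # thread -> (exchange, message id) awaiting 'sending packet'
    sent = {}          # message id -> (exchange, dst addr, dst port)
    last_recv = {}     # thread -> (src addr, src port) of the packet just received
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thr, msg = m.group("thr"), m.group("msg")
        if g := GEN.search(msg):
            pending_req[thr] = (g.group("exch"), int(g.group("mid")))
        elif (s := SEND.search(msg)) and thr in pending_req:
            exch, mid = pending_req.pop(thr)
            sent[mid] = (exch, s.group("dst"), int(s.group("dport")))
        elif r := RECV.search(msg):
            last_recv[thr] = (r.group("src"), int(r.group("sport")))
        elif (p := PARSED.search(msg)) and thr in last_recv:
            mid = int(p.group("mid"))
            src, sport = last_recv.pop(thr)
            if mid in sent:
                _exch, dst, dport = sent[mid]
                findings.append({
                    "exchange": p.group("exch"),
                    "mid": mid,
                    "expected": dst,
                    "actual": src,
                    "ok": src == dst and sport == dport,
                })
    return findings


def mismatches(log_text):
    """Only the responses whose source differs from the request destination."""
    return [f for f in check_response_sources(log_text) if not f["ok"]]


def ip6tables_rules(peers, chain="INPUT"):
    """Illustrative ip6tables rules (assumption: a plain INPUT chain, no
    other IKE rules) that accept IKE (UDP 500/4500) only from the configured
    peer addresses and drop IKE from anyone else."""
    cmds = []
    for peer in peers:
        for port in (500, 4500):
            cmds.append(f"ip6tables -A {chain} -p udp -s {peer} --dport {port} -j ACCEPT")
    cmds.append(f"ip6tables -A {chain} -p udp -m multiport --dports 500,4500 -j DROP")
    return cmds


if __name__ == "__main__":
    for f in mismatches(SAMPLE_LOG):
        print(f"{f['exchange']} response {f['mid']}: sent to {f['expected']}, reply from {f['actual']}")
    print("\n".join(ip6tables_rules(["fc00:cada:c406::200"])))
```

<p>Run against the posted log, the script reports only message ID 0 (the IKE_SA_INIT response) as a mismatch; the IKE_AUTH reply for message ID 1 came from the expected address. Note that IKEv2 does not authenticate the peer by source address: the response was accepted because its SPIs and message ID matched the outstanding request, and the peer was then authenticated in IKE_AUTH by its certificate, which is why the SA completes normally. If the goal is to never process IKE from anything but the configured peers, the host firewall rules above are the place to enforce that.</p>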