[strongSwan] CHILD_SA failed on IPv6 tunnel
Jan Engelhardt
jengelh at medozas.de
Sun Jun 20 10:06:43 CEST 2010
Hi,
I can't figure out why charon would not want to build a CHILD_SA over
IPv6. The config is exactly the same as the v4 one. (And what's with
"Address family for hostname not supported"?)
Furthermore, initiating v6 from the other side magically works.
borg# rpm -q strongswan
strongswan-4.3.4-4.3.x86_64
borg# cat /etc/ipsec.conf
config setup
        plutostart=no
        uniqueids=no

conn nova4
        left=188.40.89.202
        right=178.63.15.147
        auto=start
        keyexchange=ikev2
        leftcert="/etc/ipsec.d/certs/borg.medozas.de.pem"
        rightcert="/etc/ipsec.d/certs/nova.medozas.de.pem"

conn nova6
        left=2001:470:1f0b:a59::1
        right=2001:470:1f0b:122c::7
        auto=start
        keyexchange=ikev2
        leftcert="/etc/ipsec.d/certs/borg.medozas.de.pem"
        rightcert="/etc/ipsec.d/certs/nova.medozas.de.pem"
(# making sure all connections are down beforehand)
borg# ipsec stroke up nova6
resolving '2001:470:1f0b:a59::1' failed: Address family for hostname not supported
initiating IKE_SA nova6[9] to 2001:470:1f0b:122c::7
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from %any to 2001:470:1f0b:122c::7[500]
received packet: from 2001:470:1f0b:122c::7[500] to 2001:470:1f0b:a59::1[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=DE, CN=nova.medozas.de"
received cert request for "CN=borg.medozas.de"
sending cert request for "CN=borg.medozas.de"
sending cert request for "CN=ares.medozas.de"
sending cert request for "C=DE, CN=nova.medozas.de"
authentication of 'CN=borg.medozas.de' (myself) with RSA signature successful
sending end entity cert "CN=borg.medozas.de"
establishing CHILD_SA nova6
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) ]
sending packet: from 2001:470:1f0b:a59::1[4500] to 2001:470:1f0b:122c::7[4500]
received packet: from 2001:470:1f0b:122c::7[4500] to 2001:470:1f0b:a59::1[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(NO_PROP) ]
received end entity cert "C=DE, CN=nova.medozas.de"
using trusted certificate "C=DE, CN=nova.medozas.de"
authentication of 'C=DE, CN=nova.medozas.de' with RSA signature successful
scheduling reauthentication in 10171s
maximum IKE_SA lifetime 10711s
IKE_SA nova6[9] established between 2001:470:1f0b:a59::1[CN=borg.medozas.de]...2001:470:1f0b:122c::7[C=DE, CN=nova.medozas.de]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
borg# ipsec stroke up nova4
initiating IKE_SA nova4[10] to 178.63.15.147
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 188.40.89.202[500] to 178.63.15.147[500]
received packet: from 178.63.15.147[500] to 188.40.89.202[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=DE, CN=nova.medozas.de"
received cert request for "CN=borg.medozas.de"
sending cert request for "CN=borg.medozas.de"
sending cert request for "CN=ares.medozas.de"
sending cert request for "C=DE, CN=nova.medozas.de"
authentication of 'CN=borg.medozas.de' (myself) with RSA signature successful
sending end entity cert "CN=borg.medozas.de"
establishing CHILD_SA nova4
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) ]
sending packet: from 188.40.89.202[4500] to 178.63.15.147[4500]
received packet: from 178.63.15.147[4500] to 188.40.89.202[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "C=DE, CN=nova.medozas.de"
using trusted certificate "C=DE, CN=nova.medozas.de"
authentication of 'C=DE, CN=nova.medozas.de' with RSA signature successful
scheduling reauthentication in 10087s
maximum IKE_SA lifetime 10627s
IKE_SA nova4[10] established between 188.40.89.202[CN=borg.medozas.de]...178.63.15.147[C=DE, CN=nova.medozas.de]
borg# ipsec status
nova6[13]: ESTABLISHED 3 seconds ago, 2001:470:1f0b:a59::1[CN=borg.medozas.de]...2001:470:1f0b:122c::7[C=DE, CN=nova.medozas.de]
(no TUNNEL component listed)
Furthermore, initiating the v6 connection from nova itself does
build the CHILD_SA:
(# making sure all connections are down beforehand)
nova# ipsec stroke up borg6
resolving '2001:470:1f0b:122c::7' failed: Address family for hostname not supported
initiating IKE_SA borg6[46] to 2001:470:1f0b:a59::1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from %any to 2001:470:1f0b:a59::1[500]
received packet: from 2001:470:1f0b:a59::1[500] to 2001:470:1f0b:122c::7[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "CN=borg.medozas.de"
received cert request for unknown ca with keyid 17:4f:34:eb:5e:8a:dd:1c:b6:c3:2e:1d:e9:74:a6:16:c0:15:0a:e5
received cert request for "C=DE, CN=nova.medozas.de"
sending cert request for "C=DE, CN=nova.medozas.de"
sending cert request for "CN=borg.medozas.de"
authentication of 'C=DE, CN=nova.medozas.de' (myself) with RSA signature successful
sending end entity cert "C=DE, CN=nova.medozas.de"
establishing CHILD_SA borg6
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) ]
sending packet: from 2001:470:1f0b:122c::7[4500] to 2001:470:1f0b:a59::1[4500]
received packet: from 2001:470:1f0b:a59::1[4500] to 2001:470:1f0b:122c::7[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
received end entity cert "CN=borg.medozas.de"
using trusted certificate "CN=borg.medozas.de"
authentication of 'CN=borg.medozas.de' with RSA signature successful
scheduling reauthentication in 9928s
maximum IKE_SA lifetime 10468s
IKE_SA borg6[46] established between 2001:470:1f0b:122c::7[C=DE, CN=nova.medozas.de]...2001:470:1f0b:a59::1[CN=borg.medozas.de]
nova# cat /etc/ipsec.conf
setup config
        plutostart=no
        uniqueids=no

conn borg6
        left=2001:470:1f0b:122c::7
        right=2001:470:1f0b:a59::1
        auto=start
        keyexchange=ikev2
        leftcert="/etc/ipsec.d/certs/nova.medozas.de.pem"
        rightcert="/etc/ipsec.d/certs/borg.medozas.de.pem"
nova# ipsec status
Security Associations:
borg6[46]: ESTABLISHED 98 seconds ago, 2001:470:1f0b:122c::7[C=DE, CN=nova.medozas.de]...2001:470:1f0b:a59::1[CN=borg.medozas.de]
borg6{46}: INSTALLED, TUNNEL, ESP SPIs: c0cb26bd_i c4896dd9_o
borg6{46}: 2001:470:1f0b:122c::7/128 === 2001:470:1f0b:a59::1/128
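As an added example (not part of the post or of strongSwan), the following Python audit reads a charon `ipsec stroke up` transcript like the two above and reports, per initiation attempt, whether the IKE_SA came up, whether the IKE_AUTH response carried the SA/TSi/TSr payloads that make a CHILD_SA, whether a NO_PROPOSAL_CHOSEN notify arrived, and whether the first packet left from `%any`. It only surfaces the differences visible in the log; the sample transcript is constructed by abbreviating the post's own lines.

```python
import re

# Constructed sample log, abbreviated from the two `ipsec stroke up` transcripts
# in the post: nova6 gets an IKE_SA but no CHILD_SA, nova4 gets both.
SAMPLE_LOG = """\
resolving '2001:470:1f0b:a59::1' failed: Address family for hostname not supported
initiating IKE_SA nova6[9] to 2001:470:1f0b:122c::7
sending packet: from %any to 2001:470:1f0b:122c::7[500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_PROP) ]
IKE_SA nova6[9] established between 2001:470:1f0b:a59::1[CN=borg.medozas.de]...2001:470:1f0b:122c::7[C=DE, CN=nova.medozas.de]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
initiating IKE_SA nova4[10] to 178.63.15.147
sending packet: from 188.40.89.202[500] to 178.63.15.147[500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) ]
IKE_SA nova4[10] established between 188.40.89.202[CN=borg.medozas.de]...178.63.15.147[C=DE, CN=nova.medozas.de]
"""

INITIATING = re.compile(r"initiating IKE_SA (\S+)\[(\d+)\] to \S+")
SENDING = re.compile(r"sending packet: from (\S+) to ")
IKE_AUTH_RESP = re.compile(r"parsed IKE_AUTH response \d+ \[ (.*) \]")
ESTABLISHED = re.compile(r"IKE_SA \S+\[\d+\] established")

def audit_ike_transcript(log: str) -> dict:
    """Group charon lines per initiation attempt and judge each attempt."""
    results: dict = {}
    cur = None
    for line in log.splitlines():
        m = INITIATING.search(line)
        if m:
            cur = f"{m.group(1)}[{m.group(2)}]"
            results[cur] = {"ike_sa": False, "child_sa": False,
                            "sent_from_any": False, "notify": None}
            continue
        if cur is None:
            continue  # lines before the first attempt (e.g. the resolver error)
        r = results[cur]
        m = SENDING.search(line)
        if m and m.group(1) == "%any":
            r["sent_from_any"] = True  # no local source address was resolved
        m = IKE_AUTH_RESP.search(line)
        if m:
            # The responder only agreed to a CHILD_SA if its IKE_AUTH reply
            # carries SA, TSi and TSr; an N(NO_PROP) instead means it refused.
            r["child_sa"] = {"SA", "TSi", "TSr"} <= set(m.group(1).split())
        if ESTABLISHED.search(line):
            r["ike_sa"] = True
        if "NO_PROPOSAL_CHOSEN" in line:
            r["notify"] = "NO_PROPOSAL_CHOSEN"
    return results
```

Feed it the raw charon output of a real `ipsec stroke up`; an attempt reported as `ike_sa` true but `child_sa` false matches the "ESTABLISHED without TUNNEL" state shown in `ipsec status` above.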