[strongSwan] IPV6 'connection' bug? (in 4.3.3 with linux 2.6.21)
Yong Choo
yhc at alcatel-lucent.com
Wed Mar 31 19:22:08 CEST 2010
Hi all,
I progressed much further.
I had to manually load additional modules for IPV6 operation (For IPv4
type, ipsec automatically loads 'ah4, esp4, tunnel4, xfrm4_tunnel')
modprobe ah6
modprobe esp6
modprobe tunnel6
modprobe xfrm6_tunnel
Are there any other modules that I need to load for IPV6?
Yong Choo wrote:
> Hi,
> I'm getting the following errors on my linux 2.6.21 based using
> strongswan 4.3.3 version:
> Any help would be appreciated! (The host that I'm communicating with has
> 2.6.27 and it has no problem)
>
> I configured/checked all required IPV6 kernel protocols in linux 2.6.21
> as defined in the installation document url also.
>
> eCCM-root-/etc> ipsec up enb12v6
> initiating IKE_SA enb12v6[1] to fd00::410:172:21:10:181
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
> received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> authentication of 'fd00::410:172:21:10:12' (myself) with pre-shared key
> establishing CHILD_SA enb12v6
> generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) ]
> sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
> received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
> authentication of 'fd00::410:172:21:10:181' with pre-shared key successful
> scheduling rekeying in 50s
> maximum IKE_SA lifetime 370s
> IKE_SA enb12v6[1] established between fd00::410:172:21:10:12[fd00::410:172:21:10:12]...fd00::410:172:21:10:181[fd00::410:172:21:10:181]
> received netlink error: Protocol not supported (93)
> unable to add SAD entry with SPI c05a60aa
> received netlink error: Protocol not supported (93)
> unable to add SAD entry with SPI c48cd085
> unable to install inbound and outbound IPsec SA (SAD) in kernel
>
>
> The ipsec.conf has the following entries:
>
> config setup
>     plutostart=no
>
> conn %default
>     auth=esp
>     dpdaction=restart
>     dpddelay=50s
>     esp=aes128-sha1-modp1024,3des-sha1-modp1024
>     forceencaps=no
>     ike=aes128-sha-modp1024,3des-sha-modp1024
>     ikelifetime=500s
>     installpolicy=yes
>     keyexchange=ikev2
>     keyingtries=%forever
>     keylife=400s
>     mobike=no
>     pfs=yes
>     reauth=no
>     rekey=yes
>     rekeymargin=320s
>     type=tunnel
>     leftauth=psk
>     rightauth=psk
>
> conn enb12v4
>     left=135.112.41.22
>     right=135.112.40.181
>     auto=add
>
> conn enb12v6
>     left=fd00:0000:0000:410:172:21:10:12
>     #leftsourceip=fd00:0000:0000:410:172:21:10:12
>     leftsubnet=fd00::12/64
>     right=fd00:0000:0000:410:172:21:10:181
>     rightsubnet=fd00::181/64
>     auto=add
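The module check discussed in this message, as an added example that is not part of the original post or of strongSwan: a shell function that reports which of the modules named above have no entry in a /proc/modules listing. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Kernel modules named in the message above, per address family.
IPSEC_MODS_V4="ah4 esp4 tunnel4 xfrm4_tunnel"
IPSEC_MODS_V6="ah6 esp6 tunnel6 xfrm6_tunnel"

# missing_ipsec_modules FAMILY [FILE]
# Prints the modules for FAMILY (4 or 6) that have no entry in FILE, which is
# read in /proc/modules format (module name is the first field of each line).
# Code built into the kernel never appears in /proc/modules, so a name printed
# here means "not loaded as a module", not necessarily "unsupported".
missing_ipsec_modules() {
    family=$1
    modfile=${2:-/proc/modules}
    case $family in
        4) wanted=$IPSEC_MODS_V4 ;;
        6) wanted=$IPSEC_MODS_V6 ;;
        *) echo "usage: missing_ipsec_modules 4|6 [file]" >&2; return 2 ;;
    esac
    missing=""
    for m in $wanted; do
        # Exact match on field 1, so "esp6" does not match "esp6_offload".
        if ! awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modfile"
        then
            missing="${missing:+$missing }$m"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample listing: all IPv4 modules loaded, only esp6 for IPv6.
sample_proc_modules() {
    cat <<'EOF'
xfrm4_tunnel 3456 0 - Live 0xf8a10000
tunnel4 4232 1 xfrm4_tunnel, Live 0xf8a0c000
esp4 8960 0 - Live 0xf8a05000
ah4 7424 0 - Live 0xf89fe000
esp6 9216 0 - Live 0xf89f0000
ipv6 270000 1 esp6, Live 0xf8900000
EOF
}

# Demo on the constructed sample; call with no FILE to check the running host.
tmp=$(mktemp) && sample_proc_modules > "$tmp"
echo "IPv6 modules not loaded: $(missing_ipsec_modules 6 "$tmp")"
rm -f "$tmp"
```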