[strongSwan] ip6-in-ip6 tunnel problem
Andreas Steffen
andreas.steffen at strongswan.org
Fri Sep 24 11:09:38 CEST 2010
Hi Chris,
you set up the net-net connection which defines the IPsec policy
2002:10::/64 === 2002:20::/64
the command
ping6 2002:20::1
generates an ICMP6 request with a source IP of 2001:ffc7::12
> host_10: PING 2002:20::1 (2002:20::1): 56 data bytes
> 64 bytes from 2001:ffc7::12: \
which does not match the IPsec policy defined above. Therefore
this packet is not tunneled.
Try
ping6 -I 2002:10::1 2002:20::1
instead.
Regards
Andreas
On 24.09.2010 10:58, Chris Ryan wrote:
> Hi there,
>
> I'm quite new to strongswan. I tried several configurations in a
> kvm-based testbed. While IP4-in-IP4, IP6-in-IP4 and IP4-in-IP6 tunnels
> do work fine, I have some trouble with IP6-in-IP6.
>
> Testbed's simple network configuration is as follows:
>
> red --------- black
> 2002:10:1 | host_10 | 2001:ffc7::12 === ....
> ---------
>
> black --------- red
> .... === 2001:ffc7::14 | host_20 | 2002:20:1
> ---------
>
> The environment settings, logs and configs of the two testbed hosts
> can be found here:
> http://195.225.198.142/strongswan/host_10
> http://195.225.198.142/strongswan/host_20
>
> The tunnel is established without problems, yet it seems that no
> traffic is passed through. I tried to ping the red net interface of
> the other host:
>
> host_10: PING 2002:20::1 (2002:20::1): 56 data bytes
> 64 bytes from 2001:ffc7::12: \
> Destination unreachable: Address unreachable
>
> In contrast to the mentioned other scenarios, the packets are not ESP
> encapsulated. Instead, the host sends neighbor solicitation requests
> for the other host's red net (and gets no reply to them), though a
> distinct route for that net is already set.
>
> host_10: IP6 2001:ffc7::12 > ff02::1:ff00:1: \
> ICMP6, neighbor solicitation, who has 2002:20::1, length 32
>
> It's not clear to me why the packets are not passed into the tunnel,
> even though the necessary routes and iptables rules exist.
> I'd appreciate any help.
>
> Thanks, Chris.
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
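The selector check described in the reply above, as an added example that is not part of the original message or of strongSwan: it parses text in the style of `ip -6 xfrm policy` output and tests whether a packet's source and destination both fall inside an outbound policy. The sample policy text is constructed from the addresses in this thread (the priority and reqid values are made up), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the style of `ip -6 xfrm policy` output for the
# net-net connection in this thread (priority and reqid are made-up values).
SAMPLE_XFRM_POLICY = """\
src 2002:10::/64 dst 2002:20::/64
\tdir out priority 2883
\ttmpl src 2001:ffc7::12 dst 2001:ffc7::14
\t\tproto esp reqid 1 mode tunnel
src 2002:20::/64 dst 2002:10::/64
\tdir in priority 2883
\ttmpl src 2001:ffc7::14 dst 2001:ffc7::12
\t\tproto esp reqid 1 mode tunnel
"""

def parse_policies(text):
    """Return one dict per policy: selector networks plus direction."""
    policies = []
    for line in text.splitlines():
        # Selector lines start in column 0; indented "tmpl src ..." lines do not match.
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2)),
                             "dir": None})
            continue
        m = re.match(r"\s+dir (\w+)", line)
        if m and policies:
            policies[-1]["dir"] = m.group(1)
    return policies

def verdict(policies, src, dst):
    """A packet is tunneled only if BOTH addresses match an outbound selector."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == "out" and src in p["src"] and dst in p["dst"]:
            return "tunneled"
    return "not tunneled"

if __name__ == "__main__":
    pols = parse_policies(SAMPLE_XFRM_POLICY)
    print("ping6 2002:20::1            ->", verdict(pols, "2001:ffc7::12", "2002:20::1"))
    print("ping6 -I 2002:10::1 2002:20::1 ->", verdict(pols, "2002:10::1", "2002:20::1"))
```
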