[strongSwan] XFRM for IPv6 ND/NA bypass

Mike Spengler mks at foobox.com
Sun Feb 27 02:19:20 CET 2011 

I'm trying to get an IKEv2 connection to work between 2 IPv6 hosts running 
strongswan (4.5.1) on the same subnet. The policy I'm using protects all traffic 
between the hosts - I'm trying to get around the chicken-and-egg problem with 
the IPv6 Neighbor Discovery (ND) / Neighbor Advertisement (NA) messages getting 
controlled by the IKE policy. We don't have iptables installed on our systems, 
so I've been trying to use manual XFRM policies to allow the ND/NA packets to 
flow without protection. I can't seem to figure out the 'ip xfrm policy' 
statements that allow this to work.

When I ping6 between the hosts, the receiving side gets the multicast ND OK, but 
when trying to unicast the NA back, I get the following and the IKE_SA_INIT 
request never gets sent:

# ip x m
acquire proto esp
   sel src fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 dst 
fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 proto ipv6-icmp type 136 code 0 dev if1
   policy src fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 dst 
fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128
         dir out priority 3075 ptype main
         tmpl src :: dst ::
                 proto esp reqid 1 mode transport


I have these policies installed but the NA always seems to hit the 
strongswan-installed policy rather than my manual ones.

[root at hsb3800-1 conf]# ip x p
src ::/0 dst ::/0 proto ipv6-icmp type 135 code 0
         dir in priority 1073741824 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136 code 0
         dir in priority 1073741824 ptype main
src fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 dst 
fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128
         dir in priority 3075 ptype main
         tmpl src :: dst ::
                 proto esp reqid 1 mode transport
src fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 dst 
fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 proto ipv6-icmp type 135 code 0
         dir in priority 1073741830 ptype main
src fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 dst 
fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 proto ipv6-icmp type 136 code 0
         dir in priority 1073741830 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135 code 0
         dir out priority 1073741824 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136 code 0
         dir out priority 1073741824 ptype main
src fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 dst 
fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128
         dir out priority 3075 ptype main
         tmpl src :: dst ::
                 proto esp reqid 1 mode transport
src fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 dst 
fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 proto ipv6-icmp type 135 code 0
         dir out priority 1073741830 ptype main
src fd70:c154:c2df:83:2c0:ddff:fe0d:53e6/128 dst 
fd70:c154:c2df:83:2c0:ddff:fe12:cdd4/128 proto ipv6-icmp type 136 code 0
         dir out priority 1073741830 ptype main


Also, we're running Linux 2.6.22 if that makes a difference.

Any clue would be greatly appreciated!

Regards,

-mike

More information about the Users mailing list