[strongSwan] Strongswan and IPv6 routing
Jason White
jason at jasonjgw.net
Thu Sep 22 02:56:09 CEST 2011
Note: I'm not sure whether my earlier posts on this topic made it to the list
(via gmane.org); I didn't receive any replies, so I'm starting a new thread
now. Apologies in advance if this is inappropriate.
Here's the configuration:
conn %default
    left = 2001:44b8:412f:6e00::2
    leftcert = /etc/ssl/certs/jdc.pem
    auto = start

conn speakup-jdc
    right = 2607:f2f8:2340::2
    rightcert = /etc/ipsec.d/certs/speakup.pem
    auto = add
Both sides are running Strongswan 4.5.2. The connection is established, but I
can't ping either host from the other. If the connection is shut down from
speakup.octothorp.org (i.e., the remote side), the local Strongswan receives
the notification that the connection is shut down, but none of the response
packets is ever received by the remote peer. This suggests to me that my
machine can receive packets over the tunnel, but can't send them.
When I try to ping speakup.octothorp.org I see the following in my kernel
logs:
Sep 22 10:37:03 jdc kernel: [15371.808065] pmtu discovery on SA ESP/ce48cc5a/2607:f2f8:2340:0000:0000:0000:0000:0002
(this message is repeated for as long as the ping is in progress).
A packet dump shows an unusual number of neighbour discovery requests on the
eth0 interface while this is happening; I'll capture these if required.
Further details
ip -s xfrm policy show
src 2607:f2f8:2340::2/128 dst 2001:44b8:412f:6e00::2/128 uid 0
dir fwd action allow index 234 priority 1027 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:44 use -
tmpl src 2607:f2f8:2340::2 dst 2001:44b8:412f:6e00::2
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 2607:f2f8:2340::2/128 dst 2001:44b8:412f:6e00::2/128 uid 0
dir in action allow index 224 priority 1027 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:44 use -
tmpl src 2607:f2f8:2340::2 dst 2001:44b8:412f:6e00::2
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 2001:44b8:412f:6e00::2/128 dst 2607:f2f8:2340::2/128 uid 0
dir out action allow index 217 priority 1027 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:44 use 2011-09-22 10:37:02
tmpl src 2001:44b8:412f:6e00::2 dst 2607:f2f8:2340::2
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src ::/0 dst ::/0 uid 0
socket in action allow index 211 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:29 use 2011-09-22 10:36:44
src ::/0 dst ::/0 uid 0
socket out action allow index 204 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:29 use 2011-09-22 10:36:44
src ::/0 dst ::/0 uid 0
socket in action allow index 195 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:29 use 2011-09-22 10:36:40
src ::/0 dst ::/0 uid 0
socket out action allow index 188 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:29 use 2011-09-22 10:36:39
src ::/0 dst ::/0 uid 0
socket in action allow index 179 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:29 use 2011-09-22 10:36:54
src ::/0 dst ::/0 uid 0
socket out action allow index 172 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:29 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 163 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:29 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 156 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:29 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 147 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:29 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 140 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:29 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 131 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:29 use 2011-09-22 10:36:36
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 124 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:29 use -
ip -s xfrm state show
src 2001:44b8:412f:6e00::2 dst 2607:f2f8:2340::2
proto esp spi 0xce48cc5a(3460877402) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth-trunc hmac(sha1) 0xae3938ef6f29efdc8e54cdd86d9e68501bc50126 (160 bits) 96
enc cbc(aes) 0xb3ee5fde598678fb9f168fc694191019 (128 bits)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 2797(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
936(bytes), 9(packets)
add 2011-09-22 10:36:44 use 2011-09-22 10:36:54
stats:
replay-window 0 replay 0 failed 0
src 2607:f2f8:2340::2 dst 2001:44b8:412f:6e00::2
proto esp spi 0xcd2a0f76(3442085750) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth-trunc hmac(sha1) 0xcc912ad3ff961fdebaa64b2a3f5683022f4b8cbc (160 bits) 96
enc cbc(aes) 0xb996035377d7c8eee07cfa00a9585379 (128 bits)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 2634(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2011-09-22 10:36:44 use -
stats:
replay-window 0 replay 0 failed 0
ip -6 route show
2001:44b8:412f:6e00::/64 dev eth0 proto kernel metric 256
2001:44b8:412f:6e01::/64 dev vde0 proto kernel metric 256
fe80::/64 dev vde0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev ppp0 proto kernel metric 256
fe80::/10 dev ppp0 metric 1
fe80::/10 dev ppp0 proto kernel metric 256
default via fe80::224:14ff:fe9a:8900 dev ppp0 metric 1024
ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:44b8:412f:6e00::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::21a:4bff:feca:3dd3/64 scope link
valid_lft forever preferred_lft forever
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qlen 3
inet6 fe80::293a:aa9:a72a:854f/10 scope link
valid_lft forever preferred_lft forever
4: vde0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 500
inet6 2001:44b8:412f:6e01::1/64 scope global deprecated
valid_lft forever preferred_lft forever
inet6 fe80::681c:60ff:fe71:600e/64 scope link
valid_lft forever preferred_lft forever
Does this give any clues as to the problem?
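One thing worth pulling out of the `ip -s xfrm state show` output above is the per-SA traffic counters: the outbound SA (src = the local address) shows 936 bytes and 9 packets, while the inbound SA shows 0 bytes and 0 packets, which tells you which direction of the tunnel is actually carrying ESP. The script below is an added example (not part of the original post or of strongSwan) that parses that output and classifies each peer's SA pair as bidirectional, idle, or one-way. The sample text is constructed from the post's two SA entries with the key material omitted; `parse_xfrm_state`, `check_direction` and the field names are this example's own choices.

```python
import re
import sys

# Constructed sample: the two SA entries from the post, trimmed to the lines the
# parser needs (auth/enc key lines left out; indentation is not significant).
SAMPLE_XFRM_STATE = """\
src 2001:44b8:412f:6e00::2 dst 2607:f2f8:2340::2
    proto esp spi 0xce48cc5a(3460877402) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      expire add: soft 2797(sec), hard 3600(sec)
    lifetime current:
      936(bytes), 9(packets)
    add 2011-09-22 10:36:44 use 2011-09-22 10:36:54
    stats:
      replay-window 0 replay 0 failed 0
src 2607:f2f8:2340::2 dst 2001:44b8:412f:6e00::2
    proto esp spi 0xcd2a0f76(3442085750) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      expire add: soft 2634(sec), hard 3600(sec)
    lifetime current:
      0(bytes), 0(packets)
    add 2011-09-22 10:36:44 use -
    stats:
      replay-window 0 replay 0 failed 0
"""

# Line shapes as printed by iproute2's "ip -s xfrm state show".
SA_HEADER = re.compile(r"^src (\S+) dst (\S+)$")
SPI_LINE = re.compile(
    r"^proto (\w+) spi (0x[0-9a-f]+)\(\d+\) reqid (\d+)\(0x[0-9a-f]+\) mode (\w+)$")
CURRENT_LINE = re.compile(r"^(\d+)\(bytes\), (\d+)\(packets\)$")
STATS_LINE = re.compile(r"^replay-window \d+ replay (\d+) failed (\d+)$")


def parse_xfrm_state(text):
    """Return one dict per SA: endpoints, SPI, reqid and the current counters."""
    sas = []
    cur = None
    expect_current = False  # next line holds the "lifetime current" counters
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "proto": None, "spi": None,
                   "reqid": None, "mode": None, "bytes": 0, "packets": 0,
                   "replay": 0, "failed": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = SPI_LINE.match(line)
        if m:
            cur["proto"], cur["spi"] = m.group(1), m.group(2)
            cur["reqid"], cur["mode"] = int(m.group(3)), m.group(4)
            continue
        if line == "lifetime current:":
            expect_current = True
            continue
        if expect_current:
            m = CURRENT_LINE.match(line)
            if m:
                cur["bytes"], cur["packets"] = int(m.group(1)), int(m.group(2))
            expect_current = False
            continue
        m = STATS_LINE.match(line)
        if m:  # the "stats:" block; the replay-window line above it has "seq" and does not match
            cur["replay"], cur["failed"] = int(m.group(1)), int(m.group(2))
    return sas


def check_direction(sas, local_addr):
    """Pair each outbound SA (src == local) with its inbound twin and classify the flow."""
    findings = []
    for out in (s for s in sas if s["src"] == local_addr):
        peer = out["dst"]
        inb = next((s for s in sas if s["src"] == peer and s["dst"] == local_addr), None)
        if inb is None:
            verdict = "missing-inbound-sa"
        elif out["packets"] and not inb["packets"]:
            verdict = "one-way-outbound-only"   # we encrypt, but never decrypt anything
        elif inb["packets"] and not out["packets"]:
            verdict = "one-way-inbound-only"
        elif not out["packets"] and not inb["packets"]:
            verdict = "idle"
        else:
            verdict = "bidirectional"
        findings.append((peer, verdict))
    return findings


if __name__ == "__main__":
    # Usage: ip -s xfrm state show | python3 xfrm_check.py <local-address>
    text = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE_XFRM_STATE
    local = sys.argv[1] if len(sys.argv) > 1 else "2001:44b8:412f:6e00::2"
    for peer, verdict in check_direction(parse_xfrm_state(text), local):
        print(f"{local} <-> {peer}: {verdict}")
```

Run against the post's counters it reports `one-way-outbound-only`: the local kernel has encrypted nine packets for the peer but has decrypted none, which narrows the search to the path the ESP packets take after leaving the SA (the routing and PMTU behaviour on `ppp0`) rather than to policy matching. Re-running it after each attempted ping shows whether either counter moves.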