[strongSwan] IPv6 Remote Access: traffic selectors fec1::/64 === ::/0 inacceptable, failed to establish CHILD_SA
Mao, Zhiheng
zmao at qualcomm.com
Fri Aug 3 07:37:16 CEST 2012
Hi there,
I am trying to establish IPv6 remote access with PSK between the road warrior Carol (at 2002:c023:9c17:21c:21b:78ff:fee0:dbfc/64) and the gateway Moon (at 2002:c023:9c17:21c::a29:4947/64). It appears that they failed to establish the CHILD_SA due to "traffic selectors fec1::/64 === ::/0 inacceptable". Carol's eth0 gets the assigned IPv6 address from Moon, but ping6 fails from either end. I have included the configurations and logs below (with some red highlight).
Could someone please let me know what I am missing here?
Also, could you please let me know why the assigned IPv6 address on Carol has the full 128-bit prefix fec1::1/128 instead of the configured fec1::1/64?
Thanks a lot!
Regards,
Zhiheng
==================== Moon's ipsec.conf ====================
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn rw-carol
    left=2002:c023:9c17:21c::a29:4947
    leftsubnet=2002:c023:9c17:21c::/64
    leftid=moon at strongswan.org
    leftauth=psk
    leftfirewall=yes
    right=%any
    rightid=*@strongswan.org
    rightauth=psk
    rightsourceip=fec1::1/64
    auto=add
================== Carol's ipsec.conf =====================
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn home
    left=2002:c023:9c17:21c:21b:78ff:fee0:dbfc
    leftid=carol at strongswan.org
    leftauth=psk
    leftfirewall=yes
    leftsourceip=%config
    right=2002:c023:9c17:21c::a29:4947
    rightid=moon at strongswan.org
    rightsubnet=fec1::/64
    rightauth=psk
    auto=start
================Moon's dev interfaces after setup==============
[zmao at sit-iwf sbin]$ /sbin/ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:1b:78:75:3b:d8 brd ff:ff:ff:ff:ff:ff
inet 10.41.73.71/23 brd 10.41.73.255 scope global eth0
inet 10.41.73.79/24 brd 10.41.73.255 scope global eth0:1
inet6 2002:c023:9c17:21c::a29:4947/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::21b:78ff:fe75:3bd8/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:1b:78:75:3b:c4 brd ff:ff:ff:ff:ff:ff
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
31: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 2000
link/[65534]
inet 10.9.8.7/24 brd 10.9.8.255 scope global tun0
inet6 fec1::7/64 scope site
valid_lft forever preferred_lft forever
================Carol's dev interfaces after setup==============
<etc>% ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:1b:78:e0:db:fc brd ff:ff:ff:ff:ff:ff
inet 10.41.73.234/23 brd 10.41.73.255 scope global eth0
inet6 2002:c023:9c17:21c:21b:78ff:fee0:dbfc/64 scope global dynamic
valid_lft 2591942sec preferred_lft 604742sec
inet6 fec1::1/128 scope site
valid_lft forever preferred_lft forever
inet6 fe80::21b:78ff:fee0:dbfc/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:1b:78:e0:db:ec brd ff:ff:ff:ff:ff:ff
================Moon's syslog ==============
Aug 2 21:57:17 sit-iwf charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.18-238.el5, x86_64)
Aug 2 21:57:17 sit-iwf charon: 00[KNL] listening on interfaces:
Aug 2 21:57:17 sit-iwf automount[3619]: 1 remaining in /-
Aug 2 21:57:18 sit-iwf charon: 00[KNL] eth0
Aug 2 21:57:18 sit-iwf charon: 00[KNL] 10.41.73.71
Aug 2 21:57:18 sit-iwf charon: 00[KNL] 10.41.73.79
Aug 2 21:57:18 sit-iwf charon: 00[KNL] 2002:c023:9c17:21c::a29:4947
Aug 2 21:57:18 sit-iwf charon: 00[KNL] fe80::21b:78ff:fe75:3bd8
Aug 2 21:57:18 sit-iwf charon: 00[KNL] tun0
Aug 2 21:57:18 sit-iwf charon: 00[KNL] 10.9.8.7
Aug 2 21:57:18 sit-iwf charon: 00[KNL] fec1::7
Aug 2 21:57:18 sit-iwf charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Aug 2 21:57:18 sit-iwf charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Aug 2 21:57:19 sit-iwf automount[3619]: 1 remaining in /-
Aug 2 21:57:19 sit-iwf charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Aug 2 21:57:19 sit-iwf charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Aug 2 21:57:20 sit-iwf charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Aug 2 21:57:20 sit-iwf charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Aug 2 21:57:20 sit-iwf charon: 00[CFG] loaded IKE secret for carol at strongswan.org
Aug 2 21:57:20 sit-iwf charon: 00[CFG] loaded IKE secret for moon at strongswan.org
Aug 2 21:57:20 sit-iwf charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-aka eap-md5 eap-radius xauth-generic
Aug 2 21:57:20 sit-iwf charon: 00[JOB] spawning 16 worker threads
Aug 2 21:57:20 sit-iwf automount[3619]: 4 remaining in /usr2
Aug 2 21:57:20 sit-iwf charon: 08[CFG] received stroke: add connection 'rw-carol'
Aug 2 21:57:21 sit-iwf charon: 08[CFG] added configuration 'rw-carol'
Aug 2 21:57:21 sit-iwf charon: 08[CFG] adding virtual IP address pool 'rw-carol': fec1::1/64
Aug 2 21:57:30 sit-iwf automount[3619]: 1 remaining in /-
Aug 2 21:57:32 sit-iwf automount[3619]: 1 remaining in /-
Aug 2 21:57:37 sit-iwf automount[3619]: 4 remaining in /usr2
Aug 2 21:57:47 sit-iwf automount[3619]: 1 remaining in /-
Aug 2 21:57:58 sit-iwf charon: 10[NET] received packet: from 2002:c023:9c17:21c:21b:78ff:fee0:dbfc[500] to 2002:c023:9c17:21c::a29:4947[500]
Aug 2 21:57:58 sit-iwf charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 2 21:57:58 sit-iwf charon: 10[IKE] 2002:c023:9c17:21c:21b:78ff:fee0:dbfc is initiating an IKE_SA
Aug 2 21:57:58 sit-iwf charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Aug 2 21:57:58 sit-iwf charon: 10[NET] sending packet: from 2002:c023:9c17:21c::a29:4947[500] to 2002:c023:9c17:21c:21b:78ff:fee0:dbfc[500]
Aug 2 21:57:58 sit-iwf charon: 11[NET] received packet: from 2002:c023:9c17:21c:21b:78ff:fee0:dbfc[4500] to 2002:c023:9c17:21c::a29:4947[4500]
Aug 2 21:57:58 sit-iwf charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP(ADDR6 DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 2 21:57:58 sit-iwf charon: 11[CFG] looking for peer configs matching 2002:c023:9c17:21c::a29:4947[moon at strongswan.org]...2002:c023:9c17:21c:21b:78ff:fee0:dbfc[carol at strongswan.org]
Aug 2 21:57:58 sit-iwf charon: 11[CFG] selected peer config 'rw-carol'
Aug 2 21:57:58 sit-iwf charon: 11[IKE] authentication of 'carol at strongswan.org' with pre-shared key successful
Aug 2 21:57:58 sit-iwf charon: 11[IKE] peer supports MOBIKE
Aug 2 21:57:58 sit-iwf charon: 11[IKE] authentication of 'moon at strongswan.org' (myself) with pre-shared key
Aug 2 21:57:58 sit-iwf charon: 11[IKE] IKE_SA rw-carol[1] established between 2002:c023:9c17:21c::a29:4947[moon at strongswan.org]...2002:c023:9c17:21c:21b:78ff:fee0:dbfc[carol at strongswan.org]
Aug 2 21:57:59 sit-iwf charon: 11[IKE] scheduling reauthentication in 3325s
Aug 2 21:57:59 sit-iwf charon: 11[IKE] maximum IKE_SA lifetime 3505s
Aug 2 21:57:59 sit-iwf charon: 11[IKE] peer requested virtual IP %any6
Aug 2 21:57:59 sit-iwf charon: 11[CFG] assigning new lease to 'carol at strongswan.org'
Aug 2 21:57:59 sit-iwf charon: 11[IKE] assigning virtual IP fec1::1 to peer 'carol at strongswan.org'
Aug 2 21:57:59 sit-iwf charon: 11[IKE] traffic selectors fec1::/64 === ::/0 inacceptable
Aug 2 21:57:59 sit-iwf charon: 11[IKE] failed to establish CHILD_SA, keeping IKE_SA
Aug 2 21:57:59 sit-iwf charon: 11[ENC] generating IKE_AUTH response 1 [ IDr AUTH CP(ADDR6) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
Aug 2 21:57:59 sit-iwf charon: 11[NET] sending packet: from 2002:c023:9c17:21c::a29:4947[4500] to 2002:c023:9c17:21c:21b:78ff:fee0:dbfc[4500]
================Carol's syslog ==============
Aug 2 21:57:58 localhost charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.26.3-29.fc9.x86_64, x86_64)
Aug 2 21:57:58 localhost charon: 00[KNL] listening on interfaces:
Aug 2 21:57:58 localhost charon: 00[KNL] eth0
Aug 2 21:57:58 localhost charon: 00[KNL] 10.41.73.234
Aug 2 21:57:58 localhost charon: 00[KNL] 2002:c023:9c17:21c:21b:78ff:fee0:dbfc
Aug 2 21:57:58 localhost charon: 00[KNL] fe80::21b:78ff:fee0:dbfc
Aug 2 21:57:58 localhost charon: 00[CFG] loaded 0 RADIUS server configurations
Aug 2 21:57:58 localhost charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Aug 2 21:57:58 localhost charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Aug 2 21:57:58 localhost charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Aug 2 21:57:58 localhost charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Aug 2 21:57:58 localhost charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Aug 2 21:57:58 localhost charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Aug 2 21:57:58 localhost charon: 00[CFG] loaded IKE secret for carol at strongswan.org
Aug 2 21:57:58 localhost charon: 00[CFG] loaded IKE secret for moon at strongswan.org
Aug 2 21:57:58 localhost charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-aka eap-md5 eap-radius xauth-generic
Aug 2 21:57:58 localhost charon: 00[JOB] spawning 16 worker threads
Aug 2 21:57:58 localhost charon: 07[CFG] received stroke: add connection 'home'
Aug 2 21:57:58 localhost charon: 07[CFG] added configuration 'home'
Aug 2 21:57:58 localhost charon: 10[CFG] received stroke: initiate 'home'
Aug 2 21:57:58 localhost charon: 10[IKE] initiating IKE_SA home[1] to 2002:c023:9c17:21c::a29:4947
Aug 2 21:57:58 localhost charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 2 21:57:58 localhost charon: 10[NET] sending packet: from 2002:c023:9c17:21c:21b:78ff:fee0:dbfc[500] to 2002:c023:9c17:21c::a29:4947[500]
Aug 2 21:57:58 localhost charon: 11[NET] received packet: from 2002:c023:9c17:21c::a29:4947[500] to 2002:c023:9c17:21c:21b:78ff:fee0:dbfc[500]
Aug 2 21:57:58 localhost charon: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Aug 2 21:57:58 localhost charon: 11[IKE] authentication of 'carol at strongswan.org' (myself) with pre-shared key
Aug 2 21:57:58 localhost charon: 11[IKE] establishing CHILD_SA home
Aug 2 21:57:58 localhost charon: 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP(ADDR6 DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 2 21:57:58 localhost charon: 11[NET] sending packet: from 2002:c023:9c17:21c:21b:78ff:fee0:dbfc[4500] to 2002:c023:9c17:21c::a29:4947[4500]
Aug 2 21:57:59 localhost charon: 12[NET] received packet: from 2002:c023:9c17:21c::a29:4947[4500] to 2002:c023:9c17:21c:21b:78ff:fee0:dbfc[4500]
Aug 2 21:57:59 localhost charon: 12[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CP(ADDR6) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
Aug 2 21:57:59 localhost charon: 12[IKE] authentication of 'moon at strongswan.org' with pre-shared key successful
Aug 2 21:57:59 localhost charon: 12[IKE] IKE_SA home[1] established between 2002:c023:9c17:21c:21b:78ff:fee0:dbfc[carol at strongswan.org]...2002:c023:9c17:21c::a29:4947[moon at strongswan.org]
Aug 2 21:57:59 localhost charon: 12[IKE] scheduling reauthentication in 3328s
Aug 2 21:57:59 localhost charon: 12[IKE] maximum IKE_SA lifetime 3508s
Aug 2 21:57:59 localhost charon: 12[IKE] installing new virtual IP fec1::1
Aug 2 21:58:01 localhost charon: 12[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
Aug 2 21:58:01 localhost charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Aug 2 21:58:01 localhost charon: 12[IKE] received AUTH_LIFETIME of 3324s, scheduling reauthentication in 3144s
Aug 2 21:58:01 localhost charon: 12[IKE] peer supports MOBIKE
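Editor's note, with an added example that is not part of the original post or of strongSwan itself. Reading Moon's log, the gateway prints the traffic selectors as its own side === the peer's side: its side is fec1::/64, which is what Carol put in rightsubnet, and the peer side is ::/0, which is what a road warrior with leftsourceip=%config proposes because its virtual IP is not yet known when IKE_AUTH is built. Moon's only conn offers leftsubnet=2002:c023:9c17:21c::/64, which does not overlap fec1::/64, so no child config matches and Moon answers TS_UNACCEPTABLE. fec1::/64 is the pool Moon hands leases out of ("adding virtual IP address pool 'rw-carol': fec1::1/64"), not a network reachable behind Moon. On the second question, the /64 in rightsourceip sizes the pool; the lease itself is installed on Carol's interface as a host address, which is why ip addr shows fec1::1/128. The Python model below (assumptions: the simplified narrowing rules stated in its docstring, and the conn values copied from the post as constructed input) reproduces the logged message from the posted configs and shows what a CHILD_SA looks like once Carol's rightsubnet names the subnet Moon actually offers, or ::/0 so that Moon narrows it. One caveat a practitioner would want: fec1::/64 sits in the deprecated site-local block fec0::/10 (RFC 3879), which is also why the kernel marks it "scope site"; a ULA prefix from fc00::/7 avoids that.

```python
"""Model of IKEv2 traffic-selector (TS) matching for the road-warrior setup
in the post. Simplified (an assumption of this example, not strongSwan's code):
  * with leftsourceip=%config the initiator does not know its virtual IP
    when it builds IKE_AUTH, so it proposes TSi = ::/0 and TSr = rightsubnet;
  * the responder accepts the pair only if TSr overlaps its leftsubnet and
    TSi overlaps the virtual IP it assigns; the CHILD_SA is that overlap.
"""
import ipaddress

# Constructed inputs: the conn sections from the post (values copied
# verbatim) and two corrected variants of Carol's conn for comparison.
MOON_RW_CAROL = """\
left=2002:c023:9c17:21c::a29:4947
leftsubnet=2002:c023:9c17:21c::/64
right=%any
rightsourceip=fec1::1/64
"""
CAROL_HOME = """\
left=2002:c023:9c17:21c:21b:78ff:fee0:dbfc
leftsourceip=%config
right=2002:c023:9c17:21c::a29:4947
rightsubnet=fec1::/64
"""
# Carol asks for the subnet Moon actually offers ...
CAROL_HOME_FIXED = CAROL_HOME.replace("rightsubnet=fec1::/64",
                                      "rightsubnet=2002:c023:9c17:21c::/64")
# ... or for everything, and lets Moon narrow it to its leftsubnet.
CAROL_HOME_ANY = CAROL_HOME.replace("rightsubnet=fec1::/64", "rightsubnet=::/0")

ANY6 = ipaddress.ip_network("::/0")


def parse_conn(text):
    """Parse key=value lines of an ipsec.conf conn section into a dict."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conn[key.strip()] = value.strip()
    return conn


def net(text):
    """A bare address becomes a host prefix (/128), like the *subnet default."""
    return ipaddress.ip_network(text, strict=False)


def intersect(a, b):
    """Overlap of two prefixes, or None; this is what TS narrowing keeps."""
    if a.version != b.version:
        return None
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def initiator_ts(conn):
    """TSi/TSr the road warrior proposes in IKE_AUTH."""
    if conn.get("leftsourceip") == "%config":
        tsi = ANY6                      # virtual IP not assigned yet
    else:
        tsi = net(conn.get("leftsubnet", conn["left"]))
    tsr = net(conn.get("rightsubnet", conn["right"]))
    return tsi, tsr


def negotiate(moon_text, carol_text, assigned_vip="fec1::1"):
    """Run Carol's proposal against Moon's conn and return the outcome."""
    moon, carol = parse_conn(moon_text), parse_conn(carol_text)
    tsi, tsr = initiator_ts(carol)
    my_side = intersect(tsr, net(moon.get("leftsubnet", moon["left"])))
    peer_side = intersect(tsi, net(assigned_vip))   # lease installed as /128
    result = {"proposed": (str(tsi), str(tsr))}
    if my_side is None or peer_side is None:
        # Same shape as charon's message: gateway's side === peer's side.
        result["ok"] = False
        result["log"] = f"traffic selectors {tsr} === {tsi} inacceptable"
        result["notify"] = "TS_UNACCEPTABLE"
    else:
        result["ok"] = True
        result["child_sa"] = (str(peer_side), str(my_side))
    return result


if __name__ == "__main__":
    for label, text in (("as posted", CAROL_HOME), ("fixed", CAROL_HOME_FIXED),
                        ("rightsubnet=::/0", CAROL_HOME_ANY)):
        print(label, negotiate(MOON_RW_CAROL, text))
```

With the posted configs the model yields exactly the logged "traffic selectors fec1::/64 === ::/0 inacceptable"; with either corrected rightsubnet the CHILD_SA becomes fec1::1/128 === 2002:c023:9c17:21c::/64, i.e. the lease on Carol's side and Moon's leftsubnet on the other. Whatever rightsubnet Carol ends up with, Moon still needs a route (and, with leftfirewall=yes, a forward rule) for fec1::1/128 toward the tunnel for ping6 to work in both directions.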