[strongSwan] ICMP discovery fails with IPv6 and IKEv2

Eric_C_Johnson at Dell.com
Tue Jan 24 16:13:40 CET 2012


Hi.

I'm trying to establish an IPv6 IPSec tunnel using IKEv2.  I'm seeing the Strongswan host firing the policy but the remote peer never receives the ISAKMP packet.  Looking at the trace reveals that the IPv6 neighbor discovery is failing.  I suspect that the Ubuntu host might be treating the ICMP6 request as part of the default allow all policy.  To test this theory I disable IPSec on the Strongswan host and the remote peer.  When I do this, each host can ping the other fine.  I then quickly enable IPSec and I can get the IPSec tunnel up between the two hosts (which should validate the config entries).  At least until the arp entry expires.  And then I'm back to no longer establishing IPSec between the peers.

I've done some research indicating that I should accommodate the discovery in IPTables but I'm not using the firewall.  Which explains why it works when IPSec is disabled.  Is there a bit in ipsec.conf that can account for neighbor discovery outside of the IPSec policy (assuming this is what is really going on)?  There is some urgency behind this question so anything anybody could do to help would be greatly appreciated.  Thanks in advance.

Strongswan log entries with IPSec enabled:

Jan 24 09:06:11 gyaos6-PowerEdge-R610 charon: 01[KNL] creating acquire job for policy fc00:2518::221:9bff:fe98:854b/128[udp/60525] === fc00:2518::10:125:56:9/128[udp/1025] with reqid {10}
Jan 24 09:06:11 gyaos6-PowerEdge-R610 charon: 11[IKE] initiating IKE_SA ubuntu-gamera9_ipv6_wka[1] to fc00:2518::10:125:56:9
Jan 24 09:06:11 gyaos6-PowerEdge-R610 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 24 09:06:11 gyaos6-PowerEdge-R610 charon: 11[NET] sending packet: from fc00:2518::221:9bff:fe98:854b[500] to fc00:2518::10:125:56:9[500]
Jan 24 09:06:15 gyaos6-PowerEdge-R610 charon: 12[IKE] retransmit 1 of request with message ID 0
Jan 24 09:06:15 gyaos6-PowerEdge-R610 charon: 12[NET] sending packet: from fc00:2518::221:9bff:fe98:854b[500] to fc00:2518::10:125:56:9[500]
Jan 24 09:06:22 gyaos6-PowerEdge-R610 charon: 13[IKE] retransmit 2 of request with message ID 0
Jan 24 09:06:22 gyaos6-PowerEdge-R610 charon: 13[NET] sending packet: from fc00:2518::221:9bff:fe98:854b[500] to fc00:2518::10:125:56:9[500]

# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
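The mechanism the question is asking about does exist in strongSwan's ipsec.conf: a connection with type=passthrough installs a kernel policy that excludes the matching traffic from IPsec processing, so ICMPv6 neighbor discovery can keep working while the host-to-host SA is down. The fragment below is an added example, not from the original thread or from the poster's configuration, and it assumes that trapped ICMPv6 is actually the cause here and that the system's /etc/protocols knows the name ipv6-icmp.

```ini
# Added example: exempt ICMPv6 (neighbor solicitation/advertisement) from the
# IPsec policy so that on-link address resolution is not swallowed by the SA.
# Assumption: the ND traffic is what the catch-all policy is trapping.
conn icmpv6-passthrough
    # passthrough policies are installed with auto=route, not auto=add/start
    type=passthrough
    auto=route
    # match ICMPv6 in both directions for any IPv6 address
    leftsubnet=::/0
    rightsubnet=::/0
    leftprotoport=ipv6-icmp
    rightprotoport=ipv6-icmp

# The protected host-to-host connection stays as it was; only ICMPv6 bypasses it.
conn ubuntu-gamera9_ipv6_wka
    keyexchange=ikev2
    left=fc00:2518::221:9bff:fe98:854b
    right=fc00:2518::10:125:56:9
    # ... authentication and proposal settings as in the existing config ...
    auto=route
```

Note that this exempts all ICMPv6 between the peers from IPsec, not just neighbor discovery; if that is too broad, narrow leftsubnet/rightsubnet to the link-local range (fe80::/10) and the solicited-node multicast prefix (ff02::1:ff00:0/104) that ND actually uses, and confirm the resulting policies with `ip -6 xfrm policy`.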

