[strongSwan] IKEv1 doesn't pass ipv6 traffic

yordanos beyene yordanosb at gmail.com
Fri May 31 19:24:49 CEST 2013


Hi SS Team,

I am running strongswan 5.0.1, and I cannot pass icmp6 traffic with IKEv1.
It creates an IKE SA but it fails to create a child_SA. The same configuration
works fine with IKEv2.

I have the configuration and log details below for IKEv1 and IKEv2. Please
let me know if this is a bug in strongswan code, and any tips to resolve
the issue.

Here is my deployment:
pc1(2006::2)----(2006::1)strongswan(eth13:2003::2)---(eth13:2003::1)strongswan(2005::1)----(2005::2)pc2

I initiated icmp6 traffic from 2005::2 to 2006::2.

Below is the ipsec statusall output for IKEv1. It fails to create child_sa.
...
Listening IP addresses:
  10.243.10.142
  7.1.1.2
  2005::1
  192.168.1.1
  2003::1
  11.1.1.2
Connections:
    ipv6_pol:  2003::1...2003::2  IKEv1
    ipv6_pol:   local:  [2003::1] uses pre-shared key authentication
    ipv6_pol:   remote: [2003::2] uses pre-shared key authentication
    ipv6_pol:   child:  2005::/64 === 2006::/64 TUNNEL
Routed Connections:
    ipv6_pol{2}:  ROUTED, TUNNEL
    ipv6_pol{2}:   2005::/64 === 2006::/64
Security Associations (1 up, 0 connecting):
    ipv6_pol[2]: ESTABLISHED 3 minutes ago, 2003::1[2003::1]...2003::2[2003::2]
    ipv6_pol[2]: IKEv1 SPIs: 55de706622696d07_i 3e835d9a72111fcf_r*, rekeying in 23 hours
    ipv6_pol[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

Below is the VPN log for IKEv1.
...
2013-05-31 14:54:54.110  [CHARON-INFO:] "14[NET] sending packet: from 2003::1[500] to 2003::2[500]"
2013-05-31 14:54:54.115  [CHARON-INFO:] "04[NET] received packet: from 2003::2[500] to 2003::1[500]"
2013-05-31 14:54:54.115  [CHARON-INFO:] "04[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]"
2013-05-31 14:54:54.125 [CHARON-INFO:] "04[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]"
2013-05-31 14:54:54.125 [CHARON-INFO:] "04[NET] sending packet: from 2003::1[500] to 2003::2[500]"
2013-05-31 14:54:54.130 [CHARON-INFO:] "12[NET] received packet: from 2003::2[500] to 2003::1[500]"
2013-05-31 14:54:54.130 [CHARON-INFO:] "12[ENC] parsed ID_PROT request 0 [ ID HASH ]"
2013-05-31 14:54:54.130  [CHARON-INFO:] "12[CFG] looking for pre-shared key peer configs matching 2003::1...2003::2[2003::2]"
2013-05-31 14:54:54.130  [CHARON-INFO:] "12[LIB] resolving '7.1.1.2' failed: Address family for hostname not supported"
2013-05-31 14:54:54.130  [CHARON-INFO:] "12[CFG] selected peer config "ipv6_pol""
2013-05-31 14:54:54.130  [CHARON-INFO:] "12[IKE] IKE_SA ipv6_pol[2] established between 2003::1[2003::1]...2003::2[2003::2]"
2013-05-31 14:54:54.130  [CHARON-INFO:] "12[IKE] IKE_SA ipv6_pol[2] established between 2003::1[2003::1]...2003::2[2003::2]"
2013-05-31 14:54:54.130  [CHARON-INFO:] "12[IKE] scheduling rekeying in 85913s"
2013-05-31 14:54:54.130  [CHARON-INFO:] "12[IKE] maximum IKE_SA lifetime 86273s"
2013-05-31 14:54:54.130  [CHARON-INFO:] "12[ENC] generating ID_PROT response 0 [ ID HASH ]"
2013-05-31 14:54:54.130  [CHARON-INFO:] "12[NET] sending packet: from 2003::1[500] to 2003::2[500]"
2013-05-31 14:54:54.131  [CHARON-INFO:] "08[NET] received packet: from 2003::2[500] to 2003::1[500]"
2013-05-31 14:54:54.131  [CHARON-INFO:] "08[ENC] parsed QUICK_MODE request 142098601 [ HASH SA No ID ID ]"
2013-05-31 14:54:54.131  [CHARON-INFO:] "08[IKE] no matching CHILD_SA config found"
2013-05-31 14:54:54.131  [CHARON-INFO:] "08[ENC] generating INFORMATIONAL_V1 request 335657404 [ HASH N(INVAL_ID) ]"
2013-05-31 14:54:54.131  [CHARON-INFO:] "08[NET] sending packet: from 2003::1[500] to 2003::2[500]"

====

The same deployment works fine with IKEv2. Below is the configuration and
log details with IKEv2. I was able to pass icmp6 traffic from 2005::2 to
2006::2 and vice versa.
...
Listening IP addresses:
  10.243.10.142
  7.1.1.2
  2005::1
  192.168.1.1
  2003::1
  11.1.1.2
Connections:
    ipv6_pol:  2003::1...2003::2  IKEv2
    ipv6_pol:   local:  [2003::1] uses pre-shared key authentication
    ipv6_pol:   remote: [2003::2] uses pre-shared key authentication
    ipv6_pol:   child:  2005::/64 === 2006::/64 TUNNEL
Routed Connections:
    ipv6_pol{3}:  ROUTED, TUNNEL
    ipv6_pol{3}:   2005::/64 === 2006::/64
Security Associations (1 up, 0 connecting):
    ipv6_pol[3]: ESTABLISHED 5 minutes ago, 2003::1[2003::1]...2003::2[2003::2]
    ipv6_pol[3]: IKEv2 SPIs: d5d7908b1732b398_i b4a6a238fa83f36e_r*, rekeying in 23 hours
    ipv6_pol[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    ipv6_pol{4}:  INSTALLED, TUNNEL, ESP SPIs: c50c9007_i c5a02777_o
    ipv6_pol{4}:  AES_CBC_128/HMAC_SHA1_96, 3948 bytes_i, 312 bytes_o (252s ago), rekeying in 43 minutes
    ipv6_pol{4}:   2005::/64 === 2006::/64


Below is the VPN log for IKEv2.
...
2013-05-31 15:05:17.721  [CHARON-INFO:] "02[NET] sending packet: from 2003::1[500] to 2003::2[500]"
2013-05-31 15:05:17.727  [CHARON-INFO:] "06[NET] received packet: from 2003::2[4500] to 2003::1[4500]"
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[CFG] looking for peer configs matching 2003::1[2003::1]...2003::2[2003::2]"
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[LIB] resolving '7.1.1.2' failed: Address family for hostname not supported"
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[CFG] selected peer config 'ipv6_pol'"
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] authentication of '2003::2' with pre-shared key successful"
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] peer supports MOBIKE"
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] authentication of '2003::1' (myself) with pre-shared key"
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] IKE_SA ipv6_pol[3] established between 2003::1[2003::1]...2003::2[2003::2]"
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] IKE_SA ipv6_pol[3] established between 2003::1[2003::1]...2003::2[2003::2]"
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] scheduling rekeying in 85779s"
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] maximum IKE_SA lifetime 86139s"
2013-05-31 15:05:17.728 [CHARON-INFO:] "06[IKE] CHILD_SA ipv6_pol{4} established with SPIs c50c9007_i c5a02777_o and TS 2005::/64 === 2006::/64 "
2013-05-31 15:05:17.728 [CHARON-INFO:] "06[IKE] CHILD_SA ipv6_pol{4} established with SPIs c50c9007_i c5a02777_o and TS 2005::/64 === 2006::/64 "
2013-05-31 15:05:17.728 [CHARON-INFO:] "06[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]"
2013-05-31 15:05:17.728 [CHARON-INFO:] "06[NET] sending packet: from 2003::1[4500] to 2003::2[4500]"


Thanks!
Jordan.
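A small log-triage helper, added here as an example and not part of the original post or of strongSwan itself: it parses charon lines in the format shown above (the sample lines are constructed from the two runs in the post, with the mail wrapping rejoined) and reports whether phase 1 and the CHILD_SA came up and which notifies were sent, so the IKEv1/IKEv2 difference is visible at a glance.

```python
import re

# Constructed sample: a few charon lines from each run in the post, with the
# mail-client line wraps rejoined (not the complete logs).
IKEV1_LOG = """\
2013-05-31 14:54:54.130  [CHARON-INFO:] "12[IKE] IKE_SA ipv6_pol[2] established between 2003::1[2003::1]...2003::2[2003::2]"
2013-05-31 14:54:54.131  [CHARON-INFO:] "08[ENC] parsed QUICK_MODE request 142098601 [ HASH SA No ID ID ]"
2013-05-31 14:54:54.131  [CHARON-INFO:] "08[IKE] no matching CHILD_SA config found"
2013-05-31 14:54:54.131  [CHARON-INFO:] "08[ENC] generating INFORMATIONAL_V1 request 335657404 [ HASH N(INVAL_ID) ]"
"""
IKEV2_LOG = """\
2013-05-31 15:05:17.727 [CHARON-INFO:] "06[IKE] IKE_SA ipv6_pol[3] established between 2003::1[2003::1]...2003::2[2003::2]"
2013-05-31 15:05:17.728 [CHARON-INFO:] "06[IKE] CHILD_SA ipv6_pol{4} established with SPIs c50c9007_i c5a02777_o and TS 2005::/64 === 2006::/64 "
2013-05-31 15:05:17.728 [CHARON-INFO:] "06[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]"
"""
# One charon line: timestamp, [CHARON-INFO:], then "<thread>[<subsystem>] <message>" in quotes.
LINE_RE = re.compile(r'^(\S+ \S+)\s+\[CHARON-INFO:\]\s+"(\d+)\[(\w+)\]\s+(.*)"\s*$')

def parse_charon(text):
    """Return one dict per parseable log line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "thread": m.group(2), "sub": m.group(3), "msg": m.group(4)})
    return events

def triage(text):
    """Report whether the IKE_SA and CHILD_SA came up, the first error, and every notify seen."""
    s = {"ike_sa": None, "child_sa": None, "ts": None, "error": None, "notifies": []}
    for e in parse_charon(text):
        m = re.match(r"IKE_SA (\S+) established", e["msg"])
        if m:
            s["ike_sa"] = m.group(1)
        m = re.match(r"CHILD_SA (\S+) established with SPIs \S+ \S+ and TS (.*)", e["msg"])
        if m:
            s["child_sa"], s["ts"] = m.group(1), m.group(2).strip()
        if "no matching CHILD_SA config found" in e["msg"] and s["error"] is None:
            s["error"] = e["msg"]
        s["notifies"].extend(re.findall(r"N\((\w+)\)", e["msg"]))  # N(INVAL_ID), N(MOBIKE_SUP), ...
    return s

def verdict(s):
    """One-line result for an operator reading the output."""
    if s["child_sa"]:
        return "ok: %s up, %s installed for %s" % (s["ike_sa"], s["child_sa"], s["ts"])
    if s["ike_sa"]:
        return "phase 1 ok (%s) but no CHILD_SA: %s; notifies %s" % (s["ike_sa"], s["error"], s["notifies"])
    return "IKE_SA not established"
```

Running `verdict(triage(IKEV1_LOG))` and `verdict(triage(IKEV2_LOG))` shows the first run stopping after phase 1 with N(INVAL_ID) and the second installing the CHILD_SA for 2005::/64 === 2006::/64.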