[strongSwan] Reg: Protocol specific encryption in strongSwan 5.3

Sindhu S. (sins) sins at cisco.com
Mon Oct 12 08:29:11 CEST 2015


Hi Noel,

I'm able to repro the issue using a global IPv6 address also.

Linux kernel details:
521 => uname -a
Linux snbi-tb-c 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Topology :

DevA (eth1) ---------------------------------------- (eth1) DevB

DevA eth1:
    inet6 addr: fe80::20c:29ff:feb2:ae2f/64 Scope:Link
    inet6 addr: 2001:db8:0:f101::1/64 Scope:Global
DevB eth1:
    inet6 addr: fe80::20c:29ff:fea8:e174/64 Scope:Link
    inet6 addr: 2001:db8:0:f101::2/64 Scope:Global


Creating a GRE tunnel, with the eth1 interface as source.

DevA:

ipsec@ipsec2:~/ipsec_info/file_create$ ip addr show dev gre_test_tunnel
12: gre_test_tunnel: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1448 qdisc noqueue state UNKNOWN group default 
    link/gre6 fe:80:00:00:00:00:00:00:02:0c:29:ff:fe:b2:ae:2f peer fe:80:00:00:00:00:00:00:02:0c:29:ff:fe:a8:e1:74
    inet6 fd08:2fff:c2ee:0:aabb:cc00:c900:1/64 scope global 
       valid_lft forever preferred_lft forever
ipsec@ipsec2:~/ipsec_info/file_create$

ipsec@ipsec2:~/ipsec_info/file_create$ sudo ip xfrm policy
src fe80::20c:29ff:fea8:e174/128 dst fe80::20c:29ff:feb2:ae2f/128 proto gre 
        dir in priority 2050 
        tmpl src :: dst ::
                proto esp reqid 1 mode transport
src fe80::20c:29ff:feb2:ae2f/128 dst fe80::20c:29ff:fea8:e174/128 proto gre 
        dir out priority 2050 
        tmpl src :: dst ::
                proto esp reqid 1 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 
src ::/0 dst ::/0 
        socket in priority 0 
src ::/0 dst ::/0 
        socket out priority 0 
src ::/0 dst ::/0 
        socket in priority 0 
src ::/0 dst ::/0 
        socket out priority 0



DevB:

ipsec@ipsec1:~/client$ ip addr show dev gre_test_tunnel
12: gre_test_tunnel: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1448 qdisc noqueue state UNKNOWN group default 
    link/gre6 fe:80:00:00:00:00:00:00:02:0c:29:ff:fe:a8:e1:74 peer fe:80:00:00:00:00:00:00:02:0c:29:ff:fe:b2:ae:2f
    inet6 fd08:2fff:c2ee:0:aabb:cc00:c900:2/64 scope global 
       valid_lft forever preferred_lft forever
ipsec@ipsec1:~/client$

ipsec@ipsec1:~/client$ sudo ip xfrm policy
src fe80::20c:29ff:feb2:ae2f/128 dst fe80::20c:29ff:fea8:e174/128 proto gre 
        dir in priority 2050 
        tmpl src :: dst ::
                proto esp reqid 1 mode transport
src fe80::20c:29ff:fea8:e174/128 dst fe80::20c:29ff:feb2:ae2f/128 proto gre 
        dir out priority 2050 
        tmpl src :: dst ::
                proto esp reqid 1 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 
src ::/0 dst ::/0 
        socket in priority 0 
src ::/0 dst ::/0 
        socket out priority 0 
src ::/0 dst ::/0 
        socket in priority 0 
src ::/0 dst ::/0 
        socket out priority 0

Thanks,
Sindhu


-----Original Message-----
From: Noel Kuntze [mailto:noel at familie-kuntze.de] 
Sent: Friday, October 09, 2015 7:18 PM
To: Sindhu S. (sins); users at lists.strongswan.org
Subject: Re: [strongSwan] Reg: Protocol specific encryption in strongSwan 5.3



Hello Sindhu,

I need to know how you test the setup.
What commands do you execute?
Also, please check what policies are installed in the kernel (`ip xfrm policy`).
Try to reproduce the problem with other addresses than local-link addresses.


--

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

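
Added example, not part of either message: the check Noel asks for (which policies are installed in the kernel) can be scripted. This Python sketch parses `ip xfrm policy` text like the dumps above and reports whether a given flow is covered by an ESP policy; the sample is constructed from DevA's output, and `parse_policies` / `covering_policy` are names made up for this example.

```python
import ipaddress
import re

# Constructed sample, cut down from DevA's `ip xfrm policy` output above.
SAMPLE = """\
src fe80::20c:29ff:fea8:e174/128 dst fe80::20c:29ff:feb2:ae2f/128 proto gre
        dir in priority 2050
        tmpl src :: dst ::
                proto esp reqid 1 mode transport
src fe80::20c:29ff:feb2:ae2f/128 dst fe80::20c:29ff:fea8:e174/128 proto gre
        dir out priority 2050
        tmpl src :: dst ::
                proto esp reqid 1 mode transport
src ::/0 dst ::/0
        socket out priority 0
"""

SELECTOR = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?")

def parse_policies(text):
    """Return one dict per policy: selector, direction, template (proto, mode)."""
    policies = []
    for line in text.splitlines():
        m = SELECTOR.match(line)
        if m:  # an unindented 'src ... dst ...' line starts a new policy
            policies.append({"src": ipaddress.ip_network(m.group(1), strict=False),
                             "dst": ipaddress.ip_network(m.group(2), strict=False),
                             "proto": m.group(3), "dir": None, "tmpl": None})
            continue
        words = line.split()
        if not policies or not words:
            continue
        if words[0] in ("dir", "socket"):
            policies[-1]["dir"] = " ".join(words[:2])  # 'dir out', 'socket in', ...
        elif words[0] == "proto" and "mode" in words:
            policies[-1]["tmpl"] = (words[1], words[words.index("mode") + 1])
    return policies

def covering_policy(policies, src, dst, proto, direction="out"):
    """First listed 'dir <direction>' policy matching the flow, else None (priority ignored)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p["dir"] == "dir " + direction and s in p["src"] and d in p["dst"]
                and p["proto"] in (None, proto)):
            return p
    return None

if __name__ == "__main__":
    hit = covering_policy(parse_policies(SAMPLE), "2001:db8:0:f101::1", "2001:db8:0:f101::2", "gre")
    print("GRE between the global addresses:", hit["tmpl"] if hit else "no matching policy")
```

With this sample, GRE between the two fe80:: addresses matches the ESP transport-mode policy, while GRE between the 2001:db8:0:f101:: addresses matches none of the listed policies.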


