[strongSwan] is kernel-libipsec supporting native IPv6 ESP?
Noel Kuntze
noel at familie-kuntze.de
Thu Mar 9 19:56:47 CET 2017
It can't work, as explained by various threads on the mailing list,
because Linux doesn't implement UDP encapsulation for IPv6 yet.
libipsec gets packets from the same socket as the IKE part of charon.
There's no socket listening for ESP. That's because the use case for libipsec
is as part of the Android app.
On 09.03.2017 19:54, Peter Bieringer wrote:
> Hi,
>
> what are the steps to use native IPv6 ESP with kernel-libipsec?
>
> strongswan-5.4.0-2.el7 on a Virtuozzo system has to use kernel-libipsec.
>
> While IPv4 is working fine (with UDP-encapsulated ESP) with IPv6 it's
> not working.
>
> IKEv2 session is working, but then native IPv6 ESP is received (at least
> tcpdump shows), but nothing happen.
>
> 19:42:53.038851 IP6 2001:a61:** > 2a01:238:**:
> ESP(spi=0xbdece169,seq=0x9), length 84
> (resent all the time -> no reply from server)
>
> stracing charon also shows that in difference to IPv4-UDPenc-ESP no
> action is seen on charon once IPv6-ESP is received.
>
> I have the feeling that the IPv6-ESP packages are not "routed" into
> charon at all.
>
>
> Searched already with Google, didn't find a proper hint so far.
>
> Hopefully one can point me to the right config setting (either in Linux
> network stack or in charon/strongswan)
>
> Thank you!
>
> Regards,
> Peter
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 866 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170309/07fd96fd/attachment.sig>
More information about the Users
mailing list