[strongSwan] is kernel-libipsec supporting native IPv6 ESP?

Peter Bieringer pb at bieringer.de
Thu Mar 9 21:42:00 CET 2017


Hi Noel,

On 09.03.2017 at 19:56, Noel Kuntze wrote:
> It can't work, as explained by various threads on the mailing list,
> because Linux doesn't implement UDP encapsulation for IPv6 yet.

Client is Windows 10 mobile, server is Linux, IPv6 is global 1:1 (no
NAT), so no UDP-enc is required.


> libipsec gets packets from the same socket as the IKE part of charon.
> There's no socket listening for ESP. That's because the use case for libipsec
> is as part of the Android app.

Hmm, if charon should receive the native IPv6-ESP, then strace should
detect that imho.

Unfortunately I'm currently unable to test native IPv4-ESP because of a
missing 2nd box with a public IPv4 address (and my Fritz!Box is using
IPv4-UDP-ESP, not IPv4-ESP).

Regards,
	Peter



> On 09.03.2017 19:54, Peter Bieringer wrote:
>> Hi,
>>
>> what are the steps to use native IPv6 ESP with kernel-libipsec?
>>
>> strongswan-5.4.0-2.el7 on a Virtuozzo system has to use kernel-libipsec.
>>
>> While IPv4 is working fine (with UDP-encapsulated ESP) with IPv6 it's
>> not working.
>>
>> IKEv2 session is working, but then native IPv6 ESP is received (at least
>> tcpdump shows), but nothing happens.
>>
>> 19:42:53.038851 IP6 2001:a61:** > 2a01:238:**:
>> ESP(spi=0xbdece169,seq=0x9), length 84
>> (resent all the time -> no reply from server)
>>
>> stracing charon also shows that in difference to IPv4-UDPenc-ESP no
>> action is seen on charon once IPv6-ESP is received.
>>
>> I have the feeling that the IPv6-ESP packages are not "routed" into
>> charon at all.
>>
>>
>> Searched already with Google, didn't find a proper hint so far.
>>
>> Hopefully one can point me to the right config setting (either in Linux
>> network stack or in charon/strongswan)
>>
>> Thank you!
>>
>> Regards,
>> 	Peter