[strongSwan] is kernel-libipsec supporting native IPv6 ESP?

Noel Kuntze noel at familie-kuntze.de
Thu Mar 9 21:44:30 CET 2017


On 09.03.2017 21:42, Peter Bieringer wrote:
> Hi Noel,
> 
> On 09.03.2017 at 19:56, Noel Kuntze wrote:
>> It can't work, as explained by various threads on the mailing list,
>> because Linux doesn't implement UDP encapsulation for IPv6 yet.
> Client is Windows 10 mobile, server is Linux, IPv6 is global 1:1 (no
> NAT), so no UDP-enc is required.

This is irrelevant. libipsec only gets the packets from the IKE part of charon
that aren't IKE packets.
Using libipsec enforces UDP encapsulation. You cannot get around that.

You can only use libipsec with UDP encapsulation and charon.
You cannot use it with AH or ESP.
The page about the plugin that implements the fake kernel interface
for libipsec[1] clearly states this.

> 
> 
>> libipsec gets packets from the same socket as the IKE part of charon.
>> There's no socket listening for ESP. That's because the use case for libipsec
>> is as part of the Android app.
> Hmm, if charon should receive the native IPv6-ESP, then strace should
> detect that imho.
> 
> Unfortunately I'm currently unable to test native IPv4-ESP because of a
> missing 2nd box with a public IPv4 address (and my Fritz!Box is using
> IPv4-UDP-ESP, not IPv4-ESP).
> 

See above.


[1] https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec


>> On 09.03.2017 19:54, Peter Bieringer wrote:
>>> Hi,
>>>
>>> what are the steps to use native IPv6 ESP with kernel-libipsec?
>>>
>>> strongswan-5.4.0-2.el7 on a Virtuozzo system has to use kernel-libipsec.
>>>
>>> While IPv4 is working fine (with UDP-encapsulated ESP), with IPv6 it's
>>> not working.
>>>
>>> IKEv2 session is working, but then native IPv6 ESP is received (at least
>>> tcpdump shows), but nothing happens.
>>>
>>> 19:42:53.038851 IP6 2001:a61:** > 2a01:238:**:
>>> ESP(spi=0xbdece169,seq=0x9), length 84
>>> (resent all the time -> no reply from server)
>>>
>>> stracing charon also shows that, in contrast to IPv4-UDPenc-ESP, no
>>> action is seen on charon once IPv6-ESP is received.
>>>
>>> I have the feeling that the IPv6-ESP packets are not "routed" into
>>> charon at all.
>>>
>>>
>>> Searched already with Google, didn't find a proper hint so far.
>>>
>>> Hopefully one can point me to the right config setting (either in Linux
>>> network stack or in charon/strongswan).
>>>
>>> Thank you!
>>>
>>> Regards,
>>> 	Peter
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>

-- 

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
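The distinction Noel draws above (libipsec only ever sees what arrives on charon's IKE socket, UDP 500/4500, so a native ESP packet with IP protocol 50 never reaches it) can be checked directly against a capture rather than by staring at strace. The following is an added example, not code from strongSwan or from either poster: it classifies raw IPv4/IPv6 packets as native ESP, UDP-encapsulated ESP, IKE or NAT-T keepalive using the RFC 3948 non-ESP marker, and then applies the thread's rule about what charon's socket can receive. Assumptions, also marked in the code: IPv6 packets carry no extension headers, checksums are not validated, the sample packets are constructed with documentation addresses and dummy ciphertext (the first one mirrors the shape of Peter's tcpdump line), and the helper name `reaches_charon_socket` summarises Noel's statement rather than any strongSwan API.

```python
"""Classify captured IP packets as native ESP, UDP-encapsulated ESP, IKE or
NAT-T keepalive, and report which of them can reach charon's socket at all.

Added example for the thread above; not strongSwan code. Assumptions:
plain IPv4/IPv6 without IPv6 extension headers, no checksum validation,
and the "reaches charon's socket" rule is a summary of Noel's statement
that libipsec only sees traffic arriving on the IKE socket (UDP 500/4500)."""
import ipaddress
import struct

ESP_PROTO = 50      # IP protocol number of native ESP (RFC 4303)
UDP_PROTO = 17
IKE_PORT = 500
NATT_PORT = 4500    # UDP port shared by IKE and UDP-encapsulated ESP (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE messages sent on port 4500


def _transport(pkt: bytes):
    """Return (protocol number, transport payload) for an IPv4 or IPv6 packet."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        return pkt[9], pkt[ihl:]
    if version == 6:
        # Assumption: the next-header field is the transport protocol directly
        # (no hop-by-hop, routing, fragment or destination-options headers).
        return pkt[6], pkt[40:]
    return None, b""


def classify(pkt: bytes) -> str:
    """Label a raw packet by how an IPsec peer would have to receive it."""
    proto, payload = _transport(pkt)
    if proto == ESP_PROTO:
        return "native-esp"            # needs a raw ESP receiver, i.e. the kernel
    if proto == UDP_PROTO and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if NATT_PORT in (sport, dport):
            if data[:4] == NON_ESP_MARKER:
                return "ike"           # RFC 3948 non-ESP marker
            if data == b"\xff":
                return "natt-keepalive"
            if len(data) >= 8:         # SPI + sequence number, no marker
                return "udp-encap-esp"
        elif IKE_PORT in (sport, dport):
            return "ike"
    return "other"


def reaches_charon_socket(kind: str) -> bool:
    """Per the thread: charon (and hence libipsec) only sees UDP 500/4500 traffic."""
    return kind in ("ike", "udp-encap-esp", "natt-keepalive")


# --- constructed packet builders (checksums left at 0; not validated above) ---
def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, body):
    return struct.pack("!II", spi, seq) + body


def build_ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.1"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_ipv6(next_header, payload, src="2001:db8::1", dst="2001:db8::2"):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


# Constructed sample capture (documentation addresses, dummy ciphertext). The
# first entry has the shape of the native IPv6 ESP packet in Peter's tcpdump line.
SAMPLES = {
    "ipv6 native esp": build_ipv6(ESP_PROTO, build_esp(0xbdece169, 9, b"\x00" * 76)),
    "ipv4 udp-encap esp": build_ipv4(UDP_PROTO, build_udp(NATT_PORT, NATT_PORT,
                                     build_esp(0x1234abcd, 1, b"\x00" * 40))),
    "ipv4 ike on 4500": build_ipv4(UDP_PROTO, build_udp(NATT_PORT, NATT_PORT,
                                   NON_ESP_MARKER + b"\x00" * 28)),
    "ipv4 ike on 500": build_ipv4(UDP_PROTO, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28)),
    "ipv4 natt keepalive": build_ipv4(UDP_PROTO, build_udp(NATT_PORT, NATT_PORT, b"\xff")),
    "ipv6 tcp": build_ipv6(6, b"\x00" * 20),
}


def triage(samples):
    """Map each packet label to (classification, can charon's socket receive it)."""
    result = {}
    for name, pkt in samples.items():
        kind = classify(pkt)
        result[name] = (kind, reaches_charon_socket(kind))
    return result


if __name__ == "__main__":
    for name, (kind, ok) in triage(SAMPLES).items():
        print(f"{name:22s} {kind:16s} reaches charon socket: {ok}")
```

Running it over the constructed samples shows the native IPv6 ESP packet labelled `native-esp` with `reaches charon socket: False`, which is exactly the situation in the tcpdump output: the packets arrive on the host, but nothing that kernel-libipsec listens on ever receives them. On a real system, feed it the link-layer-stripped packets from a pcap of the server's interface to confirm whether the peer is sending native ESP or UDP-encapsulated ESP before changing any configuration.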

