[strongSwan] is kernel-libipsec supporting native IPv6 ESP?

Peter Bieringer pb at bieringer.de
Thu Mar 9 21:54:39 CET 2017


Hi,

Thank you for your fast explanation.

Looks like I've overlooked the bold comment on the web page :-(

Regards,
	Peter

On 09.03.2017 at 21:44, Noel Kuntze wrote:
> On 09.03.2017 21:42, Peter Bieringer wrote:
>> Hi Noel,
>>
>> On 09.03.2017 at 19:56, Noel Kuntze wrote:
>>> It can't work, as explained by various threads on the mailing list,
>>> because Linux doesn't implement UDP encapsulation for IPv6 yet.
>> Client is Windows 10 mobile, server is Linux, IPv6 is global 1:1 (no
>> NAT), so no UDP-enc is required.
> 
> This is irrelevant. libipsec only gets the packets from the IKE part of charon
> that aren't IKE packets.
> Using libipsec enforces UDP encapsulation. You can not get around that.
> 
> You can only use libipsec with UDP encapsulation and charon.
> You can not use it with AH or ESP.
> The page about the plugin that implements the fake kernel interface
> for libipsec[1] clearly states this.
> 
>>
>>
>>> libipsec gets packets from the same socket as the IKE part of charon.
>>> There's no socket listening for ESP. That's because the use case for libipsec
>>> is as part of the Android app.
>> Hmm, if charon should receive the native IPv6-ESP, then strace should
>> detect that imho.
>>
>> Unfortunately I'm currently unable to test native IPv4-ESP because of a
>> missing 2nd box with a public IPv4 address (and my Fritz!Box is using
>> IPv4-UDP-ESP, not IPv4-ESP).
>>
> 
> See above.
> 
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
> 
> 
>>> On 09.03.2017 19:54, Peter Bieringer wrote:
>>>> Hi,
>>>>
>>>> what are the steps to use native IPv6 ESP with kernel-libipsec?
>>>>
>>>> strongswan-5.4.0-2.el7 on a Virtuozzo system has to use kernel-libipsec.
>>>>
>>>> While IPv4 is working fine (with UDP-encapsulated ESP) with IPv6 it's
>>>> not working.
>>>>
>>>> IKEv2 session is working, but then native IPv6 ESP is received (at least
>>>> tcpdump shows), but nothing happens.
>>>>
>>>> 19:42:53.038851 IP6 2001:a61:** > 2a01:238:**:
>>>> ESP(spi=0xbdece169,seq=0x9), length 84
>>>> (resent all the time -> no reply from server)
>>>>
>>>> stracing charon also shows that, in contrast to IPv4-UDPenc-ESP, no
>>>> action is seen on charon once IPv6-ESP is received.
>>>>
>>>> I have the feeling that the IPv6-ESP packets are not "routed" into
>>>> charon at all.
>>>>
>>>>
>>>> Searched already with Google, didn't find a proper hint so far.
>>>>
>>>> Hopefully one can point me to the right config setting (either in Linux
>>>> network stack or in charon/strongswan)
>>>>
>>>> Thank you!
>>>>
>>>> Regards,
>>>> 	Peter
> 
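
The demultiplexing described in the reply above, as an added example that is not part of the original thread and not strongSwan's code: it shows why a native ESP packet (IP protocol 50) never reaches a userspace IPsec stack that is fed from the IKE UDP socket, while ESP-in-UDP does. The port 4500 default, the return labels and the sample packets are assumptions made for the illustration; the marker and keepalive rules follow RFC 3948.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50      # IANA protocol numbers
NATT_PORT = 4500                       # assumed default NAT-T port
NON_ESP_MARKER = b"\x00" * 4           # RFC 3948: marks IKE on the NAT-T port


def classify(ip_proto, dst_port, payload):
    """Return (destination, spi) for one inbound packet.

    ip_proto : IPv4 protocol / IPv6 next-header value
    dst_port : UDP destination port, or None if the packet is not UDP
    payload  : bytes after the IP header (native ESP) or after the UDP header
    """
    if ip_proto == IPPROTO_ESP:
        # Native ESP is not carried on any UDP socket, so a userspace
        # IPsec stack fed from the IKE socket never sees it.
        spi = struct.unpack("!I", payload[:4])[0] if len(payload) >= 4 else None
        return "native-esp:not-on-ike-socket", spi
    if ip_proto != IPPROTO_UDP or dst_port != NATT_PORT:
        return "other", None
    if payload == b"\xff":
        return "nat-keepalive", None   # single 0xFF octet
    if len(payload) < 4:
        return "malformed", None
    if payload[:4] == NON_ESP_MARKER:
        return "ike", None             # four zero bytes, then the IKE header
    # Anything else on the NAT-T port is ESP-in-UDP; first 4 bytes are the SPI.
    return "esp-in-udp:userspace-ipsec", struct.unpack("!I", payload[:4])[0]


def esp(spi, seq, body_len=76):
    """Constructed ESP packet: SPI, sequence number, dummy ciphertext."""
    return struct.pack("!II", spi, seq) + bytes(body_len)


# Constructed samples; SPI, sequence number and length 84 mirror the
# tcpdump line quoted in the thread.
SAMPLES = [
    ("IPv6 native ESP", IPPROTO_ESP, None, esp(0xBDECE169, 0x9)),
    ("UDP/4500 ESP", IPPROTO_UDP, 4500, esp(0xBDECE169, 0x9)),
    ("UDP/4500 IKE", IPPROTO_UDP, 4500, NON_ESP_MARKER + bytes(28)),
    ("UDP/4500 keepalive", IPPROTO_UDP, 4500, b"\xff"),
]

if __name__ == "__main__":
    for name, proto, port, data in SAMPLES:
        dest, spi = classify(proto, port, data)
        print(f"{name:20} -> {dest}" + (f" spi={spi:#010x}" if spi else ""))
```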


