IPv6 + IPsec + ipsec-tools 0.6.[4567] + scope:link = no SA..
phil-news-nospam
PostPosted: Wed Jul 25, 2007 9:01 pm    Post subject: IPv6 + IPsec + ipsec-tools 0.6.[4567] + scope:link = no SA established
Archived from groups: comp.os.linux.networking, others

In IPv4 this works. In IPv6 things work w/o IPsec. With IPsec, there are
no security association setups established, and attempts to communicate
between hosts defined by policy to require IPsec do not work. Running
the racoon daemon in the foreground shows a DEBUG message that indicates
a problem:

2007-07-25 16:30:09: DEBUG: ignore because do not listen on source address : fe80::203:47ff:fea4:4aa3.

This comes from a loop that checks the address to be used against one that
is being listened on. If the address is not one listened on, then it is
not usable in making the security association (or so implied by the code
comments).

Actually it is listening on the source address. So I modified the source
code to add new diagnostics that dump out more detail about what is being
compared when this test is taking place:

2007-07-25 16:30:09: DEBUG: get pfkey ACQUIRE message
2007-07-25 16:30:09: DEBUG: compare 00000002 (sa_family)
to 0000000a (sa_family)
2007-07-25 16:30:09: DEBUG: compare 00000002 (sa_family)
to 0000000a (sa_family)
2007-07-25 16:30:09: DEBUG: compare 0000000a (sa_family)
to 0000000a (sa_family)
2007-07-25 16:30:09: DEBUG: compare 0000:0000:0000:0000:0000:0000:0000:0001 (sin6_addr)
to fe80:0000:0000:0000:0203:47ff:fea4:4aa3 (sin6_addr)
2007-07-25 16:30:09: DEBUG: compare 0000000a (sa_family)
to 0000000a (sa_family)
2007-07-25 16:30:09: DEBUG: compare fe80:0000:0000:0000:0203:47ff:fea4:4aa3 (sin6_addr)
to fe80:0000:0000:0000:0203:47ff:fea4:4aa3 (sin6_addr)
2007-07-25 16:30:09: DEBUG: compare 00000003 (sin6_scope_id)
to 00000000 (sin6_scope_id)
2007-07-25 16:30:09: DEBUG: ignore because do not listen on source address : fe80::203:47ff:fea4:4aa3.

All the compare messages (2 lines each) are what I added with new C code.

The first 2 compare fails are because it was testing the 2 IPv4 addresses
in the list (IPsec works over IPv4 when I use that). Compares 3 and 4 are
a fail because the address mismatches (this was the "lo" entry for IPv6).
Compares 5, 6 and 7 are the issue. The first 2 of these match the
address family and address OK. It's the scope id that mismatches.

Is the scope ID really relevant here?

Is the scope ID really correct?

Is the kernel supposed to supply this to the racoon daemon?

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-07-25-1409.DeleteThis@ipal.net |
|------------------------------------/-------------------------------------|
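The comparison the trace above walks through, modelled as an added example (this is not racoon's code and not Phil's patch): a small listen-address table holding ::1 and the link-local address from the post, constructed here with scope id 3 on the link-local entry as the debug lines show, is searched for a source address whose scope id is 0, as the PF_KEY ACQUIRE delivered it. A strict compare that requires sin6_scope_id to match finds nothing, which is the "do not listen on source address" outcome; a compare that treats scope 0 as "unspecified" finds the entry. The address values, scope ids and function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Compare two IPv6 socket addresses. With strict_scope nonzero the
 * sin6_scope_id must match as well (the behaviour the trace shows);
 * with strict_scope zero, a scope id of 0 on either side is treated as
 * "unspecified" and matches any scope. Returns 1 on match, 0 otherwise. */
static int in6_addr_match(const struct sockaddr_in6 *a,
                          const struct sockaddr_in6 *b,
                          int strict_scope)
{
    if (a->sin6_family != b->sin6_family)
        return 0;
    if (memcmp(&a->sin6_addr, &b->sin6_addr, sizeof(struct in6_addr)) != 0)
        return 0;
    if (!strict_scope &&
        (a->sin6_scope_id == 0 || b->sin6_scope_id == 0))
        return 1;
    return a->sin6_scope_id == b->sin6_scope_id;
}

/* Fill a sockaddr_in6 from a text address and a scope id. 0 on success. */
static int make_in6(struct sockaddr_in6 *sa, const char *text, uint32_t scope)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin6_family = AF_INET6;
    sa->sin6_scope_id = scope;
    return inet_pton(AF_INET6, text, &sa->sin6_addr) == 1 ? 0 : -1;
}

/* Constructed listen table: the "lo" entry and the link-local address
 * from the post, the latter bound with scope id 3 as the trace shows. */
static const char *LISTEN_ADDRS[] = { "::1", "fe80::203:47ff:fea4:4aa3" };
static const uint32_t LISTEN_SCOPES[] = { 0, 3 };

/* Return the index of the listen entry matching src, or -1 when none does
 * (the "ignore because do not listen on source address" case). */
int find_listen_match(const char *src, uint32_t src_scope, int strict_scope)
{
    struct sockaddr_in6 s, l;
    size_t i;

    if (make_in6(&s, src, src_scope) != 0)
        return -1;
    for (i = 0; i < sizeof(LISTEN_ADDRS) / sizeof(LISTEN_ADDRS[0]); i++) {
        if (make_in6(&l, LISTEN_ADDRS[i], LISTEN_SCOPES[i]) != 0)
            continue;
        if (in6_addr_match(&l, &s, strict_scope))
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* The ACQUIRE carried the link-local address with sin6_scope_id 0. */
    const char *src = "fe80::203:47ff:fea4:4aa3";
    printf("strict scope compare: %d\n", find_listen_match(src, 0, 1));
    printf("scope 0 as wildcard:  %d\n", find_listen_match(src, 0, 0));
    return 0;
}
```

Treating scope 0 as a wildcard is the loose answer: link-local addresses are only unique per link, so on a host with several interfaces the same fe80:: address can legitimately exist on more than one of them and the wildcard could pick the wrong socket. The safer fix is to make the scope id present on both sides, either by having the daemon fill it from the interface the packet or policy refers to before comparing, or by ensuring the kernel supplies it in the ACQUIRE, which is exactly the question the post ends on.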
pbellino
PostPosted: Fri Sep 28, 2007 8:05 am    Post subject: IPv6 + IPsec + ipsec-tools 0.6.[4567] + scope:link = no SA

Phil,
Did you ever get this issue resolved? I have the same situation as you did and am trying to get a resolution. My Google searches have led me to believe that Linux cannot store the scope-id in the SPs or SAs.
Please email me at pbellino.TakeThisOut@mrv.com if there is anything you can tell me.
Thanks,
Phil Bellino