ipsec6

To: netbsd-users%NetBSD.org@localhost
Subject: ipsec6
From: Gary Duzan <gary%duzan.org@localhost>
Date: Wed, 16 Dec 2009 17:17:08 -0500

   Has anyone been successfully running IPSEC over IPv6 on NetBSD
5? I've gotten it working at times using the information in the
FAQ (IKE with PSK), but it isn't very consistent. I had it working,
with tcpdump showing the ISAKMP and ESP packets, but now I never
get past the ISAKMP negotiation, and ping6's don't get through.

07:39:06.898259 IP6 2001:470:1f06:558::2.500 > 2001:470:4:133::2.500: isakmp: 
phase 1 I ident
07:39:06.899686 IP6 2001:470:4:133::2.500 > 2001:470:1f06:558::2.500: isakmp: 
phase 1 R ident
07:39:16.910862 IP6 2001:470:4:133::2.500 > 2001:470:1f06:558::2.500: isakmp: 
phase 1 R ident
07:39:16.998459 IP6 2001:470:1f06:558::2.500 > 2001:470:4:133::2.500: isakmp: 
phase 1 I ident
07:39:16.998563 IP6 2001:470:4:133::2.500 > 2001:470:1f06:558::2.500: isakmp: 
phase 1 R ident
07:39:26.091474 IP6 2001:470:1f06:558::2.500 > 2001:470:4:133::2.500: isakmp: 
phase 1 I ident
07:39:26.091586 IP6 2001:470:4:133::2.500 > 2001:470:1f06:558::2.500: isakmp: 
phase 1 R ident
07:39:26.091712 IP6 2001:470:4:133::2.500 > 2001:470:1f06:558::2.500: isakmp: 
phase 1 R ident
07:39:36.109824 IP6 2001:470:4:133::2.500 > 2001:470:1f06:558::2.500: isakmp: 
phase 1 R ident
07:39:36.296246 IP6 2001:470:1f06:558::2.500 > 2001:470:4:133::2.500: isakmp: 
phase 1 I ident
07:39:36.296346 IP6 2001:470:4:133::2.500 > 2001:470:1f06:558::2.500: isakmp: 
phase 1 R ident
07:39:46.309263 IP6 2001:470:4:133::2.500 > 2001:470:1f06:558::2.500: isakmp: 
phase 1 R ident
07:39:46.561845 IP6 2001:470:1f06:558::2.500 > 2001:470:4:133::2.500: isakmp: 
phase 1 I ident
07:39:46.561944 IP6 2001:470:4:133::2.500 > 2001:470:1f06:558::2.500: isakmp: 
phase 1 R ident

   I do see the same packets on both ends, so I don't think anything
is being blocked. In case it matters, the IPv6 is being carried
over gif on both ends. Restarting ipsec and/or racoon or rebooting
doesn't help. I removed ipnat to get it working at all, and removing
ipfilter doesn't seem to help.

   Config information included below. Any thoughts would be
appreciated.

                                              Gary Duzan


"A" End
=======

ipsec.conf
----------
spdadd AAAA:AAA:AAAA:AAA::A BBBB:BBB:B:BBB::B any -P out ipsec 
esp/transport//require;
spdadd BBBB:BBB:B:BBB::B AAAA:AAA:AAAA:AAA::A any -P in ipsec 
esp/transport//require;

psk.txt
-------
BBBB:BBB:B:BBB::B 0xHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH

"B" End
=======

ipsec.conf
---------
spdadd BBBB:BBB:B:BBB::B AAAA:AAA:AAAA:AAA::A any -P out ipsec 
esp/transport//require;
spdadd AAAA:AAA:AAAA:AAA::A BBBB:BBB:B:BBB::B any -P in ipsec 
esp/transport//require;

psk.txt
-------
AAAA:AAA:AAAA:AAA::A 0xHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH

Prev by Date: Re: qemu segmentation fault
Next by Date: Netgear FA411
Previous by Thread: no clean unmount after shutdown -r (one disk, no RAID)
Next by Thread: Netgear FA411
Indexes:

Home | Main Index | Thread Index | Old Index