Subject: IPsec with IPv6 doesn't work with Mac OS X
To: None <tech-net@NetBSD.org>
From: Atsushi Yokoyama <a.yokoyama@pobox.com>
List: tech-net
Date: 05/01/2004 19:13:02
Hello,
I've tried to set up IPv6 with IPsec between Mac OS X (10.3.1) and
NetBSD 1.6.2. But I cannot establish a connection.
IPsec itself is working with IPv4, and IPv6 itself is also working
correctly WITHOUT IPsec. I believe I have no filtering rules for IPv6.
Does anyone have an idea?
* Network configuration
leaf node: Mac OS X (3ffe::2)
router: NetBSD 1.6.2 (3ffe::1)
leaf node ipsec.conf:
spdadd 3ffe::2 ::/0 any -P out ipsec
esp/tunnel/3ffe::2-3ffe::1/require;
spdadd ::/0 3ffe::2 any -P in ipsec
esp/tunnel/3ffe::1-3ffe::2/require;
router ipsec.conf:
spdadd ::/0 3ffe::2 any -P out ipsec
esp/tunnel/3ffe::1-3ffe::2/require;
spdadd 3ffe::2 ::/0 any -P in ipsec
esp/tunnel/3ffe::2-3ffe::1/require;
I considered that neighbor solicitation packets were being subjected to
the IPsec rule and that this confused the IPv6 processing, so I also added
the following rules in ipsec.conf. (This is for the leaf node,
but I also changed the rule for the router.)
spdadd ::/0 ::/0 icmp6 -P out none;
spdadd ::/0 ::/0 icmp6 -P in none;
spdadd 3ffe::2 ::/0 any -P out ipsec
esp/tunnel/3ffe::2-3ffe::1/require;
spdadd ::/0 3ffe::2 any -P in ipsec
esp/tunnel/3ffe::1-3ffe::2/require;
As a result, ping could pass between the nodes.
But I still cannot establish a TCP session with IPsec... :-(
* Racoon log is as follows
May 1 18:38:49 router racoon: INFO: isakmp.c:1683:isakmp_post_acquire(): IPsec-SA request for 3ffe::2 queued due to no phase1 found.
May 1 18:38:49 router racoon: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 3ffe::1[500]<=>3ffe::2[500]
May 1 18:38:49 router racoon: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Identity Protection mode.
May 1 18:38:49 router racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
May 1 18:38:49 router racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
May 1 18:38:49 router racoon: INFO: isakmp.c:2411:log_ph1established(): ISAKMP-SA established 3ffe::1[500]-3ffe::2[500] spi:035b4cc4d428f502:392efb2f96e87bce
May 1 18:38:50 router racoon: INFO: isakmp.c:939:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 3ffe::1[0]<=>3ffe::2[0]
May 1 18:39:20 router racoon: ERROR: pfkey.c:738:pfkey_timeover(): 3ffe::2 give up to get IPsec-SA due to time up to wait.
* Ethereal log at the router interface is as follows
Frame 527 (146 bytes on wire, 96 bytes captured)
Arrival Time: May 1, 2004 18:38:49.591288000
Time delta from previous packet: 2.958727000 seconds
Time since reference or first frame: 83.825063000 seconds
Frame Number: 527
Packet Length: 146 bytes
Capture Length: 96 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 92
Next header: UDP (0x11)
Hop limit: 64
Source address: 3ffe::1
Destination address: 3ffe::2
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 92
Checksum: 0x330c
Internet Security Association and Key Management Protocol
Initiator cookie: 0x035B4CC4D428F502
Responder cookie: 0x0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags
.... ...0 = No encryption
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 84
Security Association payload
Next payload: NONE (0)
Length: 56
[Short Frame: ISAKMP]
Frame 528 (186 bytes on wire, 96 bytes captured)
Arrival Time: May 1, 2004 18:38:49.595764000
Time delta from previous packet: 0.004476000 seconds
Time since reference or first frame: 83.829539000 seconds
Frame Number: 528
Packet Length: 186 bytes
Capture Length: 96 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 132
Next header: UDP (0x11)
Hop limit: 64
Source address: 3ffe::2
Destination address: 3ffe::1
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 132
Checksum: 0x6d22
Internet Security Association and Key Management Protocol
Initiator cookie: 0x035B4CC4D428F502
Responder cookie: 0x392EFB2F96E87BCE
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags
.... ...0 = No encryption
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 124
Security Association payload
Next payload: Vendor ID (13)
Length: 56
[Short Frame: ISAKMP]
Frame 529 (262 bytes on wire, 96 bytes captured)
Arrival Time: May 1, 2004 18:38:49.618863000
Time delta from previous packet: 0.023099000 seconds
Time since reference or first frame: 83.852638000 seconds
Frame Number: 529
Packet Length: 262 bytes
Capture Length: 96 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 208
Next header: UDP (0x11)
Hop limit: 64
Source address: 3ffe::1
Destination address: 3ffe::2
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 208
Checksum: 0x7669
Internet Security Association and Key Management Protocol
Initiator cookie: 0x035B4CC4D428F502
Responder cookie: 0x392EFB2F96E87BCE
Next payload: Key Exchange (4)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags
.... ...0 = No encryption
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 200
Key Exchange payload
Next payload: Nonce (10)
Length: 132
Key Exchange Data
[Short Frame: ISAKMP]
Frame 530 (262 bytes on wire, 96 bytes captured)
Arrival Time: May 1, 2004 18:38:49.679641000
Time delta from previous packet: 0.060778000 seconds
Time since reference or first frame: 83.913416000 seconds
Frame Number: 530
Packet Length: 262 bytes
Capture Length: 96 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 208
Next header: UDP (0x11)
Hop limit: 64
Source address: 3ffe::2
Destination address: 3ffe::1
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 208
Checksum: 0x47fa
Internet Security Association and Key Management Protocol
Initiator cookie: 0x035B4CC4D428F502
Responder cookie: 0x392EFB2F96E87BCE
Next payload: Key Exchange (4)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags
.... ...0 = No encryption
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 200
Key Exchange payload
Next payload: Nonce (10)
Length: 132
Key Exchange Data
[Short Frame: ISAKMP]
Frame 531 (146 bytes on wire, 96 bytes captured)
Arrival Time: May 1, 2004 18:38:49.706902000
Time delta from previous packet: 0.027261000 seconds
Time since reference or first frame: 83.940677000 seconds
Frame Number: 531
Packet Length: 146 bytes
Capture Length: 96 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 92
Next header: UDP (0x11)
Hop limit: 64
Source address: 3ffe::1
Destination address: 3ffe::2
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 92
Checksum: 0xf02c
Internet Security Association and Key Management Protocol
Initiator cookie: 0x035B4CC4D428F502
Responder cookie: 0x392EFB2F96E87BCE
Next payload: Identification (5)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags
.... ...1 = Encryption
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 84
Encrypted payload (56 bytes)
Frame 533 (146 bytes on wire, 96 bytes captured)
Arrival Time: May 1, 2004 18:38:49.744979000
Time delta from previous packet: 0.038077000 seconds
Time since reference or first frame: 83.978754000 seconds
Frame Number: 533
Packet Length: 146 bytes
Capture Length: 96 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 92
Next header: UDP (0x11)
Hop limit: 64
Source address: 3ffe::2
Destination address: 3ffe::1
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 92
Checksum: 0x49d9
Internet Security Association and Key Management Protocol
Initiator cookie: 0x035B4CC4D428F502
Responder cookie: 0x392EFB2F96E87BCE
Next payload: Identification (5)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags
.... ...1 = Encryption
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x00000000
Length: 84
Encrypted payload (56 bytes)
Frame 534 (146 bytes on wire, 96 bytes captured)
Arrival Time: May 1, 2004 18:38:49.745665000
Time delta from previous packet: 0.000686000 seconds
Time since reference or first frame: 83.979440000 seconds
Frame Number: 534
Packet Length: 146 bytes
Capture Length: 96 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 92
Next header: UDP (0x11)
Hop limit: 64
Source address: 3ffe::2
Destination address: 3ffe::1
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 92
Checksum: 0xe964
Internet Security Association and Key Management Protocol
Initiator cookie: 0x035B4CC4D428F502
Responder cookie: 0x392EFB2F96E87BCE
Next payload: Hash (8)
Version: 1.0
Exchange type: Informational (5)
Flags
.... ...1 = Encryption
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0x801AB3D1
Length: 84
Encrypted payload (56 bytes)
Frame 535 (146 bytes on wire, 96 bytes captured)
Arrival Time: May 1, 2004 18:38:49.751369000
Time delta from previous packet: 0.005704000 seconds
Time since reference or first frame: 83.985144000 seconds
Frame Number: 535
Packet Length: 146 bytes
Capture Length: 96 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 92
Next header: UDP (0x11)
Hop limit: 64
Source address: 3ffe::1
Destination address: 3ffe::2
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 92
Checksum: 0xcca3
Internet Security Association and Key Management Protocol
Initiator cookie: 0x035B4CC4D428F502
Responder cookie: 0x392EFB2F96E87BCE
Next payload: Hash (8)
Version: 1.0
Exchange type: Informational (5)
Flags
.... ...1 = Encryption
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0xAA07DD44
Length: 84
Encrypted payload (56 bytes)
Frame 536 (666 bytes on wire, 96 bytes captured)
Arrival Time: May 1, 2004 18:38:50.785609000
Time delta from previous packet: 1.034240000 seconds
Time since reference or first frame: 85.019384000 seconds
Frame Number: 536
Packet Length: 666 bytes
Capture Length: 96 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 612
Next header: UDP (0x11)
Hop limit: 64
Source address: 3ffe::1
Destination address: 3ffe::2
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 612
Checksum: 0x3224
Internet Security Association and Key Management Protocol
Initiator cookie: 0x035B4CC4D428F502
Responder cookie: 0x392EFB2F96E87BCE
Next payload: Hash (8)
Version: 1.0
Exchange type: Quick Mode (32)
Flags
.... ...1 = Encryption
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0xF419F617
Length: 604
Encrypted payload (576 bytes)
Frame 537 (86 bytes on wire, 86 bytes captured)
Arrival Time: May 1, 2004 18:38:51.156112000
Time delta from previous packet: 0.370503000 seconds
Time since reference or first frame: 85.389887000 seconds
Frame Number: 537
Packet Length: 86 bytes
Capture Length: 86 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 32
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source address: 3ffe::2
Destination address: 3ffe::1
Internet Control Message Protocol v6
Type: 135 (Neighbor solicitation)
Code: 0
Checksum: 0x22cb (correct)
Target: 3ffe::1
ICMPv6 options
Type: 1 (Source link-layer address)
Length: 8 bytes (1)
Link-layer address: xx:xx:xx:xx:xx:xx
Frame 538 (78 bytes on wire, 78 bytes captured)
Arrival Time: May 1, 2004 18:38:51.156223000
Time delta from previous packet: 0.000111000 seconds
Time since reference or first frame: 85.389998000 seconds
Frame Number: 538
Packet Length: 78 bytes
Capture Length: 78 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 24
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source address: 3ffe::1
Destination address: 3ffe::2
Internet Control Message Protocol v6
Type: 136 (Neighbor advertisement)
Code: 0
Checksum: 0x878c (correct)
Flags: 0xc0000000
1... .... .... .... .... .... .... .... = Router
.1.. .... .... .... .... .... .... .... = Solicited
..0. .... .... .... .... .... .... .... = Not override
Target: 3ffe::1
Frame 549 (86 bytes on wire, 86 bytes captured)
Arrival Time: May 1, 2004 18:38:54.310144000
Time delta from previous packet: 3.153921000 seconds
Time since reference or first frame: 88.543919000 seconds
Frame Number: 549
Packet Length: 86 bytes
Capture Length: 86 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 32
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source address: 3ffe::1
Destination address: 3ffe::2
Internet Control Message Protocol v6
Type: 135 (Neighbor solicitation)
Code: 0
Checksum: 0xc4bf (correct)
Target: 3ffe::2
ICMPv6 options
Type: 1 (Source link-layer address)
Length: 8 bytes (1)
Link-layer address: yy:yy:yy:yy:yy:yy
Frame 550 (78 bytes on wire, 78 bytes captured)
Arrival Time: May 1, 2004 18:38:54.312980000
Time delta from previous packet: 0.002836000 seconds
Time since reference or first frame: 88.546755000 seconds
Frame Number: 550
Packet Length: 78 bytes
Capture Length: 78 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 24
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source address: 3ffe::2
Destination address: 3ffe::1
Internet Control Message Protocol v6
Type: 136 (Neighbor advertisement)
Code: 0
Checksum: 0xe1d4 (correct)
Flags: 0x40000000
0... .... .... .... .... .... .... .... = Not router
.1.. .... .... .... .... .... .... .... = Solicited
..0. .... .... .... .... .... .... .... = Not override
Target: 3ffe::2
Frame 590 (666 bytes on wire, 96 bytes captured)
Arrival Time: May 1, 2004 18:39:00.790996000
Time delta from previous packet: 6.478016000 seconds
Time since reference or first frame: 95.024771000 seconds
Frame Number: 590
Packet Length: 666 bytes
Capture Length: 96 bytes
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 612
Next header: UDP (0x11)
Hop limit: 64
Source address: 3ffe::1
Destination address: 3ffe::2
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 612
Checksum: 0x3224
Internet Security Association and Key Management Protocol
Initiator cookie: 0x035B4CC4D428F502
Responder cookie: 0x392EFB2F96E87BCE
Next payload: Hash (8)
Version: 1.0
Exchange type: Quick Mode (32)
Flags
.... ...1 = Encryption
.... ..0. = No commit
.... .0.. = No authentication
Message ID: 0xF419F617
Length: 604
Encrypted payload (576 bytes)
---
Atsushi Yokoyama
Saitama Japan
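A small model of the SPD lookup behind the icmp6 bypass entries in the post, as an added example (not part of the original message, and not NetBSD/KAME code). It parses the leaf node's spdadd lines and reports which entry each sample packet hits, with and without the two `-P none` entries. First-match-in-file-order lookup, the sample packets and the `parse_spd`/`lookup`/`classify` names are assumptions of this model.

```python
"""Model of setkey SPD matching for the leaf node's policies.

Added example, not code from the post. It parses spdadd statements and then
asks which entry a given packet would hit. Lookup is modelled as first match
in file order; that ordering is an assumption of this model.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the leaf node's ipsec.conf as given in the post,
# including the two icmp6 bypass entries the author placed in front.
LEAF_IPSEC_CONF = """
spdadd ::/0 ::/0 icmp6 -P out none;
spdadd ::/0 ::/0 icmp6 -P in none;
spdadd 3ffe::2 ::/0 any -P out ipsec
    esp/tunnel/3ffe::2-3ffe::1/require;
spdadd ::/0 3ffe::2 any -P in ipsec
    esp/tunnel/3ffe::1-3ffe::2/require;
"""

# The same file without the icmp6 entries (the author's first attempt).
LEAF_IPSEC_CONF_NO_BYPASS = "\n".join(
    line for line in LEAF_IPSEC_CONF.splitlines() if "icmp6" not in line)

# spdadd SRC DST PROTO -P DIR ACTION [protocol/mode/src-dst/level] ;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(none|discard|ipsec)"
    r"(?:\s+([^\s;]+))?\s*;")


@dataclass
class Policy:
    src: ipaddress.IPv6Network      # a bare address is a /128 host entry
    dst: ipaddress.IPv6Network
    proto: str                      # upper-layer protocol: any, icmp6, tcp, ...
    direction: str                  # in / out
    action: str                     # none / discard / ipsec
    spec: Optional[str]             # e.g. esp/tunnel/3ffe::2-3ffe::1/require

    def matches(self, src: str, dst: str, proto: str, direction: str) -> bool:
        return (direction == self.direction
                and self.proto in ("any", proto)
                and ipaddress.IPv6Address(src) in self.src
                and ipaddress.IPv6Address(dst) in self.dst)


def parse_spd(conf: str) -> list:
    """Turn spdadd statements into Policy objects, in file order."""
    return [Policy(ipaddress.IPv6Network(m.group(1)),
                   ipaddress.IPv6Network(m.group(2)),
                   m.group(3), m.group(4), m.group(5), m.group(6))
            for m in SPDADD_RE.finditer(conf)]


def lookup(policies: list, src: str, dst: str, proto: str,
           direction: str) -> Optional[Policy]:
    """First matching entry, or None when no entry covers the packet
    (the kernel's default policy decides in that case)."""
    for p in policies:
        if p.matches(src, dst, proto, direction):
            return p
    return None


# Constructed packets modelled on the capture in the post, seen from 3ffe::2.
PACKETS = [
    ("neighbor solicitation out", "3ffe::2", "3ffe::1", "icmp6", "out"),
    ("neighbor advertisement in", "3ffe::1", "3ffe::2", "icmp6", "in"),
    ("echo request out",          "3ffe::2", "3ffe::1", "icmp6", "out"),
    ("tcp syn out",               "3ffe::2", "3ffe::1", "tcp",   "out"),
    ("tcp syn-ack in",            "3ffe::1", "3ffe::2", "tcp",   "in"),
]


def classify(conf: str) -> dict:
    """Map each sample packet label to the action of the entry it hits."""
    spd = parse_spd(conf)
    result = {}
    for label, src, dst, proto, direction in PACKETS:
        hit = lookup(spd, src, dst, proto, direction)
        result[label] = "no entry" if hit is None else hit.action
    return result


if __name__ == "__main__":
    for title, conf in (("without icmp6 bypass", LEAF_IPSEC_CONF_NO_BYPASS),
                        ("with icmp6 bypass", LEAF_IPSEC_CONF)):
        print(title)
        for label, action in classify(conf).items():
            print(f"  {label:28s} -> {action}")
```

Run stand-alone, the model shows why the two bypass entries changed the symptom: without them, neighbor solicitation and echo request both hit the `ipsec ... require` entry and are held until an SA exists; with them, all ICMPv6 (including ping) passes in the clear while TCP still needs the ESP tunnel, which is exactly the state the post describes before the Quick Mode exchange stalls.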