Date: Tue, 27 Sep 2005 19:55:24 +0530
From: "Lobo, Praveen Rajesh (STSD)" <praveen.rajesh-lobo@hp.com>
Subject: [users:00129] Problem with setkey (ipsec) and ping6
To: <users@tahi.org>
Message-Id: <545E14DDF942B2409BA8E372E7BB8DC1011BEDA4@bgeexc05.asiapacific.cpqcorp.net>
X-Mail-Count: 00129

Hi,

I am running IPsec-related tests over IPv6 using the TAHI test tool.
If I set security rules using setkey, ping6 will not work. If I flush
all the SAD entries then ping6 will work. I tried Google but couldn't
get a suitable answer. Why is it so? Does anyone know the answer?

The detailed problem is as follows.

NUT: (Debian / Linux 2.6.10, ipsec-tools_0.6.1-1_ia64.deb)

linux# ifconfig eth2
eth2      Link encap:Ethernet  HWaddr 00:12:79:9E:49:B8
          inet addr:10.1.1.1  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::212:79ff:fe9e:49b8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10108 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8832 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12557471 (11.9 MiB)  TX bytes:1009218 (985.5 KiB)
          Base address:0x8040 Memory:c8120000-c8140000

TN: (FreeBSD 5.4)

freebsd1# ifconfig bge0
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::20e:7fff:fe29:811d%bge0 prefixlen 64 scopeid 0x1
        ether 00:0e:7f:29:81:1d
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

At NUT:

linux# cat sadaddrule
add fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d ah 0x1000 -m transport -A hmac-sha1 "TAHITEST89ABCDEF0123" ;

linux# cat spdrule
spdadd fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d any -P out ;

linux# setkey -f sadaddrule
linux# setkey -f spdrule
linux# setkey -aD
fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d
        ah mode=transport spi=4096(0x00001000) reqid=0(0x00000000)
        A: hmac-sha1  54414849 54455354 38394142 43444546 30313233
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Sep 27 19:42:07 2005   current: Sep 27 19:42:18 2005
        diff: 11(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=31734 refcnt=0

Now if I ping6 from TN:

freebsd1# ping6 -I bge0 fe80::212:79ff:fe9e:49b8
PING6(56=40+8+8 bytes) fe80::20e:7fff:fe29:811d%bge0 --> fe80::212:79ff:fe9e:49b8
^C
--- fe80::212:79ff:fe9e:49b8 ping6 statistics ---
305 packets transmitted, 0 packets received, 100.0% packet loss

At NUT, tcpdump:

linux# tcpdump -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
19:43:22.508520 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:23.508491 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:24.508518 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:26.508572 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:27.508724 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:28.508749 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:30.508803 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:31.508831 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:32.508857 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:34.508912 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
^C

If I flush all SAD and SPD entries using setkey -F, ping6 works fine,
i.e. the NUT replies back.

Let me know if you have a solution to this problem.

Thanks,
Praveen
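The message above loads a single AH SA (NUT to TN) and a single outbound policy on the NUT only, and the capture then shows neighbor solicitations from the TN with no advertisement coming back. As an added example, not part of the original message and not code from the TAHI tool or ipsec-tools, the script below builds the symmetric setkey configuration a practitioner would compare that setup against: AH transport-mode SAs in both directions, and matching in/out policies on each host. It also checks that the hmac-sha1 key is 160 bits and renders the ASCII key in the hex form that `setkey -D` prints (the `54414849 54455354 ...` in the dump is simply "TAHITEST89ABCDEF0123" in hex). The addresses and the key are taken from the post; the reverse-direction SPI (0x1001) and the per-host file layout are assumptions.

```python
"""Build a symmetric setkey (ipsec-tools) configuration for AH transport
mode between two IPv6 link-local hosts.

Added example. Addresses and key are from the mailing-list post; the
reverse-direction SPI 0x1001 and the one-file-per-host layout are assumed.
"""

NUT = "fe80::212:79ff:fe9e:49b8"   # Linux host in the post
TN = "fe80::20e:7fff:fe29:811d"    # FreeBSD host in the post
KEY = "TAHITEST89ABCDEF0123"        # hmac-sha1 key used in the post

# setkey's hmac-sha1 wants a key of exactly 160 bits (20 bytes).
HMAC_SHA1_KEY_BYTES = 20


def key_hex_words(key: str) -> str:
    """Render an ASCII key the way `setkey -D` prints it: hex, four bytes per word."""
    raw = key.encode("ascii")
    return " ".join(raw[i:i + 4].hex() for i in range(0, len(raw), 4))


def check_hmac_sha1_key(key: str) -> None:
    """Refuse key lengths setkey would reject for hmac-sha1."""
    n = len(key.encode("ascii"))
    if n != HMAC_SHA1_KEY_BYTES:
        raise ValueError(
            f"hmac-sha1 needs a {HMAC_SHA1_KEY_BYTES}-byte key, got {n} bytes")


def sad_entries(a: str, b: str, spi_ab: int, spi_ba: int, key: str) -> list:
    """One AH transport-mode SA per direction; both hosts must load the same pair."""
    check_hmac_sha1_key(key)
    return [
        f'add {a} {b} ah 0x{spi_ab:04x} -m transport -A hmac-sha1 "{key}" ;',
        f'add {b} {a} ah 0x{spi_ba:04x} -m transport -A hmac-sha1 "{key}" ;',
    ]


def spd_entries(local: str, peer: str) -> list:
    """Policies for the host whose address is `local`: require AH in both directions.

    Upper-layer spec `any` covers ICMPv6 as well, so neighbor discovery
    exchanged with `peer` is also subject to the policy; that is the first
    thing to look at when ND stops working after a policy is loaded.
    """
    return [
        f"spdadd {local} {peer} any -P out ipsec ah/transport//require ;",
        f"spdadd {peer} {local} any -P in ipsec ah/transport//require ;",
    ]


def host_config(local: str, peer: str, spi_out: int, spi_in: int, key: str) -> str:
    """Complete `setkey -f` input for one host, starting from empty SAD/SPD."""
    lines = ["flush;", "spdflush;"]
    lines += sad_entries(local, peer, spi_out, spi_in, key)
    lines += spd_entries(local, peer)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("# key as setkey -D shows it:", key_hex_words(KEY))
    print("# --- NUT (linux) ---")
    print(host_config(NUT, TN, 0x1000, 0x1001, KEY))
    print("# --- TN (freebsd1) ---")
    print(host_config(TN, NUT, 0x1001, 0x1000, KEY))
```

Feed each host's output to `setkey -f` on that host; the `add` lines are identical on both sides, only the policy directions are mirrored. Verify afterwards with `setkey -D` (SAD) and `setkey -DP` (SPD) on both machines before repeating the ping6 and capture.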