Hi Praveen,
Because you are setting ANY as the IPsec-applied policy, I think that DAD has failed on NUT.
Best regards,
________________________________
From: Lobo, Praveen Rajesh (STSD) [mailto:praveen.rajesh-lobo@hp.com]
Sent: 2005/09/27 (Tue) 23:25
To: users@tahi.org
Subject: [users:00129] Problem with setkey (ipsec) and ping6
Hi,
I am running IPSEC related tests over IPV6 using tahi test tool.
If I set security rules using setkey, ping6 will not work. If I flush all the SAD entries, then ping6 will work.
I tried Google but couldn't get a suitable answer.
Why is it so? Does anyone know the answer?
Detailed problem is as follows.
NUT: (Debian/Linux 2.6.10, ipsec-tools_0.6.1-1_ia64.deb)
linux#ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:12:79:9E:49:B8
inet addr:10.1.1.1 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::212:79ff:fe9e:49b8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10108 errors:0 dropped:0 overruns:0 frame:0
TX packets:8832 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12557471 (11.9 MiB) TX bytes:1009218 (985.5 KiB)
Base address:0x8040 Memory:c8120000-c8140000
TN: (freebsd-5.4)
freebsd1#ifconfig bge0
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
inet6 fe80::20e:7fff:fe29:811d%bge0 prefixlen 64 scopeid 0x1
ether 00:0e:7f:29:81:1d
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
At NUT,
linux# cat sadaddrule
add fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d ah 0x1000 -m transport -A hmac-sha1 "TAHITEST89ABCDEF0123" ;
linux# cat spdrule
spdadd fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d any -P out ;
linux#setkey -f sadaddrule
linux#setkey -f spdrule
linux# setkey -aD
fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d
ah mode=transport spi=4096(0x00001000) reqid=0(0x00000000)
A: hmac-sha1 54414849 54455354 38394142 43444546 30313233
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Sep 27 19:42:07 2005 current: Sep 27 19:42:18 2005
diff: 11(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=31734 refcnt=0
Now if I ping6 from TN
freebsd1# ping6 -I bge0 fe80::212:79ff:fe9e:49b8
ping6 -I bge0 fe80::212:79ff:fe9e:49b8
PING6(56=40+8+8 bytes) fe80::20e:7fff:fe29:811d%bge0 --> fe80::212:79ff:fe9e:49b8
^C
--- fe80::212:79ff:fe9e:49b8 ping6 statistics ---
305 packets transmitted, 0 packets received, 100.0% packet loss
At NUT, tcpdump
linux# tcpdump -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
19:43:22.508520 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:23.508491 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:24.508518 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:26.508572 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:27.508724 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:28.508749 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:30.508803 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:31.508831 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:32.508857 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:34.508912 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
^c
If I flush all SAD and SPD entries using setkey -F, ping6 goes fine, i.e. NUT is replying back.
Let me know if you have a solution to this problem.
Thanks,
Praveen
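The following is an added example, not part of the thread above: a small lint for setkey SPD files that checks the posted spdrule for the condition the reply points at. An upperspec of "any" on a link-local address pair covers every upper-layer protocol, so the policy also applies to ICMPv6 Neighbor Discovery (neighbor solicitation/advertisement and DAD) between the two hosts, not only to the ping traffic. The parser, the lint_spd/parse_spd names, the sample text and the suggested "icmp6 ... none" bypass are all constructed here; whether a more specific overlapping policy is preferred over the broader one depends on the kernel and ipsec-tools version, so treat the suggestion as something to verify with setkey -DP, not as a guaranteed fix.

```python
# Added example (not from the original thread): lint setkey SPD rules for
# policies whose upperspec "any" also catches ICMPv6 Neighbor Discovery.
import ipaddress
import re

# Constructed sample input, copied from the spdrule file shown in the report.
SAMPLE_SPD = """
spdadd fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d any -P out ;
"""

LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# spdadd <src> <dst> <upperspec> -P <dir> [priority] <policy> ;
SPD_RE = re.compile(
    r"^\s*spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\b([^;]*);",
    re.MULTILINE,
)


def _to_network(spec):
    """Turn a setkey address spec ('addr', 'addr/len', 'addr[port]') into a network."""
    spec = spec.split("[", 1)[0]  # drop an optional [port] selector
    return ipaddress.ip_network(spec, strict=False)


def parse_spd(text):
    """Return one dict per spdadd line found in text (hypothetical helper)."""
    rules = []
    for m in SPD_RE.finditer(text):
        src, dst, upper, direction, policy = m.groups()
        rules.append({
            "src": _to_network(src),
            "dst": _to_network(dst),
            "upper": upper.lower(),
            "dir": direction,
            "policy": policy.strip(),  # '' when no discard/none/ipsec action follows
            "line": m.group(0).strip(),
        })
    return rules


def lint_spd(text):
    """Return human-readable findings for the spdadd rules in text."""
    findings = []
    for r in parse_spd(text):
        # Does either endpoint range include IPv6 link-local space?
        touches_link_local = any(
            n.version == 6 and n.overlaps(LINK_LOCAL)
            for n in (r["src"], r["dst"])
        )
        if r["upper"] == "any" and touches_link_local:
            findings.append(
                f"{r['line']}\n"
                "  upperspec 'any' on a link-local pair also matches ICMPv6 "
                "Neighbor Discovery (NS/NA, DAD); a peer that cannot process the "
                "protected ND packets never resolves the address. Consider a more "
                "specific bypass policy (assumption: ordering is kernel-dependent):\n"
                f"  spdadd {r['src']} {r['dst']} icmp6 -P {r['dir']} none ;"
            )
        if r["policy"] == "":
            findings.append(
                f"{r['line']}\n"
                "  no policy action (discard/none/ipsec ...) given after -P "
                f"{r['dir']}; check what setkey -DP actually installed"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_spd(SAMPLE_SPD):
        print(finding)
```

Run it as-is to see both findings for the posted rule; feed it a file with a global-address pair and an explicit "ipsec ah/transport//require" action and it reports nothing, which is the contrast the lint is meant to show.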