
Date: Wed, 28 Sep 2005 10:44:46 +0530
From: "Lobo, Praveen Rajesh (STSD)" <praveen.rajesh-lobo@hp.com>
Subject: [users:00131] Re: Problem with setkey (ipsec) and ping6
To: <users@tahi.org>
Message-Id: <545E14DDF942B2409BA8E372E7BB8DC10121181E@bgeexc05.asiapacific.cpqcorp.net>
X-Mail-Count: 00131


Hi,
I solved this problem by changing the SP rule as follows.
linux# cat spdrule
spdadd fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d any -P out ipsec ah/transport//require ;


#setkey -f spdrule

Ah!! Ping6 is working now!!
 
Thanks to all,
Praveen
 





-----Original Message-----
From: Nobumichi.Ozoe@jp.yokogawa.com [mailto:Nobumichi.Ozoe@jp.yokogawa.com]
Sent: Wednesday, September 28, 2005 5:27 AM
To: users@tahi.org
Subject: [users:00130] Re: Problem with setkey (ipsec) and ping6

Hi Praveen,
Because you are setting ANY as the IPsec-applied policy, I think that DAD has failed on NUT.

Best regards,

________________________________

From: Lobo, Praveen Rajesh (STSD) [mailto:praveen.rajesh-lobo@hp.com]
Sent: 2005/09/27 (Tue) 23:25
To: users@tahi.org
Subject: [users:00129] Problem with setkey (ipsec) and ping6


Hi,

I am running IPSEC related tests over IPV6 using tahi test tool.
If I set security rules using setkey, ping6 will not work. If I flush all the SAD entries, then ping6 will work.
I tried Google but couldn't get a suitable answer.
Why is it so? Does anyone know the answer?


Detailed problem is as follows.

NUT: (Debian/Linux 2.6.10, ipsec-tools_0.6.1-1_ia64.deb)
linux# ifconfig eth2
eth2      Link encap:Ethernet  HWaddr 00:12:79:9E:49:B8
          inet addr:10.1.1.1  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::212:79ff:fe9e:49b8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10108 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8832 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12557471 (11.9 MiB)  TX bytes:1009218 (985.5 KiB)
          Base address:0x8040 Memory:c8120000-c8140000

TN: (freebsd-5.4)
freebsd1#ifconfig bge0
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::20e:7fff:fe29:811d%bge0 prefixlen 64 scopeid 0x1
        ether 00:0e:7f:29:81:1d
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active


At NUT,
linux# cat sadaddrule
add fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d  ah 0x1000 -m transport  -A hmac-sha1  "TAHITEST89ABCDEF0123" ;

linux# cat spdrule
spdadd fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d any -P out ;

linux#setkey -f sadaddrule
linux#setkey -f  spdrule
linux# setkey -aD
fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d
        ah mode=transport spi=4096(0x00001000) reqid=0(0x00000000)
        A: hmac-sha1  54414849 54455354 38394142 43444546 30313233
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Sep 27 19:42:07 2005   current: Sep 27 19:42:18 2005
        diff: 11(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=31734 refcnt=0

Now if I ping6 from TN

freebsd1# ping6 -I bge0 fe80::212:79ff:fe9e:49b8
ping6 -I bge0 fe80::212:79ff:fe9e:49b8
PING6(56=40+8+8 bytes) fe80::20e:7fff:fe29:811d%bge0 --> fe80::212:79ff:fe9e:49b8

^C
--- fe80::212:79ff:fe9e:49b8 ping6 statistics ---
305 packets transmitted, 0 packets received, 100.0% packet loss



At NUT, tcpdump
linux# tcpdump -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
19:43:22.508520 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:23.508491 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:24.508518 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:26.508572 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:27.508724 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:28.508749 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:30.508803 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:31.508831 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:32.508857 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8
19:43:34.508912 fe80::20e:7fff:fe29:811d > ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8 ^c

If I flush all SAD and SPD entries using setkey -F, ping6 goes fine, i.e. NUT is replying back.
Let me know if you have a solution to this problem.

Thanks ,
Praveen
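As an added example (not code from this thread or from ipsec-tools), a small Python linter that parses the SAD and SPD rule files quoted above and flags the two problems the thread turns on: an spdadd line with no discard/none/ipsec action after -P out, and a require-level policy with no matching SA, which drops every packet the selector covers until an SA exists, ICMPv6 neighbor advertisements included when the upper-layer protocol is any. The regular expressions are an assumption that covers only the rule forms shown in the thread, not the full setkey(8) grammar.

```python
import re

# Constructed copies of the three rule files quoted in the thread: the SAD entry,
# the first SPD rule that broke ping6, and the corrected SPD rule that fixed it.
SAD_FILE = ('add fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d  ah 0x1000 '
            '-m transport  -A hmac-sha1  "TAHITEST89ABCDEF0123" ;')
SPD_BROKEN = 'spdadd fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d any -P out ;'
SPD_FIXED = ('spdadd fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d any '
             '-P out ipsec ah/transport//require ;')

# Assumed subset of the setkey(8) grammar: just the forms used in this thread.
SAD_RE = re.compile(r'^add\s+(\S+)\s+(\S+)\s+(ah|esp)\s+\S+\s+-m\s+(transport|tunnel)\b', re.I)
SPD_RE = re.compile(r'^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\b\s*(.*?)\s*;$', re.I)
REQ_RE = re.compile(r'^(ah|esp|ipcomp)/(transport|tunnel)/[^/]*/(default|use|require|unique)$', re.I)

def parse_sad(text):
    """Return (src, dst, proto, mode) for each 'add' line in a SAD rule file."""
    sas = []
    for line in text.splitlines():
        m = SAD_RE.match(line.strip())
        if m:
            src, dst, proto, mode = m.groups()
            sas.append((src, dst, proto.lower(), mode.lower()))
    return sas

def lint_spd(text, sas):
    """Return a list of findings for the spdadd lines in an SPD rule file."""
    findings = []
    for line in text.splitlines():
        m = SPD_RE.match(line.strip())
        if not m:
            continue
        src, dst, upper, direction, policy = m.groups()
        words = policy.split()
        if not words or words[0].lower() not in ('discard', 'none', 'ipsec'):
            # setkey(8) expects an action after -P <dir>; the thread's first rule had none.
            findings.append(f'{src} -> {dst} {upper}: -P {direction} has no discard/none/ipsec action')
            continue
        if words[0].lower() != 'ipsec':
            continue
        for req in words[1:]:
            r = REQ_RE.match(req)
            if not r:
                findings.append(f'{src} -> {dst}: malformed ipsec request "{req}"')
                continue
            proto, mode, level = (g.lower() for g in r.groups())
            # 'require' with no SA for this selector drops everything it matches, and with
            # upper 'any' that includes the ICMPv6 NS/NA exchange ping6 depends on.
            if level == 'require' and (src, dst, proto, mode) not in sas:
                findings.append(f'{src} -> {dst} {upper}: {proto}/{mode} require but no matching SA in SAD')
    return findings
```

Running lint_spd(SPD_BROKEN, parse_sad(SAD_FILE)) reports the missing action, while the corrected rule together with the SAD entry reports nothing.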