<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.2800.1515" name=GENERATOR></HEAD>
<BODY><!-- Converted from text/plain format --><FONT size=2>
<P><BR><BR><FONT face="Bookman Old Style" size=3>Hi,<BR>
I solved this problem by changing the SP rule as follows.<BR>
linux# cat spdrule<BR>
spdadd fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d any -P out <STRONG>ipsec ah/transport//require</STRONG> ;<BR></FONT></P>
<P><FONT face="Bookman Old Style" size=3>#setkey -f spdrule.</FONT></P>
<DIV><FONT face=Arial color=#0000ff>ah!! Ping6 is working now . !!</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial color=#0000ff>Thanks to all,</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff>Praveen</FONT></DIV>
<DIV>&nbsp;</DIV>
<P><BR><BR><BR><BR>-----Original Message-----<BR>
From: Nobumichi.Ozoe@jp.yokogawa.com [<A href="mailto:Nobumichi.Ozoe@jp.yokogawa.com">mailto:Nobumichi.Ozoe@jp.yokogawa.com</A>]<BR>
Sent: Wednesday, September 28, 2005 5:27 AM<BR>
To: users@tahi.org<BR>
Subject: [users:00130] Re: Problem with setkey (ipsec) and ping6<BR><BR>
Hi Praveen,<BR>
Because you are setting ANY as IPsec applied policy, I think that DAD has failed on NUT.<BR><BR>
Best regards,<BR><BR>________________________________<BR>
<BR>From: Lobo, Praveen Rajesh (STSD) [<A href="mailto:praveen.rajesh-lobo@hp.com">mailto:praveen.rajesh-lobo@hp.com</A>]<BR>
Sent: 2005/09/27 (Tue) 23:25<BR>
To: users@tahi.org<BR>
Subject: [users:00129] Problem with setkey (ipsec) and ping6<BR><BR><BR>
Hi,<BR><BR>
I am running IPsec related tests over IPv6 using the TAHI test tool.<BR>
If I set security rules using setkey, ping6 will not work. If I flush all the SAD entries then ping6 will work.<BR>
I tried with Google; I couldn't get a suitable answer.<BR>
Why is it so? Does anyone know the answer?<BR><BR><BR>
The detailed problem is as follows.<BR><BR>
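NUT: (Debian/Linux 2.6.10, ipsec-tools_0.6.1-1_ia64.deb)<BR>
linux#ifconfig eth2<BR>
eth2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Link encap:Ethernet&nbsp; HWaddr 00:12:79:9E:49:B8<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;inet addr:10.1.1.1&nbsp; Bcast:10.255.255.255&nbsp; Mask:255.0.0.0<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;inet6 addr: fe80::212:79ff:fe9e:49b8/64 Scope:Link<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;UP BROADCAST RUNNING MULTICAST&nbsp; MTU:1500&nbsp; Metric:1<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;RX packets:10108 errors:0 dropped:0 overruns:0 frame:0<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;TX packets:8832 errors:0 dropped:0 overruns:0 carrier:0<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;collisions:0 txqueuelen:1000<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;RX bytes:12557471 (11.9 MiB)&nbsp; TX bytes:1009218 (985.5 KiB)<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Base address:0x8040 Memory:c8120000-c8140000<BR><BR>
TN: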
(freebsd-5.4)<BR>
freebsd1#ifconfig bge0<BR>
bge0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;options=1a&lt;TXCSUM,VLAN_MTU,VLAN_HWTAGGING&gt;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;inet6 fe80::20e:7fff:fe29:811d%bge0 prefixlen 64 scopeid 0x1<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ether 00:0e:7f:29:81:1d<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;media: Ethernet autoselect (100baseTX &lt;full-duplex&gt;)<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;status: active<BR><BR><BR>
At NUT,<BR>
linux# cat sadaddrule<BR>
add fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d ah 0x1000 -m transport -A hmac-sha1 "TAHITEST89ABCDEF0123" ;<BR><BR>
linux# cat spdrule<BR>
spdadd fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d any -P out ;<BR><BR>
linux#setkey -f sadaddrule<BR>
linux#setkey -f spdrule<BR>
linux# setkey -aD<BR>
fe80::212:79ff:fe9e:49b8 fe80::20e:7fff:fe29:811d
<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ah mode=transport spi=4096(0x00001000) reqid=0(0x00000000)<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;A: hmac-sha1&nbsp; 54414849 54455354 38394142 43444546 30313233<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;seq=0x00000000 replay=0 flags=0x00000000 state=mature<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;created: Sep 27 19:42:07 2005&nbsp; current: Sep 27 19:42:18 2005<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;diff: 11(s)&nbsp; hard: 0(s)&nbsp; soft: 0(s)<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;last:&nbsp; hard: 0(s)&nbsp; soft: 0(s)<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;current: 0(bytes)&nbsp; hard: 0(bytes)&nbsp; soft: 0(bytes)<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;allocated: 0&nbsp; hard: 0&nbsp; soft: 0<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sadb_seq=0 pid=31734 refcnt=0<BR><BR>
Now if I ping6 from TN<BR><BR>
freebsd1# ping6 -I bge0 fe80::212:79ff:fe9e:49b8<BR>
ping6 -I bge0 fe80::212:79ff:fe9e:49b8<BR>
PING6(56=40+8+8 bytes) fe80::20e:7fff:fe29:811d%bge0 --&gt; fe80::212:79ff:fe9e:49b8<BR><BR>
^C<BR>
--- fe80::212:79ff:fe9e:49b8 ping6 statistics ---<BR>
305 packets transmitted, 0 packets received, 100.0% packet loss<BR><BR><BR><BR>
At NUT, tcpdump<BR>
linux# tcpdump -i eth2<BR>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<BR>
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes<BR>
19:43:22.508520
fe80::20e:7fff:fe29:811d &gt; ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8<BR>
19:43:23.508491 fe80::20e:7fff:fe29:811d &gt; ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8<BR>
19:43:24.508518 fe80::20e:7fff:fe29:811d &gt; ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8<BR>
19:43:26.508572 fe80::20e:7fff:fe29:811d &gt; ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8<BR>
19:43:27.508724 fe80::20e:7fff:fe29:811d &gt; ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8<BR>
19:43:28.508749 fe80::20e:7fff:fe29:811d &gt; ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8<BR>
19:43:30.508803 fe80::20e:7fff:fe29:811d &gt; ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8<BR>
19:43:31.508831 fe80::20e:7fff:fe29:811d &gt; ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8<BR>
19:43:32.508857 fe80::20e:7fff:fe29:811d &gt; ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8<BR>
19:43:34.508912 fe80::20e:7fff:fe29:811d &gt; ff02::1:ff9e:49b8: icmp6: neighbor sol: who has fe80::212:79ff:fe9e:49b8<BR>
^c<BR><BR>
If I flush all SAD, SPD entries using setkey -F, ping6 goes fine, i.e. NUT is replying back.<BR>
Let me know if you have a solution to this problem.<BR><BR>
Thanks,<BR>
Praveen<BR></P></FONT></BODY></HTML>