IPv6 + IPsec + ipsec-tools 0.6.[4567] + scope:link = no SA established

Discussion in 'Linux Networking' started by Guest, Jul 25, 2007.


    In IPv4 this works. In IPv6 things work w/o IPsec. With IPsec, there are
    no security association setups established, and attempts to communicate
    between hosts defined by policy to require IPsec do not work. Running
    the racoon daemon in the foreground shows a DEBUG message that indicates
    a problem:

    2007-07-25 16:30:09: DEBUG: ignore because do not listen on source address : fe80::203:47ff:fea4:4aa3.

    This comes from a loop that checks the address to be used against one that
    is being listened on. If the address is not one listened on, then it is
    not usable in making the security association (or so implied by the code
    comments).

    Actually it is listening on the source address. So I modified the source
    code to add new diagnostics that dump out more detail about what is being
    compared when this test is taking place:

    2007-07-25 16:30:09: DEBUG: get pfkey ACQUIRE message
    2007-07-25 16:30:09: DEBUG: compare 00000002 (sa_family)
    to 0000000a (sa_family)
    2007-07-25 16:30:09: DEBUG: compare 00000002 (sa_family)
    to 0000000a (sa_family)
    2007-07-25 16:30:09: DEBUG: compare 0000000a (sa_family)
    to 0000000a (sa_family)
    2007-07-25 16:30:09: DEBUG: compare 0000:0000:0000:0000:0000:0000:0000:0001 (sin6_addr)
    to fe80:0000:0000:0000:0203:47ff:fea4:4aa3 (sin6_addr)
    2007-07-25 16:30:09: DEBUG: compare 0000000a (sa_family)
    to 0000000a (sa_family)
    2007-07-25 16:30:09: DEBUG: compare fe80:0000:0000:0000:0203:47ff:fea4:4aa3 (sin6_addr)
    to fe80:0000:0000:0000:0203:47ff:fea4:4aa3 (sin6_addr)
    2007-07-25 16:30:09: DEBUG: compare 00000003 (sin6_scope_id)
    to 00000000 (sin6_scope_id)
    2007-07-25 16:30:09: DEBUG: ignore because do not listen on source address : fe80::203:47ff:fea4:4aa3.

    All the compare messages (2 lines each) are what I added with new C code.

    The first 2 compare fails are because it was testing the 2 IPv4 addresses
    in the list (IPsec works over IPv4 when I use that). Compares 3 and 4 are
    a fail because the address mismatches (this was the "lo" entry for IPv6).
    Compares 5 and 6 and 7 are the issue. The first 2 of these match the
    address family and address OK. It's the scope id that mismatches.

    Is the scope ID really relevant here?

    Is the scope ID really correct?

    Is the kernel supposed to supply this to the racoon daemon?
     
    Guest, Jul 25, 2007
    #1
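As an added illustration (not code from the original post, nor from racoon or ipsec-tools), the following C program builds the two sockaddr_in6 values that the poster's diagnostic shows being compared (the listened link-local address with sin6_scope_id 3, and the same address from the pfkey ACQUIRE message with scope 0) and runs them through a strict comparison that includes the scope id, next to a relaxed variant that treats a zero scope as "unspecified". The compare functions, the relaxed rule, and compare_texts/is_linklocal_text are assumptions for illustration; nothing here claims to reproduce racoon's actual matching logic beyond what the debug output above shows.

```c
/* Added illustration, not code from racoon or the original post: strict vs.
 * relaxed comparison of two sockaddr_in6 values that differ only in
 * sin6_scope_id, using the addresses from the poster's diagnostic output. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Fill a sockaddr_in6 from text plus a scope id; returns 1 on success. */
static int make_in6(struct sockaddr_in6 *sa, const char *text, uint32_t scope)
{
    memset(sa, 0, sizeof *sa);
    sa->sin6_family = AF_INET6;
    sa->sin6_scope_id = scope;
    return inet_pton(AF_INET6, text, &sa->sin6_addr) == 1;
}

/* Strict rule (what the diagnostic shows): family, address and scope id
 * must all match. */
int in6_equal_strict(const struct sockaddr_in6 *a, const struct sockaddr_in6 *b)
{
    if (a->sin6_family != b->sin6_family)
        return 0;
    if (memcmp(&a->sin6_addr, &b->sin6_addr, sizeof a->sin6_addr) != 0)
        return 0;
    return a->sin6_scope_id == b->sin6_scope_id;
}

/* Relaxed rule (an assumption for illustration): a scope id of 0 means
 * "unspecified" and is not counted as a mismatch; two non-zero scopes must
 * still agree.  For link-local addresses this can pair the address with the
 * wrong interface, which is why it is shown only as a point of comparison. */
int in6_equal_relaxed(const struct sockaddr_in6 *a, const struct sockaddr_in6 *b)
{
    if (a->sin6_family != b->sin6_family)
        return 0;
    if (memcmp(&a->sin6_addr, &b->sin6_addr, sizeof a->sin6_addr) != 0)
        return 0;
    if (a->sin6_scope_id == 0 || b->sin6_scope_id == 0)
        return 1;
    return a->sin6_scope_id == b->sin6_scope_id;
}

/* 1 if text parses as an IPv6 link-local address (fe80::/10), where the
 * scope id is the only thing that tells two links apart; 0 otherwise. */
int is_linklocal_text(const char *text)
{
    struct in6_addr addr;
    if (inet_pton(AF_INET6, text, &addr) != 1)
        return 0;
    return IN6_IS_ADDR_LINKLOCAL(&addr) ? 1 : 0;
}

/* Compare two textual addresses with scope ids under either rule.
 * Returns 1 (equal), 0 (not equal) or -1 (unparsable input). */
int compare_texts(const char *ta, uint32_t sa, const char *tb, uint32_t sb, int strict)
{
    struct sockaddr_in6 a, b;
    if (!make_in6(&a, ta, sa) || !make_in6(&b, tb, sb))
        return -1;
    return strict ? in6_equal_strict(&a, &b) : in6_equal_relaxed(&a, &b);
}

int main(void)
{
    /* Constructed from the poster's output: the listened address carries
     * scope 3, the address in the pfkey ACQUIRE message carries scope 0. */
    const char *addr = "fe80::203:47ff:fea4:4aa3";
    printf("strict : %d\n", compare_texts(addr, 3, addr, 0, 1));   /* 0 */
    printf("relaxed: %d\n", compare_texts(addr, 3, addr, 0, 0));   /* 1 */
    printf("link-local: %d\n", is_linklocal_text(addr));           /* 1 */
    /* The same link-local address on two different links stays distinct. */
    printf("scope 2 vs 3 (relaxed): %d\n", compare_texts(addr, 2, addr, 3, 0)); /* 0 */
    return 0;
}
```

The point the program makes about the poster's questions: for a link-local address (fe80::/10) the scope id is not decoration, since the same fe80:: address can legitimately exist on several links of one host and the scope id is what selects the link. A strict comparison therefore rejects an address that arrives with scope 0, as the diagnostic shows; a rule that ignores scope entirely would instead risk binding the SA to the wrong interface, so any relaxation should at most tolerate an unspecified (zero) scope, as the relaxed variant does.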
