Re: IPSec: can't get IPv6 IPSec working with racoon

[Kazunori Miyazawa]

Hello,

On 2004/02/25(Wed) 21:58, you wrote:
> 1. Host A tries to send and ICMPv6 ping echo request to host B, but
> since there exists a Security Policy that requires the use of ESP/AH,
> before A can send the ICMPv6 echo request, it must trigger an SA
> negotiation with host B. To start this SA negotiation, host A needs to
> know the link-layer address of peer host B:
>         1.1 Host A sends a Neighbor solicitation message to host B
>         1.2 Host B tries to send a Neigbor discovery packet, but since
>         there exists a Security Policy that requires the use of ESP/AH,
>         before B can send the Neighbor discovery, it triggers SA
>         negotiation.
> 
> This seems to create a loop: host A triggers SA negotiation in first
> place, but needs to know link-layer address of B, thus it sends a
> Neighbor solicitation packet which makes host B trigger SA association.
> Thus, both hosts are trying to establish an SA association, creating a
> deadlock.

It is well known chicken and egg problem about IPv6 IPsec.
You can bypass ICMP packet with putting ICMP bypass policies before
your own policies.
Then you can not trigger IPsec with ICMP ECHO.

spdadd fec0::204:75ff:feab:6fcc fec0::2 ipv6-icmp -P out none;
spdadd fec0::204:75ff:feab:6fcc fec0::2 ipv6-icmp -P in none;

spdadd fec0::204:75ff:feab:6fcc fec0::2 any -P out ipsec
esp/transport//require ah/transport//require;
spdadd fec0::2 fec0::204:75ff:feab:6fcc any -P in  ipsec
esp/transport//require ah/transport//require;

--Kazunori Miyazawa

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/