Issue #175

Mobile IPv6 Missing Corresponding configuration files

Added by JMU Dukes22 about 2 years ago. Updated 12 months ago.

Status: Closed
Start date: 12.02.2012
Priority: Normal
Assignee: Tobias Brunner
Category: -
Affected version: 4.6.1
Resolution: Invalid

Description

Hello,

I was wondering if the strongSwan community had the corresponding ipsec.secrets and strongswan.conf files for the Mobile IPv6 IPsec setup documented at the following sources:

HomeAgent: http://wiki.strongswan.org/projects/strongswan/wiki/HomeAgentSetup
MobileNode: http://wiki.strongswan.org/projects/strongswan/wiki/MobileNodeSetup

P.S. The mip6d.conf and ipsec.conf files are provided; however, all other IPsec files (ipsec.secrets and strongswan.conf) are not documented. I was hoping to use the IPv6 PSK IKEv2 remote access architecture if possible.

failedtoaddpolicy_1.png - error at end of the screenshot (255 KB) JMU Dukes22, 13.02.2012 15:56

failedtoaddpolicy_2.png (102 KB) JMU Dukes22, 13.02.2012 15:56

faildedtoaddpolicy_3.png (74.3 KB) JMU Dukes22, 13.02.2012 15:56

History

#1 Updated by Tobias Brunner about 2 years ago

  • Status changed from New to Feedback

Since the authentication in these examples is certificate based and they are built on our UML test suite you'll find the certificates and ipsec.secrets files in source:testing/hosts. You probably don't have to configure anything special in strongswan.conf, otherwise Andreas would probably have posted it.

#2 Updated by JMU Dukes22 about 2 years ago

Tobias,

I am temporarily using the IKEv2 Remote Access Pre-Shared Key for this setup. However, I have been getting the "Failed to add Policy" error whenever I run the Mobile IPv6 daemon via:

sudo mip6d -c /etc/mip6d.conf

Pictures of the error are provided... they show that the mip6d daemon failed to add the policy for the CN (Correspondent Node). This seems to be a common error when I Googled it, but I did not really find a solution yet.

P.S. In terms of strongSwan, I am able to set up the IPsec tunnels successfully. However, it's not very clear from your documentation whether the CN is supposed to be up and running along with the MN (Mobile Node) and HA (Home Agent): http://wiki.strongswan.org/projects/strongswan/wiki/MobileIPv6 ...so I have currently been running and setting up (2) IPsec tunnels simultaneously, one for the HA to MN and one for the HA to CN. To sum it up, I now have the HA connected to both the MN and CN, meaning there are two separate IPsec tunnels set up. I did this intentionally because the mip6d error says "Failed to add policy" for the CN, so I set up the CN's IPsec tunnel to the HA as well. This did not help with the error.

-JMUDukes22

#3 Updated by Tobias Brunner about 2 years ago

I don't really know MIPv6 all that well, but from what I've read in RFC 6275 (section 5.2.) the Binding Updates sent to CNs are not secured by IPsec but simply authenticated with a MAC and the CN uses a return routability procedure to verify that the HA is actually reachable at the claimed address.
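
The MAC check that comment #3 refers to, sketched in Python from the formulas in RFC 6275; this is an added example, not code from strongSwan, mip6d or anyone in this thread. The key, nonces, addresses (documentation prefix) and the MH Data bytes are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress

def _pack(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed  # 16-byte network-order address

def keygen_token(kcn: bytes, addr: str, nonce: bytes, kind: int) -> bytes:
    """First(64, HMAC_SHA1(Kcn, address | nonce | kind)); kind 0 = home, 1 = care-of."""
    return hmac.new(kcn, _pack(addr) + nonce + bytes([kind]), hashlib.sha1).digest()[:8]

def binding_key(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA-1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + careof_token).digest()

def authenticator(kbm: bytes, careof: str, cn: str, mh_data: bytes) -> bytes:
    """First(96, HMAC_SHA1(Kbm, care-of address | correspondent | MH Data))."""
    return hmac.new(kbm, _pack(careof) + _pack(cn) + mh_data, hashlib.sha1).digest()[:12]

def cn_verify(kcn, home, careof, cn, home_nonce, careof_nonce, mh_data, received) -> bool:
    """CN side: rebuild both tokens from its own secret and nonces, then compare MACs."""
    kbm = binding_key(keygen_token(kcn, home, home_nonce, 0),
                      keygen_token(kcn, careof, careof_nonce, 1))
    return hmac.compare_digest(authenticator(kbm, careof, cn, mh_data), received)

# Constructed sample values (documentation prefix 2001:db8::/32, fixed key and nonces).
KCN = bytes(range(20))                   # CN's node key, never leaves the CN
HOME, CAREOF, CN = "2001:db8:1::10", "2001:db8:2::10", "2001:db8:3::1"
HOME_NONCE, CAREOF_NONCE = b"\x01" * 8, b"\x02" * 8
MH_DATA = b"constructed-binding-update"  # stands in for the Binding Update bytes

def run_exchange(claimed_careof: str) -> bool:
    # CN -> MN: home token travels via the HA tunnel, care-of token goes direct.
    home_tok = keygen_token(KCN, HOME, HOME_NONCE, 0)
    careof_tok = keygen_token(KCN, CAREOF, CAREOF_NONCE, 1)
    # MN -> CN: Binding Update authenticated with Kbm derived from both tokens.
    mac = authenticator(binding_key(home_tok, careof_tok), claimed_careof, CN, MH_DATA)
    return cn_verify(KCN, HOME, claimed_careof, CN, HOME_NONCE, CAREOF_NONCE, MH_DATA, mac)

if __name__ == "__main__":
    print("genuine care-of address:", run_exchange(CAREOF))
    print("unverified care-of address:", run_exchange("2001:db8:bad::10"))
```

A Binding Update that claims a care-of address for which no care-of keygen token was received does not verify, which is why no IPsec policy toward the CN is involved in this check.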

#4 Updated by JMU Dukes22 about 2 years ago

Tobias,

Thanks very much for the reply, I will look further into the RFC you referenced. I really appreciate your help and will keep you posted on any updates.

-JMUDukes22

#5 Updated by Tobias Brunner about 2 years ago

  • Status changed from Feedback to Closed
  • Resolution set to Invalid

#6 Updated by Andreas Steffen 12 months ago

  • Tracker changed from Bug to Issue
  • Assignee set to Tobias Brunner
