Issue #190

Mobile IPv6: IPsec Issues

Added by JMU Dukes22 about 1 year ago. Updated 16 days ago.

Status: Closed
Start date: 04.04.2012
Priority: Normal
Assignee: Andreas Steffen
Category: -
Affected version: 4.6.2
Resolution: Invalid

Description

Hello,

So after following the UMIP (kernel and UMIP install) guide, I was able to successfully get mobility to work properly WITHOUT strongSwan's IPsec (disabled) configuration.

HomeAgent_mip6d.conf.png (187 KB) JMU Dukes22, 04.04.2012 19:20

HomeAgent_ipsec.conf.png (236 KB) JMU Dukes22, 04.04.2012 19:20

MobileNode_ipsec.conf.png (235 KB) JMU Dukes22, 04.04.2012 19:35

MobileNode_mip6d.conf.png (204 KB) JMU Dukes22, 04.04.2012 19:35

SA&ipsectunnelestablishedfromMN1side.png - Even though the Pre-shared mechanism allows the IPsec tunnel and SA to be set up, it somehow causes mobility to fail (133 KB) JMU Dukes22, 04.04.2012 19:35

pingingfailsfromcntomn1onceipsecisenabled.png - An example of pinging/mobility failing when IPsec is enabled...however, when IPsec is disabled, pinging and mobility work fine (35.3 KB) JMU Dukes22, 04.04.2012 19:35

History

#1 Updated by JMU Dukes22 about 1 year ago

So the issue now is that whenever I disable "UseMnHaIPsec", mobility works just fine. Whenever this option (in the mip6d.conf files for the HomeAgent and MobileNode) is enabled, meaning IPsec has been enabled to work with Mobile IPv6, mobility does not work (meaning I move to a foreign network and the HomeAgent cannot forward all new messages to the MobileNode. When IPsec is disabled, the MobileNode can travel to a foreign network and have the HomeAgent forward packets to it).

I am not sure what is wrong and hope the strongSwan community will be able to look at my configuration files posted as pictures and give me advice to verify how I have set up IPsec improperly.

P.S. An important thing to note is that I tried to follow the "Mobile IPv6 Howto" from the strongSwan community: http://wiki.strongswan.org/projects/strongswan/wiki/MobileIPv6 , however I could not follow it as not all IPsec configuration files are provided...and the Howto used the RSA scheme, which I want to learn but am not familiar with. Because of this, I used the strongSwan PRE-SHARED IPsec settings...does it really make a difference? As you will see from my pictures, the issue is not establishing an IPsec tunnel...this has been done. The issue here is that whenever I establish an IPsec tunnel, the mobility capability is affected and does not work after it is enabled and a tunnel is set up.

#2 Updated by Andreas Steffen about 1 year ago

You MUST use the special ipsec.conf configuration files with, among others, the installpolicy=no, type=transport_proxy and auto=route options, because the charon IKEv2 daemon is totally controlled by the mip6d daemon via XFRM ACQUIRE and MIGRATE kernel messages. If you start the IPsec tunnels manually via ipsec up, you will never achieve cooperation with Mobile IPv6. It seems to me that all necessary configuration files are provided so that you can strictly follow our HOWTO.

Regards

Andreas
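An added example, not part of the original thread or of strongSwan itself: a small Python check that reads an ipsec.conf and reports every conn whose effective settings differ from the three options named in the reply above. It assumes every conn in the file is meant to be driven by mip6d, handles inheritance from conn %default but not also= includes, and runs on a constructed sample with hypothetical conn names and documentation-prefix addresses.

```python
# Options and values the reply above requires for conns driven by mip6d.
REQUIRED = {"installpolicy": "no", "type": "transport_proxy", "auto": "route"}
# Constructed sample (documentation-prefix addresses, hypothetical conn names).
SAMPLE = """\
conn %default
    installpolicy=no

conn mn-ha-mobility
    left=2001:db8:1::10
    right=2001:db8:1::1
    type=transport_proxy
    auto=route

conn mn-ha-manual      # brought up by hand with "ipsec up"
    authby=secret
    type=tunnel
    auto=add
"""

def parse_conns(text):
    """Parse ipsec.conf text into {conn_name: {option: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():  # section headers start in column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def check_mip6_conns(text):
    """Return {conn_name: [problems]}; an empty list means the conn passes."""
    conns = parse_conns(text)
    default = conns.pop("%default", {})
    report = {}
    for name, opts in conns.items():
        effective = {**default, **opts}  # conn %default values are inherited
        report[name] = [f"{k}={effective.get(k, '<unset>')} (need {k}={v})"
                        for k, v in REQUIRED.items() if effective.get(k) != v]
    return report

if __name__ == "__main__":
    for name, problems in check_mip6_conns(SAMPLE).items():
        print(name, "OK" if not problems else problems)
```
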

#3 Updated by JMU Dukes22 about 1 year ago

Hello Andreas,

Thanks very much for your reply, however, I can confirm your "Mobile IPv6 HowTo" does not provide all necessary configuration files. If you take a closer look at your HomeAgentSetup & MobileNodeSetup: http://wiki.strongswan.org/projects/strongswan/wiki/MobileIPv6 , you can see only the special "ipsec.conf" and mip6d.conf files; the corresponding files such as ipsec.secrets, ipsec.sql, and strongswan.conf are all missing...Please let me know if you can make these available for me.

P.S. However, I guess the big question is: Does it matter if I use Pre-Shared or RSA (which is what your Mobile IPv6 Howto follows) authentication? Most importantly, if you could please help walk me through the general process of setting up charon/ipsec to start automatically without having to manually start it via ipsec up, that would be very helpful as well.

Thanks in advance,

JMUDukes22

#4 Updated by Tobias Brunner 11 months ago

  • Status changed from New to Closed
  • Resolution set to Invalid

#5 Updated by Andreas Steffen 16 days ago

  • Tracker changed from Bug to Issue
  • Assignee set to Andreas Steffen
