Mobile IPv6 Missing Corresponding configuration files
I was wondering if the strongSwan community had the corresponding ipsec.secrets and strongswan.conf files for the Mobile IPv6 IPsec setup documented at from the following sources:
P.S. The mip6d.conf and ipsec.conf files are provided, however all other ipsec files: ipsec.secrets and strongswan.conf are not documented? I was hoping to use the IPv6 PSK IKEv2 remote access architecture if possible.
#1 Updated by Tobias Brunner over 4 years ago
- Status changed from New to Feedback
Since the authentication in these examples is certificate based and they are built on our UML test suite you'll find the certificates and ipsec.secrets files in source:testing/hosts. You probably don't have to configure anything special in strongswan.conf, otherwise Andreas would probably have posted it.
#2 Updated by JMU Dukes22 over 4 years ago
- File failedtoaddpolicy_1.png added
- File failedtoaddpolicy_2.png added
- File faildedtoaddpolicy_3.png added
I am temporarily using the IKEv2 Remote Access Pre-Shared Key for this setup. However, I have been getting the "Failed to add Policy" error whenever I run Mobile IPv6 daemon via:
sudo mip6d -c /etc/mip6d.conf
Pictures of the error is provided...it shows that the mip6d daemon failed to add the policy for the CN (Correspondent Node). This seems to be a common error when I Googled it but I did not really find a solution yet.
P.S. In terms of strongSwan, I am able to setup up the IPsec tunnels successfully. However its not very clear as to whether the CN is supposed to be up and running with along with the MN (Mobile Node) and HA (Home Agent) from your documentation: http://wiki.strongswan.org/projects/strongswan/wiki/MobileIPv6 ...so I have currently been running and setting up (2)IPsec tunnels simultaneously, one for the HA to MN and one for the HA to CN. To sum it up, I now have the HA connected to both the MN and CN, meaning there are two seperate IPsec tunnels setup. I did this intentionally because the mip6d error says "Failed to add policy" for the CN so I setup the CN's IPsec tunnel to the HA as well. This did not help out with the error.
#3 Updated by Tobias Brunner over 4 years ago
I don't really know MIPv6 all that well, but from what I've read in RFC 6275 (section 5.2.) the Binding Updates sent to CNs are not secured by IPsec but simply authenticated with a MAC and the CN uses a return routability procedure to verify that the HA is actually reachable at the claimed address.