Issue #175

Mobile IPv6 Missing Corresponding configuration files

Added by JMU Dukes22 over 6 years ago. Updated about 5 years ago.


I was wondering if the strongSwan community had the corresponding ipsec.secrets and strongswan.conf files for the Mobile IPv6 IPsec setup documented in the following sources:


P.S. The mip6d.conf and ipsec.conf files are provided; however, the other IPsec files (ipsec.secrets and strongswan.conf) are not documented. I was hoping to use the IPv6 PSK IKEv2 remote access architecture if possible.

Attachments:

  • failedtoaddpolicy_1.png (255 KB), error at end of the screenshot, JMU Dukes22, 13.02.2012 15:56
  • failedtoaddpolicy_2.png (102 KB), JMU Dukes22, 13.02.2012 15:56
  • faildedtoaddpolicy_3.png (74.3 KB), JMU Dukes22, 13.02.2012 15:56


#1 Updated by Tobias Brunner over 6 years ago

  • Status changed from New to Feedback

Since the authentication in these examples is certificate based and they are built on our UML test suite you'll find the certificates and ipsec.secrets files in source:testing/hosts. You probably don't have to configure anything special in strongswan.conf, otherwise Andreas would probably have posted it.

#2 Updated by JMU Dukes22 over 6 years ago


I am temporarily using the IKEv2 Remote Access Pre-Shared Key for this setup. However, I have been getting the "Failed to add Policy" error whenever I run the Mobile IPv6 daemon via:

sudo mip6d -c /etc/mip6d.conf

Pictures of the error show that the mip6d daemon failed to add the policy for the CN (Correspondent Node). This seems to be a common error when I Googled it, but I did not really find a solution yet.

P.S. In terms of strongSwan, I am able to set up the IPsec tunnels successfully. However, it's not very clear from your documentation whether the CN is supposed to be up and running along with the MN (Mobile Node) and HA (Home Agent). I have currently been running and setting up two IPsec tunnels simultaneously, one for the HA to MN and one for the HA to CN. To sum it up, I now have the HA connected to both the MN and CN, meaning there are two separate IPsec tunnels set up. I did this intentionally because the mip6d error says "Failed to add policy" for the CN, so I set up the CN's IPsec tunnel to the HA as well. This did not help with the error.


#3 Updated by Tobias Brunner over 6 years ago

I don't really know MIPv6 all that well, but from what I've read in RFC 6275 (section 5.2.) the Binding Updates sent to CNs are not secured by IPsec but simply authenticated with a MAC and the CN uses a return routability procedure to verify that the HA is actually reachable at the claimed address.

#4 Updated by JMU Dukes22 over 6 years ago


Thanks very much for the reply, I will look further into the RFC you referenced. I really appreciate your help and will keep you posted on any updates.


#5 Updated by Tobias Brunner about 6 years ago

  • Status changed from Feedback to Closed
  • Resolution set to Invalid

#6 Updated by Andreas Steffen about 5 years ago

  • Tracker changed from Bug to Issue
  • Assignee set to Tobias Brunner
