Issue #939

UDP Encapsulation for IPv6 traffic

Added by huanghanzhao huang about 4 years ago. Updated 18 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
kernel
Affected version:
Resolution:

Description

I tried to set up an IPv6 connection with the following scenario:

10.0.0.1[Server] fec0::2 ---[nat-t]-- fec0::1[Client]
When the Client's IP passes through the nat-t, the nat-t will change the Client's IP to another IP.

And the configuration is as follows:

[Client side]
conn home
        left=fec0::1
        keyexchange=ikev2
        authby=secret
        right=fec0::2
        rightsubnet=0.0.0.0/0
        auto=add

[Server side]
conn psk
        left=fec0::2
        leftsubnet=0.0.0.0/0
        keyexchange=ikev2
        authby=secret
        right=%any
        auto=add

However, after the IKE SA is established, the server side cannot set up the SAD successfully.
It shows the following error log:

received netlink error: Invalid argument (22)
Unable to add SAD entry with SPI c2dc9aa0
received netlink error: Invalid argument (22)
Unable to add SAD entry with SPI ced1801e
Unable to install inbound and outbound IPSec SA (SAD) in kernel


Related issues

Related to Feature #892: Android client and ipv6 gateway (Feedback, 2015-03-15)
Related to Issue #2231: Cannot create IPv4-via-IPv6 tunnel (Closed)
Related to Issue #2354: Approval from apple regarding an application using strongswan VPN (Closed)

History

#1 Updated by huanghanzhao huang about 4 years ago

PS:
My Linux kernel version is Linux 2.6.32.27.
And the strongswan version is 4.6.4.

#2 Updated by huanghanzhao huang about 4 years ago

I tried to set the SAs in Linux, as follows:
[root@localhost ~]# ip xfrm state add src fd14:828:ba69:2::2 dst fd14:828:ba69:1:21c:f0ff:fefa:f3c0 proto esp spi 0x00000301 mode tunnel auth md5 0x96358c90783bbfa3d7b196ceabe0536b enc des3_ede 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df encap espinudp 4500 4500 fd13:828:ba69:2::2
RTNETLINK answers: Invalid argument
[root@localhost ~]# setkey -D
No SAD entries.
[root@localhost ~]#

Can you tell me why?

#3 Updated by Martin Willi about 4 years ago

Hi,

AFAIK the Linux kernel does not support UDP encapsulation for IPv6 SAs.

Regards
Martin

#4 Updated by nanjian5 Lee about 4 years ago

/* enable UDP decapsulation for NAT-T sockets */
if (port && this->natt &&
    !hydra->kernel_interface->enable_udp_decap(hydra->kernel_interface,
                                               skt, family, this->natt))
{
    DBG1(DBG_NET, "enabling UDP decapsulation for %s on port %d failed",
         family == AF_INET ? "IPv4" : "IPv6", this->natt);
}

When I run IPv6 and strongswan 5.1.1 with Linux kernel 3.12.8, I cannot see the error message above. Does it mean that the kernel supports UDP encapsulation for IPv6 SAs?

#5 Updated by nanjian5 Lee about 4 years ago

    /*
     * This is an encapsulation socket so pass the skb to
     * the socket's udp_encap_rcv() hook. Otherwise, just
     * fall through and pass this up the UDP socket.
     * up->encap_rcv() returns the following value:
     * =0 if skb was successfully passed to the encap
     *    handler or was discarded by it.
     * >0 if skb should be passed on to UDP.
     * <0 if skb should be resubmitted as proto -N
     */

    /* if we're overly short, let UDP handle it */
    encap_rcv = ACCESS_ONCE(up->encap_rcv);
    if (skb->len > sizeof(struct udphdr) && encap_rcv != NULL) {
        int ret;

        ret = encap_rcv(sk, skb);
        if (ret <= 0) {
            UDP_INC_STATS_BH(sock_net(sk),
                             UDP_MIB_INDATAGRAMS,
                             is_udplite);
            return -ret;
        }
    }

I dug into the source code of Linux kernel 3.12.8 and found the above code in net\ipv6\udp.c

Does it mean that the kernel supports UDP encapsulation? Then it should support IPv6 NAT-T SAs.

#6 Updated by Martin Willi about 4 years ago

When I run IPv6 and strongswan 5.1.1 with Linux kernel 3.12.8, I cannot see the error message above. Does it mean that the kernel supports UDP encapsulation for IPv6 SAs?

Most likely.

I dug into the source code of Linux kernel 3.12.8 and found the above code in net\ipv6\udp.c

The mentioned code was added in Linux 3.5, so it is possible that this is supported now. I've never tested it, though.

Regards
Martin

#7 Updated by nanjian5 Lee about 4 years ago

received netlink error: Invalid argument (22)
Unable to add SAD entry with SPI c2dc9aa0
received netlink error: Invalid argument (22)
Unable to add SAD entry with SPI ced1801e
Unable to install inbound and outbound IPSec SA (SAD) in kernel

But I still get the same error message when running IPv6 and NAT-T with strongswan 5.1.1 and kernel 3.12.8.

#8 Updated by nanjian5 Lee about 4 years ago

The same result when running the following command on Linux kernel 3.12.8 and 3.13.11:

[root@localhost ~]# ip xfrm state add src fd14:828:ba69:2::2 dst fd14:828:ba69:1:21c:f0ff:fefa:f3c0 proto esp spi 0x00000301 mode tunnel auth md5 0x96358c90783bbfa3d7b196ceabe0536b enc des3_ede 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df encap espinudp 4500 4500 fd13:828:ba69:2::2
RTNETLINK answers: Invalid argument
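The manual `ip xfrm state add` test in the posts above can be turned into a repeatable check. The following probe is an added example, not strongSwan or kernel code: it adds an IPv4 ESP-in-UDP SA first as a control, so that a missing crypto or xfrm_user module is not mistaken for the IPv6 limitation, and only then tries the IPv6 SA. Addresses, SPI and keys are constructed throwaway values, everything happens in a private network namespace that is deleted afterwards, and the names `ns`, `add_sa` and `probe_ipv6_espinudp` are my own.

```shell
#!/bin/sh
# Added probe (not strongSwan or kernel code): does the running kernel accept an
# ESP-in-UDP (NAT-T) SA between IPv6 addresses, i.e. the operation that fails
# with "RTNETLINK answers: Invalid argument" in this thread?
# Return codes: 0 = supported, 1 = kernel rejected the IPv6 SA, 2 = could not test.
# Addresses, SPI and keys are constructed throwaway values; the SAs live in a
# private network namespace that is deleted again, so the host SAD is untouched.

KEY_A=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  # hmac(sha256)
KEY_E=0123456789abcdef0123456789abcdef                                  # aes-128

# $1 = src, $2 = dst, $3 = encap (original) address. Same shape as the
# command in this thread, with aes/sha256 instead of des3/md5.
add_sa() {
    ip netns exec "$ns" ip xfrm state add src "$1" dst "$2" proto esp \
        spi 0x301 mode tunnel auth sha256 "0x$KEY_A" enc aes "0x$KEY_E" \
        encap espinudp 4500 4500 "$3" >/dev/null 2>&1
}

probe_ipv6_espinudp() {
    ns="xfrmprobe$$"
    # Needs root (CAP_NET_ADMIN), iproute2 and netns support; otherwise "could not test".
    [ "$(id -u)" -eq 0 ] || return 2
    command -v ip >/dev/null 2>&1 || return 2
    ip netns add "$ns" 2>/dev/null || return 2
    if ! add_sa 192.0.2.2 192.0.2.1 192.0.2.2; then
        rc=2   # control failed: IPv4 espinudp does not work either, so not an IPv6 issue
    elif add_sa fd00::2 fd00::1 fd00::2; then
        rc=0
    else
        rc=1   # IPv4 accepted, IPv6 rejected with EINVAL: the behaviour reported here
    fi
    ip netns delete "$ns" 2>/dev/null
    return "$rc"
}

probe_ipv6_espinudp
case $? in
    0) echo "kernel accepts IPv6 ESP-in-UDP SAs" ;;
    1) echo "kernel rejects IPv6 ESP-in-UDP SAs (IPv4 espinudp works)" ;;
    *) echo "could not test (need root, iproute2, netns and xfrm support)" ;;
esac
```

A result of 1 on a given kernel means strongSwan will hit the same netlink EINVAL when installing the CHILD_SA, whatever its own version.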

#10 Updated by Tobias Brunner about 3 years ago

  • Related to Feature #892: Android client and ipv6 gateway added

#11 Updated by Tobias Brunner over 2 years ago

  • Related to Issue #2231: Cannot create IPv4-via-IPv6 tunnel added

#12 Updated by Noel Kuntze almost 2 years ago

  • Category set to kernel
  • Status changed from New to Feedback

Still no support in Kernel 4.9.29.

#13 Updated by Noel Kuntze almost 2 years ago

  • Affected version deleted (5.3.0)

#14 Updated by Noel Kuntze almost 2 years ago

  • Related to Issue #2354: Approval from apple regarding an application using strongswan VPN added

#15 Updated by Noel Kuntze 18 days ago

  • Subject changed from IPSEC nat-t for IPv6 to UDP Encapsulation for IPv6 traffic
  • Description updated (diff)
  • Assignee set to Noel Kuntze

Development in progress.
