MIPv6 Home Agent Setup

mip6d.conf

NodeConfig HA;

UseMnHaIPsec enabled;
KeyMngMobCapability enabled;
DefaultBindingAclPolicy deny;

Interface "eth0";

include "/etc/mip6d.conf.d/carol.mip6d.conf" 
include "/etc/mip6d.conf.d/dave.mip6d.conf" 

mip6d.conf.d/carol.mip6d.conf

Interface "eth1";

IPsecPolicySet {
    HomeAgentAddress 2001:1::1;
    HomeAddress 2001:1::10/64;

    IPsecPolicy Mh UseESP 1;
    IPsecPolicy TunnelPayload UseESP 2;
}

BindingAclPolicy 2001:1::10 allow;

mip6d.conf.d/dave.mip6d.conf

IPsecPolicySet {
    HomeAgentAddress 2001:1::1;
    HomeAddress 2001:1::20/64;

    IPsecPolicy Mh UseESP 3;
    IPsecPolicy TunnelPayload UseESP 4;
}

BindingAclPolicy 2001:1::20 allow;

A word of WARNING:

The reqid defined in the IPsecPolicy lines of the mip6d.conf files currently must exactly match
the reqid that strongSwan assigns to the corresponding IPsec SA. strongSwan assigns these reqids
from a linear counter starting at 1. If the two do not match, the communication between the mip6d
and strongSwan daemons via MIGRATE and ACQUIRE kernel messages is simply not going to work. Thus
make sure that you start up the MN-HA connections in the correct order, i.e. in our example first
the connection from MN carol (reqids 1 and 2) and only after that the connection from MN dave
(reqids 3 and 4). We are aware that this is a severe restriction and are working on a more robust
scheme.

ipsec.conf

config setup
        crlcheckinterval=180
        plutostart=no
        charondebug="knl 2" 

conn %default
        keyexchange=ikev2
        reauth=no
        mobike=no
        installpolicy=no

conn mh
        also=ha
        leftsubnet=2001:1::1/128
        leftprotoport=135/0
        rightprotoport=135/0
        type=transport_proxy

conn tunnel
        also=ha
        leftsubnet=::/0

conn ha
        left=2001:1::1
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        right=%any
        ike=aes128-sha1-modp2048!
        esp=aes128-sha1-modp2048!

include /etc/ipsec.conf.d/carol.ipsec.conf
include /etc/ipsec.conf.d/dave.ipsec.conf

ipsec.conf.d/carol.ipsec.conf

conn carol
        rightsubnet=2001:1::10/128
        rightid=carol@strongswan.org

conn carol-mh
        also=carol
        also=mh
        auto=add

conn carol-tunnel
        also=carol
        also=tunnel
        auto=add

ipsec.conf.d/dave.ipsec.conf

conn dave 
        rightsubnet=2001:1::20/128
        rightid=dave@strongswan.org

conn dave-mh
        also=dave
        also=mh
        auto=add

conn dave-tunnel
        also=dave
        also=tunnel
        auto=add

MN-to-HA Connection Establishment

Start strongSwan first; the IPsec connection definitions (all auto=add, so none is initiated by the HA) are loaded at startup

ipsec start

Nov 19 08:39:01 moon charon: 01[DMN] starting charon (strongSwan Version 4.2.9)
Nov 19 08:39:01 moon charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 19 08:39:01 moon charon: 01[LIB]   loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 19 08:39:01 moon charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 19 08:39:01 moon charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 19 08:39:01 moon charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 19 08:39:01 moon charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 19 08:39:01 moon charon: 01[LIB]   loaded crl file '/etc/ipsec.d/crls/strongswan.crl'
Nov 19 08:39:01 moon charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 19 08:39:01 moon charon: 01[CFG]   loaded private key file '/etc/ipsec.d/private/moonKey.pem'
Nov 19 08:39:01 moon charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 
Nov 19 08:39:01 moon charon: 01[KNL] listening on interfaces:
Nov 19 08:39:01 moon charon: 01[KNL]   eth1
Nov 19 08:39:01 moon charon: 01[KNL]     10.1.0.1
Nov 19 08:39:01 moon charon: 01[KNL]     2001:1::1
Nov 19 08:39:01 moon charon: 01[KNL]     fec1::1
Nov 19 08:39:01 moon charon: 01[KNL]     fe80::90fb:65ff:fea0:1d83
Nov 19 08:39:01 moon charon: 01[KNL]   eth0
Nov 19 08:39:01 moon charon: 01[KNL]     192.168.0.1
Nov 19 08:39:01 moon charon: 01[KNL]     2001::1
Nov 19 08:39:01 moon charon: 01[KNL]     fec0::1
Nov 19 08:39:01 moon charon: 01[KNL]     fe80::fc27:dff:fe75:c32d
Nov 19 08:39:01 moon charon: 01[JOB] spawning 16 worker threads
Nov 19 08:39:01 moon charon: 08[CFG] crl caching to /etc/ipsec.d/crls enabled
Nov 19 08:39:01 moon charon: 10[CFG] received stroke: add connection 'carol-mh'
Nov 19 08:39:01 moon charon: 10[KNL] getting interface name for %any
Nov 19 08:39:01 moon charon: 10[KNL] %any is not a local address
Nov 19 08:39:01 moon charon: 10[KNL] getting interface name for 2001:1::1
Nov 19 08:39:01 moon charon: 10[KNL] 2001:1::1 is on interface eth1
Nov 19 08:39:01 moon charon: 10[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Nov 19 08:39:01 moon charon: 10[CFG] added configuration 'carol-mh': 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]
Nov 19 08:39:01 moon charon: 12[CFG] received stroke: add connection 'carol-tunnel'
Nov 19 08:39:01 moon charon: 12[KNL] getting interface name for %any
Nov 19 08:39:01 moon charon: 12[KNL] %any is not a local address
Nov 19 08:39:01 moon charon: 12[KNL] getting interface name for 2001:1::1
Nov 19 08:39:01 moon charon: 12[KNL] 2001:1::1 is on interface eth1
Nov 19 08:39:01 moon charon: 12[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Nov 19 08:39:01 moon charon: 12[CFG] added child to existing configuration 'carol-mh'
Nov 19 08:39:01 moon charon: 14[CFG] received stroke: add connection 'dave-mh'
Nov 19 08:39:01 moon charon: 14[KNL] getting interface name for %any
Nov 19 08:39:01 moon charon: 14[KNL] %any is not a local address
Nov 19 08:39:01 moon charon: 14[KNL] getting interface name for 2001:1::1
Nov 19 08:39:01 moon charon: 14[KNL] 2001:1::1 is on interface eth1
Nov 19 08:39:01 moon charon: 14[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Nov 19 08:39:01 moon charon: 14[CFG] added configuration 'dave-mh': 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]
Nov 19 08:39:01 moon charon: 15[CFG] received stroke: add connection 'dave-tunnel'
Nov 19 08:39:01 moon charon: 15[KNL] getting interface name for %any
Nov 19 08:39:01 moon charon: 15[KNL] %any is not a local address
Nov 19 08:39:01 moon charon: 15[KNL] getting interface name for 2001:1::1
Nov 19 08:39:01 moon charon: 15[KNL] 2001:1::1 is on interface eth1
Nov 19 08:39:01 moon charon: 15[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Nov 19 08:39:01 moon charon: 15[CFG] added child to existing configuration 'dave-mh'

Next the MIPv6 daemon is activated

/etc/init.d/mip6d start

Nov 19 08:39:05 moon mip6d[1490]: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Home Agent)

strongSwan now waits for the MN to initiate the IPsec transport SA that protects the Binding Update (Mobility Header, protocol 135)

Nov 19 08:39:23 moon charon: 03[NET] received packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]
Nov 19 08:39:23 moon charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 19 08:39:23 moon charon: 03[IKE] 2001::41a:a8ff:fe6f:c67 is initiating an IKE_SA
Nov 19 08:39:23 moon charon: 03[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Nov 19 08:39:23 moon charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Nov 19 08:39:23 moon charon: 03[NET] sending packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]
Nov 19 08:39:23 moon charon: 08[NET] received packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]
Nov 19 08:39:23 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 19 08:39:23 moon charon: 08[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Nov 19 08:39:23 moon charon: 08[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org" 
Nov 19 08:39:23 moon charon: 08[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org" 
Nov 19 08:39:23 moon charon: 08[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Nov 19 08:39:23 moon charon: 08[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org" 
Nov 19 08:39:23 moon charon: 08[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Nov 19 08:39:23 moon charon: 08[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Nov 19 08:39:23 moon charon: 08[CFG]   crl is valid: until Dec 13 07:58:20 2008
Nov 19 08:39:23 moon charon: 08[CFG]   using cached crl
Nov 19 08:39:23 moon charon: 08[CFG] certificate status is good
Nov 19 08:39:23 moon charon: 08[IKE] authentication of 'carol@strongswan.org' with RSA signature successful
Nov 19 08:39:23 moon charon: 08[CFG] found matching peer config "carol-mh": moon.strongswan.org...carol@strongswan.org with prio 40.5
Nov 19 08:39:23 moon charon: 08[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
Nov 19 08:39:23 moon charon: 08[IKE] scheduling rekeying in 3323s
Nov 19 08:39:23 moon charon: 08[IKE] maximum IKE_SA lifetime 3503s
Nov 19 08:39:23 moon charon: 08[IKE] IKE_SA carol-mh[1] established between 2001:1::1[moon.strongswan.org]...2001::41a:a8ff:fe6f:c67[carol@strongswan.org]
Nov 19 08:39:23 moon charon: 08[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" 
Nov 19 08:39:23 moon charon: 08[CHD] other address: 2001::41a:a8ff:fe6f:c67 is a transport mode proxy for 2001:1::10
Nov 19 08:39:23 moon charon: 08[KNL] getting SPI for reqid {1}
Nov 19 08:39:23 moon charon: 08[KNL] got SPI ca64ae98 for reqid {1}
Nov 19 08:39:23 moon charon: 08[KNL] adding SAD entry with SPI ca64ae98 and reqid {1}
Nov 19 08:39:23 moon charon: 08[KNL]   using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:23 moon charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:23 moon charon: 08[KNL] adding SAD entry with SPI c5959ac2 and reqid {1}
Nov 19 08:39:23 moon charon: 08[KNL]   using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:23 moon charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:23 moon charon: 08[IKE] CHILD_SA carol-mh{1} established with SPIs ca64ae98_i c5959ac2_o and TS 2001:1::1/128[135] === 2001:1::10/128[135]
Nov 19 08:39:23 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 19 08:39:23 moon charon: 08[NET] sending packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]

The MIPv6 daemon then sends some MIGRATE messages to strongSwan

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::10/128[135] === 2001:1::1/128[135] in
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP %any...%any to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {1}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] in with reqid {1}

Nov 19 08:39:24 moon charon: 05[KNL] interface ip6tnl1 activated

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::1/128[135] === 2001:1::10/128[135] in
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {1}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] out with reqid {1}

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 out
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 in
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   policy: ::/0 === 2001:1::10/128 fwd
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 out with reqid {2}
Nov 19 08:39:24 moon charon: 11[JOB] no CHILD_SA found with reqid {2}

The last migrate job finds no CHILD_SA with reqid {2} yet, since the MN initiates the IPsec payload tunnel SA only immediately after that

Nov 19 08:39:24 moon charon: 14[NET] received packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]
Nov 19 08:39:24 moon charon: 14[ENC] parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Nov 19 08:39:24 moon charon: 14[KNL] getting SPI for reqid {2}
Nov 19 08:39:24 moon charon: 14[KNL] got SPI c190d5ba for reqid {2}
Nov 19 08:39:24 moon charon: 14[KNL] adding SAD entry with SPI c190d5ba and reqid {2}
Nov 19 08:39:24 moon charon: 14[KNL]   using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:24 moon charon: 14[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:24 moon charon: 14[KNL] adding SAD entry with SPI ce4db893 and reqid {2}
Nov 19 08:39:24 moon charon: 14[KNL]   using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:24 moon charon: 14[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:24 moon charon: 14[IKE] CHILD_SA carol-tunnel{2} established with SPIs c190d5ba_i ce4db893_o and TS ::/0 === 2001:1::10/128 
Nov 19 08:39:24 moon charon: 14[ENC] generating CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
Nov 19 08:39:24 moon charon: 14[NET] sending packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]
Nov 19 08:39:24 moon charon: 12[KNL] querying SAD entry with SPI c190d5ba for update
Nov 19 08:39:24 moon charon: 12[KNL] querying replay state from SAD entry with SPI c190d5ba
Nov 19 08:39:24 moon charon: 12[KNL] deleting SAD entry with SPI c190d5ba
Nov 19 08:39:24 moon charon: 12[KNL] deleted SAD entry with SPI c190d5ba
Nov 19 08:39:24 moon charon: 12[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67[500]..2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[0]..2001:1::1[0]
Nov 19 08:39:24 moon charon: 12[KNL] querying SAD entry with SPI ce4db893 for update
Nov 19 08:39:24 moon charon: 12[KNL] querying replay state from SAD entry with SPI ce4db893
Nov 19 08:39:24 moon charon: 12[KNL] deleting SAD entry with SPI ce4db893
Nov 19 08:39:24 moon charon: 12[KNL] deleted SAD entry with SPI ce4db893
Nov 19 08:39:24 moon charon: 12[KNL] updating SAD entry with SPI ce4db893 from 2001:1::1[500]..2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[0]..2001::41a:a8ff:fe6f:c67[0]

IPsec Status after Establishment

ipsec statusall

Performance:
  uptime: 2 minutes, since Nov 19 08:39:01 2008
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 
Listening IP addresses:
  10.1.0.1
  2001:1::1
  fec1::1
  192.168.0.1
  2001::1
  fec0::1
Connections:
    carol-mh:  2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]
    carol-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
    carol-mh:  public key authentication
    carol-mh:    2001:1::1/128[135] === 2001:1::10/128[135]
carol-tunnel:    ::/0 === 2001:1::10/128 
     dave-mh:  2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]
     dave-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
     dave-mh:  public key authentication
     dave-mh:    2001:1::1/128[135] === 2001:1::20/128[135]
 dave-tunnel:    ::/0 === 2001:1::20/128 
Security Associations:
    carol-mh[1]: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::41a:a8ff:fe6f:c67[carol@strongswan.org]
    carol-mh[1]: IKE SPIs: 58b6f8e6f23188fa_i 63fdcfb55179c548_r*, rekeying in 53 minutes
    carol-mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT
    carol-mh{1}:  INSTALLED, TRANSPORT_PROXY, ESP SPIs: ca64ae98_i c5959ac2_o
    carol-mh{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 12 minutes, last use: 101s_i no_o 
    carol-mh{1}:   2001:1::1/128[135] === 2001:1::10/128[135]
carol-tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: c190d5ba_i ce4db893_o
carol-tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o 
carol-tunnel{2}:   ::/0 === 2001:1::10/128 

The IPsec policy in the Linux 2.6 kernel

ip xfrm policy

src 2001:1::10/128 dst 2001:1::1/128 proto 135 
        dir in priority 2 ptype main 
        tmpl src :: dst ::
                proto esp reqid 1 mode transport

src 2001:1::1/128 dst 2001:1::10/128 proto 135 
        dir out priority 2 ptype main 
        tmpl src :: dst ::
                proto esp reqid 1 mode transport

src 2001:1::20/128 dst 2001:1::1/128 proto 135 
        dir in priority 2 ptype main 
        tmpl src :: dst ::
                proto esp reqid 3 mode transport

src 2001:1::1/128 dst 2001:1::20/128 proto 135 
        dir out priority 2 ptype main 
        tmpl src :: dst ::
                proto esp reqid 3 mode transport

src 2001:1::10/128 dst ::/0 
        dir in priority 10 ptype main 
        tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
                proto esp reqid 2 mode tunnel

src 2001:1::10/128 dst ::/0 
        dir fwd priority 10 ptype main 
        tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
                proto esp reqid 2 mode tunnel

src ::/0 dst 2001:1::10/128 
        dir out priority 10 ptype main 
        tmpl src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
                proto esp reqid 2 mode tunnel
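
The following checker, added here and not part of the strongSwan page or of the mip6d/strongSwan projects, verifies the reqid constraint from the warning above against an `ip xfrm policy` dump like the one just shown and derives the MN start-up order that constraint implies. Its two inputs are constructed from this page's carol/dave configuration and policy output.

```python
# Added example, not code from the strongSwan page or the mip6d/strongSwan projects:
# check that the reqids in mip6d.conf.d match the ESP templates the kernel holds
# and derive the MN start-up order the warning above demands.
import re

# Constructed input: the page's two per-MN fragments, condensed onto fewer lines.
MIP6D_CONF = """\
IPsecPolicySet { HomeAgentAddress 2001:1::1; HomeAddress 2001:1::10/64;
    IPsecPolicy Mh UseESP 1; IPsecPolicy TunnelPayload UseESP 2; }
IPsecPolicySet { HomeAgentAddress 2001:1::1; HomeAddress 2001:1::20/64;
    IPsecPolicy Mh UseESP 3; IPsecPolicy TunnelPayload UseESP 4; }
"""

# Constructed input: an excerpt of the HA's `ip xfrm policy` output.
XFRM_POLICY = """\
src 2001:1::10/128 dst 2001:1::1/128 proto 135
        dir in priority 2 ptype main
        tmpl src :: dst ::
                proto esp reqid 1 mode transport

src ::/0 dst 2001:1::10/128
        dir out priority 10 ptype main
        tmpl src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
                proto esp reqid 2 mode tunnel
"""

CONF_BLOCK = re.compile(r"IPsecPolicySet\s*\{(.*?)\}", re.S)
CONF_POLICY = re.compile(r"IPsecPolicy\s+(Mh|TunnelPayload)\s+UseESP\s+(\d+)\s*;")
XFRM_HEAD = re.compile(r"^src (\S+) dst (\S+)(?: proto (\d+))?", re.M)

def parse_mip6d(conf_text):
    """Map each home address to its HA and its Mh/TunnelPayload reqids."""
    nodes = {}
    for block in CONF_BLOCK.findall(conf_text):
        ha = re.search(r"HomeAgentAddress\s+(\S+);", block).group(1)
        hoa = re.search(r"HomeAddress\s+([^/;\s]+)", block).group(1)
        nodes[hoa] = {"ha": ha}
        for kind, reqid in CONF_POLICY.findall(block):
            nodes[hoa][kind] = int(reqid)
    return nodes

def parse_xfrm_policy(xfrm_text):
    """Return (src, dst, proto or None, dir, reqid) for every ESP policy."""
    policies = []
    for chunk in re.split(r"\n\s*\n", xfrm_text.strip()):
        head = XFRM_HEAD.search(chunk)
        direction = re.search(r"\bdir (\w+)", chunk)
        tmpl = re.search(r"proto esp reqid (\d+)", chunk)
        if head and direction and tmpl:  # skip policies without an ESP template
            policies.append(head.groups() + (direction.group(1), int(tmpl.group(1))))
    return policies

def check_reqids(conf_text, xfrm_text):
    """Return (problems, startup_order): problems is empty when config and kernel agree;
    startup_order lists home addresses by ascending Mh reqid, the required bring-up order."""
    nodes, policies = parse_mip6d(conf_text), parse_xfrm_policy(xfrm_text)
    problems, owners = [], {}
    # A reqid must belong to exactly one policy of exactly one MN.
    for hoa, entry in nodes.items():
        for kind in ("Mh", "TunnelPayload"):
            reqid = entry.get(kind)
            if reqid is None:
                problems.append(f"{hoa}: missing IPsecPolicy {kind}")
            elif reqid in owners:
                problems.append(f"reqid {reqid} used by {owners[reqid]} and {hoa}/{kind}")
            else:
                owners[reqid] = f"{hoa}/{kind}"
    # The MH policy (proto 135, HoA<->HA) must carry the Mh reqid and the payload
    # policy (HoA<->::/0) the TunnelPayload reqid of the same MN.
    for hoa, entry in nodes.items():
        for src, dst, proto, direction, reqid in policies:
            ends = {src, dst}
            if proto == "135" and ends == {hoa + "/128", entry["ha"] + "/128"}:
                kind = "Mh"
            elif proto is None and ends == {hoa + "/128", "::/0"}:
                kind = "TunnelPayload"
            else:
                continue
            if entry.get(kind) not in (None, reqid):
                problems.append(f"{hoa}: {kind} policy ({direction}) has reqid {reqid}, "
                                f"mip6d.conf says {entry[kind]}")
    order = sorted(nodes, key=lambda h: nodes[h].get("Mh", 0))
    return problems, order
```

Feed it the live `ip xfrm policy` output instead of the constructed excerpt; a non-empty problems list means the MIGRATE/ACQUIRE exchange described in the warning cannot work for the affected MN.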

and the IPsec state in the Linux 2.6 kernel

ip xfrm state

src :: dst ::
        proto hao reqid 0 mode ro
        replay-window 0 flag wildrecv
        coa ::
        sel src ::/0 dst ::/0 

src 2001:1::10 dst 2001:1::1
        proto esp spi 0xca64ae98 reqid 1 mode transport
        replay-window 32 
        auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611
        enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20
        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10
        proto esp spi 0xc5959ac2 reqid 1 mode transport
        replay-window 32 
        auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff
        enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359
        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10
        proto route2 reqid 0 mode ro
        replay-window 0 
        coa 2001::41a:a8ff:fe6f:c67
        lastused 2008-11-19 08:39:25
        sel src 2001:1::1/128 dst 2001:1::10/128 

src 2001:1::10 dst 2001:1::1
        proto hao reqid 0 mode ro
        replay-window 0 
        coa 2001::41a:a8ff:fe6f:c67
        sel src 2001:1::10/128 dst 2001:1::1/128 

src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
        proto esp spi 0xc190d5ba reqid 2 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02
        enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56

src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
        proto esp spi 0xce4db893 reqid 2 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af
        enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf

Care-of-Address (CoA) Change

After some time the MN changes its Care-of-Address (CoA) to 2001::50,
which it communicates to the HA in a Binding Update message. This
causes the MIPv6 daemon to issue MIGRATE messages to strongSwan

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128[135] === 2001:1::1/128[135] out
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP %any...%any to 2001::50...2001:1::1, reqid {1}
Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] in with reqid {1}

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::1/128[135] === 2001:1::10/128[135] in
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::50, reqid {1}
Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] out with reqid {1}

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 out
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}
Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}

Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry with SPI c190d5ba for update
Nov 19 08:41:56 moon charon: 10[KNL] querying replay state from SAD entry with SPI c190d5ba
Nov 19 08:41:56 moon charon: 10[KNL] deleting SAD entry with SPI c190d5ba
Nov 19 08:41:56 moon charon: 10[KNL] deleted SAD entry with SPI c190d5ba
Nov 19 08:41:56 moon charon: 10[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67[0]..2001:1::1[0] to 2001::50[0]..2001:1::1[0]

Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry with SPI ce4db893 for update
Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry failed: No such process (3)
Nov 19 08:41:56 moon charon: 10[KNL] unable to update SAD entry with SPI ce4db893

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 in
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}
Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   policy: ::/0 === 2001:1::10/128 fwd
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001:1::1...2001::41a:a8ff:fe6f:c67 to 2001:1::1...2001::50, reqid {2}

IPsec Status after CoA Change

ipsec statusall

Performance:
  uptime: 3 minutes, since Nov 19 08:39:01 2008
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 
Listening IP addresses:
  10.1.0.1
  2001:1::1
  fec1::1
  192.168.0.1
  2001::1
  fec0::1
Connections:
    carol-mh:  2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]
    carol-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
    carol-mh:  public key authentication
    carol-mh:    2001:1::1/128[135] === 2001:1::10/128[135]
carol-tunnel:    ::/0 === 2001:1::10/128
     dave-mh:  2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]
     dave-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
     dave-mh:  public key authentication
     dave-mh:    2001:1::1/128[135] === 2001:1::20/128[135]
 dave-tunnel:    ::/0 === 2001:1::20/128 
Security Associations:
    carol-mh[1]: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::50[carol@strongswan.org]
    carol-mh[1]: IKE SPIs: 58b6f8e6f23188fa_i 63fdcfb55179c548_r*, rekeying in 52 minutes
    carol-mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT
    carol-mh{1}:  INSTALLED, TRANSPORT_PROXY, ESP SPIs: ca64ae98_i c5959ac2_o
    carol-mh{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 11 minutes, last use: 45s_i no_o 
    carol-mh{1}:   2001:1::1/128[135] === 2001:1::10/128[135]
carol-tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: c190d5ba_i ce4db893_o
carol-tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 8s_i 8s_o 
carol-tunnel{2}:   ::/0 === 2001:1::10/128

The IPsec state in the Linux 2.6 kernel after the CoA change

ip xfrm state

src :: dst ::
        proto hao reqid 0 mode ro
        replay-window 0 flag wildrecv
        coa ::
        sel src ::/0 dst ::/0 

src 2001:1::10 dst 2001:1::1
        proto esp spi 0xca64ae98 reqid 1 mode transport
        replay-window 32 
        auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611
        enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20
        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10
        proto esp spi 0xc5959ac2 reqid 1 mode transport
        replay-window 32 
        auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff
        enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359
        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10
        proto route2 reqid 0 mode ro
        replay-window 0 
        coa 2001::50
        lastused 2008-11-19 08:39:25
        sel src 2001:1::1/128 dst 2001:1::10/128 

src 2001:1::10 dst 2001:1::1
        proto hao reqid 0 mode ro
        replay-window 0 
        coa 2001::50
        sel src 2001:1::10/128 dst 2001:1::1/128 

src 2001:1::1 dst 2001::50
        proto esp spi 0xce4db893 reqid 2 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af
        enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf

src 2001::50 dst 2001:1::1
        proto esp spi 0xc190d5ba reqid 2 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02
        enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56