- Table of contents
- MIPv6 Home Agent Setup
MIPv6 Home Agent Setup¶
mip6d.conf¶
NodeConfig HA; UseMnHaIPsec enabled; KeyMngMobCapability enabled; DefaultBindingAclPolicy deny; Interface "eth0"; include "/etc/mip6d.conf.d/carol.mip6d.conf" include "/etc/mip6d.conf.d/dave.mip6d.conf"
mip6d.conf.d/carol.mip6d.conf¶
Interface "eth1";
IPsecPolicySet {
HomeAgentAddress 2001:1::1;
HomeAddress 2001:1::10/64;
IPsecPolicy Mh UseESP 1;
IPsecPolicy TunnelPayload UseESP 2;
}
BindingAclPolicy 2001:1::10 allow;
mip6d.conf.d/dave.mip6d.conf¶
IPsecPolicySet {
HomeAgentAddress 2001:1::1;
HomeAddress 2001:1::20/64;
IPsecPolicy Mh UseESP 3;
IPsecPolicy TunnelPayload UseESP 4;
}
BindingAclPolicy 2001:1::20 allow;
A word of WARNING:
The reqid defined in the IPsecPolicy lines of the mip6d.conf files currently must exactly match
the reqid assigned by strongSwan to the corresponding IPsec SA. strongSwan does the assignment using
a linear counter starting with reqid 1. Otherwise the communication between the mip6d and strongSwan daemons
via MIGRATE and ACQUIRE kernel messages is simply not going to work. Thus make sure that you start up the
MN-HA connections in the correct order, i.e. in our example first the connection from MN carol
(reqids 1 and 2) and only after that the connection from MN dave (reqids 3 and 4). We are aware that
this is a severe restriction and are working on a more robust scheme.
ipsec.conf¶
config setup
crlcheckinterval=180
plutostart=no
charondebug="knl 2"
conn %default
keyexchange=ikev2
reauth=no
mobike=no
installpolicy=no
conn mh
also=ha
leftsubnet=2001:1::1/128
leftprotoport=135/0
rightprotoport=135/0
type=transport_proxy
conn tunnel
also=ha
leftsubnet=::/0
conn ha
left=2001:1::1
leftcert=moonCert.pem
leftid=@moon.strongswan.org
right=%any
ike=aes128-sha1-modp2048!
esp=aes128-sha1-modp2048!
include /etc/ipsec.conf.d/carol.ipsec.conf
include /etc/ipsec.conf.d/dave.ipsec.conf
ipsec.conf.d/carol.ipsec.conf¶
conn carol
rightsubnet=2001:1::10/128
rightid=carol@strongswan.org
conn carol-mh
also=carol
also=mh
auto=add
conn carol-tunnel
also=carol
also=tunnel
auto=add
ipsec.conf.d/dave.ipsec.conf¶
conn dave
rightsubnet=2001:1::20/128
rightid=dave@strongswan.org
conn dave-mh
also=dave
also=mh
auto=add
conn dave-tunnel
also=dave
also=tunnel
auto=add
MN-to-HA Connection Establishment¶
Start strongSwan first and the IPsec connection definitions will be loaded
ipsec start Nov 19 08:39:01 moon charon: 01[DMN] starting charon (strongSwan Version 4.2.9) Nov 19 08:39:01 moon charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' Nov 19 08:39:01 moon charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem' Nov 19 08:39:01 moon charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' Nov 19 08:39:01 moon charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' Nov 19 08:39:01 moon charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' Nov 19 08:39:01 moon charon: 01[CFG] loading crls from '/etc/ipsec.d/crls' Nov 19 08:39:01 moon charon: 01[LIB] loaded crl file '/etc/ipsec.d/crls/strongswan.crl' Nov 19 08:39:01 moon charon: 01[CFG] loading secrets from '/etc/ipsec.secrets' Nov 19 08:39:01 moon charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/moonKey.pem' Nov 19 08:39:01 moon charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql Nov 19 08:39:01 moon charon: 01[KNL] listening on interfaces: Nov 19 08:39:01 moon charon: 01[KNL] eth1 Nov 19 08:39:01 moon charon: 01[KNL] 10.1.0.1 Nov 19 08:39:01 moon charon: 01[KNL] 2001:1::1 Nov 19 08:39:01 moon charon: 01[KNL] fec1::1 Nov 19 08:39:01 moon charon: 01[KNL] fe80::90fb:65ff:fea0:1d83 Nov 19 08:39:01 moon charon: 01[KNL] eth0 Nov 19 08:39:01 moon charon: 01[KNL] 192.168.0.1 Nov 19 08:39:01 moon charon: 01[KNL] 2001::1 Nov 19 08:39:01 moon charon: 01[KNL] fec0::1 Nov 19 08:39:01 moon charon: 01[KNL] fe80::fc27:dff:fe75:c32d Nov 19 08:39:01 moon charon: 01[JOB] spawning 16 worker threads Nov 19 08:39:01 moon charon: 08[CFG] crl caching to /etc/ipsec.d/crls enabled Nov 19 08:39:01 moon charon: 10[CFG] received stroke: add connection 'carol-mh' Nov 19 08:39:01 moon charon: 10[KNL] getting interface name for %any Nov 19 08:39:01 moon charon: 10[KNL] %any is not a local address Nov 19 08:39:01 moon charon: 10[KNL] getting interface name for 2001:1::1 Nov 19 08:39:01 moon charon: 10[KNL] 2001:1::1 is on interface eth1 Nov 19 08:39:01 moon charon: 10[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem' Nov 19 08:39:01 moon charon: 10[CFG] added configuration 'carol-mh': 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org] Nov 19 08:39:01 moon charon: 12[CFG] received stroke: add connection 'carol-tunnel' Nov 19 08:39:01 moon charon: 12[KNL] getting interface name for %any Nov 19 08:39:01 moon charon: 12[KNL] %any is not a local address Nov 19 08:39:01 moon charon: 12[KNL] getting interface name for 2001:1::1 Nov 19 08:39:01 moon charon: 12[KNL] 2001:1::1 is on interface eth1 Nov 19 08:39:01 moon charon: 12[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem' Nov 19 08:39:01 moon charon: 12[CFG] added child to existing configuration 'carol-mh' Nov 19 08:39:01 moon charon: 14[CFG] received stroke: add connection 'dave-mh' Nov 19 08:39:01 moon charon: 14[KNL] getting interface name for %any Nov 19 08:39:01 moon charon: 14[KNL] %any is not a local address Nov 19 08:39:01 moon charon: 14[KNL] getting interface name for 2001:1::1 Nov 19 08:39:01 moon charon: 14[KNL] 2001:1::1 is on interface eth1 Nov 19 08:39:01 moon charon: 14[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem' Nov 19 08:39:01 moon charon: 14[CFG] added configuration 'dave-mh': 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org] Nov 19 08:39:01 moon charon: 15[CFG] received stroke: add connection 'dave-tunnel' Nov 19 08:39:01 moon charon: 15[KNL] getting interface name for %any Nov 19 08:39:01 moon charon: 15[KNL] %any is not a local address Nov 19 08:39:01 moon charon: 15[KNL] getting interface name for 2001:1::1 Nov 19 08:39:01 moon charon: 15[KNL] 2001:1::1 is on interface eth1 Nov 19 08:39:01 moon charon: 15[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem' Nov 19 08:39:01 moon charon: 15[CFG] added child to existing configuration 'dave-mh'
Next the MIPv6 daemon is activated
/etc/init.d/mip6d start Nov 19 08:39:05 moon mip6dr1490: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Home Agent)
strongSwan is now waiting for the MN to initiate the IPsec transport SA for the Binding Update
Nov 19 08:39:23 moon charon: 03[NET] received packet: from 2001::41a:a8ff:fe6f:c67r500 to 2001:1::1r500
Nov 19 08:39:23 moon charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 19 08:39:23 moon charon: 03[IKE] 2001::41a:a8ff:fe6f:c67 is initiating an IKE_SA
Nov 19 08:39:23 moon charon: 03[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 moon charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Nov 19 08:39:23 moon charon: 03[NET] sending packet: from 2001:1::1r500 to 2001::41a:a8ff:fe6f:c67r500
Nov 19 08:39:23 moon charon: 08[NET] received packet: from 2001::41a:a8ff:fe6f:c67r500 to 2001:1::1r500
Nov 19 08:39:23 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 19 08:39:23 moon charon: 08[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 moon charon: 08[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
Nov 19 08:39:23 moon charon: 08[CFG] using certificate "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
Nov 19 08:39:23 moon charon: 08[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 moon charon: 08[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
Nov 19 08:39:23 moon charon: 08[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 moon charon: 08[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 moon charon: 08[CFG] crl is valid: until Dec 13 07:58:20 2008
Nov 19 08:39:23 moon charon: 08[CFG] using cached crl
Nov 19 08:39:23 moon charon: 08[CFG] certificate status is good
Nov 19 08:39:23 moon charon: 08[IKE] authentication of 'carol@strongswan.org' with RSA signature successful
Nov 19 08:39:23 moon charon: 08[CFG] found matching peer config "carol-mh": moon.strongswan.org...carol@strongswan.org with prio 40.5
Nov 19 08:39:23 moon charon: 08[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
Nov 19 08:39:23 moon charon: 08[IKE] scheduling rekeying in 3323s
Nov 19 08:39:23 moon charon: 08[IKE] maximum IKE_SA lifetime 3503s
Nov 19 08:39:23 moon charon: 08[IKE] IKE_SA carol-mhr1 established between 2001:1::1[moon.strongswan.org]...2001::41a:a8ff:fe6f:c67[carol@strongswan.org]
Nov 19 08:39:23 moon charon: 08[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 19 08:39:23 moon charon: 08[CHD] other address: 2001::41a:a8ff:fe6f:c67 is a transport mode proxy for 2001:1::10
Nov 19 08:39:23 moon charon: 08[KNL] getting SPI for reqid {1}
Nov 19 08:39:23 moon charon: 08[KNL] got SPI ca64ae98 for reqid {1}
Nov 19 08:39:23 moon charon: 08[KNL] adding SAD entry with SPI ca64ae98 and reqid {1}
Nov 19 08:39:23 moon charon: 08[KNL] using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:23 moon charon: 08[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:23 moon charon: 08[KNL] adding SAD entry with SPI c5959ac2 and reqid {1}
Nov 19 08:39:23 moon charon: 08[KNL] using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:23 moon charon: 08[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:23 moon charon: 08[IKE] CHILD_SA carol-mh{1} established with SPIs ca64ae98_i c5959ac2_o and TS 2001:1::1/128r135 === 2001:1::10/128r135
Nov 19 08:39:23 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 19 08:39:23 moon charon: 08[NET] sending packet: from 2001:1::1r500 to 2001::41a:a8ff:fe6f:c67r500
The MIPv6 daemon then sends some MIGRATE messages to strongSwan
Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL] policy: 2001:1::10/128r135 === 2001:1::1/128r135 in
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL] migrate ESP %any...%any to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {1}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128r135 === 2001:1::1/128r135 in with reqid {1}
Nov 19 08:39:24 moon charon: 05[KNL] interface ip6tnl1 activated
Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL] policy: 2001:1::1/128r135 === 2001:1::10/128r135 in
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL] migrate ESP %any...%any to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {1}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128r135 === 2001:1::10/128r135 out with reqid {1}
Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL] policy: 2001:1::10/128 === ::/0 out
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL] migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL] policy: 2001:1::10/128 === ::/0 in
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL] migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL] policy: ::/0 === 2001:1::10/128 fwd
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL] migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 out with reqid {2}
Nov 19 08:39:24 moon charon: 11[JOB] no CHILD_SA found with reqid {2}
Immediately after that the MN initiates the IPsec payload tunnel SA
Nov 19 08:39:24 moon charon: 14[NET] received packet: from 2001::41a:a8ff:fe6f:c67r500 to 2001:1::1r500
Nov 19 08:39:24 moon charon: 14[ENC] parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Nov 19 08:39:24 moon charon: 14[KNL] getting SPI for reqid {2}
Nov 19 08:39:24 moon charon: 14[KNL] got SPI c190d5ba for reqid {2}
Nov 19 08:39:24 moon charon: 14[KNL] adding SAD entry with SPI c190d5ba and reqid {2}
Nov 19 08:39:24 moon charon: 14[KNL] using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:24 moon charon: 14[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:24 moon charon: 14[KNL] adding SAD entry with SPI ce4db893 and reqid {2}
Nov 19 08:39:24 moon charon: 14[KNL] using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:24 moon charon: 14[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:24 moon charon: 14[IKE] CHILD_SA carol-tunnel{2} established with SPIs c190d5ba_i ce4db893_o and TS ::/0 === 2001:1::10/128
Nov 19 08:39:24 moon charon: 14[ENC] generating CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
Nov 19 08:39:24 moon charon: 14[NET] sending packet: from 2001:1::1r500 to 2001::41a:a8ff:fe6f:c67r500
Nov 19 08:39:24 moon charon: 12[KNL] querying SAD entry with SPI c190d5ba for update
Nov 19 08:39:24 moon charon: 12[KNL] querying replay state from SAD entry with SPI c190d5ba
Nov 19 08:39:24 moon charon: 12[KNL] deleting SAD entry with SPI c190d5ba
Nov 19 08:39:24 moon charon: 12[KNL] deleted SAD entry with SPI c190d5ba
Nov 19 08:39:24 moon charon: 12[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67r500..2001:1::1r500 to 2001::41a:a8ff:fe6f:c67r0..2001:1::1r0
Nov 19 08:39:24 moon charon: 12[KNL] querying SAD entry with SPI ce4db893 for update
Nov 19 08:39:24 moon charon: 12[KNL] querying replay state from SAD entry with SPI ce4db893
Nov 19 08:39:24 moon charon: 12[KNL] deleting SAD entry with SPI ce4db893
Nov 19 08:39:24 moon charon: 12[KNL] deleted SAD entry with SPI ce4db893
Nov 19 08:39:24 moon charon: 12[KNL] updating SAD entry with SPI ce4db893 from 2001:1::1r500..2001::41a:a8ff:fe6f:c67r500 to 2001:1::1r0..2001::41a:a8ff:fe6f:c67r0
IPsec Status after Establishment¶
ipsec statusall
Performance:
uptime: 2 minutes, since Nov 19 08:39:01 2008
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
Listening IP addresses:
10.1.0.1
2001:1::1
fec1::1
192.168.0.1
2001::1
fec0::1
Connections:
carol-mh: 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]
carol-mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
carol-mh: public key authentication
carol-mh: 2001:1::1/128r135 === 2001:1::10/128r135
carol-tunnel: ::/0 === 2001:1::10/128
dave-mh: 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]
dave-mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
dave-mh: public key authentication
dave-mh: 2001:1::1/128r135 === 2001:1::20/128r135
dave-tunnel: ::/0 === 2001:1::20/128
Security Associations:
carol-mhr1: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::41a:a8ff:fe6f:c67[carol@strongswan.org]
carol-mhr1: IKE SPIs: 58b6f8e6f23188fa_i 63fdcfb55179c548_r*, rekeying in 53 minutes
carol-mhr1: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT
carol-mh{1}: INSTALLED, TRANSPORT_PROXY, ESP SPIs: ca64ae98_i c5959ac2_o
carol-mh{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 12 minutes, last use: 101s_i no_o
carol-mh{1}: 2001:1::1/128r135 === 2001:1::10/128r135
carol-tunnel{2}: INSTALLED, TUNNEL, ESP SPIs: c190d5ba_i ce4db893_o
carol-tunnel{2}: AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o
carol-tunnel{2}: ::/0 === 2001:1::10/128
The IPsec policy in the Linux 2.6 kernel
ip xfrm policy
src 2001:1::10/128 dst 2001:1::1/128 proto 135
dir in priority 2 ptype main
tmpl src :: dst ::
proto esp reqid 1 mode transport
src 2001:1::1/128 dst 2001:1::10/128 proto 135
dir out priority 2 ptype main
tmpl src :: dst ::
proto esp reqid 1 mode transport
src 2001:1::20/128 dst 2001:1::1/128 proto 135
dir in priority 2 ptype main
tmpl src :: dst ::
proto esp reqid 3 mode transport
src 2001:1::1/128 dst 2001:1::20/128 proto 135
dir out priority 2 ptype main
tmpl src :: dst ::
proto esp reqid 3 mode transport
src 2001:1::10/128 dst ::/0
dir in priority 10 ptype main
tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
proto esp reqid 2 mode tunnel
src 2001:1::10/128 dst ::/0
dir fwd priority 10 ptype main
tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
proto esp reqid 2 mode tunnel
src ::/0 dst 2001:1::10/128
dir out priority 10 ptype main
tmpl src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
proto esp reqid 2 mode tunnel
and the IPsec state in the Linux 2.6 kernel
ip xfrm state
src :: dst ::
proto hao reqid 0 mode ro
replay-window 0 flag wildrecv
coa ::
sel src ::/0 dst ::/0
src 2001:1::10 dst 2001:1::1
proto esp spi 0xca64ae98 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611
enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20
sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
proto esp spi 0xc5959ac2 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff
enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359
sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
proto route2 reqid 0 mode ro
replay-window 0
coa 2001::41a:a8ff:fe6f:c67
lastused 2008-11-19 08:39:25
sel src 2001:1::1/128 dst 2001:1::10/128
src 2001:1::10 dst 2001:1::1
proto hao reqid 0 mode ro
replay-window 0
coa 2001::41a:a8ff:fe6f:c67
sel src 2001:1::10/128 dst 2001:1::1/128
src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
proto esp spi 0xc190d5ba reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02
enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56
src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
proto esp spi 0xce4db893 reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af
enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf
Care-of-Address (CoA) Change¶
After some time the MN changes its Care-of-Address (CoA) to 2001::50
which is communicated to the HA via a Binding Update message. This
causes the MIPv6 daemon to issue a MIGRATE message to strongSwan
Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL] policy: 2001:1::10/128r135 === 2001:1::1/128r135 out
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL] migrate ESP %any...%any to 2001::50...2001:1::1, reqid {1}
Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128r135 === 2001:1::1/128r135 in with reqid {1}
Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL] policy: 2001:1::1/128r135 === 2001:1::10/128r135 in
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL] migrate ESP %any...%any to 2001:1::1...2001::50, reqid {1}
Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128r135 === 2001:1::10/128r135 out with reqid {1}
Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL] policy: 2001:1::10/128 === ::/0 out
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL] migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}
Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}
Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry with SPI c190d5ba for update
Nov 19 08:41:56 moon charon: 10[KNL] querying replay state from SAD entry with SPI c190d5ba
Nov 19 08:41:56 moon charon: 10[KNL] deleting SAD entry with SPI c190d5ba
Nov 19 08:41:56 moon charon: 10[KNL] deleted SAD entry with SPI c190d5ba
Nov 19 08:41:56 moon charon: 10[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67r0..2001:1::1r0 to 2001::50r0..2001:1::1r0
Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry with SPI ce4db893 for update
Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry failed: No such process (3)
Nov 19 08:41:56 moon charon: 10[KNL] unable to update SAD entry with SPI ce4db893
Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL] policy: 2001:1::10/128 === ::/0 in
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL] migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}
Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}
Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL] policy: ::/0 === 2001:1::10/128 fwd
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL] migrate ESP 2001:1::1...2001::41a:a8ff:fe6f:c67 to 2001:1::1...2001::50, reqid {2}
IPSec Status after CoA Change¶
ipsec statusall
Performance:
uptime: 3 minutes, since Nov 19 08:39:01 2008
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
Listening IP addresses:
10.1.0.1
2001:1::1
fec1::1
192.168.0.1
2001::1
fec0::1
Connections:
carol-mh: 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]
carol-mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
carol-mh: public key authentication
carol-mh: 2001:1::1/128r135 === 2001:1::10/128r135
carol-tunnel: ::/0 === 2001:1::10/128
dave-mh: 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]
dave-mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
dave-mh: public key authentication
dave-mh: 2001:1::1/128r135 === 2001:1::20/128r135
dave-tunnel: ::/0 === 2001:1::20/128
Security Associations:
carol-mhr1: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::50[carol@strongswan.org]
carol-mhr1: IKE SPIs: 58b6f8e6f23188fa_i 63fdcfb55179c548_r*, rekeying in 52 minutes
carol-mhr1: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT
carol-mh{1}: INSTALLED, TRANSPORT_PROXY, ESP SPIs: ca64ae98_i c5959ac2_o
carol-mh{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 11 minutes, last use: 45s_i no_o
carol-mh{1}: 2001:1::1/128r135 === 2001:1::10/128r135
carol-tunnel{2}: INSTALLED, TUNNEL, ESP SPIs: c190d5ba_i ce4db893_o
carol-tunnel{2}: AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 8s_i 8s_o
carol-tunnel{2}: ::/0 === 2001:1::10/128
and the IPsec state in the Linux 2.6 kernel
ip xfrm state
src :: dst ::
proto hao reqid 0 mode ro
replay-window 0 flag wildrecv
coa ::
sel src ::/0 dst ::/0
src 2001:1::10 dst 2001:1::1
proto esp spi 0xca64ae98 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611
enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20
sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
proto esp spi 0xc5959ac2 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff
enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359
sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
proto route2 reqid 0 mode ro
replay-window 0
coa 2001::50
lastused 2008-11-19 08:39:25
sel src 2001:1::1/128 dst 2001:1::10/128
src 2001:1::10 dst 2001:1::1
proto hao reqid 0 mode ro
replay-window 0
coa 2001::50
sel src 2001:1::10/128 dst 2001:1::1/128
src 2001:1::1 dst 2001::50
proto esp spi 0xce4db893 reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af
enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf
src 2001::50 dst 2001:1::1
proto esp spi 0xc190d5ba reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02
enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56