MIPv6 Home Agent Setup

mip6d.conf
```
NodeConfig HA;

UseMnHaIPsec enabled;
KeyMngMobCapability enabled;
DefaultBindingAclPolicy deny;

Interface "eth0";

include "/etc/mip6d.conf.d/carol.mip6d.conf"
include "/etc/mip6d.conf.d/dave.mip6d.conf"
```
mip6d.conf.d/carol.mip6d.conf
```
Interface "eth1";

IPsecPolicySet {
    HomeAgentAddress 2001:1::1;
    HomeAddress 2001:1::10/64;

    IPsecPolicy Mh UseESP 1;
    IPsecPolicy TunnelPayload UseESP 2;
}

BindingAclPolicy 2001:1::10 allow;
```
mip6d.conf.d/dave.mip6d.conf
```
IPsecPolicySet {
    HomeAgentAddress 2001:1::1;
    HomeAddress 2001:1::20/64;

    IPsecPolicy Mh UseESP 3;
    IPsecPolicy TunnelPayload UseESP 4;
}

BindingAclPolicy 2001:1::20 allow;
```
A word of WARNING:

The reqid defined in the IPsecPolicy lines of the mip6d.conf files currently must exactly match the reqid that strongSwan assigns to the corresponding IPsec SA. strongSwan assigns reqids with a linear counter starting at 1. If the two do not match, the communication between the mip6d and strongSwan daemons via MIGRATE and ACQUIRE kernel messages simply will not work. Therefore make sure that you bring up the MN-HA connections in the correct order, i.e. in our example first the connection from MN carol (reqids 1 and 2) and only then the connection from MN dave (reqids 3 and 4). We are aware that this is a severe restriction and are working on a more robust scheme.
ipsec.conf
```
config setup
    crlcheckinterval=180
    plutostart=no
    charondebug="knl 2"

conn %default
    keyexchange=ikev2
    reauth=no
    mobike=no
    installpolicy=no

conn mh
    also=ha
    leftsubnet=2001:1::1/128
    leftprotoport=135/0
    rightprotoport=135/0
    type=transport_proxy

conn tunnel
    also=ha
    leftsubnet=::/0

conn ha
    left=2001:1::1
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    right=%any
    ike=aes128-sha1-modp2048!
    esp=aes128-sha1-modp2048!

include /etc/ipsec.conf.d/carol.ipsec.conf
include /etc/ipsec.conf.d/dave.ipsec.conf
```
ipsec.conf.d/carol.ipsec.conf
```
conn carol
    rightsubnet=2001:1::10/128
    rightid=carol@strongswan.org

conn carol-mh
    also=carol
    also=mh
    auto=add

conn carol-tunnel
    also=carol
    also=tunnel
    auto=add
```
ipsec.conf.d/dave.ipsec.conf
```
conn dave
    rightsubnet=2001:1::20/128
    rightid=dave@strongswan.org

conn dave-mh
    also=dave
    also=mh
    auto=add

conn dave-tunnel
    also=dave
    also=tunnel
    auto=add
```
MN-to-HA Connection Establishment
Start strongSwan first; the IPsec connection definitions are loaded at startup:
```
ipsec start

Nov 19 08:39:01 moon charon: 01[DMN] starting charon (strongSwan Version 4.2.9)
Nov 19 08:39:01 moon charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 19 08:39:01 moon charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 19 08:39:01 moon charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 19 08:39:01 moon charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 19 08:39:01 moon charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 19 08:39:01 moon charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 19 08:39:01 moon charon: 01[LIB] loaded crl file '/etc/ipsec.d/crls/strongswan.crl'
Nov 19 08:39:01 moon charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 19 08:39:01 moon charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/moonKey.pem'
Nov 19 08:39:01 moon charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
Nov 19 08:39:01 moon charon: 01[KNL] listening on interfaces:
Nov 19 08:39:01 moon charon: 01[KNL]   eth1
Nov 19 08:39:01 moon charon: 01[KNL]     10.1.0.1
Nov 19 08:39:01 moon charon: 01[KNL]     2001:1::1
Nov 19 08:39:01 moon charon: 01[KNL]     fec1::1
Nov 19 08:39:01 moon charon: 01[KNL]     fe80::90fb:65ff:fea0:1d83
Nov 19 08:39:01 moon charon: 01[KNL]   eth0
Nov 19 08:39:01 moon charon: 01[KNL]     192.168.0.1
Nov 19 08:39:01 moon charon: 01[KNL]     2001::1
Nov 19 08:39:01 moon charon: 01[KNL]     fec0::1
Nov 19 08:39:01 moon charon: 01[KNL]     fe80::fc27:dff:fe75:c32d
Nov 19 08:39:01 moon charon: 01[JOB] spawning 16 worker threads
Nov 19 08:39:01 moon charon: 08[CFG] crl caching to /etc/ipsec.d/crls enabled
Nov 19 08:39:01 moon charon: 10[CFG] received stroke: add connection 'carol-mh'
Nov 19 08:39:01 moon charon: 10[KNL] getting interface name for %any
Nov 19 08:39:01 moon charon: 10[KNL] %any is not a local address
Nov 19 08:39:01 moon charon: 10[KNL] getting interface name for 2001:1::1
Nov 19 08:39:01 moon charon: 10[KNL] 2001:1::1 is on interface eth1
Nov 19 08:39:01 moon charon: 10[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Nov 19 08:39:01 moon charon: 10[CFG] added configuration 'carol-mh': 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]
Nov 19 08:39:01 moon charon: 12[CFG] received stroke: add connection 'carol-tunnel'
Nov 19 08:39:01 moon charon: 12[KNL] getting interface name for %any
Nov 19 08:39:01 moon charon: 12[KNL] %any is not a local address
Nov 19 08:39:01 moon charon: 12[KNL] getting interface name for 2001:1::1
Nov 19 08:39:01 moon charon: 12[KNL] 2001:1::1 is on interface eth1
Nov 19 08:39:01 moon charon: 12[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Nov 19 08:39:01 moon charon: 12[CFG] added child to existing configuration 'carol-mh'
Nov 19 08:39:01 moon charon: 14[CFG] received stroke: add connection 'dave-mh'
Nov 19 08:39:01 moon charon: 14[KNL] getting interface name for %any
Nov 19 08:39:01 moon charon: 14[KNL] %any is not a local address
Nov 19 08:39:01 moon charon: 14[KNL] getting interface name for 2001:1::1
Nov 19 08:39:01 moon charon: 14[KNL] 2001:1::1 is on interface eth1
Nov 19 08:39:01 moon charon: 14[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Nov 19 08:39:01 moon charon: 14[CFG] added configuration 'dave-mh': 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]
Nov 19 08:39:01 moon charon: 15[CFG] received stroke: add connection 'dave-tunnel'
Nov 19 08:39:01 moon charon: 15[KNL] getting interface name for %any
Nov 19 08:39:01 moon charon: 15[KNL] %any is not a local address
Nov 19 08:39:01 moon charon: 15[KNL] getting interface name for 2001:1::1
Nov 19 08:39:01 moon charon: 15[KNL] 2001:1::1 is on interface eth1
Nov 19 08:39:01 moon charon: 15[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Nov 19 08:39:01 moon charon: 15[CFG] added child to existing configuration 'dave-mh'
```
Next, the MIPv6 daemon is started:

```
/etc/init.d/mip6d start

Nov 19 08:39:05 moon mip6d[1490]: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Home Agent)
```
strongSwan is now waiting for the MN to initiate the IPsec transport SA that protects the Binding Update:
```
Nov 19 08:39:23 moon charon: 03[NET] received packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]
Nov 19 08:39:23 moon charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 19 08:39:23 moon charon: 03[IKE] 2001::41a:a8ff:fe6f:c67 is initiating an IKE_SA
Nov 19 08:39:23 moon charon: 03[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 moon charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Nov 19 08:39:23 moon charon: 03[NET] sending packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]
Nov 19 08:39:23 moon charon: 08[NET] received packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]
Nov 19 08:39:23 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 19 08:39:23 moon charon: 08[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 moon charon: 08[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
Nov 19 08:39:23 moon charon: 08[CFG] using certificate "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
Nov 19 08:39:23 moon charon: 08[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 moon charon: 08[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
Nov 19 08:39:23 moon charon: 08[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 moon charon: 08[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 moon charon: 08[CFG] crl is valid: until Dec 13 07:58:20 2008
Nov 19 08:39:23 moon charon: 08[CFG] using cached crl
Nov 19 08:39:23 moon charon: 08[CFG] certificate status is good
Nov 19 08:39:23 moon charon: 08[IKE] authentication of 'carol@strongswan.org' with RSA signature successful
Nov 19 08:39:23 moon charon: 08[CFG] found matching peer config "carol-mh": moon.strongswan.org...carol@strongswan.org with prio 40.5
Nov 19 08:39:23 moon charon: 08[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
Nov 19 08:39:23 moon charon: 08[IKE] scheduling rekeying in 3323s
Nov 19 08:39:23 moon charon: 08[IKE] maximum IKE_SA lifetime 3503s
Nov 19 08:39:23 moon charon: 08[IKE] IKE_SA carol-mh[1] established between 2001:1::1[moon.strongswan.org]...2001::41a:a8ff:fe6f:c67[carol@strongswan.org]
Nov 19 08:39:23 moon charon: 08[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 19 08:39:23 moon charon: 08[CHD] other address: 2001::41a:a8ff:fe6f:c67 is a transport mode proxy for 2001:1::10
Nov 19 08:39:23 moon charon: 08[KNL] getting SPI for reqid {1}
Nov 19 08:39:23 moon charon: 08[KNL] got SPI ca64ae98 for reqid {1}
Nov 19 08:39:23 moon charon: 08[KNL] adding SAD entry with SPI ca64ae98 and reqid {1}
Nov 19 08:39:23 moon charon: 08[KNL]   using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:23 moon charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:23 moon charon: 08[KNL] adding SAD entry with SPI c5959ac2 and reqid {1}
Nov 19 08:39:23 moon charon: 08[KNL]   using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:23 moon charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:23 moon charon: 08[IKE] CHILD_SA carol-mh{1} established with SPIs ca64ae98_i c5959ac2_o and TS 2001:1::1/128[135] === 2001:1::10/128[135]
Nov 19 08:39:23 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 19 08:39:23 moon charon: 08[NET] sending packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]
```
The MIPv6 daemon then issues MIGRATE messages to strongSwan, one per affected IPsec policy:
```
Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::10/128[135] === 2001:1::1/128[135] in
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP %any...%any to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {1}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] in with reqid {1}
Nov 19 08:39:24 moon charon: 05[KNL] interface ip6tnl1 activated
Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::1/128[135] === 2001:1::10/128[135] in
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {1}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] out with reqid {1}
Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 out
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 in
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   policy: ::/0 === 2001:1::10/128 fwd
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {2}
Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 out with reqid {2}
Nov 19 08:39:24 moon charon: 11[JOB] no CHILD_SA found with reqid {2}
```
Immediately after that the MN initiates the IPsec payload tunnel SA:
```
Nov 19 08:39:24 moon charon: 14[NET] received packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]
Nov 19 08:39:24 moon charon: 14[ENC] parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Nov 19 08:39:24 moon charon: 14[KNL] getting SPI for reqid {2}
Nov 19 08:39:24 moon charon: 14[KNL] got SPI c190d5ba for reqid {2}
Nov 19 08:39:24 moon charon: 14[KNL] adding SAD entry with SPI c190d5ba and reqid {2}
Nov 19 08:39:24 moon charon: 14[KNL]   using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:24 moon charon: 14[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:24 moon charon: 14[KNL] adding SAD entry with SPI ce4db893 and reqid {2}
Nov 19 08:39:24 moon charon: 14[KNL]   using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:24 moon charon: 14[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:24 moon charon: 14[IKE] CHILD_SA carol-tunnel{2} established with SPIs c190d5ba_i ce4db893_o and TS ::/0 === 2001:1::10/128
Nov 19 08:39:24 moon charon: 14[ENC] generating CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
Nov 19 08:39:24 moon charon: 14[NET] sending packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]
Nov 19 08:39:24 moon charon: 12[KNL] querying SAD entry with SPI c190d5ba for update
Nov 19 08:39:24 moon charon: 12[KNL] querying replay state from SAD entry with SPI c190d5ba
Nov 19 08:39:24 moon charon: 12[KNL] deleting SAD entry with SPI c190d5ba
Nov 19 08:39:24 moon charon: 12[KNL] deleted SAD entry with SPI c190d5ba
Nov 19 08:39:24 moon charon: 12[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67[500]..2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[0]..2001:1::1[0]
Nov 19 08:39:24 moon charon: 12[KNL] querying SAD entry with SPI ce4db893 for update
Nov 19 08:39:24 moon charon: 12[KNL] querying replay state from SAD entry with SPI ce4db893
Nov 19 08:39:24 moon charon: 12[KNL] deleting SAD entry with SPI ce4db893
Nov 19 08:39:24 moon charon: 12[KNL] deleted SAD entry with SPI ce4db893
Nov 19 08:39:24 moon charon: 12[KNL] updating SAD entry with SPI ce4db893 from 2001:1::1[500]..2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[0]..2001::41a:a8ff:fe6f:c67[0]
```
IPsec Status after Establishment
```
ipsec statusall

Performance:
  uptime: 2 minutes, since Nov 19 08:39:01 2008
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
Listening IP addresses:
  10.1.0.1
  2001:1::1
  fec1::1
  192.168.0.1
  2001::1
  fec0::1
Connections:
  carol-mh:      2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]
  carol-mh:      CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
  carol-mh:      public key authentication
  carol-mh:      2001:1::1/128[135] === 2001:1::10/128[135]
  carol-tunnel:  ::/0 === 2001:1::10/128
  dave-mh:       2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]
  dave-mh:       CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
  dave-mh:       public key authentication
  dave-mh:       2001:1::1/128[135] === 2001:1::20/128[135]
  dave-tunnel:   ::/0 === 2001:1::20/128
Security Associations:
  carol-mh[1]:      ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::41a:a8ff:fe6f:c67[carol@strongswan.org]
  carol-mh[1]:      IKE SPIs: 58b6f8e6f23188fa_i 63fdcfb55179c548_r*, rekeying in 53 minutes
  carol-mh[1]:      IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT
  carol-mh{1}:      INSTALLED, TRANSPORT_PROXY, ESP SPIs: ca64ae98_i c5959ac2_o
  carol-mh{1}:      AES_CBC-128/HMAC_SHA1_96, rekeying in 12 minutes, last use: 101s_i no_o
  carol-mh{1}:      2001:1::1/128[135] === 2001:1::10/128[135]
  carol-tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: c190d5ba_i ce4db893_o
  carol-tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o
  carol-tunnel{2}:  ::/0 === 2001:1::10/128
```
The IPsec policy in the Linux 2.6 kernel:
```
ip xfrm policy

src 2001:1::10/128 dst 2001:1::1/128 proto 135
    dir in priority 2 ptype main
    tmpl src :: dst ::
        proto esp reqid 1 mode transport
src 2001:1::1/128 dst 2001:1::10/128 proto 135
    dir out priority 2 ptype main
    tmpl src :: dst ::
        proto esp reqid 1 mode transport
src 2001:1::20/128 dst 2001:1::1/128 proto 135
    dir in priority 2 ptype main
    tmpl src :: dst ::
        proto esp reqid 3 mode transport
src 2001:1::1/128 dst 2001:1::20/128 proto 135
    dir out priority 2 ptype main
    tmpl src :: dst ::
        proto esp reqid 3 mode transport
src 2001:1::10/128 dst ::/0
    dir in priority 10 ptype main
    tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
        proto esp reqid 2 mode tunnel
src 2001:1::10/128 dst ::/0
    dir fwd priority 10 ptype main
    tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
        proto esp reqid 2 mode tunnel
src ::/0 dst 2001:1::10/128
    dir out priority 10 ptype main
    tmpl src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
        proto esp reqid 2 mode tunnel
```
and the IPsec state in the Linux 2.6 kernel:
```
ip xfrm state

src :: dst ::
    proto hao reqid 0 mode ro
    replay-window 0 flag wildrecv
    coa ::
    sel src ::/0 dst ::/0
src 2001:1::10 dst 2001:1::1
    proto esp spi 0xca64ae98 reqid 1 mode transport
    replay-window 32
    auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611
    enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20
    sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
    proto esp spi 0xc5959ac2 reqid 1 mode transport
    replay-window 32
    auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff
    enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359
    sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
    proto route2 reqid 0 mode ro
    replay-window 0
    coa 2001::41a:a8ff:fe6f:c67
    lastused 2008-11-19 08:39:25
    sel src 2001:1::1/128 dst 2001:1::10/128
src 2001:1::10 dst 2001:1::1
    proto hao reqid 0 mode ro
    replay-window 0
    coa 2001::41a:a8ff:fe6f:c67
    sel src 2001:1::10/128 dst 2001:1::1/128
src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
    proto esp spi 0xc190d5ba reqid 2 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02
    enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56
src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
    proto esp spi 0xce4db893 reqid 2 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af
    enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf
```
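The reqid coupling described in the warning above (mip6d's configured reqids must coincide with the counter values strongSwan hands out) and the `ip xfrm state` listing just shown can be checked mechanically. The following Python script is an added example and is not part of this page, of strongSwan or of the MIPL/UMIP daemon: it parses the IPsecPolicySet blocks of the mip6d.conf.d fragments, derives the order in which the MNs must bring up their connections so that strongSwan's counter yields the expected reqids, and then compares the configured reqids against a kernel SAD dump. The home agent address 2001:1::1 and the reqid values are the ones on this page; both sample inputs are constructed (the state listing is abridged, with the keys omitted and dave not yet connected).

```python
import re
from ipaddress import ip_address

# Constructed sample input: the two per-MN mip6d.conf.d fragments from this page
# (carol and dave), concatenated into one string.
MIP6D_CONF = """
Interface "eth1";
IPsecPolicySet {
    HomeAgentAddress 2001:1::1;
    HomeAddress 2001:1::10/64;
    IPsecPolicy Mh UseESP 1;
    IPsecPolicy TunnelPayload UseESP 2;
}
BindingAclPolicy 2001:1::10 allow;
IPsecPolicySet {
    HomeAgentAddress 2001:1::1;
    HomeAddress 2001:1::20/64;
    IPsecPolicy Mh UseESP 3;
    IPsecPolicy TunnelPayload UseESP 4;
}
BindingAclPolicy 2001:1::20 allow;
"""

# Constructed sample input: abridged `ip xfrm state` output modelled on the page's
# listing after carol's SAs came up (keys omitted, dave not connected yet).
XFRM_STATE = """
src 2001:1::10 dst 2001:1::1
    proto esp spi 0xca64ae98 reqid 1 mode transport
    replay-window 32
    sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
    proto esp spi 0xc5959ac2 reqid 1 mode transport
    replay-window 32
src 2001:1::10 dst 2001:1::1
    proto hao reqid 0 mode ro
    coa 2001::41a:a8ff:fe6f:c67
src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
    proto esp spi 0xc190d5ba reqid 2 mode tunnel
    replay-window 32 flag 20
src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
    proto esp spi 0xce4db893 reqid 2 mode tunnel
    replay-window 32 flag 20
"""

SET_RE = re.compile(r"IPsecPolicySet\s*\{(.*?)\}", re.S)
HOA_RE = re.compile(r"HomeAddress\s+([0-9a-fA-F:]+)/\d+\s*;")
POLICY_RE = re.compile(r"IPsecPolicy\s+(\w+)\s+UseESP\s+(\d+)\s*;")
SA_HEAD_RE = re.compile(r"src (\S+) dst (\S+)$")
SA_ESP_RE = re.compile(r"proto esp spi (\S+) reqid (\d+) mode (\w+)")


def parse_mip6d_policies(text):
    """Map each home address to its configured reqids, e.g.
    {"2001:1::10": {"Mh": 1, "TunnelPayload": 2}, ...}."""
    policies = {}
    for block in SET_RE.findall(text):
        hoa = str(ip_address(HOA_RE.search(block).group(1)))
        policies[hoa] = {kind: int(reqid) for kind, reqid in POLICY_RE.findall(block)}
    return policies


def startup_order(policies):
    """Order in which the MNs must bring up their connections so that strongSwan's
    linear reqid counter (1, 2, 3, ...) produces the reqids mip6d expects.
    Raises ValueError if the configuration can never line up with that counter."""
    all_reqids = sorted(r for pol in policies.values() for r in pol.values())
    if all_reqids != list(range(1, len(all_reqids) + 1)):
        raise ValueError("reqids are not a contiguous 1..N sequence: %s" % all_reqids)
    for hoa, pol in policies.items():
        # The Mh SA is negotiated in IKE_AUTH and the tunnel SA afterwards in
        # CREATE_CHILD_SA (see the log above), so the Mh reqid must be the lower one.
        if pol["Mh"] > pol["TunnelPayload"]:
            raise ValueError("%s: Mh reqid must be lower than TunnelPayload reqid" % hoa)
    return sorted(policies, key=lambda hoa: min(policies[hoa].values()))


def parse_xfrm_state(text):
    """Collect src, dst, spi, reqid and mode of every ESP SA in `ip xfrm state`
    output; the Mobile IPv6 states (proto hao / route2) are skipped."""
    sas, current = [], None
    for line in text.splitlines():
        head = SA_HEAD_RE.match(line.strip())
        if head:
            current = {"src": str(ip_address(head.group(1))),
                       "dst": str(ip_address(head.group(2)))}
            continue
        esp = SA_ESP_RE.match(line.strip())
        if esp and current is not None:
            current.update(spi=esp.group(1), reqid=int(esp.group(2)), mode=esp.group(3))
            sas.append(current)
            current = None
    return sas


def check_reqids(policies, sas, ha="2001:1::1"):
    """For every configured (home address, policy kind) report whether the SAD holds
    the expected SA pair under that reqid: "ok", "missing" (fewer than the inbound and
    outbound SA) or "mismatch" (the reqid is in use, but for a different SA)."""
    ha = str(ip_address(ha))
    report = {}
    for hoa, pol in policies.items():
        for kind, reqid in pol.items():
            found = [sa for sa in sas if sa["reqid"] == reqid]
            if len(found) < 2:
                report[(hoa, kind)] = "missing"
                continue
            if kind == "Mh":
                # Mobility header SAs: transport mode between the HoA and the HA.
                good = all(sa["mode"] == "transport" and {sa["src"], sa["dst"]} == {hoa, ha}
                           for sa in found)
            else:
                # Payload SAs: tunnel mode between the HA and the MN's current CoA.
                good = all(sa["mode"] == "tunnel" and ha in (sa["src"], sa["dst"])
                           for sa in found)
            report[(hoa, kind)] = "ok" if good else "mismatch"
    return report


if __name__ == "__main__":
    pols = parse_mip6d_policies(MIP6D_CONF)
    print("bring up the MNs in this order:", startup_order(pols))
    for key, status in sorted(check_reqids(pols, parse_xfrm_state(XFRM_STATE)).items()):
        print(key, status)
```

On a live home agent the two strings would be replaced by the contents of the mip6d.conf.d files and the output of `ip xfrm state`; a "mismatch" for an MN is the symptom of the ordering problem the warning describes (strongSwan's counter handed the reqid to a different connection), while "missing" only means that MN has not connected yet.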
Care-of-Address (CoA) Change
After some time the MN changes its Care-of-Address (CoA) to 2001::50, which it communicates to the HA in a Binding Update message. This causes the MIPv6 daemon to issue MIGRATE messages to strongSwan:
```
Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128[135] === 2001:1::1/128[135] out
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP %any...%any to 2001::50...2001:1::1, reqid {1}
Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] in with reqid {1}
Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::1/128[135] === 2001:1::10/128[135] in
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::50, reqid {1}
Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] out with reqid {1}
Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 out
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}
Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}
Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry with SPI c190d5ba for update
Nov 19 08:41:56 moon charon: 10[KNL] querying replay state from SAD entry with SPI c190d5ba
Nov 19 08:41:56 moon charon: 10[KNL] deleting SAD entry with SPI c190d5ba
Nov 19 08:41:56 moon charon: 10[KNL] deleted SAD entry with SPI c190d5ba
Nov 19 08:41:56 moon charon: 10[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67[0]..2001:1::1[0] to 2001::50[0]..2001:1::1[0]
Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry with SPI ce4db893 for update
Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry failed: No such process (3)
Nov 19 08:41:56 moon charon: 10[KNL] unable to update SAD entry with SPI ce4db893
Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 in
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}
Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}
Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   policy: ::/0 === 2001:1::10/128 fwd
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS
Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE
Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001:1::1...2001::41a:a8ff:fe6f:c67 to 2001:1::1...2001::50, reqid {2}
```
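The MIGRATE exchange triggered by the CoA change can be monitored from the charon log. The following Python snippet is an added example, not part of this page or of strongSwan: it extracts the `migrate ESP ... to ..., reqid {n}` lines, derives the old and new care-of addresses from them, and records the outcome of each SAD update that follows, including the `unable to update SAD entry` failure for SPI ce4db893 that appears in the excerpt. The log lines are constructed from the page's excerpt (abridged to the lines the check needs) and the home agent address 2001:1::1 is the one on this page.

```python
import re

# Constructed sample: charon log lines modelled on this page's CoA-change excerpt,
# abridged to the MIGRATE and SAD-update lines that matter for the check.
LOG = """\
Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128[135] === 2001:1::1/128[135] out
Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP %any...%any to 2001::50...2001:1::1, reqid {1}
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::50, reqid {1}
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}
Nov 19 08:41:56 moon charon: 10[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67[0]..2001:1::1[0] to 2001::50[0]..2001:1::1[0]
Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry failed: No such process (3)
Nov 19 08:41:56 moon charon: 10[KNL] unable to update SAD entry with SPI ce4db893
Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001:1::1...2001::41a:a8ff:fe6f:c67 to 2001:1::1...2001::50, reqid {2}
"""

MIGRATE_RE = re.compile(r"migrate ESP (\S+)\.\.\.(\S+) to (\S+)\.\.\.(\S+), reqid \{(\d+)\}")
UPDATE_RE = re.compile(r"updating SAD entry with SPI ([0-9a-f]+) from (\S+)\.\.(\S+) to (\S+)\.\.(\S+)")
FAIL_RE = re.compile(r"unable to update SAD entry with SPI ([0-9a-f]+)")


def summarize_migrates(log):
    """Group the MIGRATE requests by reqid:
    {reqid: {"old": {(src, dst), ...}, "new": {(src, dst), ...}}}."""
    moves = {}
    for m in MIGRATE_RE.finditer(log):
        old_src, old_dst, new_src, new_dst, reqid = m.groups()
        entry = moves.setdefault(int(reqid), {"old": set(), "new": set()})
        entry["old"].add((old_src, old_dst))
        entry["new"].add((new_src, new_dst))
    return moves


def care_of_change(moves, ha):
    """Derive the old and new care-of addresses: every endpoint of a migrated SA that
    is neither the home agent nor the %any wildcard used for the transport-mode Mh SAs."""
    def non_ha(pairs):
        return {ep for pair in pairs for ep in pair if ep not in (ha, "%any")}
    old = set().union(*(non_ha(e["old"]) for e in moves.values()))
    new = set().union(*(non_ha(e["new"]) for e in moves.values()))
    return old, new


def sad_update_results(log):
    """Outcome of the SAD updates strongSwan performs for each MIGRATE, keyed by SPI:
    "updated" or "failed"; a later line for the same SPI overrides an earlier one."""
    results = {}
    for line in log.splitlines():
        m = UPDATE_RE.search(line)
        if m:
            results[m.group(1)] = "updated"
            continue
        m = FAIL_RE.search(line)
        if m:
            results[m.group(1)] = "failed"
    return results


def migrate_report(log, ha="2001:1::1"):
    """One-shot summary that a monitoring hook could emit after a Binding Update."""
    moves = summarize_migrates(log)
    old, new = care_of_change(moves, ha)
    return {"reqids": sorted(moves), "old_coa": sorted(old), "new_coa": sorted(new),
            "sad_updates": sad_update_results(log)}


if __name__ == "__main__":
    print(migrate_report(LOG))
```

In the page's excerpt the first update attempt for SPI ce4db893 fails, yet the `ip xfrm state` listing taken after the change shows that SA at 2001::50, so a single failure line is not conclusive on its own; a practical check after a Binding Update is to compare the `new_coa` and `sad_updates` fields of this report against the tunnel-mode entries in `ip xfrm state`.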
IPsec Status after CoA Change
```
ipsec statusall

Performance:
  uptime: 3 minutes, since Nov 19 08:39:01 2008
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
Listening IP addresses:
  10.1.0.1
  2001:1::1
  fec1::1
  192.168.0.1
  2001::1
  fec0::1
Connections:
  carol-mh:      2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]
  carol-mh:      CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
  carol-mh:      public key authentication
  carol-mh:      2001:1::1/128[135] === 2001:1::10/128[135]
  carol-tunnel:  ::/0 === 2001:1::10/128
  dave-mh:       2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]
  dave-mh:       CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
  dave-mh:       public key authentication
  dave-mh:       2001:1::1/128[135] === 2001:1::20/128[135]
  dave-tunnel:   ::/0 === 2001:1::20/128
Security Associations:
  carol-mh[1]:      ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::50[carol@strongswan.org]
  carol-mh[1]:      IKE SPIs: 58b6f8e6f23188fa_i 63fdcfb55179c548_r*, rekeying in 52 minutes
  carol-mh[1]:      IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT
  carol-mh{1}:      INSTALLED, TRANSPORT_PROXY, ESP SPIs: ca64ae98_i c5959ac2_o
  carol-mh{1}:      AES_CBC-128/HMAC_SHA1_96, rekeying in 11 minutes, last use: 45s_i no_o
  carol-mh{1}:      2001:1::1/128[135] === 2001:1::10/128[135]
  carol-tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: c190d5ba_i ce4db893_o
  carol-tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 8s_i 8s_o
  carol-tunnel{2}:  ::/0 === 2001:1::10/128
```
and the IPsec state in the Linux 2.6 kernel:
```
ip xfrm state

src :: dst ::
    proto hao reqid 0 mode ro
    replay-window 0 flag wildrecv
    coa ::
    sel src ::/0 dst ::/0
src 2001:1::10 dst 2001:1::1
    proto esp spi 0xca64ae98 reqid 1 mode transport
    replay-window 32
    auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611
    enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20
    sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
    proto esp spi 0xc5959ac2 reqid 1 mode transport
    replay-window 32
    auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff
    enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359
    sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
    proto route2 reqid 0 mode ro
    replay-window 0
    coa 2001::50
    lastused 2008-11-19 08:39:25
    sel src 2001:1::1/128 dst 2001:1::10/128
src 2001:1::10 dst 2001:1::1
    proto hao reqid 0 mode ro
    replay-window 0
    coa 2001::50
    sel src 2001:1::10/128 dst 2001:1::1/128
src 2001:1::1 dst 2001::50
    proto esp spi 0xce4db893 reqid 2 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af
    enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf
src 2001::50 dst 2001:1::1
    proto esp spi 0xc190d5ba reqid 2 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02
    enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56
```