MIPv6 Home Agent Setup » History » Version 1
Andreas Steffen, 20.11.2008 01:24
Create Home Agent Setup page
| 1 | 1 | Andreas Steffen | [[TOC(heading=MIPv6 HA Setup)]] |
|---|---|---|---|
| 2 | 1 | Andreas Steffen | = MIPv6 Home Agent Setup = |
| 3 | 1 | Andreas Steffen | |
| 4 | 1 | Andreas Steffen | == mip6d.conf == |
| 5 | 1 | Andreas Steffen | |
| 6 | 1 | Andreas Steffen | {{{ |
| 7 | 1 | Andreas Steffen | NodeConfig HA; |
| 8 | 1 | Andreas Steffen | |
| 9 | 1 | Andreas Steffen | UseMnHaIPsec enabled; |
| 10 | 1 | Andreas Steffen | KeyMngMobCapability enabled; |
| 11 | 1 | Andreas Steffen | DefaultBindingAclPolicy deny; |
| 12 | 1 | Andreas Steffen | |
| 13 | 1 | Andreas Steffen | Interface "eth0"; |
| 14 | 1 | Andreas Steffen | |
| 15 | 1 | Andreas Steffen | include "/etc/mip6d.conf.d/carol.mip6d.conf" |
| 16 | 1 | Andreas Steffen | }}} |
| 17 | 1 | Andreas Steffen | |
| 18 | 1 | Andreas Steffen | == mip6d.conf.d/carol.mip6d.conf == |
| 19 | 1 | Andreas Steffen | |
| 20 | 1 | Andreas Steffen | {{{ |
| 21 | 1 | Andreas Steffen | Interface "eth1"; |
| 22 | 1 | Andreas Steffen | |
| 23 | 1 | Andreas Steffen | IPsecPolicySet { |
| 24 | 1 | Andreas Steffen | HomeAgentAddress 2001:1::1; |
| 25 | 1 | Andreas Steffen | HomeAddress 2001:1::10/64; |
| 26 | 1 | Andreas Steffen | |
| 27 | 1 | Andreas Steffen | IPsecPolicy Mh UseESP 1; |
| 28 | 1 | Andreas Steffen | IPsecPolicy TunnelPayload UseESP 2; |
| 29 | 1 | Andreas Steffen | } |
| 30 | 1 | Andreas Steffen | |
| 31 | 1 | Andreas Steffen | BindingAclPolicy 2001:1::10 allow; |
| 32 | 1 | Andreas Steffen | }}} |
| 33 | 1 | Andreas Steffen | |
| 34 | 1 | Andreas Steffen | == ipsec.conf == |
| 35 | 1 | Andreas Steffen | |
| 36 | 1 | Andreas Steffen | {{{ |
| 37 | 1 | Andreas Steffen | config setup |
| 38 | 1 | Andreas Steffen | crlcheckinterval=180 |
| 39 | 1 | Andreas Steffen | plutostart=no |
| 40 | 1 | Andreas Steffen | charondebug="knl 2" |
| 41 | 1 | Andreas Steffen | |
| 42 | 1 | Andreas Steffen | conn %default |
| 43 | 1 | Andreas Steffen | keyexchange=ikev2 |
| 44 | 1 | Andreas Steffen | reauth=no |
| 45 | 1 | Andreas Steffen | mobike=no |
| 46 | 1 | Andreas Steffen | installpolicy=no |
| 47 | 1 | Andreas Steffen | |
| 48 | 1 | Andreas Steffen | conn mh |
| 49 | 1 | Andreas Steffen | also=ha |
| 50 | 1 | Andreas Steffen | leftsubnet=2001:1::1/128 |
| 51 | 1 | Andreas Steffen | leftprotoport=135/0 |
| 52 | 1 | Andreas Steffen | rightprotoport=135/0 |
| 53 | 1 | Andreas Steffen | type=transport_proxy |
| 54 | 1 | Andreas Steffen | |
| 55 | 1 | Andreas Steffen | conn tunnel |
| 56 | 1 | Andreas Steffen | also=ha |
| 57 | 1 | Andreas Steffen | leftsubnet=::/0 |
| 58 | 1 | Andreas Steffen | |
| 59 | 1 | Andreas Steffen | conn ha |
| 60 | 1 | Andreas Steffen | left=2001:1::1 |
| 61 | 1 | Andreas Steffen | leftcert=moonCert.pem |
| 62 | 1 | Andreas Steffen | leftid=@moon.strongswan.org |
| 63 | 1 | Andreas Steffen | right=%any |
| 64 | 1 | Andreas Steffen | ike=aes128-sha1-modp2048! |
| 65 | 1 | Andreas Steffen | esp=aes128-sha1-modp2048! |
| 66 | 1 | Andreas Steffen | |
| 67 | 1 | Andreas Steffen | include /etc/ipsec.conf.d/carol.ipsec.conf |
| 68 | 1 | Andreas Steffen | include /etc/ipsec.conf.d/dave.ipsec.conf |
| 69 | 1 | Andreas Steffen | }}} |
| 70 | 1 | Andreas Steffen | |
| 71 | 1 | Andreas Steffen | == ipsec.conf.d/carol.ipsec.conf == |
| 72 | 1 | Andreas Steffen | |
| 73 | 1 | Andreas Steffen | {{{ |
| 74 | 1 | Andreas Steffen | conn carol |
| 75 | 1 | Andreas Steffen | rightsubnet=2001:1::10/128 |
| 76 | 1 | Andreas Steffen | rightid=carol@strongswan.org |
| 77 | 1 | Andreas Steffen | |
| 78 | 1 | Andreas Steffen | conn carol-mh |
| 79 | 1 | Andreas Steffen | also=carol |
| 80 | 1 | Andreas Steffen | also=mh |
| 81 | 1 | Andreas Steffen | auto=add |
| 82 | 1 | Andreas Steffen | |
| 83 | 1 | Andreas Steffen | conn carol-tunnel |
| 84 | 1 | Andreas Steffen | also=carol |
| 85 | 1 | Andreas Steffen | also=tunnel |
| 86 | 1 | Andreas Steffen | auto=add |
| 87 | 1 | Andreas Steffen | }}} |
| 88 | 1 | Andreas Steffen | |
| 89 | 1 | Andreas Steffen | == MN-to-HA Connection Establishment == |
| 90 | 1 | Andreas Steffen | |
| 91 | 1 | Andreas Steffen | Start strongSwan first and the IPsec connection definitions will be loaded |
| 92 | 1 | Andreas Steffen | |
| 93 | 1 | Andreas Steffen | {{{ |
| 94 | 1 | Andreas Steffen | ipsec start |
| 95 | 1 | Andreas Steffen | |
| 96 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[DMN] starting charon (strongSwan Version 4.2.9) |
| 97 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' |
| 98 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem' |
| 99 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' |
| 100 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' |
| 101 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' |
| 102 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[CFG] loading crls from '/etc/ipsec.d/crls' |
| 103 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[LIB] loaded crl file '/etc/ipsec.d/crls/strongswan.crl' |
| 104 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[CFG] loading secrets from '/etc/ipsec.secrets' |
| 105 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/moonKey.pem' |
| 106 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql |
| 107 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[KNL] listening on interfaces: |
| 108 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[KNL] eth1 |
| 109 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[KNL] 10.1.0.1 |
| 110 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[KNL] 2001:1::1 |
| 111 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[KNL] fec1::1 |
| 112 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[KNL] fe80::90fb:65ff:fea0:1d83 |
| 113 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[KNL] eth0 |
| 114 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[KNL] 192.168.0.1 |
| 115 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[KNL] 2001::1 |
| 116 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[KNL] fec0::1 |
| 117 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[KNL] fe80::fc27:dff:fe75:c32d |
| 118 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 01[JOB] spawning 16 worker threads |
| 119 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 08[CFG] crl caching to /etc/ipsec.d/crls enabled |
| 120 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 10[CFG] received stroke: add connection 'carol-mh' |
| 121 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 10[KNL] getting interface name for %any |
| 122 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 10[KNL] %any is not a local address |
| 123 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 10[KNL] getting interface name for 2001:1::1 |
| 124 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 10[KNL] 2001:1::1 is on interface eth1 |
| 125 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 10[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem' |
| 126 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 10[CFG] added configuration 'carol-mh': 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org] |
| 127 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 12[CFG] received stroke: add connection 'carol-tunnel' |
| 128 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 12[KNL] getting interface name for %any |
| 129 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 12[KNL] %any is not a local address |
| 130 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 12[KNL] getting interface name for 2001:1::1 |
| 131 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 12[KNL] 2001:1::1 is on interface eth1 |
| 132 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 12[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem' |
| 133 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 12[CFG] added child to existing configuration 'carol-mh' |
| 134 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 14[CFG] received stroke: add connection 'dave-mh' |
| 135 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 14[KNL] getting interface name for %any |
| 136 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 14[KNL] %any is not a local address |
| 137 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 14[KNL] getting interface name for 2001:1::1 |
| 138 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 14[KNL] 2001:1::1 is on interface eth1 |
| 139 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 14[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem' |
| 140 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 14[CFG] added configuration 'dave-mh': 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org] |
| 141 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 15[CFG] received stroke: add connection 'dave-tunnel' |
| 142 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 15[KNL] getting interface name for %any |
| 143 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 15[KNL] %any is not a local address |
| 144 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 15[KNL] getting interface name for 2001:1::1 |
| 145 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 15[KNL] 2001:1::1 is on interface eth1 |
| 146 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 15[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem' |
| 147 | 1 | Andreas Steffen | Nov 19 08:39:01 moon charon: 15[CFG] added child to existing configuration 'dave-mh' |
| 148 | 1 | Andreas Steffen | }}} |
| 149 | 1 | Andreas Steffen | |
| 150 | 1 | Andreas Steffen | Next the MIPv6 daemon is activated |
| 151 | 1 | Andreas Steffen | |
| 152 | 1 | Andreas Steffen | {{{ |
| 153 | 1 | Andreas Steffen | /etc/init.d/mip6d start |
| 154 | 1 | Andreas Steffen | |
| 155 | 1 | Andreas Steffen | Nov 19 08:39:05 moon mip6d[1490]: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Home Agent) |
| 156 | 1 | Andreas Steffen | }}} |
| 157 | 1 | Andreas Steffen | |
| 158 | 1 | Andreas Steffen | strongSwan is now waiting for the MN to initiate the IPsec transport SA for the Binding Update |
| 159 | 1 | Andreas Steffen | |
| 160 | 1 | Andreas Steffen | {{{ |
| 161 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 03[NET] received packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500] |
| 162 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] |
| 163 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 03[IKE] 2001::41a:a8ff:fe6f:c67 is initiating an IKE_SA |
| 164 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 03[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" |
| 165 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ] |
| 166 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 03[NET] sending packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500] |
| 167 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[NET] received packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500] |
| 168 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ] |
| 169 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" |
| 170 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org" |
| 171 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[CFG] using certificate "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org" |
| 172 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" |
| 173 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org" |
| 174 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" |
| 175 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" |
| 176 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[CFG] crl is valid: until Dec 13 07:58:20 2008 |
| 177 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[CFG] using cached crl |
| 178 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[CFG] certificate status is good |
| 179 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[IKE] authentication of 'carol@strongswan.org' with RSA signature successful |
| 180 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[CFG] found matching peer config "carol-mh": moon.strongswan.org...carol@strongswan.org with prio 40.5 |
| 181 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful |
| 182 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[IKE] scheduling rekeying in 3323s |
| 183 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[IKE] maximum IKE_SA lifetime 3503s |
| 184 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[IKE] IKE_SA carol-mh[1] established between 2001:1::1[moon.strongswan.org]...2001::41a:a8ff:fe6f:c67[carol@strongswan.org] |
| 185 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" |
| 186 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[CHD] other address: 2001::41a:a8ff:fe6f:c67 is a transport mode proxy for 2001:1::10 |
| 187 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[KNL] getting SPI for reqid {1} |
| 188 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[KNL] got SPI ca64ae98 for reqid {1} |
| 189 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[KNL] adding SAD entry with SPI ca64ae98 and reqid {1} |
| 190 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[KNL] using encryption algorithm AES_CBC with key size 128 |
| 191 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160 |
| 192 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[KNL] adding SAD entry with SPI c5959ac2 and reqid {1} |
| 193 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[KNL] using encryption algorithm AES_CBC with key size 128 |
| 194 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160 |
| 195 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[IKE] CHILD_SA carol-mh{1} established with SPIs ca64ae98_i c5959ac2_o and TS 2001:1::1/128[135] === 2001:1::10/128[135] |
| 196 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ] |
| 197 | 1 | Andreas Steffen | Nov 19 08:39:23 moon charon: 08[NET] sending packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500] |
| 198 | 1 | Andreas Steffen | }}} |
| 199 | 1 | Andreas Steffen | |
| 200 | 1 | Andreas Steffen | The MIPv6 daemon then sends some MIGRATE messages to strongSwan |
| 201 | 1 | Andreas Steffen | {{{ |
| 202 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE |
| 203 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] policy: 2001:1::10/128[135] === 2001:1::1/128[135] in |
| 204 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_KMADDRESS |
| 205 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67 |
| 206 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_POLICY_TYPE |
| 207 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_MIGRATE |
| 208 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] migrate ESP %any...%any to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {1} |
| 209 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] in with reqid {1} |
| 210 | 1 | Andreas Steffen | |
| 211 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 05[KNL] interface ip6tnl1 activated |
| 212 | 1 | Andreas Steffen | |
| 213 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE |
| 214 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] policy: 2001:1::1/128[135] === 2001:1::10/128[135] in |
| 215 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_KMADDRESS |
| 216 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67 |
| 217 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_POLICY_TYPE |
| 218 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_MIGRATE |
| 219 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] migrate ESP %any...%any to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {1} |
| 220 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] out with reqid {1} |
| 221 | 1 | Andreas Steffen | |
| 222 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE |
| 223 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] policy: 2001:1::10/128 === ::/0 out |
| 224 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_KMADDRESS |
| 225 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67 |
| 226 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_POLICY_TYPE |
| 227 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_MIGRATE |
| 228 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2} |
| 229 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2} |
| 230 | 1 | Andreas Steffen | |
| 231 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE |
| 232 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] policy: 2001:1::10/128 === ::/0 in |
| 233 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_KMADDRESS |
| 234 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67 |
| 235 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_POLICY_TYPE |
| 236 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_MIGRATE |
| 237 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2} |
| 238 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2} |
| 239 | 1 | Andreas Steffen | |
| 240 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE |
| 241 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] policy: ::/0 === 2001:1::10/128 fwd |
| 242 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_KMADDRESS |
| 243 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67 |
| 244 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_POLICY_TYPE |
| 245 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] XFRMA_MIGRATE |
| 246 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {2} |
| 247 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 out with reqid {2} |
| 248 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 11[JOB] no CHILD_SA found with reqid {2} |
| 249 | 1 | Andreas Steffen | }}} |
| 250 | 1 | Andreas Steffen | |
| 251 | 1 | Andreas Steffen | Immediately after that the MN initiates the IPsec payload tunnel SA |
| 252 | 1 | Andreas Steffen | |
| 253 | 1 | Andreas Steffen | {{{ |
| 254 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[NET] received packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500] |
| 255 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[ENC] parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ] |
| 256 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[KNL] getting SPI for reqid {2} |
| 257 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[KNL] got SPI c190d5ba for reqid {2} |
| 258 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[KNL] adding SAD entry with SPI c190d5ba and reqid {2} |
| 259 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[KNL] using encryption algorithm AES_CBC with key size 128 |
| 260 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160 |
| 261 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[KNL] adding SAD entry with SPI ce4db893 and reqid {2} |
| 262 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[KNL] using encryption algorithm AES_CBC with key size 128 |
| 263 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160 |
| 264 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[IKE] CHILD_SA carol-tunnel{2} established with SPIs c190d5ba_i ce4db893_o and TS ::/0 === 2001:1::10/128 |
| 265 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[ENC] generating CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ] |
| 266 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 14[NET] sending packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500] |
| 267 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 12[KNL] querying SAD entry with SPI c190d5ba for update |
| 268 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 12[KNL] querying replay state from SAD entry with SPI c190d5ba |
| 269 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 12[KNL] deleting SAD entry with SPI c190d5ba |
| 270 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 12[KNL] deleted SAD entry with SPI c190d5ba |
| 271 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 12[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67[500]..2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[0]..2001:1::1[0] |
| 272 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 12[KNL] querying SAD entry with SPI ce4db893 for update |
| 273 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 12[KNL] querying replay state from SAD entry with SPI ce4db893 |
| 274 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 12[KNL] deleting SAD entry with SPI ce4db893 |
| 275 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 12[KNL] deleted SAD entry with SPI ce4db893 |
| 276 | 1 | Andreas Steffen | Nov 19 08:39:24 moon charon: 12[KNL] updating SAD entry with SPI ce4db893 from 2001:1::1[500]..2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[0]..2001::41a:a8ff:fe6f:c67[0] |
| 277 | 1 | Andreas Steffen | }}} |
| 278 | 1 | Andreas Steffen | |
| 279 | 1 | Andreas Steffen | == IPsec Status after Establishment == |
| 280 | 1 | Andreas Steffen | |
| 281 | 1 | Andreas Steffen | {{{ |
| 282 | 1 | Andreas Steffen | ipsec statusall |
| 283 | 1 | Andreas Steffen | |
| 284 | 1 | Andreas Steffen | Performance: |
| 285 | 1 | Andreas Steffen | uptime: 2 minutes, since Nov 19 08:39:01 2008 |
| 286 | 1 | Andreas Steffen | worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2 |
| 287 | 1 | Andreas Steffen | loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql |
| 288 | 1 | Andreas Steffen | Listening IP addresses: |
| 289 | 1 | Andreas Steffen | 10.1.0.1 |
| 290 | 1 | Andreas Steffen | 2001:1::1 |
| 291 | 1 | Andreas Steffen | fec1::1 |
| 292 | 1 | Andreas Steffen | 192.168.0.1 |
| 293 | 1 | Andreas Steffen | 2001::1 |
| 294 | 1 | Andreas Steffen | fec0::1 |
| 295 | 1 | Andreas Steffen | Connections: |
| 296 | 1 | Andreas Steffen | carol-mh: 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org] |
| 297 | 1 | Andreas Steffen | carol-mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any |
| 298 | 1 | Andreas Steffen | carol-mh: public key authentication |
| 299 | 1 | Andreas Steffen | carol-mh: 2001:1::1/128[135] === 2001:1::10/128[135] |
| 300 | 1 | Andreas Steffen | carol-tunnel: ::/0 === 2001:1::10/128 |
| 301 | 1 | Andreas Steffen | dave-mh: 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org] |
| 302 | 1 | Andreas Steffen | dave-mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any |
| 303 | 1 | Andreas Steffen | dave-mh: public key authentication |
| 304 | 1 | Andreas Steffen | dave-mh: 2001:1::1/128[135] === 2001:1::20/128[135] |
| 305 | 1 | Andreas Steffen | dave-tunnel: ::/0 === 2001:1::20/128 |
| 306 | 1 | Andreas Steffen | Security Associations: |
| 307 | 1 | Andreas Steffen | carol-mh[1]: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::41a:a8ff:fe6f:c67[carol@strongswan.org] |
| 308 | 1 | Andreas Steffen | carol-mh[1]: IKE SPIs: 58b6f8e6f23188fa_i 63fdcfb55179c548_r*, rekeying in 53 minutes |
| 309 | 1 | Andreas Steffen | carol-mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT |
| 310 | 1 | Andreas Steffen | carol-mh{1}: INSTALLED, TRANSPORT_PROXY, ESP SPIs: ca64ae98_i c5959ac2_o |
| 311 | 1 | Andreas Steffen | carol-mh{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 12 minutes, last use: 101s_i no_o |
| 312 | 1 | Andreas Steffen | carol-mh{1}: 2001:1::1/128[135] === 2001:1::10/128[135] |
| 313 | 1 | Andreas Steffen | carol-tunnel{2}: INSTALLED, TUNNEL, ESP SPIs: c190d5ba_i ce4db893_o |
| 314 | 1 | Andreas Steffen | carol-tunnel{2}: AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o |
| 315 | 1 | Andreas Steffen | carol-tunnel{2}: ::/0 === 2001:1::10/128 |
| 316 | 1 | Andreas Steffen | |
| 317 | 1 | Andreas Steffen | }}} |
| 318 | 1 | Andreas Steffen | |
| 319 | 1 | Andreas Steffen | The IPsec policy in the Linux 2.6 kernel |
| 320 | 1 | Andreas Steffen | |
| 321 | 1 | Andreas Steffen | {{{ |
| 322 | 1 | Andreas Steffen | ip xfrm policy |
| 323 | 1 | Andreas Steffen | |
| 324 | 1 | Andreas Steffen | src 2001:1::10/128 dst 2001:1::1/128 proto 135 |
| 325 | 1 | Andreas Steffen | dir in priority 2 ptype main |
| 326 | 1 | Andreas Steffen | tmpl src :: dst :: |
| 327 | 1 | Andreas Steffen | proto esp reqid 1 mode transport |
| 328 | 1 | Andreas Steffen | |
| 329 | 1 | Andreas Steffen | src 2001:1::1/128 dst 2001:1::10/128 proto 135 |
| 330 | 1 | Andreas Steffen | dir out priority 2 ptype main |
| 331 | 1 | Andreas Steffen | tmpl src :: dst :: |
| 332 | 1 | Andreas Steffen | proto esp reqid 1 mode transport |
| 333 | 1 | Andreas Steffen | |
| 334 | 1 | Andreas Steffen | src 2001:1::20/128 dst 2001:1::1/128 proto 135 |
| 335 | 1 | Andreas Steffen | dir in priority 2 ptype main |
| 336 | 1 | Andreas Steffen | tmpl src :: dst :: |
| 337 | 1 | Andreas Steffen | proto esp reqid 3 mode transport |
| 338 | 1 | Andreas Steffen | |
| 339 | 1 | Andreas Steffen | src 2001:1::1/128 dst 2001:1::20/128 proto 135 |
| 340 | 1 | Andreas Steffen | dir out priority 2 ptype main |
| 341 | 1 | Andreas Steffen | tmpl src :: dst :: |
| 342 | 1 | Andreas Steffen | proto esp reqid 3 mode transport |
| 343 | 1 | Andreas Steffen | |
| 344 | 1 | Andreas Steffen | src 2001:1::10/128 dst ::/0 |
| 345 | 1 | Andreas Steffen | dir in priority 10 ptype main |
| 346 | 1 | Andreas Steffen | tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1 |
| 347 | 1 | Andreas Steffen | proto esp reqid 2 mode tunnel |
| 348 | 1 | Andreas Steffen | |
| 349 | 1 | Andreas Steffen | src 2001:1::10/128 dst ::/0 |
| 350 | 1 | Andreas Steffen | dir fwd priority 10 ptype main |
| 351 | 1 | Andreas Steffen | tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1 |
| 352 | 1 | Andreas Steffen | proto esp reqid 2 mode tunnel |
| 353 | 1 | Andreas Steffen | |
| 354 | 1 | Andreas Steffen | src ::/0 dst 2001:1::10/128 |
| 355 | 1 | Andreas Steffen | dir out priority 10 ptype main |
| 356 | 1 | Andreas Steffen | tmpl src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67 |
| 357 | 1 | Andreas Steffen | proto esp reqid 2 mode tunnel |
| 358 | 1 | Andreas Steffen | }}} |
| 359 | 1 | Andreas Steffen | |
| 360 | 1 | Andreas Steffen | and the IPsec state in the Linux 2.6 kernel |
| 361 | 1 | Andreas Steffen | |
| 362 | 1 | Andreas Steffen | {{{ |
| 363 | 1 | Andreas Steffen | ip xfrm state |
| 364 | 1 | Andreas Steffen | |
| 365 | 1 | Andreas Steffen | src :: dst :: |
| 366 | 1 | Andreas Steffen | proto hao reqid 0 mode ro |
| 367 | 1 | Andreas Steffen | replay-window 0 flag wildrecv |
| 368 | 1 | Andreas Steffen | coa :: |
| 369 | 1 | Andreas Steffen | sel src ::/0 dst ::/0 |
| 370 | 1 | Andreas Steffen | |
| 371 | 1 | Andreas Steffen | src 2001:1::10 dst 2001:1::1 |
| 372 | 1 | Andreas Steffen | proto esp spi 0xca64ae98 reqid 1 mode transport |
| 373 | 1 | Andreas Steffen | replay-window 32 |
| 374 | 1 | Andreas Steffen | auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611 |
| 375 | 1 | Andreas Steffen | enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20 |
| 376 | 1 | Andreas Steffen | sel src ::/0 dst ::/0 |
| 377 | 1 | Andreas Steffen | |
| 378 | 1 | Andreas Steffen | src 2001:1::1 dst 2001:1::10 |
| 379 | 1 | Andreas Steffen | proto esp spi 0xc5959ac2 reqid 1 mode transport |
| 380 | 1 | Andreas Steffen | replay-window 32 |
| 381 | 1 | Andreas Steffen | auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff |
| 382 | 1 | Andreas Steffen | enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359 |
| 383 | 1 | Andreas Steffen | sel src ::/0 dst ::/0 |
| 384 | 1 | Andreas Steffen | |
| 385 | 1 | Andreas Steffen | src 2001:1::1 dst 2001:1::10 |
| 386 | 1 | Andreas Steffen | proto route2 reqid 0 mode ro |
| 387 | 1 | Andreas Steffen | replay-window 0 |
| 388 | 1 | Andreas Steffen | coa 2001::41a:a8ff:fe6f:c67 |
| 389 | 1 | Andreas Steffen | lastused 2008-11-19 08:39:25 |
| 390 | 1 | Andreas Steffen | sel src 2001:1::1/128 dst 2001:1::10/128 |
| 391 | 1 | Andreas Steffen | |
| 392 | 1 | Andreas Steffen | src 2001:1::10 dst 2001:1::1 |
| 393 | 1 | Andreas Steffen | proto hao reqid 0 mode ro |
| 394 | 1 | Andreas Steffen | replay-window 0 |
| 395 | 1 | Andreas Steffen | coa 2001::41a:a8ff:fe6f:c67 |
| 396 | 1 | Andreas Steffen | sel src 2001:1::10/128 dst 2001:1::1/128 |
| 397 | 1 | Andreas Steffen | |
| 398 | 1 | Andreas Steffen | src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1 |
| 399 | 1 | Andreas Steffen | proto esp spi 0xc190d5ba reqid 2 mode tunnel |
| 400 | 1 | Andreas Steffen | replay-window 32 flag 20 |
| 401 | 1 | Andreas Steffen | auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02 |
| 402 | 1 | Andreas Steffen | enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56 |
| 403 | 1 | Andreas Steffen | |
| 404 | 1 | Andreas Steffen | src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67 |
| 405 | 1 | Andreas Steffen | proto esp spi 0xce4db893 reqid 2 mode tunnel |
| 406 | 1 | Andreas Steffen | replay-window 32 flag 20 |
| 407 | 1 | Andreas Steffen | auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af |
| 408 | 1 | Andreas Steffen | enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf |
| 409 | 1 | Andreas Steffen | }}} |
| 410 | 1 | Andreas Steffen | |
| 411 | 1 | Andreas Steffen | == Care-of-Address (CoA) Change == |
| 412 | 1 | Andreas Steffen | |
| 413 | 1 | Andreas Steffen | After some time the MN changes its Care-of-Address (CoA) to 2001::50 |
| 414 | 1 | Andreas Steffen | which is communicated to the HA via a Binding Update message. This |
| 415 | 1 | Andreas Steffen | causes the MIPv6 daemon to issue a MIGRATE message to strongSwan |
| 416 | 1 | Andreas Steffen | |
| 417 | 1 | Andreas Steffen | {{{ |
| 418 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE |
| 419 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] policy: 2001:1::10/128[135] === 2001:1::1/128[135] out |
| 420 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_KMADDRESS |
| 421 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::50 |
| 422 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_POLICY_TYPE |
| 423 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_MIGRATE |
| 424 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] migrate ESP %any...%any to 2001::50...2001:1::1, reqid {1} |
| 425 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] in with reqid {1} |
| 426 | 1 | Andreas Steffen | |
| 427 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE |
| 428 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] policy: 2001:1::1/128[135] === 2001:1::10/128[135] in |
| 429 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_KMADDRESS |
| 430 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::50 |
| 431 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_POLICY_TYPE |
| 432 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_MIGRATE |
| 433 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] migrate ESP %any...%any to 2001:1::1...2001::50, reqid {1} |
| 434 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] out with reqid {1} |
| 435 | 1 | Andreas Steffen | |
| 436 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE |
| 437 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] policy: 2001:1::10/128 === ::/0 out |
| 438 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_KMADDRESS |
| 439 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::50 |
| 440 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_POLICY_TYPE |
| 441 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_MIGRATE |
| 442 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2} |
| 443 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2} |
| 444 | 1 | Andreas Steffen | |
| 445 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry with SPI c190d5ba for update |
| 446 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 10[KNL] querying replay state from SAD entry with SPI c190d5ba |
| 447 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 10[KNL] deleting SAD entry with SPI c190d5ba |
| 448 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 10[KNL] deleted SAD entry with SPI c190d5ba |
| 449 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 10[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67[0]..2001:1::1[0] to 2001::50[0]..2001:1::1[0] |
| 450 | 1 | Andreas Steffen | |
| 451 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry with SPI ce4db893 for update |
| 452 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry failed: No such process (3) |
| 453 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 10[KNL] unable to update SAD entry with SPI ce4db893 |
| 454 | 1 | Andreas Steffen | |
| 455 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE |
| 456 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] policy: 2001:1::10/128 === ::/0 in |
| 457 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_KMADDRESS |
| 458 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::50 |
| 459 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_POLICY_TYPE |
| 460 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_MIGRATE |
| 461 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2} |
| 462 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2} |
| 463 | 1 | Andreas Steffen | |
| 464 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE |
| 465 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] policy: ::/0 === 2001:1::10/128 fwd |
| 466 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_KMADDRESS |
| 467 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::50 |
| 468 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_POLICY_TYPE |
| 469 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] XFRMA_MIGRATE |
| 470 | 1 | Andreas Steffen | Nov 19 08:41:56 moon charon: 04[KNL] migrate ESP 2001:1::1...2001::41a:a8ff:fe6f:c67 to 2001:1::1...2001::50, reqid {2} |
| 471 | 1 | Andreas Steffen | |
| 472 | 1 | Andreas Steffen | }}} |
| 473 | 1 | Andreas Steffen | |
| 474 | 1 | Andreas Steffen | == IPSec Status after CoA Change == |
| 475 | 1 | Andreas Steffen | |
| 476 | 1 | Andreas Steffen | {{{ |
| 477 | 1 | Andreas Steffen | ipsec statusall |
| 478 | 1 | Andreas Steffen | |
| 479 | 1 | Andreas Steffen | Performance: |
| 480 | 1 | Andreas Steffen | uptime: 3 minutes, since Nov 19 08:39:01 2008 |
| 481 | 1 | Andreas Steffen | worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2 |
| 482 | 1 | Andreas Steffen | loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql |
| 483 | 1 | Andreas Steffen | Listening IP addresses: |
| 484 | 1 | Andreas Steffen | 10.1.0.1 |
| 485 | 1 | Andreas Steffen | 2001:1::1 |
| 486 | 1 | Andreas Steffen | fec1::1 |
| 487 | 1 | Andreas Steffen | 192.168.0.1 |
| 488 | 1 | Andreas Steffen | 2001::1 |
| 489 | 1 | Andreas Steffen | fec0::1 |
| 490 | 1 | Andreas Steffen | Connections: |
| 491 | 1 | Andreas Steffen | carol-mh: 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org] |
| 492 | 1 | Andreas Steffen | carol-mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any |
| 493 | 1 | Andreas Steffen | carol-mh: public key authentication |
| 494 | 1 | Andreas Steffen | carol-mh: 2001:1::1/128[135] === 2001:1::10/128[135] |
| 495 | 1 | Andreas Steffen | |
| 496 | 1 | Andreas Steffen | carol-tunnel: ::/0 === 2001:1::10/128 |
| 497 | 1 | Andreas Steffen | dave-mh: 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org] |
| 498 | 1 | Andreas Steffen | dave-mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any |
| 499 | 1 | Andreas Steffen | dave-mh: public key authentication |
| 500 | 1 | Andreas Steffen | dave-mh: 2001:1::1/128[135] === 2001:1::20/128[135] |
| 501 | 1 | Andreas Steffen | dave-tunnel: ::/0 === 2001:1::20/128 |
| 502 | 1 | Andreas Steffen | Security Associations: |
| 503 | 1 | Andreas Steffen | carol-mh[1]: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::50[carol@strongswan.org] |
| 504 | 1 | Andreas Steffen | carol-mh[1]: IKE SPIs: 58b6f8e6f23188fa_i 63fdcfb55179c548_r*, rekeying in 52 minutes |
| 505 | 1 | Andreas Steffen | carol-mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT |
| 506 | 1 | Andreas Steffen | carol-mh{1}: INSTALLED, TRANSPORT_PROXY, ESP SPIs: ca64ae98_i c5959ac2_o |
| 507 | 1 | Andreas Steffen | carol-mh{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 11 minutes, last use: 45s_i no_o |
| 508 | 1 | Andreas Steffen | carol-mh{1}: 2001:1::1/128[135] === 2001:1::10/128[135] |
| 509 | 1 | Andreas Steffen | carol-tunnel{2}: INSTALLED, TUNNEL, ESP SPIs: c190d5ba_i ce4db893_o |
| 510 | 1 | Andreas Steffen | carol-tunnel{2}: AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 8s_i 8s_o |
| 511 | 1 | Andreas Steffen | carol-tunnel{2}: ::/0 === 2001:1::10/128 |
| 512 | 1 | Andreas Steffen | }}} |
| 513 | 1 | Andreas Steffen | |
| 514 | 1 | Andreas Steffen | and the IPsec state in the Linux 2.6 kernel |
| 515 | 1 | Andreas Steffen | |
| 516 | 1 | Andreas Steffen | {{{ |
| 517 | 1 | Andreas Steffen | ip xfrm state |
| 518 | 1 | Andreas Steffen | |
| 519 | 1 | Andreas Steffen | src :: dst :: |
| 520 | 1 | Andreas Steffen | proto hao reqid 0 mode ro |
| 521 | 1 | Andreas Steffen | replay-window 0 flag wildrecv |
| 522 | 1 | Andreas Steffen | coa :: |
| 523 | 1 | Andreas Steffen | sel src ::/0 dst ::/0 |
| 524 | 1 | Andreas Steffen | |
| 525 | 1 | Andreas Steffen | src 2001:1::10 dst 2001:1::1 |
| 526 | 1 | Andreas Steffen | proto esp spi 0xca64ae98 reqid 1 mode transport |
| 527 | 1 | Andreas Steffen | replay-window 32 |
| 528 | 1 | Andreas Steffen | auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611 |
| 529 | 1 | Andreas Steffen | enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20 |
| 530 | 1 | Andreas Steffen | sel src ::/0 dst ::/0 |
| 531 | 1 | Andreas Steffen | |
| 532 | 1 | Andreas Steffen | src 2001:1::1 dst 2001:1::10 |
| 533 | 1 | Andreas Steffen | proto esp spi 0xc5959ac2 reqid 1 mode transport |
| 534 | 1 | Andreas Steffen | replay-window 32 |
| 535 | 1 | Andreas Steffen | auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff |
| 536 | 1 | Andreas Steffen | enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359 |
| 537 | 1 | Andreas Steffen | sel src ::/0 dst ::/0 |
| 538 | 1 | Andreas Steffen | |
| 539 | 1 | Andreas Steffen | src 2001:1::1 dst 2001:1::10 |
| 540 | 1 | Andreas Steffen | proto route2 reqid 0 mode ro |
| 541 | 1 | Andreas Steffen | replay-window 0 |
| 542 | 1 | Andreas Steffen | coa 2001::50 |
| 543 | 1 | Andreas Steffen | lastused 2008-11-19 08:39:25 |
| 544 | 1 | Andreas Steffen | sel src 2001:1::1/128 dst 2001:1::10/128 |
| 545 | 1 | Andreas Steffen | |
| 546 | 1 | Andreas Steffen | src 2001:1::10 dst 2001:1::1 |
| 547 | 1 | Andreas Steffen | proto hao reqid 0 mode ro |
| 548 | 1 | Andreas Steffen | replay-window 0 |
| 549 | 1 | Andreas Steffen | coa 2001::50 |
| 550 | 1 | Andreas Steffen | sel src 2001:1::10/128 dst 2001:1::1/128 |
| 551 | 1 | Andreas Steffen | |
| 552 | 1 | Andreas Steffen | src 2001:1::1 dst 2001::50 |
| 553 | 1 | Andreas Steffen | proto esp spi 0xce4db893 reqid 2 mode tunnel |
| 554 | 1 | Andreas Steffen | replay-window 32 flag 20 |
| 555 | 1 | Andreas Steffen | auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af |
| 556 | 1 | Andreas Steffen | enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf |
| 557 | 1 | Andreas Steffen | |
| 558 | 1 | Andreas Steffen | src 2001::50 dst 2001:1::1 |
| 559 | 1 | Andreas Steffen | proto esp spi 0xc190d5ba reqid 2 mode tunnel |
| 560 | 1 | Andreas Steffen | replay-window 32 flag 20 |
| 561 | 1 | Andreas Steffen | auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02 |
| 562 | 1 | Andreas Steffen | enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56 |
| 563 | 1 | Andreas Steffen | }}} |