strongSwan

[[TOC(heading=MIPv6 HA Setup)]]

= MIPv6 Home Agent Setup =

== mip6d.conf ==

{{{

NodeConfig HA;

UseMnHaIPsec enabled;

KeyMngMobCapability enabled;

DefaultBindingAclPolicy deny;

Interface "eth0";

include "/etc/mip6d.conf.d/carol.mip6d.conf"

include "/etc/mip6d.conf.d/dave.mip6d.conf"

}}}

== mip6d.conf.d/carol.mip6d.conf ==

{{{

Interface "eth1";

IPsecPolicySet {

    HomeAgentAddress 2001:1::1;

    HomeAddress 2001:1::10/64;

    IPsecPolicy Mh UseESP 1;

    IPsecPolicy TunnelPayload UseESP 2;

}

BindingAclPolicy 2001:1::10 allow;

}}}

== mip6d.conf.d/dave.mip6d.conf ==

{{{

IPsecPolicySet {

    HomeAgentAddress 2001:1::1;

    HomeAddress 2001:1::20/64;

    IPsecPolicy Mh UseESP 3;

    IPsecPolicy TunnelPayload UseESP 4;

}

BindingAclPolicy 2001:1::20 allow;

}}}

== ipsec.conf ==

{{{

config setup

        crlcheckinterval=180

        plutostart=no

        charondebug="knl 2"

conn %default

        keyexchange=ikev2

        reauth=no

        mobike=no

        installpolicy=no

conn mh

        also=ha

        leftsubnet=2001:1::1/128

        leftprotoport=135/0

        rightprotoport=135/0

        type=transport_proxy

conn tunnel

        also=ha

        leftsubnet=::/0

conn ha

        left=2001:1::1

        leftcert=moonCert.pem

        leftid=@moon.strongswan.org

        right=%any

        ike=aes128-sha1-modp2048!

        esp=aes128-sha1-modp2048!

include /etc/ipsec.conf.d/carol.ipsec.conf

include /etc/ipsec.conf.d/dave.ipsec.conf

}}}

== ipsec.conf.d/carol.ipsec.conf ==

{{{

conn carol

        rightsubnet=2001:1::10/128

        rightid=carol@strongswan.org

conn carol-mh

        also=carol

        also=mh

        auto=add

conn carol-tunnel

        also=carol

        also=tunnel

        auto=add

}}}

== ipsec.conf.d/dave.ipsec.conf ==

{{{

conn dave 

        rightsubnet=2001:1::20/128

        rightid=dave@strongswan.org

conn dave-mh

        also=dave

        also=mh

        auto=add

conn dave-tunnel

        also=dave

        also=tunnel

        auto=add

}}}

== MN-to-HA Connection Establishment ==

Start strongSwan first and the IPsec connection definitions will be loaded

{{{

ipsec start

Nov 19 08:39:01 moon charon: 01[DMN] starting charon (strongSwan Version 4.2.9)

Nov 19 08:39:01 moon charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

Nov 19 08:39:01 moon charon: 01[LIB]   loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'

Nov 19 08:39:01 moon charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'

Nov 19 08:39:01 moon charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'

Nov 19 08:39:01 moon charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'

Nov 19 08:39:01 moon charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'

Nov 19 08:39:01 moon charon: 01[LIB]   loaded crl file '/etc/ipsec.d/crls/strongswan.crl'

Nov 19 08:39:01 moon charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'

Nov 19 08:39:01 moon charon: 01[CFG]   loaded private key file '/etc/ipsec.d/private/moonKey.pem'

Nov 19 08:39:01 moon charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 

Nov 19 08:39:01 moon charon: 01[KNL] listening on interfaces:

Nov 19 08:39:01 moon charon: 01[KNL]   eth1

Nov 19 08:39:01 moon charon: 01[KNL]     10.1.0.1

Nov 19 08:39:01 moon charon: 01[KNL]     2001:1::1

Nov 19 08:39:01 moon charon: 01[KNL]     fec1::1

Nov 19 08:39:01 moon charon: 01[KNL]     fe80::90fb:65ff:fea0:1d83

Nov 19 08:39:01 moon charon: 01[KNL]   eth0

Nov 19 08:39:01 moon charon: 01[KNL]     192.168.0.1

Nov 19 08:39:01 moon charon: 01[KNL]     2001::1

Nov 19 08:39:01 moon charon: 01[KNL]     fec0::1

Nov 19 08:39:01 moon charon: 01[KNL]     fe80::fc27:dff:fe75:c32d

Nov 19 08:39:01 moon charon: 01[JOB] spawning 16 worker threads

Nov 19 08:39:01 moon charon: 08[CFG] crl caching to /etc/ipsec.d/crls enabled

Nov 19 08:39:01 moon charon: 10[CFG] received stroke: add connection 'carol-mh'

Nov 19 08:39:01 moon charon: 10[KNL] getting interface name for %any

Nov 19 08:39:01 moon charon: 10[KNL] %any is not a local address

Nov 19 08:39:01 moon charon: 10[KNL] getting interface name for 2001:1::1

Nov 19 08:39:01 moon charon: 10[KNL] 2001:1::1 is on interface eth1

Nov 19 08:39:01 moon charon: 10[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 19 08:39:01 moon charon: 10[CFG] added configuration 'carol-mh': 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]

Nov 19 08:39:01 moon charon: 12[CFG] received stroke: add connection 'carol-tunnel'

Nov 19 08:39:01 moon charon: 12[KNL] getting interface name for %any

Nov 19 08:39:01 moon charon: 12[KNL] %any is not a local address

Nov 19 08:39:01 moon charon: 12[KNL] getting interface name for 2001:1::1

Nov 19 08:39:01 moon charon: 12[KNL] 2001:1::1 is on interface eth1

Nov 19 08:39:01 moon charon: 12[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 19 08:39:01 moon charon: 12[CFG] added child to existing configuration 'carol-mh'

Nov 19 08:39:01 moon charon: 14[CFG] received stroke: add connection 'dave-mh'

Nov 19 08:39:01 moon charon: 14[KNL] getting interface name for %any

Nov 19 08:39:01 moon charon: 14[KNL] %any is not a local address

Nov 19 08:39:01 moon charon: 14[KNL] getting interface name for 2001:1::1

Nov 19 08:39:01 moon charon: 14[KNL] 2001:1::1 is on interface eth1

Nov 19 08:39:01 moon charon: 14[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 19 08:39:01 moon charon: 14[CFG] added configuration 'dave-mh': 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]

Nov 19 08:39:01 moon charon: 15[CFG] received stroke: add connection 'dave-tunnel'

Nov 19 08:39:01 moon charon: 15[KNL] getting interface name for %any

Nov 19 08:39:01 moon charon: 15[KNL] %any is not a local address

Nov 19 08:39:01 moon charon: 15[KNL] getting interface name for 2001:1::1

Nov 19 08:39:01 moon charon: 15[KNL] 2001:1::1 is on interface eth1

Nov 19 08:39:01 moon charon: 15[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 19 08:39:01 moon charon: 15[CFG] added child to existing configuration 'dave-mh'

}}}

Next the MIPv6 daemon is activated

{{{

/etc/init.d/mip6d start

Nov 19 08:39:05 moon mip6d[1490]: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Home Agent)

}}}

strongSwan is now waiting for the MN to initiate the IPsec transport SA for the Binding Update

{{{

Nov 19 08:39:23 moon charon: 03[NET] received packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]

Nov 19 08:39:23 moon charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

Nov 19 08:39:23 moon charon: 03[IKE] 2001::41a:a8ff:fe6f:c67 is initiating an IKE_SA

Nov 19 08:39:23 moon charon: 03[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 moon charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]

Nov 19 08:39:23 moon charon: 03[NET] sending packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]

Nov 19 08:39:23 moon charon: 08[NET] received packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]

Nov 19 08:39:23 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]

Nov 19 08:39:23 moon charon: 08[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 moon charon: 08[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 19 08:39:23 moon charon: 08[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 19 08:39:23 moon charon: 08[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 moon charon: 08[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 19 08:39:23 moon charon: 08[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 moon charon: 08[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 moon charon: 08[CFG]   crl is valid: until Dec 13 07:58:20 2008

Nov 19 08:39:23 moon charon: 08[CFG]   using cached crl

Nov 19 08:39:23 moon charon: 08[CFG] certificate status is good

Nov 19 08:39:23 moon charon: 08[IKE] authentication of 'carol@strongswan.org' with RSA signature successful

Nov 19 08:39:23 moon charon: 08[CFG] found matching peer config "carol-mh": moon.strongswan.org...carol@strongswan.org with prio 40.5

Nov 19 08:39:23 moon charon: 08[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful

Nov 19 08:39:23 moon charon: 08[IKE] scheduling rekeying in 3323s

Nov 19 08:39:23 moon charon: 08[IKE] maximum IKE_SA lifetime 3503s

Nov 19 08:39:23 moon charon: 08[IKE] IKE_SA carol-mh[1] established between 2001:1::1[moon.strongswan.org]...2001::41a:a8ff:fe6f:c67[carol@strongswan.org]

Nov 19 08:39:23 moon charon: 08[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"

Nov 19 08:39:23 moon charon: 08[CHD] other address: 2001::41a:a8ff:fe6f:c67 is a transport mode proxy for 2001:1::10

Nov 19 08:39:23 moon charon: 08[KNL] getting SPI for reqid {1}

Nov 19 08:39:23 moon charon: 08[KNL] got SPI ca64ae98 for reqid {1}

Nov 19 08:39:23 moon charon: 08[KNL] adding SAD entry with SPI ca64ae98 and reqid {1}

Nov 19 08:39:23 moon charon: 08[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 19 08:39:23 moon charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 19 08:39:23 moon charon: 08[KNL] adding SAD entry with SPI c5959ac2 and reqid {1}

Nov 19 08:39:23 moon charon: 08[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 19 08:39:23 moon charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 19 08:39:23 moon charon: 08[IKE] CHILD_SA carol-mh{1} established with SPIs ca64ae98_i c5959ac2_o and TS 2001:1::1/128[135] === 2001:1::10/128[135] 

Nov 19 08:39:23 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]

Nov 19 08:39:23 moon charon: 08[NET] sending packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]

}}}

The MIPv6 daemon then sends some MIGRATE messages to strongSwan

{{{

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::10/128[135] === 2001:1::1/128[135] in

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP %any...%any to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {1}

Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] in with reqid {1}

Nov 19 08:39:24 moon charon: 05[KNL] interface ip6tnl1 activated

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::1/128[135] === 2001:1::10/128[135] in

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {1}

Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] out with reqid {1}

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 out

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}

Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 in

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}

Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   policy: ::/0 === 2001:1::10/128 fwd

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {2}

Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 out with reqid {2}

Nov 19 08:39:24 moon charon: 11[JOB] no CHILD_SA found with reqid {2}

}}}

Immediately after that the MN initiates the IPsec payload tunnel SA

{{{

Nov 19 08:39:24 moon charon: 14[NET] received packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]

Nov 19 08:39:24 moon charon: 14[ENC] parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]

Nov 19 08:39:24 moon charon: 14[KNL] getting SPI for reqid {2}

Nov 19 08:39:24 moon charon: 14[KNL] got SPI c190d5ba for reqid {2}

Nov 19 08:39:24 moon charon: 14[KNL] adding SAD entry with SPI c190d5ba and reqid {2}

Nov 19 08:39:24 moon charon: 14[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 19 08:39:24 moon charon: 14[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 19 08:39:24 moon charon: 14[KNL] adding SAD entry with SPI ce4db893 and reqid {2}

Nov 19 08:39:24 moon charon: 14[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 19 08:39:24 moon charon: 14[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 19 08:39:24 moon charon: 14[IKE] CHILD_SA carol-tunnel{2} established with SPIs c190d5ba_i ce4db893_o and TS ::/0 === 2001:1::10/128 

Nov 19 08:39:24 moon charon: 14[ENC] generating CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]

Nov 19 08:39:24 moon charon: 14[NET] sending packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]

Nov 19 08:39:24 moon charon: 12[KNL] querying SAD entry with SPI c190d5ba for update

Nov 19 08:39:24 moon charon: 12[KNL] querying replay state from SAD entry with SPI c190d5ba

Nov 19 08:39:24 moon charon: 12[KNL] deleting SAD entry with SPI c190d5ba

Nov 19 08:39:24 moon charon: 12[KNL] deleted SAD entry with SPI c190d5ba

Nov 19 08:39:24 moon charon: 12[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67[500]..2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[0]..2001:1::1[0]

Nov 19 08:39:24 moon charon: 12[KNL] querying SAD entry with SPI ce4db893 for update

Nov 19 08:39:24 moon charon: 12[KNL] querying replay state from SAD entry with SPI ce4db893

Nov 19 08:39:24 moon charon: 12[KNL] deleting SAD entry with SPI ce4db893

Nov 19 08:39:24 moon charon: 12[KNL] deleted SAD entry with SPI ce4db893

Nov 19 08:39:24 moon charon: 12[KNL] updating SAD entry with SPI ce4db893 from 2001:1::1[500]..2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[0]..2001::41a:a8ff:fe6f:c67[0]

}}}

== IPsec Status after Establishment ==

{{{

ipsec statusall

Performance:

  uptime: 2 minutes, since Nov 19 08:39:01 2008

  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2

  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 

Listening IP addresses:

  10.1.0.1

  2001:1::1

  fec1::1

  192.168.0.1

  2001::1

  fec0::1

Connections:

    carol-mh:  2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]

    carol-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

    carol-mh:  public key authentication

    carol-mh:    2001:1::1/128[135] === 2001:1::10/128[135] 

carol-tunnel:    ::/0 === 2001:1::10/128 

     dave-mh:  2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]

     dave-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

     dave-mh:  public key authentication

     dave-mh:    2001:1::1/128[135] === 2001:1::20/128[135] 

 dave-tunnel:    ::/0 === 2001:1::20/128 

Security Associations:

    carol-mh[1]: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::41a:a8ff:fe6f:c67[carol@strongswan.org]

    carol-mh[1]: IKE SPIs: 58b6f8e6f23188fa_i 63fdcfb55179c548_r*, rekeying in 53 minutes

    carol-mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT

    carol-mh{1}:  INSTALLED, TRANSPORT_PROXY, ESP SPIs: ca64ae98_i c5959ac2_o

    carol-mh{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 12 minutes, last use: 101s_i no_o 

    carol-mh{1}:   2001:1::1/128[135] === 2001:1::10/128[135] 

carol-tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: c190d5ba_i ce4db893_o

carol-tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o 

carol-tunnel{2}:   ::/0 === 2001:1::10/128 

}}}

The IPsec policy in the Linux 2.6 kernel

{{{

ip xfrm policy

src 2001:1::10/128 dst 2001:1::1/128 proto 135 

        dir in priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 1 mode transport

src 2001:1::1/128 dst 2001:1::10/128 proto 135 

        dir out priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 1 mode transport

src 2001:1::20/128 dst 2001:1::1/128 proto 135 

        dir in priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 3 mode transport

src 2001:1::1/128 dst 2001:1::20/128 proto 135 

        dir out priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 3 mode transport

src 2001:1::10/128 dst ::/0 

        dir in priority 10 ptype main 

        tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1

                proto esp reqid 2 mode tunnel

src 2001:1::10/128 dst ::/0 

        dir fwd priority 10 ptype main 

        tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1

                proto esp reqid 2 mode tunnel

src ::/0 dst 2001:1::10/128 

        dir out priority 10 ptype main 

        tmpl src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67

                proto esp reqid 2 mode tunnel

}}}

and the IPsec state in the Linux 2.6 kernel

{{{

ip xfrm state

src :: dst ::

        proto hao reqid 0 mode ro

        replay-window 0 flag wildrecv

        coa ::

        sel src ::/0 dst ::/0 

src 2001:1::10 dst 2001:1::1

        proto esp spi 0xca64ae98 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611

        enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto esp spi 0xc5959ac2 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff

        enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto route2 reqid 0 mode ro

        replay-window 0 

        coa 2001::41a:a8ff:fe6f:c67

        lastused 2008-11-19 08:39:25

        sel src 2001:1::1/128 dst 2001:1::10/128 

src 2001:1::10 dst 2001:1::1

        proto hao reqid 0 mode ro

        replay-window 0 

        coa 2001::41a:a8ff:fe6f:c67

        sel src 2001:1::10/128 dst 2001:1::1/128 

src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1

        proto esp spi 0xc190d5ba reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02

        enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56

src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67

        proto esp spi 0xce4db893 reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af

        enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf

}}}

== Care-of-Address (CoA) Change ==

After some time the MN changes its Care-of-Address (CoA) to 2001::50

which is communicated to the HA via a Binding Update message. This

causes the MIPv6 daemon to issue a MIGRATE message to strongSwan

{{{

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128[135] === 2001:1::1/128[135] out

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP %any...%any to 2001::50...2001:1::1, reqid {1}

Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] in with reqid {1}

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::1/128[135] === 2001:1::10/128[135] in

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::50, reqid {1}

Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] out with reqid {1}

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 out

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}

Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}

Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry with SPI c190d5ba for update

Nov 19 08:41:56 moon charon: 10[KNL] querying replay state from SAD entry with SPI c190d5ba

Nov 19 08:41:56 moon charon: 10[KNL] deleting SAD entry with SPI c190d5ba

Nov 19 08:41:56 moon charon: 10[KNL] deleted SAD entry with SPI c190d5ba

Nov 19 08:41:56 moon charon: 10[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67[0]..2001:1::1[0] to 2001::50[0]..2001:1::1[0]

Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry with SPI ce4db893 for update

Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry failed: No such process (3)

Nov 19 08:41:56 moon charon: 10[KNL] unable to update SAD entry with SPI ce4db893

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 in

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}

Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   policy: ::/0 === 2001:1::10/128 fwd

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001:1::1...2001::41a:a8ff:fe6f:c67 to 2001:1::1...2001::50, reqid {2}

}}}

== IPSec Status after CoA Change ==

{{{

ipsec statusall

Performance:

  uptime: 3 minutes, since Nov 19 08:39:01 2008

  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2

  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 

Listening IP addresses:

  10.1.0.1

  2001:1::1

  fec1::1

  192.168.0.1

  2001::1

  fec0::1

Connections:

    carol-mh:  2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]

    carol-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

    carol-mh:  public key authentication

    carol-mh:    2001:1::1/128[135] === 2001:1::10/128[135] 

carol-tunnel:    ::/0 === 2001:1::10/128 

     dave-mh:  2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]

     dave-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

     dave-mh:  public key authentication

     dave-mh:    2001:1::1/128[135] === 2001:1::20/128[135] 

 dave-tunnel:    ::/0 === 2001:1::20/128 

Security Associations:

    carol-mh[1]: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::50[carol@strongswan.org]

    carol-mh[1]: IKE SPIs: 58b6f8e6f23188fa_i 63fdcfb55179c548_r*, rekeying in 52 minutes

    carol-mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT

    carol-mh{1}:  INSTALLED, TRANSPORT_PROXY, ESP SPIs: ca64ae98_i c5959ac2_o

    carol-mh{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 11 minutes, last use: 45s_i no_o 

    carol-mh{1}:   2001:1::1/128[135] === 2001:1::10/128[135] 

carol-tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: c190d5ba_i ce4db893_o

carol-tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 8s_i 8s_o 

carol-tunnel{2}:   ::/0 === 2001:1::10/128

}}}

and the IPsec state in the Linux 2.6 kernel

{{{

ip xfrm state

src :: dst ::

        proto hao reqid 0 mode ro

        replay-window 0 flag wildrecv

        coa ::

        sel src ::/0 dst ::/0 

src 2001:1::10 dst 2001:1::1

        proto esp spi 0xca64ae98 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611

        enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto esp spi 0xc5959ac2 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff

        enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto route2 reqid 0 mode ro

        replay-window 0 

        coa 2001::50

        lastused 2008-11-19 08:39:25

        sel src 2001:1::1/128 dst 2001:1::10/128 

src 2001:1::10 dst 2001:1::1

        proto hao reqid 0 mode ro

        replay-window 0 

        coa 2001::50

        sel src 2001:1::10/128 dst 2001:1::1/128 

src 2001:1::1 dst 2001::50

        proto esp spi 0xce4db893 reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af

        enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf

src 2001::50 dst 2001:1::1

        proto esp spi 0xc190d5ba reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02

        enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56

}}}