strongSwan

{{>toc}}

h1. MIPv6 Home Agent Setup

h2. mip6d.conf

<pre>

NodeConfig HA;

UseMnHaIPsec enabled;

KeyMngMobCapability enabled;

DefaultBindingAclPolicy deny;

Interface "eth0";

include "/etc/mip6d.conf.d/carol.mip6d.conf"

include "/etc/mip6d.conf.d/dave.mip6d.conf"

</pre>

h2. mip6d.conf.d/carol.mip6d.conf

<pre>

Interface "eth1";

IPsecPolicySet {

    HomeAgentAddress 2001:1::1;

    HomeAddress 2001:1::10/64;

    IPsecPolicy Mh UseESP 1;

    IPsecPolicy TunnelPayload UseESP 2;

}

BindingAclPolicy 2001:1::10 allow;

</pre>

h2. mip6d.conf.d/dave.mip6d.conf

<pre>

IPsecPolicySet {

    HomeAgentAddress 2001:1::1;

    HomeAddress 2001:1::20/64;

    IPsecPolicy Mh UseESP 3;

    IPsecPolicy TunnelPayload UseESP 4;

}

BindingAclPolicy 2001:1::20 allow;

</pre>

*A word of WARNING:*

The *reqid* defined in the IPsecPolicy lines of the *mip6d.conf* files currently must exactly match

the *reqid* assigned by strongSwan to the corresponding IPsec SA. strongSwan does the assignment using

a linear counter starting with reqid 1. Otherwise the communication between the mip6d and strongSwan daemons

via MIGRATE and ACQUIRE kernel messages is simply not going to work. Thus make sure that you start up the

MN-HA connections in the correct order, i.e. in our example first the connection from MN *carol*

(reqids 1 and 2) and only after that the connection from MN *dave* (reqids 3 and 4). We are aware that

this is a severe restriction and are working on a more robust scheme.

h2. ipsec.conf

<pre>

config setup

        crlcheckinterval=180

        plutostart=no

        charondebug="knl 2"

conn %default

        keyexchange=ikev2

        reauth=no

        mobike=no

        installpolicy=no

conn mh

        also=ha

        leftsubnet=2001:1::1/128

        leftprotoport=135/0

        rightprotoport=135/0

        type=transport_proxy

conn tunnel

        also=ha

        leftsubnet=::/0

conn ha

        left=2001:1::1

        leftcert=moonCert.pem

        leftid=@moon.strongswan.org

        right=%any

        ike=aes128-sha1-modp2048!

        esp=aes128-sha1-modp2048!

include /etc/ipsec.conf.d/carol.ipsec.conf

include /etc/ipsec.conf.d/dave.ipsec.conf

</pre>

h2. ipsec.conf.d/carol.ipsec.conf

<pre>

conn carol

        rightsubnet=2001:1::10/128

        rightid=carol@strongswan.org

conn carol-mh

        also=carol

        also=mh

        auto=add

conn carol-tunnel

        also=carol

        also=tunnel

        auto=add

</pre>

h2. ipsec.conf.d/dave.ipsec.conf

<pre>

conn dave 

        rightsubnet=2001:1::20/128

        rightid=dave@strongswan.org

conn dave-mh

        also=dave

        also=mh

        auto=add

conn dave-tunnel

        also=dave

        also=tunnel

        auto=add

</pre>

h2. MN-to-HA Connection Establishment

Start strongSwan first and the IPsec connection definitions will be loaded

<pre>

ipsec start

Nov 19 08:39:01 moon charon: 01[DMN] starting charon (strongSwan Version 4.2.9)

Nov 19 08:39:01 moon charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

Nov 19 08:39:01 moon charon: 01[LIB]   loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'

Nov 19 08:39:01 moon charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'

Nov 19 08:39:01 moon charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'

Nov 19 08:39:01 moon charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'

Nov 19 08:39:01 moon charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'

Nov 19 08:39:01 moon charon: 01[LIB]   loaded crl file '/etc/ipsec.d/crls/strongswan.crl'

Nov 19 08:39:01 moon charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'

Nov 19 08:39:01 moon charon: 01[CFG]   loaded private key file '/etc/ipsec.d/private/moonKey.pem'

Nov 19 08:39:01 moon charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 

Nov 19 08:39:01 moon charon: 01[KNL] listening on interfaces:

Nov 19 08:39:01 moon charon: 01[KNL]   eth1

Nov 19 08:39:01 moon charon: 01[KNL]     10.1.0.1

Nov 19 08:39:01 moon charon: 01[KNL]     2001:1::1

Nov 19 08:39:01 moon charon: 01[KNL]     fec1::1

Nov 19 08:39:01 moon charon: 01[KNL]     fe80::90fb:65ff:fea0:1d83

Nov 19 08:39:01 moon charon: 01[KNL]   eth0

Nov 19 08:39:01 moon charon: 01[KNL]     192.168.0.1

Nov 19 08:39:01 moon charon: 01[KNL]     2001::1

Nov 19 08:39:01 moon charon: 01[KNL]     fec0::1

Nov 19 08:39:01 moon charon: 01[KNL]     fe80::fc27:dff:fe75:c32d

Nov 19 08:39:01 moon charon: 01[JOB] spawning 16 worker threads

Nov 19 08:39:01 moon charon: 08[CFG] crl caching to /etc/ipsec.d/crls enabled

Nov 19 08:39:01 moon charon: 10[CFG] received stroke: add connection 'carol-mh'

Nov 19 08:39:01 moon charon: 10[KNL] getting interface name for %any

Nov 19 08:39:01 moon charon: 10[KNL] %any is not a local address

Nov 19 08:39:01 moon charon: 10[KNL] getting interface name for 2001:1::1

Nov 19 08:39:01 moon charon: 10[KNL] 2001:1::1 is on interface eth1

Nov 19 08:39:01 moon charon: 10[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 19 08:39:01 moon charon: 10[CFG] added configuration 'carol-mh': 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]

Nov 19 08:39:01 moon charon: 12[CFG] received stroke: add connection 'carol-tunnel'

Nov 19 08:39:01 moon charon: 12[KNL] getting interface name for %any

Nov 19 08:39:01 moon charon: 12[KNL] %any is not a local address

Nov 19 08:39:01 moon charon: 12[KNL] getting interface name for 2001:1::1

Nov 19 08:39:01 moon charon: 12[KNL] 2001:1::1 is on interface eth1

Nov 19 08:39:01 moon charon: 12[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 19 08:39:01 moon charon: 12[CFG] added child to existing configuration 'carol-mh'

Nov 19 08:39:01 moon charon: 14[CFG] received stroke: add connection 'dave-mh'

Nov 19 08:39:01 moon charon: 14[KNL] getting interface name for %any

Nov 19 08:39:01 moon charon: 14[KNL] %any is not a local address

Nov 19 08:39:01 moon charon: 14[KNL] getting interface name for 2001:1::1

Nov 19 08:39:01 moon charon: 14[KNL] 2001:1::1 is on interface eth1

Nov 19 08:39:01 moon charon: 14[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 19 08:39:01 moon charon: 14[CFG] added configuration 'dave-mh': 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]

Nov 19 08:39:01 moon charon: 15[CFG] received stroke: add connection 'dave-tunnel'

Nov 19 08:39:01 moon charon: 15[KNL] getting interface name for %any

Nov 19 08:39:01 moon charon: 15[KNL] %any is not a local address

Nov 19 08:39:01 moon charon: 15[KNL] getting interface name for 2001:1::1

Nov 19 08:39:01 moon charon: 15[KNL] 2001:1::1 is on interface eth1

Nov 19 08:39:01 moon charon: 15[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 19 08:39:01 moon charon: 15[CFG] added child to existing configuration 'dave-mh'

</pre>

Next the MIPv6 daemon is activated

<pre>

/etc/init.d/mip6d start

Nov 19 08:39:05 moon mip6dr1490: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Home Agent)

</pre>

strongSwan is now waiting for the MN to initiate the IPsec transport SA for the Binding Update

<pre>

Nov 19 08:39:23 moon charon: 03[NET] received packet: from 2001::41a:a8ff:fe6f:c67r500 to 2001:1::1r500

Nov 19 08:39:23 moon charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

Nov 19 08:39:23 moon charon: 03[IKE] 2001::41a:a8ff:fe6f:c67 is initiating an IKE_SA

Nov 19 08:39:23 moon charon: 03[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 moon charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]

Nov 19 08:39:23 moon charon: 03[NET] sending packet: from 2001:1::1r500 to 2001::41a:a8ff:fe6f:c67r500

Nov 19 08:39:23 moon charon: 08[NET] received packet: from 2001::41a:a8ff:fe6f:c67r500 to 2001:1::1r500

Nov 19 08:39:23 moon charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]

Nov 19 08:39:23 moon charon: 08[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 moon charon: 08[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 19 08:39:23 moon charon: 08[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 19 08:39:23 moon charon: 08[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 moon charon: 08[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 19 08:39:23 moon charon: 08[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 moon charon: 08[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 moon charon: 08[CFG]   crl is valid: until Dec 13 07:58:20 2008

Nov 19 08:39:23 moon charon: 08[CFG]   using cached crl

Nov 19 08:39:23 moon charon: 08[CFG] certificate status is good

Nov 19 08:39:23 moon charon: 08[IKE] authentication of 'carol@strongswan.org' with RSA signature successful

Nov 19 08:39:23 moon charon: 08[CFG] found matching peer config "carol-mh": moon.strongswan.org...carol@strongswan.org with prio 40.5

Nov 19 08:39:23 moon charon: 08[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful

Nov 19 08:39:23 moon charon: 08[IKE] scheduling rekeying in 3323s

Nov 19 08:39:23 moon charon: 08[IKE] maximum IKE_SA lifetime 3503s

Nov 19 08:39:23 moon charon: 08[IKE] IKE_SA carol-mhr1 established between 2001:1::1[moon.strongswan.org]...2001::41a:a8ff:fe6f:c67[carol@strongswan.org]

Nov 19 08:39:23 moon charon: 08[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"

Nov 19 08:39:23 moon charon: 08[CHD] other address: 2001::41a:a8ff:fe6f:c67 is a transport mode proxy for 2001:1::10

Nov 19 08:39:23 moon charon: 08[KNL] getting SPI for reqid {1}

Nov 19 08:39:23 moon charon: 08[KNL] got SPI ca64ae98 for reqid {1}

Nov 19 08:39:23 moon charon: 08[KNL] adding SAD entry with SPI ca64ae98 and reqid {1}

Nov 19 08:39:23 moon charon: 08[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 19 08:39:23 moon charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 19 08:39:23 moon charon: 08[KNL] adding SAD entry with SPI c5959ac2 and reqid {1}

Nov 19 08:39:23 moon charon: 08[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 19 08:39:23 moon charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 19 08:39:23 moon charon: 08[IKE] CHILD_SA carol-mh{1} established with SPIs ca64ae98_i c5959ac2_o and TS 2001:1::1/128r135 === 2001:1::10/128r135 

Nov 19 08:39:23 moon charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]

Nov 19 08:39:23 moon charon: 08[NET] sending packet: from 2001:1::1r500 to 2001::41a:a8ff:fe6f:c67r500

</pre>

The MIPv6 daemon then sends some MIGRATE messages to strongSwan

<pre>

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::10/128r135 === 2001:1::1/128r135 in

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP %any...%any to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {1}

Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128r135 === 2001:1::1/128r135 in with reqid {1}

Nov 19 08:39:24 moon charon: 05[KNL] interface ip6tnl1 activated

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::1/128r135 === 2001:1::10/128r135 in

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {1}

Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128r135 === 2001:1::10/128r135 out with reqid {1}

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 out

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}

Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 in

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}

Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}

Nov 19 08:39:24 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   policy: ::/0 === 2001:1::10/128 fwd

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:24 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::41a:a8ff:fe6f:c67

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:24 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:24 moon charon: 04[KNL]   migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {2}

Nov 19 08:39:24 moon charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 out with reqid {2}

Nov 19 08:39:24 moon charon: 11[JOB] no CHILD_SA found with reqid {2}

</pre>

Immediately after that the MN initiates the IPsec payload tunnel SA

<pre>

Nov 19 08:39:24 moon charon: 14[NET] received packet: from 2001::41a:a8ff:fe6f:c67r500 to 2001:1::1r500

Nov 19 08:39:24 moon charon: 14[ENC] parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]

Nov 19 08:39:24 moon charon: 14[KNL] getting SPI for reqid {2}

Nov 19 08:39:24 moon charon: 14[KNL] got SPI c190d5ba for reqid {2}

Nov 19 08:39:24 moon charon: 14[KNL] adding SAD entry with SPI c190d5ba and reqid {2}

Nov 19 08:39:24 moon charon: 14[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 19 08:39:24 moon charon: 14[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 19 08:39:24 moon charon: 14[KNL] adding SAD entry with SPI ce4db893 and reqid {2}

Nov 19 08:39:24 moon charon: 14[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 19 08:39:24 moon charon: 14[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 19 08:39:24 moon charon: 14[IKE] CHILD_SA carol-tunnel{2} established with SPIs c190d5ba_i ce4db893_o and TS ::/0 === 2001:1::10/128 

Nov 19 08:39:24 moon charon: 14[ENC] generating CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]

Nov 19 08:39:24 moon charon: 14[NET] sending packet: from 2001:1::1r500 to 2001::41a:a8ff:fe6f:c67r500

Nov 19 08:39:24 moon charon: 12[KNL] querying SAD entry with SPI c190d5ba for update

Nov 19 08:39:24 moon charon: 12[KNL] querying replay state from SAD entry with SPI c190d5ba

Nov 19 08:39:24 moon charon: 12[KNL] deleting SAD entry with SPI c190d5ba

Nov 19 08:39:24 moon charon: 12[KNL] deleted SAD entry with SPI c190d5ba

Nov 19 08:39:24 moon charon: 12[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67r500..2001:1::1r500 to 2001::41a:a8ff:fe6f:c67r0..2001:1::1r0

Nov 19 08:39:24 moon charon: 12[KNL] querying SAD entry with SPI ce4db893 for update

Nov 19 08:39:24 moon charon: 12[KNL] querying replay state from SAD entry with SPI ce4db893

Nov 19 08:39:24 moon charon: 12[KNL] deleting SAD entry with SPI ce4db893

Nov 19 08:39:24 moon charon: 12[KNL] deleted SAD entry with SPI ce4db893

Nov 19 08:39:24 moon charon: 12[KNL] updating SAD entry with SPI ce4db893 from 2001:1::1r500..2001::41a:a8ff:fe6f:c67r500 to 2001:1::1r0..2001::41a:a8ff:fe6f:c67r0

</pre>

h2. IPsec Status after Establishment

<pre>

ipsec statusall

Performance:

  uptime: 2 minutes, since Nov 19 08:39:01 2008

  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2

  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 

Listening IP addresses:

  10.1.0.1

  2001:1::1

  fec1::1

  192.168.0.1

  2001::1

  fec0::1

Connections:

    carol-mh:  2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]

    carol-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

    carol-mh:  public key authentication

    carol-mh:    2001:1::1/128r135 === 2001:1::10/128r135 

carol-tunnel:    ::/0 === 2001:1::10/128 

     dave-mh:  2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]

     dave-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

     dave-mh:  public key authentication

     dave-mh:    2001:1::1/128r135 === 2001:1::20/128r135 

 dave-tunnel:    ::/0 === 2001:1::20/128 

Security Associations:

    carol-mhr1: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::41a:a8ff:fe6f:c67[carol@strongswan.org]

    carol-mhr1: IKE SPIs: 58b6f8e6f23188fa_i 63fdcfb55179c548_r*, rekeying in 53 minutes

    carol-mhr1: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT

    carol-mh{1}:  INSTALLED, TRANSPORT_PROXY, ESP SPIs: ca64ae98_i c5959ac2_o

    carol-mh{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 12 minutes, last use: 101s_i no_o 

    carol-mh{1}:   2001:1::1/128r135 === 2001:1::10/128r135 

carol-tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: c190d5ba_i ce4db893_o

carol-tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 2s_i 2s_o 

carol-tunnel{2}:   ::/0 === 2001:1::10/128 

</pre>

The IPsec policy in the Linux 2.6 kernel

<pre>

ip xfrm policy

src 2001:1::10/128 dst 2001:1::1/128 proto 135 

        dir in priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 1 mode transport

src 2001:1::1/128 dst 2001:1::10/128 proto 135 

        dir out priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 1 mode transport

src 2001:1::20/128 dst 2001:1::1/128 proto 135 

        dir in priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 3 mode transport

src 2001:1::1/128 dst 2001:1::20/128 proto 135 

        dir out priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 3 mode transport

src 2001:1::10/128 dst ::/0 

        dir in priority 10 ptype main 

        tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1

                proto esp reqid 2 mode tunnel

src 2001:1::10/128 dst ::/0 

        dir fwd priority 10 ptype main 

        tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1

                proto esp reqid 2 mode tunnel

src ::/0 dst 2001:1::10/128 

        dir out priority 10 ptype main 

        tmpl src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67

                proto esp reqid 2 mode tunnel

</pre>

and the IPsec state in the Linux 2.6 kernel

<pre>

ip xfrm state

src :: dst ::

        proto hao reqid 0 mode ro

        replay-window 0 flag wildrecv

        coa ::

        sel src ::/0 dst ::/0 

src 2001:1::10 dst 2001:1::1

        proto esp spi 0xca64ae98 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611

        enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto esp spi 0xc5959ac2 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff

        enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto route2 reqid 0 mode ro

        replay-window 0 

        coa 2001::41a:a8ff:fe6f:c67

        lastused 2008-11-19 08:39:25

        sel src 2001:1::1/128 dst 2001:1::10/128 

src 2001:1::10 dst 2001:1::1

        proto hao reqid 0 mode ro

        replay-window 0 

        coa 2001::41a:a8ff:fe6f:c67

        sel src 2001:1::10/128 dst 2001:1::1/128 

src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1

        proto esp spi 0xc190d5ba reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02

        enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56

src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67

        proto esp spi 0xce4db893 reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af

        enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf

</pre>

h2. Care-of-Address (CoA) Change

After some time the MN changes its Care-of-Address (CoA) to 2001::50

which is communicated to the HA via a Binding Update message. This

causes the MIPv6 daemon to issue a MIGRATE message to strongSwan

<pre>

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128r135 === 2001:1::1/128r135 out

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP %any...%any to 2001::50...2001:1::1, reqid {1}

Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128r135 === 2001:1::1/128r135 in with reqid {1}

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::1/128r135 === 2001:1::10/128r135 in

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::50, reqid {1}

Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128r135 === 2001:1::10/128r135 out with reqid {1}

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 out

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}

Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}

Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry with SPI c190d5ba for update

Nov 19 08:41:56 moon charon: 10[KNL] querying replay state from SAD entry with SPI c190d5ba

Nov 19 08:41:56 moon charon: 10[KNL] deleting SAD entry with SPI c190d5ba

Nov 19 08:41:56 moon charon: 10[KNL] deleted SAD entry with SPI c190d5ba

Nov 19 08:41:56 moon charon: 10[KNL] updating SAD entry with SPI c190d5ba from 2001::41a:a8ff:fe6f:c67r0..2001:1::1r0 to 2001::50r0..2001:1::1r0

Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry with SPI ce4db893 for update

Nov 19 08:41:56 moon charon: 10[KNL] querying SAD entry failed: No such process (3)

Nov 19 08:41:56 moon charon: 10[KNL] unable to update SAD entry with SPI ce4db893

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 in

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}

Nov 19 08:41:56 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}

Nov 19 08:41:56 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   policy: ::/0 === 2001:1::10/128 fwd

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::50

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 moon charon: 04[KNL]   migrate ESP 2001:1::1...2001::41a:a8ff:fe6f:c67 to 2001:1::1...2001::50, reqid {2}

</pre>

h2. IPSec Status after CoA Change

<pre>

ipsec statusall

Performance:

  uptime: 3 minutes, since Nov 19 08:39:01 2008

  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2

  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 

Listening IP addresses:

  10.1.0.1

  2001:1::1

  fec1::1

  192.168.0.1

  2001::1

  fec0::1

Connections:

    carol-mh:  2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]

    carol-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

    carol-mh:  public key authentication

    carol-mh:    2001:1::1/128r135 === 2001:1::10/128r135 

carol-tunnel:    ::/0 === 2001:1::10/128 

     dave-mh:  2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]

     dave-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

     dave-mh:  public key authentication

     dave-mh:    2001:1::1/128r135 === 2001:1::20/128r135 

 dave-tunnel:    ::/0 === 2001:1::20/128 

Security Associations:

    carol-mhr1: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::50[carol@strongswan.org]

    carol-mhr1: IKE SPIs: 58b6f8e6f23188fa_i 63fdcfb55179c548_r*, rekeying in 52 minutes

    carol-mhr1: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT

    carol-mh{1}:  INSTALLED, TRANSPORT_PROXY, ESP SPIs: ca64ae98_i c5959ac2_o

    carol-mh{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 11 minutes, last use: 45s_i no_o 

    carol-mh{1}:   2001:1::1/128r135 === 2001:1::10/128r135 

carol-tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: c190d5ba_i ce4db893_o

carol-tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 8s_i 8s_o 

carol-tunnel{2}:   ::/0 === 2001:1::10/128

</pre>

and the IPsec state in the Linux 2.6 kernel

<pre>

ip xfrm state

src :: dst ::

        proto hao reqid 0 mode ro

        replay-window 0 flag wildrecv

        coa ::

        sel src ::/0 dst ::/0 

src 2001:1::10 dst 2001:1::1

        proto esp spi 0xca64ae98 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611

        enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto esp spi 0xc5959ac2 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff

        enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto route2 reqid 0 mode ro

        replay-window 0 

        coa 2001::50

        lastused 2008-11-19 08:39:25

        sel src 2001:1::1/128 dst 2001:1::10/128 

src 2001:1::10 dst 2001:1::1

        proto hao reqid 0 mode ro

        replay-window 0 

        coa 2001::50

        sel src 2001:1::10/128 dst 2001:1::1/128 

src 2001:1::1 dst 2001::50

        proto esp spi 0xce4db893 reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af

        enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf

src 2001::50 dst 2001:1::1

        proto esp spi 0xc190d5ba reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02

        enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56

</pre>