Version 2 - History - Mobile IPv6 HOWTO - Mobile IPv6 HOWTO - strongSwan

Mobile IPv6 HOWTO » History » Version 2

« Previous - Version 2/10 (diff) - Next » - Current version
Andreas Steffen, 13.11.2008 05:00
Added TOC

<abbr title="heading=Mobile IPv6">TOC</abbr> = Mobile IPv6 =

Starting with version 4.2.9, strongSwan can be used to secure the Mobile IPv6 Binding Update messages and all payload traffic between a Mobile Node (MN) and its Home Agent (HA) using an IPsec transport and an IPsec tunnel Security Association (SA), respectively.

Mobile Node "carol"

=== /etc/mip6d.conf ===

{{{
NodeConfig MN;

UseMnHaIPsec enabled;
KeyMngMobCapability enabled;
DoRouteOptimizationMN disabled;

Interface "eth0";

MnHomeLink "eth0" {
HomeAgentAddress 2001:1::1;
HomeAddress 2001:1::10/64;
}

IPsecPolicySet {
HomeAgentAddress 2001:1::1;
HomeAddress 2001:1::10/64;

IPsecPolicy Mh UseESP 1;
    IPsecPolicy TunnelPayload UseESP 2;
}
}}}

=== /etc/ipsec.conf ===

{{{
config setup
crlcheckinterval=180
plutostart=no
charondebug="knl 2"

conn %default
keyexchange=ikev2
reauth=no
mobike=no
installpolicy=no

conn mh
also=home
rightsubnet=2001:1::1/128
leftprotoport=135/0
rightprotoport=135/0
type=transport_proxy
auto=route

conn tunnel
also=home
rightsubnet=::/0
auto=route

conn home
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftsubnet=2001:1::10/128
right=2001:1::1
rightid=moon.strongswan.org
ike=aes128-sha1-modp2048!
esp=aes128-sha1-modp2048!
}}}

=== ipsec statusall ===

{{{
Performance:
uptime: 56 seconds, since Nov 13 01:06:39 2008
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
Listening IP addresses:
192.168.0.100
2001::18d9:88ff:fe7d:36b3
fec0::18d9:88ff:fe7d:36b3
2001:1::10
Connections:
mh: %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
mh: public key authentication
mh: 2001:1::10/128¹³⁵ === 2001:1::1/128¹³⁵
tunnel: 2001:1::10/128 === ::/0
Security Associations:
mh¹: ESTABLISHED, 2001::18d9:88ff:fe7d:36b3[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
mh¹: IKE SPIs: 372bdbd1320c2eb4_i* a53801fd03fbffee_r, rekeying in 55 minutes
mh¹: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT
mh{1}: ROUTED, TRANSPORT
mh{1}: 2001:1::10/128¹³⁵ === 2001:1::1/128¹³⁵
tunnel{2}: ROUTED, TUNNEL
tunnel{2}: 2001:1::10/128 === ::/0
mh{1}: INSTALLED, TRANSPORT, ESP SPIs: cf472638_i c31ec667_o
mh{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 49s_i no_o
mh{1}: 2001:1::10/128¹³⁵ === 2001:1::1/128¹³⁵
tunnel{2}: INSTALLED, TUNNEL, ESP SPIs: c4f98106_i c0f90752_o
tunnel{2}: AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 45s_i no_o
tunnel{2}: 2001:1::10/128 === ::/0
}}}

=== ip xfrm policy ===

{{{
src 2001:1::1/128 dst 2001:1::10/128 proto 135
dir in priority 2 ptype main
tmpl src :: dst ::
proto esp reqid 1 mode transport

src 2001:1::10/128 dst 2001:1::1/128 proto 135
dir out priority 2 ptype main
tmpl src :: dst ::
proto esp reqid 1 mode transport

src ::/0 dst 2001:1::10/128
dir in priority 10 ptype main
tmpl src 2001:1::1 dst 2001::18d9:88ff:fe7d:36b3
proto esp reqid 2 mode tunnel

src 2001:1::10/128 dst ::/0
dir out priority 10 ptype main
tmpl src 2001::18d9:88ff:fe7d:36b3 dst 2001:1::1
proto esp reqid 2 mode tunnel
}}}

=== ip xfrm state ===

{{{
src :: dst ::
proto hao reqid 0 mode ro
replay-window 0 flag wildrecv
coa ::
sel src ::/0 dst ::/0

src :: dst ::
proto route2 reqid 0 mode ro
replay-window 0 flag wildrecv
coa ::
sel src ::/0 dst ::/0

src 2001:1::10 dst 2001:1::1
proto hao reqid 0 mode ro
replay-window 0
coa 2001::18d9:88ff:fe7d:36b3
lastused 2008-11-13 01:06:50
sel src 2001:1::10/128 dst 2001:1::1/128

src 2001:1::10 dst 2001:1::1
proto esp spi 0xc31ec667 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0xf6815c3cd001ff884eb6c1b4112ea9db0daf1eef
enc cbc(aes) 0xa51f577d694f46beb85179ecc5d35251
sel src ::/0 dst ::/0

src 2001:1::1 dst 2001:1::10
proto esp spi 0xcf472638 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0x8d9790093b1baa89a128e92c7019c32d776eccac
enc cbc(aes) 0xe02ea1231d5e1908564992ccafdc97cd
sel src ::/0 dst ::/0

src 2001::18d9:88ff:fe7d:36b3 dst 2001:1::1
proto esp spi 0xc0f90752 reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x8339d597ed1d92d820443171d3e3282d83186572
enc cbc(aes) 0xcba21b583a2330897e33339b72855eaa

src 2001:1::1 dst 2001::18d9:88ff:fe7d:36b3
proto esp spi 0xc4f98106 reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0xf4ffd5a21d52b4766ea81c22945f3f558f24c675
enc cbc(aes) 0x7c0d20968090085fbb17557f53c8818b
}}}

=== /var/log/daemon.log ===

{{{
Nov 13 01:06:39 carol charon: 01[DMN] starting charon (strongSwan Version 4.2.9rc18)
Nov 13 01:06:39 carol charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 13 01:06:39 carol charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 13 01:06:39 carol charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 13 01:06:39 carol charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 13 01:06:39 carol charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 13 01:06:39 carol charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 13 01:06:39 carol charon: 01[LIB] loaded crl file '/etc/ipsec.d/crls/strongswan.crl'
Nov 13 01:06:39 carol charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 13 01:06:39 carol charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/carolKey.pem'
Nov 13 01:06:39 carol charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
Nov 13 01:06:39 carol charon: 01[KNL] listening on interfaces:
Nov 13 01:06:39 carol charon: 01[KNL] eth0
Nov 13 01:06:39 carol charon: 01[KNL] 192.168.0.100
Nov 13 01:06:39 carol charon: 01[KNL] 2001::18d9:88ff:fe7d:36b3
Nov 13 01:06:39 carol charon: 01[KNL] fec0::18d9:88ff:fe7d:36b3
Nov 13 01:06:39 carol charon: 01[KNL] fe80::18d9:88ff:fe7d:36b3
Nov 13 01:06:39 carol charon: 01[JOB] spawning 16 worker threads
Nov 13 01:06:40 carol charon: 07[CFG] received stroke: add connection 'mh'
Nov 13 01:06:40 carol charon: 07[KNL] getting interface name for 2001:1::1
Nov 13 01:06:40 carol charon: 07[KNL] 2001:1::1 is not a local address
Nov 13 01:06:40 carol charon: 07[KNL] getting interface name for %any
Nov 13 01:06:40 carol charon: 07[KNL] %any is not a local address
Nov 13 01:06:40 carol charon: 07[CFG] left nor right host is our side, assuming left=local
Nov 13 01:06:40 carol charon: 07[LIB] loaded certificate file '/etc/ipsec.d/certs/carolCert.pem'
Nov 13 01:06:40 carol charon: 07[CFG] added configuration 'mh': %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
Nov 13 01:06:40 carol charon: 09[CFG] received stroke: route 'mh'
Nov 13 01:06:40 carol charon: 10[KNL] getting address to reach 2001:1::1
Nov 13 01:06:40 carol charon: 10[CHD] my address: 2001::18d9:88ff:fe7d:36b3 is a transport mode proxy for 2001:1::10
Nov 13 01:06:40 carol charon: 10[IKE] CHILD_SA routed
Nov 13 01:06:40 carol charon: 11[CFG] received stroke: add connection 'tunnel'
Nov 13 01:06:40 carol charon: 11[KNL] getting interface name for 2001:1::1
Nov 13 01:06:40 carol charon: 11[KNL] 2001:1::1 is not a local address
Nov 13 01:06:40 carol charon: 11[KNL] getting interface name for %any
Nov 13 01:06:40 carol charon: 11[KNL] %any is not a local address
Nov 13 01:06:40 carol charon: 11[CFG] left nor right host is our side, assuming left=local
Nov 13 01:06:40 carol charon: 11[LIB] loaded certificate file '/etc/ipsec.d/certs/carolCert.pem'
Nov 13 01:06:40 carol charon: 11[CFG] added child to existing configuration 'mh'
Nov 13 01:06:40 carol charon: 12[CFG] received stroke: route 'tunnel'
Nov 13 01:06:40 carol charon: 16[KNL] getting address to reach 2001:1::1
Nov 13 01:06:40 carol charon: 16[IKE] CHILD_SA routed

Nov 13 01:06:45 carol mip6d¹⁰⁷²: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Mobile Node)

Nov 13 01:06:45 carol charon: 04[KNL] interface ip6tnl1 activated
Nov 13 01:06:45 carol charon: 04[KNL] fe80::18d9:88ff:fe7d:36b3 appeared on ip6tnl1
Nov 13 01:06:45 carol charon: 04[KNL] 2001:1::10 appeared on ip6tnl1
Nov 13 01:06:45 carol mip6d¹⁰⁷³: Interface 1 (lo):type 772 unsupported
Nov 13 01:06:45 carol charon: 04[KNL] fe80::18d9:88ff:fe7d:36b3 disappeared from eth0
Nov 13 01:06:45 carol charon: 03[KNL] received a XFRM_MSG_MIGRATE
Nov 13 01:06:45 carol charon: 03[KNL] policy: 2001:1::10/128¹³⁵ === 2001:1::1/128¹³⁵ out, index 0
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_KMADDRESS
Nov 13 01:06:45 carol charon: 03[KNL] kmaddress: 2001::18d9:88ff:fe7d:36b3...2001:1::1
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_POLICY_TYPE
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_MIGRATE
Nov 13 01:06:45 carol charon: 03[KNL] migrate ESP %any...%any to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {1}
Nov 13 01:06:45 carol charon: 03[KNL] creating migrate job for policy 2001:1::10/128¹³⁵ === 2001:1::1/128¹³⁵ out with reqid {1}
Nov 13 01:06:45 carol charon: 03[KNL] received a XFRM_MSG_MIGRATE
Nov 13 01:06:45 carol charon: 03[KNL] policy: 2001:1::1/128¹³⁵ === 2001:1::10/128¹³⁵ in, index 0
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_KMADDRESS
Nov 13 01:06:45 carol charon: 03[KNL] kmaddress: 2001::18d9:88ff:fe7d:36b3...2001:1::1
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_POLICY_TYPE
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_MIGRATE
Nov 13 01:06:45 carol charon: 03[KNL] migrate ESP %any...%any to 2001:1::1...2001::18d9:88ff:fe7d:36b3, reqid {1}
Nov 13 01:06:45 carol charon: 03[KNL] creating migrate job for policy 2001:1::1/128¹³⁵ === 2001:1::10/128¹³⁵ in with reqid {1}
Nov 13 01:06:45 carol charon: 03[KNL] received a XFRM_MSG_MIGRATE
Nov 13 01:06:45 carol charon: 03[KNL] policy: 2001:1::10/128 === ::/0 out, index 0
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_KMADDRESS
Nov 13 01:06:45 carol charon: 03[KNL] kmaddress: 2001::18d9:88ff:fe7d:36b3...2001:1::1
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_POLICY_TYPE
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_MIGRATE
Nov 13 01:06:45 carol charon: 03[KNL] migrate ESP 2001:1::10...2001:1::1 to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {2}
Nov 13 01:06:45 carol charon: 03[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 out with reqid {2}
Nov 13 01:06:45 carol charon: 03[KNL] received a XFRM_MSG_MIGRATE
Nov 13 01:06:45 carol charon: 03[KNL] policy: ::/0 === 2001:1::10/128 in, index 0
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_KMADDRESS
Nov 13 01:06:45 carol charon: 03[KNL] kmaddress: 2001::18d9:88ff:fe7d:36b3...2001:1::1
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_POLICY_TYPE
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_MIGRATE
Nov 13 01:06:45 carol charon: 03[KNL] migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::18d9:88ff:fe7d:36b3, reqid {2}
Nov 13 01:06:45 carol charon: 03[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 in with reqid {2}

Nov 13 01:06:45 carol charon: 03[KNL] received a XFRM_MSG_ACQUIRE
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_TMPL
Nov 13 01:06:45 carol charon: 03[KNL] XFRMA_POLICY_TYPE
Nov 13 01:06:45 carol charon: 03[KNL] creating acquire job for policy 2001:1::10/128[135/5] === 2001:1::1/128¹³⁵ with reqid {1}
Nov 13 01:06:45 carol charon: 11[IKE] initiating IKE_SA mh¹ to 2001:1::1
Nov 13 01:06:45 carol charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 13 01:06:45 carol charon: 11[NET] sending packet: from 2001::18d9:88ff:fe7d:36b3⁵⁰⁰ to 2001:1::1⁵⁰⁰
Nov 13 01:06:45 carol charon: 15[KNL] getting address to reach 2001:1::1
Nov 13 01:06:45 carol charon: 16[NET] received packet: from 2001:1::1⁵⁰⁰ to 2001::18d9:88ff:fe7d:36b3⁵⁰⁰
Nov 13 01:06:45 carol charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Nov 13 01:06:45 carol charon: 16[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 13 01:06:45 carol charon: 16[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 13 01:06:45 carol charon: 16[IKE] authentication of 'carol@strongswan.org' (myself) with RSA signature successful
Nov 13 01:06:45 carol charon: 16[IKE] sending end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
Nov 13 01:06:45 carol charon: 16[IKE] establishing CHILD_SA mh{1}
Nov 13 01:06:45 carol charon: 16[CHD] my address: 2001::18d9:88ff:fe7d:36b3 is a transport mode proxy for 2001:1::10
Nov 13 01:06:45 carol charon: 16[KNL] getting SPI for reqid {1}
Nov 13 01:06:45 carol charon: 16[KNL] got SPI cf472638 for reqid {1}
Nov 13 01:06:45 carol charon: 16[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 13 01:06:45 carol charon: 16[NET] sending packet: from 2001::18d9:88ff:fe7d:36b3⁵⁰⁰ to 2001:1::1⁵⁰⁰
Nov 13 01:06:45 carol charon: 12[NET] received packet: from 2001:1::1⁵⁰⁰ to 2001::18d9:88ff:fe7d:36b3⁵⁰⁰
Nov 13 01:06:45 carol charon: 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 13 01:06:45 carol charon: 12[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 13 01:06:45 carol charon: 12[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 13 01:06:45 carol charon: 12[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 13 01:06:45 carol charon: 12[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 13 01:06:45 carol charon: 12[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 13 01:06:45 carol charon: 12[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 13 01:06:45 carol charon: 12[CFG] crl is valid: until Nov 13 22:27:58 2008
Nov 13 01:06:45 carol charon: 12[CFG] using cached crl
Nov 13 01:06:45 carol charon: 12[CFG] certificate status is good
Nov 13 01:06:45 carol charon: 12[IKE] authentication of 'moon.strongswan.org' with RSA signature successful
Nov 13 01:06:45 carol charon: 12[IKE] scheduling rekeying in 3374s
Nov 13 01:06:45 carol charon: 12[IKE] maximum IKE_SA lifetime 3554s
Nov 13 01:06:45 carol charon: 12[IKE] IKE_SA mh¹ established between 2001::18d9:88ff:fe7d:36b3[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
Nov 13 01:06:45 carol charon: 12[KNL] adding SAD entry with SPI c31ec667 and reqid {1}
Nov 13 01:06:45 carol charon: 12[KNL] using encryption algorithm AES_CBC with key size 128
Nov 13 01:06:45 carol charon: 12[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 13 01:06:45 carol charon: 12[KNL] adding SAD entry with SPI cf472638 and reqid {1}
Nov 13 01:06:45 carol charon: 12[KNL] using encryption algorithm AES_CBC with key size 128
Nov 13 01:06:45 carol charon: 12[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 13 01:06:45 carol charon: 12[IKE] CHILD_SA mh{1} established with SPIs cf472638_i c31ec667_o and TS 2001:1::10/128¹³⁵ === 2001:1::1/128¹³⁵
Nov 13 01:06:46 carol charon: 04[KNL] fe80::18d9:88ff:fe7d:36b3 appeared on eth0

Nov 13 01:06:47 carol charon: 03[KNL] received a XFRM_MSG_ACQUIRE
Nov 13 01:06:47 carol charon: 03[KNL] XFRMA_TMPL
Nov 13 01:06:47 carol charon: 03[KNL] XFRMA_POLICY_TYPE
Nov 13 01:06:47 carol charon: 03[KNL] creating acquire job for policy 2001:1::10/128[ipv6-icmp/146] === 2001:1::1/128[ipv6-icmp] with reqid {2}
Nov 13 01:06:47 carol charon: 10[IKE] establishing CHILD_SA tunnel{2}
Nov 13 01:06:47 carol charon: 10[KNL] getting SPI for reqid {2}
Nov 13 01:06:47 carol charon: 10[KNL] got SPI c4f98106 for reqid {2}
Nov 13 01:06:47 carol charon: 10[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Nov 13 01:06:47 carol charon: 10[NET] sending packet: from 2001::18d9:88ff:fe7d:36b3⁵⁰⁰ to 2001:1::1⁵⁰⁰
Nov 13 01:06:47 carol charon: 17[KNL] getting address to reach 2001:1::1
Nov 13 01:06:47 carol charon: 08[NET] received packet: from 2001:1::1⁵⁰⁰ to 2001::18d9:88ff:fe7d:36b3⁵⁰⁰
Nov 13 01:06:47 carol charon: 08[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
Nov 13 01:06:47 carol charon: 08[KNL] adding SAD entry with SPI c0f90752 and reqid {2}
Nov 13 01:06:47 carol charon: 08[KNL] using encryption algorithm AES_CBC with key size 128
Nov 13 01:06:47 carol charon: 08[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 13 01:06:47 carol charon: 08[KNL] adding SAD entry with SPI c4f98106 and reqid {2}
Nov 13 01:06:47 carol charon: 08[KNL] using encryption algorithm AES_CBC with key size 128
Nov 13 01:06:47 carol charon: 08[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 13 01:06:47 carol charon: 08[IKE] CHILD_SA tunnel{2} established with SPIs c4f98106_i c0f90752_o and TS 2001:1::10/128 === ::/0
}}}

Home Agent "moon"

=== /etc/mip6d.conf ===

{{{
NodeConfig HA;

UseMnHaIPsec enabled;
KeyMngMobCapability enabled;
DefaultBindingAclPolicy deny;

Interface "eth0";

include "/etc/mip6d.conf.d/carol.mip6d.conf"
}}}

=== /etc/mip6d.conf.d/carol.mip6d.conf ===

{{{
Interface "eth1";

IPsecPolicySet {
HomeAgentAddress 2001:1::1;
HomeAddress 2001:1::10/64;

IPsecPolicy Mh UseESP 1;
    IPsecPolicy TunnelPayload UseESP 2;
}

BindingAclPolicy 2001:1::10 allow;
}}}

=== /etc/ipsec.conf ===

{{{
config setup
crlcheckinterval=180
plutostart=no
charondebug="knl 2"

conn %default
keyexchange=ikev2
reauth=no
mobike=no
installpolicy=no

conn mh
also=ha
leftsubnet=2001:1::1/128
leftprotoport=135/0
rightprotoport=135/0
type=transport_proxy

conn tunnel
also=ha
leftsubnet=::/0

conn ha
left=2001:1::1
leftcert=moonCert.pem
leftid=@moon.strongswan.org
right=%any
ike=aes128-sha1-modp2048!
esp=aes128-sha1-modp2048!

include /etc/ipsec.conf.d/carol.ipsec.conf
include /etc/ipsec.conf.d/dave.ipsec.conf
}}}

=== /etc/ipsec.conf.d/carol.ipsec.conf ===

{{{
conn carol
rightsubnet=2001:1::10/128
rightid=carol@strongswan.org

conn carol-mh
also=carol
also=mh
auto=add

conn carol-tunnel
also=carol
also=tunnel
auto=add
}}}

=== ipsec statusall ===

{{{
Performance:
uptime: 9 minutes, since Nov 13 01:05:33 2008
worker threads: 91 idle of 98, job queue load: 0, scheduled events: 2
loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
Listening IP addresses:
10.1.0.1
2001:1::1
fec1::1
192.168.0.1
2001::1
fec0::1
Connections:
carol-mh: 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]
carol-mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
carol-mh: public key authentication
carol-mh: 2001:1::1/128¹³⁵ === 2001:1::10/128¹³⁵
carol-tunnel: ::/0 === 2001:1::10/128
dave-mh: 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]
dave-mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
dave-mh: public key authentication
dave-mh: 2001:1::1/128¹³⁵ === 2001:1::20/128¹³⁵
dave-tunnel: ::/0 === 2001:1::20/128
Security Associations:
carol-mh¹: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::18d9:88ff:fe7d:36b3[carol@strongswan.org]
carol-mh¹: IKE SPIs: 372bdbd1320c2eb4_i a53801fd03fbffee_r*, rekeying in 47 minutes
carol-mh¹: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT
carol-mh{1}: INSTALLED, TRANSPORT, ESP SPIs: c31ec667_i cf472638_o
carol-mh{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 8 minutes, last use: 485s_i no_o
carol-mh{1}: 2001:1::1/128¹³⁵ === 2001:1::10/128¹³⁵
carol-tunnel{2}: INSTALLED, TUNNEL, ESP SPIs: c0f90752_i c4f98106_o
carol-tunnel{2}: AES_CBC-128/HMAC_SHA1_96, rekeying in 8 minutes, last use: 481s_i no_o
carol-tunnel{2}: ::/0 === 2001:1::10/128
}}}

=== ip xfrm policy ===

{{{
src 2001:1::10/128 dst 2001:1::1/128 proto 135
dir in priority 2 ptype main
tmpl src :: dst ::
proto esp reqid 1 mode transport

src 2001:1::1/128 dst 2001:1::10/128 proto 135
dir out priority 2 ptype main
tmpl src :: dst ::
proto esp reqid 1 mode transport

src 2001:1::10/128 dst ::/0
dir in priority 10 ptype main
tmpl src 2001::18d9:88ff:fe7d:36b3 dst 2001:1::1
proto esp reqid 2 mode tunnel

src 2001:1::10/128 dst ::/0
dir fwd priority 10 ptype main
tmpl src 2001::18d9:88ff:fe7d:36b3 dst 2001:1::1
proto esp reqid 2 mode tunnel

src ::/0 dst 2001:1::10/128
dir out priority 10 ptype main
tmpl src 2001:1::1 dst 2001::18d9:88ff:fe7d:36b3
proto esp reqid 2 mode tunnel
}}}

=== ip xfrm state ===

{{{
src :: dst ::
proto hao reqid 0 mode ro
replay-window 0 flag wildrecv
coa ::
sel src ::/0 dst ::/0

src 2001:1::1 dst 2001:1::10
proto route2 reqid 0 mode ro
replay-window 0
coa 2001::18d9:88ff:fe7d:36b3
lastused 2008-11-13 01:06:50
sel src 2001:1::1/128 dst 2001:1::10/128

src 2001:1::10 dst 2001:1::1
proto hao reqid 0 mode ro
replay-window 0
coa 2001::18d9:88ff:fe7d:36b3
sel src 2001:1::10/128 dst 2001:1::1/128

=== /var/log/daemon.log ===

{{{
Nov 13 01:05:33 moon charon: 01[DMN] starting charon (strongSwan Version 4.2.9rc18)
Nov 13 01:05:33 moon charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 13 01:05:33 moon charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 13 01:05:33 moon charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 13 01:05:33 moon charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 13 01:05:33 moon charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 13 01:05:33 moon charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 13 01:05:33 moon charon: 01[LIB] loaded crl file '/etc/ipsec.d/crls/strongswan.crl'
Nov 13 01:05:33 moon charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 13 01:05:33 moon charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/moonKey.pem'
Nov 13 01:05:34 moon charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql
Nov 13 01:05:34 moon charon: 01[KNL] listening on interfaces:
Nov 13 01:05:34 moon charon: 01[KNL] eth1
Nov 13 01:05:34 moon charon: 01[KNL] 10.1.0.1
Nov 13 01:05:34 moon charon: 01[KNL] 2001:1::1
Nov 13 01:05:34 moon charon: 01[KNL] fec1::1
Nov 13 01:05:34 moon charon: 01[KNL] fe80::b8d5:baff:feea:d493
Nov 13 01:05:34 moon charon: 01[KNL] eth0
Nov 13 01:05:34 moon charon: 01[KNL] 192.168.0.1
Nov 13 01:05:34 moon charon: 01[KNL] 2001::1
Nov 13 01:05:34 moon charon: 01[KNL] fec0::1
Nov 13 01:05:34 moon charon: 01[KNL] fe80::e4f6:c7ff:fe59:80e1
Nov 13 01:05:34 moon charon: 01[JOB] spawning 98 worker threads
Nov 13 01:05:35 moon charon: 23[CFG] crl caching to /etc/ipsec.d/crls enabled
Nov 13 01:05:35 moon charon: 25[CFG] received stroke: add connection 'carol-mh'
Nov 13 01:05:35 moon charon: 25[KNL] getting interface name for %any
Nov 13 01:05:35 moon charon: 25[KNL] %any is not a local address
Nov 13 01:05:35 moon charon: 25[KNL] getting interface name for 2001:1::1
Nov 13 01:05:35 moon charon: 25[KNL] 2001:1::1 is on interface eth1
Nov 13 01:05:35 moon charon: 25[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Nov 13 01:05:35 moon charon: 25[CFG] added configuration 'carol-mh': 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]
Nov 13 01:05:35 moon charon: 27[CFG] received stroke: add connection 'carol-tunnel'
Nov 13 01:05:35 moon charon: 27[KNL] getting interface name for %any
Nov 13 01:05:35 moon charon: 27[KNL] %any is not a local address
Nov 13 01:05:35 moon charon: 27[KNL] getting interface name for 2001:1::1
Nov 13 01:05:35 moon charon: 27[KNL] 2001:1::1 is on interface eth1
Nov 13 01:05:35 moon charon: 27[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Nov 13 01:05:35 moon charon: 27[CFG] added child to existing configuration 'carol-mh'
Nov 13 01:05:35 moon charon: 28[CFG] received stroke: add connection 'dave-mh'
Nov 13 01:05:35 moon charon: 28[KNL] getting interface name for %any
Nov 13 01:05:35 moon charon: 28[KNL] %any is not a local address
Nov 13 01:05:35 moon charon: 28[KNL] getting interface name for 2001:1::1
Nov 13 01:05:35 moon charon: 28[KNL] 2001:1::1 is on interface eth1
Nov 13 01:05:35 moon charon: 28[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Nov 13 01:05:35 moon charon: 28[CFG] added configuration 'dave-mh': 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]
Nov 13 01:05:35 moon charon: 30[CFG] received stroke: add connection 'dave-tunnel'
Nov 13 01:05:35 moon charon: 30[KNL] getting interface name for %any
Nov 13 01:05:35 moon charon: 30[KNL] %any is not a local address
Nov 13 01:05:35 moon charon: 30[KNL] getting interface name for 2001:1::1
Nov 13 01:05:35 moon charon: 30[KNL] 2001:1::1 is on interface eth1
Nov 13 01:05:35 moon charon: 30[LIB] loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'
Nov 13 01:05:35 moon charon: 30[CFG] added child to existing configuration 'dave-mh'

Nov 13 01:05:39 moon mip6d¹¹⁶⁷: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Home Agent)

Nov 13 01:06:45 moon charon: 33[NET] received packet: from 2001::18d9:88ff:fe7d:36b3⁵⁰⁰ to 2001:1::1⁵⁰⁰
Nov 13 01:06:45 moon charon: 33[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 13 01:06:45 moon charon: 33[IKE] 2001::18d9:88ff:fe7d:36b3 is initiating an IKE_SA
Nov 13 01:06:45 moon charon: 33[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 13 01:06:45 moon charon: 33[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Nov 13 01:06:45 moon charon: 33[NET] sending packet: from 2001:1::1⁵⁰⁰ to 2001::18d9:88ff:fe7d:36b3⁵⁰⁰
Nov 13 01:06:45 moon charon: 34[NET] received packet: from 2001::18d9:88ff:fe7d:36b3⁵⁰⁰ to 2001:1::1⁵⁰⁰
Nov 13 01:06:45 moon charon: 34[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 13 01:06:45 moon charon: 34[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 13 01:06:45 moon charon: 34[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
Nov 13 01:06:45 moon charon: 34[CFG] using certificate "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 13 01:06:45 moon charon: 34[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 13 01:06:45 moon charon: 34[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
Nov 13 01:06:45 moon charon: 34[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 13 01:06:45 moon charon: 34[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 13 01:06:45 moon charon: 34[CFG] crl is valid: until Nov 13 22:27:58 2008
Nov 13 01:06:45 moon charon: 34[CFG] using cached crl
Nov 13 01:06:45 moon charon: 34[CFG] certificate status is good
Nov 13 01:06:45 moon charon: 34[IKE] authentication of 'carol@strongswan.org' with RSA signature successful
Nov 13 01:06:45 moon charon: 34[CFG] found matching peer config "carol-mh": moon.strongswan.org...carol@strongswan.org with prio 40.5
Nov 13 01:06:45 moon charon: 34[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
Nov 13 01:06:45 moon charon: 34[IKE] scheduling rekeying in 3365s
Nov 13 01:06:45 moon charon: 34[IKE] maximum IKE_SA lifetime 3545s
Nov 13 01:06:45 moon charon: 34[IKE] IKE_SA carol-mh¹ established between 2001:1::1[moon.strongswan.org]...2001::18d9:88ff:fe7d:36b3[carol@strongswan.org]
Nov 13 01:06:45 moon charon: 34[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 13 01:06:45 moon charon: 34[CHD] other address: 2001::18d9:88ff:fe7d:36b3 is a transport mode proxy for 2001:1::10
Nov 13 01:06:45 moon charon: 34[KNL] getting SPI for reqid {1}
Nov 13 01:06:45 moon charon: 34[KNL] got SPI c31ec667 for reqid {1}
Nov 13 01:06:45 moon charon: 34[KNL] adding SAD entry with SPI c31ec667 and reqid {1}
Nov 13 01:06:45 moon charon: 34[KNL] using encryption algorithm AES_CBC with key size 128
Nov 13 01:06:45 moon charon: 34[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 13 01:06:45 moon charon: 34[KNL] adding SAD entry with SPI cf472638 and reqid {1}
Nov 13 01:06:45 moon charon: 34[KNL] using encryption algorithm AES_CBC with key size 128
Nov 13 01:06:45 moon charon: 34[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 13 01:06:45 moon charon: 34[IKE] CHILD_SA carol-mh{1} established with SPIs c31ec667_i cf472638_o and TS 2001:1::1/128¹³⁵ === 2001:1::10/128¹³⁵
Nov 13 01:06:45 moon charon: 34[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 13 01:06:45 moon charon: 34[NET] sending packet: from 2001:1::1⁵⁰⁰ to 2001::18d9:88ff:fe7d:36b3⁵⁰⁰

Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 13 01:06:47 moon charon: 04[KNL] policy: 2001:1::10/128¹³⁵ === 2001:1::1/128¹³⁵ in, index 0
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 13 01:06:47 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 13 01:06:47 moon charon: 04[KNL] migrate ESP %any...%any to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {1}
Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128¹³⁵ === 2001:1::1/128¹³⁵ in with reqid {1}
Nov 13 01:06:47 moon charon: 05[KNL] interface ip6tnl1 activated
Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 13 01:06:47 moon charon: 04[KNL] policy: 2001:1::1/128¹³⁵ === 2001:1::10/128¹³⁵ out, index 0
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 13 01:06:47 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 13 01:06:47 moon charon: 04[KNL] migrate ESP %any...%any to 2001:1::1...2001::18d9:88ff:fe7d:36b3, reqid {1}
Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128¹³⁵ === 2001:1::10/128¹³⁵ out with reqid {1}
Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 13 01:06:47 moon charon: 04[KNL] policy: 2001:1::10/128 === ::/0 in, index 0
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 13 01:06:47 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 13 01:06:47 moon charon: 04[KNL] migrate ESP 2001:1::10...2001:1::1 to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {2}
Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}
Nov 13 01:06:47 moon charon: 37[JOB] no CHILD_SA found with reqid {2}
Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 13 01:06:47 moon charon: 04[KNL] policy: 2001:1::10/128 === ::/0 fwd, index 0
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 13 01:06:47 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 13 01:06:47 moon charon: 04[KNL] migrate ESP 2001:1::10...2001:1::1 to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {2}
Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}
Nov 13 01:06:47 moon charon: 38[JOB] no CHILD_SA found with reqid {2}
Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 13 01:06:47 moon charon: 04[KNL] policy: ::/0 === 2001:1::10/128 out, index 0
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_KMADDRESS
Nov 13 01:06:47 moon charon: 04[KNL] kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 13 01:06:47 moon charon: 04[KNL] XFRMA_MIGRATE
Nov 13 01:06:47 moon charon: 04[KNL] migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::18d9:88ff:fe7d:36b3, reqid {2}
Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 out with reqid {2}
Nov 13 01:06:47 moon charon: 39[JOB] no CHILD_SA found with reqid {2}
Nov 13 01:06:47 moon charon: 05[KNL] fe80::b8d5:baff:feea:d493 appeared on ip6tnl1

Nov 13 01:06:47 moon charon: 40[NET] received packet: from 2001::18d9:88ff:fe7d:36b3⁵⁰⁰ to 2001:1::1⁵⁰⁰
Nov 13 01:06:47 moon charon: 40[ENC] parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Nov 13 01:06:47 moon charon: 40[KNL] getting SPI for reqid {2}
Nov 13 01:06:47 moon charon: 40[KNL] got SPI c0f90752 for reqid {2}
Nov 13 01:06:47 moon charon: 40[KNL] adding SAD entry with SPI c0f90752 and reqid {2}
Nov 13 01:06:47 moon charon: 40[KNL] using encryption algorithm AES_CBC with key size 128
Nov 13 01:06:47 moon charon: 40[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 13 01:06:47 moon charon: 40[KNL] adding SAD entry with SPI c4f98106 and reqid {2}
Nov 13 01:06:47 moon charon: 40[KNL] using encryption algorithm AES_CBC with key size 128
Nov 13 01:06:47 moon charon: 40[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 13 01:06:47 moon charon: 40[IKE] CHILD_SA carol-tunnel{2} established with SPIs c0f90752_i c4f98106_o and TS ::/0 === 2001:1::10/128
Nov 13 01:06:47 moon charon: 40[ENC] generating CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
Nov 13 01:06:47 moon charon: 40[NET] sending packet: from 2001:1::1⁵⁰⁰ to 2001::18d9:88ff:fe7d:36b3⁵⁰⁰
}}}

Files (0)

Project

General

Profile

strongSwan

Documentation¶

Resources¶

Wiki

Mobile IPv6 HOWTO » History » Version 2