strongSwan

[[TOC(heading=Mobile IPv6)]]

= Mobile IPv6 =

Starting with version 4.2.9, strongSwan can be used to secure the Mobile IPv6 Binding Update messages and all payload traffic between a Mobile Node (MN) and its Home Agent (HA) using an IPsec transport and an IPsec tunnel Security Association (SA), respectively.

== Mobile Node "carol" ==

=== /etc/mip6d.conf ===

{{{

NodeConfig MN;

UseMnHaIPsec enabled;

KeyMngMobCapability enabled;

DoRouteOptimizationMN disabled;

Interface "eth0";

MnHomeLink "eth0" {

    HomeAgentAddress 2001:1::1;

    HomeAddress 2001:1::10/64;

}

IPsecPolicySet {

    HomeAgentAddress 2001:1::1;

    HomeAddress 2001:1::10/64;

    IPsecPolicy Mh UseESP 1;

    IPsecPolicy TunnelPayload UseESP 2;

}

}}}

=== /etc/ipsec.conf ===

{{{

config setup

        crlcheckinterval=180

        plutostart=no

        charondebug="knl 2"

conn %default

        keyexchange=ikev2

        reauth=no

        mobike=no

        installpolicy=no

conn mh

        also=home

        rightsubnet=2001:1::1/128

        leftprotoport=135/0

        rightprotoport=135/0

        type=transport_proxy

        auto=route

conn tunnel

        also=home

        rightsubnet=::/0

        auto=route

conn home

        leftcert=carolCert.pem

        leftid=carol@strongswan.org

        leftsubnet=2001:1::10/128

        right=2001:1::1

        rightid=moon.strongswan.org

        ike=aes128-sha1-modp2048!

        esp=aes128-sha1-modp2048!

}}}

=== ipsec statusall ===

{{{

Performance:

  uptime: 56 seconds, since Nov 13 01:06:39 2008

  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2

  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink 

Listening IP addresses:

  192.168.0.100

  2001::18d9:88ff:fe7d:36b3

  fec0::18d9:88ff:fe7d:36b3

  2001:1::10

Connections:

          mh:  %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]

          mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

          mh:  public key authentication

          mh:    2001:1::10/128[135] === 2001:1::1/128[135] 

      tunnel:    2001:1::10/128 === ::/0 

Security Associations:

          mh[1]: ESTABLISHED, 2001::18d9:88ff:fe7d:36b3[carol@strongswan.org]...2001:1::1[moon.strongswan.org]

          mh[1]: IKE SPIs: 372bdbd1320c2eb4_i* a53801fd03fbffee_r, rekeying in 55 minutes

          mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT

          mh{1}:  ROUTED, TRANSPORT

          mh{1}:   2001:1::10/128[135] === 2001:1::1/128[135] 

      tunnel{2}:  ROUTED, TUNNEL

      tunnel{2}:   2001:1::10/128 === ::/0 

          mh{1}:  INSTALLED, TRANSPORT, ESP SPIs: cf472638_i c31ec667_o

          mh{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 49s_i no_o 

          mh{1}:   2001:1::10/128[135] === 2001:1::1/128[135] 

      tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: c4f98106_i c0f90752_o

      tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 14 minutes, last use: 45s_i no_o 

      tunnel{2}:   2001:1::10/128 === ::/0 

}}}

=== ip xfrm policy ===

{{{

src 2001:1::1/128 dst 2001:1::10/128 proto 135 

        dir in priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 1 mode transport

src 2001:1::10/128 dst 2001:1::1/128 proto 135 

        dir out priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 1 mode transport

src ::/0 dst 2001:1::10/128 

        dir in priority 10 ptype main 

        tmpl src 2001:1::1 dst 2001::18d9:88ff:fe7d:36b3

                proto esp reqid 2 mode tunnel

src 2001:1::10/128 dst ::/0 

        dir out priority 10 ptype main 

        tmpl src 2001::18d9:88ff:fe7d:36b3 dst 2001:1::1

                proto esp reqid 2 mode tunnel

}}}

=== ip xfrm state ===

{{{

src :: dst ::

        proto hao reqid 0 mode ro

        replay-window 0 flag wildrecv

        coa ::

        sel src ::/0 dst ::/0 

src :: dst ::

        proto route2 reqid 0 mode ro

        replay-window 0 flag wildrecv

        coa ::

        sel src ::/0 dst ::/0 

src 2001:1::10 dst 2001:1::1

        proto hao reqid 0 mode ro

        replay-window 0 

        coa 2001::18d9:88ff:fe7d:36b3

        lastused 2008-11-13 01:06:50

        sel src 2001:1::10/128 dst 2001:1::1/128 

src 2001:1::10 dst 2001:1::1

        proto esp spi 0xc31ec667 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0xf6815c3cd001ff884eb6c1b4112ea9db0daf1eef

        enc cbc(aes) 0xa51f577d694f46beb85179ecc5d35251

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto esp spi 0xcf472638 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0x8d9790093b1baa89a128e92c7019c32d776eccac

        enc cbc(aes) 0xe02ea1231d5e1908564992ccafdc97cd

        sel src ::/0 dst ::/0 

src 2001::18d9:88ff:fe7d:36b3 dst 2001:1::1

        proto esp spi 0xc0f90752 reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0x8339d597ed1d92d820443171d3e3282d83186572

        enc cbc(aes) 0xcba21b583a2330897e33339b72855eaa

src 2001:1::1 dst 2001::18d9:88ff:fe7d:36b3

        proto esp spi 0xc4f98106 reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0xf4ffd5a21d52b4766ea81c22945f3f558f24c675

        enc cbc(aes) 0x7c0d20968090085fbb17557f53c8818b

}}}

=== /var/log/daemon.log ===

{{{

Nov 13 01:06:39 carol charon: 01[DMN] starting charon (strongSwan Version 4.2.9rc18)

Nov 13 01:06:39 carol charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

Nov 13 01:06:39 carol charon: 01[LIB]   loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'

Nov 13 01:06:39 carol charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'

Nov 13 01:06:39 carol charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'

Nov 13 01:06:39 carol charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'

Nov 13 01:06:39 carol charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'

Nov 13 01:06:39 carol charon: 01[LIB]   loaded crl file '/etc/ipsec.d/crls/strongswan.crl'

Nov 13 01:06:39 carol charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'

Nov 13 01:06:39 carol charon: 01[CFG]   loaded private key file '/etc/ipsec.d/private/carolKey.pem'

Nov 13 01:06:39 carol charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink 

Nov 13 01:06:39 carol charon: 01[KNL] listening on interfaces:

Nov 13 01:06:39 carol charon: 01[KNL]   eth0

Nov 13 01:06:39 carol charon: 01[KNL]     192.168.0.100

Nov 13 01:06:39 carol charon: 01[KNL]     2001::18d9:88ff:fe7d:36b3

Nov 13 01:06:39 carol charon: 01[KNL]     fec0::18d9:88ff:fe7d:36b3

Nov 13 01:06:39 carol charon: 01[KNL]     fe80::18d9:88ff:fe7d:36b3

Nov 13 01:06:39 carol charon: 01[JOB] spawning 16 worker threads

Nov 13 01:06:40 carol charon: 07[CFG] received stroke: add connection 'mh'

Nov 13 01:06:40 carol charon: 07[KNL] getting interface name for 2001:1::1

Nov 13 01:06:40 carol charon: 07[KNL] 2001:1::1 is not a local address

Nov 13 01:06:40 carol charon: 07[KNL] getting interface name for %any

Nov 13 01:06:40 carol charon: 07[KNL] %any is not a local address

Nov 13 01:06:40 carol charon: 07[CFG] left nor right host is our side, assuming left=local

Nov 13 01:06:40 carol charon: 07[LIB]   loaded certificate file '/etc/ipsec.d/certs/carolCert.pem'

Nov 13 01:06:40 carol charon: 07[CFG] added configuration 'mh': %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]

Nov 13 01:06:40 carol charon: 09[CFG] received stroke: route 'mh'

Nov 13 01:06:40 carol charon: 10[KNL] getting address to reach 2001:1::1

Nov 13 01:06:40 carol charon: 10[CHD] my address: 2001::18d9:88ff:fe7d:36b3 is a transport mode proxy for 2001:1::10

Nov 13 01:06:40 carol charon: 10[IKE] CHILD_SA routed

Nov 13 01:06:40 carol charon: 11[CFG] received stroke: add connection 'tunnel'

Nov 13 01:06:40 carol charon: 11[KNL] getting interface name for 2001:1::1

Nov 13 01:06:40 carol charon: 11[KNL] 2001:1::1 is not a local address

Nov 13 01:06:40 carol charon: 11[KNL] getting interface name for %any

Nov 13 01:06:40 carol charon: 11[KNL] %any is not a local address

Nov 13 01:06:40 carol charon: 11[CFG] left nor right host is our side, assuming left=local

Nov 13 01:06:40 carol charon: 11[LIB]   loaded certificate file '/etc/ipsec.d/certs/carolCert.pem'

Nov 13 01:06:40 carol charon: 11[CFG] added child to existing configuration 'mh'

Nov 13 01:06:40 carol charon: 12[CFG] received stroke: route 'tunnel'

Nov 13 01:06:40 carol charon: 16[KNL] getting address to reach 2001:1::1

Nov 13 01:06:40 carol charon: 16[IKE] CHILD_SA routed

Nov 13 01:06:45 carol mip6d[1072]: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Mobile Node)

Nov 13 01:06:45 carol charon: 04[KNL] interface ip6tnl1 activated

Nov 13 01:06:45 carol charon: 04[KNL] fe80::18d9:88ff:fe7d:36b3 appeared on ip6tnl1

Nov 13 01:06:45 carol charon: 04[KNL] 2001:1::10 appeared on ip6tnl1

Nov 13 01:06:45 carol mip6d[1073]: Interface 1 (lo):type 772 unsupported

Nov 13 01:06:45 carol charon: 04[KNL] fe80::18d9:88ff:fe7d:36b3 disappeared from eth0

Nov 13 01:06:45 carol charon: 03[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:45 carol charon: 03[KNL]   policy: 2001:1::10/128[135] === 2001:1::1/128[135] out, index 0

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:45 carol charon: 03[KNL]   kmaddress: 2001::18d9:88ff:fe7d:36b3...2001:1::1

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_MIGRATE

Nov 13 01:06:45 carol charon: 03[KNL]   migrate ESP %any...%any to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {1}

Nov 13 01:06:45 carol charon: 03[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] out with reqid {1}

Nov 13 01:06:45 carol charon: 03[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:45 carol charon: 03[KNL]   policy: 2001:1::1/128[135] === 2001:1::10/128[135] in, index 0

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:45 carol charon: 03[KNL]   kmaddress: 2001::18d9:88ff:fe7d:36b3...2001:1::1

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_MIGRATE

Nov 13 01:06:45 carol charon: 03[KNL]   migrate ESP %any...%any to 2001:1::1...2001::18d9:88ff:fe7d:36b3, reqid {1}

Nov 13 01:06:45 carol charon: 03[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] in with reqid {1}

Nov 13 01:06:45 carol charon: 03[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:45 carol charon: 03[KNL]   policy: 2001:1::10/128 === ::/0 out, index 0

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:45 carol charon: 03[KNL]   kmaddress: 2001::18d9:88ff:fe7d:36b3...2001:1::1

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_MIGRATE

Nov 13 01:06:45 carol charon: 03[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {2}

Nov 13 01:06:45 carol charon: 03[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 out with reqid {2}

Nov 13 01:06:45 carol charon: 03[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:45 carol charon: 03[KNL]   policy: ::/0 === 2001:1::10/128 in, index 0

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:45 carol charon: 03[KNL]   kmaddress: 2001::18d9:88ff:fe7d:36b3...2001:1::1

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_MIGRATE

Nov 13 01:06:45 carol charon: 03[KNL]   migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::18d9:88ff:fe7d:36b3, reqid {2}

Nov 13 01:06:45 carol charon: 03[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 in with reqid {2}

Nov 13 01:06:45 carol charon: 03[KNL] received a XFRM_MSG_ACQUIRE

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_TMPL

Nov 13 01:06:45 carol charon: 03[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:45 carol charon: 03[KNL] creating acquire job for policy 2001:1::10/128[135/5] === 2001:1::1/128[135] with reqid {1}

Nov 13 01:06:45 carol charon: 11[IKE] initiating IKE_SA mh[1] to 2001:1::1

Nov 13 01:06:45 carol charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

Nov 13 01:06:45 carol charon: 11[NET] sending packet: from 2001::18d9:88ff:fe7d:36b3[500] to 2001:1::1[500]

Nov 13 01:06:45 carol charon: 15[KNL] getting address to reach 2001:1::1

Nov 13 01:06:45 carol charon: 16[NET] received packet: from 2001:1::1[500] to 2001::18d9:88ff:fe7d:36b3[500]

Nov 13 01:06:45 carol charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]

Nov 13 01:06:45 carol charon: 16[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 carol charon: 16[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 carol charon: 16[IKE] authentication of 'carol@strongswan.org' (myself) with RSA signature successful

Nov 13 01:06:45 carol charon: 16[IKE] sending end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 13 01:06:45 carol charon: 16[IKE] establishing CHILD_SA mh{1}

Nov 13 01:06:45 carol charon: 16[CHD] my address: 2001::18d9:88ff:fe7d:36b3 is a transport mode proxy for 2001:1::10

Nov 13 01:06:45 carol charon: 16[KNL] getting SPI for reqid {1}

Nov 13 01:06:45 carol charon: 16[KNL] got SPI cf472638 for reqid {1}

Nov 13 01:06:45 carol charon: 16[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]

Nov 13 01:06:45 carol charon: 16[NET] sending packet: from 2001::18d9:88ff:fe7d:36b3[500] to 2001:1::1[500]

Nov 13 01:06:45 carol charon: 12[NET] received packet: from 2001:1::1[500] to 2001::18d9:88ff:fe7d:36b3[500]

Nov 13 01:06:45 carol charon: 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]

Nov 13 01:06:45 carol charon: 12[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"

Nov 13 01:06:45 carol charon: 12[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"

Nov 13 01:06:45 carol charon: 12[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 carol charon: 12[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"

Nov 13 01:06:45 carol charon: 12[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 carol charon: 12[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 carol charon: 12[CFG]   crl is valid: until Nov 13 22:27:58 2008

Nov 13 01:06:45 carol charon: 12[CFG]   using cached crl

Nov 13 01:06:45 carol charon: 12[CFG] certificate status is good

Nov 13 01:06:45 carol charon: 12[IKE] authentication of 'moon.strongswan.org' with RSA signature successful

Nov 13 01:06:45 carol charon: 12[IKE] scheduling rekeying in 3374s

Nov 13 01:06:45 carol charon: 12[IKE] maximum IKE_SA lifetime 3554s

Nov 13 01:06:45 carol charon: 12[IKE] IKE_SA mh[1] established between 2001::18d9:88ff:fe7d:36b3[carol@strongswan.org]...2001:1::1[moon.strongswan.org]

Nov 13 01:06:45 carol charon: 12[KNL] adding SAD entry with SPI c31ec667 and reqid {1}

Nov 13 01:06:45 carol charon: 12[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 13 01:06:45 carol charon: 12[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 13 01:06:45 carol charon: 12[KNL] adding SAD entry with SPI cf472638 and reqid {1}

Nov 13 01:06:45 carol charon: 12[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 13 01:06:45 carol charon: 12[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 13 01:06:45 carol charon: 12[IKE] CHILD_SA mh{1} established with SPIs cf472638_i c31ec667_o and TS 2001:1::10/128[135] === 2001:1::1/128[135] 

Nov 13 01:06:46 carol charon: 04[KNL] fe80::18d9:88ff:fe7d:36b3 appeared on eth0

Nov 13 01:06:47 carol charon: 03[KNL] received a XFRM_MSG_ACQUIRE

Nov 13 01:06:47 carol charon: 03[KNL]   XFRMA_TMPL

Nov 13 01:06:47 carol charon: 03[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:47 carol charon: 03[KNL] creating acquire job for policy 2001:1::10/128[ipv6-icmp/146] === 2001:1::1/128[ipv6-icmp] with reqid {2}

Nov 13 01:06:47 carol charon: 10[IKE] establishing CHILD_SA tunnel{2}

Nov 13 01:06:47 carol charon: 10[KNL] getting SPI for reqid {2}

Nov 13 01:06:47 carol charon: 10[KNL] got SPI c4f98106 for reqid {2}

Nov 13 01:06:47 carol charon: 10[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]

Nov 13 01:06:47 carol charon: 10[NET] sending packet: from 2001::18d9:88ff:fe7d:36b3[500] to 2001:1::1[500]

Nov 13 01:06:47 carol charon: 17[KNL] getting address to reach 2001:1::1

Nov 13 01:06:47 carol charon: 08[NET] received packet: from 2001:1::1[500] to 2001::18d9:88ff:fe7d:36b3[500]

Nov 13 01:06:47 carol charon: 08[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]

Nov 13 01:06:47 carol charon: 08[KNL] adding SAD entry with SPI c0f90752 and reqid {2}

Nov 13 01:06:47 carol charon: 08[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 13 01:06:47 carol charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 13 01:06:47 carol charon: 08[KNL] adding SAD entry with SPI c4f98106 and reqid {2}

Nov 13 01:06:47 carol charon: 08[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 13 01:06:47 carol charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 13 01:06:47 carol charon: 08[IKE] CHILD_SA tunnel{2} established with SPIs c4f98106_i c0f90752_o and TS 2001:1::10/128 === ::/0 

}}}

== Home Agent "moon" ==

=== /etc/mip6d.conf ===

{{{

NodeConfig HA;

UseMnHaIPsec enabled;

KeyMngMobCapability enabled;

DefaultBindingAclPolicy deny;

Interface "eth0";

include "/etc/mip6d.conf.d/carol.mip6d.conf"

}}}

=== /etc/mip6d.conf.d/carol.mip6d.conf ===

{{{

Interface "eth1";

IPsecPolicySet {

    HomeAgentAddress 2001:1::1;

    HomeAddress 2001:1::10/64;

    IPsecPolicy Mh UseESP 1;

    IPsecPolicy TunnelPayload UseESP 2;

}

BindingAclPolicy 2001:1::10 allow;

}}}

=== /etc/ipsec.conf ===

{{{

config setup

        crlcheckinterval=180

        plutostart=no

        charondebug="knl 2"

conn %default

        keyexchange=ikev2

        reauth=no

        mobike=no

        installpolicy=no

conn mh

        also=ha

        leftsubnet=2001:1::1/128

        leftprotoport=135/0

        rightprotoport=135/0

        type=transport_proxy

conn tunnel

        also=ha

        leftsubnet=::/0

conn ha

        left=2001:1::1

        leftcert=moonCert.pem

        leftid=@moon.strongswan.org

        right=%any

        ike=aes128-sha1-modp2048!

        esp=aes128-sha1-modp2048!

include /etc/ipsec.conf.d/carol.ipsec.conf

include /etc/ipsec.conf.d/dave.ipsec.conf

}}}

=== /etc/ipsec.conf.d/carol.ipsec.conf ===

{{{

conn carol

        rightsubnet=2001:1::10/128

        rightid=carol@strongswan.org

conn carol-mh

        also=carol

        also=mh

        auto=add

conn carol-tunnel

        also=carol

        also=tunnel

        auto=add

}}}

=== ipsec statusall ===

{{{

Performance:

  uptime: 9 minutes, since Nov 13 01:05:33 2008

  worker threads: 91 idle of 98, job queue load: 0, scheduled events: 2

  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 

Listening IP addresses:

  10.1.0.1

  2001:1::1

  fec1::1

  192.168.0.1

  2001::1

  fec0::1

Connections:

    carol-mh:  2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]

    carol-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

    carol-mh:  public key authentication

    carol-mh:    2001:1::1/128[135] === 2001:1::10/128[135] 

carol-tunnel:    ::/0 === 2001:1::10/128 

     dave-mh:  2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]

     dave-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

     dave-mh:  public key authentication

     dave-mh:    2001:1::1/128[135] === 2001:1::20/128[135] 

 dave-tunnel:    ::/0 === 2001:1::20/128 

Security Associations:

    carol-mh[1]: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::18d9:88ff:fe7d:36b3[carol@strongswan.org]

    carol-mh[1]: IKE SPIs: 372bdbd1320c2eb4_i a53801fd03fbffee_r*, rekeying in 47 minutes

    carol-mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT

    carol-mh{1}:  INSTALLED, TRANSPORT, ESP SPIs: c31ec667_i cf472638_o

    carol-mh{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 8 minutes, last use: 485s_i no_o 

    carol-mh{1}:   2001:1::1/128[135] === 2001:1::10/128[135] 

carol-tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: c0f90752_i c4f98106_o

carol-tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 8 minutes, last use: 481s_i no_o 

carol-tunnel{2}:   ::/0 === 2001:1::10/128 

}}}

=== ip xfrm policy ===

{{{

src 2001:1::10/128 dst 2001:1::1/128 proto 135 

        dir in priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 1 mode transport

src 2001:1::1/128 dst 2001:1::10/128 proto 135 

        dir out priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 1 mode transport

src 2001:1::10/128 dst ::/0 

        dir in priority 10 ptype main 

        tmpl src 2001::18d9:88ff:fe7d:36b3 dst 2001:1::1

                proto esp reqid 2 mode tunnel

src 2001:1::10/128 dst ::/0 

        dir fwd priority 10 ptype main 

        tmpl src 2001::18d9:88ff:fe7d:36b3 dst 2001:1::1

                proto esp reqid 2 mode tunnel

src ::/0 dst 2001:1::10/128 

        dir out priority 10 ptype main 

        tmpl src 2001:1::1 dst 2001::18d9:88ff:fe7d:36b3

                proto esp reqid 2 mode tunnel

}}}

=== ip xfrm state ===

{{{

src :: dst ::

        proto hao reqid 0 mode ro

        replay-window 0 flag wildrecv

        coa ::

        sel src ::/0 dst ::/0 

src 2001:1::10 dst 2001:1::1

        proto esp spi 0xc31ec667 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0xf6815c3cd001ff884eb6c1b4112ea9db0daf1eef

        enc cbc(aes) 0xa51f577d694f46beb85179ecc5d35251

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto esp spi 0xcf472638 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0x8d9790093b1baa89a128e92c7019c32d776eccac

        enc cbc(aes) 0xe02ea1231d5e1908564992ccafdc97cd

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto route2 reqid 0 mode ro

        replay-window 0 

        coa 2001::18d9:88ff:fe7d:36b3

        lastused 2008-11-13 01:06:50

        sel src 2001:1::1/128 dst 2001:1::10/128 

src 2001:1::10 dst 2001:1::1

        proto hao reqid 0 mode ro

        replay-window 0 

        coa 2001::18d9:88ff:fe7d:36b3

        sel src 2001:1::10/128 dst 2001:1::1/128 

src 2001::18d9:88ff:fe7d:36b3 dst 2001:1::1

        proto esp spi 0xc0f90752 reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0x8339d597ed1d92d820443171d3e3282d83186572

        enc cbc(aes) 0xcba21b583a2330897e33339b72855eaa

src 2001:1::1 dst 2001::18d9:88ff:fe7d:36b3

        proto esp spi 0xc4f98106 reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0xf4ffd5a21d52b4766ea81c22945f3f558f24c675

        enc cbc(aes) 0x7c0d20968090085fbb17557f53c8818b

}}}

=== /var/log/daemon.log ===

{{{

Nov 13 01:05:33 moon charon: 01[DMN] starting charon (strongSwan Version 4.2.9rc18)

Nov 13 01:05:33 moon charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

Nov 13 01:05:33 moon charon: 01[LIB]   loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'

Nov 13 01:05:33 moon charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'

Nov 13 01:05:33 moon charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'

Nov 13 01:05:33 moon charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'

Nov 13 01:05:33 moon charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'

Nov 13 01:05:33 moon charon: 01[LIB]   loaded crl file '/etc/ipsec.d/crls/strongswan.crl'

Nov 13 01:05:33 moon charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'

Nov 13 01:05:33 moon charon: 01[CFG]   loaded private key file '/etc/ipsec.d/private/moonKey.pem'

Nov 13 01:05:34 moon charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 

Nov 13 01:05:34 moon charon: 01[KNL] listening on interfaces:

Nov 13 01:05:34 moon charon: 01[KNL]   eth1

Nov 13 01:05:34 moon charon: 01[KNL]     10.1.0.1

Nov 13 01:05:34 moon charon: 01[KNL]     2001:1::1

Nov 13 01:05:34 moon charon: 01[KNL]     fec1::1

Nov 13 01:05:34 moon charon: 01[KNL]     fe80::b8d5:baff:feea:d493

Nov 13 01:05:34 moon charon: 01[KNL]   eth0

Nov 13 01:05:34 moon charon: 01[KNL]     192.168.0.1

Nov 13 01:05:34 moon charon: 01[KNL]     2001::1

Nov 13 01:05:34 moon charon: 01[KNL]     fec0::1

Nov 13 01:05:34 moon charon: 01[KNL]     fe80::e4f6:c7ff:fe59:80e1

Nov 13 01:05:34 moon charon: 01[JOB] spawning 98 worker threads

Nov 13 01:05:35 moon charon: 23[CFG] crl caching to /etc/ipsec.d/crls enabled

Nov 13 01:05:35 moon charon: 25[CFG] received stroke: add connection 'carol-mh'

Nov 13 01:05:35 moon charon: 25[KNL] getting interface name for %any

Nov 13 01:05:35 moon charon: 25[KNL] %any is not a local address

Nov 13 01:05:35 moon charon: 25[KNL] getting interface name for 2001:1::1

Nov 13 01:05:35 moon charon: 25[KNL] 2001:1::1 is on interface eth1

Nov 13 01:05:35 moon charon: 25[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 13 01:05:35 moon charon: 25[CFG] added configuration 'carol-mh': 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]

Nov 13 01:05:35 moon charon: 27[CFG] received stroke: add connection 'carol-tunnel'

Nov 13 01:05:35 moon charon: 27[KNL] getting interface name for %any

Nov 13 01:05:35 moon charon: 27[KNL] %any is not a local address

Nov 13 01:05:35 moon charon: 27[KNL] getting interface name for 2001:1::1

Nov 13 01:05:35 moon charon: 27[KNL] 2001:1::1 is on interface eth1

Nov 13 01:05:35 moon charon: 27[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 13 01:05:35 moon charon: 27[CFG] added child to existing configuration 'carol-mh'

Nov 13 01:05:35 moon charon: 28[CFG] received stroke: add connection 'dave-mh'

Nov 13 01:05:35 moon charon: 28[KNL] getting interface name for %any

Nov 13 01:05:35 moon charon: 28[KNL] %any is not a local address

Nov 13 01:05:35 moon charon: 28[KNL] getting interface name for 2001:1::1

Nov 13 01:05:35 moon charon: 28[KNL] 2001:1::1 is on interface eth1

Nov 13 01:05:35 moon charon: 28[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 13 01:05:35 moon charon: 28[CFG] added configuration 'dave-mh': 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]

Nov 13 01:05:35 moon charon: 30[CFG] received stroke: add connection 'dave-tunnel'

Nov 13 01:05:35 moon charon: 30[KNL] getting interface name for %any

Nov 13 01:05:35 moon charon: 30[KNL] %any is not a local address

Nov 13 01:05:35 moon charon: 30[KNL] getting interface name for 2001:1::1

Nov 13 01:05:35 moon charon: 30[KNL] 2001:1::1 is on interface eth1

Nov 13 01:05:35 moon charon: 30[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 13 01:05:35 moon charon: 30[CFG] added child to existing configuration 'dave-mh'

Nov 13 01:05:39 moon mip6d[1167]: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Home Agent)

Nov 13 01:06:45 moon charon: 33[NET] received packet: from 2001::18d9:88ff:fe7d:36b3[500] to 2001:1::1[500]

Nov 13 01:06:45 moon charon: 33[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

Nov 13 01:06:45 moon charon: 33[IKE] 2001::18d9:88ff:fe7d:36b3 is initiating an IKE_SA

Nov 13 01:06:45 moon charon: 33[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 moon charon: 33[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]

Nov 13 01:06:45 moon charon: 33[NET] sending packet: from 2001:1::1[500] to 2001::18d9:88ff:fe7d:36b3[500]

Nov 13 01:06:45 moon charon: 34[NET] received packet: from 2001::18d9:88ff:fe7d:36b3[500] to 2001:1::1[500]

Nov 13 01:06:45 moon charon: 34[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]

Nov 13 01:06:45 moon charon: 34[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 moon charon: 34[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 13 01:06:45 moon charon: 34[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 13 01:06:45 moon charon: 34[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 moon charon: 34[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 13 01:06:45 moon charon: 34[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 moon charon: 34[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 moon charon: 34[CFG]   crl is valid: until Nov 13 22:27:58 2008

Nov 13 01:06:45 moon charon: 34[CFG]   using cached crl

Nov 13 01:06:45 moon charon: 34[CFG] certificate status is good

Nov 13 01:06:45 moon charon: 34[IKE] authentication of 'carol@strongswan.org' with RSA signature successful

Nov 13 01:06:45 moon charon: 34[CFG] found matching peer config "carol-mh": moon.strongswan.org...carol@strongswan.org with prio 40.5

Nov 13 01:06:45 moon charon: 34[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful

Nov 13 01:06:45 moon charon: 34[IKE] scheduling rekeying in 3365s

Nov 13 01:06:45 moon charon: 34[IKE] maximum IKE_SA lifetime 3545s

Nov 13 01:06:45 moon charon: 34[IKE] IKE_SA carol-mh[1] established between 2001:1::1[moon.strongswan.org]...2001::18d9:88ff:fe7d:36b3[carol@strongswan.org]

Nov 13 01:06:45 moon charon: 34[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"

Nov 13 01:06:45 moon charon: 34[CHD] other address: 2001::18d9:88ff:fe7d:36b3 is a transport mode proxy for 2001:1::10

Nov 13 01:06:45 moon charon: 34[KNL] getting SPI for reqid {1}

Nov 13 01:06:45 moon charon: 34[KNL] got SPI c31ec667 for reqid {1}

Nov 13 01:06:45 moon charon: 34[KNL] adding SAD entry with SPI c31ec667 and reqid {1}

Nov 13 01:06:45 moon charon: 34[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 13 01:06:45 moon charon: 34[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 13 01:06:45 moon charon: 34[KNL] adding SAD entry with SPI cf472638 and reqid {1}

Nov 13 01:06:45 moon charon: 34[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 13 01:06:45 moon charon: 34[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 13 01:06:45 moon charon: 34[IKE] CHILD_SA carol-mh{1} established with SPIs c31ec667_i cf472638_o and TS 2001:1::1/128[135] === 2001:1::10/128[135] 

Nov 13 01:06:45 moon charon: 34[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]

Nov 13 01:06:45 moon charon: 34[NET] sending packet: from 2001:1::1[500] to 2001::18d9:88ff:fe7d:36b3[500]

Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   policy: 2001:1::10/128[135] === 2001:1::1/128[135] in, index 0

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:47 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   migrate ESP %any...%any to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {1}

Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] in with reqid {1}

Nov 13 01:06:47 moon charon: 05[KNL] interface ip6tnl1 activated

Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   policy: 2001:1::1/128[135] === 2001:1::10/128[135] out, index 0

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:47 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::18d9:88ff:fe7d:36b3, reqid {1}

Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] out with reqid {1}

Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 in, index 0

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:47 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {2}

Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}

Nov 13 01:06:47 moon charon: 37[JOB] no CHILD_SA found with reqid {2}

Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 fwd, index 0

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:47 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {2}

Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}

Nov 13 01:06:47 moon charon: 38[JOB] no CHILD_SA found with reqid {2}

Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   policy: ::/0 === 2001:1::10/128 out, index 0

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:47 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::18d9:88ff:fe7d:36b3, reqid {2}

Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 out with reqid {2}

Nov 13 01:06:47 moon charon: 39[JOB] no CHILD_SA found with reqid {2}

Nov 13 01:06:47 moon charon: 05[KNL] fe80::b8d5:baff:feea:d493 appeared on ip6tnl1

Nov 13 01:06:47 moon charon: 40[NET] received packet: from 2001::18d9:88ff:fe7d:36b3[500] to 2001:1::1[500]

Nov 13 01:06:47 moon charon: 40[ENC] parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]

Nov 13 01:06:47 moon charon: 40[KNL] getting SPI for reqid {2}

Nov 13 01:06:47 moon charon: 40[KNL] got SPI c0f90752 for reqid {2}

Nov 13 01:06:47 moon charon: 40[KNL] adding SAD entry with SPI c0f90752 and reqid {2}

Nov 13 01:06:47 moon charon: 40[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 13 01:06:47 moon charon: 40[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 13 01:06:47 moon charon: 40[KNL] adding SAD entry with SPI c4f98106 and reqid {2}

Nov 13 01:06:47 moon charon: 40[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 13 01:06:47 moon charon: 40[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 13 01:06:47 moon charon: 40[IKE] CHILD_SA carol-tunnel{2} established with SPIs c0f90752_i c4f98106_o and TS ::/0 === 2001:1::10/128 

Nov 13 01:06:47 moon charon: 40[ENC] generating CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]

Nov 13 01:06:47 moon charon: 40[NET] sending packet: from 2001:1::1[500] to 2001::18d9:88ff:fe7d:36b3[500]

}}}