strongSwan

[[TOC(heading=Mobile IPv6)]]

= Mobile IPv6 =

Starting with version 4.2.9, strongSwan can be used to secure the Mobile IPv6 Binding Update messages and all payload traffic between a Mobile Node (MN) and its Home Agent (HA) using an IPsec transport and an IPsec tunnel Security Association (SA), respectively. For the installation and configuration of the IPsec-enabled Mobile IPv6 '''mip6d''' daemon consult Arnaud Ebalard's fine [http://www.natisbad.org/MIPv6/ MIPv6 site].

== Mobile Node "carol" ==

=== /etc/mip6d.conf ===

{{{

NodeConfig MN;

UseMnHaIPsec enabled;

KeyMngMobCapability enabled;

DoRouteOptimizationMN disabled;

Interface "eth0";

MnHomeLink "eth0" {

    HomeAgentAddress 2001:1::1;

    HomeAddress 2001:1::10/64;

}

IPsecPolicySet {

    HomeAgentAddress 2001:1::1;

    HomeAddress 2001:1::10/64;

    IPsecPolicy Mh UseESP 1;

    IPsecPolicy TunnelPayload UseESP 2;

}

}}}

=== /etc/ipsec.conf ===

{{{

config setup

        crlcheckinterval=180

        plutostart=no

        charondebug="knl 2"

conn %default

        keyexchange=ikev2

        reauth=no

        mobike=no

        installpolicy=no

conn mh

        also=home

        rightsubnet=2001:1::1/128

        leftprotoport=135/0

        rightprotoport=135/0

        type=transport_proxy

        auto=route

conn tunnel

        also=home

        rightsubnet=::/0

        auto=route

conn home

        leftcert=carolCert.pem

        leftid=carol@strongswan.org

        leftsubnet=2001:1::10/128

        right=2001:1::1

        rightid=moon.strongswan.org

        ike=aes128-sha1-modp2048!

        esp=aes128-sha1-modp2048!

}}}

Start strongSwan first and the IPsec connection definitions will be loaded and routed:

{{{

ipsec start

Nov 19 08:39:19 carol charon: 01[DMN] starting charon (strongSwan Version 4.2.9)

Nov 19 08:39:19 carol charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

Nov 19 08:39:19 carol charon: 01[LIB]   loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'

Nov 19 08:39:19 carol charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'

Nov 19 08:39:19 carol charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'

Nov 19 08:39:19 carol charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'

Nov 19 08:39:19 carol charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'

Nov 19 08:39:19 carol charon: 01[LIB]   loaded crl file '/etc/ipsec.d/crls/strongswan.crl'

Nov 19 08:39:19 carol charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'

Nov 19 08:39:19 carol charon: 01[CFG]   loaded private key file '/etc/ipsec.d/private/carolKey.pem'

Nov 19 08:39:19 carol charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink 

Nov 19 08:39:19 carol charon: 01[KNL] listening on interfaces:

Nov 19 08:39:19 carol charon: 01[KNL]   eth0

Nov 19 08:39:19 carol charon: 01[KNL]     192.168.0.100

Nov 19 08:39:19 carol charon: 01[KNL]     2001::41a:a8ff:fe6f:c67

Nov 19 08:39:19 carol charon: 01[KNL]     fec0::41a:a8ff:fe6f:c67

Nov 19 08:39:19 carol charon: 01[KNL]     fe80::41a:a8ff:fe6f:c67

Nov 19 08:39:19 carol charon: 01[JOB] spawning 16 worker threads

Nov 19 08:39:19 carol charon: 08[CFG] crl caching to /etc/ipsec.d/crls enabled

Nov 19 08:39:19 carol charon: 10[CFG] received stroke: add connection 'mh'

Nov 19 08:39:19 carol charon: 10[KNL] getting interface name for 2001:1::1

Nov 19 08:39:19 carol charon: 10[KNL] 2001:1::1 is not a local address

Nov 19 08:39:19 carol charon: 10[KNL] getting interface name for %any

Nov 19 08:39:19 carol charon: 10[KNL] %any is not a local address

Nov 19 08:39:19 carol charon: 10[CFG] left nor right host is our side, assuming left=local

Nov 19 08:39:19 carol charon: 10[LIB]   loaded certificate file '/etc/ipsec.d/certs/carolCert.pem'

Nov 19 08:39:19 carol charon: 10[CFG] added configuration 'mh': %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]

Nov 19 08:39:19 carol charon: 09[CFG] received stroke: route 'mh'

Nov 19 08:39:19 carol charon: 11[KNL] getting address to reach 2001:1::1

Nov 19 08:39:19 carol charon: 11[CHD] my address: 2001::41a:a8ff:fe6f:c67 is a transport mode proxy for 2001:1::10

Nov 19 08:39:19 carol charon: 11[IKE] CHILD_SA routed

Nov 19 08:39:19 carol charon: 14[CFG] received stroke: add connection 'tunnel'

Nov 19 08:39:19 carol charon: 14[KNL] getting interface name for 2001:1::1

Nov 19 08:39:19 carol charon: 14[KNL] 2001:1::1 is not a local address

Nov 19 08:39:19 carol charon: 14[KNL] getting interface name for %any

Nov 19 08:39:19 carol charon: 14[KNL] %any is not a local address

Nov 19 08:39:19 carol charon: 14[CFG] left nor right host is our side, assuming left=local

Nov 19 08:39:19 carol charon: 14[LIB]   loaded certificate file '/etc/ipsec.d/certs/carolCert.pem'

Nov 19 08:39:19 carol charon: 14[CFG] added child to existing configuration 'mh'

Nov 19 08:39:19 carol charon: 17[CFG] received stroke: route 'tunnel'

Nov 19 08:39:19 carol charon: 10[KNL] getting address to reach 2001:1::1

Nov 19 08:39:19 carol charon: 10[IKE] CHILD_SA routed

}}}

Next the MIPv6 daemon is activated

{{{

/etc/init.d/mip6d start

Nov 19 08:39:23 carol mip6d[1317]: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Mobile Node)

Nov 19 08:39:23 carol charon: 05[KNL] interface ip6tnl1 activated

Nov 19 08:39:23 carol charon: 05[KNL] 2001:1::10 appeared on ip6tnl1

}}}

which triggers strongSwan to automatically sets up the IPsec transport SA for the Binding Update messages

{{{

Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:23 carol charon: 04[KNL]   policy: 2001:1::10/128[135] === 2001:1::1/128[135] in

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:23 carol charon: 04[KNL]   kmaddress: 2001::41a:a8ff:fe6f:c67...2001:1::1

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:23 carol charon: 04[KNL]   migrate ESP %any...%any to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {1}

Nov 19 08:39:23 carol charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] out with reqid {1}

Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:23 carol charon: 04[KNL]   policy: 2001:1::1/128[135] === 2001:1::10/128[135] out

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:23 carol charon: 04[KNL]   kmaddress: 2001::41a:a8ff:fe6f:c67...2001:1::1

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:23 carol charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {1}

Nov 19 08:39:23 carol charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] in with reqid {1}

Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:23 carol charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 in

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:23 carol charon: 04[KNL]   kmaddress: 2001::41a:a8ff:fe6f:c67...2001:1::1

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:23 carol charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}

Nov 19 08:39:23 carol charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 out with reqid {2}

Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:39:23 carol charon: 04[KNL]   policy: ::/0 === 2001:1::10/128 out

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:39:23 carol charon: 04[KNL]   kmaddress: 2001::41a:a8ff:fe6f:c67...2001:1::1

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:39:23 carol charon: 04[KNL]   migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {2}

Nov 19 08:39:23 carol charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 in with reqid {2}

Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_ACQUIRE

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_TMPL

Nov 19 08:39:23 carol charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:23 carol charon: 04[KNL] creating acquire job for policy 2001:1::10/128[135/5] === 2001:1::1/128[135] with reqid {1}

Nov 19 08:39:23 carol charon: 09[IKE] initiating IKE_SA mh[1] to 2001:1::1

Nov 19 08:39:23 carol charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

Nov 19 08:39:23 carol charon: 09[NET] sending packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]

Nov 19 08:39:23 carol charon: 16[KNL] getting address to reach 2001:1::1

Nov 19 08:39:23 carol charon: 12[NET] received packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]

Nov 19 08:39:23 carol charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]

Nov 19 08:39:23 carol charon: 12[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 carol charon: 12[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 carol charon: 12[IKE] authentication of 'carol@strongswan.org' (myself) with RSA signature successful

Nov 19 08:39:23 carol charon: 12[IKE] sending end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 19 08:39:23 carol charon: 12[IKE] establishing CHILD_SA mh{1}

Nov 19 08:39:23 carol charon: 12[CHD] my address: 2001::41a:a8ff:fe6f:c67 is a transport mode proxy for 2001:1::10

Nov 19 08:39:23 carol charon: 12[KNL] getting SPI for reqid {1}

Nov 19 08:39:23 carol charon: 12[KNL] got SPI c5959ac2 for reqid {1}

Nov 19 08:39:23 carol charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]

Nov 19 08:39:23 carol charon: 12[NET] sending packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]

Nov 19 08:39:23 carol charon: 14[NET] received packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]

Nov 19 08:39:23 carol charon: 14[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]

Nov 19 08:39:23 carol charon: 14[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"

Nov 19 08:39:23 carol charon: 14[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"

Nov 19 08:39:23 carol charon: 14[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 carol charon: 14[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"

Nov 19 08:39:23 carol charon: 14[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 carol charon: 14[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 19 08:39:23 carol charon: 14[CFG]   crl is valid: until Dec 13 07:58:20 2008

Nov 19 08:39:23 carol charon: 14[CFG]   using cached crl

Nov 19 08:39:23 carol charon: 14[CFG] certificate status is good

Nov 19 08:39:23 carol charon: 14[IKE] authentication of 'moon.strongswan.org' with RSA signature successful

Nov 19 08:39:23 carol charon: 14[IKE] scheduling rekeying in 3327s

Nov 19 08:39:23 carol charon: 14[IKE] maximum IKE_SA lifetime 3507s

Nov 19 08:39:23 carol charon: 14[IKE] IKE_SA mh[1] established between 2001::41a:a8ff:fe6f:c67[carol@strongswan.org]...2001:1::1[moon.strongswan.org]

Nov 19 08:39:23 carol charon: 14[KNL] adding SAD entry with SPI ca64ae98 and reqid {1}

Nov 19 08:39:23 carol charon: 14[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 19 08:39:23 carol charon: 14[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 19 08:39:23 carol charon: 14[KNL] adding SAD entry with SPI c5959ac2 and reqid {1}

Nov 19 08:39:23 carol charon: 14[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 19 08:39:23 carol charon: 14[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 19 08:39:23 carol charon: 14[IKE] CHILD_SA mh{1} established with SPIs c5959ac2_i ca64ae98_o and TS 2001:1::10/128[135] === 2001:1::1/128[135] 

}}}

and right after that the IPsec tunnel SA for the payload between the MN and the HA is created.

{{{

Nov 19 08:39:24 carol charon: 04[KNL] received a XFRM_MSG_ACQUIRE

Nov 19 08:39:24 carol charon: 04[KNL]   XFRMA_TMPL

Nov 19 08:39:24 carol charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:39:24 carol charon: 04[KNL] creating acquire job for policy 2001:1::10/128[ipv6-icmp/146] === 2001:1::1/128[ipv6-icmp] with reqid {2}

Nov 19 08:39:24 carol charon: 17[IKE] establishing CHILD_SA tunnel{2}

Nov 19 08:39:24 carol charon: 17[KNL] getting SPI for reqid {2}

Nov 19 08:39:24 carol charon: 17[KNL] got SPI ce4db893 for reqid {2}

Nov 19 08:39:24 carol charon: 17[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]

Nov 19 08:39:24 carol charon: 17[NET] sending packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]

Nov 19 08:39:24 carol charon: 11[NET] received packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]

Nov 19 08:39:24 carol charon: 11[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]

Nov 19 08:39:25 carol charon: 11[KNL] adding SAD entry with SPI c190d5ba and reqid {2}

Nov 19 08:39:25 carol charon: 11[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 19 08:39:25 carol charon: 11[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 19 08:39:25 carol charon: 11[KNL] adding SAD entry with SPI ce4db893 and reqid {2}

Nov 19 08:39:25 carol charon: 11[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 19 08:39:25 carol charon: 11[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 19 08:39:25 carol charon: 11[IKE] CHILD_SA tunnel{2} established with SPIs ce4db893_i c190d5ba_o and TS 2001:1::10/128 === ::/0 

}}}

=== MN status information after establishment ===

{{{

ipsec statusall

Performance:

  uptime: 50 seconds, since Nov 19 08:39:19 2008

  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2

  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink 

Listening IP addresses:

  192.168.0.100

  2001::41a:a8ff:fe6f:c67

  fec0::41a:a8ff:fe6f:c67

  2001:1::10

Connections:

          mh:  %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]

          mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

          mh:  public key authentication

          mh:    2001:1::10/128[135] === 2001:1::1/128[135] 

      tunnel:    2001:1::10/128 === ::/0 

Security Associations:

          mh[1]: ESTABLISHED, 2001::41a:a8ff:fe6f:c67[carol@strongswan.org]...2001:1::1[moon.strongswan.org]

          mh[1]: IKE SPIs: 58b6f8e6f23188fa_i* 63fdcfb55179c548_r, rekeying in 54 minutes

          mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT

          mh{1}:  ROUTED, TRANSPORT_PROXY

          mh{1}:   2001:1::10/128[135] === 2001:1::1/128[135] 

      tunnel{2}:  ROUTED, TUNNEL

      tunnel{2}:   2001:1::10/128 === ::/0 

          mh{1}:  INSTALLED, TRANSPORT_PROXY, ESP SPIs: c5959ac2_i ca64ae98_o

          mh{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 16 minutes, last use: 45s_i no_o 

          mh{1}:   2001:1::10/128[135] === 2001:1::1/128[135] 

      tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: ce4db893_i c190d5ba_o

      tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 16 minutes, last use: 6s_i 6s_o 

      tunnel{2}:   2001:1::10/128 === ::/0 

}}}

The IPsec policy in the kernel

{{{

ip xfrm policy

src 2001:1::1/128 dst 2001:1::10/128 proto 135 

        dir in priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 1 mode transport

src 2001:1::10/128 dst 2001:1::1/128 proto 135 

        dir out priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 1 mode transport

src ::/0 dst 2001:1::10/128 

        dir in priority 10 ptype main 

        tmpl src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67

                proto esp reqid 2 mode tunnel

src 2001:1::10/128 dst ::/0 

        dir out priority 10 ptype main 

        tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1

                proto esp reqid 2 mode tunnel

}}}

and the IPsec state in the kernel

{{{

ip xfrm state

src 2001:1::10 dst 2001:1::1

        proto hao reqid 0 mode ro

        replay-window 0 

        coa 2001::41a:a8ff:fe6f:c67

        lastused 2008-11-19 08:39:25

        sel src 2001:1::10/128 dst 2001:1::1/128 

src 2001:1::10 dst 2001:1::1

        proto esp spi 0xca64ae98 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611

        enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto esp spi 0xc5959ac2 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff

        enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359

        sel src ::/0 dst ::/0 

src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1

        proto esp spi 0xc190d5ba reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02

        enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56

src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67

        proto esp spi 0xce4db893 reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af

        enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf

}}}

=== Migration of the Care-of-Address ===

After some time the MN changes its Care-of-Address (CoA) to 2001::50

{{{

Nov 19 08:41:43 carol charon: 05[KNL] 2001::50 appeared on eth0

Nov 19 08:41:43 carol charon: 12[KNL] getting address to reach 2001:1::1

Nov 19 08:41:56 carol charon: 05[KNL] 2001::41a:a8ff:fe6f:c67 disappeared from eth0

}}}

which causes the MIPv6 daemon to issue a MIGRATE message to strongSwan

{{{

Nov 19 08:41:56 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 carol charon: 04[KNL]   policy: 2001:1::10/128[135] === 2001:1::1/128[135] in

Nov 19 08:41:56 carol charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 carol charon: 04[KNL]   kmaddress: 2001::50...2001:1::1

Nov 19 08:41:56 carol charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 carol charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 carol charon: 04[KNL]   migrate ESP %any...%any to 2001::50...2001:1::1, reqid {1}

Nov 19 08:41:56 carol charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] out with reqid {1}

Nov 19 08:41:56 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 carol charon: 04[KNL]   policy: 2001:1::1/128[135] === 2001:1::10/128[135] out

Nov 19 08:41:56 carol charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 carol charon: 04[KNL]   kmaddress: 2001::50...2001:1::1

Nov 19 08:41:56 carol charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 carol charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 carol charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::50, reqid {1}

Nov 19 08:41:56 carol charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] in with reqid {1}

Nov 19 08:41:56 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 carol charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 in

Nov 19 08:41:56 carol charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 carol charon: 04[KNL]   kmaddress: 2001::50...2001:1::1

Nov 19 08:41:56 carol charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 carol charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 carol charon: 04[KNL]   migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}

Nov 19 08:41:56 carol charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 out with reqid {2}

Nov 19 08:41:56 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 19 08:41:56 carol charon: 04[KNL]   policy: ::/0 === 2001:1::10/128 out

Nov 19 08:41:56 carol charon: 04[KNL]   XFRMA_KMADDRESS

Nov 19 08:41:56 carol charon: 04[KNL]   kmaddress: 2001::50...2001:1::1

Nov 19 08:41:56 carol charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 19 08:41:56 carol charon: 04[KNL]   XFRMA_MIGRATE

Nov 19 08:41:56 carol charon: 04[KNL]   migrate ESP 2001:1::1...2001::41a:a8ff:fe6f:c67 to 2001:1::1...2001::50, reqid {2}

Nov 19 08:41:56 carol charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 in with reqid {2}

}}}

The IKEv2 connection status after the CoA migration to 2001::50

{{{

ipsec statusall

Performance:

  uptime: 3 minutes, since Nov 19 08:39:19 2008

  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2

  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink 

Listening IP addresses:

  192.168.0.100

  fec0::41a:a8ff:fe6f:c67

  2001::50

  2001:1::10

Connections:

          mh:  %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]

          mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

          mh:  public key authentication

          mh:    2001:1::10/128[135] === 2001:1::1/128[135] 

      tunnel:    2001:1::10/128 === ::/0 

Security Associations:

          mh[1]: ESTABLISHED, 2001::50[carol@strongswan.org]...2001:1::1[moon.strongswan.org]

          mh[1]: IKE SPIs: 58b6f8e6f23188fa_i* 63fdcfb55179c548_r, rekeying in 52 minutes

          mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT

          mh{1}:  ROUTED, TRANSPORT_PROXY

          mh{1}:   2001:1::10/128[135] === 2001:1::1/128[135] 

      tunnel{2}:  ROUTED, TUNNEL

      tunnel{2}:   2001:1::10/128 === ::/0 

          mh{1}:  INSTALLED, TRANSPORT_PROXY, ESP SPIs: c5959ac2_i ca64ae98_o

          mh{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 30s_i no_o 

          mh{1}:   2001:1::10/128[135] === 2001:1::1/128[135] 

      tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: ce4db893_i c190d5ba_o

      tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 3s_i 3s_o 

      tunnel{2}:   2001:1::10/128 === ::/0 

}}}

and in the Linux 2.6 kernel

{{{

ip xfrm state

src :: dst ::

        proto hao reqid 0 mode ro

        replay-window 0 flag wildrecv

        coa ::

        sel src ::/0 dst ::/0 

src :: dst ::

        proto route2 reqid 0 mode ro

        replay-window 0 flag wildrecv

        coa ::

        sel src ::/0 dst ::/0 

src 2001:1::10 dst 2001:1::1

        proto hao reqid 0 mode ro

        replay-window 0 

        coa 2001::50

        lastused 2008-11-19 08:41:56

        sel src 2001:1::10/128 dst 2001:1::1/128 

src 2001:1::10 dst 2001:1::1

        proto esp spi 0xca64ae98 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611

        enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto esp spi 0xc5959ac2 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff

        enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359

        sel src ::/0 dst ::/0 

src 2001::50 dst 2001:1::1

        proto esp spi 0xc190d5ba reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02

        enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56

src 2001:1::1 dst 2001::50

        proto esp spi 0xce4db893 reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af

        enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf

}}}

== Home Agent "moon" ==

=== /etc/mip6d.conf ===

{{{

NodeConfig HA;

UseMnHaIPsec enabled;

KeyMngMobCapability enabled;

DefaultBindingAclPolicy deny;

Interface "eth0";

include "/etc/mip6d.conf.d/carol.mip6d.conf"

}}}

=== /etc/mip6d.conf.d/carol.mip6d.conf ===

{{{

Interface "eth1";

IPsecPolicySet {

    HomeAgentAddress 2001:1::1;

    HomeAddress 2001:1::10/64;

    IPsecPolicy Mh UseESP 1;

    IPsecPolicy TunnelPayload UseESP 2;

}

BindingAclPolicy 2001:1::10 allow;

}}}

=== /etc/ipsec.conf ===

{{{

config setup

        crlcheckinterval=180

        plutostart=no

        charondebug="knl 2"

conn %default

        keyexchange=ikev2

        reauth=no

        mobike=no

        installpolicy=no

conn mh

        also=ha

        leftsubnet=2001:1::1/128

        leftprotoport=135/0

        rightprotoport=135/0

        type=transport_proxy

conn tunnel

        also=ha

        leftsubnet=::/0

conn ha

        left=2001:1::1

        leftcert=moonCert.pem

        leftid=@moon.strongswan.org

        right=%any

        ike=aes128-sha1-modp2048!

        esp=aes128-sha1-modp2048!

include /etc/ipsec.conf.d/carol.ipsec.conf

include /etc/ipsec.conf.d/dave.ipsec.conf

}}}

=== /etc/ipsec.conf.d/carol.ipsec.conf ===

{{{

conn carol

        rightsubnet=2001:1::10/128

        rightid=carol@strongswan.org

conn carol-mh

        also=carol

        also=mh

        auto=add

conn carol-tunnel

        also=carol

        also=tunnel

        auto=add

}}}

=== ipsec statusall ===

{{{

Performance:

  uptime: 9 minutes, since Nov 13 01:05:33 2008

  worker threads: 91 idle of 98, job queue load: 0, scheduled events: 2

  loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 

Listening IP addresses:

  10.1.0.1

  2001:1::1

  fec1::1

  192.168.0.1

  2001::1

  fec0::1

Connections:

    carol-mh:  2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]

    carol-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

    carol-mh:  public key authentication

    carol-mh:    2001:1::1/128[135] === 2001:1::10/128[135] 

carol-tunnel:    ::/0 === 2001:1::10/128 

     dave-mh:  2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]

     dave-mh:  CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any

     dave-mh:  public key authentication

     dave-mh:    2001:1::1/128[135] === 2001:1::20/128[135] 

 dave-tunnel:    ::/0 === 2001:1::20/128 

Security Associations:

    carol-mh[1]: ESTABLISHED, 2001:1::1[moon.strongswan.org]...2001::18d9:88ff:fe7d:36b3[carol@strongswan.org]

    carol-mh[1]: IKE SPIs: 372bdbd1320c2eb4_i a53801fd03fbffee_r*, rekeying in 47 minutes

    carol-mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT

    carol-mh{1}:  INSTALLED, TRANSPORT, ESP SPIs: c31ec667_i cf472638_o

    carol-mh{1}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 8 minutes, last use: 485s_i no_o 

    carol-mh{1}:   2001:1::1/128[135] === 2001:1::10/128[135] 

carol-tunnel{2}:  INSTALLED, TUNNEL, ESP SPIs: c0f90752_i c4f98106_o

carol-tunnel{2}:  AES_CBC-128/HMAC_SHA1_96, rekeying in 8 minutes, last use: 481s_i no_o 

carol-tunnel{2}:   ::/0 === 2001:1::10/128 

}}}

=== ip xfrm policy ===

{{{

src 2001:1::10/128 dst 2001:1::1/128 proto 135 

        dir in priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 1 mode transport

src 2001:1::1/128 dst 2001:1::10/128 proto 135 

        dir out priority 2 ptype main 

        tmpl src :: dst ::

                proto esp reqid 1 mode transport

src 2001:1::10/128 dst ::/0 

        dir in priority 10 ptype main 

        tmpl src 2001::18d9:88ff:fe7d:36b3 dst 2001:1::1

                proto esp reqid 2 mode tunnel

src 2001:1::10/128 dst ::/0 

        dir fwd priority 10 ptype main 

        tmpl src 2001::18d9:88ff:fe7d:36b3 dst 2001:1::1

                proto esp reqid 2 mode tunnel

src ::/0 dst 2001:1::10/128 

        dir out priority 10 ptype main 

        tmpl src 2001:1::1 dst 2001::18d9:88ff:fe7d:36b3

                proto esp reqid 2 mode tunnel

}}}

=== ip xfrm state ===

{{{

src :: dst ::

        proto hao reqid 0 mode ro

        replay-window 0 flag wildrecv

        coa ::

        sel src ::/0 dst ::/0 

src 2001:1::10 dst 2001:1::1

        proto esp spi 0xc31ec667 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0xf6815c3cd001ff884eb6c1b4112ea9db0daf1eef

        enc cbc(aes) 0xa51f577d694f46beb85179ecc5d35251

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto esp spi 0xcf472638 reqid 1 mode transport

        replay-window 32 

        auth hmac(sha1) 0x8d9790093b1baa89a128e92c7019c32d776eccac

        enc cbc(aes) 0xe02ea1231d5e1908564992ccafdc97cd

        sel src ::/0 dst ::/0 

src 2001:1::1 dst 2001:1::10

        proto route2 reqid 0 mode ro

        replay-window 0 

        coa 2001::18d9:88ff:fe7d:36b3

        lastused 2008-11-13 01:06:50

        sel src 2001:1::1/128 dst 2001:1::10/128 

src 2001:1::10 dst 2001:1::1

        proto hao reqid 0 mode ro

        replay-window 0 

        coa 2001::18d9:88ff:fe7d:36b3

        sel src 2001:1::10/128 dst 2001:1::1/128 

src 2001::18d9:88ff:fe7d:36b3 dst 2001:1::1

        proto esp spi 0xc0f90752 reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0x8339d597ed1d92d820443171d3e3282d83186572

        enc cbc(aes) 0xcba21b583a2330897e33339b72855eaa

src 2001:1::1 dst 2001::18d9:88ff:fe7d:36b3

        proto esp spi 0xc4f98106 reqid 2 mode tunnel

        replay-window 32 flag 20

        auth hmac(sha1) 0xf4ffd5a21d52b4766ea81c22945f3f558f24c675

        enc cbc(aes) 0x7c0d20968090085fbb17557f53c8818b

}}}

=== /var/log/daemon.log ===

{{{

Nov 13 01:05:33 moon charon: 01[DMN] starting charon (strongSwan Version 4.2.9rc18)

Nov 13 01:05:33 moon charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

Nov 13 01:05:33 moon charon: 01[LIB]   loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'

Nov 13 01:05:33 moon charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'

Nov 13 01:05:33 moon charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'

Nov 13 01:05:33 moon charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'

Nov 13 01:05:33 moon charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'

Nov 13 01:05:33 moon charon: 01[LIB]   loaded crl file '/etc/ipsec.d/crls/strongswan.crl'

Nov 13 01:05:33 moon charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'

Nov 13 01:05:33 moon charon: 01[CFG]   loaded private key file '/etc/ipsec.d/private/moonKey.pem'

Nov 13 01:05:34 moon charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql 

Nov 13 01:05:34 moon charon: 01[KNL] listening on interfaces:

Nov 13 01:05:34 moon charon: 01[KNL]   eth1

Nov 13 01:05:34 moon charon: 01[KNL]     10.1.0.1

Nov 13 01:05:34 moon charon: 01[KNL]     2001:1::1

Nov 13 01:05:34 moon charon: 01[KNL]     fec1::1

Nov 13 01:05:34 moon charon: 01[KNL]     fe80::b8d5:baff:feea:d493

Nov 13 01:05:34 moon charon: 01[KNL]   eth0

Nov 13 01:05:34 moon charon: 01[KNL]     192.168.0.1

Nov 13 01:05:34 moon charon: 01[KNL]     2001::1

Nov 13 01:05:34 moon charon: 01[KNL]     fec0::1

Nov 13 01:05:34 moon charon: 01[KNL]     fe80::e4f6:c7ff:fe59:80e1

Nov 13 01:05:34 moon charon: 01[JOB] spawning 98 worker threads

Nov 13 01:05:35 moon charon: 23[CFG] crl caching to /etc/ipsec.d/crls enabled

Nov 13 01:05:35 moon charon: 25[CFG] received stroke: add connection 'carol-mh'

Nov 13 01:05:35 moon charon: 25[KNL] getting interface name for %any

Nov 13 01:05:35 moon charon: 25[KNL] %any is not a local address

Nov 13 01:05:35 moon charon: 25[KNL] getting interface name for 2001:1::1

Nov 13 01:05:35 moon charon: 25[KNL] 2001:1::1 is on interface eth1

Nov 13 01:05:35 moon charon: 25[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 13 01:05:35 moon charon: 25[CFG] added configuration 'carol-mh': 2001:1::1[moon.strongswan.org]...%any[carol@strongswan.org]

Nov 13 01:05:35 moon charon: 27[CFG] received stroke: add connection 'carol-tunnel'

Nov 13 01:05:35 moon charon: 27[KNL] getting interface name for %any

Nov 13 01:05:35 moon charon: 27[KNL] %any is not a local address

Nov 13 01:05:35 moon charon: 27[KNL] getting interface name for 2001:1::1

Nov 13 01:05:35 moon charon: 27[KNL] 2001:1::1 is on interface eth1

Nov 13 01:05:35 moon charon: 27[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 13 01:05:35 moon charon: 27[CFG] added child to existing configuration 'carol-mh'

Nov 13 01:05:35 moon charon: 28[CFG] received stroke: add connection 'dave-mh'

Nov 13 01:05:35 moon charon: 28[KNL] getting interface name for %any

Nov 13 01:05:35 moon charon: 28[KNL] %any is not a local address

Nov 13 01:05:35 moon charon: 28[KNL] getting interface name for 2001:1::1

Nov 13 01:05:35 moon charon: 28[KNL] 2001:1::1 is on interface eth1

Nov 13 01:05:35 moon charon: 28[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 13 01:05:35 moon charon: 28[CFG] added configuration 'dave-mh': 2001:1::1[moon.strongswan.org]...%any[dave@strongswan.org]

Nov 13 01:05:35 moon charon: 30[CFG] received stroke: add connection 'dave-tunnel'

Nov 13 01:05:35 moon charon: 30[KNL] getting interface name for %any

Nov 13 01:05:35 moon charon: 30[KNL] %any is not a local address

Nov 13 01:05:35 moon charon: 30[KNL] getting interface name for 2001:1::1

Nov 13 01:05:35 moon charon: 30[KNL] 2001:1::1 is on interface eth1

Nov 13 01:05:35 moon charon: 30[LIB]   loaded certificate file '/etc/ipsec.d/certs/moonCert.pem'

Nov 13 01:05:35 moon charon: 30[CFG] added child to existing configuration 'dave-mh'

Nov 13 01:05:39 moon mip6d[1167]: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Home Agent)

Nov 13 01:06:45 moon charon: 33[NET] received packet: from 2001::18d9:88ff:fe7d:36b3[500] to 2001:1::1[500]

Nov 13 01:06:45 moon charon: 33[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

Nov 13 01:06:45 moon charon: 33[IKE] 2001::18d9:88ff:fe7d:36b3 is initiating an IKE_SA

Nov 13 01:06:45 moon charon: 33[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 moon charon: 33[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]

Nov 13 01:06:45 moon charon: 33[NET] sending packet: from 2001:1::1[500] to 2001::18d9:88ff:fe7d:36b3[500]

Nov 13 01:06:45 moon charon: 34[NET] received packet: from 2001::18d9:88ff:fe7d:36b3[500] to 2001:1::1[500]

Nov 13 01:06:45 moon charon: 34[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]

Nov 13 01:06:45 moon charon: 34[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 moon charon: 34[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 13 01:06:45 moon charon: 34[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 13 01:06:45 moon charon: 34[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 moon charon: 34[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"

Nov 13 01:06:45 moon charon: 34[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 moon charon: 34[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"

Nov 13 01:06:45 moon charon: 34[CFG]   crl is valid: until Nov 13 22:27:58 2008

Nov 13 01:06:45 moon charon: 34[CFG]   using cached crl

Nov 13 01:06:45 moon charon: 34[CFG] certificate status is good

Nov 13 01:06:45 moon charon: 34[IKE] authentication of 'carol@strongswan.org' with RSA signature successful

Nov 13 01:06:45 moon charon: 34[CFG] found matching peer config "carol-mh": moon.strongswan.org...carol@strongswan.org with prio 40.5

Nov 13 01:06:45 moon charon: 34[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful

Nov 13 01:06:45 moon charon: 34[IKE] scheduling rekeying in 3365s

Nov 13 01:06:45 moon charon: 34[IKE] maximum IKE_SA lifetime 3545s

Nov 13 01:06:45 moon charon: 34[IKE] IKE_SA carol-mh[1] established between 2001:1::1[moon.strongswan.org]...2001::18d9:88ff:fe7d:36b3[carol@strongswan.org]

Nov 13 01:06:45 moon charon: 34[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"

Nov 13 01:06:45 moon charon: 34[CHD] other address: 2001::18d9:88ff:fe7d:36b3 is a transport mode proxy for 2001:1::10

Nov 13 01:06:45 moon charon: 34[KNL] getting SPI for reqid {1}

Nov 13 01:06:45 moon charon: 34[KNL] got SPI c31ec667 for reqid {1}

Nov 13 01:06:45 moon charon: 34[KNL] adding SAD entry with SPI c31ec667 and reqid {1}

Nov 13 01:06:45 moon charon: 34[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 13 01:06:45 moon charon: 34[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 13 01:06:45 moon charon: 34[KNL] adding SAD entry with SPI cf472638 and reqid {1}

Nov 13 01:06:45 moon charon: 34[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 13 01:06:45 moon charon: 34[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 13 01:06:45 moon charon: 34[IKE] CHILD_SA carol-mh{1} established with SPIs c31ec667_i cf472638_o and TS 2001:1::1/128[135] === 2001:1::10/128[135] 

Nov 13 01:06:45 moon charon: 34[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]

Nov 13 01:06:45 moon charon: 34[NET] sending packet: from 2001:1::1[500] to 2001::18d9:88ff:fe7d:36b3[500]

Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   policy: 2001:1::10/128[135] === 2001:1::1/128[135] in, index 0

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:47 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   migrate ESP %any...%any to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {1}

Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] in with reqid {1}

Nov 13 01:06:47 moon charon: 05[KNL] interface ip6tnl1 activated

Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   policy: 2001:1::1/128[135] === 2001:1::10/128[135] out, index 0

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:47 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   migrate ESP %any...%any to 2001:1::1...2001::18d9:88ff:fe7d:36b3, reqid {1}

Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] out with reqid {1}

Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 in, index 0

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:47 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {2}

Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 in with reqid {2}

Nov 13 01:06:47 moon charon: 37[JOB] no CHILD_SA found with reqid {2}

Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   policy: 2001:1::10/128 === ::/0 fwd, index 0

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:47 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   migrate ESP 2001:1::10...2001:1::1 to 2001::18d9:88ff:fe7d:36b3...2001:1::1, reqid {2}

Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 fwd with reqid {2}

Nov 13 01:06:47 moon charon: 38[JOB] no CHILD_SA found with reqid {2}

Nov 13 01:06:47 moon charon: 04[KNL] received a XFRM_MSG_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   policy: ::/0 === 2001:1::10/128 out, index 0

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_KMADDRESS

Nov 13 01:06:47 moon charon: 04[KNL]   kmaddress: 2001:1::1...2001::18d9:88ff:fe7d:36b3

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_POLICY_TYPE

Nov 13 01:06:47 moon charon: 04[KNL]   XFRMA_MIGRATE

Nov 13 01:06:47 moon charon: 04[KNL]   migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::18d9:88ff:fe7d:36b3, reqid {2}

Nov 13 01:06:47 moon charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 out with reqid {2}

Nov 13 01:06:47 moon charon: 39[JOB] no CHILD_SA found with reqid {2}

Nov 13 01:06:47 moon charon: 05[KNL] fe80::b8d5:baff:feea:d493 appeared on ip6tnl1

Nov 13 01:06:47 moon charon: 40[NET] received packet: from 2001::18d9:88ff:fe7d:36b3[500] to 2001:1::1[500]

Nov 13 01:06:47 moon charon: 40[ENC] parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]

Nov 13 01:06:47 moon charon: 40[KNL] getting SPI for reqid {2}

Nov 13 01:06:47 moon charon: 40[KNL] got SPI c0f90752 for reqid {2}

Nov 13 01:06:47 moon charon: 40[KNL] adding SAD entry with SPI c0f90752 and reqid {2}

Nov 13 01:06:47 moon charon: 40[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 13 01:06:47 moon charon: 40[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 13 01:06:47 moon charon: 40[KNL] adding SAD entry with SPI c4f98106 and reqid {2}

Nov 13 01:06:47 moon charon: 40[KNL]   using encryption algorithm AES_CBC with key size 128

Nov 13 01:06:47 moon charon: 40[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160

Nov 13 01:06:47 moon charon: 40[IKE] CHILD_SA carol-tunnel{2} established with SPIs c0f90752_i c4f98106_o and TS ::/0 === 2001:1::10/128 

Nov 13 01:06:47 moon charon: 40[ENC] generating CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]

Nov 13 01:06:47 moon charon: 40[NET] sending packet: from 2001:1::1[500] to 2001::18d9:88ff:fe7d:36b3[500]

}}}