MIPv6 Mobile Node Setup » History » Version 2
Version 1 (Andreas Steffen, 20.11.2008 00:52) → Version 2/3 (Andreas Steffen, 20.11.2008 00:52)
h1. MIPv6 Mobile Node Setup

h2. mip6d.conf

<pre>
NodeConfig MN;
UseMnHaIPsec enabled;
KeyMngMobCapability enabled;
DoRouteOptimizationMN disabled;
Interface "eth0";
MnHomeLink "eth0" {
    HomeAgentAddress 2001:1::1;
    HomeAddress 2001:1::10/64;
}
IPsecPolicySet {
    HomeAgentAddress 2001:1::1;
    HomeAddress 2001:1::10/64;
    IPsecPolicy Mh UseESP 1;
    IPsecPolicy TunnelPayload UseESP 2;
}
</pre>

KeyMngMobCapability enabled tells mip6d that the key manager (charon) understands XFRM MIGRATE, so an address change is handed to the IKE daemon instead of tearing the SAs down. The numbers after UseESP are the reqids of the two policy pairs (1 for the Mobility Header policy, 2 for the tunnel payload policy); they are what links the kernel MIGRATE and ACQUIRE messages in the logs below to the mh and tunnel connections of ipsec.conf.

h2. ipsec.conf

<pre>
config setup
    crlcheckinterval=180
    plutostart=no
    charondebug="knl 2"

conn %default
    keyexchange=ikev2
    reauth=no
    # address changes are driven by mip6d via XFRM MIGRATE, not by MOBIKE
    mobike=no
    # mip6d installs the IPsec policies; charon only installs the SAs
    installpolicy=no

# transport-mode SA protecting the Mobility Header (protocol 135) between HoA and HA
conn mh
    also=home
    rightsubnet=2001:1::1/128
    leftprotoport=135/0
    rightprotoport=135/0
    type=transport_proxy
    auto=route

# tunnel-mode SA carrying all payload traffic between the MN's HoA and the HA
conn tunnel
    also=home
    rightsubnet=::/0
    auto=route

conn home
    leftcert=carolCert.pem
    leftid=carol@strongswan.org
    leftsubnet=2001:1::10/128
    right=2001:1::1
    rightid=moon.strongswan.org
    ike=aes128-sha1-modp2048!
    esp=aes128-sha1-modp2048!
</pre>

h2. MN-to-HA Connection Establishment

Start strongSwan first; the two connection definitions are loaded and routed. Because installpolicy=no is set, charon does not install any kernel policies of its own at this point: it only registers the mh and tunnel children (the tunnel child is added to the existing configuration 'mh', since both are built on conn home) and waits for the kernel's MIGRATE and ACQUIRE messages that mip6d will trigger:
<pre>
ipsec start
Nov 19 08:39:19 carol charon: 01[DMN] starting charon (strongSwan Version 4.2.9)
Nov 19 08:39:19 carol charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 19 08:39:19 carol charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 19 08:39:19 carol charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 19 08:39:19 carol charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 19 08:39:19 carol charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 19 08:39:19 carol charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 19 08:39:19 carol charon: 01[LIB] loaded crl file '/etc/ipsec.d/crls/strongswan.crl'
Nov 19 08:39:19 carol charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 19 08:39:19 carol charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/carolKey.pem'
Nov 19 08:39:19 carol charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
Nov 19 08:39:19 carol charon: 01[KNL] listening on interfaces:
Nov 19 08:39:19 carol charon: 01[KNL] eth0
Nov 19 08:39:19 carol charon: 01[KNL] 192.168.0.100
Nov 19 08:39:19 carol charon: 01[KNL] 2001::41a:a8ff:fe6f:c67
Nov 19 08:39:19 carol charon: 01[KNL] fec0::41a:a8ff:fe6f:c67
Nov 19 08:39:19 carol charon: 01[KNL] fe80::41a:a8ff:fe6f:c67
Nov 19 08:39:19 carol charon: 01[JOB] spawning 16 worker threads
Nov 19 08:39:19 carol charon: 08[CFG] crl caching to /etc/ipsec.d/crls enabled
Nov 19 08:39:19 carol charon: 10[CFG] received stroke: add connection 'mh'
Nov 19 08:39:19 carol charon: 10[KNL] getting interface name for 2001:1::1
Nov 19 08:39:19 carol charon: 10[KNL] 2001:1::1 is not a local address
Nov 19 08:39:19 carol charon: 10[KNL] getting interface name for %any
Nov 19 08:39:19 carol charon: 10[KNL] %any is not a local address
Nov 19 08:39:19 carol charon: 10[CFG] left nor right host is our side, assuming left=local
Nov 19 08:39:19 carol charon: 10[LIB] loaded certificate file '/etc/ipsec.d/certs/carolCert.pem'
Nov 19 08:39:19 carol charon: 10[CFG] added configuration 'mh': %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
Nov 19 08:39:19 carol charon: 09[CFG] received stroke: route 'mh'
Nov 19 08:39:19 carol charon: 11[KNL] getting address to reach 2001:1::1
Nov 19 08:39:19 carol charon: 11[CHD] my address: 2001::41a:a8ff:fe6f:c67 is a transport mode proxy for 2001:1::10
Nov 19 08:39:19 carol charon: 11[IKE] CHILD_SA routed
Nov 19 08:39:19 carol charon: 14[CFG] received stroke: add connection 'tunnel'
Nov 19 08:39:19 carol charon: 14[KNL] getting interface name for 2001:1::1
Nov 19 08:39:19 carol charon: 14[KNL] 2001:1::1 is not a local address
Nov 19 08:39:19 carol charon: 14[KNL] getting interface name for %any
Nov 19 08:39:19 carol charon: 14[KNL] %any is not a local address
Nov 19 08:39:19 carol charon: 14[CFG] left nor right host is our side, assuming left=local
Nov 19 08:39:19 carol charon: 14[LIB] loaded certificate file '/etc/ipsec.d/certs/carolCert.pem'
Nov 19 08:39:19 carol charon: 14[CFG] added child to existing configuration 'mh'
Nov 19 08:39:19 carol charon: 17[CFG] received stroke: route 'tunnel'
Nov 19 08:39:19 carol charon: 10[KNL] getting address to reach 2001:1::1
Nov 19 08:39:19 carol charon: 10[IKE] CHILD_SA routed
</pre>
Next the MIPv6 daemon is started. It creates the ip6tnl1 tunnel interface towards the HA and assigns the home address 2001:1::10 to it, which charon picks up as a new local address:
<pre>
/etc/init.d/mip6d start
Nov 19 08:39:23 carol mip6d[1317]: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Mobile Node)
Nov 19 08:39:23 carol charon: 05[KNL] interface ip6tnl1 activated
Nov 19 08:39:23 carol charon: 05[KNL] 2001:1::10 appeared on ip6tnl1
</pre>
mip6d installs its IPsec policies and announces them to charon with XFRM_MSG_MIGRATE messages that carry the current CoA (2001::41a:a8ff:fe6f:c67) as the outer address for both reqids. The first Binding Update the MN wants to send then produces an XFRM_MSG_ACQUIRE for the Mobility Header policy (selector 2001:1::10/128[135/5]: protocol 135 is the Mobility Header, type 5 a Binding Update), which triggers strongSwan to set up the IKE_SA with the HA and the IPsec transport SA protecting the Binding Update messages:
<pre>
Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] policy: 2001:1::10/128[135] === 2001:1::1/128[135] in
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:23 carol charon: 04[KNL] kmaddress: 2001::41a:a8ff:fe6f:c67...2001:1::1
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] migrate ESP %any...%any to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {1}
Nov 19 08:39:23 carol charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] out with reqid {1}
Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] policy: 2001:1::1/128[135] === 2001:1::10/128[135] out
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:23 carol charon: 04[KNL] kmaddress: 2001::41a:a8ff:fe6f:c67...2001:1::1
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] migrate ESP %any...%any to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {1}
Nov 19 08:39:23 carol charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] in with reqid {1}
Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] policy: 2001:1::10/128 === ::/0 in
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:23 carol charon: 04[KNL] kmaddress: 2001::41a:a8ff:fe6f:c67...2001:1::1
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}
Nov 19 08:39:23 carol charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 out with reqid {2}
Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] policy: ::/0 === 2001:1::10/128 out
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:23 carol charon: 04[KNL] kmaddress: 2001::41a:a8ff:fe6f:c67...2001:1::1
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {2}
Nov 19 08:39:23 carol charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 in with reqid {2}
Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_ACQUIRE
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_TMPL
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:23 carol charon: 04[KNL] creating acquire job for policy 2001:1::10/128[135/5] === 2001:1::1/128[135] with reqid {1}
Nov 19 08:39:23 carol charon: 09[IKE] initiating IKE_SA mh[1] to 2001:1::1
Nov 19 08:39:23 carol charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 19 08:39:23 carol charon: 09[NET] sending packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]
Nov 19 08:39:23 carol charon: 16[KNL] getting address to reach 2001:1::1
Nov 19 08:39:23 carol charon: 12[NET] received packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]
Nov 19 08:39:23 carol charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Nov 19 08:39:23 carol charon: 12[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 carol charon: 12[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 carol charon: 12[IKE] authentication of 'carol@strongswan.org' (myself) with RSA signature successful
Nov 19 08:39:23 carol charon: 12[IKE] sending end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
Nov 19 08:39:23 carol charon: 12[IKE] establishing CHILD_SA mh{1}
Nov 19 08:39:23 carol charon: 12[CHD] my address: 2001::41a:a8ff:fe6f:c67 is a transport mode proxy for 2001:1::10
Nov 19 08:39:23 carol charon: 12[KNL] getting SPI for reqid {1}
Nov 19 08:39:23 carol charon: 12[KNL] got SPI c5959ac2 for reqid {1}
Nov 19 08:39:23 carol charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 19 08:39:23 carol charon: 12[NET] sending packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]
Nov 19 08:39:23 carol charon: 14[NET] received packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]
Nov 19 08:39:23 carol charon: 14[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 19 08:39:23 carol charon: 14[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 19 08:39:23 carol charon: 14[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 19 08:39:23 carol charon: 14[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 carol charon: 14[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 19 08:39:23 carol charon: 14[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 carol charon: 14[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 carol charon: 14[CFG] crl is valid: until Dec 13 07:58:20 2008
Nov 19 08:39:23 carol charon: 14[CFG] using cached crl
Nov 19 08:39:23 carol charon: 14[CFG] certificate status is good
Nov 19 08:39:23 carol charon: 14[IKE] authentication of 'moon.strongswan.org' with RSA signature successful
Nov 19 08:39:23 carol charon: 14[IKE] scheduling rekeying in 3327s
Nov 19 08:39:23 carol charon: 14[IKE] maximum IKE_SA lifetime 3507s
Nov 19 08:39:23 carol charon: 14[IKE] IKE_SA mh[1] established between 2001::41a:a8ff:fe6f:c67[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
Nov 19 08:39:23 carol charon: 14[KNL] adding SAD entry with SPI ca64ae98 and reqid {1}
Nov 19 08:39:23 carol charon: 14[KNL] using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:23 carol charon: 14[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:23 carol charon: 14[KNL] adding SAD entry with SPI c5959ac2 and reqid {1}
Nov 19 08:39:23 carol charon: 14[KNL] using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:23 carol charon: 14[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:23 carol charon: 14[IKE] CHILD_SA mh{1} established with SPIs c5959ac2_i ca64ae98_o and TS 2001:1::10/128[135] === 2001:1::1/128[135]
</pre>
Right after that the IPsec tunnel SA for the payload traffic between the MN and the HA is created over the same IKE_SA with a CREATE_CHILD_SA exchange; here the acquire is triggered by an ICMPv6 type 146 packet (Mobile Prefix Solicitation) from the HoA to the HA:
<pre>
Nov 19 08:39:24 carol charon: 04[KNL] received a XFRM_MSG_ACQUIRE
Nov 19 08:39:24 carol charon: 04[KNL] XFRMA_TMPL
Nov 19 08:39:24 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:24 carol charon: 04[KNL] creating acquire job for policy 2001:1::10/128[ipv6-icmp/146] === 2001:1::1/128[ipv6-icmp] with reqid {2}
Nov 19 08:39:24 carol charon: 17[IKE] establishing CHILD_SA tunnel{2}
Nov 19 08:39:24 carol charon: 17[KNL] getting SPI for reqid {2}
Nov 19 08:39:24 carol charon: 17[KNL] got SPI ce4db893 for reqid {2}
Nov 19 08:39:24 carol charon: 17[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Nov 19 08:39:24 carol charon: 17[NET] sending packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]
Nov 19 08:39:24 carol charon: 11[NET] received packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]
Nov 19 08:39:24 carol charon: 11[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
Nov 19 08:39:25 carol charon: 11[KNL] adding SAD entry with SPI c190d5ba and reqid {2}
Nov 19 08:39:25 carol charon: 11[KNL] using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:25 carol charon: 11[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:25 carol charon: 11[KNL] adding SAD entry with SPI ce4db893 and reqid {2}
Nov 19 08:39:25 carol charon: 11[KNL] using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:25 carol charon: 11[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:25 carol charon: 11[IKE] CHILD_SA tunnel{2} established with SPIs ce4db893_i c190d5ba_o and TS 2001:1::10/128 === ::/0
</pre>

h2. IPsec Status after Establishment

<pre>
ipsec statusall
Performance:
uptime: 50 seconds, since Nov 19 08:39:19 2008
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
Listening IP addresses:
192.168.0.100
2001::41a:a8ff:fe6f:c67
fec0::41a:a8ff:fe6f:c67
2001:1::10
Connections:
mh: %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
mh: public key authentication
mh: 2001:1::10/128[135] === 2001:1::1/128[135]
tunnel: 2001:1::10/128 === ::/0
Security Associations:
mh[1]: ESTABLISHED, 2001::41a:a8ff:fe6f:c67[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
mh[1]: IKE SPIs: 58b6f8e6f23188fa_i* 63fdcfb55179c548_r, rekeying in 54 minutes
mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT
mh{1}: ROUTED, TRANSPORT_PROXY
mh{1}: 2001:1::10/128[135] === 2001:1::1/128[135]
tunnel{2}: ROUTED, TUNNEL
tunnel{2}: 2001:1::10/128 === ::/0
mh{1}: INSTALLED, TRANSPORT_PROXY, ESP SPIs: c5959ac2_i ca64ae98_o
mh{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 16 minutes, last use: 45s_i no_o
mh{1}: 2001:1::10/128[135] === 2001:1::1/128[135]
tunnel{2}: INSTALLED, TUNNEL, ESP SPIs: ce4db893_i c190d5ba_o
tunnel{2}: AES_CBC-128/HMAC_SHA1_96, rekeying in 16 minutes, last use: 6s_i 6s_o
tunnel{2}: 2001:1::10/128 === ::/0
</pre>
The IPsec policies in the Linux 2.6 kernel, as installed by mip6d. The transport-mode templates for reqid 1 have wildcard addresses because the mh SA is addressed by the HoA/HA selectors themselves, whereas the tunnel-mode templates for reqid 2 carry the current CoA as outer endpoint, which is exactly what the MIGRATE messages update:
<pre>
ip xfrm policy
src 2001:1::1/128 dst 2001:1::10/128 proto 135
dir in priority 2 ptype main
tmpl src :: dst ::
proto esp reqid 1 mode transport
src 2001:1::10/128 dst 2001:1::1/128 proto 135
dir out priority 2 ptype main
tmpl src :: dst ::
proto esp reqid 1 mode transport
src ::/0 dst 2001:1::10/128
dir in priority 10 ptype main
tmpl src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
proto esp reqid 2 mode tunnel
src 2001:1::10/128 dst ::/0
dir out priority 10 ptype main
tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
proto esp reqid 2 mode tunnel
</pre>
and the IPsec states. The first entry (proto hao, mode ro) is not an ESP SA but the Mobile IPv6 Home Address Option state mip6d installs for the HoA with the current CoA; the four ESP entries are the transport and tunnel SAs negotiated above. Note that ip xfrm state prints the raw ESP keys, so a dump like this is as sensitive as the SAs themselves:
<pre>
ip xfrm state
src 2001:1::10 dst 2001:1::1
proto hao reqid 0 mode ro
replay-window 0
coa 2001::41a:a8ff:fe6f:c67
lastused 2008-11-19 08:39:25
sel src 2001:1::10/128 dst 2001:1::1/128
src 2001:1::10 dst 2001:1::1
proto esp spi 0xca64ae98 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611
enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20
sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
proto esp spi 0xc5959ac2 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff
enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359
sel src ::/0 dst ::/0
src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
proto esp spi 0xc190d5ba reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02
enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56
src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
proto esp spi 0xce4db893 reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af
enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf
</pre>

h2. Care-of-Address (CoA) Change

After some time the MN changes its CoA from 2001::41a:a8ff:fe6f:c67 to 2001::50, simulated here by hand with ip addr; charon logs both address events on eth0:
<pre>
ip addr add 2001::50/128 dev eth0
ip addr del 2001::41a:a8ff:fe6f:c67/64 dev eth0
Nov 19 08:41:43 carol charon: 05[KNL] 2001::50 appeared on eth0
Nov 19 08:41:43 carol charon: 12[KNL] getting address to reach 2001:1::1
Nov 19 08:41:56 carol charon: 05[KNL] 2001::41a:a8ff:fe6f:c67 disappeared from eth0
</pre>
which causes the MIPv6 daemon to issue XFRM_MSG_MIGRATE messages for both policy pairs. charon re-addresses the existing SAs to the new CoA in place: no IKE exchange is run (MOBIKE is disabled, and the HA learns the new CoA from the Binding Update instead), and, as the status output below shows, both the IKE_SA and the ESP SPIs stay the same.
<pre>
Nov 19 08:41:56 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] policy: 2001:1::10/128[135] === 2001:1::1/128[135] in
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 carol charon: 04[KNL] kmaddress: 2001::50...2001:1::1
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] migrate ESP %any...%any to 2001::50...2001:1::1, reqid {1}
Nov 19 08:41:56 carol charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] out with reqid {1}
Nov 19 08:41:56 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] policy: 2001:1::1/128[135] === 2001:1::10/128[135] out
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 carol charon: 04[KNL] kmaddress: 2001::50...2001:1::1
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] migrate ESP %any...%any to 2001:1::1...2001::50, reqid {1}
Nov 19 08:41:56 carol charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] in with reqid {1}
Nov 19 08:41:56 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] policy: 2001:1::10/128 === ::/0 in
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 carol charon: 04[KNL] kmaddress: 2001::50...2001:1::1
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}
Nov 19 08:41:56 carol charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 out with reqid {2}
Nov 19 08:41:56 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] policy: ::/0 === 2001:1::10/128 out
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 carol charon: 04[KNL] kmaddress: 2001::50...2001:1::1
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] migrate ESP 2001:1::1...2001::41a:a8ff:fe6f:c67 to 2001:1::1...2001::50, reqid {2}
Nov 19 08:41:56 carol charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 in with reqid {2}
</pre>

h2. IPsec Status after CoA Change

<pre>
ipsec statusall
Performance:
uptime: 3 minutes, since Nov 19 08:39:19 2008
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
Listening IP addresses:
192.168.0.100
fec0::41a:a8ff:fe6f:c67
2001::50
2001:1::10
Connections:
mh: %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
mh: public key authentication
mh: 2001:1::10/128[135] === 2001:1::1/128[135]
tunnel: 2001:1::10/128 === ::/0
Security Associations:
mh[1]: ESTABLISHED, 2001::50[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
mh[1]: IKE SPIs: 58b6f8e6f23188fa_i* 63fdcfb55179c548_r, rekeying in 52 minutes
mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT
mh{1}: ROUTED, TRANSPORT_PROXY
mh{1}: 2001:1::10/128[135] === 2001:1::1/128[135]
tunnel{2}: ROUTED, TUNNEL
tunnel{2}: 2001:1::10/128 === ::/0
mh{1}: INSTALLED, TRANSPORT_PROXY, ESP SPIs: c5959ac2_i ca64ae98_o
mh{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 30s_i no_o
mh{1}: 2001:1::10/128[135] === 2001:1::1/128[135]
tunnel{2}: INSTALLED, TUNNEL, ESP SPIs: ce4db893_i c190d5ba_o
tunnel{2}: AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 3s_i 3s_o
tunnel{2}: 2001:1::10/128 === ::/0
</pre>
and the IPsec states after the change. The tunnel-mode SAs now carry 2001::50 as outer address while their SPIs and keys are identical to the dump taken before the change; the HAO state points to the new CoA, and the two src :: dst :: entries flagged wildrecv are mip6d's wildcard receive states for the Home Address Option (hao) and the type 2 routing header (route2):
<pre>
ip xfrm state
src :: dst ::
proto hao reqid 0 mode ro
replay-window 0 flag wildrecv
coa ::
sel src ::/0 dst ::/0
src :: dst ::
proto route2 reqid 0 mode ro
replay-window 0 flag wildrecv
coa ::
sel src ::/0 dst ::/0
src 2001:1::10 dst 2001:1::1
proto hao reqid 0 mode ro
replay-window 0
coa 2001::50
lastused 2008-11-19 08:41:56
sel src 2001:1::10/128 dst 2001:1::1/128
src 2001:1::10 dst 2001:1::1
proto esp spi 0xca64ae98 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611
enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20
sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
proto esp spi 0xc5959ac2 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff
enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359
sel src ::/0 dst ::/0
src 2001::50 dst 2001:1::1
proto esp spi 0xc190d5ba reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02
enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56
src 2001:1::1 dst 2001::50
proto esp spi 0xce4db893 reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af
enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf
</pre>
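Comparing the two ip xfrm state dumps by eye is error-prone. The following Python script is an added example, not code from this wiki page or the strongSwan code base: it parses ip xfrm state output into one record per SA and checks the properties the dumps above demonstrate (same SPIs and keys before and after, tunnel-mode SAs on the new CoA, transport-mode SAs untouched, old CoA gone). The sample dumps are rebuilt from the values on this page by a small generator; its rekeyed variant, with made-up SPIs and keys, shows the failure the checks are meant to catch.

```python
"""Diff two `ip xfrm state` dumps taken around a CoA change.

Added example, not code from the strongSwan page or code base. A
MIGRATE must re-address the tunnel-mode SAs to the new CoA and leave
SPIs, keys and the transport-mode HoA <-> HA SAs alone; a rekey (new
SPIs) or a stale CoA fails the checks below.
"""
import re

STATE_HEADER = re.compile(r"^src (?P<src>\S+) dst (?P<dst>\S+)$")
PROTO_LINE = re.compile(
    r"^proto (?P<proto>\S+)(?: spi (?P<spi>0x[0-9a-f]+))? reqid (?P<reqid>\d+) mode (?P<mode>\S+)$")
# "auth hmac(sha1) 0x..." here; newer iproute2 prints "auth-trunc hmac(sha1) 0x... 96"
KEY_LINE = re.compile(r"^(?P<kind>auth(?:-trunc)?|enc) \S+ (?P<key>0x[0-9a-f]+)")


def parse_xfrm_state(text):
    """Return one dict (src, dst, proto, spi, reqid, mode, keys) per SA in the dump."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()          # ip prints attribute lines tab-indented
        m = STATE_HEADER.match(line)
        if m:
            cur = {"src": m["src"], "dst": m["dst"], "keys": {}}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = PROTO_LINE.match(line)
        if m:
            cur.update(proto=m["proto"], spi=m["spi"], reqid=int(m["reqid"]), mode=m["mode"])
            continue
        m = KEY_LINE.match(line)
        if m:
            cur["keys"][m["kind"]] = m["key"]
    return sas


def check_migration(before_text, after_text, old_coa, new_coa):
    """Named checks (-> bool) that the CoA change was a MIGRATE, not a rekey."""
    before = {sa["spi"]: sa for sa in parse_xfrm_state(before_text) if sa.get("proto") == "esp"}
    after = {sa["spi"]: sa for sa in parse_xfrm_state(after_text) if sa.get("proto") == "esp"}
    tunnel = [sa for sa in after.values() if sa["mode"] == "tunnel"]
    transport = [sa for sa in after.values() if sa["mode"] == "transport"]
    return {
        # No SA was deleted or created: the same ESP SPIs exist on both sides.
        "same_spis": set(before) == set(after),
        # Key material is carried over, so the lifetimes negotiated by IKE still apply.
        "same_keys": all(before[s]["keys"] == after[s]["keys"] for s in before if s in after),
        # The old CoA must not linger as outer address on any SA.
        "old_coa_gone": all(old_coa not in (sa["src"], sa["dst"]) for sa in after.values()),
        # Every tunnel-mode SA (MN <-> HA payload) now uses the new CoA.
        "tunnel_on_new_coa": bool(tunnel) and all(new_coa in (sa["src"], sa["dst"]) for sa in tunnel),
        # Transport-mode SAs protect HoA <-> HA and must not move with the CoA.
        "transport_unchanged": bool(transport) and all(
            (sa["src"], sa["dst"]) == (before[sa["spi"]]["src"], before[sa["spi"]]["dst"])
            for sa in transport if sa["spi"] in before),
    }


HOA, HA = "2001:1::10", "2001:1::1"
COA1, COA2 = "2001::41a:a8ff:fe6f:c67", "2001::50"
# Keys copied from the dumps above (strongSwan testbed material, not production secrets).
A1, E1 = "0x419c41d8807fb521e947988cef4a6181d810b611", "0xed90ae3f4f12a697f40cce1893b54e20"
A2, E2 = "0xea26afc566143c25959a060c90be3053c50ddcff", "0x0bd5bd34d5523c0929f2efd7a7c93359"
A3, E3 = "0x672c1ea4359956c6a3b869b388b424b7058eee02", "0xaaf5be1d604e64028d4e0a41f0d92b56"
A4, E4 = "0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af", "0x4d138f1363c1810f8c9cb2fcb1ee8bdf"


def _esp(src, dst, spi, reqid, mode, auth, enc):
    """Render one ESP entry the way `ip xfrm state` prints it (tab-indented)."""
    return (f"src {src} dst {dst}\n\tproto esp spi {spi} reqid {reqid} mode {mode}\n"
            f"\treplay-window 32\n\tauth hmac(sha1) {auth}\n\tenc cbc(aes) {enc}\n")


def state_dump(coa, rekeyed=False):
    """Constructed `ip xfrm state` text matching the dumps above for the given CoA.

    rekeyed=True gives the tunnel SAs made-up fresh SPIs and keys, i.e. what a
    CoA change that caused a rekey instead of a MIGRATE would look like."""
    spi_o, spi_i = ("0x0badc0de", "0x0badc0df") if rekeyed else ("0xc190d5ba", "0xce4db893")
    a3, e3 = ("0x" + "11" * 20, "0x" + "22" * 16) if rekeyed else (A3, E3)
    a4, e4 = ("0x" + "33" * 20, "0x" + "44" * 16) if rekeyed else (A4, E4)
    hao = f"src {HOA} dst {HA}\n\tproto hao reqid 0 mode ro\n\treplay-window 0\n\tcoa {coa}\n"
    return (hao
            + _esp(HOA, HA, "0xca64ae98", 1, "transport", A1, E1)
            + _esp(HA, HOA, "0xc5959ac2", 1, "transport", A2, E2)
            + _esp(coa, HA, spi_o, 2, "tunnel", a3, e3)
            + _esp(HA, coa, spi_i, 2, "tunnel", a4, e4))


if __name__ == "__main__":
    for name, ok in check_migration(state_dump(COA1), state_dump(COA2), COA1, COA2).items():
        print(f"{name:20s} {'ok' if ok else 'FAIL'}")
```

In practice run `ip xfrm state` as root before and after the move and pass the two captures to check_migration. The dump contains the raw ESP keys, so keep it out of tickets and log shippers; the check only needs to know that the keys are equal, not what they are.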
h1.
= MIPv6 Mobile Node Setup
h2. =
== mip6d.conf
<pre>
[[NodeConfig]] ==
{{{
NodeConfig MN;
[[UseMnHaIPsec]] UseMnHaIPsec enabled;
[[KeyMngMobCapability]] KeyMngMobCapability enabled;
[[DoRouteOptimizationMN]] DoRouteOptimizationMN disabled;
Interface "eth0";
[[MnHomeLink]] MnHomeLink "eth0" {
[[HomeAgentAddress]] HomeAgentAddress 2001:1::1;
[[HomeAddress]] HomeAddress 2001:1::10/64;
}
IPsecPolicySet {
[[HomeAgentAddress]] HomeAgentAddress 2001:1::1;
[[HomeAddress]] HomeAddress 2001:1::10/64;
IPsecPolicy Mh [[UseESP]] UseESP 1;
IPsecPolicy [[TunnelPayload]] TunnelPayload UseESP 2;
}
</pre>
h2. }}}
== ipsec.conf
<pre>
==
{{{
config setup
crlcheckinterval=180
plutostart=no
charondebug="knl 2"
conn %default
keyexchange=ikev2
reauth=no
mobike=no
installpolicy=no
conn mh
also=home
rightsubnet=2001:1::1/128
leftprotoport=135/0
rightprotoport=135/0
type=transport_proxy
auto=route
conn tunnel
also=home
rightsubnet=::/0
auto=route
conn home
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftsubnet=2001:1::10/128
right=2001:1::1
rightid=moon.strongswan.org
ike=aes128-sha1-modp2048!
esp=aes128-sha1-modp2048!
</pre>
h2. }}}
== MN-to-HA Connection Establishment
==
Start strongSwan first and the IPsec connection definitions will be loaded and routed
<pre>
{{{
ipsec start
Nov 19 08:39:19 carol charon: 01[DMN] starting charon (strongSwan Version 4.2.9)
Nov 19 08:39:19 carol charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 19 08:39:19 carol charon: 01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/strongswanCert.pem'
Nov 19 08:39:19 carol charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 19 08:39:19 carol charon: 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 19 08:39:19 carol charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 19 08:39:19 carol charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 19 08:39:19 carol charon: 01[LIB] loaded crl file '/etc/ipsec.d/crls/strongswan.crl'
Nov 19 08:39:19 carol charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 19 08:39:19 carol charon: 01[CFG] loaded private key file '/etc/ipsec.d/private/carolKey.pem'
Nov 19 08:39:19 carol charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
Nov 19 08:39:19 carol charon: 01[KNL] listening on interfaces:
Nov 19 08:39:19 carol charon: 01[KNL] eth0
Nov 19 08:39:19 carol charon: 01[KNL] 192.168.0.100
Nov 19 08:39:19 carol charon: 01[KNL] 2001::41a:a8ff:fe6f:c67
Nov 19 08:39:19 carol charon: 01[KNL] fec0::41a:a8ff:fe6f:c67
Nov 19 08:39:19 carol charon: 01[KNL] fe80::41a:a8ff:fe6f:c67
Nov 19 08:39:19 carol charon: 01[JOB] spawning 16 worker threads
Nov 19 08:39:19 carol charon: 08[CFG] crl caching to /etc/ipsec.d/crls enabled
Nov 19 08:39:19 carol charon: 10[CFG] received stroke: add connection 'mh'
Nov 19 08:39:19 carol charon: 10[KNL] getting interface name for 2001:1::1
Nov 19 08:39:19 carol charon: 10[KNL] 2001:1::1 is not a local address
Nov 19 08:39:19 carol charon: 10[KNL] getting interface name for %any
Nov 19 08:39:19 carol charon: 10[KNL] %any is not a local address
Nov 19 08:39:19 carol charon: 10[CFG] left nor right host is our side, assuming left=local
Nov 19 08:39:19 carol charon: 10[LIB] loaded certificate file '/etc/ipsec.d/certs/carolCert.pem'
Nov 19 08:39:19 carol charon: 10[CFG] added configuration 'mh': %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
Nov 19 08:39:19 carol charon: 09[CFG] received stroke: route 'mh'
Nov 19 08:39:19 carol charon: 11[KNL] getting address to reach 2001:1::1
Nov 19 08:39:19 carol charon: 11[CHD] my address: 2001::41a:a8ff:fe6f:c67 is a transport mode proxy for 2001:1::10
Nov 19 08:39:19 carol charon: 11[IKE] CHILD_SA routed
Nov 19 08:39:19 carol charon: 14[CFG] received stroke: add connection 'tunnel'
Nov 19 08:39:19 carol charon: 14[KNL] getting interface name for 2001:1::1
Nov 19 08:39:19 carol charon: 14[KNL] 2001:1::1 is not a local address
Nov 19 08:39:19 carol charon: 14[KNL] getting interface name for %any
Nov 19 08:39:19 carol charon: 14[KNL] %any is not a local address
Nov 19 08:39:19 carol charon: 14[CFG] left nor right host is our side, assuming left=local
Nov 19 08:39:19 carol charon: 14[LIB] loaded certificate file '/etc/ipsec.d/certs/carolCert.pem'
Nov 19 08:39:19 carol charon: 14[CFG] added child to existing configuration 'mh'
Nov 19 08:39:19 carol charon: 17[CFG] received stroke: route 'tunnel'
Nov 19 08:39:19 carol charon: 10[KNL] getting address to reach 2001:1::1
Nov 19 08:39:19 carol charon: 10[IKE] CHILD_SA routed
</pre>
}}}
Next the MIPv6 daemon is activated
<pre>
{{{
/etc/init.d/mip6d start
Nov 19 08:39:23 carol mip6dr1317: mip6d[1317]: MIPL Mobile IPv6 for Linux v2.0.2-umip-0.4 started (Mobile Node)
Nov 19 08:39:23 carol charon: 05[KNL] interface ip6tnl1 activated
Nov 19 08:39:23 carol charon: 05[KNL] 2001:1::10 appeared on ip6tnl1
</pre>
}}}
which triggers strongSwan to automatically sets up the IPsec transport SA for the Binding Update messages
<pre>
{{{
Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] policy: 2001:1::10/128r135 2001:1::10/128[135] === 2001:1::1/128r135 2001:1::1/128[135] in
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:23 carol charon: 04[KNL] kmaddress: 2001::41a:a8ff:fe6f:c67...2001:1::1
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] migrate ESP %any...%any to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {1}
Nov 19 08:39:23 carol charon: 04[KNL] creating migrate job for policy 2001:1::10/128r135 2001:1::10/128[135] === 2001:1::1/128r135 2001:1::1/128[135] out with reqid {1}
Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] policy: 2001:1::1/128r135 2001:1::1/128[135] === 2001:1::10/128r135 2001:1::10/128[135] out
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:23 carol charon: 04[KNL] kmaddress: 2001::41a:a8ff:fe6f:c67...2001:1::1
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] migrate ESP %any...%any to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {1}
Nov 19 08:39:23 carol charon: 04[KNL] creating migrate job for policy 2001:1::1/128r135 2001:1::1/128[135] === 2001:1::10/128r135 2001:1::10/128[135] in with reqid {1}
Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] policy: 2001:1::10/128 === ::/0 in
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:23 carol charon: 04[KNL] kmaddress: 2001::41a:a8ff:fe6f:c67...2001:1::1
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] migrate ESP 2001:1::10...2001:1::1 to 2001::41a:a8ff:fe6f:c67...2001:1::1, reqid {2}
Nov 19 08:39:23 carol charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 out with reqid {2}
Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] policy: ::/0 === 2001:1::10/128 out
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:39:23 carol charon: 04[KNL] kmaddress: 2001::41a:a8ff:fe6f:c67...2001:1::1
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:39:23 carol charon: 04[KNL] migrate ESP 2001:1::1...2001:1::10 to 2001:1::1...2001::41a:a8ff:fe6f:c67, reqid {2}
Nov 19 08:39:23 carol charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 in with reqid {2}
Nov 19 08:39:23 carol charon: 04[KNL] received a XFRM_MSG_ACQUIRE
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_TMPL
Nov 19 08:39:23 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:23 carol charon: 04[KNL] creating acquire job for policy 2001:1::10/128[135/5] === 2001:1::1/128r135 2001:1::1/128[135] with reqid {1}
Nov 19 08:39:23 carol charon: 09[IKE] initiating IKE_SA mhr1 mh[1] to 2001:1::1
Nov 19 08:39:23 carol charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 19 08:39:23 carol charon: 09[NET] sending packet: from 2001::41a:a8ff:fe6f:c67r500 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1r500 2001:1::1[500]
Nov 19 08:39:23 carol charon: 16[KNL] getting address to reach 2001:1::1
Nov 19 08:39:23 carol charon: 12[NET] received packet: from 2001:1::1r500 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67r500 2001::41a:a8ff:fe6f:c67[500]
Nov 19 08:39:23 carol charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Nov 19 08:39:23 carol charon: 12[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 carol charon: 12[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 carol charon: 12[IKE] authentication of 'carol@strongswan.org' (myself) with RSA signature successful
Nov 19 08:39:23 carol charon: 12[IKE] sending end entity cert "C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
Nov 19 08:39:23 carol charon: 12[IKE] establishing CHILD_SA mh{1}
Nov 19 08:39:23 carol charon: 12[CHD] my address: 2001::41a:a8ff:fe6f:c67 is a transport mode proxy for 2001:1::10
Nov 19 08:39:23 carol charon: 12[KNL] getting SPI for reqid {1}
Nov 19 08:39:23 carol charon: 12[KNL] got SPI c5959ac2 for reqid {1}
Nov 19 08:39:23 carol charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 19 08:39:23 carol charon: 12[NET] sending packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]
Nov 19 08:39:23 carol charon: 14[NET] received packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]
Nov 19 08:39:23 carol charon: 14[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]
Nov 19 08:39:23 carol charon: 14[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 19 08:39:23 carol charon: 14[CFG] using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 19 08:39:23 carol charon: 14[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 carol charon: 14[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
Nov 19 08:39:23 carol charon: 14[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 carol charon: 14[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Nov 19 08:39:23 carol charon: 14[CFG] crl is valid: until Dec 13 07:58:20 2008
Nov 19 08:39:23 carol charon: 14[CFG] using cached crl
Nov 19 08:39:23 carol charon: 14[CFG] certificate status is good
Nov 19 08:39:23 carol charon: 14[IKE] authentication of 'moon.strongswan.org' with RSA signature successful
Nov 19 08:39:23 carol charon: 14[IKE] scheduling rekeying in 3327s
Nov 19 08:39:23 carol charon: 14[IKE] maximum IKE_SA lifetime 3507s
Nov 19 08:39:23 carol charon: 14[IKE] IKE_SA mhr1 mh[1] established between 2001::41a:a8ff:fe6f:c67[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
Nov 19 08:39:23 carol charon: 14[KNL] adding SAD entry with SPI ca64ae98 and reqid {1}
Nov 19 08:39:23 carol charon: 14[KNL] using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:23 carol charon: 14[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:23 carol charon: 14[KNL] adding SAD entry with SPI c5959ac2 and reqid {1}
Nov 19 08:39:23 carol charon: 14[KNL] using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:23 carol charon: 14[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:23 carol charon: 14[IKE] CHILD_SA mh{1} established with SPIs c5959ac2_i ca64ae98_o and TS 2001:1::10/128[135] === 2001:1::1/128[135]
</pre>
}}}
and right after that the IPsec tunnel SA for the payload between the MN and the HA is created
<pre>
{{{
Nov 19 08:39:24 carol charon: 04[KNL] received a XFRM_MSG_ACQUIRE
Nov 19 08:39:24 carol charon: 04[KNL] XFRMA_TMPL
Nov 19 08:39:24 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:39:24 carol charon: 04[KNL] creating acquire job for policy 2001:1::10/128[ipv6-icmp/146] === 2001:1::1/128[ipv6-icmp] with reqid {2}
Nov 19 08:39:24 carol charon: 17[IKE] establishing CHILD_SA tunnel{2}
Nov 19 08:39:24 carol charon: 17[KNL] getting SPI for reqid {2}
Nov 19 08:39:24 carol charon: 17[KNL] got SPI ce4db893 for reqid {2}
Nov 19 08:39:24 carol charon: 17[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Nov 19 08:39:24 carol charon: 17[NET] sending packet: from 2001::41a:a8ff:fe6f:c67[500] to 2001:1::1[500]
Nov 19 08:39:24 carol charon: 11[NET] received packet: from 2001:1::1[500] to 2001::41a:a8ff:fe6f:c67[500]
Nov 19 08:39:24 carol charon: 11[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
Nov 19 08:39:25 carol charon: 11[KNL] adding SAD entry with SPI c190d5ba and reqid {2}
Nov 19 08:39:25 carol charon: 11[KNL] using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:25 carol charon: 11[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:25 carol charon: 11[KNL] adding SAD entry with SPI ce4db893 and reqid {2}
Nov 19 08:39:25 carol charon: 11[KNL] using encryption algorithm AES_CBC with key size 128
Nov 19 08:39:25 carol charon: 11[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Nov 19 08:39:25 carol charon: 11[IKE] CHILD_SA tunnel{2} established with SPIs ce4db893_i c190d5ba_o and TS 2001:1::10/128 === ::/0
</pre>
}}}
h2. IPsec Status after Establishment
<pre>
{{{
ipsec statusall
Performance:
uptime: 50 seconds, since Nov 19 08:39:19 2008
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
Listening IP addresses:
192.168.0.100
2001::41a:a8ff:fe6f:c67
fec0::41a:a8ff:fe6f:c67
2001:1::10
Connections:
mh: %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
mh: public key authentication
mh: 2001:1::10/128[135] === 2001:1::1/128[135]
tunnel: 2001:1::10/128 === ::/0
Security Associations:
mhr1: mh[1]: ESTABLISHED, 2001::41a:a8ff:fe6f:c67[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
mhr1: mh[1]: IKE SPIs: 58b6f8e6f23188fa_i* 63fdcfb55179c548_r, rekeying in 54 minutes
mhr1: mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT
mh{1}: ROUTED, TRANSPORT_PROXY
mh{1}: 2001:1::10/128[135] === 2001:1::1/128[135]
tunnel{2}: ROUTED, TUNNEL
tunnel{2}: 2001:1::10/128 === ::/0
mh{1}: INSTALLED, TRANSPORT_PROXY, ESP SPIs: c5959ac2_i ca64ae98_o
mh{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 16 minutes, last use: 45s_i no_o
mh{1}: 2001:1::10/128[135] === 2001:1::1/128[135]
tunnel{2}: INSTALLED, TUNNEL, ESP SPIs: ce4db893_i c190d5ba_o
tunnel{2}: AES_CBC-128/HMAC_SHA1_96, rekeying in 16 minutes, last use: 6s_i 6s_o
tunnel{2}: 2001:1::10/128 === ::/0
</pre>
}}}
The IPsec policy in the Linux 2.6 kernel
<pre>
{{{
ip xfrm policy
src 2001:1::1/128 dst 2001:1::10/128 proto 135
dir in priority 2 ptype main
tmpl src :: dst ::
proto esp reqid 1 mode transport
src 2001:1::10/128 dst 2001:1::1/128 proto 135
dir out priority 2 ptype main
tmpl src :: dst ::
proto esp reqid 1 mode transport
src ::/0 dst 2001:1::10/128
dir in priority 10 ptype main
tmpl src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
proto esp reqid 2 mode tunnel
src 2001:1::10/128 dst ::/0
dir out priority 10 ptype main
tmpl src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
proto esp reqid 2 mode tunnel
</pre>
}}}
and the IPsec state in the Linux 2.6 kernel
<pre>
{{{
ip xfrm state
src 2001:1::10 dst 2001:1::1
proto hao reqid 0 mode ro
replay-window 0
coa 2001::41a:a8ff:fe6f:c67
lastused 2008-11-19 08:39:25
sel src 2001:1::10/128 dst 2001:1::1/128
src 2001:1::10 dst 2001:1::1
proto esp spi 0xca64ae98 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611
enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20
sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
proto esp spi 0xc5959ac2 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff
enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359
sel src ::/0 dst ::/0
src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
proto esp spi 0xc190d5ba reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02
enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56
src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
proto esp spi 0xce4db893 reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af
enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf
</pre>
}}}
h2. Care-of-Address (CoA) Change
After some time the MN changes its CoA from 2001::41a:a8ff:fe6f:c67 to 2001::50
<pre>
{{{
ip addr add 2001::50/128 dev eth0
ip addr del 2001::41a:a8ff:fe6f:c67/64 dev eth0
Nov 19 08:41:43 carol charon: 05[KNL] 2001::50 appeared on eth0
Nov 19 08:41:43 carol charon: 12[KNL] getting address to reach 2001:1::1
Nov 19 08:41:56 carol charon: 05[KNL] 2001::41a:a8ff:fe6f:c67 disappeared from eth0
</pre>
}}}
which causes the MIPv6 daemon to issue MIGRATE messages to strongSwan
<pre>
{{{
Nov 19 08:41:56 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] policy: 2001:1::10/128[135] === 2001:1::1/128[135] in
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 carol charon: 04[KNL] kmaddress: 2001::50...2001:1::1
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] migrate ESP %any...%any to 2001::50...2001:1::1, reqid {1}
Nov 19 08:41:56 carol charon: 04[KNL] creating migrate job for policy 2001:1::10/128[135] === 2001:1::1/128[135] out with reqid {1}
Nov 19 08:41:56 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] policy: 2001:1::1/128[135] === 2001:1::10/128[135] out
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 carol charon: 04[KNL] kmaddress: 2001::50...2001:1::1
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] migrate ESP %any...%any to 2001:1::1...2001::50, reqid {1}
Nov 19 08:41:56 carol charon: 04[KNL] creating migrate job for policy 2001:1::1/128[135] === 2001:1::10/128[135] in with reqid {1}
Nov 19 08:41:56 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] policy: 2001:1::10/128 === ::/0 in
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 carol charon: 04[KNL] kmaddress: 2001::50...2001:1::1
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] migrate ESP 2001::41a:a8ff:fe6f:c67...2001:1::1 to 2001::50...2001:1::1, reqid {2}
Nov 19 08:41:56 carol charon: 04[KNL] creating migrate job for policy 2001:1::10/128 === ::/0 out with reqid {2}
Nov 19 08:41:56 carol charon: 04[KNL] received a XFRM_MSG_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] policy: ::/0 === 2001:1::10/128 out
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_KMADDRESS
Nov 19 08:41:56 carol charon: 04[KNL] kmaddress: 2001::50...2001:1::1
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_POLICY_TYPE
Nov 19 08:41:56 carol charon: 04[KNL] XFRMA_MIGRATE
Nov 19 08:41:56 carol charon: 04[KNL] migrate ESP 2001:1::1...2001::41a:a8ff:fe6f:c67 to 2001:1::1...2001::50, reqid {2}
Nov 19 08:41:56 carol charon: 04[KNL] creating migrate job for policy ::/0 === 2001:1::10/128 in with reqid {2}
</pre>
}}}
h2. IPsec Status after CoA Change
<pre>
{{{
ipsec statusall
Performance:
uptime: 3 minutes, since Nov 19 08:39:19 2008
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
loaded plugins: curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink
Listening IP addresses:
192.168.0.100
fec0::41a:a8ff:fe6f:c67
2001::50
2001:1::10
Connections:
mh: %any[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
mh: CAs: "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"...%any
mh: public key authentication
mh: 2001:1::10/128[135] === 2001:1::1/128[135]
tunnel: 2001:1::10/128 === ::/0
Security Associations:
mhr1: mh[1]: ESTABLISHED, 2001::50[carol@strongswan.org]...2001:1::1[moon.strongswan.org]
mhr1: mh[1]: IKE SPIs: 58b6f8e6f23188fa_i* 63fdcfb55179c548_r, rekeying in 52 minutes
mhr1: mh[1]: IKE proposal: AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048_BIT
mh{1}: ROUTED, TRANSPORT_PROXY
mh{1}: 2001:1::10/128[135] === 2001:1::1/128[135]
tunnel{2}: ROUTED, TUNNEL
tunnel{2}: 2001:1::10/128 === ::/0
mh{1}: INSTALLED, TRANSPORT_PROXY, ESP SPIs: c5959ac2_i ca64ae98_o
mh{1}: AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 30s_i no_o
mh{1}: 2001:1::10/128[135] === 2001:1::1/128[135]
tunnel{2}: INSTALLED, TUNNEL, ESP SPIs: ce4db893_i c190d5ba_o
tunnel{2}: AES_CBC-128/HMAC_SHA1_96, rekeying in 13 minutes, last use: 3s_i 3s_o
tunnel{2}: 2001:1::10/128 === ::/0
</pre>
}}}
and the IPsec state in the Linux 2.6 kernel
<pre>
{{{
ip xfrm state
src :: dst ::
proto hao reqid 0 mode ro
replay-window 0 flag wildrecv
coa ::
sel src ::/0 dst ::/0
src :: dst ::
proto route2 reqid 0 mode ro
replay-window 0 flag wildrecv
coa ::
sel src ::/0 dst ::/0
src 2001:1::10 dst 2001:1::1
proto hao reqid 0 mode ro
replay-window 0
coa 2001::50
lastused 2008-11-19 08:41:56
sel src 2001:1::10/128 dst 2001:1::1/128
src 2001:1::10 dst 2001:1::1
proto esp spi 0xca64ae98 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0x419c41d8807fb521e947988cef4a6181d810b611
enc cbc(aes) 0xed90ae3f4f12a697f40cce1893b54e20
sel src ::/0 dst ::/0
src 2001:1::1 dst 2001:1::10
proto esp spi 0xc5959ac2 reqid 1 mode transport
replay-window 32
auth hmac(sha1) 0xea26afc566143c25959a060c90be3053c50ddcff
enc cbc(aes) 0x0bd5bd34d5523c0929f2efd7a7c93359
sel src ::/0 dst ::/0
src 2001::50 dst 2001:1::1
proto esp spi 0xc190d5ba reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x672c1ea4359956c6a3b869b388b424b7058eee02
enc cbc(aes) 0xaaf5be1d604e64028d4e0a41f0d92b56
src 2001:1::1 dst 2001::50
proto esp spi 0xce4db893 reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0xdf1eeff5b86dfbd183c7a932c8250fc57d9632af
enc cbc(aes) 0x4d138f1363c1810f8c9cb2fcb1ee8bdf
</pre>
}}}
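The two @ip xfrm state@ dumps above (before and after the CoA change) can be compared mechanically to confirm what the MIGRATE messages did: the tunnel SAs (reqid 2) keep their SPIs and keys but now carry 2001::50 as outer endpoint, the transport SAs (reqid 1) between HoA and HA are untouched, and nothing still references the old CoA. The following script is an added example written for this page, not code from strongSwan or mip6d. BEFORE and AFTER are abbreviated copies of the page's own dumps (replay-window and key lines dropped); the parser reads the regular @ip xfrm state@ text format and ignores indentation, so it can be pointed at a live dump as well.

```python
"""Compare two `ip xfrm state` dumps taken before and after a Care-of Address
change and report which IPsec SAs the kernel migrated in place.

Example for the MIPv6 MN wiki page; not part of strongSwan or mip6d.
BEFORE/AFTER are abbreviated copies of the page's dumps (keys dropped).
"""
import re

BEFORE = """\
src 2001:1::10 dst 2001:1::1
proto hao reqid 0 mode ro
coa 2001::41a:a8ff:fe6f:c67
sel src 2001:1::10/128 dst 2001:1::1/128
src 2001:1::10 dst 2001:1::1
proto esp spi 0xca64ae98 reqid 1 mode transport
src 2001:1::1 dst 2001:1::10
proto esp spi 0xc5959ac2 reqid 1 mode transport
src 2001::41a:a8ff:fe6f:c67 dst 2001:1::1
proto esp spi 0xc190d5ba reqid 2 mode tunnel
src 2001:1::1 dst 2001::41a:a8ff:fe6f:c67
proto esp spi 0xce4db893 reqid 2 mode tunnel
"""

AFTER = """\
src :: dst ::
proto hao reqid 0 mode ro
replay-window 0 flag wildrecv
coa ::
src :: dst ::
proto route2 reqid 0 mode ro
coa ::
src 2001:1::10 dst 2001:1::1
proto hao reqid 0 mode ro
coa 2001::50
sel src 2001:1::10/128 dst 2001:1::1/128
src 2001:1::10 dst 2001:1::1
proto esp spi 0xca64ae98 reqid 1 mode transport
src 2001:1::1 dst 2001:1::10
proto esp spi 0xc5959ac2 reqid 1 mode transport
src 2001::50 dst 2001:1::1
proto esp spi 0xc190d5ba reqid 2 mode tunnel
src 2001:1::1 dst 2001::50
proto esp spi 0xce4db893 reqid 2 mode tunnel
"""

# Each SA starts with a "src X dst Y" line; "sel src ..." selector lines do not match.
HEADER = re.compile(r"^\s*src (\S+) dst (\S+)\s*$")
PROTO = re.compile(r"^\s*proto (\S+)(?: spi (0x[0-9a-f]+))? reqid (\d+) mode (\S+)")
COA = re.compile(r"^\s*coa (\S+)")


def parse_xfrm_state(text):
    """One dict per SA: src, dst, proto, spi (None for non-ESP), reqid, mode, coa."""
    sas, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "proto": None,
                   "spi": None, "reqid": None, "mode": None, "coa": None}
            sas.append(cur)
            continue
        if cur is None:
            continue  # text before the first SA header
        m = PROTO.match(line)
        if m:
            cur["proto"], cur["spi"] = m.group(1), m.group(2)
            cur["reqid"], cur["mode"] = int(m.group(3)), m.group(4)
            continue
        m = COA.match(line)
        if m:
            cur["coa"] = m.group(1)
    return sas


def current_coa(text):
    """CoA recorded in the MN's Home Address Option (hao) state; wildcard entries skipped."""
    for sa in parse_xfrm_state(text):
        if sa["proto"] == "hao" and sa["coa"] not in (None, "::"):
            return sa["coa"]
    return None


def compare_states(before_text, after_text):
    """Map each ESP SPI to 'unchanged', 'migrated' (same SPI, new endpoints),
    'replaced' (SPI gone: rekeyed or deleted instead of migrated) or 'new'."""
    before = {sa["spi"]: sa for sa in parse_xfrm_state(before_text) if sa["proto"] == "esp"}
    after = {sa["spi"]: sa for sa in parse_xfrm_state(after_text) if sa["proto"] == "esp"}
    report = {}
    for spi, old in before.items():
        new = after.get(spi)
        if new is None:
            report[spi] = "replaced"
        elif (old["src"], old["dst"]) == (new["src"], new["dst"]):
            report[spi] = "unchanged"
        else:
            report[spi] = "migrated"
    for spi in after.keys() - before.keys():
        report[spi] = "new"
    return report


def stale_endpoints(text, old_coa):
    """SPIs of ESP SAs still using old_coa as an endpoint; must be empty after a full MIGRATE."""
    return sorted(sa["spi"] for sa in parse_xfrm_state(text)
                  if sa["proto"] == "esp" and old_coa in (sa["src"], sa["dst"]))


if __name__ == "__main__":
    old, new = current_coa(BEFORE), current_coa(AFTER)
    print(f"CoA {old} -> {new}")
    for spi, state in sorted(compare_states(BEFORE, AFTER).items()):
        print(f"  {spi}: {state}")
    print("SAs still bound to old CoA:", stale_endpoints(AFTER, old) or "none")
```

On the page's data the report shows both reqid 1 SPIs as unchanged and both reqid 2 SPIs as migrated, with no stale endpoints. A SPI reported as "replaced" would mean the SA was rekeyed or torn down rather than migrated (traffic interruption and an unnecessary IKE exchange), and a non-empty stale list would mean one of the MIGRATE messages was missed, leaving a tunnel SA bound to an address the MN no longer has.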