Hi. Usual non-subscriber CC replies request please.

There is a problem with 2.6.25(.4) using IPSEC on ipv4. You seem to need to have ipv6 available otherwise a protocol not supported error is returned when trying to set a Security Association Database. I'm using setkey on a file but another user on the ipsec-tools-devel list reported the same issue using racoon.

http://marc.info/?l=ipsec-tools-devel&m=121015164014761&w=2

So with modules loaded you expect it to work.

    $ lsmod
    Module                  Size  Used by
    authenc                 5056  0
    ah4                     4672  0
    esp4                    5824  0
    aead                    5824  2 authenc,esp4
    xfrm4_mode_tunnel       2176  20

A static file with tunnel configuration for laptop to desktop over open wireless not running WEP/WPA.

    $ head -n 12 /etc/ipsec.conf
    #!/usr/sbin/setkey -f

    flush;
    spdflush;

    add 1.1.1.1 2.2.2.2 esp 0x500 -m tunnel
        -E rijndael-cbc 0x...
        -A hmac-sha1 0x...;

    add 2.2.2.2 1.1.1.1 esp 0x501 -m tunnel
        -E rijndael-cbc 0x...
        -A hmac-sha1 0x...;

You get protocol not supported error.

    $ setkey -f /etc/ipsec.conf
    The result of line 8: Protocol not supported.
    The result of line 12: Protocol not supported.

But after modprobing ipv6 which automatically pulls in xfrm6_mode_tunnel, setkey starts working and I can communicate via IPSEC.

    $ lsmod
    Module                  Size  Used by
    xfrm6_mode_tunnel       2048  4
    ipv6                  217444  10 xfrm6_mode_tunnel
    authenc                 5056  4
    ah4                     4672  0
    esp4                    5824  4
    aead                    5824  2 authenc,esp4
    xfrm4_mode_tunnel       2176  28

It really shouldn't need ipv6.

Full kernel config, lsmod before and after modprobing ipv6 are available at below URLs.

http://www.swanson.ukfsn.org/ipsec/config
http://www.swanson.ukfsn.org/ipsec/lsmod-post-modprobe-ipv6
http://www.swanson.ukfsn.org/ipsec/lsmod-pre-modprobe-ipv6

--
Alan.

"One must never be purposelessnessnesslessness."
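A small check for the condition described in the report, as an added example that is not part of the original message: it classifies lsmod output into the states seen before and after loading ipv6, and extracts the config lines setkey rejected. The function names and state labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: function names and state labels are made up here.
# lsmod lists loadable modules only; built-in code will not appear.

# Sample input: the two lsmod listings and the setkey output from the report.
LSMOD_BEFORE='Module Size Used by
authenc 5056 0
ah4 4672 0
esp4 5824 0
aead 5824 2 authenc,esp4
xfrm4_mode_tunnel 2176 20'
LSMOD_AFTER='Module Size Used by
xfrm6_mode_tunnel 2048 4
ipv6 217444 10 xfrm6_mode_tunnel
authenc 5056 4
ah4 4672 0
esp4 5824 4
aead 5824 2 authenc,esp4
xfrm4_mode_tunnel 2176 28'
SETKEY_OUT='The result of line 8: Protocol not supported.
The result of line 12: Protocol not supported.'

# Classify lsmod text on stdin:
#   missing-ipv4-ipsec  esp4 or xfrm4_mode_tunnel not loaded
#   ipv4-only           the state in which the report saw the error
#   ipv6-loaded         ipv6 and xfrm6_mode_tunnel also loaded (setkey worked)
#   ipv6-partial        only one of ipv6 / xfrm6_mode_tunnel loaded
ipsec_module_state() {
    awk 'NR == 1 && $1 == "Module" { next }   # header row
         NF { m[$1] = 1 }                     # column 1 is the module name
         END {
             v6 = (("ipv6" in m) ? 1 : 0) + (("xfrm6_mode_tunnel" in m) ? 1 : 0)
             if (!("esp4" in m) || !("xfrm4_mode_tunnel" in m)) print "missing-ipv4-ipsec"
             else if (v6 == 0) print "ipv4-only"
             else if (v6 == 2) print "ipv6-loaded"
             else print "ipv6-partial"
         }'
}

# Print the config line numbers that setkey rejected with this error.
setkey_unsupported_lines() {
    awk '/^The result of line [0-9]+: Protocol not supported\.$/ {
             n = $5; sub(/:$/, "", n); out = (out == "" ? n : out " " n) }
         END { print out }'
}

printf 'before ipv6: %s\n' "$(printf '%s\n' "$LSMOD_BEFORE" | ipsec_module_state)"
printf 'after ipv6:  %s\n' "$(printf '%s\n' "$LSMOD_AFTER" | ipsec_module_state)"
printf 'rejected config lines: %s\n' "$(printf '%s\n' "$SETKEY_OUT" | setkey_unsupported_lines)"
```

On a live host, pipe `lsmod` and the output of `setkey -f /etc/ipsec.conf` into the two functions instead of the embedded samples.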
