[Openswan dev] Error building klips-ipv6 (missing include?)
David McCullough
david_mccullough at mcafee.com
Mon Oct 11 17:49:06 EDT 2010
Jivin Ruben Laban lays it down ...
> Hello David,
>
> It took me a bit of time to get my testing environment up and running again,
> but just now I ran some tests against the latest klips-ipv6 checkout:
>
> On Tuesday 31 August 2010 at 15:33 (CET), Ruben Laban wrote:
> > To summarize I see 2 "major" issues left:
> >
> > * "messed" up destination mac addresses on outbound traffic (seen by
> > tcpdump on ipsecX)
>
> This one is still present.
Yep, haven't tried to do that one yet.
> > * _updown.klips doesn't take care of adding IPv6 routes yet
>
> This one seems to be fixed.
It should be.
> I did notice something "odd" though:
>
> Before conn is up:
>
> 2a02:bd0:abcd:3::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> 2a02:bd0:abcd:4::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> 2a02:bd0:abcd::/48 via 2a02:bd0:abcd:3::10 dev eth1 metric 1024 mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev ipsec0 proto kernel metric 256 mtu 16260 advmss 16200 hoplimit 0
>
> After conn is up:
>
> 2a02:bd0:abcd:1::/64 dev ipsec0 metric 1024 mtu 16260 advmss 16200 hoplimit 0
> 2a02:bd0:abcd:3::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> 2a02:bd0:abcd:3::/64 dev ipsec0 proto kernel metric 256 mtu 16260 advmss 16200 hoplimit 0
> 2a02:bd0:abcd:4::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> 2a02:bd0:abcd::/48 via 2a02:bd0:abcd:3::10 dev eth1 metric 1024 mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
> fe80::/64 dev ipsec0 proto kernel metric 256 mtu 16260 advmss 16200 hoplimit 0
>
> So it does add a nice route to rightsubnet= (2a02:bd0:abcd:1::/64) through
> ipsec0. But it also adds a route to left's "uplink" network
> (2a02:bd0:abcd:3::/64) through ipsec0. I haven't looked at the code in
> question yet, so perhaps this is just some documented feature.
One of those is automatically added by the kernel.
> I also noticed the mtu is quite huge. I wonder if that could interfere with
> pmtud somehow?
>
>
> More important (to me at least) is that I still need to do:
>
> # ip addr add 2a02:bd0:abcd:3::20/64 dev ipsec0
> # ipsec whack --listen
>
> before pluto starts listening on the IPv6 address.
This looks like the Debian bug that is being discussed.
The easiest way to check is to run:

    ipsec setup stop

wait for everything to be up with their correct IPv6 addresses and then
run:

    ipsec setup start

and see how it goes then.
Cheers,
Davidm
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
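
The following is an added example, not part of the original message or of Openswan: a POSIX shell comparison of two `ip -6 route` listings like the ones quoted above, reporting which routes appeared once the conn was up and which non-link-local prefixes are reachable through more than one device. The function names are hypothetical, and the sample data is constructed from the quoted routes (wrapped lines rejoined, some link-local lines trimmed).

```shell
#!/bin/sh
# Constructed sample data, taken from the route listings quoted in the thread.
BEFORE='2a02:bd0:abcd:3::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
2a02:bd0:abcd:4::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
2a02:bd0:abcd::/48 via 2a02:bd0:abcd:3::10 dev eth1 metric 1024 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev ipsec0 proto kernel metric 256 mtu 16260 advmss 16200 hoplimit 0'
AFTER="$BEFORE
2a02:bd0:abcd:1::/64 dev ipsec0 metric 1024 mtu 16260 advmss 16200 hoplimit 0
2a02:bd0:abcd:3::/64 dev ipsec0 proto kernel metric 256 mtu 16260 advmss 16200 hoplimit 0"

# Reduce each route line to "prefix dev proto" so metric/mtu changes do not
# affect the comparison; "-" means the line carried no proto keyword.
route_keys() {
    awk '{ dev = ""; proto = "-"
           for (i = 2; i < NF; i++) {
               if ($i == "dev")   dev = $(i + 1)
               if ($i == "proto") proto = $(i + 1)
           }
           if (dev != "") print $1, dev, proto }'
}

# Routes (keyed on prefix + device) present in listing $2 but not in listing $1.
added_routes() {
    { printf '%s\n' "$1" | route_keys | sed 's/^/B /'
      printf '%s\n' "$2" | route_keys | sed 's/^/A /'; } |
    awk '$1 == "B" { seen[$2 " " $3] = 1; next }
         !(($2 " " $3) in seen) { print $2, $3, $4 }'
}

# Prefixes routed through more than one device. fe80::/64 is skipped because
# every interface legitimately has its own link-local route.
shared_prefixes() {
    printf '%s\n' "$1" | route_keys |
    awk '$1 !~ /^fe80:/ && !(($1 " " $2) in pair) {
             pair[$1 " " $2] = 1; n[$1]++
             devs[$1] = (devs[$1] == "" ? "" : devs[$1] ",") $2
         }
         END { for (p in n) if (n[p] > 1) print p, devs[p] }'
}

echo "Added after the conn came up:";     added_routes "$BEFORE" "$AFTER"
echo "Prefixes on more than one device:"; shared_prefixes "$AFTER"
```

On a live system the two arguments would be the saved output of `ip -6 route` taken before and after bringing the conn up.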