[Openswan dev] Error building klips-ipv6 (missing include?)

Ruben Laban r.laban at ism.nl
Tue Oct 12 03:44:11 EDT 2010


Hello,

On Monday 11 October 2010 at 22:28 (CET), Ruben Laban wrote:
> Hi Harald,
> 
> On Monday 11 October 2010 at 21:51 (CET), Harald Jenny wrote:
> > > 'ipsec whack --listen' didn't result in the IPv6 address showing up on
> > > ipsec0.  However, 'ipsec setup --restart' did result in the IPv6
> > > address showing up on ipsec0. So it might be the same (or at least
> > > similar) issue after all.
> > 
> > The issue from Debian is NETKEY based - when the system is booted it
> > seems the problem is gone...
> 
> I kinda assume(d) that it's a pluto issue, and not really related to the
> stack that's being used. Only other related thing I can think of is IPv6's
> DAD feature. Which would keep the address in a tentative state while
> openswan is starting up, making pluto ignore it. Once DAD finishes its
> tasks, pluto would pick up the address if it was told to do so (as in:
> ipsec setup restart for instance).

I'm *pretty* sure that it is indeed DAD related. I just added some debugging to
the init script (basically dump the output of `ip -6 a` to syslog), and it
showed the address in question was indeed tentative still:

Oct 12 09:27:13 vn-t-fw03 ipsec_setup: 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 
Oct 12 09:27:13 vn-t-fw03 ipsec_setup:     inet6 ::1/128 scope host 
Oct 12 09:27:13 vn-t-fw03 ipsec_setup:        valid_lft forever preferred_lft forever
Oct 12 09:27:13 vn-t-fw03 ipsec_setup: 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
Oct 12 09:27:13 vn-t-fw03 ipsec_setup:     inet6 fe80::20c:29ff:fe3a:e518/64 scope link 
Oct 12 09:27:13 vn-t-fw03 ipsec_setup:        valid_lft forever preferred_lft forever
Oct 12 09:27:13 vn-t-fw03 ipsec_setup: 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
Oct 12 09:27:13 vn-t-fw03 ipsec_setup:     inet6 2a02:bd0:abcd:3::20/64 scope global tentative 
Oct 12 09:27:13 vn-t-fw03 ipsec_setup:        valid_lft forever preferred_lft forever
Oct 12 09:27:13 vn-t-fw03 ipsec_setup:     inet6 fe80::20c:29ff:fe3a:e522/64 scope link 
Oct 12 09:27:13 vn-t-fw03 ipsec_setup:        valid_lft forever preferred_lft forever
Oct 12 09:27:13 vn-t-fw03 ipsec_setup: 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
Oct 12 09:27:13 vn-t-fw03 ipsec_setup:     inet6 2a02:bd0:abcd:4::10/64 scope global tentative 
Oct 12 09:27:13 vn-t-fw03 ipsec_setup:        valid_lft forever preferred_lft forever
Oct 12 09:27:13 vn-t-fw03 ipsec_setup:     inet6 fe80::20c:29ff:fe3a:e52c/64 scope link tentative 
Oct 12 09:27:13 vn-t-fw03 ipsec_setup:        valid_lft forever preferred_lft forever

As has already been mentioned several times, the cleanest solution to this
problem as well is to make Openswan/pluto somehow get notified when new
IPv4/IPv6 addresses arrive on specific/any interfaces.

Regards,
Ruben Laban
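
The check described in the message above, as an added example that is not part of the original post or of Openswan's init script: it parses `ip -6 addr` output for addresses still in DAD and waits for them before the IKE daemon would be started. The names `dad_state`, `wait_for_dad` and `DAD_SOURCE` are hypothetical, and the sample input (including the `dadfailed` address, which would otherwise be waited on forever) is constructed.

```shell
#!/bin/sh
# Constructed sample in the format of raw `ip -6 addr` output.
SAMPLE='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2a02:bd0:abcd:3::20/64 scope global tentative
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe3a:e522/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2a02:bd0:abcd:4::10/64 scope global tentative dadfailed
       valid_lft forever preferred_lft forever'

# Read `ip -6 addr` output on stdin and print "iface address" lines.
# $1 = tentative : DAD still running, address not usable yet
# $1 = dadfailed : duplicate detected, address will never become usable
dad_state() {
    awk -v want="$1" '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); next }
        $1 == "inet6" {
            tent = 0; failed = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "tentative") tent = 1
                if ($i == "dadfailed") failed = 1
            }
            if (want == "dadfailed" && failed) print iface, $2
            if (want == "tentative" && tent && !failed) print iface, $2
        }'
}

# Poll once per second until no address is pending DAD, for at most
# $1 seconds (default 5). DAD_SOURCE (hypothetical) names the command
# that produces the listing, so the loop can be exercised offline.
wait_for_dad() {
    left=${1:-5}
    while [ "$left" -ge 0 ]; do
        pending=$(${DAD_SOURCE:-ip -6 addr show} | dad_state tentative)
        [ -z "$pending" ] && return 0
        [ "$left" -eq 0 ] && break
        sleep 1
        left=$((left - 1))
    done
    echo "DAD still pending for: $pending" >&2
    return 1
}

# Intended use before starting pluto: wait_for_dad 5 || logger "IPv6 DAD pending"
```

Polling only narrows the startup race; an address added after the daemon is running still needs the notification mechanism the message asks for.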

