[support] Implementation of UMIP and Dynamic key establishment through IKEv2 in IPv4-only network

satya sahu satya0675 at gmail.com
Thu Feb 26 19:26:06 JST 2009


Hi Sebastien,

I have some doubts regarding the implementation of mip6d and dynamic key
establishment through IKEv2 in an IPv4-only network.

My packages on HA and MN:

        kernel: 2.6.28 kernel properly patched to support DSMIP UDP and TLV
encapsulation.
        UMIP-0.4: properly patched to support enhanced migrate support, NEMO
IPv4 traffic support and the bug fix patches given by you.
        IKEv2: strongswan-4.2.9

        I have configured strongswan and mip6d.conf to support IPsec
encryption of BU/BA messages between HA/MN.


Current behaviour observed:

When the MN moves from the HL to an IPv4 link, a new CoA is assigned to the MN,
then the MN sends migrate messages to the kernel (messages shown in syslog), as
KMADDRESS is an IPv4-mapped IPv6 address. Then IKE starts negotiations by
sending a packet from <ipv4 mapped ipv6 address> to <ipv6 homeagent address>,
but on the HA side this packet is not received by IKE (by digging more I found
that this packet reaches up to the INPUT chain and after that it is dropped
somewhere), hence IKE negotiation fails.


I suspect that the current mip6d daemon supports this approach for integrating
IKE and DSMIPv6 [approach got from GROUP]:

Allow DSMIPv6 to look like a virtual link for IKE. Hence, IKE will simply
run over IPv6 and will not be aware of IPv4 at all.



Message format for solution 1:
------------------------------

IPv4 header (src=V4ADDR, dst=HA_V4ADDR)
UDP header (src=DSMIPv6-PORT, dst=DSMIPv6-PORT)
IPv6 header (src=V6HOA, dst=HAADDR)
ESP header
Mobility header
BU [IPv4 HAO]
IPv4 CoA option

And IKE messages would look like:

IPv4 header (src=V4ADDR, dst=HA_V4ADDR)
UDP header (src=DSMIPv6-PORT, dst=DSMIPv6-PORT)
IPv6 header (src=V6HOA, dst=HAADDR)
UDP header (src=500, dst=500)
IKE message...



I have configured strongswan and mip6d.conf with the IPv6 HoA and IPv6
home agent address. There is no IPv4 address in either configuration.



At this point I have two questions in mind:

 1) Could we use an IPv4 home address and IPv4 home agent address in the IPsec
policy set with the IPv6 home address?

 2) Is there any code-level change in mip6d?

*PS: Everything is fine with movement from HL to IPv6, IPv6 to IPv6, IPv6
to IPv4. The IPsec SA is properly established and IKE tunnel end points are also
successfully updated on movement.
*
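
Added example, not part of the original post or of the UMIP or strongSwan code: the two message layouts above, parsed layer by layer in Python, reporting whether the tunnel carries ESP or IKE and whether the inner IPv6 source is an IPv4-mapped address rather than the HoA. The value 4191 for DSMIPv6-PORT, the function names and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct

DSMIP_PORT = 4191  # assumption: IANA UDP port for DSMIPv6; the post only says DSMIPv6-PORT

def build(v4src, v4dst, v6src, v6dst, inner_proto, inner):
    """Construct a sample packet (checksums left at zero; for parsing only)."""
    ip6 = struct.pack("!IHBB", 6 << 28, len(inner), inner_proto, 64)
    ip6 += ipaddress.IPv6Address(v6src).packed + ipaddress.IPv6Address(v6dst).packed + inner
    udp = struct.pack("!HHHH", DSMIP_PORT, DSMIP_PORT, 8 + len(ip6), 0) + ip6
    ip4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0)
    return ip4 + ipaddress.IPv4Address(v4src).packed + ipaddress.IPv4Address(v4dst).packed + udp

def classify(pkt):
    """Walk IPv4 -> UDP -> IPv6 and report what the tunnel carries."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return {"error": "outer header is not IPv4/UDP"}
    ihl = (pkt[0] & 0x0F) * 4
    _sport, dport = struct.unpack_from("!HH", pkt, ihl)
    if dport != DSMIP_PORT:
        return {"error": "not addressed to the DSMIPv6 port"}
    ip6 = pkt[ihl + 8:]
    if len(ip6) < 40 or ip6[0] >> 4 != 6:
        return {"error": "UDP payload is not an IPv6 packet"}
    src = ipaddress.IPv6Address(ip6[8:24])
    dst = ipaddress.IPv6Address(ip6[24:40])
    nxt, body = ip6[6], ip6[40:]  # next-header field and inner payload
    if nxt == 50:
        kind = "ESP"  # protected BU/BA
    elif nxt == 17 and len(body) >= 4 and struct.unpack_from("!HH", body) == (500, 500):
        kind = "IKE"
    else:
        kind = "other"
    return {"kind": kind, "inner_src": str(src), "inner_dst": str(dst),
            "src_is_v4_mapped": src.ipv4_mapped is not None}

# Constructed samples using documentation prefixes (not values from the post).
IKE_UDP = struct.pack("!HHHH", 500, 500, 8 + 4, 0) + b"\x00" * 4
EXPECTED = build("192.0.2.10", "198.51.100.1", "2001:db8::10", "2001:db8::1", 17, IKE_UDP)
MAPPED_SRC = build("192.0.2.10", "198.51.100.1", "::ffff:192.0.2.10", "2001:db8::1", 17, IKE_UDP)
ESP_BU = build("192.0.2.10", "198.51.100.1", "2001:db8::10", "2001:db8::1", 50, b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in (("expected", EXPECTED), ("mapped-src", MAPPED_SRC), ("esp", ESP_BU)):
        print(name, classify(pkt))
```

Run against the UDP payload of a capture taken on the HA, the same walk shows at which layer a received packet departs from the layout listed in the post.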