[support] Destination unreachable from HA on BU???
Mattias Blomqvist
mattias.blomqvist at gmail.com
Wed Mar 25 17:11:06 JST 2009
Hi
Ok.
umip config on HA:
NodeConfig HA;
DebugLevel 10;
Interface "eth0";
HaAcceptMobRtr enabled;
UseMnHaIPsec disabled;
KeyMngMobCapability disabled;
I have tried with HaAcceptMobRtr disabled with the same results.
I have attached the kernel config as an attachment.
Since I was digging into xfrm, the policies and states look like this
with mip6d running on the HA:
ip xfrm policy show
src ::/0 dst ::/0 proto ipv6-icmp type 0
        dir out priority 12 ptype sub
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir out priority 3 ptype sub
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir out priority 12 ptype sub
src ::/0 dst ::/0 proto 135
        dir out priority 12 ptype sub
src ::/0 dst ::/0 proto 135 type 5
        dir in priority 9 ptype sub
        tmpl src :: dst ::
                proto hao reqid 0 mode ro
                level use
All these policies belong to mip6d since they go away if I stop mip6d.
XFRM state is:
ip xfrm state show
src :: dst ::
        proto hao reqid 0 mode ro
        replay-window 0 flag wildrecv
        coa ::
        sel src ::/0 dst ::/0
ip xfrm monitor doesn't give any output at all. Shouldn't it?
BR,
Mattias Blomqvist
On Tue, Mar 24, 2009 at 8:02 PM, Arnaud Ebalard <arno at natisbad.org> wrote:
> Hi,
>
> Mattias Blomqvist <mattias.blomqvist at gmail.com> writes:
>
>> I've done some more research.
>>
>> I can't get it to work with either of the mip6d from nautilus6.org or
>> from natisbad.org on either debian 4.0 or debian 5.0 with a variety of
>> kernels. I'm currently on debian 5.0 and kernel 2.6.29. The kernel is
>> before compiling checked with set_mip6_ipsec_fw_kernel_options.sh from
>> natisbad.org to make sure all the correct options are set.
>> Kernel 2.6.29 doesn't send destination unreachable as a patched 2.6.24 did.
>>
>> I'm currently investigating the xfrm setup and I have a question. A HA
>> does both xfrm_ha_init() and xfrm_cn_init(). xfrm_ha_init() only sets
>> up ipsec which I have turned off. xfrm_cn_init() says in its comments:
>> /* Create policy for all BUs with home flag NOT set to
>> use home address option */
>>
>> So where is the xfrm policy for BUs with home flag set ? Or isn't that
>> policy needed for the HA?
>>
>> Just trying to understand things...
>
> Can you post your kernel and umip config, please? Better asking even if
> it does not make much sense considering what you report: you do not have
> any firewall rules on the box?
>
>> Would it be a good or bad idea to cross-post this to usagi-users?
>
> Yep. Do not hesitate.
>
> Cheers,
>
> a+
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config-2.6.29
Type: application/octet-stream
Size: 56455 bytes
Desc: not available
Url : http://ml.nautilus6.org/pipermail/support/attachments/20090325/b48986ad/attachment-0001.obj