[support] IKEv2 with strongswan
dfg dfg
abxccd at msn.com
Tue Feb 9 11:09:29 JST 2010
Hi Panos,
Initially, I followed Sebastien's guide to implement IKEv2 using racoon2. The problem is that the Linux kernel needs to be patched to support a SADB packet extension. This extension has been removed from the drafts due to certain limitations. The patch available is for the 2.6.22 kernel. Since 2.6.28, KMADDRESS and migrate2 have been part of the Linux kernel. This is the implementation that is the latest, and recommended for us.
Unfortunately, racoon2 does not support migrate and kmaddress yet. However, strongswan supports migrate2 and kmaddress, which we can then use as an IKEv2 daemon with umip on the latest linux kernel.
Hope that helps :)
If you happen to go down the strongswan route, please let me know if you can get it working.
Cheers :)
----------------------------------------
> From: panos at comp.lancs.ac.uk
> To: abxccd at msn.com
> Subject: RE: [support] IKEv2 with strongswan
> Date: Mon, 8 Feb 2010 10:28:19 +0000
>
> Hello,
>
> Here is a guide for dynamic keying for MIPv6 using racoon2 and mip6d
> from Sebastien Decugis.
>
> http://www.nautilus6.org/doc/dk-howto/Howto_dynamic_keying.html
>
> May I ask why you use strongswan? I am also working with ipsec and
> ikev2 but I don't exactly know whether using strongswan would help or not..
> Can you share you experience with it?
>
>
> Cheers,
> Panos
>
>
>
>
>> -----Original Message-----
>> From: support-bounces at jules.nautilus6.org [mailto:support-bounces at jules.nautilus6.org] On Behalf Of dfg dfg
>> Sent: Monday, February 08, 2010 00:37
>> To: support at jules.nautilus6.org
>> Subject: [support] IKEv2 with strongswan
>>
>>
>> Hi everyone,
>>
>> Does anyone have a quick guide to setting up IKEv2 using the umip daemon and strongswan?
>>
>> I have downloaded the latest git source from http://www.umip.org as well as patched it with the latest patches from the git repository from that site. The migrate2 patch was applied successfully.
>>
>> However, I attempted to implement ipsec by following http://wiki.strongswan.org/wiki/strongswan/MobileIPv6.
>>
>> I was able to compile and run umip successfully without ipsec. Binding updates would work successfully. However, it seems that I keep getting this error:
>> installing trap failed, local address unknown
>>
>> I think this is because ip6tnl1 appears only after strongswan has started. I have tried starting umip before strongswan, but that did not work either. I have heard that the timing of starting umip and strongswan is quite tricky. What I have done is that in my startup script, I start strongswan first, then umip next, assuming that the daemons will be started quicker in succession than manually. This did not work though.
>>
>> I have attached my strongswan log below:
>>
>> 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.5)
>> 01[KNL] listening on interfaces:
>> 01[KNL] eth0
>> 01[KNL] fe80::a00:27ff:fe09:269a
>> 01[KNL] eth1
>> 01[KNL] fe80::a00:27ff:fe77:7cd
>> 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>> 01[CFG] loaded ca certificate "C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=Mobile IPv6 CA, E=ca at mobileipv6-testbench.com" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
>> 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>> 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>> 01[CFG] loading crls from '/etc/ipsec.d/crls'
>> 01[CFG] loaded crl from '/etc/ipsec.d/crls/strongswan.crl'
>> 01[CFG] loading secrets from '/etc/ipsec.secrets'
>> 01[CFG] loaded RSA private key from '/etc/ipsec.d/private/mobilenodeKey.pem'
>> 01[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve
>> 01[JOB] spawning 16 worker threads
>> 05[CFG] received stroke: add connection 'mh'
>> 05[CFG] left nor right host is our side, assuming left=local
>> 05[CFG] loaded certificate "C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=mobilenode, E=mobilenode at mobileipv6-testbench.com" from 'mobilenodeCert.pem'
>> 05[CFG] added configuration 'mh'
>> 05[CFG] received stroke: route 'mh'
>> 05[CFG] installing trap failed, local address unknown
>> 05[CFG] received stroke: add connection 'tunnel'
>> 05[CFG] left nor right host is our side, assuming left=local
>> 05[CFG] loaded certificate "C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=mobilenode, E=mobilenode at mobileipv6-testbench.com" from 'mobilenodeCert.pem'
>> 05[CFG] added child to existing configuration 'mh'
>> 05[CFG] received stroke: route 'tunnel'
>> 05[CFG] installing trap failed, local address unknown
>> 04[KNL] interface ip6tnl1 activated
>> 04[KNL] fe80::a00:27ff:fe09:269a appeared on ip6tnl1
>> 04[KNL] 2001:a:b::1 appeared on ip6tnl1
>> 04[KNL] interface ip6tnl1 deactivated
>> 04[KNL] 2001:a:b::1 disappeared from ip6tnl1
>> 04[KNL] fe80::a00:27ff:fe09:269a disappeared from ip6tnl1
>> 01[DMN] signal of type SIGINT received. Shutting down
>>
>> Any help appreciated :)
>> _______________________________________________
>> Support mailing list
>> Support at ml.nautilus6.org
>> http://ml.nautilus6.org/mailman/listinfo/support
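The charon log quoted in the original question can be checked mechanically for the ordering the poster suspected: whether both "installing trap failed" messages were logged before any address appeared on ip6tnl1. The following is an added example written for this page, not code from the thread, from strongSwan or from umip. SAMPLE_LOG is an abridged copy of the pasted charon output, deliberately kept with the two lines the mail ran together and the wrapped continuation line, so the parser has to recover entry boundaries itself; the interface name ip6tnl1 and the connection names mh and tunnel are taken from that log.

```python
"""Check the ordering of 'installing trap failed' against the tunnel
interface coming up in a strongSwan charon log.

Added example for this page; not code from the thread, strongSwan or umip.
SAMPLE_LOG is an abridged copy of the charon output pasted in the mail.
"""
import re

# Every charon entry starts with a two-digit thread id and a [SUBSYSTEM] tag.
ENTRY_START = re.compile(r"(?=\d{2}\[[A-Z]{3}\])")
ENTRY_RE = re.compile(r"(\d{2})\[([A-Z]{3})\]\s*(.*)", re.DOTALL)

ROUTE_RE = re.compile(r"received stroke: route '([^']+)'")
ADDR_UP_RE = re.compile(r"^(\S+) appeared on (\S+)$")
IFACE_RE = re.compile(r"^interface (\S+) (activated|deactivated)$")
TRAP_FAILED = "installing trap failed"

# Abridged copy of the log from the mail; line 3, line 9 and line 17 are
# entries the mail ran together, lines 6 and 18 are wrapped continuations.
SAMPLE_LOG = """\
01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.5)
01[KNL] listening on interfaces:
01[KNL] eth001[KNL] fe80::a00:27ff:fe09:269a01[KNL] eth1
01[KNL] fe80::a00:27ff:fe77:7cd
01[CFG] loaded RSA private key from
'/etc/ipsec.d/private/mobilenodeKey.pem'
01[JOB] spawning 16 worker threads
05[CFG] received stroke: add connection 'mh'
05[CFG] added configuration 'mh'05[CFG] received stroke: route 'mh'05[CFG]
installing trap failed, local address unknown
05[CFG] received stroke: add connection 'tunnel'
05[CFG] added child to existing configuration 'mh'
05[CFG] received stroke: route 'tunnel'
05[CFG] installing trap failed, local address unknown
04[KNL] interface ip6tnl1 activated
04[KNL] fe80::a00:27ff:fe09:269a appeared on ip6tnl1
04[KNL] 2001:a:b::1 appeared on ip6tnl104[KNL] interface ip6tnl1
deactivated
04[KNL] 2001:a:b::1 disappeared from ip6tnl1
04[KNL] fe80::a00:27ff:fe09:269a disappeared from ip6tnl1
01[DMN] signal of type SIGINT received. Shutting down
"""


def parse_entries(text):
    """Split raw charon output into (thread, subsystem, message) tuples.

    Splitting on the start-of-entry pattern rather than on newlines handles
    both entries concatenated onto one line and messages wrapped across
    several lines.
    """
    entries = []
    for chunk in ENTRY_START.split(text):
        m = ENTRY_RE.match(chunk)
        if not m:
            continue  # leading empty chunk or stray text
        thread, subsystem, message = m.groups()
        entries.append((int(thread), subsystem, " ".join(message.split())))
    return entries


def analyze(text, tunnel_iface="ip6tnl1"):
    """Locate trap-install failures and the tunnel interface's life cycle.

    Each failure is attributed to the connection named in the most recent
    'route' stroke, which is how charon reports it in this log.
    """
    entries = parse_entries(text)
    failures = []       # (entry index, connection name)
    tunnel_events = []  # (entry index, description)
    first_addr = None   # index of the first address seen on the tunnel
    last_routed = None
    for i, (_thread, _sub, msg) in enumerate(entries):
        m = ROUTE_RE.search(msg)
        if m:
            last_routed = m.group(1)
            continue
        if msg.startswith(TRAP_FAILED):
            failures.append((i, last_routed))
            continue
        m = ADDR_UP_RE.match(msg)
        if m and m.group(2) == tunnel_iface:
            tunnel_events.append((i, "address %s on %s" % m.groups()))
            if first_addr is None:
                first_addr = i
            continue
        m = IFACE_RE.match(msg)
        if m and m.group(1) == tunnel_iface:
            tunnel_events.append((i, "%s %s" % m.groups()))
    return {
        "entries": len(entries),
        "trap_failures": failures,
        "tunnel_events": tunnel_events,
        "first_tunnel_address_entry": first_addr,
        # True when every failure was logged before the tunnel had any
        # address, i.e. the ordering the poster suspected.
        "failures_precede_tunnel_address": bool(failures)
        and all(first_addr is None or i < first_addr for i, _ in failures),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for idx, conn in result["trap_failures"]:
        print("entry %d: trap install failed for connection %r" % (idx, conn))
    for idx, what in result["tunnel_events"]:
        print("entry %d: %s" % (idx, what))
    print("failures precede tunnel address:",
          result["failures_precede_tunnel_address"])
```

On the sample the two failures (for mh and tunnel) are entries 11 and 15, while the first address on ip6tnl1 is entry 17, so the check confirms that charon tried to route both connections before the tunnel interface had a local address. The script only establishes the ordering from the log; it does not by itself resolve the startup race between umip and strongswan that the thread discusses.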