Re: ip6 tunnel, ipsec in linux 2.6.1 / 2.6.1-bk6

Hi Ville,

> That is very odd. I'm not able to replicate this. The
> ip6_tnl_add_linklocal() function in addrconf.c loops through the
> interfaces looking for a link-local address to use and should print out
> the error message if this fails. Could you put in some additional checks
> in the function to see what it does on your gateway?

ok. maybe my debug level (*.info) was too low, I added *.debug...

> Btw: did you have any IPsec policies loaded when you performed your test?
> I don't have IPsec loaded, so that might perhaps be the reason for the
> different results.

I removed them for the new test.

now I can ping using the link local ips, even over the tunnel.

but not over the tunnel with the global ips.
As I don't have global ip6 on that tunnel, I assigned
4000::1/64 and 4000::2/64. Is that ok, or should I use
some other range?

> ipv6tunnel add ip6sec0 remote ll_gwaddr local ll_laddr dev wlan0
> ip link set ip6sec0 up
> ip -6 a dev ip6sec0

what should that be? ls?

here is what I did on the laptop:

+ setkey -F -FP
+ ip -6 addr del 4000::1/64 dev wlan0
+ ipv6tunnel del ip6sec0
+ ipv6tunnel del ip6sec1
+ set -e
+ ip -6 addr add 4000::1/64 dev wlan0
+ ipv6tunnel add ip6sec0 remote fe80::209:5bff:fe2f:ea7e local fe80::202:ddff:fe32:6525 dev wlan0
+ ip link set ip6sec0 up
+ ip -6 addr ls dev ip6sec0
14: ip6sec0@wlan0: <POINTOPOINT,NOARP,UP> mtu 1460 
    inet6 fe80::202:ddff:fe32:6525/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global 
       valid_lft forever preferred_lft forever
+ ipv6tunnel add ip6sec1 remote 4000::2 local 4000::1 dev wlan0
+ ip link set ip6sec1 up
+ ip -6 addr ls dev ip6sec1
15: ip6sec1@wlan0: <NOARP,UP> mtu 1460 
    inet6 fe80::202:ddff:fe32:6525/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global 
       valid_lft forever preferred_lft forever

gateway:
+ setkey -F -FP
+ ip -6 addr del 4000::2/64 dev wlan0
+ ipv6tunnel del ip6sec0
+ ipv6tunnel del ip6sec1
+ set -e
+ ip -6 addr add 4000::2/64 dev wlan0
+ ipv6tunnel add ip6sec0 remote fe80::202:ddff:fe32:6525 local fe80::209:5bff:fe2f:ea7e dev wlan0
+ ip link set ip6sec0 up
+ ip -6 addr ls dev ip6sec0
15: ip6sec0@wlan0: <POINTOPOINT,NOARP,UP> mtu 1460 
    inet6 fe80::209:5bff:fe2f:ea7e/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::/128 scope global 
       valid_lft forever preferred_lft forever
+ ipv6tunnel add ip6sec1 remote 4000::1 local 4000::2 dev wlan0
+ ip link set ip6sec1 up
+ ip -6 addr ls dev ip6sec1
16: ip6sec1@wlan0: <NOARP,UP> mtu 1460 
    inet6 fe80::209:5bff:fe2f:ea7e/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::/128 scope global 
       valid_lft forever preferred_lft forever

> Now you should have ll_laddr on both ip6sec0 and ip6sec1

yes, thanks, that is working fine now.
btw: Jan 22 15:13:09 localhost kernel: ip6_tnl_add_linklocal called
i.e. the first condition succeeds (else I would get another of
my testing printks)


> Now you *should* have ll_gaddr on both ip6sec0 and ip6sec1 Now you
> *should* also be able to ping a link-local address on both ip6sec0 and
> ip6sec1.

ip6sec0 working fine, but ip6sec1 not at all:
Jan 22 15:28:31 localhost kernel: ip6sec1: Tunnel not configured to transmit traffic!

ip link ls on laptop:
14: ip6sec0@wlan0: <POINTOPOINT,NOARP,UP> mtu 1460 qdisc noqueue 
    link/tunnel6 fe:80:00:00:00:00:00:00:02:02:dd:ff:fe:32:65:25 peer fe:80:00:00:00:00:00:00:02:09:5b:ff:fe:2f:ea:7e
15: ip6sec1@wlan0: <NOARP,UP> mtu 1460 qdisc noqueue 
    link/tunnel6 40:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01 brd 40:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02

the POINTOPOINT flag missing? why?

after dozens of failures with ipsec I'm giving up on that.
I went back to a net without any ipsec (psst! don't tell anyone :-)
and everything is working, except the tunnel using global ip addresses:
ip6_tnl_add_linklocal called
ip6sec1: Tunnel not configured to transmit traffic!
ip6sec1: Tunnel not configured to transmit traffic!
ip6sec1: Tunnel not configured to transmit traffic!
ip6sec1: no IPv6 routers present

I tried again, this time used "normal" ipv6 addresses
(2002:IPv4:IPv4:5::1 and ::2), but no change at all.
Please let me know how I can help to track down this bug.

Regards, Andreas
