
(usagi-users 03927) Re: IPsec IPv4 over IPv6 Problem: No route to host



Hello.

By tracing the kernel source, I found that the following check in
net/xfrm/xfrm_policy.c is the cause.

if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
    (dst->dev && !netif_running(dst->dev)))
    return 0;

Packets can be sent to eth0 by modifying this code as below:

if (dst->dev && !netif_running(dst->dev))
    return 0;


07/08/07  Kazunori MIYAZAWA<kazunori@xxxxxxxxxxxx> wrote:
> Hi,
>
> I think you should set IPv4 routing information for
> the other gateway somehow.
>
> The IPsec process is done after routing resolution.
> I guess the gateways did not have routing information and
> returned the error.
>
> I did not use IPv4 over IPv6. I however have a similar situation,
> using IPv6 over IPv4 IPsec. In my case, I did not have IPv6
> route between two gateways. I could not configure specific routing
> information and/or default gateway of IPv6 accordingly.
>
> I configure a "sit" device to set routing information to cheat the kernel
> on routing resolution.
>
> The POINTOPOINT flag affects neighbor discovery and the kernel just sent
> packets to the device in my case.
>
> BTW, let me confirm: do you want IPv4 IPsec over IPv6 or
> IPv4 over IPv6 IPsec?
>
> Best regards,
>
> Toshiyuki Okamoto wrote:
> > I have a problem with IPsec IPv4 over IPv6, which is included in kernel 2.6.21.
> >
> > An IPv6 global address is assigned to eth1 by DHCPv6 IA-PD. In this case,
> > the IPsec SA is successfully established but packets cannot be sent to the WAN.
> >
> > When I do ping, this error occurred:
> >
> >  $ ping: sendmsg: No route to host
> >
> > Does someone know about this issue?
> >
> > The network is shown below:
> > LAN                 WAN                 LAN
> >    |------ GW-1 -------|
> >    | eth1        eth0  |
> >                        |------ GW-2 -------|
> >                        |  eth0       eth1  |
> >                                            |
> > ・GW-1
> > eth0      Link encap:Ethernet  HWaddr 00:11:43:AC:60:AF
> >           inet6 addr: fe80::211:43ff:feac:60af/64 Scope:Link
> >
> > eth1      Link encap:Ethernet  HWaddr 00:90:CC:DE:8B:EE
> >           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
> >           inet6 addr: 2001:1::290:ccff:fede:8bee/64 Scope:Global
> >           inet6 addr: fe80::290:ccff:fede:8bee/64 Scope:Link
> >
> >
> > ・GW-2
> > eth0      Link encap:Ethernet  HWaddr 00:11:43:AB:00:8A
> >           inet6 addr: fe80::211:43ff:feab:8a/64 Scope:Link
> >
> > eth1      Link encap:Ethernet  HWaddr 00:90:CC:DE:89:F7
> >           inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
> >           inet6 addr: 2001:2::290:ccff:fede:89f7/64 Scope:Global
> >           inet6 addr: fe80::290:ccff:fede:89f7/64 Scope:Link
> >
> > After the IKE daemon (racoon2) is booted on GW-1/2, I do ping from GW-1:
> >  $ ping -I 192.168.1.1 192.168.2.1
> > In this case, the IKE sequence completes successfully and the IPsec SA is registered,
> > but the ping packet isn't sent, with the error above.
> >
> > In the case where an IPv6 global address is assigned to eth0 manually,
> > the IPv4 over IPv6 packet is sent successfully.
> > ping6 between GW-1 and GW-2 is okay.
> >
> > I suspect that the IPv6 routing table is not loaded or is invalid.
> >
> > I tried assigning an IPv6 global address to eth0 manually (with a
> > prefix that differs between GW1/eth0 and GW2/eth0, with appropriate
> > routing set);
> > the IPv4 over IPv6 packet is not sent successfully.
> >
> >
>
> --
> Kazunori Miyazawa
>
>
>