I'm tracking this down and I *think* I found it. I think it's not really an IPsec issue. Something changed between 2.6.x and 3.x regarding the handling of multicast packets. If I call "iperf -s -u -V -B ff0e::1" and those join ff0e::1, things start to work.
Regards
joerg

> -----Original Message-----
> From: Ilan Tayari [mailto:[email protected]]
> Sent: Thursday, 21 July 2016 16:41
> To: Pommnitz Jörg; Shanker Wang
> Cc: [email protected]
> Subject: RE: IPv6 IPSec incompatibilities between 2.6.23 and 3.6.18/4.6.4
>
> > Node 1: fd01:1b10:1000::1 is running 4.6.4
> > 14:21:50.737092 IP6 fd01:1b10:1000::3 > ff0e::1:
> > ESP(spi=0x00000001,seq=0x100), length 136
> > 14:21:51.737155 IP6 fd01:1b10:1000::3 > ff0e::1:
> > ESP(spi=0x00000001,seq=0x101), length 136
> ...
> > ip -s xfrm state
> > src fd01:1b10:1000::1 dst ff0e::1
> > proto esp spi 0x00000001(1) reqid 0(0x00000000) mode tunnel
> ...
> > add 2016-07-21 14:18:08 use -
> ...
> > dir out ...
> ...
> > add 2016-07-21 14:18:08 use -
> ...
> > dir fwd ...
> > add 2016-07-21 14:18:08 use -
> ...
> > dir in ...
> > add 2016-07-21 14:18:08 use -
>
> Hi Joerg,
>
> See the "use -" instead of a date/time of last usage (like in your output
> from 2.6). Packets are received, but nothing is matched to your xfrm states
> and policies.
>
> Are you sure this is the full output of "ip -s xfrm policy"? I feel like
> something is missing.
>
> At first glance I'd say it looks like src+dst doesn't match the packets.
> Packet source-ip is ::3, while xfrm-state source ip matches ::1
>
> Ilan.

________________________________
Industrieanlagen-Betriebsgesellschaft mbH
Registered office: Ottobrunn, Registration court: Amtsgericht München, HRB 5499
Management: Prof. Dr.-Ing. Rudolf F. Schwarz
Chairman of the Supervisory Board: RA Engelbert Kupka MdL a.D.
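
The check Ilan describes in the quoted reply (a state still showing "use -" while ESP packets for its SPI arrive, and the packet source differing from the state's src), written out as an added example that is not part of the original thread. The sample text is constructed from the lines quoted above plus one invented second state for contrast; the function names are hypothetical.

```python
import re
from ipaddress import ip_address

# Constructed sample: first state uses the lines quoted in the thread,
# the second state (with a "use" timestamp) is invented for contrast.
XFRM_STATE = """\
src fd01:1b10:1000::1 dst ff0e::1
    proto esp spi 0x00000001(1) reqid 0(0x00000000) mode tunnel
      add 2016-07-21 14:18:08 use -
src fd01:1b10:1000::2 dst fd01:1b10:1000::1
    proto esp spi 0x00000002(2) reqid 0(0x00000000) mode tunnel
      add 2016-07-21 14:18:08 use 2016-07-21 14:20:01
"""
TCPDUMP = """\
14:21:50.737092 IP6 fd01:1b10:1000::3 > ff0e::1: ESP(spi=0x00000001,seq=0x100), length 136
14:21:51.737155 IP6 fd01:1b10:1000::3 > ff0e::1: ESP(spi=0x00000001,seq=0x101), length 136
"""

def parse_states(text):
    """Return one dict per SA: src, dst, spi, used (False when 'use -')."""
    states = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "src" and tok[2] == "dst":
            states.append({"src": ip_address(tok[1]), "dst": ip_address(tok[3]),
                           "spi": None, "used": None})
        elif states and "spi" in tok:
            # "0x00000001(1)" -> 1
            states[-1]["spi"] = int(tok[tok.index("spi") + 1].split("(")[0], 16)
        elif states and tok[:1] == ["add"] and "use" in tok:
            states[-1]["used"] = tok[tok.index("use") + 1] != "-"
    return states

PKT = re.compile(r"IP6 (\S+) > (\S+): ESP\(spi=(0x[0-9a-fA-F]+),seq=")

def diagnose(states, capture):
    """For each distinct captured ESP flow, report the SA with the same dst and SPI."""
    findings = set()
    for m in PKT.finditer(capture):
        src, dst, spi = ip_address(m[1]), ip_address(m[2]), int(m[3], 16)
        for sa in states:
            if sa["dst"] == dst and sa["spi"] == spi:
                findings.add((str(src), str(sa["src"]), src == sa["src"], sa["used"]))
    return sorted(findings)

if __name__ == "__main__":
    for pkt_src, sa_src, src_ok, used in diagnose(parse_states(XFRM_STATE), TCPDUMP):
        print(f"packet src {pkt_src} vs state src {sa_src}: "
              f"src match={src_ok}, state ever used={used}")
```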
