Update: Since Linux kernel version 2.6.27 (Ubuntu) I'm unable to run IPv6 over my IPSEC tunnel. So far I've worked around the problem by simply staying with the old kernel version (2.6.25) on that system, but that road has come to an end, and I'm still having problems even with the latest and greatest of Ubuntu Linux kernels (2.6.38). I currently have both a working gateway (2.6.25) and a non-working gateway (2.6.38) running with different IPv6 networks behind them, both connected to the same "far end" with 2.6.25.
- the same system which is working with 2.6.25 is non-working with 2.6.27
- IPv4 is working as expected with all kernel versions tried
- an IPv6 packet from a network behind a non-working IPSEC gateway is finding its way out, the response is sent back to the gateway but is never decrypted and sent out on the local network (everything is silent)
- the "ip xfrm policy" looks the same on a working and non-working system, but on the non-working host the output gets ordered according to the index (wow, new feature.. makes me think there may be something here)

No matter what, I can't seem to be able to hit the rule which is supposed to trigger the decryption on the non-working host (can't hit any rules at all with IPv6 from the outside world, encrypting does work).

Also, on the non-working gateway there are a number of what seem to be per-socket policies:

    src ::/0 dst ::/0
        dir 3 priority 0
    src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
    ...

Dunno why they are there, seems as if they cannot be flushed or removed in any way. But they don't seem to be used either, but it is a clear difference between working/non-working.

I've also tried upgrading the "far end" to something more recent (tried 2.6.28 and 2.6.38), but that makes both parties deaf to ESP packets containing IPv6, and also compared the set of loaded kernel modules between a working and non-working, and looked at the kernel configs, but still nothing that catches my attention.

So I'm completely out of suggestions, so I'm thinking "bug", but find it quite hard to believe that the Linux kernel has been broken like this since 2008. Of course it could be an Ubuntu issue, or a severe case of RTFM from my side.

--
https://bugs.launchpad.net/bugs/391370
Title: Cannot decapsulate IPv6 from ESP since 2.6.27