From: Mick <mic...@gm...> - 2018-10-07 11:16:21
From 'man racoon':

    -d    Increase the debug level. Multiple -d arguments will increase the debug
          level even more.

You'll need to add this option in whatever script your distro is using to
start racoon, if the logs are not verbose enough. Please note, this will only
increase the log verbosity of the racoon application, not any kernel logs.

If your IPv6 stack is working fine without IPSec, i.e. you can ping remote
peers, then check the IPSec specific modules are available and loaded. I
think you will need most of these:

    CONFIG_INET6_AH=y
    CONFIG_INET6_ESP=y
    CONFIG_INET6_IPCOMP=y
    CONFIG_INET6_XFRM_TUNNEL=y
    CONFIG_INET6_TUNNEL=y
    CONFIG_INET6_XFRM_MODE_TRANSPORT=y
    CONFIG_INET6_XFRM_MODE_TUNNEL=y
    CONFIG_INET6_XFRM_MODE_BEET=y

Also, if you are running a firewall you will probably need to enable IPv6
netfilter configuration modules. However, I would first check everything is
working without a firewall enabled and then configure the firewall as the last
step.

Hope this helps.

On Sunday, 7 October 2018 03:21:42 BST kalyani kaniganti wrote:
> Hi,
>
> As per your below statement, could you please share the procedure to test
> it?
>
> Check your kernel config has CONFIG_INET6_* options suitable for IPSEC
> enabled.
>
> I am unable to find errors in logs; racoon is not stating any errors.
>
> BR,
> Kalyani.k
>
>
> On Sat, Oct 6, 2018, 11:49 PM kalyani kaniganti <kal...@gm...> wrote:
> > Hi,
> > Thanks for the information.
> > I have found out some of the kernel modules are not loaded in kernel for
> > ipv6:
> > esp6.ko, ah6.ko and transport mode module. I loaded the modules using
> > modprobe and I can see these modules using lsmod now.
> > But the issue still exists. Do you have any idea what modules are required
> > for IPsec to enable ipv6 in kernel?
> >
> > We have already tested for IPV4, it's working fine, but the same is not
> > working for ipv6.
> > How can we check logs in debug mode? Please suggest.
> > BR,
> > Kalyani.k
> >
> > On Sat, Oct 6, 2018, 10:40 PM Mick <mic...@gm...> wrote:
> >> Hi kalyani,
> >>
> >> Check your kernel config has CONFIG_INET6_* options suitable for IPSEC
> >> enabled. If some kernel module is necessary for IPv6 setkey/racoon will
> >> complain when you run/start it, so check your logs for any relevant
> >> messages.
> >>
> >> To troubleshoot this problem take one step at a time. First check your
> >> IPv4 network, routing and IPSec all work without errors. Then check your
> >> IPv6 stack is working and you can ping remote peers. Then check your logs
> >> for error messages when you try to initiate an ESP/AH connection with
> >> racoon. Increase verbosity and study the logs to debug the problem.
> >>
> >> On Saturday, 6 October 2018 15:28:56 BST kalyani kaniganti wrote:
> >> > Hi,
> >> > We are using ipsectools rpm version ipsec-tools-0.7.3_1.38.3.1 from
> >> > sles 11 sp4 kernel.
> >> > We are using racoon as daemon.
> >> > We are using dual stack on os and trying to enable IPsec for IPV6 as
> >> > well, and we have already provided support for IPV4.
> >> > I have done configuration same as ipv4 but I find IPSEC-SA is not
> >> > initiating phase 1 authentication.
> >> > May I know if we have to enable any other option on kernel to support
> >> > IPsec for ipv6? We are trying to use ESP and AH protocols.
> >> >
> >> > Please suggest us
> >> > BR,
> >> > Kalyani.k
> >>
> >> --
> >> Regards,
> >> Mick
--
Regards,
Mick
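
One way to run the kernel-config check discussed in this thread, as an added example that is not part of the original messages. The function names and the sample config are constructed for illustration; the option list is the one given in the reply above.

```shell
#!/bin/sh
# Added example: options named in the reply; =y is built in, =m is a module.
IPSEC6_OPTS="CONFIG_INET6_AH CONFIG_INET6_ESP CONFIG_INET6_IPCOMP
CONFIG_INET6_XFRM_TUNNEL CONFIG_INET6_TUNNEL CONFIG_INET6_XFRM_MODE_TRANSPORT
CONFIG_INET6_XFRM_MODE_TUNNEL CONFIG_INET6_XFRM_MODE_BEET"

# opt_state FILE OPTION: prints builtin, module or missing (hypothetical helper)
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    case "$val" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo missing ;;  # absent, or "# CONFIG_... is not set"
    esac
}

# missing_opts FILE: prints each listed option that is neither =y nor =m
missing_opts() {
    for opt in $IPSEC6_OPTS; do
        if [ "$(opt_state "$1" "$opt")" = missing ]; then echo "$opt"; fi
    done
}

# report FILE: one status line per option
report() {
    for opt in $IPSEC6_OPTS; do
        printf '%-34s %s\n' "$opt" "$(opt_state "$1" "$opt")"
    done
}

# Constructed sample kernel config, not taken from a real host.
sample_config() {
    cat <<'EOF'
CONFIG_IPV6=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
# CONFIG_INET6_IPCOMP is not set
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=y
CONFIG_INET6_XFRM_MODE_TUNNEL=m
EOF
}

# On a real host use /boot/config-$(uname -r) or the output of `zcat /proc/config.gz`.
cfg=$(mktemp)
sample_config > "$cfg"
report "$cfg"
echo "not enabled: $(missing_opts "$cfg" | tr '\n' ' ')"
rm -f "$cfg"
```

An option reported as `module` is only available once the module is loaded, which is what the `modprobe` and `lsmod` steps mentioned in the thread confirm.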