I can't get racoon to listen on an IPv6 address. I've tried changing /etc/conf.d/racoon to set RACOON_OPTS="-6 -l /var/log/racoon.log" and this seems to have no effect. The /var/log/racoon.log file contains the following lines:

2014-07-29 09:20:51: DEBUG: Netlink: address 127.0.0.0 added
2014-07-29 09:20:51: DEBUG: Netlink: address 127.0.0.1 added
2014-07-29 09:20:51: DEBUG: Netlink: address 192.168.1.6 added
2014-07-29 09:20:51: INFO: 192.168.1.6[500] used as isakmp port (fd=7)
2014-07-29 09:20:51: DEBUG: Netlink: address fe80::212:79ff:fed7:e5f9%eth0 added

I've also edited /etc/racoon/racoon.conf to have the following section:

listen {
    isakmp fd19:3c36:9d0c:123::6 [500];
}

This results in the following lines in /var/log/racoon.log:

2014-07-29 09:19:24: DEBUG: Netlink: address 127.0.0.0 added
2014-07-29 09:19:24: DEBUG: Netlink: address 127.0.0.1 added
2014-07-29 09:19:24: DEBUG: Netlink: address 192.168.1.6 added
2014-07-29 09:19:24: DEBUG: Netlink: address fe80::212:79ff:fed7:e5f9%eth0 added

Searching the file for 'isakmp' finds nothing, and 'netstat -ln' confirms nothing listening on any udp/500 port.

USE="ipv6 pam readline -hybrid -idea -kerberos -ldap -nat -rc5 -selinux -stats"

Can anyone help with this?
Try:

listen {
    isakmp fd19:3c36:9d0c:123::6 [500];
    strict_address;
}
Thanks Anthony. That seems to do it. I'm trying to get a separate server updated that's IPv6 only, to test the actual connection, but this at least shows up with netstat and an nmap scan.
(In reply to Chris Frederick from comment #2)
> Thanks Anthony
>
> That seems to do it. I'm trying to get a separate server updated that's
> ipv6 only, to test the actual connection, but this at least shows up with
> netstat and a nmap scan.

I know when you're having a problem that it's hard to tell if you have a bug or just a support question. This would have been better in the forums because that's where people search for howtos and gotchas, but of course, I can say that with 20/20 hindsight! Anyhow, I'm glad it's working.
Created attachment 382286 [details, diff]
ipsec-tools-0.8.2-racoon-listen-on-ipv6.patch

I was actually treating it as a bug, and looking into why Netlink was only returning link-local addresses, and why those were not being caught by the configuration for listening isakmp. I got as far as a patch that got the listening to work, but haven't had a chance to test it with a remote system yet. I'm adding it here just as an archive. Maybe upstream can take a look.

The two areas I had a problem with were that link-local addresses were the only ones listening. This didn't make any sense to me. It would effectively limit IKE on default configs to local subnets only. The second was the scope id checking of the address. While needed for link-local addresses to identify what interface it's for, global unicast addresses should be just fine being handled by the routing table, and treated no differently than IPv4.
Okay maybe this is not the desired behavior in which case it is a bug. Have you posted the patch upstream yet?
I don't know where to add a bug there. Their site is outdated and hard to navigate. I did add a bug to their sourceforge project that links back to here.

https://sourceforge.net/p/ipsec-tools/bugs/87/

Hopefully that will get seen and addressed there.
(In reply to Chris Frederick from comment #6)
> I don't know where to add a bug there. Their site is outdated and hard to
> navigate. I did add a bug to their sourceforge project that links back to
> here.
>
> https://sourceforge.net/p/ipsec-tools/bugs/87/
>
> Hopefully that will get seen and addressed there.

Subscribe to the lists:

http://sourceforge.net/p/ipsec-tools/mailman/

They'll want to discuss the patch.
(In reply to Anthony Basile from comment #7)
> (In reply to Chris Frederick from comment #6)
> > I don't know where to add a bug there. Their site is outdated and hard to
> > navigate. I did add a bug to their sourceforge project that links back to
> > here.
> >
> > https://sourceforge.net/p/ipsec-tools/bugs/87/
> >
> > Hopefully that will get seen and addressed there.
>
> Subscribe to the lists:
>
> http://sourceforge.net/p/ipsec-tools/mailman/
>
> They'll want to discuss the patch.

Ping. Did this go anywhere?
Sorry, no. I subscribed to the devel list, but got pulled off the project for a while before I got the message out. I'll send a message out this week for a response from them.
If you use strict_address; alone in the listen directive, racoon crashes with a segmentation fault:

kernel: racoon[30807]: segfault at 0 ip 0808383a sp bffdf890 error 4 in racoon[8048000+84000]

A configuration hint message would be better than a segmentation fault, because as described in the manpage of racoon.conf, "This statement will be ignored if you do not specify address definitions." strict_address should be ignored.

I had the same issue as the bug reporter. On IPv6, racoon listens by default only on the unroutable unicast address.
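As an added check (not code from this report, the patch, or ipsec-tools): the script below parses racoon.log lines in the format quoted in the original report and flags the condition comment #11 describes, a routable IPv6 address present on the host with no isakmp listener while only the link-local address is bound on udp/500. The sample log is constructed from the report's lines plus two added entries (the fd19: ULA and a link-local listener) to exercise that case.

```python
import ipaddress
import re

# Constructed sample modelled on the racoon.log lines quoted in the report;
# the last two lines are added to show a routable ULA that racoon never binds.
SAMPLE_LOG = """\
2014-07-29 09:20:51: DEBUG: Netlink: address 127.0.0.1 added
2014-07-29 09:20:51: DEBUG: Netlink: address 192.168.1.6 added
2014-07-29 09:20:51: INFO: 192.168.1.6[500] used as isakmp port (fd=7)
2014-07-29 09:20:51: DEBUG: Netlink: address fe80::212:79ff:fed7:e5f9%eth0 added
2014-07-29 09:20:51: DEBUG: Netlink: address fd19:3c36:9d0c:123::6 added
2014-07-29 09:20:51: INFO: fe80::212:79ff:fed7:e5f9%eth0[500] used as isakmp port (fd=8)
"""

NETLINK_RE = re.compile(r"Netlink: address (?P<addr>\S+) added")
ISAKMP_RE = re.compile(r"INFO: (?P<addr>[^\s\[]+)\[(?P<port>\d+)\] used as isakmp port")


def classify(addr: str) -> str:
    """Bucket an address as ipv4, ipv6-link-local, ipv6-routable or ipv6-other."""
    bare = addr.partition("%")[0]          # drop the %eth0 scope id before parsing
    ip = ipaddress.ip_address(bare)
    if ip.version == 4:
        return "ipv4"
    if ip.is_link_local:
        return "ipv6-link-local"
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        return "ipv6-other"
    return "ipv6-routable"                 # global unicast or a ULA such as fd19:...


def audit(log_text: str) -> dict:
    """Compare addresses the kernel reported with those racoon bound on udp/500."""
    present, listening = set(), set()
    for line in log_text.splitlines():
        m = NETLINK_RE.search(line)
        if m:
            present.add(m.group("addr"))
        m = ISAKMP_RE.search(line)
        if m and m.group("port") == "500":
            listening.add(m.group("addr"))
    v6_kinds = {classify(a) for a in listening if classify(a).startswith("ipv6")}
    return {
        "listening": listening,
        # routable IPv6 addresses on the host that have no isakmp listener
        "missing_routable_v6": sorted(a for a in present - listening
                                      if classify(a) == "ipv6-routable"),
        # True when the only IPv6 listeners are link-local, as comment #11 describes
        "only_link_local_v6": bool(v6_kinds) and v6_kinds == {"ipv6-link-local"},
    }
```

Run it against a real /var/log/racoon.log to confirm a listen block with strict_address actually produced a "used as isakmp port" line for the intended address.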
This package is masked for removal in 30 days.