In IPv4 this works. In IPv6 things work w/o IPsec. With IPsec, there are
no security association setups established and attempts to communicate
between hosts defined by policy to require IPsec do not work. Running
the racoon daemon in the foreground shows a DEBUG message that indicates
a problem:

2007-07-25 16:30:09: DEBUG: ignore because do not listen on source address : fe80::203:47ff:fea4:4aa3.

This comes from a loop that checks the address to be used against one that
is being listened on. If the address is not one listened on, then it is
not usable in making the security association (or so implied by the code
comments).

Actually it is listening on the source address. So I modified the source
code to add new diagnostics that dump out more detail about what is being
compared when this test is taking place:

2007-07-25 16:30:09: DEBUG: get pfkey ACQUIRE message
2007-07-25 16:30:09: DEBUG: compare 00000002 (sa_family)
to 0000000a (sa_family)
2007-07-25 16:30:09: DEBUG: compare 00000002 (sa_family)
to 0000000a (sa_family)
2007-07-25 16:30:09: DEBUG: compare 0000000a (sa_family)
to 0000000a (sa_family)
2007-07-25 16:30:09: DEBUG: compare 0000:0000:0000:0000:0000:0000:0000:0001 (sin6_addr)
to fe80:0000:0000:0000:0203:47ff:fea4:4aa3 (sin6_addr)
2007-07-25 16:30:09: DEBUG: compare 0000000a (sa_family)
to 0000000a (sa_family)
2007-07-25 16:30:09: DEBUG: compare fe80:0000:0000:0000:0203:47ff:fea4:4aa3 (sin6_addr)
to fe80:0000:0000:0000:0203:47ff:fea4:4aa3 (sin6_addr)
2007-07-25 16:30:09: DEBUG: compare 00000003 (sin6_scope_id)
to 00000000 (sin6_scope_id)
2007-07-25 16:30:09: DEBUG: ignore because do not listen on source address : fe80::203:47ff:fea4:4aa3.

All the compare messages (2 lines each) are what I added with new C code.

The first 2 compare fails are because it was testing the 2 IPv4 addresses
in the list (IPsec works over IPv4 when I use that). Compares 3 and 4 are
a fail because the address mismatches (this was the "lo" entry for IPv6).
Compares 5 and 6 and 7 are the issue. The first 2 of these match the
address family and address OK. It's the scope id that mismatches.

Is the scope ID really relevant here?

Is the scope ID really correct?

Is the kernel supposed to supply this to the racoon daemon?

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-07-25-1409@ipal.net |
|------------------------------------/-------------------------------------|
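As an added illustration (not from the post above and not racoon's own code), the last three compares in the log rebuilt as a stand-alone C program: the listener address fe80::203:47ff:fea4:4aa3 with scope id 3 is checked against the ACQUIRE source carrying scope id 0, once with a strict compare that reproduces the logged rejection and once with a compare that treats a zero scope id on a link-local address as unspecified. The function names, the scope id values and the 2001:db8:: sample address are my own constructed assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Build a sockaddr_in6 from text. scope_id stands in for what the listening
 * socket or the PF_KEY ACQUIRE message carried (constructed values). */
static int make_in6(struct sockaddr_in6 *sa, const char *text, uint32_t scope_id)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin6_family = AF_INET6;
    sa->sin6_scope_id = scope_id;
    return inet_pton(AF_INET6, text, &sa->sin6_addr) == 1 ? 0 : -1;
}

/* Strict compare: family, address and scope id must all match. This is the
 * outcome the log shows: same fe80:: address, scope 3 vs 0, rejected. */
int in6_equal_strict(const struct sockaddr_in6 *a, const struct sockaddr_in6 *b)
{
    return a->sin6_family == b->sin6_family
        && memcmp(&a->sin6_addr, &b->sin6_addr, sizeof(a->sin6_addr)) == 0
        && a->sin6_scope_id == b->sin6_scope_id;
}

/* Scope-aware compare: the scope id only disambiguates link-local (fe80::/10)
 * addresses, and a scope id of 0 means "not specified", not interface 0.
 * Caveat: a zero-scope wildcard is only safe when the link-local address is
 * configured on a single interface; otherwise it could select the wrong link. */
int in6_equal_scope_aware(const struct sockaddr_in6 *a, const struct sockaddr_in6 *b)
{
    if (a->sin6_family != b->sin6_family) return 0;
    if (memcmp(&a->sin6_addr, &b->sin6_addr, sizeof(a->sin6_addr)) != 0) return 0;
    if (!IN6_IS_ADDR_LINKLOCAL(&a->sin6_addr)) return 1;
    if (a->sin6_scope_id == 0 || b->sin6_scope_id == 0) return 1;
    return a->sin6_scope_id == b->sin6_scope_id;
}

/* Replay the last three compares from the log. Returns 1 when the strict
 * compare rejects the pair and the scope-aware one accepts it, -1 on error. */
int demo_scope_mismatch(void)
{
    struct sockaddr_in6 listen_addr, acquire_src;
    if (make_in6(&listen_addr, "fe80::203:47ff:fea4:4aa3", 3) != 0) return -1;
    if (make_in6(&acquire_src, "fe80::203:47ff:fea4:4aa3", 0) != 0) return -1;
    int strict = in6_equal_strict(&listen_addr, &acquire_src);
    int relaxed = in6_equal_scope_aware(&listen_addr, &acquire_src);
    return !strict && relaxed;
}
```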