[hipl-users] Re: hipd crashes with hipconf and "This connection is insecure. Please enable HIP." problem

  • From: Miika Komu <miika.komu@xxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Tue, 02 Jun 2009 15:19:39 +0300

Sateesh Babu wrote:

Hi,

ping6 2001:001b:a9be:c6a6:34e5:8361:c07f:a990

---8<---
$> ping6 2001:001b:a9be:c6a6:34e5:8361:c07f:a990
PING 
2001:001b:a9be:c6a6:34e5:8361:c07f:a990(2001:1b:a9be:c6a6:34e5:8361:c07f:a990)
56 data bytes
^C
--- 2001:001b:a9be:c6a6:34e5:8361:c07f:a990 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10079ms
--->8---

Is the state then I1_SENT?

---8<---
$> hipconf get ha all
Sending user message 22 to HIPD on socket 3
Sent 40 bytes
Waiting to receive daemon info.
216 bytes received from HIP daemon
HA is ESTABLISHED
 Local HIT: 2001:0018:2229:4815:dd66:c380:e0c7:2a71
 Peer  HIT: 2001:001b:a9be:c6a6:34e5:8361:c07f:a990
 Local LSI: 1.0.0.1
 Peer  LSI: 1.0.0.2
 Local IP: 192.168.1.2
 Local NAT traversal UDP port: 50500
 Peer  IP: 193.167.187.134
 Peer  NAT traversal UDP port: 50500
 Peer  hostname: crossroads.infrahip.net
--->8---

Can you also copy paste output of:

tcpdump -n -i any port 50500 or proto 139 or esp

---8<---
sudo tcpdump -n -i any port 50500 or proto 139 or esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes


21:01:08.166459 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 44
21:01:08.166479 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 44

2 x I1

21:01:08.495036 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 668

R1

21:01:08.653581 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 636
21:01:08.653602 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 636

2 x I2

21:01:09.011610 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 244

R2

21:01:09.696582 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
21:01:09.696607 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116

2 x ICMPv6 echo request over ESP over UDP

21:01:09.922207 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 116

1 x ICMPv6 echo response over ESP over UDP

21:01:10.704649 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
21:01:10.704676 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
21:01:10.930596 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 116
21:01:11.713648 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
21:01:11.713673 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
21:01:11.939719 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 116
21:01:12.720534 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
21:01:12.720556 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
21:01:12.946564 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 116
21:01:13.728570 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
21:01:13.728595 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
21:01:13.954634 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 116

..

--->8---


Looks like the IPv6 interface of crossroads is disabled. I tried ping6
of crossroads.infrahip.net, but it does not work. IPv4 ping works.

No, this is not the case. Your host drops the ESP packets from the server. Either the SAs don't match or your machine is filtering ESP or ICMPv6. Please check:

* iptables -L -n
* ip6tables -L -n
* /etc/selinux/config (should be disabled!)
* ip xfrm state output
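A small classifier for the tcpdump output format shown above, added here as an example (it is not HIPL code): it labels each UDP-encapsulated datagram on port 50500 as a base-exchange message, a retransmission or ESP data by direction, and reports where in the exchange packets stop flowing. The sample lines are constructed after the thread's capture, and the local address 192.168.1.2 is taken from the hipconf output.

```python
import re

# Constructed capture lines in the format of the thread's tcpdump output
# (HIP control and ESP data both UDP-encapsulated on port 50500).
SAMPLE_CAPTURE = """\
21:01:08.166459 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 44
21:01:08.166479 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 44
21:01:08.495036 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 668
21:01:08.653581 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 636
21:01:09.011610 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 244
21:01:09.696582 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
21:01:09.922207 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 116
"""
LINE_RE = re.compile(r"^\S+ IP (\S+)\.\d+ > (\S+)\.\d+: UDP, length \d+$")
# Base exchange as seen from the initiator: I1 out, R1 in, I2 out, R2 in.
BASE_EXCHANGE = [("out", "I1"), ("in", "R1"), ("out", "I2"), ("in", "R2")]


def analyze(capture, local_ip):
    """Label each datagram (handshake message, retransmit or ESP data) and
    say what the capture implies about where packets are being lost."""
    stage, labels, esp = 0, [], {"out": 0, "in": 0}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # tcpdump banner or blank line
        direction = "out" if m.group(1) == local_ip else "in"
        if stage == len(BASE_EXCHANGE):   # handshake done: everything is ESP
            labels.append("ESP " + direction)
            esp[direction] += 1
        elif direction == BASE_EXCHANGE[stage][0]:
            labels.append(BASE_EXCHANGE[stage][1])
            stage += 1
        elif stage and direction == BASE_EXCHANGE[stage - 1][0]:
            labels.append(BASE_EXCHANGE[stage - 1][1] + " retransmit")
        else:
            labels.append("unexpected")
    if stage < len(BASE_EXCHANGE):
        verdict = "handshake stalled waiting for " + BASE_EXCHANGE[stage][1]
    elif esp["in"] == 0:
        verdict = "no ESP replies from peer: check the peer or the path"
    else:
        verdict = ("ESP replies reach this host; if ping6 still reports loss "
                   "they are dropped locally (SA mismatch or ESP/ICMPv6 filter)")
    return {"labels": labels, "esp": esp, "verdict": verdict}


if __name__ == "__main__":
    print(analyze(SAMPLE_CAPTURE, "192.168.1.2"))
```

For the thread's capture the verdict is the third one: the server's ESP datagrams are visible on the wire, so the loss ping6 reports happens after the packet reaches the host.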
