[hipl-users] Re: Unsure about correct usage of HITs and dummy0 interface

  • From: Stephen Herborn <stephen.herborn@xxxxxxxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Wed, 26 Apr 2006 23:35:12 +1000

I forgot to mention that I did try ordering the /etc/hip/hosts files for both 'oops' and 'crash' in a consistent manner so that the first line of both files corresponded to a DSA_anon HIT, 2nd line to a RSA_anon HIT and so on. This didn't eliminate the problem.

\steve

Stephen Herborn wrote:
Ok, I have isolated the problem. We have two hosts 'crash' and 'oops'. Each host has four HITs corresponding to the following:

1. HIT-dsa-anon -> generated from hip_host_dsa_anon
2. HIT-rsa-anon -> generated from hip_host_rsa_anon
3. HIT-dsa-pub -> generated from hip_host_dsa_pub
4. HIT-rsa-pub -> generated from hip_host_rsa_pub


I put the four HITs of 'crash' into the respective /etc/hip/hosts files of 'oops', and vice versa, in no particular order.

Now, when I run conntest-server on 'oops' and conntest-client-gai on 'crash', the hip daemon running on crash correctly chooses HIT-rsa-pub-crash as the src HIT and HIT-rsa-pub-oops as the destination HIT. This works and everything is fine, I can ping6 from crash to oops using HIT-rsa-pub-oops. However I cannot ping6 from oops using HIT-rsa-pub-crash as the destination unless I force it to use HIT-rsa-pub-oops as a src HIT using the '-I' option.

When I run conntest-server on 'crash' and conntest-client-gai on 'oops', the hip daemon running on oops chooses e.g. HIT-dsa-pub-oops as the src HIT and HIT-dsa-pub-crash as the destination HIT, or HIT-dsa-anon-oops as the src HIT and HIT-rsa-pub-crash as the destination. This means the connection cannot be established, I assume because the types of HIT selected for src and destination in this case do not match.

If I manually delete all the HITs from the dummy0 interface of both 'crash' and 'oops' except for HIT-rsa-pub, and also remove all but the respective HIT-rsa-pubs from /etc/hip/hosts on crash and oops, thus forcing the hipd to always choose HIT-rsa-pub as src and destination, then it seems to fix the problem [I know this is a bad hack!].

Is there any way to tell the hip daemon which HITs it should use to communicate with the HITs of other hosts, in order to avoid this mismatching? Could it be to do with the order of the entries in /etc/hip/hosts?

\Steve

Miika Komu wrote:
....

Try also using the manual method:

hipconf add map 111f:e6e7:dbe5:2f67:5ff4:40f9:88fe:4c71 \
  2001:00a:000b:0001:0000:0000:0000:1234
ping6 -I <select_a_source_HIT> 111f:e6e7:dbe5:2f67:5ff4:40f9:88fe:4c71

The ping6 might be selecting a different source HIT than hipd. You can see this with "netstat -tan|grep 111f" and "ip xfrm policy" (or setkey -DP).

Please tell me if this helps you. There might be some changes regarding routing in the latest kernel.





