Comments on: IPSec pilot between glass and teapot http://www.felipe-alfaro.org/blog/2004/02/26/ipsec-pilot-between-glass-and-teapot/ A little bit of technology, security and networking with Linux, FreeBSD and Mac OS X, plus some personal opinions. Wed, 07 Jan 2009 14:16:12 +0000 http://wordpress.org/?v=2.7 hourly 1 By: Phil Bellino http://www.felipe-alfaro.org/blog/2004/02/26/ipsec-pilot-between-glass-and-teapot/comment-page-1/#comment-35624 Phil Bellino Tue, 15 May 2007 19:23:26 +0000 http://felipe-alfaro.org/blog/?p=50#comment-35624 Felipe, I read your excellent blog on IPsec and Racoon. I too have the IPv6 problem where : "Host B receives the Neighbor solicitation message and tries to respond to A using a unicast IPv6 packet. Since the Neighbor discovery packet is targeted at a unicast IPv6 address, it’s affected by the IPSec policy and since no SA between A and B is present, host B triggers Phase 1 of the ISAKMP protocol." I have tried the: spdadd ::/0 ::/0 icmp6 -P out none; spdadd ::/0 ::/0 icmp6 -P in none; and in my case, it did not help. My ugly workaround has been to initiate ping6 before IPsec is active, then add the SPDs and start Racoon. At this point the IPv5 IPsec works properly. My question to you is: Did you ever find a good solution to this problem or are you still using manual keyed IPsec SAs? Thanks, Phil Bellino Felipe,
I read your excellent blog on IPsec and Racoon. I too have the IPv6 problem where :
“Host B receives the Neighbor solicitation message and tries to respond to A using a unicast IPv6 packet. Since the Neighbor discovery packet is targeted at a unicast IPv6 address, it’s affected by the IPSec policy and since no SA between A and B is present, host B triggers Phase 1 of the ISAKMP protocol.”
I have tried the:
spdadd ::/0 ::/0 icmp6 -P out none;
spdadd ::/0 ::/0 icmp6 -P in none;
and in my case, it did not help.
My ugly workaround has been to initiate ping6 before IPsec is active, then add the SPDs and start Racoon. At this point the IPv5 IPsec works properly.
My question to you is:
Did you ever find a good solution to this problem or are you still using manual keyed IPsec SAs?
Thanks,
Phil Bellino

]]> By: piggy http://www.felipe-alfaro.org/blog/2004/02/26/ipsec-pilot-between-glass-and-teapot/comment-page-1/#comment-21859 piggy Tue, 31 Oct 2006 05:54:12 +0000 http://felipe-alfaro.org/blog/?p=50#comment-21859 can u drop me email? i need help on ipsec.. thanks. :-) can u drop me email? i need help on ipsec.. thanks. :-)

]]>