Hello,

On 2004/02/25(Wed) 21:58, you wrote:

1. Host A tries to send and ICMPv6 ping echo request to host B, but
since there exists a Security Policy that requires the use of ESP/AH,
before A can send the ICMPv6 echo request, it must trigger an SA
negotiation with host B. To start this SA negotiation, host A needs to
know the link-layer address of peer host B:
        1.1 Host A sends a Neighbor solicitation message to host B
        1.2 Host B tries to send a Neigbor discovery packet, but since
        there exists a Security Policy that requires the use of ESP/AH,
        before B can send the Neighbor discovery, it triggers SA
        negotiation.

This seems to create a loop: host A triggers SA negotiation in first
place, but needs to know link-layer address of B, thus it sends a
Neighbor solicitation packet which makes host B trigger SA association.
Thus, both hosts are trying to establish an SA association, creating a
deadlock.

It is well known chicken and egg problem about IPv6 IPsec.
You can bypass ICMP packet with putting ICMP bypass policies before
your own policies.
Then you can not trigger IPsec with ICMP ECHO.

spdadd fec0::204:75ff:feab:6fcc fec0::2 ipv6-icmp -P out none;
spdadd fec0::204:75ff:feab:6fcc fec0::2 ipv6-icmp -P in none;

spdadd fec0::204:75ff:feab:6fcc fec0::2 any -P out ipsec
esp/transport//require ah/transport//require;
spdadd fec0::2 fec0::204:75ff:feab:6fcc any -P in  ipsec
esp/transport//require ah/transport//require;

--Kazunori Miyazawa