It appears the IPsec policy, spdadd -n 2620:10e:6024:a0::b1 2620:10e:6026:d0::/64 icmp6 -P out ipsec ah/transport//use; doesn't set the AH with traceroute6 -I. ping6 to the same host does. e.g. traceroute6 -I 14:55:30.524981 IP6 2620:10e:6024:a0::b1 > 2620:10e:6026:d0::5e40: ICMP6, echo request, seq 5, length 16 ping6 15:03:40.086329 IP6 2620:10e:6024:a0::b1 > 2620:10e:6026:d0::5e40: AH(spi=0xa05e4001,seq=0x211): ICMP6, echo request, seq 0, length 16
This looks like traceroute6(8) installs IPSEC BYPASS security policy for the used socket. This is why your policy did not applied.
(In reply to Andrey V. Elsukov from comment #1) Just for reference, Linux with a similar icmp6 out transport policy does add the AH. And FreeBSD does handle the echo response with AH.
(In reply to Jason Mader from comment #2) > (In reply to Andrey V. Elsukov from comment #1) > > Just for reference, Linux with a similar icmp6 out transport policy does add > the AH. And FreeBSD does handle the echo response with AH. This is not linux or freebsd kernel specificity, this is how traceroute6 works. You can try to rebuild traceroute6 without IPSEC support, and I think it will work like you want. Index: usr.sbin/traceroute6/Makefile =================================================================== --- usr.sbin/traceroute6/Makefile (revision 312816) +++ usr.sbin/traceroute6/Makefile (working copy) @@ -22,7 +22,7 @@ SRCS= as.c traceroute6.c BINOWN= root BINMODE= 4555 -CFLAGS+= -DIPSEC -DUSE_RFC2292BIS -DHAVE_POLL +CFLAGS+= -DUSE_RFC2292BIS -DHAVE_POLL CFLAGS+= -I${.CURDIR} -I${TRACEROUTE_DISTDIR} -I. WARNS?= 3 PS. I'm not sure, but, IMHO, almost all IPSEC related code in the traceroute6 is dead and should be removed. At least we have not implemented in our kernel all these IPV6_[ESP|AUTH]_XXX socket options, that traceroute6 tries to configure.