[Openswan Users] Openswan + IPv6

Ken Bantoft ken at xelerance.com
Wed May 12 14:10:55 CEST 2004



On Wed, 12 May 2004, Gessler Gerhard wrote:

> 
> Hi all,
> 
> let me first state that I have not done tests with IPsec for IPv6 using
> the ipsec backport for 2.4.x kernels. But I think that (as the basic
> code should be quite the same), if OpenSWAN can negotiate and install
> IPv6 SA's on 2.6.x kernels, it should also work on 2.4.x kernels. Or am
> I missing some big difference in the PF_KEY interface?

If 2.6 kernel works, then the backport should work too - it's the same 
code, just with structs / some function calls adjusted.

> Nevertheless, even if the necessary code in _confread is not there to
> support the definition of IPv6 conns in ipsec.conf, the code and logic
> is already in Pluto and Whack (since FreeSWAN 1.6).
> I am able to define, load, negotiate and install e.g. host-to-host IPv6
> SA (client net is /128) with ESP authentication using OpenSWAN 2.1.2rc5.
> IKE authentication is done via PSK, the connection is loaded manually
> into Pluto using Whack. 

Wow... this is good news.  I would like to get full IPv6 support working 
in the rest of Openswan, if you can give me some direction (I don't have 
IPv6 testbed anyways to play) we'd happily accept patches/pointers on 
where stuff needs to be changed.


> The _updown script needed some changes as it does not support the
> necessary -v6 verbs that Pluto hands over to it, but after defining
> them (doing just nothing), the Quick Mode SA gets installed
> successfully.

Can you send me your hacked up _updown so I can look at merging the 
stubs in for now?  In 2.6, _updown doesn't do much at all anyways.

> Currently I seem to have problem with doing the same with a connection
> that does AH authentication and ESP encryption. The negotiation is
> successful, but the resulting packets from the kernel are just crap.

Not sure where the issue is here, but doesn't sound like it's under 
Openswan control.


-- 
Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson



