<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Rescued from the spam bucket. Please remember to subscribe to the mailing list before posting to it.</div><div><br></div><div><br><div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>From: </b></span><span style="font-family:'Helvetica'; font-size:medium;">Kevin Keane - The NetTech &lt;<a href="mailto:kkeane@4nettech.com">kkeane@4nettech.com</a>&gt;<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><b>Securing dual-stack IPv4-IPv6?</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica'; font-size:medium;">26 May, 2013 7:57:39 PM EDT<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a> &lt;<a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a>&gt;<br></span></div><br><br>
<meta name="Generator" content="Zarafa WebAccess v7.1.4-41394">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Securing dual-stack IPv4-IPv6?</title>
<style type="text/css">
body
{
font-family: Arial, Verdana, Sans-Serif ! important;
font-size: 12px;
padding: 5px 5px 5px 5px;
margin: 0px;
border-style: none;
background-color: #ffffff;
}
p, ul, li
{
margin-top: 0px;
margin-bottom: 0px;
}
</style>
<div><p>Hi,</p><div> <br class="webkit-block-placeholder"></div>
<p>I'm trying to figure out how to use IPsec with dual-stack IPv4/IPv6 connections. For some reason, on my system, only either IPv4 or IPv6, but not both, will have IPsec enabled.</p><div> <br class="webkit-block-placeholder"></div>
<p>This is on CentOS 6.4, openswan-2.6.32-20.el6_4.x86_64.</p><div> <br class="webkit-block-placeholder"></div>
<p>I'm using transport mode.</p><div> <br class="webkit-block-placeholder"></div>
<p>One clue I have is that the remote side says that it can't install the eroute for IPv6 because it is already in use for IPv4:</p>
<pre>May 26 16:15:19 remote pluto[15412]: "myfqdn-6": cannot install eroute -- it is in use for "myfqdn-4" #0</pre>
<p>(I think it is random chance whether the error occurs for the IPv6 or IPv4 connection).</p><div> <br class="webkit-block-placeholder"></div>
<p>I am using the following ipsec.conf:</p>
<pre>version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24
    oe=off

conn %default
    type=transport
    authby=rsasig
    rightrsasigkey=%cert
    rightid=%fromcert

    left=myfqdn
    leftid=%fromcert
    leftcert=myfqdn

    pfs=yes
    aggrmode=no
    ike=3des-sha1-modp1536
    phase2=esp
    phase2alg=3des-sha1
    auto=start

conn otherfqdn-4
    connaddrfamily=ipv4
    right=otherfqdn
    rightcert=otherfqdn

conn otherfqdn-6
    connaddrfamily=ipv6
    right=otherfqdn
    rightcert=otherfqdn
</pre>
</div>
<br><br></div></div><br></body></html>