<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
  <meta name="Generator" content="Zarafa WebAccess v7.1.4-41394">
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title>Securing dual-stack IPv4-IPv6?</title>
  <style type="text/css">
      body
      {
        font-family: Arial, Verdana, Sans-Serif ! important;
        font-size: 12px;
        padding: 5px 5px 5px 5px;
        margin: 0px;
        border-style: none;
        background-color: #ffffff;
      }

      p, ul, li
      {
        margin-top: 0px;
        margin-bottom: 0px;
      }
  </style>
</head>
<body>
<div><p>Hi,</p><p>&nbsp;</p><p>I&#39;m trying to figure out how to use IPsec with dual-stack IPv4/IPv6 connections. For some reason, on my system, only either IPv4 or IPv6, but not both, will have IPsec enabled.</p><p>&nbsp;</p><p>This is on CentOS 6.4, openswan-2.6.32-20.el6_4.x86_64.</p><p>&nbsp;</p><p>I&#39;m using transport mode.</p><p>&nbsp;</p><p>One clue I have is that the remote side says that it can&#39;t install the eroute for IPv6 because it is already in use for IPv4:</p><p>&nbsp;</p><pre>May 26 16:15:19 remote pluto[15412]: "myfqdn-6": cannot install eroute -- it is in use for "myfqdn-4" #0</pre><p>&nbsp;</p><p>(I think it is random chance whether the error occurs for the IPv6 or the IPv4 connection.)</p><p>&nbsp;</p><p>I am using the following ipsec.conf:</p><p>&nbsp;</p><pre>version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24
        oe=off

conn %default
        type=transport
        authby=rsasig
        rightrsasigkey=%cert
        rightid=%fromcert

        left=myfqdn
        leftid=%fromcert
        leftcert=myfqdn

        pfs=yes
        aggrmode=no
        ike=3des-sha1-modp1536
        phase2=esp
        phase2alg=3des-sha1
        auto=start

conn otherfqdn-4
  connaddrfamily=ipv4
  right=otherfqdn
  rightcert=otherfqdn

conn otherfqdn-6
  connaddrfamily=ipv6
  right=otherfqdn
  rightcert=otherfqdn
</pre></div>
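<p>Added example, not part of the mail above and not openswan code: a small Python check that parses an ipsec.conf in the layout shown, merges <code>conn %default</code> into each conn, and reports transport-mode conns that share the same left/right pair across address families, which is the pairing the quoted pluto message complains about. The function names and the embedded sample configuration are my own; the sample is constructed to mirror the post.</p>

```python
from collections import defaultdict

# Constructed sample mirroring the poster's layout (not a real file).
SAMPLE_CONF = """\
version 2.0     # conforms to second version of ipsec.conf specification

conn %default
        type=transport
        left=myfqdn
        auto=start

conn otherfqdn-4
  connaddrfamily=ipv4
  right=otherfqdn

conn otherfqdn-6
  connaddrfamily=ipv6
  right=otherfqdn
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: a section header
            parts = line.split(None, 1)
            current = parts[1].strip() if parts[0] == "conn" and len(parts) == 2 else None
            sections.setdefault(current, {})      # None collects 'config setup' keys
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    sections.pop(None, None)                      # discard non-conn sections
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}

def find_eroute_conflicts(conns):
    """List transport-mode conns that share one (left, right) endpoint pair."""
    # The quoted log shows the IPv6 conn's eroute rejected because its IPv4 twin holds it.
    groups = defaultdict(list)
    for name, opts in conns.items():
        if opts.get("type", "tunnel") == "transport":
            groups[(opts.get("left"), opts.get("right"))].append(name)
    return [
        (left, right, sorted(names),
         sorted({conns[n].get("connaddrfamily", "ipv4") for n in names}))
        for (left, right), names in groups.items() if len(names) > 1
    ]
```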
</body>
</html>