[Openswan Users] Openswan + IPv6 [PATCH]

Mikael Magnusson mikaelmagnusson at tjohoo.se
Wed Jul 14 12:12:18 CEST 2004


On Tue, Jul 13, 2004 at 11:38:23AM +0200, zze-DURBEC Mathieu FTRD/DTL/ISS wrote:
> Hello,
> 
> I'm still trying to set up Openswan with IPv6...
> I've applied your patch (for IPv6 support) on my Openswan version but
> I've got another problem with the file parser.
> I can set up a transport mode connection but I don't know how to write the
> "leftsubnet" or "rightsubnet".
> Openswan seems only to read IPv4 masks at this stage...
> 
> Any ideas ???
> 
> Cheers 
> 
> Matt
>

Hi,

Have you specified connaddrfamily=ipv6 in your connection definition?

A sample IPv6 conn section:

conn sample-ipv6-connection
	left=2002:c0a8:0001:1::1
	leftsubnet=::/0
	right=2002:c0a8:0001:5::2
	rightsubnet=2002:c0a8:0001:5::2/128
	connaddrfamily=ipv6

Regards,
Mikael
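
An added example, not part of the original post or of Openswan: a small pre-load check that every literal address in a conn section matches connaddrfamily, the mismatch behind the question above. It assumes the simple key=value layout of the sample and that the family is ipv4 when connaddrfamily is absent; parse_conns, check_conn and check_config are hypothetical names.

```python
import ipaddress

# Constructed input: the sample conn from the post plus a copy without connaddrfamily.
SAMPLE = """\
conn sample-ipv6-connection
	left=2002:c0a8:0001:1::1
	leftsubnet=::/0
	right=2002:c0a8:0001:5::2
	rightsubnet=2002:c0a8:0001:5::2/128
	connaddrfamily=ipv6

conn missing-family
	left=2002:c0a8:0001:1::1
	leftsubnet=::/0
	right=2002:c0a8:0001:5::2
"""

ADDRESS_KEYS = ("left", "right", "leftsubnet", "rightsubnet")

def parse_conns(text):
    """Return {conn name: {key: value}} for simple 'key=value' conn sections."""
    conns, current = {}, None
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()  # drop comments and indentation
        if stripped.startswith("conn "):
            current = conns.setdefault(stripped.split(None, 1)[1], {})
        elif current is not None and "=" in stripped:
            key, value = stripped.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_conn(name, params):
    """List address values whose IP version disagrees with connaddrfamily."""
    # Assumption: the family is ipv4 when connaddrfamily is not set.
    want = 6 if params.get("connaddrfamily", "ipv4") == "ipv6" else 4
    problems = []
    for key in (k for k in ADDRESS_KEYS if k in params):
        try:
            got = ipaddress.ip_network(params[key], strict=False).version
        except ValueError:
            continue  # not a literal address or prefix; family cannot be judged here
        if got != want:
            problems.append(f"{name}: {key}={params[key]} is IPv{got}, conn expects IPv{want}")
    return problems

def check_config(text):
    """Run check_conn over every conn section in the text."""
    return [p for name, params in parse_conns(text).items() for p in check_conn(name, params)]
```
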


> -----Original Message-----
> From: users-bounces at lists.openswan.org
> [mailto:users-bounces at lists.openswan.org] On Behalf Of Mikael Magnusson
> Sent: Wednesday 12 May 2004 23:45
> To: users at lists.openswan.org
> Subject: Re: [Openswan Users] Openswan + IPv6 [PATCH]
> 
> Hi,
> 
> On Wed, May 12, 2004 at 01:10:55PM +0200, Ken Bantoft wrote:
> > 
> > 
> > On Wed, 12 May 2004, Gessler Gerhard wrote:
> > 
> > > 
> > > Hi all,
> > > 
> > > let me first state that I have not done tests with IPsec for IPv6
> > > using the ipsec backport for 2.4.x kernels. But I think that (as the
> > > basic code should be quite the same), if OpenSWAN can negotiate and
> > > install IPv6 SA's on 2.6.x kernels, it should also work on 2.4.x
> > > kernels. Or am I missing some big difference in the PF_KEY interface?
> > 
> > If 2.6 kernel works, then the backport should work too - it's the same
> > code, just with structs / some function calls adjusted.
> > 
> > > Nevertheless, even if the necessary code in _confread is not there
> > > to support the definition of IPv6 conns in ipsec.conf, the code and
> > > logic is already in Pluto and Whack (since FreeSWAN 1.6).
> > > I am able to define, load, negotiate and install e.g. host-to-host
> > > IPv6 SA (client net is /128) with ESP authentication using OpenSWAN
> > > 2.1.2rc5.
> > > IKE authentication is done via PSK, the connection is loaded
> > > manually into Pluto using Whack.
> > 
> > Wow... this is good news.  I would like to get full IPv6 support
> > working in the rest of Openswan, if you can give me some direction (I
> > don't have IPv6 testbed anyways to play) we'd happily accept
> > patches/pointers on where stuff needs to be changed.
> > 
> > 
> > > The _updown script needed some changes as it does not support the
> > > necessary -v6 verbs that Pluto hands over to it, but after defining
> > > them (doing just nothing), the Quick Mode SA gets installed
> > > successfully.
> > 
> > Can you send me your hacked up _updown so I can look at merging
> > the stubs in for now?  In 2.6, _updown doesn't do much at all anyways.
> > 
> > > Currently I seem to have a problem with doing the same with a
> > > connection that does AH authentication and ESP encryption. The
> > > negotiation is successful, but the resulting packets from the
> > > kernel are just crap.
> > 
> > Not sure where the issue is here, but doesn't sound like it's under
> > Openswan control.
> > 
> 
> As a matter of coincidence, I was playing with Openswan and IPv6 today
> and succeeded in setting up an automatic IPSEC tunnel. Both hosts were
> running Debian unstable. One with kernel 2.4.24 with the backported
> IPSEC/IPv6 in a User-Mode-Linux process. The other one a regular system
> with kernel 2.6.5. I have tested both host-to-host and host-to-net
> tunnels, and both work.
> 
> I first tried to use Freeswan from Debian unstable, but it had problems
> with negotiating auth algorithms on 2.4.24 UML. 
> 
> Almost all of the work was already done. I only had to define a new
> connection parameter that specifies the address family, and stubs for
> the IPv6 operations in _updown. I haven't added any implementation of
> the IPv6 operations since it doesn't seem to be necessary.
> 
> Maybe the IPv6 modules esp6 and ah6 should be modprobed in _startklips.
> It apparently isn't needed in 2.6, but in 2.4 the kernel fails to
> autoload the module.
> 
> I have attached my patch to the email.
> 
> Regards,
> Mikael Magnusson

