[Openswan Users] Openswan + IPv6 [PATCH]
zze-DURBEC Mathieu RD-MAPS-ISS
mathieu.durbec at rd.francetelecom.com
Thu Jul 15 10:57:36 CEST 2004
Hi,
Thank you, I've fixed it... My leftsubnet was not correct....
But I got a new problem now... I'd want to store RSA Keys in a DNS and
use it for ipsec
Although it works under ipv4, it doesn't work under ipv6.
Is it normal? Does the patch allow me to do it???
Regards
Matt
-----Original Message-----
From: users-bounces at lists.openswan.org
[mailto:users-bounces at lists.openswan.org] On Behalf Of Mikael Magnusson
Sent: mercredi 14 juillet 2004 11:12
To: users at lists.openswan.org
Subject: Re: [Openswan Users] Openswan + IPv6 [PATCH]
On Tue, Jul 13, 2004 at 11:38:23AM +0200, zze-DURBEC Mathieu
FTRD/DTL/ISS wrote:
> Hello,
>
> I still try to set up openswan with ipv6...
> I've applied your patch (for ipv6 support) on my openswan version but
> I've got another problem with the file parser.
> I can set up transport mode connection but I don't know how to write
> the "leftsubnet" or "rightsubnet".
> Openswan seems only to read ipv4 mask at this stage...
>
> Any ideas ???
>
> Cheers
>
> Matt
>
Hi,
have you specified connaddrfamily=ipv6 in your connection definition?
A sample ipv6 conn section:

conn sample-ipv6-connection
    left=2002:c0a8:0001:1::1
    leftsubnet=::/0
    right=2002:c0a8:0001:5::2
    rightsubnet=2002:c0a8:0001:5::2/128
    connaddrfamily=ipv6

Regards,
Mikael
> -----Original Message-----
> From: users-bounces at lists.openswan.org
> [mailto:users-bounces at lists.openswan.org] On Behalf Of Mikael
> Magnusson
> Sent: mercredi 12 mai 2004 23:45
> To: users at lists.openswan.org
> Subject: Re: [Openswan Users] Openswan + IPv6 [PATCH]
>
> Hi,
>
> On Wed, May 12, 2004 at 01:10:55PM +0200, Ken Bantoft wrote:
> >
> >
> > On Wed, 12 May 2004, Gessler Gerhard wrote:
> >
> > >
> > > Hi all,
> > >
> > > let me first state that I have not done tests with IPsec for IPv6
> > > using the ipsec backport for 2.4.x kernels. But I think that (as
> > > the basic code should be quite the same), if OpenSWAN can negotiate
> > > and install IPv6 SA's on 2.6.x kernels, it should also work on
> > > 2.4.x kernels. Or am I missing some big difference in the PF_KEY
> > > interface.
> >
> > If 2.6 kernel works, then the backport should work too - it's the
> > same code, just with structs / some function calls adjusted.
> >
> > > Nevertheless, even if the necessary code in _confread is not there
> > > to support the definition of IPv6 conns in ipsec.conf, the code
> > > and logic is already in Pluto and Whack (since FreeSWAN 1.6).
> > > I am able to define, load, negotiate and install e.g. host-to-host
> > > IPv6 SA (client net is /128) with ESP authentication using
> > > OpenSWAN 2.1.2rc5.
> > > IKE authentication is done via PSK, the connection is loaded
> > > manually into Pluto using Whack.
> >
> > Wow... this is good news. I would like to get full IPv6 support
> > working in the rest of Openswan, if you can give me some direction
> > (I don't have
> > IPv6 testbed anyways to play) we'd happily accept patches/pointers
> > on where stuff needs to be changed.
> >
> >
> > > The _updown script needed some changes as it does not support the
> > > necessary -v6 verbs that Pluto hands over to it, but after
> > > defining them (doing just nothing), the Quick Mode SA gets
> > > installed successfully.
> >
> > Can you send me your hacked up _updown so I can look at merging
> > the stubs in for now? In 2.6, _updown doesn't do much at all
> > anyways.
> >
> > > Currently I seem to have problem with doing the same with a
> > > connection that does AH authentication and ESP encryption. The
> > > negotiation is successful, but the resulting packets from the
> > > kernel are just crap.
> >
> > Not where where the issue is here, but doesn't sound like it's under
> > Openswan control.
> >
>
> As a matter of coincidence, I was playing with Openswan and IPv6 today
> and succeeded in setting up an automatic IPSEC tunnel. Both hosts were
> running Debian unstable. One with kernel 2.4.24 with the backported
> IPSEC/IPv6 in a User-Mode-Linux process. The other one a regular
> system with kernel 2.6.5. I have tested both host-to-host and
> host-to-net tunnels, and both work.
>
> I first tried to use Freeswan from Debian unstable, but it had
> problems with negotiating auth algorithms on 2.4.24 UML.
>
> Almost all of the work was already done. I only had to define a new
> connection parameter that specifies the address family, and stubs for
> the IPv6 operations in _updown. I haven't added any implementation of
> the IPv6 operations since it doesn't seem to be necessary.
>
> Maybe the IPv6 modules esp6 and ah6 should be modprobed in
> _startklips. It apparently isn't needed in 2.6, but in 2.4 the kernel
> fails to autoload the module.
>
> I have attached my patch to the email.
>
> Regards,
> Mikael Magnusson
_______________________________________________
Users mailing list
Users at lists.openswan.org
http://lists.openswan.org/mailman/listinfo/users
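
Added example, not part of the thread and not Openswan code: a small pre-load check that the address-valued parameters of a conn section agree with its connaddrfamily, which is the mismatch behind the leftsubnet problem discussed above. The function names are hypothetical, and treating a missing connaddrfamily as IPv4 is an assumption of this sketch.

```python
import ipaddress

# The sample conn from this thread, embedded so the check runs offline.
SAMPLE = """\
conn sample-ipv6-connection
    left=2002:c0a8:0001:1::1
    leftsubnet=::/0
    right=2002:c0a8:0001:5::2
    rightsubnet=2002:c0a8:0001:5::2/128
    connaddrfamily=ipv6
"""

ADDR_KEYS = ("left", "right")
SUBNET_KEYS = ("leftsubnet", "rightsubnet")

def parse_conn(text):
    """Parse one ipsec.conf-style conn section into (name, {key: value})."""
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
        elif line[0] in " \t" and "=" in line:  # parameters are indented
            key, value = line.strip().split("=", 1)
            params[key.strip()] = value.strip()
    return name, params

def check_family(params):
    """Return a list of problems; an empty list means the families agree."""
    # Assumption of this sketch: no connaddrfamily means an IPv4 conn.
    want = 6 if params.get("connaddrfamily") == "ipv6" else 4
    problems = []
    for key in ADDR_KEYS + SUBNET_KEYS:
        value = params.get(key)
        if value is None or value.startswith("%"):  # skip %-keywords
            continue
        try:
            if key in SUBNET_KEYS:
                got = ipaddress.ip_network(value, strict=False).version
            else:
                got = ipaddress.ip_address(value).version
        except ValueError:
            problems.append(f"{key}: cannot parse {value!r}")
            continue
        if got != want:
            problems.append(f"{key}: IPv{got} value in an IPv{want} conn")
    return problems
```
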