[Openswan Users] Openswan + IPv6 [PATCH]

Mikael Magnusson mikaelmagnusson at tjohoo.se
Thu May 13 00:45:18 CEST 2004


Hi,

On Wed, May 12, 2004 at 01:10:55PM +0200, Ken Bantoft wrote:
> 
> 
> On Wed, 12 May 2004, Gessler Gerhard wrote:
> 
> > 
> > Hi all,
> > 
> > let me first state that I have not done tests with IPsec for IPv6 using
> > the ipsec backport for 2.4.x kernels. But I think that (as the basic
> > code should be quite the same), if OpenSWAN can negotiate and install
> > IPv6 SA's on 2.6.x kernels, it should also work on 2.4.x kernels. Or am
> > I missing some big difference in the PF_KEY interface?
> 
> If 2.6 kernel works, then the backport should work too - it's the same 
> code, just with structs / some function calls adjusted.
> 
> > Nevertheless, even if the necessary code in _confread is not there to
> > support the definition of IPv6 conns in ipsec.conf, the code and logic
> > is already in Pluto and Whack (since FreeSWAN 1.6).
> > I am able to define, load, negotiate and install e.g. host-to-host IPv6
> > SA (client net is /128) with ESP authentication using OpenSWAN 2.1.2rc5.
> > IKE authentication is done via PSK, the connection is loaded manually
> > into Pluto using Whack. 
> 
> Wow... this is good news.  I would like to get full IPv6 support working 
> in the rest of Openswan, if you can give me some direction (I don't have 
> an IPv6 testbed anyways to play) we'd happily accept patches/pointers on 
> where stuff needs to be changed.
> 
> 
> > The _updown script needed some changes as it does not support the
> > necessary -v6 verbs that Pluto hands over to it, but after defining
> > them (doing just nothing), the Quick Mode SA gets installed
> > successfully.
> 
> Can you send me your hacked up _updown so I can look at merging the 
> stubs in for now?  In 2.6, _updown doesn't do much at all anyways.
> 
> > Currently I seem to have problem with doing the same with a connection
> > that does AH authentication and ESP encryption. The negotiation is
> > successful, but the resulting packets from the kernel are just crap.
> 
> Not sure where the issue is here, but doesn't sound like it's under 
> Openswan control.
> 

As a matter of coincidence, I was playing with Openswan and IPv6
today and succeeded in setting up an automatic IPSEC tunnel. Both hosts
were running Debian unstable. One with kernel 2.4.24 with the backported 
IPSEC/IPv6 in a User-Mode-Linux process. The other one a regular system with
kernel 2.6.5. I have tested both host-to-host and host-to-net tunnels,
and both work.

I first tried to use Freeswan from Debian unstable, but it had problems with
negotiating auth algorithms on 2.4.24 UML. 

Almost all of the work was already done. I only had to define a new
connection parameter that specifies the address family, and stubs for the
IPv6 operations in _updown. I haven't added any implementation of the IPv6
operations since it doesn't seem to be necessary.

Maybe the IPv6 modules esp6 and ah6 should be modprobed in
_startklips. It apparently isn't needed in 2.6, but in 2.4 the kernel
fails to autoload the module.

I have attached my patch to the email.

Regards,
Mikael Magnusson
-------------- next part --------------
--- ./auto.orig	2004-04-17 18:34:41.000000000 +0200
+++ ./auto	2004-05-12 18:26:24.000000000 +0200
@@ -445,6 +445,14 @@
 		}
 
 		settings = type_flags
+		# BEGIN IPv6
+		default("connaddrfamily", "ipv4")
+		if (s["connaddrfamily"] == "ipv6") {
+			settings = settings " --ipv6"
+		} else if (s["connaddrfamily"] != "ipv4") {
+			fail("unknown connaddrfamily value " s["connaddrfamily"])
+		}
+		# END IPv6
 		if (s["auth"] == "ah")
 			settings = settings " --authenticate"
 		if (s["pfs"] == "yes")
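Review bot: the value check for connaddrfamily lives here in auto rather than in _confread, so a typo such as connaddrfamily=ip6 is only reported when the connection is loaded, not when the config is read like the other keyword checks; consider validating the value where the keyword is accepted and keeping only the `--ipv6` flag selection in this hunk. The `# BEGIN IPv6` / `# END IPv6` markers are also not used elsewhere in this file and can be dropped in favour of a single comment line.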
--- ./_confread.orig	2004-04-17 18:34:41.000000000 +0200
+++ ./_confread	2004-05-12 18:20:17.000000000 +0200
@@ -130,7 +130,7 @@
 			fail("invalid section name " bq na[i] eq)
 	}
 
-	good = "also alsoflip type auto authby _plutodevel"
+	good = "also alsoflip type auto authby _plutodevel connaddrfamily"
 	left = " left leftsubnet leftnexthop leftfirewall leftupdown"
 	akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz"
 	akey = akey " xauth"
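Review bot: adding connaddrfamily to the `good` list accepts the keyword but documents nothing about it; the accepted values (`ipv4`, the default, and `ipv6`) and the fact that it selects the address family for left/right and the subnets should be added to the ipsec.conf(5) man page in the same patch, since nothing in _confread constrains the value.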
--- ./_updown.orig	2004-04-17 18:34:41.000000000 +0200
+++ ./_updown	2004-05-12 22:37:36.000000000 +0200
@@ -410,6 +410,35 @@
 	ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
 		-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
 	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:*)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:*)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
 *)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
 	exit 1
 	;;
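Review bot: the `up-client-v6:)` and `down-client-v6:)` patterns match only an empty parameter, whereas `up-host-v6:*)` and the other v6 cases accept any parameter; when Pluto passes a parameter for the client verbs (the surrounding context shows an `ipfwadm` variant for the IPv4 client cases), the v6 client verbs fall through to the `unknown verb` branch and `exit 1`, which will fail the connection. Use `up-client-v6:*)` and `down-client-v6:*)` unless separate ipfwadm cases are added. The commented-out `#uproute_v6` / `#downroute_v6` calls reference functions that do not exist in this file; either drop the comments or note in the route cases that no route is installed for IPv6.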

