[Openswan Users] Openswan + IPv6 [PATCH]
Mikael Magnusson
mikaelmagnusson at tjohoo.se
Thu May 13 00:45:18 CEST 2004
Hi,
On Wed, May 12, 2004 at 01:10:55PM +0200, Ken Bantoft wrote:
>
>
> On Wed, 12 May 2004, Gessler Gerhard wrote:
>
> >
> > Hi all,
> >
> > let me first state that I have not done tests with IPsec for IPv6 using
> > the ipsec backport for 2.4.x kernels. But I think that (as the basic
> > code should be quite the same), if OpenSWAN can negotiate and install
> > IPv6 SAs on 2.6.x kernels, it should also work on 2.4.x kernels. Or am
> > I missing some big difference in the PF_KEY interface?
>
> If 2.6 kernel works, then the backport should work too - it's the same
> code, just with structs / some function calls adjusted.
>
> > Nevertheless, even if the necessary code in _confread is not there to
> > support the definition of IPv6 conns in ipsec.conf, the code and logic
> > are already in Pluto and Whack (since FreeSWAN 1.6).
> > I am able to define, load, negotiate and install e.g. a host-to-host IPv6
> > SA (client net is /128) with ESP authentication using OpenSWAN 2.1.2rc5.
> > IKE authentication is done via PSK, the connection is loaded manually
> > into Pluto using Whack.
>
> Wow... this is good news. I would like to get full IPv6 support working
> in the rest of Openswan, if you can give me some direction (I don't have
> IPv6 testbed anyways to play) we'd happily accept patches/pointers on
> where stuff needs to be changed.
>
>
> > The _updown script needed some changes as it does not support the
> > necessary -v6 verbs that Pluto hands over to it, but after defining
> > them (doing just nothing), the Quick Mode SA gets installed
> > successfully.
>
> Can you send me your hacked up _updown so I can look at merging the
> stubs in for now? In 2.6, _updown doesn't do much at all anyways.
>
> > Currently I seem to have problem with doing the same with a connection
> > that does AH authentication and ESP encryption. The negotiation is
> > successful, but the resulting packets from the kernel are just crap.
>
> Not sure where the issue is here, but doesn't sound like it's under
> Openswan control.
>
As a matter of coincidence, I was playing with Openswan and IPv6
today and succeeded in setting up an automatic IPSEC tunnel. Both hosts
were running Debian unstable. One with kernel 2.4.24 with the backported
IPSEC/IPv6 in a User-Mode-Linux process. The other one a regular system with
kernel 2.6.5. I have tested both host-to-host and host-to-net tunnels,
and both work.
I first tried to use Freeswan from Debian unstable, but it had problems with
negotiating auth algorithms on 2.4.24 UML.
Almost all of the work was already done. I only had to define a new
connection parameter that specifies the address family, and stubs for the
IPv6 operations in _updown. I haven't added any implementation of the IPv6
operations since it doesn't seem to be necessary.
Maybe the IPv6 modules esp6 and ah6 should be modprobed in
_startklips. It apparently isn't needed in 2.6, but in 2.4 the kernel
fails to autoload the module.
I have attached my patch to the email.
Regards,
Mikael Magnusson
-------------- next part --------------
--- ./auto.orig 2004-04-17 18:34:41.000000000 +0200
+++ ./auto 2004-05-12 18:26:24.000000000 +0200
@@ -445,6 +445,14 @@
}
settings = type_flags
+ # BEGIN IPv6
+ default("connaddrfamily", "ipv4")
+ if (s["connaddrfamily"] == "ipv6") {
+ settings = settings " --ipv6"
+ } else if (s["connaddrfamily"] != "ipv4") {
+ fail("unknown connaddrfamily value " s["connaddrfamily"])
+ }
+ # END IPv6
if (s["auth"] == "ah")
settings = settings " --authenticate"
if (s["pfs"] == "yes")
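Review bot: the `# BEGIN IPv6` / `# END IPv6` marker comments have no counterpart in the surrounding code (the adjacent `auth` and `pfs` tests carry none), so they should go, or be replaced by a one-line comment saying what `connaddrfamily` selects. The rejection of unknown values is right, but `fail("unknown connaddrfamily value " s["connaddrfamily"])` would help the user more if it named the accepted values, e.g. `fail("connaddrfamily must be ipv4 or ipv6, not " s["connaddrfamily"])`.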
--- ./_confread.orig 2004-04-17 18:34:41.000000000 +0200
+++ ./_confread 2004-05-12 18:20:17.000000000 +0200
@@ -130,7 +130,7 @@
fail("invalid section name " bq na[i] eq)
}
- good = "also alsoflip type auto authby _plutodevel"
+ good = "also alsoflip type auto authby _plutodevel connaddrfamily"
left = " left leftsubnet leftnexthop leftfirewall leftupdown"
akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz"
akey = akey " xauth"
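Review bot: adding `connaddrfamily` to the `good` list only whitelists the keyword name; the value is not checked here, so a misspelt value such as `connaddrfamily=ipv66` passes the config parse and is rejected only later, when `auto` assembles the whack flags. The value check belongs next to this whitelist in `_confread`, so that every path that reads the config fails at the same place. The new keyword also needs a description in the ipsec.conf manual page, which this patch (auto, _confread, _updown only) does not touch.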
--- ./_updown.orig 2004-04-17 18:34:41.000000000 +0200
+++ ./_updown 2004-05-12 22:37:36.000000000 +0200
@@ -410,6 +410,35 @@
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+ ;;
+route-host-v6:*|route-client-v6:*)
+ # connection to me or my client subnet being routed
+ #uproute_v6
+ ;;
+unroute-host-v6:*|unroute-client-v6:*)
+ # connection to me or my client subnet being unrouted
+ #downroute_v6
+ ;;
+up-host-v6:*)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host-v6:*)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
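Review bot: `up-client-v6:)` and `down-client-v6:)` match only when `$1` is empty, while every other new pattern in this hunk (`prepare-host-v6:*`, `route-host-v6:*`, `up-host-v6:*`, ...) uses `:*` and accepts any parameter; an IPv6 client connection whose `_updown` is invoked with a parameter therefore falls through to the `unknown verb` exit at the bottom. Use `up-client-v6:*)` and `down-client-v6:*)` for the stubs, or add the parameterised variants explicitly, and keep the two families of patterns consistent. The commented-out `#uproute_v6` and `#downroute_v6` calls refer to functions defined nowhere in the patch; since these stubs intentionally do nothing, either drop the comments or replace them with a note that IPv6 routing is left to the kernel.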
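The `connaddrfamily=` keyword the patch introduces is checked only for its own value; nothing in `_confread` or `auto` checks that the addresses in the conn actually belong to the declared family, so `connaddrfamily=ipv6` with an IPv4 `left=` is accepted and fails later in whack. The script below is an added example, not part of the patch or of Openswan: a pre-flight lint that reads a constructed ipsec.conf fragment (the conn names and addresses in it are made up), applies the same `ipv4` default and `ipv4`/`ipv6` whitelist as the patched `auto` script, and then checks every `left`/`right`/`*subnet`/`*nexthop` value against the family. The `addr_family`, `conn_value` and `check_conn` helpers and the `SAMPLE_CONF` fragment are this example's own inventions.

```shell
#!/bin/sh
# Added example, not part of the Openswan patch or the original post:
# a pre-flight lint for the new connaddrfamily= keyword. The patched auto
# script only rejects unknown values; this script also checks that the
# addresses in a conn agree with the declared family.
# Assumptions: ipsec.conf-style "conn NAME" sections with one
# "key=value" per line; all helper names below are this example's own.

# addr_family ADDR -> prints ipv4, ipv6 or unknown (IPv6 literals contain ':').
addr_family() {
    case "$1" in
        *:*)      echo ipv6 ;;
        *.*.*.*)  echo ipv4 ;;
        *)        echo unknown ;;
    esac
}

# conn_value CONFIG CONN KEY -> prints KEY's value from section "conn CONN",
# nothing if absent. Uses awk, like Openswan's own _confread and auto.
conn_value() {
    printf '%s\n' "$1" | awk -v conn="$2" -v key="$3" '
        /^conn[ \t]+/ { insect = ($2 == conn); next }
        insect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); print; exit
        }'
}

# check_conn CONFIG CONN -> 0 when connaddrfamily (default ipv4, as in the
# patch) is valid and every address keyword matches it; 1 otherwise, with
# the reason on stderr.
check_conn() {
    config="$1"; name="$2"
    family=$(conn_value "$config" "$name" connaddrfamily)
    [ -n "$family" ] || family=ipv4
    case "$family" in
        ipv4|ipv6) ;;
        *) echo "$name: connaddrfamily must be ipv4 or ipv6, not '$family'" >&2
           return 1 ;;
    esac
    rc=0
    for key in left right leftsubnet rightsubnet leftnexthop rightnexthop; do
        val=$(conn_value "$config" "$name" "$key")
        [ -n "$val" ] || continue
        case "$val" in %*) continue ;; esac      # %defaultroute, %any, ...
        got=$(addr_family "${val%%/*}")         # drop any /prefix length
        if [ "$got" != "$family" ]; then
            echo "$name: $key=$val is $got but connaddrfamily=$family" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (made-up names and addresses): a host-to-host IPv6 conn
# of the kind the thread describes (/128 client nets, PSK), an IPv4 conn that
# relies on the default, and two conns the lint should reject.
SAMPLE_CONF='conn v6-host-to-host
    connaddrfamily=ipv6
    left=2001:db8:1::1
    leftsubnet=2001:db8:1::1/128
    right=2001:db8:2::1
    rightsubnet=2001:db8:2::1/128
    auth=esp
    authby=secret

conn v4-default
    left=192.0.2.1
    right=192.0.2.2
    authby=secret

conn mixed-up
    connaddrfamily=ipv6
    left=192.0.2.1
    right=2001:db8:2::1

conn bad-family
    connaddrfamily=ipv66
    left=2001:db8:1::1
'

# Stand-alone run: lint each conn in the sample; failures are reported on
# stderr by check_conn, so "mixed-up" and "bad-family" are not printed as ok.
for c in v6-host-to-host v4-default mixed-up bad-family; do
    if check_conn "$SAMPLE_CONF" "$c"; then echo "$c: ok"; fi
done
```

Run it on a real ipsec.conf by replacing `SAMPLE_CONF` with `$(cat /etc/ipsec.conf)` and the conn list with the names you load; the address test is deliberately crude (a colon means IPv6, a dotted quad means IPv4), which is enough to catch a conn whose family and addresses disagree before `ipsec auto --add` hands it to whack.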