[Openswan Users] Openswan + IPv6 [PATCH]

Gessler Gerhard Gessler at iabg.de
Thu May 13 09:23:24 CEST 2004


Dear Mikael,

thank you for so quickly sharing your patches!

While taking a look at them I think that there is one option missing.
Pluto provides the ability to define several variants of connections
with respect to the address family:

ISAKMP SA = ipv4 & IPsec SA = ipv4 (default case)
ISAKMP SA = ipv6 & IPsec SA = ipv6
ISAKMP SA = ipv4 & IPsec SA = ipv6
ISAKMP SA = ipv6 & IPsec SA = ipv4

That's why Pluto and Whack have the options "--ipv4|--ipv6" and
"--tunnelipv4|--tunnelipv6".

I think it is therefore necessary to have in total two configuration
options in "auto" and "_confread" to separately define the ISAKMP SA
address family and IPsec SA address family. I am not sure (read: have
not looked in the code) if it is enough to only define the ISAKMP SA
address family as Pluto / Whack then could assume that the IPSec SA
family is identical, if the other configuration option is missing.

Another possibility would be to get rid of the requirement in Pluto and
Whack to explicitly define the address family of an IP/IPv6 address and
to add logic which tries to automagically recognize the address family.

Regards,

	Gerhard

--------------------------------------------
Gerhard Gessler

Communication Networks, IABG mbH
Einsteinstr. 20
85521 Ottobrunn, Germany

Telefon: +49 89 6088 - 2021
Fax: +49 89 6088 - 2845

E-Mail: gessler at iabg.de 
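
The two ideas in the message above (a tunnel address family that follows the ISAKMP family when it is not configured, and recognizing the family from the address literal) can be sketched as follows. This is an added example, not code from Openswan or from either poster; `resolve_families` and its helpers are hypothetical names, and it assumes hostnames cannot be classified, so they need an explicit option.

```c
/* Added illustration, not Openswan code; all function names are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Family of a literal address, or AF_UNSPEC when it is neither IPv4 nor
 * IPv6 (for example a hostname, which needs a lookup to classify). */
static int literal_family(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (s == NULL) return AF_UNSPEC;
    if (inet_pton(AF_INET, s, buf) == 1) return AF_INET;
    if (inet_pton(AF_INET6, s, buf) == 1) return AF_INET6;
    return AF_UNSPEC;
}

/* Family of a client subnet written as "addr/prefixlen". */
static int subnet_family(const char *s)
{
    char addr[INET6_ADDRSTRLEN];
    const char *slash;
    size_t n;
    if (s == NULL) return AF_UNSPEC;
    slash = strchr(s, '/');
    n = slash ? (size_t)(slash - s) : strlen(s);
    if (n >= sizeof(addr)) return AF_UNSPEC;
    memcpy(addr, s, n);
    addr[n] = '\0';
    return literal_family(addr);
}

/* Resolve the ISAKMP and IPsec SA families. Explicit options (AF_UNSPEC
 * means "not given") must agree with the literals; a missing tunnel family
 * follows the subnet literal, then the ISAKMP family. Returns 0 on success,
 * -1 on a conflict or when the ISAKMP family cannot be determined. */
int resolve_families(int ike_opt, int tun_opt, const char *peer,
                     const char *subnet, int *ike_af, int *tun_af)
{
    int peer_af = literal_family(peer), net_af = subnet_family(subnet);
    if (ike_opt != AF_UNSPEC && peer_af != AF_UNSPEC && ike_opt != peer_af)
        return -1;                      /* option contradicts the address */
    *ike_af = ike_opt != AF_UNSPEC ? ike_opt : peer_af;
    if (*ike_af == AF_UNSPEC) return -1;
    if (tun_opt != AF_UNSPEC && net_af != AF_UNSPEC && tun_opt != net_af)
        return -1;                      /* option contradicts the subnet */
    *tun_af = tun_opt != AF_UNSPEC ? tun_opt
            : (net_af != AF_UNSPEC ? net_af : *ike_af);
    return 0;
}
```

Rejecting a mismatch between an explicit option and the literal, instead of silently preferring one, keeps a mistyped connection definition from loading with an unintended family.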

  > -----Original Message-----
  > From: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] On Behalf Of Mikael Magnusson
  > Sent: Wednesday, May 12, 2004 11:45 PM
  > To: users at lists.openswan.org
  > Subject: Re: [Openswan Users] Openswan + IPv6 [PATCH]
  > 
  > 
  > Hi,
  > 
  > On Wed, May 12, 2004 at 01:10:55PM +0200, Ken Bantoft wrote:
  > > 
  > > 
  > > On Wed, 12 May 2004, Gessler Gerhard wrote:
  > > 
  > > > 
  > > > Hi all,
  > > > 
  > > > let me first state that I have not done tests with IPsec for IPv6
  > > > using the ipsec backport for 2.4.x kernels. But I think that (as the
  > > > basic code should be quite the same), if OpenSWAN can negotiate and
  > > > install IPv6 SA's on 2.6.x kernels, it should also work on 2.4.x
  > > > kernels. Or am I missing some big difference in the PF_KEY
  > > > interface.
  > > 
  > > If 2.6 kernel works, then the backport should work too - it's the same
  > > code, just with structs / some function calls adjusted.
  > > 
  > > > Nevertheless, even if the necessary code in _confread is not there
  > > > to support the definition of IPv6 conns in ipsec.conf, the code and
  > > > logic is already in Pluto and Whack (since FreeSWAN 1.6). I am able
  > > > to define, load, negotiate and install e.g. host-to-host IPv6 SA
  > > > (client net is /128) with ESP authentication using OpenSWAN
  > > > 2.1.2rc5. IKE authentication is done via PSK, the connection is
  > > > loaded manually into Pluto using Whack.
  > > 
  > > Wow... this is good news.  I would like to get full IPv6 support
  > > working in the rest of Openswan, if you can give me some direction (I
  > > don't have IPv6 testbed anyways to play) we'd happily accept
  > > patches/pointers on where stuff needs to be changed.
  > > 
  > > 
  > > > The _updown script needed some changes as it does not support the
  > > > necessary -v6 verbs that Pluto hands over to it, but after defining
  > > > them (doing just nothing), the Quick Mode SA gets installed
  > > > successfully.
  > > 
  > > Can you send me your hacked up _updown so I can look at merging
  > > the stubs in for now?  In 2.6, _updown doesn't do much at all anyways.
  > > 
  > > > Currently I seem to have problem with doing the same with a
  > > > connection that does AH authentication and ESP encryption. The
  > > > negotiation is successful, but the resulting packets from the
  > > > kernel are just crap.
  > > 
  > > Not sure where the issue is here, but doesn't sound like it's under
  > > Openswan control.
  > > 
  > 
  > As a matter of coincidence, I was playing with Openswan and IPv6
  > today and succeeded in setting up an automatic IPSEC tunnel. Both hosts
  > were running Debian unstable. One with kernel 2.4.24 with the backported
  > IPSEC/IPv6 in a User-Mode-Linux process. The other one a regular system
  > with kernel 2.6.5. I have tested both host-to-host and host-to-net
  > tunnels, and both work.
  > 
  > I first tried to use Freeswan from Debian unstable, but it had problems
  > with negotiating auth algorithms on 2.4.24 UML.
  > 
  > Almost all of the work was already done. I only had to define a new
  > connection parameter that specifies the address family, and stubs for
  > the IPv6 operations in _updown. I haven't added any implementation of
  > the IPv6 operations since it doesn't seem to be necessary.
  > 
  > Maybe the IPv6 modules esp6 and ah6 should be modprobed in
  > _startklips. It apparently isn't needed in 2.6, but in 2.4 the kernel
  > fails to autoload the module.
  > 
  > I have attached my patch to the email.
  > 
  > Regards,
  > Mikael Magnusson
  > 

