[Openswan Users] Openswan+Ipv6 probem....again....

Gessler Gerhard Gessler at iabg.de
Tue May 18 18:44:37 CEST 2004


Dear Mathieu,
 
I would strongly suggest making your setup work in small steps:
 
1. Get a recent 2.6 kernel to compile and run with its native IPsec for
IPv6 support on two systems.
2. Make yourself familiar with manual keying and get that to work between
the two 2.6 systems.
3. Preferably install OpenSWAN 2.x by only compiling / installing the
programs; don't use KLIPS.
4. Manually load an IPv6 connection with PSK authentication into Pluto
using whack, e.g.
 
ipsec setup --start
ipsec whack --name satipv6 --ipv6 --tunnelipv6 \
    --host 3ffe:660:3008:1701::1 --client 3ffe:660:3008:1701::1/128 \
    --to --host 3ffe:660:3008:1701::2 --client 3ffe:660:3008:1701::2/128 \
    --psk --encrypt --pfs --ikelifetime 600 --ipseclifetime 300 --rekeymargin 20
ipsec whack --listen
ipsec whack --initiate --name satipv6

5. Give the latest CVS version with the contribution of Mikael a try to
load an IPv6 connection with
ipsec setup --start
ipsec auto --add satipv6
ipsec auto --initiate satipv6
 
6. Change the authentication used from PSK to RSA keys.
7. Put the RSA keys into your DNS for OE and have a look if that works.
I myself have never tried this, so it could well be that the code
would need some tweaking to actually retrieve and process AAAA records.
 
Hope this helps,
 
    Gerhard

--------------------------------------------
Gerhard Gessler

Communication Networks, IABG mbH
Einsteinstr. 20
85521 Ottobrunn, Germany

Telefon: +49 89 6088 - 2021
Fax: +49 89 6088 - 2845

E-Mail: gessler at iabg.de 
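The ipsec.conf connection that step 5 loads with "ipsec auto --add satipv6", written here as an added example rather than taken from the thread; it mirrors the whack parameters from step 4 and assumes that the patched Openswan 2.x accepts the connaddrfamily=ipv6 keyword and that the PSK for the two addresses is kept in ipsec.secrets.

```conf
# /etc/ipsec.conf fragment (added example, not from the thread).
# Assumes the patched Openswan 2.x parses connaddrfamily=ipv6; the
# addresses and lifetimes are the ones from the whack command in step 4.
conn satipv6
        connaddrfamily=ipv6
        type=tunnel
        left=3ffe:660:3008:1701::1
        leftsubnet=3ffe:660:3008:1701::1/128
        right=3ffe:660:3008:1701::2
        rightsubnet=3ffe:660:3008:1701::2/128
        authby=secret           # whack --psk
        pfs=yes                 # whack --pfs
        ikelifetime=600s        # whack --ikelifetime 600
        keylife=300s            # whack --ipseclifetime 300
        rekeymargin=20s         # whack --rekeymargin 20
        auto=add                # loaded by "ipsec auto --add satipv6"

# /etc/ipsec.secrets entry for authby=secret (placeholder value, not a real key).
3ffe:660:3008:1701::1 3ffe:660:3008:1701::2 : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

Once both hosts carry the same conn block and secret, the step 5 sequence (setup --start, auto --add, auto --initiate) should behave like the manual whack sequence of step 4.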

	-----Original Message-----
	From: zze-DURBEC Mathieu FTRD/DTL/ISS
[mailto:mathieu.durbec at rd.francetelecom.com] 
	Sent: Tuesday, May 18, 2004 12:42 PM
	To: Gessler Gerhard
	Cc: users at lists.openswan.org
	Subject: RE: [Openswan Users] Openswan+Ipv6 probem....again....
	
	
	Dear Gerhard,
	 
	I understand that you can't use both FreeSWAN KLIPS and native kernel IPsec...
	But I can't find a solution to do what I need.
	What I have to do is to set up opportunistic encryption with ipv6 on a linux system.
	That's why I try to install a new kernel which could bring me ipv6 support.
	But I've heard that you can't do opportunistic encryption with new kernels ( > 2.6 )...
	Do you know what I should use (kernel, FreesWan or OpenSWAN, which patch ?) ??
	 
	Thank you 
	 
	Matt
	 

________________________________

	From: Gessler Gerhard [mailto:Gessler at iabg.de] 
	Sent: vendredi 14 mai 2004 21:37
	To: zze-DURBEC Mathieu FTRD/DTL/ISS
	Cc: users at lists.openswan.org
	Subject: RE: [Openswan Users] Openswan+Ipv6 probem....again....
	
	
	Dear Mathieu,
	 
	After having taken a look at the output of "ipsec look", I am not clear if I understand what you want to do:
	 
	ipsec0->eth0 mtu=16260(1500)->1500
	Destination    Gateway    Genmask        Flags  MSS  Window  irtt  Iface
	192.1680.0.0   0.0.0.0    255.255.255.0  U      0    0       0     eth0
	192.1680.0.0   0.0.0.0    255.255.255.0  U      0    0       0     ipsec0
	 
	This tells me that you have a kernel with FreeSWAN KLIPS compiled and loaded. FreeSWAN KLIPS does not support IPv6. To have IPsec for IPv6 running, use either a 2.4.x (x>24) kernel with the ipsec backport or a recent 2.6.x kernel. Don't compile those kernels with KLIPS support as it is not possible to have both KLIPS and kernel ipsec!!!!
	 
	All information that I have given in my previous mails assumed that kernel 2.6.x and Openswan 2.1.x are used. The patches Mikael provided also assumed that kernel ipsec is used and *not* KLIPS.
	 
	Hope this helps,
	 
	    Gerhard

	--------------------------------------------
	Gerhard Gessler
	
	Communication Networks, IABG mbH
	Einsteinstr. 20
	85521 Ottobrunn, Germany
	
	Telefon: +49 89 6088 - 2021
	Fax: +49 89 6088 - 2845
	
	E-Mail: gessler at iabg.de 

		-----Original Message-----
		From: zze-DURBEC Mathieu FTRD/DTL/ISS
[mailto:mathieu.durbec at rd.francetelecom.com] 
		Sent: Friday, May 14, 2004 11:27 AM
		To: Gessler Gerhard
		Cc: users at lists.openswan.org
		Subject: RE: [Openswan Users] Openswan+Ipv6
probem....again....
		
		
		Hi Gerhard,
		 
		First, thank you for your help, that's very nice....
		I've changed my config, but I think it doesn't matter. The problem is before...
		I've tried to set up an automatic keying connection (in ipsec.conf with the command ipsec auto --up connection), but when I put an ipv6 address, it doesn't recognize the connection....
		"021 no connection named "v6" "
		I'm not surprised...
		When I start the ipsec service, the "ipsec look" command shows :
		 
		ipsec0->eth0 mtu=16260(1500)->1500
		Destination    Gateway    Genmask        Flags  MSS  Window  irtt  Iface
		192.1680.0.0   0.0.0.0    255.255.255.0  U      0    0       0     eth0
		192.1680.0.0   0.0.0.0    255.255.255.0  U      0    0       0     ipsec0
		 
		and when I execute ifconfig, it shows me the ipsec0 virtual interface, with both the ipv4 address and the ipv6 link local one but not the ipv6 global one....
		 
		I'm trying now to set up a manual keying connection to test it...
		 
		Well it doesn't work..
		 
		What do you think ?
		 
		Matt
		 
		 

________________________________

		From: Gessler Gerhard [mailto:Gessler at iabg.de] 
		Sent: vendredi 14 mai 2004 07:39
		To: zze-DURBEC Mathieu FTRD/DTL/ISS
		Cc: users at lists.openswan.org
		Subject: RE: [Openswan Users] Openswan+Ipv6
probem....again....
		
		
		Hi Mathieu,
		 
		At first look, your global IPv6 address configuration seems to be not correct. According to your ifconfig output, the prefix length is 0. A prefix length of 64 seems to me more appropriate. Second, the prefix length for your link local address is 64. That is quite weird as I would normally assume it to be 10. Third, as Mikael already pointed out, it could well be that Pluto does not like the fact that no IPv4 address is assigned to the interface. If you only want to work with IPv6, it does not hurt to have an (e.g. private) IPv4 address assigned.
		 
		How do you (in the current example) try to set up your SA? (1) With configuration in ipsec.conf (after having applied Mikael's patches) or (2) with a manual command to Whack and Pluto. In both cases, we would need to have the used configuration to help you further.
		 
		Cheers,
		 
		    Gerhard
		 

		--------------------------------------------
		Gerhard Gessler
		
		Communication Networks, IABG mbH
		Einsteinstr. 20
		85521 Ottobrunn, Germany
		
		Telefon: +49 89 6088 - 2021
		Fax: +49 89 6088 - 2845
		
		E-Mail: gessler at iabg.de 
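A small check for the prefix-length problem described in the message above, added here as an example and not part of the thread: it scans ifconfig output (a constructed sample shaped like Matt's French-locale output is embedded) and reports global-scope inet6 addresses carrying a /0 prefix, which is the misconfiguration Gerhard points out.

```shell
#!/bin/sh
# Added example (not from the thread): flag global-scope IPv6 addresses whose
# prefix length is 0, the misconfiguration spotted in Matt's ifconfig output.

# Constructed sample modelled on Matt's French-locale ifconfig output.
SAMPLE_IFCONFIG='eth0      Lien encap:Ethernet  HWaddr 08:00:46:A8:E2:3B
          adr inet6: 2001:688:1f8b:a000::1/0 Scope:Global
          adr inet6: fe80::a00:46ff:fea8:e23b/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Reads ifconfig output on stdin and prints "iface address/prefix" for each
# global-scope inet6 address whose prefix length is 0 or otherwise outside
# 1..128. It keys on "inet6" and "Scope:Global", so it works with both the
# French ("adr inet6:") and the English ("inet6 addr:") labels.
find_bad_global_prefixes() {
    awk '
        /^[^ \t]/ { iface = $1 }               # an interface name starts a block
        /inet6/ && /Scope:Global/ {
            addr = ""
            for (i = 1; i <= NF; i++) if ($i ~ /\//) addr = $i
            n = split(addr, parts, "/")
            if (n == 2 && (parts[2] + 0 < 1 || parts[2] + 0 > 128))
                print iface, addr
        }'
}

# Usage on a live system: ifconfig | find_bad_global_prefixes
printf '%s\n' "$SAMPLE_IFCONFIG" | find_bad_global_prefixes
```

An empty result means every global address has a sane prefix; any line printed names an address that needs its prefix length fixed (e.g. to /64, as suggested above) before Pluto is asked to use that interface.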

			-----Original Message-----
			From: users-bounces at lists.openswan.org
[mailto:users-bounces at lists.openswan.org] On Behalf Of zze-DURBEC
Mathieu FTRD/DTL/ISS
			Sent: Thursday, May 13, 2004 4:41 PM
			To: users at lists.openswan.org
			Subject: [Openswan Users] Openswan+Ipv6
probem....again....
			
			

			Hi, 
			I've been trying for days to set up OpenSWAN with IPv6 support... 
			So, I'm using the 2.1.1 version patched with Mikael Magnusson's patch.. 
			It doesn't seem to work with ipv6  :,-( 
			Here's my config 

			Ifconfig : 

			eth0      Lien encap:Ethernet  HWaddr 08:00:46:A8:E2:3B
			          adr inet6: 2001:688:1f8b:a000::1/0 Scope:Global
			          adr inet6: fe80::a00:46ff:fea8:e23b/64 Scope:Lien
			          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
			          RX packets:3530 errors:0 dropped:0 overruns:0 frame:0
			          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
			          collisions:0 lg file transmission:100
			          RX bytes:211800 (206.8 Kb)  TX bytes:964 (964.0 b)
			          Interruption:11 Adresse de base:0x2000


			Route : 

			Table de routage IPv6 du noyau
			Destination                     Prochain Hop   Indic  Metric  Ref  Utilis.  Iface
			::1/128                         ::             U      0       11   1        lo
			2001:688:1f8b:a000::1/128       ::             U      0       3    0        lo
			fe80::209:5bff:fe1e:791/128     ::             U      0       0    0        lo
			fe80::a00:46ff:fea8:e23b/128    ::             U      0       0    0        lo
			fe80::/64                       ::             UA     256     0    0        eth0
			fe80::/64                       ::             UA     256     0    0        eth1
			ff00::/8                        ::             UA     256     0    0        eth0
			ff00::/8                        ::             UA     256     0    0        eth1
			::/0                            ::             UDA    256     0    0        eth0
			::/0                            ::             UDA    256     0    0        eth1

			And ipsec.conf 

			# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
			# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $

			# This file:  /usr/local/share/doc/freeswan/ipsec.conf-sample
			#
			# Manual:     ipsec.conf.5
			#

			version 2.0     # conforms to second version of ipsec.conf specification

			# basic configuration
			config setup
			        forwardcontrol=yes
			        interfaces="ipsec0=eth0"
			        uniqueids=yes
			        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
			        klipsdebug=all
			        plutodebug=all
			        syslog=syslog.debug


			Does someone manage to make it work ??? 

			Thanks 

			Matt 
