[Openswan Users] Openswan+Ipv6 probem....again....
Gessler Gerhard
Gessler at iabg.de
Tue May 18 18:44:37 CEST 2004
Dear Mathieu,
would strongly suggest to make your setup working in small steps:
1. Get a recent 2.6 kernel to compile and run with its native IPsec for
IPv6 support on two systems
2. Make youself familiar with manual keying and get that to work between
the two 2.6 systems
3. Install preferable OpenSWAN 2.x by only compiling / installing the
programs, don't use KLIPS
4. Manually load a IPv6 connection with PSK authentication into Pluto
using whack, e.g.
ipsec setup --start
ipsec whack --name satipv6 --ipv6 --tunnelipv6 --host
3ffe:660:3008:1701::1 --3ffe:660:3008:1701::1/128 --to --host
3ffe:660:3008:1701::2 --client 3ffe:660:3008:1701::2/128 --psk --encrypt
--pfs --ikelifetime 600 --ipseclifetime 300 --rekeymargin 20
ipsec whack --listen
ipsec whack --initiate --name satipv6
5. Give the latest CVS version with the contribution of Mikael a try to
load a IPv6 connection with
ipsec setup --start
ipsec auto --add satipv6
ipsec auto --initiate satipv6
6. Change the used authentication from PSK to RSA keys
7. Put the RSA keys into your DNS for OE and have a look if that works.
For myself, I have never tried this, so it could well be that the code
would need some tweaking to actually retrieve and process AAAA records.
Hope this helps,
Gerhard
--------------------------------------------
Gerhard Gessler
Communication Networks, IABG mbH
Einsteinstr. 20
85521 Ottobrunn, Germany
Telefon: +49 89 6088 - 2021
Fax: +49 89 6088 - 2845
E-Mail: gessler at iabg.de
-----Original Message-----
From: zze-DURBEC Mathieu FTRD/DTL/ISS
[mailto:mathieu.durbec at rd.francetelecom.com]
Sent: Tuesday, May 18, 2004 12:42 PM
To: Gessler Gerhard
Cc: users at lists.openswan.org
Subject: RE: [Openswan Users] Openswan+Ipv6 probem....again....
Dear Gehard,
I understand that you can't use both FreeSWAN KLIPS and native
kernel IPsec...
But i can't find a solution to do what I need.
What I have to do is to setup oppotunistic encryption with ipv6
on a linux system.
That's why I try to install a new kernel which could bring me
ipv6 support.
But I've heard that you can't do opportunistic encryption with
new kernels ( > 2.6 )...
Do you know what I should use (kernel, FreesWan or OpenSWAN,
which patch ?) ??
Thank you
Matt
________________________________
From: Gessler Gerhard [mailto:Gessler at iabg.de]
Sent: vendredi 14 mai 2004 21:37
To: zze-DURBEC Mathieu FTRD/DTL/ISS
Cc: users at lists.openswan.org
Subject: RE: [Openswan Users] Openswan+Ipv6 probem....again....
Dear Mathieu,
After having taken a look at the output of "ipsec look", I am
not clear if I understand what you want to do:
ipsec0->eth0 mtu=16260(1500)->1500
Destination Gateway Genmask Flags MSS Window
irtt Iface
192.1680.0.0 0.0.0.0 255.255.255.0 U 0 0
0 eth0
192.1680.0.0 0.0.0.0 255.255.255.0 U 0 0
0 ipsec0
This tells me that you have a kernel with FreeSWAN KLIPS
compiled and loaded. FreeSWAN KLIPS does not support IPv6. For having
running IPsec for IPv6 use either a 2.4.x (x>24) with ipsec backport or
a recent 2.6.x kernel. Don't compile those kernels with KLIPS support as
it is not possible to have both KLIPS and kernel ipsec!!!!
All information that I have given in my previous mails assumed
that kernel 2.6.x and Openswan 2.1.x is used. The patches Mikael
provided assumed also that kernel ipsec is used and *not* KLIPS.
Hope this helps,
Gerhard
--------------------------------------------
Gerhard Gessler
Communication Networks, IABG mbH
Einsteinstr. 20
85521 Ottobrunn, Germany
Telefon: +49 89 6088 - 2021
Fax: +49 89 6088 - 2845
E-Mail: gessler at iabg.de
-----Original Message-----
From: zze-DURBEC Mathieu FTRD/DTL/ISS
[mailto:mathieu.durbec at rd.francetelecom.com]
Sent: Friday, May 14, 2004 11:27 AM
To: Gessler Gerhard
Cc: users at lists.openswan.org
Subject: RE: [Openswan Users] Openswan+Ipv6
probem....again....
Hi Gerhard,
First, thank you for help, that's very nice....
I've changed my config, but I think it doesn't matter.
The problem is before...
I've tried to set up an automatic keying connection (in
ipsec.conf with command ipsec auto --up connection) , but when I put
ipv6 adress, it doesn't recognize the connection....
"021 no connection named "v6" "
I'm not surprised...
When I start the ipsec service, the "ipsec look" command
shows :
ipsec0->eth0 mtu=16260(1500)->1500
Destination Gateway Genmask Flags MSS
Window irtt Iface
192.1680.0.0 0.0.0.0 255.255.255.0 U 0
0 0 eth0
192.1680.0.0 0.0.0.0 255.255.255.0 U 0
0 0 ipsec0
and when I execute ifconfig, it shows me the ipsec0
virtual interface, with both ipv4 adress and ipv6 local link but no the
ipv6 global one....
I'm trying now to set up a manual keying connection to
test it...
Well it doesn't work..
What do you think ?
Matt
________________________________
From: Gessler Gerhard [mailto:Gessler at iabg.de]
Sent: vendredi 14 mai 2004 07:39
To: zze-DURBEC Mathieu FTRD/DTL/ISS
Cc: users at lists.openswan.org
Subject: RE: [Openswan Users] Openswan+Ipv6
probem....again....
Hi Mathieu,
at first look, your global IPv6 address configuration
seems to be not correct. According to your ifconfig output, the prefix
length is 0. A prefix length of 64 seems to me more appropriate. Second,
the prefix length for your link local address is 64. That is quite wired
as I would normaly assume to be it 10. Third, as Mikael already pointed
out, it could well be that Pluto does not like the fact that no IPv4
address is assigned to the interface. If you only want to work with
IPv6, it does not hurt to have an (e.g. private) IPv4 address assigned.
How do yo (in the current example) try to setup your SA?
(1) With configuration in ipsec.conf (after having applied Mikaels
patches) or (2) with a manual command to Whack and Pluto. In both cases,
we would need to have the used configuration to help you further.
Cheers,
Gerhard
--------------------------------------------
Gerhard Gessler
Communication Networks, IABG mbH
Einsteinstr. 20
85521 Ottobrunn, Germany
Telefon: +49 89 6088 - 2021
Fax: +49 89 6088 - 2845
E-Mail: gessler at iabg.de
-----Original Message-----
From: users-bounces at lists.openswan.org
[mailto:users-bounces at lists.openswan.org] On Behalf Of zze-DURBEC
Mathieu FTRD/DTL/ISS
Sent: Thursday, May 13, 2004 4:41 PM
To: users at lists.openswan.org
Subject: [Openswan Users] Openswan+Ipv6
probem....again....
Hi,
I've been trying for days to set up OpenSWAN
with IPv6 support...
So, I'am using the 2.1.1 version patched with
Mikael Magnusson'patch..
It doesn't seem to work with ipv6 :,-(
Here's my config
Ifconfig :
eth0 Lien encap:Ethernet HWaddr
08:00:46:A8:E2:3B
adr inet6: 2001:688:1f8b:a000::1/0
Scope:Global
adr inet6: fe80::a00:46ff:fea8:e23b/64
Scope:Lien
UP BROADCAST RUNNING MULTICAST
MTU:1500 Metric:1
RX packets:3530 errors:0 dropped:0
overruns:0 frame:0
TX packets:14 errors:0 dropped:0
overruns:0 carrier:0
collisions:0 lg file transmission:100
RX bytes:211800 (206.8 Kb) TX
bytes:964 (964.0 b)
Interruption:11 Adresse de base:0x2000
Route :
Table de routage IPv6 du noyau
Destination
Prochain Hop Indic Metric Ref Utilis.
Iface
::1/128 ::
U 0 11 1 lo
2001:688:1f8b:a000::1/128 ::
U 0 3 0 lo
fe80::209:5bff:fe1e:791/128 ::
U 0 0 0 lo
fe80::a00:46ff:fea8:e23b/128 ::
U 0 0 0 lo
fe80::/64 ::
UA 256 0 0 eth0
fe80::/64 ::
UA 256 0 0 eth1
ff00::/8 ::
UA 256 0 0 eth0
ff00::/8 ::
UA 256 0 0 eth1
::/0 ::
UDA 256 0 0 eth0
::/0 ::
UDA 256 0 0 eth1
And ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec
configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13
23:28:41 sam Exp $
# This file:
/usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
version 2.0 # conforms to second version of
ipsec.conf specification
# basic configuration
config setup
forwardcontrol=yes
interfaces="ipsec0=eth0"
uniqueids=yes
# Debug-logging controls: "none" for
(almost) none, "all" for lots.
klipsdebug=all
plutodebug=all
syslog=syslog.debug
Does someone manage to make it work ???
Thanks
Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20040518/aed3a437/attachment-0001.htm
More information about the Users
mailing list