[Openswan Users] Openswan + IPv6 [PATCH]
zze-DURBEC Mathieu FTRD/DTL/ISS
mathieu.durbec at rd.francetelecom.com
Thu May 27 11:41:12 CEST 2004
Hello,

I'm trying to do the same thing as you (i.e. openswan + ipv6 + automatic
tunnel), but I get stuck setting up the automatic tunnel.
My system is a Linux Red Hat 9.0, with a 2.6.6 kernel and patched with
your file.
I've tried manual keying with the whack command, and everything works
fine.
But when I try to do it the automatic way, the ipsec.conf parser doesn't
understand the IPv6 address:
" whack error : "myconnection" non-ipv6 adress may not contain `:'
"2001:688:1f8b:1001::1" "
Maybe I'm missing an option in ipsec.conf...
Any idea?

Matt
-----Original Message-----
From: users-bounces at lists.openswan.org
[mailto:users-bounces at lists.openswan.org] On Behalf Of Mikael Magnusson
Sent: Wednesday, May 12, 2004 23:45
To: users at lists.openswan.org
Subject: Re: [Openswan Users] Openswan + IPv6 [PATCH]
Hi,
On Wed, May 12, 2004 at 01:10:55PM +0200, Ken Bantoft wrote:
>
>
> On Wed, 12 May 2004, Gessler Gerhard wrote:
>
> >
> > Hi all,
> >
> > let me first state that I have not done tests with IPsec for IPv6
> > using the ipsec backport for 2.4.x kernels. But I think that (as the
> > basic code should be quite the same), if OpenSWAN can negotiate and
> > install IPv6 SAs on 2.6.x kernels, it should also work on 2.4.x
> > kernels. Or am I missing some big difference in the PF_KEY interface?
>
> If 2.6 kernel works, then the backport should work too - it's the same
> code, just with structs / some function calls adjusted.
>
> > Nevertheless, even if the necessary code in _confread is not there
> > to support the definition of IPv6 conns in ipsec.conf, the code and
> > logic is already in Pluto and Whack (since FreeSWAN 1.6).
> > I am able to define, load, negotiate and install e.g. host-to-host
> > IPv6 SA (client net is /128) with ESP authentication using OpenSWAN
> > 2.1.2rc5.
> > IKE authentication is done via PSK, the connection is loaded
> > manually into Pluto using Whack.
>
> Wow... this is good news. I would like to get full IPv6 support
> working in the rest of Openswan, if you can give me some direction (I
> don't have IPv6 testbed anyways to play) we'd happily accept
> patches/pointers on where stuff needs to be changed.
>
>
> > The _updown script needed some changes as it does not support the
> > necessary -v6 verbs that Pluto hands over to it, but after defining
> > them (doing just nothing), the Quick Mode SA gets installed
> > successfully.
>
> Can you send me your hacked up _updown so I can look at merging
> the stubs in for now? In 2.6, _updown doesn't do much at all anyways.
>
> > Currently I seem to have a problem with doing the same with a
> > connection that does AH authentication and ESP encryption. The
> > negotiation is successful, but the resulting packets from the
> > kernel are just crap.
>
> Not sure where the issue is here, but doesn't sound like it's under
> Openswan control.
>
As a matter of coincidence, I was playing with Openswan and IPv6 today
and succeeded in setting up an automatic IPSEC tunnel. Both hosts were
running Debian unstable. One with kernel 2.4.24 with the backported
IPSEC/IPv6 in a User-Mode-Linux process. The other one a regular system
with kernel 2.6.5. I have tested both host-to-host and host-to-net
tunnels, and both work.

I first tried to use Freeswan from Debian unstable, but it had problems
with negotiating auth algorithms on 2.4.24 UML.

Almost all of the work was already done. I only had to define a new
connection parameter that specifies the address family, and stubs for
the IPv6 operations in _updown. I haven't added any implementation of
the IPv6 operations since it doesn't seem to be necessary.

Maybe the IPv6 modules esp6 and ah6 should be modprobed in _startklips.
It apparently isn't needed in 2.6, but in 2.4 the kernel fails to
autoload the module.

I have attached my patch to the email.
Regards,
Mikael Magnusson