[Openswan Users] Openswan + IPv6 [PATCH]

zze-DURBEC Mathieu FTRD/DTL/ISS mathieu.durbec at rd.francetelecom.com
Thu May 27 11:41:12 CEST 2004


 
Hello,

I'm trying to do the same thing as you (i.e. openswan+ipv6+automatic
tunnel), but I am stuck setting up the automatic tunnel.
My system is a Linux Red Hat 9.0, with a 2.6.6 kernel and patched with
your file.
I've tried manual keying with the whack command, and everything works
fine.
But when I try to do it the automatic way, the ipsec.conf parser doesn't
understand the IPv6 address:

" whack error : "myconnection" non-ipv6 adress may not contain `:'
"2001:688:1f8b:1001::1" "

Maybe I'm missing an option in ipsec.conf...

Any ideas?


Matt
-----Original Message-----
From: users-bounces at lists.openswan.org
[mailto:users-bounces at lists.openswan.org] On Behalf Of Mikael Magnusson
Sent: Wednesday 12 May 2004 23:45
To: users at lists.openswan.org
Subject: Re: [Openswan Users] Openswan + IPv6 [PATCH]

Hi,

On Wed, May 12, 2004 at 01:10:55PM +0200, Ken Bantoft wrote:
> 
> 
> On Wed, 12 May 2004, Gessler Gerhard wrote:
> 
> > 
> > Hi all,
> > 
> > let me first state that I have not done tests with IPsec for IPv6
> > using the ipsec backport for 2.4.x kernels. But I think that (as the
> > basic code should be quite the same), if OpenSWAN can negotiate and
> > install IPv6 SA's on 2.6.x kernels, it should also work on 2.4.x
> > kernels. Or am I missing some big difference in the PF_KEY interface.
> 
> If 2.6 kernel works, then the backport should work too - it's the same
> code, just with structs / some function calls adjusted.
> 
> > Nevertheless, even if the necessary code in _confread is not there
> > to support the definition of IPv6 conns in ipsec.conf, the code and
> > logic is already in Pluto and Whack (since FreeSWAN 1.6).
> > I am able to define, load, negotiate and install e.g. host-to-host
> > IPv6 SA (client net is /128) with ESP authentication using OpenSWAN
> > 2.1.2rc5.
> > IKE authentication is done via PSK, the connection is loaded
> > manually into Pluto using Whack.
> 
> Wow... this is good news.  I would like to get full IPv6 support
> working in the rest of Openswan, if you can give me some direction (I
> don't have IPv6 testbed anyways to play) we'd happily accept
> patches/pointers on where stuff needs to be changed.
> 
> 
> > The _updown script needed some changes as it does not support the
> > necessary -v6 verbs that Pluto hands over to it, but after defining
> > them (doing just nothing), the Quick Mode SA gets installed
> > successfully.
> 
> Can you send me your hacked up _updown so I can look at merging
> the stubs in for now?  In 2.6, _updown doesn't do much at all anyways.
> 
> > Currently I seem to have a problem with doing the same with a
> > connection that does AH authentication and ESP encryption. The
> > negotiation is successful, but the resulting packets from the
> > kernel are just crap.
> 
> Not sure where the issue is here, but doesn't sound like it's under
> Openswan control.
> 

As a matter of coincidence, I was playing with Openswan and IPv6 today
and succeeded in setting up an automatic IPSEC tunnel. Both hosts were
running Debian unstable. One with kernel 2.4.24 with the backported
IPSEC/IPv6 in a User-Mode-Linux process. The other one a regular system
with kernel 2.6.5. I have tested both host-to-host and host-to-net
tunnels, and both work.

I first tried to use Freeswan from Debian unstable, but it had problems
with negotiating auth algorithms on 2.4.24 UML. 

Almost all of the work was already done. I only had to define a new
connection parameter that specifies the address family, and stubs for
the IPv6 operations in _updown. I haven't added any implementation of
the IPv6 operations since it doesn't seem to be necessary.

Maybe the IPv6 modules esp6 and ah6 should be modprobed in _startklips.
It apparently isn't needed in 2.6, but in 2.4 the kernel fails to
autoload the module.

I have attached my patch to the email.

Regards,
Mikael Magnusson
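
Added example, not the patch attached to the mail above and not Openswan's own _updown: a minimal verb dispatcher showing why the -v6 verbs need stubs. The verb names (formed from the IPv4 verbs plus the -v6 suffix the thread mentions), the function names and the sample verb list are assumptions made for illustration; Pluto normally passes the verb in PLUTO_VERB rather than as an argument.

```shell
#!/bin/sh
# Illustration only: the verb is a function argument so the dispatchers
# can be exercised without a running Pluto.

# Dispatcher without -v6 stubs: any IPv6 verb lands in the error branch,
# so the script reports failure back to its caller.
updown_v4_only() {
    case "$1" in
        prepare-host|prepare-client) return 0 ;;
        route-host|route-client)     return 0 ;;
        unroute-host|unroute-client) return 0 ;;
        up-host|up-client)           return 0 ;;
        down-host|down-client)       return 0 ;;
        *) echo "unknown verb \`$1'" >&2; return 1 ;;
    esac
}

# Dispatcher with -v6 stubs: the IPv6 verbs are accepted and do nothing,
# everything else goes through the IPv4 handling unchanged.
updown_with_v6_stubs() {
    case "$1" in
        prepare-host-v6|prepare-client-v6|\
        route-host-v6|route-client-v6|\
        unroute-host-v6|unroute-client-v6|\
        up-host-v6|up-client-v6|\
        down-host-v6|down-client-v6)
            return 0 ;;  # stub: nothing to do for IPv6
        *) updown_v4_only "$1" ;;
    esac
}

# Constructed sample: verbs for one IPv6 host-to-host connection lifecycle.
SAMPLE_VERBS="prepare-host-v6 route-host-v6 up-host-v6 down-host-v6"

# Run every sample verb through the named dispatcher, print the failure count.
count_failures() {
    failures=0
    for verb in $SAMPLE_VERBS; do
        "$1" "$verb" 2>/dev/null || failures=$((failures + 1))
    done
    echo "$failures"
}

echo "v4-only failures:   $(count_failures updown_v4_only)"
echo "with -v6 stubs:     $(count_failures updown_with_v6_stubs)"
```

The stubbed dispatcher still rejects verbs it does not know, so a typo or an unexpected verb is reported instead of being silently accepted.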


