Re: [Openswan Users] AF_INET6 protocol family not supported
Gessler Gerhard
Gessler at iabg.de
Wed Jul 20 02:55:47 CEST 2005
Dear Felix,
you seem to use KLIPS for kernel IPsec support. KLIPS is not able to deal with IPv6; you have to use the native IPsec implementation of the Linux kernel (called NETKEY). The IKE daemon of Openswan (Pluto) is able to deal with IPv6, but some of the scripts used to manage IPsec connections do not support IPv6.
Depending on what you want to achieve, it could be most straightforward to feed your IPv6-in-IPv6 configuration directly to Pluto, without using the scripts.
Simple IPv6-in-IPv6 IPsec tunnel setup:
subnet aaaa/64 ----- IPsec GW bbbb::1 ------- IPsec GW cccc::1 ------- subnet dddd/64
The commands for such a setup could look like:
ipsec whack --name connipv6 --ipv6 --tunnelipv6 --host bbbb::1 --client aaaa::0/64 --to --host cccc::2 --client dddd::0/64 --psk --encrypt --pfs --ikelifetime 600 --ipseclifetime 300 --rekeymargin 20
ipsec whack --listen
ipsec whack --initiate --name connipv6
Hope this helps,
Gerhard
________________________________
From: users-bounces at openswan.org on behalf of Felix
Sent: Wed 20.07.2005 00:36
To: users at openswan.org
Subject: [Openswan Users] AF_INET6 protocol family not supported
I'm trying to set up a simple IPv6-in-IPv6 tunnel between two Linux boxes running kernel version 2.4.29 and Openswan 2.3.1.
Openswan finished Main Mode, but it balked in the middle of Quick Mode. Here's what I got after I ran "ipsec auto":
-------------------------------------------------
linuxbox# ipsec auto --up ipv6conn
104 "ipv6conn" #1: STATE_MAIN_I1: initiate
003 "ipv6conn" #1: received Vendor ID payload [Openswan (this version) 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "ipv6conn" #1: received Vendor ID payload [Dead Peer Detection]
106 "ipv6conn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ipv6conn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ipv6conn" #1: STATE_MAIN_I4: ISAKMP SA established
117 "ipv6conn" #2: STATE_QUICK_I1: initiate
003 ERROR: "ipv6conn" #2: pfkey write() of SADB_X_ADDFLOW message 7 for flow tun:1001 at baad:d00d::1 failed. Errno 96: Protocol family not supported
003 ERROR: "ipv6conn" #2: pfkey write() of SADB_X_ADDFLOW message 12 for flow tun:1002 at baad:d00d::100 failed. Errno 96: Protocol family not supported
032 "ipv6conn" #2: STATE_QUICK_I1: internal error
-------------------------------------------------
From pluto.log, I saw this:
-------------------------------------------------
| add inbound eroute baad:beef::/32:0 --0-> dead:beef::/32:0 => tun:1001 at baad:d00d::1 (raw_eroute)
ERROR: "ipv6conn" #2: pfkey write() of SADB_X_ADDFLOW message 7 for flow tun:1001 at baad:d00d::1 failed. Errno 96: Protocol family not supported
-------------------------------------------------
From klips debug, I got this:
-------------------------------------------------
Jul 19 12:16:23 linuxbox kernel: klips_debug:pfkey_address_process: uh, ips_said.dst doesn't do address family=10 yet, said will be invalid.
Jul 19 12:16:23 linuxbox kernel: klips_debug:pfkey_address_process: s->sa_family=10 not supported.
-------------------------------------------------
I looked up "sa_family=10" in the source code, and it turns out to be AF_INET6. Does Openswan support IPv6?
Felix
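
The diagnosis in this thread (IKE Main Mode succeeds, then the kernel stack refuses the IPv6 flow) can be read mechanically from the two log sources quoted above. The script below is an added example, not code from either poster or from Openswan; the names triage, SAMPLE and the regular expressions are hypothetical, and the sample input is built from lines quoted in the message.

```python
import re

# Linux constants (asm-generic/errno.h, linux/socket.h), hard-coded so the
# script gives the same answer on any platform.
EPFNOSUPPORT = 96
AF_NAMES = {2: "AF_INET", 10: "AF_INET6"}

# Constructed sample: lines taken from the whack and klips_debug output above.
SAMPLE = """\
004 "ipv6conn" #1: STATE_MAIN_I4: ISAKMP SA established
117 "ipv6conn" #2: STATE_QUICK_I1: initiate
003 ERROR: "ipv6conn" #2: pfkey write() of SADB_X_ADDFLOW message 7 for flow tun:1001 at baad:d00d::1 failed. Errno 96: Protocol family not supported
Jul 19 12:16:23 linuxbox kernel: klips_debug:pfkey_address_process: s->sa_family=10 not supported.
"""

PHASE1_OK = re.compile(r'"(?P<conn>[^"]+)" #\d+: STATE_MAIN_[IR]\d: ISAKMP SA established')
PFKEY_FAIL = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): pfkey write\(\) of '
                        r'(?P<msg>SADB_\w+) .*? failed\. Errno (?P<errno>\d+):')
KLIPS_FAMILY = re.compile(r'klips_debug:\w+: .*sa_family=(?P<fam>\d+) not supported')


def triage(log_text):
    """Summarise why a connection failed, from whack/pluto and kernel log lines."""
    result = {"phase1_ok": set(), "pfkey_failures": [], "klips_rejected": set()}
    for line in log_text.splitlines():
        if m := PHASE1_OK.search(line):
            result["phase1_ok"].add(m["conn"])
        if m := PFKEY_FAIL.search(line):
            result["pfkey_failures"].append((m["conn"], m["msg"], int(m["errno"])))
        if m := KLIPS_FAMILY.search(line):
            fam = int(m["fam"])
            result["klips_rejected"].add(AF_NAMES.get(fam, f"family {fam}"))
    # Verdict: pluto's PF_KEY write failed with EPFNOSUPPORT and KLIPS itself
    # logged that it refused AF_INET6, so the limit is in the kernel stack.
    stack_limit = (any(e == EPFNOSUPPORT for _, _, e in result["pfkey_failures"])
                   and "AF_INET6" in result["klips_rejected"])
    result["verdict"] = ("kernel IPsec stack (KLIPS) rejects AF_INET6"
                         if stack_limit else "no address-family rejection found")
    return result


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against combined pluto.log and kernel log text, a verdict naming KLIPS together with a non-empty phase1_ok set points at the kernel stack rather than at the IKE configuration.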