[Openswan Users] ipv6 question
Paul Wouters
paul at xelerance.com
Thu Oct 12 00:39:18 EDT 2006
On Thu, 12 Oct 2006, James Harper wrote:

> I have successfully set up a transport link between two linux (Debian
> Etch) servers using ipv6, and it seems to work okay.

Using racoon? or by using openswan's ipsec whack directly?

> What I'd like to do now is to block all non ipsec ipv6 traffic from my
> internal network, anyone who wants to send packets there has to use
> ipsec. Also I would only allow certain certificates in. I'm not that
> fussed about encryption either, only the authentication side of things.

I am not too familiar yet with ipv6, but I guess you would have to allow
the IKE traffic through despite not being IPsec, to set up the IPsec.

> I thought I could use the policy files to do it but they seem not to
> allow ipv6 addresses, I just get an error about an unsupported address
> family (not sure if that's the exact error).

Openswan 2.4.x does not fully support ipv6 when using the netkey stack,
though it is mostly a matter of problems reading and parsing the
configuration file. I believe it is possible to use 'ipsec whack'
directly to set up ipv6 connections. I am not sure if 2.5/3.0 (aka
git #public), which has the new addcon parser code, does this better
at this point.

> Is this something that openswan supports now or is ipv6 support not
> quite there yet?

It is not quite there yet.

Paul