[Openswan Users] Openswan ipv6 tunnels

Paul Whelan wheelo_01 at hotmail.com
Tue Apr 1 06:30:25 EDT 2008



I installed the latest version of the 2.5 branch, 2.5.17, and tried again bringing up IPv6 tunnels.
I got the following error messages:

"can not load config '/etc/ipsec.conf': /etc/ipsec.conf:27: syntax error, unexpected STRING [connaddrfamily]"

When I comment out the line "connaddrfamily=ipv6" I get "non-ipv6 address may not contain `:'" in /var/log/messages


I also tried using whack to add an IPv6 tunnel, using the command

"ipsec whack --name tunipv6 --ipv6 --tunnelipv6 --host 2000:7:6:5:4:3:2:1 --to --host 6400:7:6:5:4:3:2:2 --psk --encrypt --pfs --ikelifetime 600 --ipseclifetime 300 --rekeymargin 20"

When I try to bring up the tunnel using "ipsec auto --up tunipv6" I get the same IKE messages being received on the second Openswan Gateway, but no replies. This is also the behaviour I get when using 2.4.9.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:54:15.754112 fe80::240:f4ff:fe87:5c5a > fe80::214:5eff:fe1e:141e: icmp6: neighbor sol: who has fe80::214:5eff:fe1e:141e
11:54:16.062705 fe80::214:5eff:fe1e:141e > fe80::240:f4ff:fe87:5c5a: icmp6: neighbor adv: tgt is fe80::214:5eff:fe1e:141e
11:54:15.754175 6400:7:6:5:4:3:2:2.isakmp > 2000:7:6:5:4:3:2:1.isakmp: isakmp: phase 1 I ident
11:54:15.754185 2000:7:6:5:4:3:2:1 > 6400:7:6:5:4:3:2:2: [|icmp6]
11:54:20.753158 fe80::214:5eff:fe1e:141e > fe80::240:f4ff:fe87:5c5a: icmp6: neighbor sol: who has fe80::240:f4ff:fe87:5c5a
11:54:20.753246 fe80::240:f4ff:fe87:5c5a > fe80::214:5eff:fe1e:141e: icmp6: neighbor adv: tgt is fe80::240:f4ff:fe87:5c5a
11:54:35.751270 6400:7:6:5:4:3:2:2.isakmp > 2000:7:6:5:4:3:2:1.isakmp: isakmp: phase 1 I ident
11:54:35.751281 2000:7:6:5:4:3:2:1 > 6400:7:6:5:4:3:2:2: [|icmp6]

Are there any parameters I'm missing when using whack?

Regards,
Paul Whelan




> Date: Fri, 28 Mar 2008 10:07:00 -0400
> From: paul at xelerance.com
> To: wheelo_01 at hotmail.com
> CC: users at openswan.org
> Subject: Re: [Openswan Users] Openswan ipv6 tunnels
> 
> On Fri, 28 Mar 2008, Paul Whelan wrote:
> 
> > I've been trying for some time to set up Openswan 2.4.9 (with NETKEY) with
> > IPv6 without success.
> 
> > My IPv6 routes and IPs are correct and my kernel has the appropriate options installed. I have set up an IPv6 IPsec tunnel using setkey to manually add SAs & SPs; I was able to ping across the tunnel and could see the ESP packets using tcpdump from each direction.
> >
> > My ipsec.conf file seems to be correct, as it doesn't give any errors when starting Openswan and is included below.
> >
> >
> > Does IPv6 work on 2.4.9, or is there some IPv6 patch I need that is mentioned in some forums?
> 
> I would try to use 2.5.x, as most of the startup scripting has been replaced
> by the addcon and libipsecconf code. We have not tested whether using the
> configuration files works fully with ipv6.
> 
> As a step in between, you can also use "ipsec whack" to 'configure' the
> conn for ipv6.
> 
> Paul
> -- 
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
