[Openswan Users] IPv6 status

Jason White jason at jasonjgw.net
Sun Mar 7 20:35:50 EST 2010


I am running Debian GNU/Linux, kernel 2.6.32 and Openswan 2.6.23.

I have set up a basic host-to-host connection over IPv6 to a KVM guest (a
virtual machine) running on the same physical hardware.

The connection is established and, as far as I can tell, it all works, except
for this warning in the kernel logs:
Mar  8 11:12:14 jdc kernel: [12920.345671] alg: No test for
authenc(hmac(sha1),cbc(aes)) (authenc(hmac(sha1-generic),cbc(aes-asm)))

When one host pings the other, tcpdump shows, for each packet, both the ESP
details, e.g., ESP(spi=0x9290e772,seq=0x240) and, separately, the ICMP
information, e.g., ICMP6 echo.

Based on my rather limited knowledge, I assume this means the encryption is
indeed taking place.

Before I move to more complicated scenarios, how good is the support for IPv6
in Openswan?

I've searched the Web (including the list archives), but I didn't find any
recent discussion. For example, there's a thread dating from 2004 indicating
that opportunistic encryption didn't work over IPv6.

An example of desired usage would be to encrypt all traffic destined to an
IPv6 subnet, where the gateway belongs to the same subnet, e.g., the subnet is
a /64 and the gateway is xxxx:xxx:xxxx::1.
