[Openswan Users] IPv6 status

Michael H. Warfield mhw at WittsEnd.com
Tue Mar 9 18:46:06 EST 2010


On Tue, 2010-03-09 at 23:37 +0000, Jason White wrote: 
> Jason White  <jason at jasonjgw.net> wrote:

> >An example of desired usage would be to encrypt all traffic destined to an
> >IPv6 subnet, where the gateway belongs to the same subnet, e.g., the subnet is
> >a /64 and the gateway is xxxx:xxx:xxxx::1

> Following up to my own post, I managed to make this work without any
> difficulties, with Openswan at both ends.

> Specifying %defaultroute in any of the parameters gave an error stating that
> the wrong address family was being used. For now, my only solution is to
> specify the left/right and leftnexthop/rightnexthop parameters explicitly as
> IPv6 addresses. This will become problematic later with my laptop, for
> instance, which has different IPv6 addresses depending on whether it's at home
> on my native IPv6 network or elsewhere, connected via an IPv6 over IPv4
> tunnel.

That could get even more confusing with Linux routers where they are not
honoring the "default route" (::/0) if IPv6 forwarding is enabled.
That's intended to block things like site locals and link local
addresses and whatnot.  Routers invariably add a route 2000::/3 for the
real default route which only routes the global unicast addresses.

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!