[Openswan Users] IPV6 ipsec connection question.

Jason White jason at jasonjgw.net
Mon Feb 14 04:37:58 EST 2011


Gary Smith <gary.smith at holdstead.com> writes:

> We have 5 IPV6 tunnels through HE's tunnel broker that we would like
> to secure. Are there any clear examples of setting up an IPV6 network
> with openswan? I can't find any examples on what the config would look
> like for this.

conn foo
connaddrfamily=ipv6
left=2001:470:xx:xx::xx
leftsubnet=2001:470:xx:xx::/64
right=2001:470:yy:yy::yy
rightsubnet=2001:470:yy:yy::/64
leftrsasigkey=[key material here]
rightrsasigkey=[key material here]
auto=start

If you omit either or both subnets, only traffic destined to the
specified host (or hosts, in the case in which both subnets are omitted)
is subject to the IPSec tunnel.

Obviously, a subnet of any size (e.g., /48) can be specified; I'm using
/64 in the above example.

> Also, if the firewall/primary router isn't the VPN
> concentrator (i.e. the VPN sits inside the DMZ), how do you route in
> that case?

The hosts which require the IPSec tunnel have to route the traffic to
the machine which is providing the tunnel. You could for example turn
off router advertisements on the primary router, configure radvd on the
machine which is running Openswan, and set up a default route from that
to the primary router. This way, hosts on the local network will all
acquire default routes referring to the machine running Openswan, which
we assume has a static IPv6 address and a default route pointing to the
gateway to the outside.

I hope this advice proves useful.
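The conn stanza above, turned into a small generator and sanity checker. This is an added example written for this archive page, not code from the post or from the Openswan project; the 2001:db8:: addresses in it are constructed documentation-prefix values standing in for the xx/yy placeholders. It encodes the two points made in the reply: a side with no subnet line protects only that gateway host (a /128 selector), and any prefix length is acceptable. It also refuses IPv4 endpoints (connaddrfamily=ipv6 needs IPv6 on both sides), refuses a subnet written with host bits set (a common typo), and refuses overlapping left/right subnets, which would make the policy ambiguous.

```python
"""Generate and sanity-check an Openswan IPv6 'conn' stanza.

Added example for the mailing-list reply above; not part of the post or
of Openswan. Addresses used in __main__ are constructed from the
2001:db8::/32 documentation prefix.
"""
import ipaddress
from typing import Optional, Tuple

# Same placeholder the post uses; real deployments paste the 0s... key here.
PLACEHOLDER_KEY = "[key material here]"


def _host(addr: str) -> ipaddress.IPv6Address:
    """Parse a gateway address and insist that it is IPv6."""
    a = ipaddress.ip_address(addr)
    if a.version != 6:
        raise ValueError(
            f"{addr} is not IPv6; connaddrfamily=ipv6 needs IPv6 endpoints")
    return a


def _subnet(prefix: str) -> ipaddress.IPv6Network:
    """Parse a subnet. strict=True rejects prefixes with host bits set
    (e.g. 2001:db8:1:1::1/64), which usually means a typo in the prefix."""
    n = ipaddress.ip_network(prefix, strict=True)
    if n.version != 6:
        raise ValueError(f"{prefix} is not an IPv6 prefix")
    return n


def selectors(left: str, right: str,
              leftsubnet: Optional[str] = None,
              rightsubnet: Optional[str] = None
              ) -> Tuple[ipaddress.IPv6Network, ipaddress.IPv6Network]:
    """Return the (left, right) traffic selectors the conn will protect.

    A side without a subnet line collapses to the gateway host itself
    (/128), which is the behaviour the reply describes for omitted
    leftsubnet/rightsubnet.
    """
    l_host, r_host = _host(left), _host(right)
    l_sel = _subnet(leftsubnet) if leftsubnet else ipaddress.ip_network(f"{l_host}/128")
    r_sel = _subnet(rightsubnet) if rightsubnet else ipaddress.ip_network(f"{r_host}/128")
    if l_sel.overlaps(r_sel):
        raise ValueError(
            f"leftsubnet {l_sel} and rightsubnet {r_sel} overlap; "
            "the tunnel policy would be ambiguous")
    return l_sel, r_sel


def build_conn(name: str, left: str, right: str,
               leftsubnet: Optional[str] = None,
               rightsubnet: Optional[str] = None,
               leftrsasigkey: str = PLACEHOLDER_KEY,
               rightrsasigkey: str = PLACEHOLDER_KEY,
               auto: str = "start") -> str:
    """Render an ipsec.conf stanza in the layout used in the reply.

    Subnet lines are emitted only when given, so the rendered policy
    matches what selectors() reports.
    """
    l_sel, r_sel = selectors(left, right, leftsubnet, rightsubnet)
    lines = [f"conn {name}", "\tconnaddrfamily=ipv6", f"\tleft={_host(left)}"]
    if leftsubnet:
        lines.append(f"\tleftsubnet={l_sel}")
    lines.append(f"\tright={_host(right)}")
    if rightsubnet:
        lines.append(f"\trightsubnet={r_sel}")
    lines += [f"\tleftrsasigkey={leftrsasigkey}",
              f"\trightrsasigkey={rightrsasigkey}",
              f"\tauto={auto}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example: two /64s behind two gateways, each gateway
    # numbered ::1 inside its own subnet.
    print(build_conn("foo", "2001:db8:1:1::1", "2001:db8:2:2::1",
                     "2001:db8:1:1::/64", "2001:db8:2:2::/64"))
    # Host-to-host only: no subnet lines, selectors shrink to /128.
    print(selectors("2001:db8:1:1::1", "2001:db8:2:2::1"))
```

Running the script prints a stanza equivalent to the one in the reply and then the pair of /128 selectors that results when both subnet lines are dropped. Feeding the checker a /48 instead of a /64 works unchanged, as the reply notes; feeding it an IPv4 address, a prefix with host bits set, or two overlapping subnets raises ValueError before anything reaches ipsec.conf.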