[Openswan Users] IPV6 ipsec connection question.

Gary Smith gary.smith at holdstead.com
Mon Feb 14 16:29:18 EST 2011

> conn foo
> connaddrfamily=ipv6
> left=2001:470:xx:xx::xx
> leftsubnet=2001:470:xx:xx::/64
> right=2001:470:yy:yy::yy
> rightsubnet=2001:470:yy:yyy::/64
> leftrsasigkey=[key material here]
> rightrsasigkey=[key material here]
> auto=start
> If you omit either or both subnets, only traffic destined to the
> specified host (or hosts in the case in which both subnets are omitted)
> is subject to the IPSec tunnel.
> Obviously, a subnet of any size (e.g., /48) can be specified; I'm using
> /64 in the above example.
> > Also, if the firewall/primary router isn't the VPN
> > concentrator (i.e. the VPN sits inside the DMZ), how do you route in
> > that case?
> The hosts which require the IPSec tunnel have to route the traffic to
> the machine which is providing the tunnel. You could for example turn
> off router advertisements on the primary router, configure radvd on the
> machine which is running Openswan, and set up a default route from that
> to the primary router. This way, hosts on the local network will all
> acquire default routes referring to the machine running Openswan, which
> we assume has a static IPv6 address and a default route pointing to the
> gateway to the outside.
> I hope this advice proves useful.


This is very useful. I just needed to know a) if it could be done and b) what it needed to look like. The routing is a bit more of a problem, but I can overcome that by setting it to route the destination IPV6 blocks through the Openswan, except for default gateway, which is through an IPV6 Tunnel. It should work though.
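The quoted conn block and the rule that an omitted subnet narrows the tunnel to host traffic can be checked mechanically before a config is deployed. The following is an added example, not code from this thread or from the Openswan project: it parses a minimal ipsec.conf-style conn section, reports prefix and address-family mistakes, and derives which address ranges the tunnel actually protects. The conn block and its addresses are constructed documentation-range placeholders, and the key values are stand-ins.

```python
import ipaddress
import re

# Constructed sample conn block (documentation-range addresses, placeholder keys).
SAMPLE_CONN = """
conn foo
    connaddrfamily=ipv6
    left=2001:db8:1::1
    leftsubnet=2001:db8:1::/64
    right=2001:db8:2::1
    rightsubnet=2001:db8:2::/64
    leftrsasigkey=0sAQ_placeholder_left
    rightrsasigkey=0sAQ_placeholder_right
    auto=start
"""


def parse_conn(text):
    """Parse 'conn NAME' sections into {name: {key: value}}; '#' starts a comment."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^conn\s+(\S+)$', line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is not None and '=' in line:
            key, value = line.split('=', 1)
            conns[current][key.strip()] = value.strip()
    return conns


def check_conn(params):
    """Return a list of problems found in one conn's parameters (empty if clean)."""
    problems = []
    family = params.get('connaddrfamily', 'ipv4')
    nets = {}
    for side in ('left', 'right'):
        addr_s = params.get(side)
        if addr_s is None:
            problems.append(f'{side} is not set')
            continue
        try:
            addr = ipaddress.ip_address(addr_s)
        except ValueError:
            problems.append(f'{side}={addr_s!r} is not a valid IP address')
            continue
        if family == 'ipv6' and addr.version != 6:
            problems.append(f'{side}={addr_s} is not IPv6 but connaddrfamily=ipv6')
        if f'{side}rsasigkey' not in params:
            problems.append(f'{side}rsasigkey is missing')
        sub_s = params.get(f'{side}subnet')
        if sub_s is None:
            continue  # allowed: tunnel then covers only this host's traffic
        try:
            # strict=True rejects prefixes with host bits set (e.g. ::1/64)
            net = ipaddress.ip_network(sub_s, strict=True)
        except ValueError:
            problems.append(f'{side}subnet={sub_s!r} is not a valid prefix (host bits set?)')
            continue
        if net.version != addr.version:
            problems.append(f'{side}subnet={sub_s} address family differs from {side}={addr_s}')
        nets[side] = net
    if 'left' in nets and 'right' in nets and nets['left'].overlaps(nets['right']):
        problems.append('leftsubnet and rightsubnet overlap; selectors would be ambiguous')
    return problems


def protected_scope(params):
    """Return (left_range, right_range) the tunnel protects, as prefix strings.

    A side without a subnet collapses to its host address (/128 for IPv6),
    matching the behaviour described in the thread for omitted subnets.
    """
    scope = []
    for side in ('left', 'right'):
        sub_s = params.get(f'{side}subnet')
        if sub_s is not None:
            scope.append(str(ipaddress.ip_network(sub_s, strict=True)))
        else:
            scope.append(str(ipaddress.ip_network(params[side])))
    return tuple(scope)


if __name__ == '__main__':
    conns = parse_conn(SAMPLE_CONN)
    for name, params in conns.items():
        print(name, check_conn(params) or 'ok', protected_scope(params))
```

Run it against a real ipsec.conf by reading the file into `parse_conn`; an empty problem list plus the expected pair of prefixes from `protected_scope` confirms the selectors match what you intended to tunnel.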

