[Openswan Users] Securing dual-stack connections?
subscription at kkeane.com
Fri Jul 12 23:53:51 UTC 2013
I had asked this question a few weeks ago but didn’t get an answer, so let me try again.
How do you go about using OpenSwan to secure both the IPv4 and the IPv6 connections between the same two peers, using RSA certificates? I’m trying to use transport mode.
When I tried it, one of the two connections gets set up correctly, but the second fails with an error indicating that the eroute already exists (even though I’m using NetKey on CentOS 6, which isn’t supposed to use eroutes). I’m using the standard CentOS 6 Openswan RPM (version 2.6.30-20).
Here is my ipsec.conf (with redacted names):
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes
    oe=off
    myid=system1.mydomain.local

conn %default
    type=transport
    authby=rsasig
    rightrsasigkey=%cert
    rightid=%fromcert
    left=system1.mydomain.local
    leftid=%fromcert
    pfs=yes
    aggrmode=no
    ike=3des-sha1-modp1536
    phase2=esp
    phase2alg=3des-sha1
    auto=start

conn system2.mydomain.local
    connaddrfamily=ipv6
    right=web.nctc.local
    rightcert=system2.mydomain.local

conn system2.mydomain.local
    connaddrfamily=ipv4
    right=web.nctc.local
    rightcert=system2.mydomain.local