[Openswan Users] Securing dual-stack connections?

Leto letoams at gmail.com
Sat Jul 13 01:00:48 UTC 2013


You will need to use different leftid/rightid for the two connections. Since you use certs, you might need to generate two certs for each side.
The bug is that the uniqueids code does not treat v4 and v6 differently.

Alternatively, you can try setting uniqueids=no.


sent from a tiny device 

On 2013-07-12, at 19:53, subscription at kkeane.com wrote:

> I had asked this question a few weeks ago but didn’t get an answer, so let me try again.
>  
> How do you go about using OpenSwan to secure both the IPv4 and the IPv6 connections between the same two peers, using RSA certificates? I’m trying to use transport mode.
>  
> When I tried it, one of the two connections gets set up correctly, but the second fails with an error indicating that the eroute already exists (even though I’m using NetKey on CentOS 6, which isn’t supposed to use eroutes). I’m using the standard CentOS 6 Openswan RPM (version 2.6.30-20)
>  
> Here is my ipsec.conf (with redacted names):
>  
> version 2.0
> config setup
>         protostack=netkey
>         nat_traversal=yes
>         oe=off
>         myid=system1.mydomain.local
>  
> conn %default
>         type=transport
>         authby=rsasig
>         rightrsasigkey=%cert
>         rightid=%fromcert
>         left=system1.mydomain.local
>         leftid=%fromcert
>         pfs=yes
>         aggrmode=no
>         ike=3des-sha1-modp1536
>         phase2=esp
>         phase2alg=3des-sha1
>         auto=start
>  
>  
> conn system2.mydomain.local
>   connaddrfamily=ipv6
>   right=web.nctc.local
>   rightcert=system2.mydomain.local
>  
> conn system2.mydomain.local
>   connaddrfamily=ipv4
>   right=web.nctc.local
>   rightcert=system2.mydomain.local
>  
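
A pre-deployment check for the condition described in the reply above, as an added example that is not part of the thread or of Openswan: it reads an ipsec.conf and reports pairs of conns that differ in connaddrfamily but present the same leftid/rightid while uniqueids is not set to no. The conn names peer-v4/peer-v6, the sample file and the function names are constructed for illustration; `also=` and `include` are not resolved, and with %fromcert the certificate name stands in for the ID it would yield.

```python
import re
from itertools import combinations

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_CONF = """\
config setup
    protostack=netkey
conn %default
    leftid=%fromcert
    rightid=%fromcert
conn peer-v6
    connaddrfamily=ipv6
    rightcert=system2.mydomain.local
conn peer-v4
    connaddrfamily=ipv4
    rightcert=system2.mydomain.local
"""

def parse(text):
    """Return (config setup options, [(conn name, options)]) with %default merged in."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        header = re.fullmatch(r"(config|conn)\s+(\S+)", line)
        if header:
            sections.append((header.group(1), header.group(2), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][2][key.strip()] = value.strip().strip('"')
    setup = next((o for k, n, o in sections if k == "config"), {})
    default = next((o for k, n, o in sections if (k, n) == ("conn", "%default")), {})
    conns = [(n, {**default, **o}) for k, n, o in sections if k == "conn" and n != "%default"]
    return setup, conns

def identity(opts, side):
    """ID a side presents; with %fromcert the certificate decides, so include it."""
    ident = opts.get(side + "id", "")
    return (ident, opts.get(side + "cert", "")) if ident == "%fromcert" else (ident,)

def dual_stack_id_clashes(text):
    """Pairs of conns in different address families that share both IDs."""
    setup, conns = parse(text)
    if setup.get("uniqueids", "yes") == "no":        # yes is the documented default
        return []
    fam = lambda o: o.get("connaddrfamily", "ipv4")  # ipv4 is the documented default
    return [(a, b) for (a, oa), (b, ob) in combinations(conns, 2)
            if fam(oa) != fam(ob)
            and all(identity(oa, s) == identity(ob, s) for s in ("left", "right"))]
```

Conns are kept as a list rather than a dictionary so that two sections with the same name, as in the quoted configuration, are still compared against each other.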