[Openswan Users] Securing dual-stack IPv4-IPv6?

Kevin Keane Subscription subscription at kkeane.com
Mon May 27 00:15:39 UTC 2013


Hi,

 
I'm trying to figure out how to use IPsec with dual-stack IPv4/IPv6 connections. For some reason, on my system, only either IPv4 or IPv6, but not both, will have IPsec enabled.

 
This is on CentOS 6.4, openswan-2.6.32-20.el6_4.x86_64.

 
I'm using transport mode.

 
One clue I have is that the remote side says that it can't install the eroute for IPv6 because it is already in use for IPv4:

 
May 26 16:15:19 remote pluto[15412]: "myfqdn-6": cannot install eroute -- it is in use for "myfqdn-4" #0
 
(I think it is random chance whether the error occurs for the IPv6 or IPv4 connection).

 
 
I am using the following ipsec.conf:

 
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24
        oe=off

conn %default
        type=transport
        authby=rsasig
        rightrsasigkey=%cert
        rightid=%fromcert

        left=myfqdn
        leftid=%fromcert
        leftcert=myfqdn

        pfs=yes
        aggrmode=no
        ike=3des-sha1-modp1536
        phase2=esp
        phase2alg=3des-sha1
        auto=start
 
conn otherfqdn-4
  connaddrfamily=ipv4
  right=otherfqdn
  rightcert=otherfqdn

conn otherfqdn-6
  connaddrfamily=ipv6
  right=otherfqdn
  rightcert=otherfqdn
 