[Openswan Users] Securing dual-stack IPv4-IPv6?
Patrick Naubert
patrickn at xelerance.com
Mon May 27 00:38:34 UTC 2013
Rescued from the spam bucket. Please remember to subscribe to the mailing list before posting to it.
From: Kevin Keane - The NetTech <kkeane at 4nettech.com>
Subject: Securing dual-stack IPv4-IPv6?
Date: 26 May, 2013 7:57:39 PM EDT
To: users at lists.openswan.org <users at lists.openswan.org>
Hi,
I'm trying to figure out how to use IPsec with dual-stack IPv4/IPv6 connections. For some reason, on my system, only either IPv4 or IPv6, but not both, will have IPsec enabled.
This is on Centos 6.4, openswan-2.6.32-20.el6_4.x86_64
I'm using transport mode,
One clue I have is that the remote side says that it can't install the eroute for IPv6 because it is already in use for IPv4:
May 26 16:15:19 remote pluto[15412]: "myfqdn-6": cannot install eroute -- it is in use for "myfqdn-4" #0
(I think it is random chance whether the error occurs for the IPv6 or IPv4 connection).
I am using the following ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24
oe=off
conn %default
type=transport
authby=rsasig
rightrsasigkey=%cert
rightid=%fromcert
left=myfqdn
leftid=%fromcert
leftcert=myfqdn
pfs=yes
aggrmode=no
ike=3des-sha1-modp1536
phase2=esp
phase2alg=3des-sha1
auto=start
conn otherfqdn-4
connaddrfamily=ipv4
right=otherfqdn
rightcert=otherfqdn
conn otherfqdn-6
connaddrfamily=ipv6
right=otherfqdn
rightcert=otherfqdn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130526/432e8b4c/attachment.html>
More information about the Users
mailing list