[Openswan Users] Securing dual-stack IPv4-IPv6?

Patrick Naubert patrickn at xelerance.com
Mon May 27 00:38:34 UTC 2013


Rescued from the spam bucket.  Please remember to subscribe to the mailing list before posting to it.


From: Kevin Keane - The NetTech <kkeane at 4nettech.com>
Subject: Securing dual-stack IPv4-IPv6?
Date: 26 May, 2013 7:57:39 PM EDT
To: users at lists.openswan.org <users at lists.openswan.org>


Hi,
 
I'm trying to figure out how to use IPsec with dual-stack IPv4/IPv6 connections. For some reason, on my system, only either IPv4 or IPv6, but not both, will have IPsec enabled.
 
This is on CentOS 6.4, openswan-2.6.32-20.el6_4.x86_64.
 
I'm using transport mode.
 
One clue I have is that the remote side says that it can't install the eroute for IPv6 because it is already in use for IPv4:
 
May 26 16:15:19 remote pluto[15412]: "myfqdn-6": cannot install eroute -- it is in use for "myfqdn-4" #0
 
(I think it is random chance whether the error occurs for the IPv6 or IPv4 connection).
 
 
I am using the following ipsec.conf:
 
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24
        oe=off

conn %default
        type=transport
        authby=rsasig
        rightrsasigkey=%cert
        rightid=%fromcert

        left=myfqdn
        leftid=%fromcert
        leftcert=myfqdn

        pfs=yes
        aggrmode=no
        ike=3des-sha1-modp1536
        phase2=esp
        phase2alg=3des-sha1
        auto=start
 
conn otherfqdn-4
  connaddrfamily=ipv4
  right=otherfqdn
  rightcert=otherfqdn

conn otherfqdn-6
  connaddrfamily=ipv6
  right=otherfqdn
  rightcert=otherfqdn
 


