Andreas Scherrer
2018-05-14 22:33:21 UTC
Dear libreswan wizards
I am trying to set up my first IPSec tunnel using libreswan (v3.23) on
one end and racoon on the other end.
The machines have IPv6 connectivity, so I want to (have to) use IPv6 for
the "outer" IPs.
Inside the tunnel I want to route IPv4 though.
To me it currently seems that the documentation does not match what I
see with regards to "connaddrfamily".
[1] states
"set connaddrfamily= to the family of the *subnet= options, and if those
are not defined, to the family of the left=/right= options"
So for me this would mean 'ipv4', because the 'leftsubnet' and
'rightsubnet' are IPv4.
But if I do that, I see the following error when pluto starts up:
-----
failed to convert '<left ipv6>' at load time: IPv4 address may not
contain `:'
and later
We cannot identify ourselves with either end of this connection.
0.0.0.0 or 0.0.0.0 are not usable
-----
So I tried with 'connaddrfamily=ipv6'.
With that, the tunnel comes up and I can reach (ping) through the tunnel
in both directions.
I have to explicitly set the source IP (192.168.112.1) when pinging from
"the libreswan end" though, while my understanding of the documentation
is that 'leftip=192.168.112.1' should take care of that? I assume this
is not working because it expects an IPv6 address there...
In addition, I see the following error in the libreswan/pluto log:
-----
ERROR: netlink XFRM_MSG_UPDPOLICY response for flow eroute_connection
add included errno 22: Invalid argument
-----
I am wondering now if my configuration is actually doing what it is
supposed to do. Is 'connaddrfamily=ipv6' the correct thing to do even if
the documentation states the opposite?
Thanks for any hints, corrections or reassurances.
andreas
Here is my libreswan config:
-----
# /etc/ipsec.d/home.conf - Libreswan IPsec configuration file
config setup
    plutodebug=all
    protostack=netkey
    interfaces=%none

conn mytunnel
    auto=start
    connaddrfamily=ipv6
    left=<left ipv6>
    right=<right ipv6>
    also=shared
    also=mysubnet

conn shared
    authby=secret
    ike=aes-sha2_256;dh5
    phase2alg=aes-sha2_256

conn mysubnet
    leftsubnet=192.168.112.0/24
    leftsourceip=192.168.112.1
    rightsubnet=192.168.0.0/18
    rightsourceip=192.168.1.1
-----
[1] https://libreswan.org/man/ipsec.conf.5.html
--
Imagine it works and nobody can pull it off.
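The mismatch the post runs into (IPv6 outer addresses, IPv4 inner subnets, and a connaddrfamily= that pluto uses when it parses left=/right=) can be spotted before pluto is started. The following checker is an added example, not libreswan code or the poster's; it parses the conn sections of an ipsec.conf fragment, expands also=, and reports the address family of the outer and inner addresses against the declared connaddrfamily. The sample config is constructed from the post, with the "<left ipv6>"/"<right ipv6>" placeholders replaced by RFC 3849 documentation addresses, and it assumes also= lets a conn's own parameters take precedence over included ones.

```python
import ipaddress
# Constructed sample modelled on the poster's config; "<left ipv6>"/"<right ipv6>" become RFC 3849 addresses.
SAMPLE_CONF = """\
conn mytunnel
    connaddrfamily=ipv6
    left=2001:db8::1
    right=2001:db8::2
    also=mysubnet
conn mysubnet
    leftsubnet=192.168.112.0/24
    rightsubnet=192.168.0.0/18
"""

def parse_conns(text):
    """Return {name: {key: value}} for every conn section, with also= expanded."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():  # unindented line is a section header, e.g. "conn mytunnel"
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {"also": []}) if kind == "conn" else None
        elif current is not None:  # indented line is a parameter of the current conn
            key, _, value = line.strip().partition("=")
            if key == "also":
                current["also"].append(value)
            else:
                current[key] = value
    def expand(name, seen=()):  # a conn's own keys win over also= sections (assumed precedence)
        merged = {}
        for inc in conns[name]["also"]:
            if inc in conns and inc not in seen:  # skip unknown sections and also= cycles
                merged.update(expand(inc, seen + (name,)))
        merged.update((k, v) for k, v in conns[name].items() if k != "also")
        return merged
    return {name: expand(name) for name in conns}

def family(addr):
    """'ipv4' or 'ipv6' for a bare address or a CIDR prefix."""
    return "ipv%d" % ipaddress.ip_network(addr, strict=False).version

def check_conn(conn):
    """Families of outer (left=/right=) vs inner (*subnet=) addresses, and whether connaddrfamily matches the outer one."""
    outer = {family(conn[k]) for k in ("left", "right") if k in conn}
    inner = {family(conn[k]) for k in ("leftsubnet", "rightsubnet") if k in conn}
    declared = conn.get("connaddrfamily")
    return {"outer": sorted(outer), "inner": sorted(inner), "declared": declared,
            "mixed": bool(outer and inner and outer != inner),
            "declared_matches_outer": declared is None or declared in outer}
```

Run against the sample, `check_conn(parse_conns(SAMPLE_CONF)["mytunnel"])` reports a mixed-family conn whose declared family matches the outer addresses, which is the combination the post found to bring the tunnel up; declaring ipv4 instead is flagged as the mismatch behind the "IPv4 address may not contain ':'" load error.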