[Swan-dev] Libreswan 5.0 RC1 IPv6 ULA not accepted
Bill Atwood
williamatwood41 at gmail.com
Sat Jan 13 23:56:29 EET 2024
(continued from " 5.0 RC1 connection not found", with changed subject,
because this is a new error).
After renaming RITA6C to RITA6C.conf, I ran:
sudo ipsec add RITA6c
which reported that an IPsec connection had been established.
However:
ip addr show
did *not* show the new interface. Subsequently running
sudo ipsec up RITA6c
produced the following error message:
"RITA6c": we cannot identify ourselves with either end of this
connection. fd51:20d9:5ad2:b::2 or fd51:20d9:5ad2:b::1 are not usable
Since Andrew had suggested that "addconn" had a --verbose option, I went
back and tried:
dev at Ritchie:~$ sudo ipsec addconn --verbose RITA6c
opening file: /etc/ipsec.conf
debugging mode enabled
including file '/etc/ipsec.d/*.conf' ('/etc/ipsec.d/*.conf') from
/etc/ipsec.conf:80
end of file /etc/ipsec.d/RITA6C.conf
resuming /etc/ipsec.conf:80
end of file /etc/ipsec.conf
Loading conn RITA6c
loading named conns: RITA6c
resolving family=IPv6 src=fd51:20d9:5ad2:b::2 gateway=<not-set> peer
fd51:20d9:5ad2:b::1
seeking NOTHING
resolving family=IPv6 src=fd51:20d9:5ad2:b::1 gateway=<not-set> peer
fd51:20d9:5ad2:b::2
seeking NOTHING
"RITA6c": terminating SAs using this connection
"RITA6c": added IKEv2 connection
dev at Ritchie:~$
The two addresses (beginning with "fd51") are Unique Local Addresses
(ULA), and are _perfectly_valid_IPv6_ addresses. I am building an IPsec
tunnel between two adjacent hosts, which are on the same LAN, and the
assigned address for each interface is declared to be a /64, so the
kernel knows how to reach the peer.
dev at Ritchie:~$ ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fd51:20d9:5ad2:b::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::21a:a0ff:fe15:62b8/64 scope link
valid_lft forever preferred_lft forever
3: enp5s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::20e:cff:fea9:b90f/64 scope link
valid_lft forever preferred_lft forever
4: enp5s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::20e:cff:fea9:b937/64 scope link
valid_lft forever preferred_lft forever
dev at Ritchie:~$
Please remove whatever constraints are built into Libreswan that exclude
non-global addresses. (OR, provide a toggle that allows the use of ULAs)
As I have discussed previously on this list, please note that,
eventually, once XFRM is fixed to properly handle Link-Local addresses
(and their associated interface names), then Libreswan will need to
accept LL addresses as well.
Bill Atwood