[Swan-dev] Libreswan 5.0 RC1 IPv6 ULA not accepted

Bill Atwood williamatwood41 at gmail.com
Mon Jan 15 22:03:18 EET 2024


My bad.

I had re-booted Ritchie, and forgotten to re-run the script that assigns 
the ULA.

After running that script, I see an established connection (on both 
Ritchie and Tarjan).

What I don't see is any evidence of an added interface on Ritchie (5.0 
RC1), whereas I do see this on Tarjan (4.12).  How does one access the new 
tunnel?

   Bill

dev at Ritchie:~$ ./fixaddr.sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
     inet6 fd51:20d9:5ad2:b::2/64 scope global tentative
        valid_lft forever preferred_lft forever
     inet6 fe80::21a:a0ff:fe15:62b8/64 scope link
        valid_lft forever preferred_lft forever
3: enp5s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
     inet6 fe80::20e:cff:fea9:b90f/64 scope link
        valid_lft forever preferred_lft forever
4: enp5s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
     inet6 fe80::20e:cff:fea9:b937/64 scope link
        valid_lft forever preferred_lft forever
dev at Ritchie:~$ sudo ipsec setup restart
Redirecting to: systemctl restart ipsec.service
dev at Ritchie:~$ sudo ipsec add RITA6c
"RITA6c": added IKEv2 connection
dev at Ritchie:~$ sudo ipsec status |grep interface
using kernel interface: xfrm
interface enp4s0 UDP [fd51:20d9:5ad2:b::2]:4500
interface enp4s0 UDP [fd51:20d9:5ad2:b::2]:500
interface lo UDP [::1]:4500
interface lo UDP [::1]:500
interface lo UDP 127.0.0.1:4500
interface lo UDP 127.0.0.1:500
interface enp4s0 UDP 132.205.9.46:4500
interface enp4s0 UDP 132.205.9.46:500
interface enp5s4 UDP 132.205.9.50:4500
interface enp5s4 UDP 132.205.9.50:500
interface enp5s5 UDP 132.205.9.53:4500
interface enp5s5 UDP 132.205.9.53:500
interface virbr0 UDP 192.168.123.1:4500
interface virbr0 UDP 192.168.123.1:500
"RITA6c":   conn_prio: 128,128; interface: enp4s0; metric: 0; mtu: 
unset; sa_prio:auto; sa_tfc:none;
dev at Ritchie:~$ sudo ipsec up RITA6c
"RITA6c" #1: initiating IKEv2 connection to fd51:20d9:5ad2:b::1 using UDP
"RITA6c" #1: sent IKE_SA_INIT request to [fd51:20d9:5ad2:b::1]:500
"RITA6c" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048}
"RITA6c" #1: initiator established IKE SA; authenticated peer '2048-bit 
RSASSA-PSS with SHA2_512' digital signature using peer certificate 
'CN=Tarjan certificate' issued by CA 'CN=ConU CSE HSPL'
"RITA6c" #2: initiator established Child SA using #1; IPsec tunnel 
[fd51:20d9:5ad2:b::2/128===fd51:20d9:5ad2:b::1/128] {ESP/ESN=>0xfee0113a 
<0xee7634c5 xfrm=AES_GCM_16_256-NONE DPD=passive}
dev at Ritchie:~$

On 1/15/2024 2:26 PM, Paul Wouters wrote:
> On Mon, 15 Jan 2024, Tuomo Soini wrote:
> 
>> On Mon, 15 Jan 2024 13:23:58 -0500
>> Bill Atwood <williamatwood41 at gmail.com> wrote:
>>
>>> Here is the result of the status command, on Ritchie (running 5.0
>>> RC1):
>>>
>>> dev at Ritchie:~$  sudo ipsec status | grep interface
>>> [sudo] password for dev:
>>> using kernel interface: xfrm
>>> interface lo UDP [::1]:4500
>>> interface lo UDP [::1]:500
>>> interface lo UDP 127.0.0.1:4500
>>> interface lo UDP 127.0.0.1:500
>>> interface enp4s0 UDP 132.205.9.46:4500
>>> interface enp4s0 UDP 132.205.9.46:500
>>> interface enp5s4 UDP 132.205.9.50:4500
>>> interface enp5s4 UDP 132.205.9.50:500
>>> interface enp5s5 UDP 132.205.9.53:4500
>>> interface enp5s5 UDP 132.205.9.53:500
>>> interface virbr0 UDP 192.168.123.1:4500
>>> interface virbr0 UDP 192.168.123.1:500
>>> "RITA6c":   conn_prio: 128,128; interface: ; metric: 0; mtu: unset;
>>> sa_prio:auto; sa_tfc:none;
>>> dev at Ritchie:~$
>>
>> Is this directly from bootup of the machine?
>>
>> Reason could be your network configuration. Libreswan requires
>> network-online.target before startup. But if you don't have a setting for
>> the IPv6 address to be required on your interface, network-online.target
>> finishes before you have an IPv6 address on the interface and so there is
>> no IPv6 address yet when libreswan starts.
> 
> You can confirm if this is the case by issuing:
> 
> sudo ipsec whack --listen
> sudo ipsec status | grep interface
> 
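An added example, not part of the thread or of Libreswan: a POSIX shell helper for the race Tuomo describes. It waits until the ULA has been assigned and has left the DAD "tentative" state seen in Bill's fixaddr.sh output, then re-scans interfaces with `ipsec whack --listen` and checks `ipsec status` for the listener. The address and interface name are taken from Bill's output; the timeout and the `--run` flag are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: wait until the ULA address is configured
# and has left DAD "tentative" state, then have Libreswan re-scan its
# interfaces and verify that it listens on that address.
# Assumed values (only the address and interface come from Bill's output):
ULA="fd51:20d9:5ad2:b::2"
IFACE="enp4s0"
TIMEOUT=30   # seconds; assumption

# addr_state TEXT ADDR: prints "ready", "tentative" or "missing".
# TEXT is the output of `ip -6 addr show dev IFACE`.
addr_state() {
  line=$(printf '%s\n' "$1" | grep -F "inet6 $2/" || true)
  if [ -z "$line" ]; then
    echo missing
  elif printf '%s\n' "$line" | grep -q 'tentative'; then
    echo tentative     # DAD still running: pluto cannot bind to it yet
  else
    echo ready
  fi
}

# ipsec_listens TEXT ADDR: succeeds if `ipsec status` output TEXT shows a
# UDP/500 listener on ADDR (Libreswan prints IPv6 addresses in brackets).
ipsec_listens() {
  printf '%s\n' "$1" | grep -q "interface .* UDP \[$2\]:500\$"
}

# wait_for_ula: poll the live system until the address is usable.
wait_for_ula() {
  i=0
  while [ "$i" -lt "$TIMEOUT" ]; do
    st=$(addr_state "$(ip -6 addr show dev "$IFACE")" "$ULA")
    [ "$st" = ready ] && return 0
    i=$((i + 1)); sleep 1
  done
  echo "timed out waiting for $ULA on $IFACE (state: $st)" >&2
  return 1
}

# Run with --run on the gateway; without it, check a constructed sample
# taken from the "tentative" line in Bill's fixaddr.sh output.
if [ "${1:-}" = "--run" ]; then
  wait_for_ula || exit 1
  ipsec whack --listen >/dev/null      # re-scan interfaces (Paul's hint)
  ipsec_listens "$(ipsec status)" "$ULA" && echo "listening on [$ULA]:500"
else
  SAMPLE='     inet6 fd51:20d9:5ad2:b::2/64 scope global tentative'
  echo "sample state: $(addr_state "$SAMPLE" "$ULA")"   # tentative
fi
```

Run as root with `--run` right after the script that assigns the ULA; a non-zero exit means pluto would still be without the address.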
