[Swan-dev] Libreswan 5.0 RC1 IPv6 ULA not accepted

Paul Wouters paul at nohats.ca
Mon Jan 15 22:35:50 EET 2024


On Jan 15, 2024, at 15:03, Bill Atwood <williamatwood41 at gmail.com> wrote:
> 
> My bad.
> 
> I had re-booted Ritchie, and forgotten to re-run the script that assigns the ULA.
> 
> After running that script, I see an established connection (on both Ritchie and Tarjan).
> 
> What I don't see is any evidence of an added interface on Ritchie (5.0 RC1), where I do see this on Tarjan (4.12).  How does one access the new tunnel?

Magic grabs the packets. You can check byte counters with “ipsec traffic”.

You can also add ipsec-interface=1 and you will get an interface named ipsec1.


> 
>  Bill
> 
> dev at Ritchie:~$ ./fixaddr.sh
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
>    inet6 ::1/128 scope host
>       valid_lft forever preferred_lft forever
> 2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>    inet6 fd51:20d9:5ad2:b::2/64 scope global tentative
>       valid_lft forever preferred_lft forever
>    inet6 fe80::21a:a0ff:fe15:62b8/64 scope link
>       valid_lft forever preferred_lft forever
> 3: enp5s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>    inet6 fe80::20e:cff:fea9:b90f/64 scope link
>       valid_lft forever preferred_lft forever
> 4: enp5s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>    inet6 fe80::20e:cff:fea9:b937/64 scope link
>       valid_lft forever preferred_lft forever
> dev at Ritchie:~$ sudo ipsec setup restart
> Redirecting to: systemctl restart ipsec.service
> dev at Ritchie:~$ sudo ipsec add RITA6c
> "RITA6c": added IKEv2 connection
> dev at Ritchie:~$ sudo ipsec status |grep interface
> using kernel interface: xfrm
> interface enp4s0 UDP [fd51:20d9:5ad2:b::2]:4500
> interface enp4s0 UDP [fd51:20d9:5ad2:b::2]:500
> interface lo UDP [::1]:4500
> interface lo UDP [::1]:500
> interface lo UDP 127.0.0.1:4500
> interface lo UDP 127.0.0.1:500
> interface enp4s0 UDP 132.205.9.46:4500
> interface enp4s0 UDP 132.205.9.46:500
> interface enp5s4 UDP 132.205.9.50:4500
> interface enp5s4 UDP 132.205.9.50:500
> interface enp5s5 UDP 132.205.9.53:4500
> interface enp5s5 UDP 132.205.9.53:500
> interface virbr0 UDP 192.168.123.1:4500
> interface virbr0 UDP 192.168.123.1:500
> "RITA6c":   conn_prio: 128,128; interface: enp4s0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
> dev at Ritchie:~$ sudo ipsec up RITA6c
> "RITA6c" #1: initiating IKEv2 connection to fd51:20d9:5ad2:b::1 using UDP
> "RITA6c" #1: sent IKE_SA_INIT request to [fd51:20d9:5ad2:b::1]:500
> "RITA6c" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
> "RITA6c" #1: initiator established IKE SA; authenticated peer '2048-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=Tarjan certificate' issued by CA 'CN=ConU CSE HSPL'
> "RITA6c" #2: initiator established Child SA using #1; IPsec tunnel [fd51:20d9:5ad2:b::2/128===fd51:20d9:5ad2:b::1/128] {ESP/ESN=>0xfee0113a <0xee7634c5 xfrm=AES_GCM_16_256-NONE DPD=passive}
> dev at Ritchie:~$
> 
>> On 1/15/2024 2:26 PM, Paul Wouters wrote:
>>> On Mon, 15 Jan 2024, Tuomo Soini wrote:
>>> On Mon, 15 Jan 2024 13:23:58 -0500
>>> Bill Atwood <williamatwood41 at gmail.com> wrote:
>>> 
>>>> Here is the result of the status command, on Ritchie (running 5.0
>>>> RC1):
>>>> 
>>>> dev at Ritchie:~$  sudo ipsec status | grep interface
>>>> [sudo] password for dev:
>>>> using kernel interface: xfrm
>>>> interface lo UDP [::1]:4500
>>>> interface lo UDP [::1]:500
>>>> interface lo UDP 127.0.0.1:4500
>>>> interface lo UDP 127.0.0.1:500
>>>> interface enp4s0 UDP 132.205.9.46:4500
>>>> interface enp4s0 UDP 132.205.9.46:500
>>>> interface enp5s4 UDP 132.205.9.50:4500
>>>> interface enp5s4 UDP 132.205.9.50:500
>>>> interface enp5s5 UDP 132.205.9.53:4500
>>>> interface enp5s5 UDP 132.205.9.53:500
>>>> interface virbr0 UDP 192.168.123.1:4500
>>>> interface virbr0 UDP 192.168.123.1:500
>>>> "RITA6c":   conn_prio: 128,128; interface: ; metric: 0; mtu: unset;
>>>> sa_prio:auto; sa_tfc:none;
>>>> dev at Ritchie:~$
>>> 
>>> Is this directly from bootup of the machine?
>>> 
>>> The reason could be your network configuration. Libreswan requires
>>> network-online.target before startup. But if you don't have a setting for
>>> the IPv6 address to be required on your interface, network-online.target
>>> finishes before you have an IPv6 address on the interface, and so there is
>>> no IPv6 address yet when libreswan starts.
>> You can confirm if this is the case by issuing:
>> sudo ipsec whack --listen
>> sudo ipsec status | grep interface
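The check Paul and Tuomo describe above (does pluto have UDP 500/4500 sockets on the ULA, and did it pick an interface for the connection?) as a small shell script. This is an added example, not code from the thread or from the libreswan project. The two status captures are constructed from the output Bill posted, trimmed to the relevant lines; the address, connection name and the `ipsec whack --listen` remedy are taken from the thread, the function names are this example's own.

```shell
#!/bin/sh
# Added example: parse "ipsec status | grep interface" output and report whether
# pluto is listening on the ULA and whether the connection got an interface.
# Both samples below are constructed from the output posted in the thread.

# Before fixaddr.sh: no fd51:... socket, RITA6c has an empty "interface:" field.
STATUS_BEFORE='using kernel interface: xfrm
interface lo UDP [::1]:4500
interface lo UDP [::1]:500
interface lo UDP 127.0.0.1:4500
interface lo UDP 127.0.0.1:500
interface enp4s0 UDP 132.205.9.46:4500
interface enp4s0 UDP 132.205.9.46:500
"RITA6c":   conn_prio: 128,128; interface: ; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;'

# After fixaddr.sh and a restart: both IKE ports bound on the ULA, interface enp4s0.
STATUS_AFTER='using kernel interface: xfrm
interface enp4s0 UDP [fd51:20d9:5ad2:b::2]:4500
interface enp4s0 UDP [fd51:20d9:5ad2:b::2]:500
interface lo UDP [::1]:4500
interface lo UDP [::1]:500
interface enp4s0 UDP 132.205.9.46:4500
interface enp4s0 UDP 132.205.9.46:500
"RITA6c":   conn_prio: 128,128; interface: enp4s0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;'

# is_ula ADDR: 0 if ADDR lies in fc00::/7 (RFC 4193 unique local), 1 otherwise.
# The first 16-bit group of a ULA is always written in full (fcxx/fdxx), so the
# first two hex digits are enough to classify it.
is_ula() {
    case "$1" in
        [fF][cCdD]??:*) return 0 ;;
        *) return 1 ;;
    esac
}

# bound_ports STATUS ADDR: print how many of pluto's UDP sockets are on ADDR.
# 2 means both IKE ports (500 and 4500) are listening there, 0 means none.
bound_ports() {
    printf '%s\n' "$1" | grep -Ec "^interface [^ ]+ UDP \[$2]:(500|4500)\$" || true
}

# conn_interface STATUS CONN: print the interface pluto chose for CONN, or an
# empty string when the field is blank (pluto found no interface for the
# connection's address when it last scanned the interface list).
conn_interface() {
    printf '%s\n' "$1" | sed -n "s/^\"$2\": *conn_prio:.*; interface: \([^;]*\);.*/\1/p"
}

# check_listen STATUS ADDR CONN: 0 when ADDR is a ULA, both IKE ports are bound
# on it and CONN has an interface; otherwise print what is missing and return 1.
check_listen() {
    status="$1"; addr="$2"; conn="$3"; rc=0
    if ! is_ula "$addr"; then
        echo "$addr is not a unique-local (fc00::/7) address"; rc=1
    fi
    if [ "$(bound_ports "$status" "$addr")" -ne 2 ]; then
        echo "pluto has no UDP 500/4500 socket on [$addr]; once the address is up, re-scan with: ipsec whack --listen"; rc=1
    fi
    if [ -z "$(conn_interface "$status" "$conn")" ]; then
        echo "\"$conn\" has no interface: pluto could not match its address to any interface"; rc=1
    fi
    return $rc
}

# Stand-alone run: report on both captures.
echo "== before fixaddr.sh =="
check_listen "$STATUS_BEFORE" fd51:20d9:5ad2:b::2 RITA6c || true
echo "== after fixaddr.sh =="
check_listen "$STATUS_AFTER" fd51:20d9:5ad2:b::2 RITA6c && echo "ok: ULA bound on both IKE ports, RITA6c has an interface"
```

Two caveats when reading a real capture. Bill's `ip` output lists the ULA as `scope global tentative`, meaning duplicate address detection had not finished yet; pluto can only bind a socket on the address once it is no longer tentative, so a re-scan (`ipsec whack --listen`) immediately after adding the address can still come back empty. And the underlying cause Tuomo points at is ordering: if network-online.target is reached before the IPv6 address exists, pluto's first interface scan misses it. The fix belongs in the network configuration rather than in libreswan; the exact knob depends on the network manager in use (with NetworkManager, `ipv6.may-fail no` on the profile makes activation wait for IPv6).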

