[Swan] IPv6 implicit connection
Paul Wouters
paul at nohats.ca
Wed May 27 06:08:38 EEST 2015
On Tue, 26 May 2015, Brandon Enochs wrote:
> Isn't the subnet extraneous in that example since the right IP is fully specified?
The diagram is like:
[leftsubnet]---[left]----internet----[right]---[rightsubnet]
Your IPsec gateway IPs are left= and right=. If you are building a
tunnel that should cover more than just the gateways themselves, so a
subnet to subnet tunnel, you need to specify that via leftsubnet=
and rightsubnet=
Remember IPsec tunnels are not virtual wires, you cannot just "route"
anything into them. You need to tell exactly what src-dst of packets
are allowed to go through.
Paul
> On May 26, 2015 11:04 PM, "Paul Wouters" <paul at nohats.ca> wrote:
> On Tue, 26 May 2015, Brandon Enochs wrote:
>
> Are IPv6 host to host connections with right specified as a subnet supported?
>
>
> Yes, for example:
>
> ipsec.conf:
>
> conn ipv6
>     left=2001:db8:1:2::45
>     leftid="@west"
>     right=2001:db8:1:2::23
>     rightsubnet=2001:db8:0:2::/64
>     rightid="@east"
>     auto=ondemand
>     authby=secret
>
> ipsec.secrets:
>
> 2001:db8:1:2::45 2001:db8:1:2::23 : PSK "secret"
>
> If your endpoints (left/right) are IPv4, and your subnet is IPv6, then
> you need a leftsubnet as well (with an ipv6 range) because both need to
> be of the same IP address family, and you need to add connaddrfamily=6
>
> Paul
>
>
>
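The point made in both messages above, as an added example that is not code from the thread or from Libreswan: a simplified model of how left=/right= and leftsubnet=/rightsubnet= turn into the src-dst selectors a tunnel covers, including the address-family rule. It assumes an omitted subnet means the gateway address alone; the function names and the IPv4 sample connection are constructed for illustration.

```python
import ipaddress

def selectors(conn):
    """Return (left_net, right_net), the src/dst ranges the tunnel covers.

    Assumption of this model: when leftsubnet=/rightsubnet= is absent, the
    selector is the gateway address itself with a host-length prefix.
    """
    nets = []
    for side in ("left", "right"):
        value = conn.get(side + "subnet") or conn[side]
        nets.append(ipaddress.ip_network(value))  # bare address -> /32 or /128
    if nets[0].version != nets[1].version:
        raise ValueError(
            "selector families differ: %s is IPv%d, %s is IPv%d"
            % (nets[0], nets[0].version, nets[1], nets[1].version))
    return nets[0], nets[1]

def covered(conn, src, dst):
    """True if a packet src -> dst (either direction) matches the selectors."""
    left, right = selectors(conn)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)

# The connection from the thread: host on the left, subnet on the right.
IPV6_CONN = {
    "left": "2001:db8:1:2::45",
    "right": "2001:db8:1:2::23",
    "rightsubnet": "2001:db8:0:2::/64",
}

# Constructed sample: IPv4 gateways carrying an IPv6 subnet, no leftsubnet=.
MIXED_CONN = {
    "left": "192.0.2.1",
    "right": "192.0.2.2",
    "rightsubnet": "2001:db8:0:2::/64",
}

if __name__ == "__main__":
    print(selectors(IPV6_CONN))
    # The right gateway is outside rightsubnet, so gateway-to-gateway
    # traffic is not covered by this connection.
    print(covered(IPV6_CONN, "2001:db8:1:2::45", "2001:db8:1:2::23"))
    try:
        selectors(MIXED_CONN)
    except ValueError as exc:
        print("rejected:", exc)
```

Adding an IPv6 leftsubnet= to the constructed mixed connection makes both selectors the same family, which is the fix described in the quoted message.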