[Swan] IPv6 implicit connection

Brandon Enochs enochs.brandon at gmail.com
Wed May 27 06:10:12 EEST 2015


I was more asking about the host to host transport mode and not tunneling.
On May 26, 2015 11:08 PM, "Paul Wouters" <paul at nohats.ca> wrote:

> On Tue, 26 May 2015, Brandon Enochs wrote:
>
>> Isn't the subnet extraneous in that example since the right IP is fully
>> specified?
>
> the diagram is like:
>
>      [leftsubnet]----[left]----internet----[right]----[rightsubnet]
>
> Your IPsec gateway IPs are left= and right=. If you are building a
> tunnel that should cover more than just the gateways themselves, so a
> subnet to subnet tunnel, you need to specify that via leftsubnet=
> and rightsubnet=
>
> Remember IPsec tunnels are not virtual wires, you cannot just "route"
> anything into them. You need to tell exactly what src-dst of packets
> are allowed to go through.
>
> Paul
>
>> On May 26, 2015 11:04 PM, "Paul Wouters" <paul at nohats.ca> wrote:
>>       On Tue, 26 May 2015, Brandon Enochs wrote:
>>
>>             Are IPv6 host to host connections with right specified as a
>>             subnet supported?
>>
>>       Yes, for example:
>>
>>       ipsec.conf:
>>
>>       conn ipv6
>>               left=2001:db8:1:2::45
>>               leftid="@west"
>>               right=2001:db8:1:2::23
>>               rightsubnet=2001:db8:0:2::/64
>>               rightid="@east"
>>               auto=ondemand
>>               authby=secret
>>
>>       ipsec.secrets:
>>
>>       2001:db8:1:2::45 2001:db8:1:2::23 : PSK "secret"
>>
>>       If your endpoints (left/right) are IPv4, and your subnet is IPv6, then
>>       you need a leftsubnet as well (with an IPv6 range) because both need to
>>       be of the same IP address family, and you need to add connaddrfamily=6
>>
>>       Paul
>>
>>
>>
>>
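
Added example (not part of the thread and not libreswan code): a simplified Python model of the point quoted above, that a connection only carries packets matching its declared src-dst selectors and that both selectors must be of one address family. It assumes an omitted leftsubnet=/rightsubnet= covers only that side's own address, ignores protocol and port selectors, and its function names are hypothetical.

```python
import ipaddress

# Constructed sample: the conn from the thread, reduced to its addressing options.
CONN = """
conn ipv6
    left=2001:db8:1:2::45
    right=2001:db8:1:2::23
    rightsubnet=2001:db8:0:2::/64
"""

def parse_conn(text):
    """Collect the key=value options of a single conn stanza into a dict."""
    opts = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            opts[key.strip()] = value.strip().strip('"')
    return opts

def selectors(opts):
    """Return (left_net, right_net) that the connection is declared to cover.

    Assumption of this model: an omitted subnet means "the endpoint only"
    (/32 or /128). Protocol and port selectors are ignored.
    """
    nets = []
    for side in ("left", "right"):
        nets.append(ipaddress.ip_network(opts.get(side + "subnet") or opts[side]))
    if nets[0].version != nets[1].version:
        raise ValueError("both selectors must be of the same address family")
    return nets[0], nets[1]

def covered(opts, src, dst):
    """True if a packet src -> dst (in either direction) matches the selectors."""
    left, right = selectors(opts)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (src in left and dst in right) or (src in right and dst in left)

if __name__ == "__main__":
    opts = parse_conn(CONN)
    for src, dst in [("2001:db8:1:2::45", "2001:db8:0:2::10"),   # left host -> rightsubnet
                     ("2001:db8:1:2::45", "2001:db8:1:2::23"),   # left host -> right gateway
                     ("2001:db8:1:2::99", "2001:db8:0:2::10")]:  # another host near left
        print(src, "->", dst, "covered" if covered(opts, src, dst) else "NOT covered")
```

In this model the right gateway address 2001:db8:1:2::23 lies outside rightsubnet, so traffic between the two gateway addresses themselves does not match the connection.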