[Swan] IPv6 implicit connection
Brandon Enochs
enochs.brandon at gmail.com
Wed May 27 06:10:12 EEST 2015
I was more asking about the host to host transport mode and not tunneling.
On May 26, 2015 11:08 PM, "Paul Wouters" <paul at nohats.ca> wrote:
> On Tue, 26 May 2015, Brandon Enochs wrote:
>
>> Isn't the subnet extraneous in that example since the right IP is fully
>> specified?
>>
>
> the diagram is like:
>
> [leftsubnet]----[left]----internet----[right]----[rightsubnet]
>
> Your IPsec gateway IPs are left= and right=. If you are building a
> tunnel that should cover more than just the gateways themselves, so a
> subnet to subnet tunnel, you need to specify that via leftsubnet=
> and rightsubnet=
>
> Remember IPsec tunnels are not virtual wires, you cannot just "route"
> anything in to them. You need to tell exactly what src-dst of packets
> are allowed to go through.
>
> Paul
>
> On May 26, 2015 11:04 PM, "Paul Wouters" <paul at nohats.ca> wrote:
>> On Tue, 26 May 2015, Brandon Enochs wrote:
>>
>> Are IPv6 host to host connections with right specified as a
>> subnet supported?
>>
>>
>> Yes, for example:
>>
>> ipsec.conf:
>>
>> conn ipv6
>>     left=2001:db8:1:2::45
>>     leftid="@west"
>>     right=2001:db8:1:2::23
>>     rightsubnet=2001:db8:0:2::/64
>>     rightid="@east"
>>     auto=ondemand
>>     authby=secret
>>
>> ipsec.secrets:
>>
>> 2001:db8:1:2::45 2001:db8:1:2::23 : PSK "secret"
>>
>> If your endpoints (left/right) are IPv4, and your subnet is IPv6, then
>> you need a leftsubnet as well (with an IPv6 range) because both need to
>> be of the same IP address family, and you need to add connaddrfamily=6
>>
>> Paul
>>
>>
>>
>>
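The selector behaviour discussed in this thread, as an added example that is not part of the original messages and is not libreswan code: it models which src/dst pairs the quoted `conn ipv6` covers and checks the same-address-family rule. It assumes that a side without a subnet option covers only its own endpoint address; the IPv4 endpoints and the `leftsubnet` value in `MIXED` are constructed sample values.

```python
import ipaddress

# The connection quoted in the thread, reduced to the options that define selectors.
CONN = {
    "left": "2001:db8:1:2::45",
    "right": "2001:db8:1:2::23",
    "rightsubnet": "2001:db8:0:2::/64",
}

# Constructed case: IPv4 gateways protecting IPv6 ranges (sample values).
MIXED = {
    "left": "192.0.2.1",
    "right": "192.0.2.2",
    "rightsubnet": "2001:db8:0:2::/64",
}


def selector(conn, side):
    """Network covered by one side's traffic selector.

    Assumption: without <side>subnet=, the selector is the endpoint
    address alone (a /128 for IPv6, a /32 for IPv4).
    """
    subnet = conn.get(side + "subnet")
    if subnet:
        return ipaddress.ip_network(subnet, strict=True)
    return ipaddress.ip_network(conn[side])


def selector_family(conn):
    """Return 4 or 6; raise if the two selectors differ in address family."""
    left, right = selector(conn, "left"), selector(conn, "right")
    if left.version != right.version:
        raise ValueError(
            f"left selector is IPv{left.version}, right selector is "
            f"IPv{right.version}: give both sides a subnet of one family")
    return left.version


def covered(conn, src, dst):
    """True if a packet src -> dst matches the selectors in either direction."""
    selector_family(conn)
    left, right = selector(conn, "left"), selector(conn, "right")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)
```

With the quoted configuration, traffic from left to the address given in `right=` itself is not covered, because `rightsubnet=` takes the place of the host-only selector.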