[Swan] Tunnel IPv4 over IPv6: connaddrfamily?

Andreas Scherrer ascherrer at gmail.com
Mon May 14 22:33:21 UTC 2018


Dear libreswan wizards

I am trying to set up my first IPSec tunnel using libreswan (v3.23) on 
one end and racoon on the other end.

The machines have IPv6 connectivity, so I want to (have to) use IPv6 for 
the "outer" IPs.

Inside the tunnel I want to route IPv4 through.

To me it currently seems that the documentation does not match what I 
see with regards to "connaddrfamily".

[1] states

"set connaddrfamily= to the family of the *subnet= options, and if those 
are not defined, to the family of the left=/right= options"

So for me this would mean 'ipv4', because the 'leftsubnet' and 
'rightsubnet' are IPv4.

But if I do that, I see the following error when pluto starts up:

-----
failed to convert '<left ipv6>' at load time: IPv4 address may not 
contain `:'

and later

We cannot identify ourselves with either end of this connection. 
0.0.0.0 or 0.0.0.0 are not usable
-----

So I tried with 'connaddrfamily=ipv6'.

With that, the tunnel comes up and I can reach (ping) through the tunnel 
in both directions.

I have to explicitly set the source IP (192.168.112.1) when pinging from 
"the libreswan end" though, while my understanding of the documentation 
is that 'leftip=192.168.112.1' should take care of that? I assume this 
is not working because it expects an IPv6 address there...

In addition, I see the following error in the libreswan/pluto log:

-----
ERROR: netlink XFRM_MSG_UPDPOLICY response for flow eroute_connection 
add included errno 22: Invalid argument
-----

I am wondering now if my configuration is actually doing what it is 
supposed to do. Is 'connaddrfamily=ipv6' the correct thing to do even if 
the documentation states the opposite?


Thanks for any hints, corrections or reassurances.
andreas

Here is my libreswan config:

-----
# /etc/ipsec.d/home.conf - Libreswan IPsec configuration file

config setup
   plutodebug=all
   protostack=netkey
   interfaces=%none

conn mytunnel
   auto=start
   connaddrfamily=ipv6
   left=<left ipv6>
   right=<right ipv6>
   also=shared
   also=mysubnet

conn shared
   authby=secret
   ike=aes-sha2_256;dh5
   phase2alg=aes-sha2_256

conn mysubnet
   leftsubnet=192.168.112.0/24
   leftsourceip=192.168.112.1
   rightsubnet=192.168.0.0/18
   rightsourceip=192.168.1.1
-----

[1] https://libreswan.org/man/ipsec.conf.5.html

-- 
Imagine it works and nobody manages to do it.
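As an added example (not part of the post above and not libreswan's own code), a small check that applies the ipsec.conf(5) rule quoted in the post to a conn and reports which family that rule would pick, so a mismatch between connaddrfamily= and the actual addresses can be spotted before pluto loads the file. The sample config is constructed after the one in the post, with RFC 3849 documentation addresses standing in for the IPv6 placeholders.

```python
import ipaddress

# Constructed sample shaped like the post's config (RFC 3849 addresses stand in for the placeholders).
SAMPLE_CONF = """
conn mytunnel
   connaddrfamily=ipv6
   left=2001:db8::1
   right=2001:db8::2
   also=mysubnet

conn mysubnet
   leftsubnet=192.168.112.0/24
   rightsubnet=192.168.0.0/18
"""

def parse_conns(text):
    """Return {conn: {key: value}} with one level of also= sections merged in."""
    sections, current = {}, None
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        if line.startswith(("conn ", "config ")):
            current = sections.setdefault(line.split()[1], {"also": []})
        elif line.startswith("also="):
            current["also"].append(line[5:])
        else:
            key, _, value = line.partition("=")
            current[key] = value
    # Included sections first, so a conn's own keys override what it pulls in.
    return {name: {k: v for d in [sections.get(i, {}) for i in opts["also"]] + [opts]
                   for k, v in d.items() if k != "also"}
            for name, opts in sections.items()}

def family(value):
    """'ipv4'/'ipv6' for an address or prefix, None for %defaultroute and the like."""
    try:
        return "ipv%d" % ipaddress.ip_network(value, strict=False).version
    except ValueError:
        return None

def check(conf_text, name):
    """Compare connaddrfamily= with the ipsec.conf(5) rule quoted in the post."""
    conn = parse_conns(conf_text)[name]
    ends = {family(conn[k]) for k in ("left", "right") if k in conn} - {None}
    subnets = {family(conn[k]) for k in ("leftsubnet", "rightsubnet") if k in conn} - {None}
    rule = subnets or ends  # *subnet= family wins; fall back to left=/right=
    return {"configured": conn.get("connaddrfamily"),
            "per_manpage": next(iter(rule)) if len(rule) == 1 else None,
            "endpoints": ends, "subnets": subnets,
            "mixed_families": bool(subnets) and subnets != ends}
```

For the sample, `check(SAMPLE_CONF, "mytunnel")` reports configured `ipv6`, man-page rule `ipv4`, and mixed families, which is exactly the situation the post describes.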

