[Swan] Tunnel IPv4 over IPv6: connaddrfamily?

Paul Wouters paul at nohats.ca
Tue May 15 15:35:24 UTC 2018


On Tue, 15 May 2018, Andreas Scherrer wrote:

> Dear libreswan wizards
>
> I am trying to set up my first IPsec tunnel using libreswan (v3.23) on one
> end and racoon on the other end.
>
> The machines have IPv6 connectivity, so I want to (have to) use IPv6 for the 
> "outer" IPs.
>
> Inside the tunnel I want to route IPv4 though.

There is a bug in the parser. You can try the patch at:

https://github.com/libreswan/libreswan/issues/175

> So I tried with 'connaddrfamily=ipv6'.
>
> With that, the tunnel comes up and I can reach (ping) through the tunnel in 
> both directions.
>
> I have to explicitly set the source IP (192.168.112.1) when pinging from "the 
> libreswan end" though, while my understanding of the documentation is that 
> 'leftip=192.168.112.1' should take care of that? I assume this is not working 
> because it expects an IPv6 address there...

You mean leftsourceip= ?

So you have two IPv4 addresses? An internal and external one? And you
set leftsourceip=internalip ?

That should work indeed.

> In addition, I see the following error in the libreswan/pluto log:
>
> -----
> ERROR: netlink XFRM_MSG_UPDPOLICY response for flow eroute_connection add 
> included errno 22: Invalid argument
> -----

It might be trying to install the wrong family for the %trap and fail.
So auto=ondemand might not be working.

> I am wondering now if my configuration is actually doing what it is supposed 
> to do. Is 'connaddrfamily=ipv6' the correct thing to do even if the 
> documentation states the opposite?

These options are a bit busy and we do want to move to an auto-detection
for all of this. Sorry you were caught in these.

Paul
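A minimal libreswan conn for the layout discussed in this thread (IPv6 "outer" endpoints, IPv4 subnets inside, connaddrfamily=ipv6, leftsourceip set to the internal IPv4 address), as an added example that is not part of the original message. Every address except 192.168.112.1 is a constructed placeholder, and the IKEv1/pre-shared-key settings are assumed to match what the racoon peer is configured for; whether this parses cleanly on 3.23 depends on the parser bug the reply points to.

```ini
# Added example, not from the thread. Addresses other than 192.168.112.1
# are constructed placeholders (2001:db8::/32 is the IPv6 documentation prefix).
conn v6outer-v4inner
    connaddrfamily=ipv6          # IKE/ESP endpoints are IPv6
    left=2001:db8:1::1           # constructed: libreswan's public IPv6 address
    leftsubnet=192.168.112.0/24  # IPv4 network routed through the tunnel
    leftsourceip=192.168.112.1   # internal IPv4 address used as the local source
    right=2001:db8:2::1          # constructed: racoon's public IPv6 address
    rightsubnet=192.168.113.0/24 # constructed: IPv4 network behind racoon
    ikev2=no                     # assumption: racoon is an IKEv1 peer
    authby=secret                # pre-shared key in ipsec.secrets (assumed)
    auto=ondemand                # installs a %trap; the reply notes this may fail
```

After `ipsec auto --add v6outer-v4inner`, `ip xfrm policy` shows whether the installed policy carries the address families you expect, which is the first thing to check when the netlink XFRM_MSG_UPDPOLICY error from the log appears.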

