[Swan] Cisco IOS IPv6 Transport with IKEv2 to Libreswan

Paul Wouters paul at nohats.ca
Fri Jun 8 20:31:47 UTC 2018


On Tue, 5 Jun 2018, Reuben Farrelly wrote:

> I only need to transport IPv4 across the IPv6 IPSec tunnel, but bonus marks 
> all around if I can optionally have an IPv4 and IPv6 address on the VTI at 
> the same time.

> Problems I have run into and would appreciate any advice are as follows...
>
> 1. The libreswan conn section for each peer requires a left= statement. This 
> works as either an IPv4 address, or an IPv6 address, but only one can be 
> defined.  And %any doesn't work either (trying this results in an error 
> "connection router-2.reub.net must specify host IP address for our side")
>
> This is a major obstacle if I have both IPv4 only and IPv6 preferred clients 
> connecting in, especially if I am migrating between the two transports as I 
> am here, because it appears I have to use one or the other, but cannot 
> support both address families at once.
>
> 2. If I change the left= side to be the IPv6 address, then it starts but I 
> get a proposal error:

Please retry the current git master. It no longer uses the
connaddrfamily= keyword. You should not need any keyword to do 6in4 or
4in6. But if you want to force the address family of the gateways, you
can use hostaddrfamily= and if you want to force the address family of
the subnets, you can use clientaddrfamily=

> Jun  5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Processing IKE_SA_INIT 
> message
> Jun  5 22:58:21: IKEv2-ERROR:(SESSION ID = 43,SA ID = 1):: Received no 
> proposal chosen notify
> Jun  5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Failed SA init exchange
> Jun  5 22:58:21: IKEv2-ERROR:(SESSION ID = 43,SA ID = 1):Initial exchange 
> failed: Initial exchange failed
> Jun  5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Abort exchange
> Jun  5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Deleting SA
>
> I don't understand why I'd start getting a proposal error if I haven't 
> changed any of the proposals on either side.

Most likely, your connection showed up as "unoriented" and therefore
fails in IKE_INIT to be found at all (we can only look at oriented
connections to match an exchange to).

Paul
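For readers following the advice above, here is an added ipsec.conf fragment illustrating a 4in6 setup, where both gateways are IPv6 but the protected subnets are IPv4, with the address families pinned by the hostaddrfamily= and clientaddrfamily= keywords named in the reply. It is an example written for this page, not configuration posted by either participant; the conn name, the documentation-range addresses and the choice of pre-shared-key authentication are assumptions.

```ini
# Added example (not from the thread): libreswan conn carrying IPv4 subnets
# inside an IPv6 IKEv2/ESP tunnel. Addresses are RFC 5737/3849 documentation
# ranges chosen for illustration; replace with the real gateway and subnet
# addresses on each side.
conn router-2
    ikev2=insist                 # IKEv2 only, no IKEv1 fallback
    authby=secret                # PSK in ipsec.secrets (assumed for the example)
    hostaddrfamily=ipv6          # gateways (left=/right=) are IPv6 endpoints
    clientaddrfamily=ipv4        # traffic selectors (leftsubnet=/rightsubnet=) are IPv4
    left=2001:db8:1::1           # this host's IPv6 address; must be configured locally
    leftsubnet=192.0.2.0/24      # IPv4 network behind this host
    right=2001:db8:2::1          # peer's IPv6 address
    rightsubnet=198.51.100.0/24  # IPv4 network behind the peer
    auto=start
```

The security-relevant check is the one the reply hints at: left= must be an address actually present on the host, or the conn loads unoriented and will never be matched against an incoming IKE_SA_INIT, which surfaces on the Cisco side as the misleading "no proposal chosen" notify rather than as an address-family error. After `ipsec auto --add router-2`, confirm the conn oriented before investigating proposals.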

