[Swan] ipsec tunnel "remote=%any" setting does not work with IPv6
Eduard Guzovsky
eguzovsky at gmail.com
Fri Dec 17 04:12:47 EET 2021
I use libreswan version 3.25 on centos 7.9. Here is my test-tunnel.conf on vm2:
conn test-tunnel
type=transport
left=fda1::2:2
leftid=@vm2
right=fda1::3:2
rightid=@vm3
encapsulation=no
authby=secret
auto=add
retransmit-timeout=1100s
phase2alg=aes_gcm256,aes256-sha1
test-tunnel.conf on vm3:
conn test-tunnel
type=transport
left=fda1::3:2
leftid=@vm3
right=%any
rightid=@vm2
encapsulation=no
authby=secret
auto=add
retransmit-timeout=1100s
phase2alg=aes_gcm256,aes256-sha1
IPsec tunnel establishment fails. vm3 logs:
"initial Main Mode message received on fda1:330f:7629:78c7::3:2:500
but no connection has been authorized with policy PSK+IKEV1_ALLOW"
My systems are dual stack. If I change the IPv6 address pair to the
IPv4 address pair 192.168.0.2 / 192.168.0.3 in the same config, the IPv4
tunnel works fine.
As a workaround for the IPv6 configuration I tried to replace
"right=%any" with "right=::". The tunnel was established successfully
and worked fine. Here is a snippet from vm3 "ipsec auto --status"
output with "right=::" setting.
000 "test-tunnel": fda1::3:2<fda1::3:2>[@vm3]...%any[@vm2]; unrouted; eroute owner: #0
...
000 "test-tunnel"[1]: fda1::3:2<fda1::3:2>[@vm3]...fda1::2:2<::>[@vm2]; erouted; eroute owner: #2
As you can see, in the inactive state the right end is shown as
"%any", but in the active state it is "::".
What is the proper way to do it? Is "%any" fixed in the newer libreswan releases?
Thanks,
-Ed
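A small config lint for the situation described in this post, added here as an example and not part of the original message or of libreswan: it parses the `conn` sections of an ipsec.conf-style file with a minimal parser (an assumption: key=value lines only, no `include`), and flags any conn whose local end is an IPv6 literal while the peer is `%any`, pointing at the `right=::` workaround the post reports. The sample configuration is the vm3 side quoted above.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: the vm3 side from the post, where right=%any fails on IPv6.
SAMPLE_CONF = """\
conn test-tunnel
    type=transport
    left=fda1::3:2
    leftid=@vm3
    right=%any
    rightid=@vm2
    encapsulation=no
    authby=secret
    auto=add
    retransmit-timeout=1100s
    phase2alg=aes_gcm256,aes256-sha1
"""

def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn NAME' sections into {name: {key: value}}.
    Minimal parser (assumption): key=value lines, '#' comments, no includes."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def family(addr: str) -> Optional[int]:
    """Return 4 or 6 for a literal IP; None for %any, %defaultroute or hostnames."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None

def check_any_with_ipv6(conns: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag conns whose local end is an IPv6 literal while the peer is '%any'.
    The post reports this combination fails on libreswan 3.25; the workaround
    it describes is the IPv6 unspecified address '::' in place of '%any'."""
    findings = []
    for name, c in conns.items():
        for local, peer in (("left", "right"), ("right", "left")):
            if family(c.get(local, "")) == 6 and c.get(peer) == "%any":
                findings.append((name, peer, "use '::' instead of '%any' (workaround from the post)"))
    return findings
```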