[Swan] IPv4 and IPv6 through a single IPSec connection

Andrew Cagney andrew.cagney at gmail.com
Sun Oct 30 17:35:16 EET 2022


On Fri, 28 Oct 2022 at 21:49, Paul Wouters <paul at nohats.ca> wrote:
>
> Not yet in 4.9. But work to support this has recently started.
>
> Sent using a virtual keyboard on a phone
>
> On Oct 28, 2022, at 19:52, Nestor Melo <Nestor.Melo at zpesystems.com> wrote:
>
>
> Hi,
>
>
> We would like to configure a single IPSec connection that would handle both IPv4 and IPv6 traffic.
>
> We considered multiple child SA sharing a single IKE SA:
>
> conn tunnel46
>         auto=start
>         leftid=@left
>         left=%eth0
>         rightid=@right
>         right=172.31.0.1
>         authby=secret
>         ipsec-interface=yes
>         leftsourceip=192.168.61.1
>         rightsourceip=192.168.60.1
>         leftsubnets={192.168.61.0/24,fc02::/64}
>         rightsubnets={192.168.60.0/24,fc01::/64}

The subnets= code in 4.9 limits subnets= and the host to the same
address family.

Would you be able to experiment with mainline?

I've removed the one-address-family-only limitation from subnets= in
mainline; both "add" and "up" do "something".  It turns out that this
is a good way to expose some IPv4 vs IPv6 issues early.  For instance:

+ "road/0x1" #2: up-client-v6 output: Error: inet6 prefix is expected
rather than "192.0.3.254".

(fixed) and:

+002 "road/0x1" #2: up-client output: Error: inet6 prefix is expected
rather than "192.0.3.254".
+002 "road/0x1" #2: up-client output: PATH/libexec/ipsec/_updown.xfrm:
addsource "ip addr add 192.0.3.254/128 dev lo scope global" failed
(Error: any valid prefix is expected rather than "192.0.3.254/128".)

I suspect sourceip needs a re-think.

> However, when we tried that, only the IPv4 traffic came through.
>
> Paul mentioned in issue #375 (https://github.com/libreswan/libreswan/issues/375) that:
>
> "For libreswan 4.2, we are working on allowing to combine these into one
> conn, and also to combine them as traffic selectors on a single IPsec SA."
>
> Are mixed address families in {left|right}subnets something that is supported in libreswan 4.9? If not, is there any alternative to achieve IPv4 and IPv6 traffic through a single tunnel?
>
>
> Thank you,
>
> Nestor Melo
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
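The following is an added illustration, not code from this thread or from libreswan. It takes the conn tunnel46 values quoted above, splits the mixed-family subnets= lists into one selector set per address family (the multiple-child-SA model the original poster was after), and flags the case Andrew's updown errors point at: a family whose only configured sourceip belongs to the other family, or a sourceip that lies outside its own subnets. The brace-list syntax is taken from the quoted conn; accepting a comma-separated, mixed-family sourceip list is an assumption made for the demo, not a documented libreswan option.

```python
import ipaddress
from collections import defaultdict


def parse_list(value):
    """Split a libreswan-style '{a,b}' (or bare 'a,b') value into stripped items."""
    text = value.strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    return [item.strip() for item in text.split(",") if item.strip()]


def subnets_by_family(value):
    """Parse a subnets= value and group the prefixes by IP version: {4: [...], 6: [...]}."""
    grouped = defaultdict(list)
    for item in parse_list(value):
        net = ipaddress.ip_network(item, strict=False)
        grouped[net.version].append(net)
    return grouped


def sourceips_by_family(value):
    """Parse a sourceip= value (one address, or an assumed comma list) by IP version."""
    grouped = {}
    if value is None:
        return grouped
    for item in parse_list(value):
        addr = ipaddress.ip_address(item)
        grouped[addr.version] = addr
    return grouped


def plan_child_sas(left_subnets, right_subnets, left_sourceip=None, right_sourceip=None):
    """Return one planned child SA per address family present on either side.

    Each entry carries the per-family selectors, the matching sourceip (if any)
    and a list of warnings describing family mismatches that would otherwise
    surface only when the updown script runs.
    """
    lsub = subnets_by_family(left_subnets)
    rsub = subnets_by_family(right_subnets)
    lsrc = sourceips_by_family(left_sourceip)
    rsrc = sourceips_by_family(right_sourceip)
    plan = []
    for family in sorted(set(lsub) | set(rsub)):
        warnings = []
        for side, subs, srcs in (("left", lsub, lsrc), ("right", rsub, rsrc)):
            if not subs.get(family):
                warnings.append(f"{side} has no IPv{family} subnet for this child SA")
                continue
            src = srcs.get(family)
            if src is None:
                if srcs:
                    # The only sourceip configured is of the other family; handing it
                    # to an IPv{family} updown run is the 'inet6 prefix is expected' case.
                    other = ", ".join(str(a) for a in srcs.values())
                    warnings.append(
                        f"{side}: no IPv{family} sourceip; {other} has the wrong family "
                        f"for an IPv{family} child SA")
                continue
            if not any(src in net for net in subs[family]):
                warnings.append(f"{side}: sourceip {src} is outside its IPv{family} subnets")
        plan.append({
            "family": family,
            "left": [str(n) for n in lsub.get(family, [])],
            "right": [str(n) for n in rsub.get(family, [])],
            "left_sourceip": str(lsrc[family]) if family in lsrc else None,
            "right_sourceip": str(rsrc[family]) if family in rsrc else None,
            "warnings": warnings,
        })
    return plan


if __name__ == "__main__":
    # Values copied from the conn tunnel46 quoted in the thread.
    for entry in plan_child_sas("{192.168.61.0/24,fc02::/64}",
                                "{192.168.60.0/24,fc01::/64}",
                                "192.168.61.1", "192.168.60.1"):
        print(entry)
```

With the quoted conn, the IPv4 entry comes out clean while the IPv6 entry has no sourceip of its own on either side, which is the shape of the mismatch behind the quoted "inet6 prefix is expected rather than ..." errors. Giving each family its own sourceip (the assumed comma-list form in the demo) clears the warning.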

