[Swan] Establishing an IPsec SA using IPv6 Link-Local addresses

William Atwood william.atwood at concordia.ca
Mon Sep 18 06:00:51 EEST 2023 

Libreswan version 4.12

Ubuntu 20.04.6 LTS

Host 1: Perlis
Host 2: Tarjan

Perlis and Tarjan are connected to the same LAN.

There is no routing or DNS active.

The only IPv6 addresses that the paired interfaces have are their IPv6 
Link-Local (LL) addresses.

In order to establish secure IPv6 routing between these two hosts, I 
need to establish an IPsec SA between them, based on their LL addresses.

As a preliminary experiment, this is based on libreswan-generated host 
keys.  Eventually, the SA will be established based on certificates, as 
required by the ANIMA specifications (see below).

Because the appropriate interface cannot be determined from a LL 
address, the interface must also be specified when a LL address is given.

The following are the contents of PETA6.conf and TAPE6.conf.  These 
files must be different, because of the need to specify the interface. 
The host keys have been shortened for clarity.  The files are also 
asymmetrical, in that "left" is used for "local" properties and "right" 
is used for "remote" properties.

PETA6.conf
conn peta6
     leftid=@west
     left=fe80::21e:c9ff:fe29:ce38%enp4s0
     leftrsasigkey=0sAwEAAc8S...B0V7P1w==
     rightid=@east
     right=fe80::2e27:d7ff:fe46:cd40%enp4s0
     rightrsasigkey=0sAwEAAbWt...A6GChaQ==
     authby=rsasig
     auto=add

TAPE6.conf
conn tape6
     leftid=@west
     left=fe80::2e27:d7ff:fe46:cd40%eno1
     leftrsasigkey=0sAwEAAbWt...A6GChaQ==
     rightid=@east
     right=fe80::21e:c9ff:fe29:ce38%eno1
     rightrsasigkey=0sAwEAAc8S...B0V7P1w==
     authby=rsasig
     auto=add

On Tarjan:
sudo ipsec setup start
sudo ipsec auto --add tape6

On Perlis:
sudo ipsec setup start
sudo ipsec auto --add peta6
sudo ipsec auto --up peta6

I get the following error message:

dev at Perlis:~$ sudo ipsec auto --up peta6
022 "peta6": we cannot identify ourselves with either end of this 
connection.  fe80::21e:c9ff:fe29:ce38 or fe80::2e27:d7ff:fe46:cd40 are 
not usable
036 "peta6": failed to initiate connection
dev at Perlis:~$

How can I convince libreswan to accept IPv6 LL addresses?  This is 
needed to build a reference implementation of the specifications issued 
by the ANIMA Working Group of the IETF, for autonomic networking. 
Specifically, RFC 8994, Section 6.8.3.1.

   Bill Atwood

-- 
Dr. J.W. Atwood, Eng.             tel:   +1 (514) 848-2424 x3046
Distinguished Professor Emeritus  fax:   +1 (514) 848-2830
Department of Computer Science
    and Software Engineering
Concordia University ER 1234      email:william.atwood at concordia.ca
1455 de Maisonneuve Blvd. West    http://users.encs.concordia.ca/~bill
Montreal, Quebec Canada H3G 1M8

More information about the Swan mailing list