[Swan] LibreSWAN and IPv6 Link Local addresses

William Atwood william.atwood at concordia.ca
Wed Jan 17 04:17:41 EET 2024 

Moritz,

There are actually two issues:

1) I know that Libreswan does not support %zone identifiers associated 
with Link-Local (LL) addresses, and it appears from your experience that 
Strongswan does not either.  I also know that Libreswan insists that an 
endpoint address must be "Global".

2) XFRM, which does the actual packet transformation in the kernel, if 
given an LL address, will chose a random interface to send the packet 
on.  It appears that there is no way to tell XFRM about a zone 
identifier for an LL address.

The first issue can be fixed by the Libreswan/Strongswan teams.  I have 
created an issue (#1498) on the Libreswan Github site, and the 
resolution of this is scheduled for release 5.1 of Libreswan.

The second issue has to be fixed by the maintainer(s) of XRFM.  This 
will require applying sufficient motivation to these maintainers; I know 
that some people are trying to achieve this motivation.

The (short-term) fix for our project is to manually allocate Unique 
Local Addresses (ULA) to each interface, in such a way that no routing 
is required (if a LL address would do, then the two peers have to be on 
the same LAN).  This enables us to move forward with testing other parts 
of the system, and we will revert to LL addresses once XFRM supports 
them properly.

I hope that this helps.

   Bill

On 1/16/2024 1:27 PM, Moritz Wilhelmy wrote:
> Attention This email originates from outside the concordia.ca domain. // Ce courriel provient de l'extérieur du domaine de concordia.ca
> 
> Hi Bill & swan mailing list,
> 
> I read your post on the swan mailing list [1] and have been wondering if
> you since had any luck configuring LibreSWAN with IPv6LL addressing;
> I've been struggling with the same issue on StrongSWAN which
> apparently[2] doesn't support IPv6LL addressing (or at least that was
> the case 15 years ago). I'm now writing to you directly because there
> has been no response to your posting on the mailing list, I didn't
> really find much information elsewhere and I'm not yet married to any
> particular IPSec implementation.
> 
> I'm also unsure whether the only issue is that the configuration file
> parsers are not supporting %zone identifiers for both projects or if
> there's more to it. Does anyone know?
> 
> CC'ing the list just in case.
> 
> Best regards
> Moritz
> 
> [1] https://www.mail-archive.com/swan@lists.libreswan.org/msg03650.html>> [2] https://users.strongswan.narkive.com/G4YhjDAa/strongswan-strongswan-doesn-t-listen-to-ipv6-address#post2>> 

-- 
Dr. J.W. Atwood, Eng.             tel:   +1 (514) 848-2424 x3046
Distinguished Professor Emeritus  fax:   +1 (514) 848-2830
Department of Computer Science
    and Software Engineering
Concordia University ER 1234      email:william.atwood at concordia.ca
1455 de Maisonneuve Blvd. West    http://users.encs.concordia.ca/~bill
Montreal, Quebec Canada H3G 1M8

More information about the Swan mailing list