[Swan] LibreSWAN and IPv6 Link Local addresses
William Atwood
william.atwood at concordia.ca
Fri Jan 26 05:27:30 EET 2024
Tuomo,
I apologize for disagreeing, but Libreswan not only does not support
Link-Local addresses, but it actively declares that they are not usable.
I agree that making Libreswan process Link-Local addresses properly
will not be possible until XFRM is fixed, but in the case outlined
below, it appears that XFRM is not even invoked.
I have two hosts, with a shared LAN, called Gingko and Ritchie, both
running Libreswan 5.0rc1.
File GIRI6CL.conf on Gingko:
conn GIRI6cl
left=fe80::20e:cff:fe9c:d92d%ens7
leftid="CN=Gingko Certificate"
leftrsasigkey=%cert
leftcert=GIcert
right=fe80::20e:cff:fea9:b90f%ens7
rightid="CN=Ritchie Certificate"
rightrsasigkey=%cert
auto=add
File RIGI6CL.conf on Ritchie:
conn RIGI6cl
left=fe80::20e:cff:fea9:b90f%enp5s4
leftid="CN=Ritchie Certificate"
leftrsasigkey=%cert
leftcert=RIcert
right=fe80::20e:cff:fe9c:d92d%enp5s4
rightid="CN=Gingko Certificate"
rightrsasigkey=%cert
auto=add
On Ritchie:
dev at Ritchie:~$ sudo ipsec add RIGI6cl
"RIGI6cl": added IKEv2 connection
dev at Ritchie:~$
On Gingko:
dev at Gingko:~$ sudo ipsec add GIRI6cl
"GIRI6cl": added IKEv2 connection
dev at Gingko:~$ sudo ipsec up GIRI6cl
"GIRI6cl": we cannot identify ourselves with either end of this
connection. fe80::20e:cff:fe9c:d92d or fe80::20e:cff:fea9:b90f are not
usable
dev at Gingko:~$
The listed Link-Local addresses are correct; I can " ping -6
fe80::20e:cff:fea9:b90f%ens7" on Gingko, and get the appropriate
response from Ritchie, and I can " ping -6
fe80::20e:cff:fe9c:d92d%enp5s4" from Ritchie, and get the appropriate
response from Gingko.
Finally, if I assign Unique Local Addresses to the same two interfaces,
and use these addresses in the above .conf files, the Security
Association establishes perfectly.
Therefore, I believe that your statement that "Global is only used when
adding IP for XFRM interface for route-based IPsec vpn." is incorrect.
Clearly, Libreswan has code somewhere that is rejecting non-global
addresses for simple, tunnel-mode Security Associations between two
adjacent hosts.
Andrew has put a milestone of Release 5.1 on my issue #1498, which
provides justification for the use of Link-Local addresses as valid
endpoints. I hope that XFRM has been fixed by the time 5.1 is released.
Bill
On 1/17/2024 1:24 AM, Tuomo Soini wrote:
> Attention This email originates from outside the concordia.ca domain. // Ce courriel provient de l'extC)rieur du domaine de concordia.ca
>
> On Tue, 16 Jan 2024 21:17:41 -0500
> William Atwood <william.atwood at concordia.ca> wrote:
>
>> 1) I know that Libreswan does not support %zone identifiers
>> associated with Link-Local (LL) addresses, and it appears from your
>> experience that Strongswan does not either. I also know that
>> Libreswan insists that an endpoint address must be "Global".
>
> Global is only used when adding IP for XFRM interface for route-based
> IPsec vpn. And because this is route-based, this can't be LL-address.
> We told you multiple times that this doesn't affect LL address
> handling. And we can't really implement support for LL addresses on
> linux before XFRM/IPsec stack supports it.
>
--
Dr. J.W. Atwood, Eng. tel: +1 (514) 848-2424 x3046
Distinguished Professor Emeritus fax: +1 (514) 848-2830
Department of Computer Science
and Software Engineering
Concordia University ER 1234 email:william.atwood at concordia.ca
1455 de Maisonneuve Blvd. West http://users.encs.concordia.ca/~bill
Montreal, Quebec Canada H3G 1M8
More information about the Swan
mailing list