Feature #92
IPv6 and %defaultroute
| Status: | New | Start date: | 24.09.2009 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Resolution: | | | |
Description
In a mixed IPv4+IPv6 dynamic address environment IPSEC/IPv6 is not usable. Configurations like:

```
conn my
    left=%defaultroute
    leftcert=mycert.pem
    right=%any
    type=transport
    auto=add
```

will match only an IPv4 left address. «right=%any6» will break the configuration completely with the error «address family inconsistency in connection».

So there should be a magic value like %defaultroute6 to automatically match the IPv6 local address.

But sometimes (I could not figure out why) %defaultroute matches an IPv6 address. So, to safeguard the configuration from suddenly stopping working, there should be a value like «%defaultroute4» which will only match IPv4 addresses. Or, better still, some option like «addressfamily» should be introduced to unambiguously clarify for which address family this connection definition would match.
History
Updated by Andreas Steffen over 2 years ago
If you have the option, try the more advanced IKEv2 charon daemon with the configuration below, which should automatically find a matching network interface (IPv4 or IPv6) depending on the route to the destination.

```
conn my
    left=%any
    leftcert=mycert.pem
    right=%any
    type=transport
    keyexchange=ikev2
    auto=add
```
Updated by Grigory Ivanov over 2 years ago
Unfortunately, some of my peers use only IKEv1 (racoon).
Updated by Grigory Ivanov over 2 years ago
I have tried to use IKEv2/IPv6 between two strongSwans on identical Debian systems.

```
# ipsec version
Linux strongSwan U4.3.2/K2.6.30-1-686
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
```

ipsec.conf:

```
config setup
    nat_traversal=no
    charonstart=yes
    plutostart=no
    charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, lib 2"

conn my
    left=%any6
    leftcert=mycert.pem
    right=%any6
    type=transport
    keyexchange=ikev2
    auto=add
```

ipsec-tools.conf:

```
flush;
spdflush;
spdadd -6 ::/0 2000::/3 any -P out ipsec
    esp/transport//use;
spdadd -6 ::/0 ::/0 any -P in ipsec
    esp/transport//use;
```
Then I ping one machine from the other. The ping goes normally, but the ping initiator gets the following errors in syslog:

```
charon: 03[KNL] received a XFRM_MSG_ACQUIRE
charon: 03[KNL]   XFRMA_TMPL
charon: 03[KNL] creating acquire job for policy 2002:x:x:x:x:x:x:x/128[ipv6-icmp/128] === 2002:x:x:x:x:x:x:x/128[ipv6-icmp] with reqid {0}
charon: 10[CFG] trap not found, unable to acquire reqid 0
```
The ping receiver's log is silent. No IPSEC SA is made:

ping initiator:

```
# setkey -D
2002:x:x:x:x:x:x:x 2002:y:y:y:y:y:y:y
	esp mode=transport spi=0(0x00000000) reqid=0(0x00000000)
	seq=0x00000000 replay=0 flags=0x00000000 state=larval
	created: Sep 26 14:18:18 2009	current: Sep 26 14:18:35 2009
	diff: 17(s)	hard: 30(s)	soft: 0(s)
	last:				hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=1340 refcnt=0
```

ping receiver:

```
# setkey -D
No SAD entries.
```

The only thing about «traps» I found in the documentation is

«auto = ignore | add | route | start […] route loads a connection and installs kernel traps.»
I tried to use «auto = route» and got the following on the initiator side:

```
charon: 03[KNL] received a XFRM_MSG_ACQUIRE
charon: 03[KNL]   XFRMA_TMPL
charon: 03[KNL] creating acquire job for policy 2002:x:x:x:x:x:x:x/128[ipv6-icmp/128] === 2002:x:x:x:x:x:x:x/128[ipv6-icmp] with reqid {1}
charon: 16[MGR] created IKE_SA
charon: 16[IKE] unable to initiate to %any
charon: 16[MGR] checkin and destroy IKE_SA
charon: 16[IKE] IKE_SA my[5] state change: CREATED => DESTROYING
charon: 16[MGR] check-in and destroy of IKE_SA successful
```

No ping replies, and no packets are really sent to the network.

Nor does this work with explicitly assigned left addresses. The only configuration which works is the one in the examples — explicitly assigned right/left addresses on both sides and both certificates (otherwise there will be an AUTHENTICATION_FAILED error).

Does charon really work with dynamic addresses?
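The `setkey -D` dump above shows the symptom of an unanswered kernel acquire: an SA that stays in state `larval` with `spi=0` and `reqid=0` until its 30 s hard lifetime expires. The following is an added diagnostic example, not code from the issue or from strongSwan: it parses `setkey -D` output into one record per SA and flags larval entries that have outlived a (assumed, 5 s) grace period. The sample dump is constructed to mirror the format quoted in the report.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the `setkey -D` dump in this issue: one stuck
# larval SA (spi 0, reqid 0) and one healthy mature SA for comparison.
SAMPLE_DUMP = """\
2002:a::1 2002:b::1
\tesp mode=transport spi=0(0x00000000) reqid=0(0x00000000)
\tseq=0x00000000 replay=0 flags=0x00000000 state=larval
\tcreated: Sep 26 14:18:18 2009\tcurrent: Sep 26 14:18:35 2009
\tdiff: 17(s)\thard: 30(s)\tsoft: 0(s)
\tlast:\t\t\t\thard: 0(s)\tsoft: 0(s)
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 0\thard: 0\tsoft: 0
\tsadb_seq=0 pid=1340 refcnt=0
2002:a::1 2002:b::1
\tesp mode=transport spi=3131961357(0xbaadf00d) reqid=1(0x00000001)
\tseq=0x00000000 replay=32 flags=0x00000000 state=mature
\tcreated: Sep 26 14:20:00 2009\tcurrent: Sep 26 14:20:05 2009
\tdiff: 5(s)\thard: 3600(s)\tsoft: 3300(s)
"""

HEADER = re.compile(r"^(\S+)\s+(\S+)$")   # unindented "src dst" line opens an SA
KV = re.compile(r"(\w+)=(\S+)")           # mode=, spi=, reqid=, state=, ...
LIFETIME = re.compile(r"diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)")

def parse_sad(dump: str) -> List[Dict[str, str]]:
    """Split `setkey -D` output into one dict per SA; 'No SAD entries.' yields []."""
    entries: List[Dict[str, str]] = []
    for line in dump.splitlines():
        m = HEADER.match(line)
        if m and not line.startswith(("\t", " ")):
            entries.append({"src": m.group(1), "dst": m.group(2)})
            continue
        if not entries:
            continue
        for key, val in KV.findall(line):
            entries[-1].setdefault(key, val)
        m = LIFETIME.search(line)
        if m:
            entries[-1]["age_s"], entries[-1]["hard_s"] = m.group(1), m.group(2)
    return entries

def stuck_larval(entries: List[Dict[str, str]], min_age_s: int = 5) -> List[Dict[str, str]]:
    """SAs still larval with spi 0 after min_age_s seconds: the kernel raised an
    acquire that no IKE daemon completed (cf. 'trap not found, unable to acquire
    reqid 0' in the report). min_age_s is an assumed grace period."""
    return [e for e in entries
            if e.get("state") == "larval"
            and e.get("spi", "").startswith("0(")
            and int(e.get("age_s", "0")) >= min_age_s]
```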