On Jan 15, 2024, at 15:03, Bill Atwood <williamatwoo...@gmail.com> wrote:
>
> My bad.
>
> I had re-booted Ritchie, and forgotten to re-run the script that assigns the
> ULA.
>
> After running that script, I see an established connection (on both Ritchie
> and Tarjan).
>
> What I don't see is any evidence of an added interface on Ritchie (5.0 RC1),
> where I do see this on Tarjan (4.12). How does one access the new tunnel?

Magic grabs the packets. You can check byte counters with "ipsec traffic". You can also add ipsec-interface=1 and you will get an interface named ipsec1.

> Bill
>
> dev@Ritchie:~$ ./fixaddr.sh
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>     inet6 fd51:20d9:5ad2:b::2/64 scope global tentative
>        valid_lft forever preferred_lft forever
>     inet6 fe80::21a:a0ff:fe15:62b8/64 scope link
>        valid_lft forever preferred_lft forever
> 3: enp5s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>     inet6 fe80::20e:cff:fea9:b90f/64 scope link
>        valid_lft forever preferred_lft forever
> 4: enp5s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>     inet6 fe80::20e:cff:fea9:b937/64 scope link
>        valid_lft forever preferred_lft forever
> dev@Ritchie:~$ sudo ipsec setup restart
> Redirecting to: systemctl restart ipsec.service
> dev@Ritchie:~$ sudo ipsec add RITA6c
> "RITA6c": added IKEv2 connection
> dev@Ritchie:~$ sudo ipsec status |grep interface
> using kernel interface: xfrm
> interface enp4s0 UDP [fd51:20d9:5ad2:b::2]:4500
> interface enp4s0 UDP [fd51:20d9:5ad2:b::2]:500
> interface lo UDP [::1]:4500
> interface lo UDP [::1]:500
> interface lo UDP 127.0.0.1:4500
> interface lo UDP 127.0.0.1:500
> interface enp4s0 UDP 132.205.9.46:4500
> interface enp4s0 UDP 132.205.9.46:500
> interface enp5s4 UDP 132.205.9.50:4500
> interface enp5s4 UDP 132.205.9.50:500
> interface enp5s5 UDP 132.205.9.53:4500
> interface enp5s5 UDP 132.205.9.53:500
> interface virbr0 UDP 192.168.123.1:4500
> interface virbr0 UDP 192.168.123.1:500
> "RITA6c": conn_prio: 128,128; interface: enp4s0; metric: 0; mtu: unset;
> sa_prio:auto; sa_tfc:none;
> dev@Ritchie:~$ sudo ipsec up RITA6c
> "RITA6c" #1: initiating IKEv2 connection to fd51:20d9:5ad2:b::1 using UDP
> "RITA6c" #1: sent IKE_SA_INIT request to [fd51:20d9:5ad2:b::1]:500
> "RITA6c" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a
> prf=HMAC_SHA2_512 group=MODP2048}
> "RITA6c" #1: initiator established IKE SA; authenticated peer '2048-bit
> RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=Tarjan
> certificate' issued by CA 'CN=ConU CSE HSPL'
> "RITA6c" #2: initiator established Child SA using #1; IPsec tunnel
> [fd51:20d9:5ad2:b::2/128===fd51:20d9:5ad2:b::1/128] {ESP/ESN=>0xfee0113a
> <0xee7634c5 xfrm=AES_GCM_16_256-NONE DPD=passive}
> dev@Ritchie:~$
>
>> On 1/15/2024 2:26 PM, Paul Wouters wrote:
>>> On Mon, 15 Jan 2024, Tuomo Soini wrote:
>>> On Mon, 15 Jan 2024 13:23:58 -0500
>>> Bill Atwood <williamatwoo...@gmail.com> wrote:
>>>
>>>> Here is the result of the status command, on Ritchie (running 5.0
>>>> RC1):
>>>>
>>>> dev@Ritchie:~$ sudo ipsec status | grep interface
>>>> [sudo] password for dev:
>>>> using kernel interface: xfrm
>>>> interface lo UDP [::1]:4500
>>>> interface lo UDP [::1]:500
>>>> interface lo UDP 127.0.0.1:4500
>>>> interface lo UDP 127.0.0.1:500
>>>> interface enp4s0 UDP 132.205.9.46:4500
>>>> interface enp4s0 UDP 132.205.9.46:500
>>>> interface enp5s4 UDP 132.205.9.50:4500
>>>> interface enp5s4 UDP 132.205.9.50:500
>>>> interface enp5s5 UDP 132.205.9.53:4500
>>>> interface enp5s5 UDP 132.205.9.53:500
>>>> interface virbr0 UDP 192.168.123.1:4500
>>>> interface virbr0 UDP 192.168.123.1:500
>>>> "RITA6c": conn_prio: 128,128; interface: ; metric: 0; mtu: unset;
>>>> sa_prio:auto; sa_tfc:none;
>>>> dev@Ritchie:~$
>>>
>>> Is this directly from bootup of the machine?
>>>
>>> Reason could be your network configuration. Libreswan requires
>>> network-online.target before startup. But if you don't have setting for
>>> IPV6 address to be required on your interface, network-online.target
>>> finishes before you have IPv6 address on the interface and so there is
>>> no ipv6 address when libreswan starts, yet.
>>
>> You can confirm if this is the case by issuing:
>> sudo ipsec whack --listen
>> sudo ipsec status | grep interface

_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
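The thread above shows the failure mode twice: the `fixaddr.sh` output lists the ULA as `scope global tentative` (duplicate address detection has not finished, so nothing can bind to it yet), and the first `ipsec status` shows pluto with no socket on that address. The script below is an added example, not code from the thread or from the libreswan project. It parses `ip -6 addr show` output to decide whether a global IPv6 address is actually usable, parses `ipsec status` to see whether pluto already listens on it, and only then issues the `ipsec whack --listen` rescan that Paul suggests. The function names, the 60-second wait and the `RUN_IPSEC_CHECK` guard are my own; the interface `enp4s0` and address `fd51:20d9:5ad2:b::2` used as defaults are taken from Bill's output and are only sample values. It assumes Linux iproute2 (`ip`) and libreswan's `ipsec` command are installed.

```shell
#!/bin/sh
# Added example, not from the thread or the libreswan project.
# Assumes iproute2 `ip` and libreswan `ipsec` are on PATH. The default
# interface and address in the guard at the bottom are sample values only.

# Read `ip -6 addr show dev <iface>` output on stdin. Succeed only if a
# global-scope IPv6 address is present that is not tentative (DAD still
# running), dadfailed or deprecated. A tentative address, as in the
# fixaddr.sh output above, cannot be bound, so pluto opens no socket on it.
usable_global_v6() {
    awk '
        $1 == "inet6" && /scope global/ && !/tentative/ && !/dadfailed/ && !/deprecated/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Read `ipsec status` output on stdin. Succeed if pluto reports an IKE
# socket on the given IPv6 address; it prints these as
# "interface <dev> UDP [addr]:500".
pluto_listens_on() {
    grep -qF "UDP [$1]:500"
}

# Poll until interface $1 has a usable global IPv6 address, giving up after
# $2 seconds (default 30). Returns 1 on timeout.
wait_for_global_v6() {
    iface=$1
    timeout=${2:-30}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if ip -6 addr show dev "$iface" 2>/dev/null | usable_global_v6; then
            return 0
        fi
        elapsed=$((elapsed + 1))
        sleep 1
    done
    return 1
}

# End-to-end check: wait for the address, then ask pluto to rescan its
# interfaces only if it is not already listening there, and re-verify.
main() {
    iface=$1
    addr=$2
    if ! wait_for_global_v6 "$iface" 60; then
        echo "no usable global IPv6 address on $iface; not touching pluto" >&2
        return 1
    fi
    if ipsec status | pluto_listens_on "$addr"; then
        echo "pluto already listens on [$addr]:500"
        return 0
    fi
    echo "pluto has no socket on $addr; asking it to rescan interfaces"
    ipsec whack --listen
    ipsec status | pluto_listens_on "$addr"
}

# Only act when explicitly asked, so sourcing this file just defines the
# functions and a bare run does not touch a live pluto.
if [ "${RUN_IPSEC_CHECK:-0}" = 1 ]; then
    main "${1:-enp4s0}" "${2:-fd51:20d9:5ad2:b::2}"
fi
```

Run it as `sudo RUN_IPSEC_CHECK=1 sh check-v6-listen.sh enp4s0 fd51:20d9:5ad2:b::2` after the ULA script. The same `usable_global_v6` test is what a systemd `ExecStartPre=` for `ipsec.service` would need if you want the unit itself to wait for the address instead of relying on `network-online.target`, which, as Tuomo notes, can be satisfied before the IPv6 address exists.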